Applied Cryptography and Computer Security CSE 664 Spring 2018

Similar documents
Number Theory and Group Theoryfor Public-Key Cryptography

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

CPSC 467b: Cryptography and Computer Security

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Numbers. Çetin Kaya Koç Winter / 18

Basic elements of number theory

ECEN 5022 Cryptography

CPSC 467b: Cryptography and Computer Security

Basic elements of number theory

Number Theory. Modular Arithmetic

CSC 373: Algorithm Design and Analysis Lecture 30

Number Theory and Algebra: A Brief Introduction

Cryptography: Joining the RSA Cryptosystem

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Elementary Number Theory Review. Franz Luef

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

A Guide to Arithmetic

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

1. Algebra 1.7. Prime numbers

3 The fundamentals: Algorithms, the integers, and matrices

Mathematics of Cryptography

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

CIS 551 / TCOM 401 Computer and Network Security

Mathematics for Cryptography

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

CPSC 467: Cryptography and Computer Security

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

Introduction to Modern Cryptography. Benny Chor

A SURVEY OF PRIMALITY TESTS

Mathematical Foundations of Public-Key Cryptography

CPSC 467b: Cryptography and Computer Security

4 Number Theory and Cryptography

ECE596C: Handout #11

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Applied Cryptography and Computer Security CSE 664 Spring 2017

LECTURE NOTES IN CRYPTOGRAPHY

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

CPSC 467b: Cryptography and Computer Security

Ma/CS 6a Class 4: Primality Testing

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

Part II. Number Theory. Year

Introduction to Cryptography. Lecture 6

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Introduction to Information Security

Lecture 1: Introduction to Public key cryptography

A. Algebra and Number Theory

Lecture 3.1: Public Key Cryptography I

Advanced Algorithms and Complexity Course Project Report

ICS141: Discrete Mathematics for Computer Science I

Topics in Cryptography. Lecture 5: Basic Number Theory

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Introduction to Public-Key Cryptosystems:

10 Public Key Cryptography : RSA

Basic Algorithms in Number Theory

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Discrete Mathematics with Applications MATH236

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

Public Key Cryptography

Math/Mthe 418/818. Review Questions

THE SOLOVAY STRASSEN TEST

Number Theory A focused introduction

Elliptic curves: Theory and Applications. Day 3: Counting points.

Public-key Cryptography: Theory and Practice

CHAPTER 3. Congruences. Congruence: definitions and properties

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

The security of RSA (part 1) The security of RSA (part 1)

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.

Part IA Numbers and Sets

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

10 Concrete candidates for public key crypto

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Congruences and Residue Class Rings

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Factorization & Primality Testing

Cryptography IV: Asymmetric Ciphers

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Chapter 5. Modular arithmetic. 5.1 The modular ring

Some Facts from Number Theory

IRREDUCIBILITY TESTS IN F p [T ]

Discrete mathematics I - Number theory

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

Lecture 31: Miller Rabin Test. Miller Rabin Test

Theory of Numbers Problems

Euler s, Fermat s and Wilson s Theorems

basics of security/cryptography

Elementary Number Theory MARUCO. Summer, 2018

Carmen s Core Concepts (Math 135)

Public Key Encryption

Transcription:

Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1

Lecture Outline This time we ll finish the intro to number theory What to expect: congruences Fermat and Euler s theorems the Chinese remainder theorem finding large primes 2

Congruences A congruence is a statement about divisibility such statements simplify reasoning about divisibility Definition let a, b, m > 0 be integers if m divides a b, then a is congruent to b modulo m and we write a b (mod m) if m does not divide a b, a is not congruent to b modulo m and we write a b (mod m) the formula a b (mod m) is called a congruence the integer m is called the modulus 3

Congruences Do not confuse a b (mod m) with binary operator mod a b (mod m) if and only if (a mod m) = (b mod m) For each integer a, the set of all integers b a (mod m) is called the congruence class or residue class of a modulo m example: the residue class of 27 (mod 5) is..., 13, 8, 3, 2, 7, 12,... each value is a representative of the class, and the smallest positive value is the standard representative 4

Congruences The congruence relation has many similarities to equality it, like equality, is an equivalence relation reflexive: a a (mod m) symmetric: if a b (mod m), then b a (modm) transitive: if a b (mod m) and b c (mod m), then a c (mod m) 5

Congruences Properties of congruence relations let a b (mod m) and c d (mod m) a + c b + d (mod m) a c b d (mod m) ac bd (mod m) let f be a polynomial with integer coefficients, then if a b (mod m), f(a) f(b) (mod m) let d m, then a b (mod m) a b (mod d) 6

Congruences Although addition, subtraction, and multiplication follow the usual rules, division does not always work as expected ac bc (mod m) does not always imply a b (mod m) example: 2 3 = 6 18 = 2 9 (mod 12), but 3 9 (mod 12) we next investigate when this implication is true Theorem (division): for integer a, b, c 0, and m > 0, if gcd(c, m) = 1, then ac bc (mod m) implies a b (mod m) example: 5 3 = 15 39 = 13 3 (mod 8); both 15 39 (mod 8) and 5 13 (mod 8) 7

Congruences Theorem (multiplicative inverse): if gcd(a, m) = 1, then there is a unique x (0 < x < m) such that ax 1 (mod m), i.e., x is a 1 (mod m) example: a = 3, m = 5; x 2 3 1 (mod 5) the inverse is normally computed using the extended Euclidean algorithm, where ax + my = 1 8

Residue Sets A complete set of residues (CSR) modulo m is a set S of integers such that every integer is congruent to exactly one integer in that set S the standard CSR modulo m is {0, 1,..., m 1}, i.e, Z m A reduced set of residues (RSR) modulo m is a set R of integers such that every integer relatively prime to m is congruent to exactly one integer in R the standard RSR modulo m is all 1 r m such that gcd(r, m) = 1 example: for m = 12, the standard RSR is {1, 5, 7, 11} for a prime p, this set is {1, 2,..., p 1} 9

Linear Congruences Now how do we solve congruences ax b (mod m) for given a, b, m and unknown x? we first need to determine when they are solvable Theorem (solvability of linear congruence) ax b (mod m) has a solution if and only if gcd(a, m) divides b example: solve 165x 100 (mod 285)? 10

Linear Congruences Theorem (solution to a linear congruence) let g = gcd(a, m) if g divides b, then ax b (mod m) has g solutions the solutions are: x b g x 0 + t m g (mod m), t = 0, 1,..., g 1 here x 0 is any solution to a g x 0 1(mod m g ) 11

Linear Congruences Example of a linear congruence solve 7x 3 (mod 12) first find g = determine the number of solutions determine x 0 find the solution now solve 8x 4 (mod 12) 12

Groups A group G is a set of elements together with a binary operation such that the set is closed under the operation, i.e., for every a, b G, a b is a unique element of G the associative law holds, i.e., for all a, b, c G, a (b c) = (a b) c the set has a unique identity element e such that a e = e a = a for every a G every element has a unique inverse a 1 in G such that a a 1 = a 1 a = e 13

Groups A group is called commutative or abelian if a b = b a for every pair a, b G Size of a group a group is finite if it has only a finite number of elements a group is infinite if it has an infinite number of elements the number of elements of a finite group is called the order of the group Groups are a convenient way to represent sets by strings of symbols 14

Groups Examples of groups the set of integers {..., 2, 1, 0, 1, 2,...} forms an infinite abelian group addition is the binary operation 0 is the identity a is the inverse of a this set does not form a group with multiplication as the binary operation (lack of inverses) 15

Groups Examples of groups if m 2 is an integer, a complete set of residues (CSR) modulo m forms an abelian group addition modulo m is the binary operation the residue class containing 0 is the identity the inverse of the residue class containing a is the residue class containing a this group is called the additive group modulo m a CSR modulo m does not form a group under multiplication 16

Groups Examples of groups recall that a reduced set of residues (RSR) includes all numbers relatively prime to m for m > 1, a RSR modulo m forms a group with multiplication modulo m as operation the identity element is the residue class containing 1 it is called the multiplicative group modulo m what is the group order? 17

Euler s φ Function Euler φ function φ(m) is the size of RSR modulo m φ is called the Euler Phi or totient function Properties of φ if p is prime, φ(p) = p 1 φ is multiplicative: φ(ab) = φ(a)φ(b) for relatively prime a and b thus, if p q are primes, φ(pq) = (p 1)(q 1) if p is prime, φ(p e ) = p e p e 1 if n = i p e i i, where p i s are distinct primes and e i 1, φ(n) = i p e i 1 i (p i 1) 18

Fermat and Euler s Theorems Fermat s Little Theorem let p be prime and a be an integer which is not a multiple of p, then a p 1 1 (mod p) Euler s Theorem let m > 1 and gcd(a, m) = 1, then a φ(m) 1 (mod m) A Corollary of Euler s Theorem let m, x, y, and g be positive integers with gcd(g, m) = 1 if x y (mod φ(m)), then g x g y (mod m) 19

Fermat and Euler s Theorems Another corollary of Euler s theorem we obtain an alternative way of computing a 1 (mod m) recall that a a 1 1 (mod m) factoring out one a gives us aa φ(m) 1 1(mod m) then a 1 for a prime modulus p, a 1 computing the inverse using this approach requires roughly the same number of bit operations as the extended Euclidean algorithm 20

More on Groups If a is an element of a finite group with identity 1, then there is a unique smallest positive integer i with a i = 1 (using multiplicative notation) such i is called the order of a (different from the order of the group) The element a has infinite order is there is no positive integer i with a i = 1 A cyclic group is one that contains an element a whose powers a i and a i make up the entire group An element a with such property is called a generator of the group 21

Cyclic Groups Examples the set of all integers with + for the operation is a cyclic group of infinite order the group is generated by 1 the powers of 1 are 0, ±1, ±2,... every element a 0 has infinite order the integers modulo m with + operation form a cyclic group of order m, where the residue class of 1 is a generator the multiplicative group modulo m, Z m, may or may not be cyclic depending on m 22

Cyclic Groups Theorem: If p is prime, then (Z p, ) is cyclic. Example consider multiplicative group over Z 7 what is the order of 2? what is the order of 3? 23

Fast Exponentiation We ll need to compute a n often This can be done using only O(log 2 n) multiplications power(a, n) { e = n; y = 1; z = a; repeat { if (e is odd) y = y z; if (e 1) return y; z = z z; e = e 1; } } e = e/2 24

Fast Exponentiation To compute a n mod m, we want to keep numbers small (smaller than m) We reduce them modulo m after each multiplication power(a, n, m) { e = n; y = 1; z = a; repeat { if (e is odd) y = (y z) % m; if (e 1) return y; z = (z z) % m; e = e 1; } } 25

Fast Exponentiation Example: compute 3 6 mod 11 set e = 6 (0110), y = 1; z = 3 execute the loop iteration 1 iteration 2 iteration 3 What s the complexity of fast exponentiation? 26

The Chinese Remainder Theorem The Chinese Remainder Theorem (CRT) can be used to perform modular exponentiations even faster than in the above algorithm The main advantage of CRT: it allows us to split up one large exponentiation into smaller exponentiations The main idea: for a composite number m with factors p 1, p 2,..., it allows us to combine congruences of the form x a i (mod p i ) into a congruence x a (mod m) Main uses: in public-key decryption and signing algorithms 27

The Chinese Remainder Theorem The Chinese Remainder Theorem we are given n 1,..., n r positive integers pair-wise relatively prime (i.e., gcd(n i, n j ) = 1 for any i j) let n = n 1 n r then r congruences x a i (mod n i ) have common solutions modulo n The solution to such congruences is x r i=1 here b i (n/n i ) 1 (mod n i ) (n/n i )b i a i (mod n) 28

The Chinese Remainder Theorem Example: solve a system of congruences x 1 (mod 7), x 3 (mod 10), and x 8 (mod 13) 29

Finding Large Primes In many constructions we rely on large primes How do we find them? the probability that a randomly picked integer, say, 2000 bits long is prime is not great But even if we have a candidate, how do we test it? Fermat s theorem says that if p is prime and p a, then a p 1 1 (mod p) this theorem gives us a test for compositeness if p is odd, p a, and a p 1 1 (mod p), then p is not prime how about the converse, a test for primality? 30

Finding Large Primes Unfortunately, the converse is not always true consider p = 11 13 = 341 and a = 2; 2 340 1 (mod 341) it is, however, true for most p and a The composite numbers that pass such primality test are called Carmichael numbers (pseudo-prime) they result in a p 1 1 (mod p) for every integer a with gcd(a, p) = 1 there are infinitely many of them they must be detected and avoided in cryptosystems like RSA 31

Finding Large Primes But there is a true converse of Fermat s theorem Lucas-Lehmer test (rigorous primality test): let n > 3 be odd if for every prime p that divides n 1 there exists a such that a n 1 1 (mod n), but a (n 1)/p 1 (mod n), then n is prime using the test requires knowledge of factorization of n 1 This theorem can be used iteratively to construct large, random primes start with a rather small prime and make it several digits longer in each step test for primality in each iteration 32

Finding Large Primes Constructing large primes: begin with a prime p 1 and let i = 1 repeat the following steps until p i is large enough for a random small k (9 10 digits), let n = 2kp i + 1 if 2 n 1 1(mod n), then n is composite and try another k otherwise, n is probably prime, so try to prove it using Lucas-Lehmer test if you succeed in finding the base a to satisfy the test, then n is proved prime and set p i+1 = n otherwise try a new random k 33

Finding Large Primes Using Lucas-Lehmer approach adds about 10 digits to the length of the prime in each step It is possible to construct large primes faster we can double the size of the prime in one step complete factorization of the candidate prime is not required Pocklington-Lehmer theorem allows us to do so given prime p i set n to 2F p i + 1, where factorization of F is not known the idea is that if p i n, then n is prime 34

More on Primality Tests Given a large number n, can we test whether it is prime without other conditions? History of primality tests development trying all numbers up to n works, but is inefficient this algorithm has been known for over 2000 years applying Fermat s theorem is efficient, but not always works Carmichael numbers satisfy the test as well this theorem was the basis for many efficient primality tests 35

More on Primality Tests History of primality tests development In 1970s randomized polynomial-time algorithms have been developed Miller-Rabin test determines composite numbers with probability at least 1 4 k for a chosen k Solovay-Strassen test determines composite numbers with probability at least 1 2 k In 1983 Adleman, Pomerance, and Rumely achieved a breakthrough they gave the first deterministic test that doesn t require exponential time the algorithm runs in (log n) O(log log log n) 36

More on Primality Tests History of primality tests development Finally, in 2004 Agrawal, Kayal, and Saxena proved that PRIMES is in P their deterministic algorithm runs in O((log n) 15/2 ) time or better the algorithm is based on a generalization of Fermat s theorem History happens even now! 37

Summary Congruences are statements about divisibility their properties often coincide with our intuition, but they also differ Fermat and Euler s theorems provide an alternative way of computing an inverse modulo a number provide a compositeness test To find a large prime either choose a value at random and test for primality construct a prime from smaller values As of 2004, unconditional primality testing is in P 38

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback