CONGRUENCE

Date post: 11-Feb-2016
Upload: sasson
Page 1: CONGRUENCE

CONGRUENCE

․Let m be an integer greater than 1. If x and y are integers, we say that x is congruent to y modulo m if x - y is divisible by m. If x is congruent to y in Zm, we write x ≡ y (mod m);

otherwise, we write x ≇ y (mod m).

Ex1: 3 ≡ 24 (mod 7) because 3 − 24 = −21 is divisible by 7. But 42 ≇ 5 (mod 8), since 42 − 5 = 37 is not divisible by 8. Similarly, 98 ≡ 43 (mod 11) and 4 ≇ 29 (mod 6).

Note: “mod” is also used as a binary operator with two inputs x and n: r ≡ x mod n (e.g. 2 ≡ 12 mod 10), and the output r is called the residue.

Page 2: CONGRUENCE

․Congruences occur in applications involving error-detecting codes. Take the ISBN, a 10-digit code, as an example.

․It consists of four parts: a group code, a publisher code, an identifying number assigned by the publisher, and a check digit (which is used to detect errors in copying or transmitting the ISBN).

․The check digit has 11 possible values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, or X (X representing the number 10). This digit is determined by multiplying the first 9 digits of the ISBN by 10, 9, 8, 7, 6, 5, 4, 3 and 2, respectively, and adding these 9 products to obtain a number y. The check digit d is then chosen so that d + y ≡ 0 (mod 11).

Page 3: CONGRUENCE

Ex2: The check digit is 5 for the ISBN 0-673-38582-5 because

10∙(0) + 9∙(6) + 8∙(7) + 7∙(3) + 6∙(3) + 5∙(8) + 4∙(5) + 3∙(8) + 2∙(2) = 0 + 54 + 56 + 21 + 18 + 40 + 20 + 24 + 4 = 237

and 237 + 5 = 242 ≡ 0 (mod 11)

Likewise, the check digit is 9 for the ISBN 0-321-30515-9 because 10∙(0)+9∙(3)+8∙(2)+7∙(1)+6∙(3)+5∙(0)+4∙(5)+3∙(1)+2∙(5) = 101

and 101 + 9 = 110 ≡ 0 (mod 11)
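The check-digit rule d + y ≡ 0 (mod 11) above, as an added Python example (not from the slides): the two ISBNs are those of Ex2, and the third input is a constructed copy of the first with two digits transposed, to show the residue test catching the error. The function names are chosen here.

```python
# Added example (not from the slides): ISBN-10 check digit via the
# congruence d + y ≡ 0 (mod 11) described on the previous slide.

def isbn10_weighted_sum(first9: str) -> int:
    """y = 10*d1 + 9*d2 + ... + 2*d9 over the first nine digits."""
    if len(first9) != 9 or not first9.isdigit():
        raise ValueError("need exactly nine decimal digits")
    return sum(w * int(d) for w, d in zip(range(10, 1, -1), first9))

def isbn10_check_digit(first9: str) -> str:
    """Choose d in Z11 with d + y ≡ 0 (mod 11); the value 10 is written 'X'."""
    d = (-isbn10_weighted_sum(first9)) % 11
    return "X" if d == 10 else str(d)

def isbn10_is_valid(isbn: str) -> bool:
    """Strip hyphens/spaces and verify the full 10-character code."""
    code = isbn.replace("-", "").replace(" ", "").upper()
    if len(code) != 10 or not code[:9].isdigit():
        return False
    return isbn10_check_digit(code[:9]) == code[9]

# Ex2 values from the slides, plus a constructed transposition error (58 -> 85).
ISBNS = ["0-673-38582-5", "0-321-30515-9", "0-673-38852-5"]
```

Running `isbn10_is_valid` over ISBNS returns True, True, False: the transposed digits change y by 3 (not a multiple of 11), so the congruence fails.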

Page 4: CONGRUENCE

Theorem: Congruence modulo m is an equivalence relation.

• In Z3 the distinct congruence classes are

[0]3 = {…, −6, −3, 0, 3, 6, 9, …}   (−6 ≡ 0 ≡ 3 (mod 3))

[1]3 = {…, −5, −2, 1, 4, 7, 10, …}

[2]3 = {…, −4, −1, 2, 5, 8, 11, …}   (−4 ≡ 5 ≡ 11 (mod 3))

and Z3 = {0, 1, 2} is the set of all least residues modulo 3.

Note 1: Each of the congruence classes in Z3 has many possible representations. For instance, [0]3 = [3]3 = [9]3 = [−12]3 and [2]3 = [−4]3 = [11]3 = [32]3.

Note 2: A congruence class is also called a residue class.

Page 5: CONGRUENCE

․Comparison of Z and Zn using graphs (figure): the number line of Z, …, −(n − 1), …, −8, …, −1, 0, 1, 2, …, 6, …, (n − 1), …, is wrapped onto the n residues 0, 1, 2, …, (n − 2), (n − 1) of Zn. For example x ≡ 1 (mod n) and y ≡ 1 (mod n) land on the same point 1 of Zn, and w ≡ 2 (mod n) lands on 2.

Page 6: CONGRUENCE

( Addition Table in Z10 )

 + | 0 1 2 3 4 5 6 7 8 9
---+--------------------
 0 | 0 1 2 3 4 5 6 7 8 9
 1 | 1 2 3 4 5 6 7 8 9 0
 2 | 2 3 4 5 6 7 8 9 0 1
 3 | 3 4 5 6 7 8 9 0 1 2
 4 | 4 5 6 7 8 9 0 1 2 3
 5 | 5 6 7 8 9 0 1 2 3 4
 6 | 6 7 8 9 0 1 2 3 4 5
 7 | 7 8 9 0 1 2 3 4 5 6
 8 | 8 9 0 1 2 3 4 5 6 7
 9 | 9 0 1 2 3 4 5 6 7 8

( Multiplication Table in Z10 )

 × | 0 1 2 3 4 5 6 7 8 9
---+--------------------
 0 | 0 0 0 0 0 0 0 0 0 0
 1 | 0 1 2 3 4 5 6 7 8 9
 2 | 0 2 4 6 8 0 2 4 6 8
 3 | 0 3 6 9 2 5 8 1 4 7
 4 | 0 4 8 2 6 0 4 8 2 6
 5 | 0 5 0 5 0 5 0 5 0 5
 6 | 0 6 2 8 4 0 6 2 8 4
 7 | 0 7 4 1 8 5 2 9 6 3
 8 | 0 8 6 4 2 0 8 6 4 2
 9 | 0 9 8 7 6 5 4 3 2 1

․In cryptography, if the sender uses an integer as the encryption key, the receiver uses its inverse as the decryption key. If the encryption/decryption algorithm is addition, Zn can be used as the set of possible keys. When the operation is multiplication, a new set Zn*, the subset of Zn whose members have a multiplicative inverse, is needed.

Page 7: CONGRUENCE

Ex3: Some Zn and Zn* sets

Z6 = {0, 1, 2, 3, 4, 5} Z6* = {1, 5}

Z7 = {0, 1, 2, 3, 4, 5, 6} Z7* = {1, 2, 3, 4, 5, 6}

Z10 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9} Z10* = {1, 3, 7, 9}

․Two more sets: Zp is the same as Zn except that n is a prime, i.e. p. Zp* is the same as Zn* except that n is a prime p. Each member of Zp* has an additive and a multiplicative inverse.

For example, p = 13: Z13 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}

Z13* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}

Note: The members of Zn* are all relatively prime (coprime) to n. Zp* is the same except that the modulus (p) is a prime.

Page 8: CONGRUENCE

Euler’s Phi-Function

• Euler’s totient function Φ(n) counts the number of elements in Zn*, i.e.

Φ(1) = 0

Φ(p) = p − 1 (p a prime)

Φ(m×n) = Φ(m)×Φ(n) if m and n are coprime

Φ(p^e) = p^e − p^(e−1)

Ex4: Find the value of Φ(n) if n can be factored as n = p1^e1 × p2^e2 × p3^e3 × … × pk^ek.

Combining the last two rules, we get Φ(n) = (p1^e1 − p1^(e1−1)) × (p2^e2 − p2^(e2−1)) × … × (pk^ek − pk^(ek−1)).

Note: The difficulty of finding Φ(n) depends on the difficulty of finding the factorization of n. Also, the value of Φ(n) is even if n > 2.

Page 9: CONGRUENCE

Ex5: Find the values of Φ(13), Φ(10), Φ(240) and Φ(49). What is the number of elements in Z14*?

∵ 13 is a prime ∴ Φ(13) = 13 − 1 = 12

Φ(10) = Φ(5)×Φ(2) = 4×1 = 4

∵ 240 = 2^4×3^1×5^1 ∴ Φ(240) = (2^4 − 2^3)×(3^1 − 3^0)×(5^1 − 5^0)

Φ(49) ≠ Φ(7)×Φ(7), since m and n need to be coprime. Here 49 = 7^2 ∴ Φ(49) = 7^2 − 7^1 = 42

For the last question, Φ(14) = Φ(7)×Φ(2) = 6×1 = 6 (the members are 1, 3, 5, 9, 11, 13).

Page 10: CONGRUENCE

Fermat’s Little Theorem

․1st version: if p is a prime and t is an integer with p ∤ t, then t^(p−1) ≡ 1 (mod p).

․2nd version: if p is a prime and t is an integer, then t^p ≡ t (mod p).

Ex6: Find the results of 6^10 mod 11 and 3^12 mod 11.

∵ gcd(6, 11) = 1 ∴ 6^10 mod 11 = 1

3^12 mod 11 = (3^11 × 3) mod 11 = (3^11 mod 11)(3 mod 11) = (3)(3) mod 11 = 9 (ref. P. 24)

․Fermat’s theorem gives a quick way to find multiplicative inverses when p is a prime (without using the extended Euclidean algorithm): p ∤ t ⇒ t^−1 mod p = t^(p−2) mod p.

Ex7: 8^−1 mod 17 = 8^(17−2) mod 17 = 8^15 mod 17 = 15 mod 17

Page 11: CONGRUENCE

Euler’s Theorem

․1st version: similar to Fermat’s, except that the modulus n is not necessarily a prime but any integer (t and n coprime): t^Φ(n) ≡ 1 (mod n).

․2nd version: t and n need not be coprime; n = p×q, t < n: t^(k∙Φ(n)+1) ≡ t (mod n), k an integer. (The 2nd version is used in the RSA cryptosystem; see P. 18 and P. 35.)

pf: (1) t is neither a multiple of p nor a multiple of q, i.e. (t, n) = 1:

t^(k∙Φ(n)+1) mod n = (t^Φ(n))^k (t mod n) = (1)^k (t mod n) = t mod n

(2) t is a multiple of p (t = i×p) but not a multiple of q:

t^Φ(n) mod q = (t^Φ(q) mod q)^Φ(p) mod q = 1

t^(k∙Φ(n)) mod q = (t^Φ(n) mod q)^k mod q = 1

so t^(k∙Φ(n)) = 1 + j×q for some integer j, and

t^(k∙Φ(n)+1) = t(1 + j×q) = t + t×j×q = t + (i×j)×q×p = t + (i×j)×n ≡ t (mod n)

(3) t is a multiple of q (t = i×q) but not a multiple of p: the proof is the same as (2).

Page 12: CONGRUENCE

Ex8: Find the results of 6^24 mod 35 and 20^62 mod 77.

∵ n = 35 = 5×7 ∴ Φ(n) = Φ(35) = Φ(5)×Φ(7) = (5 − 1)(7 − 1) = 24

6^24 mod 35 = 6^Φ(35) mod 35 = 1

n = 77 = 7×11, Φ(77) = Φ(7)×Φ(11) = (7 − 1)(11 − 1) = 60

20^62 mod 77 = 20^(61+1) mod 77 = (20^(60+1) mod 77)(20^1 mod 77) = (20^(Φ(77)+1) mod 77)(20) = (20)(20) mod 77 = 15, taking k = 1

․Euler’s theorem can be used to find multiplicative inverses modulo a prime or a composite. If gcd(t, n) = 1, then t^−1 mod n = t^(Φ(n)−1) mod n.

Page 13: CONGRUENCE

Ex9: Using the factorization of the composite to find a multiplicative inverse; 8^−1 mod 77 and 71^−1 mod 100, for example.

∵ 8^59 = (2^3)^59 = (2^10)^17 (2^7), and 1024 mod 77 = 23, 128 mod 77 = 51,

23^2 mod 77 = 67, 67^2 mod 77 = 23, 23×51 = 1173

∴ 8^−1 mod 77 = 8^(Φ(77)−1) mod 77 = 8^59 mod 77 = (23)^17 (51) mod 77 = (23^2)^8 (23)(51) mod 77 = (67)^8 (1173) mod 77 = (23)^4 (18) mod 77 = (67)^2 (18) mod 77 = (23)(18) mod 77 = 29 mod 77

∵ 100 = 2^2×5^2 ∴ Φ(100) = Φ(2^2)×Φ(5^2) = (2^2 − 2^1)(5^2 − 5^1) = 40

Hence, 71^−1 mod 100 = 71^(Φ(100)−1) mod 100 = 71^39 mod 100 = 31 mod 100
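The inverse formulas of P. 10 and P. 12, t^(p−2) mod p and t^(Φ(n)−1) mod n, as an added Python example (not from the slides), checked on Ex7 and Ex9 against the extended Euclidean algorithm that the slides set aside. Φ(n) is counted directly here (small n only); the function names are chosen for this example.

```python
# Added example (not from the slides): multiplicative inverses via Fermat's
# and Euler's theorems, compared with the extended Euclidean algorithm.
from math import gcd

def phi(n: int) -> int:
    """|Zn*| by direct count; for large n use the factorization rule of P. 8."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)

def fermat_inverse(t: int, p: int) -> int:
    """t^-1 mod p = t^(p-2) mod p, valid for a prime p with p not dividing t."""
    if t % p == 0:
        raise ValueError("p divides t: no inverse exists")
    return pow(t, p - 2, p)

def euler_inverse(t: int, n: int) -> int:
    """t^-1 mod n = t^(Phi(n)-1) mod n, valid when gcd(t, n) = 1."""
    if gcd(t, n) != 1:
        raise ValueError("gcd(t, n) != 1: no inverse exists")
    return pow(t, phi(n) - 1, n)

def egcd_inverse(t: int, n: int) -> int:
    """Extended Euclidean algorithm: the coefficient s with s*t ≡ 1 (mod n)."""
    old_r, r = t % n, n
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("gcd(t, n) != 1: no inverse exists")
    return old_s % n
```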

Page 14: CONGRUENCE

Theorem: If x ≡ x’ (mod m) and y ≡ y’ (mod m), then (1) x + y ≡ x’ + y’ (mod m) and (2) x∙y ≡ x’∙y’ (mod m).

Ex10: In Z6 we have

[3]6 + [5]6 = [3 + 5]6 = [8]6 = [2]6

since 8 ≡ 2 (mod 6). Also, [3]6∙[5]6 = [3∙5]6 = [15]6 = [3]6

because 15 ≡ 3 (mod 6); and [8]6^4 = [2]6^4 = [2^4]6 = [16]6 = [4]6

since 8 ≡ 2 (mod 6) and 16 ≡ 4 (mod 6).

Page 15: CONGRUENCE

THE EUCLIDEAN ALGORITHM

Theorem: Let a, b, c, and q be integers with b > 0. If a = b∙q + c, then gcd(a,b) = gcd(b,c).

Ex11: Find the greatest common divisor of 804 and 654.

804 = 654∙1 + 150, 0 ≤ 150 < 654
654 = 150∙4 + 54, 0 ≤ 54 < 150
150 = 54∙2 + 42
54 = 42∙1 + 12
42 = 12∙3 + 6
12 = 6∙2 + 0

Then gcd(804, 654) = gcd(654, 150) = … = gcd(6, 0) = 6.

Page 16: CONGRUENCE

THE RSA METHOD

․ Plaintext: I HAVE A COOKIE. Replace each letter of the plaintext with the letter that follows it in the alphabet.

․ Ciphertext: J IBWF B DPPLJF

The system relies on a key known only to those taking part in the secret communication, for example “replace each plaintext letter with the following letter”. But without a prearranged encryption/decryption rule, how can one communicate confidentially with a person or an organization? For instance, when a credit card number for online shopping is transmitted as ciphertext.

․ The answer is to use a public key: anyone is allowed to encrypt, but decryption is hard, because some operations are difficult to reverse (only those who know the system can decrypt easily). For example, multiplying two large primes: 71∙59 = 4189, but working backwards to find which two primes have the product 4189 is clearly much harder.

Page 17: CONGRUENCE

․RSA: the message is first converted into a sequence of numbers in some standard way (e.g. the table below).

Ex12: I LOVE YOU → 09 00 12 15 22 05 00 25 15 21; grouped three digits at a time: 090 012 152 205 002 515 210

․ Converting the message into numbers is not encryption; to reverse it, just regroup into two digits at a time and use the table. For example: 041 815 160 004 050 104 → 04 18 15 16 00 04 05 01 04 → DROP DEAD

Symbol  Number
space   00
A  01   B  02   C  03   D  04   E  05   F  06
G  07   H  08   I  09   J  10   K  11   L  12   M  13
N  14   O  15   P  16   Q  17   R  18   S  19   T  20
U  21   V  22   W  23   X  24   Y  25   Z  26

Page 18: CONGRUENCE

․In the RSA method, the actual enciphering consists of modular exponentiation in Zn; i.e. if the plaintext is P1, P2, P3, … and Ci ≡ Pi^E (mod n) for each i, 0 ≤ Ci < n (E for enciphering), then the ciphertext is C1, C2, C3, …

Ex13: Suppose that n = 33, E = 3, and the plaintext is 8, 7, 20, 3, 11, 13.

∵ 8^3 = 512 and 512 ≡ 17 (mod 33), the ciphertext corresponding to 8 is 17. 7^3 = 343 ≡ 13 (mod 33), so 7 is enciphered as 13. The entire enciphered message is 17, 13, 14, 27, 11, 19.

Page 19: CONGRUENCE

․ To be closer to practice, take n = 1189, which allows three-digit numbers in the plaintext, e.g. 090 012 152 205 002 515 210 (I LOVE YOU).

If we take E = 101, encryption requires computing 90^101 mod 1189, 12^101 mod 1189, 152^101 mod 1189, 205^101 mod 1189, 2^101 mod 1189, 515^101 mod 1189, 210^101 mod 1189.

․ 90^101 has 198 digits (and still has to be divided by 1189); this is wasted work, since we only need a remainder of at most four digits (∵ 1189 has four digits). Moreover, real-world implementations use numbers far larger than these for security, e.g. not 1189 but a number of about 400 digits (so that the power of the plaintext would be too large for any computer to handle).

․ Solution: return to the 1189 example and break the exponent down so that no intermediate result exceeds the calculator’s range; i.e. compute 90^101 step by step in Z1189, as follows.

Page 20: CONGRUENCE

90^2 = 8100 ≡ 966 (mod 1189)
90^3 ≡ 966∙90 = 86940 ≡ 143 (mod 1189)
90^4 ≡ 143∙90 = 12870 ≡ 980 (mod 1189)
: :

․ Repeated squaring is even better:

90^2 = 8100 ≡ 966 (mod 1189)
90^4 ≡ 966^2 = 933156 ≡ 980 (mod 1189)
90^8 ≡ 980^2 = 960400 ≡ 877 (mod 1189)
90^16 ≡ 877^2 = 769129 ≡ 1035 (mod 1189)
90^32 ≡ 1035^2 = 1071225 ≡ 1125 (mod 1189)
90^64 ≡ 1125^2 = 1265625 ≡ 529 (mod 1189)

∵ 101 = 1 + 4 + 32 + 64 ∴ 90^101 = 90^1∙90^4∙90^32∙90^64 ≡ 90∙980∙1125∙529 ≡ 582 (mod 1189)
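The repeated-squaring method above and the RSA enciphering rule of P. 18, as an added Python example (not from the slides): the chain of squares is kept so the intermediate values of P. 20 are visible, then the same routine enciphers the Ex13 plaintext with n = 33, E = 3. Function names are chosen here.

```python
# Added example (not from the slides): square-and-multiply for P_i^E mod n,
# with the chain of squares exposed, used for RSA enciphering (Ex13, P. 19-20).

def square_chain(base: int, exponent: int, n: int) -> list:
    """[base^1, base^2, base^4, ...] mod n, one entry per bit the exponent has."""
    chain, cur = [], base % n
    while (1 << len(chain)) <= exponent:
        chain.append(cur)
        cur = cur * cur % n          # each step squares the previous residue
    return chain

def powmod(base: int, exponent: int, n: int) -> int:
    """Multiply together the chain entries whose exponent bit is 1."""
    result = 1 % n
    for bit, sq in enumerate(square_chain(base, exponent, n)):
        if exponent >> bit & 1:
            result = result * sq % n
    return result

def rsa_encipher(plaintext: list, E: int, n: int) -> list:
    """C_i = P_i^E mod n for each block P_i; blocks must satisfy 0 <= P_i < n."""
    if any(not 0 <= p < n for p in plaintext):
        raise ValueError("each plaintext block must lie in Zn")
    return [powmod(p, E, n) for p in plaintext]
```

For 90^101 mod 1189 the chain is 90, 966, 980, 877, 1035, 1125, 529 and the bits of 101 = 1 + 4 + 32 + 64 select 90, 980, 1125 and 529, giving 582 as on the slide.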

Page 21: CONGRUENCE

Linear Congruence

․Cryptography often involves solving an equation, or a set of equations, in one or more variables with coefficients in Zn. Let’s solve equations in one variable where the power of the variable is 1 (a linear equation), i.e. E∙x ≡ k (mod b).

․Assume gcd(E, b) = d. There is no solution if d ∤ k. There are d solutions if d | k, and one can use the following strategy to find them.

1. Reduce the equation by dividing both sides (including the modulus) by d.
2. Multiply both sides of the reduced equation by the multiplicative inverse of E to find the particular solution x0.
3. The general solutions are x = x0 + t∙(b/d) for t = 0, 1, 2, …, (d − 1).

Page 22: CONGRUENCE

Ex14: Solve the equation 10∙x ≡ 2 (mod 15). ∵ gcd(10, 15) = 5 ∤ 2 ∴ no solution.

Ex15: Solve the equation 14∙x ≡ 12 (mod 18). ∵ gcd(14, 18) = 2 | 12 ∴

14∙x ≡ 12 (mod 18) → 7∙x ≡ 6 (mod 9) → x ≡ 6∙(7^−1) (mod 9), x0 = 6∙(4) (mod 9) = 6

x1 = x0 + 1∙(18/2) = 15 (two solutions!)

Ex16: Solve the equation 3∙x + 4 ≡ 6 (mod 13). We first change it to the form E∙x ≡ k (mod b) by adding −4, which gives 3∙x ≡ 2 (mod 13). ∵ gcd(3, 13) = 1 ∴ x0 = (2∙3^−1) (mod 13) = 5 (only one solution!)
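The three-step strategy of P. 21, as an added Python example (not from the slides) that returns all d solutions or none, run on Ex14 to Ex16. Function names are chosen here; `pow(E, -1, b)` is Python 3.8+ syntax for the modular inverse.

```python
# Added example (not from the slides): solving E*x ≡ k (mod b) by the
# reduce / invert / spread-out strategy of P. 21.
from math import gcd

def solve_linear_congruence(E: int, k: int, b: int) -> list:
    """All x in Zb with E*x ≡ k (mod b); [] when gcd(E, b) does not divide k."""
    d = gcd(E, b)
    if k % d != 0:
        return []                                   # Ex14: 5 does not divide 2
    E_red, k_red, b_red = E // d, k // d, b // d    # step 1: divide through by d
    x0 = k_red * pow(E_red, -1, b_red) % b_red      # step 2: multiply by E^-1
    return [x0 + t * b_red for t in range(d)]       # step 3: d solutions, spaced b/d

def solve_affine(E: int, c: int, k: int, b: int) -> list:
    """E*x + c ≡ k (mod b): first move c across, as in Ex16, then solve."""
    return solve_linear_congruence(E, (k - c) % b, b)

def check_solutions(E: int, k: int, b: int, xs: list) -> bool:
    """Every returned x satisfies the original congruence."""
    return all((E * x - k) % b == 0 for x in xs)
```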

Page 23: CONGRUENCE

․The multiplicative inverse of a matrix is defined only for square matrices and exists only if det(A) has a multiplicative inverse in the corresponding set. Thus, there is no multiplicative inverse of a matrix in Z. However, matrices with real elements have inverses only if det(A) ≠ 0. We write B = A^−1 (or A = B^−1) if A×B = B×A = I.

∙ Residue Matrix: a matrix with all elements in Zn and all operations done in modular arithmetic. It has a multiplicative inverse if gcd(det(C), n) = 1.

Ex17: a residue matrix C in Z26 and its inverse C^−1 (figure). Interesting result: det(C) = 21, which has a multiplicative inverse in Z26 (21^−1 mod 26 = 5), so C^−1 exists in Z26.

Page 24: CONGRUENCE

․Two matrices are congruent modulo n, written A ≡ B (mod n), if they have the same number of rows and columns and all corresponding elements are congruent modulo n. That is, A ≡ B (mod n) if aij ≡ bij (mod n) for all i and j.

․Justification for P. 10: Suppose m mod n = r and k mod n = c, i.e. m = b∙n + r and k = d∙n + c. Then

(m∙k) mod n = ((b∙n + r)(d∙n + c)) mod n = (b∙d∙n^2 + (b∙c + r∙d)∙n + r∙c) mod n = (r∙c) mod n = ((m mod n)(k mod n)) mod n

Page 25: CONGRUENCE

Linear Equations with Same Modulus

․We make three matrices: a square, invertible matrix from the coefficients of the variables, and two column matrices from the variables and from the values on the right-hand side of the congruence operator, respectively. If both sides are multiplied by the multiplicative inverse of the first matrix, the variable matrix is isolated and the system can be solved as follows:

a11 x1 + a12 x2 + … + a1n xn ≡ b1 (mod m)

a21 x1 + a22 x2 + … + a2n xn ≡ b2 (mod m)

:

an1 x1 + an2 x2 + … + ann xn ≡ bn (mod m)

In matrix form, with A = [aij], x = [x1 x2 … xn]^T and b = [b1 b2 … bn]^T:

A∙x ≡ b (mod m) ⇒ x ≡ A^−1∙b (mod m)

Page 26: CONGRUENCE

Ex18: Solve the set of two equations: 3x + 5y ≡ 4 (mod 5), 2x + y ≡ 3 (mod 5). The matrix formed by the set of equations is invertible; x and y play the role of x1 and x2.

[3 5; 2 1] [x; y] ≡ [4; 3] (mod 5) ⇒ [x; y] ≡ [3 5; 2 1]^−1 [4; 3] ≡ [3; 2] (mod 5)

The answer is x ≡ 3 (mod 5) and y ≡ 2 (mod 5).

Page 27: CONGRUENCE

Ex19: Solve the set of three equations: 3x + 5y + 7z ≡ 3 (mod 16), x + 4y + 13z ≡ 5 (mod 16), 2x + 7y + 3z ≡ 4 (mod 16). The matrix formed by the set of equations is invertible; x, y and z play the role of x1, x2 and x3.

[3 5 7; 1 4 13; 2 7 3] [x; y; z] ≡ [3; 5; 4] (mod 16) ⇒ [x; y; z] ≡ [3 5 7; 1 4 13; 2 7 3]^−1 [3; 5; 4] ≡ [15; 4; 14] (mod 16)

The answer is x ≡ 15 (mod 16), y ≡ 4 (mod 16), z ≡ 14 (mod 16).
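The residue-matrix inverse of P. 23 and the system solving of P. 25 to P. 27, as an added Python example (not from the slides): A^−1 is built as det(A)^−1 times the adjugate in Zm, which works for a composite modulus such as 16 where naive Gaussian elimination can run out of unit pivots; the invertibility test gcd(det(A), m) = 1 is enforced. Checked on Ex18 and Ex19; function names are chosen here.

```python
# Added example (not from the slides): inverse of a residue matrix in Zm and
# solution of A x ≡ b (mod m) by x ≡ A^-1 b (mod m).
from math import gcd

def det_mod(A: list, m: int) -> int:
    """det(A) mod m by cofactor expansion along the first row (small matrices)."""
    n = len(A)
    if n == 0:
        return 1 % m
    if n == 1:
        return A[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in A[1:]]
        total += (-1) ** j * A[0][j] * det_mod(minor, m)
    return total % m

def inverse_mod(A: list, m: int) -> list:
    """A^-1 in Zm as det(A)^-1 * adj(A); exists only when gcd(det(A), m) = 1."""
    n = len(A)
    d = det_mod(A, m)
    if gcd(d, m) != 1:
        raise ValueError("det(A) has no multiplicative inverse in Zm")
    d_inv = pow(d, -1, m)
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]
            cofactor = (-1) ** (i + j) * det_mod(minor, m)
            inv[j][i] = cofactor * d_inv % m      # adjugate = transposed cofactors
    return inv

def solve_mod(A: list, b: list, m: int) -> list:
    """x ≡ A^-1 b (mod m) for the square system A x ≡ b (mod m)."""
    inv = inverse_mod(A, m)
    n = len(b)
    return [sum(inv[i][j] * b[j] for j in range(n)) % m for i in range(n)]

def matmul_mod(A: list, B: list, m: int) -> list:
    """(A × B) mod m, used to confirm A × A^-1 ≡ I."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % m for j in range(len(B[0]))] for i in range(len(A))]
```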

Page 28: CONGRUENCE

Chinese Remainder Theorem

․It is used to solve a set of congruences in one variable with different moduli that are coprime; such a set has a unique solution, as shown below:

x ≡ a1 (mod m1)
x ≡ a2 (mod m2)
:
x ≡ ak (mod mk)

The solution follows these steps:

1. Find M = m1 × m2 × … × mk, which is the common modulus.
2. Find M1 = M/m1, M2 = M/m2, …, Mk = M/mk.
3. Find the multiplicative inverses of M1, M2, …, Mk using the corresponding moduli (m1, m2, …, mk). Call the inverses M1^−1, M2^−1, …, Mk^−1.
4. The solution is x = (a1 × M1 × M1^−1 + a2 × M2 × M2^−1 + … + ak × Mk × Mk^−1) mod M.

Page 29: CONGRUENCE

Note: The set of equations can have a solution even if the moduli are not relatively prime but meet other conditions. However, we are interested in solving questions with coprime moduli in cryptography.

Ex20: Find the solution to the simultaneous equations x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).

1. M = 3 × 5 × 7 = 105
2. M1 = 105/3 = 35, M2 = 105/5 = 21, M3 = 105/7 = 15
3. M1^−1 = 2, M2^−1 = 1, M3^−1 = 1
4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105 = 23 mod 105

Ex21: Find the solution to the equations x ≡ 3 (mod 7), x ≡ 3 (mod 13), x ≡ 0 (mod 12). Ans: x = 276

Page 30: CONGRUENCE

․The Chinese remainder theorem is also used to solve quadratic congruences and to represent a very large integer as a list of small integers.

Ex22: Calculate z = x + y where x = 123 and y = 334, but the system accepts only numbers less than 100.

These numbers can be represented as:

x ≡ 24 (mod 99)   y ≡ 37 (mod 99)
x ≡ 25 (mod 98)   y ≡ 40 (mod 98)
x ≡ 26 (mod 97)   y ≡ 43 (mod 97)

Adding each congruence in x to the corresponding congruence in y gives

z = x + y ≡ 61 (mod 99)
z = x + y ≡ 65 (mod 98)
z = x + y ≡ 69 (mod 97)

Now solve them using the Chinese remainder theorem, and one answer is z = 457.

Page 31: CONGRUENCE

Quadratic Congruence

․Equations of the form a2x^2 + a1x + a0 ≡ 0 (mod n) are quadratic congruences, but we limit ourselves to x^2 ≡ a (mod n).

(1) Quadratic congruence modulo a prime, i.e. n is a prime p and p ∤ a (proved to have either no solution or exactly two incongruent solutions).

Ex23: x^2 ≡ 3 (mod 11), 11 ∤ 3, has two solutions: x ≡ ±5 (mod 11), but note that −5 ≡ 6 (mod 11). These two solutions are incongruent. Here 3 (= a) is called a quadratic residue (QR).

Ex24: x^2 ≡ 2 (mod 11), 11 ∤ 2, however, has no solution. 2 (= a) is called a quadratic nonresidue (QNR).

Note: Of the elements of Zp*, (p − 1)/2 are QR and (p − 1)/2 are QNR.

ex: QR set of Z11* = {1, 3, 4, 5, 9}, QNR set of Z11* = {2, 6, 7, 8, 10}

Page 32: CONGRUENCE

Euler’s Criterion: how to check whether an integer a is a QR modulo p?

(1) If a^((p − 1)/2) ≡ 1 (mod p), a is a QR modulo p.
(2) If a^((p − 1)/2) ≡ −1 (mod p), a is a QNR modulo p.

Ex25: Find out whether 14 or 16 is a QR in Z23*.

14^((23 − 1)/2) mod 23 = 14^11 mod 23 ≡ 22 (mod 23) ≡ −1 (mod 23) ….. QNR
16^((23 − 1)/2) mod 23 = 16^11 mod 23 ≡ 1 (mod 23) ….. QR

․But Euler’s criterion cannot find the solution to x^2 ≡ a (mod n). Note that a prime can be either p = 4k + 1 or p = 4k + 3, k∊N. We restrict ourselves to the second case, since solving the first case is very involved. ∵ p = 4k + 3 ⇒ p ≡ 3 (mod 4); if a is a QR in Zp*, then

X ≡ a^((p + 1)/4) (mod p) and X ≡ −a^((p + 1)/4) (mod p)

Page 33: CONGRUENCE

Ex26: Solve the following: x^2 ≡ 3 (mod 23) and x^2 ≡ 2 (mod 11).

∵ (p + 1)/4 = 6 ∴ X ≡ ±3^6 (mod 23) ≡ ±16 (mod 23)

2 is a QNR in Z11, so x^2 ≡ 2 has no solution in Z11.

(2) Quadratic congruence modulo a composite: can be done by solving a set of congruences modulo primes, i.e. we have to factorize n if it is solvable.

x^2 ≡ a (mod n), n = p1∙p2∙…∙pk

x^2 ≡ a1 (mod p1), x^2 ≡ a2 (mod p2), …, x^2 ≡ ak (mod pk)

x1 ≡ ±b1 (mod p1), x2 ≡ ±b2 (mod p2), …, xk ≡ ±bk (mod pk)

There are 2^k sets of equations to be solved from the k pairs of answers, and 2^k values of x are obtained by the Chinese remainder theorem. However, in cryptography n is made such that n = p × q, which means k = 2, and we have only four answers.

Page 34: CONGRUENCE

Ex27: Solve x^2 ≡ 36 (mod 77).

x^2 ≡ 36 (mod 7) ≡ 1 (mod 7), x^2 ≡ 36 (mod 11) ≡ 3 (mod 11)

x ≡ 1^((7 + 1)/4) mod 7 ≡ ±1 (mod 7), x ≡ 3^((11 + 1)/4) mod 11 ≡ ±5 (mod 11)

Now, the 2^2 (= 2^k) sets of equations out of these are

x ≡ 1 (mod 7), x ≡ 5 (mod 11)
x ≡ 1 (mod 7), x ≡ −5 (mod 11)
x ≡ −1 (mod 7), x ≡ 5 (mod 11)
x ≡ −1 (mod 7), x ≡ −5 (mod 11)

The answers are x = ±6, ±27.
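The Chinese remainder theorem steps of P. 28 (Ex20 to Ex22) and the quadratic-congruence procedure of P. 31 to P. 34 (Euler's criterion, the p ≡ 3 (mod 4) square root, and the 2^k CRT combinations of Ex27), as one added Python example (not from the slides) since both need the same CRT routine. Function names are chosen here; moduli are assumed pairwise coprime and the primes distinct and ≡ 3 (mod 4), as on the slides.

```python
# Added example (not from the slides): CRT solver plus square roots modulo a
# prime p ≡ 3 (mod 4) and modulo a product of such primes (P. 28, P. 32-34).
from itertools import product
from math import gcd

def crt(residues: list, moduli: list) -> int:
    """x ≡ a_i (mod m_i) for pairwise coprime m_i; steps 1-4 of P. 28."""
    for i, m in enumerate(moduli):
        if any(gcd(m, m2) != 1 for m2 in moduli[i + 1:]):
            raise ValueError("moduli must be pairwise coprime")
    M = 1
    for m in moduli:
        M *= m                                    # step 1: common modulus
    x = 0
    for a, m in zip(residues, moduli):
        Mi = M // m                               # step 2: M_i = M / m_i
        Mi_inv = pow(Mi, -1, m)                   # step 3: M_i^-1 mod m_i
        x += a * Mi * Mi_inv                      # step 4: sum of a_i M_i M_i^-1
    return x % M

def is_quadratic_residue(a: int, p: int) -> bool:
    """Euler's criterion for an odd prime p with p ∤ a: a^((p-1)/2) ≡ 1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == 1

def sqrt_mod_prime(a: int, p: int) -> list:
    """Both roots of x^2 ≡ a (mod p) for a prime p ≡ 3 (mod 4); [] if a is a QNR."""
    if p % 4 != 3:
        raise ValueError("only the p ≡ 3 (mod 4) case is handled here")
    if a % p == 0:
        return [0]
    if not is_quadratic_residue(a, p):
        return []
    r = pow(a, (p + 1) // 4, p)                   # X ≡ ±a^((p+1)/4) (mod p)
    return sorted({r, (-r) % p})

def sqrt_mod_composite(a: int, primes: list) -> list:
    """All roots of x^2 ≡ a (mod n), n = product of distinct primes ≡ 3 (mod 4)."""
    roots_per_prime = [sqrt_mod_prime(a, p) for p in primes]
    if any(not roots for roots in roots_per_prime):
        return []                                 # a QNR modulo some prime: no root
    # one CRT instance per sign pattern: 2^k combinations, four when n = p*q
    return sorted(crt(list(choice), primes) for choice in product(*roots_per_prime))
```

For Ex27, `sqrt_mod_composite(36, [7, 11])` returns [6, 27, 50, 71], i.e. ±6 and ±27 modulo 77.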

Page 35: CONGRUENCE

Decryption with the RSA method

․ Encryption uses modular exponentiation, and so does decryption, just with a different exponent. Recall that the modulus n is the product of two large primes; suppose n = p∙q, where in practice p and q are very large numbers (p ≠ q), e.g. each about 200 digits (so that n is about 400 digits).

․ First, choose the encryption exponent E such that gcd(E, b) = 1, where b = (p − 1)∙(q − 1). By Gabriel Lamé’s theorem, the number of divisions required is at most 5∙400 = 2000 (an amount of computation a computer does easily; moreover, most positive odd E < n satisfy the condition).

․ The exponent D used for decryption is the least positive integer solution x of the congruence E∙x ≡ 1 (mod b). D is sometimes called a private key.

Page 36: CONGRUENCE

Ex28: Recall that E = 3, n = 33 = 3∙11, and the enciphered message is 17, 13, 14, 27, 11, 19. ∵ b = (3 − 1)(11 − 1) = 20, and 3∙x ≡ 1 (mod 20) ∴ x = 7 = D.

17^D = 17^7 = 410338673 = 12434505∙33 + 8 ≡ 8 (mod 33). Similarly, 13^7 = 62748517 ≡ 7 (mod 33), the same as in Ex13.

Ex29: How do we recover p and q in order to solve 101∙x ≡ 1 (mod b), where n = 1189 = p∙q, E = 101 and b = (p − 1)∙(q − 1)? The key point is in the following theorem.

Page 37: CONGRUENCE

Theorem: If the integer n > 1 is not prime, then n has a prime factor no larger than √n.

․ According to the theorem above, since √1189 ≈ 34.5, we could check whether 1189 is divisible by any prime less than 34. Actually 1189/29 = 41, and so 1189 = 29∙41, i.e. p = 29, q = 41 and b = (29 − 1)∙(41 − 1) = 1120. Then we solve 101∙x ≡ 1 (mod 1120), and the least positive integer solution is x = 621 = D.

Ex30: Decipher 582, corresponding to plaintext 90, when n = 1189 and E = 101. Ans: 582^621 = 582^(512+64+32+8+4+1) ≡ 90 (mod 1189)
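The key-recovery steps of P. 36 and P. 37 (Ex28 to Ex30), as an added Python example (not from the slides): trial division up to √n using the theorem above, then b, D and the deciphering exponentiation. Function names are chosen here; the sizes are the slides' toy values, and the point of P. 38 is precisely that this factoring step is what stops scaling to a 400-digit n.

```python
# Added example (not from the slides): recovering p, q, b and D for the toy
# RSA moduli of Ex28-Ex30, then deciphering with C^D mod n.
from math import gcd, isqrt

def smallest_prime_factor(n: int) -> int:
    """P. 37 theorem: a composite n > 1 has a prime factor <= sqrt(n); returns n if prime."""
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return d
    return n

def rsa_private_exponent(E: int, p: int, q: int) -> int:
    """Least positive D with E*D ≡ 1 (mod b), b = (p-1)(q-1); requires gcd(E, b) = 1."""
    b = (p - 1) * (q - 1)
    if gcd(E, b) != 1:
        raise ValueError("E must be coprime to (p-1)(q-1)")
    return pow(E, -1, b)

def recover_private_exponent(E: int, n: int) -> tuple:
    """(p, q, D) from the public pair (E, n) by trial-dividing n up to sqrt(n)."""
    p = smallest_prime_factor(n)
    q = n // p
    if p == n or q == 1 or smallest_prime_factor(q) != q:
        raise ValueError("n is not a product of two primes")
    return p, q, rsa_private_exponent(E, p, q)

def rsa_decipher(ciphertext: list, D: int, n: int) -> list:
    """P_i = C_i^D mod n, undoing C_i = P_i^E mod n (Euler's theorem, 2nd version)."""
    return [pow(c, D, n) for c in ciphertext]
```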

Page 38: CONGRUENCE

Feasibility of RSA

․E could be called the public key, but p and q are kept secret. One has to recover p and q before computing b, and then obtain D from E∙x ≡ 1 (mod b) in order to decipher and get the plaintext.

․Why can’t anyone factor n, a number of about 400 decimal digits? According to the previous theorem, we could divide n by the primes no larger than √n (i.e. primes ≤ 10^200). Moreover, we can reduce the number of candidates by restricting ourselves to odd numbers, which gives 10^200/2.

For a computer performing 10^9 divisions per second, however, it would take 3.17∙10^183 years to finish checking!

