Page 1: CONGRUENCE

• Let m be an integer greater than 1. If x and y are integers, we say that x is congruent to y modulo m if x - y is divisible by m. If x is congruent to y in Zm, we write x ≡ y (mod m); otherwise, we write x ≇ y (mod m).

Ex1: 3 ≡ 24 (mod 7) because 3 - 24 = -7 is divisible by 7. But 42 ≇ 5 (mod 8), since 42 - 5 = 37 is not divisible by 8. Similarly, 98 ≡ 43 (mod 11) and 4 ≇ 29 (mod 6).

Note: "mod" is also used as a binary operator with two inputs x and n: r ≡ x mod n (e.g. 2 ≡ 12 mod 10), and the output r is called the residue.

Page 2

• Congruences occur in applications involving error-detecting codes. Take the ISBN for an example, which is a 10-digit code.

• It consists of four parts: a group code, a publisher code, an identifying number assigned by the publisher, and a check digit (which is used to detect errors in copying or transmitting the ISBN).

• The check digit has 11 possible values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, or X (X representing the number 10). This digit is determined by multiplying the first 9 digits of the ISBN by 10, 9, 8, 7, 6, 5, 4, 3 and 2, respectively, and adding these 9 products to obtain a number y. The check digit d is then chosen so that d + y ≡ 0 (mod 11).

Page 3

Ex2: The check digit is 5 for the ISBN 0-673-38582-5 because

10∙(0) + 9∙(6) + 8∙(7) + 7∙(3) + 6∙(3) + 5∙(8) + 4∙(5) + 3∙(8) + 2∙(2) = 0 + 54 + 56 + 21 + 18 + 40 + 20 + 24 + 4 = 237

and 237 + 5 = 242 ≡ 0 (mod 11).

Likewise, the check digit is 9 for the ISBN 0-321-30515-9 because

10∙(0) + 9∙(3) + 8∙(2) + 7∙(1) + 6∙(3) + 5∙(0) + 4∙(5) + 3∙(1) + 2∙(5) = 101

and 101 + 9 = 110 ≡ 0 (mod 11).
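The check-digit rule above, implemented as an added example (not code from the original slides): the weighted sum y, the choice of d with d + y ≡ 0 (mod 11), validation of a complete ISBN string, and a check that swapping two digits is caught. The function names are this example's own.

```python
# Added example (not from the original slides): ISBN-10 check digit via the
# weighted sum d + y ≡ 0 (mod 11), plus validation of a complete ISBN string.
# Function names are this example's own choice.

def isbn10_weighted_sum(first_nine: str) -> int:
    """y = 10*d1 + 9*d2 + ... + 2*d9 over the first nine digits."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("need exactly nine decimal digits")
    return sum(w * int(d) for w, d in zip(range(10, 1, -1), first_nine))


def isbn10_check_digit(first_nine: str) -> str:
    """Choose d with d + y ≡ 0 (mod 11); the value 10 is written as 'X'."""
    d = (-isbn10_weighted_sum(first_nine)) % 11
    return "X" if d == 10 else str(d)


def is_valid_isbn10(isbn: str) -> bool:
    """Accept hyphenated or plain form; the check digit may be 0-9 or X/x."""
    digits = isbn.replace("-", "").replace(" ", "")
    if len(digits) != 10:
        return False
    body, check = digits[:9], digits[9].upper()
    if not body.isdigit() or check not in "0123456789X":
        return False
    return isbn10_check_digit(body) == check


def transposition_detected(isbn: str, i: int, j: int) -> bool:
    """Swap the symbols at positions i and j of a valid ISBN and report whether
    the checksum catches it. With weights 10..2 (and 1 for the check digit)
    and modulus 11, swapping two different digits changes the total by
    (w_i - w_j)(d_j - d_i), which is never 0 mod 11, so the swap is always
    detected unless the two symbols are equal."""
    digits = list(isbn.replace("-", ""))
    if digits[i] == digits[j]:
        return False
    digits[i], digits[j] = digits[j], digits[i]
    return not is_valid_isbn10("".join(digits))


if __name__ == "__main__":
    for body in ("067338582", "032130515"):
        print(body, "-> y =", isbn10_weighted_sum(body), "d =", isbn10_check_digit(body))
    print(is_valid_isbn10("0-673-38582-5"), is_valid_isbn10("0-673-83582-5"))
```

Because 11 is prime and every weight difference is smaller than 11, the code detects every single-digit error and every transposition of two distinct digits; a modulus of 10 would miss some of them.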

Page 4

Theorem: Congruence modulo m is an equivalence relation.

• In Z3 the distinct congruence classes are

[0]₃ = {…, -6, -3, 0, 3, 6, 9, …}      (-6 ≡ 0 ≡ 3 (mod 3))
[1]₃ = {…, -5, -2, 1, 4, 7, 10, …}
[2]₃ = {…, -4, -1, 2, 5, 8, 11, …}     (-4 ≡ 5 ≡ 11 (mod 3))

and Z3 = {0, 1, 2} is the set of all least residues modulo 3.

Note 1: Each of the congruence classes in Z3 has many possible representations. For instance, [0]₃ = [3]₃ = [9]₃ = [-12]₃ and [2]₃ = [-4]₃ = [11]₃ = [32]₃.

Note 2: A congruence class is also called a residue class (the term used when mod is viewed as a binary operation).

Page 5

• Comparison of Z and Zn using graphs (figure; only its labels survive extraction): the number line Z, labelled …, -(n - 1), …, -8, …, -1, 0, 1, 2, …, 6, …, (n - 1), …, is wrapped onto the circle Zn with points 0, 1, 2, …, (n - 2), (n - 1); the figure marks x ≡ 1 (mod n), y ≡ 1 (mod n) and w ≡ 2 (mod n).

Page 6

• In cryptography, if the sender uses an integer as the encryption key, the receiver uses its inverse as the decryption key. If the encryption/decryption algorithm is addition, Zn can be used as the set of possible keys. When the operation is multiplication, a new set Zn*, the subset of Zn whose members have a multiplicative inverse, is needed.

Addition table in Z10:

 +  | 0 1 2 3 4 5 6 7 8 9
----+--------------------
 0  | 0 1 2 3 4 5 6 7 8 9
 1  | 1 2 3 4 5 6 7 8 9 0
 2  | 2 3 4 5 6 7 8 9 0 1
 3  | 3 4 5 6 7 8 9 0 1 2
 4  | 4 5 6 7 8 9 0 1 2 3
 5  | 5 6 7 8 9 0 1 2 3 4
 6  | 6 7 8 9 0 1 2 3 4 5
 7  | 7 8 9 0 1 2 3 4 5 6
 8  | 8 9 0 1 2 3 4 5 6 7
 9  | 9 0 1 2 3 4 5 6 7 8

Multiplication table in Z10:

 ×  | 0 1 2 3 4 5 6 7 8 9
----+--------------------
 0  | 0 0 0 0 0 0 0 0 0 0
 1  | 0 1 2 3 4 5 6 7 8 9
 2  | 0 2 4 6 8 0 2 4 6 8
 3  | 0 3 6 9 2 5 8 1 4 7
 4  | 0 4 8 2 6 0 4 8 2 6
 5  | 0 5 0 5 0 5 0 5 0 5
 6  | 0 6 2 8 4 0 6 2 8 4
 7  | 0 7 4 1 8 5 2 9 6 3
 8  | 0 8 6 4 2 0 8 6 4 2
 9  | 0 9 8 7 6 5 4 3 2 1

(Only the rows 1, 3, 7 and 9 of the multiplication table contain a 1, so Z10* = {1, 3, 7, 9}.)

Page 7

Ex3: Some Zn and Zn* sets

Z6 = {0, 1, 2, 3, 4, 5}                       Z6* = {1, 5}
Z7 = {0, 1, 2, 3, 4, 5, 6}                    Z7* = {1, 2, 3, 4, 5, 6}
Z10 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}          Z10* = {1, 3, 7, 9}

• Two more sets: Zp is the same as Zn except that n is a prime, i.e. p. Zp* is the same as Zn* except that n is a prime p. Each member in Zp* has an additive and a multiplicative inverse. For example, p = 13:

Z13 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
Z13* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}

Note: Members of Zn* are all relatively prime (coprime) to n. Zp* is the same except that the modulus (p) is a prime.

Page 8

Euler's Phi-Function

• Euler's totient function Φ(n) counts the number of elements in Zn*, i.e.
Φ(1) = 0
Φ(p) = p - 1
Φ(m×n) = Φ(m)×Φ(n) if m and n are coprime
Φ(p^e) = p^e - p^(e-1)

Ex4: Find the value of Φ(n) if n can be factored as n = p1^e1 × p2^e2 × p3^e3 × … × pk^ek.

Combine the last two rules, and we get
Φ(n) = (p1^e1 - p1^(e1-1)) × (p2^e2 - p2^(e2-1)) × … × (pk^ek - pk^(ek-1))

Note: The difficulty of finding Φ(n) depends on the difficulty of finding the factorization of n. And the value of Φ(n) is even if n > 2.

Page 9

Ex5: Find the values of Φ(13), Φ(10), Φ(240) and Φ(49). What is the number of elements in Z14*?

∵ 13 is a prime ∴ Φ(13) = 13 - 1 = 12
Φ(10) = Φ(5) × Φ(2) = 4 × 1 = 4
∵ 240 = 2^4 × 3^1 × 5^1 ∴ Φ(240) = (2^4 - 2^3) × (3^1 - 3^0) × (5^1 - 5^0)
Φ(49) ≠ Φ(7) × Φ(7), since m and n need to be coprime. Here 49 = 7^2 ∴ Φ(49) = 7^2 - 7^1 = 42
The last answer, for Φ(14), is Φ(7) × Φ(2) = 6 × 1 = 6 (the members are 1, 3, 5, 9, 11, 13).
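The sets Zn* of Ex3 and the Φ rules of pages 8-9, as an added example that is not code from the original slides: Zn* is enumerated directly, Φ(n) is computed from the trial-division factorization, and the two are checked against each other; the multiplication-table search for inverses mirrors page 6. The function names and the trial-division factorizer are this example's own.

```python
# Added example (not from the original slides): enumerate Zn* and compute
# Euler's phi from the prime factorization, then check |Zn*| = phi(n) and
# read the multiplicative inverses off the multiplication table.
from math import gcd


def units(n: int) -> list:
    """Zn* = the members of Zn that are coprime to n (exactly those with a multiplicative inverse)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def factorize(n: int) -> dict:
    """Trial-division factorization {p: e}; adequate for the small n on the slides."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """phi(n) = product of (p^e - p^(e-1)) over the factorization of n.
    The slides define phi(1) = 0 (the size of Z1*); the usual convention is 1."""
    if n == 1:
        return 0
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def inverse_table(n: int) -> dict:
    """a -> a^-1 for every a in Zn*, found by scanning row a of the multiplication table."""
    return {a: next(b for b in range(1, n) if (a * b) % n == 1) for a in units(n)}


if __name__ == "__main__":
    for n in (6, 7, 10, 13, 14, 49, 240):
        print(f"Z{n}* has {len(units(n))} elements, phi({n}) = {phi(n)}")
    print(inverse_table(10))
```

Note that `phi` only needs the factorization, which is the point of the slide's remark: for the 400-digit n of RSA, `factorize` would never finish, and without Φ(n) the inverse exponent cannot be computed.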

Page 10

Fermat's Little Theorem

• 1st version: p is a prime and t is an integer; if p ∤ t then t^(p-1) ≡ 1 (mod p).
• 2nd version: p is a prime and t is an integer ⇒ t^p ≡ t (mod p).

Ex6: Find the results of 6^10 mod 11 and 3^12 mod 11.
∵ gcd(6, 11) = 1 ∴ 6^10 mod 11 = 1
3^12 mod 11 = (3^11 × 3) mod 11 = (3^11 mod 11)(3 mod 11) mod 11 = (3)(3) mod 11 = 9 (ref. P. 24)

• Fermat's theorem gives a quick way to find multiplicative inverses if p is a prime (without using the extended Euclidean algorithm for the inverse):
p ∤ t ⇒ t^-1 mod p = t^(p-2) mod p
Ex7: 8^-1 mod 17 = 8^(17-2) mod 17 = 8^15 mod 17 = 15 mod 17

Page 11

Euler's Theorem

• 1st version: similar to Fermat's except that the modulus need not be a prime but any integer n; for t coprime to n, t^Φ(n) ≡ 1 (mod n).

• 2nd version: t and n needn't be coprime, n = p×q, t < n: t^(k∙Φ(n)+1) ≡ t (mod n), k an integer. (The 2nd version is used in the RSA cryptosystem; see P. 18, P. 35.)

Proof of the 2nd version:

(1) t is neither a multiple of p nor a multiple of q, i.e. gcd(t, n) = 1:
t^(k∙Φ(n)+1) mod n = ((t^Φ(n))^k mod n)(t mod n) mod n = (1)^k (t mod n) = t mod n.

(2) t is a multiple of p (t = i×p) but not a multiple of q:
t^Φ(n) mod q = (t^Φ(q) mod q)^Φ(p) mod q = 1 (Fermat, since q ∤ t and Φ(n) = Φ(p)Φ(q)), so
t^(k∙Φ(n)) mod q = (t^Φ(n) mod q)^k mod q = 1, i.e. t^(k∙Φ(n)) = 1 + j×q for some integer j. Then
t^(k∙Φ(n)+1) = t(1 + j×q) = t + t×j×q = t + (i×j)×q×p = t + (i×j)×n ≡ t (mod n).

(3) t is a multiple of q (t = i×q) but not a multiple of p: the proof is the same as (2).

Page 12

Ex8: Find the results of 6^24 mod 35 and 20^62 mod 77.

∵ n = 35 = 5×7 ∴ Φ(n) = Φ(35) = Φ(5)×Φ(7) = (5 - 1)(7 - 1) = 24, so 6^24 mod 35 = 6^Φ(35) mod 35 = 1.

n = 77 = 7×11, Φ(77) = Φ(7)×Φ(11) = (7 - 1)(11 - 1) = 60
20^62 mod 77 = 20^(61+1) mod 77 = (20^(60+1) mod 77)(20^1 mod 77) mod 77
= (20^(Φ(77)+1) mod 77)(20) mod 77 = (20)(20) mod 77 = 15   (2nd version with k = 1)

• Euler's theorem can be used to find multiplicative inverses modulo a prime or a composite. If gcd(t, n) = 1, then
t^-1 mod n = t^(Φ(n)-1) mod n

Page 13

Ex9: Using the factorization of the composite to find multiplicative inverses; 8^-1 mod 77 and 71^-1 mod 100, for example.

∵ 8^59 = (2^3)^59 = (2^10)^17 (2^7), and 1024 mod 77 = 23, 128 mod 77 = 51,
23^2 mod 77 = 67, 67^2 mod 77 = 23, 23×51 = 1173 (and 1173 mod 77 = 18)
∴ 8^-1 mod 77 = 8^(Φ(77)-1) mod 77 = 8^59 mod 77 = (23)^17 (51) mod 77
= (23^2)^8 (23)(51) mod 77 = (67)^8 (1173) mod 77 = (23)^4 (18) mod 77
= (67)^2 (18) mod 77 = (23)(18) mod 77 = 29 mod 77

∵ 100 = 2^2 × 5^2 ∴ Φ(100) = Φ(2^2) × Φ(5^2) = (2^2 - 2^1)(5^2 - 5^1) = 40
Hence, 71^-1 mod 100 = 71^(Φ(100)-1) mod 100 = 71^39 mod 100 = 31 mod 100
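The inverse formulas of pages 10-13 (t^(p-2) mod p for a prime, t^(Φ(n)-1) mod n for a composite with known factorization) and the exponent trick of Ex8, as an added example that is not code from the original slides. Python's built-in `pow(base, exp, mod)` does the modular exponentiation the slides carry out by hand; the factorization of n is passed in as a dict, and the function names are this example's own.

```python
# Added example (not from the original slides): multiplicative inverses by
# Fermat's theorem (t^(p-2) mod p) and Euler's theorem (t^(phi(n)-1) mod n),
# with Python's built-in pow() doing the modular exponentiation that the
# slides carry out by hand. The factorization of n is passed in as a dict,
# since phi(n) is only easy to compute when the factorization is known.
from math import gcd


def phi_from_factors(factors: dict) -> int:
    """phi(n) = product of (p^e - p^(e-1)) for n = product of p^e."""
    result = 1
    for p, e in factors.items():
        result *= p ** e - p ** (e - 1)
    return result


def inverse_fermat(t: int, p: int) -> int:
    """t^-1 mod p = t^(p-2) mod p; valid only for prime p with p not dividing t."""
    if t % p == 0:
        raise ValueError("t is a multiple of p: no inverse exists")
    return pow(t, p - 2, p)


def inverse_euler(t: int, n: int, factors: dict) -> int:
    """t^-1 mod n = t^(phi(n)-1) mod n; valid when gcd(t, n) = 1."""
    if gcd(t, n) != 1:
        raise ValueError("gcd(t, n) != 1: no inverse exists")
    return pow(t, phi_from_factors(factors) - 1, n)


def euler_second_version(t: int, n: int, factors: dict, k: int = 1) -> int:
    """t^(k*phi(n)+1) mod n, which equals t mod n when n = p*q (t need not be coprime to n)."""
    return pow(t, k * phi_from_factors(factors) + 1, n)


def reduce_exponent(t: int, e: int, n: int, factors: dict) -> int:
    """For gcd(t, n) = 1, t^e ≡ t^(e mod phi(n)) (mod n): the trick used in Ex8 for 20^62 mod 77."""
    if gcd(t, n) != 1:
        raise ValueError("exponent reduction by phi(n) needs gcd(t, n) = 1")
    return pow(t, e % phi_from_factors(factors), n)


if __name__ == "__main__":
    print(inverse_fermat(8, 17), inverse_euler(8, 77, {7: 1, 11: 1}),
          inverse_euler(71, 100, {2: 2, 5: 2}), reduce_exponent(20, 62, 77, {7: 1, 11: 1}))
```

The gcd checks matter: Fermat's formula silently returns a wrong value when the modulus is composite (3^(10-2) mod 10 = 1, yet 3∙1 ≢ 1 (mod 10)), and Euler's formula returns a wrong value when t shares a factor with n, so a caller should never skip the precondition.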

Page 14

Theorem: If x ≡ x' (mod m) and y ≡ y' (mod m), then (1) x + y ≡ x' + y' (mod m) and (2) x∙y ≡ x'∙y' (mod m).

Ex10: In Z6 we have

[3]₆ + [5]₆ = [3 + 5]₆ = [8]₆ = [2]₆, since 8 ≡ 2 (mod 6). Also,

[3]₆ ∙ [5]₆ = [3∙5]₆ = [15]₆ = [3]₆, because 15 ≡ 3 (mod 6); and

[8]₆^4 = [2]₆^4 = [2^4]₆ = [16]₆ = [4]₆, since 8 ≡ 2 (mod 6) and 16 ≡ 4 (mod 6).

Page 15

THE EUCLIDEAN ALGORITHM

Theorem: Let a, b, c, and q be integers with b > 0. If a = b∙q + c, then gcd(a, b) = gcd(b, c).

Ex11: Find the greatest common divisor of 804 and 654.

804 = 654∙1 + 150    (0 ≤ 150 < 654)
654 = 150∙4 + 54     (0 ≤ 54 < 150)
150 = 54∙2 + 42
54 = 42∙1 + 12
42 = 12∙3 + 6
12 = 6∙2 + 0

Then gcd(804, 654) = gcd(654, 150) = … = gcd(6, 0) = 6.

Page 16

THE RSA METHOD

• Plaintext: I HAVE A COOKIE. Replace each letter of the plaintext with the letter that follows it in the alphabet.
• Ciphertext: J IBWF B DPPLJF

The system relies on a key known only to those taking part in the cipher, e.g. "replace each plaintext letter with the following letter". But without a pre-arranged encryption/decryption rule, how can one communicate secretly with some person or organization, e.g. when a credit card number for an online purchase is transmitted as ciphertext?

• The answer is to use a public key: anyone is allowed to encrypt, but decryption is hard, because some operations are hard to reverse (only someone who knows the system can decrypt easily). For example, multiply two large primes together: 71∙59 = 4189; working backwards to find which two primes have product 4189 is clearly much harder.

Page 17

• RSA: the message is first converted into a sequence of numbers in some standard way (e.g. the table below).

Ex12: I LOVE YOU → 09 00 12 15 22 05 00 25 15 21 → grouped three digits at a time: 090 012 152 205 002 515 210

• Converting the message into numbers is not encryption; to reverse it, just go back to groups of two digits and use the table above. For example: 041 815 160 004 050 104 → 04 18 15 16 00 04 05 01 04 → DROP DEAD

Symbol Number | Symbol Number | Symbol Number | Symbol Number
space  00     | G      07     | N      14     | U      21
A      01     | H      08     | O      15     | V      22
B      02     | I      09     | P      16     | W      23
C      03     | J      10     | Q      17     | X      24
D      04     | K      11     | R      18     | Y      25
E      05     | L      12     | S      19     | Z      26
F      06     | M      13     | T      20     |
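The symbol table and the regrouping of Ex12, as an added example that is not code from the original slides: text to two-digit codes, regrouping into three-digit blocks, and the reverse mapping. The padding of the final block with a trailing 0 (so that "...15 21" becomes 210) is this example's reading of Ex12, and the function names are its own.

```python
# Added example (not from the original slides): the symbol-to-number table
# (space = 00, A = 01, ..., Z = 26), the regrouping into three-digit blocks
# and the reverse mapping back to pairs of digits. The '0' padding of the
# final block (210 for "...21") is this example's reading of Ex12.

ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # index in this string is the two-digit code


def text_to_digits(text: str) -> str:
    """Each symbol becomes its two-digit code."""
    return "".join(f"{ALPHABET.index(ch):02d}" for ch in text.upper())


def digits_to_text(digits: str) -> str:
    """Reverse of text_to_digits: read the digit string two at a time."""
    if len(digits) % 2:
        raise ValueError("need an even number of digits")
    return "".join(ALPHABET[int(digits[i:i + 2])] for i in range(0, len(digits), 2))


def regroup(digits: str, size: int) -> list:
    """Split into fixed-size groups, right-padding the last one with '0'."""
    digits += "0" * ((-len(digits)) % size)
    return [digits[i:i + size] for i in range(0, len(digits), size)]


def encode_blocks(text: str) -> list:
    """Text -> list of integers < 1000, ready for RSA with a four-digit n."""
    return [int(g) for g in regroup(text_to_digits(text), 3)]


def decode_blocks(blocks: list) -> str:
    """Inverse of encode_blocks: rebuild the digit string and drop a lone trailing pad digit."""
    digits = "".join(f"{b:03d}" for b in blocks)
    if len(digits) % 2:
        if digits[-1] != "0":
            raise ValueError("odd trailing digit is not a pad")
        digits = digits[:-1]
    return digits_to_text(digits)


if __name__ == "__main__":
    print(encode_blocks("I LOVE YOU"))
    print(decode_blocks([41, 815, 160, 4, 50, 104]))
```

Keeping the blocks as three-digit values is what lets each block lie in Zn for n = 1189 on page 19; the encoding itself carries no secrecy, exactly as the slide says.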

Page 18

• In the RSA method, the actual enciphering consists of modular exponentiation in Zn; i.e. if the plaintext is P1, P2, P3, …, and Ci ≡ Pi^E (mod n) for each i, 0 ≤ Ci < n (E for enciphering), then the ciphertext is C1, C2, C3, …

Ex13: Suppose that n = 33, E = 3, and the plaintext is 8, 7, 20, 3, 11, 13.

∵ 8^3 = 512 and 512 ≡ 17 (mod 33), the ciphertext corresponding to 8 is 17. 7^3 = 343 ≡ 13 (mod 33), so 7 is enciphered as 13. The entire enciphered message is 17, 13, 14, 27, 11, 19.

Page 19

• To be closer to a realistic setting, take n = 1189, which allows three-digit numbers in the plaintext, e.g. 090 012 152 205 002 515 210 (I LOVE YOU).

If E = 101, enciphering requires computing 90^101 mod 1189, 12^101 mod 1189, 152^101 mod 1189, 205^101 mod 1189, 2^101 mod 1189, 515^101 mod 1189, 210^101 mod 1189.

• 90^101 has 198 digits (and still has to be divided by 1189). This is wasted computation, since all we need is a remainder of at most four digits (∵ 1189 has four digits). Moreover, real-world implementations use numbers far larger than these for security reasons, e.g. not 1189 but a number of about 400 digits (so the power of the plaintext would be too large for any computer to handle).

• Solution: going back to the 1189 example, break the exponent down so that nothing exceeds the calculator's range; i.e. compute 90^101 within Z1189 step by step, as follows.

Page 20

90^2 = 8100 ≡ 966 (mod 1189)
90^3 ≡ 966∙90 = 86940 ≡ 143 (mod 1189)
90^4 ≡ 143∙90 = 12870 ≡ 980 (mod 1189)
:
:

• Repeated squaring is even better:
90^2 = 8100 ≡ 966 (mod 1189)
90^4 ≡ 966^2 = 933156 ≡ 980 (mod 1189)
90^8 ≡ 980^2 = 960400 ≡ 877 (mod 1189)
90^16 ≡ 877^2 = 769129 ≡ 1035 (mod 1189)
90^32 ≡ 1035^2 = 1071225 ≡ 1125 (mod 1189)
90^64 ≡ 1125^2 = 1265625 ≡ 529 (mod 1189)

∵ 101 = 1 + 4 + 32 + 64 ∴ 90^101 = 90^1∙90^4∙90^32∙90^64 ≡ 90∙980∙1125∙529 ≡ 582 (mod 1189)
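The square-and-multiply computation of pages 19-20 and the enciphering rule of page 18, as an added example that is not code from the original slides: the function returns both the result and the chain of squarings the slide tabulates, and the same routine enciphers the plaintext of Ex13. Function names are this example's own; Python's built-in `pow` is used only as a cross-check.

```python
# Added example (not from the original slides): square-and-multiply modular
# exponentiation that also returns the chain of squarings tabulated above,
# and RSA enciphering C_i = P_i^E mod n applied to the plaintext of Ex13.
# Function names are this example's own; Python's pow() is used as a cross-check.

def square_and_multiply(base: int, exp: int, n: int):
    """Return (base^exp mod n, trace); trace lists (2^i, base^(2^i) mod n) for
    every squaring step, and the result multiplies together exactly the
    entries whose 2^i appears in the binary expansion of exp."""
    if exp < 0 or n < 1:
        raise ValueError("exponent must be >= 0 and modulus >= 1")
    result, power, trace, weight = 1 % n, base % n, [], 1
    while exp:
        trace.append((weight, power))
        if exp & 1:
            result = (result * power) % n   # this 2^i is part of the exponent
        power = (power * power) % n         # next squaring, reduced mod n at once
        exp >>= 1
        weight <<= 1
    return result, trace


def binary_terms(exp: int) -> list:
    """The powers of two that sum to exp, e.g. 101 -> [1, 4, 32, 64]."""
    return [1 << i for i in range(exp.bit_length()) if exp >> i & 1]


def rsa_encipher(plain_blocks: list, E: int, n: int) -> list:
    """Encipher each block P_i (0 <= P_i < n) as P_i^E mod n."""
    if any(not 0 <= p < n for p in plain_blocks):
        raise ValueError("every plaintext block must lie in Zn")
    return [square_and_multiply(p, E, n)[0] for p in plain_blocks]


if __name__ == "__main__":
    value, trace = square_and_multiply(90, 101, 1189)
    for weight, power in trace:
        print(f"90^{weight} ≡ {power} (mod 1189)")
    print("101 =", " + ".join(map(str, binary_terms(101))), "so 90^101 ≡", value)
    print(rsa_encipher([8, 7, 20, 3, 11, 13], 3, 33))
```

Every intermediate value stays below n^2, which is the whole point of the slide: the 198-digit number 90^101 is never formed. Because both the intermediate values and the number of loop iterations depend only on the bit length of the exponent, the same routine scales to the 400-digit moduli of page 19.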

Page 21

Linear Congruence

• Cryptography often involves solving an equation or a set of equations in one or more variables with coefficients in Zn. Let's solve equations with one variable where the power of the variable is 1 (a linear equation), i.e. E∙x ≡ k (mod b).

• Assume gcd(E, b) = d. There is no solution if d ∤ k. There are d solutions if d | k, and one can use the following strategy to find them:
1. Reduce the equation by dividing both sides (including the modulus) by d.
2. Multiply both sides of the reduced equation by the multiplicative inverse of E (the reduced coefficient, modulo the reduced modulus) to find the particular solution x0.
3. The general solutions are x = x0 + t∙(b/d) for t = 0, 1, 2, …, (d - 1).

Page 22

Ex14: Solve the equation 10∙x ≡ 2 (mod 15).
∵ gcd(10, 15) = 5 and 5 ∤ 2 ∴ no solution.

Ex15: Solve the equation 14∙x ≡ 12 (mod 18).
∵ gcd(14, 18) = 2 and 2 | 12 ∴ 14∙x ≡ 12 (mod 18) reduces to 7∙x ≡ 6 (mod 9).
x ≡ 6∙(7^-1) (mod 9), x0 = 6∙(4) (mod 9) = 6
x1 = x0 + 1∙(18/2) = 15 (two solutions!)

Ex16: Solve the equation 3∙x + 4 ≡ 6 (mod 13).
We first change the equation to the form E∙x ≡ k (mod b) by adding -4, which gives 3∙x ≡ 2 (mod 13).
∵ gcd(3, 13) = 1 ∴ x0 = (2∙3^-1) (mod 13) = 5 (only 1 solution!)
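The Euclidean algorithm of page 15 and the three-step linear-congruence recipe of pages 21-22, served by one added example that is not code from the original slides: `euclid_trace` reproduces the step table of Ex11, `ext_gcd` extends it to produce the multiplicative inverse needed in step 2, and `solve_linear_congruence` returns all d solutions (or none) for Ex14-Ex16. Function names are this example's own.

```python
# Added example (not from the original slides): the Euclidean algorithm with
# the step table of Ex11, its extended form for multiplicative inverses, and
# the three-step solver for E*x ≡ k (mod b) with all d = gcd(E, b) solutions.

def euclid_trace(a: int, b: int):
    """Return (gcd, steps) with each step (a, b, q, r) satisfying a = b*q + r, 0 <= r < b."""
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((a, b, q, r))
        a, b = b, r
    return a, steps


def ext_gcd(a: int, b: int):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def mod_inverse(e: int, m: int) -> int:
    """e^-1 mod m via the extended Euclidean algorithm; requires gcd(e, m) = 1."""
    g, s, _ = ext_gcd(e % m, m)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {m}")
    return s % m


def solve_linear_congruence(E: int, k: int, b: int) -> list:
    """All x in Zb with E*x ≡ k (mod b): [] if d = gcd(E, b) does not divide k,
    otherwise the d values x0 + t*(b/d), t = 0..d-1."""
    d, _, _ = ext_gcd(E % b, b)
    if k % d:
        return []
    E_r, k_r, b_r = E // d, k // d, b // d            # step 1: reduce by d
    x0 = (k_r * mod_inverse(E_r, b_r)) % b_r          # step 2: particular solution
    return [x0 + t * b_r for t in range(d)]            # step 3: all d solutions


if __name__ == "__main__":
    g, steps = euclid_trace(804, 654)
    for a, b, q, r in steps:
        print(f"{a} = {b}*{q} + {r}")
    print("gcd =", g)
    for E, k, b in ((10, 2, 15), (14, 12, 18), (3, 2, 13)):
        print(f"{E}x ≡ {k} (mod {b}):", solve_linear_congruence(E, k, b))
```

`mod_inverse` is the same computation that produces the RSA private exponent on page 35 (E∙x ≡ 1 (mod b)); unlike the Fermat/Euler formulas it needs no knowledge of Φ, only the modulus itself.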

Page 23

• The multiplicative inverse of a matrix is defined only for square matrices and exists only if det(A) has a multiplicative inverse in the corresponding set. Thus, there is no multiplicative inverse of a matrix in Z. Matrices with real elements, however, have inverses whenever det(A) ≠ 0. We denote B = A^-1 (or A = B^-1) if A×B = B×A = I.

• Residue matrix: a matrix with all elements in Zn and operations done in modular arithmetic. It has a multiplicative inverse if gcd(det(C), n) = 1.

Ex17: a residue matrix C in Z26 and its inverse

C =
| 3  5  7  2 |
| 1  4  7  2 |
| 6  3  9 17 |
|13  5  4 16 |
det(C) ≡ 21 (mod 26), and gcd(21, 26) = 1, so C^-1 exists:

C^-1 =
|15 21  0 15 |
|23  9  0 22 |
|15 16 18  3 |
|24  7 15  3 |
det(C^-1) = 62847 mod 26 = 5

Interesting result: det(C^-1) is the multiplicative inverse of det(C) in Zn, since det(C)∙det(C^-1) ≡ 21∙5 = 105 ≡ 1 (mod 26).

Page 24

• Two matrices are congruent modulo n, written A ≡ B (mod n), if they have the same number of rows and columns and all corresponding elements are congruent modulo n. That is, A ≡ B (mod n) if aij ≡ bij (mod n) for all i and j.

• Justification for P. 10 (the step (m^t ∙ a^k) mod n = ((m^t mod n)(a^k mod n)) mod n):

Suppose m^t mod n = r' and a^k mod n = c', i.e. m^t = b∙n + r' and a^k = d∙n + c'. Then
(m^t ∙ a^k) mod n = ((b∙n + r')(d∙n + c')) mod n = (r'∙c') mod n = ((m^t mod n)(a^k mod n)) mod n.

Page 25

Linear Equations with Same Modulus

• We make three matrices: a square and invertible matrix from the coefficients of the variables, and two column matrices, one from the variables and one from the values on the right-hand side of the congruence operator. If both sides are multiplied by the multiplicative inverse of the first matrix, the result is the variable matrix on the right-hand side, and the system can be solved as follows:

a11 x1 + a12 x2 + … + a1n xn ≡ b1 (mod m)
a21 x1 + a22 x2 + … + a2n xn ≡ b2 (mod m)
 :
an1 x1 + an2 x2 + … + ann xn ≡ bn (mod m)

In matrix form:

| a11 a12 … a1n |   | x1 |     | b1 |
| a21 a22 … a2n |   | x2 |     | b2 |
|  :   :     :  | × | :  |  ≡  | :  |   (mod m)
| an1 an2 … ann |   | xn |     | bn |

Hence

| x1 |     | a11 a12 … a1n |^-1   | b1 |
| x2 |     | a21 a22 … a2n |      | b2 |
| :  |  ≡  |  :   :     :  |    × | :  |   (mod m)
| xn |     | an1 an2 … ann |      | bn |

Page 26

Ex18: Solve the set of two equations:

3x + 5y ≡ 4 (mod 5)
2x + y ≡ 3 (mod 5)

The matrix formed by the set of equations is invertible; x and y play the role of x1 and x2.

| 3 5 | | x |     | 4 |
| 2 1 | | y |  ≡  | 3 |  (mod 5)

| x |     | 3 5 |^-1 | 4 |     | 2 5 | | 4 |     | 23 |     | 3 |
| y |  ≡  | 2 1 |    | 3 |  =  | 1 1 | | 3 |  =  |  7 |  ≡  | 2 |  (mod 5)

(the entry 5 in the inverse is ≡ 0 (mod 5))

The answer is x ≡ 3 (mod 5) and y ≡ 2 (mod 5).

Page 27

Ex19: Solve the set of three equations:

3x + 5y + 7z ≡ 3 (mod 16)
x + 4y + 13z ≡ 5 (mod 16)
2x + 7y + 3z ≡ 4 (mod 16)

The matrix formed by the set of equations is invertible; x, y, and z play the role of x1, x2, and x3.

| 3  5  7 | | x |     | 3 |
| 1  4 13 | | y |  ≡  | 5 |  (mod 16)
| 2  7  3 | | z |     | 4 |

| x |     | 3  5  7 |^-1 | 3 |     | 15 14 11 | | 3 |     | 15 |
| y |  ≡  | 1  4 13 |    | 5 |  =  |  9  5  0 | | 5 |  ≡  |  4 |  (mod 16)
| z |     | 2  7  3 |    | 4 |     |  1 11  9 | | 4 |     | 14 |

The answer is x ≡ 15 (mod 16), y ≡ 4 (mod 16), z ≡ 14 (mod 16).
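The residue-matrix inverse of page 23 and the matrix solution of linear systems on pages 25-27, as one added example that is not code from the original slides: the determinant and adjugate are computed by cofactor expansion, the inverse is (det^-1 mod m)·adj mod m, and A x ≡ b (mod m) is solved as x ≡ A^-1 b. It is checked against the matrix C of Ex17 and the systems of Ex18 and Ex19; function names are this example's own.

```python
# Added example (not from the original slides): determinant and inverse of a
# residue matrix by cofactors, then A x ≡ b (mod m) solved as x ≡ A^-1 b,
# checked against Ex17, Ex18 and Ex19. Function names are this example's own.

def det(M: list) -> int:
    """Integer determinant by Laplace expansion along the first row (fine for small matrices)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))


def inverse_mod(M: list, m: int) -> list:
    """Residue-matrix inverse (det^-1 mod m) * adj(M) mod m; exists only if gcd(det(M), m) = 1."""
    n = len(M)
    d = det(M) % m
    try:
        d_inv = pow(d, -1, m)            # raises ValueError when gcd(d, m) != 1
    except ValueError:
        raise ValueError(f"det = {d} has no multiplicative inverse mod {m}") from None
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(M) if k != i]
            adj[j][i] = (-1) ** (i + j) * det(minor)   # adjugate = transposed cofactors
    return [[(d_inv * adj[i][j]) % m for j in range(n)] for i in range(n)]


def mat_mul_mod(A: list, B: list, m: int) -> list:
    """Matrix product with every entry reduced mod m."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % m for j in range(len(B[0]))]
            for i in range(len(A))]


def solve_mod(A: list, b: list, m: int) -> list:
    """x with A x ≡ b (mod m), as the column A^-1 b reduced mod m."""
    column = mat_mul_mod(inverse_mod(A, m), [[v] for v in b], m)
    return [row[0] for row in column]


C = [[3, 5, 7, 2], [1, 4, 7, 2], [6, 3, 9, 17], [13, 5, 4, 16]]   # the matrix of Ex17

if __name__ == "__main__":
    print("det(C) mod 26 =", det(C) % 26)
    for row in inverse_mod(C, 26):
        print(row)
    print(solve_mod([[3, 5], [2, 1]], [4, 3], 5))                      # Ex18
    print(solve_mod([[3, 5, 7], [1, 4, 13], [2, 7, 3]], [3, 5, 4], 16))  # Ex19
```

The existence check is the one the slide states: `pow(d, -1, m)` fails exactly when gcd(det, m) ≠ 1, so a matrix such as [[2, 0], [0, 1]] has no inverse in Z26 even though it is invertible over the reals. Cofactor expansion is exponential in the matrix size and is used here only because the slides' matrices are tiny.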

Page 28

Chinese Remainder Theorem

• It is used to solve a set of congruences in one variable but with different moduli, which are coprime; the set has a unique solution (modulo M below), as shown:

x ≡ a1 (mod m1)
x ≡ a2 (mod m2)
 :
x ≡ ak (mod mk)

The solution follows these steps:
1. Find M = m1 × m2 × … × mk, which is the common modulus.
2. Find M1 = M/m1, M2 = M/m2, …, Mk = M/mk.
3. Find the multiplicative inverses of M1, M2, …, Mk using the corresponding moduli (m1, m2, …, mk). Let's call the inverses M1^-1, M2^-1, …, Mk^-1.
4. The solution is x = (a1 × M1 × M1^-1 + a2 × M2 × M2^-1 + … + ak × Mk × Mk^-1) mod M.

Page 29

Note: The set of equations can have a solution even if the moduli are not relatively prime but meet other conditions. However, we are interested in solving questions with coprime moduli in cryptography.

Ex20: Find the solution to the simultaneous equations x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).
1. M = 3 × 5 × 7 = 105
2. M1 = 105/3 = 35, M2 = 105/5 = 21, M3 = 105/7 = 15
3. M1^-1 = 2, M2^-1 = 1, M3^-1 = 1
4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105 = 23 mod 105

Ex21: Find the solution to the equations x ≡ 3 (mod 7), x ≡ 3 (mod 13), x ≡ 0 (mod 12). Ans: x = 276

Page 30

• The Chinese remainder theorem is applied to solve quadratic congruences and to represent a very large integer as a list of small integers.

Ex22: Calculate z = x + y where x = 123 and y = 334, on a system that accepts only numbers less than 100.

These numbers can be represented as:
x ≡ 24 (mod 99)   y ≡ 37 (mod 99)
x ≡ 25 (mod 98)   y ≡ 40 (mod 98)
x ≡ 26 (mod 97)   y ≡ 43 (mod 97)

Adding each congruence in x to the corresponding congruence in y gives
z = x + y ≡ 61 (mod 99)
z = x + y ≡ 65 (mod 98)
z = x + y ≡ 69 (mod 97)
Now solve them using the Chinese remainder theorem, and the answer is z = 457.

Page 31

Quadratic Congruence

• Equations of the form a2x^2 + a1x + a0 ≡ 0 (mod n) are quadratic congruences, but we limit ourselves to x^2 ≡ a (mod n).

(1) Quadratic congruence modulo a prime, i.e. n is a prime p and p ∤ a (proved to have either no solution or exactly two incongruent solutions).

Ex23: x^2 ≡ 3 (mod 11), 11 ∤ 3; two solutions: x ≡ ±5 (mod 11), but note that -5 ≡ 6 (mod 11). These two solutions are incongruent. Here 3 (= a) is called a quadratic residue (QR).

Ex24: x^2 ≡ 2 (mod 11), 11 ∤ 2; however, there is no solution. 2 (= a) is called a quadratic nonresidue (QNR).

Note: In Zp*, (p - 1)/2 elements are QRs and (p - 1)/2 elements are QNRs.
e.g. the QR set of Z11* is {1, 3, 4, 5, 9}, and the QNR set is {2, 6, 7, 8, 10}.

Page 32

Euler's Criterion: how to check whether an integer a is a QR modulo p?
(1) If a^((p - 1)/2) ≡ 1 (mod p), a is a QR modulo p. (2) If a^((p - 1)/2) ≡ -1 (mod p), a is a QNR modulo p.

Ex25: Find out whether 14 or 16 is a QR in Z23*.
14^((23 - 1)/2) mod 23 = 14^11 mod 23 ≡ 22 (mod 23) ≡ -1 (mod 23) ….. QNR
16^((23 - 1)/2) mod 23 = 16^11 mod 23 ≡ 1 (mod 23) ….. QR

• But Euler's Criterion cannot find the solution to x^2 ≡ a (mod n).

Note: a prime can be of the form p = 4k + 1 or 4k + 3, k ∊ N. We restrict ourselves to the second form since solving the first case is very involved.
∵ p = 4k + 3 ⇒ p ≡ 3 (mod 4); if a is a QR in Zp*, the solutions are
X ≡ a^((p + 1)/4) (mod p) and X ≡ -a^((p + 1)/4) (mod p).

Page 33

Ex26: Solve the following: x^2 ≡ 3 (mod 23) and x^2 ≡ 2 (mod 11).
∵ (p + 1)/4 = 6 ∴ X ≡ 3^6 (mod 23) ≡ ±16 (mod 23)   (check: 16^2 mod 23 = 3)
2 is a QNR in Z11, so x^2 ≡ 2 has no solution in Z11.

(2) Quadratic congruence modulo a composite: can be done by solving a set of congruences modulo primes; i.e. we have to factorize n if it is to be solvable.
x^2 ≡ a (mod n), n = p1∙p2∙…∙pk
x^2 ≡ a1 (mod p1), x^2 ≡ a2 (mod p2), …, x^2 ≡ ak (mod pk)
x1 ≡ ±b1 (mod p1), x2 ≡ ±b2 (mod p2), …, xk ≡ ±bk (mod pk)
There are 2^k sets of equations to be solved from the k pairs of answers, giving 2^k values of x by the Chinese remainder theorem. However, in cryptography n is made such that n = p × q, which means k = 2, and we have only four answers.

Page 34

Ex27: Solve x^2 ≡ 36 (mod 77).
x^2 ≡ 36 (mod 7) ≡ 1 (mod 7), x^2 ≡ 36 (mod 11) ≡ 3 (mod 11)
x ≡ 1^((7 + 1)/4) mod 7 ≡ ±1 (mod 7), x ≡ 3^((11 + 1)/4) mod 11 ≡ ±5 (mod 11)
Now the 2^2 (= 2^k) sets of equations are
x ≡ 1 (mod 7), x ≡ 5 (mod 11)
x ≡ 1 (mod 7), x ≡ -5 (mod 11)
x ≡ -1 (mod 7), x ≡ 5 (mod 11)
x ≡ -1 (mod 7), x ≡ -5 (mod 11)
The answers are x = ±6, ±27.
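The Chinese remainder recipe of pages 28-30 and the quadratic congruences of pages 31-34, served by one added example that is not code from the original slides (both need the same CRT routine): the four-step `crt` reproduces Ex20-Ex22, `is_qr` is Euler's criterion, `sqrt_mod_prime` applies ±a^((p+1)/4) for p ≡ 3 (mod 4), and `sqrt_mod_composite` assembles the 2^k root combinations of Ex27 with CRT. Function names are this example's own.

```python
# Added example (not from the original slides): the four-step Chinese
# remainder recipe (Ex20-Ex22), Euler's criterion, square roots modulo a
# prime p ≡ 3 (mod 4), and x^2 ≡ a (mod p*q) assembled from the 2^k root
# combinations by CRT (Ex23-Ex27). Function names are this example's own.
from itertools import product
from math import gcd


def crt(residues: list, moduli: list) -> int:
    """x in [0, M) with x ≡ a_i (mod m_i) for pairwise coprime m_i."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    M = 1
    for m in moduli:
        M *= m                                   # step 1: common modulus
    x = 0
    for a, m in zip(residues, moduli):
        M_i = M // m                             # step 2
        M_i_inv = pow(M_i, -1, m)                # step 3: inverse modulo m_i
        x += a * M_i * M_i_inv                   # step 4
    return x % M


def is_qr(a: int, p: int) -> bool:
    """Euler's criterion: a^((p-1)/2) ≡ 1 (mod p) for an odd prime p with p ∤ a."""
    if a % p == 0:
        raise ValueError("Euler's criterion needs p ∤ a")
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_prime(a: int, p: int) -> list:
    """Both roots of x^2 ≡ a (mod p) for p ≡ 3 (mod 4): ±a^((p+1)/4); [] if a is a QNR."""
    if p % 4 != 3:
        raise ValueError("only primes p ≡ 3 (mod 4) are handled here")
    a %= p
    if a == 0:
        return [0]
    if not is_qr(a, p):
        return []
    r = pow(a, (p + 1) // 4, p)
    return sorted({r, (-r) % p})


def sqrt_mod_composite(a: int, primes: list) -> list:
    """All x with x^2 ≡ a (mod n), n = product of distinct primes ≡ 3 (mod 4)."""
    roots = [sqrt_mod_prime(a, p) for p in primes]
    if any(not r for r in roots):
        return []                                # a QNR modulo any factor: no solution
    return sorted(crt(list(combo), primes) for combo in product(*roots))


def crt_add(x: int, y: int, moduli: list) -> int:
    """Ex22: add two numbers by adding their residues and reassembling with CRT."""
    return crt([(x % m + y % m) % m for m in moduli], moduli)


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]), crt([3, 3, 0], [7, 13, 12]), crt_add(123, 334, [99, 98, 97]))
    print(sqrt_mod_prime(3, 23), sqrt_mod_prime(2, 11), sqrt_mod_composite(36, [7, 11]))
```

`sqrt_mod_composite` takes the prime factors as input because, as the slide says, the square root modulo n = p∙q cannot be assembled without them; the result for Ex22 is only correct while x + y stays below 99∙98∙97, which is the usual limit on CRT representations of large integers.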

Page 35

Deciphering with the RSA Method

• Enciphering uses modular exponentiation, and so does deciphering, only with a different exponent. Recall that the modulus n is the product of two large primes; suppose n = p∙q, where in practice p and q are very large numbers (p ≠ q), e.g. each about 200 digits (so that n is about 400 digits).

• First, choose the enciphering exponent E so that gcd(E, b) = 1, where b = (p - 1)∙(q - 1). By Gabriel Lamé's theorem, the number of divisions needed is at most 5∙400 = 2000 (an amount of computation a computer completes easily; moreover, most positive odd E < n satisfy the condition).

• The deciphering exponent D is the least positive integer solution x of the congruence E∙x ≡ 1 (mod b). D is sometimes called the private key.

Page 36

Ex28: Recall that E = 3, n = 33 = 3∙11, and the enciphered message is 17, 13, 14, 27, 11, 19.

∵ b = (3 - 1)(11 - 1) = 20, and 3∙x ≡ 1 (mod 20) ∴ x = 7 = D

17^D = 17^7 = 410338673 = 12434505∙33 + 8 ≡ 8 (mod 33). Similarly, 13^7 = 62748517 ≡ 7 (mod 33), the same as in Ex13.

Ex29: How to resolve p and q when solving 101∙x ≡ 1 (mod b), where n = 1189 = p∙q, E = 101 and b = (p - 1)∙(q - 1)? The key point is in the following theorem.

Page 37

Theorem: If the integer n > 1 is not prime, then n has a prime factor no larger than √n.

• According to the theorem above, since √1189 ≈ 34.5, we could check whether 1189 is divisible by any prime less than 34. Actually, 1189/29 = 41 and so 1189 = 29∙41, i.e. p = 29, q = 41 and b = (29 - 1)∙(41 - 1) = 1120. Then we solve 101∙x ≡ 1 (mod 1120), and the least positive integer solution is x = 621 = D.

Ex30: Decipher 582, corresponding to the plaintext 90, when n = 1189 and E = 101. Ans: 582^621 = 582^(512+64+32+8+4+1) ≡ 90 (mod 1189)
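Ex29 and Ex30 carried through for the toy modulus, as an added example that is not code from the original slides: trial division up to √n (the theorem above) recovers p and q, b = (p - 1)(q - 1) follows, D is the inverse of E modulo b (Python's built-in `pow(E, -1, b)`), and the ciphertext blocks of Ex13 and Ex30 are deciphered. Function names are this example's own.

```python
# Added example (not from the original slides): recovering D for a toy RSA
# modulus exactly as Ex29/Ex30 do it, i.e. trial division up to sqrt(n) to
# find p and q, b = (p-1)(q-1), D = E^-1 mod b, then deciphering by modular
# exponentiation. pow(E, -1, b) is Python's built-in modular inverse.
from math import isqrt


def smallest_prime_factor(n: int) -> int:
    """By the theorem above a composite n has a prime factor <= sqrt(n); returns n itself if n is prime."""
    if n < 2:
        raise ValueError("n must be > 1")
    if n % 2 == 0:
        return 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return d
    return n


def recover_private_exponent(n: int, E: int):
    """Return (p, q, b, D) for n = p*q with p, q prime and gcd(E, b) = 1."""
    p = smallest_prime_factor(n)
    q = n // p
    if p == n or smallest_prime_factor(q) != q:
        raise ValueError("n is not a product of two primes")
    b = (p - 1) * (q - 1)
    D = pow(E, -1, b)          # least positive x with E*x ≡ 1 (mod b)
    return p, q, b, D


def rsa_decipher(cipher_blocks: list, D: int, n: int) -> list:
    """P_i = C_i^D mod n for each ciphertext block."""
    return [pow(c, D, n) for c in cipher_blocks]


if __name__ == "__main__":
    p, q, b, D = recover_private_exponent(1189, 101)
    print(f"1189 = {p}*{q}, b = {b}, D = {D}")
    print(rsa_decipher([582], D, 1189))
    print(rsa_decipher([17, 13, 14, 27, 11, 19], 7, 33))
```

The loop in `smallest_prime_factor` is the computation page 38 estimates at 3.17∙10^183 years for a 400-digit n: it finishes instantly for 1189 only because √1189 ≈ 34.5. The security of the scheme rests entirely on that loop being infeasible for real moduli, which is why p and q must be kept secret and large.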

Page 38

Feasibility of RSA

• E could be called the public key, but p and q are kept secret. One has to resolve p and q before computing b, and then find D from E∙x ≡ 1 (mod b) to get the plaintext.

• Why can't anyone factor n, a number of about 400 decimal digits? We could divide n by primes no larger than √n (i.e. primes ≤ 10^200) in accordance with the previous theorem. Moreover, we can reduce the number of candidates by restricting to odd numbers, which is 10^200/2. For a computer doing 10^9 divisions per second, however, it would take 3.17∙10^183 years to finish checking!

