Date posted: 14-Dec-2015
Number Theory Algorithms and Cryptography
Algorithms
Prepared by
John Reif, Ph.D.
Analysis of Algorithms
Number Theory Algorithms
a) GCD
b) Multiplicative Inverse
c) Fermat & Euler’s Theorems
d) Public Key Cryptographic Systems
e) Primality Testing
Number Theory Algorithms (cont’d)
• Main Reading Selections: CLR, Chapter 33
Euclid’s Algorithm
• Greatest Common Divisor
  $\mathrm{GCD}(u,v)$ = largest $a$ s.t. $a$ is a divisor of both $u, v$
• Euclid’s Algorithm
  procedure GCD(u,v)
  begin
    if v = 0 then return(u)
    else return(GCD(v, u mod v))
  end
Euclid’s Algorithm (cont’d)
• Inductive proof of correctness:
  if $a$ is a divisor of $u, v$ then $a$ is a divisor of $u - \lfloor u/v \rfloor v = u \bmod v$
  (and conversely a common divisor of $v$ and $u \bmod v$ divides $u$),
  so $\mathrm{GCD}(u,v) = \mathrm{GCD}(v, u \bmod v)$, and the recursion stops with $\mathrm{GCD}(u,0) = u$.
Euclid’s Algorithm (cont’d)
• Time Analysis of Euclid’s Algorithm for $n$-bit numbers $u, v$:
  $T(n) \le T(n-1) + M(n) = O(n\,M(n)) = O(n^2 \log n \log\log n)$
  (where $M(n)$ = time to multiply two $n$-bit integers; $M(n) = O(n \log n \log\log n)$ with Schönhage–Strassen multiplication)
Euclid’s Algorithm (cont’d)
• Fibonacci worst case:
  $u = F_{k+1}$, $v = F_k$
  where $F_0 = 0$, $F_1 = 1$, $F_{k+2} = F_{k+1} + F_k$, $k \ge 0$
  $F_k \approx \frac{1}{\sqrt5}\,\phi^k$, $\phi = \frac{1+\sqrt5}{2}$
  Euclid’s Algorithm takes $\log_\phi(\sqrt5\,N) = O(n)$ stages when $N = \max(u,v)$.
  Here $n$ = number of bits of $N$.
Euclid’s Algorithm (cont’d)
• Improved Algorithm
  $T(n) \le 2\,T(n/2) + O(M(n))$
  $= O(M(n) \log n)$
Extended GCD Algorithm
• Run Euclid’s algorithm on triples $(u_1,u_2,u_3)$ and $(v_1,v_2,v_3)$, starting from $(1,0,x)$ and $(0,1,y)$, and apply each division step ($u \leftarrow v$, $v \leftarrow u - \lfloor u_3/v_3 \rfloor v$) to the whole triple.
Extended GCD Algorithm (cont’d)
• Theorem
  $\mathrm{GCD}((1,0,x),(0,1,y)) = (x', y', \mathrm{GCD}(x,y))$
  where $x x' + y y' = \mathrm{GCD}(x,y)$
• Proof
  Inductively one can verify on each call that
  $x u_1 + y u_2 = u_3$
  $x v_1 + y v_2 = v_3$
  so when the third component of $v$ reaches $0$, the triple $u$ is $(x', y', \mathrm{GCD}(x,y))$.
Extended GCD Algorithm (cont’d)
• Corollary
  If $\gcd(x,y) = 1$ then $x'$ is the modular inverse of $x$ modulo $y$
• Proof
  We must show $x x' \equiv 1 \pmod y$.
  By the previous Theorem, $1 = x x' + y y' \equiv x x' \pmod y$,
  so $x x' \equiv 1 \pmod y$.
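The GCD material above (Euclid’s recursion and its Fibonacci worst case, the extended GCD on triples with the invariant from the proof, and the modular-inverse corollary) as one worked example. This is editor-added Python, not code from the slides; the function names are my own, and the triple invariant is asserted on every step so the proof’s claim is checked as the algorithm runs.

```python
import math

PHI = (1 + math.sqrt(5)) / 2  # golden ratio, for the slide's log_phi bound


def gcd_stages(u, v):
    """Euclid's algorithm, iteratively.  Returns (GCD(u, v), number of
    division stages), i.e. how many times GCD(v, u mod v) was taken."""
    stages = 0
    while v != 0:
        u, v = v, u % v
        stages += 1
    return u, stages


def ext_gcd(x, y):
    """Extended GCD on triples (u1,u2,u3), (v1,v2,v3) started at (1,0,x), (0,1,y).
    Invariant on every step (the slide's proof):
        x*u1 + y*u2 == u3   and   x*v1 + y*v2 == v3.
    Returns (x', y', g) with x*x' + y*y' == g == GCD(x, y)."""
    u1, u2, u3 = 1, 0, x
    v1, v2, v3 = 0, 1, y
    while v3 != 0:
        assert x * u1 + y * u2 == u3 and x * v1 + y * v2 == v3
        q = u3 // v3
        # One Euclid division step applied to the whole triple.
        u1, u2, u3, v1, v2, v3 = v1, v2, v3, u1 - q * v1, u2 - q * v2, u3 - q * v3
    return u1, u2, u3


def mod_inverse(x, y):
    """Corollary: if gcd(x, y) == 1 then x' from ext_gcd is x^-1 mod y.
    Raises ValueError when no inverse exists (gcd != 1)."""
    x1, _, g = ext_gcd(x % y, y)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {y}: gcd is {g}")
    return x1 % y


def fib(k):
    """F_0 = 0, F_1 = 1, F_{k+2} = F_{k+1} + F_k."""
    a, b = 0, 1
    for _ in range(k):
        a, b = b, a + b
    return a


def fib_worst_case(k):
    """Run Euclid on u = F_{k+1}, v = F_k.  Returns (stages, bound) where
    bound = log_phi(sqrt(5) * N), N = max(u, v), the slide's O(n) estimate."""
    u, v = fib(k + 1), fib(k)
    _, stages = gcd_stages(u, v)
    bound = math.log(math.sqrt(5) * max(u, v), PHI)
    return stages, bound


if __name__ == "__main__":
    print(ext_gcd(240, 46))        # Bezout coefficients for gcd 2
    print(mod_inverse(17, 3120))   # inverse of 17 modulo 3120
    print(fib_worst_case(30))      # (stages, log_phi bound) for F_31, F_30
```

Consecutive Fibonacci numbers give exactly $k-1$ stages for $(F_{k+1}, F_k)$, which stays under the $\log_\phi(\sqrt5 N)$ bound; any other pair of the same size finishes in fewer stages.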
Modular Laws
• Gives Algorithm for Modular Inverse
• Modular Laws
  for $n \ge 1$, write $x \equiv y$ if $x \equiv y \pmod n$
Modular Laws (cont’d)
• Law A: if $a \equiv b$ and $x \equiv y$ then $ax \equiv by$
• Law B: if $a \equiv b$ and $ax \equiv by$ and $\gcd(a,n) = 1$ then $x \equiv y$
Modular Laws (cont’d)
• For multisets, write $\{a_1,\dots,a_k\} \equiv \{b_1,\dots,b_k\}$ if
  $a_i \equiv b_{j_i}$ for $i = 1,\dots,k$ and $\{j_1,\dots,j_k\} = \{1,\dots,k\}$
  (i.e. the $b$’s are a permutation of the $a$’s modulo $n$)
Fermat’s Little Theorem
• If $n$ prime then $a^n \equiv a \pmod n$
• Proof by Euler
  if $a \equiv 0$ then $a^n \equiv 0 \equiv a$
  else suppose $\gcd(a,n) = 1$.
  Then $x \equiv a y$ for $y \equiv a^{-1} x$ and any $x$,
  so $\{a, 2a, \dots, (n-1)a\} \equiv \{1, 2, \dots, n-1\}$
Fermat’s Little Theorem (cont’d)
  So by Law A,
  $(a)(2a)\cdots((n-1)a) \equiv 1 \cdot 2 \cdots (n-1)$
  So $a^{n-1}(n-1)! \equiv (n-1)!$
  So by Law B (since $\gcd((n-1)!, n) = 1$ for prime $n$),
  $a^{n-1} \equiv 1 \pmod n$, hence $a^n \equiv a \pmod n$
Euler’s Theorem
• $\varphi(n)$ = number of integers in $\{1,\dots,n-1\}$ relatively prime to $n$
• Euler’s Theorem
  If $\gcd(a,n) = 1$ then $a^{\varphi(n)} \equiv 1 \pmod n$
• Proof
  Let $b_1, \dots, b_{\varphi(n)}$ be the integers $< n$ relatively prime to $n$
Euler’s Theorem (cont’d)
• Lemma
  $\{b_1,\dots,b_{\varphi(n)}\} \equiv \{ab_1, ab_2, \dots, ab_{\varphi(n)}\}$
• Proof
  If $ab_i \equiv ab_j$ then by Law B, $b_i \equiv b_j$.
  Since $1 = \gcd(b_i,n) = \gcd(a,n)$, $\gcd(ab_i, n) = 1$, so $ab_i \equiv b_{j_i}$
  for $\{j_1,\dots,j_{\varphi(n)}\} = \{1,\dots,\varphi(n)\}$
Euler’s Theorem (cont’d)
• By Law A and Lemma
  $(ab_1)(ab_2)\cdots(ab_{\varphi(n)}) \equiv b_1 b_2 \cdots b_{\varphi(n)}$
  so $a^{\varphi(n)}\, b_1 b_2 \cdots b_{\varphi(n)} \equiv b_1 b_2 \cdots b_{\varphi(n)}$
• By Law B
  $a^{\varphi(n)} \equiv 1 \pmod n$
Taking Powers mod n by “Repeated Squaring”
• Problem: Compute $a^e \bmod b$
  Let $e = e_k e_{k-1} \cdots e_1 e_0$ be the binary representation of $e$, so
  $a^e = a^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} a^{e_i 2^i} \bmod b$
  [1] $X \leftarrow 1$
  [2] for $i \leftarrow k, k-1, \dots, 0$ do
      begin
        $X \leftarrow X^2 \bmod b$
        if $e_i = 1$ then $X \leftarrow X a \bmod b$
      end
  output $X$
Taking Powers mod n by “Repeated Squaring” (cont’d)
• Time Cost
  $O(k)$ mults and additions mod $b$
  $k$ = # bits of $e$
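The left-to-right repeated-squaring loop above, as an editor-added Python example (not code from the slides). It follows the slide’s loop literally, bit $e_k$ first, and also counts the modular multiplications so the $O(k)$ cost can be checked against the bound of one squaring plus at most one multiply per bit; `mod_pow` and `mult_bound` are my names.

```python
def mod_pow(a, e, b):
    """Left-to-right repeated squaring, exactly the slide's loop:
    X <- 1; for i = k, k-1, ..., 0: X <- X^2 mod b; if e_i = 1: X <- X*a mod b.
    Returns (a^e mod b, number of modular multiplications performed)."""
    if e < 0:
        raise ValueError("exponent must be nonnegative")
    if b == 1:
        return 0, 0                  # everything is 0 modulo 1
    bits = bin(e)[2:]                # e_k ... e_0, most significant bit first
    x, mults = 1, 0
    for bit in bits:
        x = (x * x) % b              # squaring step, done for every bit
        mults += 1
        if bit == "1":
            x = (x * a) % b          # multiply-in step for a set bit
            mults += 1
    return x, mults


def mult_bound(e):
    """The slide's O(k) cost made concrete: at most 2k multiplications for a
    k-bit exponent (one squaring plus at most one multiply per bit)."""
    return 2 * max(e.bit_length(), 1)


if __name__ == "__main__":
    print(mod_pow(4, 13, 497))       # compare with Python's built-in pow(4, 13, 497)
    print(mult_bound(13))
```

For $e = 13 = 1101_2$ the loop performs four squarings and three multiplies, seven operations in all, while computing $4^{13}$ directly would need a 27-bit intermediate before the final reduction; for a 2048-bit exponent the saving is what makes RSA-style exponentiation feasible at all.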
Rivest, Shamir, Adleman (RSA) Encryption Algorithm
• $M$ = integer message
  $e$ = “encryption integer” for user A
• Cryptogram
  $C = E(M) = M^e \bmod n$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Method
  (1) Choose large random primes $p, q$;
      let $n = p\,q$
  (2) Choose large random integer $d$ relatively prime to
      $\varphi(n) = \varphi(p)\,\varphi(q) = (p-1)(q-1)$
  (3) Let $e$ be the multiplicative inverse of $d$ modulo $\varphi(n)$:
      $e\,d \equiv 1 \pmod{\varphi(n)}$
      (require $e > \log_2 n$, so that $M^e$ exceeds $n$ and the reduction mod $n$ takes effect; else try another $d$)
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Theorem
  If $M$ is relatively prime to $n$, and $D(x) = x^d \pmod n$, then
  $D(E(M)) \equiv E(D(M)) \equiv M$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Proof
  $D(E(M)) \equiv E(D(M)) \equiv M^{e d} \pmod n$
  Since $1 = \gcd(d, \varphi(n))$ and $e d \equiv 1 \pmod{\varphi(n)}$, there must be $k \ge 0$ s.t.
  $1 = d e - k\,\varphi(n)$, i.e. $e d = k\,\varphi(n) + 1$.
  So $M^{e d} \equiv M^{k\varphi(n)+1} \pmod n$.
  Since $(p-1) = \varphi(p)$ divides $\varphi(n)$, the factor $M^{k\varphi(n)}$ is a power of $M^{p-1}$.
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• By Euler’s Theorem (mod $p$, using $\gcd(M,p) = 1$)
  $M^{k\varphi(n)+1} = M\,(M^{p-1})^{k\varphi(n)/(p-1)} \equiv M \pmod p$
  By symmetry, $M^{e d} \equiv M^{k\varphi(n)+1} \equiv M \pmod q$
  Hence $M^{e d} \equiv M^{k\varphi(n)+1} \equiv M \pmod n$, since $p \ne q$ and both divide $M^{e d} - M$
  So $D(E(M)) \equiv E(D(M)) \equiv M \pmod n$
Security of RSA Cryptosystem
• Theorem
  If one can compute $d$ in polynomial time, then one can factor $n$ in polynomial time
• Proof
  $e \cdot d - 1$ is a multiple of $\varphi(n)$.
  But Miller has shown one can factor $n$ from any multiple of $\varphi(n)$.
Security of RSA Cryptosystem (cont’d)
  If one can find $d'$ s.t. $M^{d'} \equiv M^{d} \pmod n$ for all $M$, then
  $d'$ differs from $d$ by a multiple of $\mathrm{lcm}(p-1, q-1)$,
  so $e d' - 1$ is again a multiple of $\mathrm{lcm}(p-1,q-1)$ and one can factor $n$ the same way.
  (lcm is the “least common multiple”)
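The RSA method, the correctness theorem and the security argument above, as one editor-added Python example (not code from the slides). It uses a constructed toy key from the primes 61 and 53, far too small to be secure, and it implements Miller’s factoring step the security theorem relies on: from $e d - 1$, a multiple of $\varphi(n)$, extract a nontrivial square root of 1 modulo $n$ and take a gcd. The slide picks $d$ first and derives $e$; the code takes $e$ as input and derives $d$, which is the same relation $e d \equiv 1 \pmod{\varphi(n)}$. Function names are my own.

```python
import random
from math import gcd


def rsa_keygen(p, q, e):
    """Steps (1)-(3) of the slide with the primes supplied (toy sizes here;
    real keys use primes of ~1024 bits or more)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return n, e, d


def encrypt(M, n, e):
    return pow(M, e, n)             # C = E(M) = M^e mod n


def decrypt(C, n, d):
    return pow(C, d, n)             # D(C) = C^d mod n


def factor_from_ed(n, e, d, rng=random.Random(1)):
    """Miller's argument used in the security theorem.  e*d - 1 is a multiple
    of phi(n); write it as 2^s * t with t odd.  For random a coprime to n the
    chain a^t, a^(2t), ..., a^(2^s t) ends at 1 (mod n).  If it reaches 1 from
    an x that is not +-1, then x is a nontrivial square root of 1 and
    gcd(x - 1, n) is a proper factor.  This succeeds with probability at
    least 1/2 per trial.  Returns (p, q) with p*q == n."""
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:                  # a itself shares a factor with n
            return g, n // g
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                # this chain carries no information
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:              # x^2 == 1 but x != +-1 (mod n)
                p = gcd(x - 1, n)
                return p, n // p
            if y == n - 1:
                break               # chain hits -1 first: retry with new a
            x = y


def roundtrip(M, p=61, q=53, e=17):
    """D(E(M)) for the toy key.  Holds for every M < n, not only M relatively
    prime to n as in the theorem's hypothesis, because p != q (CRT)."""
    n, e, d = rsa_keygen(p, q, e)
    return decrypt(encrypt(M, n, e), n, d)


if __name__ == "__main__":
    n, e, d = rsa_keygen(61, 53, 17)
    print(n, e, d, encrypt(65, n, e), roundtrip(65))
    print(factor_from_ed(n, e, d))
```

Knowing $d$ is therefore exactly as good as knowing the factorization, which is why a leaked private exponent cannot be repaired by choosing a new $e$ for the same $n$.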
Rabin’s Public Key Crypto System
• Use private large primes $p, q$
  public key $n = p\,q$
  message $M$
  cryptogram $M^2 \bmod n$
• Theorem
  If the cryptosystem can be broken, then one can factor the key $n$
Rabin’s Public Key Crypto System (cont’d)
• Proof
  $x^2 \equiv M^2 \pmod n$ has solutions
  $x \equiv \beta, \gamma, n-\beta, n-\gamma$, where $\gamma \notin \{\beta, n-\beta\}$
  (four solutions when $\gcd(M,n) = 1$: two square roots mod $p$ combined with two mod $q$)
  But then $\beta^2 - \gamma^2 \equiv (\beta-\gamma)(\beta+\gamma) \equiv 0 \pmod n$
  So either (1) $p \mid (\beta-\gamma)$ and $q \mid (\beta+\gamma)$
  or (2) $q \mid (\beta-\gamma)$ and $p \mid (\beta+\gamma)$
  (neither $n \mid (\beta - \gamma)$ nor $n \mid (\beta + \gamma)$, since $\gamma \not\equiv \pm\beta$)
• In either case, two independent solutions $\beta, \gamma$ for $M$ give a factorization of $n$, i.e., a factor of $n$ is $\gcd(n, \gamma-\beta)$.
Rabin’s Public Key Crypto System (cont’d)
• Rabin’s Algorithm for factoring $n$, given a way to break his cryptosystem:
  Choose random $\alpha$, $1 \le \alpha < n$, s.t. $\gcd(\alpha, n) = 1$
  let $\beta = \alpha^2 \bmod n$
  find $M$ s.t. $M^2 \equiv \beta \pmod n$ by the assumed way to break the cryptosystem
  with probability $\frac12$, $M \notin \{\alpha, n-\alpha\}$,
  so the factors of $n$ are found, as $\gcd(n, M-\alpha)$ and $n / \gcd(n, M-\alpha)$
  else repeat with another $\alpha$
  Note: Expected number of rounds is 2
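Rabin’s system and the factoring reduction above, as an editor-added Python example (not the slides’ code). The slides leave the legitimate decryption unspecified; to have something that plays the role of the “way to break the cryptosystem”, the example assumes both private primes are $\equiv 3 \pmod 4$ (then a square root mod $p$ is $a^{(p+1)/4}$) and combines roots with the Chinese Remainder Theorem. The primes 1019 and 1123 are a constructed toy key, not a secure one; all names are my own.

```python
import random
from math import gcd


def sqrt_mod_prime(a, p):
    """Square root of a quadratic residue a modulo a prime p = 3 (mod 4):
    r = a^((p+1)/4) mod p, since r^2 = a * a^((p-1)/2) = a by Euler's criterion.
    (Assumption of this demo: the private primes are chosen = 3 mod 4.)"""
    assert p % 4 == 3
    return pow(a, (p + 1) // 4, p)


def crt(rp, p, rq, q):
    """Chinese Remainder Theorem: the x mod p*q with x = rp (mod p), x = rq (mod q)."""
    n = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def rabin_encrypt(M, n):
    return pow(M, 2, n)              # cryptogram M^2 mod n


def rabin_roots(C, p, q):
    """Private decryption: the four square roots {beta, gamma, n-beta, n-gamma}
    of C modulo n = p*q, built from one root mod p and one root mod q."""
    rp, rq = sqrt_mod_prime(C, p), sqrt_mod_prime(C, q)
    return {crt(rp, p, rq, q), crt(rp, p, q - rq, q),
            crt(p - rp, p, rq, q), crt(p - rp, p, q - rq, q)}


def rabin_factor(n, breaker, rng=random.Random(7)):
    """Rabin's reduction.  'breaker' returns some square root of its input mod n.
    Each round: random alpha with gcd(alpha, n) = 1, beta = alpha^2 mod n,
    M = breaker(beta).  alpha is uniform among the four roots of beta, so M lies
    outside {alpha, n-alpha} with probability 1/2, and then gcd(n, M - alpha)
    is p or q.  Returns (factor, rounds used); expected rounds = 2."""
    rounds = 0
    while True:
        rounds += 1
        alpha = rng.randrange(1, n)
        if gcd(alpha, n) != 1:       # alpha already reveals a factor
            return gcd(alpha, n), rounds
        M = breaker(pow(alpha, 2, n))
        if M not in (alpha, n - alpha):
            return gcd(n, M - alpha), rounds


# Constructed toy key for the demo (NOT secure): p, q = 3 (mod 4).
P, Q = 1019, 1123
N = P * Q


def demo_breaker(C):
    """Models an adversary who can decrypt: hands back one root (the smallest)."""
    return min(rabin_roots(C, P, Q))


if __name__ == "__main__":
    C = rabin_encrypt(123456, N)
    print(sorted(rabin_roots(C, P, Q)))
    print(rabin_factor(N, demo_breaker))
```

The same four-roots structure is the practical caveat of Rabin’s scheme: legitimate decryption also sees four candidates and needs redundancy in $M$ to pick the right one, and a decryption oracle that will answer on attacker-chosen ciphertexts is, by this very reduction, a factoring oracle.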
Quadratic Residues
• $a$ is a quadratic residue of $n$ if $x^2 \equiv a \pmod n$ has a solution
• Euler’s criterion:
  If $n$ is an odd prime and $\gcd(a,n) = 1$, then
  $a$ is a quadratic residue of $n$ iff $a^{(n-1)/2} \equiv 1 \pmod n$
Jacobi Function
$J(a,n) = \begin{cases} 1 & \text{if } \gcd(a,n) = 1 \text{ and } a \text{ is a quadratic residue of } n \\ -1 & \text{if } \gcd(a,n) = 1 \text{ and } a \text{ is not a quadratic residue of } n \\ 0 & \text{if } \gcd(a,n) \ne 1 \end{cases}$
(As stated this is the Legendre symbol, and the residue characterization holds when $n$ is an odd prime. For odd composite $n$, $J(a,n)$ is defined as the product of the Legendre symbols over the prime factors of $n$ (with multiplicity); then $J(a,n) = 1$ no longer implies that $a$ is a quadratic residue of $n$, which is exactly what the Solovay–Strassen test below exploits.)
Jacobi Function (cont’d)
• Gauss’s Quadratic Reciprocity Law
  if $p, q$ are distinct odd primes,
  $J(p,q)\,J(q,p) = (-1)^{(p-1)(q-1)/4}$
• Rivest Algorithm (for odd $n$; the base case $J(0,n) = 0$ for $n > 1$ is needed so the recursion terminates when $\gcd(a,n) > 1$)
  $J(a,n) = \begin{cases} 1 & \text{if } a = 1 \\ J(a/2, n)\,(-1)^{(n^2-1)/8} & \text{if } a \text{ even} \\ J(n \bmod a, a)\,(-1)^{\frac{a-1}{2}\cdot\frac{n-1}{2}} & \text{else} \end{cases}$
Jacobi Function (cont’d)
• Theorem (Fermat; the converse direction is Lucas’s)
  $n \ge 2$ is prime iff $\exists x$, $1 \le x < n$, such that
  (1) $x^{n-1} \equiv 1 \pmod n$
  (2) $x^i \not\equiv 1 \pmod n$ for all $i \in \{1, 2, \dots, n-2\}$
  (i.e. $x$ has order exactly $n-1$, which forces $|Z_n^*| = n-1$)
Theorem: Primes are in NP
• Proof (a nondeterministic polynomial-time verifier)
  input $n$
  if $n = 2$ output “prime”
  if $n = 1$ or ($n$ even and $n \ne 2$) output “composite”
  else guess $x$ to verify Fermat’s Theorem:
  Check (1) $x^{n-1} \equiv 1 \pmod n$
  To verify (2) guess the prime factorization of $n - 1 = n_1 n_2 \cdots n_k$
    (a) recursively verify each $n_i$ prime
    (b) verify $x^{(n-1)/n_i} \not\equiv 1 \pmod n$ for each $i$
Theorem & Primes NP (cont’d)
• Note (why (b) suffices for (2))
  Let $y$ be the least $y \ge 1$ s.t. $x^y \equiv 1 \pmod n$ (the order of $x$).
  If $x^{n-1} \equiv 1 \pmod n$ then $y$ must divide $n-1$: write $n-1 = y a + r$ with $0 \le r < y$,
  so $1 \equiv x^{n-1} = x^{ya}\,x^{r} \equiv x^{r} \pmod n$, hence $r = 0$ by minimality of $y$.
  So if $y < n-1$, then $y$ divides $(n-1)/n_i$ for some prime factor $n_i$ of $n-1$,
  and $x^{(n-1)/n_i} \equiv 1 \pmod n$, which (b) rules out. Hence (a) and (b) together give $y = n-1$, i.e. (2).
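The verifier above, implemented as an editor-added Python example (not code from the slides). The certificate layout is my own: a dictionary mapping each odd prime that appears to its claimed generator $x$ and the list of prime factors of $n-1$, so the recursive checks (2a) can look up the sub-certificates. The prover side is brute force (trial-division factoring and a search for $x$), which is fine here because only the verifier has to be polynomial time; the NP machine “guesses” what `build_cert` computes.

```python
def prime_factors(m):
    """Prime factors of m with multiplicity, by trial division.  Only used to
    *construct* a certificate for small n; the verifier never factors, it is
    handed the factorization and checks it."""
    factors, d = [], 2
    while d * d <= m:
        while m % d == 0:
            factors.append(d)
            m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors


def verify_pratt(n, cert):
    """The slide's verifier.  cert maps each odd prime in the certificate to
    (x, [n_1, ..., n_k]) with n - 1 == n_1 * ... * n_k.  True iff the
    certificate proves n prime:
      n == 2 -> prime;  n == 1 or n even -> composite;
      (1)  x^(n-1) == 1 (mod n)
      (2a) every n_i is recursively certified prime
      (2b) x^((n-1)/n_i) != 1 (mod n) for every n_i."""
    if n == 2:
        return True
    if n < 2 or n % 2 == 0 or n not in cert:
        return False
    x, factors = cert[n]
    product = 1
    for f in factors:
        product *= f
    if product != n - 1 or not 1 <= x < n:
        return False                            # malformed certificate
    if pow(x, n - 1, n) != 1:
        return False                            # (1) fails
    for f in set(factors):
        if pow(x, (n - 1) // f, n) == 1:
            return False                        # (2b) fails
        if not verify_pratt(f, cert):
            return False                        # (2a) fails
    return True


def build_cert(n, cert=None):
    """The prover's side: find the x and the factorization the verifier will be
    given (by brute force; it only needs to exist, not to be fast)."""
    cert = {} if cert is None else cert
    if n < 2:
        raise ValueError("no certificate for n < 2")
    if n == 2 or n in cert:
        return cert
    factors = prime_factors(n - 1)
    for x in range(2, n):
        if pow(x, n - 1, n) == 1 and all(
                pow(x, (n - 1) // f, n) != 1 for f in set(factors)):
            cert[n] = (x, factors)
            break
    else:
        raise ValueError(f"{n} is composite: no element of order n-1 exists")
    for f in set(factors):
        build_cert(f, cert)
    return cert


if __name__ == "__main__":
    cert = build_cert(1009)
    print(cert)
    print(verify_pratt(1009, cert))
```

A certificate for a Carmichael number such as 561 cannot be built: $2^{560} \equiv 1 \pmod{561}$ passes check (1), but no $x$ survives (2b), which is the Lucas direction of the theorem doing the work.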
Primality Testing
• Testing
  wish to test if $n$ is prime
• Goal of Randomized Primality Testing
  technique: a predicate $W_n(a)$, “$a$ is a witness that $n$ is composite”
  $W_n(a)$ true $\Rightarrow$ $n$ composite
  $W_n(a)$ false $\Rightarrow$ don’t know
  for random $a \in \{1, \dots, n-1\}$:
  $n$ composite $\Rightarrow$ $\Pr(W_n(a) \text{ true}) > \frac12$
  So more than half of all $a \in \{1, \dots, n-1\}$ are “witnesses to compositeness of $n$”
Primality Testing (cont’d)
• Solovay & Strassen Primality Test (computes $J(a,n)$ via the quadratic reciprocity law)
  $W_n(a) \equiv (\gcd(a,n) \ne 1)$ or $J(a,n) \not\equiv a^{(n-1)/2} \pmod n$
  i.e. test whether Euler’s criterion, with $J(a,n)$ computed by Gauss’s Quadratic Reciprocity Law, is violated
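The Jacobi function (Rivest’s recursion, with the $J(0,n)=0$ base case), Euler’s criterion for prime moduli, and the Solovay–Strassen witness and test built from them, as one editor-added Python example (not code from the slides). It serves both the Jacobi Function slides and the test above; all names are my own, and the `rounds` default is a choice for this demo.

```python
import random
from math import gcd


def jacobi(a, n):
    """J(a, n) for odd n >= 1 by the Rivest recursion on the slide:
        J(1, n) = 1
        J(a, n) = J(a/2, n) * (-1)^((n^2 - 1)/8)              if a is even
        J(a, n) = J(n mod a, a) * (-1)^((a-1)/2 * (n-1)/2)    otherwise
    plus J(0, n) = 0 for n > 1, reached exactly when gcd(a, n) > 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    if n == 1 or a == 1:
        return 1
    if a == 0:
        return 0
    if a % 2 == 0:
        sign = -1 if ((n * n - 1) // 8) % 2 else 1
        return sign * jacobi(a // 2, n)
    sign = -1 if (((a - 1) // 2) * ((n - 1) // 2)) % 2 else 1
    return sign * jacobi(n % a, a)


def euler_criterion(a, p):
    """For an odd prime p and gcd(a, p) = 1: a^((p-1)/2) mod p is 1 if a is a
    quadratic residue and p-1 (i.e. -1) otherwise.  Returned as +1 / -1."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def solovay_strassen_witness(a, n):
    """W_n(a): True means a witnesses that odd n is composite."""
    if gcd(a, n) != 1:
        return True
    return pow(a, (n - 1) // 2, n) != jacobi(a, n) % n   # -1 is n-1 mod n


def solovay_strassen(n, rounds=20, rng=random.Random(3)):
    """Randomized test.  'composite' answers are certain; a 'prime' answer is
    wrong with probability at most 2^-rounds by the slide's 1/2 bound."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        if solovay_strassen_witness(rng.randrange(1, n), n):
            return False
    return True


if __name__ == "__main__":
    print(jacobi(1001, 9907))                 # -1
    print(solovay_strassen(561), solovay_strassen(1009))
```

For a prime $p$, `jacobi(a, p)` and `euler_criterion(a, p)` agree for every $a$; for the Carmichael number 561, Fermat’s test alone is fooled by every base coprime to $n$, but the Jacobi comparison is not.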
Definitions
• $Z_n^*$ = set of all nonnegative numbers $< n$ which are relatively prime to $n$.
• A generator $g$ of $Z_n^*$ is an element such that for all $x \in Z_n^*$ there is $i$ such that $g^i \equiv x \pmod n$.
Theorem of Solovay & Strassen
• Theorem
  If $n$ is composite then $|G| \le \frac{n-1}{2}$,
  where $G = \{a \mid W_n(a \bmod n) \text{ false}\}$
• Proof
  Case $G \ne Z_n^*$: $G$ is a subgroup of $Z_n^*$ (both $a \mapsto a^{(n-1)/2}$ and $a \mapsto J(a,n)$ are multiplicative, so $G$ is closed under multiplication), so $|G| \le \frac{|Z_n^*|}{2} \le \frac{n-1}{2}$
Theorem of Solovey & Strassen (cont’d)
  Case $G = Z_n^*$: use proof by contradiction.
  Then $a^{(n-1)/2} \equiv J(a,n) \pmod n$ for all $a$ relatively prime to $n$.
  Let $n$ have prime factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$.
  Let $g$ be a generator of $Z_m^*$ where $m = p_1^{e_1}$.
Theorem of Solovey & Strassen (cont’d)
• Then by the Chinese Remainder Theorem, there is a unique $a \in \{0, \dots, n-1\}$ s.t.
  $a \equiv g \pmod m$ and $a \equiv 1 \pmod{n/m}$
• Since $a$ is relatively prime to $n$, $a \in Z_n^*$, so (squaring $a^{(n-1)/2} \equiv J(a,n) = \pm 1$)
  $a^{n-1} \equiv 1 \pmod n$, and hence $g^{n-1} \equiv a^{n-1} \equiv 1 \pmod m$
Theorem of Solovey & Strassen (cont’d)
  Case 1: $e_1 \ge 2$.
  Then the order of $g$ in $Z_m^*$ is $|Z_m^*| = p_1^{e_1-1}(p_1 - 1)$ by the known formula for $\varphi(p_1^{e_1})$,
  a contradiction since the order divides $n-1$, so $p_1 \mid n-1$, while also $p_1 \mid n$.
Theorem of Solovey & Strassen (cont’d)
  Case 2: $e_1 = 1$; likewise every $e_i = 1$ (otherwise Case 1 applies with that prime in the role of $p_1$), so $n = p_1 p_2 \cdots p_k$ with $k \ge 2$ since $n$ is composite.
  Since $n = p_1 p_2 \cdots p_k$,
  $J(a,n) = \prod_{i=1}^{k} J(a, p_i) = J(g, p_1) \prod_{i=2}^{k} J(a, p_i)$
  because $a \equiv g \pmod{p_1}$ (here $m = p_1$) and $a \equiv 1 \pmod{p_i}$ for $i \ne 1$.
  So $J(a,n) = -1$,
  since $J(1, p_i) = 1$ and $J(g, p_1) = -1$ (a generator of $Z_{p_1}^*$ is not a quadratic residue).
Theorem of Solovey & Strassen (cont’d)
  We have shown $J(a,n) = -1$, so by the case assumption
  $a^{(n-1)/2} \equiv J(a,n) \equiv -1 \pmod n$, and hence $a^{(n-1)/2} \equiv -1 \pmod{n/m}$.
  But $a \equiv 1 \pmod{n/m}$, so $a^{(n-1)/2} \equiv 1 \pmod{n/m}$.
  Hence $1 \equiv -1 \pmod{n/m}$, impossible since $n/m = p_2 \cdots p_k \ge 3$:
  a contradiction with the assumption $a^{(n-1)/2} \equiv J(a,n) \pmod n$ for all $a \in Z_n^*$ (with $J$ computed via Gauss’s Law).
  So $G \ne Z_n^*$ for composite $n$, and the first case gives $|G| \le \frac{n-1}{2}$.
Miller
• Miller’s Primality Test
  $W_n(a) \equiv (\gcd(a,n) \ne 1)$
  or $(a^{n-1} \not\equiv 1 \pmod n)$
  or $1 < \gcd\big((a^{(n-1)/2^i} \bmod n) - 1,\ n\big) < n$ for some $i \in \{1, \dots, k\}$
  where $k = \max\{i \mid 2^i \text{ divides } n-1\}$
  (the gcd must be a nontrivial divisor: when $a^{(n-1)/2^i} \equiv 1$ the gcd is $n$ itself, which is no evidence; a nontrivial gcd means $a^{(n-1)/2^i}$ is a square root of 1 other than $\pm 1$ modulo some prime factor of $n$)
• Theorem (Miller)
  Assuming the extended RH, if $n$ is composite, then $W_n(a)$ holds for some
  $a \in \{1, 2, \dots, c \log^2 n\}$
• Miller’s Test assumes the extended RH (not proved)
Miller (cont’d)
Miller – Rabin Randomized Primality Test
• Theorem
  choose a random $a \in \{1, \dots, n-1\}$
  test $W_n(a)$
  if $n$ is composite then
  $\Pr(W_n(a) \text{ holds}) \ge \frac12$
  gives another randomized, polytime algorithm for primality!
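Miller’s witness predicate, the Miller–Rabin randomized test, and Miller’s ERH-conditional deterministic version, as an editor-added Python example (not code from the slides). The witness follows the slide’s definition with the gcd required to be a nontrivial divisor. The slides leave the constant $c$ unspecified; the deterministic variant here uses $2 \ln^2 n$, the bound Bach proved under the extended Riemann hypothesis, and that choice, like all the names, is mine.

```python
import math
import random
from math import gcd


def miller_witness(a, n):
    """W_n(a) from the slide, for odd n: a witnesses that n is composite if
    gcd(a, n) != 1, or a^(n-1) != 1 (mod n), or for some i in 1..k (with 2^k
    the largest power of 2 dividing n-1) gcd(a^((n-1)/2^i) mod n - 1, n) is a
    nontrivial divisor of n."""
    if gcd(a, n) != 1:
        return True
    if pow(a, n - 1, n) != 1:
        return True
    k, m = 0, n - 1
    while m % 2 == 0:
        k, m = k + 1, m // 2
    for i in range(1, k + 1):
        g = gcd(pow(a, (n - 1) >> i, n) - 1, n)   # gcd(0, n) == n is not nontrivial
        if 1 < g < n:
            return True
    return False


def miller_rabin(n, rounds=20, rng=random.Random(5)):
    """Randomized test: random a in {1..n-1}, test W_n(a).  'composite' is
    certain; a 'prime' answer errs with probability at most (1/2)^rounds by
    the slide's bound (the standard sharper bound is (1/4)^rounds)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        if miller_witness(rng.randrange(1, n), n):
            return False
    return True


def miller_erh(n):
    """Miller's deterministic test, correct assuming the extended Riemann
    hypothesis: try every a up to c * log^2 n, here c = 2 with natural logs
    (Bach's constant; the slide leaves c unspecified)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    bound = int(2 * math.log(n) ** 2)
    return not any(miller_witness(a, n) for a in range(1, min(bound, n - 1) + 1))


if __name__ == "__main__":
    print(miller_witness(2, 2047), miller_witness(3, 2047))
    print(miller_rabin(2**127 - 1), miller_erh(561))
```

The base-2 result for $2047 = 23 \cdot 89$ is the standard caution: a single fixed base is not a test, which is why the randomized version draws $a$ fresh each round and why the deterministic version must sweep a whole interval of bases.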