Date post: 01-Jun-2020
Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms
Page 1: Number Theory Algorithms and Cryptography Algorithmsreif/courses/alglectures/reif.lectures/ALG4.0.pdfNumber Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D.

Number Theory Algorithms and Cryptography Algorithms

Prepared by

John Reif, Ph.D.

Analysis of Algorithms

Number Theory Algorithms

a)  GCD
b)  Multiplicative Inverse
c)  Fermat & Euler’s Theorems
d)  Public Key Cryptographic Systems
e)  Primality Testing

Number Theory Algorithms (cont’d)

•  Main Reading Selections:

•  CLR, Chapter 33

Euclid’s Algorithm

•  Greatest Common Divisor

GCD(u, v) = largest a s.t. a is a divisor of both u, v

•  Euclid’s Algorithm

procedure GCD(u, v)
begin
    if v = 0 then return(u)
    else return(GCD(v, u mod v))

Euclid’s Algorithm (cont’d)

•  Inductive proof of correctness:

if $a$ is a divisor of $u, v$ $\Leftrightarrow$ $a$ is a divisor of $u - \lfloor u/v \rfloor\, v = u \bmod v$

Euclid’s Algorithm (cont’d)

•  Time Analysis of Euclid’s Algorithm for n bit numbers u,v

$T(n) \le T(n-1) + M(n) = O(n\,M(n)) = O(n^2 \log n \log\log n)$

(where $M(n)$ = time to mult two $n$ bit integers)

Euclid’s Algorithm (cont’d)

•  Fibonacci worst case:

$u = F_{k+1},\ v = F_k$ where $F_0 = 0,\ F_1 = 1,\ F_{k+2} = F_{k+1} + F_k,\ k \ge 0$

$F_k = \frac{1}{\sqrt{5}}\,\Phi^k, \quad \Phi = \frac{1}{2}(1 + \sqrt{5})$

Euclid's Algorithm takes $\log_\Phi(\sqrt{5}\,N) = O(n)$ stages when $N = \max(u, v)$.

Here $n$ = number of bits of $N$.

Euclid’s Algorithm (cont’d)

•  Improved Algorithm

$T(n) \le T\!\left(\frac{n}{2}\right) + O(M(n)) = O(M(n) \log n)$

Extended GCD Algorithm

procedure ExGCD(u, v)
where u = (u1, u2, u3), v = (v1, v2, v3)
begin
    if v3 = 0 then return(u)
    else return ExGCD(v, u - (v ⌊u3 / v3⌋))

Extended GCD Algorithm (cont’d)

•  Theorem

ExGCD((1,0,x), (0,1,y)) = (x', y', GCD(x,y))
where x x' + y y' = GCD(x,y)

•  Proof

inductively can verify on each call

$x u_1 + y u_2 = u_3$

$x v_1 + y v_2 = v_3$

Extended GCD Algorithm (cont’d)

•  Corollary

If gcd(x,y) = 1 then x' is the modular inverse of x modulo y

•  Proof

we must show x x' = 1 mod y
but by previous Theorem, 1 = x x' + y y' = x x' mod y
so 1 = x x' mod y
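
An added example (not part of the original slides): the ExGCD procedure written iteratively in Python on the same triples u = (u1, u2, u3) and v = (v1, v2, v3), with the Corollary's modular inverse built on top of it. The names `ex_gcd` and `mod_inverse` are chosen here for illustration.

```python
def ex_gcd(x, y):
    """Return (x', y', g) with x*x' + y*y' == g == GCD(x, y), for x, y >= 0."""
    u = (1, 0, x)   # invariant from the proof: x*u1 + y*u2 == u3
    v = (0, 1, y)   # invariant from the proof: x*v1 + y*v2 == v3
    while v[2] != 0:
        q = u[2] // v[2]                                   # floor(u3 / v3)
        u, v = v, tuple(ui - q * vi for ui, vi in zip(u, v))
        # The inductive step: both invariants hold again after every call.
        assert x * u[0] + y * u[1] == u[2]
        assert x * v[0] + y * v[1] == v[2]
    return u


def mod_inverse(x, y):
    """Return x' in [0, y) with x*x' == 1 (mod y); fail closed if none exists."""
    if y < 1:
        raise ValueError("modulus must be positive")
    x_prime, _, g = ex_gcd(x % y, y)
    if g != 1:
        # The Corollary needs gcd(x, y) = 1. Returning x' anyway would hand
        # the caller a value that is not an inverse, so raise instead.
        raise ValueError("no inverse: gcd(x, y) != 1")
    return x_prime % y   # ExGCD may return a negative x'; normalise it
```

The `g != 1` check matters in key-generation code: an exponent that shares a factor with the modulus has no inverse, and that case has to surface as an error rather than as a wrong key.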

Modular Laws

•  Gives Algorithm for Modular Inverse!

•  Modular Laws

for $n \ge 1$ let $x \equiv y$ if $x = y \bmod n$

Modular Laws (cont’d)

Law A: if $a \equiv b$ and $x \equiv y$ then $ax \equiv by$

Law B: if $a \equiv b$ and $ax \equiv by$ and $\gcd(a, n) = 1$ then $x \equiv y$

Modular Laws (cont’d)

let $\{a_1, \ldots, a_k\} \equiv \{b_1, \ldots, b_k\}$ if $a_i \equiv b_{j_i}$ for $i = 1, \ldots, k$ and $\{j_1, \ldots, j_k\} = \{1, \ldots, k\}$

Fermat’s Little Theorem

•  If n prime then $a^n = a \bmod n$

•  Proof by Euler

if $a \equiv 0$ then $a^n \equiv 0 \equiv a$
else suppose $\gcd(a, n) = 1$
Then $x \equiv ay$ for $y \equiv a^{-1} x$ and any $x$
so $\{a, 2a, \ldots, (n-1)a\} \equiv \{1, 2, \ldots, n-1\}$

Fermat’s Little Theorem (cont’d)

So by Law A, $(a) \cdot (2a) \cdots (n-1)a \equiv 1 \cdot 2 \cdots (n-1)$
So $a^{n-1} (n-1)! \equiv (n-1)!$
So by Law B $a^{n-1} \equiv 1 \bmod n$

Euler’s Theorem

•  $\varphi(n)$ = number of integers in {1,…, n-1} relatively prime to n

•  Euler’s Theorem

If $\gcd(a, n) = 1$ then $a^{\varphi(n)} = 1 \bmod n$

•  Proof

let $b_1, \ldots, b_{\varphi(n)}$ be the integers $< n$ relatively prime to $n$

Euler’s Theorem (cont’d)

•  Lemma

$\{b_1, \ldots, b_{\varphi(n)}\} \equiv \{ab_1, ab_2, \ldots, ab_{\varphi(n)}\}$

•  Proof

If $ab_i \equiv ab_j$ then by Law B, $b_i \equiv b_j$

Since $1 = \gcd(b_i, n) = \gcd(a, n)$ then $\gcd(ab_i, n) = 1$ so $ab_i \equiv b_{j_i}$

for $\{j_1, \ldots, j_{\varphi(n)}\} = \{1, \ldots, \varphi(n)\}$

Euler’s Theorem (cont’d)

•  By Law A and Lemma

$(ab_1)(ab_2) \cdots (ab_{\varphi(n)}) \equiv b_1 b_2 \cdots b_{\varphi(n)}$

so $a^{\varphi(n)}\, b_1 \cdots b_{\varphi(n)} \equiv b_1 \cdots b_{\varphi(n)}$

•  By Law B

$a^{\varphi(n)} \equiv 1 \bmod n$

Taking Powers mod n by “Repeated Squaring”

•  Problem: Compute $a^e \bmod b$

e = e_k e_{k-1} ··· e_1 e_0 binary representation
[1] X ← 1
[2] for i = k, k-1, ..., 0 do
    begin
        X ← X^2 mod b
        if e_i = 1 then X ← X·a mod b
    end

output $a^e = a^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} a^{e_i 2^i} \bmod b$

Taking Powers mod n by “Repeated Squaring” (cont’d)

•  Time Cost

O(k) mults and additions mod b
k = # bits of e
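
An added example (not from the original slides): the repeated-squaring loop in Python, instrumented to count modular multiplications so the O(k) cost can be checked against Python's built-in `pow`. The names `power_mod` and `max_mults` are chosen here for illustration.

```python
def power_mod(a, e, b):
    """Compute a**e mod b by left-to-right repeated squaring.

    Returns (result, mults), where mults is the number of modular
    multiplications performed, so the O(k) bound is observable.
    """
    if e < 0 or b < 1:
        raise ValueError("need e >= 0 and b >= 1")
    bits = bin(e)[2:]          # e_k e_{k-1} ... e_1 e_0
    x, mults = 1 % b, 0        # [1] X <- 1
    for bit in bits:           # [2] for i = k, k-1, ..., 0
        x = (x * x) % b        #     X <- X^2 mod b
        mults += 1
        if bit == "1":         #     if e_i = 1 then X <- X*a mod b
            x = (x * a) % b
            mults += 1
    return x, mults


def max_mults(e):
    """Upper bound on multiplications: 2 per bit of e."""
    return 2 * max(e.bit_length(), 1)


# The extra multiply runs only for 1-bits, so the running time depends on
# the bit pattern of e. Code that raises to a secret exponent (such as an
# RSA d) uses a constant-time ladder or blinding for that reason.
```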

Rivest, Shamir, Adleman (RSA) Encryption Algorithm

•  M = integer message
   e = “encryption integer” for user A

•  Cryptogram

$C = E(M) = M^e \bmod n$

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)

•  Method

(1) Choose large random primes $p, q$; let $n = p \cdot q$

(2) Choose large random integer $d$ relatively prime to $\varphi(n) = \varphi(p) \cdot \varphi(q) = (p-1) \cdot (q-1)$

(3) Let $e$ be the multiplicative inverse of $d$ modulo $\varphi(n)$: $e \cdot d \equiv 1 \bmod \varphi(n)$ (require $e > \log n$, else try another $d$)

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)

•  Theorem

If $M$ is relatively prime to $n$, and $D(x) = x^d \pmod{n}$ then $D(E(M)) \equiv E(D(M)) \equiv M$

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)

•  Proof

$D(E(M)) \equiv E(D(M)) \equiv M^{e \cdot d} \bmod n$

There must $\exists\, k > 0$ s.t. $1 = \gcd(d, \varphi(n)) = -k\,\varphi(n) + de$

So, $M^{e \cdot d} \equiv M^{k \varphi(n) + 1} \bmod n$

Since $(p-1)$ divides $\varphi(n)$, $M^{k \varphi(n) + 1} \equiv M \bmod p$

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)

•  By Euler’s Theorem

By Symmetry, $M^{k \varphi(n)+1} = M \pmod{q}$

Hence $M^{ed} = M^{k \varphi(n)+1} = M \bmod n$

So $M^{ed} = M \bmod n$
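
An added example (not from the original slides): steps (1) to (3) of the Method and the round-trip Theorem, run on constructed toy primes. The function names are chosen here for illustration, and reading "log n" as the base-2 logarithm is an assumption.

```python
from math import gcd, log2


def rsa_keypair(p, q, d):
    """Steps (1)-(3) of the Method. Returns (n, e, d); raises if d is unusable."""
    n = p * q                                  # (1) n = p * q
    phi = (p - 1) * (q - 1)                    # phi(n) = (p-1)(q-1)
    if gcd(d, phi) != 1:                       # (2) d relatively prime to phi(n)
        raise ValueError("d shares a factor with phi(n); try another d")
    e = pow(d, -1, phi)                        # (3) e*d = 1 mod phi(n)  (Python 3.8+)
    # Require e > log n (base 2 assumed). Then M**e > n for every M >= 2,
    # so a cryptogram is never just an unreduced integer power that an
    # ordinary e-th root would invert.
    if e <= log2(n):
        raise ValueError("e <= log n; try another d")
    return n, e, d


def encrypt(m, e, n):
    """E(M) = M^e mod n"""
    return pow(m, e, n)


def decrypt(c, d, n):
    """D(x) = x^d mod n"""
    return pow(c, d, n)


def theorem_holds(n, e, d):
    """Check D(E(M)) == E(D(M)) == M for every M in [0, n)."""
    return all(decrypt(encrypt(m, e, n), d, n) == m
               and encrypt(decrypt(m, d, n), e, n) == m
               for m in range(n))


# Constructed toy parameters, far too small for real use.
P, Q, D = 61, 53, 2753

# This is raw ("textbook") RSA exactly as on the slides: deterministic and
# malleable. Deployed systems wrap it in a padding scheme such as OAEP or PSS.
```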

Security of RSA Cryptosystem

•  Theorem

If can compute d in polynomial time, then can factor n in polynomial time

•  Proof

e·d - 1 is a multiple of φ(n)
But Miller has shown can factor n from any multiple of φ(n)

Security of RSA Cryptosystem (cont’d)

If can find d' s.t. $M^{d'} = M^{d} \bmod n$

d' differs from d by lcm(p-1, q-1) so can factor n.

(lcm is the "least common multiple")

Rabin’s Public Key Crypto System

•  Use
   private large primes p, q
   public key n = q p
   message M
   cryptogram $M^2 \bmod n$

•  Theorem

If cryptosystem can be broken, then can factor key n

Rabin’s Public Key Crypto System (cont’d)

•  Proof

$\alpha = M^2 \bmod n$ has solutions $M = \gamma, \beta, n-\gamma, n-\beta$ where $\beta \notin \{\gamma, n-\gamma\}$

But then $\gamma^2 - \beta^2 = (\gamma - \beta)(\gamma + \beta) = 0 \bmod n$

So either (1) $p \mid (\gamma - \beta)$ and $q \mid (\gamma + \beta)$
or either (2) $q \mid (\gamma - \beta)$ and $p \mid (\gamma + \beta)$

•  In either case, two independent solutions for M give factorization of n, i.e., a factor of n is $\gcd(n, \gamma - \beta)$.

Rabin’s Public Key Crypto System (cont’d)

•  Rabin’s Algorithm for factoring n, given a way to break his cryptosystem.

Choose random $\beta$, $1 < \beta < n$ s.t. $\gcd(\beta, n) = 1$

let $\alpha = \beta^2 \bmod n$

find $M$ s.t. $M^2 = \alpha \bmod n$ by assumed way to break cryptosystem

with probability $\frac{1}{2}$, $M \notin \{\beta, n-\beta\}$ so factors of n are found

else repeat with another $\beta$

Note: Expected number of rounds is 2
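
An added example (not from the original slides): the reduction run end to end in Python. The "assumed way to break the cryptosystem" is simulated by an oracle that knows p and q (constructed toy primes, both congruent to 3 mod 4 so square roots are one exponentiation); `rabin_factor` only sees n and the oracle. All names are chosen here for illustration.

```python
import random
from math import gcd


def make_sqrt_oracle(p, q):
    """Stand-in for the assumed break: returns one square root of alpha mod p*q."""
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    p_inv = pow(p, -1, q)

    def oracle(alpha):
        rp = pow(alpha, (p + 1) // 4, p)       # a square root of alpha mod p
        rq = pow(alpha, (q + 1) // 4, q)       # a square root of alpha mod q
        roots = []
        for sp in (rp, p - rp):
            for sq in (rq, q - rq):
                # Chinese Remainder Theorem: x = sp mod p, x = sq mod q
                roots.append((sp + p * (((sq - sp) * p_inv) % q)) % n)
        return min(roots)                      # fixed choice that cannot depend on beta

    return oracle


def rabin_factor(n, oracle, rng):
    """Rabin's algorithm: factor n using only a square-root oracle.

    Returns ((f1, f2), rounds) where rounds counts oracle queries.
    """
    rounds = 0
    while True:
        beta = rng.randrange(2, n)             # random beta, 1 < beta < n
        if gcd(beta, n) != 1:
            continue
        alpha = beta * beta % n                # alpha = beta^2 mod n
        m = oracle(alpha)                      # M with M^2 = alpha mod n
        rounds += 1
        if m not in (beta, n - beta):          # happens with probability 1/2
            f = gcd(n, (m - beta) % n)         # gcd(n, gamma - beta)
            return tuple(sorted((f, n // f))), rounds
```

For a defender the reading is that a Rabin decryption service which returns raw square roots of caller-chosen values gives the caller the private key.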

Quadratic Residues

a is quadratic residue of n if $x^2 \equiv a \bmod n$ has solution

Euler: If n is odd, prime and gcd(a,n)=1, then a is quadratic residue of n iff $a^{(n-1)/2} \equiv 1 \bmod n$

Jacobi Function

$$J(a,n) = \begin{cases} 1 & \text{if } \gcd(a,n) = 1 \text{ and } a \text{ is quadratic residue of } n \\ -1 & \text{if } \gcd(a,n) = 1 \text{ and } a \text{ is not quadratic residue of } n \\ 0 & \text{if } \gcd(a,n) \ne 1 \end{cases}$$

Jacobi Function (cont’d)

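•  Gauss’s Quadratic Reciprocity Law

if $p, q$ are odd primes, $J(p,q) \cdot J(q,p) = (-1)^{(p-1)(q-1)/4}$

•  Rivest Algorithm

$$J(a,n) = \begin{cases} 1 & \text{if } a = 1 \\ J(a/2,\, n) \cdot (-1)^{(n^2-1)/8} & \text{if } a \text{ even} \\ J(n \bmod a,\, a) \cdot (-1)^{\frac{(a-1)}{2}\frac{(n-1)}{2}} & \text{else} \end{cases}$$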

Jacobi Function (cont’d)

•  Theorem (Fermat)

$n > 2$ is prime iff $\exists\, x$, $1 < x < n$

(1) $x^{n-1} = 1 \bmod n$
(2) $x^{i} \ne 1 \bmod n$ for all $i \in \{1, 2, \ldots, n-2\}$

Theorem: Primes are in NP

•  Proof

input n
n = 2 ⇒ output "prime"
n = 1 or (n even and n > 2) ⇒ output "composite"
else guess x to verify Fermat's Theorem
Check (1) $x^{n-1} = 1 \bmod n$
To verify (2) guess prime factorization of $n-1 = n_1 \cdot n_2 \cdots n_k$
    (a) recursively verify each $n_i$ prime
    (b) verify $x^{(n-1)/n_i} \ne 1 \bmod n$

Theorem: Primes are in NP (cont’d)

•  Note

if $x^{(n-1)} = 1 \bmod n$ the least $y$ s.t. $x^{y} = 1 \bmod n$ must divide $n-1$. So $x^{ya} = 1 \bmod n$

let $a = \frac{(n-1)}{y\, n_i}$ so $1 \equiv x^{ya} = x^{(n-1)/n_i} \bmod n$

Primality Testing

•  Testing

wish to test if n is prime
technique $W_n(a)$ = "a witness that n is composite"
$W_n(a)$ = true ⇒ n composite
$W_n(a)$ = false ⇒ don't know

•  Goal of Randomized Primality Testing

for random $a \in \{1, \ldots, n-1\}$, n composite, $\mathrm{Prob}(W_n(a)\ \text{true}) > \frac{1}{2}$
So $\frac{1}{2}$ of all $a \in \{1, \ldots, n-1\}$ are "witness to compositeness of n"

Primality Testing (cont’d)

•  Solovay & Strassen Primality Test (quadratic reciprocal law)

$W_n(a) = (\gcd(a,n) \ne 1)$ or $J(a,n) \ne a^{(n-1)/2} \bmod n$

test if Gauss's Quadratic Reciprocal Law is violated

Definitions

$Z_n^*$ = set of all nonnegative numbers $< n$ which are relatively prime to n.

generator $g$ of $Z_n^*$ such that for all $x \in Z_n^*$ there is $i$ such that $g^i = x \bmod n$

Theorem of Solovay & Strassen

•  Theorem

If n is composite then $|G| \le \frac{n-1}{2}$, where $G = \{a \mid W_n(a \bmod n)\ \text{false}\}$

•  Proof

Case $G \ne Z_n^*$ ⇒ G is subgroup of $Z_n^*$

⇒ $|G| \le \frac{|Z_n^*|}{2} \le \frac{n-1}{2}$

Theorem of Solovay & Strassen (cont’d)

Case $G = Z_n^*$. Use Proof by Contradiction

so $a^{(n-1)/2} = J(a,n) \bmod n$ for all a relatively prime to n

Let n have prime factorization $n = P_1^{\alpha_1} P_2^{\alpha_2} P_3^{\alpha_3} \cdots$, $\alpha_1 \ge \alpha_2 \ge \cdots \ge \alpha_k$

Let g be a generator of $Z_m^*$ where $m = P_1^{\alpha_1}$

Theorem of Solovay & Strassen (cont’d)

•  Then by Chinese Remainder Theorem,

$\exists$ unique $a$ s.t. $a = g \bmod m$, $a = 1 \bmod \left(\frac{n}{m}\right)$

•  Since a is relatively prime to n,

$a \in Z_n^*$ so $a^{n-1} = 1 \bmod n$ and $g^{n-1} = 1 \bmod n$

Theorem of Solovay & Strassen (cont’d)

Case $\alpha_1 \ge 2$.

Then order of g in $Z_n^*$ is $p_1^{\alpha_1 - 1}(p_1 - 1)$ by known formula, a contradiction since the order divides n-1.

Theorem of Solovay & Strassen (cont’d)

Case $\alpha_1 = \alpha_2 = \cdots = \alpha_k = 1$

Since $n = p_1 \cdots p_k$

$J(a,n) = \prod_{i=1}^{k} J(a,p_i) = J(g,p_1) \cdot \prod_{i=2}^{k} J(a,p_i)$

Since $a = \begin{cases} g \bmod p_i & i = 1 \\ 1 \bmod p_i & i \ne 1 \end{cases}$

So $J(a,n) = -1 \bmod n$ since $J(1,p_i) = 1$ and $J(g,p_1) = -1$

Theorem of Solovay & Strassen (cont’d)

We have shown $J(a,n) = -1 \bmod n$

But by assumption $a = 1 \bmod \left(\frac{n}{m}\right)$

so $a^{(n-1)/2} = 1 \bmod \left(\frac{n}{m}\right)$

Hence $a^{(n-1)/2} \ne J(a,n) \bmod \left(\frac{n}{m}\right)$

a contradiction with Gauss's Law!

Miller

•  Miller’s Primality Test

$W_n(a) = (\gcd(a,n) \ne 1)$

or $(a^{n-1} \ne 1 \bmod n)$

or $\gcd(a^{(n-1)/2^i} \bmod n - 1,\ n) \ne 1$ for $i \in \{1, \ldots, k\}$

where $k = \max\{i \mid 2^i \text{ divides } n-1\}$

Miller (cont’d)

•  Theorem (Miller)

Assuming the extended RH, if n is composite, then $W_n(a)$ holds for some $a \in \{1, 2, \ldots, c \log^2 n\}$

•  Miller’s Test assumes extended RH (not proved)

Miller – Rabin Randomized Primality Test

choose a random $a \in \{1, \ldots, n-1\}$
test $W_n(a)$

•  Theorem

if n is composite then $\mathrm{Prob}(W_n(a)\ \text{holds}) > \frac{1}{2}$

gives another randomized, polytime algorithm for primality!
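
An added example (not from the original slides): Miller's witness W_n(a) in the gcd form given above, used as the Miller–Rabin randomized test. Treating the third condition as "the gcd is a nontrivial divisor of n" (strictly between 1 and n) is an assumption made here so that a prime n never reports a witness; function names are illustrative and 561 is a constructed composite input.

```python
import random
from math import gcd


def miller_witness(a, n):
    """W_n(a) for odd n >= 3 and 1 <= a < n.

    Returns None when a is not a witness. Otherwise returns a divisor of n:
    a nontrivial factor when one is exposed, or n itself when only the
    condition a^(n-1) != 1 mod n proves compositeness.
    """
    g = gcd(a, n)
    if g != 1:
        return g                               # gcd(a, n) != 1
    if pow(a, n - 1, n) != 1:
        return n                               # a^(n-1) != 1 mod n
    m = n - 1
    while m % 2 == 0:                          # exponents (n-1)/2^i, i = 1..k
        m //= 2
        g = gcd(pow(a, m, n) - 1, n)
        if 1 < g < n:                          # nontrivial divisor (assumed reading)
            return g
    return None


def miller_rabin(n, rounds=40, rng=random):
    """False: n is composite. True: n is prime except with prob. < 2**-rounds."""
    if n == 2:
        return True
    if n < 2 or n % 2 == 0:
        return False
    for _ in range(rounds):
        if miller_witness(rng.randrange(1, n), n) is not None:
            return False
    return True
```

Unlike the Solovay & Strassen witness, this one often yields an actual factor, which is why 561 (which passes the a^(n-1) check for every a coprime to it) is still caught.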
