Number Theory Algorithms and Cryptography Algorithms
Prepared by
John Reif, Ph.D.
Analysis of Algorithms
Number Theory Algorithms
a) GCD
b) Multiplicative Inverse
c) Fermat & Euler’s Theorems
d) Public Key Cryptographic Systems
e) Primality Testing
Number Theory Algorithms (cont’d)
• Main Reading Selections:
• CLR, Chapter 33
Euclid’s Algorithm
• Greatest Common Divisor
GCD(u,v) = largest a s.t. a is a divisor of both u, v
• Euclid’s Algorithm
procedure GCD(u,v)
begin
  if v = 0 then return(u)
  else return(GCD(v, u mod v))
end
Euclid’s Algorithm (cont’d)
• Inductive proof of correctness:
a is a divisor of both u, v ⇔ a is a divisor of both v and u - ⌊u/v⌋·v = u mod v
Euclid’s Algorithm (cont’d)
• Time Analysis of Euclid’s Algorithm for n bit numbers u, v
T(n) ≤ T(n-1) + M(n) = O(n·M(n)) = O(n² log n log log n)
(where M(n) = time to multiply two n bit integers)
Euclid’s Algorithm (cont’d)
• Fibonacci worst case:
u = F_(k+1), v = F_k where F_0 = 0, F_1 = 1, F_(k+2) = F_(k+1) + F_k, k ≥ 0
F_k ≈ Φ^k/√5, Φ = (1+√5)/2
⇒ Euclid's Algorithm takes log_Φ(√5·N) = O(n) stages when N = max(u,v).
Here n = number of bits of N.
Euclid’s Algorithm (cont’d)
• Improved Algorithm
T(n) ≤ 2·T(n/2) + O(M(n)) = O(M(n) log n)
Extended GCD Algorithm
procedure ExGCD(u, v)
  where u = (u1, u2, u3), v = (v1, v2, v3)
begin
  if v3 = 0 then return(u)
  else return ExGCD(v, u - (v · ⌊u3/v3⌋))
end
Extended GCD Algorithm (cont’d)
• Theorem
ExGCD((1,0,x), (0,1,y)) = (x', y', GCD(x,y)) where x·x' + y·y' = GCD(x,y)
• Proof
inductively can verify on each call x·u1 + y·u2 = u3 and x·v1 + y·v2 = v3
Extended GCD Algorithm (cont’d)
• Corollary
If gcd(x,y) = 1 then x' is the modular inverse of x modulo y
• Proof
we must show x·x' ≡ 1 mod y; but by previous Theorem, 1 = x·x' + y·y' ≡ x·x' mod y, so x·x' ≡ 1 mod y
Modular Laws
• Gives Algorithm for Modular Inverse
• Modular Laws
for n ≥ 1, let x ≡ y if x = y mod n
Modular Laws (cont’d)
Law A: if a ≡ b and x ≡ y then ax ≡ by
Law B: if a ≡ b and ax ≡ by and gcd(a, n) = 1 then x ≡ y
Modular Laws (cont’d)
let {a_1,..., a_k} ≡ {b_1,..., b_k} if a_i ≡ b_(j_i) for i = 1,..., k and {j_1,..., j_k} = {1,..., k}
Fermat’s Little Theorem
• If n prime then a^n ≡ a mod n
• Proof by Euler
if a ≡ 0 then a^n ≡ 0 ≡ a
else suppose gcd(a,n) = 1. Then x ≡ a·y for y ≡ a^(-1)·x and any x,
so {a, 2a,..., (n-1)a} ≡ {1, 2,..., n-1}
Fermat’s Little Theorem (cont’d)
So by Law A, a·(2a)···((n-1)a) ≡ 1·2···(n-1)
So a^(n-1)·(n-1)! ≡ (n-1)!
So by Law B, a^(n-1) ≡ 1 mod n
Euler’s Theorem
• ϕ(n) = number of integers in {1,…, n-1} relatively prime to n
• Euler’s Theorem
If gcd(a,n) = 1 then a^ϕ(n) ≡ 1 mod n
• Proof
let b_1,..., b_ϕ(n) be the integers < n relatively prime to n
Euler’s Theorem (cont’d)
• Lemma
{b_1,..., b_ϕ(n)} ≡ {a·b_1, a·b_2,..., a·b_ϕ(n)}
• Proof
If a·b_i ≡ a·b_j then by Law B, b_i ≡ b_j
Since 1 = gcd(b_i, n) = gcd(a, n), then gcd(a·b_i, n) = 1, so a·b_i ≡ b_(j_i)
for {j_1,..., j_ϕ(n)} = {1,..., ϕ(n)}
Euler’s Theorem (cont’d)
• By Law A and Lemma
(a·b_1)(a·b_2)···(a·b_ϕ(n)) ≡ b_1·b_2···b_ϕ(n)
so a^ϕ(n)·b_1·b_2···b_ϕ(n) ≡ b_1·b_2···b_ϕ(n)
• By Law B
a^ϕ(n) ≡ 1 mod n
Taking Powers mod n by “Repeated Squaring”
• Problem: Compute a^e mod b
e = e_k e_(k-1) ··· e_1 e_0 binary representation
[1] X ← 1
[2] for i = k, k-1,..., 0 do
    begin
      X ← X² mod b
      if e_i = 1 then X ← X·a mod b
    end
output X
Note: a^e = a^(∑_{i=0}^{k} e_i·2^i) = ∏_{i=0}^{k} a^(e_i·2^i) mod b
Taking Powers mod n by “Repeated Squaring” (cont’d)
• Time Cost
O(k) mults and additions mod b, k = # bits of e
Rivest, Shamir, Adleman (RSA) Encryption Algorithm
• M = integer message, e = “encryption integer” for user A
• Cryptogram
C = E(M) = M^e mod n
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Method
(1) Choose large random primes p, q; let n = p·q
(2) Choose large random integer d relatively prime to ϕ(n) = ϕ(p)·ϕ(q) = (p-1)·(q-1)
(3) Let e be the multiplicative inverse of d modulo ϕ(n): e·d ≡ 1 mod ϕ(n) (require e > log n, else try another d)
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Theorem
If M is relatively prime to n, and D(x) = x^d (mod n), then D(E(M)) ≡ E(D(M)) ≡ M
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Proof
D(E(M)) ≡ E(D(M)) ≡ M^(e·d) mod n
There must ∃ k > 0 s.t. 1 = gcd(d, ϕ(n)) = d·e - k·ϕ(n)
So, M^(e·d) ≡ M^(k·ϕ(n)+1) mod n
Since (p-1) divides ϕ(n), M^(k·ϕ(n)+1) ≡ M mod p
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• By Euler’s Theorem
By Symmetry, M^(k·ϕ(n)+1) ≡ M (mod q)
Hence M^(ed) = M^(k·ϕ(n)+1) = M mod n
So M^(ed) = M mod n
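The repeated-squaring procedure from the earlier slide together with the RSA method (steps (1)-(3)) and Theorem, as an added Python example that is not from the slides; rsa_keygen assumes its p, q are prime and uses Python's built-in pow(d, -1, phi) (3.8+) for the inverse step, and roundtrip_ok is an assumed helper that checks D(E(M)) = E(D(M)) = M:

```python
import math
import random

def mod_pow(a, e, b):
    """Repeated squaring as on the slides: walk the bits e_k ... e_0 of e,
    square X at each bit and multiply by a where the bit is 1.
    Costs O(k) multiplications mod b, k = number of bits of e."""
    X = 1
    for i in range(e.bit_length() - 1, -1, -1):        # i = k, k-1, ..., 0
        X = (X * X) % b
        if (e >> i) & 1:                               # e_i = 1
            X = (X * a) % b
    return X % b                                       # also covers e = 0

def rsa_keygen(p, q, rng=random):
    """Steps (1)-(3) of the RSA method for primes p, q (primality assumed):
    n = p*q, random d coprime to phi(n) = (p-1)(q-1), e = d^-1 mod phi(n),
    retrying until e > log2(n) as the slides require."""
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        d = rng.randrange(2, phi)
        if math.gcd(d, phi) == 1:
            e = pow(d, -1, phi)                        # inverse mod phi(n)
            if e > n.bit_length():
                return (n, e), (n, d)                  # public key, private key

def encrypt(pub, M):
    n, e = pub
    return mod_pow(M, e, n)                            # C = E(M) = M^e mod n

def decrypt(priv, C):
    n, d = priv
    return mod_pow(C, d, n)                            # D(C) = C^d mod n

def roundtrip_ok(p, q, M, seed=1):
    """Theorem check: D(E(M)) = E(D(M)) = M for M relatively prime to n."""
    pub, priv = rsa_keygen(p, q, random.Random(seed))
    assert math.gcd(M, pub[0]) == 1
    return decrypt(priv, encrypt(pub, M)) == M and encrypt(pub, decrypt(priv, M)) == M
```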
Security of RSA Cryptosystem
• Theorem If can compute d in polynomial time, then can factor n in polynomial time
• Proof
e· d-1 is a multiple of φ(n) But Miller has shown can factor n from any multiple of φ(n)
Security of RSA Cryptosystem (cont’d)
If can find d' s.t. M^d' = M^d mod n
⇒ d' differs from d by a multiple of lcm(p-1, q-1)
⇒ so can factor n.
(lcm is the “least common multiple”)
Rabin’s Public Key Crypto System
• Use private large primes p, q; public key n = q·p; message M
cryptogram M² mod n
• Theorem
If cryptosystem can be broken, then can factor key n
Rabin’s Public Key Crypto System (cont’d)
• Proof
M² = α mod n has solutions M = β, γ, n-β, n-γ where γ ∉ {β, n-β}
But then β² - γ² = (β-γ)(β+γ) = 0 mod n
So either (1) p | (β-γ) and q | (β+γ)
or (2) q | (β-γ) and p | (β+γ)
• In either case, two independent solutions for M give factorization of n, i.e., a factor of n is gcd(n, γ-β).
Rabin’s Public Key Crypto System (cont’d)
• Rabin’s Algorithm for factoring n, given a way to break his cryptosystem.
Choose random β, 1 < β < n s.t. gcd(β, n) = 1
let α = β² mod n
find M s.t. M² = α mod n by assumed way to break cryptosystem
with probability ≥ 1/2, M ∉ {β, n-β} ⇒ so factors of n are found
else repeat with another β
Note: Expected number of rounds is 2
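Rabin's reduction above in Python, as an added example not taken from the slides; sqrt_oracle is an assumed brute-force stand-in for the "way to break the cryptosystem" (usable only for toy n), and average_rounds is an assumed helper that checks the Note's expected two rounds:

```python
import math
import random

def sqrt_oracle(alpha, n, rng):
    """Stand-in for the assumed 'way to break the cryptosystem': returns one
    of the square roots of alpha mod n, chosen at random.  Brute force, so
    only for toy n; the reduction does not depend on how the root is found."""
    roots = [M for M in range(n) if (M * M) % n == alpha]
    return rng.choice(roots)

def factor_from_roots(n, beta, gamma):
    """Two solutions of M^2 = alpha mod n with gamma not in {beta, n-beta}:
    (beta-gamma)(beta+gamma) = 0 mod n, so gcd(n, gamma-beta) is a proper factor."""
    assert (beta * beta) % n == (gamma * gamma) % n
    assert gamma not in (beta, n - beta)
    p = math.gcd(n, gamma - beta)
    assert 1 < p < n
    return min(p, n // p), max(p, n // p)

def rabin_factor(n, rng=None, oracle=sqrt_oracle, max_rounds=64):
    """Rabin's algorithm: random beta with gcd(beta, n) = 1, alpha = beta^2 mod n,
    ask the oracle for a root M; with probability >= 1/2 it is not +-beta and n
    splits, else repeat.  Returns (p, q, rounds_used) or None."""
    rng = rng if rng is not None else random.Random()
    for rounds in range(1, max_rounds + 1):
        beta = rng.randrange(2, n - 1)                   # 1 < beta < n
        while math.gcd(beta, n) != 1:                    # slides: gcd(beta, n) = 1
            beta = rng.randrange(2, n - 1)
        alpha = (beta * beta) % n
        M = oracle(alpha, n, rng)
        if M not in (beta, n - beta):
            return factor_from_roots(n, beta, M) + (rounds,)
    return None

def average_rounds(n, trials=200, seed=0):
    """Empirical check of the Note: expected number of rounds is 2 (assumed helper)."""
    rng = random.Random(seed)
    return sum(rabin_factor(n, rng)[2] for _ in range(trials)) / trials
```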
Quadratic Residues
a is quadratic residue of n if x² ≡ a mod n has solution
Euler: If n is odd prime and gcd(a,n) = 1, then a is quadratic residue of n iff a^((n-1)/2) ≡ 1 mod n
Jacobi Function
J(a,n) = 1 if gcd(a,n) = 1 and a is quadratic residue of n
       = -1 if gcd(a,n) = 1 and a is not quadratic residue of n
       = 0 if gcd(a,n) ≠ 1
Jacobi Function (cont’d)
• Gauss’s Quadratic Reciprocity Law
if p, q are odd primes, J(p,q)·J(q,p) = (-1)^((p-1)(q-1)/4)
• Rivest Algorithm
J(a,n) = 1 if a = 1
       = J(a/2, n)·(-1)^((n²-1)/8) if a even
       = J(n mod a, a)·(-1)^(((a-1)/2)·((n-1)/2)) else
Jacobi Function (cont’d)
• Theorem (Fermat)
n > 2 is prime iff ∃ x, 1 < x < n,
(1) x^(n-1) ≡ 1 mod n
(2) x^i ≠ 1 mod n for all i ∈ {1, 2,..., n-2}
Theorem: Primes are in NP
• Proof
input n
n = 2 ⇒ output "prime"
n = 1 or (n even and n > 2) ⇒ output "composite"
else guess x to verify Fermat's Theorem
  Check (1) x^(n-1) ≡ 1 mod n
  To verify (2) guess prime factorization of n-1 = n_1·n_2···n_k
  (a) recursively verify each n_i prime
  (b) verify x^((n-1)/n_i) ≠ 1 mod n
Theorem & Primes NP (cont’d)
• Note
if x^(n-1) = 1 mod n then the least y s.t. x^y = 1 mod n must divide n-1
(let a = (n-1)/y, so 1 ≡ x^(n-1) = x^(ya) mod n).
So if y < n-1, then y divides (n-1)/n_i for some prime n_i of n-1, giving x^((n-1)/n_i) = 1 mod n, which (b) rules out.
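The certificate verifier from the Proof above, as an added Python example that is not from the slides; the cert dictionary layout (cert[n] = (x, prime factors of n-1)) and the make_certificate prover are assumptions of this example:

```python
def verify_prime_certificate(n, cert):
    """Verifier for the NP certificate on the slides.  cert[n] = (x, factors):
    x is the guessed element of order n-1, factors the guessed prime
    factorization of n-1 (with repetition).  Every factor is verified
    recursively from the same certificate, so nothing is taken on trust."""
    if n == 2:
        return True                                  # base case of the slides
    if n == 1 or n % 2 == 0:
        return False
    if n not in cert:
        return False
    x, factors = cert[n]
    product = 1
    for f in factors:
        product *= f
    if product != n - 1 or not (1 < x < n):
        return False
    if pow(x, n - 1, n) != 1:                        # (1) x^(n-1) = 1 mod n
        return False
    for f in set(factors):
        if not verify_prime_certificate(f, cert):    # (a) each n_i is prime
            return False
        if pow(x, (n - 1) // f, n) == 1:             # (b) x^((n-1)/n_i) != 1 mod n
            return False
    return True

def make_certificate(n, cert=None):
    """Prover side (assumed helper, not on the slides): factors n-1 by trial
    division and finds x by brute force, so only for small n.  Raises if n is
    composite, since then no element of order n-1 exists."""
    cert = {} if cert is None else cert
    if n == 2 or n in cert:
        return cert
    factors, m, f = [], n - 1, 2
    while f * f <= m:
        while m % f == 0:
            factors.append(f)
            m //= f
        f += 1
    if m > 1:
        factors.append(m)
    for p in set(factors):
        make_certificate(p, cert)
    for x in range(2, n):
        if pow(x, n - 1, n) == 1 and all(pow(x, (n - 1) // p, n) != 1 for p in set(factors)):
            cert[n] = (x, factors)
            return cert
    raise ValueError(f"{n} is composite: no element of order n-1")
```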
Primality Testing
• Testing
wish to test if n is prime
• Goal of Randomized Primality Testing
technique: W_n(a) = "a witness that n is composite"
W_n(a) = true ⇒ n composite
W_n(a) = false ⇒ don't know
for random a ∈ {1,..., n-1}: n composite ⇒ Prob(W_n(a) = true) > 1/2
So ≥ 1/2 of all a ∈ {1,..., n-1} are "witnesses to compositeness of n"
Primality Testing (cont’d)
• Solovay & Strassen Primality Test
W_n(a) = (gcd(a,n) ≠ 1) or J(a,n) ≠ a^((n-1)/2) mod n
  ↑ test if Gauss's Quadratic Reciprocity Law is violated
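Rivest's algorithm for J(a,n), Euler's criterion and the Solovay-Strassen witness W_n(a), as an added Python example that is not from the slides; is_qr_by_euler, witness_fraction and the seed parameter are assumptions of this example:

```python
import math
import random

def jacobi(a, n):
    """Rivest's recursive rule from the slides, for odd n >= 1:
    J(1,n) = 1; J(a,n) = J(a/2,n) * (-1)^((n^2-1)/8) if a is even;
    else J(a,n) = J(n mod a, a) * (-1)^((a-1)/2 * (n-1)/2).
    The gcd(a,n) != 1 -> 0 case of the definition is checked up front."""
    assert n > 0 and n % 2 == 1
    a %= n
    if n == 1:
        return 1
    if math.gcd(a, n) != 1:
        return 0
    if a == 1:
        return 1
    if a % 2 == 0:
        return jacobi(a // 2, n) * (-1) ** (((n * n - 1) // 8) % 2)
    return jacobi(n % a, a) * (-1) ** ((((a - 1) // 2) * ((n - 1) // 2)) % 2)

def is_qr_by_euler(a, p):
    """Euler's criterion, odd prime p, gcd(a,p) = 1: QR iff a^((p-1)/2) = 1 mod p."""
    return pow(a, (p - 1) // 2, p) == 1

def ss_witness(a, n):
    """Solovay-Strassen W_n(a): gcd(a,n) != 1, or J(a,n) != a^((n-1)/2) mod n."""
    if math.gcd(a, n) != 1:
        return True
    return jacobi(a, n) % n != pow(a, (n - 1) // 2, n)

def solovay_strassen(n, rounds=20, seed=None):
    """'probably prime' unless a random a in {1..n-1} witnesses compositeness;
    each round lets a composite n through with probability < 1/2."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    return not any(ss_witness(rng.randrange(1, n), n) for _ in range(rounds))

def witness_fraction(n):
    """Fraction of a in {1..n-1} with W_n(a) true; > 1/2 for composite n."""
    return sum(ss_witness(a, n) for a in range(1, n)) / (n - 1)
```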
Definitions
Z_n^* = set of all nonnegative numbers < n which are relatively prime to n.
generator g of Z_n^*: such that for all x ∈ Z_n^* there is i such that g^i = x mod n
Theorem of Solovay & Strassen
• Theorem
If n is composite then |G| ≤ (n-1)/2, where G = {a | W_n(a mod n) false}
• Proof
Case G ≠ Z_n^*: G is subgroup of Z_n^* ⇒ |G| ≤ |Z_n^*|/2 ≤ (n-1)/2
Theorem of Solovay & Strassen (cont’d)
Case G = Z_n^*: Use Proof by Contradiction
so a^((n-1)/2) = J(a,n) mod n for all a relatively prime to n
Let n have prime factorization n = P_1^α_1 · P_2^α_2 ··· P_k^α_k, α_1 ≥ α_2 ≥ ... ≥ α_k ≥ 1
Let g be a generator of Z_m^* where m = P_1^α_1
Theorem of Solovay & Strassen (cont’d)
• Then by Chinese Remainder Theorem,
∃ unique a s.t. a = g mod m, a = 1 mod (n/m)
• Since a is relatively prime to n,
a ∈ Z_n^* so a^(n-1) = 1 mod n and g^(n-1) = 1 mod m
Theorem of Solovay & Strassen (cont’d)
Case α_1 ≥ 2:
Then order of g in Z_m^* is p_1^(α_1 - 1)·(p_1 - 1) by known formula, a contradiction since the order divides n-1.
Theorem of Solovay & Strassen (cont’d)
Case α_1 = 1:
Since n = p_1·p_2···p_k, J(a,n) = ∏_{i=1}^{k} J(a, p_i)
Since a = g mod p_1 and a = 1 mod p_i for i ≠ 1,
J(a, p_i) = J(g, p_1) if i = 1
          = J(1, p_i) if i ≠ 1
So J(a,n) = -1 mod n since J(1, p_i) = 1 and J(g, p_1) = -1
Theorem of Solovay & Strassen (cont’d)
We have shown J(a,n) = -1 mod n, so J(a,n) = -1 mod (n/m)
But by assumption a = 1 mod (n/m), so a^((n-1)/2) = 1 mod (n/m)
Hence a^((n-1)/2) ≠ J(a,n) mod (n/m), a contradiction with Gauss's Law
Miller
• Miller’s Primality Test
W_n(a) = (gcd(a,n) ≠ 1)
  or (a^(n-1) ≠ 1 mod n)
  or gcd(a^((n-1)/2^i) mod n - 1, n) ≠ 1 for i ∈ {1,..., k}, where k = max{i | 2^i divides n-1}
• Theorem (Miller)
Assuming the extended RH, if n is composite, then W_n(a) holds for some a ∈ {1, 2,…, c log² n}
• Miller’s Test assumes extended RH (not proved)
Miller (cont’d)
Miller – Rabin Randomized Primality Test
• Theorem
choose a random a ∈ {1,..., n-1}, test W_n(a)
if n is composite then Prob(W_n(a) holds) > 1/2
⇒ gives another randomized, polytime algorithm for primality!
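Miller's witness W_n(a) and the Miller-Rabin test, as an added Python example that is not from the slides; it reads the gcd clause as 1 < gcd < n (an assumption, since that is the form in which the gcd exhibits a factor of n), and two_adic_split, witness_fraction and the seed parameter are assumed helpers:

```python
import math
import random

def two_adic_split(n_minus_1):
    """k = max{i | 2^i divides n-1} and the odd m with n-1 = 2^k * m."""
    k = 0
    while n_minus_1 % 2 == 0:
        n_minus_1 //= 2
        k += 1
    return k, n_minus_1

def miller_witness(a, n):
    """W_n(a) from the slides for odd n > 2: gcd(a,n) != 1, or a^(n-1) != 1 mod n,
    or gcd(a^((n-1)/2^i) - 1, n) exhibits a factor for some i in {1..k}.
    Assumption (not stated on the slides): the gcd clause is taken as
    1 < gcd < n, the form in which it really yields a factor of n.
    Returns (is_witness, factor_or_None)."""
    g = math.gcd(a, n)
    if g != 1:
        return True, (g if g < n else None)
    if pow(a, n - 1, n) != 1:
        return True, None
    k, _ = two_adic_split(n - 1)
    for i in range(1, k + 1):
        g = math.gcd(pow(a, (n - 1) >> i, n) - 1, n)
        if 1 < g < n:
            return True, g
    return False, None

def miller_rabin(n, rounds=20, seed=None):
    """Randomized test: draw a in {1..n-1} and test W_n(a); a composite n
    survives each round with probability < 1/2."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    return not any(miller_witness(rng.randrange(1, n), n)[0] for _ in range(rounds))

def witness_fraction(n):
    """Fraction of a in {1..n-1} with W_n(a) true; > 1/2 when n is composite."""
    return sum(miller_witness(a, n)[0] for a in range(1, n)) / (n - 1)
```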