Number Theory Algorithms and Cryptography
Algorithms
Prepared by
John Reif, Ph.D.
Analysis of Algorithms
Number Theory Algorithms
a) GCD
b) Multiplicative Inverse
c) Fermat & Euler’s Theorems
d) Public Key Cryptographic Systems
e) Primality Testing
Number Theory Algorithms (cont’d)
• Main Reading Selections:
• CLR, Chapter 33
Euclid’s Algorithm
• Greatest Common Divisor
  $\mathrm{GCD}(u,v)$ = largest $a$ s.t. $a$ is a divisor of both $u, v$
• Euclid’s Algorithm
  procedure GCD(u,v)
  begin
    if v = 0 then return(u)
    else return(GCD(v, u mod v))
  end
Euclid’s Algorithm (cont’d)
• Inductive proof of correctness:
  if $a$ is a divisor of $u, v$ then $a$ is a divisor of $u - \lfloor u/v \rfloor v = u \bmod v$
Euclid’s Algorithm (cont’d)
• Time Analysis of Euclid’s Algorithm for n bit numbers u, v
  $T(n) \le T(n-1) + M(n) = O(n\,M(n)) = O(n^2 \log n \log\log n)$
  (where $M(n)$ = time to mult two n bit integers)
Euclid’s Algorithm (cont’d)
• Fibonacci worst case:
  $u = F_{k+1}$, $v = F_k$
  where $F_0 = 0$, $F_1 = 1$, $F_{k+2} = F_{k+1} + F_k$, $k \ge 0$
  $F_k \approx \varphi^k / \sqrt{5}$, $\varphi = (1 + \sqrt{5})/2$
  Euclid's Algorithm takes $\log_\varphi(\sqrt{5}\,N) = O(n)$ stages when $N = \max(u,v)$.
  Here n = number of bits of N.
Euclid’s Algorithm (cont’d)
• Improved Algorithm
  $T(n) \le T(n/2) + O(M(n)) = O(M(n) \log n)$
Extended GCD Algorithm
Extended GCD Algorithm (cont’d)
• Theorem
  $\mathrm{GCD}((1,0,x),(0,1,y)) = (x', y', \mathrm{GCD}(x,y))$
  where $x x' + y y' = \mathrm{GCD}(x,y)$
• Proof
  inductively can verify on each call
  $x u_1 + y u_2 = u_3$
  $x v_1 + y v_2 = v_3$
Extended GCD Algorithm (cont’d)
• Corollary
  If $\gcd(x,y) = 1$ then $x'$ is the modular inverse of $x$ modulo $y$
• Proof
  we must show $x x' \equiv 1 \bmod y$
  but by previous Theorem,
  $1 = x x' + y y' \equiv x x' \bmod y$
  so $1 \equiv x x' \bmod y$
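Added example (Python, my code, not from the slides): Euclid's recursive GCD from the first Euclid slide, the extended GCD run on the triples (u1,u2,u3), (v1,v2,v3) of the theorem, and the modular inverse of the corollary. The invariant of the inductive proof is asserted on every iteration, so a broken step would fail loudly.

```python
# Added example, not from the slides: Euclid's GCD, the extended GCD on triples,
# and the modular inverse from the corollary above.
from typing import Tuple


def gcd(u: int, v: int) -> int:
    """Euclid's algorithm exactly as the recursive procedure on the slide."""
    if v == 0:
        return u
    return gcd(v, u % v)


def extended_gcd(x: int, y: int) -> Tuple[int, int, int]:
    """Extended GCD started from the triples (1,0,x) and (0,1,y).

    Each step is Euclid's step on the third components, applied to the whole
    triple, so the invariant of the theorem's proof holds on every iteration:
        x*u1 + y*u2 == u3   and   x*v1 + y*v2 == v3
    When v3 reaches 0 the result is (x', y', gcd(x,y)) with x*x' + y*y' == gcd.
    """
    u1, u2, u3 = 1, 0, x
    v1, v2, v3 = 0, 1, y
    while v3 != 0:
        q = u3 // v3
        u1, u2, u3, v1, v2, v3 = v1, v2, v3, u1 - q * v1, u2 - q * v2, u3 - q * v3
        assert x * u1 + y * u2 == u3 and x * v1 + y * v2 == v3  # invariant
    return u1, u2, u3


def mod_inverse(x: int, y: int) -> int:
    """Corollary: if gcd(x,y) == 1 then x' reduced mod y satisfies x*x' == 1 (mod y)."""
    x_prime, _, g = extended_gcd(x, y)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {y}: gcd is {g}")
    return x_prime % y
```

The inverse is only defined when the gcd is 1, which is exactly the condition the corollary states; the ValueError makes that precondition explicit instead of returning a meaningless value.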
Modular Laws
• Gives Algorithm for Modular Inverse
• Modular Laws
  for $n \ge 1$, let $x \equiv y$ if $x \equiv y \bmod n$
Modular Laws (cont’d)
Law A: if $a \equiv b$ and $x \equiv y$ then $ax \equiv by$
Law B: if $a \equiv b$ and $ax \equiv by$ and $\gcd(a, n) = 1$ then $x \equiv y$
Modular Laws (cont’d)
let $\{a_1, \dots, a_k\} \equiv \{b_1, \dots, b_k\}$ if $a_i \equiv b_{j_i}$ for $i = 1, \dots, k$ and $\{j_1, \dots, j_k\} = \{1, \dots, k\}$
Fermat’s Little Theorem
• If n prime then $a^n \equiv a \bmod n$
• Proof by Euler
  if $a \equiv 0$ then $a^n \equiv 0 \equiv a$
  else suppose $\gcd(a,n) = 1$
  Then $x \equiv ay$ for $y \equiv a^{-1} x$ and any $x$
  so $\{a, 2a, \dots, (n-1)a\} \equiv \{1, 2, \dots, n-1\}$
Fermat’s Little Theorem (cont’d)
  So by Law A, $(a)(2a) \cdots ((n-1)a) \equiv 1 \cdot 2 \cdots (n-1)$
  So $a^{n-1} (n-1)! \equiv (n-1)!$
  So by Law B $a^{n-1} \equiv 1 \bmod n$
Euler’s Theorem
• $\varphi(n)$ = number of integers in $\{1, \dots, n-1\}$ relatively prime to n
• Euler’s Theorem
  If $\gcd(a,n) = 1$ then $a^{\varphi(n)} \equiv 1 \bmod n$
• Proof
  let $b_1, \dots, b_{\varphi(n)}$ be the integers $< n$ relatively prime to n
Euler’s Theorem (cont’d)
• Lemma
  $\{b_1, \dots, b_{\varphi(n)}\} \equiv \{ab_1, ab_2, \dots, ab_{\varphi(n)}\}$
• Proof
  If $ab_i \equiv ab_j$ then by Law B, $b_i \equiv b_j$
  Since $1 = \gcd(b_i, n) = \gcd(a, n)$ then $\gcd(ab_i, n) = 1$ so $ab_i \equiv b_{j_i}$
  for $\{j_1, \dots, j_{\varphi(n)}\} = \{1, \dots, \varphi(n)\}$
Euler’s Theorem (cont’d)
• By Law A and Lemma
  $(ab_1)(ab_2) \cdots (ab_{\varphi(n)}) \equiv b_1 b_2 \cdots b_{\varphi(n)}$
  so $a^{\varphi(n)} b_1 \cdots b_{\varphi(n)} \equiv b_1 \cdots b_{\varphi(n)}$
• By Law B
  $a^{\varphi(n)} \equiv 1 \bmod n$
Taking Powers mod n by “Repeated Squaring”
• Problem: Compute $a^e \bmod b$
  $e = e_k e_{k-1} \cdots e_1 e_0$ binary representation
  [1] $X \leftarrow 1$
  [2] for $i = k, k-1, \dots, 0$ do
      begin
        $X \leftarrow X^2 \bmod b$
        if $e_i = 1$ then $X \leftarrow X a \bmod b$
      end
  output $X$
  $a^e = a^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} a^{e_i 2^i} \bmod b$
Taking Powers mod n by “Repeated Squaring” (cont’d)
• Time Cost
  O(k) mults and additions mod b
  k = # bits of e
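Added example (Python, my code, not from the slides): the left-to-right repeated-squaring loop above, scanning the bits of e from $e_k$ down to $e_0$, then used to check Fermat's and Euler's theorems from the preceding slides on small constructed inputs. The Carmichael number 561 is included to show that the converse of Fermat's theorem fails, which is why the primality tests later on the page need more than a Fermat check.

```python
# Added example, not from the slides: repeated squaring (high bit first) and
# a direct check of Fermat's and Euler's theorems with it.
from math import gcd


def mod_pow(a: int, e: int, b: int) -> int:
    """Compute a^e mod b by scanning the bits e_k ... e_0 of e, high to low.

    Mirrors the slide: square, then multiply by a when the current bit is 1.
    Cost is O(k) multiplications mod b, where k is the number of bits of e.
    """
    if b <= 0:
        raise ValueError("modulus must be positive")
    if e < 0:
        raise ValueError("negative exponents are not handled here")
    x = 1 % b                                     # [1] X <- 1 (so b == 1 works)
    for i in range(e.bit_length() - 1, -1, -1):   # [2] i = k, k-1, ..., 0
        x = (x * x) % b                           # X <- X^2 mod b
        if (e >> i) & 1:                          # if e_i = 1
            x = (x * a) % b                       #     X <- X a mod b
    return x


def euler_phi(n: int) -> int:
    """phi(n) as defined on the Euler slide: count of 1 <= m < n with gcd(m, n) == 1."""
    return sum(1 for m in range(1, n) if gcd(m, n) == 1)


def fermat_holds(n: int) -> bool:
    """a^n == a (mod n) for every a in 0..n-1.  True for every prime n, but
    also for Carmichael numbers such as 561, so it is not a primality test."""
    return all(mod_pow(a, n, n) == a % n for a in range(n))


def euler_holds(n: int) -> bool:
    """a^phi(n) == 1 (mod n) for every a relatively prime to n (Euler's theorem)."""
    phi = euler_phi(n)
    return all(mod_pow(a, phi, n) == 1 for a in range(1, n) if gcd(a, n) == 1)
```

The loop does exactly one squaring per bit and at most one extra multiplication, so the number of modular multiplications is bounded by $2k$; for real cryptographic use the built-in three-argument `pow` is the tool to reach for, this version only makes the slide's two-step loop visible.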
Rivest, Shamir, Adleman (RSA) Encryption Algorithm
• M = integer message
• e = “encryption integer” for user A
• Cryptogram
  $C = E(M) = M^e \bmod n$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Method
  (1) Choose large random primes p, q; let $n = p q$
  (2) Choose large random integer d relatively prime to $\varphi(n) = \varphi(p)\,\varphi(q) = (p-1)(q-1)$
  (3) Let e be the multiplicative inverse of d modulo $\varphi(n)$:
      $e d \equiv 1 \bmod \varphi(n)$
      (require $e > \log n$, else try another d)
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Theorem
  If M is relatively prime to n, and $D(x) = x^d \pmod n$ then
  $D(E(M)) = E(D(M)) = M$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Proof
  $D(E(M)) = E(D(M)) = M^{ed} \bmod n$
  There must be $k \ge 0$ s.t. $1 = \gcd(d, \varphi(n)) = de - k\varphi(n)$, i.e. $ed = k\varphi(n) + 1$
  So $M^{ed} = M^{k\varphi(n)+1} \bmod n$
  Since $(p-1)$ divides $\varphi(n)$, $M^{k\varphi(n)+1} \equiv M \bmod p$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• By Euler’s Theorem, $M^{k\varphi(n)+1} \equiv M \pmod p$
• By Symmetry, $M^{ed} = M^{k\varphi(n)+1} \equiv M \pmod q$
  Hence $M^{ed} \equiv M^{k\varphi(n)+1} \equiv M \bmod n$
  So $M^{ed} \equiv M \bmod n$
Security of RSA Cryptosystem
• Theorem
  If can compute d in polynomial time, then can factor n in polynomial time
• Proof
  $e \cdot d - 1$ is a multiple of $\varphi(n)$
  But Miller has shown can factor n from any multiple of $\varphi(n)$
Security of RSA Cryptosystem (cont’d)
  If can find $d'$ s.t. $M^{d'} = M^{d} \bmod n$,
  $d'$ differs from d by $\mathrm{lcm}(p-1, q-1)$
  so can factor n.
  (lcm is the “least common multiple”)
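Added example (Python, my code, not from the slides): the three key-generation steps, the cryptogram $C = M^e \bmod n$, the theorem $D(E(M)) = E(D(M)) = M$, and the observation from the security slide that $e \cdot d - 1$ is a multiple of $\varphi(n)$, all checked on a constructed toy key (p = 61, q = 53, d = 2753). The "e > log n" requirement is implemented against the bit length of n, which is my reading of it. Python's built-in `pow(d, -1, phi)` (3.8+) supplies the modular inverse; real keys need primes of hundreds of digits and a vetted library, the tiny primes here only make the arithmetic visible.

```python
# Added example, not from the slides: toy RSA following steps (1)-(3), with the
# correctness theorem and the e*d - 1 observation checked on tiny primes.
from math import gcd


def rsa_keygen(p: int, q: int, d: int) -> dict:
    """(1) n = p*q; (2) d relatively prime to phi(n) = (p-1)(q-1); (3) e = d^{-1} mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be relatively prime to phi(n); try another d")
    e = pow(d, -1, phi)                 # multiplicative inverse of d modulo phi(n)
    if e <= n.bit_length():             # slide: require e > log n, else try another d
        raise ValueError("e is too small; try another d")
    return {"n": n, "e": e, "d": d, "phi": phi}


def encrypt(key: dict, m: int) -> int:
    """C = E(M) = M^e mod n."""
    return pow(m, key["e"], key["n"])


def decrypt(key: dict, c: int) -> int:
    """D(x) = x^d mod n."""
    return pow(c, key["d"], key["n"])


def roundtrip_all(key: dict) -> bool:
    """D(E(M)) == E(D(M)) == M for every M in 0..n-1.

    The theorem on the slide assumes gcd(M, n) == 1; for n = p*q with distinct
    primes the identity in fact holds for all M, which this check confirms on
    the toy key (the case M == 0 mod p is trivial on each prime factor).
    """
    n = key["n"]
    return all(decrypt(key, encrypt(key, m)) == m == encrypt(key, decrypt(key, m))
               for m in range(n))


def ed_minus_one_is_multiple_of_phi(key: dict) -> bool:
    """The fact behind the security theorem: e*d - 1 = k*phi(n) for some k >= 0."""
    return (key["e"] * key["d"] - 1) % key["phi"] == 0
```

Because $e d - 1$ is a multiple of $\varphi(n)$, anyone holding both e and d holds exactly the quantity the security slide says suffices to factor n; that is why d must stay private even though e is published.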
Rabin’s Public Key Crypto System
• Use private large primes p, q
  public key $n = q p$
  message M
  cryptogram $M^2 \bmod n$
• Theorem
  If cryptosystem can be broken, then can factor key n
Rabin’s Public Key Crypto System (cont’d)
• Proof
  $M^2 \bmod n$ has solutions $M = \beta, \gamma, n-\beta, n-\gamma$ where $\gamma \notin \{\beta, n-\beta\}$
  But then $\beta^2 - \gamma^2 = (\beta - \gamma)(\beta + \gamma) \equiv 0 \bmod n$
  So either (1) $p \mid (\beta - \gamma)$ and $q \mid (\beta + \gamma)$
  or (2) $q \mid (\beta - \gamma)$ and $p \mid (\beta + \gamma)$
• In either case, two independent solutions for M give factorization of n, i.e., a factor of n is $\gcd(n, \gamma - \beta)$.
Rabin’s Public Key Crypto System (cont’d)
• Rabin’s Algorithm for factoring n, given a way to break his cryptosystem.
  Choose random $\beta$, $1 \le \beta < n$ s.t. $\gcd(\beta, n) = 1$
  compute $\beta^2 \bmod n$
  find M s.t. $M^2 = \beta^2 \bmod n$ by assumed way to break cryptosystem
  with probability $1/2$, $M \notin \{\beta, n-\beta\}$
  so factors of n are found
  else repeat with another $\beta$
  Note: Expected number of rounds is 2
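Added example (Python, my code, not from the slides): Rabin's cryptogram and the reduction just described, run on a constructed toy modulus $n = 77$. The "assumed way to break the cryptosystem" is stood in for by a brute-force square-root search, which only works because n is tiny; the point of the example is the $\gcd(n, \gamma - \beta)$ step and the probability-1/2 loop. The seed parameter is my addition so the run is repeatable.

```python
# Added example, not from the slides: Rabin cryptogram M^2 mod n and the
# reduction "square-root oracle => factorization" on a toy modulus.
from math import gcd
import random


def rabin_encrypt(m: int, n: int) -> int:
    """Cryptogram M^2 mod n."""
    return (m * m) % n


def square_roots_brute(alpha: int, n: int) -> list:
    """Every M in [0, n) with M^2 == alpha (mod n).  Stand-in for the assumed
    breaking oracle; feasible only because n is tiny."""
    return [m for m in range(n) if (m * m) % n == alpha]


def factor_from_two_roots(n: int, beta: int, gamma: int) -> int:
    """If beta^2 == gamma^2 (mod n) and gamma not in {beta, n-beta}, then
    (beta-gamma)(beta+gamma) == 0 (mod n) with neither factor a multiple of n,
    so gcd(n, gamma - beta) is a proper factor of n (the slide's conclusion)."""
    if (beta * beta - gamma * gamma) % n != 0:
        raise ValueError("not square roots of the same value")
    if gamma % n in (beta % n, (n - beta) % n):
        raise ValueError("roots are not independent")
    f = gcd(n, gamma - beta)
    assert 1 < f < n
    return f


def rabin_factor(n: int, seed: int = 0) -> tuple:
    """Rabin's algorithm: pick beta, ask the oracle for a root of beta^2, and
    with probability 1/2 it is independent of beta.  Returns (p, q, rounds)."""
    rng = random.Random(seed)                 # seed is my addition, for repeatability
    rounds = 0
    while True:
        rounds += 1
        beta = rng.randrange(1, n)
        if gcd(beta, n) != 1:
            continue                          # slide requires gcd(beta, n) = 1
        roots = square_roots_brute(rabin_encrypt(beta, n), n)
        m = rng.choice(roots)                 # the oracle returns one root, not necessarily beta
        if m not in (beta, n - beta):         # independent root: factor found
            f = factor_from_two_roots(n, beta, m)
            return (f, n // f, rounds)
```

For $n = 77$ a residue coprime to n has exactly four square roots, two of which are $\pm\beta$, so each round succeeds with probability 1/2 and the expected number of rounds is 2, as the slide states.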
Quadratic Residues
  a is quadratic residue of n if $x^2 \equiv a \bmod n$ has solution
Euler:
  If n is odd, prime and $\gcd(a,n) = 1$, then
  a is quadratic residue of n iff $a^{(n-1)/2} \equiv 1 \bmod n$
Jacobi Function
  $J(a,n) = 1$ if $\gcd(a,n) = 1$ and a is quadratic residue of n
  $J(a,n) = -1$ if $\gcd(a,n) = 1$ and a is not quadratic residue of n
  $J(a,n) = 0$ if $\gcd(a,n) \ne 1$
Jacobi Function (cont’d)
• Gauss’s Quadratic Reciprocity Law
  if p, q are odd primes, $J(p,q)\,J(q,p) = (-1)^{(p-1)(q-1)/4}$
• Rivest Algorithm
  $J(a,n) = 1$ if $a = 1$
  $J(a,n) = J(a/2, n)\,(-1)^{(n^2-1)/8}$ if a even
  $J(a,n) = J(n \bmod a, a)\,(-1)^{(a-1)(n-1)/4}$ else
Jacobi Function (cont’d)
• Theorem (Fermat)
  $n \ge 2$ is prime iff $\exists x$, $1 \le x < n$:
  (1) $x^{n-1} \equiv 1 \bmod n$
  (2) $x^i \not\equiv 1 \bmod n$ for all $i \in \{1, 2, \dots, n-2\}$
Theorem: Primes are in NP
• Proof
  input n
  if $n = 2$ output "prime"
  if $n = 1$ or (n even and $n \ne 2$) output "composite"
  else guess x to verify Fermat's Theorem
    Check (1) $x^{n-1} \equiv 1 \bmod n$
    To verify (2) guess prime factorization of $n-1 = n_1 n_2 \cdots n_k$
      (a) recursively verify each $n_i$ prime
      (b) verify $x^{(n-1)/n_i} \not\equiv 1 \bmod n$
Theorem & Primes NP (cont’d)
• Note
  if $x^{n-1} = 1 \bmod n$, the least y s.t. $x^y = 1 \bmod n$ must divide $n-1$.
  So if $y < n-1$, some prime $n_i$ divides $(n-1)/y$; let $a = (n-1)/(y\,n_i)$, so $1 = x^{ya} = x^{(n-1)/n_i} \bmod n$
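Added example (Python, my code, not from the slides): the nondeterministic verifier above made concrete as a recursive certificate (a "Pratt certificate"; the name is not used on the slide). `build_certificate` plays the "guess" step by brute force, which is fine for toy n, while `verify_certificate` is the polynomial-time part: steps (1), (2a) and (2b), plus a check that the guessed factors really multiply to $n-1$, without which a forged certificate could omit a prime factor.

```python
# Added example, not from the slides: build and verify the recursive
# primality certificate of the "Primes are in NP" proof.
from typing import Dict, List, Optional, Tuple

# n -> (x, distinct prime factors of n-1); the prime 2 needs no entry.
Certificate = Dict[int, Tuple[int, List[int]]]


def prime_factors(m: int) -> List[int]:
    """Distinct prime factors of m by trial division (the brute-forced 'guess')."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def build_certificate(n: int, cert: Optional[Certificate] = None) -> Certificate:
    """Find x with x^(n-1) == 1 and x^((n-1)/q) != 1 (mod n) for every prime q | n-1,
    then recurse on those q.  If no x exists, n is composite (theorem above)."""
    cert = {} if cert is None else cert
    if n == 2 or n in cert:
        return cert
    qs = prime_factors(n - 1)
    for x in range(2, n):
        if pow(x, n - 1, n) == 1 and all(pow(x, (n - 1) // q, n) != 1 for q in qs):
            cert[n] = (x, qs)
            for q in qs:
                build_certificate(q, cert)
            return cert
    raise ValueError(f"{n} has no such x: it is composite")


def verify_certificate(n: int, cert: Certificate) -> bool:
    """Steps (1), (2a), (2b) of the proof, recursively.  Only modular powers and
    a product check are needed, so verification is polynomial in the bits of n."""
    if n == 2:
        return True
    if n < 2 or n % 2 == 0 or n not in cert:
        return False
    x, qs = cert[n]
    if not (1 <= x < n) or pow(x, n - 1, n) != 1:                 # (1)
        return False
    rest = n - 1                     # the guessed primes must account for all of n-1
    for q in qs:
        if rest % q != 0:
            return False
        while rest % q == 0:
            rest //= q
    if rest != 1:
        return False
    return all(verify_certificate(q, cert)                         # (2a)
               and pow(x, (n - 1) // q, n) != 1 for q in qs)        # (2b)
```

The certificate for 31 uses $x = 3$ and $30 = 2 \cdot 3 \cdot 5$; the tampered certificates in the test show that a wrong x, a wrong factorization, or a composite n each fail exactly one of the checks.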
Primality Testing
• Testing
  wish to test if n is prime
  technique $W_n(a)$: "a witness that n is composite"
  $W_n(a)$ true $\Rightarrow$ n composite
  $W_n(a)$ false $\Rightarrow$ don't know
• Goal of Randomized Primality Testing
  for random $a \in \{1, \dots, n-1\}$
  n composite $\Rightarrow$ $\Pr(W_n(a)\ \text{true}) > 1/2$
  So $\ge 1/2$ of all $a \in \{1, \dots, n-1\}$ are "witness to compositeness of n"
Primality Testing (cont’d)
• Solovay & Strassen Primality Test
  $W_n(a) = (\gcd(a,n) \ne 1)$ or $J(a,n) \not\equiv a^{(n-1)/2} \bmod n$
  test if Gauss's Quadratic Reciprocal Law is violated
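Added example (Python, my code, not from the slides): Rivest's three-case recursion for $J(a,n)$ from the Jacobi slides, Euler's criterion from the Quadratic Residues slide, and the Solovay–Strassen witness $W_n(a)$ built from both, with a seeded randomized test on top. The base case $J(0,n) = 0$ is my addition; it is where the recursion lands when $\gcd(a,n) \ne 1$, which the slide's three cases leave implicit, and without it $J(3,9)$ would recurse forever. The seed parameter is also mine, for repeatable runs.

```python
# Added example, not from the slides: Jacobi symbol by Rivest's recursion,
# Euler's criterion, and the Solovay-Strassen witness and test.
from math import gcd
import random


def jacobi(a: int, n: int) -> int:
    """J(a, n) for odd n >= 1 and a >= 0, by the three cases on the slide."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    if a == 0:
        return 1 if n == 1 else 0      # added base case: gcd(a, n) = n != 1
    if a == 1:
        return 1
    if a % 2 == 0:
        return jacobi(a // 2, n) * (-1) ** ((n * n - 1) // 8)
    return jacobi(n % a, a) * (-1) ** (((a - 1) * (n - 1)) // 4)


def euler_criterion(a: int, p: int) -> int:
    """For odd prime p and gcd(a, p) = 1: a^((p-1)/2) mod p is 1 or p-1; map to +-1."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def solovay_strassen_witness(n: int, a: int) -> bool:
    """W_n(a): gcd(a, n) != 1, or J(a, n) !== a^((n-1)/2) (mod n)."""
    if gcd(a, n) != 1:
        return True
    return jacobi(a, n) % n != pow(a, (n - 1) // 2, n)


def ss_witness_fraction(n: int) -> float:
    """Share of a in 1..n-1 that witness compositeness: 0 for prime n,
    at least 1/2 for composite n by the Solovay-Strassen theorem."""
    return sum(solovay_strassen_witness(n, a) for a in range(1, n)) / (n - 1)


def is_probable_prime(n: int, rounds: int, seed: int = 0) -> bool:
    """Randomized Solovay-Strassen test.  'composite' answers are certain;
    a 'prime' answer is wrong with probability at most 2^-rounds."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)          # seed is my addition, for repeatability
    return not any(solovay_strassen_witness(n, rng.randrange(1, n))
                   for _ in range(rounds))
```

Because $J(a,n)$ is $\pm 1$ while the power is reduced into $[0, n)$, the comparison reduces $J(a,n)$ modulo n as well, so $-1$ is compared against $n-1$; forgetting that reduction would flag every non-residue as a witness and report every prime as composite.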
Definitions
  $Z_n^*$ = set of all nonnegative numbers $< n$ which are relatively prime to n.
  generator g of $Z_n^*$: such that for all $x \in Z_n^*$ there is i such that $g^i \equiv x \bmod n$
Theorem of Solovay & Strassen
• Theorem
  If n is composite then $|G| \le (n-1)/2$
  where $G = \{a \mid W_n(a \bmod n)\ \text{false}\}$
• Proof
  Case $G \ne Z_n^*$: G is subgroup of $Z_n^*$, so $|G| \le |Z_n^*|/2 \le (n-1)/2$
Theorem of Solovay & Strassen (cont’d)
  Case $G = Z_n^*$: Use Proof by Contradiction
  so $a^{(n-1)/2} = J(a,n) \bmod n$ for all a relatively prime to n
  Let n have prime factorization $n = p_1^{k_1} p_2^{k_2} p_3^{k_3} \cdots$
  Let g be a generator of $Z_m^*$ where $m = p_1^{k_1}$
Theorem of Solovay & Strassen (cont’d)
• Then by Chinese Remainder Theorem, unique a s.t.
  $a \equiv g \bmod m$
  $a \equiv 1 \bmod (n/m)$
• Since a is relatively prime to n, $a \in Z_n^*$ so
  $a^{n-1} \equiv 1 \bmod n$ and $g^{n-1} = 1 \bmod m$
Theorem of Solovay & Strassen (cont’d)
  Case $k_1 \ge 2$:
  Then order of g in $Z_m^*$ is $p_1^{k_1-1}(p_1 - 1)$ by known formula,
  a contradiction since the order divides $n-1$.
Theorem of Solovay & Strassen (cont’d)
  Case $k_1 = 1$:
  Since $n = p_1 p_2 \cdots p_k$,
  $J(a,n) = \prod_{i=1}^{k} J(a, p_i) = J(g, p_1) \prod_{i=2}^{k} J(a, p_i)$
  since $a \equiv g \bmod p_i$ for $i = 1$ and $a \equiv 1 \bmod p_i$ for $i \ne 1$
  So $J(a,n) = -1 \bmod n$
  since $J(1, p_i) = 1$ and $J(g, p_1) = -1$
Theorem of Solovay & Strassen (cont’d)
  We have shown $J(a,n) \equiv -1 \bmod n$,
  so $a^{(n-1)/2} \equiv -1 \bmod n$ and hence $a^{(n-1)/2} \equiv -1 \bmod (n/m)$
  But by assumption $a \equiv 1 \bmod (n/m)$,
  so $a^{(n-1)/2} = 1 \bmod (n/m)$
  Hence $a^{(n-1)/2} \not\equiv J(a,n) \bmod (n/m)$:
  contradiction with Gauss's Law
Miller
• Miller’s Primality Test
  $W_n(a) = (\gcd(a,n) \ne 1)$
    or $(a^{n-1} \not\equiv 1 \bmod n)$
    or $\gcd(a^{(n-1)/2^i} \bmod n - 1,\ n) \ne 1$ for $i \in \{1, \dots, k\}$
  where $k = \max\{i \mid 2^i \text{ divides } n-1\}$
• Theorem (Miller)
  Assuming the extended RH, if n is composite, then $W_n(a)$ holds for some
  $a \in \{1, 2, \dots, c \log^2 n\}$
• Miller’s Test assumes extended RH (not proved)
Miller (cont’d)
Miller – Rabin Randomized Primality Test
• Theorem
  choose a random $a \in \{1, \dots, n-1\}$
  test $W_n(a)$
  if n is composite then $\Pr(W_n(a)\ \text{holds}) \ge 1/2$
  gives another randomized, polytime algorithm for primality!
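Added example (Python, my code, not from the slides): Miller's witness $W_n(a)$ from the slide above and the Miller–Rabin randomized test built on it, plus the deterministic small-base form that Miller's ERH-conditional theorem refers to (the bound is passed in, since the constant c is not given on the slide). One practitioner's caveat is built in: the gcd condition is implemented as "the gcd is a proper divisor of n", i.e. $1 < \gcd < n$; a gcd equal to n just means $a^{(n-1)/2^i} \equiv 1$, which says nothing yet, and a gcd of 1 is consistent with n prime. With that reading the test catches the Carmichael number 561 that a Fermat check passes. The seed parameter is mine, for repeatable runs.

```python
# Added example, not from the slides: Miller's witness test and the
# Miller-Rabin randomized primality test built on it.
from math import gcd
import random


def miller_witness(n: int, a: int) -> bool:
    """W_n(a) for odd n >= 3.  a witnesses that n is composite if
       gcd(a, n) != 1, or a^(n-1) != 1 (mod n), or for some i in 1..k
       gcd(a^((n-1)/2^i) - 1, n) is a proper divisor of n (1 < g < n),
    where 2^k is the largest power of two dividing n-1."""
    if gcd(a, n) != 1:
        return True
    if pow(a, n - 1, n) != 1:
        return True
    m = n - 1
    while m % 2 == 0:
        m //= 2                                   # exponent (n-1)/2^i, i = 1..k
        g = gcd(pow(a, m, n) - 1, n)
        if 1 < g < n:
            return True                           # a nontrivial factor of n
    return False


def miller_witness_fraction(n: int) -> float:
    """Share of a in 1..n-1 that witness compositeness of n."""
    return sum(miller_witness(n, a) for a in range(1, n)) / (n - 1)


def _trivial_cases(n: int):
    """Handle n < 2, n = 2, 3 and even n before any witness test; None otherwise."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return None


def miller_rabin(n: int, rounds: int, seed: int = 0) -> bool:
    """Randomized test from the slide: 'composite' is certain, 'prime' is wrong
    with probability at most 2^-rounds by the stated bound."""
    known = _trivial_cases(n)
    if known is not None:
        return known
    rng = random.Random(seed)                     # seed is my addition, for repeatability
    return not any(miller_witness(n, rng.randrange(2, n - 1)) for _ in range(rounds))


def miller_deterministic(n: int, bound: int) -> bool:
    """Miller's ERH-conditional form: try every a in 2..bound, no randomness.
    The slide gives the bound as c log^2 n; c is supplied by the caller here."""
    known = _trivial_cases(n)
    if known is not None:
        return known
    return not any(miller_witness(n, a) for a in range(2, min(bound, n - 2) + 1))
```

For $n = 561$ and $a = 2$ the chain $2^{280}, 2^{140}, \dots$ first leaves 1 at $2^{140} \equiv 67$, and $\gcd(66, 561) = 33$ is a proper divisor, so 2 is a witness even though $2^{560} \equiv 1$; this is exactly the extra information the $2^i$ exponents add over Fermat's test.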