ECEN 5022 Cryptography - University of Colorado Boulder
ecee.colorado.edu/~mathys/ecen5022/slides/eaant90.pdf

Outline: Primes; Groups, Rings, Fields; Ring of Integers Modulo n

ECEN 5022 Cryptography: Elementary Algebra and Number Theory

Peter Mathys

University of Colorado

Spring 2008

Peter Mathys ECEN 5022 Cryptography


Divisibility, Primes

- Definition. N denotes the set {1, 2, 3, . . .} of natural numbers and Z denotes the set of integers {. . . , −2, −1, 0, 1, 2, . . .}. R denotes the real numbers and C denotes the complex numbers.

- Definition. The integer n is divisible by the integer d, denoted by d | n, if a · d = n for some integer a.

- Definition. A positive integer p, p > 1, is called a prime if it is divisible only by ±p and ±1. Any integer greater than 1 which is not prime is called composite.

- Theorem. (Euclid, 300 B.C.) There are infinitely many primes.

- Proof. Assume that the set of primes is finite, e.g., {p1, p2, . . . , pn}. Then the integer N = 1 + p1 p2 · · · pn is not divisible by any of the primes p1, . . . , pn. But N > 1 has at least one prime divisor, which therefore cannot be in the list, a contradiction.


Prime Numbers

- Between any two primes there can be arbitrarily large gaps. For instance, the sequence n! + 2, n! + 3, . . . , n! + n contains n − 1 consecutive composite numbers.

- Definition. The prime counting function π(x) is defined by

  π(x) = |{p prime | p ≤ x}|,

  i.e., π(x) is equal to the number of primes less than or equal to x.

- Example: π(50) = 15 since

  2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47

  are all primes p ≤ 50.

- Prime Number Theorem. (Hadamard, de la Vallée Poussin, 1896) π(x) satisfies

  lim_{x→∞} π(x) ln(x) / x = 1  =⇒  π(x) ≈ x / ln x.


Example

- Using π(x) ≈ x / ln x, the number of primes with n decimal digits is

  π(10^n) − π(10^(n−1)) ≈ (9n − 1) / (n (n − 1)) · 10^(n−1) log10 e ≈ 10^n / (3n).

- Approximate numerical values are

    n     bits    π(10^n) − π(10^(n−1))
   38      128    ≈ 3.5 × 10^36
   77      256    ≈ 5.9 × 10^74
  100      332    ≈ 3.9 × 10^97
  154      512    ≈ 3.4 × 10^151
  308     1024    ≈ 1.9 × 10^305
  617     2048    ≈ 1.7 × 10^613

- As can be seen, there is no shortage of primes with n digits.


Greatest Common Divisor

- Definition: The greatest common divisor of two integers n1 and n2, denoted gcd(n1, n2), is the largest positive integer that divides both n1 and n2.

- Definition: If gcd(n1, n2) = 1, then n1 and n2 are said to be relatively prime.

- Example: Fermat's (little) theorem states that for p prime

  p | (a^(p−1) − 1), if gcd(a, p) = 1,

  e.g., 5 divides 3^4 − 1 = 80, or 7 divides 2^6 − 1 = 63.

- Definition: The least common multiple of two integers n1 and n2, denoted lcm(n1, n2), is the smallest positive integer divisible by both n1 and n2.


Division Algorithm

- Theorem: Division Algorithm. Given a pair of integers, c and d ≠ 0, there is a unique pair of integers q and r, called quotient and remainder, such that

  c = q · d + r, 0 ≤ r < |d|.

- Proof: Assume that there are two solutions, i.e., c = q1 · d + r1 = q2 · d + r2, with 0 ≤ r1 < |d| and 0 ≤ r2 < |d|. Thus, (q1 − q2) · d = r2 − r1 and −|d| < r2 − r1 < |d|. But since r2 − r1 must be a multiple of d, this implies that r2 − r1 = 0. Since d ≠ 0, this also implies that q1 − q2 = 0 and thus q and r are unique. QED


Remainders

- Definition: The notation

  r = R_d(c),

  means that r is the remainder of c when divided by d.

- Note: Another notation that is often used in connection with remainders is

  r ≡ c (mod d).

  This means that “r is congruent to c modulo d”. In this case 0 ≤ r < |d| is not guaranteed and thus r is not unique. For example, 9 ≡ 16 (mod 7) as well as 2 ≡ 16 (mod 7).

- Theorem: Computations with remainders satisfy

  (i) R_d(a + b) = R_d(R_d(a) + R_d(b)).
  (ii) R_d(a · b) = R_d(R_d(a) · R_d(b)).

- Proof: Left as an exercise.


Euclid’s Algorithm

- Euclid's Algorithm. The greatest common divisor, gcd(n1, n2), of two integers n1, n2, n2 ≠ 0, is computed by repeated application of the division algorithm as follows:

  n1 = q2 n2 + n3
  n2 = q3 n3 + n4
  . . .                                 0 ≤ n_{i+1} < |n_i|
  n_{m−2} = q_{m−1} n_{m−1} + n_m
  n_{m−1} = q_m n_m + 0.

  The process stops when a zero remainder is obtained. The last nonzero remainder is the desired result, i.e., gcd(n1, n2) = n_m.

- Proof: Sketch. Use the fact that gcd(n1, n2) = gcd(n1 + k n2, n2), for any integer k.


Euclid’s Extended Algorithm

- Corollary: For any integers n1 and n2 ≠ 0 there exist integers a and b such that

  gcd(n1, n2) = a n1 + b n2.

  That is, gcd(n1, n2) can be expressed as a linear combination of n1 and n2.

- Proof: Use Euclid's algorithm, starting with the last equation and working backwards to the first equation, to compute

  gcd(n1, n2) = n_m = n_{m−2} − q_{m−1} n_{m−1}
  n_{m−1} = n_{m−3} − q_{m−2} n_{m−2}
  . . .
  n3 = n1 − q2 n2.

  Then successively eliminate all the intermediate remainders n_{m−1}, n_{m−2}, . . . , n3, to obtain gcd(n1, n2) as a linear combination of n1 and n2 with integer coefficients. QED


Euclid's Algorithm for gcd (flowchart, rendered as steps)

START
  Input n1, n2.
  Initialize: i ← 2; a1 ← 1, b1 ← 0; a2 ← 0, b2 ← 1.
Loop:
  q ← ⌊n_{i−1} / n_i⌋
  n_{i+1} ← n_{i−1} − q n_i
  n_{i+1} = 0 ?
    yes: Output n_i, a_i, b_i, where n_i = gcd(n1, n2) = a_i n1 + b_i n2. STOP.
    no:  i ← i + 1
         a_i ← a_{i−2} − q a_{i−1}
         b_i ← b_{i−2} − q b_{i−1}
         return to Loop.
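The flowchart above carried out in Python, as an added example that is not part of the slides: the lists n, a, b mirror the sequences n_i, a_i, b_i, and the returned trace lets each row be compared with the back-substitution on the previous slide. The names quotient, extended_euclid and mod_inverse are my own; mod_inverse is the use of the Bezout coefficient that the Chinese Remainder Theorem slides rely on later.

```python
"""Extended Euclidean algorithm written to follow the slide's flowchart
literally: the sequences n_i, a_i, b_i are kept as 1-indexed lists so that
n_i = a_i*n1 + b_i*n2 holds for every row of the trace."""


def quotient(c, d):
    """q from the division algorithm c = q*d + r with 0 <= r < |d|.
    (Python's // alone would give a negative remainder for d < 0.)"""
    return c // d if d > 0 else -(c // -d)


def extended_euclid(n1, n2):
    """Return (g, a, b, trace) with g = gcd(n1, n2) = a*n1 + b*n2.

    trace lists the rows (i, n_i, a_i, b_i) the flowchart produces, so the
    result can be compared with the back-substitution on the previous slide.
    """
    if n2 == 0:
        raise ValueError("n2 must be nonzero")
    n = [None, n1, n2]        # index 0 unused: lists are 1-indexed as on the slide
    a = [None, 1, 0]          # a1 = 1, a2 = 0
    b = [None, 0, 1]          # b1 = 0, b2 = 1
    i = 2
    while True:
        q = quotient(n[i - 1], n[i])         # q <- floor(n_{i-1} / n_i)
        n.append(n[i - 1] - q * n[i])        # n_{i+1} <- n_{i-1} - q n_i
        if n[i + 1] == 0:                    # zero remainder: n_i is the gcd
            trace = [(k, n[k], a[k], b[k]) for k in range(1, i + 1)]
            g, ai, bi = n[i], a[i], b[i]
            if g < 0:                        # only when n3 = 0 and n2 < 0:
                g, ai, bi = -g, -ai, -bi     # normalise to the positive gcd
            return g, ai, bi, trace
        i += 1                               # i <- i + 1
        a.append(a[i - 2] - q * a[i - 1])    # a_i <- a_{i-2} - q a_{i-1}
        b.append(b[i - 2] - q * b[i - 1])    # b_i <- b_{i-2} - q b_{i-1}


def mod_inverse(x, n):
    """x^(-1) mod n from the Bezout coefficient: 1 = a*x + b*n gives
    a*x = 1 (mod n). Raises ValueError when gcd(x, n) != 1, i.e. when x
    is not a unit of Z_n and no inverse exists."""
    g, a, _, _ = extended_euclid(x, n)
    if g != 1:
        raise ValueError(f"{x} is not invertible modulo {n}: gcd = {g}")
    return a % n


if __name__ == "__main__":
    # Reproduces gcd(20, 3) = 1 = -1*20 + 7*3 from the CRT example slide.
    g, a, b, trace = extended_euclid(20, 3)
    for i, ni, ai, bi in trace:
        print(f"i={i}: n_i={ni:>3}  a_i={ai:>3}  b_i={bi:>3}  a_i*20+b_i*3={ai*20 + bi*3}")
    print(f"gcd(20, 3) = {g} = {a}*20 + {b}*3")
```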


Groups, Rings, Fields

- Over the reals R (or the rationals Q or the complex numbers C) one can add, subtract, multiply, and divide.

- Over the integers Z one can add, subtract, and multiply.

- Group: Set of mathematical objects for which “addition” and “subtraction” are defined.

- Ring: Set of mathematical objects for which “addition”, “subtraction” and “multiplication” are defined.

- Field: Set of mathematical objects for which “addition”, “subtraction”, “multiplication” and “division” are defined.

- Note: “addition”, “subtraction”, “multiplication” and “division” are not necessarily the usual ‘+’, ‘−’, ‘×’ and ‘÷’.


Some Definitions

- Definition: A set S is an arbitrary collection of elements, without any predefined operations between the set elements.

- Definition: The cardinality |S| of a set S is the number of objects in the set. |S| can be finite, countably infinite, or uncountably infinite.

- Examples: The set of tea cups in a kitchen cabinet is a finite set. The set Q of rational numbers is countably infinite. The set R of real numbers is uncountably infinite.


Axioms

Let S denote a set of mathematical objects. For any a, b, c ∈ S define the following axioms:

  (A.1) a + b ∈ S                                          Closure wrt +
  (A.2) a + (b + c) = (a + b) + c = a + b + c               Associativity wrt +
  (A.3) a + 0 = 0 + a = a, 0 ∈ S                           Identity element wrt +
  (A.4) a + (−a) = (−a) + a = 0, (−a) ∈ S                  Inverse element wrt +
  (A.5) a + b = b + a                                      Commutativity wrt +

  (B.1) a · b ∈ S                                          Closure wrt ·
  (B.2) a · (b · c) = (a · b) · c = a · b · c               Associativity wrt ·
  (B.3) a · 1 = 1 · a = a, 1 ∈ S − {0}                     Identity element wrt ·
  (B.4) a · a^(−1) = a^(−1) · a = 1, a, a^(−1) ∈ S − {0}   Inverse element wrt ·
  (B.5) a · b = b · a                                      Commutativity wrt ·

  (C.1) (a + b) · c = a · c + b · c                        Distributivity


Groups, Rings, Fields

- Depending on the subset of axioms that are satisfied the following arithmetic systems are defined:

  Axioms satisfied                                    Name
  (A.1) . . . (A.4)                                   Group
  (A.1) . . . (A.4), (A.5)                            Commutative Group
  (A.1) . . . (A.5), (B.1) . . . (B.3), (C.1)         Ring with Identity
  (A.1) . . . (A.5), (B.1) . . . (B.3), (B.5), (C.1)  Commutative Ring with Identity
  (A.1) . . . (A.5), (B.1) . . . (B.5), (C.1)         Field

- Note: Commutative groups (rings, fields) are also called Abelian groups (rings, fields) in honor of Niels Henrik Abel (1802-1829).


Notation, Definitions

- Notation:
  - A group with set of elements G and operation ‘∗’ is denoted by <G, ∗>.
  - A ring with set of elements R and operations ‘+’ and ‘·’ is denoted by <R, +, ·>.
  - A field with set of elements F and operations ‘+’ and ‘·’ is denoted by <F, +, ·>.

- Example: The set of all permutations of n objects forms a (generally non-commutative) group under the operation of concatenation of permutations.

- Example: The set of all binary 2 × 2 matrices forms a non-commutative ring with identity under the operations of binary (i.e., modulo 2) matrix addition and binary matrix multiplication. This ring has 16 elements.

- Example: The set of all polynomials in the indeterminate x with real coefficients forms a commutative ring with identity. This ring has an infinite number of elements.


Finite Groups, Rings, Fields

- Definition: If |G| (or |R| or |F|) is finite then <G, ∗> is called a finite group (or <R, +, ·> is called a finite ring, <F, +, ·> is called a finite field).

- Definition: A finite field with q elements is denoted by GF(q), where GF stands for Galois field in honor of Evariste Galois (1811-1832).

- Theorem: Finite Fields.

  (i) If F is a finite field then F contains p^m elements for some prime p and integer m ≥ 1.

  (ii) For every prime power p^m there is a unique (up to isomorphism) finite field of order p^m, called GF(p^m) or F_{p^m}.


Finite Groups, Rings, Fields

- Example: The integers 0, 1, . . . , 6 form the finite field GF(7) under the operations of addition and multiplication modulo 7. Here are the group operation tables for GF(7):

   +   0 1 2 3 4 5 6
   0   0 1 2 3 4 5 6
   1   1 2 3 4 5 6 0
   2   2 3 4 5 6 0 1
   3   3 4 5 6 0 1 2
   4   4 5 6 0 1 2 3
   5   5 6 0 1 2 3 4
   6   6 0 1 2 3 4 5

   ×   0 1 2 3 4 5 6
   0   0 0 0 0 0 0 0
   1   0 1 2 3 4 5 6
   2   0 2 4 6 1 3 5
   3   0 3 6 2 5 1 4
   4   0 4 1 5 2 6 3
   5   0 5 3 1 6 4 2
   6   0 6 5 4 3 2 1


More Definitions

- Definition: The elements in a ring with identity which have an inverse with respect to the second operation are called units.

- Example: The ring which is obtained by adding and multiplying integers modulo 10 has units 1, 3, 7, and 9.

- Definition: Let <G, ∗> be a group and let H be a nonempty subset of G. Then H is called a subgroup of G if <H, ∗> is a group.

- Example: In the group of non-zero integers under the operation of multiplication modulo 7, the set of elements {1, 2, 4} forms a subgroup. Another subgroup is formed by the set of elements {1, 6}.


More Definitions

- Definition: Let <R, +, ·> be a ring and let H be a nonempty subset of R. Then H is called a subring of R if <H, +, ·> is a ring.

- Note: In particular, the identity with respect to the first operation must be in H and closure must hold (under all specified operations) for elements in H.

- Definition: Let <E, +, ·> be a field. Then F ⊂ E is called a subfield of E if <F, +, ·> is a field. The field E is called an extension field of F.

- Example: Consider the field of rational numbers Q, the field of real numbers R, and the field of complex numbers C. Then Q ⊂ R ⊂ C, and Q is called a subfield of R and C is called an extension field of R.


Isomorphism

- Definition: Isomorphism. Two groups <G, +> and <G′, ∗> are isomorphic if a one-to-one mapping f(.) exists such that

  (i) a′ = f(a) (and thus a = f^(−1)(a′)) for all a ∈ G and a′ ∈ G′,
  (ii) if a′ = f(a), b′ = f(b), then

    a′ ∗ b′ = f(a + b) (and thus a + b = f^(−1)(a′ ∗ b′)),

  for any a, b ∈ G (or any a′, b′ ∈ G′).

  That is, there has to be a one-to-one correspondence between the elements of the two groups which is preserved under the group operations ‘+’ and ‘∗’.

- Note: Isomorphism for rings and fields is defined analogously. In this case the one-to-one correspondence must be preserved for both operations of the rings/fields.


Subgroups

- To obtain a subgroup H of a finite group G, one can proceed as follows. Take any h ∈ G and let H be the set {h, h ∗ h, h ∗ h ∗ h, . . .}, or, using a more concise notation,

  H = {h, h^2, h^3, . . . , h^c = 1},

  where c, called the order of H, is the smallest positive integer such that h^c = 1.

- Example: Consider the group G = {1, 2, . . . , 12} of integers under the operation of multiplication modulo 13. Starting from h = 5, the set

  H = {5^1 = 5, 5^2 = 12, 5^3 = 8, 5^4 = 1},

  is obtained, which forms a subgroup of G of order 4.


Subgroups

- Theorem: If G is a finite group and h ∈ G, then a smallest positive integer c, called the order of the element h, exists such that h^c = 1. Moreover, the first element in the sequence h, h^2, h^3, . . . which is repeated is h itself.

- Proof: The element h is a member of a finite group and thus a repetition must eventually occur in h, h^2, h^3, . . ., that is, there must be two positive integers k, m, m > k, such that h^k = h^m. Since h^(−k) must be an element of G, one can write

  1 = h^k · h^(−k) = h^m · h^(−k) = h^(m−k),

  which proves that there is at least one positive integer c such that h^c = 1. But then h^(c+1) = h and, since h, h^2, . . . , h^c must all be distinct (otherwise c is not the smallest positive integer such that h^c = 1), h is the first element which is repeated. QED


(Sub)Groups

- Definition: h, h^2, h^3, . . . , h^c = 1 is called a cycle.

- Note: A cycle is a subgroup.

- Definition: A group that consists of all the powers of one of its elements, say, α, is called a cyclic group (i.e., G = {α, α^2, . . . , α^c = 1}). The element α is called a primitive element or a generator of the group.

- Example: Let <G, ·> be the set of integers {1, 2, . . . , 12} under multiplication modulo 13. Then, choosing α = 2,

  α^0 = 1    α^4 = 3     α^8 = 9      α^12 = 1
  α^1 = 2    α^5 = 6     α^9 = 5
  α^2 = 4    α^6 = 12    α^10 = 10
  α^3 = 8    α^7 = 11    α^11 = 7

  Thus, <G, ·> is a cyclic group and α = 2 is a primitive element in this group.


Generator of a Group

- Definition: Generator of a group. A subset X of a group <G, ∗> is called a generator if every element of G can be expressed in the form x_i ∗ x_j ∗ . . . with x_i, x_j, . . . ∈ X. If X is a finite set, then G is said to be finitely generated.

- Example: X = {2} is a generator of the group of integers under modulo 13 multiplication.

- Example: X = {2, 11} is a generator of the group of integers {1, 2, 4, 7, 8, 11, 13, 14} under multiplication modulo 15. Note that this group is not cyclic.


Coset Decomposition of a Group

- Definition: Coset Decomposition of a finite group with respect to a subgroup. A finite group <G, ∗> can be decomposed with respect to a subgroup <H, ∗> as follows:

  h1 = 1          h2          h3          . . .   hn
  g2 ∗ h1 = g2    g2 ∗ h2     g2 ∗ h3     . . .   g2 ∗ hn
  g3 ∗ h1 = g3    g3 ∗ h2     g3 ∗ h3     . . .   g3 ∗ hn
  . . .           . . .       . . .       . . .   . . .
  gm ∗ h1 = gm    gm ∗ h2     gm ∗ h3     . . .   gm ∗ hn

  The rows of the coset decomposition are called cosets. The first row is the subgroup H. The elements h1, g2, g3, . . . , gm in the first column are called coset leaders.


Coset Decomposition of a Group

- In general the construction of the coset decomposition proceeds as follows:

  - Start with the elements of H in the first row (each element occurs exactly once).

  - Then choose an (arbitrary) element of G which has not yet appeared in the table as coset leader and complete the corresponding coset. Repeat this step until all elements of G are used.

- Note that the array constructed in this way is always rectangular and the construction always stops since G is finite. For non-Abelian groups left coset decompositions with elements g_i ∗ h_j are distinguished from right coset decompositions with elements h_j ∗ g_i.


Coset Decomposition of a Group

- Theorem: Every element of G appears exactly once in a coset decomposition of G.

- Proof: omitted.

- Corollary: If H is a subgroup of G, then |H| divides |G|.

- Proof: Follows from the rectangular structure of the coset decomposition. QED

- Theorem: Lagrange. The order of a finite group is divisible by the order of any of its elements.

- Proof: The group contains the cyclic subgroup generated by any element of the group. The above corollary thus proves the theorem. QED
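An added Python example (not part of the slides) that runs the constructions of the last few slides in the multiplicative group modulo n: cycles and element orders, the generator set {2, 11} of the group modulo 15, the coset decomposition of the group modulo 13 with respect to the subgroup {1, 5, 8, 12}, and a check of Lagrange's theorem. The function names (units, cycle, is_cyclic, generated_subgroup, coset_decomposition, lagrange_holds) are my own, and the coset construction picks the smallest unused element as the next coset leader, one allowed choice among the arbitrary ones the slide permits.

```python
"""Cycles, generators, coset decompositions and Lagrange's theorem in the
multiplicative group Z_n^* (the units modulo n), following the slides'
constructions step by step."""
from math import gcd


def units(n):
    """Elements of Z_n^*: the residues 1..n-1 relatively prime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def cycle(h, n):
    """The cycle h, h^2, ..., h^c = 1 generated by h in Z_n^*.
    The length of the returned list is the order c of h."""
    powers, x = [], h
    while True:
        powers.append(x)
        if x == 1:
            return powers
        x = (x * h) % n


def is_cyclic(n):
    """Z_n^* is cyclic iff some element (a primitive element) has order |Z_n^*|."""
    G = units(n)
    return any(len(cycle(h, n)) == len(G) for h in G)


def generated_subgroup(X, n):
    """Closure of X under multiplication mod n: all products x_i * x_j * ...
    of elements of X (the slide's definition of a generator set). Starts
    from 1, which every x in X reaches as x^c anyway."""
    H, frontier = {1}, {1}
    while frontier:
        new = {(g * x) % n for g in frontier for x in X} - H
        H |= new
        frontier = new
    return sorted(H)


def coset_decomposition(G, H, n):
    """Left coset decomposition of G with respect to subgroup H, built as on
    the slide: row 1 is H; then the smallest element of G not yet in the
    table becomes the next coset leader g and its row is g*H."""
    H = sorted(H)
    rows, used = [H], set(H)
    for g in sorted(G):
        if g not in used:
            row = [(g * h) % n for h in H]
            rows.append(row)
            used.update(row)
    return rows


def lagrange_holds(n):
    """The order of every element divides |Z_n^*| (Lagrange's theorem)."""
    G = units(n)
    return all(len(G) % len(cycle(h, n)) == 0 for h in G)


if __name__ == "__main__":
    for row in coset_decomposition(units(13), cycle(5, 13), 13):
        print(row)          # three cosets of size 4 covering 1..12 exactly once
    print("Z_15^* cyclic?", is_cyclic(15), " generated by {2, 11}?",
          generated_subgroup([2, 11], 15) == units(15))
```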


Ring of Integers Modulo n

- Definition: Z_n denotes the ring of integers modulo n with operations + (addition mod n) and · (multiplication mod n). The elements of Z_n are 0, 1, . . . , n − 1.

- Definition: The set of residues modulo n that are relatively prime to n is denoted Z_n^*. Since any a ∈ Z_n^* satisfies gcd(a, n) = 1, a^(−1) exists and thus Z_n^* forms an Abelian group under multiplication modulo n. The elements a ∈ Z_n^* are the units of Z_n.


Euler’s Totient Function

- Definition: Euler's Totient Function φ. Euler's totient function, φ(n), evaluated at a positive integer n, is given by

  φ(n) = |{0 ≤ r < n | gcd(r, n) = 1}|,

  i.e., it is the number of integers in the set {0, 1, 2, . . . , n − 1} that are relatively prime to n. By definition, φ(1) = 1.

- Euler's totient function can be computed as follows. Assume that n = p1^e1 p2^e2 · · · pm^em is the factorization of n into distinct prime powers. Then

  φ(n) = ∏_{i=1}^{m} p_i^(e_i − 1) (p_i − 1) = n ∏_{i=1}^{m} (1 − 1/p_i).


Euler’s Totient Function

- Note that if gcd(n1, n2) = 1, then φ(n1 n2) = φ(n1) φ(n2), and thus

  φ(n) = φ(p1^e1) φ(p2^e2) · · · φ(pm^em),

  where φ(p_i^e_i) = p_i^(e_i − 1) (p_i − 1). Note that this also implies that φ(n) ≥ 1.

- Theorem: The order of the group Z_n^* is φ(n).

- Proof: Follows directly from the definition of Euler's totient function φ(n). QED


Euler’s Theorem

- Theorem: Euler's Theorem. If a ∈ Z_n^*, then

  a^(φ(n)) = 1 (mod n).

- Proof: The elements {r1, r2, . . . , rm} of Z_n^* are all integers 0 < r < n such that gcd(r, n) = 1 and thus |Z_n^*| = φ(n) = m. For each i, 1 ≤ i ≤ m, there is a unique j, 1 ≤ j ≤ m, such that a r_i = r_j (mod n). Since both a and r_i are relatively prime to n, a r_i is also relatively prime to n, so the products a r1, a r2, . . . , a rm are the elements r1, r2, . . . , rm in some order, and thus

  a r1 · a r2 · · · a rm = a^m (r1 · r2 · · · rm) = r1 · r2 · · · rm (mod n).

  This implies that (a^m − 1) r1 · r2 · · · rm = 0 (mod n) and because of gcd(r_i, n) = 1 for all i it follows that a^m = a^(φ(n)) = 1 (mod n). QED


Fermat’s Little Theorem

- Corollary: Fermat's Little Theorem. Suppose p is a prime and a ∈ Z_p^*. Then

  a^(p−1) = 1 (mod p).

- Proof: Z_p^* is a multiplicative group of order φ(p) = p − 1. QED
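An added Python example (mine, not from the slides) for the totient and the two theorems just stated: φ(n) computed once from the definition and once from the prime-power product formula, then used to check Euler's theorem over all of Z_n^* and to list the bases for which Fermat's congruence fails when n is composite. The names factorize, phi_by_definition, phi_by_formula, euler_theorem_holds and fermat_witnesses are my own; factorize is plain trial division, adequate for the small n used here.

```python
"""Euler's totient function phi(n) computed two ways (by the definition and
by the prime-power product formula), then used to check Euler's theorem and
Fermat's little theorem over all units modulo n."""
from math import gcd


def factorize(n):
    """Trial-division factorization of n into [(p1, e1), (p2, e2), ...]."""
    factors = []
    p = 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        if e:
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def phi_by_definition(n):
    """|{0 <= r < n : gcd(r, n) = 1}|; gives phi(1) = 1 because gcd(0, 1) = 1."""
    return sum(1 for r in range(n) if gcd(r, n) == 1)


def phi_by_formula(n):
    """phi(n) = prod p_i^(e_i - 1) (p_i - 1) over the distinct prime powers
    of n; the empty product gives phi(1) = 1."""
    result = 1
    for p, e in factorize(n):
        result *= p ** (e - 1) * (p - 1)
    return result


def euler_theorem_holds(n):
    """True iff a^phi(n) = 1 (mod n) for every a in Z_n^*."""
    ph = phi_by_formula(n)
    return all(pow(a, ph, n) == 1 for a in range(1, n) if gcd(a, n) == 1)


def fermat_witnesses(n):
    """Bases a in Z_n^* with a^(n-1) != 1 (mod n). Empty when n is prime
    (Fermat's little theorem); nonempty for most composite n, which is
    why a^(n-1) != 1 is evidence that n is composite."""
    return [a for a in range(1, n) if gcd(a, n) == 1 and pow(a, n - 1, n) != 1]


if __name__ == "__main__":
    for n in (10, 13, 15, 72):
        print(n, factorize(n), phi_by_formula(n), phi_by_definition(n),
              euler_theorem_holds(n), fermat_witnesses(n)[:5])
```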


Chinese Remainder Theorem

- Theorem: (The Chinese Remainder Theorem.) Given n1, n2, . . . , nk such that gcd(n_i, n_j) = 1 for i ≠ j, the set of simultaneous congruences

  x = a_i (mod n_i), i = 1, 2, . . . , k,

  has a unique solution x modulo N = n1 n2 · · · nk.

- Proof: Define N_i = N / n_i. Note that gcd(N_i, n_i) = 1. Thus, using Euclid's extended algorithm,

  gcd(N_i, n_i) = 1 = M_i N_i + m_i n_i  =⇒  M_i N_i = 1 (mod n_i).

  Therefore, the desired solution is

  x = a1 M1 N1 + a2 M2 N2 + . . . + ak Mk Nk (mod N).

  Check: since n_i divides N_j for every j ≠ i, x = a_i M_i N_i = a_i (mod n_i).


Chinese Remainder Theorem

- Proof: (contd.) To prove uniqueness of the solution, suppose that x and x′ are two different solutions satisfying

  x = a_i (mod n_i), i = 1, 2, . . . , k,
  x′ = a_i (mod n_i), i = 1, 2, . . . , k.

  Then

  ∆ = x − x′ = 0 (mod n_i), i = 1, 2, . . . , k.

  Thus, ∆ is divisible by n1, n2, . . . , nk. Since gcd(n_i, n_j) = 1 for i ≠ j, ∆ must satisfy

  ∆ = m N, m integer, N = n1 n2 · · · nk,

  which implies ∆ = 0 (mod N). QED


Chinese Remainder Theorem

Example: n1 = 3, n2 = 4, n3 = 5, and thus N = 60, N1 = 60/3 = 20, N2 = 60/4 = 15, and N3 = 60/5 = 12. Suppose that

  x = 2 (mod 3), x = 1 (mod 4), x = 4 (mod 5).

Compute the quantities

  gcd(N1, n1) = gcd(20, 3) = 1 = −1 · 20 + 7 · 3  =⇒  M1 = −1 = 2 (mod 3),
  gcd(N2, n2) = gcd(15, 4) = 1 = −1 · 15 + 4 · 4  =⇒  M2 = −1 = 3 (mod 4),
  gcd(N3, n3) = gcd(12, 5) = 1 = −2 · 12 + 5 · 5  =⇒  M3 = −2 = 3 (mod 5).

The solution x is then obtained as

  x = 2 · 2 · 20 + 1 · 3 · 15 + 4 · 3 · 12 = 80 + 45 + 144 = 269 = 29 (mod 60).

Check:

  29 = 2 (mod 3), 29 = 1 (mod 4), 29 = 4 (mod 5).
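The construction of the proof and of the worked example, as an added Python example that is not from the slides: N_i = N / n_i, M_i the inverse of N_i modulo n_i, and x the sum of a_i M_i N_i reduced modulo N. Python's built-in pow(N_i, -1, n_i) (available from Python 3.8) stands in for the extended-Euclid step; the names pairwise_coprime, crt_terms, crt and check are my own.

```python
"""Chinese Remainder Theorem solver built exactly as in the slide's proof:
N_i = N / n_i, M_i = N_i^(-1) (mod n_i), x = sum a_i M_i N_i (mod N)."""
from math import gcd, prod


def pairwise_coprime(moduli):
    """The CRT hypothesis gcd(n_i, n_j) = 1 for all i != j."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def crt_terms(residues, moduli):
    """Per-congruence data (a_i, n_i, N_i, M_i) with M_i N_i = 1 (mod n_i).
    pow(N_i, -1, n_i) (Python 3.8+) performs the extended-Euclid step."""
    N = prod(moduli)
    return [(a, n, N // n, pow(N // n, -1, n)) for a, n in zip(residues, moduli)]


def crt(residues, moduli):
    """Solve x = a_i (mod n_i). Returns (x, N) with 0 <= x < N = prod n_i.
    Raises ValueError if the moduli are not pairwise coprime, because the
    existence and uniqueness argument of the theorem then does not apply."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need exactly one residue per modulus")
    if not pairwise_coprime(moduli):
        raise ValueError("mo duli must be pairwise relatively prime".replace(" d", "d"))
    N = prod(moduli)
    x = sum(a * M * Ni for a, _, Ni, M in crt_terms(residues, moduli))
    return x % N, N


def check(x, residues, moduli):
    """Verify x = a_i (mod n_i) for every i (the slide's 'Check' step)."""
    return all(x % n == a % n for a, n in zip(residues, moduli))


if __name__ == "__main__":
    # The slide's example: x = 2 (mod 3), x = 1 (mod 4), x = 4 (mod 5).
    terms = crt_terms([2, 1, 4], [3, 4, 5])
    for a, n, Ni, M in terms:
        print(f"a={a} n={n} N_i={Ni} M_i={M}  check M_i*N_i mod n = {M * Ni % n}")
    x, N = crt([2, 1, 4], [3, 4, 5])
    print(f"x = {x} (mod {N}), check = {check(x, [2, 1, 4], [3, 4, 5])}")
```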


Quadratic Residues

- Definition: An element x ∈ Z_n^* is called a quadratic residue modulo n (QR_n) if x = y^2 (mod n) for some y ∈ Z_n^*. Otherwise, if no such y ∈ Z_n^* exists, x is called a quadratic non-residue modulo n (QNR_n).

- Note: If x ∈ QR_n then an element y exists such that √x = y (mod n).

- Example: If n = 13 (prime)

  y  :  1  2  3  4   5   6   7   8  9  10  11  12
  y^2:  1  4  9  3  12  10  10  12  3   9   4   1

  Thus, QR_13 = {1, 3, 4, 9, 10, 12}, and QNR_13 = {2, 5, 6, 7, 8, 11} and

  √1 = ±1 (mod 13), √3 = ±4 (mod 13), √4 = ±2 (mod 13),
  √9 = ±3 (mod 13), √10 = ±6 (mod 13), √12 = ±5 (mod 13).


Quadratic Residues

- Example: If n = 21 (composite)

  y  :  1  2   4  5  8  10  11  13  16  17  19  20
  y^2:  1  4  16  4  1  16  16   1   4  16   4   1

  Thus, QR_21 = {1, 4, 16}, and QNR_21 = {2, 5, 8, 10, 11, 13, 17, 19, 20}. Note that 3^2 = 9 (mod 21), or 7^2 = 7 (mod 21), but 3, 9, and 7 are not in Z_21^*. Each square root now has 4 solutions:

  √1 = ±1 (mod 21), and √1 = ±8 (mod 21),
  √4 = ±2 (mod 21), and √4 = ±5 (mod 21),
  √16 = ±4 (mod 21), and √16 = ±10 (mod 21).


Legendre Symbol, Euler’s Criterion

- Definition: Legendre symbol. Suppose p is an odd prime. Then, for any x, the Legendre symbol L(x, p) is defined as

  L(x, p) =   0, if x = 0 (mod p),
              1, if x ∈ QR_p,
             −1, if x ∈ QNR_p.

  L(x, p) can be computed easily using the following theorem.

- Theorem: Euler's criterion. For all primes p > 2, and all x ∈ Z_p,

  x^((p−1)/2) = L(x, p) (mod p).


Euler’s Criterion

- Proof: If x = 0 the result is trivially true. Thus, assume that x ∈ Z_p^*. Then, according to Fermat's Little Theorem, x^(p−1) = 1 (mod p) and either

  x^((p−1)/2) = 1 (mod p), or x^((p−1)/2) = −1 (mod p).

  If x ∈ QR_p, i.e., x = y^2 (mod p) for some y ∈ Z_p^*, then

  x^((p−1)/2) = (y^2)^((p−1)/2) = y^(p−1) = 1 (mod p).

  Conversely, if x ∈ QNR_p, then x ≠ y^2 (mod p) for all y ∈ Z_p^*, and thus x^((p−1)/2) must be congruent to −1 modulo p (the congruence x^((p−1)/2) = 1 (mod p) has at most (p−1)/2 solutions, and the (p−1)/2 quadratic residues already account for all of them). QED


Jacobi Symbol

I Definition: Jacobi symbol. Let n be any positive odd integer with prime factorization

$n = p_1^{e_1} \cdot p_2^{e_2} \cdots p_k^{e_k}$.

Then, for any x, the Jacobi symbol J(x, n) is defined as

$J(x, n) = L(x, p_1)^{e_1} \cdot L(x, p_2)^{e_2} \cdots L(x, p_k)^{e_k}$.

I An important special case in cryptography is the case n = pq, where p and q are distinct odd primes. By the Chinese Remainder Theorem, x is a square modulo n exactly when it is a square modulo both p and q, i.e., when L(x, p) = L(x, q) = 1. In this case

$J(x, n) = \begin{cases} 0 & \Rightarrow \gcd(x, n) \neq 1, \\ -1 & \Rightarrow x \in \mathrm{QNR}_n, \\ 1 & \Rightarrow x \in \mathrm{QR}_n \text{ or } x \in \mathrm{QNR}_n. \end{cases}$

If J(x, n) = L(x, p) L(x, q) = 1, it is impossible to tell (without knowing p and q) whether $x \in \mathrm{QR}_n$ or not, since both $1 \times 1$ and $(-1) \times (-1)$ are equal to one. In the first case $x \in \mathrm{QR}_n$, in the second case $x \in \mathrm{QNR}_n$.


Jacobi Symbol

I Theorem: Properties of Jacobi symbol. The Jacobi symbol satisfies the following properties, which make it easy to compute J(x, n) for odd n without knowing the factorization of n:

(1) $J(x \pm n, n) = J(x, n)$,

(2) $J(x \cdot y, n) = J(x, n) \cdot J(y, n)$,

(3) $J(x, m \cdot n) = J(x, m) \cdot J(x, n)$,

(4) $J(1, n) = 1$,

(5) $J(-1, n) = (-1)^{(n-1)/2} = \begin{cases} 1, & \text{if } n \equiv 1 \pmod 4, \\ -1, & \text{if } n \equiv -1 \pmod 4, \end{cases}$

(6) $J(2, n) = (-1)^{(n^2-1)/8} = \begin{cases} 1, & \text{if } n \equiv \pm 1 \pmod 8, \\ -1, & \text{if } n \equiv \pm 3 \pmod 8, \end{cases}$

(7) If x and n are positive odd integers with $\gcd(x, n) = 1$ (quadratic reciprocity),

$J(x, n) \cdot J(n, x) = (-1)^{(x-1)(n-1)/4}$, or equivalently,

$J(x, n) = \begin{cases} -J(n, x), & \text{if } x \equiv n \equiv 3 \pmod 4, \\ J(n, x), & \text{otherwise.} \end{cases}$
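A worked evaluation, added here as an example and not part of the original slides, of J(17, 133) using only properties (1), (2), (4), (6) and (7), i.e., without factoring 133; only the final cross-check uses 133 = 7 × 19.

$$\begin{aligned}
J(17, 133) &= J(133, 17) && \text{(7): } 17 \equiv 1 \pmod 4 \\
&= J(14, 17) && \text{(1): } 133 = 7 \cdot 17 + 14 \\
&= J(2, 17)\, J(7, 17) && \text{(2)} \\
&= (+1)\, J(7, 17) && \text{(6): } 17 \equiv 1 \pmod 8 \\
&= J(17, 7) && \text{(7): } 17 \equiv 1 \pmod 4 \\
&= J(3, 7) && \text{(1)} \\
&= -J(7, 3) && \text{(7): } 3 \equiv 7 \equiv 3 \pmod 4 \\
&= -J(1, 3) = -1 && \text{(1), (4)}.
\end{aligned}$$

Cross-check against the definition: $L(17, 7) = L(3, 7) = -1$ since $\mathrm{QR}_7 = \{1, 2, 4\}$, and $L(17, 19) = L(-2, 19) = L(-1, 19)\, L(2, 19) = (-1)^{9} \cdot (-1)^{45} = 1$, so $J(17, 133) = (-1)(1) = -1$. Because the value is $-1$, this already proves $17 \in \mathrm{QNR}_{133}$; had it come out as $+1$, nothing could have been concluded without the factors.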


Primality Tests

I A decision problem is a problem where a question is posedthat can be answered by “yes” or “no”.

I A probabilistic algorithm is an algorithm that uses some formof randomness, e.g., random numbers, during its execution.

I Definition: A yes-biased Monte Carlo algorithm is a probabilistic algorithm for a decision problem in which a "yes" answer is always correct, but a "no" answer may be incorrect, with probability at most some ε.

I Example: The Solovay-Strassen algorithm is a yes-biased Monte Carlo algorithm for the decision problem "is n composite?" with ε = 1/2. Thus, if the algorithm answers "yes" then n is composite for sure, but if it answers "no" then n may still be composite, with probability at most 1/2 per run.


Pseudo-Primes

I Example: According to Fermat's Little Theorem, every prime n must satisfy $x^{n-1} \equiv 1 \pmod n$ for all $x \in \mathbb{Z}_n^*$, i.e., for all x with $\gcd(x, n) = 1$. Thus, if for a given n an x is found such that this statement is not true, then it is known that n is composite. But some composites may actually pass this test, which motivates the following definition.

I Definition: If n is an odd composite number and $x \in \mathbb{Z}_n^*$ is an integer such that

$x^{n-1} \equiv 1 \pmod n$

holds, then n is called a pseudo-prime to the base x. The graph on the next slide shows the fraction of x for which n ≤ 2500 is a pseudo-prime.


Distribution of Pseudo-Primes

[Figure: for composite odd n ≤ 2500 and gcd(a, n) = 1, the fraction of bases a (vertical axis, 0 to 1) such that n is a pseudo-prime to base a, plotted against n (horizontal axis, 0 to 2500).]

I Definition: A Carmichael number is a composite integer n such that

$x^{n-1} \equiv 1 \pmod n$

holds for every $x \in \mathbb{Z}_n^*$, so the Fermat test cannot expose such an n with any base coprime to n. The first few Carmichael numbers are 561, 1105, 1729, 2465.


Euler Pseudo-Primes

I Definition: Let n be an odd integer and let J(x, n) denote the Jacobi symbol. If n is composite and $x \in \mathbb{Z}_n^*$ satisfies (cf. Euler's criterion)

$x^{(n-1)/2} \equiv J(x, n) \pmod n$,

then n is called an Euler pseudo-prime to the base x. The graph on the next slide shows the fraction of x for which n ≤ 2500 is an Euler pseudo-prime.

I Example: The number n = 91 (= 7 × 13) is an Euler pseudo-prime to the base x = 9, since (quite obviously $9 = 3^2 \in \mathrm{QR}_{91}$)

$9^2 = 81 \equiv -10$, $9^3 \equiv 9 \times (-10) = -90 \equiv 1 \pmod{91}$, so $9^{(91-1)/2} = (9^3)^{15} \equiv 1 = J(9, 91)$.

But 91 is not an Euler pseudo-prime to the base 4, since $4^6 = 4096 = 45 \times 91 + 1 \equiv 1 \pmod{91}$ and therefore

$4^{(91-1)/2} = (4^6)^7 \times 4^3 \equiv 64 \not\equiv J(4, 91) = 1 \pmod{91}$.

Question: Are there any composite numbers n which are Eulerpseudo-primes to every x ∈ Z∗n ?


Distribution of Euler Pseudo-Primes

[Figure: for composite odd n ≤ 2500 and gcd(a, n) = 1, the fraction of bases a (vertical axis, 0 to 1) such that n is an Euler pseudo-prime to base a, plotted against n (horizontal axis, 0 to 2500).]

I Theorem: If n is an odd composite integer, then n is an Eulerpseudo-prime to the base x for at most 50% of all x such thatgcd(x , n) = 1. Holds with equality for n = 1729, 2465, . . ..


Solovay-Strassen Primality Test

I Theorem: Solovay-Strassen 1977. For any odd integer n > 1 the following statements are equivalent:

(1) n is prime.

(2) $x^{(n-1)/2} \equiv J(x, n) \pmod n$ holds for all $x \in \mathbb{Z}_n^*$.

I Solovay-Strassen Primality Test. This is a probabilistic test which is based on the above theorem. Assume n > 1 is an odd integer. The steps for each test are:

(1) Choose a random integer x, 1 < x < n − 1.

(2) If $J(x, n) \neq 0$ and $J(x, n) \equiv x^{(n-1)/2} \pmod n$ then answer "n is prime," else answer "n is composite."

The check $J(x, n) \neq 0$ is needed because the theorem only speaks about $x \in \mathbb{Z}_n^*$: J(x, n) = 0 means gcd(x, n) > 1, which already proves n composite (for n = 9 and x = 3 both sides would otherwise be 0 and the test would wrongly answer "prime").

I Note: It will never happen that the answer is "n is composite" if n is indeed a prime. But with probability at most 1/2 it can happen that the answer is "n is prime" if n is indeed composite. By repeating the test with independently chosen x a sufficient number of times, the probability of error can be made arbitrarily small (at most $2^{-m}$ where m is the number of tests performed).
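The Jacobi symbol rules (1)-(7), the n = pq ambiguity, Euler's criterion, the Euler pseudo-prime example for n = 91 and the Solovay-Strassen test above, carried out in code. This is an added example and not code from the original slides; all function names are the author's own choice, and the only inputs are the slides' values (21, 91, 133, 561, 1729) and a few small primes. The gcd(x, n) > 1 case is handled explicitly in each round, as discussed above.

```python
"""Jacobi symbol, Euler's criterion and the Solovay-Strassen test.

Added example, not code from the original slides.  jacobi() evaluates
J(x, n) with properties (1)-(7) only, i.e. without factoring n;
legendre_euler() is Euler's criterion for a prime p; quadratic_residues()
enumerates QR_n by brute force (small n only), which shows that J(x, n) = 1
does not imply x in QR_n when n = p*q; euler_witness() is one round of the
Solovay-Strassen test; euler_liar_fraction() is one point of the Euler
pseudo-prime graph above.
"""
import math
import random


def jacobi(x: int, n: int) -> int:
    """Jacobi symbol J(x, n) for a positive odd n, via properties (1)-(7)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    x %= n                          # property (1): J(x +/- n, n) = J(x, n)
    result = 1
    while x != 0:
        while x % 2 == 0:           # properties (2) and (6): factor out the 2s
            x //= 2
            if n % 8 in (3, 5):     # J(2, n) = -1 exactly when n = +/-3 (mod 8)
                result = -result
        x, n = n, x                 # property (7), quadratic reciprocity
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n                      # property (1) again
    # Loop ends with x = 0: J(0, n) = 0 unless n = 1, where J(1, 1) = 1 by (4)
    return result if n == 1 else 0


def legendre_euler(x: int, p: int) -> int:
    """Legendre symbol L(x, p) by Euler's criterion, p an odd prime."""
    r = pow(x, (p - 1) // 2, p)     # r is 0, 1 or p - 1 (= -1 mod p)
    return -1 if r == p - 1 else r


def quadratic_residues(n: int) -> set:
    """QR_n = {y^2 mod n : gcd(y, n) = 1}, by brute force (small n only)."""
    return {y * y % n for y in range(1, n) if math.gcd(y, n) == 1}


def euler_witness(x: int, n: int) -> bool:
    """One Solovay-Strassen round for odd n > 2.

    True  = x proves n composite (a witness).
    False = the round answers "n is prime": either n is prime, or n is
            composite and x is an Euler liar.
    """
    if math.gcd(x, n) != 1:         # J(x, n) = 0: x shares a factor with n
        return True
    lhs = pow(x, (n - 1) // 2, n)
    rhs = jacobi(x, n) % n          # maps -1 to n - 1
    return lhs != rhs


def euler_liar_fraction(n: int) -> float:
    """Fraction of x in Z_n^* to which the composite n is an Euler pseudo-prime."""
    units = [x for x in range(1, n) if math.gcd(x, n) == 1]
    liars = [x for x in units if not euler_witness(x, n)]
    return len(liars) / len(units)


def solovay_strassen(n: int, rounds: int = 40, rng=random) -> bool:
    """True = "probably prime" (error <= 2^-rounds), False = "composite"."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        x = rng.randrange(2, n - 1)  # step (1): 1 < x < n - 1
        if euler_witness(x, n):      # step (2)
            return False
    return True


if __name__ == "__main__":
    print("QR_21 =", sorted(quadratic_residues(21)))
    print("J(5, 21) =", jacobi(5, 21), "; 5 in QR_21:", 5 in quadratic_residues(21))
    print("J(17, 133) =", jacobi(17, 133))
    for n in (91, 561, 1729):
        print(f"Euler liars for n={n}: {euler_liar_fraction(n):.3f}")
    print("1729 prime?", solovay_strassen(1729), "  997 prime?", solovay_strassen(997))
```

For n = 1729 the liar fraction is exactly 1/2, the bound of the theorem on the next slide: 1728/2 = 864 is a multiple of 6, 12 and 18, so $x^{864} \equiv 1$ for every unit and the liars are precisely the x with J(x, 1729) = 1. The `rng` argument exists because the bases must be unpredictable when n may be chosen by an adversary (for example a parameter received from a peer); pass `secrets.SystemRandom()` there rather than the default `random` module.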


Strong Pseudo-Primes

I Theorem: Miller 1976. For any odd integer n > 1 write $n - 1 = 2^s m$, where m is odd. Then the following statements are equivalent:

(1) n is prime.

(2) For all $x \in \mathbb{Z}_n^*$: if $x^m \not\equiv 1 \pmod n$, then there exists an i, $0 \le i < s$, such that $x^{2^i m} \equiv -1 \pmod n$.

I Definition: Let $n = 2^s m + 1$, m odd, be an odd integer. If n is composite and $x \in \mathbb{Z}_n^*$ satisfies

either $x^m \equiv 1 \pmod n$,

or there exists i, $0 \le i < s$, such that $(x^m)^{2^i} \equiv -1 \pmod n$,

then n is called a strong pseudo-prime to the base x. The graph on the next slide shows the fraction of x for which n ≤ 2500 is a strong pseudo-prime.


Distribution of Strong Pseudo-Primes

[Figure: for composite odd n ≤ 2500 and gcd(a, n) = 1, the fraction of bases a (vertical axis, 0 to 1) such that n is a strong pseudo-prime to base a, plotted against n (horizontal axis, 0 to 2500).]

I Example: Let n = 133 (= 7 × 19) and thus $n - 1 = 132 = 2^2 \times 33$, i.e., s = 2 and m = 33. Testing with $x \in \mathbb{Z}_{133}^*$ yields

x = 11: $11^{33} \equiv 1 \pmod{133}$ ⟹ "n is prime"

x = 12: $12^{33} \equiv 132 \equiv -1 \pmod{133}$ ⟹ "n is prime"

x = 13: $13^{33} \equiv 27$, $(13^{33})^2 \equiv 64 \pmod{133}$, neither equal to −1 ⟹ "n is composite"

n = 133 is a strong pseudo-prime to the bases 11 and 12, but not to the base 13.


Miller-Rabin Primality Test

I Miller-Rabin Primality Test. This is a probabilistic test which is based on Miller's theorem. Assume n > 1 is an odd integer and write $n - 1 = 2^s m$, where m is odd. The steps for each test are:

(1) Choose a random integer x, 1 < x < n − 1.

(2) Compute $b = x^m \pmod n$.

(3) If $b \equiv 1 \pmod n$ then answer "n is prime" and stop.

(4) For i = 0 to s − 1 do

(5) If $b \equiv -1 \pmod n$ then answer "n is prime" and stop, else $b \leftarrow b^2 \pmod n$.

(6) If you did not quit in step (3) or (5), answer "n is composite."

I Note: As in the Solovay-Strassen test, it will never happen in the Miller-Rabin test that the answer is "n is composite" if n is indeed a prime. But with probability at most 1/4 it can happen that the answer is "n is prime" if n is indeed composite. By repeating the test with independently chosen x a sufficient number of times, the probability of error can be made arbitrarily small (at most $4^{-m}$ where m is the number of tests performed).
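The Fermat test and Carmichael numbers, strong liars and the Miller-Rabin steps (1)-(6) above, in code. This is an added example and not code from the original slides; the function names are the author's own choice, and the inputs are the slides' n = 133 with bases 11, 12, 13 and the Carmichael number 561. Beyond the slide's three bases, `strong_liars` enumerates every base, which reproduces one point of the strong pseudo-prime graph and shows the Carmichael number that defeats the Fermat test for all bases falling to the strong test for almost all of them.

```python
"""Fermat test, strong liars and the Miller-Rabin test.

Added example, not code from the original slides.  decompose() writes
n - 1 = 2^s m; is_strong_liar() runs steps (2)-(6) of the Miller-Rabin
test for one base; miller_rabin_trace() returns the values b = x^m,
x^(2m), ... that those steps inspect, so the n = 133 example can be
replayed; fermat_liars() and strong_liars() enumerate the bases to which
a small composite n is a pseudo-prime or a strong pseudo-prime (the per-n
points of the graphs above); miller_rabin() is the full probabilistic test.
"""
import math
import random


def decompose(n: int) -> tuple:
    """Write n - 1 = 2^s * m with m odd; return (s, m)."""
    s, m = 0, n - 1
    while m % 2 == 0:
        s += 1
        m //= 2
    return s, m


def is_strong_liar(x: int, n: int) -> bool:
    """Steps (2)-(6) of the Miller-Rabin test for one base x, odd n > 2.

    True  = the round answers "n is prime": x^m = 1 or x^(2^i m) = -1 (mod n)
            for some 0 <= i < s.  For composite n, x is then a strong liar.
    False = x is a witness: n is certainly composite.
    """
    s, m = decompose(n)
    b = pow(x, m, n)                     # step (2)
    if b == 1:                           # step (3)
        return True
    for _ in range(s):                   # step (4): i = 0, ..., s - 1
        if b == n - 1:                   # step (5): b = -1 (mod n)
            return True
        b = b * b % n
    return False                         # step (6)


def miller_rabin_trace(x: int, n: int) -> list:
    """The successive b values the test inspects, stopping where it would stop."""
    s, m = decompose(n)
    b = pow(x, m, n)
    seq = [b]
    if b == 1:
        return seq
    for _ in range(s - 1):
        if b == n - 1:
            break
        b = b * b % n
        seq.append(b)
    return seq


def fermat_liars(n: int) -> list:
    """Bases x in Z_n^* with x^(n-1) = 1 (mod n): n is a pseudo-prime to base x."""
    return [x for x in range(1, n)
            if math.gcd(x, n) == 1 and pow(x, n - 1, n) == 1]


def strong_liars(n: int) -> list:
    """Bases x in Z_n^* to which the composite n is a strong pseudo-prime."""
    return [x for x in range(1, n)
            if math.gcd(x, n) == 1 and is_strong_liar(x, n)]


def miller_rabin(n: int, rounds: int = 40, rng=random) -> bool:
    """True = "probably prime" (error <= 4^-rounds), False = "composite"."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        x = rng.randrange(2, n - 1)      # step (1): 1 < x < n - 1
        if not is_strong_liar(x, n):
            return False
    return True


if __name__ == "__main__":
    for x in (11, 12, 13):
        print(f"n=133, x={x}: b-sequence {miller_rabin_trace(x, 133)} ->",
              "prime" if is_strong_liar(x, 133) else "composite")
    units = sum(1 for x in range(1, 561) if math.gcd(x, 561) == 1)
    print(f"561: Fermat liars {len(fermat_liars(561))}/{units},",
          f"strong liars {len(strong_liars(561))}/{units}")
    print("561 prime?", miller_rabin(561), " 997 prime?", miller_rabin(997))
```

For 561 every one of the 320 units is a Fermat liar, while only 10 of them are strong liars (the five x with $x^{35} \equiv 1$ and the five with $x^{35} \equiv -1$; squaring further can never give −1 because $x^{70} \equiv 1 \pmod 3$ for every unit). As with the Solovay-Strassen example, pass `secrets.SystemRandom()` as `rng` when n may come from an adversary, so that the bases cannot be predicted.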
