Dan Boneh

Intro. Number Theory

Notation
Online Cryptography Course, Dan Boneh

Background
We will use a bit of number theory to construct:
  key exchange protocols
  digital signatures
  public-key encryption
This module: crash course on relevant concepts

More info: read parts of Shoup's book referenced
at end of module
Notation
From here on:
  N denotes a positive integer.
  p denotes a prime.
Notation:

Can do addition and multiplication modulo N

Modular arithmetic
Examples: let N = 12

  9 + 8 = 5 in Z_12
  5 * 7 = 11 in Z_12
  5 - 7 = 10 in Z_12

Arithmetic in Z_N works as you expect, e.g. x(y+z) = xy + xz in Z_N

Greatest common divisor
Def: For ints. x,y: gcd(x, y) is the greatest common divisor of x,y
Example: gcd( 12, 18 ) = 6
Fact: for all ints. x,y there exist ints. a,b such that
  a*x + b*y = gcd(x,y)
a,b can be found efficiently using the extended Euclid alg.
If gcd(x,y) = 1 we say that x and y are relatively prime
Modular inversion
Over the rationals, the inverse of 2 is 1/2. What about Z_N?

Def: The inverse of x in Z_N is an element y in Z_N s.t. x*y = 1 in Z_N
  y is denoted x^{-1}.

Example: let N be an odd integer. The inverse of 2 in Z_N is

Modular inversion
Which elements have an inverse in Z_N?

Lemma: x in Z_N has an inverse if and only if gcd(x,N) = 1
Proof:
  gcd(x,N) = 1  =>  there exist a,b: a*x + b*N = 1

  gcd(x,N) > 1  =>  for all a: gcd( a*x, N ) > 1  =>  a*x != 1 in Z_N

More notation
Def: (Z_N)^* = (set of invertible elements in Z_N) =
            = { x in Z_N : gcd(x,N) = 1 }

Examples:
  1. for prime p, (Z_p)^* = ...
  2. (Z_12)^* = { 1, 5, 7, 11 }
For x in (Z_N)^*, can find x^{-1} using the extended Euclid algorithm.
Solving modular linear equations
Solve: a*x + b = 0 in Z_N

Solution: x = -b * a^{-1} in Z_N

Find a^{-1} in Z_N using extended Euclid. Run time: O(log^2 N)

What about modular quadratic equations?
  next segments
End of Segment
Intro. Number Theory
Fermat and Euler
Online Cryptography Course, Dan Boneh

Review
N denotes an n-bit positive integer. p denotes a prime.
  Z_N = { 0, 1, ..., N-1 }
  (Z_N)^* = (set of invertible elements in Z_N) =
          = { x in Z_N : gcd(x,N) = 1 }

Can find inverses efficiently using Euclid alg.: time = O(n^2)
Fermat's theorem (1640)
Thm: Let p be a prime
  for all x in (Z_p)^*: x^{p-1} = 1 in Z_p

Example: p = 5. 3^4 = 81 = 1 in Z_5

So: x in (Z_p)^*  =>  x * x^{p-2} = 1  =>  x^{-1} = x^{p-2} in Z_p
  another way to compute inverses, but less efficient than Euclid
Application: generating random primes
Suppose we want to generate a large random prime
  say, prime p of length 1024 bits (i.e. p ~ 2^1024)

Step 1: choose a random integer p in [ 2^1024, 2^1025 - 1 ]
Step 2: test if 2^{p-1} = 1 in Z_p
  If so, output p and stop. If not, goto step 1.

Simple algorithm (not the best). Pr[ p not prime ] < 2^{-60}
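The two-step generator above with its base-2 Fermat test, as an added Python example (not code from the slides), together with an audit on small inputs of the composites the test lets through, which is what "not the best" alludes to. Bit lengths, the seed parameter and the function names are my choices.

```python
# Added example (not from the slides): the prime generator above using the
# base-2 Fermat test, plus a check of the test's false positives on small inputs.
import random

def fermat_test_base2(p):
    """Step 2 of the slide: does 2^(p-1) = 1 hold in Z_p?"""
    return p > 2 and pow(2, p - 1, p) == 1

def random_fermat_prime(bits, seed=None):
    """Repeat Step 1 (random p in [2^bits, 2^(bits+1) - 1], as on the slide)
    until Step 2 passes. The seed only makes a run reproducible."""
    rng = random.Random(seed)
    while True:
        p = rng.randrange(1 << bits, 1 << (bits + 1))
        if fermat_test_base2(p):
            return p

def is_prime_trial_division(p):
    """Exact but slow primality check, used only to audit small candidates."""
    if p < 2:
        return False
    d = 2
    while d * d <= p:
        if p % d == 0:
            return False
        d += 1
    return True

def base2_pseudoprimes(limit):
    """Composites below limit that still pass the base-2 Fermat test,
    i.e. values the generator above would wrongly output."""
    return [n for n in range(3, limit)
            if fermat_test_base2(n) and not is_prime_trial_division(n)]
```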
The structure of (Z_p)^*

Thm (Euler): (Z_p)^* is a cyclic group, that is
  there exists g in (Z_p)^* such that { 1, g, g^2, g^3, ..., g^{p-2} } = (Z_p)^*

  g is called a generator of (Z_p)^*

Example: p = 7. { 1, 3, 3^2, 3^3, 3^4, 3^5 } = { 1, 3, 2, 6, 4, 5 } = (Z_7)^*

Not every elem. is a generator: { 1, 2, 2^2, 2^3, 2^4, 2^5 } = { 1, 2, 4 }
Order
For g in (Z_p)^* the set { 1, g, g^2, g^3, ... } is called
  the group generated by g, denoted <g>
Def: the order of g in (Z_p)^* is the size of <g>
  ord_p(g) = |<g>| = (smallest a > 0 s.t. g^a = 1 in Z_p)
Examples: ord_7(3) = 6, ord_7(2) = 3, ord_7(1) = 1
Thm (Lagrange): for all g in (Z_p)^*: ord_p(g) divides p-1
Euler's generalization of Fermat (1736)
Def: For an integer N define φ(N) = |(Z_N)^*| (Euler's φ func.)
Examples: φ(12) = |{ 1, 5, 7, 11 }| = 4, φ(p) = p-1
  For N = p*q: φ(N) = N - p - q + 1 = (p-1)(q-1)

Thm (Euler): for all x in (Z_N)^*: x^{φ(N)} = 1 in Z_N
Example: 5^{φ(12)} = 5^4 = 625 = 1 in Z_12
  Generalization of Fermat. Basis of the RSA cryptosystem
End of Segment
Intro. Number Theory
Modular e'th roots
Online Cryptography Course, Dan Boneh

Modular e'th roots
We know how to solve modular linear equations:
  a*x + b = 0 in Z_N     Solution: x = -b * a^{-1} in Z_N

What about higher degree polynomials?

Example: let p be a prime and c in Z_p. Can we solve:

  x^2 - c = 0 ,  y^3 - c = 0 ,  z^37 - c = 0  in Z_p

Modular e'th roots
Let p be a prime and c in Z_p.

Def: x in Z_p s.t. x^e = c in Z_p is called an e'th root of c.

Examples:
  7^{1/3} = 6 in Z_11
  3^{1/2} = 5 in Z_11
  1^{1/3} = 1 in Z_11
  2^{1/2} does not exist in Z_11
The easy case
When does c^{1/e} in Z_p exist? Can we compute it efficiently?
The easy case: suppose gcd( e, p-1 ) = 1
  Then for all c in (Z_p)^*: c^{1/e} exists in Z_p and is easy to find.
Proof: let d = e^{-1} in Z_{p-1}. Then
  d*e = 1 in Z_{p-1}

The case e=2: square roots
If p is an odd prime then gcd( 2, p-1 ) ≠ 1

Fact: in (Z_p)^*, x -> x^2 is a 2-to-1 function

Example: in Z_11:
    x   -x  |  x^2
    1   10  |   1
    2    9  |   4
    3    8  |   9
    4    7  |   5
    5    6  |   3

Def: x in Z_p is a quadratic residue (Q.R.) if it has a square root in Z_p
  p odd prime  =>  the # of Q.R. in Z_p is (p-1)/2 + 1
Euler's theorem
Thm: x in (Z_p)^* is a Q.R.  <=>  x^{(p-1)/2} = 1 in Z_p   (p odd prime)

Example: in Z_11:  1^5, 2^5, 3^5, 4^5, 5^5, 6^5, 7^5, 8^5, 9^5, 10^5
                 =  1,  -1,  1,   1,   1,  -1,  -1,  -1,   1,  -1

Note: x ≠ 0  =>  x^{(p-1)/2} = (x^{p-1})^{1/2} = 1^{1/2} in { 1, -1 } in Z_p
Def: x^{(p-1)/2} is called the Legendre Symbol of x over p (1798)
Computing square roots mod p
Suppose p = 3 (mod 4)

Lemma: if c in (Z_p)^* is a Q.R. then √c = c^{(p+1)/4} in Z_p

Proof:

When p = 1 (mod 4), can also be done efficiently, but a bit harder
  run time = O(log^3 p)
Solving quadratic equations mod p
Solve: a*x^2 + b*x + c = 0 in Z_p

Solution: x = ( -b ± √(b^2 - 4ac) ) / 2a in Z_p

  Find (2a)^{-1} in Z_p using extended Euclid.

  Find the square root of b^2 - 4ac in Z_p (if one exists)
    using a square root algorithm
Computing e'th roots mod N ??
Let N be a composite number and e > 1

When does c^{1/e} in Z_N exist? Can we compute it efficiently?

Answering these questions requires the factorization of N
  (as far as we know)

End of Segment
Intro. Number Theory
Arithmetic algorithms
Online Cryptography Course, Dan Boneh

Representing bignums
Representing an n-bit integer (e.g. n = 2048) on a 64-bit machine:

  | 32 bits | 32 bits | 32 bits | 32 bits | ...    (n/32 blocks)

Note: some processors have 128-bit registers (or more)
  and support multiplication on them

Arithmetic
Given: two n-bit integers
  Addition and subtraction: linear time O(n)
  Multiplication: naively O(n^2). Karatsuba (1960): O(n^1.585)
    Basic idea: (2^b x_2 + x_1)(2^b y_2 + y_1) with 3 mults.
    Best (asymptotic) algorithm: about O(n log n).
  Division with remainder: O(n^2).
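Karatsuba's three-multiplication idea for (2^b x_2 + x_1)(2^b y_2 + y_1), applied recursively and with the base-case multiplications counted so the gap to the naive O(n^2) limb count is visible. This is an added Python example, not code from the slides; the 32-bit base-case size and the counter are my choices.

```python
# Added example (not from the slides): recursive Karatsuba multiplication
# over Python ints, counting how many machine-sized multiplies it performs.

def karatsuba(x, y, counter, base_bits=32):
    """Multiply non-negative x, y; counter[0] counts base-case multiplications.
    A multiply with one operand below 2^base_bits is counted as one (a simplification)."""
    if x < (1 << base_bits) or y < (1 << base_bits):
        counter[0] += 1
        return x * y
    b = max(x.bit_length(), y.bit_length()) // 2
    mask = (1 << b) - 1
    x2, x1 = x >> b, x & mask          # x = 2^b x2 + x1
    y2, y1 = y >> b, y & mask          # y = 2^b y2 + y1
    z2 = karatsuba(x2, y2, counter)                       # x2*y2
    z0 = karatsuba(x1, y1, counter)                       # x1*y1
    z1 = karatsuba(x2 + x1, y2 + y1, counter) - z2 - z0   # x2*y1 + x1*y2
    return (z2 << (2 * b)) + (z1 << b) + z0

def multiply(x, y):
    """Return (x*y, number of base multiplications used)."""
    counter = [0]
    return karatsuba(x, y, counter), counter[0]
```

For two 512-bit operands the naive schoolbook method needs 16 x 16 = 256 products of 32-bit limbs; the count returned here stays below that.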
Exponentiation
Finite cyclic group G (for example G = (Z_p)^*)

Goal: given g in G and x compute g^x

Example: suppose x = 53 = (110101)_2 = 32 + 16 + 4 + 1
  Then: g^53 = g^{32+16+4+1} = g^32 * g^16 * g^4 * g^1

  g -> g^2 -> g^4 -> g^8 -> g^16 -> g^32    ==>  g^53

The repeated squaring alg.
Input: g in G and x > 0.  Output: g^x
  write x = ( x_n x_{n-1} ... x_2 x_1 x_0 )_2
  y <- g, z <- 1
  for i = 0 to n do:
    if (x[i] == 1): z <- z * y
    y <- y^2
  output z

example: g^53       y        z
                    g^2      g
                    g^4      g
                    g^8      g^5
                    g^16     g^5
                    g^32     g^21
                    g^64     g^53
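The repeated-squaring loop above run in (Z_p)^*, plus a trace that records y and z as exponents of g after each round so the g^53 table can be checked line by line. Added Python example, not code from the slides; p = 101 in the usage and the function names are my choices.

```python
# Added example (not from the slides): repeated squaring in Z_p and an
# exponent-only trace of the (y, z) columns from the table above.

def repeated_squaring(g, x, p):
    """Compute g^x in Z_p by scanning the bits of x from x_0 upward."""
    y, z = g, 1
    while x > 0:
        if x & 1:
            z = (z * y) % p      # multiply in the current power of g
        y = (y * y) % p          # y runs through g, g^2, g^4, ...
        x >>= 1
    return z

def trace_exponents(x):
    """(exponent of y, exponent of z) after each loop round, for g^x."""
    y_exp, z_exp, rows = 1, 0, []
    while x > 0:
        if x & 1:
            z_exp += y_exp
        y_exp *= 2
        x >>= 1
        rows.append((y_exp, z_exp))
    return rows

if __name__ == "__main__":
    print(repeated_squaring(2, 53, 101), trace_exponents(53))
```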

Running times
Given n-bit int. N:
  Addition and subtraction in Z_N: linear time T_+ = O(n)
  Modular multiplication in Z_N: naively T_x = O(n^2)
  Modular exponentiation in Z_N ( g^x ):
    O( (log x) * T_x )  <=  O( (log x) * n^2 )  <=  O( n^3 )

End of Segment
Intro. Number Theory
Intractable problems
Online Cryptography Course, Dan Boneh

Easy problems
  Given composite N and x in Z_N, find x^{-1} in Z_N
  Given prime p and polynomial f(x) in Z_p[x],
    find x in Z_p s.t. f(x) = 0 in Z_p (if one exists)
    Running time is linear in deg(f).

... but many problems are difficult
Intractable problems with primes
Fix a prime p > 2 and g in (Z_p)^* of order q.
Consider the function: x -> g^x in Z_p

Now, consider the inverse function:
  Dlog_g( g^x ) = x   where x in { 0, ..., q-2 }

Example: in Z_11:    1, 2, 3, 4, 5, 6, 7, 8, 9, 10
         Dlog_2(.):  0, 1, 8, 2, 4, 9, 7, 3, 6, 5
DLOG: more generally
Let G be a finite cyclic group and g a generator of G
  G = { 1, g, g^2, g^3, ..., g^{q-1} }   (q is called the order of G)
Def: We say that DLOG is hard in G if for all efficient alg. A:
  Pr_{g <- G, x <- Z_q} [ A( G, q, g, g^x ) = x ] < negligible
Example candidates:
  (1) (Z_p)^* for large p,   (2) Elliptic curve groups mod p
Computing Dlog in (Z_p)^* (n-bit prime p)
Best known algorithm (GNFS): run time exp( )

  cipher key size    modulus size    Elliptic Curve group size
  80 bits            1024 bits       160 bits
  128 bits           3072 bits       256 bits
  256 bits (AES)     15360 bits      512 bits

As a result: slow transition away from (mod p) to elliptic curves
An application: collision resistance
Choose a group G where Dlog is hard (e.g. (Z_p)^* for large p)
Let q = |G| be a prime. Choose generators g, h of G
For x, y in { 1, ..., q } define H(x,y) = g^x h^y in G

Lemma: finding a collision for H(.,.) is as hard as computing Dlog_g(h)
Proof: Suppose we are given a collision H(x_0, y_0) = H(x_1, y_1)
  then g^{x_0} h^{y_0} = g^{x_1} h^{y_1}
    =>  g^{x_0 - x_1} = h^{y_1 - y_0}
    =>  h = g^{(x_0 - x_1) / (y_1 - y_0)}
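The hash H(x,y) = g^x h^y and the lemma's reduction, carried out in a prime-order subgroup of (Z_p)^* small enough to verify by hand. This is an added Python example, not code from the slides; p = 23, q = 11, g = 2 and the helper names are my choices, and the colliding pair is constructed from a known discrete log purely so that the reduction's answer can be checked.

```python
# Added example (not from the slides): H(x,y) = g^x h^y in the order-11
# subgroup of (Z_23)^*, and the collision -> Dlog_g(h) reduction of the lemma.

p, q = 23, 11          # q = 11 divides p-1 = 22; g = 2 has order q mod 23
g = 2

def H(x, y, h):
    """The hash from the slide: g^x * h^y in Z_p."""
    return (pow(g, x, p) * pow(h, y, p)) % p

def dlog_from_collision(x0, y0, x1, y1):
    """Given H(x0,y0) = H(x1,y1) with y0 != y1, return Dlog_g(h) = (x0 - x1)/(y1 - y0) mod q.
    Exponents live in Z_q because g and h have order q."""
    if (y1 - y0) % q == 0:
        raise ValueError("need y0 != y1 mod q")
    return ((x0 - x1) * pow((y1 - y0) % q, -1, q)) % q

def make_collision(secret, x0, y0, y1):
    """Test helper: with h = g^secret, H(x0,y0) = g^(x0 + secret*y0), so
    x1 = x0 + secret*(y0 - y1) mod q gives H(x1,y1) = H(x0,y0)."""
    x1 = (x0 + secret * (y0 - y1)) % q
    return x1, y1

def check_reduction(secret, x0, y0, y1):
    """Build h and a collision from `secret`, then see if the reduction recovers it."""
    h = pow(g, secret, p)
    x1, y1 = make_collision(secret, x0, y0, y1)
    assert H(x0, y0, h) == H(x1, y1, h)
    return dlog_from_collision(x0, y0, x1, y1) == secret % q
```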


Intractable problems with composites
Consider the set of integers:  { N = p*q where p, q are n-bit primes }

Problem 1: Factor a random N in this set (e.g. for n = 1024)
Problem 2: Given a polynomial f(x) where degree(f) > 1
  and a random N in this set,
  find x in Z_N s.t. f(x) = 0 in Z_N
The factoring problem
Gauss (1805):
  "The problem of distinguishing prime numbers from composite numbers
  and of resolving the latter into their prime factors is known to be
  one of the most important and useful in arithmetic."

Best known alg. (NFS): run time exp( ) for n-bit integer
Current world record: RSA-768 (232 digits)
  Work: two years on hundreds of machines
  Factoring a 1024-bit integer: about 1000 times harder
    likely possible this decade
Further reading
A Computational Introduction to Number Theory and Algebra,
  V. Shoup, 2008 (v2), Chapter 1-4, 11, 12

Available at //shoup.net/ntb/ntb-v2.pdf

End of Segment