
COMP-547 Fall 2023

Cryptography & Data Security


Lecture 05
Claude Crépeau
// Square root of a modulo a prime p: a is a quadratic residue, b is a quadratic
// non-residue, and we start from r := (p−1)/2, r′ := 0, so that a^r · b^r′ mod p = 1.
while r is even do {
    r := r/2, r′ := r′/2
    case a^r · b^r′ mod p = 1:      leave r′ unchanged
    case a^r · b^r′ mod p = p − 1:  r′ := r′ + (p−1)/2
}
// Now r is odd, r′ is even, and a^r · b^r′ mod p = 1
(a^((r+1)/2) · b^(r′/2))² = a · a^r · b^r′ = a, so √a = ± a^((r+1)/2) · b^(r′/2)
EXAMPLE
p = 43, a = 16, b = −1
r := (p−1)/2 = 21, r′ := 0
return ±16^11 mod 43 (= ±4)

EXAMPLE
p = 37, a = 16, b = 2
r := (p−1)/2 = 18, r′ := 0
r := r/2 = 9, r′ := 0
return ±16^5 mod 37 (= ±4)

EXAMPLE
p = 41, a = 16, b = 3
r := (p−1)/2 = 20, r′ := 0
r := r/2 = 10, r′ := 0
r := r/2 = 5, r′ := 0
return ±16^3 mod 41 (= ±4)

EXAMPLE
p = 41, a = 8, b = 3
r := (p−1)/2 = 20, r′ := 0
r := r/2 = 10, r′ := r′/2 + 20 = 20
r := r/2 = 5, r′ := r′/2 + 20 = 30
return ±8^3 · 3^15 mod 41 (= ±7)
Extracting Square Roots modulo N

We want to solve r² ≡ a (mod N) for r knowing p, q such that N = pq.

We first solve modulo p and q and find solutions to

r_p² ≡ a (mod p)
r_q² ≡ a (mod q).

We then consider the simultaneous congruences

r ≡ r_p (mod p) ⟺ p | r² − a
r ≡ r_q (mod q) ⟺ q | r² − a
⟹ p · q = N | r² − a
⟹ r² ≡ a (mod N).

We can now solve for r using the Chinese Remainder Theorem.


EXAMPLE
N = 37*43 = 1591, a = 16
√a ≡ ±33 (mod 37)
√a ≡ ±4 (mod 43)

Use CRT on the following 4 systems:

√a ≡ 4 (mod 37),  √a ≡ 4 (mod 43)   ⟹ √a ≡ 4 (mod 1591)
√a ≡ 4 (mod 37),  √a ≡ 39 (mod 43)  ⟹ √a ≡ 1114 (mod 1591)
√a ≡ 33 (mod 37), √a ≡ 4 (mod 43)   ⟹ √a ≡ 477 (mod 1591)
√a ≡ 33 (mod 37), √a ≡ 39 (mod 43)  ⟹ √a ≡ 1587 (mod 1591)
definition [SQROOT]
The square root modulo N problem is: given a composite integer N and
a ∈ QR_N, find an integer r, 0 ≤ r < N, such that a ≡ r² (mod N).

Theorem: SQROOT is polynomially equivalent to FACTORING.

Proof idea:
The previous construction shows that if we know the factorization of N,
we can extract square roots modulo each prime factor and then
recombine using the Chinese Remainder Theorem.

If we can extract square roots modulo N, we can split N in two factors
N = uv using the following algorithm, and by repetition fully factor it:

The probability of the else case is at least 1/2.
ALGORITHM B.𝜔+1
Integer Splitting

Input: non-negative Integer N
Output: Integers u, v > 1 s.t. N = uv

r ← {1…N − 1}, r′ ← SQROOT(r², N)
if r′ ≡ ± r (mod N) return Splitting(N)
else u := gcd(r + r′, N), v := gcd(r − r′, N)
return (u, v)

ALGORITHM B.𝜔+2
Integer Factoring

Input: non-negative Integer N
Output: List of Prime Integers p1, . . . , pk s.t. N = p1⋯pk

if N is prime return [N]
else (u, v) := Splitting(N); return Factoring(u) || Factoring(v)
EXAMPLE
N = 37*43 = 1591,
a = 477,
a² mod 1591 = 16
√(a²) mod 1591 = 4
477 ≢ ±4 (mod 1591)

u = gcd(477+4, 1591) = 37
v = gcd(477−4, 1591) = 43
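The three pieces above (the r, r′ loop for square roots modulo a prime, CRT recombination to the four roots modulo N = pq, and Algorithm B.𝜔+1 driven by a SQROOT oracle) in Python, as an added example that is not part of the lecture slides. The function names, the simulated oracle (it cheats by using the known factors 37 and 43, which is exactly the "if we know the factorization" direction of the theorem) and the gcd shortcut for a non-unit r are my additions; the numbers are the slides' (N = 1591, a = 16, r = 477, non-residues b = 2 mod 37 and b = −1 mod 43).

```python
# Added example (not from the slides): square roots mod p, CRT to mod N = pq,
# and Splitting (Algorithm B.omega+1) against a simulated SQROOT oracle.
from math import gcd
import random


def sqrt_mod_prime(a, p, b):
    """Square roots of a modulo an odd prime p, following the slide's loop.

    a must be a quadratic residue and b a quadratic non-residue mod p, so that
    a^r * b^r' == 1 (mod p) holds for r = (p-1)/2, r' = 0. Returns (root, p - root).
    """
    a, b = a % p, b % p
    r, rp = (p - 1) // 2, 0
    if pow(a, r, p) != 1:
        raise ValueError("a is not a quadratic residue mod p")
    if pow(b, r, p) != p - 1:
        raise ValueError("b is not a quadratic non-residue mod p")
    while r % 2 == 0:
        r //= 2
        rp //= 2
        # Halving turns a^r b^r' into a square root of 1, i.e. +1 or -1.
        # In the -1 case, multiplying by b^((p-1)/2) == -1 restores the invariant.
        if pow(a, r, p) * pow(b, rp, p) % p == p - 1:
            rp += (p - 1) // 2
    # Now r is odd, r' is even and a^r b^r' == 1, so
    # (a^((r+1)/2) * b^(r'/2))^2 == a * a^r * b^r' == a.
    root = pow(a, (r + 1) // 2, p) * pow(b, rp // 2, p) % p
    return root, p - root


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli."""
    n = 1
    for m in moduli:
        n *= m
    x = 0
    for res, m in zip(residues, moduli):
        big_m = n // m
        x += res * big_m * pow(big_m, -1, m)  # pow(.., -1, m) = modular inverse (Python 3.8+)
    return x % n


def sqrt_mod_pq(a, p, q, bp, bq):
    """All four square roots of a modulo N = p*q: roots mod p and mod q, then CRT."""
    roots = [crt([rp, rq], [p, q])
             for rp in sqrt_mod_prime(a, p, bp)
             for rq in sqrt_mod_prime(a, q, bq)]
    return sorted(roots)


def split_from_root(n, r, r_prime):
    """The else branch of Algorithm B.omega+1: a root r' of r^2 with r' != +-r gives
    n = gcd(r + r', n) * gcd(r - r', n). Returns None in the r' == +-r case."""
    if r_prime % n in (r % n, (-r) % n):
        return None
    return gcd(r + r_prime, n), gcd(r - r_prime, n)


def splitting(n, sqroot, rng=random):
    """Algorithm B.omega+1 with sqroot(a) an oracle returning one square root of a
    mod n. Each trial lands in the else case with probability at least 1/2."""
    while True:
        r = rng.randrange(1, n)
        g = gcd(r, n)
        if g != 1:  # not on the slide: a non-unit r already splits n on its own
            return g, n // g
        pair = split_from_root(n, r, sqroot(r * r % n))
        if pair is not None:
            return pair


# Constructed demo with the slides' numbers: N = 37*43 = 1591, a = 16.
P, Q, N = 37, 43, 37 * 43


def oracle(a):
    """Simulated SQROOT(a, N): we know p and q, so we can answer (smallest root)."""
    return sqrt_mod_pq(a, P, Q, 2, -1)[0]


if __name__ == "__main__":
    print(sqrt_mod_prime(16, 43, -1), sqrt_mod_prime(8, 41, 3))  # (4, 39) (34, 7)
    print(sqrt_mod_pq(16, P, Q, 2, -1))                           # [4, 477, 1114, 1587]
    print(split_from_root(N, 477, 4))                             # (37, 43)
    print(splitting(N, oracle))                                   # 37 and 43, in some order
```

The oracle is the only place the factorization is used; `splitting` itself sees just `sqroot`, which is the point of the reduction: any box that returns square roots modulo N, however it works internally, factors N after a couple of calls on average.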
Prime numbers

If we want a random prime of a given size, we use the following theorem to
estimate the number of integers we must try before finding a prime.
Let π(N) = #{a : 1 < a ≤ N and a is prime}.

Theorem
lim_{N→∞} π(N) log N / N = 1

To decide whether a number N is prime or not we rely on Miller-Rabin's
probabilistic algorithm. This algorithm introduces the notion of "pseudo-
primality" base a. Miller defined this test as an extension of Fermat's test.

If the Extended Riemann Hypothesis is true, then it is sufficient to use the
test with small values of a to decide whether a number N is prime or
composite. However, the ERH is not proven and we use the test in a
probabilistic fashion as suggested by Rabin.

*Charles Levieux, *Jacques Salomon Hadamard
Gary L. Miller Michael O. Rabin Baron de la Vallée Poussin
p′ ← {0,1}^{n−2}
p := 1 ∥ p′ ∥ 1

[Figure: automaton recognizing multiples of 3 in base 2, states q0, q1, q2 with 0/1 transitions]

Primality à la Fermat

Primality à la Miller-Rabin

It is easy to show that if N is prime, then Miller−Rabin(N, t) returns "prime" with probability 1.

Rabin showed that if N is composite, then Miller−Rabin(N, t) returns "prime" with probability at most 4^{−t}.
EXAMPLE
N = 37*43 = 1591, N−1 = 1590 = 795*2
u = 795, r = 1
a = 16
a^u = 16^795 mod 1591
i=0, a^u = 692 ≠ 1
i=1, a^{2u} = 1564 ≠ 1: failure à la Fermat
1591 is definitely composite

EXAMPLE
N = 1597, N−1 = 1596 = 399*4
u = 399, r = 2
a = 16
a^u = 16^399 mod 1597
i=0, a^u = 1
1597 is potentially prime

EXAMPLE
N = 1597, N−1 = 1596 = 399*4
u = 399, r = 2
a = 17
a^u = 17^399 mod 1597
i=0, a^u = 1
1597 is potentially prime

EXAMPLE
N = 1597, N−1 = 1596 = 399*4
u = 399, r = 2
a = 18
a^u = 18^399 mod 1597
i=0, a^u = 610
i=1, a^{2u} = 1596
i=2, a^{4u} = 1
1597 is potentially prime

EXAMPLE
N = 1597 is either prime, or we just experienced an event (3 random occurrences of "prime") that happens with probability at most 1/64.

We are almost certain that 1597 is prime...
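The Miller-Rabin test as run in the examples above, plus the candidate construction p := 1 ∥ p′ ∥ 1 from the random-prime slide, in Python as an added example that is not the lecture's own code. It uses the slides' notation N−1 = 2^r · u and returns the per-base trace a^u, a^{2u}, …, a^{N−1} mod N so the printed rounds can be compared with the slides; `decompose`, `miller_rabin_round`, `random_candidate` and `random_prime` are my names, and the 64-bit size in the demo is an arbitrary choice.

```python
# Added example (not from the slides): Miller-Rabin in the slides' (u, r) notation,
# with the per-base trace shown in the examples, and random prime generation
# from candidates of the form p := 1 || p' || 1.
import random


def decompose(n):
    """Write n - 1 = 2**r * u with u odd; returns (u, r)."""
    u, r = n - 1, 0
    while u % 2 == 0:
        u //= 2
        r += 1
    return u, r


def miller_rabin_round(n, a):
    """One round with base a. Returns (verdict, trace) where
    trace[i] = a^(2^i * u) mod n for i = 0..r, so trace[r] = a^(n-1) mod n."""
    u, r = decompose(n)
    trace = [pow(a, u, n)]
    for _ in range(r):
        trace.append(pow(trace[-1], 2, n))
    # A prime always passes: a^u == 1, or some a^(2^i u) == -1 for i < r.
    # Otherwise either a^(n-1) != 1 (failure a la Fermat) or the trace reached 1
    # from a value other than +-1, exhibiting a nontrivial square root of 1.
    if trace[0] == 1 or any(x == n - 1 for x in trace[:r]):
        return "potentially prime", trace
    return "composite", trace


def miller_rabin(n, t, rng=random):
    """Miller-Rabin(N, t): t random bases. Returns True ("prime") with probability 1
    on a prime and with probability at most 4**-t on a composite."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(t):
        a = rng.randrange(2, n - 1)
        if miller_rabin_round(n, a)[0] == "composite":
            return False
    return True


def random_candidate(nbits, rng=random):
    """p := 1 || p' || 1 with p' <- {0,1}^(n-2): an odd integer of exactly n bits."""
    p_prime = rng.getrandbits(nbits - 2)
    return (1 << (nbits - 1)) | (p_prime << 1) | 1


def random_prime(nbits, t, rng=random):
    """Draw candidates until Miller-Rabin accepts one; returns (prime, tries).
    By the prime number theorem about (n ln 2)/2 odd candidates are needed on average."""
    tries = 0
    while True:
        tries += 1
        p = random_candidate(nbits, rng)
        if miller_rabin(p, t, rng):
            return p, tries


if __name__ == "__main__":
    # The slides' four runs: (1591, 16) is composite, 1597 passes bases 16, 17, 18.
    for n, a in [(1591, 16), (1597, 16), (1597, 17), (1597, 18)]:
        verdict, trace = miller_rabin_round(n, a)
        print(n, a, trace, verdict)
    print(random_prime(64, 20))
```

Three passing rounds on 1597 bound the error by 4^{−3} = 1/64, as the slide says; a library would run 20 or more rounds (or a deterministic base set for small N) before trusting a candidate.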
Deterministic Primality Testing

In August of 2002, Agrawal, Kayal, and Saxena announced the discovery
of a deterministic primality test running in polynomial time.
Unfortunately this test is too slow in practice, its running time being
O(|N|^12).

In 2005, Pomerance and Lenstra demonstrated a faster variant of AKS
that runs in Õ(|N|^6) operations, but it is still rather slow in practice.

To prove the primality of an integer N:

N is prime if and only if for all a such that gcd(a, N) = 1

(x + a)^N ≡ x^N + a (mod N).

Manindra Agrawal Neeraj Kayal Nitin Saxena

The idea is to validate this (exponentially long) congruence in poly-time.
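To make the congruence concrete, here is an added Python check (not part of the slides, and not the AKS algorithm) that expands (x + a)^N coefficient by coefficient modulo N and compares it with x^N + a. It is exponential in |N|, which is exactly the problem AKS solves by working modulo a small polynomial; the function name and the choice of test values are mine.

```python
# Added example (not from the slides): brute-force verification of
# (x + a)^N == x^N + a (mod N) by expanding the binomial coefficients mod N.
# Exponential in |N|: it only illustrates the statement AKS makes efficient.

def binomial_congruence_holds(n, a=1):
    """True iff (x + a)^n == x^n + a in Z_n[x], i.e. C(n, k) * a^(n-k) == 0 mod n
    for every 0 < k < n and a^n == a mod n. For gcd(a, n) = 1 this holds exactly
    when n is prime (the 'if and only if' quoted on the slide)."""
    if n < 2:
        return False
    coeff = 1  # C(n, k), updated incrementally: C(n, k) = C(n, k-1) * (n-k+1) / k
    for k in range(1, n):
        coeff = coeff * (n - k + 1) // k          # exact: the division has no remainder
        if (coeff * pow(a, n - k, n)) % n != 0:    # coefficient of x^k must vanish mod n
            return False
    return pow(a, n, n) == a % n                   # constant term: a^n must equal a


if __name__ == "__main__":
    print(binomial_congruence_holds(1597))      # True: 1597 is prime
    print(binomial_congruence_holds(1591))      # False: 1591 = 37 * 43
    print(binomial_congruence_holds(561))       # False: a Carmichael number, Fermat-passing but composite
```

The Carmichael case is the instructive one: 561 passes Fermat's test for every coprime base, yet the polynomial congruence rejects it at a single small k, which is why AKS needs no randomness.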

