
Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom.

September 5, 2011

Elisabeth Oswald, Nigel Smart and Martijn Stam

COMS30002: Mathematical Interlude

Slide 1

Outline


Slide 2

A Quiz

The purpose is for you and me to find out what you already know about basic number theory. Work with your neighbour(s) and discuss answers to the following questions:

- The factorisation problem is hard for all numbers. True or false?
- What is 16023843203210 mod 16023843203209?
- The xgcd is a new X server. True or false?
- What is the greatest common divisor of two numbers?
- The modular inverse of a number is a real number. True or false?

Slide 3

Modular Arithmetic

Modular arithmetic is fundamental to modern public key cryptosystems. Given integers $a, b, N \in \mathbb{Z}$ we say that $a$ is congruent to $b$ modulo $N$, written
$$a \equiv b \pmod N,$$
iff $N$ divides $b - a$.

Often we are lazy and just write $a \equiv b$ if it is clear we are working modulo $N$. The modulo operator is like the C operator %. Example: $16 \equiv 1 \pmod 5$ since $16 - 1 = 3 \cdot 5$.

Slide 4

Modular Arithmetic

For convenience we define the set $(\mathbb{Z}/N\mathbb{Z}) = \{0, \ldots, N-1\}$, which is the set of remainders modulo $N$. Note: some authors use $\mathbb{Z}_N = (\mathbb{Z}/N\mathbb{Z})$. It is clear that given $N$, every integer $a \in \mathbb{Z}$ is congruent modulo $N$ to an element in the set $\mathbb{Z}/N\mathbb{Z}$, since we can write $a = q \cdot N + r$ with $0 \le r < N$, and clearly $a \equiv r \pmod N$.

Slide 5

Modular Arithmetic

The set $\mathbb{Z}/N\mathbb{Z}$ has two operations defined on it.

Addition. Ex. $(11 + 13) \pmod{16} \equiv 24 \pmod{16} \equiv 8 \pmod{16}$.

Multiplication. Ex. $(11 \cdot 13) \pmod{16} \equiv 143 \pmod{16} \equiv 15 \pmod{16}$.

Theorems: Given integers $a, b \in \mathbb{Z}$ we have
$$(a + b) \pmod N \equiv [(a \pmod N) + (b \pmod N)] \pmod N,$$
$$(a - b) \pmod N \equiv [(a \pmod N) - (b \pmod N)] \pmod N,$$
$$(a \cdot b) \pmod N \equiv [(a \pmod N) \cdot (b \pmod N)] \pmod N.$$

Slide 6

Multiplicative Inverse

The multiplicative inverse of $a \in \mathbb{Z}/N\mathbb{Z}$ is an element $b \in \mathbb{Z}/N\mathbb{Z}$ with $a \cdot b \equiv b \cdot a \equiv 1$. We often write $b = a^{-1}$. Theorem: $a \in \mathbb{Z}/N\mathbb{Z}$ has a unique inverse modulo $N$ iff $a$ and $N$ are relatively prime, i.e. $\gcd(a, N) = 1$. If $p$ is a prime then every non-zero element in $\mathbb{Z}/p\mathbb{Z}$ has an inverse. Note $1/3 \pmod 5 = 2$; it does not equal $0.3333\ldots$

Slide 7

Consider $\mathbb{Z}/N\mathbb{Z}$ with $N = 10$, then 3 has a multiplicative inverse, since $\gcd(3, 10) = 1$.

Indeed, $3 \cdot 7 \equiv 21 \equiv 1 \pmod{10}$.

Indeed, we have the following table of the multiples $3 \cdot k \pmod{10}$ for $k = 0, \ldots, 9$:

$3 \cdot 0 \equiv 0 \pmod{10}$
$3 \cdot 1 \equiv 3 \pmod{10}$
$3 \cdot 2 \equiv 6 \pmod{10}$
$3 \cdot 3 \equiv 9 \pmod{10}$
$3 \cdot 4 \equiv 12 \equiv 2 \pmod{10}$
$3 \cdot 5 \equiv 15 \equiv 5 \pmod{10}$
$3 \cdot 6 \equiv 18 \equiv 8 \pmod{10}$
$3 \cdot 7 \equiv 21 \equiv 1 \pmod{10}$
$3 \cdot 8 \equiv 24 \equiv 4 \pmod{10}$
$3 \cdot 9 \equiv 27 \equiv 7 \pmod{10}$

Slide 8

We need a method to determine when $a \in \mathbb{Z}/N\mathbb{Z}$ has a multiplicative inverse and compute it when it does. We know this happens iff $\gcd(a, N) = 1$. Therefore we need to compute the GCD of two integers $a, b \in \mathbb{Z}$. This is easy if we know the prime factorization of $a$ and $b$, since if
$$a = \prod_i p_i^{\alpha_i} \quad\text{and}\quad b = \prod_i p_i^{\beta_i}$$
then
$$d = \gcd(a, b) = \prod_i p_i^{\min(\alpha_i, \beta_i)}.$$

However, factoring is a very expensive operation, so we cannot use the above formula. A much faster algorithm to compute GCDs is Euclid's algorithm.

Slide 9

To compute the GCD of $r_0 = a$ and $r_1 = b$ we compute
$$\begin{aligned}
r_0 &= q_1 r_1 + r_2 \\
r_1 &= q_2 r_2 + r_3 \\
&\;\;\vdots \\
r_{m-2} &= q_{m-1} r_{m-1} + r_m \\
r_{m-1} &= q_m r_m.
\end{aligned}$$

If $d$ divides $a$ and $b$ then $d$ divides $r_2, r_3, r_4$ and so on. Therefore
$$\gcd(a, b) = \gcd(r_0, r_1) = \gcd(r_1, r_2) = \cdots = \gcd(r_{m-1}, r_m) = r_m.$$

Slide 10

As an example of this algorithm we want to show that $3 = \gcd(21, 12)$. Using the Euclidean algorithm we compute $\gcd(21, 12)$ as
$$\begin{aligned}
\gcd(21, 12) &= \gcd(21 \pmod{12}, 12) = \gcd(9, 12) \\
&= \gcd(12 \pmod 9, 9) = \gcd(3, 9) \\
&= \gcd(9 \pmod 3, 3) = \gcd(0, 3) \\
&= 3.
\end{aligned}$$

Slide 11

Using the Euclidean algorithm, we can determine when $a$ has an inverse modulo $N$, i.e. iff $\gcd(a, N) = 1$. But we do not know yet how to compute the inverse. Solution: use an extended version of the Euclidean algorithm. Recall that during the Euclidean algorithm we had $r_{i-2} = q_{i-1} r_{i-1} + r_i$ and finally $r_m = \gcd(r_0, r_1)$. Now we unwind the above and write each $r_i$, $i \ge 2$, in terms of $a$ and $b$.

Slide 12

Unwinding the various steps in the Euclidean algorithm gives:
$$\begin{aligned}
r_2 &= r_0 - q_1 r_1 = a - q_1 b \\
r_3 &= r_1 - q_2 r_2 = b - q_2 (a - q_1 b) = -q_2 a + (1 + q_1 q_2) b \\
&\;\;\vdots \\
r_{i-2} &= s_{i-2} a + t_{i-2} b \\
r_{i-1} &= s_{i-1} a + t_{i-1} b \\
r_i &= r_{i-2} - q_{i-1} r_{i-1} = a (s_{i-2} - q_{i-1} s_{i-1}) + b (t_{i-2} - q_{i-1} t_{i-1}) \\
&\;\;\vdots \\
r_m &= s_m a + t_m b.
\end{aligned}$$
The XGCD takes as input $a$ and $b$ and outputs $s_m, t_m, r_m$ such that $r_m = \gcd(a, b) = s_m a + t_m b$.

Slide 13

Given $a, N \in \mathbb{Z}$ we can compute $d, x, y$ using XGCD such that $d = \gcd(a, N) = x \cdot a + y \cdot N$. Considering the above equation modulo $N$ we get
$$d \equiv x \cdot a + y \cdot N \equiv x \cdot a \pmod N.$$
In particular, when $d = 1$ the coefficient $x$ (reduced modulo $N$) is the inverse of $a$ modulo $N$.

Remark: the more general equation $a \cdot x \equiv b \pmod N$ has precisely $d = \gcd(a, N)$ solutions if $d$ divides $b$, and none otherwise.

Slide 14
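As an added example (not part of the slides), here is the extended Euclidean algorithm of slides 10 to 14 in Python, together with the modular inverse it yields and the general solution of $a \cdot x \equiv b \pmod N$ from the remark on slide 14. The function names are this example's own.

```python
# Added example, not from the slides: XGCD, modular inverse and the
# solutions of a*x = b (mod n). Function names are this example's own.


def xgcd(a, b):
    """Extended Euclidean algorithm (slides 10 and 13).

    Runs the remainder sequence r_0 = a, r_1 = b, r_i = r_{i-2} - q_{i-1} r_{i-1}
    while maintaining r_i = s_i*a + t_i*b. Returns (d, s, t) with
    d = gcd(a, b) = s*a + t*b and d >= 0.
    """
    r0, r1 = a, b
    s0, s1 = 1, 0      # coefficients of a in r0, r1
    t0, t1 = 0, 1      # coefficients of b in r0, r1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    if r0 < 0:         # normalise the sign of d (and of its certificate)
        r0, s0, t0 = -r0, -s0, -t0
    return r0, s0, t0


def modinv(a, n):
    """a^{-1} mod n from d = x*a + y*n = x*a (mod n) with d = 1 (slide 14).

    Raises ValueError when gcd(a, n) != 1, i.e. when no inverse exists.
    """
    d, x, _ = xgcd(a % n, n)
    if d != 1:
        raise ValueError("%d has no inverse modulo %d (gcd = %d)" % (a, n, d))
    return x % n


def solve_linear(a, b, n):
    """All x in Z/nZ with a*x = b (mod n), as a sorted list.

    Slide 14 remark: exactly d = gcd(a, n) solutions when d | b, else none.
    Dividing through by d gives a unique solution modulo n/d; the d
    solutions modulo n are its lifts x0, x0 + n/d, ..., x0 + (d-1) n/d.
    """
    d, x, _ = xgcd(a % n, n)
    if b % d != 0:
        return []
    step = n // d
    x0 = (x * (b // d)) % step
    return [x0 + k * step for k in range(d)]
```

The loop keeps the invariant $r_i = s_i a + t_i b$ from slide 13 on both remainders, so no separate unwinding pass is needed; `modinv(3, 10)` returns 7 and `solve_linear(4, 2, 6)` returns the two solutions 2 and 5.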

The number of integers in $\mathbb{Z}/N\mathbb{Z}$ which are relatively prime to $N$ is given by $\varphi(N)$. $\varphi(N)$ is called the Euler Phi function of $N$. We know that an element $a \in \mathbb{Z}/N\mathbb{Z}$ has a multiplicative inverse modulo $N$ iff $\gcd(a, N) = 1$. Therefore, there are precisely $\varphi(N)$ invertible elements in $\mathbb{Z}/N\mathbb{Z}$.

Slide 15

Given the prime factorization of $N$, i.e.
$$N = \prod_{i=1}^{n} p_i^{e_i},$$
we have
$$\varphi(N) = \prod_{i=1}^{n} p_i^{e_i - 1} (p_i - 1).$$

The most important cases for cryptography are: If $p$ is prime then $\varphi(p) = p - 1$. If $p$ and $q$ are both prime and $p \ne q$ then $\varphi(p \cdot q) = (p - 1)(q - 1)$.

Slide 16

Modular Arithmetic

1) Addition is closed: $\forall a, b \in \mathbb{Z}/N\mathbb{Z}: a + b \in \mathbb{Z}/N\mathbb{Z}$.
2) Addition is associative: $\forall a, b, c \in \mathbb{Z}/N\mathbb{Z}: (a + b) + c \equiv a + (b + c)$.
3) 0 is an additive identity: $\forall a \in \mathbb{Z}/N\mathbb{Z}: a + 0 \equiv 0 + a \equiv a$.
4) The additive inverse always exists: $\forall a \in \mathbb{Z}/N\mathbb{Z}: a + (N - a) \equiv (N - a) + a \equiv 0$.
5) Addition is commutative: $\forall a, b \in \mathbb{Z}/N\mathbb{Z}: a + b \equiv b + a$.

Slide 17

Modular Arithmetic

6) Multiplication is closed: $\forall a, b \in \mathbb{Z}/N\mathbb{Z}: a \cdot b \in \mathbb{Z}/N\mathbb{Z}$.
7) Multiplication is commutative: $\forall a, b \in \mathbb{Z}/N\mathbb{Z}: a \cdot b \equiv b \cdot a$.
8) Multiplication is associative: $\forall a, b, c \in \mathbb{Z}/N\mathbb{Z}: (a \cdot b) \cdot c \equiv a \cdot (b \cdot c)$.
9) 1 is a multiplicative identity: $\forall a \in \mathbb{Z}/N\mathbb{Z}: a \cdot 1 \equiv 1 \cdot a \equiv a$.
10) Multiplication distributes over addition: $\forall a, b, c \in \mathbb{Z}/N\mathbb{Z}: (a + b) \cdot c \equiv a \cdot c + b \cdot c$.

Slide 18

Groups

A group $(G, \cdot)$ consists of a set $G$ and an operation $\cdot$, satisfying:

- Associativity: $\forall a, b, c \in G: a \cdot (b \cdot c) = (a \cdot b) \cdot c$.
- Identity element: $\exists 1 \in G\ \forall a \in G: a \cdot 1 = 1 \cdot a = a$.
- Every element has an inverse element: $\forall a \in G\ \exists a^{-1} \in G: a \cdot a^{-1} = a^{-1} \cdot a = 1$.

The group $G$ is called commutative or Abelian if $\forall a, b \in G: a \cdot b = b \cdot a$.

Slide 19

Groups - Examples

Integers / Reals / Complexes under addition. The identity is 0, the inverse of $x$ is $-x$. Non-zero Reals / Non-zero Rationals under multiplication. The identity is 1, the inverse of $x$ is $x^{-1}$. These are all examples of infinite Abelian groups. Questions: Why are the integers not a group under multiplication? Why do we say non-zero real numbers above?

Slide 20

Modular Arithmetic

Going back to our 10 properties of modular arithmetic we see: Properties 1-4 say that $\mathbb{Z}/N\mathbb{Z}$ is a group with respect to addition. Property 5 says that the group $\mathbb{Z}/N\mathbb{Z}$ is abelian. Properties 1-10 say that $\mathbb{Z}/N\mathbb{Z}$ is a ring. Other rings you have seen before are the integers, reals and complexes. These are all infinite rings, whereas $\mathbb{Z}/N\mathbb{Z}$ is a finite ring.

Slide 21

Lagranges Theorem

The order of an element $a$ of a group $(G, \cdot)$ is the smallest positive integer $t$ such that $a^t = 1$. Lagrange's Theorem: If $G$ is a group of order (size) $n = \#G$ then for all $a \in G$ we have $a^n = 1$.

Corollary: the order $t$ of an element $a \in G$ divides $n = \#G$. So if $a \in (\mathbb{Z}/N\mathbb{Z})^*$ then $a^{\varphi(N)} \equiv 1 \pmod N$, since $\#(\mathbb{Z}/N\mathbb{Z})^* = \varphi(N)$.

Slide 22

This is not to be confused with Fermat's Last Theorem ... Fermat's Little Theorem: Suppose $p$ is a prime and $a \in \mathbb{F}_p$, then $a^p \equiv a \pmod p$.

Fermat's Little Theorem is a special case of Lagrange's Theorem: apply Lagrange to the group $\mathbb{F}_p^*$ of order $p - 1$ to get $a^{p-1} \equiv 1$ for $a \ne 0$, and both sides are 0 for $a = 0$. This will be the basis of one of our primality tests.

Slide 23
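As an added example (not part of the slides), the following Python code computes $\varphi(N)$ from the factorization formula of slide 16 and checks it against the definition on slide 15, computes the order of a unit and verifies the corollary of Lagrange's Theorem on slide 22 for $(\mathbb{Z}/N\mathbb{Z})^*$, and turns Fermat's Little Theorem (slide 23) into the base-$a$ Fermat test the slide alludes to. The function names are this example's own.

```python
# Added example, not from the slides: Euler's phi function from the
# factorisation (slide 16) checked against its definition (slide 15), the
# order of a unit and Lagrange's corollary (slide 22), and the Fermat test
# that slide 23 alludes to. Function names are this example's own.
from math import gcd


def factorise(n):
    """Trial division; fine for the small n used here. Returns {p: e}."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """phi(N) = product over p^e || N of p^(e-1) (p-1): the slide-16 formula."""
    result = 1
    for p, e in factorise(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result


def phi_by_counting(n):
    """Definition from slide 15: number of a in Z/NZ with gcd(a, N) = 1."""
    return sum(1 for a in range(n) if gcd(a, n) == 1)


def element_order(a, n):
    """Smallest t > 0 with a^t = 1 (mod N); a must be a unit modulo N."""
    if gcd(a, n) != 1:
        raise ValueError("a is not invertible modulo N")
    t, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        t += 1
    return t


def lagrange_holds(n):
    """Slide 22 for G = (Z/NZ)^*: every unit a satisfies a^phi(N) = 1 and
    the order of a divides phi(N)."""
    ph = phi(n)
    return all(pow(a, ph, n) == 1 and ph % element_order(a, n) == 0
               for a in range(1, n) if gcd(a, n) == 1)


def fermat_test(n, bases=(2, 3, 5, 7)):
    """Fermat test built on slide 23: a prime p has a^(p-1) = 1 (mod p) for
    every unit a. Failing for one base proves n composite; passing every
    base is only evidence of primality, never a proof."""
    if n < 2:
        return False
    for a in bases:
        if a % n == 0:
            continue
        if pow(a, n - 1, n) != 1:
            return False
    return True
```

Note the asymmetry in `fermat_test`: a failing base is a proof of compositeness, but a passing base is not a proof of primality, which is why this is only the basis of a primality test and not the whole of one.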

Fields

A field is a set with two operations $(G, +, \cdot)$ such that $(G, +)$ is an abelian group with identity denoted by 0, $(G \setminus \{0\}, \cdot)$ is an abelian group with identity denoted by 1, and $(G, +, \cdot)$ satisfies the distributive law. Distributive law: for all $a, b, c \in G$,
$$a \cdot (b + c) = (a \cdot b) + (a \cdot c).$$

Slide 24

Fields

We define the set of invertible elements of $\mathbb{Z}/N\mathbb{Z}$ as
$$(\mathbb{Z}/N\mathbb{Z})^* = \{a \in \mathbb{Z}/N\mathbb{Z} : \gcd(a, N) = 1\}.$$
The set $(\mathbb{Z}/N\mathbb{Z})^*$ is always a group with respect to multiplication and clearly has size $\varphi(N)$. When $N$ is a prime $p$ we have $(\mathbb{Z}/N\mathbb{Z})^* = \{1, \ldots, p-1\}$. We define the sets
$$\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z} = \{0, \ldots, p-1\} \quad\text{and}\quad \mathbb{F}_p^* = (\mathbb{Z}/p\mathbb{Z})^* = \{1, \ldots, p-1\}.$$

We call $\mathbb{F}_p$ a finite field of characteristic $p$. Finite fields are of central importance in coding theory and cryptography.

Slide 25

Of particular interest are fields of characteristic 2. Take an irreducible binary polynomial $f$ of degree $n$ and let $\mathbb{F}_{2^n}$ denote all the binary polynomials of degree $< n$. Addition in $\mathbb{F}_{2^n}$ is defined as
$$a \oplus b = a + b \pmod 2.$$
Note this means $-a = a$. Multiplication in $\mathbb{F}_{2^n}$ is defined as
$$a \otimes b = a \cdot b \pmod f.$$
Inversion is performed by a variant of the Euclidean algorithm for polynomials.

Slide 26

Often we write $\mathbb{F}_{2^n} = \mathbb{F}_2[x]/(f)$ to denote working modulo $f$. The set of non-zero elements is denoted by $\mathbb{F}_{2^n}^*$; this is the multiplicative group of the field.

Slide 27

Char 2 Example

Let $f = x^6 + x + 1$ (this is irreducible). The finite field of $2^6$ elements can then be identified with bit strings of length six bits, or equivalently with binary polynomials of degree less than or equal to five.
$$a = 001101 = x^3 + x^2 + 1, \qquad b = 101011 = x^5 + x^3 + x + 1,$$
$$a \oplus b = 100110 = x^5 + x^2 + x,$$
since the two $x^3$ and the two 1 terms cancel, as we are working mod two. Notice, we are simply taking the exclusive-or of the bit string representation.

Slide 28

Char 2 Example

Recap: $f = x^6 + x + 1$, $a = 001101 = x^3 + x^2 + 1$, $b = 101011 = x^5 + x^3 + x + 1$. Since $f$ is sparse, reduction mod $f$ is done using rewriting, as $x^6 = x + 1 \pmod f$:
$$\begin{aligned}
a \otimes b &= (x^3 + x^2 + 1) \cdot (x^5 + x^3 + x + 1) \\
&= x^8 + x^7 + x^6 + x^4 + x^3 + x^2 + x + 1 \\
&= x^6 (x^2 + x + 1) + x^4 + x^3 + x^2 + x + 1 \\
&= (x + 1)(x^2 + x + 1) + x^4 + x^3 + x^2 + x + 1 \\
&= (x^3 + 1) + (x^4 + x^3 + x^2 + x + 1) \\
&= x^4 + x^2 + x,
\end{aligned}$$
i.e. $a \otimes b = 010110 = x^4 + x^2 + x$.

Slide 29

Char 2 Example

Since $f$ is assumed irreducible, every polynomial $a \ne 0$ of degree $< n$ is coprime to $f$. Hence, using a binary polynomial version of the extended GCD algorithm we can find $u$ and $v$ so that
$$u \cdot a + v \cdot f = 1 \pmod 2,$$
in which case $a^{-1} = u$ in $\mathbb{F}_{2^n}$. If $a = x^3 + x^2 + 1$ and $f = x^6 + x + 1$ then taking $u = x^5 + x^3$ and $v = x^2 + x + 1$ gives us
$$u \cdot a + v \cdot f = 1 \pmod 2,$$
and so $a^{-1} = u = x^5 + x^3 = 101000$.

Slide 30

All characteristic-2 fields of the same degree $n$ are isomorphic. This means it does not depend on which polynomial $f$ we take. Different $f$s give different representations of the same thing. Let $f(x)$ and $g(y)$ be irreducible polynomials of degree $n$. Then there are polynomials $r(x)$ and $s(y)$ such that one can map one field into the other via
$$x \pmod{f(x)} \longmapsto s(y) \pmod{g(y)}, \qquad y \pmod{g(y)} \longmapsto r(x) \pmod{f(x)}.$$

This means we can select the best irreducible polynomial $f$ for our own implementation. The mapping $s(y)$ is required only when talking to someone else's implementation which uses $g(y)$ instead.

Slide 31

Primitive Polynomials

Let $f(X)$ be an irreducible binary polynomial of degree $n$. Let $\alpha$ denote a root of $f(X)$, i.e. $\mathbb{F}_{2^n} = \mathbb{F}_2[\alpha]$. Such an $f(X)$ is called primitive if $\alpha$ generates $\mathbb{F}_{2^n}^*$, i.e. as a set
$$\mathbb{F}_{2^n}^* = \{\alpha^i : i = 0, \ldots, 2^n - 2\}.$$

Slide 32

Primitive Polynomials

The number of primitive polynomials of degree $n$ is
$$\varphi(2^n - 1) / n.$$
Hence there are a lot:

     n   number of primitive polynomials
     4          2
     5          6
     6          6
    14        756
    15       1800
    16       2048
    20      24000
    21      84672
    22     120032

Slide 33

Of additional interest is the following field of degree 8. It is used in Rijndael and some error correcting code systems. Identify bytes (8 bits) with elements of the field of degree 8. The defining polynomial $f$ is given by
$$f = x^8 + x^4 + x^3 + x + 1.$$
Write numbers in base 16 to represent the elements: $\mathtt{0x01} \leftrightarrow 1$, $\mathtt{0x02} \leftrightarrow x$, $\mathtt{0x03} \leftrightarrow x + 1$, $\mathtt{0x05} \leftrightarrow x^2 + 1$, etc.

Slide 34
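As an added example (not part of the slides), the following Python code implements $\mathbb{F}_{2^n} = \mathbb{F}_2[x]/(f)$ arithmetic as described on slides 26 to 30, with binary polynomials stored as integers (bit $i$ is the coefficient of $x^i$, so `0b001101` is $x^3 + x^2 + 1$). It reproduces the $a \oplus b$, $a \otimes b$ and $a^{-1}$ computations of slides 28 to 30, adds the primitivity test of slide 32 (order of the root $x$ modulo $f$), counts primitive polynomials by exhaustive search to compare with the formula on slide 33, and runs the same code on the Rijndael field of slide 34. Function and constant names are this example's own.

```python
# Added example, not from the slides: arithmetic in F_{2^n} = F_2[x]/(f) as
# on slides 28-30, with binary polynomials stored as Python ints (bit i is
# the coefficient of x^i, so 0b001101 is x^3 + x^2 + 1), the primitivity
# test of slides 32-33 and the Rijndael field of slide 34. Function and
# constant names are this example's own.


def gf2_add(a, b):
    """Addition is coefficient-wise mod 2, i.e. exclusive-or (slide 28)."""
    return a ^ b


def gf2_mod(a, f):
    """Reduce a modulo f by cancelling its leading term with a shifted copy
    of f until deg a < deg f: the rewriting x^6 = x + 1 of slide 29."""
    deg_f = f.bit_length() - 1
    while a.bit_length() - 1 >= deg_f:
        a ^= f << (a.bit_length() - 1 - deg_f)
    return a


def gf2_mul(a, b, f):
    """Carry-less (XOR-accumulating) multiplication, then reduction mod f."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        b >>= 1
    return gf2_mod(product, f)


def gf2_inv(a, f):
    """Binary-polynomial extended Euclid (slide 30): find u with
    u*a + v*f = 1; v is not tracked because only u is needed."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1 = f, a
    u0, u1 = 0, 1            # invariant: r_i = u_i * a  (mod f)
    while r1 != 1:
        if r1 == 0:
            raise ValueError("a and f are not coprime, so f is reducible")
        shift = r0.bit_length() - r1.bit_length()
        if shift < 0:        # keep r0 as the remainder of higher degree
            r0, r1, u0, u1 = r1, r0, u1, u0
            continue
        r0 ^= r1 << shift    # one division step: cancel the top term of r0
        u0 ^= u1 << shift
    return gf2_mod(u1, f)


def mult_order_of_x(f):
    """Order of x in F_2[x]/(f): smallest t > 0 with x^t = 1 (mod f)."""
    n = f.bit_length() - 1
    t, power = 1, 2          # the int 2 encodes the polynomial x
    while power != 1:
        power = gf2_mul(power, 2, f)
        t += 1
        if t > (1 << n):     # a unit's order is at most 2^n - 1
            raise ValueError("x is not a unit modulo f")
    return t


def is_primitive(f):
    """Slide 32: f is primitive iff its root alpha (here x itself)
    generates the multiplicative group, i.e. has order 2^n - 1. Reducible
    f never pass, since their unit group is smaller than 2^n - 1."""
    n = f.bit_length() - 1
    try:
        return mult_order_of_x(f) == (1 << n) - 1
    except ValueError:
        return False


def count_primitive(n):
    """Exhaustive count over all degree-n binary polynomials, to be checked
    against the closed form phi(2^n - 1)/n of slide 33."""
    return sum(1 for f in range(1 << n, 1 << (n + 1)) if is_primitive(f))


# Constants for the worked examples: the slide-28 field and the AES field.
F6 = 0b1000011    # x^6 + x + 1
AES_POLY = 0x11b  # x^8 + x^4 + x^3 + x + 1
```

With these definitions `gf2_mul(0b001101, 0b101011, F6)` is `0b010110` and `gf2_inv(0b001101, F6)` is `0b101000`, matching slides 29 and 30. The AES polynomial is irreducible but not primitive: $x$ has order 51 in that field, so `is_primitive(AES_POLY)` is false even though every non-zero byte still has an inverse, e.g. `gf2_inv(0x53, AES_POLY)` is `0xCA`.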

Consider $N = 15 = 3 \cdot 5$, then we can represent every element $a$ of $\mathbb{Z}/N\mathbb{Z}$ by its coordinates $(a \pmod 3, a \pmod 5)$. This leads to the following table (rows: $a \pmod 3$; columns: $a \pmod 5$; entries: $a$):

             0     1     2     3     4
      0      0     6    12     3     9
      1     10     1     7    13     4
      2      5    11     2     8    14

Note that all elements in $\mathbb{Z}/N\mathbb{Z}$ have different coordinates, i.e. given $(a_1, a_2)$ with $0 \le a_1 < 3$ and $0 \le a_2 < 5$ we can reconstruct $a$.

Slide 35

Consider $N = 24 = 4 \cdot 6$, then we can represent every element $a$ of $\mathbb{Z}/N\mathbb{Z}$ by its coordinates $(a \pmod 4, a \pmod 6)$. This leads to the following table (rows: $a \pmod 4$; columns: $a \pmod 6$; an entry $a/a'$ means both $a$ and $a'$ have these coordinates, and empty cells are coordinate pairs that no $a$ takes):

              0       1       2       3       4       5
      0     0/12            8/20            4/16
      1            1/13            9/21            5/17
      2     6/18            2/14           10/22
      3            7/19            3/15           11/23

Therefore, given $(a_1, a_2)$ with $0 \le a_1 < 4$ and $0 \le a_2 < 6$ we cannot uniquely reconstruct $a$.

Slide 36

The previous examples indicate that if $N = m_1 \cdot m_2$ with $\gcd(m_1, m_2) = 1$, we can replace computing modulo $N$ by computing modulo $m_1$ and modulo $m_2$, i.e.
$$\mathbb{Z}/N\mathbb{Z} \cong \mathbb{Z}/m_1\mathbb{Z} \times \mathbb{Z}/m_2\mathbb{Z} \quad\text{iff}\quad \gcd(m_1, m_2) = 1.$$

If $N = m_1 \cdot m_2$ then it is very easy to compute the coordinates of $a \in \mathbb{Z}/N\mathbb{Z}$, since these are simply $(a \pmod{m_1}, a \pmod{m_2})$. However, given the coordinates $(a_1, a_2)$ with $0 \le a_1 < m_1$ and $0 \le a_2 < m_2$, how do we compute the corresponding $a$?

Slide 37

We can reformulate our reconstruction problem as: Given $N = m_1 \cdot m_2$ with $\gcd(m_1, m_2) = 1$, compute $x \in \mathbb{Z}/N\mathbb{Z}$ with $x \equiv a_1 \pmod{m_1}$ and $x \equiv a_2 \pmod{m_2}$.

Example: If $x \equiv 4 \pmod 7$ and $x \equiv 3 \pmod 5$ then $x \equiv 18 \pmod{35}$.

Slide 38

CRT - Example

We want to find $x \in \mathbb{Z}/N\mathbb{Z}$ with $N = 35$ such that $x \equiv 4 \pmod 7$ and $x \equiv 3 \pmod 5$.

Write $x = 4 + 7u$, so that the first congruence holds for every $u$. Therefore, $u$ is given by the solution of
$$7u \equiv 3 - 4 \equiv 4 \pmod 5, \quad\text{i.e.}\quad 2u \equiv 4 \pmod 5.$$
Hence we can compute $u$ as $u \equiv 4/2 \equiv 2 \pmod 5$.

But then $x \equiv 4 + 7u \equiv 4 + 7 \cdot 2 \equiv 18 \pmod{35}$.

Slide 39

Let $m_1, \ldots, m_r$ be pairwise relatively prime and let $a_1, \ldots, a_r$ be integers. We want to find $x$ modulo $M = m_1 m_2 \cdots m_r$ such that $x \equiv a_i \pmod{m_i}$ for all $i$.
$$x = \sum_{i=1}^{r} a_i M_i y_i \pmod M$$
with $M_i = M/m_i$ and $y_i = M_i^{-1} \pmod{m_i}$. Note that $M_i \equiv 0 \pmod{m_j}$ for $j \ne i$ and that $M_i y_i \equiv 1 \pmod{m_i}$.

Slide 40

We want to find the unique $x$ modulo $M = 1001 = 7 \cdot 11 \cdot 13$ such that $x \equiv 5 \pmod 7$, $x \equiv 3 \pmod{11}$ and $x \equiv 10 \pmod{13}$, using
$$x = \sum_{i=1}^{r} a_i M_i y_i \pmod M.$$

Slide 41
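As an added example (not part of the slides), the general reconstruction of slide 40 in Python: `crt` builds $x = \sum_i a_i M_i y_i \pmod M$, refusing moduli that are not pairwise coprime since slide 36 shows the coordinates are then ambiguous, `coordinates` is the easy direction of slide 37, and `preimages` tabulates which $a$ share coordinates, reproducing the collisions of the $N = 24 = 4 \cdot 6$ table. Function names are this example's own; the inverse $y_i$ is taken with Python's built-in `pow(M_i, -1, m_i)`.

```python
# Added example, not from the slides: the CRT reconstruction of slide 40
# with the coprimality check of slide 36. Function names are this example's own.
from math import gcd, prod


def crt(residues, moduli):
    """Unique x modulo M = m_1 ... m_r with x = a_i (mod m_i) for all i.

    M_i = M / m_i vanishes modulo every m_j with j != i, and y_i = M_i^{-1}
    (mod m_i) makes M_i y_i = 1 (mod m_i), so each term fixes one coordinate
    without disturbing the others. Raises ValueError if the moduli are not
    pairwise coprime (slide 36: then the coordinates do not determine x).
    """
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli %d and %d are not coprime"
                                 % (moduli[i], moduli[j]))
    M = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        y_i = pow(M_i, -1, m_i)       # exists because gcd(M_i, m_i) = 1
        x += a_i * M_i * y_i
    return x % M


def coordinates(a, moduli):
    """The easy direction (slide 37): a -> (a mod m_1, ..., a mod m_r)."""
    return [a % m for m in moduli]


def preimages(N, moduli):
    """Map each coordinate tuple to the list of a in Z/NZ that produce it.
    With coprime moduli every tuple has exactly one preimage; for the
    N = 24 = 4 * 6 table of slide 36 pairs such as 0/12 share (0, 0) and
    half of the 24 possible tuples are never hit."""
    table = {}
    for a in range(N):
        table.setdefault(tuple(coordinates(a, moduli)), []).append(a)
    return table
```

For the slide 41 instance, `crt([5, 3, 10], [7, 11, 13])` returns 894; a round trip `crt(coordinates(a, [3, 5]), [3, 5]) == a` holds for every $a$ in $\mathbb{Z}/15\mathbb{Z}$, whereas `preimages(24, [4, 6])` has only 12 keys, each with two preimages.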

Let $N = 55 = 5 \cdot 11$ and suppose we want to compute $27^{37} \pmod N$. This can be done in a number of ways:

- Really stupid: using 36 multiplications modulo 55,
$$\big(((27 \cdot 27) \pmod N) \cdot 27 \pmod N\big) \cdots 27 \pmod N.$$
- Rather intelligent: using 5 squarings and 2 multiplications modulo 5 and modulo 11, and CRT to combine both results.
- Really intelligent: using Lagrange's theorem, a few multiplications modulo 5 and 11, and CRT to combine both results. The next slide explains this method in general.

Slide 42

Modular Exponentiation

Suppose we want to compute $y = x^d \pmod N$ where $N = p \cdot q$. We know by Lagrange's Theorem that $x^{p-1} = 1 \pmod p$ and $x^{q-1} = 1 \pmod q$ (for $x$ coprime to $p$ and $q$). So we first compute
$$d_p = d \pmod{p-1} \quad\text{and}\quad d_q = d \pmod{q-1},$$
then
$$y_p = x^{d_p} \pmod p = x^d \pmod p \quad\text{and}\quad y_q = x^{d_q} \pmod q = x^d \pmod q,$$
and finally recover $y \pmod N$ from $y_p$ and $y_q$ via CRT.

Slide 43
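As an added example (not part of the slides), the following Python code runs the three approaches of slide 42 on $27^{37} \pmod{55}$ and the general method of slide 43, counting the modular multiplications and squarings each performs so the "36 multiplications" and "5 squarings and 2 multiplications" figures can be checked. The two-modulus CRT step is the substitution $x = a_1 + m_1 u$ of slide 39 rather than the general sum; function names are this example's own.

```python
# Added example, not from the slides: the exponentiation strategies of
# slides 42-43 with operation counts. Function names are this example's own.
from math import gcd


def naive_power(x, d, n):
    """x^d mod n by d-1 successive multiplications. Returns (result, #mults)."""
    result, mults = x % n, 0
    for _ in range(d - 1):
        result = (result * x) % n
        mults += 1
    return result, mults


def square_and_multiply(x, d, n):
    """Left-to-right binary exponentiation.
    Returns (result, #squarings, #multiplications); the leading 1 bit of d
    costs nothing, every further bit costs a squaring and a 1 bit a multiply."""
    if d == 0:
        return 1 % n, 0, 0
    bits = bin(d)[3:]                 # drop '0b' and the leading 1 bit
    result, squarings, mults = x % n, 0, 0
    for bit in bits:
        result = (result * result) % n
        squarings += 1
        if bit == "1":
            result = (result * x) % n
            mults += 1
    return result, squarings, mults


def crt_pair(a1, m1, a2, m2):
    """x = a1 (mod m1), x = a2 (mod m2) for coprime m1, m2 (slide 39 method):
    x = a1 + m1*u with u = (a2 - a1) / m1 (mod m2)."""
    u = ((a2 - a1) * pow(m1, -1, m2)) % m2
    return a1 + m1 * u


def power_via_crt(x, d, p, q):
    """Slide 42, 'rather intelligent': exponentiate modulo each prime, then
    recombine. Returns (result, #squarings, #multiplications)."""
    y_p, s_p, m_p = square_and_multiply(x % p, d, p)
    y_q, s_q, m_q = square_and_multiply(x % q, d, q)
    return crt_pair(y_p, p, y_q, q), s_p + s_q, m_p + m_q


def power_via_lagrange(x, d, p, q):
    """Slide 43: reduce the exponent modulo p-1 and q-1 first, which is valid
    because x^(p-1) = 1 (mod p) for gcd(x, p) = 1, then exponentiate and
    recombine. Returns (result, #squarings, #multiplications)."""
    if gcd(x, p * q) != 1:
        raise ValueError("exponent reduction needs gcd(x, N) = 1")
    d_p, d_q = d % (p - 1), d % (q - 1)
    y_p, s_p, m_p = square_and_multiply(x % p, d_p, p)
    y_q, s_q, m_q = square_and_multiply(x % q, d_q, q)
    return crt_pair(y_p, p, y_q, q), s_p + s_q, m_p + m_q
```

All four routes give 47; the naive loop spends 36 multiplications, square-and-multiply spends 5 squarings and 2 multiplications as slide 42 states, and the Lagrange route reduces $37$ to $1 \pmod 4$ and $7 \pmod{10}$, leaving 2 squarings and 2 multiplications in total.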

One-way Functions

A function $f : X \to Y$, $x \mapsto y = f(x)$, is a one-way function iff for all $x \in X$ it is very easy, i.e. efficient, to compute $f(x)$, and for almost all $y \in Y$, finding an $x \in X$ with $f(x) = y$ is computationally infeasible. A trapdoor one-way function is a one-way function $f : X \to Y$ such that, given some extra information called the trapdoor information, it is easy to invert $f$, i.e. given $y \in Y$ it is easy to find $x \in X$ such that $f(x) = y$. We get one-way permutations / trapdoor one-way permutations if we have $X = Y$ and $f$ is a bijection.

Slide 44

One-way Functions

Multiplication: Given primes $p$ and $q$, compute $N = p \cdot q$. This is very easy to compute, since we just multiply $p$ and $q$. The inverse problem, given $N$ find $p$ and $q$, is called factoring.

Modular exponentiation: Given $N$ and an element $a \in \mathbb{Z}/N\mathbb{Z}$, compute $b \equiv a^m \pmod N$. This can be computed efficiently using square and multiply. The inverse problem, given $N$ and $a, b \in \mathbb{Z}/N\mathbb{Z}$ find $m$ such that $b \equiv a^m \pmod N$, is called the discrete logarithm problem.

Slide 45

Factoring Numbers

The complexity of most algorithms can be expressed in terms of
$$L_N(\alpha, \beta) = \exp\big((\beta + o(1)) (\log N)^{\alpha} (\log\log N)^{1-\alpha}\big).$$

- Trial Division: Complexity $= L_N(1, 1/2 + \epsilon)$, i.e. exponential. Try every number up to $\sqrt N$.
- Elliptic Curve Method: Complexity $= L_p(1/2, c)$, i.e. sub-exponential. Good if $N$ has a prime factor $p$ with $p < 2^{50}$.
- Quadratic Sieve: Complexity $= L_N(1/2, 1)$, i.e. sub-exponential. Faster for $N$ less than $10^{110} \approx 2^{365}$.
- Number Field Sieve: Complexity $= L_N(1/3, 1.923)$, i.e. sub-exponential. Best known method, can factor $N \approx 10^{158} \approx 2^{525}$.
- Multiplication: Complexity $= L_N(0, 2)$, i.e. polynomial.

Slide 46

1 MIPSY = # operations of a DEC VAX 11/780 running for 1 year.

    year    # digits
    1964      20
    1974      45
    1984      71
    1989     105
    1992     110
    1994     129
    1996     130
    1999     145
    1999     155
    2002     158

# operations, in the order listed on the slide (two of the ten rows carry no entry): 0.001 MIPSY, 0.1 MIPSY, 75 MIPSY, 5000 MIPSY, 1000 MIPSY, 2000 MIPSY, 8400 MIPSY, 7000 MIPSY.

Slide 47

Suppose you are given $N$ but not $p, q$ such that $N = p \cdot q$.

- FACTORING: Find $p$ and $q$.
- RSAP: Given $c \in \mathbb{Z}/N\mathbb{Z}$ and an integer $e$ with $\gcd(e, (p-1)(q-1)) = 1$, find $m$ such that $m^e \equiv c \pmod N$.
- SQROOT: Given $a$ such that $a \equiv x^2 \pmod N$, find $x$.
- QUADRES: Given $a$, determine whether $a \equiv x^2 \pmod N$ for some $x$.

Later we will prove that
$$\text{QUADRES} \le_P \text{SQROOT} \le_P \text{FACTORING}, \qquad \text{RSAP} \le_P \text{FACTORING}.$$

Slide 48

Let $(G, \cdot)$ be an abelian group. Discrete Logarithm Problem: Given $g, h \in G$, find an $x$ (if it exists) such that $g^x = h$. The difficulty of this problem depends on the group $G$:

- Very easy: polynomial time algorithm, e.g. $(\mathbb{Z}/N\mathbb{Z}, +)$.
- Rather hard: sub-exponential time algorithm, e.g. $(GF(p)^*, \cdot)$.
- Very hard: exponential time algorithm, e.g. elliptic curve groups.

Slide 49

Given an abelian group $(G, \cdot)$ and $g \in G$.

- DLP: Given $h \in G$ such that $h = g^x$, find $x$.
- DHP: Given $a = g^x$ and $b = g^y$, find $c = g^{xy}$.
- DDH: Given $a = g^x$, $b = g^y$ and $c = g^z$, determine if $z = xy$.

Later we will prove that: If we can solve DLP then we can solve DHP. If we can solve DHP then we can solve DDH.

Slide 50

Reductions

We will reduce one hard problem to another, which will allow us to compare the relative difficulty of the two problems, i.e. we can say "Problem A is no harder than Problem B". Let A and B be two computational problems. Then A is said to polytime reduce to B, written $A \le_P B$, if there is an algorithm which solves A using an algorithm which solves B, and this algorithm runs in polynomial time if the algorithm for B does. Assume we have an oracle (or efficient algorithm) to solve problem B. We then use this oracle to give an efficient algorithm for problem A.

Slide 51

Here we show how to reduce DHP to DLP, i.e. we give an efficient algorithm for solving the DHP given an oracle for the DLP. Given $g^x$ and $g^y$ we wish to find $g^{xy}$. First compute $y = \text{DLP}(g^y)$ using the oracle. Then compute $(g^x)^y = g^{xy}$. So DHP is no harder than DLP, i.e. $\text{DHP} \le_P \text{DLP}$. Remark: in some groups you can show that DHP is equivalent to DLP.

Slide 52

Here we show how to reduce DDH to DHP, i.e. we give an efficient algorithm for solving the DDH given an oracle for the DHP. Given elements $g^x$, $g^y$ and $g^z$, determine if $z = x \cdot y$. Using the oracle to solve DHP, compute $g^{xy} = \text{DHP}(g^x, g^y)$. Then check whether $g^{xy} = g^z$. So DDH is no harder than DHP, i.e. $\text{DDH} \le_P \text{DHP}$. Remark: in some groups you can show that DDH is probably easier than DHP.

Slide 53

Here we show how to reduce SQROOT to FACTORING, i.e. we give an efficient algorithm for solving SQROOT given an oracle for FACTORING. Given $z = x^2 \pmod N$ we wish to compute $x$.

Using the oracle for FACTORING, find the prime factors $p_i$ of $N$. Compute $\sqrt z \pmod{p_i}$ (this can be done in polynomial time). Recover $\sqrt z \pmod N$ using CRT on the data $\sqrt z \pmod{p_i}$. One has to be a little careful if powers of $p_i$ greater than one divide $N$. So computing square roots modulo $N$ is no harder than factoring: $\text{SQROOT} \le_P \text{FACTORING}$.

Slide 54

Here we show how to reduce FACTORING to SQROOT, i.e. we give an efficient algorithm for FACTORING given an oracle for SQROOT. Given $N = p \cdot q$ we wish to compute $p$ and $q$. Compute $z = x^2 \pmod N$ for a random $x \in (\mathbb{Z}/N\mathbb{Z})^*$. Compute $y = \sqrt z \pmod N$ using the oracle for SQROOT.

There are four possible square roots, since there are two factors. With fifty percent probability we have $y \ne \pm x \pmod N$.

Factor $N$ by computing $\gcd(x - y, N)$: since $x^2 \equiv y^2 \pmod N$ we have $N \mid (x - y)(x + y)$, while $N$ divides neither factor when $y \ne \pm x$, so the gcd is $p$ or $q$. So factoring is no harder than computing square roots modulo $N$: $\text{FACTORING} \le_P \text{SQROOT}$.

Slide 55

Summarizing the result of the previous two slides: $\text{FACTORING} \le_P \text{SQROOT}$ and $\text{SQROOT} \le_P \text{FACTORING}$. So FACTORING and SQROOT are computationally equivalent: $\text{SQROOT} =_P \text{FACTORING}$.

Slide 56

Here we show how to reduce RSAP to FACTORING, i.e. we give an efficient algorithm for solving RSAP given an oracle for FACTORING. Given $c = m^e \pmod N$ and the integer $e$, find $m$. Find the factorization of $N = p \cdot q$ using the oracle. Compute $\varphi(N)$ as $\varphi(N) = (p-1) \cdot (q-1)$. Using the XGCD compute $d = 1/e \pmod{\varphi(N)}$. Finally, recover $m = c^d \pmod N$.

So the RSA problem is no harder than factoring, i.e. $\text{RSAP} \le_P \text{FACTORING}$. There is some evidence (although slight) that it might be easier.

Slide 57
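As an added example (not part of the slides), the following Python code runs the reductions of slides 54, 55 and 57 end to end against simulated oracles. The oracles are built from the secret factors, which the reduction code itself never reads. Everything concrete here is an assumption made for the example only: the primes 1019 and 1031 (both $\equiv 3 \pmod 4$, so that a square root modulo $p$ can be taken as $z^{(p+1)/4}$, a shortcut the slides do not state), the RSA exponent 17, the message 123456, and all function names.

```python
# Added example, not from the slides: the reductions of slides 54, 55 and 57
# run end to end against simulated oracles. The oracles are built from the
# secret factors, which the reduction itself never looks at. Assumed for
# this example only: the primes 1019 and 1031 (both 3 mod 4, so a square
# root mod p is z^((p+1)/4)), the RSA exponent 17 and the message 123456.
import random
from math import gcd

P, Q = 1019, 1031
N = P * Q            # 1050589


def crt_pair(a1, m1, a2, m2):
    """x = a1 (mod m1), x = a2 (mod m2) for coprime m1, m2 (slide 39)."""
    u = ((a2 - a1) * pow(m1, -1, m2)) % m2
    return a1 + m1 * u


def sqrt_mod_prime(z, p):
    """A square root of the quadratic residue z modulo a prime p = 3 (mod 4)."""
    r = pow(z, (p + 1) // 4, p)
    if r * r % p != z % p:
        raise ValueError("z is not a square modulo p")
    return r


def sqroot_given_factors(z, p, q):
    """Slide 54, SQROOT <=_P FACTORING: with p and q known, take a root
    modulo each prime and glue the sign choices together with the CRT.
    Returns all four square roots of z modulo p*q, sorted."""
    rp, rq = sqrt_mod_prime(z, p), sqrt_mod_prime(z, q)
    return sorted({crt_pair(sp, p, sq, q) for sp in (rp, p - rp)
                   for sq in (rq, q - rq)})


def sqroot_oracle(z):
    """Simulated SQROOT oracle for N: answers with one fixed root of z.
    Which of the four it returns does not depend on how z was produced."""
    return sqroot_given_factors(z, P, Q)[0]


def factor_with_sqroot_oracle(n, oracle, rng, max_tries=64):
    """Slide 55, FACTORING <=_P SQROOT: square a random unit x, ask the
    oracle for a root y of x^2. With probability 1/2, y is neither x nor
    -x; then n | (x - y)(x + y) while n divides neither factor, so
    gcd(x - y, n) is a proper factor. Retries until that happens."""
    for _ in range(max_tries):
        x = rng.randrange(2, n - 1)
        d = gcd(x, n)
        if d != 1:                       # x was not a unit: already a factor
            return sorted((d, n // d))
        y = oracle(x * x % n)
        if y not in (x, n - x):
            d = gcd(x - y, n)
            return sorted((d, n // d))
    raise RuntimeError("oracle returned +/-x every time")


def rsap_given_factors(c, e, p, q):
    """Slide 57, RSAP <=_P FACTORING: phi(N) = (p-1)(q-1), d = e^{-1} mod
    phi(N) (pow with exponent -1 is Python's built-in XGCD), m = c^d mod N."""
    phi_n = (p - 1) * (q - 1)
    d = pow(e, -1, phi_n)
    return pow(c, d, p * q)


def demo_factor(seed=1):
    """Run the factoring reduction against the simulated oracle."""
    return factor_with_sqroot_oracle(N, sqroot_oracle, random.Random(seed))
```

The point of `sqroot_oracle` returning a fixed root is what makes the slide 55 argument work: the attacker's $x$ is chosen after the oracle's behaviour is fixed, so the root handed back agrees with $\pm x$ only half the time, and `demo_factor()` recovers `[1019, 1031]` after a couple of queries on average. The same pattern is why a real system that leaks square roots modulo $N$ (or decrypts arbitrary Rabin ciphertexts) leaks its factorization.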
