
COMS30002 : Mathematical Interlude

Elisabeth Oswald, Nigel Smart and Martijn Stam


Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom.

September 5, 2011

Elisabeth Oswald, Nigel Smart and Martijn Stam COMS30002 : Mathematical Interlude

Slide 1

Outline


Slide 2

A Quiz
The purpose is for you and me to find out what you already know about basic number theory. Work with your neighbour(s) and discuss answers to the following questions:
The factorisation problem is hard for all numbers. True or false?
What is 16023843203210 mod 16023843203209?
The xgcd is a new X server. True or false?
What is the greatest common divisor of two numbers?
The modular inverse of a number is a real number. True or false?

Slide 3

Modular Arithmetic
Modular arithmetic is fundamental to modern public key cryptosystems. Given integers $a, b, N \in \mathbb{Z}$ we say that $a$ is congruent to $b$ modulo $N$, written
$$a \equiv b \pmod N,$$
iff $N$ divides $b - a$.

Often we are lazy and just write $a \equiv b$ if it is clear we are working modulo $N$. The modulo operator is like the C operator %. Example: $16 \equiv 1 \pmod 5$ since $16 - 1 = 3 \cdot 5$.

Slide 4

Modular Arithmetic
For convenience we define the set $\mathbb{Z}/N\mathbb{Z} = \{0, \ldots, N-1\}$, which is the set of remainders modulo $N$. Note: some authors use $\mathbb{Z}_N = \mathbb{Z}/N\mathbb{Z}$. It is clear that given $N$, every integer $a \in \mathbb{Z}$ is congruent modulo $N$ to an element in the set $\mathbb{Z}/N\mathbb{Z}$, since we can write $a = q \cdot N + r$ with $0 \le r < N$, and clearly $a \equiv r \pmod N$.

Slide 5

Modular Arithmetic
The set $\mathbb{Z}/N\mathbb{Z}$ has two operations defined on it.

Addition
Ex. $(11 + 13) \pmod{16} \equiv 24 \pmod{16} \equiv 8 \pmod{16}$.

Multiplication
Ex. $(11 \cdot 13) \pmod{16} \equiv 143 \pmod{16} \equiv 15 \pmod{16}$.

Theorems: Given integers $a, b \in \mathbb{Z}$ we have
$$(a + b) \pmod N \equiv [(a \pmod N) + (b \pmod N)] \pmod N,$$
$$(a - b) \pmod N \equiv [(a \pmod N) - (b \pmod N)] \pmod N,$$
$$(a \cdot b) \pmod N \equiv [(a \pmod N) \cdot (b \pmod N)] \pmod N.$$

Slide 6

Multiplicative Inverse
The multiplicative inverse of $a \in \mathbb{Z}/N\mathbb{Z}$ is an element $b \in \mathbb{Z}/N\mathbb{Z}$ with $a \cdot b \equiv b \cdot a \equiv 1$. We often write $b = a^{-1}$.
Theorem: $a \in \mathbb{Z}/N\mathbb{Z}$ has a unique inverse modulo $N$ iff $a$ and $N$ are relatively prime, i.e. $\gcd(a, N) = 1$.
If $p$ is a prime then every non-zero element in $\mathbb{Z}/p\mathbb{Z}$ has an inverse.
Note $1/3 \pmod 5 = 2$; it does not equal $0.3333\ldots$

Decimals should never exist

Slide 7

Multiplicative Inverse - Examples

Consider $\mathbb{Z}/N\mathbb{Z}$ with $N = 10$, then $3$ has a multiplicative inverse, since $\gcd(3, 10) = 1$.
Indeed, $3 \cdot 7 \equiv 21 \equiv 1 \pmod{10}$.

$5$ has no multiplicative inverse, since $\gcd(5, 10) = 5$.

Indeed, we have the following table:

  $0 \cdot 5 \equiv 0 \pmod{10}$    $5 \cdot 5 \equiv 5 \pmod{10}$
  $1 \cdot 5 \equiv 5 \pmod{10}$    $6 \cdot 5 \equiv 0 \pmod{10}$
  $2 \cdot 5 \equiv 0 \pmod{10}$    $7 \cdot 5 \equiv 5 \pmod{10}$
  $3 \cdot 5 \equiv 5 \pmod{10}$    $8 \cdot 5 \equiv 0 \pmod{10}$
  $4 \cdot 5 \equiv 0 \pmod{10}$    $9 \cdot 5 \equiv 5 \pmod{10}$

No multiple of $5$ is ever congruent to $1$ modulo $10$.

Slide 8

Greatest Common Divisor (GCD)


We need a method to determine when $a \in \mathbb{Z}/N\mathbb{Z}$ has a multiplicative inverse and to compute it when it does. We know this happens iff $\gcd(a, N) = 1$. Therefore we need to compute the GCD of two integers $a, b \in \mathbb{Z}$. This is easy if we know the prime factorization of $a$ and $b$, since
$$a = \prod p_i^{\alpha_i} \quad \text{and} \quad b = \prod p_i^{\beta_i} \quad \Rightarrow \quad d = \gcd(a, b) = \prod p_i^{\min(\alpha_i, \beta_i)}.$$

However, factoring is a very expensive operation, so we cannot use the above formula. A much faster algorithm to compute GCDs is Euclid's algorithm.

Slide 9

GCD - Euclidean Algorithm


To compute the GCD of $r_0 = a$ and $r_1 = b$ we compute
$$r_0 = q_1 r_1 + r_2,$$
$$r_1 = q_2 r_2 + r_3,$$
$$\vdots$$
$$r_{m-2} = q_{m-1} r_{m-1} + r_m,$$
$$r_{m-1} = q_m r_m.$$

If $d$ divides $a$ and $b$ then $d$ divides $r_2, r_3, r_4$ and so on. Therefore
$$\gcd(a, b) = \gcd(r_0, r_1) = \gcd(r_1, r_2) = \cdots = \gcd(r_{m-1}, r_m) = r_m.$$

Slide 10

GCD - Euclidean Algorithm - Example


As an example of this algorithm we want to show that $3 = \gcd(21, 12)$. Using the Euclidean algorithm we compute $\gcd(21, 12)$ as
$$\gcd(21, 12) = \gcd(21 \pmod{12}, 12) = \gcd(9, 12)$$
$$= \gcd(12 \pmod 9, 9) = \gcd(3, 9)$$
$$= \gcd(9 \pmod 3, 3) = \gcd(0, 3) = 3.$$

Slide 11

GCD - Extended Euclidean Algorithm


Using the Euclidean algorithm, we can determine when $a$ has an inverse modulo $N$, i.e. iff $\gcd(a, N) = 1$. But we do not know yet how to compute the inverse. Solution: use an extended version of the Euclidean algorithm. Recall that during the Euclidean algorithm we had
$$r_{i-2} = q_{i-1} r_{i-1} + r_i$$
and finally $r_m = \gcd(r_0, r_1)$. Now we unwind the above and write each $r_i$, $i \ge 2$, in terms of $a$ and $b$.

Slide 12

GCD - Extended Euclidean Algorithm


Unwinding the various steps in the Euclidean algorithm gives:
$$r_2 = r_0 - q_1 r_1 = a - q_1 b,$$
$$r_3 = r_1 - q_2 r_2 = b - q_2 (a - q_1 b) = -q_2 a + (1 + q_1 q_2) b,$$
$$\vdots$$
$$r_{i-2} = s_{i-2} a + t_{i-2} b,$$
$$r_{i-1} = s_{i-1} a + t_{i-1} b,$$
$$r_i = r_{i-2} - q_{i-1} r_{i-1} = a (s_{i-2} - q_{i-1} s_{i-1}) + b (t_{i-2} - q_{i-1} t_{i-1}),$$
$$\vdots$$
$$r_m = s_m a + t_m b.$$
The XGCD takes as input $a$ and $b$ and outputs $s_m, t_m, r_m$ such that $r_m = \gcd(a, b) = s_m a + t_m b$.
Slide 13

XGCD - Multiplicative Inverse


Given $a, N \in \mathbb{Z}$ we can compute $d, x, y$ using XGCD such that $d = \gcd(a, N) = x \cdot a + y \cdot N$. Considering the above equation modulo $N$ we get
$$d \equiv x \cdot a + y \cdot N \equiv x \cdot a \pmod N.$$

Thus if $d = 1$ then $a$ has a multiplicative inverse given by $a^{-1} \equiv x \pmod N$.

Remark: the more general equation $a \cdot x \equiv b \pmod N$ has precisely $d = \gcd(a, N)$ solutions iff $d$ divides $b$.

Slide 14
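The Euclidean algorithm, its extended version and the inverse obtained from it, as described on slides 10 to 14, written out as an added example (this is not code from the slides); the last function also enumerates the $d = \gcd(a, N)$ solutions of $a \cdot x \equiv b \pmod N$ from the remark above.

```python
# Added example: Euclid, XGCD and the modular inverse, following the
# r_{i-2} = q_{i-1} r_{i-1} + r_i recurrence of slides 10-14.


def euclid_gcd(a: int, b: int) -> int:
    """Plain Euclidean algorithm: gcd(r0, r1) = gcd(r1, r2) = ... = r_m."""
    r0, r1 = abs(a), abs(b)
    while r1 != 0:
        r0, r1 = r1, r0 % r1        # r_{i-2} = q r_{i-1} + r_i
    return r0


def xgcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: returns (d, s, t) with d = gcd(a, b) = s*a + t*b.

    Instead of unwinding at the end, the coefficients with r_i = s_i*a + t_i*b
    are carried forward at every step using
    s_i = s_{i-2} - q_{i-1} s_{i-1}  and  t_i = t_{i-2} - q_{i-1} t_{i-1}.
    """
    r0, r1 = a, b
    s0, s1 = 1, 0                   # r0 = 1*a + 0*b
    t0, t1 = 0, 1                   # r1 = 0*a + 1*b
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    if r0 < 0:                      # normalise so that d > 0
        r0, s0, t0 = -r0, -s0, -t0
    return r0, s0, t0


def mod_inverse(a: int, n: int) -> int:
    """a^{-1} mod n (slide 14); raises ValueError when gcd(a, n) != 1."""
    d, x, _ = xgcd(a % n, n)        # d = x*a + y*n, so d = x*a (mod n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {d}")
    return x % n


def solve_linear_congruence(a: int, b: int, n: int) -> list[int]:
    """All x in Z/nZ with a*x = b (mod n).

    With d = gcd(a, n) there are exactly d solutions when d divides b and
    none otherwise: divide through by d, invert a/d modulo n/d, then step
    by n/d to enumerate the d solutions.
    """
    d = euclid_gcd(a, n)
    if b % d != 0:
        return []
    n_d = n // d
    x0 = (b // d) * mod_inverse(a // d, n_d) % n_d
    return [x0 + k * n_d for k in range(d)]


if __name__ == "__main__":
    print(euclid_gcd(21, 12))                  # 3, as on slide 11
    print(xgcd(21, 12))                        # (3, -1, 2): 3 = -1*21 + 2*12
    print(mod_inverse(3, 10))                  # 7, since 3*7 = 21 = 1 (mod 10)
    print(mod_inverse(3, 5))                   # 2, the "1/3 (mod 5)" of slide 7
    print(solve_linear_congruence(5, 5, 10))   # [1, 3, 5, 7, 9]: d = 5 solutions
```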

Euler Phi Function $\phi(N)$

The number of integers in $\mathbb{Z}/N\mathbb{Z}$ which are relatively prime to $N$ is given by $\phi(N)$. $\phi(N)$ is called the Euler Phi function of $N$. We know that an element $a \in \mathbb{Z}/N\mathbb{Z}$ has a multiplicative inverse modulo $N$ iff $\gcd(a, N) = 1$. Therefore, there are precisely $\phi(N)$ invertible elements in $\mathbb{Z}/N\mathbb{Z}$.

Slide 15

Formula for $\phi(N)$

Given the prime factorization of $N$, i.e.
$$N = \prod_{i=1}^{n} p_i^{e_i},$$
we can compute $\phi(N)$ using the following formula:
$$\phi(N) = \prod_{i=1}^{n} p_i^{e_i - 1} (p_i - 1).$$

The most important cases for cryptography are:
If $p$ is prime then $\phi(p) = p - 1$.
If $p$ and $q$ are both prime and $p \ne q$ then $\phi(p \cdot q) = (p - 1)(q - 1)$.
Slide 16

Modular Arithmetic
1) Addition is closed: $\forall a, b \in \mathbb{Z}/N\mathbb{Z} : a + b \in \mathbb{Z}/N\mathbb{Z}$.
2) Addition is associative: $\forall a, b, c \in \mathbb{Z}/N\mathbb{Z} : (a + b) + c \equiv a + (b + c)$.
3) $0$ is an additive identity: $\forall a \in \mathbb{Z}/N\mathbb{Z} : a + 0 \equiv 0 + a \equiv a$.
4) The additive inverse always exists: $\forall a \in \mathbb{Z}/N\mathbb{Z} : a + (N - a) \equiv (N - a) + a \equiv 0$.
5) Addition is commutative: $\forall a, b \in \mathbb{Z}/N\mathbb{Z} : a + b \equiv b + a$.
Slide 17

Modular Arithmetic
6) Multiplication is closed: $\forall a, b \in \mathbb{Z}/N\mathbb{Z} : a \cdot b \in \mathbb{Z}/N\mathbb{Z}$.
7) Multiplication is commutative: $\forall a, b \in \mathbb{Z}/N\mathbb{Z} : a \cdot b \equiv b \cdot a$.
8) Multiplication is associative: $\forall a, b, c \in \mathbb{Z}/N\mathbb{Z} : (a \cdot b) \cdot c \equiv a \cdot (b \cdot c)$.
9) $1$ is a multiplicative identity: $\forall a \in \mathbb{Z}/N\mathbb{Z} : a \cdot 1 \equiv 1 \cdot a \equiv a$.
10) Multiplication distributes over addition: $\forall a, b, c \in \mathbb{Z}/N\mathbb{Z} : (a + b) \cdot c \equiv a \cdot c + b \cdot c$.
Slide 18

Groups
A group $(G, \cdot)$ consists of a set $G$ and an operation $\cdot$, satisfying
Associativity: $\forall a, b, c \in G : a \cdot (b \cdot c) = (a \cdot b) \cdot c$.
Identity element: $\exists 1 \in G, \forall a \in G : a \cdot 1 = 1 \cdot a = a$.
Every element has an inverse element: $\forall a \in G, \exists a^{-1} \in G : a \cdot a^{-1} = a^{-1} \cdot a = 1$.
The group $G$ is called commutative or Abelian if $\forall a, b \in G : a \cdot b = b \cdot a$.
Slide 19

Groups - Examples
Integers / Reals / Complexes under addition. The identity is $0$, the inverse of $x$ is $-x$.
Non-zero Reals / Non-zero Rationals under multiplication. The identity is $1$, the inverse of $x$ is $x^{-1}$.
These are all examples of infinite Abelian groups.
Questions: Why are the integers not a group under multiplication? Why do we say non-zero real numbers above?

Slide 20

Modular Arithmetic

Going back to our 10 properties of modular arithmetic we see:
Properties 1-4 say that $\mathbb{Z}/N\mathbb{Z}$ is a group with respect to addition.
Property 5 says that the group $\mathbb{Z}/N\mathbb{Z}$ is abelian.
Properties 1-10 say that $\mathbb{Z}/N\mathbb{Z}$ is a ring.
Other rings you have seen before are the integers, reals and complexes. These are all infinite rings, whereas $\mathbb{Z}/N\mathbb{Z}$ is a finite ring.

Slide 21

Lagrange's Theorem
The order of an element $a$ of a group $(G, \cdot)$ is the smallest positive integer $t$ such that $a^t = 1$.
Lagrange's Theorem: If $G$ is a group of order (size) $n = \#G$ then for all $a \in G$ we have $a^n = 1$.

Corollary: the order $t$ of an element $a \in G$ divides $n = \#G$.
So if $a \in (\mathbb{Z}/N\mathbb{Z})^*$ then $a^{\phi(N)} \equiv 1 \pmod N$, since $\#(\mathbb{Z}/N\mathbb{Z})^* = \phi(N)$.

Slide 22

Fermat's Little Theorem

This is not to be confused with Fermat's Last Theorem . . .
Fermat's Little Theorem: Suppose $p$ is a prime and $a \in \mathbb{F}_p$, then
$$a^p \equiv a \pmod p.$$

Fermat's Little Theorem is a special case of Lagrange's Theorem. This will be the basis of one of our primality tests.

Slide 23
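An added example (not from the slides) that checks the statements of slides 15, 16, 22 and 23 on concrete values: $\phi(N)$ computed from the factorisation formula agrees with a direct count of the invertible elements, every unit satisfies $a^{\phi(N)} \equiv 1 \pmod N$ with an order dividing $\phi(N)$, and $a^p \equiv a \pmod p$ for every $a \in \mathbb{F}_p$. Trial division is used only because the moduli are tiny.

```python
# Added example: Euler's phi from the prime factorisation, the unit count,
# Lagrange's theorem and Fermat's little theorem checked on small N.
from math import gcd


def trial_factorise(n: int) -> dict[int, int]:
    """Prime factorisation {p: e} by trial division; for small n only."""
    factors: dict[int, int] = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def euler_phi(n: int) -> int:
    """phi(N) = prod p_i^(e_i - 1) (p_i - 1) over the factorisation of N."""
    result = 1
    for p, e in trial_factorise(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result


def count_units(n: int) -> int:
    """#(Z/NZ)^*: the number of a in Z/NZ with gcd(a, N) = 1."""
    return sum(1 for a in range(n) if gcd(a, n) == 1)


def element_order(a: int, n: int) -> int:
    """Smallest t > 0 with a^t = 1 (mod N); needs gcd(a, N) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("order is only defined for invertible elements")
    t, power = 1, a % n
    while power != 1 % n:
        power = power * a % n
        t += 1
    return t


def lagrange_holds(n: int) -> bool:
    """Every unit a satisfies a^phi(N) = 1 (mod N) and ord(a) | phi(N)."""
    phi = euler_phi(n)
    return all(pow(a, phi, n) == 1 and phi % element_order(a, n) == 0
               for a in range(1, n) if gcd(a, n) == 1)


def fermat_holds(p: int) -> bool:
    """a^p = a (mod p) for every a in F_p (slide 23)."""
    return all(pow(a, p, p) == a for a in range(p))


if __name__ == "__main__":
    print(euler_phi(15), count_units(15))      # 8 8, i.e. (3-1)(5-1)
    print(element_order(2, 15))                # 4, which divides phi(15) = 8
    print(lagrange_holds(15), fermat_holds(13))   # True True
```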

Fields
A field is a set with two operations $(G, +, \cdot)$ such that
$(G, +)$ is an abelian group with identity denoted by $0$.
$(G \setminus \{0\}, \cdot)$ is an abelian group with identity denoted by $1$.
$(G, +, \cdot)$ satisfies the distributive law.
Distributive law: for all $a, b, c \in G$, $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$.

Examples: Rational numbers, real numbers, complex numbers.

Slide 24

Fields
We define the set of invertible elements of $\mathbb{Z}/N\mathbb{Z}$ as
$$(\mathbb{Z}/N\mathbb{Z})^* = \{a \in \mathbb{Z}/N\mathbb{Z} : \gcd(a, N) = 1\}.$$
The set $(\mathbb{Z}/N\mathbb{Z})^*$ is always a group with respect to multiplication and clearly has size $\phi(N)$. When $N$ is a prime $p$ we have $(\mathbb{Z}/N\mathbb{Z})^* = \{1, \ldots, p-1\}$. We define the sets
$$\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z} = \{0, \ldots, p-1\} \quad \text{and} \quad \mathbb{F}_p^* = (\mathbb{Z}/p\mathbb{Z})^* = \{1, \ldots, p-1\}.$$

We call $\mathbb{F}_p$ a finite field of characteristic $p$. Finite fields are of central importance in coding theory and cryptography.
Slide 25

Characteristic Two Fields


Of particular interest are fields of char 2. Take an irreducible binary polynomial $f$ of degree $n$ and let $\mathbb{F}_{2^n}$ denote all the binary polynomials of degree $< n$.
Addition in $\mathbb{F}_{2^n}$ is defined as
$$a \oplus b = a + b \pmod 2.$$
Note this means $-a = a$.
Multiplication in $\mathbb{F}_{2^n}$ is defined as
$$a \otimes b = a \cdot b \pmod f.$$
Inversion is performed by a variant of the Euclidean algorithm for polynomials.

Slide 26

Characteristic Two Fields

Often write $\mathbb{F}_{2^n} = \mathbb{F}_2[x]/f$ to denote working modulo $f$.
Set of non-zero elements denoted by $\mathbb{F}_{2^n}^*$.
This is the multiplicative subgroup of the field.

Slide 27

Char 2 Example
Let $f = x^6 + x + 1$ (this is irreducible). The finite field of $2^6$ elements can then be identified with
Bit strings of length six bits
Binary polynomials of degree less than or equal to five
$$a = 001101 = x^3 + x^2 + 1$$
$$b = 101011 = x^5 + x^3 + x + 1$$
$$a \oplus b = 100110 = x^5 + x^2 + x$$
since the two $x^3$ and the two $1$ terms cancel, as we are working mod two. Notice, we are simply taking the exclusive-or of the bit string representation.

Slide 28

Char 2 Example
Recap $f = x^6 + x + 1$, $a = 001101 = x^3 + x^2 + 1$, $b = 101011 = x^5 + x^3 + x + 1$. Since $f$ is sparse, reduction mod $f$ is done using rewriting, as $x^6 = x + 1 \pmod f$:
$$a \otimes b = (x^3 + x^2 + 1) \cdot (x^5 + x^3 + x + 1)$$
$$= x^8 + x^7 + x^6 + x^4 + x^3 + x^2 + x + 1$$
$$= x^6 (x^2 + x + 1) + x^4 + x^3 + x^2 + x + 1$$
$$= (x + 1)(x^2 + x + 1) + x^4 + x^3 + x^2 + x + 1$$
$$= (x^3 + 1) + (x^4 + x^3 + x^2 + x + 1)$$
$$= x^4 + x^2 + x,$$
i.e. $a \otimes b = 010110 = x^4 + x^2 + x$.
Slide 29

Slide 29

Char 2 Example
Since $f$ is assumed irreducible, every polynomial $a \ne 0$ is coprime to $f$. Hence, using a binary polynomial version of the extended GCD algorithm we can find $u$ and $v$ so that
$$u \cdot a + v \cdot f = 1 \pmod 2,$$
in which case $a^{-1} = u$ in $\mathbb{F}_{2^n}$.
If $a = x^3 + x^2 + 1$ and $f = x^6 + x + 1$ then taking $u = x^5 + x^3$ and $v = x^2 + x + 1$ gives us
$$u \cdot a + v \cdot f = 1 \pmod 2$$
and so $a^{-1} = u = x^5 + x^3 = 101000$.

Slide 30

Choice of Dening Polynomial


All char 2 fields of the same degree $n$ are isomorphic. This means it does not depend on which polynomial $f$ we take. Different $f$'s give different representations of the same thing.
Let $f(x)$ and $g(y)$ be irreducible polynomials of degree $n$. Then there are polynomials $r(x)$ and $s(y)$ such that one can map one field into the other via
$$x \pmod{f(x)} \mapsto s(y) \pmod{g(y)}, \qquad y \pmod{g(y)} \mapsto r(x) \pmod{f(x)}.$$

This means we can select the best irreducible polynomial $f$ for our own implementation. Requires the mapping $s(y)$ only when talking to someone else's implementation which uses $g(y)$ instead.
Slide 31

Primitive Polynomials
Let $f(X)$ be an irreducible binary polynomial of degree $n$. Let $\alpha$ denote a root of $f(X)$, i.e. $\mathbb{F}_{2^n} = \mathbb{F}_2[\alpha]$.
Such an $f(X)$ is called primitive if $\alpha$ generates $\mathbb{F}_{2^n}^*$, i.e. as a set
$$\mathbb{F}_{2^n}^* = \{\alpha^i : i = 0, \ldots, 2^n - 1\}.$$

Slide 32

Primitive Polynomials
The number of primitive polynomials of degree $n$ is $\phi(2^n - 1)/n$. Hence there are a lot:
If $n = 4$ there are $2$.
If $n = 5$ there are $6$.
If $n = 6$ there are $6$.
If $n = 14$ there are $756$.
If $n = 15$ there are $1800$.
If $n = 16$ there are $2048$.
If $n = 20$ there are $24000$.
If $n = 21$ there are $84672$.
If $n = 22$ there are $120032$.
Slide 33

The Rijndael Field


Of additional interest is the following field of degree 8. It is used in Rijndael and some error correcting code systems.
Identify bytes (8 bits) with elements of the field of degree 8.
Defining polynomial $f$ given by
$$f = x^8 + x^4 + x^3 + x + 1.$$
Write numbers (base 16) to represent the elements:
$0x01 \leftrightarrow 1$, $0x02 \leftrightarrow x$, $0x03 \leftrightarrow x + 1$, $0x05 \leftrightarrow x^2 + 1$, etc.
Slide 34
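Arithmetic in $\mathbb{F}_{2^n} = \mathbb{F}_2[x]/f$ with elements held as integers (bit $i$ is the coefficient of $x^i$), as an added example that is not code from the slides: it reproduces the worked product and inverse of slides 28 to 30 for $f = x^6 + x + 1$, applies slide 32's definition of a primitive polynomial by computing the order of $x$, counts primitive polynomials to check slide 33's formula, and works unchanged in the Rijndael field of slide 34. The function names are this example's own.

```python
# Added example: F_{2^n} arithmetic on int-encoded binary polynomials.
# Multiplication reduces via x^n = f - x^n, inversion is the extended
# Euclidean algorithm over F_2[x], is_primitive computes the order of x.

def deg(p: int) -> int:
    """Degree of a binary polynomial (-1 for the zero polynomial)."""
    return p.bit_length() - 1

def gf2_mul_plain(a: int, b: int) -> int:
    """Carry-less product in F_2[x], without any reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def gf2n_mul(a: int, b: int, f: int) -> int:
    """a * b mod f for reduced a, b (slide 29): shift-and-add, reducing early."""
    n = deg(f)
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:          # an x^n term appeared: rewrite it as f - x^n
            a ^= f
    return result

def gf2_polydivmod(a: int, b: int) -> tuple[int, int]:
    """Quotient and remainder of a / b in F_2[x] by long division."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, a
    while deg(r) >= deg(b):
        shift = deg(r) - deg(b)
        q ^= 1 << shift
        r ^= b << shift
    return q, r

def gf2n_inverse(a: int, f: int) -> int:
    """u with u*a + v*f = 1, i.e. a^{-1} mod f (slide 30), via polynomial XGCD."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1 = f, a             # invariant r_i = s_i*f + t_i*a; only t is tracked
    t0, t1 = 0, 1
    while r1:
        q, r = gf2_polydivmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ gf2_mul_plain(q, t1)
    if r0 != 1:
        raise ValueError("gcd(a, f) != 1, so f is not irreducible")
    return t0

def is_primitive(f: int) -> bool:
    """True iff x generates F_{2^n}^*, i.e. x has order exactly 2^n - 1 (deg f >= 2)."""
    n = deg(f)
    order, power = 1, 2       # power holds x^order, starting from x itself
    while power != 1:
        power = gf2n_mul(power, 2, f)
        order += 1
        if order > (1 << n) - 1:   # x never returns to 1: f is reducible
            return False
    return order == (1 << n) - 1

def count_primitive(n: int) -> int:
    """Brute-force count of primitive polynomials of degree n (slide 33)."""
    return sum(is_primitive(f) for f in range(1 << n, 1 << (n + 1)))

if __name__ == "__main__":
    f = 0b1000011                                   # x^6 + x + 1 from slide 28
    a, b = 0b001101, 0b101011
    print(bin(a ^ b), bin(gf2n_mul(a, b, f)))       # 0b100110 0b10110
    print(bin(gf2n_inverse(a, f)))                  # 0b101000 = x^5 + x^3
    print(count_primitive(4), count_primitive(6))   # 2 6
    print(is_primitive(0x11b))                      # False: Rijndael's f is irreducible but not primitive
```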

Chinese Remainder Theorem (CRT)


Consider $N = 15 = 3 \cdot 5$, then we can represent every element $a$ of $\mathbb{Z}/N\mathbb{Z}$ by its coordinates $(a \pmod 3, a \pmod 5)$. This leads to the following table (rows: $a \pmod 3$, columns: $a \pmod 5$):

            0   1   2   3   4
      0     0   6  12   3   9
      1    10   1   7  13   4
      2     5  11   2   8  14

Note that all elements in $\mathbb{Z}/N\mathbb{Z}$ have different coordinates, i.e. given $(a_1, a_2)$ with $0 \le a_1 < 3$ and $0 \le a_2 < 5$ we can reconstruct $a$.

Slide 35

Chinese Remainder Theorem (CRT)


Consider $N = 24 = 4 \cdot 6$, then we can represent every element $a$ of $\mathbb{Z}/N\mathbb{Z}$ by its coordinates $(a \pmod 4, a \pmod 6)$. This leads to the following table (rows: $a \pmod 4$, columns: $a \pmod 6$):

              0      1      2      3      4      5
      0     0/12     -    8/20     -    4/16     -
      1      -     1/13     -    9/21     -    5/17
      2     6/18     -    2/14     -   10/22     -
      3      -     7/19     -    3/15     -   11/23

Note that $a$ and $a + 12 \pmod{24}$ map to the same coordinates.

Therefore, given $(a_1, a_2)$ with $0 \le a_1 < 4$ and $0 \le a_2 < 6$ we cannot uniquely reconstruct $a$.
Slide 36

Chinese Remainder Theorem (CRT)


The previous examples indicate that if $N = m_1 \cdot m_2$ with $\gcd(m_1, m_2) = 1$, we can replace computing modulo $N$ by computing modulo $m_1$ and modulo $m_2$, i.e.
$$\mathbb{Z}/N\mathbb{Z} \cong \mathbb{Z}/m_1\mathbb{Z} \times \mathbb{Z}/m_2\mathbb{Z} \quad \text{iff} \quad \gcd(m_1, m_2) = 1.$$

If $N = m_1 \cdot m_2$ then it's very easy to compute the coordinates of $a \in \mathbb{Z}/N\mathbb{Z}$, since these are simply $(a \pmod{m_1}, a \pmod{m_2})$. However, given the coordinates $(a_1, a_2)$ with $0 \le a_1 < m_1$ and $0 \le a_2 < m_2$, how do we compute the corresponding $a$?

Slide 37

Chinese Remainder Theorem (CRT)

We can reformulate our reconstruction problem as: Given $N = m_1 \cdot m_2$ with $\gcd(m_1, m_2) = 1$, compute $x \in \mathbb{Z}/N\mathbb{Z}$ with $x \equiv a_1 \pmod{m_1}$ and $x \equiv a_2 \pmod{m_2}$.

Example: If $x \equiv 4 \pmod 7$ and $x \equiv 3 \pmod 5$ then we have
$$x \equiv 18 \pmod{35}.$$

How did we work this out?

Slide 38

CRT - Example
We want to find $x \in \mathbb{Z}/N\mathbb{Z}$ with $N = 35$ such that $x \equiv 4 \pmod 7$ and $x \equiv 3 \pmod 5$.

Therefore, for some $u \in \mathbb{Z}$ we have $x = 4 + 7u$ and $x \equiv 3 \pmod 5$.

Substituting this in the second equation gives $4 + 7u \equiv 3 \pmod 5$.

Therefore, $u$ is given by the solution of
$$2u \equiv 7u \equiv 3 - 4 \equiv 4 \pmod 5.$$
Hence we can compute $u$ as $u \equiv 4/2 \pmod 5 \equiv 2 \pmod 5$.

But then $x \equiv 4 + 7u \equiv 4 + 7 \cdot 2 \equiv 18 \pmod{35}$.
Slide 39

CRT - General Case


Let $m_1, \ldots, m_r$ be pairwise relatively prime and let $a_1, \ldots, a_r$ be integers. We want to find $x$ modulo $M = m_1 m_2 \cdots m_r$ such that $x \equiv a_i \pmod{m_i}$ for all $i$.

The CRT guarantees a unique solution given by
$$x = \sum_{i=1}^{r} a_i M_i y_i \pmod M$$
with $M_i = M/m_i$ and $y_i = M_i^{-1} \pmod{m_i}$. Note that $M_i \equiv 0 \pmod{m_j}$ for $j \ne i$ and that $M_i y_i \equiv 1 \pmod{m_i}$.
Slide 40

CRT - General Case Example


We want to find the unique $x$ modulo $M = 1001 = 7 \cdot 11 \cdot 13$ such that $x \equiv 5 \pmod 7$ and $x \equiv 3 \pmod{11}$ and $x \equiv 10 \pmod{13}$.

We compute $M_1 = 143$, $y_1 = 5$ and $M_2 = 91$, $y_2 = 4$ and $M_3 = 77$, $y_3 = 12$. Then we reconstruct $x$ as
$$x = \sum_{i=1}^{r} a_i M_i y_i \pmod M$$
$$\equiv 5 \cdot 143 \cdot 5 + 3 \cdot 91 \cdot 4 + 10 \cdot 77 \cdot 12 \pmod{1001}$$
$$\equiv 894 \pmod{1001}.$$

Slide 41

CRT - Example Application Modular Exponentiation


Let $N = 55 = 5 \cdot 11$ and suppose we want to compute $27^{37} \pmod N$. This can be done in a number of ways:
Really stupid: using 36 multiplications modulo 55,
$$(((27 \cdot 27) \pmod N) \cdot 27 \pmod N) \cdots 27 \pmod N.$$
Less stupid: using 5 squarings and 2 multiplications modulo 55,
$$((27^{2^5} \pmod N) \cdot 27^{2^2} \pmod N) \cdot 27 \pmod N.$$
Rather intelligent: using 5 squarings and 2 multiplications modulo 5 and modulo 11 and CRT to combine both results.
Really intelligent: using Lagrange's theorem, a few multiplications modulo 5 and 11 and CRT to combine both results. The next slide explains this method in general.
Slide 42

Modular Exponentiation
Suppose we want to compute $y = x^d \pmod N$ where $N = p \cdot q$. We know by Lagrange's Theorem
$$x^{p-1} = 1 \pmod p \quad \text{and} \quad x^{q-1} = 1 \pmod q.$$
So we first compute $y_p = y \pmod p$ and $y_q = y \pmod q$ via
$$y_p = y \pmod p = x^d \pmod p = x^{d \pmod{p-1}} \pmod p,$$
$$y_q = y \pmod q = x^d \pmod q = x^{d \pmod{q-1}} \pmod q.$$

We then solve for $y$ by applying the CRT to the equations
$$y \equiv y_p \pmod p, \qquad y \equiv y_q \pmod q.$$

Slide 43
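The CRT reconstruction of slide 40 and the CRT-based exponentiation of slides 42 and 43, as an added example (not code from the slides); it is checked against the worked values of slides 38, 39 and 41, and the "really intelligent" route to $27^{37} \pmod{55}$ is compared with a direct computation. Function names are this example's own; Python's `pow(a, -1, m)` stands in for the XGCD inverse.

```python
# Added example: CRT reconstruction (slide 40) and exponentiation modulo
# N = p*q done modulo p and q separately with exponents reduced by
# Lagrange's theorem (slide 43), then recombined with the CRT.
from math import gcd, prod


def crt(residues: list[int], moduli: list[int]) -> int:
    """x with x = a_i (mod m_i) for all i; the moduli must be pairwise coprime.

    x = sum a_i * M_i * y_i (mod M),  M_i = M / m_i,  y_i = M_i^{-1} (mod m_i).
    """
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i, m in enumerate(moduli):
        for m2 in moduli[i + 1:]:
            if gcd(m, m2) != 1:
                raise ValueError(f"moduli {m} and {m2} are not coprime")
    big_m = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        m_part = big_m // m_i                 # M_i = 0 (mod m_j) for j != i
        y_i = pow(m_part, -1, m_i)            # M_i * y_i = 1 (mod m_i)
        x += a_i * m_part * y_i
    return x % big_m


def crt_coordinates(a: int, moduli: list[int]) -> tuple[int, ...]:
    """The easy direction of slide 37: (a mod m_1, ..., a mod m_r)."""
    return tuple(a % m for m in moduli)


def crt_modexp(x: int, d: int, p: int, q: int) -> int:
    """x^d mod (p*q) for distinct primes p, q via Lagrange + CRT (slide 43).

    x^{p-1} = 1 (mod p) whenever p does not divide x, so the exponent may be
    reduced modulo p-1 there; if p divides x the residue modulo p is 0.
    """
    if gcd(p, q) != 1:
        raise ValueError("p and q must be distinct primes")
    if d == 0:
        return 1 % (p * q)
    y_p = 0 if x % p == 0 else pow(x % p, d % (p - 1), p)
    y_q = 0 if x % q == 0 else pow(x % q, d % (q - 1), q)
    return crt([y_p, y_q], [p, q])


if __name__ == "__main__":
    print(crt([4, 3], [7, 5]))                 # 18 (slide 38)
    print(crt([5, 3, 10], [7, 11, 13]))        # 894 (slide 41)
    print(crt_coordinates(894, [7, 11, 13]))   # (5, 3, 10)
    print(crt_modexp(27, 37, 5, 11))           # 47, the same as pow(27, 37, 55)
```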

One-way Functions
A function $f : X \to Y : x \mapsto y = f(x)$ is a one-way function iff
For all $x \in X$ it is very easy or efficient to compute $f(x)$.
For almost all $y \in Y$, finding an $x \in X$ with $f(x) = y$ is computationally infeasible.
A trapdoor one-way function is a one-way function $f : X \to Y$, but given some extra information, called the trapdoor information, it is easy to invert $f$, i.e. given $y \in Y$ it is easy to find $x \in X$ such that $f(x) = y$.
We get one-way permutations/trapdoor one-way permutations if we have $X = Y$ and $f$ is injective.

Remark: there is no proof that such functions actually exist.

Slide 44

One-way Functions

Candidate one-way functions:

Multiplication:
Given primes $p$ and $q$, compute $N = p \cdot q$. This is very easy to compute, since we just multiply $p$ and $q$. The inverse problem, given $N$ find $p$ and $q$, is called factoring.

Modular exponentiation:
Given $N$ and an element $a \in \mathbb{Z}/N\mathbb{Z}$, compute $b \equiv a^m \pmod N$. This can be computed efficiently using square and multiply. The inverse problem, given $N, a, b \in \mathbb{Z}/N\mathbb{Z}$ find $m$ such that $b \equiv a^m \pmod N$, is called the discrete logarithm problem.

Slide 45

Factoring Numbers
The complexity of most algorithms can be expressed in terms of
$$L_N(\alpha, \beta) = \exp\left((\beta + o(1)) (\log N)^{\alpha} (\log \log N)^{1 - \alpha}\right).$$
Trial Division: Complexity $= L_N(1, 1/2 + \varepsilon)$, i.e. exponential. Try every number up to $\sqrt{N}$.
Elliptic Curve Method: Complexity $= L_p(1/2, c)$, i.e. sub-exponential. Good if $N$ has a prime factor $p$ with $p < 2^{50}$.
Quadratic Sieve: Complexity $= L_N(1/2, 1)$, i.e. sub-exponential. Faster for $N$ less than $10^{110} \approx 2^{365}$.
Number Field Sieve: Complexity $= L_N(1/3, 1.923)$, i.e. sub-exponential. Best known method, can factor $N \approx 10^{158} \approx 2^{525}$.
Multiplication: Complexity $= L_N(0, 2)$, i.e. polynomial.
Slide 46

Factoring Numbers - History


1 MIPSY = # operations of a DEC VAX 11/780 running for 1 year.

  year   # digits   # operations
  1964      20      0.001 MIPSY
  1974      45      0.1 MIPSY
  1984      71      75 MIPSY
  1989     105
  1992     110
  1994     129      5000 MIPSY
  1996     130      1000 MIPSY
  1999     145      2000 MIPSY
  1999     155      8400 MIPSY
  2002     158      7000 MIPSY

Slide 47

List of Hard Problems I


Suppose you are given $N$ but not $p, q$ such that $N = p \cdot q$.
FACTORING: Find $p$ and $q$.
RSAP: Given $c \in \mathbb{Z}/N\mathbb{Z}$ and an integer $e$ with $\gcd(e, (p-1)(q-1)) = 1$, find $m$ such that $m^e \equiv c \pmod N$.
QUADRES: Given $a$, determine whether $a \equiv x^2 \pmod N$ for some $x$.
SQROOT: Given $a$ such that $a \equiv x^2 \pmod N$, find $x$.
Later we will prove that
$$\text{QUADRES} \le_P \text{SQROOT} \le_P \text{FACTORING}, \qquad \text{RSAP} \le_P \text{FACTORING}.$$
Slide 48

Discrete Logarithm Problem


Let $(G, \cdot)$ be an abelian group.
Discrete Logarithm Problem: Given $g, h \in G$, find an $x$ (if it exists) such that $g^x = h$.
The difficulty of this problem depends on the group $G$:
Very easy: polynomial time algorithm, e.g. $(\mathbb{Z}/N\mathbb{Z}, +)$.
Rather hard: sub-exponential time algorithm, e.g. $(\mathrm{GF}(p)^*, \cdot)$.
Very hard: exponential time algorithm, e.g. Elliptic Curve groups.
Slide 49

List of Hard Problems II


Given an abelian group $(G, \cdot)$ and $g \in G$.
DLP: Given $h \in G$ such that $h = g^x$, find $x$.
DHP: Given $a = g^x$ and $b = g^y$, find $c = g^{xy}$.
DDH: Given $a = g^x$, $b = g^y$ and $c = g^z$, determine if $z = xy$.
Later we will prove that:
If we can solve DLP then we can solve DHP.
If we can solve DHP then we can solve DDH.

$$\text{DDH} \le_P \text{DHP} \le_P \text{DLP}$$

Slide 50

Reductions
We will reduce one hard problem to another, which will allow us to compare the relative difficulty of the two problems, i.e. we can say "Problem A is no harder than Problem B".
Let $A$ and $B$ be two computational problems. Then $A$ is said to polytime reduce to $B$, written $A \le_P B$, if
There is an algorithm which solves $A$ using an algorithm which solves $B$.
This algorithm runs in polynomial time if the algorithm for $B$ does.
Assume we have an oracle (or efficient algorithm) to solve problem $B$. We then use this oracle to give an efficient algorithm for problem $A$.
Slide 51

Reductions - DHP $\le_P$ DLP

Here we show how to reduce DHP to DLP, i.e. we give an efficient algorithm for solving the DHP given an oracle for the DLP.
Given $g^x$ and $g^y$ we wish to find $g^{xy}$.
First compute $y = \mathrm{DLP}(g^y)$ using the oracle.
Then compute $(g^x)^y = g^{xy}$.
So DHP is no harder than DLP, i.e. DHP $\le_P$ DLP.
Remark: in some groups you can show that DHP is equivalent to DLP.

Slide 52

Reductions - DDH $\le_P$ DHP

Here we show how to reduce DDH to DHP, i.e. we give an efficient algorithm for solving the DDH given an oracle for the DHP.
Given elements $g^x$, $g^y$ and $g^z$, determine if $z = x \cdot y$.
Using the oracle to solve DHP, compute $g^{xy} = \mathrm{DHP}(g^x, g^y)$.
Then check whether $g^{xy} = g^z$.
So DDH is no harder than DHP, i.e. DDH $\le_P$ DHP.
Remark: in some groups you can show that DDH is probably easier than DHP.
Slide 53

Reductions - SQROOT $\le_P$ FACTORING

Here we show how to reduce SQROOT to FACTORING, i.e. we give an efficient algorithm for solving SQROOT given an oracle for FACTORING. Given $z = x^2 \pmod N$ we wish to compute $x$.

Using the oracle for FACTORING, find the prime factors $p_i$ of $N$.
Compute $\sqrt{z} \pmod{p_i}$ (can be done in polynomial time).
Recover $\sqrt{z} \pmod N$ using CRT on the data $\sqrt{z} \pmod{p_i}$.
One has to be a little careful if powers of $p_i$ greater than one divide $N$.
So computing square roots modulo $N$ is no harder than factoring: SQROOT $\le_P$ FACTORING.

Slide 54

Reductions - FACTORING $\le_P$ SQROOT

Here we show how to reduce FACTORING to SQROOT, i.e. we give an efficient algorithm for FACTORING given an oracle for SQROOT. Given $N = p \cdot q$ we wish to compute $p$ and $q$.
Compute $z = x^2 \pmod N$ for a random $x \in (\mathbb{Z}/N\mathbb{Z})^*$.
Compute $y = \sqrt{z} \pmod N$ using the oracle for SQROOT.
There are four possible square roots, since there are two factors. With fifty percent probability we have $y \ne \pm x \pmod N$.

Factor $N$ by computing $\gcd(x - y, N)$. So factoring is no harder than computing square roots modulo $N$: FACTORING $\le_P$ SQROOT.

Slide 55

Reductions - FACTORING $\equiv_P$ SQROOT

Summarizing the result of the previous two slides:
FACTORING $\le_P$ SQROOT.
SQROOT $\le_P$ FACTORING.
So FACTORING and SQROOT are computationally equivalent: SQROOT $\equiv_P$ FACTORING.

Slide 56

Reductions - RSAP $\le_P$ FACTORING

Here we show how to reduce RSAP to FACTORING, i.e. we give an efficient algorithm for solving RSAP given an oracle for FACTORING. Given $c = m^e \pmod N$ and the integer $e$, find $m$.
Find the factorization of $N = p \cdot q$ using the oracle.
Compute $\phi(N)$ as $\phi(N) = (p - 1) \cdot (q - 1)$.
Using the XGCD compute $d = 1/e \pmod{\phi(N)}$.
Finally, recover $m = c^d \pmod N$.

So the RSA problem is no harder than factoring, i.e. RSAP $\le_P$ FACTORING. There is some evidence (although slight) that it might be easier.

Slide 57
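The reductions FACTORING $\le_P$ SQROOT (slide 55) and RSAP $\le_P$ FACTORING (slide 57) run against toy oracles, as an added example that is not code from the slides. The SQROOT "oracle" is an exhaustive search, which only works because the constructed modulus $N = 101 \cdot 103$ is tiny; the point is how each reduction uses its oracle, exactly as the slides describe, and the four-root and fifty-percent claims are made visible.

```python
# Added example: the two oracle reductions of slides 55 and 57 on a toy N.
import random
from math import gcd


def all_square_roots(z: int, n: int) -> list[int]:
    """Every y in Z/nZ with y^2 = z (mod n), by exhaustion (toy sizes only)."""
    return [y for y in range(n) if y * y % n == z % n]


def sqroot_oracle(z: int, n: int) -> int:
    """Toy SQROOT oracle: returns one root of z, here simply the smallest."""
    roots = all_square_roots(z, n)
    if not roots:
        raise ValueError("z is not a square modulo n")
    return roots[0]


def factor_with_sqroot(n: int, seed: int = 2011) -> tuple[int, int]:
    """FACTORING <=_P SQROOT (slide 55): split n = p*q using sqroot_oracle.

    Pick a random x, ask for a root y of z = x^2 (mod n); whenever y != +-x
    the product (x - y)(x + y) = 0 (mod n) without either factor being 0,
    so gcd(x - y, n) is a proper factor.  Each attempt succeeds with
    probability 1/2 because z has four roots and the oracle returns one.
    """
    rng = random.Random(seed)             # seeded so the run is reproducible
    while True:
        x = rng.randrange(2, n - 1)
        g = gcd(x, n)
        if g == 1:
            y = sqroot_oracle(x * x % n, n)
            if y in (x, n - x):
                continue                  # the unlucky half: try another x
            g = gcd(x - y, n)
        return min(g, n // g), max(g, n // g)


def rsa_with_factoring(c: int, e: int, p: int, q: int) -> int:
    """RSAP <=_P FACTORING (slide 57): once p and q are known,
    phi(N) = (p-1)(q-1), d = e^{-1} mod phi(N), and m = c^d mod N."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    d = pow(e, -1, phi)                   # the XGCD step of the slide
    return pow(c, d, p * q)


if __name__ == "__main__":
    p, q = 101, 103                       # constructed toy primes
    n = p * q
    print(all_square_roots(4, 77))        # [2, 9, 68, 75]: four roots mod 7*11
    print(factor_with_sqroot(n))          # (101, 103)
    c = pow(42, 7, n)                     # c = m^e with m = 42 and e = 7
    print(rsa_with_factoring(c, 7, p, q)) # 42
```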