
Number Theory Algorithms and Cryptography

Algorithms
Analysis of Algorithms

Prepared by

John Reif, Ph.D.

Number Theory Algorithms

a) GCD
b) Multiplicative Inverse
c) Fermat's & Euler's Theorems
d) Public Key Cryptographic Systems
e) Primality Testing

Number Theory Algorithms (cont'd)

Main Reading Selections:
CLR, Chapter 33

Euclid's Algorithm
Greatest Common Divisor

GCD(u, v) = largest a s.t. a is a divisor of both u, v

Euclid's Algorithm

procedure GCD(u, v)
begin
  if v = 0 then return(u)
  else return(GCD(v, u mod v))
end

Euclid's Algorithm (cont'd)

Inductive proof of correctness:

if a is a divisor of u, v
then a is a divisor of $u - \lfloor u/v \rfloor v = u \bmod v$

Euclid's Algorithm (cont'd)

Time Analysis of Euclid's Algorithm for n bit numbers u, v:

$T(n) \le T(n-1) + M(n)$
$= O(n\, M(n))$
$= O(n^2 \log n \log\log n)$
(where M(n) = time to multiply two n bit integers)

Euclid's Algorithm (cont'd)

Fibonacci worst case:
$u = F_k$, $v = F_{k+1}$
where $F_0 = 0$, $F_1 = 1$, $F_{k+2} = F_{k+1} + F_k$, $k \ge 0$

$F_k = \dfrac{\phi^k - \hat\phi^k}{\sqrt 5}$, where $\phi, \hat\phi = \dfrac{1 \pm \sqrt 5}{2}$

Euclid's Algorithm takes $\log_\phi(\sqrt 5\, N) = O(n)$ stages when N = max(u, v).
Here n = number of bits of N.

Euclid's Algorithm (cont'd)

Improved Algorithm

$T(n) \le T(n/2) + O(M(n))$
$= O(M(n) \log n)$

Extended GCD Algorithm

procedure ExGCD(u, v)
where u = (u1, u2, u3), v = (v1, v2, v3)
begin
  if v3 = 0 then return(u)
  else return ExGCD(v, u - ⌊u3/v3⌋·v)
end

Extended GCD Algorithm (cont'd)

Theorem

ExGCD((1, 0, x), (0, 1, y)) = (x', y', GCD(x, y))
where $x x' + y y' = \mathrm{GCD}(x, y)$

Proof

inductively can verify on each call
$x u_1 + y u_2 = u_3$
$x v_1 + y v_2 = v_3$

Extended GCD Algorithm (cont'd)

Corollary

If gcd(x, y) = 1 then x' is the modular inverse of x modulo y

Proof

we must show $x x' \equiv 1 \pmod y$
but by previous Theorem,
$1 = x x' + y y' \equiv x x' \pmod y$
so $1 \equiv x x' \pmod y$

Gives Algorithm for Modular Inverse!
Modular Laws

for $n \ge 1$,
write $x \equiv y$ for $x \equiv y \pmod n$ (congruence modulo n)

Modular Laws (cont'd)

Law A: if $a \equiv b$ and $x \equiv y$ then $ax \equiv by$
Law B: if $a \equiv b$ and $ax \equiv by$ and $\gcd(a, n) = 1$ then $x \equiv y$

Modular Laws (cont'd)

let $\{a_1, \ldots, a_k\} \equiv \{b_1, \ldots, b_k\}$ if
$a_i \equiv b_{j_i}$ for $i = 1, \ldots, k$ and
$\{j_1, \ldots, j_k\} = \{1, \ldots, k\}$

Fermat's Little Theorem

If n prime then $a^n \equiv a \pmod n$

Proof by Euler

if $a \equiv 0$ then $a^n \equiv 0 \equiv a$
else suppose $\gcd(a, n) = 1$
Then $x \equiv a y$ for $y \equiv a^{-1} x$ and any x,
so $\{a, 2a, \ldots, (n-1)a\} \equiv \{1, 2, \ldots, n-1\}$

Fermat's Little Theorem (cont'd)

So by Law A,
$(a)(2a)\cdots((n-1)a) \equiv 1 \cdot 2 \cdots (n-1)$
So $a^{n-1}(n-1)! \equiv (n-1)!$
So by Law B
$a^{n-1} \equiv 1 \pmod n$

Euler's Theorem

$\phi(n)$ = number of integers in $\{1, \ldots, n-1\}$ relatively prime to n

Euler's Theorem

If $\gcd(a, n) = 1$ then $a^{\phi(n)} \equiv 1 \pmod n$

Proof

let $b_1, \ldots, b_{\phi(n)}$ be the integers $< n$ relatively prime to n

Euler's Theorem (cont'd)

Lemma

$\{b_1, \ldots, b_{\phi(n)}\} \equiv \{a b_1, a b_2, \ldots, a b_{\phi(n)}\}$

Proof

If $a b_i \equiv a b_j$ then by Law B, $b_i \equiv b_j$
Since $1 = \gcd(b_i, n) = \gcd(a, n)$ then $\gcd(a b_i, n) = 1$
so for $\{j_1, \ldots, j_{\phi(n)}\} = \{1, \ldots, \phi(n)\}$,
$a b_i \equiv b_{j_i}$

Euler's Theorem (cont'd)

By Law A and Lemma
$(a b_1)(a b_2) \cdots (a b_{\phi(n)}) \equiv b_1 b_2 \cdots b_{\phi(n)}$
so $a^{\phi(n)}\, b_1 \cdots b_{\phi(n)} \equiv b_1 \cdots b_{\phi(n)}$
By Law B
$a^{\phi(n)} \equiv 1 \pmod n$

Taking Powers mod n by Repeated Squaring

Problem: Compute $a^e \bmod b$

$e = e_k e_{k-1} \cdots e_1 e_0$ (binary representation)

[1] X ← 1
[2] for i = k, k-1, ..., 0 do
    begin
      X ← X² mod b
      if e_i = 1 then X ← X·a mod b
    end

output $X = \prod_{i=0}^{k} a^{e_i 2^i} = a^{\sum_{i=0}^{k} e_i 2^i} = a^e \bmod b$

Taking Powers mod n by Repeated Squaring (cont'd)

Time Cost

O(k) mults and additions mod b
k = # bits of e

Rivest, Shamir, Adleman (RSA) Encryption Algorithm

M = integer message
e = encryption integer for user A
Cryptogram $C = E(M) = M^e \bmod n$

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont'd)

Method

(1) Choose large random primes p, q; let $n = p q$
(2) Choose large random integer d relatively prime to $\phi(n) = \phi(p)\phi(q) = (p-1)(q-1)$
(3) Let e be the multiplicative inverse of d modulo $\phi(n)$:
    $e d \equiv 1 \pmod{\phi(n)}$
    (require $e > \log n$, else try another d)

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont'd)

Theorem

If M is relatively prime to n, and $D(x) = x^d \pmod n$, then
$D(E(M)) \equiv E(D(M)) \equiv M$

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont'd)

Proof

$D(E(M)) \equiv E(D(M)) \equiv M^{ed} \pmod n$
There must be $k \ge 0$ s.t.
$1 = \gcd(d, \phi(n)) = -k\phi(n) + d e$
So $M^{ed} \equiv M^{k\phi(n) + 1} \pmod n$
Since $(p-1)$ divides $\phi(n)$,
$M^{k\phi(n) + 1} \equiv M \pmod p$

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont'd)

by Euler's Theorem.
By symmetry,
$M^{k\phi(n) + 1} \equiv M \pmod q$
Hence $M^{ed} \equiv M^{k\phi(n) + 1} \equiv M \pmod n$
So $M^{ed} \equiv M \pmod n$
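Steps (1) to (3) of the Method and the Theorem above, as an added example (not code from the slides), on small constructed primes. It follows the slides in picking d first and inverting it to get e; Python's built-in pow does the repeated squaring and (with exponent -1, Python 3.8+) the modular inverse. The function names are my own.

```python
# Added example (not from the slides): RSA key generation (1)-(3) and the
# correctness theorem D(E(M)) = E(D(M)) = M, on constructed toy parameters.
from math import gcd

def rsa_keygen(p, q, d):
    """(1) n = p*q; (2) d must be relatively prime to phi(n) = (p-1)(q-1);
    (3) e = inverse of d modulo phi(n), so e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be relatively prime to phi(n); try another d")
    e = pow(d, -1, phi)                   # multiplicative inverse mod phi(n)
    return n, e, phi

def E(M, e, n):
    """Cryptogram C = M^e mod n."""
    return pow(M, e, n)

def D(C, d, n):
    """D(x) = x^d mod n."""
    return pow(C, d, n)

def check_roundtrip(p, q, d, M):
    """Returns (D(E(M)), E(D(M)), k) where e*d = k*phi(n) + 1 as in the proof."""
    n, e, phi = rsa_keygen(p, q, d)
    k = (e * d - 1) // phi
    assert e * d == k * phi + 1           # the k >= 0 the proof relies on
    assert gcd(M, n) == 1                 # hypothesis of the theorem
    return D(E(M, e, n), d, n), E(D(M, d, n), e, n), k

if __name__ == "__main__":
    # constructed toy parameters; real keys use primes of 1024+ bits
    print(rsa_keygen(61, 53, 2753))        # (3233, 17, 3120)
    print(E(65, 17, 3233))                 # 2790
    print(check_roundtrip(61, 53, 2753, 65))   # (65, 65, 15)
```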

Security of RSA Cryptosystem

Theorem
If can compute d in polynomial time, then can factor n in polynomial time

Proof
$e d - 1$ is a multiple of $\phi(n)$
But Miller has shown can factor n from any multiple of $\phi(n)$

Security of RSA Cryptosystem (cont'd)

If can find d' s.t. $M^{d'} \equiv M^{d} \pmod n$,
d' differs from d by lcm(p-1, q-1), so can factor n.
(lcm is the "least common multiple")

Rabin's Public Key Crypto System

Use private large primes p, q
public key: $n = q p$
message: M
cryptogram: $M^2 \bmod n$

Theorem
If cryptosystem can be broken, then can factor key n

Rabin's Public Key Crypto System (cont'd)

Proof

$M^2 \bmod n$ has solutions $M \equiv \alpha, \beta, n-\alpha, n-\beta$
where $\beta \notin \{\alpha, n-\alpha\}$
But then $\alpha^2 - \beta^2 \equiv (\alpha - \beta)(\alpha + \beta) \equiv 0 \pmod n$
So either (1) $p \mid (\alpha - \beta)$ and $q \mid (\alpha + \beta)$
or (2) $q \mid (\alpha - \beta)$ and $p \mid (\alpha + \beta)$
In either case, two independent solutions for M give a factorization of n,
i.e., a factor of n is $\gcd(n, \alpha - \beta)$.

Rabin's Public Key Crypto System (cont'd)

Rabin's Algorithm for factoring n, given a way to break his cryptosystem:
Choose random $\alpha$, $1 \le \alpha \le n$, s.t. $\gcd(\alpha, n) = 1$
let $\beta = \alpha^2 \bmod n$
find M s.t. $M^2 \equiv \beta \pmod n$ by assumed way to break cryptosystem
with probability 1/2, $M \notin \{\alpha, n-\alpha\}$,
so factors of n are found
else repeat with another $\alpha$
Note: Expected number of rounds is 2
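The reduction above run end to end, as an added example (my code, not the slides'). The "way to break the cryptosystem" is simulated by an oracle that cheats: it knows p and q (constructed here, both 3 mod 4 so a square root mod each prime is one exponentiation) and returns a random one of the four roots via the Chinese Remainder Theorem. The factoring routine only sees the oracle's answers, which is the point of the theorem: any square-root extractor is as strong as a factoring algorithm.

```python
# Added example (not from the slides): Rabin's reduction from factoring n to
# extracting square roots mod n, against a simulated root-extraction oracle.
import random
from math import gcd

def crt2(r1, m1, r2, m2):
    """Unique x mod m1*m2 with x = r1 mod m1 and x = r2 mod m2 (gcd(m1,m2) = 1)."""
    t = ((r2 - r1) * pow(m1, -1, m2)) % m2
    return (r1 + m1 * t) % (m1 * m2)

def sqrt_oracle(beta, p, q, rng):
    """Simulated break: returns one of the 4 roots of x^2 = beta mod p*q.
    Assumes p = q = 3 mod 4, where beta^((p+1)/4) is a root mod p."""
    rp = pow(beta, (p + 1) // 4, p)
    rq = pow(beta, (q + 1) // 4, q)
    rp = rng.choice([rp, p - rp])            # pick a root mod p at random
    rq = rng.choice([rq, q - rq])            # pick a root mod q at random
    return crt2(rp, p, rq, q)

def rabin_factor(n, oracle, rng, max_rounds=64):
    """Returns (factor of n, rounds used) once the oracle's root M is
    independent of alpha, i.e. M not in {alpha, n - alpha}."""
    for rounds in range(1, max_rounds + 1):
        alpha = rng.randrange(1, n)
        if gcd(alpha, n) != 1:               # alpha itself reveals a factor
            return gcd(alpha, n), rounds
        beta = (alpha * alpha) % n
        M = oracle(beta)
        if M not in (alpha, n - alpha):      # (alpha - M)(alpha + M) = 0 mod n
            return gcd(n, alpha - M), rounds
    raise RuntimeError("oracle never returned an independent root")

def demo(seed=7, p=1019, q=1039):
    """Constructed primes p, q (both 3 mod 4); returns (factor, cofactor, rounds)."""
    rng = random.Random(seed)
    n = p * q
    f, rounds = rabin_factor(n, lambda b: sqrt_oracle(b, p, q, rng), rng)
    return f, n // f, rounds

if __name__ == "__main__":
    print(demo())                            # one of (1019, 1039, r) / (1039, 1019, r)
```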

Quadratic Residues

a is a quadratic residue of n if $x^2 \equiv a \pmod n$ has a solution

Euler:
If n is an odd prime and gcd(a, n) = 1, then
a is a quadratic residue of n iff $a^{(n-1)/2} \equiv 1 \pmod n$

Jacobi Function

$J(a, n) = 1$ if $\gcd(a, n) = 1$ and a is a quadratic residue of n
$J(a, n) = -1$ if $\gcd(a, n) = 1$ and a is not a quadratic residue of n
$J(a, n) = 0$ if $\gcd(a, n) \ne 1$

Jacobi Function (cont'd)

Gauss's Quadratic Reciprocity Law

if p, q are odd primes,
$J(p, q)\, J(q, p) = (-1)^{(p-1)(q-1)/4}$

Rivest Algorithm

$J(a, n) = 1$ if a = 1
$J(a, n) = J(a/2, n)\,(-1)^{(n^2-1)/8}$ if a even
$J(a, n) = J(n \bmod a, a)\,(-1)^{\frac{a-1}{2} \cdot \frac{n-1}{2}}$ otherwise

Jacobi Function (cont'd)

Theorem (Fermat)

$n \ge 2$ is prime iff $\exists x$, $1 \le x < n$, with
(1) $x^{n-1} \equiv 1 \pmod n$
(2) $x^i \not\equiv 1 \pmod n$ for all $i \in \{1, 2, \ldots, n-2\}$

Theorem: Primes are in NP

Proof
input n
n = 2 ⇒ output "prime"
n = 1 or (n even and n ≠ 2) ⇒ output "composite"
else guess x to verify Fermat's Theorem
Check (1) $x^{n-1} \equiv 1 \pmod n$
To verify (2), guess prime factorization of $n - 1 = n_1 n_2 \cdots n_k$
(a) recursively verify each $n_i$ prime
(b) verify $x^{(n-1)/n_i} \not\equiv 1 \pmod n$

Theorem: Primes are in NP (cont'd)

Note

if $x^{n-1} \equiv 1 \pmod n$,
the least y s.t. $x^y \equiv 1 \pmod n$ must divide n-1, so $x^{ya} \equiv 1 \pmod n$ for every a.
If $y < n-1$, some prime factor $n_i$ of n-1 has $y \mid (n-1)/n_i$; let $a = \frac{n-1}{y\, n_i}$,
so $1 \equiv x^{ya} = x^{(n-1)/n_i} \pmod n$, which check (b) rules out.

Primality Testing

wish to test if n is prime

technique: $W_n(a)$, "a witness that n is composite"
$W_n(a)$ true ⇒ n composite
$W_n(a)$ false ⇒ don't know

Goal of Randomized Primality Testing

for random $a \in \{1, \ldots, n-1\}$,
n composite ⇒ Prob($W_n(a)$ true) > 1/2

So at least 1/2 of all $a \in \{1, \ldots, n-1\}$ are "witnesses to compositeness of n"

Primality Testing (cont'd)

Solovay & Strassen Primality Test (quadratic reciprocity law)

$W_n(a) = (\gcd(a, n) \ne 1)$ or $J(a, n) \not\equiv a^{(n-1)/2} \pmod n$

test if Gauss's Quadratic Reciprocity Law is violated
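The Rivest rules for J(a, n) and the Solovay-Strassen witness $W_n(a)$ above, as an added example (my code, not the slides'). It assumes n odd and at least 3; one base case, a = 0, is added so that inputs with gcd(a, n) ≠ 1 terminate with J = 0 as the definition of J requires. witness_fraction lets you check the "at least half are witnesses" claim on a small composite such as the Carmichael number 561.

```python
# Added example (not from the slides): Rivest's recursive rule for J(a, n)
# and the Solovay-Strassen witness W_n(a) built on it.
import random
from math import gcd

def jacobi(a, n):
    """J(a, n) for odd n >= 3 and 0 <= a, by the three Rivest rules."""
    if a == 0:
        return 0                                   # gcd(a, n) != 1
    if a == 1:
        return 1
    if a % 2 == 0:                                 # a even: factor out a 2
        return jacobi(a // 2, n) * (-1) ** ((n * n - 1) // 8)
    # a odd: quadratic reciprocity, then reduce n modulo a
    return jacobi(n % a, a) * (-1) ** (((a - 1) // 2) * ((n - 1) // 2))

def ss_witness(n, a):
    """W_n(a): True means a is a witness that n is composite."""
    a %= n
    if gcd(a, n) != 1:
        return True
    return jacobi(a, n) % n != pow(a, (n - 1) // 2, n)   # -1 is compared as n-1

def witness_fraction(n):
    """Share of a in {1, ..., n-1} that are witnesses (>= 1/2 for composite n)."""
    return sum(ss_witness(n, a) for a in range(1, n)) / (n - 1)

def solovay_strassen(n, rounds=20, seed=1):
    """'composite' is certain; 'probably prime' errs with probability <= 2^-rounds."""
    if n < 2 or n % 2 == 0:
        return "composite" if n != 2 else "prime"
    rng = random.Random(seed)
    for _ in range(rounds):
        if ss_witness(n, rng.randrange(1, n)):
            return "composite"
    return "probably prime"

if __name__ == "__main__":
    print(jacobi(2, 7), jacobi(3, 7), jacobi(2, 15))     # 1 -1 1
    print(ss_witness(561, 2), ss_witness(561, 5))       # False True: 2 is a liar for 561
    print(witness_fraction(561) >= 0.5, witness_fraction(7))   # True 0.0
    print(solovay_strassen(561), solovay_strassen(1000003))
```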

Definitions

$Z_n^*$ = set of all nonnegative numbers < n which are relatively prime to n.

generator g of $Z_n^*$: such that for all $x \in Z_n^*$ there is i such that $g^i \equiv x \pmod n$

Theorem of Solovay & Strassen

Theorem

If n is composite, then $|G| \le \frac{n-1}{2}$
where $G = \{a \mid W_n(a \bmod n) \text{ false}\}$

Proof

Case $G \ne Z_n^*$:
G is a subgroup of $Z_n^*$, so $|G| \le \frac{|Z_n^*|}{2} \le \frac{n-1}{2}$

Theorem of Solovay & Strassen (cont'd)

Case $G = Z_n^*$:

Use proof by contradiction.
So $a^{(n-1)/2} \equiv J(a, n) \pmod n$ for all a relatively prime to n.
Let n have prime factorization
$n = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k}$ (order the primes so that $\alpha_1$ is the largest exponent)
Let g be a generator of $Z_{m_1}^*$ where $m_1 = p_1^{\alpha_1}$

Theorem of Solovay & Strassen (cont'd)

Then by Chinese Remainder Theorem,
$\exists$ unique a s.t. $a \equiv g \pmod{m_1}$ and $a \equiv 1 \pmod{n/m_1}$
Since a is relatively prime to n, $a \in Z_n^*$,
so $a^{n-1} \equiv 1 \pmod n$
and $g^{n-1} \equiv 1 \pmod{m_1}$

Theorem of Solovay & Strassen (cont'd)

Case $\alpha_1 \ge 2$.
Then the order of g in $Z_{m_1}^*$ is $p_1^{\alpha_1 - 1}(p_1 - 1)$ by known formula,
a contradiction since the order divides n-1 (but $p_1$ divides n, so $p_1$ does not divide n-1).

Theorem of Solovay & Strassen (cont'd)

Case $\alpha_1 = \alpha_2 = \cdots = \alpha_k = 1$.
Since $n = p_1 \cdots p_k$,
$J(a, n) = \prod_{i=1}^{k} J(a, p_i) = J(g, p_1) \prod_{i \ge 2} J(a, p_i)$
since $a \equiv g \pmod{p_i}$ for $i = 1$ and $a \equiv 1 \pmod{p_i}$ for $i \ne 1$.
So $J(a, n) \equiv -1 \pmod n$, since $J(1, p_i) = 1$ and $J(g, p_1) = -1$.

Theorem of Solovay & Strassen (cont'd)

We have shown $J(a, n) \equiv -1 \pmod n$
$\Rightarrow J(a, n) \equiv -1 \pmod{n/m_1}$
But by assumption $a \equiv 1 \pmod{n/m_1}$,
so $a^{(n-1)/2} \equiv 1 \pmod{n/m_1}$
Hence $a^{(n-1)/2} \not\equiv J(a, n) \pmod{n/m_1}$,
a contradiction with Gauss's Law!

Miller

Miller's Primality Test

$W_n(a) = (\gcd(a, n) \ne 1)$
or $(a^{n-1} \not\equiv 1 \pmod n)$
or $\gcd\big((a^{(n-1)/2^i} \bmod n) - 1,\; n\big) \ne 1$ for some $i \in \{1, \ldots, k\}$
where $k = \max\{i \mid 2^i \text{ divides } n-1\}$

Miller (cont'd)

Theorem (Miller)
Assuming the extended RH, if n is composite, then $W_n(a)$ holds for some
$a \in \{1, 2, \ldots, c \log^2 n\}$
Miller's Test assumes extended RH (not proved)

Miller-Rabin Randomized Primality Test

choose a random $a \in \{1, \ldots, n-1\}$
test $W_n(a)$

Theorem

if n is composite then Prob($W_n(a)$ holds) $\ge \frac{1}{2}$

gives another randomized, polytime algorithm for primality!
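Miller's witness $W_n(a)$ from the previous slides with a random a, as an added example (my code, not the slides'). One caveat a practitioner needs: in the third condition the gcd must be a proper divisor, $1 < \gcd < n$, because a gcd equal to n only says $a^{(n-1)/2^i} \equiv 1$ and reveals nothing (for a prime n the condition would otherwise fire on every a). The code returns that divisor when it finds one, which on the Carmichael number 561 is an actual factor. Assumes n odd, n ≥ 3.

```python
# Added example (not from the slides): Miller's witness W_n(a) with the gcd
# condition checked for a proper divisor, and the Miller-Rabin random test.
import random
from math import gcd

def split_power_of_two(m):
    """Returns (k, odd) with m = 2^k * odd, i.e. k = max{i | 2^i divides m}."""
    k = 0
    while m % 2 == 0:
        m //= 2
        k += 1
    return k, m

def miller_witness(n, a):
    """Returns (is_witness, factor); factor is a proper divisor of n when the
    gcd condition fires, else None."""
    a %= n
    g = gcd(a, n)
    if g != 1:                                      # condition 1
        return True, (g if 1 < g < n else None)
    if pow(a, n - 1, n) != 1:                       # condition 2 (Fermat)
        return True, None
    k, _ = split_power_of_two(n - 1)
    for i in range(1, k + 1):                       # condition 3
        g = gcd(pow(a, (n - 1) >> i, n) - 1, n)     # gcd(a^((n-1)/2^i) mod n - 1, n)
        if 1 < g < n:
            return True, g
    return False, None

def miller_rabin(n, rounds=20, seed=1):
    """'composite' is certain; 'probably prime' errs with probability <= 2^-rounds
    by the theorem above (each random a is a witness with probability >= 1/2)."""
    if n < 2 or n % 2 == 0:
        return "composite" if n != 2 else "prime"
    rng = random.Random(seed)
    for _ in range(rounds):
        if miller_witness(n, rng.randrange(1, n))[0]:
            return "composite"
    return "probably prime"

if __name__ == "__main__":
    print(split_power_of_two(560))       # (4, 35): 560 = 2^4 * 35
    print(miller_witness(561, 2))        # (True, 33): 2 passes Fermat but exposes 3*11
    print(miller_witness(7, 2))          # (False, None)
    print(miller_rabin(561), miller_rabin(97))
```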
