
Chapter 3 Introduction to Number Theory and Its applications

Chapter 3 Introduction to Number Theory and Its Applications. Cheng-Chia Chen. Outline: Division, Primes, gcd and lcm, Modular Arithmetic, Chinese Remainder Theorem, Fermat's little theorem, the RSA algorithm.



  1. Chapter 3 Introduction to Number Theory and Its Applications. Cheng-Chia Chen

  2. outline • Division • Prime • Gcd and Lcm • Modular Arithmetic • Chinese Remainder Theorem • Fermat’s little theorem • The RSA algorithm

  3. Division
  Def: a, b ∈ Z with a ≠ 0. We say a divides b (written a | b) if ∃ k ∈ Z s.t. b = ka.
  • a | b ⇒ a is a factor (or divisor) of b, and b is a multiple of a.
  • Ex: 3 | 12 (∵ 12 = 4 × 3); −4 | 8; 13 | 0 (0 = 0 × 13); 3 ∤ 7.

  4. Properties of |
  • a | b ∧ a | c ⇒ a | (b + c)
  • a | b ⇒ a | bc for all c ∈ Z
  • | is reflexive (a | a for all a ∈ Z, a ≠ 0)
  • | is transitive (a | b ∧ b | c ⇒ a | c)
    pf: a | b ∧ b | c ⇒ b = k1 a and c = k2 b for some k1, k2 ∈ Z ⇒ c = k2 (k1 a) = (k1 k2) a.
  • a | b ∧ b | a ⇒ |a| = |b|

  5. Primes
  • An integer p > 1 is said to be prime if ∀ n ∈ N+ (n | p ⇒ n = 1 ∨ n = p), i.e., the only positive factors of p are 1 and p.
  • If p > 1 and p is not prime, then p is composite.
  • Examples: 7 is prime; the primes < 20 are 2, 3, 5, 7, 11, 13, 17, 19.

  6. The fundamental theorem of arithmetic (FTA)
  • ∀ n ∈ N+ with n > 1, there exists a unique non-decreasing sequence of primes p1 ≤ p2 ≤ … ≤ pk (k ≥ 1) s.t. n = p1 × p2 × … × pk.
  • Ex: 100 = 2 × 2 × 5 × 5; 999 = 3 × 3 × 3 × 37.

  7. Proof of FTA
  (Existence) By strong induction on n > 1.
  • Basis: n = 2 is prime, so k = 1 and p1 = 2.
  • Inductive step: n > 2.
    • if n is prime, then n = p1, where p1 = n and k = 1.
    • if n is not prime, then n = n1 × n2 with 1 < n1, n2 < n
      ⇒ by the induction hypothesis n1 = q1 × q2 × … × qt and n2 = r1 × r2 × … × rs
      ⇒ n = n1 × n2 = q1 × … × qt × r1 × … × rs
      ⇒ n = p1 × … × p(s+t), where p1, …, p(s+t) is a non-decreasing reordering of q1, …, qt and r1, …, rs.
  (Uniqueness) Suppose n = p1 × … × pk × q1 × … × qs = p1 × … × pk × r1 × … × rt, where p1, …, pk are the primes the two factorizations have in common and no qi equals any rj. Cancelling the common primes leaves q1 × … × qs = r1 × … × rt, two equal products with no prime in common, which is impossible (a contradiction, proved on slide 25 using Lemma 2). Hence the factorization is unique.

  8. Theorem 3
  • If n is composite ⇒ ∃ a with 1 < a ≤ √n s.t. a | n.
  pf: n is composite ⇒ n = p × q with p, q > 1. If p > √n ∧ q > √n ⇒ pq > √n · √n = n, a contradiction. Hence n must have a factor ≤ √n (and therefore also a prime factor ≤ √n).
  Example: 101 is prime. pf: ⌊√101⌋ = 10, and no prime ≤ 10 (2, 3, 5, 7) is a factor of 101.

  9. The division algorithm
  • ∀ a ∈ Z, d ∈ N+ ∃! q, r s.t. a = qd + r where 0 ≤ r < d.
  Def: if a = dq + r with 0 ≤ r < d, then d is called the divisor, a the dividend, q the quotient and r the remainder.
  • Examples: 101 = 11 · 9 + 2; −11 = −4 · 3 + 1.
  • Note: d | a iff r = 0.

  10. Proof of the division algorithm
  Existence: consider the Z-indexed sequence … a − 3d, a − 2d, a − d, a, a + d, a + 2d, a + 3d, …
  • Let r = a − qd be the smallest nonnegative number in the sequence.
    1. Since the sequence is strictly increasing and unbounded in both directions, such a q (and r) exists and is unique.
    2. If r ≥ d, then r' = r − d = a − (q + 1)d ≥ 0 is another nonnegative number in the sequence smaller than r. That is a contradiction. Hence r < d.
  Uniqueness: if both (q, r) and (q', r') satisfy the condition, then r − r' = (q' − q)d (*). Since −d < r − r' < d and (q' − q)d is a multiple of d, (*) holds only if r − r' = 0, and then q' − q = 0 as well. QED

  11. gcd and lcm
  • a, b ∈ Z, ab ≠ 0. If d | a and d | b ⇒ d is a common divisor of a and b.
  • gcd(a, b) =def the greatest common divisor of a and b.
  Notes:
  1. The set cd(a, b) = {x > 0 : x | a and x | b} is a finite subset of N+ (∵ {1} ⊆ cd(a, b) ⊆ {1, …, min(|a|, |b|)}) ⇒ gcd(a, b) must exist.
  • Ex: gcd(24, 36) = ?
    factors of 24: 1, 2, 3, 4, 6, 8, 12, 24
    factors of 36: 1, 2, 3, 4, 6, 9, 12, 18, 36
    ⇒ cd(24, 36) = {1, 2, 3, 4, 6, 12} ⇒ gcd(24, 36) = 12.
  2. The same definitions (cd and gcd) extend to more than two arguments (ex: cd(8, 12, 18) = {1, 2} and gcd(8, 12, 18) = 2).

  12. Relatively prime
  • If gcd(a, b) = 1 we say a and b are relatively prime (r.p.). Ex: gcd(17, 22) = 1.
  • a1, a2, …, an are pairwise r.p. if gcd(ai, aj) = 1 for all 1 ≤ i < j ≤ n.
  • Ex: 10, 17, 21 are p.r.p.; 10, 19, 24 are not p.r.p. since gcd(10, 24) = 2.
  • Proposition 1: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yi ≥ 0, then gcd(a, b) = s =def p1^z1 p2^z2 … pn^zn where zi = min(xi, yi) for all 1 ≤ i ≤ n.
  • Ex: 100 = 2^2 3^0 5^2 and 30 = 2^1 3^1 5^1 ⇒ gcd(100, 30) = 2^1 3^0 5^1 = 10.

  13. lcm (least common multiple)
  • a, b ∈ Z, c ∈ N+. If a | c and b | c ⇒ c is a common multiple of a and b.
  • lcm(a, b) =def the least common multiple of a and b.
  Note: the set cm(a, b) = {x > 0 : a | x and b | x} ≠ ∅ (∵ |a · b| ∈ cm(a, b)) ⇒ lcm(a, b) must exist.
  Proposition 2: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yi ≥ 0, then lcm(a, b) = t =def p1^z1 p2^z2 … pn^zn where zi = max(xi, yi) for all 1 ≤ i ≤ n.
  pf: Since t ∈ cm(a, b), it suffices to show t is a lower bound of cm(a, b). For any c ∈ cm(a, b), pi^xi | a | c and pi^yi | b | c ⇒ pi^max(xi, yi) | c for every i. The prime powers pi^zi are pairwise relatively prime, so t = ∏ pi^zi | c (Lem(*) on slide 38), and hence t ≤ c.
  Theorem 5: gcd(a, b) · lcm(a, b) = |ab|.
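The following is an added worked example, not code from the slides: it computes the FTA factorization of slides 6 and 7 by trial division, uses the √n bound of Theorem 3 (slide 8) both to stop the division loop and as the primality check applied to 101, and then derives gcd and lcm from prime exponents exactly as Propositions 1 and 2 (slides 12 and 13) state, including the multi-argument gcd of slide 11. All function names are this example's own choices; the inputs are the slides' numbers.

```python
"""Added example (not from the slides): FTA by trial division, Theorem 3's sqrt(n)
bound, and gcd/lcm from prime exponents (Propositions 1 and 2).
Function names are this example's own choices."""
from collections import Counter
from math import isqrt, prod


def prime_factors(n):
    """Non-decreasing list of primes p1 <= ... <= pk with n = p1 * ... * pk (FTA).
    n = 1 is returned as the empty product []."""
    if n < 1:
        raise ValueError("need n >= 1")
    factors = []
    d = 2
    # Theorem 3: if the remaining cofactor n is composite it has a divisor d <= sqrt(n),
    # so once d * d > n the cofactor is 1 or a prime and the loop can stop.
    while d * d <= n:
        while n % d == 0:          # every d that divides here is prime: all of its
            factors.append(d)      # smaller prime factors were already divided out
            n //= d
        d += 1
    if n > 1:
        factors.append(n)          # leftover cofactor is the last (largest) prime
    return factors


def is_prime(n):
    """Trial division up to floor(sqrt(n)), the check used for 101 on slide 8."""
    if n < 2:
        return False
    return all(n % d != 0 for d in range(2, isqrt(n) + 1))


def exponents(n):
    """{p: x} with n = product of p**x, i.e. the p1^x1 ... pn^xn form of Proposition 1.
    A Counter returns 0 for a prime that does not occur, which is exactly xi = 0."""
    return Counter(prime_factors(n))


def gcd_by_exponents(*nums):
    """Proposition 1, extended to several arguments as slide 11 allows: min of exponents."""
    exps = [exponents(n) for n in nums]
    primes = set().union(*exps)
    return prod(p ** min(e[p] for e in exps) for p in primes)


def lcm_by_exponents(*nums):
    """Proposition 2: max of exponents."""
    exps = [exponents(n) for n in nums]
    primes = set().union(*exps)
    return prod(p ** max(e[p] for e in exps) for p in primes)


if __name__ == "__main__":
    for n in (100, 999, 101):
        print(n, prime_factors(n), "prime" if is_prime(n) else "composite")
    print("gcd(24,36) =", gcd_by_exponents(24, 36), " lcm(24,36) =", lcm_by_exponents(24, 36))
```

Trial division costs about √n steps, i.e. exponential in the bit length of n; that is fine for the classroom numbers here and is the same obstacle, at scale, that slide 47 relies on when it says factoring an RSA modulus is hard.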

  14. Modular Arithmetic
  Def 8: m ∈ N+, a ∈ Z. a mod m =def the remainder r (0 ≤ r < m) of a divided by m.
  • Ex: 17 mod 5 = 2; −133 mod 9 = 2 (∵ −133 = −15 · 9 + 2).
  Def 9: a, b ∈ Z, m ∈ N+. a ≡ b (mod m) means m | (a − b),
  • i.e., a and b have the same remainder when divided by m,
  • i.e., a mod m = b mod m.
  • We say a is congruent to b (modulo m).
  • Ex: 17 ≡ 5 (mod 6)? Yes, since 6 | 12. 24 ≡ 14 (mod 6)? No, since 6 ∤ 10.

  15. Properties of congruence
  Theorem 6: a ≡ b (mod m) iff a = km + b for some k ∈ Z.
  pf: a ≡ b (mod m) ⇔ (a − b) = km ⇔ a = km + b.
  Theorem 7: If m > 0, a ≡ b (mod m) and c ≡ d (mod m), then (1) a + c ≡ b + d (mod m), (2) ac ≡ bd (mod m), (3) −a ≡ −b (mod m).
  pf: By the premise, a = km + b and c = sm + d for some k, s ⇒ a + c = (b + d) + (k + s)m, ac = bd + (kd + sb + skm)m, and (−a) − (−b) = (−k)m ⇒ (1), (2) and (3) hold.
  Ex: 7 ≡ 2 (mod 5), 11 ≡ 1 (mod 5) ⇒ 18 ≡ 3, 77 ≡ 2 and −7 ≡ −2 (mod 5).

  16. The Euclidean Algorithm
  Lemma 1: a = bq + r ⇒ gcd(a, b) = gcd(b, r).
  pf: It suffices to show that cd(a, b) = cd(b, r). But for any integer d:
  • d | a ∧ d | b ⇒ d | r since r = a − bq, and
  • d | b ∧ d | r ⇒ d | a since a = bq + r.
  Hence cd(a, b) = cd(b, r), and gcd(a, b) = gcd(b, r).
  Note:
  • if a = bq + 0 ⇒ gcd(a, b) = gcd(b, 0) = b (for b > 0).
  • Corollary: gcd(a, b) = gcd(b, c) if a is a linear combination (l.c.) of b and c, and c is a l.c. of a and b.

  17. A simple algorithm:
    gcd(a, b) {                 // a, b ≥ 0
      if (b == 0) return a;
      else return gcd(b, a mod b);
    }
  Notes:
  1. This algorithm is very efficient: O(log b) recursive calls, by Lamé's theorem.
  2. The (tail) recursion of the above algorithm can be replaced by an iterative version as follows:
    igcd(int a, int b) {        // a, b ≥ 0
      while (b != 0) {          // (a, b) ← (b, a % b)
        int temp = a; a = b; b = temp % b;
      }
      return a;
    }

  18. gcd(662, 414) = ?
  ∴ gcd(662, 414) = gcd(414, 248) = … = gcd(2, 0) = 2.

  19. Theorem 1
  • a > b ≥ 0 ⇒ gcd(a, b) = sa + tb for some s, t ∈ Z, i.e., gcd(a, b) is an integer linear combination of a and b.
  Pf: By strong induction on b.
  Basis: b = 0 ⇒ gcd(a, b) = a = 1 · a + 0 · b.
  Inductive case: b > 0.
  case 1: b | a ⇒ gcd(a, b) = b = 0 · a + 1 · b.
  case 2: b ∤ a ⇒ gcd(a, b) = gcd(b, r) where 0 < r = a mod b < b. By I.H. gcd(b, r) = sb + tr. But r = a − bq with q = ⌊a/b⌋, ∴ gcd(a, b) = gcd(b, r) = sb + tr = sb + t(a − bq) = t · a + (s − qt) · b. QED
  • Conclusion: if (s(n+1), t(n+1)) are the coefficients for the pair (b, r), then the coefficients for (a, b) are (sn, tn) = (t(n+1), s(n+1) − qn · t(n+1)).

  20. Example
  • gcd(252, 198) = 18 = ___ · 252 + ___ · 198. Sol:
  Exercise: Let L(a, b) = {sa + tb | s, t ∈ Z} be the set of all linear combinations of a and b. Show that gcd(a, b) is the smallest positive member of L(a, b).
  pf: let g = gcd(a, b). By Theorem 1, g is a linear combination of a and b, hence g ∈ L(a, b). Now let m = sa + tb be any positive number in L(a, b). Since g | a and g | b, we have g | sa + tb = m > 0 and hence g ≤ m. As a result g is the least positive member of L(a, b).
  Theorem 1.1: gcd(a, b) is the least positive integer linear combination of a and b.

  21. gcd(662, 414) = ?
  ∴ gcd(662, 414) = gcd(414, 248) = … = gcd(2, 0) = 2 = 1 × 2 + 0 × 0 = … = −5 × 662 + 8 × 414.

  22. The extended gcd algorithm
    // input: a ≥ b ≥ 0; output: (c, s, t) s.t. c = gcd(a, b) = s · a + t · b.
    egcd(a, b) : Z^3 {
      if (b == 0) return (a, 1, 0);
      let (rlt, s, t) = egcd(b, a mod b);      // rlt = s · b + t · (a mod b)
      return (rlt, t, s − t * (a / b));        // a / b is integer division
    }
  • What is a non-recursive algorithm for egcd?

  23. Non-recursive algorithm for egcd
    // input: a ≥ b ≥ 0; output: (c, s, t) s.t. c = gcd(a, b) = s · a + t · b.
    Egcd(int a, int b) {
      Stack<int> quotients = new Stack();
      while (b != 0) {
        quotients.push(a / b);                 // integer division
        int temp = a; a = b; b = temp % b;     // (a, b) ← (b, a % b)
      }
      int s = 1, t = 0, rlt = a;               // gcd(rlt, 0) = 1 · rlt + 0 · 0
      while (!quotients.isEmpty()) {
        int q = quotients.pop();
        int s0 = s; s = t; t = s0 − q * t;     // (s, t) ← (t, s − q · t)
      }
      return (rlt, s, t);
    }

  24. Lemma 1 and Lemma 2
  Lemma 1: gcd(a, b) = 1 ∧ a | bc ⇒ a | c. (must remember!)
  pf: gcd(a, b) = 1 ⇒ 1 = sa + tb for some s, t ∈ Z ⇒ c = sac + tbc = sac + tka (∵ a | bc, say bc = ka) = (sc + tk) · a ∴ a | c.
  Corollary 1': a | bc ⇒ (a/d) | c, where d = gcd(a, b).
  Lemma 2': p prime ∧ p ∤ a ⇒ gcd(p, a) = 1.
  pf: cd(p, a) ⊆ factors of p = {1, p}, but p is not a factor of a. Hence gcd(p, a) = 1.
  Lemma 2: p prime ∧ p | a1 a2 … an ⇒ p | ai for some i.
  pf: By induction on n. Basis: n = 1, trivial. Inductive case: n = k + 1, p | a1 a2 … ak a(k+1). If p | a1 we are done. Otherwise p ∤ a1 and gcd(p, a1) = 1 by Lemma 2'. By Lemma 1, p | (a2 … a(k+1)) ⇒ p | ai for some 2 ≤ i ≤ k + 1 by the I.H.

  25. Uniqueness of FTA
  Pf: Suppose ∃ two distinct non-decreasing sequences of primes p1, …, ps and q1, …, qt with n = p1 × … × ps = q1 × … × qt. Removing all common primes from both sides leaves m =def p(i1) × … × p(iu) = q(j1) × … × q(jv), where no remaining pi equals any remaining qj. Since the sequences were distinct, at least one side is a nonempty product, so m > 1, and then the other side must be nonempty too. ⇒ p(i1) | m = q(j1) × … × q(jv) ⇒ p(i1) | qj for some j (Lemma 2), i.e., p(i1) = qj (a contradiction!!).

  26. Theorem 2
  • m > 0 ∧ ac ≡ bc (mod m) ∧ gcd(m, c) = 1 ⇒ a ≡ b (mod m).
  Pf: ac ≡ bc (mod m) ⇒ m | (ac − bc) = (a − b)c. ∵ gcd(m, c) = 1 ∴ m | (a − b) (Lemma 1) ∴ a ≡ b (mod m).
  Notes:
  • In general: ac ≡ bc (mod m) implies a ≡ b (mod m/d), where d = gcd(m, c).
  • If m is prime and c ≢ 0 (mod m) [so gcd(m, c) = 1], then ac ≡ bc (mod m) implies a ≡ b (mod m), like ordinary arithmetic.

  27. Lemma 3
  Let c be a positive integer, then gcd(ac, bc) = c · gcd(a, b).
  pf: By Theorem 1.1, gcd(ac, bc) is the least positive member of L(ac, bc) = {s · ac + t · bc | s, t ∈ Z} = {c · (sa + tb) | s, t ∈ Z} = c · L(a, b). Since c > 0, the least positive member of c · L(a, b) is c times the least positive member of L(a, b), which is c · gcd(a, b) by Theorem 1.1 again.

  28. Lemma 4
  Let a = p1^x1 p2^x2 … pm^xm and b = q1^y1 q2^y2 … qn^yn, where all pi's and qj's are primes and all xi, yj > 0. If {p1, …, pm} ∩ {q1, …, qn} = ∅, then gcd(a, b) = 1.
  pf: Assume gcd(a, b) ≠ 1 and let r be any prime factor of gcd(a, b). Then r | a and r | b. By Lemma 2, r must be one of {p1, …, pm} and one of {q1, …, qn}. This implies {p1, …, pm} ∩ {q1, …, qn} ≠ ∅, a contradiction! Hence gcd(a, b) = 1.

  29. Proof of Proposition 1 for gcd
  • Proposition 1: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yi ≥ 0, then gcd(a, b) = s =def p1^z1 p2^z2 … pn^zn where zi = min(xi, yi) for all 1 ≤ i ≤ n.
  pf: Let c = a/s and d = b/s. Then c = p1^(x1−z1) … pn^(xn−zn) ∈ Z and d = p1^(y1−z1) … pn^(yn−zn) ∈ Z. Hence by Lemma 3, gcd(a, b) = s · gcd(c, d). For each i, at least one of xi − zi and yi − zi is 0, so c and d have no common prime factor, and by Lemma 4 gcd(c, d) = 1. As a result, gcd(a, b) = s.
  Exercise: Show that c is a factor of a = p1^x1 p2^x2 … pn^xn iff c = p1^y1 p2^y2 … pn^yn where xk ≥ yk ≥ 0 for all 1 ≤ k ≤ n.

  30. Linear Congruence
  Ex: Find an x such that 7x ≡ 2 (mod 5). sol: x = 6. How to find it?
  Analogy: how to solve the equation ax = b? Let a^(−1) be the inverse of a (i.e., 1/a) ⇒ a^(−1) a x = a^(−1) b ⇒ x = a^(−1) b = b/a.
  Def: Equations of the form ax ≡ b (mod m) are called linear congruence equations.
  Def: Given (a, m), any integer a' satisfying the condition a a' ≡ 1 (mod m) is called an inverse of a (mod m).
  Ex: Since 7 × 3 = 21 ≡ 1 (mod 5), 3 is an inverse of 7 mod 5. Hence 3 × 2 = 6 is a solution of 7x ≡ 2 (mod 5).

  31. General solution of ax ≡ b (mod m)
  Proposition: a a' ≡ 1 (mod m) ⇒ x = a'b + km (k ∈ Z) is the general solution of the congruence equation ax ≡ b (mod m).
  Pf: 1. aa' ≡ 1 ⇒ aa'b ≡ b ⇒ a(a'b + km) ≡ b (mod m) ⇒ a'b + km is a solution for any k ∈ Z.
  2. y is a solution ⇒ ay ≡ b (mod m) ⇒ a'ay ≡ a'b (mod m) ⇒ y ≡ 1 · y ≡ a'ay ≡ a'b (mod m) ⇒ m | (y − a'b) ⇒ y = a'b + km for some k.

  32. Theorem 3 (existence and uniqueness of the inverse)
  • m > 0, gcd(a, m) = 1. Then ∃ b ∈ Z s.t.
  1. ab ≡ 1 (mod m), and
  2. if ab ≡ ac [≡ 1] (mod m) then b ≡ c (mod m).
  Pf: 1. gcd(a, m) = 1 ⇒ ∃ b, t with ba + tm = 1 (Theorem 1). Since ab − 1 = (−t)m, ab ≡ 1 (mod m).
  2. Since gcd(a, m) = 1, by Theorem 2 we can cancel a from both sides.
  Note: Theorem 3 means that the inverse of a mod m exists and is unique modulo m (and hence is well defined) if a and m are relatively prime.

  33. Examples
  Ex: Find a s.t. 3a ≡ 1 (mod 7).
  Sol: since gcd(3, 7) = 1, the inverse of 3 (mod 7) exists and can be computed by the Euclidean algorithm: 7 = 3 × 2 + 1 ⇒ 1 = 7 + 3 · (−2) ⇒ 3 · (−2) ≡ 1 (mod 7) ⇒ a = −2 + 7k for all k ∈ Z (e.g., a = 5).
  Ex: Find all solutions of 3x ≡ 4 (mod 7).
  Sol: −2 is an inverse of 3 (mod 7). Hence 3 · (−2) ≡ 1 (mod 7) ⇒ 3 · (−2) · 4 ≡ 1 · 4 (mod 7), so x = (−2) · 4 is a particular solution ⇒ x = 4 · (−2) + 7k, k ∈ Z, i.e., x ≡ 6 (mod 7), is the general solution.
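The following is an added worked example, not code from the slides. It implements the extended Euclidean algorithm of slides 22 and 23 in its iterative form, uses it for the modular inverse of Theorem 3 (slide 32), and then solves a general linear congruence ax ≡ b (mod m) as in slides 30, 31 and 33. It goes one step beyond the slides' worked cases: when gcd(a, m) = d > 1 it applies the note under Theorem 2 (cancel d and work mod m/d) and returns all d solutions, or none when d ∤ b. Function names are this example's own; the numbers are the slides' examples.

```python
"""Added example (not from the slides): iterative extended Euclid, inverse mod m,
and the full solution set of a x ≡ b (mod m), including the non-coprime case.
Function names are this example's own choices."""


def egcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b (Theorem 1).

    Runs the coefficient recurrence (s, t) <- (t, s - q*t) of slides 19 and 23
    forward alongside the remainders, so no stack of quotients is needed.
    Loop invariants: old_r = old_s*a + old_t*b and r = s*a + t*b.
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r          # (a, b) <- (b, a mod b), as in igcd
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:                            # gcd is reported positive for negative inputs
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def modinv(a, m):
    """The inverse of a mod m, reduced into [0, m); raises if gcd(a, m) != 1 (Theorem 3)."""
    g, s, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd = {g}")
    return s % m


def solve_linear_congruence(a, b, m):
    """All solutions of a x ≡ b (mod m) in [0, m), as a sorted list.

    Let d = gcd(a, m). If d does not divide b there is no solution. Otherwise
    divide a, b and m by d (the note under Theorem 2), solve the now coprime
    congruence with slide 31's x = a'b, and lift: exactly d solutions mod m.
    """
    d, _, _ = egcd(a, m)
    if b % d != 0:
        return []
    a1, b1, m1 = a // d, b // d, m // d
    x0 = (b1 * modinv(a1, m1)) % m1          # particular solution mod m1 = m/d
    return [x0 + k * m1 for k in range(d)]   # x0, x0 + m/d, ..., x0 + (d-1) m/d


if __name__ == "__main__":
    print("egcd(662, 414) =", egcd(662, 414))          # slide 21: -5*662 + 8*414 = 2
    print("3^-1 mod 7 =", modinv(3, 7))                # slide 33: -2 ≡ 5
    print("3x ≡ 4 (mod 7):", solve_linear_congruence(3, 4, 7))
    print("4x ≡ 2 (mod 6):", solve_linear_congruence(4, 2, 6))
```

The sign normalisation at the end of `egcd` is what lets `modinv` accept a negative `a`; with the slides' precondition a ≥ b ≥ 0 it is never triggered.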

  34. The Chinese Remainder Theorem
  • Ex: Find all integers x satisfying the equations simultaneously:
    x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).
  • Theorem 4: m1, m2, …, mn pairwise relatively prime. The system of congruence equations
    x ≡ a1 (mod m1), x ≡ a2 (mod m2), …, x ≡ an (mod mn)
    has a unique solution modulo m = m1 m2 … mn.

  35. How the CRT problem is solved
  Analogy: find a polynomial f(x) of degree < n passing through n given points.
  • Ex: Find a polynomial of degree < 3 passing through (1, 2), (3, 5), (5, 4).
  • Intuition:
    1. For each point (ai, bi), i ∈ [1, n], construct a polynomial fi(x) of degree < n with the properties
       1.1. fi(ai) = bi and
       1.2. fi(ak) = 0 for all k ∈ [1, n] \ {i}.
    2. Suppose we can find all such fi(x)'s; then F(x) = Σ(j=1..n) fj(x) is the solution.
    pf: F(ai) = fi(ai) + Σ(k≠i) fk(ai) = bi + 0 for all i ∈ [1, n].

  36. Ex: Find a polynomial of degree < 3 passing through (1, 2), (3, 5), (5, 4).
  Solution:
  1. Find f1(x) with f1(1) = 2 and f1(3) = f1(5) = 0.
     ⇒ f1(x) must have the factor (x − 3)(x − 5): f1(x) = c1 (x − 3)(x − 5)
     ⇒ since f1(1) = 2, 2 = c1 (1 − 3)(1 − 5) ⇒ c1 = 2 / ((1 − 3)(1 − 5))
     ⇒ f1(x) = 2 (x − 3)(x − 5) / ((1 − 3)(1 − 5)).
  2. Similarly, f2(x) = 5 (x − 1)(x − 5) / ((3 − 1)(3 − 5)) and f3(x) = 4 (x − 1)(x − 3) / ((5 − 1)(5 − 3)),
     and F(x) = f1(x) + f2(x) + f3(x) is the solution.

  37. Proof of the Chinese remainder theorem (CRT)
  Pf: Let Mk = m / mk for 1 ≤ k ≤ n. Note: 1. gcd(mk, Mk) = 1 (the moduli are pairwise relatively prime; Lemma 4) and 2. mi | Mk if i ≠ k. Hence ∃ sk, yk s.t. sk mk + yk Mk = 1, i.e., yk is an inverse of Mk mod mk. Now Mk yk ≡ 1 (mod mk) and Mk yk ≡ 0 (mod mj) for all j ≠ k. Let x = a1 M1 y1 + … + an Mn yn. Then x ≡ a1 M1 y1 + … + an Mn yn ≡ ak Mk yk ≡ ak (mod mk) for all 1 ≤ k ≤ n.

  38. Proof of the uniqueness part
  If x and y both satisfy the equations, then x − y ≡ 0 (mod mk) for all k = 1..n ⇒ ∃ s1, …, sn with x − y = s1 m1 = … = sn mn. Since gcd(mi, mk) = 1 for all i ≠ k and mk | s1 m1, we have mk | s1 for all k ≠ 1 (Lemma 1). Hence, by Lem(*) applied repeatedly, s1 is a multiple of m2 m3 … mn, and x − y = s1 m1 is a multiple of m = m1 m2 … mn. Hence x ≡ y (mod m). QED
  Lem(*): If gcd(m, n) = 1, then m | s and n | s implies mn | s.
  pf: m | s and n | s means s = km = tn. Hence n | km, but since gcd(m, n) = 1, we have n | k (Lemma 1). Hence mn | km = s.

  39. Example
  • Find x with x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).
  • Sol:

  40. An application of CRT
  • Instead of the binary representation, we can use n pairwise relatively prime moduli m1, m2, …, mn as the base of an integer representation: x is represented by (x mod m1, …, x mod mn), and by the CRT this determines x uniquely modulo m1 m2 … mn.
  • Ex: let (m1, …, m5) = (19, 23, 29, 31, 41).
    99 = (4, 7, 12, 6, 17)
    88 = (12, 19, 1, 26, 6)
    ----------------------------------------------------------------
    99 + 88 = (16, 3, 13, 1, 23)
    99 × 88 = (10, 18, 12, 1, 20)
    Addition and multiplication are done component by component, with no carries between components (Theorem 7).
  Problems:
  1. How to detect if a + b (or a × b) overflows, i.e., exceeds m1 m2 … mn?
  2. How to compare values (when is a < b)?
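The following is an added worked example, not code from the slides. It turns the constructive proof of slide 37 into a `crt` routine (with the pairwise-coprimality check that Theorem 4 requires), solves the system of slides 34 and 39, and then uses it as the conversion back from the residue number system of slide 40, reproducing that slide's table with the moduli (19, 23, 29, 31, 41). It also shows problem 1 of slide 40 concretely: a product that exceeds m1 m2 … mn silently wraps, and nothing inside the representation reveals it. The inverse y_k of M_k mod m_k comes from Python's built-in `pow(x, -1, m)` (Python 3.8 or later); function names are this example's own.

```python
"""Added example (not from the slides): the CRT construction of slide 37 and the
residue-number-system arithmetic of slide 40. Function names are this example's own."""
from math import gcd, prod


def crt(residues, moduli):
    """The unique x in [0, m) with x ≡ a_k (mod m_k) for every k, m = product of moduli.
    Raises if the moduli are not pairwise relatively prime (Theorem 4's hypothesis)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    m = prod(moduli)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        M_k = m // m_k                      # M_k ≡ 0 (mod m_j) for every j != k
        y_k = pow(M_k, -1, m_k)             # M_k * y_k ≡ 1 (mod m_k)  (slide 37's y_k)
        x += a_k * M_k * y_k
    return x % m


# Slide 40: pairwise relatively prime moduli used as the "base" of a representation.
RNS_MODULI = [19, 23, 29, 31, 41]
RNS_RANGE = prod(RNS_MODULI)                # only 0 .. RNS_RANGE-1 are representable


def to_rns(x, moduli=RNS_MODULI):
    """x -> (x mod m1, ..., x mod mn)."""
    return [x % m for m in moduli]


def rns_add(u, v, moduli=RNS_MODULI):
    """Component-wise, no carries: Theorem 7(1) applied modulus by modulus."""
    return [(a + b) % m for a, b, m in zip(u, v, moduli)]


def rns_mul(u, v, moduli=RNS_MODULI):
    """Component-wise as well: Theorem 7(2)."""
    return [(a * b) % m for a, b, m in zip(u, v, moduli)]


def from_rns(digits, moduli=RNS_MODULI):
    """Recover the integer by CRT; correct only if the true value is < prod(moduli).
    Slide 40, problem 1: an overflow is invisible here, the value just wraps."""
    return crt(digits, moduli)


if __name__ == "__main__":
    print("x ≡ (2,3,2) mod (3,5,7):", crt([2, 3, 2], [3, 5, 7]))
    a, b = to_rns(99), to_rns(88)
    print("99 + 88 =", rns_add(a, b), "->", from_rns(rns_add(a, b)))
    print("99 x 88 =", rns_mul(a, b), "->", from_rns(rns_mul(a, b)))
    big = rns_mul(to_rns(5000), to_rns(5000))          # 25 000 000 > RNS_RANGE
    print("5000 x 5000 recovered as", from_rns(big), "(wrapped mod", RNS_RANGE, ")")
```

Comparison (problem 2 of slide 40) has the same root cause: the residues carry no magnitude information, so deciding a < b requires converting back with `from_rns`, which is exactly the expensive step the representation was meant to avoid.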

  41. Fermat's little theorem
  • Let a be any positive integer and p a prime number.
  1. If gcd(p, a) = 1, then a^(p−1) ≡ 1 (mod p).
  2. a^p ≡ a (mod p).
  Ex: 1. p = 17, a = 2 ⇒ 2^16 = 65536 = 3855 × 17 + 1 ⇒ 2^16 ≡ 1 (mod 17).
  2. p = 3, a = 20 ⇒ 20^3 − 20 = 8000 − 20 = 7980 is a multiple of 3. Hence 20^3 ≡ 20 (mod 3).

  42. Proof of Fermat's little theorem
  Lemma: for 1 ≤ i < j ≤ p − 1, ia ≢ ja (mod p) and ia ≢ 0 (mod p).
  Pf: ia ≡ ja (mod p) ⇒ p | (j − i)a. Since gcd(p, a) = 1, p | (j − i). But 0 < j − i < p, so p does not divide (j − i), a contradiction. Similarly, since p ∤ i and gcd(p, a) = 1, p ∤ ia.
  The lemma means a, 2a, …, (p − 1)a have p − 1 distinct nonzero remainders when divided by p, i.e., their remainders are 1, 2, …, p − 1 in some order. Hence a × 2a × … × (p − 1)a ≡ 1 × 2 × … × (p − 1) = (p − 1)! (mod p) ⇒ (p − 1)! a^(p−1) ≡ (p − 1)! (mod p) ⇒ p | (p − 1)! (a^(p−1) − 1). ∵ p does not divide (p − 1)! (every factor is < p; Lemma 2), p | a^(p−1) − 1, and hence a^(p−1) ≡ 1 (mod p).
  2. If gcd(p, a) = p ⇒ 0 ≡ a ≡ a^p (mod p). If gcd(p, a) = 1 ⇒ a^(p−1) ≡ 1 (mod p) ⇒ a^p ≡ a (mod p).

  43. Public key encryption and RSA
  (Figure) Encryption: plain text M -> cipher text C, using the public key. Decryption: C -> M', using the private key.
  • The public key can be known to the public.
  • The private key is kept secret.

  44. The RSA algorithm
  • p, q: two large primes (768-bit n has been factored; n of at least 2048 bits is recommended today),
  • n = pq
  • e = any number with gcd(e, (p − 1)(q − 1)) = 1.
  • d = inverse of e (mod (p − 1)(q − 1)), i.e., de ≡ 1 (mod (p − 1)(q − 1)).
  ⇒ public key = (n, e), private key = (n, d).
  note: the two keys play symmetric roles: applying d first and then e also recovers M (this is what RSA signatures rely on).
  C = M^e mod n and M' = C^d mod n.
  Theorem: M' ≡ M (mod n). Hence if 0 ≤ M', M < n ⇒ M' = M.

  45. Proof of the correctness of the RSA algorithm
  • M' = C^d ≡ (M^e)^d ≡ M^(de) ≡ M^(1 + k(p−1)(q−1)) (mod n) for some integer k ≥ 0 (∵ de ≡ 1 (mod (p − 1)(q − 1))).
  case 1: gcd(M, p) = 1. Then C^d = M · (M^(p−1))^(k(q−1)) ≡ M · 1^(k(q−1)) ≡ M (mod p) --- (1) (by Fermat's little theorem).
  case 2: gcd(M, p) = p (i.e., M = mp for some integer m). Then C^d = (mp)^(k(p−1)(q−1)+1) ≡ 0 ≡ M (mod p).
  Similarly, it can be shown that C^d ≡ M (mod q) --- (2).
  ⇒ M' = C^d ≡ M (mod n), ∵ C^d − M is a multiple of p and of q ⇒ C^d − M is a multiple of lcm(p, q) = pq = n (or, by the Chinese Remainder Theorem, M' is the only value in [0, n − 1] satisfying (1) and (2)).

  46. Example
  p = 43, q = 59 ⇒ n = pq = 43 · 59 = 2537. Choose e = 13 with gcd(13, (43 − 1)(59 − 1) = 2436) = 1. d = 937 is an inverse of 13 mod 2436 (13 · 937 = 12181 = 5 · 2436 + 1).
  1. To transmit 'STOP' = 1819 1415 (letters A = 00, …, Z = 25; 2 blocks of length 4, each < n):
     1819^13 mod 2537 = 2081, 1415^13 mod 2537 = 2182 ⇒ C = 2081 2182.
  2. Receive 0981 0461 ⇒ M'1 = 0981^937 mod 2537 = 0704, M'2 = 0461^937 mod 2537 = 1115 ⇒ M' = 0704 1115 = 'HELP'.
  Issue: How to compute 0981^937 (mod 2537) quickly?
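The following is an added worked example, not code from the slides. It runs the RSA example of slides 44 to 46 end to end (p = 43, q = 59, e = 13, the two-letter block encoding A = 00 … Z = 25) and adds the check a practitioner would want after reading the proof on slide 45: a brute-force confirmation that (M^e)^d ≡ M (m​od n) for every M in [0, n), which exercises the gcd(M, p) = p case the proof handles separately. Python's built-in `pow(b, e, m)` does the modular exponentiation; the key size is a classroom toy, and the function names are this example's own.

```python
"""Added example (not from the slides): RSA key setup, the textbook letter-block
encoding, encryption, decryption and an exhaustive correctness check for the toy
key of slide 46. Function names are this example's own choices."""
from math import gcd


def rsa_keygen(p, q, e):
    """(n, e, d) with d = e^-1 mod (p-1)(q-1); raises if e is not invertible (slide 32)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                      # the unique inverse mod (p-1)(q-1)
    return n, e, d


def encode_text(text):
    """'STOP' -> [1819, 1415]: A..Z as 00..25, two letters (four digits) per block."""
    if not (text.isascii() and text.isalpha()) or len(text) % 2:
        raise ValueError("letters A-Z only, even length (pad if needed)")
    digits = "".join(f"{ord(c) - ord('A'):02d}" for c in text.upper())
    return [int(digits[i:i + 4]) for i in range(0, len(digits), 4)]


def decode_blocks(blocks):
    """[704, 1115] -> 'HELP' (blocks are printed zero-padded to four digits)."""
    digits = "".join(f"{b:04d}" for b in blocks)
    return "".join(chr(int(digits[i:i + 2]) + ord("A")) for i in range(0, len(digits), 2))


def rsa_encrypt(blocks, n, e):
    """C = M^e mod n for every block; every block must be < n (slide 44's 0 <= M < n)."""
    if any(not 0 <= M < n for M in blocks):
        raise ValueError("each plaintext block must lie in [0, n)")
    return [pow(M, e, n) for M in blocks]


def rsa_decrypt(blocks, n, d):
    """M' = C^d mod n for every block."""
    return [pow(C, d, n) for C in blocks]


def roundtrip_holds_for_all(n, e, d):
    """Slide 45's theorem checked exhaustively: (M^e)^d ≡ M (mod n) for all M in [0, n),
    including the multiples of p and q that the proof's case 2 covers."""
    return all(pow(pow(M, e, n), d, n) == M for M in range(n))


if __name__ == "__main__":
    n, e, d = rsa_keygen(43, 59, 13)
    print("n, e, d =", n, e, d)
    c = rsa_encrypt(encode_text("STOP"), n, e)
    print("STOP ->", c)
    print("0981 0461 ->", decode_blocks(rsa_decrypt([981, 461], n, d)))
    print("round trip holds for every M:", roundtrip_holds_for_all(n, e, d))
```

The block length 4 is not arbitrary: the largest two-letter block is 2525, which must stay below n = 2537 for the theorem on slide 44 to turn M' ≡ M (mod n) into M' = M.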

  47. Why is it hard to break RSA?
  Given the public key (n, e), the known way to find (n, d) is:
  1. decompose n into p · q,
  2. find the inverse d of e modulo (p − 1)(q − 1).
  Step 2 is easy (extended Euclidean algorithm). But step 1, the factorization of a large number, is computationally hard.
  Note that learning (p − 1)(q − 1) is no easier than step 1: from n and (p − 1)(q − 1) one gets p + q = n − (p − 1)(q − 1) + 1, and then p and q are the roots of z^2 − (p + q)z + n = 0.

  48. How to compute b^n (mod m) for large n
  • mpow1(b, n, m) {           // b, n, m: int; n ≥ 0; m > 0
      int rlt = 1;
      while (n != 0) { rlt = rlt * b; n = n − 1; }
      return rlt % m;
    }
  • Problem: rlt will overflow quickly in the loop!
  • mpow2(b, n, m) {           // b, n, m: int; n ≥ 0; m > 0
      int rlt = 1;
      while (n != 0) { rlt = (rlt * b) % m; n = n − 1; }
      return rlt;
    }
  Problem: needs to perform * and % operations n times.

  49. How to compute b^n (mod m) for large n
  • c.f.: Section 3.6 (page 226; Algorithm 5)
  • mp(r, b, n, m) {           // returns r · b^n mod m using (tail) recursion; n ≥ 0, m > 0
      if (n == 0) return r % m;
      if (n == 2k + 1) return mp(r * b % m, b * b % m, k, m);   // r · b^(2k+1) = (r · b) · (b · b)^k
      if (n == 2k > 0) return mp(r, b * b % m, k, m);           // r · b^(2k) = r · (b · b)^k
    }
  • mp3(b, n, m) { return mp(1, b, n, m); }
  • mpower(b, n, m) {          // non-recursive version of mp3 (& mp)
      int rlt = 1, power = b % m, n' = n;
      while (n' > 0) {         // invariant: rlt · power^n' ≡ b^n (mod m)
        if (n' % 2 == 1) rlt = (rlt * power) % m;
        power = (power * power) % m;
        n' = n' / 2;
      }
      return rlt;              // running time = O(log n) multiplications
    }

  50. Example
  • Compute 3^644 mod 645 using mp3 (& mpower). Note: 644 = (1010000100)2.
  mp3(3, 644, 645) ⇒ mp(1, 3, 644, 645)          (r, b, n, m)
  ⇒ mp(1, 9, 322, 645)
  ⇒ mp(1, 81, 161, 645)
  ⇒ mp(81, 81^2 ≡ 111, 80, 645)
  ⇒ mp(81, 111^2 ≡ 66, 40, 645)
  ⇒ mp(81, 66^2 ≡ 486, 20, 645)
  ⇒ mp(81, 486^2 ≡ 126, 10, 645)
  ⇒ mp(81, 126^2 ≡ 396, 5, 645)
  ⇒ mp(81 × 396 ≡ 471, 396^2 ≡ 81, 2, 645)
  ⇒ mp(471, 81^2 ≡ 111, 1, 645)
  ⇒ mp(471 × 111 ≡ 36, 111^2 ≡ 66, 0, 645) = 36.
  The same states appear in mpower as (rlt, power, n').
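The following is an added worked example, not code from the slides. It implements the `mpower` loop of slide 49 with its invariant made checkable, records the (rlt, power, n') states so the trace of slide 50 for 3^644 mod 645 can be compared step by step, and then applies Fermat's little theorem (slides 41 and 42) as a compositeness test. The caveat it demonstrates is the direction of the theorem: a^(n−1) ≢ 1 (mod n) proves n composite, but a^(n−1) ≡ 1 does not prove n prime, and 645 = 3 · 5 · 43 itself passes the test for base 2 while failing it for base 3 (the value 36 computed on slide 50). Function names are this example's own.

```python
"""Added example (not from the slides): square-and-multiply with a state trace in
the (rlt, power, n') form of slide 50, and Fermat's little theorem as a one-sided
primality test. Function names are this example's own choices."""


def mod_pow_trace(b, n, m):
    """All states (rlt, power, n') of mpower from slide 49, first to last.
    Invariant at every state: rlt * power**n' ≡ b**n (mod m)."""
    if n < 0 or m <= 0:
        raise ValueError("need n >= 0 and m > 0")
    rlt, power, k = 1 % m, b % m, n
    states = [(rlt, power, k)]
    while k > 0:
        if k % 2 == 1:                     # b^(2j+1) = b * (b*b)^j: take one factor now
            rlt = (rlt * power) % m
        power = (power * power) % m        # b^(2j) = (b*b)^j: square, halve the exponent
        k //= 2
        states.append((rlt, power, k))
    return states


def mod_pow(b, n, m):
    """b**n mod m in O(log n) multiplications, never forming b**n itself."""
    return mod_pow_trace(b, n, m)[-1][0]


def fermat_witness(n, base):
    """True if base proves n composite, i.e. base^(n-1) ≢ 1 (mod n) (contrapositive
    of Fermat's little theorem, slide 41). False only means n passed for this base;
    it is NOT a proof that n is prime."""
    if n < 2:
        return True
    return mod_pow(base, n - 1, n) != 1


if __name__ == "__main__":
    for state in mod_pow_trace(3, 644, 645):       # reproduces the trace of slide 50
        print(state)
    print("3^644 mod 645 =", mod_pow(3, 644, 645))
    print("645 composite by base 3:", fermat_witness(645, 3))
    print("645 composite by base 2:", fermat_witness(645, 2), "(passes: 645 = 3*5*43 fools base 2)")
```

In `mod_pow_trace` the multiplier `rlt` is only ever combined with the reduced `power`, so every intermediate product is below m², which is what removes the overflow of `mpow1` without the n-step cost of `mpow2`.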
