Outline

Outline • greatest common divisors and • Euclid’s algorithm • applications of large primes: public-key cryptosystems (RSA) • primality testing • integer factorization

GCD and Euclid’s algorithm gcd(a,b) - the greatest common divisor of integers a and b Euclid(a, b) if b = 0 then return a else return Euclid(b, a mod b) Time complexity?

Euclid’s algorithm - Complexity Euclid(a, b) if b = 0 then return a else return Euclid(b, a mod b) Theorem If a > b 0 and the invocation of Euclid performs k 1 recursivecalls, then a Fk+2 and b  Fk+1. (where Fk - the k-th Fibonacci number)

Euclid’s algorithm - Complexity Theorem If a > b 0 and the invocation of Euclid performs k 1 recursivecalls, then a Fk+2 and b  Fk+1. k = 1  b  1 = F2, a 2 = F3 OK k = n– 1  b  Fn, a  Fn+1 Assume k = n? a mod b  Fn, b  Fn+1  a  b + a mod b  Fn+1 + Fn = Fn+2  b  Fn+1 OK

Euclid’s algorithm - Complexity Theorem If a > b 0 and the invocation of Euclid performs k 1 recursivecalls, then a Fk+2 and b  Fk+1. Fk ((1 + 5) / 2)k / 5 (2)k < Fk < 2k  = max{log a, log b} - number of bits to encode a and b T’(a,b) = ( ) - number of arithmetic operations T(a,b) = ( 3) - total complexity

Extended Euclid’s algorithm d = gcd(a,b) - the greatest common divisor of integers a and b There exist integers x and y such that d = ax + by ExtendedEuclid(a, b) if b = 0 then return (a,1,0) (d’,x’,y’) ExtendedEuclid(b, a mod b) (d,x,y)  (d’,y’,x’ –a/b y’) return (d,x,y)

Extended Euclid’s algorithm - Example ExtendedEuclid(a, b) if b = 0 then return (a,1,0) (d’,x’,y’) ExtendedEuclid(b, a mod b) (d,x,y)  (d’,y’,x’ –a/b y’) return (d,x,y) [Adapted from T.Cormen, C.Leiserson, R. Rivest]

Complexity of modular operations Multiplication: for given a and b find x such that ab mod n = x multiplication + division, i.e. time complexity ( 2)

Complexity of modular operations Division: for given a and b find x such that bx mod n = a Not always such x exists - we should have gcd(b,n) | a Extended Euclid's algorithm: finds x and y such that gcd(s,t) = su + tv Take b = s and t = n and set x = ua/gcd(b,n) Time complexity ( 3)

Complexity of modular operations Exponentiation: for given a and b find x such that ab mod n = x Time complexity?

Modular Exponentiation ModularExponentiation(basea, degreeb, modulusn) let <bk,bk–1,...,b0> be the binary representation of b c 0 d 1 for i  k downto 0 do c  2  c d  (d  d) mod n if bi = 1 then c  c + 1 d  (d  a) mod n return d Time complexity T() = ( 3)

Modular Exponentiation - example ModularExponentiation(a,b, n) c 0; d 1 for i  k downto 0 do c  2  c d  (d  d) mod n if bi = 1 then c  c + 1 d  (d  a) mod n return d [Adapted from T.Cormen, C.Leiserson, R. Rivest]

Public-key cryptosystems P: *  * public key S: *  * secret key • For an arbitrary message M* we must have: • M = S(P(M)), and • M = P(S(M))

The RSA public-key cryptosystem p,q - two large primes (100 digits or more) n = pq e - small odd integer that is relatively prime to (p– 1)(q– 1) d - integer such that de  1 (mod(p– 1)(q– 1)) (it can be shown that it always exists) P = (e,n) - public key S = (d,n) - secret key Encoding: P(M) = Me(mod n) Decoding: S(C) = Cd(mod n) It works!

Fermat's Theorem • Fermat's little Theorem • If p is prime then: • ap = a mod p • if gcd(a,p) =1 then ap1 = 1 mod p. • Proof ?

Fermat's Theorem

RSA - Correctness n = pq e - odd and relatively prime to (p – 1)(q – 1) d - such that de  1(mod(p– 1)(q– 1)) P(M) = Me(mod n), S(C) = Cd(mod n) P(S(M)) = S(P(M)) = Med (mod n), ed = 1 + k(p– 1)(q– 1) M 0 (mod p)  MedM(Mp–1)k(q–1) (mod p)  M(1)k(q–1) (mod p)  M(mod p) M 0 (mod p)  Med M(mod p)

RSA - Correctness Med M(mod p) Med M(mod q) Thus Med M(mod n)

RSA - Complexity Encoding: P(M) = Me(mod n) Decoding: S(C) = Cd(mod n)

RSA - Complexity Encoding: P(M) = Me(mod n) Decoding: S(C) = Cd(mod n) TE(M) = O( 3) (and TE(M) = ( 2) for small e) TD(M) = ( 3)

RSA - Key management mode • Encryption: • Encrypt (using a traditional method) message with a • random key K • Send encrypted message • Send K encrypted with a public-key method

Public-key cryptosystems - Encryption [Adapted from T.Cormen, C.Leiserson, R. Rivest]

RSA + One-way hash functions • h - a one-way hash function (easy to compute, but for a • given M it is hard to find M’ with h(M) = h(M’)) • Digital signature: • Send message M • Send encrypted pair (h(M),)

Public-key cryptosystems - Digital signature [Adapted from T.Cormen, C.Leiserson, R. Rivest]

Finding primes - Erasthothenes sieve

Distribution of primes

Illegal primes :) 1811 digit prime number Represents an executable program that perform DeCSS decryption Technically illegal in some weird countries (e.g. USA)

Finding large primes (n) - the number of primes less or equal to n Prime number theorem limn(n) / (n / ln n) = 1 n / ln n tends to be a good approximation of (n) n = 1 000 000 000 (n) = 50 847 478 n / ln n = 48 254 942

Finding large primes limn(n) / (n / ln n) = 1 Idea how to find a prime approximately of the size of n: Consider randomly chosen integers close to n and check whether these are primes. On average you will need to examine ln n integers.

Primality testing The problem For a given integer n decide whether n is a prime. A simple solution: Try to divide n by 2 and all odd integers 3, 5,..., n1/2. Time complexity of such approach is (2/2), where  - number of bits needed to encode n ( = log n). Advantage - we also get factors of n (if n is not prime).

What we need from number theory Extended Euclid's algorithm d = gcd(a,b) - the greatest common divisor of integers a and b There exist integers x and y such that d = ax + by Fermat's little Theorem If p is prime and gcd(a,p) = 1 then ap1 = 1 mod p.

Square roots of 1 modulo n Quadratic residue theorem Ifthereexists an integer 1<x< n –1, such that x2= 1 (mod n), then n is composite. x2= 1 (mod n), 2 xn– 2 x2– 1 = kn, 1 kn– 2 (x– 1)(x+ 1) = kn but x– 1 and x+ 1 can’t be divisible by n

What we need from number theory Chinese reminder theorem Suppose n1, n2, …, nk are integers which are pairwise coprime. Then, for any given integers a1,a2, …, ak, there exists an integer x solving the system of simultaneous congruences: Furthermore, all solutions x to this system are congruent modulo the product N = n1n2…nk.

Something from algebra and number theory • Euclid's algorithm • groups and Lagrange's theorem • additive group Zn • multiplicative group Z*n • Fermat's theorem • primitive roots modulo n

Groups and Lagrange's theorem • Consider set G and binary oparator +. • Definition • Pair (G,+) is a group, if there is eG such that for all a,b,cG: • a+bG • (a+b)+c = a+(b+c) • a+e = a and e+a = a • there exists a unique a such that a+(a) = e and (a)+a = e • (X,+) is a subgroup of (G,+) if XG and (X,+) is a group • X<G - notation that X is a subgroup of G • o(G) - order of group = number of elements in G • a - subgroup generated by aG

Groups and Lagrange's theorem • Lagrange's Theorem • If H < G then o(H) | o(G) • Proof • let gG then all elements of the from a+h, hH, are distinct • and |{g+h | hH}| = o(H) • each element gG belongs to set {g+h | hH} (these sets • are called cosets) • thus G is a union of disjoint cosets, each having o(H) elements • Hence o(H) | o(G)

Additive group Zn n - a positive integer Set of elements Zn = {0,1,2, ...,n1} Operation "+": for x,yZn define x+y to be equal with an integer equal to x+ymod n o(Zn) = n

Multiplicative group Z*n n - a positive integer Set of elements Z*n = {a  Zn | gcd(a,n) = 1} Operation "·": for x,yZ*n define xy to be equal with an integer equal to xymod n Z*n is a group! o(Z*n) = (n) (Euler's phi function) If p is prime and n = pethen (n) = (p1)pe1

Fermat's Theorem Euler's Theorem For n>1 and all aZ*n we have a(n) = 1 mod n. Proof Let ah = 1 mod n. Then h | (n) and a(n) = 1 mod n. Fermat's little Theorem If p is prime then ap1 = 1 mod p. Proof p1 = (n).

Primitive roots modulo n Theorem Z*n is cyclic (i.e. there exists aZ*n with o(a) = o(Z*n)) if and only if n = 2, n = 4, n = pm, or n = 2pm for some odd prime p and some m > 0. Partial proof (and we are more interested in if part :) We will consider just case n = p...

Primitive roots modulo n Proposition 1 Let d | p1. Then there are exactly d solutions (mod p) to equation xd1 = 0 mod p. Proof de = p1. xp11 = (xd)e1 = (xd1)g(x). From Fermat's theorem: For all ap1 = 1 mod p. Thus all p1 elements of Z*n are roots of xp11. g(x) has at most pd1 roots, thus xd1 should have d roots.

Primitive roots modulo n Proposition 2 a,bZ*n, o(a) = r, o(b) = s and gcd(r,s) = 1. Then o(ab) = rs. Proof (ab)rs = arsbrs =1. Thus o(ab) = xy, where x | r and y | s. Assume r = xu and s = yv. auxybuxy =1 and auxy =1. Then buxy =1 and s | uxy. Thus s = y. Similarly we show that r = x. Therefore o(ab) = rs.

Primitive roots modulo n Theorem Z*n is cyclic (i.e. there exists aZ*n with o(a) = o(Z*n)) if and only if n = 2, n = 4, n = pm, or n = 2pm for some odd prime p and some m > 0. Proposition 1 Let d | p1. Then there are exactly d solutions (mod p) to equation xd1 = 0 mod p. Proposition 2 a,bZ*n, o(a) = r, o(b) = s and gcd(r,s) = 1. Then o(ab) = rs.

Primitive roots modulo n Partial proof (and we are more interested in if part:) n = p. Let p1 = q1n1...qrnr, where qi's are primes. By Proposition 1 f(x) = xqini1 has exactly qini roots and g(x) = xqini11 has exactly qini1 roots. There exists ai which is root of f(x) but not g(x). o(ai) = qini. a = a1...ar. o(a) = p1. (Proposition 2)

Finding large primes (n) - the number of primes less or equal to n Prime number theorem limn(n) / (n / ln n) = 1 n / ln n tends to be a good approximation of (n) n = 1 000 000 000 (n) = 50 847 478 n / ln n = 48 254 942

Finding large primes limn(n) / (n / ln n) = 1 Idea how to find a prime approximately of the size of n: Consider randomly chosen integers close to n and check whether these are primes. On average you will need to examine ln n integers.

Primality testing The problem For a given integer n decide whether n is a prime. A simple solution: Try to divide n by 2 and all odd integers 3, 5,..., n1/2. Time complexity of such approach is (2/2), where  - number of bits needed to encode n ( = log n). Advantage - we also get factors of n (if n is not prime).

Primality testing - Fermat’s theorem Fermat’s theorem an – 1 1 (mod n) for all primes n and all integers a > 1. What happens when n is not a prime? Composite integers n that satisfy an – 1 1 (mod n) for all a > 1 with gcd(a,n) = 1 are called Carmichael numbers. They are quite rare: the first three are 561, 1105, 1729 there are only 255 of them less than 100 000 000

PseudoPrime algorithm PseudoPrime(n) ifModularExponentiation(2,n–1,n) 1 then returnComposite definitely elsereturnPrime we hope ModularExponentiation(a,k,n) computes the value ak mod n

Outline

Outline

Presentation Transcript

Outline

Outline

Outline

Outline

Outline

Outline

Outline

outline

outline

OUTLINE

Outline

Outline

Outline

Outline

Outline

Outline

Outline

Outline

Outline:

Outline

Outline

OUTLINE: