CS 127/CSCI E-127: Introduction to Cryptography

Prof. Salil Vadhan Fall 2013

Lecture Notes 8:

Computational Number Theory

Reading.

• KatzLindell 2nd edition Ÿ8.0,8.1,8.2.3,8.3.0-8.3.2 OR 1st edition Ÿ7.0,7.1,7.2.3,7.3.0-7.3.2 Computational Number theory is a major source of hard problems (eg one-way functions) for cryptography.

1 Modular arithmetic: and ∗ ZN ZN Basic denitions:

• x ≡ y (mod N) if N|(x − y). (Written x = y mod N in KatzLindell.)

• [x mod N] def= unique x0 ∈ {0,...,N − 1} s.t. x ≡ x0 (mod N).

def • ZN = {0,...,N − 1} with arithmetic (+,·) modulo N. We cannot divide in general: 5 · 8 ≡ 5 · 1 (mod 35).

Fact 1 (Extended Euclidean Algorithm) For any x, y ∈ N there exists two integers a, b such that ax + by = gcd(x, y). Moreover, such a and b can be found in polynomial time.

Denition of ∗ ZN

∗ def elements of with multiplicative inverses ZN = {x ∈ ZN : gcd(x, N) = 1} = ZN

−1 By a multiplicative inverse for x we mean an element y ∈ ZN , denoted y = x , such that . Given and ∗ , we can compute −1 in polynomial time: x · y ≡ 1 (mod N) N x ∈ ZN x

Example: In ∗ , −1 . Z35 3 = ... Euler phi function def ∗ φ(N) = |ZN | Example:

∗ • Z35 = • φ(35) =

1 Q: how to generate random elements of ∗ ? ZN

Fact 2 Y  1 N φ(N) = N · 1 − ≥ p 6loglogN primes p|N

2 Groups

• An abelian group G is a set G with binary operation ? satisfying associativity, identity, inverses, and commutativity. Examples: under addition, ∗ under multiplication. ZN ZN • Fact: In any group G, x ? x ? ··· ? x = id for all x ∈ G. | {z } |G| Examples:

Corollary: ∗ φ(N) . • ∀x ∈ ZN , x ≡ 1 (mod N) Example: [224 mod 35] =

3 when prime Zp p ∗ (because ) and thus is called a eld. • Zp = Zp \{0} φ(p) = p − 1 Zp Fermat's Little Theorem: For every ∗, p−1 . • a ∈ Zp a ≡ 1 (mod p) • A polynomial of degree d has at most d solutions mod p. For every prime , there is a ∗ such that 2 3 p−2 • p g ∈ Zp {1 mod p, g mod p, g mod p, g mod p, . . . , g mod ∗. Such a is called a generator of ∗. p} = Zp g Zp Example: ∗ Z11 =

Fact 3 We can generate random -bit prime together with a (random) generator of ∗ time • n p Zp poly(n).

Discrete logarithms: For ∗, def unique s.t. i . • x ∈ Zp logg x = [ i ∈ {0, . . . , p − 2} g ≡ x (mod p)] Computing the discrete logarithm is believed to be hard, even if p and g are known.

4 Chinese Remainder Theorem

Fact 4 (Chinese Remainder Theorem) Let N = pq with gcd(p, q) = 1. Then the map x 7→ (x mod p, x mod q) from ZN to Zp × Zq is one-to-one and onto. In particular, for every (y, z) ∈ Zp × Zq, there exists a unique x ∈ ZN s.t. x ≡ y (mod p) and x ≡ z (mod q). Moreover, x can be found in polynomial time given (y, z, p, q).

2 Proof sketch: What is the inverse map?

Example: Z35 ↔ Z5 × Z15

Using the Chinese Remainder Theorem, an arithmetic question modulo N can be reduced to an arithmetic problem modulo p and modulo q, provided we know the factorization of N.

5 Quadratic Residues

We dene def 2 ∗ . QRN = {x mod N : x ∈ ZN }

Proposition 5 When odd prime, ∗ . p |QRp| = |Zp|/2 = (p − 1)/2

Proof: Consider the map from ∗ ∗, given by 2. A square in ∗ has at least two square Zp → Zp x 7→ x Zp roots because 2 2 and as p is odd. A square in ∗ has at most two a ≡ (−a) mod p a 6≡ −a mod p Zp square roots: Zp is a eld so a polynomial of degree d has at most d roots modulo p. We consider 2 the polynomial x − c ≡ 0 (mod p): for any c, the polynomial has at most two roots in Zp. The map is hence exactly 2 to 1.

Proposition 6 When for odd primes , ∗ and 2 is 4-to-1 on ∗ . N = pq p, q |QRN | = |ZN |/4 x 7→ x ZN Proof: Let us prove that and . s ∈ QRN ⇐⇒ (s mod p ∈ QRp) (s mod q ∈ QRq)

The map 2 is 4-to-1 on ∗ . x 7→ x ZN (p − 1) (q − 1) |QR | = | ∗ |/4 = · N ZN 2 2

Example: elements of QR35

3