Greatest Common Divisor the Euclidean Algorithm

Eike Ritter, Cryptography 2013/14

Greatest Common Divisor

Definition: Let $a, b \in \mathbb{Z}$ with $a \neq 0$ and $b \neq 0$. The greatest common divisor for $a$ and $b$, written $\gcd(a, b)$, is the largest positive integer that divides both numbers without remainder.

The Euclidean Algorithm

Let $a$ and $b$ be two integers such that $a > 0$ and $b > 0$. Then the following algorithm computes integers $x$ and $y$ such that

$$\gcd(a, b) = x \ast a + b \ast y$$

Calculate $a_i, b_i, x_{i,1}, x_{i,2}, y_{i,1}, y_{i,2}$ for $i \geq 0$ such that

$$a_i = x_{i,1} \ast a + x_{i,2} \ast b \qquad b_i = y_{i,1} \ast a + y_{i,2} \ast b$$

as follows:

$$a_0 = a = 1 \ast a + 0 \ast b \qquad b_0 = b = 0 \ast a + 1 \ast b$$

Repeatedly do the following calculation:

If $a_i = 0$, then $b_i$ is the greatest common divisor, and $b_i = y_{i,1} \ast a + y_{i,2} \ast b$ is the desired equation.

If $b_i = 0$, then $a_i$ is the greatest common divisor, and $a_i = x_{i,1} \ast a + x_{i,2} \ast b$ is the desired equation.

If $a_i > b_i$, let $q = a_i \ \mathrm{div}\ b_i$ and

$$a_{i+1} = a_i - q \ast b_i$$
$$x_{i+1,1} = x_{i,1} - q \ast y_{i,1}$$
$$x_{i+1,2} = x_{i,2} - q \ast y_{i,2}$$

The case $a_i \leq b_i$ is symmetric.

Theorem: Let $x \in \mathbb{Z}_n$. $x$ has an inverse in $\mathbb{Z}_n$ if and only if $\gcd(x, n) = 1$.

Definition: We call the function $\varphi$, which assigns to an integer $n$ the number of invertible elements in $\mathbb{Z}_n^*$, Euler's Totient function.

Examples ($p$, $q$ prime):

$$\varphi(p) = p - 1$$
$$\varphi(p \ast q) = (p - 1) \ast (q - 1)$$

Theorem: Let $n \in \mathbb{N}$ and $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$, then we have

$$a^{\varphi(n)} \equiv 1 \pmod{n}.$$

Theorem: Let $m, n \in \mathbb{Z}$ with $\gcd(m, n) = 1$. Then for any given $a, b \in \mathbb{Z}$ there exists an $x \in \mathbb{Z}$ such that

$$x \equiv a \pmod{m} \quad \text{and} \quad x \equiv b \pmod{n}$$

Moreover, every solution $x$ is congruent modulo $m \cdot n$. Or in other words the solution $x \in \mathbb{Z}_{mn}$ is unique.

IND-CPA secure public-key encryption

Several possibilities to achieve IND-CPA secure public-key encryption.

First possibility: add suitable padding (PKCS) to RSA.

[Figure: padding diagram with the fields msg, 01, 00···0, rand, the functions G and H, and the outputs X, Y labelled "plaintext for encryption"]

Second possibility: encrypt random number rather than message ($H$ is hash function).

Encryption: choose random $r$. The ciphertext is

$$(E_{pubKey}(r),\ H(r) \oplus m)$$

Decryption: Given $(c_1, c_2)$, compute message as

$$H(D_{privKey}(c_1)) \oplus c_2$$

Intuitively: IND-CPA satisfied because attacker cannot decrypt $c_1$, hence second component looks like one-time pad.

Formal proof surprisingly difficult - requires new ideas.

Finding Prime numbers

Usual way: pick number at random and check whether it is prime.

Several tests for primality of $n$ available.

First one: Fermat's test

    for i := 0 to k - 1 do
        Pick a ∈ {2, ..., n - 1}
        if a^(n-1) ≢ 1 (mod n) then return ("n is a composite")
    end
    return ("n is probably prime")

Fermat's test yields some false positives.

Some eliminated by refinement: Miller-Rabin test

Let $n - 1 = 2^r \cdot s$

    for i := 0 to k - 1 do
        Pick a ∈ {1, ..., n - 1}
        if a^s ≢ 1 (mod n) then
            witness := true
            for j := 0 to r - 1 do
                if a^(2^j · s) ≡ -1 (mod n) then witness := false
            end
            if witness then return ("n is a composite")
        end
    end
    return ("n is probably prime")
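The false positives of Fermat's test and their reduction by Miller-Rabin can be measured directly. The following Python sketch is an added example, not part of the original slides; the function names are illustrative and 561 is a constructed sample input.

```python
import secrets

def fermat_round(n, a):
    """Fermat's test for one base a: True means n passes (a^(n-1) = 1 mod n)."""
    return pow(a, n - 1, n) == 1

def miller_rabin_round(n, a):
    """Miller-Rabin for one base a and odd n > 2: True means n passes."""
    r, s = 0, n - 1
    while s % 2 == 0:            # write n - 1 = 2^r * s with s odd
        r, s = r + 1, s // 2
    x = pow(a, s, n)
    if x == 1 or x == n - 1:     # a^s = 1, or a^(2^0 * s) = -1
        return True
    for _ in range(r - 1):       # check a^(2^j * s) = -1 for j = 1 .. r-1
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False                 # a proves that n is composite

def is_probable_prime(n, k=40):
    """k Miller-Rabin rounds with bases drawn from the OS CSPRNG."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    # 1 and n-1 pass for every odd n, so bases are drawn from 2 .. n-2.
    return all(miller_rabin_round(n, 2 + secrets.randbelow(n - 3))
               for _ in range(k))

def liars(n, round_fn):
    """Bases in 2 .. n-2 for which a composite n still passes round_fn."""
    return [a for a in range(2, n - 1) if round_fn(n, a)]

# Constructed sample input: 561 = 3 * 11 * 17, the smallest Carmichael number.
CARMICHAEL = 561

if __name__ == "__main__":
    print("Fermat liars:      ", len(liars(CARMICHAEL, fermat_round)))
    print("Miller-Rabin liars:", len(liars(CARMICHAEL, miller_rabin_round)))
    print("is_probable_prime(561):     ", is_probable_prime(CARMICHAEL))
    print("is_probable_prime(2**127-1):", is_probable_prime(2**127 - 1))
```

Every base coprime to 561 is a Fermat liar, so repeating Fermat's test does not help against such numbers, whereas only a handful of bases fool a Miller-Rabin round.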
