CS 6260 Some Number Theory

Let $\mathbb{Z} = \{\ldots, -2, -1, 0, 1, 2, \ldots\}$ denote the set of integers. Let $\mathbb{Z}^+ = \{1, 2, \ldots\}$ denote the set of positive integers and $\mathbb{N} = \{0, 1, 2, \ldots\}$ the set of non-negative integers. If $a, N$ are integers with $N > 0$ then there are unique integers $r, q$ such that $a = Nq + r$ and $0 \le r < N$. We associate to any positive integer $N$ the following two sets:

$\mathbb{Z}_N = \{0, 1, \ldots, N-1\}$, $\quad \mathbb{Z}_N^* = \{\, i \in \mathbb{Z} : 1 \le i \le N-1 \text{ and } \gcd(i, N) = 1 \,\}$

Groups

• Def. Let G be a non-empty set and let · denote a binary operation on G. We say that G is a group if it has the following properties:
  1. Closure: For every a, b ∈ G it is the case that a · b is also in G.
  2. Associativity: For every a, b, c ∈ G it is the case that (a · b) · c = a · (b · c).
  3. Identity: There exists an element 1 ∈ G such that a · 1 = 1 · a = a for all a ∈ G.
  4. Invertibility: For every a ∈ G there exists a unique b ∈ G such that a · b = b · a = 1. This b is the inverse of a, denoted $a^{-1}$.
• Fact. Let N be a positive integer. Then $\mathbb{Z}_N$ is a group under addition modulo N, and $\mathbb{Z}_N^*$ is a group under multiplication modulo N.
• In any group, we can define an exponentiation operation:
  if i = 0 then $a^i$ is defined to be 1,
  if i > 0 then $a^i = a \cdot a \cdots a$ (i times),
  if i < 0 then $a^i = a^{-1} \cdot a^{-1} \cdots a^{-1}$ (j = −i times).
• For all a ∈ G and all i, j ∈ $\mathbb{Z}$:
  • $a^{i+j} = a^i \cdot a^j$
  • $(a^i)^j = a^{ij}$
  • $a^{-i} = (a^i)^{-1} = (a^{-1})^i$
• The order of a group is its size.
• Fact. Let G be a group and let m = |G| be its order. Then $a^m = 1$ for all a ∈ G.
• Fact. Let G be a group and let m = |G| be its order. Then $a^i = a^{i \bmod m}$ for all a ∈ G and all i ∈ $\mathbb{Z}$.
• Example. Let us work in the group $\mathbb{Z}_{21}^* = \{1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20\}$ under the operation of multiplication modulo 21. Here m = 12.
  $5^{86} \bmod 21 = 5^{86 \bmod 12} \bmod 21 = 5^{2} \bmod 21 = 25 \bmod 21 = 4$
• If G is a group, a set S ⊆ G is called a subgroup if it is a group in its own right, under the same operation as that under which G is a group.
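The group facts above can be checked by brute force on a small group. This is an added example, not from the slides: it builds $\mathbb{Z}_N^*$, tests the four axioms, and confirms $a^m = 1$ and $a^i = a^{i \bmod m}$ on the $\mathbb{Z}_{21}^*$ example (all function names are my own).

```python
# Added example (not from the CS 6260 slides): brute-force check that Z_N^*
# is a group under multiplication mod N, and that exponents reduce mod |G|.
from math import gcd
from itertools import product

def z_star(N):
    """Z_N^* = { i : 1 <= i <= N-1 and gcd(i, N) == 1 }."""
    return [i for i in range(1, N) if gcd(i, N) == 1]

def is_mult_group(N):
    """Check the four group axioms for Z_N^* under multiplication mod N."""
    G = set(z_star(N))
    closure = all((a * b) % N in G for a, b in product(G, G))
    assoc = all(((a * b) % N * c) % N == (a * ((b * c) % N)) % N
                for a, b, c in product(G, G, G))
    identity = 1 in G and all((a * 1) % N == a for a in G)
    # every element must have exactly one inverse inside the group
    inverses = all(sum(1 for b in G if (a * b) % N == 1) == 1 for a in G)
    return closure and assoc and identity and inverses

def group_exp(a, i, N):
    """a^i in Z_N^* for any integer i, following the slide's definition:
    a negative exponent multiplies copies of a^{-1} (found by search)."""
    if i < 0:
        a = next(b for b in z_star(N) if (a * b) % N == 1)
        i = -i
    r = 1
    for _ in range(i):
        r = (r * a) % N
    return r

def lagrange_facts(N):
    """Return (a^m == 1 for all a, a^i == a^(i mod m) for sample i)."""
    G = z_star(N)
    m = len(G)
    all_one = all(group_exp(a, m, N) == 1 for a in G)
    reduced = all(group_exp(a, i, N) == group_exp(a, i % m, N)
                  for a in G for i in (-7, 0, 13, 86))
    return all_one, reduced

if __name__ == "__main__":
    print(z_star(21), "order", len(z_star(21)))       # 12 elements
    print(is_mult_group(21), lagrange_facts(21))      # True (True, True)
    print(group_exp(5, 86, 21), group_exp(5, 2, 21))  # 4 4
```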
• If we already know that G is a group, there is a simple way to test whether S is a subgroup: it is one if and only if $x \cdot y^{-1} \in S$ for all x, y ∈ S. Here $y^{-1}$ is the inverse of y in G.
• Fact. Let G be a group and let S be a subgroup of G. Then the order of S divides the order of G.

Algorithms and their running times

• Since in cryptography we will be working with BIG numbers, the complexity of algorithms taking numbers as inputs is measured as a function of the bit-length of the numbers.
• E.g. PrintInBinary(A), where $A = 2^k$, takes k operations.

Fig. 9.1: Some basic algorithms and their running times.

Algorithm | Input | Output | Running Time
INT-DIV | a, N (N > 0) | (q, r) with a = Nq + r and 0 ≤ r < N | O(|a| · |N|)
MOD | a, N (N > 0) | a mod N | O(|a| · |N|)
EXT-GCD | a, b ((a, b) ≠ (0, 0)) | (d, a', b') with d = gcd(a, b) = aa' + bb' | O(|a| · |b|)
MOD-ADD | a, b, N (a, b ∈ $\mathbb{Z}_N$) | (a + b) mod N | O(|N|)
MOD-MULT | a, b, N (a, b ∈ $\mathbb{Z}_N$) | ab mod N | O(|N|²)
MOD-INV | a, N (a ∈ $\mathbb{Z}_N^*$) | b ∈ $\mathbb{Z}_N^*$ with ab ≡ 1 (mod N) | O(|N|²)
MOD-EXP | a, n, N (a ∈ $\mathbb{Z}_N$) | $a^n$ mod N | O(|n| · |N|²)
EXP_G | a, n (a ∈ G) | $a^n$ ∈ G | 2|n| G-operations

Cyclic groups and generators

• If g ∈ G is any member of the group, the order of g is defined to be the least positive integer n such that $g^n = 1$. We let $\langle g \rangle = \{\, g^i : i \in \mathbb{Z}_n \,\} = \{g^0, g^1, \ldots, g^{n-1}\}$ denote the set of group elements generated by g. This is a subgroup of order n.
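Three rows of the Fig. 9.1 table, written out as an added example (my own code, not from the slides or the notes): EXT-GCD by the Euclidean algorithm, MOD-INV built on it, and MOD-EXP by square-and-multiply with a counter that shows the 2|n| group-operation bound for EXP_G.

```python
# Added example (not from the slides or the Bellare-Rogaway notes): the
# EXT-GCD, MOD-INV and MOD-EXP rows of Fig. 9.1 in plain Python, with
# MOD-EXP counting group operations to check the 2|n| bound for EXP_G.

def ext_gcd(a, b):
    """EXT-GCD: return (d, x, y) with d = gcd(a, b) = a*x + b*y, (a, b) != (0, 0)."""
    if (a, b) == (0, 0):
        raise ValueError("gcd(0, 0) is undefined")
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b != 0:
        q, r = divmod(a, b)            # INT-DIV step: a = b*q + r
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    if a < 0:                          # normalise so that d > 0
        a, x0, y0 = -a, -x0, -y0
    return a, x0, y0

def mod_inv(a, N):
    """MOD-INV: b in Z_N^* with a*b == 1 (mod N); None if a is not in Z_N^*."""
    d, x, _ = ext_gcd(a, N)
    if d != 1:
        return None
    return x % N

def mod_exp(a, n, N):
    """MOD-EXP by square-and-multiply (EXP_G with MOD-MULT as the group op).
    Returns (a^n mod N, number of MOD-MULT calls), for n >= 0."""
    result, base, ops = 1, a % N, 0
    while n > 0:
        if n & 1:
            result = (result * base) % N   # one group operation
            ops += 1
        base = (base * base) % N           # one group operation
        ops += 1
        n >>= 1                            # at most |n| iterations
    return result, ops

if __name__ == "__main__":
    print(ext_gcd(240, 46))            # (2, -9, 47): 240*(-9) + 46*47 = 2
    print(mod_inv(5, 21))              # 17, since 5*17 = 85 = 4*21 + 1
    print(mod_exp(5, 86, 21))          # (4, 11): 11 <= 2*|86| = 14 ops
```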
• Def. An element g of the group is called a generator of G if $\langle g \rangle = G$, or, equivalently, if its order is m = |G|.
• Def. A group is cyclic if it contains a generator.
• If g is a generator of G, then for every a ∈ G there is a unique integer $i \in \mathbb{Z}_m$ such that $g^i = a$. This i is called the discrete logarithm of a to base g, and we denote it by $\mathrm{DLog}_{G,g}(a)$.
• $\mathrm{DLog}_{G,g}(\cdot)$ is a function that maps G to $\mathbb{Z}_m$, and moreover this function is a bijection.
• The function of $\mathbb{Z}_m$ to G defined by $i \mapsto g^i$ is called the discrete exponentiation function.

8 COMPUTATIONAL NUMBER THEORY

Fig. 9.1. (The input a is not required to be relatively prime to N even though it usually will be, so is listed as coming from $\mathbb{Z}_N$.) In that case, each group operation is implemented via MOD-MULT and takes $O(|N|^2)$ time, so the running time of the algorithm is $O(|n| \cdot |N|^2)$. Since n is usually in $\mathbb{Z}_N$, this comes to $O(|N|^3)$. The salient fact to remember is that modular exponentiation is a cubic time algorithm.

9.3 Cyclic groups and generators

Let G be a group, let 1 denote its identity element, and let m = |G| be the order of G. If g ∈ G is any member of the group, the order of g is defined to be the least positive integer n such that $g^n = 1$. We let

$\langle g \rangle = \{\, g^i : i \in \mathbb{Z}_n \,\} = \{g^0, g^1, \ldots, g^{n-1}\}$

denote the set of group elements generated by g. A fact we do not prove, but is easy to verify, is that this set is a subgroup of G. The order of this subgroup (which, by definition, is its size) is just the order of g. Fact 9.6 tells us that the order n of g divides the order m of the group. An element g of the group is called a generator of G if $\langle g \rangle = G$, or, equivalently, if its order is m. If g is a generator of G then for every a ∈ G there is a unique integer $i \in \mathbb{Z}_m$ such that $g^i = a$. This i is called the discrete logarithm of a to base g, and we denote it by $\mathrm{DLog}_{G,g}(a)$. Thus, $\mathrm{DLog}_{G,g}(\cdot)$ is a function that maps G to $\mathbb{Z}_m$, and moreover this function is a bijection, meaning one-to-one and onto. The function of $\mathbb{Z}_m$ to G defined by $i \mapsto g^i$ is called the discrete exponentiation function, and the discrete logarithm function is the inverse of the discrete exponentiation function.

Example 9.9 Let p = 11, which is prime. Then $\mathbb{Z}_{11}^* = \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10\}$ has order p − 1 = 10.
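The definitions of Section 9.3, worked in the $\mathbb{Z}_{11}^*$ of Example 9.9 as an added example (my own code, not the notes' or the course's): element order, $\langle g \rangle$, the generators of the group, and a check that discrete exponentiation and $\mathrm{DLog}_{G,g}$ are mutually inverse bijections between $\mathbb{Z}_m$ and G. The DLog here is exhaustive search over $\mathbb{Z}_m$, which is only workable because the group is tiny.

```python
# Added example (not from the notes): element order, <g>, generator test and
# the DLog / discrete-exponentiation bijection, worked in Z_11^* of
# Example 9.9. Python's pow(g, i, N) plays the role of MOD-EXP.
from math import gcd

def z_star(N):
    """Z_N^* = { i : 1 <= i <= N-1 and gcd(i, N) == 1 }."""
    return [i for i in range(1, N) if gcd(i, N) == 1]

def element_order(g, N):
    """Least positive n with g^n == 1 (mod N), for g in Z_N^*."""
    n, x = 1, g % N
    while x != 1:
        x = (x * g) % N
        n += 1
    return n

def generated(g, N):
    """<g> = {g^0, ..., g^(n-1)}, listed in exponent order."""
    return [pow(g, i, N) for i in range(element_order(g, N))]

def generators(N):
    """Elements of Z_N^* whose order equals m = |Z_N^*|, i.e. <g> = G."""
    m = len(z_star(N))
    return [g for g in z_star(N) if element_order(g, N) == m]

def dlog(g, a, N):
    """DLog_{G,g}(a): the unique i in Z_m with g^i == a, found by trying
    every exponent in Z_m (a toy-sized search, not a real DLog algorithm)."""
    m = len(z_star(N))
    for i in range(m):
        if pow(g, i, N) == a:
            return i
    raise ValueError("a is not in <g>")

def dlog_is_bijection(g, N):
    """True iff i -> g^i maps Z_m onto all of G and DLog inverts it."""
    G, m = z_star(N), len(z_star(N))
    return (sorted(pow(g, i, N) for i in range(m)) == G
            and all(dlog(g, pow(g, i, N), N) == i for i in range(m)))

if __name__ == "__main__":
    print(generators(11))             # [2, 6, 7, 8]
    print(generated(2, 11))           # [1, 2, 4, 8, 5, 10, 9, 7, 3, 6]
    print(element_order(3, 11))       # 5, which divides 10 (Fact 9.6)
    print(dlog(2, 8, 11), dlog_is_bijection(2, 11), dlog_is_bijection(3, 11))
```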
