Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 14 February 27, 2012 CPSC 467b, Lecture 14 1/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Quadratic Residues, Squares, and Square Roots Square Roots Modulo an Odd Prime p Square Roots Modulo the Product of Two Odd Primes Euler Criterion Finding Square Roots Square Roots Modulo Special Primes Square Roots Modulo General Odd Primes QR Probabilistic Cryptosystem Summary The Legendre and Jacobi Symbols The Legendre symbol Jacobi Symbol Computing the Jacobi Symbol Useful Tests of Compositeness Solovay-Strassen Test of Compositeness Miller-Rabin Test of Compositeness CPSC 467b, Lecture 14 2/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Quadratic Residues, Squares, and Square Roots CPSC 467b, Lecture 14 3/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests ∗ Square roots in Zn Recall from lecture 13 that to find points on an elliptic curve requires solving the equation y 2 = x3 + ax + b ∗ for y (mod p), and that requires computing square roots in Zp. Squares and square roots have several other cryptographic applications as well. Today, we take a brief tour of the theory of quadratic resides. CPSC 467b, Lecture 14 4/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Quadratic residues modulo n An integer b is a square root of a modulo n if b2 ≡ a (mod n): An integer a is a quadratic residue (or perfect square) modulo n if it has a square root modulo n. CPSC 467b, Lecture 14 5/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests ∗ Quadratic residues in Zn 2 If a; b 2 Zn and b ≡ a (mod n), then ∗ ∗ b 2 Zn iff a 2 Zn: Why? Because gcd(b; n) = 1 iff gcd(a; n) = 1 This follows from the fact that b2 = a + un for some u, so if p is a prime divisor of n, then p jb iff p ja: ∗ Assume that all quadratic residues and square roots are in Zn unless stated otherwise. CPSC 467b, Lecture 14 6/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests QRn and QNRn ∗ We partition Zn into two parts. ∗ QRn = fa 2 Zn j a is a quadratic residue modulo ng: ∗ QNRn = Zn − QRn: QRn is the set of quadratic residues modulo n. QNRn is the set of quadratic non-residues modulo n. For a 2 QRn, we sometimes write p ∗ 2 a = fb 2 Zn j b ≡ a (mod n)g; the set of square roots of a modulo n. CPSC 467b, Lecture 14 7/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests ∗ Quadratic residues in Z15 The following table shows all elements of ∗ Z15 = f1; 2; 4; 7; 8; 11; 13; 14g and their squares. b b2 mod 15 1 1 2 4 4 1 7 4 8 = −7 4 11 = −4 1 13 = −2 4 14 = −1 1 Thus, QR15 = f1; 4g and QNR15 = f2; 7; 8; 11; 13; 14g. CPSC 467b, Lecture 14 8/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Sqrt mod p Quadratic residues modulo an odd prime p Fact For an odd prime p, ∗ I Every a 2 QRp has exactly two square roots in Zp; ∗ I Exactly 1/2 of the elements of Zp are quadratic residues. In other words, if a 2 QRp, p j aj = 2: p − 1 jQR j = jZ∗j=2 = : n p 2 CPSC 467b, Lecture 14 9/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Sqrt mod p ∗ Quadratic residues in Z11 ∗ The following table shows all elements b 2 Z11 and their squares. b b2 mod 11 b −b b2 mod 11 1 1 6 −5 3 2 4 7 −4 5 3 9 8 −3 9 4 5 9 −2 4 5 3 10 −1 1 Thus, QR11 = f1; 3; 4; 5; 9g and QNR11 = f2; 6; 7; 8; 10g. CPSC 467b, Lecture 14 10/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Sqrt mod p p Proof that j aj = 2 modulo an odd prime p Let a 2 QRp. ∗ I It must have a square root b 2 Zp. 2 2 p I (−b) ≡ b ≡ a (mod p), so −b 2 a. p I Moreover, b 6≡ −b (mod p) since p ∼j 2b, so j aj ≥ 2. p 2 2 I Now suppose c 2 a. Then c ≡ a ≡ b (mod p). 2 2 I Hence, p jc − b = (c − b)(c + b). I Since p is prime, then either p j(c − b) or p j(c + b) (or both). I If p j(c − b), then c ≡ b (mod p). I If p j(c + b), then c ≡ −b (mod p). p p I Hence, c = ±b, so a = fb; −bg, and j aj = 2. CPSC 467b, Lecture 14 11/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Sqrt mod p ∗ Proof that half the elements of Zp are in QRp ∗ I Each b 2 Zp is the square root of exactly one element of QRp. 2 ∗ I The mapping b 7! b mod p is a 2-to-1 mapping from Zp to QRp. 1 ∗ I Therefore, jQRpj = 2 jZpj as desired. CPSC 467b, Lecture 14 12/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Sqrt mod pq Quadratic residues modulo pq We now turn to the case where n = pq is the product of two distinct odd primes. Fact Let n = pq for p, q distinct odd primes. ∗ I Every a 2 QRn has exactly four square roots in Zn; ∗ I Exactly 1/4 of the elements of Zn are quadratic residues. In other words, if a 2 QRn, p j aj = 4: (p − 1)(q − 1) jQR j = jZ∗j=4 = : n n 4 CPSC 467b, Lecture 14 13/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Sqrt mod pq Proof sketch I Let a 2 QRn. Then a 2 QRp and a 2 QRq. I There are numbers bp 2 QR and bq 2 QR such that p p q I pa (mod p) = {±bpg, and I a (mod q) = {±bqg. I Each pair (x; y) with x 2 {±bpg and y 2 {±bqg can be p 1 combined to yield a distinct element bx;y in a (mod n). p ∗ I Hence, j a (mod n)j = 4, and jQRnj = jZnj=4. 1 To find bx;y from x and y requires use of the Chinese Remainder theorem. CPSC 467b, Lecture 14 14/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Euler Criterion Testing for membership in QRp Theorem (Euler Criterion) An integer a is a non-trivial 2 quadratic residue modulo an odd prime p iff a(p−1)=2 ≡ 1 (mod p): Proof in forward direction. Let a ≡ b2 (mod p) for some b 6≡ 0 (mod p). Then a(p−1)=2 ≡ (b2)(p−1)=2 ≡ bp−1 ≡ 1 (mod p) by Euler's theorem, as desired. 2A non-trivial quadratic residue is one that is not equivalent to 0 (mod p). CPSC 467b, Lecture 14 15/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Euler Criterion Proof of Euler Criterion Proof in reverse direction. Suppose a(p−1)=2 ≡ 1 (mod p). Clearly a 6≡ 0 (mod p). We find a square root b of a modulo p. Let g be a primitive root of p. Choose k so that a ≡ g k (mod p), and let ` = (p − 1)k=2. Then g ` ≡ g (p−1)k=2 ≡ (g k )(p−1)=2 ≡ a(p−1)=2 ≡ 1 (mod p): Since g is a primitive root, (p − 1)j`. Hence, 2jk and k=2 is an integer. Let b = g k=2. Then b2 ≡ g k ≡ a (mod p), so b is a non-trivial square root of a modulo p, as desired. CPSC 467b, Lecture 14 16/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Finding Square Roots CPSC 467b, Lecture 14 17/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests Special primes Finding square roots modulo prime p ≡ 3 (mod 4) The Euler criterion lets us test membership in QRp for prime p, but it doesn't tell us how to quickly find square roots. They are easily found in the special case when p ≡ 3 (mod 4). Theorem (p+1)=4 p Let p ≡ 3 (mod 4), a 2 QRp. Then b = a 2 a (mod p). Proof. p + 1 is divisible by 4, so (p + 1)=4 is an integer. Then b2 ≡ (a(p+1)=4)2 ≡ a(p+1)=2 ≡ a1+(p−1)=2 ≡ a · 1 ≡ a (mod p) by the Euler Criterion. CPSC 467b, Lecture 14 18/54 Outline Quadratic Residues Finding sqrt QR crypto Legendre/Jacobi Useful tests General primes Finding square roots for general primes We now present an algorithm due to D. Shanks3 that finds square roots of quadratic residues modulo any odd prime p. It bears a strong resemblance to the algorithm presented in lecture 9 for factoring the RSA modulus given both the encryption and decryption exponents. 3Shanks's algorithm appeared in his paper, \Five number-theoretic algorithms", in Proceedings of the Second Manitoba Conference on Numerical Mathematics, Congressus Numerantium, No.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages54 Page
-
File Size-