CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 8: Computational Number Theory Reading. • KatzLindell 2nd edition 8.0,8.1,8.2.3,8.3.0-8.3.2 OR 1st edition 7.0,7.1,7.2.3,7.3.0-7.3.2 Computational Number theory is a major source of hard problems (eg one-way functions) for cryptography. 1 Modular arithmetic: and ∗ ZN ZN Basic denitions: • x ≡ y (mod N) if Nj(x − y). (Written x = y mod N in KatzLindell.) • [x mod N] def= unique x0 2 f0;:::;N − 1g s.t. x ≡ x0 (mod N). def • ZN = f0;:::;N − 1g with arithmetic (+,·) modulo N. We cannot divide in general: 5 · 8 ≡ 5 · 1 (mod 35). Fact 1 (Extended Euclidean Algorithm) For any x; y 2 N there exists two integers a, b such that ax + by = gcd(x; y). Moreover, such a and b can be found in polynomial time. Denition of ∗ ZN ∗ def elements of with multiplicative inverses ZN = fx 2 ZN : gcd(x; N) = 1g = ZN −1 By a multiplicative inverse for x we mean an element y 2 ZN , denoted y = x , such that . Given and ∗ , we can compute −1 in polynomial time: x · y ≡ 1 (mod N) N x 2 ZN x Example: In ∗ , −1 . Z35 3 = ::: Euler phi function def ∗ φ(N) = jZN j Example: ∗ • Z35 = • φ(35) = 1 Q: how to generate random elements of ∗ ? ZN Fact 2 Y 1 N φ(N) = N · 1 − ≥ p 6loglogN primes pjN 2 Groups • An abelian group G is a set G with binary operation ? satisfying associativity, identity, inverses, and commutativity. Examples: under addition, ∗ under multiplication. ZN ZN • Fact: In any group G, x ? x ? ··· ? x = id for all x 2 G. | {z } jGj Examples: Corollary: ∗ φ(N) . • 8x 2 ZN ; x ≡ 1 (mod N) Example: [224 mod 35] = 3 when prime Zp p ∗ (because ) and thus is called a eld. • Zp = Zp n f0g φ(p) = p − 1 Zp Fermat's Little Theorem: For every ∗, p−1 . • a 2 Zp a ≡ 1 (mod p) • A polynomial of degree d has at most d solutions mod p. For every prime , there is a ∗ such that 2 3 p−2 • p g 2 Zp f1 mod p; g mod p; g mod p; g mod p; : : : ; g mod ∗. Such a is called a generator of ∗. pg = Zp g Zp Example: ∗ Z11 = Fact 3 We can generate random -bit prime together with a (random) generator of ∗ time • n p Zp poly(n). Discrete logarithms: For ∗, def unique s.t. i . • x 2 Zp logg x = [ i 2 f0; : : : ; p − 2g g ≡ x (mod p)] Computing the discrete logarithm is believed to be hard, even if p and g are known. 4 Chinese Remainder Theorem Fact 4 (Chinese Remainder Theorem) Let N = pq with gcd(p; q) = 1. Then the map x 7! (x mod p; x mod q) from ZN to Zp × Zq is one-to-one and onto. In particular, for every (y; z) 2 Zp × Zq, there exists a unique x 2 ZN s.t. x ≡ y (mod p) and x ≡ z (mod q). Moreover, x can be found in polynomial time given (y; z; p; q). 2 Proof sketch: What is the inverse map? Example: Z35 $ Z5 × Z15 Using the Chinese Remainder Theorem, an arithmetic question modulo N can be reduced to an arithmetic problem modulo p and modulo q, provided we know the factorization of N. 5 Quadratic Residues We dene def 2 ∗ . QRN = fx mod N : x 2 ZN g Proposition 5 When odd prime, ∗ . p jQRpj = jZpj=2 = (p − 1)=2 Proof: Consider the map from ∗ ∗, given by 2. A square in ∗ has at least two square Zp ! Zp x 7! x Zp roots because 2 2 and as p is odd. A square in ∗ has at most two a ≡ (−a) mod p a 6≡ −a mod p Zp square roots: Zp is a eld so a polynomial of degree d has at most d roots modulo p. We consider 2 the polynomial x − c ≡ 0 (mod p): for any c, the polynomial has at most two roots in Zp. The map is hence exactly 2 to 1. Proposition 6 When for odd primes , ∗ and 2 is 4-to-1 on ∗ . N = pq p; q jQRN j = jZN j=4 x 7! x ZN Proof: Let us prove that and . s 2 QRN () (s mod p 2 QRp) (s mod q 2 QRq) The map 2 is 4-to-1 on ∗ . x 7! x ZN (p − 1) (q − 1) jQR j = j ∗ j=4 = · N ZN 2 2 Example: elements of QR35 3.