SageMath 2: Number Theory and RSA Cryptosystem Cheng-Hsin Hsu Na#onal Tsing Hua University Department of Computer Science CS3330 Scienfic Compung 1 Divisibility • a and b are integers, b divides a if there exists an integer q such that a=qb – b is a divisor of a – b is a factor of a – a is a mul>ple of b • Example – 12 divides 144, because 144 = 12 x 12 – Every integer divides 0 – 0 does not divide any integer, except 0 itself CS3330 Scienfic Compung 2 Modular Arithme>c • Example: 16 3=5 1 ÷ ··· Dividend Divisor Quo2ent Remainder • For any , there exist unique such a, b Z,b 0 q, r Z P ° P that a qb r, 0 r b “ ` § † – SageMath/Python: (i) is possible, and b<0 br 0, r < b ≥ | | | | • Modulo • 16 mod 3 = 1 • 12 mod 5 = 3 − CS3330 Scienfic Compung 3 Modular Arithme>c in SageMath q = a div b = a/b b c Quo2ent r = a mod b = a qb − Modulo a = qb + r Validaon CS3330 Scienfic Compung 4 Integers in Base Other than 10 • Write 6137 in the octal system (base 8). In other words, finds r0, r1, …, rk so that (6137)10=(rk…r2r1r0)8 • Write 3387 into binary (base 2) and hexadecimal (base 16) CS3330 Scienfic Compung 5 Convert Integers into Other Bases Validaon CS3330 Scienfic Compung 6 Exact Frac>ons: a Toy Problem • Start from our familiar 10-based (decimal) system, for a frac>on number p/q , we some>me can represent it exactly in two- decimal-place (or fewer) – 1/2 = 0.50 – 1/3 = 0.3333333333333333333333333333333 – 1/4 = 0.25 – 1/5 = 0.20 p 100p =0.01z z = q 100 • Any rules?? q à q à | CS3330 Scienfic Compung 7 Divisors of 100 • Turns out that if q | 100, we can write p/q as a two-decimal-place exact decimal! • Let’s use SageMath to find all divisors of 100 • When q is in {3, 6, 7, 8, 9}: two decimals are not enough! ß What does this mean? – Spling 10k TA salary among 3 students! CS3330 Scienfic Compung 8 How About Other Bases • Consider binary? • Base-20? • Base-60? 1, 2, 3, 4, 5, 6, 8, 9, 10, 12,... { } • 20 and 60 are highly composite numbers – Simplify coun>ng, e.g., with base-60 system, 1/3 can be easily wrigen! CS3330 Scienfic Compung 9 Who Use Base-20 Systems? Maya Numerals Source: hps://en.wikipedia.org/wiki/Maya_numerals CS3330 Scienfic Compung 10 How About Base-60 System? Babylonian Numerals • We s>ll see base-60 systems in trigonometry and >me metrics Source: hps://en.wikipedia.org/wiki/Babylonian_numerals CS3330 Scienfic Compung 11 Prime and Composite • Primes are integers (n>1) with exactly two posive divisors • All other integers (n>1) are called composite • n Z` If is composite, then there is a prime P p such that p n | • 0 and 1 are neither prime nor composite CS3330 Scienfic Compung 12 Fundamental Theorem of Arithme>c a, b Z` p ab p a or p b • If and P p is a prime, then | ñ | | – Can be generalized to n posi>ve integers • Any integer n>1 can be wrigen as a (unique) k product of primes a = pt1pt2 ptk = pti 1 2 ··· k i i=1 – Factorizaon: canonical representaon Y • Exercise: What is the prime factorizaon of 980? • Prove that 17|n given 10 9 8 7 6 5 4 3 2 n 21 20 19 18 17 16 15 14 ¨ ¨ ¨ ¨ ¨ ¨ ¨ ¨ CS3330 Scienfic Compung ¨ “ ¨ ¨ ¨ ¨ ¨ ¨ 13 ¨ Prime Related Fun Func>ons CS3330 Scienfic Compung 14 Prime Related Fun Func>ons (cont.) CS3330 Scienfic Compung 15 Common Divisors • For , is a common divisor of a, b Z c 0 a and b if P ° c a and c b | | • Let , where . Then is a a, b a 0 or b 0 c ` Z ‰ ‰ Z greatest common divisor (P gcd) of a and P b if – c a, c b | | – For any common divisor d of a and b, we know d c | • a, b Z` For all , there exists a unique greatest P common divisor of a and b, wrigen as gcd(a,b) – it is actually the smallest posi>ve integer that is a linear combinaon of a and b gcd(a, b)=ax + by CS3330 Scienfic Compung 16 Common Mul>ples • Let . a, b Z` c is a common mulple of a and b. P c is the least common mul>ple if it is the smallest posi>ve common mul>ple of a, b, we write c=lcm(a,b) • If and . For any a, b Z` c lcm a, b d that is a P “ p q common mulple of a and b, we know c|d • For all , a, b Z` ab=lcm(a,b)gcd(a,b) P CS3330 Scienfic Compung 17 Systemac Way to Find GCD and LCM • Exercise: Count the # of posi>ve divisors of 360 – Find 2 ways to do this in SageMath, hint: factor(.) and divisors(.) e1 e2 et f1 f2 ft e ,f 0, e ,f • Let , with m p p pt ,n p p pt i i i i “ 1 2 ¨¨¨ “ 1 2 ¨¨¨ • @ we have t t ai bi gcd m, n pi , and lcm m, n pi , p q“i 1 p q“i 1 π“ π“ where ai min ei,fi ,bi max ei,fi “ p q “ 3 3 p2 2 q1 2 – Find the gcd and lcm of 491891400 2 3 5 7 11 13 2 2 1 2 3 “1 and 1138845708 2 3 7 11 13 17 “ CS3330 Scienfic Compung 18 GCD and LCM Related Func>ons CS3330 Scienfic Compung 19 Euclidean Algorithm • Compute gcd(a,b) – r0=a, r1 = b – For i >= 1, stop when rn = 0 • ri+1 = ri mod ri-1 – gcd(a,b) = rn-1 • Example: gcd (1650, 2420) = 110 CS3330 Scienfic Compung 20 Extended Euclidean Algorithm • Compute x, y for gcd(a,b) = ax + by – r0=a, x0=1, y0=0 – r1= b, x0=0, y0=1 Example: a=2420, b=1650 – For i >= 1, stop when rn = 0 • qi=ri-1 div ri • xi+1 = xi-1 - qixi • yi+1 = yi-1 - qiyi • ri+1 = ri-1 - qiri – x=xi-1, y=yi-1, CS3330 Scienfic Compung 21 Linear Diophan>ne Equaons • For two non-zero integers a and b • There exist integer solu>ons for gcd(x,y)=ax +by ß extended Euclidean algorithm • ax+by=c has integer solu>ons iff gcd(a,b) | c • ax+by=1 has integer solu>ons iff gcd(a,b) = 1 – Relave prime (or co-prime) CS3330 Scienfic Compung 22 Congruence • If a and b have the same remainder upon division by n, a is congruent to b modulo n – Wrigen as a b (mod n) ⌘ – That is n (a b) | − • Example – 5 (23 8) | − – 23 8 (mod 5) • Congruence is ⌘ compable with addi>ons and mul>plicaons: and a b (mod n) c d (mod n) ⌘ ⌘ imply and a + c b + d (mod n) ac bd (mod n) ⌘ ⌘ CS3330 Scienfic Compung 23 Why Congruence is Useful? • Compute 122016 (mod 19) • Steps: 1. 12 2 = 144 11 (mod 19) ⌘ 2. 12 3 = 11 12 = 132 18 (mod 19) ⇥ ⌘ 3. 12 4 = 18 12 = 216 7 (mod 19) ⇥ ⌘ 4. 12 5 =7 12 = 84 8 (mod 19) ⇥ ⌘ 5. 12 6 =8 12 = 96 1 (mod 19) ⇥ ⌘ • We know 2016 = 6 x 336, what’s the answer? CS3330 Scienfic Compung 24 Linear Congruence • Linear congruence refers to an equaon ax b (mod m) ⌘ • m ax b It is the same as: , meaning that there | − ax b = my exists an y, so that − – Equivalent to ax my = b − • gcd(a, m) b The linear congruence has a solu>on iff | Slide 22 CS3330 Scienfic Compung 25 ax b (mod m) Solving Linear Congruence ⌘ • First, we apply the extended Euclidean algorithm to find u, v so that au + mv = gcd(a, m) • If , we have a gcd(a, m) b soluon x = ub/gcd(a,m) | aub 0 ß m b validate: show ?gcd(a, m) − • There are more solu>ons: ub m + i , where i =0, 1,...,gcd(a, m) 1 gcd(a, m) gcd(a, m) − m | (a/gcd(a,m)) im CS3330 Scienfic Compung 26 35x 10 (mod 240) ⌘ Example of Linear Congruence • Use extended Euclidean algorithm to get: 35 ( 41) + 240 6 = 5 = gcd(35, 240) ⇥ − ⇥ • One soluon: x = ub / gcd(35, 240) = (-41 x 10)/5 =-82 ß 158 (mod 240) • Step size: 240/5 = 48, then we have the following soluons {158, 158 + 48, 158 + 2 x 48, 158 + 3 x 48, 158 + 4 x 48} = {158, 206, 14, 62, 110} under (mod 240) CS3330 Scienfic Compung 27 Mul>plicave Inverse Modulo m • a is inverble modulo m is there is an inverse x so that ax 1 (mod m) ⌘ – a is inver>ble iff gcd(a, m)=1 • x is unique, and is denoted as a-1, where 0 <= a-1 < |m| • Example: Find the inverse of 65 mod 321 (if exists) – First, we have: 65 ( 79) + 321 16 = 1 ⇥ − ⇥ – Then, we have a-1 = -79 mod 321 ß what’s the ans? CS3330 Scienfic Compung 28 Congruence Classes • The congruence classes of mod m are: [a]= x a (mod m),x Z , where a =1, 2,...,m 1 {8 ⌘ 2 } − – Equivalent classes: reflec>ve, symmetric, and transi>ve – Note that [10] = [4] (mod 6) • The set of congruence classes mod m is wrigen as: Z/mZ = [0], [1],...,[m 1] { − } – Addi>ons and mul>plicaons are well defined ß see the next slide CS3330 Scienfic Compung 29 Operaons on Z/mZ • Two operaons: + and – [a] + [b] = [a+b] – [a][b] = [ab] • ( , +, Z/mZ ) is a commutave ring – + and are: commutave, associave, is distribu>ve w.r.t +, 1 is the iden>ty of mul>plicaon – [a] may not have inverse, only if gcd(a,m)=1 Hence, it’s not a field CS3330 Scienfic Compung 30 Euler’s Phi Funcon • φ(n) 1 z n We define as the number of , where gcd(z,n)=1 – What is ? φ(10) • Write code to compute phi func>on CS3330 Scienfic Compung 31 Euler’s Phi Func>on (cont.) • Try other x values for φ(x) • Suppose x and y are two dis>nct primes, what are the relaon among ? φ(x), φ(y), and φ(x y) ⇥ – Why? – In fact, as long as x and y are co-prime, the above discussion holds! • SageMath has phi built-in CS3330 Scienfic Compung 32 Divisors of an Integer • We define be the number of divisors of ⌧(x) x • We define be the sum of all the divisors of σ(x) x ⌧(250) σ(250) CS3330 Scienfic Compung 33 Built-in Sigma Func>on • Again, actually SageMath has a sigma func>on 1 + 3 + 5 + 9 + 15 + 45 = 78 12 +32 +52 +92 + 152 + 452 = 2366 10 +30 +50 +90 + 150 + 450 =6 What is this? CS3330 Scienfic Compung 34 Amicable Pairs of Numbers • An interes>ng Arab tradi>on: put two numbers 220 and 284 on their rings and give them to their spouses divisors(220) = 1, 2, 4, 5, 10, 11, 20, 22, 44, 55, 110, 220 { } 1 + 2 + 4 + 5 + 10 + 11 + 20 + 22 + 44 + 55 + 110 = 284 divisors(284) = 1, 2, 4, 71, 142, 284 { } 1 + 2 + 4 + 71 + 142 = 220 CS3330 Scienfic Compung 35 Summary (So Far) • We introduced various number theory func>ons in SageMath • We will use them to introduce some cryptography results • References: – hgp://www.sagemath.org ß Official Web and resources – hgp://www.gregorybard.com/SAGE.html ß Our textbook CS3330 Scienfic Compung 36 How to Secretly Send Messages • Plaintext: human-readable messages • Ciphertext: scrambled message • Encrypon: plaintext à ciphertext • Decrypon: ciphertext à plaintext Encrypt Decrypt Plaintext Ciphertext Plaintext CS3330 Scienfic Compung 37 Naïve Way: ASCII Encoding • Let be the English ⌃ = A, B, .