
06 Number Theory and RSA

This document discusses number theory concepts and algorithms including:
- Euclid's algorithm for efficiently calculating the greatest common divisor of two numbers.
- The RSA cryptosystem which uses the difficulty of factoring large numbers to generate public/private key pairs for secure communication.
- Fast exponentiation techniques for efficiently computing large exponents required in RSA encryption/decryption.
Copyright
© Attribution Non-Commercial (BY-NC)

Number-Theoretic Algorithms

What are the factors of 326,818,261,539,809,441,763,169? There is no known efficient algorithm.
What is the greatest common divisor of 835,751,544,820 and 391,047,152,188? Euclid's algorithm solves this efficiently.
These two facts are the basis for the RSA public-key cryptosystem.

COT 5993 (Lec 14)

2/24/05

Basic Number Theory


Divisibility
3 | 12: 3 divides 12, 12 is a multiple of 3

Factors
Factors (non-trivial divisors) of 20 are 2, 4, 5, 10

Primes
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, ...
1 is not prime.
There are infinitely many primes.

Unique Factorization
Divisibility by a prime
If p is prime and p | ab, then p | a or p | b.

Unique factorization
Every integer has a unique factorization as a product of primes.
5280 = 2^5 · 3^1 · 5^1 · 11^1

Division Theorem
For any integer a and any positive integer n, there are unique integers q and r, such that 0 ≤ r < n and a = qn + r.
Quotient q and remainder r
Notation: r = a mod n

Greatest Common Divisors


Any two integers, not both 0, have a greatest common divisor (gcd).
gcd(24,30) = 6
a, b are relatively prime if gcd(a,b) = 1.

Euclid's Algorithm
For any nonnegative integer a and any positive integer b,
gcd(a,b) = gcd(b, a mod b)

Euclid's algorithm (ca. 300 B.C.)

EUCLID(a,b) {
  if (b = 0) then return a
  else return EUCLID(b, a mod b)
}

Example
EUCLID(120, 23)
= EUCLID(23, 5)
= EUCLID(5, 3)
= EUCLID(3, 2)
= EUCLID(2, 1)
= EUCLID(1, 0)
= 1
So 120 and 23 are relatively prime.

Extended Euclid's Algorithm

Theorem 31.2: gcd(a,b) is the smallest positive integer in the set {ax+by : x,y ∈ Z}.
Euclid's Algorithm can calculate x and y such that ax+by = gcd(a,b).

Example
120 / 23 = 5 r 5
So 5 = 120 - 5·23

23 / 5 = 4 r 3
So 3 = 23 - 4·5 = 23 - 4(120 - 5·23) = -4·120 + 21·23

5 / 3 = 1 r 2
So 2 = 5 - 1·3 = (120 - 5·23) - 1(-4·120 + 21·23) = 5·120 - 26·23

3 / 2 = 1 r 1
So 1 = 3 - 1·2 = (-4·120 + 21·23) - 1(5·120 - 26·23) = -9·120 + 47·23

Modular Arithmetic
We do all arithmetic modulo n.

Powers of 3
1, 3, 9, 27, 81, 243, ...

Powers of 3 modulo 7
1, 3, 2, 6, 4, 5, 1, 3, 2, 6, 4, 5, ...

Fermat's Theorem:
If p is prime and 1 ≤ a < p, then a^(p-1) = 1 (mod p).

Multiplicative Inverses
If a is relatively prime to n, then there exists x such that ax = 1 (mod n).
x is the multiplicative inverse of a (mod n).
We can find x using the Extended Euclid's Algorithm.
ax + ny = 1 implies that ax = 1 (mod n)

Example
The multiplicative inverse of 23 (mod 120) is 47, since 1 = -9·120 + 47·23.

Public Key Cryptography


Goal: Allow users to communicate securely even if they don't share a secret key.
Each user publishes a public key and also keeps a private key secret.
Anyone can encrypt a message using Alice's public key, but only she can decrypt it, using her private key.
Also, Alice can sign a message by encrypting it with her private key.

The RSA Cryptosystem


Randomly choose two large primes p and q.
p = 835,751,544,821
q = 391,047,152,189
(Really p and q should be about 150 digits long.)

Let n = pq.
n = 326,818,261,539,809,441,763,169

Idea: Factoring n is hard!

Compute φ(n) = (p-1)(q-1).
φ(n) = 326,818,261,538,582,643,066,160
(φ(n) gives the number of integers less than n that are relatively prime to n.)

RSA Cryptosystem, continued


Choose e relatively prime to φ(n).
e = 3

Use Extended Euclid's Algorithm to compute d, the multiplicative inverse of e (mod φ(n)).
d = 217,878,841,025,721,762,044,107

(e,n) is the RSA public key.
(d,n) is the RSA private key.
Encryption: E(M) = M^e mod n.
Decryption: D(C) = C^d mod n.

Fast Exponentiation
Since d is huge, C^d mod n cannot be computed naively. We can do it in 2 log d multiplications:

fun exp(C, d, n) =
  if d = 0 then 1
  else if even(d) then exp(C*C mod n, d/2, n)
  else C*exp(C, d-1, n) mod n

Correctness of RSA
Encrypting and decrypting M gives D(E(M)) = E(D(M)) = M^(ed) (mod n).
By the choice of e and d, we have ed = 1 + k(p-1)(q-1), for some k.
Calculating mod p, if M ≢ 0 (mod p), then
M^(ed) = M(M^(p-1))^(k(q-1)) = M(1)^(k(q-1)) = M (mod p)
using Fermat's Theorem.
And, of course, if M = 0 (mod p), then again M^(ed) = M (mod p).

Correctness of RSA, Continued


A similar calculation shows that M^(ed) = M (mod q).
Hence we have p | M^(ed) - M and q | M^(ed) - M.
Because gcd(p,q) = 1, this implies that pq | M^(ed) - M.
So M^(ed) = M (mod n).

Example
n = 326,818,261,539,809,441,763,169
e = 3
d = 217,878,841,025,721,762,044,107
M = 12,345,678,901,234,567,890
Encryption: E(M) = M^e mod n
E(M) = 268,102,434,874,902,796,719,062
Decryption: D(C) = C^d mod n
D(E(M)) = 12,345,678,901,234,567,890
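
The pieces above (Extended Euclid's Algorithm, multiplicative inverses, fast exponentiation and the RSA example) put together as runnable Python. This is an added example, not code from the original slides; the function names egcd, modinv, modexp, derive_private_exponent and roundtrip are chosen here, and the numeric constants are copied from the slides.

```python
"""Added example: extended Euclid, modular inverse and square-and-multiply,
run on the numbers from these slides. Textbook RSA only (no padding)."""

def egcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)          # same recursion as EUCLID(b, a mod b)
    return g, y, x - (a // b) * y     # back-substitute one division step

def modinv(a, n):
    """Multiplicative inverse of a (mod n); fails if gcd(a, n) != 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {g}")
    return x % n                      # normalise into 0..n-1

def modexp(c, d, n):
    """The slides' exp(C, d, n): about 2*log2(d) modular multiplications."""
    if d == 0:
        return 1 % n
    if d % 2 == 0:
        return modexp(c * c % n, d // 2, n)
    return c * modexp(c, d - 1, n) % n

# Values copied from the slides.
P = 835_751_544_821
Q = 391_047_152_189
N = 326_818_261_539_809_441_763_169
E = 3
D = 217_878_841_025_721_762_044_107
M = 12_345_678_901_234_567_890

def derive_private_exponent(p, q, e):
    """d = e^-1 mod (p-1)(q-1); rejects an e sharing a factor with phi(n)."""
    return modinv(e, (p - 1) * (q - 1))

def roundtrip(m, e, d, n):
    """Encrypt then decrypt m; returns (ciphertext, recovered plaintext)."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    c = modexp(m, e, n)
    return c, modexp(c, d, n)

if __name__ == "__main__":
    print(egcd(120, 23), modinv(23, 120))        # the slides' small example
    print(derive_private_exponent(P, Q, E) == D)
    print(roundtrip(M, E, D, N))
```

Textbook RSA as shown is deterministic and unpadded; deployed systems use a padding scheme such as OAEP for encryption and PSS for signatures.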

Finding Big Primes


Prime Number Theorem: the number of primes less than or equal to n is about n/ln n.
Hence a random 512-bit number is prime with probability about 1/ln 2^512 ≈ 1/355.
So random search will work well, if we can test for primality.
Randomized tests: For example, if a^(n-1) ≢ 1 (mod n), then n cannot be prime.
Agrawal, Kayal and Saxena found a polynomial-time algorithm in 2002!

Factoring Big Integers


Many very sophisticated algorithms have been developed.
But all take exponential time.
Today, factoring an arbitrary 300-digit integer remains infeasible (apparently).
