
Number Theory Algorithms and Cryptography Algorithms
Prepared by John Reif, Ph.D.
Analysis of Algorithms

Number Theory Algorithms
a) GCD
b) Multiplicative Inverse
c) Fermat's & Euler's Theorems
d) Public Key Cryptographic Systems
e) Primality Testing


Number Theory Algorithms (contd)

Main Reading Selections:
CLR, Chapter 33



Euclid's Algorithm

Greatest Common Divisor:
GCD(u, v) = largest a s.t. a is a divisor of both u, v

procedure GCD(u, v)
begin
  if v = 0 then return(u)
  else return(GCD(v, u mod v))
Euclid's Algorithm (contd)
Inductive proof of correctness:
if a is a divisor of u, v
then a is a divisor of u - ⌊u/v⌋ v = u mod v
Euclid's Algorithm (contd)
Time analysis of Euclid's Algorithm for n-bit numbers u, v:
T(n) ≤ T(n-1) + M(n)
     = O(n M(n))
     = O(n^2 log n log log n)
(where M(n) = time to multiply two n-bit integers)
Euclid's Algorithm (contd)
Fibonacci worst case: u = F_{k+1}, v = F_k
where F_0 = 0, F_1 = 1, F_{k+2} = F_{k+1} + F_k, k ≥ 0
F_k ≈ φ^k / √5, φ = (1 + √5)/2
Euclid's Algorithm takes log_φ(√5 N) = O(n) stages when N = max(u, v).
Here n = number of bits of N.
Euclid's Algorithm (contd)
Improved Algorithm:
T(n) ≤ T(n/2) + O(M(n))
     = O(M(n) log n)
Extended GCD Algorithm

procedure ExGCD(u, v)
where u = (u_1, u_2, u_3), v = (v_1, v_2, v_3)
begin
  if v_3 = 0 then return(u)
  else return ExGCD(v, u - ⌊u_3/v_3⌋ v)
Extended GCD Algorithm (contd)
Theorem: ExGCD((1, 0, x), (0, 1, y)) = (x', y', GCD(x, y))
where x x' + y y' = GCD(x, y)

Proof: inductively can verify on each call
x u_1 + y u_2 = u_3
x v_1 + y v_2 = v_3
Extended GCD Algorithm (contd)
Corollary: If gcd(x, y) = 1 then x' is the modular inverse of x modulo y.

Proof: we must show x x' = 1 mod y
but by previous Theorem, 1 = x x' + y y' = x x' mod y
so 1 = x x' mod y
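The three slides above as running code: Euclid's recursion, the triple-based extended GCD with its invariant, and the modular-inverse corollary, plus the Fibonacci worst case. This is an added example, not code from the slides; the function names are mine.

```python
# Added example (not from the slides): Euclid's GCD, the extended GCD on
# triples (u1, u2, u3), and the modular-inverse corollary.

def gcd(u, v):
    """Euclid: GCD(u, v) = GCD(v, u mod v), stopping when v = 0."""
    while v != 0:
        u, v = v, u % v
    return u

def ext_gcd(x, y):
    """Extended GCD on triples, starting from (1,0,x) and (0,1,y).
    Invariant on every step: x*u1 + y*u2 = u3 and x*v1 + y*v2 = v3.
    Returns (x', y', gcd(x, y)) with x*x' + y*y' = gcd(x, y)."""
    u1, u2, u3 = 1, 0, x
    v1, v2, v3 = 0, 1, y
    while v3 != 0:
        q = u3 // v3                      # floor(u3 / v3)
        u1, u2, u3, v1, v2, v3 = v1, v2, v3, u1 - q*v1, u2 - q*v2, u3 - q*v3
    return u1, u2, u3

def mod_inverse(x, y):
    """Corollary: if gcd(x, y) = 1, the x' from ext_gcd is x^-1 mod y."""
    xp, _, g = ext_gcd(x, y)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {y}: gcd = {g}")
    return xp % y

def fib(k):
    """F_0 = 0, F_1 = 1, F_{k+2} = F_{k+1} + F_k (the worst-case inputs)."""
    a, b = 0, 1
    for _ in range(k):
        a, b = b, a + b
    return a

def euclid_steps(u, v):
    """Number of recursive stages Euclid's algorithm takes on (u, v)."""
    steps = 0
    while v != 0:
        u, v = v, u % v
        steps += 1
    return steps

if __name__ == "__main__":
    xp, yp, g = ext_gcd(240, 46)
    print(f"gcd(240, 46) = {g}; 240*{xp} + 46*{yp} = {240*xp + 46*yp}")
    print("inverse of 17 mod 3120 =", mod_inverse(17, 3120))
    print("Euclid stages on (F_21, F_20) =", euclid_steps(fib(21), fib(20)))
```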
Modular Laws

Gives Algorithm for Modular Inverse!

Modular Laws: for n ≥ 1, if x = y mod n let x ≡ y
Modular Laws (contd)
Law A: if a ≡ b and x ≡ y then ax ≡ by
Law B: if a ≡ b and ax ≡ by and gcd(a, n) = 1 then x ≡ y
Modular Laws (contd)
let {a_1, ..., a_k} ≡ {b_1, ..., b_k} if
a_i ≡ b_{j_i} for i = 1, ..., k and {j_1, ..., j_k} = {1, ..., k}
Fermat's Little Theorem
If n prime then a^n = a mod n

Proof by Euler:
if a ≡ 0 then a^n ≡ 0 ≡ a
else suppose gcd(a, n) = 1
Then x ≡ a y for y ≡ a^{-1} x and any x
so {a, 2a, ..., (n-1)a} ≡ {1, 2, ..., n-1}
Fermat's Little Theorem (contd)
So by Law A, (a)(2a)···((n-1)a) ≡ 1·2···(n-1)
So a^{n-1} (n-1)! ≡ (n-1)!
So by Law B, a^{n-1} ≡ 1 mod n
Euler's Theorem
φ(n) = number of integers in {1, ..., n-1} relatively prime to n

Euler's Theorem: If gcd(a, n) = 1 then a^{φ(n)} = 1 mod n

Proof: let b_1, ..., b_{φ(n)} be the integers < n relatively prime to n
Euler's Theorem (contd)
Lemma: {b_1, ..., b_{φ(n)}} ≡ {a b_1, a b_2, ..., a b_{φ(n)}}

Proof: If a b_i ≡ a b_j then by Law B, b_i ≡ b_j.
Since 1 = gcd(b_i, n) = gcd(a, n) then gcd(a b_i, n) = 1, so a b_i ≡ b_{j_i}
for {j_1, ..., j_{φ(n)}} = {1, ..., φ(n)}
Euler's Theorem (contd)
By Law A and Lemma, (a b_1)(a b_2)···(a b_{φ(n)}) ≡ b_1 b_2 ··· b_{φ(n)}
so a^{φ(n)} b_1 b_2 ··· b_{φ(n)} ≡ b_1 b_2 ··· b_{φ(n)}
By Law B, a^{φ(n)} ≡ 1 mod n
Taking Powers mod n by Repeated Squaring
Problem: Compute a^e mod b

e = e_k e_{k-1} ... e_1 e_0 (binary representation)
[1] X ← 1
[2] for i = k, k-1, ..., 0 do
    begin
      X ← X^2 mod b
      if e_i = 1 then X ← X a mod b
    end
output X = a^e = a^{Σ_{i=0}^{k} e_i 2^i} mod b
Taking Powers mod n by Repeated Squaring (contd)
Time Cost: O(k) mults and additions mod b, where k = # bits of e
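The left-to-right repeated-squaring loop from the slide, scanning e_k down to e_0, with a second version that counts modular multiplications to exhibit the O(k) bound. Added example, not the slides' code; `mod_pow` and `mod_pow_counting` are my names.

```python
# Added example (not from the slides): a^e mod b by repeated squaring,
# scanning the bits of e from the most significant (e_k) down to e_0.

def mod_pow(a, e, b):
    """Compute a^e mod b with O(k) multiplications, k = number of bits of e."""
    if b == 1:
        return 0                   # everything is 0 modulo 1
    bits = bin(e)[2:]              # e_k e_{k-1} ... e_0 as a string
    x = 1                          # [1] X <- 1
    for bit in bits:               # [2] for i = k, k-1, ..., 0
        x = (x * x) % b            #     X <- X^2 mod b
        if bit == "1":             #     if e_i = 1 then X <- X*a mod b
            x = (x * a) % b
    return x                       # X = a^e mod b

def mod_pow_counting(a, e, b):
    """Same loop, also returning the number of modular multiplications:
    one squaring per bit plus one multiply per 1-bit, so at most 2k."""
    mults = 0
    x = 1
    for bit in bin(e)[2:]:
        x = (x * x) % b
        mults += 1
        if bit == "1":
            x = (x * a) % b
            mults += 1
    return x, mults

if __name__ == "__main__":
    print("4^13 mod 497 =", mod_pow(4, 13, 497))
    val, mults = mod_pow_counting(2, 255, 1000)
    print(f"2^255 mod 1000 = {val} using {mults} multiplications for 8 bits")
```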
Rivest, Shamir, Adleman (RSA) Encryption Algorithm
M = integer message
e = encryption integer for user A
Cryptogram C = E(M) = M^e mod n
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)
Method:
(1) Choose large random primes p, q; let n = p q
(2) Choose large random integer d relatively prime to φ(n) = φ(p) φ(q) = (p-1)(q-1)
(3) Let e be the multiplicative inverse of d modulo φ(n): e d = 1 mod φ(n)
    (require e > log n, else try another d)
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)
Theorem: If M is relatively prime to n, and D(x) = x^d (mod n), then
D(E(M)) = E(D(M)) = M
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)
Proof: D(E(M)) = E(D(M)) = M^{e d} mod n
There must be k > 0 s.t. 1 = gcd(d, φ(n)) = de - k φ(n)
So M^{ed} = M^{k φ(n) + 1} mod n
Since (p-1) divides φ(n), M^{k φ(n) + 1} = M mod p by Euler's Theorem
By symmetry, M^{k φ(n) + 1} = M (mod q)
Hence M^{ed} = M^{k φ(n) + 1} = M mod n
So M^{ed} = M mod n
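Toy RSA following the slide's three steps, then a check of the theorem D(E(M)) = E(D(M)) = M. Added example, not the slides' code; the primes are small constructed values so the numbers are easy to follow (real keys use primes of hundreds of digits), and `pick_d` is my hook for supplying d deterministically.

```python
# Added example (not from the slides): RSA key generation per steps (1)-(3),
# encryption C = M^e mod n, decryption D(C) = C^d mod n.
from math import gcd, log2
import secrets

def rsa_keygen(p, q, pick_d=None):
    """n = p*q; random d coprime to phi(n) = (p-1)(q-1); e = d^-1 mod phi(n),
    retrying until e > log n as the slide requires.
    pick_d(phi) returns a candidate d; the default draws one at random."""
    n = p * q
    phi = (p - 1) * (q - 1)
    pick_d = pick_d or (lambda phi: 2 + secrets.randbelow(phi - 2))
    while True:
        d = pick_d(phi)
        if gcd(d, phi) != 1:
            continue                        # d must be invertible mod phi(n)
        e = pow(d, -1, phi)                 # e*d = 1 mod phi(n)
        if e > log2(n):                     # slide: require e > log n
            return (e, n), (d, n)           # public key, private key

def encrypt(M, pub):
    e, n = pub
    return pow(M, e, n)                     # C = E(M) = M^e mod n

def decrypt(C, priv):
    d, n = priv
    return pow(C, d, n)                     # D(C) = C^d mod n

def check_theorem(M, pub, priv):
    """D(E(M)) == E(D(M)) == M. The slide proves it for gcd(M, n) = 1; the
    mod-p / mod-q argument also covers M divisible by p or q."""
    return decrypt(encrypt(M, pub), priv) == encrypt(decrypt(M, priv), pub) == M

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, pick_d=lambda phi: 2753)   # constructed toy key
    print("public (e, n) =", pub, " private (d, n) =", priv)
    C = encrypt(65, pub)
    print("E(65) =", C, " D(E(65)) =", decrypt(C, priv))
```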
Security of RSA Cryptosystem
Theorem: If can compute d in polynomial time, then can factor n in polynomial time.

Proof: e d - 1 is a multiple of φ(n)
But Miller has shown can factor n from any multiple of φ(n)

Security of RSA Cryptosystem (contd)
If can find d' s.t. M^{d'} = M^d mod n,
d' differs from d by lcm(p-1, q-1), so can factor n.
(lcm is the "least common multiple")
Rabin's Public Key Crypto System

Use private large primes p, q
public key n = q p
message M
cryptogram M^2 mod n

Theorem: If cryptosystem can be broken, then can factor key n
Rabin's Public Key Crypto System (contd)
Proof: x^2 = M^2 mod n has solutions M, α, n-M, n-α where α ∉ {M, n-M}
But then M^2 - α^2 = (M - α)(M + α) = 0 mod n
So either (1) p | (M - α) and q | (M + α)
or (2) q | (M - α) and p | (M + α)
In either case, two independent solutions for M give factorization of n,
i.e., a factor of n is gcd(n, M - α).
Rabin's Public Key Crypto System (contd)
Rabin's Algorithm for factoring n, given a way to break his cryptosystem:
Choose random α, 1 < α < n s.t. gcd(α, n) = 1
let β = α^2 mod n
find M s.t. M^2 = β mod n by assumed way to break cryptosystem
with probability ≥ 1/2, M ∉ {α, n-α}
so factors of n are found
else repeat with another α
Note: Expected number of rounds is 2
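The two Rabin slides as code: squaring, the four square roots of a cryptogram, and the reduction that turns two independent roots into gcd(n, M - α). Added example, not the slides' code; it assumes p, q ≡ 3 (mod 4) so roots mod each prime are C^((p+1)/4) (a standard fact not stated on the slides), uses constructed small primes, and plays the "assumed way to break the cryptosystem" with the private decryption routine via `root_oracle`.

```python
# Added example (not from the slides): Rabin's system with constructed
# primes p, q = 3 (mod 4), the four roots of a cryptogram, and the slide's
# argument that two roots not equal or opposite mod n factor n.
from math import gcd
import secrets

def crt(r_p, r_q, p, q):
    """Combine residues mod p and mod q into the residue mod p*q."""
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % (p * q)

def rabin_encrypt(M, n):
    return pow(M, 2, n)                       # cryptogram C = M^2 mod n

def rabin_roots(C, p, q):
    """Private decryption: all four square roots of C modulo n = p*q.
    Assumes p, q = 3 (mod 4) so a root mod p is C^((p+1)/4) mod p."""
    assert p % 4 == 3 and q % 4 == 3
    rp = pow(C, (p + 1) // 4, p)
    rq = pow(C, (q + 1) // 4, q)
    roots = {crt(rp, rq, p, q), crt(rp, -rq, p, q),
             crt(-rp, rq, p, q), crt(-rp, -rq, p, q)}
    return sorted(roots)

def factor_from_roots(n, M, alpha):
    """If M^2 = alpha^2 mod n and alpha not in {M, n-M}, then
    (M - alpha)(M + alpha) = 0 mod n and gcd(n, M - alpha) is a proper factor."""
    g = gcd(n, (M - alpha) % n)
    return g if 1 < g < n else None

def rabin_factor(n, root_oracle, rng=secrets.randbelow):
    """Slide's algorithm: random alpha coprime to n, beta = alpha^2 mod n,
    ask the oracle for some M with M^2 = beta; with probability 1/2 the
    returned M is not in {alpha, n-alpha}. Returns (factor, rounds used)."""
    rounds = 0
    while True:
        rounds += 1
        alpha = 1 + rng(n - 1)
        if gcd(alpha, n) != 1:
            return gcd(alpha, n), rounds      # alpha itself exposes a factor
        M = root_oracle(pow(alpha, 2, n))
        f = factor_from_roots(n, M, alpha)
        if f:
            return f, rounds                  # else repeat with another alpha

if __name__ == "__main__":
    p, q = 7, 11                              # constructed toy primes, n = 77
    print("roots of", rabin_encrypt(9, 77), "mod 77:", rabin_roots(4, p, q))
    print("factor, rounds =", rabin_factor(77, lambda C: rabin_roots(C, p, q)[0]))
```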

Quadratic Residues
a is quadratic residue of n if x^2 = a mod n has solution

Euler: If n is odd, prime and gcd(a, n) = 1, then
a is quadratic residue of n iff a^{(n-1)/2} = 1 mod n
Jacobi Function

J(a, n) =  1 if gcd(a, n) = 1 and a is quadratic residue of n
        = -1 if gcd(a, n) = 1 and a is not quadratic residue of n
        =  0 if gcd(a, n) ≠ 1
Jacobi Function (contd)
Gauss's Quadratic Reciprocity Law: if p, q are odd primes,
J(p, q) J(q, p) = (-1)^{(p-1)(q-1)/4}

Rivest Algorithm:
J(a, n) = 1 if a = 1
        = J(a/2, n) (-1)^{(n^2-1)/8} if a even
        = J(n mod a, a) (-1)^{((a-1)/2)((n-1)/2)} else
Jacobi Function (contd)
Theorem (Fermat): n > 2 is prime iff ∃x, 1 < x < n, such that
(1) x^{n-1} = 1 mod n
(2) x^i ≠ 1 mod n for all i ∈ {1, 2, ..., n-2}
Theorem: Primes are in NP
Proof:
input n
if n = 2 output "prime"
if n = 1 or (n even and n > 2) output "composite"
else guess x to verify Fermat's Theorem
  Check (1) x^{n-1} = 1 mod n
  To verify (2), guess prime factorization of n-1 = n_1 n_2 ··· n_k
    (a) recursively verify each n_i prime
    (b) verify x^{(n-1)/n_i} ≠ 1 mod n
Theorem: Primes are in NP (contd)
Note: if x^{n-1} = 1 mod n, the least y s.t. x^y = 1 mod n must divide n-1.
So x^{ya} = 1 mod n. Let a = (n-1)/(y n_i), so 1 = x^{(n-1)/n_i} = x^{ya} mod n.
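The NP certificate from the proof, checked rather than guessed: an x with x^(n-1) = 1 mod n, the prime factorization of n-1, and a recursive certificate for each prime factor. Added example, not the slides' code; `verify_prime_cert` is the verifier from the proof and `make_cert` builds a certificate for small n by trial division in place of the nondeterministic guess.

```python
# Added example (not from the slides): verifying and building the
# certificate that the "Primes are in NP" proof guesses. A certificate
# maps each prime m it relies on to (x_m, prime factors of m-1, with
# multiplicity); 2 is the only base case.

def verify_prime_cert(n, cert):
    """True iff cert proves n prime by conditions (1), (2a), (2b)."""
    if n == 2:
        return True
    if n <= 1 or n % 2 == 0 or n not in cert:
        return False
    x, factors = cert[n]
    if not (1 < x < n) or pow(x, n - 1, n) != 1:  # (1) x^(n-1) = 1 mod n
        return False
    prod = 1
    for f in factors:
        prod *= f
    if prod != n - 1:                             # guessed factorization must be exact
        return False
    for f in set(factors):
        if not verify_prime_cert(f, cert):        # (a) each n_i is itself certified
            return False
        if pow(x, (n - 1) // f, n) == 1:          # (b) x^((n-1)/n_i) != 1 mod n
            return False
    return True

def make_cert(n, cert=None):
    """Build a certificate for a small prime n (trial division stands in for
    the guess). Returns None if no x satisfies (1) and (2b), i.e. n is composite."""
    cert = {} if cert is None else cert
    if n == 2:
        return cert
    if n <= 1 or n % 2 == 0:
        return None
    factors, m, f = [], n - 1, 2
    while f * f <= m:
        while m % f == 0:
            factors.append(f)
            m //= f
        f += 1
    if m > 1:
        factors.append(m)
    for x in range(2, n):
        if pow(x, n - 1, n) == 1 and all(pow(x, (n - 1) // q, n) != 1 for q in set(factors)):
            cert[n] = (x, factors)
            break
    else:
        return None                               # no element of order n-1: composite
    return cert if all(make_cert(q, cert) is not None for q in set(factors)) else None
```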
Primality Testing

Goal of Randomized Primality Testing: wish to test if n is prime
technique: W_n(a) = "a witness that n is composite"
W_n(a) = true  ⇒ n composite
W_n(a) = false ⇒ don't know
for random a ∈ {1, ..., n-1}: n composite ⇒ Prob(W_n(a) = true) > 1/2
So ≥ 1/2 of all a ∈ {1, ..., n-1} are "witnesses to compositeness of n"
Primality Testing (contd)
Solovay & Strassen Primality Test:
W_n(a) = (gcd(a, n) ≠ 1) or (J(a, n) ≠ a^{(n-1)/2} mod n)
i.e. test if Gauss's Quadratic Reciprocity Law is violated
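Rivest's recursive Jacobi function from the earlier slide and the Solovay-Strassen witness built on it share one helper, so both are shown here together. Added example, not the slides' code; `jacobi`, `ss_witness` and `solovay_strassen` are my names, and `euler_criterion_ok` checks Euler's criterion for a prime modulus.

```python
# Added example (not from the slides): J(a, n) by Rivest's recursion and
# the Solovay-Strassen witness W_n(a) = (gcd(a,n) != 1) or (J(a,n) != a^((n-1)/2) mod n).
from math import gcd
import secrets

def jacobi(a, n):
    """J(a, n) for odd n >= 1: J(1,n) = 1; a even: J(a/2,n)(-1)^((n^2-1)/8);
    else J(n mod a, a)(-1)^(((a-1)/2)((n-1)/2)). J(0, n) = 0 for n > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    if a == 0:
        return 1 if n == 1 else 0             # gcd(a, n) != 1 bottoms out here
    if a == 1:
        return 1
    if a % 2 == 0:
        return jacobi(a // 2, n) * (-1) ** ((n * n - 1) // 8)
    return jacobi(n % a, a) * (-1) ** (((a - 1) // 2) * ((n - 1) // 2))

def ss_witness(n, a):
    """True means a witnesses that odd n is composite."""
    if gcd(a, n) != 1:
        return True
    return jacobi(a, n) % n != pow(a, (n - 1) // 2, n)

def solovay_strassen(n, trials=20, rng=secrets.randbelow):
    """Randomized test: each random a in {1..n-1} catches a composite n
    with probability > 1/2, so a composite survives `trials` rounds with
    probability < 2^-trials."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for _ in range(trials):
        a = 1 + rng(n - 1)
        if ss_witness(n, a):
            return False                      # definitely composite
    return True                               # probably prime

def euler_criterion_ok(p):
    """For odd prime p: J(a,p) = a^((p-1)/2) mod p for every a in 1..p-1."""
    return all(not ss_witness(p, a) for a in range(1, p))

if __name__ == "__main__":
    n = 561                                   # constructed composite (3*11*17)
    hits = sum(ss_witness(n, a) for a in range(1, n))
    print(f"{hits} of {n-1} values of a witness that {n} is composite")
```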
Definitions
Z_n^* = set of all nonnegative numbers < n which are relatively prime to n.
generator g of Z_n^*: such that for all x ∈ Z_n^* there is i such that g^i = x mod n
Theorem of Solovay & Strassen
Theorem: If n is composite then |G| ≤ (n-1)/2,
where G = {a | W_n(a mod n) false}

Proof:
Case G ≠ Z_n^*: G is a subgroup of Z_n^*, so |G| ≤ |Z_n^*|/2 ≤ (n-1)/2
Theorem of Solovay & Strassen (contd)
Case G = Z_n^*: Use proof by contradiction
so a^{(n-1)/2} = J(a, n) mod n for all a relatively prime to n
Let n have prime factorization n = p_1^{o_1} p_2^{o_2} ··· p_k^{o_k}, o_i > 0
Let g be a generator of Z_{m_1}^* where m_1 = p_1^{o_1}
Theorem of Solovay & Strassen (contd)
Then by Chinese Remainder Theorem, ∃ unique a s.t.
a = g mod m_1 and a = 1 mod (n/m_1)
Since a is relatively prime to n, a ∈ Z_n^*, so
a^{n-1} = 1 mod n and g^{n-1} = 1 mod n
Theorem of Solovay & Strassen (contd)
Case o_1 ≥ 2: Then order of g in Z_{m_1}^* is p_1^{o_1 - 1}(p_1 - 1) by known formula,
a contradiction since the order divides n-1.
Theorem of Solovay & Strassen (contd)
Case o_1 = 1: Since n = p_1 p_2^{o_2} ··· p_k^{o_k},
J(a, n) = J(a, p_1) Π_{i ≥ 2} J(a, p_i)^{o_i}
Since a = g mod p_1 and a = 1 mod p_i for i ≥ 2,
J(a, p_1) = J(g, p_1) and J(a, p_i) = J(1, p_i) for i ≥ 2
So J(a, n) = -1 mod n, since J(1, p_i) = 1 and J(g, p_1) = -1
Theorem of Solovay & Strassen (contd)
We have shown J(a, n) = -1 mod n, so a^{(n-1)/2} = -1 mod n
But by assumption a = 1 mod (n/m_1), so a^{(n-1)/2} = 1 mod (n/m_1)
Hence a^{(n-1)/2} ≠ J(a, n) mod (n/m_1), a contradiction with Gauss's Law
Miller

Miller's Primality Test
W_n(a) = (gcd(a, n) ≠ 1)
  or (a^{n-1} ≠ 1 mod n)
  or gcd(a^{(n-1)/2^i} mod n - 1, n) ≠ 1 for i ∈ {1, ..., k}
where k = max {i | 2^i divides n-1}
Theorem (Miller): Assuming the extended RH, if n is composite, then W_n(a) holds
for some a ∈ {1, 2, ..., c log^2 n}

Miller's Test assumes extended RH (not proved)
Miller (contd)
Miller-Rabin Randomized Primality Test:
choose a random a ∈ {1, ..., n-1}
test W_n(a)

Theorem: if n is composite then Prob(W_n(a) holds) > 1/2
gives another randomized, polytime algorithm for primality!
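Miller's witness W_n(a) and the Miller-Rabin test that samples it. Added example, not the slides' code; the gcd clause is implemented in Miller's proper-factor form, 1 < gcd(a^((n-1)/2^i) - 1, n) < n, since a gcd equal to n only says a^((n-1)/2^i) = 1 mod n, which every prime also produces. `witness_fraction` exhibits the > 1/2 bound on a small composite.

```python
# Added example (not from the slides): Miller's witness W_n(a) and the
# Miller-Rabin randomized primality test built on it.
from math import gcd
import secrets

def miller_witness(n, a):
    """True iff a witnesses that odd n > 2 is composite."""
    if gcd(a, n) != 1:
        return True
    if pow(a, n - 1, n) != 1:                  # a^(n-1) != 1 mod n
        return True
    m, k = n - 1, 0
    while m % 2 == 0:                          # k = max{i : 2^i divides n-1}
        m //= 2
        k += 1
    for i in range(1, k + 1):
        g = gcd(pow(a, (n - 1) >> i, n) - 1, n)
        if 1 < g < n:                          # a proper factor of n was exposed
            return True
    return False

def miller_rabin(n, trials=20, rng=secrets.randbelow):
    """Random a in {1..n-1}: a composite n is caught per trial with
    probability > 1/2, so it survives `trials` rounds with prob < 2^-trials."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(trials):
        a = 1 + rng(n - 1)
        if miller_witness(n, a):
            return False                       # definitely composite
    return True                                # probably prime

def witness_fraction(n):
    """Fraction of a in {1..n-1} that are witnesses; > 1/2 when n is composite."""
    hits = sum(miller_witness(n, a) for a in range(1, n))
    return hits / (n - 1)

if __name__ == "__main__":
    for n in (91, 561, 997):                   # constructed: two composites, one prime
        print(n, "witness fraction =", round(witness_fraction(n), 3),
              "miller_rabin says prime:", miller_rabin(n))
```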
