Number Theory

The document discusses number theory concepts such as Galois fields, groups, Euclidean algorithm, extended Euclidean algorithm, Euler's phi function, and Fermat's little theorem. It then covers their applications in cryptography and the square-and-multiply algorithm for efficient exponentiation.

Uploaded by

asmm.rahaman
Number Theory for Cryptosystem
Prof. M Rahaman
Some Mathematics: A Brief Introduction to Galois Fields
• A finite field, sometimes also called Galois field, is a set with a finite number of elements. Roughly speaking, a Galois field is a finite set of elements in which we can add, subtract, multiply and invert.
• Before we introduce the definition of a field, we first need the concept of a simpler algebraic structure, a group.
• Roughly speaking, a group is a set with one operation and the corresponding inverse operation.
• If the operation is called addition, the inverse operation is subtraction;
• if the operation is multiplication, the inverse operation is division.

• The set of integers Zₘ (also denoted as ℤₘ) consists of the elements {0, 1, …, m-1}.
• The set of real numbers forms a field with the following properties:
• Additive Group: The neutral element for the additive group is 0. For any real
number a, there exists an additive inverse, denoted as -a such that a + (-a) ≡ 0 (mod
m).
• Multiplicative Group: The neutral element for the multiplicative group is 1. Every
nonzero element a has a multiplicative inverse, denoted as 1/a such that a · a⁻¹ ≡ 1
(mod m).

• In cryptography, we are almost always interested in fields with a finite number
of elements, which we call finite fields or Galois fields. The number of elements
in the field is called the order or cardinality of the field.

Find the multiplicative inverse pairs modulo 5.
Solution:

Content of this Chapter

• Symmetric Cryptography Revisited
• Principles of Asymmetric Cryptography
• Practical Aspects of Public-Key Cryptography
• Important Public-Key Algorithms
• Essential Number Theory for Public-Key Algorithms

Euclidean Algorithm
• Compute the greatest common divisor gcd(r0, r1) of two integers r0 and r1
• gcd is easy for small numbers:
  1. factor r0 and r1
  2. gcd = highest common factor
• Example:
  r0 = 84 = 2 · 2 · 3 · 7
  r1 = 30 = 2 · 3 · 5
→ The gcd is the product of all common prime factors:
  2 · 3 = 6 = gcd(30, 84)
• But: Factoring is complicated (and often infeasible) for large numbers

Euclidean Algorithm Cont.
• Observation: gcd(r0, r1) = gcd(r0 - r1, r1)
→ Core idea:
• Reduce the problem of finding the gcd of two given numbers to that of the gcd of two smaller numbers
• Repeat process recursively
• The final gcd(ri, 0) = ri is the answer to the original problem!
Example: gcd (r0, r1) for r0 = 27 and r1 = 21

Extended Euclidean Algorithm
• An extension of the algorithm allows us to compute modular inverses, which is of major importance in public-key cryptography.
• In addition to computing the gcd, the extended Euclidean algorithm (EEA) computes a linear combination of the form: gcd(r0, r1) = s·r0 + t·r1, where s and t are integer coefficients. This equation is often referred to as Diophantine equation.

Extended Euclidean Algorithm (cont.)
• Extend the Euclidean algorithm to find modular inverse of r1 mod r0
• EEA computes s, t, and the gcd:
• Take the relation mod r0
→ Compare with the definition of modular inverse: t is the inverse of r1 mod r0
• Note that gcd(r0, r1) = 1 is required for the inverse to exist
• Recursive formulae to calculate s and t in each step
→ "magic table" for r, s, t and a quotient q to derive the inverse with pen and paper (cf. Section 6.3.2 in Understanding Cryptography)

Example: We consider the extended Euclidean algorithm to find the coefficients s0 and s1. Here r0 = 973 and r1 = 301.

Euclidean algorithm Rewrite Euclid Solution

Compute 12^-1 mod 67. The values 12 and 67 are relatively prime, i.e., gcd(67, 12) = 1. If we apply the EEA, we obtain the coefficients s and t in gcd(67, 12) = 1 = s·67 + t·12, starting with the values r0 = 67 and r1 = 12.
Euclidean Rewrite Euclid Solution
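
The pen-and-paper table for r, s, t and q, as an added example (not part of the original slides), run on the two inputs above: r0 = 973, r1 = 301 and r0 = 67, r1 = 12. The function names extended_euclid and mod_inverse are chosen here for illustration.

```python
def extended_euclid(r0, r1):
    """Return (g, s, t, rows) with g = gcd(r0, r1) = s*r0 + t*r1.

    rows is the pen-and-paper table: one (i, q, r, s, t) tuple per index i.
    """
    rows = [(0, None, r0, 1, 0), (1, None, r1, 0, 1)]
    r_prev, r_cur = r0, r1
    s_prev, s_cur = 1, 0
    t_prev, t_cur = 0, 1
    while r_cur != 0:
        q = r_prev // r_cur
        # Same recursion for all three columns: v_i = v_(i-2) - q * v_(i-1)
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
        rows.append((len(rows), q, r_cur, s_cur, t_cur))
    # The last nonzero remainder is the gcd; its row holds s and t.
    return r_prev, s_prev, t_prev, rows


def mod_inverse(a, m):
    """Inverse of a modulo m, read from the t column with r0 = m, r1 = a."""
    g, _, t, _ = extended_euclid(m, a % m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {g}")
    return t % m  # t may be negative; reduce it into {0, ..., m-1}


if __name__ == "__main__":
    for r0, r1 in ((973, 301), (67, 12)):
        g, s, t, rows = extended_euclid(r0, r1)
        print(f"gcd({r0}, {r1}) = {g} = ({s})*{r0} + ({t})*{r1}")
        for i, q, r, s_i, t_i in rows:
            print(f"  i={i}  q={'' if q is None else q}  r={r}  s={s_i}  t={t_i}")
    print("12^-1 mod 67 =", mod_inverse(12, 67))
```

Since gcd(973, 301) is not 1, mod_inverse(301, 973) raises ValueError: 301 has no inverse modulo 973.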

Example 6.7. Compute the inverse of A(x) = x^2 in the finite field GF(2^3) with P(x) = x^3 + x + 1

Euclidean Algorithm Rewrite Euclid Solution
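
Example 6.7 carried through as an added example (not from the original slides): the extended Euclidean algorithm over GF(2) polynomials, with each polynomial stored as an integer bitmask (bit i is the coefficient of x^i). The helper names are chosen here for illustration.

```python
def poly_divmod(a, b):
    """Divide GF(2) polynomials a by b; returns (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift        # add x^shift to the quotient
        a ^= b << shift        # subtraction in GF(2) is XOR
    return q, a


def poly_mul(a, b):
    """Carry-less (XOR) multiplication of two GF(2) polynomials."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf2_inverse(a, P):
    """Inverse of A(x) modulo P(x) via the EEA; only the t column is kept."""
    r_prev, r_cur = P, a
    t_prev, t_cur = 0, 1
    while r_cur != 0:
        q, rem = poly_divmod(r_prev, r_cur)
        r_prev, r_cur = r_cur, rem
        t_prev, t_cur = t_cur, t_prev ^ poly_mul(q, t_cur)
    if r_prev != 1:
        raise ValueError("no inverse: gcd(A(x), P(x)) is not 1")
    return poly_divmod(t_prev, P)[1]


def poly_str(a):
    """Render a bitmask as a polynomial, e.g. 0b111 -> 'x^2 + x + 1'."""
    terms = ["1" if i == 0 else "x" if i == 1 else f"x^{i}"
             for i in range(a.bit_length() - 1, -1, -1) if (a >> i) & 1]
    return " + ".join(terms) or "0"


if __name__ == "__main__":
    inv = gf2_inverse(0b100, 0b1011)   # A(x) = x^2, P(x) = x^3 + x + 1
    print("inverse of x^2 is", poly_str(inv))
```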

Euler's Phi Function 1/2
• New problem, important for public-key systems, e.g., RSA:
  Given the set of the m integers {0, 1, 2, …, m-1},
  how many numbers in the set are relatively prime to m?
• Answer: Euler's Phi function Φ(m)
• Example for the sets {0,1,2,3,4,5} (m=6), and {0,1,2,3,4} (m=5)
→ 1 and 5 relatively prime to m=6, hence Φ(6) = 2
→ Φ(5) = 4
• Testing one gcd per number in the set is extremely slow for large m.

Euler's Phi Function 2/2
• If canonical factorization of m known:
  (where pi primes and ei positive integers)
• then calculate Phi according to the relation
• Phi especially easy for ei = 1, e.g., m = p · q → Φ(m) = (p-1) · (q-1)
• Example m = 899 = 29 · 31:
  Φ(899) = (29-1) · (31-1) = 28 · 30 = 840
• Note: Finding Φ(m) is computationally easy if factorization of m is known (otherwise the calculation of Φ(m) becomes computationally infeasible for large numbers)

Fermat's Little Theorem
• Given a prime p and an integer a:
• Can be rewritten as
• Use: Find modular inverse, if p is prime. Rewrite to
• Comparing with definition of the modular inverse
→ is the modular inverse modulo a prime p
Example: a = 2, p = 7
• Fermat's Little Theorem works only modulo a prime p

Euler's Theorem
• Generalization of Fermat's little theorem to any integer modulus
• Given two relatively prime integers a and m:
• Example: m=12, a=5
  1. Calculate Euler's Phi Function
  2. Verify Euler's Theorem
• Fermat's little theorem = special case of Euler's Theorem
• for a prime p:
→ Fermat:
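
The phi examples and the m = 12, a = 5 check from the slides above, as an added example (not from the original slides). It computes Φ(m) both by counting gcds and from the factorization, then uses Euler's theorem, a^Φ(m) ≡ 1 mod m for gcd(a, m) = 1, to obtain a modular inverse as a^(Φ(m)-1) mod m. Trial division stands in for "factorization known" and is only practical for small m; all function names are chosen here for illustration.

```python
from math import gcd


def phi_bruteforce(m):
    """Count the integers in {0, ..., m-1} relatively prime to m (one gcd each)."""
    return sum(1 for a in range(m) if gcd(a, m) == 1)


def factorize(m):
    """Trial-division factorization, returned as {prime: exponent}."""
    factors, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:                      # whatever is left is a prime factor
        factors[m] = factors.get(m, 0) + 1
    return factors


def phi(m):
    """Euler's phi from the factorization: product of (p^e - p^(e-1))."""
    result = 1
    for p, e in factorize(m).items():
        result *= p**e - p**(e - 1)
    return result


def inverse_euler(a, m):
    """Modular inverse via Euler's theorem; requires gcd(a, m) = 1."""
    if gcd(a, m) != 1:
        raise ValueError("no inverse: a and m are not relatively prime")
    return pow(a, phi(m) - 1, m)


if __name__ == "__main__":
    for m in (5, 6, 12, 899):
        print(f"phi({m}) = {phi(m)} (gcd count: {phi_bruteforce(m)})")
    print("5^phi(12) mod 12 =", pow(5, phi(12), 12))
    print("2^-1 mod 7 =", inverse_euler(2, 7))   # Fermat case: phi(7) = 7 - 1
```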
Implementation aspects of Public Key Cryptography
• The exponents e and d are in general very large numbers.
• The exponents are typically chosen in the range of 1024–3072 bit or even larger. (The public exponent e is sometimes chosen to be a small value, but d is always very long.)
• Straightforward exponentiation as shown above would thus require around 2^1024 or more multiplications.
• Since the number of atoms in the visible universe is estimated to be around 2^300, computing 2^1024 multiplications to set up one secure session for our Web browser is not too tempting.
• The central question:
  - whether there are considerably faster methods for exponentiation available.
  - The answer is, luckily, yes. Otherwise we could forget about RSA.
• The square-and-multiply algorithm allows fast exponentiation, even with very long numbers…

Example: How many multiplications are required to compute the simple exponentiation x^8?
• With the straightforward method we need seven multiplications and squarings
• Alternate method (faster)
  - which requires only three squarings that are roughly as complex as a multiplication.
  - This fast method works fine but is restricted to exponents that are powers of 2, i.e., values e and d of the form 2^i.

How many multiplications are needed to compute a general exponent?
• Computing x^26 the straightforward way requires 25 multiplications.
• A faster way is as follows:
• This approach takes a total of six operations, two multiplications and four squarings.
• We see that we can achieve the desired result by performing two basic operations:
  - Squaring the current result,
  - Multiplying the current result by the base element x
• But we do not know the sequence in which the squarings and multiplications have to be performed for other exponents.
• Solution: square-and-multiply algorithm
  - It provides a systematic way for finding the sequence in which we have to perform squarings and multiplications by x for computing x^H.

Square-and-Multiply algorithm in brief
• The algorithm is based on scanning the bits of the exponent from the left (the most significant bit) to the right (the least significant bit).
• In every iteration, i.e., for every exponent bit,
  - the current result is squared.
• If and only if the currently scanned exponent bit has the value 1,
  - a multiplication of the current result by x is executed following the squaring.

Square-and-Multiply
• Basic principle: Scan exponent bits from left to right and square/multiply operand accordingly
Algorithm: Square-and-Multiply for x^H mod n
Input: Exponent H, base element x, Modulus n
Output: y = x^H mod n
1. Determine binary representation H = (h_t, h_(t-1), ..., h_0)_2
   Initialization: y = x (this setting processes the leading bit h_t = 1)
2. FOR i = t-1 TO 0
3.    y = y^2 mod n
4.    IF h_i = 1 THEN
5.       y = y * x mod n
6. RETURN y
• Rule: Square in every iteration (Step 3) and multiply current result by x if the exponent bit h_i = 1 (Step 5)
• Modulo reduction after each step keeps the operand y small

Example: Square-and-Multiply
• Computes x^26 without modulo reduction
• Binary representation of exponent: 26 = (1,1,0,1,0)_2 = (h4,h3,h2,h1,h0)_2

Step  Computation        Binary exponent  Op   Comment
1     x = x^1            (1)_2                 Initial setting, h4 processed
1a    (x^1)^2 = x^2      (10)_2           SQ   Processing h3
1b    x^2 * x = x^3      (11)_2           MUL  h3 = 1
2a    (x^3)^2 = x^6      (110)_2          SQ   Processing h2
2b    -                  (110)_2          -    h2 = 0
3a    (x^6)^2 = x^12     (1100)_2         SQ   Processing h1
3b    x^12 * x = x^13    (1101)_2         MUL  h1 = 1
4a    (x^13)^2 = x^26    (11010)_2        SQ   Processing h0
4b    -                  (11010)_2        -    h0 = 0
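
The algorithm and the x^26 walk-through above, as an added example (not from the original slides): it records every squaring and multiplication together with the exponent reached so far, and counts the operations for a given exponent. The names square_and_multiply and operation_counts are chosen here for illustration.

```python
def square_and_multiply(x, H, n=None):
    """Compute x^H (mod n if n is given), scanning exponent bits left to right.

    Returns (y, trace); trace lists each operation with the exponent
    accumulated so far, matching the Op column of the table above.
    """
    if H < 1:
        raise ValueError("exponent H must be a positive integer")
    red = (lambda v: v % n) if n is not None else (lambda v: v)
    y, e, trace = red(x), 1, []        # initial setting: leading bit h_t = 1
    for bit in bin(H)[3:]:             # remaining bits h_(t-1) ... h_0
        y, e = red(y * y), 2 * e       # square in every iteration
        trace.append(("SQ", e))
        if bit == "1":                 # multiply only when the bit is set
            y, e = red(y * x), e + 1
            trace.append(("MUL", e))
    return y, trace


def operation_counts(H):
    """(squarings, multiplications) the algorithm performs for exponent H."""
    bits = bin(H)[2:]
    return len(bits) - 1, bits.count("1") - 1


if __name__ == "__main__":
    y, trace = square_and_multiply(2, 26)          # no modulo reduction
    print("2^26 =", y, "via", trace)
    print("x^8 needs", operation_counts(8))
    # Worst case for a 1024-bit exponent: every bit set.
    print("1024-bit exponent, all ones:", operation_counts(2**1024 - 1))
    print("153^35 mod 3293 =", square_and_multiply(153, 35, 3293)[0])
```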

Speed-Up Techniques

• Modular exponentiation is computationally intensive
• Even with the square-and-multiply algorithm, RSA can be quite slow on constrained devices such as smart cards
• Some important tricks:
  - Short public exponent e
  - Chinese Remainder Theorem (CRT)
  - Exponentiation with pre-computation (not covered here)

RSA an example
ALICE
Message x = 153
BOB
1. Choose p = 37 and q = 89
2. Compute n = p * q = 3293
3. Φ(n) = (83-1) * (263-1) = 21484
4. Choose e = 35
5. d ≡ e^-1 ≡ 2987 mod 3293
Kpub = (3293, 35)
ALICE
y = x^e ≡ 153^35 ≡ 2494 mod 3293
y = 2494
BOB
x = y^d = 2494^2987 ≡ 153 mod 3293

This is computationally expensive
Solution: The Chinese Remainder Theorem

The Chinese Remainder Theorem
• Suppose p, q are relatively prime
  - Then y ≡ a mod pq if and only if
  - y ≡ a mod p
  - y ≡ a mod q
• Example
  - Bob received the message c = 2494. Decrypt the message. { Hint: Bob knows p (= 37) and q (= 89), where pq (= 3293) is n. Bob also knows the decryption key, d = 2987. }
• Since p and q are prime, c^(p-1) ≡ 1 mod p and c^(q-1) ≡ 1 mod q
• In this example,
  - x ≡ 2494^2987 mod 37 and x ≡ 2494^2987 mod 89
  - x ≡ 15^2987 mod 37 and x ≡ 2^2987 mod 89
• Since 37 and 89 are prime, we can reduce the exponents

The Chinese Remainder Theorem (cont.)
Since p and q are prime,
c^(p-1) ≡ 1 mod p and
c^(q-1) ≡ 1 mod q

x ≡ 15^2987 mod 37
x ≡ 15^((36 × 82) + 35) mod 37
x ≡ (15^36)^82 · 15^35 mod 37
x ≡ 1 × 15^35 mod 37
x ≡ 15^35 mod 37
x ≡ 5 mod 37

Similarly,
x ≡ 2^2987 mod 89
x ≡ 2^((88 × 33) + 83) mod 89
x ≡ (2^88)^33 · 2^83 mod 89
x ≡ 1 × 2^83 mod 89
x ≡ 2^83 mod 89
x ≡ 64 mod 89

CRT Rule
• If x ≡ a1 mod m1
• If x ≡ a2 mod m2
…
• If x ≡ an mod mn
then x ≡
M1 = M / m1 and so on, where M = m1 * m2 * … * mn

x ≡ 15^35 mod 37    x ≡ 2^83 mod 89
x ≡ 5 mod 37        x ≡ 64 mod 89

Given                 To find
a1 = 5   m1 = 37      M1 = 89   = 5      M = 37 * 89 = 3293
a2 = 64  m2 = 89      M2 = 37   77

x ≡ 5*89*5 + 64*37*77 mod 3293
x ≡ 2225 + 182336 mod 3293
x ≡ 184561 mod 3293
x ≡ 153 mod 3293
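
Bob's decryption worked above, as an added example (not from the original slides): reduce the base and the exponent modulo each prime, then recombine with the CRT rule. The values 5 and 77 in the table are the inverses of M1 = 89 modulo 37 and of M2 = 37 modulo 89, which the code obtains with Python's built-in pow(M_i, -1, m_i) (Python 3.8 or later); the function names are chosen here for illustration.

```python
def crt_combine(residues, moduli):
    """CRT rule: x = sum(a_i * M_i * (M_i^-1 mod m_i)) mod M, with M_i = M / m_i."""
    M = 1
    for m in moduli:
        M *= m
    total = 0
    for a, m in zip(residues, moduli):
        M_i = M // m
        total += a * M_i * pow(M_i, -1, m)   # built-in modular inverse
    return total % M


def rsa_decrypt_crt(c, d, p, q):
    """Decrypt c with private exponent d using the prime factors p and q.

    Returns (x, (x_p, x_q)), where x_p and x_q are the two small results.
    """
    # Fermat: c^(p-1) = 1 mod p, so the exponent can be reduced mod (p-1).
    x_p = pow(c % p, d % (p - 1), p)
    x_q = pow(c % q, d % (q - 1), q)
    return crt_combine([x_p, x_q], [p, q]), (x_p, x_q)


def key_is_consistent(p, q, e, d):
    """True if d is the inverse of e modulo (p-1)*(q-1)."""
    return (e * d) % ((p - 1) * (q - 1)) == 1


if __name__ == "__main__":
    p, q, e, d, c = 37, 89, 35, 2987, 2494   # values from the example above
    # (p-1)*(q-1) = 36 * 88 = 3168, and 35 * 2987 = 33 * 3168 + 1
    print("key pair consistent:", key_is_consistent(p, q, e, d))
    print("reduced exponents:", d % (p - 1), d % (q - 1))
    x, (x_p, x_q) = rsa_decrypt_crt(c, d, p, q)
    print(f"x = {x_p} mod {p}, x = {x_q} mod {q}  ->  x = {x}")
```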