CS 127/CSCI E-127: Introduction to Cryptography
Prof. Salil Vadhan
Fall 2013
Lecture Notes 8:
Computational Number Theory
Reading.
• KatzLindell 2nd edition Ÿ8.0,8.1,8.2.3,8.3.0-8.3.2 OR 1st edition Ÿ7.0,7.1,7.2.3,7.3.0-7.3.2
Computational Number theory is a major source of hard problems (eg one-way functions) for
cryptography.
1
Modular arithmetic: ZN and Z∗N
Basic denitions:
• x ≡ y (mod N ) if N |(x − y). (Written x = y mod N in KatzLindell.)
def
• [x mod N ] = unique x0 ∈ {0, . . . , N − 1} s.t. x ≡ x0 (mod N ).
def
• ZN = {0, . . . , N − 1} with arithmetic (+,·) modulo N .
We cannot divide in general: 5 · 8 ≡ 5 · 1 (mod 35).
Fact 1 (Extended Euclidean Algorithm) For any x, y ∈ N there exists two integers a, b such
that ax + by = gcd(x, y). Moreover, such a and b can be found in polynomial time.
Denition of Z∗N
def
Z∗N = {x ∈ ZN : gcd(x, N ) = 1} = elements of ZN with multiplicative inverses
By a multiplicative inverse for x we mean an element y ∈ ZN , denoted y = x−1 , such that
x · y ≡ 1 (mod N ). Given N and x ∈ Z∗N , we can compute x−1 in polynomial time:
Example: In Z∗35 , 3−1 = . . ..
Euler phi function
def
∗
φ(N ) = |ZN
|
Example:
• Z∗35 =
• φ(35) =
1
Q: how to generate random elements of Z∗N ?
Fact 2
φ(N ) = N ·
Y
primes p|N
2
N
1
≥
1−
p
6loglogN
Groups
• An abelian group G is a set G with binary operation ? satisfying associativity, identity, inverses,
and commutativity.
Examples: ZN under addition, Z∗N under multiplication.
•
Fact:
In any group G, |x ? x ?{z· · · ? x} = id for all x ∈ G.
Examples:
•
3
|G|
Corollary: ∀x ∈ Z∗N , xφ(N ) ≡ 1
Example: [224 mod 35] =
(mod N ).
Zp when p prime
• Z∗p = Zp \ {0} (because φ(p) = p − 1) and thus Zp is called a eld.
•
Fermat's Little Theorem:
For every a ∈ Z∗p , ap−1 ≡ 1 (mod p).
• A polynomial of degree d has at most d solutions mod p.
• For every prime p, there is a g ∈ Z∗p such that {1 mod p, g mod p, g 2 mod p, g 3 mod p, . . . , g p−2 mod
p} = Z∗p . Such a g is called a generator of Z∗p .
Example: Z∗11 =
4
•
Fact 3 We can generate random n-bit prime p together with a (random) generator of Z∗p time
•
Discrete logarithms:
poly(n).
def
For x ∈ Z∗p , logg x = [unique i ∈ {0, . . . , p − 2} s.t. g i ≡ x (mod p)].
Computing the discrete logarithm is believed to be hard, even if p and g are known.
Chinese Remainder Theorem
Fact 4 (Chinese Remainder Theorem) Let N
= pq with gcd(p, q) = 1. Then the map x 7→ (x
mod p, x mod q) from ZN to Zp × Zq is one-to-one and onto. In particular, for every (y, z) ∈
Zp × Zq , there exists a unique x ∈ ZN s.t. x ≡ y (mod p) and x ≡ z (mod q). Moreover, x can be
found in polynomial time given (y, z, p, q).
2
Proof sketch:
Example:
What is the inverse map?
Z35 ↔ Z5 × Z1 5
Using the Chinese Remainder Theorem, an arithmetic question modulo N can be reduced to an
arithmetic problem modulo p and modulo q , provided we know the factorization of N .
5
Quadratic Residues
def
We dene QRN = {x2 mod N : x ∈ Z∗N }.
Proposition 5 When p odd prime, |QRp | = |Z∗p |/2 = (p − 1)/2.
Proof:
Consider the map from Z∗p → Z∗p , given by x 7→ x2 . A square in Z∗p has at least two square
roots because a2 ≡ (−a)2 mod p and a 6≡ −a mod p as p is odd. A square in Z∗p has at most two
square roots: Zp is a eld so a polynomial of degree d has at most d roots modulo p. We consider
the polynomial x2 − c ≡ 0 (mod p): for any c, the polynomial has at most two roots in Zp . The
map is hence exactly 2 to 1.
Proposition 6 When N
Proof:
= pq for odd primes p, q , |QRN | = |Z∗N |/4 and x 7→ x2 is 4-to-1 on Z∗N .
Let us prove that s ∈ QRN ⇐⇒ (s mod p ∈ QRp ) and (s mod q ∈ QRq ).
The map x 7→ x2 is 4-to-1 on Z∗N .
|QRN | = |Z∗N |/4 =
Example:
elements of QR35
3
(p − 1) (q − 1)
·
2
2