chapter 8 more number theory · 2015-03-09 · introduction to number theory cryptography and...


Post on 01-Jun-2020


Chapter 8 Introduction to Number Theory

CRYPTOGRAPHY AND NETWORK SECURITY

1

Index

1. Prime Numbers

2. Fermat's and Euler's Theorems

3. Testing for Primality

4. Discrete Logarithms

2

Prime Numbers

3

Prime Numbers

Prime numbers are a central concern of number theory.

An integer $p > 1$ is a prime number if its only divisors are $\pm 1$ and $\pm p$.

Any integer $a > 1$ can be factored in a unique way as

◦ $a = p_1^{a_1} \times p_2^{a_2} \times \cdots \times p_t^{a_t}$

◦ $91 = 7 \times 13$

◦ $3600 = 2^4 \times 3^2 \times 5^2$

◦ $11011 = 7 \times 11^2 \times 13$

4

Prime Numbers (cont'd)

$a = \prod_{p \in P} p^{a_p}$, where each $a_p \ge 0$

◦ The integer 12 is represented by $\{a_2 = 2, a_3 = 1\}$

◦ The integer 18 is represented by $\{a_2 = 1, a_3 = 2\}$

◦ The integer 91 is represented by $\{a_7 = 1, a_{13} = 1\}$

Let $a = \prod_{p \in P} p^{a_p}$ and $b = \prod_{p \in P} p^{b_p}$, and define $k = ab$. Then $k = \prod_{p \in P} p^{k_p}$.

It follows that $k_p = a_p + b_p$ for all $p \in P$

◦ $k = 12 \times 18 = (2^2 \times 3) \times (2 \times 3^2) = 216$

◦ $k_2 = 2 + 1 = 3$; $k_3 = 1 + 2 = 3$

◦ $216 = 2^3 \times 3^3 = 8 \times 27$

5

Prime Numbers (cont'd)

$a = \prod_{p \in P} p^{a_p}$, $b = \prod_{p \in P} p^{b_p}$

If $a \mid b$, then $a_p \le b_p$ for all $p$

◦ $a = 12$; $b = 36$; $12 \mid 36$

◦ $12 = 2^2 \times 3$; $36 = 2^2 \times 3^2$

◦ $a_2 = 2 = b_2$

◦ $a_3 = 1 \le b_3$

Thus, the inequality $a_p \le b_p$ is satisfied for all prime numbers.

6

Prime Numbers (cont'd)

It is easy to determine the gcd of two positive integers if we express each integer as the product of primes.

◦ $300 = 2^2 \times 3^1 \times 5^2$

◦ $18 = 2^1 \times 3^2$

◦ $\gcd(18, 300) = 2^1 \times 3^1 \times 5^0 = 6$

If $k = \gcd(a, b)$, then $k_p = \min(a_p, b_p)$ for all $p$

Determining the prime factors of a large number is not an easy task, so the preceding relationship does not directly lead to a practical method of calculating the gcd.

*gcd: greatest common divisor

7

Fermat's and Euler's Theorems

8

Fermat's Theorems

These two theorems play important roles in public-key cryptography.

Fermat's Theorem

◦ If $p$ is a prime and $a$ is a positive integer not divisible by $p$, then

◦ $a^{p-1} \equiv 1 \pmod{p}$

$a = 7$, $p = 19$

$7^2 = 49 \equiv 11 \pmod{19}$

$7^4 \equiv 121 \equiv 7 \pmod{19}$

$7^8 \equiv 49 \equiv 11 \pmod{19}$

$7^{16} \equiv 121 \equiv 7 \pmod{19}$

$a^{p-1} = 7^{18} = 7^{16} \times 7^2 \equiv 7 \times 11 = 77 \equiv 1 \pmod{19}$

9

Fermat's Theorems: Proof

Consider the set $\{1, 2, \ldots, p-1\}$

and the set $X = \{a \bmod p,\ 2a \bmod p,\ \ldots,\ (p-1)a \bmod p\}$

◦ Suppose $ja \equiv ka \pmod{p}$, where $1 \le j < k \le p-1$. Because $a$ is relatively prime to $p$, we can eliminate $a$.

◦ This results in $j \equiv k \pmod{p}$, which is impossible.

◦ Therefore all the elements of set $X$ are different.

$a \times 2a \times \cdots \times (p-1)a \equiv [1 \times 2 \times \cdots \times (p-1)] \pmod{p}$

$a^{p-1}(p-1)! \equiv (p-1)! \pmod{p}$

$a^{p-1} \equiv 1 \pmod{p}$

10

Fermat's Theorems (cont'd)

Alternative form: $a^p \equiv a \pmod{p}$

This form does not require that $a$ and $p$ be relatively prime.

◦ $p = 5$, $a = 3$: $a^p = 3^5 = 243 \equiv 3 \pmod{5} \equiv a \pmod{p}$

◦ $p = 5$, $a = 10$: $a^p = 10^5 = 100000 \equiv 10 \pmod{5} \equiv 0 \pmod{5} \equiv a \pmod{p}$

11

Euler's Totient Function

Written $\phi(n)$, and defined as the number of positive integers less than $n$ and relatively prime to $n$.

◦ Determine $\phi(37)$: 37 is prime, so all of the integers 1 through 36 are relatively prime to 37. Thus $\phi(37) = 36$

◦ For a prime number $p$, $\phi(p) = p - 1$

If we have two prime numbers $p$ and $q$ with $p \ne q$, then for $n = pq$,

◦ $\phi(n) = \phi(pq) = \phi(p) \times \phi(q) = (p - 1) \times (q - 1)$

$\phi(n) = (pq - 1) - [(q - 1) + (p - 1)]$

$= pq - (p + q) + 1$

$= (p - 1) \times (q - 1) = \phi(p) \times \phi(q)$

◦ $\phi(21) = \phi(3) \times \phi(7) = (3 - 1) \times (7 - 1) = 2 \times 6 = 12$

◦ $\{1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20\}$

12

Euler's Theorem

For every $a$ and $n$ that are relatively prime:

◦ $a^{\phi(n)} \equiv 1 \pmod{n}$

This is true if $n$ is prime, because of Fermat's theorem.

◦ $\phi(n) = n - 1$

◦ $a^{n-1} \equiv 1 \pmod{n}$

But this also holds for any integer $n$.

$a = 3$; $n = 10$; $\phi(10) = 4$, $a^{\phi(n)} = 3^4 = 81 \equiv 1 \pmod{10}$

$a = 2$; $n = 11$; $\phi(11) = 10$, $a^{\phi(n)} = 2^{10} = 1024 \equiv 1 \pmod{11}$

13

Euler's Theorem: Proof

$R = \{x_1, x_2, \ldots, x_{\phi(n)}\}$

Each $x_i$ is a unique positive integer less than $n$.

Now multiply each element by $a$, modulo $n$:

$S = \{(a x_1 \bmod n), (a x_2 \bmod n), \ldots, (a x_{\phi(n)} \bmod n)\}$

From here, the proof is very similar to the proof of Fermat's theorem.
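The proof step above, carried out numerically, as an added example that is not part of the original slides: it builds R and S, checks that S is a rearrangement of R, and shows what breaks when a and n share a factor. The function names are assumptions of this example.

```python
from math import gcd, prod

def reduced_residues(n):
    """R: the positive integers less than n that are relatively prime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def phi(n):
    """Euler's totient by direct counting (fine for small n only)."""
    return len(reduced_residues(n))

def multiply_set(a, n):
    """S: every element of R multiplied by a, modulo n."""
    return [(a * x) % n for x in reduced_residues(n)]

def proof_steps(a, n):
    """Return (S is a permutation of R,
               prod(S) == a^phi(n) * prod(R) mod n,
               a^phi(n) mod n)."""
    R, S = reduced_residues(n), multiply_set(a, n)
    a_phi = pow(a, phi(n), n)
    is_permutation = sorted(S) == R
    products_match = prod(S) % n == (a_phi * prod(R)) % n
    return is_permutation, products_match, a_phi

if __name__ == "__main__":
    print(reduced_residues(21))   # the 12 integers counted by phi(21)
    print(proof_steps(3, 10))     # gcd(3, 10) = 1: S permutes R, so 3^4 = 1 mod 10
    print(proof_steps(2, 10))     # gcd(2, 10) = 2: S is not R, and 2^4 mod 10 is 6
```

When S is a permutation of R the two products are equal, and because prod(R) is relatively prime to n it can be cancelled, leaving $a^{\phi(n)} \equiv 1 \pmod{n}$.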

14

Testing for Primality

15

Testing for Primality

Miller-Rabin Algorithm:

First, any positive odd integer $n \ge 3$ can be expressed as

$n - 1 = 2^k q$ with $k > 0$, $q$ odd

We will also need two properties of prime numbers.

1. If $p$ is prime and $a$ is a positive integer less than $p$, then $a^2 \bmod p = 1$

2. Let $p$ be a prime number greater than 2. We can write $p - 1 = 2^k q$ with $k > 0$, $q$ odd. Let $a$ be any integer in the range $1 < a < p - 1$. Then one of two conditions is true:

◦ 1. $a^q$ is congruent to 1 modulo $p$. That is, $a^q \bmod p = 1$, or $a^q \equiv 1 \pmod{p}$

◦ 2. One of the numbers $a^q, a^{2q}, a^{4q}, \ldots, a^{2^{k-1}q}$ is congruent to $-1$ modulo $p$. That is, there is some $j$ in the range $(1 \le j \le k)$ such that $a^{2^{j-1}q} \bmod p = -1 \bmod p = p - 1$, or $a^{2^{j-1}q} \equiv -1 \pmod{p}$

16

Miller-Rabin Algorithm (cont'd)

If $n$ is prime, then either the first element in the list of residues, or remainders, $(a^q, a^{2q}, \ldots, a^{2^{k-1}q}, a^{2^k q}) \bmod n$ equals 1, or some element in the list equals $(n - 1)$; otherwise, $n$ is not a prime.

Also, if the condition is met, it does not necessarily mean that $n$ is prime.

$n = 2047 = 23 \times 89$, then $n - 1 = 2 \times 1023$, and $2^{1023} \bmod 2047 = 1$, so the condition is met, but $n$ is not prime.

17

Miller-Rabin Algorithm (cont'd)

The TEST procedure takes a candidate integer $n$ as input and returns the result composite if $n$ is not a prime, and the result inconclusive if $n$ may or may not be a prime.

TEST(n)

1. Find integers $k$, $q$, with $k > 0$, $q$ odd, so that $n - 1 = 2^k q$;

2. Select a random integer $a$, $1 < a < n - 1$;

3. If $a^q \bmod n = 1$ then return ("inconclusive");

4. For $j = 0$ to $k - 1$ do

5. If $a^{2^j q} \bmod n = n - 1$ then return ("inconclusive");

6. return ("composite");

18

Discrete Logarithms

19

The Powers of an Integer, Modulo n

$a^m \equiv 1 \pmod{n}$

If $a$ and $n$ are relatively prime, then there is at least one integer $m$ that satisfies this equation, namely $m = \phi(n)$. The least positive exponent $m$ for which this equation holds is referred to in several ways:

◦ The order of a(mod n)

◦ The exponent to which a belongs(mod n)

◦ The length of the period generated by a

20

21

The Powers of an Integer, Modulo n

1. All sequences end in 1.

2. The length of a sequence divides $\phi(19) = 18$. That is, an integral number of sequences occur in each row of the table.

3. Some of the sequences are of length 18. In this case, it is said that the base integer $a$ generates (via powers) the set of nonzero integers modulo 19. Each such integer is called a primitive root of the modulus 19.

If a number is of order $\phi(n)$, it is referred to as a primitive root.

If $a$ is a primitive root of $n$,

$a, a^2, \ldots, a^{\phi(n)}$ are distinct (mod $n$) and are all relatively prime to $n$.

Not all integers have primitive roots. The only integers with primitive roots are those of the form $2, 4, p^a, 2p^a$, where $p$ is any odd prime and $a$ is a positive integer.

22

Logarithms for Modular Arithmetic

Review the properties of ordinary logarithms

◦ $y = x^{\log_x(y)}$

◦ $\log_x(1) = 0$

◦ $\log_x(x) = 1$

◦ $\log_x(yz) = \log_x(y) + \log_x(z)$

◦ $\log_x(y^r) = r \times \log_x(y)$

Consider a primitive root $a$ for some prime number $p$. We know that the powers of $a$ from 1 through $(p-1)$ produce each integer from 1 through $(p-1)$ exactly once. And any integer $b$ satisfies

$b \equiv r \pmod{p}$ for some $r$, where $0 \le r \le (p - 1)$

$b \equiv a^i \pmod{p}$ where $0 \le i \le (p - 1)$

23

Logarithms for Modular Arithmetic (cont'd)

This exponent $i$ is referred to as the discrete logarithm of the number $b$ for the base $a$ (mod $p$). We denote this as $\mathrm{dlog}_{a,p}(b)$.

$\mathrm{dlog}_{a,p}(1) = 0$ because $a^0 \bmod p = 1 \bmod p = 1$

$\mathrm{dlog}_{a,p}(a) = 1$ because $a^1 \bmod p = a$

24

25

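Logarithms for Modular Arithmetic (cont'd)

Now consider

$x = a^{\mathrm{dlog}_{a,p}(x)} \bmod p$, $y = a^{\mathrm{dlog}_{a,p}(y)} \bmod p$

$xy = a^{\mathrm{dlog}_{a,p}(xy)} \bmod p$

$xy \bmod p = [(x \bmod p)(y \bmod p)] \bmod p$

$a^{\mathrm{dlog}_{a,p}(xy)} \bmod p = [(a^{\mathrm{dlog}_{a,p}(x)} \bmod p)(a^{\mathrm{dlog}_{a,p}(y)} \bmod p)] \bmod p$

$= (a^{\mathrm{dlog}_{a,p}(x) + \mathrm{dlog}_{a,p}(y)}) \bmod p$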

26

Logarithms for Modular Arithmetic (cont'd)

But now consider Euler's theorem, which states that for every $a$ and $n$ that are relatively prime,

$a^{\phi(n)} \equiv 1 \pmod{n}$

Any positive integer $z$ can be expressed in the form $z = q + k\phi(n)$, with $0 \le q < \phi(n)$. Therefore, by Euler's theorem,

$a^z \equiv a^q \pmod{n}$ if $z \equiv q \pmod{\phi(n)}$

Applying this to the foregoing equality, we have

$\mathrm{dlog}_{a,p}(xy) \equiv [\mathrm{dlog}_{a,p}(x) + \mathrm{dlog}_{a,p}(y)] \pmod{\phi(p)}$

And generalizing,

$\mathrm{dlog}_{a,p}(y^r) \equiv [r \times \mathrm{dlog}_{a,p}(y)] \pmod{\phi(p)}$
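The order, primitive-root and discrete-logarithm definitions from the preceding slides, worked for the modulus 19 and checked against the two logarithm rules just derived. This is an added example, not part of the original slides; the function names are assumptions, p is assumed prime, and the exhaustive search is used only because p = 19 is tiny.

```python
from math import gcd

def order(a, n):
    """Least m > 0 with a^m = 1 (mod n); a and n must be relatively prime."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError("need n >= 2 and gcd(a, n) == 1")
    m, x = 1, a % n
    while x != 1:
        x, m = (x * a) % n, m + 1
    return m

def primitive_roots(p):
    """All a in 1..p-1 whose order is phi(p) = p - 1."""
    return [a for a in range(1, p) if order(a, p) == p - 1]

def dlog_table(a, p):
    """Map every b in 1..p-1 to i = dlog_{a,p}(b) with 0 <= i < p - 1."""
    if order(a, p) != p - 1:
        raise ValueError("a is not a primitive root of p")
    table, x = {}, 1
    for i in range(p - 1):        # walk a^0, a^1, ..., a^(p-2) mod p
        table[x] = i
        x = (x * a) % p
    return table

def log_rules_hold(a, p):
    """dlog(xy) = dlog(x) + dlog(y) and dlog(y^r) = r * dlog(y), both mod phi(p)."""
    t, phi = dlog_table(a, p), p - 1
    product = all(t[(x * y) % p] == (t[x] + t[y]) % phi for x in t for y in t)
    power = all(t[pow(y, r, p)] == (r * t[y]) % phi
                for y in t for r in range(1, 2 * p))
    return product and power

if __name__ == "__main__":
    print(order(7, 19))               # 7^3 = 343 = 18 * 19 + 1
    print(primitive_roots(19))        # bases whose powers have period 18
    print(dlog_table(2, 19))
    print(log_rules_hold(2, 19))
```

Building the table costs about p multiplications, which is the brute-force approach that stops being feasible once p is large.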

27

28

Calculation of Discrete Logarithm

Consider the equation

$y = g^x \bmod p$

If $g$, $x$, and $p$ are given, it is straightforward to calculate $y$. At worst, we must perform $x$ repeated multiplications, and algorithms exist for achieving greater efficiency.

However, given $y$, $g$, and $p$, it is, in general, very difficult to calculate $x$.

29
