Number Theory Algorithms

Number Theory Algorithms and
Cryptography Algorithms
Analysis of Algorithms
Prepared by
John Reif, Ph.D.
Number Theory Algorithms
a) GCD
b) Multiplicative Inverse
c) Fermat & Euler’s Theorems
d) Public Key Cryptographic Systems
e) Primality Testing
Number Theory Algorithms (cont’d)
•  Main Reading Selections: CLR, Chapter 33
Euclid’s Algorithm
•  Greatest Common Divisor
GCD(u, v) = largest a s.t. a is a divisor of both u, v
•  Euclid’s Algorithm
procedure GCD(u, v)
begin
  if v = 0 then return(u)
  else return(GCD(v, u mod v))
end
Euclid’s Algorithm (cont’d)
•  Inductive proof of correctness:
a is a divisor of both u and v
⇔ a is a divisor of both v and u − (⎣u/v⎦) v = u mod v
so GCD(u, v) = GCD(v, u mod v)
Euclid’s Algorithm (cont’d)
•  Time Analysis of Euclid’s Algorithm for n-bit numbers u, v
T(n) ≤ T(n−1) + M(n)
= O(n M(n))
= O(n² log n log log n)
(where M(n) = time to multiply two n-bit integers)
Euclid’s Algorithm (cont’d)
•  Fibonacci worst case:
u = F_k, v = F_{k+1}
where F_0 = 0, F_1 = 1, F_{k+2} = F_{k+1} + F_k, k ≥ 0
F_k ≈ Φ^k / √5, Φ = (1 + √5) / 2
⇒ Euclid's Algorithm takes log_Φ(√5 N) = O(n) stages when N = max(u, v).
Here n = number of bits of N.
Euclid’s Algorithm (cont’d)
•  Improved Algorithm
T(n) ≤ T(n/2) + O(M(n))
= O(M(n) log n)
Extended GCD Algorithm
 
procedure ExGCD(u, v)
  where u = (u1, u2, u3), v = (v1, v2, v3)
begin
  if v3 = 0 then return(u)
  else return ExGCD(v, u − ⎣u3 / v3⎦ · v)
end
Extended GCD Algorithm (cont’d)
•  Theorem
ExGCD((1, 0, x), (0, 1, y)) = (x', y', GCD(x, y))
where x x' + y y' = GCD(x, y)
•  Proof
inductively can verify on each call
  x u1 + y u2 = u3
  x v1 + y v2 = v3
Extended GCD Algorithm (cont’d)
•  Corollary
If gcd(x, y) = 1 then x' is the modular inverse of x modulo y
•  Proof
we must show x x' ≡ 1 mod y
but by previous Theorem,
1 = x x' + y y' ≡ x x' mod y
so x x' ≡ 1 mod y
Modular Laws
•  Gives Algorithm for Modular Inverse!
•  Modular Laws
for n ≥ 1, let x ≡ y if x = y (mod n)
Modular Laws (cont’d)
Law A: if a ≡ b and x ≡ y then ax ≡ by
Law B: if a ≡ b and ax ≡ by and gcd(a, n) = 1 then x ≡ y
Modular Laws (cont’d)
let {a_1, …, a_k} ≡ {b_1, …, b_k} if
a_i ≡ b_{j_i} for i = 1, …, k and
{j_1, …, j_k} = {1, …, k}
Fermat’s Little Theorem
•  If n prime then a^n ≡ a mod n
•  Proof by Euler
if a ≡ 0 then a^n ≡ 0 ≡ a
else suppose gcd(a, n) = 1
Then x ≡ a y for y ≡ a^{−1} x and any x
so {a, 2a, …, (n−1)a} ≡ {1, 2, …, n−1}
Fermat’s Little Theorem (cont’d)
So by Law A,
(a)(2a) ⋅⋅⋅ ((n−1)a) ≡ 1 ⋅ 2 ⋅⋅⋅ (n−1)
So a^{n−1} (n−1)! ≡ (n−1)!
So by Law B
a^{n−1} ≡ 1 mod n
Euler’s Theorem
•  ϕ(n) = number of integers in {1, …, n−1} relatively prime to n
•  Euler’s Theorem
If gcd(a, n) = 1 then a^{ϕ(n)} ≡ 1 mod n
•  Proof
let b_1, …, b_{ϕ(n)} be the integers < n relatively prime to n
Euler’s Theorem (cont’d)
•  Lemma
{b_1, …, b_{ϕ(n)}} ≡ {a b_1, a b_2, …, a b_{ϕ(n)}}
•  Proof
If a b_i ≡ a b_j then by Law B, b_i ≡ b_j (so the a b_i are distinct mod n)
Since 1 = gcd(b_i, n) = gcd(a, n) then gcd(a b_i, n) = 1
so a b_i ≡ b_{j_i} for {j_1, …, j_{ϕ(n)}} = {1, …, ϕ(n)}
Euler’s Theorem (cont’d)
•  By Law A and Lemma
(a b_1)(a b_2) ⋅⋅⋅ (a b_{ϕ(n)}) ≡ b_1 b_2 ⋅⋅⋅ b_{ϕ(n)}
so a^{ϕ(n)} b_1 ⋅⋅⋅ b_{ϕ(n)} ≡ b_1 ⋅⋅⋅ b_{ϕ(n)}
•  By Law B
a^{ϕ(n)} ≡ 1 mod n
Taking Powers mod n by “Repeated
Squaring”
•  Problem: Compute a^e mod b
e = e_k e_{k−1} ⋅⋅⋅ e_1 e_0 (binary representation)
[1] X ← 1
[2] for i = k, k−1, …, 0 do
    begin
      X ← X² mod b
      if e_i = 1 then X ← X a mod b
    end
output X = ∏_{i=0}^{k} a^{e_i 2^i} = a^{∑ e_i 2^i} = a^e mod b
Taking Powers mod n by “Repeated
Squaring” (cont’d)
•  Time Cost: O(k) mults and additions mod b, k = # bits of e
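An added example, not code from the slides: the repeated-squaring loop written exactly as steps [1] and [2] above, a count of the modular multiplications it performs, and a brute-force ϕ(n) used to confirm Euler's theorem (and Fermat's little theorem for prime n) on small inputs. The function names are this example's own.

```python
# Added example (not from the slides): left-to-right repeated squaring
# exactly as in steps [1]-[2], plus a brute-force phi(n) used to check
# Euler's theorem (and Fermat's, for prime n).
from math import gcd

def pow_mod(a, e, b):
    """Compute a^e mod b, scanning the bits e_k ... e_0 of e from the top."""
    if e < 0:
        raise ValueError("exponent must be nonnegative")
    bits = bin(e)[2:]            # "e_k e_{k-1} ... e_0" (bin(0) gives "0")
    X = 1 % b                    # [1] X <- 1 (reduced, so b == 1 gives 0)
    for bit in bits:             # [2] for i = k, k-1, ..., 0
        X = (X * X) % b          #     X <- X^2 mod b
        if bit == "1":           #     if e_i = 1
            X = (X * a) % b      #        X <- X a mod b
    return X

def mult_count(e):
    """Number of modular multiplications the loop performs: one squaring per
    bit plus one multiply per 1-bit, i.e. O(k) for a k-bit exponent."""
    bits = bin(e)[2:]
    return len(bits) + bits.count("1")

def phi(n):
    """Euler's phi by the slides' definition: count of integers in
    {1, ..., n-1} relatively prime to n (brute force, fine for small n)."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)

def euler_holds(a, n):
    """True iff a^phi(n) == 1 (mod n). Euler's theorem guarantees this
    whenever gcd(a, n) = 1; it can fail otherwise."""
    return pow_mod(a, phi(n), n) == 1

if __name__ == "__main__":
    print(pow_mod(4, 13, 497), pow(4, 13, 497))            # 445 445
    print(mult_count(13))                                    # 13 = 1101b: 4 squarings + 3 multiplies
    print(phi(12), euler_holds(5, 12), euler_holds(2, 12))   # 4 True False
```

The hypothesis gcd(a, n) = 1 matters: euler_holds(2, 12) is False even though euler_holds(5, 12) is True, which is why RSA's correctness theorem below restricts M to be relatively prime to n.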
Rivest, Shamir, Adleman (RSA)
Encryption Algorithm
•  M = integer message
e = “encryption integer” for user A
•  Cryptogram
C = E(M) = M^e mod n
Rivest, Shamir, Adleman (RSA)
Encryption Algorithm (cont’d)
•  Method
(1) Choose large random primes p, q; let n = p ⋅ q
(2) Choose large random integer d relatively prime to ϕ(n) = ϕ(p) ⋅ ϕ(q) = (p−1) ⋅ (q−1)
(3) Let e be the multiplicative inverse of d modulo ϕ(n): e ⋅ d ≡ 1 mod ϕ(n)
(require e > log n, else try another d)
Rivest, Shamir, Adleman (RSA)
Encryption Algorithm (cont’d)
•  Theorem
If M is relatively prime to n, and D(x) = x^d (mod n), then
D(E(M)) ≡ E(D(M)) ≡ M
Rivest, Shamir, Adleman (RSA)
Encryption Algorithm (cont’d)
•  Proof
D(E(M)) ≡ E(D(M)) ≡ M^{e⋅d} mod n
There must ∃ k > 0 s.t. 1 = gcd(d, ϕ(n)) = −k ϕ(n) + d e
So M^{e⋅d} ≡ M^{k ϕ(n)+1} mod n
Since (p−1) divides ϕ(n), M^{k ϕ(n)+1} ≡ M mod p
Rivest, Shamir, Adleman (RSA)
Encryption Algorithm (cont’d)
•  (by Euler’s Theorem: gcd(M, p) = 1 gives M^{p−1} ≡ 1 mod p)
By Symmetry, M^{k ϕ(n)+1} ≡ M (mod q)
Hence M^{ed} ≡ M^{k ϕ(n)+1} ≡ M mod n
So M^{ed} ≡ M mod n
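An added example, not code from the slides: the RSA method steps (1) to (3) run with small constructed primes, the encryption and decryption maps, a check of the theorem D(E(M)) ≡ E(D(M)) ≡ M, and the k > 0 from the proof with e⋅d = kϕ(n) + 1. The primes 61 and 53 are toy values chosen for this example, and the inverse in step (3) comes from Python's built-in pow(x, -1, m) (Python 3.8 or later).

```python
# Added example (not from the slides): RSA steps (1)-(3) with small,
# constructed primes, the encrypt/decrypt functions, and a check of the
# theorem D(E(M)) == E(D(M)) == M together with the k from the proof.
# Inverses come from Python's pow(x, -1, m), which needs Python 3.8+.
from math import gcd
import random

def rsa_keygen(p, q, rng=random):
    """(1) n = p*q  (2) random d relatively prime to phi(n) = (p-1)(q-1)
    (3) e = inverse of d modulo phi(n); retry until e > log2(n), as the
    slides require. p and q are supplied (constructed, not generated)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    while True:
        d = rng.randrange(2, phi_n)
        if gcd(d, phi_n) != 1:
            continue                      # d must be relatively prime to phi(n)
        e = pow(d, -1, phi_n)             # e*d == 1 (mod phi(n))
        if e > n.bit_length():            # require e > log n, else try another d
            return n, e, d

def encrypt(M, e, n):
    """C = E(M) = M^e mod n."""
    return pow(M, e, n)

def decrypt(C, d, n):
    """D(C) = C^d mod n."""
    return pow(C, d, n)

def theorem_holds(M, e, d, n):
    """D(E(M)) == E(D(M)) == M (the slides assume gcd(M, n) = 1)."""
    return decrypt(encrypt(M, e, n), d, n) == M and encrypt(decrypt(M, d, n), e, n) == M

def proof_k(e, d, phi_n):
    """The k > 0 from the proof: e*d = k*phi(n) + 1."""
    if (e * d - 1) % phi_n != 0:
        raise ValueError("e*d is not 1 modulo phi(n)")
    return (e * d - 1) // phi_n

if __name__ == "__main__":
    p, q = 61, 53                               # constructed toy primes
    n, e, d = rsa_keygen(p, q, random.Random(7))
    M = 65
    C = encrypt(M, e, n)
    print(n, e, d, C, decrypt(C, d, n))
    print(theorem_holds(M, e, d, n), proof_k(e, d, (p - 1) * (q - 1)))
```

With the fixed pair e = 17, d = 2753 for n = 3233 (ϕ(n) = 3120), the message 65 encrypts to 2790 and k = 15; the security slide that follows starts from exactly this quantity, e⋅d − 1 = kϕ(n).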
Security of RSA Cryptosystem
•  Theorem
If d can be computed in polynomial time, then n can be factored in polynomial time
•  Proof
e ⋅ d − 1 is a multiple of φ(n)
But Miller has shown n can be factored from any multiple of φ(n)
Security of RSA Cryptosystem (cont’d)
If can find d' s.t. M^{d'} ≡ M^d mod n
⇒ d' differs from d by a multiple of lcm(p−1, q−1)
⇒ so can factor n.
(lcm is the “least common multiple”)
Rabin’s Public Key Crypto System
•  Use private large primes p, q
public key n = q p
message M
cryptogram M² mod n
•  Theorem
If cryptosystem can be broken, then can factor key n
Rabin’s Public Key Crypto System
(cont’d)
•  Proof
α = M² mod n has solutions M = γ, β, n−γ, n−β where β ∉ {γ, n−γ}
But then γ² − β² = (γ − β)(γ + β) ≡ 0 mod n
So either (1) p | (γ − β) and q | (γ + β)
or (2) q | (γ − β) and p | (γ + β)
•  In either case, two independent solutions for M give factorization of n,
i.e., a factor of n is gcd(n, γ − β).
Rabin’s Public Key Crypto System
(cont’d)
•  Rabin’s Algorithm for factoring n, given a way to break his cryptosystem.
Choose random β, 1 < β < n s.t. gcd(β, n) = 1
let α = β² mod n
find M s.t. M² ≡ α mod n by assumed way to break cryptosystem
with probability ≥ 1/2, M ∉ {β, n−β}
⇒ so factors of n are found
else repeat with another β
Note: Expected number of rounds is 2
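An added example, not code from the slides, covering the two Rabin slides above: it enumerates the four square roots γ, β, n−γ, n−β of a cryptogram M² mod n, shows that gcd(n, γ − β) is a factor of n, and runs Rabin's reduction with the "way to break the cryptosystem" played by a root finder that knows p and q. It assumes p ≡ q ≡ 3 (mod 4), so that a square root mod p is α^{(p+1)/4}; the slides do not fix p and q mod 4, and the primes 7, 11, 1019 and 1031 are constructed for this example.

```python
# Added example (not from the slides): the four square roots of a Rabin
# cryptogram, the factor gcd(n, gamma - beta) they expose, and Rabin's
# reduction run against a root-finding oracle that holds the secret p, q.
from math import gcd
import random

def rabin_encrypt(M, n):
    """Cryptogram M^2 mod n."""
    return (M * M) % n

def sqrt_mod_prime(alpha, p):
    """Square root mod a prime p == 3 (mod 4): alpha^((p+1)/4).
    (Assumption made for this example; the slides don't fix p, q mod 4.)"""
    if p % 4 != 3:
        raise ValueError("p must be 3 mod 4 for this root formula")
    r = pow(alpha, (p + 1) // 4, p)
    if (r * r) % p != alpha % p:
        raise ValueError("alpha is not a quadratic residue mod p")
    return r

def all_square_roots(alpha, p, q):
    """The solutions gamma, beta, n-gamma, n-beta of M^2 == alpha (mod n),
    assembled with the Chinese Remainder Theorem from roots mod p and mod q."""
    n = p * q
    rp, rq = sqrt_mod_prime(alpha, p), sqrt_mod_prime(alpha, q)
    cp = q * pow(q, -1, p)      # cp == 1 mod p, 0 mod q
    cq = p * pow(p, -1, q)      # cq == 0 mod p, 1 mod q
    roots = {(s1 * rp * cp + s2 * rq * cq) % n for s1 in (1, -1) for s2 in (1, -1)}
    return sorted(roots)

def factor_from_two_roots(n, gamma, beta):
    """gamma^2 == beta^2 (mod n) with beta not in {gamma, n-gamma}: then
    gcd(n, gamma - beta) is a factor of n (the slides' argument).
    Returns None when the two roots are the trivial pair +/-gamma."""
    g = gcd(n, gamma - beta)
    return g if 1 < g < n else None

def rabin_factor(n, oracle, rng=random):
    """Rabin's algorithm: random beta coprime to n, ask the oracle for a
    root M of beta^2 mod n; with probability >= 1/2 M is not +/-beta and
    gcd(n, M - beta) factors n. Returns (factor, rounds used)."""
    rounds = 0
    while True:
        rounds += 1
        beta = rng.randrange(2, n)
        if gcd(beta, n) != 1:
            continue
        M = oracle(rabin_encrypt(beta, n))
        f = factor_from_two_roots(n, M, beta)
        if f is not None:
            return f, rounds

if __name__ == "__main__":
    p, q = 7, 11                                     # constructed toy primes, n = 77
    print(all_square_roots(rabin_encrypt(2, 77), p, q))   # [2, 9, 68, 75]
    print(factor_from_two_roots(77, 9, 2))           # 7
    big_p, big_q = 1019, 1031                        # constructed, both 3 mod 4
    oracle = lambda alpha: all_square_roots(alpha, big_p, big_q)[0]
    print(rabin_factor(big_p * big_q, oracle))       # (1019 or 1031, rounds)
```

The oracle returns the smallest of the four roots, so for a random β it hands back ±β only half the time, which is where the expected two rounds on the slide come from; the same gcd that finishes the reduction is why anyone holding a decryption capability for this system can also recover p and q.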
Quadratic Residues
a is a quadratic residue of n if x² ≡ a mod n has a solution
Euler:
If n is an odd prime and gcd(a, n) = 1, then
a is a quadratic residue of n iff a^{(n−1)/2} ≡ 1 mod n
Jacobi Function
J(a, n) =  1 if gcd(a, n) = 1 and a is a quadratic residue of n
          −1 if gcd(a, n) = 1 and a is not a quadratic residue of n
           0 if gcd(a, n) ≠ 1
Jacobi Function (cont’d)
•  Gauss’s Quadratic Reciprocity Law
if p, q are odd primes, J(p, q) ⋅ J(q, p) = (−1)^{(p−1)(q−1)/4}
•  Rivest Algorithm
J(a, n) =  1 if a = 1
           J(a/2, n) ⋅ (−1)^{(n²−1)/8} if a even
           J(n mod a, a) ⋅ (−1)^{((a−1)/2)((n−1)/2)} else
Jacobi Function (cont’d)
•  Theorem (Fermat)
n > 2 is prime iff ∃x, 1 < x < n,
(1) x^{n−1} ≡ 1 mod n
(2) x^i ≢ 1 mod n for all i ∈ {1, 2, …, n−2}
Theorem: Primes are in NP
•  Proof
input n
n = 2 ⇒ output "prime"
n = 1 or (n even and n > 2) ⇒ output "composite"
else guess x to verify Fermat's Theorem
Check (1) x^{n−1} ≡ 1 mod n
To verify (2) guess prime factorization of n−1 = n_1 ⋅ n_2 ⋅⋅⋅ n_k
(a) recursively verify each n_i prime
(b) verify x^{(n−1)/n_i} ≢ 1 mod n
Theorem & Primes NP (cont’d)
•  Note
if x^{n−1} ≡ 1 mod n, the least y s.t. x^y ≡ 1 mod n must divide n−1.
If y < n−1 then y divides (n−1)/n_i for some prime factor n_i of n−1;
let a = (n−1)/(y n_i), so 1 ≡ x^{ya} = x^{(n−1)/n_i} mod n.
Hence checking (b) for every n_i suffices for (2).
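An added example, not code from the slides: a verifier for the certificate the NP proof above guesses. A certificate maps each prime to its witness x and the prime factorization of that prime minus one; the verifier checks (1), the factorization, and (a) and (b) recursively, with 2 as the base case. The certificate for 101 (x = 2, 100 = 2²·5²) is constructed for this example, as is the bogus one for 91.

```python
# Added example (not from the slides): verifying the guessed certificate
# from the "Primes are in NP" proof. cert maps a prime to (x, prime factors
# of prime-1); 2 needs no entry. Every check is exactly one line of the proof.

def verify_prime_certificate(n, cert):
    """True iff the certificate proves n prime by the slides' argument."""
    if n == 2:
        return True                                  # n = 2 => "prime"
    if n == 1 or n % 2 == 0:
        return False                                 # n = 1 or even n > 2 => "composite"
    if n not in cert:
        return False                                 # nothing was guessed for n
    x, factors = cert[n]
    if not 1 < x < n:
        return False
    if pow(x, n - 1, n) != 1:                        # (1) x^(n-1) == 1 mod n
        return False
    prod = 1
    for f in factors:
        prod *= f
    if prod != n - 1:                                # guessed factorization of n-1
        return False
    for f in set(factors):
        if not verify_prime_certificate(f, cert):    # (a) each n_i really is prime
            return False
        if pow(x, (n - 1) // f, n) == 1:             # (b) x^((n-1)/n_i) != 1 mod n
            return False
    return True

# Constructed sample certificates for this example.
CERT_101 = {101: (2, [2, 2, 5, 5]), 5: (2, [2, 2])}          # 100 = 2^2 * 5^2, x = 2
CERT_91 = {91: (3, [2, 3, 3, 5]), 5: (2, [2, 2]), 3: (2, [2])}  # 91 = 7 * 13 is composite

if __name__ == "__main__":
    print(verify_prime_certificate(101, CERT_101))   # True
    print(verify_prime_certificate(91, CERT_91))     # False: 3^30 == 1 mod 91
```

The certificate for 91 passes check (1) (3^90 ≡ 1 mod 91 because 3^6 ≡ 1) and the factorization check, and is rejected only by condition (b) at the factor 3, which is the step the Note above shows cannot be skipped.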
Primality Testing
•  Testing
wish to test if n is prime
technique W_n(a) = "a witness that n is composite"
W_n(a) = true ⇒ n composite
W_n(a) = false ⇒ don't know
•  Goal of Randomized Primality Testing
for random a ∈ {1, …, n−1}
n composite ⇒ Prob(W_n(a) true) > 1/2
So more than 1/2 of all a ∈ {1, …, n−1} are "witnesses to compositeness of n"
Primality Testing (cont’d)
•  Solovay & Strassen Primality Test (quadratic reciprocity law)
W_n(a) = (gcd(a, n) ≠ 1) or (J(a, n) ≢ a^{(n−1)/2} mod n)
   ↑ test if Gauss's Quadratic Reciprocity Law is violated
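An added example, not code from the slides, serving both the Jacobi Function slides and the Solovay–Strassen test: J(a, n) computed by the Rivest recursion above, checked against Euler's criterion and the brute-force quadratic-residue definition for prime n, then plugged into the witness W_n(a) and counted over all a for the composite 561 and the prime 101. The base case for a = 0 (J = 0) is added by this example so the recursion terminates when a and n share a factor; the function names are this example's own.

```python
# Added example (not from the slides): J(a, n) by the slides' recursion
# (Rivest algorithm), checked against Euler's criterion and the brute-force
# quadratic-residue definition for prime n, then used in the
# Solovay-Strassen witness W_n(a).
from math import gcd

def jacobi(a, n):
    """Rivest's recursion for J(a, n), n odd and positive. The a == 0 base
    case (J = 0, since then gcd(a, n) != 1 for n > 1) is added here so the
    recursion terminates when a and n share a factor."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    if a == 0:
        return 1 if n == 1 else 0
    if a == 1:
        return 1                                                    # J(1, n) = 1
    if a % 2 == 0:
        return jacobi(a // 2, n) * (-1) ** ((n * n - 1) // 8)       # a even
    return jacobi(n % a, a) * (-1) ** (((a - 1) // 2) * ((n - 1) // 2))  # reciprocity

def euler_criterion(a, p):
    """Euler: for an odd prime p and gcd(a, p) = 1, a is a quadratic residue
    iff a^((p-1)/2) == 1 (mod p); the other possible value is p - 1, i.e. -1."""
    r = pow(a, (p - 1) // 2, p)
    return 1 if r == 1 else -1 if r == p - 1 else 0

def is_quadratic_residue(a, n):
    """The definition: does x^2 == a (mod n) have a solution? (brute force)"""
    return any((x * x) % n == a % n for x in range(n))

def solovay_strassen_witness(n, a):
    """W_n(a) = gcd(a, n) != 1 or J(a, n) != a^((n-1)/2) (mod n)."""
    if gcd(a, n) != 1:
        return True
    return jacobi(a, n) % n != pow(a, (n - 1) // 2, n)

def witness_fraction(n):
    """Share of a in {1, ..., n-1} that witness n's compositeness."""
    return sum(solovay_strassen_witness(n, a) for a in range(1, n)) / (n - 1)

if __name__ == "__main__":
    print(jacobi(2, 7), jacobi(3, 7), jacobi(3, 9))                             # 1 -1 0
    print(solovay_strassen_witness(561, 2), solovay_strassen_witness(561, 5))   # False True
    print(witness_fraction(561), witness_fraction(101))                         # > 0.5, 0.0
```

For the Carmichael number 561 = 3·11·17, a = 2 is not a witness (2^280 ≡ 1 and J(2, 561) = 1) while a = 5 is, and well over half of all bases are witnesses, matching the Theorem of Solovay & Strassen that follows; for the prime 101 no base is a witness, as Euler's criterion guarantees.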
Definitions
Z*_n = set of all nonnegative numbers < n which are relatively prime to n.
generator g of Z*_n: such that for all x ∈ Z*_n there is i such that g^i ≡ x mod n
Theorem of Solovay & Strassen
•  Theorem
If n is composite, then |G| ≤ (n−1)/2
where G = {a | W_n(a mod n) false}
•  Proof
Case G ≠ Z*_n
⇒ G is a proper subgroup of Z*_n
⇒ |G| ≤ |Z*_n|/2 ≤ (n−1)/2
Theorem of Solovay & Strassen (cont’d)
Case G = Z*_n
Use Proof by Contradiction
so a^{(n−1)/2} ≡ J(a, n) mod n for all a relatively prime to n
Let n have prime factorization
n = p_1^{α_1} p_2^{α_2} ⋅⋅⋅ p_k^{α_k}, α_1 ≥ α_2 ≥ … ≥ α_k
Let g be a generator of Z*_{m_1} where m_1 = p_1^{α_1}
Theorem of Solovay & Strassen (cont’d)
•  Then by Chinese Remainder Theorem,
∃ unique a (mod n) s.t. a ≡ g mod m_1, a ≡ 1 mod (n/m_1)
•  Since a is relatively prime to n, a ∈ Z*_n
so a^{n−1} ≡ 1 mod n
and g^{n−1} ≡ 1 mod n
Theorem of Solovay & Strassen (cont’d)
Case α_1 ≥ 2.
Then the order of g in Z*_n is p_1^{α_1 − 1}(p_1 − 1) by known formula,
a contradiction since the order divides n−1 (but p_1 divides n, so p_1 cannot divide n−1).
Theorem of Solovay & Strassen (cont’d)
Case α_1 = α_2 = … = α_k = 1
Since n = p_1 ⋅⋅⋅ p_k,
J(a, n) = ∏_{i=1}^{k} J(a, p_i) = J(g, p_1) ⋅ ∏_{i=2}^{k} J(a, p_i)
Since a ≡ g mod p_i for i = 1, and a ≡ 1 mod p_i for i ≠ 1,
So J(a, n) = −1 mod n
since J(1, p_i) = 1 and J(g, p_1) = −1 (a generator of Z*_{p_1} is not a quadratic residue)
Theorem of Solovay & Strassen (cont’d)
We have shown J(a, n) ≡ −1 mod n, so J(a, n) ≡ −1 mod (n/m_1)
But by assumption a ≡ 1 mod (n/m_1), so a^{(n−1)/2} ≡ 1 mod (n/m_1)
Hence a^{(n−1)/2} ≢ J(a, n) mod (n/m_1),
a contradiction with Gauss's Law!
Miller
•  Miller’s Primality Test
W_n(a) = (gcd(a, n) ≠ 1)
or (a^{n−1} ≢ 1 mod n)
or gcd((a^{(n−1)/2^i} mod n) − 1, n) ≠ 1 for some i ∈ {1, …, k}
where k = max {i | 2^i divides n−1}
Miller (cont’d)
•  Theorem (Miller)
Assuming the extended RH, if n is composite, then W_n(a) holds for some a ∈ {1, 2, …, c log² n}
•  Miller’s Test assumes extended RH (not proved)
Miller – Rabin Randomized Primality Test
choose a random a ∈ {1, …, n−1}
test W_n(a)
•  Theorem
if n is composite then Prob(W_n(a) holds) > 1/2
⇒ gives another randomized, polytime algorithm for primality!
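An added example, not code from the slides, covering Miller's witness and the Miller–Rabin test above: W_n(a) is implemented clause by clause, with the gcd clause read as "gcd(a^{(n−1)/2^i} − 1, n) is a proper divisor of n" (a gcd equal to n merely says that power is 1 mod n and exposes nothing, and a prime n would otherwise have witnesses); whenever that clause fires, the divisor it found is returned as well, which is the factoring side effect the security slides attribute to Miller. The random test and the witness count on 561 and 101 are this example's own additions.

```python
# Added example (not from the slides): Miller's witness W_n(a) as stated
# on the slides, with the gcd clause read as "a proper factor of n" (a gcd
# equal to n only says that power is 1 mod n and yields nothing), the
# Miller-Rabin randomized test built on it, and the witness fraction.
from math import gcd
import random

def two_adic_split(m):
    """k = max{i : 2^i divides m}, together with the odd part m / 2^k."""
    k = 0
    while m % 2 == 0:
        m //= 2
        k += 1
    return k, m

def miller_witness(n, a):
    """Returns (is_witness, factor): W_n(a) holds if gcd(a, n) != 1,
    or a^(n-1) != 1 (mod n), or gcd(a^((n-1)/2^i) - 1, n) is a proper
    divisor of n for some i in 1..k. When the gcd clause fires it also
    hands back that divisor, the 'Miller can factor' side effect."""
    g = gcd(a, n)
    if g != 1:
        return True, (g if 1 < g < n else None)
    if pow(a, n - 1, n) != 1:
        return True, None
    k, _ = two_adic_split(n - 1)
    for i in range(1, k + 1):
        g = gcd(pow(a, (n - 1) >> i, n) - 1, n)
        if 1 < g < n:
            return True, g
    return False, None

def miller_rabin(n, rounds=20, rng=random):
    """Randomized test: declare composite on any witness among `rounds`
    random bases, otherwise 'probably prime' (error below 2^-rounds, since
    more than half of the bases witness a composite n)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(1, n)
        if miller_witness(n, a)[0]:
            return False
    return True

def miller_witness_fraction(n):
    """Share of a in {1, ..., n-1} for which W_n(a) holds."""
    return sum(miller_witness(n, a)[0] for a in range(1, n)) / (n - 1)

if __name__ == "__main__":
    print(miller_witness(561, 2))                   # (True, 33): 561 = 33 * 17
    print(miller_witness(7, 3))                     # (False, None)
    print(miller_rabin(561), miller_rabin(101))     # False True
    print(miller_witness_fraction(561))             # > 0.5
```

For 561 the base 2 passes the Fermat clause (2^560 ≡ 1) but 2^140 is a nontrivial square root of 1, and gcd(2^140 − 1, 561) = 33 splits n; this is the same mechanism as the Rabin square-root argument, now driven by the 2-adic structure of n−1 instead of an oracle.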