Number Theory Algorithms

Number Theory Algorithms and
Cryptography Algorithms
Analysis of Algorithms
Prepared by
John Reif, Ph.D.
Number Theory Algorithms
a) GCD
b) Multiplicative Inverse
c) Fermat & Euler’s Theorems
d) Public Key Cryptographic Systems
e) Primality Testing
Number Theory Algorithms (cont’d)
• Main Reading Selections:
• CLR, Chapter 33
Euclid’s Algorithm
• Greatest Common Divisor
$\mathrm{GCD}(u, v)$ = largest $a$ s.t. $a$ is a divisor of both $u, v$
• Euclid’s Algorithm
procedure GCD(u, v)
begin
  if v = 0 then return(u)
  else return(GCD(v, u mod v))
Euclid’s Algorithm (cont’d)
• Inductive proof of correctness:
if $a$ is a divisor of $u, v$
$\Rightarrow a$ is a divisor of $u - \lfloor u/v \rfloor v = u \bmod v$
Euclid’s Algorithm (cont’d)
• Time Analysis of Euclid’s Algorithm for $n$ bit numbers $u, v$
$T(n) \le T(n-1) + M(n) = O(n\,M(n)) = O(n^2 \log n \log\log n)$
(where $M(n)$ = time to multiply two $n$ bit integers)
Euclid’s Algorithm (cont’d)
• Fibonacci worst case:
$u = F_k$, $v = F_{k+1}$
where $F_0 = 0$, $F_1 = 1$, $F_{k+2} = F_{k+1} + F_k$, $k \ge 0$
$F_k \approx \phi^k / \sqrt{5}$, $\phi = (1 + \sqrt{5})/2$
$\Rightarrow$ Euclid's Algorithm takes $\log_\phi(\sqrt{5}\,N) = O(n)$ stages when $N = \max(u, v)$.
Here $n$ = number of bits of $N$.
Euclid’s Algorithm (cont’d)
• Improved Algorithm
$T(n) \le T(n/2) + O(M(n)) = O(M(n) \log n)$
Extended GCD Algorithm
procedure ExGCD(u, v)
where u = (u1, u2, u3), v = (v1, v2, v3)
begin
  if v3 = 0 then return(u)
  else return ExGCD(v, u − ⌊u3 / v3⌋ · v)
Extended GCD Algorithm (cont’d)
• Theorem
$\mathrm{ExGCD}((1, 0, x), (0, 1, y)) = (x', y', \mathrm{GCD}(x, y))$
where $x x' + y y' = \mathrm{GCD}(x, y)$
• Proof
inductively can verify on each call
$x u_1 + y u_2 = u_3$
$x v_1 + y v_2 = v_3$
Extended GCD Algorithm (cont’d)
• Corollary
If $\gcd(x, y) = 1$ then $x'$ is the modular inverse of $x$ modulo $y$
• Proof
we must show $x x' \equiv 1 \pmod y$
but by previous Theorem,
$1 = x x' + y y' \equiv x x' \pmod y$
so $x x' \equiv 1 \pmod y$
Modular Laws
• Gives Algorithm for Modular Inverse!
• Modular Laws
for $n \ge 1$, let $x \equiv y$ mean $x \equiv y \pmod n$
Modular Laws (cont’d)
Law A: if $a \equiv b$ and $x \equiv y$ then $ax \equiv by$
Law B: if $a \equiv b$ and $ax \equiv by$ and $\gcd(a, n) = 1$ then $x \equiv y$
Modular Laws (cont’d)
let $\{a_1, \ldots, a_k\} \equiv \{b_1, \ldots, b_k\}$ if
$a_i \equiv b_{j_i}$ for $i = 1, \ldots, k$ and $\{j_1, \ldots, j_k\} = \{1, \ldots, k\}$
Fermat’s Little Theorem
• If $n$ prime then $a^n \equiv a \pmod n$
• Proof by Euler
if $a \equiv 0$ then $a^n \equiv 0 \equiv a$
else suppose $\gcd(a, n) = 1$
Then $x \equiv a y$ for $y = a^{-1} x$ and any $x$
so $\{a, 2a, \ldots, (n-1)a\} \equiv \{1, 2, \ldots, n-1\}$
Fermat’s Little Theorem (cont’d)
So by Law A,
$(a)(2a) \cdots ((n-1)a) \equiv 1 \cdot 2 \cdots (n-1)$
So $a^{n-1} (n-1)! \equiv (n-1)!$
So by Law B
$a^{n-1} \equiv 1 \pmod n$
Euler’s Theorem
• $\phi(n)$ = number of integers in $\{1, \ldots, n-1\}$ relatively prime to $n$
• Euler’s Theorem
If $\gcd(a, n) = 1$ then $a^{\phi(n)} \equiv 1 \pmod n$
• Proof
let $b_1, \ldots, b_{\phi(n)}$ be the integers $< n$ relatively prime to $n$
Euler’s Theorem (cont’d)
• Lemma
$\{b_1, \ldots, b_{\phi(n)}\} \equiv \{a b_1, a b_2, \ldots, a b_{\phi(n)}\}$
• Proof
If $a b_i \equiv a b_j$ then by Law B, $b_i \equiv b_j$
Since $1 = \gcd(b_i, n) = \gcd(a, n)$ then $\gcd(a b_i, n) = 1$
so for $\{j_1, \ldots, j_{\phi(n)}\} = \{1, \ldots, \phi(n)\}$, $a b_i \equiv b_{j_i}$
Euler’s Theorem (cont’d)
• By Law A and Lemma
$(a b_1)(a b_2) \cdots (a b_{\phi(n)}) \equiv b_1 b_2 \cdots b_{\phi(n)}$
so $a^{\phi(n)} b_1 \cdots b_{\phi(n)} \equiv b_1 \cdots b_{\phi(n)}$
• By Law B
$a^{\phi(n)} \equiv 1 \pmod n$
Taking Powers mod n by “Repeated Squaring”
• Problem: Compute $a^e \bmod b$
$e = e_k e_{k-1} \cdots e_1 e_0$ binary representation
[1] $X \leftarrow 1$
[2] for $i \leftarrow k, k-1, \ldots, 0$ do
begin
  $X \leftarrow X^2 \bmod b$
  if $e_i = 1$ then $X \leftarrow X a \bmod b$
end
output $X = a^{\sum_{i=0}^{k} e_i 2^i} = a^e \bmod b$
Taking Powers mod n by “Repeated Squaring” (cont’d)
• Time Cost
$O(k)$ mults and additions mod $b$, $k$ = # bits of $e$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm
• $M$ = integer message
$e$ = “encryption integer” for user A
• Cryptogram
$C \equiv E(M) \equiv M^e \bmod n$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Method
(1) Choose large random primes $p, q$; let $n = p \cdot q$
(2) Choose large random integer $d$ relatively prime to $\phi(n) = \phi(p) \cdot \phi(q) = (p-1) \cdot (q-1)$
(3) Let $e$ be the multiplicative inverse of $d$ modulo $\phi(n)$:
$e \cdot d \equiv 1 \pmod{\phi(n)}$
(require $e > \log n$, else try another $d$)
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Theorem
If $M$ is relatively prime to $n$, and $D(x) = x^d \pmod n$, then
$D(E(M)) \equiv E(D(M)) \equiv M$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• Proof
$D(E(M)) \equiv E(D(M)) \equiv M^{ed} \pmod n$
There must $\exists\, k \ge 0$ s.t. $1 = \gcd(d, \phi(n)) = -k\phi(n) + de$
So $M^{ed} \equiv M^{k\phi(n)+1} \pmod n$
Since $(p-1)$ divides $\phi(n)$, $M^{k\phi(n)+1} \equiv M \pmod p$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont’d)
• By Euler’s Theorem
By Symmetry, $M^{k\phi(n)+1} \equiv M \pmod q$
Hence $M^{ed} \equiv M^{k\phi(n)+1} \equiv M \pmod n$
So $M^{ed} \equiv M \pmod n$
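Added example (not the slides' code): the Method above in Python, choosing $d$ first and deriving $e = d^{-1} \bmod \phi(n)$ exactly as steps (1)-(3) say, then checking the Theorem $D(E(M)) \equiv E(D(M)) \equiv M$. The primes 61 and 53 are a constructed toy pair; Python's `pow(d, -1, phi)` supplies the extended-GCD inverse.

```python
import math
import random

def rsa_keygen(p, q, seed=None):
    """Key generation as in the slide's Method: n = p*q, pick a random d
    coprime to phi(n) = (p-1)(q-1), set e = d^-1 mod phi(n), and retry
    unless e > log n.  p and q must be distinct primes (not checked here)."""
    rng = random.Random(seed)
    n = p * q
    phi = (p - 1) * (q - 1)               # phi(n) = phi(p) * phi(q)
    while True:
        d = rng.randrange(2, phi)
        if math.gcd(d, phi) != 1:
            continue                      # need d relatively prime to phi(n)
        e = pow(d, -1, phi)               # e*d = 1 mod phi(n)
        if e > math.log2(n):              # slide: require e > log n, else new d
            return n, e, d

def encrypt(m, e, n):
    return pow(m, e, n)                   # C = E(M) = M^e mod n

def decrypt(c, d, n):
    return pow(c, d, n)                   # D(x) = x^d mod n

def theorem_holds(n, e, d, m):
    """D(E(M)) = E(D(M)) = M, the RSA correctness theorem of the slides,
    for a message M relatively prime to n."""
    return decrypt(encrypt(m, e, n), d, n) == m == encrypt(decrypt(m, d, n), e, n)

if __name__ == "__main__":
    # Constructed toy primes; real keys use primes of hundreds of digits.
    n, e, d = rsa_keygen(61, 53, seed=7)
    print(n, e, d, theorem_holds(n, e, d, 65))
```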
Security of RSA Cryptosystem
• Theorem
If can compute $d$ in polynomial time, then can factor $n$ in polynomial time
• Proof
$e \cdot d - 1$ is a multiple of $\phi(n)$
But Miller has shown can factor $n$ from any multiple of $\phi(n)$
Security of RSA Cryptosystem (cont’d)
If can find $d'$ s.t. $M^{d'} \equiv M^d \pmod n$
$\Rightarrow d'$ differs from $d$ by a multiple of $\mathrm{lcm}(p-1, q-1)$
$\Rightarrow$ so can factor $n$.
(lcm is the "least common multiple")
Rabin’s Public Key Crypto System
• Use private large primes $p, q$
public key $n = q \cdot p$
message $M$
cryptogram $M^2 \bmod n$
• Theorem
If cryptosystem can be broken, then can factor key $n$
Rabin’s Public Key Crypto System
(cont’d)
• Proof
$\beta \equiv M^2 \pmod n$ has solutions $M \equiv \alpha, \alpha', n-\alpha, n-\alpha'$
where $\alpha' \notin \{\alpha, n-\alpha\}$
But then $\alpha^2 - \alpha'^2 \equiv (\alpha - \alpha')(\alpha + \alpha') \equiv 0 \pmod n$
So either (1) $p \mid (\alpha - \alpha')$ and $q \mid (\alpha + \alpha')$
or (2) $q \mid (\alpha - \alpha')$ and $p \mid (\alpha + \alpha')$
• In either case, two independent solutions for $M$ give factorization of $n$,
i.e., a factor of $n$ is $\gcd(n, \alpha - \alpha')$.
Rabin’s Public Key Crypto System
(cont’d)
• Rabin’s Algorithm for factoring $n$, given a way to break his cryptosystem.
Choose random $\alpha$, $1 \le \alpha < n$ s.t. $\gcd(\alpha, n) = 1$
let $\beta \equiv \alpha^2 \pmod n$
find $M$ s.t. $M^2 \equiv \beta \pmod n$ by assumed way to break cryptosystem
with probability $\ge 1/2$, $M \notin \{\alpha, n-\alpha\}$
$\Rightarrow$ so factors of $n$ are found
else repeat with another $\alpha$
Note: Expected number of rounds is 2
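Added example (not from the slides) of the reduction in the Theorem and Algorithm above: the factor-extraction step $\gcd(n, \alpha - M)$ and Rabin's repeat-until-success loop. The "assumed way to break the cryptosystem" is stood in for by a brute-force square-root search that only works for the constructed toy modulus $n = 11 \cdot 19$; no such oracle is known for real key sizes, which is the point of the Theorem.

```python
import math
import random

def factor_from_roots(n, alpha, m):
    """Slide's Theorem: two square roots alpha, m of the same beta mod n with
    m not in {alpha, n - alpha} satisfy (alpha - m)(alpha + m) = 0 mod n, so
    gcd(n, alpha - m) is a proper factor.  Returns None for a trivial pair."""
    if (alpha * alpha - m * m) % n != 0:
        raise ValueError("alpha and m are not square roots of the same value")
    g = math.gcd(n, abs(alpha - m))
    return g if 1 < g < n else None

def toy_sqrt_oracle(n, beta, rng):
    """Stand-in for the 'assumed way to break the cryptosystem': a brute-force
    search returning one random square root of beta mod n.  Feasible only for
    the tiny constructed modulus used below."""
    roots = [m for m in range(1, n) if (m * m) % n == beta]
    return rng.choice(roots)

def rabin_factor(n, sqrt_oracle, seed=None):
    """Rabin's algorithm from the slide: pick random alpha coprime to n, ask the
    oracle for a root of alpha^2 mod n, and succeed when the root is not +-alpha
    (probability >= 1/2 per round, so 2 rounds expected)."""
    rng = random.Random(seed)
    rounds = 0
    while True:
        rounds += 1
        alpha = rng.randrange(1, n)
        if math.gcd(alpha, n) != 1:
            continue
        beta = (alpha * alpha) % n
        m = sqrt_oracle(n, beta, rng)
        g = factor_from_roots(n, alpha, m)
        if g is not None:                     # m not in {alpha, n - alpha}
            return g, n // g, rounds
        # else: repeat with another alpha

if __name__ == "__main__":
    n = 11 * 19                               # constructed toy key n = p*q
    print(rabin_factor(n, toy_sqrt_oracle, seed=3))
```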
Quadratic Residues
$a$ is quadratic residue of $n$ if $x^2 \equiv a \pmod n$ has solution
Euler:
If $n$ is odd, prime and $\gcd(a, n) = 1$, then
$a$ is quadratic residue of $n$ iff $a^{(n-1)/2} \equiv 1 \pmod n$
Jacobi Function
$J(a, n) = \begin{cases} 1 & \text{if } \gcd(a, n) = 1 \text{ and } a \text{ is quadratic residue of } n \\ -1 & \text{if } \gcd(a, n) = 1 \text{ and } a \text{ is not quadratic residue of } n \\ 0 & \text{if } \gcd(a, n) \ne 1 \end{cases}$
Jacobi Function (cont’d)
• Gauss’s Quadratic Reciprocity Law
if $p, q$ are odd primes,
$J(p, q) \cdot J(q, p) = (-1)^{(p-1)(q-1)/4}$
• Rivest Algorithm
$J(a, n) = \begin{cases} 1 & \text{if } a = 1 \\ J(a/2, n) \cdot (-1)^{(n^2 - 1)/8} & \text{if } a \text{ even} \\ J(n \bmod a, a) \cdot (-1)^{\frac{a-1}{2} \cdot \frac{n-1}{2}} & \text{else} \end{cases}$
Jacobi Function (cont’d)
• Theorem (Fermat)
$n \ge 2$ is prime iff $\exists x$, $1 \le x < n$:
(1) $x^{n-1} \equiv 1 \pmod n$
(2) $x^i \not\equiv 1 \pmod n$ for all $i \in \{1, 2, \ldots, n-2\}$
Theorem: Primes are in NP
• Proof
input $n$
$n = 2 \Rightarrow$ output "prime"
$n = 1$ or ($n$ even and $n \ne 2$) $\Rightarrow$ output "composite"
else guess $x$ to verify Fermat's Theorem
Check (1) $x^{n-1} \equiv 1 \pmod n$
To verify (2) guess prime factorization of $n - 1 = n_1 \cdot n_2 \cdots n_k$
(a) recursively verify each $n_i$ prime
(b) verify $x^{(n-1)/n_i} \not\equiv 1 \pmod n$
Theorem & Primes NP (cont’d)
• Note
if $x^{n-1} \equiv 1 \pmod n$, the least $y$ s.t. $x^y \equiv 1 \pmod n$ must divide $n - 1$.
So $x^{ya} \equiv 1 \pmod n$ for every integer $a$; if $y \ne n-1$ then $y$ divides $(n-1)/n_i$ for some $n_i$,
so let $a = (n-1)/(y\, n_i)$ and $1 \equiv x^{ya} = x^{(n-1)/n_i} \pmod n$, which (b) rules out.
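Added example (not the slides' code): a verifier for the certificate the NP proof guesses, following steps (1), (a) and (b) recursively, plus a brute-force certificate builder that makes the "guess" explicit for small $n$. The nested `(x, [(n_i, cert_i), ...])` layout is this example's own convention.

```python
def verify_prime(n, cert):
    """Deterministic check of the guesses made in the 'Primes are in NP' proof.
    cert = (x, factors) where factors lists (n_i, cert_i) with n_i repeated
    according to multiplicity, so that n - 1 = n_1 * n_2 * ... * n_k."""
    if n == 2:
        return True                              # n = 2 => "prime"
    if n < 2 or n % 2 == 0:
        return False                             # n = 1 or even n != 2 => "composite"
    x, factors = cert
    if not 1 <= x < n or pow(x, n - 1, n) != 1:  # (1) x^(n-1) = 1 mod n
        return False
    product = 1
    for p, _ in factors:
        product *= p
    if product != n - 1:                         # guessed factorization must multiply out
        return False
    for p, sub in factors:
        if not verify_prime(p, sub):             # (a) recursively verify n_i prime
            return False
        if pow(x, (n - 1) // p, n) == 1:         # (b) x^((n-1)/n_i) != 1 mod n
            return False
    return True

def make_cert(n):
    """Produce a certificate by brute force (the nondeterministic 'guess' made
    explicit); only sensible for small n.  Raises if n is not prime."""
    if n == 2:
        return (1, [])
    factors, m, p = [], n - 1, 2
    while p * p <= m:                            # trial-divide n - 1
        while m % p == 0:
            factors.append(p)
            m //= p
        p += 1
    if m > 1:
        factors.append(m)
    for x in range(2, n):                        # search for an x satisfying (1) and (b)
        if pow(x, n - 1, n) == 1 and all(pow(x, (n - 1) // q, n) != 1 for q in set(factors)):
            return (x, [(q, make_cert(q)) for q in factors])
    raise ValueError(f"{n} is not prime: no certificate exists")

if __name__ == "__main__":
    cert = make_cert(101)
    print(cert[0], verify_prime(101, cert))      # 2 True
```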
Primality Testing
• Testing
wish to test if $n$ is prime
technique: $W_n(a)$ = "$a$ is a witness that $n$ is composite"
$W_n(a)$ = true $\Rightarrow$ $n$ composite
$W_n(a)$ = false $\Rightarrow$ don't know
• Goal of Randomized Primality Testing
for random $a \in \{1, \ldots, n-1\}$,
$n$ composite $\Rightarrow \Pr(W_n(a) \text{ true}) > 1/2$
So $\ge 1/2$ of all $a \in \{1, \ldots, n-1\}$ are "witnesses to compositeness of $n$"
Primality Testing (cont’d)
• Solovay & Strassen Primality Test (via the quadratic reciprocity law)
$W_n(a) = (\gcd(a, n) \ne 1)$ or $J(a, n) \not\equiv a^{(n-1)/2} \pmod n$
$\Rightarrow$ test if Gauss's Quadratic Reciprocity Law is violated
Definitions
$Z_n^*$ = set of all nonnegative numbers $< n$ which are relatively prime to $n$.
generator $g$ of $Z_n^*$: such that for all $x \in Z_n^*$ there is $i$ such that $g^i \equiv x \pmod n$
Theorem of Solovay & Strassen
• Theorem
If $n$ is composite, then $|G| \le (n-1)/2$
where $G = \{a \mid W_n(a \bmod n) \text{ false}\}$
• Proof
Case $G \ne Z_n^*$
$\Rightarrow G$ is a subgroup of $Z_n^*$
$\Rightarrow |G| \le |Z_n^*| / 2 \le (n-1)/2$
Theorem of Solovay & Strassen (cont’d)
Case $G = Z_n^*$
Use Proof by Contradiction
so $a^{(n-1)/2} \equiv J(a, n) \pmod n$ for all $a$ relatively prime to $n$
Let $n$ have prime factorization
$n = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k}$, $\alpha_1 \ge \alpha_2 \ge \ldots \ge \alpha_k$
Let $g$ be a generator of $Z_{m_1}^*$ where $m_1 = p_1^{\alpha_1}$
Theorem of Solovay & Strassen (cont’d)
• Then by Chinese Remainder Theorem,
$\exists$ unique $a$ s.t. $a \equiv g \pmod{m_1}$ and $a \equiv 1 \pmod{n/m_1}$
• Since $a$ is relatively prime to $n$, $a \in Z_n^*$
so $a^{n-1} \equiv 1 \pmod n$ and hence $g^{n-1} \equiv a^{n-1} \equiv 1 \pmod{m_1}$
Theorem of Solovay & Strassen (cont’d)
Case $\alpha_1 \ge 2$.
Then order of $g$ in $Z_{m_1}^*$ is $p_1^{\alpha_1 - 1}(p_1 - 1)$ by known formula,
a contradiction since the order divides $n - 1$ (but $p_1$ divides $n$, so $p_1$ cannot divide $n - 1$).
Theorem of Solovay & Strassen (cont’d)
Case $\alpha_1 = \alpha_2 = \ldots = \alpha_k = 1$
Since $n = p_1 \cdots p_k$,
$J(a, n) = \prod_{i=1}^{k} J(a, p_i) = J(g, p_1) \cdot \prod_{i=2}^{k} J(a, p_i)$
Since $a \equiv g \pmod{p_i}$ for $i = 1$ and $a \equiv 1 \pmod{p_i}$ for $i \ne 1$,
$J(a, n) \equiv -1 \pmod n$, since $J(1, p_i) = 1$ and $J(g, p_1) = -1$
Theorem of Solovay & Strassen (cont’d)
We have shown $J(a, n) \equiv -1 \pmod n$
$\Rightarrow J(a, n) \equiv -1 \pmod{n/m_1}$
But by assumption $a \equiv 1 \pmod{n/m_1}$
so $a^{(n-1)/2} \equiv 1 \pmod{n/m_1}$
Hence $a^{(n-1)/2} \equiv 1 \not\equiv J(a, n) \pmod{n/m_1}$,
a contradiction with Gauss's Law!
Miller
• Miller’s Primality Test
$W_n(a) = (\gcd(a, n) \ne 1)$
or $(a^{n-1} \not\equiv 1 \pmod n)$
or $1 < \gcd(a^{(n-1)/2^i} \bmod n - 1,\ n) < n$ for some $i \in \{1, \ldots, k\}$
where $k = \max\{i \mid 2^i \text{ divides } n - 1\}$
Miller (cont’d)
• Theorem (Miller)
Assuming the extended RH, if $n$ is composite, then $W_n(a)$ holds for some $a \in \{1, 2, \ldots, c \log^2 n\}$
• Miller’s Test assumes extended RH (not proved)
Miller – Rabin Randomized Primality Test
choose a random $a \in \{1, \ldots, n-1\}$
test $W_n(a)$
• Theorem
if $n$ is composite then $\Pr(W_n(a) \text{ holds}) \ge 1/2$
$\Rightarrow$ gives another randomized, polytime algorithm for primality!
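Added example (not the slides' code) of Miller's witness $W_n(a)$ as defined above, used both in the Miller-Rabin randomized loop and in Miller's deterministic ERH variant. The slide leaves the constant $c$ in $c \log^2 n$ unspecified; the bound $2 \ln^2 n$ used in `miller_erh` is an assumption taken from Bach's bound, and the gcd clause tests for a proper factor of $n$ (strictly between 1 and $n$).

```python
import math
import random

def miller_witness(n, a):
    """W_n(a) from the slide for odd n > 2: a certifies n composite if gcd(a, n) != 1,
    or a^(n-1) != 1 mod n, or some gcd(a^((n-1)/2^i) mod n - 1, n) is a proper
    factor of n, for i = 1..k where 2^k is the largest power of two dividing n-1."""
    if math.gcd(a, n) != 1:
        return True
    if pow(a, n - 1, n) != 1:
        return True
    k, m = 0, n - 1
    while m % 2 == 0:                        # k = max{i : 2^i divides n-1}
        m //= 2
        k += 1
    for i in range(1, k + 1):
        g = math.gcd(pow(a, (n - 1) >> i, n) - 1, n)
        if 1 < g < n:                        # a nontrivial square root of 1 was exposed
            return True
    return False

def _trivial(n):
    """Handles n < 2, 2, 3 and even n before any witness test; None means 'test further'."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    return False if n % 2 == 0 else None

def miller_rabin(n, rounds=20, seed=None):
    """Miller-Rabin: random a in {1..n-1}; composite n is caught with prob >= 1/2 per round."""
    t = _trivial(n)
    if t is not None:
        return t
    rng = random.Random(seed)
    return not any(miller_witness(n, rng.randrange(1, n)) for _ in range(rounds))

def miller_erh(n):
    """Miller's deterministic test: try every a up to c*log^2 n (c = 2, natural
    log, assumed here after Bach); correct only under the extended RH."""
    t = _trivial(n)
    if t is not None:
        return t
    bound = min(n - 1, int(2 * math.log(n) ** 2) + 1)
    return not any(miller_witness(n, a) for a in range(1, bound + 1))

def count_witnesses(n):
    """How many a in {1, ..., n-1} witness that n is composite."""
    return sum(miller_witness(n, a) for a in range(1, n))
```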