Greatest Common Divisor: The Euclidean Algorithm



  1. Eike Ritter, Cryptography 2013/14

     Greatest Common Divisor

     Definition: Let $a, b \in \mathbb{Z}$ with $a \neq 0$ and $b \neq 0$. The greatest common divisor of $a$ and $b$, written $\gcd(a, b)$, is the largest positive integer that divides both numbers without remainder.

     The Euclidean Algorithm

     Let $a$ and $b$ be two integers such that $a > 0$ and $b > 0$. Then the following algorithm computes integers $x$ and $y$ such that

     $$\gcd(a, b) = x \cdot a + y \cdot b$$

     Calculate $a_i, b_i, x_{i,1}, x_{i,2}, y_{i,1}, y_{i,2}$ for $i \geq 0$ such that

     $$a_i = x_{i,1} \cdot a + x_{i,2} \cdot b$$
     $$b_i = y_{i,1} \cdot a + y_{i,2} \cdot b$$

     as follows:

     $$a_0 = a = 1 \cdot a + 0 \cdot b$$
     $$b_0 = b = 0 \cdot a + 1 \cdot b$$

     Repeatedly do the following calculation:

     If $a_i = 0$, then $b_i$ is the greatest common divisor, and $b_i = y_{i,1} \cdot a + y_{i,2} \cdot b$ is the desired equation.

     If $b_i = 0$, then $a_i$ is the greatest common divisor, and $a_i = x_{i,1} \cdot a + x_{i,2} \cdot b$ is the desired equation.

     If $a_i > b_i$, let $q = a_i \text{ div } b_i$ and

     $$a_{i+1} = a_i - q \cdot b_i$$
     $$x_{i+1,1} = x_{i,1} - q \cdot y_{i,1}$$
     $$x_{i+1,2} = x_{i,2} - q \cdot y_{i,2}$$

     The case $a_i \leq b_i$ is symmetric.

     Theorem: Let $x \in \mathbb{Z}_n$. $x$ has an inverse in $\mathbb{Z}_n$ if and only if $\gcd(x, n) = 1$.

  2. Definition: We call the function $\varphi$, which assigns to an integer $n$ the number of invertible elements in $\mathbb{Z}_n^*$, Euler's Totient function.

     Examples ($p$, $q$ prime):

     $$\varphi(p) = p - 1$$
     $$\varphi(p \cdot q) = (p - 1) \cdot (q - 1)$$

     Theorem: Let $n \in \mathbb{N}$ and $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$. Then we have $a^{\varphi(n)} \equiv 1 \pmod{n}$.

     Theorem: Let $m, n \in \mathbb{Z}$ with $\gcd(m, n) = 1$. Then for any given $a, b \in \mathbb{Z}$ there exists an $x \in \mathbb{Z}$ such that

     $$x \equiv a \pmod{m} \quad \text{and} \quad x \equiv b \pmod{n}$$

     Moreover, every solution $x$ is congruent modulo $m \cdot n$. In other words, the solution $x \in \mathbb{Z}_{mn}$ is unique.

     IND-CPA secure public-key encryption

     Several possibilities to achieve IND-CPA secure public-key encryption.

     First possibility: add suitable padding (PKCS) to RSA.

     [Figure: padding diagram; labels: msg, 01, 00···0, rand, H, G, X, Y, plaintext for encryption]

     Second possibility: encrypt a random number rather than the message ($H$ is a hash function).

     Encryption: choose random $r$. The ciphertext is $(E_{pubKey}(r),\ H(r) \oplus m)$.

     Decryption: Given $(c_1, c_2)$, compute the message as $H(D_{privKey}(c_1)) \oplus c_2$.

     Intuitively: IND-CPA is satisfied because the attacker cannot decrypt $c_1$, hence the second component looks like a one-time pad.

     Formal proof surprisingly difficult: it requires new ideas.

  3. Finding Prime numbers

     Usual way: pick a number at random and check whether it is prime.

     Several tests for primality of $n$ are available.

     First one: Fermat's test

         for i := 0 to k − 1 do
           Pick a ∈ {2, ..., n − 1}
           if a^(n−1) ≢ 1 (mod n) then return ("n is a composite")
         end
         return ("n is probably prime")

     Fermat's test yields some false positives.

     Some are eliminated by a refinement: the Miller-Rabin test.

     Let $n - 1 = 2^r \cdot s$.

         for i := 0 to k − 1 do
           Pick a ∈ {1, ..., n − 1}
           if a^s ≢ 1 (mod n) then
             if a^(2^j · s) ≢ −1 (mod n) for every j from 0 to r − 1 then
               return ("n is a composite")
             end
           end
         end
         return ("n is probably prime")
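Fermat's test and the Miller-Rabin refinement above, run side by side on numbers that fool Fermat's test. This is an added example, not code from the original slides; the function names, the fixed bases and the sample numbers 561 and 341 are constructed here, and `n` is assumed odd and greater than 2 in `miller_rabin_test`.

```python
import random

def fermat_test(n, bases):
    """Fermat's test: report composite if some base has a^(n-1) != 1 (mod n)."""
    for a in bases:
        if pow(a, n - 1, n) != 1:
            return False              # "n is a composite"
    return True                       # "n is probably prime"

def miller_rabin_test(n, bases):
    """Miller-Rabin for odd n > 2, with n - 1 = 2^r * s and s odd."""
    r, s = 0, n - 1
    while s % 2 == 0:
        r, s = r + 1, s // 2
    for a in bases:
        x = pow(a, s, n)              # a^s mod n
        if x == 1 or x == n - 1:
            continue                  # this base is consistent with n being prime
        for _ in range(r - 1):        # x runs through a^(2^j * s), j = 1 .. r-1
            x = pow(x, 2, n)
            if x == n - 1:
                break                 # reached -1: consistent with n being prime
        else:
            return False              # a^s was not 1 and no power gave -1: composite
    return True

def is_probable_prime(n, k=20, rng=random.SystemRandom()):
    """k rounds of Miller-Rabin with random bases, plus small-n edge cases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return miller_rabin_test(n, [rng.randrange(2, n - 1) for _ in range(k)])

# Constructed inputs: 561 = 3 * 11 * 17 is a Carmichael number, so Fermat's
# test accepts it for every base coprime to 561; 341 = 11 * 31 fools base 2.
CARMICHAEL, COPRIME_BASES = 561, [2, 5, 7, 13]

if __name__ == "__main__":
    print("Fermat, 561:", fermat_test(CARMICHAEL, COPRIME_BASES))
    print("Miller-Rabin, 561:", miller_rabin_test(CARMICHAEL, [2]))
    print("Miller-Rabin, 2^127 - 1:", is_probable_prime(2**127 - 1))
```

For key generation the bases must come from a cryptographically secure source, which is why `is_probable_prime` defaults to `random.SystemRandom`.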
