Number Theory for Cryptography - PowerPoint PPT Presentation



  1. Number Theory for Cryptography
     Cryptography and Applications (密碼學與應用)
     Department of Computer Science and Engineering, National Taiwan Ocean University (海洋大學資訊工程系)
     丁培毅

  2. Congruence
     Modulo operation:
       Question: What is 12 mod 9?
       Answer: 12 mod 9 = 3, or 12 ≡ 3 (mod 9) ("12 is congruent to 3 modulo 9")
     Definition: Let a, r, m ∈ ℤ (where ℤ is the set of all integers) and m > 0.
       We write a ≡ r (mod m) if m divides a − r (i.e. m | a − r).
       m is called the modulus; r is called the remainder, with 0 ≤ r < m and a = q · m + r.
     Example: a = 42 and m = 9: 42 = 4 · 9 + 6, therefore 42 ≡ 6 (mod 9)

  3. Greatest Common Divisor
     The GCD of a and b is the largest positive integer dividing both a and b; written gcd(a, b) or (a, b).
       ex. gcd(6, 4) = 2, gcd(5, 7) = 1
     Euclidean algorithm: at each step the remainder becomes the new divisor and the divisor becomes the new dividend; the quotient is ignored.
       ex. gcd(482, 1180). Why does it work? Let d = gcd(482, 1180).
         1180 = 2 · 482 + 216    d | 482 and d | 1180 ⇒ d | 216, because 216 = 1180 − 2 · 482
         482 = 2 · 216 + 50      d | 216 and d | 482 ⇒ d | 50
         216 = 4 · 50 + 16       d | 50 and d | 216 ⇒ d | 16
         50 = 3 · 16 + 2         d | 16 and d | 50 ⇒ d | 2
         16 = 8 · 2 + 0          2 | 16, so the gcd is the last nonzero remainder: d = 2

  4. Greatest Common Divisor (cont'd)
     Euclidean algorithm: calculating gcd(1180, 482) (輾轉相除法, the successive-division layout of the slide)
         dividend   divisor   quotient   remainder
         1180       482       2          216      (2 · 482 = 964)
         482        216       2          50       (2 · 216 = 432)
         216        50        4          16       (4 · 50 = 200)
         50         16        3          2        (3 · 16 = 48)
         16         2         8          0        (8 · 2 = 16)

  5. Greatest Common Divisor (cont'd)
     Def: a and b are relatively prime if gcd(a, b) = 1.
     Theorem: Let a and b be two integers, with at least one of a, b nonzero, and let d = gcd(a, b). Then there exist integers x, y with gcd(x, y) = 1 such that a · x + b · y = d.
     Constructive proof: use the Extended Euclidean Algorithm to find x and y. Here
         216 = 1180 − 2 · 482
         50 = 482 − 2 · 216
         16 = 216 − 4 · 50
         d = 2 = 50 − 3 · 16 = (482 − 2 · 216) − 3 · (216 − 4 · 50) = ··· = 1180 · (−29) + 482 · 71
       i.e. a · x + b · y with a = 1180, x = −29, b = 482, y = 71.

  6. Extended Euclidean Algorithm
     Let gcd(a, b) = d. We look for s and t with gcd(s, t) = 1 such that a · s + b · t = d.
     When d = 1, t ≡ b⁻¹ (mod a).
     Ex. (a = 1180, b = 482):
         a = q₁ · b + r₁      1180 = 2 · 482 + 216   ⇒ 1180 − 2 · 482 = 216
         b = q₂ · r₁ + r₂     482 = 2 · 216 + 50     ⇒ 482 − 2 · (1180 − 2 · 482) = 50
                                                     ⇒ −2 · 1180 + 5 · 482 = 50
         r₁ = q₃ · r₂ + r₃    216 = 4 · 50 + 16      ⇒ (1180 − 2 · 482) − 4 · (−2 · 1180 + 5 · 482) = 16
                                                     ⇒ 9 · 1180 − 22 · 482 = 16
         r₂ = q₄ · r₃ + d     50 = 3 · 16 + 2        ⇒ (−2 · 1180 + 5 · 482) − 3 · (9 · 1180 − 22 · 482) = 2
                                                     ⇒ −29 · 1180 + 71 · 482 = 2
         r₃ = q₅ · d + 0      16 = 8 · 2 + 0
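The back-substitution on this slide carried out in code, as an added example that is not part of the original slides: every remainder is kept as s · a + t · b, so when the remainder reaches 0 the previous row holds gcd(a, b) and the Bézout coefficients. Function names are my own.

```python
def ext_gcd_trace(a, b):
    """Extended Euclidean algorithm with the slide's bookkeeping.

    Every remainder r_i is carried along as r_i = s_i*a + t_i*b, so when the
    remainder reaches 0 the previous row holds d = gcd(a, b) together with s, t
    such that a*s + b*t = d.  Returns (d, s, t, rows), where rows lists
    (dividend, divisor, quotient, remainder) for each division step.
    """
    r0, s0, t0 = a, 1, 0       # a = 1*a + 0*b
    r1, s1, t1 = b, 0, 1       # b = 0*a + 1*b
    rows = []
    while r1 != 0:
        q = r0 // r1
        rows.append((r0, r1, q, r0 - q * r1))
        # r_{i+1} = r_{i-1} - q*r_i; the same update keeps s and t in step
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0, rows


def bezout(a, b):
    """(d, s, t) with a*s + b*t = d = gcd(a, b)."""
    d, s, t, _ = ext_gcd_trace(a, b)
    return d, s, t


if __name__ == "__main__":
    # Reproduces the slide's worked example gcd(1180, 482)
    d, s, t, rows = ext_gcd_trace(1180, 482)
    for dividend, divisor, q, r in rows:
        print(f"{dividend} = {q} * {divisor} + {r}")
    print(f"gcd = {d}: 1180 * ({s}) + 482 * ({t}) = {1180 * s + 482 * t}")
```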

  7. Greatest Common Divisor (cont'd)
     The above proves only the existence of integers x, y ∈ ℤ. How about gcd(x, y)?
         d = a · x + b · y with d = gcd(a, b)  ⇒  1 = a/d · x + b/d · y
       If gcd(x, y) = r, write x = x' · r and y = y' · r; then
         1 = a/d · (x' · r) + b/d · (y' · r), i.e. 1 = r · (a/d · x' + b/d · y'),
       which means that r | 1, i.e. r = 1. Hence gcd(x, y) = 1. ∎
     Note: gcd(x, y) = 1, but (x, y) is not unique, e.g. d = a · x + b · y = a · (x − k · b) + b · (y + k · a).

  8. Greatest Common Divisor (cont'd)
     Lemma: gcd(a, b) = gcd(x, y) = gcd(a, y) = gcd(x, b) = 1 ⇔ ∃ a, b, x, y s.t. 1 = a · x + b · y
     pf: (⇒) following the previous theorem.
         (⇐) Given a, b, z: if ∃ x, y with gcd(x, y) = 1 s.t. z = a · x + b · y, then gcd(a, b) | z (also gcd(a, y) | z and gcd(x, b) | z),
             since with d = gcd(a, b): d | a and d | b ⇒ d | a · x + b · y ⇒ d | z.
             In particular, given a, b, ∃ x, y s.t. 1 = a · x + b · y ⇒ gcd(a, b) | 1 ⇒ gcd(a, b) = 1.

  9. Operations under mod n
     Proposition: Let a, b, c, d, n be integers with n ≠ 0, and suppose a ≡ b (mod n) and c ≡ d (mod n). Then
         a + c ≡ b + d (mod n),  a − c ≡ b − d (mod n),  a · c ≡ b · d (mod n).
     Proposition: Let a, b, c, n be integers with n ≠ 0 and gcd(a, n) = 1. If a · b ≡ a · c (mod n) then b ≡ c (mod n).

  10. Operations under mod n
     What is the multiplicative inverse of a (mod n)? i.e. a · a⁻¹ ≡ 1 (mod n), or a · a⁻¹ = 1 + k · n. (This expression also implies gcd(a, n) = 1.)
       gcd(a, n) = 1 ⇒ ∃ s and t such that a · s + n · t = 1 ⇒ a⁻¹ ≡ s (mod n)
     a · x ≡ b (mod n) with gcd(a, n) = 1, x = ?
       x ≡ b · a⁻¹ ≡ b · s (mod n)
     a · x ≡ b (mod n) with gcd(a, n) = d > 1, x = ? Are there any solutions?
       If d | b: (a/d) · x ≡ (b/d) (mod n/d), where gcd(a/d, n/d) = 1, so x₀ ≡ (b/d) · (a/d)⁻¹ (mod n/d)
       ⇒ there are d solutions to the equation a · x ≡ b (mod n):
         x₀, x₀ + (n/d), …, x₀ + (d − 1) · (n/d) (mod n)
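The inverse and the d-solution case from this slide in code, as an added example that is not part of the original slides. It assumes Python 3.8+ and uses the built-in pow(a, -1, n), which returns the same s that the extended Euclidean algorithm yields; function names are my own.

```python
from math import gcd


def mod_inverse(a, n):
    """a^{-1} mod n, i.e. the s with a*s + n*t = 1, or None when gcd(a, n) != 1."""
    if gcd(a, n) != 1:
        return None                 # no inverse exists, as the slide states
    return pow(a, -1, n)            # Python 3.8+: modular inverse via extended Euclid


def solve_linear_congruence(a, b, n):
    """All solutions x in [0, n) of a*x = b (mod n), following the slide.

    d = gcd(a, n).  If d does not divide b there is no solution.  Otherwise
    divide through by d, invert a/d modulo n/d to get x0, and the d solutions
    are x0 + k*(n/d) for k = 0, ..., d-1.
    """
    d = gcd(a, n)
    if b % d != 0:
        return []
    a2, b2, n2 = a // d, b // d, n // d        # reduced congruence, gcd(a2, n2) = 1
    x0 = (b2 * mod_inverse(a2, n2)) % n2
    return [x0 + k * n2 for k in range(d)]


def check_solutions(a, b, n, xs):
    """True when every x in xs really satisfies a*x = b (mod n)."""
    return all((a * x - b) % n == 0 for x in xs)


if __name__ == "__main__":
    # gcd(6, 9) = 3 divides 3, so 6x = 3 (mod 9) has three solutions;
    # 3 does not divide 4, so 6x = 4 (mod 9) has none.
    print(solve_linear_congruence(6, 3, 9))   # [2, 5, 8]
    print(solve_linear_congruence(6, 4, 9))   # []
```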

  11. Matrix inversion under mod n
     A square matrix is invertible mod n if and only if its determinant and n are relatively prime.
     ex: in the real field ℝ:
         [ a  b ]⁻¹          1       [  d  −b ]
         [ c  d ]    =   ---------   [ −c   a ]
                          ad − bc
     In ℤ_n (integers mod n)? We need to find the inverse of ad − bc (mod n) in order to calculate the inverse of the matrix:
         [ a  b ]⁻¹                        [  d  −b ]
         [ c  d ]    ≡   (ad − bc)⁻¹  ·   [ −c   a ]   (mod n)
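The 2×2 adjugate formula from this slide in code, as an added example that is not part of the original slides: the inverse exists exactly when gcd(ad − bc, n) = 1, and a matrix that is invertible over ℝ can still have no inverse mod n. It assumes Python 3.8+ for pow(x, -1, n); function names are my own.

```python
from math import gcd


def det_2x2(M):
    (a, b), (c, d) = M
    return a * d - b * c


def inverse_2x2_mod(M, n):
    """Inverse of [[a, b], [c, d]] modulo n via the adjugate formula on the slide.

    The real-field factor 1/(ad - bc) becomes (ad - bc)^{-1} mod n, which exists
    only when gcd(ad - bc, n) = 1.  Returns None otherwise, i.e. when the matrix
    is not invertible mod n even though it may be invertible over the reals.
    """
    (a, b), (c, d) = M
    det = det_2x2(M) % n
    if gcd(det, n) != 1:
        return None
    det_inv = pow(det, -1, n)
    return [[(det_inv * d) % n, (det_inv * -b) % n],
            [(det_inv * -c) % n, (det_inv * a) % n]]


def mat_mul_mod(A, B, n):
    """Product of two square matrices with entries reduced mod n."""
    size = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(size)) % n
             for j in range(size)] for i in range(size)]


def is_inverse_pair(M, M_inv, n):
    """Check M * M_inv = I (mod n)."""
    size = len(M)
    identity = [[int(i == j) for j in range(size)] for i in range(size)]
    return mat_mul_mod(M, M_inv, n) == identity


if __name__ == "__main__":
    # det = -2: invertible over the reals, but gcd(-2 mod 26, 26) = 2, so not mod 26
    print(inverse_2x2_mod([[1, 2], [3, 4]], 26))   # None
    print(inverse_2x2_mod([[3, 3], [2, 5]], 26))   # [[15, 17], [20, 9]]
```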

  12. Group
     A group G is a finite or infinite set of elements and a binary operation ∘ which together satisfy:
       1. Closure (封閉性): ∀ a, b ∈ G, a ∘ b = c ∈ G
       2. Associativity (結合性): ∀ a, b, c ∈ G, (a ∘ b) ∘ c = a ∘ (b ∘ c)
       3. Identity (單位元素): ∃ 1 ∈ G such that ∀ a ∈ G, 1 ∘ a = a ∘ 1 = a
       4. Inverse (反元素): ∀ a ∈ G, ∃ a⁻¹ ∈ G such that a ∘ a⁻¹ = 1 = a⁻¹ ∘ a
     Abelian group (交換群): ∀ a, b ∈ G, a ∘ b = b ∘ a
     Cyclic group G of order m: a group defined by an element g ∈ G such that g, g², g³, …, gᵐ are all distinct elements of G (thus they cover all elements of G) and gᵐ = 1; here gᵏ means g ∘ g ∘ … ∘ g (k times). The element g is called a generator of G. Ex: ℤ_n (or ℤ/nℤ).

  13. Group (cont'd)
     The order of a group: the number of elements in a group G, denoted |G|. If the order of a group is a finite number, the group is said to be a finite group; note g^|G| = 1 (the identity element).
     The order of an element g of a finite group G is the smallest power m such that gᵐ = 1 (the identity element), denoted ord_G(g).
     ex: ℤ_n, the additive group modulo n, is the set {0, 1, …, n − 1}
         binary operation: + (mod n); size of ℤ_n is n; identity: 0 (g + g + … + g ≡ 0 (mod n)); inverse: −x ≡ n − x (mod n)
     ex: ℤ_n*, the multiplicative group modulo n, is the set {i : 0 < i < n, gcd(i, n) = 1}
         binary operation: · (mod n); size of ℤ_n* is φ(n), and g^φ(n) ≡ 1 (mod n); identity: 1; inverse: x⁻¹ can be found using the extended Euclidean algorithm

  14. Ring ℤ_m
     Definition: The ring ℤ_m consists of
       the set ℤ_m = {0, 1, 2, …, m − 1}, and
       two operations "+ (mod m)" and "· (mod m)" for all a, b ∈ ℤ_m, such that they satisfy the properties on the next slide.
     Example: m = 9, ℤ_9 = {0, 1, 2, 3, 4, 5, 6, 7, 8}
         6 + 8 = 14 ≡ 5 (mod 9)
         6 · 8 = 48 ≡ 3 (mod 9)
