CS 4803 If a, N are integers with N > 0 then there are unique - PowerPoint PPT Presentation



CS 4803 Computer and Network Security
Alexandra (Sasha) Boldyreva

Very basic number theory

• Let Z = {..., -2, -1, 0, 1, 2, ...} denote the set of integers. Let Z+ = {1, 2, ...} denote the set of positive integers and N = {0, 1, 2, ...} the set of non-negative integers.
• If a, N are integers with N > 0 then there are unique integers r, q such that a = Nq + r and 0 ≤ r < N.
• We associate to any positive integer N the following two sets:
  Z_N = {0, 1, ..., N-1}
  Z_N^* = {i ∈ Z : 1 ≤ i ≤ N-1 and gcd(i, N) = 1} (the integers relatively prime to N)

Groups

• Def. Let G be a non-empty set and let · denote a binary operation on G. We say that G is a group if it has the following properties:
  1. Closure: For every a, b ∈ G it is the case that a · b is also in G.
  2. Associativity: For every a, b, c ∈ G it is the case that (a · b) · c = a · (b · c).
  3. Identity: There exists an element 1 ∈ G such that a · 1 = 1 · a = a for all a ∈ G.
  4. Invertibility: For every a ∈ G there exists a unique b ∈ G such that a · b = b · a = 1. This b is called the inverse of a, denoted a^-1.
• Fact. Let N be a positive integer. Then Z_N is a group under addition modulo N, and Z_N^* is a group under multiplication modulo N.
• In any group, we can define an exponentiation operation:
  if i = 0 then a^i is defined to be 1,
  if i > 0 then a^i = a · a · ... · a (i times),
  if i < 0 then a^i = a^-1 · a^-1 · ... · a^-1 (j = -i times).
• For all a ∈ G and all i, j ∈ Z:
  a^(i+j) = a^i · a^j
  (a^i)^j = a^(ij)
  a^-i = (a^i)^-1 = (a^-1)^i

Subgroups and orders

• The order of a group is its size.
• If G is a group, a set S ⊆ G is called a subgroup if it is a group in its own right, under the same operation as that under which G is a group.
• Fact. Let G be a group and let S be a subgroup of G. Then the order of S divides the order of G.
• Fact. Let G be a group and let m = |G| be its order. Then a^m = 1 for all a ∈ G.
• Fact. Let G be a group and let m = |G| be its order. Then a^i = a^(i mod m) for all a ∈ G and all i ∈ Z.
• Example. Let us work in the group Z_21^* = {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20} under the operation of multiplication modulo 21. Here m = 12, so
  5^86 mod 21 = 5^(86 mod 12) mod 21 = 5^2 mod 21 = 25 mod 21 = 4.

Algorithms and their running times

• Since in cryptography we will be working with BIG numbers, the complexity of algorithms taking numbers as inputs is measured as a function of the bit-length of the numbers.
• E.g. PrintInBinary(A), where A = 2^k, takes k operations.

Some basic algorithms (input → output; running time)

• INT-DIV: a, N (N > 0) → (q, r) with a = Nq + r and 0 ≤ r < N; O(|a| · |N|)
• MOD: a, N (N > 0) → a mod N; O(|a| · |N|)
• EXT-GCD: a, b ((a, b) ≠ (0, 0)) → (d, a', b') with d = gcd(a, b) = aa' + bb'; O(|a| · |b|)
• MOD-ADD: a, b, N (a, b ∈ Z_N) → (a + b) mod N; O(|N|)
• MOD-MULT: a, b, N (a, b ∈ Z_N) → ab mod N; O(|N|^2)
• MOD-INV: a, N (a ∈ Z_N^*) → b ∈ Z_N^* with ab ≡ 1 (mod N); O(|N|^2)
• MOD-EXP: a, n, N (a ∈ Z_N) → a^n mod N; O(|n| · |N|^2)
• EXP_G: a, n (a ∈ G) → a^n ∈ G; 2|n| G-operations
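The algorithms of the table above on small integers, as an added example (not code from the slides): EXT-GCD, MOD-INV built on it, MOD-EXP by square-and-multiply, and the slide's shortcut of reducing the exponent modulo the order of Z_N^*, checked against the 5^86 mod 21 example.

```python
# Added example: basic number-theoretic algorithms from the lecture table.
from math import gcd


def ext_gcd(a, b):
    """EXT-GCD: return (d, a', b') with d = gcd(a, b) = a*a' + b*b'."""
    if b == 0:
        return (a, 1, 0)
    d, x, y = ext_gcd(b, a % b)
    # gcd(b, a mod b) = b*x + (a - (a//b)*b)*y = a*y + b*(x - (a//b)*y)
    return (d, y, x - (a // b) * y)


def mod_inv(a, n):
    """MOD-INV: b in Z_N^* with a*b = 1 (mod N); fails if gcd(a, N) != 1."""
    d, x, _ = ext_gcd(a, n)
    if d != 1:
        raise ValueError(f"{a} is not in Z_{n}^*, so it has no inverse")
    return x % n


def mod_exp(a, e, n):
    """MOD-EXP by square-and-multiply: |e| squarings plus at most |e|
    multiplications, each a MOD-MULT of cost O(|N|^2)."""
    result, base = 1, a % n
    while e > 0:
        if e & 1:               # current low bit of the exponent set?
            result = (result * base) % n
        base = (base * base) % n
        e >>= 1
    return result


def z_star(n):
    """Z_N^* = {i : 1 <= i <= N-1 and gcd(i, N) = 1}."""
    return [i for i in range(1, n) if gcd(i, n) == 1]


def exp_via_order(a, e, n):
    """a^e mod N computed as a^(e mod m), m = |Z_N^*| (a^m = 1 for a in Z_N^*)."""
    m = len(z_star(n))
    return mod_exp(a, e % m, n)
```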

Cyclic groups and generators

• If g ∈ G is any member of the group, the order of g is defined to be the least positive integer n such that g^n = 1. We let <g> = {g^i : i ∈ Z_n} = {g^0, g^1, ..., g^(n-1)} denote the set of group elements generated by g. This is a subgroup of order n.
• Def. An element g of the group is called a generator of G if <g> = G, or, equivalently, if its order is m = |G|.
• Def. A group is cyclic if it contains a generator.
• If g is a generator of G, then for every a ∈ G there is a unique integer i ∈ Z_m such that g^i = a. This i is called the discrete logarithm of a to base g, and we denote it by DLog_{G,g}(a).
• DLog_{G,g}(a) is a function that maps G to Z_m, and moreover this function is a bijection.
• The function from Z_m to G defined by i → g^i is called the discrete exponentiation function.

• Example. Let p = 11. Then Z_11^* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} has order p - 1 = 10. We find the subgroups generated by group elements 2 and 5. We raise them to the powers 0, ..., 9.

  i           0  1  2  3  4   5  6  7  8  9
  2^i mod 11  1  2  4  8  5  10  9  7  3  6
  5^i mod 11  1  5  3  4  9   1  5  3  4  9

  <2> = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} = Z_11^*
  <5> = {1, 3, 4, 5, 9}
  2 is a generator and thus Z_11^* is cyclic.

  a                     1  2  3  4  5  6  7  8  9  10
  DLog_{Z_11^*,2}(a)    0  1  8  2  4  9  7  3  6   5

Squares and non-squares

• Def. An element a of a group G is called a square, or quadratic residue, if it has a square root, meaning there is some b ∈ G such that b^2 = a in G.
• We let QR(G) = {g ∈ G : g is a quadratic residue in G}.
• We are mostly interested in the case where the group G is Z_N^* for some integer N.
• Defs. An integer a is called a square mod N or quadratic residue mod N if a mod N is a member of QR(Z_N^*). If b^2 ≡ a (mod N) then b is called a square root of a mod N. An integer a is called a non-square mod N or quadratic non-residue mod N if a mod N is a member of Z_N^* \ QR(Z_N^*).
• Def. Let p be a prime. Define the Legendre symbol of a as
  J_p(a) = 1 if a is a square mod p,
  J_p(a) = 0 if a mod p = 0,
  J_p(a) = -1 otherwise.

Choosing cyclic groups and generators

• The discrete log function is conjectured to be one-way (hard to compute) for some cyclic groups G. Due to this fact we often seek cyclic groups.
• Examples of cyclic groups:
  Z_p^* for a prime p,
  a group of prime order.
• We will also need generators. There are efficient algorithms that allow us to choose generators.

• Example. QR(Z_11^*)?

  a           1  2  3  4  5  6  7  8  9  10
  a^2 mod 11  1  4  9  5  3  3  5  9  4   1

  QR(Z_11^*) = {1, 3, 4, 5, 9}

  Recall that Z_11^* is cyclic and 2 is a generator.

  a                     1   2  3  4  5   6   7   8  9  10
  DLog_{Z_11^*,2}(a)    0   1  8  2  4   9   7   3  6   5
  J_11(a)               1  -1  1  1  1  -1  -1  -1  1  -1

• Fact. A generator is always a non-square. (But not all non-squares are generators.)
• Fact. |QR(Z_p^*)| = (p - 1)/2 (about half of the elements are squares).

Facts. Let p ≥ 3 be a prime. Then

• for any a ∈ Z_p^*: J_p(a) ≡ a^((p-1)/2) (mod p)
• for any generator g of Z_p^*: g^((p-1)/2) ≡ -1 (mod p)
• for any a, b ∈ Z_p^*: J_p(ab mod p) = J_p(a) · J_p(b)
• for any generator g of Z_p^* and any x, y ∈ Z_(p-1): J_p(g^(xy) mod p) = 1 if and only if J_p(g^x mod p) = 1 or J_p(g^y mod p) = 1

Groups of prime order

• Def. An element h of a group G is called non-trivial if it is not equal to the identity element of the group.
• Fact. Any non-trivial member of a group of prime order is a generator of the group.
• Fact. Let q ≥ 3 be a prime such that p = 2q + 1 is also prime. Then QR(Z_p^*) is a group of prime order q. Furthermore, if g is any generator of Z_p^*, then g^2 mod p is a generator of QR(Z_p^*).

• Example. Let q = 5 and p = 2q + 1 = 11.
  QR(Z_11^*) = {1, 3, 4, 5, 9}
  We know that 2 is a generator of Z_11^*.
  Let's verify that 4 = 2^2 is a generator of QR(Z_11^*):

  i           0  1  2  3  4
  4^i mod 11  1  4  5  9  3
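The material on generators, discrete logarithms, quadratic residues and the Legendre symbol (the slides on cyclic groups through the prime-order example), as an added example that is not code from the lecture: it builds <g>, the DLog table, QR(Z_p^*) and J_p via Euler's criterion, and checks the facts above on the slides' p = 11 = 2·5 + 1.

```python
# Added example: generators, DLog, quadratic residues and J_p in Z_p^*.
from math import gcd


def z_star(p):
    """Z_p^* = {i : 1 <= i <= p-1 and gcd(i, p) = 1}."""
    return [i for i in range(1, p) if gcd(i, p) == 1]


def generated_subgroup(g, p):
    """<g> = {g^0, g^1, ..., g^(n-1)} mod p, where n is the order of g."""
    if gcd(g, p) != 1:
        raise ValueError(f"{g} is not in Z_{p}^*")
    elems, x = [], 1
    while True:
        elems.append(x)
        x = (x * g) % p
        if x == 1:              # back at the identity: order reached
            return elems


def is_generator(g, p):
    """g generates Z_p^* iff its order equals |Z_p^*|."""
    return len(generated_subgroup(g, p)) == len(z_star(p))


def dlog_table(g, p):
    """DLog_{Z_p^*,g}: maps a = g^i to i; a bijection onto Z_m when g generates."""
    m = len(z_star(p))
    return {pow(g, i, p): i for i in range(m)}


def quadratic_residues(p):
    """QR(Z_p^*) = {b^2 mod p : b in Z_p^*}; has (p-1)/2 elements for prime p."""
    return sorted({(b * b) % p for b in z_star(p)})


def legendre(a, p):
    """J_p(a) by Euler's criterion: a^((p-1)/2) mod p is 1, p-1 (= -1) or 0."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def qr_generator(g, p):
    """For a safe prime p = 2q+1 and generator g of Z_p^*, g^2 generates QR(Z_p^*)."""
    return (g * g) % p
```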
