Maths

COMS30002 : Mathematical Interlude
Elisabeth Oswald, Nigel Smart and Martijn Stam

Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom.
September 5, 2011
Elisabeth Oswald, Nigel Smart and Martijn Stam COMS30002 : Mathematical Interlude
Slide 1
Outline
Slide 2
A Quiz
The purpose is for you and me to nd out what you already know about basic number theory. Work with your neighbour(s) and discuss answers to the following questions: The factorisation problem is hard for all numbers. True or false? What is 16023843203210 mod 16023843203209? The xgcd is a new Xserver. True of false? What is the greatest common divisor of two numbers? The modular inverse of a number is a real number. True or false?
Slide 3
Modular Arithmetic
Modular arithmetic is fundamental to modern public key cryptosystems. Given integers a, b, N Z we say that a is congruent to b modulo N ab (mod N) iff N divides b a.
Often we are lazy and just write a b if it is clear we are working modulo N. The modulo operator is like the C-operator %. Example: 16 1 (mod 5) since 16 1 = 3 5.
Slide 4
Modular Arithmetic
For convenience we dene the set (Z/NZ) = {0, . . . , N 1}, which is the set of remainders modulo N. Note: some authors use ZN = (Z/NZ). It is clear that given N, every integer a Z is congruent modulo N to an element in the set Z/NZ, since we can write a = q N + r, with 0 r < N and clearly a r (mod N).
Slide 5
Modular Arithmetic
The set Z/NZ has two operations dened on it. Addition
Ex. (11 + 13) (mod 16) 24 (mod 16) 143 (mod 16) 8 (mod 16) 15 (mod 16). (mod 16).
Multiplication
Ex. (11 13)
Theorems: Given integers a, b Z we have (a + b) (a b) (a b) (mod N) [(a (mod N) [(a (mod N) [(a (mod N)) + (b (mod N)) (b (mod N)) (b (mod N))] (mod N))] (mod N))] (mod N) (mod N) (mod N)
Slide 6
Multiplicative Inverse
The multiplicative inverse of a Z/NZ is an element b Z/NZ with a b b a 1. We often write b = a1 . Theorem: a Z/NZ has a unique inverse modulo N iff a and N are relatively prime, i.e. gcd(a, N) = 1. If p is a prime then every non-zero element in Z/pZ has an inverse. Note 1/3 (mod 5) = 2 it does not equal 0.3333
Decimals should never exist
Slide 7
Multiplicative Inverse - Examples
Consider Z/NZ with N = 10, then 3 has a multiplicative inverse, since gcd(3, 10) = 1.
Indeed, 3 7 21 1 (mod 10).
5 has no multiplicative inverse, since gcd(5, 10) = 5.

Indeed, we have the following table
050 155 250 355 450
(mod 10) (mod 10) (mod 10) (mod 10) (mod 10)
555 650 755 850 955
(mod 10) (mod 10) (mod 10) (mod 10) (mod 10)
Slide 8
Greatest Common Divisor (GCD)

We need a method to determine when a Z/NZ has a multiplicative inverse and compute it when it does. We know this happens iff gcd(a, N) = 1. Therefore we need to compute the GCD of two integers a, b Z. This is easy if we know the prime factorization of a and b, since a= pii and b = pii d = gcd(a, b) = pi
min(i ,i )
However, factoring is a very expensive operation, so we cannot use the above formula. A much faster algorithm to compute GCDs is Euclids algorithm.
Slide 9
GCD - Euclidean Algorithm

To compute the GCD of r0 = a and r1 = b we compute r0 = q1 r1 + r2 r1 = q2 r2 + r3 . . . . . . rm2 = qm1 rm1 + rm rm1 = qm rm
If d divides a and b then d divides r2 , r3 , r4 and so on. Therefore gcd(a, b) = gcd(r0 , r1 ) = gcd(r1 , r2 ) = = gcd(rm1 , rm ) = rm
Slide 10
GCD - Euclidean Algorithm - Example

As an example of this algorithm we want to show that 3 = gcd(21, 12). Using the Euclidean algorithm we compute gcd(21, 12) as gcd(21, 12) = gcd(21 = gcd(12 = gcd(3, 9) = gcd(9 (mod 3), 3) = gcd(0, 3) = 3. (mod 12), 12) (mod 9), 9)
= gcd(9, 12)
Slide 11
GCD - Extended Euclidean Algorithm

Using the Euclidean algorithm, we can determine when a has an inverse modulo N, i.e. iff gcd(a, N) = 1. But we do not know yet how to compute the inverse. Solution: use an extended version of the Euclidean algorithm. Recall that during the Euclidean algorithm we had ri2 = qi1 ri1 + ri and nally rm = gcd(r0 , r1 ). Now we unwind the above and write each ri , i 2 in terms of a and b.
Slide 12
GCD - Extended Euclidean Algorithm

Unwinding the various steps in the Euclidean algorithm gives: r2 = r0 q1 r1 = a q1 b r3 = r1 q2 r2 = b q2 (a q1 b) = q2 a + (1 + q1 q2 )b . . . . . . ri2 = si2 a + ti2 b ri1 = si1 a + ti1 b ri = ri2 qi1 ri1 = a(si2 qi1 si1 ) + b(ti2 qi1 ti1 ) . . . . . . rm = sm a + tm b The XGCD takes as input a and b and outputs sm , tm , rm such that rm = gcd(a, b) = sm a + tm b.
Elisabeth Oswald, Nigel Smart and Martijn Stam COMS30002 : Mathematical Interlude Slide 13
XGCD - Multiplicative Inverse

Given a, N Z we can compute d, x, y using XGCD such that d = gcd(a, N) = x a + y N. Considering the above equation modulo N we get d x a+y N (mod N) x a (mod N).
Thus if d = 1 then a has a multiplicative inverse given by a1 x (mod N).
Remark: the more general equation a x b (mod N) has precisely d = gcd(a, N) solutions iff d divides b.
Slide 14
Euler Phi Function (N)
The number of integers in Z/NZ which are relatively prime to N is given by (N). (N) is called the Euler Phi function of N. We know that an element a Z/NZ has a multiplicative inverse modulo N iff gcd(a, N) = 1. Therefore, there are precisely (N) invertible elements in Z/NZ.
Slide 15
Formula for (N)

Given the prime factorization of N, i.e.
n
N=
i=1
piei
we can compute (N) using the following formula:

n
(N) =
i=1
piei 1 (pi 1).
The most important cases for cryptography are: If p is prime then (p) = p 1. If p and q are both prime and p = q then (p q) = (p 1)(q 1).
Modular Arithmetic
1) Addition is closed : a, b Z/NZ : a + b Z/NZ. 2) Addition is associative : a, b, c Z/NZ : (a + b) + c a + (b + c). 3) 0 is an additive identity : a Z/NZ : a + 0 0 + a a. 4) The additive inverse always exists : a Z/NZ : a + (N a) (N a) + a 0. 5) Addition is commutative : a, b Z/NZ : a + b b + a.
Modular Arithmetic
6) Multiplication is closed : a, b Z/NZ : a b Z/NZ. 8) Multiplication is associative : a, b, c Z/NZ : (a b) c a (b c). 9) 1 is a multiplicative identity : a Z/NZ : a 1 1 a a. 7) Mutliplication is commutative : a, b Z/NZ : a b b a. 10) Multiplication distributes over addition : a, b, c Z/NZ : (a + b) c a c + b c.
Groups
A group (G, ) consists of a set G and an operation , satisfying Associativity: a, b, c G : a (b c) = (a b) c. Identity element: 1 G, a G : a 1 = 1 a = a. Every element has inverse element: a G, a1 G : a a1 = a1 a = 1. The group G is called commutative or Abelian if a, b G : a b = b a.
Groups - Examples
Integers / Reals / Complexes under addition. The identity is 0, the inverse of x is x. Non-Zero Real / Non-zero Rationals under multiplication. The identity is 1, the inverse of x is x 1 . These are all examples of innite Abelian groups. Questions: Why are the integers not a group under multiplication ? Why do we say non-zero real numbers above ?
Slide 20
Modular Arithmetic
Going back to our 10 properties of modular arithmetic we see Properties 1-4 say that Z/NZ is a group with respect to addition. Property 5 says that the group Z/NZ is abelian. Properties 1-10 say that Z/NZ is a ring. Other rings you have seen before are the integers, reals and complexes. These are all innite rings, whereas Z/NZ is a nite ring.
Slide 21
Lagranges Theorem
The order of an element a of a group (G, ) is the smallest positive integer t such that at = 1. Lagranges Theorem If G is a group of order (size) n = #G then for all a G we have an = 1.
Corollary: the order t of an element a G divides n = #G. So if a (Z/NZ) then a(N) 1 #(Z/NZ) = (N). (mod N), since
Slide 22
Fermats Little Theorem
This is not to be confused with Fermats Last Theorem . . . Fermats Little Theorem Suppose p is a prime and a F then p ap a (mod p).
Fermats Little Theorem is a special case of Lagranges Theorem. This will be the basis of one of our primality tests.
Slide 23
Fields
A eld is a set with two operations (G, +, ) such that (G, +) is an abelian group with identity denoted by 0. (G \ {0}, ) is an abelian group with identity denoted by 1. (G, +, ) satises the distributive law. Distributive law: for all a, b, c G a (b + c) = (a b) + (a c).
Examples Rational numbers, real numbers, complex numbers.
Slide 24
Fields
We dene the set of invertible elements of Z/NZ as (Z/NZ) = {a Z/NZ : gcd(a, N) = 1}. The set (Z/NZ) is always a group with respect to multiplication and clearly has size (N). When N is a prime p we have (Z/NZ) = {1, . . . , p 1}. We dene the sets Fp = Z/pZ = {0, . . . , p 1} and F = (Z/pZ) = {1, . . . , p 1}. p
We call Fp a nite eld of characteristic p. Finite elds are of central importance in coding theory and cryptography.
Characteristic Two Fields

Of particular interest are elds of char 2. Take an irreducible binary polynomial f of degree n and let F2n denote all the binary polynomials of degree < n. Addition in F2n is dened as ab =a+b (mod 2) Note this means a = a. Multiplication in F2n is dened as ab =ag (mod f ). Inversion is performed by a variant of the Euclidean algorithm for polynomials.
Slide 26
Characteristic Two Fields
Often write F2n = F2 [x]/f to denote working modulo f . Set of non-zero elements denoted by Fn 2 This is the multiplicative subgroup of the eld
Slide 27
Char 2 Example
Let f = x 6 + x + 1 (this is irreducible) The nite eld of 26 elements can then be identied with Bit strings of length six bits Binary polynomials of degree less than or equal to ve a = 001101 = x 3 + x 2 + 1 b = 101011 = x 5 + x 3 + x + 1 a b = 100110 = x 5 + x 2 + x Since the two x 3 and the two 1 terms cancel, as we are working mod two. Notice, we are simply taking the exclusive-or of the bit string representation.
Slide 28
Char 2 Example
Recap f = x 6 + x + 1, a = 001101 = x 3 + x 2 + 1, b = 101011 = x 5 + x 3 + x + 1. Since f is sparse reduction mod f done using rewriting, as x 6 = x + 1 (mod f ), a b = (x 3 + x 2 + 1) (x 5 + x 3 + x + 1) = x8 + x7 + x6 + x4 + x3 + x2 + x + 1 = x 6 (x 2 + x + 1) + x 4 + x 3 + x 2 + x + 1 = (x + 1) (x 2 + x + 1) + x 4 + x 3 + x 2 + x + 1 = (x 3 + 1) + (x 4 + x 3 + x 2 + x + 1) = x 4 + x 2 + x. i.e. a b = 010110 = x 4 + x 2 + x.
Slide 29
Char 2 Example
Since f is assumed irreducible, every polynomial a = 0 is coprime to f. Hence, using a binary polynomial version of the extended GCD algorithm we can nd u and v so that ua+v f =1 In which case a1 = u in F2n . If a = x 3 + x 2 + 1 and f = x 6 + x + 1 then taking u = x 5 + x 3 and v = x 2 + x + 1 gives us ua+v f =1 and so a1 = u = x 5 + x 3 = 101000.
(mod 2).
(mod 2)
Slide 30
Choice of Dening Polynomial

All char 2 elds of the same degree n are isomorphic. This means it does not depend on which polynomial f we take. Different f s give different representations of the same thing. Let f (x) and g(y ) be irreducible polynomials of degree n. Then there are polynomials r (x) and s(y ) such that one can map one eld into the other via x y (mod f (x)) s(y ) (mod g(y )) r (x) (mod g(y )) (mod f (x))
This means we can select the best irreducible polynomial f for our own implementation. Requires the mapping s(y ) only when talking to someone elses implementation which uses g(y ) instead.
Primitive Polynomials
Let f (X ) be an irreducible binary polynomial of degree n. Let denote a root of f (X ) i.e. F2n = F2 [] Such an f (X ) is called primitive if generates Fn 2 i.e. as a set Fn = {i : i = 0, . . . , 2n 1} 2
Slide 32
Primitive Polynomials
The number of primitive polynominals of degree n is (n) = (2n 1)/n Hence there are a lot: If n = 4 then (n) = 2 If n = 5 then (n) = 6 If n = 6 then (n) = 6 If n = 14 then (n) = 756 If n = 15 then (n) = 1800 If n = 16 then (n) = 2048 If n = 20 then (n) = 24000 If n = 21 then (n) = 84672 If n = 22 then (n) = 120032
The Rijndael Field

Of additional interest is the following eld of degree 8 It is used in Rijndael and some error correcting code systems Identify bytes (8 bits) with elements of the eld of degree 8 Dening polynonial f given by f = x8 + x4 + x3 + x + 1 Write numbers (base 16) to represent the elements 0x01 1 0x02 x 0x03 x + 1 0x05 x 2 + 1 etc
Chinese Remainder Theorem (CRT)

Consider N = 15 = 3 5, then we can represent every element a of Z/NZ by its coordinates (a (mod 3), a (mod 5)). This leads to the following table: 0 0 10 5 1 6 1 11 2 12 7 2 3 3 13 8 4 9 4 14
0 1 2
Note that all elements in Z/NZ have different coordinates, i.e. given (a1 , a2 ) with 0 a1 < 3 and 0 a2 < 5 we can reconstruct a.
Slide 35

Consider N = 24 = 4 6, then we can represent every element a of Z/NZ by its coordinates (a (mod 4), a (mod 6)). This leads to the following table: 0 0/12 6/18 7/19 1 1/13 2/14 3/15 2 8/20 3 9/21 10/22 11/23 4 4/16 5 5/17
0 1 2 3
Note that a and a + 12
(mod 24) map to the same coordinates.
Therefore, given (a1 , a2 ) with 0 a1 < 4 and 0 a2 < 6 we cannot uniquely reconstruct a.

The previous examples indicate that if N = m1 m2 with gcd(m1 , m2 ) = 1, we can replace computing modulo N by computing modulo m1 and modulo m2 , i.e. Z/NZ Z/m1 Z Z/m2 Z iff = gcd(m1 , m2 ) = 1.
If N = m1 m2 then its very easy to compute the coordinates of a Z/NZ, since these are simply (a (mod m1 ), a (mod m2 )). However, given the coordinates (a1 , a2 ) with 0 a1 < m1 and 0 a2 < m2 how do we compute the corresponding a ?
Slide 37
We can reformulate our reconstruction problem as: Given N = m1 m2 with gcd(m1 , m2 ) = 1, compute x Z/NZ with x a1 (mod m1 ) and x a2 (mod m2 ).
Example: If x 4
(mod 7) and x 3 x 18
(mod 5) then we have
(mod 35).
How did we work this out ?
Slide 38
CRT - Example
We want to nd x Z/NZ with N = 35 such that x 4 (mod 7) and x 3 (mod 5)
Therefore, for some u Z we have x = 4 + 7u and x 3 (mod 5).
Substituting this in the second equation gives 4 + 7u 3 (mod 5).
Therefore, u is given by the solution of 2u 7u 3 4 4 Hence we can compute u as u 4/2 (mod 5) 2 (mod 5). (mod 35).
Slide 39
(mod 5).
But then x 4 + 7u 4 + 7 2 18
CRT - General Case

Let m1 , . . . , mr be pairwise relatively prime and let a1 , . . . , ar be integers. We want to nd x modulo M = m1 m2 mr such that x ai (mod mi ) for all i.
The CRT guarantees a unique solution given by

r
x=
i=1
ai Mi yi
(mod M)
with Mi = M/mi and yi = Mi1 (mod mi ). Note that Mi 0 mod mj for j = i and that Mi yi 1 (mod mi ).
CRT - General Case Example

We want to nd the unique x modulo M = 1001 = 7 11 13 such that x 5 (mod 7) and x 3 (mod 11) and x 10 (mod 13).
We compute M1 = 143, y1 = 5 and M2 = 91, y1 = 4 and M3 = 77, y3 = 12. Then we reconstruct x as

r
i=1
ai Mi yi
(mod M) (mod 1001)
5 143 5 + 3 91 4 + 10 77 12 894 (mod 1001)
Slide 41
CRT - Example Application Modular Exponentiation

Let N = 55 = 5 11 and suppose we want to compute 2737 (mod N). This can be done in a number of ways: Really stupid: using 36 multiplications modulo 55. (((27 27) (mod N)) 27 (mod N)) 27 (mod N).
Less stupid: using 5 squarings and 2 multiplications modulo 55. ((272

5
(mod N)) 272
(mod N)) 27
(mod N).
Rather intelligent: using 5 squarings and 2 multiplications modulo 5 and modulo 11 and CRT to combine both results. Really intelligent: using Lagranges theorem, a few multiplications modulo 5 and 11 and CRT to combine both results. The next slide explains this method in general.
Modular Exponentiation
Suppose we want to compute y = xd where N = p q. We know by Lagranges Theorem x p1 = 1 So we rst compute y yp = y yq = y (mod p) (mod q) via
(mod p1) (mod q1)
(mod N)
(mod p) and y
(mod p) = x d (mod q) = x d
(mod p) = x d (mod q) = x d
(mod p), (mod q).
We then solve for y by applying the CRT to the equations y yp y yq

(mod p) (mod q).

Slide 43
One-way Functions
A function f : X Y : x y = f (x) is a one-way function iff For all x X it is very easy or efcient to compute f (x). For almost all y Y , nding an x X with f (x) = y is computationally infeasible. A trapdoor one-way function is a one-way function f : X Y , but given some extra information, called the trapdoor information, it is easy to invert f , i.e. given y Y , it is easy to nd x X such that f (x) = y . We get one-way permutations/trapdoor one-way permutations if we have X = Y and f is injective.
Remark: there is no proof that such functions actually exist.

Slide 44
One-way Functions
Candidate one-way functions: Multiplication:

Given primes p and q, compute N = p q. This is very easy to compute, since we just multiply p and q. The inverse problem: given N nd p and q is called factoring.
Modular exponentiation:
Given N and an element a Z/NZ, compute b am (mod N). This can be computed efciently using square and multiply. The inverse problem: given N, a, b Z/NZ nd m such that b am (mod N) is called the discrete logarithm problem.
Slide 45
Factoring Numbers
The complexity of most algorithms can be expressed in terms of LN (, ) = exp ( + o(1))(log N) (log log N)1 Trial Division: Complexity = LN (1, 1/2 + ), i.e. exponential. Try every number up to N. Elliptic Curve Method: Complexity = Lp (1/2, c), i.e. sub-exponential. Good if N has a prime factor p with p < 250 . Quadratic Sieve: Complexity = LN (1/2, 1), i.e. sub-exponential. Faster for N less than 10110 2365 . Number Field Sieve: Complexity = LN (1/3, 1.923), i.e. sub-exponential. Best known method, can factor N 10158 2525 . Multiplication: Complexity = LN (0, 2), i.e. polynomial.
Factoring Numbers - History

1 MIPSY = # operations of DEC VAX 11/780 running for 1 year. year 1964 1974 1984 1989 1992 1994 1996 1999 1999 2002 # digits 20 45 71 105 110 129 130 145 155 158 # operations 0.001 MIPSY 0.1 MIPSY 75 MIPSY 5000 MIPSY 1000 MIPSY 2000 MIPSY 8400 MIPSY 7000 MIPSY
Slide 47
List of Hard Problems I

Suppose you are given N but not p, q such that N = p q. FACTORING : Find p and q. RSAP : Given c Z/NZ and integer e with gcd(e, (p 1)(q 1) = 1. Find m such that me c (mod N). (mod N). x2 (mod N) nd x. QUADRES : Given a determine whether a x 2 SQROOT: Given a such that a Later we will prove that QUADRES P SQROOT P FACTORING RSAP P FACTORING
Discrete Logarithm Problem

Let (G, ) be an abelian group. Discrete Logarithm Problem Given g, h G, nd an x (if it exists) such that g x = h. The difculty of this problem depends on the group G: Very easy: polynomial time algorithm, e.g. (Z/NZ, +) Rather hard: sub-exponential time algorithm, e.g. (GF (p), ). Very hard: exponential time algorithm, e.g. Elliptic Curve groups.
List of Hard Problems II

Given an abelian group (G, ) and g G. DLP : Given h G such that h = g x nd x. DHP : Given a = g x and b = g y nd c = g xy . DDH : Given a = g x , b = g y and c = g z , determine if z = xy . Later we will prove that: If we can solve DLP then we can solve DHP. If we can solve DHP then we can solve DDH.
DDH P DHP P DLP

Reductions
We will reduce one hard problem to another, which will allow us to compare the relative difculty of the two problems, i.e. we can say Problem A is no harder than Problem B Let A and B be two computational problems. Then A is said to polytime reduce to B, written A P B if There is an algorithm which solves A using an algorithm which solves B. This algorithm runs in polynomial time if the algorithm for B does. Assume we have an oracle (or efcient algorithm) to solve problem B. We then use this oracle to give an efcient algorithm for problem A.
Reductions - DHP P DLP

Here we show how to reduce DHP to DLP, i.e. we give an efcient algorithm for solving the DHP given an oracle for the DLP. Given g x and g y we wish to nd g xy . First compute y = DLP(g y ) using the oracle. Then compute (g x )y = g xy . So DHP is no harder than DLP, i.e. DHP P DLP. Remark: in some groups you can show that DHP is equivalent to DLP.
Slide 52
Reductions - DDH P DHP

Here we show how to reduce DDH to DHP, i.e. we give an efcient algorithm for solving the DDH given an oracle for the DHP. Given elements g x , g y and g z , determine if z = x y . Using the oracle to solve DHP, compute g xy = DHP(g x , g y ). Then check whether g xy = g z . So DDH is no harder than DHP, i.e. DDH P DHP. Remark: in some groups you can show that DDH is probably easier than DHP.
Reductions - SQROOT P FACTORING

Here we show how to reduce SQROOT to FACTORING, i.e. we give an efcient algorithm for solving SQROOT given an oracle for FACTORING. Given z = x 2 (mod N) we wish to compute x.
Using the oracle for FACTORING, nd the prime factors pi of N. Compute z (mod pi ). (can be done in polynomial time) Recover z (mod N) using CRT on the data z (mod pi ). One has to be a little careful if powers of pi greater than one divide N. So computing square roots modulo N is no harder than factoring. SQROOT P FACTORING.
Slide 54
Reductions - FACTORING P SQROOT

Here we show how to reduce FACTORING to SQROOT, i.e. we give an efcient algorithm for FACTORING given an oracle for SQROOT. Given N = p q we wish to compute p and q. Compute z = x 2 for a random x (Z/NZ) . Compute y = z (mod N) using the oracle for SQROOT.
There are four possible square roots, since there are two factors. With fty percent probability we have y = x (mod N).
Factor N by computing gcd(x y , N). So factoring is no harder than computing square roots modulo N. FACTORING P SQROOT.
Slide 55
Reductions - FACTORING P SQROOT
Summarizing the result of the previous two slides: FACTORING P SQROOT. SQROOT P FACTORING. So FACTORING and SQROOT are computationally equivalent. SQROOT P FACTORING.
Slide 56
Reductions - RSAP P FACTORING

Here we show how to reduce RSAP to FACTORING, i.e. we give an efcient algorithm for solving RSAP given an oracle for FACTORING. Given c = me (mod N) and the integer e, nd m. Find the factorization of N = p q using the oracle. Compute (N) as (N) = (p 1) (q 1). Using the XGCD compute d = 1/e Finally, recover m = cd (mod N). (mod (N)).
So the RSA problem is no harder than factoring, i.e. RSAP P FACTORING. There is some evidence (although slight) that it might be easier.
Slide 57

Maths

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Maths

Uploaded by

Copyright:

Available Formats

COMS30002 : Mathematical Interlude

Elisabeth Oswald, Nigel Smart and Martijn Stam

Decimals should never exist

Multiplicative Inverse - Examples

5 has no multiplicative inverse, since gcd(5, 10) = 5.

050 155 250 355 450

555 650 755 850 955

Greatest Common Divisor (GCD)

GCD - Euclidean Algorithm

GCD - Euclidean Algorithm - Example

GCD - Extended Euclidean Algorithm

GCD - Extended Euclidean Algorithm

XGCD - Multiplicative Inverse

Thus if d = 1 then a has a multiplicative inverse given by a1 x (mod N).

Euler Phi Function (N)

Formula for (N)

we can compute (N) using the following formula:

piei 1 (pi 1).

Fermats Little Theorem

Examples Rational numbers, real numbers, complex numbers.

Characteristic Two Fields

Characteristic Two Fields

Choice of Dening Polynomial

The Rijndael Field

Chinese Remainder Theorem (CRT)

Chinese Remainder Theorem (CRT)

Note that a and a + 12

(mod 24) map to the same coordinates.

Chinese Remainder Theorem (CRT)

Chinese Remainder Theorem (CRT)

(mod 5) then we have

How did we work this out ?

Therefore, for some u Z we have x = 4 + 7u and x 3 (mod 5).

Substituting this in the second equation gives 4 + 7u 3 (mod 5).

CRT - General Case

The CRT guarantees a unique solution given by

CRT - General Case Example

We compute M1 = 143, y1 = 5 and M2 = 91, y1 = 4 and M3 = 77, y3 = 12. Then we reconstruct x as

(mod M) (mod 1001)

5 143 5 + 3 91 4 + 10 77 12 894 (mod 1001)

CRT - Example Application Modular Exponentiation

Less stupid: using 5 squarings and 2 multiplications modulo 55. ((272

(mod N)) 272

(mod p), (mod q).

We then solve for y by applying the CRT to the equations y yp y yq

(mod p) (mod q).

Remark: there is no proof that such functions actually exist.

Candidate one-way functions: Multiplication:

Factoring Numbers - History

List of Hard Problems I

Discrete Logarithm Problem

List of Hard Problems II

DDH P DHP P DLP

Reductions - DHP P DLP

Reductions - DDH P DHP

Reductions - SQROOT P FACTORING

Reductions - FACTORING P SQROOT

Reductions - FACTORING P SQROOT

Reductions - RSAP P FACTORING

You might also like