๐ŸŽ‰ ไปŽ330่ฝฌไธบWashUๅธฎๅŠฉๆ‰‹ๅ†Œๅ•ฆ!

CSE442
ๆจกๅ—
Cse442t L8

Lecture 8

Computational number theory/arithmetic

We want to have a easy-to-use one-way functions for cryptography.

How to find axmodโ€‰โ€‰Na^x\mod N quickly. a,x,Na,x,N are positive integers. We want to reduce [amodโ€‰โ€‰N][a\mod N]

Example: 12939modโ€‰โ€‰41โ‰ก(129modโ€‰โ€‰41)39modโ€‰โ€‰41=639modโ€‰โ€‰41129^{39}\mod 41\equiv (129\mod 41)^{39}\mod 41=6^{39}\mod 41

Find the binary representation of xx. e.g. express as sums of powers of 2.

x=39=bin(1,0,0,1,1,1)

Repeatedly square floor(logโก2(x))floor(\log_2(x)) times.

639modโ€‰โ€‰41=632+4+2+1modโ€‰โ€‰41=(632modโ€‰โ€‰41)(64modโ€‰โ€‰41)(62modโ€‰โ€‰41)(61modโ€‰โ€‰41)modโ€‰โ€‰41=(โˆ’4)(25)(โˆ’5)(6)modโ€‰โ€‰41=7\begin{aligned} 6^{39}\mod 41&=6^{32+4+2+1}\mod 41\\ &=(6^{32}\mod 41)(6^{4}\mod 41)(6^{2}\mod 41)(6^{1}\mod 41)\mod 41\\ &=(-4)(25)(-5)(6)\mod 41\\ &=7 \end{aligned}

The total multiplication steps is floor(logโก2(x))floor(\log_2(x))

looks like fast exponentiation right?

Goal: fg,p(x)=gxmodโ€‰โ€‰pf_{g,p}(x)=g^x\mod p is a one-way function, for certain choice of p,gp,g (and assumptions)

A group (Nice day one for MODERN ALGEBRA)

A group GG is a set with, a binary operation โŠ•\oplus. and โˆ€a,bโˆˆG\forall a,b\in G, aโŠ•bโ†’ca \oplus b\to c

  1. a,bโˆˆG,aโŠ•bโˆˆGa,b\in G,a\oplus b\in G
  2. (aโŠ•b)โŠ•c=aโŠ•(bโŠ•c)(a\oplus b)\oplus c=a\oplus(b\oplus c)
  3. โˆƒe\exists e such that โˆ€aโˆˆG,eโŠ•g=g=gโŠ•e\forall a\in G, e\oplus g=g=g\oplus e
  4. โˆƒgโˆ’1โˆˆG\exists g^{-1}\in G such that gโŠ•gโˆ’1=eg\oplus g^{-1}=e

Example:

  • ZN={0,1,2,3,...,Nโˆ’1}\mathbb{Z}_N=\{0,1,2,3,...,N-1\} with addition modโ€‰โ€‰N\mod N, with identity element 00. aโˆˆZN,aโˆ’1=Nโˆ’aa\in \mathbb{Z}_N, a^{-1}=N-a.
  • A even simpler group is Z\Z with addition.
  • ZNโˆ—={x:xโˆˆZ,1โ‰คxโ‰คN:gcd(x,N)=1}\mathbb{Z}_N^*=\{x:x\in \mathbb{Z},1 \leq x\leq N: gcd(x,N)=1\} with multiplication modโ€‰โ€‰N\mod N (we can do division here! yeah...).
    • If N=pN=p is prime, then Zpโˆ—={1,2,3,...,pโˆ’1}\mathbb{Z}_p^*=\{1,2,3,...,p-1\}
    • If N=24N=24, then Z24โˆ—={1,5,7,11,13,17,19,23}\mathbb{Z}_{24}^*=\{1,5,7,11,13,17,19,23\}
      • Identity is 11.
      • Let aโˆˆZNโˆ—a\in \mathbb{Z}_N^*, by Euclidean algorithm, gcd(a,N)=1gcd(a,N)=1,โˆƒx,yโˆˆZ\exists x,y \in Z such that ax+Ny=1,axโ‰ก1modโ€‰โ€‰N,x=aโˆ’1ax+Ny=1,ax\equiv 1\mod N,x=a^{-1}
      • a,bโˆˆZNโˆ—a,b\in \mathbb{Z}_N^*. Want to show gcd(ab,N)=1gcd(ab,N)=1. If gcd(ab,N)=d>1gcd(ab,N)=d>1, then some prime pโˆฃdp|d. so pโˆฃ(a,b)p|(a,b), which means pโˆฃap|a or pโˆฃbp|b. In either case, gcd(a,N)>dgcd(a,N)>d or gcd(b,N)>dgcd(b,N)>d, which contradicts that a,bโˆˆCNโˆ—a,b\in \mathbb{C}_N^*

Euler's totient function

ฯ•:Z+โ†’Z+,ฯ•(N)=โˆฃZNโˆ—โˆฃ=โˆฃ{1โ‰คxโ‰คN:gcd(x,N)=1}โˆฃ\phi:\mathbb{Z}^+\to \mathbb{Z}^+,\phi(N)=|\mathbb{Z}_N^*|=|\{1\leq x\leq N:gcd(x,N)=1\}|

Example: ฯ•(1)=1\phi(1)=1, ฯ•(24)=8\phi(24)=8, ฯ•(p)=pโˆ’1\phi (p)=p-1, ฯ•(pโ‹…q)=(pโˆ’1)(qโˆ’1)\phi(p\cdot q)=(p-1)(q-1)

Euler's Theorem

For any aโˆˆZNโˆ—a\in \mathbb{Z}_N^*, aฯ•(N)โ‰ก1modโ€‰โ€‰Na^{\phi(N)}\equiv 1\mod N

Consequence: axmodโ€‰โ€‰Na^x\mod N, x=Kโ‹…ฯ•(N)+r,0โ‰คrโ‰คฯ•(N)x=K\cdot \phi(N)+r,0\leq r\leq \phi(N)

a^x\equiv a^{K \cdot \phi (N) +r}\equiv ( a^{\phi(n)} )^K \cdot a^r \mod N$

So computing axmodโ€‰โ€‰Na^x\mod N is polynomial in logโก(N)\log (N) by reducing amodโ€‰โ€‰Na\mod N and xmodโ€‰โ€‰ฯ•(N)<Nx\mod \phi(N)<N

Corollary: Fermat's little theorem:

1โ‰คaโ‰คpโˆ’1,apโˆ’1โ‰ก1modโ€‰โ€‰p1\leq a\leq p-1,a^{p-1}\equiv 1 \mod p

Cse442t L7Cse442t L9