B504/I538: Introduction to Cryptography Spring 2017 • Lecture 16 (2017—03—02)

Tuesday’s lecture: Today’s lecture: One-way permutations (OWPs) PRGs from OWPs Today’s lecture: Basic number theory “secret key” So far: cryptography Going forward: “public key” cryptography

Divisibility The set of integers is ℤ={…,-3,-2,-1, 0, 1, 2, 3,…} Let a and b be any two integers Defn: b is called a divisor of a if We write b | a (read “b divides a”) to indicate that b is a divisor of a and b ∤ a to indicate that b is not a divisor of a ∃c∈ℤ such that a=bc ??? If b | a, then a is called a multiple of b Defn: a is called a prime if a>1 and ??? b | a implies that b∈{±1,±a}

Divisibility Does 6 divide 12? Does 6 divide 6? Does 0 divide 6? YES! (Because 6·2=12) every integer divides itself YES! (Because 6·1=6) only 0 divides 0 No! (Because 0·c=0 for all c∈ℤ) every integer divides 0 YES! (Because 6·0=0) No! (Because 4·1<6 and 4·2>6) 1 divides every integer Yes! (Because 1·6=6)

Division Algorithm Thm: Let a, b∈ℤ with b>0. Then there exist unique integers q, r∈ℤ such that a=b·q+r and 0≤r<b. The integer q is called the quotient and r the remainder upon division of a by b. If b | a, then r= If b>a, then q= and r= a=17 and b=5 ⇒ a=-23 and b=6 ⇒ a=20 and b=5 ⇒ ?? ?? ?? a ???? q=3 and r=2, since 17 =5·3+2 ???? q=-4 and r=1, since -23=6·(-4) +1 ???? q=4 and r=0, since 20=5·4+0

Greatest common divisors (GCDs) Defn: The greatest common divisor of two non-zero integers a and b is The greatest common divisor of a and b is denoted gcd(a, b). the largest positive divisor of a that is also a divisor of b. ??? gcd(4, 15)= gcd(4, 10)= gcd(22 · 32 · 5, 2 · 33 · 72)= 1 ?? 2 ?? 2 · 32 ?? Defn: a and b are relatively prime if gcd(a, b)=1 ??? a.k.a co-prime

Least common multiples (LCMs) Defn: The least common multiple of two non-zero integers a and b is The least common multiple of a and b is denoted by lcm(a, b). the smallest positive multiple of a that is also a multiple of b. ??? lcm(4, 15)= lcm(4, 10)= lcm(4, 8)= lcm(22 · 32 · 5, 2 · 33 · 72)= 60 (4=22 and 15=3·5) ?? 20 (4=22 and 10=2·5) ?? 8 (4=22 and 8=23) ?? 22 · 33 · 5 · 72 ??

Properties of GCDs and LCMs Let a, b∈ℤ with a>0 and b>0, let d=gcd(a, b) and let m=lcm(a, b). Then a·b=d·m If c | a and c | b, then c | d If a | s and b | s, then m | s Bezout’s identity: There exist integers (unique) s and t such that d=as+bt. a·b=gcd(a, b)·lcm(a,b) every common divisor divides the gcd every common multiple is a multiple of the lcm “gcd is a linear combination”

Extended Euclidean Algorithm Fact 1: If b | a, then gcd(a, b)=b Fact 2: If a=b·q+r, then gcd(a, b)=gcd(b, r) (Assume that a>b; if not, swap a and b) Idea: Apply Facts 1 and 2 repeatedly, using the Division Algorithm to write a=b·q+r at each step a = q 0 b +r0 b = q 1 r0+r1 r0 = q 2 r1+r2 r1 = q 3 r2+r3 ⋮ rk-3= q k-1rk-2+rk-1 0 = q k rk-1+rk Pseudocode: function gcd(a,b) { while (a ≠ b) if (a >b) a := a − b; else b := b − a; } return a ; r0 = a-q0b r1 = b-q 3 r0 ⋮ rk-3= rk-5 – q k-3rk-4 rk-2= rk-4 -q k-2rk-3 gcd(a, b)= rk-3-qk-1rk-2 repeated substitution yields s,t such that as+bt=gcd(a,b) gcd(a, b)

Euclid’s Lemma Euclid’s Lemma: Let a and b be integers. If p is a prime such that p | a·b, then p | a or p | b (or both). Proof: Assume W.L.O.G. that p is prime and p | a·b but p ∤ a. We prove that p | b. First note that p ∤ a with p prime implies that gcd(a, p)=1; thus, by Bezout’s Theorem, there exist integer s and t such that as+pt=1. Multiplying both sides of this expression by b yields bas+bpt=(ab)s+p(bt)=b. Now, p | (ab)s by assumption and clearly p | p(bt); hence, p | (bas+bpt). But bas+bpt=b and it therefore follows that p | b, as desired. ☐

Fundamental Theorem of Arithmetic Fundamental Theorem of Arithmetic: Let n>1 be an arbitrary integer. Then n is a product of (powers of) primes, and this product is unique (up to the order of the prime powers) In other words, every n>1 can be “factored” into primes in one—and only one—way.

Clock arithmetic Q:If it is 10:00 am now, what time will it be in 6 hours? A:4:00 pm Q:If it is 2:00 pm now, what time was it 3 hours ago? A:11:00 am Q:It is currently October. What month will it be 25 months from now? A: November Q:On Mercury, each day is 1407 hours long. If it is 1200:00 now, what time will it be in 500 hours? A:293:00 (=1700:00-1407:00)

Modular arithmetic a=q·n+r, as in the Division Algorithm. ??? Defn: Let a, r, n∈ℤ with n>1 and 0≤r<n. Then a is congruent to r modulo n if We write a≡r mod n to indicate that a is congruent to r modulo n. a=q·n+r, as in the Division Algorithm. ??? 3 ≡ mod 2 6 ≡ mod 2 11≡ mod 3 62 ≡ mod 85 ?? 1 Thm: Let a, b, and n be integers with n≥1, then a≡b mod n if and only if n | a-b. ?? ?? 2 62 ??

Notational conventions p and q typically denote prime numbers n is always a positive integer, which may or may not (though usually not) be prime ℤn≔{0, 1, 2, …, n-1} with arithmetic modulo n ℥n ≔{ a∈ℤn | gcd(a, n)=1 } with arithmetic modulo n

Modular inversion Defn: Let a∈ℤn. The (multiplicative) inverse of a modulo n is an element b∈ℤn such that The inverse of a modulo n is denoted by a-1. a·b≡1 mod n ?? 2-1 ≡ mod 3 3-1 ≡ mod 5 2-1 ≡ mod 6 Let n be any odd integer. Then 2-1 ≡ mod n ?? 2 (since 2·2=4=3·1+1≡1 mod 3) 2 (since 3·2=6=5·1+1≡1 mod 5) ?? ⊥ (i.e., the inverse does not exist!) ?? (n+1)/2 ??

Modular inverses Q: Which elements of ℤ have inverses modulo n? Thus, a∈ℤn has an inverse modulo n if and only if a∈℥n Q: Given a∈℥n, how do you compute a-1 mod n? A: By definition, a·a-1≡1 mod n ⇒ a·a-1=1+t·n for some t Hence, a·a-1+(-t)·n=gcd(a, n) ⇒ a-1≡s from Bezout’s Theorem Thus, we can use the Extended Euclidean Algorithm Thm: An integer a∈ℤ has an inverse modulo n if and only if gcd(a, n)=1. Corollary: If p is a prime, then a has an inverse modulo p if and only if a is not a multiple of p; i.e., ℥p={1, 2, …, p-1}.

Solving linear equations modulo n Thm: For any integer n>1, there exists an integer x such that ax≡b mod n if and only if gcd(a, n) | b. Q: Does 6x≡18 mod 36 have a solution? A: YES! Because gcd(6, 18)=6 and 6 | 18 In fact, it has 6 solutions in ℤn:3, 9, 15, 21, 27, 33 Q: Does 2x≡5 mod 10 have a solution? A: NO! Because gcd(2, 10)=2 and 2 ∤ 5

Fermat’s Little Theorem Fermat’s Little Theorem: Let p be a prime. Then for every a∈℥p, we have ap-1≡1 mod p. Corollary: For all a∈ℤp, ap≡a mod p. 34≡ mod 5 84112≡ mod 113 79561≡ mod 113 Trick: To compute ax mod p, reduce the base (i.e., a) modulo p and the exponent (i.e., x) modulo p-1 ?? 1 ?? 1 79 (since 561=5·(113-1)+1) ??

Proof of Fermat’s Little Theorem To prove Fermat’s Little Theorem, we first prove the following lemma. Lemma: If n is an integer and a∈℥n, then a·k1≡a·k2 mod n if and only if k1≡k2 mod n. Proof: Suppose k1a≡k2a. Since a∈℥n, there exists an inverse a-1∈℥n such that a·a-1≡1 mod n. Therefore, (k1a) a-1≡ (k2a) a-1 mod n. But (k1a) a-1=k1 (a·a-1)≡k1 mod p and (k2 a) a-1= k2 (a·a-1)≡k2 mod p; hence, it follows that k1≡k2 mod p, as desired. ☐

Proof of Fermat’s Little Theorem Fermat’s Little Theorem: Let p be a prime. Then for every a∈℥p, we have ap-1≡1 mod p. Proof: Consider the product a·(2a)·(3a)⋯((p-1)a) mod p. By the lemma on the previous slide, it follows that the above product is congruent to (p-1)!=1·2·3⋯(p-1) mod p. (Indeed, it is clearly a product of p-1 numbers from ℥p; if these numbers aren’t distinct, then we obtain an immediate contradiction.) In other words, we have that a·(2a)·(3a)⋯((p-1)a)≡1·2·3⋯(p-1) mod p. Rearranging the left-hand side, we get ap-1(p-1)!≡(p-1)! mod p. Thus, a second application of the lemma shows that ap-1≡1 mod p. ☐

Generating random (probable) primes Goal: Generate a random n-bit prime Step 1: Choose n∈R [2n+1, 2n+1-1] Step 2: Check if 2n-1 ≡ 1 mod n If so, output n; otherwise, go to Step 1 If n is prime, then Pr[2n-1≡ 1]=1 If n is not prime, then Pr[2n-1≡1] is “small” - Unless you get unlucky and n is a Carmichael number…

Chinese Remainder Theorem Chinese Remainder Theorem: Let n1, n2, …, nk be positive integers with gcd(ni, nj)=1 whenever i≠j, and let N=n1·n2⋯nk. Then the system of congruence relations x≡ c1 mod n1 ⋮ x≡ ck mod nk has a unique solution in ℤN. zi≡1 mod ni zi≡0 mod nj when i≠j For each i=1,…,k, set yi ≡ (N/ni)-1 mod ni and zi≡(N/ni)·yi mod N The unique solution is x≡∑zi·ci mod N

Euler’s phi function Defn: Let n be a positive integer. Then Euler’s phi function is φ(n)≔|℥n|. In particular, Euler’s phi function of n indicates the number of positive integer less than and relatively prime to n. If p is prime, then φ(p)= If p is prime, then φ(p2)= If p is prime, then φ(pk)= If p and q are distinct prime, then φ(p·q)= If n=p1e1p2e2⋯pkek, then φ(n)= p-1 ?? p(p-1) ?? pk-1(p-1) ?? (p-1)(q-1) ?? p1e1-1(p1-1) p2e2-1(p2-1) ⋯pkek-1(pk-1) ?? Thm (Fermat restatement): If p is prime, then ∀a∈℥p, aφ(p)≡ 1 mod p.

Euler’s Theorem Generalization of Fermat’s Little Theorem Euler’s Theorem: For any integer n>1 and a∈℥n, aφ(n)≡1 mod n. 34≡ mod 10 8440≡ mod 100 79441≡ mod 100 The last two digits of 10381 are Trick: To compute ax mod n, reduce the base (i.e., a) modulo n and the exponent (i.e., x) modulo φ(n) 1 ?? ?? 1 (since φ(100)=5·(5-1)·2·(2-1)=40) 79 (since 441=11·φ(100)+1) ?? 01 (since 10381≡3 mod 100) ??

That’s all for today, folks!