If n prime then $a^n \equiv a \pmod n$.

Proof by Euler:
  if $a \equiv 0$ then $a^n \equiv 0 \equiv a$;
  else suppose $\gcd(a,n) = 1$.
  Then $x \equiv ay \pmod n$ for $y \equiv a^{-1}x$, for any x,
  so $\{a, 2a, \ldots, (n-1)a\} \equiv \{1, 2, \ldots, n-1\} \pmod n$.
Euler's Theorem

$\phi(n)$ = number of integers in $\{1, \ldots, n-1\}$ relatively prime to n.

Euler's Theorem: If $\gcd(a,n) = 1$ then $a^{\phi(n)} \equiv 1 \pmod n$.

Proof: let $b_1, \ldots, b_{\phi(n)}$ be the integers $< n$ relatively prime to n.
Euler's Theorem (contd)

Lemma: $\{b_1, \ldots, b_{\phi(n)}\} = \{ab_1, ab_2, \ldots, ab_{\phi(n)}\} \pmod n$.

Proof: If $ab_i \equiv ab_j$ then by Law B, $b_i \equiv b_j$.
  Since $1 = \gcd(b_i, n) = \gcd(a, n)$, then $\gcd(ab_i, n) = 1$,
  so $ab_i \equiv b_{j_i}$ for $\{j_1, \ldots, j_{\phi(n)}\} = \{1, \ldots, \phi(n)\}$.
Euler's Theorem (contd)

By Law A and the Lemma:
  $(ab_1)(ab_2) \cdots (ab_{\phi(n)}) \equiv b_1 b_2 \cdots b_{\phi(n)} \pmod n$,
  so $a^{\phi(n)} \, b_1 b_2 \cdots b_{\phi(n)} \equiv b_1 b_2 \cdots b_{\phi(n)} \pmod n$.
By Law B: $a^{\phi(n)} \equiv 1 \pmod n$.
Taking Powers mod n by Repeated Squaring

Write $e = \sum_{i=0}^{k} e_i 2^i$ with each $e_i \in \{0, 1\}$. Then
  $a^e = a^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} \left(a^{2^i}\right)^{e_i} \pmod b$,
where each $a^{2^{i+1}}$ is obtained by squaring $a^{2^i}$.

Taking Powers mod n by Repeated Squaring (contd)

Time Cost: O(k) mults and additions mod b, where k = # bits of e.
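As an added example (not code from the slides), the repeated-squaring rule above in Python, counting the multiplications mod b so the O(k) cost can be observed, together with the slide's definition of $\phi(n)$ used to check Euler's theorem with it:

```python
from math import gcd

def mod_pow(a, e, b):
    """Repeated squaring from the slides: with e = sum_i e_i 2^i (binary digits e_i),
    a^e = prod_i (a^{2^i})^{e_i} mod b.  Returns (a^e mod b, number of multiplications
    mod b performed), so the O(k) cost, k = number of bits of e, is visible."""
    if b == 1:
        return 0, 0
    result, square, mults = 1, a % b, 0     # square holds a^{2^i} mod b at step i
    while e > 0:
        if e & 1:                           # bit e_i is 1: fold a^{2^i} into the product
            result = result * square % b
            mults += 1
        square = square * square % b        # a^{2^{i+1}} = (a^{2^i})^2, one squaring per bit
        mults += 1
        e >>= 1
    return result, mults

def euler_phi(n):
    """phi(n) exactly as defined on the slide: count of 1 <= x < n with gcd(x, n) = 1."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)

def euler_theorem_holds(a, n):
    """Euler's theorem, a^{phi(n)} = 1 (mod n) for gcd(a, n) = 1, evaluated with mod_pow."""
    assert gcd(a, n) == 1
    return mod_pow(a, euler_phi(n), n)[0] == 1
```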
Rivest, Shamir, Adleman (RSA) Encryption Algorithm

M = integer message
e = encryption integer for user A
Cryptogram: $C = E(M) = M^e \bmod n$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)

Method:
(1) Choose large random primes p, q; let $n = pq$.
(2) Choose a large random integer d relatively prime to $\phi(n) = \phi(p)\,\phi(q) = (p-1)(q-1)$.
(3) Let e be the multiplicative inverse of d modulo $\phi(n)$: $ed \equiv 1 \pmod{\phi(n)}$.
    (require $e > \log n$, else try another d)
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)

Theorem: If M is relatively prime to n, and $D(x) = x^d \pmod n$, then
  $D(E(M)) \equiv E(D(M)) \equiv M$.
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)

Proof:
  $D(E(M)) \equiv E(D(M)) \equiv M^{ed} \pmod n$.
  There must exist $k \ge 0$ s.t. $1 = \gcd(d, \phi(n)) = de - k\phi(n)$,
  i.e. $ed = k\phi(n) + 1$.
  So $M^{ed} \equiv M^{k\phi(n)+1} \pmod n$.
  Since $(p-1)$ divides $\phi(n)$, $M^{k\phi(n)+1} \equiv M \pmod p$.
Security of RSA Cryptosystem

Theorem: If one can compute d in polynomial time, then one can factor n in polynomial time.

Proof: $ed - 1$ is a multiple of $\phi(n)$.
  But Miller has shown that one can factor n from any multiple of $\phi(n)$.
Security of RSA Cryptosystem (contd)

If one can find d' s.t. $M^{d'} \equiv M^{d} \pmod n$,
then d' differs from d by $\mathrm{lcm}(p-1, q-1)$, so one can factor n.
(lcm is the "least common multiple")
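Added example (my own code, not from the slides): key generation in the order the Method slide gives it (d first, then e as its inverse), a check of the theorem $D(E(M)) \equiv E(D(M)) \equiv M$, and the constructive content of the security theorem, recovering p and q from a multiple of $\phi(n)$ such as $ed - 1$. The tiny primes 61 and 53 are constructed for readability; the seed and helper names are assumptions.

```python
import random
from math import gcd

def rsa_keygen(p, q, rng):
    """Key generation in the slides' order: pick the decryption integer d coprime to
    phi(n) first, then e = d^{-1} mod phi(n) (pow(d, -1, m) needs Python 3.8+).
    p and q are passed in; real keys use large random primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        d = rng.randrange(2, phi)
        if gcd(d, phi) == 1:
            e = pow(d, -1, phi)
            if e > n.bit_length():      # slide: require e > log n, else try another d
                return n, e, d

def E(M, e, n): return pow(M, e, n)     # cryptogram C = M^e mod n
def D(C, d, n): return pow(C, d, n)     # D(x) = x^d mod n

def factor_from_d(n, e, d, rng):
    """Security theorem on the slides: e*d - 1 is a multiple of phi(n), and any
    multiple of phi(n) factors n (Miller). Write e*d - 1 = 2^t * r with r odd:
    for a coprime to n, a^{2^t r} = 1 mod n, so repeatedly squaring a^r reaches
    a square root of 1; if that root is not +-1, gcd(root - 1, n) is a factor."""
    r, t = e * d - 1, 0
    while r % 2 == 0:
        r, t = r // 2, t + 1
    while True:
        a = rng.randrange(2, n - 1)
        if gcd(a, n) != 1:
            continue                    # (such an a would itself give a factor; negligible)
        x = pow(a, r, n)
        for _ in range(t):
            y = x * x % n
            if y == 1:
                if x in (1, n - 1):
                    break               # trivial square root: try another a
                p = gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            x = y

def demo(seed=7, p=61, q=53, M=65):
    """Constructed toy run (tiny primes keep the numbers readable)."""
    rng = random.Random(seed)
    n, e, d = rsa_keygen(p, q, rng)
    ok = D(E(M, e, n), d, n) == M and E(D(M, d, n), e, n) == M   # the theorem
    return n, e, d, ok, factor_from_d(n, e, d, rng)
```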
Quadratic Residues

a is a quadratic residue of n if $x^2 \equiv a \pmod n$ has a solution.

Euler: If n is odd, prime and $\gcd(a,n) = 1$, then
  a is a quadratic residue of n iff $a^{(n-1)/2} \equiv 1 \pmod n$.
Jacobi Function

$$J(a,n) = \begin{cases} 1 & \text{if } \gcd(a,n) = 1 \text{ and a is a quadratic residue of n} \\ -1 & \text{if } \gcd(a,n) = 1 \text{ and a is not a quadratic residue of n} \\ 0 & \text{if } \gcd(a,n) \ne 1 \end{cases}$$
Jacobi Function (contd)

Gauss's Quadratic Reciprocity Law: if p, q are odd primes,
  $J(p,q)\, J(q,p) = (-1)^{(p-1)(q-1)/4}$.

Rivest Algorithm:
$$J(a,n) = \begin{cases} 1 & \text{if } a = 1 \\ J(a/2,\, n)\,(-1)^{(n^2-1)/8} & \text{if a even} \\ J(n \bmod a,\, a)\,(-1)^{\frac{a-1}{2}\cdot\frac{n-1}{2}} & \text{else} \end{cases}$$
Jacobi Function (contd)

Theorem (Fermat): $n > 2$ is prime iff $\exists x$, $1 < x < n$, with
  (1) $x^{n-1} \equiv 1 \pmod n$
  (2) $x^i \not\equiv 1 \pmod n$ for all $i \in \{1, 2, \ldots, n-2\}$
Theorem: Primes are in NP

Proof:
  input n
  n = 2: output "prime"
  n = 1 or (n even and n > 2): output "composite"
  else guess x to verify Fermat's Theorem:
    Check (1) $x^{n-1} \equiv 1 \pmod n$
    To verify (2), guess the prime factorization of $n-1 = n_1 n_2 \cdots n_k$
      (a) recursively verify each $n_i$ prime
      (b) verify $x^{(n-1)/n_i} \not\equiv 1 \pmod n$
Theorem: Primes are in NP (contd)

Note: if $x^{n-1} \equiv 1 \pmod n$, the least y s.t. $x^y \equiv 1 \pmod n$ must divide $n-1$,
  so $x^{ya} \equiv 1 \pmod n$ for every a.
  If $y < n-1$ then y divides $(n-1)/n_i$ for some i; let $a = (n-1)/(y\, n_i)$,
  so $1 \equiv x^{ya} = x^{(n-1)/n_i} \pmod n$, which (b) rules out.
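A checker for the certificate described on the two slides above, added here as an example (not the slides' own code). The certificate format is constructed for this example: each odd prime m that the recursion visits maps to the guessed witness x and the guessed prime factorization of m-1; the checks are exactly (1), (a) and (b).

```python
def verify_pratt(n, cert):
    """Certificate checker for the 'Primes are in NP' proof on the slides.
    cert (a format constructed for this example) maps each odd prime m that
    the proof recurses into to (x, factors): the guessed witness x and the
    guessed prime factorization of m-1 as a list (repeated primes repeated)."""
    if n == 2:
        return True                          # base case of the slide's procedure
    if n < 2 or n % 2 == 0 or n not in cert:
        return False                         # 1, even n > 2, or nothing to check
    x, factors = cert[n]
    if not 1 < x < n:
        return False
    prod = 1
    for q in factors:
        prod *= q
    if prod != n - 1:                        # the guessed factorization must be of n-1
        return False
    if pow(x, n - 1, n) != 1:                # condition (1)
        return False
    for q in set(factors):
        if not verify_pratt(q, cert):        # (a) each factor recursively verified prime
            return False
        if pow(x, (n - 1) // q, n) == 1:     # (b) x^{(n-1)/n_i} != 1, so x has order n-1
            return False
    return True

# Constructed certificate for 101 (and for 5, which its proof recurses into; 2 needs none)
CERT_101 = {
    5: (2, [2, 2]),                          # 4 = 2*2; 2^4 = 1 and 2^2 = 4 != 1 (mod 5)
    101: (2, [2, 2, 5, 5]),                  # 100 = 2*2*5*5; 2 generates Z_101^*
}

# A bogus certificate: 15 is composite and condition (1) already fails
CERT_15_BOGUS = {15: (2, [2, 7])}            # 2^14 = 4 != 1 (mod 15)
```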
Primality Testing

Goal of Randomized Primality Testing:
  wish to test if n is prime
  technique: $W_n(a)$, "a witness that n is composite"
    $W_n(a)$ = true  $\Rightarrow$ n composite
    $W_n(a)$ = false $\Rightarrow$ don't know
  for random $a \in \{1, \ldots, n-1\}$:
    n composite $\Rightarrow$ Prob($W_n(a)$ = true) $> 1/2$
  So at least $1/2$ of all $\{1, \ldots, n-1\}$ are "witnesses to compositeness of n".
Primality Testing (contd)

Solovay & Strassen Primality Test:
  $W_n(a) = (\gcd(a,n) \ne 1)$ or $(J(a,n) \not\equiv a^{(n-1)/2} \pmod n)$
  i.e. test if Gauss's Quadratic Reciprocity Law is violated.
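Added example (not code from the slides): the Rivest recursion for $J(a,n)$ from the earlier Jacobi slide, the Solovay-Strassen witness $W_n(a)$ defined just above, and the randomized test built on it. Two base cases the recursion on the slide leaves implicit, $J(a,1) = 1$ and $J(0,n) = 0$, are added so it terminates for every input; function names are my own.

```python
import random
from math import gcd

def jacobi(a, n):
    """Rivest's recursive rule from the slides for J(a, n), n odd and positive.
    Added base cases: J(a, 1) = 1 and J(0, n) = 0 for n > 1 (reached exactly
    when gcd(a, n) > 1)."""
    assert n > 0 and n % 2 == 1
    a %= n
    if n == 1:
        return 1
    if a == 0:
        return 0
    if a == 1:
        return 1
    if a % 2 == 0:                                   # J(a,n) = J(a/2,n) * (-1)^((n^2-1)/8)
        sign = -1 if (n * n - 1) // 8 % 2 else 1
        return sign * jacobi(a // 2, n)
    sign = -1 if ((a - 1) // 2) * ((n - 1) // 2) % 2 else 1   # reciprocity factor
    return sign * jacobi(n % a, a)                   # J(n mod a, a) * (-1)^((a-1)/2 * (n-1)/2)

def solovay_strassen_witness(n, a):
    """W_n(a) from the slides: True means a witnesses that n is composite."""
    if gcd(a, n) != 1:
        return True
    return jacobi(a, n) % n != pow(a, (n - 1) // 2, n)   # J = -1 is compared as n-1

def witness_fraction(n):
    """Share of a in {1, ..., n-1} that are witnesses: the theorem promises at
    least 1/2 for odd composite n, and Euler's criterion gives 0 for prime n."""
    return sum(solovay_strassen_witness(n, a) for a in range(1, n)) / (n - 1)

def solovay_strassen(n, rounds=20, seed=None):
    """Randomized test: 'probably prime' unless some random a is a witness."""
    if n < 2 or n % 2 == 0:
        return n == 2
    rng = random.Random(seed)
    return not any(solovay_strassen_witness(n, rng.randrange(1, n)) for _ in range(rounds))
```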
Definitions

$Z_n^*$ = set of all nonnegative numbers $< n$ which are relatively prime to n.

A generator g of $Z_n^*$ is an element such that for all $x \in Z_n^*$
  there is i such that $g^i \equiv x \pmod n$.
Theorem of Solovay & Strassen

Theorem: If n is composite then $|G| \le \frac{n-1}{2}$,
  where $G = \{a \mid W_n(a \bmod n) \text{ is false}\}$.

Proof:
  Case $G \ne Z_n^*$: G is a proper subgroup of $Z_n^*$ and $|Z_n^*| \le n-1$,
  so $|G| \le \frac{|Z_n^*|}{2} \le \frac{n-1}{2}$.
Theorem of Solovay & Strassen (contd)

Case $G = Z_n^*$: use proof by contradiction.
  So $a^{(n-1)/2} \equiv J(a,n) \pmod n$ for all a relatively prime to n.
  Let n have prime factorization $n = p_1^{o_1} p_2^{o_2} p_3^{o_3} \cdots p_k^{o_k}$, $o_i > 0$.
  Let g be a generator of $Z_m^*$ where $m = p_1^{o_1}$.
Theorem of Solovay & Strassen (contd)

Then by the Chinese Remainder Theorem there is a unique a s.t.
  $a \equiv g \pmod m$ and $a \equiv 1 \pmod{n/m}$.
Since a is relatively prime to n, $a \in Z_n^*$, so
  $a^{n-1} \equiv 1 \pmod n$ and hence $g^{n-1} \equiv 1 \pmod m$.
Theorem of Solovay & Strassen (contd)

Case $o_1 \ge 2$:
  Then the order of g in $Z_m^*$ is $p_1^{o_1 - 1}(p_1 - 1)$ by the known formula,
  a contradiction since the order divides $n-1$ (while $p_1$ divides n).
Theorem of Solovay & Strassen (contd)

Case $o_1 = o_2 = \cdots = o_k = 1$:
  Since $n = p_1 p_2 \cdots p_k$, $J(a,n) = J(a,p_1)\, J(a,p_2) \cdots J(a,p_k)$.
  $J(a, p_1) = J(g, p_1)$ since $a \equiv g \pmod{p_1}$ ($i = 1$);
  $J(a, p_i) = J(1, p_i)$ since $a \equiv 1 \pmod{p_i}$ for $i > 1$.
  So $J(a,n) \equiv -1 \pmod n$, since $J(1, p_i) = 1$ and $J(g, p_1) = -1$
  (a generator is not a quadratic residue).
Theorem of Solovay & Strassen (contd)

We have shown $J(a,n) \equiv -1 \pmod n$,
  so $a^{(n-1)/2} \equiv -1 \pmod n$ and hence $a^{(n-1)/2} \equiv -1 \pmod{n/m}$.
But by assumption $a \equiv 1 \pmod{n/m}$, so $a^{(n-1)/2} \equiv 1 \pmod{n/m}$.
Hence $a^{(n-1)/2} \not\equiv J(a,n) \pmod{n/m}$, a contradiction with Gauss's Law.
Miller

Miller's Primality Test:
  $W_n(a) = (\gcd(a,n) \ne 1)$
    or $(a^{n-1} \not\equiv 1 \pmod n)$
    or $\gcd(a^{(n-1)/2^i} \bmod n - 1,\ n) \ne 1$ for some $i \in \{1, \ldots, k\}$,
  where $k = \max\{i \mid 2^i \text{ divides } n-1\}$.
Theorem (Miller): Assuming the extended RH, if n is composite,
  then $W_n(a)$ holds for some $a \in \{1, 2, \ldots, c \log^2 n\}$.

Miller's Test assumes the extended RH (not proved).
Miller (contd)

Miller-Rabin Randomized Primality Test:
  choose a random $a \in \{1, \ldots, n-1\}$
  test $W_n(a)$

Theorem: if n is composite then Prob($W_n(a)$ holds) $> 1/2$.
This gives another randomized, polytime algorithm for primality!
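Added example (not code from the slides): Miller's $W_n(a)$, the randomized Miller-Rabin loop above, and the deterministic variant of Miller's theorem. The third clause of $W_n(a)$ is checked as $1 < \gcd(a^{(n-1)/2^i} \bmod n - 1,\ n) < n$, i.e. the gcd is a proper divisor of n; a gcd equal to n only means $a^{(n-1)/2^i} \equiv 1$, which is no evidence of compositeness. The constant c in the ERH bound and the function names are assumptions.

```python
import random
from math import gcd

def split_power_of_two(m):
    """Return (k, r) with m = 2^k * r, r odd; k is the slide's max{i : 2^i divides n-1}."""
    k = 0
    while m % 2 == 0:
        m //= 2
        k += 1
    return k, m

def miller_witness(n, a):
    """Miller's W_n(a) for odd n >= 3. The third clause is checked as
    1 < gcd(a^{(n-1)/2^i} mod n - 1, n) < n: then a^{(n-1)/2^i} is a square root
    of 1 other than +-1, impossible modulo a prime, and the gcd is a proper factor."""
    if gcd(a, n) != 1:
        return True
    if pow(a, n - 1, n) != 1:
        return True
    k, _ = split_power_of_two(n - 1)
    for i in range(1, k + 1):
        x = pow(a, (n - 1) >> i, n)           # a^{(n-1)/2^i} mod n
        if 1 < gcd(x - 1, n) < n:
            return True
    return False

def miller_rabin(n, rounds=20, seed=None):
    """Miller-Rabin: 'probably prime' unless a random a in {1, ..., n-1} is a witness."""
    if n < 2 or n % 2 == 0:
        return n == 2
    rng = random.Random(seed)
    return not any(miller_witness(n, rng.randrange(1, n)) for _ in range(rounds))

def miller_erh(n, c=2):
    """Miller's deterministic test, correct assuming the extended RH: try every
    a in {1, ..., c*log^2 n}; c and the use of bit_length() for log n are assumptions."""
    if n < 2 or n % 2 == 0:
        return n == 2
    bound = max(2, c * n.bit_length() ** 2)
    return not any(miller_witness(n, a) for a in range(1, min(bound, n - 1) + 1))
```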