Advanced Algorithms Analysis and Design By Dr. Nazir Ahmad Zafar Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Lecture No. 40 Chinese Remainder Theorem RSA Cryptosystem Dr. Nazir A. Zafar Advanced Algorithms Analysis and Design

Addition: Modulo 8 7 6 5 4 3 2 1 Dr. Nazir A. Zafar 20

Multiplication: Modulo 8 1 2 3 4 5 6 7 1 6 7 1 2 3 4 5 2 6 4 6 2 4 2 3 6 1 4 7 2 5 3 4 4 4 4 4 5 7 4 5 2 1 6 3 6 4 2 6 4 2 6 7 7 6 5 4 3 2 1 Dr. Nazir A. Zafar 20

Reduced set of residues mod n Complete set of residues is Zn = {0, 1, . . ., n-1} Reduced set of residues consists of all those numbers (residues) which are relatively prime to n And it is denoted by Zn* = {k : gcd(k, n) = 1, 0  k < n} The number of elements in reduced set of residues is called the Euler Totient Function (n) Example 1 For n = 10, find reduced list of residues of n All residues: {0, 1, 2, 3, 4, 5, 6, 7, 8, 9} Reduced residues (primes) = {1, 3, 7, 9}, (n) = 4 Dr. Nazir A. Zafar 10

Group Definition of a Group Group is a set, G, together with a binary operation : G * G  G, usually denoted by a*b, such that the following properties are satisfied : Associativity : (a*b)*c = a*(b*c) for all a, b, c  G Identity :  e  G, such that e*g = g = g*e for all g  G. Inverse : For each g  G, there exists the g’, inverse of g, such that g’*g = g*g’ = e Dr. Nazir A. Zafar 11

Result: The Multiplicative Group Zn* Statement: Zn* = {k : gcd(k, n) = 1, 1  k < n}. For any positive integer n, Zn* forms a group under multiplication modulo n. Proof: Binary Operation Let a, b Zn*, gcd(a, n) = 1; gcd(b, n) = 1 gcd(ab, n) = gcd(a, n)*gcd(b,n) = 1*1 = 1 Associativity holds, 1 is the identity element. inverse of each element exits Hence (Zn* ,*) forms a group. Dr. Nazir A. Zafar 11

Rings Definition A ring is a set R with two binary operations + : R × R → R and · : R × R → R (where × denotes the Cartesian product), called addition and multiplication, such that: (R, +) is an abelian group with identity element 0 (a + b) + c = a + (b + c) 0 + a = a + 0 = a For every a in R, there exists an element denoted −a, such that a + −a = −a + a = 0 a + b = b + a Dr. Nazir A. Zafar 22

Definition (Cont…) (R, ·) is a monoid with identity element 1: (a·b)·c = a·(b·c) 1·a = a·1 = a Multiplication distributes over addition: a·(b + c) = (a·b) + (a·c) (a + b)·c = (a·c) + (b·c) Definition: An element a in a ring R is called unit if there exists b in R such that a·b = b·a = 1 Lemma Set of all units in R forms a group under ring multiplication Dr. Nazir A. Zafar 22

Example: Rings Example 2 Prove that Z (+, *) ( the set of integers) is a ring. Solution + and * are binary operation on Z because sum and product of two integers are also an integer Now,  a, b, c  Z (a + b) + c = a + (b + c), 0 + a = a + 0 = a a + (−a) = (−a) + a = 0 a + b = b + a Hence (Z, +) is an abelian group with identity element 0 Dr. Nazir A. Zafar 22

Example 2: Rings Since,  a, b, c  Z (a·b)·c = a·(b·c) 1·a = a·1 = a Hence (Z, ·) is a monoid with identity element 1 Finally  a, b, c  Z a·(b + c) = (a·b) + (a·c) (a + b)·c = (a·c) + (b·c) i.e., multiplication is distributive over addition Hence we can conclude that Z (+, *) is a ring Dr. Nazir A. Zafar 22

Modular arithmetic for integer n: Zn = {0, 1, . . ., n-1} forms a commutative ring for addition with a multiplicative identity Lemma 1 For a, b, c  Z If (a + b) ≡ (a + c) mod n then b ≡ c mod n Lemma 2 If (a*b) ≡ (a*c) mod n then b ≡ c mod n only if a is relatively prime to n i.e. gcd(a, n) = 1. Dr. Nazir A. Zafar 22

Solving Modular Linear Equations Definition: A congruence of the form ax ≡ b (mod m) is called a linear congruence. Solving: To solve this congruence, objective is to find the x that satisfy the given equation. An inverse of a, modulo m is any integer a′ such that, a′a ≡ 1 (mod m). If we can find such an a′, then we can solve ax ≡ b by multiplying throughout by it, giving a′ax ≡ a′b, Thus, 1·x ≡ a′b,  x ≡ a′b (mod m). Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Solving Modular Linear Equations Theorem If gcd(a, m) = 1 and m > 1, then a has a unique inverse a′ (modulo m). Proof: Since gcd(a, m) = 1, hence  s, t such that, sa + tm = 1 So, sa + tm ≡ 1 (mod m). Since tm ≡ 0 (mod m), sa ≡ 1 (mod m). Thus s is an inverse of a (mod m). Hence this Theorem guarantees that if ra ≡ sa ≡ 1 then r ≡ s, thus this inverse is unique mod m. Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Chinese Remainder Theorem Let m1,…,mk > 0 be relatively prime. Then the system of equations: x ≡ a1 (mod m1) x ≡ a2 (mod m2) . x ≡ ak (mod mk) has a unique solution modulo m = m1·…·mk. Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Chinese Remainder Theorem Proof: We are given that, m = m1·…·mk. Let Mi = m/mi. for i = 1, . . . , k Since gcd(mi, Mi) = 1, hence by above Theorem,  yi = Mi′ such that yiMi ≡ 1 (mod mi) for i = 1, . . . , k Let x = a1y1M1 + a2y2M2 + . . .+ akykMk = ∑ aiyiMi Now m1 does don’t divide M1 But m2|M1, m3|M1, . . ., mk|M1 Similarly m2 does don’t divide M2 But m1|M2, m3|M2, m4|M2, . . ., mk|M2 and so on Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Chinese Remainder Theorem Hence mi does don’t divide Mi,  i  {1, 2, . . . , k} But mi|Mj,  i  j, i, j  {1, 2, . . . , k} Therefore, Mj ≡ 0 (mod mi) j ≠ i, Now we show that x is simultaneous solution x ≡ a1 (mod m1) Since x = a1y1M1 + a2y2M2 + . . .+ akykMk Hence x ≡ a1y1M1 ≡ 1.a1 = a1 (mod m1). x ≡ a2y2M2 ≡ 1.a2 = a2 (mod m2). . . . x ≡ akykMk ≡ 1.ak = ak (mod mk). Thus, x is the solution Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Application: Example 3 x ≡ 2 (mod 3), a1 = 2 x ≡ 3 (mod 5), a2 = 3 Solve the given system of linear modular equations using Chinese Remainder Theorem. x ≡ 2 (mod 3), a1 = 2 x ≡ 3 (mod 5), a2 = 3 x ≡ 2 (mod 7) , a3 = 2 Solution As m1 = 3, m2 = 5, m3 = 7, hence m = 3.5.7 = 105 Now M1 = m/m1 = 105/3 = 35, M2 = m/m2 = 105/5 = 21 and M3 = m/m3 = 105/7 = 15 Inverse of M1 (modulo 3) = y1 = 2 Inverse of M2 (modulo 5) = y2 = 1 Inverse of M3 (modulo 7) = y3 = 1 Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Cont... Verification 23 ≡ 2 (mod 3) 23 ≡ 3 (mod 5) 23 ≡ 2 (mod 7) Now, x, solution to this systems is x ≡ a1y1M1 + a2y2M2 + a3y3M3 = 2.35.2 + 3.21.1 + 2.15.1 = 233 (mod 105) ≡ 23 (mod 105) Thus 23 is the smallest positive integer that is a simultaneous solution. Verification 23 ≡ 2 (mod 3) 23 ≡ 3 (mod 5) 23 ≡ 2 (mod 7) Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Unique Representation of a Number by CRT Let m1,…,mk are pair-wise relatively prime integers, let m = m1·…·mk. Then by CRT it can be proved that any integer a, 0 ≤ a ≤ m can be uniquely represented by n-tuple consisting of its remainders upon division by mi (i = 1, 2, . . ., k). That is we can uniquely represent a by (a mod m1, a mod m2, . . . , a mod mk) = (a1, a2 ,…, ak ) Example 4 Pairs to represent non-negative integers < 12, first component is result of division by 3, second by 4 0 = (0, 0); 1 = (1, 1); 2 = (2, 2); 3 = (0, 3); 4 = (1, 0); 5 = (2, 1); 6 = (0, 2); 7 = (1, 3); 8 = (2, 0); 9 = (0, 1); 10 = (1, 2); 11 = (2, 3) Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Unique Representation of a Number by CRT Example 5 Compute (1, 2) if m1 = 3 and m2 = 4 Solution x ≡ 1 (mod 3) x ≡ 2 (mod 4) m1 = 3, m2 = 4, hence m = 12 Now M1 = m/m1 = 4, M2 = m/m2 = 3 Inverse of M1 (modulo 3) = y1 = 1 Inverse of M2 (modulo 4) = y2 = 3 Now x ≡ a1y1M1 + a2y2M2 = 1.1.4 + 2.3.3 = 22 mod 12 = 10 Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Example 6: Chinese Remainder Theorem Let m1 = 99, m2 = 98, m3 = 97 and m4 = 95 Now any integer < 99.98.97.95 = 89,403,930 can be uniquely represented by its remainders when divided by 99, 98, 97 and 95 respectively. If a = 123,684, b = 413,456 then compute a + b. Solution Now 123,684 mod 99 = 33; 123,684 mod 98 = 8 123,684 mod 97 = 9; 123,684 mod 95 = 89 Hence a = 123,684 = (33, 8, 9, 89) Similarly 413,456 mod 99 = 32; 413,456 mod 98 = 92 413,456 mod 97 = 42; 413,456 mod 95 = 16 Hence b = 413,456 = (32, 92, 42, 16) Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Example 6: Chinese Remainder Theorem Now a + b = 123,684 + 413,456 = (33, 8, 9, 89) + (32, 92, 42, 16) = (65 mod 99, 100 mod 98, 51 mod 97, 105 mod 99) Now we want to find a number x satisfying following x ≡ 65 (mod 99) x ≡ 2 (mod 98) x ≡ 51 (mod 97) x ≡ 10 (mod 95) This can be solved using CRT, Answer = 537,140 Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

The RSA Public Key Cryptosystem RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. The keys for the RSA algorithm are generated by the following way: Choose two distinct large random prime numbers p and q such that p  q Compute n by the equation n = pq, n is used as the modulus for both the public and private keys Compute the totient function (n) Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

The RSA Public Key Cryptosystem Choose an integer e such that 1 < e < (n) and e and (n) share no factors other than 1 (co-prime), e is released as the public key exponent Compute d to satisfy the congruence relation; de ≡ 1 mod (n) i.e. de = 1 + k(n) for some integer k d is kept as the private key exponent Publish the pair P =(e, n) as his RSA public Key Keep secret pair S =(d, n) as his RSA secret Key Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Property: Totient Function Prove that (p.q) = (p-1).(q-1), where p and q are prime numbers Proof If n = p, a prime number, then (p) = (p-1); e.g., ((7) = 6 because 7 is prime) If n = p * q where p and q are both prime then (n) = (p*q) As above (p) = p - 1 Similarly (q) = q - 1 Dr Nazir A. Zafar Advanced Algorithms Analysis and Design

Property: Totient Function For (n) = (p*q), the residues will be S1 = {0, 1, 2,. . ., (pq-1)} Out of S1, residues that are not relatively prime to n: S2 = {p, 2p, ….(q-1)p}, S3 = {q, 2q,……(p-1)q}, S4 = {0} The number of elements of S1 = pq The number of elements of S2 = q-1 The number of elements of S3 = p-1 The number of elements of S4 = 1 Hence number of relatively prime elements in S1 is (n) = pq – [(q-1)+(p-1)+1] = pq – q + 1 – p + 1 -1 = pq – q – p + 1 = (p-1)(q-1) = (p) * (q) Dr Nazir A. Zafar Advanced Algorithms Analysis and Design