Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Slide 1: Announcement
After the talk, Chris will stick around to meet with students in LH 102 from 4:30 to 5:00. TOMORROW at 3pm in LH 102!

Slide 2: Another upcoming talk!
Who: abhi shelat (University of Virginia)
When: 12:00 to 1:00pm on Thursday Oct 5 (one week from today!)
Where: Maurer 335
Title: TBA
Abstract: TBA

Slide 3: Outline
Tuesday's lecture: More number theory; introduction to groups
Today's lecture: Modular e-th roots; discrete logarithms

Slide 4: Assignment 5 is due Tuesday, November 10! (Please fill out the Doodle poll for the optional lab!)

Slide 5: Recall: Groups
Defn: Let G be a non-empty set and let ∘ be a binary operation acting on ordered pairs of elements from G. The pair (G,∘) is called a group if
1. Closure: ∀a,b∈G, a∘b∈G
2. Associativity: ∀a,b,c∈G, (a∘b)∘c=a∘(b∘c)
3. Identity: ∃e∈G such that ∀a∈G, a∘e=e∘a=a
4. Inverses: ∀a∈G, ∃a^{-1}∈G such that a∘a^{-1}=a^{-1}∘a=e
The group (G,∘) is abelian (or commutative) if
5. Commutativity: ∀a,b∈G, a∘b=b∘a
Note: We often refer to just the set G as the group if the operation is clear.

Slide 6: Recall: Exponentiation in a group
- For n∈{1,2,3,…} we define a^n = a∘a∘⋯∘a (n times)
- For n=0, we define a^n = e
- For n∈{-1,-2,-3,…} we define a^n = (a^{-1})^{-n}
- Additive notation: If (G,+) is a group under addition, then we write na ≔ a+a+⋯+a (n times)
Thm (law of exponents): Let (G,∘) be a group and let m,n∈ℤ. For each a∈G, a^m∘a^n = a^{m+n} and (a^m)^n = a^{mn}.

Slide 7: e-th roots
Defn: Let (G,∘) be a group and let a∈G. An e-th root of a in G is an element b∈G such that a = b^e in G. (Here e is an exponent, not the identity! From here on, we'll denote the identity by 1.)
Defn: An e-th root of a modulo n is an e-th root of a in (ℤ*_n,⊡), where ⊡ denotes multiplication modulo n.
Example: 5 is a square root of 8 modulo 17 (since 5⊡5 = 25 ≡ 8 mod 17).

Slide 8: e-th roots
Q: Do e-th roots modulo n always exist?
A: No! (So when do they exist?) For example, 2^{1/2} mod 11 does not exist, since 1^2≡1, 2^2≡4, 3^2≡9, 4^2≡5, 5^2≡3, 6^2≡3, 7^2≡5, 8^2≡9, 9^2≡4, 10^2≡1 mod 11.
Q: If an e-th root of a modulo n exists, is it unique?
A: In general, no! (But when is it unique?) For example, 3^{1/2} ≡ 5 or 6 mod 11, since 5^2 = 25 ≡ 3 mod 11 and 6^2 = 36 ≡ 3 mod 11.
Q: If an e-th root of a modulo n exists, is it easy to compute?
A: Yes, provided we know the factorization of n!

Slide 9: e-th roots modulo p
Suppose p>2 is prime and let a∈ℤ_p.
Q: When does a unique solution for a^{1/e} mod p exist?
A: If gcd(e,p-1)=1, then a^{1/e} ≡ a^d mod p where d ≔ e^{-1} mod (p-1).
If gcd(e,p-1)≠1, then a^{1/e} may or may not exist; if it does exist, then it is not unique!
Fact: If p>2 is prime, then the squaring function, which maps each a∈G to a^2, is a 2-to-1 function in ℤ*_p.

Slide 10: Quadratic residues
Defn: An element a∈ℤ_n is a quadratic residue modulo n if and only if it has a square root modulo n.
- At most half of the elements in ℤ_n can be quadratic residues modulo n!
- The set of quadratic residues modulo n is denoted QR_n.
- Fact: (QR_n,⊡) is a group, where ⊡ is multiplication modulo n!
More generally, a is an e-th residue modulo n if it has an e-th root modulo n.

Slide 11: Legendre symbols

Slide 12: Jacobi symbols

Slide 13: Computing square roots modulo n
Thm: If p is a prime such that p ≡ 3 mod 4 and a is a quadratic residue modulo p, then a^{1/2} ≡ a^{(p+1)/4} mod p.
Proof: (a^{(p+1)/4})^2 ≡ a^{(p+1)/2} (law of exponents)
≡ a^{1+(p-1)/2} (rearranging)
≡ a·a^{(p-1)/2}
≡ a (Euler's Criterion) ☐
Q: Why do we insist on p ≡ 3 mod 4?
A: If p ≡ 1 mod 4, then (p+1)/4 is not an integer! (If p ≡ 1 mod 4, a more complicated algorithm computes a^{1/2} in O(lg^3 p) steps.)

Slide 14: e-th roots modulo n
Suppose n is composite and let a∈ℤ*_n.
Q: When does a solution for a^{1/e} mod n exist? When is it unique?
A: If gcd(e,φ(n))=1, then a^{1/e} ≡ a^d mod n where d ≔ e^{-1} mod φ(n).
If gcd(e,φ(n))≠1, then a^{1/e} may or may not exist; if it does exist, then it is not unique!
- Note: Suppose n=pq for distinct primes p and q. Then knowledge of φ(n) is sufficient to determine p and q (i.e., to factor n).
- It appears hard to determine the existence of a^{1/e} when the factorization of n is not known…

Slide 15: Computing p and q from φ(pq)
Goal: Given n=pq and φ(n), determine p and q.
φ(n) = (p-1)(q-1) = pq-p-q+1 = (n+1)-p-q (defn of φ(n))
⇒ (n+1)-φ(n) = p+q, so that q = (n+1)-φ(n)-p (rearranging)
⇒ n = p((n+1)-φ(n)-p) = -p^2 + ((n+1)-φ(n))p (substitute into n=pq)
⇒ p^2 - ((n+1)-φ(n))p + n = 0 (rearranging)
This is a quadratic equation in the indeterminate p with a=1, b=-((n+1)-φ(n)), c=n
⇒ the quadratic formula yields p and q as the two roots!

Slide 16: The e-th root problem
Defn: The e-th root problem (aka the RSA problem) is: Given (n,e,a) such that
1. n=pq for distinct s-bit primes p and q,
2. a∈ℤ*_n, and
3. gcd(e,φ(n))=1,
compute a^{1/e} mod n.
One possible solution: compute d ≔ e^{-1} mod φ(n) and output a^d mod n.
Fact: Computing d is equivalent to factoring n!
Q: Is solving the e-th root problem as hard as factoring?
A: Well…err, maybe? I dunno! (It may be possible to compute a^{1/e} directly!)

Slide 17: Practice: Computing square roots modulo p
- Compute the square roots of 3 mod 139, if they exist.
  Legendre symbol: 3^{(139-1)/2} ≡ 138 ≡ -1 mod 139 ⇒ roots do not exist!
- Compute the square roots of 5 mod 139, if they exist.
  Legendre symbol: 5^{(139-1)/2} ≡ 1 mod 139 ⇒ roots exist!
  Mod 4 congruence: 139 ≡ 3 mod 4 ⇒ simple formula for computing roots!
  "Positive" root: 5^{(139+1)/4} ≡ 127 mod 139
  "Negative" root: -127 ≡ 12 mod 139
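The two practice problems above, worked as an added example (not code from the lecture): Euler's criterion decides whether a root exists, and for p ≡ 3 (mod 4) the slide-13 formula a^((p+1)/4) produces it. The last function shows why the residue check must come first: applied to a non-residue the formula still returns a number, but one whose square is -a.

```python
# Added example (not from the lecture slides): Euler's criterion and the
# p ≡ 3 (mod 4) square-root formula, checked on the slides' p = 139.

def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion:
    a^((p-1)/2) is 1 mod p for a quadratic residue and p-1 (i.e. -1) otherwise."""
    a %= p
    if a == 0:
        return 0
    r = pow(a, (p - 1) // 2, p)
    return 1 if r == 1 else -1


def sqrt_mod_p3(a: int, p: int):
    """Both square roots of a modulo a prime p ≡ 3 (mod 4), or None if a is a
    non-residue.  Uses r = a^((p+1)/4): r^2 = a^((p+1)/2) = a * a^((p-1)/2) = a."""
    if p % 4 != 3:
        raise ValueError("formula only valid for p ≡ 3 (mod 4)")
    if legendre(a, p) != 1:
        return None                      # no square root exists
    r = pow(a, (p + 1) // 4, p)
    return tuple(sorted((r, (-r) % p)))  # the "positive" and "negative" roots


def formula_on_nonresidue_gives_minus_a(a: int, p: int) -> bool:
    """For a non-residue a, (a^((p+1)/4))^2 = a * a^((p-1)/2) = a * (-1) = -a,
    so skipping the Legendre check silently returns a root of -a, not of a."""
    r = pow(a, (p + 1) // 4, p)
    return (r * r) % p == (-a) % p
```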

Slide 18: Practice: Computing e-th roots modulo n
- Compute 51^{1/11} mod 10961 (Note: 10961 = 113·97)
  Compute φ(10961): (113-1)(97-1) = 10752
  Relative primeness: gcd(11, 112·96) = 1 ⇒ a unique root exists!
  Inverse mod 10752: 11^{-1} ≡ 1955 mod 10752
  Compute root: 51^{1955} mod 10961
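Slides 14 to 18 worked together as an added example (not code from the lecture): the e-th root of 51 modulo 10961 via d = e^(-1) mod φ(n), and the slide-15 quadratic formula that recovers p and q once φ(n) is known. The function names and the refusal to proceed when gcd(e, φ(n)) ≠ 1 are this example's own choices.

```python
# Added example (not from the lecture slides): e-th roots modulo n = pq and
# recovering (p, q) from (n, φ(n)).  Values are the slides' 10961 = 113*97.
from math import gcd, isqrt


def eth_root_mod_n(a: int, e: int, n: int, phi: int) -> int:
    """Unique e-th root of a in Z_n^* when gcd(e, φ(n)) = 1 (the RSA setting).
    φ(n) must be supplied: obtaining it from n alone is equivalent to factoring."""
    if gcd(e, phi) != 1:
        raise ValueError("gcd(e, φ(n)) != 1: root may not exist or be unique")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return pow(a, d, n)


def factor_from_phi(n: int, phi: int):
    """Given n = pq for distinct primes and φ(n), solve the slide-15 quadratic
    p^2 - (n + 1 - φ(n)) p + n = 0; the two roots are p and q."""
    s = n + 1 - phi              # s = p + q
    disc = s * s - 4 * n         # b^2 - 4ac with a = 1, b = -s, c = n
    r = isqrt(disc) if disc >= 0 else -1
    if r < 0 or r * r != disc:
        raise ValueError("(n, φ(n)) is not consistent with n = pq")
    p, q = (s - r) // 2, (s + r) // 2
    assert p * q == n
    return p, q


# Constructed instance from the slides' practice problem.
N, PHI = 113 * 97, 112 * 96
D = pow(11, -1, PHI)             # 1955, as on the slide
ROOT = eth_root_mod_n(51, 11, N, PHI)
```

Checking `pow(ROOT, 11, N) == 51` is the way to confirm the answer without knowing it in advance.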

Slide 19: Logarithms
Defn: The logarithm of a to the base b is the number x such that a = b^x. We denote that x is the logarithm of a to the base b by log_b a = x.
- log_4 16 = 2, since 4^2 = 16
- log_5 125 = 3, since 5^3 = 125
- log_2 128 = 7, since 2^7 = 128
- log_2 16 = 4, since 2^4 = 16

Slide 20: Recall: Order of a group element
Defn: The number of elements in a group (G,∘) is called its order. We write |G| to denote the order of (G,∘).
Defn: Let (G,∘) be a group and let a∈G. The smallest positive integer i such that a^i = e is called the order of a in (G,∘). We write |a| to denote the order of a∈G.
If |a| = |G|, then we call a a generator of (G,∘).

Slide 21: Euler's Theorem for finite groups
Thm: Let (G,∘) be a group and let a∈G. a^i = a^j in G if and only if i ≡ j mod |a|.
Trick: To compute a^i mod n, first reduce the exponent (i.e., i) modulo |a|, or modulo |G| if |a| is not known.
- Lagrange's Theorem: Let (G,∘) be a group with order |G| = N. Then |a| divides N for all a∈G.
- Corollary: If i ≡ j mod |G|, then a^i = a^j in G.

Slide 22: Cyclic groups
Defn: If (G,∘) has one or more generators, then we call it a cyclic group.
Thm: If |G| is prime, then (G,∘) is cyclic.
- This follows directly from the generalization of Euler's Theorem on the last slide!
Note: If (G,∘) is cyclic and |G| is given, then given any generator g∈G, it is easy to select an element h∈G. (How?)
- Choose r∈{0,1,…,|G|-1} and output h = g^r

Slide 23: Discrete logarithms
Defn: Let G be a group with |G| = n and let g,h∈G. A discrete logarithm (DL) of h to the base g in G is a number x∈ℤ_n such that h = g^x in G.
Q: Does the DL of h to the base g always exist?
A: No! (So when does it exist?)
Q: If the DL of h to the base g exists, is it unique?
A: Sort of… If x_1 and x_2 are DLs of h to the base g, then x_1 ≡ x_2 mod |g|.
Thm: If (G,∘) is a cyclic group of order n with g a generator, then ∀h∈G, x = log_g h exists and is unique in ℤ_n.
- We therefore speak of the DL of h to the base g.

Slide 24: The DL problem
Defn: Let (G,∘) be a cyclic group of order n and let g be a generator of G. Then the DL problem in (G,∘) is: Given (G,n,g,h) where g,h∈G with |g| = n, compute x = log_g h.
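Slides 20 to 24 as an added example (not code from the lecture) in the group (ℤ*_p, ·) for the constructed prime p = 23: the order of an element, the generator test, and every discrete logarithm found by exhaustive search, which makes the three cases on slide 23 visible (unique DL when g generates, several DLs congruent mod |g| when it does not, no DL when h is outside ⟨g⟩). Exhaustive search is only practical because p is tiny; for the group sizes used in practice its cost is exactly what the DL assumption relies on.

```python
# Added example (not from the lecture slides): element order, generators and
# discrete logs in Z_p^* by exhaustive search.  p = 23 is a constructed sample.

def element_order(a: int, p: int) -> int:
    """Smallest i >= 1 with a^i ≡ 1 (mod p).  By Lagrange it divides |Z_p^*| = p-1."""
    x, i = a % p, 1
    while x != 1:
        x, i = (x * a) % p, i + 1
    return i


def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* exactly when |g| = |Z_p^*| = p - 1 (slide 20)."""
    return element_order(g, p) == p - 1


def discrete_logs(g: int, h: int, p: int) -> list:
    """All x in Z_{p-1} with g^x ≡ h (mod p), by trying every exponent.
    Empty if h is not a power of g; several solutions, all congruent
    mod |g|, when g is not a generator (slide 23)."""
    return [x for x in range(p - 1) if pow(g, x, p) == h % p]


def dls_agree_mod_order(g: int, h: int, p: int) -> bool:
    """Slide 21/23: any two DLs of h to the base g are congruent modulo |g|."""
    xs = discrete_logs(g, h, p)
    k = element_order(g, p)
    return all((x - xs[0]) % k == 0 for x in xs)
```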

Slide 25: Intractable problems
- Intuitively, we call a problem intractable if no PPT algorithm can solve a uniformly random instance of the problem, except with negligible probability.
- The factoring, e-th root, and DL problems are all believed to lead to "intractable" problems.
  - Attacker must be PPT in what parameter?
  - Success probability must be negligible in what parameter?
- So far, all problems are defined in a particular finite group.

Slide 26: Group generating algorithm
Defn: A group generating algorithm 𝒢 is a PPT algorithm that, on input a security parameter 1^s, outputs a finite group (G,∘) with s-bit prime order q and a generator g∈G.
We write (G,∘,q,g) ← 𝒢(1^s) to indicate that (G,∘) is a group with s-bit prime order q and generator g, sampled from the output of 𝒢.

Slide 27: That's all for today, folks!