


These notes cover cyclic groups and quadratic residues in the context of number theory and cryptography: the definition of a group, the properties of subgroups, and the importance of cyclic groups in cryptography. They also discuss the Legendre symbol and its relationship to quadratic residues, as well as algorithms for testing quadratic residuosity and computing discrete logarithms, and conclude with a discussion of the distribution of Diffie-Hellman keys in a cyclic group.
Typology: Study notes



Let Z = {..., −2, −1, 0, 1, 2, ...} denote the set of integers.
Let Z+ = {1, 2, ...} denote the set of positive integers and N = {0, 1, 2, ...} the set of non-negative integers.
If a, N are integers with N > 0 then there are unique integers r, q such that a = Nq + r and 0 ≤ r < N.
We associate to any positive integer N the following two sets:
  Z_N   = {0, 1, ..., N − 1}
  Z_N^* = { i ∈ Z : 1 ≤ i ≤ N − 1 and gcd(i, N) = 1 }   (the integers in 1..N − 1 that are relatively prime to N)
Let G be a non-empty set and let · be a binary operation on G. We say that G is a group if it has the following properties:
1. Closure: for every a, b ∈ G, the element a · b is also in G.
2. Associativity: for every a, b, c ∈ G we have (a · b) · c = a · (b · c).
3. Identity: there is an element 1 ∈ G such that a · 1 = 1 · a = a for all a ∈ G.
4. Inverses: for every a ∈ G there is a b ∈ G such that a · b = b · a = 1. This b is unique, is called the inverse of a, and is denoted a^{-1}.
Fact. Let N be a positive integer. Then Z_N is a group under addition modulo N, and Z_N^* is a group under multiplication modulo N.

Exponentiation. Let G be a group, a ∈ G and i ∈ Z. Then
  if i = 0, a^i is defined to be 1;
  if i > 0, a^i = a · a · ... · a  (i times);
  if i < 0, a^i = a^{-1} · a^{-1} · ... · a^{-1}  (j = −i times).
The usual exponent laws hold for all i, j ∈ Z:
  a^{i+j} = a^i · a^j,   (a^i)^j = a^{ij},   a^{-i} = (a^i)^{-1} = (a^{-1})^i.
Fact. Let G be a group and let m = |G| be its order. Then a^m = 1 for all a ∈ G.
Fact. Let G be a group of order m. Then a^i = a^{i mod m} for all a ∈ G and all i ∈ Z.

Example. Let us work in the group Z_21^* = {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20} under the operation of multiplication modulo 21. Here m = 12, so
  5^86 mod 21 = 5^(86 mod 12) mod 21 = 5^2 mod 21 = 25 mod 21 = 4.
Definition. A subgroup S of a group G is a subset of G that is a group in its own right, under the same operation as that under which G is a group.
Fact (Lagrange). The order of a subgroup S of a finite group G divides the order of G.
Algorithm   Input                      Output                                        Running Time
INT-DIV     a, N (N > 0)               (q, r) with a = Nq + r and 0 ≤ r < N          O(|a| · |N|)
MOD         a, N (N > 0)               a mod N                                       O(|a| · |N|)
EXT-GCD     a, b ((a, b) ≠ (0, 0))     (d, a', b') with d = gcd(a, b) = aa' + bb'    O(|a| · |b|)
MOD-ADD     a, b, N (a, b ∈ Z_N)       (a + b) mod N                                 O(|N|)
MOD-MULT    a, b, N (a, b ∈ Z_N)       ab mod N                                      O(|N|^2)
MOD-INV     a, N (a ∈ Z_N^*)           b ∈ Z_N^* with ab ≡ 1 (mod N)                 O(|N|^2)
MOD-EXP     a, n, N (a ∈ Z_N)          a^n mod N                                     O(|n| · |N|^2)
EXP_G       a, n (a ∈ G)               a^n ∈ G                                       2|n| G-operations

Figure 9.1: Some basic algorithms and their running time. Unless otherwise indicated, an input value is an integer and the running time is the number of bit operations. G denotes a group.

9.2.2 Integer division and mod algorithms

We define the integer division function as taking input two integers a, N, with N > 0, and returning the quotient and remainder obtained by dividing a by N. That is, the function returns (q, r) such
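The group-order facts and the Z_21^* example above, together with the algorithms of Figure 9.1 (INT-DIV, EXT-GCD, MOD-INV, MOD-EXP and EXP_G), worked through in Python as an added example; this code is not part of the original notes nor of the Bellare-Rogaway text they excerpt. Function names are ours, ext_gcd assumes non-negative inputs, and mod_exp implements EXP_G by square-and-multiply, so it uses at most 2|n| modular multiplications as the figure states. The check in check_group_order_facts runs over every element of Z_N^* and reproduces the slide's 5^86 mod 21 = 4.

```python
from math import gcd


def z_star(N):
    """Z_N^*: the integers in 1..N-1 that are relatively prime to N."""
    return [i for i in range(1, N) if gcd(i, N) == 1]


def int_div(a, N):
    """INT-DIV: the unique (q, r) with a = N*q + r and 0 <= r < N (a may be negative)."""
    if N <= 0:
        raise ValueError("N must be positive")
    q, r = divmod(a, N)        # Python's divmod already rounds so that 0 <= r < N
    return q, r


def ext_gcd(a, b):
    """EXT-GCD for a, b >= 0 with (a, b) != (0, 0): returns (d, a', b') such that
    d = gcd(a, b) = a*a' + b*b'."""
    if b == 0:
        return a, 1, 0
    d, x, y = ext_gcd(b, a % b)
    # d = b*x + (a mod b)*y = b*x + (a - (a//b)*b)*y = a*y + b*(x - (a//b)*y)
    return d, y, x - (a // b) * y


def mod_inv(a, N):
    """MOD-INV: the b in Z_N^* with a*b = 1 (mod N); fails if gcd(a, N) != 1."""
    d, x, _ = ext_gcd(a % N, N)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {N}")
    return x % N


def mod_exp(a, n, N):
    """MOD-EXP by square-and-multiply: a^n mod N using at most 2|n| modular
    multiplications (EXP_G instantiated in Z_N^*).  A negative n is handled via
    a^(-i) = (a^(-1))^i, so a must then lie in Z_N^*."""
    base = a % N
    if n < 0:
        base, n = mod_inv(base, N), -n
    result = 1
    for bit in bin(n)[2:]:     # scan the exponent bits most-significant first
        result = (result * result) % N
        if bit == "1":
            result = (result * base) % N
    return result


def element_order(a, N):
    """Smallest i >= 1 with a^i = 1 (mod N), for a in Z_N^*."""
    if gcd(a, N) != 1:
        raise ValueError(f"{a} is not in Z_{N}^*")
    x, i = a % N, 1
    while x != 1:
        x, i = (x * a) % N, i + 1
    return i


def check_group_order_facts(N):
    """For G = Z_N^* with m = |G|, check that a^m = 1, that the order of a divides m,
    and that a^i = a^(i mod m) for a few exponents i (including a negative one).
    Returns m."""
    G = z_star(N)
    m = len(G)
    for a in G:
        assert mod_exp(a, m, N) == 1
        assert m % element_order(a, N) == 0
        for i in (m + 1, 86, -5):
            assert mod_exp(a, i, N) == mod_exp(a, i % m, N)
    return m


if __name__ == "__main__":
    print(z_star(21))                    # the group of the slide's example
    print(check_group_order_facts(21))   # m = 12
    print(mod_exp(5, 86, 21))            # 5^(86 mod 12) = 5^2 = 25 mod 21 = 4
```

Note that int_div relies on Python's divmod, which already returns a non-negative remainder for N > 0; in C the sign of `%` follows the dividend, so a port would have to add N to a negative remainder to meet the 0 ≤ r < N contract of Figure 9.1.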
Example. What is QR(Z_11^*)?
QR(Z_11^*) = {1, 3, 4, 5, 9}
Recall that Z_11^* is cyclic and 2 is a generator.
Fact. A generator is always a non-square. (But not all non-squares are generators.)
Fact. |QR(Z_p^*)| = (p − 1)/2 (exactly half of the elements are squares).
"
nd Rogaway 13
le 9.16 Let p = 11 , which is prime. Then Z
∗ 11 = { 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 10 } has order p − 1 =
imple way to determine QR(Z
∗ 11 ) is to square all the group elements in turn:
a 1 2 3 4 5 6 7 8 9 10
a
2 mod 11 1 4 9 5 3 3 5 9 4 1
ares are exactly those elements that appear in the second row, so
∗ 11
mber of squares is 5 , which we notice equals (p − 1 )/ 2. This is not a coincidence, as we will
o notice that each square has exactly two different square roots. (The square roots of 1 are
0 ; the square roots of 3 are 5 and 6 ; the square roots of 4 are 2 and 9 ; the square roots of 5
d 7 ; the square roots of 9 are 3 and 8 .)
e 11 is prime, we know that Z
∗ 11 is cyclic, and as we saw in Example 9 .9, 2 is a generator.
de remark, we note that a generator must be a non-square. Indeed, if a = b
2 is a square,
= b
10 = 1 modulo 11 because 10 is the order of the group. So a
j = 1 modulo 11 for
ositive j < 10 , which means a is not a generator. However, not all non-squares need be
ors.) Below, we reproduce from that example the table of discrete logarithms of the group
s. We also add below it a row providing the Legendre symbols, which we know because,
e identified the squares. We get:
a 1 2 3 4 5 6 7 8 9 10
DLog Z ∗ 11
, 2 (a) 0 1 8 2 4 9 7 3 6 5
J 11 (a) 1 − 1 1 1 1 − 1 − 1 − 1 1 − 1
rve that the Legendre symbol of a is 1 if its discrete logarithm is even, and − 1 if the discrete
m is odd, meaning the squares are exactly those group elements whose discrete logarithm
It turns out that this fact is true regardless of the choice of generator.
we saw in the above example, the fact that Z
∗ p is cyclic is useful in understanding the
e of the subgroup of quadratic residues QR(Z
∗ p ). The following Proposition summarizes
portant elements of this connection.
ition 9.17 Let p ≥ 3 be a prime and let g be a generator of Z
∗ p
. Then
∗ p ) = { g
i : i ∈ Zp− 1 and i is even } , ( 9 .2)
number of squares mod p is
∣ ∣ ∣QR(Z
∗ p
∣ ∣ ∣ =
p − 1
more, every square mod p has exactly two different square roots mod p.
of Proposition 9.17: Let
E = { g
i : i ∈ Z p− 1 and i is even }.
prove that E = QR(Z
∗ p
) by showing first that E ⊆ QR(Z
∗ p
) and second that QR(Z
∗ p
that E ⊆ QR(Z
∗ p ), let a ∈ E. We will show that a ∈ QR(Z
∗ p ). Let i = DLog Z ∗ p ,g (a). Since
"
"
11
  a           1  2  3  4  5  6  7  8  9  10
  a^2 mod 11  1  4  9  5  3  3  5  9  4  1

The squares are exactly those elements that appear in the second row, so QR(Z_11^*) = {1, 3, 4, 5, 9}. The number of squares is 5, which we notice equals (p − 1)/2. This is not a coincidence, as we will see. Also notice that each square has exactly two different square roots. (The square roots of 1 are 1 and 10; the square roots of 3 are 5 and 6; the square roots of 4 are 2 and 9; the square roots of 5 are 4 and 7; the square roots of 9 are 3 and 8.)

Since 11 is prime, we know that Z_11^* is cyclic, and as we saw in Example 9.9, 2 is a generator. (As a side remark, we note that a generator must be a non-square. Indeed, if a = b^2 is a square, then a^5 = b^10 = 1 modulo 11 because 10 is the order of the group. So a^j = 1 modulo 11 for some positive j < 10, which means a is not a generator. However, not all non-squares need be generators.) Below, we reproduce from that example the table of discrete logarithms of the group elements. We also add below it a row providing the Legendre symbols, which we know because, above, we identified the squares. We get:

  a                   1   2   3   4   5   6   7   8   9   10
  DLog_{Z_11^*,2}(a)  0   1   8   2   4   9   7   3   6   5
  J_11(a)             1  −1   1   1   1  −1  −1  −1   1  −1

We observe that the Legendre symbol of a is 1 if its discrete logarithm is even, and −1 if the discrete logarithm is odd, meaning the squares are exactly those group elements whose discrete logarithm is even. It turns out that this fact is true regardless of the choice of generator.

As we saw in the above example, the fact that Z_p^* is cyclic is useful in understanding the structure of the subgroup of quadratic residues QR(Z_p^*). The following Proposition summarizes some important elements of this connection.

Proposition 9.17 Let p ≥ 3 be a prime and let g be a generator of Z_p^*. Then
  QR(Z_p^*) = { g^i : i ∈ Z_{p−1} and i is even },   (9.2)
and the number of squares mod p is
  |QR(Z_p^*)| = (p − 1)/2.
Furthermore, every square mod p has exactly two different square roots mod p.

Proof of Proposition 9.17: Let
  E = { g^i : i ∈ Z_{p−1} and i is even }.
We will prove that E = QR(Z_p^*) by showing first that E ⊆ QR(Z_p^*) and second that QR(Z_p^*) ⊆ E. To show that E ⊆ QR(Z_p^*), let a ∈ E. We will show that a ∈ QR(Z_p^*). Let i = DLog_{Z_p^*,g}(a). Since
"
13
Facts. Let p $ 3 be a prime. Then
for any a Z p
for any generator g Z p
for any a Z p
for any generator g Z p
and any x,y Z p-
p
p− 1
∗ p
p− 1
∗ p
p− 1
∗ p
"
"
"
However Lemma 9.19 tells us that the last quantity is −1 modulo p, as desired.

The following Proposition says that ab mod p is a square if and only if either both a and b are squares, or both are non-squares. But if one is a square and the other is not, then ab mod p is a non-square. This can be proved by using either Proposition 9.17 or Proposition 9.18. We use the latter in the proof. You might try, as an exercise, to reprove the result using Proposition 9.17 instead.

Proposition 9.20 Let p ≥ 3 be prime. Then
  J_p(ab mod p) = J_p(a) · J_p(b)
for all a, b ∈ Z_p^*.

Proof of Proposition 9.20: Using Proposition 9.18 we get
  J_p(ab mod p) ≡ (ab)^{(p−1)/2} ≡ a^{(p−1)/2} · b^{(p−1)/2} ≡ J_p(a) · J_p(b) (mod p).
The two quantities we are considering both being either 1 or −1, and equal modulo p, must then be actually equal.

A quantity of cryptographic interest is the Diffie-Hellman (DH) key. Having fixed a cyclic group G and generator g for it, the DH key associated to elements X = g^x and Y = g^y of the group is the group element g^{xy}. The following Proposition tells us that the DH key is a square if either X or Y is a square, and otherwise is a non-square.

Proposition 9.21 Let p ≥ 3 be a prime and let g be a generator of Z_p^*. Then
  J_p(g^{xy} mod p) = 1 if and only if J_p(g^x mod p) = 1 or J_p(g^y mod p) = 1,
for all x, y ∈ Z_{p−1}.

Proof of Proposition 9.21: By Proposition 9.17, it suffices to show that
  xy mod (p − 1) is even if and only if x is even or y is even.
But since p − 1 is even, xy mod (p − 1) is even exactly when xy is even, and clearly xy is even exactly if either x or y is even.

With a cyclic group G and generator g of G fixed, we will be interested in the distribution of the DH key g^{xy} in G, under random choices of x, y from Z_m, where m = |G|. One might at first think that in this case the DH key is a random group element. The following proposition tells us that in the group Z_p^* of integers modulo a prime, this is certainly not true. The DH key is significantly more likely to be a square than a non-square, and in particular is thus not even almost uniformly distributed over the group.

Proposition 9.22 Let p ≥ 3 be a prime and let g be a generator of Z_p^*. Then
  Pr[ x ←$ Z_{p−1}; y ←$ Z_{p−1} : J_p(g^{xy}) = 1 ]
equals 3/4.

Proof of Proposition 9.22: By Proposition 9.21 we need only show that
  Pr[ x ←$ Z_{p−1}; y ←$ Z_{p−1} : J_p(g^x) = 1 or J_p(g^y) = 1 ]
equals 3/4. The probability in question is 1 − α where
  α = Pr[ x ←$ Z_{p−1}; y ←$ Z_{p−1} : J_p(g^x) = −1 and J_p(g^y) = −1 ]
    = Pr[ x ←$ Z_{p−1} : J_p(g^x) = −1 ] · Pr[ y ←$ Z_{p−1} : J_p(g^y) = −1 ]
    = (|Z_p^*| − |QR(Z_p^*)|) / |Z_p^*| · (|Z_p^*| − |QR(Z_p^*)|) / |Z_p^*|
    = ((p − 1)/2) / (p − 1) · ((p − 1)/2) / (p − 1)
    = 1/4.
Thus 1 − α = 3/4 as desired. Here we used Proposition 9.17 which told us that |QR(Z_p^*)| = (p − 1)/2.

The above Propositions, combined with Proposition 9.18 (which tells us that quadratic residuosity modulo a prime can be efficiently tested), will later lead us to pinpoint weaknesses in certain cryptographic schemes in Z_p^*.
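The squaring table, discrete-log table and Legendre row of Example 9.16, and the Diffie-Hellman observations of Propositions 9.21 and 9.22, carried out in Python as an added example; this is not code from the notes or from the Bellare-Rogaway text. The Legendre symbol is computed by Euler's criterion (Proposition 9.18); prime_factors is a trial-division helper of ours used only to test whether g generates Z_p^*. The parameters p = 11, g = 2 reproduce the tables above; p = 23, g = 5 is a second, constructed parameter set. predict_dh_key_legendre makes the practical point of Proposition 9.21 explicit: an eavesdropper who sees only the public values X = g^x and Y = g^y computes J_p(g^{xy}) exactly, so in Z_p^* one bit of the DH key is never secret, and dh_key_square_probability confirms the exact 3/4 of Proposition 9.22 by enumerating every pair (x, y).

```python
from fractions import Fraction


def legendre(a, p):
    """Legendre symbol J_p(a) via Euler's criterion (Proposition 9.18):
    a^((p-1)/2) mod p is 1 for a square and p-1 (i.e. -1) for a non-square."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s          # 0 only when p divides a


def quadratic_residues(p):
    """QR(Z_p^*) obtained by squaring every group element, as in Example 9.16."""
    return sorted({(a * a) % p for a in range(1, p)})


def square_roots(a, p):
    """All square roots of a in Z_p^*; a square has exactly two of them."""
    return [r for r in range(1, p) if (r * r) % p == a % p]


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for the small p used here)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs


def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/d) != 1 (mod p) for every prime d dividing p-1."""
    return all(pow(g, (p - 1) // d, p) != 1 for d in prime_factors(p - 1))


def dlog_table(g, p):
    """DLog_{Z_p^*,g}(a) for every a, by stepping through g^0, g^1, ..., g^(p-2)."""
    table, x = {}, 1
    for i in range(p - 1):
        table[x] = i
        x = (x * g) % p
    return table


def legendre_matches_dlog_parity(g, p):
    """Proposition 9.17 in the form of the example: a is a square iff DLog_g(a) is even."""
    return all(legendre(a, p) == (1 if i % 2 == 0 else -1)
               for a, i in dlog_table(g, p).items())


def predict_dh_key_legendre(X, Y, p):
    """What an eavesdropper computes from the public values X = g^x and Y = g^y
    alone: by Proposition 9.21, J_p(g^xy) = 1 iff J_p(X) = 1 or J_p(Y) = 1."""
    return 1 if legendre(X, p) == 1 or legendre(Y, p) == 1 else -1


def dh_key_square_probability(g, p):
    """Exact Pr[J_p(g^xy) = 1] over all x, y in Z_{p-1} (Proposition 9.22 says 3/4).
    Along the way, check that the eavesdropper's prediction is right for every pair."""
    hits, n = 0, p - 1
    for x in range(n):
        for y in range(n):
            X, Y, K = pow(g, x, p), pow(g, y, p), pow(g, x * y, p)
            assert predict_dh_key_legendre(X, Y, p) == legendre(K, p)
            hits += legendre(K, p) == 1
    return Fraction(hits, n * n)


if __name__ == "__main__":
    print(quadratic_residues(11))                       # [1, 3, 4, 5, 9]
    print([legendre(a, 11) for a in range(1, 11)])      # the J_11 row of the table
    print(dlog_table(2, 11))                            # the DLog row of the table
    print(dh_key_square_probability(2, 11))             # 3/4
```

The assertion inside dh_key_square_probability is the distinguishing attack in miniature: a DH key in Z_p^* can be told apart from a uniformly random group element with advantage 1/4 by anyone who can compute a Legendre symbol, which is one modular exponentiation.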
"
14
to the identity element of the group.
generator of the group.
Then QR( Z p
) is a group of prime order q. Furthermore, if g is any
generator of Z p
, then g
2 mod p is a generator of QR( Z p
).
" "
"
15
We know that 2 is a generator of Z 11
Let’s verify that 4 = 2
2 is a generator of QR( Z 11
).
always cyclic. These groups turn out to be quite useful in cryptography, so let us take a brief look at them and some of their properties.

An element h of a group G is called non-trivial if it is not equal to the identity element of the group.

Proposition 9.23 Suppose G is a group of order q where q is a prime, and h is any non-trivial member of G. Then h is a generator of G.

Proof of Proposition 9.23: It suffices to show that the order of h is q. We know that the order of any group element must divide the order of the group. Since the group has prime order q, the only possible values for the order of h are 1 and q. But h does not have order 1 since it is non-trivial, so it must have order q.

A common way to obtain a group of prime order for cryptographic schemes is as a subgroup of a group of integers modulo a prime. We pick a prime p having the property that q = (p − 1)/2 is also prime. It turns out that the subgroup of quadratic residues modulo p then has order q, and hence is a group of prime order. The following proposition summarizes the facts for future reference.

Proposition 9.24 Let q ≥ 3 be a prime such that p = 2q + 1 is also prime. Then QR(Z_p^*) is a group of prime order q. Furthermore, if g is any generator of Z_p^*, then g^2 mod p is a generator of QR(Z_p^*).

Note that the operation under which QR(Z_p^*) is a group is multiplication modulo p, the same operation under which Z_p^* is a group.

Proof of Proposition 9.24: We know that QR(Z_p^*) is a subgroup, hence a group in its own right. Proposition 9.17 tells us that |QR(Z_p^*)| is (p − 1)/2, which equals q in this case. Now let g be a generator of Z_p^* and let h = g^2 mod p. We want to show that h is a generator of QR(Z_p^*). As per Proposition 9.23, we need only show that h is non-trivial, meaning h ≠ 1. Indeed, we know that g^2 ≢ 1 (mod p), because g, being a generator, has order p − 1 and our assumptions imply p − 1 = 2q > 2.

Example 9.25 Let q = 5 and p = 2q + 1 = 11. Both p and q are primes. We know from Example 9.16 that QR(Z_11^*) = {1, 3, 4, 5, 9}. This is a group of prime order 5. We know from Example 9.9 that 2 is a generator of Z_p^*. Proposition 9.24 tells us that 4 = 2^2 is a generator of QR(Z_11^*). We can verify this by raising 4 to the powers i = 0, ..., 4:

  i           0  1  2  3  4
  4^i mod 11  1  4  5  9  3

We see that the elements of the last row are exactly those of the set QR(Z_11^*).

Let us now explain what we perceive to be the advantage conferred by working in a group of prime order. Let G be a cyclic group, and g a generator. We know that the discrete logarithms to
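Propositions 9.23 and 9.24 and Example 9.25 in Python, as an added example that is not taken from the notes or from the Bellare-Rogaway text. is_prime is a trial-division helper of ours; find_generator uses the fact that for a safe prime p = 2q + 1 the order of any g divides 2q, so g generates Z_p^* iff g^2 ≠ 1 and g^q ≠ 1 (mod p); in_qr_subgroup is the membership check y^q ≡ 1 (mod p) that a practitioner applies to a received Diffie-Hellman public value before exponentiating with a secret, since it is the q-th power test of Euler's criterion. dh_keys_stay_in_subgroup shows the benefit tied to Proposition 9.22: with exponents drawn from Z_q and h = g^2, every DH key lies in QR(Z_p^*), where every element is a square, so the Legendre-symbol leak disappears. p = 11 reproduces Example 9.25; p = 23 (q = 11) is a second, constructed safe prime.

```python
def is_prime(n):
    """Trial-division primality test; adequate for the small parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p):
    """p = 2q + 1 with both p and q prime: the hypothesis of Proposition 9.24."""
    return p > 3 and is_prime(p) and is_prime((p - 1) // 2)


def find_generator(p):
    """Smallest generator of Z_p^* for a safe prime p = 2q + 1.  The order of g
    divides p - 1 = 2q, so g generates iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found; is p prime?")


def qr_subgroup(g, p):
    """QR(Z_p^*) listed as h^0, h^1, ..., h^(q-1) with h = g^2 mod p (Proposition 9.24)."""
    q = (p - 1) // 2
    h = pow(g, 2, p)
    return [pow(h, i, p) for i in range(q)]


def in_qr_subgroup(y, p):
    """Membership test for the prime-order subgroup QR(Z_p^*), p = 2q + 1:
    y is a square iff y^q = 1 (mod p) (Euler's criterion).  Rejects 0 and
    values outside 1..p-1 as well as the non-squares such as p-1."""
    q = (p - 1) // 2
    return 1 <= y < p and pow(y, q, p) == 1


def nontrivial_elements_generate(g, p):
    """Proposition 9.23: in QR(Z_p^*) of prime order q every h != 1 has order q,
    i.e. its first q powers are all distinct."""
    q = (p - 1) // 2
    return all(len({pow(h, i, p) for i in range(q)}) == q
               for h in qr_subgroup(g, p) if h != 1)


def dh_keys_stay_in_subgroup(g, p):
    """With exponents from Z_q and generator h = g^2 of QR(Z_p^*), every DH key
    h^xy is itself in the subgroup, so it is a square and J_p reveals nothing."""
    q = (p - 1) // 2
    h = pow(g, 2, p)
    return all(in_qr_subgroup(pow(h, x * y, p), p)
               for x in range(q) for y in range(q))


if __name__ == "__main__":
    p = 11
    g = find_generator(p)                 # 2, as in Example 9.9
    print(qr_subgroup(g, p))              # [1, 4, 5, 9, 3]: the row 4^i mod 11
    print(nontrivial_elements_generate(g, p), dh_keys_stay_in_subgroup(g, p))
```

sorted(qr_subgroup(2, 11)) gives {1, 3, 4, 5, 9}, the set QR(Z_11^*) of Example 9.16, and the order of the unsorted list is exactly the 4^i mod 11 row of Example 9.25.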
"
"
∗ p
∗ p
2
∗ p
∗
p
∗ p
∗ p
∗ p
∗ p
2
∗ p
2
∗ 11
∗
p
2
∗ 11
i
∗
11
16