Cryptography and Number Theory: Understanding Cyclic Groups and Quadratic Residues, Study notes of Computer Science

These notes introduce cyclic groups and quadratic residues in the context of number theory and cryptography. They cover the definition of a group, the properties of subgroups, and the importance of cyclic groups in cryptography. They also discuss the Legendre symbol and its relationship to quadratic residues, as well as algorithms for testing quadratic residuosity and computing discrete logarithms, and conclude with a discussion of the distribution of Diffie-Hellman keys in a cyclic group.

Typology: Study notes

Pre 2010

Uploaded on 08/05/2009

koofers-user-p74
CS 4803
Computer and Network Security
Alexandra (Sasha) Boldyreva

Very basic number theory

Let Z = {..., −2, −1, 0, 1, 2, ...} denote the set of integers.
Let Z+ = {1, 2, ...} denote the set of positive integers and N = {0, 1, 2, ...} the set of non-negative integers.
If a, N are integers with N > 0 then there are unique integers r, q such that a = Nq + r and 0 ≤ r < N.
We associate to any positive integer N the following two sets:
Z_N = {0, 1, ..., N − 1},
Z*_N = { i ∈ Z : 1 ≤ i ≤ N − 1 and gcd(i, N) = 1 } (the integers relatively prime to N).

Groups

Def. Let G be a non-empty set and let · denote a binary operation on G. We say that G is a group if it has the following properties:
1. Closure: For every a, b ∈ G it is the case that a · b is also in G.
2. Associativity: For every a, b, c ∈ G it is the case that (a · b) · c = a · (b · c).
3. Identity: There exists an element 1 ∈ G such that a · 1 = 1 · a = a for all a ∈ G.
4. Invertibility: For every a ∈ G there exists a unique b ∈ G such that a · b = b · a = 1. This b is the inverse of a, denoted a^(−1).

Fact. Let N be a positive integer. Then Z_N is a group under addition modulo N, and Z*_N is a group under multiplication modulo N.

In any group, we can define an exponentiation operation:
if i = 0 then a^i is defined to be 1,
if i > 0 then a^i = a · a · ... · a (i times),
if i < 0 then a^i = a^(−1) · a^(−1) · ... · a^(−1) (j = −i times).
For all a ∈ G and all i, j ∈ Z:
a^(i+j) = a^i · a^j
(a^i)^j = a^(ij)
a^(−i) = (a^i)^(−1) = (a^(−1))^i


The order of a group is its size.

Fact. Let G be a group and let m = |G| be its order. Then a^m = 1 for all a ∈ G.

Fact. Let G be a group and let m = |G| be its order. Then a^i = a^(i mod m) for all a ∈ G and all i ∈ Z.

Example. Let us work in the group Z*_21 = {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20} under the operation of multiplication modulo 21. Here m = 12.
5^86 mod 21 = 5^(86 mod 12) mod 21 = 5^2 mod 21 = 25 mod 21 = 4

If G is a group, a set S ⊆ G is called a subgroup if it is a group in its own right, under the same operation as that under which G is a group.

Fact. Let G be a group and let S be a subgroup of G. Then the order of S divides the order of G.
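The two facts about group order and the subgroup fact can be checked by brute force for small moduli. The following is an added example, not code from the slides: it builds Z*_N, verifies a^m = 1 and a^i = a^(i mod m) for every element and a range of positive and negative exponents, checks that the order of the cyclic subgroup generated by each element divides |Z*_N|, and reproduces the slide's 5^86 mod 21 computation. The function names are my own.

```python
# Added example (not from the original slides): Z*_N under multiplication mod N,
# the order of the group, the exponent-reduction fact a^i = a^(i mod m), and
# the subgroup fact that the order of <a> divides |Z*_N|.
from math import gcd

def z_star(N):
    """Elements of Z*_N: integers 1..N-1 relatively prime to N."""
    return [i for i in range(1, N) if gcd(i, N) == 1]

def group_exp(a, i, N):
    """a^i in Z*_N for any integer i; a negative i uses a^(-1) = pow(a, -1, N) (Python 3.8+)."""
    if i < 0:
        a = pow(a, -1, N)
        i = -i
    return pow(a, i, N)

def element_order(a, N):
    """Smallest j >= 1 with a^j = 1 mod N, i.e. the size of the subgroup <a>."""
    x, j = a % N, 1
    while x != 1:
        x = (x * a) % N
        j += 1
    return j

def check_group_facts(N):
    """True iff a^m = 1, a^i = a^(i mod m) and ord(a) | m hold for every a in Z*_N."""
    G = z_star(N)
    m = len(G)
    for a in G:
        if pow(a, m, N) != 1:
            return False
        for i in range(-3 * m, 3 * m):
            if group_exp(a, i, N) != pow(a, i % m, N):
                return False
        if m % element_order(a, N) != 0:     # Lagrange: |<a>| divides |G|
            return False
    return True

def slide_example():
    """The slide's computation: 5^86 mod 21 = 5^(86 mod 12) mod 21."""
    N, a, i = 21, 5, 86
    m = len(z_star(N))                        # 12
    return m, pow(a, i % m, N), pow(a, i, N)  # (12, 4, 4)

if __name__ == "__main__":
    print(z_star(21), "order", len(z_star(21)))
    print(slide_example())
    print("group facts hold for Z*_21:", check_group_facts(21))
```

Note that `pow(a, -1, N)` raises `ValueError` when gcd(a, N) ≠ 1, which is exactly the case where a is not in Z*_N and has no inverse.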

Algorithms and their running times

Since in cryptography we will be working with BIG numbers, the complexity of algorithms taking numbers as inputs is measured as a function of the bit-length of the numbers.
E.g. PrintInBinary(A), where A = 2^k, takes k operations.

Some basic algorithms

| Algorithm | Input | Output | Running Time |
| --- | --- | --- | --- |
| INT-DIV | a, N (N > 0) | (q, r) with a = Nq + r and 0 ≤ r < N | O(|a| · |N|) |
| MOD | a, N (N > 0) | a mod N | O(|a| · |N|) |
| EXT-GCD | a, b ((a, b) ≠ (0, 0)) | (d, a', b') with d = gcd(a, b) = aa' + bb' | O(|a| · |b|) |
| MOD-ADD | a, b, N (a, b ∈ Z_N) | (a + b) mod N | O(|N|) |
| MOD-MULT | a, b, N (a, b ∈ Z_N) | ab mod N | O(|N|^2) |
| MOD-INV | a, N (a ∈ Z*_N) | b ∈ Z*_N with ab ≡ 1 (mod N) | O(|N|^2) |
| MOD-EXP | a, n, N (a ∈ Z_N) | a^n mod N | O(|n| · |N|^2) |
| EXP_G | a, n (a ∈ G) | a^n ∈ G | 2|n| G-operations |

Figure: Some basic algorithms and their running time. Unless otherwise indicated, an input value is an integer and the running time is the number of bit operations. G denotes a group.

9.2.2 Integer division and mod algorithms

We define the integer division function as taking input two integers a, N, with N > 0, and returning the quotient and remainder obtained by dividing a by N. That is, the function returns (q, r) such
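As an added example (not code from the slides or from Bellare and Rogaway), here are straightforward implementations of INT-DIV, EXT-GCD, MOD-INV and MOD-EXP from the table above. MOD-EXP is written as square-and-multiply so that the "2|n| multiplications" bound is visible in the loop, and MOD-INV is built on EXT-GCD exactly as the table suggests. Function names are my own.

```python
# Added example: the basic algorithms of the table, in plain Python.
def int_div(a, N):
    """INT-DIV: (q, r) with a = N*q + r and 0 <= r < N, for any integer a and N > 0."""
    assert N > 0
    q, r = divmod(a, N)          # Python's divmod already yields 0 <= r < N, even for a < 0
    return q, r

def ext_gcd(a, b):
    """EXT-GCD: (d, a', b') with d = gcd(a, b) = a*a' + b*b'.  Requires (a, b) != (0, 0)."""
    assert (a, b) != (0, 0)
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:                # one INT-DIV per iteration; O(|a| * |b|) bit operations overall
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:                # normalise so that d > 0
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t

def mod_inv(a, N):
    """MOD-INV: b in Z*_N with a*b = 1 (mod N); raises ValueError if gcd(a, N) != 1."""
    d, a_prime, _ = ext_gcd(a % N, N)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {N} (gcd = {d})")
    return a_prime % N           # from d = a*a' + N*b' we get a*a' = 1 (mod N)

def mod_exp(a, n, N):
    """MOD-EXP by square-and-multiply: a^n mod N with at most 2|n| modular multiplications."""
    assert n >= 0
    result, base = 1 % N, a % N
    for bit in bin(n)[2:]:       # scan the bits of n from most to least significant
        result = (result * result) % N          # one squaring per bit
        if bit == "1":
            result = (result * base) % N        # one extra multiplication per set bit
    return result

if __name__ == "__main__":
    print(int_div(-7, 3))        # (-3, 2)
    print(ext_gcd(240, 46))      # (2, -9, 47): 240*(-9) + 46*47 = 2
    print(mod_inv(5, 21))        # 17, since 5*17 = 85 = 4*21 + 1
    print(mod_exp(5, 86, 21))    # 4, the slide's example
```

Each modular multiplication inside `mod_exp` costs O(|N|^2) bit operations and there are at most 2|n| of them, which is where the O(|n| · |N|^2) entry in the table comes from.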

Example. QR(Z*_11)?
QR(Z*_11) = {1, 3, 4, 5, 9}
Recall that Z*_11 is cyclic and 2 is a generator.

Fact. A generator is always a non-square. (But not all non-squares are generators.)

Fact. |QR(Z*_p)| = (p − 1)/2 (about half the elements are squares)

Bellare and Rogaway 13

Example 9.16 Let p = 11, which is prime. Then Z*_11 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} has order p − 1 = 10.


A simple way to determine QR(Z*_11) is to square all the group elements in turn:

| a | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| a^2 mod 11 | 1 | 4 | 9 | 5 | 3 | 3 | 5 | 9 | 4 | 1 |

The squares are exactly those elements that appear in the second row, so QR(Z*_11) = {1, 3, 4, 5, 9}. The number of squares is 5, which we notice equals (p − 1)/2. This is not a coincidence, as we will see. Also notice that each square has exactly two different square roots. (The square roots of 1 are 1 and 10; the square roots of 3 are 5 and 6; the square roots of 4 are 2 and 9; the square roots of 5 are 4 and 7; the square roots of 9 are 3 and 8.)

Since 11 is prime, we know that Z*_11 is cyclic, and as we saw in Example 9.9, 2 is a generator. (As a side remark, we note that a generator must be a non-square. Indeed, if a = b^2 is a square, then a^5 = b^10 = 1 modulo 11 because 10 is the order of the group. So a^j = 1 modulo 11 for some positive j < 10, which means a is not a generator. However, not all non-squares need be generators.) Below, we reproduce from that example the table of discrete logarithms of the group elements. We also add below it a row providing the Legendre symbols, which we know because, above, we identified the squares. We get:

| a | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DLog_{Z*_11,2}(a) | 0 | 1 | 8 | 2 | 4 | 9 | 7 | 3 | 6 | 5 |
| J_11(a) | 1 | −1 | 1 | 1 | 1 | −1 | −1 | −1 | 1 | −1 |

We observe that the Legendre symbol of a is 1 if its discrete logarithm is even, and −1 if the discrete logarithm is odd, meaning the squares are exactly those group elements whose discrete logarithm is even. It turns out that this fact is true regardless of the choice of generator.

As we saw in the above example, the fact that Z*_p is cyclic is useful in understanding the structure of the subgroup of quadratic residues QR(Z*_p). The following Proposition summarizes some important elements of this connection.

Proposition 9.17 Let p ≥ 3 be a prime and let g be a generator of Z*_p. Then

QR(Z*_p) = { g^i : i ∈ Z_{p−1} and i is even },   (9.2)

and the number of squares mod p is

|QR(Z*_p)| = (p − 1)/2.

Furthermore, every square mod p has exactly two different square roots mod p.

Proof of Proposition 9.17: Let

E = { g^i : i ∈ Z_{p−1} and i is even }.

We will prove that E = QR(Z*_p) by showing first that E ⊆ QR(Z*_p) and second that QR(Z*_p) ⊆ E.

To show that E ⊆ QR(Z*_p), let a ∈ E. We will show that a ∈ QR(Z*_p). Let i = DLog_{Z*_p,g}(a). Since
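Example 9.16 and Proposition 9.17 can be reproduced mechanically for any small prime. The block below is an added example, not code from the notes or from Bellare and Rogaway: it finds QR(Z*_p) by squaring every element, collects the square roots of each square, builds the discrete-logarithm table for a given generator, and then checks the three claims of Proposition 9.17 (equation (9.2), |QR| = (p − 1)/2, and two roots per square) for every generator of Z*_p, not just for g = 2. Function names are my own.

```python
# Added example: Example 9.16 and Proposition 9.17 worked by brute force for a small prime p.
def squares_mod(p):
    """QR(Z*_p), found the way Example 9.16 does: square every element in turn."""
    return sorted({(a * a) % p for a in range(1, p)})

def square_roots(p):
    """Map each square to the list of its square roots in Z*_p."""
    roots = {}
    for b in range(1, p):
        roots.setdefault((b * b) % p, []).append(b)
    return roots

def dlog_table(p, g):
    """DLog_{Z*_p, g}(a) for every a, by walking the powers of g.  Requires g to be a generator."""
    table, x = {}, 1
    for i in range(p - 1):
        table[x] = i
        x = (x * g) % p
    if len(table) != p - 1:                 # powers repeated early: g does not generate Z*_p
        raise ValueError(f"{g} is not a generator of Z*_{p}")
    return table

def legendre_by_membership(a, p):
    """J_p(a) by definition: +1 for squares and -1 for non-squares (no Euler criterion here)."""
    return 1 if (a % p) in squares_mod(p) else -1

def check_prop_9_17(p):
    """True iff (9.2), |QR| = (p-1)/2 and the two-roots property hold for every generator g."""
    qr = squares_mod(p)
    if len(qr) != (p - 1) // 2:
        return False
    if any(len(r) != 2 for r in square_roots(p).values()):
        return False
    generators = [g for g in range(1, p)
                  if len({pow(g, i, p) for i in range(p - 1)}) == p - 1]
    for g in generators:
        even_powers = sorted({pow(g, i, p) for i in range(0, p - 1, 2)})
        if even_powers != qr:               # equation (9.2)
            return False
        dl = dlog_table(p, g)
        # squares are exactly the elements with even discrete logarithm
        if any((dl[a] % 2 == 0) != (legendre_by_membership(a, p) == 1) for a in range(1, p)):
            return False
    return True

if __name__ == "__main__":
    p = 11
    print("QR(Z*_11) =", squares_mod(p))                       # [1, 3, 4, 5, 9]
    print("DLog base 2:", dlog_table(p, 2))
    print("J_11:", [legendre_by_membership(a, p) for a in range(1, p)])
    print("Proposition 9.17 holds for p = 11:", check_prop_9_17(p))
```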

Facts. Let p ≥ 3 be a prime. Then
for any a ∈ Z*_p
for any generator g ∈ Z*_p
for any a ∈ Z*_p
for any generator g ∈ Z*_p and any x, y ∈ Z_{p−1}

requires knowing the discrete logarithm of a, which is hard to compute. The following Proposition says that the Legendre symbol of a modulo an odd prime p can be obtained by raising a to the power (p − 1)/2, and helps us compute the Legendre symbol.

Proposition 9.18 Let p ≥ 3 be a prime. Then

J_p(a) ≡ a^((p−1)/2) (mod p)

for any a ∈ Z*_p.

Now one can determine whether or not a is a square mod p by running the algorithm MOD-EXP on inputs a, (p − 1)/2, p. If the algorithm returns 1 then a is a square mod p, and if it returns p − 1 (which is the same as −1 mod p) then a is a non-square mod p. Thus, the Legendre symbol can be computed in time cubic in the length of p.

Towards the proof of Proposition 9.18, we begin with the following lemma which is often useful in its own right.

Lemma 9.19 Let p ≥ 3 be a prime. Then

g^((p−1)/2) ≡ −1 (mod p)

for any generator g of Z*_p.


However Lemma 9.19 tells us that the last quantity is −1 modulo p, as desired.

The following Proposition says that ab mod p is a square if and only if either both a and b are squares, or if both are non-squares. But if one is a square and the other is not, then ab mod p is a non-square. This can be proved by using either Proposition 9.17 or Proposition 9.18. We use the latter in the proof. You might try, as an exercise, to reprove the result using Proposition 9.17 instead.

Proposition 9.20 Let p ≥ 3 be prime. Then

J_p(ab mod p) = J_p(a) · J_p(b)

for all a, b ∈ Z*_p.

Proof of Proposition 9.20: Using Proposition 9.18 we get

J_p(ab mod p) ≡ (ab)^((p−1)/2) ≡ a^((p−1)/2) · b^((p−1)/2) ≡ J_p(a) · J_p(b) (mod p).

The two quantities we are considering both being either 1 or −1, and equal modulo p, must then be actually equal.
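Proposition 9.18 turns quadratic residuosity testing into a single MOD-EXP call, and Lemma 9.19 and Proposition 9.20 are statements one can check exhaustively for small primes. The following is an added example, not code from the notes or from Bellare and Rogaway: `legendre` implements the Euler-criterion test exactly as the paragraph after Proposition 9.18 describes (return 1 on result 1, return −1 on result p − 1, and report any other result, which can only happen when p is not prime), and the check functions confirm Lemma 9.19 and Proposition 9.20 by enumeration and cross-check the criterion against the definition by squaring. Function names are my own.

```python
# Added example: the Legendre symbol via Proposition 9.18, plus brute-force checks of
# Lemma 9.19 and Proposition 9.20 for small primes.
def legendre(a, p):
    """J_p(a) via Euler's criterion: a^((p-1)/2) mod p is 1 for squares, p-1 for non-squares."""
    assert p >= 3 and a % p != 0, "a must be in Z*_p and p an odd prime"
    r = pow(a, (p - 1) // 2, p)       # one MOD-EXP: O(|p|^3) bit operations
    if r == 1:
        return 1
    if r == p - 1:                    # p - 1 is the same as -1 mod p
        return -1
    # For a prime p the result is always 1 or p-1, so anything else exposes a composite modulus.
    raise ValueError(f"{p} is not prime: a^((p-1)/2) mod p was {r}")

def is_generator(g, p):
    """True iff the powers of g cover all of Z*_p (brute force; fine for small p)."""
    return len({pow(g, i, p) for i in range(p - 1)}) == p - 1

def check_lemma_9_19(p):
    """Lemma 9.19: g^((p-1)/2) = -1 mod p for every generator g of Z*_p."""
    return all(pow(g, (p - 1) // 2, p) == p - 1
               for g in range(1, p) if is_generator(g, p))

def check_prop_9_20(p):
    """Proposition 9.20: J_p(ab mod p) = J_p(a) * J_p(b) for all a, b in Z*_p."""
    return all(legendre((a * b) % p, p) == legendre(a, p) * legendre(b, p)
               for a in range(1, p) for b in range(1, p))

def check_against_squaring(p):
    """Cross-check Euler's criterion against the definition (squaring every element)."""
    qr = {(x * x) % p for x in range(1, p)}
    return all((legendre(a, p) == 1) == (a in qr) for a in range(1, p))

if __name__ == "__main__":
    print([legendre(a, 11) for a in range(1, 11)])   # the J_11 row of Example 9.16
    for p in (11, 13, 23, 101):
        assert check_lemma_9_19(p) and check_prop_9_20(p) and check_against_squaring(p)
    print("Lemma 9.19, Proposition 9.20 and Euler's criterion verified for small primes")
```

The exhaustive checks are quadratic in p and exist only to confirm the propositions; `legendre` itself is the practical tool and costs one modular exponentiation regardless of the size of p.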

A quantity of cryptographic interest is the Diffie-Hellman (DH) key. Having fixed a cyclic group G and generator g for it, the DH key associated to elements X = g^x and Y = g^y of the group is the group element g^(xy). The following Proposition tells us that the DH key is a square if either X or Y is a square, and otherwise is a non-square.

16 COMPUTATIONAL NUMBER THEORY

Proposition 9.21 Let p ≥ 3 be a prime and let g be a generator of Z*_p. Then

J_p(g^(xy) mod p) = 1 if and only if J_p(g^x mod p) = 1 or J_p(g^y mod p) = 1,

for all x, y ∈ Z_{p−1}.

Proof of Proposition 9.21: By Proposition 9.17, it suffices to show that xy mod (p − 1) is even if and only if x is even or y is even. But since p − 1 is even, xy mod (p − 1) is even exactly when xy is even, and clearly xy is even exactly if either x or y is even.

With a cyclic group G and generator g of G fixed, we will be interested in the distribution of the DH key g^(xy) in G, under random choices of x, y from Z_m, where m = |G|. One might at first think that in this case the DH key is a random group element. The following proposition tells us that in the group Z*_p of integers modulo a prime, this is certainly not true. The DH key is significantly more likely to be a square than a non-square, and in particular is thus not even almost uniformly distributed over the group.

Proposition 9.22 Let p ≥ 3 be a prime and let g be a generator of Z*_p. Then

Pr[ x ←$ Z_{p−1}; y ←$ Z_{p−1} : J_p(g^(xy)) = 1 ]

equals 3/4.

Proof of Proposition 9.22: By Proposition 9.21 we need only show that

Pr[ x ←$ Z_{p−1}; y ←$ Z_{p−1} : J_p(g^x) = 1 or J_p(g^y) = 1 ]

equals 3/4. The probability in question is 1 − α where

α = Pr[ x ←$ Z_{p−1}; y ←$ Z_{p−1} : J_p(g^x) = −1 and J_p(g^y) = −1 ]
  = Pr[ x ←$ Z_{p−1} : J_p(g^x) = −1 ] · Pr[ y ←$ Z_{p−1} : J_p(g^y) = −1 ]
  = (1 − |QR(Z*_p)| / |Z*_p|) · (1 − |QR(Z*_p)| / |Z*_p|)
  = (1 − ((p − 1)/2) / (p − 1)) · (1 − ((p − 1)/2) / (p − 1))
  = 1/2 · 1/2 = 1/4.

Thus 1 − α = 3/4 as desired. Here we used Proposition 9.17 which told us that |QR(Z*_p)| = (p − 1)/2.

The above Propositions, combined with Proposition 9.18 (which tells us that quadratic residuosity modulo a prime can be efficiently tested), will later lead us to pinpoint weaknesses in certain cryptographic schemes in Z*_p.
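The 3/4 of Proposition 9.22 is an exact probability over all (x, y) pairs, so for a small prime it can be confirmed by enumerating every pair rather than by sampling. The block below is an added example, not code from the notes or from Bellare and Rogaway: it checks Proposition 9.21 pair by pair, computes the exact fraction of square DH keys as a `Fraction`, and tabulates how many (x, y) pairs produce each group element, which makes the non-uniformity of the DH key visible directly. Function names are my own.

```python
# Added example: Propositions 9.21 and 9.22 checked exhaustively for a small prime p
# and generator g, enumerating every (x, y) in Z_{p-1} x Z_{p-1}.
from fractions import Fraction

def squares_mod(p):
    """QR(Z*_p) as a set, by squaring every element."""
    return {(a * a) % p for a in range(1, p)}

def is_generator(g, p):
    return len({pow(g, i, p) for i in range(p - 1)}) == p - 1

def check_prop_9_21(p, g):
    """J_p(g^xy) = 1 iff J_p(g^x) = 1 or J_p(g^y) = 1, for all x, y in Z_{p-1}."""
    assert is_generator(g, p)
    qr = squares_mod(p)
    return all((pow(g, x * y, p) in qr) == (pow(g, x, p) in qr or pow(g, y, p) in qr)
               for x in range(p - 1) for y in range(p - 1))

def dh_key_square_fraction(p, g):
    """Pr[x, y <- Z_{p-1} : J_p(g^xy) = 1] as an exact fraction, by enumeration."""
    assert is_generator(g, p)
    qr = squares_mod(p)
    hits = sum(1 for x in range(p - 1) for y in range(p - 1) if pow(g, x * y, p) in qr)
    return Fraction(hits, (p - 1) ** 2)

def dh_key_histogram(p, g):
    """Number of (x, y) pairs that produce each group element as the DH key g^xy."""
    counts = {a: 0 for a in range(1, p)}
    for x in range(p - 1):
        for y in range(p - 1):
            counts[pow(g, x * y, p)] += 1
    return counts

if __name__ == "__main__":
    p, g = 11, 2
    print("Proposition 9.21 holds:", check_prop_9_21(p, g))
    print("fraction of square DH keys:", dh_key_square_fraction(p, g))   # 3/4
    print("a uniform key would be a square with probability 1/2")
    print("DH key histogram:", dh_key_histogram(p, g))
```

Since squares make up exactly half of Z*_p, a uniformly distributed key would be a square with probability 1/2; the enumerated value 3/4 is the bias the proposition describes, and the histogram shows the identity element 1 (produced whenever xy ≡ 0 mod (p − 1)) as the most over-represented key.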

Groups of prime order

Def. An element h of a group G is called non-trivial if it is not equal to the identity element of the group.

Fact. Any non-trivial member of a group of prime order is a generator of the group.

Fact. Let q ≥ 3 be a prime such that p = 2q + 1 is also prime. Then QR(Z*_p) is a group of prime order q. Furthermore, if g is any generator of Z*_p, then g^2 mod p is a generator of QR(Z*_p).

Example. Let q = 5 and p = 2q + 1 = 11. We know that 2 is a generator of Z*_11. Let's verify that 4 = 2^2 is a generator of QR(Z*_11).

always cyclic. These groups turn out to be quite useful in cryptography, so let us take a brief look at them and some of their properties.

An element h of a group G is called non-trivial if it is not equal to the identity element of the group.

Proposition 9.23 Suppose G is a group of order q where q is a prime, and h is any non-trivial member of G. Then h is a generator of G.

Proof of Proposition 9.23: It suffices to show that the order of h is q. We know that the order of any group element must divide the order of the group. Since the group has prime order q, the only possible values for the order of h are 1 and q. But h does not have order 1 since it is non-trivial, so it must have order q.

A common way to obtain a group of prime order for cryptographic schemes is as a subgroup of a group of integers modulo a prime. We pick a prime p having the property that q = (p − 1)/2 is also prime. It turns out that the subgroup of quadratic residues modulo p then has order q, and hence is a group of prime order. The following proposition summarizes the facts for future reference.

Proposition 9.24 Let q ≥ 3 be a prime such that p = 2q + 1 is also prime. Then QR(Z*_p) is a group of prime order q. Furthermore, if g is any generator of Z*_p, then g^2 mod p is a generator of QR(Z*_p).

Note that the operation under which QR(Z*_p) is a group is multiplication modulo p, the same operation under which Z*_p is a group.

Proof of Proposition 9.24: We know that QR(Z*_p) is a subgroup, hence a group in its own right. Proposition 9.17 tells us that |QR(Z*_p)| is (p − 1)/2, which equals q in this case. Now let g be a generator of Z*_p and let h = g^2 mod p. We want to show that h is a generator of QR(Z*_p). As per Proposition 9.23, we need only show that h is non-trivial, meaning h ≠ 1. Indeed, we know that g^2 ≢ 1 (mod p), because g, being a generator, has order p − 1 and our assumptions imply p − 1 > 2.

Example 9.25 Let q = 5 and p = 2q + 1 = 11. Both p and q are primes. We know from Example 9.16 that QR(Z*_11) = {1, 3, 4, 5, 9}. This is a group of prime order 5. We know from Example 9.9 that 2 is a generator of Z*_p. Proposition 9.24 tells us that 4 = 2^2 is a generator of QR(Z*_11). We can verify this by raising 4 to the powers i = 0, ..., 4:

| i | 0 | 1 | 2 | 3 | 4 |
| --- | --- | --- | --- | --- | --- |
| 4^i mod 11 | 1 | 4 | 5 | 9 | 3 |

We see that the elements of the last row are exactly those of the set QR(Z*_11).

Let us now explain what we perceive to be the advantage conferred by working in a group of prime order. Let G be a cyclic group, and g a generator. We know that the discrete logarithms to
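Propositions 9.23 and 9.24 and Example 9.25 can be verified for any small safe prime p = 2q + 1. The block below is an added example, not code from the notes or from Bellare and Rogaway: it computes the cyclic subgroup generated by an element, confirms that QR(Z*_p) has exactly q elements and that g^2 generates it for every generator g of Z*_p (Proposition 9.24), confirms that every non-trivial element of QR(Z*_p) generates it (Proposition 9.23), and reproduces the 4^i mod 11 table of Example 9.25. The trial-division primality test and the function names are my own.

```python
# Added example: Propositions 9.23 and 9.24 and Example 9.25 checked for safe primes
# p = 2q + 1 such as 11 = 2*5 + 1 and 23 = 2*11 + 1.
def is_prime(n):
    """Trial division; adequate for the small moduli used in this example."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

def subgroup_generated(h, p):
    """The cyclic subgroup <h> of Z*_p, as a set of residues."""
    elems, x = set(), 1
    while x not in elems:
        elems.add(x)
        x = (x * h) % p
    return elems

def qr_subgroup(p):
    """QR(Z*_p): the set of squares mod p.  For p = 2q + 1 it has prime order q."""
    return {(a * a) % p for a in range(1, p)}

def check_prop_9_24(q):
    """|QR(Z*_p)| = q, and g^2 mod p generates QR(Z*_p) for every generator g of Z*_p."""
    p = 2 * q + 1
    assert is_prime(q) and is_prime(p), "q and p = 2q + 1 must both be prime"
    qr = qr_subgroup(p)
    if len(qr) != q:
        return False
    generators = [g for g in range(1, p) if len(subgroup_generated(g, p)) == p - 1]
    return all(subgroup_generated(pow(g, 2, p), p) == qr for g in generators)

def check_prop_9_23(q):
    """Every non-trivial element of the prime-order group QR(Z*_p) is a generator of it."""
    p = 2 * q + 1
    assert is_prime(q) and is_prime(p)
    qr = qr_subgroup(p)
    return all(subgroup_generated(h, p) == qr for h in qr if h != 1)

def powers_table(h, p, q):
    """Example 9.25: the list [h^0, h^1, ..., h^(q-1)] mod p."""
    return [pow(h, i, p) for i in range(q)]

if __name__ == "__main__":
    print("4^i mod 11 for i = 0..4:", powers_table(4, 11, 5))   # [1, 4, 5, 9, 3]
    for q in (5, 11, 23, 29):
        print(f"q = {q}, p = {2 * q + 1}: 9.24 {check_prop_9_24(q)}, 9.23 {check_prop_9_23(q)}")
```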
