Computing exponents modulo a number: Repeated squaring



Similar documents
Math 319 Problem Set #3 Solution 21 February 2002

Applications of Fermat s Little Theorem and Congruences

Factoring Algorithms

RSA Encryption. Tom Davis October 10, 2003

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Some practice problems for midterm 2

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

8 Primes and Modular Arithmetic

Lecture 13: Factoring Integers

Primality - Factorization

mod 10 = mod 10 = 49 mod 10 = 9.

An Introduction to the RSA Encryption Method

On the generation of elliptic curves with 16 rational torsion points by Pythagorean triples

Lecture 13 - Basic Number Theory.

The application of prime numbers to RSA encryption

MATH10040 Chapter 2: Prime and relatively prime numbers

RSA and Primality Testing

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Cryptography and Network Security Chapter 8

Homework until Test #2

Advanced Cryptography

The Mathematics of the RSA Public-Key Cryptosystem

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by

SUM OF TWO SQUARES JAHNAVI BHASKAR

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

Chapter 3. if 2 a i then location: = i. Page 40

Number Theory: A Mathemythical Approach. Student Resources. Printed Version

MATH 537 (Number Theory) FALL 2016 TENTATIVE SYLLABUS

Five fundamental operations. mathematics: addition, subtraction, multiplication, division, and modular forms

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Public Key Cryptography: RSA and Lots of Number Theory

Elementary factoring algorithms

Factoring. Factoring 1

RSA Attacks. By Abdulaziz Alrasheed and Fatima

CS 103X: Discrete Structures Homework Assignment 3 Solutions

Maths delivers! A guide for teachers Years 11 and 12. RSA Encryption

A Factoring and Discrete Logarithm based Cryptosystem

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

CONTINUED FRACTIONS AND FACTORING. Niels Lauritzen

GREATEST COMMON DIVISOR

4.2 Euclid s Classification of Pythagorean Triples

SYSTEMS OF PYTHAGOREAN TRIPLES. Acknowledgements. I would like to thank Professor Laura Schueller for advising and guiding me

Settling a Question about Pythagorean Triples

2.6 Exponents and Order of Operations

Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

MATH 13150: Freshman Seminar Unit 10

Stupid Divisibility Tricks

Midterm Practice Problems

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)

Notes on Factoring. MA 206 Kurt Bryan

The Chinese Remainder Theorem

Zero: If P is a polynomial and if c is a number such that P (c) = 0 then c is a zero of P.

Grade 7/8 Math Circles Fall 2012 Factors and Primes

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Quotient Rings and Field Extensions

V Quantitative Reasoning: Computers, Number Theory and Cryptography

Math 55: Discrete Mathematics

2.5 Zeros of a Polynomial Functions

ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS

Primes in Sequences. Lee 1. By: Jae Young Lee. Project for MA 341 (Number Theory) Boston University Summer Term I 2009 Instructor: Kalin Kostadinov

CIS 5371 Cryptography. 8. Encryption --

Continued Fractions. Darren C. Collins

Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University

Continued Fractions and the Euclidean Algorithm

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

z 0 and y even had the form

Public Key Cryptography and RSA. Review: Number Theory Basics

CMPSCI 250: Introduction to Computation. Lecture #19: Regular Expressions and Their Languages David Mix Barrington 11 April 2013

HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

SECTION 10-2 Mathematical Induction

Lecture 16 : Relations and Functions DRAFT

We can express this in decimal notation (in contrast to the underline notation we have been using) as follows: b + 90c = c + 10b

How To Know If A Message Is From A Person Or A Machine

Basic Algorithms In Computer Algebra

Every Positive Integer is the Sum of Four Squares! (and other exciting problems)

GCDs and Relatively Prime Numbers! CSCI 2824, Fall 2014!

MACM 101 Discrete Mathematics I

An Efficient RNS to Binary Converter Using the Moduli Set {2n + 1, 2n, 2n 1}

The last three chapters introduced three major proof techniques: direct,

8 Square matrices continued: Determinants

11 Ideals Revisiting Z

Number Theory Hungarian Style. Cameron Byerley s interpretation of Csaba Szabó s lectures

RECURSIVE ENUMERATION OF PYTHAGOREAN TRIPLES

MATH 22. THE FUNDAMENTAL THEOREM of ARITHMETIC. Lecture R: 10/30/2003

Solution to Exercise 2.2. Both m and n are divisible by d, som = dk and n = dk. Thus m ± n = dk ± dk = d(k ± k ),som + n and m n are divisible by d.

2.3. Finding polynomial functions. An Introduction:

The cyclotomic polynomials

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

WRITING PROOFS. Christopher Heil Georgia Institute of Technology

Math 453: Elementary Number Theory Definitions and Theorems

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Solutions to Problem Set 1

PYTHAGOREAN TRIPLES KEITH CONRAD

On Generalized Fermat Numbers 3 2n +1

Clock Arithmetic and Modular Systems Clock Arithmetic The introduction to Chapter 4 described a mathematical system

Indiana State Core Curriculum Standards updated 2009 Algebra I

Transcription:

Computing exponents modulo a number: Repeated squaring How do you compute (1415) 13 mod 2537 = 2182 using just a calculator? Or how do you check that 2 340 mod 341 = 1? You can do this using the method of repeated squaring; we ll illustrate by calculating (1415) 13 mod 2537. Start by looking at the exponent (13) and represent it as a sum of powers of 2. To do this, find the largest power of 2 less than your exponent; in this case it s 2 3 = 8. Subtract 8 from 13, getting 5. Then 5 = 4 + 1 = 2 2 + 2 0. So 13 = 8 + 4 + 1. Now (1415) 13 mod 2537 = (1415) (1+4+8) mod 2537. So all I have to do is to calculate the numbers (1415) 1 mod 2537, (1415) 4 mod 2537, and (1415) 8 mod 2537 and multiply them together, then take the product mod 2537. I already have the first number: 1415. I could raise it to the 4th power and take the result mod 2537, but to be systematic I ll square it, take the result mod 2537, and then repeat that same process. 1415 2 mod 2537 = 2002225 mod 2537 = 532. So to get 1415 4 mod 2537 I square 532 = 283024 and take this mod 2537 = 1417. To get (1415) 8 mod 2537 I square (1415) 4 mod 2537 and take the result mod 2537. So I square 1417, getting 200789 which mod 2537 is 1122. Multiply 1415 1417 1122 and take the result mod 2537. The result is 2182. 1

Correctness of RSA Now we are ready to prove that the RSA encryption and decryption functions are inverses of each other. We ll check that d(e(m)) = M, where e(m) = M e mod pq, and d(c) = C s mod pq, where s is an inverse of e modulo (p 1)(q 1). To do this, we ll need Fermat s Little Theorem, together with a simple lemma: Lemma If p and q are distinct primes, N M (mod p), and N M (mod q), then N M (mod pq). Proof: By hypothesis N M = jp for some j, and N M = kq for some k. Thus p kq. But p is a prime, and cannot divide q, so p k. Thus k = lp and so N M = lpq, which is what we need. (The easy way to see this, of course, is to use the uniqueness part of the Chinese Remainder Theorem.) We now want to show d(e(m)) = M, and writing this out: C s mod pq = M, where C = M e mod pq. To do this we ll show C s M (mod p) and C s M (mod q). The conclusion then follows from the lemma. 2

RSA Correctness, continued Our goal is now to show C s M (mod p), where s is an inverse of e modulo (p 1)(q 1). We also need C s M (mod q), but the proof will be exactly the same. Now We claim C s = (M e mod pq) s M es C s M es mod p; this is because C s M es = jpq = (jq)p for some j. What is M es mod p? (mod pq). Since s is an inverse of e modulo (p 1)(q 1), we have es = 1 + k(p 1)(q 1) for some k. Therefore M es = M 1+k(p 1)(q 1) = M 1 (M (p 1) ) k(q 1). 3

RSA Correctness, continued From last slide M es = M 1+k(p 1)(q 1) = M 1 (M (p 1) ) k(q 1). We are trying to prove C s M (mod p). On the last slide we showed C s M es (mod p). We take both sides of the top equation mod p, because we want M es mod p. We get M es mod p = ((M 1 (M (p 1) ) k(q 1) ) mod p = (M (M (p 1) mod p) k(q 1) ) mod p. There are now two cases. It s possible that p M so that M mod p = 0. But then M es mod p = 0, so that C s = M es M (mod p). This is our desired conclusion, so we consider the case that p does not divide M. In this case, by Fermat s little theorem, M (p 1) mod p = 1. Thus M es mod p = (M 1 k(q 1) ) mod p = M mod p. Thus in this case, C s M (mod p) as well, finishing the proof. 4

Summing up Let s look at what math we needed to do this RSA encryption. Correctness depended on Fermat s little theorem, whose proof depended on the idea of a one-to-one and onto function. None of the ideas made any sense without the notion of an equivalence relation (congruence mod n in our examples). Feasibility depended on the gcd algorithm extended to find multiplicative inverses. The extended algorithm was proved correct by strong induction (actually proving the sm + tn theorem), and the inductive proof gave the formulas we needed. In that inductive proof, we gave a formal statement of a proposition P (n), using logic and quantifiers. Analyzing the efficiency involved another theorem (Lame) whose proof was by strong induction. GCDs exist using the lattice of positive integers under the divisibility ordering. So, almost all of the discrete math ideas we introduced were exemplified in understanding the application. 5

What s next? Encryption functions are a special case of what are called computable functions from strings to strings. In EECS 376 you learn about what kinds of functions can be computed at all. Most functions, in a precise sense, cannot be computed there is no program even conceivable that could calculate them. You also learn about useful things like finite-state automata. These have applications everywhere in computer science. Specifying different kinds of (theoretical models of) computation requires all of the discrete math ideas we have learned. We have not done things like counting and combinatorics. You do learn these things in a probability course. The discrete math ideas help understand this stuff too. Don t forget about it! 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information