Hartle1998.com - World's No. 1 Assignment Help Company

Cryptography and Network Security

Seventh Edition

by William Stallings

Lecture slides prepared for “Cryptography and Network Security”, 7/e, by William Stallings, Chapter 2 – “Introduction to Number Theory”.

Chapter 2

Introduction to Number Theory

Number theory is pervasive in cryptographic algorithms. This chapter provides

sufficient breadth and depth of coverage of relevant number theory topics for understanding

the wide range of applications in cryptography. The reader familiar with these

topics can safely skip this chapter.

The first three sections introduce basic concepts from number theory that are

needed for understanding finite fields; these include divisibility, the Euclidian algorithm,

and modular arithmetic. The reader may study these sections now or wait until

ready to tackle Chapter 5 on finite fields.

Sections 2.4 through 2.8 discuss aspects of number theory related to prime numbers

and discrete logarithms. These topics are fundamental to the design of asymmetric

(public-key) cryptographic algorithms. The reader may study these sections now or

wait until ready to read Part Three.

The concepts and techniques of number theory are quite abstract, and it is often

difficult to grasp them intuitively without examples. Accordingly, this chapter includes

a number of examples, each of which is highlighted in a shaded box.

Divisibility

We say that a nonzero b divides a if a = mb for some m, where a, b, and m are integers

b divides a if there is no remainder on division

The notation b | a is commonly used to mean b divides a

If b | a we say that b is a divisor of a

The positive divisors of 24 are 1, 2, 3, 4, 6, 8, 12, and 24

13 | 182; – 5 | 30; 17 | 289; – 3 | 33; 17 | 0

We say that a nonzero b divides a if a=mb for some m, where a, b, and m are integers. That is, b divides a if there is no remainder on division.

The notation b | a is commonly used to mean b divides a . Also, if b | a , we say that b is a divisor of a .

Properties of Divisibility

If a | 1, then a = ±1

If a | b and b | a, then a = ±b

Any b ≠ 0 divides 0

If a | b and b | c, then a | c

If b | g and b | h, then b | (mg + nh) for arbitrary integers m and n

11 | 66 and 66 | 198 = 11 | 198

Subsequently, we will need some simple properties of divisibility for integers, which are as follows:

• If a|1, then a = ±1.

• If a|b and b|a, then a = ±b.

• Any b ≠ 0 divides 0.

• If a | b and b | c, then a | c

• If b|g and b|h, then b|(mg + nh) for arbitrary integers m and n.

Properties of Divisibility

To see this last point, note that:

If b | g , then g is of the form g = b * g1 for some integer g1

If b | h , then h is of the form h = b * h1 for some integer h1

So:

mg + nh = mbg1 + nbh1 = b * (mg1 + nh1 )

and therefore b divides mg + nh

b = 7; g = 14; h = 63; m = 3; n = 2

7 | 14 and 7 | 63.

To show 7 (3 * 14 + 2 * 63),

we have (3 * 14 + 2 * 63) = 7(3 * 2 + 2 * 9),

and it is obvious that 7 | (7(3 * 2 + 2 * 9)).

To see this last point, note that

• If b | g , then g is of the form g = b * g1 for some integer g1 .

• If b | h , then h is of the form h = b * h1 for some integer h1 .

mg + nh = mbg1 + nbh1 = b * (mg1 + nh1 )

and therefore b divides mg + nh .

Division Algorithm

Given any positive integer n and any nonnegative integer a, if we divide a by n we get an integer quotient q and an integer remainder r that obey the following relationship:

a = qn + r 0 ≤ r < n; q = [a/n]

Given any positive integer n and any nonnegative integer a, if we divide a by n, we get an integer quotient q and an integer remainder r that obey the following relationship:

a = qn + r, 0 ≤ r < n; q = [a/n] which is referred to as the division algorithm.

Figure 2.1a demonstrates that, given a and positive n, it is always possible to find q and r that satisfy the preceding relationship. Represent the integers on the number line; a will fall somewhere on that line (positive a is shown, a similar demonstration can be made for negative a). Starting at 0, proceed to n, 2n, up to qn such that qn ≤ a and (q + 1)n > a. The distance from qn to a is r, and we have found the unique values of q and r. The remainder r is often referred to as a residue .

For example:

a = 11; n = 7; 11 = 1 x 7 + 4; r = 4 q = 1

a = –11; n = 7; –11 = (–2) x 7 + 3; r = 3 q = –2

Figure 4.1b provides another example.

Euclidean Algorithm

One of the basic techniques of number theory

Procedure for determining the greatest common divisor of two positive integers

Two integers are relatively prime if their only common positive integer factor is 1

One of the basic techniques of number theory is the Euclidean algorithm, which

is a simple procedure for determining the greatest common divisor of two positive

integers. First, we need a simple definition: Two integers are relatively prime if their

only common positive integer factor is 1.

Greatest Common Divisor (GCD)

The greatest common divisor of a and b is the largest integer that divides both a and b

We can use the notation gcd(a,b) to mean the greatest common divisor of a and b

We also define gcd(0,0) = 0

Positive integer c is said to be the gcd of a and b if:

c is a divisor of a and b

Any divisor of a and b is a divisor of c

An equivalent definition is:

gcd(a,b) = max[k, such that k | a and k | b]

Recall that nonzero b is defined to be a divisor of a if a = mb for some m , where a , b , and

m are integers. We will use the notation gcd(a , b ) to mean the greatest common divisor

of a and b . The greatest common divisor of a and b is the largest integer that divides

both a and b . We also define gcd(0, 0) = 0.

More formally, the positive integer c is said to be the greatest common divisor

of a and b if

1. c is a divisor of a and of b .

2. Any divisor of a and b is a divisor of c .

An equivalent definition is the following:

gcd(a , b ) = max[k , such that k | a and k | b ]

GCD

Because we require that the greatest common divisor be positive, gcd(a,b) = gcd(a,-b) = gcd(-a,b) = gcd(-a,-b)

In general, gcd(a,b) = gcd(| a |, | b |)

Also, because all nonzero integers divide 0, we have gcd(a,0) = | a |

We stated that two integers a and b are relatively prime if their only common positive integer factor is 1; this is equivalent to saying that a and b are relatively prime if gcd(a,b) = 1

gcd(60, 24) = gcd(60, – 24) = 12

8 and 15 are relatively prime because the positive divisors of 8 are 1, 2, 4, and 8, and the positive divisors of 15 are 1, 3, 5, and 15. So 1 is the only integer on both lists.

Because we require that the greatest common divisor be positive, gcd(a , b ) =

gcd(a , -b ) = gcd(-a , b ) = gcd(-a ,-b ). In general, gcd(a , b ) = gcd( | a | , | b | ).

Also, because all nonzero integers divide 0, we have gcd(a , 0) = a .

We stated that two integers a and b are relatively prime if their only common

positive integer factor is 1. This is equivalent to saying that a and b are relatively

prime if gcd(a , b ) = 1.

We now describe an algorithm credited to Euclid for easily finding the greatest

common divisor of two integers (Figure 2.2). This algorithm has broad significance

in cryptography.

We can find the greatest common divisor of two integers by repetitive application

of the division algorithm. This scheme is known as the Euclidean algorithm.

Figure 2.3 illustrates a simple example.

Table 2.1 Euclidean Algorithm Example

(This table can be found on page 34 in the textbook)

In this example, we begin by dividing 1160718174 by 316258250, which gives 3

with a remainder of 211943424. Next we take 316258250 and divide it by 211943424.

The process continues until we get a remainder of 0, yielding a result of 1078.

Modular Arithmetic

The modulus

If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n; the integer n is called the modulus

Thus, for any integer a:

a = qn + r 0 ≤ r < n; q = [a/ n]

a = [a/ n] * n + ( a mod n)

11 mod 7 = 4; – 11 mod 7 = 3

If a is an integer and n is a positive integer, we define a mod n to be the remainder

when a is divided by n . The integer n is called the modulus . Thus, for any integer a:

a = qn + r 0 ≤ r < n; q = [ a/ n]

a = [a/ n] * n + ( a mod n)

Modular Arithmetic

Congruent modulo n

Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n)

This is written as a = b(mod n)2

Note that if a = 0(mod n), then n | a

73 = 4 (mod 23); 21 = – 9 (mod 10)

Two integers a and b are said to be congruent modulo n , if (a mod n ) =

(b mod n ). This is written as a K b (mod n ).2

Note that if a = 0 (mod n ), then n | a .

Properties of Congruences

Congruences have the following properties:

1. a = b (mod n) if n (a – b)

2. a = b (mod n) implies b = a (mod n)

3. a = b (mod n) and b = c (mod n) imply a = c (mod n)

To demonstrate the first point, if n (a – b), then (a – b) = kn for some k

So we can write a = b + kn

Therefore, (a mod n) = (remainder when b + kn is divided by n) = (remainder when b is divided by n) = (b mod n)

23 = 8 (mod 5) because 23 – 8 = 15 = 5 * 3

– 11 = 5 (mod 8) because – 11 – 5 = – 16 = 8 * (- 2)

81 = 0 (mod 27) because 81 – 0 = 81 = 27 * 3

Congruences have the following properties:

1. a = b (mod n) if n (a – b)

2. a = b (mod n) implies b = a (mod n)

3. a = b (mod n) and b = c (mod n) imply a = c (mod n)

To demonstrate the first point, if n (a – b), then (a – b) = kn for some k

So we can write a = b + kn

Therefore, (a mod n) = (remainder when b + kn is divided by n) = (remainder when b is divided by n) = (b mod n)

Modular Arithmetic

Modular arithmetic exhibits the following properties:

1. [(a mod n) + (b mod n)] mod n = (a + b) mod n

2. [(a mod n) – (b mod n)] mod n = (a – b) mod n

3. [(a mod n) * (b mod n)] mod n = (a * b) mod n

We demonstrate the first property:

Define (a mod n) = ra and (b mod n) = rb. Then we can write a = ra + jn for some integer j and b = rb + kn for some integer k

Then:

(a + b) mod n = (ra + jn + rb + kn) mod n

= (ra + rb + (k + j)n) mod n

= (ra + rb) mod n

= [(a mod n) + (b mod n)] mod n

Modular arithmetic exhibits the following properties:

1. [(a mod n) + (b mod n)] mod n = (a + b) mod n

2. [(a mod n) – (b mod n)] mod n = (a – b) mod n

3. [(a mod n) * (b mod n)] mod n = (a * b) mod n

We demonstrate the first property:

Define (a mod n) = ra and (b mod n) = rb. Then we can write a = ra + jn for some integer j and b = rb + kn for some integer k.

Then:

(a + b) mod n = (ra + jn + rb + kn) mod n

= (ra + rb + (k + j)n) mod n

= (ra + rb) mod n

= [(a mod n) + (b mod n)] mod n

Remaining Properties:

Examples of the three remaining properties:

11 mod 8 = 3; 15 mod 8 = 7

[(11 mod 8) + (15 mod 8)] mod 8 = 10 mod 8 = 2

(11 + 15) mod 8 = 26 mod 8 = 2

[(11 mod 8) – (15 mod 8)] mod 8 = – 4 mod 8 = 4

(11 – 15) mod 8 = – 4 mod 8 = 4

[(11 mod 8) * (15 mod 8)] mod 8 = 21 mod 8 = 5

(11 * 15) mod 8 = 165 mod 8 = 5

The remaining properties are proven as easily. Here are examples of the three

properties.

Table 2.2(a) Arithmetic Modulo 8

(This table can be found on page 37 in the textbook)

Table 2.2a and Table 2.2b provide an illustration of modular addition and multiplication

modulo 8. Looking at addition, the results are straightforward, and there is a regular

pattern to the matrix. Both matrices are symmetric about the main diagonal

in conformance to the commutative property of addition and multiplication.

Table 2.2(b) Multiplication Modulo 8

(This table can be found on page 37 in the textbook)

Similarly, the entries in the multiplication table are straightforward. In ordinary

arithmetic, there is a multiplicative inverse, or reciprocal, to each integer. In modular

arithmetic mod 8, the multiplicative inverse of x is the integer y such that

(x * y ) mod 8 = 1 mod 8. Now, to find the multiplicative inverse of an integer

from the multiplication table, scan across the matrix in the row for that integer to

find the value 1; the integer at the top of that column is the multiplicative inverse;

thus, (3 * 3) mod 8 = 1. Note that not all integers mod 8 have a multiplicative

inverse; more about that later.

Table 2.2(c) Additive and Multiplicative Inverse Modulo 8

(This table can be found on page 37 in the textbook)

As in ordinary addition, there is an additive inverse, or negative, to each integer in

modular arithmetic. In this case, the negative of an integer x is the integer y such

that (x + y ) mod 8 = 0. To find the additive inverse of an integer in the left-hand

column, scan across the corresponding row of the matrix to find the value 0; the

integer at the top of that column is the additive inverse; thus, (2 + 6) mod 8 = 0.

Table 2.3 Properties of Modular Arithmetic for Integers in Zn

(This table can be found on page 38 in the textbook)

If we perform modular arithmetic within Zn, the properties shown in Table 2.3 hold for integers in Zn We show in the next section that this implies that Zn is a commutative ring with a multiplicative identity element.

In general, an integer has a multiplicative inverse in Zn if that integer is relatively prime to n. Table 2.2c in the text shows that the integers 1, 3, 5, and 7 have a multiplicative inverse in Z 8, but 2, 4, and 6 do not.

Table 2.4 Extended Euclidean Algorithm Example

Result: d = 1; x = –111; y = 355

(This table can be found on page 43 in the textbook)

Example of the Extended Euclidean Algorithm. (See pages 97 – 99 in textbook for details.)

Prime Numbers

Prime numbers only have divisors of 1 and itself

They cannot be written as a product of other numbers

Prime numbers are central to number theory

Any integer a > 1 can be factored in a unique way as

a = p1 a1 * p2 a2 * . . . * pp1 a1

where p1 < p2 < . . . < pt are prime numbers and where each ai is a positive integer

This is known as the fundamental theorem of arithmetic

An integer p > 1 is a prime number if and only if its only divisors are ±1

and ± p . Prime numbers play a critical role in number theory and in the techniques

discussed in this chapter.

Any integer a > 1 can be factored in a unique way as

a = p1 a1 * p2 a2 * . . . * pp1 a1

where p1 < p2 < . . . < pt are prime numbers and where each ai is a positive integer

This is known as the fundamental theorem of arithmetic; a proof can be found in any text on number theory.

Table 2.5

Primes Under 2000

(This table can be found on page 44 in the textbook)

Table 2.5 shows the primes less than 2000. Note the way

the primes are distributed. In particular, note the number of primes in each range

of 100 numbers.

Fermat’s Theorem

States the following:

If p is prime and a is a positive integer not divisible by p then

ap-1 = 1 (mod p)

An alternate form is:

If p is prime and a is a positive integer then

ap = a (mod p)

Two theorems that play important roles in public-key cryptography are Fermat’s

theorem and Euler’s theorem.

Fermat’s theorem states the following: If p is prime and a is a positive integer not

divisible by p, then

ap-1 = 1 (mod p)

An alternative form of Fermat’s theorem is also useful: If p is prime and a is a

positive integer, then

ap = a (mod p)

Table 2.6 Some Values of Euler’s Totient Function ø(n)

(This table can be found on page 48 in the textbook)

Before presenting Euler’s theorem, we need to introduce an important quantity in

number theory, referred to as Euler’s totient function, written ø (n ), and defined as

the number of positive integers less than n and relatively prime to n . By convention,

ø(1) = 1.

Table 2.6 lists the first 30 values of ø (n ). The value ø(1) is without meaning

but is defined to have the value 1.

It should be clear that, for a prime number p ,

ø (p ) = p – 1

Euler’s Theorem

States that for every a and n that are relatively prime:

aø(n) = 1(mod n)

An alternative form is:

aø(n)+1 = a(mod n)

Euler’s theorem states that for every a and n that are relatively prime:

aø(n) = 1(mod n)

As is the case for Fermat’s theorem, an alternative form of the theorem is also

Useful:

aø(n)+1 = a(mod n)

Miller-Rabin Algorithm

Typically used to test a large number for primality

Algorithm is:

TEST (n)

The algorithm due to Miller and Rabin [MILL75, RABI80] is typically used to test

a large number for primality.

The procedure TEST takes a candidate integer n as input and returns the result composite

if n is definitely not a prime, and the result inconclusive if n may or may not

be a prime.

How can we use the Miller-Rabin algorithm to determine with a high degree of confidence whether or not an integer

is prime? It can be shown [KNUT98] that given an odd number n that is not prime

and a randomly chosen integer, a with 1 < a < n – 1, the probability that TEST

will return inconclusive (i.e., fail to detect that n is not prime) is less than 1/4.

Thus, if t different values of a are chosen, the probability that all of them will pass

TEST (return inconclusive) for n is less than (1/4)t . For example, for t = 10, the

probability that a nonprime number will pass all ten tests is less than 10-6 . Thus,

for a sufficiently large value of t, we can be confident that n is prime if Miller’s test

always returns inconclusive .

This gives us a basis for determining whether an odd integer n is prime

with a reasonable degree of confidence. The procedure is as follows: Repeatedly

invoke TEST (n) using randomly chosen values for a . If, at any point, TEST returns

composite , then n is determined to be nonprime. If TEST continues to

return inconclusive for t tests, then for a sufficiently large value of t , assume

that n is prime.

Find integers k, q, with k > 0, q odd, so that (n – 1)=2kq ;

Select a random integer a, 1 < a < n – 1 ;

if aq mod n = 1 then return (“inconclusive”) ;

for j = 0 to k – 1 do

if (a2jq mod n = n – 1) then return (“inconclusive”) ;

return (“composite”) ;

Deterministic Primality Algorithm

Prior to 2002 there was no known method of efficiently proving the primality of very large numbers

All of the algorithms in use produced a probabilistic result

In 2002 Agrawal, Kayal, and Saxena developed an algorithm that efficiently determines whether a given large number is prime

Known as the AKS algorithm

Does not appear to be as efficient as the Miller-Rabin algorithm

Prior to 2002, there was no known method of efficiently proving the primality of very

large numbers. All of the algorithms in use, including the most popular (Miller-Rabin),

produced a probabilistic result. In 2002 (announced in 2002, published in 2004),

Agrawal, Kayal, and Saxena [AGRA04] developed a relatively simple deterministic

algorithm that efficiently determines whether a given large number is a prime. The algorithm,

known as the AKS algorithm, does not appear to be as efficient as the Miller-

Rabin algorithm. Thus far, it has not supplanted this older, probabilistic technique.

Chinese Remainder Theorem (CRT)

Believed to have been discovered by the Chinese mathematician Sun-Tsu in around 100 A.D.

One of the most useful results of number theory

Says it is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli

Can be stated in several ways

One of the most useful results of number theory is the Chinese remainder theorem

(CRT). In essence, the CRT says it is possible to reconstruct integers in a certain

range from their residues modulo a set of pairwise relatively prime moduli.

The CRT can be stated in several ways. We present here a formulation that is most

useful from the point of view of this text. An alternative formulation is explored in

Problem 2.33.

One of the useful features of the Chinese remainder theorem is that it provides

a way to manipulate (potentially very large) numbers mod M in terms of tuples of

smaller numbers. This can be useful when M is 150 digits or more. However, note

that it is necessary to know beforehand the factorization of M .

Provides a way to manipulate (potentially very large) numbers mod M in terms of tuples of smaller numbers

This can be useful when M is 150 digits or more

However, it is necessary to know beforehand the factorization of M

Table 2.7

Powers of Integers, Modulo 19

(This table can be found on page 57 in the textbook)

Table 2.7 shows all the powers of a, modulo 19 for all positive a <19. The

length of the sequence for each base value is indicated by shading. Note the

following:

1. All sequences end in 1. This is consistent with the reasoning of the preceding

few paragraphs.

2. The length of a sequence divides ø (19) = 18. That is, an integral number of

sequences occur in each row of the table.

3. Some of the sequences are of length 18. In this case, it is said that the base

integer a generates (via powers) the set of nonzero integers modulo 19. Each

such integer is called a primitive root of the modulus 19.

More generally, we can say that the highest possible exponent to which a number

can belong (mod n ) is ø (n ). If a number is of this order, it is referred to as a

primitive root of n . The importance of this notion is that if a is a primitive root of n ,

then its powers

a , a2 ,. . . , aø(n)

are distinct (mod n ) and are all relatively prime to n . In particular, for a prime number

p , if a is a primitive root of p , then

a , a2 ,. . . , ap-1

are distinct (mod p ). For the prime number 19, its primitive roots are 2, 3, 10, 13, 14,

and 15.

Not all integers have primitive roots. In fact, the only integers with primitive

roots are those of the form 2, 4, pa , and 2pa , where p is any odd prime and a is a

positive integer. The proof is not simple but can be found in many number theory

books, including [ORE76].

Table 2.8

Tables of Discrete Logarithms, Modulo 19

(This table can be found on page 60 in the textbook)

Table 2.8, which is directly derived from Table 2.7, shows the sets of discrete

logarithms that can be defined for modulus 19.

Summary

Divisibility and the division algorithm

The Euclidean algorithm

Greatest Common Divisor

Finding the Greatest Common Divisor

Modular arithmetic

The modulus

Properties of congruences

Modular arithmetic operations

Properties of modular arithmetic

Euclidean algorithm revisited

The extended Euclidean algorithm

Prime numbers

Fermat’s Theorem

Euler’s totient function

Euler’s Theorem

Testing for primality

Miller-Rabin algorithm

A deterministic primality algorithm

Distribution of primes

The Chinese Remainder Theorem

Discrete logarithms

Powers of an integer, modulo n

Logarithms for modular arithmetic

Calculation of discrete logarithms

Chapter 2 summary.

n 2n 3n qn (q + 1)na

Figure 2.1 The Relationship a = qn + r; 0 ≤ r < n

(a) General relationship

0 15

30 = 2 15

(b) Example: 70 = (4 15) + 10

45 = 3 15

60 = 4 15

75 = 5 15

Figure 2.2 Euclidean Algorithm

No Yes a > b ?

r > 0 ? Swap a and b

Replace b with r

Replace a with b

Divide a byb, calling the

remainder r

GCD is the final

value of b

START

END

Figure 2.3 Euclidean Algorithm Example: gcd(710, 310)

710 = 2 x 310 + 90

310 = 3 x 90 + 40

90 = 2 x 40 + 10

40 = 4 x 10

GCDGCD Same GCD