Course notes (chap. 1 Number Theory, chap. 2 ... - McGill University

COMP-547A
/B
Cryptography and Data Security
Lecture 01 02-06
Prof. Claude Crépeau
School of Computer Science
McGill University

1 Basic Number Theory
1.1 Definitions
Divisibility:
a|b ⇐⇒ ∃k ∈ Z [b = ak]
Congruences:
a ≡ b (mod n) ⇐⇒ n|(a − b)
Modulo operator: (Maple irem, mod)
b mod n =min{a ≥ 0:a ≡ b
(mod n)}
Division operator: (Maple iquo)
b div n = ⌊b/n⌋ =
b − (b mod n)
n
a ≡ b (mod n)
⟺
a mod n = b mod n

Euclid
Leonhard Euler
Greatest Common Divider: (Maple igcd, igcdex)
g =gcd(a, b) ⇐⇒ g|a, g|b and [g ′ |a, g ′ |b ⇒ g ′ |g]
Euler’s Phi function: (Maple phi)
φ(n) =#{a :0

1.2 Efficient operations
For the basic operations of +, −, ×, mod , div one may use standard “elementary
school” algorithms reducing the work load by the following rules:
a
⎧
⎨
⎩
+
−
×
⎫
⎬
⎭ b mod n = ⎛
⎝(a mod n)
⎧
⎨
⎩
+
−
×
⎫
⎬
⎭ (b mod n) ⎞
⎠ mod n
The standard “elementary school” algorithms are precisely described in
Knuth (Vol 2). For very large numbers, special purpose divide-and-conquer
algorithms may be used for better efficiency of ×,mod, div. Consult the
algorithmics book of Brassard-Bratley for these.

1.2.1 Fast modular exponentiation
The idea behind this algorithm is to maintain in each iteration the value of
the expression xa e mod n while reducing the exponent e by a factor 2.
Algorithm 1.1 ( a e mod n )
1: x ← 1,
2: WHILE e>0 DO
3: IF e is odd THEN x ← ax mod n,
4: a ← a 2 mod n, e ← e div 2,
5: ENDWHILE
6: RETURN x.
(Maple x&^e mod n)

EXAMPLE
5 13 mod 7
= 5 8+4+1 mod 7
= 5 8 x5 4 x5 1 mod 7
5 0 , 5 1 , 5 2 , 5 4 , 5 8
≡ 1, 5, 4, 2, 4 (mod 7)
= 4x2x5 mod 7
= 1x5 mod 7
= 5

1.2.2 GCD calculations and multiplicative inverses
Note. gcd(a, b) =g →∃ x,y ∈ Z such that g = ax + by. The following
recursive definition is based on the property gcd(a, b) =gcd(a, b − a).
gcd(a, b) =
{ a if b =0
gcd(b, a mod b) otherwise
The idea behind the following iterative algorithm is to maintain in each
iteration the relations g = ax+by and g ′ = ax ′ +by ′ while reducing the value
of g.
At the end of the algorithm, the value of g is gcd(a, b). The final value
of x is such that ax ≡ g (mod b) andbysymmetry,thefinalvalueofy
is such that by ≡ g (mod a) . Whengcd(a, b) =1,wefindthatx is the
multiplicative inverse of a modulo b and that y is the multiplicative inverse
of b modulo a.

Algorithm 1.2 ( Euclide gcd(a,b) )
1: g ⟵ a, g′ ⟵ b, x ⟵ 1, y ⟵ 0, x′ ⟵ 0, y′ ⟵ 1,
2:WHILE g′>0 DO
3: k ⟵ g div g′
4: g′′ ⟵ g-kg′; x′′ ⟵ x-kx′; y′′ ⟵ y-ky′
5: g ⟵ g′; x ⟵ x′; y ⟵ y′
6: g′ ⟵ g′′; x′ ⟵ x′′; y′ ⟵ y′′;
7: ENDWHILE
8: RETURN g,x,y
(Maple igcd, igcdex, 1/x mod n, x^(-1) mod n)

EXAMPLE
gcd(7,19)
= gcd(19,7)
= gcd(7,19 mod 7)
= gcd(7,5)
= gcd(5,7 mod 5)
= gcd(5,2)
= gcd(2,5 mod 2)
= gcd(2,1)
= gcd(1,2 mod 1) = gcd(1,0) = 1

EXAMPLE
gcd(7,19)
x=1,y=0,x’=0,y’=1
= gcd(19,7) x=0,y=1,x’=1,y’=0
= gcd(7,19 mod 7)
= gcd(7,5) x=1,y=0,x’=-2,y’=1
= gcd(5,7 mod 5)
= gcd(5,2) x=-2,y=1,x’=3,y’=-1
= gcd(2,5 mod 2)
= gcd(2,1) x=3,y=-1,x’=-8,y’=3
= gcd(1,2 mod 1) = gcd(1,0) = 1
x=-8,y=3,x’=19,y’=-7

EXAMPLE
gcd(7,19)
= gcd(1,0) = 1 x=-8,y=3,x’=19,y’=-7
thus
1 = -8x7 + 3x19
and
7 -1 mod 19 = 11 = -8 mod 19
19 -1 mod 7 = 3 = 3 mod 7

1.3 Solving linear congruentials
A linear congruential is an expression of the form
ax ⌘ b (mod n)
for known a, b, n and unknown x.
gcd(a, n) =1sinceinthatcasea 1
x ⌘ ba 1
Clearly, we can solve for x whenever
(mod n) existsandthus
(mod n).

EXAMPLE
7x ≡ 5 (mod 9)
7 -1 ∙7x ≡ 7 -1 ∙5 (mod 9)
4∙7x ≡ 4∙5 (mod 9)
x ≡ 2 (mod 9)

Similarily, when gcd(a, n) =g>1thesituationcanbemodifiedtoapply
the same strategy. If it is the case that g|b as well, we can solve the following
system instead, where a ′ = a g , b′ = b g , n′ = n g :
a ′ x ′ ≡ b ′ (mod n ′ ).
Since gcd(a ′ ,n ′ )=1,a ′−1 (mod n ′ )existsandwecansolveforx ′
x ′ ≡ b ′ a ′−1 (mod n ′ ).
Note however, that no solution exists if g̸ |b.

Finally, we know that a solution x modulo n must satisfy x ≡ x ′ (mod n ′ ).
Thus we can write
x = x ′ + kn ′
and consider all such x with 0 ≤ k

EXAMPLE
6x ≡ 5 (mod 9)
has no solution because
gcd(6,9)=3 and 3∤5.
----------------------------------
6x ≡ 3 (mod 9)
2x ≡ 1 (mod 3)
since gcd(6,9)|3
2 -1 ∙2x ≡ 2 -1 ∙1 (mod 3)
x ≡ 2 (mod 3)
x ≡ 2, 5, 8 (mod 9)

1.3.1 Chinese Remainder Theorem
Qin Jiushao
Theorem 1.1 (Chinese Remainder (Maple chrem)) Let m 1 ,m 2 ,...,m r
be r positive integers such that gcd(m i ,m j )=1for 1 ≤ i

EXAMPLE
x ≡ 5 (mod 9) x ≡ 3 (mod 4)
x ≡ 7 (mod 13)
has a unique solution mod 468
= 4∙9∙13
x = 5∙52∙(52 -1 mod 9)+ 3∙117∙(117 -1 mod 4)
+ 7∙36∙(36 -1 mod 13)
x = 260∙4 + 351∙1 + 252∙4
x = 1040 + 351 + 1008
x = 2399
x ≡ 59 (mod 468)

1.4 Quadratic Residues
Quadratic residues modulo n are the integers with an integer square root
modulo n (Maple quadres):
QR n = {a :gcd(a, n) =1, ∃r[a ≡ r 2
QNR n = {a :gcd(a, n) =1, ∀r[a ≢ r 2
(mod n)]}
(mod n)]}
Example:
since
QR 17 = {1, 2, 4, 8, 9, 13, 15, 16}
QNR 17 = {3, 5, 6, 7, 10, 11, 12, 14}
{1 2 , 2 2 , 3 2 , 4 2 , 5 2 , 6 2 , 7 2 , 8 2 , 9 2 , 10 2 , 11 2 , 12 2 , 13 2 , 14 2 , 15 2 , 16 2 }≡
{1, 2, 4, 8, 9, 13, 15, 16} (mod 17).
Theorem 1.2 Let p be an odd prime number
#QR p =#QNR p =(p − 1)/2.

1.4.1 Legendre and Jacobi Symbols
For an odd prime number p,wedefinetheLegendresymbol(Maplelegendre)
as
⎧
( a
⎨ +1 if a ∈ QR p
= −1 if a ∈ QNR p
p)
⎩
0 if p|a
For any integer n = p 1 p 2 ...p k ,wedefinetheJacobisymbol(Maplejacobi)
(a generalization of the Legendre symbol) as
( ( )( ) ( )
a a a a
=
...
n)
p 1 p 2 p k
Adrien-Marie Legendre
Carl Gustav Jacob Jacobi

Properties ( 1
=+1
n)
( ) ab
( a
) ( )
b
=
n n n
( ( )
a a mod n
=
n)
n
For n odd
( ) −1
n
( 2
n)
For a, n odd and such that gcd(a, n) =1
( a
)( n
)
n a
=(−1) (n−1)/2
=(−1) (n2 −1)/8
=(−1) (n−1)(a−1)/4
Carl Friedrich Gauss

Algorithm 1.3 ( Jacobi(a, n) )
1:if a ≤ 1 then return a
else if a is odd then if a ≡ n ≡ 3(mod4)
then return −Jacobi(n mod a, a)
else return +Jacobi(n mod a, a)
else if n ≡±1(mod8)
then return +Jacobi(a/2,n)
else return −Jacobi(a/2,n)
This algorithm runs in O((lg n) 2 )bitoperations.

EXAMPLE
Jacobi(527, 723)
= -Jacobi(723 mod 527, 527)
= -Jacobi(196, 527)
= -Jacobi(98, 527)
= -Jacobi(49, 527)
= -Jacobi(527 mod 49, 49)
= -Jacobi(37, 49)
= -Jacobi(49 mod 37, 37)
= -Jacobi(12, 37)

EXAMPLE
Jacobi(527, 723)
= -Jacobi(12, 37)
= Jacobi(6, 37)
= -Jacobi(3, 37)
= -Jacobi(37 mod 3, 3)
= -Jacobi(1, 3)
= -1

Pierre de Fermat
1.4.2 Fermat-Euler
Theorem 1.3 (Fermat) Let p be a prime number and a be an integer not
amultipleofp, then
a p−1 ≡ 1 (mod p).
Theorem 1.4 Let p be a prime number and a be an integer, then
(Euler)
( a
a (p−1)/2 ≡ (mod p).
p)
Theorem 1.5 (Euler) Let n be an integer and a another integer such that
gcd(a, n) =1,then
a φ(n) ≡ 1 (mod n).

1.4.3 Extracting Square Roots modulo p
Theorem 1.6 For prime numbers p ≡ 3(mod4)and a ∈ QR p ,wehave
that r = a (p+1)/4 mod p is a square root of a.
Proof.
(a (p+1)/4) ) 2 ≡ a (p−1)/2 · a (mod p)
≡ a (mod p)(Fermat, sec. 1.3)

For prime numbers p ≡ 1(mod4)anda ∈ QR p ,there(only)existsan
efficient probabilistic algorithm. We present one found in the algorithmics
book of Brassard-Bratley:
Algorithm 1.4 ( rootLV(a, p, VAR r, VAR success) )
1: z ← uniform(1 ...p− 1)
2: IF a = z 2 mod p {very unlikely} THEN success ← true, r ← z
3: ELSE compute c and d such that 0 ≤ c ≤ p − 1, 0 ≤ d ≤ p − 1, and
c + d √ a ≡ (z + √ a) (p−1)/2 mod p
4: IF d =0THEN success ← false
5: ELSE (c =0), success ← true,
Michele Cipolla
6: compute r such that 1 ≤ r ≤ p − 1andd · r ≡ 1modp

EXAMPLE
p = 37, a = 16
z = 3
(3 + √a) (p-1)/2 ≡ (3 + √a) 18 (mod 37)
≡ (25 + 6√a) 9 (mod 37)
≡ (25 + 6√a) 8 (25 + 6√a) (mod 37)
≡ (17 + 4√a) 4 (25 + 6√a) (mod 37)
≡ (27 + 25√a) 2 (25 + 6√a) (mod 37)
≡ (36 + 18√a)(25 + 6√a) (mod 37)
≡ (1 + 0√a) (mod 37)

EXAMPLE
p = 37, a = 16
z = 5
(5 + √a) (p-1)/2 ≡ (5 + √a) 18 (mod 37)
≡ (4 + 10√a) 9 (mod 37)
≡ (4 + 10√a) 8 (4 + 10√a) (mod 37)
≡ (25 + 6√a) 4 (4 + 10√a) (mod 37)
≡ (17 + 4√a) 2 (4 + 10√a) (mod 37)
≡ (27 + 25√a)(4 + 10√a) (mod 37)
≡ (1 + 0√a) (mod 37)

EXAMPLE
p = 37, a = 16
z = 7
(7 + √a) (p-1)/2 ≡ (7 + √a) 18 (mod 37)
≡ (28 + 14√a) 9 (mod 37)
≡ (28 + 14√a) 8 (28 + 14√a) (mod 37)
≡ (35 + 7√a) 4 (28 + 14√a) (mod 37)
≡ (11 + 9√a) 2 (28 + 14√a)(mod 37)
≡ (11 + 13√a)(28 + 14√a) (mod 37)
≡ (1 + 0√a) (mod 37)

EXAMPLE
p = 37, a = 16
z = 9
(9 + √a) (p-1)/2 ≡ (9 + √a) 18 (mod 37)
≡ (23 + 18√a) 9 (mod 37)
≡ (23 + 18√a) 8 (23 + 18√a) (mod 37)
≡ (15 + 14√a) 4 (23 + 18√a) (mod 37)
≡ (31 + 13√a) 2 (23 + 18√a)(mod 37)
≡ (2 + 29√a)(23 + 18√a) (mod 37)
≡ (36 + 0√a) (mod 37)

EXAMPLE
p = 37, a = 16
z = 11
(11 + √a) (p-1)/2 ≡ (11 + √a) 18 (mod 37)
≡ (26 + 22√a) 9 (mod 37)
≡ (26 + 22√a) 8 (26 +22√a)(mod 37)
≡ (21 + 34√a) 4 (26 + 22√a)(mod 37)
≡ (30 + 22√a) 2 (26 +22√a)(mod 37)
≡ (23 + 25√a)(26 + 22√a) (mod 37)
≡ (0 + 9√a) (mod 37)

EXAMPLE
p = 37, a = 16
z = 11
(11 + √a) (p-1)/2 ≡ (11 + √a) 18 (mod 37)
≡ (0 + 9√a) (mod 37)
thus
9√a ≡ ±1 (mod 37)
√a ≡ ±9 -1 (mod 37)
√a ≡ ±33 (mod 37)

1.4.4 Extracting Square Roots modulo n
We want to solve r 2 ≡ a (mod n) forr knowing p, q such that n = pq. We
first solve modulo p and q and find solutions to
r 2 p ≡ a (mod p)
r 2 q ≡ a (mod q).
We then consider the simultaneous congruences
r ≡ r p (mod p) ⇐⇒ p|r 2 − a
r ≡ r q (mod q) ⇐⇒ q|r 2 − a
} {{ }
⇒ p · q = n|r 2 − a
⇒ r 2 ≡ a (mod n)
We can now solve r by the chinese remainder theorem.

EXAMPLE
n = 37*43 = 1591, a = 16
√a ≡ ±33 (mod 37)
√a ≡ ±a (p+1)/4 ≡ ±a 11 ≡ ±4 (mod 43)
use CRT on the following 4 systems
√a ≡ 4 (mod 37) √a ≡ 4 (mod 43)
√a ≡ 4 (mod 37) √a ≡ 39(mod 43)
√a ≡ 33(mod 37) √a ≡ 4 (mod 43)
√a ≡ 33(mod 37) √a ≡ 39(mod 43)

EXAMPLE
use CRT on the following 4 systems
√a ≡ 4 (mod 37) √a ≡ 4 (mod 43)
√a ≡ 4 (mod 1591)
√a ≡ 4 (mod 37) √a ≡ 39(mod 43)
√a ≡ 1114 (mod 1591)
√a ≡ 33(mod 37) √a ≡ 4 (mod 43)
√a ≡ 477 (mod 1591)
√a ≡ 33(mod 37) √a ≡ 39(mod 43)
√a ≡ 1587 (mod 1591)

Definition 1.7 (SQROOT) The square root modulo n problem can be
stated as follows:
given a composite integer n and a ∈ QR n , find a square root of a mod n.
(Maple msqrt)
Theorem 1.8 SQROOT is polynomialy equivalent to FACTORING.
Proof idea: the previous construction showed that if we know the
factorization of n, then we can extract square roots modulo each prime
factor of n and then recombine using the Chinese Remainder Theorem.
If we can extract square roots modulo n, then we can split n in two factors
n = uv by repeating the following algorithm:
• Pick a random integer a and extract the square root of a 2 mod n, say a′.
• If a′ ≡ ±a (mod n) then try again,
• Return(u,v)
else set u = gcd(a+a′, n) and v = gcd(a−a′, n).
(The probability of the second case is at least 1 / 2 .)

EXAMPLE
n = 37*43 = 1591,
a = 477,
a 2 mod 1591 = 16
√(a 2 ) mod 1591 = 4
477 ≢ ±4 (mod 1591)
u = gcd(477+4, 1591) = 37
v = gcd(477-4, 1591) = 43

1.5 Prime numbers
If we want a random prime (Maple rand, isprime) ofagivensize,weuse
the following theorem to estimate the number of integers we must try before
finding a prime. Let π(n) =#{a :0

Algorithm 1.5 ( Pseudo(a, n) )
1: IF gcd(a, n) ≠1THEN RETURN “composite”,
2: Let t be an odd number and s apositiveintegersuchthatn − 1=t2 s
3: x ← a t mod n, y ← n − 1,
4: FOR i ← 0 TO s
5: IF x =1AND y = n − 1 THEN RETURN “pseudo”,
6: y ← x, x ← x 2 mod n,
7: ENDFOR
8: RETURN “composite”.
It is easy to show that if n is prime, then Pseudo(a, n) returns“pseudo”
for all a, 0

EXAMPLE
n = 37*43 = 1591,
n-1 = 1590 = 795*2
t = 795, s = 1
a = 16
x = 16 795 mod 1591, y = 1590
i=0, x = 692 ≠ 1, y = n-1
i=1, x = 1564 ≠ 1, y=692
1591 is composite

EXAMPLE
n = 1597,
n-1 = 1596 = 399*4
t = 399, s = 2
a = 16
x = 16 399 mod 1597, y = 1596
i=0, x = 1, y = n-1
1597 is pseudo

EXAMPLE
n = 1597,
n-1 = 1596 = 399*4
t = 399, s = 2
a = 17
x = 17 399 mod 1597, y = 1596
i=0, x = 1, y = n-1
1597 is pseudo

EXAMPLE
n = 1597,
n-1 = 1596 = 399*4
t = 399, s = 2
a = 18
x = 18 399 mod 1597, y = 1596
i=0, x = 610, y = n-1
i=1, x = 1596, y = 610
i=2, x = 1, y = 1596
1597 is pseudo

Algorithm 1.6 ( Miller-Rabin prime(n, k) )
1: FOR i ← 1 TO k
2: Pick a random element a, 0

EXAMPLE
n = 1597
is either prime
or we just experienced an event
(3 random occurrences of “pseudo”)
that happens with probability at
most 1/64.
We are almost certain that 1597 is
prime...

In August of 2002, Agrawal, Kayal, and Saxena, announced the discovery
of a deterministic primality test running in polynomial time. Unfortunately
this test is too slow in practice... its running time being O(|n| 12 ).
To prove that an integer n is prime:
Let a be an integer such that gcd(a, n) =1.
n is prime if and only if, for all such a
(x + a) n ≡ x n + a (mod n)
Manindra Agrawal, Neeraj Kayal, and Nitin Saxena

1.6 Quadratic Residuosity problem
Definition 1.11
J n := {a ∈ Z n |
( a
n)
=1}
Theorem 1.12 Let n be a(
product ) ( of ) two distinct odd primes p and q. Then
we have that a ∈ QR n iff = =1.
a
p
a
q
Definition 1.13 The quadratic residuosity problem (QRP) is the following:
given an odd composite integer n and a ∈ J n ,decidewhetherornota is a
quadratic residue modulo n.
Definition 1.14 (pseudosquare) Let n ≥ 3 be an odd integer. An integer a
is said to be a pseudosquare modulo n if a ∈ QNR n
⋂
Jn .

Remark: If n is a prime, then it is easy to decide if a is in QR n ,since
a ∈ QR n iff a ∈ J n ,andtheLegendresymbolcanbeefficientlycomputedby
algorithm 1.3.
If n is a product of two distinct odd primes ( p and ) q, thenitfollowsfrom
theorem 1.12 that if a ∈ J n ,thena ∈ QR n iff =1.
If we can factor ( ) n, thenwecanfindoutifa ∈ QR n by computing the
Legendre symbol .
a
p
If the factorization of n is unknown, then there is no efficient algorithm known
to decide if a ∈ QR n .
a
p

Shafi Goldwasser
Silvio Micali
This leads to the Goldwasser-Micali probabilistic encryption algorithm:
Init: Alice starts by selecting two large distinct prime numbers p and q.
She then computes n = pq and selects a pseudosquare y. n and y will be
public, p and q private.
Algorithm 1.7 ( Goldwasser-Micali probabilistic encryption )
1: Represent message m in binary (m = m 1 m 2 ...m t ).
2: FOR i =1TO t DO
3:
∗
Pick x ∈ R Z n
4: c i ← y m i
x 2 mod n
5: RETURN c = c 1 c 2 ...c t

3: Pick x ∈ R Z n
∗
4: c i ← y m i
x 2 mod n
5: RETURN c = c 1 c 2 ...c t
Algorithm 1.8 ( Goldwasser-Micali decryption )
1: FOR i =1TO t DO
2: e i ←
(
ci
p
)
using algo 1.3.
3: IF e i =1THEN m i ← 0 ELSE m i ← 1
4: RETURN m = m 1 m 2 ...m t

2 Finite Fields
2.1 Prime Fields
Let p be a prime number. The integers 0, 1, 2,...,p − 1withoperations
+modp et × mod p constitute a field F p of p elements.
• contains an additive neutral element (0)
• each element e has an additive inverse −e
• contains an multiplicative neutral element (1)
• each non-zero element e has a multiplicative inverse e −1
Évariste Galois
• associativity
• commutativity
• distributivity

Examples
F 2 =({0, 1}, ⊕, ∧). F 5 =({0, 1, 2, 3, 4}, +, ×) definedby
+ 0 1 2 3 4
0 0 1 2 3 4
1 1 2 3 4 0
2 2 3 4 0 1
3 3 4 0 1 2
4 4 0 1 2 3
× 0 1 2 3 4
0 0 0 0 0 0
1 0 1 2 3 4
2 0 2 4 1 3
3 0 3 1 4 2
4 0 4 3 2 1
Other kind of finite fields for numbers q not necessarily prime exist (Maple
GF). This is studied in another section. In general we refer to F q for a finite
field, but you may think of the special case F p if you do not wish to find out
about the general field construction.

2.1.1 Primitive Elements
In all finite fields F q (and some groups in general) there exists a primitive
element, thatisanelementg of the field such that g 1 ,g 2 ,...,g q−1 enumerate
all of the q − 1non-zeroelementsofthefield. Weusethefollowingtheorem
to find a primitive element over F q .
Theorem 2.1 Let l 1 ,l 2 ,...,l k be the prime factors of q−1 and m i =(q−1)/l i
for 1 ≤ i ≤ k. Anelementg is primitive over F q if and only if
• g q−1 =1
• g mi ≠1for 1 ≤ i ≤ k

Algorithm 2.1 ( Primitive(q) )
1: Let l 1 ,l 2 ,...,l k be the prime factors of q−1 and m i = q−1
l i
for 1 ≤ i ≤ k,
2: REPEAT
3: pick a random non-zero element g of F q ,
4: UNTIL g mi ≠1for 1 ≤ i ≤ k,
5: RETURN g.
(Maple primroot, G[PrimitiveElement])
We use the following theorems to estimate the number of field elements
we must try in order to find a random primitive element.
Theorem 2.2 #{g : g is a primitive element of F q } = φ(q − 1).
Theorem 2.3 lim inf
n→∞
φ(n)loglogn
n
= e −γ ≈ 0.5614594836
Example: 2isaprimitiveelementofF 5 since {2, 2 2 , 2 3 , 2 4 } = {2, 4, 3, 1}.

Relation to Quadratic residues As an interesting note, if g is a primitive
element of the field F p ,foraprimep, thenwehave:
QR p = {g 2i mod p :0≤ i

Factoring q − 1... The only efficient way we know to finding a primitive
element in fields F q is when the factorization of q − 1isknown. Ingeneral,it
may be difficult to factor q − 1. However, if we are after a large field with a
random number of elements, Eric Bach has devised an efficient probabilistic
algorithm to generate random integers of a given size with known factorization.
Recently, Adam Kalai has invented a somewhat slower algorithm that
is much simpler. Suppose we randomly select r with its factorization using
Bach’s or Kalai’s algorithm. We may check whether r +1 is a prime or a
prime power. In this case a finite field of r +1elements isobtainedand a
primitive element may be computed.
Eric Bach
Adam Kalai

Algorithm 2.2 ( Kalai randfact(n) )
1: Generate a sequence n = s 0 ≥ s 1 ≥ s 2 ≥ ... ≥ s l =1by picking
s i+1 ∈ R {1, 2,...,s i },untilreachings l =1.
2: Let r be the product of the prime s i ’s, 1 ≤ i ≤ l.
3: IF r ≤ n THEN with probability r/n RETURN (r, {prime s i ’s}).
4: Otherwise, RESTART.
∏
Theorem 2.4 The probability of producing r at step 2 is M n /r, whereM n =
(1 − 1/p).
p≤n
Thus by outputting r with probability r/n in step 3, each possible value
is generated with equal probability M n r
= M n
r n n
.Theoverallprobabilitythat
some small enough r is produced and chosen in step 3 is ∑ M n
1≤r≤n n
= M n .
Theorem 2.5 lim
n→∞
M n log n = e −γ ≈ 0.5614594836

EXAMPLE
n = 10000000
S = [2710128, 641972, 624230,
63651, 29726, 20674, 18328, 11419,
2278, 225, 111, 20, 9, 6, 4, 3˙, 3˙, 3˙,
3˙, 2˙, 1]
r = 3*3*3*3*2 = 162 < 10000000
output r with prob 162/10000000

EXAMPLE
n = 10000000
S = [1710521, 1598315, 1593963,
391063˙, 358492, 238266, 47754,
16614, 15731˙, 15278, 13784, 5463,
3157, 1668, 764, 666, 25, 15, 1]
r = 391063*15731
= 6151812053 > 10000000
output r with prob 0

EXAMPLE
n = 10000000
S = [4721693, 4476798, 78400,
64925, 16481˙, 4780, 529, 251˙,
189, 182, 175, 72, 1]
r = 16481*251 = 4136731 < 10000000
output r
with prob 4136731/10000000 ≈ 41%
4136731, [16481, 251]

2.2 Polynomials over a field
ApolynomialoverF p is specified by a finite sequence (a n ,a n−1 ,...,a 1 ,a 0 )of
elements from F p ,witha n ≠0.Thenumbern is the degree of the polynomial.
We have operations +, −, × on polynomials analogous to the similar integer
operations. Addition and subtraction are performed componentwise using
the addition + and subtraction − of the field F p .
Products are computed by adding all the products of coefficients associated
to pairs of exponents adding to a specific exponent.
Example:
(x 4 + x +1)× (x 3 + x 2 + x)
= x 4 × (x 3 + x 2 + x)+x × (x 3 + x 2 + x)+1× (x 3 + x 2 + x)
= (x 7 + x 6 + x 5 )+(x 4 + x 3 + x 2 )+(x 3 + x 2 + x)
= x 7 + x 6 + x 5 + x 4 +(1+1)x 3 +(1+1)x 2 + x
= x 7 + x 6 + x 5 + x 4 + x

We also have operations g(x) modh(x)(Maplemodpol, rem)andg(x) divh(x)
Maple quo) defined as the unique polynomials r(x) andq(x) such that
(x) =q(x)h(x) +r(x) withdeg(r)

2.2.1 Irreducible Polynomials
Apolynomialg(x) isirreducible (Maple irreduc) ifitisnottheproductof
two polynomials h(x),k(x) oflowerdegrees. Weusethefollowingtheorem
to find irreducible polynomials.
Theorem 2.6 Let l 1 ,l 2 ,...,l k be the prime factors of n and m i = n/l i for
1 ≤ i ≤ k. Apolynomialg(x) of degree n is irreducible over F p iff
• g(x)|x pn − x
• gcd(g(x),x pm i
− x) =1for 1 ≤ i ≤ k

F 2
x +1 x 9 + x 4 +1
x 2 + x +1 x 10 + x 3 +1
x 3 + x +1 x 11 + x 2 +1
x 4 + x +1 x 12 + x 6 + x 4 + x +1
x 5 + x 2 +1 x 13 + x 4 + x 3 + x +1
x 6 + x +1 x 14 + x 10 + x 6 + x +1
x 7 + x 3 +1 x 15 + x +1
x 8 + x 4 + x 3 + x 2 +1 x 16 + x 12 + x 3 + x +1
Figure 1: Irreducible polynomials over F 2 .
F 3 F 5 F 7
x +1 x +1 x +1
x 2 + x +2 x 2 + x +2 x 2 + x +3
x 3 +2x +1 x 3 +3x +2 x 3 +3x +2
x 4 + x +2 x 4 + x 2 + x +2
x 5 +2x +1
x 6 + x +2
Figure 2: Irreducible polynomials over F 3 ,F 5 ,F 7 .

Algorithm 2.3 ( Rabin Irr(p, n) )
1: let l 1 ,l 2 ,...,l k be the prime factors of n and m i = n/l i for 1 ≤ i ≤ k,
2: REPEAT
3: pick a random polynomial h(x) of degree n − 1 over F p ,andset
g(x) ← x n + h(x),
4: UNTIL x pn mod g(x) =x and
gcd(g(x),x pm i
mod g(x) − x) =1for 1 ≤ i ≤ k,
5: RETURN g.
We use the following theorem to estimate the number of polynomials we
have to try on average before finding one that is irreducible.
Theorem 2.7 Let m(n) be the number of irreducible polynomials g(x) of
degree n of the form g(x) =x n + h(x) where h(x) is of degree n − 1. Wehave
p n
2n ≤ pn − p n/2 log n
n
≤ m(n) ≤ pn
n .

2.3 General Fields
Let p be a prime number and n apositiveinteger. Weconstructafieldwith
p n elements (Maple GF) fromthebasisfieldF p with p elements.
• The elements of F p n
F p .
are of the form a 1 a 2 ...a n where a i is an element of
• The sum of two elements of F p n
is defined by
a 1 a 2 ...a n + b 1 b 2 ...b n = c 1 c 2 ...c n
such that c i = a i + b i for 1 ≤ i ≤ n.
• The product of two elements of F p n
is defined by
a 1 a 2 ...a n × b 1 b 2 ...b n = c 1 c 2 ...c n
such that
(c 1 x n−1 + c 2 x n−2 + ... + c n )=
(a 1 x n−1 + a 2 x n−2 + ... + a n ) × (b 1 x n−1 + b 2 x n−2 + ... + b n )modr(x)
where r(x) isanirreduciblepolynomialofdegreen over F p .

Examples computations over F 2 5
10011 + 01110 = (1 + 0)(0 + 1)(0 + 1)(1 + 1)(1 + 0) = 11101
+ 000 001 010 011 100 101 110 111
000 000 001 010 011 100 101 110 111
001 001 000 011 010 101 100 111 110
010 010 011 000 001 110 111 100 101
011 011 010 001 000 111 110 101 100
100 100 101 110 111 000 001 010 011
101 101 100 111 110 001 000 011 010
110 110 111 100 101 010 011 000 001
111 111 110 101 100 011 010 001 000
addition of F23

10011×01110 = 01001 since (x 4 +x+1)×(x 3 +x 2 +x) mod(x 5 +x 2 +1) =
x 3 +1.
× 000 001 010 011 100 101 110 111
000 000 000 000 000 000 000 000 000
001 000 001 010 011 100 101 110 111
010 000 010 100 110 011 001 111 101
011 000 011 110 101 111 100 001 010
100 000 100 011 111 110 010 101 001
101 000 101 001 100 010 111 011 110
110 000 110 111 001 101 011 010 100
111 000 111 101 010 001 110 100 011
multiplication of F23
Figure 3: operations of F 2 3

COMP-547A
/B
Cryptography and Data Security
Lecture 01 02-06
Prof. Claude Crépeau
School of Computer Science
McGill University

EXTRA SLIDES

1.4.5 ∗∗∗ Extracting Square Roots modulo p e
If we have a solution r to r 2 ≡ a (mod p), how do we find a solution s to
s 2 ≡ a (mod p e )fore>1
The chinese remainder theorem does not apply here. We have to figure
things out in a different way.

First, consider the case e =2. Sincer 2 ≡ a (mod p), there exists an
integer m =(r 2 − a)/p such that r 2 − a = mp. Supposethesolutionmodp 2
is of the form s = r + kp for some integer k. Let’sexpands 2 :
and therefore
s 2 =(r + kp) 2 = r 2 +2rkp +(kp) 2 = mp + a +2rkp +(kp) 2
s 2 ≡ a +(m +2rk) ∗ p (mod p 2 ).
We find a solution s by making m +2rk amultipleofp so that
(m +2rk) ∗ p ≡ 0 (mod p 2 ).

The following value of k will acheive our goal
k ≡−m ∗ (2r) −1 (mod p)
and thus remembering s = r + kp we get
s = r − (m ∗ (2r) −1 mod p) ∗ p
and finally remembering m =(r 2 − a)/p we obtain a solution
s = r +(a − r 2 ) ∗ ((2r) −1 mod p).

Second, notice that the same exact reasoning allows to go from thecase
p e to the case p 2e ,meaningthatanysolutionr to r 2 ≡ a (mod p e ), can be
transformed to a solution s = r + kp e of s 2 ≡ a (mod p 2e ).
Using this argument i times allows to start from a solution r to r 2 ≡ a
(mod p), and find a solution s to s 2 ≡ a (mod p 2i ).
Finally, to solve the general problem where e is not necessarily a power
of 2, let i be the smallest integer such that 2 i ≥ e. From a solution r to
r 2 ≡ a (mod p), find a solution to s 2 ≡ a (mod p 2i )andsincep e |p 2i this
same solution s will also work mod p e .

2.4 Application of finite fields: Secret Sharing
ApolynomialoverF q is specified by a finite sequence (a n ,a n−1 ,...,a 1 ,a 0 )of
elements from F q ,witha n ≠0.Thenumbern is the degree of the polynomial.
Theorem 2.8 (Lagrange’s Interpolation) Let x 0 ,x 1 ,...,x d be distinct elements
of a field F q and y 0 ,y 1 ,...,y d be any elements of F q . There exists a
unique polynomial p(x) over F q with degree ≤ d such that p(x i )=y i for
1 ≤ i ≤ n.
Algorithm 2.4 ( Interpolation(x 0 ,x 1 ,...,x d ,y 0 ,y 1 ,...,y d ) )
1: return
⎛
⎜
⎝
1 x 0 ... x d 0
1 x 1 ... x d 1
.
. . .. .
1 x d ... x d d
⎞
⎟
⎠
−1 ⎛
⎜
⎝
⎞
y 0
y 1
⎟
. ⎠
y d
Adi Shamir
Of course the matrix inversion is to be performed over F q ,whichmeansall
additions, subtractions and multiplications are calculated within the field,
and divisions are performed by multiplying with the multiplicative inverse in
the field.

Suppose Alice wants to distribute a secret S among n people P 1 ,P 2 ,...,P n
in such a way that any k of them can recover the secret from their joint information,
while it remains perfectly secret when any k − 1orlessofthem
get together. This is what we call a [n, k]-secret sharing scheme.
Algorithm 2.5 ( SSSS(S) )
1: a 0 ← S,
2: FOR i := 1 TO k − 1 DO a i ← uniform(0..p − 1)
3: FOR j := 1 TO n DO s i ← a k−1 j k−1 + ...+ a 1 j + a 0 mod p
4: RETURN s 1 ,s 2 ,...,s n .

Let’s be a bit more formal. Let S be Alice’s secret from the finite set
{0, 1, 2,...,M} and let p be a prime number greater than M and n, the
number of share holders. Shamir’s construction of a [n, k]-secret sharing
scheme is as follows.
Share s j is given to P j secretly by Alice. In order to find S, k or more
people may construct the matrix from Lagrange’s theorem from thedistinct
values x j = j and find the unique (a 0 ,a 1 ,...,a k−1 )correspondingtotheir
values y j = s j .
Theorem 2.9 For 0 ≤ m ≤ n, distinctj 1 ,j 2 ,...,j m and any s j1 ,s j2 ,...,s jm
S|[j 1 ,s j1 ], [j 2 ,s j2 ],...,[j m ,s jm ]=
{ C if m ≥ k
U if m

Algorithm 2.6 ( Solve(x 1 ,x 2 ,...,x m ,s 1 ,s 2 ,...,s m ) )
⎛
⎜
⎝
1 x 1 ... x k+d
1 −s 1 ... −s 1 x k−1
1
1 x 2 ... x k+d
2 −s 2 ... −s 2 x2
k−1
.
. . .. .
. . .. .
. .
. .. . .
. .. .
1 x i ... x k+d
i
−s i ... −s i x k−1
i
.
. . .. .
. . .. .
. .
. .. . .
. .. .
1 x m ... xm k+d −s m ... −s m x k m
⎞
⎟
⎠
⎛
⎜
⎝
⎞
n 0
n 1
.
.
n k+d
w 0
w 1
⎟
. ⎠
w k−1
=
⎛
⎜
⎝
s 1 x k 1
s 2 x k 2
.
.
s i x k i
.
.
s m x k m
⎞
⎟
⎠