MATH 470 Lecture 13

« previous | Tuesday, February 26, 2013 | next »

Lagrange's Theorem

(special case) offers a way to check if ${\displaystyle a}$ is a generator for ${\displaystyle (\mathbb {Z} /p\mathbb {Z} )^{*}}$

If ${\displaystyle p}$ is prime and ${\displaystyle a\in \left(\mathbb {Z} /p\mathbb {Z} \right)^{*}}$,

Then ${\displaystyle \mathrm {ord} _{p}(a)\mid (p-1)}$, where ${\displaystyle \mathrm {ord} _{p}(a)}$ is the smallest exponent ${\displaystyle e\neq 0}$ with ${\displaystyle a^{e}\equiv 1{\pmod {p}}}$.

Proof. Suppose ${\displaystyle k=\mathrm {ord} _{p}(a)}$. Consider ${\displaystyle \ell =\mathrm {GCD} (k,p-1)}$.

By the Extended Euclidean Algorithm, there are ${\displaystyle x,y\in \mathbb {Z} }$ with ${\displaystyle k\,x+(p-1)\,y=\ell }$.

So then ${\displaystyle a^{\ell }\equiv a^{k\,x+(p-1)y}\equiv 1{\pmod {p}}}$. Since ${\displaystyle \ell \mid k}$ (since ${\displaystyle k=\mathrm {ord} _{p}(a)}$, we must have ${\displaystyle \ell \geq k}$. By construction, ${\displaystyle \ell \mid k\implies \ell =k}$, so ${\displaystyle k\mid (p-1)}$.

Corollary

If ${\displaystyle p}$ is prime and ${\displaystyle a\in (\mathbb {Z} /p\mathbb {Z} )^{*}}$ and ${\displaystyle a^{\frac {p-1}{q}}\not \equiv 1{\pmod {p}}}$ for all primes ${\displaystyle q\mid (p-1)}$,

Then ${\displaystyle a}$ is a generator of ${\displaystyle \mathbb {Z} /p\mathbb {Z} )^{*}}$.

In particular, given a list ${\displaystyle \{a_{1},\ldots ,a_{k}\}}$ of all primes dividing ${\displaystyle p-1}$, you can check the preceding condition in time ${\displaystyle O((\log {p})^{4})}$

Proof. We must show that ${\displaystyle \mathrm {ord} _{p}(a)=p-1}$. By Lagrange's theorem, ${\displaystyle \mathrm {ord} _{p}(a)\mid (p-1)}$.

So we need to rule out ${\displaystyle \mathrm {ord} _{p}(a)}$ being a divisor of ${\displaystyle p-1}$ other than ${\displaystyle p-1}$.

If ${\displaystyle p-1=q_{1}^{e_{1}}\dots q_{k}^{e_{k}}}$ is the factorization of ${\displaystyle p-1}$, then any ${\displaystyle d<p-1}$ dividing ${\displaystyle p-1}$ must divide ${\displaystyle {\tfrac {p-1}{q_{1}}}}$ or ${\displaystyle {\tfrac {p-1}{q_{2}}}}$ or ... or ${\displaystyle {\tfrac {p-1}{q_{k}}}}$.

Now ${\displaystyle a^{\frac {p-1}{q}}\not \equiv 1{\pmod {p}}}$ for all ${\displaystyle q\mid (p-1)}$ is equivalent to ${\displaystyle a^{\frac {p-1}{q_{1}}}\not \equiv 1{\pmod {p-1}}}$, ..., ${\displaystyle a^{\frac {p-1}{q_{k}}}\not \equiv 1{\pmod {p-1}}}$. So if ${\displaystyle \mathrm {ord} _{p}(a)<p-1}$, it would divide one of ${\displaystyle {\tfrac {p-1}{q_{1}}}}$ or ... or ${\displaystyle {\tfrac {p-1}{q_{k}}}}$, which is impossible.

Therefore ${\displaystyle \mathrm {ord} _{p}(a)=p-1}$.

Complexity Bounds

By Theorem 5.4.1 (of Bach and Shallit), computing ${\displaystyle a^{e}{\pmod {n}}}$ takes ${\displaystyle O((\log {e})(\log ^{2}{n}))}$ bit operations. So computing ${\displaystyle a^{\frac {p-1}{q}}{\pmod {p}}}$ takes ${\displaystyle O((\log {p})^{3})}$ bit operations. By problem 5 of homework 6, the number of primes dividing ${\displaystyle p-1}$ is ${\displaystyle O(\log {p})}$

Last Words on RSA

et tu Brute?

To solve problem 1 on the homework, frequency analysis might be useful (decrypt and check that text is in English)

In Ruby,

require 'openssl' base.to_bn.mod_exp(exponent, modulus)

RSA and World Peace

How can the UN monitor Iran's nuclear reactors reliably and still have Iran happy?

Build Good non-tamperable sensors

OR Use RSA as follows: given private large primes ${\displaystyle p}$ and ${\displaystyle q}$, private decryption key ${\displaystyle d}$, public encryption key ${\displaystyle e}$, and large number ${\displaystyle n=p\,q}$

If the sensor reads ${\displaystyle x}$, transmit ${\displaystyle (x,x^{d})}$.

Iran is happy: they can verify that ${\displaystyle x=(x^{d})^{e}}$ so they know the UN is not transmitting secrets or anything.

The UN is happy: they can compute ${\displaystyle x^{d}}$ and check that it really is the supposedly-transmitted ${\displaystyle x^{d}}$.

It is hard to mess with ${\displaystyle x}$ to get ${\displaystyle x'}$ and still have ${\displaystyle (x')^{d}=x^{d}}$. If you mess with ${\displaystyle x}$ and ${\displaystyle x^{d}}$, then you need to know ${\displaystyle d}$!