
COMP-547 Fall 2023

Cryptography & Data Security


Lecture 04
Claude Crépeau
Solving linear congruences:
A linear congruence is an expression of the form
ax ≡ b (mod N)
for known a, b, N and unknown x.

Clearly, we can solve for x whenever gcd(a, N) = 1 since in
that case $a^{-1} \pmod N$ exists and $x \equiv b \cdot a^{-1} \pmod N$.
EXAMPLE

7x ≡ 5 (mod 9)
$7^{-1} \cdot 7x \equiv 7^{-1} \cdot 5 \pmod 9$
4∙7x ≡ 4∙5 (mod 9)        (since 7∙4 = 28 ≡ 1 (mod 9), i.e. $7^{-1} \equiv 4 \pmod 9$)
x ≡ 2 (mod 9)
Similarly, when gcd(a, N) = g > 1 the situation can be
modified to apply the same strategy.

• If g ∤ b then no solution exists.

• If it is the case that g | b as well, we can solve the
following system instead:

$\hat a \cdot \hat x \equiv \hat b \pmod{\hat N}$

where $\hat a = a/g$, $\hat b = b/g$, $\hat N = N/g$.

Since $\gcd(\hat a, \hat N) = 1$, $\hat a^{-1} \pmod{\hat N}$ exists and we compute

$\hat x \equiv \hat b \cdot \hat a^{-1} \pmod{\hat N}$.

Finally, we know that a solution x modulo N must
satisfy $x \equiv \hat x \pmod{\hat N}$. Thus we can write

$x_0 = \hat x,\ \ldots,\ x_k = \hat x + k\hat N,\ \ldots,\ x_{g-1} = \hat x + (g-1)\hat N$

and consider all such $x_k$ with 0 ≤ k < g. All these g
possibilities are valid solutions to the original system, and they are
the only ones modulo N.
Summary

To solve ax ≡ b (mod N)

• Compute g = gcd(a, N).

• If g ∤ b then there are no solutions,
otherwise there are g distinct solutions, for 0 ≤ k < g, given by

$x_0 = \hat x,\ \ldots,\ x_k = \hat x + k\hat N,\ \ldots,\ x_{g-1} = \hat x + (g-1)\hat N$

where $\hat N = N/g$, $\hat a = a/g$, $\hat b = b/g$, $\hat x \equiv \hat b \cdot \hat a^{-1} \pmod{\hat N}$.
EXAMPLE
6x ≡ 5 (mod 9)
has no solution because
gcd(6,9)=3 and 3∤5.
----------------------------------
6x ≡ 3 (mod 9)
2x ≡ 1 (mod 3) since gcd(6,9) = 3 | 3
$2^{-1} \cdot 2x \equiv 2^{-1} \cdot 1 \pmod 3$
x ≡ 2 (mod 3)
x ≡ 2, 5, 8 (mod 9)
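The procedure from the summary (compute g, test g | b, divide through, invert, lift to the g solutions modulo N), as an added Python example that is not part of the lecture slides. The function names are mine; the code assumes Python 3.8+, where the three-argument pow with exponent -1 computes a modular inverse by the extended Euclidean algorithm. An exhaustive solver is included so the formula can be cross-checked against a reference answer on every small instance.

```python
from math import gcd


def solve_linear_congruence(a: int, b: int, N: int) -> list[int]:
    """All x in [0, N) with a*x ≡ b (mod N), following the summary above.

    g = gcd(a, N). If g does not divide b there is no solution (empty list).
    Otherwise divide a, b, N by g, invert a/g modulo N/g, and lift the unique
    solution x_hat modulo N/g to the g distinct solutions x_hat + k*(N/g).
    """
    if N <= 0:
        raise ValueError("modulus N must be positive")
    a, b = a % N, b % N
    g = gcd(a, N)               # gcd(0, N) == N, so a ≡ 0 (mod N) is handled too
    if b % g != 0:
        return []               # g ∤ b: no solution
    a_hat, b_hat, N_hat = a // g, b // g, N // g
    if N_hat == 1:              # a ≡ 0 and b ≡ 0 (mod N): every residue is a solution
        return list(range(N))
    # gcd(a_hat, N_hat) == 1, so the inverse exists; pow(x, -1, m) (Python 3.8+)
    # computes it with the extended Euclidean algorithm.
    x_hat = (b_hat * pow(a_hat, -1, N_hat)) % N_hat
    return [x_hat + k * N_hat for k in range(g)]


def brute_force_solutions(a: int, b: int, N: int) -> list[int]:
    """Reference answer by exhaustive search, used to cross-check the formula."""
    return [x for x in range(N) if (a * x - b) % N == 0]


if __name__ == "__main__":
    # The three instances worked on the slides: one unit coefficient, one
    # unsolvable case (g ∤ b), one with g = 3 solutions.
    for a, b, N in ((7, 5, 9), (6, 5, 9), (6, 3, 9)):
        sols = solve_linear_congruence(a, b, N)
        print(f"{a}x ≡ {b} (mod {N}):", sols if sols else "no solution")
```

The cross-check loop in the test exercises every (a, b) pair for a few small moduli, including a ≡ 0, so the edge cases (g = N, g ∤ b) are covered rather than just the slide's three instances.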
Chinese Remainder Theorem: Let m1, m2, . . . , mr
be r positive integers such that
gcd(mi, mj) = 1 for 1 ≤ i < j ≤ r
and let a1, a2, . . . , ar be arbitrary integers.
The system of r congruences,

x ≡ a1 (mod m1)
...
x ≡ ar (mod mr)

has a unique solution modulo M = m1 ⋅ ⋅ ⋅ mr given by

$x = \sum_{i=1}^{r} a_i M_i y_i \bmod M$

where $M_i = M / m_i$ and $y_i = M_i^{-1} \bmod m_i$.

(Qin Jiushao)
EXAMPLE
x ≡ 5 (mod 9)
x ≡ 3 (mod 4)
x ≡ 7 (mod 13)
has a unique solution mod 468 = 4∙9∙13
$x = 5 \cdot 52 \cdot (52^{-1} \bmod 9)$
$\quad + 3 \cdot 117 \cdot (117^{-1} \bmod 4)$
$\quad + 7 \cdot 36 \cdot (36^{-1} \bmod 13)$
x = 260∙4 + 351∙1 + 252∙4
x = 1040 + 351 + 1008
x = 2399
x ≡ 59 (mod 468)
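The CRT formula above in executable form, as an added Python example that is not from the lecture slides (the function names are mine; Python 3.8+ is assumed for pow(x, -1, m)). Beyond the single worked system, it checks the pairwise-coprimality hypothesis explicitly, since the formula silently returns garbage when it is violated, and the accompanying test walks every x modulo 468 to confirm the uniqueness claim: splitting x into its residues and recombining always returns x.

```python
from math import gcd, prod


def is_pairwise_coprime(moduli: list[int]) -> bool:
    """The CRT hypothesis: gcd(m_i, m_j) = 1 for every i < j."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def crt(residues: list[int], moduli: list[int]) -> tuple[int, int]:
    """Solve x ≡ a_i (mod m_i) for pairwise coprime positive moduli m_i.

    Returns (x, M) with 0 <= x < M = m_1 * ... * m_r, computed as
    x = sum(a_i * M_i * y_i) mod M with M_i = M / m_i and y_i = M_i^{-1} mod m_i.
    """
    if not moduli or len(residues) != len(moduli):
        raise ValueError("need exactly one residue per modulus")
    if any(m < 1 for m in moduli):
        raise ValueError("moduli must be positive")
    if not is_pairwise_coprime(moduli):
        raise ValueError("moduli are not pairwise coprime; CRT does not apply")
    M = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        # gcd(M_i, m_i) = 1 by pairwise coprimality, so the inverse exists.
        # (Everything is ≡ 0 modulo 1, so a modulus of 1 contributes nothing.)
        y_i = pow(M_i, -1, m_i) if m_i > 1 else 0
        x += a_i * M_i * y_i
    return x % M, M


def satisfies(x: int, residues: list[int], moduli: list[int]) -> bool:
    """Independent check that x really meets every congruence."""
    return all((x - a_i) % m_i == 0 for a_i, m_i in zip(residues, moduli))


def to_residues(x: int, moduli: list[int]) -> list[int]:
    """The inverse direction of the CRT bijection Z_M -> Z_{m_1} x ... x Z_{m_r}."""
    return [x % m for m in moduli]


if __name__ == "__main__":
    x, M = crt([5, 3, 7], [9, 4, 13])
    print(f"x ≡ {x} (mod {M})")          # the slide's instance
```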
Quadratic Residues

Quadratic residues modulo N are the integers with an
integer square root modulo N:

$QR_N = \{a : \gcd(a, N) = 1,\ \exists r\,[a \equiv r^2 \pmod N]\}$
$QNR_N = \{a : \gcd(a, N) = 1,\ \forall r\,[a \not\equiv r^2 \pmod N]\}$

Example:
QR17 = {1,2,4,8,9,13,15,16}
QNR17 = {3,5,6,7,10,11,12,14}
since
$\{1^2, 2^2, 3^2, 4^2, 5^2, 6^2, 7^2, 8^2, 9^2, 10^2, 11^2, 12^2, 13^2, 14^2, 15^2, 16^2\} \equiv \{1,2,4,8,9,13,15,16\} \pmod{17}$.

Theorem
Let p be an odd prime number, then
#QRp = #QNRp = (p − 1)/2.
Legendre and Jacobi Symbols

For an odd prime number p, we define the Legendre symbol as:

$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \mid a \\ +1 & \text{if } a \in QR_p \\ -1 & \text{if } a \in QNR_p \end{cases}$

For any odd integer N = p1 p2 ⋯ pk (a product of odd primes, not necessarily distinct), we define the Jacobi symbol
(a generalization of the Legendre symbol) as

$\left(\frac{a}{N}\right) = \left(\frac{a}{p_1}\right)\left(\frac{a}{p_2}\right)\cdots\left(\frac{a}{p_k}\right)$

(Adrien-Marie Legendre, Carl Gustav Jacob Jacobi)


Properties of Legendre and Jacobi Symbols

$\left(\frac{1}{N}\right) = +1$

$\left(\frac{ab}{N}\right) = \left(\frac{a}{N}\right)\left(\frac{b}{N}\right)$

$\left(\frac{a}{N}\right) = \left(\frac{a \bmod N}{N}\right)$

For N odd

$\left(\frac{-1}{N}\right) = (-1)^{(N-1)/2}$

$\left(\frac{2}{N}\right) = (-1)^{(N^2-1)/8}$

For a, N odd and such that gcd(a, N) = 1

$\left(\frac{a}{N}\right)\left(\frac{N}{a}\right) = (-1)^{(N-1)(a-1)/4}$
ALGORITHM B.𝜔
Jacobi Symbols Algorithm Jaco

Input: non-negative integers a, b, with b odd (the Jacobi symbol is only defined for odd b)

Output: the Jacobi symbol $\left(\frac{a}{b}\right)$ of a w.r.t. b

if a ≤ 1 return a
if a is odd:  if a ≡ b ≡ 3 (mod 4) return − Jaco(b mod a, a)
              else return + Jaco(b mod a, a)
else:         if b ≡ ± 1 (mod 8) return + Jaco(a/2, b)
              else return − Jaco(a/2, b).

running time: O(|a||b|)


EXAMPLE
Jacobi(527, 723)
= -Jacobi(723 mod 527, 527)     (527 ≡ 723 ≡ 3 (mod 4))
= -Jacobi(196, 527)
= -Jacobi(98, 527)              (527 ≡ −1 (mod 8))
= -Jacobi(49, 527)
= -Jacobi(527 mod 49, 49)       (49 ≡ 1 (mod 4))
= -Jacobi(37, 49)
= -Jacobi(49 mod 37, 37)        (37 ≡ 1 (mod 4))
= -Jacobi(12, 37)
= Jacobi(6, 37)                 (37 ≡ 5 (mod 8))
= -Jacobi(3, 37)
= -Jacobi(37 mod 3, 3)          (37 ≡ 1 (mod 4))
= -Jacobi(1, 3)
= -1
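Algorithm Jaco together with the quadratic-residue definition from the earlier slide, as an added Python example that is not the lecture's own code (function names are mine). It reproduces Jacobi(527, 723) = −1, checks the listed properties ((−1/N), (2/N), reciprocity) on small odd N, and adds the caveat a practitioner must keep in mind when using the Jacobi symbol as a cheap residuosity test: for composite N, (a/N) = +1 does not imply a ∈ QR_N, because two −1 Legendre factors multiply to +1.

```python
from math import gcd


def jacobi(a: int, b: int) -> int:
    """Jacobi symbol (a/b) for odd positive b, following algorithm Jaco."""
    if b <= 0 or b % 2 == 0:
        raise ValueError("the Jacobi symbol is only defined for odd positive b")
    if b == 1:
        return 1                 # (a/1) = 1: empty product of Legendre symbols
    a %= b                       # property (a/b) = (a mod b / b)
    if a <= 1:
        return a                 # (0/b) = 0 since gcd(0, b) = b > 1; (1/b) = 1
    if a % 2 == 1:
        # odd a: quadratic reciprocity, sign flips iff a ≡ b ≡ 3 (mod 4)
        sign = -1 if (a % 4 == 3 and b % 4 == 3) else 1
        return sign * jacobi(b % a, a)
    # even a: pull out one factor of 2; (2/b) = +1 iff b ≡ ±1 (mod 8)
    sign = 1 if b % 8 in (1, 7) else -1
    return sign * jacobi(a // 2, b)


def is_quadratic_residue(a: int, N: int) -> bool:
    """Membership in QR_N straight from the definition: gcd(a, N) = 1 and a ≡ r^2 for some r."""
    a %= N
    return gcd(a, N) == 1 and any(pow(r, 2, N) == a for r in range(N))


def quadratic_residues(N: int) -> set[int]:
    return {a for a in range(N) if is_quadratic_residue(a, N)}


def jacobi_one_non_residues(N: int) -> list[int]:
    """Units a with (a/N) = +1 that are NOT squares modulo N.

    Empty when N is prime (Jacobi = Legendre decides residuosity); non-empty for
    composite N, so (a/N) = +1 must never be read as "a is a square mod N".
    """
    return [a for a in range(1, N)
            if gcd(a, N) == 1 and jacobi(a, N) == 1 and not is_quadratic_residue(a, N)]


if __name__ == "__main__":
    print("Jacobi(527, 723) =", jacobi(527, 723))
    print("QR_17 =", sorted(quadratic_residues(17)))
    print("(a/15) = +1 but a not a square mod 15:", jacobi_one_non_residues(15))
```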
Pierre de Fermat
Fermat-Euler

Theorem [Fermat]
Let p be a prime number and a be an integer not a multiple of p, then
$a^{p-1} \equiv 1 \pmod p$.

Theorem [Euler's criterion]
Let p be an odd prime number and a be an integer, then
$a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) \pmod p$.

Theorem [Euler]
Let N be a positive integer and a another integer such that gcd(a, N) = 1, then
$a^{\phi(N)} \equiv 1 \pmod N$,
where ϕ(N) is Euler's totient function, the number of integers in {1, …, N} coprime to N.
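The three theorems above in executable form, as an added Python example (not from the slides; the helper names are mine, and ϕ is computed by trial-division factoring, which is only meant for small N). It compares Euler's criterion against the Legendre symbol taken directly from the definition, and shows why the hypotheses matter: the exponent p − 1 from Fermat's theorem is not enough once the modulus is composite, whereas ϕ(N) is.

```python
from math import gcd


def euler_phi(N: int) -> int:
    """ϕ(N) = #{1 <= k <= N : gcd(k, N) = 1}, via ϕ(N) = N * prod(1 - 1/p) over the
    distinct primes p dividing N (trial division; adequate for small N)."""
    if N < 1:
        raise ValueError("N must be positive")
    result, n, p = N, N, 2
    while p * p <= n:
        if n % p == 0:
            while n % p == 0:
                n //= p
            result -= result // p
        p += 1
    if n > 1:                      # remaining factor is a prime
        result -= result // n
    return result


def legendre_by_euler(a: int, p: int) -> int:
    """(a/p) for an odd prime p by Euler's criterion: a^((p-1)/2) mod p is 0, 1 or p-1."""
    v = pow(a, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def legendre_by_definition(a: int, p: int) -> int:
    """(a/p) from the definition: 0 if p | a, +1 if a is a nonzero square mod p, else -1."""
    a %= p
    if a == 0:
        return 0
    squares = {pow(r, 2, p) for r in range(1, p)}
    return 1 if a in squares else -1


def fermat_holds(a: int, N: int) -> bool:
    """Does a^(N-1) ≡ 1 (mod N)? Fermat guarantees it when N is prime and N ∤ a."""
    return pow(a, N - 1, N) == 1


def euler_holds(a: int, N: int) -> bool:
    """Does a^ϕ(N) ≡ 1 (mod N)? Euler guarantees it whenever gcd(a, N) = 1."""
    return pow(a, euler_phi(N), N) == 1


if __name__ == "__main__":
    print("ϕ(468) =", euler_phi(468))
    print("(3/17) by Euler's criterion:", legendre_by_euler(3, 17))
    print("2^14 mod 15 == 1 ?", fermat_holds(2, 15), "   2^ϕ(15) mod 15 == 1 ?", euler_holds(2, 15))
```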