COMP-547 Fall 2023
Cryptography & Data Security
Lecture 06
Claude Crépeau
definition [SQROOT]
The square root modulo N problem is: given a composite integer N and a ∈ QR_N, find an integer r, 0 ≤ r < N, such that a ≡ r^2 (mod N).

Theorem: SQROOT is polynomially equivalent to FACTORING.

Proof idea:
The previous construction shows that if we know the factorization of N, we can extract square roots modulo each prime factor and then recombine using the Chinese Remainder Theorem.

If we can extract square roots modulo N, we can split N in two factors N = uv using the following algorithm, and by repetition fully factor it:

The probability of the else case is at least 1/2.


ALGORITHM B.ω+1
Integer Splitting

Input: non-negative Integer N
Output: Integers u, v > 1 s.t. N = uv

r ← {1…N − 1}, r′ ← SQROOT(r^2, N)
if r′ ≡ ± r (mod N) return Splitting(N)
else u := gcd(r + r′, N), v := gcd(r − r′, N)
return (u, v)

ALGORITHM B.ω+2
Integer Factoring

Input: non-negative Integer N
Output: List of Prime Integers p_1, …, p_k s.t. N = p_1⋯p_k

if N is prime return [N]
else (u, v) := Splitting(N); return Factoring(u) || Factoring(v)

EXAMPLE
N = 37·43 = 1591,
a = 477,
a^2 mod 1591 = 16
√(a^2) mod 1591 = 4
477 ≢ ±4 (mod 1591)

u = gcd(477 + 4, 1591) = 37
v = gcd(477 − 4, 1591) = 43
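Both directions of the equivalence on the worked example above, as an added Python illustration that is not part of the slides: the oracle simulates SQROOT for N = p·q from the known factors (square roots modulo each prime, recombined with the CRT), and the splitting routine recovers the factors from nothing but that oracle. The name split_once for a single pass with a fixed r, r′ is my own.

```python
import math
import random

def sqrt_mod_prime(a, p):
    """Brute-force square root of a modulo a small prime p (demo oracle only)."""
    for r in range(p):
        if r * r % p == a % p:
            return r
    return None                                  # a is not a square mod p

def crt2(r1, p, r2, q):
    """Combine r ≡ r1 (mod p), r ≡ r2 (mod q) into r mod p*q (p, q coprime)."""
    return (r1 + p * ((r2 - r1) * pow(p, -1, q) % q)) % (p * q)

def make_sqroot_oracle(p, q):
    """Simulate SQROOT(a, N) for N = p*q from the known factors: roots modulo
    each prime, recombined by the CRT (the easy direction of the theorem).
    One of the four roots is returned at random, as an oracle might."""
    def oracle(a, N):
        assert N == p * q, "this simulated oracle knows one modulus only"
        rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
        if rp is None or rq is None:
            return None                          # a is not in QR_N
        return crt2(random.choice([rp, -rp % p]), p,
                    random.choice([rq, -rq % q]), q)
    return oracle

def split_once(N, r, r_prime):
    """One pass of Algorithm B.ω+1 with given r and r' = SQROOT(r^2, N).
    Returns (u, v) or None in the r' ≡ ±r case, where the slide retries."""
    if r_prime % N in (r % N, -r % N):
        return None
    return math.gcd(r + r_prime, N), math.gcd(r - r_prime, N)

def split(N, sqroot, rng=random):
    """Integer Splitting: draw fresh random r until a proper factor appears;
    each attempt succeeds with probability at least 1/2."""
    while True:
        r = rng.randrange(1, N)
        g = math.gcd(r, N)
        if g != 1:                               # r itself exposes a factor
            return g, N // g
        r_prime = sqroot(r * r % N, N)
        result = split_once(N, r, r_prime) if r_prime is not None else None
        if result is not None:
            return result

if __name__ == "__main__":
    print(split_once(1591, 477, 4))              # (37, 43), the slide's example
    print(split(1591, make_sqroot_oracle(37, 43)))
```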
Prime numbers

If we want a random prime of a given size, we use the following theorem to estimate the number of integers we must try before finding a prime.
Let π(N) = #{a : 1 < a ≤ N and a is prime}.

Theorem
lim_{N→∞} (π(N) log N) / N = 1

To decide whether a number N is prime or not we rely on Miller-Rabin's probabilistic algorithm. This algorithm introduces the notion of "pseudo-primality" base a. Miller defined this test as an extension of Fermat's test.

If the Extended Riemann Hypothesis is true then it is sufficient to use the test with small values of a to decide whether a number N is prime or composite. However the ERH is not proven and we use the test in a probabilistic fashion as suggested by Rabin.
9.31

p′ ← {0,1}^{n−2}
p := 1 ∥ p′ ∥ 1

[Figure: finite automaton recognizing multiples of 3 in base 2, with states q0, q1, q2]

9.34

Primality à la Fermat

9.35

Primality à la Miller-Rabin

9.44

It is easy to show that if N is prime, then Miller-Rabin(N, t) returns "prime" with probability 1.

Rabin showed that if N is composite, then Miller-Rabin(N, t) returns "prime" with probability at most 4^{−t}.
EXAMPLE
N = 37·43 = 1591,
N − 1 = 1590 = 795·2, so u = 795, r = 1
a = 16
a^u = 16^795 mod 1591
i = 0: a^u = 692 ≠ 1
i = 1: a^{2u} = 1564 ≠ 1, failure à la Fermat
1591 is definitely composite
EXAMPLE
N = 1597,
N − 1 = 1596 = 399·4, so u = 399, r = 2
a = 16
a^u = 16^399 mod 1597
i = 0: a^u = 1
1597 is potentially prime
EXAMPLE
N = 1597,
N − 1 = 1596 = 399·4, so u = 399, r = 2
a = 17
a^u = 17^399 mod 1597
i = 0: a^u = 1
1597 is potentially prime
EXAMPLE
N = 1597,
N − 1 = 1596 = 399·4, so u = 399, r = 2
a = 18
a^u = 18^399 mod 1597
i = 0: a^u = 610
i = 1: a^{2u} = 1596
i = 2: a^{4u} = 1
1597 is potentially prime
EXAMPLE
N = 1597 is either prime, or we just experienced an event (3 random occurrences of "prime") that happens with probability at most 1/64.

We are almost certain that 1597 is prime...
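The three traces above, together with the candidate generation p := 1 ∥ p′ ∥ 1 of 9.31, as an added Python example (illustration code, not the course's): miller_rabin_round returns the slide's verdict alongside the sequence a^u, a^{2u}, … mod N, stopping at the first 1, and random_prime repeats the candidate step until Miller-Rabin accepts. The function names are mine.

```python
import random

def decompose(N):
    """Write N - 1 = u * 2^r with u odd; returns (u, r) as on the slides."""
    u, r = N - 1, 0
    while u % 2 == 0:
        u //= 2
        r += 1
    return u, r

def miller_rabin_round(N, a):
    """One Miller-Rabin round with base a. Returns (verdict, trace) where trace
    is [a^u, a^(2u), a^(4u), ...] mod N, stopped at the first 1, and verdict is
    'composite' or 'prime' (the latter meaning only 'potentially prime')."""
    u, r = decompose(N)
    trace = [pow(a, u, N)]
    for _ in range(r):
        if trace[-1] == 1:
            break
        trace.append(pow(trace[-1], 2, N))      # square to get a^(2^i u)
    if trace[-1] != 1:
        return "composite", trace               # a^(N-1) != 1: failure à la Fermat
    if len(trace) > 1 and trace[-2] != N - 1:
        return "composite", trace               # non-trivial square root of 1
    return "prime", trace

def miller_rabin(N, t, rng=random):
    """Miller-Rabin(N, t) with t random bases: a prime N is always accepted,
    a composite N is accepted with probability at most 4^-t."""
    if N < 4:
        return N in (2, 3)
    if N % 2 == 0:
        return False
    return all(miller_rabin_round(N, rng.randrange(2, N - 1))[0] == "prime"
               for _ in range(t))

def random_prime(n, t=20, rng=random):
    """9.31: p' <- {0,1}^(n-2), p := 1 || p' || 1, repeated until Miller-Rabin
    accepts. Forcing the outer bits makes p an odd n-bit integer (n >= 3)."""
    while True:
        p = (1 << (n - 1)) | (rng.getrandbits(n - 2) << 1) | 1
        if miller_rabin(p, t, rng):
            return p

if __name__ == "__main__":
    print(miller_rabin_round(1591, 16))         # ('composite', [692, 1564])
    for a in (16, 17, 18):
        print(miller_rabin_round(1597, a))
    print(random_prime(16))
```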
Deterministic Primality Testing

In August of 2002, Agrawal, Kayal and Saxena announced the discovery of a deterministic primality test running in polynomial time. Unfortunately this test is too slow in practice... its running time being O(|N|^12).

In 2005, Pomerance and Lenstra demonstrated a faster variant of AKS that runs in Õ(|N|^6) operations, but it is still rather slow in practice.

To prove the primality of an integer N:

N is prime if and only if for all a such that gcd(a, N) = 1

(x + a)^N ≡ x^N + a (mod N).

The idea is to validate this (exponentially long) congruence in poly-time.


Prime Fields

Let p be a prime number.

The integers 0, 1, 2, ..., p − 1 with operations + mod p and × mod p constitute a field 𝔽_p of p elements.

• contains an additive neutral element (0)
• each element e has an additive inverse −e
• contains a multiplicative neutral element (1)
• each non-zero element e has a multiplicative inverse e^{−1}
• associativity
• commutativity
• distributivity
Examples

𝔽_2 = ({0,1}, ⊕, ∧).

𝔽_5 = ({0,1,2,3,4}, + (mod 5), × (mod 5)) defined by

  +  | 0  1  2  3  4          ×  | 0  1  2  3  4
  ---+---------------         ---+---------------
  0  | 0  1  2  3  4          0  | 0  0  0  0  0
  1  | 1  2  3  4  0          1  | 0  1  2  3  4
  2  | 2  3  4  0  1          2  | 0  2  4  1  3
  3  | 3  4  0  1  2          3  | 0  3  1  4  2
  4  | 4  0  1  2  3          4  | 0  4  3  2  1

Other kinds of finite fields exist for numbers q = p^e, e > 1. We will not study them this term. In general we refer to 𝔽_q for a finite field, but you may think of the special case 𝔽_p if you do not wish to find out about the general field construction. Galois proved that if N is not a prime power, no field of N elements can be constructed.
Example

𝔽_4 = ({0,1,2,3}, +, ×) defined by

  +  | 0  1  2  3          ×  | 0  1  2  3
  ---+------------         ---+------------
  0  | 0  1  2  3          0  | 0  0  0  0
  1  | 1  0  3  2          1  | 0  1  2  3
  2  | 2  3  0  1          2  | 0  2  3  1
  3  | 3  2  1  0          3  | 0  3  1  2

Note: + is not + (mod 4) and × is not × (mod 4)


Primitive Elements

In all finite fields 𝔽_q (and some groups in general) there exists a primitive element, that is an element g of the field such that
g^1, g^2, …, g^{q−1}
enumerate all of the q − 1 non-zero elements of the field. We use the following theorem to efficiently find a primitive element over 𝔽_q.

Theorem
Let l_1, l_2, …, l_k be the prime factors of q − 1 = l_1 · l_2 ⋯ l_k and
m_1 = (q − 1)/l_1, m_2 = (q − 1)/l_2, …, m_k = (q − 1)/l_k.
An element g is primitive over 𝔽_q if and only if

• g^{q−1} = 1
• g^{m_i} ≠ 1 for 1 ≤ i ≤ k.
Primitive Elements

ALGORITHM B.ω+9.3 (related to Section 9.3)
Random Primitive Element of 𝔽_q

Input: positive Integers q, l_1, …, l_k (prime factors of q − 1)
Output: Primitive Element g ∈ 𝔽_q^⋆

Let m_1 = (q − 1)/l_1, …, m_k = (q − 1)/l_k.
repeat
    g ← 𝔽_q^⋆
until ∀i, 1 ≤ i ≤ k, g^{m_i} ≠ 1
return g ∈ 𝔽_q^⋆
Primitive Elements

We use the following theorems to estimate the number of field elements we must try in order to find a random primitive element.

Theorem
#{g : g is a primitive element of 𝔽_q} = ϕ(q − 1).

Theorem
lim inf_{N→∞} (ϕ(N) log log N) / N = e^{−γ} ≈ 0.5614594836

Example:

2 is a primitive element of 𝔽_5 since {2, 2^2, 2^3, 2^4} = {2, 4, 3, 1}.


Relation to Quadratic residues

As an interesting note, if g is a primitive element of the prime field 𝔽_p then we have:

QR_p = {g^{2i} mod p : 0 ≤ i < (p − 1)/2}

QNR_p = {g^{2i+1} mod p : 0 ≤ i < (p − 1)/2}

In other words, the quadratic residues are the even powers of g while the quadratic non-residues are the odd powers of g.
Factoring q − 1...

The only efficient way we know to find a primitive element in fields 𝔽_q is when the factorization of q − 1 is already known. In general, it may be difficult to factor q − 1.

However, if we are after a large field with a random number of elements, Eric Bach has devised an efficient probabilistic algorithm to generate random integers of a given size with known factorization. Recently, Adam Kalai has invented a somewhat slower algorithm that is much simpler. Suppose we randomly select r with its factorization using Bach's or Kalai's algorithm. We may check whether r + 1 is a prime (power).

In this case, a finite field of r + 1 elements is obtained and a primitive element may be computed efficiently. In this course we will limit our focus to the so-called Sophie Germain primes: primes q such that p = 2q + 1 is also a prime.
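The primitive-element criterion and Algorithm B.ω+9.3, the even/odd-power description of QR_p and QNR_p, and the Sophie Germain shortcut (p − 1 = 2q is already factored) in one added Python example; this is illustration code written for these notes, not the course's, and it assumes q = p is a prime so that 𝔽_p is integer arithmetic mod p. The function names are mine, and the brute-force checks over small p exist only to confirm the theorem's claims.

```python
import random

def is_primitive(g, q, prime_factors):
    """Theorem on the slides: g is primitive over F_q iff g^(q-1) = 1 and
    g^(m_i) != 1 for every m_i = (q-1)/l_i, l_i a prime factor of q-1."""
    if g % q == 0 or pow(g, q - 1, q) != 1:
        return False
    return all(pow(g, (q - 1) // l, q) != 1 for l in set(prime_factors))

def random_primitive_element(q, prime_factors, rng=random):
    """Algorithm B.ω+9.3: sample g from F_q^* until every g^(m_i) != 1."""
    while True:
        g = rng.randrange(1, q)
        if is_primitive(g, q, prime_factors):
            return g

def powers_of(g, p):
    """The list g^1, g^2, ..., g^(p-1) mod p used in the definition."""
    return [pow(g, i, p) for i in range(1, p)]

def qr_from_generator(g, p):
    """QR_p = even powers of g, QNR_p = odd powers of g (g primitive, p prime)."""
    half = (p - 1) // 2
    qr = {pow(g, 2 * i, p) for i in range(half)}
    qnr = {pow(g, 2 * i + 1, p) for i in range(half)}
    return qr, qnr

def qr_by_squaring(p):
    """Independent definition of QR_p: the non-zero squares modulo p."""
    return {x * x % p for x in range(1, p)}

def primitive_mod_safe_prime(p, rng=random):
    """For p = 2q + 1 with q a Sophie Germain prime, p - 1 = 2 * q is already
    factored, so the algorithm needs no factoring step at all."""
    q = (p - 1) // 2
    return random_primitive_element(p, [2, q], rng)

if __name__ == "__main__":
    print(is_primitive(2, 5, [2]), powers_of(2, 5))     # True [2, 4, 3, 1]
    g = primitive_mod_safe_prime(23)                     # 23 = 2*11 + 1
    print(g, qr_from_generator(g, 23)[0] == qr_by_squaring(23))
```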