Online Cryptography Course, Dan Boneh
Intro Number Theory: Modular e'th roots

Modular e'th roots

We know how to solve modular linear equations: $a \cdot x + b = 0$ in $\mathbb{Z}_N$.
Solution: $x = -b \cdot a^{-1}$ in $\mathbb{Z}_N$.

What about higher degree polynomials? Example: let $p$ be a prime and $c \in \mathbb{Z}_p$. Can we solve $x^2 - c = 0$, $y^3 - c = 0$, $z^{37} - c = 0$ in $\mathbb{Z}_p$?

Modular e'th roots

Let $p$ be a prime and $c \in \mathbb{Z}_p$.
Def: $x \in \mathbb{Z}_p$ such that $x^e = c$ in $\mathbb{Z}_p$ is called an e'th root of $c$.
Examples: $7^{1/3} = 6$ in $\mathbb{Z}_{11}$ (since $6^3 = 216 = 7$ in $\mathbb{Z}_{11}$); $3^{1/2} = 5$ in $\mathbb{Z}_{11}$; $2^{1/2}$ does not exist in $\mathbb{Z}_{11}$; $1^{1/3} = 1$ in $\mathbb{Z}_7$.

The easy case

When does $c^{1/e}$ in $\mathbb{Z}_p$ exist? Can we compute it efficiently?
The easy case: suppose $\gcd(e, p-1) = 1$. Then for all $c$ in $(\mathbb{Z}_p)^*$: $c^{1/e}$ exists in $\mathbb{Z}_p$ and is easy to find.
Proof: let $d = e^{-1}$ in $\mathbb{Z}_{p-1}$. Then $d \cdot e = 1$ in $\mathbb{Z}_{p-1}$, i.e. $d \cdot e = k(p-1) + 1$ for some integer $k$, so $(c^d)^e = c^{k(p-1)+1} = (c^{p-1})^k \cdot c = c$ by Fermat's theorem. Hence $c^{1/e} = c^d$, one modular exponentiation.

The case e=2: square roots

If $p$ is an odd prime then $\gcd(2, p-1) \neq 1$, so the easy case does not apply.
Fact: in $(\mathbb{Z}_p)^*$, $x \mapsto x^2$ is a 2-to-1 function: $x$ and $-x$ both map to $x^2$.
Example: in $\mathbb{Z}_{11}$, $x = 1, 2, \dots, 10$ map to $x^2 = 1, 4, 9, 5, 3, 3, 5, 9, 4, 1$.
Def: $x$ in $\mathbb{Z}_p$ is a quadratic residue (Q.R.) if it has a square root in $\mathbb{Z}_p$.
$p$ odd prime $\Rightarrow$ the number of Q.R. in $\mathbb{Z}_p$ is $(p-1)/2 + 1$ (the $+1$ counts $0$).

Euler's theorem

Thm: $x$ in $(\mathbb{Z}_p)^*$ is a Q.R. $\iff$ $x^{(p-1)/2} = 1$ in $\mathbb{Z}_p$ ($p$ odd prime).
Example: in $\mathbb{Z}_{11}$: $1^5, 2^5, 3^5, 4^5, 5^5, 6^5, 7^5, 8^5, 9^5, 10^5 = 1, -1, 1, 1, 1, -1, -1, -1, 1, -1$, which picks out exactly the squares $\{1, 3, 4, 5, 9\}$ from the table above.
Note: $x \neq 0 \Rightarrow x^{(p-1)/2} = (x^{p-1})^{1/2} = 1^{1/2} \in \{1, -1\}$ in $\mathbb{Z}_p$.
Def: $x^{(p-1)/2}$ is called the Legendre symbol of $x$ over $p$ (1798).

Computing square roots mod p

Suppose $p \equiv 3 \pmod 4$.
Lemma: if $c \in (\mathbb{Z}_p)^*$ is a Q.R. then $\sqrt{c} = c^{(p+1)/4}$ in $\mathbb{Z}_p$.
Proof: $(p+1)/4$ is an integer because $p \equiv 3 \pmod 4$, and $\left(c^{(p+1)/4}\right)^2 = c^{(p+1)/2} = c^{(p-1)/2} \cdot c = c$, using Euler's theorem ($c^{(p-1)/2} = 1$ for a Q.R.).
Caveat: the formula produces an output for every $c$; if $c$ is not a Q.R. the same computation gives $c^{(p-1)/2} \cdot c = -c$ when squared, i.e. a square root of $-c$. So check that the result squares back to $c$ (or test Euler's criterion first).
When $p \equiv 1 \pmod 4$, square roots can also be computed efficiently, but it is a bit harder. Run time $\approx O(\log^3 p)$.

Solving quadratic equations mod p

Solve: $a \cdot x^2 + b \cdot x + c = 0$ in $\mathbb{Z}_p$.
Solution: $x = \left(-b \pm \sqrt{b^2 - 4 \cdot a \cdot c}\right) / 2a$ in $\mathbb{Z}_p$.
• Find $(2a)^{-1}$ in $\mathbb{Z}_p$ using extended Euclid (it exists because $p$ is odd and $a \neq 0$ in $\mathbb{Z}_p$).
• Find the square root of $b^2 - 4 \cdot a \cdot c$ in $\mathbb{Z}_p$ (if one exists) using a square root algorithm.

Computing e'th roots mod N ??

Let $N$ be a composite number and $e > 1$. When does $c^{1/e}$ in $\mathbb{Z}_N$ exist? Can we compute it efficiently?
Answering these questions requires the factorization of $N$ (as far as we know).

End of Segment
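Worked examples for the segment above, added by the editor (this is not code from Boneh's course): the easy-case e'th root via $d = e^{-1}$ in $\mathbb{Z}_{p-1}$, the 2-to-1 squaring map and Euler's criterion in $\mathbb{Z}_{11}$, square roots for $p \equiv 3 \pmod 4$ together with the squaring check a non-residue input requires, the quadratic solver, and the composite case once the factorization of $N$ is known (which is textbook RSA decryption). The composite modulus $N = 11 \cdot 13$ and the quadratic $3x^2 + 2x + 1$ are constructed for illustration; the other numbers are the slides' own.

```python
from math import gcd

# Worked examples for the "Modular e'th roots" segment (added by the editor;
# not Boneh's code). Standard library only. The primes 11 and 7 are the
# slides' own; N = 11 * 13 and the quadratic 3x^2 + 2x + 1 are constructed.


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def modinv(a, m):
    """a^{-1} in Z_m via extended Euclid, or None when gcd(a, m) != 1."""
    g, u, _ = egcd(a % m, m)
    return u % m if g == 1 else None


def all_eth_roots(c, e, p):
    """Brute force, for checking only: every x in Z_p with x^e = c."""
    return [x for x in range(p) if pow(x, e, p) == c % p]


def eth_root_easy(c, e, p):
    """The easy case gcd(e, p-1) == 1: d = e^{-1} in Z_{p-1}, root = c^d.
    Correct because (c^d)^e = c^{k(p-1)+1} = c by Fermat. Returns None
    when gcd(e, p-1) != 1, where x -> x^e is not a bijection on (Z_p)*."""
    d = modinv(e, p - 1)
    return None if d is None else pow(c, d, p)


def legendre(x, p):
    """Euler's criterion x^((p-1)/2) mod p, reported as 1 (Q.R.), -1 or 0."""
    v = pow(x % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def squares_table(p):
    """x -> x^2 on (Z_p)*; each non-zero square appears twice (x and -x)."""
    return [pow(x, 2, p) for x in range(1, p)]


def sqrt_mod_p(c, p):
    """Square root of c in Z_p for p = 3 (mod 4) via c^((p+1)/4).
    Returns None for a non-residue: the same formula then yields sqrt(-c),
    so the result is verified by squaring rather than trusted."""
    if p % 4 != 3:
        raise ValueError("only p = 3 (mod 4) is handled here")
    c %= p
    r = pow(c, (p + 1) // 4, p)
    return r if (r * r) % p == c else None


def solve_quadratic(a, b, c, p):
    """Roots of a*x^2 + b*x + c = 0 in Z_p (p = 3 mod 4, a != 0 mod p):
    x = (-b +- sqrt(b^2 - 4ac)) * (2a)^{-1}. Sorted list, empty if none."""
    inv2a = modinv(2 * a, p)           # extended Euclid, as on the slide
    if inv2a is None:
        raise ValueError("2a must be invertible: need p odd and a != 0 mod p")
    r = sqrt_mod_p((b * b - 4 * a * c) % p, p)
    if r is None:
        return []
    return sorted({((-b + r) * inv2a) % p, ((-b - r) * inv2a) % p})


def eth_root_mod_N(c, e, p, q):
    """e'th root mod a composite N = p*q given N's factorization (which the
    last slide says is needed): the easy-case trick applied mod (p-1)(q-1).
    Requires gcd(e, (p-1)(q-1)) == 1; this is textbook RSA decryption."""
    d = modinv(e, (p - 1) * (q - 1))
    return None if d is None else pow(c, d, p * q)


if __name__ == "__main__":
    print("7^(1/3) in Z_11 =", eth_root_easy(7, 3, 11))                     # 6
    print("cube roots of 1 in Z_7:", all_eth_roots(1, 3, 7), "gcd(3,6) =", gcd(3, 6))
    print("squares in Z_11:", squares_table(11))
    print("Legendre symbols in Z_11:", [legendre(x, 11) for x in range(1, 11)])
    print("sqrt(3), sqrt(2) in Z_11:", sqrt_mod_p(3, 11), sqrt_mod_p(2, 11))  # 5 None
    print("3x^2 + 2x + 1 = 0 in Z_11:", solve_quadratic(3, 2, 1, 11))         # [6, 8]
    print("7th root of 128 mod 143:", eth_root_mod_N(128, 7, 11, 13))         # 2
```

Two things the slides only hint at become visible here: `eth_root_easy(1, 3, 7)` returns `None` because $\gcd(3, 6) = 3$, and `all_eth_roots` shows why, since $1$ has three cube roots $\{1, 2, 4\}$ in $\mathbb{Z}_7$ and cubing is not a bijection; and `sqrt_mod_p(2, 11)` computes $2^3 = 8$, whose square is $9 = -2$, which is why the routine squares its candidate before returning it.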