blog/_posts/lecture-notes/modern-cryptography/2023-10-05-number-theory.md

---
share: true
toc: true
math: true
categories:
  - Lecture Notes
  - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
  - lecture-note
  - cryptography
  - number-theory
  - security
title: 8. Number Theory
date: 2023-10-05
github_title: 2023-10-05-number-theory
---

## Background

### Number Theory

Let $n$ be a positive integer and let $p$ be prime.

> **Notation.** Let $\mathbb{Z}$ denote the set of integers. We will write $\mathbb{Z} _ n = \left\lbrace 0, 1, \dots, n - 1 \right\rbrace$.

> **Definition.** Let $x, y \in \mathbb{Z}$. $\gcd(x, y)$ is the **greatest common divisor** of $x, y$. $x$ and $y$ are relatively prime if $\gcd(x, y) = 1$.

> **Definition.** The **multiplicative inverse** of $x \in \mathbb{Z} _ n$ is an element $y \in \mathbb{Z} _ n$ such that $xy = 1$ in $\mathbb{Z} _ n$.

> **Lemma.** $x \in \mathbb{Z} _ n$ has a multiplicative inverse if and only if $\gcd(x, n) = 1$.

> **Definition.** $\mathbb{Z} _ n^\ast$ is the set of invertible elements in $\mathbb{Z} _ n$. i.e, $\mathbb{Z} _ n^\ast = \left\lbrace x \in \mathbb{Z} _ n : \gcd(x, n) = 1 \right\rbrace$.

> **Lemma.** (Extended Euclidean Algorithm) For $x, y \in \mathbb{Z}$, there exists $a, b \in \mathbb{Z}$ such that $ax + by = \gcd(x, y)$.

### Group Theory

> **Definition.** A **group** is a set $G$ with a binary operation $* : G \times G \rightarrow G$, satisfying the following properties.
> 
> - $(\mathsf{G1})$ (Associative) $(a * b) * c = a * (b * c)$ for all $a, b, c \in G$.
> - $(\mathsf{G2})$ (Identity) $\exists e \in G$ such that for all $a\in G$, $e * a = a * e = a$.
> - $(\mathsf{G3})$ (Inverse) For each $a \in G$, $\exists x \in G$ such that $a * x = x * a = e$. In this case, $x = a^{-1}$.

> **Definition.** A group is **commutative** if $a * b = b * a$ for all $a, b \in G$.

> **Definition.** The **order** of a group is the number of elements in $G$, denoted as $\left\lvert G \right\lvert$.

> **Definition.** A set $H \subseteq G$ is a **subgroup** of $G$ if $H$ is itself a group under the operation of $G$. We write $H \leq G$.

> **Theorem.** (Lagrange) Let $G$ be a finite group and $H \leq G$. Then $\left\lvert H \right\lvert \mid \left\lvert G \right\lvert$.

*Proof*. All left cosets of $H$ have the same number of elements. A bijection between any two coset can be constructed. Cosets partition $G$, so $\left\lvert G \right\lvert$ is equal to the number of left cosets multiplied by $\left\lvert H \right\lvert$.

Let $G$ be a group.

> **Definition.** Let $g \in G$. The set $\left\langle g \right\rangle = \left\lbrace g^n : n \in \mathbb{Z} \right\rbrace$ is called the **cyclic subgroup generated by $g$**. The **order** of $g$ is the number of elements in $\left\langle g \right\rangle$, denoted as $\left\lvert g \right\lvert$.

> **Definition.** $G$ is **cyclic** if there exists $g \in G$ such that $G = \left\langle g \right\rangle$.

> **Theorem.** $\mathbb{Z} _ p^\ast$ is cyclic.

*Proof*. $\mathbb{Z} _ p$ is a finite field, so $\mathbb{Z} _ p^\ast = \mathbb{Z} _ p \setminus \left\lbrace 0 \right\rbrace$ is cyclic.

> **Theorem.** If $G$ is a finite group, then $g^{\left\lvert G \right\lvert} = 1$ for all $g \in G$. i.e, $\left\lvert g \right\lvert \mid \left\lvert G \right\lvert$.

*Proof*. Consider $\left\langle g \right\rangle \leq G$, then the result follows from Lagrange's theorem.

> **Corollary.** (Fermat's Little Theorem) If $x \in \mathbb{Z} _ p^\ast$, $x^{p-1} = 1$.

*Proof*. $\mathbb{Z} _ p^\ast$ has $p-1$ elements.

> **Corollary.** (Euler's Generalization) If $x \in \mathbb{Z} _ n^\ast$, $x^{\phi(n)} = 1$.

*Proof*. $\mathbb{Z} _ n^\ast$ has $\phi(n)$ elements, where $\phi(n)$ is the Euler's totient function.

---

Schemes such as Diffie-Hellman rely on the hardness of the DLP. So, *how hard is it*? How does one compute the discrete logarithm?

There are group-specific algorithms that exploit the algebraic features of the group, but we only cover generic algorithms, that works on any cyclic group. A trivial example would be the exhaustive search, where if $\left\lvert G \right\lvert = n$ and given a generator $g \in G$, find the discrete logarithm of $h \in G$ by computing $g^i$ for all $i = 1, \dots, n - 1$. Obviously, it has running time $\mathcal{O}(n)$. We can do better than this.

## Baby Step Giant Step Method (BSGS)

Let $G = \left\langle g \right\rangle$, where $g \in G$ has order $q$. $q$ need not be prime for this method. We are given $u = g^\alpha$, $g$, and $q$. Our task is to find $\alpha \in \mathbb{Z} _ q$.

Set $m = \left\lceil \sqrt{q} \right\rceil$. $\alpha$ is currently unknown, but by the division algorithm, there exists integers $i,j$ such that $\alpha = i \cdot m + j$ and $0\leq i, j < m$. Then $u = g^\alpha = g^{i\cdot m + j} = g^{im} \cdot g^j$. Therefore,

$$
u(g^{-m})^i = g^j.
$$

Now, we compute the values of $g^j$ for $j = 0, 1,\dots, m - 1$ and keep a table of $(j, g^j)$ pairs. Next, compute $g^{-m}$ and for each $i$, compute $u(g^{-m})^{i}$ and check if this value is in the table. If a value is found, then we found $(i, j)$ such that $i \cdot m + j = \alpha$.

We see that this algorithm takes $2\sqrt{q}$ group operations on $G$ in the worst case, so the time complexity is $\mathcal{O}(\sqrt{q})$. However, to store the values of $(j, g^j)$ pairs, a lot of memory is required. The table must be large enough to contain $\sqrt{q}$ group elements, so the space complexity is also $\mathcal{O}(\sqrt{q})$.

To get around this, we can build a smaller table by choosing a smaller $m$. But then $0 \leq j < m$ but $i$ must be checked for around $q/m$ values.

There is actually an algorithm using constant space. **Pollard's Rho** algorithm takes $\mathcal{O}(\sqrt{q})$ times and $\mathcal{O}(1)$ space.

## Groups of Composite Order

In Diffie-Hellman, we only used large primes. There is a reason for using groups with prime order. We study what would happen if we used composite numbers.

Let $G$ be a cyclic group of composite order $n$. First, we start with a simple case.

### Prime Power Case: Order $n = q^e$

Let $G = \left\langle g \right\rangle$ be a cyclic group of order $q^e$.[^1] ($q > 1$, $e \geq 1$) We are given $g,q, e$ and $u = g^\alpha$ and we will find $\alpha$. ($0 \leq \alpha < q^e)$

For each $f = 0, \dots, e$, define $g _ f = g^{(q^f)}$. Then

$$
(g _ f)^{(q^{e-f})} = g^{(q^f) \cdot (q^{e-f})} = g^{(q^e)} = 1.
$$

So $g _ f$ generates a cyclic subgroup of order $q^{e-f}$. In particular, $g _ {e-1}$ generates a cyclic subgroup of order $q$. Using this fact, we will reduce the given problem into a discrete logarithm problem on a group having smaller order $q$.

We proceed with recursion on $e$. If $e = 1$, then $\alpha \in \mathbb{Z} _ q$, so we have nothing to do. Suppose $e > 1$. Choose $f$ so that $1 \leq f \leq e-1$. We can write $\alpha = i\cdot q^f + j$, where $0 \leq i < q^{e-f}$ and $0 \leq j < g^f$. Then

$$
u = g^\alpha = g^{i \cdot q^f + j} = (g _ f)^i \cdot g^j.
$$

Since $g _ f$ has order $q^{e-f}$, exponentiate both sides by $q^{e-f}$ to get

$$
u^{(q^{e-f})} = (g _ f)^{q^{e-f} \cdot i} \cdot g^{q^{e-f} \cdot j} = (g _ {e-f})^j.
$$

Now the problem has been reduced to a discrete logarithm problem with base $g _ {e-f}$, which has order $q^f$. We can compute $j$ using algorithms for discrete logarithms.

After finding $j$, we have

$$
u/g^j = (g _ f)^i
$$

which is also a discrete logarithm problem with base $g _ f$, which has order $q^{e-f}$. We can compute $i$ that satisfies this equation. Finally, we can compute $\alpha = i \cdot q^f + j$. We have reduced a discrete logarithm problem into two smaller discrete logarithm problems.

To get the best running time, choose $f \approx e/2$. Let $T(e)$ be the running time, then

$$
T(e) = 2T\left( \frac{e}{2} \right) + \mathcal{O}(e\log q).
$$

The $\mathcal{O}(e\log q)$ term comes from exponentiating both sides by $q^{e-f}$. Solving this recurrence gives

$$
T(e) = \mathcal{O}(e \cdot T _ {\mathrm{base}} + e\log e \log q),
$$

where $T _ \mathrm{base}$ is the complexity of the algorithm for the base case $e = 1$. $T _ \mathrm{base}$ is usually the dominant term, since the best known algorithm takes $\mathcal{O}(\sqrt{q})$.

Thus, computing the discrete logarithm in $G$ is only as hard as computing it in the subgroup of prime order.

### General Case: Pohlig-Hellman Algorithm

Let $G = \left\langle g \right\rangle$ be a cyclic group of order $n = q _ 1^{e _ 1}\cdots q _ r^{e _ r}$, where the factorization of $n$ into distinct primes $q _ i$ is given. We want to find $\alpha$ such that $g^\alpha = u$.

For $i = 1, \dots, r$, define $q _ i^\ast = n / q _ i^{e _ i}$. Then $u^{q _ i^\ast} = (g^{q _ i^\ast})^\alpha$, where $g^{q _ i^\ast}$ will have order $q _ i^{e _ i}$ in $G$. Now compute $\alpha _ i$ using the algorithm for the prime power case.

Then for all $i$, we have $\alpha \equiv \alpha _ i \pmod{q _ i^{e _ i}}$. We can now use the Chinese remainder theorem to recover $\alpha$. Let $q _ r$ be the largest prime, then the running time is bounded by

$$
\sum _ {i=1}^r \mathcal{O}(e _ i T(q _ i) + e _ i \log e _ i \log q _ i) = \mathcal{O}(T(q _ r) \log n + \log n \log \log n)
$$

group operations. Thus, we can conclude the following.

> The difficulty of computing discrete logarithms in a cyclic group of order $n$ is determined by the size of the largest prime factor.

### Consequences

- For a group with order $n = 2^k$, the Pohlig-Hellman algorithm will easily compute the discrete logarithm, since the largest prime factor is $2$. The DL assumption is false for this group.
- For primes of the form $p = 2^k + 1$, the group $\mathbb{Z} _ p^\ast$ has order $2^k$, so the DL assumption is also false for these primes.
- In general, $G$ must have at least one large prime factor for the DL assumption to be true.
- By the Pohlig-Hellman algorithm, discrete logarithms in groups of composite order is a little harder than groups of prime order. So we often use a prime order group.

## Information Leakage in Groups of Composite Order

Let $G = \left\langle g \right\rangle$ be a cyclic group of composite order $n$. We suppose that $n = n _ 1n _ 2$, where $n _ 1$ is a small prime factor.

By the Pohlig-Hellman algorithm, the adversary can compute $\alpha _ 1 \equiv \alpha \pmod {n _ 1}$ by computing the discrete logarithm of $u^{n _ 2}$ with base $g^{n _ 2}$.

Consider $n _ 1 = 2$. Then the adversary knows whether $\alpha$ is even or not.

> **Lemma.** $\alpha$ is even if and only if $u^{n/2} = 1$.

*Proof*. If $\alpha$ is even, then $u^{n/2} = g^{\alpha n/2} = (g^{\alpha/2})^n = 1$, since the group has order $n$. Conversely, if $u^{n/2} = g^{\alpha n/2} = 1$, then the order of $g$ must divide $\alpha n/2$, so $n \mid (\alpha n /2)$ and $\alpha$ is even.

This lemma can be used to break the DDH assumption.

> **Lemma.** Given $u = g^\alpha$ and $v = g^\beta$, $\alpha\beta \in \mathbb{Z} _ n$ is even if and only if $u^{n/2} = 1$ or $v^{n/2} = 1$.

*Proof*. $\alpha\beta$ is even if and only if either $\alpha$ or $\beta$ is even. By the above lemma, this is equivalent to $u^{n/2} = 1$ or $v^{n/2} = 1$.

Now we describe an attack for the DDH problem.

> 1. The adversary is given $(g^\alpha, g^\beta, g^\gamma)$.
> 2. The adversary computes the parity of $\gamma$ and $\alpha\beta$ and compares them.
> 3. The adversary outputs $\texttt{accept}$ if the parities match, otherwise output $\texttt{reject}$.

If $\gamma$ was chosen uniformly, then the adversary wins with probability $1/2$. But if $\gamma = \alpha\beta$, the adversary always wins, so the adversary has DDH advantage $1/2$.

The above process can be generalized to any groups with small prime factor. See Exercise 16.2[^2] Thus, this is another reason we use groups of prime order.

- DDH assumption does not hold in $\mathbb{Z} _ p^\ast$, since its order $p-1$ is always even.
- Instead, we use a prime order subgroup of $\mathbb{Z} _ p^\ast$ or prime order elliptic curve group.

## Summary of Discrete Logarithm Algorithms

|Name|Time Complexity|Space Complexity|
|:-:|:-:|:-:|
|BSGS|$\mathcal{O}(\sqrt{q})$|$\mathcal{O}(\sqrt{q})$|
|Pohlig-Hellman|$\mathcal{O}(\sqrt{q _ \mathrm{max}}$|$\mathcal{O}(1)$|
|Pollard's Rho|$\mathcal{O}(\sqrt{q})$|$\mathcal{O}(1)$|

- In generic groups, solving the DLP requires $\Omega(\sqrt{q})$ operations.
	- By *generic groups*, we mean that only group operations and equality checks are allowed. Algebraic properties are not used.
- Thus, we use a large prime $q$ such that $\sqrt{q}$ is large enough.

## Candidates of Discrete Logarithm Groups

We need groups of order prime, and we cannot use $\mathbb{Z} _ p^\ast$ as itself. We have two candidates.

- Use a subgroup of $\mathbb{Z} _ p^\ast$ having prime order $q$ such that $q \mid (p-1)$ as in Diffie-Hellman.
- Elliptic curve group modulo $p$.

### Reduced Residue Class $\mathbb{Z} _ p^\ast$

There are many specific algorithms for discrete logarithms on $\mathbb{Z} _ p^\ast$.

- Index-calculus
- Elliptic-curve method
- Special number-field sieve (SNFS)
- **General number-field sieve** (GNFS)

GNFS running time is dominated by the term $\exp(\sqrt[3]{\ln p})$. If we let $p$ to be an $n$-bit prime, then the complexity is $\exp(\sqrt[3]{n})$. Suppose that GNFS runs in time $T$ for prime $p$. Since $\sqrt[3]{2} \approx 1.26$, doubling the number of bits will increase the running time of GNFS to $T^{1,26}$.

Compare this with symmetric ciphers such as AES, where doubling the key size squares the amount of work required.[^3] NIST and Lenstra recommends the size of primes that gives a similar level of security to that of symmetric ciphers.

|Symmetric key length|Size of prime (NIST)|Size of prime (Lenstra)|
|:-:|:-:|:-:|
|80|1024|1329|
|128|3072|4440|
|256|15360|26268|

All sizes are in bits. Thus we need a very large prime, for example $p > 2^{2048}$, for security these days.

### Elliptic Curve Group over $\mathbb{Z} _ p$

Currently, the best-known attacks are generic attacks, so we can use much smaller parameters than $\mathbb{Z} _ p^\ast$. Often the groups have sizes about $2^{256}$, $2^{384}$, $2^{512}$.

[^1]: We didn't require $q$ to be prime!
[^2]: A Graduate Course in Applied Cryptography
[^3]: Recall that the best known attack was only 4 times faster than brute-force search.