7/31/2019 Kiran Kadarla MTP Dissertation
1/63
Cryptography and Algorithms over Finite Fields
built on
Gaussian Integers
M.Tech Dissertation
Submitted in partial fulfillment of the requirements
for the degree of
Master of Technology
by
Kiran K Kadarla
Roll No. 03307904
Under the guidance of
Prof. V.R.Sule
Department of Electrical Engineering
Indian Institute of Technology, Bombay
Mumbai - 400 076
Approval Sheet
The dissertation entitled Cryptography and Algorithms over Finite Fields
built on Gaussian Integers by Kiran K Kadarla is approved for the degree of Master
of Technology
Examiner(s)
Supervisor
Chairman
Date:
Place:
Contents
List of Acronyms iv
List of Tables v
1 Introduction 1
1.1 Motivation & Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 Objective of the th
esis . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Organization of Dissertation . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.1 Literature Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Gaussian Integers 4
2.1 Introduction to Gaussian Integers . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.1 Divisibility in Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.2 Primes in Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.3 Unique factorization in Z [i] . . . . . . . . . . . . . . . . . . . . . . 8
2.1.4 Factorization Algorithm in Z [i] . . . . . . . . . . . . . . . . . . . . 9
2.1.5 Fermat's Little Theorem for Z [i] . . . . . . . . . . . . . . . . . . . 10
2.1.6 Residue class systems in Z [i] . . . . . . . . . . . . . . . . . . . . . 10
2.1.7 Construction of finite fields . . . . . . . . . . . . . . . . . . . . . . 12
2.1.8 Chinese Remainder Theorem for Z [i] . . . . . . . . . . . . . . . . . 14
2.2 Basic Computations Over Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2.1 Complexity Comparisons . . . . . . . . . . . . . . . . . . . . . . . . 15
3 Efficient Gaussian Integer Arithmetic 18
3.1 Bit Representations for Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.1.1 Integer Radix Method . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.1.2 Complex Radix Representation [10] . . . . . . . . . . . . . . . . . 22
3.1.3 Clearing Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2 Division Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2.1 Direct Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2.2 Lattice Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.3 Other Z [i] Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.3.1 Binary division . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.3.2 GCD Algorithms for Z [i] . . . . . . . . . . . . . . . . . . . . . . . 29
3.3.3 Extended Euclidean algorithm for Z [i] . . . . . . . . . . . . . . . . 31
3.3.4 (1+i)-ary Extended GCD algorithm for Z [i] . . . . . . . . . . . . . 32
3.3.5 CRT Algorithms for Z [i] . . . . . . . . . . . . . . . . . . . . . . . . 33
3.3.6 Exponentiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4 Cryptographic Algorithms 36
4.1 RSA Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
4.1.1 RSA over Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.2 Diffie-Hellman key exchange scheme . . . . . . . . . . . . . . . . . . . . . . 40
4.2.1 Diffie-Hellman key exchange over Z [i] . . . . . . . . . . . . . . . . 40
4.3 Generating gaussian primes . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.4 Bit Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.4.1 Faster computations . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5 Special Gaussian Primes 44
5.1 Mersenne primes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.1.1 Fermat's Primes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.1.2 Gaussian Mersenne Primes . . . . . . . . . . . . . . . . . . . . . . . 45
6 RSA Implementation on Z[i] using GMP 47
6.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
References 54
Acknowledgments 56
Notations
Z[i] : the set of Gaussian integers
$\alpha, \beta, \gamma$ : Gaussian integers
$\pi$ : a prime in Z[i]
M : plaintext message
C : ciphertext message
E() : encryption algorithm or function
D() : decryption algorithm or function
K : key
$K_1$ : encryption key
$K_2$ : decryption key
Some Fundamental Complexities
Complexity, in terms of the number of bit operations, of arithmetic operations on integers:
Addition of a k-bit number and an l-bit number, where k > l: $O(k)$.
Multiplication of a k-bit number by an l-bit number: $O(kl)$.
Division of a k-bit number by an l-bit number: $O(kl)$.
Division modulo p takes $O(\log^3 p)$ bit operations.
Inverse modulo p takes $O(\log^3 p)$ bit operations.
Modular exponentiation by the repeated squaring method, $b^n \bmod m$, takes $O(\log n \cdot \log^2 m)$ bit operations.
List of Tables
2.1 Primitive Roots in Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Complexity Comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.1 Gaussian Binary Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.1 RSA Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
4.2 RSA Encryption 1 over Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.3 RSA Encryption 2 over Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.4 Diffie-Hellman Key Exchange protocol . . . . . . . . . . . . . . . . . . . . 40
4.5 Diffie-Hellman Key Exchange protocol on Z [i] . . . . . . . . . . . . . . . . 41
4.6 Complexity Comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Abstract
The main aim of the project is to construct cryptographic primitives on finite fields defined over Gaussian integers and to explore the computational advantages, if any. First, cryptographic schemes known over Z are extended to the Gaussian integers Z[i], since the two rings have many features in common. Along the way, division, primes, unique factorization and the construction of finite fields over Z[i] are discussed. Then an efficient multi-precision arithmetic is developed for Z[i], analogous to the standard arithmetic over Z. Problems of finite field arithmetic, improving the efficiency of division algorithms, gcd calculation and exponentiation in Z[i] are discussed and different approaches to these problems are tried out. The Diffie-Hellman key exchange scheme is then formulated over these finite fields and some of its advantages are discussed. The security of the discrete logarithm problem (DLP) over these fields is discussed and it is shown to be as secure as the DLP over GF(p) type fields. Other cryptographic schemes, such as RSA, are formulated on Z[i]. The behaviour of certain well-known primes, such as Mersenne primes and Fermat primes, in Z[i] is discussed. The cryptographic schemes are implemented in C using the GNU Multi-Precision library.
Key Words: Groups, Rings, Fields, Extension fields, Modular Exponentiation, Discrete Logarithm problem, Diffie-Hellman scheme, ElGamal scheme.
Chapter 1
Introduction
Cryptographic algorithms are implemented using the arithmetic of finite fields. In the present work, we consider the problem of designing cryptographic schemes over finite fields whose prime fields are defined by primes in Z[i], called Gaussian primes. We shall call such fields Gaussian integer fields. We show implementations of basic cryptographic schemes, such as the Diffie-Hellman key exchange scheme and the RSA scheme, on Gaussian integer fields. Like the ordinary integers, the Gaussian integers form a principal ideal domain, have primes, and have a Euclidean division algorithm, so they form a Euclidean domain. In this thesis, we develop efficient algorithms for Gaussian integer arithmetic that are analogous to the multi-precision algorithms well known in Z. By implementing cryptographic schemes over these fields, we show that, for the same security level, the real and imaginary parts of the numbers involved in the computations have about half the bit-length of the integers involved when the scheme is implemented over Z. Since the field $\mathbb{Z}[i]/\langle\pi\rangle$ is isomorphic to GF(q) with $q = N(\pi)$ (Theorem 22), the security obtained is that of GF(q); the saving is in the size of the coordinates on which the arithmetic operates. These algorithms over Gaussian integer fields therefore have the potential to reduce the key lengths of cryptographic schemes to half, in the sense that each coordinate of a key is half the size of the corresponding integer key.
1.1 Motivation & Objective
Gaussian integers (Z[i]) are similar to the ordinary integers in many respects. They have unique factorization and form a Euclidean domain with a division algorithm. Hence, it is natural to extend algorithms and cryptographic primitives to finite fields whose prime subfields are defined by primes in Z[i].
More specifically, the following aspects motivated the work in this thesis.
- Cryptographic schemes over Z[i] do not appear to have been investigated in detail (Ref [1]). Many problems of cryptographic primitives, such as prime factorization and primality testing, are far from being completely understood.
- Primes in Z[i] seem to suggest an advantage: with moderately sized bit-lengths, equally secure implementations of cryptographic primitives might be possible.
- Arithmetic over Z[i] is likely to differ from arithmetic over Z. Hence, the algorithmic implementation of cryptographic schemes and the construction of efficient multi-precision algorithms over Z[i] deserve further study.
1.1.1 Objective of the thesis
With the above motivation, the following aims and objectives were formulated for the thesis:
- to develop efficient multi-precision arithmetic algorithms for Z[i];
- to implement different cryptographic primitives on Gaussian integer fields.
The thesis is aimed at highlighting the computational advantages of implementing the above plan of work.
1.2 Organization of Dissertation
The thesis is organized into 4 parts:
- Literature survey on Gaussian integers: this part explains the basic properties of Gaussian integers, primes in Gaussian integers, residue classes, fields over Z[i], unique factorization and the analogues of certain well known theorems such as Fermat's little theorem.
- Efficient implementation of Gaussian integer arithmetic: an effort is made to develop efficient multi-precision arithmetic for Gaussian integers.
- Cryptographic algorithms over Z[i] fields: cryptographic schemes analogous to Diffie-Hellman and RSA are constructed.
- Implementations: the different algorithms and protocols mentioned and used in the project are implemented using the GNU Multi-Precision (GMP) library. The code is written in C.
1.2.1 Literature Survey
Most of the introductory material on Gaussian integers in chapter 2 is drawn from the standard textbook A Classical Introduction to Modern Number Theory by Ireland and Rosen and from [4], [5], [6]. There are numerous papers published in various journals on Gaussian integers, on topics ranging from algorithms for Gaussian integer arithmetic (1974) to, most recently, primality testing using Pythagorean integers (June 2005) [2]. The paper by George Collins [14], published in 2002, presents a fast Euclidean algorithm for Gaussian integers. Though there are papers on the arithmetic of Gaussian integers, cryptographic schemes with efficient arithmetic implemented on the finite fields built on Gaussian integers do not seem to have been studied in much detail.
Chapter 2
Gaussian Integers
2.1 Introduction to Gaussian Integers
The Gaussian integers are the set
$$\mathbb{Z}[i] = \{\, a + ib : a, b \in \mathbb{Z} \,\}, \qquad i = \sqrt{-1}.$$
Thus Z[i] is a subset of the complex numbers that is closed under addition, subtraction and multiplication, and it forms an integral domain. The ring Z[i] has a clear similarity with Z.
Definition 1 (Norm). For $\alpha = a + ib \in \mathbb{Z}[i]$, its norm, denoted $N(\alpha)$, is defined by
$$N(\alpha) = \alpha\bar{\alpha} = (a + ib)(a - ib) = a^2 + b^2. \qquad (2.1)$$
Norms play a role analogous to absolute values. Norms are integers, and the divisibility properties of norms in Z provide important information about the divisibility properties in Z[i]. We summarize some of the important properties of Z[i] from the references [3], [4].
A primary observation is that the norm of every Gaussian integer is a non-negative integer, but not every non-negative integer is a norm.
Example: 6 is a Gaussian integer and its norm is 36, but 6 is not the norm of any Gaussian integer, since 6 is not a sum of two squares.
Theorem 1. The only Gaussian integers invertible in Z[i] are $\pm 1, \pm i$, which are called the units of Z[i].
2.1.1 Divisibility in Z[i]
We say that $\alpha$ divides $\beta$ (written $\alpha \mid \beta$) if $\beta = \alpha\gamma$ for some $\gamma \in \mathbb{Z}[i]$.
Theorem 2. A Gaussian integer $\alpha = a + ib$ is divisible by an ordinary integer c iff $c \mid a$ and $c \mid b$ in Z.
Theorem 3. For $\alpha, \beta \in \mathbb{Z}[i]$, if $\alpha \mid \beta$ in Z[i] then $N(\alpha) \mid N(\beta)$ in Z (Ref [3]). The converse is not true, as the following example shows. Let $\alpha = 2 + i$ and $\beta = 2 - i$. Here $N(\alpha) \mid N(\beta)$ (both norms equal 5), but $\alpha$ does not divide $\beta$.
Corollary 1. A Gaussian integer has even norm iff it is a multiple of $1 + i$.
Theorem 4 (Division Theorem). For $\alpha, \beta \in \mathbb{Z}[i]$ with $\beta \neq 0$, there are $\gamma, \rho \in \mathbb{Z}[i]$ such that
$$\alpha = \beta\gamma + \rho \quad\text{and}\quad N(\rho) < N(\beta).$$
In fact we can choose $\gamma$ so that $N(\rho) \le \tfrac{1}{2} N(\beta)$.
Theorem 5. Z[i] is a Euclidean domain.
Proof. Let $\alpha = a + ib$ and $\beta = c + id$ and suppose that $\beta \neq 0$. Let $\alpha/\beta = r + is$, where r and s are rational. Choose integers $m, n \in \mathbb{Z}$ such that $|r - m| \le 1/2$ and $|s - n| \le 1/2$. Set $\gamma = m + in$. Then $\gamma \in \mathbb{Z}[i]$ and
$$N(\alpha/\beta - \gamma) = (r - m)^2 + (s - n)^2 \le 1/4 + 1/4 = 1/2.$$
Set $\rho = \alpha - \beta\gamma$. Then $\rho \in \mathbb{Z}[i]$ and either $\rho = 0$ or
$$N(\rho) = N\big(\beta(\alpha/\beta - \gamma)\big) = N(\beta)\,N(\alpha/\beta - \gamma) \le \tfrac{1}{2} N(\beta) < N(\beta).$$
(Here N is extended to $\mathbb{Q}(i)$ by the same formula $N(r + is) = r^2 + s^2$, which is still multiplicative.) It follows that the norm makes Z[i] into a Euclidean domain.
2.1.1.1 Congruences in Z[i]
Given three Gaussian integers $\alpha, \beta, \gamma$, we say that $\alpha$ is congruent to $\beta$ modulo $\gamma$, and write $\alpha \equiv \beta \pmod{\gamma}$, if the difference $\alpha - \beta$ is divisible by $\gamma$. $\gamma$ is called the modulus of the congruence.
Definition 2 (GCD). For non-zero $\alpha$ and $\beta$ in Z[i], a greatest common divisor of $\alpha$ and $\beta$ is a common divisor with maximal norm.
Note that the greatest common divisor of two Gaussian integers $\alpha$ and $\beta$ is not unique, but it is ambiguous only by a unit multiple, i.e., it is unique up to multiplication by units.
Theorem 6 (Euclid's Algorithm on Z[i]). Let $\alpha, \beta \in \mathbb{Z}[i]$ be non-zero. Recursively apply the division theorem, starting with this pair, and make the divisor and remainder in one equation the new dividend and divisor in the next, provided the remainder is not zero (Ref [4]):
$$\alpha = \beta\gamma_1 + \rho_1, \qquad N(\rho_1) < N(\beta)$$
$$\beta = \rho_1\gamma_2 + \rho_2, \qquad N(\rho_2) < N(\rho_1)$$
$$\rho_1 = \rho_2\gamma_3 + \rho_3, \qquad N(\rho_3) < N(\rho_2)$$
$$\vdots$$
The last non-zero remainder is divisible by all common divisors of $\alpha$ and $\beta$, and is itself a common divisor, so it is a greatest common divisor of $\alpha$ and $\beta$ (Ref [4]).
Corollary 2. A greatest common divisor of $\alpha$ and $\beta$ has a norm dividing $\gcd(N(\alpha), N(\beta))$.
Gaussian integers with relatively prime norms are therefore relatively prime themselves. It should be noted that the converse is not true, as the following example shows. Let $\alpha = 2 + i$ and $\beta = 2 - i$. Then $\gcd(\alpha, \beta) = 1$, but $\gcd(N(\alpha), N(\beta)) = \gcd(5, 5) = 5 \neq 1$.
Corollary 3. For non-zero $\alpha$ and $\beta$ in Z[i], let $\delta$ be a greatest common divisor produced by Euclid's algorithm. Any greatest common divisor of $\alpha$ and $\beta$ is a unit multiple of $\delta$.
Theorem 7 (Bezout's Theorem for Z[i]). Let $\delta$ be any greatest common divisor of two non-zero Gaussian integers $\alpha$ and $\beta$. Then $\delta = \alpha x + \beta y$ for some $x, y \in \mathbb{Z}[i]$ (Ref [4]).
Corollary 4. The non-zero Gaussian integers $\alpha$ and $\beta$ are relatively prime iff
$$1 = \alpha x + \beta y$$
for some $x, y \in \mathbb{Z}[i]$.
Corollary 5. Let $\alpha \mid \beta\gamma$ in Z[i] with $\alpha$ and $\beta$ relatively prime. Then $\alpha \mid \gamma$.
Corollary 6. If $\alpha \mid \gamma$ and $\beta \mid \gamma$ in Z[i], with $\alpha$ and $\beta$ relatively prime, then $\alpha\beta \mid \gamma$.
Corollary 7. For non-zero $\alpha, \beta, \gamma$ in Z[i], $\alpha$ and $\beta$ are each relatively prime to $\gamma$ iff $\alpha\beta$ is relatively prime to $\gamma$.
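The division theorem, Euclid's algorithm and Bezout's theorem above, carried out in code. This is an added example and not part of the dissertation or its GMP implementation: a Gaussian integer a + ib is represented as a pair of Python ints (a, b), the names gdivmod, ggcd, gxgcd and normalize are this example's own, and rounding each coordinate of $\alpha/\beta$ to the nearest integer is exactly the choice of $\gamma = m + in$ made in the proof of Theorem 5.

```python
# Added example: Euclidean division, Euclid's algorithm and Bezout
# coefficients in Z[i]. A Gaussian integer a + ib is the tuple (a, b).

def norm(z):
    """N(a + ib) = a^2 + b^2."""
    a, b = z
    return a * a + b * b

def gadd(x, y):
    return (x[0] + y[0], x[1] + y[1])

def gsub(x, y):
    return (x[0] - y[0], x[1] - y[1])

def gmul(x, y):
    a, b = x
    c, d = y
    return (a * c - b * d, a * d + b * c)

def round_div(n, d):
    """Nearest integer to n/d for d > 0 (|n/d - result| <= 1/2)."""
    return (2 * n + d) // (2 * d)

def gdivmod(alpha, beta):
    """Division theorem: alpha = beta*gamma + rho with N(rho) <= N(beta)/2.
    gamma is alpha/beta = alpha*conj(beta)/N(beta) rounded coordinate-wise,
    the choice of m + in in the proof of Theorem 5."""
    if beta == (0, 0):
        raise ZeroDivisionError("division by zero in Z[i]")
    a, b = alpha
    c, d = beta
    nb = norm(beta)
    re, im = a * c + b * d, b * c - a * d      # alpha * conj(beta)
    gamma = (round_div(re, nb), round_div(im, nb))
    rho = gsub(alpha, gmul(beta, gamma))
    assert 2 * norm(rho) <= nb
    return gamma, rho

def ggcd(alpha, beta):
    """Euclid's algorithm (Theorem 6): the last non-zero remainder."""
    while beta != (0, 0):
        alpha, beta = beta, gdivmod(alpha, beta)[1]
    return alpha

def gxgcd(alpha, beta):
    """Extended Euclid (Theorem 7): (delta, x, y) with delta = alpha*x + beta*y."""
    r0, r1 = alpha, beta
    x0, x1 = (1, 0), (0, 0)
    y0, y1 = (0, 0), (1, 0)
    while r1 != (0, 0):
        q, r = gdivmod(r0, r1)
        r0, r1 = r1, r
        x0, x1 = x1, gsub(x0, gmul(q, x1))
        y0, y1 = y1, gsub(y0, gmul(q, y1))
    return r0, x0, y0

def normalize(z):
    """The unique associate of z != 0 with re > 0 and im >= 0, so that gcds
    (defined only up to a unit, Corollary 3) can be compared."""
    for _ in range(4):
        if z[0] > 0 and z[1] >= 0:
            return z
        z = gmul(z, (0, 1))                    # multiply by the unit i
    return z                                   # only reached for z == 0

def coprime(alpha, beta):
    """Corollary 4: alpha and beta are coprime iff their gcd is a unit."""
    return norm(ggcd(alpha, beta)) == 1

if __name__ == "__main__":
    # The example from the text: 2+i and 2-i have equal norms but are coprime.
    print(gdivmod((2, 1), (2, -1)), coprime((2, 1), (2, -1)))
    d, x, y = gxgcd((1, 3), (3, 3))           # (1+i)(2+i) and (1+i)*3
    print(normalize(d), gadd(gmul((1, 3), x), gmul((3, 3), y)) == d)
```

The assertion inside gdivmod is the bound of Theorem 4; it holds for every input because the rounding error in each coordinate is at most 1/2, and the remainder norm strictly decreases, which is what terminates ggcd and gxgcd.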
2.1.2 Primes in Z[i]
Here, we define primes in Z[i] and classify them.
Lemma 1. For $\alpha \neq 0$ in Z[i], the only Gaussian integers which divide $\alpha$ and have norm equal to $N(\alpha)$ are $\pm\alpha$ and $\pm i\alpha$.
From the above lemma, any divisor of $\alpha$ whose norm is 1 or equal to $N(\alpha)$ is either a unit or a unit multiple of $\alpha$.
Definition 3 (Trivial factors). Let $\alpha \in \mathbb{Z}[i]$ with $N(\alpha) > 1$. There are eight obvious factors of $\alpha$: $\pm 1, \pm i, \pm\alpha, \pm i\alpha$. We call them the trivial factors. The eight trivial factors are analogous to the four trivial factors $\pm 1, \pm n$ of any integer n in Z. Any other factor of $\alpha$ is called a non-trivial factor. Note that the non-trivial factors of $\alpha$ have norm strictly between 1 and $N(\alpha)$.
Definition 4 (Primes in Z[i]). Let $\alpha \in \mathbb{Z}[i]$ with $N(\alpha) > 1$. We call $\alpha$ composite if it has a non-trivial factor. If $\alpha$ has only trivial factors, then it is a prime.
Lemma 2. Let $\pi$ be a prime in Z[i]. Then there is a prime p in Z such that $\pi \mid p$.
Theorem 8. If the norm $N(\alpha)$ of a Gaussian integer is prime in Z, then the Gaussian integer $\alpha$ is prime in Z[i].
The converse is not true, as the following example shows: 3 is a prime in Z and also in Z[i], but N(3) = 9 is not a prime. Describing all Gaussian primes is thus reduced to the problem of factoring every prime in $\mathbb{Z}^+$: the prime factors in Z[i] of all primes $p \in \mathbb{Z}$ give us all the Gaussian primes.
It should be noted that, up to unit multiples, the eight Gaussian integers $\pm(a + ib), \pm(a - ib), \pm(b + ia), \pm(b - ia)$ are just two, $(a + ib)$ and $(a - ib)$, which are conjugates.
Lemma 3. If p is a prime in Z and $p \equiv 1 \pmod 4$, then p can be expressed as a sum of two squares, and vice versa (for odd p).
Lemma 4 (more general). An integer n > 1 is a sum of two squares iff every prime factor of n which is $\equiv 3 \pmod 4$ appears in n with even multiplicity.
Theorem 9. A prime p in $\mathbb{Z}^+$ is composite in Z[i] iff it is a sum of two squares.
Corollary 8. If a prime p in $\mathbb{Z}^+$ is composite in Z[i] and $p \neq 2$, then up to unit multiples p has exactly two Gaussian prime factors, each with norm p.
Corollary 9. If a prime p in $\mathbb{Z}^+$ satisfies $p \equiv 3 \pmod 4$, then it is also a prime in Z[i].
Theorem 10. Let p be a prime in $\mathbb{Z}^+$. The factorization of p in Z[i] is determined by $p \bmod 4$:
i.) $2 = (1 + i)(1 - i) = -i(1 + i)^2$.
ii.) If $p \equiv 1 \pmod 4$, then $p = \pi\bar{\pi}$ is a product of two conjugate primes $\pi$ and $\bar{\pi}$, which are not unit multiples of each other.
iii.) If $p \equiv 3 \pmod 4$, then p remains prime in Z[i].
Now we have a description of all Gaussian primes in terms of primes in Z. We identify them by the following theorem:
Theorem 11. Up to multiplication by units, the primes in Z[i] are of three types:
i.) $\pi = a + ib$ and $\bar{\pi} = a - ib$, where $p = a^2 + b^2$ is a prime in Z and $p \equiv 1 \pmod 4$;
ii.) p, where p is a prime in Z and $p \equiv 3 \pmod 4$;
iii.) $\pi = 1 + i$.
Thus there are infinitely many Gaussian primes, since the primes in Z[i] are either the factors of primes $q \equiv 1 \pmod 4$ or the primes $p \equiv 3 \pmod 4$, and there are infinitely many of each. Whether one can walk to infinity on the Gaussian primes taking steps of bounded length is the Gaussian moat problem discussed in [22]; it is open, and the results known so far are negative, ruling out walks with small step lengths.
2.1.3 Unique factorization in Z[i]
Theorem 12. Every $\alpha \in \mathbb{Z}[i]$ with $N(\alpha) > 1$ is a product of primes in Z[i] (Ref [4]).
Lemma 5. Let $\pi$ be a prime in Z[i]. For Gaussian integers $\alpha_1, \alpha_2, \ldots, \alpha_r$, if $\pi \mid \alpha_1\alpha_2\cdots\alpha_r$ then $\pi$ divides some $\alpha_j$.
Theorem 13 (Unique factorization). Any $\alpha \in \mathbb{Z}[i]$ with $N(\alpha) > 1$ has a unique factorization into primes in the following sense: if
$$\alpha = \pi_1\pi_2\cdots\pi_r = \pi'_1\pi'_2\cdots\pi'_s,$$
where the $\pi_i$ and $\pi'_j$ are primes in Z[i], then r = s and, after a suitable renumbering, each $\pi_i$ is a unit multiple of $\pi'_i$ (Ref [4]).
2.1.4 Factorization Algorithm in Z[i]
One way to factor a given Gaussian integer is to first factor the norm and then find the appropriate Gaussian integer factors. The algorithm is as follows.
Let a + ib be the Gaussian integer to be factored, where $a \neq 0$, $b \neq 0$ and $\gcd(a, b) = 1$. (Because gcd(a, b) = 1, no prime $p \equiv 3 \pmod 4$ divides a + ib, by Theorem 2, so every prime factor d of the norm is 2 or a prime $\equiv 1 \pmod 4$ and is therefore a sum of two squares.)
Pseudo code:
factorize(a + ib)
{
    do {
        n = a^2 + b^2;                          /* the norm N(a + ib) */
        d = smallest non-trivial factor of n;   /* d == n when n is prime */
        if (d == n)
            a + ib is prime;                    /* Theorem 8: prime norm */
        else {
            find [x, y] such that x^2 + y^2 = d;
            q1 = divide [a, b] by [x, y];        /* (a + ib)(x - iy) / d */
            q2 = divide [a, b] by [x, -y];       /* (a + ib)(x + iy) / d */
            if ([x, y] exactly divides [a, b]) {
                print factor of [a, b] = [x, y];
                [a, b] = q1;
            } else {                            /* then [x, -y] divides [a, b] */
                print factor of [a, b] = [x, -y];
                [a, b] = q2;
            }
        }
    } while (d < n);
}
It should be noted that the factorization problem for Gaussian integers is as complex as the factorization problem for ordinary integers: factoring $\alpha$ reduces to factoring $N(\alpha)$ as above, and conversely a factorization of the Gaussian integer n yields the factorization of the integer n by taking norms.
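The norm-based factorization above, as an added worked example rather than the dissertation's own code. It drops the restriction gcd(a, b) = 1 by also handling the factors 2 and $p \equiv 3 \pmod 4$ of the norm as Theorem 10 prescribes, and finds $x^2 + y^2 = d$ for a prime $d \equiv 1 \pmod 4$ with Cornacchia's algorithm (a square root of $-1$ modulo d followed by Euclid's algorithm on integers); that choice of algorithm and all helper names are this example's, not the page's.

```python
# Added example: factor a Gaussian integer by factoring its norm.
# alpha = a + ib is the tuple (a, b). Trial division is used for the norm;
# that step is the whole difficulty in general, as the text notes.
from math import isqrt

def norm(z):
    return z[0] * z[0] + z[1] * z[1]

def gmul(x, y):
    a, b = x
    c, d = y
    return (a * c - b * d, a * d + b * c)

def exact_div(alpha, beta):
    """alpha/beta if beta | alpha in Z[i], else None. alpha/beta equals
    alpha*conj(beta)/N(beta), integral iff N(beta) divides both parts."""
    a, b = alpha
    c, d = beta
    nb = norm(beta)
    re, im = a * c + b * d, b * c - a * d
    if re % nb or im % nb:
        return None
    return (re // nb, im // nb)

def factor_int(n):
    """Trial-division factorization of n > 0 as a sorted list of (p, e)."""
    f, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            f[p] = f.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return sorted(f.items())

def two_squares(d):
    """(x, y) with x^2 + y^2 = d for a prime d = 1 (mod 4), via Cornacchia:
    r^2 = -1 (mod d) from a quadratic non-residue c (r = c^((d-1)/4)), then
    Euclid on (d, r) until the remainder drops below sqrt(d)."""
    c = 2
    while pow(c, (d - 1) // 2, d) != d - 1:
        c += 1
    r = pow(c, (d - 1) // 4, d)
    r = min(r, d - r)
    a, b = d, r
    while b * b > d:
        a, b = b, a % b
    s = isqrt(d - b * b)
    assert b * b + s * s == d
    return (b, s)

def gaussian_factor(alpha):
    """Return (unit, primes) with alpha = unit * product(primes), primes listed
    with multiplicity. Each p^e in N(alpha) is converted per Theorem 10:
    2 -> (1+i); p = 3 (mod 4) -> p (e is even, Lemma 4); p = 1 (mod 4) ->
    whichever of pi, conj(pi) with N(pi) = p actually divides alpha."""
    if alpha == (0, 0):
        raise ValueError("0 has no prime factorization")
    primes = []
    for p, e in factor_int(norm(alpha)):
        if p == 2:
            for _ in range(e):
                alpha = exact_div(alpha, (1, 1))
                primes.append((1, 1))
        elif p % 4 == 3:
            for _ in range(e // 2):                 # N(p) = p^2 uses two copies
                alpha = exact_div(alpha, (p, 0))
                primes.append((p, 0))
        else:
            x, y = two_squares(p)
            pi, pibar = (x, y), (x, -y)
            for _ in range(e):
                q = exact_div(alpha, pi)
                if q is None:                        # then conj(pi) must divide
                    q, pi_used = exact_div(alpha, pibar), pibar
                else:
                    pi_used = pi
                alpha = q
                primes.append(pi_used)
    assert norm(alpha) == 1                          # what remains is a unit
    return alpha, primes

def reassemble(unit, primes):
    z = unit
    for p in primes:
        z = gmul(z, p)
    return z

if __name__ == "__main__":
    for z in [(3, 4), (1, 3), (0, 7), (5, 0), (-21, 10)]:
        u, ps = gaussian_factor(z)
        print(z, "=", u, "*", ps, reassemble(u, ps) == z)
```

The two_squares step is the "find [x, y] such that x² + y² = d" line of the pseudocode; it is polynomial-time, so nothing in the reduction beyond factoring the norm is expensive.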
2.1.5 Fermat's Little Theorem for Z[i]
Theorem 14. Let $\pi$ be a prime in Z[i]. For any $\alpha$ coprime to $\pi$, we have $\alpha^{N(\pi) - 1} \equiv 1 \pmod{\pi}$.
2.1.6 Residue class systems in Z[i]
Definition 5. The ring of residue classes of the ring R modulo the ideal J is called the residue class ring or factor ring of R mod J and is denoted by R/J.
Since the units of Z[i] are $\pm 1$ and $\pm i$, for any two integers a and b the ideals $\langle a + bi\rangle$, $\langle -a - bi\rangle$, $\langle -b + ai\rangle$ and $\langle b - ai\rangle$ in Z[i] (generated by the four associates of a + bi) are one and the same. Hence $\mathbb{Z}[i]/\langle a + bi\rangle = \mathbb{Z}[i]/\langle -a - bi\rangle = \mathbb{Z}[i]/\langle -b + ai\rangle = \mathbb{Z}[i]/\langle b - ai\rangle$. Also $\mathbb{Z}[i]/\langle 0\rangle = \mathbb{Z}[i]$ and $\mathbb{Z}[i]/\langle 1\rangle = 0$.
Theorem 15 (Equivalence classes in $\mathbb{Z}[i]/\langle\pi^n\rangle$, $\pi$ prime in Z[i]). The equivalence classes of Z[i] modulo a power of a prime are as follows (Ref [5]). Let $\pi$ be a prime with $N(\pi) = q$, $q \equiv 1 \pmod 4$, let p be a prime with $p \equiv 3 \pmod 4$, and let $\lambda = 1 + i$:
$$\mathbb{Z}[i]/\langle\pi^n\rangle = \{[x] : 0 \le x \le q^n - 1\}$$
$$\mathbb{Z}[i]/\langle p^n\rangle = \{[x + iy] : 0 \le x \le p^n - 1,\ 0 \le y \le p^n - 1\}$$
$$\mathbb{Z}[i]/\langle\lambda^{2m}\rangle = \{[x + iy] : 0 \le x \le 2^m - 1,\ 0 \le y \le 2^m - 1\}$$
$$\mathbb{Z}[i]/\langle\lambda^{2m+1}\rangle = \{[x + iy] : 0 \le x \le 2^{m+1} - 1,\ 0 \le y \le 2^m - 1\}$$
The above theorem implies that $\mathbb{Z}[i]/\langle\pi^n\rangle$ has $q^n$ members, $\mathbb{Z}[i]/\langle p^n\rangle$ has $p^{2n}$ members, and $\mathbb{Z}[i]/\langle\lambda^n\rangle$ has $2^n$ members, which shows that the order of $\mathbb{Z}[i]/\langle\beta\rangle$ is $N(\beta)$.
Theorem 16 (Units of the rings $\mathbb{Z}[i]/\langle\pi^n\rangle$). Conditions on the units of the rings $\mathbb{Z}[i]/\langle\pi^n\rangle$ (Ref [5]):
Let [x] be in $\mathbb{Z}[i]/\langle\pi^n\rangle$; then [x] is a unit iff $\gcd(q, x) = 1$.
Let [x + iy] be in $\mathbb{Z}[i]/\langle p^n\rangle$; then [x + iy] is a unit iff at least one of x and y is prime to p.
Let [x + iy] be in $\mathbb{Z}[i]/\langle\lambda^n\rangle$; then [x + iy] is a unit iff $x \not\equiv y \pmod 2$.
2.1.6.1 Euler's function in Z[i]
Using Theorems 15 and 16, Euler's function in Z[i] is as follows (Ref [5]), with $\lambda = 1 + i$, $N(\pi) = q \equiv 1 \pmod 4$ and $p \equiv 3 \pmod 4$:
$$\varphi_{\mathbb{Z}[i]}(\pi^n) = q^n - q^{n-1} = q^{n-1}(q - 1)$$
$$\varphi_{\mathbb{Z}[i]}(p^n) = p^{2n} - p^{2n-2} = p^{2n-2}(p^2 - 1)$$
$$\varphi_{\mathbb{Z}[i]}(\lambda^n) = 2^n - 2^{n-1} = 2^{n-1}$$
Theorem 17. The Gaussian integers $\lambda, \lambda^2, \lambda^3, \pi^n, p, \lambda\pi^n$ and $\lambda p$ have primitive roots. These and their associates are the only Gaussian integers having primitive roots (Ref [5]).
Table 2.1: Primitive Roots in Z[i]
Group | Order | Cyclic
$U(\mathbb{Z}[i]/\langle\pi^n\rangle)$ | $q^{n-1}(q - 1)$ | yes
$U(\mathbb{Z}[i]/\langle p^n\rangle)$ | $p^{2n-2}(p^2 - 1)$ | only if n = 1
$U(\mathbb{Z}[i]/\langle\lambda^n\rangle)$ | $2^{n-1}$ | only if $n \le 3$
Theorem 18 (First Isomorphism Theorem). Let $\phi : G \to H$ be a group homomorphism. Then $\ker(\phi)$ is a normal subgroup of G, $\mathrm{Im}(\phi) \le H$, and there is an isomorphism $G/\ker(\phi) \cong \mathrm{Im}(\phi)$.
Theorem 19. If a > 1 and $a \in \mathbb{Z}^+$, then $\mathbb{Z}[i]/\langle a\rangle \cong \mathbb{Z}_a[i]$ (Ref [6]).
Proof. Define a mapping $\phi : \mathbb{Z}[i] \to \mathbb{Z}_a[i]$ by $\phi(x + iy) = [x]_a + i[y]_a$, where $[\cdot]_a$ denotes the equivalence class modulo a. This mapping is clearly a surjective (onto) ring homomorphism. Since $\phi(a) = [a]_a = [0]_a = 0$, a belongs to $\ker(\phi)$ and hence $\langle a\rangle \subseteq \ker(\phi)$. On the other hand, if $\phi(x + iy) = 0$, then both x and y are congruent to 0 modulo a, so we can write $x = ax'$ and $y = ay'$ for some integers $x'$ and $y'$. Thus $x + iy = ax' + iay' = a(x' + iy')$ lies in $\langle a\rangle$. Therefore $\ker(\phi) = \langle a\rangle$, implying that $\mathbb{Z}[i]/\langle a\rangle \cong \mathbb{Z}_a[i]$.
Theorem 20. If a > 1 and $a \in \mathbb{Z}^+$, then $\mathbb{Z}_a[i]$ is a field iff a is a prime in Z and $a \equiv 3 \pmod 4$ (Ref [6]).
Theorem 21. If a and b are relatively prime integers, then $\mathbb{Z}[i]/\langle a + ib\rangle$ is isomorphic to $\mathbb{Z}_{a^2 + b^2}$ (Ref [6]).
Proof. We assume without loss of generality that a and b are both positive. As a and b are relatively prime, b is relatively prime to $a^2 + b^2$, so $b^{-1}$ exists in $\mathbb{Z}_{a^2 + b^2}$ (i.e., the inverse of the equivalence class of b modulo $a^2 + b^2$ exists). Since $a^2 + b^2 \equiv 0 \pmod{a^2 + b^2}$, we have $a^2 \equiv -b^2 \pmod{a^2 + b^2}$, implying that $(ab^{-1})^2 \equiv -1$.
Define $\phi : \mathbb{Z}[i] \to \mathbb{Z}_{a^2 + b^2}$ by $\phi(x + iy) = x - (ab^{-1})y \bmod (a^2 + b^2)$. Clearly $\phi$ is surjective (onto) and preserves addition.
Let $\alpha = x + iy$ and $\beta = w + iz$ be in Z[i]. Since
$$\phi(\alpha)\phi(\beta) = (x - ab^{-1}y)(w - ab^{-1}z) \equiv xw + a^2b^{-2}yz - ab^{-1}(xz + yw) \equiv (xw - yz) - ab^{-1}(xz + yw) = \phi\big((xw - yz) + i(xz + yw)\big) = \phi\big((x + iy)(w + iz)\big) = \phi(\alpha\beta), \qquad (2.2)$$
$\phi$ preserves multiplication. Moreover, as $\phi(a + ib) = a - ab^{-1}b \equiv 0$, we have $\langle a + ib\rangle \subseteq \ker(\phi)$.
Let $c + id \in \ker(\phi)$ and write $c + id = (a + ib)(x + iy)$, where x and y are rational numbers, i.e., $x = (ac + bd)/(a^2 + b^2)$ and $y = (ad - bc)/(a^2 + b^2)$. Since $0 \equiv \phi(c + id) = c - ab^{-1}d$, multiplying by b gives $0 \equiv bc - ad$, which makes y an integer. Multiplying $c - ab^{-1}d \equiv 0$ instead by $ab^{-1}$ and using $(ab^{-1})^2 \equiv -1$ gives $ab^{-1}c + d \equiv 0$; multiplying by b gives $0 \equiv ac + bd$, so x is also an integer. We conclude $\ker(\phi) \subseteq \langle a + ib\rangle$, which means that $\ker(\phi) = \langle a + ib\rangle$ and thus demonstrates that $\mathbb{Z}[i]/\langle a + ib\rangle$ is isomorphic to $\mathbb{Z}_{a^2 + b^2}$.
2.1.7 Construction of finite fields
Notation:
$\pi$ = a prime in Z[i] of type $a + ib$, with $N(\pi) = q = \pi\bar{\pi}$, where q is a prime in Z and $q \equiv 1 \pmod 4$;
p = a prime in Z with $p \equiv 3 \pmod 4$, which is also a prime in Z[i], with $N(p) = p^2$.
Corollary 10. $\mathbb{Z}[i]/\langle p\rangle$ is isomorphic to $\mathbb{Z}_p[i]$ and is a field (Ref [6]).
Corollary 11. $\mathbb{Z}[i]/\langle\pi\rangle$ is isomorphic to $\mathbb{Z}_q$ and is a field (Ref [6]).
Definition 6. For a prime $p \in \mathbb{Z}$, let $\mathbb{F}_p$ be the set $\{0, 1, 2, \ldots, p - 1\}$ of integers and let $\psi : \mathbb{Z}_p \to \mathbb{F}_p$ be the mapping defined by $\psi([a]) = a$ for $a = 0, 1, 2, \ldots, p - 1$. Then $\mathbb{F}_p$, endowed with the field structure induced by $\psi$, is a finite field, called the Galois field of order p.
2.1.7.1 Constructing extension fields
To construct $\mathbb{F}_{p^m}$, the field extension of $\mathbb{F}_p$ of degree m, we take any monic irreducible polynomial g(x) of degree m over $\mathbb{F}_p$. Then $\mathbb{F}_{p^m} \cong \mathbb{F}_p[x]/(g(x))$; this field contains the m roots of g(x), i.e., it is the splitting field of g(x) over $\mathbb{F}_p$.
To construct an extension field which will be a field of Gaussian integers, $\mathbb{F}_p[i]$, we take m = 2 and find a prime p in Z such that the polynomial $g(x) = x^2 + 1$ is irreducible over $\mathbb{F}_p$, which means that it has no zero in $\mathbb{F}_p$ (Ref [17]).
Lemma 6. For an odd prime p, $x^2 \equiv -1 \pmod p$ has a solution iff $p \equiv 1 \pmod 4$.
Lemma 7. Other than the prime 2, there are only two kinds of primes in Z:
primes $p \equiv 1 \pmod 4$;
primes $p \equiv 3 \pmod 4$.
If we select a prime $p \equiv 3 \pmod 4$, then $x^2 + 1$ is a monic irreducible polynomial over $\mathbb{F}_p$ and one of its roots is $i = \sqrt{-1}$. Hence all the elements of the extension are of the type $a + ib$ where $a, b \in \mathbb{F}_p$. Working in $\mathbb{F}_{p^2}$ is the same as working in $\mathbb{F}_p[i]$.
Theorem 22. Let $\phi$ be the isomorphism $\mathbb{Z}[i]/\langle\pi\rangle \to \mathbb{Z}_q$ of Theorem 21, $q = N(\pi)$. Let $A = g^x \bmod \pi$ and $B = \phi(g)^x \bmod q$. Given $(g, \pi, A)$ in Z[i], finding x is as difficult as finding x given $(\phi(g), q, B)$ in Z.
Proof. As $\mathbb{Z}[i]/\langle\pi\rangle$ is isomorphic to $\mathbb{Z}_q$ by Corollary 11, where q is a prime in Z, the structure of the finite fields over Z[i] is the same as that of the prime fields over Z. Working in $\mathbb{Z}[i]/\langle\pi\rangle$ is equivalent to working in $\mathbb{Z}_q$: $\phi$ and its inverse are efficiently computable, $B = \phi(A)$, and a solution x of either instance is a solution of the other. Hence breaking the DLP on $\mathbb{Z}[i]/\langle\pi\rangle$ involves the same computational complexity as breaking the DLP on GF(q).
Theorem 23. Given a bound on key size, one can obtain much greater security by using finite fields of type $\mathbb{Z}[i]/\langle\pi\rangle$ than the fields $GF(2^n)$ (Ref [18]).
The problem of solving the discrete logarithm problem in finite fields of type GF(q), q prime, is more computationally involved than in the finite fields of type $GF(2^n)$. Given a bound on key size, one can therefore obtain much greater security by using GF(q), where q is a prime in Z, than the fields $GF(2^n)$ (Ref [18]). As the finite field $\mathbb{Z}[i]/\langle\pi\rangle$ is isomorphic to GF(q) and has the same structure, its security is likewise greater than that of $GF(2^n)$ type finite fields of the same size.
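An added example (not the dissertation's code) of the two fields of this section: $\mathbb{Z}_p[i]$ for $p \equiv 3 \pmod 4$, where an inverse is computed through the norm as Theorem 20 allows, and $\mathbb{Z}[i]/\langle\pi\rangle \cong \mathbb{Z}_q$ through the map $\phi$ of Theorem 21, used to carry a discrete-logarithm instance from Z[i] to $\mathbb{Z}_q$ as Theorem 22 describes. The moduli (p = 7, $\pi = 5 + 2i$, q = 29) and the exponent are small constructed values so that the brute-force solver finishes instantly; all function names are this example's own.

```python
# Added example: arithmetic in Z_m[i] (coordinates reduced mod m), the field
# Z_p[i] for p = 3 (mod 4), and the isomorphism phi: Z[i]/<a+ib> -> Z_q of
# Theorem 21 (q = a^2 + b^2), applied to a DLP instance as in Theorem 22.

def zm_i_mul(x, y, m):
    """(a+ib)(c+id) with both coordinates reduced mod m."""
    a, b = x
    c, d = y
    return ((a * c - b * d) % m, (a * d + b * c) % m)

def zm_i_pow(g, e, m):
    """Square-and-multiply in Z_m[i]."""
    result, base = (1, 0), (g[0] % m, g[1] % m)
    while e:
        if e & 1:
            result = zm_i_mul(result, base, m)
        base = zm_i_mul(base, base, m)
        e >>= 1
    return result

def zp_i_inv(x, p):
    """Inverse in Z_p[i] via the norm: (a+ib)^-1 = (a-ib) * (a^2+b^2)^-1 mod p.
    For p = 3 (mod 4) the norm of a non-zero element is never 0 mod p
    (-1 is a non-residue, Lemma 6), which is why Z_p[i] is a field (Theorem 20)."""
    a, b = x
    n = (a * a + b * b) % p
    if n == 0:
        raise ZeroDivisionError("non-invertible element of Z_p[i]")
    ninv = pow(n, -1, p)
    return ((a * ninv) % p, (-b * ninv) % p)

def count_units(m):
    """Number of invertible elements of Z_m[i]; equals m^2 - 1 iff it is a field."""
    return sum(1 for a in range(m) for b in range(m) if (a * a + b * b) % m != 0)

def phi(z, a, b):
    """Theorem 21: x + iy -> x - (a*b^-1)*y mod q, q = a^2 + b^2, gcd(a, b) = 1.
    t = a*b^-1 satisfies t^2 = -1 mod q, so phi is a ring homomorphism with
    kernel <a + ib>; it is well defined on coordinates reduced mod q."""
    q = a * a + b * b
    t = (a * pow(b, -1, q)) % q
    x, y = z
    return (x - t * y) % q

def dlog_bruteforce(g, h, q):
    """Smallest x >= 0 with g^x = h in Z_q (toy solver for tiny q only)."""
    acc = 1
    for x in range(q):
        if acc == h:
            return x
        acc = (acc * g) % q
    return None

def transfer_dlp(g, A, a, b):
    """Theorem 22: the instance (g, pi, A) over Z[i]/<pi>, pi = a + ib, becomes
    the instance (phi(g), q, phi(A)) over Z_q; the same x solves both."""
    q = a * a + b * b
    return dlog_bruteforce(phi(g, a, b), phi(A, a, b), q)

if __name__ == "__main__":
    # Z_7[i] = GF(49): every non-zero element has an inverse; Z_5[i] does not.
    x = (3, 5)
    print(zm_i_mul(x, zp_i_inv(x, 7), 7), count_units(7), count_units(5))
    # pi = 5 + 2i, q = 29, secret exponent 11 (constructed values).
    a, b = 5, 2
    g, x_secret = (2, 3), 11
    A = zm_i_pow(g, x_secret, a * a + b * b)   # g^x reduced mod q, hence mod pi
    print(phi(A, a, b) == pow(phi(g, a, b), x_secret, 29), transfer_dlp(g, A, a, b))
```

Reducing coordinates modulo q is legitimate as a reduction modulo $\pi$ because $q = \pi\bar{\pi} \in \langle\pi\rangle$; the canonical representative in $\mathbb{Z}[i]/\langle\pi\rangle$ is then just $\phi$ of the result, which is also what makes the transfer of the DLP instance free.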
2.1.8 Chinese Remainder Theorem for Z[i]
Theorem 24. If $\mu_1, \mu_2, \ldots, \mu_m \in \mathbb{Z}[i]$ are pairwise coprime, i.e., $\gcd(\mu_i, \mu_j) = 1$ for $i \neq j$, then there exists a solution $x \in \mathbb{Z}[i]$ to the system of simultaneous congruences
$$x \equiv \alpha_1 \pmod{\mu_1},\quad x \equiv \alpha_2 \pmod{\mu_2},\quad \ldots,\quad x \equiv \alpha_m \pmod{\mu_m}.$$
If there exists another solution $x' \in \mathbb{Z}[i]$, then $x \equiv x' \pmod{\mu_1\mu_2\cdots\mu_m}$.
We present an algorithm analogous to Garner's algorithm for CRT computations involving Z[i] in chapter 3.
2.2 Basic Computations Over Z[i]
Some fundamentals:
A number n satisfying $b^{k-1} \le n < b^k$ has k digits to the base b.
Number of digits in n = $\lfloor \log_b n \rfloor + 1$. Hereafter log means the natural logarithm.
Addition of a k-bit number and an l-bit number, where k > l, involves k bit operations. The same holds for subtraction.
Multiplication of a k-bit number by an l-bit number, where k > l, takes l(k + l) bit operations. If k = l then the number of bit operations is $2k^2$. The same holds for division.
2.2.1 Complexity Comparisons
The Big-O Notation:
Let f(n) and g(n) be functions of the positive integer n which take positive, but not necessarily integer, values for all n. We say that f(n) = O(g(n)) if there exists a constant C such that f(n) is always less than C g(n).
Definition 7. Let $f(n_1, n_2, \ldots, n_r)$ and $g(n_1, n_2, \ldots, n_r)$ be two functions whose domains are in the set of all r-tuples of positive integers. Suppose that there exist constants B and C such that, whenever all of the $n_j$ are greater than B, the two functions are defined and positive, and $f(n_1, n_2, \ldots, n_r) < C\,g(n_1, n_2, \ldots, n_r)$. In this case we say that f is bounded by g and we write f = O(g).
2.2.1.1 Addition in Z[i]
Let $\alpha = a + ib$ and $\beta = c + id$. Then $\alpha + \beta = (a + c) + i(b + d)$ involves two additions, a + c and b + d. We represent this as (0M, 2A), which means 0 multiplications and 2 additions.
Let the number of bits in a, b, c, d be k each. Then the number of bit operations required for addition in Z[i] is 2k.
2.2.1.2 Multiplication in Z[i]
Now consider $\alpha\beta = (ac - bd) + i(ad + bc)$, which requires (4M, 2A) when computed directly. The number of bit operations required here is $8k^2 + 2k$.
But a trick reduces this to (3M, 5A), as follows. Let m = ac − bd and n = ad + bc. To compute m and n, we compute x = (a + b)(c + d), y = ac and z = bd. Then m = y − z and n = x − y − z, which involves (3M, 5A), i.e., $6k^2 + 5k$ bit operations.
2.2.1.3 Squaring in Z[i]
Consider $\alpha^2 = (a + ib)^2 = (a^2 - b^2) + i\,2ab$. On direct computation this requires (3M, 2A), i.e., $6k^2 + 2k$ bit operations. Let $m = a^2 - b^2$ and n = 2ab. To compute m and n, we compute x = (a + b)(a − b) and y = ab. Now m = x and n = y + y, which requires (2M, 3A), i.e., $4k^2 + 3k$ bit operations.
2.2.1.4 Norm in Z[i]
To calculate $N(\alpha) = a^2 + b^2$, we require (2M, 1A), i.e., $4k^2 + k$ bit operations.
2.2.1.5 Division in Z[i]
Let us assume $\beta \mid \alpha$. Consider
$$\frac{\alpha}{\beta} = \frac{a + ib}{c + id} = \frac{(a + ib)(c - id)}{N(\beta)} = \frac{(ac + bd) + i(bc - ad)}{N(\beta)} = \frac{ac + bd}{N(\beta)} + i\,\frac{bc - ad}{N(\beta)} = m + in.$$
To calculate m + in, we require (5M, 6A, 2D): the product $(a + ib)(c - id)$ with the (3M, 5A) trick of 2.2.1.2, the norm with (2M, 1A), and two exact divisions. The multiplications and additions involve k-bit numbers, whereas the divisions involve 2k-bit numbers. Hence the total number of bit operations required is $26k^2 + 6k$.
2.2.1.6 Modular Exponentiation and its Complexity
Finding $g^n \bmod p$ is often encountered in modular arithmetic and is called modular exponentiation. Finding it in a very efficient and very fast way has great cryptographic significance. Now we look at the complexity of one faster way of computing modular exponentiation.
2.2.1.7 Repeated Squaring Method (RSM)
We do not present the RSM algorithm here but only discuss the complexity and the bit operations involved, and extend the same to Z[i], showing the bit operations for Z[i] numbers.
Consider $g^x \bmod p$ in Z and $\gamma^x \bmod \pi$ in Z[i].
Let the number of bits in g and $\gamma$ be k.
Let the number of bits in the exponent x be l and let its binary weight (number of 1 bits) be w.
Let the number of bits in p and $\pi$ be n.
For calculating $g^x \bmod p$ using RSM, we require w + l − 1 multiplications and w + l − 1 mod operations. Hence the number of bit operations required is $2(w + l - 1)(k^2 + n^2)$. Similarly, for modular exponentiation in Gaussian integers, $\gamma^x \bmod \pi$, we require l − 1 squarings, w + l − 1 mod operations and w multiplications. Hence the number of bit operations required is
$$(l - 1)(4k^2 + 3k) + (w + l - 1)(26n^2 + 6n) + w(6k^2 + 5k) = (w + l - 1)(4k^2 + 3k) + (w + l - 1)(26n^2 + 6n) + 2w(k^2 + k).$$
Table 2.2: Complexity Comparisons
Operation | Z[i] $(\alpha, \beta)$ | Z (x, y)
Addition | 2k | k
Multiplication | $6k^2 + 5k$ | $2k^2$
Squaring | $4k^2 + 3k$ | $2k^2$
Norm | $4k^2 + k$ | -
Division | $26k^2 + 6k$ | $2k^2$
Mod. Expo. | $(l - 1)(4k^2 + 3k) + (w + l - 1)(26n^2 + 6n) + w(6k^2 + 5k)$ | $2(w + l - 1)(k^2 + n^2)$
Chapter 3
Efficient Gaussian Integer Arithmetic

Introduction

In this chapter, we construct multi-precision algorithms for gaussian integers that are analogous to the efficient multi-precision algorithms well known for Z. In chapter 1, we saw the basic arithmetic operations on gaussian integers, which are carried out by treating the real and imaginary parts separately. But it may be advantageous to treat a gaussian integer as a whole unit of bits and perform the operations on it. If (a_n a_{n−1} ... a_1 a_0) is the base-b representation of a and a_n ≠ 0, then the precision or length of a is n + 1. If n = 0, then a is called a single-precision number; otherwise, a is multi-precision.
3.1 Bit Representations for Z[i]

There are two ways to represent a gaussian integer as binary bits:
- expressing a gaussian integer to a complex radix like (−1 + j) or 2j using binary bits;
- expressing a gaussian integer to an integer radix using complex-binary bits.

We studied these two representations and came up with algorithms that output a bit sequence given a gaussian integer.
3.1.1 Integer Radix Method

In this method [11] the base b is an integer and the digit set D turns out to be gaussian integer bits with norm less than N(b). Let the base be 2. Any gaussian integer a + ib can be written to the base 2 by expressing a and b to the base 2 and then clubbing them to form single gaussian bits with norm < 2.

Examples:

3 + 4i = {i, 1, 1}_2

Explanation:

$$3 + 4i = (0\cdot 2^2 + 1\cdot 2^1 + 1\cdot 2^0) + i(1\cdot 2^2 + 0\cdot 2^1 + 0\cdot 2^0) = 2^2(0 + i) + 2^1(1 + 0) + 2^0(1 + 0) = 2^2(i) + 2^1(1) + 2^0(1) = \{i, 1, 1\}$$

When both a and b are positive, we need the following gaussian bits to express a + ib to base 2.
Table 3.1: Gaussian Binary Bits
xr xi xk
0 0 0
0 1 j
1 0 1
1 1 1 + j
To represent a + ib when either a or b or both are negative, we increase the digit set to D = {0, ±i, ±1, ±(1 + i), ±(1 − i)}. Let us say (1 + i) = a; then D = {0, ±i, ±1, ±a, ±ā}, where ā is the conjugate of a. We require 9 digits, denoted as n(D) = 9, when the base b is 2. For any base b, n(D)_b = 4·bP2 + 1, where bP2 = b!/(b − 2)!.

Examples:

1) b = 2, n(D) = 4·2P2 + 1 = 9

D = {0, ±i, ±1, ±(1 + i), ±(1 − i)}
Figure 3.2: Basic carry operations-II (table of the value digit and carry produced when two gaussian bits x and y are added; the table is not reproduced here)
Addition

1) Add 6 + 4i and −3 − 4i in base 2.

Step 1: Express 6 + 4i to base 2, i.e., 6 + 4i = {1, 1, 0} + i{1, 0, 0} = {(1 + i), 1, 0} = {a, 1, 0}.

Step 2: 3 + 4i = {i, 1, 1}, then −3 − 4i = {−i, −1, −1}.

Adding column-wise:

     a    1    0        (6 + 4i)
    −i   −1   −1        (−3 − 4i)
    ---------------
     1    0   −1   = 1·2² + 0·2 − 1 = 4 − 1 = 3        (3 + 0i)

Figure 3.3: Bin-Gauss Addition
Multiplication

2) Multiply 3 + 4i by 3 + 4i:

(3 + 4i)·(3 + 4i) = −7 + 24i = {i, i, −1, −1, −1}

Column-wise, {i, 1, 1} × {i, 1, 1} with the carry operations gives {−ā, a, 0, 0, 1} = (−16 + 16i) + (8 + 8i) + 1 = −7 + 24i, another valid digit string for the same value.

Figure 3.4: Bin-Gauss multiplication
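The integer-radix representation and the two worked examples above, as an added Python example (this is not code from the dissertation). Digits are kept as (re, im) integer pairs, a representation assumed here; the carry rule splits every column sum into a digit of norm < 2 plus a carry, which is what the figures do by hand.

```python
# Added example (not from the dissertation): integer-radix "gaussian bits" of Section 3.1.1.
# A gaussian integer a+ib is written to base 2 by writing |a| and |b| in binary, giving every
# bit the sign of a (resp. b), and pairing the bits position by position into one gaussian
# digit of norm < 2.  Digits are (re, im) integer pairs from {0, ±1, ±i, ±(1+i), ±(1-i)}.

def signed_bits(n, width):
    """Binary digits of n, least significant first, each carrying the sign of n."""
    sign = -1 if n < 0 else 1
    return [sign * ((abs(n) >> k) & 1) for k in range(width)]

def to_gaussian_bits(a, b):
    """Digits of a+ib to base 2, most significant first; 3+4i -> [(0,1),(1,0),(1,0)] = {i, 1, 1}."""
    width = max(abs(a).bit_length(), abs(b).bit_length(), 1)
    digits = list(zip(signed_bits(a, width), signed_bits(b, width)))
    return digits[::-1]

def from_gaussian_bits(digits):
    """Evaluate a most-significant-first digit string back to (a, b)."""
    a = b = 0
    for dr, di in digits:
        a, b = 2 * a + dr, 2 * b + di
    return a, b

def _split(r):
    """Write a column sum r as digit + 2*carry with digit in {-1, 0, 1}
    (carry truncated towards zero: the basic carry operation of the text)."""
    carry = (abs(r) // 2) * (1 if r >= 0 else -1)
    return r - 2 * carry, carry

def _normalise(columns):
    """Propagate carries through least-significant-first column sums until every
    digit has norm < 2, then drop leading zero digits.  Returns LSB-first digits."""
    out, carry = [], (0, 0)
    for cr, ci in columns:
        dr, kr = _split(cr + carry[0])
        di, ki = _split(ci + carry[1])
        out.append((dr, di))
        carry = (kr, ki)
    while carry != (0, 0):                       # flush the remaining carry
        dr, kr = _split(carry[0])
        di, ki = _split(carry[1])
        out.append((dr, di))
        carry = (kr, ki)
    while len(out) > 1 and out[-1] == (0, 0):
        out.pop()
    return out

def add_bits(x, y):
    """Column-wise addition of two MSB-first digit strings (Figure 3.3)."""
    lx, ly = x[::-1], y[::-1]
    n = max(len(lx), len(ly))
    lx += [(0, 0)] * (n - len(lx))
    ly += [(0, 0)] * (n - len(ly))
    return _normalise([(p[0] + q[0], p[1] + q[1]) for p, q in zip(lx, ly)])[::-1]

def mul_bits(x, y):
    """Schoolbook multiplication of MSB-first digit strings: one shifted row of
    digit products per digit of y, rows accumulated with add_bits (Figure 3.4)."""
    acc = [(0, 0)]
    for j, (yr, yi) in enumerate(y[::-1]):
        row = [(xr * yr - xi * yi, xr * yi + xi * yr) for xr, xi in x[::-1]]
        acc = add_bits(acc, ([(0, 0)] * j + row)[::-1])
    return acc

if __name__ == "__main__":
    total = add_bits(to_gaussian_bits(6, 4), to_gaussian_bits(-3, -4))
    print(total, from_gaussian_bits(total))          # {1, 0, -1} = 3
    sq = mul_bits(to_gaussian_bits(3, 4), to_gaussian_bits(3, 4))
    print(sq, from_gaussian_bits(sq))                # {-(1-i), 1+i, 0, 0, 1} = -7 + 24i
```

Note that the column-wise product comes out as {−(1 − i), (1 + i), 0, 0, 1} while the direct conversion of −7 + 24i gives {i, i, −1, −1, −1}: with a signed digit set the representation is not unique, which is the point the figure makes.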
3.1.2 Complex Radix Representation [10]

In this representation, the radix is a gaussian integer and the digit set consists of integers. For each fixed positive integer n, Katai and Szabo [7] proved that all the gaussian integers can be uniquely represented in the base (−n + i) using the digit set D = {0, 1, 2, 3, ..., n²}. These bases and their conjugates are the only possible ones in which the digit set consists of the natural numbers 0, 1, 2, ..., norm(b) − 1. The base −1 + i provides a binary representation of gaussian integers using 0 and 1 as digits. Here, we consider only the base (−1 + i). Addition and multiplication of two gaussian integers written in positional notation to a base (−n + i) can be performed in the same way as real arithmetic in base 2, except for a change in the carry digits.
3.1.2.1 Arithmetic using complex radix method

bit   bit   value   carry
0     0     0       0
0     1     1       0
1     1     0       110

Figure 3.5: Basic bit addition
Addition:

        1 1 1 0 1 0 1      (1 + 2i)
    +         1 1 1 0      (1 + i)
    ---------------------
              1 0 1 1      (2 + 3i)

    0 + 0 = 0, 0 + 1 = 1, 1 + 0 = 1, 1 + 1 = 0 with carry 110 (i.e., 2 = 1100)

Figure 3.6: Bin-Gauss Addition
Multiplication:

            1 0 1 1              (2 + 3i)
    ×         1 1 0              (−1 − i)
    -------------------------
          1 0 1 1 0              (partial product, shifted once)
        1 0 1 1 0 0              (partial product, shifted twice)
    -------------------------
    1 1 1 0 1 0 0 1 0 1 0        (1 − 5i)

Figure 3.7: Bin-Gauss Multiplication
It should be noted that when numbers represented in negative or complex bases are added, a problem of an infinite series of carry digits occurs even though the sum is finite. This phenomenon can happen whenever a number and its negative can both be represented in the same base using natural numbers as digits. This infinite sequence of carries does not invalidate the arithmetic, because the carry digits all sum to zero after a certain stage. The infinite carry digit phenomenon can be overcome by fixing an upper limit on the number of bits used to represent the gaussian integer.
Example: infinite carry bits. Add i and −i in the base −1 + i.

i = {0 1 1}, −i = {1 1 1}

          0 1 1
    +     1 1 1
    -------------------
    ... 0 0 0 0 0 0 0      (the column sums are all 0 while the carry pattern 1 1 0 keeps propagating to higher positions)

Figure 3.8: Infinite carry sequence
Theorem 25. The number of digits in the sum of two numbers expressed in the base (−n + i) is [10]
1. at most 3 more than the number in the largest summand if n ≥ 4,
2. at most 5 more if n = 2 or 3,
3. at most 8 more if n = 1.

To express a gaussian integer to a complex base (−n + i) efficiently, Gilbert proposed an algorithm called the clearing algorithm, which uses the minimal polynomial of the base (−n + i). The minimal polynomial of a complex base b = −n + i is b² + 2nb + norm(b).
3.1.3 Clearing Algorithm

- Let a_r be the coefficient of the smallest power of b which lies outside the range from 0 to n².
- Find an integer s such that 0 ≤ a_r + s·norm(b) ≤ n².
- Add s·b^r times the minimal polynomial to clear the r-th coefficient.

The clearing algorithm always terminates, as the minimal polynomial of the base is used in the reduction of the coefficients [10].
Examples:

[u, v] = [4, 1]

Let a + ib = 3 + 4i; base = −n + i = −1 + i, where n = 1. Starting from the initial gaussian bits, multiples of the minimal polynomial (coefficients 1, 2, 2) are added step by step until every coefficient is a gaussian bit.

Figure 3.9: gbits by Clearing Algorithm (the step-by-step coefficient table is not reproduced here)
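The base (−n + i) representation and the clearing algorithm, as an added Python example (not code from the dissertation or from Gilbert's paper). It assumes the initial coefficient vector for a + ib is [a + nb, b] (because i = b + n when b = −n + i); with n = 1 it reproduces the gbit strings of Figures 3.6 and 3.7, and it works for any n, not only the binary case the text uses. The two arithmetic examples are checked by converting the computed sum and product rather than by re-implementing the carry rules.

```python
# Added example (not from the dissertation): complex-radix representation of Section 3.1.2
# with base B = -n+i and digit set {0, 1, ..., n^2}, and the clearing algorithm of 3.1.3.
# The minimal polynomial of B is B^2 + 2n*B + (n^2+1); its coefficients (1, 2n, norm)
# are what each clearing step adds (scaled by s*B^r).  Gaussian integers are (re, im) pairs.

def powers_of_base(n, count):
    """B^0, B^1, ..., B^(count-1) for B = -n+i as (re, im) pairs."""
    pows, cur = [], (1, 0)
    for _ in range(count):
        pows.append(cur)
        cur = (cur[0] * -n - cur[1], cur[0] + cur[1] * -n)    # cur * (-n + i)
    return pows

def value_of(digits, n):
    """Evaluate a most-significant-first digit list in base -n+i."""
    pows = powers_of_base(n, len(digits))
    re = sum(d * p[0] for d, p in zip(digits[::-1], pows))
    im = sum(d * p[1] for d, p in zip(digits[::-1], pows))
    return re, im

def clearing_algorithm(a, b, n):
    """Digits of a+ib in base -n+i (most significant first) by the clearing algorithm:
    start from a+ib = (a + n*b) + b*B (assumed initial vector, since i = B + n), then
    repeatedly clear the lowest coefficient outside 0..n^2 by adding s*B^r times the
    minimal polynomial, with s chosen so that 0 <= a_r + s*norm <= n^2."""
    norm = n * n + 1
    coef = [a + n * b, b]                        # coef[r] multiplies B^r
    while True:
        bad = [r for r, c in enumerate(coef) if not 0 <= c <= n * n]
        if not bad:
            break
        r = bad[0]
        s = -(coef[r] // norm)                   # coef[r] + s*norm == coef[r] mod norm
        coef += [0, 0]
        coef[r] += s * norm
        coef[r + 1] += s * 2 * n
        coef[r + 2] += s
    while len(coef) > 1 and coef[-1] == 0:
        coef.pop()
    return coef[::-1]

def gbits(a, b):
    """Binary gbits of a+ib (base -1+i) as a string, e.g. '1111101' for 3+4i."""
    return "".join(str(d) for d in clearing_algorithm(a, b, 1))

def gmul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

if __name__ == "__main__":
    print(gbits(3, 4))                                  # 1111101
    print(gbits(1, 1), "+", gbits(1, 2), "=", gbits(2, 3))        # Figure 3.6
    print(gbits(2, 3), "x", gbits(-1, -1), "=", gbits(*gmul((2, 3), (-1, -1))))  # Figure 3.7
```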
3.2 Division Algorithms

Division is one of the important arithmetic operations. It is the most complicated and costly of the basic multiprecision operations. In this section, we discuss different approaches to division for gaussian integers, which include the direct method of division and the lattice method proposed by Steve Benson. We then show that constructing a binary-analog division algorithm for gaussian integers is difficult. The division theorem for gaussian integers stated in chapter 2 is reproduced here.

Theorem 26 (Division Theorem). For a dividend and a nonzero divisor in Z[i], there are a quotient and a remainder in Z[i] such that dividend = quotient · divisor + remainder and N(remainder) < N(divisor). In fact we can choose the remainder so that N(remainder) ≤ (1/2)·N(divisor).
3.2.1 Direct Method

The direct method involves rationalization of the denominator and finding the real and imaginary parts of the quotient and remainder separately.

Consider a + ib and c + id in Z[i].

$$\frac{a+ib}{c+id} = \frac{(a+ib)(c-id)}{N(c+id)} = \frac{(ac+bd) + i(bc-ad)}{N(c+id)} = \frac{ac+bd}{N(c+id)} + i\,\frac{bc-ad}{N(c+id)}$$

Now, we define a rounding function as follows: if the fractional part of a number is less than 0.5, the function returns its floor; otherwise it returns its ceiling. Let m and n be the rounded values of (ac + bd)/N(c + id) and (bc − ad)/N(c + id) respectively. Then the quotient is m + in and the remainder is (a + ib) − (m + in)(c + id), both in Z[i]. We can get a maximum of 4 possible quotients and 4 possible remainders which satisfy the division theorem. But the rounding function is defined in such a way that we get the least-norm remainder and the nearest quotient.

To calculate the quotient and remainder, we require (5M, 6A, 2D). If the number of binary bits in a, b, c, d is k, then multiplications and additions involve k-bit numbers, whereas divisions involve 2k-bit numbers, as the divisor is N(c + id). Hence the total number of bit operations required is 26k² + 6k.

The disadvantages of the direct method are: (i) division is implemented separately for the real and imaginary parts, hence division has to be done twice; (ii) division is done twice by N(c + id), which has double the number of bits (2k). The bit operations required are more, thus making the operation costly.
3.2.2 Lattice Method

Introduction

The lattice method is proposed by Steve Benson [9]. This is a geometric approach to division. We mention the propositions he made in his paper and present the algorithm. To make the algorithm efficient we suggest certain modifications and explain the modified algorithm through an example.

Theorem 27. If a and b are integers, b ≠ 0, then a is less than a distance of |b| from an integral multiple of b.

a is either a multiple of b (say k|b|) or a lies between two consecutive multiples of b (say k|b| and (k + 1)|b|). Let r be the distance of a from k|b|; then |r| < |b|, i.e., a lies no farther than |b|/2 from a multiple of b.

Theorem 28. If a, b ∈ Z and b ≠ 0, then a is no farther than a distance of |b|/2 from some integral multiple of b.

Now extending the above two theorems to gaussian integers, we have the following.

Theorem 29. If a + ib and c + id are gaussian integers and c + id ≠ 0, then a + ib is less than a distance of |c + id| from a multiple of c + id.

It should be noted that the multiple can be a gaussian integer multiple, not just an integer multiple.

Theorem 30. If a + ib and c + id are in Z[i] and c + id ≠ 0, then a + ib is no farther than a distance of |c + id|/2 from a multiple of c + id. More precisely, there are gaussian integers q (the quotient) and r (the remainder) such that a + ib = q(c + id) + r, where |r| ≤ |c + id|/2.

The following algorithm gives the 4 possible quotients and 4 possible remainders when c + id divides a + ib using the lattice method.

Algorithm:

- Draw a line (L1) through the point (c, d) passing through the origin and a line (L2) perpendicular to L1 passing through the origin.
- With side length s, where s = √(c² + d²), form squares on lines L1 and L2 over the whole xy plane.
- Locate the point (a, b) on the xy plane.
- Let the 4 vertices of the square in which the point (a, b) lies be q1, q2, q3, q4 (as multiples of c + id, i.e., the candidate quotients); then r_j = (a + ib) − (c + id)·q_j for j = 1, 2, 3, 4.
- For j = 1 to 4, check |r_j| < |c + id|. All the r_j satisfying this condition and the corresponding q_j are the required remainders and quotients respectively.

In the above approach, Steve uses the absolute value instead of the norm as the condition for calculating remainders. But calculation of the absolute value of a gaussian integer involves computing a square root, which is a complex and costly operation. We modify this method by using the norm as the condition for division and thus eliminate the square root computations. Our modified method solves two linear equations using Cramer's method. We express the point (a, b) as a linear combination of the points (c, d) and (−d, c), i.e.,

$$\begin{pmatrix} a \\ b \end{pmatrix} = x \begin{pmatrix} c \\ d \end{pmatrix} + y \begin{pmatrix} -d \\ c \end{pmatrix}$$

The coefficients x and y are computed by solving the above equation using Cramer's method. From the coefficients we calcul­ate the 4 quotients (q1, q2, q3, q4) with respect to the axes L1, L2. By transforming the values of the quotients to the xy axes, we get the actual quotients. The following example explains the process.
Example: Let a + ib = 9 + 4i and c + id = 3 + 2i. We find the 4 possible quotients (q1, q2, q3, q4) and remainders when 9 + 4i is divided by 3 + 2i.

Figure 3.10: lattice method (the point 9 + 4i plotted against the lattice spanned by 3 + 2i along L1 and L2, with the four surrounding vertices q1 to q4; the figure is not reproduced here)

Division by the norm can be eliminated if an efficient method to solve two linear equations is designed.
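The direct method of 3.2.1 and the four lattice candidates of 3.2.2, as an added Python example (not code from the dissertation or from Benson's paper); it also covers the exact-division case of Section 2.2. Gaussian integers are (re, im) tuples, a representation assumed here. Rounding each part of the exact quotient to the nearest integer gives the least-norm remainder; taking floor and ceiling of each part instead gives the four lattice vertices, and the remainder test N(r) < N(c + id) selects the admissible ones.

```python
# Added example (not from the dissertation): direct division (Section 3.2.1) and the four
# candidate quotients of the lattice method (Section 3.2.2).  With N = c^2 + d^2 the exact
# quotient is ((ac+bd) + i(bc-ad)) / N; everything stays in rational-integer arithmetic.

def norm(z):
    return z[0] * z[0] + z[1] * z[1]

def gmul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def gsub(x, y):
    return (x[0] - y[0], x[1] - y[1])

def round_div(x, n):
    """Nearest integer to x/n for integers x and n > 0; a fractional part of exactly
    .5 rounds up, which is the rounding rule of the text."""
    return (2 * x + n) // (2 * n)

def exact_quotient_numerators(alpha, beta):
    """(ac+bd, bc-ad, N(beta)) so that alpha/beta = (re + i*im) / N."""
    (a, b), (c, d) = alpha, beta
    return a * c + b * d, b * c - a * d, norm(beta)

def gdivmod(alpha, beta):
    """Nearest quotient and least-norm remainder; N(rem) <= N(beta)/2 always holds."""
    re, im, n = exact_quotient_numerators(alpha, beta)
    q = (round_div(re, n), round_div(im, n))
    return q, gsub(alpha, gmul(q, beta))

def lattice_quotients(alpha, beta):
    """The (quotient, remainder) pairs from floor/ceil of each part of the exact
    quotient (the four vertices of the lattice square around alpha), keeping those
    whose remainder satisfies the division theorem N(rem) < N(beta)."""
    re, im, n = exact_quotient_numerators(alpha, beta)
    out = []
    for qr in (re // n, -(-re // n)):             # floor and ceiling
        for qi in (im // n, -(-im // n)):
            q = (qr, qi)
            r = gsub(alpha, gmul(q, beta))
            if norm(r) < norm(beta) and (q, r) not in out:
                out.append((q, r))
    return out

if __name__ == "__main__":
    print(gdivmod((9, 4), (3, 2)))          # ((3, 0), (0, -2)): nearest quotient 3, remainder -2i
    for q, r in lattice_quotients((9, 4), (3, 2)):
        print("quotient", q, "remainder", r, "norm", norm(r))
    print(gdivmod((5, 5), (1, 2)))          # exact: (5+5i)/(1+2i) = 3 - i, remainder 0
```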
3.3 Other Z[i] Algorithms

In this section, we construct multiprecision algorithms for Z[i] that are analogous to efficient multiprecision algorithms well known for Z. First, we show the problems involved in constructing an efficient binary division analog for Z[i] and then present other analogous algorithms like the binary extended gcd algorithm, the Chinese remainder theorem for Z[i] and Garner's algorithm.
3.3.1 Binary division

We saw in the initial sections of this chapter that we get a binary-like representation for gaussian integers with digit set D = {0, 1} when the base b = (−1 + i). We shall call these binary-like bits gbits. But the nice properties of the binary representation of integers do not extend to the binary-like representation of gaussian integers. Some of the difficulties we face while constructing a binary-like division algorithm for gaussian integers are as follows:

(i) Let one gaussian integer have n gbits and another have m gbits. If n > m, it does not follow that the norm of the first is greater than the norm of the second. But in the binary representation of integers we can easily say a > b if L(a) > L(b), where L() is the number of binary bits. The above property of the binary representation of integers makes certain operations like the comparison of two integers look just symbolic, while it becomes a costly operation in the Z[i] case, as the norms of the respective gaussian integers have to be computed.

(ii) In binary division for integers, finding the nearest quotient is easy as it just involves shifting bits appropriately, which is again a symbolic operation. But a nearest quotient cannot be found so easily by shifting the gbits in the case of Z[i] because of the difficulty pointed out in (i).

The above two facts make constructing a binary division analog for gaussian integers difficult.
3.3.2 GCD Algorithms for Z[i]

In chapter 2, we discussed the gcd, Euclid's algorithm and Bezout's algorithm for Z[i]. Here, we present the (1+i)-ary algorithm for Z[i], due to Weilert [13], that is analogous to the binary gcd algorithm.
3.3.2.1 (1+i)-ary GCD Algorithm

Let A = a + ib and B = c + id where a, b, c, d ∈ Z.

Pseudo code:
Input: A, B ∈ Z[i] and m = 1 + i
Output: g = gcd(A, B)

(1+i)_gcd(A, B) {
    g = 1; m = 1+i;
    while (m|A && m|B) {          /* take out the common (1+i) factors */
        A = A/m;
        B = B/m;
        g = g*m;
    }
    if (A < B)                    /* compared as explained below */
        swap(A, B);
    do {
        while (m | A) A = A/m;    /* make A and B free of the factor (1+i) */
        while (m | B) B = B/m;
        R = A - B;                /* R is again divisible by m */
        if (R < B) {
            A = B;
            B = R;
        }
        else
            A = R;
    } while (R != 0);
    g = g*A;
    return(g);
}
The basic observation that a gaussian integer (a + ib) is divisible by (1 + i) iff a ≡ b (mod 2) is useful in implementing the above algorithm efficiently. We state its proof below.

Proof. Consider

$$\frac{a+ib}{1+i} = \frac{(a+ib)(1-i)}{(1+i)(1-i)} = \frac{a+b}{2} + i\,\frac{b-a}{2}.$$

If (1 + i) | (a + ib) ⇒ 2 | (a + b) and 2 | (b − a) ⇒ a ≡ b (mod 2).

The condition whether m | A can be checked by using the above observation, i.e., m | A iff a ≡ b (mod 2). Once a and b are expressed in binary, it is just a symbolic operation to check the condition and find the greatest power of 1 + i that divides A.
The condition (A > B) can be checked as follows [14]:

Let L(A) = the sum of the numbers of binary (base 2) bits in a and b.
Let L(B) = the sum of the numbers of binary (base 2) bits in c and d. Let k = L(A) − L(B).
If k > 1 then |A| > |B| and if k < −1 then |A| < |B|. In other cases, approximations of N(A) and N(B) can be compared.
3.3.3 Extended Euclidean algorithm for Z[i]

Given two gaussian integers A and B, this algorithm computes gaussian integers x1, y1 such that x1·A + y1·B = v, where v = gcd(A, B) ∈ Z[i]. If v = 1, x1 will be the inverse of A modulo B and y1 the inverse of B modulo A.

Algorithm (pseudo code):
INPUT: two gaussian integers A, B and v = gcd(A, B)
OUTPUT: gaussian integers x1 and y1.

extendedgcd()
{
    x0 = 1; y0 = 0;
    x1 = 0; y1 = 1;
    while ((x1 * A + y1 * B) != v)
    {
        q = (x0 * A + y0 * B) / (x1 * A + y1 * B);   /* nearest gaussian quotient */
        t1 = x0 - x1 * q;
        t2 = y0 - y1 * q;
        x0 = x1;
        y0 = y1;
        x1 = t1;
        y1 = t2;
    }
    return(x1, y1);
}

To calculate q, the gaussian division algorithm is used.
3.3.4 (1+i)-ary Extended GCD algorithm for Z[i]

This algorithm is analogous to the binary extended gcd algorithm, except that the gaussian integers are reduced by (1 + i) instead of 2 as done in the integer case.

Algorithm (pseudo code):
INPUT: two gaussian integers A and B.
OUTPUT: gaussian integers x, y and v such that xA + yB = z, where z = gcd(A, B).

{
    g = 1; m = 1+i;
    while (m|A && m|B)
    {
        A = A/m;
        B = B/m;
        g = m*g;
    }
    u = A; v = B;
    x0 = 1; y0 = 0; x1 = 0; y1 = 1;     /* invariants: u = x0*A + y0*B, v = x1*A + y1*B */
    do {
        while (m|u) {
            u = u/m;
            if (m|x0 && m|y0) {
                x0 = x0 / m;
                y0 = y0 / m;
            }
            else {                       /* (x0 + B, y0 - A) gives the same combination */
                x0 = (x0 + B)/m;
                y0 = (y0 - A)/m;
            }
        }
        while (m|v) {
            v = v/m;
            if (m|x1 && m|y1) {
                x1 = x1 / m;
                y1 = y1 / m;
            }
            else {
                x1 = (x1 + B)/m;
                y1 = (y1 - A)/m;
            }
        }
        if (u > v) {                     /* compared by norm */
            u = u - v;
            x0 = x0 - x1;
            y0 = y0 - y1;
        }
        else {
            v = v - u;
            x1 = x1 - x0;
            y1 = y1 - y0;
        }
    } while (u != 0);
    return(x1, y1, g*v);
}
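The (1+i)-ary gcd of 3.3.2 and its extended form above, as an added Python example (not code from the dissertation or from Weilert's paper). Gaussian integers are (re, im) tuples, a representation assumed here. The divisibility test is the a ≡ b (mod 2) rule proved in 3.3.2, and the coefficient update is the (x0 + B, y0 − A) shift of the pseudo code. One step that the page's pseudo code does not write out is included: before subtracting, each operand is multiplied by the unit that makes it congruent to 1 modulo (1+i)³, so that the difference is divisible by (1+i)³ and the larger norm at least halves each round; without that normalisation the subtract-and-strip loop can cycle (for instance on the pair −1, i, where −1 − i strips back to a unit of the same norm).

```python
# Added example (not from the dissertation): (1+i)-ary GCD and extended GCD for Z[i]
# (Sections 3.3.2 and 3.3.4).  Gaussian integers are (re, im) pairs.  The unit
# normalisation before each subtraction is an addition to the page's pseudo code.

UNITS = ((1, 0), (-1, 0), (0, 1), (0, -1))

def gmul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def gsub(x, y):
    return (x[0] - y[0], x[1] - y[1])

def norm(z):
    return z[0] * z[0] + z[1] * z[1]

def divisible_by_1pi(z):
    """(1+i) | a+ib  iff  a = b (mod 2)  (proved in Section 3.3.2)."""
    return (z[0] - z[1]) % 2 == 0

def div_1pi(z):
    """Exact division by 1+i: (a+ib)/(1+i) = ((a+b) + i(b-a)) / 2."""
    a, b = z
    return ((a + b) // 2, (b - a) // 2)

def unit_to_one(z):
    """Unit e with e*z = 1 (mod (1+i)^3) for z not divisible by 1+i.  (1+i)^3 = -2+2i,
    and x+iy is divisible by it iff x+y and y-x are both divisible by 4."""
    for e in UNITS:
        w = gsub(gmul(e, z), (1, 0))
        if (w[0] + w[1]) % 4 == 0 and (w[1] - w[0]) % 4 == 0:
            return e
    raise ValueError("operand is divisible by 1+i")

def ext_gcd_1pi(A, B):
    """Return (x, y, g) with x*A + y*B = g, g a gcd of A and B (unique up to a unit)."""
    if B == (0, 0):
        return (1, 0), (0, 0), A
    g = (1, 0)
    while divisible_by_1pi(A) and divisible_by_1pi(B):      # common (1+i) factors
        A, B, g = div_1pi(A), div_1pi(B), gmul(g, (1, 1))
    # invariants: u = x0*A + y0*B and v = x1*A + y1*B (A, B with common factors removed)
    u, x0, y0 = A, (1, 0), (0, 0)
    v, x1, y1 = B, (0, 0), (1, 0)
    while u != (0, 0):
        while divisible_by_1pi(u):
            u = div_1pi(u)
            if divisible_by_1pi(x0) and divisible_by_1pi(y0):
                x0, y0 = div_1pi(x0), div_1pi(y0)
            else:                                   # same combination, now divisible
                x0, y0 = div_1pi((x0[0] + B[0], x0[1] + B[1])), div_1pi(gsub(y0, A))
        while divisible_by_1pi(v):
            v = div_1pi(v)
            if divisible_by_1pi(x1) and divisible_by_1pi(y1):
                x1, y1 = div_1pi(x1), div_1pi(y1)
            else:
                x1, y1 = div_1pi((x1[0] + B[0], x1[1] + B[1])), div_1pi(gsub(y1, A))
        eu, ev = unit_to_one(u), unit_to_one(v)     # both = 1 mod (1+i)^3, so u-v is
        u, x0, y0 = gmul(eu, u), gmul(eu, x0), gmul(eu, y0)   # divisible by (1+i)^3
        v, x1, y1 = gmul(ev, v), gmul(ev, x1), gmul(ev, y1)
        if norm(u) >= norm(v):
            u, x0, y0 = gsub(u, v), gsub(x0, x1), gsub(y0, y1)
        else:
            v, x1, y1 = gsub(v, u), gsub(x1, x0), gsub(y1, y0)
    return x1, y1, gmul(g, v)

def gcd_1pi(A, B):
    return ext_gcd_1pi(A, B)[2]

if __name__ == "__main__":
    A, B = (6, 3), (1, 3)                        # both multiples of 2+i (constructed)
    x, y, g = ext_gcd_1pi(A, B)
    print(x, y, g, norm(g))                      # g is a unit times 2+i, norm 5
```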
3.3.5 CRT Algorithms for Z[i]

The Chinese Remainder Theorem for Z[i] is discussed in chapter 2. Here, we present algorithms to solve the system of simultaneous congruences in Z[i].

Analogous to Garner's Algorithm:

Garner's algorithm is an efficient method for determining x, 0 ≤ x < M, given v(x) = (v1, v2, ..., vt), the residues of x modulo the pairwise coprime moduli m1, m2, ..., mt, where M = ∏_{j=1}^{t} m_j. Garner's algorithm is for integers. We present an analogous algorithm for gaussian integers.
Pseudo Code:
INPUT: a gaussian integer M = ∏_{j=1}^{t} m_j, with gcd(m_i, m_j) = 1 for all i ≠ j, and a modular representation v(x) = (v1, v2, ..., vt) of x for the m_i.
OUTPUT: the gaussian integer x

CRT()
{
    for (i = 2; i
while implementing cryptographic schemes over Z[i] always belong to Z. Hence, all the exponentiation algorithms can be directly applied to Z[i] with minor or no modifications.
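The extended Euclidean algorithm of 3.3.3 and a Garner-style reconstruction for Z[i] as in 3.3.5 (whose pseudo code is cut off in the text), as an added Python example (not code from the dissertation). Gaussian integers are (re, im) tuples, a representation assumed here; `gdivmod` is the nearest-integer division of 3.2.1 written compactly. Unlike the pseudo code, the Euclidean loop runs until the remainder is zero rather than comparing against a known gcd, since the gcd is only determined up to a unit; the inverse routine divides that unit out.

```python
# Added example (not from the dissertation): extended Euclid in Z[i] (Section 3.3.3) and a
# Garner-style CRT recombination for pairwise coprime Gaussian moduli (Section 3.3.5).

def gmul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def gsub(x, y):
    return (x[0] - y[0], x[1] - y[1])

def gadd(x, y):
    return (x[0] + y[0], x[1] + y[1])

def gdivmod(alpha, beta):
    """Nearest quotient and least-norm remainder (the direct method of Section 3.2.1)."""
    (a, b), (c, d) = alpha, beta
    n = c * c + d * d
    q = ((2 * (a * c + b * d) + n) // (2 * n), (2 * (b * c - a * d) + n) // (2 * n))
    return q, gsub(alpha, gmul(q, beta))

def extended_gcd(A, B):
    """Return (x, y, v) with x*A + y*B = v, v a gcd of A and B (unique up to a unit)."""
    x0, y0, r0 = (1, 0), (0, 0), A
    x1, y1, r1 = (0, 0), (1, 0), B
    while r1 != (0, 0):
        q, r = gdivmod(r0, r1)
        x0, x1 = x1, gsub(x0, gmul(q, x1))
        y0, y1 = y1, gsub(y0, gmul(q, y1))
        r0, r1 = r1, r
    return x0, y0, r0

def is_unit(z):
    return z in ((1, 0), (-1, 0), (0, 1), (0, -1))

def inverse_mod(A, M):
    """A^{-1} mod M.  If x*A + y*M = v with v a unit, then x*conj(v) is the inverse,
    because v*conj(v) = N(v) = 1."""
    x, _, v = extended_gcd(A, M)
    if not is_unit(v):
        raise ValueError("not invertible modulo M")
    return gdivmod(gmul(x, (v[0], -v[1])), M)[1]

def garner_crt(residues, moduli):
    """Recombine x from v_i = x mod m_i (pairwise coprime Gaussian m_i) by Garner's
    mixed-radix sweep x = u_1 + u_2*m_1 + u_3*m_1*m_2 + ...; returns (x mod M, M)."""
    x = gdivmod(residues[0], moduli[0])[1]
    prod = moduli[0]
    for v, m in zip(residues[1:], moduli[1:]):
        c = inverse_mod(prod, m)                       # (m_1 ... m_{i-1})^{-1} mod m_i
        u = gdivmod(gmul(gsub(v, x), c), m)[1]
        x = gadd(x, gmul(u, prod))
        prod = gmul(prod, m)
    return gdivmod(x, prod)[1], prod

if __name__ == "__main__":
    moduli = [(2, 1), (3, 2)]                          # constructed coprime moduli, norms 5 and 13
    secret = (7, 3)
    residues = [gdivmod(secret, m)[1] for m in moduli]
    print(residues, garner_crt(residues, moduli))      # recovers secret modulo (2+i)(3+2i) = 4+7i
```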
Chapter 4
Cryptographic Algorithms

4.1 RSA Scheme

One of the most widely used cryptographic schemes for message encryption and signatures is the RSA scheme. RSA is named after its three inventors, Ron Rivest, Adi Shamir and Leonard Adleman. It gets its security from the difficulty of factoring large numbers. The RSA algorithm is reproduced below.

Table 4.1: RSA Scheme

Public Key (n, e):
  n   product of two primes, p and q (p and q secret)
  e   relatively prime to φ(n), i.e., gcd(φ(n), e) = 1.
Private Key (d):
  d ≡ e^{−1} mod φ(n)
Encrypting:
  c = m^e mod n
Decrypting:
  m = c^d mod n

where φ(n) = (p − 1)(q − 1).
4.1.1 RSA over Z[i]

We can have two cases of the RSA scheme over Z[i], as we have two types of primes in Z[i]: primes that are congruent to 3 mod 4 and primes that are congruent to 1 mod 4.

Case 1: When the primes are of the type p ≡ 3 mod 4

Algorithm:

Table 4.2: RSA Encryption 1 over Z[i]

Public Key (n, e):
  n   product of two primes, p1 and p2 (n = p1·p2)
  e   relatively prime to φ_{Z[i]}(n), i.e., gcd(φ_{Z[i]}(n), e) = 1.
Private Key (d):
  d ≡ e^{−1} mod φ_{Z[i]}(n)
Encrypting:
  c = m^e mod n
Decrypting:
  m = c^d mod n

where φ_{Z[i]}(n) = φ_{Z[i]}(p1·p2) = φ_{Z[i]}(p1)·φ_{Z[i]}(p2) = (p1² − 1)(p2² − 1).

Implementation steps:

- Randomly select two large primes (p1, p2) which are ≡ 3 mod 4. This is done by first selecting a large random prime and then checking whether it is ≡ 3 mod 4.
- Calculate n (= p1·p2) and φ_{Z[i]}(n).
- Select a random e that is coprime to φ_{Z[i]}(n). Find d = e^{−1} mod φ_{Z[i]}(n).

The only difference in implementing RSA over Z[i] is the value φ_{Z[i]}(n), which is very large compared to φ(n). But the security of RSA depends on the hardness of the factorization problem and not on the size of φ(n), i.e., however large a φ(n) one selects, the
hardness of the RSA problem just depends on the factorization of n. In the paper [21], the authors state that one of the advantages of implementing RSA over Z[i] is having a large φ_G(n) value. Their observation is as follows: in Z_n, φ(n) = (p − 1)(q − 1), but in Z[i], φ_G(n) = (p² − 1)(q² − 1); hence, an attempt to find the private key d is more complicated when RSA is implemented over Z[i]. This is not true, because φ_{Z[i]}(n) turns out to be a constant multiple of φ(n), i.e., φ_{Z[i]}(n) = kφ(n), and the cipher text can be decrypted by finding any d = e^{−1} mod kφ(n), i.e., the message encrypted using RSA over Z[i] can even be decrypted by finding a d = e^{−1} mod φ(n) where φ(n) = (p1 − 1)(p2 − 1). Hence, the difficulty is in finding φ(n) from the public keys, and it is not more complicated when RSA is implemented on Z[i]. In the case of gaussian integers the constant multiple turns out to be k = (p + 1)(q + 1), as shown below.

$$\varphi_{Z[i]}(n) = (p^2-1)(q^2-1) = (p-1)(p+1)(q-1)(q+1) = (p-1)(q-1)(p+1)(q+1) = \varphi(n)(p+1)(q+1) = \varphi(n)\,k \tag{4.1}$$

We show below that a message encrypted using RSA over Z[i] can be decrypted by a d = e^{−1} mod φ(n), where φ(n) = (p1 − 1)(p2 − 1).

$$\begin{aligned}
C^d \bmod n &= M^{ed} \bmod n, \quad\text{where } ed - 1 = k_1\varphi_G(n) \\
&= M^{1 + k_1\varphi_G(n)} \bmod n \\
&= M\cdot M^{k_1\varphi_G(n)} \bmod n \\
&= M\cdot M^{k_1 k\varphi(n)} \bmod n \quad\text{since } \varphi_G(n) = k\varphi(n) \\
&= M
\end{aligned} \tag{4.2}$$
Now, using d = e^{−1} mod φ(n):

$$\begin{aligned}
C^d \bmod n &= M^{ed} \bmod n, \quad\text{where } ed - 1 = k_3\varphi(n) \\
&= M^{1 + k_3\varphi(n)} \bmod n \\
&= M\cdot M^{k_3\varphi(n)} \bmod n \\
&= M
\end{aligned} \tag{4.3}$$

Conclusion:

- When RSA is implemented over Z[i], φ_G(n) is larger than φ(n), but as it is just a constant multiple of φ(n), any d = e^{−1} mod φ(n) would decrypt the cipher text.
- A larger φ_G(n) does not make the attempt to find a d more complicated; in fact it is the same as factorizing n.
- RSA over Z[i] is just a particular case when k ≠ 1 in the equation ed − 1 = kφ(n). Here, in the Z[i] case, k happens to be (p + 1)(q + 1).
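Case 1 of Table 4.2 and the decomposition (4.1), as an added Python example (not code from the dissertation or from its GMP implementation). It uses toy primes 7 and 11 and a constructed message; a real deployment would use primes of hundreds of digits and a padding scheme. The exponentiation is the square-and-multiply of 2.2.1.7 with componentwise reduction modulo the rational integer n. One check a practitioner would want is also included: the step M·M^{k₃φ(n)} = M in (4.3) relies on M^{φ(n)} ≡ 1 (mod n), which holds for a rational-integer message coprime to n but not for every Gaussian message (the block exhibits 1 + i mod 77 as an instance where the short exponent returns −M), so the key pair keeps d modulo φ_{Z[i]}(n) as the table prescribes.

```python
# Added example (not from the dissertation): RSA over Z[i] with rational primes p, q = 3 mod 4
# (Table 4.2), the identity phi_Zi(n) = phi(n)*(p+1)*(q+1) of eq. (4.1), and a check of
# decryption with the shorter exponent d' = e^{-1} mod phi(n) from eq. (4.3).
# Messages and ciphertexts are (re, im) pairs reduced componentwise modulo n.

def gmul_mod(x, y, n):
    return ((x[0] * y[0] - x[1] * y[1]) % n, (x[0] * y[1] + x[1] * y[0]) % n)

def gpow_mod(base, exp, n):
    """Square-and-multiply in Z[i]/(n) (the repeated squaring method of Section 2.2.1.7)."""
    result, cur = (1 % n, 0), (base[0] % n, base[1] % n)
    while exp:
        if exp & 1:
            result = gmul_mod(result, cur, n)
        cur = gmul_mod(cur, cur, n)
        exp >>= 1
    return result

def phi_decomposition(p, q):
    """(phi(n), k, phi_Zi(n)) with phi_Zi(n) = k * phi(n) and k = (p+1)(q+1)  -- eq. (4.1)."""
    phi = (p - 1) * (q - 1)
    k = (p + 1) * (q + 1)
    phi_zi = (p * p - 1) * (q * q - 1)
    assert phi_zi == phi * k
    return phi, k, phi_zi

def keypair_zi(p, q, e):
    """Table 4.2: public (n, e), private d = e^{-1} mod phi_Zi(n); needs p, q = 3 mod 4."""
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    _, _, phi_zi = phi_decomposition(p, q)
    d = pow(e, -1, phi_zi)               # ValueError if gcd(e, phi_zi) != 1
    return (n, e), d

def encrypt(m, public):
    n, e = public
    return gpow_mod(m, e, n)

def decrypt(c, d, n):
    return gpow_mod(c, d, n)

def decrypt_with_short_exponent(c, p, q, e):
    """Decrypt with d' = e^{-1} mod phi(n) as in (4.3).  Correct exactly when
    M^{phi(n)} = 1 (mod n), e.g. for a rational-integer M coprime to n."""
    phi = (p - 1) * (q - 1)
    return gpow_mod(c, pow(e, -1, phi), p * q)

if __name__ == "__main__":
    public, d = keypair_zi(7, 11, 7)                 # toy primes: n = 77, phi_Zi = 48*120 = 5760
    print(public, d, phi_decomposition(7, 11))       # (77, 7) 823 (60, 96, 5760)
    m = (23, 45)                                     # constructed Gaussian message
    c = encrypt(m, public)
    print(decrypt(c, d, 77))                         # (23, 45)
    print(decrypt_with_short_exponent(encrypt((23, 0), public), 7, 11, 7))   # (23, 0)
    print(decrypt_with_short_exponent(encrypt((1, 1), public), 7, 11, 7))    # (76, 76) = -(1+i)
```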
Case 2: When the primes are of the type q ≡ 1 mod 4

Algorithm:

Table 4.3: RSA Encryption 2 over Z[i]

Public Key (n, e):
  n   product of two gaussian primes, with norms q1 and q2
  e   relatively prime to φ_{Z[i]}(n), i.e., gcd(φ_{Z[i]}(n), e) = 1.
Private Key (d):
  d ≡ e^{−1} mod φ_{Z[i]}(n)
Encrypting:
  c = m^e mod n
Decrypting:
  m = c^d mod n

where φ_{Z[i]}(n) is the product of the φ_{Z[i]} values of the two gaussian primes, i.e., φ_{Z[i]}(n) = (q1 − 1)(q2 − 1).
4.2 Diffie-Hellman key exchange scheme

Diffie-Hellman was the first public-key algorithm [19] ever invented, way back in 1976. It gets its security from the difficulty of calculating discrete logarithms in a finite field, as compared with the ease of calculating exponentiation in the same field. It is used for key exchange and not to encrypt or decrypt messages. Alice and Bob agree on a large prime p and a primitive element g mod p. These two numbers can be public. Then the protocol is as follows:

Table 4.4: Diffie-Hellman Key Exchange protocol

Alice                                        Bob
1) Chooses a large random integer x          1) Chooses a large random integer y
2) Calculates X = g^x mod p                  2) Calculates Y = g^y mod p
3) Sends X to Bob.                           3) Sends Y to Alice.
4) Alice computes K1 = Y^x mod p             4) Bob computes K2 = X^y mod p.

Both K1 and K2 are equal to g^{xy} mod p. Even an intruder knowing p, g, X, Y cannot calculate g^{xy} mod p. Unless he calculates the discrete logarithm and gets x or y, he cannot solve the problem.

4.2.1 Diffie-Hellman key exchange over Z[i]

Here, Alice and Bob agree on a large gaussian prime of the type a + ib and a primitive element g. These two (the prime and g) can be made public. We know that Z[i]/<a + ib> = Z_q, where N(a + ib) = q and q ≡ 1 mod 4. The algorithm then follows similarly:
Table 4.5: Diffie-Hellman Key Exchange protocol on Z[i]

Alice                                        Bob
1) Chooses a large random integer x          1) Chooses a large random integer y
2) Calculates X = g^x mod (a + ib)           2) Calculates Y = g^y mod (a + ib)
3) Sends X to Bob.                           3) Sends Y to Alice.
4) Alice computes K1 = Y^x mod (a + ib)      4) Bob computes K2 = X^y mod (a + ib).

Both K1 and K2 are equal to g^{xy} mod (a + ib). Even an intruder knowing the prime, g, X, Y cannot calculate g^{xy} mod (a + ib). Unless he calculates the discrete logarithm and gets x or y, he cannot solve the problem.
4.3 Generating gaussian primes

Gaussian primes of the type a + ib are used in cryptographic primitives like the RSA and DH schemes when implemented on Z[i]. To generate such primes randomly, we follow the steps given below in our implementations:

- Randomly select an even number (a) and an odd number (b) until gcd(a, b) = 1.
- Compute q = a² + b².
- Check if q is a prime using any efficient primality test.
- If a² + b² is a prime then a + ib is our required random gaussian prime. Otherwise repeat the steps from the start.

Checking whether a number is even or odd is done by checking the LSB of the binary bit sequence of the number. If LSB = 1 the number is odd, otherwise even. If gcd(a, b) ≠ 1, then a² + b² can never be a prime. Hence such cases of a and b can be avoided by checking for the condition gcd(a, b) = 1. It should be noted that even if gcd(a, b) = 1, a² + b² need not be a prime, as shown by the example: gcd(3, 4) = 1 but 3² + 4² = 25 is not a prime. So, we have to test a² + b² for primality by using any efficient primality test. Once that is done, a + ib will be our required gaussian prime.
4.4 Bit Sizes

While implementing cryptographic primitives on gaussian integer fields of the type Z[i]/<a + ib>, we have the advantage of working with numbers which are half sized. We show below what we mean by half sized and why we get such an advantage.

Proposition: If N(a + ib) < c, where c = 4m² − 3, then all the elements in the field Z[i]/<a + ib> can be uniquely represented as x + iy with |x| ∈ {0, 1, 2, 3, ..., m − 1} and |y| ∈ {0, 1, 2, 3, ..., m − 1}.

Examples:

- Consider Z[i]/<3 + 2i>. We know Z[i]/<3 + 2i> = Z_13. Hence Z[i]/<3 + 2i> = {0, 1, 2, 3, 4, ..., 12} = Z_13. Take m = 3: 4m² − 3 = 33 > cardinality of Z[i]/<3 + 2i>, which means all the elements in the field Z[i]/<3 + 2i> can be uniquely represented as x + iy with |x| ∈ {0, 1, 2} and |y| ∈ {0, 1, 2} as follows:
  Z[i]/<3 + 2i> = {0, 1, 2, −2i, −1 + i, i, 1 + i, −1 − i, −i, 1 − i, 2i, −2, −1}
- Consider Z[i]/<13 + 2i>. We know Z[i]/<13 + 2i> = Z_173. Hence Z[i]/<13 + 2i> = {0, 1, 2, 3, 4, ..., 172} = Z_173. Take m = 7: 4m² − 3 = 193 > cardinality of Z[i]/<13 + 2i>, which means all the elements in the field Z[i]/<13 + 2i> can be uniquely represented as x + iy with |x| ∈ {0, 1, 2, 3, 4, 5, 6} and |y| ∈ {0, 1, 2, 3, 4, 5, 6} as follows:
  Z[i]/<13 + 2i> = {0, 1, 2, 3, 4, 5, 6, −6 − 2i, −5 − 2i, −4 − 2i, ..., 6 + 2i, −6, −5, −4, −3, −2, −1}
- Consider q = 110040101 ≡ 1 (mod 4), a prime in Z. Now, 10490 + i is a prime in Z[i]. We know Z[i]/<10490 + i> = Z_110040101, whose cardinality is 110040101. Z[i]/<10490 + i> = {0, 1, 2, 3, 4, ..., 110040100} = Z_110040101. Let us find the value of m. We have m² = (c + 3)/4 ⇒ m = 5245. For m = 5246, we have c > cardinality of Z[i]/<10490 + i>. Hence, all the elements in Z[i]/<10490 + i> can be uniquely represented as x + iy with |x| ∈ {0, 1, 2, ..., 5245} and |y| ∈ {0, 1, 2, ..., 5245}.
Let the number of binary bits in q be k, i.e., log(q) = k, where q is a prime in Z and q ≡ 1 mod 4. Hence, q can be expressed as a sum of two squares, i.e., q = a² + b². Then a has at most k/2 bits and b has at most k/2 bits, and a + ib will have at most k bits. Consider g ≡ (x + iy) in Z[i]/<a + ib>, where |x| ∈ {0, 1, 2, ..., m − 1} and |y| ∈ {0, 1, 2, ..., m − 1}. Then

$$m^2 = \frac{c+3}{4} = \frac{N(a+ib)+3}{4} = \frac{q+3}{4}$$

$$\log(m^2) = \log\!\left(\frac{q+3}{4}\right) = \log(q) - 2 \quad\Rightarrow\quad \log(m) = \frac{k}{2} - 1$$

The size of m is k/2 bits. Thus, x and y take at most k/2-bit values. Hence, by implementing cryptographic primitives on Z[i] fields, we work with numbers which are at most half sized as compared to the numbers we work with in Z. Security (DLP) remains the same, as per theorem 22, but the computations are made faster.
4.4.1 Faster computations

Table 4.6: Complexity Comparisons

Operations       Z[i]; (a + ib, c + id)    Z; (x, y)
Addition         k                         k
Multiplication   0.75k²                    2k²
Squaring         k²                        2k²
Norm             k²                        -
Division         6.5k²                     2k²

When we work on cryptographic primitives over Z, we choose large (100 digits or more) primes (q). Computations involving such large numbers take more time and hence are slower. But by implementing the cryptographic primitives on Z[i] fields, we choose primes of the type a + ib where a and b are half or even smaller in size as compared to q. This reduces the computation time and makes the computations faster. The table above shows the complexities when basic operations are done on gaussian integers a + ib and c + id where a, b, c, d have k/2 bits each, compared with the complexities of basic operations done on integers x and y having k bits each.
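Sections 4.2.1, 4.3 and 4.4 together, as an added Python example (not code from the dissertation): prime generation by the a² + b² recipe, the least-norm representatives of Z[i]/<a + ib> with the bound m of the Proposition, and the Diffie-Hellman exchange of Table 4.5 run on those representatives. Gaussian integers are (re, im) tuples and reduction modulo the prime is the nearest-integer division of 3.2.1, both assumptions of this block; trial division stands in for the "efficient primality test" the text leaves open, and the seed and exponents are constructed values, not secure parameters. The block reproduces the page's m values (3, 7, 5246) and the 13-element list for 3 + 2i. One caveat it checks instead of the exact coordinate bound: there are only (2m − 1)² pairs with |x|, |y| ≤ m − 1, which is fewer than q once q is large (169 < 173 for 13 + 2i), so the general property the code asserts is N(rep) ≤ q/2, which is what keeps every coordinate at about half the bit length of q.

```python
# Added example (not from the dissertation): Gaussian prime generation (Section 4.3),
# half-size field representatives (Section 4.4) and Diffie-Hellman over Z[i]/<pi>
# (Table 4.5).  Gaussian integers are (re, im) pairs.
import random
from math import gcd, isqrt

def is_prime(n):
    """Trial division, a stand-in for the 'efficient primality test' of the text."""
    if n < 2:
        return False
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return False
    return True

def valid_candidate(a, b):
    """The text's filter: a even, b odd, gcd(a, b) = 1."""
    return a % 2 == 0 and b % 2 == 1 and gcd(a, b) == 1

def random_gaussian_prime(bits, rng=None):
    """Draw even a and odd b with gcd 1 until q = a^2 + b^2 is prime; returns (a, b)."""
    rng = rng or random.Random(2024)           # constructed seed, for reproducibility only
    while True:
        a = rng.getrandbits(bits) & ~1
        b = rng.getrandbits(bits) | 1
        if valid_candidate(a, b) and is_prime(a * a + b * b):
            return (a, b)

def half_size_bound(q):
    """Smallest m with 4m^2 - 3 > q (the m of the Proposition in Section 4.4)."""
    m = isqrt((q + 3) // 4)
    while 4 * m * m - 3 <= q:
        m += 1
    return m

def reduce_mod(z, pi):
    """Least-norm representative of z mod pi via the nearest-integer quotient (3.2.1)."""
    (a, b), (c, d) = z, pi
    n = c * c + d * d
    qr = (2 * (a * c + b * d) + n) // (2 * n)
    qi = (2 * (b * c - a * d) + n) // (2 * n)
    return (a - (qr * c - qi * d), b - (qr * d + qi * c))

def residues(pi):
    """All q = N(pi) elements of Z[i]/<pi>, each as its least-norm x+iy."""
    return [reduce_mod((r, 0), pi) for r in range(pi[0] ** 2 + pi[1] ** 2)]

def max_coordinate(pi):
    """Largest |x| or |y| over the representatives; N(rep) <= q/2 bounds it by isqrt(q//2)."""
    return max(max(abs(x), abs(y)) for x, y in residues(pi))

def pow_mod(g, x, pi):
    """Square-and-multiply in Z[i]/<pi>."""
    result, cur = (1, 0), reduce_mod(g, pi)
    while x:
        if x & 1:
            result = reduce_mod((result[0] * cur[0] - result[1] * cur[1],
                                 result[0] * cur[1] + result[1] * cur[0]), pi)
        cur = reduce_mod((cur[0] * cur[0] - cur[1] * cur[1], 2 * cur[0] * cur[1]), pi)
        x >>= 1
    return result

def diffie_hellman(pi, g, x, y):
    """Table 4.5 with both parties' steps; returns (X, Y, K1, K2) and K1 == K2."""
    X, Y = pow_mod(g, x, pi), pow_mod(g, y, pi)
    return X, Y, pow_mod(Y, x, pi), pow_mod(X, y, pi)

if __name__ == "__main__":
    print(half_size_bound(13), half_size_bound(173), half_size_bound(110040101))   # 3 7 5246
    print(residues((3, 2)))                       # the 13 representatives listed in the text
    print(random_gaussian_prime(12))
    print(diffie_hellman((13, 2), (1, 1), 57, 91))   # constructed exponents; K1 == K2
```

The last two lines of the `__main__` block use 13 + 2i because Z[i]/<13 + 2i> = Z_173; mapping i to a square root of −1 modulo 173 gives an independent way to check K1, and the test below does exactly that.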
Chapter 5
Special Gaussian Primes

In this chapter, we study the behaviour of special primes, integer Mersenne primes and Fermat primes, in the ring of gaussian integers. We then study the gaussian Mersenne primes. Mersenne primes play a vital role in constructing cryptographic primitives. The biggest known primes till date are Mersenne primes. The aim of this chapter is to show that we are not deprived of such large primes by constructing cryptographic primitives over gaussian integer fields. Most of the material in this chapter is referred from [23].

5.1 Mersenne primes

Definition 8 (Mersenne prime). A prime of the type 2^n − 1 is called a Mersenne prime. There are no primes of the form b^n − 1 for any positive integer b other than 2, because b − 1 is a factor of b^n − 1. If b^n − 1 happens to be a prime then its factors should be a unit or itself. But the units in the integers are ±1, i.e., b − 1 = ±1 ⇒ b = 2.

Theorem 31. If 2^n − 1 is a Mersenne prime then n is a prime.

It should be noted that the converse is not true, as shown by the following example: 11 is a prime but 2^11 − 1 = 2047 = 23 × 89 is not a prime.

Theorem 32. A Mersenne prime in Z is also a prime in Z[i].

Proof. We know that if a prime p ∈ Z is ≡ 3 mod 4 then it stays prime in Z[i]. Any prime ≡ 1 mod 4 is not a prime in Z[i]. Let us say p = 2^n − 1 is not a prime in Z[i]; then p ≡ 1 mod 4 ⇒ 2^n − 1 ≡ 1 mod 4 ⇒ 2^n ≡ 2 mod 4. But 2^n ≡ 0 mod 4. Hence, p ≡ 3 mod 4. So, p stays prime in Z[i].
5.1.1 Fermat Primes

A prime of the type 2^{2^n} + 1 is called a Fermat prime. Fermat primes are not primes in Z[i], as 2^{2^n} + 1 ≡ 1 mod 4 and they can be expressed as a² + b².

Some known Fermat primes:
F0 = 2^1 + 1 = 3
F1 = 2^2 + 1 = 5
F2 = 2^4 + 1 = 17
F3 = 2^8 + 1 = 257
F4 = 2^16 + 1 = 65537
5.1.2 Gaussian Mersenne Primes

Not only does an integer Mersenne prime remain prime in Z[i], but there are also gaussian integer Mersenne primes. Gaussian integers have four units (±1, ±i). Now, we have four conditions:

- If b − 1 = 1, we get integer Mersenne primes, which are also primes in Z[i] (Theorem 32).
- If b − 1 = −1, b = 0.
- If b − 1 = i, then b = 1 + i. We can have gaussian Mersenne primes of the type (1 + i)^n − 1.
- If b − 1 = −i, then b = 1 − i. We can have gaussian Mersenne primes of the type (1 − i)^n − 1.

If b − 1 = ±i, then we get the conjugate pairs of numbers (1 ± i)^n − 1 with norms

$$N = 2^n - (-1)^{\frac{n^2-1}{8}}\, 2^{\frac{n+1}{2}} + 1$$

and these can be prime in Z[i] iff the norm N is a prime in Z.

Theorem 33. (1 − i)^n − 1 is a gaussian Mersenne prime iff n = 2, or n is odd and the norm N = 2^n − (−1)^{(n² − 1)/8}·2^{(n + 1)/2} + 1 is a rational prime.
The values of n for the first 23 gaussian Mersenne primes:
2, 3, 5, 7, 11, 19, 29, 47, 73, 113, 151, 157, 163, 167, 239, 241, 283, 353, 367, 379, 457, 997, 1367, 3041, 10141, 14699, 27529, 49207, 77291, 85237, 106693, 160423 and 203789. Gaussian Mersennes share many properties with the regular Mersennes, and Mike Oakes suggests they occur with the same density.
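The chapter's three families of primes, as an added Python example (not code from the dissertation or from [23]). (1 − i)^n − 1 is computed exactly as an (re, im) pair (a representation assumed here) and its norm is tested with a deterministic Miller-Rabin, which is exact for every size reached below; for odd n the norm is compared with the closed form of Theorem 33, the integer Mersenne numbers are checked to be 3 mod 4 (Theorem 32), and the Fermat primes F_k with k ≥ 1 are split into a² + b², which is why they are not prime in Z[i].

```python
# Added example (not from the dissertation): Mersenne, Fermat and Gaussian Mersenne primes
# of Chapter 5.  Gaussian integers are (re, im) pairs.

def is_prime(n):
    """Deterministic Miller-Rabin with the first 12 prime bases (exact for n < 3.3e24)."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gaussian_mersenne(n):
    """(1-i)^n - 1 as an (re, im) pair."""
    re, im = 1, 0
    for _ in range(n):
        re, im = re + im, im - re            # multiply by (1 - i)
    return re - 1, im

def norm(z):
    return z[0] * z[0] + z[1] * z[1]

def norm_formula(n):
    """Theorem 33's closed form N = 2^n - (-1)^((n^2-1)/8) * 2^((n+1)/2) + 1, odd n only."""
    assert n % 2 == 1
    return 2 ** n - (-1) ** ((n * n - 1) // 8) * 2 ** ((n + 1) // 2) + 1

def gaussian_mersenne_exponents(limit):
    """All n <= limit for which (1-i)^n - 1 is a Gaussian Mersenne prime (norm prime in Z)."""
    return [n for n in range(2, limit + 1) if is_prime(norm(gaussian_mersenne(n)))]

def mersenne_stays_prime(p):
    """Theorem 32: 2^p - 1 (p >= 2) is 3 mod 4, so when prime in Z it stays prime in Z[i]."""
    return (2 ** p - 1) % 4 == 3

def fermat_as_two_squares(k):
    """F_k = 2^(2^k) + 1 = (2^(2^(k-1)))^2 + 1^2 for k >= 1, i.e. F_k = N(a + i) with
    a = 2^(2^(k-1)).  (F_0 = 3 is 3 mod 4 and is the one Fermat prime that stays prime.)"""
    a = 2 ** (2 ** (k - 1))
    return a, 1, a * a + 1

if __name__ == "__main__":
    for n in (2, 3, 5, 7, 11):
        print(n, gaussian_mersenne(n), norm(gaussian_mersenne(n)))   # norms 5, 13, 41, 113, 2113
    print(gaussian_mersenne_exponents(50))       # [2, 3, 5, 7, 11, 19, 29, 47], as in the text
    print(fermat_as_two_squares(4))              # (256, 1, 65537)
```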
Chapter 6
RSA Implementation on Z[i] using GMP

GNU MP (Multi-Precision), in short called GMP, is a portable library written in C for arbitrary precision arithmetic on integers, rational numbers, and floating-point numbers. It aims to provide the fastest possible arithmetic for all applications that need higher precision than is directly supported by the basic C types. Many applications use just a few hundred bits of precision; but some applications may need thousands or even millions of bits. GMP is designed to give good performance for both, by choosing algorithms based on the sizes of the operands, and by carefully keeping the overhead at a minimum. The speed of GMP is achieved by using full words as the basic arithmetic type, by using sophisticated algorithms, by including carefully optimized assembly code for the most common inner loops for many different CPUs, and by a general emphasis on speed (as opposed to simplicity or elegance).

Our implementation has two parts. The first part is the generation of the RSA private and public keys and the second part is the message encryption. We achieve the first part by randomly selecting the two primes using the function mpz_nextprime() and then calculating the required private and public keys. The function mpz_nextprime() takes a range as input argument and outputs the next prime from the range. In case-2 of RSA, we select two primes ≡ 3 mod 4; the range is a 50-digit number. The implementation is for academic purposes and does not adhere to the RSA standards. Below is the output of the program showing the private and public keys of case-2 RSA on Z[i].
[root@kadarla case2_rsa]# gcc -lgmp -lm -o Grsa_keys2 Grsa_keys2.c
[root@kadarla case2_rsa]# ./Grsa_keys2
Enter a prime range = 98547554223366987455212258899523321335563222155300
RSA Private Keys:
p1 = 98547554223366987455212258899523321335563222155307
p2 = 98547554223366987455212258899523321335563222155523
phi n = 9431557163680964328140948768329720274491540242202425979950058473985462642918876
3063420594603231522153072401481456253297479591393840029256356332424411789173371
767841087264643819839240282755339567466944
d = 18863114327361928656281897536659440548983080484404851959900116947970925285837752
6126841189206463044306144802962912506594959182787680058512712664848823578346743535
68217452928763967848056551067913493389
-RSA Public Keys:-
(n, e)= (97116204434074565660125164155424608060706582098713072383382143140171072641420
33929754400318413810561, 5 )
For the same range, the keys would differ when RSA is implemented on Z as shown
below:
[root@kadarla root]# gcc -lgmp -lm -o rsakeys-gmp rsakeys-gmp.c
[root@kadarla Zi-gmp]# ./rsakeys-gmp
Enter a prime range = 98547554223366987455212258899523321335563222155300
RSA Private Keys:
p[1] = 98547554223366987455212258899523321335563222155307
p[2] = 98547554223366987455212258899523321335563222155523
phi n = 9711620443407456566012516415542460806070658209871110143229767580042196
839624234883111729191969499732
d = 64744136289383043773416776103616405373804388065807400954865117200281312264
16156588741152794646333155
-RSA Public Keys:-
(n, e) = (97116204434074565660125164155424608060706582098713072383382143140171
07264142033929754400318413810561, 3 )
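The following checks, added here in Python rather than as part of the dissertation's GMP program, recompute φ(n) and d for both runs from the two printed primes and show concretely why the choice of primes matters: p1 and p2 came from the same starting value and differ by only 216, so n = p1 p2 lies just below a perfect square and Fermat's difference-of-squares method recovers both factors at its very first candidate. All long integers are copied from the output above; the function names are my own, and the pair 10007 · 10009 in the demo is a constructed toy case.

```python
"""Consistency and weakness checks on the case-2 keys printed above
(added example; the dissertation's program is C with GMP)."""
from math import isqrt

# Copied from the program output on this page.
P1 = 98547554223366987455212258899523321335563222155307
P2 = 98547554223366987455212258899523321335563222155523
N = int("97116204434074565660125164155424608060706582098713072383382143140"
        "17107264142033929754400318413810561")
E_Z, E_ZI = 3, 5          # public exponents used in the Z and Z[i] runs


def phi_z(p, q):
    """Euler's function of n = p*q in Z."""
    return (p - 1) * (q - 1)


def phi_zi(p, q):
    """Order of the unit group of Z[i]/(pq) for primes p, q = 3 mod 4: such a
    prime stays prime in Z[i] and Z[i]/(p) is the field with p^2 elements."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("case-2 needs primes that are 3 mod 4")
    return (p * p - 1) * (q * q - 1)


def private_exponent(e, phi):
    """d = e^-1 mod phi (modular inverse via pow, Python 3.8+)."""
    return pow(e, -1, phi)


def fermat_factor(n, max_steps=10 ** 6):
    """Fermat's method: find a with a^2 - n a perfect square b^2, so that
    n = (a - b)(a + b).  Returns (p, q, steps) or None; steps counts the
    candidate values of a tried, starting at ceil(sqrt(n))."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for step in range(1, max_steps + 1):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b, step)
        a += 1
    return None


if __name__ == "__main__":
    print("p1 * p2 == n:", P1 * P2 == N)
    print("Fermat on the printed n:", fermat_factor(N))
    print("Fermat on 10007 * 10009 (toy case):", fermat_factor(10007 * 10009))
    print("digits of phi over Z:", len(str(phi_z(P1, P2))),
          " over Z[i]:", len(str(phi_zi(P1, P2))))
    print("d over Z   :", private_exponent(E_Z, phi_z(P1, P2)))
    print("d over Z[i]:", private_exponent(E_ZI, phi_zi(P1, P2)))
```

The recomputed φ and d agree with the two program outputs, and fermat_factor(N) returns the printed p1 and p2 after one candidate. The usual countermeasure is to draw p1 and p2 independently at random from the whole 50-digit range rather than stepping with mpz_nextprime() from one common starting value.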
The value of φ(n) is much larger when RSA is implemented on Z[i]: for a prime p ≡ 3 (mod 4)
the residue ring Z[i]/(p) is a field with p² elements, so φ(n) = (p1² − 1)(p2² − 1) has
twice as many digits as (p1 − 1)(p2 − 1), and d grows accordingly. The next part is
to encrypt a message using the public keys generated above. We do this in steps, writing
5 different functions as shown below:
1. PT2PTN(): This function maps plain text to numbers as follows {a = 0, b = 1, ..., z = 25, (space) = 26}
2. PTN2MBN(): This function divides the plain-text numbers into blocks called message
block numbers, where the message block length is supplied as input
3. MBN2CBN(): This is the RSA encryption function, which uses the public keys to
encrypt the message blocks.
4. CBN2CTN(): This function maps the cipher block numbers to cipher-text numbers,
where the cipher block length is supplied as input.
5. CTN2CT(): This function maps the numbers back to cipher text.
As an example we encrypt the following plain-text using the above generated public keys
of RSA on Z [i]
[root@kadarla case2_rsa]# gcc -lgmp -lm -o Gencrypt2-gmp Gencrypt2-gmp.c
[root@kadarla case2_rsa]# ./Gencrypt2-gmp
Alert_1:: Do you have RSA keys ready? y/n : y
Plain-Text Message = mathematics may be defined as the subject in which we
never know what we are talking about nor whether what
we are saying is true
Message length is = 129
Alphabet Class Number = 27
Enter n = 971162044340745656601251641554246080607065820987130723833821431
4017107264142033929754400318413810561
Actual block length, abl = 69
Minimum Cipher Block Length, cbl = 70
Enter Message-Block-Length For Encryption [Note: mbl < abl] : 43
Message-block-number of plain-text with blocksize(43) ::
mbn[0] = 15754866149035924850212993359496879570471099587086488944416453
mbn[1] = 18331787890887951871819684128671887954495434824983463431010847
mbn[2] = 2026560498171032771030822284718166822523221774816038667153658
Enter Cipher-Block-Length = 70
RSA Encryption STARTS ######
Enter e = 5
cbn[0] = 4667094709720118300123404500992861235764345504619348360427
457137306006109270494152290963108008540539
cbn[1] = 6771550807318265625034943811225787486383476175513776079365
25550264331024291962891193284151371698975
cbn[2] = 100953040395440494220240228946462035324107344786291017643
7904880923119743580518382065251206168177318
Cipher-Text Message = iay tbkdpe enzchjbaeshqpevcwvpqgfdyusfdmbimxzea
dyqfabtcokqrswvnkvsljabemvpcfmqykcucxjtiqd wztwsloyovadzlwdwzjdotdhkoopcfo
fowdmkncyllibdbboybtyysmgfvkbohm yzqsihlumeiliniddlsthiqj msgesbly
znxknurqtlneeqhcwcxnw
The decryption of the cipher text is achieved in a similar way to encryption, by 5 dif-
ferent functions which take the private keys as input. The details are as given below:
1. CT2CTN(): This function maps cipher text to numbers as follows {a = 0, b = 1, ..., z = 25, (space) = 26}
2. CTN2CBN(): This function divides the cipher-text numbers into blocks called cipher
block numbers, where the cipher block length is supplied as input
3. CBN2MBN(): This is the RSA decryption function which uses the private keys to
decrypt the cipher blocks.
4. MBN2PTN(): This function maps the message block numbers to plain-text numbers
where the message block length is supplied as input.
5. PTN2PT(): This function maps the numbers back to plain-text.
[root@kadarla case2_rsa]# gcc -lgmp -lm -o Gdecrypt2-gmp Gdecrypt2-gmp.c
[root@kadarla case2_rsa]# ./Gdecrypt2-gmp
Cipher-Text Message = iay tbkdpe enz chjbaeshqpevcwvpqgfdyusfdmbimxzeady
qfabtcokqrswvnkvsljabemvpcfmqykcucxjtiqd wztwsloyovad
zlwdwzjdotdhkoopcfofowdmkncyllibdbboybtyysmgfvkbohmyzqsih
lumeiliniddlsthiqjmsgesblyzn
Cipher-Text Length = 210
Enter mbl and cbl used in Encryption: 43 70
Message Block Length,mbl = 43
Cipher Block Length,cbl = 70
Cipher-Block-Number of Cipher-Text with blocksize(70) ::
cbn[0] = 466709470972011830012340450099286123576434550461934836
0427457137306006109270494152290963108008540539
cbn[1] = 677155080731826562503494381122578748638347617
551377607936525550264331024291962891193284151371698975
cbn[2] = 10095304039544049422024022894646203532410734478629101764379
04880923119743580518382065251206168177318
RSA Decryption STARTS ######
Enter n = 971162044340745656601251641554246080607065820987130723833
8214314017107264142033929754400318413810561
Enter d = 18863114327361928656281897536659440548983080484404851959
90011694797092528583775261268411892064630443061448029629125
065949591827876800585127126648488235783467435356
8217452928763967848056551067913493389
mbn[0] = 15754866149035924850212993359496879570471099587086488944416453
mbn[1] = 18331787890887951871819684128671887954495434824983463431010847
mbn[2] = 2026560498171032771030822284718166822523221774816038667153658
Plain-Text Message = mathematics may be defined as the subject in which we
never know what we are talking about nor whether what
we are saying is true
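The five encryption functions and their decryption counterparts, written out as an added Python example (not the dissertation's GMP code): message blocks are read as big-endian base-27 integers with a = 0, ..., z = 25 and space = 26, each block is encrypted as m^e mod n without any padding, and each cipher block is written back as exactly cbl base-27 symbols. The keys are derived from the two primes printed earlier in this chapter and the message is the one used above. The function names mirror the page's; the helpers digits_to_int, int_to_digits and block_lengths are my own, and padding a short final block with spaces is my choice.

```python
"""PT -> PTN -> MBN -> CBN -> CTN -> CT and back, as on this page
(added example, not the dissertation's code)."""

ALPHABET = "abcdefghijklmnopqrstuvwxyz "   # a=0 ... z=25, space=26
RADIX = len(ALPHABET)                       # the "Alphabet Class Number", 27

# Primes copied from the key-generation output; keys derived from them.
P1 = 98547554223366987455212258899523321335563222155307
P2 = 98547554223366987455212258899523321335563222155523
N = P1 * P2
E = 5
D = pow(E, -1, (P1 * P1 - 1) * (P2 * P2 - 1))   # case-2 exponent over Z[i]

MESSAGE = ("mathematics may be defined as the subject in which we never know "
           "what we are talking about nor whether what we are saying is true")


def digits_to_int(digits):
    """Big-endian base-27 value: the first symbol is most significant."""
    value = 0
    for d in digits:
        value = value * RADIX + d
    return value


def int_to_digits(value, width):
    """Base-27 digits of value, left-padded with 0 ('a') to exactly width."""
    digits = []
    while value:
        value, r = divmod(value, RADIX)
        digits.append(r)
    if len(digits) > width:
        raise ValueError("value does not fit in %d symbols" % width)
    return [0] * (width - len(digits)) + digits[::-1]


def block_lengths(n):
    """abl = largest k with 27^k <= n, so any block of k symbols is < n;
    cbl = abl + 1 symbols always hold a cipher block since n < 27^(abl+1)."""
    abl = 0
    while RADIX ** (abl + 1) <= n:
        abl += 1
    return abl, abl + 1


def pt2ptn(text):                       # letters and spaces only
    return [ALPHABET.index(ch) for ch in text]


def ptn2mbn(ptn, mbl):
    """Cut into blocks of mbl symbols (last one space-padded), read as integers."""
    ptn = ptn + [ALPHABET.index(" ")] * ((-len(ptn)) % mbl)
    return [digits_to_int(ptn[i:i + mbl]) for i in range(0, len(ptn), mbl)]


def mbn2cbn(mbn, n, e):
    return [pow(m, e, n) for m in mbn]  # textbook RSA, no padding


def cbn2ctn(cbn, cbl):
    return [d for c in cbn for d in int_to_digits(c, cbl)]


def ctn2ct(ctn):
    return "".join(ALPHABET[d] for d in ctn)


def ct2ctn(text):
    return pt2ptn(text)


def ctn2cbn(ctn, cbl):
    return [digits_to_int(ctn[i:i + cbl]) for i in range(0, len(ctn), cbl)]


def cbn2mbn(cbn, n, d):
    return [pow(c, d, n) for c in cbn]


def mbn2ptn(mbn, mbl):
    return [x for m in mbn for x in int_to_digits(m, mbl)]


def ptn2pt(ptn):
    return ctn2ct(ptn)


def encrypt(text, n, e, mbl, cbl):
    return ctn2ct(cbn2ctn(mbn2cbn(ptn2mbn(pt2ptn(text), mbl), n, e), cbl))


def decrypt(cipher_text, n, d, mbl, cbl):
    """Returns the plaintext including any space padding added by ptn2mbn."""
    return ptn2pt(mbn2ptn(cbn2mbn(ctn2cbn(ct2ctn(cipher_text), cbl), n, d), mbl))


if __name__ == "__main__":
    abl, cbl = block_lengths(N)
    mbl = 43
    ct = encrypt(MESSAGE, N, E, mbl, cbl)
    print("abl =", abl, "cbl =", cbl, "cipher-text length =", len(ct))
    print(ct)
    print("round trip ok:", decrypt(ct, N, D, mbl, cbl) == MESSAGE)
```

With mbl = 43 the three message block numbers are the mbn[] values printed above and the cipher text is 210 symbols long. Because p − 1 divides p² − 1, the Z[i] exponent d = e^{-1} mod (p1² − 1)(p2² − 1) is also an inverse of e modulo (p1 − 1)(p2 − 1), which is why a rational-integer message block round-trips under it; the price is an exponent about twice as long as in the Z case. The scheme is textbook RSA: equal 43-symbol blocks always give equal cipher blocks and a block of all 'a' (value 0) encrypts to itself, so a deployment would need randomized padding.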
6.1 Conclusions
We constructed some efficient multi-precision algorithms for Z[i] arithmetic and showed
that the existing cryptographic schemes can be extended to Z[i] fields. The well-defined
Gaussian integer arithmetic and certain advantages it offers when implementing cryptographic
schemes over Z[i] fields, such as smaller keys and faster computations at the same security
level, enable us to develop future cryptographic products using Z[i] fields. One caveat
applies to the RSA variant of this chapter: its public modulus n = p1 p2 is the same rational
integer as in RSA over Z, so factoring n breaks both schemes equally; the gain is in the size
of the message space per modulus (φ(n) is about n² instead of n), not in the hardness of the
underlying factoring problem.
6.2 Future Work
One of the most important operations required in the implementation of cryptographic
protocols is division. Though we could come up with some division algorithms, there
are difficulties in constructing a complete analogue of the binary division algorithm for
Gaussian integers, and such an algorithm is yet to be designed.
References
[1] Kyung Mi Kim, The Cryptanalysis of RSA over Gaussian Integers, unpublished paper.
[2] Boris S. Verkhovsky and Andre Mutovic, Primality Testing Algorithm Using
Pythagorean Integers, International Conference on Computer Science and Information
Systems, June 15-18, 2005.
[3] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory,
2nd ed., Springer-Verlag, 1990.
[4] Keith Conrad, Notes on Gaussian Integers, www.math.uconn.edu/kconrad/math330/Zinotes.pdf
[5] J. T. Cross, The Euler φ-function in the Gaussian integers, Amer. Math. Monthly,
vol. 90 (1983), pp. 518-528.
[6] Greg Dresden and Wayne Dymacek, Finding Factors of Factor Rings over Gaussian
Integers, http://home.wlu.edu/dresdeng/papers/factorrings.pdf
[7] I. Katai and J. Szabo, Canonical number systems for complex integers, Acta
Scientiarum Mathematicarum, 1975, pp. 255-260.
[8] P. Zimmermann, A Proof of GMP Fast Division and Square Root Implementations,
September 2000, http://www.loria.fr/zimmerma/papers
[9] Steve Benson, Euclid's (Gaussian) Algorithm: A Lattice Approach, 25:2, 1994,
pp. 118-124.
[10] William J. Gilbert, Arithmetic in Complex Bases, Mathematics Magazine, Vol. 57,
No. 2 (Mar. 1984), pp. 77-81.
[11] K. Z. Pekmetzi, Complex number multipliers, IEE Proceedings, Vol. 136, Jan 1989.
[12] Donald E. Knuth, An Imaginary Number System, Communications of the ACM,
April 1960, vol. 3, issue 4.
[13] A. Weilert, (1+i)-ary GCD computation in Z[i] as an analogue to the binary GCD
algorithm, J. Symb. Comput., 30, pp. 605-617.
[14] George E. Collins, A Fast Euclidean Algorithm for Gaussian Integers, J. Symbolic
Computation (2002) 33, pp. 385-392.
[15] W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. on
Information Theory, vol. 22, pp. 644-654, 1976.
[16] R. L. Rivest, A. Shamir, and L. M. Adleman, A Method for Obtaining Digital
Signatures and Public-Key Cryptosystems, Communications of the ACM, Vol. 21, no. 2,
Feb 1978, pp. 120-126.
[17] R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and Its
Applications, Cambridge University Press, 1997.
[18] A. M. Odlyzko, Discrete Logarithms in finite fields and their Cryptographic
significance, www.dtc.umn.edu/odlyzko/doc/arch/discrete.logs.pdf
[19] W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. on
Information Theory, vol. 22, pp. 644-654, 1976.
[20] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete
logarithms, IEEE Trans. on Information Theory, vol. 31, pp. 469-472, 1985.
[21] A. N. El-Kassar, Ramzi Haraty, Y. A. Awad and N. C. Debnath, Modified RSA in the
domains of Gaussian integers and polynomials over finite fields, Int. J. Appl. Math.,
2005.
[22] N. Tsuchimura, Computational Results for Gaussian Moat Problem, March 2004,
METR 2004-13.
[23] The Prime Pages - prime number research, records and resources,
http://primes.utm.edu/
Acknowledgments
I express my indebtedness and sincere thanks to Prof. V. R. Sule for seeing potential in
me, for giving me an opportunity to work on this project, and for his constant encourage-
ment during my M.Tech project. I would also like to thank all my colleagues and friends
in the computing lab for their help and support. I am thankful to Amit Kalele for discussions
and also for constant help.
Kiran K Kadarla
June, 2005