Kiran Kadarla MTP Dissertation

  • 7/31/2019 Kiran Kadarla MTP Dissertation

    1/63

    Cryptography and Algorithms over Finite Fields

    built on

    Gaussian Integers

    M.Tech Dissertation

Submitted in partial fulfillment of the requirements

    for the degree of

Master of Technology

    by

    Kiran K Kadarla

    Roll No. 03307904

    Under the guidance of

    Prof. V.R.Sule

    Department of Electrical Engineering

    Indian Institute of Technology, Bombay

    Mumbai - 400 076

    Approval Sheet

The dissertation entitled "Cryptography and Algorithms over Finite Fields built on Gaussian Integers" by Kiran K Kadarla is approved for the degree of Master of Technology.

    Examiner(s)

    Supervisor

    Chairman

    Date:

    Place:

    i

    Contents

    List of Acronyms iv

    List of Tables v

    1 Introduction 1

    1.1 Motivation & Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1.1 Objective of the thesis . . . . . . . . . . . . . . . . . . . . . 2

    1.2 Organization of Dissertation . . . . . . . . . . . . . . . . . . . . . . 2

    1.2.1 Literature Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    2 Gaussian Integers 4

    2.1 Introduction to Gaussian Integers . . . . . . . . . . . . . . . . . . . . . . . 4

    2.1.1 Divisibility in Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

    2.1.2 Primes in Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

    2.1.3 Unique factorization in Z [i] . . . . . . . . . . . . . . . . . . . . . . 8

    2.1.4 Factorization Algorithm in Z [i] . . . . . . . . . . . . . . . . . . . . 9

2.1.5 Fermat's Little Theorem for Z[i] . . . . . . . . . . . . . . . . . . . 10

    2.1.6 Residue class systems in Z [i] . . . . . . . . . . . . . . . . . . . . . 10

2.1.7 Construction of finite fields . . . . . . . . . . . . . . . . . . . . . . 12

    2.1.8 Chinese Remainder Theorem for Z [i] . . . . . . . . . . . . . . . . . 14

    2.2 Basic Computations Over Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . 14

    2.2.1 Complexity Comparisons . . . . . . . . . . . . . . . . . . . . . . . . 15

    3 Efficient Gaussian Integer Arithmetic 18

    3.1 Bit Representations for Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . 18

    3.1.1 Integer Radix Method . . . . . . . . . . . . . . . . . . . . . . . . . 19

    ii

    3.1.2 Complex Radix Representation [10] . . . . . . . . . . . . . . . . . 22

    3.1.3 Clearing Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

    3.2 Division Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

    3.2.1 Direct Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

    3.2.2 Lattice Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

    3.3 Other Z [i] Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

    3.3.1 Binary division . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

    3.3.2 GCD Algorithms for Z [i] . . . . . . . . . . . . . . . . . . . . . . . 29

    3.3.3 Extended Euclidean algorithm for Z [i] . . . . . . . . . . . . . . . . 31

    3.3.4 (1+i)-ary Extended GCD algorithm for Z [i] . . . . . . . . . . . . . 32

    3.3.5 CRT Algorithms for Z [i] . . . . . . . . . . . . . . . . . . . . . . . . 33

    3.3.6 Exponentiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

4 Cryptographic Algorithms 36

    4.1 RSA Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

    4.1.1 RSA over Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

    4.2 Diffie-Hellman key exchange scheme . . . . . . . . . . . . . . . . . . . . . . 40

    4.2.1 Diffie-Hellman key exchange over Z [i] . . . . . . . . . . . . . . . . 40

    4.3 Generating gaussian primes . . . . . . . . . . . . . . . . . . . . . . . . . . 41

    4.4 BitSizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

    4.4.1 Faster computations . . . . . . . . . . . . . . . . . . . . . . . . . . 43

    5 Special Gaussian Primes 44

    5.1 Mersenne primes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5.1.1 Fermat's Primes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

    5.1.2 Gaussian Mersenne Primes . . . . . . . . . . . . . . . . . . . . . . . 45

    6 RSA Implementation on Z[i] using GMP 47

6.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

    6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

    References 54

    Acknowledgments 56

    iii

    Notations

    Z [i] :Set of Gaussian integers

    ,, :Gaussian integers

    :prime in Z [i]

M : Plain text message

    C : Cipher text message

    E() : Encryption algorithm or function

    D() : Decryption algorithm or function

    K : Key

    K1 : Encryption key

    K2 : Decryption key

    Some Fundamental Complexities

Complexity in terms of the number of bit operations for arithmetic operations on integers:

    Addition of a k-bit number and an l-bit number: O(k), where k > l.

    Multiplication of a k-bit number by an l-bit number: O(kl).

    Division of a k-bit number by an l-bit number: O(kl).

    Division modulo p takes O(log^3 p) bit operations.

    Inverse modulo p takes O(log^3 p) bit operations.

    Modular exponentiation by the repeated squaring method, b^n mod m, takes O(log n · log^2 m) bit operations.

    iv

    List of Tables

    2.1 Primitive Roots in Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

    2.2 Complexity Comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

    3.1 Gaussian Binary Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

    4.1 RSA Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

    4.2 RSA Encryption 1 over Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . 37

    4.3 RSA Encryption 2 over Z [i] . . . . . . . . . . . . . . . . . . . . . . . . . . 39

    4.4 Diffie-Hellman Key Exchange protocol . . . . . . . . . . . . . . . . . . . . 40

    4.5 Diffie-Hellman Key Exchange protocol on Z [i] . . . . . . . . . . . . . . . . 41

    4.6 Complexity Comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

    v

    Abstract

The main aim of the project is to construct cryptographic primitives on finite fields defined over gaussian integers and to explore computational advantages, if any. First, cryptographic schemes known over Z are extended to gaussian integers (Z[i]), since these have many common features. Along with this, division, primes, unique factorization and the construction of finite fields over Z[i] are discussed. Then an efficient multi-precision arithmetic is developed for Z[i], analogous to the standard arithmetic over Z. Problems of finite field arithmetic, improving the efficiency of division algorithms, gcd calculation and exponentiation in Z[i] are discussed and different approaches to these problems are tried out. The Diffie-Hellman key exchange scheme is then formulated over these finite fields and some of its advantages are discussed. The security of the discrete logarithm problem (DLP) over these fields is discussed and it is shown that it is as secure as the DLP over GF(p) type fields. Other cryptographic schemes like RSA are formulated on Z[i]. The behaviour of certain well-known primes like Mersenne primes and Fermat primes in Z[i] is discussed. The cryptographic schemes are implemented using the GNU Multi-Precision library in the C language.

    Key Words: Groups, Rings, Fields, Extension fields, Modular Exponentiation, Discrete Logarithm problem, Diffie-Hellman scheme, Elgamal Scheme.

    vi

    Chapter 1

    Introduction

Cryptographic algorithms are implemented using the arithmetic of finite fields. In the present work, we consider the problem of designing cryptographic schemes over finite fields when the prime fields are defined by primes in Z[i], called gaussian primes. We shall call such fields gaussian integer fields. We show implementations of basic cryptographic schemes such as the Diffie-Hellman key exchange scheme and the RSA scheme on gaussian integer fields. Like the ordinary integers, the Gaussian integers form a principal ideal domain, have primes, and have a Euclidean division algorithm, forming a Euclidean domain. In this thesis, we develop efficient algorithms for gaussian integer arithmetic that are analogous to the multi-precision algorithms well known in Z. By implementing cryptographic schemes over these fields, we show that, for the same security factor, the size of the numbers involved in the computations is half of that involved when the scheme is implemented over Z. These algorithms over gaussian integer fields have the potential to reduce the key lengths of cryptographic schemes by half.

    1.1 Motivation & Objective

Gaussian integers (Z[i]) are similar to ordinary integers in many aspects. They have unique factorization and form a Euclidean domain with a division algorithm. Hence it is natural to extend algorithms and cryptographic primitives to finite fields whose prime subfields are defined by primes in Z[i].

    More specifically, the following aspects motivated the work in this thesis.

    Cryptographic schemes over Z[i] do not appear to have been investigated in detail

Ref[1]. Many problems of cryptographic primitives like prime factorization, primality testing etc. are far from being completely understood.

    Primes in Z[i] seem to suggest an advantage: with moderately sized bit-lengths, an equally secure implementation of cryptographic primitives might be possible.

    Arithmetic over Z[i] is likely to be different from arithmetic over Z. Hence, the algorithmic implementation of cryptographic schemes and the construction of efficient multi-precision algorithms over Z[i] deserve further study.

    1.1.1 Objective of the thesis

With the above motivation, the following aims and objectives were formulated for the thesis:

    to develop efficient multi-precision arithmetic algorithms for Z[i];

    to implement different cryptographic primitives on gaussian integer fields.

    The thesis is aimed at highlighting the computational advantages in implementing the above plan of work.

    1.2 Organization of Dissertation

The thesis is organized into 4 parts.

    Literature Survey on Gaussian Integers: This part explains the basic properties of gaussian integers, primes in gaussian integers, residue classes, fields over Z[i], unique factorization and analogues of certain well known theorems like Fermat's little theorem.

    Efficient Implementation of Gaussian Integer Arithmetic: An effort is made to develop efficient multi-precision arithmetic for gaussian integers.

    Cryptographic Algorithms over Z[i] fields: Cryptographic schemes analogous to those of Diffie-Hellman and RSA are constructed.

    Implementations: The different algorithms and protocols mentioned and used in the project are implemented using the GNU Multi-Precision (GMP) library. The code is written in the C language.

    2

    1.2.1 Literature Survey

Most of the introductory part on gaussian integers in Chapter 2 is taken from the standard textbook A Classical Introduction to Modern Number Theory by Ireland and Rosen and from [4], [5], [6]. There are numerous papers published in various journals on gaussian integers. Topics vary from algorithms for Gaussian integer arithmetic (1974) to primality testing using Pythagorean integers, the latest in June 2005 [2]. The paper by George Collins [14], published in 2002, presents a fast Euclidean algorithm for gaussian integers. Though there are papers on the arithmetic of gaussian integers, cryptographic schemes with efficient arithmetic implemented on the finite fields built on gaussian integers do not seem to have been studied in much detail.

    3

    Chapter 2

    Gaussian Integers

    2.1 Introduction to Gaussian Integers

The Gaussian integers are the set Z[i] = {a + ib : a, b in Z}, where i = √(−1). Thus Z[i] is a subset of the complex numbers that is closed under addition, subtraction and multiplication, and forms an integral domain. The ring Z[i] has a clear similarity with Z.

Definition 1 (Norm). For = a + ib in Z[i], its norm, denoted N(), is defined by

    N() = (a + ib)(a − ib) = a^2 + b^2 (2.1)

Norms play a role analogous to absolute values. Norms are integers, and the divisibility properties of norms in Z provide important information about the divisibility properties in Z[i]. We summarize some of the important properties of Z[i] from the references [3], [4]. A primary observation is that the norm of every Gaussian integer is a non-negative integer, but it is not true that every non-negative integer is a norm.

    Example: 6 is a gaussian integer and its norm is 36, but 6 cannot be the norm of any gaussian integer.

Theorem 1. The only Gaussian integers invertible in Z[i] are ±1 and ±i, which are called the units of Z[i].

2.1.1 Divisibility in Z[i]

    We say divides (written as | ) if = for some Z [i] .

    4

Theorem 2. A gaussian integer = a + ib is divisible by an ordinary integer c iff c | a and c | b in Z.

    Theorem 3. For , in Z[i], if | in Z[i] then N() | N() in Z. Ref[3]

    The converse is not true, as the following example shows. Let = 2 + i and = 2 − i. Here N() | N() but does not divide .

    Corollary 1. A Gaussian integer has even norm iff it is a multiple of 1 + i.

Theorem 4 (Division Theorem). For , in Z[i] with ≠ 0, there are , in Z[i] such that = + and N() < N(). In fact we can choose so that N() ≤ (1/2) N().

    Theorem 5. Z[i] is a Euclidean domain.

Proof. Let = a + ib and = c + id and suppose that ≠ 0. Let = r + is, where r and s are rational. Choose integers m, n in Z such that |r − m| ≤ 1/2 and |s − n| ≤ 1/2. Set = m + in. Then is in Z[i] and

    N( ) = (r − m)^2 + (s − n)^2 ≤ 1/4 + 1/4 = 1/2.

    Set = . Then is in Z[i] and either = 0 or

    N() = N(( )) = N() · N( ) ≤ (1/2) N() < N().

    It follows that the norm makes Z[i] into a Euclidean domain.

2.1.1.1 Congruences in Z[i]

    Given three gaussian integers , , , we say that alpha is congruent to modulo , and write mod , if the difference is divisible by . is called the modulus of the congruence.

    Definition 2 (GCD). For non-zero and in Z[i], a greatest common divisor of and is a common divisor with maximal norm.

    Note that the greatest common divisor of two gaussian integers and is not unique. But it is ambiguous only by a unit multiple, i.e., it is unique up to multiplication by units.

    5

Theorem 6 (Euclid's Algorithm on Z[i]). Let , in Z[i] be non-zero. Recursively apply the division theorem, starting with this pair, and make the divisor and remainder in one equation the new dividend and divisor in the next, provided the remainder is not zero: Ref[4]

    = 1 + 1, N(1) < N()

    = 1 2 + 2, N(2) < N(1)

    1 = 2 3 + 3, N(3) < N(2)

    ...

    The last non-zero remainder is divisible by all common divisors of and , and is itself a common divisor, so it is a greatest common divisor of and . Ref[4]

Corollary 2. A greatest common divisor of and has a norm dividing gcd(N(), N()). Gaussian integers with relatively prime norms are relatively prime themselves. But it should be noted that the converse is not true, as the following example shows. Let = 2 + i and = 2 − i. Then gcd(, ) = 1, but gcd(N(), N()) ≠ 1.

    Corollary 3. For non-zero and in Z[i], let be a greatest common divisor produced by Euclid's algorithm. Any greatest common divisor of and is a unit multiple of .

    Theorem 7 (Bezout's Theorem for Z[i]). Let be any greatest common divisor of two non-zero gaussian integers and ; then = x + y for some x, y in Z[i]. Ref[4]

    Corollary 4. The non-zero Gaussian integers and are relatively prime iff 1 = x + y for some x, y in Z[i].

    Corollary 5. Let | in Z[i] with and relatively prime; then | .

    Corollary 6. If | and | in Z[i], with and relatively prime, then | .

    Corollary 7. For non-zero , , in Z[i], and are each relatively prime to iff is relatively prime to .
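As an added worked example (not code from the dissertation), the following Python carries out the division theorem with the nearest-integer rounding used in the proof of Theorem 5, Euclid's algorithm of Theorem 6 and the Bezout coefficients of Theorem 7, including the 2 + i, 2 − i example above. Gaussian integers are represented as (real, imaginary) tuples; the function names are this example's own.

```python
from fractions import Fraction
from math import floor, gcd


def norm(u):
    """N(x + iy) = x^2 + y^2 (Definition 1)."""
    x, y = u
    return x * x + y * y


def add(u, v):
    return (u[0] + v[0], u[1] + v[1])


def sub(u, v):
    return (u[0] - v[0], u[1] - v[1])


def mul(u, v):
    (x, y), (w, z) = u, v
    return (x * w - y * z, x * z + y * w)


def nearest_int(fr):
    """Integer m with |fr - m| <= 1/2 (ties round up), as in the proof of Theorem 5."""
    return floor(fr + Fraction(1, 2))


def divmod_gauss(alpha, beta):
    """Quotient and remainder with N(remainder) <= N(beta)/2 (Theorem 4)."""
    (a, b), (c, d) = alpha, beta
    n = norm(beta)
    if n == 0:
        raise ZeroDivisionError("division by 0 in Z[i]")
    # alpha/beta = (a + ib)(c - id)/N(beta) = r + is with r, s rational
    r = Fraction(a * c + b * d, n)
    s = Fraction(b * c - a * d, n)
    q = (nearest_int(r), nearest_int(s))
    rem = sub(alpha, mul(beta, q))
    assert 2 * norm(rem) <= n, "rounding guarantees N(rem) <= N(beta)/2"
    return q, rem


def gcd_gauss(alpha, beta):
    """Euclid's algorithm (Theorem 6): the last non-zero remainder is a gcd."""
    while beta != (0, 0):
        _, rem = divmod_gauss(alpha, beta)
        alpha, beta = beta, rem
    return alpha


def ext_gcd_gauss(alpha, beta):
    """Extended Euclid: returns (g, x, y) with g = x*alpha + y*beta (Theorem 7)."""
    old_r, r = alpha, beta
    old_x, x = (1, 0), (0, 0)
    old_y, y = (0, 0), (1, 0)
    while r != (0, 0):
        q, rem = divmod_gauss(old_r, r)
        old_r, r = r, rem
        old_x, x = x, sub(old_x, mul(q, x))
        old_y, y = y, sub(old_y, mul(q, y))
    return old_r, old_x, old_y


def normalize(u):
    """Among the four unit multiples of u (Corollary 3), pick the one with
    positive real part and non-negative imaginary part."""
    if u == (0, 0):
        return u
    for _ in range(4):
        if u[0] > 0 and u[1] >= 0:
            return u
        u = mul(u, (0, 1))  # multiply by i
    raise AssertionError("unreachable: some associate lies in the first quadrant")


def norm_gcd(u, v):
    """gcd of the norms in Z, for comparison with Corollary 2."""
    return gcd(norm(u), norm(v))


if __name__ == "__main__":
    alpha, beta = (2, 1), (2, -1)          # the 2 + i, 2 - i example of the text
    g, x, y = ext_gcd_gauss(alpha, beta)
    print("gcd(2+i, 2-i) =", normalize(g), "while gcd of the norms is", norm_gcd(alpha, beta))
    print("Bezout:", x, "* alpha +", y, "* beta =", add(mul(x, alpha), mul(y, beta)))
```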

    6

2.1.2 Primes in Z[i]

    Here, we define primes in Z[i] and classify them.

    Lemma 1. For ≠ 0 in Z[i], the only Gaussian integers which divide and have norm equal to N() are ± and ±i. From the above lemma, any divisor of whose norm is 1 or equal to N() is either a unit or a unit multiple of .

    Definition 3 (Trivial factors). Let be in Z[i] with N() > 1. There are eight obvious factors of : ±1, ±i, ±, ±i. We call them trivial factors. The eight trivial factors are analogous to the four trivial factors ±1, ±n of any integer n in Z. Any other factor of is called a non-trivial factor. Note that the non-trivial factors of have norm strictly between 1 and N().

    Definition 4 (Primes in Z[i]). Let be in Z[i] with N() > 1. We call composite if it has a non-trivial factor. If has only trivial factors then it is a prime.

    Lemma 2. Let be a prime in Z[i]. Then there is a prime p in Z[i] such that | p.

    Theorem 8. If the norm of a gaussian integer, N(), is prime in Z, then the gaussian integer is prime in Z[i].

    The converse is not true, as this example shows: 3 is a prime in Z but N(3) = 9 is not a prime. Describing all Gaussian primes is thus reduced to the problem of factoring every prime in Z+. The prime factors in Z[i] of all p in Z will give us all the gaussian primes.

    It should be noted that up to unit multiples, the eight gaussian integers (a + ib), (a − ib), (−a + ib), (−a − ib), (b + ia), (b − ia), (−b + ia), (−b − ia) are just two, (a + ib) and (a − ib), which are conjugates.

    Lemma 3. If p is a prime in Z and p ≡ 1 mod 4, then p can be expressed as a sum of two squares, and vice versa.

    Lemma 4 (more general). An integer n > 1 is a sum of two squares exactly when any prime factor of n which is ≡ 3 mod 4 appears in n with even multiplicity.

    Theorem 9. A prime p in Z+ is composite in Z[i] iff it is a sum of two squares.

    7

Corollary 8. If a prime p in Z+ is composite in Z[i] and p ≠ 2, then up to unit multiples p has exactly two Gaussian prime factors, each with norm p.

    Corollary 9. If a prime p in Z+ satisfies p ≡ 3 mod 4, then it is also a prime in Z[i].

    Theorem 10. Let p be a prime in Z+. The factorization of p in Z[i] is determined by p mod 4:

    i.) 2 = (1 + i)(1 − i) = −i(1 + i)^2.

    ii.) If p ≡ 1 mod 4, then p = · is a product of two conjugate primes and , which are not unit multiples.

    iii.) If p ≡ 3 mod 4, then p remains prime in Z[i].

    Now we have a description of all Gaussian primes in terms of primes in Z. We identify them by the following theorem:

    Theorem 11. Up to multiplication by units, the primes in Z[i] are of three types:

    i.) = a + ib and = a − ib, where p = a^2 + b^2 is a prime in Z and p ≡ 1 mod 4;

    ii.) p, where p is a prime in Z and p ≡ 3 mod 4;

    iii.) = 1 + i.

    Thus we have infinitely many Gaussian primes, as the primes that occur in Z[i] are either the factors of primes q ≡ 1 mod 4 or the primes p ≡ 3 mod 4. It is even shown in [22] that one can walk to infinity on Gaussian primes taking steps of bounded length.

    2.1.3 Unique factorization in Z[i]

    Theorem 12. Every in Z[i] with N() > 1 is a product of primes in Z[i]. Ref[4]

    Lemma 5. Let be a prime in Z[i]. For gaussian integers 1, 2, ..., r, if | 1 2 3 ... r then divides some j.

    Theorem 13 (Unique factorization). Any in Z[i] with N() > 1 has a unique factorization into primes in the following sense: if

    = 1 2 3 ... r = 1 2 3 ... s

    where the i's and j's are primes in Z[i], then r = s and after a suitable renumbering each i is a unit multiple of j. Ref[4]

    8

2.1.4 Factorization Algorithm in Z[i]

    One way to factor a given gaussian integer is to first factor the norm and then find the appropriate gaussian integer factors. The algorithm is as follows.

    Let a + ib be the gaussian integer to be factored, where a ≠ 0, b ≠ 0 and gcd(a, b) = 1.

Pseudo code (written out as runnable Python; the precondition gcd(a, b) = 1 guarantees that every prime factor d of the norm is 2 or ≡ 1 mod 4, so d is a sum of two squares):

    from math import gcd, isqrt

    def smallest_factor(n):
        # Smallest non-trivial factor of n; returns n itself when n is prime.
        for d in range(2, isqrt(n) + 1):
            if n % d == 0:
                return d
        return n

    def two_squares(d):
        # Find x, y with x^2 + y^2 = d by direct search (d is a small prime here).
        for x in range(isqrt(d) + 1):
            y = isqrt(d - x * x)
            if x * x + y * y == d:
                return x, y
        raise ValueError("%d is not a sum of two squares" % d)

    def factorize(a, b):
        # Factor a + ib (a, b != 0, gcd(a, b) = 1) by factoring its norm first.
        assert a != 0 and b != 0 and gcd(a, b) == 1
        factors = []
        while True:
            norm = a * a + b * b
            d = smallest_factor(norm)
            if d == norm:
                factors.append((a, b))          # a + ib is prime
                return factors
            x, y = two_squares(d)
            # One of x + iy, x - iy divides a + ib (both do when d = 2):
            # (a + ib) / (x + iy) = (a + ib)(x - iy) / d.
            for cx, cy in ((x, y), (x, -y)):
                re, im = a * cx + b * cy, b * cx - a * cy
                if re % d == 0 and im % d == 0:
                    factors.append((cx, cy))    # factor of a + ib
                    a, b = re // d, im // d     # continue with the quotient
                    break

    9

It should be noted that the factorization problem for gaussian integers is as complex as the factorization problem for ordinary integers.

    2.1.5 Fermat's Little Theorem for Z[i]

    Theorem 14. For any coprime to , we have ^(N() − 1) ≡ 1 mod .

2.1.6 Residue class systems in Z[i]

    Definition 5. The ring of residue classes of the ring R modulo the ideal J is called the residue class ring or factor ring of R mod J and is denoted by R/J.

    Since the units of Z[i] are ±1 and ±i, for any two integers a and b the ideals <a + bi>, <−a − bi>, <−b + ai> and <b − ai> in Z[i] are one and the same. Hence we have Z[i]/<a + bi> = Z[i]/<−a − bi> = Z[i]/<−b + ai> = Z[i]/<b − ai>.

    Z[i]/<0> = Z[i] and Z[i]/<1> = 0.

    Theorem 15 (Equivalence classes in Z[i]/<^n>, a prime in Z[i]). The equivalence classes of Z[i] modulo a power of a prime are given as follows: Ref[5]

    Z[i]/<^n> = {[x] : 0 ≤ x ≤ q^n − 1}, where N() = q

    Z[i]/<p^n> = {[x + iy] : 0 ≤ x ≤ p^n − 1 and 0 ≤ y ≤ p^n − 1}

    Z[i]/<^(2m)> = {[x + iy] : 0 ≤ x ≤ 2^m − 1 and 0 ≤ y ≤ 2^m − 1}

    Z[i]/<^(2m+1)> = {[x + iy] : 0 ≤ x ≤ 2^(m+1) − 1 and 0 ≤ y ≤ 2^m − 1}

    The above theorem implies that Z[i]/<^n> has q^n members, Z[i]/<p^n> has p^(2n) members, and Z[i]/<^n> has 2^n members, which shows that the order of Z[i]/<> is N().

    Theorem 16 (Units of the rings Z[i]/<^n>). Conditions on the units of the rings Z[i]/<^n>: Ref[5]

    Let [x] be in Z[i]/<^n>; then [x] is a unit iff (q, x) = 1.

    Let [x + iy] be in Z[i]/<p^n>; then [x + iy] is a unit iff at least one of x and y is prime to p.

    Let [x + iy] be in Z[i]/<^n>; then [x + iy] is a unit iff x ≢ y mod 2.

    10

2.1.6.1 Euler's function in Z[i]

    Using Theorems 13 and 14, an Euler function in Z[i] is obtained as follows: Ref[5]

    φ_{Z[i]}(^n) = φ_Z(q^n) = q^n − q^(n−1) = q^(n−1)(q − 1)

    φ_{Z[i]}(p^n) = p^(2n) − p^(2n−2) = p^(2n−2)(p^2 − 1)

    φ_{Z[i]}(^n) = 2^n − 2^(n−1) = 2^(n−1)

    Theorem 17. The gaussian integers , ^2, ^3, ^n, p, ^n and p have primitive roots. These and their associates are the only gaussian integers having primitive roots. Ref[5]

    Table 2.1: Primitive Roots in Z[i]

    Group            Order               Cyclic
    φ_{Z[i]}(^n)     q^(n−1)(q − 1)      yes
    φ_{Z[i]}(p^n)    p^(2n−2)(p^2 − 1)   only if n = 1
    φ_{Z[i]}(^n)     2^(n−1)             only if n ≤ 3

    Theorem 18 (1st Isomorphism Theorem). Let : G → H be a group homomorphism. Then ker() is a normal subgroup of G, Im() ≤ H, and there is an isomorphism : G/ker() → Im().

    Theorem 19. If a > 1 and a in Z+, then Z[i]/<a> ≅ Z_a[i]. Ref[6]

    Proof. Define a mapping : Z[i] → Z_a[i] by (x + iy) = [x]_a + i[y]_a, where [.]_a represents the equivalence class modulo a. This mapping is clearly a surjective (onto) ring homomorphism. Since (a) = [a]_a = [0]_a = 0, a belongs to ker() and hence <a> ⊆ ker(). On the other hand, if (x + iy) = 0, then both x and y are congruent to 0 modulo a, so we can write x = ax' and y = ay' for some integers x' and y'. Thus x + iy = ax' + iay' = a(x' + iy') lies in <a>. Therefore ker() = <a>, implying that Z[i]/<a> ≅ Z_a[i].

    Theorem 20. If a > 1 and a in Z+, then Z_a[i] is a field iff a is a prime in Z and is ≡ 3 mod 4. Ref[6]

    11

Theorem 21. If a and b are relatively prime integers, then Z[i]/<a + ib> is isomorphic to Z_{a^2+b^2}. Ref[6]

    Proof. We assume without loss of generality that a and b are both positive. As a and b are relatively prime, b is relatively prime to a^2 + b^2. So b^(−1) exists in Z_{a^2+b^2} (i.e., the inverse of the equivalence class of b modulo a^2 + b^2 exists). Since a^2 + b^2 ≡ 0 mod (a^2 + b^2), a^2 ≡ −b^2 mod (a^2 + b^2), implying that (ab^(−1))^2 ≡ −1.

    Define : Z[i] → Z_{a^2+b^2} by (x + iy) = x − (ab^(−1))y mod (a^2 + b^2). Clearly is surjective (onto) and preserves addition.

    Let = x + iy and = w + iz be in Z[i]. Since

    ()·() = (x + iy)·(w + iz) = (x − ab^(−1)y)·(w − ab^(−1)z)

    ≡ xw + a^2 b^(−2) yz − ab^(−1)(xz + yw)

    ≡ (xw − yz) − ab^(−1)(xz + yw)

    = ((xw − yz) + i(xz + yw)) = ((x + iy)·(w + iz))

    = (·) (2.2)

    preserves multiplication. Moreover, as (a + ib) = a − ab^(−1)b ≡ 0, <a + ib> ⊆ ker().

    Let c + id be in ker() and let c + id = (a + ib)·(x + iy), where x and y are rational numbers. Since 0 ≡ (c + id) = c − ab^(−1)d, 0 ≡ (bc − ad), which makes y an integer. From 0 ≡ (c + id) = c − ab^(−1)d we get 0 ≡ (ab^2 c − a^2 bd), so 0 ≡ (ac − a^2 b^(−2) bd). From (ab^(−1))^2 ≡ −1, we have 0 ≡ (ac + bd), so x is also an integer. We conclude ker() ⊆ <a + ib>, which means that ker() = <a + ib> and thus demonstrates that Z[i]/<a + ib> is isomorphic to Z_{a^2+b^2}.

2.1.7 Construction of finite fields

    Notation:

    = a prime in Z[i] of type (a + ib), N() = q, where q is a prime in Z and q ≡ 1 mod 4;

    = p = a prime in Z[i] which is also a prime in Z, N() = p^2, where p ≡ 3 mod 4.

    Corollary 10. Z[i]/<> is isomorphic to Z_p[i] and is a field. Ref[6]

    12

Corollary 11. Z[i]/<> is isomorphic to Z_q and is a field. Ref[6]

    Definition 6. For a prime p in Z, let F_p be the set {0, 1, 2, 3, ..., p − 1} of integers and let : Z_p → F_p be the mapping defined by ([a]) = a for a = 0, 1, 2, ..., p − 1. Then F_p, endowed with the field structure induced by , is a finite field, called the Galois field of order p.

    2.1.7.1 Constructing prime fields

    To construct F_{p^m}, the field extension of F_p of degree m, we take any monic irreducible polynomial g(x) over F_p of degree m. g(x) has m roots, which are exactly the elements of F_{p^m}, i.e., the splitting field of g(x) over F_p is F_{p^m}.

    To construct an extension field which will be a field on Gaussian integers (F_p[i]), we take m = 2 and find a prime p in Z such that the polynomial g(x) = x^2 + 1 is irreducible, which means that it should not have any zero in F_p. Ref[17]

    Lemma 6. x^2 ≡ −1 mod p is solvable iff p ≡ 1 mod 4.

    Lemma 7. Other than the prime 2, there are only two kinds of primes in Z. They are

    Primes p ≡ 1 mod 4.

    Primes p ≡ 3 mod 4.

    If we select a prime p ≡ 3 mod 4, then x^2 + 1 is a monic irreducible polynomial over F_p and one of its roots is i = √(−1). Hence all the elements are of the type a + ib where a, b are in F_p. Working in F_{p^2} is the same as working in F_p[i].

    Theorem 22. Let A = g^x mod and B = g^x mod q, where q = N(). Given (g, , A) in Z[i], finding x is as difficult as finding x given (g, q, B) in Z.

    Proof. As Z[i]/<> is isomorphic to Z_q by Corollary 11, where q is a prime in Z, the structure of finite fields over Z[i] is similar to the structure of finite fields over Z. Working on Z[i]/<> is equivalent to working on Z_q. Hence, breaking the DLP on Z[i]/<> involves the same computational complexity as breaking the DLP on GF(q).

    Theorem 23. Given a bound on key size, one can obtain much greater security by using finite fields of type Z[i]/<> than the fields GF(2^n). Ref[18]

The problem of solving the discrete logarithm problem in finite fields of type GF(q) is more computationally involved than in finite fields of type GF(2^n). Given a bound on key size, one can obtain much greater security by using GF(q), where q is a prime in Z, than the fields GF(2^n) Ref[18]. As the finite field Z[i]/<> is isomorphic to GF(q) and has a similar structure, the security involved is greater than for GF(2^n) type finite fields.
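An added example (not the dissertation's code) that makes Theorems 19 to 22 concrete in Python: the map of Theorem 21 from Z[i] onto Z_{a^2+b^2}, checked as a ring homomorphism whose kernel contains a + ib and under which g^x computed in Z[i] lands on the corresponding power in Z_q (Theorem 22), and the field F_p[i] = Z[i]/<p> for p ≡ 3 mod 4, whose p^2 − 1 units form a cyclic group with a primitive root (Theorems 16, 17, 20). Gaussian integers are (real, imaginary) tuples and all function names are this example's own.

```python
def gauss_add(u, v):
    return (u[0] + v[0], u[1] + v[1])


def gauss_mul(u, v):
    (x, y), (w, z) = u, v
    return (x * w - y * z, x * z + y * w)


def phi(a, b, u):
    """The map of Theorem 21: phi(x + iy) = x - (a b^-1) y  (mod a^2 + b^2).
    Needs gcd(a, b) = 1 so that b is invertible modulo q = a^2 + b^2."""
    q = a * a + b * b
    t = a * pow(b, -1, q) % q          # t = a b^-1, and t^2 = -1 mod q
    x, y = u
    return (x - t * y) % q


def phi_is_ring_hom(a, b, bound):
    """Check additivity and multiplicativity of phi on all pairs of Gaussian
    integers with coordinates in [-bound, bound], and that a + ib maps to 0."""
    q = a * a + b * b
    coords = range(-bound, bound + 1)
    elems = [(x, y) for x in coords for y in coords]
    if phi(a, b, (a, b)) != 0:
        return False
    for u in elems:
        pu = phi(a, b, u)
        for v in elems:
            pv = phi(a, b, v)
            if phi(a, b, gauss_add(u, v)) != (pu + pv) % q:
                return False
            if phi(a, b, gauss_mul(u, v)) != (pu * pv) % q:
                return False
    return True


def dlp_images_agree(a, b, g, x):
    """Theorem 22: g^x computed exactly in Z[i] maps under phi to phi(g)^x in Z_q,
    so a discrete logarithm modulo a + ib is a discrete logarithm modulo q."""
    q = a * a + b * b
    power = (1, 0)
    for _ in range(x):
        power = gauss_mul(power, g)    # exact arithmetic in Z[i], no reduction
    return phi(a, b, power) == pow(phi(a, b, g), x, q)


def fp_i_mul(u, v, p):
    """Multiplication in Z_p[i] = Z[i]/<p> (Theorem 19): componentwise mod p."""
    w = gauss_mul(u, v)
    return (w[0] % p, w[1] % p)


def fp_i_pow(u, e, p):
    """Square-and-multiply exponentiation in Z_p[i]."""
    result, base = (1, 0), (u[0] % p, u[1] % p)
    while e > 0:
        if e & 1:
            result = fp_i_mul(result, base, p)
        base = fp_i_mul(base, base, p)
        e >>= 1
    return result


def prime_factors(n):
    """Distinct prime factors of n by trial division (n is small here)."""
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        fs.append(n)
    return fs


def units_and_primitive_root(p):
    """For a prime p = 3 mod 4, Z_p[i] is a field (Theorem 20): every non-zero
    element is a unit (Theorem 16), so phi_Z[i](p) = p^2 - 1, and the unit group
    is cyclic (Theorem 17). Returns (number of units, first generator found)."""
    if p % 4 != 3 or prime_factors(p) != [p]:
        raise ValueError("p must be a prime congruent to 3 mod 4")
    units = [(x, y) for x in range(p) for y in range(p) if (x, y) != (0, 0)]
    n = len(units)
    for g in units:
        # g generates iff g^(n/r) != 1 for every prime r dividing n
        if all(fp_i_pow(g, n // r, p) != (1, 0) for r in prime_factors(n)):
            return n, g
    raise AssertionError("Theorem 17 guarantees a primitive root")
```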

2.1.8 Chinese Remainder Theorem for Z[i]

    Theorem 24. If 1, 2, 3, ..., m in Z[i] are pairwise coprime, i.e., gcd(i, j) = 1 for i ≠ j, then there exists a solution x in Z[i] to the system of simultaneous congruences

    x ≡ 1 mod 1

    x ≡ 2 mod 2

    x ≡ 3 mod 3

    ...

    x ≡ m mod m.

    If there exists another solution x' in Z[i], then x ≡ x' mod (1 · 2 ··· m). We present an algorithm analogous to Garner's algorithm for CRT computations involving Z[i] in Chapter 3.

2.2 Basic Computations Over Z[i]

    Some fundamentals:

    A number n satisfying b^(k−1) ≤ n < b^k has k digits to the base b.

    Number of digits in n = [log_b n + 1]. Hereafter log means the natural logarithm.

    Addition of a k-bit number and an l-bit number, where k > l, involves k bit operations. The same holds for subtraction.

    Multiplication of a k-bit number by an l-bit number, where k > l, takes l(k + l) bit operations. If k = l, then the number of bit operations is 2k^2. The same holds for division.

    14

2.2.1 Complexity Comparisons

    The Big-O Notation:

    Let f(n) and g(n) be functions of the positive integer n which take positive, but not necessarily integer, values for all n. We say that f(n) = O(g(n)) if there exists a constant C such that f(n) is always less than Cg(n).

    Definition 7. Let f(n_1, n_2, ..., n_r) and g(n_1, n_2, ..., n_r) be two functions whose domains are in the set of all r-tuples of positive integers. Suppose that there exist constants B and C such that whenever all of the n_j are greater than B the two functions are defined and positive, and f(n_1, n_2, ..., n_r) < Cg(n_1, n_2, ..., n_r). In this case we say that f is bounded by g and we write f = O(g).

    2.2.1.1 Addition in Z[i]

    Let = a + ib and = c + id; then + = (a + c) + i(b + d) involves two additions, a + c and b + d. We represent this as (0M, 2A), which means 0 multiplications and 2 additions.

    Let the number of bits in a, b, c, d be k each. Then the number of bit operations required for addition in Z[i] is 2k.

    2.2.1.2 Multiplication in Z[i]

    Now consider · = (ac − bd) + i(ad + bc), which requires (4M, 2A) when computed directly. The number of bit operations required here is 8k^2 + 2k.

    But a trick can reduce that to (3M, 5A) as follows. Let us say m = (ac − bd) and n = (ad + bc). To compute m and n, we compute x = (a + b)(c + d), y = ac, z = bd. Then m = y − z and n = x − y − z, which involves (3M, 5A), i.e., 6k^2 + 5k bit operations.

    2.2.1.3 Squaring in Z[i]

    Consider ^2 = (a + ib)^2 = (a^2 − b^2) + i·2ab. On direct computation this requires (3M, 2A), i.e., 6k^2 + 2k bit operations. Let m = (a^2 − b^2) and n = 2ab. To compute m and n, we compute x = (a + b)(a − b) and y = ab. Now m = x and n = y + y, which requires (2M, 3A), i.e., 4k^2 + 3k bit operations.


2.2.1.4 Norm in Z[i]

To calculate $N(\alpha) = a^2 + b^2$ we require (2M, 1A), i.e. $4k^2 + k$ bit operations.

2.2.1.5 Division in Z[i]

Let us assume $\beta \mid \alpha$. Consider

$$\frac{\alpha}{\beta} = \frac{a + ib}{c + id} = \frac{(a + ib)(c - id)}{N(\beta)} = \frac{(ac + bd) + i(bc - ad)}{N(\beta)} = \frac{ac + bd}{N(\beta)} + i\,\frac{bc - ad}{N(\beta)} = m + in.$$

To calculate $m + in$ we require (5M, 6A, 2D): the product $(a + ib)(c - id)$ with the 3M trick plus the two multiplications for $N(\beta)$. The multiplications and additions involve $k$-bit numbers, whereas the divisions involve $2k$-bit numbers. Hence the total number of bit operations required is $26k^2 + 6k$.

2.2.1.6 Modular Exponentiation and its Complexity

Finding $g^n \bmod p$ is often encountered in modular arithmetic and is called modular exponentiation. Computing it efficiently is of great cryptographic significance. We now look at the complexity of one fast way of computing it.

2.2.1.7 Repeated Squaring Method (RSM)

We do not present the RSM algorithm here but only discuss its complexity in bit operations, and extend the count to Z[i].

Consider $g^x \bmod p$ in Z and $\gamma^x \bmod \pi$ in Z[i].

Let the number of bits in $g$ (and in each component of $\gamma$) be $k$.

Let the number of bits in $x$ be $l$ and let its binary weight (number of 1 bits) be $w$.

Let the number of bits in $p$ (and in each component of $\pi$) be $n$.

For calculating $g^x \bmod p$ using RSM we require $w + l - 1$ multiplications and $w + l - 1$ mod operations. Hence the number of bit operations required is $2(w + l - 1)(k^2 + n^2)$. Similarly, for modular exponentiation in Gaussian integers, $\gamma^x \bmod \pi$, we require $l - 1$ squarings, $w + l - 1$ mod operations and $w$ multiplications. Hence the number of bit operations required is

$$(l - 1)(4k^2 + 3k) + (w + l - 1)(26n^2 + 6n) + w(6k^2 + 5k) = (w + l - 1)(4k^2 + 3k) + (w + l - 1)(26n^2 + 6n) + 2w(k^2 + k).$$
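As an added worked example (not part of the dissertation), the Python below implements the 3M multiplication and 2M squaring tricks of sections 2.2.1.2 and 2.2.1.3 together with the right-to-left repeated squaring method of section 2.2.1.7 modulo a Gaussian integer, instrumented to count the big-integer multiplications, Gaussian multiplications and squarings, and mod operations performed, so the counts $l - 1$, $w$ and $w + l - 1$ can be checked on a small exponent. Gaussian integers are represented as (a, b) tuples; the reduction modulo $\pi$ uses the nearest-quotient (least-norm remainder) division, which is an assumption of this example since the page does not fix the mod operation here.

```python
# Added example (not from the dissertation): Gaussian-integer multiplication,
# squaring and modular exponentiation with operation counters, to check the
# counts of section 2.2.1.  A Gaussian integer a + ib is the tuple (a, b).

def norm(z):
    a, b = z
    return a * a + b * b

def mul_3m(x, y, ops):
    """(a+ib)(c+id) with three big-integer multiplications instead of four."""
    a, b = x
    c, d = y
    t = (a + b) * (c + d)          # x = (a+b)(c+d)
    u = a * c                      # y = ac
    v = b * d                      # z = bd
    ops["bigint_mul"] += 3
    ops["gauss_mul"] += 1
    return (u - v, t - u - v)      # m = y - z,  n = x - y - z

def sqr_2m(x, ops):
    """(a+ib)^2 = (a+b)(a-b) + i*2ab with two big-integer multiplications."""
    a, b = x
    t = (a + b) * (a - b)
    u = a * b
    ops["bigint_mul"] += 2
    ops["gauss_sqr"] += 1
    return (t, u + u)

def nearest(num, den):
    """Nearest integer to num/den (den > 0) in exact integer arithmetic; .5 rounds up."""
    q = num // den
    return q + 1 if 2 * (num - q * den) >= den else q

def gmod(x, m, ops):
    """Least-norm remainder of x modulo m: x - m*q, where q is x*conj(m)/N(m)
    rounded to the nearest Gaussian integer (an assumption of this example)."""
    a, b = x
    c, d = m
    n = norm(m)
    qr, qi = nearest(a * c + b * d, n), nearest(b * c - a * d, n)
    ops["mod"] += 1
    return (a - (qr * c - qi * d), b - (qr * d + qi * c))

def pow_mod(g, e, m):
    """g^e mod m by right-to-left repeated squaring.  Returns (result, ops);
    for an l-bit exponent of binary weight w, ops records l-1 squarings,
    w multiplications and w+l-1 mod operations."""
    ops = {"bigint_mul": 0, "gauss_mul": 0, "gauss_sqr": 0, "mod": 0}
    result, base = (1, 0), g
    bits = bin(e)[2:][::-1]        # least significant bit first
    for k, bit in enumerate(bits):
        if bit == "1":
            result = gmod(mul_3m(result, base, ops), m, ops)
        if k < len(bits) - 1:      # no squaring after the top bit
            base = gmod(sqr_2m(base, ops), m, ops)
    return result, ops

if __name__ == "__main__":
    ops = {"bigint_mul": 0, "gauss_mul": 0, "gauss_sqr": 0, "mod": 0}
    print(mul_3m((3, 4), (3, 4), ops), sqr_2m((3, 4), ops))   # (-7, 24) (-7, 24)
    print(pow_mod((2, 3), 13, (3, 2)))   # exponent 1101b: l = 4, w = 3
```

With $\pi = 3 + 2i$ (norm 13) the result of $(2 + 3i)^{13}$ is the least-norm representative $-1 + i$ of the class $4 \in Z_{13}$, and the counters read 3 squarings, 3 multiplications and 6 mod operations for the 4-bit exponent 13 of weight 3.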

Table 2.2: Complexity Comparisons

    Operation        Z[i] (alpha, beta)                                    Z (x, y)
    Addition         2k                                                    k
    Multiplication   6k^2 + 5k                                             2k^2
    Squaring         4k^2 + 3k                                             2k^2
    Norm             4k^2 + k                                              --
    Division         26k^2 + 6k                                            2k^2
    Mod. Expo.       (l-1)(4k^2+3k) + (w+l-1)(26n^2+6n) + w(6k^2+5k)       2(w+l-1)(k^2+n^2)


    Chapter 3

    Efficient Gaussian Integer

    Arithmetic

Introduction

In this chapter we construct multi-precision algorithms for Gaussian integers that are analogous to the efficient multi-precision algorithms well known for Z. In chapter 2 we saw the basic arithmetic operations on Gaussian integers, which are carried out by treating the real and imaginary parts separately. But it may be advantageous to treat a Gaussian integer as a single string of bits and operate on it as a whole. If $(a_n a_{n-1} \ldots a_1 a_0)$ is the base $b$ representation of $a$ and $a_n \neq 0$, then the precision or length of $a$ is $n + 1$. If $n = 0$ then $a$ is called a single-precision number; otherwise $a$ is multi-precision.

3.1 Bit Representations for Z[i]

There are two ways to represent a Gaussian integer as binary bits:

- expressing a Gaussian integer to a complex radix such as $(-1 + j)$ or $2j$ using binary bits;

- expressing a Gaussian integer to an integer radix using complex-binary bits.

We studied these two representations and came up with algorithms that output a bit sequence given a Gaussian integer.


3.1.1 Integer Radix Method

In this method [11] the base $b$ is an integer and the digit set $D$ consists of Gaussian integer "bits" with norm less than $N(b)$. Let the base be 2. Any Gaussian integer $a + ib$ can be written to the base 2 by expressing $a$ and $b$ to the base 2 and then combining the corresponding binary digits into single Gaussian bits of norm $< 2$.

Example:

$3 + 4i = \{i, 1, 1\}_2$. Explanation:

$$3 + 4i = (0\cdot 2^2 + 1\cdot 2^1 + 1\cdot 2^0) + i(1\cdot 2^2 + 0\cdot 2^1 + 0\cdot 2^0) = 2^2(0 + i) + 2^1(1 + 0) + 2^0(1 + 0) = 2^2\cdot i + 2^1\cdot 1 + 2^0\cdot 1 = \{i, 1, 1\}.$$

When both $a$ and $b$ are positive we need the following Gaussian bits to express $a + ib$ to base 2.

Table 3.1: Gaussian Binary Bits

    x_r   x_i   x_k
    0     0     0
    0     1     j
    1     0     1
    1     1     1 + j

To represent $a + ib$ when $a$ or $b$ or both are negative, we enlarge the digit set to

$$D = \{0, \pm i, \pm 1, \pm(1 + i), \pm(1 - i)\}.$$

Writing $\mathbf{a} = 1 + i$, this is $D = \{0, \pm i, \pm 1, \pm\mathbf{a}, \pm\bar{\mathbf{a}}\}$, where $\bar{\mathbf{a}}$ is the conjugate of $\mathbf{a}$. We require 9 digits, denoted $n(D) = 9$, when the base $b$ is 2. For any integer base $b$, $n(D)_b = 4\cdot{}^bP_2 + 1$, where ${}^bP_2 = b!/(b - 2)!$.

Example:

1) $b = 2$: $n(D) = 4\cdot{}^2P_2 + 1 = 9$, $D = \{0, \pm i, \pm 1, \pm(1 + i), \pm(1 - i)\}$.


Figure 3.2: Basic carry operations-II (with $\mathbf{a} = 1 + i$ and $\bar{\mathbf{a}} = 1 - i$)

    x       y       value   carry
    a-bar   i       1       0
    i       a-bar   1       0
    -1      a       i       0
    a       -1      i       0

Addition

1) Add $6 + 4i$ and $-3 - 4i$ in base 2.

Step 1: Express $6 + 4i$ to base 2, i.e. $6 + 4i = \{1, 1, 0\} + i\{1, 0, 0\} = \{1 + i, 1, 0\} = \{\mathbf{a}, 1, 0\}$.

Step 2: $3 + 4i = \{i, 1, 1\}$, so $-3 - 4i = \{-i, -1, -1\}$.

Adding digit by digit (no carries arise here):

       a    1    0        6 + 4i
      -i   -1   -1       -3 - 4i
    ----------------     --------
       1    0   -1        3 + 0i   = 1*2^2 + 0*2 + (-1) = 4 - 1 = 3

Figure 3.3: Bin-Gauss Addition

Multiplication

2) Multiply $3 + 4i$ by $3 + 4i$.

$(3 + 4i)(3 + 4i) = -7 + 24i = \{i, i, -1, -1, -1\}_2$. Written out as a long multiplication of $\{i, 1, 1\}$ by $\{i, 1, 1\}$, summing the partial products with carries gives the equivalent string $\{-\bar{\mathbf{a}}, \mathbf{a}, 0, 0, 1\} = (-1 + i)\cdot 2^4 + (1 + i)\cdot 2^3 + 1 = (-16 + 16i) + (8 + 8i) + 1 = -7 + 24i$.

Figure 3.4: Bin-Gauss multiplication


3.1.2 Complex Radix Representation [10]

In this representation the radix is a Gaussian integer and the digit set consists of integers. For each fixed positive integer $n$, Katai and Szabo [7] proved that all Gaussian integers can be uniquely represented in the base $(-n + i)$ using the digit set $D = \{0, 1, 2, \ldots, n^2\}$. These bases and their conjugates are the only possible ones in which the digit set consists of the natural numbers $0, 1, 2, \ldots, \mathrm{norm}(b) - 1$. The base $-1 + i$ provides a binary representation of Gaussian integers using 0 and 1 as digits. Here we consider only the base $(-1 + i)$. Addition and multiplication of two Gaussian integers written in positional notation to the base $(-1 + i)$ can be performed in the same way as real arithmetic in base 2, except for a change in the carry digits.

3.1.2.1 Arithmetic using the complex radix method

With $b = -1 + i$ we have $b^2 = -2i$ and $b^3 = 2 + 2i$, so $2 = b^3 + b^2 = 1100$; hence $1 + 1$ produces the digit 0 and a carry of 110 into the next three positions.

Figure 3.5: Basic bit addition

    bit   bit   value   carry
    0     0     0       0
    0     1     1       0
    1     0     1       0
    1     1     0       110

Addition:

$(1 + i) + (1 + 2i) = 2 + 3i$, carried out on the base $(-1 + i)$ strings $1 + i = 1110$, $1 + 2i = 1110101$ and $2 + 3i = 1011$. The carries propagate indefinitely to the left (see the remark below), but every digit above the fourth comes out 0:

         1110101      1 + 2i
    +       1110      1 + i
    ------------     -------
       ...00001011    2 + 3i

    0 + 0 = 0,  0 + 1 = 1,  1 + 0 = 1,  1 + 1 = 1100

Figure 3.6: Bin-Gauss Addition


Multiplication:

$(-1 - i)(2 + 3i) = 1 - 5i$, carried out on the strings $-1 - i = 110$ and $2 + 3i = 1011$. The partial products are $1011$ shifted by one and by two places; their sum, with base $(-1 + i)$ carries, is $11101001010 = 1 - 5i$.

              1011      2 + 3i
    x          110     -1 - i
    --------------     -------
             10110
    +       101100
    --------------
       11101001010      1 - 5i

Figure 3.7: Bin-Gauss Multiplication

It should be noted that when numbers represented in negative or complex bases are added, an infinite sequence of carry digits can occur even though the sum is finite. This phenomenon can happen whenever a number and its negative can both be represented in the same base using natural numbers as digits. The infinite sequence of carries does not invalidate the arithmetic, because the carry digits all sum to zero after a certain stage. In an implementation the phenomenon is handled by fixing an upper limit on the number of bits used to represent a Gaussian integer.

Example: infinite carry bits. Add $-i$ and $i$ in the base $-1 + i$, where $-i = 111$ and $i = 011$:

        ...0111      -i
    +   ...0011       i
    -----------     ---
        ...0000       0     (each column sums to 2 = 0 carry 110, so the carry never dies out)

Figure 3.8: Infinite carry sequence

Theorem 25. The number of digits in the sum of two numbers expressed in the base $(-n + i)$ is [10]

1. at most 3 more than the number in the larger summand if $n \geq 4$;

2. at most 5 more if $n = 2$ or $3$;

3. at most 8 more if $n = 1$.

To express a Gaussian integer to a complex base $(-n + i)$ efficiently, Gilbert proposed an algorithm called the clearing algorithm, which uses the minimal polynomial of the base. The minimal polynomial of the base $b = -n + i$ is

$$b^2 + 2nb + \mathrm{norm}(b) = 0, \qquad \mathrm{norm}(b) = n^2 + 1.$$

3.1.3 Clearing Algorithm

Write the number as a polynomial $\sum_r a_r b^r$ in the base $b$ with integer coefficients; for $x + iy$ the initial coefficients are $a_0 = x + ny$ and $a_1 = y$, since $i = b + n$. Then repeat:

- Let $a_r$ be the coefficient of the smallest power of $b$ which lies outside the range $0$ to $n^2$.

- Find the integer $s$ such that $0 \leq a_r + s\,\mathrm{norm}(b) \leq n^2$.

- Add $s b^r$ times the minimal polynomial, i.e. add $s\,\mathrm{norm}(b)$ to $a_r$, $2ns$ to $a_{r+1}$ and $s$ to $a_{r+2}$; this clears the $r$th coefficient without changing the value.

The clearing algorithm always terminates, since the minimal polynomial of the base is used in the reduction of the coefficients [10].

Example: the figure works through $a + ib = 3 + 4i$ in the base $-n + i = -1 + i$ ($n = 1$), starting from the initial coefficients and clearing each out-of-range coefficient in turn with $s$ times the minimal polynomial $1 + 2b + b^2$ (written as the row "1 2 2" scaled by $s$ in the figure), until every coefficient is a Gaussian bit 0 or 1.

Figure 3.9: gbits by Clearing Algorithm
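The clearing algorithm in working code, as an added example that is not part of the dissertation: it writes a Gaussian integer in the base $-n + i$ with the digit set $\{0, \ldots, n^2\}$ (the general Katai-Szabo base, of which the page's $-1 + i$ is the case $n = 1$), and evaluates the digit string back by Horner's rule to check it. The initialization $a_0 = x + ny$, $a_1 = y$ and the digit order (most significant first) are conventions chosen for this example.

```python
# Added example (not from the dissertation): Gilbert's clearing algorithm for
# writing a Gaussian integer x + iy in the complex base b = -n + i with digits
# 0..n^2, and the inverse (Horner) evaluation used to check the result.

def to_complex_base(x, y, n=1):
    """Digits (most significant first) of x + iy in base b = -n + i."""
    nrm = n * n + 1                 # norm(b); minimal polynomial is b^2 + 2n*b + nrm
    coeffs = [x + n * y, y]         # x + iy = (x + n*y) + y*b, because i = b + n
    while True:
        # smallest index whose coefficient is not a valid digit 0..n^2
        r = next((k for k, c in enumerate(coeffs) if not 0 <= c <= n * n), None)
        if r is None:
            break
        s = -(coeffs[r] // nrm)     # the unique s with 0 <= coeffs[r] + s*nrm <= n^2
        coeffs.extend([0] * (r + 3 - len(coeffs)))
        coeffs[r] += s * nrm        # add s * b^r * (b^2 + 2n*b + nrm): value unchanged
        coeffs[r + 1] += s * 2 * n
        coeffs[r + 2] += s
    while len(coeffs) > 1 and coeffs[-1] == 0:   # strip leading zeros
        coeffs.pop()
    return coeffs[::-1]

def from_complex_base(digits, n=1):
    """Evaluate a most-significant-first digit string in base -n + i (Horner)."""
    x = y = 0
    for d in digits:
        x, y = -n * x - y + d, x - n * y     # (x + iy)(-n + i) + d
    return x, y

if __name__ == "__main__":
    for z in [(3, 4), (1, 2), (2, 3), (-1, -1), (1, -5)]:
        print(z, "".join(map(str, to_complex_base(*z))))
```

For $3 + 4i$ the run clears the coefficients $[7, 4]$ step by step to $1111101$, and the strings used in Figures 3.6 and 3.7 ($1 + 2i = 1110101$, $2 + 3i = 1011$, $-1 - i = 110$, $1 - 5i = 11101001010$) come out the same way; uniqueness of the representation means every route to a valid digit string gives the same answer.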


3.2 Division Algorithms

Division is one of the important arithmetic operations, and it is the most complicated and costly of the basic multi-precision operations. In this section we discuss different approaches to division for Gaussian integers, which include the direct method of division and the lattice method proposed by Steve Benson. We then show that constructing a binary-analog division algorithm for Gaussian integers is difficult. The division theorem for Gaussian integers stated in chapter 2 is reproduced here.

Theorem 26 (Division Theorem). For $\alpha, \beta \in Z[i]$ with $\beta \neq 0$ there are $\gamma, \rho \in Z[i]$ such that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$. In fact we can choose $\rho$ so that $N(\rho) \leq (1/2)N(\beta)$.

3.2.1 Direct Method

The direct method rationalizes the denominator and finds the real and imaginary parts of the quotient and remainder separately. Consider $\alpha = a + ib$ and $\beta = c + id$ in Z[i]:

$$\frac{\alpha}{\beta} = \frac{a + ib}{c + id} = \frac{(a + ib)(c - id)}{N(\beta)} = \frac{(ac + bd) + i(bc - ad)}{N(\beta)} = \frac{ac + bd}{N(\beta)} + i\,\frac{bc - ad}{N(\beta)}.$$

Now we define a rounding function $\lceil x \rfloor$ as follows: if $x - \lfloor x \rfloor < 0.5$ then $\lceil x \rfloor = \lfloor x \rfloor$, otherwise $\lceil x \rfloor = \lceil x \rceil$. Let

$$m = \left\lceil \frac{ac + bd}{N(\beta)} \right\rfloor, \qquad n = \left\lceil \frac{bc - ad}{N(\beta)} \right\rfloor;$$

then $\gamma = m + in$ and $\rho = \alpha - \beta(m + in)$, where $\gamma, \rho \in Z[i]$. Rounding each coordinate either down or up gives at most 4 possible quotients and 4 possible remainders which satisfy the division theorem; the function $\lceil\cdot\rfloor$ is defined so that we get the nearest quotient and hence the least-norm remainder.

To calculate $\gamma$ we require (5M, 6A, 2D). If the number of binary bits in $a, b, c, d$ is $k$, then the multiplications and additions involve $k$-bit numbers, whereas the divisions involve $2k$-bit numbers since the divisor is $N(\beta)$. Hence the total number of bit operations required is $26k^2 + 6k$.

The disadvantages of the direct method are (i) division is implemented separately for the real and imaginary parts, so it has to be done twice, and (ii) both divisions are by $N(\beta)$, which has double the number of bits ($2k$). The bit operations required are therefore many, making the operation costly.


3.2.2 Lattice Method

Introduction

The lattice method was proposed by Steve Benson [9]. It is a geometric approach to division. We state the propositions made in his paper and present the algorithm. To make the algorithm efficient we suggest certain modifications and explain the modified algorithm through an example.

Theorem 27. If $a$ and $b$ are integers and $b \neq 0$, then $a$ is less than a distance $|b|$ from an integral multiple of $b$.

Indeed, $a$ is either a multiple of $b$ (say $k|b|$) or $a$ lies between two consecutive multiples of $b$ (say $k|b|$ and $(k + 1)|b|$). Let $r$ be the distance of $a$ from $k|b|$; then $|r| < |b|$. Choosing the nearer of the two multiples gives the sharper bound below.

Theorem 28. If $a, b \in Z$ and $b \neq 0$, then $a$ is no farther than a distance of $|b|/2$ from some integral multiple of $b$.

Extending the above two theorems to Gaussian integers, we have the following.

Theorem 29. If $\alpha$ and $\beta$ are Gaussian integers and $\beta \neq 0$, then $\alpha$ is less than a distance of $|\beta|$ from a multiple of $\beta$. It should be noted that the multiplier can be a Gaussian integer, not just an integer.

Theorem 30. If $\alpha, \beta \in Z[i]$ and $\beta \neq 0$, then $\alpha$ is no farther than a distance of $|\beta|/\sqrt{2}$ from a multiple of $\beta$. More precisely, there are Gaussian integers $\gamma$ and $\rho$ such that $\alpha = \beta\gamma + \rho$ with $|\rho| \leq |\beta|/\sqrt{2}$, i.e. $N(\rho) \leq N(\beta)/2$.

The following algorithm gives the 4 possible quotients and 4 possible remainders when $\alpha = a + ib$ is divided by $\beta = c + id$ using the lattice method.

Algorithm:

- Draw a line $L_1$ through the point $(c, d)$ and the origin, and a line $L_2$ through the origin perpendicular to $L_1$.

- With side length $s = \sqrt{c^2 + d^2}$, tile the whole $xy$ plane with squares whose sides are parallel to $L_1$ and $L_2$; the vertices are exactly the multiples $\gamma\beta$ of $\beta$.

- Locate the point $(a, b)$ in the $xy$ plane.

- Let the 4 vertices of the square in which the point $(a, b)$ lies correspond to the multipliers $\gamma_1, \gamma_2, \gamma_3, \gamma_4$; then

$$\rho_j = (a + ib) - (c + id)\gamma_j, \qquad j = 1, 2, 3, 4.$$

- For $j = 1, \ldots, 4$ check $|\rho_j| < |c + id|$. All the $\rho_j$ satisfying this condition and the corresponding $\gamma_j$ are the required remainders and quotients respectively.

In the above approach Benson uses the absolute value instead of the norm as the condition for accepting remainders. But the absolute value of a Gaussian integer involves computing a square root, which is a complex and costly operation. We modify this method by using the norm as the condition for division and thus eliminate the square root computations. Our modified method solves two linear equations using Cramer's rule. We express the point $(a, b)$ as a linear combination of the points $(c, d)$ and $(-d, c)$, i.e.

$$\binom{a}{b} = x\binom{c}{d} + y\binom{-d}{c},$$

whose solution by Cramer's rule is $x = (ac + bd)/N(\beta)$ and $y = (bc - ad)/N(\beta)$ (so that $x + iy = \alpha/\beta$). From the coefficients $(x, y)$ we calculate the 4 quotients $q_1, q_2, q_3, q_4$ with respect to the axes $L_1, L_2$ by taking the floor or the ceiling of each of $x$ and $y$. Transforming the quotients back to the $xy$ axes, i.e. reading $\lfloor x \rfloor + i\lfloor y \rfloor$, $\lceil x \rceil + i\lfloor y \rfloor$, etc. as Gaussian integers, gives the actual quotients. The following example explains the process.


Example: Let $\alpha = 9 + 4i$ and $\beta = 3 + 2i$. We find the 4 possible quotients $q_1, q_2, q_3, q_4$ and remainders when $\alpha$ is divided by $\beta$. Here $N(\beta) = 13$, $ac + bd = 35$ and $bc - ad = -6$, so $x = 35/13 \approx 2.69$ and $y = -6/13 \approx -0.46$. The four corners of the lattice cell containing $\alpha$ are $q_1 = 2 - i$, $q_2 = 3 - i$, $q_3 = 2$ and $q_4 = 3$, with remainders $1 + 3i$, $-2 + i$, $3$ and $-2i$ of norms 10, 5, 9 and 4 respectively; all four are below $N(\beta) = 13$, and $q_4 = 3$ is the nearest quotient, with the least-norm remainder $-2i$.

Figure 3.10: lattice method (the point $9 + 4i$ inside the cell with corners $q_1, \ldots, q_4$ on the axes $L_1$ along $3 + 2i$ and $L_2$ perpendicular to it, in the real-imaginary plane)

Division by the norm can be eliminated if an efficient method to solve the two linear equations is designed.
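The modified lattice method as working code, added here as an example that is not part of the dissertation: it computes the Cramer's-rule coefficients, forms the candidate quotients from the floor and ceiling of each coordinate, and keeps those whose remainder passes the norm test instead of the absolute-value test, so no square root is taken. The tuple representation and the function names are conventions of this example.

```python
# Added example (not from the dissertation): the four candidate quotients of
# the lattice method, computed from the Cramer's-rule coefficients and filtered
# with the norm test instead of absolute values.  Gaussian integers are (a, b).

def norm(z):
    return z[0] * z[0] + z[1] * z[1]

def divmod_candidates(alpha, beta):
    """(quotient, remainder, N(remainder)) for the corners of the lattice cell
    that contains alpha/beta; only corners whose remainder has N < N(beta)
    are returned (the division-theorem condition)."""
    a, b = alpha
    c, d = beta
    n = norm(beta)
    x_num, y_num = a * c + b * d, b * c - a * d   # alpha/beta = (x_num + i*y_num)/n
    xs = {x_num // n, -(-x_num // n)}             # floor and ceiling of x
    ys = {y_num // n, -(-y_num // n)}             # floor and ceiling of y
    out = []
    for qx in sorted(xs):
        for qy in sorted(ys):
            r = (a - (qx * c - qy * d), b - (qx * d + qy * c))   # alpha - beta*q
            if norm(r) < n:
                out.append(((qx, qy), r, norm(r)))
    return out

def nearest_divmod(alpha, beta):
    """The quotient nearest alpha/beta, i.e. the least-norm remainder."""
    q, r, _ = min(divmod_candidates(alpha, beta), key=lambda t: t[2])
    return q, r

if __name__ == "__main__":
    for cand in divmod_candidates((9, 4), (3, 2)):
        print(cand)
    print(nearest_divmod((9, 4), (3, 2)))
```

When $\alpha/\beta$ has integer coordinates the floor and ceiling coincide and a single exact quotient is returned; when the point lies near a corner of the cell some of the four candidates fail the norm test, which is why the page speaks of "at most" four.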

3.3 Other Z[i] Algorithms

In this section we construct multi-precision algorithms for Z[i] that are analogous to efficient multi-precision algorithms well known for Z. First we show the problems involved in constructing an efficient binary division analog for Z[i], and then present other analogous algorithms: the binary extended gcd algorithm, the Chinese remainder theorem for Z[i] and Garner's algorithm.

3.3.1 Binary division

We saw in the initial sections of this chapter that we get a binary-like representation for Gaussian integers with digit set $D = \{0, 1\}$ when the base is $b = (-1 + i)$. We shall call these binary-like bits gbits. But the nice properties of the binary representation of integers do not extend to the binary-like representation of Gaussian integers. Some of the difficulties we face while constructing a binary-like division algorithm for Gaussian integers are as follows:

(i) Let $\alpha \in Z[i]$ have $n$ gbits and $\beta \in Z[i]$ have $m$ gbits. If $n > m$ it does not follow that $N(\alpha) > N(\beta)$. But in the binary representation of integers we can immediately say $a > b$ if $L(a) > L(b)$, where $L(\cdot)$ is the number of binary bits. This property of the binary representation of integers makes certain operations, like the comparison of two integers, essentially symbolic, while comparison becomes a costly operation in the Z[i] case because the norms of the respective Gaussian integers have to be computed.

(ii) In binary division for integers, finding a nearest quotient is easy as it just involves shifting bits appropriately, which is again a symbolic operation. But a nearest quotient cannot be found so easily by shifting the gbits in the case of Z[i], because of the difficulty pointed out in (i).

The above two facts make constructing a binary division analog for Gaussian integers difficult.

3.3.2 GCD Algorithms for Z[i]

In chapter 2 we discussed the gcd, Euclid's algorithm and Bezout's algorithm for Z[i]. Here we present the (1+i)-ary algorithm for Z[i], analogous to the binary gcd algorithm, which is due to Weilert [13].

3.3.2.1 (1+i)-ary GCD Algorithm

Let $A = a + ib$ and $B = c + id$ where $a, b, c, d \in Z$. The algorithm first divides out the common power of $m = 1 + i$, and then repeatedly strips the remaining factors of $m$ from each operand and replaces the operand of larger norm by the difference. Before each subtraction the two operands are multiplied by units so that each is $\equiv 1 \pmod{2 + 2i}$; this is what makes the method work, because then $(1 + i)^3 = 2 + 2i$ divides $A - B$, and after stripping those factors the norm has at least halved, which guarantees termination. (Without the normalization the norm of $A - B$ need not be smaller than that of $A$ or $B$: for $A = 1$, $B = -1$ the difference is 2, of norm 4.)

Pseudo Code:

Input: $A, B \in Z[i]$ and $m = 1 + i$

Output: $g = \gcd(A, B)$ (up to a unit)

(1+i)_gcd(A, B) {
    g = 1; m = 1 + i;
    while (A != 0 && B != 0 && m | A && m | B) {
        A = A / m;
        B = B / m;
        g = g * m;
    }
    while (A != 0 && B != 0) {
        while (m | A) A = A / m;
        while (m | B) B = B / m;
        A = u_A * A;          /* unit u_A chosen so that A == 1 (mod 2 + 2i) */
        B = u_B * B;          /* unit u_B chosen so that B == 1 (mod 2 + 2i) */
        if (N(A) < N(B))
            swap(A, B);
        A = A - B;            /* divisible by (1+i)^3, so N(A) at least halves */
    }
    return (A == 0) ? g * B : g * A;
}

The basic observation that a Gaussian integer $a + ib$ is divisible by $1 + i$ iff $a \equiv b \pmod 2$ is useful in implementing the above algorithm efficiently. We state its proof below.

Proof. Consider

$$\frac{a + ib}{1 + i} = \frac{(a + ib)(1 - i)}{(1 + i)(1 - i)} = \frac{a + b}{2} + i\,\frac{b - a}{2}.$$

Hence $(1 + i) \mid (a + ib)$ iff $2 \mid (a + b)$ and $2 \mid (b - a)$, i.e. iff $a \equiv b \pmod 2$.

So whether $m \mid A$ can be checked by testing $a \equiv b \pmod 2$. Once $a$ and $b$ are expressed in binary, checking the condition is just a symbolic operation (compare the lowest bits), and the greatest power of $1 + i$ that divides $A$ is found by repeating the test on the successive quotients.

The condition $N(A) > N(B)$ can be checked approximately as follows [14]. Let $L(A)$ be the larger of the binary lengths of $a$ and $b$, and $L(B)$ the larger of the binary lengths of $c$ and $d$, and let $k = L(A) - L(B)$. If $k \geq 2$ then $|A| > |B|$, and if $k \leq -2$ then $|A| < |B|$. In the other cases, approximations of $N(A)$ and $N(B)$ are compared.
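The (1+i)-ary gcd as working code, added here as an example that is not part of the dissertation: it uses the parity test $a \equiv b \pmod 2$ for divisibility by $1 + i$, the exact division $(a + ib)/(1 + i) = (a + b)/2 + i(b - a)/2$, and the unit normalization to $1 \pmod{2 + 2i}$ before each subtraction. The congruence test inside normalize() is derived from $(w - 1)/(2 + 2i) = (w - 1)(2 - 2i)/8$; the test inputs are constructed products with a known gcd.

```python
# Added example (not from the dissertation): the (1+i)-ary gcd over Z[i] with
# the unit normalization that makes every subtraction divisible by (1+i)^3.
# Gaussian integers are (a, b) tuples.

UNITS = ((1, 0), (0, 1), (-1, 0), (0, -1))

def norm(z):
    return z[0] * z[0] + z[1] * z[1]

def gmul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def is_even(z):
    """(1+i) divides a + ib  iff  a == b (mod 2)."""
    return (z[0] - z[1]) % 2 == 0

def div_by_1pi(z):
    """Exact division by 1+i: (a+ib)/(1+i) = (a+b)/2 + i(b-a)/2."""
    a, b = z
    return ((a + b) // 2, (b - a) // 2)

def normalize(z):
    """The associate of an odd z that is == 1 (mod 2+2i).
    With w - 1 = p + iq, (w-1)/(2+2i) = ((p+q) + i(q-p))/4, so the
    congruence holds iff 4 | p+q and 4 | q-p."""
    for u in UNITS:
        w = gmul(z, u)
        p, q = w[0] - 1, w[1]
        if (p + q) % 4 == 0 and (q - p) % 4 == 0:
            return w
    raise ValueError("normalize() needs an argument not divisible by 1+i")

def gcd_1pi(A, B):
    """gcd(A, B) in Z[i] up to a unit, by the (1+i)-ary method."""
    g = (1, 0)
    while A != (0, 0) and B != (0, 0) and is_even(A) and is_even(B):
        A, B, g = div_by_1pi(A), div_by_1pi(B), gmul(g, (1, 1))   # common power of 1+i
    while A != (0, 0) and B != (0, 0):
        while is_even(A):
            A = div_by_1pi(A)
        while is_even(B):
            B = div_by_1pi(B)
        A, B = normalize(A), normalize(B)          # both == 1 (mod 2+2i)
        if norm(A) < norm(B):
            A, B = B, A
        A = (A[0] - B[0], A[1] - B[1])             # divisible by (1+i)^3: N at least halves
    return gmul(g, B if A == (0, 0) else A)

def divides(d, z):
    """True if d | z in Z[i]: z*conj(d) must be divisible by N(d) in both parts."""
    t = gmul(z, (d[0], -d[1]))
    return t[0] % norm(d) == 0 and t[1] % norm(d) == 0

if __name__ == "__main__":
    A, B = (-1, 8), (4, 3)          # (1+2i)(3+2i) and (1+2i)(2-i): gcd is 1+2i
    print(gcd_1pi(A, B))            # an associate of 1+2i (norm 5)
```

Because the result is only determined up to a unit, callers compare norms or test divisibility rather than the tuple itself; multiplying the inputs by $2i$ and $1 + i$ exercises the first loop, which collects the common power of $1 + i$ into $g$.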

3.3.3 Extended Euclidean algorithm for Z[i]

Given two Gaussian integers $A$ and $B$, this algorithm computes Gaussian integers $x_1, y_1$ such that $x_1 A + y_1 B = v$, where $v = \gcd(A, B) \in Z[i]$. If $v$ is a unit, $x_1 v^{-1}$ is the inverse of $A$ modulo $B$ and $y_1 v^{-1}$ is the inverse of $B$ modulo $A$ (the gcd returned by the Euclidean algorithm is only determined up to a unit, so the unit $v$ has to be divided out; since $N(v) = 1$, $v^{-1} = \bar{v}$).

Algorithm (pseudo code):

INPUT: two Gaussian integers A, B
OUTPUT: Gaussian integers x1, y1 and v with x1*A + y1*B = v = gcd(A, B)

extendedgcd(A, B)
{
    r0 = A;  r1 = B;            /* invariant: r_j = x_j * A + y_j * B */
    x0 = 1;  y0 = 0;
    x1 = 0;  y1 = 1;
    while (r1 != 0)
    {
        (q, r) = gaussian_divmod(r0, r1);   /* r0 = q*r1 + r with N(r) <= N(r1)/2 */
        t1 = x0 - x1 * q;
        t2 = y0 - y1 * q;
        r0 = r1;  r1 = r;
        x0 = x1;  y0 = y1;
        x1 = t1;  y1 = t2;
    }
    return (x0, y0, r0);
}

To calculate $q$ the Gaussian division algorithm of section 3.2 is used; because $N(r) \leq N(r_1)/2$ at every step, the loop terminates after at most about $\log N(B)$ iterations.


3.3.4 (1+i)-ary Extended GCD algorithm for Z[i]

This algorithm is analogous to the binary extended gcd algorithm, except that the Gaussian integers are reduced by $(1 + i)$ instead of by 2 as in the integer case. Throughout, the invariants $u = x_0 A + y_0 B$ and $v = x_1 A + y_1 B$ are maintained, with $A, B$ the operands after the common power of $m$ has been removed. When $u$ is divided by $m$ the coefficients must be divided too: if $x_0$ and $y_0$ are both divisible by $m$ this is exact; otherwise $x_0 + B$ and $y_0 - A$ are (because $A \equiv B \equiv 1 \pmod{1 + i}$ once the common factor is removed, $x_0 + y_0 \equiv u \equiv 0$ forces $x_0 \equiv y_0 \equiv 1$), and $(x_0 + B)A + (y_0 - A)B = u$ keeps the invariant. As in section 3.3.2.1, multiplying $u$ (together with its coefficients) by a unit so that $u \equiv 1 \pmod{2 + 2i}$ before the subtraction is what guarantees that the norms decrease.

Algorithm (pseudo code):

INPUT: two Gaussian integers A and B.
OUTPUT: Gaussian integers x, y and z such that x*A + y*B = z, where z = gcd(A, B).

{
    g = 1; m = 1 + i;
    while (A != 0 && B != 0 && m | A && m | B)
    {
        A = A / m;
        B = B / m;
        g = m * g;
    }
    u = A;  v = B;
    x0 = 1; y0 = 0; x1 = 0; y1 = 1;
    if (v == 0) return (x0, y0, g * u);
    do {
        while (m | u) {
            u = u / m;
            if (x0 == 0 (mod m) && y0 == 0 (mod m)) {
                x0 = x0 / m;
                y0 = y0 / m;
            }
            else {
                x0 = (x0 + B) / m;
                y0 = (y0 - A) / m;
            }
        }
        while (m | v) {
            v = v / m;
            if (x1 == 0 (mod m) && y1 == 0 (mod m)) {
                x1 = x1 / m;
                y1 = y1 / m;
            }
            else {
                x1 = (x1 + B) / m;
                y1 = (y1 - A) / m;
            }
        }
        (u, x0, y0) = e0 * (u, x0, y0);   /* unit e0 with u == 1 (mod 2 + 2i) */
        (v, x1, y1) = e1 * (v, x1, y1);   /* unit e1 with v == 1 (mod 2 + 2i) */
        if (N(u) >= N(v)) {
            u = u - v;
            x0 = x0 - x1;
            y0 = y0 - y1;
        }
        else {
            v = v - u;
            x1 = x1 - x0;
            y1 = y1 - y0;
        }
    } while (u != 0);
    return (x1, y1, g * v);
}

3.3.5 CRT Algorithms for Z[i]

The Chinese Remainder Theorem for Z[i] is discussed in chapter 2. Here we present algorithms to solve a system of simultaneous congruences in Z[i].

Analogous to Garner's Algorithm:

Garner's algorithm is an efficient method for determining $x$, $0 \leq x < M$, given $v(x) = (v_1, v_2, \ldots, v_t)$, the residues of $x$ modulo the pairwise coprime moduli $m_1, m_2, \ldots, m_t$, where $M = \prod_{j=1}^{t} m_j$. Garner's algorithm is for integers. We present an analogous algorithm for Gaussian integers.

Pseudo Code:

INPUT: a Gaussian integer $M = \prod_{j=1}^{t} m_j$ with $\gcd(m_i, m_j) = 1$ for all $i \neq j$, and a modular representation $v(x) = (v_1, v_2, \ldots, v_t)$ of $x$ for the $m_i$.

OUTPUT: the Gaussian integer $x$ (as a residue modulo $M$).

    CRT()

    {for(i=2;i


    while implementing cryptographic schemes over Z [i] always belong to Z . Hence, all the

    exponentiation algorithms can be directly applied to Z [i] with minor or no modications.
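One implementation of the extended Euclidean algorithm of section 3.3.3 and of a Garner-style incremental Chinese remaindering for section 3.3.5, added here as an example that is not part of the dissertation (the page's own Garner listing is cut off). The quotient comes from the nearest-quotient Gaussian division, modular inverses are obtained from the Bezout coefficient after dividing out the unit gcd, and the moduli and the secret value in the demo are constructed.

```python
# Added example (not from the dissertation): the extended Euclidean algorithm
# over Z[i] with nearest-quotient division, a modular inverse built from it,
# and a Garner-style incremental Chinese remaindering.  Gaussian integers are
# (a, b) tuples; the moduli and residues in the demo are constructed values.

def norm(z):
    return z[0] * z[0] + z[1] * z[1]

def gmul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def gsub(x, y):
    return (x[0] - y[0], x[1] - y[1])

def nearest(num, den):
    q = num // den
    return q + 1 if 2 * (num - q * den) >= den else q

def gdivmod(alpha, beta):
    """(q, r) with alpha = beta*q + r and N(r) <= N(beta)/2 (nearest quotient)."""
    a, b = alpha
    c, d = beta
    n = norm(beta)
    q = (nearest(a * c + b * d, n), nearest(b * c - a * d, n))
    return q, gsub(alpha, gmul(q, beta))

def ext_gcd(A, B):
    """(x, y, v) with x*A + y*B = v, v = gcd(A, B) up to a unit."""
    r0, r1 = A, B
    x0, y0, x1, y1 = (1, 0), (0, 0), (0, 0), (1, 0)
    while r1 != (0, 0):
        q, r = gdivmod(r0, r1)
        r0, r1 = r1, r
        x0, x1 = x1, gsub(x0, gmul(q, x1))
        y0, y1 = y1, gsub(y0, gmul(q, y1))
    return x0, y0, r0

def inv_mod(A, M):
    """A^{-1} mod M as a least-norm residue; requires gcd(A, M) to be a unit."""
    x, _, v = ext_gcd(A, M)
    if norm(v) != 1:
        raise ValueError("A is not invertible modulo M")
    vbar = (v[0], -v[1])            # v^{-1} = conj(v) because N(v) = 1
    return gdivmod(gmul(x, vbar), M)[1]

def garner_crt(residues, moduli):
    """x (mod M = product of the moduli) with x == residues[j] (mod moduli[j]),
    built one modulus at a time: x <- x + u*M with u = (v - x) * M^{-1} mod m."""
    x, M = residues[0], moduli[0]
    for v, m in zip(residues[1:], moduli[1:]):
        u = gdivmod(gmul(gsub(v, x), inv_mod(M, m)), m)[1]
        x = (x[0] + gmul(u, M)[0], x[1] + gmul(u, M)[1])
        M = gmul(M, m)
    return gdivmod(x, M)[1], M

if __name__ == "__main__":
    moduli = [(2, 1), (3, 2)]                         # norms 5 and 13, coprime
    secret = (7, 3)
    residues = [gdivmod(secret, m)[1] for m in moduli]
    print(residues, garner_crt(residues, moduli))     # recovers secret mod (4+7i)
```

The recovered value is the least-norm representative of the secret modulo $M = (2 + i)(3 + 2i) = 4 + 7i$; the test checks it against each modulus and against $M$ rather than comparing tuples, since the secret itself need not be reduced.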


    Chapter 4

    Cryptographic Algorithms

4.1 RSA Scheme

One of the most widely used cryptographic schemes for message encryption and signatures is the RSA scheme. RSA is named after its three inventors, Ron Rivest, Adi Shamir and Leonard Adleman. It gets its security from the difficulty of factoring large numbers. The RSA algorithm is reproduced below.

Table 4.1: RSA Scheme

    Public key (n, e):   n, the product of two primes p and q (p and q secret);
                         e, relatively prime to phi(n), i.e. gcd(phi(n), e) = 1.
    Private key (d):     d = e^{-1} mod phi(n)
    Encrypting:          c = m^e mod n
    Decrypting:          m = c^d mod n

where $\phi(n) = (p - 1)(q - 1)$.


4.1.1 RSA over Z[i]

We can have two cases of the RSA scheme over Z[i], as we have two types of primes in Z[i]: the rational primes $p \equiv 3 \pmod 4$, which remain prime in Z[i], and the Gaussian primes $\pi = a + ib$ whose norm is a rational prime $q \equiv 1 \pmod 4$.

Case 1: When the primes are of the type $p \equiv 3 \pmod 4$.

Algorithm:

Table 4.2: RSA Encryption 1 over Z[i]

    Public key (n, e):   n, the product of two primes p1 and p2 (n = p1 p2);
                         e, relatively prime to phi_{Z[i]}(n), i.e. gcd(phi_{Z[i]}(n), e) = 1.
    Private key (d):     d = e^{-1} mod phi_{Z[i]}(n)
    Encrypting:          c = m^e mod n      (m, c in Z[i]/(n): both components reduced mod n)
    Decrypting:          m = c^d mod n

where

$$\phi_{Z[i]}(n) = \phi_{Z[i]}(p_1 p_2) = \phi_{Z[i]}(p_1)\,\phi_{Z[i]}(p_2) = (p_1^2 - 1)(p_2^2 - 1).$$

Implementation steps:

- Randomly select two large primes $p_1, p_2$ which are $\equiv 3 \pmod 4$. This is done by first selecting a large random prime and then checking whether it is $\equiv 3 \pmod 4$.

- Calculate $n = p_1 p_2$ and $\phi_{Z[i]}(n)$.

- Select a random $e$ that is coprime to $\phi_{Z[i]}(n)$, and find $d = e^{-1} \bmod \phi_{Z[i]}(n)$.

The only difference in implementing RSA over Z[i] is the value $\phi_{Z[i]}(n)$, which is very large compared to $\phi(n)$. But the security of RSA depends on the hardness of the factorization problem and not on the size of $\phi(n)$, i.e. however large a $\phi(n)$ one selects, the hardness of the RSA problem depends only on factoring $n$. In the paper [21] the authors state that one of the advantages of implementing RSA over Z[i] is the large value of $\phi_G(n)$. Their observation is as follows: in $Z_n$, $\phi(n) = (p - 1)(q - 1)$, but in Z[i], $\phi_G(n) = (p^2 - 1)(q^2 - 1)$; hence an attempt to find the private key $d$ is more complicated when RSA is implemented over Z[i].

This is not true, because $\phi_{Z[i]}(n)$ is a constant multiple of $\phi(n)$, $\phi_{Z[i]}(n) = k\,\phi(n)$, and the constant is itself determined by the factors of $n$: in the Gaussian case $k = (p + 1)(q + 1)$, as shown below.

$$\phi_{Z[i]}(n) = (p^2 - 1)(q^2 - 1) = (p - 1)(p + 1)(q - 1)(q + 1) = (p - 1)(q - 1)(p + 1)(q + 1) = \phi(n)\,(p + 1)(q + 1) = \phi(n)\,k. \tag{4.1}$$

Decryption with the key $d \equiv e^{-1} \pmod{\phi_G(n)}$ works because $ed - 1 = k_1 \phi_G(n)$ and $M^{\phi_G(n)} \equiv 1 \pmod n$ for every $M$ coprime to $n$ (and $M^{ed} \equiv M$ holds for every $M$, since $Z[i]/(p)$ and $Z[i]/(q)$ are fields with $p^2$ and $q^2$ elements):

$$C^d \bmod n = M^{ed} \bmod n = M^{1 + k_1 \phi_G(n)} \bmod n = M \cdot M^{k_1 k\,\phi(n)} \bmod n = M, \quad \text{since } \phi_G(n) = k\,\phi(n). \tag{4.2}$$

What decryption actually needs is $ed \equiv 1$ modulo the exponent of the multiplicative group of $Z[i]/(n)$, which is $\mathrm{lcm}(p^2 - 1,\, q^2 - 1)$; any $d$ with $ed \equiv 1 \pmod{\mathrm{lcm}(p^2 - 1, q^2 - 1)}$ decrypts, and such a $d$ is immediate once $p$ and $q$ are known. For a $d' \equiv e^{-1} \pmod{\phi(n)}$ computed from $\phi(n) = (p_1 - 1)(p_2 - 1)$ alone, with $ed' - 1 = k_3 \phi(n)$,

$$C^{d'} \bmod n = M^{ed'} \bmod n = M^{1 + k_3 \phi(n)} \bmod n = M \cdot M^{k_3 \phi(n)} \bmod n, \tag{4.3}$$

which recovers $M$ only when $M^{\phi(n)} \equiv 1 \pmod n$: this holds for messages $M \in Z$ but not for general Gaussian messages, because the multiplicative order of an element of $Z[i]/(p)$ divides $p^2 - 1$, not $p - 1$. Either way, the difficulty for an attacker lies entirely in recovering the factors of $n$ from the public key, and it is not increased by implementing RSA over Z[i].

Conclusion:

- When RSA is implemented over Z[i], $\phi_G(n)$ is larger than $\phi(n)$, but it is just the constant multiple $(p + 1)(q + 1)\,\phi(n)$, and the exponent that really has to be matched, $\mathrm{lcm}(p^2 - 1, q^2 - 1)$, likewise follows directly from $p$ and $q$.

- A larger $\phi_G(n)$ does not make finding a decryption exponent $d$ more complicated; it is exactly as hard as factoring $n$.

- RSA over Z[i] satisfies the same exponent relation $ed - 1 = k\,\phi(n)$ as RSA over Z; in the Z[i] case $k$ happens to be a multiple of $(p + 1)(q + 1)$.
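A toy run of Case 1 in code, added here as an example that is not part of the dissertation and uses constructed, insecure parameters ($p = 7$, $q = 11$, $e = 7$): it checks that the exponent from $\phi_{Z[i]}(n)$ and the exponent from $\mathrm{lcm}(p^2 - 1, q^2 - 1)$ both recover every message, while the exponent from $\phi(n)$ alone recovers a message in Z but not a general Gaussian message. Elements of $Z[i]/(n)$ are (a, b) tuples with both parts reduced modulo $n$; the function names are this example's own.

```python
# Added example (not from the dissertation): textbook RSA over Z[i]/(n) with
# n = p*q, p and q both == 3 (mod 4), on toy parameters (constructed, not
# secure).  Shows which private exponents actually invert encryption.

from math import gcd

def gmul_mod(x, y, n):
    a, b = x
    c, d = y
    return ((a * c - b * d) % n, (a * d + b * c) % n)

def gpow_mod(g, e, n):
    """g^e in Z[i]/(n) by right-to-left square-and-multiply."""
    result, base = (1, 0), (g[0] % n, g[1] % n)
    while e:
        if e & 1:
            result = gmul_mod(result, base, n)
        base = gmul_mod(base, base, n)
        e >>= 1
    return result

def rsa_zi_keys(p, q, e):
    """Returns n and three candidate private exponents for the public exponent e:
    d_g from phi_{Z[i]}(n), d_lcm from lcm(p^2-1, q^2-1), d_phi from phi(n)."""
    assert p % 4 == 3 and q % 4 == 3, "inert primes only (case 1)"
    n = p * q
    phi_g = (p * p - 1) * (q * q - 1)                    # = phi(n)*(p+1)(q+1), eq. (4.1)
    lam = phi_g // gcd(p * p - 1, q * q - 1)             # lcm: exponent of (Z[i]/(n))^*
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi_g) == 1
    return n, pow(e, -1, phi_g), pow(e, -1, lam), pow(e, -1, phi)

def roundtrip(m, e, d, n):
    """Encrypt m with e and decrypt with d; returns the recovered message."""
    return gpow_mod(gpow_mod(m, e, n), d, n)

if __name__ == "__main__":
    n, d_g, d_lcm, d_phi = rsa_zi_keys(7, 11, 7)     # n = 77: phi_g = 5760, lcm = 240, phi = 60
    m = (12, 34)
    print(n, d_g, d_lcm, d_phi)
    print(roundtrip(m, 7, d_g, n), roundtrip(m, 7, d_lcm, n), roundtrip(m, 7, d_phi, n))
```

For $n = 77$ the three exponents are $d_g = 823$, $d_{\mathrm{lcm}} = 103$ and $d_\phi = 43$; $ed_\phi = 301 \equiv 13 \pmod{48}$, so in $Z[i]/(7) \cong F_{49}$ the decryption with $d_\phi$ computes $M^{13}$, which equals $M$ only for elements of order dividing 12.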

Case 2: When the primes are of the type $q \equiv 1 \pmod 4$, i.e. $n$ is the product of two Gaussian primes $\pi_1, \pi_2$ with $N(\pi_j) = q_j$.

Algorithm:

Table 4.3: RSA Encryption 2 over Z[i]

    Public key (n, e):   n, the product of two Gaussian primes pi1 and pi2 (n = pi1 pi2);
                         e, relatively prime to phi_{Z[i]}(n), i.e. gcd(phi_{Z[i]}(n), e) = 1.
    Private key (d):     d = e^{-1} mod phi_{Z[i]}(n)
    Encrypting:          c = m^e mod n
    Decrypting:          m = c^d mod n

where

$$\phi_{Z[i]}(n) = \phi_{Z[i]}(\pi_1 \pi_2) = \phi_{Z[i]}(\pi_1)\,\phi_{Z[i]}(\pi_2) = (q_1 - 1)(q_2 - 1).$$


4.2 Diffie-Hellman key exchange scheme

Diffie-Hellman was the first public-key algorithm [19] ever invented, back in 1976. It gets its security from the difficulty of calculating discrete logarithms in a finite field, compared with the ease of calculating exponentiations in the same field. It is used for key exchange and not to encrypt or decrypt messages. Alice and Bob agree on a large prime $p$ and a primitive element $g$ mod $p$. These two numbers can be public. The protocol is then as follows:

Table 4.4: Diffie-Hellman Key Exchange protocol

    Alice                                      Bob
    1) Chooses a large random integer x        1) Chooses a large random integer y
    2) Calculates X = g^x mod p                2) Calculates Y = g^y mod p
    3) Sends X to Bob                          3) Sends Y to Alice
    4) Computes K1 = Y^x mod p                 4) Computes K2 = X^y mod p

Both $K_1$ and $K_2$ are equal to $g^{xy} \bmod p$. An intruder knowing $p, g, X, Y$ has no known way of calculating $g^{xy} \bmod p$ other than computing a discrete logarithm to obtain $x$ or $y$.

4.2.1 Diffie-Hellman key exchange over Z[i]

Here Alice and Bob agree on a large Gaussian prime $\pi = a + ib$ and a primitive element $g$ modulo $\pi$. These two ($\pi$, $g$) can be made public. We know that $Z[i]/\langle\pi\rangle \cong Z_q$, where $N(\pi) = q$ and $q \equiv 1 \pmod 4$. The algorithm then follows similarly:


    Table 4.5: Diffie-Hellman Key Exchange protocol on Z [i]

    Alice Bob

    1) Chooses a large random integer x 1) Chooses a large random integer y

    2) Calculates X = gx mod 2) Calculates Y = gy mod

    3) Sends X to Bob. 3) Sends Y to Alice.

    4) Alice computes K 1 = Y x mod 4) Bob computes K 2 = X y mod .

    Both K 1 and K 2 are equal to gxy mod . Even an intruder knowing , g, X, Y

    cannot calculate gxy mod . Unless he calculates the discrete logarithm and gets x or y,

    he cannot solve the problem.

4.3 Generating Gaussian primes

Gaussian primes of the type $\pi = a + ib$ are used in cryptographic primitives like the RSA and DH schemes when implemented on Z[i]. To generate such primes randomly, we follow the steps below in our implementations:

- Randomly select an even number $a$ and an odd number $b$ until $\gcd(a, b) = 1$.

- Compute $q = a^2 + b^2$.

- Check whether $q$ is prime using any efficient primality test.

- If $a^2 + b^2$ is prime then $\pi = a + ib$ is the required random Gaussian prime; otherwise repeat the steps from the start.

Checking whether a number is even or odd is done by looking at the LSB of its binary representation: if the LSB is 1 the number is odd, otherwise it is even. Taking one of $a, b$ even and the other odd makes $q \equiv 1 \pmod 4$. If $\gcd(a, b) \neq 1$ then $a^2 + b^2$ can never be prime, since it is divisible by $\gcd(a, b)^2$; such pairs are discarded by the gcd check. It should be noted that even if $\gcd(a, b) = 1$, $a^2 + b^2$ need not be prime, e.g. $\gcd(3, 4) = 1$ but $3^2 + 4^2 = 25$ is not prime. So we have to test $a^2 + b^2$ for primality using an efficient primality test; once that passes, $a + ib$ is the required Gaussian prime, because a Gaussian integer whose norm is a rational prime is itself prime.


    4.4 BitSizes

    While implementing cryptographic primitives on gaussian integer elds of type Z [i] / , we have an advantage of working with numbers which are half sized. We show below

    what we mean by half sized and why we get such an advantage.

    Proposition: If N () < c , where c = 4 m23 then all the elements in the eld Z [i] / can be uniquely represented as a+ ib with |a| {0, 1, 2, 3,...m 1}and |b| {0, 1, 2, 3, ...m1}.Examples:

    Consider Z [i] / < 3 + 2i > . We know Z [i] / < 3 + 2i >= Z 13 . Hence,Z [i] / < 3 + 2i > = {0, 1, 2, 3, 4, ....12}= Z 13 .

    Take m = 3, 4m2 3 = 33 > cardinality of Z [i] / < 3 + 2 i > , which means all theelements in the eld Z [i] / < 3 + 2i > can be uniquely represented as a + ib with

    |a| {0, 1, 2}and |b| {0, 1, 2}as follows:Z [i] / < 3 + 2i > = {0, 1, 2, 2i, 1 + i,i, 1 + i, 1 i, i, 1 i, 2i, 2, 1}

    Consider Z [i] / < 13 + 2i > . We know Z [i] / < 13 + 2i >= Z 173 . HenceZ [i] / < 13 + 2i > = {0, 1, 2, 3, 4, ....172}= Z 173 .

    Take m = 7, 4m2 3 = 193 > cardinality of Z [i] / < 13 + 2i > , which meansall th elements in the eld Z [i] / < 13 + 2i > can be uniquely represented as a + ibwith |a| = {0, 1, 2, 3, 4, 5, 6}and |b| = {0, 1, 2, 3, 4, 5, 6}as follows:Z [i] / < 13+2 i > = {0, 1, 2, 3, 4, 5, 6, 62i, 52i, 42i...... 6+2 i, 6, 5, 4, 3, 2, 1}

    Consider q = 110040101 1(mod4) and is a prime in Z . Now, = 10490 + i isa prime in Z [i] . We know Z [i] / < 10490 + i >= Z 110040101 whose cardinality is

    110040101.

    Z [i] / < 10490 + i > = {0, 1, 2, 3, 4, ......... 110040101}= Z 110040101Let us nd the value of m. We have m2 = (c+3)4 m = 5245. For m = 5246,

    we have c > cardinality of Z [i] / < 10490 + i > . Hence, all the elements inZ [i] / < 10490+ i > can be uniquely represented as a+ ib with |a| {0, 1, 2, ..... 5245}and |b| {0, 1, 2,....5245}

    42

  • 7/31/2019 Kiran Kadarla MTP Dissertation

    50/63

    Let the number of binary bits in q be k, i.e., log(q) = k, where q is a prime in Z and is 1 mod 4. Hence, q can be expressed as a sum of two squares, i.e., q = a^2 + b^2. Then a has at most k/2 bits and b has at most k/2 bits, so the Gaussian prime a + ib has at most k bits. Consider g^(x + iy) in Z[i] modulo a + ib, where |x| ∈ {0, 1, 2, ..., m - 1} and |y| ∈ {0, 1, 2, ..., m - 1}; then

        m^2 = (c + 3)/4 = (N(a + ib) + 3)/4 = (q + 3)/4

        log(m^2) = log((q + 3)/4) ≈ log(q) - 2, so 2 log(m) ≈ k - 2, i.e., log(m) ≈ k/2 - 1

    The size of m is k/2 bits. Thus, x and y take at most k/2-bit values. Hence, by implementing cryptographic primitives on Z[i] fields, we work with numbers which are at most half sized as compared to the numbers we work with in Z. Security (the DLP) remains the same by Theorem 22, but the computations are made faster.
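The representation described in the proposition and the bit-length argument above, worked through in code. This is an added example and not part of the dissertation: the function names, the (a, b) tuple encoding of a + bi and the residue map are our own choices, while the primes 3 + 2i, 13 + 2i and 10490 + i are the text's examples.

```python
import math

# Added example (not from the dissertation): reducing Z[i]/<pi> to the
# "half-sized" representatives a + ib with |a|, |b| <= m - 1.
# Gaussian integers are (a, b) tuples meaning a + bi; `pi` is our name for
# the Gaussian prime generating the field.

def norm(z):
    """N(a + bi) = a^2 + b^2."""
    a, b = z
    return a * a + b * b

def residue(z, pi):
    """Integer in Z_N (N = N(pi)) that z = a + bi maps to modulo pi = c + di.

    Since c + di = 0 (mod pi), i = -c * d^-1 (mod N). This needs gcd(d, N) = 1,
    which holds for a Gaussian prime of prime norm with d != 0."""
    a, b = z
    c, d = pi
    n = norm(pi)
    u = (-c * pow(d, -1, n)) % n      # the square root of -1 that i maps to
    return (a + b * u) % n

def box_representatives(pi, m):
    """For each residue class mod pi, the minimal-norm point a + bi in the box
    |a|, |b| <= m - 1 that lands in it (ties broken by (a, b) order).
    Residues with no point in the box are absent from the result.
    Enumerates (2m - 1)^2 points, so it is meant for small primes."""
    best = {}
    for a in range(-(m - 1), m):
        for b in range(-(m - 1), m):
            r = residue((a, b), pi)
            cand = (norm((a, b)), a, b)
            if r not in best or cand < best[r]:
                best[r] = cand
    return {r: (a, b) for r, (_, a, b) in best.items()}

def box_covers_field(pi, m):
    """True iff every one of the N(pi) residues has a representative in the box.
    A necessary condition is simply counting: (2m - 1)^2 >= N(pi)."""
    return len(box_representatives(pi, m)) == norm(pi)

def half_size_bound(pi):
    """Smallest m with c = 4m^2 - 3 > N(pi), together with the bit length of
    N(pi) (k bits) and of the coordinate bound m - 1 (about k/2 bits)."""
    n = norm(pi)
    m = math.isqrt((n + 3) // 4) + 1
    return m, n.bit_length(), (m - 1).bit_length()

if __name__ == "__main__":
    reps = box_representatives((3, 2), 3)
    print(sorted(reps.items()))          # residue -> (a, b), the list given in the text
    print(box_covers_field((3, 2), 3))   # True
    print(half_size_bound((10490, 1)))   # (5246, 27, 13): 27-bit q, 13-bit coordinates
```

For 3 + 2i with m = 3 the minimal-norm choice reproduces exactly the thirteen representatives listed above, and the bound for 10490 + i comes out as m = 5246 with coordinates of 13 bits against a 27-bit q. For 13 + 2i with m = 7, however, the box holds only 13 × 13 = 169 points against 173 residues, so box_covers_field() reports residues without a representative; the counting condition (2m - 1)^2 ≥ N(pi) is the first thing to check for a given prime before relying on the half-sized coordinates.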

    4.4.1 Faster computations

    Table 4.6: Complexity Comparisons

    Operations       Z[i]; a + ib, c + id (k/2-bit a, b, c, d)    Z; x, y (k-bit)
    Addition         k                                             k
    Multiplication   0.75k^2                                       2k^2
    Squaring         k^2                                           2k^2
    Norm             k^2                                           n/a
    Division         6.5k^2                                        2k^2

    When we work on cryptographic primitives over Z, we choose large primes q (100 digits or more). Computations involving such large numbers take more time and hence are slower. But by implementing the cryptographic primitives on Z[i] fields, we choose primes of the type a + ib where a and b are half or even smaller in size as compared to q. This reduces the computation time and makes the computations faster. The table above shows the complexities when the basic operations are done on Gaussian integers a + ib and c + id, where a, b, c, d have k/2 bits each, compared with the complexities of the basic operations done on integers x and y having k bits each.


    Chapter 5

    Special Gaussian Primes

    In this chapter, we study the behaviour of special primes, the integer Mersenne primes and Fermat primes, in the ring of Gaussian integers. We then study the Gaussian Mersenne primes. Mersenne primes play a vital role in constructing cryptographic primitives; the largest known primes to date are Mersenne primes. The aim of this chapter is to show that we are not deprived of such large primes by constructing cryptographic primitives over Gaussian integer fields. Most of the material in this chapter is taken from [23].

    5.1 Mersenne primes

    Definition 8 (Mersenne prime). A prime of the type 2^n - 1 is called a Mersenne prime. There are no primes of the form b^n - 1 for any positive integer b other than 2, because b - 1 is a factor of b^n - 1. If b^n - 1 happens to be a prime then its factors must be a unit or itself. But the units in the integers are ±1, i.e., b - 1 = 1 ⇒ b = 2.

    Theorem 31. If 2^n - 1 is a Mersenne prime then n is a prime.

    It should be noted that the converse is not true, as the following example shows: 11 is a prime but 2^11 - 1 = 2047 = 23 × 89 is not a prime.

    Theorem 32. A Mersenne prime in Z is also a prime in Z[i].

    Proof. We know that if a prime p ∈ Z is 3 mod 4 then it stays prime in Z[i], while any prime 1 mod 4 is not a prime in Z[i]. Suppose p = 2^n - 1 is not a prime in Z[i]; then p ≡ 1 mod 4 ⇒ 2^n - 1 ≡ 1 mod 4 ⇒ 2^n ≡ 2 mod 4. But 2^n ≡ 0 mod 4 for n ≥ 2. Hence p ≡ 3 mod 4, so p stays prime in Z[i].

    5.1.1 Fermat Primes

    A prime of the type 2^(2^n) + 1 is called a Fermat prime. Fermat primes with n ≥ 1 are not primes in Z[i], as 2^(2^n) + 1 ≡ 1 mod 4 and so they can be expressed as a^2 + b^2 (the exception is F_0 = 3, which is 3 mod 4 and stays prime in Z[i]). Some known Fermat primes:

    F_0 = 2^1 + 1 = 3
    F_1 = 2^2 + 1 = 5
    F_2 = 2^4 + 1 = 17
    F_3 = 2^8 + 1 = 257
    F_4 = 2^16 + 1 = 65537

    5.1.2 Gaussian Mersenne Primes

    Not only does an integer Mersenne prime remain prime in Z[i], but there are also Gaussian integer Mersenne primes. Gaussian integers have four units (±1, ±i), so for b^n - 1 with b - 1 a unit we now have four cases:

    If b - 1 = 1, we get the integer Mersenne primes, which are also primes in Z[i] (Theorem 32).

    If b - 1 = -1, then b = 0.

    If b - 1 = i, then b = 1 + i. We can have Gaussian Mersenne primes of the type (1 + i)^n - 1.

    If b - 1 = -i, then b = 1 - i. We can have Gaussian Mersenne primes of the type (1 - i)^n - 1.

    If b - 1 = ±i, we get the conjugate pairs of numbers (1 ± i)^n - 1 with norms (for odd n)

        N = 2^n - (-1)^((n^2 - 1)/8) · 2^((n + 1)/2) + 1

    and these can be prime in Z[i] iff the norm N is a prime in Z.

    Theorem 33. (1 ± i)^n - 1 is a Gaussian Mersenne prime iff n = 2, or n is odd and the norm N = 2^n - (-1)^((n^2 - 1)/8) · 2^((n + 1)/2) + 1 is a rational prime.


    The values of n for the first 23 Gaussian Mersenne primes: 2, 3, 5, 7, 11, 19, 29, 47, 73, 113, 151, 157, 163, 167, 239, 241, 283, 353, 367, 379, 457, 997, 1367, 3041, 10141, 14699, 27529, 49207, 77291, 85237, 106693, 160423 and 203789. Gaussian Mersennes share many properties with the regular Mersennes, and Mike Oakes suggests they occur with the same density.


    Chapter 6

    RSA Implementation on Z[i] using GMP

    GNU MP (Multi-Precision), in short GMP, is a portable library written in C for arbitrary precision arithmetic on integers, rational numbers, and floating-point numbers. It aims to provide the fastest possible arithmetic for all applications that need higher precision than is directly supported by the basic C types. Many applications use just a few hundred bits of precision, but some applications may need thousands or even millions of bits. GMP is designed to give good performance for both, by choosing algorithms based on the sizes of the operands, and by carefully keeping the overhead at a minimum. The speed of GMP is achieved by using full words as the basic arithmetic type, by using sophisticated algorithms, by including carefully optimized assembly code for the most common inner loops for many different CPUs, and by a general emphasis on speed (as opposed to simplicity or elegance).

    Our implementation has two parts. The first part is the generation of the RSA private and public keys and the second part is the message encryption. We achieve the first part by randomly selecting the two primes using the function mpz_nextprime() and then calculating the required private and public keys. The function mpz_nextprime() takes a starting value (the "range" in the output below) as its input argument and outputs the next prime above it. In case-2 of RSA we select two primes that are 3 mod 4; the range is a 50-digit number. The implementation is for academic purposes and does not adhere to the RSA standards. Below is the output of the program showing the private and public keys of case-2 RSA on Z[i].


    [root@kadarla case2_rsa]# gcc -lgmp -lm -o Grsa_keys2 Grsa_keys2.c

    [root@kadarla case2_rsa]# ./Grsa_keys2

    Enter a prime range = 98547554223366987455212258899523321335563222155300

    RSA Private Keys:

    p1 = 98547554223366987455212258899523321335563222155307

    p2 = 98547554223366987455212258899523321335563222155523

    phi n = 94315571636809643281409487683297202744915402422024259799500584739854626429188

    3063420594603231522153072401481456253297479591393840029256356332424411789173371

    767841087264643819839240282755339567466944

    d = 18863114327361928656281897536659440548983080484404851959900116947970925285837752

    6126841189206463044306144802962912506594959182787680058512712664848823578346743535

    68217452928763967848056551067913493389

    -RSA Public Keys:-

    (n, e)= (97116204434074565660125164155424608060706582098713072383382143140171072641420

    33929754400318413810561, 5 )

    For the same range, the keys would differ when RSA is implemented on Z as shown

    below:

    [root@kadarla root]# gcc -lgmp -lm -o rsakeys-gmp rsakeys-gmp.c

    [root@kadarla Zi-gmp]# ./rsakeys-gmp

    Enter a prime range = 98547554223366987455212258899523321335563222155300

    RSA Private Keys:

    p[1] = 98547554223366987455212258899523321335563222155307

    p[2] = 98547554223366987455212258899523321335563222155523

    phi n = 9711620443407456566012516415542460806070658209871110143229767580042196

    839624234883111729191969499732

    d = 64744136289383043773416776103616405373804388065807400954865117200281312264

    16156588741152794646333155


    -RSA Public Keys:-

    (n, e) = (97116204434074565660125164155424608060706582098713072383382143140171

    07264142033929754400318413810561, 3 )

    The value of phi(n) turns out to be very large when RSA is implemented on Z[i]. The next part is to encrypt a message using the public keys generated above. We do this in steps, writing 5 different functions as shown below:

    1. PT2PTN(): This function maps plain-text to numbers as follows: {a = 0, b = 1, ..., z = 25, space = 26}.

    2. PTN2MBN(): This function divides the plain-text numbers into blocks called message block numbers, where the message block length is supplied as input.

    3. MBN2CBN(): This is the RSA encryption function, which uses the public keys to encrypt the message blocks.

    4. CBN2CTN(): This function maps the cipher block numbers to cipher-text numbers, where the cipher block length is supplied as input.

    5. CTN2CT(): This function maps the numbers back to cipher text.

    As an example, we encrypt the following plain-text using the public keys of RSA on Z[i] generated above:

    [root@kadarla case2_rsa]# gcc -lgmp -lm -o Gencrypt2-gmp Gencrypt2-gmp.c

    [root@kadarla case2_rsa]# ./Gencrypt2-gmp

    Alert_1:: Do you have RSA keys ready? y/n : y

    Plain-Text Message = mathematics may be defined as the subject in which we

    never know what we are talking about nor whether what

    we are saying is true

    Message length is = 129

    Alphabet Class Number = 27

    Enter n = 971162044340745656601251641554246080607065820987130723833821431

    4017107264142033929754400318413810561

    Actual block length, abl = 69


    Minimum Cipher Block Length, cbl = 70

    Enter Message-Block-Length For Encryption [Note: mbl < abl] : 43

    Message-block-number of plain-text with blocksize(43) ::

    mbn[0] = 15754866149035924850212993359496879570471099587086488944416453

    mbn[1] = 18331787890887951871819684128671887954495434824983463431010847

    mbn[2] = 2026560498171032771030822284718166822523221774816038667153658

    Enter Cipher-Block-Length = 70

    RSA Encryption STARTS ######

    Enter e = 5

    cbn[0] = 4667094709720118300123404500992861235764345504619348360427

    457137306006109270494152290963108008540539

    cbn[1] = 6771550807318265625034943811225787486383476175513776079365

    25550264331024291962891193284151371698975

    cbn[2] = 100953040395440494220240228946462035324107344786291017643

    7904880923119743580518382065251206168177318

    Cipher-Text Message = iay tbkdpe enzchjbaeshqpevcwvpqgfdyusfdmbimxzea

    dyqfabtcokqrswvnkvsljabemvpcfmqykcucxjtiqd wztwsloyovadzlwdwzjdotdhkoopcfo

    fowdmkncyllibdbboybtyysmgfvkbohm yzqsihlumeiliniddlsthiqj msgesbly

    znxknurqtlneeqhcwcxnw

    The decryption of the cipher text is achieved in a similar way to encryption, by 5 different functions which take the private keys as input. The details are as given below:

    1. CT2CTN(): This function maps cipher-text to numbers as follows: {a = 0, b = 1, ..., z = 25, space = 26}.

    2. CTN2CBN(): This function divides the cipher-text numbers into blocks called cipher block numbers, where the cipher block length is supplied as input.

    3. CBN2MBN(): This is the RSA decryption function, which uses the private keys to decrypt the cipher blocks.

    4. MBN2PTN(): This function maps the message block numbers to plain-text numbers, where the message block length is supplied as input.

    5. PTN2PT(): This function maps the numbers back to plain-text.

    [root@kadarla case2_rsa]# gcc -lgmp -lm -o Gdecrypt2-gmp Gdecrypt2-gmp.c

    [root@kadarla case2_rsa]# ./Gdecrypt2-gmp

    Cipher-Text Message = iay tbkdpe enz chjbaeshqpevcwvpqgfdyusfdmbimxzeady

    qfabtcokqrswvnkvsljabemvpcfmqykcucxjtiqd wztwsloyovad

    zlwdwzjdotdhkoopcfofowdmkncyllibdbboybtyysmgfvkbohmyzqsih

    lumeiliniddlsthiqjmsgesblyzn

    Cipher-Text Length = 210

    Enter mbl and cbl used in Encryption: 43 70

    Message Block Length,mbl = 43

    Cipher Block Length,cbl = 70

    Cipher-Block-Number of Cipher-Text with blocksize(70) ::cbn[0] = 466709470972011830012340450099286123576434550461934836

    0427457137306006109270494152290963108008540539

    cbn[1] = 677155080731826562503494381122578748638347617

    551377607936525550264331024291962891193284151371698975

    cbn[2] = 10095304039544049422024022894646203532410734478629101764379

    04880923119743580518382065251206168177318

    RSA Decryption STARTS ######

    Enter n = 971162044340745656601251641554246080607065820987130723833

    8214314017107264142033929754400318413810561

    Enter d = 18863114327361928656281897536659440548983080484404851959


    90011694797092528583775261268411892064630443061448029629125

    065949591827876800585127126648488235783467435356

    8217452928763967848056551067913493389

    mbn[0] = 15754866149035924850212993359496879570471099587086488944416453

    mbn[1] = 18331787890887951871819684128671887954495434824983463431010847

    mbn[2] = 2026560498171032771030822284718166822523221774816038667153658

    Plain-Text Message = mathematics may be defined as the subject in which we

    never know what we are talking about nor whether what

    we are saying is true
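The key generation and the encrypt/decrypt pipeline of this chapter, as an added Python example. It is not the dissertation's GMP program: the primes are small constructed values (found by trial division from a "range", in the spirit of mpz_nextprime(), so the demo runs instantly, whereas the dissertation uses 50-digit primes), e = 65537 rather than the e = 5 of the output above, and packing two base-27 message blocks into the real and imaginary parts of one Gaussian integer is our own choice. Function names are ours; the base-27 alphabet (a = 0, ..., z = 25, space = 26) and phi(n) = (p^2 - 1)(q^2 - 1) for p, q ≡ 3 mod 4 follow the text.

```python
import math

# Added example, not the dissertation's GMP program: "case-2" RSA over Z[i],
# both primes 3 mod 4 (inert in Z[i]) so that phi(n) = (p^2 - 1)(q^2 - 1),
# with the base-27 text mapping of the PT2PTN ... CTN2CT steps.
# Gaussian integers are (a, b) tuples meaning a + bi.

ALPHABET = "abcdefghijklmnopqrstuvwxyz "      # 27 symbols, position = number

def next_prime_3mod4(start):
    """Smallest prime p >= start with p = 3 (mod 4). Trial division: demo sizes only."""
    p = max(start, 2)
    while True:
        if p % 4 == 3 and all(p % d for d in range(2, math.isqrt(p) + 1)):
            return p
        p += 1

def keygen(range1, range2, e=65537):
    """Returns ((n, e), (n, d)) with d = e^-1 mod (p^2 - 1)(q^2 - 1)."""
    p, q = next_prime_3mod4(range1), next_prime_3mod4(range2)
    n = p * q
    phi = (p * p - 1) * (q * q - 1)          # order of (Z[i]/<n>)^* for inert p, q
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))

def gauss_mulmod(z, w, n):
    a, b = z
    c, d = w
    return ((a * c - b * d) % n, (a * d + b * c) % n)

def gauss_powmod(z, k, n):
    """(a + bi)^k in Z[i]/<n> by square-and-multiply."""
    result, base = (1, 0), (z[0] % n, z[1] % n)
    while k:
        if k & 1:
            result = gauss_mulmod(result, base, n)
        base = gauss_mulmod(base, base, n)
        k >>= 1
    return result

def text_to_blocks(text, mbl):
    """PT2PTN + PTN2MBN: each run of mbl letters becomes one base-27 integer."""
    digits = [ALPHABET.index(ch) for ch in text]
    blocks = []
    for i in range(0, len(digits), mbl):
        value = 0
        for dgt in digits[i:i + mbl]:
            value = value * 27 + dgt
        blocks.append(value)
    return blocks

def blocks_to_text(blocks, mbl):
    """MBN2PTN + PTN2PT: fixed mbl digits per block, so leading 'a' (= 0) survive."""
    out = []
    for value in blocks:
        digits = []
        for _ in range(mbl):
            value, dgt = divmod(value, 27)
            digits.append(dgt)
        out.extend(ALPHABET[dgt] for dgt in reversed(digits))
    return "".join(out)

def encrypt_text(text, pub, mbl):
    """Pads with spaces to a multiple of 2*mbl, packs blocks pairwise as a + bi,
    and returns the ciphertexts c = m^e in Z[i]/<n>."""
    n, e = pub
    if 27 ** mbl > n:
        raise ValueError("message block must be smaller than n")
    text += " " * (-len(text) % (2 * mbl))
    blocks = text_to_blocks(text, mbl)
    return [gauss_powmod((blocks[i], blocks[i + 1]), e, n)
            for i in range(0, len(blocks), 2)]

def decrypt_text(cipher, priv, mbl):
    """m = c^d in Z[i]/<n>, then unpack both coordinates back to text (padding stripped)."""
    n, d = priv
    blocks = []
    for c in cipher:
        a, b = gauss_powmod(c, d, n)
        blocks += [a, b]
    return blocks_to_text(blocks, mbl).rstrip(" ")

if __name__ == "__main__":
    pub, priv = keygen(10000, 10030)      # p = 10007, q = 10039, both 3 mod 4
    msg = ("mathematics may be defined as the subject in which we never know "
           "what we are talking about nor whether what we are saying is true")
    cipher = encrypt_text(msg, pub, 5)    # 27^5 < n = 100460273
    print(cipher[0])
    print(decrypt_text(cipher, priv, 5) == msg)   # True
```

Decryption works for every message in Z[i]/<n>, not only for units: modulo each inert prime p the quotient is a field of p^2 elements, so m^(p^2 - 1) = 1 for m not divisible by p, and (p^2 - 1) divides phi(n); messages divisible by p are fixed by exponentiation trivially.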


    6.1 Conclusions

    We constructed some efficient multi-precision algorithms for Z[i] arithmetic and showed that the existing cryptographic schemes can be extended to Z[i] fields. The well-defined Gaussian integer arithmetic and certain advantages it offers when implementing cryptographic schemes over Z[i] fields, like smaller keys and faster computations with the same security, enable us to develop future cryptographic products using Z[i] fields.

    6.2 Future Work

    One of the most important operations required in the implementation of cryptographic protocols is division. Though we could come up with some division algorithms, there are difficulties in constructing a complete binary-analogue division algorithm for Gaussian integers, and such an algorithm is yet to be designed.


    References

    [1] Kyung Mi Kim, "The Cryptanalysis of RSA over Gaussian Integers", unpublished paper.

    [2] Boris S. Verkhovsky and Andre Mutovic, "Primality Testing Algorithm Using Pythagorean Integers", International Conference on Computer Science and Information Systems, June 15-18, 2005.

    [3] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, 2nd ed., Springer-Verlag, 1990.

    [4] Keith Conrad, "Notes on Gaussian Integers", www.math.uconn.edu/kconrad/math330/Zinotes.pdf

    [5] J. T. Cross, "The Euler phi-function in the Gaussian integers", Amer. Math. Monthly, vol. 90 (1983), pp. 518-528.

    [6] Greg Dresden and Wayne Dymacek, "Finding Factors of Factor Rings over Gaussian Integers", http://home.wlu.edu/dresdeng/papers/factorrings.pdf

    [7] I. Katai and J. Szabo, "Canonical number systems for complex integers", Acta Scientiarum Mathematicarum, 1975, pp. 255-260.

    [8] P. Zimmermann, "A Proof of GMP Fast Division and Square Root Implementations", September 2000, http://www.loria.fr/zimmerma/papers

    [9] Steve Benson, "Euclid's (Gaussian) Algorithm: A Lattice Approach", 25:2, 1994, pp. 118-124.

    [10] William J. Gilbert, "Arithmetic in Complex Bases", Mathematics Magazine, Vol. 57, No. 2 (Mar. 1984), pp. 77-81.

    [11] K. Z. Pekmetzi, "Complex number multipliers", IEE Proceedings, Vol. 136, Jan 1989.

    [12] Donald E. Knuth, "An Imaginary Number System", Communications of the ACM, April 1960, vol. 3, issue 4.

    [13] A. Weilert, "(1+i)-ary GCD computation in Z[i] as an analogue to the binary GCD algorithm", J. Symb. Comput., 30, pp. 605-617.

    [14] George E. Collins, "A Fast Euclidean Algorithm for Gaussian Integers", J. Symbolic Computation (2002) 33, pp. 385-392.

    [15] W. Diffie and M. Hellman, "New directions in cryptography", IEEE Trans. on Information Theory, vol. 22, pp. 644-654, 1976.

    [16] R. L. Rivest, A. Shamir, and L. M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, Vol. 21, no. 2, Feb 1978, pp. 120-126.

    [17] R. Lidl and H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and Its Applications, Cambridge University Press, 1997.

    [18] A. M. Odlyzko, "Discrete Logarithms in finite fields and their cryptographic significance", www.dtc.umn.edu/odlyzko/doc/arch/discrete.logs.pdf

    [19] W. Diffie and M. Hellman, "New directions in cryptography", IEEE Trans. on Information Theory, vol. 22, pp. 644-654, 1976.

    [20] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms", IEEE Trans. on Information Theory, vol. 31, pp. 469-472, 1985.

    [21] A. N. El-Kassar, Ramzi Haraty, Y. A. Awad and N. C. Debnath, "Modified RSA in the domains of Gaussian integers and polynomials over finite fields", Int. J. Appl. Math., 2005.

    [22] N. Tsuchimura, "Computational Results for Gaussian Moat Problem", March 2004, METR 2004-13.

    [23] The Prime Pages - prime number research, records and resources, http://primes.utm.edu/


    Acknowledgments

    I express my indebtedness and sincere thanks to Prof. V. R. Sule for seeing potential in me and giving me an opportunity to work on this project and for his constant encouragement during my M.Tech project. I would also like to thank all my colleagues and friends in the computing lab for their help and support. I am thankful to Amit Kalele for discussions and also for constant help.

    Kiran K Kadarla

    June, 2005