Review of Number System Z
9/22/2005
• Publish e and n.
How to encode: E(x) = x^e % n
How to decrypt: D(y) = y^d % n. What is d?
Choose d so that ed = kϕ(n) + 1 for some integer k, i.e. ed ≡ 1 mod ϕ(n). Then
$D(E(x)) = (x^e)^d \bmod n = x^{ed} \bmod n = x^{k\phi(n)+1} \bmod n = [x^{\phi(n)}]^k \cdot x \bmod n = 1^k \cdot x \bmod n = x$
ϕ(n) = number of integers i, 1 ≤ i ≤ n − 1, which are relatively prime to n.
i and n relatively prime means they have no common factors except 1, i.e. gcd(i, n) = 1.
ϕ(6) = 2: of 1, 2, 3, 4, 5, strike out 2, 3, 4 (each shares a factor with 6), leaving 1 and 5. So, 2. Need to learn more about primes.
1. Unique factorization: Every integer factors into primes in essentially one way. e.g. 63 = 3 · 3 · 7
2. Every polynomial with real coefficients factors into prime polynomials (irreducible polynomials) in essentially one way. e.g. x^2 − 1 = (x − 1)(x + 1).
How to get to unique factorization. Suppose we can write n as a product of primes in two ways:
n = p1 p2 p3 p4 . . . pc
n = q1 q2 q3 q4 . . . qd
Now p1 | n, so p1 | q1 q2 . . . qd. So by Euclid’s Lemma, p1 | qi for some i. Since both are prime, p1 = qi. Cancel and repeat.
Goal is to write 1 = 13s + 114t
p = 13, a = 114
114 = 8 · 13 + 10
13 = 1 · 10 + 3
10 = 3 · 3 + 1
And then “backwards.”
1 = 10 − 3 · 3
  = 10 − 3 · (13 − 10)
  = 4 · 10 − 3 · 13
  = 4 · (114 − 8 · 13) − 3 · 13
  = 4 · 114 − 35 · 13
Same proof shows that polys with real coefficients factor in essentially only one way.
Division Alg. ⇒ Euclidean Algorithm
Euclidean Algorithm ⇒ Euclid’s Lemma
Euclid’s Lemma ⇒ Unique Factorization
Division algorithm: Given positive integer d, and integer n, we can write n = qd + r for
0 ≤ r < d.
Division algorithm for polynomials: Given non-zero polynomial d and polynomial n,
we can write n = qd + r where degree of r is less than the degree of d.
9/27/2005
Example of RSA
n = 5 · 11 = 55 (n = pq, product of two primes).
e = 3
Publish n = 55, e = 3 (secret: p = 5, q = 11).
E(x) = x^3 % 55. (ex. E(41) = 41^3 % 55 = 6)
To decode: D(x) = x^d % 55. We need d with (x^e)^d % 55 = x.
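An added example (not from the notes): the extended Euclidean algorithm behind the 1 = 4 · 114 − 35 · 13 computation above, used to find the decryption exponent d for the toy key p = 5, q = 11, e = 3, so that E(41) = 6 decrypts back to 41.

```python
# Added example, not code from the notes. Extended Euclid gives s, t with
# s*a + t*b = gcd(a, b); applied to (e, phi(n)) it yields d = e^-1 mod phi(n),
# which is exactly the d with e*d = k*phi(n) + 1 that RSA decryption needs.

def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g.
    Recursive form of the notes' "forwards, then backwards" substitution."""
    if b == 0:
        return a, 1, 0
    g, s, t = extended_gcd(b, a % b)
    # a = q*b + r with r = a % b, so g = s*b + t*r = t*a + (s - q*t)*b
    return g, t, s - (a // b) * t

def mod_inverse(a, m):
    """a^-1 mod m, or an error if gcd(a, m) != 1 (then no inverse exists)."""
    g, s, _ = extended_gcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return s % m

def rsa_keypair(p, q, e):
    """Toy RSA: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi. Returns (n, e, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, mod_inverse(e, phi)

def encrypt(x, e, n):
    return pow(x, e, n)          # E(x) = x^e % n

def decrypt(y, d, n):
    return pow(y, d, n)          # D(y) = y^d % n

if __name__ == "__main__":
    n, e, d = rsa_keypair(5, 11, 3)
    print(n, e, d, encrypt(41, e, n), decrypt(encrypt(41, e, n), d, n))
```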
Euler’s Theorem:
x^{ϕ(n)} % n = 1
where ϕ(n) is the number of integers i in the range 1 ≤ i ≤ n with gcd(i, n) = 1, provided gcd(x, n) = 1.
Explanation
Look at Z/n. Inside Z/n, we have (Z/n)* = all elements of Z/n which have multiplicative inverses mod n = all elements i in Z/n with gcd(i, n) = 1.
(Z/6)* = {1, 5}
(Z/7)* = {1, 2, 3, 4, 5, 6}
(Z/15)* = {1, 2, 4, 7, 8, 11, 13, 14}
Size of (Z/n)* is ϕ(n).
10/4/2005
homework, problem 3 hints: (a) Can Alice find ϕ(n)? And (b) Can she find some integer
multiple of ϕ(n)? Use this multiple to find something “just as good”. This means you can
use it to decode.
Let’s talk about Z/n = {0, 1, 2, . . . , n − 1}. Can add and multiply.
Also, (Z/n)* consists of all elements of Z/n which have multiplicative inverses, only considering multiplication.
Size of (Z/n)* = ϕ(n).
Given a ∈ (Z/n)*, how many square roots does it have? (Square root means b with b^2 = a in Z/n.)
Answer depends on a.
Ex: a = 1 in Z/7. Sqrts are 1, 6.
a = 4 in Z/7. Sqrts are 2, 5.
a = 5 in Z/7. Sqrts are nonexistent.
First, look at the sqrt problem in (Z/p)* when p is prime.
Know (1) size of (Z/p)* = p − 1. (2) If a has a sqrt b, it has another sqrt −b, so one sqrt implies at least 2 sqrts. (3) An element in (Z/p)* has at most 2 sqrts.
10/11/2005
from page 216+ of the textbook:
In (Z/p)*, have a primitive root g.
Then the elements of (Z/p)* are:
g^0, g^1, g^2, g^3, · · · , g^{p−2}
Now look at the system
x = a mod m
x = b mod n
Example
x = 2 mod 3
x = 1 mod 5
Since m and n are relatively prime, can find s and t with sm + tn = 1. Now look at the equation:
x0 = a(tn) + b(sm) mod mn
Claim: the set of solutions to the system is the same as the set of solutions to the equation. First, let’s show that any solution to the equation is also a solution to the system.
Given
x0 = a(tn) + b(sm) mod mn
reduce mod m (note sm ≡ 0 mod m and tn = 1 − sm ≡ 1 mod m). Thus,
x0 = a(tn) + b(sm) mod m
   = a(tn) mod m
   = a(1 − sm) mod m
   = a − asm mod m
   = a mod m
x = 2 mod 3
x = 1 mod 5
m = 3, n = 5, so sm + tn = 2 · 3 + (−1) · 5 = 1 (s = 2, t = −1).
x0 = 2 · (−5) + 1 · 6 mod 15
   = −10 + 6 mod 15
   = −4 mod 15
   = 11 mod 15
Checking...
11 = 2 mod 3
11 = 1 mod 5
This gives all solutions to the system.
Find all solutions to z^2 = 1 mod 15. Look at:
z^2 = 1 mod 3
z^2 = 1 mod 5
Method 1: complete the square: x^2 − 4x + 3 = (x − 2)^2 − 1 = [(x − 2) − b] · [(x − 2) + b], where b^2 = 1.
Method 2:
x^2 − 4x + 3 = (x − 2)^2 − 1
set (x − 2)^2 − 1 = 0
(x − 2)^2 = 1
x − 2 = b with b^2 = 1
x = 2 + b gives roots.
Method 3: Using the quadratic formula
$\frac{4 \pm \sqrt{16 - 4 \cdot 3}}{2} = \frac{4 \pm \sqrt{4}}{2} = \frac{4 \pm 2\sqrt{1}}{2} = 2 \pm \sqrt{1}$
(where √1 means any b with b^2 = 1 in the ring at hand).
Roots mod 77 are 2 + b with b^2 = 1 mod 77, i.e. solve
b^2 = 1 mod 7
b^2 = 1 mod 11
and knit the answers together. Euclid on 11 and 7:
11 = 7 + 4
7 = 4 + 3
4 = 3 + 1
1 = 4 − 3
  = 4 − (7 − 4) = 2 · 4 − 7
  = 2(11 − 7) − 7
  = 2 · 11 − 3 · 7
“Knitting” solutions together then (22 = 2 · 11 is 1 mod 7 and 0 mod 11; −21 = −3 · 7 is 0 mod 7 and 1 mod 11):
a      b      22 · a − 21 · b mod 77
1      1      1
−1     −1     −1
1      −1     43
−1     1      −43
Pick b = 43: x^2 − 4x + 3 = [(x − 2) − 43] · [(x − 2) + 43] = (x − 45)(x + 41) mod 77.
Euler’s criterion for the existence of square roots
p odd prime, y relatively prime to p:
$y^{(p-1)/2} = 1 \bmod p \iff$ y has a square root.
$y^{(p-1)/2} = -1 \bmod p \iff$ y does not have a square root.
If p is a prime with p = 3 mod 4:
If y has a square root, then one square root is given by $y^{(p+1)/4} \bmod p$.
Warning: If y does not have a square root, the above does not give a valid answer.
Example
(Z/11)* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
[(Z/11)*]^2 = {1^2 = 1, 2^2 = 4, 3^2 = 9, 4^2 = 5, 5^2 = 3, 6^2 = 3, 7^2 = 5, 8^2 = 9, 9^2 = 4, 10^2 = 1}
Does 2 have a square root? 2^5 = 32 = −1 mod 11, so no.
Does 3 have a square root? 3^5 = 1 mod 11, so yes.
5^3 = 125 = 4 mod 11, so 4 is a square root of 5.
2^3 = 8, but 8 is not a square root of 2!!
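An added example (not from the notes): the CRT “knitting” formula, Euler’s criterion and the p = 3 mod 4 square-root formula chained together, reproducing the solutions of z^2 = 1 mod 15, the four square roots of 1 mod 77 and the roots of x^2 − 4x + 3 mod 77 worked above.

```python
# Added example, not code from the notes. Helper names are my own.

def crt(a, m, b, n):
    """Smallest x >= 0 with x = a (mod m) and x = b (mod n); gcd(m, n) = 1 ass umed.
    Notes' formula x0 = a*(t*n) + b*(s*m) with s*m + t*n = 1: t*n is 1 mod m and
    0 mod n, while s*m is 0 mod m and 1 mod n, so x0 satisfies both congruences."""
    s = pow(m, -1, n)  # s*m = 1 (mod n)
    t = pow(n, -1, m)  # t*n = 1 (mod m)
    return (a * t * n + b * s * m) % (m * n)

def has_square_root(y, p):
    """Euler's criterion, p an odd prime and gcd(y, p) = 1:
    y^((p-1)/2) = 1 (mod p) iff y has a square root (otherwise it is -1)."""
    return pow(y, (p - 1) // 2, p) == 1

def square_roots_mod_prime(y, p):
    """Both square roots of y mod an odd prime p, or [] if there are none.
    For p = 3 (mod 4) one root is y^((p+1)/4); the notes warn that this value
    is meaningless when y is not a square, so Euler's criterion is checked first.
    Other primes (5 in the mod-15 example) fall back to brute force."""
    y %= p
    if y == 0:
        return [0]
    if not has_square_root(y, p):
        return []
    if p % 4 == 3:
        r = pow(y, (p + 1) // 4, p)
    else:
        r = next(b for b in range(1, p) if (b * b) % p == y)
    return sorted({r, p - r})  # a root r always comes with -r

def square_roots_mod_pq(y, p, q):
    """Knit each root mod p with each root mod q: up to four roots mod pq."""
    return sorted({crt(bp, p, bq, q)
                   for bp in square_roots_mod_prime(y, p)
                   for bq in square_roots_mod_prime(y, q)})

def roots_of_x2_minus_4x_plus_3(p, q):
    """x^2 - 4x + 3 = (x - 2)^2 - 1, so the roots mod pq are 2 + b with b^2 = 1."""
    return sorted((2 + b) % (p * q) for b in square_roots_mod_pq(1, p, q))
```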
Issues with RSA
As n gets large, the density of primes near n gets small. In fact, there are arbitrarily large gaps in the sequence of primes.
Fermat’s Theorem
If we know that p is a prime, then y^{p−1} = 1 mod p (if y is relatively prime to p).
If for some y, y^{p−1} ≠ 1 mod p, then p is not prime.
If a number passes the Fermat test for base b, it is a Fermat pseudo-prime.
10/18/2005
Pseudo-Primes
A pseudo-prime is a number which passes some primality test. If the test fails, then the
number is definitely composite. If it passes the test, then it is “likely” to be prime. “Likely”
is very vague. We can figure out some probabilities for this.
First example of a primality test: Fermat Test:
Given n, look at 2^{n−1} % n.
If 2^{n−1} % n ≠ 1, n is definitely composite.
If 2^{n−1} % n = 1, n is “likely” to be prime. (It is a Fermat Pseudoprime.)
What if n passes this test? Is n prime? Well, do the same test, but with a different base.
Use Fermat Test base b (gcd(b, n) = 1).
Given n, look at b^{n−1} % n.
If b^{n−1} % n ≠ 1, n is definitely composite.
If b^{n−1} % n = 1, n is “likely” to be prime.
Unfortunately, there are composite numbers which pass the Fermat Test base b for every b. Ex: n = 561.
Euler Test asks: does x^2 = b mod n have a solution? Define
$\left(\frac{b}{n}\right)_2 = \begin{cases} 0 & \text{if } \gcd(b, n) \ne 1 \\ 1 & \text{if } x^2 = b \bmod n \text{ has a solution} \\ -1 & \text{if } x^2 = b \bmod n \text{ has no solutions} \end{cases}$
Know if p is prime:
$\left(\frac{b}{p}\right)_2 = b^{(p-1)/2} \bmod p$
(Euler’s Criteria. p. 232)
Rk: If n is not prime, $b^{(n-1)/2} \bmod n$ is ???
Euler Test (base b)
If $\left(\frac{b}{n}\right)_2 \ne b^{(n-1)/2} \bmod n$, then n is definitely composite. If $\left(\frac{b}{n}\right)_2 = b^{(n-1)/2} \bmod n$, then n is likely to be prime.
Fact: If n is not prime, half the b’s will show this. (1 < b < n)
Solovay-Strassen Test: Want to know if n is prime or composite.
1. Pick k random b’s. Apply the Euler Test to n with each of these b’s.
2. If n passes the test for all the b’s, then n is prime with probability 1 − (1/2)^k.
Ex: If k = 10, 1 − (1/2)^10 ≈ 1 − 1/1000 ≈ .999
If k = 20, 1 − (1/2)^20 ≈ 1 − 1/10^6 ≈ .999999
Miller-Rabin Test: If it fails, definitely composite. If it passes, it is prime with probability 3/4. (It is a Strong Pseudoprime.)
n is the positive integer to be tested.
b is a random number, 1 < b < n − 1.
Write n − 1 = 2^r · m (with m odd). Do:
Compute b_0 = b^m % n.
If b_0 = ±1 mod n, STOP: n is prime with probability 3/4. Otherwise, continue.
While s < r, compute b_s = (b_{s−1})^2 % n.
If b_s = −1 mod n, STOP. n is prime with probability 3/4.
If b_s = 1 mod n (for s ≥ 1), n is definitely composite.
Why is n definitely composite? Because (b_{s−1})^2 = b_s = 1 with b_{s−1} ≠ ±1 mod n. So 1 has a square root (mod n) other than ±1. Hence n is not prime. If none of b_1, b_2, b_3, . . . , b_{r−1} equals −1, n is definitely composite.
Ex: n = 9, n − 1 = 8 = 2^3 · 1, r = 3, m = 1. Pick b = 5.
b_0 = 5^1 % 9 = 5.
Is b_0 = ±1 mod 9? No. Continue.
b_1 = 5^2 % 9 = 25 % 9 = 7.
Is b_1 = ±1 mod 9? No. Continue.
b_2 = 7^2 % 9 = 49 % 9 = 4 ≠ ±1.
Hence, 9 is definitely composite.
Ex: n = 11, n − 1 = 10 = 2^1 · 5, r = 1, m = 5. Pick b = 3.
b_0 = b^m = 3^5 % 11 = 1.
Is b_0 = ±1 mod 11? Yes. STOP. n is probably prime.
10/20/2005
on page 269
Testing n, using “random” b, write n − 1 = 2^r · m for m odd.
b_0 = b^m % n
If b_0 = ±1, stop: n is probably prime. Otherwise continue.
Let b_s = (b_{s−1})^2 % n.
If (for s < r) b_s = −1 mod n, stop: n is probably prime.
If (for s < r) b_s = 1 mod n, stop: n is definitely composite.
If none of b_0, b_1, b_2, . . . , b_{r−1} = ±1, then stop: n is definitely composite.
Why?
b_0 = b^m
b_1 = (b^m)^2 = b^{2m}
b_2 = (b^{2m})^2 = b^{4m}
b_3 = (b^{4m})^2 = b^{8m}
In general, b_i = b^{2^i m}. Now suppose none of b_0, b_1, b_2, . . . , b_{r−1} = ±1.
Look at b_r = (b_{r−1})^2 = b^{2^r m} = b^{n−1}.
If b_r % n ≠ 1, then n is composite by the Fermat Test.
If b_r % n = 1, then 1 = b_r = (b_{r−1})^2 with b_{r−1} ≠ ±1, so n is composite.
Example: n = 1001, b = 2, n − 1 = 1000 = 2^3 · 125
b_0 = 2^125 % 1001 = 32 ≠ ±1 mod 1001, continue. (The power is built by repeated squaring: 2^2 = 4, 2^4 = 16, 2^8 = 256, 2^16 = 256^2 % 1001 = 471, . . .)
b_1 = (32)^2 % 1001 = 23 ≠ ±1 mod 1001, continue.
b_2 = (23)^2 % 1001 = 529 ≠ ±1 mod 1001, continue.
1001 is definitely composite.
[section on fast modular exponentiation. page 207.]
On test Two
4. Ch. 13: §13.2 & 13.3. Know how to solve x^2 = a mod pq and the system
x = a mod p
x = b mod q
Also, Euler’s Theorem & Euler’s Criterion for square roots.
5. Recently: 13.5 Square Root Oracle
6. And Ch. 16
Test Two
Remarks Motivated by RSA
Discussion About Primes
1. (a ∗ b) ∗ c = a ∗ (b ∗ c)
Remark If a ∗ b = b ∗ a for all a and b in G, we say that the group is “commutative” or
“abelian”.
Ex
More examples of Groups:
Rotations of a square:
4. R0 ≡ identity.
2. G = Z. H = odd integers. Not a subgroup. If you add two odd integers, you get an
even integer.
5. G = All symmetries of equilateral triangle. H = all flips, together with identity. Not
a subgroup: you can combine two flips to get a rotation.
⟨g⟩ = {g, g^2, g^3, g^4, . . .} = {g^n : n ∈ Z}
⟨2⟩ = {1, 2, 4, 8, 5, 10, 9, 7, 3, 6} = (Z/11)*
⟨3⟩ = {1, 3, 9, 5, 4}
Theorem (Lagrange) If G is a finite group, and H is a subgroup of G, then the order of H
divides order of G.
11/15/2005
Let g ∈ G.
Definition: Order of G = |G| = size of G. Def: Order of g = |⟨g⟩| = smallest positive integer n such that g^n = e, the identity.
Example: (Z/7)*, |(Z/7)*| = 6.
What is the order of 2 in (Z/7)*?
2^0 = 1
2^1 = 2
2^2 = 4
2^3 = 8 = 1
Answer: 3
Theorem: If g ∈ G, then |g| divides |G|. Proof: |g| = |⟨g⟩|, and by Lagrange’s Theorem, the order of a subgroup divides the order of the group.
EX: what are the possible orders of elements in (Z/107)*?
Solution: |(Z/107)*| = 106 (106 = 2 · 53), so the possible orders of elements are: 1, 2, 53, 106.
Theorem: If g ∈ G and |G| = n, then g^n = e.
Proof: Let d = |g|; know d | n. Then g^n = (g^d)^{n/d} = e^{n/d} = e.
Corollary: (Another proof of Euler’s Theorem) If x is relatively prime to p, then x^{p−1} = 1 mod p (p prime). Proof: |(Z/p)*| = p − 1, so by the previous theorem, x^{p−1} = 1 mod p.
Look at discrete logs:
Given b, a primitive root mod p, and given a, want to solve b^ℓ = a mod p.
One attack: Let G be a cyclic group. Let n = |G|. Let m = ⌊√n⌋.
Given b and a in G, know b is a generator: ⟨b⟩ = G. Find ℓ such that b^ℓ = a.
Example: Solve 3^ℓ = 2 mod 31. Don’t know ℓ, but in any case ℓ can be written as
ℓ = mi + j, with 0 ≤ j < m and 0 ≤ i < m
m = ⌊√30⌋ = 5. Compute powers of b:
j      0    1    2    3    4
3^j    1    3    9    27   19
Now compute (using 3^{−5} ≡ 6 mod 31):
2 = 2
2 · 3^{−5} = 2 · 6 = 12
2 · 3^{−10} = 2(3^{−5})^2 = 12 · 6 = 10
2 · 3^{−15} = 2(3^{−5})^3 = 10 · 6 = 29
2 · 3^{−20} = 2(3^{−5})^4 = 29 · 6 = 19
2 · 3^{−20} = 3^4.
2 = 3^{24}.
ℓ = 24
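An added example (not from the notes): baby-step giant-step as in the table above, solving 3^ℓ = 2 mod 31. It goes slightly beyond the notes by letting i run up to n // m, so every ℓ in 0 .. n − 1 is covered rather than only ℓ < m^2, and it is also applied to 4^L = 3 in the order-41 subgroup of (Z/83)*.

```python
# Added example, not code from the notes. Function names are my own.
from math import isqrt

def baby_step_giant_step(b, a, p, n):
    """Return l with b^l = a (mod p), where b has order n in (Z/p)*, or None."""
    m = isqrt(n)                         # m = floor(sqrt(n))
    baby = {}                            # baby steps: b^j -> j for 0 <= j < m
    for j in range(m):
        baby.setdefault(pow(b, j, p), j)
    b_inv_m = pow(b, -m, p)              # b^{-m} mod p (negative exponent: Python 3.8+)
    gamma = a % p                        # giant steps: a * b^{-m i}, i = 0, 1, 2, ...
    for i in range(n // m + 1):          # i up to n // m covers every l = m*i + j < n
        if gamma in baby:                # a * b^{-m i} = b^j  =>  l = m*i + j
            return (m * i + baby[gamma]) % n
        gamma = gamma * b_inv_m % p
    return None

def giant_step_trace(b, a, p, n):
    """The column 'a * b^{-m i}' of the notes' computation, for inspection."""
    m = isqrt(n)
    b_inv_m = pow(b, -m, p)
    out, gamma = [], a % p
    for _ in range(m):
        out.append(gamma)
        gamma = gamma * b_inv_m % p
    return out

if __name__ == "__main__":
    print(giant_step_trace(3, 2, 31, 30), baby_step_giant_step(3, 2, 31, 30))
```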
Exponential Notation in Groups
G is any group, g is an element in G.
Definition: g^0 = e, g^1 = g, g^2 = g × g. And in general g^k = g × g × · · · × g (k factors).
g^{−1} = inverse of g
g^{−2} = (g^{−1})^2
g^{−k} = (g^{−1})^k
11/17/2005
Pollard – Find Discrete Logs – Factor – (depends on “Birthday Paradox”)
Use Pollard’s Method to factor 5893
Given n (# we want to factor)
Start with x = 2, y = x^2 + 1 = 5.
Compute gcd(x − y, n).
P(23) ≈ 50.7%
Calculate P(n):
P(1) = 0
P(2) = 1/365
$P(3) = 1 - P(\text{All birthdays distinct}) = 1 - \left(\tfrac{364}{365}\right)\left(\tfrac{363}{365}\right) \approx 0.008$
$P(4) = 1 - \left(\tfrac{364}{365}\right)\left(\tfrac{363}{365}\right)\left(\tfrac{362}{365}\right) \approx 0.016$
So,
$P(n) = 1 - P(\text{All birthdays distinct}) = 1 - \frac{364}{365} \cdot \frac{363}{365} \cdots \frac{365 - (n-1)}{365}$
P(n) becomes > 1/2 for moderately small n (roughly n > √N).
What does this have to do with Pollard’s Method?
Given n, set x = 2, y = x^2 + 1. (Here n = 5893; everything is reduced mod n.)
x_1 = 2       y_1 = 5
x_2 = 5       y_2 = 677
x_3 = 26      y_3 = 2756
x_4 = 677     y_4 = 2844
x_5 = 4569    y_5 = 1000
x_6 = 2756    y_6 = . . .
Note: x_{2i} = y_i. Why? Surely, x_2 = x_1^2 + 1 = y_1. If we know x_{2i} = y_i for i < k, let’s evaluate x_{2k}:
$x_{2k} = (x_{2k-1})^2 + 1 = ((x_{2k-2})^2 + 1)^2 + 1 = ((y_{k-1})^2 + 1)^2 + 1 = y_k$
Look at gcd(x − y, n) = g. If 1 < g < n, found a factor of n. Otherwise, replace x by x^2 + 1, y by (y^2 + 1)^2 + 1.
Example: n = 45811
x        y        x − y      gcd(x − y, 45811)
2        5        −3         1
5        677      −672       1
26       2590     −2569      1
677      11289    −2167      1
220      1000     −10612     1
2590                         1
19695                        1
11289                        1
41131                        1
4743     30180    −25437     61
So, gcd(−25437, 45811) = 61.
Note, this is all done modulo 45811.
Why does this work? Suppose (secretly) that d is a factor of n. If we do calculations mod d, how long will it take to get a repeat (x_j = x_i mod d, i < j)? Might take d steps, but the probability of a repeat is greater than 1/2 after about √d steps (birthday paradox).
Why does this mean that gcd(x_k − y_k, n) > 1 for some small k? Showing by example: suppose that x_15 = x_11 mod d. Then x_16 = x_12, x_17 = x_13, etc. That is, if the difference in the subscripts is 4, the x’s will be the same, provided the subscripts are ≥ 11. Similarly, if the difference in subscripts is a multiple of 4, the x’s will be the same. Then x_24 = x_12. So, y_12 = x_12 mod d, so gcd(x_12 − y_12, n) will be at least d.
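An added example (not from the notes): the birthday-paradox probability P(n) from the earlier derivation, and Pollard’s rho factoring with f(x) = x^2 + 1 started at x = 2, y = 5 exactly as in the tables for 5893 and 45811 above; the table function reproduces the (x, y, gcd) rows.

```python
# Added example, not code from the notes. Function names are my own.
from math import gcd

def birthday_collision_prob(n, N=365):
    """P(n) = 1 - (N/N)((N-1)/N)...((N-(n-1))/N): chance of a repeat among n draws."""
    distinct = 1.0
    for k in range(n):
        distinct *= (N - k) / N
    return 1 - distinct

def pollard_rho(n, x0=2):
    """Return a nontrivial factor of n, or None if the walk closes up mod n itself.
    x_i advances one step per round, y_i = x_{2i} advances two (Floyd's cycle
    finding), so a repeat mod a hidden factor d shows up as gcd(x_i - y_i, n) > 1
    after roughly sqrt(d) rounds, as the birthday paradox predicts."""
    f = lambda v: (v * v + 1) % n
    x, y = x0, f(x0)                      # x_1 = 2, y_1 = x_2 = 5
    while True:
        g = gcd(abs(x - y), n)
        if g == n:
            return None                   # x = y mod n: try another starting value
        if g > 1:
            return g
        x, y = f(x), f(f(y))              # x -> x^2 + 1, y -> (y^2 + 1)^2 + 1

def pollard_rho_table(n, x0=2, steps=10):
    """Rows (x_i, y_i, gcd(x_i - y_i, n)) like the notes' table, for inspection."""
    f = lambda v: (v * v + 1) % n
    rows, x, y = [], x0, f(x0)
    for _ in range(steps):
        rows.append((x, y, gcd(abs(x - y), n)))
        x, y = f(x), f(f(y))
    return rows

if __name__ == "__main__":
    print(round(birthday_collision_prob(23), 3), pollard_rho(45811), pollard_rho(5893))
```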
Some Review
G is a group, g is an element of G. Look at {g^0 = e, g^1 = g, g^2, g^3, g^4, . . .}
Question 1: Must there be a repeat? (g^j = g^i, i ≠ j) No. G = positive reals, using multiplication, g = 2.
Question 2: If G is finite, must there be a repeat? Yes, there are only a finite number of possibilities for each g^i, so eventually we will get a g^j = g^i, for some i ≠ j.
Question 3: Suppose there is a repeat. Could the first repeat be g^15 = g^11? No.
g^15 g^{−11} = g^11 g^{−11}
g^4 = g^0
Lesson: the first repeat must be g^k = e, k some non-negative integer.
If g is a primitive root in (Z/101)*, what is k? k = 100. If g is a primitive root, then everything must be covered before there is a repeat.
If g is some element in (Z/101)* and k is the smallest positive number with g^k = 1, what are the possibilities for k? k must be a divisor of |(Z/101)*| = 100. So, 1, 2, 4, 5, 10, 20, 25, 50, 100 are all possibilities.
On test three (From email)
Since we haven’t had much HW lately, I have been asked to list some problems and sections
relevant to the third midterm.
• 16.6 Miller-Rabin Test – You did have HW on this; if you want more exercises, try
16.6.01 and 16.6.06
• Groups Chapter 17 – We spent a fair amount of time discussing groups. One reason we did this was so we could better understand the structure of (Z/p)*, and we need to understand (Z/p)* so we can use discrete logs in ElGamal and Diffie-Hellman. There will not be any proofs on the exam, but you may have to analyze various situations, as you have done on previous exams.
Here are some specific problems to work on:
17.1: 03,04 17.2: 01,05,06,07,09 17.6: 05,09 (don’t do this by checking lots of cases; there is a short, simple explanation),10
• 27.1 Baby step Giant step for discrete logs – 27.1: 01,09,12
In connection with Pollard’s Rho method, we discussed the birthday paradox. See pages
28-30. Suppose there is an experiment which has N equally likely outcomes. If we perform
the experiment n times, we want to know the probability that two or more outcomes will
be the same. The “paradox” is that even when n is much smaller than N , the probability
is quite high. For example, if the experiment is picking a person and asking their birthday
(N = 365), when n = 23 the probability of two people having the same birthday is already
more than 1/2.
11/29/2005
Pollard’s Rho Method for Discrete Logs: Working mod p (prime), given b and c, want to find L such that b^L = c. (L = log_b c)
Say working in some cyclic group G (recall that (Z/p)* is cyclic).
Divide G into three non-overlapping parts S_1, S_2, S_3.
Define a function f : G → G by
$f(x) = \begin{cases} cx & \text{if } x \in S_1 \\ x^2 & \text{if } x \in S_2 \\ bx & \text{if } x \in S_3 \end{cases}$
Each x_i produced this way has the form c^{m_i} b^{n_i}. When x_i = x_j, c^{m_i} b^{n_i} = c^{m_j} b^{n_j}, so b^{n_i − n_j} = c^{m_j − m_i}. With t chosen so that t(m_j − m_i) ≡ 1 mod |G|:
$(b^{n_i - n_j})^t = (c^{m_j - m_i})^t$
$b^{t(n_i - n_j)} = c$, so L = t(n_i − n_j).
Example: p = 83. 2 is a primitive root, so 2 generates the cyclic group (Z/83)* of order 82. Then 2^2 = 4 generates a cyclic subgroup G of (Z/83)*, of order 41. Note: x ∈ G ⟺ x is a square mod 83.
Goal: given c (a square mod 83), solve 4^L = c.
Example: Take c = 3 (OK since 3 is a square mod 83, so 4^L = 3 does have a solution).
Start with x_0 = 3^{m_0} 4^{n_0} = 1. That is, take m_0 = 0, n_0 = 0.
Looking for i and j with x_i = x_j.
Instead, define the sequence {y_i} along with the sequence {x_i} by the rule
y_0 = 1
y_i = f(f(y_{i−1})) = x_{2i}
Write x = 3^{m_x} 4^{n_x} and y = 3^{m_y} 4^{n_y}.
Divide G into three pieces:
S_1 = {1, 4, 7, . . .} ∩ G    f(x) = cx
S_2 = {2, 5, 8, . . .} ∩ G    f(x) = x^2
S_3 = {3, 6, 9, . . .} ∩ G    f(x) = bx
Fill out the table until we get an x value equal to a y value.
x      m_x    n_x    y      m_y    n_y
1      0      0      1      0      0
3      1      0      12     1      1
12     1      1      26     1      3
48     1      2      48     2      7
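An added example (not from the notes): Pollard’s rho for discrete logs with the partition of G by x mod 3 and the x_i / y_i = x_{2i} sequences from the table above, solving 4^L = 3 in the order-41 subgroup of (Z/83)*. The collision x_3 = y_3 = 48 with exponents (1, 2) and (2, 7) gives 3^{1−2} = 4^{7−2}, i.e. L ≡ −5 ≡ 36 mod 41.

```python
# Added example, not code from the notes. Function names are my own.

def pollard_rho_dlog(b, c, p, order):
    """Find L with b^L = c (mod p), b of prime order `order`; returns (L, rounds)."""
    def f(x, m, n):
        # Every x is tracked as c^m * b^n (exponents mod the group order).
        # S1: x = 1 mod 3, S2: x = 2 mod 3, S3: x = 0 mod 3, as in the notes.
        if x % 3 == 1:
            return c * x % p, (m + 1) % order, n                # f(x) = c*x
        if x % 3 == 2:
            return x * x % p, 2 * m % order, 2 * n % order      # f(x) = x^2
        return b * x % p, m, (n + 1) % order                    # f(x) = b*x

    x, mx, nx = 1, 0, 0          # x_0 = c^0 * b^0 = 1
    y, my, ny = 1, 0, 0          # y_i = f(f(y_{i-1})) = x_{2i}
    for rounds in range(1, order + 1):
        x, mx, nx = f(x, mx, nx)
        y, my, ny = f(*f(y, my, ny))
        if x == y:
            # c^mx b^nx = c^my b^ny  =>  c^(mx - my) = b^(ny - nx); with c = b^L:
            #   L * (mx - my) = ny - nx  (mod order)
            d = (mx - my) % order
            if d == 0:
                return None, rounds                             # no information; restart elsewhere
            return (ny - nx) * pow(d, -1, order) % order, rounds
    return None, order

if __name__ == "__main__":
    print(pollard_rho_dlog(4, 3, 83, 41))   # L = 36 after 3 rounds
```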
12/6/2005
Implementation of RSA
Say we want to use two primes of about 100 digits.
100 digits ≈ 333 bits. MSB (most significant bit) is 1, because otherwise it wouldn’t be 333 bits. LSB (least significant bit) is 1, otherwise it would be an even number and not prime. So, we need to pick 331 bits at “random.”
How many ways to do this? 2^331 ≈ 2 · 10^99 (many). So we get a 333 bit number N. Need to know if it’s prime. Use a primality test on this number. Miller-Rabin is in common use. If N is not prime, test N + 2, N + 4, N + 6, . . . until you get a prime p.
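An added example (not from the notes) serving both the Miller-Rabin sections (10/11 and 10/20, with the n = 9, 11, 1001 traces) and the prime-generation recipe just described: one Miller-Rabin round written exactly as the notes state it (b_0 = b^m, then squaring while s < r), k random rounds, and a generator that forces the top and bottom bits and then steps N, N + 2, N + 4, . . . The bit size is a parameter; the test uses a small constructed size.

```python
# Added example, not code from the notes. Function names are my own.
import random

def miller_rabin_trace(n, b):
    """One round with base b: ("composite" | "probably prime", [b0, b1, ...])."""
    r, m = 0, n - 1
    while m % 2 == 0:                 # n - 1 = 2^r * m with m odd
        r, m = r + 1, m // 2
    trace = [pow(b, m, n)]            # b0 = b^m % n
    if trace[0] in (1, n - 1):        # b0 = +-1: stop, probably prime
        return "probably prime", trace
    for _ in range(1, r):             # s = 1 .. r-1: b_s = (b_{s-1})^2 % n
        trace.append(trace[-1] * trace[-1] % n)
        if trace[-1] == n - 1:        # reached -1: probably prime
            return "probably prime", trace
        if trace[-1] == 1:            # 1 with b_{s-1} != +-1: 1 has an extra
            return "composite", trace  # square root mod n, so n is composite
    return "composite", trace         # none of b0 .. b_{r-1} was +-1

def is_probable_prime(n, rounds=20):
    """k rounds with random bases 1 < b < n - 1: error chance at most (1/4)^k."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(miller_rabin_trace(n, random.randrange(2, n - 1))[0] == "probably prime"
               for _ in range(rounds))

def random_prime(bits, rng=None):
    """Random bits between a forced top bit (so the number really has `bits`
    bits) and a forced low bit (so it is odd), then step N, N+2, N+4, ...
    until Miller-Rabin says prime; restart if the search runs past `bits` bits.
    `rng` may be a seeded random.Random for reproducibility."""
    rng = rng or random
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        while n.bit_length() == bits:
            if is_probable_prime(n):
                return n
            n += 2

if __name__ == "__main__":
    print(miller_rabin_trace(1001, 2), random_prime(333).bit_length())
```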
How long will this take? How likely is a large number to be prime?
Prime Number Theorem
Let Π(x) be the number of primes ≤ x. Then,
$\frac{\Pi(x)}{x} \sim \frac{1}{\ln x}$
(We say f(x) ∼ g(x) (f(x) asymptotic to g(x)) if $\lim_{x \to \infty} \frac{f(x)}{g(x)} = 1$.)
Example: If x = 10^100,
$\frac{\Pi(x)}{x} \sim \frac{1}{\ln 10^{100}} = \frac{1}{100 \ln(10)} = \frac{1}{230}$
That is, about 1/230 of the numbers ≤ 10^100 are prime.
Do Better: Estimate the number of primes between x and x + ∆x (= Π(x + ∆x) − Π(x)).
Now $\frac{\Pi(x)}{x} \sim \frac{1}{\ln x}$, so $\Pi(x) \sim \frac{x}{\ln x}$. Thus,
$\Pi(x + \Delta x) \approx \Pi(x) + \left(\frac{x}{\ln x}\right)' \Delta x$
Equivalent to:
$\frac{\Pi(x + \Delta x) - \Pi(x)}{\Delta x} \approx \left(\frac{x}{\ln x}\right)'$
$\left(\frac{x}{\ln x}\right)' = \frac{x' \ln x - x (\ln x)'}{(\ln x)^2} = \frac{\ln x - x/x}{(\ln x)^2} = \frac{\ln x - 1}{(\ln x)^2} \approx \frac{1}{\ln x}$ (for large x)
Thus,
$\Pi(x + \Delta x) \approx \Pi(x) + \frac{\Delta x}{\ln x}$
This says, between x and x + ∆x, there are approximately ∆x / ln x primes. That is, in this range about 1 / ln x of the numbers are prime.
In the range 10^100 to 10^100 + ∆x, about $\frac{1}{\ln(10^{100})} \sim \frac{1}{230}$ of the numbers are prime.
How many times should you apply the Miller-Rabin test to a number until you are “sure” it is prime? Apply once and get “probably prime”: chance of error ≈ 1/4. Apply k times: chance of error = 1/2^{2k}.
Digital Signatures (in RSA context)
Be sure that the source of a message is who it claims to be.
You have P and Q (private). Publish n (= PQ) and encryption exponent e. Only you know the decryption exponent d.
Plaintext → (apply e) → Cyphertext → (apply d) → Plaintext
Goal: when I send you a message, I want to tack on a “digital signature” so you will know that only I could have sent the message.
I have my own RSA implementation with public encryption exponent ē and private decryption exponent d̄.
Signature is d̄(H(plaintext)) for hash function H.
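An added example (not from the notes): hash-then-sign with the signer’s private exponent d̄ and verification with the public ē, as just described. The key p = 1009, q = 1013, e = 17 and the SHA-256 hash are my constructed assumptions (far too small for real use; the notes call for ~333-bit primes).

```python
# Added example, not code from the notes. Key values are constructed for illustration.
import hashlib

P, Q, E = 1009, 1013, 17          # constructed toy signer key (assumption)
N = P * Q                         # published with E
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)               # secret: E*D = 1 mod phi(N)

def H(message: bytes) -> int:
    """Hash the plaintext to an integer below N (the notes' H(plaintext))."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message, d=D, n=N):
    """Signature = d-bar(H(plaintext)): the private exponent applied to the hash."""
    return pow(H(message), d, n)

def verify(message, signature, e=E, n=N):
    """Anyone applies the public exponent; it must recover H(plaintext).
    A changed message or a forged signature fails this equality."""
    return pow(signature, e, n) == H(message)

if __name__ == "__main__":
    msg = b"pay Bob 100"
    s = sign(msg)
    print(s, verify(msg, s), verify(b"pay Bob 1000", s))
```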
12/8/2005
Existence of Primitive Roots in (Z/p)*, p prime.
Look at the polynomial (with coefficients in Z/p)
f(x) = x^{p−1} − 1