U.C. Berkeley — CS276: Cryptography
Lecture 2 – 1/24/2002
Professors Luca Trevisan and David Wagner
Scribe: Jim Chou

1 Another trapdoor function: Rabin's function

Rabin's function is defined as:
• Given a generator $G(n)$, pick two primes $p, q$ each of magnitude $\sim 2^{n/2}$. Let $N = pq$ be the public key.
• Trapdoor information: $p, q$.
• $F(x, N) = x^2 \bmod N$ (not injective); $x \in \mathbb{Z}_N^*$, $x$ a quadratic residue.

We would like to (1) find an inversion algorithm given $p, q$ and (2) show the hardness of inversion given only $N$. We consider these two points in the following subsections.

1.1 Inversion of Rabin's function

Given $a$, we want to find $x$ such that $x^2 \equiv a \pmod N$. If $x^2 \equiv a \pmod N$ admits a solution, then $a$ is called a quadratic residue (and $x$ one of its square roots). In general, if $r^2 \equiv y \pmod N$ then also $(-r)^2 \equiv y \pmod N$.

Now, let us first consider $x^2 \equiv a \pmod p$ for $p$ prime. Modulo a prime $p$, a polynomial of degree $d$ has at most $d$ roots. If there is a solution to $x^2 \equiv a \pmod p$, then there are exactly two square roots, because $r \not\equiv -r \pmod p$. Therefore, $x^2 \equiv a \pmod p$ has either zero or two solutions.

Question: How many quadratic residues are there in $1, 2, \ldots, p-1$?
Answer: $\frac{p-1}{2}$, because every element of $\mathbb{Z}_p^*$ is the root of some quadratic residue, and every quadratic residue has two roots.

There is also a polynomial-time algorithm for finding the roots. Thus, $x^2 \equiv a \pmod N$ is easy to invert when $N$ is prime.

Next, consider the case $x^2 \equiv a \pmod N$ with $N = pq$, $p, q > 2$, $a \neq 0$, $\gcd(a, N) = 1$. There is a solution iff $x^2 \equiv a \pmod p$ and $x^2 \equiv a \pmod q$ both admit solutions. Let us denote the solutions to $x^2 \equiv a \pmod p$ as $r_p, -r_p \in \mathbb{Z}_p$ and the solutions to $x^2 \equiv a \pmod q$ as $r_q, -r_q \in \mathbb{Z}_q$. Then, consider the following four systems: ...
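The inversion described above, as an added worked example that is not part of the lecture notes: square roots modulo a prime via Tonelli-Shanks (the polynomial-time algorithm the notes refer to), then the four CRT combinations of $\pm r_p$ and $\pm r_q$ modulo $N = pq$. The primes 7, 11 and 13 used in the checks are small constructed values, not realistic key sizes; `pow(x, -1, m)` needs Python 3.8+.

```python
# Added example (not from the lecture notes): Rabin's function x -> x^2 mod N
# and its inversion using the trapdoor (p, q). Square roots mod a prime come
# from Tonelli-Shanks; the four roots mod N are the CRT combinations of
# (+-r_p, +-r_q). Primes in the tests are small constructed values.

def sqrt_mod_prime(a, p):
    """Return one r with r^2 = a (mod p), or None if a is a non-residue.
    p is an odd prime and 0 < a < p."""
    if pow(a, (p - 1) // 2, p) != 1:           # Euler's criterion
        return None
    if p % 4 == 3:                              # r = a^((p+1)/4) suffices
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0                             # p - 1 = q * 2^s, q odd
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:     # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                          # least i with t^(2^i) = 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def rabin_forward(x, N):
    """F(x, N) = x^2 mod N."""
    return x * x % N

def rabin_invert(a, p, q):
    """All x in Z_N with x^2 = a (mod N), N = pq, gcd(a, N) = 1.
    Returns [] when a is not a quadratic residue mod N."""
    N = p * q
    rp, rq = sqrt_mod_prime(a % p, p), sqrt_mod_prime(a % q, q)
    if rp is None or rq is None:
        return []
    roots = set()
    for sp in (rp, p - rp):                     # x = +-r_p (mod p)
        for sq in (rq, q - rq):                 # x = +-r_q (mod q)
            # CRT: the unique x mod N with x = sp (mod p), x = sq (mod q)
            x = (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % N
            roots.add(x)
    return sorted(roots)

def count_quadratic_residues(p):
    """Number of quadratic residues in {1, ..., p-1}; equals (p-1)/2."""
    return len({x * x % p for x in range(1, p)})
```

With $N = 77$ and $a = 9$ the four roots are 3, 25, 52 and 74, i.e. $\pm 3$ and the two mixed CRT combinations; without $p, q$ only the squaring direction is cheap.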
- Spring '02