Lecture from: 30.10.2024 | Video: Videos ETHZ

Modular Arithmetics

Addition and Multiplication of Modular Congruences

Let m be a positive integer, and let a, b, c, and d be integers. If and , then:

  1. Addition: .
  2. Multiplication: .

Addition

  • Assumptions: and . This means there exist integers k and l such that and .
  • Adding the Equations: Adding these equations, we get:
  • Conclusion: Since is an integer, we have shown that and have the same remainder when divided by m:

Multiplication

  • Assumptions: and . This means there exist integers k and l such that and .
  • Multiplying the Equations: Multiplying these equations, we get:
  • Conclusion: Since is an integer, we have shown that and have the same remainder when divided by m:

Congruences and Polynomial Expressions in Modular Arithmetic

Let m be a positive integer, and let be a multivariate polynomial in k variables with integer coefficients. If for , then:

Example:

Proof: Evaluating a polynomial involves a sequence of additions and multiplications. We have already established that congruences are preserved under addition and multiplication modulo m:

Lemma: If and , then:

Therefore, in each step of evaluating the polynomial f, the congruence modulo m will be maintained. Since we are performing a sequence of operations that preserve congruences, the final result of evaluating will be congruent modulo m to the final result of evaluating .

The Set of Residues:

The set of residues, denoted by , is a fundamental concept in modular arithmetic.

Definition: The set of residues is the set of possible remainders when integers are divided by m. It consists of the integers from 0 to m-1:

Example:

Lemma:

This lemma states that any integer a is congruent modulo m to its remainder Rm(a) when divided by m.

Proof

By the Division Algorithm, we can write a as , where q is the quotient and is the remainder. Since qm is a multiple of m, it is congruent to 0 modulo m. Therefore, we have:

Lemma:

This lemma establishes a key relationship between modular congruences and remainders: Two integers are congruent modulo m if and only if they have the same remainder when divided by m.

Proof

Forward Direction: If , then by definition there exists an integer k such that . Since km is a multiple of m, it is congruent to 0 modulo m. Therefore, we have: This implies that a and b have the same remainder when divided by m:

Reverse Direction: If , then by the Division Algorithm, we can write a as and b as . Since , we have: Subtracting the second equation from the first, we get:

Therefore, is a multiple of m, which implies that .

Modular Arithmetic with Polynomials (Corollary 4.17)

This corollary provides a powerful tool for simplifying computations involving polynomials in modular arithmetic. It states that for a multivariate polynomial with integer coefficients, and , the remainder of when divided by is the same as the remainder of when divided by .

In other words, we can replace each variable in the polynomial with its remainder modulo before evaluating the polynomial, and the result will have the same remainder when divided by .

Formal Statement:

Let be a multi-variate polynomial in variables with integer coefficients, and let . Then:

Proof:

The proof of this corollary follows directly from the properties of modular congruences and the fact that polynomial evaluation involves a sequence of additions and multiplications.

  1. Congruence Preservation: We know that if , then and . This means congruences are preserved under both addition and multiplication modulo .
  2. Remainders and Congruences: We have previously established that for all .
  3. Applying Congruence Preservation: Since each term in the polynomial is a sum and/or product of the variables, we can repeatedly apply the property of congruence preservation to replace each with its corresponding remainder . This will lead to a new expression congruent modulo to the original expression.
  4. Resulting Remainder: Since the final expression is congruent modulo to the original, they have the same remainder when divided by . This means the remainder of is equal to the remainder of when divided by .

Example:

Let’s consider the polynomial , and we want to find the remainder when is divided by 5.

  1. Replace with Remainders: and .
  2. Evaluate with Remainders: .
  3. Final Remainder: .

Therefore, the remainder when is divided by 5 is 3.

Another Example:

This corollary is a crucial tool for simplifying calculations involving polynomials in modular arithmetic. It allows us to work with smaller numbers (remainders) instead of large numbers, significantly reducing the complexity of computations. This is particularly helpful when dealing with large numbers or repeated calculations.

Diffie-Hellman Key Exchange

The Diffie-Hellman (DH) key exchange, a groundbreaking achievement in cryptography, revolutionized secure communication by solving a fundamental problem: how to establish a shared secret key over an insecure channel. Before its invention, secure communication relied on pre-shared secrets, requiring a secure channel for key distribution—a major logistical hurdle, especially in wartime scenarios like WWII and even into the 1970s. This challenge persists today: how can we securely connect to a server over the insecure internet?

Diffie and Hellman’s ingenious solution, introduced in their landmark 1976 paper, leverages modular arithmetic and the concept of one-way functions, allowing two parties to generate a shared secret key without ever exchanging it directly. This seemingly paradoxical achievement remains impactful even today, particularly in a world where the National Security Agency (NSA) and other powerful entities constantly seek to intercept and decipher communications.

One-Way Functions

Central to DH is the concept of a one-way function. A one-way function, , is computationally efficient to compute in the forward direction (finding for any ), but computationally infeasible to invert (finding given ). A one-way function need not be injective ; multiple elements in can map to the same element in . The crucial property is the difficulty of inverting the function.

Formally, a function is considered one-way if there is no known algorithm with polynomial runtime complexity that can compute its inverse. This means the computational effort required to invert the function grows exponentially with the input size, making it practically impossible for large inputs. Even for hypothetical adversaries like the NSA with their advanced computing power, inverting a well-designed one-way function remains a formidable challenge.

Modular Arithmetic and the Discrete Logarithm Problem

Diffie and Hellman’s groundbreaking work leveraged modular arithmetic, specifically exponentiation modulo a large prime number , as a candidate one-way function. Let’s illustrate with a simplified example using .

For certain values (called generators or primitive roots, like in our example), the function generates all elements from to as varies. This forms a cyclic group. Calculating given , , and is computationally efficient using algorithms like “square-and-multiply.” However, finding given , , and (the Discrete Logarithm Problem or DLP) is computationally hard for large primes, forming the basis of DH’s security. This difficulty of inverting the modular exponentiation function makes it very challenging for even the most sophisticated adversaries, including those with the resources of the NSA, to break the DH protocol.

The Diffie-Hellman Protocol: Secure Key Establishment

The DH protocol allows Alice and Bob to establish a shared secret key as follows:

  1. Public Parameter Agreement: Alice and Bob publicly agree on a large prime and a generator .

  2. Private Key Generation: Alice chooses a secret random integer and Bob chooses a secret random integer .

  3. Public Key Computation: Alice computes and Bob computes .

  4. Public Key Exchange: Alice sends to Bob, and Bob sends to Alice. This exchange happens over the insecure channel. While the NSA or other eavesdroppers can intercept this information, it’s insufficient to compromise the security of the protocol.

  5. Shared Secret Calculation:

  • Alice computes .
  • Bob computes .

Both Alice and Bob now share the secret key without ever directly transmitting it. An eavesdropper, knowing , , , and , faces the computationally hard DLP to determine or , and thus, . Even with the resources of the NSA, this task is practically impossible for appropriately chosen large primes .

Beyond Primes and the Quantum Threat

The DH principle extends beyond modular arithmetic with primes ; any group with suitable properties can be used. Elliptic Curve Diffie-Hellman (ECDH) offers similar security with smaller key sizes, making it more practical for certain applications. However, both DH and ECDH are vulnerable to quantum computers running Shor’s algorithm, motivating research into post-quantum cryptography.

Prime Generation and Computational Hardness

Generating large prime numbers is crucial for DH security. Algorithms like the one developed by our beloved professor Ueli Maurer offer efficient prime generation, ensuring the difficulty of the DLP and thus the robustness of the DH protocol. The fundamental assumption of DH’s security is the computational hardness of the DLP, an assumption that is constantly being tested and refined.

Reduction and the Diffie-Hellman Problem

The Diffie-Hellman Problem (DHP) asks whether, given and , it’s feasible to compute . The DHP is computationally equivalent to the DLP ; an efficient solution to one implies an efficient solution to the other. This equivalence highlights the close relationship between the two problems and underscores the difficulty of both. If the NSA had a service that could efficiently compute given and , it would likely imply that they had also found a way to efficiently solve the DLP.

Decisional Diffie-Hellman (DDH)

The Decisional Diffie-Hellman (DDH) problem further explores the hardness of distinguishing from a random value. It asks: given , , and a candidate , can we efficiently determine if is the correct shared secret or a randomly generated value? This problem is believed to be difficult, even for an organization like the NSA.

Imagine, for example, that the NSA had a service that could efficiently crack DH and provide you with given and . Could you verify that this is indeed a valid key? Solving the DDH problem would allow you to do exactly that, potentially undermining the security of the DH protocol.

Practical Security Concerns and Extensions

While DH offers strong theoretical security, practical implementations must consider vulnerabilities like man-in-the-middle attacks. An attacker could intercept the exchange of public keys, pretending to be both Alice and Bob, and establish separate shared secrets with each party. This allows the attacker to decrypt and modify the communication between Alice and Bob without their knowledge.

Authentication mechanisms, such as digital signatures and certificates, are crucial for mitigating these attacks and ensuring the secure deployment of DH. These mechanisms provide a way to verify the authenticity of the parties involved in the key exchange, making it much more difficult for attackers to impersonate legitimate users.

Multiplicative Inverses

The concept of a multiplicative inverse is crucial in modular arithmetic, particularly in the context of solving modular equations. Given an integer and a modulus , the multiplicative inverse of modulo is an integer that satisfies the congruence:

In simpler terms, finding the multiplicative inverse of modulo means finding a number such that when you multiply and and take the remainder upon division by , you get 1.

Existence and Uniqueness:

Not every number has a multiplicative inverse modulo . The existence and uniqueness of the inverse depend on the greatest common divisor (GCD) of and .

Lemma 4.18 states that the congruence equation has a solution in if and only if . Furthermore, the solution is unique.

Proof:

  • () If satisfies , then for some integer . Note that divides both and , hence also , which is 1. Thus .
  • () Assume now that . According to Corollary 4.5 there exist integers and such that . Since we have . Hence is a solution in , and thus is a solution in .

To prove uniqueness of in , suppose there is another solution in . Then , thus and hence divides . Since , must divide . Therefore and hence .

Definition 4.9: If , the unique solution to the congruence equation is called the multiplicative inverse of modulo . One also uses the notation or .

Calculating the Multiplicative Inverse using the Extended Euclidean Algorithm

The extended Euclidean algorithm is a powerful tool for calculating multiplicative inverses. Given integers and , it finds integers and such that .

  1. Apply the Extended Euclidean Algorithm: Apply the extended Euclidean algorithm to and . If the gcd is 1, the algorithm produces integers and such that .
  2. The Inverse: The integer is the multiplicative inverse of modulo . If is negative, you can add to it until you get a positive representative.

Example: Find the inverse of 5 modulo 11.

  1. Extended Euclidean Algorithm:
    • Rearranging:
  2. The Inverse: From the equation , we see that . Thus, is the inverse. To get a positive representative, add 11: . So, . Check: , so .

The Chinese Remainder Theorem

The Chinese Remainder Theorem (CRT) provides a method for solving systems of congruences, where we seek a single integer that satisfies multiple congruences with different moduli.

The Essence of the CRT:

The CRT states that if we have a system of congruences:

where are pairwise relatively prime integers (their greatest common divisors are all 1), and are any integers, then this system has a unique solution satisfying , where .

Theorem 4.19: Let be pairwise relatively prime integers and let . For every list with for , the system of congruence equations

for has a unique solution satisfying .

Proof: Let . Hence because every factor (where ) of is relatively prime to and thus so is . Thus there exists an satisfying

Note that for all we have and thus Therefore for all . Hence the integer defined by satisfies all the congruences. In order to prove uniqueness, observe that for two solutions and , for all , i.e., is a multiple of all the and hence of . Thus .

Continue here: 14 Algebraic Structures and Operations, Monoids, Inverses, Groups, Group Properties, Landscape of Groups