NumTheory

About This Presentation

Title:

NumTheory

Description:

The material will try to cover ideas of primality (how do we determine ... If a | b, then either |a| |b| or b = 0. This implies that a | b and b | a = a = b. ... – PowerPoint PPT presentation

Number of Views:123

Avg rating:3.0/5.0

Slides: 78

Provided by: giampier

Category:

Tags: numtheory | bb

more less

Transcript and Presenter's Notes

Title: NumTheory

1
NumTheory

This set of lectures will introduce the
mathematics necessary to understand, and
implement, the RSA encryption algorithm. The
methods and results are applicable to most
encryption systems.
The material will try to cover ideas of primality
(how do we determine that a number is prime?) of
solutions of equations in finite fields (solve ax
b (mod n)) - actually just division rings,
thats what makes decryption hard compute the
results of raising a large integer to a large
exponent mod another large integer and other
necessary ideas.
Large input large integer many bits (n gt 100)
to represent it.
Polytime Algorithm runs in time polynomial in
the number of bits

2
NumTheory

Operations on integers can no longer be swept
under the rug their cost is NOT constant, but
depends on the number of bits.
The sum of n1 and n2 has cost O(max(lg n1, lg
n2)).
Multiplication of n1 and n2 has cost
Division and remainder have costs similar to
multiplication, using naïve algorithms.
It is possible to come up with more efficient
algorithms for multiplication
We will not pursue them here.

3
NumTheory

Def. Z , -2, -1, 0, 1, 2, N 0, 1, 2,
.
Def. d a (d divides a) ltgt a kd for some
integer k.
Claims
every integer divides 0.
If a gt 0 and d a, then d a.
If d a we say a is a multiple of d.
If d a and d 0, we say d is a divisor of a.
d a ltgt - d a.
A divisor of a is at least 1 but not gt a.
Every integer a is divisible by 1 and a (trivial
divisors).
Nontrivial divisors are called factors.

4
NumTheory

Primes and composites.
Def. any integer a gt 1 whose only divisors are
the trivial divisors 1 and a is said to be prime.
Any integer a gt 1 which is not prime is said to
be composite.
Theorem 31.1. For any integer a and any positive
integer n, there are unique integers q and r such
that 0 r lt n and a qn r.
Proof. Omitted - see ref. given in text. You
could start with a 0, then move to 0 lt a lt n,
then on to a n, further to a gt n, and finally
conclude with a lt 0.

5
NumTheory

Def. the value is the quotient of
the division.
Def. the value r a mod n is the remainder or
residue of the division.
n a ltgt a mod n 0.
Def. is the
equivalence class modulo n containing the integer
a. Sometimes we use Zn an 0 a lt n
sometimes we may use Zn 0, 1, , n-1.
Keep track and dont get lost.

6
NumTheory

Common Divisors and GCDs. If d a and d b,
the d is a common divisor of a and b.
Properties
d a and d b gt d (a b) and d (a - b).
More generally d a and d b gt d (ax by)
for any integers x and y.
If a b, then either a b or b 0. This
implies that a b and b a gt a b.
Def. gcd(a, b) for a, b integers, not both
zero, is the largest of the common divisors of a
and b.
Note gcd(0, 9) 9. gcd(0, 0) 0 (by
definition).

7
NumTheory

Properties of the gcd.
a, b not both 0, 1 gcd(a, b) min(a, b).
gcd(a, b) gcd(b, a)
gcd(a, b) gcd(-a, b)
gcd(a, b) gcd(a, b)
gcd(a, 0) a
gcd(a, ka) a for any k in Z.

8
NumTheory

Theorem 31.2. Let a and b be integers, not both
0. Then gcd(a, b) is the smallest positive
element of the set of
linear combinations of a and b.
Proof. Let s be the smallest positive linear
combination of a and b, s ax by for some
. Let The arithmetic of floors (p.
51) gives
a linear combination of a and b. Also, a mod s lt
s implies that a mod s 0, since s is, by
construction, the smallest positive such linear
combination. This gives that s a. An identical
chain gives s b. Thus s is a divisor of both a
and b, implying that gcd(a, b) s.

9
NumTheory

By prop. 2 on slide 6, gcd(a, b) s gcd(a, b)
divides both a and b, and s is a linear
combination of a and b. By prop. 2 on slide 3,
gcd(a, b) s. Combining both inequalities gcd(a,
b) s. Q.E.D.
A number of quick corollaries follow.
Corollary 31.3. For any integers a and b, d a
and d b gt d gcd(a, b).
Corollary 31.4. For all integers a and b, and any
nonnegative integer n, gcd(an, bn) ngcd(a, b).
Corollary 31.5. For all positive integers n, a
and b, n ab and gcd(n, a) 1 gt nb.

10
NumTheory

Relatively Prime Integers.
Def. Two integers a and b are relatively prime
ltgt gcd(a, b) 1.
Theorem 31.6. For any integers a, b and p,
gcd(a, p) 1 and gcd(b, p) 1 gt gcd(ab, p)
1.
Proof. Thm. 31.2 gt there exist integers x, y,
x, y, s.t. ax py 1, bx py 1.
Multiplying (products of equals give equals) and
rearranging ab(xx) p(ybx yax pyy)
1. Since we have shown 1 to be a (positive)
linear combination of ab and p, Thm. 31.2 gt
gcd(ab, p) 1.
Def. integers n1, n2, ,nk are pairwise
relatively prime if i ? j gt gcd(ni, nj) 1.

11
NumTheory

Theorem 31.7. For all primes p and all integers
a, b, p ab gt p a or p b or both.
Proof. By contradiction. Assume p ab but p does
not divide either a or b. Then gcd(a, p)
gcd(b, p) 1. Thm. 31.6 gt gcd(ab, p) 1,
contradicting the assumption pab, since pab gt
gcd(ab, p) p.
Theorem 31.8. A composite integer a can be
written in exactly one way as a product of the
form where the pi are prime. p1 lt p2 lt lt pr,
and the ei are positive integers.
Proof. Omitted - see any Elementary Number Theory
textbook. Or go to the web

12
NumTheory

GCD. We need an efficient algorithm for the
computation of the gcd of two positive integers
and we now turn to this task. If we could factor
two integers into their unique prime
factorizations, then we could retrieve the gcd
quite easily
Unfortunately, we have NO quick algorithms (
polytime) for deriving the unique factorizations
of integers. As it turns out, fortunately,
computing the gcd of two integers is quite bit
simpler.

13
NumTheory

Theorem 31.9. (GCD Recursion Theorem) For any
nonnegative integer a and positive integer b,
gcd(a, b) gcd(b, a mod b).
Proof. We will show that gcd(a, b) gcd(b, a mod
b) and that gcd(b, a mod b) gcd(a, b). Being
both non-negative, they must then be equal.
gcd(a, b) gcd(b, a mod b). Clearly, gcd(a, b)
a and gcd(a, b) b. Also, (a mod b) a - qb,
where We have just written (a mod b)
as a linear combination of a and b, which implies
that gcd(a, b) (a mod b). Since, also, gcd(a,
b) b, Corollary 31.3 gt gcd(a, b) gcd(b, a
mod b).
gcd(b, a mod b) gcd(a, b). Let d gcd(b, a
mod b). Then d b and d (a mod b). Since a
qb (a mod b), with

14
NumTheory

a is a linear combination of b and (a mod b).
Then d a. Since it already divided b, it must
divide gcd(a, b).
The two numbers must then be the same, since they
divide each other. QED.
Euclids Algorithm (300 BCE or earlier).
Euclid(a, b) // a, b arbitrary nonnegative
integers
if b 0
then return a
else return Euclid(b, a mod b)
Ex E(30, 21) E(21, 9) E(9, 3) E(3, 0) 3.

15
NumTheory

(define Euclid
(lambda (a b)
(cond (( b 0) a)
(t (Euclid b (modulo a b))))))
gt (Euclid 2004 3007)
1
gt (Euclid 2004 3006)
1002
gt (Euclid
399329365943301336627648219299564142176550525332
1274299487403
182936264887895880284594206658830546140958201871
358425476529)
1

16
NumTheory

Correctness of Euclid(). Thm. 31.9 tells us that
the recursive steps are correct, since they dont
change the successive gcds. The termination step
occurs when we are trying to compute gdc(a, 0).
But gcd(a, 0) a a, and the result follows.
We mentioned earlier that no efficient algorithms
for the computation of the prime divisors of a
given integer exist - at this moment, anyway.
What can we say about the efficiency of the
Euclidean Algorithm for the computation of the
gcd?

17
NumTheory

We assume a gt b 0. If not the algorithm just
adds a recursive call with the arguments
exchanged, so we end up in the desired
configuration. Fk is the kth Fibonacci number.
Lemma 31.10. If a gt b 1, and the invocation
Euclid(a, b) performs k calls, then a Fk2 and
b Fk1.
Proof. By induction on k.
Base Case. Let k 1. Since b 1, and F2 1,
b F2 Fk1. a gt b gt a 2 F3 gt a Fk2.
Induction assumption. Assume the lemma is true if
k - 1 recursive calls have been made.
Induction Step. Prove lemma true after k
recursive calls have been made.

18
NumTheory

Since k gt 0, we must have b gt 0, and thus
Euclid(a, b) must call Euclid(b, a mod b)
recursively, which now makes k - 1 recursive
calls. By the inductive hypothesis, b Fk1,
and (a mod b) Fk. We now have the chain of
equalities and inequalities
QED
Theorem 31.11. (Lames Theorem) For any integer k
1, if a gt b 1 and b lt Fk1, then the call
Euclid(a, b) makes fewer than k recursive calls.
Proof. Obvious from the previous Lemma.

19
NumTheory

That this is a best bound follows from the
observation that
gcd(Fk1, Fk) gcd(Fk, (Fk1 mod Fk)
gcd(Fk, Fk-1).
We can also observe that where
is the golden ratio. This
allows us to conclude that the number of
recursive calls to Euclid(a, b) is O(lg b). In
terms of two -bit numbers, there will be O(
) arithmetic operations and - bit
operations (assuming costs for
multiplication and division).
The current form of the Euclidean algorithm is
not ideal for our uses.

20
NumTheory

The Extended Euclidean Algorithm will compute
both the gcd and the coefficients in the linear
combination giving rise to the gcd d gcd(a, b)
xa yb.
Extended-Euclid(a, b)
if b 0
then return (a, 1, 0)
(d, x, y) lt-- Extended-Euclid(b, a mod b)
(d, x, y) lt-- (d, y, x - floor(a/b)y)
return (d, x, y)
We must prove the algorithm correct.

21
NumTheory

Example. The recursive calls follow one another
to the last line, returning (3, 1, 0), with d
3, x 1, y 0.
The successive returns involve the computations

(d, x, y) lt-- (d, y, x - floor(a/b)y) where
(a, b) are the parameters at entry. (3, 1, 0) --gt
(3, 0, 1 - 20) (3, 0, 1) --gt (3,
1, 0 - 21) (3, 1, -2) --gt (3, -2,
1 - 1(-2)) (3, -2, 3) --gt (3, 3,
-2 - 33) (3, 3, -11) --gt (3, -11,
3 - 1(-11)) (3, -11, 14)
22
NumTheory

Correctness. After computing gcd(a, b), the
algorithm computes, at each stage of the
recursion, the coefficients that give the gcd as
a linear combination of the incoming parameters,
given their values from the calling level of the
recursion. This is an induction at level 0 we
have a gt 0, b 0, d a, x 1, y 0, and d
xa yb a is correct. At any higher level we
have d d xb y(a mod b) - where a and
(a mod b) are the parameters passed down to the
next recursion. Then
d d xb y(a mod b) xb y(a -
floor(a/b)b)
ya (x - yfloor(a/b))b
so that y and (x - yfloor(a/b)) are indeed
the coefficients in terms of the incoming
parameters.

23
NumTheory

Pass the computed values back up, along with the
(unchanged) value for the gcd.
The number of calls is exactly the same as that
for the standard Euclidean algorithm O(lg b) for
a gt b gt 0.
Note, furthermore, that Euclid() is naturally
tail-recursive, while Extended-Euclid is not.

24
NumTheory

Scheme Code
(define Ext-Euclid (lambda (a b)
(cond (( b 0) (cons a '(1 0)))
(t (let ((res (Ext-Euclid b (modulo a
b)))
(d (car res))
(x (caddr res))
(y (- (cadr res) ( x (floor (/ a
b))))))
(,d ,x ,y)))))) (cons d (cons x (cons y
'())))
gt (Ext-Euclid 325 777)
(1 208 -87)
gt (modulo ( 208 325) 777)
1

25
NumTheory

Modular Arithmetic. One of the problems we must
solve is due to the fact that raising large
numbers to large powers would have two effects
the storage space required would be, for all
practical purposes, infinite the time required
would be, for all practical purposes, infinite.
The second problem can be solved by clever
algorithms - and well see how to solve it later
the first problem is solved via the observation
that no REALLY large numbers need be involved
all operations need only be carried out within
the context of modular arithmetic with numbers of
no more than a few hundreds of binary digits in
length. Well see the application details later
- we study modular arithmetic now

26
NumTheory

Finite Groups. A group is a set S
together with a binary operation defined on S
for which the following properties hold
Closure
Identity
Associativity
Inverses For each
If a group S satisfies the commutative law
the group is said to be abelian. If
the group is said to be finite.

27
NumTheory

Examples groups of integers modulo n.
Additive group Z6. Multiplicative
group Z15

28
NumTheory

Zn set of integers modulo n.
Operations addition () and multiplication ().
We define them as
an n bn a bn an n bn
abn,
where we use the standard integer operations on
elements of the equivalence class to compute an
integer in the equivalence class, and then revert
to the equivalence class.
With n, we have the additive group modulo n (Zn
, n).
Theorem 31.12. (Zn , n) is an abelian group.
Proof. You need to show that properties 1) - 4)
are satisfied and that commutativity is also
satisfied. The additive inverse of k is n - k.

29
NumTheory

The multiplicative group (Zn, n) consists of
only those elements of Zn which are relatively
prime to n the others do not have multiplicative
inverses.
Theorem 31.13. (Zn, n) is a finite abelian
group.Proof. Most properties are easy to check,
except for the existence and uniqueness of the
multiplicative inverse. This is where the
extended euclidean algorithm comes in handy.
Given an, let a be any element of the
equivalence class. Let (d, x, y) be the output of
Extended-Euclid(a, n). Since a and n are
relatively prime, d gcd(a, n) 1 xa
yn ltgt Thus xn is a multiplicative inverse
of an, modulo n.

30
NumTheory

The Euler phi function. The size (cardinality)
of Zn (Zn, n) is denoted by
where p runs over all the primes dividing n. It
can be easily seen that, if n is a prime, the
size of Zn is exactly n - 1. The size of Z15 is
given by
which we can also check from the table on slide
25. No proof that the phi-function computes the
cardinality of Zn will be provided.

31
NumTheory

Subgroups. If is a group, and
is also a group, then is said to
be a subgroup of
Theorem 31.14. If is a finite
group, and such that,
then is a subgroup of .
Proof. Exercise. Note the result is NOT true
for infinite groups the positive even integers
are closed under addition, but they are NOT a
subgroup of the integers.
Corollary 31.15. (Lagranges Theorem) If
is a finite group, and is a subgroup of
, then S is a divisor of S.
Proof. See http//members.tripod.com/dogschool/l
agrange.html

32
NumTheory

Def. A subgroup S of S is said to be a proper
subgroup if S ? S.
Corollary 31.16. If S is a proper subgroup of a
group S, then S S/2.

33
NumTheory

Subgroups generated by an element.
Let a be an element of a finite group S.
Define , where the sum is taken k
times.
Ex.
Z6 a 2 gt a(1) 2, a(2) 4, a(3) 0, a(4)
2,
Zn a(k) ka mod n
Zn a(k) ak mod n.
Def. the subgroup generated by a ltagt a(k)
k 1.
a is said to generate ltagt, or to be a generator
of ltagt.

34
NumTheory

Properties.
S finite gt ltagt finite.
associative gt gt ltagt
is closed gt ltagt is a subgroup of S.
Ex.
Z6 lt0gt 0 lt1gt 0, 1, 2, 3, 4, 5 lt2gt
0, 2, 4.
Z7 lt1gt 1 lt2gt 1, 2, 4 lt3gt 1, 2, 3,
4, 5, 6.
Def. the order of a in the group S, ord(a), is
the smallest positive integer t such that a(t)
e.

35
NumTheory

Theorem 31.17. For any finite group and
any , ord(a) ltagt.
Proof. Let t ord(a). a(t) e gt
, for k 1.
If i gt t, then a(i) a(j) for some j lt i no new
elements. So ltagt a(1), a(2), , a(t) and
ltagt t.
To prove the opposite inequality, assume that
ltagt lt t. Then at least two of the elements
a(1), a(2), , a(t) must be the same a(i) a(j)
for some 1 i lt j t. Then a(ik) a(jk) for
all k 0. Replacing k by t-j, we have
a(i(t-j)) a(j(t-j)) e, which contradicts the
assumption that t is the order of a i(t-j) lt t.
So all elements in a(1), a(2), , a(t) must be
distinct, and the conclusion follows.

36
NumTheory

Corollary 31.18. The sequence a(1), a(2), ,
a(t), is periodic with period t ord(a)
We can now think of a(0) e, a(i) a(i mod t).
Corollary 31.19. If is a finite group
with identity e, then, for all , a(S)
e.
Proof. Lagranges Theorem implies ord(a) S,
so where t ord(a). Thus a(S)
a(0) e.

37
NumTheory

Modular linear equations.
Find the solutions of the equation
where a gt 0 and n gt 0.
Application finding keys in the RSA public key
cryptosystem.
Assume a, b, n to be given. Find all x (if any)
that satisfy the equation.

38
NumTheory

Lagranges Theorem gives some immediate results
let ltagt denote the (additive) subgroup of Zn
generated by a. Observe that ltagt a(x) x gt 0
ax mod n x gt 0. We can conclude (from
Lagranges Theorem) that ltagt must be a divisor
of n.
Theorem 31.20. For any positive integers a and
n, if d gcd(a, n), then
ltagt ltdgt 0, d, 2d, , ((n/d) - 1)d, in Zn
and thus ltagt n/d.
Proof. We will show that

39
NumTheory

Start by showing Extended-Euclid(a,
n) produces integers x and y s.t. ax ny
d. This implies that which, in
turn, implies that Then, every multiple of d
is in ltagt, since every multiple of a multiple of
a is a multiple of a. So all multiples of d are
in ltagt. The first result follows.
To show that assume Then m
ax (mod n) for some integer x, and m ax ny
for some integer y. But da and dn, so that
dm, which implies
Combining, we have that Since
there are exactly n/d multiples of d between 0
and n-1 inclusive, we must have that ltagt n/d.

40
NumTheory

Corollary 31.21. The equation
is solvable for the unknown x ltgt gcd(a, n)
b.
Corollary 31.22. The equation
either has d gcd(a, n) distinct solutions
modulo n, or it has no solutions.
Proof. If has a solution,
then By Theorem 31.17, ord(a)
ltagt and so (by Cor. 31.18 and Thm. 31.20), the
sequence ai (mod n) i 0, 1, is periodic
with period ltagt n/d. If , then b
appears exactly d times in the sequence ai (mod
n) i 0, 1, , n-1, since the length-(n/d)
block of values ltagt is repeated exactly d times
as i increases from 0 to n-1. The indices x of
the d positions for which ax (mod n) b are the
solutions of the equation .

41
NumTheory

Theorem 31.23. Let d gcd(a, n), d ax ny
for some inetegers x, y. If db, then
has as one of its solution the
value x0 x(b/d) mod n.
Proof.
and thus x0 is the desired solution.

42
NumTheory

Theorem 31.24. If is
solvable (db, where d gcd(a, n)), and x0 is
any solution to this equation, then the equation
has exactly d distinct solutions, mod n, given by
xi x0 i(n/d) for i 0, 1, , d-1.
Proof. n/d gt 0 and 0 i(n/d) lt n for i 0, 1,
, d-1, gt x0, x1, , xd-1 are all distinct, mod
n. For i 0, 1, , d-1, we have
so that xi is a solution, too. Cor. 31.22 gt
there are exactly d solutions so x0, x1, , xd-1
must be all of them.

43
NumTheory

Now to construct them.
Modular-Linear-Equation-Solver(a, b, n)
(d, x, y) lt- Extended-Euclid(a, n)
if d b
then x0 lt- x(b/d) mod n
for i lt- 0 to d - 1
do print (x0 i(n/d)) mod n
else print no solutions

44
NumTheory

(define Mod-Lin-Eq-Solver
(lambda (a b n)
(let ((res (Ext-Euclid a n))
(d (car res)))
(if ( (modulo b (car res)) 0)
(let ((x0 (modulo ( (cadr res) (/ b (car
res))) n)))
(define Solns
(lambda (index)
(if (lt index d)
(cons (modulo ( x0 ( index (/ n d)))
n)
(Solns ( index 1)))
())))
(Solns 0))
'()))))
(Mod-Lin-Eq-Solver 14 30 100)
(95 45)

45
NumTheory

Time Complexity the computation of d, x and y
takes time O(lg n). The loop in the if statement
takes time O(gcd(a, n)). Total O(lg n gcd(a,
n)).
Corollary 31.25. For any n gt 1, if gcd(a, n) 1,
then the equation has a
unique solution, modulo n.
Corollary 31.26. For any n gt 1, if gcd(a, n) 1,
then the equation has a
unique solution, modulo n. Otherwise, it has no
solution.
Note if a and n are relatively prime, a has a
multiplicative inverse, modulo n.

46
NumTheory

The existence of a unique solution would be
obvious if we were working within a field - but
RSA requires just a ring, not even an integral
domain. The result says that all we need is to
make sure that the element of the ring Zn chosen
is relatively prime wrt to the order of the
generator relative primality suffices for unique
multiplicative inverses.
Furthermore, the inverse can be computed
efficiently by means of the Extended Euclidean
algorithm
O(lg n gcd(a, n)).

47
NumTheory

The Chinese Remainder Theorem. This theorem
provides a correspondence between a set of
equations modulo a set of parwise relatively
prime (integer) moduli and an equation modulo
their product.
It is, essentially, a structure theorem
where the correspondence is based on
componentwise addition and multiplication modulo
ni.
Note that we do not need the nis to be prime,
just pairwise relatively prime.

48
NumTheory

Theorem 31.27. Let n n1 n2 nk, where the ni
are pairwise relatively prime. Consider the
correspondence for i 1, 2, , k. Then
the mapping is a 1-to-1
correspondence between Zn and
The operations correspond as follows

49
NumTheory

Proof. We need to provide a way to go from one
representation to the other
, and showing that the operations carry over
in the way indicated. The transformation
is quite easy simply use ai a
mod ni.
Going backward ( ) is a
bit more complicated. We start by defining
quantities mi n/ni n1 n2 ni-1 ni1 nk,
and then ci mi (mi-1 mod ni), which are always
well-defined since mi and ni are relatively prime
by definition of mi. We can now construct a in
terms of the ai and ci as
This, clearly, provides a mapping in both
directions. We need to show it is the correct
mapping.

50
NumTheory

We need to show that the construction produces a
number a that satisfies
Note that and that We
have the correspondence where the single 1
occurs in the ith coordinate. For each i we
have
Exactly as we wished to show.
We still need to complete the proof that the
correspondence is 1-to-1. This will be complete
if we can show that the chain

51
NumTheory

allows the conclusion that
We leave the details to the student.
The main thing is that we now have a way of
reconstructing an equivalence class in Zn as soon
as we have the corresponding equivalence classes
for any decomposition of n into a product of
relatively prime integers.

52
NumTheory

Corollary 31.28. If n1, n2, , nk are pairwise
relatively prime and n n1n2nk, then, for any
integers a1, a2, , ak, the set of simultaneous
equations for i 1, 2, ,
k, has a unique solution modulo n for the unknown
x.
Corollary 31.29. If n1, n2, , nk are pairwise
relatively prime and n n1n2nk, then, for all
integers x and a,

53
NumTheory

Example.
Given the two equations what is a mod
65? Note that 65 513.
The table of moduli wrt 5 and 13 for all integers
in Z65.

54
NumTheory

Knowing that
find a mod 65.
We have
a1 2, n1 5 , m1 n/n1 13,
a2 3, n2 13, m2 n/n2 5.
We can compute

55
NumTheory

We can just choose to work mod n OR mod ni - for
a set of (smaller than n) relatively prime
factors whose product is n. Under a number of
conditions, the latter choice may be preferable
the bit representations of the numbers may be
kept smaller, allowing us to use more efficient
storage and, possibly, algorithms.

56
NumTheory

Powers of an Element. The RSA algorithm requires
the taking of very large powers or very large
numbers, modulo some other very large numbers.
We now look at some of the ideas and problems
behind this task.
We are going to be concerned with the behavior of
elements of rings of integers modulo an integer,
and of the multiplicative groups Zn.
Theorem 31.30. (Eulers Theorem) For any
integer n gt 1,
Proof. Recall the Euler Phi-function

57
NumTheory

The function gives the cardinality of Zn, and
Corollary 31.19 proved that, for every
Theorem 31.31. (Fermats Theorem) If p is prime,
then
Proof. This is simply a specialization of the
previous theorem to the case n a prime. Note that
Fermat lived approximately a century before
Euler.

58
NumTheory

Some notes towards non-primality.
We will need to come up with fast computational
methods to determine whether a given number is
composite - and we cannot just try all primes
less than the square root of the number. The
results in the next few slides give some ideas on
what kind of different directions one might take.

59
NumTheory

Def. if ord(g) Zn, then every element of
Zn is a power of g, modulo n g is said to be a
primitive root or generator of Zn. Ex 3 is a
primitive root of Z7, but 2 is not 2i 1, 2,
4, 1, 2, 4, 1, 3i 1, 3, 2, 6, 4, 5, 1,.
If Zn possesses a primitive root, it is said to
be cyclic.
Theorem 31.32. The values of n gt 1 for which Zn
is cyclic are 2, 4, pe, and 2pe, for all primes p
gt 2 and all positive integers e.
Proof. Omitted.

60
NumTheory

Def. (Discrete Logarithm) If g is a primitive
root of Zn and a is any element of Zn, a z in
Zn such that is called the discrete
logarithm (or index) of a, modulo n, to the base
g indn,g(a).
Recall that the usual logarithm is a 1-to-1
function on the positive reals.
Theorem 31.33. If g is a primitive root of Zn,
then the equation holds if
and only if the equation
holds.
Proof.
Assume holds.

61
NumTheory

Then for some integer n. From
this
where we have used Eulers theorem.
2. Assume . The sequence of
powers of g generates every element of and
Corollary 31.18 implies that the
sequence of powers of g is periodic with period
This periodicity, in turn, implies that, if
, we must have

62
NumTheory

Theorem 31.34. If p is an odd prime and e 1,
the equation has only two
solutions x 1, and x -1.
Proof. Let n pe. Zn is cyclic and so has a
primitive root g. By definition of discrete
logarithm, and the equation
can be rewritten as
Note that indn,g(1) 0, so that the previous
theorem allows us to pass to the equivalent
equation
We must solve it for the unknown indn,g(x).

63
NumTheory

We observe that
Let
Also, d0 (everything divides 0). We are in the
form with a 2, b 0. Thm.
31.24 gives that this equation has exactly d 2
solutions (x has replaced indn,g(x)). The
logarithmic equivalence implies that the
original equation also has exactly 2 solutions.
An inspection gives two solutions of the form x
1 and x -1. They must be the ones
The next result is used in the Miller-Rabin
primality test.

64
NumTheory

Def. a number x is a nontrivial square root of
1, modulo n, if it satisfies the equation
but x is equivalent to neither of the
two trivial square roots, 1 and -1, modulo n.
Ex. 6 is a nontrivial square root of unity
modulo 35.
Corollary 31.35. If there exists a nontrivial
square root of 1, modulo n, then n is composite.
Proof. If so n cant be an odd prime or a power
of an odd prime.
so all square roots of 1 modulo 2 are
trivial. Thus n cannot be prime. Since n must be
gt 1 for a nontrivial square root of 1 to exists,
we have just shown n must be composite.

65
NumTheory

Powers and Repeated Squaring. Modular
exponentiation.
As it turns out, we will need to raise large
numbers to large powers modulo other large
numbers. The text has a fair discussion in terms
of bit operations basically, if all numbers
involved have k bits, the total number of bit
operations will be O(k3).
We will look at a Scheme implementation that does
not quite look at that level of detail, but which
allows similar complexity arguments to be used.

66
NumTheory

(define square (lambda (x) ( x x)))
(define expmod
(lambda (b e m)
(cond (( e 0) 1)
((even? e)
(remainder (square (expmod b (quotient
e 2) m)) m)) (else (remainder ( b (expmod b
(- e 1) m)) m)))))
gt (define p 1234567890987654321234567891041)
gt (define q 3234567890987654321234567891083)
gt (expmod p q ( (- p 1) (- q 1)))
14503940390677269618776339662804822941345319790325
91702901921

67
NumTheory

The depth of the recursion is never worse than 2
lg e each level involves some arithmetic, which
is never worse than O(max(lg b, lg e, lg m)2).
The total cost is thus in O(max(lg b, lg e, lg
m)3).

68
NumTheory

RSA. This is a public-key cryptosystem. It is
based on two current realities (which may change
in the future).
It is easy to generate large integers (several
hundred to a few thousand bits long) which are
prime with high probability - and therefore can
be used as primes.
It is hard to find the prime factors of a large
number. The amount of resources this
factorization takes is expected to be totally
unreasonable given the possible payoff.
It is a public-key cryptosystem because the
encryption key is public, accessible to anybody
who wishes to communicate with the final
decryptor.

69
NumTheory

The decryption key is private and, because of the
currently believed properties of large integers,
it is, for all intents and purposes, unachievable
within the resources that anyone can muster. It
is also possible - because of some side-effects
of the method - to provide unforgeable
signatures to otherwise openly readable
documents. Thus e-commerce is supported
Each key consists of a pair of integers. There is
a public key, P (e, n), and a secret key, S
(d, n).

70
NumTheory

Bob and Alice want to communicate. Bob has a
public key PB and a secret key SB Alice had
public and secret keys PA and SA, respectively.
Let D denote the set of permissible messages, let
M be a message that Bob wants to send to Alice.
Bob will use Alices public key to encrypt the
message and Alice will use her secret key to
decrypt it. An evesdropper who can listen to the
encrypted message will have no way to decrypt it.

71
NumTheory

The set of operations is just M SA(PA(M)). It
is important that message encryption and
decryption be computationally efficient. Since
SA and PA are inverses of each other, it is also
possible for Alice to encrypt a message M via
her secret key, and send the message into the
world where anyone, using her public key, can
read the message - after decrypting it - with
full confidence that the message came, in its
entirety, from Alice and not from a malicious
third party. The trick here is to allow the
receiver to know to use Alices public key - the
method of digital signatures requires the
sending of the clear message - with the name of
the sender - and an encrypted copy (the
signature). Decrypt the signature and check
equality - done.

72
NumTheory

Secure Signature

73
NumTheory

The RSA cryptosystem.
Select at random two large primes, p and q, p ?
q, each requiring at least 512 bits to represent.
Compute n pq.
Select a small odd integer e, relatively prime
to
Compute d as the multiplicative inverse of e
modulo
Publish the pair P (e, n) as the RSA public
key.
Keep secret the pair S (d, n), the RSA secret
key.
The domain D is the set Zn. All messages are
just large integers.

74
NumTheory

8. The transformation of a message M via the
public key is P(M) Me (mod n).
9. The transformation of a cyphertext C via the
secret key is S(C ) Cd (mod n).
Using the modular exponentiation algorithms
discussed earlier, the algorithm takes time
O(max(lg M, lg e, lg n)3).

75
NumTheory

Theorem 31.36 Correctness of RSA. The RSA
equations P(M) Me (mod n) and S(C ) Cd (mod
n) define inverse transformations of Zn,
satisfying equations M SA(PA(M)) and M
PA(SA(M)).
Proof. Combining the encryption and decryption
equations, we have, for any M in Zn, P(S(M))
S(P(M)) Med (mod n).
Since e and d are chosen as multiplicative
inverses modulo ed 1 k(p - 1)(q - 1)
for some integer k. If M ? 0 (mod p) we have

76
NumTheory

If then
Thus for all M.
Similarly, for all M.
By Corollary 31.29 to the Chinese Remainder
Theorem, for all M.
Done.

77
NumTheory

There is one major piece missing how do you find
large primes in a reasonable amount of time?
Deterministically, you dont. Probabilistically,
one has several tests, going back at least as far
back as Pierre de Fermat, that let us conclude,
with high probability, that a given number is
prime or, with absolute certainty, that it is
composite keep running the test - if the number
keeps passing, stop when you reach a probability
of being prime that you are willing to take a
chance on usually (with the right algorithm)
running as many copies of the test as there are
bits in the representation of the number gives
odds of success on the order of the number to
one. Section 31.8 gives some results.