Post on 19-Aug-2020

Elementary Number Theory and Algebra

Greatest Common Divisors and Least Common Multiples

$\mathbb{Z} \stackrel{\text{def}}{=} \{\ldots, -2, -1, 0, 1, 2, \ldots\}$

$\gcd(a, b)$: the greatest common divisor of $a, b \in \mathbb{Z} - \{0\}$. If $\gcd(a, b) = 1$, then $a$ and $b$ are relatively prime to each other.

$\operatorname{lcm}(a, b)$: the least common multiple of $a, b \in \mathbb{Z} - \{0\}$

The Euclidean Algorithm

Computes the gcd of two positive integers $a_0$ and $a_1$.

Performs the following sequence of divisions (suppose $a_0 > a_1$):

$$a_0 = a_1 q_1 + a_2$$
$$a_1 = a_2 q_2 + a_3$$
$$\cdots$$
$$a_{k-2} = a_{k-1} q_{k-1} + a_k$$
$$a_{k-1} = a_k q_k$$

For $a_0, a_1, \ldots, a_k$,

$$\gcd(a_0, a_1) = \cdots = \gcd(a_{k-1}, a_k) = a_k$$

Extended Euclidean Algorithm

Let $\alpha_0, \alpha_1, \ldots, \alpha_k$ and $\beta_0, \beta_1, \ldots, \beta_k$ be defined by

$$\alpha_0 = 1, \quad \beta_0 = 0$$
$$\alpha_1 = 0, \quad \beta_1 = 1$$
$$\alpha_j = \alpha_{j-2} - q_{j-1}\alpha_{j-1}, \quad \beta_j = \beta_{j-2} - q_{j-1}\beta_{j-1}$$

Then,

$$\alpha_j a_0 + \beta_j a_1 = a_j$$

Thus, $\alpha_k a_0 + \beta_k a_1 = a_k$.

Example

$a_0 = 770$, $a_1 = 336$

$$\alpha_0 = 1, \quad \beta_0 = 0$$
$$\alpha_1 = 0, \quad \beta_1 = 1$$
$$770 = 336 \times 2 + 98, \quad \alpha_2 = 1, \quad \beta_2 = -2$$
$$336 = 98 \times 3 + 42, \quad \alpha_3 = -3, \quad \beta_3 = 7$$
$$98 = 42 \times 2 + 14, \quad \alpha_4 = 7, \quad \beta_4 = -16$$
$$42 = 14 \times 3$$

$$7 \times 770 + (-16) \times 336 = 14$$
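The extended Euclidean algorithm of these slides in Python, as an added example that is not the lecture's own code: it carries the $\alpha_j, \beta_j$ recurrence alongside the divisions, reproduces the (770, 336) trace above, and, because the later Example II slides on $\mathbb{Z}_n^*$ use the same identity $\alpha a + \beta n = 1$, also turns $\alpha$ into a modular inverse (function names `extended_euclid` and `mod_inverse` are mine).

```python
def extended_euclid(a0, a1):
    """Extended Euclidean algorithm exactly as on the slides.

    Runs the division sequence a_{j-1} = a_j q_j + a_{j+1} while carrying
    alpha_j, beta_j with alpha_j*a0 + beta_j*a1 = a_j at every step.
    Returns (gcd, alpha, beta, trace), where trace lists each division as
    (a_{j-1}, q_j, a_j, alpha_{j+1}, beta_{j+1}) so it can be checked by hand.
    """
    if a0 <= 0 or a1 <= 0:
        raise ValueError("both inputs must be positive integers")
    prev, cur = a0, a1                         # a_{j-1}, a_j
    alpha_prev, beta_prev = 1, 0               # alpha_0, beta_0
    alpha_cur, beta_cur = 0, 1                 # alpha_1, beta_1
    trace = []
    while cur != 0:
        q, r = divmod(prev, cur)               # a_{j-1} = a_j * q + r
        # alpha_{j+1} = alpha_{j-1} - q * alpha_j  (and the same for beta)
        alpha_next = alpha_prev - q * alpha_cur
        beta_next = beta_prev - q * beta_cur
        trace.append((prev, q, cur, alpha_next, beta_next))
        prev, cur = cur, r
        alpha_prev, alpha_cur = alpha_cur, alpha_next
        beta_prev, beta_cur = beta_cur, beta_next
    # prev is now a_k = gcd(a0, a1); its coefficients are alpha_k, beta_k
    assert alpha_prev * a0 + beta_prev * a1 == prev
    return prev, alpha_prev, beta_prev, trace


def mod_inverse(a, n):
    """Inverse of a in Z*_n from alpha*a + beta*n = 1 (the Example II slides);
    raises if gcd(a, n) != 1, i.e. when no inverse exists."""
    g, alpha, _, _ = extended_euclid(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return alpha % n
```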

Congruence

Suppose that $a$ and $b$ are integers and that $n$ is a positive integer. If $n$ divides $a - b$, then $a$ is congruent to $b$ modulo $n$, which is denoted by

$$a \equiv b \pmod{n}.$$

Cf.) mod as a binary operation: $a \bmod n$ is the remainder when $a$ is divided by $n$.

E.g.) $13 \equiv 4 \pmod{9}$ and $13 \bmod 9 = 4$.

The Chinese Remainder Theorem (1/2)

Let $n_1, n_2, \ldots, n_k$ be positive integers, any two of which are relatively prime to each other. Then, for integers $c_1, c_2, \ldots, c_k$,

$$\begin{cases} x \equiv c_1 \pmod{n_1} \\ x \equiv c_2 \pmod{n_2} \\ \quad\cdots \\ x \equiv c_k \pmod{n_k} \end{cases}$$

has a unique solution in $\{0, 1, \ldots, N - 1\}$, where $N = \prod_{i=1}^{k} n_i$.

The Chinese Remainder Theorem (2/2)

The solution is

$$x = \sum_{i=1}^{k} c_i N_i y_i \bmod N,$$

where, for $1 \le i \le k$,

$$N_i = N / n_i, \qquad y_i = N_i^{-1} \bmod n_i.$$

Example

$$\begin{cases} x \equiv 2 \pmod{7} \\ x \equiv 6 \pmod{8} \\ x \equiv 7 \pmod{11} \end{cases}$$

$N = 7 \times 8 \times 11 = 616$

$N_1 = 88$, $y_1 = 88^{-1} \bmod 7 = 4^{-1} \bmod 7 = 2$

$N_2 = 77$, $y_2 = 77^{-1} \bmod 8 = 5^{-1} \bmod 8 = 5$

$N_3 = 56$, $y_3 = 56^{-1} \bmod 11 = 1^{-1} \bmod 11 = 1$

$$x = (2 \times 88 \times 2 + 6 \times 77 \times 5 + 7 \times 56 \times 1) \bmod 616 = 590$$
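The CRT construction of the two slides above, as an added Python example (not the lecture's code): it computes $N$, each $N_i$ and $y_i = N_i^{-1} \bmod n_i$, sums $c_i N_i y_i$, and refuses moduli that are not pairwise coprime, since the theorem says nothing in that case (the names `crt` and `satisfies_all` are mine).

```python
from math import gcd, prod


def crt(residues, moduli):
    """Chinese remainder theorem exactly as on the slides.

    residues = [c_1, ..., c_k], moduli = [n_1, ..., n_k] pairwise coprime.
    Returns (x, N, terms) with N = prod(n_i), x = sum(c_i N_i y_i) mod N,
    N_i = N / n_i, y_i = N_i^-1 mod n_i; terms lists (N_i, y_i) so the
    hand computation on the slide can be checked step by step.
    """
    if not moduli or len(residues) != len(moduli):
        raise ValueError("need the same non-zero number of residues and moduli")
    # The theorem requires pairwise coprime moduli; otherwise the system may
    # have no solution at all, so reject instead of returning a wrong x.
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    N = prod(moduli)
    terms = []
    x = 0
    for c, n in zip(residues, moduli):
        N_i = N // n
        y_i = pow(N_i, -1, n)      # N_i^-1 mod n_i (built-in since Python 3.8)
        terms.append((N_i, y_i))
        x += c * N_i * y_i
    return x % N, N, terms


def satisfies_all(x, residues, moduli):
    """True iff x solves every congruence x = c_i (mod n_i)."""
    return all(x % n == c % n for c, n in zip(residues, moduli))
```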

The Euler Totient Function

Let $n \ge 1$ be an integer. The Euler totient function is

$$\varphi(n) \stackrel{\text{def}}{=} |\{x \mid x \in \mathbb{Z} \wedge 1 \le x \le n \wedge \gcd(x, n) = 1\}|$$

Thm. 1 If $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ is the prime factorization of $n$, then

$$\varphi(n) = n \left(1 - \frac{1}{p_1}\right) \left(1 - \frac{1}{p_2}\right) \cdots \left(1 - \frac{1}{p_k}\right)$$

Notations: $\mathbb{Z}_n = \{0, 1, \ldots, n - 1\}$, $\mathbb{Z}_n^* = \{x \mid x \in \mathbb{Z}_n \wedge \gcd(x, n) = 1\}$

Note: $\varphi(n) = |\mathbb{Z}_n^*|$ for $n \ge 2$

Example

$n = 60 = 2^2 \times 3 \times 5$

$$\varphi(60) = 60 \left(1 - \frac{1}{2}\right) \left(1 - \frac{1}{3}\right) \left(1 - \frac{1}{5}\right)$$

$$= 60 \left(1 - \left(\frac{1}{2} + \frac{1}{3} + \frac{1}{5}\right) + \left(\frac{1}{2 \times 3} + \frac{1}{2 \times 5} + \frac{1}{3 \times 5}\right) - \frac{1}{2 \times 3 \times 5}\right)$$

(The terms $1/2$, $1/3$ and $1/5$ account for the multiples of 2, of 3 and of 5 respectively; the expansion is inclusion-exclusion over those multiples.)

Euler's Theorem

Thm. 2 Let $a$ and $n$ be positive integers.

$$\gcd(a, n) = 1 \Rightarrow a^{\varphi(n)} \equiv 1 \pmod{n}$$

proof) Let $f : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ such that $f(x) = ax \bmod n$. $f$ is a 1-to-1 mapping since $\gcd(a, n) = 1$ and $a$ has its inverse in $\mathbb{Z}_n^*$. Let $\mathbb{Z}_n^* = \{b_1, b_2, \ldots, b_{\varphi(n)}\}$. Then,

$$\prod_{i=1}^{\varphi(n)} b_i \equiv \prod_{i=1}^{\varphi(n)} (a b_i) \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} b_i \pmod{n},$$

which implies $a^{\varphi(n)} \equiv 1 \pmod{n}$. □
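An added Python example (not from the slides) serving both the totient slides and the proof of Thm. 2: $\varphi(n)$ by its definition and by the Thm. 1 formula, the set $\mathbb{Z}_n^*$, and a replay of the proof for concrete $a, n$, checking that $x \mapsto ax \bmod n$ permutes $\mathbb{Z}_n^*$ and that the product identity forces $a^{\varphi(n)} \equiv 1$. The distinct prime factors are passed in by hand, since factoring is not the point here; the function names are mine.

```python
from math import gcd, prod


def phi_by_definition(n):
    """phi(n) = |{x : 1 <= x <= n, gcd(x, n) = 1}|, the definition on the slide."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def phi_by_formula(n, primes):
    """Thm. 1: phi(n) = n * prod(1 - 1/p) over the distinct primes p of n.
    `primes` is the (assumed known) list of distinct prime factors of n.
    Pure integer arithmetic: dividing one factor p out of the running value
    before multiplying by (p - 1) keeps every intermediate result exact."""
    result = n
    for p in primes:
        if n % p != 0:
            raise ValueError(f"{p} does not divide {n}")
        result = result // p * (p - 1)
    return result


def z_star(n):
    """Z*_n = {x in Z_n : gcd(x, n) = 1}; |Z*_n| = phi(n) for n >= 2."""
    return [x for x in range(n) if gcd(x, n) == 1]


def euler_proof_replay(a, n):
    """Replays the proof of Thm. 2 for gcd(a, n) = 1.
    Returns (f permutes Z*_n,
             prod(b_i) == a^phi(n) * prod(b_i)  (mod n),
             a^phi(n) == 1  (mod n))."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    units = z_star(n)
    k = len(units)                               # phi(n)
    image = sorted(a * b % n for b in units)     # f(x) = a x mod n
    permutes = image == units                    # f is 1-to-1 onto Z*_n
    lhs = prod(units) % n
    rhs = pow(a, k, n) * prod(units) % n
    return permutes, lhs == rhs, pow(a, k, n) == 1
```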

Fermat's Little Theorem

Cor. 1 Let $a$ and $p$ be positive integers. If $p$ is prime and $\gcd(a, p) = 1$, then

$$a^{p-1} \equiv 1 \pmod{p}.$$

proof) $\varphi(p) = p - 1$.

Group

A set $G$ is a group with respect to the operation $\circ$ if

• $\circ$ is closed: $a \circ b \in G$ for every $a, b \in G$,

• $\circ$ is associative: $(a \circ b) \circ c = a \circ (b \circ c)$ for every $a, b, c \in G$,

• $G$ has an identity $I$: there exists $I \in G$ such that $a \circ I = I \circ a = a$ for every $a \in G$,

• For every $a \in G$, there exists an inverse $a^{-1} \in G$ such that $a \circ a^{-1} = a^{-1} \circ a = I$.

$G$ is called an additive group if $\circ$ is represented by the addition.

$G$ is called a multiplicative group if $\circ$ is represented by the multiplication.

Example I

$\mathbb{Z}_n$ is a group with respect to the addition modulo $n$.

• The operation is closed,

• The operation is associative,

• $0$ is the identity,

• For every $a \in \mathbb{Z}_n$, $-a$ $(= n - a)$ is the inverse of $a$.

Example II

$\mathbb{Z}_n^*$ is a group with respect to the multiplication modulo $n$.

• The operation is closed,

• The operation is associative,

• $1$ is the identity,

• For every $a \in \mathbb{Z}_n^*$, there exists an inverse $a^{-1} \in \mathbb{Z}_n^*$ because there exist $\alpha, \beta \in \mathbb{Z}$ such that $\alpha a + \beta n = 1$. Thus, $\alpha a \equiv 1 \pmod{n}$, and $\alpha \bmod n$ is the inverse of $a$.

Example II

$\mathbb{Z}_{21}^* = \{1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20\}$

Using the extended Euclidean algorithm,

$$-10 \times 2 + 1 \times 21 = 1$$

Thus,

$$2^{-1} \equiv -10 \equiv 11 \pmod{21}$$

Example II: Multiplication Table of $\mathbb{Z}_{21}^*$

  ×  |  1   2   4   5   8  10  11  13  16  17  19  20
-----+------------------------------------------------
  1  |  1   2   4   5   8  10  11  13  16  17  19  20
  2  |  2   4   8  10  16  20   1   5  11  13  17  19
  4  |  4   8  16  20  11  19   2  10   1   5  13  17
  5  |  5  10  20   4  19   8  13   2  17   1  11  16
  8  |  8  16  11  19   1  17   4  20   2  10   5  13
 10  | 10  20  19   8  17  16   5   4  13   2   1  11
 11  | 11   1   2  13   4   5  16  17   8  19  20  10
 13  | 13   5  10   2  20   4  17   1  19  11  16   8
 16  | 16  11   1  17   2  13   8  19   4  20  10   5
 17  | 17  13   5   1  10   2  19  11  20  16   8   4
 19  | 19  17  13  11   5   1  20  16  10   8   4   2
 20  | 20  19  17  16  13  11  10   8   5   4   2   1

Some Properties

Let $G$ be a finite (multiplicative) group.

Def. 1 The order of $G$ is the number of the elements in $G$. □

Def. 2 The order of $a \in G$ is the smallest integer $m > 0$ such that $a^m = 1$. □

Thm. 3 Let $n$ be the order of $G$. Then, for every $a \in G$, the order of $a$ divides $n$. □

Cor. 2 Let $n$ be the order of $G$. Then, for every $a \in G$, $a^n = 1$. □

Euler's theorem follows from Corollary 2.

Proof of Theorem 3

Suppose that the order of $a \in G$ is $k$. Then $A = \{a^1, a^2, \ldots, a^k\}$ is a subgroup of $G$.

$$b_1 A = \{b_1 a^1, b_1 a^2, \ldots, b_1 a^k\}$$
$$b_2 A = \{b_2 a^1, b_2 a^2, \ldots, b_2 a^k\}$$
$$\cdots$$
$$b_\ell A = \{b_\ell a^1, b_\ell a^2, \ldots, b_\ell a^k\}, \quad \text{where } b_i \notin A \cup b_1 A \cup \cdots \cup b_{i-1} A.$$

Then, $A \cap b_i A = \emptyset$, $b_i A \cap b_j A = \emptyset$ for $i, j \in \{1, \ldots, \ell\}$ and $i \ne j$, and $A \cup b_1 A \cup \cdots \cup b_\ell A = G$.

Thus, $(\ell + 1) k = n$.

Cyclic Group

Def. 3 $G$ is called a cyclic group if it has an element whose order is equal to the order of $G$. □

Def. 4 Let $G$ be a cyclic group. Then, $a \in G$ is called a primitive element if its order is equal to that of $G$. □

Thm. 4 The number of the elements of order $d$ in the multiplicative group $\mathbb{Z}_p^*$ is either $0$ or $\varphi(d)$ if $p$ is prime. □

Thm. 5 The multiplicative group $\mathbb{Z}_p^*$ is a cyclic group if $p$ is prime. □

Proof of Theorem 4

Lem. 1 For any positive integer $m$, let

$$f(x) = x^m + c_1 x^{m-1} + \cdots + c_{m-1} x + c_m,$$

where $c_1, c_2, \ldots, c_m$ are integers. Then, $f(x) \equiv 0 \pmod{p}$ has at most $m$ solutions in $\mathbb{Z}_p$ if $p$ is prime. □

Suppose that $\mathbb{Z}_p^*$ has an element $a$ of order $d$. Then, from Lem. 1, $A = \{a^1, a^2, \ldots, a^d\}$ is the set of all solutions of $x^d - 1 \equiv 0 \pmod{p}$ in $\mathbb{Z}_p^*$. Thus, all the elements of order $d$ in $\mathbb{Z}_p^*$ are in $A$.

Let $d_k$ be the order of $a^k$. Then, $d \mid k d_k$ since $(a^k)^{d_k} = a^{k d_k} = 1$. Thus, $d_k = \operatorname{lcm}(d, k)/k = d/\gcd(d, k)$, and $d_k = d$ iff $\gcd(d, k) = 1$.

Proof of Theorem 5

Lem. 2 For any positive integer $n$,

$$\sum_{d \mid n} \varphi(d) = n.$$

From Thm. 3, Thm. 4 and Lem. 2, $\mathbb{Z}_p^*$ has primitive elements.

Example: $\mathbb{Z}_p^*$, $p$ Is Prime

For $\mathbb{Z}_{11}^*$, the number of the primitive elements is $\varphi(10) = 4$.

Powers $a^e \bmod 11$ ($a$ down the rows, exponent $e$ across the columns) and the order of $a$:

 a \ e |  1   2   3   4   5   6   7   8   9  10 | ord.
-------+----------------------------------------+-----
   1   |  1   1   1   1   1   1   1   1   1   1 |  1
   2   |  2   4   8   5  10   9   7   3   6   1 | 10
   3   |  3   9   5   4   1   3   9   5   4   1 |  5
   4   |  4   5   9   3   1   4   5   9   3   1 |  5
   5   |  5   3   4   9   1   5   3   4   9   1 |  5
   6   |  6   3   7   9  10   5   8   4   2   1 | 10
   7   |  7   5   2   3  10   4   6   9   8   1 | 10
   8   |  8   9   6   4  10   3   2   5   7   1 | 10
   9   |  9   4   3   5   1   9   4   3   5   1 |  5
  10   | 10   1  10   1  10   1  10   1  10   1 |  2
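An added Python example (not the lecture's code) that rebuilds the table above for any prime $p$ and checks Thm. 3, Thm. 4 and Lem. 2 on it: element orders per Def. 2, the count of elements of each order, and the primitive elements of $\mathbb{Z}_p^*$ (for $p = 11$: 2, 6, 7 and 8). Function names are mine; $\varphi$ is computed from its definition, which is fine at this size.

```python
from math import gcd


def order(a, p):
    """Def. 2: smallest m > 0 with a^m = 1 in Z*_p (p prime, p does not divide a)."""
    if a % p == 0:
        raise ValueError("a must be a unit modulo p")
    m, x = 1, a % p
    while x != 1:
        x = x * a % p
        m += 1
    return m


def phi(n):
    """Euler totient from its definition: count of 1 <= x <= n coprime to n."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def power_table(p):
    """Row a of the slide's table: ([a^1, ..., a^(p-1)] mod p, ord(a))."""
    return {a: ([pow(a, e, p) for e in range(1, p)], order(a, p)) for a in range(1, p)}


def elements_by_order(p):
    """Number of elements of Z*_p of each order d (Thm. 4: each is 0 or phi(d))."""
    counts = {}
    for a in range(1, p):
        d = order(a, p)
        counts[d] = counts.get(d, 0) + 1
    return counts


def primitive_elements(p):
    """Def. 4: elements whose order equals |Z*_p| = p - 1; Thm. 4 says phi(p-1) of them."""
    return [a for a in range(1, p) if order(a, p) == p - 1]


def check_theorems(p):
    """(Thm. 3: every order divides p - 1,
        Thm. 4: every non-zero count equals phi(d),
        Lem. 2: sum of phi(d) over d | p - 1 equals p - 1) for prime p."""
    counts = elements_by_order(p)
    thm3 = all((p - 1) % d == 0 for d in counts)
    thm4 = all(c == phi(d) for d, c in counts.items())
    lem2 = sum(phi(d) for d in range(1, p) if (p - 1) % d == 0) == p - 1
    return thm3, thm4, lem2
```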

Quadratic Residues and Quadratic Non-residues (1/2)

Let $n, a$ be positive integers such that $\gcd(n, a) = 1$.

$a$ is called a quadratic residue modulo $n$ if $x^2 \equiv a \pmod{n}$ has a solution in $\mathbb{Z}_n$.

$a$ is called a quadratic non-residue modulo $n$ if $x^2 \equiv a \pmod{n}$ has no solution in $\mathbb{Z}_n$.

For simplicity,

QR mod $n$: quadratic residue modulo $n$

QNR mod $n$: quadratic non-residue modulo $n$

Quadratic Residues and Quadratic Non-residues (2/2)

Thm. 6 Let $p$ be an odd prime.

$$a \text{ is a QR mod } p \Leftrightarrow a^{(p-1)/2} \equiv 1 \pmod{p}$$

Proof) If $a$ is a QR mod $p$, then $x^2 \equiv a \pmod{p}$ for some $x \in \mathbb{Z}_p^*$. Thus, $a^{(p-1)/2} \equiv x^{p-1} \equiv 1 \pmod{p}$.

Suppose that $a^{(p-1)/2} \equiv 1 \pmod{p}$. Let $g$ be a primitive element mod $p$. Then, $a \equiv g^k \pmod{p}$ for some $k \in \mathbb{Z}_{p-1}$. Since $a^{(p-1)/2} \equiv g^{(p-1)k/2} \equiv 1 \pmod{p}$ and $g$ is a primitive element mod $p$, $k$ is even. Thus, $a$ is a QR mod $p$. □

The Legendre Symbol (1/2)

Let $p$ be an odd prime and $a$ be a positive integer. The Legendre symbol is defined as follows:

$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } a \equiv 0 \pmod{p} \\ 1 & \text{if } a \text{ is a QR mod } p \\ -1 & \text{if } a \text{ is a QNR mod } p. \end{cases}$$

The Legendre Symbol (2/2)

Thm. 7 Let $p$ be an odd prime.

$$\left(\frac{a}{p}\right) = a^{(p-1)/2} \bmod p$$

Proof) It is trivial if $a \equiv 0 \pmod{p}$.

If $a \not\equiv 0 \pmod{p}$, then $\gcd(a, p) = 1$ and $a^{p-1} \equiv 1 \pmod{p}$, so

$$\left(a^{(p-1)/2} + 1\right) \left(a^{(p-1)/2} - 1\right) \equiv 0 \pmod{p}$$

and therefore $a^{(p-1)/2} \equiv \pm 1 \pmod{p}$. Thus,

$a^{(p-1)/2} \equiv 1 \pmod{p} \Leftrightarrow a$ is a QR mod $p$ (Thm. 6)

$a^{(p-1)/2} \equiv -1 \pmod{p} \Leftrightarrow a$ is a QNR mod $p$ □

The Jacobi Symbol

Let $n$ and $a$ be positive integers. Furthermore, let $n$ be odd and its prime factorization be $n = p_1^{e_1} \cdots p_k^{e_k}$. The Jacobi symbol is defined as follows:

$$\left(\frac{a}{n}\right) = \prod_{i=1}^{k} \left(\frac{a}{p_i}\right)^{e_i}.$$

The Jacobi symbol can be computed without the prime factorization of $n$. It can be computed in $O((\log n)^2)$ steps.

Useful Properties to Compute a Jacobi Symbol

1. If $m_1 \equiv m_2 \pmod{n}$, then $\left(\frac{m_1}{n}\right) = \left(\frac{m_2}{n}\right)$.

2. $\left(\frac{2}{n}\right) = \begin{cases} 1 & \text{if } n \equiv \pm 1 \pmod{8} \\ -1 & \text{if } n \equiv \pm 3 \pmod{8}. \end{cases}$

3. $\left(\frac{m_1 m_2}{n}\right) = \left(\frac{m_1}{n}\right) \left(\frac{m_2}{n}\right)$. In particular, $\left(\frac{m}{n}\right) = \left(\frac{2}{n}\right)^k \left(\frac{t}{n}\right)$ if $m = 2^k t$, where $t$ is odd.

4. If $m$ is odd, then $\left(\frac{m}{n}\right) = (-1)^{(m-1)(n-1)/4} \left(\frac{n}{m}\right)$.

Primality Testing

To set up the widely used asymmetric cryptosystems such as RSA, it is necessary to generate large random primes. In practice, this is done in the following way:

1. Pick a large integer at random,

2. Test if it is prime or not.

Primality Testing

How many random integers should be generated until a prime is found?

Thm. 8 (the prime number theorem) The number of primes not exceeding $N$ is approximately $N / \ln N$. □

The number of $k$-bit primes is approximately

$$\frac{2^k}{\ln 2^k} - \frac{2^{k-1}}{\ln 2^{k-1}} \approx \frac{2^{k-1}}{\ln 2^{k-1}} \approx \frac{2^{k-1}}{(k-1) \ln 2}$$

Thus, if $k$ is large,

$$\Pr[\text{A random } k\text{-bit integer is a prime}] \approx \frac{1}{0.693\, k}$$

Primality Testing

• Deterministic poly-time algorithm was found! Agrawal, Kayal and Saxena (Aug. 2002). Still impractical.

• Probabilistic poly-time algorithms (practical)

  – Solovay-Strassen primality test

  – Miller-Rabin primality test

  These two algorithms always give a correct answer if the given integer is prime, while, if a composite is given, they may give an incorrect answer "it is prime."

Solovay-Strassen Primality Test

Let $n$ be an integer to be tested.

1. Select a random integer $a$ such that $1 \le a \le n - 1$.

2. If $\left(\frac{a}{n}\right) = 0$, then output "n is composite" and quit.

3. Output "n is prime" if $\left(\frac{a}{n}\right) \equiv a^{(n-1)/2} \pmod{n}$, and "n is composite" otherwise, and quit.

The probability that the algorithm outputs "n is prime" when $n$ is a composite is at most $1/2$.
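One added Python example (not the lecture's code) for three of the slides above: the Legendre symbol via Thm. 7, the Jacobi symbol computed from properties 1 to 4 without factoring $n$, and the Solovay-Strassen test built on it, repeated over several bases so that a composite slips through with probability at most $2^{-\text{rounds}}$. The function names and the `rounds` parameter are mine.

```python
import random


def legendre(a, p):
    """Legendre symbol (a/p), p an odd prime, by Thm. 7 (Euler's criterion):
    a^((p-1)/2) mod p, read as 0, 1 or -1 (p - 1 stands for -1)."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(m, n):
    """Jacobi symbol (m/n) for odd n > 0, using only properties 1-4 of the
    slides, so n is never factored.  Returns 0 when gcd(m, n) > 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    m %= n                          # property 1: only m mod n matters
    result = 1
    while m != 0:
        while m % 2 == 0:           # property 3: peel off m = 2^k t ...
            m //= 2
            if n % 8 in (3, 5):     # ... property 2: (2/n) = -1 iff n = +-3 (mod 8)
                result = -result
        m, n = n, m                 # property 4: (m/n) = (-1)^((m-1)(n-1)/4) (n/m)
        if m % 4 == 3 and n % 4 == 3:
            result = -result
        m %= n                      # property 1 again on the swapped pair
    return result if n == 1 else 0  # leftover n > 1 means a common factor


def solovay_strassen(n, rounds=20, rng=random):
    """Solovay-Strassen test of the slide, repeated `rounds` times.
    'composite' is always correct; 'probably prime' is wrong for a
    composite n with probability at most (1/2)^rounds."""
    if n < 2 or (n % 2 == 0 and n != 2):
        return "composite"
    if n == 2:
        return "probably prime"
    for _ in range(rounds):
        a = rng.randint(1, n - 1)                   # step 1
        j = jacobi(a, n)
        if j == 0:                                  # step 2: gcd(a, n) > 1
            return "composite"
        if pow(a, (n - 1) // 2, n) != j % n:        # step 3: j = -1 is n - 1 mod n
            return "composite"
    return "probably prime"
```

Note that `jacobi(2, 15)` is 1 although 2 is not a square modulo 15 (it is a QNR modulo both 3 and 5); a Jacobi symbol of 1 for composite n says nothing about quadratic residuosity, which is exactly why the test compares it with $a^{(n-1)/2}$ rather than reading it directly.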

Miller-Rabin Primality Test

Let $n$ be an integer to be tested.

1. Write $n - 1 = 2^k m$, where $m$ is odd.

2. Select a random integer $a$ such that $1 \le a \le n - 1$.

3. Compute $b = a^m \bmod n$.

4. If $b \equiv 1 \pmod{n}$, then output "n is prime" and quit.

5. For $i = 0$ to $k - 1$:
   if $b \equiv -1 \pmod{n}$, then output "n is prime" and quit;
   else $b = b^2 \bmod n$.

6. Output "n is composite" and quit.

Miller-Rabin Primality Test

The probability that the algorithm outputs "n is prime" when $n$ is a composite is at most $1/4$.
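The Miller-Rabin steps above and the two-step "pick a random integer, test it" procedure from the first Primality Testing slide, as an added Python example (not the lecture's code): one round follows steps 1 to 6 literally, the repeated version bounds the error by $4^{-\text{rounds}}$, and `random_prime` counts how many candidates were drawn, which the prime number theorem estimate puts near $0.693\,k$. Function names are mine.

```python
import random


def decompose(n):
    """Step 1: write n - 1 = 2^k * m with m odd; returns (k, m)."""
    k, m = 0, n - 1
    while m % 2 == 0:
        k += 1
        m //= 2
    return k, m


def miller_rabin_round(n, a):
    """Steps 3-6 of the slide for one base a (odd n >= 3, 1 <= a <= n - 1).
    True is the verdict "n is prime", False is "n is composite".
    False is a proof of compositeness; True may be a lie with prob. <= 1/4."""
    k, m = decompose(n)
    b = pow(a, m, n)                    # step 3
    if b == 1:                          # step 4: b = 1 (mod n)
        return True
    for _ in range(k):                  # step 5
        if b == n - 1:                  # b = -1 (mod n)
            return True
        b = b * b % n
    return False                        # step 6


def is_probable_prime(n, rounds=20, rng=random):
    """Repeats the test with independent random bases: a prime always passes,
    a composite passes all rounds with probability at most 4^-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return all(miller_rabin_round(n, rng.randint(1, n - 1)) for _ in range(rounds))


def random_prime(bits, rng=random):
    """The slide's procedure: draw random k-bit integers until one passes.
    Returns (prime, candidates_tried).  Top bit forced so the result really
    has `bits` bits; forcing the low bit too skips even candidates, so the
    expected count is about half of the 0.693 * bits predicted for all integers."""
    if bits < 2:
        raise ValueError("need at least 2 bits")
    tries = 0
    while True:
        tries += 1
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, rng=rng):
            return n, tries
```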

Exercises

1. Prove the Chinese remainder theorem.

2. Prove Thm. 1.

3. In the proof of Thm. 3, why is $A \cup b_1 A \cup \cdots \cup b_\ell A = G$?

4. Prove Lem. 2.

5. Prove that the Miller-Rabin test always answers "it is prime" if the given input is prime.