Elementary Number Theory and Algebra
Greatest Common Divisors and Least Common Multiples
$\mathbb{Z} \stackrel{\text{def}}{=} \{\ldots, -2, -1, 0, 1, 2, \ldots\}$
gcd(a, b): the greatest common divisor of a, b ∈ Z − {0}
If gcd(a, b) = 1, then a and b are relatively prime to each other.
lcm(a, b): the least common multiple of a, b ∈ Z − {0}
The Euclidean Algorithm
Computes the gcd of two positive integers $a_0$ and $a_1$.
Performs the following sequence of divisions (suppose $a_0 > a_1$); every remainder satisfies $0 \le a_{j+1} < a_j$, so the sequence ends with a zero remainder after finitely many steps:
$$
\begin{aligned}
a_0 &= a_1 q_1 + a_2 \\
a_1 &= a_2 q_2 + a_3 \\
    &\;\;\vdots \\
a_{k-2} &= a_{k-1} q_{k-1} + a_k \\
a_{k-1} &= a_k q_k
\end{aligned}
$$
For $a_0, a_1, \ldots, a_k$,
$$
\gcd(a_0, a_1) = \gcd(a_1, a_2) = \cdots = \gcd(a_{k-1}, a_k) = a_k.
$$
Extended Euclidean Algorithm
Let $\alpha_0, \alpha_1, \ldots, \alpha_k$ and $\beta_0, \beta_1, \ldots, \beta_k$ be defined by
$$
\begin{aligned}
\alpha_0 &= 1, & \beta_0 &= 0, \\
\alpha_1 &= 0, & \beta_1 &= 1, \\
\alpha_j &= \alpha_{j-2} - q_{j-1}\alpha_{j-1}, & \beta_j &= \beta_{j-2} - q_{j-1}\beta_{j-1} \quad (2 \le j \le k).
\end{aligned}
$$
Then,
$$
\alpha_j a_0 + \beta_j a_1 = a_j \quad (0 \le j \le k).
$$
Thus, $\alpha_k a_0 + \beta_k a_1 = a_k = \gcd(a_0, a_1)$.
Example
$a_0 = 770$, $a_1 = 336$
$$
\begin{aligned}
& & \alpha_0 &= 1, & \beta_0 &= 0 \\
& & \alpha_1 &= 0, & \beta_1 &= 1 \\
770 &= 336 \times 2 + 98, & \alpha_2 &= 1, & \beta_2 &= -2 \\
336 &= 98 \times 3 + 42, & \alpha_3 &= -3, & \beta_3 &= 7 \\
98 &= 42 \times 2 + 14, & \alpha_4 &= 7, & \beta_4 &= -16 \\
42 &= 14 \times 3 & & & &
\end{aligned}
$$
$$
7 \times 770 + (-16) \times 336 = 14 = \gcd(770, 336)
$$
Congruence
Suppose that a and b are integers and that n is a positive integer.
If n divides a − b, then a is congruent to b modulo n, which is
denoted by
a ≡ b (mod n).
Cf.) mod as a binary operation
a mod n is the remainder when a is divided by n.
E.g.) 13 ≡ 4 (mod 9)
13 mod 9 = 4
The Chinese Remainder Theorem (1/2)
Let $n_1, n_2, \ldots, n_k$ be positive integers, any two of which are relatively prime to each other.
Then, for integers $c_1, c_2, \ldots, c_k$,
$$
\begin{cases}
x \equiv c_1 \pmod{n_1} \\
x \equiv c_2 \pmod{n_2} \\
\quad\cdots \\
x \equiv c_k \pmod{n_k}
\end{cases}
$$
has a unique solution in $\{0, 1, \ldots, N-1\}$, where $N = \prod_{i=1}^{k} n_i$.
The Chinese Remainder Theorem (2/2)
The solution is
$$
x = \left( \sum_{i=1}^{k} c_i N_i y_i \right) \bmod N,
$$
where, for $1 \le i \le k$,
$$
N_i = N / n_i, \qquad y_i = N_i^{-1} \bmod n_i.
$$
Example
$$
\begin{cases}
x \equiv 2 \pmod{7} \\
x \equiv 6 \pmod{8} \\
x \equiv 7 \pmod{11}
\end{cases}
$$
$N = 7 \times 8 \times 11 = 616$
$N_1 = 88$, $y_1 = 88^{-1} \bmod 7 = 4^{-1} \bmod 7 = 2$
$N_2 = 77$, $y_2 = 77^{-1} \bmod 8 = 5^{-1} \bmod 8 = 5$
$N_3 = 56$, $y_3 = 56^{-1} \bmod 11 = 1^{-1} \bmod 11 = 1$
$$
x = (2 \times 88 \times 2 + 6 \times 77 \times 5 + 7 \times 56 \times 1) \bmod 616 = 3054 \bmod 616 = 590
$$
Check: $590 \bmod 7 = 2$, $590 \bmod 8 = 6$, $590 \bmod 11 = 7$.
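The Euclidean and extended Euclidean algorithms, the modular inverse they produce (the same computation gives the inverses in Z∗n used later in the deck), and the CRT formula above, as an added Python example that is not part of the original slides. The function names egcd, modinv, crt and satisfies are chosen here; the inputs are the slides' own 770/336 pair and the system x ≡ 2 (mod 7), x ≡ 6 (mod 8), x ≡ 7 (mod 11). crt checks the pairwise-coprime hypothesis instead of silently returning a wrong answer when it fails.

```python
"""Added example (not from the slides): extended Euclid, modular inverse, CRT."""
from functools import reduce
from math import gcd


def egcd(a0, a1):
    """Extended Euclidean algorithm for positive integers a0, a1.

    Returns (g, alpha, beta) with alpha*a0 + beta*a1 = g = gcd(a0, a1), using
    the slides' recurrences alpha_j = alpha_{j-2} - q_{j-1} alpha_{j-1}
    (and likewise for beta), carried alongside the division steps.
    """
    if a0 <= 0 or a1 <= 0:
        raise ValueError("egcd expects positive integers")
    prev = (1, 0)  # (alpha_0, beta_0): a0 = 1*a0 + 0*a1
    cur = (0, 1)   # (alpha_1, beta_1): a1 = 0*a0 + 1*a1
    while a1 != 0:
        q, r = divmod(a0, a1)  # a_{j-1} = a_j * q_j + a_{j+1}
        a0, a1 = a1, r
        prev, cur = cur, (prev[0] - q * cur[0], prev[1] - q * cur[1])
    # a0 now holds a_k = gcd, prev holds (alpha_k, beta_k)
    return a0, prev[0], prev[1]


def modinv(a, n):
    """Inverse of a in Z_n^*; raises ValueError if gcd(a, n) != 1."""
    a %= n
    if a == 0:
        raise ValueError(f"0 has no inverse mod {n}")
    g, alpha, _ = egcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return alpha % n  # alpha*a + beta*n = 1  =>  alpha*a = 1 (mod n)


def crt(residues, moduli):
    """Solve x = c_i (mod n_i) for pairwise coprime n_i; returns x in [0, N).

    Implements x = sum(c_i * N_i * y_i) mod N with N_i = N/n_i and
    y_i = N_i^{-1} mod n_i, after checking the coprimality hypothesis.
    """
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    N = reduce(lambda x, y: x * y, moduli, 1)
    x = 0
    for c, n in zip(residues, moduli):
        Ni = N // n
        yi = modinv(Ni, n)
        x += c * Ni * yi
    return x % N


def satisfies(x, residues, moduli):
    """True iff x = c_i (mod n_i) for every i (used to check crt's output)."""
    return all(x % n == c % n for c, n in zip(residues, moduli))


if __name__ == "__main__":
    print(egcd(770, 336))          # (14, 7, -16): 7*770 + (-16)*336 = 14
    print(modinv(2, 21))           # 11, since 2*11 = 22 = 1 (mod 21)
    x = crt([2, 6, 7], [7, 8, 11])
    print(x, satisfies(x, [2, 6, 7], [7, 8, 11]))  # 590 True
```

The recurrence is carried as two pairs rather than a full table, which is all the slides' derivation needs: after the last division, `prev` is exactly (α_k, β_k).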
The Euler Totient Function
Let $n \ge 1$ be an integer.
The Euler totient function
$$
\varphi(n) \stackrel{\text{def}}{=} \bigl|\{\, x \mid x \in \mathbb{Z} \wedge 1 \le x \le n \wedge \gcd(x, n) = 1 \,\}\bigr|
$$
Thm. 1 If $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ is the prime factorization of $n$, then
$$
\varphi(n) = n \left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right)\cdots\left(1 - \frac{1}{p_k}\right). \;\square
$$
Notations: $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$, $\mathbb{Z}_n^* = \{\, x \mid x \in \mathbb{Z}_n \wedge \gcd(x, n) = 1 \,\}$
Note: $\varphi(n) = |\mathbb{Z}_n^*|$ for $n \ge 2$
Example
$n = 60 = 2^2 \times 3 \times 5$
$$
\begin{aligned}
\varphi(60) &= 60 \left(1 - \frac{1}{2}\right)\left(1 - \frac{1}{3}\right)\left(1 - \frac{1}{5}\right) \\
&= 60 \left( 1 - \left(\frac{1}{2} + \frac{1}{3} + \frac{1}{5}\right) + \left(\frac{1}{2 \times 3} + \frac{1}{2 \times 5} + \frac{1}{3 \times 5}\right) - \frac{1}{2 \times 3 \times 5} \right) \\
&= 60 - (30 + 20 + 12) + (10 + 6 + 4) - 2 = 16
\end{aligned}
$$
The expanded form is inclusion-exclusion: the terms $1/2$, $1/3$, $1/5$ remove the multiples of 2, of 3 and of 5 in $\{1, \ldots, 60\}$, the pair terms add back what was removed twice, and the last term corrects for the multiples of all three.
Euler's Theorem
Thm. 2 Let $a$ and $n$ be positive integers.
$$
\gcd(a, n) = 1 \;\Rightarrow\; a^{\varphi(n)} \equiv 1 \pmod{n}
$$
proof) Let $f : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ such that $f(x) = ax \bmod n$. $f$ is a 1-to-1 mapping since $\gcd(a, n) = 1$ and $a$ has its inverse in $\mathbb{Z}_n^*$. Let $\mathbb{Z}_n^* = \{b_1, b_2, \ldots, b_{\varphi(n)}\}$. Then,
$$
\prod_{i=1}^{\varphi(n)} b_i \equiv \prod_{i=1}^{\varphi(n)} (a b_i) \equiv a^{\varphi(n)} \prod_{i=1}^{\varphi(n)} b_i \pmod{n},
$$
which implies $a^{\varphi(n)} \equiv 1 \pmod{n}$, because $\prod_i b_i \in \mathbb{Z}_n^*$ is invertible and can be cancelled. $\square$
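Thm. 1, the inclusion-exclusion count in the φ(60) example, and Euler's theorem (Thm. 2), checked in Python. This is an added example and not material from the slides; the function names factorize, phi_formula, phi_bruteforce, inclusion_exclusion_count, units and euler_theorem_holds are chosen here, and the trial-division factorization is only meant for the small moduli used in the deck. The block also shows what Thm. 2 does not say: for a with gcd(a, n) > 1, a^φ(n) mod n is in general not 1.

```python
"""Added example (not from the slides): Euler's totient by Thm. 1, by its
definition and by inclusion-exclusion, and a check of Euler's theorem on Z_n^*."""
from math import gcd


def factorize(n):
    """Trial-division prime factorization, returned as {p: e}; fine for small n."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_formula(n):
    """Thm. 1: phi(n) = n * prod_{p | n} (1 - 1/p), evaluated in exact integer
    arithmetic as result / p * (p - 1) for each distinct prime p."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)  # exact: p still divides result here
    return result


def phi_bruteforce(n):
    """Definition: |{x : 1 <= x <= n, gcd(x, n) = 1}|."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def inclusion_exclusion_count(n):
    """The bracketed expansion on the slide, for any n: count 1..n, subtract the
    multiples of each prime, add back the multiples of each pair, and so on
    (alternating sum over subsets of the distinct primes dividing n)."""
    primes = list(factorize(n))
    total = 0
    for mask in range(1 << len(primes)):
        subset = [p for i, p in enumerate(primes) if mask >> i & 1]
        product = 1
        for p in subset:
            product *= p
        total += (-1) ** len(subset) * (n // product)
    return total


def units(n):
    """Z_n^* = {x in Z_n : gcd(x, n) = 1}."""
    return [x for x in range(n) if gcd(x, n) == 1]


def euler_theorem_holds(n):
    """Thm. 2: a^phi(n) = 1 (mod n) for every a in Z_n^*."""
    ph = phi_formula(n)
    return all(pow(a, ph, n) == 1 for a in units(n))


if __name__ == "__main__":
    print(factorize(60), phi_formula(60), phi_bruteforce(60), inclusion_exclusion_count(60))
    # {2: 2, 3: 1, 5: 1} 16 16 16
    print(euler_theorem_holds(60))       # True
    print(pow(2, phi_formula(60), 60))   # 16: gcd(2, 60) != 1, so Thm. 2 does not apply
```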
Fermat’s Little Theorem
Cor. 1 Let a and p be positive integers.
If p is prime and gcd(a, p) = 1, then
ap−1 ≡ 1 (mod p).
proof) φ(p) = p − 1.
Group
A set G is a group with respect to the operation ◦ if
• ◦ is closed: a ◦ b ∈ G for every a, b ∈ G,
• ◦ is associative: (a ◦ b) ◦ c = a ◦ (b ◦ c) for every a, b, c ∈ G,
• G has an identity I: There exists I ∈ G such that
a ◦ I = I ◦ a = a for every a ∈ G
• For every a ∈ G, there exists an inverse a−1 ∈ G such that
a ◦ a−1 = a−1 ◦ a = I
G is called an additive group if ◦ is represented by the addition.
G is called a multiplicative group if ◦ is represented by the multiplication.
Example I
Zn is a group with respect to the addition modulo n.
• The operation is closed,
• The operation is associative,
• 0 is the identity,
• For every a ∈ Zn, (−a) mod n (= n − a for a ≠ 0, and 0 for a = 0) is the inverse of a.
Example II
$\mathbb{Z}_n^*$ is a group with respect to the multiplication modulo $n$.
• The operation is closed (if $\gcd(a, n) = \gcd(b, n) = 1$, then $\gcd(ab \bmod n, n) = 1$),
• The operation is associative,
• 1 is the identity,
• For every $a \in \mathbb{Z}_n^*$, there exists an inverse $a^{-1} \in \mathbb{Z}_n^*$ because there exist $\alpha, \beta \in \mathbb{Z}$ such that $\alpha a + \beta n = 1$ (found by the extended Euclidean algorithm). Thus, $\alpha a \equiv 1 \pmod{n}$, and $\alpha \bmod n$ is the inverse of $a$.
Example II (cont.)
Z∗21 = {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20}
Using the extended Euclidean algorithm,
−10 × 2 + 1 × 21 = 1
Thus,
2−1 ≡ −10 ≡ 11 (mod 21)
Example II: Multiplication Table of Z∗21 (entry in row a, column b is ab mod 21)
 ×   1  2  4  5  8 10 11 13 16 17 19 20
 1   1  2  4  5  8 10 11 13 16 17 19 20
 2   2  4  8 10 16 20  1  5 11 13 17 19
 4   4  8 16 20 11 19  2 10  1  5 13 17
 5   5 10 20  4 19  8 13  2 17  1 11 16
 8   8 16 11 19  1 17  4 20  2 10  5 13
10  10 20 19  8 17 16  5  4 13  2  1 11
11  11  1  2 13  4  5 16 17  8 19 20 10
13  13  5 10  2 20  4 17  1 19 11 16  8
16  16 11  1 17  2 13  8 19  4 20 10  5
17  17 13  5  1 10  2 19 11 20 16  8  4
19  19 17 13 11  5  1 20 16 10  8  4  2
20  20 19 17 16 13 11 10  8  5  4  2  1
Some Properties
Let G be a finite (multiplicative) group.
Def. 1 The order of G is the number of the elements in G. □
Def. 2 The order of a ∈ G is the smallest integer m > 0 such that a^m = 1. □
Thm. 3 Let n be the order of G. Then, for every a ∈ G, the order of a divides n. □
Cor. 2 Let n be the order of G. Then, for every a ∈ G, a^n = 1. □
Euler's theorem follows from Corollary 2 applied to G = Z∗n, whose order is φ(n).
Proof of Theorem 3
Suppose that the order of $a \in G$ is $k$.
$A = \{a^1, a^2, \ldots, a^k\}$ is a subgroup of $G$ with $k$ elements.
$$
\begin{aligned}
b_1 A &= \{b_1 a^1, b_1 a^2, \ldots, b_1 a^k\} \\
b_2 A &= \{b_2 a^1, b_2 a^2, \ldots, b_2 a^k\} \\
&\;\;\vdots \\
b_\ell A &= \{b_\ell a^1, b_\ell a^2, \ldots, b_\ell a^k\}, \quad \text{where } b_i \notin A \cup b_1 A \cup \cdots \cup b_{i-1} A.
\end{aligned}
$$
Then, $A \cap b_i A = \emptyset$, $b_i A \cap b_j A = \emptyset$ for $i, j \in \{1, \ldots, \ell\}$ and $i \neq j$, each $b_i A$ has exactly $k$ elements (multiplication by $b_i$ is 1-to-1), and $A \cup b_1 A \cup \cdots \cup b_\ell A = G$.
Thus, $(\ell + 1) k = n$.
Cyclic Group
Def. 3 G is called a cyclic group if it has an element whose order is equal to the order of G. □
Def. 4 Let G be a cyclic group. Then, a ∈ G is called a primitive element if its order is equal to that of G. □
Thm. 4 The number of the elements of order d in the multiplicative group Z∗p is either 0 or φ(d) if p is prime. □
Thm. 5 The multiplicative group Z∗p is a cyclic group if p is prime. □
Proof of Theorem 4
Lem. 1 For any positive integer $m$, let
$$
f(x) = x^m + c_1 x^{m-1} + \cdots + c_{m-1} x + c_m,
$$
where $c_1, c_2, \ldots, c_m$ are integers. Then, $f(x) \equiv 0 \pmod{p}$ has at most $m$ solutions in $\mathbb{Z}_p$ if $p$ is prime. $\square$
Suppose that $\mathbb{Z}_p^*$ has an element $a$ of order $d$. Then, from Lem. 1, $A = \{a^1, a^2, \ldots, a^d\}$ is the set of all solutions of $x^d - 1 \equiv 0 \pmod{p}$ in $\mathbb{Z}_p^*$: its $d$ elements are distinct, each is a solution, and there are at most $d$ solutions. Thus, all the elements of order $d$ in $\mathbb{Z}_p^*$ are in $A$.
Let $d_k$ be the order of $a^k$. Then, $d \mid k d_k$ since $(a^k)^{d_k} = a^{k d_k} = 1$, and $d_k$ is the smallest positive integer with this property. Thus, $d_k = \operatorname{lcm}(d, k)/k = d/\gcd(d, k)$, and $d_k = d$ iff $\gcd(d, k) = 1$. Hence the number of elements of order $d$ is $|\{\, k \mid 1 \le k \le d,\ \gcd(k, d) = 1 \,\}| = \varphi(d)$. $\square$
Proof of Theorem 5
Lem. 2 For any positive integer $n$,
$$
\sum_{d \mid n} \varphi(d) = n. \;\square
$$
From Thm. 3, Thm. 4 and Lem. 2, $\mathbb{Z}_p^*$ has primitive elements: by Thm. 3 every element has an order $d$ dividing $p - 1$, by Thm. 4 each such $d$ accounts for at most $\varphi(d)$ elements, and by Lem. 2 $\sum_{d \mid p-1} \varphi(d) = p - 1 = |\mathbb{Z}_p^*|$, so every $d \mid p - 1$, in particular $d = p - 1$, accounts for exactly $\varphi(d)$ elements. $\square$
Example: Z∗p, p Is Prime
For Z∗11, the number of the primitive elements is φ(10) = 4 (namely 2, 6, 7, 8).
Entry in row a, column k is a^k mod 11; the last column is the order of a.
a\k   1  2  3  4  5  6  7  8  9 10  ord.
1     1  1  1  1  1  1  1  1  1  1   1
2     2  4  8  5 10  9  7  3  6  1  10
3     3  9  5  4  1  3  9  5  4  1   5
4     4  5  9  3  1  4  5  9  3  1   5
5     5  3  4  9  1  5  3  4  9  1   5
6     6  3  7  9 10  5  8  4  2  1  10
7     7  5  2  3 10  4  6  9  8  1  10
8     8  9  6  4 10  3  2  5  7  1  10
9     9  4  3  5  1  9  4  3  5  1   5
10   10  1 10  1 10  1 10  1 10  1   2
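Defs. 1-4 and Thms. 3-5 above, checked on small groups in Python. This is an added example, not material from the slides; the function names element_order, order_counts, primitive_elements, theorem3_holds, theorem4_holds, lemma2_holds and power_table are chosen here, and the totient is computed by brute force so the block stays self-contained. It also goes beyond the prime case of the table: Z∗21 is a group of order 12 with no element of order 12, so it is not cyclic and has no primitive element, which is why Thm. 5 is stated for prime moduli only.

```python
"""Added example (not from the slides): element orders, primitive elements and
checks of Thm. 3, Thm. 4 and Lem. 2 on small multiplicative groups Z_n^*."""
from math import gcd


def phi(n):
    """Euler's totient by brute force (small n only)."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def element_order(a, n):
    """Def. 2: the smallest m > 0 with a^m = 1 (mod n); a must be a unit mod n."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError("a must be an element of Z_n^*")
    m, x = 1, a % n
    while x != 1:
        x = x * a % n
        m += 1
    return m


def order_counts(n):
    """Map each order d to the number of elements of Z_n^* having that order."""
    counts = {}
    for a in range(1, n):
        if gcd(a, n) == 1:
            d = element_order(a, n)
            counts[d] = counts.get(d, 0) + 1
    return counts


def primitive_elements(n):
    """Def. 3/4: units whose order is |Z_n^*| = phi(n); empty iff Z_n^* is not cyclic."""
    ph = phi(n)
    return [a for a in range(1, n) if gcd(a, n) == 1 and element_order(a, n) == ph]


def theorem3_holds(n):
    """Thm. 3 for G = Z_n^*: every element order divides |G| = phi(n)."""
    ph = phi(n)
    return all(ph % d == 0 for d in order_counts(n))


def theorem4_holds(p):
    """Thm. 4 for a prime p: for each d | p-1, the number of elements of order d
    is 0 or phi(d) (Thm. 5 then says it is in fact phi(d) for d = p-1)."""
    counts = order_counts(p)
    return all(counts.get(d, 0) in (0, phi(d)) for d in divisors(p - 1))


def lemma2_holds(n):
    """Lem. 2: the sum of phi(d) over all d | n equals n."""
    return sum(phi(d) for d in divisors(n)) == n


def power_table(p):
    """Row a, column k (1 <= a, k <= p-1) holds a^k mod p, as in the Z_11^* table."""
    return {a: [pow(a, k, p) for k in range(1, p)] for a in range(1, p)}


if __name__ == "__main__":
    print(primitive_elements(11))   # [2, 6, 7, 8]: phi(10) = 4 of them
    print(order_counts(11))         # {1: 1, 10: 4, 5: 4, 2: 1}
    print(primitive_elements(21))   # []: Z_21^* has 12 elements but largest order 6
    print(power_table(11)[2])       # [2, 4, 8, 5, 10, 9, 7, 3, 6, 1]
```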
Quadratic Residues and Quadratic Non-residues (1/2)
Let n, a be positive integers such that gcd(n, a) = 1.
a is called a quadratic residue modulo n if x2 ≡ a (mod n) has a
solution in Zn.
a is called a quadratic non-residue modulo n if x2 ≡ a (mod n)
has no solution in Zn.
For simplicity,
QR mod n quadratic residue modulo n
QNR mod n quadratic non-residue modulo n
Quadratic Residues and Quadratic Non-residues (2/2)
Thm. 6 Let $p$ be an odd prime and $\gcd(a, p) = 1$.
$$
a \text{ is a QR mod } p \;\Leftrightarrow\; a^{(p-1)/2} \equiv 1 \pmod{p}
$$
Proof) If $a$ is a QR mod $p$, then $x^2 \equiv a \pmod{p}$ for some $x \in \mathbb{Z}_p^*$. Thus, $a^{(p-1)/2} \equiv x^{p-1} \equiv 1 \pmod{p}$ by Fermat's little theorem.
Suppose that $a^{(p-1)/2} \equiv 1 \pmod{p}$. Let $g$ be a primitive element mod $p$. Then, $a \equiv g^k \pmod{p}$ for some $k \in \mathbb{Z}_{p-1}$. Since $a^{(p-1)/2} \equiv g^{(p-1)k/2} \equiv 1 \pmod{p}$ and $g$ is a primitive element mod $p$ (so $p - 1$ divides $(p-1)k/2$), $k$ is even. Thus, $a \equiv (g^{k/2})^2 \pmod{p}$ is a QR mod $p$. $\square$
The Legendre Symbol (1/2)
Let $p$ be an odd prime and $a$ be a positive integer. The Legendre symbol is defined as follows:
$$
\left(\frac{a}{p}\right) =
\begin{cases}
0 & \text{if } a \equiv 0 \pmod{p} \\
1 & \text{if } a \text{ is a QR mod } p \\
-1 & \text{if } a \text{ is a QNR mod } p.
\end{cases}
$$
The Legendre Symbol (2/2)
Thm. 7 Let $p$ be an odd prime.
$$
\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod{p}
$$
(as a value in $\{0, 1, \ldots, p-1\}$, $a^{(p-1)/2} \bmod p$ is $p - 1$ when the symbol is $-1$.)
Proof) It is trivial if $a \equiv 0 \pmod{p}$.
If $a \not\equiv 0 \pmod{p}$, then $\gcd(a, p) = 1$ and $a^{p-1} \equiv 1 \pmod{p}$, so
$$
\left(a^{(p-1)/2} + 1\right)\left(a^{(p-1)/2} - 1\right) \equiv 0 \pmod{p},
$$
and, $p$ being prime, $a^{(p-1)/2} \equiv \pm 1 \pmod{p}$.
Thus,
$a^{(p-1)/2} \equiv 1 \pmod{p} \;\Leftrightarrow\; a$ is a QR mod $p$ (Thm. 6)
$a^{(p-1)/2} \equiv -1 \pmod{p} \;\Leftrightarrow\; a$ is a QNR mod $p$ $\square$
The Jacobi Symbol
Let $n$ and $a$ be positive integers. Furthermore, let $n$ be odd and its prime factorization be $n = p_1^{e_1} \cdots p_k^{e_k}$. The Jacobi symbol is defined as follows:
$$
\left(\frac{a}{n}\right) = \prod_{i=1}^{k} \left(\frac{a}{p_i}\right)^{e_i}.
$$
The Jacobi symbol can be computed without the prime factorization of $n$, using the properties on the next slide. It can be computed in $O((\log n)^2)$ steps.
Caveat: for composite $n$, $\left(\frac{a}{n}\right) = 1$ does not imply that $a$ is a QR mod $n$. For example, $\left(\frac{2}{15}\right) = \left(\frac{2}{3}\right)\left(\frac{2}{5}\right) = (-1)(-1) = 1$, but $x^2 \equiv 2 \pmod{15}$ has no solution. Only $\left(\frac{a}{n}\right) = -1$ certifies a QNR, since then $a$ is a QNR modulo some $p_i$.
Useful Properties to Compute a Jacobi Symbol
($n$ is a positive odd integer throughout.)
1. If $m_1 \equiv m_2 \pmod{n}$, then $\left(\frac{m_1}{n}\right) = \left(\frac{m_2}{n}\right)$.
2. $\left(\frac{2}{n}\right) = \begin{cases} 1 & \text{if } n \equiv \pm 1 \pmod{8} \\ -1 & \text{if } n \equiv \pm 3 \pmod{8}. \end{cases}$
3. $\left(\frac{m_1 m_2}{n}\right) = \left(\frac{m_1}{n}\right)\left(\frac{m_2}{n}\right)$.
   In particular, $\left(\frac{m}{n}\right) = \left(\frac{2}{n}\right)^k \left(\frac{t}{n}\right)$ if $m = 2^k t$, where $t$ is odd.
4. If $m$ is odd (and positive), then $\left(\frac{m}{n}\right) = (-1)^{(m-1)(n-1)/4} \left(\frac{n}{m}\right)$ (quadratic reciprocity).
Primality Testing
To set up the widely used asymmetric cryptosystems such as RSA,
it is necessary to generate large random primes.
In practice, this is done in the following way:
1. Pick a large integer at random,
2. Test whether it is prime or not (and go back to step 1 if it is not).
Primality Testing
How many random integers should be generated until a prime is found?
Thm. 8 (the prime number theorem) The number of primes not exceeding $N$ is approximately $N / \ln N$. $\square$
The number of $k$-bit primes (primes in $[2^{k-1}, 2^k)$) is approximately
$$
\frac{2^k}{\ln 2^k} - \frac{2^{k-1}}{\ln 2^{k-1}} \approx \frac{2^{k-1}}{\ln 2^{k-1}} = \frac{2^{k-1}}{(k-1)\ln 2}.
$$
Thus, if $k$ is large, since there are $2^{k-1}$ $k$-bit integers,
$$
\Pr[\text{a random } k\text{-bit integer is a prime}] \approx \frac{1}{(k-1)\ln 2} \approx \frac{1}{0.693\,k}.
$$
Restricting the candidates to odd integers doubles this probability, so on the order of $0.35\,k$ odd candidates are tested on average before a prime is found.
Primality Testing
• Deterministic poly-time algorithm was found!
Agrawal, Kayal and Saxena (Aug. 2002)
Still impractical
• Probabilistic poly-time algorithms (practical)
– Solovay-Strassen primality test
– Miller-Rabin primality test
These two algorithms always give a correct answer if the given
integer is prime, while, if a composite is given, they may give
an incorrect answer “it is prime.”
Solovay-Strassen Primality Test
Let $n$ be an odd integer ($n \ge 3$) to be tested.
1. Select a random integer $a$ such that $1 \le a \le n - 1$.
2. If $\left(\frac{a}{n}\right) = 0$, then output "n is composite" and quit (this means $\gcd(a, n) > 1$).
3. Output
   "n is prime" if $\left(\frac{a}{n}\right) \equiv a^{(n-1)/2} \pmod{n}$,
   "n is composite" otherwise,
   and quit.
The probability that the algorithm outputs "n is prime" when $n$ is a composite is at most 1/2 for one random $a$; $t$ independent repetitions reduce it to at most $2^{-t}$.
Miller-Rabin Primality Test
Let $n$ be an odd integer ($n \ge 3$) to be tested.
1. Write $n - 1 = 2^k m$, where $m$ is odd ($k \ge 1$ since $n$ is odd).
2. Select a random integer $a$ such that $1 \le a \le n - 1$.
3. Compute $b = a^m \bmod n$.
4. If $b \equiv 1 \pmod{n}$, then output "n is prime" and quit.
5. for $i = 0$ to $k - 1$:
   if $b \equiv -1 \pmod{n}$ then output "n is prime" and quit
   else $b = b^2 \bmod n$
6. Output "n is composite" and quit
Miller-Rabin Primality Test (cont.)
The probability that the algorithm outputs "n is prime" when $n$ is a composite is at most 1/4 for one random $a$; $t$ independent repetitions reduce it to at most $4^{-t}$.
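The Jacobi symbol computed from properties 1-4 (slide "Useful Properties to Compute a Jacobi Symbol"), Euler's criterion (Thm. 7) against the definition of a QR (Thm. 6), and one round each of Solovay-Strassen and Miller-Rabin exactly as written above, in Python. This is an added example and not code from the slides; all function names are chosen here. The Fermat test (a^(n-1) ≡ 1, from Cor. 1) and the composite 561 = 3 × 11 × 17, a Carmichael number, are brought in only to show why the two tests above are needed: every unit fools Fermat on 561, while the liar counts for the other two tests, computed exhaustively over all bases, stay within the bounds the slides state.

```python
"""Added example (not from the slides): Jacobi symbol, Euler's criterion,
Solovay-Strassen and Miller-Rabin, with exhaustive liar counts on a composite."""
import random


def jacobi(m, n):
    """Jacobi symbol (m/n) for odd n >= 1, without factoring n, using the four
    properties on the slides: reduce m mod n (1), strip factors of 2 with the
    rule for (2/n) (2, 3), then flip via quadratic reciprocity (4) and repeat."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    m %= n
    result = 1
    while m != 0:
        while m % 2 == 0:              # (m/n) = (2/n)^k (t/n), m = 2^k t
            m //= 2
            if n % 8 in (3, 5):        # (2/n) = -1 iff n = +-3 (mod 8)
                result = -result
        m, n = n, m                    # reciprocity: both odd now
        if m % 4 == 3 and n % 4 == 3:  # (-1)^((m-1)(n-1)/4) = -1 iff both = 3 (mod 4)
            result = -result
        m %= n
    return result if n == 1 else 0     # n > 1 here means gcd(m, n) > 1


def legendre_by_euler(a, p):
    """Thm. 7: (a/p) = a^((p-1)/2) (mod p) for an odd prime p, mapped to {-1, 0, 1}."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def is_quadratic_residue(a, n):
    """Definition: does x^2 = a (mod n) have a solution x in Z_n?"""
    a %= n
    return any(x * x % n == a for x in range(n))


def passes_fermat(a, n):
    """Fermat's little theorem used as a test: a^(n-1) = 1 (mod n)."""
    return pow(a, n - 1, n) == 1


def passes_solovay_strassen(a, n):
    """One Solovay-Strassen round (steps 2-3) with base a, for odd n >= 3."""
    j = jacobi(a, n)
    if j == 0:                                  # gcd(a, n) > 1
        return False
    return j % n == pow(a, (n - 1) // 2, n)     # compare in Z_n: -1 is n-1


def passes_miller_rabin(a, n):
    """One Miller-Rabin round (steps 1, 3-6) with base a, for odd n >= 3."""
    k, m = 0, n - 1
    while m % 2 == 0:                           # n - 1 = 2^k m, m odd
        k, m = k + 1, m // 2
    b = pow(a, m, n)
    if b == 1:
        return True
    for _ in range(k):
        if b == n - 1:
            return True
        b = b * b % n
    return False                                # never reached -1: a is a witness


def liars(n, passes):
    """All bases 1 <= a <= n-1 for which one round of `passes` answers 'prime'."""
    return [a for a in range(1, n) if passes(a, n)]


def probable_prime(n, passes, rounds=20, seed=None):
    """Repeat `passes` with independent random bases. False means certainly
    composite; True means probably prime (and is always True for a prime n)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    return all(passes(rng.randrange(1, n), n) for _ in range(rounds))


def solovay_strassen(n, rounds=20, seed=None):
    return probable_prime(n, passes_solovay_strassen, rounds, seed)


def miller_rabin(n, rounds=20, seed=None):
    return probable_prime(n, passes_miller_rabin, rounds, seed)


if __name__ == "__main__":
    print(jacobi(2, 15), is_quadratic_residue(2, 15))   # 1 False: Jacobi 1 is not a QR proof
    n = 561                                             # 3 * 11 * 17, a Carmichael number
    print(len(liars(n, passes_fermat)))                 # 320: every unit fools Fermat
    print(len(liars(n, passes_solovay_strassen)))       # at most phi(n)/2 = 160
    print(len(liars(n, passes_miller_rabin)))           # 10, far below (n-1)/4
    print(miller_rabin(n, seed=1), miller_rabin(10007, seed=1))  # False True
```

The two test functions return a verdict for one base so that `liars` can enumerate every base; `probable_prime` is the randomized loop the slides describe, with the even and tiny cases handled up front because the Jacobi symbol and the 2^k m decomposition both need n odd.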
Exercises
1. Prove the Chinese remainder theorem.
2. Prove Thm. 1.
3. In the proof of Thm. 3, why is A ∪ b1A ∪ · · · ∪ bℓA = G?
4. Prove Lem. 2.
5. Prove that the Miller-Rabin test always answers “it is prime” if
the given input is prime.