Cryptography CS 555, Topic 6: Number Theory Basics (CS555, Spring 2012, Topic 6)


1 Cryptography CS 555 Topic 6: Number Theory Basics

2 Outline and Readings
Outline:
– Divisibility, prime and composite numbers, the Fundamental Theorem of Arithmetic, greatest common divisor, modular operation, congruence relation
– The Extended Euclidean Algorithm
– Solving linear congruences
Readings: Katz and Lindell, sections 7.1.1 and 7.1.2

3 Divisibility
Definition: Given integers a and b with a ≠ 0, a divides b (denoted a|b) if there exists an integer k such that b = ak. a is called a divisor of b, and b a multiple of a.
Proposition:
(1) If a ≠ 0, then a|0 and a|a. Also, 1|b for every b.
(2) If a|b and b|c, then a|c.
(3) If a|b and a|c, then a|(sb + tc) for all integers s and t.

4 Divisibility (cont.)
Theorem (Division algorithm): Given integers a, b such that a > 0, a < b, there exist two unique integers q and r, 0 ≤ r < a, such that b = aq + r.
Proof (uniqueness of q and r): assume there exist q' and r' such that b = aq' + r', 0 ≤ r' < a, q' an integer. Then aq + r = aq' + r' ⇒ a(q − q') = r' − r ⇒ q − q' = (r' − r)/a. As 0 ≤ r, r' < a ⇒ −a < (r' − r) < a ⇒ −1 < (r' − r)/a < 1. So −1 < q − q' < 1, but q − q' is an integer, therefore q = q' and r = r'.

5 Prime and Composite Numbers
Definition: An integer n > 1 is called a prime number if its only positive divisors are 1 and n.
Definition: Any integer n > 1 that is not prime is called a composite number.
Example: Prime numbers: 2, 3, 5, 7, 11, 13, 17, … Composite numbers: 4, 6, 25, 900, 17778, …

6 Decomposition into a Product of Primes
Theorem (Fundamental Theorem of Arithmetic): Any integer n > 1 can be written as a product of prime numbers (> 1), and the product is unique if the primes are written in increasing order.
Example: 84 = 2^2 · 3 · 7

7 Classroom Discussion Question (Not a Quiz)
Is the total number of prime numbers finite or infinite?

8 Greatest Common Divisor (GCD)
Definition: Given integers a > 0 and b > 0, we define gcd(a, b) = c, the greatest common divisor (GCD), as the greatest number that divides both a and b.
Example: gcd(256, 100) = 4
Definition: Two integers a > 0 and b > 0 are relatively prime if gcd(a, b) = 1.
Example: 25 and 128 are relatively prime.

9 GCD as a Linear Combination
Theorem: Given integers a, b > 0 with a > b, d = gcd(a, b) is the least positive integer that can be represented as ax + by with x, y integers.
Proof: Let t be the smallest positive integer such that t = ax + by. We have d|a and d|b ⇒ d|(ax + by), so d|t, so d ≤ t. We now show t ≤ d. First, t|a; otherwise a = tu + r with 0 < r < t, and r = a − ut = a − u(ax + by) = a(1 − ux) + b(−uy), so we have found another positive linear combination with r < t. Contradiction. Similarly t|b, so t is a common divisor of a and b, thus t ≤ gcd(a, b) = d. So t = d.
Example: gcd(100, 36) = 4 = 4 · 100 − 11 · 36 = 400 − 396

10 GCD and Multiplication
Theorem: Given integers a, b, m > 1. If gcd(a, m) = gcd(b, m) = 1, then gcd(ab, m) = 1.
Proof idea: ax + ym = 1 = bz + tm. Find u and v such that (ab)u + mv = 1.

11 GCD and Division
Theorem: Given integers a > 0, b, q, r such that b = aq + r, then gcd(b, a) = gcd(a, r).
Proof: Let gcd(b, a) = d and gcd(a, r) = e. This means d|b and d|a, so d|(b − aq), so d|r. Since gcd(a, r) = e, we obtain d ≤ e. Also e|a and e|r, so e|(aq + r), so e|b. Since gcd(b, a) = d, we obtain e ≤ d. Therefore d = e.

12 Finding GCD
Using the theorem: given integers a > 0, b, q, r such that b = aq + r, then gcd(b, a) = gcd(a, r).
Euclidean Algorithm: find gcd(b, a)
  while a ≠ 0 do
    r ← b mod a
    b ← a
    a ← r
  return b

13 Euclidean Algorithm Example
Find gcd(143, 110): gcd(143, 110) = 11
143 = 1 · 110 + 33
110 = 3 · 33 + 11
33 = 3 · 11 + 0

14 Modulo Operation
Definition:
Example: 7 mod 3 = 1, −7 mod 3 = 2

15 Congruence Relation
Definition: Let a, b, n be integers with n > 0. We say that a ≡ b (mod n) if a − b is a multiple of n.
Properties: a ≡ b (mod n) if and only if n | (a − b), if and only if n | (b − a), if and only if a = b + k·n for some integer k, if and only if b = a + k·n for some integer k.
E.g., 32 ≡ 7 (mod 5), −12 ≡ 37 (mod 7), 17 ≡ 17 (mod 13)

16 Properties of the Congruence Relation
Proposition: Let a, b, c, n be integers with n > 0.
1. a ≡ 0 (mod n) if and only if n | a
2. a ≡ a (mod n)
3. a ≡ b (mod n) if and only if b ≡ a (mod n)
4. If a ≡ b and b ≡ c (mod n), then a ≡ c (mod n)
Corollary: Congruence modulo n is an equivalence relation. Every integer is congruent to exactly one number in {0, 1, 2, …, n − 1} modulo n.

17 Equivalence Relation
Definition: A binary relation R over a set Y is a subset of Y × Y. We denote a relation (a, b) ∈ R as aRb. (Examples of relations over the integers?)
Definition: A relation R is an equivalence relation on a set Y if R is
Reflexive: aRa for all a ∈ Y
Symmetric: for all a, b ∈ Y, aRb ⇒ bRa
Transitive: for all a, b, c ∈ Y, aRb and bRc ⇒ aRc
Example: "=" is an equivalence relation on the set of integers.

18 More Properties of the Congruence Relation
Proposition: Let a, b, c, d, n be integers with n > 0. If a ≡ b (mod n) and c ≡ d (mod n), then a + c ≡ b + d (mod n), a − c ≡ b − d (mod n), and a·c ≡ b·d (mod n).
E.g., 5 ≡ 12 (mod 7) and 3 ≡ −4 (mod 7), then …

19 Multiplicative Inverse
Definition: Given integers n > 0, a, b, we say that b is a multiplicative inverse of a modulo n if ab ≡ 1 (mod n).
Proposition: Given integers n > 0 and a, a has a multiplicative inverse modulo n if and only if a and n are relatively prime.

20 Towards the Extended Euclidean Algorithm
Theorem: Given integers a, b > 0, d = gcd(a, b) is the least positive integer that can be represented as ax + by with x, y integers.
How to find such x and y?

21 The Extended Euclidean Algorithm
First compute
b = q_1 a + r_1
a = q_2 r_1 + r_2
r_1 = q_3 r_2 + r_3
…
r_{k−3} = q_{k−1} r_{k−2} + r_{k−1}
r_{k−2} = q_k r_{k−1}
Then compute x_0 = 0, x_1 = 1, x_2 = −q_1 x_1 + x_0, …, x_k = −q_{k−1} x_{k−1} + x_{k−2}
and y_0 = 1, y_1 = 0, y_2 = −q_1 y_1 + y_0, …, y_k = −q_{k−1} y_{k−1} + y_{k−2}.
We have a x_k + b y_k = r_{k−1} = gcd(a, b).

22 Extended Euclidean Algorithm
Extended_Euclidean(a, b)
  x = 1; y = 0; d = a; r = 0; s = 1; t = b;
  while (t > 0) {
    q = ⌊d/t⌋;
    u = x − q·r; v = y − q·s; w = d − q·t;
    x = r; y = s; d = t;
    r = u; s = v; t = w;
  }
  return (d, x, y)
end
Invariants: ax + by = d and ar + bs = t

23 Another Way
Find gcd(143, 111): gcd(143, 111) = 1
143 = 1 · 111 + 32
111 = 3 · 32 + 15
32 = 2 · 15 + 2
15 = 7 · 2 + 1
Working back up:
32 = 143 − 1 · 111
15 = 111 − 3 · 32 = 4 · 111 − 3 · 143
2 = 32 − 2 · 15 = 7 · 143 − 9 · 111
1 = 15 − 7 · 2 = 67 · 111 − 52 · 143

24 Linear Equation Modulo n
If gcd(a, n) = 1, the equation ax ≡ 1 (mod n) has a unique solution 0 < x < n. This solution is often represented as a^-1 mod n.
Proof: if a·x_1 ≡ 1 (mod n) and a·x_2 ≡ 1 (mod n), then a(x_1 − x_2) ≡ 0 (mod n), so n | a(x_1 − x_2), so n | (x_1 − x_2), so x_1 − x_2 = 0.
How to compute a^-1 mod n?

25 Examples
Example 1: Observe that 3·5 ≡ 1 (mod 7). Let us try to solve 3·x + 4 ≡ 3 (mod 7). Subtract 4 from both sides: 3·x ≡ −1 (mod 7). We know that −1 ≡ 6 (mod 7). Thus 3·x ≡ 6 (mod 7). Multiply both sides by 5: 3·5·x ≡ 5·6 (mod 7). Thus x ≡ 1·x ≡ 3·5·x ≡ 5·6 ≡ 30 ≡ 2 (mod 7). Thus any x that satisfies 3·x + 4 ≡ 3 (mod 7) must satisfy x ≡ 2 (mod 7), and vice versa.
Question: Solve 2x ≡ 2 (mod 4). Is the solution x ≡ 1 (mod 4)?

26 Linear Equation Modulo (cont.)
To solve the equation ax ≡ b (mod n):
When gcd(a, n) = 1, compute x = a^-1 · b mod n.
When gcd(a, n) = d > 1, do the following. If d does not divide b, there is no solution. Assume d | b. Solve the new congruence (a/d)·x ≡ (b/d) (mod n/d) to get x_0. The solutions of the original congruence are x_0, x_0 + (n/d), x_0 + 2(n/d), …, x_0 + (d − 1)(n/d) (mod n).

27 Solving Linear Congruences
Theorem: Let a, n, z, z' be integers with n > 0. If gcd(a, n) = 1, then az ≡ az' (mod n) if and only if z ≡ z' (mod n). More generally, if d := gcd(a, n), then az ≡ az' (mod n) if and only if z ≡ z' (mod n/d).
Example: 5·2 ≡ 5·(−4) (mod 6); 3·5 ≡ 3·3 (mod 6)
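The loop of slide 22, the inverse of slide 24 and the d > 1 case of slide 26 as one runnable piece. This is an added example, not code from the slides; the function names are my own, and the two invariants from slide 22 are asserted on every iteration.

```python
# Added example (not from the slides): Extended Euclidean Algorithm as on
# slide 22 with its two loop invariants checked, then a modular inverse
# (slide 24) and a solver for a*x ≡ b (mod n) that covers gcd(a, n) = d > 1
# as described on slide 26.

def extended_euclidean(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d (slide 22's loop)."""
    x, y, d, r, s, t = 1, 0, a, 0, 1, b
    while t > 0:
        q = d // t
        u, v, w = x - q * r, y - q * s, d - q * t
        x, y, d, r, s, t = r, s, t, u, v, w
        # invariants from the slide: a*x + b*y == d and a*r + b*s == t
        assert a * x + b * y == d and a * r + b * s == t
    return d, x, y

def mod_inverse(a, n):
    """a^-1 mod n; it exists iff gcd(a, n) = 1 (slide 19)."""
    d, x, _ = extended_euclidean(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {d}")
    return x % n

def solve_linear_congruence(a, b, n):
    """All x in [0, n) with a*x ≡ b (mod n), following slide 26:
    gcd = 1 gives the single solution a^-1 * b; gcd = d > 1 gives no
    solution unless d | b, otherwise d solutions spaced n/d apart."""
    d, x, _ = extended_euclidean(a % n, n)
    if b % d != 0:
        return []
    # from a*x + n*y = d, x/1 is the inverse of a/d modulo n/d,
    # so x0 solves (a/d)*x ≡ (b/d) (mod n/d)
    x0 = (x * (b // d)) % (n // d)
    return [x0 + k * (n // d) for k in range(d)]
```

Running solve_linear_congruence(2, 2, 4) answers slide 25's question: the solutions are 1 and 3, i.e. x ≡ 1 (mod 2), not only x ≡ 1 (mod 4).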

28 Basic Number Theory: Divisibility
Let a, b be integers with a ≠ 0. If there exists an integer k such that b = ka, we say a divides b, denoted by a|b.
11 | 143, 1993 | 3980021
– If a ≠ 0, then a|0 and a|a; 1|b for each b
– a|b and b|c → a|c
– a|b and a|c → a|(sb + tc) for all s, t

29 Prime Numbers
An integer p > 1 that is divisible only by 1 and itself is called a prime number; otherwise it is called composite (p. 64).
primegen.c generates prime numbers.
Let π(x) be the number of primes less than x; then π(x) ≈ x/ln(x) as x → ∞.
Exercise: Plot π(x) vs. x for x = 2^16 to 2^32.

30 A Plot of π(x)≈x/ln(x) vs. x

31 Prime Factorization Theorem
Every positive integer is a product of primes. This factorization into primes is unique, up to reordering the factors.
49500 = 2^2 · 3^2 · 5^3 · 11
If a prime p | ab, then either p | a or p | b. Moreover, p | x_1 x_2 … x_n → p | x_j for some j.
7|1430,

32 Greatest Common Divisor
gcd(343, 63) = 7, gcd(12345, 11111) = 1, gcd(1993, 3980021) = 1993
The Euclidean Algorithm to compute gcd(a, b) does not require the factorization of the numbers and is fast.
gcd(482, 1180) = 2

33 Solving ax + by = 1 when gcd(a, b) = 1
Let a, b be integers with a^2 + b^2 ≠ 0 and gcd(a, b) = 1; then ax + by = 1 has an integer solution (x, y) (Euclidean Algorithm).
Example: 7·(−2) + 5·3 = 1
Solving ax + by = d with gcd(a, b) = d can be reduced to solving a_0 x + b_0 y = 1, where a = a_0 d and b = b_0 d.

34 Congruences
Let a, b, n be integers with n ≠ 0. We say that a ≡ b (mod n) (read as "a is congruent to b mod n") if n | (a − b). Another description: a = b + nk for an integer k.
Example: 32 ≡ 7 (mod 5)

35 Simple Properties
Let a, b, c, n be integers with n ≠ 0.
(1) a ≡ 0 (mod n) iff n | a
(2) a ≡ a (mod n)
(3) a ≡ b (mod n) iff b ≡ a (mod n)
(4) a ≡ b and b ≡ c (mod n) → a ≡ c (mod n)
(5) a ≡ b and c ≡ d (mod n) → a + c ≡ b + d, a − c ≡ b − d, ac ≡ bd (mod n)
(6) ab ≡ ac (mod n) with n ≠ 0 and gcd(a, n) = 1 → b ≡ c (mod n)

36 Computational Properties
– Finding a^-1 (mod n)
– Solving ax ≡ c (mod n) when gcd(a, n) = 1. What if gcd(a, n) > 1?
– Solve 11111x ≡ 4 (mod 12345)
– Solve 12x ≡ 21 (mod 39)
– How to solve x^2 ≡ a (mod n)?
– Working with fractions (inverse?)

37 The Chinese Remainder Theorem
Let m_1, m_2, …, m_k be integers with gcd(m_i, m_j) = 1 for i ≠ j. There exists exactly one solution x (mod m_1 m_2 … m_k) to the simultaneous congruences [pp. 76–78]
x ≡ a_1 (mod m_1)
x ≡ a_2 (mod m_2)
…
x ≡ a_k (mod m_k)

38 Fermat's Little Theorem
How to evaluate 2^1234 (mod 789) fast? How to evaluate X^a (mod n) fast?
If p is a prime and gcd(p, a) = 1, then a^(p−1) ≡ 1 (mod p).

39 Euler's φ-Function and Theorem
φ(n) = #{a | 1 ≤ a ≤ n, gcd(a, n) = 1}, that is, the number of positive integers up to n which are relatively prime to n.
Examples: φ(15) = 8, φ(16) = 8, φ(17) = 16
φ(pq) = (p − 1)(q − 1) if p and q are primes
φ(p) = p − 1 if p is a prime number
φ(p^r) = p^r − p^(r−1) = p^r (1 − 1/p)
If gcd(a, n) = 1, then a^φ(n) ≡ 1 (mod n).

40 Examples and Basic Principle [Page 82]
What are the last three digits of 7^803? Compute 2^43210 (mod 101).
Let a, n, x, y be integers with n ≥ 1 and gcd(a, n) = 1. If x ≡ y (mod φ(n)), then a^x ≡ a^y (mod n).
(Hint) x = y + kφ(n); by Euclidean Theorem
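Square-and-multiply for X^a (mod n) from slide 38, φ(n) from the prime-power factorisation of slide 39, and slide 40's exponent-reduction principle applied to its two questions. This is an added example, not code from the slides; the helper names and the trial-division factoriser (fine for the small moduli here, not for cryptographic sizes) are my own.

```python
# Added example (not from the slides): fast modular exponentiation,
# Euler's phi, and exponent reduction modulo phi(n) when gcd(a, n) = 1.
from math import gcd

def mod_pow(base, exp, n):
    """Square-and-multiply: about log2(exp) squarings instead of exp - 1 products."""
    result, base = 1, base % n
    while exp > 0:
        if exp & 1:                 # low bit of the exponent set: multiply in
            result = result * base % n
        base = base * base % n      # square for the next bit
        exp >>= 1
    return result

def prime_factors(n):
    """Trial division; returns {p: r} with n = product of p^r (small n only)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def euler_phi(n):
    """phi(n) = product over prime powers of p^r - p^(r-1), as on slide 39."""
    phi = 1
    for p, r in prime_factors(n).items():
        phi *= p ** r - p ** (r - 1)
    return phi

def reduced_pow(a, x, n):
    """a^x mod n computed as a^(x mod phi(n)) mod n (slide 40's principle).
    The reduction is only valid when gcd(a, n) = 1, so that is checked."""
    if gcd(a, n) != 1:
        raise ValueError("exponent reduction mod phi(n) needs gcd(a, n) = 1")
    return mod_pow(a, x % euler_phi(n), n)

# Slide 40's questions worked with the functions above:
#   last three digits of 7^803 = 7^803 mod 1000, phi(1000) = 400, 803 mod 400 = 3
#   2^43210 mod 101, phi(101) = 100, 43210 mod 100 = 10, 2^10 = 1024 ≡ 14
```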

41 Primitive Roots
If p is a prime, a primitive root mod p is a number g whose powers yield every nonzero class mod p: {g^k | 0 < k < p} = {1, 2, …, p − 1}.
Proposition: Let g be a primitive root mod p.
(1) g^n ≡ 1 (mod p) iff (p − 1) | n, i.e. n ≡ 0 (mod p − 1)
(2) g^j ≡ g^k (mod p) iff j ≡ k (mod p − 1)
3 is a primitive root mod 7 but not mod 13.

42 Inverting Matrices (mod n)
A matrix M is invertible (mod n) if gcd(det(M), n) = 1.
The inverse of A = [1 2; 3 4] (mod 11) is A^-1 = [9 1; 7 5], and det(A) = −2 ≡ 9 (mod 11).
The inverse of M = [1 1 1; 1 2 3; 1 4 9] (mod 11) is [3 3 6; 8 4 10; 1 4 6], where 1/det(M) = 1/2 ≡ 6 (mod 11).

43 Square Roots mod n (1/9)
X^2 ≡ 71 (mod 77) has solutions ±15, ±29.
How to (efficiently) solve X^2 ≡ b (mod pq), where p, q are (very close) primes?
Every prime p (except 2) must satisfy p ≡ 1 (mod 4) or p ≡ 3 (mod 4).
The square roots of 5 mod 11 are ±4.

44 Square Roots mod n (2/9)
Let p ≡ 3 (mod 4) be prime and y an integer, and let x ≡ y^((p+1)/4) (mod p).
– If y has a square root mod p, then the square roots of y mod p are x and −x.
– If y has no square root mod p, then −y has a square root mod p, and the square roots of −y are x and −x.

45 Square Roots mod n (3/9)
Proof: x^4 ≡ y^(p+1) ≡ y^2 · y^(p−1) ≡ y^2 (mod p) → (x^2 + y)(x^2 − y) ≡ 0 (mod p).
Suppose both y and −y are squares mod p. This is impossible.

46 Square Roots mod n (4/9)
Lemma: Let p ≡ 3 (mod 4) be prime. Then X^2 ≡ −1 (mod p) has no solutions.
Proof: Let p = 4q + 3. X^2 ≡ −1 → X^(p−1) ≡ (−1)^((p−1)/2) ≡ (−1)^(2q+1) ≡ −1. But X^(p−1) ≡ 1 (Fermat's theorem).

47 Square Roots mod n (5/9)
Suppose both y and −y are squares mod p, say y ≡ a^2 and −y ≡ b^2. Then (a/b)^2 ≡ −1 (mod p). But according to the previous lemma, (a/b)^2 ≡ −1 (mod p) is impossible.

48 Square Roots mod n (6/9)
2. If y ≡ x^2 (mod p), the square roots of y are ±x.
3. If −y ≡ x^2 (mod p), the square roots of −y are ±x.

49 Examples for Square Roots (7/9)
x^2 ≡ 5 (mod 11): (p + 1)/4 = 3, so x ≡ 5^3 ≡ 4 (mod 11).
Since 4^2 ≡ 5 (mod 11), the square roots of 5 mod 11 are ±4.

50 Examples for Square Roots (8/9)
To solve x^2 ≡ 71 (mod 77):
(1) x^2 ≡ 1 (mod 7) → x ≡ ±1 (mod 7)
(2) x^2 ≡ 5 (mod 11) → x ≡ ±4 (mod 11)
By the Chinese Remainder Theorem, x ≡ ±15, x ≡ ±29 (mod 77).

51 Square Roots mod n (9/9)
Suppose n = pq is the product of two primes congruent to 3 mod 4 (type 4k + 3), and let y with gcd(y, n) = 1 have a square root mod n. Then finding the four solutions x = ±a, ±b to x^2 ≡ y (mod n) is computationally equivalent to factoring n, which is regarded as extremely difficult when n is large, say when n has a length of 256 bits or higher.
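The square-root rule of slide 44, combined through the Chinese Remainder Theorem of slide 37 to produce all four roots of x^2 ≡ 71 (mod 77) from slide 50, plus the observation behind slide 51: two roots that are not negatives of each other expose a factor of n. This is an added example, not code from the slides; the function names are my own and the primes are assumed to be ≡ 3 (mod 4) with y coprime to them.

```python
# Added example (not from the slides): square roots mod p ≡ 3 (mod 4),
# CRT recombination mod p*q, and the root-pair-to-factor step of slide 51.
from math import gcd

def sqrt_mod_p3(y, p):
    """Square roots of y mod a prime p ≡ 3 (mod 4), or None if y is a non-residue.
    Slide 44: x = y^((p+1)/4); if x^2 is not y then -y is the square instead."""
    assert p % 4 == 3
    x = pow(y, (p + 1) // 4, p)
    if x * x % p != y % p:
        return None
    return sorted({x, (-x) % p})

def crt(residues, moduli):
    """Unique x mod prod(moduli) with x ≡ r_i (mod m_i), moduli pairwise coprime."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        # lift x from mod m to mod m*mi: choose t with x + m*t ≡ r (mod mi)
        t = (r - x) * pow(m, -1, mi) % mi
        x, m = x + m * t, m * mi
    return x % m

def sqrt_mod_pq(y, p, q):
    """All solutions of x^2 ≡ y (mod p*q) for distinct primes p, q ≡ 3 (mod 4)."""
    rp, rq = sqrt_mod_p3(y, p), sqrt_mod_p3(y, q)
    if rp is None or rq is None:
        return []                       # y is a non-residue mod p or mod q
    return sorted(crt([a, b], [p, q]) for a in rp for b in rq)

def factor_from_roots(a, b, n):
    """Slide 51: if a^2 ≡ b^2 (mod n) but a ≢ ±b, then n | (a-b)(a+b) while
    n divides neither factor, so gcd(a - b, n) is a proper factor of n."""
    d = gcd(a - b, n)
    return d if 1 < d < n else None
```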

52 Group Theory
Let G be a nonempty set and let ⊕ be a binary operation defined on G × G. G is said to be a group if
(1) for any elements a, b in G, a ⊕ b is in G;
(2) (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c) for any a, b, c in G;
(3) there exists a unit element e such that e ⊕ a = a ⊕ e = a for any a in G;
(4) for each a in G, there exists an inverse a^-1 such that a^-1 ⊕ a = a ⊕ a^-1 = e.

53 Field (Informal Definition)
(F, +, ·) is a nonempty set F with two binary operations + and · such that
(1) (F, +) is a commutative group with unit element 0;
(2) (F', ·) is a commutative group with unit element 1, where F' = F \ {0};
(3) a · (b + c) = (a · b) + (a · c) for any a, b, c.

54 Examples
Groups: (Z, +) is a group, where Z is the set of all integers; Z_p = {0, 1, 2, …, p − 1} with + (mod p); Z_{p−1} = {1, 2, …, p − 1} with × (mod p).
Fields: (R, +, ×); (Z_p, +, ×) (mod p).

55 Finite Fields with Applications
A field with finitely many elements.
Suppose we need to work in a field whose range is 0 to 2^8 − 1. Z_256 = {0, 1, …, 255} is not a field, since 256 is not a prime.
GF(4) = {0, 1, ω, ω^2}
Z_p (p prime)
GF(p^n) (p prime)

56 Galois Field GF(p^n)
Let Z_2[X] be the set of polynomials whose coefficients are integers mod 2; e.g., X + 1 and X^6 + X^3 + 1 are in this set.
GF(p^n) has p^n elements, where p is prime: Z_p[X] mod an irreducible polynomial of degree n.
GF(2^8) = Z_2[X] (mod X^8 + X^4 + X^3 + X + 1)

57 Galois Field
For every power p^n of a prime p, there is exactly one finite field with p^n elements. It can be proved that two fields with p^n elements constructed by two different polynomials of degree n are isomorphic.

58 Multiplication in GF(2^n)
(X^7 + X^6 + X^3 + X + 1) · X = ? (mod X^8 + X^4 + X^3 + X + 1)
11001011, with b_7 = 1. Left shift one bit: b_6 b_5 b_4 b_3 b_2 b_1 b_0 0 = 10010110.
? = 110010110 + 100011011 = 10001101 = X^7 + X^3 + X^2 + 1

59 Linear Feedback Shift Register
X_{n+4} ≡ X_n + X_{n+1} (mod 2), a recurrence equation.
If the initial values are X_0 X_1 X_2 X_3 = 1101, the sequence is 1101011110001001101...
Associated with the recurrence is X^4 + X + 1, which is irreducible (mod 2).
The k-th bit can be obtained from X^k (1 + X + X^3) (mod X^4 + X + 1) for k ≥ 4.
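The shift-and-reduce multiplication of slide 58 written out for arbitrary operands in GF(2^8), and the LFSR of slide 59 generated both from its recurrence and from the polynomial closed form. This is an added example, not code from the slides; polynomial coefficients are stored as the bits of a Python int (so X^7 + X^6 + X^3 + X + 1 is 0b11001011), and the function names are my own.

```python
# Added example (not from the slides): GF(2)[X] arithmetic for slides 58-59.
AES_POLY = 0x11B        # X^8 + X^4 + X^3 + X + 1 (slide 56)
LFSR_POLY = 0b10011     # X^4 + X + 1 (slide 59)

def gf2_mulmod(a, b, mod):
    """Multiply two GF(2)[X] polynomials and reduce modulo `mod`.
    Each left shift of `a` is slide 58's 'multiply by X'; when the bit at the
    degree of the modulus becomes 1, xor the modulus to reduce."""
    deg = mod.bit_length() - 1
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:
            a ^= mod
    return result

def gf2_inverse(a, mod):
    """a^-1 in GF(2^n) as a^(2^n - 2), by square-and-multiply (a nonzero)."""
    n = mod.bit_length() - 1
    result, exp = 1, (1 << n) - 2
    while exp:
        if exp & 1:
            result = gf2_mulmod(result, a, mod)
        a = gf2_mulmod(a, a, mod)
        exp >>= 1
    return result

def lfsr_sequence(seed_bits, n):
    """X_{k+4} = X_k + X_{k+1} (mod 2) from 4 seed bits; first n bits as a string."""
    bits = list(seed_bits)
    while len(bits) < n:
        bits.append(bits[-4] ^ bits[-3])
    return "".join(str(b) for b in bits[:n])

def lfsr_bit_via_poly(k, init_poly=0b1011):
    """Slide 59's closed form: bit k is the constant term of
    X^k * (1 + X + X^3) mod (X^4 + X + 1)."""
    xk = 1
    for _ in range(k):
        xk = gf2_mulmod(xk, 0b10, LFSR_POLY)      # multiply by X, k times
    return gf2_mulmod(xk, init_poly, LFSR_POLY) & 1
```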
