Number-Theoretic Algorithms (UNIT-4)

ADVANCED ALGORITHMS : Number-Theoretic Algorithms (UNIT-4)

1. Elementary Number-theoretic Notions :
a) Divisibility and Divisors : The notation d | a (d divides a) means a = kd for some integer k. Here 'a' is a multiple of 'd', and if d ≠ 0 then d is a 'divisor' of a. The 'trivial divisors' of a are 1 and a. The nontrivial divisors of a are called the factors of a.
Ex-1 : Find the divisors and trivial divisors of 24.
The trivial divisors of 24 : 1, 24
The divisors of 24 : 1, 2, 3, 4, 6, 8, 12, and 24
The factors of 24 : 2, 3, 4, 6, 8, 12

b) Prime and Composite Numbers : An integer a > 1 whose only divisors are the trivial divisors 1 and a is a 'Prime Number'. An integer a > 1 which is not prime is called a 'Composite Number'.
Ex-2 : Find the first 5 prime numbers. 2, 3, 5, 7, 11
39 is a composite number since it is divisible by 3 (39 = 3 × 13).
1 is called the unit and is neither prime nor composite. Similarly, 0 and all negative numbers are neither prime nor composite.

TH-4.1 : Division Theorem : "For any integer 'a' and any positive integer 'n', there exist unique integers 'q' and 'r' such that 0 ≤ r < n and a = qn + r."
The value q = ⌊a/n⌋ is the quotient of the division.
The value r = a mod n is the remainder of the division.
Here n | a (n divides a) if and only if a mod n = 0.
Ex-3 : Find the quotient and remainder when 67 is divided by 12.
67 = 5 · 12 + 7, so the quotient is 5 and the remainder is 7.

c) Common Divisors & Greatest Common Divisor : If 'd' is a divisor of 'a' and 'd' is also a divisor of 'b', then 'd' is a common divisor of 'a' and 'b'.
Note : a) 1 is a common divisor of any two integers. b) If a | b and b | a then a = ±b.
Important Property : If d | a and d | b then d | (a + b) and d | (a - b). More generally, if d | a and d | b then d | (ax + by) for all integers x, y.
Ex-4 : Find all the common divisors of 24 and 30. ⇒ 1, 2, 3, 6

Greatest Common Divisor : The GCD of two integers a and b, not both zero, is the largest of the common divisors of a and b. gcd(24, 30) = 6
Note : gcd(a, 0) = |a|
Relatively Prime Integers : Two integers 'a' and 'b' are relatively prime if their only common divisor is 1, i.e., gcd(a, b) = 1.
Examples of relatively prime pairs : (8, 15), (10, 21)

TH-4.2 : If a and b are any two integers, not both zero, then gcd(a, b) is the smallest positive element of the set {ax + by : x, y integers}.
Ex-5 : Let a = 6 and b = 21. Find values of x, y with 6x + 21y = gcd(6, 21) = 3. One solution : x = 4, y = -1, since 6 · 4 + 21 · (-1) = 24 - 21 = 3.
TH-4.3 : For any integers a, b and p, if both gcd(a, p) = 1 and gcd(b, p) = 1, then gcd(ab, p) = 1.
TH-4.4 : For all primes p and all integers a and b, if p | ab then p | a or p | b (or both).
Unique Factorization : There is exactly one way to write any integer a > 1 as a product of the form a = p1^e1 · p2^e2 · … · pr^er, where all pi are prime, p1 < p2 < … < pr, and the ei are positive integers.

Common Divisors & GCD from prime factorizations : Let 'a' and 'b' be positive integers with
a = p1^e1 · p2^e2 · … · pr^er
b = p1^f1 · p2^f2 · … · pr^fr
(an exponent may be 0 when a prime divides only one of them). Then
gcd(a, b) = p1^min(e1, f1) · p2^min(e2, f2) · … · pr^min(er, fr)
Ex-6 : Let a = 90, b = 150. Find gcd(a, b) using the above rule.
Here a = 2 × 3² × 5 and b = 2 × 3 × 5², so gcd(a, b) = 2 × 3 × 5 = 30.

TH-4.5 : GCD recursion theorem : For any non-negative integer 'a' and any positive integer 'b', gcd(a, b) = gcd(b, a mod b).
Proof :
Case-1 : Let d = gcd(a, b) ⇒ d | a and d | b.
Here a mod b = a - qb where q = ⌊a/b⌋. Since a mod b is a linear combination of 'a' and 'b', d | (a mod b).
So d | b and d | (a mod b) ⇒ d | gcd(b, a mod b) ⇒ gcd(a, b) | gcd(b, a mod b) ….(1)

Case-2 : Let d = gcd(b, a mod b) ⇒ d | b and d | (a mod b).
Since a = qb + (a mod b) where q = ⌊a/b⌋, a is a linear combination of 'b' and 'a mod b' ⇒ d | a.
Hence d | a and d | b ⇒ d | gcd(a, b) ⇒ gcd(b, a mod b) | gcd(a, b) ….(2)
From (1) and (2), and since both gcds are positive, gcd(a, b) = gcd(b, a mod b). //

2. Euclid's Algorithm :
a) Euclid's Algorithm : Let a and b be non-negative integers.
EUCLID(a, b)
1 if b == 0
2     return a
3 else return EUCLID(b, a mod b)
Ex-7 : Find gcd(30, 21) using Euclid's algorithm.
EUCLID(30, 21) = EUCLID(21, 9) = EUCLID(9, 3) = EUCLID(3, 0) = 3.
This computation calls EUCLID recursively three times.

b) Extended Euclid's Algorithm : This algorithm also finds integers 'x' and 'y' with d = gcd(a, b) = ax + by.
EXTENDED-EUCLID(a, b)
1 if b == 0
2     return (a, 1, 0)
3 else (d', x', y') = EXTENDED-EUCLID(b, a mod b)
4     (d, x, y) = (d', y', x' - ⌊a/b⌋ y')
5     return (d, x, y)

In the above algorithm, d = ax + by and d' = bx' + (a mod b) y'. Because d = d', we have
ax + by = bx' + (a mod b) y' = bx' + (a - b⌊a/b⌋) y' = a y' + b (x' - ⌊a/b⌋ y')
So x = y' and y = x' - ⌊a/b⌋ y'.
Ex-8 : Find gcd(99, 78) and the corresponding x, y values using the EE algorithm.

Step-1 : a = 99, b = 78, ⌊a/b⌋ = 1, d = gcd(99, 78) = 3
The division steps are :
99 = 1 · 78 + 21
78 = 3 · 21 + 15
21 = 1 · 15 + 6
15 = 2 · 6 + 3
6 = 2 · 3 + 0
Back-substituting :
3 = 15 - 2 · 6 = 15 - 2 (21 - 1 · 15) = 3 · 15 - 2 · 21 = 3 (78 - 3 · 21) - 2 · 21 = 3 · 78 - 11 · 21 = 3 · 78 - 11 (99 - 1 · 78) = 3 · 78 - 11 · 99 + 11 · 78 = -11 · 99 + 14 · 78
⇒ 3 = gcd(99, 78) = -11 · 99 + 14 · 78, so x = -11, y = 14 …(1)

Step-2 : a = 78, b = 21, ⌊a/b⌋ = 3, d = gcd(78, 21) = 3
3 = 15 - 2 · 6 = 15 - 2 (21 - 1 · 15) = 3 · 15 - 2 · 21 = 3 (78 - 3 · 21) - 2 · 21 = 3 · 78 - 11 · 21
So x = 3, y = -11 ⇒ 3 = gcd(78, 21) = 3 · 78 - 11 · 21 …(2)

Step-3 : a = 21, b = 15, ⌊a/b⌋ = 1, d = gcd(21, 15) = 3
3 = 15 - 2 · 6 = 15 - 2 (21 - 1 · 15) = 3 · 15 - 2 · 21
So x = -2, y = 3 ⇒ 3 = gcd(21, 15) = -2 · 21 + 3 · 15 …(3)

Step-4 : a = 15, b = 6, ⌊a/b⌋ = 2, d = gcd(15, 6) = 3
3 = 15 - 2 · 6
So x = 1, y = -2 ⇒ 3 = gcd(15, 6) = 1 · 15 - 2 · 6 …(4)

Step-5 : a = 6, b = 3, ⌊a/b⌋ = 2, d = gcd(6, 3) = 3
6 = 2 · 3 + 0, and 3 = 0 · 6 + 1 · 3
So x = 0, y = 1 ⇒ 3 = gcd(6, 3) = 0 · 6 + 1 · 3 …(5)

Step-6 : a = 3, b = 0 (base case, ⌊a/b⌋ undefined), d = gcd(3, 0) = 3
3 = 1 · 3 + 0 · 0
So x = 1, y = 0 ⇒ 3 = gcd(3, 0) = 1 · 3 + 0 · 0 …(6)

So the final output of the EE algorithm, one row per recursive call, is :
a    b    ⌊a/b⌋   d    x     y
99   78   1       3    -11   14
78   21   3       3    3     -11
21   15   1       3    -2    3
15   6    2       3    1     -2
6    3    2       3    0     1
3    0    --      3    1     0
Each row's (x, y) is obtained from the row below it by x = y', y = x' - ⌊a/b⌋ y'.

3. Modular Arithmetic :
a) Group : A group (S, ⊕) is a set S together with a binary operation ⊕ defined on S for which the following properties hold :
i) Closure : For all a, b ∈ S, a ⊕ b ∈ S.
ii) Identity : There exists an element e ∈ S, called the identity of the group, such that a ⊕ e = e ⊕ a = a for all a ∈ S.
iii) Associativity : For all a, b, c ∈ S, we have (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c).
iv) Inverse : For each a ∈ S, there exists a unique element b ∈ S, called the inverse of 'a', such that a ⊕ b = b ⊕ a = e.

Abelian Group : A group (S, ⊕) is an 'Abelian Group' if it also satisfies the commutative property : a ⊕ b = b ⊕ a for all a, b ∈ S.
Finite Group : A group (S, ⊕) is a 'Finite Group' if |S| < ∞.
Sub-Group : If (S, ⊕) is a group, S' ⊆ S, and (S', ⊕) is also a group, then (S', ⊕) is a subgroup of (S, ⊕).
Galois Field : The set of integers {0, 1, 2, …, p-1} with addition and multiplication mod p, where p is a prime, is the finite field GF(p).

Multiplicative Inverse : The element b⁻¹ is the 'multiplicative inverse' of b in GF(p) if b · b⁻¹ mod p = 1. Every nonzero b in GF(p) has one, since gcd(b, p) = 1 for 0 < b < p.
Ex-9 : Find the multiplicative inverses of the following, where p = 7.
b    : 1 2 3 4 5 6
b⁻¹  : 1 4 5 2 3 6
Ex-10 : Find the multiplicative inverses of the following, where p = 11.
b    : 1 2 3 4 5 6 7 8 9 10
b⁻¹  : 1 6 4 3 9 2 8 7 5 10
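The following is an added example (not code from the original slides) that implements EUCLID and EXTENDED-EUCLID as given above, reproduces the row-per-call table of Ex-8, and uses the extended algorithm to compute the GF(p) inverse tables of Ex-9 and Ex-10. Function names are this example's own; the trace columns follow the slide table (a, b, ⌊a/b⌋, d, x, y).

```python
"""Euclid, extended Euclid and multiplicative inverses in GF(p).

Added example, not part of the original slides. extended_euclid() is the
slide's recursion: (d, x, y) = (d', y', x' - floor(a/b) * y').
"""
from __future__ import annotations


def euclid(a: int, b: int) -> int:
    """gcd(a, b) via gcd(a, b) = gcd(b, a mod b), iteratively (EUCLID)."""
    while b:
        a, b = b, a % b
    return abs(a)


def extended_euclid(a: int, b: int) -> tuple[int, int, int]:
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y (EXTENDED-EUCLID)."""
    if b == 0:
        return (a, 1, 0)
    d, x1, y1 = extended_euclid(b, a % b)
    # d = b*x1 + (a mod b)*y1 and a mod b = a - floor(a/b)*b, hence:
    return (d, y1, x1 - (a // b) * y1)


def extended_euclid_trace(a: int, b: int) -> list[tuple]:
    """Every (a, b, floor(a/b), d, x, y) row of the recursion, top call first."""
    rows: list[tuple] = []

    def go(a: int, b: int) -> tuple[int, int, int]:
        if b == 0:
            rows.append((a, b, None, a, 1, 0))   # base case: no quotient
            return (a, 1, 0)
        d, x1, y1 = go(b, a % b)
        x, y = y1, x1 - (a // b) * y1
        rows.append((a, b, a // b, d, x, y))
        return (d, x, y)

    go(a, b)
    rows.reverse()          # outermost call first, base case last
    return rows


def has_inverse(b: int, p: int) -> bool:
    """b is invertible mod p iff gcd(b, p) = 1 (always true for 0 < b < p prime)."""
    return euclid(b, p) == 1


def mod_inverse(b: int, p: int) -> int:
    """b^-1 mod p: the x in [0, p) with b*x = 1 (mod p), from a*x + p*y = 1."""
    d, x, _ = extended_euclid(b % p, p)
    if d != 1:
        raise ValueError(f"{b} has no inverse mod {p}: gcd = {d}")
    return x % p


def inverse_table(p: int) -> dict[int, int]:
    """Inverse of every nonzero element of GF(p), as in Ex-9 / Ex-10."""
    return {b: mod_inverse(b, p) for b in range(1, p)}


if __name__ == "__main__":
    for row in extended_euclid_trace(99, 78):   # Ex-8
        print(row)
    print(inverse_table(7))                      # Ex-9
    print(inverse_table(11))                     # Ex-10
```

Running the script prints the six rows of the Ex-8 table and the two inverse tables; `has_inverse` is the check to run before `mod_inverse` whenever the modulus is not known to be prime.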

Ex-11 : Let the moduli be p1 = 3, p2 = 5, p3 = 7 (so n = 105) and consider the integers 10 and 15.
Here 10 = (10 mod 3, 10 mod 5, 10 mod 7) = (1, 0, 3)
Here 15 = (15 mod 3, 15 mod 5, 15 mod 7) = (0, 0, 1)
Modular Addition : 10 + 15 = (25 mod 3, 25 mod 5, 25 mod 7) = (1, 0, 4), and componentwise ((1 + 0) mod 3, (0 + 0) mod 5, (3 + 1) mod 7) = (1, 0, 4)
Modular Subtraction : 15 - 10 = (5 mod 3, 5 mod 5, 5 mod 7) = (2, 0, 5), and componentwise ((0 - 1) mod 3, (0 - 0) mod 5, (1 - 3) mod 7) = (2, 0, 5)

Modular Multiplication : 10 × 15 = (150 mod 3, 150 mod 5, 150 mod 7) = (0, 0, 3), and componentwise ((1 × 0) mod 3, (0 × 0) mod 5, (3 × 1) mod 7) = (0, 0, 3)
Prime Divisors : The divisors of n which are prime numbers are called the 'Prime Divisors' of n.
Euler's Phi Function : For a given integer n > 0, φ(n) is the number of integers in {1, …, n} that are relatively prime to n. It is given by φ(n) = n · ∏ (1 - 1/p), the product taken over the distinct prime divisors p of n.
Ex-12 : Find φ(n) where n = 45.
φ(45) = 45 (1 - 1/3)(1 - 1/5) = 45 · (2/3) · (4/5) = 24

Basis for the Chinese Remainder Theorem :
Ex-13 : Find the smallest non-negative integer x that leaves remainders 2, 3 and 2 when divided by 3, 5 and 7 respectively. The answer : 23 (23 mod 3 = 2, 23 mod 5 = 3, 23 mod 7 = 2). Since 3 · 5 · 7 = 105, the full solution set is x ≡ 23 (mod 105).

4. Chinese Remainder Theorem :
TH : Let n = n1 · n2 · n3 … nk, where the ni are pairwise relatively prime. Then the correspondence
a ↔ (a1, a2, a3, …, ak), where ai = a mod ni for i = 1, 2, 3, …, k,
is a bijection between Zn and Zn1 × Zn2 × … × Znk : every a in [0, n) is determined by its residues, and every residue vector comes from exactly one such a. Given the residues ai, the problem is to find 'a'.

Construction (proof of the reverse direction) : Define mi = n / ni for i = 1, 2, 3, …, k, i.e., mi = n1 · n2 … ni-1 · ni+1 … nk. Since the nj are pairwise relatively prime, gcd(mi, ni) = 1, so mi has an inverse modulo ni.
Now let ci = mi · (mi⁻¹ mod ni) for i = 1, 2, …, k. Then ci ≡ 1 (mod ni) and ci ≡ 0 (mod nj) for every j ≠ i.
Finally, the value of 'a' is : a ≡ (a1 c1 + a2 c2 + a3 c3 + … + ak ck) (mod n)
Ex-14 : Find the value of 'a' for the following congruences using the Chinese Remainder Theorem :
a ≡ 2 (mod 5)
a ≡ 3 (mod 13)

Here a1 = 2, n1 = 5, m1 = 13; a2 = 3, n2 = 13, m2 = 5; n = 65.
Because 13⁻¹ ≡ 2 (mod 5) (13 · 2 = 26 ≡ 1) and 5⁻¹ ≡ 8 (mod 13) (5 · 8 = 40 ≡ 1), we have
c1 = 13 · (13⁻¹ mod 5) = 13 · 2 = 26
c2 = 5 · (5⁻¹ mod 13) = 5 · 8 = 40
a ≡ 2 · 26 + 3 · 40 (mod 65) ≡ 52 + 120 (mod 65) ≡ 172 (mod 65) ≡ 42
Check : 42 mod 5 = 2 and 42 mod 13 = 3.
Ex-15 : Find the value of 'x' using the CRT, where x ≡ 4 (mod 5) and x ≡ 5 (mod 11). The answer is : 49 (49 mod 5 = 4, 49 mod 11 = 5).
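As an added example (not code from the original slides), the CRT construction above in both directions: `to_residues` is the forward map, `crt` rebuilds a from its residues with the slide's ci = mi · (mi⁻¹ mod ni), and `residue_op` checks the componentwise arithmetic of Ex-11. Function names are this example's own; the inverses come from Python's `pow(x, -1, m)` (3.8+), and the pairwise-coprime check is the hypothesis the theorem needs.

```python
"""Chinese Remainder Theorem: residue map and its inverse (Ex-11, Ex-13 to Ex-15).

Added example, not part of the original slides.
"""
from math import gcd, prod


def pairwise_coprime(moduli) -> bool:
    """The CRT hypothesis: gcd(n_i, n_j) = 1 for every i != j."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def to_residues(a: int, moduli) -> tuple:
    """Forward direction: a -> (a mod n_1, ..., a mod n_k)."""
    return tuple(a % n for n in moduli)


def crt_terms(moduli) -> list:
    """(m_i, m_i^-1 mod n_i, c_i) for each modulus, as written out in Ex-14.
    c_i = 1 (mod n_i) and c_i = 0 (mod n_j) for j != i."""
    n = prod(moduli)
    out = []
    for n_i in moduli:
        m_i = n // n_i
        inv = pow(m_i, -1, n_i)       # exists because gcd(m_i, n_i) = 1
        out.append((m_i, inv, m_i * inv))
    return out


def crt(residues, moduli) -> int:
    """Reverse direction: the unique a in [0, n) with a = a_i (mod n_i) for all i."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus")
    if not pairwise_coprime(moduli):
        raise ValueError("CRT needs pairwise relatively prime moduli")
    n = prod(moduli)
    a = sum(a_i * c_i for a_i, (_, _, c_i) in zip(residues, crt_terms(moduli)))
    return a % n


def residue_op(x: int, y: int, moduli, op) -> tuple:
    """Componentwise op on residue vectors; equals to_residues(op(x, y)) (Ex-11)."""
    xs, ys = to_residues(x, moduli), to_residues(y, moduli)
    return tuple(op(xi, yi) % n for xi, yi, n in zip(xs, ys, moduli))


if __name__ == "__main__":
    print(crt_terms([5, 13]), crt([2, 3], [5, 13]))   # Ex-14: [(13, 2, 26), (5, 8, 40)] 42
    print(crt([2, 3, 2], [3, 5, 7]))                   # Ex-13: 23
```

The pairwise-coprime check matters in practice: with moduli that share a factor the system may have no solution or several, and a solver that silently returns one of them is a bug.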

5. Powers of an Element : Consider the sequence of powers of 'a' modulo n, where a ∈ Zn*. For example, with n = 7 :
i           0 1 2 3 4 5 6 7 8 9
3^i mod 7   1 3 2 6 4 5 1 3 2 6
2^i mod 7   1 2 4 1 2 4 1 2 4 1
Now the subgroups generated are <2> = {1, 2, 4} in Z7* and <3> = {1, 3, 2, 6, 4, 5} = Z7*, so 3 generates Z7* and 2 does not.
Here ord7(2) = 3 and ord7(3) = 6 (the order of a is the smallest t > 0 with a^t ≡ 1 (mod n)).

6 (a) Euler's Theorem : For any integer n > 1, a^φ(n) ≡ 1 (mod n) for all a ∈ Zn*.
6 (b) Fermat's Theorem : If p is a prime, then a^(p-1) ≡ 1 (mod p) for all a ∈ Zp* (i.e., all a not divisible by p).
Note that if p is a prime, then φ(p) = p - 1, so Fermat's theorem is the case n = p of Euler's theorem.
Ex-16 : Verify Euler's theorem for n = 7, φ(n) = 6, and a ∈ {1, 2, 4}.
1^6 = 1 ≡ 1 (mod 7); 2^6 = 64 = 9 · 7 + 1 ≡ 1 (mod 7); 4^6 = 4096 = 585 · 7 + 1 ≡ 1 (mod 7).
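The following added example (not code from the original slides) computes the power tables of section 5, the multiplicative order of each element of Zn*, and the generators of Zn*, and checks Euler's and Fermat's theorems for every element rather than for the three values of Ex-16. Function names are this example's own; φ(n) is taken as |Zn*| rather than from the product formula.

```python
"""Powers of an element, multiplicative order, generators, Euler/Fermat checks.

Added example, not part of the original slides.
"""
from math import gcd


def units(n: int) -> list:
    """Z_n^* = elements of {1, ..., n-1} coprime to n; len(units(n)) == phi(n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def powers(a: int, n: int, count: int) -> list:
    """[a^0, a^1, ..., a^(count-1)] mod n: one row of the slide's power table."""
    out, x = [], 1
    for _ in range(count):
        out.append(x)
        x = (x * a) % n
    return out


def order(a: int, n: int) -> int:
    """ord_n(a): the least k >= 1 with a^k = 1 (mod n). Requires gcd(a, n) = 1,
    otherwise the powers never return to 1 and this would loop forever."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generators(n: int) -> list:
    """Elements whose powers produce all of Z_n^*, i.e. ord_n(a) == phi(n)."""
    phi = len(units(n))
    return [a for a in units(n) if order(a, n) == phi]


def euler_holds(n: int) -> bool:
    """a^phi(n) = 1 (mod n) for every a in Z_n^*, and ord_n(a) divides phi(n)."""
    phi = len(units(n))
    return all(pow(a, phi, n) == 1 and phi % order(a, n) == 0 for a in units(n))


if __name__ == "__main__":
    print(powers(3, 7, 10), powers(2, 7, 10))   # the two rows of the slide table
    print(order(2, 7), order(3, 7), generators(7))
    print(len(units(45)), euler_holds(45))      # phi(45) = 24, Euler holds
```

Generators are the elements one wants for Diffie-Hellman-style constructions: an element of small order (like 2 mod 7) generates only a small subgroup, which is why implementations validate the order of the base and of received public values.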

7. RSA Cryptosystem : In the RSA cryptosystem, the public and private keys are generated as follows :
a) Select at random two large prime numbers p and q such that p ≠ q.
b) Compute n = pq.
c) Select a small odd integer 'e' that is relatively prime to p - 1 and q - 1 (the public exponent).
d) Compute the integer 'd' (the private exponent) from e, p and q such that de ≡ 1 (mod L), where L = lcm(p - 1, q - 1). (Using φ(n) = (p - 1)(q - 1) in place of L also gives a valid d; L is the smallest modulus that works.)

e) Publish P = (e, n) as the RSA public key and keep S = (d, n) as the RSA secret key.
Here c = ENCRYPT(m) = m^e mod n and m = DECRYPT(c) = c^d mod n, for messages 0 ≤ m < n.
Ex-17 : Apply the RSA algorithm for p = 5, q = 11, e = 3.
Here n = pq = 55, φ(n) = 40 and L = lcm(4, 10) = 20. d satisfies ed ≡ 1 (mod L), i.e., 3d ≡ 1 (mod 20), so d = 7 (3 · 7 = 21 ≡ 1).

Let A = message m, B = m² mod n, C = m³ mod n (encrypted message c), D = c² mod n, E = c³ mod n, F = c⁶ mod n, G = c⁷ mod n (decrypted message). The columns D, E, F, G are the square-and-multiply steps of computing c⁷ = c^d.
A   B    C    D    E    F    G
0   0    0    0    0    0    0
1   1    1    1    1    1    1
2   4    8    9    17   14   2
3   9    27   14   48   49   3
4   16   9    26   14   31   4
5   25   15   5    20   15   5
6   36   51   16   46   26   6
7   49   13   4    52   9    7
8   9    17   14   18   49   8
9   26   14   31   49   36   9
Here the first column is the message sent, the third column is the cipher text, and the last column is the decrypted message, which equals the message sent.
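As an added example (not code from the original slides), the key setup of steps a) to e) with d = e⁻¹ mod lcm(p - 1, q - 1), the encrypt/decrypt maps, and a generator for the A..G table of Ex-17. Function names are this example's own. The toy modulus 55 is only for checking the arithmetic: textbook RSA on bare integers is deterministic and malleable, and real deployments use primes of at least 1024 bits each together with a padding scheme (OAEP for encryption, PSS for signatures).

```python
"""Toy RSA with the slide's key setup (d = e^-1 mod lcm(p-1, q-1)).

Added example, not part of the original slides. No padding: for the
arithmetic of Ex-17 only, never for protecting data.
"""
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def rsa_keygen(p: int, q: int, e: int):
    """Steps a)-e): return ((e, n), (d, n)) with d*e = 1 (mod lcm(p-1, q-1))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    if e % 2 == 0 or gcd(e, p - 1) != 1 or gcd(e, q - 1) != 1:
        raise ValueError("e must be odd and relatively prime to p-1 and q-1")
    n = p * q
    L = lcm(p - 1, q - 1)
    d = pow(e, -1, L)             # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub) -> int:
    """ENCRYPT(m) = m^e mod n, for 0 <= m < n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, priv) -> int:
    """DECRYPT(c) = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


def rsa_table(p: int, q: int, e: int, messages) -> list:
    """Rows (m, m^2, m^3 = c, c^2, c^3, c^6, c^7) mod n for the slide's e = 3, d = 7.
    c^2, c^3, c^6, c^7 are the left-to-right square-and-multiply steps for
    d = 7 = 111 in binary, which is why the slide lists exactly those columns."""
    (e, n), (d, _) = rsa_keygen(p, q, e)
    if (e, d) != (3, 7):
        raise ValueError("this table layout is specific to e = 3, d = 7")
    rows = []
    for m in messages:
        c = rsa_encrypt(m, (e, n))
        c2 = c * c % n
        c3 = c2 * c % n
        c6 = c3 * c3 % n
        c7 = c6 * c % n
        rows.append((m, m * m % n, c, c2, c3, c6, c7))
    return rows


def roundtrip_ok(p: int, q: int, e: int) -> bool:
    """DECRYPT(ENCRYPT(m)) == m for every m in [0, n). This holds for all m,
    not only those coprime to n, because n = pq is square-free."""
    pub, priv = rsa_keygen(p, q, e)
    return all(rsa_decrypt(rsa_encrypt(m, pub), priv) == m for m in range(pub[1]))


if __name__ == "__main__":
    print(rsa_keygen(5, 11, 3))                # ((3, 55), (7, 55))
    for row in rsa_table(5, 11, 3, range(10)):
        print(row)
```

Note that with φ(n) = 40 instead of L = 20 one would get d = 27; both exponents decrypt correctly, since 27 ≡ 7 (mod 20).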

8. Primality Testing :
a) Carmichael number : A Carmichael number is a composite positive integer n which satisfies b^(n-1) ≡ 1 (mod n) for all integers 'b' which are relatively prime to 'n'. Such an n passes the Fermat test for every coprime base, so the Fermat test alone cannot detect it.
Def (Korselt's criterion) : A positive composite integer 'n' is a Carmichael number iff 'n' is square-free and for all prime divisors p of n, (p - 1) | (n - 1).
The first Carmichael number is 561 = 3 · 11 · 17 (2, 10 and 16 all divide 560).

The procedure MILLER-RABIN is a probabilistic search for a proof that n is composite. In the following procedure, 's' is the number of times the value of 'a' is to be chosen at random; when n is composite, a random 'a' fails to be a witness with probability at most 1/2, so the answer PRIME is wrong with probability at most 2^(-s).
b) MILLER-RABIN(n, s)
1 for j = 1 to s
2     a = RANDOM(1, n - 1)
3     if WITNESS(a, n)
4         return COMPOSITE
5 return PRIME

c) WITNESS(a, n)
1 let t and u be such that t ≥ 1, u is odd, and n - 1 = 2^t u
2 x0 = MODULAR-EXPONENTIATION(a, u, n)
3 for i = 1 to t
4     xi = x(i-1)² mod n
5     if xi == 1 and x(i-1) ≠ 1 and x(i-1) ≠ n - 1
6         return TRUE
7 if xt ≠ 1
8     return TRUE
9 return FALSE
Line 5 catches a nontrivial square root of 1 modulo n, which cannot exist when n is prime; line 7 is the Fermat test a^(n-1) ≢ 1 (mod n).

d) MODULAR-EXPONENTIATION(a, b, n)
1 c = 0
2 d = 1
3 let (bk, bk-1, …, b1, b0) be the binary representation of b
4 for i = k downto 0
5     c = 2c
6     d = (d · d) mod n
7     if bi == 1
8         c = c + 1
9         d = (d · a) mod n
10 return d
The loop invariant is d = a^c mod n, where c is the prefix of b read so far; when the loop ends c = b, so d = a^b mod n.

Ex-18 : Let 'n' be the Carmichael number n = 561. So here n - 1 = 560. Writing n - 1 = 2^t u with u odd gives t = 4 and u = 35 (560 = 16 · 35).
Let the value of 'a' chosen by the algorithm be 7.
From the WITNESS algorithm, find the value of x0. Here, call MODULAR-EXPONENTIATION(a, u, n) with a = 7, u = 35 and n = 561. The binary representation of 35 is 100011.

i     init   5    4     3      2      1      0
bi    --     1    0     0      0      1      1
c     0      1    2     4      8      17     35
d     1      7    49    157    526    160    241
Here d = a^c mod n after every step, and at the end c = b = u.
From above, the value of 'd' returned is 241, so x0 ≡ a^35 ≡ 241 (mod 561).
Note : Further squarings give a^70 ≡ 298 (mod n), a^140 ≡ 166 (mod n), a^280 ≡ 67 (mod n), a^560 ≡ 1 (mod n).

So the sequence (x0, x1, x2, x3, x4) is (241, 298, 166, 67, 1).
Thus WITNESS reaches 1 in the last squaring step (a^560 ≡ 1 (mod n), as the Fermat test expects for a Carmichael number), but it got there from x3 = 67, which is neither 1 nor n - 1 = 560. So 67 is a nontrivial square root of 1 modulo 561, which is impossible if 561 is prime.
Therefore a = 7 is a witness to the compositeness of 'n' : WITNESS(7, n) returns TRUE at line 6, and MILLER-RABIN returns COMPOSITE, even though the Fermat test on its own (line 7) would not have caught it.
Note : 561 = 3 · 11 · 17
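The following added example (not code from the original slides) implements MODULAR-EXPONENTIATION with the (c, d) trace of Ex-18, WITNESS returning the x0..xt sequence, and MILLER-RABIN with an injectable random source, so the n = 561, a = 7 run above can be reproduced exactly. Function names are this example's own; the default base selection uses the OS CSPRNG via `secrets`, and the Fermat-only check is included to show what a Carmichael number defeats.

```python
"""MODULAR-EXPONENTIATION, WITNESS and MILLER-RABIN from the slides, instrumented.

Added example, not part of the original slides.
"""
import secrets
from math import gcd


def modular_exponentiation(a: int, b: int, n: int):
    """Left-to-right square-and-multiply. Returns (a^b mod n, trace), where trace
    holds one (i, b_i, c, d) row per processed bit, with d == a^c mod n."""
    bits = bin(b)[2:] if b > 0 else "0"
    k = len(bits) - 1
    c, d = 0, 1
    rows = [("init", None, c, d)]
    for i, bit in zip(range(k, -1, -1), bits):
        c = 2 * c
        d = (d * d) % n
        if bit == "1":
            c = c + 1
            d = (d * a) % n
        rows.append((i, int(bit), c, d))
    return d, rows


def witness(a: int, n: int):
    """(True, seq) if a proves n composite, else (False, seq); seq = (x_0, ..., x_t)."""
    t, u = 0, n - 1
    while u % 2 == 0:            # n - 1 = 2^t * u with u odd
        t += 1
        u //= 2
    x, _ = modular_exponentiation(a, u, n)
    seq = [x]
    for _ in range(t):
        prev, x = x, (x * x) % n
        seq.append(x)
        if x == 1 and prev != 1 and prev != n - 1:
            return True, seq     # nontrivial square root of 1: n is composite
    return x != 1, seq           # a^(n-1) != 1: Fermat test fails, n composite


def miller_rabin(n: int, s: int, rand=None) -> str:
    """'COMPOSITE' is always correct; 'PRIME' is wrong with probability <= 2^-s.
    rand(lo, hi) returns an integer in [lo, hi]; default is the OS CSPRNG."""
    if n < 4 or n % 2 == 0:
        return "PRIME" if n in (2, 3) else "COMPOSITE"   # n <= 1 reported as not prime
    if rand is None:
        rand = lambda lo, hi: lo + secrets.randbelow(hi - lo + 1)
    for _ in range(s):
        a = rand(1, n - 1)
        if witness(a, n)[0]:
            return "COMPOSITE"
    return "PRIME"


def fermat_passes_all_coprime_bases(n: int) -> bool:
    """a^(n-1) = 1 (mod n) for every a in [2, n) coprime to n: true for every
    prime and for every Carmichael number, so the Fermat test alone is not enough."""
    return all(pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1)


if __name__ == "__main__":
    d, rows = modular_exponentiation(7, 35, 561)
    for row in rows:
        print(row)                               # the (i, b_i, c, d) table of Ex-18
    print(witness(7, 561))                       # (True, [241, 298, 166, 67, 1])
    print(miller_rabin(561, 10), fermat_passes_all_coprime_bases(561))
```

Passing a fixed `rand` (as the test does) pins the base to 7 for the Ex-18 run; in production the base must come from a CSPRNG, because an attacker who can predict the bases can craft composites that pass.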

9. Integer Factorization : This is the process of writing an integer as a product of primes.
Pollard's rho heuristic : This heuristic finds a nontrivial divisor of the given integer n; repeating it on the divisors found yields the prime factorization.
POLLARD-RHO(n)
1 i = 1
2 x1 = RANDOM(0, n - 1)
3 y = x1
4 k = 2

5 while TRUE
6     i = i + 1
7     xi = (x(i-1)² - 1) mod n
8     d = gcd(y - xi, n)
9     if d ≠ 1 and d ≠ n
10        print d
11    if i == k
12        y = xi
13        k = 2k
Note : The above algorithm prints nontrivial divisors of n as it finds them; a printed divisor is not necessarily prime, and the loop never terminates on its own. It is a heuristic : a prime factor p of n is expected to show up after about √p iterations, but it can also miss factors (for instance when the cycles modulo every prime factor close at the same step, so that d = n), in which case one restarts with a different x1 or a different step function.

Ex-19 : Pollard's Rho Heuristic. Let n = 1387.
Initialization : i = 1, x1 = 2, y = 2, k = 2

STEP-1 : i = 2, x2 = (x1² - 1) mod n = 3, d = gcd(y - x2, n) = gcd(-1, 1387) = 1; (d ≠ 1 and d ≠ n) FALSE; (i == k) TRUE ⇒ y = 3, k = 4

STEP-2 : i = 3, x3 = (x2² - 1) mod n = 8, d = gcd(3 - 8, 1387) = 1; (d ≠ 1 and d ≠ n) FALSE; (i == k) FALSE
STEP-3 : i = 4, x4 = (x3² - 1) mod n = 63, d = gcd(3 - 63, 1387) = 1; (d ≠ 1 and d ≠ n) FALSE; (i == k) TRUE ⇒ y = 63, k = 8

STEP-4 : i = 5, x5 = (x4² - 1) mod n = 3968 mod 1387 = 1194, d = gcd(63 - 1194, 1387) = 1; (d ≠ 1 and d ≠ n) FALSE; (i == k) FALSE
STEP-5 : i = 6, x6 = (x5² - 1) mod n = 1186, d = gcd(63 - 1186, 1387) = 1; (d ≠ 1 and d ≠ n) FALSE; (i == k) FALSE

STEP-6 : i = 7, x7 = (x6² - 1) mod n = 177, d = gcd(63 - 177, 1387) = gcd(-114, 1387) = 19 (114 = 2 · 3 · 19); (d ≠ 1 and d ≠ n) TRUE ⇒ print d = 19; (i == k) FALSE
If the process is continued, we get the other factor, 73 (1387 = 19 · 73). The relation among the xi values is shown in the figure below :

Figure (rho shape of the xi sequence for n = 1387) : the tail x1 = 2 → x2 = 3 → x3 = 8 → x4 = 63 → x5 = 1194 leads into the cycle x6 = 1186 → x7 = 177 → 814 → 996 → 310 → 396 → 84 → 120 → 529 → 1053 → 595 → 339 → 1186 (repeats).
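As an added example (not code from the original slides), POLLARD-RHO exactly as written above (step xi = x(i-1)² - 1, y saved at i = 2, 4, 8, …), instrumented to return the divisor it would print, the index at which it was found, and the visited xi, plus a driver that recurses on the divisors to obtain the prime factorization. Function names are this example's own; `x1` is a parameter (the slide fixes x1 = 2 for n = 1387) so the trace is reproducible, the default being a random start as in the pseudocode, and the bounded loop plus trial-division fallback handle the cases where the heuristic fails.

```python
"""POLLARD-RHO from the slides, instrumented, with a factorization driver.

Added example, not part of the original slides.
"""
from __future__ import annotations

import secrets
from math import gcd


def is_prime_trial(n: int) -> bool:
    """Deterministic primality by trial division; fine for the small n here."""
    if n < 2:
        return False
    p = 2
    while p * p <= n:
        if n % p == 0:
            return False
        p += 1
    return True


def pollard_rho(n: int, x1: int | None = None, max_iter: int = 1_000_000):
    """Return (d, i, xs): the first nontrivial divisor d, the index i at which
    gcd(y - x_i, n) produced it, and the visited x_1..x_i. Returns (None, i, xs)
    if no divisor appears within max_iter steps (the heuristic can fail, e.g.
    when d == n keeps coming back; retry with another x1 or step function)."""
    if n % 2 == 0:
        return 2, 1, []
    if x1 is None:
        x1 = secrets.randbelow(n)         # RANDOM(0, n - 1)
    i, x, y, k = 1, x1, x1, 2
    xs = [x1]
    while i < max_iter:
        i += 1
        x = (x * x - 1) % n               # x_i = (x_{i-1}^2 - 1) mod n
        xs.append(x)
        d = gcd(y - x, n)
        if d != 1 and d != n:
            return d, i, xs               # the slide's "print d"
        if i == k:                        # save x_k for k = 2, 4, 8, ...
            y, k = x, 2 * k
    return None, i, xs


def factor(n: int, x1: int | None = None) -> list:
    """Prime factorization by recursive rho. A divisor rho finds need not be
    prime, so both d and n // d are factored again until only primes remain."""
    if n < 2:
        return []
    if is_prime_trial(n):
        return [n]
    d, _, _ = pollard_rho(n, x1)
    if d is None:                         # rho failed for this start: fall back
        d = next(p for p in range(2, n) if n % p == 0)
    return sorted(factor(d, x1) + factor(n // d, x1))


if __name__ == "__main__":
    print(pollard_rho(1387, 2))           # (19, 7, [2, 3, 8, 63, 1194, 1186, 177])
    print(factor(1387, 2))                # [19, 73]
```

With x1 = 2 the divisor 19 appears at i = 7, as in the STEP-6 trace; the driver then factors 73 directly. On 561 the same start finds 3 first and the cofactor 187 must be split again, which is the point of recursing rather than trusting a printed divisor to be prime.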