Elliptic curves: Theory and Applications. Day 3: Counting points.

1 Elliptic curves: Theory and Applications. Day 3: Counting points.
Elisa Lorenzo García, Université de Rennes 1.
Elisa Lorenzo García (Rennes 1) Elliptic Curves / 26

2 Counting points: basic idea
Let E be the curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$. To count points on E, we make a list of the possible values of x, then of $x^3 + x + 1 \pmod 5$, then of the square roots y of $x^3 + x + 1 \pmod 5$. This yields the points on E. Therefore, $E(\mathbb{F}_5)$ has order 9 (the 8 affine points below plus the point at infinity). The complexity is O(q).

x | x^3 + x + 1 (mod 5) | y | Points
0 | 1 | ±1 | (0, 1), (0, 4)
1 | 3 | none (3 is not a square mod 5) |
2 | 1 | ±1 | (2, 1), (2, 4)
3 | 1 | ±1 | (3, 1), (3, 4)
4 | 4 | ±2 | (4, 2), (4, 3)

4 Complexity
In order to define the complexity properly, we have to fix the available operations and their cost. In arithmetic complexity, the operations with integers have unit cost: addition, subtraction, multiplication and division. For an algorithm we always give the worst-case complexity.
Example. The complexity of computing n! is O(n).
The notation O(·). The meaning of $f(n) = O(g(n))$ as $n \to \infty$ is that there exist $K > 0$ and $A > 0$ such that for all $n > A$ one has $f(n) \le K\,g(n)$.
Example. $O(3x\log(x)) = O(x^5)$.

5 Counting points: another basic idea
Theorem. Let E be an elliptic curve defined by $y^2 = x^3 + Ax + B$ over $\mathbb{F}_q$. Then
$$\#E(\mathbb{F}_q) = q + 1 + \sum_{x \in \mathbb{F}_q} \left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right).$$
Corollary. Let $x^3 + Ax + B$ be a polynomial with $A, B \in \mathbb{F}_q$, where q is odd. Then
$$\left|\sum_{x \in \mathbb{F}_q} \left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right)\right| \le 2\sqrt{q}.$$
Again the complexity is O(q).
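As an added example (not part of the slides), the two O(q) counts of slides 2 and 5 in Python, run on the slides' curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$, together with a check of the corollary's bound; the function names are my own.

```python
# Added example: the two O(q) point counts from slides 2 and 5.
# Curve: y^2 = x^3 + A x + B over F_p, p an odd prime.

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_by_listing(A, B, p):
    """Slide 2: for each x, collect the square roots y of x^3 + Ax + B mod p.
    Returns (#E(F_p), affine points); the +1 is the point at infinity."""
    points = []
    for x in range(p):
        rhs = (x ** 3 + A * x + B) % p
        points.extend((x, y) for y in range(p) if y * y % p == rhs)
    return len(points) + 1, points

def count_by_character_sum(A, B, p):
    """Slide 5: #E(F_p) = p + 1 + sum over x in F_p of ((x^3 + Ax + B) / F_p)."""
    return p + 1 + sum(legendre(x ** 3 + A * x + B, p) for x in range(p))

def hasse_holds(A, B, p):
    """Corollary: |#E - (p + 1)| <= 2 sqrt(p), checked without floating point."""
    n = count_by_character_sum(A, B, p)
    return (n - (p + 1)) ** 2 <= 4 * p

if __name__ == "__main__":
    n, pts = count_by_listing(1, 1, 5)            # the slide's curve over F_5
    print(n, pts)                                 # 9 and the 8 affine points
    print(count_by_character_sum(1, 1, 5))        # 9 again, via the character sum
```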

6 Counting points: Baby Step - Giant Step
Let $P \in E(\mathbb{F}_q)$. We want to find an integer k such that $kP = \infty$. Let $\#E(\mathbb{F}_q) = N$. Then $NP = \infty$. We do not know N yet, but we know that $q + 1 - 2\sqrt{q} \le N \le q + 1 + 2\sqrt{q}$. We could try all values of N in this range and see which ones satisfy $NP = \infty$. This takes around $4\sqrt{q}$ steps. However, it is possible to speed this up to around $4q^{1/4}$ steps by the following algorithm.
1. Compute $Q = (q + 1)P$.
2. Choose an integer m with $m > q^{1/4}$. Compute and store the points jP for j = 0, 1, 2, ..., m.
3. Compute the points $Q + k(2mP)$ for k = −m, −(m − 1), ..., m until there is a match $Q + k(2mP) = \pm jP$ with a point (or its negative) on the stored list.

7 Counting points: Baby Step - Giant Step
4. Conclude that $(q + 1 + 2mk \mp j)P = \infty$. Let $M = q + 1 + 2mk \mp j$.
5. Factor M. Let $p_1, \dots, p_r$ be the distinct prime factors of M.
6. Compute $(M/p_i)P$ for i = 1, ..., r. If $(M/p_i)P = \infty$ for some i, replace M with $M/p_i$ and go back to step (5). If $(M/p_i)P \ne \infty$ for all i, then M is the order of the point P.
7. If we are looking for $\#E(\mathbb{F}_q)$, then repeat steps (1)-(6) with randomly chosen points in $E(\mathbb{F}_q)$ until the least common multiple of the orders divides only one integer N with $q + 1 - 2\sqrt{q} \le N \le q + 1 + 2\sqrt{q}$. Then $N = \#E(\mathbb{F}_q)$.
Remarks: Assuming that there is a match, this method clearly produces an integer that annihilates P. But why is there a match? Why does step (6) yield the order of P?

8 Counting points: Baby Step - Giant Step
To save storage space, it might be more efficient to store only the x-coordinates of the points jP (along with the corresponding integer j), since looking for a match with ±jP only requires the x-coordinate. When a match is found, the two possible y-coordinates can be recomputed.
Computing $Q + k(2mP)$ can be done by computing Q and 2mP once and for all. To get from $Q + k(2mP)$ to $Q + (k + 1)(2mP)$, simply add 2mP rather than recomputing everything. Similarly, once jP has been computed, add P to get (j + 1)P.
We are assuming that we can factor M. If not, we can at least find all the small prime factors $p_i$ and check that $(M/p_i)P \ne \infty$ for these. Then M will be a good candidate for the order of P.
Why is the method called Baby Step - Giant Step? The baby steps are from a point jP to (j + 1)P. The giant steps are from a point k(2mP) to (k + 1)(2mP), since we take the bigger step 2mP.

9 Counting points: Baby Step - Giant Step
Example. Let E be the elliptic curve $y^2 = x^3 - 10x + 21$ over $\mathbb{F}_{557}$. Let P = (2, 3). We follow the BS-GS algorithm.
1. Q = 558P = (418, 33).
2. Let m = 5, which is greater than $557^{1/4}$. The list of jP is ∞, (2, 3), (58, 164), (44, 294), (56, 339), (132, 364).
3. When k = 1, we have $Q + k(2mP) = (2, 3)$, which matches the point on our list for j = 1.
4. We have $(q + 1 + 2mk - j)P = 567P = \infty$.
5. Factor $567 = 3^4 \cdot 7$. Compute $(567/3)P = 189P = \infty$. We now have 189 as a candidate for the order of P.
6. Factor $189 = 3^3 \cdot 7$. Compute $(189/3)P = 63P = (38, 535)$ and $(189/7)P = 27P = (136, 360)$. Therefore 189 is the order of P.
Hence, $\#E(\mathbb{F}_{557}) = 567$.
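Added example, not from the slides: the BS-GS procedure of slides 6 to 9 in Python, run on $E: y^2 = x^3 - 10x + 21$ over $\mathbb{F}_{557}$ with P = (2, 3). It stores only x-coordinates as slide 8 suggests and takes each giant step by a single addition of 2mP; all function names are my own.

```python
# Added example: Baby Step - Giant Step for the order of a point (slides 6-9).
from math import isqrt

INF = None  # the point at infinity

def ec_add(P, Q, A, p):
    """Add affine points on y^2 = x^3 + Ax + B over F_p (B is not needed)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                 # P = -Q
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_neg(P, p):
    return INF if P is INF else (P[0], (-P[1]) % p)

def ec_mul(k, P, A, p):
    """kP by double-and-add; a negative k multiplies -P."""
    if k < 0:
        k, P = -k, ec_neg(P, p)
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P, A, p)
        P = ec_add(P, P, A, p)
        k >>= 1
    return R

def prime_factors(n):
    """Distinct prime factors by trial division (step 5; M is small here)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs

def bsgs_annihilator(P, A, p, m):
    """Steps 1-4: return M = q + 1 + 2mk -/+ j with M*P = infinity."""
    Q = ec_mul(p + 1, P, A, p)                      # step 1
    baby, R = {}, INF                                # step 2: x-coordinate -> (j, y)
    for j in range(1, m + 1):
        R = ec_add(R, P, A, p)                       # R = jP, one baby step each time
        if R is not INF:
            baby.setdefault(R[0], (j, R[1]))
    giant = ec_mul(2 * m, P, A, p)                   # 2mP, computed once
    S = ec_add(Q, ec_mul(-m, giant, A, p), A, p)     # Q + (-m)(2mP)
    for k in range(-m, m + 1):                       # step 3: one giant step per k
        if S is INF:                                 # match with j = 0
            return p + 1 + 2 * m * k
        if S[0] in baby:
            j, yj = baby[S[0]]
            sign = 1 if S[1] == yj else -1           # S = +jP or S = -jP
            return p + 1 + 2 * m * k - sign * j      # step 4
        S = ec_add(S, giant, A, p)
    raise ValueError("no match; increase m")

def point_order(P, A, p, m):
    """Steps 5-6: divide M by a prime while (M/l)P is still infinity."""
    M = bsgs_annihilator(P, A, p, m)
    while True:
        for l in sorted(prime_factors(M)):
            if ec_mul(M // l, P, A, p) is INF:
                M //= l
                break
        else:
            return M

def curve_order_from_point_order(n, p):
    """Step 7 with a single point: the multiples of n in the Hasse interval
    q + 1 - 2 sqrt(q) <= N <= q + 1 + 2 sqrt(q); None unless exactly one."""
    lo = p + 1 - 2 * isqrt(p) - 2                    # slightly widened integer bounds
    hi = p + 1 + 2 * isqrt(p) + 2
    cands = [N for N in range(lo, hi + 1) if N % n == 0]
    return cands[0] if len(cands) == 1 else None

if __name__ == "__main__":
    A, p, P, m = -10, 557, (2, 3), 5                # the slide's curve and point
    n = point_order(P, A, p, m)
    print(n, curve_order_from_point_order(n, p))     # 189 567
```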

10 Counting points: Schoof's Algorithm
Complexity $O(\log^8 q)$. Improvements by Atkin and Elkies.
Suppose E is an elliptic curve given by $y^2 = x^3 + Ax + B$ over $\mathbb{F}_q$. We know, by Hasse's theorem, that $\#E(\mathbb{F}_q) = q + 1 - a$, with $|a| \le 2\sqrt{q}$. Let S = {2, 3, 5, 7, ..., L} be a set of primes such that $\prod_{l \in S} l > 4\sqrt{q}$. If we can determine a mod l for each prime $l \in S$, then we know a mod $\prod_{l \in S} l$, and therefore a is uniquely determined.
Let l be prime. For simplicity, we assume $l \ne p$, where p is the characteristic of $\mathbb{F}_q$. We also assume that q is odd. We want to compute a (mod l).

11 The Chinese Remainder theorem
Theorem (The Chinese Remainder theorem). Let $n_1, \dots, n_k$ be pairwise coprime integers greater than 1. Let $a_1, \dots, a_k$ be any integers. Then there exists an integer x such that $x \equiv a_1 \pmod{n_1}, \dots, x \equiv a_k \pmod{n_k}$, and any two such x are congruent modulo $N = \prod n_i$.

12 Counting points: Schoof's Algorithm
l = 2: If $x^3 + Ax + B$ has a root $e \in \mathbb{F}_q$, then $(e, 0) \in E[2]$ and $(e, 0) \in E(\mathbb{F}_q)$, so $E(\mathbb{F}_q)$ has even order. In this case, $q + 1 - a \equiv 0 \pmod 2$, so a is even. If $x^3 + Ax + B$ has no roots in $\mathbb{F}_q$, then $E(\mathbb{F}_q)$ has no points of order 2, and a is odd.
To determine whether $x^3 + Ax + B$ has a root in $\mathbb{F}_q$, we could try all the elements of $\mathbb{F}_q$, but there is a faster way. Recall that the roots of $x^q - x$ are exactly the elements of $\mathbb{F}_q$. Therefore, $x^3 + Ax + B$ has a root in $\mathbb{F}_q$ if and only if it has a root in common with $x^q - x$. The Euclidean algorithm, applied to polynomials, yields the gcd of the two polynomials. If q is very large, the polynomial $x^q$ has very large degree. Therefore, it is more efficient to compute $x^q \bmod (x^3 + Ax + B)$ by successive squaring, and then use the result to compute $\gcd(x^q - x,\ x^3 + Ax + B) = \gcd\big((x^q \bmod (x^3 + Ax + B)) - x,\ x^3 + Ax + B\big)$.

13 Counting points: Schoof's Algorithm
When n is odd, we have the division polynomial $\psi_n$ and $(x, y) \in E[n] \iff \psi_n(x) = 0$. On the other hand, the Frobenius endomorphism $\phi_q(x, y) = (x^q, y^q)$ satisfies $\phi_q^2 - a\phi_q + q = 0$. Let (x, y) be a point of order l. Then
$$(x^{q^2}, y^{q^2}) + q_l\,(x, y) = a_l\,(x^q, y^q),$$
where $q_l \equiv q \pmod l$ and $a_l \equiv a \pmod l$.

14 Counting points: Schoof's Algorithm
1. Choose a set of primes S = {2, 3, 5, ..., L} (with $p \notin S$) such that $\prod_{l \in S} l > 4\sqrt{q}$.
2. If l = 2, we have $a \equiv 0 \pmod 2$ if and only if $\gcd(x^3 + Ax + B,\ x^q - x) \ne 1$.
3. For each odd prime $l \in S$, do the following.
(a) Let $q_l \equiv q \pmod l$ with $|q_l| < l/2$.
(b) Compute the x-coordinate x' of $(x', y') = (x^{q^2}, y^{q^2}) + q_l\,(x, y) \bmod \psi_l$.
(c) For j = 1, 2, ..., (l − 1)/2, do the following.
i. Compute the x-coordinate $x_j$ of $(x_j, y_j) = j(x, y)$.
ii. If $x' - x_j^q \equiv 0 \pmod{\psi_l}$, go to step (iii). If not, try the next value of j (in step (c)). If all values $1 \le j \le (l - 1)/2$ have been tried, go to step (d).
iii. Compute y' and $y_j$. If $(y' - y_j^q)/y \equiv 0 \pmod{\psi_l}$, then $a \equiv j \pmod l$. If not, then $a \equiv -j \pmod l$.

15 Counting points: Schoof's Algorithm
3. (Cont.)
(d) If all values $1 \le j \le (l - 1)/2$ have been tried without success, let $w^2 \equiv q \pmod l$. If w does not exist, then $a \equiv 0 \pmod l$.
(e) If $\gcd(\mathrm{numerator}(x^q - x_w),\ \psi_l) = 1$, then $a \equiv 0 \pmod l$. Otherwise, compute $\gcd(\mathrm{numerator}((y^q - y_w)/y),\ \psi_l)$. If this gcd is not 1, then $a \equiv 2w \pmod l$. Otherwise, $a \equiv -2w \pmod l$.
4. Use the knowledge of a (mod l) for each $l \in S$ to compute a (mod $\prod_{l \in S} l$). Choose the value of a that satisfies this congruence and such that $|a| \le 2\sqrt{q}$. The number of points in $E(\mathbb{F}_q)$ is q + 1 − a.

16 Counting points: Schoof's algorithm
Let E be the elliptic curve $y^2 = x^3 + 2x + 1$ mod 19. Then $\#E(\mathbb{F}_{19}) = 20 - a$. We want to determine a. We'll show that
$$a \equiv 1 \pmod 2,\qquad a \equiv 2 \pmod 3,\qquad a \equiv 3 \pmod 5.$$
Putting these together yields $a \equiv 23 \pmod{30}$. Since $|a| < 2\sqrt{19} < 9$, we must have a = −7.
We start with l = 2. We compute $x^{19} \equiv x^2 + 13x + 14 \pmod{x^3 + 2x + 1}$ by successive squaring and then use the result to compute $\gcd(x^{19} - x,\ x^3 + 2x + 1) = \gcd(x^2 + 12x + 14,\ x^3 + 2x + 1) = 1$. It follows that $x^3 + 2x + 1$ has no roots in $\mathbb{F}_{19}$. Therefore, there is no 2-torsion in $E(\mathbb{F}_{19})$, so $a \equiv 1 \pmod 2$.
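Added example, not from the slides: the l = 2 step of slides 12 and 16 and the CRT combination of slides 11 and 15, in Python. Polynomials over $\mathbb{F}_p$ are little-endian coefficient lists (index i holds the coefficient of $x^i$); function names are my own, and the test curve is the slides' $y^2 = x^3 + 2x + 1$ over $\mathbb{F}_{19}$.

```python
# Added example: Schoof's l = 2 step (x^q mod f by successive squaring, then a
# polynomial gcd) and the final CRT step that recovers a from its residues.
from math import isqrt

def trim(a):
    """Drop leading zero coefficients; the zero polynomial is []."""
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_mod(a, f, p):
    """Remainder of a divided by f over F_p (f nonzero)."""
    a, d = list(a), len(f) - 1
    inv = pow(f[-1], -1, p)
    for i in range(len(a) - 1, d - 1, -1):
        c = a[i] * inv % p
        if c:
            for j in range(d + 1):
                a[i - d + j] = (a[i - d + j] - c * f[j]) % p
    return trim(a[:d])

def poly_mulmod(a, b, f, p):
    """(a * b) mod f over F_p."""
    prod = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    return poly_mod(prod, f, p)

def poly_powmod(base, e, f, p):
    """base^e mod f by successive squaring (slide 12); degree never exceeds deg f."""
    result, base = [1], poly_mod(base, f, p)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, p)
        base = poly_mulmod(base, base, f, p)
        e >>= 1
    return result

def poly_sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % p for x, y in zip(a, b)])

def poly_gcd(a, b, p):
    """Euclidean algorithm on polynomials over F_p; returns the monic gcd."""
    a, b = trim(list(a)), trim(list(b))
    while b:
        a, b = b, poly_mod(a, b, p)
    if not a:
        return []
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]

def a_mod_2(A, B, p):
    """l = 2 step for E: y^2 = x^3 + Ax + B over F_p, f = x^3 + Ax + B.
    Returns (x^p mod f, gcd(x^p - x, f), a mod 2)."""
    f = [B % p, A % p, 0, 1]
    xp = poly_powmod([0, 1], p, f, p)
    g = poly_gcd(poly_sub(xp, [0, 1], p), f, p)
    # a nontrivial gcd means f shares a root with x^p - x, i.e. has a root in F_p,
    # so E(F_p) has a point of order 2 and a = p + 1 - #E(F_p) is even
    return xp, g, 0 if len(g) > 1 else 1

def crt(residues, moduli):
    """Chinese Remainder Theorem (slide 11): x mod prod(moduli) with x = r_i mod m_i."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M, M

def trace_of_frobenius(q, residues, moduli):
    """Step 4 of Schoof: the unique a with |a| <= 2 sqrt(q) in the CRT class.
    Returns (a, #E(F_q)) with #E(F_q) = q + 1 - a."""
    x, M = crt(residues, moduli)
    bound = 2 * isqrt(q) + 2                 # a bit wider than 2 sqrt(q), filtered below
    cands = [a for a in range(-bound, bound + 1) if (a - x) % M == 0 and a * a <= 4 * q]
    if len(cands) != 1:
        raise ValueError("product of the moduli must exceed 4 sqrt(q)")
    return cands[0], q + 1 - cands[0]

if __name__ == "__main__":
    print(a_mod_2(2, 1, 19))                          # x^2 + 13x + 14, gcd 1, a odd
    print(trace_of_frobenius(19, [1, 2, 3], [2, 3, 5]))  # (-7, 27)
```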

17 Counting points: Schoof's algorithm
For l = 3, we proceed as in Schoof's algorithm and eventually get to j = 1. We have $q^2 = 361$ and $q \equiv 1 \pmod 3$. Therefore, $q_l = 1$ and we need to check whether
$$(x^{361}, y^{361}) + (x, y) = \pm(x^{19}, y^{19})$$
for $(x, y) \in E[3]$. The third division polynomial is $\psi_3 = 3x^4 + 12x^2 + 12x - 4$. We compute the x-coordinate of $(x^{361}, y^{361}) + (x, y)$:
$$\left(\frac{y^{361} - y}{x^{361} - x}\right)^2 - x^{361} - x = \frac{(x^3 + 2x + 1)\left((x^3 + 2x + 1)^{180} - 1\right)^2}{(x^{361} - x)^2} - x^{361} - x,$$

18 Counting points: Schoof's algorithm
where we have used the relation $y^2 = x^3 + 2x + 1$. We need to reduce this mod $\psi_3$. The natural way to start is to use the extended Euclidean algorithm to find the inverse of $x^{361} - x \pmod{\psi_3}$. However, $\gcd(x^{361} - x,\ \psi_3) = x - 8 \ne 1$, so the multiplicative inverse does not exist. We could remove x − 8 from the numerator and denominator of $\frac{(x^3 + 2x + 1)\left((x^3 + 2x + 1)^{180} - 1\right)^2}{(x^{361} - x)^2}$, but this is unnecessary. Instead, we realize that since x = 8 is a root of $\psi_3$, the point $(8, 4) \in E(\mathbb{F}_{19})$ has order 3. Therefore,
$$\#E(\mathbb{F}_{19}) = 20 - a \equiv 0 \pmod 3,$$
so $a \equiv 2 \pmod 3$.

19 Factoring and primality testing
The problems of factorization and primality testing are related, but are very different in nature. The largest announced factorization up to the year 2007 was of an integer with 200 digits. However, it was at that time possible to prove primality of primes of several thousand digits.
It is possible to prove that a number is composite without finding a factor. One way is to show that $a^{n-1} \not\equiv 1 \pmod n$ for some a with gcd(a, n) = 1.
Theorem (Fermat's little theorem). If n is prime and gcd(a, n) = 1, then $a^{n-1} \equiv 1 \pmod n$.
It follows that n must be composite, even though we have not produced a factor.

20 Factoring and primality testing
Of course, if $a^{n-1} \equiv 1 \pmod n$ for several random choices of a, we might suspect that n is probably prime. But how can we actually prove n is prime? If n has only a few digits, we can divide n by each of the primes up to $\sqrt{n}$. However, if n has hundreds of digits, this method will take too long (much longer than the predicted life of the universe).
Definition. If $a^{n-1} \equiv 1 \pmod n$, we say that n is a pseudo-prime to base a. If n is a pseudo-prime to every base a coprime to n, we say it is a Carmichael number.
Similarly, suppose we have proved that a number is composite. How do we find the factors?

21 Factoring algorithms
In the mid 1980s, Hendrik Lenstra gave new impetus to the study of elliptic curves by developing an efficient factoring algorithm that used elliptic curves. It turned out to be very effective for factoring numbers of around 60 decimal digits, and, for larger numbers, finding prime factors having around 20 to 30 decimal digits.
Example. We want to factor 4453. Let E be the elliptic curve $y^2 = x^3 + 10x - 2 \bmod 4453$ and let P = (1, 3). Let's try to compute 3P. First, we compute 2P. The slope of the tangent line at P is
$$\frac{3x^2 + 10}{2y} = \frac{13}{6} \equiv 3713 \pmod{4453}.$$
We used the fact that gcd(6, 4453) = 1 to find $6^{-1} \pmod{4453}$. Using this slope, we find that 2P = (x, y), with
$$x \equiv 3713^2 - 2 \equiv 4332,\qquad y \equiv -3713(x - 1) - 3 \equiv 3230 \pmod{4453}.$$

22 Factoring algorithms
To compute 3P, we add P and 2P. The slope is
$$\frac{3230 - 3}{4332 - 1} = \frac{3227}{4331}.$$
But gcd(4331, 4453) = 61. Therefore, we have found the factor 61 of 4453, and 4453 = 61 · 73.
Recall that $E(\mathbb{Z}_{4453}) = E(\mathbb{F}_{61}) \oplus E(\mathbb{F}_{73})$. If we look at the multiples of P mod 61 we have P ≡ (1, 3), 2P ≡ (1, 58), 3P ≡ ∞, 4P ≡ (1, 3), ... (mod 61). However, the multiples of P mod 73 are P ≡ (1, 3), 2P ≡ (25, 18), 3P ≡ (28, 44), ..., 64P ≡ ∞ (mod 73).

23 Factoring algorithms
1. Choose several (usually around 10 to 20) random elliptic curves $E_i: y^2 = x^3 + A_i x + B_i$ and points $P_i$ mod n.
2. Choose an integer B (perhaps around $10^8$) and compute $[B!]P_i$ on $E_i$ for each i.
3. If step 2 fails because some slope does not exist mod n, then we have found a factor of n.
4. If step 2 succeeds, increase B or choose new random curves $E_i$ and points $P_i$ and start over.
Steps 2, 3 and 4 can often be done in parallel using all of the curves $E_i$ simultaneously. The elliptic curve method is very successful in finding a prime factor p of n when p < [bound not transcribed].
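Added example, not from the slides: Lenstra's method of slides 21 to 23 in Python, with the addition law carried out mod n and the slope inversion reporting a divisor of n when it fails. On the slides' curve $y^2 = x^3 + 10x - 2 \bmod 4453$ with P = (1, 3), the attempt to reach 3P exposes the factor 61; the function names are my own.

```python
# Added example: the elliptic curve factoring method, one curve at a time.
from math import gcd

INF = None  # stands for the point at infinity

def ecm_add(P, Q, A, n):
    """Return (P + Q, None), or (None, d) when the slope denominator shares a
    divisor d with n and so has no inverse mod n (the event step 3 looks for)."""
    if P is INF:
        return (Q, None)
    if Q is INF:
        return (P, None)
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return (INF, None)                           # P = -Q
    if P == Q:
        num, den = (3 * x1 * x1 + A) % n, (2 * y1) % n
    else:
        num, den = (y2 - y1) % n, (x2 - x1) % n
    d = gcd(den, n)
    if d != 1:
        return (None, d)                             # d == n carries no information
    lam = num * pow(den, -1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return ((x3, (lam * (x1 - x3) - y1) % n), None)

def ecm_mul(k, P, A, n):
    """kP by double-and-add, stopping at the first non-invertible denominator."""
    R = INF
    while k:
        if k & 1:
            R, d = ecm_add(R, P, A, n)
            if d is not None:
                return (None, d)
        k >>= 1
        if k:
            P, d = ecm_add(P, P, A, n)
            if d is not None:
                return (None, d)
    return (R, None)

def ecm_try(n, A, P, bound):
    """Step 2 for one curve: compute [bound!]P as ((2P)3)4..., one factor at a
    time. A failure with 1 < d < n is a factor (step 3); None means retry (step 4)."""
    for k in range(2, bound + 1):
        P, d = ecm_mul(k, P, A, n)
        if d is not None:
            return d if 1 < d < n else None
        if P is INF:
            return None
    return None

if __name__ == "__main__":
    print(ecm_mul(2, (1, 3), 10, 4453))   # ((4332, 3230), None): 2P as on slide 21
    print(ecm_try(4453, 10, (1, 3), 3))   # 61: the denominator 4331 of slide 22
```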

24 Primality tests
Suppose n is an integer of several hundred decimal digits. It is usually easy to decide with reasonable certainty whether n is prime or composite. But suppose we actually want to prove that our answer is correct. If n is composite, then usually either we know a nontrivial factor or n failed a pseudoprimality test (for example, perhaps $a^{n-1} \not\equiv 1 \pmod n$ for some a). Therefore, when n is composite, it is usually easy to prove it, and the proof can be stated in a form that can be checked easily. But if n is prime, the situation is more difficult. Cohen and Lenstra developed methods involving Jacobi sums that work well for primes of a few hundred digits. However, for primes of a thousand digits or more, the most popular method currently in use involves elliptic curves.

25 Primality tests
Proposition. Let n > 1 be an integer, and let n − 1 = rs with $r \ge \sqrt{n}$. Suppose that, for each prime $l \mid r$, there exists an integer $a_l$ with
$$a_l^{\,n-1} \equiv 1 \pmod n \qquad\text{and}\qquad \gcd\left(a_l^{(n-1)/l} - 1,\ n\right) = 1.$$
Then n is prime. The converse can be proved to be also true.
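Added example, not from the slides: the proposition above turned into a certificate search and an independent certificate check, in Python, run on n = 907 (the modulus of the slides' elliptic-curve example, with n − 1 = 906 = 151 · 6) and on the composite 4453 from the factoring slides. Function names are my own.

```python
# Added example: primality certificates from the n - 1 = r*s proposition.
from math import gcd

def prime_factors(n):
    """Distinct prime factors by trial division (fine for the small r used here)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs

def pocklington_certificate(n, r):
    """Search a witness a_l for every prime l | r: a_l^(n-1) = 1 (mod n) and
    gcd(a_l^((n-1)/l) - 1, n) = 1, with r | n - 1 and r >= sqrt(n).
    Returns {l: a_l}, or None when some l has no witness (n is then not proved prime)."""
    if (n - 1) % r != 0 or r * r < n:
        raise ValueError("need r | n - 1 and r >= sqrt(n)")
    cert = {}
    for l in sorted(prime_factors(r)):
        for a in range(2, n):
            if pow(a, n - 1, n) == 1 and gcd(pow(a, (n - 1) // l, n) - 1, n) == 1:
                cert[l] = a
                break
        else:
            return None               # by the proposition this happens for composite n
    return cert

def pocklington_verify(n, r, cert):
    """What a checker of the proof runs: re-test every condition of the proposition."""
    if cert is None or (n - 1) % r != 0 or r * r < n:
        return False
    for l in prime_factors(r):
        a = cert.get(l)
        if a is None or pow(a, n - 1, n) != 1:
            return False
        if gcd(pow(a, (n - 1) // l, n) - 1, n) != 1:
            return False
    return True

if __name__ == "__main__":
    cert = pocklington_certificate(907, 151)      # 906 = 151 * 6, 151 >= sqrt(907)
    print(cert, pocklington_verify(907, 151, cert))  # {151: 2} True
    print(pocklington_certificate(4453, 371))     # None: 4453 = 61 * 73 is composite
```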

26 Primality tests
Theorem. Let n > 1 and let E be an elliptic curve mod n. Suppose there exist distinct prime numbers $l_1, \dots, l_k$ and finite points $P_i \in E(\mathbb{Z}_n)$ such that
1. $l_i P_i = \infty$ for $1 \le i \le k$.
2. $\prod_{i=1}^{k} l_i > (n^{1/4} + 1)^2$.
Then n is prime.

27 Primality tests
Example. Let n = 907. Let E be the elliptic curve $y^2 = x^3 + 10x - 2$ mod n. Let l = 71. Then $l > (907^{1/4} + 1)^2 \approx 42.1$. Let P = (819, 784). Then $71P = \infty$ and 907 is prime. Of course, we needed the fact that 71 is prime, which could also be proved using the same result, or by direct calculation.
How did we find E and P? First, we looked at a few elliptic curves mod 907 until we found one whose order was divisible by a prime l that was slightly larger than $(907^{1/4} + 1)^2$. (If we had chosen $l \approx 907$, then we would not have made much progress, since we would still have needed to prove the primality of l.) In fact, to find the order of the curve, we started with curves where we knew a point. In the present case, E has the point (1, 3). Using Baby Step, Giant Step, we found the order of (1, 3) to be 923 = 13 · 71. Then we took P = 13(1, 3), which has order 71.


More information

COUNTING POINTS ON ELLIPTIC CURVES OVER F q

COUNTING POINTS ON ELLIPTIC CURVES OVER F q COUNTING POINTS ON ELLIPTIC CURVES OVER F q RENYI TANG Abstract. In this expository paper, we introduce elliptic curves over finite fields and the problem of counting the number of rational points on a

More information

Definition of a finite group

Definition of a finite group Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *

More information

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

Elliptic Curves Spring 2013 Lecture #8 03/05/2013 18.783 Elliptic Curves Spring 2013 Lecture #8 03/05/2013 8.1 Point counting We now consider the problem of determining the number of points on an elliptic curve E over a finite field F q. The most naïve

More information

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}. 2 Arithmetic This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}. (See [Houston, Chapters 27 & 28]) 2.1 Greatest common divisors Definition 2.16. If a, b are integers, we say

More information

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test Introduction to Algorithms (CS 482) Cornell University Instructor: Bobby Kleinberg Lecture Notes, 25 April 2008 The Miller-Rabin Randomized Primality Test 1 Introduction Primality testing is an important

More information

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant CS265/CME309, Fall 2018. Instructor: Gregory Valiant Primality Testing [These notes may not be distributed outside this class without the permission of Gregory Valiant.] 1 Introduction Prime numbers are

More information

MATH 501 Discrete Mathematics. Lecture 6: Number theory. German University Cairo, Department of Media Engineering and Technology.

MATH 501 Discrete Mathematics. Lecture 6: Number theory. German University Cairo, Department of Media Engineering and Technology. MATH 501 Discrete Mathematics Lecture 6: Number theory Prof. Dr. Slim Abdennadher, slim.abdennadher@guc.edu.eg German University Cairo, Department of Media Engineering and Technology 1 Number theory Number

More information

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation 1 The Fundamental Theorem of Arithmetic A positive integer N has a unique prime power decomposition 2 Primality Testing Integer Factorisation (Gauss 1801, but probably known to Euclid) The Computational

More information

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: Linear Congruences The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: ax b (mod m), a, b Z, m N +. (1) If x 0 is a solution then so is x k :=

More information

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups

More information

Simultaneous Linear, and Non-linear Congruences

Simultaneous Linear, and Non-linear Congruences Simultaneous Linear, and Non-linear Congruences CIS002-2 Computational Alegrba and Number Theory David Goodwin david.goodwin@perisic.com 09:00, Friday 18 th November 2011 Outline 1 Polynomials 2 Linear

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 2: Mathematical Concepts Divisibility Congruence Quadratic Residues

More information

Primality testing: then and now

Primality testing: then and now Seventy-five years of Mathematics of Computation ICERM, November 1 3, 2018 Primality testing: then and now Carl Pomerance Dartmouth College, Emeritus University of Georgia, Emeritus In 1801, Carl Friedrich

More information

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9.1 Chapter 9 Objectives

More information

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006 Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Spring 2006 1 / 1 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 2.4 2.6 of Rosen Introduction I When talking

More information

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime. PUTNAM TRAINING NUMBER THEORY (Last updated: December 11, 2017) Remark. This is a list of exercises on Number Theory. Miguel A. Lerma Exercises 1. Show that the sum of two consecutive primes is never twice

More information

1. multiplication is commutative and associative;

1. multiplication is commutative and associative; Chapter 4 The Arithmetic of Z In this chapter, we start by introducing the concept of congruences; these are used in our proof (going back to Gauss 1 ) that every integer has a unique prime factorization.

More information

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya BBM 205 Discrete Mathematics Hacettepe University http://web.cs.hacettepe.edu.tr/ bbm205 Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya Resources: Kenneth Rosen,

More information

Congruent Number Problem and Elliptic curves

Congruent Number Problem and Elliptic curves Congruent Number Problem and Elliptic curves December 12, 2010 Contents 1 Congruent Number problem 2 1.1 1 is not a congruent number.................................. 2 2 Certain Elliptic Curves 4 3 Using

More information

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2 8. p-adic numbers 8.1. Motivation: Solving x 2 a (mod p n ). Take an odd prime p, and ( an) integer a coprime to p. Then, as we know, x 2 a (mod p) has a solution x Z iff = 1. In this case we can suppose

More information

Lecture 2. The Euclidean Algorithm and Numbers in Other Bases

Lecture 2. The Euclidean Algorithm and Numbers in Other Bases Lecture 2. The Euclidean Algorithm and Numbers in Other Bases At the end of Lecture 1, we gave formulas for the greatest common divisor GCD (a, b), and the least common multiple LCM (a, b) of two integers

More information

Elementary Number Theory. Franz Luef

Elementary Number Theory. Franz Luef Elementary Number Theory Congruences Modular Arithmetic Congruence The notion of congruence allows one to treat remainders in a systematic manner. For each positive integer greater than 1 there is an arithmetic

More information

MATH 2112/CSCI 2112, Discrete Structures I Winter 2007 Toby Kenney Homework Sheet 5 Hints & Model Solutions

MATH 2112/CSCI 2112, Discrete Structures I Winter 2007 Toby Kenney Homework Sheet 5 Hints & Model Solutions MATH 11/CSCI 11, Discrete Structures I Winter 007 Toby Kenney Homework Sheet 5 Hints & Model Solutions Sheet 4 5 Define the repeat of a positive integer as the number obtained by writing it twice in a

More information

1. Algebra 1.7. Prime numbers

1. Algebra 1.7. Prime numbers 1. ALGEBRA 30 1. Algebra 1.7. Prime numbers Definition Let n Z, with n 2. If n is not a prime number, then n is called a composite number. We look for a way to test if a given positive integer is prime

More information

Elementary Number Theory and Cryptography, 2014

Elementary Number Theory and Cryptography, 2014 Elementary Number Theory and Cryptography, 2014 1 Basic Properties of the Integers Z and the rationals Q. Notation. By Z we denote the set of integer numbers and by Q we denote the set of rational numbers.

More information

Basic Algorithms in Number Theory

Basic Algorithms in Number Theory Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi #2 - Discrete Logs, Modular Square Roots, Polynomials, Hensel s Lemma & Chinese Remainder

More information

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Elliptic Curves Spring 2013 Lecture #12 03/19/2013 18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring

More information

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Number Theory Math 420 Silverman Exam #1 February 27, 2018 Name: Number Theory Math 420 Silverman Exam #1 February 27, 2018 INSTRUCTIONS Read Carefully Time: 50 minutes There are 5 problems. Write your name neatly at the top of this page. Write your final answer

More information

Introduction to Cryptology. Lecture 19

Introduction to Cryptology. Lecture 19 Introduction to Cryptology Lecture 19 Announcements HW6 due today HW7 due Thursday 4/20 Remember to sign up for Extra Credit Agenda Last time More details on AES/DES (K/L 6.2) Practical Constructions of

More information

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6 CS 70 Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6 1 Modular Arithmetic In several settings, such as error-correcting codes and cryptography, we sometimes

More information

NUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:

NUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z: NUMBER SYSTEMS Number theory is the study of the integers. We denote the set of integers by Z: Z = {..., 3, 2, 1, 0, 1, 2, 3,... }. The integers have two operations defined on them, addition and multiplication,

More information

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today? 2 Mod math Modular arithmetic is the math you do when you talk about time on a clock. For example, if it s 9 o clock right now, then it ll be 1 o clock in 4 hours. Clearly, 9 + 4 1 in general. But on a

More information

Theory of Numbers Problems

Theory of Numbers Problems Theory of Numbers Problems Antonios-Alexandros Robotis Robotis October 2018 1 First Set 1. Find values of x and y so that 71x 50y = 1. 2. Prove that if n is odd, then n 2 1 is divisible by 8. 3. Define

More information

Wilson s Theorem and Fermat s Little Theorem

Wilson s Theorem and Fermat s Little Theorem Wilson s Theorem and Fermat s Little Theorem Wilson stheorem THEOREM 1 (Wilson s Theorem): (p 1)! 1 (mod p) if and only if p is prime. EXAMPLE: We have (2 1)!+1 = 2 (3 1)!+1 = 3 (4 1)!+1 = 7 (5 1)!+1 =

More information

198 VOLUME 46/47, NUMBER 3

198 VOLUME 46/47, NUMBER 3 LAWRENCE SOMER Abstract. Rotkiewicz has shown that there exist Fibonacci pseudoprimes having the forms p(p + 2), p(2p 1), and p(2p + 3), where all the terms in the products are odd primes. Assuming Dickson

More information

Counting points on hyperelliptic curves

Counting points on hyperelliptic curves University of New South Wales 9th November 202, CARMA, University of Newcastle Elliptic curves Let p be a prime. Let X be an elliptic curve over F p. Want to compute #X (F p ), the number of F p -rational

More information

M381 Number Theory 2004 Page 1

M381 Number Theory 2004 Page 1 M81 Number Theory 2004 Page 1 [[ Comments are written like this. Please send me (dave@wildd.freeserve.co.uk) details of any errors you find or suggestions for improvements. ]] Question 1 20 = 2 * 10 +

More information

CSE 311 Lecture 13: Primes and GCD. Emina Torlak and Kevin Zatloukal

CSE 311 Lecture 13: Primes and GCD. Emina Torlak and Kevin Zatloukal CSE 311 Lecture 13: Primes and GCD Emina Torlak and Kevin Zatloukal 1 Topics Modular arithmetic applications A quick wrap-up of Lecture 12. Primes Fundamental theorem of arithmetic, Euclid s theorem, factoring.

More information

Introduction to Public-Key Cryptosystems:

Introduction to Public-Key Cryptosystems: Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each

More information

Advanced Algorithms and Complexity Course Project Report

Advanced Algorithms and Complexity Course Project Report Advanced Algorithms and Complexity Course Project Report Eklavya Sharma (2014A7PS0130P) 26 November 2017 Abstract This document explores the problem of primality testing. It includes an analysis of the

More information

Primality testing: then and now

Primality testing: then and now Primality testing: then and now Mathematics Department Colloquium Boise State University, February 20, 2019 Carl Pomerance Dartmouth College (emeritus) University of Georgia (emeritus) In 1801, Carl Friedrich

More information

Chapter 5. Number Theory. 5.1 Base b representations

Chapter 5. Number Theory. 5.1 Base b representations Chapter 5 Number Theory The material in this chapter offers a small glimpse of why a lot of facts that you ve probably nown and used for a long time are true. It also offers some exposure to generalization,

More information

WXML Final Report: Primality of Polynomials

WXML Final Report: Primality of Polynomials WXML Final Report: Primality of Polynomials William Stein, Travis Scholl, Astrid Berge, Daria Micovic, Xiaowen Yang Autumn 016 1 Introduction The density of certain types of primes is a classical question

More information

MATH 145 Algebra, Solutions to Assignment 4

MATH 145 Algebra, Solutions to Assignment 4 MATH 145 Algebra, Solutions to Assignment 4 1: a) Find the inverse of 178 in Z 365. Solution: We find s and t so that 178s + 365t = 1, and then 178 1 = s. The Euclidean Algorithm gives 365 = 178 + 9 178

More information

3.2 Solving linear congruences. v3

3.2 Solving linear congruences. v3 3.2 Solving linear congruences. v3 Solving equations of the form ax b (mod m), where x is an unknown integer. Example (i) Find an integer x for which 56x 1 mod 93. Solution We have already solved this

More information

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points. Math 152, Problem Set 2 solutions (2018-01-24) All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points. 1. Let us look at the following equation: x 5 1

More information

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory COMS W4995 Introduction to Cryptography September 29, 2005 Lecture 8: Number Theory Lecturer: Tal Malkin Scribes: Elli Androulaki, Mohit Vazirani Summary This lecture focuses on some basic Number Theory.

More information

Postmodern Primality Proving

Postmodern Primality Proving Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 1 / 29 Postmodern Primality Proving Preda Mihăilescu Mathematical Institute, University of Göttingen, Germany June

More information

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage Cryptosystem Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage f(m). The receiver computes f 1 (f(m)). Advantage: Cannot

More information