Algebra and Number Theory

Transcription

1 2016 Fall, Algebra and Number Theory p. 1 Algebra and Number Theory Wen-Guey Tzeng Computer Science Department National Chiao Tung University

2 2016 Fall, Algebra and Number Theory p. 2 Residues Letaand b be integers and n be a positive integer. a b: a divides b, or a is a divisor of b. gcd(a, b): greatest common divisor. Relatively prime a b: gcd(a, b) = 1. Prime factorization: n = p e 1 1 p e 2 2 p e k k, where p i s are different primes. Euler s totient function is ϕ(n) = p e p e p e k 1 k S : the number of elements in the sets. (p 1 1)(p 2 1) (p k 1).

3 2016 Fall, Algebra and Number Theory p. 3 Definition 1 (congruent modulo) a b (mod n) if and only if n (a b). Definition 2 (congruent residue) For an integer a, "r = a mod n", where r is the least non-negative integer such that a r (mod n). Equivalently, r = a a/n n. (a mod n±b mod n) mod n = (a±b) mod n. (a mod n b mod n) mod n = (a b) mod n. a±b a±c (mod n) b c (mod n). a b a c (mod n) and a n b c (mod n).

4 2016 Fall, Algebra and Number Theory p. 4 Euclidean algorithm Find gcd(a, b) efficiently. Find integers r and s with ra + sb = gcd(a, b) efficiently.

5 2016 Fall, Algebra and Number Theory p. 5 Related problems 1. Congruential residue: given a,band n, solve ax b (mod n). Ifb = 1,x = a 1 mod n. 2. kth roots: given a and n, solve x k a (mod n) (or x = a 1/k mod n). 3. Primality test: given n, determine whether n is prime? 4. Factoring: given n, find all prime factors of n. 5. Discrete logarithm: given g,y and n, solve g x y (mod n) (orx = log g y mod n).

6 2016 Fall, Algebra and Number Theory p. 6 Efficiency 1. The runtime is polynomially proportional to the length (size) of the input. 2. For a given number n, there are two measures: value val(n) (or simply, n) length (size)len(n) (or n ). 3. We have len(n) = log 2 val(n) Note thatval(n) = O(2 n ). For example,val(13) = 13 and len(13) = a b mod n is polynomial-time computable, with respect to len(a) + len(b) + len(n).

7 2016 Fall, Algebra and Number Theory p. 7 Chinese remainder theorem There is a solution for the equation system x r i (mod n i ),1 i m, where n i n j fori j. Solution x = r 1 N 1 (N 1 1 mod n 1 )+ +r m N m (N 1 m mod n m ), where N i = n 1 n 2 n m /n i.

8 2016 Fall, Algebra and Number Theory p. 8 Isomorphism ψ : Z n Z n1 Z n2 Z nm ψ(x) (x mod n 1,x mod n 2,...,x mod n m ) Example n = pq,x (x mod p,x mod q) : Z n Z p Z q. Application to compute x = a b mod n we compute (x 1 = a b mod p,x 2 = a b mod q). Combine x 1,x 2 forx.

9 2016 Fall, Algebra and Number Theory p. 9 Group Group G = (S, ): a set S and an operator such that: 1. (Closure) For everyx,y S,x y S. 2. (Associativity) For every x, y, z S, (x y) z = x (y z). 3. (Identity) There is e S such that for everyx S, x e = e x = x. 4. (Inverse) For everyx S, there is y S such that x y = e. G is Abelian (or commutative) if for everyx,y S, x y = y x.

10 2016 Fall, Algebra and Number Theory p (Z,+): Z is the set of integers and+is the regular addition. 2. (Q\{0}, ): Q is the set of all rational numbers and is the regular multiplication. 3. (Z n,+): + Z n + = {0,1,...,n 1} and + is the congruent addition (mod n). 4. (Zn, ): Zn = {x x Z n,gcd(x,n) = 1} and is the congruent multiplication (modn). 5. (Z[x],+): Z[x] is the set of all polynomials with coefficients overz and + is the addition of polynomials.

11 2016 Fall, Algebra and Number Theory p. 11 Finite group ord(g) or G : the number of elements in G. {}}{ g k = g g g. k Theorem 3 IfGis a finite group, g G,g G = e. Proof. LetG = {g 1,g 2,...,g m } and G g = {gg 1,gg 2,...,gg m }. We have G g = G, which implies g 1 g 2 g m = gg 1 gg 2 gg m. Therefore,g 1 g 2 g m = g m g 1 g 2 g m, and thus g m = e.

12 2016 Fall, Algebra and Number Theory p. 12 (Fermat): a p 1 mod p = 1 for1 a p 1. (Euler): a ϕ(n) mod n = 1 for a n. IfGis finite, for any g G,g i = g i mod G. For any g G,g 1 = g G 1.

13 2016 Fall, Algebra and Number Theory p. 13 Subgroup H = (S, ) is a subgroup ofg = (S, ) if H is a group and S S. The smallest subgroup of G is ({e}, ) and the largest subgroup is itself (S, ).

14 2016 Fall, Algebra and Number Theory p. 14 Theorem 4 (Lagrange s Theorem) IfH is a subgroup of a finite group G, then ord(h) ord(g). Corollary 5 Iford(G) is prime, G has only two trivial subgroups.

15 2016 Fall, Algebra and Number Theory p. 15 Theorem 6 For any g G, g = {g i i 0} is a subgroup of G. Definition 7 The order ofg is the leastnsuch thatg n = e. Also, ord(g) = g.

16 2016 Fall, Algebra and Number Theory p. 16 Cyclic group A group G is cyclic if and only if there is g G with g = G. The elementg is called a generator (primitive root) of G. Every group G of a prime order is cyclic and every element in G {e} is a generator. Every subgroup H of a cyclic group is also cyclic with generatorg ord(g)/ord(h). LetGbe cyclic and ord(g) = m. Then,g is a generator of G if and only if g m/p 1 for every prime factor p of m.

17 2016 Fall, Algebra and Number Theory p. 17 GroupZ p Zp is cyclic. ord(zp) isp 1, not prime. The number of generators is ϕ(p 1). QR p = {a a x 2 has solutions } is a group. QNR p = {a a x 2 has no solutions} is not a group. For odd primep, QR p = QNR p = (p 1)/2. Ifgcd(k,p 1) = 1, it is easy to compute the k-th root a 1/k mod p = a k mod p, where kk = 1 (mod p 1).

18 2016 Fall, Algebra and Number Theory p. 18 Compute square roota 1/2 mod p Case p = 4k +3:a 1/2 = a (p+1)/4 mod p. Case p = 4k +1: let(p 1)/2 = 2 L r,r is odd. 1. Idea: find s > 0, a r b 2s = 1. Thus, a 1/2 = a (r+1)/2 b s. 2. Method: (a) Randomly find b QNR p, that is, b (p 1)/2 = 1. (b) Lety 0 = a 2Lr b s 0 = 1,s 0 = 0. Fori = 1 to L do (wherey i = a 2L ir b s i = 1) ify 1/2 i 1 = a2l ir b s i 1/2 = 1 then s i = s i 1 /2 elses i = s i 1 /2+(p 1)/2 Note: All s i are even and all y i = 1. Think about! (c) y L = a r b s L = 1, wheres L is even.

19 2016 Fall, Algebra and Number Theory p. 19 Example: p = 41,a = 21. Find b = 6 QNR 41,6 20 mod p = 1

20 2016 Fall, Algebra and Number Theory p. 20 Computea 1/2 mod pq 1. Compute x 1 = a 1/2 mod p and x 2 = a 1/2 mod q 2. By the CRT, we have a 1/2 = [x 1 q(q 1 mod p)+x 2 p(p 1 mod q)] mod pq.

21 2016 Fall, Algebra and Number Theory p. 21 Legendre symbol Definition 8 For an odd prime p and a Z, L(a,p) = ( a 1 if [a] QR p p ) = 1 if [a] QR p 0 if p a Euler s criteria: L(a,p) = a (p 1)/2 mod p. Quadratic reciprocity: for odd primespand q, L(p,q) L(q,p) = ( 1) (p 1)(q 1)/4. Multiplicative: L(ab, p) = L(a, p)l(b, p).

22 2016 Fall, Algebra and Number Theory p. 22 Euler s criterion Theorem 9 Letpbe prime. For any a Zp,a QR p if and only ifa (p 1)/2 1 (mod p). Proof. ( ) Since a QR p,a = b 2 mod p. Thus, a (p 1)/2 (b 2 ) (p 1)/2 1 (mod p). ( ) Letg be the generator of Zp and a = g i for some 1 i p 1. Thus, a (p 1)/2 g i(p 1)/2 1 (mod p). We have p 1 i(p 1)/2 i is even.

23 2016 Fall, Algebra and Number Theory p. 23 GroupG q of a prime orderq Merits: every element except1is a generator. Ifp = 2q +1, then the subgroup G q = QR p = {g 2 mod p g G} is a group of order q. Example: p = 11 = G 5 = {1,3,4,5,9} mod 11 The general form isp = kq +1, whereq is a sufficiently large prime, say, 160 bits. Then, the subgroup G q = {g k g Zp} = {g g = e, or ord(g) = q} which is the kth residuosity.

24 2016 Fall, Algebra and Number Theory p. 24 DL assumption R n : the set ofn-bit primep = 2q+1, whereq is also prime. Assumption 10 No probabilistic poly-time algorithm can solve any significant portion of instances of x = log g y mod p, where p = 2q +1 is prime and g,y G q. Formally, for any probabilistic poly-time algorithm A, for any k > 0, there ism 0, such that for any m > m 0, Pr p R m,g G q \{1},y G q [A(y,g,p) = log g y mod p] 1/m k.

25 2016 Fall, Algebra and Number Theory p. 25 GroupZ n Hard problems (ϕ(n) is unknown) 1. To find prime factorization of n. 2. To determine quadratic residuosity over Zn. 3. To solve the kth root problem overzn for any fixed k To find generators of Zn if Z n is cyclic. Zn is cyclic iffn = 2,4,p k, or 2p k, where p is odd prime. Forn = pq,a QR n if and only if a QR p and a QR q.

26 2016 Fall, Algebra and Number Theory p. 26 Factoring n = pq and computingϕ(n) 1. Factoring n = pq computing ϕ(n): easy. 2. Computing ϕ(n) factoring n = pq: ϕ(n) = (p 1)(q 1) = n (p+q)+1. Leta = p+q = n ϕ(n)+1 and b = n = pq. Solve the quadratic equation x 2 ax+b = 0 for p and q.

27 2016 Fall, Algebra and Number Theory p. 27 Jacobi Symbol Definition 11 For an odd n = p e 1 1 p e 2 2 p e r r and a Z, J(a,n) = ( a n ) = L(a,p 1) e 1 L(a,p 2 ) e2 L(a,p r ) e r. Letn = pq. IfJ(a,n) = 1,a QNR n ; J(a,n) = 1 does not imply a QR n. Since it may be J(a,n) = 1 = L(a,p) L(a,q) = ( 1)( 1). Quadratic reciprocity law: n and m are odd with gcd(n,m) = 1, J(m,n) = ( 1) (m 1)(n 1)/4 J(n,m). J(a,n): poly-time computable without prime factors ofn.

28 2016 Fall, Algebra and Number Theory p. 28 LetJ +1 n = {a Z n J(a,n) = 1}. LetJ 1 n = {a Z n J(a,n) = 1}. QR n J +1 n. Elements in J +1 n \QR n are called pseudo-squares of Z n. J 1 n QNR n. If an odd n = m 2 for some m,j(a,n) = 1 for alla. Otherwise, J +1 n = J 1 n = ϕ(n)/2.

29 2016 Fall, Algebra and Number Theory p. 29 Blum integer n = pq, where p mod 4 = q mod 4 = 3. 1 J +1 n, but 1 QR n. J +1 n = J 1 n = ϕ(n)/2. QR n = ϕ(n)/4. J +1 n QR n = J +1 n QNR n = ϕ(n)/4.

30 2016 Fall, Algebra and Number Theory p. 30 QR assumption J(a,n) leaks information about a. LetB m be the set of Blum integers ofm-bit length. Assumption 12 No probabilistic poly-time algorithm can solve the problem: given a Blum integernand a number a with J(a,n) = 1, determine whethera QR n. Formally, for any probabilistic poly-time algorithm A, for any k > 0, there ism 0, for everym > m 0, Pr n Bm,a Zn,J(a,n)=1[A(a,n) = L(a,n)] 1/2+1/m k.

31 2016 Fall, Algebra and Number Theory p. 31 Primes 1. π(x) = {p x p is prime} x ln(x). The density 1/ln(x) is quite high. 2. π b,c (x) = {p x p = bk +c is prime,k Z} 3. π b,c (x) x. ϕ(b)ln(x) = {p x p = bk +c is prime,k is prime} x. ϕ(b)ln(x/b)ln(x)

32 2016 Fall, Algebra and Number Theory p. 32 Solovay-Strassen primality test LetB n = {a Zn J(a,n) = a (n 1)/2 mod n}. B n is a subgroup of Zn. Ifnis an odd prime,b n = Zn. Fact: Ifnis not prime and B n = Zn, then n = p 1 p 2 p k.

33 2016 Fall, Algebra and Number Theory p. 33 Theorem 13 Ifnis an odd composite, B n ϕ(n)/2. Proof. By the above fact, we consider n = p 1 p 2...p k only. Letv QNR p1. Find x for: 1. x 1 (mod p 2 p 3 p k ), and 2. x v (mod p 1 ). If B n = Zn,J(a,n) = x (n 1)/2 mod n. Also, J(x,n) = J(x,p 1 )J(x,p 2 p 3 p n ) = J(v,p 1 )J(1,p 2 p 3 p k ) = 1. Therefore,x (n 1)/2 1 (mod p 2 p 3 p k ). This contradicts with x (n 1)/2 1 (mod p 2 p 3 p k ).

34 2016 Fall, Algebra and Number Theory p. 34 Algorithm Input: odd n>1; 1. Randomly selects a 1,a 2,...,a m Zn; 2. If a i B n 3. then output(composite) 4. else output (PRIME). Error probabilities Pr[output=PRIME n is not prime] 1/2 m. Pr[output=COMPOSITE n is prime] = 0.

35 2016 Fall, Algebra and Number Theory p. 35 Example Test if n = 221 is prime? Randomly choose a 1 = 47 and compute a (n 1)/2 mod n = mod 221 = 1 mod 221 and J(47,221) = 1 Randomly choose a 2 = 2 and compute a (n 1)/2 mod n = mod 221 = 30 mod 221 and J(2,221) = 1 Thus, 221 is not prime.

36 2016 Fall, Algebra and Number Theory p. 36 Rabin-Miller primality test Letn 1 = 2 t u,uis odd. LetB n = {b Zn θ(b,n) = 1}, where 1 if b u = 1 or b u2j = 1 for some 0 j t 1 θ(b,n) = 0 otherwise. B n is a subgroup of Zn. Ifnis an odd prime,b n = Zn. Ifnis odd and composite, B n ϕ(n)/4. Error probabilities Pr[output=PRIME n is not prime] 1/4 m. Pr[output=COMPOSITE n is prime] =.

37 2016 Fall, Algebra and Number Theory p. 37 Poly-time algorithm for Primality AKS algorithm, August, 2002 O(logn 12 ) Latest: O(logn 6 ) under some hypothesis. Principles: For any a Zp and 1 r p,pis prime if and only if (x a) p x p a (mod p,x r 1). (1) The following equation can be evaluated in O(r 2 log 3 p). (x a) p x p a (mod x r 1,p). (2)

38 2016 Fall, Algebra and Number Theory p. 38 Ifpis prime, Equation (2) holds for all(a,r). Ifpis composite, Equation (2) holds for a few(a,r). But, there are still too many(a,r) s (more than polynomial number) to check deterministically. For any p (prime or composite), there exists a primer of size O(log 6 p) such that - r 1 contains a prime factorq of size at leastr 1/2+δ for some constant δ > 0, and - q ord r (p) Ifpis composite, for any suchr, the numbersof a s that satisfy Equation (2) is smaller than O(r 1/2 logp). Ifpis prime, for any such r, all(a,r) s satisfy Equation (2).

39 2016 Fall, Algebra and Number Theory p. 39 Therefore, A deterministic poly-time algorithm for determining primality of p, is to find one suitable r and test(r,a 1 ),(r,a 2 ),...,(r,a s ) on Equation (2), for any distinct a 1,a 2,...,a s. If any of them does not satisfy, then p is not prime, else p is prime. This suitable r is small and can be found in polynomial-time. r = O(log 6 p) This s is small. s = O( rlogp).

40 2016 Fall, Algebra and Number Theory p. 40 Input: n > 1; 1. if (n is of forma b,b > 1), then return(composite); 2. r=2; 3. while (r < n) { 4. if (gcd(n,r) 1) then return(composite); 5. if (r is prime) 6. let q be the largest prime factor of r 1; 7. if (q 4 rlogn) and n (r 1)/q 1 (mod r), then break; 8. r=r+1; } 9. for a=1 to 2 rlogn 10. if ((x a) n x n a (mod x r 1,n)), then return (COMPOSITE); 11. return(prime).