Algebra and Number Theory

Transcription

1 2012 Fall, Algebra and Number Theory p. 1/37 Algebra and Number Theory Wen-Guey Tzeng Department of Computer Science National Chiao Tung University

2 2012 Fall, Algebra and Number Theory p. 2/37 Residues Letaand b be integers and n be a positive integer. a b: a divides b, or a is a divisor of b. gcd(a, b): greatest common divisor. Relatively prime a b: gcd(a, b) = 1. Prime factorization: n = p e 1 1 p e 2 2 p e k k, wherep i s are different primes. Euler s totient function is ϕ(n) = p e p e p e k 1 k S : the number of elements in the set S. (p 1 1)(p 2 1) (p k 1).

3 2012 Fall, Algebra and Number Theory p. 3/37 Definition 1 (congruent modulo) a b (mod n) if and only if n (a b). Definition 2 (congruent residue) For an integera, "r = a mod n", where r is the least non-negative integer such that a r (mod n). Equivalently, r = a a/n n. (a mod n±b mod n) mod n = (a±b) mod n. (a mod n b mod n) mod n = (a b) mod n. a±b a±c (mod n) b c (mod n). a b a c (mod n) and a n b c (mod n).

4 2012 Fall, Algebra and Number Theory p. 4/37 Euclidean algorithm Find gcd(a, b) efficiently. Find integers r and s with ra + sb = gcd(a, b) efficiently.

5 2012 Fall, Algebra and Number Theory p. 5/37 Related problems 1. Congruential residue: given a, b and n, solve ax b (mod n). Ifb = 1,x = a 1 mod n. 2. kth roots: given a and n, solve x k a (mod n) (or x = a 1/k mod n). 3. Primality test: given n, determine whether n is prime? 4. Factoring: given n, find all prime factors of n. 5. Discrete logarithm: given g,y and n, solve g x y (mod n) (or x = log g y mod n).

6 2012 Fall, Algebra and Number Theory p. 6/37 Efficiency 1. The runtime is polynomially proportional to the length (size) of the input. 2. For a given numbern, there are two measures: value val(n) (or simply, n) length (size) len(n) (or n ). 3. We have len(n) = log 2 val(n) Note thatval(n) = O(2 n ). For example,val(13) = 13 and len(13) = a b mod n is polynomial-time computable, with respect to len(a) + len(b) + len(n).

7 2012 Fall, Algebra and Number Theory p. 7/37 Chinese remainder theorem There is a solution for the equation system x r i (mod n i ),1 i m, wheren i n j for i j. Solution x = r 1 N 1 (N 1 1 mod n 1 )+ +r m N m (N 1 m mod n m), wheren i = n 1 n 2 n m /n i.

8 2012 Fall, Algebra and Number Theory p. 8/37 Isomorphism ψ : Z n Z n1 Z n2 Z nm ψ(x) (x mod n 1,x mod n 2,...,x mod n m ) Example n = pq,x (x mod p,x mod q) : Z n Z p Z q. Application to compute x = a b mod n we compute (x 1 = a b mod p,x 2 = a b mod q). Combine x 1,x 2 for x.

9 2012 Fall, Algebra and Number Theory p. 9/37 Group Group G = (S, ): a sets and an operator such that: 1. (Closure) For everyx,y S, x y S. 2. (Associativity) For every x, y, z S, (x y) z = x (y z). 3. (Identity) There ise S such that for everyx S, x e = e x = x. 4. (Inverse) For everyx S, there isy S such that x y = e. G is Abelian (or commutative) if for everyx,y S, x y = y x.

10 2012 Fall, Algebra and Number Theory p. 10/37 1. (Z,+): Z is the set of integers and+is the regular addition. 2. (Q\{0}, ): Q is the set of all rational numbers and is the regular multiplication. 3. (Z n,+): + Z n = {0,1,...,n 1} and + is the congruent addition (mod n). 4. (Zn, ): Zn = ({x x Z n,gcd(x,n) = 1}. is the congruent multiplication (modn). 5. (Z[x],+): Z[x] is the set of all polynomials with coefficients over Z and + is the addition of polynomials.

11 2012 Fall, Algebra and Number Theory p. 11/37 Finite group ord(g) or G : the number of elements in G. {}}{ g k = g g g. k Theorem 3 IfGis a finite group, g G,g G = e. Proof. LetG = {g 1,g 2,...,g m } and G g = {gg 1,gg 2,...,gg m }. We haveg g = G, which implies g 1 g 2 g m = gg 1 gg 2 gg m. Therefore,g 1 g 2 g m = g m g 1 g 2 g m, and thus g m = e.

12 2012 Fall, Algebra and Number Theory p. 12/37 (Fermat): a p 1 mod p = 1 for 1 a p 1. (Euler): a ϕ(n) mod n = 1 fora n. IfGis finite, for any g G,g i = g i mod G. For any g G,g 1 = g G 1.

13 2012 Fall, Algebra and Number Theory p. 13/37 Subgroup H = (S, ) is a subgroup of G = (S, ) if H is a group and S S. The smallest subgroup of G is({e}, ) and the largest subgroup is itself (S, ). Theorem 4 (Lagrange s Theorem) IfH is a subgroup of a finite group G, then ord(h) ord(g).

14 2012 Fall, Algebra and Number Theory p. 14/37 Corollary 5 Iford(G) is prime, G has only two trivial subgroups. Theorem 6 For any g G, g = {g i i 0} is a subgroup of G. Definition 7 The order ofg is the least n such that g n = e. Also, ord(g) = g.

15 2012 Fall, Algebra and Number Theory p. 15/37 Cyclic group A group G is cyclic if and only if there isg G with g = G. The elementg is called a generator (primitive root) of G. Every group G of a prime order is cyclic and every element in G {e} is a generator. Every subgroup H of a cyclic group is also cyclic with generator g ord(g)/ord(h). LetGbe cyclic and ord(g) = m. Then, g is a generator of G if and only if g m/p 1 for every prime factorpofm.

16 2012 Fall, Algebra and Number Theory p. 16/37 GroupZ p Zp is cyclic. ord(zp) is p 1, not prime. The number of generators isϕ(p 1). QR p = {a a x 2 has solutions } is a group. QNR p = {a a x 2 has no solutions} is not a group. For odd prime p, QR p = QNR p = (p 1)/2. Ifgcd(k,p 1) = 1, it is easy to compute the k-th root a 1/k mod p = a k mod p, wherekk = 1 (mod p 1).

17 2012 Fall, Algebra and Number Theory p. 17/37 Compute square roota 1/2 mod p Casep = 4k +3: a 1/2 = a (p+1)/4 mod p. Casep = 4k +1: let(p 1)/2 = 2 L r, r is odd. 1. Idea: find s > 0,a r b 2s = 1. Thus, a 1/2 = a (r+1)/2 b s. 2. Method: (a) Randomly find b QNR p, that is, b (p 1)/2 = 1. (b) Lety 0 = a 2Lr b s 0 = 1, s 0 = 0. For i = 1 to L do (wherey i = a 2L ir b s i = 1) if y 1/2 i 1 = a2l ir b s i 1/2 = 1 then s i = s i 1 /2 else s i = s i 1 /2+(p 1)/2 Note: All s i are even and ally i = 1. Think about! (c) y L = a r b s L = 1, wheres L is even.

18 2012 Fall, Algebra and Number Theory p. 18/37 Computea 1/2 mod pq 1. Compute x 1 = a 1/2 mod p and x 2 = a 1/2 mod q 2. By the CRT, we have a 1/2 = [x 1 q(q 1 mod p)+x 2 p(p 1 mod q)] mod pq.

19 2012 Fall, Algebra and Number Theory p. 19/37 Legendre symbol Definition 8 For an odd prime p and a Z, L(a,p) = ( a 1 if [a] QR p p ) = 1 if [a] QR p 0 if p a Euler s criteria: L(a,p) = a (p 1)/2 mod p. Quadratic reciprocity: for odd primespand q, L(p,q) L(q,p) = ( 1) (p 1)(q 1)/4. Multiplicative: L(ab, p) = L(a, p)l(b, p). L( 1,p) = 1 if and only if p mod 4 = 1. L(2,p) = 1 if and only if p mod 8 = ±1.

20 2012 Fall, Algebra and Number Theory p. 20/37 Euler s criterion Theorem 9 Letpbe prime. For any a Zp, a QR p if and only if a (p 1)/2 1 (mod p). Proof. ( ) Sincea QR p,a = b 2 mod p. Thus, a (p 1)/2 (b 2 ) (p 1)/2 1 (mod p). ( ) Letg be the generator of Zp and a = g i for some 1 i p 1. Thus, a (p 1)/2 g i(p 1)/2 1 (mod p). We havep 1 i(p 1)/2 i is even.

21 2012 Fall, Algebra and Number Theory p. 21/37 GroupG q of a prime orderq Merits: every element except1is a generator. Ifp = 2q +1, then the subgroup G q = QR p = {g 2 mod p g G} is a group of order q. Example: p = 11 = G 5 = {1,3,4,5,9} mod 11 The general form is p = kq +1, where q is a sufficiently large prime, say, 160 bits. Then, the subgroup G q = {g k g Zp } = {g g = e, or ord(g) = q} which is the kth residuosity.

22 2012 Fall, Algebra and Number Theory p. 22/37 DL assumption R n : the set ofn-bit primep = 2q+1, whereq is also prime. Assumption 10 No probabilistic poly-time algorithm can solve any significant portion of instances ofx = log g y mod p, where p = 2q +1 is prime and g,y G q. Formally, for any probabilistic poly-time algorithm A, for any k > 0, there is m 0, such that for any m > m 0, Pr p R m,g G q \{1},y G q [A(y,g,p) = log g y mod p] 1/m k.

23 2012 Fall, Algebra and Number Theory p. 23/37 GroupZ n Hard problems (ϕ(n) is unknown) 1. To find prime factorization ofn. 2. To determine quadratic residuosity over Zn. 3. To solve the kth root problem over Zn for any fixed k To find generators of Zn if Z n is cyclic. Zn is cyclic iff n = 2,4,p k, or 2p k, wherepis odd prime. For n = pq,a QR n if and only ifa QR p and a QR q.

24 2012 Fall, Algebra and Number Theory p. 24/37 Factoring n = pq and computingϕ(n) 1. Factoring n = pq computing ϕ(n): easy. 2. Computing ϕ(n) factoring n = pq: ϕ(n) = (p 1)(q 1) = n (p+q)+1. Leta = p+q = n ϕ(n)+1 and b = n = pq. Solve the quadratic equation x 2 ax+b = 0 forpand q.

25 2012 Fall, Algebra and Number Theory p. 25/37 Jacobi Symbol Definition 11 For an odd n = p e 1 1 p e 2 2 p e r r and a Z, J(a,n) = ( a n ) = L(a,p 1) e 1 L(a,p 2 ) e2 L(a,p r ) e r. Letn = pq. IfJ(a,n) = 1,a QNR n ; J(a,n) = 1 does not imply a QR n. Since it may be J(a,n) = 1 = L(a,p) L(a,q) = ( 1)( 1). Quadratic reciprocity law: n and m are odd with gcd(n,m) = 1, J(m,n) = ( 1) (m 1)(n 1)/4 J(n,m). J(a,n): poly-time computable without prime factors of n.

26 2012 Fall, Algebra and Number Theory p. 26/37 LetJ +1 n = {a Z n J(a,n) = 1}. LetJ 1 n = {a Z n J(a,n) = 1}. QR n J +1 n. Elements in J +1 n \QR n are called pseudo-squares of Z n. J 1 n QNR n. If an odd n = m 2 for somem, J(a,n) = 1 for alla. Otherwise, J +1 n = J 1 n = ϕ(n)/2.

27 2012 Fall, Algebra and Number Theory p. 27/37 Blum integer n = pq, wherep mod 4 = q mod 4 = 3. 1 J +1 n, but 1 QR n. J +1 n = J 1 n = ϕ(n)/2. QR n = ϕ(n)/4. J +1 n QR n = J +1 n QNR n = ϕ(n)/4.

28 2012 Fall, Algebra and Number Theory p. 28/37 QR assumption J(a,n) leaks information about a. LetB m be the set of Blum integers of m-bit length. Assumption 12 No probabilistic poly-time algorithm can solve the problem: given a Blum integer n and a number a with J(a,n) = 1, determine whether a QR n. Formally, for any probabilistic poly-time algorithm A, for any k > 0, there is m 0, for everym > m 0, Pr n Bm,a Zn,J(a,n)=1[A(a,n) = L(a,n)] 1/2+1/m k.

29 2012 Fall, Algebra and Number Theory p. 29/37 Primes 1. π(x) = {p x p is prime} x ln(x). The density 1/ln(x) is quite high. 2. π b,c (x) = {p x p = bk +c is prime,k Z} 3. π b,c (x) x. ϕ(b)ln(x) = {p x p = bk +c is prime,k is prime} x. ϕ(b)ln(x/b)ln(x)

30 2012 Fall, Algebra and Number Theory p. 30/37 Solovay-Strassen primality test LetB n = {a Z n J(a,n) = a(n 1)/2 mod n}. B n is a subgroup of Z n. Ifnis an odd prime,b n = Z n. Fact: If n is not prime and B n = Zn, then n = p 1 p 2 p k.

31 2012 Fall, Algebra and Number Theory p. 31/37 Theorem 13 Ifnis an odd composite, B n ϕ(n)/2. Proof. By the above fact, we consider n = p 1 p 2...p k only. Letv QNR p1. Find x for: 1. x 1 (mod p 2 p 3 p k ), and 2. x v (mod p 1 ). IfB n = Zn, J(x,n) = J(v,p 1 )J(1,p 2 p 3 p k ) = 1 = x (n 1)/2 mod n. Therefore,x (n 1)/2 1 (mod p 2 p 3 p k ). This contradicts with x (n 1)/2 1 (mod p 2 p 3 p k ).

32 2012 Fall, Algebra and Number Theory p. 32/37 Algorithm Input: odd n>1; 1. Randomly selectsa 1,a 2,...,a m Zn; 2. If some a i B n, output(composite); 3. Output (PRIME). Error probabilities Pr[output=PRIME n is not prime] 1/2 m. Pr[output=PRIME n is prime] = 1.

33 2012 Fall, Algebra and Number Theory p. 33/37 Example Test if n = 221 is prime? Randomly choose a 1 = 47 and compute a (n 1)/2 mod n = mod 221 = 1 mod 221 and J(47,221) = 1 Randomly choose a 2 = 2 and compute a (n 1)/2 mod n = mod 221 = 30 mod 221 and J(2,221) = 1 Thus, 221 is not prime.

34 2012 Fall, Algebra and Number Theory p. 34/37 Rabin-Miller primality test Letn 1 = 2 t u, u is odd. LetB n = {b Zn θ(b,n) = 1}, where 1 if b u = 1 orb u2j = 1 for some0 j t 1 θ(b,n) = 0 otherwise. B n is a subgroup of Zn. Ifnis an odd prime,b n = Zn. Ifnis odd and composite, B n ϕ(n)/4. Error probabilities Pr[output=PRIME n is not prime] 1/4 m. Pr[output=PRIME n is prime] = 1.

35 2012 Fall, Algebra and Number Theory p. 35/37 Poly-time algorithm for Primality AKS algorithm, March, 2003 O(logn 12 ) Latest: O(logn 6 ) Theorem 14 For any a Zp, p is prime if and only if (x a) p x p a (mod p). (1) Consider (x a) p x p a (mod x r 1,p). This can be evaluated in O(r 2 log 3 p). Ifpis prime, it holds for all(a,r).

36 2012 Fall, Algebra and Number Theory p. 36/37 Ifpis composite, it holds for a few (a,r). There exists a prime r of size O(log 6 p) such that - r 1 contains a prime factorq of size at leastr 1/2+δ for some constant δ > 0, and - q ord r (n) Ifpis composite, for any such r, the number of a s that satisfies the equation is smaller than O(r 1/2 logp). A deterministic poly-time algorithm for primality test is to find an (r,a) that does not satisfy (x a) p x p a (mod x r 1,p). The runtime iso(log 12 n).

37 2012 Fall, Algebra and Number Theory p. 37/37 Input: n > 1; 1. if (n is of form a b, b > 1), then return(composite); 2. r=2; 3. while (r < n) { 4. if (gcd(n,r) 1) then return(composite); 5. if (r is prime) 6. letq be the largest prime factor of r 1; 7. if (q 4 rlogn) and n (r 1)/q 1 (mod r), then break; 8. r=r+1; } 9. for a=1 to 2 rlogn 10. if ((x a) n x n a (mod x r 1,n)), then return (COMPOSITE); 11. return(prime).