A. Algebra and Number Theory

Transcription

1 A. Algebra and Number Theory Public-key cryptosystems are based on modular arithmetic. In this section, we summarize the concepts and results from algebra and number theory which are necessary for an understanding of the cryptographic methods. Textbooks on number theory and modular arithmetic include [HarWri79], [IreRos82], [Rose94], [Forster96] and [Rosen2000]. This section is also intended to establish notation. We assume that the reader is familiar with the elementary notions of algebra, such as groups, rings and fields. A.1 The Integers Z denotes the ring of integers; N = {z Z z > 0} denotes the subset of natural numbers. We first introduce the notion of divisors and the fundamental Euclidean algorithm which computes the greatest common divisor of two numbers. Definition A.1. Let a, b Z: 1. a divides b if there is some c Z, with b = ac. We write a b for a divides b. 2. d N is called the greatest common divisor of a and b, if: a. d a and d b. b. If t Z divides both a and b, then t divides d. The greatest common divisor is denoted by gcd(a, b). 3. If gcd(a, b) = 1, then a is called relatively prime to b, or prime to b for short. Theorem A.2 (Division with remainder). Let z, a Z, a 0. Then there are unique numbers q, r Z, such that z = q a + r and 0 r < a. Proof. In the first step, we prove that such q and r exist. If a > 0 and z 0, we may apply induction on z. For 0 z < a we obviously have z = 0 a + z. If z a, then, by induction, z a = q a + r for some q and r, 0 r < a, and hence z = (q + 1) a + r. If z < 0 and a > 0, then we have just shown the existence of an equation z = q a + r, 0 r < a. Then z = q a if r = 0, and z = q a r = q a a + (a r) = (q + 1) a + (a r) and

2 290 A. Algebra and Number Theory 0 < a r < a. If a < 0, then a > 0. Hence z = q ( a) + r = q a + r, with 0 r < a. To prove uniqueness, consider z = q 1 a + r 1 = q 2 a + r 2. Then 0 = (q 1 q 2 ) a + (r 1 r 2 ). Hence a divides (r 1 r 2 ). Since r 1 r 2 < a, this implies r 1 = r 2, and then also q 1 = q 2. Remark. r is called the remainder of z modulo a. We write z mod a for r. The number q is the (integer) quotient of z and a. We write z div a for q. The Euclidean Algorithm. Let a, b Z, a > b > 0. The greatest common divisor gcd(a, b) can be computed by an iterated division with remainder. Let r 0 := a, r 1 := b and r 0 = q 1 r 1 + r 2, 0 < r 2 < r 1, r 1 = q 2 r 2 + r 3, 0 < r 3 < r 2,. r k 1 = q k r k + r k+1, 0 < r k+1 < r k,.. r n 2 = q n 1 r n 1 + r n, 0 < r n < r n 1, r n 1 = q n r n + r n+1, 0 = r n+1. By construction, r 1 > r 2 >.... Therefore, the remainder becomes 0 after a finite number of steps. The last remainder 0 is the greatest common divisor, as is shown in the next proposition. Proposition A r n = gcd(a, b). 2. There are numbers d, e Z with gcd(a, b) = da + eb. Proof. 1. From the equations considered in reverse order, we conclude that r n divides r k, k = n 1, n In particular, r n divides r 1 = b and r 0 = a. Now let t be a divisor of a = r 0 and b = r 1. Then t r k, k = 2, 3,..., and hence t r n. Thus, r n is the greatest common divisor. 2. Iteratively substituting r k+1 by r k 1 q k r k, we get with integers d and e. r n = r n 2 q n 1 r n 1 = r n 2 q n 1 (r n 3 q n 2 r n 2 ) = (1 + q n 1 q n 2 ) r n 2 q n 1 r n 3. = da + eb, We have shown that the following algorithm, called Euclid s algorithm, outputs the greatest common divisor. abs(a) denotes the absolute value of a.

3 A.1 The Integers 291 Algorithm A.4. int gcd(int a, b) 1 while b 0 do 2 r a mod b 3 a b 4 b r 5 return abs(a) We now extend the algorithm, such that not only gcd(a, b) but also the coefficients d and e of the linear combination gcd(a, b) = da+eb are computed. For this purpose, we write the recursion using matrices ( rk r k+1 ) r k 1 = q k r k + r k+1 ( ) ( ) rk = Q k, where Q k =, k = 1,..., n. r k 1 q k Multiplying the matrices, we get ) ( rn r n+1 = Q n Q n 1... Q 1 ( r0 r 1 The first component of this equation yields the desired linear combination for r n = gcd(a, b). Therefore, we have to compute Q n Q n 1... Q 1. This is accomplished by iteratively computing the matrices ( ) ( ) Λ 0 =, Λ k = Λ k 1, k = 1,..., n, q k to finally get Λ n = Q n Q n 1... Q 1. In this way, we have derived the following algorithm, called the extended Euclidean algorithm. On inputs a and b it outputs the greatest common divisor and the coefficients d and e of the linear combination gcd(a, b) = da + eb. ).

4 292 A. Algebra and Number Theory Algorithm A.5. int array gcdcoef (int a, b) 1 λ 11 1, λ 22 1, λ 12 0, λ while b 0 do 3 q a div b 4 r a mod b 5 a b 6 b r 7 t 21 λ 21 ; t 22 λ 22 8 λ 21 λ 11 q λ 21 9 λ 22 λ 12 q λ λ 11 t λ 12 t return (abs(a), λ 11, λ 12 ) We analyze the running time of the Euclidean algorithm. Here we meet the Fibonacci numbers. Definition A.6. The Fibonacci numbers f n are recursively defined by f 0 := 0, f 1 := 1, f n := f n 1 + f n 2, for n 2. Remark. The Fibonacci numbers can be non-recursively computed using the formula f n = 1 (g n g n ), 5 where g and g are the solutions of the equation x 2 = x + 1: g := 1 ( 1 + ) 5 and g := 1 g = 1 2 g = 1 ( 1 ) 5. 2 See, for example, [Forster96]. Definition A.7. g is called the Golden Ratio. 1 Lemma A.8. For n 2, f n g n 2. In particular, the Fibonacci numbers grow exponentially fast. Proof. The statement is clear for n = 2. By induction on n, assuming that the statement holds for n, we get f n+1 = f n + f n 1 g n 2 + g n 3 = g n 3 (1 + g) = g n 3 g 2 = g n 1. Proposition A.9. Let a, b Z, a > b > 0. Assume that computing gcd(a, b) by the Euclidean algorithm takes n iterations (i.e., using n divisions with remainder). Then a f n+1 and b f n. 1 It is the proportion of length to width which the Greeks found most beautiful.

5 A.1 The Integers 293 Proof. Let r 0 := a, r 1 := b and consider r 0 = q 1 r 1 + r 2, r 1 = q 2 r 2 + r 3,.. r n 2 = q n 1 r n 1 + r n, r n 1 = q n r n, and f n+1 = f n + f n 1, f n = f n 1 + f n 2,.. f 3 = f 2 + f 1, f 2 = f 1. By induction, starting with i = n and descending, we show that r i f n+1 i. For i = n, we have r n f 1 = 1. Now assume the inequality proven for i. Then r i 1 = q i r i + r i+1 r i + r i+1 f n+1 i + f n+1 (i+1) = f n+1 (i 1). Hence a = r 0 f n+1 and b = r 1 f n. Notation. As is common use, we denote by x the greatest integer less than or equal to x (the floor of x), and by x the smallest integer greater than or equal to x (the ceiling of x). Corollary A.10. Let a, b Z. Then the Euclidean algorithm computes gcd(a, b) in at most log g (a) + 1 iterations. Proof. Let n be the number of iterations. From a f n+1 g n 1 (Lemma A.8) we conclude n 1 log g (a). The Binary Encoding of Numbers. Studying algorithms with numbers as inputs and outputs, we need binary encodings of numbers (and residues, see below). We always assume that integers n 0 are encoded in the standard way as unsigned integers: The sequence z k 1 z k 2... z 1 z 0 of bits z i {0, 1}, 0 i k 1, is the encoding of k 1 n = z 0 + z z k 2 2 k 2 + z k 1 2 k 1 = z i 2 i. If the leading digit z k 1 is not zero (i.e., z k 1 = 1), we call n a k-bit integer, and k is called the binary length of n. The binary length of n N is usually denoted by n. Of course, we only use this notation if it cannot be confused with the absolute value. The binary length of n N is log 2 (n) + 1. The numbers of binary length k are the numbers n N with 2 k 1 n 2 k 1. The Big-O Notation. To state estimates, the big-o notation is useful. Suppose f(k) and g(k) are functions of the positive integers k which take positive (not necessarily integer) values. We say that f(k) = O(g(k)) if there is a constant C such that f(k) C g(k) for all sufficiently large k. For i=0

6 294 A. Algebra and Number Theory example, 2k 2 + k + 1 = O(k 2 ) because 2k 2 + k + 1 4k 2 for all k 1. In our examples, the constant C is always small, and we use the big-o notation for convenience. We do not want to state a precise value of C. Remark. Applying the classical grade school methods, we see that adding and subtracting two k-bit numbers requires O(k) binary operations. Multiplication and division with remainder can be done with O(k 2 ) binary operations (see [Knuth98] for a more detailed discussion of time estimates for doing arithmetic). Thus, the greatest common divisor of two k-bit numbers can be computed by the Euclidean algorithm with O(k 3 ) binary operations. Next we will show that every natural number can be uniquely decomposed into prime numbers. Definition A.11. Let p N, p 2. p is called a prime (or a prime number) if 1 and p are the only positive divisors of p. A number n N which is not a prime is called a composite. Remark. If p is a prime and p ab, a, b Z, then either p a or p b. Proof. Assume that p does not divide a and does not divide b. Then there are d 1, d 2, e 1, e 2 Z, with 1 = d 1 p + e 1 a, 1 = d 2 p + e 2 b (Proposition A.3). Then 1 = d 1 d 2 p 2 + d 1 e 2 bp + e 1 ad 2 p + e 1 e 2 ab. If p divided ab, then p would divide 1, which is impossible. Thus, p does not divide ab. Theorem A.12 (Fundamental Theorem of Arithmetic). Let n N, n 2. There are pairwise distinct primes p 1,..., p r and exponents e 1,..., e r N, e i 1, i = 1,..., r, such that n = r i=1 p e i i. The primes p 1,..., p r and exponents e 1,..., e r are unique. Proof. By induction on n we obtain the existence of such a decomposition. n = 2 is a prime. Now assume that the existence is proven for numbers n. Either n + 1 is a prime or n + 1 = l m, with l, m < n + 1. By assumption, there are decompositions of l and m and hence also for n + 1. In order to prove uniqueness, we assume that there are two different decompositions of n. Dividing both decompositions by all common primes, we get (not necessarily distinct) primes p 1,..., p s and q 1,..., q t, with {p 1,..., p s } {q 1,..., q t } = and p 1... p s = q 1... q t. Since p 1 q 1... q t, we conclude from the preceding remark that there is an i, 1 i t, with p 1 q i. This is a contradiction.

7 A.2 Residues 295 A.2 Residues In public-key cryptography, we usually have to compute with remainders modulo n. This means that the computations take place in the residue class ring Z n. Definition A.13. Let n N, n 2: 1. a, b Z are congruent modulo n, written as a b mod n, if n divides a b. This means that a and b have the same remainder when divided by n: a mod n = b mod n. 2. Let a Z. [a] := {x Z x a mod n} is called the residue class of a modulo m. 3. Z n := {[a] a Z} is the set of residue classes modulo n. Remark. As is easily seen, congruent modulo n is a symmetric, reflexive and transitive relation, i.e., it is an equivalence relation. The residue classes are the equivalence classes. A residue class [a] is completely determined by one of its members. If a [a], then [a] = [a ]. An element x [a] is called a representative of [a]. Division with remainder by n yields the remainders 0,..., n 1. Therefore, there are n residue classes in Z n : Z n = {[0],..., [n 1]}. The integers 0,..., n 1 are called the natural representatives. The natural representative of [x] Z n is just the remainder (x mod n) of x modulo n (see division with remainder, Theorem A.2). If, in the given context, no confusion is possible, we sometimes identify the residue classes with their natural representatives. Since we will study algorithms whose inputs and outputs are residue classes, we need binary encodings of the residue classes. The binary encoding of [x] Z n is the binary encoding of the natural representative x mod n as an unsigned integer (see our remark on the binary encoding of non-negative integers in Section A.1). Definition A.14. By defining addition and multiplication as [a] + [b] = [a + b] and [a] [b] = [a b], Z n becomes a commutative ring, with unit element [1]. It is called the residue class ring modulo n. Remark. The sum [a] + [b] and the product [a] [b] do not depend on the choice of the representatives by which they are computed, as straightforward computations show. For example, let a [a] and b [b]. Then n a a and n b b. Hence n a + b (a + b), and therefore [a + b] = [a + b ].

8 296 A. Algebra and Number Theory Doing multiplications in a ring, we are interested in those elements which have a multiplicative inverse. They are called the units. Definition A.15. Let R be a commutative ring with unit element e. An element x R is called a unit if there is an element y R with x y = e. We call y a multiplicative inverse of x. The subset of units is denoted by R. Remark. The multiplicative inverse of a unit x is uniquely determined, and we denote it by x 1. The set of units R is a subgroup of R with respect to multiplication. Example. In Z, elements a and b satisfy a b = 1 if and only if both a and b are equal to 1, or both are equal to 1. Thus, 1 and 1 are the only units in Z. The residue class rings Z n contain many more units, as the subsequent considerations show. For example, if p is a prime then every residue class in Z p different from [0] is a unit. An element [x] Z n in a residue class ring is a unit if there is a residue class [y] Z n with [x] [y] = [1], i.e., n divides x y 1. Proposition A.16. An element [x] Z n is a unit if and only if gcd(x, n) = 1. The multiplicative inverse [x] 1 of a unit [x] can be computed using the extended Euclidean algorithm. Proof. If gcd(x, n) = 1, then there is an equation xb + nc = 1 in Z, and the coefficients b, c Z can be computed using the extended Euclidean algorithm A.5. The residue class [b] is an inverse of [x]. Conversely, if [x] is a unit, then there are y, k Z with x y = 1 + k n. This implies gcd(x, n) = 1. Corollary A.17. Let p be a prime. Then every [x] [0] in Z p is a unit. Thus, Z p is a field. Definition A.18. The subgroup Z n := {x Z n x is a unit in Z n } of units in Z n is called the prime residue class group modulo n. Definition A.19. Let M be a finite set. The number of elements in M is called the cardinality or order of M. It is denoted by M. We introduce the Euler phi function, which gives the number of units modulo n. Definition A.20. ϕ : N N, n Z n is called the Euler phi function or the Euler totient function. Proposition A.21 (Euler). ϕ(d) = n. d n

9 A.2 Residues 297 Proof. If d is a divisor of n, let Z d := {x 1 x n, gcd(x, n) = d}. Each k {1,..., n} belongs to exactly one Z d. Thus n = d n Z d. Since x x/ d is a bijective map from Z d to Z n/d, we have Z d = ϕ(n/ d ), and hence n = d n ϕ( n/ d ) = d n ϕ(d). Corollary A.22. Let p be a prime and k N. Then ϕ(p k ) = p k 1 (p 1). Proof. By Euler s result, ϕ(1) + ϕ(p) ϕ(p k ) = p k and ϕ(1) + ϕ(p) +...+ϕ(p k 1 ) = p k 1. Subtracting both equations yields ϕ(p k ) = p k p k 1 = p k 1 (p 1). Remarks: 1. By using the Chinese Remainder Theorem below (Section A.3), we will also get a formula for ϕ(n) if n is not a power of a prime (Corollary A.30). 2. At some points in the book we need a lower bound for the fraction ϕ(n)/ n of units in Z n. In [RosSch62] it is proven that ϕ(n) > n e γ 2.6, with Euler s constant γ = log(log(n)) + log(log(n)) This inequality implies, for example, that ϕ(n) > n 6 log(log(n)) for n , as a straightforward computation shows. The RSA cryptosystem is based on old results by Fermat and Euler. 2 These results are special cases of the following proposition. Proposition A.23. Let G be a finite group and e be the unit element of G. Then x G = e for all x G. Proof. Since we apply this result only to Abelian groups, we assume in our proof that the group G is Abelian. A proof for the general case may be found in most introductory textbooks on algebra. The map µ x : G G, g xg, multiplying group elements by x, is a bijective map (multiplying by x 1 is the inverse map). Hence, g, and this implies x G = e. g G g = g G xg = x G g G As a first corollary of Proposition A.23, we get Fermat s Little Theorem. Proposition A.24 (Fermat). Let p be a prime and a Z be a number that is prime to p (i.e., p does not divide a). Then a p 1 1 mod p. 2 Pierre de Fermat ( ) and Leonhard Euler ( ).

10 298 A. Algebra and Number Theory Proof. The residue class [a] of a modulo p is a unit, because a is prime to p (Proposition A.16). Since Z p = p 1 (Corollary A.17), we have [a] p 1 = 1 by Proposition A.23. Remark. Fermat stated a famous conjecture known as Fermat s Last Theorem. It says that the equation x n + y n = z n has no solutions with non-zero integers x, y and z, for n 3. For more than 300 years, Fermat s conjecture was one of the outstanding challenges of mathematics. It was finally proven in 1995 by Andrew Wiles. Euler generalized Fermat s Little Theorem. Proposition A.25 (Euler). Let n N and let a Z be a number that is prime to n. Then a ϕ(n) 1 mod n. Proof. It follows from Proposition A.23, in the same way as Proposition A.24. The residue class [a] of a modulo n is a unit and Z n = ϕ(n). Fast Modular Exponentiation. In cryptography, we often have to compute a power x e or a modular power x e mod n. This can be done efficiently by the fast exponentiation algorithm. The idea is that if the exponent e is a power of 2, say e = 2 k, then we can exponentiate by successively squaring: x e = x 2k = ((((... (x 2 ) 2 ) 2...) 2 ) 2 ) 2. In this way we compute x e by k squarings. For example, x 16 = (((x 2 ) 2 ) 2 ) 2. If the exponent is not a power of 2, then we use its binary representation. Assume that e is a k-bit number, 2 k 1 e < 2 k. Then Hence, e = 2 k 1 e k k 2 e k e e 0, (with e k 1 = 1) = (2 k 2 e k k 3 e k e 1 ) 2 + e 0 = (... ((2e k 1 + e k 2 ) 2 + e k 3 ) e 1 ) 2 + e 0. x e = x (...((2e k 1+e k 2 ) 2+e k 3 ) e 1 ) 2+e 0 = = (x (...((2e k 1+e k 2 )) 2+e k 3 ) e 1 ) 2 x e 0 = = (... (((x 2 x e k 2 ) 2 x e k 3 ) 2...) 2 x e 1 ) 2 x e 0. We see that x e can be computed in k 1 steps, with each step consisting of squaring the intermediate result and, if the corresponding binary digit e i of e is 1, an additional multiplication by x. If we want to compute the modular power x e mod n, then we take the remainder modulo n after each squaring and multiplication: x e mod n = (... (((x 2 x e k 2 mod n) 2 x e k 3 mod n) 2...) 2 x e1 mod n) 2 x e0 mod n. We obtain the following algorithm for fast modular exponentiation.

11 A.3 The Chinese Remainder Theorem 299 Algorithm A.26. int ModPower(int x, e, n) 1 y x; 2 for i BitLength(e) 2 downto 0 do 3 y y 2 x Bit(e,i) mod n 4 return y In particular, we get Proposition A.27. Let l = log 2 e. The computation of x e mod n can be done by l squarings, l multiplications and l divisions. Proof. The binary length k of e is log 2 (e) + 1. A.3 The Chinese Remainder Theorem The Chinese Remainder Theorem provides a method of solving systems of congruences. The solutions can be found using an easy and efficient algorithm. Theorem A.28. Let n 1,..., n r N be pairwise relatively prime numbers, i.e., gcd(n i, n j ) = 1 for i j. Let b 1, b 2,..., b r be arbitrary integers. Then there is an integer b such that b b i mod n i, i = 1,..., r. Furthermore, the remainder b mod n is unique, where n = n 1... n r. The statement means that there is a one-to-one correspondence between the residue classes modulo n and tuples of residue classes modulo n 1,..., n r. This one-to-one correspondence preserves the additive and multiplicative structure. Therefore, we have the following ring-theoretic formulation of Theorem A.28. Theorem A.29 (Chinese Remainder Theorem). Let n 1,..., n r N be pairwise relatively prime numbers, i.e., gcd(n i, n j ) = 1, for i j. Let n = n 1... n r. Then the map ψ : Z n Z n1... Z nr, [x] ([x mod n 1 ],..., [x mod n r ]) is an isomorphism of rings. Remark. Before we give a proof, we review the notion of an isomorphism. It means that ψ is a homomorphism and bijective. Homomorphism means that ψ preserves the additive and multiplicative structure. More precisely, a map f : R R between rings with unit elements e and e is called a (ring) homomorphism if f(e) = e and f(a + b) = f(a) + f(b), f(a b) = f(a) f(b) for all a, b R.

12 300 A. Algebra and Number Theory If f is a bijective homomorphism, then, automatically, the inverse map g = f 1 is also a homomorphism. Namely, let a, b R. Then a = f(a) and b = f(b), and g(a b ) = g(f(a) f(b)) = g(f(a b)) = a b = g(a ) g(b ) (analogously for + instead of ). Being an isomorphism, as ψ is, is an extremely nice feature. It means, in particular, that a is a unit in R if and only if f(a) is a unit R (to see this, compute e = f(e) = f(a a 1 ) = f(a) f(a 1 ), hence f(a 1 ) is an inverse of f(a)). And the same equations hold in domain and range. For example, we have a 2 = b in R if and only if f(a) 2 = f(b) (note that f(a) 2 = f(a 2 )). Thus, b is a square if and only if f(b) is a square (we will use this example in Section A.7). Isomorphism means that the domain and range may be considered to be the same for all questions concerning addition and multiplication. Proof (of Theorem A.29). Since each n i divides n, the map is well defined, and it obviously is a ring homomorphism. The domain and range of the map have the same cardinality (i.e., they contain the same number of elements). Thus, it suffices to prove that ψ is surjective. Let t i := n/ ni = k i n k. Then t i 0 mod n k for all k i, and gcd(t i, n i ) = 1. Hence, there is a d i Z with d i t i 1 mod n i (Proposition A.16). Setting u i := d i t i, we have u i 0 mod n k, for all k i, and u i 1 mod n i. This means that the element (0,..., 0, 1, 0,..., 0) (the i-th component is 1, all other components are 0) is in the image of ψ. If ([x 1 ],..., [x r ]) Z n1... Z nr is an arbitrary element, then ψ( r i=1 x i u i ) = ([x 1 ],..., [x r ]). Remarks: 1. Actually, the proof describes an efficient algorithm for computing a number b, with b b i mod n i, i = 1,..., r (recall our first formulation of the Chinese Remainder Theorem in Theorem A.28). In a preprocessing step, the inverse elements [d i ] = [t i ] 1 are computed modulo n i using the extended Euclidean algorithm (Proposition A.16). Then b can be computed as b = r i=1 b i d i t i, for any given integers b i, 1 i r. We mainly apply the Chinese Remainder Theorem with r = 2 (for example, in the RSA cryptosystem). Here we simply compute coefficients d and e with 1 = d n 1 + e n 2 (using the extended Euclidean algorithm A.5), and then b = d n 1 b 2 + e n 2 b The Chinese Remainder Theorem can be used to make arithmetic computations modulo n easier and (much) more efficient. We map the operands to Z n1... Z nr by ψ and do our computation there. Z n1... Z nr is a direct product of rings. Addition and multiplication are done componentwise, i.e., we perform the computation modulo n i, for i = 1,..., r.

13 A.4 Primitive Roots and the Discrete Logarithm 301 Here we work with (much) smaller numbers. 3 Finally, we map the result back to Z n by ψ 1 (which is easily done, as we have seen in the preceding remark). As a corollary of the Chinese Remainder Theorem, we get a formula for Euler s phi function for composite inputs. Corollary A.30. Let n N and n = p e pe r r into primes (as stated in Theorem A.12). Then: 1. Z n is isomorphic to Z e p Z p er. r 2. Z n is isomorphic to Z p e 1... Z 1 p. e r r In particular, we have for Euler s phi function that r ) ϕ(n) = n (1 1pi. i=1 be the decomposition of n Proof. The ring isomorphism of Theorem A.29 induces, in particular, an isomorphism on the units. Hence, ϕ(n) = ϕ(p e1 1 )... ϕ(pe r r ), and the formula follows from Corollary A.22. A.4 Primitive Roots and the Discrete Logarithm Definition A.31. Let G be a finite group and let e be the unit element of G. Let x G. The smallest n N with x n = e is called the order of x. We write this as ord(x). Remark. There are exponents n N, with x n = e. Namely, since G is finite, there are exponents m and m, m < m, with x m = x m. Then m m > 0 and x m m = e. Lemma A.32. Let G be a finite group and x G. Let n N with x n = e. Then ord(x) divides n. Proof. Let n = q ord(x) + r, 0 r < ord(x) (division with remainder). Then x r = e. Since 0 r < ord(x), this implies r = 0. Corollary A.33. Let G be a finite group and x G. Then ord(x) divides the order G of G. Proof. By Proposition A.23, x G = e. Lemma A.34. Let G be a finite group and x G. Let l Z and d = gcd(l, ord(x)). Then ord(x l ) = ord(x)/ d. 3 For example, if n = pq (as in an RSA scheme) with 512-bit numbers p and q, then we compute with 512-bit numbers instead of with 1024-bit numbers.

14 302 A. Algebra and Number Theory Proof. Let r = ord(x l ). From (x l ) ord(x)/d = (x ord(x) ) l/d = e we conclude r ord(x)/ d. Choose numbers a and b with d = a l + b ord(x) (Proposition A.3). From x r d = x r a l+r b ord(x) = x l r a = e, we derive ord(x) r d. Definition A.35. Let G be a finite group. G is called cyclic if there is an x G which generates G, i.e., G = {x, x 2, x 3,..., x ord(x) 1, x ord(x) = e}. Such an element x is called a generator of G. Theorem A.36. Let p be a prime. Then Z p is cyclic, and the number of generators is ϕ(p 1). Proof. For 1 d p 1, let S d = {x Z p ord(x) = d} be the units of order d. If S d, let a S d. The equation X d 1 has at most d solutions in Z p, since Z p is a field (Corollary A.17). Hence, the solutions of X d 1 are just the elements of A := {a, a 2,..., a d }. Each x S d is a solution of X d 1, and therefore S d A. Using Lemma A.34 we derive that S d = {a c 1 c < d, gcd(c, d) = 1}. In particular, we conclude that S d = ϕ(d) if S d (and an a S d exists). By Fermat s Little Theorem (Proposition A.24), Z p is the disjoint union of the sets S d, d p 1. Hence Z p = p 1 = d p 1 S d. On the other hand, p 1 = d p 1 ϕ(d) (Proposition A.21), and we see that S d = ϕ(d) must hold for all divisors d of p 1. In particular, S p 1 = ϕ(p 1). This means that there are ϕ(p 1) generators of Z p. Definition A.37. Let p be a prime. A generator g of the cyclic group Z p is called a primitive root of Z p or a primitive root modulo p. Remark. It can be proven that Z n is cyclic if and only if n is one of the following numbers: 1, 2, 4, p k or 2p k ; p a prime, p 3, k 1. Proposition A.38. Let p be a prime. Then x Z p is a primitive root if and only if x (p 1)/q [1] for every prime q which divides p 1. Proof. An element x is a primitive root if and only if x has order p 1. Since ord(x) divides p 1 (Corollary A.33), either x (p 1)/q = [1] for some prime divisor q of p 1 or ord(x) = p 1. We may use Proposition A.38 to generate a primitive root for those primes p for which we know (or can efficiently compute) the prime factors of p 1. Algorithm A.39. int PrimitiveRoot(prime p) 1 Randomly choose an integer g, with 0 < g < p 1 2 if g (p 1) div q 1 mod p, for all primes q dividing p 1 3 then return g 4 else go to 1

15 A.4 Primitive Roots and the Discrete Logarithm 303 Since ϕ(p 1) > (p 1)/ 6 log(log(p 1)) (see Section A.2), we expect to find a primitive element after O(log(log(p))) iterations (see Lemma B.12). No efficient algorithm is known for the computation of primitive roots for arbitrary primes. The problem is to compute the prime factors of p 1, which we need in Algorithm A.39. Often there are primitive roots which are small. Algorithm A.39 is used, for example, in the key-generation procedure of the ElGamal cryptosystem (see Section 3.5.1). There the primes p are chosen in such a way that the prime factors of p 1 can be derived efficiently. Lemma A.40. Let p be a prime and let q be a prime that divides p 1. Then the set G q = {x Z p ord(x) = q or x = [1]}, which consists of the unit element [1] and the elements of order q, is a subgroup of Z p. G q is a cyclic group, and every element x Z p of order q, i.e., every element x G q, x [1], is a generator. G q is generated, for example, by g (p 1)/q, where g is a primitive root modulo p. G q is the only subgroup of G of order q. Proof. Let x, y G q. Then (xy) q = x q y q = [1], and therefore ord(xy) divides q. Since q is a prime, we conclude that ord(xy) is 1 or q. Thus xy G q, and G q is a subgroup of Z p. Let h Z p be an element of order q, for example, h := g p 1/q, where g is a primitive root modulo p. Then {h 0, h 1, h 2,... h q 1 } G q. The elements of G q are solutions of the equation X q 1 in Z p. This equation has at most q solutions in Z p, since Z p is a field (Corollary A.17). Therefore {h 0, h 1, h 2,... h q 1 } = G q, and h is a generator of G q. If H is any subgroup of order q and z H, z [1], then ord(z) divides q, and hence ord(z) = q, because q is a prime. Thus z G q, and we conclude that H = G q. Computing Modulo a Prime. The security of many cryptographic schemes is based on the discrete logarithm assumption, which says that x g x mod p is a one-way function. Here p is a large prime and the base element g is 1. either a primitive root modulo p, i.e., a generator of Z p, or 2. it is an element of order q in Z p, i.e., a generator of the subgroup G q of order q, and q is a (large) prime that divides p 1. Examples of such schemes which we discuss in this book are ElGamal s encryption and digital signatures, the digital signature standard DSS (see Section 3.5), commitment schemes (see Section 4.3.2), electronic elections (see Section 4.4) and digital cash (see Section 4.5). When setting up such schemes, generators g of Z p or G q have to be selected. This can be difficult or even infeasible in the first case, because we must know the prime factors of p 1 in order to test whether a given element g is a primitive root (see Algorithm A.39 above). On the other hand, it is easy to find a generator g of G q. We simply take a random element h Z p and set g := h (p 1)/q. The order of g divides q, because g q = h p 1 = [1].

16 304 A. Algebra and Number Theory Since q is a prime, we conclude that ord(g) = 1 or ord(g) = q. Therefore, if g [1], then ord(g) = q and g is a generator of G q. To implement cryptographic operations, we have to compute in Z p or in the subgroup G q. The following rules simplify these computations. 1. Let x Z p. Then x k = x k, if k k mod (p 1). In particular, x k = x k mod (p 1), i.e., exponents can be reduced by modulo (p 1), and x k = x p 1 k. 2. Let x Z p be an element of order q, i.e., x G q. Then x k = x k, if k k mod q. In particular, x k = x k mod q, i.e., exponents can be reduced by modulo q, and x k = x q k. The rules state that the exponents are added and multiplied modulo (p 1) or modulo q. The rules hold, because x p 1 = [1] for x Z p (Proposition A.24) and x q = [1] for x G q, which implies that x k+l (p 1) = x k x l (p 1) = x k ( x p 1) l = x k [1] l = x k for x Z p and x k+l q = x k x l q = x k (x q ) l = x k [1] l = x k for x G q. These rules can be very useful in computations. For example, let x Z p and k {0, 1,..., p 2}. Then you can compute the inverse x k of x k by raising x to the (p 1 k)-th power, x k = x p 1 k, without explicitly computing an inverse by using, for example, the Euclidean algorithm. Note that (p 1 k) is a positive exponent. Powers of x are efficiently computed by the fast exponentiation algorithm (Algorithm A.26). In many cases it is also possible to compute the k-th root of elements in Z p. 1. Let x Z p and k N with gcd(k, p 1) = 1, i.e., k is a unit modulo p 1. Let k 1 be the inverse of k modulo p 1, i.e., k k 1 1 mod (p 1). ( Then x k 1) k = x, i.e., x k 1 is a k-th root of x in Z p. 2. Let x Z p be an element of order q, i.e., x G q, and k N with 1 k < q. Let k 1 be the inverse of k modulo q, i.e., k k 1 1 mod q. ( Then x k 1) k = x, i.e., x k 1 is a k-th root of x in Z p. It is common practice to denote the k-th root x k 1 by x 1/k. You can apply analogous rules of computation to elements g k in any finite group G. Proposition A.23, which says that g G is the unit element, implies that exponents k are added and multiplied modulo the order G of G. A.5 Polynomials and Finite Fields A finite field is a field with a finite number of elements. In Section A.2, we met examples of finite fields: The residue class ring Z n is a field, if and only

17 A.5 Polynomials and Finite Fields 305 if n is a prime. The fields Z p, p a prime number, are called the finite prime fields, and they are also denoted by F p. Finite fields are extensions of these prime fields. Field extensions are constructed by using polynomials. So we first study the ring of polynomials with coefficients in a field k. A.5.1 The Ring of Polynomials Let k[x] be the ring of polynomials in one variable X over a (not necessarily finite) field k. The elements of k[x] are the polynomials F (X) = a 0 + a 1 X + a 2 X a d X d = d a i X i, with coefficients a i k, 0 i d. If we assume that a d 0, then the leading term a d X d really appears in the polynomial, and we call d the degree of F, deg(f ) for short. The polynomials of degree 0 are just the elements of k. The polynomials in k[x] are added and multiplied as usual: 1. We add two polynomials F = d i=0 a ix i and G = e i=0 b ix i, assume d e, by adding the coefficients (set a i = 0 for d < i e): F + G = e (a i + b i )X i. i=0 2. The product of two polynomials F = d i=0 a ix i and G = e i=0 b ix i is ( de i ) F G = a k b i k X i. i=0 With this addition and multiplication, k[x] becomes a commutative ring with unit element. The unit element of k[x] is the unit element 1 of k. The ring k[x] has no zero divisors, i.e., if F and G are non-zero polynomials, then the product F G is also non-zero. The algebraic properties of the ring k[x] of polynomials are analogous to the algebraic properties of the ring of integers. Analogously to Definition A.1, we define for polynomials F and G what it means that F divides G and the greatest common divisor of F and G. The greatest common divisor is unique up to a factor c k, c 0, i.e., if A is a greatest common divisor of F and G, then c A is also a greatest common divisor, for c k = k \ {0}. A polynomial F is (relatively) prime to G if the only common divisors of F and G are the units k of k. Division with remainder works as with the integers. The difference is that the size of a polynomial is measured by using the degree, whereas the absolute value was used for an integer. k=0 i=0

18 306 A. Algebra and Number Theory Theorem A.41 (Division with remainder). Let F, G k[x], G 0. Then there are unique polynomials Q, R k[x], such that F = Q G + R and 0 deg(r) < deg(g). Proof. The proof runs exactly in the same way as the proof of Theorem A.2: Replace the absolute value with the degree. R is called the remainder of F modulo G. We write F mod G for R. The polynomial Q is the quotient of F and G. We write F div G for Q. You can compute a greatest common divisor of polynomials F and G by using the Euclidean algorithm, and the extended Euclidean algorithm yields the coefficients C, D k[x] of a linear combination A = C F + D G, with A a greatest common divisor of F and G. If you have obtained such a linear combination for one greatest common divisor, then you immediately get a linear combination for any other greatest common divisor by multiplying with a unit from k. In particular, if F is prime to G, then the extended Euclidean algorithm computes a linear combination 1 = C F + D G. We also have the analogue of prime numbers. Definition A.42. Let P k[x], P k. P is called irreducible (or a prime) if the only divisors of P are the elements c k and c P, c k, or, equivalently, if whenever one can write P = F G with F, G k[x], then F k or G k. A polynomial Q k[x] which is not irreducible is called reducible or a composite. As the ring Z of integers, the ring k[x] of polynomials is factorial, i.e., every element has a unique decomposition into irreducible elements. Theorem A.43. Let F k[x], F 0, be a non-zero polynomial. There are pairwise distinct irreducible polynomials P 1,..., P r, r 0, exponents e 1,..., e r N, e i 1, i = 1,..., r, and a unit u k, such that F = u r i=1 P ei i. This factorization is unique in the following sense: If s F = v i=1 is another factorization of F, then we have r = s, and after a permutation of the indices i we have Q i = u i P i, with u i k, and e i = f i for 1 i r. Q f i i

19 A.5 Polynomials and Finite Fields 307 Proof. The proof runs in the same way as the proof of the Fundamental Theorem of Arithmetic (Theorem A.12). A.5.2 Residue Class Rings As in the ring of integers, we can consider residue classes in k[x] and residue class rings. Definition A.44. Let P k[x] be a polynomial of degree 1: 1. F, G k[x] are congruent modulo P, written as F G mod P, if P divides F G. This means that F and G have the same remainder when divided by P, i.e., F mod P = G mod P. 2. Let F k[x]. [F ] := {G k[x] G F mod P } is called the residue class of F modulo P. As before, congruent modulo is an equivalence relation, the equivalence classes are the residue classes, and the set of residue classes k[x]/p k[x] := {[F ] F k[x]} is a ring. Residue classes are added and multiplied by adding and multiplying a representative: [F ] + [G] := [F + G], [F ] [G] := [F G]. We also have a natural representative of [F ], the remainder F mod P of F modulo P : [F ] = [F mod P ]. As remainders modulo P, we get all the polynomials which have a degree < deg(p ). Therefore, we have a one-to-one correspondence between k[x]/p k[x] and the set of residues {F k[x] deg(f ) < deg(p )}. We often identify both sets: k[x]/p k[x] = {F k[x] deg(f ) < deg(p )}. Two residues F and G are added or multiplied by first adding or multiplying them as polynomials and then taking the residue modulo P. Since the sum of two residues F and G has a degree < deg(p ), it is a residue, and we do not have to reduce. After a multiplication, we have, in general, to take the remainder. Addition : (F, G) F + G, Multiplication : (F, G) F G mod P. Let n := deg(p ) be the degree of P. The residue class ring k[x]/p k[x] is an n-dimensional vector space over k. A basis of this vector space is given by the elements [1], [X], [X 2 ],..., [X n 1 ]. If k is a finite field with q elements, then k[x]/p k[x] consists of q n elements.

20 308 A. Algebra and Number Theory Example. Let k = F 2 = Z 2 = {0, 1} be the field with two elements 0 and 1 consisting of the residues modulo 2, and P := X 8 + X 4 + X 3 + X + 1 k[x]. The elements of k[x]/p k[x] may be identified with the binary polynomials b 7 X 7 + b 6 X b 1 X + b 0, b i {0, 1}, 0 i 7, of degree 7. The ring k[x]/p k[x] contains 2 8 = 256 elements. We have, for example, (X 6 + X 3 + X 2 + 1) (X 5 + X 2 + 1) = X 11 + X 7 + X 6 + X 4 + X = X 3 (X 8 + X 4 + X 3 + X + 1) mod (X 8 + X 4 + X 3 + X + 1). Thus, X 6 +X 3 +X 2 +1 is a unit in k[x]/p k[x], and its inverse is X 5 +X We may characterize units as in the integer case. Proposition A.45. An element [F ] k[x]/p k[x] is a unit if and only if F is prime to P. The multiplicative inverse [F ] 1 of a unit [F ] can be computed using the extended Euclidean algorithm. Proof. The proof is the same as the proof in the integer case (see Proposition A.16). Recall that the inverse may be calculated as follows: If F is prime to P, then the extended Euclidean algorithm produces a linear combination C F + D P = 1, with polynomials C, D k[x]. We see that C F 1 mod P. Hence, [C] is the inverse [F ] 1. If the polynomial P is irreducible, then all residues modulo P, i.e., all polynomials with a degree < deg(p ), are prime to P. So we get the same corollary as in the integer case. Corollary A.46. Let P be irreducible. Then every [F ] [0] in k[x]/p k[x] is a unit. Thus, k[x]/p k[x] is a field. Remarks: 1. Let P be an irreducible polynomial of degree n. The field k is a subset of the larger field k[x]/p k[x]. We therefore call k[x]/p k[x] an extension field of k of degree n. 2. If P is reducible, then P = F G, with polynomials F, G of degree < deg(p ). Then [F ] [0] and [G] [0], but [F ] [G] = [P ] = [0]. [F ] and [G] are zero divisors. They have no inverse, and we see that k[x]/p k[x] is not a field. A.5.3 Finite Fields Now, let k = Z p = F p be the prime field of residues modulo p, p Z a prime number, and let P F p [X] be an irreducible polynomial of degree

21 A.5 Polynomials and Finite Fields 309 n. Then k[x]/p k[x] = F p [X]/P F p [X] is an extension field of F p. It is an n-dimensional vector space over F p, and it contains p n elements. In general, there is more than one irreducible polynomial of degree n over F p. Therefore there are more finite fields with p n elements. For example, if Q F p [X] is another irreducible polynomial of degree n, Q cp for all c k, then F p [X]/QF p [X] is a field with p n elements, different from k[x]/p k[x]. But one can show that all the finite fields with p n elements are isomorphic to each other in a very natural way. As the mathematicians state it, up to canonical isomorphism, there is only one finite field with p n elements. It is denoted by F p n or by GF(p n ). 4 If you need a concrete representation of F p n, then you choose an irreducible polynomial P F p [X] of degree n, and you have F p n = F p [X]/P F p [X]. But there are different representations, reflecting your degrees of freedom when choosing the irreducible polynomial. One can also prove that in every finite field k, the number k of elements in k must be a power p n of a prime number p. Therefore, the fields F p n are all the finite fields that exist. In cryptography, finite fields play an important role in many places. For example, the classical ElGamal cryptosystems are based on the discrete logarithm problem in a finite prime field (see Section 3.5), the elliptic curves used in cryptography are defined over finite fields, and the basic encryption operations of the Advanced Encryption Standard AES are algebraic operations in the field F 2 8 with 2 8 elements. The AES is discussed in this book (see Section 2.2.2). This motivates the following closer look at the fields F 2 n. We identify F 2 = Z 2 = {0, 1}. Let P = X n + a n 1 X n a 1 X + a 0, a i {0, 1}, 0 i n 1 be a binary irreducible polynomial of degree n. Then F 2 n = F p [X]/P F p [X], and we may consider the binary polynomials A = b n 1 X n 1 +b n 2 X n b 1 X +b 0 of degree n 1 (b i {0, 1}, 0 i n 1) as the elements of F 2 n. Adding two of these polynomials in F 2 n means to add them as polynomials, and multiplying them means to first multiply them as polynomials and then take the remainder modulo P. Now we can represent the polynomial A by the n-dimensional vector b n 1 b n 2... b 1 b 0 of its coefficients. In this way, we get a binary representation of the elements of F 2 n; the elements of F 2 n are just the bit strings of length n. To add two of these elements means to add them as binary vectors, i.e., you add them bitwise modulo 2, which is the same as bitwise XORing: b n 1 b n 2... b 1 b 0 + c n 1 c n 2... c 1 c 0 = (b n 1 c n 1 )(b n 2 c n 2 )... (b 1 c 1 )(b 0 c 0 ). To multiply two elements is more complicated: You have to convert the bit strings to polynomials, multiply them as polynomials, reduce modulo P and 4 Finite fields are also called Galois fields, in honor of the French mathematician Évariste Galois ( ).

22 310 A. Algebra and Number Theory take the coefficients of the remainder. The 0-element of F 2 n is and the 1-element is In the Advanced Encryption Standard AES, encryption depends on algebraic operations in the finite field F 2 8. The irreducible binary polynomial P := X 8 + X 4 + X 3 + X + 1 is taken to represent F 2 8 as F 2 [X]/P F 2 [X] (we already used this polynomial in an example above). Then the elements of F 2 8 are just strings of 8 bits. In this way, a byte is an element of F 2 8 and vice versa. One of the core operations of AES is the so-called S-Box. The AES S-Box maps a byte x to its inverse x 1 in F 2 8 and then modifies the result by an F 2 -affine transformation (see Section 2.2.2). We conclude this section with examples for adding, multiplying and inverting bytes in F = , = , = , = As is common practice, we sometimes represent a byte and hence an element of F 2 8 by two hexadecimal digits. Then the examples read as follows: 4D + 25 = 68, BD 69 = FC, 4D 25 = 01, 4D 1 = 25. A.6 Quadratic Residues We will study the question as to which of the residues modulo n are squares. Definition A.47. Let n N and x Z. We call that x is a quadratic residue modulo n if there is an element y Z with x y 2 mod n. Otherwise, x is called a quadratic non-residue modulo n. Examples: 1. The numbers 0, 1, 4, 5, 6 and 9 are the quadratic residues modulo The numbers 0, 1, 3, 4, 5 and 9 are the quadratic residues modulo 11. Remark. The property of being a quadratic residue depends only on the residue class [x] Z n of x modulo n. An integer x is a quadratic residue modulo n if and only if its residue class [x] is a square in the residue class ring Z n (i.e., if and only if there is some [y] Z n with [x] = [y] 2 ). The residue class [x] is often also called a quadratic residue. In most cases we are only interested in the quadratic residues x which are units modulo n (i.e., x and n are relatively prime, see Proposition A.16).

23 A.6 Quadratic Residues 311 Definition A.48. The subgroup of Z n that consists of the residue classes represented by a quadratic residue is denoted by QR n : QR n = {[x] Z n There is a [y] Z n with [x] = [y] 2 }. It is called the subgroup of quadratic residues or the subgroup of squares. The complement of QR n is denoted by QNR n := Z n \ QR n. It is called the subset of quadratic non-residues. We give a criterion for determining the quadratic residues modulo a prime. Lemma A.49. Let p be a prime > 2 and g Z p be a primitive root of Z p. Let x Z p. Then [x] QR p if and only if x g t mod p for some even number t, 0 t p 2. Proof. Recall that Z p is a cyclic group generated by g (Theorem A.36). If [x] QR p, then x y 2 mod p, and y g s mod p for some s. Then x = g 2s mod p g t mod p, with t := 2s mod (p 1) (the order of g is p 1) and 0 t p 2. Since p 1 is even, t is also even. Conversely, if x g t mod p, and t is even, then x (g t/2 ) 2 mod p, which means that x QR p. Proposition A.50. Let p be a prime > 2. Exactly half of the elements of Z p are squares, i.e., QR p = (p 1)/ 2. Proof. Since half of the integers x with 0 x p 2 are even, the proposition follows from the preceding lemma. Definition A.51. Let p be a prime > 2, and let x Z be prime to p. ( ) { x +1 if [x] QRp, := p 1 if [x] QR p, ( is called the Legendre symbol of x mod p. For x Z with p x, we set x p ) := 0. Proposition A.52 (Euler s criterion). Let p be a prime > 2, and let x Z. Then ( ) x x (p 1)/2 mod p. p Proof. If p divides x, then both sides are congruent 0 modulo p. Suppose p does not divide x. Let [g] Z p be a primitive element. We first observe that g (p 1)/2 1 mod p. Namely, [g] (p 1)/2 is a solution of the equation X 2 1 over the field Z p. Hence, g (p 1)/2 ±1 mod p. However, g (p 1)/2 mod p 1, because the order of [g] is p 1. Let [x] = [g] t, 0 t p 2. By Lemma A.49, [x] QR p if and only if t is even. On the other hand, x (p 1)/2 g t(p 1)/2 ±1 mod p, and it is 1 mod p if and only if t is even. This completes the proof.

24 312 A. Algebra and Number Theory Remarks: 1. The Legendre symbol is multiplicative in x: ( ) ( ) ( ) xy x y =. p p p This immediately follows, for example, from Euler s criterion. It means that [xy] QR p if and only if either both [x], [y] QR p or both [x], [y] / QR p. ( 2. The Legendre symbol x p is a homomorphism of groups. ) depends only on x mod p, and the map ( Z p {1, 1}, x We do not give proofs of the following two important results. Proofs may be found, for example, in [HarWri79], [Rosen2000], [Koblitz94] and [Forster96]. Theorem A.53. Let p be a prime > 2. Then: { ( ) 1 +1 if p 1 mod 4, 1. p = ( 1) (p 1)/2 = 1 if p 3 mod 4. { ( ) 2 +1 if p ±1 mod 8, 2. p = ( 1) (p2 1)/8 = 1 if p ±3 mod 8. Theorem A.54 (Law of Quadratic Reciprocity). Let p and q be primes > 2, p q. Then ( ) ( ) p q = ( 1) (p 1)(q 1)/4. q p We generalize the Legendre symbol for composite numbers. Definition A.55. Let n Z be a positive odd number and n = r the decomposition of n into primes. Let x Z. ( x := n) r ( x i=1 is called the Jacobi symbol of x mod n. Remarks: 1. The value of ( x n) only depends on the residue class [x] Zn. p i ) ei x p ) i=1 pe i i be

25 A.6 Quadratic Residues If [x] QR n, then [x] QR p for all primes p that divide n. Hence, ( x ) n = 1. The converse is not true, in general. For example, let n = pq be the product of two primes. Then ( ) ( ) ( ) x n = x x p q can be 1, whereas ( ) ( ) x x both p and q are 1. This means that x mod p (and x mod q), and hence x mod n are not squares. 3. The Jacobi symbol is multiplicative in both arguments: ( xy ) ( x ( y ( x ) ( x ( x = and =. n n) n) mn m) n) 4. The map Z n {1, 1}, [x] ( x n) is a homomorphism of groups. 5. J +1 n := {[x] Z n ( x n) = 1} is a subgroup of Z n. Lemma ( A.56. Let n 3 be an odd integer. If n is a square (in Z), then x ) n = 1 for all x. Otherwise, half of the elements of Z n have a Jacobi symbol of 1, i.e., J +1 n = ϕ(n)/ 2. Proof. If n is a square, then the exponents e i in the prime factorization of n are all even (notation as above), and the Jacobi symbol is always 1. If n is not a square, then there is an odd e i, say e 1. By the Chinese Remainder Theorem (Theorem A.29), we find a unit x which is a quadratic non-residue modulo p 1 and a quadratic residue modulo p i for i = 2,..., r. Then ( x n) = 1, and mapping [y] to [y x] yields a one-to-one map from J +1 n to Z n \ J +1 n. Theorem A.57. Let n 3 be an odd integer. Then: 1. ( { ) 1 +1 if n 1 mod 4, n = ( 1) (n 1)/2 = 1 if n 3 mod ( { 2 n) = ( 1) (n +1 if n ±1 mod 8, 2 1)/8 = 1 if n ±3 mod 8. Proof. Let f(n) = ( 1) (n 1)/2 for statement 1 and f(n) = ( 1) (n2 1)/8 for statement 2. You can easily check that f(n 1 n 2 ) = f(n 1 )f(n 2 ) for odd numbers n 1 and n 2 (for statement 2, consider the different cases of n 1, n 2 mod 8). Thus, both sides of the equations ( ) 1 n = ( 1) (n 1)/2 and ) = ( 1) (n 2 1)/8 are multiplicative in n, and the proposition follows from ( 2 n Theorem A.53. Theorem A.58 (Law of Quadratic Reciprocity). Let n, m 3 be odd integers. Then ( m ) ( = ( 1) (n 1)(m 1)/4 n ). n m