# LECTURE NOTES IN CRYPTOGRAPHY

Size: px
Start display at page:

Transcription

1 1 LECTURE NOTES IN CRYPTOGRAPHY Thomas Johansson 2005/2006 c Thomas Johansson 2006

2 2

3 Chapter 1 Abstract algebra and Number theory Before we start the treatment of cryptography we need to review some basic facts from number theory and abstract algebra. 1.1 Number theory The set of integers {..., 2, 1, 0, 1, 2,...} is denoted by Z. Denition 1.1. Let a, b Z. We say that a divides b (written a b) if there exists an integer c such that b = ac. The following facts are easily checked. (i) a a. (ii) If a b and b c then a c. (iii) If a b and a c then a (bx + cy) for any x, y Z. (iv) If a b and b a then a = ±b. Let a and b be integers with b 1. Then an ordinary long division of a by b yields two integers q and r such that a = qb + r, where 0 r < b. (1.1) The integers q and r are called the quotient and the remainder, respectively, and they are unique. Denition 1.2. The remainder ( r ) of a divided by b is denoted a mod b. The quotient ( q ) of a divided by b is denoted a div b. Example 1.1. Let a = 47 and b = 7. Then a mod b = 5 and a div b = 6. We call an integer c a common divisor of integers a and b if c a and c b. 3

4 4 Chapter 1. Abstract algebra and Number theory Denition 1.3. A non-negative integer d is called the greatest common divisor of integers a and b if (i) d is a common divisor of a and b. (ii) for every other common divisor c it hold that c d. The greatest common divisor of integers a and b is denoted gcd(a, b). Clearly, gcd(a, b) is the largest positive integer dividing both a and b (except gcd(0, 0) = 0). Example 1.2. The common divisors of 28 and 42 are {±2, ±7, ±14} and gcd(28, 42) = 14. In a similar fashion as above we dene the least common multiple. Denition 1.4. A non-negative integer d is called the least common multiple of integers a and b if (i) a d and b d. (ii) for every integer c such that a c and b c we have d c. The least common multiple of integers a and b is denoted lcm(a, b). Clearly, lcm(a, b) is the smallest positive integer divisible by both a and b. The following relationship is often useful. If a and b are positive integers, then lcm(a, b) gcd(a, b) = a b. (1.2) Two integers a, b are called relatively prime if gcd(a, b) = 1. Also, an integer p 2 is called prime if its only positive divisors are 1 and p. Otherwise p is called a composite. Prime numbers play a fundamental role in cryptography. Let us review some known facts about them. Let π(x) denote the number of primes x. Some known facts about primes. (i) There are innitely many primes. (ii) lim x π(x) x/ ln x = 1. (iii) For x 17, x/ ln x < π(x) < x/ ln x. The following theorem is a well known result. Theorem 1.1 (Unique factorization theorem). Every integer n 2 can be written as a product of prime powers, n = p e 1 1 pe 2 2 pe k k, where p 1, p 2,..., p k are distinct primes and e 1, e 2,... e k are positive integers. Furthermore, the factorization is unique up to rearrangement of factors.

5 5 The proof of this theorem is not as easy as it may seem. We refer to any textbook in number theory. The unique factorization theorem can be used to express the greatest common divisor and the least common multiple in a simple way. If a = p e 1 1 pe 2 2 pe k k and b = p f 1 1 pf 2 2 pf k k, where e i, f i, i = 1, 2,... k are now nonnegative integers, then gcd(a, b) = p min(e 1,f 1 ) 1 p min(e 2,f 2 ) 2 p min(e k,f k ) k (1.3) and lcm(a, b) = p max(e 1,f 1 ) 1 p max(e 2,f 2 ) 2 p max(e k,f k ) k. (1.4) Denition 1.5. For n 1, let φ(n) denote the number of integers in the interval [1, n] which are relatively prime to n. This function is called the Euler phi function. Let us prove the following facts concerning the Euler phi function. Theorem 1.2. (i) If p is a prime, then φ(p) = p 1. (ii) If gcd(a, b) = 1 then φ(ab) = φ(a)φ(b). (iii) If n = p e 1 1 pe 2 2 pe k k then Proof. The proof is left as an exercise. φ(n) = (p e 1 1 pe )(p e 2 2 pe ) (p e k k p e k 1 k ). Let us consider the problem of computing the greatest common divisor between two integers. We could use the expression derived in (1.3), but this requires us to rst nd the prime factors of the two integers. This is not always an easy task, as we will see later. Fortunately, there is an easier and better way of calculating the greatest common divisor. It relies on the following simple fact. Lemma 1.3. If a and b are positive integers with a > b, then gcd(a, b) = gcd(b, a mod b). Proof. The proof is left as an exercise. Of course, we can now use the above lemma repeatedly until the problem is small enough to be trivially solved. This leads to the famous Euclidean algorithm for computing gcd(a, b). Algorithm 1.1 (Euclidean algorithm). INPUT: Two non-negative integers a, b where a b. OUTPUT: gcd(a, b) FLOW: 1. Set r 0 a, r 1 b, i While r i 0 do: 2.1 Set r i+1 r i 1 mod r i, i i Return(r i 1 ).

6 6 Chapter 1. Abstract algebra and Number theory In essence, the algorithm sets r 0 = a, r 1 = b and then computes the following set of long divisions, r 0 = q 1 r 1 + r 2 r 1 = q 2 r 2 + r 3... r i 2 = q i 1 r i 1 + r i r i 1 = q i r i. Since gcd(a, b) = gcd(r 0, r 1 ) = gcd(r 1, r 2 ) =... = gcd(r i 1, r i ) = r i, the algorithm terminates with the correct answer. Let us illustrate the Euclidean algorithm with an example. Example 1.3. Compute gcd(1495, 1365). We have 1495 = = = , and gcd(1495, 1365) = 65. The following fact is important. Theorem 1.4. Let a and b be two non-negative integers. Then there exist integers x, y such that gcd(a, b) can be written as gcd(a, b) = ax + by. Proof. Following the set of long divisions above we have for some integers x, y Z. gcd(a, b) = r i = r i 2 q i 1 r i 1 = r i 2 q i 1 (r i 3 q i 2 r i 2 ).. = r 0 x + r 1 y = ax + by, In the proof of the theorem, we see how we can calculate the integers x and y. There is also an extended version of Euclidean algorithm which returns not only gcd(a, b) but also the integers x, y. So when we need to calculate x, y we can either use Eulidean algorithm and then go backwards again, as in the proof, or we can use an extended version of the Eulidean algorithm.

7 7 Algorithm 1.2 (Extended Euclidean algorithm). INPUT: Two non-negative integers a, b where a b. OUTPUT: d = gcd(a, b) and two integers x, y such that d = ax + by. FLOW: 1. If b = 0 then return(a,x 1,y 0). 2. Set x 2 1, x 1 0, y 2 0, y While b > 0 do: 3.1 q adiv b, r a qb, x x 2 qx 1, y y 2 qy 1, 3.2 a b, b r, x 2 x 1, x 1 x, y 2 y 1, y 1 y. 4. Set d a, x x 2, y y 2 and Return(d, x, y). Example 1.4. Compute gcd(1495, 1365) and nd two integers x, y such that gcd(1495, 1365) = 1495x y. q r x y a b x 2 x 1 y 2 y So gcd(1495, 1365) = 65 = 1495 ( 10) If we instead of using the extended version of the Euclidean algorithm would use the standard version and then go backwards, we would get and backwards 1495 = = = = = ( ) = The integers modulo n Let n be a positive integer. If a and b are integers, then a is said to be congruent to b modulo n, which is written a b (mod n), if n divides (a b). We call n the modulus of the congruence. We can check the following properties. Theorem 1.5. For a, a 1, b, b 1, c Z we have

8 8 Chapter 1. Abstract algebra and Number theory (i) a b (mod n) if and only if a and b leaves the same remainder when divided by n. (ii) a a (mod n). (iii) If a b (mod n) then b a (mod n). iv) If a b (mod n) and b c (mod n), then a c (mod n). v) If a a 1 (mod n) and b b 1 (mod n), then a + b a 1 + b 1 (mod n) and ab a 1 b 1 (mod n). The properties ii), iii), and iv) are called reexivity, symmetry and transitivity, respectively. Proof. The proof can be found in any textbook on number theory. From the above we can see that the integers in the set {..., n, 0, n, 2n,...} are all congruent to each other modulo n. Similarly, the integers in the set {..., n + 1, 1, n + 1, 2n + 1,...} are all congruent to each other modulo n. So the relation of congruence modulo n partitions Z into n sets, called equivalence classes (each integer belongs to exactly one equivalence class). Since all elements in an equivalence class have the same remainder r, we use r as an representative for the equivalence class. Denition 1.6. The integers modulo n, denoted Z n, is the set of (equivalence classes of) integers {0, 1,..., n 1}. Addition, subtraction, and multiplication are performed modulo n. Example 1.5. Calculate , 7 11 and 7 11 in Z = = 7 + ( 11) = = = 77 mod 12 = 5. As we have seen, addition, subtraction, and multiplication are trivially performed in Z n. However, the concept of division is a bit trickier. Denition 1.7. Let a Z n. The multiplicative inverse of a is an integer x Z n such that ax = 1. If such an integer x exists, then a is said to be invertible and x is called the inverse of a, denoted a 1. Denition 1.8. Division of a by an element b in Z n (written a/b) is dened as ab 1, and only dened if b is invertible. Lemma 1.6. Let a Z n. Then a is invertible if and only if gcd(a, n) = 1. Proof. Assume that gcd(a, n) = 1. We know that 1 = gcd(a, n) = xa + yn for some x, y Z. Then x mod n is an inverse to a. Now assume gcd(a, n) > 1. If a has an inverse x then a x = 1 mod n, which means 1 = a x+n y for some x, y Z, directly contradicting the assumption.

9 9 Example 1.6. Calculate 7/11 in Z 12. By denition 7/11 = We use Euclidean algorithm to nd integers such that gcd(11, 12) = 1 = This gives 11 1 = 11 and 7/11 = = 7 11 = 5. A very important basic result is the Chinese remainder theorem, or CRT for short. Theorem 1.7 (Chinese Remainder Theorem). Let the integers n 1, n 2,..., n k be pairwise relatively prime. Then the system of congruences x a 1 (mod n 1 ) x a 2 (mod n 2 ). x a k (mod n k ) has a unique solution modulo n = n 1 n 2 n k. Proof. Algorithm 1.3 (Gauss's algorithm). The solution x to the system of congruences promised by the CRT can be calculated as k x = a i N i M i mod n, where N i = n/n i and M i = N 1 i mod n i. i=1 The CRT allows us to change the way we represent elements. Suppose we are considering the integers modulo n, where n = n 1 n 2 and gcd(n 1, n 2 ) = 1. An element a Z n has a unique representation from the pair (a mod n 1, a mod n 2 ). Let us denote this map by γ : Z n Z n1 Z n2. The following properties are easily veried. (i) γ(a) = γ(b) if and only if a = b. ii) For all (a 1, a 2 ) Z n1 Z n2 there exists an a such that γ(a) = (a 1, a 2 ). (ii) γ(a + b) = γ(a) + γ(b). (iii) γ(ab) = γ(a)γ(b). These properties make γ an isomorphism. This roughly means that we can use any of the two representations when we do calculus. Example 1.7. We would like to calculate 9 10 in Z 10 in two ways, direct calculation and through the CRT. Direct calculation gives 9 10 = (81 mod 10) 5 = 1 5 = 1.

10 10 Chapter 1. Abstract algebra and Number theory Using the CRT, we rst set n = n 1 n 2, where n 1 = 2, n 2 = 5. This gives N 1 = 5, N 2 = 2, M 1 = 5 1 mod 2 = 1 and M 2 = 2 1 mod 5 = 3. Then we calculate the CRT representation a 1 = 9 10 mod 2 = 1 a 2 = 9 10 mod 5 = 4 10 mod 5 = 1 Finally, we can reconstruct the integer in Z 10 corresponding to (a 1, a 2 ) = (1, 1) through Gauss's algorithm, 2 x = a i N i M i mod 10 = = 1. i=1 Let us continue and dene the multiplicative group of Z n, denoted Z n, as the set of all invertible elements, i.e., Z n = {a Z n gcd(a, n) = 1}. The order of Z n refers to the number of elements in Z n and is also denoted Z n. It follows from the denition of the Euler phi function that Z n = φ(n). Since the product of two invertible elements is again an invertible element, we say that Z n is closed under multiplication. Theorem 1.8 (Euler's theorem). If a Z n then a φ(n) 1 (mod n). Proof. Let Z n = {a 1, a 2,..., a φ (n)}. Looking at the set of elements A = {aa 1, aa 2,..., aa φ (n)}, it is easy to see that A = Z n. So we have two ways of writing the product of all elements, i.e., φ(n) i=1 aa i = φ(n) i=1 a i, leading to φ(n) i=1 a = a φ(n) = 1. A special case of Euler's theorem is celebrated as Fermat's little theorem. Corollary 1.9 (Fermat's little theorem). Let p be a prime. If gcd(a, p) = 1 then a p 1 1 (mod p). From Euler's theorem we see that when working in Z n all exponents can be reduced modulo φ(n). Let a Z n. The order of the element a, denoted ord(a) is dened as the least positive integer t such that a t = 1.

11 11 Lemma Let a Z n. If a s = 1 for some s, then ord(a) s. In particular, ord(a) φ(n). Proof. Let t = ord(a). By long division s = qt + r, where r < t. Then a s = a qt+r = a qt a r and since a t = 1 we have a s = a r and a r = 1. But r < t so we must have r = 0 and so ord(a) s. Denition 1.9. Let a Z n. If ord(a) = φ(n), then a is said to be a generator (or a primitive element) of Z n. Furthermore, if Z n has a generator then Z n is said to be cyclic. It is clear that if a Z n is a generator, then every element in Z n can be expressed as a i for some integer i. So we can write Z n = {a i 0 i φ(n) 1}. Finally, we shortly introduce the concept of quadratic residues. An element a Z n is said to be a quadratic residue modulo n (or a square) if there exists an x Z n such that x 2 = a. Otherwise, a is called a quadratic non-residue modulo n. If x 2 = a then x is called the square root of a modulo n. Example 1.8. Determine the quadratic residues in Z 11, knowing that it is cyclic. Knowing that Z 11 is cyclic, it can be expressed as Z 11 = {a i 0 i 10}, where ord(a) = φ(11) = 10. As 10 factors as 10 = 2 5 the possible orders for any element are 1, 2, 5, or 10. We try to nd a generator a. We start by testing a = 2. As 2 2 = 4, 2 5 = 10, we know that 2 must be a generator of Z 11 without having to test further. An element b = a i is a quadratic residue if there is an x = 2 j such that x 2 = b, or 2 2j = 2 i for some j. This makes it clear that the quadratic residues are the elements of the form a i where i is even. This gives the set {2 0 = 1, 2 2 = 4, 2 4 = 5, 2 6 = 9, 2 8 = 3}. 1.3 Basic abstract algebra In the previous sections we have presented various aspects concerning the integers and calculus modulo n. However, this covered just a few examples of algebraic structures. In this section we briey review some basic concepts from abstract algebra, which provides a more general treatment of algebraic structures Groups A binary operation on a set S is a mapping from S S to S. Our general purpose is to introduce various environments where we can perform dierent operations, which are similar to what we are used to do with the ordinary numbers, like the real numbers. A binary operation on the real numbers could for example be addition. In our world of cryptography, as in many other areas, we must be able to represent our elements in an exact way when implemented. As an innite set does not support this, we are in general only interested in nite sets.

12 12 Chapter 1. Abstract algebra and Number theory Denition A group (G, ) is a set G and a binary operation on G which satises the following. (i) a (b c) = (a b) c for all a, b, c G (associativity). (ii) There is a special element 1 G such that a 1 = 1 a = a for all a G. (iii) For each a G there is an element a 1 G such that a a 1 = a 1 a = 1. We call 1 the identity element and we call a 1 the inverse of a. Furthermore, if (iv) a b = b a for all a, b G, then G is called abelian (or commutative). Denition A group is nite if the number of elements in G ( G ) is nite. The number of elements is called the order of the group. If we recall the treatment of number theory, we see that the set of integers Z with the addition operation, denoted (Z, +), is a group. Finite groups are (Z n, +), and (Z n, ), where denotes multiplication modulo n. Note that (Z n, ) is not a group. Neither is (Z, ). A non-empty subset H of a group G is called a subgroup of G, if it is itself a group with respect to the operation of G. Similar to what we dened before, we say that a group G is cyclic if there is an element a G such that each b G can be written as a i for some integer i. The element a is called a generator of G. The order of an element a G is the least positive integer such that a t = 1, if such an integer exists. If it does not, then the order of a is dened to be. Lemma Let a G be an element of nite order t. Then the set of all powers of a forms a cyclic subgroup of G, denoted by < a >. Furthermore, the order of < a > is t. We can note some further properties. Suppose a n = 1 for some n > 0. Perform a long division and write n = k ord(a) + r, where 0 r ord(a). Then 1 = a n = a =k ord(a)+r = a r and r = 0. So we must have ord(a) n. Another interesting property. If G is a nite group, all elements must have nite order. Choose k as the product of the orders of all dierent elements in G. Then a k = 1 for all a G. The conclusion is that there exists a positive integer k such that a k = 1 all the time (for any a G). Let H be a subgroup in G and pick an element a G. A set of elements of the form ah = {ah h H} is called a left coset of H. If G is commutative we simply call it a coset. The set consisting of of all such left cosets is written G/H. We note that H itself is a left coset. Furthermore, every left coset contains the same number of elements (the order of H) and every element is contained in exactly one left coset. So the elements of G are partitioned into G / H dierent cosets, each containing H elements. This leads to the following famous result. Theorem 1.12 (Lagrange's theorem). If G is a nite group and H is a subgroup of G, then H divides G. In particular, if a G then the order of a divides G. We end the section by another observation. If G is a prime number, then the order of an element a is either 1 or G. In particular, if G is a prime number then G must be cyclic.

13 Rings A group was dened through a set G together with one binary operation. A ring is dened through a set R together with two binary operations. Denition A ring (with unity) (R, +, ) consists of a set R with two binary operations, denoted + and, on R, satisfying the following conditions: (i) (R, +) is an abelian group with an identity element denoted 0. (ii) a (b c) = (a b) c, for all a, b, c R (associative). (iii) There is a multiplicative identity denoted 1, with 1 0, such that 1 a = a 1 = a, for all a R. (iv) a (b + c) = (a b) + (a c) and (b + c) a = (b a) + (c a), for all a, b, c R. A commutative ring is a ring where additionally (v) a b = b a, for all a, b R. One example of a commutative ring is (Z, +, ), where + and are the usual operations of addition and multiplication. Another example is Z n with addition and multiplication modulo n. Note that the additive inverse of an element a R is denoted a. So the subtraction expression a b should be interpreted as a + ( b). The multiplication a b is equivalently written ab; similarily, a 2 = aa = a a. Denition An element a R is called an invertible element (or a unit) if there is an element b R such that a b = b a = 1. The set of units in a ring R forms a group under multiplication. For example, the group of units of the ring Z n is Z n. The multiplicative inverse of an element a R is denoted by a 1, assuming that it exists. The division expression a/b should then be interpreted as a b 1. Denition A commutative ring where all nonzero elements have (multiplicative) inverses is called a eld. Denition The characteristic of a eld is the least integer m > 0 such that m {}}{ = 0. If no such integer m exists, the characteristic is dened to be 0. Examples of elds are the rational numbers Q, the real numbers R and the complex numbers C. Note that the set of integers under the usual operations of addition and multiplication is not a eld, since the only elements with multiplicative inverses are 1 and 1. Theorem Z n is a eld if and only if n is a prime number. If n is a prime, the characteristic of Z n is n. Finally, a subset F of a eld E is called a subeld of E if F is itself a eld with respect to the operations of E. Then we say that E is an extension eld of F.

14 14 Chapter 1. Abstract algebra and Number theory Polynomial rings Denition A polynomial in the indeterminate x over the ring R is an expression of the form f(x) = a n x n + + a 2 x 2 + a 1 x + a 0, where each a i R, a n 0, and n 0. We say that f(x) has degree n, denoted deg f(x) = n. We also allow f(x) to be the polynomial with all coecients zero, in which case the degree is dened to be. A polynomial f(x) is said to be monic if the leading coecient is equal to 1, i.e., a n = 1. Denition Let R be a commutative ring. Then the polynomial ring, denoted by R[x] is the ring formed by the set of all polynomials in the indeteminate x having coecients from R. The operations are addition and multiplication of polynomials, with the coecient aritmethic performed in R. Example 1.9. Compute (x 2 + 2x + 9)(x x 2 + x + 7) in Z 12 [x]. (x 2 + 2x + 9)(x x 2 + x + 7) = x x 4 + x 3 + 7x 2 + 2x x 3 + 2x 2 + 2x + +9x 3 + 3x 2 + 9x + 3 = x 5 + x 4 + 8x x + 3. We now consider the polynomial ring F [x], where F denotes an arbitrary eld. As we will see, the polynomial ring F [x] has many properties in common with integers. Denition A polynomial f(x) F [x] of degree d 1 is called irreducible if it cannot be written as a product of two polynomials in F [x], both of degree less than d. Irreducible polynomials are the polynomial ring counterpart of prime numbers. Similar as for integers, we have a division algorithm for polynomials. Lemma If g(x), h(x) F [x], with h(x) 0, then there are polynomials q(x), r(x) F [x] such that g(x) = q(x)h(x) + r(x), where deg r(x) < deg h(x). Furthermore, q(x) and r(x) are unique and are referred to as the quotient and the remainder, respectively. The remainder r(x) is also denoted by g(x) mod h(x). Example Compute (x x 2 + x + 7) mod (x 2 + 2x + 9) in Z 13 [x]. Long division of polynomials. By (x x 2 + x + 7) (x 2 + 2x + 9) x = 11x 2 2x 2 + x 9x + 7 = 9x 2 + 5x + 7 (9x 2 + 5x + 7) (x 2 + 2x + 9) 9 = 5x 5x = 4 we have (x x 2 + x + 7) = (x 2 + 2x + 9) (x + 9) + 4, so (x x 2 + x + 7) mod (x 2 + 2x + 9) = 4.

15 15 If g(x), h(x) F [x], then h(x) is said to divide g(x), written as h(x) g(x), if g(x) mod h(x) = 0. Let f(x) be some xed polynomial in F [x]. Similar as for the integers, we can dene congruences of polynomials in F [x] based on division by f(x). Denition Let g(x), h(x) F [x]. then g(x) is said to be congruent to h(x) modulo f(x) if f(x) (g(x) h(x)). We denote this by g(x) h(x) (mod f(x)). We can verify a lot of properties regarding congruences between polynomials. Theorem For g(x), h(x), g 1 (x), h 1 (x), s(x) F [x] we have (i) g(x) h(x) (mod f(x)) if and only if g(x) and h(x) leaves the same remainder when divided by f(x). (ii) g(x) g(x) (mod f(x)). (iii) If g(x) h(x) (mod f(x)) then h(x) g(x) (mod f(x)). iv) If g(x) h(x) (mod f(x)) and h(x) s(x) (mod f(x)), then g(x) s(x) (mod f(x)). v) If g(x) g 1 (x) (mod f(x)) and h(x) h 1 (x) (mod f(x)), then g(x)+h(x) g 1 (x)+h 1 (x) (mod f(x)) and g(x)h(x) g 1 (x)h 1 (x) (mod f(x)). The properties ii), iii), and iv) are again called reexivity, symmetry and transitivity, respectivly. The proof of the theorem is again not given here. From the above properties we see that the polynomials in F [x] can be divided into sets, called equivalence classes, where each equivalence class contains all polynomials that leaves a certain remainder when divided by f(x). Furthermore, since the remainder r(x) itself is a polynomial in the equivalence class, we use it as a representative of the equivalence class. Note that deg r(x) < deg f(x). Denition By F [x]/(f(x)) we denote the set of (equivalence classes of) polynomials in F [x] of degree less than deg f(x). The addition and multiplication operations are performed modulo f(x). Theorem F [x]/(f(x)) is a commutative ring. Theorem If f(x) F [x] is irreducible, then F [x]/(f(x)) is a eld. 1.4 Finite elds A nite eld is a eld which contains a nite number of elements. The number of elements is also called the order of the eld. We now give a few results which are out of the scope of this text to prove. Theorem (i) If F is a nite eld, then the order of F is p m for some prime p and integer m 1.

16 16 Chapter 1. Abstract algebra and Number theory (ii) For every prime power order p m, there is a unique (up to isomorphism) nite eld of order p m. This eld is denoted by F p m, or GF (p m ). Two elds are isomorphic if they are structually the same, but elements have dierent representation. We know already that for p prime Z p is a eld of order p. So we associate the nite eld F p with Z p and its representation. Theorem (i) If F q is a nite eld of order q = p m, p prime, then the characteristic of F q is p. Furthermore, F q contains a copy of Z p as a subeld. (ii) Let F q be a nite eld of order q = p m. Then every subeld of F q has order p n for some positive integer n where n m. Conversely, if n m then there are exactly one subeld of F q of order p n. (iii) An element a F q is in the subeld F p n if and only if a pn 1 = 1. The non-zero elements of F q all have inverses and thus they form a group under multiplication. This group is called the multiplicative group of F q and denoted by F q. It can be shown that F q is a cyclic group (of order q 1). Especially, this means that a q 1 = 1 for all a F q. Denition A generator of the cyclic group F q is called a primitive element. We know already that the nite elds of prime order p can be realized by a simple modulo p arithmetic. The question that remains is how to realize the nite elds of prime power order p m, where m > 1. In order to do this we need to extend the theory of greatest common divisors and the Euclidean algorithm to the polynomial ring F [x]. Denition Let g(x), h(x) Z p [x], where not both are zero. Then the greatest common divisor of g(x) and h(x), denoted gcd(g(x), h(x)), is the monic polynomial of greatest degree in Z p [x] which divides both g(x) and h(x). By denition gcd(0, 0) = 0. Similar to the fundamental theorem of arithmetics, we have Theorem Every non-zero polynomial f(x) Z p [x] has a factorization f(x) = af 1 (x) e 1 f 2 (x) e2 f k (x) e k, where each f i is a distinct monic irreducible polynomial in Z p [x], the e i are positive integers, and a Z p. The factorization is unique up to rearrangement of factors. Now we give the polynomial version of the Euclidean algorithm. Algorithm 1.4 (Euclidean algorithm for polynomials). INPUT: Two non-negative polynomials a(x), b(x) F q [x]. OUTPUT: gcd(a(x), b(x)) FLOW: 1. Set r 0 (x) a(x), r 1 (x) b(x), i 1.

17 17 2. While r i (x) 0 do: 2.1 Set r i+1 (x) r i 1 (x) mod r i (x), i i Return(r i 1 (x)). Here is an example. Example Compute gcd(x 3 + x 2 + 2x + 2, x 2 + x + 1) in Z 3. x 3 + x 2 + 2x + 2 = x (x 2 + x + 1) + x + 2 (x 2 + x + 1) = (x + 2) (x + 2) + 0 So gcd(x 3 + x 2 + 2x + 2, x 2 + x + 1) = x + 2. Theorem Let a(x) and b(x) be two non-negative polynomials in F q [x]. Then there exist polynomials s(x), t(x) such that gcd(a(x), b(x)) can be written as gcd(a(x), b(x)) = a(x)s(x) + b(x)t(x). Example Continuing from Example 1.11, we can directly write gcd(x 3 + x 2 + 2x + 2, x 2 + x + 1) = (x + 2) = (x 3 + x 2 + 2x + 2) x (x 2 + x + 1), so s(x) = 1 and t(x) = x = 2x. As for the integer case, there is also an extended version of the Euclidean algorithm that in addition to gcd(a(x), b(x)) also returns the polynomials s(x), t(x) above Finite eld arithmetics The most common representation for the elements of a nite eld F q, where q = p m, p prime, is a polynomial basis representation. Theorem Let f(x) Z p [x] be an irreducible polynomial of degree m. Then Z p [x]/(f(x)) is a nite eld of order p m. The elements are all polynomials of degree less than m. Addition and multiplication of elements is performed modulo f(x). The following fact assures that all nite elds can be represented in this manner. Lemma For each m 1, there exists a monic irreducible polynomial of degree m over Z p. Example Let us examine the eld F 2 3. To construct it we need an irreducible polynomial of degree 3 over F 2. The polynomial π(x) = x 3 + x + 1 is indeed an irreducible polynomial since π(0) = π(1) = 1. The elements are the polynomials of degree less than 3, i.e., the set F 2 3 = {0, 1, x, x + 1, x 2, x 2 + 1, x 2 + x, x 2 + x + 1}.

18 18 Chapter 1. Abstract algebra and Number theory Addition of the elements x and x + 1 gives (x 2 + 1) + (x + 1) = x 2 + x, and multiplication of the elements x and x + 1 gives so (x 2 + 1)(x + 1) = x 2. (x 2 + 1)(x + 1) = x 3 + x 2 + x + 1 x 2 (mod π)(x), Our elements in F q are represented by polynomials in the indeterminate x. As we might want consider polynomials over F q, we now change the representation of the elements. The argument goes as follows. The polynomial f(x) is irreducible over Z p. However, there exists some element α in some extension eld F q for which f(α) = 0. Instead of representing our elements as polynomials in the indeterminate x we represent them using α and the fact that f(α) = 0. From a practical point of view, this simply means that our indeterminate x in the elements is replaced by α. Example Considering the previous example, π(x) = x 3 + x + 1. We introduce α through π(α) = 0. This gives us the rule α 3 = α + 1. The elements are and, for example using the reduction rule α 3 = α + 1. F 2 3 = {0, 1, α, α + 1, α 2, α 2 + 1, α 2 + α, α 2 + α + 1}, (α 2 + 1)(α + 1) = α 3 + α 2 + α + 1 = α 2, Let us look at the arithmetics in a nite eld with element representation as above. Addition of two elements is done by usual addition of two polynomials in F q. Multiplying two elements g(α) and h(α) is done by usual multiplication of the two polynomials and then a reduction of the result through f(α) = 0. Finally, multiplicative inverses can be computed by going backwards in the Euclidean algorithm for F q [x]. We might also want to consider an alternative representation through powers of α. Denition An irreducible polynomial f(x) Z p [x] is called primitive if the element α corresponding to f(α) = 0 is a generator of F q. As α is a generator of F q, every non-zero element of F q can be written as a power of α, i.e., α i for some i, 0 i q 1. This gives us an alternative element representation, namely as powers of α. This will give a very simple multiplication operation, but instead the addition is more complicated and involves a polynomial modulo reduction. If we want to do extensive calculations in small nite elds, the best approach is to tabulate both representations side by side, and use the one most suitable for the operation.

19 19 (Binary representation) Polynomial basis Power of α α α 0100 α 2 α α 3 α α + 1 α α 2 + α α α 3 + α 2 α α 3 + α + 1 α α α α 3 + α α α 2 + α + 1 α α 3 + α 2 + α α α 3 + α 2 + α + 1 α α 3 + α α α α 14 Table 1.1: Table representation of the eld with 16 elements using π(x) = x 4 + x + 1, π(α) = 0. Example Let us represent F 2 4 using the primitive polynomial π(x) = x 4 + x + 1 and π(x) = 0. Using the rule α 4 = α + 1 we can either represent our elements in a polynomial basis or as powers of α. We get the table in Table 1.1 for the elements in F 2 4 (each row corresponds to one element). Note that α 15 = 1. Having this table representation of the eld, it is very easy to perform operations by switching to the most apropriate representation. For example, calculating and Finally α/(α + 1) is calculated as (α 3 + α + 1)(α 3 + α) = [ switch repr.] = α 7 α 9 = α 16 = α (α 3 + α + 1) 1 = (α 7 ) 1 = α 7 = α 7+15 = α 8. α/(α + 1) = α/α 4 = α 3 = α Exercises Exercise 1.1. (a) Calculate gcd(222, 1870). (b) Find integers x and y such that gcd(222, 1870) = 222x y.

20 20 Chapter 1. Abstract algebra and Number theory Exercise 1.2. (a) Find the value of φ(36). (b) Write up all the units in Z 36. (c) Calculate 5 1 in Z 36. Exercise 1.3. (a) Write 143 = Let x = 2 and calculate x 1 in Z 143. (b) Now we do the same again but we use CRT. Calculate x 1 (mod 11) and x 1 (mod 13). (c) Use the result in (b) to recover the value of x 1 in Z 143. Exercise 1.4. Find all integer solutions to the following system of congruences. x 3 (mod 7) x 1 (mod 13) x 13 (mod 17) Exercise 1.5. Find all integer solutions to the following system of congruences. x 3 (mod 3) x 1 (mod 7) x 13 (mod 14) Exercise 1.6. (a) Calculate 2/5 in Z 8. (b) Find ord(5) in Z 8. (c) Is Z 8 a cyclic group? Exercise 1.7. Find the square root of 10 in Z 13. Exercise 1.8. Let S be the set of binary triples, i.e, S = {(s 0, s 1, s 2 ), s i Z 2 }. Let the operation be bitwise addition. (a) Show that S is a group. (b) What is the order of the group? (c) What is the order of the element (1, 1, 1)?

21 21 (d) Is there a generator in the group? Exercise 1.9. Find a generator for the additive group Z 13 (under the addition operation). Exercise Find all subgroups in the multiplicative group Z 19 operation). (under the multiplication Exercise Prove that Z 4 is not a eld. Exercise Let F be the nite eld F 8 constructed using the irreducible polynomial f(x) = x 3 + x + 1 over F 2. Let F be the nite eld F 8 constructed using the irreducible polynomial f(x) = x 3 + x over F 2. Find an isomorphism γ between F and F, i.e, tabulate γ(a) for all a F. Exercise Let F 2 4 F 2, f(α) = 0. be constructed using the irreducible polynomial f(x) = x 4 + x + 1 over (a) Calculate (α 3 + 1) (α 2 + α). (b) Calculate (α 3 + 1) 1. (c) Calculate (α 3 + 1) 357. (d) Solve the linear equation (α 3 + 1)x = α. (e) Solve the equation ((α 3 + 1)x + α) 28 = 1. Exercise For each of the polynomials, nd out if they are reducible, irreducible and/or primitive, (a) x 4 + x + 1 over Z 2, (b) x 4 + x 3 + x 2 + x + 1 over Z 2 (c) x 4 + x over Z 2, (d) x 4 + x + 1 over Z 3.

### Public-key Cryptography: Theory and Practice

Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 2: Mathematical Concepts Divisibility Congruence Quadratic Residues

### Basic elements of number theory

Cryptography Basic elements of number theory Marius Zimand 1 Divisibility, prime numbers By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a

### Basic elements of number theory

Cryptography Basic elements of number theory Marius Zimand By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a k for some integer k. Notation

### Mathematics for Cryptography

Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1

### Number Theory and Group Theoryfor Public-Key Cryptography

Number Theory and Group Theory for Public-Key Cryptography TDA352, DIT250 Wissam Aoudi Chalmers University of Technology November 21, 2017 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography

### ECEN 5022 Cryptography

Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,

### Chapter 4 Finite Fields

Chapter 4 Finite Fields Introduction will now introduce finite fields of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public Key concern operations on numbers what constitutes a number

### Groups, Rings, and Finite Fields. Andreas Klappenecker. September 12, 2002

Background on Groups, Rings, and Finite Fields Andreas Klappenecker September 12, 2002 A thorough understanding of the Agrawal, Kayal, and Saxena primality test requires some tools from algebra and elementary

### 2 ALGEBRA II. Contents

ALGEBRA II 1 2 ALGEBRA II Contents 1. Results from elementary number theory 3 2. Groups 4 2.1. Denition, Subgroup, Order of an element 4 2.2. Equivalence relation, Lagrange's theorem, Cyclic group 9 2.3.

### Finite Fields. Mike Reiter

1 Finite Fields Mike Reiter reiter@cs.unc.edu Based on Chapter 4 of: W. Stallings. Cryptography and Network Security, Principles and Practices. 3 rd Edition, 2003. Groups 2 A group G, is a set G of elements

### Introduction to finite fields

Chapter 7 Introduction to finite fields This chapter provides an introduction to several kinds of abstract algebraic structures, particularly groups, fields, and polynomials. Our primary interest is in

### Foundations of Cryptography

Foundations of Cryptography Ville Junnila viljun@utu.fi Department of Mathematics and Statistics University of Turku 2015 Ville Junnila viljun@utu.fi Lecture 7 1 of 18 Cosets Definition 2.12 Let G be a

### Introduction to Information Security

Introduction to Information Security Lecture 5: Number Theory 007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Number Theory Divisibility

### Mathematical Foundations of Cryptography

Mathematical Foundations of Cryptography Cryptography is based on mathematics In this chapter we study finite fields, the basis of the Advanced Encryption Standard (AES) and elliptical curve cryptography

### Algebra Review 2. 1 Fields. A field is an extension of the concept of a group.

Algebra Review 2 1 Fields A field is an extension of the concept of a group. Definition 1. A field (F, +,, 0 F, 1 F ) is a set F together with two binary operations (+, ) on F such that the following conditions

### Applied Cryptography and Computer Security CSE 664 Spring 2017

Applied Cryptography and Computer Security Lecture 11: Introduction to Number Theory Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline What we ve covered so far: symmetric

### A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:

Byte multiplication 1 Field arithmetic A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties: F is an abelian group under addition, meaning - F is closed under

### MATH 431 PART 2: POLYNOMIAL RINGS AND FACTORIZATION

MATH 431 PART 2: POLYNOMIAL RINGS AND FACTORIZATION 1. Polynomial rings (review) Definition 1. A polynomial f(x) with coefficients in a ring R is n f(x) = a i x i = a 0 + a 1 x + a 2 x 2 + + a n x n i=0

### Congruences and Residue Class Rings

Congruences and Residue Class Rings (Chapter 2 of J. A. Buchmann, Introduction to Cryptography, 2nd Ed., 2004) Shoichi Hirose Faculty of Engineering, University of Fukui S. Hirose (U. Fukui) Congruences

### Coding Theory ( Mathematical Background I)

N.L.Manev, Lectures on Coding Theory (Maths I) p. 1/18 Coding Theory ( Mathematical Background I) Lector: Nikolai L. Manev Institute of Mathematics and Informatics, Sofia, Bulgaria N.L.Manev, Lectures

### Elementary Algebra Chinese Remainder Theorem Euclidean Algorithm

Elementary Algebra Chinese Remainder Theorem Euclidean Algorithm April 11, 2010 1 Algebra We start by discussing algebraic structures and their properties. This is presented in more depth than what we

### Contents. 4 Arithmetic and Unique Factorization in Integral Domains. 4.1 Euclidean Domains and Principal Ideal Domains

Ring Theory (part 4): Arithmetic and Unique Factorization in Integral Domains (by Evan Dummit, 018, v. 1.00) Contents 4 Arithmetic and Unique Factorization in Integral Domains 1 4.1 Euclidean Domains and

### Finite Fields and Error-Correcting Codes

Lecture Notes in Mathematics Finite Fields and Error-Correcting Codes Karl-Gustav Andersson (Lund University) (version 1.013-16 September 2015) Translated from Swedish by Sigmundur Gudmundsson Contents

### 17 Galois Fields Introduction Primitive Elements Roots of Polynomials... 8

Contents 17 Galois Fields 2 17.1 Introduction............................... 2 17.2 Irreducible Polynomials, Construction of GF(q m )... 3 17.3 Primitive Elements... 6 17.4 Roots of Polynomials..........................

### Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) 1 Euclid s Algorithm Euclid s Algorithm for computing the greatest common divisor belongs to the oldest known computing procedures

### Applied Cryptography and Computer Security CSE 664 Spring 2018

Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the

### 1. Factorization Divisibility in Z.

8 J. E. CREMONA 1.1. Divisibility in Z. 1. Factorization Definition 1.1.1. Let a, b Z. Then we say that a divides b and write a b if b = ac for some c Z: a b c Z : b = ac. Alternatively, we may say that

### Section VI.33. Finite Fields

VI.33 Finite Fields 1 Section VI.33. Finite Fields Note. In this section, finite fields are completely classified. For every prime p and n N, there is exactly one (up to isomorphism) field of order p n,

### Lecture 7: Polynomial rings

Lecture 7: Polynomial rings Rajat Mittal IIT Kanpur You have seen polynomials many a times till now. The purpose of this lecture is to give a formal treatment to constructing polynomials and the rules

### Math 547, Exam 2 Information.

Math 547, Exam 2 Information. 3/19/10, LC 303B, 10:10-11:00. Exam 2 will be based on: Homework and textbook sections covered by lectures 2/3-3/5. (see http://www.math.sc.edu/ boylan/sccourses/547sp10/547.html)

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively

### CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory

### Outline. MSRI-UP 2009 Coding Theory Seminar, Week 2. The definition. Link to polynomials

Outline MSRI-UP 2009 Coding Theory Seminar, Week 2 John B. Little Department of Mathematics and Computer Science College of the Holy Cross Cyclic Codes Polynomial Algebra More on cyclic codes Finite fields

### g(x) = 1 1 x = 1 + x + x2 + x 3 + is not a polynomial, since it doesn t have finite degree. g(x) is an example of a power series.

6 Polynomial Rings We introduce a class of rings called the polynomial rings, describing computation, factorization and divisibility in such rings For the case where the coefficients come from an integral

### Math 2070BC Term 2 Weeks 1 13 Lecture Notes

Math 2070BC 2017 18 Term 2 Weeks 1 13 Lecture Notes Keywords: group operation multiplication associative identity element inverse commutative abelian group Special Linear Group order infinite order cyclic

### Homework 8 Solutions to Selected Problems

Homework 8 Solutions to Selected Problems June 7, 01 1 Chapter 17, Problem Let f(x D[x] and suppose f(x is reducible in D[x]. That is, there exist polynomials g(x and h(x in D[x] such that g(x and h(x

### COUNTING POINTS ON VARIETIES OVER FINITE FIELDS

COUNTING POINTS ON VARIETIES OVER FINITE FIELDS OLOF BERGVALL 1. Abstract algebra In this section we briey recall the basic concepts and results from abstract algebra. 1.1. Groups. Denition 1.1. Let S

### Chapter 5. Modular arithmetic. 5.1 The modular ring

Chapter 5 Modular arithmetic 5.1 The modular ring Definition 5.1. Suppose n N and x, y Z. Then we say that x, y are equivalent modulo n, and we write x y mod n if n x y. It is evident that equivalence

### A Generalization of Wilson s Theorem

A Generalization of Wilson s Theorem R. Andrew Ohana June 3, 2009 Contents 1 Introduction 2 2 Background Algebra 2 2.1 Groups................................. 2 2.2 Rings.................................

### 1 Overview and revision

MTH6128 Number Theory Notes 1 Spring 2018 1 Overview and revision In this section we will meet some of the concerns of Number Theory, and have a brief revision of some of the relevant material from Introduction

### A connection between number theory and linear algebra

A connection between number theory and linear algebra Mark Steinberger Contents 1. Some basics 1 2. Rational canonical form 2 3. Prime factorization in F[x] 4 4. Units and order 5 5. Finite fields 7 6.

### RINGS: SUMMARY OF MATERIAL

RINGS: SUMMARY OF MATERIAL BRIAN OSSERMAN This is a summary of terms used and main results proved in the subject of rings, from Chapters 11-13 of Artin. Definitions not included here may be considered

### The number of ways to choose r elements (without replacement) from an n-element set is. = r r!(n r)!.

The first exam will be on Friday, September 23, 2011. The syllabus will be sections 0.1 through 0.4 and 0.6 in Nagpaul and Jain, and the corresponding parts of the number theory handout found on the class

### Finite Fields. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

1 / 25 Finite Fields Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay September 25, 2014 2 / 25 Fields Definition A set F together

### Modular Arithmetic and Elementary Algebra

18.310 lecture notes September 2, 2013 Modular Arithmetic and Elementary Algebra Lecturer: Michel Goemans These notes cover basic notions in algebra which will be needed for discussing several topics of

### Basic Algebra. Final Version, August, 2006 For Publication by Birkhäuser Boston Along with a Companion Volume Advanced Algebra In the Series

Basic Algebra Final Version, August, 2006 For Publication by Birkhäuser Boston Along with a Companion Volume Advanced Algebra In the Series Cornerstones Selected Pages from Chapter I: pp. 1 15 Anthony

### Factorization in Polynomial Rings

Factorization in Polynomial Rings Throughout these notes, F denotes a field. 1 Long division with remainder We begin with some basic definitions. Definition 1.1. Let f, g F [x]. We say that f divides g,

### Number Theory Proof Portfolio

Number Theory Proof Portfolio Jordan Rock May 12, 2015 This portfolio is a collection of Number Theory proofs and problems done by Jordan Rock in the Spring of 2014. The problems are organized first by

### x 3 2x = (x 2) (x 2 2x + 1) + (x 2) x 2 2x + 1 = (x 4) (x + 2) + 9 (x + 2) = ( 1 9 x ) (9) + 0

1. (a) i. State and prove Wilson's Theorem. ii. Show that, if p is a prime number congruent to 1 modulo 4, then there exists a solution to the congruence x 2 1 mod p. (b) i. Let p(x), q(x) be polynomials

### Finite Fields. Sophie Huczynska. Semester 2, Academic Year

Finite Fields Sophie Huczynska Semester 2, Academic Year 2005-06 2 Chapter 1. Introduction Finite fields is a branch of mathematics which has come to the fore in the last 50 years due to its numerous applications,

### Finite Fields: An introduction through exercises Jonathan Buss Spring 2014

Finite Fields: An introduction through exercises Jonathan Buss Spring 2014 A typical course in abstract algebra starts with groups, and then moves on to rings, vector spaces, fields, etc. This sequence

### Reducibility of Polynomials over Finite Fields

Master Thesis Reducibility of Polynomials over Finite Fields Author: Muhammad Imran Date: 1976-06-02 Subject: Mathematics Level: Advance Course code: 5MA12E Abstract Reducibility of certain class of polynomials

### Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

The first exam will be on Monday, June 8, 202. The syllabus will be sections. and.2 in Lax, and the number theory handout found on the class web site, plus the handout on the method of successive squaring

### Elementary Number Theory Review. Franz Luef

Elementary Number Theory Review Principle of Induction Principle of Induction Suppose we have a sequence of mathematical statements P(1), P(2),... such that (a) P(1) is true. (b) If P(k) is true, then

### Group Theory. 1. Show that Φ maps a conjugacy class of G into a conjugacy class of G.

Group Theory Jan 2012 #6 Prove that if G is a nonabelian group, then G/Z(G) is not cyclic. Aug 2011 #9 (Jan 2010 #5) Prove that any group of order p 2 is an abelian group. Jan 2012 #7 G is nonabelian nite

### SOLUTIONS TO PROBLEM SET 1. Section = 2 3, 1. n n + 1. k(k + 1) k=1 k(k + 1) + 1 (n + 1)(n + 2) n + 2,

SOLUTIONS TO PROBLEM SET 1 Section 1.3 Exercise 4. We see that 1 1 2 = 1 2, 1 1 2 + 1 2 3 = 2 3, 1 1 2 + 1 2 3 + 1 3 4 = 3 4, and is reasonable to conjecture n k=1 We will prove this formula by induction.

### 0 Sets and Induction. Sets

0 Sets and Induction Sets A set is an unordered collection of objects, called elements or members of the set. A set is said to contain its elements. We write a A to denote that a is an element of the set

### 1 2 3 style total. Circle the correct answer; no explanation is required. Each problem in this section counts 5 points.

1 2 3 style total Math 415 Examination 3 Please print your name: Answer Key 1 True/false Circle the correct answer; no explanation is required. Each problem in this section counts 5 points. 1. The rings

### MTH310 EXAM 2 REVIEW

MTH310 EXAM 2 REVIEW SA LI 4.1 Polynomial Arithmetic and the Division Algorithm A. Polynomial Arithmetic *Polynomial Rings If R is a ring, then there exists a ring T containing an element x that is not

### Notes for Math 345. Dan Singer Minnesota State University, Mankato. August 23, 2006

Notes for Math 345 Dan Singer Minnesota State University, Mankato August 23, 2006 Preliminaries 1. Read the To The Student section pp. xvi-xvii and the Thematic Table of Contents. 2. Read Appendix A: Logic

### 1 Structure of Finite Fields

T-79.5501 Cryptology Additional material September 27, 2005 1 Structure of Finite Fields This section contains complementary material to Section 5.2.3 of the text-book. It is not entirely self-contained

### ALGEBRA I (LECTURE NOTES 2017/2018) LECTURE 9 - CYCLIC GROUPS AND EULER S FUNCTION

ALGEBRA I (LECTURE NOTES 2017/2018) LECTURE 9 - CYCLIC GROUPS AND EULER S FUNCTION PAVEL RŮŽIČKA 9.1. Congruence modulo n. Let us have a closer look at a particular example of a congruence relation on

### Numbers. Çetin Kaya Koç Winter / 18

Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 18 Number Systems and Sets We represent the set of integers as Z = {..., 3, 2, 1,0,1,2,3,...} We denote the set of positive integers modulo n as

### Chapter 4 Mathematics of Cryptography

Chapter 4 Mathematics of Cryptography Part II: Algebraic Structures Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 4.1 Chapter 4 Objectives To review the concept

### Notes on Systems of Linear Congruences

MATH 324 Summer 2012 Elementary Number Theory Notes on Systems of Linear Congruences In this note we will discuss systems of linear congruences where the moduli are all different. Definition. Given the

### MATH 361: NUMBER THEORY FOURTH LECTURE

MATH 361: NUMBER THEORY FOURTH LECTURE 1. Introduction Everybody knows that three hours after 10:00, the time is 1:00. That is, everybody is familiar with modular arithmetic, the usual arithmetic of the

### Discrete valuation rings. Suppose F is a field. A discrete valuation on F is a function v : F {0} Z such that:

Discrete valuation rings Suppose F is a field. A discrete valuation on F is a function v : F {0} Z such that: 1. v is surjective. 2. v(ab) = v(a) + v(b). 3. v(a + b) min(v(a), v(b)) if a + b 0. Proposition:

### Finite Fields. Sophie Huczynska (with changes by Max Neunhöffer) Semester 2, Academic Year 2012/13

Finite Fields Sophie Huczynska (with changes by Max Neunhöffer) Semester 2, Academic Year 2012/13 Contents 1 Introduction 3 1 Group theory: a brief summary............................ 3 2 Rings and fields....................................

### Discrete Mathematics with Applications MATH236

Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics, Statistics and Computer Science University of KwaZulu-Natal Pietermaritzburg Campus Semester 1, 2013 Tong-Viet

### Linear Cyclic Codes. Polynomial Word 1 + x + x x 4 + x 5 + x x + x f(x) = q(x)h(x) + r(x),

Coding Theory Massoud Malek Linear Cyclic Codes Polynomial and Words A polynomial of degree n over IK is a polynomial p(x) = a 0 + a 1 + + a n 1 x n 1 + a n x n, where the coefficients a 1, a 2,, a n are

### Coding Theory and Applications. Solved Exercises and Problems of Cyclic Codes. Enes Pasalic University of Primorska Koper, 2013

Coding Theory and Applications Solved Exercises and Problems of Cyclic Codes Enes Pasalic University of Primorska Koper, 2013 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a collection of solved

### INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

INTEGERS PETER MAYR (MATH 2001, CU BOULDER) In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes. 1. Divisibility Definition. Let a, b

### Chuck Garner, Ph.D. May 25, 2009 / Georgia ARML Practice

Some Chuck, Ph.D. Department of Mathematics Rockdale Magnet School for Science Technology May 25, 2009 / Georgia ARML Practice Outline 1 2 3 4 Outline 1 2 3 4 Warm-Up Problem Problem Find all positive

### Chapter 1. Greatest common divisor. 1.1 The division theorem. In the beginning, there are the natural numbers 0, 1, 2, 3, 4,...,

Chapter 1 Greatest common divisor 1.1 The division theorem In the beginning, there are the natural numbers 0, 1, 2, 3, 4,..., which constitute the set N. Addition and multiplication are binary operations

### COMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162

COMPUTER ARITHMETIC 13/05/2010 cryptography - math background pp. 1 / 162 RECALL OF COMPUTER ARITHMETIC computers implement some types of arithmetic for instance, addition, subtratction, multiplication

### 2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

2 Arithmetic This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}. (See [Houston, Chapters 27 & 28]) 2.1 Greatest common divisors Definition 2.16. If a, b are integers, we say

### NOTES ON FINITE FIELDS

NOTES ON FINITE FIELDS AARON LANDESMAN CONTENTS 1. Introduction to finite fields 2 2. Definition and constructions of fields 3 2.1. The definition of a field 3 2.2. Constructing field extensions by adjoining

### Notes on Primitive Roots Dan Klain

Notes on Primitive Roots Dan Klain last updated March 22, 2013 Comments and corrections are welcome These supplementary notes summarize the presentation on primitive roots given in class, which differed

### YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We

### K. Ireland, M. Rosen A Classical Introduction to Modern Number Theory, Springer.

Chapter 1 Number Theory and Algebra 1.1 Introduction Most of the concepts of discrete mathematics belong to the areas of combinatorics, number theory and algebra. In Chapter?? we studied the first area.

### Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9.1 Chapter 9 Objectives

### A. Algebra and Number Theory

A. Algebra and Number Theory Public-key cryptosystems are based on modular arithmetic. In this section, we summarize the concepts and results from algebra and number theory which are necessary for an understanding

### 4 PRIMITIVE ROOTS Order and Primitive Roots The Index Existence of primitive roots for prime modulus...

PREFACE These notes have been prepared by Dr Mike Canfell (with minor changes and extensions by Dr Gerd Schmalz) for use by the external students in the unit PMTH 338 Number Theory. This booklet covers

### Numbers, Groups and Cryptography. Gordan Savin

Numbers, Groups and Cryptography Gordan Savin Contents Chapter 1. Euclidean Algorithm 5 1. Euclidean Algorithm 5 2. Fundamental Theorem of Arithmetic 9 3. Uniqueness of Factorization 14 4. Efficiency

### Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L06, Steve/Courses/2011/S2/CSS322/Lectures/number.tex,

### Information Theory. Lecture 7

Information Theory Lecture 7 Finite fields continued: R3 and R7 the field GF(p m ),... Cyclic Codes Intro. to cyclic codes: R8.1 3 Mikael Skoglund, Information Theory 1/17 The Field GF(p m ) π(x) irreducible

### MATH 145 Algebra, Solutions to Assignment 4

MATH 145 Algebra, Solutions to Assignment 4 1: a) Find the inverse of 178 in Z 365. Solution: We find s and t so that 178s + 365t = 1, and then 178 1 = s. The Euclidean Algorithm gives 365 = 178 + 9 178

### 18. Cyclotomic polynomials II

18. Cyclotomic polynomials II 18.1 Cyclotomic polynomials over Z 18.2 Worked examples Now that we have Gauss lemma in hand we can look at cyclotomic polynomials again, not as polynomials with coefficients

### Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.

Glossary 1 Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.23 Abelian Group. A group G, (or just G for short) is

### COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

COMP239: Mathematics for Computer Science II Prof. Chadi Assi assi@ciise.concordia.ca EV7.635 The Euclidean Algorithm The Euclidean Algorithm Finding the GCD of two numbers using prime factorization is

### Factorization in Integral Domains II

Factorization in Integral Domains II 1 Statement of the main theorem Throughout these notes, unless otherwise specified, R is a UFD with field of quotients F. The main examples will be R = Z, F = Q, and

### Abstract Algebra, Second Edition, by John A. Beachy and William D. Blair. Corrections and clarifications

1 Abstract Algebra, Second Edition, by John A. Beachy and William D. Blair Corrections and clarifications Note: Some corrections were made after the first printing of the text. page 9, line 8 For of the

### Math 511, Algebraic Systems, Fall 2017 July 20, 2017 Edition. Todd Cochrane

Math 511, Algebraic Systems, Fall 2017 July 20, 2017 Edition Todd Cochrane Department of Mathematics Kansas State University Contents Notation v Chapter 0. Axioms for the set of Integers Z. 1 Chapter 1.

### NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

NUMBER THEORY Anwitaman DATTA SCSE, NTU Singapore Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by William

### Part II. Number Theory. Year

Part II Year 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007 2006 2005 2017 Paper 3, Section I 1G 70 Explain what is meant by an Euler pseudoprime and a strong pseudoprime. Show that 65 is an Euler

### = 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

8. p-adic numbers 8.1. Motivation: Solving x 2 a (mod p n ). Take an odd prime p, and ( an) integer a coprime to p. Then, as we know, x 2 a (mod p) has a solution x Z iff = 1. In this case we can suppose

### NOTES ON SIMPLE NUMBER THEORY

NOTES ON SIMPLE NUMBER THEORY DAMIEN PITMAN 1. Definitions & Theorems Definition: We say d divides m iff d is positive integer and m is an integer and there is an integer q such that m = dq. In this case,