Number theory. Myrto Arapinis School of Informatics University of Edinburgh. October 9, /29

Similar documents
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Introduction to Sets and Logic (MATH 1190)

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

With Question/Answer Animations. Chapter 4

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Carmen s Core Concepts (Math 135)

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 3

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Integers and Division

Mathematical Foundations of Public-Key Cryptography

Discrete Mathematics GCD, LCM, RSA Algorithm

Review. CS311H: Discrete Mathematics. Number Theory. Computing GCDs. Insight Behind Euclid s Algorithm. Using this Theorem. Euclidian Algorithm

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Elementary Number Theory Review. Franz Luef

Ma/CS 6a Class 2: Congruences

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Number Theory and Group Theoryfor Public-Key Cryptography

CS2800 Questions selected for fall 2017

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Introduction to Number Theory. The study of the integers

Public Key Cryptography

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

5: The Integers (An introduction to Number Theory)

ECE 646 Lecture 5. Mathematical Background: Modular Arithmetic

Introduction to Public-Key Cryptosystems:

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

MATH 145 Algebra, Solutions to Assignment 4

CPSC 467b: Cryptography and Computer Security

Ma/CS 6a Class 2: Congruences

Number Theory and Cryptography

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

ICS141: Discrete Mathematics for Computer Science I

Section Summary. Division Division Algorithm Modular Arithmetic

Cryptography: Joining the RSA Cryptosystem

basics of security/cryptography

Elementary Number Theory MARUCO. Summer, 2018

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

ECE596C: Handout #11

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Chapter 5: The Integers

4 Powers of an Element; Cyclic Groups

Lecture 3.1: Public Key Cryptography I

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Congruence of Integers

Discrete Mathematics and Probability Theory Summer 2017 Course Notes Note 6

Lecture 1: Introduction to Public key cryptography

CS March 17, 2009

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

4 Number Theory and Cryptography

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

CS483 Design and Analysis of Algorithms

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

For your quiz in recitation this week, refer to these exercise generators:

Basic elements of number theory

Basic elements of number theory

1 Overview and revision

Number theory (Chapter 4)

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

1. multiplication is commutative and associative;

Inverses. Today: finding inverses quickly. Euclid s Algorithm. Runtime. Euclid s Extended Algorithm.

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Number Theory A focused introduction

NOTES ON SIMPLE NUMBER THEORY

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Topics in Cryptography. Lecture 5: Basic Number Theory

PRIME NUMBERS YANKI LEKILI

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

Discrete mathematics I - Number theory

2k n. k=0. 3x 2 7 (mod 11) 5 4x 1 (mod 9) 2 r r +1 = r (2 r )

Number Theory and Algebra: A Brief Introduction

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Ma/CS 6a Class 1. Course Details

Iterated Encryption and Wiener s attack on RSA

Number theory (Chapter 4)

Mathematical Foundations of Cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Rings and modular arithmetic

ECE 646 Lecture 5. Motivation: Mathematical Background: Modular Arithmetic. Public-key ciphers. RSA keys. RSA as a trap-door one-way function

2.2 Inverses and GCDs

Ma/CS 6a Class 3: The RSA Algorithm

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Math.3336: Discrete Mathematics. Primes and Greatest Common Divisors

Math.3336: Discrete Mathematics. Mathematical Induction

download instant at

The Fundamental Theorem of Arithmetic

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

CPSC 467: Cryptography and Computer Security

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Chapter 8 Public-key Cryptography and Digital Signatures

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Transcription:

Number theory Myrto Arapinis School of Informatics University of Edinburgh October 9, 2014 1/29

Division Definition If a and b are integers with a 6= 0, then a divides b if there exists an integer c such that b = ac Theorem Let a, b, c be integers, where a 6= 0 1. If a b anda c, then a (b + c) 2. If a b, then a bc 3. If a b andb c, then a c 2/29

Division Definition If a and b are integers with a 6= 0, then a divides b if there exists an integer c such that b = ac Theorem Let a, b, c be integers, where a 6= 0 1. If a b anda c, then a (b + c) 2. If a b, then a bc 3. If a b andb c, then a c Proof 1. a b, 9k b. b = k b a and a c, 9k c. c = k c a. Butthen b + c =(k b + k c ) a which by definition implies that a (b + c) 2. a b, 9k b. b = k b a. Butthenbc = k b a c which by definition implies that a bc 3. a b, 9k b. b = k b a and b c, 9k c. c = k c b. Butthen c = k c k b a which by definition implies that a c 2/29

Division algorithm Theorem If a is an integer and d a positive integer, then there are unique integers q and r, with 0 apple r < d, such that a = dq + r 3/29

Division algorithm Theorem If a is an integer and d a positive integer, then there are unique integers q and r, with 0 apple r < d, such that a = dq + r Proof (by contradiction) Assume 9q 1, q 2, r 1, r 2 such that a = dq 1 + r 1, a = dq 2 + r 2,and(q 1, r 1 ) 6= (q 2, r 2 ). But then, d = r 1 r 2 q 2 q 1 Now since 0 apple r 1, r 2 < m, itmustbethat d < r 1 r 2 < d. But since q 1, q 2 2 Z, itnecessarilyisthecasethat d < r 1 r 2 < d q 2 q 1 Which contradicts our hypothesis that d = r 1 r 2 q 2 q 1. 3/29

Congruence relation Definition If a and b are integers and m is a positive integer, then a is congruent to b modulo m, denoted a b (mod m), i m (a b) Example 17 5 (mod 6) because 6 divides 17 5 = 12 24 14 (mod 6) because 24 14 = 10 is not divisible by 6 4/29

A theorem on congruences Definition Let m be a positive integer. The integers a and b are congruent modulo m i there is an integer k such that a = b + km 5/29

A theorem on congruences Definition Let m be a positive integer. The integers a and b are congruent modulo m i there is an integer k such that a = b + km Proof (() Ifa b (mod m), then by the definition of congruence m (a b). Hence, there is an integer k such that a b = km and equivalently a = b + km ()) If there is an integer k such that a = b + km, then km = a b. Hence,m (a b) anda b (mod m) 5/29

Congruences of sums, di erences, and products Theorem Let m be a positive integer. If a b (mod m) and c d (mod m), thena+ c b + d (mod m), a c b d (mod m), andac bd (mod m) 6/29

Congruences of sums, di erences, and products Theorem Let m be a positive integer. If a b (mod m) and c d (mod m), thena+ c b + d (mod m), a c b d (mod m), andac bd (mod m) Proof Since a b (mod m) and c d (mod m), by the Theorem above there are integers s and t with b = a + sm and d = c + tm. Therefore, b + d =(a + sm)+(c + tm) =(a + c)+m(s + t), and bd =(a + sm)(c + tm) =ac + m(at + cs + stm). Hence, a + c b + d (mod m) andac bd (mod m) Corollary Let m be a positive integer and let a and b be integers. Then (a + b) mod m =((amodm)+(bmodm)) mod m ab mod m =((amodm)(b modm)) mod m 6/29

Arithmetic modulo m Let Z m = {0, 1,, m 1} Theoperation + m is defined as a + m b =(a + b) modm. This is addition modulo m Theoperation m is defined as a m b =(a b) modm. Thisis multiplication modulo m Using these operations is said to be doing arithmetic modulo m Example Find 7 + 11 9and7 11 9 Solution Using the definitions above: 7+ 11 9 = (7 + 9) mod 11 = 16 mod 11 = 5 and 7 11 9=(7 9) mod 11 = 63 mod 11 = 8 7/29

Arithmetic modulo m The operations + m and m satisfy many of the same properties as ordinary addition and multiplication Closure If a, b 2 Z m,thena + m b and a m b belong to Z m Associativity If a, b, c 2 Z m,then(a + m b)+ m c = a + m (b + m c) and (a m b) m c = a m (b m c) Commutativity If a, b 2 Z m,thena + m b = b + m a and a m b = b m a Identity elements The elements 0 and 1 are identity elements for addition and multiplication modulo m, respectively.ifa 2 Z m then a + m 0=a and a m 1=a Additive inverses If 0 6= a 2 Z m,thenm a is the additive inverse of a modulo m. Moreover, 0 is its own additive inverse a + m (m a) =0and0+ m 0=0 Distributivity If a, b, c 2 Z m,then a m (b + m c)=(a m b)+ m (a m c) and (a + b) c =(a c)+ (b c) 8/29

Multiplicative inverses Addition and multiplication mod m is easy. What about division? 9/29

Multiplicative inverses Addition and multiplication mod m is easy. What about division? Over the reals, dividing by a number x is the same as multiplying by y =1/x 9/29

Multiplicative inverses Addition and multiplication mod m is easy. What about division? Over the reals, dividing by a number x is the same as multiplying by y =1/x Similarly when we wish to divide by x mod m, wewishtofind y mod m such thatx x y 1(modm) 9/29

Multiplicative inverses Addition and multiplication mod m is easy. What about division? Over the reals, dividing by a number x is the same as multiplying by y =1/x Similarly when we wish to divide by x mod m, wewishtofind y mod m such thatx x y 1(modm) Example Let x =8andm = 15. Then 2x = 16 1 (mod 15), so 2 is a multiplicative inverse of 8 (mod 15) 9/29

Multiplicative inverses Addition and multiplication mod m is easy. What about division? Over the reals, dividing by a number x is the same as multiplying by y =1/x Similarly when we wish to divide by x mod m, wewishtofind y mod m such thatx x y 1(modm) Example Let x =8andm = 15. Then 2x = 16 1 (mod 15), so 2 is a multiplicative inverse of 8 (mod 15) Example Let x = 12 and m = 15. Then the sequence {ax (mod m) a =0, 1, 2,...} is periodic, and takes on the values {0, 12, 9, 6, 3}. Thus 12 has no multiplicative inverse mod 15 9/29

Multiplicative inverses Addition and multiplication mod m is easy. What about division? Over the reals, dividing by a number x is the same as multiplying by y =1/x Similarly when we wish to divide by x mod m, wewishtofind y mod m such thatx x y 1(modm) Example Let x =8andm = 15. Then 2x = 16 1 (mod 15), so 2 is a multiplicative inverse of 8 (mod 15) Example Let x = 12 and m = 15. Then the sequence {ax (mod m) a =0, 1, 2,...} is periodic, and takes on the values {0, 12, 9, 6, 3}. Thus 12 has no multiplicative inverse mod 15 Not all integers have an inverse mod m 9/29

Primes Definition A positive integer p > 1 is called prime i the only positive factors of p are 1 and p. Otherwise it is called composite Theorem (Fundamental Theorem of Arithmetic) Every positive integer greater than 1 can be written uniquely as a prime or as the product of its prime factors, written in order of nondecreasing size. Proof by induction (see slides on induction) Example 765 = 3 3 5 17 = 3 2 5 17 10 / 29

There are infinitely many primes - Euclid (325-265 BCE) Lemma Every natural number greater than one is either prime or it has a prime divisor 11 / 29

There are infinitely many primes - Euclid (325-265 BCE) Lemma Every natural number greater than one is either prime or it has a prime divisor Proof Suppose towards a contradiction that there are only finitely many primes p 1, p 2, p 3,...,p k. Consider the number q = p 1 p 2 p 3...p k + 1, the product of all the primes plus one. By hypothesis q cannot be prime because it is strictly larger than all the primes. Thus, by the lemma, it has a prime divisor, p. Because p 1, p 2, p 3,...,p k are all the primes, p must be equal to one of them, so p is a divisor of their product. So we have that p divides p 1 p 2 p 3...p k,andp divides q, butthatmeansp divides their di erence, which is 1. Therefore p apple 1. Contradiction. Therefore there are infinitely many primes. 11 / 29

The Sieve of Eratosthenes (276-194 BCE) How to find all primes between 2 and n? 12 / 29

The Sieve of Eratosthenes (276-194 BCE) How to find all primes between 2 and n? A very ine prime cient method of determining if a number n is Try every integer i apple p n and see if n is divisible by i: 1. Write the numbers 2,...,n into a list. Let i := 2 2. Remove all strict multiples of i from the list 3. Let k be the smallest number present in the list s.t. k > i. Then let i := k 4. If i > p n then stop else go to step 2 Testing if a number is prime can be done e ciently in polynomial time [Agrawal-Kayal-Saxena 2002], i.e., polynomial in the number of bits used to describe the input number. E cient randomized tests had been available previously. 12 / 29

Greatest common divisor Definition Let a, b 2 Z {0}. The largest integer d such that d a and also d b is called the greatest common divisor of a and b. It is denoted by gcd(a, b) Example gcd(24, 36) = 12 13 / 29

Greatest common divisor Definition Let a, b 2 Z {0}. The largest integer d such that d a and also d b is called the greatest common divisor of a and b. It is denoted by gcd(a, b) Example gcd(24, 36) = 12 Definition The integers a and b are relatively prime (coprime) i gcd(a, b) =1 Example 17 and 22 (Note that 22 is not a prime) 13 / 29

Gcd by Prime Factorizations Suppose that the prime factorizations of a and b are: a = p a 1 1 pa 2 2 pan n b = p b 1 1 pb 2 2 pbn n where each exponent is a nonnegative integer (possibly zero). Then gcd(a, b) =p min(a 1,b 1 ) 1 p min(a 2,b 2 ) 2 pn min(an,bn) This number clearly divides a and b. No larger number can divide both a and b. Proof by contradiction and the prime factorization of a postulated larger divisor. Factorization is a very ine cient method to compute gcd. The Euclidian algorithm is much better. 14 / 29

Euclidian algorithm Euclidian algorithm algorithm gcd(x,y) if y = 0 then return(x) else return(gcd(y,x mod y)) Thed Euclidian algorithm relies on the fact that 8x, y 2 Z. x > y! gcd(x, y) = gcd(y, x mod y) 15 / 29

Euclidian algorithm (proof of correctness) Lemma Let a = bq + r,where a, b, q, andr are integers. Then gcd(a, b) = gcd(b, r) 16 / 29

Euclidian algorithm (proof of correctness) Lemma Let a = bq + r,where a, b, q, andr are integers. Then gcd(a, b) = gcd(b, r) Proof ()) Suppose that d divides both a and b. Thend also divides a bq = r. Hence, any common divisor of a and b must also be a common divisor of b and r (() Suppose that d divides both b and r. Thend also divides bq + r = a. Hence, any common divisor of b and r must also be a common divisor of a and b. Therefore, gcd(a, b) = gcd(b, r) 16 / 29

Multiplicative inverses Theorem Let m, x be positive integers. gcd(m, x) =1i x has a multiplicative inverse modulo m (and it is unique (modulo m)). 17 / 29

Multiplicative inverses Theorem Let m, x be positive integers. gcd(m, x) =1i x has a multiplicative inverse modulo m (and it is unique (modulo m)). Proof ()) Consider the sequence of m numbers 0, x, 2x,...(m 1)x. Wefirstshowthatthesearealldistinct modulo m. To verify the above claim, suppose that ax mod m = bx mod m) for two distinct values a, b in the range 0 apple a, b apple m 1. Then we would have (a b)x 0(mod m), or equivalently, (a b)x = km for some integer k. But since x and m are relatively prime, it follows that a b must be an integer multiple of m. This is not possible since a,b are distinct non-negative integers less than m. Now, since there are only m distinct values modulo m, itmust then be the case that ax 1(mod m) for exactly one a (modulo m). This a is the unique multiplicative inverse. 17 / 29

Gcd as a linear combination Theorem (Bézout s theorem) If x and y are positive integers, then there exist integers a and b such that gcd(x, y) =ax + by (Proof in exercises of Section 5.2) Example 2 = gcd(6, 14) = ( 2) 6+1 14 Extended Euclidian algorithm The Bézout coe cients can be computed as follows: algorithm extended-gcd(x,y) if y = 0 then return(x, 1, 0) else (d, a, b) := extended-gcd(y, x mod y) return((d, b, a - (x div y) * b)) 18 / 29

The multiplicative group Z m Definition Let Z m = {x 1 apple x < m and gcd(x, m) =1}. Together with multiplication modulo m, this is called the multiplicative group modulo m. It is closed, associative, has a neutral element (namely 1) and every element has an inverse. 19 / 29

Fermat s little theorem Theorem If p is prime and p 6 a, then a p 1 1(mod p). Furthermore,for every integer a we have a p a (mod p) Fermat s little theorem is useful in computing the remainders modulo p of large powers of integers Example Find 7 222 mod 11 By Fermat s little theorem, we know that 7 10 1 (mod 11), and so (7 10 ) k 1 (mod 11) for every positive integer k. Therefore, 7 222 =7 22= 10+2 =(7 10 ) 22 7 2 122 49 5 (mod 11). Hence, 7 222 mod 11 = 5 20 / 29

Public-key encryption in pictures Alice Bob 21 / 29

Public-key encryption in pictures Alice Bob From Alice: I want to send you a secret 22 / 29

Public-key encryption in pictures Alice Bob From Alice: I want to send you a secret 23 / 29

Public-key encryption in pictures Alice Bob From Alice: I want to send you a secret 24 / 29

Public-key encryption in pictures Alice Bob From Alice: I want to send you a secret 25 / 29

Public-key encryption in pictures Alice Bob From Alice: I want to send you a secret 26 / 29

RSA: key generation Choose two distinct prime numbers p and q. Prime integers can be e ciently found using a primality test Let n = pq and k =(p 1)(q 1). (In particular, k = Z n ) Choose an integer e such that 1 < e < k and gcd(e, k) = 1; i.e. e and k are coprime (n, e) isreleasedasthepublickey Let d be the multiplicative inverse of e modulo k, i.e. de 1(mod k). (Computed using the extendede uclidean algorithm) (n, d) istheprivatekeyandkeptsecret 27 / 29

RSA: encryption and decryption Alice transmits her public key (n, e) to Bob and keeps the private key secret Encryption If Bob wishes to send message M to Alice. 1. He turns M into an integer m, suchthat0apple m < n by using an agreed-upon reversible protocol known as a padding scheme 2. He computes the ciphertext c corresponding to c = m e mod n. This can be done quickly using the method of exponentiation by squaring. 3. Bob transmits c to Alice. Decryption Alice can recover m from c by 1. Using her private key exponent d via computing m = c d mod n 2. Given m, she can recover the original message M by reversing the padding scheme 28 / 29

RSA: correctness of decryption Given that c = m e mod n, is m = c d mod n? c d =(m e ) d m ed (mod n) By construction, d and e are each others multiplicative inverses modulo k, i.e.ed 1(modk). Also k =(p 1)(q 1). Thus ed 1 = h(p 1)(q 1) for some integer h. We consider m ed mod p If p 6 m then m ed = m h(p 1)(q 1) m =(m p 1 ) h(q 1) m 1 h(q 1) m m (mod p) (by Fermat s little theorem) Otherwise m ed 0 m (mod p) Symmetrically, m ed m (mod q) Since p, q are distinct primes, we have m ed m (mod pq). Since n = pq, wehavec d m ed m (mod n) 29 / 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback