Some Facts from Number Theory

Similar documents
RSA Encryption. Computer Science 52. Encryption: A Quick Overview. Spring Semester, 2017

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Basic elements of number theory

Basic elements of number theory

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

1 Overview and revision

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

8 Primes and Modular Arithmetic

Introduction to Public-Key Cryptosystems:

Number Theory and Group Theoryfor Public-Key Cryptography

Number Theory A focused introduction

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Intermediate Math Circles February 26, 2014 Diophantine Equations I

Applied Cryptography and Computer Security CSE 664 Spring 2017

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Numbers. Çetin Kaya Koç Winter / 18

ECEN 5022 Cryptography

Senior Math Circles Cryptography and Number Theory Week 2

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

CMPUT 403: Number Theory

18 Divisibility. and 0 r < d. Lemma Let n,d Z with d 0. If n = qd+r = q d+r with 0 r,r < d, then q = q and r = r.

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Introduction to Number Theory

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Algorithmic number theory. Questions/Complaints About Homework? The division algorithm. Division

Applied Cryptography and Computer Security CSE 664 Spring 2018

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

MATH 145 Algebra, Solutions to Assignment 4

Greatest Common Divisor MATH Greatest Common Divisor. Benjamin V.C. Collins, James A. Swenson MATH 2730

Number Theory Notes Spring 2011

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Lecture 4: Number theory

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Number Theory Proof Portfolio

Remainders. We learned how to multiply and divide in elementary

Elementary Number Theory MARUCO. Summer, 2018

Algorithms CMSC Basic algorithms in Number Theory: Euclid s algorithm and multiplicative inverse

ECE596C: Handout #11

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

The Euclidean Algorithm and Multiplicative Inverses

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

NUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:

Beautiful Mathematics

CS250: Discrete Math for Computer Science

Wednesday, February 21. Today we will begin Course Notes Chapter 5 (Number Theory).

CPSC 467: Cryptography and Computer Security

CS2800 Questions selected for fall 2017

Mat Week 8. Week 8. gcd() Mat Bases. Integers & Computers. Linear Combos. Week 8. Induction Proofs. Fall 2013

Number Theory. Zachary Friggstad. Programming Club Meeting

Iterated Encryption and Wiener s attack on RSA

Ma/CS 6a Class 4: Primality Testing

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

CPSC 467b: Cryptography and Computer Security

Numbers, Groups and Cryptography. Gordan Savin

Student Responsibilities Week 8. Mat Section 3.6 Integers and Algorithms. Algorithm to Find gcd()

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Introduction to Number Theory

Ch 4.2 Divisibility Properties

Number Theory Alex X. Liu & Haipeng Dai

Topic Contents. Factoring Methods. Unit 3: Factoring Methods. Finding the square root of a number

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

An Algorithm for Prime Factorization

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Homework #2 solutions Due: June 15, 2012

Discrete Mathematics with Applications MATH236

Elementary Properties of the Integers

download instant at

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Chapter 4 Finite Fields

1. Factorization Divisibility in Z.

Basic Algorithms in Number Theory

a the relation arb is defined if and only if = 2 k, k

4 Powers of an Element; Cyclic Groups

Public Key Encryption

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Mathematical Foundations of Cryptography

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Topics in Cryptography. Lecture 5: Basic Number Theory

A SURVEY OF PRIMALITY TESTS

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Number Theory. Modular Arithmetic

1. Algebra 1.7. Prime numbers

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Solution Sheet (i) q = 5, r = 15 (ii) q = 58, r = 15 (iii) q = 3, r = 7 (iv) q = 6, r = (i) gcd (97, 157) = 1 = ,

Elementary Number Theory Review. Franz Luef

Intermediate Math Circles February 29, 2012 Linear Diophantine Equations I

Basic Algorithms in Number Theory

1. multiplication is commutative and associative;

The following is an informal description of Euclid s algorithm for finding the greatest common divisor of a pair of numbers:

A Few Primality Testing Algorithms

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

MATH 361: NUMBER THEORY FOURTH LECTURE

Transcription:

Computer Science 52 Some Facts from Number Theory Fall Semester, 2014 These notes are adapted from a document that was prepared for a different course several years ago. They may be helpful as a summary of the facts that we use in Computer Science 52 as we study RSA encryption. The exercises in this document are left over from the previous course; although they are a tremendous amount of fun, they are not part of the assigned work for Computer Science 52. 1 Quotients and Remainders If m and n are integers, and n 0, then there is a unique pair of integers q and r satisfying m = qn + r, and 0 r < n. Not surprisingly, q is the quotient and r is the remainder when m is divided by n. 1 We say that n divides m, or n is a divisor of m, when the remainder is zero. The notation n m is used to signify that n divides m. An integer p is a prime number if 1 < p and the only divisors of p are ±1 and ±p. We write a b (mod n) if b a is divisible by n. 2 This notion, called congruence, is an equivalence relation. All the usual laws of arithmetic hold for congruence; for example, we have the distributivity of multiplication over addition and the associativity of multiplication. a(b + c) ab + ac (mod n) a(bc) (ab)c (mod n) When computing arithmetic results for a congruence, it does not hurt replace a value by its remainder on division by n. This keeps the results in the range 3 between 0 and n. 1 Be aware that different processors compute remainders differently. The remainder operator % in C may yield a result r which does not satisfy the stated inequality, but this will happen only when one or both of the arguments is negative. 2 The notation is potentially confusing. Here, mod is not used as an operator; we are not saying that a is equivalent to (b mod n). Rather, the equivalence between a and b depends on n. A better notation might be a n b. 3 For encryption, n is most likely much larger than the largest possible integer. For this, we need multi-word data structures and special library routines for the arithmetic operations. 1

2 Divisors Suppose that a and b are integers, with one or both being non-zero. An integer d is a greatest common divisor of a and b if 1. d a, 2. d b, and 3. if e a and e b, then e d. According to this definition, if d is a greatest common divisor of a and b, then so is d. We use the notation gcd(a, b) to denote the unique positive greatest common divisor. The integers a and b are relatively prime if gcd(a, b) = 1. The following theorem characterizes the greatest common divisor. As we shall see, it provides an extremely useful tool. Theorem 1 Suppose a and b are integers, at least one of which is non-zero, and let d be the least positive integer of the form ua + vb. Then d = gcd(a, b). Proof: First observe that there are positive integers of the form ua + vb. (If a is positive, just take u to be 1 and v to be 0. If a is negative, take u to be 1 and v to be 0. If a is zero, then b is non-zero take u to be 0 and v to be ±1.) Therefore, there is a least positive integer d of the appropriate form. Suppose that d = u 0 a + v 0 b. Divide a by d to obtain a quotient q and remainder r : a = qd + r and 0 r < d. Then r = a qd = (1 qu 0 )a + ( qv 0 )b, so r is of the form ua + vb. But d was the least positive value of that form, and r is less than d. Therefore r cannot be positive. The only possibility is for r to be zero, and in that case, d divides a. In the same way, we conclude that d divides b. If e divides both a and b, then e divides the combination u 0 a+v 0 b. Hence e divides d. This completes the proof that d = gcd(a, b). Corollary 2 If gcd(a, n) = 1, then there is an integer u such that ua 1 (mod n). Proof: There are integers u and v such that ua + vn = 1. We see that ua 1 = ( v)n, so n divides ua 1 and ua 1 (mod n). Corollary 3 If gcd(a, n) = gcd(b, n) = 1, then gcd(ab, n) = 1. Proof: Again, there are integers u and v such that ua+vn = 1. Similarly, there are u and v such that u b + v n = 1. Multiply the left hand sides of the two equations to get another expression that equals 1: (uu )ab + (uav + u bv + vv )n = 1. 2

The least positive combination of ab and n is therefore 1, and gcd(ab, n) = 1. Another useful idea is Euler s totient function, which is defined as follows. Let n be a non-zero integer. Then ϕ(n) is the number of integers between 1 and n 1 (inclusive) which are relatively prime to n. That is, ϕ(n) is the cardinality of the set {j 1 j < n and gcd(j, n) = 1}. Exercise 2.1. Show, directly from the definition, that gcd(a, b) is unique. Exercise 2.2. Suppose that a and n are relatively prime and n divides ab. Show that n divides b. Exercise 2.3. Prove that a is relatively prime to b if and only if there are integers u and v such that ua + vb = 1. Exercise 2.4. Prove that p is a prime number if and only if ϕ(p) = p 1. Exercise 2.5. If p and q are different primes, show that ϕ(pq) = (p 1)(q 1). Exercise 2.6. If p is a prime number and k is positive, what is the value of ϕ(p k )? 3 Euclid s Algorithm Theorem 1 is essential for characterizing the greatest common divisor, but it does not directly give a very efficient algorithm for computing the gcd. The following properties of the gcd function lead to Euclid s algorithm for computing the greatest common divisor. Theorem 4 For integers a and b, not both zero, we have the following properties: 1. gcd(a, 0) = a. 2. gcd(a, b) = gcd(b, a). 3. gcd(a, b) = gcd( a, b). 4. If a = qb + r, then gcd(a, b) = gcd(r, b). Proof: The first three properties can be proved directly from the definition of the greatest common divisor. For the fourth, note that ua + vb = ur + (uq + v)b, so that any number of the form ua + vb can also be written in the form u r + v b. Conversely, any number of the latter form can be written as a combination of a and 3

a = abs(a0); b = abs(b0); while ((a!= 0) && (b!= 0)) if (a < b) b = b % a; else a = a % b; gcd = (a == 0)? b : a; Figure 1: Euclid s algorithm for computing the greatest common divisor. b. The set of positive integers of the form ua + vb is the same as the set of positive integers of the form u r + v b. The least element of the set is the same in both cases, and gcd(a, b) = gcd(r, b). Euclid s algorithm uses the properties of Theorem 4 to preserve loop invariants. Suppose that the we wish to compute the greatest common divisor of two integers whose values are stored in the C variables a0 and b0. The C code below starts by establishing three invariants: 0 a 0 b gcd(a, b) = gcd(a0, b0). This is easily done with the two assignments at the top of the code in Figure 1. Properties 2 and 3 from Theorem 4 show that the invariant is established. The invariants are preserved by the loop of Figure 1. Even though a or b may be changed by an iteration of the loop, both variables remain non-negative. Moreover, property 4 from Theorem 4 guarantees that the gcd does not change. On each iteration, either a or b is made smaller. One of the variables must eventually reach zero, and the loop will terminate. When it does, the other variable contains the greatest common divisor by property 1. This is the value selected by the last line in Figure 1. For encryption, we often want to express the greatest common divisor in terms of the original numbers a0 and b0, gcd = u*a0 + v*b0. In fact, the coefficients u and v are often more important than the value of the gcd itself. 4

It is easy to modify the Euclid s algorithm to provide the extra information. simply use four new variables and maintain two additional invariants. We a = ua a0 + va b0 b = ub a0 + vb b0 If we initialize the four variables correctly and preserve the invariants inside the loop, then one pair of coefficients either ua and va or else ub and vb will be the desired coefficients at the completion of the loop. Exercise 3.1. Fill in the details in extending Euclid s algorithm to find u and v such that u*a0 + v*b0 is the greatest common divisor of a0 and b0. Exercise 3.2. Show that Euclid s algorithm makes at most 2(log 2 a0 + log 2 b0) loop iterations. (In two iterations, either a or b becomes at least one bit shorter. Can you find a better bound?) 4 Fermat s Theorem The following theorem is the heart of the RSA algorithm. Theorem 5 (Fermat s Theorem) If n 0 and gcd(m, n) = 1, then m ϕ(n) 1 (mod n). Proof: Consider the integers between 1 and n 1 which are relatively prime to n. There are ϕ(n) of them, and we can list them: a 1, a 2,... a ϕ(n). (1) For each i satisfying 1 i ϕ(n), let a i be the remainder upon division of ma i by n. Both m and a i are relatively prime to n, so by Corollary 3 the product ma i is relatively prime to n. Further, by property 4 of Theorem 4, the remainder a i is relatively prime to n. Therefore, a i occurs among the elements of the list (1). We next show that the elements in the list a 1, a 2,... a ϕ(n) (2) are all different. If a j = a k, then ma j ma k (mod n). We have that n divides m(a j a k ), so by the result of Exercise 2, n divides a j a k. Because of the range of values of the a i s, this means that a j = a k, or equivalently, that j = k. Therefore, the lists (1) and (2) contain exactly the same numbers, although perhaps in different orders. 5

Multiplying the numbers in either list gives the same result: or a 1 a 2... a ϕ(n) = a 1 a 2... a ϕ(n), a 1 a 2... a ϕ(n) ma 1 ma 2... ma ϕ(n) (mod n) m ϕ(n) a 1 a 2... a ϕ(n) (mod n). (3) Each term in the product a 1 a 2... a ϕ(n) is relatively prime to n. Using Corollary 3 inductively, the whole product is relatively prime to n. By Corollary 2, there is a number u such that ua 1 a 2... a ϕ(n) 1 (mod n). Multiplication by u effectively cancels a 1 a 2... a ϕ(n) from the members of Equation (3), leaving the desired result 1 m ϕ(n) (mod n). Corollary 6 (Fermat s Little Theorem) If p is a prime number, then for all integers m, m m p (mod p). Exercise 4.1. Prove Corollary 6, Fermat s Little Theorem. (Hint: Recall that ϕ(p) = p 1.) Exercise 4.2. The specific fact upon which the RSA algorithm rests concerns the product of two primes. If n is the product of two distinct primes p and q, prove that m m 1+ϕ(n) (mod n), for all integers m. (The proof of this fact is sketched in the RSA paper.) 5 Industrial Strength Primes Suppose that we have a number p that we think is prime. If we choose a random positive number a less than p, we can compute a p mod p. If the result is different from a, then by Corollary 6, Fermat s Little Theorem, we know that p is not prime. If the result is a, then p may, or may not, be prime. Now suppose that we repeat the test for many different values of a. If the two values are ever unequal, then we can declare with certainty thatp is not prime. If, after several tests, we do not discover evidence that p is non-prime, it is tempting to declare p to be a prime number. However, there is a chance that we will make a mistake and declare a number to be prime when it is in fact not. But by making many such tests, we can make the probability of such an error very low. A number declared prime on the basis of such a test is called an industrial strength prime. Nearly all non-prime numbers will, with high probability, be exposed by this process, but there are a few exceptions. Non-primes that will always be declared industrial 6

strength primes by our method are called Carmichael numbers. Although there is an infinite number of them, they are rare meaning that they are distributed sparsely among the integers. The smallest Carmichael number is 561. Using more sophisticated number theory, people have devised similar tests that do not have such a defect. These tests satisfy the two properties below: If p is prime, then every test will report it as prime. If p is not prime, then a given test will report it as prime with probability less than 1/2. Therefore, if we make k tests, the probability of an error is at most 1/2 k, a very small number. Observe that we are not making a statement about the probability that p is prime. A number is either prime or it is not; there is no chance involved. We are saying that, if a number is not prime, there is a small possibility that the test will give wrong information. To find an industrial strength prime number, we simply generate a random number and test it, as above, several times. If it survives, we have our result. If not, we try again with a different random number. Exercise 5.1. A question for thought: The strategy here is guess a number and see if it is prime; if not, guess again. This seems as bad, or worse, than a brute-force search for primes. Why do we find primes after only a reasonable number of guesses? 6 Polynomial-time Algorithms These notes have been evolving since 1996. At that time, industrial strength primality testing was the only technology available. More recently, in 2002, the AKS test for primality was developed. Refinements of it produce a deterministic test that tells us whether or not a k-bit integer is prime in O(k 6 ) time. There is, however, no known way of factoring composite numbers in deterministic polynomial time. 7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback