Euler s ϕ function. Carl Pomerance Dartmouth College

Similar documents
A 1935 Erdős paper on prime numbers and Euler s function

The ranges of some familiar arithmetic functions

The ranges of some familiar arithmetic functions

The ranges of some familiar functions

Iterated Encryption and Wiener s attack on RSA

Irreducible radical extensions and Euler-function chains

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

The first dynamical system

Amicable numbers. CRM Workshop on New approaches in probabilistic and multiplicative number theory December 8 12, 2014

Order and chaos. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Statistics in elementary number theory

2 More on Congruences

Counting subgroups of the multiplicative group

Order and chaos. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

On the number of elements with maximal order in the multiplicative group modulo n

Two problems in combinatorial number theory

Sums and products. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA. Dartmouth Mathematics Society May 16, 2012

The RSA Cipher and its Algorithmic Foundations

HOW OFTEN IS EULER S TOTIENT A PERFECT POWER? 1. Introduction

Applied Cryptography and Computer Security CSE 664 Spring 2018

Departmento de Matemáticas, Universidad de Oviedo, Oviedo, Spain

Dense product-free sets of integers

Sums and products. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA. Providence College Math/CS Colloquium April 2, 2014

Sums and products. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

Number Theory A focused introduction

CSE 521: Design and Analysis of Algorithms I

Repeated Values of Euler s Function. a talk by Paul Kinlaw on joint work with Jonathan Bayless

D-MATH Algebra II FS18 Prof. Marc Burger. Solution 26. Cyclotomic extensions.

The multiplicative order mod n, on average

Carmichael numbers and the sieve

Lecture Notes, Week 6

RSA Cryptosystem and Factorization

Distribution of Prime Numbers Prime Constellations Diophantine Approximation. Prime Numbers. How Far Apart Are They? Stijn S.C. Hanson.

Factorization & Primality Testing

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Number Theory and Group Theoryfor Public-Key Cryptography

The Average Number of Divisors of the Euler Function

Part II. Number Theory. Year

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Basic Algorithms in Number Theory

Sums and products: What we still don t know about addition and multiplication

ON CARMICHAEL NUMBERS IN ARITHMETIC PROGRESSIONS

Ma/CS 6a Class 4: Primality Testing

Summary Slides for MATH 342 June 25, 2018

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Counting in number theory. Fibonacci integers. Carl Pomerance, Dartmouth College. Rademacher Lecture 3, University of Pennsylvania September, 2010

CPSC 467b: Cryptography and Computer Security

TWO REMARKS ON ITERATES OF EULER S TOTIENT FUNCTION

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

Math/Mthe 418/818. Review Questions

MATH 145 Algebra, Solutions to Assignment 4

Balanced subgroups of the multiplicative group

CIS 551 / TCOM 401 Computer and Network Security

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Quasi-reducible Polynomials

Gaps between primes: The story so far

COMP4109 : Applied Cryptography

Discrete Structures Lecture Primes and Greatest Common Divisor

On the number of co-prime-free sets. Neil J. Calkin and Andrew Granville *

Part IA Numbers and Sets

Carmichael numbers with a totient of the form a 2 + nb 2

Almost Primes of the Form p c

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

A Guide to Arithmetic

Zsigmondy s Theorem. Lola Thompson. August 11, Dartmouth College. Lola Thompson (Dartmouth College) Zsigmondy s Theorem August 11, / 1

The Impossibility of Certain Types of Carmichael Numbers

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Primality testing: then and now

CS March 17, 2009

Math 259: Introduction to Analytic Number Theory The Selberg (quadratic) sieve and some applications

ECEN 5022 Cryptography

PALINDROMIC SUMS OF PROPER DIVISORS. Paul Pollack Department of Mathematics, University of Georgia, Athens, GA 30602, USA

Primality testing: then and now

Primality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

CPSC 467b: Cryptography and Computer Security

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Basic elements of number theory

Basic elements of number theory

Cryptography: Joining the RSA Cryptosystem

On Carmichael numbers in arithmetic progressions

Integer factorization, part 1: the Q sieve. D. J. Bernstein

FERMAT S TEST KEITH CONRAD

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Introduction to Public-Key Cryptosystems:

Ma/CS 6a Class 4: Primality Testing

On Values Taken by the Largest Prime Factor of Shifted Primes

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Mathematical Foundations of Public-Key Cryptography

Mathematics of Public Key Cryptography

The RSA cryptosystem and primality tests

Public Key Cryptography

On the average number of divisors of the Euler function

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

HOMEWORK 11 MATH 4753

Compositions with the Euler and Carmichael Functions

Transcription:

Euler s ϕ function Carl Pomerance Dartmouth College

Euler s ϕ function: ϕ(n) is the number of integers m [1, n] with m coprime to n. Or, it is the order of the unit group of the ring Z/nZ. Euler: If a is coprime to n, then a ϕ(n) 1 (mod n). 1

Euler s theorem is the basis of the RSA Cryptosystem: If integers E, D satisfy ED 1 (mod ϕ(n)), then a ED a (mod n) for every integer a coprime to n. (In fact, this holds for all integers a if n is squarefree, such as the product of two different large primes.) Encrypt message a : b = a E (mod n). Decrypt: a = b D (mod n). To encrypt, one should know E, n. To decrypt, D as well. 2

Note that it is easy to compute a E (mod n) given a, E, n and similarly it is easy to compute b D (mod n). Further, given ϕ(n), it is easy to come up with pairs E, D with ED 1 (mod ϕ(n)). Indeed, keep choosing random numbers D until one is found that is coprime to ϕ(n), and then use Euclid s algorithm to find E. As a public-key system, E, n are released to the public, but D is kept secret. Then anyone can send you encrypted messages that only you can read. 3

The security of the RSA Cryptosystem is connected to our ability to compute ϕ(n): For p prime, ϕ(p) = p 1; more generally, ϕ(p k ) = p k p k 1 = p k (1 1/p). By the Chinese Remainder Theorem, ϕ(n) = n p prime p n ( 1 1 p ). 4

So, knowing the prime factorization of n, one can compute ϕ(n) rapidly in deterministic polynomial time. What about the converse? Given n and ϕ(n) can one compute the prime factorization of n in deterministic polynomial time? Yes, if n = pq, where p, q are different primes, since ϕ(n) = (p 1)(q 1), so that n 1 ϕ(n) = p + q. In general, the Extended Riemann Hypothesis implies that there is a deterministic, polynomial time algorithm to compute the prime factorization of n, given n and ϕ(n). 5

A random polynomial time algorithm to get a nontrivial factorization: We may assume ϕ(n) < n 1 and that n and ϕ(n) are coprime. Write ϕ(n) = 2 s m, where m is odd. Choose a at random from [1, n 1]. We may assume a and n are coprime. Note that a ϕ(n) 1 = (a m 1)(a m + 1)(a 2m + 1) (a 2s 1 m + 1). Fact: n divides the product, but the chance that n divides a factor is at most 1/2. 6

Some natural questions to ask about a function from N to N: 1. What is ϕ(n) on average? That is, what can be said about as x grows? n x ϕ(n) 2. What is typically true about the size of ϕ(n)? 3. What about extremes for ϕ(n)? 4. What is true on average or typically about ϕ(n) arithmetically? 7

Euler s function on average The chance that two random integers are both divisible by the prime p is 1/p 2. So, the chance that no prime p divides both should be (1 1p ) 2 We have so that 1 1 p 2 = ( p 2 α = α := p 2 1 p prime ) 1 = ( 1 1 n=1 n 2. 1 + 1 p 2 + 1 p 4 + ) 1, = 1 ζ(2) = 6 π 2. 8

Thus, the probability that two random integers are coprime is 6/π 2. Another interpretation: Choose a lattice point (m, n) at random; the probability that it is visible is 6/π 2. Using these thoughts it is easy to see that as x. n x ϕ(n) 3 π 2x2 9

Extreme values of ϕ(n) are also fairly easy: lim sup ϕ(n) n = 1, in fact, lim inf lim inf ϕ(n) n = 0, ϕ(n) n/ log log n = e γ. 10

Clearly ϕ(n)/n jumps around a bit: if n has only large prime factors, the ratio is close to 1, but if n has many small prime factors, it is close to 0. One can ask for a distribution function. That is, let u be a real variable in [0, 1] and consider {n : ϕ(n)/n u}. Does this set have an asymptotic density D(u), and if so, how does D(u) vary with u? Schoenberg, 1928: D(u) exists, it is strictly monotone, and varies continuously with u. It has an infinite one-sided derivative on a dense subset of [0, 1]. 11

Let ω(n) denote the number of primes p with p n. For example, ω(1) = 0, ω(100) = 2, ω(1001) = 3. Hardy and Ramanujan, 1917: Normally ω(n) log log n. That is, for each ɛ > 0, the set of n with (1 ɛ) log log n < ω(n) < (1 + ɛ) log log n has asymptotic density 1. Erdős and Kac, 1939 : For each real number u, the set has asymptotic density {n : ω(n) log log n + u log log n} 1 u 2π e x2 /2 dx, the Gaussian normal distribution. 12

What can be said about ω(ϕ(n))? Erdős and P, 1985: For each real number u, the set { n : ω(ϕ(n)) 1 2 (log log n)2 + u } (log log n) 3/2 3 has asymptotic density G(u). 13

Euler s function and groups Burnside, Dickson, Szele: There is exactly one isomorphism class for groups of order n precisely when n and ϕ(n) are coprime. Erdős, 1948: The number of integers n in [1, x] with n coprime to ϕ(n) is ( e γ + o(1) ) x as x. log log log x 14

Carmichael s conjecture R. D. Carmichael conjectured that ϕ is never 1 to 1. That is, for each n there is some m n with ϕ(m) = ϕ(n). For example: If n is odd, let ϕ(2n) = ϕ(n). Or if 2 n, then ϕ(n/2) = ϕ(n). If 4 n, then 3 n, since otherwise ϕ(3n/2) = ϕ(n). And if 3 n, then ϕ(2n/3) = ϕ(n). Etc. An elementary theorem: If n has the property that p 2 n for each prime p with p 1 n, then n is a counterexample to Carmichael s conjecture. A challenge: prove no number n satisfies the hypothesis! 15

Let V (x) denote the number of integers in [1, x] that are values of ϕ. Elementary thoughts: 1 is the only odd value of ϕ. 14 is the first even number that s not a value. The next is 26. Do we expect V (x) 1 2x? Or V (x) cx? Or V (x) = o(x)? 16

Idea: Most numbers have many different prime factors, so most values of ϕ are divisible by a large power of 2. But most numbers are not divisible by a large power of 2. So V (x) = o(x) as x. Pillai, 1929: There is some c > 0 such that V (x) x/(log x) c for all large x. Erdős, 1935: V (x) = x/(log x) 1+o(1) as x. 17

Erdős and Hall, 1973, 1976: There are c 1, c 2 > 0 such that for all large x, x log x exp ( c 1 (log log log x) 2 ) x V (x) log x exp ( c 2 (log log x) 1/2 ). Maier and P, 1988: There is a number c > 0 such that as x, V (x) = x log x exp ( (c + o(1))(log log log x) 2 ). Ford, 1998: Found secondary factors so as to have the correct order of magnitude of V (x). We still don t have an asymptotic formula for V (x), nor do we know even that V (2x) 2V (x) as x. 18

Sierpiński s conjecture For each integer k 2 there is some number v such that ϕ(n) = v has exactly k solutions n. Ford, 1999: Yes. In fact, a positive proportion of ϕ values satisfy this. (The proportion depends on k.) Ford went on to prove in the case k = 1 (Carmichael s conjecture), that if there is just one value v with a unique pre-image, than a positive proportion of all values have a unique pre-image. 19

So, we ve seen that most numbers are not values of ϕ, maybe no number is a value exactly once, and for each k 2 there are numbers v which are a value exactly k times. How large can k be as a function of v? Erdős, 1935: There is some α > 0 such that for infinitely many numbers v, the equation ϕ(n) = v has at least v α solutions. 20

Idea of proof: There is some c > 0 such that a positive proportion of the primes p y 1+c have all prime factors of p 1 at most y. (Uses Brun s sieve method.) Now take subsets of these primes with product below e y. If n is one of these products, then ϕ(n) has prime factors all below y. There are many such n s, but not many numbers below e y with all prime factors below y. So, some value is inordinately popular. The current record has c > 2, and there are infinitely many values v of ϕ with more than v 0.7 pre-images. It is conjectured that c can be arbitrarily large and that the exponent 0.7 can be replaced with any number < 1. 21

Lehmer s question If n is prime, then ϕ(n) n 1. Can ϕ(n) be a proper divisor of n 1? Little is known. Though we ve searched, we know no such number. Failing a proof that there are none, can we at least show there are few of them? Yes, but we don t know that they are eventually sparser than the set of squares! Just in: Banks, Güloğlu, and Nevans have shown that the number of such n in [1, x] is, for all large x, at most x 1/2 /(log x) 1/8. 22

Carmichael s function Recall that ϕ(n) is the order of the unit group of Z/nZ. Let λ(n) denote the exponent of this group. That is, λ(n) is the least positive integer l such that a l 1 (mod n) for every integer a coprime to n. Since the unit group is cyclic when n = p is a prime, we have λ(p) = p 1. In general, λ(p a ) = ϕ(p a ) except when p = 2, a 3, when λ(2 a ) = 1 2 ϕ(2a ). And n = p a 1 1... pa k k implies λ(n) = lcm[λ(p a 1 1 ),..., λ(pa k k )]. 23

One can ask, like with Lehmer s question: can λ(n) divide n 1 for n composite? It is easy to see that if λ(n) n 1, then for every integer a. a n a (mod n) For example, n = 561. It is 3 11 17, and lcm[2, 10, 16] = 80, which is a divisor of 560. Such composite numbers are called Carmichael numbers. Alford, Granville, P, 1994: There are infinitely many Carmichael numbers. 24

Euler chains Starting with n, consider the sequence n, ϕ(n), ϕ(ϕ(n)),.... Eventually you reach 1 and there the sequence becomes constant. Let k(n) be the number of steps to reach 1. For example, k(1) = 0, k(2) = 1, k(3) = 2, k(100) = 6, etc. Pillai, 1929 For all n, k(n) log n/ log 2 and this is attained when n is a power of 2. Further, k(2 3 j ) = j + 1 and this gives the minimal order of k(n), namely log n/ log 3. 25

Let K(n) be the totally additive function (K(ab) = K(a) + K(b)) such that K(2) = 1 and K(p) = K(p 1) for each odd prime p. Then K(n) is the number of even terms in the Euler chain for n, so K(n) = k(n) or k(n) 1. (Essentially, Shapiro, 1943.) Erdős, Granville, P, Spiro, 1990. Conditionally on the Elliott Halberstam conjecture, there is some α > 0 such that k(n) α log n on a set of asymptotic density 1. Here, 1 α = lim x x p x K(p), but we do not know how to prove unconditionally that this limit exists. 26

Luca, P, 2007. The product of all of the distinct primes that divide some member of the Euler chain for n exceeds n (1 ɛ) log log n/ log log log n for all large n in a set of asymptotic density 1. This result can be used to show that for almost all n, the degree D(n) of the smallest algebraic number field that contains the nth roots of unity and which can be reached by a sequence of prime-degree radical Galois extensions, has D(n) greater than any fixed power of n. 27

We know very little about Carmichael chains where we iterate λ to get to 1. Consider reverse Euler chains, where given n we try to find n 1 with ϕ(n 1 ) = n and continue with this. There is an infinite such chain if and only if n is in the range of each iterate of ϕ. Luca, P, 2008. The number n is in the range of each iterate of ϕ if and only if n = 1 or is of the form 2 a 3 b with a > 0. It s possible to show that if λ(n) n, then n is in the range of each iterate of λ. There are more than x 0.7 such numbers n x. Is n = 10 in the range of each iterate of λ? 28

Further problems Consider the function U which sends n to the isomorphism class of the unit group of Z/nZ. What about the range of this function? That is, how does the number of unit groups with order in [1, x] compare with the total number of abelian groups with order in [1, x]? Is Carmichael s conjecture true for U(n)? What about Sierpiński s conjecture? These and other questions are addressed by Bayless, 2008. 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback