Lecture 11 - Basic Number Theory.

Similar documents
1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Theoretical Cryptography, Lectures 18-20

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

CSE 521: Design and Analysis of Algorithms I

Basic elements of number theory

Basic elements of number theory

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Continuing discussion of CRC s, especially looking at two-bit errors

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Homework 7 solutions M328K by Mark Lindberg/Marie-Amelie Lawn

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

3 The fundamentals: Algorithms, the integers, and matrices

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

Ma/CS 6a Class 4: Primality Testing

cse547, math547 DISCRETE MATHEMATICS Professor Anita Wasilewska

Applied Cryptography and Computer Security CSE 664 Spring 2018

basics of security/cryptography

4 Powers of an Element; Cyclic Groups

The running time of Euclid s algorithm

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Number theory (Chapter 4)

Lecture 7: Number Theory Steven Skiena. skiena

Number theory (Chapter 4)

10 Concrete candidates for public key crypto

1. Algebra 1.7. Prime numbers

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Theoretical Cryptography, Lecture 13

Lecture 6: Deterministic Primality Testing

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Introduction to Public-Key Cryptosystems:

4 Number Theory and Cryptography

Simultaneous Linear, and Non-linear Congruences

6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Basic Algorithms in Number Theory

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

1 Rabin Squaring Function and the Factoring Assumption

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

7. Prime Numbers Part VI of PJE

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Lecture 6: Introducing Complexity

CPSC 467b: Cryptography and Computer Security

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Lecture 7 Number Theory Euiseong Seo

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

Factorization & Primality Testing

MATH 115, SUMMER 2012 LECTURE 12

Commutative Rings and Fields

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

CPSC 467: Cryptography and Computer Security

Solutions to Problem Set 4 - Fall 2008 Due Tuesday, Oct. 7 at 1:00

Basic Algorithms in Number Theory

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

CPSC 467b: Cryptography and Computer Security

CS483 Design and Analysis of Algorithms

(a) 14 and 42 (b) 33 and 18 (c) 45 and 108 (d) 24 and 2039, given that 2039 is a prime number

Some Facts from Number Theory

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Entry Number:2007 mcs Lecture Date: 18/2/08. Scribe: Nimrita Koul. Professor: Prof. Kavitha.

Elementary Algebra Chinese Remainder Theorem Euclidean Algorithm

PRACTICE PROBLEMS: SET 1

Clock Arithmetic. 1. If it is 9 o clock and you get out of school in 4 hours, when do you get out of school?

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

Applied Cryptography and Computer Security CSE 664 Spring 2017

Chapter 14: Divisibility and factorization

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

Number Theory Alex X. Liu & Haipeng Dai

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

The RSA cryptosystem and primality tests

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

Congruence of Integers

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

Lecture 8: Finite fields

MATH 115, SUMMER 2012 LECTURE 4 THURSDAY, JUNE 21ST

Senior Math Circles Cryptography and Number Theory Week 2

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

Winter Camp 2009 Number Theory Tips and Tricks

CS March 17, 2009

ENEE 457: Computer Systems Security. Lecture 5 Public Key Crypto I: Number Theory Essentials

Private Key Cryptography. Fermat s Little Theorem. One Time Pads. Public Key Cryptography

Ma/CS 6a Class 4: Primality Testing

Advanced Algorithms and Complexity Course Project Report

Lecture 8: Number theory

An Algorithm for Prime Factorization

IRREDUCIBILITY TESTS IN F p [T ]

Algorithmic number theory. Questions/Complaints About Homework? The division algorithm. Division

Introduction to Information Security

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

1. multiplication is commutative and associative;

Transcription:

Lecture 11 - Basic Number Theory. Boaz Barak October 20, 2005 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that a divides b, denoted a b if there s a k such that ka = b. We say that p is prime if for a > 0, a p only for a = 1 and a = p Unique factorization. Theorem 1 (Unique factorization). For every n > 0, there are unique primes p 1,..., p k such as n is the multiplication of these primes. We typically order the primes from small to big, and group together multiplications of the same prime, and so the unique factorization of n is its representation of the form p i 1 1 p i 2 2 p i l Basic property of prime and co-prime numbers. Two easy consequences of the unique factorization theorem: If p and q are co-prime and both p n and q n, then pq n. If p ab then either p a or p b. How many primes exist. Another nice fact to know about primes is that there are infinitely many of them. (It is not immediately obvious from the unique factorization theorem initially you might think that perhaps the only primes are {2, 3, 5} and all other numbers are of the form 2 i 3 j 5 k ) In fact, we have the following theorem: Theorem 2 (Chebychev s theorem). Let p(n) denote the number of primes between 1 and n. Then, p(n) = Ω( n log n ). This means in particular that if you choose a random l-bit integer, with probability Ω( 1 l ) it will be prime. Chebychev s theorem actually has a very short and simple proof (see Shoup s book). It is known actually that p(n) = n ln n (1 + o(1)). This is called the prime number theorem (there s also an OK proof for this). 1 l.

g.c.d For two integers a and b, their g.c.d is the largest d such that d a and d b. The g.c.d can be shown to be the largest common part of their factorization. That is, if p, q, r are primes and a = pq 2 and b = q 3 r then gcd(a, b) = q 2. If a and b factor into disjoint sets of primes then gcd(a, b) = 1. In particular for every two different primes p, q gcd(p, q) = 1. If gcd(a, b) = 1 we say that a and b are co-prime to one another. Modulu For every two numbers a and b there is unique k and r such that 0 r b 1 and a = kb + r. In this case we say that r = a (mod b). Clearly b a iff a (mod b) = 0. Also note that for all a, b, c and a + b (mod c) = (a (mod c) + b (mod c)) (mod c) a b (mod c) = (a (mod c) b (mod c)) (mod c) If a (mod b) = a (mod b) we say that a and a are equivalent modulu b, sometimes denoting this by a b a. We denote by Z b the set {0,..., b 1}. When we add or multiply two elements from Z b we use addition/multiplication modulu b. Chinese reminder theorem. Let p and q be two prime numbers (actually can be also just co-prime) and let n = pq. Consider the following function from Z n to Z p Z q : f(x) = x (mod p), x (mod q). We claim the following properties of this function: 1. f( ) preserves addition: f(x + x ) = f(x) + f(x ). (In the right hand side f(x) + f(x ) means that we add the first element of both pairs mod p and the second element mod q. This follows from the fact that the modulu operation has this property. 2. f( ) preserves multiplication: f(x x ) = f(x) f(x ). Again, this follows from the fact that the modulu operation has this property. 3. f( ) is one-to-one. Indeed, if there exist x > x with f(x) = f(x ) then f(x x ) = 0, 0. Which means that p x x and q x x which implies pq = n x x which can t happen for a number between 1 and n 1. 4. f( ) is onto. This follows from the fact that Z n = Z p Z q. Operations we can do efficiently We can do the following operations efficiently (polynomial in the number of bits it takes to describe the inputs) 2

1. Addition and multiplication modulu some n 2. Exponentiation modulu n. We can not compute x y (mod n) by repeated multiplications since that can take y operation which is too many. Rather we separate y to a sum of powers of two (binary notation): y = 2 i + 2 j + 2 k thus we need to compute x 2i cdotx 2j x 2k. We can compute x 2i in i multiplications by repeated squaring. 3. Taking inverse modulu n. If gcd(x, n) = 1 then the extended gcd algorithm gives a y such that xy (mod n) = 1. We sometimes denote y = x 1. Non-trivial efficient operations. We ll show we can do the following two things efficiently: 1. Take a square root modulu a prime. That is, for a prime p and a Z p, find b such that a = b 2 (mod p) if such a b exists. 2. Primality testing: given a number n decide whether it is a prime or a composite number. Fermat s little theorem We ll use the following theorem of Fermat: for every prime p and number 1 a p 1. a p 1 = 1 (mod p). We note that this is actually a consequence of a more general theorem on groups. Facts about square roots. When we work in Z p, we denote by x the number such that x x = 0 (mod p). In other words, x = p x. Note that it s always the case that x x since otherwise we d have 2x = p which means that p is even. We know that over the reals any number a has either zero square roots (if its negative) or two square roots + a and a if its positive. It turns out a similar thing holds for Z p : every a Z p has either no square roots, or two square roots of the form x and x. To prove this first note that if x 2 = a (mod p) then ( x) 2 = a (mod p). Thus, if a has any square roots it has at least two of them. Now we ll prove that if x and y are square roots of the same value then x = ±y. Indeed, if x 2 = y 2 (mod p) this means that x 2 y 2 = 0 (mod p) or that p (x+y)(x y). Since p is prime this means that either p x+y (meaning x = y (mod p)) or p x y (meaning x = y (mod p)). Taking square root modulu prime: We re given a prime p and a number a which has a square root x, and we want to find x (or x). We can assume p is odd (if p is the only even prime, namely two, then we can easily solve this problem mod p). p (mod 4) can be either 1 or 3. We 3

start with the case that p (mod 4) = 3. That is, p = 4t + 3. In this case we claim that a t+1 is a square root of a. Indeed, write a = x 2. Then (a t+1 ) 2 = x 4(t+1) = x 4t+4 = x p 1+2 = x p 1 x 2 = 1 a. See http://www.wisdom.weizmann.ac.il/ oded/ps/rnd/l11.ps for the algorithm in the case p = 1 (mod 4). (We note that in that case we use a probabilistic algorithm). Square roots modulu composites We note the following property about square roots modulu composites: if an odd number n is a product of (powers of) at least 2 distinct primes, then every number a that has square root mod n, has at least 4 square roots. Indeed, if n is of this form then n = pq for some co-prime p and q (i.e., p is the power of the first prime, and q is the rest). If x 2 = a (mod n) then consider the Chinese-remainder function f( ) and denote f(x) = (x, x ) and f(a) = a, a. Then, we get that x 2, x 2 = a 2, a 2 but this holds also for all four possible combinations ±x, ±x. Primality testing: Let SQRT (a, p) denote our algorithm that on input a, p outputs either fail or a number x such that x 2 = a (mod p). We ll use that to test whether n is prime. To test whether n is prime, we first check that n is odd and is not a power of some number. If not, we choose a random number 1 x n 1, compute a = x 2 (mod n) and run SQRT (a, p). If it returns fail decide that n is a composite. If it returns some number x such that x 2 = a (mod p) then if x = ±x then decide that n is a prime. Otherwise decide that n is a composite. Theorem 3. If n is prime then our algorithm finds this with probability at least 0.99. If n is composite then algorithm finds this with probability 0.1. (Note that we can amplify the success probability of this algorithm using generic techniques.) Proof. First for our analysis We first make SQRT into a deterministic algorithm by simply choosing coins for SQRT and hardwiring it into to the algorithm. The case of n prime is pretty easy. Suppose n is a composite which is odd and is not a prime power. For every x, say that x is good if SQRT (x 2 ) is either fail or is equal to x ±x. Since there are at least 4 roots for every a, we get that at least two of them 4

are good (there are at most two bad roots for each a). If we hit a good x then we output the right answer. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback