Basic Algorithms in Number Theory

Similar documents
Basic Algorithms in Number Theory

CPSC 467b: Cryptography and Computer Security

Basic Algorithms in Number Theory

Number Theory and Group Theoryfor Public-Key Cryptography

CPSC 467: Cryptography and Computer Security

Numbers. Çetin Kaya Koç Winter / 18

Elementary Number Theory Review. Franz Luef

Basic elements of number theory

Basic elements of number theory

Number Theory Basics Z = {..., 2, 1, 0, 1, 2,...} For, b Z, we say that divides b if z = b for some. Notation: b Fact: for all, b, c Z:

2. THE EUCLIDEAN ALGORITHM More ring essentials

Number theory (Chapter 4)

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Applied Cryptography and Computer Security CSE 664 Spring 2017

Finite Fields. Mike Reiter

Lecture Notes. Advanced Discrete Structures COT S

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

4 Powers of an Element; Cyclic Groups

The Euclidean Algorithm and Multiplicative Inverses

The Chinese Remainder Theorem

Arithmetic Algorithms, Part 1

Number Theory and Algebra: A Brief Introduction

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Some Facts from Number Theory

Congruence of Integers

Discrete mathematics I - Number theory

Theory of RSA. Hiroshi Toyoizumi 1. December 8,

Number Theory. Zachary Friggstad. Programming Club Meeting

CPSC 467b: Cryptography and Computer Security

Iterated Encryption and Wiener s attack on RSA

LECTURE 4: CHINESE REMAINDER THEOREM AND MULTIPLICATIVE FUNCTIONS

Number Theory. Modular Arithmetic

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

CMPUT 403: Number Theory

ECE596C: Handout #11

CHAPTER 3. Congruences. Congruence: definitions and properties

1. Given the public RSA encryption key (e, n) = (5, 35), find the corresponding decryption key (d, n).

Chapter 2. Divisibility. 2.1 Common Divisors

4 Number Theory and Cryptography

1. Factorization Divisibility in Z.

Topics in Cryptography. Lecture 5: Basic Number Theory

A Guide to Arithmetic

NOTES ON SIMPLE NUMBER THEORY

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

A SURVEY OF PRIMALITY TESTS

A Readable Introduction to Real Mathematics

2WF15 - Discrete Mathematics 2 - Part 1. Algorithmic Number Theory

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

Number Theory Course notes for MA 341, Spring 2018

PREPARATION NOTES FOR NUMBER THEORY PRACTICE WED. OCT. 3,2012

3 The fundamentals: Algorithms, the integers, and matrices

Introduction to Public-Key Cryptosystems:

Public Key Encryption

Divisibility. Def: a divides b (denoted a b) if there exists an integer x such that b = ax. If a divides b we say that a is a divisor of b.

2301 Assignment 1 Due Friday 19th March, 2 pm

Introduction to Cybersecurity Cryptography (Part 5)

CSE20: Discrete Mathematics

Applied Cryptography and Computer Security CSE 664 Spring 2018

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Algebra for error control codes

Chinese Remainder Theorem

Mathematics for Cryptography

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Remainders. We learned how to multiply and divide in elementary

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Name: Mathematics 1C03

CS2800 Questions selected for fall 2017

Ch 4.2 Divisibility Properties

1. multiplication is commutative and associative;

Lecture 4: Number theory

MATH 145 Algebra, Solutions to Assignment 4

Public Key Cryptography

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

CSC 474 Information Systems Security

MATH 501 Discrete Mathematics. Lecture 6: Number theory. German University Cairo, Department of Media Engineering and Technology.

Math 4400 First Midterm Examination September 21, 2012 ANSWER KEY. Please indicate your reasoning and show all work on this exam paper.

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Solutions to Practice Final 3

NUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

EUCLID S ALGORITHM AND THE FUNDAMENTAL THEOREM OF ARITHMETIC after N. Vasiliev and V. Gutenmacher (Kvant, 1972)

Discrete Mathematics GCD, LCM, RSA Algorithm

Carmen s Core Concepts (Math 135)

Summary Slides for MATH 342 June 25, 2018

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

Ma/CS 6a Class 2: Congruences

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Homework #2 solutions Due: June 15, 2012

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Introduction to Cryptography. Lecture 6

Solution to Problem Set 3

Chapter 1 A Survey of Divisibility 14

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

FROM GROUPS TO GALOIS Amin Witno

Mathematical Foundations of Cryptography

5: The Integers (An introduction to Number Theory)

Number Theory A focused introduction

M381 Number Theory 2004 Page 1

Euclidean Domains. Kevin James

Transcription:

Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi #2-b - Euclidean Algorithm. September 2 nd 2015 SEAMS School 2015 Number Theory and Applications in Cryptography and Coding Theory University of Science, Ho Chi Minh, Vietnam August 31 - September 08, 2015

Basic Algorithms in Number Theory Algorithmic Complexity... 2 PROBLEM 11. Diophantine Equations: PROBLEM 11. Diophantine Equations: Given f(x 1,..., X n ) Z[X 1,..., X n ], find x = (x 1,..., x n ) Z n such that f(x) = 0. For a general f this is an undecidable problem (Matijasevic, Robinson, Davis, Putnam). Although the problem might be easy for some specific f, there is no algorithm (efficient or otherwise) that takes f as input and always determines whether f(x) = 0 has a solution in integers. Hilbert s tenth problem is the tenth on the list of Hilbert s problems of 1900. Given a Diophantine equation with any number of unknown quantities and with rational integral numerical coefficients: To devise a process according to which it can be determined in a finite number of operations whether the equation is solvable in rational integers.

Basic Algorithms in Number Theory Algorithmic Complexity... 3 La Scuola di Atene (Raffaello Sanzio) Euclide di Alessandria Birth: 325 A.C. (approximately) Death: 265 A.C. (approximately) The Euclidean Algorithm

Basic Algorithms in Number Theory Algorithmic Complexity... 4 Extended Euclidean Algorithm Let a, b N (not both zero), we will also assume that a b. The gcd(a, b) is greatest common divisor of a and b. Clearly gcd(a, 0) = a. If the factorization of a and b is known the it is easy to compute gcd(a, b). In fact gcd(a, b) = p min{v p(a),v p (b)}. p prime The p adic valuation v p (n) of an integer n is v p (n) = max{α 0 such that p α divides n} so that the product above is indeed finite. Furthermore gcd(a, b) = min{ xa + yb > 0 such that x, y Z}.

Basic Algorithms in Number Theory Algorithmic Complexity... 5 Extended Euclidean Algorithm From the above identity it follows immediately that gcd(a, b) exists and that gcd(a, b) = xa + by for appropriate x, y Z. In many applications it is crucial to compute x, y that realize the above identity and they are called the Bezout coefficients. Theorem. Given a, b N, 0 < b a, then there exists x, y, z such that z = gcd(a, b) and z = ax + by. Furthermore they can be computed with an algorithm (EEA) with bit complexity O(log 2 a).

Basic Algorithms in Number Theory Algorithmic Complexity... 6 Extended Euclidean Algorithm It is based on successive divisions: a = b q 0 + r 1 b = r 1 q 1 + r 2 r 1 = r 2 q 2 + r 3 r 2 = r 3 q 3 + r 4.. r k 2 = r k 1 q k 1 + r k r k 1 = r k q k Note that a = bq 0 + r 1 bq 0 (r 1 q 1 + r 2 )q 0 r 1 q 1 q 0 r k q k q k 1 q 0 q k q k 1 q 0,

Basic Algorithms in Number Theory Algorithmic Complexity... 7 Extended Euclidean Algorithm The j + 1 th division requires time O(log r j log q j ) and using the fact that log r i log b, we obtain that the total time for running the EEA is k O(log b log q k ) = O(log b log(q 0 q k )) = O(log b log a). j=0 A variation of the EEC with the same complexity but other advantages is Binary gcd-algorithm (J. Stein 1967) (a, b) = if a < b then (b, a) if b = 0 then a if 2 a, 2 b then 2(a/2, b/2) if 2 a, 2 b then (a/2, b) if 2 a, 2 b then (a, b/2) else ((a b)/2, b)

Basic Algorithms in Number Theory Algorithmic Complexity... 8 Binary GCD Algorithm 1. (1547, 560) = (1547, 280) 2. (1547, 280) = (1547, 140) 3. (1547, 140) = (1547, 70) 4. (1547, 70) = (1547, 35) 5. (1547, 35) = (756, 35) 6. (756, 35) = (378, 35) 7. (378, 35) = (189, 35) 8. (189, 35) = (77, 35) 9. (77, 35) = (35, 21) 10. (35, 21) = (7, 21) 11. (21, 7) = (7, 7) 12. (7, 7) = (7, 0) = 7

Basic Algorithms in Number Theory Algorithmic Complexity... 9 The EEA Extended Euclidean Algorithm a = b q 0 + r 1 b = r 1 q 1 + r 2 r 1 = r 2 q 2 + r 3 r 2 = r 3 q 3 + r 4.. r k 2 = r k 1 q k 1 + r k r k 1 = r k q k produces quotients q 0,, q k and remainders r 1,..., r k. It is easy to check that integers α 1,..., α k and β 1,..., β k such that i = 1,..., k r i = α i a + β i b. Since (a, b) = r k, this shows the existence of the Bezout coefficients. The integers (α i, β i ), i = 0,..., k are called partial Bezout coefficients.

Basic Algorithms in Number Theory Algorithmic Complexity... 10 Extended Euclidean Algorithm Furthermore the following recursive formulas hold: α 0 = 0, α 1 = 1 β 0 = 1, β 1 = q 0 α i = α i 2 q i 1 α i 1 β i = β i 2 q i 1 β i 1 that can be written in matrix form as: α 0 α 1 = 0 1, α i = α i 2 α i 1 1. β 0 β 1 1 q 0 β i β i 2 β i 1 q i 1

Basic Algorithms in Number Theory Algorithmic Complexity... 11 Example. (1547, 560) = 7 EEC: 1547 = 2 560 + 427 560 = 1 427 + 133 427 = 3 133 + 28 133 = 4 28 + 21 28 = 1 21 + 7 GCD 21 = 3 7 So that (q 0, q 1, q 2, q 3, q 4, q 5 ) = (2, 1, 3, 4, 1, 3).

Basic Algorithms in Number Theory Algorithmic Complexity... 12 Example: (1547, 560) = 7 continues. α 0 = 0, α 1 = 1 β 0 = 1, β 1 = q 0 α i = α i 2 q i 1 α i 1 β i = β i 2 q i 1 β i 1 i q i α i β i 0 2 0 1 1 1 1 2 2 3 1 3 3 4 4 11 4 1 17 47 5 3 21 58 In fact: 7 = 21 1547 58 560.

Basic Algorithms in Number Theory Algorithmic Complexity... 13 Analysis of EEC on a, b N Assume that a > b. We want to show that the number of iterations (i.e. the number of divisions needed) during the EEA is (in the worst case) O(log a). Fibonacci Numbers: F 1 = F 2 = 1 and F n = F n 1 + F n 2. In the very special case when a = F n and b = F n 1 then r 1 = F n 2, r 2 = F n 3,... r n 2 = F 1 = 1 and r n 1 = 0. From this we deduce that 1. gcd(f n, F n 1 ) = 1 2. The number of divisions required by EEA is O(n). Proposition. Let θ = ( 5 + 1)/2. Then F n = θn + (1 θ) n 5. Hence log F n nθ (so that n = O(log F n )). Proof. By induction.

Basic Algorithms in Number Theory Algorithmic Complexity... 14 Analysis of EEC on a, b N Consequence. If a = F n and b = F n 1, then EEA requires O(log a) divisions! Proposition. Assume that a > b 1. If the EEA to compute gcd(a, b) requires k divisions, Then a F k+2 and b F k+1. Proof. Let us first show that r k j F j+1. Indeed by induction or j: r k = gcd(a, b) 1 = F 1, r k 1 1 = F 2 r k j = q k (j 1) r k (j 1) + r k (j 2) F j + F j 1 = F j+1. Hence b = r 0 F k+1 and a = q 0 b + r 1 F k+1 + F k = F k+2. Consequence. The number of divisions k = O(log F k+2 ) = O(log a) a, b. A more careful analysis (the fact that the size of the integers decreases exponentially) of EEA shows that the bit complexity is O(log 2 a).

Basic Algorithms in Number Theory Algorithmic Complexity... 15 Geometric GCD algorithm (probably the original one) To compute (a, b) with a b > 0, consider the rectangle with base a and height b. Remove from it a square of maximal area obtaining a rectangle of sizes a and a b. Reorder them (if needed) and then repeat the process of removing a square. Keep on removing squares till it is left a square. The edge of the final square is the gcd. Example. (1547, 560) = (987, 560) = (427, 560) = (427, 133) = (294, 133) = (161, 133) = (28, 133) = (105, 28) = (77, 28) = (49, 28) = (21, 28) = (21, 7) = (14, 7) = (7, 7) = 7

Basic Algorithms in Number Theory Algorithmic Complexity... 16 Extended GCD algorithm (EEA) Input: a, b N, a > b Output: x, y, z where z = gcd(a, b) and z = ax + by 1. (X, Y, Z) = (1, 0, a) 2. (x, y, z) = (0, 1, b) While Z > 0 q := Z/z (X, Y, Z) = (x, y, z) (x, y, z) = (X qx, Y qy, Z qz) Output X, Y, Z To show that it is correct it is enough to check that after one iteration (X 1, Y 1, Z 1 ) = (1, q 0, r 1 ) and after k iterations (X k, Y k, Z k ) = (X k 2 q k 1 X k 1, Y k 2 q k 2 Y k 2, Z k 2 q k 1 Z k 1 ) = (α k, β k, r k ).

Basic Algorithms in Number Theory Algorithmic Complexity... 17 The Euler ϕ function A first important application of EEA is to determine the inverses in Z/mZ Theorem. Let a Z and m N with m > 1. Then a mod m is invertible (i.e. b Z/mZ with ab 1 mod m) iff gcd(a, m) = 1. Furthermore the arithmetic inverse b can be computed with time O(log m 2 ). Proof. If gcd(a, m) = 1 then in time O(log m 2 ) we can compute x, y Z such that 1 = xa + ym. Hence b = x mod m has the required property. Conversely if ab 1 mod m, then 1 = ab + km for an appropriate k Z. This implies that gcd(a, m) divides 1 and finally gcd(a, m) = 1. Corollary. The set U(Z/mZ) of invertible elements of Z/mZ coincides with We define the Euler ϕ function as {a N s.t. 1 a m, gcd(a, m) = 1}. ϕ(n) = #U(Z/mZ) = #{a N s.t. 1 a m, gcd(a, m) = 1}.

Basic Algorithms in Number Theory Algorithmic Complexity... 18 The Euler ϕ function continues ϕ(1) = 1, ϕ(p) = p 1, ϕ(p α ) = p α 1 (p 1) ϕ(mn) = ϕ(m)ϕ(n) if gcd(m, n) = 1. This is a consequence of the Chinese Remainder Theorem (we shall meet it later). Hence if we can factor n = p α 1 1 pα r r, then ϕ(n) is easy to compute. it is enough to compute n p n 1 1/p. If we know that k { = ϕ(n) and that n = q p } then we can factor n In fact {p, q} =. ϕ(n) n 1± (ϕ(n) n 1) 2 4n 2 An important Theorem of Euler: If a U(Z/mZ) then a ϕ(n) 1 mod n. The latter is crucial in RSA encryption and decryption

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback