Number Theory and Group Theory for Public-Key
Cryptography
TDA352, DIT250
Wissam Aoudi
Chalmers University of Technology
November 15, 2016
Wissam Aoudi
Number Theory and Group Theory for Public-Key Cryptography
Agenda
1 Motivation
2 Modular Arithmetics
3 Euler Totient Function
4 Fermat’s Theorem & Euler’s Theorem
5 Chinese Remainder Theorem
6 Group Theory
Motivation
(Overview diagram.) Central theme: operating modulo integers: modular arithmetics. The questions it raises, and the tool that answers each:
  Euler's Totient Function
  Where does this come from? → Euler's Theorem
  How to speed-up decryption? → Chinese Remainder Theorem
  What is the group of invertible elements mod N? or what is a group to begin with? → Group Theory
Some facts about divisibility and primes
Definition (Division)
Let b be a non-zero integer; we say that b divides an integer a, written
b | a, if there exists an integer k such that a = kb.
Example
4 | 12, since 12 = 3 × 4, (k = 3)
3 | 39, since 39 = 13 × 3, (k = 13)
Division Algorithm
Let a, b ∈ Z with b > 0; then there exist unique integers q, r such that
a = qb + r, with 0 ≤ r < b.
Example
a = 13, b = 6, then 13 = 2 × 6 + 1, (q = 2, r = 1)
Some facts about divisibility and primes
Definition (Prime Numbers)
A positive integer p > 1 is said to be a prime if it is divisible by 1 and
itself only.
Example
3, 5, 13, 19, 37, 83, 2^74,207,281 − 1 (the largest known prime as of Jan 2016, with ≈ 22 million digits).
Some facts about primes
there are infinitely many prime numbers.
they are the building blocks of the natural numbers: any natural number N > 1 can be written as N = ∏_{i=1}^{m} p_i^{a_i}, where p_i is the i-th prime, and a_i ∈ N (Fundamental Theorem of Arithmetics).
there is no formula/algorithm that can generate the nth prime number
it is known that the asymptotic distribution of primes among the positive integers is given by: π(x) ∼ x / log x (Prime Number Theorem)
Some facts about divisibility and primes
Greatest Common Divisor
The Greatest Common Divisor of two integers is the largest integer that divides
both of them.
Definition (GCD)
The GCD of two positive integers a and b, is the positive integer d such that
i) d | a and d | b (Common Divisor).
ii) if e | a and e | b, then e | d (Greatest such divisor).
Question VVWJ349
Use the Euclidean algorithm to compute d = GCD(120, 42).
1 d = 3
2 d = 7
3 d = 6
4 d = 1
Euclidean Algorithm
    def gcd(a, b):
        # GCD(a, 0) = a; otherwise GCD(a, b) = GCD(b, a mod b)
        if b == 0:
            return a
        return gcd(b, a % b)
Some facts about divisibility and primes
Definition (Relative Primality)
If GCD(a, b) = 1, then a and b are said to be relatively prime ( or
coprime).
Definition (Bézout Identity)
Let a, b be two positive integers, and d = GCD(a, b); then there exist
integers s, t ∈ Z such that d = as + bt. That is, d can be written
as a linear combination of a, b.
Example
Find the GCD of 456 and 100 and write it as a linear combination (using
extended Euclidean algorithm)
Some facts about divisibility and primes
Extended Euclidean algorithm on 456 and 100. Each row holds a remainder r together with s, t such that r = 456s + 100t. The quotient on a row is (previous remainder) ÷ r, and the next row is (previous remainder) − q·r, with s and t updated by the same rule: 456 ÷ 100 = 4, 456 − 4·100 = 56, 1 − 4·0 = 1, 0 − 4·1 = −4; then 100 ÷ 56 = 1, 100 − 1·56 = 44, 0 − 1·1 = −1, 1 − 1·(−4) = 5; then 56 ÷ 44 = 1, and so on until the remainder is 0.

Remainder     s     t   Quotient
456           1     0
100           0     1   4
 56           1    -4   1
 44          -1     5   1
 12           2    -9   3
  8          -7    32   1
  4 (GCD)     9   -41   2
  0

4 = 456·9 − 100·41, i.e. GCD(456, 100) = 4 and Bézout's coefficients are s = 9, t = −41.
Modular Arithmetics
Definition (Congruence)
Let a, b, n be positive integers such that a, b have the same remainder
upon dividing by n, then we say that a is congruent to b modulo n,
written
a ≡ b (mod n).
Facts (If a ≡ b (mod n), then)
1 n | a − b.
2 a = b + kn, (for some k ∈ Z).
General properties of congruences
kn ≡ 0 (mod n), (for any k ∈ Z).
a + kn ≡ a (mod n), (for any k ∈ Z).
Examples
23 ≡ 8 (mod 5), since 5 | 23 − 8 = 15
−1 ≡ 5 (mod 6), since 6 | −1 − 5 = −6
7 ≢ 8 (mod 3), since 3 ∤ 7 − 8 = −1 (here ∤ means "does not divide").
Modular Arithmetics
Modular arithmetics modulo 12, we see it every day: the 12-hour clock (clock face marked 0, 3, 6, 9).
9 + 5 = 14 = 2 + 12 ≡ 2 (mod 12)
Modular Arithmetics
Definition (Linear Congruence)
A congruence of the form ax ≡ b (mod n) is called a linear congruence, which has a
solution if and only if there exists x_0 ∈ {0, 1, ..., n − 1} such that ax_0 ≡ b (mod n).
Note that a linear congruence is like a linear equation except that it is solved modulo n.
Lemma
The linear congruence ax ≡ 1 (mod n) is solvable (i.e., has a solution) if and only if
GCD(a, n) = 1
(i.e., a and n are relatively prime).
Very useful to compute modular inverses for RSA!
Recall: in RSA we know the encryption exponent e, and we want to find the
decryption exponent d such that e · d ≡ 1 (mod ϕ(N)). That is, given e, we solve
the linear congruence e · x ≡ 1 (mod ϕ(N)), the solution to which is exactly d.
We say ”d is the modular inverse of e”, or the ”inverse of e (mod ϕ(N))”.
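The Euclidean algorithm, the extended form that produced the Bézout table for 456 and 100, and the modular inverse used to obtain the RSA exponent d, as one added example (this code is not from the slides; the function names and the toy RSA parameters p = 11, q = 13, e = 7 are our own constructed choices):

```python
# Added example, not part of the original slides: the Euclidean algorithm,
# its extended form (which produces the Bezout coefficients tabulated for
# 456 and 100), and the modular inverse that gives the RSA exponent d.
# Function names and the toy RSA parameters (p = 11, q = 13, e = 7) are
# our own choices, not from the slides.


def gcd(a, b):
    """Euclidean algorithm: GCD(a, b) = GCD(b, a mod b) until b = 0."""
    while b:
        a, b = b, a % b
    return a


def egcd(a, b):
    """Extended Euclidean algorithm.

    Returns (d, s, t, rows) with d = GCD(a, b) = a*s + b*t.  Every row of the
    table is a tuple (remainder, s, t, quotient) maintaining the invariant
    remainder = a*s + b*t, exactly as in the 456/100 table on the slides.
    """
    r0, s0, t0 = a, 1, 0        # a = a*1 + b*0
    r1, s1, t1 = b, 0, 1        # b = a*0 + b*1
    rows = [(r0, s0, t0, None)]
    while r1 != 0:
        q = r0 // r1
        rows.append((r1, s1, t1, q))
        # Next remainder is r0 - q*r1; s and t follow the same recurrence
        # (e.g. 456 - 4*100 = 56, 1 - 4*0 = 1, 0 - 4*1 = -4).
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0, rows


def modinv(a, n):
    """Solve a*x = 1 (mod n).

    By the lemma, a solution exists iff GCD(a, n) = 1; otherwise raise.
    From a*s + n*t = 1 we get a*s = 1 (mod n), so x = s mod n.
    """
    d, s, _t, _rows = egcd(a, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: GCD = {d}")
    return s % n


def rsa_private_exponent(e, p, q):
    """d = e^{-1} mod phi(N), with N = p*q and phi(N) = (p-1)(q-1)."""
    return modinv(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    d, s, t, rows = egcd(456, 100)
    print("Remainder     s     t  Quotient")
    for r, si, ti, qi in rows:
        print(f"{r:9d} {si:5d} {ti:5d}  {qi if qi is not None else ''}")
    print(f"GCD(456, 100) = {d} = 456*({s}) + 100*({t})")
    # Toy RSA key (constructed): N = 143, phi(N) = 120, e = 7.
    print("RSA d =", rsa_private_exponent(7, 11, 13))
```

Run it as a script to print the same table as the slides; `modinv` refuses non-coprime inputs, which is precisely the lemma's condition, so a bad RSA e (one sharing a factor with ϕ(N)) is rejected instead of silently producing a wrong d.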
Euler Totient Function
Definition (Totient Function)
The totient function (or Euler Phi function) ϕ(·) : N → N, is defined to be the
number of positive integers less than n and relatively prime to n. That is,
ϕ(n) = |{k ∈ N, such that k < n and GCD(n, k) = 1}|.
Facts (important for RSA!)
if p is prime, then ϕ(p) = p − 1.
if N = pq, where p, q are primes, then ϕ(N) = (p − 1)(q − 1). Why?
ϕ is a multiplicative function, meaning that, if GCD(p, q) = 1, then
ϕ(pq) = ϕ(p)ϕ(q). (can you prove this?!)
Moreover, as p, q are primes, ϕ(p) = p − 1, and ϕ(q) = q − 1.
Question XNUC944
ϕ(35) =?
1 34
2 24
3 14
4 4
Euler Totient Function
Example
ϕ(10) = |{1, 3, 7, 9}| = 4.
ϕ(7) = |{1, 2, 3, 4, 5, 6}| = 6. Is there a formula for ϕ(N)? Yes!
Formula for Euler’s Phi Function
ϕ(p^a) = p^{a−1}(p − 1).
ϕ is multiplicative, i.e., if GCD(a, b) = 1, then ϕ(ab) = ϕ(a)ϕ(b)
Hence, for N = p_1^{a_1} p_2^{a_2} ··· p_i^{a_i},
ϕ(N) = ϕ(p_1^{a_1} p_2^{a_2} ··· p_i^{a_i}) = ϕ(p_1^{a_1}) ϕ(p_2^{a_2}) ··· ϕ(p_i^{a_i})
     = p_1^{a_1−1}(p_1 − 1) · p_2^{a_2−1}(p_2 − 1) ··· p_i^{a_i−1}(p_i − 1).
Example
ϕ(600) = ϕ(2^3 · 3 · 5^2) = ϕ(2^3) · ϕ(3) · ϕ(5^2) = 2^2(2 − 1) · (3 − 1) · 5(5 − 1) = 160.
Note that in order to apply the above formula, we need to know the prime
decomposition of N.
Good news for RSA! Finding ϕ(N) (and subsequently p, q) is as hard as factoring N.
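Euler's totient computed both from the definition (counting k < n coprime to n) and from the prime-power formula, as an added example that is not part of the slides. The trial-division factoring helper is our own and only works because n is tiny; for an RSA-sized N that step is the hard part, which is the point of the remark above.

```python
# Added example, not from the slides: Euler's totient two ways,
# (1) straight from the definition, counting k < n with GCD(n, k) = 1, and
# (2) from the prime factorization via phi(p^a) = p^(a-1)(p-1) and
# multiplicativity.  Trial division is only viable for tiny n; for RSA-sized
# N, finding the factorization (hence phi(N)) is the hard problem.
from math import gcd


def phi_by_definition(n):
    """|{k in N : k < n and GCD(n, k) = 1}|, the definition on the slide (n >= 2)."""
    return sum(1 for k in range(1, n) if gcd(n, k) == 1)


def factorize(n):
    """Prime decomposition by trial division: {p: a} with n = prod p^a."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:                     # leftover cofactor is itself prime
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_by_formula(n):
    """phi(n) = prod p^(a-1) (p - 1) over the prime powers p^a dividing n."""
    result = 1
    for p, a in factorize(n).items():
        result *= p ** (a - 1) * (p - 1)
    return result


def phi_rsa(p, q):
    """The RSA case: phi(pq) = (p - 1)(q - 1) for distinct primes p, q."""
    return (p - 1) * (q - 1)


def agree_up_to(limit):
    """True if definition and formula give the same phi(n) for 2 <= n < limit."""
    return all(phi_by_definition(n) == phi_by_formula(n) for n in range(2, limit))


if __name__ == "__main__":
    for n in (10, 7, 600):
        print(f"phi({n}) = {phi_by_definition(n)} = {phi_by_formula(n)}",
              "from", factorize(n))
    print("phi(143) via (p-1)(q-1):", phi_rsa(11, 13))
```
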
Euler Totient Function
Question GEDN694
ϕ(ϕ(50)) = ?
1 70
2 20
3 8
4 1
Fermat’s Theorem & Euler’s Theorem
Fermat’s Theorem
Let a be a positive integer, and p a prime such that p does not divide a, then
a^{p−1} ≡ 1 (mod p).
Example
5^38 ≡ ? (mod 13).
a = 5, p = 13 (note that 13 ∤ 5).
5^38 ≡ (5^12)^3 · 5^2 ≡ (1)^3 · 25 ≡ 1 · 12 ≡ 12 (mod 13).
Euler’s Theorem
Let a, n be two relatively prime positive integers with n > 1, then
a^{ϕ(n)} ≡ 1 (mod n).
Exercise: Find the remainder of 3^35 when divided by 20.
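The exponent reduction used in the 5^38 (mod 13) computation, generalised to any modulus via Euler's theorem, as an added example (not from the slides; function names are ours and the moduli are deliberately tiny). It also shows why the coprimality hypothesis cannot be skipped: without it the reduced exponent gives a wrong answer.

```python
# Added example, not part of the original slides: reducing a large exponent
# with Euler's theorem (Fermat's for a prime modulus), as in the 5^38 (mod 13)
# computation above.  Since a^phi(n) = 1 (mod n) whenever GCD(a, n) = 1, only
# k mod phi(n) matters.  Function names are ours; moduli are tiny on purpose.
from math import gcd


def phi(n):
    """Euler's totient by direct counting (fine for the tiny n used here)."""
    return sum(1 for k in range(1, n) if gcd(n, k) == 1)


def pow_mod_euler(a, k, n):
    """Return (a^k mod n, reduced exponent k mod phi(n)).

    Precondition: GCD(a, n) = 1, the hypothesis of Euler's theorem.  Without
    it the reduction is wrong (e.g. 2^4 = 0 (mod 4) but 2^(4 mod phi(4)) = 1),
    so the check is not optional.
    """
    if gcd(a, n) != 1:
        raise ValueError(f"Euler's theorem needs GCD({a}, {n}) = 1")
    k_red = k % phi(n)
    result = 1
    for _ in range(k_red):             # exponent is now < phi(n): plain loop
        result = (result * a) % n
    return result, k_red


def pow_mod_fermat(a, k, p):
    """Prime-modulus special case: phi(p) = p - 1, so reduce k mod (p - 1)."""
    if a % p == 0:
        raise ValueError(f"Fermat's theorem needs p = {p} not dividing a = {a}")
    return pow(a, k % (p - 1), p), k % (p - 1)


def matches_builtin_up_to(limit):
    """Cross-check against Python's pow for every coprime pair below limit."""
    return all(pow_mod_euler(a, k, n)[0] == pow(a, k, n)
               for n in range(2, limit)
               for a in range(1, n) if gcd(a, n) == 1
               for k in (0, 1, 17, 1000))


if __name__ == "__main__":
    # 5^38 = (5^12)^3 * 5^2 = 25 = 12 (mod 13): the exponent drops from 38 to 2.
    print("5^38 mod 13 ->", pow_mod_fermat(5, 38, 13))
    # Exercise from the slide: 3^35 (mod 20), with phi(20) = 8 and 35 mod 8 = 3.
    print("3^35 mod 20 ->", pow_mod_euler(3, 35, 20))
```
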
Chinese Remainder Theorem
Chinese Remainder Theorem ( a special case )
Let N = pq, where p, q are distinct primes, and let a, b be any two integers, then the
system of linear congruences
    x ≡ a (mod p)
    x ≡ b (mod q)
is solvable, and has a unique solution modulo pq.
Moreover, the unique solution x is given by x = atq + bsp, where s, t are the Bézout
coefficients of p, q respectively (i.e., s, t satisfy sp + tq = 1).
Motivation
The importance of CRT is that if the prime factors p, q of an integer N are known, then
computations modulo N can be reduced to computations modulo p and q separately. In
RSA, p, q are chosen to be of roughly the same size (∼ √N), and for a sufficiently large
value of N, √N is much smaller than N, and consequently arithmetics modulo p and q
are way cheaper.
Exercise: Let M = 2016, N = 143 = 11 · 13, use CRT to solve M mod N.
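The two-prime CRT formula x = atq + bsp from the slide, and the decryption speed-up it motivates (two half-size exponentiations modulo p and q, then recombine), as an added example that is not from the slides. It assumes Python 3.8+ for `pow(x, -1, m)` (modular inverse); the RSA parameters p = 11, q = 13, e = 7, d = 103 are constructed toy values.

```python
# Added example, not from the slides: the two-prime CRT from the slide,
# x = a*t*q + b*s*p with s*p + t*q = 1, and the RSA "speed-up" it motivates:
# decrypting modulo p and q separately and recombining.  Uses pow(x, -1, m)
# for modular inverses (Python 3.8+); the primes and key below are toys.


def crt_two_primes(a, b, p, q):
    """Unique x mod pq with x = a (mod p) and x = b (mod q), p != q prime."""
    # s*p = 1 (mod q) and t*q = 1 (mod p): these are the Bezout coefficients
    # of p and q, reduced modulo q and modulo p respectively.
    s = pow(p, -1, q)
    t = pow(q, -1, p)
    # Check x against each congruence: t*q is 1 mod p and 0 mod q, so the
    # first term contributes a mod p and nothing mod q; symmetrically for b.
    return (a * t * q + b * s * p) % (p * q)


def rsa_decrypt_plain(c, d, n):
    """Textbook RSA decryption: one full-size exponentiation modulo N."""
    return pow(c, d, n)


def rsa_decrypt_crt(c, d, p, q):
    """RSA decryption via CRT: two half-size exponentiations, then recombine.

    By Fermat, c^d = c^(d mod (p-1)) (mod p), so the exponents shrink too.
    """
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)
    return crt_two_primes(m_p, m_q, p, q)


if __name__ == "__main__":
    # Exercise from the slide: M = 2016, N = 143 = 11 * 13.
    p, q, M = 11, 13, 2016
    print("2016 mod 11 =", M % p, " 2016 mod 13 =", M % q)
    print("CRT recombination:", crt_two_primes(M % p, M % q, p, q),
          " direct:", M % (p * q))
    # Toy RSA key (constructed): e = 7, d = 103 since 7*103 = 1 (mod 120).
    e, d = 7, 103
    c = pow(42, e, p * q)
    print("plain:", rsa_decrypt_plain(c, d, p * q),
          " via CRT:", rsa_decrypt_crt(c, d, p, q))
```

The CRT path is equivalent to the plain one for every ciphertext; the test below checks all 143 residues so the recombination, not just one lucky value, is verified.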
Group Theory
Definition (Group Under Addition)
A group G is a set, together with an operation +, satisfying the following properties
1 CLOSURE: For all a, b ∈ G, the result of the operation +, i.e., a + b, is also in G.
2 ASSOCIATIVITY: For all a, b, c ∈ G, it holds that (a + b) + c = a + (b + c).
3 IDENTITY ELEMENT: There exists an element e ∈ G such that, for every element a ∈ G, it holds that a + e = e + a = a.
4 INVERSE ELEMENT: For each a ∈ G, there exists an element b ∈ G such that a + b = b + a = e (the inverse of a is usually denoted as −a).
Group Theory
Definition (Group Under Multiplication)
A group G is a set, together with an operation ·, satisfying the following properties
1 CLOSURE: For all a, b ∈ G, the result of the operation ·, i.e., a · b, is also in G.
2 ASSOCIATIVITY: For all a, b, c ∈ G, it holds that (a · b) · c = a · (b · c).
3 IDENTITY ELEMENT: There exists an element e ∈ G such that, for every element a ∈ G, it holds that a · e = e · a = a.
4 INVERSE ELEMENT: For each a ∈ G, there exists an element b ∈ G such that a · b = b · a = e (the inverse of a is usually denoted as a^{−1}).
Group Theory
Example (Z is a group under addition)
For all a, b ∈ Z, a + b ∈ Z (we say Z is closed under addition).
For all a, b , c ∈ Z, (a + b ) + c = a + (b + c ) (Z is associative).
For every element a ∈ Z, a + 0 = 0 + a = a (0 is the identity ∈ Z).
For each element a ∈ Z, there exists an element −a ∈ Z, such that
a + (−a) = −a + a = 0 (every element in Z has an additive inverse).
But Z is not a group under multiplication, because although it is closed, associative, and has
identity 1, there exist elements (in fact all elements except for 1 and −1) that have no
inverse. For instance, 5 ∈ Z, but 5 · x = 1 has no solution in Z.
On the other hand, the set of rational numbers Q without the element 0 is a group
under multiplication, since it is closed, associative, has identity 1, and for every element
a ∈ Q \ {0}, the linear equation a · x = 1 always has the solution x = a^{−1} = 1/a (in particular,
5^{−1} = 1/5).
Group Theory
Group of Integers Modulo N
Define Z_N as the set of integers modulo N (e.g., Z_6 = {0, 1, 2, 3, 4, 5}), then Z_N is a group
under addition. Let us prove that for N = 3, i.e., for Z_3 = {0, 1, 2}
1 CLOSURE
  0 + 0 = 0 (mod 3)    0 + 1 = 1 (mod 3)    0 + 2 = 2 (mod 3)
  1 + 1 = 2 (mod 3)    1 + 2 = 3 = 0 (mod 3)    2 + 2 = 4 = 1 (mod 3)
2 ASSOCIATIVITY
  (0 + 1) + 2 = 0 + (1 + 2) (mod 3)
3 IDENTITY ELEMENT
  0 + 0 = 0 (mod 3)    1 + 0 = 1 (mod 3)    2 + 0 = 2 (mod 3)
4 INVERSES
  0 + 0 = 0 (mod 3)    1 + (−1) = 1 + 2 = 3 = 0 (mod 3)    2 + (−2) = 2 + 1 = 3 = 0 (mod 3)
But Z_6 is not a group under multiplication because not every element has an inverse (e.g., there
exists no x ∈ Z_6 such that 4 · x = 1 (mod 6)).
Group Theory
So, to make the set of integers modulo N a group under multiplication, we should
only choose the elements a that have inverses, i.e., for which there exists x such
that a · x ≡ 1 (mod N).
Recall the lemma: a · x ≡ 1 (mod N) if and only if GCD(a, N) = 1.
Multiplicative Group of Integers Modulo N
Define Z_N^* to be the set of integers modulo N and relatively prime to N, that is,
Z_N^* = {a ∈ Z_N, such that GCD(a, N) = 1}.
Then, Z_N^* is a group under multiplication.
Example
Z_6^* = {1, 5}.
Z_14^* = {1, 3, 5, 9, 11, 13}.
Z_11^* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}.
Z_N^* is a fundamental group for RSA!
It is an algebraic structure where the correctness property of RSA holds.
Group Theory
Definition (Order of a Group)
The order of a group G is its cardinality, i.e., the number of elements in its set. It is
denoted as ord(G) or |G|.
Example
ord(Z_4) = |{0, 1, 2, 3}| = 4
ord(Z_N) = |{0, 1, ..., N − 1}| = N
ord(Z_N^*) = ?
Lemma
The order of Z_N^* is ϕ(N). [recall the definition of ϕ(N)]
Example
|Z_15^*| = ϕ(15) = ϕ(3 · 5) = (3 − 1) · (5 − 1) = 8.
[recall that ϕ(p · q) = (p − 1)(q − 1) if p, q are primes]
Groups
Definition (Order of an Element in a Group)
The order of an element a in a (multiplicative) group G is the smallest positive integer n
such that a^n = e, where e is the (multiplicative) identity element of G.
Example
Z_9^* = {1, 2, 4, 5, 7, 8} [note: In Z_N^*, the identity is always 1]
What is the order of 2 in Z_9^*?
2^1 = 2 ≠ 1 in Z_9^*
2^2 = 4 ≠ 1 in Z_9^*
2^3 = 8 ≠ 1 in Z_9^*
2^4 = 16 = 7 ≠ 1 in Z_9^*
2^5 = 32 = 5 ≠ 1 in Z_9^*
2^6 = 64 = 1 in Z_9^*
Note: ord(2) = ord(Z_9^*) ⇒ 2 is a generator of Z_9^*, which means that Z_9^* is a cyclic
group (definition in a couple of slides).
Group Theory
Lemma
For every element a of a group G, it holds that the order of a divides the order of
G, i.e.,
ord(a) | ord(G).
Example
Z_9^* = {1, 2, 4, 5, 7, 8}, |Z_9^*| = ϕ(9) = 6
What is the order of 2 in Z_9^*?
2^1 = 2 ≠ 1 in Z_9^*
2^2 = 4 ≠ 1 in Z_9^*
2^3 = 8 ≠ 1 in Z_9^*
2^4 = 16 = 7 ≠ 1 in Z_9^*
2^5 = 32 = 5 ≠ 1 in Z_9^*
2^6 = 64 = 1 in Z_9^*
since |2| in Z_9^* must be a divisor of 6, i.e., 1, 2, 3, or 6. This means that we do
not need to check 2^4, 2^5 since 4, 5 are not divisors of 6.
Group Theory
Lemma
Let G be a group with identity element e, and let a ∈ G, then
a^{|G|} = e.
Revisiting Euler’s and Fermat’s Theorems
Let a ∈ Z_N^*, then
a is relatively prime to N, i.e., GCD(a, N) = 1.
|Z_N^*| = ϕ(N).
Therefore by the previous lemma, a^{|Z_N^*|} = a^{ϕ(N)} = 1 in Z_N^*, or equivalently
a^{ϕ(N)} ≡ 1 (mod N). [Euler’s Theorem!]
Fermat’s theorem is a special case where a ∈ Z_p^*, where p is prime, so that
a^{ϕ(p)} = a^{p−1} ≡ 1 (mod p).
Group Theory
Definition (Subgroups)
A non-empty subset H of a group G is said to be a subgroup of G, if H is itself a group
under the same operation of G.
Subgroup Test
A non-empty subset H of a group G with the multiplication operation · is a subgroup of
G if and only if, for all a, b ∈ H,
a · b ∈ H, and
a^{−1} ∈ H.
Group Theory
Definition (Generators)
Let G be a group and a ∈ G. Define
⟨a⟩ = {a^i, i ∈ N},
then ⟨a⟩ is a subgroup of G, called the subgroup generated by a.
Lemma (Group Generator)
An element a of a group G is called a generator of G if ⟨a⟩ = G. That is, every
element g of G can be written as a power of a, i.e.,
for all g ∈ G, g = a^k (k ∈ N).
Group Theory
Definition (Cyclic Groups)
A group G is called a cyclic group if it has a group generator, i.e., if
there exists an element a ∈ G such that ⟨a⟩ = G.
Moreover, a is a generator of G if and only if |⟨a⟩| = |a| = |G|.
Example
In Z_11^*, 2 is a generator since: [recall first that |2| divides |Z_11^*|]
we have |Z_11^*| = ϕ(11) = 10, and in Z_11^*
2^1 = 2 ≠ 1
2^2 = 4 ≠ 1
2^5 = 32 = 10 ≠ 1
2^10 = 1024 = 1
Thus, |2| = 10 = |Z_11^*|. Therefore 2 is a generator of Z_11^* and Z_11^* is cyclic.
Indeed Z_11^* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} = {2^0, 2^1, 2^8, 2^2, 2^4, 2^9, 2^7, 2^3, 2^6, 2^5}.
Exercise: Show that Z_8^* is not cyclic.
In fact, Z_N^* is cyclic if and only if N = 2, 4, p^a, 2p^a (p > 2 a prime, a ∈ N).
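The group-theory slides above (Z_N^* and its order ϕ(N), the order of an element, ord(a) | ord(G) and a^{|G|} = 1, generators, cyclic groups and the N = 2, 4, p^a, 2p^a criterion), as one added example that is not from the slides. Function names are ours; the N values are the ones used on the slides, and the brute-force cyclicity test is cross-checked against the slide's criterion.

```python
# Added example, not part of the original slides: Z_N^* built from its
# definition, the order of the group (= phi(N)), the order of each element,
# the checks ord(a) | |G| and a^|G| = 1, and the generator / cyclic tests,
# including the N = 2, 4, p^a, 2p^a criterion.  Function names are ours.
from math import gcd


def units_mod(n):
    """Z_N^* = {a in Z_N : GCD(a, N) = 1}, as a sorted list (n >= 2)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def element_order(a, n):
    """Smallest k >= 1 with a^k = 1 in Z_N^*; requires GCD(a, N) = 1."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def generated_subgroup(a, n):
    """<a> = {a^i : i in N}, the cyclic subgroup generated by a, sorted."""
    elems, x = [], 1
    for _ in range(element_order(a, n)):
        elems.append(x)
        x = (x * a) % n
    return sorted(elems)


def generators(n):
    """Elements whose order equals |Z_N^*|, i.e. with <a> = Z_N^*."""
    units = units_mod(n)
    return [a for a in units if element_order(a, n) == len(units)]


def is_cyclic(n):
    """Brute force: Z_N^* is cyclic iff it has at least one generator."""
    return len(generators(n)) > 0


def is_cyclic_by_criterion(n):
    """The slide's criterion: N = 2, 4, p^a or 2p^a with p an odd prime."""
    if n in (2, 4):
        return True
    m = n // 2 if n % 2 == 0 else n     # strip one factor 2 if present
    if m % 2 == 0:                      # 4 | n with n > 4: never cyclic
        return False
    p = 3                               # m is odd: is it a prime power?
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            return m == 1
        p += 2
    return m > 1                        # m itself is an odd prime


def lagrange_holds(n):
    """ord(a) divides |Z_N^*| and a^|Z_N^*| = 1 for every a in Z_N^*."""
    units = units_mod(n)
    order = len(units)                  # = phi(N) by the lemma on the slides
    return all(order % element_order(a, n) == 0 and pow(a, order, n) == 1
               for a in units)


if __name__ == "__main__":
    print("Z_9^*  =", units_mod(9), " generators:", generators(9))
    print("order of 2 in Z_9^* =", element_order(2, 9))
    print("<2> in Z_11^* =", generated_subgroup(2, 11))
    print("Z_8^* cyclic?", is_cyclic(8), " criterion:", is_cyclic_by_criterion(8))
```

`element_order` terminates because a ∈ Z_N^* has finite order (a^{ϕ(N)} = 1); passing an element outside the group would loop forever, which is why the GCD check comes first.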
References
1 "Cryptography and Network Security: Principles and practice" (Chapters 4.4, 8.1-8.3, 8.5, 9.2).
2 "Introduction to Modern Cryptography", Lindell and Katz (Chapter 7.1.1, 7.1.3, 7.1.4, 7.2).
Thank you for your attention!