Chapter 1: The Integers – Z

Divisibility
• d | n means d divides n evenly: n = kd, k an integer.
• a ≠ 0 ⇒ a | 0, a | a. 1 | b for every integer b.
• a | b and b | c ⇒ a | c.
• d | x and d | y ⇒ d | (ax + by) for all a, b ∈ Z.
• Remember GCD, LCM: gcd(m, n) (m, n ≠ 0) is the least positive integer of the form xm + yn with x, y ∈ Z.
• n | N ⇒ (x % N) % n = x % n.
• Two numbers are relatively prime if only 1 and −1 divide both ⇒ their GCD is 1.

1 Primes
A prime number is divisible only by itself and 1. There are infinitely many of them (Euclid); easy proof. If π(x) is the number of primes ≤ x, then π(x) ≈ x / ln(x) (proved 1896). So they are pretty dense: a 100-digit prime every few hundred numbers.

2 Equivalence Relations
A "relation" R on a set S is a subset of S × S, i.e. a set of ordered pairs (x, y) of elements of S, such that (x, y) ∈ R ⇔ R(x, y) holds. A function is a relation: a set R of pairs such that for every s ∈ S there is exactly one pair (s, t) ∈ R. Typically we write f(s) = t.
An "equivalence relation" is another special sort of relation, with three properties:
• Reflexivity: for all x ∈ S, (x, x) ∈ R.
• Symmetry: (x, y) ∈ R ⇒ (y, x) ∈ R.
• Transitivity: (x, y), (y, z) ∈ R ⇒ (x, z) ∈ R.

3 Equivalence Relations cont.
Often we will write xRy, or generically x ∼ y, rather than (x, y) ∈ R. Example of an equivalence relation: ordinary equality (of integers, sets, or most other things we are used to).
For any member x of a set S, we can define an "equivalence class" x̄ relative to a relation ∼ on S as the set of all elements y ∈ S such that x ∼ y. The set of all equivalence classes of ∼ on S is denoted S/∼. These classes are mutually disjoint, and their union is all of S. Such a set of subsets is called a "partition" of S. Conversely, any partition of S defines an equivalence relation.

4 Integers mod m
• a, b, m ∈ Z, m ≠ 0. Then a ≡ b (mod m) if a − b is a multiple of m (a = b + mk: they have the same remainder when divided by m).
• Congruence (mod m) is an equivalence relation, and the integers mod m are just the collection of equivalence classes, denoted Z/m.
• Z/m can be represented 0̄, 1̄, ..., (m − 1)‾, for instance: pick reps 0, 1, ..., m − 1.
• Remember (x + y) % m = ((x % m) + (y % m)) % m and (x ∗ y) % m = ((x % m) ∗ (y % m)) % m? These hold because you can prove that +, −, × behave well with congruence and define analogous operations on the equivalence classes, so you get associativity, distributivity, etc.

5 More Congruence
a, b, c, d, n ∈ Z, n ≠ 0, a ≡ b (mod n) and c ≡ d (mod n). Then a + c ≡ b + d, a − c ≡ b − d, ac ≡ bd (mod n). Congruences inherit:
• Distributivity
• Associativity of +, ×: (x + y) + z ≡ x + (y + z) (mod m), (xy)z ≡ x(yz) (mod m)
• +, × identities: 0 + x ≡ x + 0 ≡ x (mod m), 1 · x ≡ x · 1 ≡ x (mod m)

6 Just-for-fun Applications
We can find the ones-place digit of the decimal expansion of 3^999:
3^999 % 10 = 3 ∗ 3 ∗ 3 ∗ (3^4)^(996/4) % 10 = 27 ∗ 81^249 % 10 = 7 × 1^249 % 10 = 7.
We can prove that x^2 − y^2 = 2002 has no integer solutions. Note that mod 4, 0^2 = 0, 1^2 = 1, 2^2 = 0, 3^2 = 1. Hence x^2 − y^2 must be 0, 1, or −1 ≡ 3 (mod 4). But 2002 ≡ 2 (mod 4), so it cannot be such a difference.

7 Fermat's Little Theorem
If p is prime, then x^p ≡ x (mod p) for all integers x. So if p does not divide x (relatively prime), then x^(p−1) ≡ 1 (mod p) and x^(p−2) ≡ x^(−1) (mod p).
Little Lemma: gcd(b^m − 1, b^n − 1) = b^gcd(m,n) − 1, so for numbers of the form b^n − 1: if n is composite, then for every factor d of n, b^n − 1 and b^d − 1 have a factor in common, namely b^d − 1.
Can help exponentiation: 2^1000 % 17 = 2^8 ∗ 2^(16∗62) % 17 = 2^8 % 17 = 1.

8 FLT Proof
Note that binomial coefficients are integers, and have the form C(p, i) = p!/(i!(p − i)!). Thus all the non-trivial binomial coefficients (0 < i < p) are divisible by p. Prove by induction: clearly FLT is true for x = 1. Suppose we know that x^p ≡ x (mod p) for some x. Then
(x + 1)^p = Σ_{0≤i≤p} C(p, i) x^i 1^(p−i) = x^p + Σ_{1≤i≤p−1} C(p, i) x^i + 1 ≡ x + 1 (mod p),
since the induction hypothesis is x^p ≡ x (mod p). Needs a slight extension for x < 0.
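Added example, not from the slides: the two just-for-fun arguments above (squares mod 4, and reducing an exponent because x^(p−1) ≡ 1 (mod p)) in runnable Python 3, plus a Fermat-based probable-prime test, which is how FLT is used in practice and goes beyond what the slides state. The function names are mine, and the Carmichael number 561 used in the check below is a constructed example the slides do not mention.

```python
# Added example (not from the slides): Fermat's Little Theorem in practice.
# Assumes Python 3.8+; every sample value in the functions and tests is constructed here.
from math import gcd


def squares_mod(m):
    """Set of residues r with r ≡ t^2 (mod m) for some t (the squares mod m, 0 included)."""
    return {(t * t) % m for t in range(m)}


def difference_of_squares_possible(c, m):
    """Can x^2 - y^2 ≡ c (mod m) hold at all? This is the slide's argument for 2002 mod 4:
    if the answer is False, x^2 - y^2 = c has no integer solutions."""
    sq = squares_mod(m)
    return any((s - t) % m == c % m for s in sq for t in sq)


def reduce_exponent_fermat(x, e, p):
    """x^e mod p for prime p with gcd(x, p) == 1, using x^(p-1) ≡ 1 (mod p): only e mod (p-1)
    matters, e.g. 2^1000 mod 17 = 2^(1000 mod 16) mod 17 = 2^8 mod 17."""
    if gcd(x, p) != 1:
        return pow(x, e, p)          # x^(p-1) ≡ 1 does not apply; compute directly
    return pow(x, e % (p - 1), p)


def fermat_witness(n, a):
    """True if base a proves n composite: a^(n-1) ≢ 1 (mod n) (or a shares a factor with n).
    False only means 'n may be prime'."""
    if n < 2:
        return True
    if gcd(a, n) != 1:
        return True                  # a common factor is itself proof that n is composite
    return pow(a, n - 1, n) != 1


def is_fermat_probable_prime(n, bases=(2, 3, 5, 7)):
    """Fermat test: n passes if no base is a witness. Passing is evidence, not proof:
    Carmichael numbers such as 561 = 3 * 11 * 17 pass for every base coprime to them,
    which is why real implementations use the stronger Miller-Rabin test."""
    if n < 2:
        return False
    return not any(fermat_witness(n, a) for a in bases if a < n)
```

The probable-prime test is the defender-side use of FLT: it is cheap enough to run on candidate primes of hundreds of digits, but, as the 561 check shows, passing the test with a few bases is not the same as being prime.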
9 Unique Factorization
• Any integer may be factored into a product of powers of distinct primes in just one way: N = ±p1^e1 p2^e2 ... pn^en. Nontrivial proof (Garrett).
• Euler phi function φ(N) = number of integers i, 0 ≤ i ≤ N, relatively prime to N.
• p prime, a, b ∈ Z. Then p | (ab) ⇒ p | a or p | b or both.
• Generalizing, if a prime divides a product it divides at least one factor.

10 Phi Function
We know we can write N = ±p1^e1 p2^e2 ... pn^en. If N is factored as above,
φ(N) = (p1 − 1)p1^(e1−1) (p2 − 1)p2^(e2−1) ... (pn − 1)pn^(en−1).
Proof by counting (combinatorics) using the inclusion-exclusion principle (Garrett) – more later! Another way to write this, easier to remember maybe:
φ(N) = N(1 − 1/p1)(1 − 1/p2)...(1 − 1/pn).

11 Finding Primes (factors)
• Divide by all i ≤ √n
• Eratosthenes's Sieve
• Identities: x^2 − y^2 = (x − y)(x + y),
• x^5 + y^5 = (x + y)(x^4 − x^3 y + x^2 y^2 − x y^3 + y^4), etc.
• Mersenne prime: 2^n − 1 prime.
• Fermat prime: 2^n + 1 prime.

12 Euclidean Algorithm
More efficient GCD-finder than factoring. Also finds x, y such that mx + ny = gcd(m, n). It's "repeated remaindering", or repeated reduction mod x. Fast: the number of steps to compute the GCD of x, y with x > y is ≤ 2 log2 y. (Cute proof in Garrett.)

13 Euclidean Algorithm E.g.
E.g., to find gcd(210, 119):
210 − 1 ∗ 119 = 91
119 − 1 ∗ 91 = 28
91 − 3 ∗ 28 = 7
28 − 4 ∗ 7 = 0 ==> gcd is 7
E.g. gcd(26, 19):
26 − 1 ∗ 19 = 7
19 − 2 ∗ 7 = 5
7 − 1 ∗ 5 = 2
5 − 2 ∗ 2 = 1
2 − 2 ∗ 1 = 0 ==> gcd is 1

14 Find Multiplicative Inverse
To do division: can divide by a (mod n) if gcd(a, n) = 1. If m ≠ 0, ±1 and x is relatively prime to m, then x has a multiplicative inverse modulo m. In any expression ax + bm = 1, a is a multiplicative inverse for x modulo m, since ax ≡ 1 (mod m). And if x has a mult. inv. mod m, then x, m are rel. prime. The Extended EA also works backwards from the EA: if gcd(x, m) was 1, it can find a and b s.t. ax + bm = 1. (A nice neat algorithm does everything in a surprisingly cool way! (Garrett))

15 E.g.
EEA for 19, 26
1 = 5 − 2 ∗ 2
  = 5 − 2 ∗ (7 − 1 ∗ 5) = −2 ∗ 7 + 3 ∗ 5
  = −2 ∗ 7 + 3 ∗ (19 − 2 ∗ 7) = 3 ∗ 19 − 8 ∗ 7
  = 3 ∗ 19 − 8 ∗ (26 − 1 ∗ 19) = −8 ∗ 26 + 11 ∗ 19
From this we get that the multiplicative inverse of 19 mod 26 is 11.

16 Fun with Division
Find a^(−1) with the EEA. Solve ax ≡ c (mod m) when gcd(a, m) = 1 (or evaluate the fraction c/a (mod m)): the EEA yields s, b s.t. sa + bm = 1, and x ≡ cs (mod m), which is also the value of the fraction.
Solve ax ≡ b (mod m) if gcd(a, m) = d > 1:
• Unless d | b there is no solution.
• Solve (a/d)x ≡ (b/d) (mod m/d) to get a solution x0.
• All solutions are of the form x0 + q(m/d), 0 ≤ q ≤ d − 1.

17 Fast Exponentiation
To evaluate x^e % m, represent e as a binary number e = e0 + e1 · 2 + e2 · 2^2 + ... + en · 2^n. Then precompute the power-of-two powers of x by repeated squaring: x^2 = x · x, x^4 = (x^2)^2, etc. Then x^e = x^e0 (x^2)^e1 · · · (x^(2^n))^en % m, performing the reduction after every multiplication.

18 Algorithm
Compute b^e (mod m):
• Start with the triple (X, E, Y) = (b, e, 1).
• If E is odd, replace Y with X ∗ Y % m and E with E − 1.
• If E is even, replace X with X ∗ X % m and E with E/2.
• When E = 0, done: Y = b^e % m.
Takes at most 2 log2 e steps, proportional to the number of digits in e. With reduction mod m, the numbers never get larger than m^2.

19 Square Roots and More
Given a reduced value x and a modulus, how do we find √x (mod m)? A number can have more than two square roots: 4^2 = 16, 6^2 = 36, so mod 36 − 16 = 20, 16 % 20 = 36 % 20 = 16, and hence 16 has (at least) the square roots ±4 = 4, 16 and ±6 = 6, 14.
For a prime modulus p, at most two roots ±x exist (easy proof, RN10). If p ≡ 3 (mod 4), there is a formula for the roots of actual squares mod p: let x = y^((p+1)/4) (mod p). If y has a square root mod p then the roots are ±x. If y doesn't, then −y does: ±x.
More: if n is relatively prime to p − 1 for some prime p, then every integer y has an nth root mod p: y^r % p, where r is a multiplicative inverse of n (mod p − 1).
Why not choose primes ≡ 3 (mod 4) for RSA? p. 87.

20 Roots mod Composites
A basic tool for decomposing composite modular problems, and useful in the other direction too: "Sun Ze's theorem", AKA the Chinese Remainder Theorem. Known since about 450 AD, and in more general form since 1250.
CRT: Let m1, m2, ..., mk be integers with the m's mutually relatively prime: i ≠ j ⇒ gcd(mi, mj) = 1. It is not enough that (m1, m2), (m2, m3), (m3, m4) etc. are rel. prime: consider m1, m2, ..., mk = 4, 5, 4, 5, 4, 5, ... Given integers a1, a2, ..., ak, there is exactly one solution (mod m1 m2 ... mk) to the simultaneous congruences x ≡ a1 (mod m1), x ≡ a2 (mod m2), ..., x ≡ ak (mod mk).

21 Special Case: 2 congruences
gcd(m, n) = 1, so let sm + tn = 1; thus t = n^(−1) (mod m), s = m^(−1) (mod n). If x ≡ a (mod m) and x ≡ b (mod n), then x = atn + bsm (mod mn).

22 General Case: n congruences
Recall the special case: in brief, x = atn + bsm (mod mn). Generally, with m1, ..., mn rel. prime, the simultaneous congruences are
x ≡ b1 (mod m1), x ≡ b2 (mod m2), ..., x ≡ bn (mod mn).
Let the product M = m1 m2 ... mn, and let Mi be M with mi divided out: Mi = M/mi. This incomplete product is what we take the inverse of, and it specializes to s = m^(−1) (mod n) and t = n^(−1) (mod m) in the 2-congruence case. So let Ti = Mi^(−1) (mod mi). Then
x = T1 M1 b1 + ... + Tn Mn bn (mod M)
is the unique solution modulo M of the system of n congruences.

23 Square Roots and Factoring
T 6.3 (RSA) Basic Principle: Let n be an integer, and suppose there are integers x, y with x^2 ≡ y^2 but x ≢ ±y (mod n). Then n is composite, and gcd(x − y, n) is a nontrivial factor of n.
Proof: Let d = gcd(x − y, n). If d is the trivial value n, then x ≡ y (mod n), which it isn't by assumption. If d is the trivial value 1, we know the basic result that a | bc and gcd(a, b) = 1 ⇒ a | c. Here we know that n divides x^2 − y^2 = (x + y)(x − y). Assuming d = 1 means n and x − y are relatively prime (so n doesn't divide x − y), hence n | (x + y). But that contradicts the assumption that x ≢ −y (mod n).

24 Square Roots mod Composite (cont.)
Suppose we want the square root of 71 (mod 77).
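Added example, not from the slides or from Garrett: Euclid's algorithm producing the step table of slide 13, the extended algorithm and multiplicative inverse of slides 14 and 15, the solver for ax ≡ b (mod m) of slide 16 (including the d > 1 case), the (X, E, Y) exponentiation loop of slide 18, and the general CRT formula of slide 22, in Python 3 using only the standard library. Function names are mine; the values in the demonstration lines are the slides' own (210 and 119, 19 mod 26, 2^1000 mod 17, the four-root example mod 77, and 13 · 17 = 221).

```python
# Added example (not from the slides): Euclid, extended Euclid, inverses, linear congruences,
# the (X, E, Y) square-and-multiply loop, and Sun Ze's theorem (CRT) in general form.
# Python 3, standard library only; sample values in __main__ are the slides' own examples.
from functools import reduce


def gcd_steps(m, n):
    """Euclid by repeated remaindering. Returns (gcd, steps), each step (m, q, n, r) meaning
    m = q*n + r, which is exactly the table on slide 13."""
    steps = []
    while n != 0:
        q, r = divmod(m, n)
        steps.append((m, q, n, r))
        m, n = n, r
    return m, steps


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1      # invariant: x0*a0 + y0*b0 == a, x1*a0 + y1*b0 == b
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(x, m):
    """Multiplicative inverse of x mod m, or None when gcd(x, m) != 1 (no inverse exists)."""
    g, a, _ = egcd(x, m)
    return a % m if g == 1 else None


def solve_linear_congruence(a, b, m):
    """All x in [0, m) with a*x ≡ b (mod m). With d = gcd(a, m): no solution unless d | b,
    otherwise x0 + q*(m/d) for q = 0..d-1, where x0 solves (a/d)x ≡ (b/d) (mod m/d)."""
    d = egcd(a, m)[0]
    if b % d != 0:
        return []
    a2, b2, m2 = a // d, b // d, m // d
    x0 = (b2 * modinv(a2, m2)) % m2
    return [x0 + q * m2 for q in range(d)]


def modexp(b, e, m):
    """Slide 18's loop on the triple (X, E, Y); every intermediate product is below m*m."""
    X, E, Y = b % m, e, 1
    while E > 0:
        if E % 2 == 1:
            Y, E = (X * Y) % m, E - 1
        else:
            X, E = (X * X) % m, E // 2
    return Y % m


def crt(residues, moduli):
    """Unique x mod M = prod(moduli) with x ≡ b_i (mod m_i). Moduli must be pairwise coprime;
    x = sum(T_i * M_i * b_i) with M_i = M / m_i and T_i = M_i^-1 (mod m_i)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if egcd(moduli[i], moduli[j])[0] != 1:
                raise ValueError("moduli are not pairwise relatively prime")
    M = reduce(lambda acc, mi: acc * mi, moduli, 1)
    x = 0
    for b_i, m_i in zip(residues, moduli):
        M_i = M // m_i                # the 'incomplete product'
        T_i = modinv(M_i, m_i)        # its inverse mod m_i
        x += T_i * M_i * b_i
    return x % M


if __name__ == "__main__":
    print(gcd_steps(210, 119))                        # (7, [(210, 1, 119, 91), ...])
    print(egcd(19, 26), modinv(19, 26))               # (1, 11, -8) 11
    print(solve_linear_congruence(4, 6, 10))          # [4, 9]
    print(modexp(2, 1000, 17))                        # 1
    print(crt([1, 4], [7, 11]), crt([5, 4], [13, 17]))  # 15 174
```

The pairwise-coprimality check in crt is the slide's warning about 4, 5, 4, 5, ... made concrete: without it, modinv returns None for some M_i and the formula silently fails.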
If x^2 ≡ 71 (mod 77) then x^2 ≡ 71 ≡ 1 (mod 7) and x^2 ≡ 71 ≡ 5 (mod 11). We can figure out that x ≡ ±1 (mod 7) and x ≡ ±4 (mod 11). So now we have four sets of two congruences, (a, b) = (1, 4), (−1, 4), (1, −4), (−1, −4), each of which we can combine to get a solution (mod 77) consistent with both. Doing that and CRTing gives the four square roots: ±15, ±29 (mod 77).

25 Backwards...
Thus we have an example of a bad choice of p, q (7 and 11) if we want to pick them so their product doesn't give them away. If we know, for example, the square roots of 71 mod 77, we know that 15^2 ≡ 29^2 ≡ 71 (mod 77); by the Basic Principle 77 is composite and gcd(15 − 29, 77) = 7 is a non-trivial factor. Factoring n could be slow, but all the operations needed for CRT and GCD, and exponentiations, are fast. So if n = pq is a product of two primes congruent to 3 (mod 4), and y is a number relatively prime to n with a square root (mod n), then finding the four solutions ±a, ±b to x^2 ≡ y (mod n) is computationally equivalent to factoring n. And conversely.

26 Chinese Bagel
The k = 2 case can be graphically represented on a torus, e.g. 3x5 (entries are x, rows are x % 3, columns are x % 5):

          x%5 |  0  1  2  3  4
          ----|---------------
           0  | 00 06 12 03 09
  x%3      1  | 10 01 07 13 04
           2  | 05 11 02 08 14

27 Back to roots mod composites
Find x such that x^2 = y (mod pq). Such an x must also satisfy x^2 = y (mod p), x^2 = y (mod q). Sun Ze's theorem tells us, given y1 ∈ Z/p and y2 ∈ Z/q, how to find the unique y ∈ Z/pq that satisfies y % p = y1 and y % q = y2.
Find x^2 = −1 (mod 221). 221 = 13 · 17. The square roots of −1 mod 13 are 5 and 8, and the square roots of −1 mod 17 are 4 and 13. We also can find that 1 = 4 ∗ 13 − 3 ∗ 17. Taking m = 13, n = 17, and one pair of roots, a = 5 and b = 4, and plugging into the CRT formula, we get x = 4 · 4 · 13 + 5 · (−3) · 17 = 208 − 255 = −47 ≡ 174 (mod 221). Checking, 174^2 = 30276 ≡ 220 ≡ −1 (mod 221). We could find 3 other roots by plugging in the other combinations, and in general we could find up to 2^n roots where n is the number of distinct prime factors.
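Added example, not from the slides: the square-root formula for p ≡ 3 (mod 4) from slide 19, the two-congruence CRT of slide 21, the four-root computation of slide 24, and the Basic Principle of slide 23 used "backwards" as on slide 25 to recover a factor of n from two unrelated square roots. It assumes Python 3.8+ (pow(a, −1, m) for inverses); function names are mine. The 221 = 13 · 17 case of slide 27 is covered by crt2 alone, since 13 and 17 are ≡ 1 (mod 4) and the (p+1)/4 formula does not apply to them.

```python
# Added example (not from the slides): square roots mod p ≡ 3 (mod 4), combining them mod
# n = p*q with the two-congruence CRT, and the Basic Principle run backwards to factor n.
# Python 3.8+; the sample values are the slides' own (71 mod 77, -1 mod 221).
from math import gcd


def sqrt_mod_prime_3mod4(y, p):
    """Square roots of y mod prime p ≡ 3 (mod 4): x = y^((p+1)/4) (mod p).
    Returns the set {x, p - x}, or None when y is not a square mod p (then -y is)."""
    if p % 4 != 3:
        raise ValueError("formula needs p ≡ 3 (mod 4)")
    y %= p
    x = pow(y, (p + 1) // 4, p)
    if (x * x) % p != y:
        return None
    return {x, (p - x) % p}


def crt2(a, m, b, n):
    """x ≡ a (mod m), x ≡ b (mod n) with gcd(m, n) = 1: x = a*t*n + b*s*m where s*m + t*n = 1."""
    t = pow(n, -1, m)                 # t = n^-1 (mod m)
    s = pow(m, -1, n)                 # s = m^-1 (mod n)
    return (a * t * n + b * s * m) % (m * n)


def sqrt_mod_pq(y, p, q):
    """All square roots of y mod n = p*q for distinct primes p, q ≡ 3 (mod 4): up to four,
    one per choice of sign mod p and sign mod q, combined with crt2."""
    rp = sqrt_mod_prime_3mod4(y, p)
    rq = sqrt_mod_prime_3mod4(y, q)
    if rp is None or rq is None:
        return set()
    return {crt2(a, p, b, q) for a in rp for b in rq}


def factor_from_roots(x, y, n):
    """Basic Principle: x^2 ≡ y^2 (mod n) with x ≢ ±y (mod n) gives the nontrivial factor
    gcd(x - y, n). Returns None when the pair is trivial (x ≡ ±y) and so reveals nothing."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x and y are not square roots of the same value mod n")
    if (x - y) % n == 0 or (x + y) % n == 0:
        return None
    return gcd(x - y, n)


if __name__ == "__main__":
    roots = sqrt_mod_pq(71, 7, 11)
    print(sorted(roots))                           # [15, 29, 48, 62]
    print(factor_from_roots(15, 29, 77))           # 7
    print(crt2(5, 13, 4, 17))                      # 174, the slide 27 root of -1 mod 221
```

factor_from_roots is the whole reason slide 25 calls 7 and 11 a bad choice: anything that hands out a square root of an attacker-chosen square mod n, other than the ± pair the attacker already knows, hands out a factor of n.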
28 Euler's Theorem
Generalized FLT. Proved more easily with tools from Group Theory (RN12). Recall the Euler phi-function φ(n) is the number of integers b s.t. 0 < b < n and gcd(b, n) = 1.
Theorem: for x, n relatively prime, x^φ(n) ≡ 1 (mod n).
If n is prime, φ(n) = n − 1 and we have FLT. The proof is like the FLT proof too. Examples ...

29 Using Euler's Theorem
With a, n, x, y ∈ Z, n ≥ 1, gcd(a, n) = 1:
x ≡ y (mod φ(n)) ⇒ a^x ≡ a^y (mod n).
So modding out φ(n) in the exponent can save you work. With x = y + φ(n)k, clearly
a^x = a^(y + φ(n)k) = a^y (a^φ(n))^k ≡ a^y · 1^k ≡ a^y (mod n).

30 Key Exchange Example
How to communicate a short message (say a 192-bit key) on a public channel? Physical lock analogy.
• Alice publishes a prime p > 192 bits. φ(p) = p − 1.
• A finds a random a with gcd(a, p − 1) = 1; B similarly finds a b.
• A sends K1 ≡ K^a (mod p) to B.
• B sends K2 ≡ K1^b (mod p) to A.
• A sends K3 ≡ K2^(a^(−1)) (mod p) to B.
• B computes K3^(b^(−1)) ≡ K^(a b a^(−1) b^(−1)) ≡ K (mod p).

31 Primitive Roots – Why do we care?
Related to discrete logs. The concept is used in ciphers like El Gamal and Elliptic Curve, i.e. Discrete Log ciphers.

32 Primitive Roots, Discrete Logs
For n a positive integer, g is a primitive root (or multiplicative generator) modulo n if for every x relatively prime to n there is an integer l so that g^l ≡ x (mod n). For prime n, multiplying g by itself eventually generates all the non-zero congruence classes mod n. For fixed (base) g and a given x, the integer l is the discrete logarithm of x base g modulo n. Most integers have no primitive root: 8 doesn't.

33 Prim. Root Properties
• For prime modulus p there are φ(p − 1) primitive roots.
• If g is a prim. root of prime p, then g^n ≡ 1 (mod p) ⇔ n ≡ 0 (mod p − 1).
• If ditto, g^j ≡ g^k (mod p) ⇔ j ≡ k (mod p − 1).

34 Prim. Root Existence
Theorem: the only integers n with primitive roots modulo n are of the forms:
• n = p^e, p an odd prime and e ≥ 1.
• n = 2p^e, ditto.
• n = 2, 4.
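Added example, not from the slides: φ(n) computed from the product formula of slide 10, exponent reduction mod φ(n) from slide 29, the three-message exchange of slide 30 with both parties' computations shown, and the primitive-root and order notions of slides 32 to 34, in Python 3.8+ (pow(a, −1, m) for the inverses mod p − 1). Function names are mine; the prime 101, the exponents 7 and 11 and the "key" 42 are small constructed values, not the 192-bit sizes the slide has in mind.

```python
# Added example (not from the slides): Euler's phi, exponent reduction mod phi(n), the
# three-pass exchange of slide 30, and primitive roots / multiplicative order.
# Python 3.8+; p = 101, a = 7, b = 11, K = 42 are constructed toy values.
from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for the small n used here)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def phi(n):
    """phi(n) = n * prod(1 - 1/p) over the distinct primes p dividing n (slide 10)."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def reduce_exponent_euler(a, e, n):
    """a^e mod n for gcd(a, n) == 1 using a^phi(n) ≡ 1 (mod n): only e mod phi(n) matters."""
    assert gcd(a, n) == 1
    return pow(a, e % phi(n), n)


def three_pass_exchange(K, p, a, b):
    """Slide 30: Alice holds a, Bob holds b, both coprime to p - 1 so that inverses mod
    phi(p) = p - 1 exist. Returns ([K1, K2, K3], value Bob recovers)."""
    assert gcd(a, p - 1) == 1 and gcd(b, p - 1) == 1
    a_inv = pow(a, -1, p - 1)         # a * a_inv ≡ 1 (mod p - 1)
    b_inv = pow(b, -1, p - 1)
    K1 = pow(K, a, p)                 # A -> B
    K2 = pow(K1, b, p)                # B -> A
    K3 = pow(K2, a_inv, p)            # A -> B: Alice strips her exponent, K^b remains
    recovered = pow(K3, b_inv, p)     # Bob strips his exponent: K^(a b a^-1 b^-1) ≡ K
    return [K1, K2, K3], recovered


def multiplicative_order(h, n):
    """Smallest t >= 1 with h^t ≡ 1 (mod n); requires gcd(h, n) == 1 (slide 34)."""
    assert gcd(h, n) == 1
    if n == 1:
        return 1
    t, x = 1, h % n
    while x != 1:
        x, t = (x * h) % n, t + 1
    return t


def is_primitive_root(g, p):
    """g generates every nonzero class mod prime p iff its order is p - 1."""
    return gcd(g, p) == 1 and multiplicative_order(g, p) == p - 1


def primitive_roots(p):
    """All primitive roots mod prime p; slide 33 says there are phi(p - 1) of them."""
    return [g for g in range(1, p) if is_primitive_root(g, p)]
```

Nothing in the three messages is ever combined with a long-term secret of either party, so the block only checks the arithmetic of slide 30: that the exponents cancel once the inverses are taken mod p − 1 rather than mod p.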
Raising any element h of Z/n that is relatively prime to n to successive powers has to cycle, and so comes back to h, and thus it must be that h^t ≡ 1 (mod n) for some value(s) of t. The smallest such t is called the order of h (mod n). Fact: the order of a prim. root modulo a prime p is p − 1, and the order of a prim. root modulo p^e is (p − 1)p^(e−1).

35 Quadratic Symbols – Why?
• "The algorithm here for fast computation of 'quadratic symbols' is fundamental to many algorithms. Perhaps second in importance only to the Euclidean algorithm, this is another of the good algorithms we have." – Garrett.
• Does a number have a square root (mod n)?
• Fast implementation of Euler's Criterion (T. 3.10, p. 88).
• Rewrite rules allow for simplification and ultimately evaluation of Legendre and Jacobi symbols.

36 Jacobi Symbols
• Jacobi symbols display the "quadratic reciprocity" property.
• QR was the first result of modern number theory (Gauss, 1796): it relates two things that have no obvious reason to be related.
• Time: 2 log2 n for (x/n).
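Added example, not from the slides or from Garrett: the Jacobi symbol (x/n) evaluated with the rewrite rules slides 35 and 36 refer to (pull out factors of 2, swap by quadratic reciprocity, reduce x mod n), which is why it runs in Euclid-like O(log n) steps, together with Euler's criterion x^((p−1)/2) ≡ (x/p) (mod p) as the independent check for prime p. Plain Python 3; function names are mine and the moduli in the checks are constructed.

```python
# Added example (not from the slides): Jacobi symbol by rewrite rules, and Euler's criterion.
# Plain Python 3, no imports; test values are constructed.


def jacobi(x, n):
    """Jacobi symbol (x/n) for odd n > 0: 0 if gcd(x, n) > 1, otherwise +1 or -1.
    Each pass through the loop reduces x mod n, so the step count is O(log n)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    x %= n
    result = 1
    while x != 0:
        while x % 2 == 0:             # (2/n) = -1 exactly when n ≡ ±3 (mod 8)
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x                   # quadratic reciprocity: swap ...
        if x % 4 == 3 and n % 4 == 3: # ... with a sign change iff both are ≡ 3 (mod 4)
            result = -result
        x %= n                        # reduce, exactly as in Euclid's algorithm
    return result if n == 1 else 0


def euler_criterion(x, p):
    """For odd prime p, x^((p-1)/2) mod p is 1 for a nonzero square, p - 1 (≡ -1) for a
    non-square, 0 when p | x. Returned as +1 / -1 / 0 for comparison with jacobi(x, p)."""
    v = pow(x % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def is_square_mod_prime(x, p):
    """Does x have a square root mod odd prime p? Decided by the Legendre symbol (x/p),
    which is the Jacobi symbol with a prime lower argument."""
    return jacobi(x, p) != -1
```

For composite n the Jacobi symbol is not a square test: (2/15) = 1 although 2 is not a square mod 15. The symbol answers "is x a square mod n?" only for prime n, which is exactly the case Euler's criterion covers.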