Fuw-Yi Yang. Textbook: Introduction to Cryptography, 2nd ed., by J. A. Buchmann. Chapter 1: Integers.
Department of Computer Science and Information Engineering, Chaoyang University of Technology (朝陽科技大學資工系)
Speaker: Fuw-Yi Yang (楊伏夷)
(On the name 伏夷, which does not mean "subduing the barbarians": in the Tao Te Ching, chapter 58, 伏 means "lying hidden"; in chapter 14, "the Tao has no form; what cannot be seen when looked at is called 夷".)

Contents
1.1 Basics
1.2 Divisibility
1.3 Representation of integers
1.4 O- and Ω-notation
1.5 Cost of +, *, / with remainder
1.6 Polynomial time
1.7 Greatest common divisor
1.8 Euclidean algorithm
1.9 Extended Euclidean algorithm
1.10 Analysis of the extended Euclidean algorithm
1.11 Factoring into primes
Exercise

1.1 Basics
N = {1, 2, 3, 4, 5, …} is the set of positive integers and Z = {0, ±1, ±2, ±3, …} is the set of integers. The rational numbers are denoted by Q and the real numbers by R. N ⊂ Z ⊂ Q ⊂ R.
A set M of real numbers is called bounded from below if there is a real number β such that all elements of M are greater than β. We also say that M is bounded from below by β.
Example: The set of positive integers is bounded from below by 0, but the set of even integers is not bounded from below.

For any real number α, we write ⌊α⌋ = max{b ∈ Z : b ≤ α}. Hence ⌊α⌋ is the greatest integer that is less than or equal to α. This number exists because the set {b ∈ Z : b ≤ α} is bounded from above.
Example: We have ⌊3.43⌋ = 3 and ⌊-3.43⌋ = -4.

Finally we need induction. If a statement that depends on a positive integer n is true for n = 1, and if its truth for every integer m with 1 ≤ m ≤ n implies its truth for n + 1, then the statement is true for every positive integer n.
Example: We wish to prove 1 + 2 + … + n = n(n + 1)/2 (continued on the next page).

Example: We wish to prove 1 + 2 + … + n = n(n + 1)/2.
1. Basis: prove that the statement holds for n = 1. It clearly does, since 1 = 1 * 2 / 2.
2. Inductive step: prove that if the statement holds for n = m, then it also holds for n = m + 1. Assume the statement holds for n = m. Then
1 + 2 + … + m + (m + 1) = m(m + 1)/2 + (m + 1) = (m² + m + 2m + 2)/2 = (m + 1)(m + 2)/2,
which is the statement for n = m + 1.

1.2 Divisibility
Definition: We say that a divides n if there is an integer b with n = ab. If a divides n, then a is called a divisor of n, n is called a multiple of a, and we write a | n.
Example: We have 13 | 182 because 182 = 14 * 13. Likewise, we have -5 | 30 because 30 = (-6) * (-5). The divisors of 30 are ±1, ±2, ±3, ±5, ±6, ±10, ±15, ±30. Any integer a divides 0 (a | 0) because 0 = a * 0. The only integer that is divisible by 0 is 0, because n = 0 * b implies n = 0.

Theorem 1.2.3
1. If a | b and b | c, then a | c.
2. If a | b, then ac | bc for all c.
3. If c | a and c | b, then c | da + eb for all d and e.
4. If a | b and b ≠ 0, then |a| ≤ |b|.
5. If a | b and b | a, then |a| = |b|.
Proof: …

Theorem 1.2.4: If a and b are integers, b > 0, then there are uniquely determined integers q and r such that a = qb + r and 0 ≤ r < b, namely q = ⌊a/b⌋ and r = a - bq.
Proof: If a = qb + r and 0 ≤ r < b, then 0 ≤ r/b < b/b = 1, so 0 ≤ a/b - q < 1, i.e. a/b ≥ q > a/b - 1. Hence q = ⌊a/b⌋ and r = a - bq.
In the above, the integer q is called the (integral) quotient and r the remainder of the division of a by b. We write r = a mod b. If a is replaced by a mod b, we say that a is reduced modulo b.

1.3 Representation of Integers
In books, integers are written in decimal expansion. On computers, the binary expansion is used. More generally, integers can be represented using the so-called g-adic expansion.
Example: We have log_2 8 = 3 because 2^3 = 8. Also log_8 8 = 1 because 8^1 = 8.
Example: The sequence (0, 1, 1, 1, 0) is an element of {0, 1}^5. Also {1, 2}^2 = {(1, 1), (1, 2), (2, 1), (2, 2)}.

Theorem: Let g be an integer, g > 1. For each positive integer a there is a uniquely determined positive integer k and a uniquely determined sequence (a_1, …, a_k) ∈ {0, …, g - 1}^k with a_1 ≠ 0 and
a = a_1 g^(k-1) + a_2 g^(k-2) + … + a_k g^0   (Eq. 1.1).
In addition, k = ⌊log_g a⌋ + 1, and a_i is the integral quotient of (a - a_1 g^(k-1) - … - a_(i-1) g^(k-i+1)) by g^(k-i) for 1 ≤ i ≤ k.
Proof: see next page.

Proof:
1. Uniqueness of k: g^(k-1) ≤ a < g^k, hence k = ⌊log_g a⌋ + 1.
2. Uniqueness of the sequence (a_1, …, a_k):
2.1 Basis: for k = 1, set a_1 = a.
2.2 Inductive step: let k > 1 and suppose there is a representation as in Eq. 1.1. Then 0 ≤ a - a_1 g^(k-1) < g^(k-1), and therefore 0 ≤ a / g^(k-1) - a_1 < 1. Therefore a_1 is the integral quotient of a divided by g^(k-1) and is uniquely determined. Set a' = a - a_1 g^(k-1). Either a' = 0, in which case a_i = 0 for 2 ≤ i ≤ k, or a' = a_2 g^(k-2) + … + a_k g^0 is the uniquely determined representation of a' by the induction hypothesis (the statement is true for shorter sequences).
(continued on the next page)

It is clear that a representation as in Eq. 1.1 exists: we only need to set a_1 = ⌊a / g^(k-1)⌋ and take the other coefficients from the representation of a' = a - a_1 g^(k-1). End of proof.

Definition: The sequence (a_1, …, a_k) from the theorem is called the g-adic expansion of a. Its elements are called digits. Its length is k = ⌊log_g a⌋ + 1. If g = 2, the sequence is called the binary expansion of a. If g = 16, the sequence is called the hexadecimal expansion of a. Instead of (a_1, …, a_k) we also write a_1 a_2 … a_k.
Example: The sequence 10101 is the binary expansion of 2^4 + 2^2 + 2^0 = 21.

Example: Determine the binary expansion of 105. Since 2^6 < 105 < 2^7, it is of length 7. In each step a' is the rest that is carried into the next step.
a_1 = ⌊105 / 2^6⌋ = 1, a' = 105 - 1 * 2^6 = 41;
a_2 = ⌊41 / 2^5⌋ = 1, a' = 41 - 1 * 2^5 = 9;
a_3 = ⌊9 / 2^4⌋ = 0, a' = 9 - 0 * 2^4 = 9;
a_4 = ⌊9 / 2^3⌋ = 1, a' = 9 - 1 * 2^3 = 1;
a_5 = ⌊1 / 2^2⌋ = 0, a' = 1 - 0 * 2^2 = 1;
a_6 = ⌊1 / 2^1⌋ = 0, a' = 1 - 0 * 2^1 = 1;
a_7 = ⌊1 / 2^0⌋ = 1, a' = 1 - 1 * 2^0 = 0.
Hence the binary expansion of 105 is 1101001.
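The digit extraction of the theorem and of the 105 example, as an added Python example that is not part of the slides or the textbook: it determines k by integer comparison rather than a floating-point logarithm (which can come out one too small at exact powers of g) and checks the round trip through the inverse map. The function names are my own.

```python
def g_adic_expansion(a: int, g: int) -> list[int]:
    """Digits (a_1, ..., a_k) of a > 0 in base g > 1: a_1 != 0 and
    a = a_1 g^(k-1) + ... + a_k g^0, computed as in the uniqueness proof."""
    if g < 2 or a < 1:
        raise ValueError("need g > 1 and a > 0")
    # k is the unique integer with g^(k-1) <= a < g^k.  Found by integer
    # comparison rather than floor(log_g a) + 1: a floating-point log can land
    # just below an exact power of g and make the length one too small.
    k = 1
    while g ** k <= a:
        k += 1
    digits = []
    rest = a
    for i in range(1, k + 1):
        power = g ** (k - i)
        a_i = rest // power      # integral quotient of the current rest by g^(k-i)
        digits.append(a_i)
        rest -= a_i * power      # the proof's step "set a' = a - a_1 g^(k-1)"
    assert rest == 0 and digits[0] != 0
    return digits


def expansion_length(a: int, g: int) -> int:
    """k = floor(log_g a) + 1, obtained exactly by counting the digits."""
    return len(g_adic_expansion(a, g))


def from_expansion(digits: list[int], g: int) -> int:
    """Inverse map: evaluate a_1 a_2 ... a_k in base g (Horner's rule)."""
    value = 0
    for d in digits:
        if not 0 <= d < g:
            raise ValueError("digit out of range")
        value = value * g + d
    return value


def to_string(digits: list[int]) -> str:
    """Write (a_1, ..., a_k) as the string a_1 a_2 ... a_k (g <= 16, hex letters)."""
    return "".join("0123456789abcdef"[d] for d in digits)


if __name__ == "__main__":
    # The slide's worked example: the binary expansion of 105 has length 7.
    print(to_string(g_adic_expansion(105, 2)))   # 1101001
    print(to_string(g_adic_expansion(21, 2)))    # 10101
    print(to_string(g_adic_expansion(255, 16)))  # ff
```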

1.4 O- and Ω-Notation
When designing a cryptographic algorithm, it is necessary to estimate how much computing time and how much storage it requires. To simplify such estimates, we introduce the O- and Ω-notation.
Let k be a positive integer, X, Y ⊆ N^k, and f : X → R_≥0, g : Y → R_≥0 functions. We write f = O(g) if there are positive integers B and C such that for all (n_1, …, n_k) ∈ N^k with n_i > B, 1 ≤ i ≤ k, the following is true:
1. (n_1, …, n_k) ∈ X ∩ Y; that is, f(n_1, …, n_k) and g(n_1, …, n_k) are defined.
2. f(n_1, …, n_k) ≤ C g(n_1, …, n_k).
This means that almost always f(n_1, …, n_k) ≤ C g(n_1, …, n_k). We also write g = Ω(f). If g is constant, then we write f = O(1).

1.5 Cost of +, *, and / with remainder
In many cryptographic applications, multi-precision integers must be added, multiplied, and divided with remainder. To estimate the running time of such applications, we must study how long such operations take. To do so, one has to choose a model of computation that is as similar as possible to real computations.

Here we only use a naive model, which, however, yields reasonable estimates. Let a and b be integers.
1. Adding a and b requires time O(max{size a, size b}).
2. Multiplying a and b requires time O((size a)(size b)).
3. Dividing a with remainder by b requires time O((size b)(size q)), where q is the quotient.
All algorithms use space O(size a + size b).

1.6 Polynomial time
When analyzing a cryptographic algorithm, we must show that it works efficiently but is difficult to break. We make the notion of efficiency more precise. Suppose an algorithm receives as input integers z_1, …, z_n. We say that the algorithm has polynomial running time if there are nonnegative integers e_1, …, e_n such that the running time of the algorithm is O((size z_1)^e_1 (size z_2)^e_2 … (size z_n)^e_n). An algorithm is considered to be efficient if it has polynomial running time. Observe, however, that for the algorithm to be efficient in practice, the exponents e_i and the O-constant must be small.

1.7 Greatest common divisor
We define the greatest common divisor of two integers.
Definition: A common divisor of a and b is an integer that divides both a and b.
Theorem: Among all common divisors of two integers a and b that are not both zero, there is exactly one greatest (with respect to ≤). It is called the greatest common divisor (gcd) of a and b.
Proof: Let a ≠ 0. By Theorem 1.2.3, all divisors of a are bounded by |a|. Therefore, among the common divisors of a and b there is a unique greatest one. End of proof.

For completeness, we set the greatest common divisor of 0 and 0 to 0. Hence the greatest common divisor of two numbers is never negative.
Example: The greatest common divisor of 18 and 30 is 6. The greatest common divisor of -10 and 30 is 10.
The greatest common divisor of integers a_1, …, a_k, k ≥ 1, is defined as follows. If at least one of the a_i is nonzero, then gcd(a_1, …, a_k) is the greatest positive integer that divides all the a_i. If all the a_i are zero, then we set gcd(a_1, …, a_k) = 0.

We present an important way of representing a greatest common divisor. We need the following notion. If a_1, …, a_k are real numbers, then we have
a_1 Z + … + a_k Z = {a_1 z_1 + … + a_k z_k : z_i ∈ Z, 1 ≤ i ≤ k}.
This is the set of all integer linear combinations of the a_i.
Example: The set of all integer linear combinations of 3 and 4 is 3Z + 4Z. It contains 1 = 3 * (-1) + 4 * 1. It therefore also contains all integer multiples of 1. Hence this set is Z.

Theorem: The set of all integer linear combinations of a and b is the set of all integer multiples of gcd(a, b); i.e. aZ + bZ = gcd(a, b)Z.
Proof: For a = b = 0 the assertion is obviously correct, so let a or b be nonzero. Set I = aZ + bZ. Let g be the smallest positive integer in I. We claim that I = gZ.
1. Choose a nonzero element c in I.
2. By Theorem 1.2.4, there are q, r with c = qg + r and 0 ≤ r < g.
3. Therefore r = c - qg belongs to I.
4. But g is the smallest positive integer in I, so it must be that r = 0 and c = qg.
It remains to be shown that g = gcd(a, b). (next page)

It remains to be shown that g = gcd(a, b).
1. g is a common divisor of a and b, since a, b ∈ I and I = gZ.
2. Since g ∈ I, there are x, y with g = ax + by.
3. If d is a common divisor of a and b, then d is also a divisor of g.
4. Theorem 1.2.3 implies |d| ≤ g (d | g and g ≠ 0 ⇒ |d| ≤ g).
5. Hence g = gcd(a, b).
End of proof.

Corollary: For all a, b, n the equation ax + by = n is solvable in integers x and y if and only if gcd(a, b) divides n.
Proof: If there are x and y with ax + by = n, then n ∈ aZ + bZ, and by the preceding theorem n ∈ gcd(a, b)Z, which means that n is a multiple of gcd(a, b). Conversely, if n is a multiple of gcd(a, b), then n is an element of gcd(a, b)Z. It follows from the preceding theorem that n ∈ aZ + bZ. Therefore there are integers x and y with ax + by = n. End of proof.

Corollary 1.7.7: There are integers x and y with ax + by = gcd(a, b).
Proof: From the preceding corollary with n = gcd(a, b).
Corollary: There is exactly one nonnegative common divisor of a and b that is divisible by all other common divisors of a and b, namely the greatest common divisor of a and b.
Proof: By Corollary 1.7.7 there are integers x and y with ax + by = gcd(a, b). Therefore every common divisor of a and b is a divisor of gcd(a, b). Conversely, let g be a nonnegative common divisor of a and b that is divisible by every common divisor of a and b. If a = b = 0, then g = 0. If a or b is nonzero, then by Theorem 1.2.3 every common divisor of a and b is ≤ g. Therefore g = gcd(a, b). End of proof.

1.8 Euclidean algorithm
The Euclidean algorithm determines the greatest common divisor of two integers very efficiently. It is based on the following theorem.
Theorem 1.8.1 (assume |a| ≥ |b|):
1. If b = 0, then gcd(a, b) = |a|.
2. If b ≠ 0, then gcd(a, b) = gcd(|b|, a mod |b|).
Proof: The first assertion is obviously correct. We prove the second assertion. By Theorem 1.2.4, there is an integer q with a = q|b| + (a mod |b|) (the form a = qb + r). Therefore the greatest common divisor of a and b divides the greatest common divisor of |b| and (a mod |b|), and vice versa. Since both greatest common divisors are nonnegative, the assertion follows from the last corollary of Section 1.7 (the gcd is the unique nonnegative common divisor divisible by all common divisors). End of proof.

Example: We want to compute gcd(100, 35). From Theorem 1.8.1 we obtain
gcd(100, 35) = gcd(35, 100 mod 35) = gcd(35, 5) = gcd(5, 35 mod 5) = gcd(5, 0) = 5.

The following theorem proves the correctness of the Euclidean algorithm euclid(a, b), written here as a C function that returns gcd(a, b):

    int euclid(int a, int b) {
        int r;
        a = abs(a); b = abs(b);                    /* abs from <stdlib.h>; work with |a|, |b| */
        while (b != 0) { r = a % b; a = b; b = r; } /* (a, b) <- (b, a mod b) */
        return a;                                  /* gcd = a */
    }

Theorem: The Euclidean algorithm computes the greatest common divisor of a and b. (next page)

Theorem: The Euclidean algorithm computes the greatest common divisor of a and b.
Proof: To prove that the Euclidean algorithm terminates and yields gcd(a, b), we introduce some notation. We set r_0 = |a|, r_1 = |b|, and for k ≥ 1 and r_k ≠ 0
r_(k+1) = r_(k-1) mod r_k   (Eq. 1.3).
Then r_2, r_3, … is the sequence of remainders that are computed in the while loop of the Euclidean algorithm. Also, after the k-th iteration of the while loop we have a = r_k, b = r_(k+1).
It follows from Theorem 1.8.1 that the greatest common divisor of a and b is not changed in the algorithm, so we only need to prove that there is a k such that r_k = 0. But this follows from the fact that by Eq. 1.3 the sequence (r_k), k ≥ 1, is strictly decreasing. This concludes the correctness proof for the Euclidean algorithm. End of proof.

The Euclidean algorithm computes gcd(a, b) very efficiently. To prove the efficiency, we estimate the number of iterations required by the algorithm. For simplicity, we assume a > b > 0. This is no restriction, since the Euclidean algorithm requires one step to determine gcd(a, b) (if b = 0) or to produce this situation. Let r_n be the last nonzero remainder in the sequence (r_k). Then n is the number of iterations that the algorithm requires to compute gcd(a, b). Furthermore, since r_(k+1) = r_(k-1) mod r_k, let
q_k = ⌊r_(k-1) / r_k⌋,  1 ≤ k ≤ n.
Then q_k is the quotient of r_(k-1) divided by r_k, and we have
r_(k-1) = q_k r_k + r_(k+1)   (Eq. 1.5).

Example: If a = 100 and b = 35, then we obtain the remainder sequence
  k    r_k    q_k
  0    100
  1     35     2
  2     30     1
  3      5     6
  4      0
Lemma: We have q_k ≥ 1 for 1 ≤ k ≤ n - 1 and q_n ≥ 2.
Proof: Since r_(k-1) > r_k > r_(k+1), it follows from Eq. 1.5 that q_k ≥ 1 for 1 ≤ k ≤ n. Suppose q_n = 1. Then r_(n-1) = r_n + r_(n+1) = r_n, and this is impossible because the sequence of remainders is strictly decreasing. Therefore q_n ≥ 2. End of proof.

Theorem: In the Euclidean algorithm, let a > b > 0. Also, let θ = (1 + √5)/2. Then the number of iterations in the algorithm is at most (log b) / (log θ) + 1 < 1.441 * log_2 b + 1.
Proof: … End of proof.

1.9 Extended Euclidean algorithm
Corollary 1.7.7 tells us that there are integers x, y with gcd(a, b) = ax + by. In this section, we extend the Euclidean algorithm in such a way that it also determines such coefficients x and y.

Extended Euclidean algorithm, example: compute x, y such that ax + by = gcd(a, b).
The example computes expressions of the form r_i = a x_i + b y_i for the remainder in each step i of the Euclidean algorithm. From r_(k+1) = r_(k-1) mod r_k we have
r_i = r_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ r_(i-1).
Substituting the expressions for r_(i-2) and r_(i-1) gives
r_i = a x_(i-2) + b y_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ (a x_(i-1) + b y_(i-1)) = a (x_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ x_(i-1)) + b (y_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ y_(i-1)).
The first two arguments r_1 and r_2:
r_1 = a = a * 1 + b * 0 (x_1 = 1, y_1 = 0)
r_2 = b = a * 0 + b * 1 (x_2 = 0, y_2 = 1)
Example: next page.

Example: Compute x, y such that 120x + 23y = gcd(120, 23).
r_1 = 120 = 120 * 1 + 23 * 0 (x_1 = 1, y_1 = 0)
r_2 = 23 = 120 * 0 + 23 * 1 (x_2 = 0, y_2 = 1)
r_i = r_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ r_(i-1),  r_i = a (x_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ x_(i-1)) + b (y_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ y_(i-1))
r_3 = 5 = 120 - 5 * 23 = (120 * 1 + 23 * 0) - 5 * (120 * 0 + 23 * 1) = 120 * 1 + 23 * (-5)
r_4 = 3 = 23 - 4 * 5 = (120 * 0 + 23 * 1) - 4 * (120 * 1 + 23 * (-5)) = 120 * (-4) + 23 * 21
r_5 = 2 = 5 - 1 * 3 = (120 * 1 + 23 * (-5)) - 1 * (120 * (-4) + 23 * 21) = 120 * 5 + 23 * (-26)
r_6 = 1 = 3 - 1 * 2 = (120 * (-4) + 23 * 21) - 1 * (120 * 5 + 23 * (-26)) = 120 * (-9) + 23 * 47
r_7 = 0 = 2 - 2 * 1
End of example. Hence gcd(120, 23) = 1 = 120 * (-9) + 23 * 47.

Corollary 1.7.7 tells us that there are integers x, y with gcd(a, b) = ax + by. As in Section 1.8, we denote by r_0, …, r_(n+1) the sequence of remainders and by q_1, …, q_n the sequence of quotients that are computed in the course of the algorithm. We now explain the construction of two sequences (x_k) and (y_k) such that x = (-1)^n x_n and y = (-1)^(n+1) y_n are the required coefficients.

We set x_0 = 1, x_1 = 0, y_0 = 0, y_1 = 1. Furthermore, we let
x_(k+1) = q_k x_k + x_(k-1),  y_(k+1) = q_k y_k + y_(k-1),  1 ≤ k ≤ n.
(Compare the form r_i = a (x_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ x_(i-1)) + b (y_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ y_(i-1)) used in the example; the recurrence above keeps all x_k, y_k nonnegative and moves the alternating sign into the theorem below.) We assume that a and b are nonnegative.
Theorem: We have r_k = a (-1)^k x_k + b (-1)^(k+1) y_k for 0 ≤ k ≤ n + 1.
Proof:
1. r_0 = a = a * 1 - b * 0 = a x_0 - b y_0.
2. r_1 = b = a * (-1) * 0 + b * 1 = -a x_1 + b y_1.
3. Let k ≥ 2 and suppose that the assertion is true for all k' < k.
4. Then r_k = r_(k-2) - ⌊r_(k-2) / r_(k-1)⌋ r_(k-1) = r_(k-2) - q_(k-1) r_(k-1), so
r_k = a (-1)^(k-2) x_(k-2) + b (-1)^(k-1) y_(k-2) - q_(k-1) (a (-1)^(k-1) x_(k-1) + b (-1)^k y_(k-1))
    = a (-1)^k (x_(k-2) + q_(k-1) x_(k-1)) + b (-1)^(k+1) (y_(k-2) + q_(k-1) y_(k-1))
    = a (-1)^k x_k + b (-1)^(k+1) y_k.
End of proof.
Note that x = (-1)^n x_n, y = (-1)^(n+1) y_n, and r_n = gcd(a, b) = a (-1)^n x_n + b (-1)^(n+1) y_n.

Example: Compute x, y such that 100x + 35y = gcd(100, 35).
r_1 = 100 = 100 * 1 + 35 * 0 (x_1 = 1, y_1 = 0)
r_2 = 35 = 100 * 0 + 35 * 1 (x_2 = 0, y_2 = 1)
r_i = r_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ r_(i-1),  r_i = a (x_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ x_(i-1)) + b (y_(i-2) - ⌊r_(i-2) / r_(i-1)⌋ y_(i-1))
r_3 = 30 = 100 - 2 * 35 = (100 * 1 + 35 * 0) - 2 * (100 * 0 + 35 * 1) = 100 * 1 + 35 * (-2)
r_4 = 5 = 35 - 1 * 30 = (100 * 0 + 35 * 1) - 1 * (100 * 1 + 35 * (-2)) = 100 * (-1) + 35 * 3
r_5 = 0 = 30 - 6 * 5
End of example. Hence gcd(100, 35) = 5 = 100 * (-1) + 35 * 3.
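The sequences (x_k), (y_k) with the sign rule x = (-1)^n x_n, y = (-1)^(n+1) y_n, as an added Python example that is not from the slides or the textbook. It checks the theorem's invariant at every step k, records the quotients q_k and the iteration count n against the 1.441 log_2 b + 1 bound of Section 1.8, solves ax + by = n as in the corollary of Section 1.7, and goes one step beyond the chapter by deriving a modular inverse, the usual cryptographic use of these coefficients. All function names are my own.

```python
from math import log2


def extended_euclid(a: int, b: int):
    """For a, b >= 0 return (g, x, y, steps) with g = gcd(a, b) = a*x + b*y.

    steps[k] = (r_k, q_k, x_k, y_k): the remainder, the quotient and the two
    auxiliary sequences of the slides; q_k is None for k = 0 and k = n + 1.
    """
    if a < 0 or b < 0:
        raise ValueError("the sign convention of the theorem assumes a, b >= 0")
    r_prev, r = a, b          # r_0 = a, r_1 = b
    x_prev, x = 1, 0          # x_0 = 1, x_1 = 0
    y_prev, y = 0, 1          # y_0 = 0, y_1 = 1
    steps = [(r_prev, None, x_prev, y_prev)]
    while r != 0:
        q = r_prev // r       # q_k = floor(r_{k-1} / r_k)
        steps.append((r, q, x, y))
        # r_{k+1} = r_{k-1} mod r_k,  x_{k+1} = q_k x_k + x_{k-1},  same for y_k
        r_prev, r = r, r_prev - q * r
        x_prev, x = x, q * x + x_prev
        y_prev, y = y, q * y + y_prev
    steps.append((r, None, x, y))   # r_{n+1} = 0
    n = len(steps) - 2              # r_n is the last nonzero remainder
    # x = (-1)^n x_n, y = (-1)^(n+1) y_n, as stated after the theorem
    return r_prev, (-1) ** n * x_prev, (-1) ** (n + 1) * y_prev, steps


def invariant_holds(a: int, b: int) -> bool:
    """Check r_k = a(-1)^k x_k + b(-1)^(k+1) y_k for every k (the theorem)."""
    steps = extended_euclid(a, b)[3]
    return all(r == a * (-1) ** k * xk + b * (-1) ** (k + 1) * yk
               for k, (r, _, xk, yk) in enumerate(steps))


def quotients(a: int, b: int) -> list[int]:
    """q_1, ..., q_n; the lemma says q_k >= 1 for k < n and q_n >= 2 when a > b > 0."""
    return [q for (_, q, _, _) in extended_euclid(a, b)[3] if q is not None]


def iterations(a: int, b: int) -> int:
    """n, the number of while-loop iterations of the Euclidean algorithm."""
    return len(quotients(a, b))


def iteration_bound(b: int) -> float:
    """The bound 1.441 * log2(b) + 1 on the iteration count for a > b > 0."""
    return 1.441 * log2(b) + 1


def solve_linear(a: int, b: int, n: int):
    """Integers (x, y) with a*x + b*y = n, or None when gcd(a, b) does not divide n."""
    g, x, y, _ = extended_euclid(a, b)
    if g == 0:
        return (0, 0) if n == 0 else None
    if n % g != 0:
        return None
    return x * (n // g), y * (n // g)


def modular_inverse(a: int, m: int):
    """x in [0, m) with a*x = 1 (mod m), or None if gcd(a, m) != 1.  Beyond the
    chapter: this is how an RSA private exponent is derived from the public one."""
    g, x, _, _ = extended_euclid(a % m, m)
    return x % m if g == 1 else None


if __name__ == "__main__":
    for a, b in ((100, 35), (120, 23)):
        g, x, y, steps = extended_euclid(a, b)
        print(f"gcd({a}, {b}) = {g} = {a}*({x}) + {b}*({y}), {len(steps) - 2} iterations")
```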

1.10 Analysis of the extended Euclidean algorithm
Theorem: The extended Euclidean algorithm uses time O((size a)(size b)) to compute gcd(a, b), including a representation gcd(a, b) = ax + by. End of theorem.

1.11 Factoring into primes
A central notion of elementary number theory is that of a prime number. Prime numbers are used in many cryptographic algorithms. In this section, we introduce prime numbers and prove that every positive integer is a product of primes in which the factors are unique up to permutation.
Definition: An integer p > 1 is called a prime number if it has exactly two positive divisors, namely 1 and p. We denote the set of all primes (prime numbers) by P. An integer a > 1 that is not a prime is called composite.

Theorem: Every integer a > 1 has a prime divisor.
Proof: The integer a has a divisor that is greater than 1, namely a. Among all divisors of a that are greater than 1, let p be the smallest. Then p must be prime. Otherwise, p would have a divisor b with 1 < b < p ≤ a, and b would also divide a. This contradicts the assumption that p is the smallest divisor of a that is greater than 1. End of proof.

Theorem: If a prime number divides the product of two integers, then it divides at least one factor.
Proof: Suppose that the prime number p divides ab but not a.
1. p is a prime number and p does not divide a ⇒ gcd(a, p) = 1.
2. By Corollary 1.7.7, there are integers x, y with 1 = ax + py.
3. 1 = ax + py ⇒ b = axb + pyb.
4. p divides ab ⇒ p divides axb + pyb = b.
End of proof.

Corollary: If a prime number p divides a product q_1 … q_k of prime numbers, then p is equal to one of the factors q_1, …, q_k.
Proof: The proof uses induction on k.
1. If k = 1, then p is a divisor of q_1 that is greater than 1, hence p = q_1.
2. If k > 1, then p divides q_1 (q_2 … q_k). By the preceding theorem, the prime p divides q_1 or q_2 … q_k.
3. Both q_1 and q_2 … q_k have fewer than k factors, so the assertion follows from the induction hypothesis.
End of proof.

Theorem: Every integer a > 1 can be written as a product of prime numbers. Up to permutation, the factors in this product are uniquely determined.
Proof: The proof uses induction on a.
1. If a = 2, the theorem is true.
2. If a > 2, then by the theorem above there is a prime divisor p of a. If a/p = 1, then a = p and the assertion holds. Let a/p > 1. By the induction hypothesis, a/p is a product of primes (a > a/p, so a/p satisfies the theorem).
3. Therefore a is also a product of primes. This proves the existence of the prime factor decomposition of a. The next page shows the uniqueness.

4. Let a = p_1 … p_k and a = q_1 … q_l be factorizations of a into prime numbers.
5. By the corollary above, the prime p_1 is equal to one of the primes q_1, …, q_l.
6. By permuting the q_i, we can make sure that p_1 = q_1.
7. But by the induction hypothesis, the factorization of a/p_1 = a/q_1 into prime numbers is unique.
8. Hence k = l and p_i = q_i for 1 ≤ i ≤ k after an appropriate permutation of the q_i.
End of proof.

Example: The French mathematician Pierre de Fermat thought that all of the so-called Fermat numbers F_i = 2^(2^i) + 1 are primes: F_0 = 3, F_1 = 5, F_2 = 17, F_3 = 257, … However, F_5 = 641 * …, so F_5 is composite.
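Factorization following the existence proof (split off the smallest divisor greater than 1, which the theorem shows is prime, and continue with a/p), as an added Python example that is not taken from the slides or the textbook. It also computes the cofactor of 641 in F_5 rather than assuming it, and checks the uniqueness statement in the form factor(ab) = sorted(factor(a) + factor(b)). The function names are my own.

```python
def smallest_divisor_above_one(a: int) -> int:
    """The smallest divisor p > 1 of a > 1.  As in the theorem above, p is
    prime: a divisor b of p with 1 < b < p would be a smaller divisor of a."""
    if a < 2:
        raise ValueError("need a > 1")
    d = 2
    while d * d <= a:           # a composite a has a divisor <= sqrt(a)
        if a % d == 0:
            return d
        d += 1
    return a                    # no divisor up to sqrt(a): a itself is prime


def is_prime(a: int) -> bool:
    """Exactly two positive divisors, 1 and a."""
    return a > 1 and smallest_divisor_above_one(a) == a


def factor(a: int) -> list[int]:
    """Prime factors of a > 1 in non-decreasing order, following the existence
    proof: split off a prime divisor p and continue with a / p."""
    factors = []
    while a > 1:
        p = smallest_divisor_above_one(a)
        factors.append(p)
        a //= p
    return factors


def is_prime_factorization(a: int, factors: list[int]) -> bool:
    """Check that the list consists of primes whose product is a."""
    product = 1
    for p in factors:
        product *= p
    return product == a and all(is_prime(p) for p in factors)


def fermat_number(i: int) -> int:
    """F_i = 2^(2^i) + 1."""
    return 2 ** (2 ** i) + 1


if __name__ == "__main__":
    for i in range(6):
        f = fermat_number(i)
        print(f"F_{i} = {f} = {' * '.join(map(str, factor(f)))}")
```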