Introduction to Number Theory


Introduction to Number Theory
Discrete Mathematics, 6th edition, 2005
Chapter 5: Introduction to Number Theory
- Divisors
- Representations of Integers and Integer Algorithms
- The Euclidean Algorithm
- The RSA Public-Key Cryptosystem

5.1 Divisors
Definition: Let n and d be integers, d ≠ 0. We say that d divides n if there exists an integer q satisfying n = dq. We call q the quotient and d a divisor or factor of n. If d divides n, we write d|n. If d does not divide n, we write d∤n.

Divisors
Theorem 5.1.3: Let m, n, and d be integers.
    1. If d|m and d|n, then d|(m+n).
    2. If d|m and d|n, then d|(m-n).
    3. If d|m, then d|mn.
Proof of 1:
    d|m and d|n ⇒ m = dq1 and n = dq2 for some integers q1 and q2 (by definition)
    m + n = dq1 + dq2 = d(q1 + q2) ⇒ d|(m+n)

Prime and Composite
Prime: An integer greater than 1 whose only positive divisors are itself and 1 is called prime.
Composite: An integer greater than 1 that is not prime is called composite.
Theorem 5.1.7: A positive integer n greater than 1 is composite if and only if n has a divisor d satisfying 2 ≤ d ≤ √n.

Testing Whether an Integer is Prime
This algorithm determines whether the integer n > 1 is prime. If n is prime, the algorithm returns 0. If n is composite, the algorithm returns a divisor d satisfying 2 ≤ d ≤ √n.
Input: n
Output: d
    // Algorithm 5.1.8
    is_prime(n) {
        for d = 2 to floor(sqrt(n))
            if (n mod d == 0)
                return d
        return 0
    }

Simulation
Try n = 9
    d = 2 to floor(root(9)) = 3
    9 mod 2: not zero
    9 mod 3: zero ⇒ return (not prime)
Try n = 11
    d = 2 to floor(root(11)) = 3
    11 mod 2: not zero
    11 mod 3: not zero ⇒ return (prime)

Fundamental Theorem of Arithmetic
Any integer greater than 1 can be written as a product of primes. Moreover, if the primes are written in nondecreasing order, the factorization is unique.
In symbols, if n = p1 p2 … pi, where the pk are primes and p1 ≤ p2 ≤ … ≤ pi, and n = p1' p2' … pj', where the pk' are primes and p1' ≤ p2' ≤ … ≤ pj', then i = j and pk = pk' for all k = 1, …, i.

Fundamental Theorem of Arithmetic
The number of primes is infinite.
Proof:
Let p_1, p_2, …, p_n denote all of the distinct primes less than or equal to p. Consider the integer m = p_1 p_2 … p_n + 1.
Notice that when m is divided by p_i, the remainder is 1:
    m = p_i q + 1, q = p_1 p_2 … p_{i-1} p_{i+1} … p_n
Therefore, for all i = 1 to n, p_i does not divide m.
Let p' be a prime factor of m. Then p' is not equal to any of the p_i. Since p_1, p_2, …, p_n is a list of all of the primes less than or equal to p, we must have p' > p.

Greatest Common Divisor
m and n: integers, m ≠ 0 and n ≠ 0
A common divisor of m and n is an integer that divides both m and n.
GCD, gcd(m,n): the greatest common divisor of m and n.

Greatest Common Divisor
Theorem 5.1.17: Let m and n be integers, m > 1, n > 1, with prime factorizations
    m = p_1^{a_1} p_2^{a_2} … p_l^{a_l} and n = p_1^{b_1} p_2^{b_2} … p_l^{b_l}
(If p_i is not a factor of m (n), let a_i (b_i) = 0.) Then,
    gcd(m,n) = p_1^{min(a_1,b_1)} p_2^{min(a_2,b_2)} … p_l^{min(a_l,b_l)}
Example:
    82320 = 2^4 · 3^1 · 5^1 · 7^3 · 11^0
    950796 = 2^2 · 3^2 · 5^0 · 7^4 · 11^1
    gcd(82320, 950796) = 2^2 · 3^1 · 5^0 · 7^3 · 11^0 = 4116

Least Common Multiple
m and n: positive integers
A common multiple of m and n is an integer divisible by both m and n.
LCM, lcm(m,n): the least common multiple of m and n.

Least Common Multiple
Theorem 5.1.22: Let m and n be integers, m > 1, n > 1, with prime factorizations
    m = p_1^{a_1} p_2^{a_2} … p_l^{a_l} and n = p_1^{b_1} p_2^{b_2} … p_l^{b_l}
(If p_i is not a factor of m (n), let a_i (b_i) = 0.) Then,
    lcm(m,n) = p_1^{max(a_1,b_1)} p_2^{max(a_2,b_2)} … p_l^{max(a_l,b_l)}
Example:
    82320 = 2^4 · 3^1 · 5^1 · 7^3 · 11^0
    950796 = 2^2 · 3^2 · 5^0 · 7^4 · 11^1
    lcm(82320, 950796) = 2^4 · 3^2 · 5^1 · 7^4 · 11^1 = 19015920

GCD and LCM
Theorem 5.1.25: For any positive integers m and n, gcd(m,n) · lcm(m,n) = mn
Proof:
If m = 1 ⇒ gcd(m,n) = 1 & lcm(m,n) = n ⇒ gcd(m,n) · lcm(m,n) = mn
If n = 1 ⇒ gcd(m,n) = 1 & lcm(m,n) = m
We assume m > 1 & n > 1. Note that min(x,y) + max(x,y) = x + y.
    m = p_1^{a_1} p_2^{a_2} … p_l^{a_l}
    n = p_1^{b_1} p_2^{b_2} … p_l^{b_l}
    gcd(m,n) = p_1^{min(a_1,b_1)} … p_l^{min(a_l,b_l)}
    lcm(m,n) = p_1^{max(a_1,b_1)} … p_l^{max(a_l,b_l)}
    gcd(m,n) · lcm(m,n) = p_1^{min(a_1,b_1)+max(a_1,b_1)} … p_l^{min(a_l,b_l)+max(a_l,b_l)}
                        = p_1^{a_1+b_1} … p_l^{a_l+b_l}
                        = [p_1^{a_1} … p_l^{a_l}] [p_1^{b_1} … p_l^{b_l}]
                        = mn

GCD and LCM
Example:
    gcd(30, 105) = 15
    gcd(30, 105) · lcm(30, 105) = 15 · 210 = 3150 = 30 · 105
Using Theorem 5.1.25:
    lcm(m,n) = mn / gcd(m,n)
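An added example, not part of the original slides, that checks Theorems 5.1.17, 5.1.22 and 5.1.25 on the slides' own numbers: it factors by trial division, builds gcd and lcm from the min and max exponents, and compares the gcd with Python's math.gcd. The function names are assumptions made for this illustration.

```python
import math
from collections import Counter


def factorize(n):
    """Prime factorization of n >= 1 by trial division up to sqrt(n).

    Returns a Counter mapping each prime p to its exponent in n.
    """
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = Counter()
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] += 1
            n //= d
        d += 1
    if n > 1:            # whatever is left over is itself prime
        factors[n] += 1
    return factors


def gcd_lcm_by_factoring(m, n):
    """gcd and lcm from prime exponents (Theorems 5.1.17 and 5.1.22)."""
    fm, fn = factorize(m), factorize(n)
    g = l = 1
    for p in set(fm) | set(fn):
        a, b = fm[p], fn[p]      # a missing prime has exponent 0
        g *= p ** min(a, b)
        l *= p ** max(a, b)
    return g, l


def check_theorem_5_1_25(m, n):
    """True if gcd * lcm == m * n and the gcd agrees with math.gcd."""
    g, l = gcd_lcm_by_factoring(m, n)
    return g * l == m * n and g == math.gcd(m, n)


if __name__ == "__main__":
    for m, n in [(82320, 950796), (30, 105)]:   # pairs taken from the slides
        print(m, n, gcd_lcm_by_factoring(m, n), check_theorem_5_1_25(m, n))
```

Factoring is the slow route: the Euclidean algorithm of Section 5.3 reaches the same gcd without knowing any prime factor.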

5.2 Representation of Integers and Integer Algorithms
Number System
Binary digits: 0 and 1, called bits.
In this section we study: binary, hexadecimal and octal number systems.
Review of decimal system. Example: 45,238 is equal to
    8 ones             8 x 1     = 8
    3 tens             3 x 10    = 30
    2 hundreds         2 x 100   = 200
    5 thousands        5 x 1000  = 5000
    4 ten thousands    4 x 10000 = 40000

Binary number system
From binary to decimal: the number 1101001 is equivalent to
    1 one           1 x 2^0 = 1
    0 two           0 x 2^1 = 0
    0 four          0 x 2^2 = 0
    1 eight         1 x 2^3 = 8
    0 sixteen       0 x 2^4 = 0
    1 thirty-two    1 x 2^5 = 32
    1 sixty-four    1 x 2^6 = 64
    Total: 105 in decimal base

Computer Representation of Integers
Computer systems represent integers in binary.
The number of bits necessary to represent a positive integer n:
    n = 1 x 2^k + b_{k-1} x 2^{k-1} + … + b_0 x 2^0, b_i = 0 or 1
        ⇒ 2^k ≤ n ⇒ k ≤ lg n
    n = 1 x 2^k + b_{k-1} x 2^{k-1} + … + b_0 x 2^0 ≤ 1 x 2^k + 1 x 2^{k-1} + … + 1 x 2^0 = 2^{k+1} - 1 < 2^{k+1}
        ⇒ lg n < k+1
    ⇒ k+1 ≤ 1 + lg n < k+2
    ⇒ k+1 = ⌊1 + lg n⌋: the number of bits required to represent n

The worst-case time of Algorithm 5.1.8 (slide p5)
The worst-case time: Θ(√n)
The size s (= k+1) of the input n:
    s ≤ 1 + lg n ≤ 2 lg n ⇒ lg n ≥ s/2 for all n ≥ 2
    (1/2) lg n ≥ s/4 for all n ≥ 2
    lg n^(1/2) ≥ s/4 for all n ≥ 2
    √n ≥ c^s for all n ≥ 2, where c = 2^(1/4)
The worst-case time is at least C√n ≥ C·c^s ⇒ exponential time in the input size s, since c = 2^(1/4) > 2^0 = 1.

Binary to Decimal
This algorithm returns the decimal value of the base b integer c_n c_{n-1} … c_1 c_0.
Input: c, n, b
Output: dec_val
    base_b_to_dec(c, n, b) {
        dec_val = 0
        power = 1
        for i = 0 to n {
            dec_val = dec_val + c_i * power
            power = power * b
        }
        return dec_val
    }
Illustration: c_4 c_3 c_2 c_1 c_0 (base b) = c_0*1 + c_1*b + c_2*b^2 + c_3*b^3 + c_4*b^4 = dec_val

Decimal to Binary
The number 75_10 is equivalent to 1001011_2:
    75 = 2 x 37 + remainder 1
    37 = 2 x 18 + remainder 1
    18 = 2 x 9 + remainder 0
    9 = 2 x 4 + remainder 1
    4 = 2 x 2 + remainder 0
    2 = 2 x 1 + remainder 0
    1 = 2 x 0 + remainder 1
⇒ 75_10 = 1001011_2 (write the remainders in reverse order preceded by the quotient)

Decimal to Binary
Algorithm to convert a positive integer m to the base b integer c_n c_{n-1} … c_1 c_0.
Input: m, b
Output: c, n
    dec_to_base_b(m, b, c, n) {
        n = -1
        while (m > 0) {
            n = n + 1            // LSB first
            c_n = m mod b        // remainder
            m = floor(m/b)       // quotient
        }
    }

Hexadecimal number System
Decimal vs Hexadecimal
    Decimal system:      1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
    Hexadecimal system:  1 2 3 4 5 6 7 8 9 A  B  C  D  E  F
Addition: add 23A_16 + 8F_16
      23A_16
    +  8F_16
    --------
      2C9_16

Hexadecimal from/to Decimal
Hexadecimal → Decimal: the hexadecimal number 3A0B_16 is
    11 x 16^0 = 11
     0 x 16^1 = 0
    10 x 16^2 = 2560
     3 x 16^3 = 12288
    Total: 14859_10
Decimal → Hexadecimal: given the number 2345_10
    2345 = 146 x 16 + remainder 9
    146 = 9 x 16 + remainder 2
    2345_10 is equivalent to the hexadecimal number 929_16

Binary addition
[Table: binary addition table]
Adding binary numbers
Example: add 100101_2 + 110011_2
        111      (carry ones)
      100101_2
    + 110011_2
    ----------
     1011000_2

Binary Addition
This algorithm adds the binary numbers a_n a_{n-1} … a_1 a_0 and b_n b_{n-1} … b_1 b_0 and stores the sum in s_{n+1} s_n s_{n-1} … s_1 s_0.
Input: a, b, n
Output: s
    binary_addition(a, b, n, s) {
        carry = 0
        for i = 0 to n {
            s_i = (a_i + b_i + carry) mod 2
            carry = floor((a_i + b_i + carry)/2)
        }
        s_{n+1} = carry
    }

Hexadecimal addition
Adding hexadecimal numbers
Example: add 84F_16 + 42EA_16
       11        (carry ones)
       84F_16
    + 42EA_16
    ---------
      4B39_16
84F_16 + 42EA_16 = 2127 + 17130 = 19257

Exponentiation
Algorithm to compute a power a^n
Using repeated multiplication:
    a^n = a·a···a (n a's) ⇒ n-1 multiplications
Using repeated squaring, for example a^29:
    a^2 = a·a ⇒ 1 multiplication
    a^4 = a^2·a^2 ⇒ 1 additional multiplication
    a^8 = a^4·a^4 ⇒ 1 additional multiplication
    a^16 = a^8·a^8 ⇒ 1 additional multiplication
    29 = 1 + 4 + 8 + 16
    a^29 = a^1 · a^4 · a^8 · a^16
    In total: 7 multiplications

Exponentiation
Using repeated squaring
Decimal to binary: successive division by 2; the binary representation is the sequence of remainders.
Binary representation of the exponent: for example, a^29 = a^(11101_2) = a^16 · a^8 · a^4 · a^1
    x       current value of n    n mod 2    result               quotient when n divided by 2
    a       29                    1          a                    14
    a^2     14                    0          unchanged            7
    a^4     7                     1          a·a^4 = a^5          3
    a^8     3                     1          a^5·a^8 = a^13       1
    a^16    1                     1          a^13·a^16 = a^29     0

Exponentiation
This algorithm computes a^n using repeated squaring.
Input: a, n
Output: a^n
    exp_via_repeated_squaring(a, n) {
        result = 1
        x = a
        while (n > 0) {
            if (n mod 2 == 1)
                result = result * x
            x = x * x
            n = floor(n/2)
        }
        return result
    }

Simulation
a = 4, n = 29 (4^29)
result = 1
x = 4
n > 0 (while)
29 mod 2 = 1 ⇒ result = 1 * 4 = 4
    x = 4 * 4 = 4^2
    n = floor(n/2) = 14
14 mod 2 = 0 ⇒ result = 4
    x = 16 * 16 = 4^4
    n = floor(n/2) = 7
7 mod 2 = 1 ⇒ result = 4 * 4^4 = 4^5
    x = 4^4 * 4^4 = 4^8
    n = floor(n/2) = 3
3 mod 2 = 1 ⇒ result = 4^5 * 4^8 = 4^13
    x = 4^8 * 4^8 = 4^16
    n = floor(n/2) = 1
1 mod 2 = 1 ⇒ result = 4^13 * 4^16 = 4^29
    x = 4^16 * 4^16 = 4^32
    n = floor(n/2) = 0
While loop ends and returns the result = 4^29

Exponentiation Mod z
Theorem 5.2.17: If a, b, and z are positive integers,
    ab mod z = [(a mod z)(b mod z)] mod z
Proof:
Let w = ab mod z, x = a mod z, and y = b mod z.
    ab = q1z + w ⇒ w = ab - q1z
    similarly, a = q2z + x, b = q3z + y
    w = ab - q1z
      = (q2z + x)(q3z + y) - q1z
      = (q2q3z + q2y + q3x - q1)z + xy
      = qz + xy, where q = q2q3z + q2y + q3x - q1
    xy = -qz + w ⇒ w is the remainder when xy is divided by z (w = xy mod z)
    ⇒ ab mod z = [(a mod z)(b mod z)] mod z

Exponentiation Mod z
For example, a^29 mod z
To compute a^29, we successively computed
    a, a^5 = a·a^4, a^13 = a^5·a^8, a^29 = a^13·a^16
To compute a^29 mod z, we successively compute
    a mod z, a^5 mod z, a^13 mod z, a^29 mod z
    a^2 mod z = [(a mod z)(a mod z)] mod z
    a^4 mod z = [(a^2 mod z)(a^2 mod z)] mod z
    a^8 mod z = [(a^4 mod z)(a^4 mod z)] mod z
    a^16 mod z = [(a^8 mod z)(a^8 mod z)] mod z
    a^5 mod z = [(a mod z)(a^4 mod z)] mod z
    a^13 mod z = [(a^5 mod z)(a^8 mod z)] mod z
    a^29 mod z = [(a^13 mod z)(a^16 mod z)] mod z

Exponentiation Mod z
For example, 572^29 mod 713
    572^2 mod 713 = [(572 mod 713)(572 mod 713)] mod 713
    572^4 mod 713 = [(572^2 mod 713)(572^2 mod 713)] mod 713
    572^8 mod 713 = [(572^4 mod 713)(572^4 mod 713)] mod 713
    572^16 mod 713 = [(572^8 mod 713)(572^8 mod 713)] mod 713
    572^5 mod 713 = [(572 mod 713)(572^4 mod 713)] mod 713
    572^13 mod 713 = [(572^5 mod 713)(572^8 mod 713)] mod 713
    572^29 mod 713 = [(572^13 mod 713)(572^16 mod 713)] mod 713

Exponentiation Mod z by Repeated Squaring
This algorithm computes a^n mod z using repeated squaring.
Input: a, n, z
Output: a^n mod z
    exp_mod_via_repeated_squaring(a, n, z) {
        result = 1
        x = a mod z
        while (n > 0) {
            if (n mod 2 == 1)
                result = (result * x) mod z
            x = (x * x) mod z
            n = floor(n/2)
        }
        return result
    }

Simulation
a = 572, n = 29, z = 713
result = 1
x = 572 mod 713 = 572
n > 0 (while)
29 mod 2 = 1 ⇒ result = (1 * 572) mod 713
    x = (572 * 572) mod 713
    n = floor(n/2) = 14
14 mod 2 = 0 ⇒ result = 572 mod 713 (stays)
    x = ([(572 * 572) mod 713] * [(572 * 572) mod 713]) mod 713 = 572^4 mod 713
    n = floor(n/2) = 7
7 mod 2 = 1 ⇒ result = ([572 mod 713] * [572^4 mod 713]) mod 713 = 572^5 mod 713
    x = 572^8 mod 713
    n = floor(n/2) = 3
3 mod 2 = 1 ⇒ result = ([572^8 mod 713] * [572^5 mod 713]) mod 713 = 572^13 mod 713
    x = 572^16 mod 713
    n = floor(n/2) = 1
1 mod 2 = 1 ⇒ result = ([572^16 mod 713] * [572^13 mod 713]) mod 713 = 572^29 mod 713
    x = 572^32 mod 713
    n = floor(n/2) = 0
While loop ends and returns the result = 572^29 mod 713
Notes:
a = 572, n = 29, z = 713
29 mod 2 ⇒ result = 572 mod 713; x = ([572 mod 713] * [572 mod 713]) mod 713 = 572^2 mod 713
14 mod 2 ⇒ 0 ⇒ only x is squared = 572^4 mod 713 / result stays
7 mod 2 ⇒ 1 ⇒ x keeps being squared = 572^8 mod 713 / result is updated: ([572 mod 713] [572^4 mod 713]) mod 713 ⇒ 572^5 mod 713
Only when the remainder is 1 is result updated, which effectively adds that power to the exponent to make the total 29, as in the earlier example computing a^29.

5.3 The Euclidean algorithm
Euclid algorithm: an efficient algorithm for finding the greatest common divisor of two integers
    gcd(a, b) = gcd(b, a mod b)
Example: a = 105, b = 30
    gcd(105, 30) = gcd(30, 105 mod 30) = gcd(30, 15)
                 = gcd(15, 30 mod 15) = gcd(15, 0)
    gcd(15, 0) = 15 ⇒ gcd(105, 30) = 15

5.3 The Euclidean algorithm
Theorem 5.3.2: If a is a nonnegative integer, b is a positive integer, and r = a mod b, then gcd(a, b) = gcd(b, r)
Proof:
    a = bq + r, 0 ≤ r < b
    Let c be a common divisor of a and b ⇒ c|bq ⇒ c|a and c|bq ⇒ c|(a-bq) (= r) ⇒ c is a common divisor of b and r
    If c is a common divisor of b and r ⇒ c|bq and c|bq + r (= a) ⇒ c is a common divisor of a and b
    ⇒ gcd(a, b) = gcd(b, r)
Notes:
    a = bq + r
    c divides a and bq, because c divides a and b (as assumption)
    c divides bq and bq + r
    bq + r = bq + (a - bq)
    c divides bq, and a - bq (all of these). QED

Euclid Algorithm
This algorithm finds the gcd of the nonnegative integers a and b (not both a and b are zero).
Input: a, b
Output: greatest common divisor of a and b
    gcd(a, b) {
        // make a largest
        if (a < b)
            swap(a, b)
        while (b != 0) {
            r = a mod b
            a = b
            b = r
        }
        return a
    }
Trace:
    gcd(105, 30)
    gcd(30, 105 mod 30) = gcd(30, 15)
    gcd(15, 30 mod 15) = gcd(15, 0)
    gcd(15, 0) ⇒ 15
gcd(a, b) = gcd(b, r) = gcd(b, a mod b)

Simulation
gcd(105, 30)
    a < b? not so (no swap)
    b != 0 ⇒ r = 105 mod 30
        a = 30
        b = r = 105 mod 30 = 15
    Go back to beginning and start gcd again ⇒ gcd(30, 15)
    b != 0 ⇒ r = 30 mod 15 = 0
        a = 15
        b = r = 0
    Go back to beginning and start gcd again ⇒ gcd(15, 0)
    b == 0 ⇒ return a = 15

A Special Result (Using Euclid Algorithm)
Theorem 5.3.7: If a and b are nonnegative integers, not both zero, there exist integers s and t such that gcd(a, b) = sa + tb
Example: Find s and t such that gcd(273, 110) = s*273 + t*110
1. Find gcd(273, 110) (= 1)
2. Work back, beginning with the last equation
Left column (Euclid algorithm) and middle column (each remainder expressed from a and b):
    a      b      r                      middle column
    273    110    273 mod 110 = 53       53 = 273 - 110*2
    110    53     110 mod 53 = 4         4 = 110 - 53*2
    53     4      53 mod 4 = 1           1 = 53 - 4*13
    4      1      4 mod 1 = 0
Right column (back substitution):
    1 = 53 - 4*13
    1 = 53 - (110 - 53*2)*13
      = 27*53 - 13*110
    1 = 27*(273 - 110*2) - 13*110
      = 27*273 - 67*110
Carry out the steps in the left column and you get the equations in the middle column (the middle column can be derived directly by reversing the left column). Now we can express 1, 4, and 53 by the equations from the middle column and back substitute one by one to get the final s = 27 and t = -67.

Inverse Modulo
Modulo convention: "0 (mod 5)" vs. "0 (mod 4)"
    N (mod 5) ⇒ N can be 0, 1, 2, 3, 4
Inverse modulo of b (mod m): b·b^-1 = 1 (mod m)
    Multiply by some number and get a remainder of 1 when divided by m.
    That number must also be a (mod m) number.
E.g. inverses for (mod 5) numbers:
    0 ⇒ (0 * 0^-1) mod 5 = 1? Does not exist
    1 ⇒ (1 * 1^-1) mod 5 = 1? 1 (mod 5)
    2 ⇒ (2 * 2^-1) mod 5 = 1? 3 (mod 5)
    3 ⇒ (3 * 3^-1) mod 5 = 1? 2 (mod 5)
    4 ⇒ (4 * 4^-1) mod 5 = 1? 4 (mod 5)

Inverse Modulo
We know that if gcd(e, Φ) = 1, then 1 = ed + Φy.
d is the inverse of e modulo Φ: divide ed by Φ and you get remainder 1.
e and Φ are mutually prime (coprime).

Computing an Inverse Modulo
Example: e = 110, Φ = 273.
    gcd(e, Φ) = 1 and -67e + 27Φ = 1 (slide p40)
    ed mod Φ = 110(-67) mod 273 = 1
    d = -67 (it is not between 0 and 273)
    s = d mod Φ = -67 mod 273 = 206
The inverse of 110 modulo 273 is 206.

5.4 The RSA public-key cryptosystem
Cryptosystems: systems for secure communications
    Used by government, industry, investigation agencies, etc.
    Sender encrypts a message
    Receiver decrypts the message
RSA (Rivest, Shamir, Adleman) system
    Messages are represented as numbers
    Based on the fact that no efficient algorithm exists for factoring large integers in polynomial time O(n^k).

The Oldest and Simplest System
If a key is defined as a table (character / replaced by), each character of the original message is replaced to give the encrypted message, and the replacement is reversed to give the decrypted message.
[Table: key (character / replaced by) with an example original message, encrypted message and decrypted message]
Simple systems are easily broken.

RSA
Messages are represented as numbers: A, B, C, … ⇒ 1, 2, 3, …
    SEND MONEY ⇒ 20, 5, 15, 1, 14, 16, 15, 5, 26 ⇒ (single integer) 200515011416150526
1. Choose two primes p, q and compute n = pq
2. Compute Φ = (p-1)(q-1)
3. Choose e such that gcd(e, Φ) = 1
4. Compute d, 0 < d < Φ, satisfying ed mod Φ = 1
5. n, e (encryption key, prime): public; p, q, d (decryption key): secret
6. To send a message m, encrypt m: c = m^e mod n
7. Decrypt an encrypted message c: m = c^d mod n
s is the inverse modulo of n mod phi

RSA (example)
p = 23, q = 41, n = pq = 943, Φ = (p-1)(q-1) = 880
Choose e = 7 (relatively prime to 880)
public: n = 943 / secret: e = 7, p = 23, q = 41
Message: M = 35
B sends: C = M^e (mod n) = 35^7 (mod 943) = 545
A wants to get M = 35 from C = 545
Find d such that ed = 1 (mod (p-1)(q-1)):
    7d = 1 (mod 880)
    d = 503, since 7*503 = 3521 = 4(880) + 1
C^d = 545^503
    503 = 256 + 128 + 64 + 32 + 16 + 4 + 2 + 1
    545^503 = 545^256 * 545^128 * 545^64 * …
M = C^d (mod 943) = 545^256 (mod 943) * 545^128 (mod 943) * … = 35 !
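An added example, not part of the original slides, that carries Theorem 5.3.7, the inverse-modulo slides and RSA steps 1 to 7 through in code: the extended Euclidean algorithm yields s and t, the inverse gives d, and encryption and decryption use repeated squaring. The function names are assumptions for this illustration, and (n, e) is treated as the public key as in step 5.

```python
def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b (Theorem 5.3.7)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(e, phi):
    """Inverse of e modulo phi, reduced into the range 0..phi-1."""
    g, s, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e has no inverse: gcd(e, phi) != 1")
    return s % phi


def exp_mod(a, n, z):
    """a^n mod z by repeated squaring, following the slides' pseudocode."""
    result, x = 1 % z, a % z
    while n > 0:
        if n % 2 == 1:
            result = (result * x) % z
        x = (x * x) % z
        n //= 2
    return result


def rsa_keygen(p, q, e):
    """Steps 1-5: return the public key (n, e) and the secret exponent d."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), mod_inverse(e, phi)


def rsa_encrypt(m, public_key):
    """Step 6: c = m^e mod n; m must be smaller than n to decrypt correctly."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return exp_mod(m, e, n)


def rsa_decrypt(c, d, n):
    """Step 7: m = c^d mod n."""
    return exp_mod(c, d, n)


if __name__ == "__main__":
    public_key, d = rsa_keygen(23, 41, 7)   # the slides' toy parameters
    c = rsa_encrypt(35, public_key)
    print(public_key, d, c, rsa_decrypt(c, d, public_key[0]))
```

These parameters are small enough to check by hand and nothing more; the scheme as written has no padding, so the same message always produces the same ciphertext.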