Theory of Computation Transparency No. 1-1 Chapter 2 Introduction to Number Theory and Its applications Cheng-Chia Chen October 2005.


Introduction Transparency No. 1-2 Outline
- Division
- Primes
- gcd and lcm
- Modular arithmetic
- Chinese remainder theorem
- Fermat's little theorem
- The RSA algorithm

Introduction Transparency No. 1-3 Division
Def: a, b ∈ Z with a ≠ 0. We say a divides b (written a | b) if ∃ k ∈ Z s.t. b = ka.
a | b ⇒ a is a factor (or divisor) of b, and b is a multiple of a.
Ex: 3 | 12 (12 = 4 x 3), -4 | 8, 13 | 0 (0 = 0 x 13), 3 ∤ 7.

Introduction Transparency No. 1-4 Properties of |
1. a | b ∧ a | c ⇒ a | (b + c)
2. a | b ⇒ a | bc for all c ∈ Z
3. | is reflexive (a | a for all a ∈ Z)
4. | is transitive (a | b ∧ b | c ⇒ a | c)
   pf: a | b ∧ b | c ⇒ b = k1 a and c = k2 b for some k1, k2 ∈ Z ⇒ c = k2 (k1 a) = (k1 k2) a.
5. a | b ∧ b | a ⇒ |a| = |b|

Introduction Transparency No. 1-5 Primes
An integer p > 1 is said to be prime if ∀ n ∈ N+ (n | p ⇒ n = 1 ∨ n = p), i.e., the only positive factors of p are 1 and p.
If p > 1 is not prime, then p is composite.
Examples: 7 is prime; the primes < 20 are 2, 3, 5, 7, 11, 13, 17, 19.

Introduction Transparency No. 1-6 The fundamental theorem of arithmetic (FTA)
∀ n ∈ N+ with n > 1, there exists a unique increasing sequence of primes p1 ≤ p2 ≤ … ≤ pk (k ≥ 1) s.t. n = p1 x p2 x … x pk.
Ex: 100 = 2 x 2 x 5 x 5, 999 = 3 x 3 x 3 x 37.

Introduction Transparency No. 1-7 Proof of FTA
(Existence) By mathematical induction.
Basis: n = 1, 2: ok.
Induction: n > 1. If n is prime, then n = p1 where p1 = n and k = 1. If n is not prime, then n = n1 x n2 with n1, n2 < n.
⇒ by ind. hyp., n1 = q1 x q2 x … x qt and n2 = r1 x r2 x … x rs
⇒ n = n1 x n2 = q1 x … x qt x r1 x … x rs
⇒ n = p1 x … x p(s+t), where p1, …, p(s+t) is an increasing reordering of q1, …, qt and r1, …, rs.
(Uniqueness) Let n = p1 x … x pk x q1 x … x qs = p1 x … x pk x r1 x … x rt where q1 ≠ r1
⇒ n – n = p1 x … x pk x (q1 x … x qs – r1 x … x rt) ≠ 0 (a contradiction!!).

Introduction Transparency No. 1-8 Theorem 3
If n is composite ⇒ ∃ a ≤ √n s.t. a | n.
pf: n is composite ⇒ n = p x q with p, q > 1. If p > √n ∧ q > √n ⇒ pq > √n ∙ √n = n, a contradiction. Hence n must have a factor ≤ √n.
Example: 101 is a prime.
pf: ⌊√101⌋ = 10, but no prime ≤ 10 is a factor of 101.

Introduction Transparency No. 1-9 The division algorithm
∀ a ∈ Z, d ∈ N+, ∃! q, r s.t. a = qd + r where 0 ≤ r < d.
Def: if a = dq + r, then d is called the divisor, a the dividend, q the quotient and r the remainder.
Examples: 101 = 11 ∙ 9 + 2; ___ = -4 ∙ ___ + ___.
Note: d | a iff r = 0.

Introduction Transparency No. Proof of the division algorithm
Existence: Consider the Z-indexed sequence: …, a-3d, a-2d, a-d, a, a-(-d), a-(-2d), a-(-3d), …
Let r = a – qd be the smallest nonnegative number in the sequence.
1. Since the sequence is strictly increasing toward infinity, such q (and r) must exist and be unique.
2. If r ≥ d, then r' = r - d = a – (q+1) d ≥ 0 is another nonnegative number in the sequence smaller than r. That's a contradiction. Hence r < d.
Uniqueness: If both (q, r) and (q', r') satisfy the condition, then r – r' = (q' - q) d (*). Since 0 ≤ |r - r'| < d and (q' - q) d is a multiple of d, (*) holds only if r - r' = 0 = q - q'. QED

Introduction Transparency No. gcd and lcm
∀ a, b ∈ Z with ab ≠ 0: if d | a and d | b, then d is a common divisor of a and b.
gcd(a,b) =def the greatest common divisor of a and b.
Note: The set cd(a,b) = {x > 0 | x | a and x | b} is a finite subset of N+ (∵ {1} ⊆ cd(a,b) ⊆ {1, …, min(a,b)}) ⇒ gcd(a,b) must exist.
Example: gcd(24,36) = ?
factors of 24: 1, 2, 3, 4, 6, 8, 12, 24
factors of 36: 1, 2, 3, 4, 6, 9, 12, 18, 36
⇒ cd(24,36) = {1, 2, 3, 4, 6, 12} ⇒ gcd(24,36) = 12.

Introduction Transparency No. Relatively prime
If gcd(a,b) = 1 we say a and b are relatively prime (r.p.). Ex: gcd(17,22) = 1.
a1, a2, …, an are pairwise r.p. if gcd(ai, aj) = 1 for all 1 ≤ i < j ≤ n.
Ex: 10, 17, 21 are p.r.p.; 10, 19, 24 are not p.r.p. since gcd(10,24) = 2.
Proposition 1: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yj ≥ 0, then gcd(a,b) = s =def p1^z1 p2^z2 … pn^zn where zi = min(xi, yi) for all 1 ≤ i ≤ n.

Introduction Transparency No. The proof
1. s ∈ cd(a,b). What are the quotients of a and b when divided by s?
2. t | a = p1^x1 p2^x2 … pn^xn ∧ q is a prime factor of t ⇒ q ∈ {p1, …, pn}.
   pf: q is prime and q | t | a. Hence q = pj for some j (see the later lemma).
3. t | a = p1^x1 p2^x2 … pn^xn iff t = p1^d1 p2^d2 … pn^dn for some d1, …, dn with di ≤ xi for 1 ≤ i ≤ n.
   pf: if-part: trivial. only-if: if t = 1, we are done. Otherwise, let q be any prime factor of t. By 2, q = pj for some j. Now let t' = t/pj and a' = a/pj. Then t' | a' = p1^x1 … pj^(xj - 1) … pn^xn, and by I.H. on a', t' = p1^d1 p2^d2 … pn^dn for some d1, …, dn with di ≤ xi for 1 ≤ i ≠ j ≤ n and dj ≤ xj - 1. Then t = t' x pj = p1^d1 p2^d2 … pn^dn for some d1, …, dn with di ≤ xi for 1 ≤ i ≤ n.

Introduction Transparency No. Corollary
∀ t: t ∈ cd(a,b) ⇔ t = p1^d1 p2^d2 … pn^dn for some d1, …, dn with di ≤ xi and di ≤ yi, i.e., di ≤ zi.
Ex: 120 = 2^3 ∙ 3^1 ∙ 5^1, 500 = 2^2 ∙ 5^3 ⇒ gcd(120,500) = 2^2 ∙ 3^0 ∙ 5^1 = 20.

Introduction Transparency No. lcm (least common multiple)
a, b ∈ Z, c ∈ N+: if a | c and b | c, then c is a common multiple of a and b.
lcm(a,b) =def the least common multiple of a and b.
Note: The set cm(a,b) = {x > 0 | a | x and b | x} ≠ ∅ (∵ {a∙b} ⊆ cm(a,b)) ⇒ lcm(a,b) must exist.
Proposition 2: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yj ≥ 0, then lcm(a,b) = t =def p1^z1 p2^z2 … pn^zn where zi = max(xi, yi) for all 1 ≤ i ≤ n.
pf: pi^xi | a | cm and pi^yi | b | cm ⇒ pi^max(xi,yi) | cm ⇒ t | cm.
Theorem 5: gcd(a,b) ∙ lcm(a,b) = ab.
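Propositions 1 and 2 (gcd and lcm from prime-exponent vectors) and Theorem 3 (a composite n has a factor ≤ √n) carried out in code. This is an added example, not code from the slides; the factorization uses trial division up to √n, which is only practical for small n.

```python
from collections import Counter
from math import isqrt


def factorize(n: int) -> Counter:
    """Prime exponents of n > 0 by trial division.

    Only trial divisors up to sqrt(n) are needed (Theorem 3): once the
    remaining cofactor has no divisor <= its square root, it is prime.
    """
    if n < 1:
        raise ValueError("n must be a positive integer")
    exps: Counter = Counter()
    d = 2
    while d <= isqrt(n):
        while n % d == 0:
            exps[d] += 1
            n //= d
        d += 1
    if n > 1:          # leftover cofactor is a prime larger than sqrt(n)
        exps[n] += 1
    return exps


def is_prime(n: int) -> bool:
    """Theorem 3 as a test: n > 1 is prime iff no a with 2 <= a <= sqrt(n) divides n."""
    return n > 1 and all(n % a for a in range(2, isqrt(n) + 1))


def gcd_by_factors(a: int, b: int) -> int:
    """Proposition 1: gcd = product of p^min(x_p, y_p) over all primes p."""
    fa, fb = factorize(a), factorize(b)
    g = 1
    for p in set(fa) | set(fb):
        g *= p ** min(fa[p], fb[p])    # a prime missing on one side has exponent 0
    return g


def lcm_by_factors(a: int, b: int) -> int:
    """Proposition 2: lcm = product of p^max(x_p, y_p) over all primes p."""
    fa, fb = factorize(a), factorize(b)
    m = 1
    for p in set(fa) | set(fb):
        m *= p ** max(fa[p], fb[p])
    return m


if __name__ == "__main__":
    # Values from the slides: 120 = 2^3 3 5 and 500 = 2^2 5^3
    print(dict(factorize(120)), dict(factorize(500)))
    print(gcd_by_factors(120, 500), lcm_by_factors(120, 500))
    print(gcd_by_factors(120, 500) * lcm_by_factors(120, 500) == 120 * 500)  # Theorem 5
    print(is_prime(101), is_prime(91))
```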

Introduction Transparency No. Modular Arithmetic
Def 8: m ∈ N+, a ∈ Z. a mod m =def the remainder of a when divided by m.
Ex: 17 mod 5 = 2, ___ mod 9 = 2.
Def 9: a, b ∈ Z, m ∈ N+. a ≡ b (mod m) means m | (a - b), i.e., a and b have the same remainder when divided by m, i.e., a mod m = b mod m. We say a is congruent to b (modulo m).
Ex: 17 ≡ 5 (mod 6)? 24 ≡ 14 (mod 6)?

Introduction Transparency No. Properties of congruence
Theorem 6: a ≡ b (mod m) iff a = km + b for some k ∈ Z.
pf: a ≡ b (mod m) ⇔ (a - b) = km ⇔ a = km + b.
Theorem 7: If m > 0, a ≡ b (mod m) and c ≡ d (mod m), then (1) a + c ≡ b + d (mod m) and (2) ac ≡ bd (mod m).
pf: By the premise, a = km + b and c = sm + d for some k, s. ⇒ a + c = (b + d) + (k + s) m and ac = bd + (kd + sb + skm) m ⇒ (1) and (2) hold.
Ex: 7 ≡ 2 (mod 5), 11 ≡ 1 (mod 5) ⇒ 18 ≡ 3 (mod 5) and 77 ≡ 2 (mod 5).

Introduction Transparency No. The Euclidean Algorithm
Lemma 1: a = bq + r ⇒ gcd(a,b) = gcd(b,r).
pf: it suffices to show that cd(a,b) = cd(b,r). But d | a ∧ d | b ⇒ d | (a - bq) = r, and d | b ∧ d | r ⇒ d | (bq + r) = a. Hence cd(a,b) = cd(b,r).
Note: if a = bq + 0 ⇒ gcd(a,b) = gcd(b,0) = b.
A simple algorithm:
  gcd(a,b)   // a ≥ b ≥ 0
    if (b == 0) return a;
    else return gcd(b, a mod b);
Note: this algorithm is very efficient (Lamé's lemma).

Introduction Transparency No. gcd(662, 414) = ?
  a     b     a = qb + r             q    r
  662   414   662 = 1 x 414 + 248    1    248
  414   248   414 = 1 x 248 + 166    1    166
  248   166   248 = 1 x 166 + 82     1    82
  166   82    166 = 2 x 82 + 2       2    2
  82    2     82 = 41 x 2 + 0        41   0
∴ gcd(662,414) = gcd(414,248) = … = gcd(2,0) = 2.

Introduction Transparency No. Theorem 1
∀ a > b ≥ 0, gcd(a,b) = sa + tb for some s, t ∈ Z, i.e., gcd(a,b) is a linear combination of a and b.
Pf: By induction on b.
Basis: b = 0 ⇒ gcd(a,b) = a = 1 ∙ a + 0 ∙ b.
Inductive case: b > 0.
case 1: b | a ⇒ gcd(a,b) = b = 0 ∙ a + 1 ∙ b.
case 2: b ∤ a ⇒ gcd(a,b) = gcd(b,r) where 0 ≤ r = a mod b < b. By I.H., gcd(b,r) = sb + tr. But r = a - bq, ∴ gcd(a,b) = gcd(b,r) = sb + tr = sb + t(a – bq) = ta + (s – qt) b. QED

Introduction Transparency No. Example
gcd(252, 198) = 18 = ___ ∙ 252 + ___ ∙ 198. Sol:
Exercise: Let L(a,b) = {sa + tb | s, t ∈ Z} be the set of all linear combinations of a and b. Show that gcd(a,b) is the smallest positive member of L(a,b).
pf: let m = sa + tb be any positive member of L(a,b) with m ≤ gcd(a,b) = g. Since g | a and g | b, we have g | sa + tb ⇒ g ≤ m. Hence m = g.

Introduction Transparency No. Lemma 1 and Lemma 2
Lemma 1: gcd(a,b) = 1 ∧ a | bc ⇒ a | c.
pf: gcd(a,b) = 1 ⇒ 1 = sa + tb for some s, t ∈ Z ⇒ c = sac + tbc = sac + tka (∵ a | bc, so bc = ka) = (sc + tk) ∙ a ∴ a | c.
Lemma 2': p prime ∧ p ∤ a ⇒ gcd(p,a) = 1.
Pf: cd(p,a) ⊆ factors of p = {1, p}, but p is not a factor of a. Hence gcd(p,a) = 1.
Lemma 2: p prime ∧ p | a1 a2 … an ⇒ p | ai for some i.
Pf: By ind. on n. Basis: n = 1: trivial. Ind. case: n = k + 1, p | a1 a2 … ak a(k+1). If p | a1 we are done. O/W p ∤ a1 and gcd(p, a1) = 1 by Lemma 2'. By Lemma 1, p | (a2 … a(k+1)) ⇒ p | ai for some 2 ≤ i ≤ k+1 by I.H.

Introduction Transparency No. Uniqueness of FTA
Pf: Suppose ∃ two distinct sequences p1, …, ps and q1, …, qt with n = p1 x … x ps = q1 x … x qt.
Removing all common primes from both sides: m =def p(i1) x … x p(iu) = q(j1) x … x q(jv), where pi ≠ qj for all remaining pi and qj.
⇒ p(i1) | m = q(j1) x … x q(jv) ⇒ p(i1) | qj for some j (a contradiction!!).

Introduction Transparency No. Theorem 2
m > 0 ∧ ac ≡ bc (mod m) ∧ gcd(m,c) = 1 ⇒ a ≡ b (mod m).
Pf: ac ≡ bc (mod m) ⇒ m | (ac – bc) = (a – b) c. ∵ gcd(m,c) = 1 ∴ m | (a – b) ∴ a ≡ b (mod m).

Introduction Transparency No. Linear Congruence
Ex: Find all x such that 7x ≡ 2 (mod 5).
Def: Equations of the form ax ≡ b (mod m) are called linear congruence equations.
Def: Given (a, m), any integer a' satisfying a a' ≡ 1 (mod m) is called an inverse of a (mod m).
Proposition: a a' ≡ 1 (mod m) ⇒ x = a'b + km (k ∈ Z) is the general solution of the congruence equation ax ≡ b (mod m).
Pf: 1. a'b + km is a solution for any k ∈ Z.
2. y is a solution ⇒ ay ≡ b (mod m) ⇒ a'ay ≡ a'b (mod m) ⇒ y ≡ a'ay ≡ a'b (mod m) ⇒ m | (y – a'b) ⇒ y = a'b + km for some k.

Introduction Transparency No. Theorem 3
∀ m > 0 with gcd(a,m) = 1, ∃ b ∈ Z s.t.
1. ab ≡ 1 (mod m);
2. if ab ≡ ac [≡ 1] (mod m), then b ≡ c (mod m).
Pf: 1. gcd(a,m) = 1 ⇒ ∃ b, t with ba + tm = 1. Since m | (ba – 1), ab ≡ 1 (mod m). 2. Direct from Theorem 2.
Note: Theorem 3 means that the inverse of a mod m uniquely exists (and hence is well defined) if a and m are relatively prime.

Introduction Transparency No. Examples
Ex: Find a s.t. 3a ≡ 1 (mod 7).
Sol: since gcd(3,7) = 1, the inverse of 3 (mod 7) exists and can be computed by the Euclidean algorithm: 7 = 3 x 2 + 1 ⇒ 1 = 7 + (-2) ∙ 3 ⇒ 3 ∙ (-2) ≡ 1 (mod 7) ⇒ a = -2 + 7k for all k ∈ Z.
Ex: Find all solutions of 3x ≡ 4 (mod 7).
Sol: -2 is an inverse of 3 (mod 7). Hence x = 4 ∙ (-2) + 7k, k ∈ Z, are all the solutions.
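The Euclidean algorithm (with the trace table of the gcd(662, 414) slide), Theorem 1's linear combination, the inverse of Theorem 3 and the linear-congruence solution of the previous slides, in one added example that is not code from the slides. The recursion in ext_gcd follows the inductive proof of Theorem 1 step for step; the brute-force check of the exercise on L(a,b) is an assumption-free search over a small range of s, t.

```python
from typing import List, Tuple


def euclid_trace(a: int, b: int) -> List[Tuple[int, int, int, int]]:
    """Rows (a, b, q, r) with a = qb + r until r = 0; by Lemma 1 the last b is the gcd."""
    rows = []
    while b != 0:
        q, r = divmod(a, b)
        rows.append((a, b, q, r))
        a, b = b, r
    return rows


def ext_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b (Theorem 1).

    From gcd(b, r) = s*b + t*r and r = a - q*b the proof gives
    gcd(a, b) = t*a + (s - q*t)*b, which is exactly the recursion below.
    """
    if b == 0:
        return a, 1, 0                   # basis: gcd(a, 0) = a = 1*a + 0*b
    g, s, t = ext_gcd(b, a % b)
    q = a // b
    return g, t, s - q * t


def mod_inverse(a: int, m: int) -> int:
    """The inverse a' of a modulo m (Theorem 3), reduced to 0..m-1.

    It exists iff gcd(a, m) = 1; the coefficient s in 1 = s*a + t*m is an
    inverse because m | (s*a - 1).
    """
    g, s, _ = ext_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd({a}, {m}) = {g}")
    return s % m


def solve_linear_congruence(a: int, b: int, m: int) -> int:
    """Least nonnegative x with a*x ≡ b (mod m) when gcd(a, m) = 1.

    All solutions are x + k*m, k in Z (Proposition on the Linear Congruence slide).
    """
    return (mod_inverse(a, m) * b) % m


def is_smallest_positive_combination(a: int, b: int, bound: int = 50) -> bool:
    """Exercise check: gcd(a, b) is the least positive s*a + t*b (search |s|, |t| <= bound)."""
    g = ext_gcd(a, b)[0]
    smallest = min(s * a + t * b
                   for s in range(-bound, bound + 1)
                   for t in range(-bound, bound + 1)
                   if s * a + t * b > 0)
    return smallest == g


if __name__ == "__main__":
    for a, b, q, r in euclid_trace(662, 414):       # the table on the slide
        print(f"{a:4d} = {q:2d} x {b:3d} + {r:3d}")
    g, s, t = ext_gcd(252, 198)
    print(f"gcd(252, 198) = {g} = ({s}) * 252 + ({t}) * 198")
    print("inverse of 3 mod 7 =", mod_inverse(3, 7))             # -2 ≡ 5
    print("3x ≡ 4 (mod 7): x =", solve_linear_congruence(3, 4, 7), "+ 7k")
```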

Introduction Transparency No. The Chinese Remainder Theorem
Ex: Find all integers x satisfying the equations simultaneously: x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).
Theorem 4: Let m1, m2, …, mn be pairwise relatively prime. The system of congruence equations x ≡ a1 (mod m1), x ≡ a2 (mod m2), …, x ≡ an (mod mn) has a unique solution modulo m = m1 m2 … mn.

Introduction Transparency No. Proof of the Chinese remainder theorem (CRT)
Pf: Let Mk = m / mk for 1 ≤ k ≤ n. Note: 1. gcd(mk, Mk) = 1 and 2. mi | Mk if i ≠ k.
Hence ∃ sk, yk s.t. sk mk + yk Mk = 1, so yk is an inverse of Mk mod mk.
Now Mk yk ≡ 1 (mod mk) and Mk yk ≡ 0 (mod mj) for all j ≠ k.
Let x = a1 M1 y1 + … + an Mn yn. Then x ≡ a1 M1 y1 + … + an Mn yn ≡ ak Mk yk ≡ ak (mod mk) for all 1 ≤ k ≤ n.

Introduction Transparency No. Proof of the uniqueness part
If x and y both satisfy the equations, then x - y ≡ 0 (mod mk) for all k = 1..n ⇒ ∃ s1, …, sn with x - y = s1 m1 = … = sn mn. Since gcd(mi, mk) = 1 for all i ≠ k and mk | s1 m1, we have mk | s1 for all k ≠ 1. Hence s1 is a multiple of m2 m3 … mn, and x - y = s1 m1 is a multiple of m = m1 m2 … mn. Hence x ≡ y (mod m). QED

Introduction Transparency No. Example
Find x ≡ (2, 3, 2) (mod (3, 5, 7)) respectively.
Sol:
  i   mi   ai   Mi          yi = Mi^-1 (mod mi)            ai Mi yi
  1   3    2    m/3 = 35    35 y1 ≡ 1 (mod 3) ⇒ y1 = -1    2 x 35 x (-1)
  2   5    3    m/5 = 21    21 y2 ≡ 1 (mod 5) ⇒ y2 = 1     3 x 21 x 1
  3   7    2    m/7 = 15    15 y3 ≡ 1 (mod 7) ⇒ y3 = 1     2 x 15 x 1
m = 105, x = -70 + 63 + 30 = 23.

Introduction Transparency No. An application of CRT
Instead of the binary representation, we can use m1, m2, …, mn (n pairwise relatively prime integers) as the base of an integer representation:
e.g.: let (m1, …, m5) = (19, 23, 29, 31, 41)
99 = (4, 7, 12, 6, 17)
88 = (12, 19, 1, 26, 6)
99 + 88 = (16, 3, 13, 1, 23)
99 x 88 = (10, 18, 12, 1, 20).
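The CRT construction from the proof (x = Σ ak Mk yk) and the residue representation of the application slide, as an added example that is not from the slides. It assumes Python 3.8+, whose built-in pow(M, -1, m) returns the modular inverse and raises ValueError when none exists; the pairwise-coprime check mirrors the theorem's hypothesis.

```python
from functools import reduce
from math import gcd
from typing import Sequence, Tuple

# The five pairwise relatively prime moduli used on the slide; their product
# 16107383 bounds the integers the representation can hold uniquely.
BASE = (19, 23, 29, 31, 41)


def crt(residues: Sequence[int], moduli: Sequence[int]) -> int:
    """Unique x mod m = m1*...*mn with x ≡ a_k (mod m_k) for all k.

    Built exactly as in the proof: M_k = m / m_k, y_k = M_k^-1 mod m_k,
    x = sum(a_k * M_k * y_k). Raises if the moduli are not pairwise coprime.
    """
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} share a factor")
    m = reduce(lambda x, y: x * y, moduli, 1)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        M_k = m // m_k
        y_k = pow(M_k, -1, m_k)        # inverse exists since gcd(M_k, m_k) = 1
        x += a_k * M_k * y_k
    return x % m


def to_rns(n: int, moduli: Sequence[int] = BASE) -> Tuple[int, ...]:
    """Residue representation (n mod m_1, ..., n mod m_n)."""
    return tuple(n % m for m in moduli)


def rns_add(u: Sequence[int], v: Sequence[int], moduli: Sequence[int] = BASE) -> Tuple[int, ...]:
    """Componentwise sum; Theorem 7(1) makes it the representation of u + v."""
    return tuple((x + y) % m for x, y, m in zip(u, v, moduli))


def rns_mul(u: Sequence[int], v: Sequence[int], moduli: Sequence[int] = BASE) -> Tuple[int, ...]:
    """Componentwise product; Theorem 7(2) makes it the representation of u * v."""
    return tuple((x * y) % m for x, y, m in zip(u, v, moduli))


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))                 # 23, the slide's example
    a, b = to_rns(99), to_rns(88)
    print(a, b)                                      # (4, 7, 12, 6, 17) (12, 19, 1, 26, 6)
    print(rns_add(a, b), rns_mul(a, b))              # the slide's sum and product tuples
    print(crt(rns_mul(a, b), BASE))                  # CRT recovers 8712 = 99 * 88
```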

Introduction Transparency No. Fermat's little theorem
p: prime, a ∈ N. Then 1. if p ∤ a then a^(p-1) ≡ 1 (mod p). Moreover, 2. for all a, a^p ≡ a (mod p).
Ex: 1. p = 17, a = 2 ⇒ 2^16 = 65536 = 3855 x 17 + 1 ⇒ 2^16 ≡ 1 (mod 17).
2. p = 3, a = 20 ⇒ 20^3 – 20 = 8000 – 20 = 7980 is a multiple of 3. Hence 20^3 ≡ 20 (mod 3).

Introduction Transparency No. Proof of Fermat's little theorem
Lemma: ∀ 1 ≤ i < j ≤ p-1, ia ≢ ja (mod p) and ia ≢ 0 (mod p).
Pf: ia ≡ ja (mod p) ⇒ p | (j - i) a. Since p ∤ a, p | (j - i). But 0 < j - i < p, so p ∤ (j - i), a contradiction.
1. The lemma means ia and ja have different remainders when divided by p. Hence a x 2a x … x (p-1)a ≡ 1 x 2 x … x (p-1) = (p-1)! (mod p) ⇒ (p-1)! a^(p-1) ≡ (p-1)! (mod p). Then p | (p-1)! (a^(p-1) – 1). ∵ p ∤ (p-1)!, p | (a^(p-1) – 1), and hence a^(p-1) ≡ 1 (mod p).
2. If p | a ⇒ p | a (a^(p-1) – 1) = a^p – a ⇒ a^p ≡ a (mod p). If p ∤ a ⇒ a^(p-1) ≡ 1 (mod p) ⇒ a^p ≡ a (mod p).
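The two ingredients of the proof (the lemma that a, 2a, …, (p-1)a permute 1..p-1 mod p, and the identity (p-1)! a^(p-1) ≡ (p-1)!) checked numerically, plus the theorem's contrapositive as a compositeness witness. This is an added example, not from the slides; the caveat it demonstrates is that the converse of the theorem fails (561 = 3 ∙ 11 ∙ 17 passes the test for base 2), so a passing check is not a proof of primality.

```python
from math import factorial


def fermat_permutation(a: int, p: int) -> bool:
    """The lemma: for prime p with p ∤ a, the residues of a, 2a, ..., (p-1)a
    mod p are a rearrangement of 1, ..., p-1 (fails when p is composite)."""
    residues = sorted((i * a) % p for i in range(1, p))
    return residues == list(range(1, p))


def fermat_identity_holds(a: int, p: int) -> bool:
    """Step 1 of the proof: (p-1)! * a^(p-1) ≡ (p-1)! (mod p)."""
    f = factorial(p - 1)
    return (f * pow(a, p - 1, p)) % p == f % p


def fermat_witness(n: int, a: int) -> bool:
    """True if a^(n-1) ≢ 1 (mod n), which by part 1 of the theorem proves n composite.
    False proves nothing: Carmichael numbers such as 561 pass for every coprime base."""
    return pow(a, n - 1, n) != 1


if __name__ == "__main__":
    print(fermat_permutation(2, 17), pow(2, 16, 17))   # True 1  (2^16 ≡ 1 mod 17, the slide's example)
    print(pow(20, 3, 3) == 20 % 3)                      # True    (part 2 with p = 3, a = 20)
    print(fermat_witness(91, 2))                        # True    (91 = 7 * 13 is composite)
    print(fermat_witness(561, 2))                       # False   (561 is composite, yet no witness)
```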

Introduction Transparency No. Public key encryption and RSA
Encryption: plain text M + public key → cipher text C
Decryption: cipher text C + private key → M'
Public key can be known to the public; private key is kept secret.

Introduction Transparency No. The RSA algorithm
p, q: two large primes (> 200 digits; 1024 digits recommended now)
n = pq
e = any number with gcd(e, (p-1)(q-1)) = 1
d = inverse of e (mod (p-1)(q-1)), i.e., de ≡ 1 (mod (p-1)(q-1))
public key = (n, e), private key = (n, d). Note: public and private keys are symmetric.
C = M^e (mod n) and M' = C^d (mod n).
Theorem: M' ≡ M (mod n).

Introduction Transparency No. Proof of the correctness of the RSA algorithm
M' = C^d ≡ (M^e)^d ≡ M^(de) ≡ M^(1 + k(p-1)(q-1)) (mod n) [∵ de ≡ 1 (mod (p-1)(q-1))]
Assume gcd(M,p) = gcd(M,q) = 1 (i.e., p ∤ M and q ∤ M; its probability is (p-1)(q-1)/pq ≈ 1, or we can let M < min(p,q)). Then
C^d = M ∙ (M^(p-1))^(k(q-1)) ≡ M ∙ 1^(k(q-1)) (mod p), and
C^d = M ∙ (M^(q-1))^(k(p-1)) ≡ M ∙ 1^(k(p-1)) (mod q) (by Fermat's little theorem)
∵ C^d - M is a multiple of both p and q ⇒ M' = C^d ≡ M (mod n).

Introduction Transparency No. Example
p = 43, q = 59 ⇒ n = pq = 43 ∙ 59 = 2537. Choose e = 13 with gcd(13, (43-1)(59-1) = 2436) = 1. d = 937 is an inverse of 13 mod 2436.
To transmit 'STOP' = 1819 1415: 2 blocks of length 4.
1819^13 mod 2537 = 2081, 1415^13 mod 2537 = 2182 ⇒ C = 2081 2182.
Receive ____ ____ ⇒ M'1 = ____^937 (mod 2537) = 0704, M'2 = ____^937 (mod 2537) = 1115 ⇒ M' = 0704 1115 = 'HELP'.
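The textbook RSA of the preceding slides with the slide's parameters (p = 43, q = 59, e = 13), as an added example that is not code from the slides. It assumes the letter encoding the example implies (A = 00, …, Z = 25, two letters per block) and Python 3.8+ for pow(e, -1, phi); the last function illustrates the following slide's point that the only hard step is factoring n, which for a 4-digit n is trivial by trial division. Textbook RSA without padding is for illustration only; it is not how RSA is used in practice.

```python
from math import gcd
from typing import List, Tuple


def rsa_keygen(p: int, q: int, e: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)) with d = e^-1 mod (p-1)(q-1), as on the RSA slide."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e = {e} is not relatively prime to (p-1)(q-1) = {phi}")
    return (n, e), (n, pow(e, -1, phi))


def encode_blocks(text: str) -> List[int]:
    """'STOP' -> [1819, 1415]: A = 00, ..., Z = 25, two letters per 4-digit block."""
    if len(text) % 2 or not (text.isalpha() and text.isupper()):
        raise ValueError("expected an even number of capital letters")
    nums = [ord(c) - ord("A") for c in text]
    return [100 * nums[i] + nums[i + 1] for i in range(0, len(nums), 2)]


def decode_blocks(blocks: List[int]) -> str:
    """Inverse of encode_blocks: [704, 1115] -> 'HELP'."""
    return "".join(chr(ord("A") + b // 100) + chr(ord("A") + b % 100) for b in blocks)


def rsa_encrypt(public_key: Tuple[int, int], blocks: List[int]) -> List[int]:
    """C = M^e mod n per block; blocks must be < n so decryption is exact."""
    n, e = public_key
    if any(not 0 <= m < n for m in blocks):
        raise ValueError("every block must be smaller than n")
    return [pow(m, e, n) for m in blocks]


def rsa_decrypt(private_key: Tuple[int, int], cipher: List[int]) -> List[int]:
    """M' = C^d mod n; the correctness proof gives M' ≡ M (mod n)."""
    n, d = private_key
    return [pow(c, d, n) for c in cipher]


def recover_private_key_by_factoring(public_key: Tuple[int, int]) -> Tuple[int, int]:
    """Step 1 of the 'why is it hard' slide (factor n) by trial division, then step 2
    (invert e). Instant for n = 2537; infeasible for the sizes the RSA slide recommends."""
    n, e = public_key
    p = next(f for f in range(2, n) if n % f == 0)
    return n, pow(e, -1, (p - 1) * (n // p - 1))


if __name__ == "__main__":
    public, private = rsa_keygen(43, 59, 13)          # ((2537, 13), (2537, 937))
    cipher = rsa_encrypt(public, encode_blocks("STOP"))
    print(cipher)                                      # [2081, 2182], as on the slide
    print(decode_blocks(rsa_decrypt(private, cipher)))  # STOP
    print(recover_private_key_by_factoring(public) == private)
```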

Introduction Transparency No. Why is it hard to break RSA?
Given the public key (e, n), to find (d, n) we need to:
1. decompose n into pq;
2. find the inverse d of e modulo (p-1)(q-1).
Step 2 is easy (quick, by the Euclidean algorithm). But step 1, the factorization of a large number, is computationally hard.