Theory of Computation Transparency No. 3-1 Chapter 3 Introduction to Number Theory and Its applications Cheng-Chia Chen.


Introduction Transparency No. 3-2. Outline: Division; Primes; gcd and lcm; Modular arithmetic; Chinese Remainder Theorem; Fermat's little theorem; The RSA algorithm.

Division. Def: let a, b ∈ Z with a ≠ 0. We say a divides b (written a | b) if there is a k ∈ Z such that b = ka. If a | b, then a is a factor (or divisor) of b, and b is a multiple of a. Ex: 3 | 12 (since 12 = 4 × 3); −4 | 8; 13 | 0 (since 0 = 0 × 13); but not 3 | 7.

Properties of |: 1. a | b and a | c ⇒ a | (b + c). 2. a | b ⇒ a | bc for all c ∈ Z. 3. | is reflexive: a | a for all nonzero a ∈ Z. 4. | is transitive: a | b and b | c ⇒ a | c. Proof: a | b and b | c give b = k1 a and c = k2 b for some k1, k2 ∈ Z, hence c = k2 (k1 a) = (k1 k2) a. 5. a | b and b | a ⇒ |a| = |b|.

Primes. An integer p > 1 is prime if for every n ∈ N+, n | p implies n = 1 or n = p; i.e., the only positive factors of p are 1 and p. An integer p > 1 that is not prime is composite. Examples: 7 is prime; the primes below 20 are 2, 3, 5, 7, 11, 13, 17, 19.

The fundamental theorem of arithmetic (FTA). For every integer n > 1 there is a unique non-decreasing sequence of primes p1 ≤ p2 ≤ … ≤ pk (k ≥ 1) such that n = p1 × p2 × … × pk. Ex: 100 = 2 × 2 × 5 × 5; 999 = 3 × 3 × 3 × 37.

Proof of FTA. (Existence) By strong induction on n. Basis: n = 2 is prime. Inductive step, n > 2: if n is prime then n = p1 with p1 = n and k = 1. If n is not prime then n = n1 × n2 with 1 < n1, n2 < n. By the induction hypothesis n1 = q1 × … × qt and n2 = r1 × … × rs, so n = n1 × n2 = q1 × … × qt × r1 × … × rs = p1 × … × p(s+t), where p1, …, p(s+t) is a non-decreasing reordering of q1, …, qt, r1, …, rs. (Uniqueness) Suppose n = p1 × … × pk × q1 × … × qs = p1 × … × pk × r1 × … × rt, where p1, …, pk are the primes common to both factorizations and q1 ≠ r1. Then n − n = p1 × … × pk × (q1 × … × qs − r1 × … × rt) ≠ 0, a contradiction (the last step is justified later, using Lemma 2).

Theorem 3. If n is composite then n has a divisor a with 1 < a ≤ √n. Proof: n composite ⇒ n = p × q with p, q > 1. If both p > √n and q > √n then pq > √n · √n = n, a contradiction; hence one of p, q is a factor ≤ √n. Example: 101 is prime. Proof: ⌊√101⌋ = 10, and none of the primes ≤ 10 (2, 3, 5, 7) is a factor of 101. (It suffices to test primes, since any factor a ≤ √n itself has a prime factor ≤ √n.)

The division algorithm. For all a ∈ Z and d ∈ N+ there exist unique q, r such that a = qd + r with 0 ≤ r < d. Def: in a = qd + r, d is the divisor, a the dividend, q the quotient and r the remainder. Examples: 101 = 11 ∙ 9 + 2; −11 = −4 ∙ 3 + 1 (the remainder is nonnegative even for a negative dividend; note that the % operator of many programming languages returns a negative value here, so it is not the same as this r). Note: d | a iff r = 0.

Proof of the division algorithm. Existence: consider the Z-indexed sequence …, a − 3d, a − 2d, a − d, a, a + d, a + 2d, a + 3d, … and let r = a − qd be its smallest nonnegative member. 1. Since the sequence is strictly increasing and unbounded in both directions, such a q (and r) exists and is unique. 2. If r ≥ d then r' = r − d = a − (q + 1) d ≥ 0 is another nonnegative member of the sequence smaller than r, a contradiction. Hence r < d. Uniqueness: if both (q, r) and (q', r') satisfy the condition, then r − r' = (q' − q) d (*). Since −d < r − r' < d and (q' − q) d is a multiple of d, (*) can hold only if r − r' = 0 and q − q' = 0. QED

gcd and lcm. Let a, b ∈ Z with ab ≠ 0. If d | a and d | b, then d is a common divisor of a and b. gcd(a, b) =def the greatest common divisor of a and b. Notes: 1. The set cd(a, b) = {x > 0 : x | a and x | b} is a finite subset of N+, since {1} ⊆ cd(a, b) ⊆ {1, …, min(|a|, |b|)}; hence gcd(a, b) exists. Ex: gcd(24, 36) = ? Factors of 24: 1, 2, 3, 4, 6, 8, 12, 24. Factors of 36: 1, 2, 3, 4, 6, 9, 12, 18, 36. So cd(24, 36) = {1, 2, 3, 4, 6, 12} and gcd(24, 36) = 12. 2. The same definitions (cd and gcd) extend to more than two arguments, e.g. cd(8, 12, 18) = {1, 2} and gcd(8, 12, 18) = 2.

Relatively prime. If gcd(a, b) = 1 we say a and b are relatively prime (r.p.). Ex: gcd(17, 22) = 1. a1, a2, …, an are pairwise r.p. if gcd(ai, aj) = 1 for all 1 ≤ i < j ≤ n. Ex: 10, 17, 21 are pairwise r.p.; 10, 19, 24 are not, since gcd(10, 24) = 2. Proposition 1: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yi ≥ 0, then gcd(a, b) = s =def p1^z1 p2^z2 … pn^zn where zi = min(xi, yi) for all 1 ≤ i ≤ n. Ex: 100 = 2^2 · 3^0 · 5^2 and 30 = 2^1 · 3^1 · 5^1 ⇒ gcd(100, 30) = 2^1 · 3^0 · 5^1 = 10.

lcm (least common multiple). Let a, b ∈ Z and c ∈ N+. If a | c and b | c, then c is a common multiple of a and b. lcm(a, b) =def the least common multiple of a and b. Note: the set cm(a, b) = {x > 0 : a | x and b | x} is nonempty, since |ab| ∈ cm(a, b); hence lcm(a, b) exists. Proposition 2: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yi ≥ 0, then lcm(a, b) = t =def p1^z1 p2^z2 … pn^zn where zi = max(xi, yi) for all 1 ≤ i ≤ n. Proof: since t ∈ cm(a, b), it suffices to show that t is a lower bound of cm(a, b). For every c ∈ cm(a, b), pi^xi | a | c and pi^yi | b | c, so pi^max(xi, yi) | c, and hence t = ∏ pi^zi | c. Theorem 5: gcd(a, b) · lcm(a, b) = ab for positive a, b (since min(xi, yi) + max(xi, yi) = xi + yi for every i).
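The definitions above (division algorithm, FTA factorization, the √n bound of Theorem 3, and gcd/lcm from prime exponents in Propositions 1 and 2) as runnable code. This is an added example written for these notes, not code from the original slides; function names are my own.

```python
# Added example (not from the original slides): the division algorithm,
# prime factorization (FTA), trial-division primality (Theorem 3) and
# gcd/lcm from prime exponents (Propositions 1 and 2).
from __future__ import annotations
from collections import Counter
from math import isqrt


def div_alg(a: int, d: int) -> tuple[int, int]:
    """Return (q, r) with a = q*d + r and 0 <= r < d, for any integer a and d > 0.
    Python's // and % floor, so r is never negative (unlike C's % on a negative a)."""
    if d <= 0:
        raise ValueError("divisor must be positive")
    q, r = divmod(a, d)
    assert a == q * d + r and 0 <= r < d
    return q, r


def factorize(n: int) -> list[int]:
    """Non-decreasing list of primes whose product is n (n > 1).
    Trial division by p only needs p*p <= (remaining) n, by Theorem 3."""
    if n <= 1:
        raise ValueError("n must be > 1")
    primes = []
    p = 2
    while p * p <= n:
        while n % p == 0:
            primes.append(p)
            n //= p
        p += 1
    if n > 1:            # the leftover cofactor has no factor <= its root, so it is prime
        primes.append(n)
    return primes


def is_prime(n: int) -> bool:
    """Trial division up to isqrt(n): a composite n has a factor a with 1 < a <= sqrt(n)."""
    if n < 2:
        return False
    return all(n % a for a in range(2, isqrt(n) + 1))


def gcd_lcm_by_exponents(a: int, b: int) -> tuple[int, int]:
    """gcd takes the min exponent of each prime, lcm the max (a, b > 1)."""
    ea, eb = Counter(factorize(a)), Counter(factorize(b))
    g = l = 1
    for p in set(ea) | set(eb):          # a prime missing from one side has exponent 0
        g *= p ** min(ea[p], eb[p])
        l *= p ** max(ea[p], eb[p])
    return g, l
```

`gcd_lcm_by_exponents` is the textbook construction, not the practical one: it needs the factorizations, which is exactly the problem the Euclidean algorithm avoids.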

Modular arithmetic. Def 8: for m ∈ N+ and a ∈ Z, a mod m =def the remainder of a divided by m (so 0 ≤ a mod m < m). Ex: 17 mod 5 = 2; −133 mod 9 = 2 (since −133 = (−15) · 9 + 2). Def 9: for a, b ∈ Z and m ∈ N+, a ≡ b (mod m) means m | (a − b); i.e., a and b have the same remainder when divided by m, i.e., a mod m = b mod m. We say a is congruent to b modulo m. Ex: 17 ≡ 5 (mod 6)? Yes, since 6 | 12. 24 ≡ 14 (mod 6)? No, since 6 ∤ 10.

Properties of congruence. Theorem 6: a ≡ b (mod m) iff a = km + b for some k ∈ Z. Proof: a ≡ b (mod m) ⇔ a − b = km ⇔ a = km + b. Theorem 7: If m > 0, a ≡ b (mod m) and c ≡ d (mod m), then (1) a + c ≡ b + d (mod m), (2) ac ≡ bd (mod m), (3) −a ≡ −b (mod m). Proof: by the premise, a = km + b and c = sm + d for some k, s. Then a + c = (b + d) + (k + s) m, ac = bd + (kd + sb + skm) m, and (−a) − (−b) = (−k) m, so (1), (2) and (3) hold. Ex: 7 ≡ 2 (mod 5) and 11 ≡ 1 (mod 5) ⇒ 18 ≡ 3, 77 ≡ 2 and −7 ≡ −2 (mod 5).

The Euclidean algorithm. Lemma 1: a = bq + r ⇒ gcd(a, b) = gcd(b, r). Proof: it suffices to show cd(a, b) = cd(b, r). For any integer d: d | a and d | b ⇒ d | r, since r = a − bq; and d | b and d | r ⇒ d | a, since a = bq + r. Hence cd(a, b) = cd(b, r), and gcd(a, b) = gcd(b, r). Notes: 1. If a = bq + 0 then gcd(a, b) = gcd(b, 0) = b. 2. Corollary: gcd(a, b) = gcd(b, c) whenever c is a linear combination (l.c.) of a and b and a is a l.c. of b and c.

A simple algorithm:
  gcd(a, b) // a, b ≥ 0
    if (b == 0) return a;
    else return gcd(b, a mod b);
Notes: 1. This algorithm is very efficient: O(log b) recursive calls (Lamé's theorem). 2. The (tail) recursion can be replaced by an iterative version:
  igcd(int a, int b) { // a, b ≥ 0
    while (b != 0) { // (a, b) ← (b, a mod b)
      int temp = a; a = b; b = temp % b;
    }
    return a;
  }

gcd(662, 414) = ?
  a     b     a = q · b + r          q    r
  662   414   662 = 1 × 414 + 248    1    248
  414   248   414 = 1 × 248 + 166    1    166
  248   166   248 = 1 × 166 + 82     1    82
  166   82    166 = 2 × 82 + 2       2    2
  82    2     82 = 41 × 2 + 0        41   0
∴ gcd(662, 414) = gcd(414, 248) = … = gcd(2, 0) = 2.

Theorem 1. For all a > b ≥ 0, gcd(a, b) = sa + tb for some s, t ∈ Z; i.e., gcd(a, b) is an integer linear combination of a and b. Proof: by strong induction on b. Basis b = 0: gcd(a, b) = a = 1 · a + 0 · b. Inductive case b > 0. Case 1, b | a: gcd(a, b) = b = 0 · a + 1 · b. Case 2, b ∤ a: gcd(a, b) = gcd(b, r) where 0 < r = a mod b < b. By the induction hypothesis gcd(b, r) = sb + tr. But r = a − bq, so gcd(a, b) = gcd(b, r) = sb + t(a − bq) = t a + (s − qt) b. QED. Conclusion: if step n of the algorithm is a_n = q_n b_n + r_n, the coefficients satisfy (s_n, t_n) = (t_{n+1}, s_{n+1} − q_n t_{n+1}).

Example: gcd(252, 198) = 18 = 4 · 252 + (−5) · 198. Sol: 252 = 1 · 198 + 54, 198 = 3 · 54 + 36, 54 = 1 · 36 + 18, 36 = 2 · 18 + 0; back-substituting, 18 = 54 − 36 = 54 − (198 − 3 · 54) = 4 · 54 − 198 = 4 · (252 − 198) − 198 = 4 · 252 − 5 · 198. Exercise: let L(a, b) = {sa + tb : s, t ∈ Z} be the set of all linear combinations of a and b. Show that gcd(a, b) is the smallest positive member of L(a, b). Proof: let g = gcd(a, b). By Theorem 1, g is a linear combination of a and b, so g ∈ L(a, b). Now let m = sa + tb be any positive member of L(a, b). Since g | a and g | b, we have g | sa + tb = m > 0, hence g ≤ m. So g is the least positive member of L(a, b). Theorem 1.1: gcd(a, b) is the least positive integer combination of a and b.

gcd(662, 414) = ? Running the algorithm and then back-substituting: gcd(662, 414) = gcd(414, 248) = … = gcd(2, 0) = 2 = 1 × 2 + 0 × 0 = … = (−5) × 662 + 8 × 414.
  n   a     b     q_n   s_n   t_n
  1   662   414   1     −5    8
  2   414   248   1     3     −5
  3   248   166   1     −2    3
  4   166   82    2     1     −2
  5   82    2     41    0     1
  6   2     0     -     1     0
The last row is the basis (s, t) = (1, 0); each earlier row is obtained from the one below it by s_n = t_{n+1} and t_n = s_{n+1} − q_n t_{n+1}, e.g. t_4 = s_5 − q_4 t_5 = 0 − 2 × 1 = −2 and t_1 = s_2 − q_1 t_2 = 3 − 1 × (−5) = 8. Check: (−5) × 662 + 8 × 414 = −3310 + 3312 = 2.

The extended gcd algorithm.
  // input: a ≥ b ≥ 0; output: (c, s, t) such that c = gcd(a, b) = s a + t b
  egcd(a, b) : Z^3 {
    if (b == 0) return (a, 1, 0);
    let (rlt, s, t) = egcd(b, a mod b);
    return (rlt, t, s − t * (a / b)); // a / b is the integer quotient q
  }
What is a non-recursive algorithm for egcd?

Non-recursive algorithm for egcd.
  // input: a ≥ b ≥ 0; output: (c, s, t) such that c = gcd(a, b) = s a + t b
  egcd(int a, int b) {
    Stack stk = new Stack();
    while (b != 0) {
      stk.push(a / b); // integer division; then (a, b) ← (b, a % b)
      int temp = a; a = b; b = temp % b;
    }
    int s = 1, t = 0, rlt = a;
    while (!stk.isEmpty()) {
      int q = stk.pop();
      (s, t) ← (t, s − q * t);
    }
    return (rlt, s, t);
  }
The quotients are stacked on the way down and replayed in reverse on the way up, which is exactly what the recursive version does with its call stack.

Lemma 1 and Lemma 2. Lemma 1: gcd(a, b) = 1 and a | bc ⇒ a | c. (Must remember!) Proof: gcd(a, b) = 1 ⇒ 1 = sa + tb for some s, t ∈ Z ⇒ c = sac + tbc = sac + tka (since a | bc, bc = ka for some k) = (sc + tk) · a, so a | c. Corollary 1': a | bc ⇒ (a/d) | c, where d = gcd(a, b). Lemma 2': p prime and p ∤ a ⇒ gcd(p, a) = 1. Proof: cd(p, a) ⊆ factors of p = {1, p}, but p is not a factor of a; hence gcd(p, a) = 1. Lemma 2: p prime and p | a1 a2 … an ⇒ p | ai for some i. Proof: by induction on n. Basis n = 1: trivial. Inductive case n = k + 1: p | a1 a2 … ak a(k+1). If p | a1 we are done. Otherwise p ∤ a1 and gcd(p, a1) = 1 by Lemma 2'. By Lemma 1, p | (a2 … a(k+1)), so p | ai for some 2 ≤ i ≤ k + 1 by the induction hypothesis.

Uniqueness of FTA. Proof: suppose there are two distinct sequences p1, …, ps and q1, …, qt with n = p1 × … × ps = q1 × … × qt. Removing the primes common to both sides leaves m =def p_i1 × … × p_iu = q_j1 × … × q_jv ≠ 1, where p_i ≠ q_j for every remaining p_i and q_j. Then p_i1 | m = q_j1 × … × q_jv, so by Lemma 2 p_i1 | q_j for some j, and since q_j is prime this forces p_i1 = q_j, a contradiction.

Theorem 2. If m > 0, ac ≡ bc (mod m) and gcd(m, c) = 1, then a ≡ b (mod m). Proof: ac ≡ bc (mod m) ⇒ m | (ac − bc) = (a − b) c. Since gcd(m, c) = 1, m | (a − b) by Lemma 1, so a ≡ b (mod m). Notes: 1. In general, ac ≡ bc (mod m) implies a ≡ b (mod m/d) where d = gcd(m, c). 2. If m is prime and c ≢ 0 (mod m) (so gcd(m, c) = 1), then ac ≡ bc (mod m) implies a ≡ b (mod m), just as in ordinary arithmetic.

Lemma 3: Let c be a positive integer; then gcd(ac, bc) = c · gcd(a, b). Proof: L(ca, cb) = {s · ca + t · cb : s, t ∈ Z} = {c · (sa + tb) : s, t ∈ Z} = c · L(a, b). By Theorem 1.1 the gcd is the least positive member of L, so gcd(ca, cb) = least positive member of c · L(a, b) = c × (least positive member of L(a, b)) = c × gcd(a, b). (Note that cd(ca, cb) is in general larger than {c × d : d ∈ cd(a, b)}, e.g. 2 ∈ cd(8, 12) but 2 is not 4 times a common divisor of 2 and 3, so the argument has to go through Theorem 1.1 rather than through the sets of common divisors.)

Lemma 4: Let a = p1^x1 p2^x2 … pm^xm and b = q1^y1 q2^y2 … qn^yn, where all pi and qj are primes and all xi, yj > 0. If {p1, …, pm} ∩ {q1, …, qn} = ∅, then gcd(a, b) = 1. Proof: assume gcd(a, b) ≠ 1 and let r be any prime factor of gcd(a, b). Then r | a and r | b. By Lemma 2 this means r is one of {p1, …, pm} and also one of {q1, …, qn}, so {p1, …, pm} ∩ {q1, …, qn} ≠ ∅, a contradiction. Hence gcd(a, b) = 1.

Proof of Proposition 1 for gcd. Proposition 1: If a = p1^x1 … pn^xn and b = p1^y1 … pn^yn, where p1 < … < pn are primes and all xi, yi ≥ 0, then gcd(a, b) = s =def p1^z1 … pn^zn where zi = min(xi, yi) for all 1 ≤ i ≤ n. Proof: let c = a/s and d = b/s. Then c = p1^(x1−z1) … pn^(xn−zn) ∈ Z and d = p1^(y1−z1) … pn^(yn−zn) ∈ Z. By Lemma 3, gcd(a, b) = s · gcd(c, d). For each i at least one of xi − zi and yi − zi is 0, so c and d have no common prime factor, and by Lemma 4, gcd(c, d) = 1. As a result, gcd(a, b) = s. Exercise: show that c is a factor of a = p1^x1 … pn^xn iff c = p1^y1 … pn^yn with 0 ≤ yk ≤ xk for all 1 ≤ k ≤ n.

Linear congruences. Ex: find an x such that 7x ≡ 2 (mod 5). Sol: x = 6 (7 · 6 = 42 ≡ 2). How to find it? Analogy: to solve ax = b over the rationals, let a^(−1) be the inverse of a (i.e. 1/a); then a^(−1) a x = a^(−1) b, so x = a^(−1) b = b/a. Def: equations of the form ax ≡ b (mod m) are called linear congruence equations. Def: given (a, m), any integer a' satisfying a a' ≡ 1 (mod m) is called an inverse of a (mod m). Ex: since 7 × 3 = 21 ≡ 1 (mod 5), 3 is an inverse of 7 mod 5. Hence x = 3 × 2 = 6 is a solution of 7x ≡ 2 (mod 5).

General solution of ax ≡ b (mod m). Proposition: if a a' ≡ 1 (mod m), then x = a'b + km (k ∈ Z) is the general solution of the congruence ax ≡ b (mod m). Proof: 1. aa' ≡ 1 ⇒ aa'b ≡ b ⇒ a(a'b + km) ≡ b (mod m), so a'b + km is a solution for every k ∈ Z. 2. If y is a solution, then ay ≡ b (mod m) ⇒ a'ay ≡ a'b (mod m) ⇒ y ≡ 1 · y ≡ a'ay ≡ a'b (mod m) ⇒ m | (y − a'b) ⇒ y = a'b + km for some k.

Theorem 3 (existence and uniqueness of the inverse). Let m > 0 and gcd(a, m) = 1. Then there is b ∈ Z such that 1. ab ≡ 1 (mod m), and 2. if ab ≡ ac [≡ 1] (mod m) then b ≡ c (mod m). Proof: 1. gcd(a, m) = 1, so by Theorem 1 there are b, t with ba + tm = 1; since ab − 1 = (−t) m, ab ≡ 1 (mod m). 2. Since gcd(a, m) = 1, by Theorem 2 we may cancel a from both sides. Note: Theorem 3 says that the inverse of a mod m exists and is unique modulo m (hence is well defined) whenever a and m are relatively prime. Conversely, if gcd(a, m) = d > 1 then no inverse exists, since d | ab and d | m would give d | 1.

Examples. Ex: find a such that 3a ≡ 1 (mod 7). Sol: since gcd(3, 7) = 1, the inverse of 3 (mod 7) exists and can be computed with the Euclidean algorithm: 7 = 3 × 2 + 1 ⇒ 1 = 7 − 2 × 3 = 1 × 7 + (−2) × 3 ⇒ 3 × (−2) ≡ 1 (mod 7) ⇒ a = −2 + 7k for all k ∈ Z (e.g. a = 5). Ex: find all solutions of 3x ≡ 4 (mod 7). Sol: −2 is an inverse of 3 (mod 7), so 3 × (−2) ≡ 1 (mod 7) ⇒ 3 × (−2) × 4 ≡ 1 × 4 (mod 7), giving the particular solution x = −8; the general solution is x = 4 × (−2) + 7k = −8 + 7k, k ∈ Z, i.e. x ≡ 6 (mod 7).
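The extended Euclidean algorithm of the previous slides (recursive and stack-free), the modular inverse of Theorem 3 built on it, and a solver for ax ≡ b (mod m) that also covers the case gcd(a, m) > 1 (Theorem 2, note 1), which the examples above leave aside. This is an added example written for these notes, not code from the original slides; the function names are my own.

```python
# Added example (not from the original slides): extended Euclid, the modular
# inverse, and the general linear-congruence solver. Inputs are a, b >= 0
# as on the slides; egcd_iter carries the coefficients forward instead of
# stacking the quotients.
from __future__ import annotations


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Recursive: (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    if b == 0:
        return (a, 1, 0)
    g, s, t = egcd(b, a % b)
    return (g, t, s - (a // b) * t)     # (s_n, t_n) = (t_{n+1}, s_{n+1} - q_n t_{n+1})


def egcd_iter(a: int, b: int) -> tuple[int, int, int]:
    """Iterative, no stack: keep two rows (r, s, t) and (r2, s2, t2) with the
    invariants r = s*a + t*b and r2 = s2*a + t2*b, and subtract q times the
    second row from the first, exactly as the quotients are produced."""
    r, r2, s, s2, t, t2 = a, b, 1, 0, 0, 1
    while r2 != 0:
        q = r // r2
        r, r2 = r2, r - q * r2
        s, s2 = s2, s - q * s2
        t, t2 = t2, t - q * t2
    return (r, s, t)


def modinv(a: int, m: int) -> int:
    """Inverse of a modulo m, reduced to [0, m); exists iff gcd(a, m) = 1 (Theorem 3)."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd is {g}")
    return s % m


def solve_linear_congruence(a: int, b: int, m: int) -> list[int]:
    """All solutions of a*x ≡ b (mod m) in [0, m).
    With d = gcd(a, m): no solution unless d | b; otherwise a/d has an
    inverse mod m/d, which gives one solution x0 mod m/d, and the d
    solutions mod m are x0 + k*(m/d) for k = 0..d-1."""
    g, s, _ = egcd(a % m, m)            # s*(a/g) + t*(m/g) = 1, so s inverts a/g mod m/g
    if b % g != 0:
        return []
    m1 = m // g
    x0 = (s * (b // g)) % m1
    return [x0 + k * m1 for k in range(g)]
```

`modinv` is what RSA key generation needs (d = e^(−1) mod (p−1)(q−1)); the `ValueError` path is the check that a chosen e is actually usable.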

The Chinese Remainder Theorem. Ex: find all integers x satisfying simultaneously x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7). Theorem 4: let m1, m2, …, mn be pairwise relatively prime. The system of congruences x ≡ a1 (mod m1), x ≡ a2 (mod m2), …, x ≡ an (mod mn) has a unique solution modulo m = m1 m2 … mn.

How the CRT problem is solved: an analogy. Find a polynomial f(x) of degree < n passing through n given points. Ex: find a polynomial of degree < 3 passing through (1, 2), (3, 5), (5, 4). Intuition: 1. For each point (ai, bi), i ∈ [1, n], construct a polynomial fi(x) of degree < n with the properties 1.1. fi(ai) = bi and 1.2. fi(ak) = 0 for all k ∈ [1, n] \ {i}. Suppose we can find all such fi(x); then F(x) = Σ_{j=1..n} fj(x) is the solution. Proof: F(ai) = fi(ai) + Σ_{k≠i} fk(ai) = bi + 0 for all i ∈ [1, n]. (This is Lagrange interpolation; the CRT proof below is the same construction with integers in place of polynomials and moduli in place of roots.)

Ex: find a polynomial of degree < 3 passing through (1, 2), (3, 5), (5, 4). Solution: 1. Find f1(x) with f1(1) = 2 and f1(3) = f1(5) = 0. f1 must have the factor (x − 3)(x − 5), so f1(x) = c1 (x − 3)(x − 5); since f1(1) = 2, 2 = c1 (1 − 3)(1 − 5), so c1 = 2 / ((1 − 3)(1 − 5)) and f1(x) = 2 (x − 3)(x − 5) / ((1 − 3)(1 − 5)). 2. Similarly f2(x) = 5 (x − 1)(x − 5) / ((3 − 1)(3 − 5)) and f3(x) = 4 (x − 1)(x − 3) / ((5 − 1)(5 − 3)), and F(x) = f1(x) + f2(x) + f3(x) is the solution.

Proof of the Chinese remainder theorem (CRT). Let Mk = m / mk for 1 ≤ k ≤ n. Note: 1. gcd(mk, Mk) = 1, and 2. mi | Mk if i ≠ k. Hence there are sk, yk with sk mk + yk Mk = 1, i.e. yk is an inverse of Mk mod mk. Now Mk yk ≡ 1 (mod mk) and Mk yk ≡ 0 (mod mj) for all j ≠ k. Let x = a1 M1 y1 + … + an Mn yn; then x ≡ a1 M1 y1 + … + an Mn yn ≡ ak Mk yk ≡ ak (mod mk) for all 1 ≤ k ≤ n.

Proof of the uniqueness part. If x and y both satisfy the equations, then x − y ≡ 0 (mod mk) for all k = 1..n, so there are s1, …, sn with x − y = s1 m1 = … = sn mn. Since gcd(mi, mk) = 1 for all i ≠ k and mk | s1 m1, we have mk | s1 for all k ≠ 1 (by Lemma 1). Hence, applying Lemma (*) repeatedly, s1 is a multiple of m2 m3 … mn, and x − y = s1 m1 is a multiple of m = m1 m2 … mn. Hence x ≡ y (mod m). QED. Lemma (*): if gcd(m, n) = 1, then m | s and n | s imply mn | s. Proof: m | s and n | s mean s = km = tn. Hence n | km, and since gcd(m, n) = 1 we have n | k (Lemma 1). Hence mn | km = s.

Example: find x with x ≡ (2, 3, 2) (mod (3, 5, 7)) respectively. Sol: m = 3 · 5 · 7 = 105.
  i   m_i   a_i   M_i = m / m_i   y_i = M_i^(−1) (mod m_i)         a_i M_i y_i
  1   3     2     35              35 y1 ≡ 1 (mod 3) ⇒ y1 = −1      2 × 35 × (−1) = −70
  2   5     3     21              21 y2 ≡ 1 (mod 5) ⇒ y2 = 1       3 × 21 × 1 = 63
  3   7     2     15              15 y3 ≡ 1 (mod 7) ⇒ y3 = 1       2 × 15 × 1 = 30
x = −70 + 63 + 30 = 23 (mod 105). Check: 23 mod 3 = 2, 23 mod 5 = 3, 23 mod 7 = 2.

An application of CRT. Instead of binary representation, we can use n pairwise relatively prime integers m1, m2, …, mn as the base of an integer representation: a ↦ (a mod m1, …, a mod mn), with addition and multiplication done component-wise (each component independently, so no carries). Ex: let (m1, …, m5) = (19, 23, 29, 31, 41). 99 = (4, 7, 12, 6, 17), 88 = (12, 19, 1, 26, 6); 99 + 88 = 187 = (16, 3, 13, 1, 23), 99 × 88 = (10, 18, 12, 1, 20). Problems: 1. How to detect whether a + b (or a × b) overflows, i.e. exceeds m1 m2 … mn, since the representation silently wraps modulo that product? 2. How to compare values (when is a < b)?
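The constructive CRT proof (x = Σ a_k M_k y_k) and the residue-number-system arithmetic of the last slide as code, including the silent wrap-around that the "overflow" question is about. This is an added example written for these notes, not code from the original slides; it uses Python's built-in `pow(M, -1, m)` for the modular inverse and the function names are my own.

```python
# Added example (not from the original slides): CRT reconstruction and
# residue-number-system (RNS) arithmetic over pairwise coprime moduli.
from __future__ import annotations
from math import gcd, prod


def crt(residues: list[int], moduli: list[int]) -> int:
    """Unique x in [0, m) with x ≡ a_k (mod m_k), m = product of the moduli."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    m = prod(moduli)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        M_k = m // m_k
        y_k = pow(M_k, -1, m_k)          # inverse of M_k mod m_k; exists since gcd(M_k, m_k) = 1
        x += a_k * M_k * y_k             # ≡ a_k (mod m_k), ≡ 0 (mod m_j) for j != k
    return x % m


def to_residues(n: int, moduli: list[int]) -> list[int]:
    """The RNS representation of n: its remainder modulo each base."""
    return [n % m for m in moduli]


def rns_add(u: list[int], v: list[int], moduli: list[int]) -> list[int]:
    """Component-wise addition; correct only while the true sum is below prod(moduli)."""
    return [(a + b) % m for a, b, m in zip(u, v, moduli)]


def rns_mul(u: list[int], v: list[int], moduli: list[int]) -> list[int]:
    """Component-wise multiplication, same caveat as rns_add."""
    return [(a * b) % m for a, b, m in zip(u, v, moduli)]
```

The last assertion in the test is the overflow problem from the slide: with the five moduli above the range is only [0, 16107383), and a value past it wraps with no indication, which is why a real RNS needs an explicit range check (or a redundant modulus) before results are trusted.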

Fermat's little theorem. Let a be any positive integer and p a prime number. 1. If gcd(p, a) = 1, then a^(p−1) ≡ 1 (mod p). 2. a^p ≡ a (mod p). Ex: 1. p = 17, a = 2: 2^16 = 65536 = 3855 × 17 + 1, so 2^16 ≡ 1 (mod 17). 2. p = 3, a = 20: 20^3 − 20 = 8000 − 20 = 7980 = 3 × 2660 is a multiple of 3, so 20^3 ≡ 20 (mod 3).

Proof of Fermat's little theorem. Lemma: for all 1 ≤ i < j ≤ p − 1, ia ≢ ja (mod p) and ia ≢ 0 (mod p). Proof: ia ≡ ja (mod p) ⇒ p | (j − i) a. Since gcd(p, a) = 1, p | (j − i); but 0 < j − i < p, so p does not divide (j − i), a contradiction. Similarly, since p ∤ i and gcd(p, a) = 1, p ∤ ia. The lemma says that a, 2a, …, (p − 1)a have pairwise different nonzero remainders when divided by p, so modulo p they are the numbers 1, 2, …, p − 1 in some order. Hence a × 2a × … × (p − 1)a ≡ 1 × 2 × … × (p − 1) = (p − 1)! (mod p), i.e. (p − 1)! a^(p−1) ≡ (p − 1)! (mod p). Then p | (p − 1)! (a^(p−1) − 1). Since p does not divide (p − 1)!, p | (a^(p−1) − 1) by Lemma 1, and hence a^(p−1) ≡ 1 (mod p). 2. If gcd(p, a) = p then 0 ≡ a ≡ a^p (mod p). If gcd(p, a) = 1 then a^(p−1) ≡ 1 (mod p) ⇒ a^p ≡ a (mod p).

Public key encryption and RSA. Plaintext M → Encryption (using the public key) → ciphertext C → Decryption (using the private key) → M'. The public key can be known to the public; the private key is kept secret.

The RSA algorithm. p, q: two large primes (a 768-bit n has been factored publicly, so an n of at least 2048 bits is recommended today). n = pq. e = any number with gcd(e, (p − 1)(q − 1)) = 1. d = the inverse of e mod (p − 1)(q − 1), i.e. de ≡ 1 (mod (p − 1)(q − 1)). Public key = (n, e); private key = (n, d). Note: the two keys play symmetric roles: what one exponent encrypts, the other decrypts (this is what makes signing with d and verifying with e possible). C = M^e mod n and M' = C^d mod n. Theorem: M' ≡ M (mod n). Hence if 0 ≤ M, M' < n, then M' = M.

Proof of the correctness of the RSA algorithm. M' = C^d ≡ (M^e)^d ≡ M^(de) ≡ M^(1 + k(p−1)(q−1)) (mod n) for some integer k, since de ≡ 1 (mod (p − 1)(q − 1)). Case 1: gcd(M, p) = 1. Then C^d = M · (M^(p−1))^(k(q−1)) ≡ M · 1^(k(q−1)) ≡ M (mod p) by Fermat's little theorem. Case 2: gcd(M, p) = p, i.e. M = mp for some integer m. Then C^d = (mp)^(k(p−1)(q−1)+1) ≡ 0 ≡ M (mod p). So in both cases C^d ≡ M (mod p) (1). Similarly C^d ≡ M (mod q) (2). Hence M' = C^d ≡ M (mod n): C^d − M is a multiple of p and of q, so it is a multiple of lcm(p, q) = pq = n (or, by the Chinese Remainder Theorem, M' is the only value in [0, n − 1] satisfying (1) and (2)).

Example: p = 43, q = 59 ⇒ n = pq = 43 · 59 = 2537. Choose e = 13, with gcd(13, (43 − 1)(59 − 1)) = gcd(13, 2436) = 1. d = 937 is an inverse of 13 mod 2436 (13 · 937 = 12181 = 5 · 2436 + 1). To transmit 'STOP' = 1819 1415 (A = 00, …, Z = 25; two letters per block of length 4): 1819^13 mod 2537 = 2081 and 1415^13 mod 2537 = 2182 ⇒ C = 2081 2182. Receiving a ciphertext C = C1 C2: M'1 = C1^937 mod 2537 = 0704 and M'2 = C2^937 mod 2537 = 1115 ⇒ M' = 0704 1115 = 'HELP'. Issue: how to compute C^937 mod 2537 quickly?
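Textbook RSA with the parameters of this example (p = 43, q = 59, e = 13, the 00..25 letter blocks), so every number on the slide can be checked. This is an added example written for these notes, not code from the original slides; it uses Python's `pow` for both the modular inverse and modular exponentiation, and the function names are my own. It is unpadded RSA, useful for seeing the arithmetic and nothing else (see the note after the code).

```python
# Added example (not from the original slides): textbook (unpadded) RSA on
# the slide's toy parameters. Blocks are integers in [0, n); letters are
# encoded A=00 .. Z=25, two letters per four-digit block, as on the slide.
from __future__ import annotations
from math import gcd


def rsa_keygen(p: int, q: int, e: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)) with d*e ≡ 1 (mod (p-1)(q-1)); fails if e is unusable."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                  # modular inverse via extended Euclid
    return (n, e), (n, d)


def text_to_blocks(text: str, block_letters: int = 2) -> list[int]:
    """'STOP' -> [1819, 1415]."""
    text = text.upper()
    if any(not "A" <= ch <= "Z" for ch in text):
        raise ValueError("letters A-Z only")
    if len(text) % block_letters:
        raise ValueError("pad the message to a whole number of blocks")
    codes = [ord(ch) - ord("A") for ch in text]
    return [int("".join(f"{c:02d}" for c in codes[i:i + block_letters]))
            for i in range(0, len(codes), block_letters)]


def blocks_to_text(blocks: list[int], block_letters: int = 2) -> str:
    """[704, 1115] -> 'HELP' (leading zeros restored: 704 is the block 0704)."""
    out = []
    for b in blocks:
        digits = f"{b:0{2 * block_letters}d}"
        out += [chr(ord("A") + int(digits[i:i + 2])) for i in range(0, len(digits), 2)]
    return "".join(out)


def rsa_apply(key: tuple[int, int], blocks: list[int]) -> list[int]:
    """C = M^e mod n with the public key, M = C^d mod n with the private key:
    the same operation, which is the 'symmetric roles' remark on the slide."""
    n, exp = key
    if any(not 0 <= m < n for m in blocks):
        raise ValueError("every block must lie in [0, n)")
    return [pow(m, exp, n) for m in blocks]
```

Two things this toy makes visible that matter in practice: encryption is deterministic (the same block always gives the same ciphertext, so an attacker can tabulate all 26² letter pairs), and any block ≥ n is simply rejected. Real RSA fixes both with randomized padding (OAEP for encryption, PSS for signatures) and moduli of at least 2048 bits.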

Why is it hard to break RSA? Given the public key (e, n), to find (d, n) we would need to: 1. decompose n into p × q; 2. find the inverse d of e modulo (p − 1)(q − 1). Step 2 is easy (the extended Euclidean algorithm is fast). But step 1, factoring a large n, is computationally hard: no efficient algorithm is known, although there is no proof that none exists, and attacks in practice usually target the implementation (weak key generation, missing padding, side channels) rather than the factoring problem itself.

How to compute b^n (mod m) for large n.
  mpow1(b, n, m) { // b, n, m: int; n ≥ 0; m > 0
    int rlt = 1;
    for (i = 0; i < n; i++) rlt = rlt * b;
    return rlt % m;
  }
Problem: rlt overflows quickly in the loop, since b^n does not fit in a machine word.
  mpow2(b, n, m) { // b, n, m: int; n ≥ 0; m > 0
    int rlt = 1;
    for (i = 0; i < n; i++) rlt = (rlt * b) % m;
    return rlt;
  }
Problem: no overflow now, but still n multiplications and n reductions, which is hopeless for exponents of hundreds of bits as in RSA.

How to compute b^n (mod m) for large n (cf. Section 3.6, page 226, Algorithm 5).
  mp(r, b, n, m) // returns r · b^n mod m, using tail recursion
    if (n == 0) return r % m;
    if (n == 2k + 1) return mp((r · b) % m, (b · b) % m, k, m); // r b^(2k+1) = (rb)(b · b)^k
    if (n == 2k > 0) return mp(r, (b · b) % m, k, m);
  mp3(b, n, m) { return mp(1, b, n, m); }
  mpower(b, n, m) { // non-recursive version of mp3 (and mp)
    int rlt = 1, power = b % m, n' = n;
    while (n' > 0) { // invariant: rlt · power^n' ≡ b^n (mod m)
      if (n' % 2 == 1) rlt = (rlt · power) % m;
      power = (power · power) % m;
      n' = n' / 2;
    }
    return rlt; // running time O(log n)
  }
Reducing mod m after every multiplication keeps every intermediate below m^2, which is what removes the overflow problem of mpow1, while halving n' each round gives the O(log n) bound.

Example: compute 3^644 mod 645 using mp3 (equivalently mpower). Note: 644 = (1010000100)_2. Each state is (rlt, power, n', m):
mp3(3, 644, 645) = mp(1, 3, 644, 645) ⇒ mp(1, 9, 322, 645) ⇒ mp(1, 81, 161, 645) ⇒ mp(81, 81^2 ≡ 111, 80, 645) ⇒ mp(81, 111^2 ≡ 66, 40, 645) ⇒ mp(81, 66^2 ≡ 486, 20, 645) ⇒ mp(81, 486^2 ≡ 126, 10, 645) ⇒ mp(81, 126^2 ≡ 396, 5, 645) ⇒ mp(81 × 396 ≡ 471, 396^2 ≡ 81, 2, 645) ⇒ mp(471, 81^2 ≡ 111, 1, 645) ⇒ mp(471 × 111 ≡ 36, 111^2 ≡ 66, 0, 645) = 36.
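Square-and-multiply as in mpower above, but recording the (rlt, power, n') states so the 3^644 mod 645 trace can be checked line by line, followed by the use a practitioner actually makes of Fermat's little theorem (the two slides on that theorem): the Fermat probable-prime test, together with the Carmichael number 561 that passes it for every coprime base. This is an added example written for these notes, not code from the original slides; the function names are my own.

```python
# Added example (not from the original slides): iterative square-and-multiply
# with an optional state trace, and the Fermat probable-prime test built on it.
from __future__ import annotations
from math import gcd


def mod_pow(b: int, n: int, m: int, trace: list[tuple[int, int, int]] | None = None) -> int:
    """b**n mod m with O(log n) multiplications; every intermediate is < m*m.
    If a list is passed as trace, the state (rlt, power, n') after each round is appended."""
    if n < 0 or m <= 0:
        raise ValueError("need n >= 0 and m > 0")
    rlt, power, n1 = 1 % m, b % m, n
    while n1 > 0:                         # invariant: rlt * power**n1 ≡ b**n (mod m)
        if n1 % 2 == 1:
            rlt = (rlt * power) % m
        power = (power * power) % m
        n1 //= 2
        if trace is not None:
            trace.append((rlt, power, n1))
    return rlt


def fermat_probable_prime(n: int, bases: tuple[int, ...] = (2, 3, 5, 7)) -> bool:
    """True if a**(n-1) ≡ 1 (mod n) for every base a in `bases`.
    Primes always pass (Fermat). A base sharing a factor with n exposes n at
    once via gcd. But a Carmichael number such as 561 = 3*11*17 passes for
    every base coprime to it, so this test alone must never be trusted;
    Miller-Rabin strengthens it by also checking the square roots of 1."""
    if n < 2:
        return False
    for a in bases:
        if a % n == 0:
            continue                      # skip bases that are 0 mod n (tiny n only)
        if gcd(a, n) != 1 or mod_pow(a, n - 1, n) != 1:
            return False
    return True
```

The assertions on 341 and 561 are the caveat: 341 = 11 · 31 passes with base 2 alone and fails with base 3, while 561 passes every base that does not share a factor with it, so a Fermat check with a handful of fixed bases is a filter, not a proof of primality.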