
Theory of Computation Transparency No. 3-1 Chapter 3 Introduction to Number Theory and Its applications Cheng-Chia Chen.


2 Outline
- Division
- Primes
- Gcd and Lcm
- Modular Arithmetic
- Chinese Remainder Theorem
- Fermat's little theorem
- The RSA algorithm

3 Division
Def: a, b ∈ Z with a ≠ 0. We say a divides b (written a | b) if ∃ k ∈ Z s.t. b = ka.
a | b ⇒ a is a factor (or divisor) of b and b is a multiple of a.
Ex: 3 | 12 (∵ 12 = 4 × 3); -4 | 8; 13 | 0 (0 = 0 × 13); not (3 | 7).

4 Properties of |
1. a | b /\ a | c ⇒ a | b + c
2. a | b ⇒ a | bc for all c ∈ Z
3. | is reflexive (a | a for all a ∈ Z)
4. | is transitive (a | b /\ b | c ⇒ a | c)
   pf: a | b /\ b | c ⇒ b = k_1 a and c = k_2 b for some k_1, k_2 ∈ Z ⇒ c = k_2 (k_1 a) = (k_1 k_2) a.
5. a | b /\ b | a ⇒ |a| = |b|

5 Primes
An integer p > 1 is said to be prime if ∀ n ∈ N+ (n | p ⇒ n = 1 \/ n = p). I.e., the only positive factors of p are 1 and p.
p > 1 and p is not prime ⇒ p is composite.
Examples: 7 is prime; primes < 20 include: 2, 3, 5, 7, 11, 13, 17, 19.

6 The fundamental theorem of arithmetic (FTA)
∀ n ∈ N+ with n > 1, there exists a unique increasing sequence of primes p_1 ≤ p_2 ≤ … ≤ p_k (k ≥ 1) s.t. n = p_1 × p_2 × … × p_k.
Ex: 100 = 2 × 2 × 5 × 5; 999 = 3 × 3 × 3 × 37.

7 Proof of FTA
(Existence) By Math. Ind. Basis: n = 1, 2 ok. Ind.: n > 1. If n is prime, then n = p_1, where p_1 = n and k = 1. If n is not prime then n = n_1 × n_2 with n_1, n_2 < n ⇒ by ind. hyp. n_1 = q_1 × q_2 × … × q_t and n_2 = r_1 × r_2 × … × r_s ⇒ n = n_1 × n_2 = q_1 × … × q_t × r_1 × … × r_s ⇒ n = p_1 × … × p_{s+t}, where p_1, …, p_{s+t} is an increasing reordering of q_1, …, q_t and r_1, …, r_s.
(Uniqueness) Let n = p_1 × … × p_k × q_1 × … × q_s = p_1 × … × p_k × r_1 × … × r_t where q_1 ≠ r_1 ⇒ n – n = p_1 × … × p_k × (q_1 × … × q_s – r_1 × … × r_t) ≠ 0 (a contradiction!! shown later).

8 Theorem 3
If n is composite ⇒ ∃ a ≤ √n s.t. a | n.
pf: n is composite ⇒ n = p × q with p, q > 1. If p > √n /\ q > √n ⇒ pq > √n · √n = n, a contradiction. Hence n must have a factor ≤ √n.
Example: 101 is a prime. pf: ⌊√101⌋ = 10, but no prime ≤ 10 is a factor of 101.

9 The division algorithm
∀ a ∈ Z, d ∈ N+, ∃! q, r s.t. a = qd + r where 0 ≤ r < d.
Def: if a = dq + r then d is called the divisor, a the dividend, q the quotient and r the remainder.
Examples: 101 = 11 · 9 + 2; -11 = -4 · 3 + 1.
Note: d | a iff r = 0.

10 Proof of the division algorithm
Existence: Consider the Z-indexed sequence: …, a-3d, a-2d, a-d, a, a-(-d), a-(-2d), a-(-3d), …
Let r = a – qd be the smallest nonnegative number in the sequence.
1. Since the sequence is strictly increasing toward infinity, such q (and r) must exist and be unique.
2. If r ≥ d ⇒ r' = r - d = a – (q+1)d ≥ 0 is another nonnegative number in the sequence smaller than r. That's a contradiction. Hence r must be < d.
Uniqueness: If both (q, r) and (q', r') satisfy the condition, then r – r' = (q' - q)d (*). Since –d < r - r' < d and (q' - q)d is a multiple of d, (*) holds only if r - r' = 0 = q - q'. QED

11 gcd and lcm
∀ a, b ∈ Z, ab ≠ 0. If d | a and d | b ⇒ d is a common divisor of a and b.
gcd(a, b) =def the greatest common divisor of a and b.
Notes:
1. The set cd(a, b) = {x > 0 : x | a and x | b} is a finite subset of N+ (∵ {1} ⊆ cd ⊆ {1, …, min(a, b)}) ⇒ gcd(a, b) must exist.
   Ex: gcd(24, 36) = ? factors of 24: 1, 2, 3, 4, 6, 12, 24; factors of 36: 1, 2, 3, 4, 6, 9, 12, 18, 36 ⇒ cd(24, 36) = {1, 2, 3, 4, 6, 12} ⇒ gcd(24, 36) = 12.
2. The same definition (cd and gcd) can be extended to more than two arguments. (Ex: cd(8, 12, 18) = {1, 2} and gcd(8, 12, 18) = 2.)

12 Relatively prime
If gcd(a, b) = 1 we say a and b are relatively prime (r.p.). Ex: gcd(17, 22) = 1.
a_1, a_2, …, a_n are pairwise r.p. if gcd(a_i, a_j) = 1 for all 1 ≤ i < j ≤ n. Ex: 10, 17, 21 are p.r.p.; 10, 19, 24 are not p.r.p. since gcd(10, 24) = 2.
Proposition 1: If a = p_1^x_1 p_2^x_2 … p_n^x_n and b = p_1^y_1 p_2^y_2 … p_n^y_n, where p_1 < p_2 < … < p_n are primes and all x_i, y_j ≥ 0, then gcd(a, b) = s =def p_1^z_1 p_2^z_2 … p_n^z_n where z_i = min(x_i, y_i) for all 0 ≤ i ≤ n.
Ex: 100 = 2^2 3^0 5^2 and 30 = 2^1 3^1 5^1 ⇒ gcd(100, 30) = 2^1 3^0 5^1.

13 lcm (least common multiple)
∀ a, b ∈ Z, c ∈ N+: if a | c and b | c ⇒ c is a common multiple of a and b.
lcm(a, b) =def the least common multiple of a and b.
Note: The set cm(a, b) = {x > 0 : a | x and b | x} ≠ ∅ (∵ {a·b} ⊆ cm) ⇒ lcm(a, b) must exist.
Proposition 2: If a = p_1^x_1 p_2^x_2 … p_n^x_n and b = p_1^y_1 p_2^y_2 … p_n^y_n, where p_1 < p_2 < … < p_n are primes and all x_i, y_j ≥ 0, then lcm(a, b) = t =def p_1^z_1 p_2^z_2 … p_n^z_n where z_i = max(x_i, y_i) for all 0 ≤ i ≤ n.
pf: Since t ∈ cm(a, b), it suffices to show t is a lower bound of cm(a, b). ∀ c ∈ cm(a, b), p_i^x_i | a | c and p_i^y_i | b | c ⇒ p_i^max(x_i, y_i) | c ⇒ t = ∏ p_i^z_i | c.
Theorem 5: gcd(a, b) · lcm(a, b) = ab.

14 Modular Arithmetic
Def 8: m ∈ N+, a ∈ Z. a mod m =def the remainder of a divided by m. Ex: 17 mod 5 = 2; -133 mod 9 = 2.
Def 9: a, b ∈ Z, m ∈ N+. a ≡ b (mod m) means m | (a - b), i.e., a and b have the same remainder when divided by m, i.e., a mod m = b mod m. We say a is congruent to b (modulo m).
Ex: 17 ≡ 5 (mod 6)? 24 ≡ 14 (mod 6)?

15 Properties of congruence
Theorem 6: a ≡ b (mod m) iff a = km + b for some k ∈ Z. pf: a ≡ b (mod m) ⇔ (a - b) = km ⇔ a = km + b.
Theorem 7: If m > 0, a ≡ b (mod m) and c ≡ d (mod m), then (1) a + c ≡ b + d (mod m), (2) ac ≡ bd (mod m), (3) -a ≡ -b (mod m).
pf: By the premise, a = km + b and c = sm + d for some k, s ⇒ a + c = (b + d) + (k + s)m, ac = bd + (kd + sb + skm)m, and (-a - (-b)) = (-k)m ⇒ (1), (2) and (3) hold.
Ex: 7 ≡ 2 (mod 5), 11 ≡ 1 (mod 5) ⇒ 18 ≡ 3, 77 ≡ 2 and -7 ≡ -2 (mod 5).

16 The Euclidean Algorithm
Lemma 1: a = bq + r ⇒ gcd(a, b) = gcd(b, r).
pf: It suffices to show that cd(a, b) = cd(b, r). But for any integer d: d | a /\ d | b ⇒ d | r since r = a - bq, and d | b /\ d | r ⇒ d | a since a = bq + r. Hence cd(a, b) = cd(b, r), and gcd(a, b) = gcd(b, r).
Note:
1. If a = bq + 0 ⇒ gcd(a, b) = gcd(b, 0) = b.
2. Corollary: gcd(a, b) = gcd(b, c) if a is a linear combination (l.c.) of b and c, and c is a l.c. of a and b.

17 A simple algorithm:
  gcd(a, b) { // a, b ≥ 0
    if (b == 0) return a;
    else return gcd(b, a mod b);
  }
Notes:
1. This algorithm is very efficient (O(log b) by Lamé's lemma).
2. The (tail) recursion of the above algorithm can be replaced by an iterative version as follows:
  igcd(int a, int b) { // a, b ≥ 0
    while (b != 0) { // (a, b) ← (b, a % b)
      int temp = a; a = b; b = temp % b;
    }
    return a; // b == 0 here, so a is the gcd
  }

18 gcd(662, 414) = ?
∴ gcd(662, 414) = gcd(414, 248) = … = gcd(2, 0) = 2.
  a   | b   | a = qb + r          | q  | r
  662 | 414 | 662 = 1 × 414 + 248 | 1  | 248
  414 | 248 | 414 = 1 × 248 + 166 | 1  | 166
  248 | 166 | 248 = 1 × 166 + 82  | 1  | 82
  166 | 82  | 166 = 2 × 82 + 2    | 2  | 2
  82  | 2   | 82 = 41 × 2 + 0     | 41 | 0
  2   | 0   |                     |    |

19 Theorem 1
∀ a > b ≥ 0, gcd(a, b) = sa + tb for some s, t ∈ Z, i.e., gcd(a, b) is a linear integer combination of a and b.
Pf: By induction on b. Basis: b = 0 ⇒ gcd(a, b) = a = 1 · a + 0 · b. Inductive case: b > 0. Case 1: b | a ⇒ gcd(a, b) = b = 0 · a + 1 · b. Case 2: b ∤ a ⇒ gcd(a, b) = gcd(b, r) where 0 ≤ r = a mod b < b. By I.H. gcd(b, r) = sb + tr. But r = a - bq ∴ gcd(a, b) = gcd(b, r) = sb + tr = sb + t(a – bq) = ta + (s – qt)b. QED
Conclusion: (s_n, t_n) = (t_{n+1}, s_{n+1} – q_n t_{n+1}).

20 Example
gcd(252, 198) = 18 = ___ · 252 + ___ · 198. Sol: (exercise)
Exercise: Let L(a, b) = {sa + tb | s, t ∈ Z} be the set of all linear combinations of a and b. Show that gcd(a, b) = the smallest positive member of L(a, b).
pf: Let g = gcd(a, b). By Theorem 1, g is a linear combination of a and b. Hence g ∈ L(a, b). Now let m = sa + tb be any positive number in L(a, b). Then since g | a and g | b, we have g | sa + tb = m > 0 and hence g ≤ m. As a result g is the least positive member of L(a, b).
Theorem 1.1: gcd(a, b) is the least positive integer combination of a and b.

21 gcd(662, 414) = ?
∴ gcd(662, 414) = gcd(414, 248) = … = gcd(2, 0) = 2 = 1 × 2 + 0 × 0 = … = -5 × 662 + 8 × 414.
Back-substitution uses s_n = t_{n+1} and t_n = s_{n+1} - q_n t_{n+1}, starting from (s_6, t_6) = (1, 0):
  n | a   | b   | a = qb + r          | q  | r   | s_n | t_n
  1 | 662 | 414 | 662 = 1 × 414 + 248 | 1  | 248 | -5  | 8 = 3 - 1 × (-5)
  2 | 414 | 248 | 414 = 1 × 248 + 166 | 1  | 166 | 3   | -5 = -2 - 1 × 3
  3 | 248 | 166 | 248 = 1 × 166 + 82  | 1  | 82  | -2  | 3 = 1 - 1 × (-2)
  4 | 166 | 82  | 166 = 2 × 82 + 2    | 2  | 2   | 1   | -2 = 0 - 2 × 1
  5 | 82  | 2   | 82 = 41 × 2 + 0     | 41 | 0   | 0   | 1 = 1 - 41 × 0
  6 | 2   | 0   |                     |    |     | 1   | 0

22 The extended gcd algorithm
  // input: a ≥ b ≥ 0
  // output: (c, s, t) s.t. c = gcd(a, b) = s a + t b
  egcd(a, b) : Z^3 {
    if (b == 0) { return (a, 1, 0); }
    let (rlt, s, t) = egcd(b, a mod b);
    return (rlt, t, s – t * (a / b)); // a / b is integer division
  }
What is a non-recursive algorithm for egcd?

23 Non-recursive algorithm for egcd
  // input: a ≥ b ≥ 0
  // output: (c, s, t) s.t. c = gcd(a, b) = s a + t b
  Egcd(int a, int b) {
    Stack<Integer> qs = new Stack<>(); // quotients q_1, q_2, … (innermost on top)
    while (b != 0) {
      qs.push(a / b); // integer division
      int temp = a; a = b; b = temp % b; // (a, b) ← (b, a % b)
    }
    int s = 1, t = 0, rlt = a;
    while (!qs.isEmpty()) {
      int q = qs.pop();
      int temp = s; s = t; t = temp – q * t; // (s, t) ← (t, s – q * t)
    }
    return (rlt, s, t);
  }
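As an added example (not the slides' own code), here is the extended Euclidean algorithm of slides 22 and 23 in Python, both recursively and in a stack-free iterative form that carries the coefficients forward, together with the division trace of slide 18 and the modular-inverse use of slides 30 to 33; all function names are my own.

```python
# Added example: extended Euclid (slides 22/23) and modular inverses (slides 30-33).

def egcd_recursive(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b, for a, b >= 0."""
    if b == 0:
        return (a, 1, 0)
    g, s, t = egcd_recursive(b, a % b)
    # Unwinding one step: gcd(b, r) = s*b + t*r with r = a - q*b, q = a // b,
    # gives gcd(a, b) = t*a + (s - q*t)*b (Theorem 1, slide 19).
    return (g, t, s - t * (a // b))


def egcd_iterative(a, b):
    """Same result without recursion or a quotient stack: keep, for the
    current pair (a, b), its expression in terms of the original inputs."""
    s_a, t_a = 1, 0   # a == s_a*a0 + t_a*b0
    s_b, t_b = 0, 1   # b == s_b*a0 + t_b*b0
    while b != 0:
        q = a // b
        a, b = b, a - q * b                  # (a, b) <- (b, a mod b)
        s_a, s_b = s_b, s_a - q * s_b        # coefficients follow the same step
        t_a, t_b = t_b, t_a - q * t_b
    return (a, s_a, t_a)


def division_trace(a, b):
    """Rows (a, b, q, r) of the table on slide 18, one per Euclidean step."""
    rows = []
    while b != 0:
        q, r = divmod(a, b)
        rows.append((a, b, q, r))
        a, b = b, r
    return rows


def mod_inverse(a, m):
    """Inverse of a modulo m in [0, m) (Theorem 3, slide 32);
    None when gcd(a, m) != 1, since then no inverse exists."""
    g, s, _ = egcd_iterative(a % m, m)
    if g != 1:
        return None
    return s % m   # s*a + t*m = 1  =>  s*a ≡ 1 (mod m); normalise the sign
```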

24 Lemma 1 and Lemma 2
Lemma 1: gcd(a, b) = 1 /\ a | bc ⇒ a | c. (must remember!)
pf: gcd(a, b) = 1 ⇒ 1 = sa + tb for some s, t ∈ Z ⇒ c = sac + tbc = sac + tka (∵ a | bc, so bc = ka) = (sc + tk) · a ∴ a | c.
Corollary 1': a | bc ⇒ a/d | c, where d = gcd(a, b).
Lemma 2': p prime /\ p ∤ a ⇒ gcd(p, a) = 1. Pf: cd(p, a) ⊆ factors of p = {1, p}, but p is not a factor of a. Hence gcd(p, a) = 1.
Lemma 2: p prime /\ p | a_1 a_2 … a_n ⇒ p | a_i for some i.
Pf: By ind. on n. Basis: n = 1, trivial. Ind. case: n = k + 1, p | a_1 a_2 … a_k a_{k+1}. If p | a_1 we are done. O/W p ∤ a_1 and gcd(p, a_1) = 1 by Lem 2'. By Lem 1: p | (a_2 … a_{k+1}) ⇒ p | a_i for some 2 ≤ i ≤ k+1 by IH.

25 Uniqueness of FTA
Pf: Suppose ∃ two distinct sequences p_1, …, p_s and q_1, …, q_t with n = p_1 × … × p_s = q_1 × … × q_t. Removing all common primes on both sides: m =def p_{i1} × … × p_{iu} = q_{j1} × … × q_{jv} ≠ 1 where p_i ≠ q_j for all remaining p_i and q_j. ⇒ p_{i1} | m = q_{j1} × … × q_{jv} ⇒ p_{i1} | q_j for some j (a contradiction!!).

26 Theorem 2
m > 0 /\ ac ≡ bc (mod m) /\ gcd(m, c) = 1 ⇒ a ≡ b (mod m).
Pf: ac ≡ bc (mod m) ⇒ m | (ac – bc) = (a – b)c. ∵ gcd(m, c) = 1 ∴ m | (a – b) ∴ a ≡ b (mod m).
Notes:
1. In general we have: ac ≡ bc (mod m) implies a ≡ b (mod m/d) where d = gcd(m, c).
2. If m is a prime and not (c ≡ 0 (mod m)) [⇒ gcd(m, c) = 1], then ac ≡ bc implies a ≡ b (mod m), like ordinary arithmetic.

27 Lemma 3: Let c be a positive integer; then gcd(ac, bc) = c gcd(a, b).
pf: It is easy to see that d is a common divisor of (a, b) iff c × d is a common divisor of (ca, cb). Hence cd(ca, cb) = {c × d | d ∈ cd(a, b)} and gcd(ca, cb) = max {c × d | d ∈ cd(a, b)} = c × gcd(a, b).

28 Lemma 4: Let a = p_1^x_1 p_2^x_2 … p_m^x_m and b = q_1^y_1 q_2^y_2 … q_n^y_n where all p_i's and q_j's are primes and all x_i, y_j > 0. If {p_1, …, p_m} ∩ {q_1, …, q_n} = ∅, then gcd(a, b) = 1.
pf: Assume gcd(a, b) ≠ 1 and let r be any prime factor of gcd(a, b). Then we have r | a and r | b. But, by Lemma 2, this implies r must be one of {p_1, …, p_m} and one of {q_1, …, q_n}. This implies {p_1, …, p_m} ∩ {q_1, …, q_n} ≠ ∅, a contradiction! Hence gcd(a, b) = 1.

29 Proof of Proposition 1 for gcd
Proposition 1: If a = p_1^x_1 p_2^x_2 … p_n^x_n and b = p_1^y_1 p_2^y_2 … p_n^y_n, where p_1 < p_2 < … < p_n are primes and all x_i, y_j ≥ 0, then gcd(a, b) = s =def p_1^z_1 p_2^z_2 … p_n^z_n where z_i = min(x_i, y_i) for all 0 ≤ i ≤ n.
pf: Let c = a/s and d = b/s. Then c = p_1^x_1 p_2^x_2 … p_n^x_n / p_1^z_1 p_2^z_2 … p_n^z_n ∈ Z and d = p_1^y_1 p_2^y_2 … p_n^y_n / p_1^z_1 p_2^z_2 … p_n^z_n ∈ Z. Hence by Lemma 3, gcd(a, b) = s gcd(c, d). But since c and d have no common prime factor, by Lemma 4, gcd(c, d) = 1. As a result, gcd(a, b) = s.
Exercise: Show that c is a factor of a = p_1^x_1 p_2^x_2 … p_n^x_n iff c = p_1^y_1 p_2^y_2 … p_n^y_n where x_k ≥ y_k ≥ 0 for all n ≥ k ≥ 0.

30 Linear Congruence
Ex: Find an x such that 7x ≡ 2 (mod 5). Sol: x = 6. How to find?
Analog: how to solve the equation ax = b? Let a^-1 be the inverse of a (i.e. 1/a) ⇒ a^-1 ax = a^-1 b ⇒ x = a^-1 b = b/a.
Def: Equations of the form ax ≡ b (mod m) are called linear congruence equations.
Def: Given (a, m), any integer a' satisfying the condition a a' ≡ 1 (mod m) is called an inverse of a (mod m).
Ex: Since 7 × 3 ≡ 1 (mod 5), 3 is an inverse of 7 mod 5. Hence 3 × 2 = 6 is a solution of 7x ≡ 2 (mod 5).

31 General solution of ax ≡ b (mod m)
Proposition: a a' ≡ 1 (mod m) ⇒ x = a' b + km is the general solution of the congruence equation ax ≡ b (mod m).
Pf: 1. aa' ≡ 1 ⇒ aa' b ≡ b ⇒ a (a' b + km) ≡ b (mod m) ⇒ a' b + km is a solution for any k ∈ Z.
2. y is a solution ⇒ ay ≡ b (mod m) ⇒ a' ay ≡ a' b (mod m) ⇒ 1 · y ≡ a' ay ≡ a' b (mod m) ⇒ y ≡ a' b (mod m) ⇒ m | (y – a' b) ⇒ y = a' b + km for some k.

32 Theorem 3 (uniqueness of inverse)
m > 0, gcd(a, m) = 1. Then ∃ b ∈ Z s.t. 1. ab ≡ 1 (mod m); 2. if ab ≡ ac [≡ 1] ⇒ b ≡ c (mod m).
Pf: 1. gcd(a, m) = 1. Then ∃ b, t with ba + tm = 1. Since ab – 1 = (-t)m, ab ≡ 1 (mod m). 2. Since gcd(a, m) = 1, by Theorem 2 we can divide a from both sides.
Note: Theorem 3 means that the inverse of a mod m uniquely exists (and hence is well defined) if a and m are relatively prime.

33 Examples
Ex: Find a s.t. 3a ≡ 1 (mod 7). Sol: since gcd(3, 7) = 1, the inverse of 3 (mod 7) exists and can be computed by the Euclidean algorithm: 7 = 3 × 2 + 1 ⇒ 1 = 7 + 3 (-2) ⇒ 3 (-2) ≡ 1 (mod 7) ⇒ a = -2 + 7k for all k ∈ Z.
Ex: Find all solutions of 3x ≡ 4 (mod 7). Sol: -2 is an inverse of 3 (mod 7). Hence 3 (-2) ≡ 1 (mod 7) ⇒ 3 (-2) 4 ≡ 1 · 4 (mod 7) -- particular solution ⇒ x = 4 (-2) + 7k where k ∈ Z is the general solution of x.

34 The Chinese Remainder Theorem
Ex: Find all integers x satisfying the equations simultaneously: x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).
Theorem 4: m_1, m_2, …, m_n pairwise relatively prime. The system of congruence equations x ≡ a_1 (mod m_1), x ≡ a_2 (mod m_2), …, x ≡ a_n (mod m_n) has a unique solution modulo m = m_1 m_2 … m_n.

35 How the CRT problem is solved
Find a polynomial f(x) of degree < n passing through n points. Ex: Find a polynomial of degree < 3 passing through (1, 2), (3, 5), (5, 4).
Intuition: 1. For each point (a_i, b_i) where i ∈ [1, n], construct a polynomial f_i(x) of degree < n with the properties: 1.1. f_i(a_i) = b_i and 1.2. f_i(a_k) = 0 for all k ∈ [1, n] \ {i}. Suppose we can find all such f_i(x)'s; then F(x) = Σ_{j=1..n} f_j(x) is the solution.
pf: F(a_i) = f_i(a_i) + Σ_{k≠i} f_k(a_i) = b_i + 0 for all i ∈ [1, n].

36 Ex: Find a polynomial of degree < 3 passing through (1, 2), (3, 5), (5, 4).
Solution: 1. Find f_1(x) with f_1(1) = 2 and f_1(3) = f_1(5) = 0 ⇒ f_1(x) must have a factor (x-3)(x-5), so f_1(x) = c1 (x-3)(x-5) ⇒ since f_1(1) = 2, 2 = c1 (1-3)(1-5) ⇒ c1 = 2 / ((1-3)(1-5)) ⇒ f_1(x) = 2 (x-3)(x-5) / ((1-3)(1-5)).
2. Similarly, f_2(x) = 5 (x-1)(x-5) / ((3-1)(3-5)) and f_3(x) = 4 (x-1)(x-3) / ((5-1)(5-3)), and F(x) = f_1(x) + f_2(x) + f_3(x) is the solution.

37 Proof of the Chinese remainder theorem (CRT)
Pf: Let M_k = m / m_k for 1 ≤ k ≤ n. Note: 1. gcd(m_k, M_k) = 1 and 2. m_i | M_k if i ≠ k. Hence ∃ s_k, y_k s.t. s_k m_k + y_k M_k = 1, i.e., y_k is an inverse of M_k mod m_k. Now M_k y_k ≡ 1 (mod m_k) and M_k y_k ≡ 0 (mod m_j) for all j ≠ k. Let x = a_1 M_1 y_1 + … + a_n M_n y_n; then x ≡ a_1 M_1 y_1 + … + a_n M_n y_n ≡ a_k M_k y_k ≡ a_k (mod m_k) for all 1 ≤ k ≤ n.

38 Proof of the uniqueness part
If x and y satisfy the equations, then x - y ≡ 0 (mod m_k) for all k = 1..n ⇒ ∃ s_1, …, s_n with x - y = s_1 m_1 = … = s_n m_n. Since gcd(m_i, m_k) = 1 for all i ≠ k and m_k | s_1 m_1, we have m_k | s_1 for all k ≠ 1. Hence, by Lem(*), s_1 is a multiple of m_2 m_3 … m_n and x - y = s_1 m_1 is a multiple of m = m_1 m_2 … m_n. Hence x ≡ y (mod m). QED
Lem(*): If gcd(m, n) = 1, then m | s and n | s implies mn | s. pf: m | s and n | s means s = km = tn. Hence n | km. But since (m, n) = 1, we have n | k. Hence mn | km = s.

39 Example
Find x ≡ (2, 3, 2) (mod (3, 5, 7)) respectively.
Sol:
  i | m_i | a_i | M_i        | y_i = M_i^-1 (mod m_i)          | a_i M_i y_i
  1 | 3   | 2   | m/3 = 35   | 35 y_1 ≡ 1 (mod 3) ⇒ y_1 = -1   | 2 × 35 × (-1) = -70
  2 | 5   | 3   | m/5 = 21   | 21 y_2 ≡ 1 (mod 5) ⇒ y_2 = 1    | 3 × 21 × 1 = 63
  3 | 7   | 2   | m/7 = 15   | 15 y_3 ≡ 1 (mod 7) ⇒ y_3 = 1    | 2 × 15 × 1 = 30
m = 105, x = -70 + 63 + 30 = 23.

40 An application of CRT
Instead of using binary representation, we can use m_1, m_2, …, m_n (n pairwise relatively primes) as the base of integer representations:
Ex: let (m_1, …, m_5) = (19, 23, 29, 31, 41).
  99 = (4, 7, 12, 6, 17)
  88 = (12, 19, 1, 26, 6)
  ----------------------------------------------------------------
  99 + 88 = (16, 3, 13, 1, 23)
  99 × 88 = (10, 18, 12, 1, 20)
Problems: 1. How to detect if a + b (or a × b) overflows? 2. How to compare values (when will a < b)?
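Added example, not from the slides: the constructive proof of slide 37 written out as Python, checked against the system of slide 39, then the residue-number arithmetic of slide 40 with the answer reconstructed through the same routine. Function names are mine; the inverse y_k comes from Python's pow(x, -1, m) (3.8+) rather than a hand Euclidean step.

```python
# Added example: CRT reconstruction (slides 37-39) and residue-number arithmetic (slide 40).
from math import gcd, prod


def crt(residues, moduli):
    """Unique x in [0, m) with x ≡ a_k (mod m_k) for every k; m = product of moduli.
    Follows slide 37: x = sum a_k * M_k * y_k with M_k = m / m_k, y_k = M_k^-1 mod m_k."""
    for i, m_i in enumerate(moduli):
        for m_j in moduli[i + 1:]:
            if gcd(m_i, m_j) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    m = prod(moduli)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        M_k = m // m_k
        y_k = pow(M_k, -1, m_k)      # inverse exists since gcd(M_k, m_k) = 1
        x += a_k * M_k * y_k         # ≡ a_k (mod m_k), ≡ 0 (mod m_j) for j != k
    return x % m


def to_residues(value, moduli):
    """Represent an integer by its remainders modulo each m_i (slide 40)."""
    return tuple(value % m_i for m_i in moduli)


def rns_add(u, v, moduli):
    """Componentwise addition; exact only while the true sum is < prod(moduli)."""
    return tuple((a + b) % m_i for a, b, m_i in zip(u, v, moduli))


def rns_mul(u, v, moduli):
    """Componentwise multiplication, with the same range caveat as rns_add."""
    return tuple((a * b) % m_i for a, b, m_i in zip(u, v, moduli))


def rns_range(moduli):
    """Largest value representable without wrap-around: prod(moduli) - 1."""
    return prod(moduli) - 1
```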

41 Fermat's little theorem
Let a be any positive integer and p a prime number.
1. If gcd(p, a) = 1, then a^(p-1) ≡ 1 (mod p).
2. a^p ≡ a (mod p).
Ex: 1. p = 17, a = 2 ⇒ 2^16 = 65536 = 3855 × 17 + 1 ⇒ 2^16 ≡ 1 (mod 17). 2. p = 3, a = 20 ⇒ 20^3 – 20 = 8000 – 20 = 7980 is a multiple of 3. Hence 20^3 ≡ 20 (mod 3).

42 Proof of Fermat's little theorem
Lemma: Let gcd(p, a) = 1. ∀ 1 ≤ i < j ≤ p-1, ia ≢ ja (mod p) and ia ≢ 0 (mod p).
Pf: ia ≡ ja (mod p) ⇒ p | (j-i)a. Since gcd(p, a) = 1, p | (j-i). But 0 < j-i < p, so p does not divide (j-i), a contradiction. Similarly, since not (p | i) and gcd(p, a) = 1, not (p | ia).
1. The above lemma means ia and ja have different remainders when divided by p. Hence a × 2a × … × (p-1)a ≡ 1 × 2 × … × (p-1) = (p-1)! (mod p) ⇒ (p-1)! a^(p-1) ≡ (p-1)! (mod p). Then p | (p-1)! (a^(p-1) – 1). ∵ p does not divide (p-1)!, p | a^(p-1) – 1, and hence a^(p-1) ≡ 1 (mod p).
2. If gcd(p, a) = p ⇒ 0 ≡ a ≡ a^p (mod p). If gcd(p, a) = 1 ⇒ a^(p-1) ≡ 1 (mod p) ⇒ a^p ≡ a (mod p).

43 Public key encryption and RSA
[Figure: plaintext M → Encryption (with the public key) → cipher text C → Decryption (with the private key) → M']
Public key can be known to the public. Private key is kept secret.

44 The RSA algorithm
- p, q: two large primes (768 bits broken, 1024 digits recommended now).
- n = pq.
- e = any number with gcd(e, (p-1)(q-1)) = 1.
- d = inverse of e (mod (p-1)(q-1)), i.e., de ≡ 1 (mod (p-1)(q-1)).
- public key = (n, e), private key = (n, d). Note: public and private keys are symmetric.
- C = M^e (mod n) and M' = C^d (mod n).
Theorem: M' ≡ M (mod n). Hence if 0 ≤ M', M < n, then M' = M.

45 Proof of the correctness of the RSA algorithm
M' = C^d ≡ (M^e)^d ≡ M^(de) ≡ M^(1 + k(p-1)(q-1)) (mod n) for some integer k (∵ de ≡ 1 (mod (p-1)(q-1))).
Case 1: gcd(M, p) = 1. Then C^d = M · (M^(p-1))^(k(q-1)) ≡ M · 1^(k(q-1)) ≡ M (mod p) --- (1) (by Fermat's little theorem).
Case 2: gcd(M, p) = p (i.e., M = mp for some integer m). Then C^d = (mp)^(k(p-1)(q-1)+1) ≡ 0 ≡ M (mod p).
Similarly, it can be shown that C^d ≡ M (mod q) --- (2).
⇒ M' = C^d ≡ M (mod n): ∵ C^d - M is a multiple of p and of q ⇒ C^d - M is a multiple of lcm(p, q) = pq = n. (Or by the Chinese Remainder Theorem, M' is the only value in [0, n-1] satisfying (1) and (2).)

46 Example
p = 43, q = 59 ⇒ n = pq = 43 · 59 = 2537. Choose e = 13 with gcd(13, (43-1)(59-1) = 2436) = 1. d = 937 is an inverse of 13 mod 2436.
1. To transmit 'STOP' = 1819 1415 (2 blocks of length 4): 1819^13 mod 2537 = 2081, 1415^13 mod 2537 = 2182 ⇒ C = 2081 2182.
2. Receive 0981 0461 ⇒ M'_1 = 0981^937 (mod 2537) = 0704, M'_2 = 0461^937 (mod 2537) = 1115 ⇒ M' = 0704 1115 = 'HELP'.
Issue: How to compute 0981^937 (mod 2537) quickly?

47 Why is it hard to break RSA?
Given the public key (e, n), to find (d, n) we need to: 1. decompose n into pq; 2. find the inverse d of e modulo (p-1)(q-1). Step 2 is easy (quick Euclidean alg.), but step 1, factorization of a large number, is computationally hard work.

48 How to compute b^n (mod m) for large n
  mpow1(b, n, m) { // b, n, m: int; n ≥ 0; m > 0
    int rlt = 1;
    while (n != 0) { rlt = rlt * b; n--; }
    return (rlt % m);
  }
Problem: rlt will overflow quickly in the loop!
  mpow2(b, n, m) { // b, n, m: int; n ≥ 0; m > 0
    int rlt = 1;
    while (n != 0) { rlt = (rlt * b) % m; n--; }
    return rlt;
  }
Problem: need to perform * and % operations n times.

49 How to compute b^n (mod m) for large n
c.f.: Section 3.6 (page 226; Algorithm 5)
  mp(r, b, n, m) { // find (r b^n mod m) using (tail) recursion
    if (n == 0) return r % m;
    k = n / 2; // integer division
    if (n == 2k+1) return mp(r * b % m, b * b % m, k, m); // r b^(2k+1) = (r b)(b b)^k
    if (n == 2k > 0) return mp(r, b * b % m, k, m);
  }
  mp3(b, n, m) { return mp(1, b, n, m); }
  mpower(b, n, m) { // non-recursive version of mp3 (& mp)
    int rlt = 1; power = b % m; n' = n;
    while (n' > 0) { // invariant: rlt * power^n' ≡ b^n (mod m)
      if (n' % 2 == 1) rlt = (rlt * power) % m;
      power = power * power % m;
      n' = n' / 2;
    }
    return rlt; // running time = O(log n)
  }

50 Example
Compute 3^644 mod 645 using mp3 (& mpower). Note: 644 = (10100 00100)_2.
mp3(3, 644, 645) → mp(1, 3, 644, 645) → mp(1, 9, 322, 645) → mp(1, 81, 161, 645) → mp(81, 81^2 ≡ 111, 80, 645) → mp(81, 111^2 ≡ 66, 40, 645) → mp(81, 66^2 ≡ 486, 20, 645) → mp(81, 486^2 ≡ 126, 10, 645) → mp(81, 126^2 ≡ 396, 5, 645) → mp(81 × 396 ≡ 471, 396^2 ≡ 81, 2, 645) → mp(471, 81^2 ≡ 111, 1, 645) → mp(471 × 111 ≡ 36, 111^2 ≡ 66, 0, 645) = 36.
(Each tuple is (rlt, power, n', m) in terms of mpower.)
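Added example, not the slides' own code: the mpower routine of slide 49 in Python, returning the (rlt, power, n') trace of slide 50, used for the RSA round trip of slide 46 and for a Fermat-style check (slide 41) of the value 3^644 mod 645 = 36, which shows 645 is not prime. The letter encoding (A = 00 … Z = 25, four digits per block) is the one slide 46 uses; function names are mine.

```python
# Added example: square-and-multiply (slide 49/50), RSA (slide 46), Fermat check (slide 41).

def mpower(b, n, m):
    """Return (b^n mod m, trace); trace lists (rlt, power, n') after each loop
    step, matching the mp(...) tuples on slide 50. O(log n) multiplications."""
    rlt, power, trace = 1, b % m, []
    while n > 0:                      # invariant: rlt * power^n ≡ b^N (mod m)
        if n % 2 == 1:
            rlt = (rlt * power) % m   # odd exponent: fold one factor into rlt
        power = (power * power) % m   # square the base, halve the exponent
        n //= 2
        trace.append((rlt, power, n))
    return rlt, trace


def passes_fermat(a, p):
    """True if a^(p-1) ≡ 1 (mod p). False proves p composite (slide 41 part 1);
    True alone does not prove p prime."""
    return mpower(a, p - 1, p)[0] == 1


def rsa_keypair(p, q, e):
    """(public, private) = ((n, e), (n, d)) with d*e ≡ 1 (mod (p-1)(q-1))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse; raises ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)


def rsa_apply(key, blocks):
    """C = M^e mod n with the public key; M' = C^d mod n with the private key.
    Correct only for blocks in [0, n), as slide 44 requires."""
    n, exp = key
    return [mpower(block, exp, n)[0] for block in blocks]


def text_to_blocks(text, block_len=4):
    """'STOP' -> [1819, 1415]: letters A..Z become 00..25, grouped in fours."""
    digits = "".join(f"{ord(c) - ord('A'):02d}" for c in text.upper())
    return [int(digits[i:i + block_len]) for i in range(0, len(digits), block_len)]


def blocks_to_text(blocks, block_len=4):
    """Inverse of text_to_blocks: [704, 1115] -> '07041115' -> 'HELP'."""
    digits = "".join(f"{b:0{block_len}d}" for b in blocks)
    return "".join(chr(int(digits[i:i + 2]) + ord('A'))
                   for i in range(0, len(digits), 2))
```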

