Chapter 3 Introduction to Number Theory and Its applications

Theory of Computation

Transparency No. 3-1

Chapter 3Introduction to Number

Theory and Its applications

Cheng-Chia Chen

Introduction


outline

Division Prime Gcd and Lcm Modular Arithmetic Chinese Remainder Theorem Fermat’s little theorem The RSA algorithm

Introduction


Division

Def: a,b Z with a ≠ 0. We say a divides b (written a | b) if

k Z s.t. b = ka a | b =>

a is a factor (or divisor) of b and b is a multiple of a.

Ex: 3 | 12 ( 12 = 4 x 3 )∵ -4 | 8, 13 | 0 (0 = 0 x 13) not (3 | 7)

Introduction


Properties of |

1. a | b /\ a |c a | b + c

2. a | b a | bc for all c Z

3. | is reflexive ( a | a for all a Z )

4. | is transitive ( a | b /\ b | c a | c ) pf: a | b /\ b | c b = k1 a and c = k2 b for some k1, k2 Z

c = k2 (k1 a) = (k1 k2) a

5. a | b /\ b | a |a| = |b|)

Introduction


Primes

An integer p > 1 is said to be prime if n N+ ( n | p n = 1 \/ n = p ). I.e., the only positive factors of p are 1 and p.

p > 1 and is not prime => P is composite. Examples:

7 is prime primes < 20 include : 2,3,5,7,11,13,17,19.

Introduction


The fundamental theorem of arithmetic (FTA)

n N+ > 1, there exists a unique increasing sequence of primes p1 ≤ p2 ≤ … ≤ pk ( k ≥ 1) s.t.

n = p1 x p2 … x pk.

Ex: 100 = 2 x 2 x 5 x 5 999 = 3 x 3 x 3 x 37.

Introduction


Proof of FTA

( Existence) by Math Ind. Basis: n = 1, 2 ok. Ind. n > 1. if n is prime, then n = p1, where p1 = n and k = 1. if n is not prime then n = n1 x n2 with n1,n2 < n. => by ind. hyp. n1 = q1 x q2 … x qt

n2 = r1 x r2 … rs => n = n1 x n2 = q1 x … x qt x r1 x … x rs. => n = p1 x … x ps+t. where p1,…,ps+t is an increasing reordering

of q1,…,qt and r1,…,rt. Uniqueness:

let n = p1 x … x pk x q1 x … x qs = p1 x … x pk x r1 x … x rt where q1 ≠ r1 => n – n = p1 x … x pk x (q1 x … x qt – r1 x … rt) ≠ 0 ( a contradiction !! shown later).

Introduction


Theorem 3

If n is composite => a ≤ s.t. a | n.

pf: n is composite => n = p x q with p, q > 1.

if p > /\ q > =>

p q > = n. a contradiction

Hence n must have a factor ≤

Example: 101 is a prime.

pf: = 10.

But no prime ≤ 10 is a factor of 101.

Introduction


The division algorithm

a Z, d N+

i q,r s.t. a = qd + r where 0 ≤ r < d.

Def: if a = dq + r Then d is called the divisor(除數 ) a : dividend(被除數 ) q: quotient(商數 ) r: remainder(餘數 )

Examples: 101 = 11 ∙ 9 + 2 -11 = -4 ∙ 3 + 1

Note: d | a iff r = 0.

Introduction


Proof of the division algorithm

Existence: Consider the Z-indexed sequence :

… a-3d, a-2d, a-d, a, a-(-d), a-(-2d), a-(-3d), … Let r = a – qd be the smallest nonnegative number in

the sequence.

1. since the sequence is strictly increasing toward infinity such q (and r) must exist and unique.

2. if r ≥ d r’ =r-d =a – (q+1) d ≥ 0 is another nonnegative number in the sequence smaller than r. That’s a contradiction. Hence r must < d.

Uniqueness: If both (q,r) and (q’,r’) satisfy the condition. Then r – r’ = (q’-q) d (*) .

Since –d < r-r’ < d (*) and (q’-q)d is a multiple of d,

(*) holds only if r-r’ = 0 = q-q’. QED

Introduction


gcd and lcm

a,b Z, ab ≠ 0.

if d | a and d | b d is a common divisor of a and b. gcd(a,b) =def the greatest common divisor of a and b.

Notes: 1. The set cd(a,b) = {x > 0 : x | a and x | b} is a finite subset of N+ ( {1} ∵ cd {1,… min(a,b)} gcd(a,b) must exist. Ex: gcd(24,36) = ? factors of 24 : 1,2,3,4,6,12,24 factors of 36: 1,2,3,4,6,9,12,18,36 cd(24,36) = {1,2,3,4,6,12} gcd(24,36) = 12.

2. The same definition (cd and gcd) can be extended to more than two arguments. (ex: cd(8,12,18) = {1,2} and gcd(8,12,18) = 2. )

Introduction


Relatively prime

If gcd(a,b) = 1 we say a and b are relatively prime(r.p.). Ex: gcd(17,22) = 1.

a1,a2,…an are pairwise r.p. if

gcd(ai,aj) = 1 for all 1 ≤ i < j ≤ n. Ex: 10,17,21 are p.r.p. 10,19,24 are not p.r.p since gcd(10,24) = 2.

Proposition 1: If a = p1x1 p2

x2 … pn

xn , b = p1

y1 p2

y2 … pn

yn,

where p1 < p2 …< pn are primes and all xi, yj ≥ 0,

then gcd(a,b) = s =def p1z1 p2

z2 … pn

zn

where zi = min(xi,yi) for all 0 ≤ i ≤ n. Ex: 100 = 223052 and 30 = 213151 => gcd(100,30) = 213051.

Introduction


lcm ( least common multiple)

a,b Z c N+

if a|c and b|c d is a common multiple of a and b. lcm(a,b) =def the least common multiple of a and b.

Note: The set cm(a,b) = {x > 0 |, a|x and b|x} ≠ ( { a∙b} ∅ ∵ cm lcm(a,b) must exist.

Proposition 2:

If a = p1x1 p2

x2 … pn

xn , b = p1

y1 p2

y2 … pn

yn, where

p1 < p2 …< pn are primes and all xi, yj ≥ 0,

then lcm(a,b) = t =def p1z1 p2

z2 … pn

zn

where zi = max(xi,yi) for all 0 ≤ i ≤ n.

pf: Since tcm(a,b), it suffices to show t is a lower bound of cm(a,b). Then c cm(a,b), pi

xi | a | c and pi

yi | b|c =>pi max(x

i,y

i) |

c => t = piZi |c.

Theorem 5: gcd(a,b) ∙ lcm(a,b) = a b.

Introduction


Modular Arithmetic

Def 8: m N+, a Z.

a mod m =def the remainder of a divided by m. Ex:

17 mod 5 = 2 -133 mod 9 = 2.

Def 9: a,b Z, m N+. a ≡ b (mod m) means m | (a-b).

i.e., a and b have the same remainder when divided by m. i.e., a mod m = b mod m we say a is congruent to b (module m).

Ex: 17 ≡ 5 (mod 6) ? 24 ≡ 14 (mod 6) ?

Introduction


Properties of congruence

Theorem 6: a ≡ b (mod m) iff a = km + b for some k Z.pf: a ≡ b (mod m) (a-b) = km a = km + b.Theorem 7: If m > 0, a ≡ b (mod m) and c ≡ d (mod m),

then (1) a + c ≡ b + d (mod m), (2) ac ≡ bd (mod m), (3) - a ≡ - b (mod m)

pf: By the premise, a = km + b and c = sm + d for some

k,s. a + c = (b + d) + (k + s) m, ac = bd + (kd + sb + skm) m, and (-a - -b) = (-k) m (1),(2) and (3) hold. Ex: 7 ≡ 2 (mod 5), 11 ≡ 1 (mod 5) 18 ≡ 3, 77 ≡ 2 and - 7 ≡ - 2.

Introduction


The Euclidean Algorithm

Lemma 1: a = bq + r gcd(a,b) = gcd(b,r).

pf: It suffices to show that cd(a,b) = cd(b,r). But for any integer d :

d | a /\ d | b d | r since r = (a-bq) , and

d | b /\ d | r d | a since a= bq + r.

Hence cd(a,b) = cd(b,r), and gcd(a,b) = gcd(b,r).

Note:1. if a = bq + 0 gcd(a,b) = gcd(b,0) = b.2. Corollary: gcd(a, b) = gcd(b,c) if a is a linear

combination(l.c.) of b and c, and c is a l.c. of a and b.

Introduction


A simple algorithm:

gcd(a,b) // a , b ≥ 0.

if (b == 0) return a;

else return gcd(b, a mod b);

Notes:

1. this algorithm is very efficient.

(O(log b) by Lame’s lamma).

2. The (tail) recursion of the above alg can be replaced by an iterative version as follows:

igcd(int a, int b) // a , b ≥ 0.

while (b != 0) { // (a,b) (b, a % b) ;

int temp = a; a = b; b = temp % b ; }

return x

Introduction


gcd(662, 414) = ?

∴ gcd(662,414) = gcd(414,248) = …

= gcd(2,0) = 2.

a b a = qb+ r q r

662 414 662=1x414+248 1 248

414 248 414= 1x 248 + 166 1 166

248 166 248= 1 x 166 + 82 1 82

166 82 166= 2 x 82 + 2 2 2

82 2 82=42 x 2 + 0 42 0

2 0

Introduction


Theorem 1

a > b ≥ 0 gcd(a,b) = sa + tb for some s,t Z. i.e., gcd(a,b) is a linear integer combination of a and b.

Pf: By induction on b. Basis: b = 0. gcd(a,b) = a = 1 ∙ a + 0 ∙ b. Inductive case: b > 0. case1: b | a gcd(a,b) = b = 0 a + 1 b. case2: b a ∤ gcd(a,b) = gcd(b,r) where 0 ≤ r = a mod b < b. By I.H. gcd(b,r) = sb + t r. But r = a - bq ∴ gcd(a,b) = gcd(b,r) = sb + tr = sb + t(a – bq) = t a + (s – qt) b. QED Conclusion: (sn, tn) = (t n+1, sn+1 – qntn+1).

Introduction


Example

gcd(252, 198) = 18 = ___∙ 252 + ___ ∙ 198.

Sol:

Exercise: Let L(a,b) = {sa + tb | s,t Z } be the set of all linear combinations of a and b. Show that gcd(a,b) = the smallest positive member of L(a,b).

pf: let g = gcd(a,b). By Theorem 1, g is a linear combination of a and b. Hence g L(a,b).

Now let m = sa + tb be any positive number in L(a,b). Then since g | a and g | b , we have g | sa+tb = m > 0 and hence g m. As a result g is the least of L(a,b).

Theorem 1.1: gcd(a,b) is the least positive integer combination of a and b.

Introduction


gcd(662, 414) = ?

∴ gcd(662,414) =

gcd(414,248) = …

= gcd(2,0) = 2 = 1x2+0x0. = … = -5*662+8*414.

a b a = qb+ r q r

662 414 662=1x414+248 1 248

414 248 414= 1x 248 + 166 1 166

248 166 248= 1 x 166 + 82 1 82

166 82 166= 2 x 82 + 2 2 2

82 2 82=41 x 2 + 0 41 0

2 0

n sn tn

1 -5 8 =3-1*-5

2 3 -5 =-2-1*3

3 -2 3 =1-1*(-2)

4 1 s-qt = -2

5 0 1-41*0 = 1

6 1 0

q s t

qn sn =tn+1 sn+1-qntn+1 = tn

sn+1 tn+1

Introduction


The extended gcd algorithm

// input: a b 0;

// output: (c, s, t) s.t. c = gcd(a,b) = s a + t b.

egcd(a,b) : Z3 {

if( b == 0 ) { return (a, 1, 0) ; }

let (rlt, s, t) = egcd(b, a mod b) ;

return (rlt, t, s – t * ( a / b)) ; }

What is a non-recursive algorithm for egcd ?

Introduction


Non-recursive algorithm for egcd

// input: a b 0;

// output: (c, s, t) s.t. c = gcd(a,b) = s a + t b.

Egcd(int a, int b) {

Stack<int> s = new Stack() ;

while( b != 0 ) {

s.push(a / b ) ; // integer division

(a,b) (b, a%b) }

int s = 1, t = 0, rlt = a;

while( ! s.isEmpty()) {

int q = s.pop() ;

(s,t) (t, s – q * t ) ; }

return (rlt, s, t) ;

Introduction


Lemma 1 and Lemma 2

Lemma 1:gcd(a,b) = 1 /\ a | bc a | c. ( must remember!)

pf: gcd(a,b) = 1 1 = sa + tb for some s,t Z c = sac + tbc = sac + tka a | bc∵ = (sc + tk) ∙ a a | c.∴Corollary 1’: a | bc a/d | c, where d = gcd(a,b) .

Lemma 2’: p : prime /\ p a ∤ gcd(p,a) = 1.

Pf: cd(p,a) factors of p = {1,p}. but p is not a factor of a.

Hence gcd(p,a) = 1.

Lemma 2: p : prime /\ p | a1 a 2 … an p | ai for some i.

Pf: By ind. on n. Basis: n = 1. trivial.

Ind. case: n = k + 1. p | a1 a 2 … ak a k+1.

If p | a1 we are done.

O/W p a∤ 1 and gcd(p, a1) = 1 by lem2’.

By Lem 1 : p | ( a 2 … ak+1 ) p | ai for some 2 ≤ i ≤ k+1 by IH.

Introduction


Uniqueness of FTA

Pf: Suppose two distinct sequences

p1 , … , ps and q1 , … , qt with

n = p1 x … x ps = q1 x … x qt

Removing all common primes on both sides :

m =def pi1 x … piu = qj1x … x qjv 1

where pi ≠ qj for all pi and qj.

pi1 | m = qj1x … x qjv

pi1 | qj for some j ( a contradiction!!).

Introduction


Theorem 2

m > 0 /\ ac ≡ bc (mod m) /\ gcd(m,c) = 1

a ≡ b (mod m).

Pf: ac ≡ bc (mod m)

m | (ac – bc) = (a – b) c.

∵ gcd(m,c) = 1 m | (a – b)∴ ∴ a ≡ b (mod m).

Notes:

1. In general we have: ac ≡ bc (mod m) implies a ≡ b (mod m/d) where d = gcd(m,c).

2. If m is a prime and not (c ≡ 0 (mod m)) [ gcd(m,c) = 1], then ac ≡ bc implies => a ≡ b (mod m). Like ordinary arithmetic.

Introduction


Lemma 3: Let c be a positive integer, then gcd(ac, bc) = c gcd(a,b).

pf: It is easy to see that

d is a common divisor of (a, b)

iff cxd is a common divisor of (ca,cb).

Hence cd(ca,cb) = { cxd | d cd(a,b)}

and gcd(ca,cb) = max { cxd | d cd(a,b)}

= c x gcd(a,b)

Introduction


Lemma 4: Let a = p1x1 p2

x2 … pm

xm , b = q1

y1 q2

y2 …

qnyn where all pi’s and qj’s are primes and all xi, yj >0.

If {p1,…,pm} {q1,…,qn} =, then gcd(a,b) = 1.

pf: Assume gcd(a,b) 1 and r be any prime factor of gcd(a,b). Then we have r | a and r | b.

But, by Lemma 2, this implies r must be one of {p1,…,pm} and one of {q1,..,qn}.

This implies {p1,…,pm} {q1,…,qn} = , a contradiction!

Hence gcd(a,b) = 1.

Introduction


Proof of Proposition 1 for gcd Proposition 1: If a = p1

x1 p2

x2 … pn

xn , b = p1

y1 p2

y2 … pn

yn, where p1 < p2 …< pn

are primes and all xi, yj ≥ 0,

then gcd(a,b) = s =def p1z1 p2

z2 … pn

zn

where zi = min(xi,yi) for all 0 ≤ i ≤ n.

pf: Let c = a/s and d = b/s.

Then c = p1x1 p2

x2 … pn

xn / p1

z1 p2

z2 … pn

zn Z

d = p1y1 p2

y2 … pn

yn / p1

z1 p2

z2 … pn

zn Z

Hence by lemma 3, gcd(a,b) = s gcd(c,d).

But since c and d has no common prime factor,

By Lemma 4, gcd(c,d) =1. As a result, gcd(a,b)= s. Exercise: Show that c is a factor of a = p1

x1 p2

x2 … pn

xn iff c = p1

y1 p2

y2 … pn

yn where xk ≥ yk ≥ 0 for all

n ≥ k ≥ 0.

Introduction


Linear Congruence

Ex: Find an x such that 7 x ≡ 2 (mod 5). sol: x= 6. How to find? Analog: how to solve the equation ax = b ? let a-1 be the inverse of a (i.e. 1/a) => a-1ax = a-1b => x = a-1b = b/a.Def: Equations of the form ax ≡ b (mod m) are called linear congruence equations.Def: Given (a,m), any integer a’ satisfying the

condition: a a’ ≡ 1 (mod m) is called the inverse of a (mod m).Ex: Since 7 x 3 ≡ 1 (mod 5), 3 is an inverse of 7 mod 5. Hence 3x2 = 6 is a solution of 7x ≡ 2(mod 5)

Introduction


General solution of ax ≡ b (mod m)

Proposition: a a’ ≡ 1 (mod m) x = a’ b + km is the general solution of the congruence equation ax ≡ b (mod m)

Pf: 1. aa’ ≡ 1 => aa’ b ≡ b => a (a’b + km) ≡ b (mod m)

a’b + km is a solution for any k Z.

2. y is a solution ay ≡ b (mod m)

=> a’ay ≡ a’b(mod m)

=> 1* y ≡ a’ay ≡ a’b (mod m)

=> y ≡ a’b (mod m) => m | (y – a’b)

y = a’b + km for some k.

Introduction


Theorem 3 (uniqueness of inverse)

m > 0, gcd(a,m) = 1. Then bZ s.t. 1. ab ≡ 1 (mod m) 2. if ab ≡ ac [≡ 1] b ≡ c (mod m).

Pf: 1. gcd(a,m) = 1. Then b,t with ba + tm =1.

since ab –1 = (-t) m, ab ≡ 1 (mod m).

2. Since gcd(a,m)=1, by Theorem 2, we can divide a

from both sides.

Note: Theorem 3 means that the inverse of a mod m uniquely exists (and hence is well defined) if a and m are relatively prime.

Introduction


Examples

Ex: Find a s.t. 3a ≡ 1 (mod 7).

Sol: since gcd(3,7) = 1. the inverse of 3 (mod 7) exists and can be computed by the Euclidean algorithm:

7 = 3 X 2 + 1 1 = 7 + 3 (-2). 3 (-2 ) ≡ 1 (mod 7)

a = -2 + 7k for all k Z.

EX: Find all solutions of 3x ≡ 4 (mod 7).

Sol: -2 is an inverse of 3 (mod 7). Hence

3 (-2) ≡ 1 (mod 7)

=> 3 (-2) 4 ≡ 1 4 (mod 7) -- particular solution

=> x = 4 (-2) + 7k where k Z is a general solution of x.

Introduction


The Chinese Remainder Theorem

EX: Find all integer x satisfying the equations simultaneously: x ≡ 2 (mod 3) x ≡ 3 (mod 5) x ≡ 2 (mod 7)

Theorem 4: m1,m2,…,mn : pairwise relatively prime. The system of congruence equations: x ≡ a1 (mod m1)

x ≡ a2 (mod m2)

… x ≡ an (mod mn)

has a unique solution modulo m = m1 m2 … mn.

Introduction


How the CRT problem is solved

Find a polynomial f(x) of degree < n passing through n points. Ex: Find a polynomial of degree < 3 passing through (1,2),

(3,5),(5,4).

Intuition: 1. For each point (ai, bi) where i [1,n] , construct a

polynomial fi(x) of order < n with the properties:

1.1. fi(ai) = bi and

1.2. fi(ak) = 0 for all k [1,n] i.

Suppose we can find all such fi(x)’s, then

F(x) = j = 1..n fj(x) is the solution.

pf: F(ai) = fi(ai) + k i fk(ai) = bi + 0 for all i [1,n]

Introduction


Ex: Find a polynomial of degree < 3 passing through (1,2),(3,5),(5,4).

Solution:

1. Find f1(x) with f1(1) = 2 and f1(3) = f1(5) = 0.

=> f1(x) must have a factor (x-3)(x-5) = c1 (x-3)(x-5)

=> since f1(1)= 2, 2 = c1 (1-3)(1-5) => c1 = 2/(1-3)(1-5)

=> f1(x) = 2 (x-3)(x-5) /(1-3)(1-5)

2. Similarly,

f2(x) = 5 (x-1)(x-5) /(3-1)(3-5)

f3(x) = 4 (x-1)(x-3)/(5-1)(5-3)

and F(x) = f1(x) + f2(x) + f3(x) is the solution.

Introduction


Proof of the Chinese remainder theorem (CRT)

Pf: Let Mk = m / mk for 1 ≤ k ≤ n.

Note:

1. gcd(mk, Mk) = 1 and

2. mi | Mk if i ≠ k. Hence

sk, yk s.t. sk mk + yk Mk = 1. Hence

yk is an inverse of Mk mod mk. Now

Mk yk ≡ 1 (mod mk) and

Mk yk ≡ 0 (mod mj) for all j ≠ k. Let

x = a1 M1 y1 + … + an Mn yn then

x ≡ a1 M1 y1 + … + an Mn yn ≡ ak Mk yk ≡ ak (mod mk) for all 1 ≤ k ≤ n.

Introduction


Proof of the uniqueness part

If x and y satisfying the equations, then

x-y ≡ 0 (mod mk) for all k = 1..n. =>

s1,…,sn with x-y = s1 m1 = … = sn mn.

since gcd(mi, mk) = 1 for all i ≠ k and

mk | s1 m1, we have mk | s1 for all k ≠ 1.

Hence, by Lem(*) s1 is a multiple of m2 m3 … mn and

x-y = s1 m1 is a multiple of m = m1 m2 … mk.

Hence x ≡ y (mod m). QED

Lem(*):If gcd(m,n)=1,then m | s and n | s implies mn | s.

pf: m | s and n | s means s = km = t n. Hence n | km. but since (m,n) = 1, we have n | k. Hence mn | km = s.

Introduction


Example

Find x ≡ (2,3,2) (mod (3,5,7)) respectively. Sol:

i mi ai Mi yi = Mi-1 (mod mi) ai Mi yi

1 3 2 m/3=35 35 y1 ≡ 1 (mod 3)

-1

2 x 35 x -1

2 5 3 m/5=21 21 y2 ≡ 1 (mod 5)

1

3 x 21 x 1

3 7 2 m/7=15 15 y3 ≡ 1 (mod 7)

1

2 x 15 x 1

m =

105

x = -70 + 63 + 30 = 23.

Introduction


An application of CRT

Instead of using binary representation, we can use

m1,m2,…,mn : n pairwise relatively primes as the base

of integer representations: Ex: let (m1,… m5 ) = (19, 23, 29, 31,41)

99 = (4, 7, 12, 6, 17)

88 = (12, 19, 1, 26, 6).

----------------------------------------------------------------

99+88 = (16, 3, 13, 1, 23)

99x88 = (10, 18, 12, 1, 20).

Problems: 1. How to detect if a+b (or a*b) overflows ?

2. How to compare values (when will a < b )?

Introduction


Fermat’s little theorem

Let a be any positive integer and p a prime number.

1. If gcd(p,a) =1, then a p-1 ≡ 1 (mod p).

2. ap ≡ a (mod p).

Ex:

1. p = 17, a = 2 216 = 65536 = 3855 x 17 + 1

216 ≡ 1 (mod 17).

2. p = 3, a = 20 203 – 20 = 8000 –20 = 7980 is a multiple of 3. Hence 203 ≡ 20 (mod 3).

Introduction


Proof of Fermat’s little theorem

Lemma:1≤i<j≤p-1, ia ≢ ja (mod p) and ia ≢ 0 (mod p).

Pf: ia ≡ ja (mod p) p | (j-i) a. Since gcd(p,a)=1, p |(j-i).

But 0 < j-i < p, p does not divide (j-i), a contradiction.

Similarly, since not(p | i ) and gcd(p,a) = 1, not(p | ia).

The above lemma means ia and ja have different remainders when divided by p. Hence

a x 2a x … (p-1) a ≡ 1 x 2 … x (p-1) = (p-1)! (mod p)

(p-1)! ap-1 ≡ (p-1) ! (mod p). Then

p | (p-1)! (a p-1 –1). p does not divide (p-1)!,∵ p | ap-1 –1, and hence a p-1 ≡ 1 (mod p).

2. if gcd(p,a) = p 0 ≡ a ≡ ap (mod p).

if gcd(p,a) = 1 ap-1 ≡ 1 (mod p) ap ≡ a (mod p).

Introduction


Public key encryption and RSA

Encryption(加密 )

Decryption(解密 )

M

M’ (plain text)

cipher textC

public key private key

• Public key can be known to the public• Private key is kept secret.

Introduction


The RSA algorithm

p.q: two large primes ( 768bitsbroken, 1024 digits recommended now),

n = pq e = any number with gcd(e, (p-1)(q-1)) = 1. d = inverse of e (mod (p-1)(q-1)). (i.e., de ≡ 1 (mod (p-1)(q-1))) public key = (n,e) private key = (n,d)note : public and private keys are symmetric. C = Me (mod n) and M’ = Cd (mod n).Theorem : M’ ≡ M (mod n).

Hence if 0 M’, M < n => M’ = M.

Introduction


Proof of the correctness of the RSA algorithm

M’ = Cd ≡ (Me)d ≡ Mde // de ≡ 1 (mod (p-1)(q-1)) ∵ ≡ M1+k(p-1)(q-1) (mod n) for some integer k case1: gcd(M,p) = 1. Then Cd = M ∙ (M(p-1))k(q-1) ≡ M ∙ 1 k(q-1) ≡ M (mod p) ---(1) ( by Fermat’s little theorem) case2: gcd(M,p) = p (i.e., M = mp for some integer m) Then Cd = (mp)k(p-1)(q-1)+1 ≡ 0 ≡ M (mod p)Similarly, it can be shown that Cd ≡ M (mod q) --- (2)

M’ = Cd ≡ M (mod n). ∵ Cd-M is a multiple of p and q => Cd-M is a multiple of

lcm(p,q) = pq = n. (or by Chinese Remainder Theorem, M’ is the only value

in [0, n-1] satisfying (1) and (2) ).

Introduction


Example

p = 43, q = 59 n = pq = 43 ∙ 59 = 2537.

choose e = 13 with gcd(13, (43-1)(59-1)=2436)=1.

d = 937 is an inverse of 13 mod 2436.

1. To transmit ‘STOP’=1819 1415 : 2 blocks of length 4.

181913 mod 2537 = 2081,

141513 mod 2537 = 2182

C = 2081 2182.

2. Receive 0981 0461 M’1 = 0981937 (mod 2537) =0704

M’2 = 0461937 (mod 2537) = 1115

M’ = 0704 1115 = ‘HELP’.

Issue: How to compute 0981937 (mod 2537) quickly ?

Introduction


Why is it hard to break RSA ?

Given public key (e, n), to find (d,n) we need :

=> 1. decompose n into pq

2. find the inverse d of e modulo (p-1)(q-1).

Step 2 is easy (Quick Euclidean Alg.)

But step 1 : factorization of large number is computationally a hard work.

Introduction


How to compute bn (mod m) for large n

mpow1(b, n, m) { // b, n , m: int ; n ;m > 0

int rlt = 1;

while( n != 0) rlt = rlt * b;

return (rlt % m); Problem: rlt will overflow quickly in the loop! mpow2(b, n, m) { // b, n , m: int ; n ;m > 0

int rlt = 1;

while( n != 0) rlt = (rlt * b) % m ;

return rlt ;

Problem : need perform * and % operations n times

Introduction


How to compute bn (mod m) for large n

c.f.: Section 3.6 (page226 ; Algorithm 5) mp(r, b, n, m) // find (rbn mod m) using (tail) recursion

if(n == 0) return r % m;

if(n == 2k+1) return mp(r b , bxb, k, m);

if(n == 2k >0 ) return mp(r, bxb, k, m); } mp3(b,n,m) { return mp(1, b, n, m) ;} mpower(b, n, m){//non-recursive version of mpow3(&mp)

int rlt = 1; power = b % m ; n’ = n;

while( n’ > 0) { // invariant: rlt * powern’ = bn (mod m)

if( n’ % 2 == 1) rlt = (rlt * power) % m ;

power = power * power % m ; n’ = n’ / 2 }

return rlt; // running time = O(log n)

rb(2k+1) = rb (bb)k

Introduction


Example

Compute 3 644 mod 645 using mp3 (&mpower): Note: 644 =(10100 00100)2

mp3(3, 644, 645)

mp(1, 3, 644, 645) mp(1, 9, 322, 645)

mp(1, 81, 161, 645) (81, 812 111, 80, 645) mp(81, 1112 66, 40, 645) mp(81, 662 486, 20, 645) mp(81, 4862 126, 10, 645) mp(81,1262 396, 5, 645)mp(81x396 471, 3962 81, 2, 645)mp(471, 812 111, 1, 645)mp(471x111 36, 1112 66, 0, 645) = 36

(rlt, power, n’, m)

Documents

Chapter 3 Introduction to Number Theory and Its applications