1 / 44

Chapter 2 Introduction to Number Theory and Its applications

Chapter 2 Introduction to Number Theory and Its applications. Cheng-Chia Chen. outline. Division Prime Gcd and Lcm Modular Arithmetic Chinese Remainder Theorem Fermat’s little theorem The RSA algorithm. Division. Def: a,b  Z with a ≠ 0. We say a divides b (written a | b) if

janus
Download Presentation

Chapter 2 Introduction to Number Theory and Its applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 2Introduction to NumberTheory and Its applications Cheng-Chia Chen

  2. outline • Division • Prime • Gcd and Lcm • Modular Arithmetic • Chinese Remainder Theorem • Fermat’s little theorem • The RSA algorithm

  3. Division Def: a,b Z with a ≠ 0. • We say a divides b (written a | b) if 9k Z s.t. b = ka • a | b => • a is a factor (or divisor) of b and • b is a multiple of a. • Ex: • 3 | 12 ( * 12 = 4 x 3 ) • -4 | 8, • 13 | 0 (0 = 0 x 13) • 3 - 7

  4. Properties of | • a | b /\ a |c  a | b + c • a | b  a | bc for all c Z • | is reflexive ( a | a for all a Z ) • | is transitive ( a | b /\ b | c ) a | c ) • pf: a | b /\ b | c  • b = k1 a and c = k2 b for some k1, k2Z •  c = k2 (k1 a) = (k1 k2) a • a | b /\ b | a  |a| = |b|)

  5. Primes • An integer p > 1 is said to be prime if •  n N+ ( n | p  n = 1 \/ n = p ). • I.e., the only positive factors of p are 1 and p. • p > 1 is not prime => P is composite. • Examples: • 7 is prime • primes < 20 include : 2,3,5,7,11,13,17,19.

  6. The fundamental theorem of arithmetic (FTA) • n N+ > 1, there exists a unique increasing sequence of primes p1 ≤ p2 ≤ … ≤ pk ( k ≥ 1) s.t. n = p1 x p2 … x pk. • Ex: • 100 = 2 x 2 x 5 x 5 • 999 = 3 x 3 x 3 x 37.

  7. Proof of FTA • ( Existence) by Math Ind. • Basis: n = 1, 2 ok. • Ind. n > 1. • if n is prime, then n = p1, where p1 = n and k = 1. • if n is not prime then n = n1 x n2 with n1,n2 < n. • => by ind. hyp. n1 = q1 x q2 … x qt • n2 = r1 x r2 … rs • => n = n1 x n2 = q1 x … x qt x r1 x … x rs. • => n = p1 x … x ps+t. where p1,…,ps+t is an increasing reordering of q1,…,qt and r1,…,rt. • Uniqueness: • let n = p1 x … x pk x q1 x … x qs • = p1 x … x pk x r1 x … x rt where q1 ≠ r1 • => n – n = p1 x … x pk x (q1 x … x qt – r1 x … rt) • ≠ 0 ( a contradiction !! shown later).

  8. Theorem 3 • If n is composite =>  a ≤ s.t. a | n. pf: n is composite => n = p x q with p, q > 1. if p > /\ q > => p q > = n. a contradiction Hence n must have a factor ≤ Example: 101 is a prime. pf:  = 10. But no prime ≤ 10 is a factor of 101.

  9. The division algorithm • a Z, d N+ i q,r s.t. a = qd + r where 0 ≤ r < d. Def: if a = dq + r Then • d is called the divisor(除數) • a : dividend(被除數) • q: quotient(商數) • r: remainder(餘數) • Examples: • 101 = 11 ∙ 9 + 2 • -11 = -4 ∙ 3 + 1 • Note: d | a iff r = 0.

  10. Proof of the division algorithm Existence: Consider the Z-indexed sequence : … a-3d, a-2d, a-d, a, a-(-d), a-(-2d), a-(-3d), … • Let r = a – qd be the smallest nonnegative number in the sequence. 1. since the sequence is strictly increasing toward infinity such q (and r) must exist and unique. 2. if r ≥ d  r’ =r-d =a – (q+1) d ≥ 0 is another nonnegative number in the sequence smaller than r. That’s a contradiction. Hence r must < d. Uniqueness: If both (q,r) and (q’,r’) satisfy the condition. Then r – r’ = (q’-q) d (*) . Since –d <r-r’ < d (*) and (q’-q)d is a multiple of d, (*) holds only if r-r’ = 0 = q-q’. QED

  11. gcd and lcm • a,b Z, ab ≠ 0. if d | a and d | b  d is a common divisor of a and b. • gcd(a,b) =def the greatest common divisor of a and b. Note: The set cd = {x > 0 |, x | a and x | b} is a finite subset of N+ (∵ {1}  cd  {1,… min(a,b)}  gcd(a,b) must exist. • Example: • gcd(24,36) = ? • factors of 24 : 1,2,3,4,6,12,24 • factors of 36: 1,2,3,4,6,9,12,18,36 •  cd(24,36) = {1,2,3,4,6,12} •  gcd(24,36) = 12.

  12. Relatively prime • If gcd(a,b) = 1 we say a and b are relatively prime(r.p.). • Ex: gcd(17,22) = 1. • a1,a2,…an are pairwise r.p. if gcd(ai,aj) = 1 for all 1 ≤ i < j ≤ n. • Ex: • 10,17,21 are p.r.p. • 10,19,24 are not p.r.p since gcd(10,24) = 2. • Proposition 1: If a = p1x1 p2x2 … pnxn , b = p1y1 p2y2 … pnyn, where p1 < p2 …< pn are primes and all xi, yj ≥ 0, then gcd(a,b) = s =def p1z1 p2z2 … pnzn where zi = min(xi,yi) for all 0 ≤ i ≤ n.

  13. The proof 1. s  cd(a,b). • what are the quotients of a and b when divided by s ? • t | a = p1x1 p2x2 … pnxn /\ q is a prime factor of t=> q  {p1,…,pn} pf: q is prime and q | t | a. Hence q = pj.for some j. (see later lemma) 3. t | a = p1x1 p2x2 … pnxn iff t = p1d1 p2d2 … pndn for some d1,…dn with 0 ≤ di ≤ xi for 1 ≤ i ≤ n. pf: if-part: trivial. only-if: if t = 1, then we are done. Otherwise, let q be any prime factor of t. By 2, q = pj for some j. Now let t’ = t/pj and a’ = a/pj. Then t’ | a’ = p1x1 …pj (xj -1) … pnxn and by I.H on a’, t’ = p1d1 p2d2 … pndn for some d1,…dn with di ≤ xi for 1 ≤ i  j≤ n and dj ≤ xj -1. Then t = t x pj = p1d1 p2d2 … pndn for some d1,…dn with di ≤ xi for 1 ≤ i ≤ n.

  14. 4.Corollary: t t  cd(a,b)  t = p1d1 p2d2 … pndn for some d1,…dn with di ≤ xi , di ≤ yi ,and di ≤ zi. • Ex: • 120 = 23 ∙31 ∙51 • 500 = 22 ∙53 •  gcd(120,500) = 22 ∙30 ∙51 = 20

  15. lcm ( least common multiplier) • a,b Z cN+ if a|c and b|c  d is a common multiplier of a and b. • lcm(a,b) =def the least common multiplier of a and b. Note: The set cm = {x > 0 |, a|x and b|x} ≠ ∅ (∵ { a∙b}  cm  lcm(a,b) must exist. Proposition 2: If a = p1x1 p2x2 … pnxn , b = p1y1 p2y2 … pnyn, where p1 < p2 …< pn are primes and all xi, yj ≥ 0, then lcm(a,b) = t =def p1z1 p2z2 … pnzn where zi = max(xi,yi) for all 0 ≤ i ≤ n. pf: pixi | a | cm and piyi | b|cm =>pimax(xi,yi) | cm => t | cm. Theorem 5: gcd(a,b) ∙ lcm(a,b) = a b.

  16. Modular Arithmetic Def 8: m N+, a Z. a mod m =def the remainder of a divided by m. • Ex: • 17 mod 5 = 2 • -133 mod 9 = 2. Def 9: a,b Z, m N+. a ≡ b (mod m) means m | (a-b). • i.e., a and b have the same remainder when divided by m. • i.e., a mod m = b mod m • we say a is congruent to b (module m). • Ex: • 17 ≡ 5 (mod 6) ? • 24 ≡ 14 (mod 6) ?

  17. Properties of congruence Theorem 6:a ≡ b (mod m) iff a = km + b for some k Z. pf: a ≡ b (mod m)  (a-b) = km  a = km + b. Theorem 7:If m > 0, a ≡ b (mod m) and c ≡ d (mod m), then (1) a + c ≡ b + d (mod m) (2) ac ≡ bd (mod m). pf: By the premise, a = km + b and c = sm + d for some k,s.  a + c = (b + d) + (k + s) m and ac = bd + (kd + sb + skm) m  (1) and (2) hold. Ex: 7 ≡ 2 (mod 5), 11 ≡ 1 (mod 5)  18 ≡ 3 and 77 ≡ 2.

  18. The Euclidean Algorithm Lemma 1: a = bq + r  gcd(a,b) = gcd(b,r). pf: It suffices to show that cd(a,b) = cd(b,r). But for any integer d : • d | a /\ d | b  d | r since r = (a-bq) , and • d | b /\ d | r  d | a since a= bq + r. • Hence cd(a,b) = cd(b,r), and gcd(a,b) = gcd(b,r). Note: • if a = bq + 0  gcd(a,b) = gcd(b,0) = b. • Corollary: gcd(a, b) = gcd(b,c) if a is a linear combination(l.c.) of b and c, and c is a l.c. of a and b.

  19. A simple algorithm: • gcd(a,b) // a ≥ b ≥ 0. if (b == 0) return a; else return gcd(b, a mod b); Note: this algorithm is very efficient. (O(log b) by Lame’s lamma).

  20. gcd(662, 414) = ? ∴ gcd(662,414) = gcd(414,248) = … = gcd(2,0) = 2.

  21. Theorem 1 • a > b ≥ 0  gcd(a,b) = sa + tb for some s,t Z. • i.e., gcd(a,b) is a linear combination of a and b. Pf: By induction on b. Basis: b = 0.  gcd(a,b) = a = 1 ∙ a + 0 ∙ b. Inductive case: b > 0. case1: b | a  gcd(a,b) = b = 0 a + 1 b. case2: b ∤ a  gcd(a,b) = gcd(b,r) where 0 ≤ r = a mod b < b. By I.H. gcd(b,r) = sb + t r. But r = a - bq ∴ gcd(a,b) = gcd(b,r) = sb + tr = sb + t(a – bq) = t a + (s – qt) b. QED • Conclusion: (sn, tn) = (t n+1, sn+1 – qntn+1).

  22. Example • gcd(252, 198) = 18 = ___∙ 252 + ___ ∙ 198. Sol: Exercise: Let L(a,b) = {sa + tb | s,t Z } is the set of all linear combinations of a and b. Show that gcd(a,b) = the smallest positive member of L(a,b). pf: let m = sa + tb be any positive member of L(a,b) with m  gcd(a,b) = g. Since g | a and g | b , we have g | sa+tb => g  m Hence m = g.

  23. gcd(662, 414) = ? ∴ gcd(662,414) = gcd(414,248) = … = gcd(2,0) = 2.

  24. Lemma 1 and Lemma 2 Lemma 1:gcd(a,b) = 1 /\ a | bc  a | c. ( must remember!) pf: gcd(a,b) = 1  1 = sa + tb for some s,t Z  c = sac + tbc = sac + tka ∵ a | bc = (sc + tk) ∙ a ∴ a | c. Lemma 2’: p : prime /\ p ∤ a  gcd(p,a) = 1. Pf: cd(p,a)  factors of p = {1,p}. but p is not a factor of a. Hence gcd(p,a) = 1. Lemma 2: p : prime /\ p | a1 a 2 … an p | ai for some i. Pf: By ind. on n. Basis: n = 1. trivial. Ind. case: n = k + 1. p | a1 a 2 … ak a k+1. If p | a1 we are done. O/W p ∤ a1 and gcd(p, a1) = 1 by lem2’. By Lem 1 : p | ( a 2 … ak+1 )  p | ai for some 2 ≤ i ≤ k+1 by IH.

  25. Uniqueness of FTA Pf: Suppose  two distinct sequences p1 , … , ps and q1 , … , qt with n = p1 x … x ps = q1 x … x qt Removing all common primes on both sides : m =def pi1 x … piu = qj1x … x qjv 1 where pi ≠ qj for all pi and qj.  pi1 | m = qj1x … x qjv  pi1 | qj for some j ( a contradiction!!).

  26. Theorem 2 m > 0 /\ ac ≡ bc (mod m) /\ gcd(m,c) = 1  a ≡ b (mod m). Pf: ac ≡ bc (mod m)  m | (ac – bc) = (a – b) c. ∵ gcd(m,c) = 1 ∴ m | (a – b) ∴ a ≡ b (mod m). Note: if m is a prime then if ac ≡ bc and not (c ≡ 0 (mod m)) => a ≡ b. • Like ordinary arithmetic.

  27. Linear Congruence Ex: Find an x such that 7 x ≡ 2 (mod 5). sol: x= 6. How to find? Analog: how to solve the equation ax = b ? let a’ be the inverse of a (i.e. 1/a) => a’ax = a’b => x = a’b Def: Equations of the form ax ≡ b (mod m) are called linear congruence equations. Def: Given (a,m), any integer a’ satisfying the condition: a a’ ≡ 1 (mod m) is called the inverse of a(mod m). Ex: Since 7 x 3 ≡ 1 (mod 5), 3 is an inverse of 7 mod 5. Hence 3x2 = 6 is a solution of 7x ≡ 2(mod 5)

  28. General solution of ax ≡ b (mod m) Proposition:a a’ ≡ 1 (mod m)  x = a’ b + km is the general solution of the congruence equation ax ≡ b (mod m) Pf: 1. aa’ ≡ 1 => aa’ b ≡ b => a (a’b + km) ≡ b (mod m)  a’b + km is a solution for any k Z. 2. y is a solution  ay ≡ b (mod m) => a’ay ≡ a’b(mod m) => y ≡ a’ay ≡ a’b (mod m) => y ≡ a’b (mod m) => m | (y – a’b)  y = a’b + km for some k.

  29. Theorem 3 (uniqueness of inverse) • m > 0, gcd(a,m) = 1. Then  bZ s.t. • 1. ab ≡ 1 (mod m) • 2. if ab ≡ ac [≡ 1] b ≡ c (mod m). Pf: 1. gcd(a,m) = 1. Then  b,t with ba + tm =1. since ab –1 = (-t) m, ab ≡ 1 (mod m). 2. Since gcd(a,m)=1, by Theorem 2, we can divide a from both sides. Note: Theorem 3 means That the inverse of a mod m uniquely exists (and hence is well defined) if a and m are relatively prime.

  30. Examples Ex: Find a s.t. 3a ≡ 1 (mod 7). Sol: since gcd(3,7) = 1. the inverse of 3 (mod 7) exists and can be computed by the Euclidean algorithm: 7 = 3 X 2 + 1  1 = 7 + 3 (-2).  3 (-2 ) ≡ 1 (mod 7)  a = -2 + 7k for all k Z. EX: Find all solutions of 3x ≡ 4 (mod 7). Sol: -2 is an inverse of 3 (mod 7). Hence 3 (-2) ≡ 1 (mod 7) => 3 (-2) 4 ≡ 1 4 (mod 7) -- particular solution => x = 4 (-2) + 7k where k Z is a general solution of x.

  31. The Chinese Remainder Theorem • EX: Find all integer x satisfying the equations simultaneously: • x ≡ 2 (mod 3) • x ≡ 3 (mod 5) • x ≡ 2 (mod 7) • Theorem 4: m1,m2,…,mn : pairwise relatively prime. The system of congruence equations: • x ≡ a1 (mod m1) • x ≡ a2 (mod m2) • … • x ≡ an (mod mn) • has a unique solution modulo m = m1 m2 … mn.

  32. How the CRT problem is solved • Find a polynomial f(x) of degree < n passing through n points. • Ex: Find a polynomial of degree < 3 passing through (1,2),(3,5),(5,4). • Intuition: • 1. For each point (ai, bi) where i  [1,n] , construct a polynomial fi(x) of order < n with the properties: • 1.1. fi(ai) = bi and • 1.2. fi(ak) = 0 for all k [1,n]  i. • Suppose we can find all such fi(x)’s, then • F(x) = Sj = 1..n fj(x) is the solution. • pf: 1. F(ai) = fi(ai) + S k  i fk(ai) = bi + 0 for all i  [1,n]

  33. Ex: Find a polynomial of degree < 3 passing through (1,2),(3,5),(5,4). Solution: 1. Find f1(x) with f1(1) = 2 and f1(3) = f1(5) = 0. => f1(x) must have a factor (x-3)(x-5) = c1 (x-3)(x-5) => since f1(1)= 2, 2 = c1 (1-3)(1-5) => c1 = 2/(1-3)(1-5) => f1(x) = 2 (x-3)(x-5) /(1-3)(1-5) 2. Similarly, f2(x) = 5 (x-1)(x-5) /(3-1)(3-5) f3(x) = 4 (x-1)(x-3)/(5-1)(5-3) and F(x) = f1(x) + f2(x) + f3(x) is the solution.

  34. Proof of the Chinese remainder theorem (CRT) Pf: Let Mk = m / mk for 1 ≤ k ≤ n. Note: 1. gcd(mk, Mk) = 1 and 2. mi | Mk if i ≠ k. Hence  sk, yk s.t. sk mk + yk Mk = 1. Hence yk is an inverse of Mk mod mk. Now Mk yk ≡ 1 (mod mk) and Mk yk ≡ 0 (mod mj) for all j ≠ k. Let x = a1 M1 y1 + … + an Mn yn then x ≡ a1 M1 y1 + … + an Mn yn ≡ ak Mk yk ≡ ak (mod mk) for all 1 ≤ k ≤ n.

  35. Proof of the uniqueness part If x and y satisfying the equations, then x-y ≡ 0 (mod mk) for all k = 1..n. =>  s1,…,sn with x-y = s1 m1 = … = sn mn. since gcd(mi, mk) = 1 for all i ≠ k and mk | s1 m1, we have mk | s1 for all k ≠ 1. Hence s1 is a multiple of m2 m3 … mn and x-y = s1 m1 is a multiple of m = m1 m2 … mk. Hence x ≡ y (mod m). QED

  36. Example • Find x ≡ (2,3,2) (mod (3,5,7)) respectively. • Sol:

  37. An application of CRT • Instead of using binary representation, we can use m1,m2,…,mn : n pairwise relatively primes as the base of integer representations: e.g.: let (m1,… m5 ) = (19, 23, 29, 31,41) 99 = (4, 7, 12, 6, 17) 88 = (12, 19, 1, 26, 6). ---------------------------------------------------------------- 99+88 = (16, 3, 13, 1, 23) 99x88 = (10, 18, 12, 1, 20).

  38. Fermat’s little theorem • p: prime, a N. Then 1. if (p - a) then a p-1 ≡ 1 (mod p). Moreover, 2. for all a, ap ≡ a (mod p). Ex: 1. p = 17, a = 2  216 = 65536 = 3855 x 17 + 1  216 ≡ 1 (mod 17). 2. p = 3, a = 20  203 – 20 = 8000 –20 = 7980 is a multiple of 3. Hence 203 ≡ 20 (mod 3).

  39. Proof of Fermat’s little theorem Lemma:1≤i<j≤p-1, ia ≢ ja (mod p) and ia ≢ 0 (mod p). Pf: ia ≡ ja (mod p)  p | (j-i) a. Since p - a, p |(j-i). But 0 < j-i < p, p - (j-i), a contradiction. 1. Note the above lemma means ia and ja have different remainders when divided by p. Hence a x 2a x … (p-1) a ≡ 1 x 2 … x (p-1) = (p-1)! (mod p)  (p-1)! ap-1 ≡ (p-1) ! (mod p). Then p | (p-1)! (a p-1 –1). ∵ p - (p-1)!, p | ap-1 –1, and hence a p-1 ≡ 1 (mod p). 2. if p | a  0 ≡ a ≡ ap (mod p). if p - a  ap-1 ≡ 1 (mod p)  ap ≡ a (mod p).

  40. public key Encryption (加密) Decryption (解密) M C cipher text M’ (plain text) Public key encryption and RSA private key • Public key can be known to the public • Private key is kept secret.

  41. The RSA algorithm • p.q: two large primes ( > 200 digits, 1024 digits recommended now), • n = pq • e = any number with gcd(e, (p-1)(q-1)) = 1. • d = inverse of e (mod (p-1)(q-1)). (i.e., de ≡ 1 (mod (p-1)(q-1)))  public key = (n,e) private key = (n,d) note : public and private keys are symmetric. C = Me (mod n) and M’ = Cd (mod n). Theorem : M’ ≡ M (mod n).

  42. Proof of the correctness of the RSA algorithm • M’ = Cd ≡ (Me)d ≡ Mde ≡ M1 +k(p-1)(q-1) (mod n) [∵ de ≡ 1 (mod (p-1)(q-1)) ] Assume gcd(M,p) = gcd(M,q) = 1. (i.e., p - M and q - M its probability is (p-1)(q-1)/pq ≈ 1. or we can simply restrict M to be < min(p,q)). Then Cd = M ∙ (M(p-1))k(q-1) ≡ M ∙ 1 k(q-1) (mod p) = M ∙ (M(q-1))k(p-1) ≡ M ∙ 1 k(p-1) (mod q) ( by Fermat’s little theorem)  M’ = Cd ≡ M (mod n). ∵ Cd-M is a multiple of p and q => Cd-M is a multiple of lcm(p,q) = pq = n.

  43. Example p = 43, q = 59  n = pq = 43 ∙ 59 = 2537. choose e = 13 with gcd(13, (43-1)(59-1)=2436)=1. d = 937 is an inverse of 13 mod 2436. 1. To transmit ‘STOP’=1819 1415 : 2 blocks of length 4.  181913 mod 2537 = 2081, 141513 mod 2537 = 2182  C = 2081 2182. 2. Receive 0981 0461  M’1 = 0981937 (mod 2537) =0704 M’2 = 0461937 (mod 2537) = 1115  M’ = 0704 1115 = ‘HELP’.

  44. Why is it hard to break RSA ? Given public key (e, n), to find (d,n) we need : => 1. decompose n into pq 2. find the inverse d of e modulo (p-1)(q-1). Step 2 is easy (Quick Euclidean Alg.) But step 1 : factorization of large number is computationally a hard work.

More Related