
# NUMBER THEORY AND ALGEBRA - PowerPoint PPT Presentation



## PowerPoint Slideshow about 'NUMBER THEORY AND ALGEBRA' - lois-gaines


Presentation Transcript

### NUMBER THEORY AND ALGEBRA

• a, b, c, d - integers & belong to set ℤ
• algebraic operations –: “+”, “-”, and “×” – valid with set
• a + b, a – b, a + b + c + d, a × b, b × d
• ⇒ all integers & belong to set ℤ
• members of ℤ satisfy
• {commutation, association, distribution} laws
Associative laws:
• (a + b) + c = a + (b + c)
• (a × b) × c = a × (b × c)
Commutative laws:
• a + b = b + a
• a × b = b × a
Distributive law:
• (a + b) × c = a × c + b × c
• ring ⇒ set members satisfy
• associative, distributive laws
• commutative ring ⇒ satisfies commutative property - additional
commutative ring examples - set of real numbers, set of complex numbers
• infinite commutative rings

⇒ set with infinite number of members

other examples of rings, commutative rings, infinite commutative rings?

• Division
• a, b – integers: a > b.
• a divisible by b?
• Yes ⇒ quotient q: integer & q ∈ ℤ
• b ∣ a ‘b divides a’
• c ∤ a ‘c does not divide a’
a, b, & c ← integers
• c ∣ a & c ∣ b ⇒ c common factor of a & b
• 80808 & 31863 ← 3, 13 – common factors
• greatest common divisor – gcd (80808, 31863) ⇒ related & important concept
• school book approach to get gcd ⇒ factorize 80808 & 31863 as product of prime numbers
• 80808 = 2 × 2 × 2 × 3 × 7 × 13 × 37
• {2, 2, 2, 3, 7, 13, 37} ← factor set of 80808
• 31863 = 3 × 13 × 19 × 43
• {3, 13, 19, 43} ← factor set of 31863
• {3, 13} ← common factors set of 80808 & 31863
• 3 × 13 = 39 ← desired gcd.
• ⇒ gcd(80808, 31863) = 39
remainder = 0? ⇒ stop
• previous remainder – 39 ⇒ desired gcd
• Generalize for set (a, b) with a > b
• a = q_2 b + r_2: q_2 quotient & r_2 remainder
• b = q_3 r_2 + r_3; continue until remainder = 0
• r_2 = q_4 r_3 + r_4
• r_3 = q_5 r_4 + r_5
• . . .
• r_{n-2} = q_n r_{n-1} + r_n
• r_{n-1} = q_{n+1} r_n + 0
• ⇒ gcd(a, b) = r_n
r_n ∣ r_{n-1} ⇒ gcd(r_n, r_{n-1}) = r_n
• r_i = q_{i+2} r_{i+1} + r_{i+2}
• Any divisor of r_i & r_{i+1} ⇒ divisor of r_{i+2}
• gcd(r_i, r_{i+1}) = gcd(r_{i+1}, r_{i+2})
• equation valid for all i
• gcd(a, b) = r_n.

Algorithm 1.1 Euclidean Algorithm

Input: a, b

Output: gcd (a, b)

r_0 ← a

r_1 ← b

n ← 1

while r_n ≠ 0

n ← n – 1

gcd (a, b) ← r_n

Retrace steps of Euclidean Algorithm
• ⇒ ‘Extended Euclidean Algorithm’
• r_2 = a − q_2 b; substitute in equation for r_3
• r_3 = b − q_3 (a − q_2 b)
• = −q_3 a + (q_2 q_3 + 1) b; substitute in equation for r_4
• r_4 = r_2 − q_4 (b − q_3 r_2)
• = (q_3 q_4 + 1) a − (q_2 + q_4 + q_2 q_3 q_4) b; continue until r_n
• r_n = u a + v b: u & v – integers
• ⇒ expresses gcd (a, b) as linear combination of a & b.
• Let gcd (a, b) = c ⇒
• u a + v b = c ← linear Diophantine equation in u and v
• Given a, b, & c, infinite set of solutions for the (u, v) pair
• Wade through sequence of equations in Euclidean algorithm to get gcd (a, b) & get (u, v) pair values

Algorithm 1.2 Extended Euclidean Algorithm

Input: a, b; Output: gcd (a, b); u, v

r_0 ← a; r_1 ← b

u_0 ← 1; u_1 ← 0

v_0 ← 0; v_1 ← 1

n ← 1

while (r_{n+1} ≠ 0)

n ← n – 1

gcd(a, b) ← r_n; u ← u_n; v ← v_n

Solve linear Diophantine equation for (a = 80808, b = 31863)
• use extended Euclidean algorithm ⇒ get u & v values

• u a + v b = c
• Extended Euclidean algorithm ⇒ set (u_0, v_0):

(u_0 + k b/c) a + (v_0 – k a/c) b = c, k ∈ ℤ ← generalized version

• Diophantine equation ⇒ infinite number of solutions
• set (u_0, v_0) ⇒ particular solution
Modular algebra
• a & m integers: a > m
• express a as
• a = q m + r; q – quotient & r – remainder
• r – ‘residue’ – obtained by dividing a by m
• residue r can represent a
• r called ‘a modulo m’ – expressed as
• r ≡ a (mod m)
• r ← representation can be generalized and used for all a ∈ ℤ.
• Examples
• 2 ≡ 14 (mod 12)
• 2 ≡ 26 (mod 24)
• 2 ≡ 38 (mod 36)
• representation – visualized as arranging integers in circular fashion as with a clock

[Figure: integers arranged to conform to congruence modulo 12]

2 ≡ −10 (mod 12) ← negative numbers

• ⇒ add positive / negative multiples of 12 (in general m) to number &
• bring result within (0, 1, 2, 3, . . . , 11) range.
• . . . −22, −10, 2, 14, 26, . . . ⇒ same representation ⇒ 2
• . . . −23, −11, 1, 13, 25, . . . ⇒ same representation ⇒ 1
• . . . −22, −10, 2, 14, 26, . . . ‘congruent modulo 12’
Generalize: a, b, & c – 3 integers:
• a (mod m) = b (mod m) = c (mod m)
• a, b, & c – ‘congruent’

congruence property expressed as

• a ≡ b (mod m)
• ≡ c (mod m)
• ⇒ a − b, b − c, a − c divisible by m
• 12 ≡ −18 (mod 15)
• −3 ≡ −18 (mod 15)
• 12 ≡ −3 (mod 15)
• 7 ≡ 18 (mod 11)
• 4 ≡ −18 (mod 11)
• [0, 1, 2, . . . , m−1] ← ‘the set of least residues’ – ℤ_m.

Cryptography starts here

set of integers {. . . −2m, −m, 0, m, 2m, . . .}
• ⇒ same representation – 0 – in ℤ_m
• set of integers {. . . −2m+a, −m+a, a, m+a, 2m+a, . . .} ⇒ same representation – a – in ℤ_m
• set – {. . . −2m+a, −m+a, a, m+a, 2m+a, . . .} – is called ‘the residue class [a]_m’
• [3]_13 = {. . . −23, −10, 3, 16, 29, . . .}
• [0]_13 = {. . . −26, −13, 0, 13, 26, . . .}
• smallest non-negative number of a residue class is present in the set of least residues
• given integer c, identifying an a ∈ ℤ_m such that
• a ≡ c (mod m) ⇒ ‘reducing c modulo m’.
extend concepts of basic algebraic operations to ℤ_m
• add 25 & 47 with m = 7
• (25 + 47)(mod 7) ≡ 72 (mod 7) ≡ 2
• same can be obtained as
• (25 (mod 7) + 47 (mod 7))(mod 7) ≡ (4 + 5)(mod 7) ≡ 2
• Similarly (25 – 47)(mod 7) ≡ (−22)(mod 7) ≡ 6
• Alternatively
• (25 – 47)(mod 7) ≡ (25 (mod 7) – 47 (mod 7))(mod 7)
• ≡ (4 – 5)(mod 7) ≡ 6
• add two integers in ℤ_7; reduce result modulo 7

⇒ result in ℤ_7

See table for general addition of two numbers a and b (mod 7)

[Table: addition of a & b modulo 7]

• modular addition / subtraction using a look-up table not practical
• Use relations
• (a + b)(mod m) ≡ (a (mod m) + b (mod m))(mod m)
• (a – b)(mod m) ≡ (a (mod m) – b (mod m))(mod m)
extend concept to modular multiplication
• (25 × 47)(mod 7) ≡ (25 (mod 7) × 47 (mod 7))(mod 7)
• ≡ (4 × 5)(mod 7) ≡ 20 (mod 7) ≡ 6
• same result obtained as
• (25 × 47)(mod 7) ≡ 1175 (mod 7) ≡ 6
• multiply two integers in ℤ_7 & reduce result modulo 7 ⇒ result in ℤ_7
• Modular multiplication of a & b (mod 7)?
• ⇒ use table

[Table: ‘mod 7’ multiplication]

• Modular multiplication using table is not practical
• Use relation
• (a b)(mod m) ≡ (a (mod m) b (mod m))(mod m)
Consider integers 3 & 4 in ℤ_7
• (3 + 4)(mod 7) ≡ 0
• role of 4 in ℤ_7 same as that of −3 in ℤ
• 4 ‘additive inverse’ of 3 in ℤ_7 & vice versa
• Every element in ℤ_7 has an additive inverse
• ⇒ a unique inverse ← also an element of ℤ_7
• generalized version:
• For any integer a ∈ ℤ_m, b ∈ ℤ_m is the additive inverse of a if (a + b)(mod m) ≡ 0
• a is the additive inverse of b
• Additive inverse – a unique element in ℤ_m
• m – even integer? inverse of m/2 is m/2 itself.
Extend concept of inverses to multiplicative inverses
• a & b ∈ ℤ_m:
• b is multiplicative inverse of a if a b ≡ 1 (mod m)
• multiplicative inverse of a designated a^{-1} ⇒ a^{-1} ≡ b
• role of a^{-1} in ℤ_m same as reciprocal of a as a real number
• multiplication of c ∈ ℤ_m by a^{-1} ← analogous to dividing c by a in the set of real numbers
• When m is a small integer, use ‘table of multiplicative inverses’ for modular algebra

[Table: all non-zero elements of ℤ_7 & their respective inverses]

• Two facts ⇒
• Every non-zero integer in ℤ_7 has a multiplicative inverse.
• a given integer has one & only one multiplicative inverse

[Table: multiplication table for ℤ_6]

• 5 has an inverse which is 5 itself ⇒ 5^{-1} = 5
• No multiplicative inverses for 2, 3, & 4 in ℤ_6
• ⇒ they have a common divisor with 6!
• With a, b ∈ ℤ_m, a has multiplicative inverse b
• iff gcd (a, m) = 1

Proof:

• Let a ≡ b^{-1} (mod m)
• ⇒ a b ≡ 1 (mod m)
• ⇒ a b = 1 + m c for some c ∈ ℤ
• ⇒ a b – m c = 1
• Invoke the Diophantine equation!
• ⇒ gcd (a, m) = 1
• ⇒ a ∈ ℤ_m has multiplicative inverse

iff gcd (a, m) = 1

Use multiplicative inverse to carry out equivalent of division in ℤ_m

• Example in ℤ_7:
• 3/4 ⇒ 3 × 4^{-1}
• Use table of inverses
• ⇒ 4^{-1} ≡ 2 (mod 7)
• 3 × 4^{-1} ≡ 3 × 2 (mod 7)
• ≡ 6 (mod 7)

Similarly

• m is small?
• ⇒ Use table of inverses & multiply by inverse of divisor
• for ‘division’
• Not practical with values of m used in cryptography
• Use extended Euclidean algorithm
• Solve Diophantine equation
• ⇒ get multiplicative inverse
• & do ‘division’

Obtain 3407^{-1} (mod 4363)

• (Incidentally 3407 and 4363 are primes)
• Use extended Euclidean algorithm
• −1536 × 4363 + 1967 × 3407 = 1
• Or
• 1967 × 3407 = 1 + 1536 × 4363
• 3407^{-1} ≡ 1967 (mod 4363)

gcd (a, b) = 1 ⇒ a & b relatively prime

• ⇒ also called ‘coprimes’.
• 27 & 28 ← coprimes.
• 27 & 30 not relatively prime – not coprimes
• ℤ_m* ← all numbers relatively prime to m in ℤ_m
• ℤ_m* = {all a ∈ ℤ_m such that gcd(a, m) = 1}
• ℤ_14* = {1, 3, 5, 9, 11, 13}
• 7 ∉ ℤ_14*
• All elements in ℤ_m* have inverses (mod m)
• 3 has inverse in ℤ_14; 7 does not have inverse

total number of elements in ℤ_m* ⇒ φ(m)

• φ(m) ← ‘Euler phi function’ or ‘Euler totient function’
• ℤ_14* = {1, 3, 5, 9, 11, 13} ⇒ φ(14) = 6
• ℤ_7* = {1, 2, 3, 4, 5, 6} ⇒ φ(7) = 6
• If p is prime number
• ⇒ all non-zero a ∈ ℤ_p relatively prime to p
• ⇒ ℤ_p* = ℤ_p − {0} ⇒ φ(p) = p – 1
• 7 is a prime ⇒ ℤ_7* = {1, 2, 3, 4, 5, 6}
• φ(7) = 6
• 29 is a prime number ⇒ φ(29) = 28


• m = 9, n = 5, and r = 2
• Table lists values (2 + 5i)(mod 9) for all i from 0 to 8
• (2 + 5i)(mod 9) congruent to ⇒ elements of ℤ_m
• r, n, m ∈ ℤ, m & n being relatively prime ⇒
• r, r+n, r+2n, . . . r + (m−1)n ← congruent to ℤ_m (= {0, 1, 2, . . . m−1})
• Let i, j ∈ ℤ, both being less than m:
• Suppose in + r ≡ jn + r (mod m). This implies in ≡ jn (mod m), i.e. i ≡ j (mod m) since gcd(n, m) = 1 ← contradicts the assumption
• in + r ≢ jn + r (mod m) ⇒ r, r+n, r+2n, . . . r + (m−1)n
• distinct from each other – form elements of ℤ_m in some order


• Arrange integers 1 to mn in matrix form as in Table
• n columns and m rows


• Let i ∉ ℤ_m* ⇒ i has common factor with m
• ⇒ All elements in ith row have common factor with m
• Generalize ⇒ elements in all such rows not in ℤ_mn*
• ⇒ restrict to rows with index i ∈ ℤ_m* to identify elements in ℤ_mn*
• Consider numbers in first (top) row in Table
• According to above lemma, they are congruent modulo n to ℤ_n
• φ(n) of these are in ℤ_n* and hence in ℤ_mn*
• Similarly with all φ(m) rows in [4] above
• φ(mn) = φ(m) φ(n)
Generalize
• m_1, m_2, m_3, . . . m_k – relatively prime
• ⇒ φ(m_1 m_2 m_3 . . . m_k) =

φ(m_1) φ(m_2) φ(m_3) . . . φ(m_k)

• ⇒ With p_1 and p_2 – two primes
• φ(p_1 p_2) = (p_1 − 1)(p_2 − 1)
• Generalize
• p_1, p_2, . . . , p_k are all prime
• ⇒ φ(p_1 p_2 . . . p_k) = (p_1 − 1)(p_2 − 1) . . . (p_k − 1)
Obtain φ(630)
• 630 = 18 × 35
• φ(630) = φ(18) φ(35)
• ℤ_18* = {1, 5, 7, 11, 13, 17}
• φ(18) = 6
• φ(35) = φ(5) φ(7)
• = 4 × 6 (since 5 and 7 are primes)
• = 24
• φ(630) = 6 × 24
• = 144
p is prime & e positive integer:
• numbers a for which gcd(a, p^e) ≠ 1 are all multiples of p up to p^e
• These are p, 2p, 3p, . . . , p^{e−1} p
• There are p^{e−1} of these
• φ(p^e) = p^e − p^{e−1}
• φ(11^3) = 11^3 – 11^2
• = 1210
p_1 & p_2 be primes; e_1 & e_2 ← positive integers
• ⇒ gcd(p_1^{e_1}, p_2^{e_2}) = 1
• φ(p_1^{e_1} p_2^{e_2}) = φ(p_1^{e_1}) φ(p_2^{e_2})
• = (p_1^{e_1} − p_1^{e_1−1})(p_2^{e_2} − p_2^{e_2−1})
• m = p_1^{e_1} p_2^{e_2} . . . p_k^{e_k} ⇒ φ(m) = (p_1^{e_1} − p_1^{e_1−1}) . . . (p_k^{e_k} − p_k^{e_k−1})
Combine properties of φ(m) & use ⇒
• Find φ(1323): 1323 = 3^3 7^2
• φ(1323) = φ(3^3) φ(7^2)
• = (3^3 – 3^2)(7^2 – 7)
• = 756
• Find φ(287375) ⇒ 287375 = 5^3 11^2 19
• φ(287375) = φ(5^3) φ(11^2) φ(19)
• = (5^3 − 5^2)(11^2 − 11)(19 − 1)
• = 198000
Modular exponentiation of large numbers
• Repeated multiplication & modular reduction – tedious
• Repeated squaring & selective multiplication – more appealing
• Compute 239^971 (mod 503)
• 971 = 2^9 + 2^8 + 2^7 + 2^6 + 2^3 + 2^1 + 2^0
Generalized procedure to compute c ≡ a^b (mod m)
• Express b as binary number as
• b = b_{n−1} 2^{n−1} + b_{n−2} 2^{n−2} + b_{n−3} 2^{n−3} + . . . + b_0 2^0
• Make c = 1 & i = 0; make d ≡ a (mod m)
• Get c ≡ c d^{b_0} (mod m).
• Make i = i + 1; d ≡ d d (mod m); c ≡ c d^{b_i} (mod m)
• Repeat step 6 for all i up to & including i = n−1
• Each number in the sequence of d values (mod m)
• ⇒ square of the previous one
• Procedure given as Algorithm 1.3.

Algorithm 1.3 Fast Exponentiation Algorithm

• Input: a, b, m
• Output: c ≡ a^b (mod m)
• c ← 1; i ← 0; d ← a (mod m)
• while (i ≠ n) (b is an n bit number)
prime numbers
• p ∈ ℤ ← not divisible by 2 to p – 1
• ⇒ p a prime number
• 2, 3, 5, 7, 11, 13, 17, 19, 23 ← prime numbers. Properties:
• If 0 < a < p ⇒ gcd(a, p) = 1
• ℤ_p* = ℤ_p − {0}
• φ(p) = p – 1
• Every integer ← product of powers of primes.
• 84 = 2^2 × 3 × 7
• 84721 = 7^3 × 13 × 19

non-zero n ∈ ℤ_p ⇒ gcd(n, p) = 1

• ⇒ every non-zero element in ℤ_p has a multiplicative inverse
• Algebraic operations – addition, subtraction, multiplication, & division in any combination ⇒ ok in ℤ_p
• Get y ≡ (435 + 962 × 321 – 276 × 3407^{-1}) × 751 × 3407^{-1} (mod 4363)
• Substitute 3407^{-1} ≡ 1967 (mod 4363)
• y ≡ (435 + 962 × 321 – 276 × 1967) × 751 × 1967 (mod 4363) ≡ −457 (mod 4363)
• ≡ 3906 (mod 4363)
Fermat’s little theorem
• a ∈ ℤ ⇒ p ∤ a ⇒ a^{p−1} ≡ 1 (mod p) &
• p ∣ a ⇒ a^{p−1} ≡ 0 (mod p)
• Proof:
• p ∣ a ⇒ a = kp where k ∈ ℤ
• ⇒ a^{p−1} = k^{p−1} p^{p−1} ≡ 0 (mod p)
• p ∤ a ⇒
• b = ak where k ∈ ℤ_p, k ≠ 0
• a & k not divisible by p ⇒ ak not divisible by p
• ak (mod p) ⇒ non-zero for every non-zero k ∈ ℤ_p

a (mod p), 2a (mod p), 3a (mod p), . . . all non-zero

• For i, k ∈ ℤ_p, i ≠ k
• ai (mod p) ≢ ak (mod p)
• Else ai (mod p) ≡ ak (mod p) or a(i – k) ≡ 0 (mod p)
• not true since a & i – k not divisible by p
• a (mod p), 2a (mod p), 3a (mod p), . . . (p–1)a (mod p) ⇒ all distinct
• represent set of all non-zero numbers in ℤ_p in some permuted order
• (a · 2a · 3a · . . . · (p–1)a)(mod p) = ((p–1)!)(mod p)
• (a · 2a · 3a · . . . · (p–1)a)(mod p) ≡ (a^{p–1} (p–1)!)(mod p)
• ≡ ((a^{p–1})(mod p) ((p–1)!)(mod p))(mod p) ≡ ((p–1)!)(mod p).
• Cancel ((p–1)!)(mod p) ⇒ a^{p–1} ≡ 1
p = 31 ⇒ 3^{p−1} (mod 31) ≡ 3^30 (mod 31)
• Use fast exponentiation & evaluate 3^30 (mod 31)
• 3^30 (mod 31) ≡ 1
• 35 is not a prime number
• 3^34 ≡ 4 (mod 35)
• ≠ 1 (mod 35)
• 561 = 3 × 11 × 17 ⇒ 561 is composite
• 2^560 ≡ 1 (mod 561)? Beware of fifth columns!
• a^{p−1} ≡ 1 (mod p) ← only a one-way check for primality

563 ⇒ prime ⇒ a^562 ≡ 1 (mod 563) for all non-zero a ∈ ℤ_563

• 567 ⇒ 2^566 ≢ 1 (mod 567)
• 2^566 (mod 567) ≡
• ≡ 103 × 103 × 460 × 16 × 4 (mod 567)
• ≡ 412 (mod 567)
• ⇒ 567 ⇒ not a prime
• Find 3^{-1} (mod 31): using Fermat’s theorem (& not Extended Euclidean Algorithm)
• 31 is a prime ⇒ 3^30 ≡ 1 (mod 31)
• ⇒ 3^{-1} ≡ 3^{30−1} (mod 31) ≡ 3^29 (mod 31) ≡ 21 (mod 31)
• Find 592^{-1} (mod 1831): 1831 is a prime
• ⇒ 592^1830 ≡ 1 (mod 1831)
• ⇒ 592^{-1} ≡ 592^1829 (mod 1831) ≡ 1265 (mod 1831)


• Find 27^{1/11} (mod 31) using Fermat’s theorem
• 27 = 3^3
• ⇒ 27 ≡ (3^3 (mod 31) × 3^30 (mod 31))(mod 31)
• ≡ 3^3 3^30 (mod 31) ≡ 3^{30+3} (mod 31) ≡ 3^33 (mod 31)
• Take 11^{-1} power ⇒ 27^{1/11} ≡ 3^3 (mod 31)
• ≡ 27 (mod 31)
Fundamental theorem of arithmetic
• m ⇒ integer ⇒ a unique product of powers of primes
• ⇒ q_i primes & factors of m
• ⇒ wide use in cryptography
primitive element

[Table: a^i (mod 11) values for all a and i values]

g^i (mod p) takes all non-zero values in ℤ_p as i changes from 1 to p – 1 ⇒ g is a ‘primitive element’ of ℤ_p

2, 6, 7, & 8 ⇒ primitive elements of ℤ_11

• φ(10) = 4 ⇒ total number of primitive elements
• ℤ_10* = {1, 3, 7, 9}
• ⇒ primitive elements ⇒ 2^i (mod 11) for i ∈ ℤ_10*
• Use one primitive element in ℤ_p & get all others as its ith powers where i ∈ ℤ_{p−1}*
• ⇒ verify with ℤ_11
• For all a ∈ ℤ_p sequence a^i (mod p) ⇒ cyclic
• Number of integers in sequence ⇒ ‘order’ of a
• More precisely order is the smallest integer value of i for which a^i (mod p) = 1 for an a ∈ ℤ_p.
• ℤ_11 ⇒ order of non-primitive elements is 5 or 2

generalize:

• k ← order for element a ∈ ℤ_p
• i = kq ⇒ a^i ≡ 1 (mod p)
• k ∣ i ⇒ a^i ≡ 1 (mod p).
• Specifically a^{p−1} ≡ 1 (mod p)
• k ∣ (p – 1) ⇒ generalize:
• a ∈ ℤ_p ⇒ if a^n ≡ 1 (mod p), order of a divides n. Specifically order divides p – 1
• Summarize ⇒:
• The order of a ∈ ℤ_p is p – 1 or one of its factors
Test for Primitive Element
• a ∈ ℤ_p ⇒ order of a is p−1 or a factor of p−1
• ⇒ check whether a is a primitive element of ℤ_p
• a is a primitive element of ℤ_p iff
• a^{(p−1)/q} ≢ 1 (mod p)
• for all q which are factors of (p−1)
• if n is order of a ∈ ℤ_p, n divides p−1; the above result follows from this
• step by step procedure to check whether a ∈ ℤ_p is a primitive element:
• Factorize (p−1) & get all factors q
• For all q evaluate a^{(p−1)/q} (mod p)
• If none of them is 1 (mod p), a is a primitive element.
all primitive elements of ℤ_11:
• For ℤ_11 p – 1 = 10 ⇒ factors – 5 & 2
• a primitive element if a^5 ≢ 1 (mod p) & a^2 ≢ 1 (mod p)
• 2, 6, 7, & 8 satisfy both conditions; these are the primitive elements
• Other six integers in ℤ_11 do not satisfy both conditions ⇒ They are not primitive elements of ℤ_11
• ℤ_37 ⇒ Check whether 2, 3, 5, & 7 are primitive elements
• p = 37 ⇒ p – 1 = 36 = 2^2 3^2 = 4 × 9
• If a ∈ ℤ_p such that a^{36/4} = a^9 ≢ 1 (mod 37) &
• a^{36/9} = a^4 ≢ 1 (mod 37)
• ⇒ a is a primitive element – See Table
• a ℤm  a(m)≡ 1(mod m) provided gcd (a, m) =1.
• Verify Euler’s theorem for elements in ℤ10 relatively prime to 10
• m = 10  3, 7, & 9 relatively prime to 10
• ℤ10* = {1, 3, 7, 9}  (10) = 4
• 34 = 81 ≡ 1(mod10)
• 74≡ 1(mod10)
• 94≡ 1(mod10)
•  (n) useful in modular arithmetic in various ways
Evaluate 12th, 36th, 39th, and 40th powers of 9 (mod 28).
• ℤ28* = {1, 3, 5, 9, 11, 13, 15, 17, 19, 23, 25, 27}
• (28) = 12
•  912(mod28) ≡ 1(mod28)
•  936(mod28) ≡ 1(mod28)
• Similarly 940≡ 9(mod28)
Evaluate 4572491(mod28)
• 457 = 9(mod28)
• 2491 = 20712 + 7
• 4572491(mod28) ≡ 92491 (mod28)
• ≡ 9(20712+7) (mod28)
• ≡ 97 (mod28)
• ≡ 9(mod28)
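Euler's phi from the prime-power rule φ(p^e) = p^e − p^(e−1), the ℤ_m* listings, and the exponent reduction by Euler's theorem just shown, as one added Python example covering both the φ section and this one (not code from the slides); names are mine.

```python
# Added example (not from the slides): Euler's phi from the prime
# factorisation, the Z*_m listing, and exponent reduction via Euler's theorem.
from math import gcd

def factorize(n):
    """Trial-division factorisation: {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(m):
    """phi(m) = product over prime powers p^e dividing m of (p^e - p^(e-1))."""
    result = 1
    for p, e in factorize(m).items():
        result *= p**e - p**(e - 1)
    return result


def units(m):
    """Z*_m: the elements of Z_m that are relatively prime to m."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def reduce_power(a, b, m):
    """a^b mod m computed as a^(b mod phi(m)); valid only when gcd(a, m) == 1."""
    if gcd(a, m) != 1:
        raise ValueError("Euler's theorem needs gcd(a, m) == 1")
    return pow(a % m, b % phi(m), m)


if __name__ == "__main__":
    for m in (14, 630, 1323, 287375, 11**3):
        print(f"phi({m}) = {phi(m)}")
    print("Z*_28 =", units(28), "-> phi(28) =", len(units(28)))
    print("457^2491 mod 28 =", reduce_power(457, 2491, 28))   # 9, as on the slide
```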
Identification of Primitive Elements
• use following theorem & get all primitive elements from one known primitive element
• If g is a primitive element modulo m, g^k is a primitive element if gcd(k, φ(m)) = 1.
• Specifically if m is a prime p, k ∈ ℤ_{p−1}*.
• Obtain all primitive elements of ℤ_37.
• 2 is a primitive element of ℤ_37
• Values of 2^i for all i from 1 to 36 (= p−1)
• ℤ_{p−1}* = ℤ_36* = {1, 5, 7, 11, 13, 17, 19, 23, 25, 29, 31, 35}
• i ∈ ℤ_36* & respective 2^i values in bold face in Table

[Table: 2^i (mod 37) values]

• primitive elements of ℤ_37
• ⇒ 2, 5, 13, 15, 17, 18, 19, 20, 22, 24, 32, and 35
DISCRETE LOGARITHM
• extend concept of logarithms to ℤ_p
• g ∈ ℤ_p, g a primitive element;
• x & h ∈ ℤ_p such that g^x ≡ h (mod p)

x: ‘discrete logarithm’ of h to base g

• x exists for every non-zero h & vice versa
• log_10 2 = 0.30103 ⇒ Use infinite series with 2 & compute log_10 2
• 10^0.30103 = 2 ⇒ Use infinite series with 0.30103 & compute 10^0.30103
• With continuous real numbers computing log equally difficult or easy
• With discrete logarithm, given x computing h – ok
• given h computing x – much more difficult!
• ‘Monotonicity’ – absent ⇒ an apparent unpredictability!

[Figure: note apparent lack of order in dependent variable values]

• g = 13 ⇒ a primitive element of ℤ_1319
• g^x ≡ h (mod p)

Let g^{x_1} (mod p) ≡ h_1 & g^{x_2} (mod p) ≡ h_2

• h_1 h_2 ≡ g^{x_1} g^{x_2} (mod p)
• ≡ g^{x_1 + x_2} (mod p)
• ⇒ log h_1 h_2 ≡ (log h_1 + log h_2)(mod (p−1))
• discrete logarithm satisfies the property
• ‘logarithm of the product of two integers is the sum of logarithms of the two integers’
• log(h_1 h_2^{-1}) ≡ (log h_1 (mod (p−1)) – log h_2 (mod (p−1)))(mod (p−1))
• ⇒ analogous to relation log(h_1/h_2) = log h_1 – log h_2
• g^{x + (p−1)k} (mod p) ≡ g^x (mod p) ≡ h ⇒ x + (p−1)k
• discrete logarithm of h (mod p) for all k
• It is customary to use x ∈ ℤ_p as discrete logarithm

Discrete logarithm of ratio of two elements ⇒

• Use discrete logarithm of inverse of ‘denominator’.
• g^{x_1} (mod p) ≡ g^{x_2} (mod p) ⇒ x_1 ≡ x_2 (mod (p−1)).
• a ∈ ℤ_p & a^x ≡ h (mod p) but a is not a primitive element
• x discrete logarithm of h to base a
• the logarithm exists only for h expressed as powers of a (mod p)
• Find discrete logarithm of (437)(824) in ℤ_1319 – base 13
• 1319 ⇒ prime & 13 is a primitive element of ℤ_1319 (Incidentally 824 = 437^{-1} (mod 1319))
• h_1 = 437 & h_1^{-1} ≡ 824 (mod 1319)
• h_1 h_1^{-1} ≡ (437 × 824)(mod 1319) ≡ 273 × 1319 + 1
• h_1 h_1^{-1} ≡ 1 (mod 1319) ⇒ log(h_1 h_1^{-1}) ≡ log 1 ≡ 0

Find discrete logarithm of (6)(437)^{-1} in ℤ_1319 – base 13

• (6 × 437^{-1})(mod 1319) ≡ (6 × 824)(mod 1319)
• ≡ 987 (mod 1319)
• check: 987 × 437 = 327 × 1319 + 6 ≡ 6 (mod 1319)
• Do brute force computation of powers of 13 (mod 1319) until (Salvation day!) we get x value
• x = 689
• Obtain n = ⌈√p⌉
• Form list of (n + 1) elements – 1, g^1, g^2, . . . g^n.
• Let f ≡ g^{−n} ⇒ form list of (n + 1) elements

h, hf, hf^2, . . . hf^n.

• Scan the two lists & identify one element from first list that matches with one of the elements in the second list – with indices i & j
• g^i ≡ h f^j (mod p) ⇒ g^{i+jn} ≡ h (mod p)
• i + jn is DL of h

For a given p ⇒ g & f – fixed

• For a given h update lists in parallel, check for match & stop on match.
• See book for algorithm
DL of 437 (mod 1319) to base 13:
• p = 1319, g = 13 & n = ⌈√1319⌉ = 37
• n^{-1} ≡ 37^{-1} (mod 1319) ≡ 713 (mod 1319) using extended Euclidean algorithm
• h = 437
• Both arrays in Table ⇒ match at 21st element
• 13^21 ≡ 437 (mod 1319) ⇒ DL is 21
• first list ⇒ multiply element by g & obtain next element
• ⇒ ‘baby step’ – g being (usually) a small integer
• Second list ⇒ multiply element by g^{−n} & obtain next element ⇒ ‘giant step’
• ⇒ ‘baby step giant step’ algorithm
• Each list ⇒ maximum n modular multiplications

& (n + 1) entries
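Baby-step giant-step exactly as laid out above (first list g^i, second list h·f^j with f = g^(−n), match gives i + jn), as an added Python example that is not the book's or the slides' code; the baby list is stored in a dictionary so the scan is a lookup rather than a pairwise comparison. The name `bsgs` is mine.

```python
# Added example (not from the slides): baby-step giant-step with
# n = ceil(sqrt(p)), baby list g^i (i = 0..n) and giant list h*f^j, f = g^{-n}.
from math import isqrt

def bsgs(g, h, p):
    """Return x with g^x = h (mod p), reduced mod p-1, or None if h is not a power of g.

    For a primitive g this is the unique discrete logarithm in [0, p-2].
    A match g^i = h*f^j means g^(i + j*n) = h because f^j = g^(-n*j).
    """
    n = isqrt(p - 1) + 1                # n = ceil(sqrt(p)) for prime p
    baby = {}                           # g^i -> i  ("baby steps": multiply by g)
    val = 1
    for i in range(n + 1):
        baby.setdefault(val, i)         # keep the smallest i for each value
        val = (val * g) % p
    f = pow(g, -n, p)                   # f = g^{-n}; each giant step multiplies by f
    cur = h % p
    for j in range(n + 1):
        if cur in baby:
            return (baby[cur] + j * n) % (p - 1)
        cur = (cur * f) % p
    return None


if __name__ == "__main__":
    print("log_13 437 mod 1319 =", bsgs(13, 437, 1319))   # 21, as on the slide
    x = bsgs(13, 987, 1319)
    print("log_13 987 mod 1319 =", x, "check:", pow(13, x, 1319) == 987)
    print("log_3 7 mod 17 =", bsgs(3, 7, 17))
```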

Chinese Remainder Theorem (CRT)
• x ≡ 4 (mod 10)
• x ≡ 6 (mod 13) – Solve for x
• ⇒ 10 & 13 intentionally chosen ⇒ gcd (10, 13) = 1
• first congruence ⇒ x = 4 + 10k (#), k ∈ ℤ
• Substitute in second congruence gives
• 4 + 10k ≡ 6 (mod 13) ⇒ 4 + 10k = 6 + 13l, k, l ∈ ℤ
• ⇒ 10k = 2 + 13l (*)
• 10 × 4 = 40 ≡ 1 (mod 13) ⇒ 10^{-1} mod 13 ≡ 4
• Multiplication of equation (*) by 4 gives
• 40k = 8 + 13 × 4l
• k ≡ 8 (mod 13) ⇒ Substitute in (#) ⇒
• ⇒ x = 84 smallest positive integer value for x
• Solve each and combine results
• Use solution of multiple congruences
• ⇒ using ‘Chinese remainder theorem’
• m_1, m_2, m_3, . . . m_t ∈ ℤ such that gcd(m_i, m_j) = 1 for every pair of i & j (i ≠ j)
• m_i, m_j relatively prime when taken in pairs
• Simultaneous congruences x ≡ a_1 (mod m_1),

x ≡ a_2 (mod m_2), x ≡ a_3 (mod m_3), . . . , x ≡ a_t (mod m_t)

has a solution.

• If c_1 and c_2 are two solutions

c_2 ≡ c_1 (mod (m_1 m_2 m_3 . . . m_t))

Proof by induction
• c_1 = a_1 + k m_1
• With k ∈ ℤ every c_1 satisfies first congruence
• Let x_i ≡ c_i mod (m_1 m_2 m_3 . . . m_i)
• ⇒ Satisfies all congruences 1 to i
• ⇒ x = c_i + k m_1 m_2 m_3 . . . m_i where k ∈ ℤ
• Select k such that (i+1)th congruence is satisfied
• Continue till i = t & get x
• first congruence ⇒ x = 4 + 10k (#)
• Substitute in second ⇒ 4 + 10k ≡ 6 (mod 13)
• 10k ≡ 2 (mod 13)
• k satisfies equation 10k = 2 + 13l (*)
• Since
• 4 × 10 = 40 ≡ 1 (mod 13) ⇒ 10^{-1} ≡ 4 (mod 13)
• Multiplying both sides of Equation (*) by 4
• 40k = 8 + 13 × 4l
• Take congruence modulo 13 ⇒ k = 8
• Substitute in Equation (#) ⇒ x = 84 (mod 130)
• satisfies first two congruences.
• Use with third congruence & similar procedure ⇒
• 84 + 130 k_1 ≡ 4 (mod 7) ⇒ 130 k_1 ≡ −80 (mod 7)
• ≡ −3 (mod 7) ≡ 4 (mod 7)
Since 130 = 4 + 18 × 7 above equation simplifies to
• 4 k_1 ≡ 4 (mod 7)
• Smallest k_1 satisfying this congruence ⇒ k_1 = 1
• Substitution in Equation (1.44) gives
• x ≡ (84 + 1 × 130)(mod (130 × 7)) ⇒ simplify ⇒
• x ≡ 214 (mod 910) ⇒ x satisfies first three congruences
• Use with fourth congruence ⇒
• 214 + 910 k_2 ≡ 2 (mod 11) ⇒ Solve for k_2 as earlier
• k_2 = 1 smallest value of k_2
• x = 214 + 910
• = 1124
Chinese remainder theorem – altered form

• Let M = m_1 m_2 m_3 . . . m_t & M_i = M / m_i
• y_1 ≡ M_1^{-1} (mod m_1); y_2 ≡ M_2^{-1} (mod m_2); . . .
• Consider ⇒ y = a_1 y_1 M_1 + a_2 y_2 M_2 + a_3 y_3 M_3 + . . . + a_t y_t M_t
• y_1 M_1 ≡ 1 (mod m_1) ⇒ a_1 y_1 M_1 (mod m_1) ≡ a_1
• a_2 y_2 M_2, a_3 y_3 M_3, . . . a_t y_t M_t all divisible by m_1.
• y (mod m_1) ≡ a_1
• Similarly y (mod m_2) ≡ a_2 . . . y (mod m_t) ≡ a_t
• y satisfies all congruences
• ⇒ y (mod M) satisfies all the congruences.

• Solve ⇒ x ≡ 4 (mod 10) ≡ 6 (mod 13)

≡ 4 (mod 7) ≡ 2 (mod 11)

• m_i, M_i, y_i, & a_i y_i M_i values computed ⇒ Table
• M = 10010 & 81204 (mod 10010) ≡ 1124
• ⇒ 1124 satisfies all congruences.
Use in different ways –
• Fermat’s little theorem
• Chinese remainder theorem
• Properties of numbers
• Get discrete logarithms & powers of numbers to specific modulus
• g ∈ ℤ_p primitive element & a ≡ g^{2k} (mod p)
• b – square root of a (mod p): b ≡ g^k (mod p)
• a^{(p+1)/2} ≡ g^{(p+1)k} (mod p)
• ≡ g^{(p−1)k} g^{2k} (mod p)
• ≡ g^{2k} (mod p)
• a^{(p+1)/4} ≡ g^k (mod p)
• (Implicit) condition ⇒ a has a square root
a^{nk} ≡ a^{nk} a^{(p−1)k} (mod p)
• a^n ≡ a^n a^{(p−1)} (mod p)
• ≡ a^{(p−1+n)} (mod p)
• If (p−1) is divisible by n, let p−1 = jn
• a^n ≡ a^{(j+1)n} (mod p)
• a ≡ a^{(j+1)} (mod p)
• Factorize j+1 & obtain corresponding different roots of a modulo p


• Obtain square root of 4473 modulo 28547:
• ⇒ 28547 is a prime.
• Let a = 4473
• 4473^{(p+1)/4} ≡ 4473^{28548/4} (mod 28547)
• ≡ 4473^7137 (mod 28547)
• ≡ 12333 (mod 28547)
• Check: 2 is a primitive element
• 4473 ≡ 2^948 (mod 28547)
• &
• 12333 ≡ 2^474 (mod 28547)
Obtain cube root of 14523 modulo 30319:
• 30319 is a prime
• p + 2 = 30321
• 14523^30321 = 14523^30318 × 14523^3
• ≡ 14523^3 (mod 30319)
• Taking cube roots
• 14523^10107 ≡ 14523 (mod 30319)
• Taking cube roots (after swapping left & right sides of above equation)
• (14523)^{1/3} ≡ 14523^3369 (mod 30319)
• ≡ 25340 (mod 30319)


• 1319 is a prime:
• For a ∈ ℤ_1319 use a^1320 & obtain different possible roots of a:
• a^1318 ≡ 1 (mod 1319)
• a^1320 ≡ a^2 (mod 1319)
• a ≡ a^660 (mod 1319)
• 660 = 2^2 × 3 × 5 × 11
• Different roots of a can be obtained as powers of a (mod 1319)
• Some of them are given below:
• (a)^{1/4} ≡ a^165 (mod 1319)
• (a)^{1/5} ≡ a^132 (mod 1319)
• (a)^{1/11} ≡ a^60 (mod 1319)
• (a)^{1/12} ≡ a^55 (mod 1319)
```
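The root-by-exponentiation idea of the last three slides, as an added Python example that is not from the slides, generalised to any n: with d = gcd(n, p−1) and m = (p−1)/d, an n-th power a satisfies a^m ≡ 1, so a^t with n·t ≡ 1 (mod m) is an n-th root; t = 7137 for the square root mod 28547 and t = 3369 for the cube root mod 30319 fall out of this. It also makes the implicit conditions explicit (the method needs gcd(n, m) = 1, which for n = 2 means p ≡ 3 mod 4, and a must actually be an n-th power). Names are mine.

```python
# Added example (not from the slides): n-th roots modulo a prime by
# exponentiation, generalising the a^((p+1)/4) square-root and the
# a^3369 cube-root computations.
from math import gcd

def root_exponent(n, p):
    """The exponent t with n*t = 1 (mod (p-1)/gcd(n, p-1)) used below.

    Raises ValueError when no such t exists (e.g. n = 2 with p = 1 mod 4).
    """
    d = gcd(n, p - 1)
    m = (p - 1) // d
    if gcd(n, m) != 1:
        raise ValueError(f"exponent method not applicable: gcd({n}, {m}) != 1")
    return pow(n, -1, m)              # n^{-1} mod m


def nth_root_mod_prime(a, n, p):
    """Return b with b^n = a (mod p), computed as b = a^t.

    If a is an n-th power then a^m = 1 with m = (p-1)/gcd(n, p-1), so
    (a^t)^n = a^(1 + k*m) = a.  The result is verified because an a that
    is not an n-th power residue has no root at all.
    """
    a %= p
    if a == 0:
        return 0
    b = pow(a, root_exponent(n, p), p)
    if pow(b, n, p) != a:
        raise ValueError(f"{a} is not an {n}-th power residue mod {p}")
    return b


if __name__ == "__main__":
    print("sqrt(4473) mod 28547 =", nth_root_mod_prime(4473, 2, 28547))   # 12333
    print("cbrt(14523) mod 30319 =", nth_root_mod_prime(14523, 3, 30319))
    print("exponent for 4th roots mod 1319 =", root_exponent(4, 1319))     # 165
```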


DLs for p of the form 2^n + 1
• A novel procedure available for DLs with p in the form 2^n + 1
• Such p’s – restricted in number – (17, 257, 65537, . . .)
• DL of 7 to base 3 modulo 17:
• 17 ⇒ prime & 3 ⇒ a primitive element
• We have to compute x: 3^x ≡ 7 (mod 17)
• x can be any number in range 0 to 15
• x = 2^0 x_0 + 2^1 x_1 + 2^2 x_2 + 2^3 x_3
• Evaluate x_0, x_1, x_2, & x_3 by successively powering above equation by 2^3, 2^2, and 2^1

• Take both sides to the power 2^3:

⇒ (3^x)^8 = 3^{8 x_0} (3^16)^{x_1 + 2 x_2 + 4 x_3}; all powers of 3^16 ≡ 1 (mod 17)

⇒ 3^{8 x_0} ≡ 7^8 (mod 17) ⇒

≡ 16 (mod 17) ⇒ x_0 = 1 ⇒

• Multiplying by 3^{-1} (mod 17) ≡ 6 (mod 17) and simplify
• Taking both sides to power 2^2 and simplify
• ≡ 16 (mod 17) ⇒ x_1 = 1 ⇒
• Continue ⇒ x_2 = 0 & x_3 = 1
• x = x_0 + 2 x_1 + 2^2 x_2 + 2^3 x_3 = 11
• Check
• 3^11 ≡ 7 (mod 17)


Procedure for primes – 2^n + 1
• steps:
• p – 1 = 2^n & h ≡ g^x (mod p)
• For a given h, x has range 0 to 2^n – 1
• x = 2^0 x_0 + 2^1 x_1 + 2^2 x_2 + . . . 2^{n−1} x_{n−1}
• With
• Take 2^{n−1}th power, simplify, & evaluate x_0
• Substitute x_0, simplify & get
• Take 2^{n−2}th power, simplify, and evaluate x_1
• Repeat steps until all x_i including x_{n−1} are evaluated


• procedure – DL: n-bit binary number ⇒ n iterative steps
• ⇒ extend to e digit number to radix q
• DL: e-digit number ⇒ range 0 to q^e − 1
• Consider prime p with p – 1 = q^e q_2
• Let g ∈ ℤ_p: g^{q^e} ≡ 1 (mod p)
• g: q_2th power of a primitive element & not a primitive element of ℤ_p
• Express h as g^x (mod p)
• ⇒ x = DL of h to base g (mod p)


Procedure
• x = q^0 x_0 + q^1 x_1 + q^2 x_2 + . . . + q^{e−1} x_{e−1}
• Take both sides to the power q^{e−1}.
• LHS: (g^x)^{q^{e−1}} = g^{x_0 q^{e−1}} (g^{q^e})^{x_1 + q x_2 + . . .}
• = g^{x_0 q^{e−1}} (mod p) since g^{q^e} & all its integral powers are equal to 1 (mod p).
• Prepare look-up table of x_0 ~ (g^{q^{e−1}})^{x_0} (mod p)
• q entries: Use table & identify x_0 value
• Substitute ⇒

• Multiply by g^{−x_0} (mod p) & get g^{x − x_0} ≡ h g^{−x_0} (mod p)
• Take both sides to power q^{e−2}
• Repeat steps & evaluate x_1 ⇒ Use same LUT
• Repeat steps & form reduced equation
• Continue iterative procedure to evaluate all x_i including x_{e−1}


• Evaluate DL of 60 to base 4 with p = 163
• 163 is a prime, 162 = 2 × 3^4
• 2 ∈ ℤ_163 is a primitive element & 4 = 2^2
• Express 60 as 4^x ≡ 60 (mod 163)
• x has range 0 to 3^4 – 1
• x = x_0 + 3 x_1 + 9 x_2 + 27 x_3 (note 9 = 3^2 & 27 = 3^3)
• Take both sides to power 27 & simplify
• 4^27 ≡ 104 (mod 163) & 4^54 ≡ 58 (mod 163)
• x_0 = 2
• Substitute, multiply by 16^{-1} (≡ 51 (mod 163)) & simplify
• Take 9th power & simplify ⇒ x_1 = 1
• Substitute, multiply by 64^{-1} (≡ 135 (mod 163)), & simplify
• Take 3rd power & simplify ⇒ x_2 = 0
• Since 4^54 ≡ 58 (mod 163) ⇒ x_3 = 2
• Substitute for x_0, x_1, x_2, and x_3
• x = 2 + 3 × 1 + 9 × 0 + 27 × 2
• = 59 ⇒ 59 is the desired DL
• Check: 4^59 ≡ 60 (mod 163)
Pohlig Hellman Algorithm

DL based on the factors of p−1

g, h, & x ∈ ℤ_p: g is a primitive element of ℤ_p, h ≡ g^x (mod p)

Factorize p−1 = q_1^{e_1} q_2^{e_2} . . . q_t^{e_t} ⇒

⇒ q_1, q_2, . . . q_t are primes & e_1, e_2, . . . e_t respective integer exponents.

Obtain (p − 1)/q_i^{e_i} for all i from 1 to t.

Evaluate g_i ≡ g^{(p−1)/q_i^{e_i}} (mod p) for all i from 1 to t.

Evaluate h_i ≡ h^{(p−1)/q_i^{e_i}} (mod p) for all i from 1 to t.

Use procedure of last algorithm & obtain DL – x_i of h_i to base g_i for all i from 1 to t

Note: definition of h_i & g_i implies x_i exists

Express x as a set of multiple congruences

x = x_i + k q_i^{e_i}: k – an integer

⇒ implies the congruence x ≡ x_1 (mod q_1^{e_1}),

x ≡ x_2 (mod q_2^{e_2}), . . . x ≡ x_t (mod q_t^{e_t})

Use Chinese remainder theorem & solve above congruences & evaluate x


• Find log_3 597 (mod 18523).
• 18523 is a prime & 3 is a primitive element
• p – 1 = 2 × 3^3 × 7^3
• q_i, e_i, g_i, & h_i
• Are in Table
• Exponent of 2 is zero ⇒ x_1 = 0

⇒ x_20 = 1

Use g_2 & h_2

x_2: 3-digit ternary number: x_2 = x_20 + 3 x_21 + 3^2 x_22

Take 3^2 power & simplify using #

Substitute in #, use 17365^{-1} ≡ 7406 (mod 18523) & simplify ⇒

Take 3rd power & simplify ⇒

⇒ x_21 = 1

• Substitute in $, multiply by 17365^{-3} & simplify ⇒
• Since 15459^2 ≡ 3064 (mod 18523) ⇒ x_22 = 2
• Using the values of x_20, x_21, & x_22 we get
• x_2 = 1 + 3 × 1 + 3^2 × 2 = 22
• Proceed similarly to evaluate x_3 ⇒ x_3 = 25
• x_1, x_2, & x_3 satisfy congruences:
• x ≡ 0 (mod 2); x ≡ 22 (mod 27); x ≡ 25 (mod 343)
• Solve these congruences
• ⇒ x = 17518 ← smallest positive value of x.
• Check: 3^17518 ≡ 597 (mod 18523)
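The CRT in its y = Σ a_i y_i M_i form, the radix-q digit procedure for an element of order q^e, and their combination in Pohlig–Hellman, as one added Python example (not code from the slides or the book) serving the CRT, the 2^n + 1 / radix-q and the Pohlig–Hellman sections. The factorization of p−1 is passed in as the slides' table gives it; inverses use Python's pow(x, -1, m) instead of a hand-run extended Euclidean algorithm. Names are mine.

```python
# Added example (not from the slides): CRT in the y = sum a_i y_i M_i form,
# the digit-by-digit DL for an element of prime-power order q^e, and the
# Pohlig-Hellman combination of the two.
from math import prod

def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for pairwise coprime m_i; returns x mod M."""
    M = prod(moduli)
    y = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        y_i = pow(M_i, -1, m_i)          # y_i M_i = 1 (mod m_i)
        y += a_i * y_i * M_i             # this term vanishes mod every other m_j
    return y % M


def dlog_prime_power(g, h, p, q, e):
    """x with g^x = h (mod p), where g has order q^e; x has e base-q digits.

    gamma = g^(q^(e-1)) has order q, so a q-entry look-up table of its powers
    recovers digit x_k from (h * g^(-known digits))^(q^(e-1-k)) = gamma^(x_k).
    """
    gamma = pow(g, q**(e - 1), p)
    table = {pow(gamma, k, p): k for k in range(q)}   # LUT: gamma^k -> k
    x = 0
    for k in range(e):
        reduced = (h * pow(g, -x, p)) % p             # strip the digits found so far
        target = pow(reduced, q**(e - 1 - k), p)      # equals gamma^(x_k)
        if target not in table:
            raise ValueError("h is not in the subgroup generated by g")
        x += table[target] * q**k
    return x


def pohlig_hellman(g, h, p, factors):
    """DL of h to base g (primitive) mod prime p; factors = {q: e} of p-1."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factors.items():
        qe = q**e
        g_i = pow(g, n // qe, p)                      # has order q^e
        h_i = pow(h, n // qe, p)
        residues.append(dlog_prime_power(g_i, h_i, p, q, e))   # x mod q^e
        moduli.append(qe)
    return crt(residues, moduli)                      # x = x_i (mod q_i^e_i)


if __name__ == "__main__":
    print("CRT:", crt([4, 6, 4, 2], [10, 13, 7, 11]))          # 1124, as on the slide
    print("3^x = 7 (mod 17):", dlog_prime_power(3, 7, 17, 2, 4))       # 11
    print("4^x = 60 (mod 163):", dlog_prime_power(4, 60, 163, 3, 4))   # 59
    x = pohlig_hellman(3, 597, 18523, {2: 1, 3: 3, 7: 3})
    print("log_3 597 (mod 18523) =", x, "check:", pow(3, x, 18523))
```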

Leave out PPTs – 35, 36, 37, 54, 82, 83, 87 – 102 :  All these have ‘ ’ mark at top right corner
