Theory of Computation
Chapter 3: Introduction to Number Theory and Its Applications
Cheng-Chia Chen
Transparency No. 3-1
Introduction
Outline
- Division
- Primes
- Gcd and lcm
- Modular arithmetic
- Chinese Remainder Theorem
- Fermat's little theorem
- The RSA algorithm
Transparency No. 3-2
Division
Def: a, b ∈ Z with a ≠ 0. We say a divides b (written a | b) if ∃k ∈ Z s.t. b = ka.
a | b ⇒ a is a factor (or divisor) of b and b is a multiple of a.
Ex:
- 3 | 12 (∵ 12 = 4 × 3)
- -4 | 8
- 13 | 0 (0 = 0 × 13)
- not (3 | 7)
Transparency No. 3-3
Properties of |
1. a | b /\ a | c ⇒ a | b + c
2. a | b ⇒ a | bc for all c ∈ Z
3. | is reflexive (a | a for all a ∈ Z)
4. | is transitive (a | b /\ b | c ⇒ a | c)
   pf: a | b /\ b | c ⇒ b = k1 a and c = k2 b for some k1, k2 ∈ Z ⇒ c = k2 (k1 a) = (k1 k2) a.
5. a | b /\ b | a ⇒ |a| = |b|
Transparency No. 3-4
Primes
An integer p > 1 is said to be prime if ∀n ∈ N+ (n | p ⇒ n = 1 \/ n = p).
I.e., the only positive factors of p are 1 and p.
p > 1 and p is not prime ⇒ p is composite.
Examples:
- 7 is prime
- primes < 20 include: 2, 3, 5, 7, 11, 13, 17, 19.
Transparency No. 3-5
The fundamental theorem of arithmetic (FTA)
∀n ∈ N+ with n > 1, there exists a unique increasing sequence of primes p1 ≤ p2 ≤ … ≤ pk (k ≥ 1) s.t. n = p1 × p2 × … × pk.
Ex:
- 100 = 2 × 2 × 5 × 5
- 999 = 3 × 3 × 3 × 37
Transparency No. 3-6
Proof of FTA
(Existence) by math. induction.
Basis: n = 1, 2 ok.
Ind.: n > 1.
- If n is prime, then n = p1, where p1 = n and k = 1.
- If n is not prime, then n = n1 × n2 with n1, n2 < n.
  ⇒ by ind. hyp. n1 = q1 × q2 × … × qt and n2 = r1 × r2 × … × rs
  ⇒ n = n1 × n2 = q1 × … × qt × r1 × … × rs
  ⇒ n = p1 × … × ps+t, where p1, …, ps+t is an increasing reordering of q1, …, qt and r1, …, rs.
(Uniqueness) Let n = p1 × … × pk × q1 × … × qs = p1 × … × pk × r1 × … × rt where q1 ≠ r1.
⇒ n – n = p1 × … × pk × (q1 × … × qs – r1 × … × rt) ≠ 0 (a contradiction!! shown later).
Transparency No. 3-7
Theorem 3
If n is composite ⇒ ∃a ≤ √n s.t. a | n.
pf: n is composite ⇒ n = p × q with p, q > 1. If p > √n /\ q > √n ⇒ pq > √n × √n = n, a contradiction. Hence n must have a factor ≤ √n.
Example: 101 is a prime.
pf: ⌊√101⌋ = 10. But no prime ≤ 10 is a factor of 101.
Transparency No. 3-8
The division algorithm
∀a ∈ Z, d ∈ N+, there exist unique q, r s.t. a = qd + r where 0 ≤ r < d.
Def: if a = dq + r then
- d is called the divisor
- a: dividend
- q: quotient
- r: remainder
Examples:
- 101 = 11 ∙ 9 + 2
- -11 = -4 ∙ 3 + 1
Note: d | a iff r = 0.
Transparency No. 3-9
Proof of the division algorithm
Existence: Consider the Z-indexed sequence:
… a-3d, a-2d, a-d, a, a-(-d), a-(-2d), a-(-3d), …
Let r = a – qd be the smallest nonnegative number in the sequence.
1. Since the sequence is strictly increasing toward infinity, such q (and r) must exist and be unique.
2. If r ≥ d, then r' = r - d = a – (q+1)d ≥ 0 is another nonnegative number in the sequence smaller than r. That's a contradiction. Hence r must be < d.
Uniqueness: If both (q,r) and (q',r') satisfy the condition, then r – r' = (q'-q) d (*).
Since –d < r-r' < d and (q'-q)d is a multiple of d, (*) holds only if r-r' = 0 = q-q'. QED
Transparency No. 3-10
gcd and lcm
∀a, b ∈ Z, ab ≠ 0. If d | a and d | b, d is a common divisor of a and b.
gcd(a,b) =def the greatest common divisor of a and b.
Notes:
1. The set cd(a,b) = {x > 0 : x | a and x | b} is a finite subset of N+ (∵ {1} ⊆ cd ⊆ {1, …, min(a,b)}) ⇒ gcd(a,b) must exist.
   Ex: gcd(24,36) = ?
   factors of 24: 1, 2, 3, 4, 6, 12, 24
   factors of 36: 1, 2, 3, 4, 6, 9, 12, 18, 36
   ⇒ cd(24,36) = {1, 2, 3, 4, 6, 12} ⇒ gcd(24,36) = 12.
2. The same definition (cd and gcd) can be extended to more than two arguments. (ex: cd(8,12,18) = {1, 2} and gcd(8,12,18) = 2.)
Transparency No. 3-11
Relatively prime
If gcd(a,b) = 1 we say a and b are relatively prime (r.p.). Ex: gcd(17,22) = 1.
a1, a2, …, an are pairwise r.p. if gcd(ai, aj) = 1 for all 1 ≤ i < j ≤ n.
Ex:
- 10, 17, 21 are p.r.p.
- 10, 19, 24 are not p.r.p. since gcd(10,24) = 2.
Proposition 1: If a = p1^x1 p2^x2 … pn^xn, b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yj ≥ 0, then gcd(a,b) = s =def p1^z1 p2^z2 … pn^zn where zi = min(xi, yi) for all 1 ≤ i ≤ n.
Ex: 100 = 2^2 3^0 5^2 and 30 = 2^1 3^1 5^1 ⇒ gcd(100,30) = 2^1 3^0 5^1.
Transparency No. 3-12
lcm (least common multiple)
∀a, b ∈ Z, c ∈ N+: if a | c and b | c, c is a common multiple of a and b.
lcm(a,b) =def the least common multiple of a and b.
Note: The set cm(a,b) = {x > 0 | a | x and b | x} ≠ ∅ (∵ {a∙b} ⊆ cm) ⇒ lcm(a,b) must exist.
Proposition 2: If a = p1^x1 p2^x2 … pn^xn, b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yj ≥ 0, then lcm(a,b) = t =def p1^z1 p2^z2 … pn^zn where zi = max(xi, yi) for all 1 ≤ i ≤ n.
pf: Since t ∈ cm(a,b), it suffices to show t is a lower bound of cm(a,b). Then ∀c ∈ cm(a,b), pi^xi | a | c and pi^yi | b | c ⇒ pi^max(xi,yi) | c ⇒ t = Π pi^zi | c.
Theorem 5: gcd(a,b) ∙ lcm(a,b) = ab.
Transparency No. 3-13
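The FTA, Theorem 3 and Propositions 1, 2 and Theorem 5 above, worked in code as an added example (not from the lecture; the function names are my own): trial division only tries candidates up to √n, and gcd/lcm are read off the exponent vectors.

```python
# Added example: prime factorization by trial division (bounded by Theorem 3),
# then gcd/lcm from exponent vectors as in Propositions 1 and 2.
from collections import Counter

def prime_factors(n):
    """Increasing prime sequence p1 <= p2 <= ... <= pk with product n (FTA)."""
    assert n >= 1
    factors = []
    p = 2
    while p * p <= n:          # Theorem 3: a composite n has a factor <= sqrt(n)
        while n % p == 0:
            factors.append(p)
            n //= p
        p += 1
    if n > 1:                  # leftover cofactor has no factor <= its sqrt: prime
        factors.append(n)
    return factors             # empty list for n == 1

def exponents(n):
    """Exponent vector {p: x}, the form used by Propositions 1 and 2."""
    return Counter(prime_factors(n))   # Counter returns 0 for absent primes

def gcd_by_exponents(a, b):
    """Proposition 1: z_i = min(x_i, y_i) over the union of prime bases."""
    xa, xb = exponents(a), exponents(b)
    g = 1
    for p in set(xa) | set(xb):
        g *= p ** min(xa[p], xb[p])
    return g

def lcm_by_exponents(a, b):
    """Proposition 2: z_i = max(x_i, y_i) over the union of prime bases."""
    xa, xb = exponents(a), exponents(b)
    l = 1
    for p in set(xa) | set(xb):
        l *= p ** max(xa[p], xb[p])
    return l

def theorem5_holds(a, b):
    """Theorem 5: gcd(a,b) * lcm(a,b) == a * b for positive a, b."""
    return gcd_by_exponents(a, b) * lcm_by_exponents(a, b) == a * b

if __name__ == "__main__":
    print(prime_factors(100), prime_factors(999))              # [2, 2, 5, 5] [3, 3, 3, 37]
    print(gcd_by_exponents(100, 30), lcm_by_exponents(100, 30))  # 10 300
    print(theorem5_holds(24, 36))                               # True
```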
Modular Arithmetic
Def 8: m ∈ N+, a ∈ Z. a mod m =def the remainder of a divided by m.
Ex:
- 17 mod 5 = 2
- -133 mod 9 = 2
Def 9: a, b ∈ Z, m ∈ N+. a ≡ b (mod m) means m | (a-b).
- i.e., a and b have the same remainder when divided by m.
- i.e., a mod m = b mod m.
- We say a is congruent to b (modulo m).
Ex:
- 17 ≡ 5 (mod 6)?
- 24 ≡ 14 (mod 6)?
Transparency No. 3-14
Properties of congruence
Theorem 6: a ≡ b (mod m) iff a = km + b for some k ∈ Z.
pf: a ≡ b (mod m) ⇔ (a-b) = km ⇔ a = km + b.
Theorem 7: If m > 0, a ≡ b (mod m) and c ≡ d (mod m), then
(1) a + c ≡ b + d (mod m)
(2) ac ≡ bd (mod m).
pf: By the premise, a = km + b and c = sm + d for some k, s.
⇒ a + c = (b + d) + (k + s) m and ac = bd + (kd + sb + skm) m
⇒ (1) and (2) hold.
Ex: 7 ≡ 2 (mod 5), 11 ≡ 1 (mod 5) ⇒ 18 ≡ 3 and 77 ≡ 2 (mod 5).
Transparency No. 3-15
The Euclidean Algorithm
Lemma 1: a = bq + r ⇒ gcd(a,b) = gcd(b,r).
pf: It suffices to show that cd(a,b) = cd(b,r). But for any integer d:
- d | a /\ d | b ⇒ d | r since r = a - bq, and
- d | b /\ d | r ⇒ d | a since a = bq + r.
Hence cd(a,b) = cd(b,r), and gcd(a,b) = gcd(b,r).
Note:
1. if a = bq + 0 ⇒ gcd(a,b) = gcd(b,0) = b.
2. Corollary: gcd(a,b) = gcd(b,c) if a is a linear combination (l.c.) of b and c, and c is a l.c. of a and b.
Transparency No. 3-16
A simple algorithm:
    gcd(a, b)   // a ≥ b ≥ 0
        if (b == 0)
            return a;
        else
            return gcd(b, a mod b);   // Lemma 1: gcd(a,b) = gcd(b, a mod b)
Note: this algorithm is very efficient (O(log b) by Lamé's lemma).
Transparency No. 3-17
gcd(662, 414) = ?
a     b     a = qb + r              q    r
662   414   662 = 1 × 414 + 248     1    248
414   248   414 = 1 × 248 + 166     1    166
248   166   248 = 1 × 166 + 82      1    82
166   82    166 = 2 × 82 + 2        2    2
82    2     82 = 42 × 2 + 0         42   0
2     0
∴ gcd(662,414) = gcd(414,248) = … = gcd(2,0) = 2.
Transparency No. 3-18
Theorem 1
a > b ≥ 0 ⇒ gcd(a,b) = sa + tb for some s, t ∈ Z.
i.e., gcd(a,b) is a linear combination of a and b.
Pf: By induction on b.
Basis: b = 0 ⇒ gcd(a,b) = a = 1 ∙ a + 0 ∙ b.
Inductive case: b > 0.
case 1: b | a ⇒ gcd(a,b) = b = 0 ∙ a + 1 ∙ b.
case 2: b ∤ a ⇒ gcd(a,b) = gcd(b,r) where 0 ≤ r = a mod b < b.
By I.H. gcd(b,r) = sb + tr. But r = a - bq,
∴ gcd(a,b) = gcd(b,r) = sb + tr = sb + t(a – bq) = ta + (s – qt) b. QED
Conclusion: (s_n, t_n) = (t_{n+1}, s_{n+1} – q_n t_{n+1}).
Transparency No. 3-19
Example
gcd(252, 198) = 18 = ___ ∙ 252 + ___ ∙ 198.
Sol:
Exercise: Let L(a,b) = {sa + tb | s, t ∈ Z} be the set of all linear combinations of a and b. Show that gcd(a,b) = the smallest positive member of L(a,b).
pf: Let g = gcd(a,b). By Theorem 1, g is a linear combination of a and b. Hence g ∈ L(a,b).
Now let m = sa + tb be any positive number in L(a,b). Then since g | a and g | b, we have g | sa + tb = m and hence g ≤ m. As a result g is the least positive member of L(a,b).
Theorem 1.1: gcd(a,b) is the least positive integer combination of a and b.
Transparency No. 3-20
gcd(662, 414) = ?
n   a     b     a = qb + r              q    r     s_n   t_n
1   662   414   662 = 1 × 414 + 248     1    248   -5    8 = 3 - 1 ∙ (-5)
2   414   248   414 = 1 × 248 + 166     1    166   3     -5 = -2 - 1 ∙ 3
3   248   166   248 = 1 × 166 + 82      1    82    -2    3 = 1 - 1 ∙ (-2)
4   166   82    166 = 2 × 82 + 2        2    2     1     -2 = 0 - 2 ∙ 1
5   82    2     82 = 42 × 2 + 0         42   0     0     1 = 1 - 42 ∙ 0
6   2     0                                         1     0
Each row uses the recurrence of Theorem 1: s_n = t_{n+1}, t_n = s_{n+1} – q_n t_{n+1}, starting from (s_6, t_6) = (1, 0).
∴ gcd(662,414) = gcd(414,248) = … = gcd(2,0) = 2 = 1 × 2 + 0 × 0 = … = -5 × 662 + 8 × 414.
Transparency No. 3-21
Lemma 1 and Lemma 2
Lemma 1: gcd(a,b) = 1 /\ a | bc ⇒ a | c. (must remember!)
pf: gcd(a,b) = 1 ⇒ 1 = sa + tb for some s, t ∈ Z
⇒ c = sac + tbc = sac + tka (∵ a | bc, so bc = ka) = (sc + tk) ∙ a ∴ a | c.
Lemma 2': p prime /\ p ∤ a ⇒ gcd(p,a) = 1.
Pf: cd(p,a) ⊆ factors of p = {1, p}, but p is not a factor of a. Hence gcd(p,a) = 1.
Lemma 2: p prime /\ p | a1 a2 … an ⇒ p | ai for some i.
Pf: By ind. on n. Basis: n = 1, trivial.
Ind. case: n = k + 1. p | a1 a2 … ak ak+1.
If p | a1 we are done.
O/W p ∤ a1 and gcd(p, a1) = 1 by Lem 2'.
By Lem 1: p | (a2 … ak+1) ⇒ p | ai for some 2 ≤ i ≤ k+1 by IH.
Transparency No. 3-22
Uniqueness of FTA
Pf: Suppose ∃ two distinct sequences p1, …, ps and q1, …, qt with n = p1 × … × ps = q1 × … × qt.
Removing all common primes on both sides:
m =def pi1 × … × piu = qj1 × … × qjv ≠ 1, where pi ≠ qj for all pi and qj.
⇒ pi1 | m = qj1 × … × qjv
⇒ pi1 | qj for some j (a contradiction!!).
Transparency No. 3-23
Theorem 2
m > 0 /\ ac ≡ bc (mod m) /\ gcd(m,c) = 1 ⇒ a ≡ b (mod m).
Pf: ac ≡ bc (mod m) ⇒ m | (ac – bc) = (a – b) c.
∵ gcd(m,c) = 1 ∴ m | (a – b) ∴ a ≡ b (mod m).
Note: Let m be a prime. Then if ac ≡ bc and not (c ≡ 0 (mod m)) ⇒ a ≡ b. Like ordinary arithmetic.
Transparency No. 3-24
Lemma 3: Let c be a positive integer; then gcd(ac, bc) = c gcd(a,b).
pf: Let A = {sa + tb > 0 | s, t ∈ Z} and B = {sac + tbc > 0 | s, t ∈ Z}.
Obviously, if m is the minimum of A, then mc must be the minimum of B.
O/W, let the minimum of B be s1 ac + t1 bc < mc for some s1, t1. But this implies s1 a + t1 b < m, which contradicts the fact that m is the minimum of A.
As a result, by Theorem 1.1, gcd(ac,bc) = mc where m = gcd(a,b).
Transparency No. 3-25
Lemma 4: Let a = p1^x1 p2^x2 … pm^xm, b = q1^y1 q2^y2 … qn^yn where all pi's and qj's are primes and all xi, yj > 0. If {p1, …, pm} ∩ {q1, …, qn} = ∅, then gcd(a,b) = 1.
pf: Assume gcd(a,b) ≠ 1 and let r be any prime factor of gcd(a,b). Then we have r | a and r | b.
But, by Lemma 2, this implies r must be one of {p1, …, pm} and one of {q1, …, qn}.
As a result, since {p1, …, pm} ∩ {q1, …, qn} = ∅, r does not exist and the assumption that gcd(a,b) ≠ 1 is false.
Transparency No. 3-26
Proof of Proposition 1 for gcd
Proposition 1: If a = p1^x1 p2^x2 … pn^xn, b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yj ≥ 0, then gcd(a,b) = s =def p1^z1 p2^z2 … pn^zn where zi = min(xi, yi) for all 1 ≤ i ≤ n.
pf: Let c = a/s and d = b/s.
Then c = p1^x1 p2^x2 … pn^xn / p1^z1 p2^z2 … pn^zn ∈ Z and d = p1^y1 p2^y2 … pn^yn / p1^z1 p2^z2 … pn^zn ∈ Z.
Hence by Lemma 3, gcd(a,b) = s gcd(c,d).
But since c and d have no common prime factor, by Lemma 4, gcd(c,d) = 1. As a result, gcd(a,b) = s.
Exercise: Show that c is a factor of a = p1^x1 p2^x2 … pn^xn iff c = p1^y1 p2^y2 … pn^yn where xk ≥ yk ≥ 0 for all 1 ≤ k ≤ n.
Transparency No. 3-27
Linear Congruence
Ex: Find an x such that 7x ≡ 2 (mod 5).
sol: x = 6. How to find?
Analog: how to solve the equation ax = b? Let a^-1 be the inverse of a (i.e. 1/a) ⇒ a^-1 ax = a^-1 b ⇒ x = a^-1 b = b/a.
Def: Equations of the form ax ≡ b (mod m) are called linear congruence equations.
Def: Given (a, m), any integer a' satisfying the condition a a' ≡ 1 (mod m) is called the inverse of a (mod m).
Ex: Since 7 × 3 ≡ 1 (mod 5), 3 is an inverse of 7 mod 5. Hence 3 × 2 = 6 is a solution of 7x ≡ 2 (mod 5).
Transparency No. 3-28
General solution of ax ≡ b (mod m)
Proposition: a a' ≡ 1 (mod m) ⇒ x = a'b + km is the general solution of the congruence equation ax ≡ b (mod m).
Pf: 1. aa' ≡ 1 ⇒ aa'b ≡ b ⇒ a (a'b + km) ≡ b (mod m) ⇒ a'b + km is a solution for any k ∈ Z.
2. y is a solution
⇒ ay ≡ b (mod m)
⇒ a'ay ≡ a'b (mod m)
⇒ 1 ∙ y ≡ a'ay ≡ a'b (mod m)
⇒ y ≡ a'b (mod m)
⇒ m | (y – a'b)
⇒ y = a'b + km for some k.
Transparency No. 3-29
Theorem 3 (uniqueness of inverse)
m > 0, gcd(a,m) = 1. Then ∃b ∈ Z s.t.
1. ab ≡ 1 (mod m)
2. if ab ≡ ac [≡ 1] ⇒ b ≡ c (mod m).
Pf: 1. gcd(a,m) = 1. Then ∃b, t with ba + tm = 1. Since ab – 1 = (-t) m, ab ≡ 1 (mod m).
2. Since gcd(a,m) = 1, by Theorem 2, we can divide a from both sides.
Note: Theorem 3 means that the inverse of a mod m uniquely exists (and hence is well defined) if a and m are relatively prime.
Transparency No. 3-30
Examples
Ex: Find a s.t. 3a ≡ 1 (mod 7).
Sol: since gcd(3,7) = 1, the inverse of 3 (mod 7) exists and can be computed by the Euclidean algorithm:
7 = 3 × 2 + 1 ⇒ 1 = 7 + 3 (-2) ⇒ 3 (-2) ≡ 1 (mod 7) ⇒ a = -2 + 7k for all k ∈ Z.
Ex: Find all solutions of 3x ≡ 4 (mod 7).
Sol: -2 is an inverse of 3 (mod 7). Hence
3 (-2) ≡ 1 (mod 7)
⇒ 3 (-2) 4 ≡ 1 ∙ 4 (mod 7) -- particular solution
⇒ x = 4 (-2) + 7k where k ∈ Z is the general solution.
Transparency No. 3-31
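The recurrence of Theorem 1 (the s_n, t_n table for gcd(662, 414)), the blank gcd(252, 198) example, and the inverse and linear-congruence examples above, as one added example (not the lecture's code; the function names are my own). Bézout coefficients come straight from the recurrence, the inverse is the coefficient of a, and the general solution is a'b + km.

```python
# Added example: Theorem 1's recurrence (s_n, t_n) = (t_{n+1}, s_{n+1} - q_n t_{n+1})
# in code, then modular inverses (Theorem 3) and solutions of a x ≡ b (mod m).

def ext_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b, for a, b >= 0.

    If a < b the first step has q = 0 and simply swaps the arguments.
    """
    if b == 0:                        # basis: gcd(a, 0) = a = 1*a + 0*b
        return a, 1, 0
    q, r = divmod(a, b)               # division algorithm: a = q*b + r, 0 <= r < b
    g, s1, t1 = ext_gcd(b, r)         # I.H.: g = s1*b + t1*r
    return g, t1, s1 - q * t1         # r = a - q*b  =>  g = t1*a + (s1 - q*t1)*b

def mod_inverse(a, m):
    """Inverse a' with a*a' ≡ 1 (mod m), reduced into [0, m); None if gcd(a, m) != 1.

    Theorem 3: the inverse exists, and is unique mod m, iff gcd(a, m) = 1.
    """
    g, s, _ = ext_gcd(a % m, m)       # 1 = s*a + t*m  =>  s*a ≡ 1 (mod m)
    if g != 1:
        return None
    return s % m

def solve_linear_congruence(a, b, m):
    """Solve a*x ≡ b (mod m) when gcd(a, m) = 1.

    Returns (x0, m): every solution is x = x0 + k*m (slide 3-29), with x0 = a'*b
    reduced mod m. Returns None when a has no inverse mod m.
    """
    inv = mod_inverse(a, m)
    if inv is None:
        return None
    return (inv * b) % m, m

if __name__ == "__main__":
    print(ext_gcd(662, 414))                 # (2, -5, 8): 2 = -5*662 + 8*414
    print(ext_gcd(252, 198))                 # (18, 4, -5): 18 = 4*252 - 5*198
    print(mod_inverse(3, 7))                 # 5, i.e. -2 mod 7
    print(solve_linear_congruence(3, 4, 7))  # (6, 7): x = 6 + 7k, and 3*6 = 18 ≡ 4
```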
The Chinese Remainder Theorem
Ex: Find all integers x satisfying the equations simultaneously:
- x ≡ 2 (mod 3)
- x ≡ 3 (mod 5)
- x ≡ 2 (mod 7)
Theorem 4: m1, m2, …, mn: pairwise relatively prime. The system of congruence equations
- x ≡ a1 (mod m1)
- x ≡ a2 (mod m2)
- …
- x ≡ an (mod mn)
has a unique solution modulo m = m1 m2 … mn.
Transparency No. 3-32
How the CRT problem is solved
Analogy: find a polynomial f(x) of degree < n passing through n points.
Ex: Find a polynomial of degree < 3 passing through (1,2), (3,5), (5,4).
Intuition:
1. For each point (ai, bi) where i ∈ [1,n], construct a polynomial fi(x) of order < n with the properties:
   1.1. fi(ai) = bi and
   1.2. fi(ak) = 0 for all k ∈ [1,n] \ {i}.
2. Suppose we can find all such fi(x)'s; then F(x) = Σ_{j=1..n} fj(x) is the solution.
   pf: F(ai) = fi(ai) + Σ_{k ≠ i} fk(ai) = bi + 0 for all i ∈ [1,n].
Transparency No. 3-33
Ex: Find a polynomial of degree < 3 passing through (1,2), (3,5), (5,4).
Solution:
1. Find f1(x) with f1(1) = 2 and f1(3) = f1(5) = 0.
   ⇒ f1(x) must have a factor (x-3)(x-5): f1(x) = c1 (x-3)(x-5)
   ⇒ since f1(1) = 2, 2 = c1 (1-3)(1-5) ⇒ c1 = 2 / ((1-3)(1-5))
   ⇒ f1(x) = 2 (x-3)(x-5) / ((1-3)(1-5))
2. Similarly,
   f2(x) = 5 (x-1)(x-5) / ((3-1)(3-5))
   f3(x) = 4 (x-1)(x-3) / ((5-1)(5-3))
   and F(x) = f1(x) + f2(x) + f3(x) is the solution.
Transparency No. 3-34
Proof of the Chinese remainder theorem (CRT)
Pf: Let Mk = m / mk for 1 ≤ k ≤ n.
Note:
1. gcd(mk, Mk) = 1 and
2. mi | Mk if i ≠ k.
Hence ∃sk, yk s.t. sk mk + yk Mk = 1. Hence yk is an inverse of Mk mod mk. Now
Mk yk ≡ 1 (mod mk) and
Mk yk ≡ 0 (mod mj) for all j ≠ k.
Let x = a1 M1 y1 + … + an Mn yn; then
x ≡ a1 M1 y1 + … + an Mn yn ≡ ak Mk yk ≡ ak (mod mk) for all 1 ≤ k ≤ n.
Transparency No. 3-35
Proof of the uniqueness part
If x and y satisfy the equations, then x - y ≡ 0 (mod mk) for all k = 1..n
⇒ ∃s1, …, sn with x - y = s1 m1 = … = sn mn.
Since gcd(mi, mk) = 1 for all i ≠ k and mk | s1 m1, we have mk | s1 for all k ≠ 1.
Hence, by Lem(*), s1 is a multiple of m2 m3 … mn and x - y = s1 m1 is a multiple of m = m1 m2 … mn.
Hence x ≡ y (mod m). QED
Lem(*): If gcd(m,n) = 1, then m | s and n | s implies mn | s.
pf: m | s and n | s means s = km = tn. Hence n | km. But since gcd(m,n) = 1, we have n | k. Hence mn | km = s.
Transparency No. 3-36
Example
Find x ≡ (2, 3, 2) (mod (3, 5, 7)) respectively.
Sol: m = 3 × 5 × 7 = 105.
i   mi   ai   Mi          yi = Mi^-1 (mod mi)          ai Mi yi
1   3    2    m/3 = 35    35 y1 ≡ 1 (mod 3) ⇒ y1 = -1   2 × 35 × (-1) = -70
2   5    3    m/5 = 21    21 y2 ≡ 1 (mod 5) ⇒ y2 = 1    3 × 21 × 1 = 63
3   7    2    m/7 = 15    15 y3 ≡ 1 (mod 7) ⇒ y3 = 1    2 × 15 × 1 = 30
x = -70 + 63 + 30 = 23.
Transparency No. 3-37
An application of CRT
Instead of using binary representation, we can use m1, m2, …, mn (n pairwise relatively prime numbers) as the base of integer representations:
Ex: let (m1, …, m5) = (19, 23, 29, 31, 41)
99 = (4, 7, 12, 6, 17)
88 = (12, 19, 1, 26, 6)
---------------------------------------------------------------
99 + 88 = (16, 3, 13, 1, 23)
99 × 88 = (10, 18, 12, 1, 20).
Problems:
1. How to detect if a + b (or a × b) overflows?
2. How to compare values (when will a < b)?
Transparency No. 3-38
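The constructive CRT proof (x = Σ ak Mk yk, slide 3-35), its (2, 3, 2) mod (3, 5, 7) example, and the residue-number-system application above, as one added example (not the lecture's code; function names are my own). The inverse yk of Mk mod mk is taken from Python's built-in pow(Mk, -1, mk) (Python 3.8+) rather than re-running the Euclidean algorithm.

```python
# Added example: CRT solver built exactly as in the proof, then the
# residue-number-system arithmetic of slide 3-38 with CRT used to read the result back.
from math import gcd, prod

def crt(residues, moduli):
    """The unique x in [0, m) with x ≡ a_k (mod m_k) for all k (Theorem 4)."""
    for i in range(len(moduli)):               # hypothesis: pairwise relatively prime
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    m = prod(moduli)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        M_k = m // m_k                         # M_k ≡ 0 (mod m_j) for every j != k
        y_k = pow(M_k, -1, m_k)                # M_k y_k ≡ 1 (mod m_k); gcd(M_k, m_k) = 1
        x += a_k * M_k * y_k
    return x % m                               # uniqueness part: reduce mod m

def to_rns(n, moduli):
    """Represent 0 <= n < prod(moduli) by its remainders modulo each base."""
    return tuple(n % m_i for m_i in moduli)

def rns_add(u, v, moduli):
    """Componentwise addition (Theorem 7(1)); valid while the true sum is < prod(moduli)."""
    return tuple((a + b) % m_i for a, b, m_i in zip(u, v, moduli))

def rns_mul(u, v, moduli):
    """Componentwise multiplication (Theorem 7(2)), same no-overflow caveat."""
    return tuple((a * b) % m_i for a, b, m_i in zip(u, v, moduli))

def from_rns(r, moduli):
    """Recover the integer: CRT gives the only value in [0, prod(moduli)) with these remainders."""
    return crt(r, moduli)

if __name__ == "__main__":
    print(crt((2, 3, 2), (3, 5, 7)))                   # 23
    bases = (19, 23, 29, 31, 41)
    u, v = to_rns(99, bases), to_rns(88, bases)
    print(u, v)                                        # (4, 7, 12, 6, 17) (12, 19, 1, 26, 6)
    print(from_rns(rns_add(u, v, bases), bases))       # 187
    print(from_rns(rns_mul(u, v, bases), bases))       # 8712
```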
Fermat's little theorem
Let a be any positive integer and p a prime number.
1. If gcd(p,a) = 1, then a^(p-1) ≡ 1 (mod p).
2. a^p ≡ a (mod p).
Ex:
1. p = 17, a = 2 ⇒ 2^16 = 65536 = 3855 × 17 + 1 ⇒ 2^16 ≡ 1 (mod 17).
2. p = 3, a = 20 ⇒ 20^3 – 20 = 8000 – 20 = 7980 is a multiple of 3. Hence 20^3 ≡ 20 (mod 3).
Transparency No. 3-39
Proof of Fermat's little theorem
Lemma: ∀1 ≤ i < j ≤ p-1, ia ≢ ja (mod p) and ia ≢ 0 (mod p).
Pf: ia ≡ ja (mod p) ⇒ p | (j-i) a. Since gcd(p,a) = 1, p | (j-i). But 0 < j-i < p, so p does not divide (j-i), a contradiction.
Similarly, since not (p | i) and gcd(p,a) = 1, not (p | ia).
1. The above lemma means ia and ja have different remainders when divided by p. Hence
   a × 2a × … × (p-1)a ≡ 1 × 2 × … × (p-1) = (p-1)! (mod p)
   ⇒ (p-1)! a^(p-1) ≡ (p-1)! (mod p). Then p | (p-1)! (a^(p-1) – 1). ∵ p does not divide (p-1)!, p | a^(p-1) – 1, and hence a^(p-1) ≡ 1 (mod p).
2. If gcd(p,a) = p ⇒ 0 ≡ a ≡ a^p (mod p).
   If gcd(p,a) = 1 ⇒ a^(p-1) ≡ 1 (mod p) ⇒ a^p ≡ a (mod p).
Transparency No. 3-40
Public key encryption and RSA
M (plain text) --[Encryption with the public key]--> C (cipher text) --[Decryption with the private key]--> M' (plain text)
• Public key can be known to the public.
• Private key is kept secret.
Transparency No. 3-41
The RSA algorithm
- p, q: two large primes (> 200 digits, 1024 digits recommended now),
- n = pq
- e = any number with gcd(e, (p-1)(q-1)) = 1.
- d = inverse of e (mod (p-1)(q-1)) (i.e., de ≡ 1 (mod (p-1)(q-1)))
- public key = (n, e)
- private key = (n, d)
note: public and private keys are symmetric.
C = M^e (mod n) and M' = C^d (mod n).
Theorem: M' ≡ M (mod n).
Transparency No. 3-42
Proof of the correctness of the RSA algorithm
M' = C^d ≡ (M^e)^d ≡ M^(de) ≡ M^(1 + k(p-1)(q-1)) (mod n) [∵ de ≡ 1 (mod (p-1)(q-1))]
case 1: gcd(M,p) = 1. Then C^d = M ∙ (M^(p-1))^(k(q-1)) ≡ M ∙ 1^(k(q-1)) ≡ M (mod p) --- (1) (by Fermat's little theorem)
case 2: gcd(M,p) = p (i.e., M = mp for some integer m). Then C^d = (mp)^(k(p-1)(q-1)+1) ≡ 0 ≡ M (mod p)
Similarly, it can be shown that C^d ≡ M (mod q) --- (2)
⇒ M' = C^d ≡ M (mod n).
∵ C^d - M is a multiple of p and of q ⇒ C^d - M is a multiple of lcm(p,q) = pq = n.
(Or by the Chinese Remainder Theorem, M' is the only value in [0, n-1] satisfying (1) and (2).)
Transparency No. 3-43
Example
p = 43, q = 59 ⇒ n = pq = 43 ∙ 59 = 2537.
Choose e = 13 with gcd(13, (43-1)(59-1) = 2436) = 1.
d = 937 is an inverse of 13 mod 2436.
1. To transmit 'STOP' = 1819 1415: 2 blocks of length 4.
   1819^13 mod 2537 = 2081, 1415^13 mod 2537 = 2182 ⇒ C = 2081 2182.
2. Receive 0981 0461 ⇒
   M'1 = 0981^937 (mod 2537) = 0704
   M'2 = 0461^937 (mod 2537) = 1115
   ⇒ M' = 0704 1115 = 'HELP'.
Transparency No. 3-44
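The RSA run above (p = 43, q = 59, e = 13, d = 937, blocks of two letters with A = 00 … Z = 25) reproduced as an added example (not the lecture's code; function names are my own). d comes from pow(e, -1, phi) (Python 3.8+) instead of a hand-run Euclidean algorithm, and pow(M, e, n) does the modular exponentiation; the 4-digit modulus is the slide's teaching size, not a usable key size.

```python
# Added example: textbook RSA with the slide's parameters and its digit-block
# encoding of letters. The assert in rsa_encrypt is the CRT-uniqueness condition
# of slide 3-43: decryption is only guaranteed to return M when 0 <= M < n.
from math import gcd

def rsa_keygen(p, q, e):
    """Public key (n, e) and private key (n, d) with d*e ≡ 1 (mod (p-1)(q-1))."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                     # inverse exists uniquely mod phi (Theorem 3)
    return (p * q, e), (p * q, d)

def text_to_blocks(text, block_letters=2):
    """'STOP' -> [1819, 1415]: each letter as two digits, block_letters letters per block."""
    digits = "".join("%02d" % (ord(c) - ord("A")) for c in text)
    width = 2 * block_letters
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]

def blocks_to_text(blocks, block_letters=2):
    """[704, 1115] -> 'HELP'; leading zeros are restored (704 is the block 0704)."""
    width = 2 * block_letters
    digits = "".join("%0*d" % (width, b) for b in blocks)
    return "".join(chr(ord("A") + int(digits[i:i + 2])) for i in range(0, len(digits), 2))

def rsa_encrypt(blocks, public_key):
    n, e = public_key
    assert all(0 <= M < n for M in blocks), "each block must lie in [0, n-1]"
    return [pow(M, e, n) for M in blocks]   # C = M^e mod n

def rsa_decrypt(blocks, private_key):
    n, d = private_key
    return [pow(C, d, n) for C in blocks]   # M' = C^d mod n, and M' ≡ M (mod n)

if __name__ == "__main__":
    pub, priv = rsa_keygen(43, 59, 13)
    print(pub, priv)                                      # (2537, 13) (2537, 937)
    print(rsa_encrypt(text_to_blocks("STOP"), pub))       # [2081, 2182]
    print(blocks_to_text(rsa_decrypt([981, 461], priv)))  # HELP
```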
Why is it hard to break RSA?
Given the public key (e, n), to find (d, n) we need to:
1. decompose n into pq
2. find the inverse d of e modulo (p-1)(q-1).
Step 2 is easy (quick Euclidean algorithm).
But step 1, factorization of a large number, is computationally hard.
Transparency No. 3-45