Download a(x)

UNIT II
FINITE FIELDS AND NUMBER THEORY
Group
• A group G, sometimes denoted by {G, .}, is a set of
elements with binary operations denoted as ., that
associates to each ordered pair (a,b) of elements in G
an element(a . b) in G, such that the following axioms
are obeyed
Axioms obeyed
– (A1)Closure : If a and b belong to G, then a.b is also in G
– (A2)Associative law:(a.b).c = a.(b.c)
– (A3)Identity e:
e.a = a.e = a
– (A4)Inverse a-1:
a.a-1 = e
• if (A5)commutative a.b = b.a
– then forms an abelian group
Group
• If a group has a finite no. of elements FINITE Group
• Order is equal to the no. of elements in the group
• if commutative a.b = b.a
– then forms an abelian group
Cyclic Group
• Exponentiation is repeated application of group operator
– example:
a3 = a.a.a
• and let identity be: e=a0
• a group is cyclic if every element is a power of some fixed element
– ie b = ak
for some a and every b in group
• a is said to be a generator G of the group
• Eg: Additive group of integers is an infinite cyclic group, generated by element 1.
Ring
• A ring R, sometimes denoted by {R, +, x}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in R the following axioms are obeyed
Ring
• an abelian group with addition operation • (M1) closure under multiplication
• (M2) associativity of multiplication
• (M3) distributive : a(b+c) = ab + ac
(a+b)c = ac + bc
• Eg:
n‐square matrices over the real numbers form a ring
• (M4) commutative • Eg: S be the set of even integers under usual operations of addition and multiplication is a commutative ring
Ring
• Integral Domain
– (M5) Multiplicative identity : There is an element 1 in R such that a1= 1a=a
– (M6) No Zero divisors : If a, b in R and ab=0, then
either
a=0 0r b=0
• Eg: Set of integers positive, negative, Zero under usual operations of addition and multiplication
Field
• A field F, sometimes denoted by {F, +, x}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed
• (A1‐M6) F is an integral domain
• (M7) multiplicative inverse: For each a in F, except 0, there is an element a‐1 such that aa‐1 =(a‐1)a=1
• Eg : rational numbers, real numbers, complex numbers
Divisors
• We say that a nonzero b divides a if a=mb for some m, where a, b, and m are integers. That is, b divides a if there is no remainder on division. The notation b|a is commonly used to mean b divides a. Also, if b|a, we say that b is divisor of a
Relations
•
•
•
•
If a|1, then a=±1
If a|b and b|a, then a=±b
Any b ≠ 0 divides 0;
If b|g and b|h, then b|(mg+nh) for arbitary
integers m and n.
– If b|g, then g is of the form g=b×g1 for some integer g1
– If b|h, then h is of the form h=b×h1 for some integer h1
Properties of Congruences
• Congruences have the following properties:
– a ≡ b(mod n) if n|(a-b)
– a ≡ b(mod n) implies b ≡ a(mod
n)...
– a ≡ b(mod n) and b ≡ c(mod n)
imply
a ≡ c(mod n)
Modular Arithmetic operations
• Properties
– [(a mod n)+(b mod n)] mod n=(a+b) mod n
– [(a mod n)‐(b mod n)] mod n=(a‐b) mod n
– [(a mod n)×(b mod n)] mod n=(a×b) mod n
Exponentiation
• 117 mod 13
• 112= 121 ≡ 4(mod 13)
• 114= (112)2 = 42 ≡ 3 mod 13
• 117 mod 13 = 11×4×3 ≡ 132 ≡ 2 mod 13
Modulo 8 Example
Properties of Modular Arithmetic
• Define the set Zn as the set of non negative integers less than n:
Zn={0,1,…..(n‐1)}
• This is set of residues or residue classes modulo n.
•
•
•
•
•
Eg: residue class modulo 4 are
[0]={…,‐16,‐12,‐8,‐4,0,4,8,12,16,….}
[1]={….,‐15,‐11,‐7,‐3,1,5,9,13,17,……}
[2]={….,‐14,‐10,‐6,‐2,2,6,10,14,18,…}
[3]={….,‐13,‐9,‐5,‐1,3,7,11,15,19,….}
Modulo 7 Example
...
-21 -20 -19 -18 -17 -16 -15
-14 -13 -12 -11 -10 -9 -8
-7 -6 -5 -4 -3 -2 -1
0
1
2
3
4
5
6
7
8
9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31 32 33 34
...
Modular Arithmetic
• (a+b)
• (a×b)
≡ (a+c) mod n then b ≡ c mod n
≡ (a×c) mod n then b ≡ c mod n
if a and n are relatively prime
Greatest Common Divisor (GCD)
• a common problem in number theory
• GCD (a,b) of a and b is the largest number that divides evenly into both a and b – eg GCD(60,24) = 12
• often want no common factors (except 1) and hence numbers are relatively prime
– eg GCD(8,15) = 1
– hence 8 & 15 are relatively prime Euclid's GCD Algorithm
• an efficient way to find the GCD(a,b)
• uses theorem that: – GCD(a,b) = GCD(b, a mod b)
• Euclid's Algorithm to compute GCD(a,b):
• Assumption : a > b > 0 1. A->a, B->b
2. If B=0 return A=gcd(a,b)
3. R = A mod B
4. A <- B
5. B <- R
6. goto 2
Algorithm Progression
• A1=B1×Q1+R1
• A2=B2 ×Q2+R2
• A3=B3 ×Q3+R3
• A4=B4 ×Q4+R4
Find GCD
•
•
•
•
•
•
•
•
465,527
1970,1066
24140,16762
4655,12075
46189,1066
1197,5320
4389,133
2106,2784
Example GCD(1970,1066)
1970 = 1 x 1066 + 904
1066 = 1 x 904 + 162
904 = 5 x 162 + 94
162 = 1 x 94 + 68
94 = 1 x 68 + 26
68 = 2 x 26 + 16
26 = 1 x 16 + 10
16 = 1 x 10 + 6
10 = 1 x 6 + 4
6 = 1 x 4 + 2
4 = 2 x 2 + 0
gcd(1066, 904)
gcd(904, 162)
gcd(162, 94)
gcd(94, 68)
gcd(68, 26)
gcd(26, 16)
gcd(16, 10)
gcd(10, 6)
gcd(6, 4)
gcd(4, 2)
gcd(2, 0)
Galois Fields
• finite fields play a key role in cryptography
• can show number of elements in a finite field must be a power of a prime pn
• known as Galois fields
• denoted GF(pn)
• in particular often use the fields:
– GF(p)
– GF(2n)
Galois Fields GF(p)
• GF(p) is the set of integers {0,1, … , p‐1} with arithmetic operations modulo prime p
• these form a finite field
– since have multiplicative inverses
• hence arithmetic is “well‐behaved” and can do addition, subtraction, multiplication, and division without leaving the field GF(p)
Example GF(7)
Finding Inverses
•
•
can extend Euclid’s algorithm:
Gcd(m,b) = 1 & m > b
EXTENDED EUCLID(m, b)
1. (A1, A2, A3)=(1, 0, m);
(B1, B2, B3)=(0, 1, b)
2. if B3 = 0
return A3 = gcd(m, b); no inverse
3. if B3 = 1
return B3 = gcd(m, b); B2 = b–1 mod m
4. Q = A3 div B3
5. (T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)
6. (A1, A2, A3)=(B1, B2, B3)
7. (B1, B2, B3)=(T1, T2, T3)
8. goto 2
– mT1+bT2=T3 mA1+bA2=A3 mB1+bB2=B3
Find Multiplicative Inverse
•
•
•
•
1759,550
23,120
1234 mod 4321
550 mod 1769
Inverse of 550 in GF(1759)
Polynomial Arithmetic
• can compute using polynomials
• several alternatives available
– ordinary polynomial arithmetic
– poly arithmetic with coords mod p
– poly arithmetic with coords mod p and polynomials mod M(x)
Ordinary Polynomial Arithmetic
• add or subtract corresponding coefficients
• multiply all terms by each other
• eg
– let f(x) = x3 + x2 + 2 and g(x) = x2 – x + 1
f(x) + g(x) = x3 + 2x2 – x + 3
f(x) – g(x) = x3 + x + 1
f(x) x g(x) = x5 + 3x2 – 2x + 2
Polynomial Arithmetic with Modulo Coefficients
• when computing value of each coefficient do calculation modulo some value
• could be modulo any prime
• but we are most interested in mod 2
– ie all coefficients are 0 or 1
– eg. let f(x) = x3 + x2 and g(x) = x2 + x + 1
f(x) + g(x) = x3 + x + 1
f(x) x g(x) = x5 + x2
Modular Polynomial Arithmetic
• can write any polynomial in the form:
– f(x) = q(x) g(x) + r(x)
– can interpret r(x) as being a remainder
– r(x) = f(x) mod g(x)
• if have no remainder say g(x) divides f(x)
• if g(x) has no divisors other than itself & 1 say it is irreducible (or prime) polynomial
• arithmetic modulo an irreducible polynomial forms a field
Polynomial GCD
•
can find greatest common divisor for polys
– c(x) = GCD(a(x), b(x)) if c(x) is the poly of greatest degree which divides both a(x), b(x)
– can adapt Euclid’s Algorithm to find it:
– EUCLID[a(x), b(x)]
1. A(x) = a(x); B(x) = b(x)
2. 2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]
3. R(x) = A(x) mod B(x)
4. A(x) ¨ B(x)
5. B(x) ¨ R(x)
6. goto 2
Modular Polynomial Arithmetic
• can compute in field GF(2n) – polynomials with coefficients modulo 2
– whose degree is less than n
– hence must reduce modulo an irreducible poly of degree n (for multiplication only)
• form a finite field
• can always find an inverse
– can extend Euclid’s Inverse algorithm to find
Example GF(23)
Prime Numbers
• prime numbers only have divisors of 1 and self – they cannot be written as a product of other numbers • eg. 2,3,5,7 are prime
• prime numbers are central to number theory
• list of prime number less than 200 is: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
61 67 71 73 79 83 89 97 101 103 107 109 113 127
131 137 139 149 151 157 163 167 173 179 181 191
193 197 199
Prime Factorisation
• to factor a number n is to write it as a product of other numbers: n=a x b x c
• note that factoring a number is relatively hard compared to multiplying the factors together to generate the number • the prime factorisation of a number n is when its written as a product of primes – eg. 91=7x13 ; 3600=24x32x52
Prime Factorisation
• Any positive integer a can be written uniquely as
• The integer 12 is represented by { a2=2,a3=1}
• The integer 18 is represented by { a2=1,a3=2}
Relatively Prime Numbers & GCD
• two numbers a, b are relatively prime if have no common divisors apart from 1 – eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor • conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers
– eg. 300=22x31x52 18=21x32 hence
GCD(18,300)=21x31x50=6
Fermat's Theorem
• ap-1
≡
1 (mod p)
– where p is prime and gcd(a,p)=1
• also known as Fermat’s Little Theorem
• also ap ≡ a (mod p)
• useful in public key and primality testing
Fermat’s theorem
• Consider the set of positive integers less than p : {1,2,…p‐1} • Multiply each element by a, modulo p
• X= {a mod p,2a mod p…(p‐1)a mod p}
• So none of the elements of X is Zero because p does not divide a and no two integers are equal
• To see,
• Assume ja ≡ ka(mod p) 1 ≤ j < k ≤ p-1
• Since a and p are relatively prime eliminate a resulting in j
≡ k(mod p)
• This is not possible as j and k are positive integer less than p
• So (p‐1) elements of X are all positive integers and no two numbers are equal
Fermat’s Theorem
• a × 2a × ….. × (p‐1) ≡ [1 × 2 × ….. × (p‐1)](mod p)
• ap-1 (p-1)!≡ (p-1)!(mod p)
• We cancel (p-1)! Term because it is relatively prime to p
Ex. a=7,p=19
72=49 ≡ 11 mod 19
74 ≡121 ≡ 7 mod 19
78 ≡49 ≡11 mod 19
716 ≡121 ≡7 mod 19
718= 716 x 72 ≡ 7x11 ≡ 1 mod 19
Euler Totient Function ø(n)
• when doing arithmetic modulo n the complete set of residues is: 0..n-1
• reduced set of residues is those numbers (residues) which are relatively prime to n – eg for n=10, – complete set of residues is {0,1,2,3,4,5,6,7,8,9} – reduced set of residues is {1,3,7,9} • number of elements in reduced set of residues is called the Euler Totient Function ø(n)
Euler Totient Function ø(n)
• to compute ø(n) need to count number of residues to be excluded
• in general need prime factorization, but
– for p (p prime) – for p.q (p,q prime)
ø(p)
ø(pq)
= p-1
=(p-1)x(q-1)
• eg.
ø(37) = 36
ø(21) = (3–1)x(7–1) = 2x6 = 12
Euler's Theorem
• a generalisation of Fermat's Theorem • aø(n) ≡ 1 (mod n)
– for any a,n where gcd(a,n)=1
• eg.
a=3;n=10; ø(10)=4;
hence 34 = 81 = 1 mod 10
a=2;n=11; ø(11)=10;
hence 210 = 1024 = 1 mod 11
Proof of Euler’s Thorem
• Theorem true if n is prime, because ø(n) =(n‐1) & fermat’s thm holds.
• Consider the set of integers, as R={x1,x2,..x ø(n)} • That is each element xi of R is a unique positive integer less than n with gcd(x i,n)=1
• Now multiply with a, modulo n
• S={(ax1 mod n), (ax2 mod n).....(a x ø(n) mod n)}
• The set S is permutation of R, by the reasons below
– Because a is relatively prime to n & xi is relatively prime to n, axi must also be relatively prime
– No duplicates if ax i mod n ≡ axj mod n, then xi
=xj
Testing of Primality
• To test a large no for primality Miller Rabin Algorithm is used
• Any positive odd integer n ≥ 3 can be expressed as
• n‐1 =2kq with k>0, q odd
• To see
• n‐1 is an even integer
• Divide (n‐1) by 2 until we get a odd number q as result for a total of k divisions
• If n a binary no just shift the no to right until the rightmost is 1, for a total of k shifts
Properties of Prime no
• First Property
– If p is prime and a is a positive integer less than p, then a2 mod p=1 if and only if either a mod p= 1 or a mod p = ‐1 mod p= p‐1 – (a mod p)( a mod p) = a2 mod p
– Thus either a mod p = 1 or a mod p = ‐1 then a2
mod p =1
– Conversly if a2 mod p =1, (a mod p)2 = 1 which is true only for a mod p= 1 or a mod p = ‐1 Properties of Prime no
• Second Property
Let p be a prime number >2,then p‐1=2kq,with k>0, q odd.[1 of the following conditions is true]
1. aq ≡ 1 mod p
2. One of the
numbers
k-1
aq,a2q,a4q,…a2 q is congruent to 1 mod p.
Miller Rabin Algorithm
• a test based on Fermat’s Theorem
• algorithm is:
TEST (n) is:
1. Find integers k, q, k > 0, q odd, so that (n–1)=2kq
2. Select a random integer a, 1<a<n–1
3. if aq mod n = 1 then return (“maybe prime");
4. for j = 0 to k – 1 do
jq
2
mod n = n-1)
5. if (a
then return(" maybe prime ")
6. return ("composite")
Probabilistic Considerations
• if Miller‐Rabin returns “composite” the number is definitely not prime
• otherwise is a prime or a pseudo‐prime
• chance it detects a pseudo‐prime is < 1/4
• hence if repeat test with different random a then chance n is prime after t tests is:
– Pr(n prime after t tests) = 1‐4‐t
– eg. for t=10 this probability is > 0.99999
Distribution of primes
• prime number theorem states that primes near n are spaced on the average one every (ln n) integers
• All even numbers can be immediately rejected, so it is 0.5 ln(n).
• so in practice need only test 0.5 ln(n)
numbers of size n to locate a prime
• Eg: for numbers round 2^200 would check 0.5ln(2^200) = 69 numbers on average.
• This is only an average, can see successive odd primes, or long runs of composites.
Chinese Remainder Theorem
• CRT says it is possible to reconstruct integers in
a certain range from their residues modulo a
set of pair wise relatively prime moduli.
• Ex., 10 integers in Z10(0 to 9),can be reconstructed
from their two residues modulo 2 and 5
(relatively prime factors of 10).
• The known residues of a digit x are
• r2=0 (x mod 2=0 )and r5=3(x mod 5=3)
• Unique solution for x?
CRT
k
• Let M = ∏ m i
i = 1 are pair wise relatively prime.
where the m
i
• Represent any integer A in ZM by a k‐tuple whose
elements are in Zm using the following
i
correspondence
A ↔ (a1,a2,….,ak)
where ai = A mod mi . CRT makes 2 assertions
1. The mapping of above equation is one‐to‐one
correspondence between ZM and cartesian product
Zm1 x Zm2 x ….. Zmk.
2. Operations performed on the elements of ZM can be
equivalently performed on corresponding k‐tuples.
First assertion:
• Transformation from A to (a1,a2,…ak) is unique.
• i.e., ai=A mod mi.(ai is unique)
• to compute A(mod M)
– Let Mi = M/mi for 1≤i≤ K
[Mi=m1 x m2…x mi‐1 x mi+1x…mk]. Let
• Now compute,
• Second assertion can be stated as follows.
If A ↔ (a1,a2,….,ak)and
B ↔ (b1,b2,….,bk)
then
(A+B) mod m↔((a1+b1)mod m1,…,(ak+bk)mod mk)
(A-B) mod m↔((a1-b1)mod m1,…,(ak-bk)mod mk)
(AxB) mod m↔((a1xb1)mod m1,…,(akxbk)mod mk)
Discrete Logarithms
• from Euler’s theorem have aø(n) ≡ 1 mod n
• Consider general expression am≡1(mod n),
• If a and n are relatively prime, then there is at least 1
integer m that satisfies above equation. The least positive
exponent is referred in many ways
– The order of a(mod n)
– The exponent to which a belongs (mod n)
– The length of the period generated by a.
• Consider the powers of 7 mod 19
71 ≡7 mod 19,72 ≡11 mod 19,73 ≡1 mod 19,
74 ≡7 mod 19,75 ≡11 mod 19
Length of the period is smallest +ve exponent m such that
7m ≡1 mod 19
Primitive root
• Some of the sequences are of length 18.
• If a is a primitive root of p(prime number),then
a,a2,…ap-1 are distinct(mod p).
Primitive roots of 19 -?
• Not all integers have primitive roots. Only
integers with primitive roots are of the form
2,4,pα and 2pα , where p is any odd prime and
α is positive integer.
a
a2
a3
a4
a5
a6
a7
a8
a9
a10
a11
a12
a13
a14
a15
a16
a17
a18
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
2
4
8
16
13
7
14
9
18
17
15
11
3
6
12
5
10
1
3
9
8
5
15
7
2
6
18
16
10
11
14
4
12
17
13
1
4
16
7
9
17
11
6
5
1
4
16
7
9
17
11
6
5
1
5
6
11
17
9
7
16
4
1
5
6
11
17
9
7
16
4
1
6
17
7
4
5
11
9
16
1
6
17
7
4
5
11
9
16
1
7
11
1
7
11
1
7
11
1
7
11
1
7
11
1
7
11
1
8
7
18
11
12
1
8
7
18
11
12
1
8
7
18
11
12
1
9
5
7
6
16
11
4
17
1
9
14
7
13
16
8
4
2
1
10
5
12
6
3
11
15
17
18
9
14
7
13
16
8
4
2
1
11
7
1
11
7
1
11
7
1
11
7
1
11
7
1
11
7
1
12
11
18
7
8
1
12
11
18
7
8
1
12
11
18
7
8
1
13
17
12
4
14
11
10
16
18
6
2
7
15
5
8
9
3
1
14
6
8
17
10
7
3
4
18
5
13
11
2
9
12
16
15
1
15
16
12
9
2
11
13
5
18
4
3
7
10
17
8
6
14
1
16
9
11
5
4
7
17
6
1
16
9
11
5
4
7
17
6
1
17
4
11
16
6
7
5
9
1
17
4
11
16
6
7
5
9
1
Logarithms for Modular Arithmetic
• the inverse problem to exponentiation is to find the discrete logarithm of a number modulo p • that is to find x such that y = gx (mod p)
• this is written as x = logg y (mod p)
• if g is a primitive root then it always exists, otherwise it may not, eg.
x = log3 4 mod 13 has no answer x = log2 3 mod 13 = 4 by trying successive powers Logarithms for Modular Arithmetic
• while exponentiation is relatively easy, finding discrete logarithms is generally a hard problem • For any integer b and primitive root a of prime p, find a unique exponent such that b≡ai(mod p)
i is referred to as discrete logarithm of number b for the base a(mod p)
• dloga,p(1)=0 since a0 mod p=1
• dloga,p(a)=1 since a1 mod p=a