Discrete mathematics I - Number theory
Congruences
Emil Vatai <[email protected]> (based on Hungarian slides by László Mérai)∗
February 21, 2017
Outline

Contents
1 Congruences
2 Linear congruences
3 Simultaneous congruences
4 Residue classes
5 Euler-Fermat theorem and the totient function
6 The multiplicative group
7 Discrete logarithm
8 Applications

1 Congruences
For questions about divisibility, often only the remainder from the Euclidean
division matters:
• days of the week;
• number of hours, . . .
Example 1 (Equal remainders). 16 mod 3 = 1, 4 mod 3 = 1: for division by 3
we have 16 "=" 4.
∗ Financed from the financial support ELTE won from the Higher Education Restructuring
Fund of the Hungarian Government.
Definition 2 (Congruence). Let a, b, m be integers. If m | a − b, then we say a
is congruent to b modulo m (or that a and b are congruent modulo m), written
as
a ≡ b (mod m).
If a and b are not congruent modulo m, they are called incongruent modulo m.
Equivalent formulation
Alternative notation
The following all mean m | a − b:
• a ≡ b (mod m),
• a ≡ b mod m,
• a ≡ b (m).
Equivalent formulation:
a ≡ b (mod m) ⇔ a mod m = b mod m, that is, we get the same remainder
when dividing by m.
Example 3 (Congruences). 16 ≡ 4 (mod 3) since 3 | 16 − 4 ⇔ 16 mod 3 = 1 =
4 mod 3; 16 ≡ 4 (mod 2) since 2 | 16 − 4 ⇔ 16 mod 2 = 0 = 4 mod 2; 16 ≢ 4
(mod 5) since 5 ∤ 16 − 4 ⇔ 16 mod 5 = 1 ≠ 4 = 4 mod 5.
Properties of congruence
Theorem 4 (Properties of congruence).
1. a ≡ a (mod m) (reflexivity);
2. a ≡ b (mod m) ⇒ b ≡ a (mod m) (symmetry);
3. a ≡ b (mod m) ∧ b ≡ c (mod m) ⇒ a ≡ c (mod m) (transitivity);
Ergo, the congruence modulo m is an equivalence relation.
Proof.
1. m | 0 = a − a;
2. m | a − b ⇒ m | b − a = −(a − b);
3. m | a − b ∧ m | b − c ⇒ m | a − c = (a − b) + (b − c);
Properties of congruence
Theorem 5 (Properties of congruence).
1. a ≡ b (mod m) ∧ m′ | m ⇒ a ≡ b (mod m′);
2. a ≡ b (mod m) ∧ c ≡ d (mod m) ⇒ a + c ≡ b + d (mod m);
3. a ≡ b (mod m) ∧ c ≡ d (mod m) ⇒ ac ≡ bd (mod m).
Proof.
1. m′ | m | a − b ⇒ m′ | a − b;
2. m | a − b ∧ m | c − d ⇒ m | (a + c) − (b + d) = (a − b) + (c − d);
3. a = q₁m + b ∧ c = q₂m + d ⇒ ac = (q₁m + b)(q₂m + d) = m(q₁q₂m + q₁d +
q₂b) + bd ⇒ ac ≡ bd (mod m).
Properties of congruence
Example 6 (Properties of congruences). What is 345 mod 7?
345 = 34 · 10 + 5 ≡ 6 · 3 + 5 = 18 + 5 ≡ 4 + 5 = 9 ≡ 2 (mod 7).
Reminder: a ≡ b (mod m), c ≡ d (mod m) ⇒ ac ≡ bd (mod m)
Corollary
If a ≡ b (mod m) then ac ≡ bc (mod m).
Example 7 (Properties of congruence). 14 ≡ 6 (mod 8), so 42 ≡ 18 (mod 8);
in fact even 42 ≡ 18 (mod 24), since 42 − 18 = 24 = 3 · 8.
The converse is not true! 2 · 7 ≡ 2 · 3 (mod 8) but 7 ≢ 3 (mod 8).
The converse is not true
Theorem 8 (Division). Let a, b, c, m be integers. Then
ac ≡ bc (mod m) ⇔ a ≡ b (mod m/(c, m)).
Corollary
ac ≡ bc (mod m), (c, m) = 1 ⇔ a ≡ b (mod m).
Example 9 (Division). 2 · 7 ≡ 2 · 3 (mod 8) ⇒ 7 ≡ 3 (mod 8/2), i.e. 7 ≡ 3 (mod 4).
Proof. Let d = (c, m). Then
m | c(a − b) ⇔ (m/d) | (c/d)(a − b).
Since (m/d, c/d) = 1, we have (m/d) | (c/d)(a − b) ⇔ (m/d) | (a − b) ⇔
a ≡ b (mod m/d).
2 Linear congruences
Let us solve the congruence 2x ≡ 5 (mod 7).
If x is a solution and x ≡ y (mod 7), then y is also a solution.
Let us find the solution in the set {0, 1, . . . , 6}.
• x = 0 ⇒ 2x = 0 ≢ 5 (mod 7);
• x = 1 ⇒ 2x = 2 ≢ 5 (mod 7);
• x = 2 ⇒ 2x = 4 ≢ 5 (mod 7);
• x = 3 ⇒ 2x = 6 ≢ 5 (mod 7);
• x = 4 ⇒ 2x = 8 ≡ 1 ≢ 5 (mod 7);
• x = 5 ⇒ 2x = 10 ≡ 3 ≢ 5 (mod 7);
• x = 6 ⇒ 2x = 12 ≡ 5 (mod 7).
The solutions of the congruence: {6 + 7k : k ∈ Z}.
Is there a better method?
Let us solve the congruence 23x ≡ 4 (mod 211). Do we need 211 tries?
Linear congruences
Theorem 10 (Solution of linear congruences). Let a, b, m be integers with
m > 1. Then ax ≡ b (mod m) has a solution ⇔ (a, m) | b. If this is
the case, the number of incongruent solutions modulo m equals (a, m).
Proof. ax ≡ b (mod m) ⇔ ax + my = b for some integer y.
(a, m) | a and (a, m) | m ⇒ (a, m) | ax + my = b.
If d = (a, m) | b, let a′ = a/d, b′ = b/d, m′ = m/d: a′x + m′y = b′.
Since (a′, m′) = 1, using the extended Euclidean algorithm we can calculate
x₀, y₀ so that a′x₀ + m′y₀ = 1 ⇒ a′(b′x₀) + m′(b′y₀) = b′, that is x₁ = b′x₀, y₁ = b′y₀
is a solution.
Number of solutions: let (x, y) be a (pair of) solutions. Subtracting the
equations a′x + m′y = b′ and a′x₁ + m′y₁ = b′ we get: a′(x − x₁) =
m′(y₁ − y) ⇒ m′ | x − x₁ ⇒ x = x₁ + m′k; for k = 0, 1, . . . , d − 1 these are
pairwise incongruent modulo m (and y = y₁ − ka′).
Linear Congruences
1. ax ≡ b (mod m) ⇔ ax + my = b.
2. Solve the equation ax₀ + my₀ = (a, m) (extended Euclidean algorithm).
3. A solution exists ⇔ (a, m) | b.
4. The solutions: x_k = (b/(a, m)) · x₀ + k · (m/(a, m)), k = 0, 1, . . . , (a, m) − 1.
Example 11 (Solving congruences). Extended Euclidean algorithm for 23 and 211:

  i   |  −1 |   0 |  1 |  2 |  3 |   4 | 5
  r_i |  23 | 211 | 23 |  4 |  3 |   1 | 0
  q_i |   – |   – |  0 |  9 |  5 |   1 | 3
  x_i |   1 |   0 |  1 | −9 | 46 | −55 | –

Example 12 (23x ≡ 4 (mod 211)). The algorithm: r_{i−2} = r_{i−1} q_i + r_i, x_{−1} = 1,
x_0 = 0, x_i = x_{i−2} − q_i x_{i−1}; the x_i in the column of r_i = (23, 211) = 1 satisfies
23 · (−55) ≡ 1 (mod 211).
GCD: (23, 211) = 1 | 4 ⇒ one solution: x = 4 · (−55) = −220 ≡ 202 (mod 211).
All solutions: {202 + 211k : k ∈ Z}.
These are indeed solutions: 23 · (202 + 211k) − 4 = 4642 + 23 · 211k = (22 + 23k) · 211.
Linear congruences
Example 13 (Solving congruences). Solve the congruence 10x ≡ 8 (mod 22)!

  i   |  −1 |  0 |  1 |  2 | 3
  r_i |  10 | 22 | 10 |  2 | 0
  q_i |   – |  – |  0 |  2 | 5
  x_i |   1 |  0 |  1 | −2 | –

The algorithm: r_{i−2} = r_{i−1} q_i + r_i, x_{−1} = 1, x_0 = 0, x_i = x_{i−2} − q_i x_{i−1},
y_{−1} = 0, y_0 = 1, y_i = y_{i−2} − q_i y_{i−1} (so that r_i = 10 · x_i + 22 · y_i at every step).
GCD: (10, 22) = 2 | 8 ⇒ a pair of solutions: x₁ = 4 · (−2) = −8 ≡ 14 (mod 22),
x₂ = 4 · (−2) + 22/2 ≡ 14 + 11 ≡ 3 (mod 22).
All solutions: {14 + 22k : k ∈ Z} ∪ {3 + 22k : k ∈ Z}.
These are indeed solutions: x₁ = 14: 10 · 14 − 8 = 132 = 6 · 22; x₂ = 3: 10 · 3 − 8 =
22 = 1 · 22.
Linear Diophantine equations
Definition: equations for which integer solutions are sought.
Linear Diophantine equations: ax + by = c, where a, b, c ∈ Z.
This is equivalent to the congruence ax ≡ c (mod b), or to by ≡ c (mod a).
ax + by = c can be solved if and only if (a, b) | c, and then the solutions can
be obtained using the extended Euclidean algorithm.
Other Diophantine equations
x² + y² = −4: doesn't even have real solutions.
x² − 4y² = 3: doesn't have integer solutions, because taking remainders
(mod 4) gives x² ≡ 3 (mod 4). But this cannot be, because the remainder of
a square modulo 4 has to be 0 or 1:
Squares (mod 4)

  x        | 4k | 4k + 1 | 4k + 2 | 4k + 3
  x² mod 4 |  0 |      1 |      0 |      1

3 Simultaneous congruences
We want to find an integer x which simultaneously satisfies the following
congruences:
2x ≡ 1 (mod 3)
4x ≡ 3 (mod 5)
The solutions of the congruences separately:
x ≡ 2 (mod 3)
x ≡ 2 (mod 5)
We can see x = 2 will be a solution!
• 2, 17, 32, . . . , 2 + 15k;
• Other solutions?
• How do we solve the general case:
x ≡ 2 (mod 3)
x ≡ 3 (mod 5)
Simultaneous congruences
Problem: Solve the following system of congruences:
a₁x ≡ b₁ (mod m₁)
a₂x ≡ b₂ (mod m₂)
. . .
aₙx ≡ bₙ (mod mₙ)
The congruences aᵢx ≡ bᵢ (mod mᵢ) can be solved separately:
x ≡ c₁ (mod m₁)
x ≡ c₂ (mod m₂)
. . .
x ≡ cₙ (mod mₙ)
Simultaneous congruences
Problem: Solve the following system of congruences:
x ≡ c₁ (mod m₁)
x ≡ c₂ (mod m₂)
. . .
x ≡ cₙ (mod mₙ)
We can assume that m₁, m₂, . . . , mₙ are pairwise relatively prime.
If e.g. m₁ = m′₁d, m₂ = m′₂d with d = (m₁, m₂), the first two congruences can be replaced
by the following (valid when (m′₁, d) = (m′₂, d) = 1; in general the moduli are split into
pairwise coprime prime-power factors):
x ≡ c₁ (mod m′₁)
x ≡ c₁ (mod d)
x ≡ c₂ (mod m′₂)
x ≡ c₂ (mod d)
If here c₁ ≢ c₂ (mod d), then there is no solution; otherwise one of the two congruences
modulo d can be deleted. In general: the system is solvable ⇔ cᵢ ≡ cⱼ (mod (mᵢ, mⱼ)) for
all pairs i, j, and the solution is then unique modulo lcm(m₁, . . . , mₙ).
Chinese remainder theorem
Theorem 14 (Chinese remainder theorem). Let 1 < m₁, m₂, . . . , mₙ be pairwise relatively
prime numbers, c₁, c₂, . . . , cₙ integers. Then the system of congruences
x ≡ c₁ (mod m₁)
x ≡ c₂ (mod m₂)
. . .
x ≡ cₙ (mod mₙ)
can be solved, and the solutions are congruent to each other modulo m₁ · m₂ · · · mₙ.
Chinese remainder theorem
x ≡ c₁ (mod m₁), x ≡ c₂ (mod m₂), . . . , x ≡ cₙ (mod mₙ). x = ?
Proof. Let m = m₁m₂. Using the extended Euclidean algorithm solve the equation
m₁x₁ + m₂x₂ = 1. Let c_{1,2} = m₁x₁c₂ + m₂x₂c₁. Then c_{1,2} ≡ cⱼ (mod mⱼ) (j = 1, 2),
because m₁x₁ ≡ 1 (mod m₂) and m₂x₂ ≡ 1 (mod m₁). If x ≡ c_{1,2} (mod m), then x is a
solution of the first two congruences.
Converse: if x is a solution of the first two congruences, then m₁ and m₂ are
divisors of x − c_{1,2}, therefore their product is also a divisor: x ≡ c_{1,2} (mod m).
This gives us a system of congruences equivalent to the original:
x ≡ c_{1,2} (mod m₁m₂)
x ≡ c₃ (mod m₃)
. . .
x ≡ cₙ (mod mₙ)
Then induction on n completes the proof.
Simultaneous congruences
Example 15 (Simultaneous congruences). Solve the following system of congruences:
x ≡ 2 (mod 3)
x ≡ 3 (mod 5)
• Let us solve the equation 3x₁ + 5x₂ = 1.
• The solution: x₁ = −3, x₂ = 2 ⇒ c_{1,2} = 3 · (−3) · 3 + 5 · 2 · 2 = −27 + 20 = −7.
• All the solutions: {−7 + 15k : k ∈ Z} = {8 + 15k : k ∈ Z}.
Simultaneous congruences
Example 16 (Example). The system
x ≡ 2 (mod 3)
x ≡ 3 (mod 5)
x ≡ 4 (mod 7)
becomes, with c_{1,2} = 8 from Example 15,
x ≡ 8 (mod 15)
x ≡ 4 (mod 7)
Example 17 (Example).
• Let us solve the equation 15x_{1,2} + 7x₃ = 1.
• Solution: x_{1,2} = 1, x₃ = −2 ⇒ c_{1,2,3} = 15 · 1 · 4 + 7 · (−2) · 8 = 60 − 112 = −52.
• All the solutions: {−52 + 105ℓ : ℓ ∈ Z} = {53 + 105ℓ : ℓ ∈ Z}.
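The extended Euclidean algorithm, the solution of ax ≡ b (mod m) from Theorem 10 together with the linear Diophantine equation ax + my = b, and the Chinese remainder theorem of Theorem 14 (including the non-coprime case discussed before it), as an added Python example. This is not code from the lecture notes, and all function names are this example's own:

```python
# Added example, not from the lecture notes.  Function names are this
# example's own.  Integers only; m > 1 for the congruence solvers.


def ext_gcd(a, b):
    """Extended Euclidean algorithm: return (d, x, y) with a*x + b*y = d = gcd(a, b).

    Same recurrence as the tables in the notes: r_i = r_{i-2} - q_i r_{i-1},
    x_i = x_{i-2} - q_i x_{i-1}, y_i = y_{i-2} - q_i y_{i-1}.
    """
    r_prev, r = a, b
    x_prev, x = 1, 0
    y_prev, y = 0, 1
    while r != 0:
        q = r_prev // r
        r_prev, r = r, r_prev - q * r
        x_prev, x = x, x_prev - q * x
        y_prev, y = y, y_prev - q * y
    if r_prev < 0:                      # make the gcd positive
        r_prev, x_prev, y_prev = -r_prev, -x_prev, -y_prev
    return r_prev, x_prev, y_prev


def solve_diophantine(a, b, c):
    """One integer solution (x, y) of a*x + b*y = c, or None if gcd(a, b) does not divide c."""
    d, x0, y0 = ext_gcd(a, b)
    if c % d != 0:
        return None
    return x0 * (c // d), y0 * (c // d)


def solve_linear_congruence(a, b, m):
    """All incongruent solutions of a*x ≡ b (mod m), as residues in [0, m); [] if none.

    Theorem 10: solvable iff d = (a, m) | b; then x = (b/d)*x0 + k*(m/d), k = 0..d-1,
    where a*x0 + m*y0 = d comes from the extended Euclidean algorithm.
    """
    d, x0, _ = ext_gcd(a % m, m)
    if b % d != 0:
        return []
    x1 = (b // d) * x0
    step = m // d
    return sorted((x1 + k * step) % m for k in range(d))


def crt(congruences):
    """Solve the system x ≡ c_i (mod m_i), given as a list of (c_i, m_i).

    Returns (c, M) meaning x ≡ c (mod M), or None if the system is inconsistent.
    The moduli need not be coprime: merging x ≡ c (mod M) with x ≡ c_i (mod m_i)
    means x = c + M*t with M*t ≡ c_i - c (mod m_i), a linear congruence in t that
    is solvable exactly when c ≡ c_i (mod (M, m_i)); the merged modulus is lcm(M, m_i).
    For pairwise coprime moduli this is Theorem 14 with M = m_1 * ... * m_n.
    """
    c, M = 0, 1
    for c_i, m_i in congruences:
        ts = solve_linear_congruence(M, c_i - c, m_i)
        if not ts:
            return None
        c = c + M * ts[0]
        M = M * m_i // ext_gcd(M, m_i)[0]
        c %= M
    return c, M


if __name__ == "__main__":
    print(solve_linear_congruence(23, 4, 211))     # [202], as in Example 12
    print(solve_linear_congruence(10, 8, 22))      # [3, 14], as in Example 13
    print(crt([(2, 3), (3, 5), (4, 7)]))           # (53, 105), as in Example 17
    print(crt([(1, 4), (0, 6)]))                   # None: 1 and 0 differ modulo (4, 6) = 2
```

`crt` merges the congruences two at a time exactly as the proof of Theorem 14 does, but by reducing each merge to a linear congruence it also handles moduli that share a factor, returning None when the compatibility condition modulo the gcd fails.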
4 Residue classes
Often, the solution is not just one integer (family of integers), but an entire
set (set of families):
• 2x ≡ 5 (mod 7), sol.: {6 + 7k : k ∈ Z}
• 10x ≡ 8 (mod 22), sol.: {14 + 22k : k ∈ Z}, {3 + 22k : k ∈ Z}.
Definition 18 (Residue classes). For a fixed modulus m and integer a, the
integers congruent to a constitute the residue (or congruence) class represented
by a: $\overline{a} = \{x \in \mathbb{Z} : x \equiv a \pmod m\} = \{a + km : k \in \mathbb{Z}\}$. The set of all residue
classes modulo m is denoted by $\mathbb{Z}_m = \{\overline{a} : 0 \le a < m\}$.
Example 19 (Residue class). The solution of 2x ≡ 5 (mod 7): $\overline{6}$.
The solution of 10x ≡ 8 (mod 22): $\overline{14}$, $\overline{3}$.
With modulus m = 7, $\overline{2} = \overline{23} = \{\ldots, -5, 2, 9, 16, 23, 30, \ldots\}$.
Generally: $\overline{a} = \overline{b} \Leftrightarrow a \equiv b \pmod m$.
Complete residue system
Definition 20 (Complete residue system). For a fixed modulus m, a complete
residue system modulo m is a set containing exactly one element from each
congruence class modulo m.
Example 21 (CRS). {33, −5, 11, −11, −8} is a complete residue system modulo
5 (the remainders are 3, 0, 1, 4, 2).
Popular choices for complete residue systems:
• Least non-negative residue system modulo m:
– {0, 1, . . . , m − 1};
• Least absolute value residue system modulo m:
– 0, ±1, . . . , ±(m − 1)/2, if 2 ∤ m;
– 0, ±1, . . . , ±(m − 2)/2, m/2, if 2 | m.
Reduced residue system
Remark
If one element of a congruence class is relatively prime to the modulus, then all
the elements are: (a + ℓm, m) = (a, m) = 1.
Definition 22 (Reduced residue system). For a fixed modulus m, a reduced
residue system modulo m is a set containing exactly one element from each of the
congruence classes whose elements are relatively prime to m.
For a fixed modulus m, if (a, m) = 1, then the residue class $\overline{a}$ represented
by a is a reduced residue class. The set of reduced residue classes is denoted by
$\mathbb{Z}_m^* = \{\overline{a} : 1 \le a < m, (a, m) = 1\}$.
Example 23 (RRS). {1, 2, 3, 4} is a reduced residue system modulo 5.
{1, −1} is a reduced residue system modulo 3.
{1, 19, 29, 7} is a reduced residue system modulo 8 (the remainders are 1, 3, 5, 7).
{0, 1, 2, 3, 4} is not a reduced residue system modulo 5.
Operations on residue classes
Operations between residue classes can be defined in a natural way:
Definition 24 (Addition and multiplication). For a fixed modulus m, and a, b
integers let:
$\overline{a} + \overline{b} := \overline{a + b}$;   $\overline{a} \cdot \overline{b} := \overline{a \cdot b}$.
Proposition
This definition is meaningful (well defined), because if $\overline{a} = \overline{a^*}$, $\overline{b} = \overline{b^*}$, then
$\overline{a + b} = \overline{a^* + b^*}$ and $\overline{a \cdot b} = \overline{a^* \cdot b^*}$.
Proof. Since $\overline{a} = \overline{a^*}$, $\overline{b} = \overline{b^*}$ ⇒ a ≡ a∗ (mod m), b ≡ b∗ (mod m) ⇒ a + b ≡
a∗ + b∗ (mod m) ⇒ $\overline{a + b} = \overline{a^* + b^*}$ ⇒ $\overline{a} + \overline{b} = \overline{a^*} + \overline{b^*}$.
A similar proof applies to the multiplication.
Residue classes
Definition 25 (Operations). For a fixed modulus m, let $\mathbb{Z}_m$ be the set of
residue classes modulo m. Then addition and multiplication are defined on
this set by $\overline{a} + \overline{b} = \overline{a + b}$ and $\overline{a} \cdot \overline{b} = \overline{a \cdot b}$.
Example 26 (Z₃, +) and Example 27 (Z₃, ·). The entries denote residue classes modulo 3:

  + | 0 1 2        · | 0 1 2
  --+------        --+------
  0 | 0 1 2        0 | 0 0 0
  1 | 1 2 0        1 | 0 1 2
  2 | 2 0 1        2 | 0 2 1

Example
Example 28 (Z₄, +) and Example 29 (Z₄, ·). The entries denote residue classes modulo 4:

  + | 0 1 2 3      · | 0 1 2 3
  --+--------      --+--------
  0 | 0 1 2 3      0 | 0 0 0 0
  1 | 1 2 3 0      1 | 0 1 2 3
  2 | 2 3 0 1      2 | 0 2 0 2
  3 | 3 0 1 2      3 | 0 3 2 1

Note that in Z₄ we have 2 · 2 = 0 although 2 ≠ 0: 2 is a zero divisor (Theorem 30 below).
Residue classes
Theorem 30 (Multiplicative group).
• Let m > 1 be an integer. If 1 < (a, m) < m, then $\overline{a}$ is a zero divisor in $\mathbb{Z}_m$: for
$\overline{a}$ there exists a $\overline{b} \ne \overline{0}$, so that $\overline{a} \cdot \overline{b} = \overline{0}$.
• If (a, m) = 1, then $\overline{a}$ has a reciprocal (multiplicative inverse) in $\mathbb{Z}_m$: for
$\overline{a}$ there exists an $\overline{x}$, so that $\overline{a} \cdot \overline{x} = \overline{1}$.
• Ergo, if m is prime, division by any non-zero residue class is possible.
Example 31 (Zero divisors and multiplicative inverse). Let m = 9. $\overline{6} \cdot \overline{3} = \overline{18} = \overline{0}$.
(2, 9) = 1, so $\overline{2} \cdot \overline{5} = \overline{10} = \overline{1}$.
Proof. Let d = (a, m). Then a · (m/d) = (a/d) · m ≡ 0 (mod m), so with b = m/d (where
0 < b < m, because d > 1) we have $\overline{a} \cdot \overline{b} = \overline{0}$.
If (a, m) = 1, then using the extended Euclidean algorithm we can obtain integers x, y such
that ax + my = 1. Then ax ≡ 1 (mod m), i.e. $\overline{a} \cdot \overline{x} = \overline{1}$.
5 Euler-Fermat theorem and the totient function
Euler's totient ϕ function
Definition 32 (Totient function). For an integer m > 0, let ϕ(m) be the number
of positive integers not greater than m and relatively prime to m: ϕ(m) = |{i : 0 < i ≤
m, (m, i) = 1}| (for m > 1 this is the same as counting 0 < i < m; the convention gives ϕ(1) = 1).
Example 33 (Totient function).
• ϕ(5) = 4: integers relatively prime to 5: 1, 2, 3, 4;
• ϕ(6) = 2: integers relatively prime to 6: 1, 5;
• ϕ(12) = 4: integers relatively prime to 12: 1, 5, 7, 11;
• ϕ(15) = 8: integers relatively prime to 15: 1, 2, 4, 7, 8, 11, 13, 14.
Remark: ϕ(m) is the number of reduced congruence classes modulo m, i.e. |Z*_m|.
Euler function
ϕ(m) = |{i : 0 < i ≤ m, (m, i) = 1}|
Theorem 34 (Calculating ϕ(m)). Let the factorization of m be m = p₁^{e₁} p₂^{e₂} · · · p_ℓ^{e_ℓ}.
Then
ϕ(m) = m · ∏_{i=1}^{ℓ} (1 − 1/pᵢ).
Example 35 (Calculating ϕ(m)).
• ϕ(5) = 5 · (1 − 1/5) = 4;
• ϕ(6) = 6 · (1 − 1/2) · (1 − 1/3) = 2;
• ϕ(12) = 12 · (1 − 1/2) · (1 − 1/3) = 4;
• ϕ(15) = 15 · (1 − 1/3) · (1 − 1/5) = 8.
Euler-Fermat theorem
Theorem 36 (Euler-Fermat). Let m > 1 be an integer, a an integer for which
(a, m) = 1. Then a^{ϕ(m)} ≡ 1 (mod m).
Theorem 37 (Fermat). Let p be a prime, p ∤ a. Then a^{p−1} ≡ 1 (mod p); equivalently,
for an arbitrary integer a, a^p ≡ a (mod p). (A direct consequence of the
E-F theorem, since ϕ(p) = p − 1.)
Example 38 (Euler-Fermat theorem).
• ϕ(6) = 2 ⇒ 5² = 25 ≡ 1 (mod 6);
• ϕ(12) = 4 ⇒ 5⁴ = 625 ≡ 1 (mod 12); 7⁴ = 2401 ≡ 1 (mod 12).
• Caution! 2⁴ = 16 ≡ 4 ≢ 1 (mod 12), because (2, 12) = 2 ≠ 1.
The proof of the Euler-Fermat theorem
Lemma
Let m > 1 be an integer, a₁, a₂, . . . , aₘ a complete residue system modulo m.
Then for all integers a, b, if (a, m) = 1, then a · a₁ + b, a · a₂ + b, . . . , a · aₘ + b
is also a complete residue system. Further, if a₁, a₂, . . . , a_{ϕ(m)} is a reduced
residue system modulo m, then a · a₁, a · a₂, . . . , a · a_{ϕ(m)} is also a reduced residue
system.
Proof. If i ≠ j then aaᵢ + b ≡ aaⱼ + b (mod m) ⇔ aaᵢ ≡ aaⱼ (mod m). Since
(a, m) = 1, we may divide by a (Theorem 8): aᵢ ≡ aⱼ (mod m), which is impossible for
i ≠ j. So a · a₁ + b, a · a₂ + b, . . . , a · aₘ + b are pairwise incongruent. Since we have m
different numbers, it is a complete residue system.
If (aᵢ, m) = 1 and (a, m) = 1, then (a · aᵢ, m) = 1. Further a · a₁, a · a₂,
. . . , a · a_{ϕ(m)} are pairwise incongruent (as above) and their number is ϕ(m) ⇒ reduced
residue system.
The proof of the Euler-Fermat theorem
Theorem 39 (Euler-Fermat). (a, m) = 1 ⇒ a^{ϕ(m)} ≡ 1 (mod m).
Proof
Let a₁, a₂, . . . , a_{ϕ(m)} be a reduced residue system modulo m. Since (a, m) = 1
⇒ a · a₁, a · a₂, . . . , a · a_{ϕ(m)} is also a reduced residue system. Therefore
a^{ϕ(m)} · ∏_{j=1}^{ϕ(m)} aⱼ = ∏_{j=1}^{ϕ(m)} (a · aⱼ) ≡ ∏_{j=1}^{ϕ(m)} aⱼ (mod m).
Because ∏_{j=1}^{ϕ(m)} aⱼ is relatively prime to m, we can cancel it (Theorem 8):
a^{ϕ(m)} ≡ 1 (mod m).
Euler-Fermat theorem
Theorem 40 (Euler-Fermat). (a, m) = 1 ⇒ a^{ϕ(m)} ≡ 1 (m)
Example 41 (E-F theorem).
• What is the last digit of 3¹¹¹ in the decimal number system?
– What is 3¹¹¹ mod 10?
– ϕ(10) = 4 ⇒ 3¹¹¹ = 3^{4·27+3} = (3⁴)²⁷ · 3³ ≡ 1²⁷ · 3³ = 27 ≡ 7 (10)
• Solve the congruence 2x ≡ 5 (mod 7)!
– ϕ(7) = 6. Multiply both sides by 2⁵. Then
– 5 · 2⁵ ≡ 2⁶x ≡ x (mod 7). And now 5 · 2⁵ = 5 · 32 ≡ 5 · 4 = 20 ≡ 6
(mod 7).
• Solve the congruence 23x ≡ 4 (mod 211)!
– ϕ(211) = 210. Multiply both sides by 23²⁰⁹. Then
– 4 · 23²⁰⁹ ≡ 23²¹⁰x ≡ x (mod 211). And now 4 · 23²⁰⁹ ≡ . . . (mod 211).
Exponentiation by squaring (fast exponentiation)
Let m, a, n be positive integers, m > 1. We would like to calculate efficiently
the remainder aⁿ mod m.
Write n in the base 2 (binary) numeral system:
n = ∑_{i=0}^{k} εᵢ 2ⁱ = (ε_k ε_{k−1} . . . ε₁ ε₀)₍₂₎, where ε₀, ε₁, . . . , ε_k ∈ {0, 1} and ε_k = 1.
Let nⱼ (0 ≤ j ≤ k) be the number defined by the first j + 1 (most significant) digits:
nⱼ = ⌊n/2^{k−j}⌋ = (ε_k ε_{k−1} . . . ε_{k−j})₍₂₎.
Then for each j define the remainder xⱼ ≡ a^{nⱼ} (mod m):
n₀ = ε_k = 1, x₀ = a. Since nⱼ = 2 · n_{j−1} + ε_{k−j}, we get
xⱼ = a^{ε_{k−j}} · x_{j−1}² mod m = x_{j−1}² mod m, if ε_{k−j} = 0,
                                 = a · x_{j−1}² mod m, if ε_{k−j} = 1,
⇒ x_k = aⁿ mod m.
The correctness follows from the formula (proof: homework) aⁿ = ∏_{i=0}^{k} (a^{2ⁱ})^{εᵢ},
where n = ∑_{i=0}^{k} εᵢ 2ⁱ. Each step costs at most two multiplications modulo m, so
aⁿ mod m needs about 2 log₂ n multiplications instead of n.
Fast exponentiation
Example 42 (Fast exponentiation). How much is 3¹¹¹ mod 10? (Euler-Fermat
⇒ 7)
111₍₁₀₎ = 1101111₍₂₎, here k = 6, a = 3.

  j | ε_{k−j} | xⱼ = a^{ε_{k−j}} · x_{j−1}² | xⱼ mod 10
  0 |    1    | x₀ = a                       |  3
  1 |    1    | x₁ = 3 · 3²                  |  7
  2 |    0    | x₂ = 7²                      |  9
  3 |    1    | x₃ = 3 · 9²                  |  3
  4 |    1    | x₄ = 3 · 3²                  |  7
  5 |    1    | x₅ = 3 · 7²                  |  7
  6 |    1    | x₆ = 3 · 7²                  |  7
Fast exponentiation
Example 43 (Lin. cong. with fast exponentiation). Let us solve the congruence
23x ≡ 4 (mod 211). Euler-Fermat ⇒ x ≡ 4 · 23²⁰⁹ ≡ . . . (mod 211). How much
is 23²⁰⁹ mod 211?
209₍₁₀₎ = 11010001₍₂₎, here k = 7, a = 23.

  j | ε_{k−j} | xⱼ = a^{ε_{k−j}} · x_{j−1}² | xⱼ mod 211
  0 |    1    | x₀ = a                       |   23
  1 |    1    | x₁ = 23 · 23²                |  140
  2 |    0    | x₂ = 140²                    |  188
  3 |    1    | x₃ = 23 · 188²               |  140
  4 |    0    | x₄ = 140²                    |  188
  5 |    0    | x₅ = 188²                    |  107
  6 |    0    | x₆ = 107²                    |   55
  7 |    1    | x₇ = 23 · 55²                |  156

x ≡ 4 · 23²⁰⁹ ≡ 4 · 156 = 624 ≡ 202 (mod 211).
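Euler's ϕ via the prime factorization (Theorem 34), the left-to-right squaring loop of the fast-exponentiation slide, and the Euler-Fermat method of Examples 41 and 43 for solving ax ≡ b (mod m), as an added Python example that is not part of the lecture notes; the function names are this example's own:

```python
# Added example, not from the lecture notes.  Names are this example's own.
import math


def distinct_prime_factors(m):
    """Distinct primes dividing m > 0, by trial division (adequate for small m)."""
    primes = []
    p = 2
    while p * p <= m:
        if m % p == 0:
            primes.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        primes.append(m)
    return primes


def phi(m):
    """Euler's totient, Theorem 34: phi(m) = m * prod (1 - 1/p) over the primes p | m.

    Computed as m / p * (p - 1) prime by prime so that only integers are involved.
    """
    result = m
    for p in distinct_prime_factors(m):
        result = result // p * (p - 1)
    return result


def mod_pow(a, n, m):
    """a**n mod m by exponentiation by squaring, scanning the bits of n from the
    most significant one: x_j = a**eps * x_{j-1}**2 mod m, as in Examples 42/43."""
    x = 1
    for bit in bin(n)[2:]:      # e.g. '1101111' for n = 111
        x = x * x % m           # square
        if bit == "1":          # multiply by a when the current bit is set
            x = x * a % m
    return x


def solve_by_euler_fermat(a, b, m):
    """x ≡ b * a**(phi(m) - 1) (mod m), the method of Example 41.

    Only valid when (a, m) = 1, because a**phi(m) ≡ 1 needs the Euler-Fermat theorem.
    """
    if math.gcd(a, m) != 1:
        raise ValueError("a and m must be relatively prime")
    return b * mod_pow(a, phi(m) - 1, m) % m


if __name__ == "__main__":
    print(phi(12), phi(15), phi(3233))        # 4 8 3120
    print(mod_pow(3, 111, 10))               # 7, the last digit of 3**111
    print(mod_pow(23, 209, 211))             # 156
    print(solve_by_euler_fermat(23, 4, 211))  # 202
```

`mod_pow` performs one squaring per bit of n and one extra multiplication for each set bit, so 23²⁰⁹ mod 211 costs 11 modular multiplications rather than 208; Python's built-in `pow(a, n, m)` does the same job and is used in the test only to cross-check.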
6 The multiplicative group
Generators
Theorem 44 (Generating the multiplicative group). Let p be a prime. Then
in Z*_p there exists a generator (primitive root), i.e. there is an integer 1 ≤
g < p which yields every reduced congruence class when raised to the different
integer powers: {g⁰ = 1, g, g², . . . , g^{p−2}} = Z*_p, i.e. {1 = g⁰, g mod p, g² mod
p, . . . , g^{p−2} mod p} = {1, 2, . . . , p − 1} (and g^{p−1} ≡ 1 again, by Fermat's theorem).
Example 45 (3 is a generator modulo 7).
3¹ =   3 = 3⁰ · 3 ≡ 1 · 3 =  3 ≡ 3 (mod 7)
3² =   9 = 3¹ · 3 ≡ 3 · 3 =  9 ≡ 2 (mod 7)
3³ =  27 = 3² · 3 ≡ 2 · 3 =  6 ≡ 6 (mod 7)
3⁴ =  81 = 3³ · 3 ≡ 6 · 3 = 18 ≡ 4 (mod 7)
3⁵ = 243 = 3⁴ · 3 ≡ 4 · 3 = 12 ≡ 5 (mod 7)
3⁶ = 729 = 3⁵ · 3 ≡ 5 · 3 = 15 ≡ 1 (mod 7)
Example 46 (2 mod 11 and mod 7).
n
2n mod 11
1
2
2
4
• 2 is a generator modulo 11
3
8
4
5
5
10
6
9
7
7
8
3
2
4
3
1
4
2
5
4
6
1
9
6
10
1
• 2 is not a generator modulo 7
n
2n mod 7
7
1
2
Discrete logarithm
Discrete logarithm
Definition 47 (Discrete logarithm). Let p be a prime, g a generator modulo
p. Then for a ∈ Z with p ∤ a the discrete logarithm (or index) of a to the base g is
log_g a = n, where a ≡ gⁿ (mod p), 0 ≤ n < p − 1.
Example 48 (3 is a gen. mod 7).

  n        | 1 | 2 | 3 | 4 | 5 | 6
  3ⁿ mod 7 | 3 | 2 | 6 | 4 | 5 | 1

Example 49 (Discrete logarithm).

  a        | 1 | 2 | 3 | 4 | 5 | 6
  log₃ a   | 0 | 2 | 1 | 4 | 5 | 3

(log₃ 1 = 0 since 3⁰ = 1; indices are only determined modulo p − 1 = 6, so 6 would denote the
same index.)
Discrete logarithm
Example 50 (a). 2 is a generator modulo 11

  n         | 1 | 2 | 3 | 4 |  5 | 6 | 7 | 8 | 9 | 10
  2ⁿ mod 11 | 2 | 4 | 8 | 5 | 10 | 9 | 7 | 3 | 6 |  1

Table of logarithms:

  a         | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
  log₂ a    | 0 | 1 | 8 | 2 | 4 | 9 | 7 | 3 | 6 |  5

Theorem 51 (Properties of the discrete logarithm). Let p be a prime, g a
generator modulo p, 1 ≤ a, b < p, n ∈ Z. Then
log_g(a · b) ≡ log_g a + log_g b (mod p − 1)
log_g(aⁿ) ≡ n · log_g a (mod p − 1)
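Checking whether g generates Z*_p (Theorem 44), building the index tables of Examples 49 and 50, and verifying the logarithm laws of Theorem 51 modulo p − 1, as an added Python example that is not part of the lecture notes; the names are this example's own:

```python
# Added example, not from the lecture notes.  Names are this example's own.
# p is assumed prime throughout (as in Theorem 44).


def power_table(g, p):
    """[g**1 mod p, g**2 mod p, ..., g**(p-1) mod p], the rows of Examples 45/46."""
    table, x = [], 1
    for _ in range(p - 1):
        x = x * g % p
        table.append(x)
    return table


def is_generator(g, p):
    """g is a generator (primitive root) iff its powers hit every class 1, ..., p-1."""
    return len(set(power_table(g, p))) == p - 1


def generators(p):
    """All generators modulo the prime p."""
    return [g for g in range(1, p) if is_generator(g, p)]


def log_table(g, p):
    """{a: log_g a} for 1 <= a < p, with 0 <= log_g a < p - 1 (Definition 47)."""
    if not is_generator(g, p):
        raise ValueError(f"{g} is not a generator modulo {p}")
    logs = {}
    for n, a in enumerate(power_table(g, p), start=1):
        logs[a] = n % (p - 1)           # g**(p-1) ≡ 1, so log_g 1 = 0
    return logs


def log_laws_hold(g, p):
    """Theorem 51 for every pair: log(a*b) ≡ log a + log b (mod p-1),
    and log(a**n) ≡ n*log a (mod p-1) for n = 0, ..., p-1."""
    logs = log_table(g, p)
    for a in range(1, p):
        for b in range(1, p):
            if logs[a * b % p] != (logs[a] + logs[b]) % (p - 1):
                return False
        for n in range(p):
            if logs[pow(a, n, p)] != n * logs[a] % (p - 1):
                return False
    return True


if __name__ == "__main__":
    print(power_table(3, 7))       # [3, 2, 6, 4, 5, 1]
    print(generators(11))          # [2, 6, 7, 8]
    print(log_table(2, 11))        # 1 -> 0, 2 -> 1, 3 -> 8, ..., 10 -> 5
```

`log_table` is the exhaustive method of the examples: listing all p − 1 powers. It is fine for p = 11 and is exactly what becomes infeasible for the 2048-bit primes mentioned in the applications below.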
8 Applications
Fields of application of number theory:
• Cryptography
– encryption of messages;
– digital signatures;
– authentication and authorization;
• Coding theory
Caesar cipher (code)
Julius Caesar communicated with his soldiers using the following cipher:
Let us match the letters of the (English) alphabet with the set {0, 1, . . . , 25}:
a ↦ 0, b ↦ 1, c ↦ 2, . . . , z ↦ 25.
• Encryption key s ∈ {0, 1, . . . , 25}.
• Encryption: for a ∈ {0, 1, . . . , 25} encrypt a using the map a ↦ a + s mod 26.
The encryption is letter-wise.
• Decryption: for b ∈ {0, 1, . . . , 25} decrypt b using the map b ↦ b − s mod 26.
Decryption is letter-wise.
Example 52 (Caesar - Rot13). Encryption of hello using s = 13 as the key:
hello → 7 4 11 11 14 → (encryption: +13 mod 26) → 20 17 24 24 1 → uryyb
Decryption of uryyb with the key s = 13:
uryyb → 20 17 24 24 1 → (decryption: −13 mod 26) → 7 4 11 11 14 → hello
Caesar cipher (code)
For the key s = 13 we have Rot13.
Encryption and decryption are done with the same map: −13 ≡ 13 (mod 26).
This cipher is not secure: there are only 26 keys to try, and it can be cracked by
analyzing the frequency of occurrence of letters (al-Kindi, 9th century A.D.).
If we use a different, uniformly random key at every position of the message (a key
as long as the message, used only once) ⇒ the security is mathematically proven.
In practice: One Time Pad – OTP
• Message in binary form: m = 100100101
• Key: a random binary sequence of the same length: s = 010110110
• Encryption: bitwise XOR (mod 2 addition):
m = 100100101
XOR
s = 010110110
c = 110010011
• Decryption: c XOR s = m, since s XOR s = 0.
Crucial point: transferring the secret key s (and never reusing it).
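The letter-wise Caesar map, an al-Kindi style frequency attack that recovers the key from the ciphertext alone, and the one-time pad as bitwise XOR, as an added Python example that is not part of the lecture notes. The English letter-frequency table and the sample plaintext are constructed for this example, and all names are its own:

```python
# Added example, not from the lecture notes.  Names are this example's own.
import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (in %) of letters in English text; constructed
# for this example from commonly quoted values.
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}


def caesar_encrypt(text, s):
    """Letter-wise a -> a + s mod 26 on lowercase letters; other characters pass through."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + s) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text, s):
    """b -> b - s mod 26; with s = 13 this is the same map as encryption (Rot13)."""
    return caesar_encrypt(text, -s)


def crack_caesar(ciphertext):
    """Recover the key without knowing it: try all 26 shifts and keep the one whose
    candidate plaintext has the most English-like letter distribution (summed
    letter frequencies), the idea behind al-Kindi's frequency analysis."""
    def english_score(s):
        return sum(ENGLISH_FREQ[ch] for ch in caesar_decrypt(ciphertext, s) if ch in ENGLISH_FREQ)
    return max(range(26), key=english_score)


def otp_xor(bits_a, bits_b):
    """One-time pad: bitwise XOR (mod 2 addition) of two equal-length bit strings.
    Encryption and decryption are the same operation, since s XOR s = 0."""
    if len(bits_a) != len(bits_b):
        raise ValueError("the one-time pad key must be exactly as long as the message")
    return "".join("1" if x != y else "0" for x, y in zip(bits_a, bits_b))


# Constructed sample plaintext for the frequency attack.
SAMPLE_PLAINTEXT = "meet me at the old bridge at midnight and bring the documents"

if __name__ == "__main__":
    print(caesar_encrypt("hello", 13))                       # uryyb
    c = caesar_encrypt(SAMPLE_PLAINTEXT, 7)
    print(c, "->", crack_caesar(c))                          # recovers 7
    print(otp_xor("100100101", "010110110"))                 # 110010011
```

The attack never touches the key: a wrong shift turns common letters into rare ones and drags the score down, so the true shift stands out after a few dozen letters of ordinary text. `otp_xor` refuses a key of the wrong length, since a shorter key would have to be repeated, which is exactly what breaks the one-time pad's proof.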
RSA
Ron Rivest, Adi Shamir and Leonard Adleman suggested the following method
in 1977:
RSA encryption
• Generating the keys: Let p, q be two (big, ~1024 bit) primes, n = p · q.
• Let 1 < e < ϕ(n) with (e, ϕ(n)) = 1, where ϕ(n) = (p − 1)(q − 1).
• Let d be the solution of the congruence ex ≡ 1 (mod ϕ(n)).
• Keys: public key (n, e) and private (secret) key d.
• Encryption of the message 0 ≤ m < n: c = mᵉ mod n.
• Decryption of an encrypted message 0 ≤ c < n: m = cᵈ mod n.
Correctness of the algorithm
cᵈ ≡ (mᵉ)ᵈ = m^{e·d} = m^{k·ϕ(n)+1} ≡ m (mod n), by the Euler-Fermat theorem when (m, n) = 1
(for the remaining m the congruence follows by checking it modulo p and modulo q
separately with Fermat's theorem).
RSA
In practice m is just a key for another (symmetric) encryption.
The procedure is believed to be secure because no efficient method is known to factorize
the product n = p · q.
Problem
• Find the divisors of the following numbers.
RSA-100 = 5226050279225333605356183781326374297180681149613806886 57908494580122963258952897654
RSA-2048 = 2519590847565789349402718324004839857142928212620403202777713783604366202070759
5556264018525880784406918290641249515082189298559149176184502808489120072844992 6873928072877767359714183472702618963750
5974880842840179742910064245869181719511874612151517265463228221686998754918242 2433637259085141865462043576798423387184
0106748104516603773060562016196762561338441436038339044149526344321901146575444 5417842402092461651572335077870774981712
7899885040445364023527381951378636564391212010397122822120720357
RSA
Factorization of RSA-2048:
• Trial division: for a number n about √n divisions are needed:
• RSA-2048 ∼ 2²⁰⁴⁸, so ∼ 2¹⁰²⁴ divisions.
• At ∼ 10⁹ ≈ 2³⁰ divisions per second ⇒ 2¹⁰²⁴/2³⁰ = 2⁹⁹⁴ seconds are
needed to factorise.
– 2⁹⁹⁴ seconds ≈ 2⁹⁶⁹ years.
• The same with 2 computers: 2⁹⁶⁸ years.
– The same with the best (known) algorithm: 2500000000000000000000000000000
years (= 2.5 · 10³⁰).
– The age of the universe: 1.38 · 10¹⁰ years.
RSA
Example 53 (RSA).
• Generating the keys:
– Let p = 61, q = 53 and n = 61 · 53 = 3233, ϕ(3233) = 60 · 52 = 3120.
– Let e = 17. Using the extended Euclidean algorithm: d = 2753 (17 · 2753 = 46801 = 15 · 3120 + 1).
– Public key: (n = 3233, e = 17);
– Private (secret) key: d = 2753.
• Encryption: Let m = 65.
– c = 65¹⁷ mod 3233 = 2790.
• Decryption: If c = 2790:
– 2790²⁷⁵³ mod 3233 = 65.
Digital signature
• e and d change roles (in practice a separate key pair is used for signing, not the
encryption key pair):
• Signature: Let s = mᵈ mod n; then the signed message is (m, s).
• Verification: check whether m ≡ sᵉ (mod n).
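Textbook RSA key generation, encryption, decryption and the signature/verification roles described above, run on the notes' own parameters p = 61, q = 53, e = 17, as an added Python example that is not part of the lecture notes. The toy primes are far too small for real use and unpadded RSA is not secure on its own, so the code illustrates the arithmetic only; the names are this example's own:

```python
# Added example, not from the lecture notes.  Names are this example's own.
# Textbook (unpadded) RSA on toy parameters: for the arithmetic only, never for real use.
import math


def rsa_keygen(p, q, e):
    """Return ((n, e), d) with n = p*q and e*d ≡ 1 (mod phi(n)), phi(n) = (p-1)(q-1)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if math.gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi_n)           # modular inverse: the solution of e*x ≡ 1 (mod phi(n))
    return (n, e), d


def rsa_encrypt(public_key, m):
    """c = m**e mod n for a message 0 <= m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def rsa_decrypt(private_key, n, c):
    """m = c**d mod n."""
    return pow(c, private_key, n)


def rsa_sign(private_key, n, m):
    """Signature s = m**d mod n; the signed message is the pair (m, s)."""
    return pow(m, private_key, n)


def rsa_verify(public_key, m, s):
    """Check m ≡ s**e (mod n)."""
    n, e = public_key
    return pow(s, e, n) == m % n


if __name__ == "__main__":
    public, d = rsa_keygen(61, 53, 17)           # ((3233, 17), 2753), Example 53
    c = rsa_encrypt(public, 65)                  # 2790
    print(public, d, c, rsa_decrypt(d, public[0], c))
    s = rsa_sign(d, public[0], 65)
    print(rsa_verify(public, 65, s), rsa_verify(public, 66, s))   # True False
    # Why signing and encryption need separate keys: signing a ciphertext with
    # the same d is exactly decryption, so a "please sign this" request leaks m.
    print(rsa_sign(d, public[0], c))             # 65
```

The last line of the demo is the reason for the slide's remark that separate keys are needed: with one key pair, `rsa_sign` applied to a ciphertext returns the plaintext.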
Diffie-Hellman key exchange protocol
The first public key cryptography system was developed by Whitfield Diffie
and Martin Hellman, and published in 1976.

  Alice                                   Bob
  chooses: a ∈_R {1, . . . , p − 2}       chooses: b ∈_R {1, . . . , p − 2}
  sends gᵃ mod p          −→
                          ←−              sends gᵇ mod p
  calculates: (gᵇ)ᵃ                       calculates: (gᵃ)ᵇ
  common key: g^{ab}                      common key: g^{ab}

• Public parameters:
– p (large) prime, g generator mod p.
• Keys:
– Alice's private key a: 1 ≤ a < p − 1, public key gᵃ mod p
– Bob's private key b: 1 ≤ b < p − 1, public key gᵇ mod p
• Common key: g^{ab} mod p.
Diffie-Hellman key exchange protocol
The protocol is secure if calculating the discrete logarithm modulo p is hard: an
eavesdropper sees only p, g, gᵃ and gᵇ, and needs a or b to compute g^{ab}.
If p ∼ 2²⁰⁴⁸ (2048 bits), calculating the discrete logarithm with the best known algorithms
takes ∼ 10³⁰ years.
Example 54 (Diffie-Hellman).
• Public parameters: Let p = 11, g = 2.
• Keys:
– Alice's private key a = 4, public key 2⁴ mod 11 = 16 mod 11 = 5
– Bob's private key b = 8, public key 2⁸ mod 11 = 256 mod 11 = 3
• Common key: (gᵇ)ᵃ = 3⁴ mod 11 = 81 mod 11 = 4, (gᵃ)ᵇ = 5⁸ mod 11 = 4.
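The exchange above with both parties' computations on the notes' toy parameters p = 11, g = 2, together with the eavesdropper's side: with such a small p the discrete logarithm is found by trying every exponent, which is the attack that a 2048-bit p is meant to make infeasible. Added Python example, not part of the lecture notes; the names are this example's own:

```python
# Added example, not from the lecture notes.  Names are this example's own.
# Toy parameters only; a real p must be a large (e.g. 2048-bit) prime.


def dh_public(p, g, private):
    """Public value g**private mod p."""
    return pow(g, private, p)


def dh_shared(p, their_public, private):
    """Common key (their_public)**private mod p."""
    return pow(their_public, private, p)


def dh_exchange(p, g, a, b):
    """Run the protocol for Alice (private a) and Bob (private b).
    Returns (Alice's key, Bob's key, (A, B)), where A and B are the two messages on the wire."""
    A = dh_public(p, g, a)            # Alice -> Bob: g**a
    B = dh_public(p, g, b)            # Bob -> Alice: g**b
    k_alice = dh_shared(p, B, a)      # (g**b)**a
    k_bob = dh_shared(p, A, b)        # (g**a)**b
    return k_alice, k_bob, (A, B)


def brute_force_dlog(p, g, h):
    """Smallest n >= 0 with g**n ≡ h (mod p), by exhaustive search; None if h is not a power of g.
    Takes up to p - 1 steps: feasible for p = 11, hopeless for p ~ 2**2048."""
    x = 1
    for n in range(p - 1):
        if x == h % p:
            return n
        x = x * g % p
    return None


def eavesdrop(p, g, A, B):
    """What Eve can do knowing only the public values: recover a = log_g A, then the key."""
    a = brute_force_dlog(p, g, A)
    return None if a is None else dh_shared(p, B, a)


if __name__ == "__main__":
    k_alice, k_bob, (A, B) = dh_exchange(11, 2, 4, 8)
    print(A, B, k_alice, k_bob)         # 5 3 4 4, as in Example 54
    print(eavesdrop(11, 2, A, B))       # 4: the toy key is recovered from public data alone
```

Both parties arrive at the same key because (gᵃ)ᵇ = (gᵇ)ᵃ = g^{ab}; Eve, who only sees gᵃ and gᵇ, has to solve for a or b first, which `brute_force_dlog` does in at most p − 1 multiplications and which no known method does in reasonable time for a well-chosen 2048-bit p.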