Textbook: Introduction to Cryptography, 2nd ed., by J. A. Buchmann
Chapter 1: Integers
Department of Computer Science and Information Engineering, Chaoyang University of Technology (朝陽科技大學資工系)
Speaker: Fuw-Yi Yang (楊伏夷)
(On the speaker's name: 伏夷 does not mean "subduing the barbarians". In the Tao Te Ching, Chapter 58 (察政章), 伏 means "hidden"; in Chapter 14 (道紀章), the Tao has no form, and "what is looked at but cannot be seen is called 夷".)
Fuw-Yi Yang 1

Contents
  Basics
  Divisibility
  Representation of integers
  O- and Ω-notation
  Cost of +, *, / with remainder
  Polynomial time
  Greatest common divisor
  Euclidean algorithm
  Extended Euclidean algorithm
  Analysis of the extended Euclidean algorithm
  Factoring into primes
  Exercise

1.1 Basics
$\mathbb{N} = \{1, 2, 3, 4, 5, \ldots\}$ is the set of positive integers and $\mathbb{Z} = \{0, \pm 1, \pm 2, \pm 3, \ldots\}$ is the set of integers. The rational numbers are denoted by $\mathbb{Q}$ and the real numbers by $\mathbb{R}$. We have $\mathbb{N} \subset \mathbb{Z} \subset \mathbb{Q} \subset \mathbb{R}$.

A set M of real numbers is called bounded from below if there is a real number $\beta$ such that all elements of M are greater than $\beta$. We also say that M is bounded from below by $\beta$.
Example. The set of positive integers is bounded from below by 0, but the set of even integers is not bounded from below.

For any real number $\alpha$, we write $\lfloor \alpha \rfloor = \max\{b \in \mathbb{Z} : b \le \alpha\}$. Hence $\lfloor \alpha \rfloor$ is the greatest integer that is less than or equal to $\alpha$. This number exists because the set $\{b \in \mathbb{Z} : b \le \alpha\}$ is bounded from above.
Example 1.1.1. We have $\lfloor 3.43 \rfloor = 3$ and $\lfloor -3.43 \rfloor = -4$.

Finally we need induction. If a statement that depends on a positive integer n is true for n = 1, and if the truth for all integers m with $1 \le m \le n$ implies the truth for n + 1, then the statement is true for every positive integer n.
Example. We wish to prove $1 + 2 + 3 + \cdots + n = n(n+1)/2$.
1. Basis: the statement holds for n = 1, since $1 = 1 \cdot 2 / 2$.
2. Inductive step: prove that if the statement holds for n = m, then it also holds for n = m + 1.
Assume the statement holds for n = m. Then it also holds for n = m + 1, because
$m(m+1)/2 + (m+1) = (m^2 + m + 2m + 2)/2 = (m+1)(m+2)/2$.

1.2 Divisibility
Definition 1.2.1. We say that a divides n if there is an integer b with n = ab. If a divides n, then a is called a divisor of n, n is called a multiple of a, and we write a | n.
Example 1.2.2. We have 13 | 182 because 182 = 14 * 13. Likewise, we have -5 | 30 because 30 = (-6) * (-5). The divisors of 30 are ±1, ±2, ±3, ±5, ±6, ±10, ±15, ±30. Any integer a divides 0 (a | 0) because 0 = a * 0. The only integer that is divisible by 0 is 0, because n = 0 * b implies n = 0.

Theorem 1.2.3.
1. If a | b and b | c, then a | c.
2. If a | b, then ac | bc for all c.
3. If c | a and c | b, then c | da + eb for all d and e.
4. If a | b and $b \neq 0$, then $|a| \le |b|$.
5. If a | b and b | a, then |a| = |b|.
Proof: …

Theorem 1.2.4. If a and b are integers, b > 0, then there are uniquely determined integers q and r such that a = qb + r and $0 \le r < b$, namely $q = \lfloor a/b \rfloor$ and r = a - bq.
Proof: If a = qb + r and $0 \le r < b$, then $0 \le r/b < 1$, so $0 \le a/b - q < 1$, i.e. $a/b \ge q > a/b - 1$. Hence $q = \lfloor a/b \rfloor$ and r = a - bq. end of proof
In the above, the integer q is called the (integral) quotient and r the remainder of the division of a by b. We write r = a mod b. If a is replaced by a mod b, then we say that a is reduced modulo b.

1.3 Representation of Integers
In books, integers are written in decimal expansion. On computers, binary expansion is used. More generally, integers can be represented using the so-called g-adic expansion.
Example 1.3.1. We have $\log_2 8 = 3$ because $2^3 = 8$. Also $\log_8 8 = 1$ because $8^1 = 8$.
Example 1.3.2. The sequence (0, 1, 1, 1, 0) is an element of $\{0, 1\}^5$. Also $\{1, 2\}^2 = \{(1, 1), (1, 2), (2, 1), (2, 2)\}$.

Theorem 1.3.3. Let g be an integer, g > 1.
For each positive integer a, there is a uniquely determined positive integer k and a uniquely determined sequence $(a_1, \ldots, a_k) \in \{0, \ldots, g-1\}^k$ with $a_1 \neq 0$ and
$a = \sum_{i=1}^{k} a_i g^{k-i}$   (Eq. 1.1).
In addition, $k = \lfloor \log_g a \rfloor + 1$, and $a_i$ is the integral quotient of $a - \sum_{j=1}^{i-1} a_j g^{k-j}$ by $g^{k-i}$ for $1 \le i \le k$.
Proof.
1. Uniqueness of k: $g^{k-1} \le a < g^k$, hence $k = \lfloor \log_g a \rfloor + 1$.
2. Uniqueness of the sequence $(a_1, \ldots, a_k)$ (induction on k):
2.1 Basis: for k = 1, set $a_1 = a$.
2.2 Inductive step: let k > 1 and suppose there is a representation as in Eq. 1.1. Then $0 \le a - a_1 g^{k-1} < g^{k-1}$ and therefore $0 \le a/g^{k-1} - a_1 < 1$. Hence $a_1$ is the integral quotient of a divided by $g^{k-1}$ and is uniquely determined. Set $a' = a - a_1 g^{k-1}$. Either $a' = 0$, in which case $a_i = 0$ for $2 \le i \le k$, or $a' = \sum_{i=2}^{k} a_i g^{k-i}$ is the uniquely determined representation of $a'$ by the induction hypothesis (the statement is true for shorter sequences).
It is clear that a representation as in Eq. 1.1 exists: set $a_1 = \lfloor a/g^{k-1} \rfloor$ and take the other coefficients from the representation of $a' = a - a_1 g^{k-1}$. end of proof

Definition 1.3.4. The sequence $(a_1, \ldots, a_k)$ from Theorem 1.3.3 is called the g-adic expansion of a. Its elements are called digits. Its length is $k = \lfloor \log_g a \rfloor + 1$. If g = 2, the sequence is called the binary expansion of a. If g = 16, then the sequence is called the hexadecimal expansion of a. Instead of $(a_1, \ldots, a_k)$, we also write $a_1 a_2 \ldots a_k$.
Example 1.3.5. The sequence 10101 is the binary expansion of $2^4 + 2^2 + 2^0 = 21$.

Example 1.3.6. Determine the binary expansion of 105. Since $2^6 \le 105 < 2^7$, it is of length 7.
$a_1 = \lfloor 105/2^6 \rfloor = 1$, $a' = 105 - 1 \cdot 2^6 = 41$;
$a_2 = \lfloor 41/2^5 \rfloor = 1$, $a' = 41 - 1 \cdot 2^5 = 9$;
$a_3 = \lfloor 9/2^4 \rfloor = 0$, $a' = 9$;
$a_4 = \lfloor 9/2^3 \rfloor = 1$, $a' = 9 - 1 \cdot 2^3 = 1$;
$a_5 = \lfloor 1/2^2 \rfloor = 0$, $a' = 1$;
$a_6 = \lfloor 1/2^1 \rfloor = 0$, $a' = 1$;
$a_7 = \lfloor 1/2^0 \rfloor = 1$, $a' = 1 - 1 \cdot 2^0 = 0$.
Hence the binary expansion of 105 is 1101001.

1.4 O- and Ω-Notation
When designing a cryptographic algorithm, it is necessary to estimate how much computing time and how much storage it requires. To simplify such estimates, we introduce the O- and Ω-notation.
Let k be a positive integer, $X, Y \subset \mathbb{N}^k$, and $f : X \to \mathbb{R}_{\ge 0}$, $g : Y \to \mathbb{R}_{\ge 0}$ functions. We write f = O(g) if there are positive integers B and C such that for all $(n_1, \ldots, n_k) \in \mathbb{N}^k$ with $n_i > B$, $1 \le i \le k$, the following is true:
1. $(n_1, \ldots, n_k) \in X \cap Y$; that is, $f(n_1, \ldots, n_k)$ and $g(n_1, \ldots, n_k)$ are defined.
2. $f(n_1, \ldots, n_k) \le C \cdot g(n_1, \ldots, n_k)$.
This means that almost always $f(n_1, \ldots, n_k) \le C \cdot g(n_1, \ldots, n_k)$. We also write $g = \Omega(f)$. If g is constant, then we write f = O(1).

1.5 Cost of +, *, and / with remainder
In many cryptographic applications, multi-precision integers must be added, multiplied, and divided with remainder. To estimate the running time of such applications, we must study how long these operations take. To do so, one has to choose a model of computation that is as similar as possible to real computations.
Here we only use a naive model, which, however, yields reasonable estimates. Let a and b be integers (size a denotes the binary length of a).
1. Adding a and b requires time O(max{size a, size b}).
2. Multiplying a and b requires time O((size a)(size b)).
3. Dividing a with remainder by b requires time O((size b)(size q)), where q is the quotient.
All algorithms use space O(size a + size b).

1.6 Polynomial time
When analyzing a cryptographic algorithm, we must show that it works efficiently but is difficult to break. We make the notion of efficiency more precise. Suppose an algorithm receives as input integers $z_1, \ldots, z_n$.
We say that the algorithm has polynomial running time if there are nonnegative integers $e_1, \ldots, e_n$ such that the running time of the algorithm is $O((\mathrm{size}\, z_1)^{e_1} (\mathrm{size}\, z_2)^{e_2} \cdots (\mathrm{size}\, z_n)^{e_n})$. An algorithm is considered to be efficient if it has polynomial running time. Observe, however, that for the algorithm to be efficient in practice, the exponents $e_i$ and the O-constant must be small.

1.7 Greatest common divisor
We define the greatest common divisor of two integers.
Definition 1.7.1. A common divisor of a and b is an integer that divides both a and b.
Theorem 1.7.2. Among all common divisors of two integers a and b, which are not both zero, there is exactly one greatest (with respect to $\le$). It is called the greatest common divisor (gcd) of a and b.
Proof. Let $a \neq 0$. By Theorem 1.2.3, all divisors of a are bounded by |a|. Therefore, among the common divisors of a and b there is a unique greatest. end of proof
For completeness, we set the greatest common divisor of 0 and 0 to 0. Hence, the greatest common divisor of two numbers is never negative.
Example 1.7.3. The greatest common divisor of 18 and 30 is 6. The greatest common divisor of -10 and 30 is 10.
The greatest common divisor of integers $a_1, \ldots, a_k$, $k \ge 1$, is defined as follows. If at least one of the $a_i$ is nonzero, then $\gcd(a_1, \ldots, a_k)$ is the greatest positive integer that divides all the $a_i$. If all the $a_i$ are zero, then we set $\gcd(a_1, \ldots, a_k) = 0$.

We present an important way of representing a greatest common divisor. We need the following notion. If $\alpha_1, \ldots, \alpha_k$ are real numbers, then
$\alpha_1 \mathbb{Z} + \cdots + \alpha_k \mathbb{Z} = \{\alpha_1 z_1 + \cdots + \alpha_k z_k : z_i \in \mathbb{Z},\ 1 \le i \le k\}$.
This is the set of all integer linear combinations of the $\alpha_i$.
Example 1.7.4. The set of all integer linear combinations of 3 and 4 is $3\mathbb{Z} + 4\mathbb{Z}$. It contains 1 = 3 * (-1) + 4 * 1. It therefore also contains all integer multiples of 1. Hence, this set is $\mathbb{Z}$.
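Division with remainder (Theorem 1.2.4) and the g-adic expansion (Theorem 1.3.3, Example 1.3.6) in runnable form; the proof of Theorem 1.7.5 that follows leans on the same division with remainder. This is an added Python example, not code from the slides or from Buchmann's book; the function names div_rem, trunc_div_rem, g_adic_expansion and from_digits are this example's own. It also shows the point a practitioner trips over: the remainder of Theorem 1.2.4 is never negative, while C's % on a negative dividend is.

```python
"""Division with remainder (Theorem 1.2.4) and g-adic expansion (Theorem 1.3.3).

Added example; not code from the slides or from Buchmann's book. The function
names below are this example's own.
"""


def div_rem(a, b):
    """Return (q, r) with a = q*b + r and 0 <= r < b, as in Theorem 1.2.4.

    q = floor(a / b). Python's integer '//' is floor division, so this is exact
    for integers of any size; never compute floor(a / b) via float division.
    """
    if b <= 0:
        raise ValueError("Theorem 1.2.4 requires b > 0")
    q = a // b
    r = a - b * q
    assert 0 <= r < b
    return q, r


def trunc_div_rem(a, b):
    """What C's '/' and '%' compute for int operands: the quotient is truncated
    toward zero, so for a < 0 the 'remainder' is negative and is NOT a mod b in
    the sense of Theorem 1.2.4. Modular-reduction code must not use this form on
    possibly negative inputs (the euclid() routine of Section 1.8 takes absolute
    values first for exactly this reason).
    """
    if b <= 0:
        raise ValueError("b > 0 assumed here")
    q = abs(a) // b
    if a < 0:
        q = -q
    return q, a - b * q


def g_adic_expansion(a, g):
    """Digits (a_1, ..., a_k) of a > 0 with a = sum_{i=1}^k a_i g^(k-i) and
    a_1 != 0 (Eq. 1.1), computed as in the proof of Theorem 1.3.3 and in
    Example 1.3.6: a_i is the integral quotient of the remaining value by g^(k-i).
    """
    if a <= 0 or g <= 1:
        raise ValueError("need a > 0 and g > 1")
    # k = floor(log_g a) + 1, found by comparing powers of g using integers only.
    # (Floating point can be off by one here: math.log(1000, 10) is 2.9999999999999996.)
    k = 1
    while g ** k <= a:
        k += 1
    digits = []
    rest = a
    for i in range(1, k + 1):
        a_i, rest = div_rem(rest, g ** (k - i))
        digits.append(a_i)
    assert rest == 0 and digits[0] != 0
    return digits


def from_digits(digits, g):
    """Inverse of g_adic_expansion: evaluate Eq. 1.1 in Horner form."""
    a = 0
    for d in digits:
        if not 0 <= d < g:
            raise ValueError("digit out of range")
        a = a * g + d
    return a


if __name__ == "__main__":
    print(div_rem(-7, 3), trunc_div_rem(-7, 3))       # (-3, 2) versus (-2, -1)
    print(g_adic_expansion(105, 2))                    # Example 1.3.6: [1, 1, 0, 1, 0, 0, 1]
    # The 256-adic expansion is the big-endian byte encoding of an integer.
    print(g_adic_expansion(0x1234, 256), list((0x1234).to_bytes(2, "big")))
```

With g = 256 the expansion is exactly the big-endian byte string that cryptographic protocols use to encode integers, which is why the last line agrees with int.to_bytes.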
Theorem 1.7.5. The set of all integer linear combinations of a and b is the set of all integer multiples of gcd(a, b); i.e. $a\mathbb{Z} + b\mathbb{Z} = \gcd(a, b)\mathbb{Z}$.
Proof. For a = b = 0, the assertion is obviously correct, so let a or b be nonzero. Set $I = a\mathbb{Z} + b\mathbb{Z}$. Let g be the smallest positive integer in I. We claim that $I = g\mathbb{Z}$.
1. Choose a nonzero element c in I.
2. By Theorem 1.2.4, there are q, r with c = qg + r and $0 \le r < g$.
3. Therefore, r = c - qg belongs to I.
4. Since g is the smallest positive integer in I and $0 \le r < g$, we must have r = 0, so c = qg.
It remains to be shown that g = gcd(a, b).
1. g is a common divisor of a and b, since $a, b \in I$ and $I = g\mathbb{Z}$.
2. Since $g \in I$, there are integers x, y with g = ax + by.
3. If d is a common divisor of a and b, then d is also a divisor of g.
4. Theorem 1.2.3 implies $|d| \le g$ (since d | g and $g \neq 0$).
5. Hence g = gcd(a, b). end of proof

Corollary 1.7.6. For all a, b, n the equation ax + by = n is solvable in integers x and y if and only if gcd(a, b) divides n.
Proof. If there are x and y with ax + by = n, then $n \in a\mathbb{Z} + b\mathbb{Z}$, and by Theorem 1.7.5 we have $n \in \gcd(a, b)\mathbb{Z}$, which means that n is a multiple of gcd(a, b). Conversely, if n is a multiple of gcd(a, b), then n is an element of $\gcd(a, b)\mathbb{Z}$. It follows from Theorem 1.7.5 that $n \in a\mathbb{Z} + b\mathbb{Z}$. Therefore, there are integers x and y with ax + by = n. end of proof

Corollary 1.7.7. There are integers x and y with ax + by = gcd(a, b).
Proof. From Corollary 1.7.6, since gcd(a, b) divides itself. end of proof
Corollary 1.7.8. There is exactly one nonnegative common divisor of a and b that is divisible by all other common divisors of a and b, namely the greatest common divisor of a and b.
Proof. By Corollary 1.7.7 there are integers x and y with ax + by = gcd(a, b). Therefore every common divisor of a and b is a divisor of gcd(a, b).
Conversely, let g be a nonnegative common divisor of a and b that is divisible by every common divisor of a and b. If a = b = 0, then g = 0. If a or b is nonzero, then by Theorem 1.2.3 every common divisor of a and b is $\le g$. Therefore g = gcd(a, b). end of proof

1.8 Euclidean algorithm
The Euclidean algorithm determines the greatest common divisor of two integers very efficiently. It is based on the following theorem.
Theorem 1.8.1.
1. If b = 0, then gcd(a, b) = |a|.
2. If $b \neq 0$, then gcd(a, b) = gcd(|b|, a mod |b|).
Proof. The first assertion is obviously correct. We prove the second assertion. By Theorem 1.2.4, there is an integer q with a = q|b| + (a mod |b|). Therefore the greatest common divisor of a and b divides the greatest common divisor of |b| and (a mod |b|), and vice versa. Since both greatest common divisors are nonnegative, the assertion follows from Theorem 1.2.3. end of proof

Example 1.8.2. We want to compute gcd(100, 35). From Theorem 1.8.1, we obtain gcd(100, 35) = gcd(35, 100 mod 35) = gcd(35, 5) = gcd(5, 35 mod 5) = gcd(5, 0) = 5.

The following theorem proves the correctness of the Euclidean algorithm euclid(a, b), written here in C:

    #include <stdlib.h>

    int euclid(int a, int b)      /* returns gcd(a, b) >= 0 */
    {
        int r;
        a = abs(a); b = abs(b);   /* caution: abs(INT_MIN) overflows in C */
        while (b != 0) { r = a % b; a = b; b = r; }   /* Theorem 1.8.1; a % b >= 0 since a, b >= 0 */
        return a;
    }

Theorem 1.8.3. The Euclidean algorithm computes the greatest common divisor of a and b.
Proof. To prove that the Euclidean algorithm terminates and yields gcd(a, b), we introduce some notation. We set $r_0 = |a|$, $r_1 = |b|$, and for $k \ge 1$ with $r_k \neq 0$
$r_{k+1} = r_{k-1} \bmod r_k$   (Eq. 1.3).
Then $r_2, r_3, \ldots$ is the sequence of remainders that are computed in the while-loop of the Euclidean algorithm. Also, after the kth iteration of the while-loop, we have $a = r_k$, $b = r_{k+1}$.
It follows from Theorem 1.8.1 that the greatest common divisor of a and b is not changed in the algorithm, so we only need to prove that there is a k with $r_k = 0$. But this follows from the fact that, by Eq. 1.3, the sequence $(r_k)_{k \ge 1}$ is strictly decreasing. This concludes the correctness proof for the Euclidean algorithm. end of proof

The Euclidean algorithm computes gcd(a, b) very efficiently. To prove the efficiency, we estimate the number of iterations required by the algorithm. For simplicity, we assume a > b > 0. This is no restriction, since the Euclidean algorithm requires one step to determine gcd(a, b) (if b = 0) or to produce this situation. Let $r_n$ be the last nonzero remainder in the sequence $(r_k)$. Then n is the number of iterations that the algorithm requires to compute gcd(a, b). Furthermore, since $r_{k+1} = r_{k-1} \bmod r_k$ (Eq. 1.3), let
$q_k = \lfloor r_{k-1} / r_k \rfloor$, $1 \le k \le n$   (Eq. 1.4).
Then $q_k$ is the quotient of $r_{k-1}$ divided by $r_k$, and we have
$r_{k-1} = q_k r_k + r_{k+1}$   (Eq. 1.5).

Example 1.8.4. If a = 100 and b = 35, then we obtain the remainder and quotient sequences:
  k     0     1    2    3    4
  r_k   100   35   30   5    0
  q_k   -     2    1    6    -
Lemma 1.8.5. We have $q_k \ge 1$ for $1 \le k \le n-1$ and $q_n \ge 2$.
Proof. Since $r_{k-1} > r_k > r_{k+1}$, it follows from Eq. 1.5 that $q_k \ge 1$ for $1 \le k \le n$. Suppose $q_n = 1$. Then $r_{n-1} = r_n$ (because $r_{n+1} = 0$), and this is impossible because the sequence of remainders is strictly decreasing. Therefore $q_n \ge 2$. end of proof

Theorem 1.8.7. In the Euclidean algorithm, let a > b > 0. Also, let $\varphi = (1 + \sqrt{5})/2$. Then the number of iterations in the algorithm is at most $(\log b)/(\log \varphi) + 1 < 1.441 \cdot \log_2 b + 1$.
Proof.
end of proof

1.9 Extended Euclidean algorithm
Corollary 1.7.7 tells us that there are integers x, y with gcd(a, b) = ax + by. In this section, we extend the Euclidean algorithm in such a way that it also determines such coefficients x and y.

Example: compute x, y such that ax + by = gcd(a, b).
The example computes expressions of the form
$r_i = a x_i + b y_i$   (Eq. 11)
for the remainder in each step i of the Euclidean algorithm. (In this example the remainders are numbered from $r_1 = a$, $r_2 = b$, unlike $r_0 = |a|$, $r_1 = |b|$ in Section 1.8.) From $r_{k+1} = r_{k-1} \bmod r_k$ (Eq. 1.3) we have
$r_i = r_{i-2} - \lfloor r_{i-2}/r_{i-1} \rfloor r_{i-1}$.
Also, by Eq. 11,
$r_i = a x_{i-2} + b y_{i-2} - \lfloor r_{i-2}/r_{i-1} \rfloor (a x_{i-1} + b y_{i-1}) = a (x_{i-2} - \lfloor r_{i-2}/r_{i-1} \rfloor x_{i-1}) + b (y_{i-2} - \lfloor r_{i-2}/r_{i-1} \rfloor y_{i-1})$.
The first two terms $r_1$ and $r_2$:
$r_1 = a = a \cdot 1 + b \cdot 0$   ($x_1 = 1$, $y_1 = 0$)
$r_2 = b = a \cdot 0 + b \cdot 1$   ($x_2 = 0$, $y_2 = 1$)

Example: compute x, y such that 120x + 23y = gcd(120, 23).
$r_1 = 120 = 120 \cdot 1 + 23 \cdot 0$   ($x_1 = 1$, $y_1 = 0$)
$r_2 = 23 = 120 \cdot 0 + 23 \cdot 1$   ($x_2 = 0$, $y_2 = 1$)
$r_3 = 5 = 120 - 5 \cdot 23 = (120 \cdot 1 + 23 \cdot 0) - 5 \cdot (120 \cdot 0 + 23 \cdot 1) = 120 \cdot 1 + 23 \cdot (-5)$
$r_4 = 3 = 23 - 4 \cdot 5 = (120 \cdot 0 + 23 \cdot 1) - 4 \cdot (120 \cdot 1 + 23 \cdot (-5)) = 120 \cdot (-4) + 23 \cdot 21$
$r_5 = 2 = 5 - 1 \cdot 3 = (120 \cdot 1 + 23 \cdot (-5)) - 1 \cdot (120 \cdot (-4) + 23 \cdot 21) = 120 \cdot 5 + 23 \cdot (-26)$
$r_6 = 1 = 3 - 1 \cdot 2 = (120 \cdot (-4) + 23 \cdot 21) - (120 \cdot 5 + 23 \cdot (-26)) = 120 \cdot (-9) + 23 \cdot 47$
$r_7 = 0 = 2 - 2 \cdot 1$
Hence gcd(120, 23) = 1 = 120 * (-9) + 23 * 47. end of example

As in Section 1.8, we denote by $r_0, \ldots, r_{n+1}$ the sequence of remainders and by $q_1, \ldots, q_n$ the sequence of quotients that are computed in the course of the algorithm. We now explain the construction of two sequences $(x_k)$ and $(y_k)$ such that $x = (-1)^n x_n$ and $y = (-1)^{n+1} y_n$ are the required coefficients.
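Before the construction of $(x_k)$ and $(y_k)$ is spelled out, here are Sections 1.8 and 1.9 in runnable form: the remainder and quotient sequences of Eq. 1.3 to 1.5, Lemma 1.8.5, the iteration bound of Theorem 1.8.7, and the extended Euclidean algorithm in the sign-free form of Eq. 1.7 and Theorem 1.9.1 that follows, with the identity $r_k = a(-1)^k x_k + b(-1)^{k+1} y_k$ checked at every step. This is an added Python example, not code from the slides or from Buchmann's book; the function names, the Fibonacci worst-case input 89, 55 and the RSA-style parameters e = 17, φ(n) = 3120 in the usage section are this example's own choices.

```python
"""Euclidean algorithm (Section 1.8) and extended Euclidean algorithm (Section 1.9).

Added example; not code from the slides or from Buchmann's book. Function names
and the sample inputs are this example's own.
"""
from math import log

PHI = (1 + 5 ** 0.5) / 2   # golden ratio, as in Theorem 1.8.7


def remainder_sequence(a, b):
    """Return (r, q): r = [r_0, ..., r_{n+1}] and q = [q_1, ..., q_n] of
    Eq. 1.3-1.5, with r_0 = |a|, r_1 = |b|, r_{n+1} = 0 and r_n = gcd(a, b)."""
    r = [abs(a), abs(b)]
    q = []
    while r[-1] != 0:
        q.append(r[-2] // r[-1])           # q_k = floor(r_{k-1} / r_k)     (Eq. 1.4)
        r.append(r[-2] - q[-1] * r[-1])    # r_{k+1} = r_{k-1} - q_k r_k   (Eq. 1.5)
    return r, q


def euclid(a, b):
    """gcd(a, b) >= 0: the last nonzero remainder (Theorem 1.8.3)."""
    return remainder_sequence(a, b)[0][-2]


def iterations(a, b):
    """Number n of while-loop iterations the Euclidean algorithm needs."""
    return len(remainder_sequence(a, b)[1])


def iteration_bound(b):
    """Upper bound on the iterations for a > b > 0 (Theorem 1.8.7)."""
    return log(b) / log(PHI) + 1


def lemma_1_8_5_holds(a, b):
    """q_k >= 1 for k < n and q_n >= 2, for a > b > 0."""
    _, q = remainder_sequence(a, b)
    return all(qk >= 1 for qk in q[:-1]) and q[-1] >= 2


def extended_euclid(a, b):
    """Return (g, x, y) with g = gcd(a, b) = a*x + b*y for a, b >= 0, using
    x_{k+1} = q_k x_k + x_{k-1}, y_{k+1} = q_k y_k + y_{k-1} (Eq. 1.7) and
    x = (-1)^n x_n, y = (-1)^(n+1) y_n (Theorem 1.9.1)."""
    if a < 0 or b < 0:
        raise ValueError("Section 1.9 assumes a, b >= 0")
    r, q = remainder_sequence(a, b)
    n = len(q)                       # r_n is the last nonzero remainder
    x, y = [1, 0], [0, 1]            # x_0, x_1 and y_0, y_1
    for k in range(1, n + 1):
        x.append(q[k - 1] * x[k] + x[k - 1])
        y.append(q[k - 1] * y[k] + y[k - 1])
    for k in range(n + 2):           # Theorem 1.9.1 holds for every k, not only k = n
        assert r[k] == a * (-1) ** k * x[k] + b * (-1) ** (k + 1) * y[k]
    return r[n], (-1) ** n * x[n], (-1) ** (n + 1) * y[n]


def solve_linear(a, b, n):
    """One integer solution (x, y) of a*x + b*y = n for a, b >= 0, or None
    (Corollary 1.7.6: solvable iff gcd(a, b) | n)."""
    g, x, y = extended_euclid(a, b)
    if n == 0:
        return (0, 0)
    if g == 0 or n % g != 0:
        return None
    return x * (n // g), y * (n // g)


def mod_inverse(a, m):
    """a^-1 mod m, which exists iff gcd(a, m) = 1 (e.g. the RSA private
    exponent d = e^-1 mod phi(n))."""
    if m <= 1:
        raise ValueError("modulus must be > 1")
    g, x, _ = extended_euclid(a % m, m)
    if g != 1:
        raise ValueError("%d has no inverse modulo %d (gcd = %d)" % (a, m, g))
    return x % m


if __name__ == "__main__":
    print(remainder_sequence(100, 35))          # Example 1.8.4: ([100, 35, 30, 5, 0], [2, 1, 6])
    print(extended_euclid(120, 23))             # (1, -9, 47), as in the slide example
    print(extended_euclid(100, 35))             # (5, -1, 3), Example 1.9.2
    # Consecutive Fibonacci numbers are the worst case for Theorem 1.8.7.
    print(iterations(89, 55), iteration_bound(55))
    print(mod_inverse(17, 3120))                # 2753: the textbook RSA toy key
```

The consecutive Fibonacci numbers 89 and 55 force every quotient to be 1 except the last, so the 9 iterations sit just under the bound of about 9.33 from Theorem 1.8.7; for any other pair of the same size the algorithm finishes sooner. Python 3.8+ offers pow(a, -1, m) for the modular inverse; mod_inverse() above shows what that call computes.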
We set $x_0 = 1$, $x_1 = 0$, $y_0 = 0$, $y_1 = 1$. Furthermore, we let
$x_{k+1} = q_k x_k + x_{k-1}$, $y_{k+1} = q_k y_k + y_{k-1}$, $1 \le k \le n$   (Eq. 1.7).
(Compare the form $r_i = a(x_{i-2} - \lfloor r_{i-2}/r_{i-1} \rfloor x_{i-1}) + b(y_{i-2} - \lfloor r_{i-2}/r_{i-1} \rfloor y_{i-1})$ used in the example: the sequences of Eq. 1.7 are the same coefficients with the alternating signs factored out.)
We assume that a and b are nonnegative.
Theorem 1.9.1. We have $r_k = a(-1)^k x_k + b(-1)^{k+1} y_k$ for $0 \le k \le n+1$.
Proof.
1. $r_0 = a = a \cdot 1 - b \cdot 0 = a x_0 - b y_0$.
2. $r_1 = b = -a \cdot 0 + b \cdot 1 = -a x_1 + b y_1$.
3. Let $k \ge 2$ and suppose that the assertion is true for all $k' < k$.
4. Then $r_k = r_{k-2} - \lfloor r_{k-2}/r_{k-1} \rfloor r_{k-1} = r_{k-2} - q_{k-1} r_{k-1}$, so
$r_k = a(-1)^{k-2} x_{k-2} + b(-1)^{k-1} y_{k-2} - q_{k-1} \left(a(-1)^{k-1} x_{k-1} + b(-1)^k y_{k-1}\right)$
$= a(-1)^k (x_{k-2} + q_{k-1} x_{k-1}) + b(-1)^{k+1} (y_{k-2} + q_{k-1} y_{k-1})$
$= a(-1)^k x_k + b(-1)^{k+1} y_k$. end of proof
Note that with $x = (-1)^n x_n$ and $y = (-1)^{n+1} y_n$ we get $r_n = \gcd(a, b) = ax + by$.

Example 1.9.2. Compute x, y such that 100x + 35y = gcd(100, 35).
$r_1 = 100 = 100 \cdot 1 + 35 \cdot 0$   ($x_1 = 1$, $y_1 = 0$)
$r_2 = 35 = 100 \cdot 0 + 35 \cdot 1$   ($x_2 = 0$, $y_2 = 1$)
$r_3 = 30 = 100 - 2 \cdot 35 = (100 \cdot 1 + 35 \cdot 0) - 2 \cdot (100 \cdot 0 + 35 \cdot 1) = 100 \cdot 1 + 35 \cdot (-2)$
$r_4 = 5 = 35 - 1 \cdot 30 = (100 \cdot 0 + 35 \cdot 1) - 1 \cdot (100 \cdot 1 + 35 \cdot (-2)) = 100 \cdot (-1) + 35 \cdot 3$
$r_5 = 0 = 30 - 6 \cdot 5$
Hence gcd(100, 35) = 5 = 100 * (-1) + 35 * 3. end of example

1.10 Analysis of the extended Euclidean algorithm
Theorem 1.10.5. The extended Euclidean algorithm uses time O((size a)(size b)) to compute gcd(a, b) including a representation gcd(a, b) = ax + by.

1.11 Factoring into primes
A central notion of elementary number theory is that of a prime number. Prime numbers are used in many cryptographic algorithms.
In this section, we introduce prime numbers and prove that every positive integer is a product of primes in which the factors are unique up to permutation.
Definition 1.11.1. An integer p > 1 is called a prime number if it has exactly two positive divisors, namely 1 and p. We denote the set of all primes by $\mathbb{P}$. An integer a > 1 that is not a prime is called composite.

Theorem 1.11.2. Every integer a > 1 has a prime divisor.
Proof. The integer a has a divisor that is greater than 1, namely a. Among all divisors of a that are greater than 1, let p be the smallest. Then p must be prime. Otherwise, p would have a divisor b with $1 < b < p \le a$, and b would also divide a. This contradicts the assumption that p is the smallest divisor of a that is greater than 1. end of proof

Theorem 1.11.3. If a prime number divides the product of two integers, then it divides at least one factor.
Proof. Suppose that the prime number p divides ab but not a.
1. Since p is a prime number and p does not divide a, gcd(a, p) = 1.
2. By Corollary 1.7.7, there are integers x, y with 1 = ax + py.
3. Multiplying 1 = ax + py by b gives b = axb + pyb.
4. p divides ab and p divides pyb, so p divides b. end of proof

Corollary 1.11.4. If a prime number p divides a product $q_1 \cdots q_k$ of prime numbers, then p is equal to one of the factors $q_1, \ldots, q_k$.
Proof. The proof uses induction on k.
1. If k = 1, then p is a divisor of $q_1$ that is greater than 1, hence $p = q_1$.
2. If k > 1, then p divides $q_1 (q_2 \cdots q_k)$. By Theorem 1.11.3, the prime p divides $q_1$ or $q_2 \cdots q_k$.
3. Both $q_1$ and $q_2 \cdots q_k$ have fewer than k factors, so the assertion follows from the induction hypothesis. end of proof

Theorem 1.11.5. Every integer a > 1 can be written as the product of prime numbers. Up to permutation, the factors in this product are uniquely determined.
Proof. The proof uses induction on a.
1. If a = 2, the theorem is true.
2.
If a > 2, then by Theorem 1.11.2 there is a prime divisor p of a. If a/p = 1, then a = p and the assertion holds. Let a/p > 1. By the induction hypothesis, a/p is a product of primes (since a > a/p > 1, the theorem already holds for a/p).
3. Therefore $a = p \cdot (a/p)$ is also a product of primes. This proves the existence of the prime factor decomposition of a.
Uniqueness:
4. Let $a = p_1 \cdots p_k$ and $a = q_1 \cdots q_l$ be factorizations of a into prime numbers.
5. By Corollary 1.11.4, the prime $p_1$ is equal to one of the primes $q_1, \ldots, q_l$.
6. By permuting the $q_i$, we can make sure that $p_1 = q_1$.
7. But by the induction hypothesis, the factorization of $a/p_1 = a/q_1$ into prime numbers is unique.
8. Hence k = l and $p_i = q_i$ for $1 \le i \le k$ after an appropriate permutation of the $q_i$. end of proof

Theorem 1.11.6. The French mathematician Pierre de Fermat thought that all of the so-called Fermat numbers $F_i = 2^{2^i} + 1$ are primes. $F_0 = 3$, $F_1 = 5$, $F_2 = 17$, $F_3 = 257$, … However, $F_5 = 641 \cdot 6700417$ is composite.
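Section 1.11 in runnable form: primality in the sense of Definition 1.11.1, the factorization of Theorem 1.11.5 obtained by repeatedly splitting off the smallest divisor greater than 1 (the prime of Theorem 1.11.2), and the Fermat-number remark checked by machine. This is an added Python example, not code from the slides or from Buchmann's book; the function names and the sample numbers 360 and 3233 are this example's own. Trial division is used because the statements are about small concrete numbers; its running time is exponential in the size of the input, so it is not how cryptographic software tests primality or why factoring is hard in practice.

```python
"""Primes and factoring into primes (Section 1.11).

Added example; not code from the slides or from Buchmann's book. The function
names and sample inputs are this example's own.
"""


def is_prime(n):
    """Definition 1.11.1 checked by trial division: n > 1 and no divisor d with
    1 < d <= sqrt(n). (A composite n = b*c always has a factor <= sqrt(n).)"""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def factor(a):
    """Prime factorization of a > 1 as a nondecreasing list with multiplicity
    (Theorem 1.11.5). Each step splits off the smallest divisor > 1 of the
    remaining cofactor, which is prime by the argument of Theorem 1.11.2."""
    if a <= 1:
        raise ValueError("need a > 1")
    factors = []
    p = 2
    while p * p <= a:
        while a % p == 0:
            factors.append(p)
            a //= p
        p += 1
    if a > 1:
        factors.append(a)   # no divisor <= sqrt(a) remains, so the cofactor is prime
    return factors


def product(xs):
    result = 1
    for x in xs:
        result *= x
    return result


def factorization_is_valid(a):
    """Existence half of Theorem 1.11.5 for one a: every factor is prime and the
    factors multiply back to a."""
    fs = factor(a)
    return all(is_prime(p) for p in fs) and product(fs) == a


def fermat_number(i):
    """F_i = 2^(2^i) + 1 (Theorem 1.11.6 on the slides)."""
    return 2 ** (2 ** i) + 1


def fermat_status(up_to):
    """(i, F_i, factor(F_i)) for 0 <= i <= up_to. Kept to F_5 here: trial
    division on F_6 and beyond would take far longer."""
    return [(i, fermat_number(i), factor(fermat_number(i))) for i in range(up_to + 1)]


if __name__ == "__main__":
    print(factor(360))                  # [2, 2, 2, 3, 3, 5]
    print(factor(3233))                 # [53, 61]: the toy RSA modulus of Section 1.9's example
    for i, f, fs in fermat_status(5):
        print("F_%d = %d = %s" % (i, f, " * ".join(map(str, fs))))
```

F_0 to F_4 come back with a single factor (themselves), while F_5 = 4294967297 splits as 641 * 6700417, which is the counterexample Fermat did not know.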