Download Document

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
page
68
page
69
page
70
page
71
page
72
page
73
page
74
page
75
Document related concepts
no text concepts found
Transcript 
Textbook: Introduction to Cryptography 2nd ed.
By J.A. Buchmann
Chap 2 Congruences and Residue Class Rings
Department of Computer Science and Information Engineering,
Chaoyang University of Technology
朝陽科技大學資工系
Speaker: Fuw-Yi Yang 楊伏夷
伏夷非征番,
道德經 察政章(Chapter 58) 伏者潛藏也
道紀章(Chapter 14) 道無形象, 視之不可見者曰夷
Fuw-Yi Yang
1
Contents
Congruences
Semigroups
Groups
Residue class ring
Fields
Division in the residue class ring
Analysis of the operation in the residue class ring
Multiplicative group of residue mod m
Order of group elements
Subgroups
Fermat’s Little Theorem
Fast exponentiation
Fuw-Yi Yang
2
Contents
Fast evaluation of power products
Computation of element orders
The Chinese Remainder Theorem
Decomposition of the residue class ring
A formula for the Euler -function
Polynomials
Polynomials over fields
Construction of finite fields
The structure of the unit group of finite fields
Structure of the multiplicative group of residues modulo
a prime number
Fuw-Yi Yang
3
2.1 Congruences: Definition
Definition 2.1.1
m is a positive integer, a and b are integers.
We say that a is congruent to b modulo m, and we write
a  b mod m, if m divides the b – a.
Example 2.1.2
We have -2  19 mod 21, 10  0 mod 2.
Fuw-Yi Yang
4
2.1 Congruences: satisfying equivalence relation
It can be easily verified that congruence modulo m is an
equivalence relation on the integers. This means that
1. Reflexivity
Any integer is congruent to itself modulo m.
2. Symmetry
a  b mod m implies b  a mod m.
3. Transitivity
a  b mod m and b  c mod m implies a  c mod m.
Fuw-Yi Yang
5
2.1 Congruences: equivalent statements
Lemma 2.1.3 The following statements are equivalent:
1. a  b mod m .
2. There is k  Z with a = b + k  m.
3. When dividing by m, both a and b leave the same
remainder.
Fuw-Yi Yang
6
2.1 Congruences: Residue class of a mod m
The equivalent class of a consists of all integers that are
obtained from a by adding integer multiplies of m; i.e.,
{b: b  a mod m} = a + mZ.
The equivalent class is called residue class of a mod m.
The set of residue classes mod m is denoted by Z/mZ.
Example 2.1.4~2.1.6
Fuw-Yi Yang
7
2.1 Congruences: Residue class of a mod m
Theorem 2.1.7
a  b mod m and c  d mod m implies -a  -b mod m,
a + c  b + d mod m, and a  c  b  d mod m.
Proof. 1. a  b mod m  b  a mod m (Symmetry)
m | (a - b)  m | (-a + b)  -a  -b mod m
2. m | (a - b) and m | (c - d) 
m | [(a - b) - (c - d)] 
m | [(a + c) - (b + d)]  a + c  b + d mod m
3. a = b + k  m and c = d + l  m 
a  c = b  d + n  m  a  c  b  d mod m
Fuw-Yi Yang
8
2.1 Congruences: Residue class of a mod m
Example 2.1.8 We want to prove that the fifth Fermat
number 225 + 1 is divisible by 641.
Ans. 641 = 640 + 1 = 5  27 + 1
 5  27  -1 mod 641
 54  228  1 mod 641 (Theorem 2.1.7)
also 641 = 625 + 16 = 54 + 24  54  -24 mod 641
Thus -232 1 mod 641
 1 + 232 0 mod 641.
Fuw-Yi Yang
9
2.2 Semigroups
Definition 2.2.1 If X is a set, a map ◦: X  X X which
sends a pair (x1, x2) of elements from X to the element x1
◦ x2 is called an operation on X.
Definition 2.2.3
The sum of the residue classes
a + mZ and b + mZ is (a + b) + mZ.
The product of the residue classes
a + mZ and b + mZ is (a  b) + mZ.
Fuw-Yi Yang
10
2.2 Semigroups
Definition 2.2.5
Let ◦ be an operation on the set X.
It is called associative
if (a ◦ b) ◦ c = a ◦( b ◦ c) holds for all a, b, c  X.
It is called commutative
if a ◦ b = b ◦ a for all a, b  X.
Example 2.2.6 Addition and multiplication on the set of
real numbers are associative and commutative. The
same is true for addition and multiplication in Z/mZ.
Fuw-Yi Yang
11
2.2 Semigroups
Definition 2.2.7 A pair (H, ◦) consisting of a set H and
an associative operation ◦ on H is called a semigroup.
The semigroup is called commutative or abelian if the
operation ◦ is commutative.
Example 2.2.8 Commutative semigroups are
(Z, +), (Z, ), (Z/mZ, +), (Z/mZ, ).
Let (H, ◦) be a semigroup, and a1 = a and an+1 = a ◦an
for a  H and n  N. Then an ◦am = an+m , (an)m = amn.
If a, b  H and a ◦b =b ◦a then (a ◦b)n =an ◦bn
Fuw-Yi Yang
12
2.2 Semigroups
Definition 2.2.9 A neutral element of the semigroup (H, ◦) is an
element e  H which satisfies e ◦ a = a ◦ e for all a  H. If the
semigroup contains a neutral element, then it is called monoid.
A semigroup has at most one neutral element (exercise 2.23.3).
Definition 2.2.10 If e is the neutral element of the semigroup (H, ◦)
and if a  H, then b  H is called an inverse of a if a ◦ b = b ◦ a = e.
If a has an inverse, then a is called invertible in the semigroup H.
In a monoid, each element has at most one inverse (exercise 2.23.5).
Fuw-Yi Yang
13
2.2 Semigroups
Example 2.2.11
The neutral element of the semigroup (Z, +) is 0.
The inverse of a is -a.
The neutral element of the semigroup (Z, ) is 1.
The only invertible elements are 1 and -1.
The neutral element of the semigroup (Z/mZ, +) is the residue class mZ.
The inverse of a + mZ is -a + mZ.
The neutral element of the semigroup (Z/mZ, ) is 1 + mZ.
The invertible elements are ….
Fuw-Yi Yang
14
2.3 Groups
Definition 2.3.1 A group is a monoid in which any element is
invertible. The group is called commutative or abelian if the monoid is
commutative.
Fuw-Yi Yang
15
2.3 Groups
Example 2.3.2
The monoid (Z, +) is an abelian group.
The monoid (Z, ) is not a group because not every element is
invertible.
The monoide (Z/mZ, +) is an abelian group.
Let (G, ) be a group, and a1 = a, an+1 = a ◦an, a-1 denotes the inverse of
a and a-n = (a-1)n for a  G and n  N.
Then an ◦am = an+m , (an)m = amn.
If a, b  G and a ◦b =b ◦a then (a ◦b)n =an ◦bn
Fuw-Yi Yang
16
2.3 Groups
Theorem 2.3.3 (cancellation rules)
Let (G, ) be a group and a,b,c  G.
Then ca = cb implies a = b and ac = bc implies a = b .
(multiplied by c-1)
Definition 2.3.4
The order of a group or a semigroup is the number of its elements.
Example 2.3.5
The additive group Z has infinite order.
The additive group Z/mZ has order m.
Fuw-Yi Yang
17
2.4 Residue class ring
Definition 2.4.1 A ring is a triple (R, +, ) such that (R, +) is an
abelian group and (R, ) is a semigroup.
In addition, x  (y + z) = x  y + x  z and (x + y)  z = x  z + y  z
for x, y , z  R. (distributive law)
The ring is called commutative if the semigroup (R, ) is commutative.
A unit element of the ring is a neutral element of the semigroup (R, ).
Example 2.4.2
The triple (Z, +, ) is a commutative ring with unit element 1.
The triple (Z/mZ, +, ) is a commutative ring with unit element 1+mZ.
(Called residue class ring modulo m)
Fuw-Yi Yang
18
2.4 Residue class ring
Definition 2.4.3 (writing R for (R, +, ) )
Let R be a ring with unit element. An element a of R is called invertible
or a unit if it is invertible in the multiplicative semigroup of R.
The element a is called a zero divisor if it is nonzero and there is a
nonzero b  R with ab = 0 or ba = 0.
Exercise 2.23.9
The units of a commutative ring R form a group. It is called the unit
group of R and is denoted by R*.
Fuw-Yi Yang
19
2.4 Residue class ring
Example 2.4.4
The ring of integers contains no zero divisors.
The zero divisor of the residue class ring Z/mZ are the residue classes
a + mZ with 1 < gcd(a, m) < m.
In fact, if a + mZ is a zero divisor of Z/mZ, then there is an integer b
with ab  0 mod m but neither a  0 mod m nor b  0 mod m. Hence m
is a divisor of ab but neither of a nor of b. This means that 1 < gcd(a, m)
< m. If, conversely, 1 < gcd(a, m) < m and b = m/gcd(a, m), then a  0
mod m, b  0 mod m, ab  0 mod m. Therefore, a + mZ is a zero divisor
of Z/mZ.
If p is a prime, then Z/pZ contains no zero divisors.
Fuw-Yi Yang
20
2.5 Fields
Definition 2.5.1 A field is commutative ring in which every nonzero
element is invertible.
Example 2.5.2
The set of integers is not a field.
The set of real numbers forms a field.
The set of complex numbers forms a field.
The residue class ring modulo a prime number is a field.
Fuw-Yi Yang
21
2.6 Division in the residue class ring
Definition 2.6.1 Let R be a ring and a, n  R.
We say that a divides n if there is a b  R such that n = ab.
If the ring element a divides n, then a is called a divisor of n and n is
called a multiple of a, and we write a|n.
The residue class a + mZ is invertible in Z/mZ if and only if the
congruence ax  1 mod m is solvable. See Theorem 2.6.2
Fuw-Yi Yang
22
2.6 Division in the residue class ring
Theorem 2.6.2
The residue class a + mZ is invertible in Z/mZ if and only if
gcd(a, m) = 1.
If gcd(a, m) = 1, then the inverse of a + mZ is uniquely determined.
Proof. Let g = gcd(a, m) and x be a solution of ax  1 mod m.
g | m, g | a, and g | ax - 1  g | 1  g = 1
Conversely, let g = 1.  x, y such that ax + my = 1,  ax -1= my
 x is a solution of ax  1 mod m
 x + mZ is an inverse of a + mZ
Let v + mZ be another inverse of a + mZ.  ax  av mod m
 a(x - v)  0 mod m  m | a(x - v), together with 1 = gcd(a, m)
 m | (x - v)  x  v mod m
Fuw-Yi Yang
23
2.6 Division in the residue class ring
Example 2.6.3
Let m = 12. The residue class a + 12Z is invertible in Z/12Z if and
only if gcd(a, 12) = 1.
The invertible residue classes mod 12 are therefore
1 + 12Z , 5 + 12Z , 7 + 12Z , 11 + 12Z.
To find the inverse of element a with gcd(a, m) = 1, we use the
extended Euclidean algorithm.
Theorem 2.6.4 The residue class ring Z/mZ is a field if and only if m
is a prime number.
Proof. By theorem 2.6.2, the ring Z/mZ is a field if and only if 1 =
gcd(a, m) for all a with 1  a  m. This is true iff m is a peime number.
Fuw-Yi Yang
24
2.7 Analysis of the operations in the residue class ring
We assume that the elements of the residue class ring Z/mZ are
represented by their smallest nonnegative representatives. Under this
assumption, we estimate the running time of the operations in the
residue class ring.
Let a, b  {0, 1,…,m - 1}.
Theorem 2.7.1
Two residue classes modulo m can be added and substracted using
time and space O(size m).
They can be multiplied and divided using time O((size m)2) and space
O(size m).
Fuw-Yi Yang
25
2.8 Multiplicative group of residues mod m
Theorem 2.8.1
The set of all invertible residue classes modulo m is a finite abelian
group with respect to multiplication.
Proof. By Theorem 2.6.2, this set is the unit group of the residue class
rings mod m. (R*)
Fuw-Yi Yang
26
2.8 Multiplicative group of residues mod m
The group of invertible residue classes modulo m is called the
multiplicative group of residues modulo m and is written (Z/mZ)*.
Its order is denoted by φ(m).
The function
N  N, m  φ(m)
is called the Euler φ-function.
φ(m) is the number of integers a in {1,2,…,m} with gcd(a, m) = 1.
Fuw-Yi Yang
27
2.8 Multiplicative group of residues mod m
Example 2.8.2 The multiplicative group of residues modulo 12 is
(Z/12Z)* = { 1 + 12Z, 5 + 12Z, 7 + 12Z, 11 + 12Z}.
Its order is φ(12) = 4.
Theorem 2.8.3 If p is a prime number, then φ(p) = p - 1.
Proof. All numbers a between 1 and p - 1 are prime to p.
Theorem 2.8.4
  (d )  m
d |m, d 0
Fuw-Yi Yang
28
2.9 Order of group elements
Let G be a group that is multiplicatively written with neutral element 1.
Definition 2.9.1 Let g  G. If there is a positive integer e with ge = 1,
then the smallest such integer is called the order of g in G. Otherwise,
we say that the order of g in G is infinite.
Theorem 2.9.2 Let g  G and e  Z. Then ge = 1 iff e is divisible by
the order of g in G.
Proof. Let n be the order of g in G.
If e = kn, then ge = gkn = (gn)k = 1k = 1.
Conversely, let ge = 1 and e = qn + r with 0  r < n.
Then gr = ge-qn = geg-nq = 1.  r = 0.  n | e.
Fuw-Yi Yang
29
2.9 Order of group elements
Corollary 2.9.3 Let g  G with order n. Let k, l be integers.
Then gk = gl iff l  k mod n.
Proof. Let e = l – k. Then by Theorem 2.9.2 we have n | e.
It follows that l  k mod n.
Theorem 2.9.4 We determine the order of 2 + 13Z in (Z/13Z)*.
k
0
1
2
3
4
5
6
7
2k mod 13
1
2
4
8
3
6
12 11
Fuw-Yi Yang
8
9
10
11
12
9
5
10
7
1
30
2.9 Order of group elements
Theorem 2.9.5 If g  G is of finite order e and n  Z,
then the order of gn = e/gcd(e, n).
Proof. We have (gn)e/gcd(e, n) = (ge)n/gcd(e, n) = 1.
Theorem 2.9.3 implies that e/gcd(e, n) is a multiple of the order of gn.
Suppose 1 = (gn)k = gnk. Theorem 2.9.3 implies that e is a divisor of nk
and e/gcd(e, n) is a divisor of k.
 the order of gn = e/gcd(e, n).
Fuw-Yi Yang
31
2.10 Subgroups
Definition 2.10.1 A subset U of G is called a subgroup of G if U
together with the group operation of G is a group.
Example 2.10.2
For all g  G, the set {gk: k  Z} is a subgroup of G.
It is called the subgroup generated by g and is denoted by g.
If g has finite order e, then g = {gk: 0  k < e}.
In fact, for any integer x we have gx = gx mod e by Corollary 2.9.3.
Corollary 2.9.3. also implies that the order of g is e.
Example 2.10.3 2+13Z generates the full group (Z/13Z)*,
 4+13Z generates the group {k + 13Z: k = 1, 3, 4, 9, 10, 12}.
Fuw-Yi Yang
32
2.10 Subgroups
Definition 2.10.4 If G = g for some g  G, then G is called cyclic
and g is called a generator of G.
Example 2.10.5 The additive group Z is cyclic. It has two generators,
namely 1 and -1.
Theorem 2.10.6 If G is finite and cyclic, then G has exactly (|G|)
generators and they are all of order |G|.
Example 2.10.7 Since the order of 2 + 13Z in (Z/13Z)* is 12, the
group (Z/13Z)* is cyclic.
Fuw-Yi Yang
33
2.10 Subgroups
A map f: XY is called
injective if f(x) = f(y) implies x = y for all x, y  X,
surjective if for any y  Y there is x  X with f(x) = y,
bijective if it is injective and surjective.
A bijective map is also called a bijection. If there is a bijection
between two finite sets, then the sets have the same number of
elements.
Example 2.10.8 The map f: NN, n  f(n) = n. It is bijective.
The map f: NN, n  f(n) = n2. It is injective but not bijective.
The map f: {1, 2, 3, 4, 5 ,6} {0, 1, 2, 3, 4, 5}, n  f(n) = n mod 6. It
is bijective.
Fuw-Yi Yang
34
2.10 Subgroups
Theorem 2.10.9 If G is a finite group, then the order of each subgroup
of G divides the order of G.
Definition 2.10.10 If H is a subgroup of G, then the positive integer
|G| / |H| is called the index of H in G.
Fuw-Yi Yang
35
2.11 Fermat’s little theorem
Theorem 2.11.1 If gcd(a, m) = 1 then a(m) 1 mod m.
Proof. (Z/mZ)* is a finite abelian group of order (m),
This Theorem follows from Corollary 2.11.3.
Theorem 2.11.2 The order of every group element divides the group
order |G|.
Proof. By Theorem 2.10.9
Corollary 2.11.3 We have g|G| = 1 for all g  G.
Proof. By Theorem 2.11.2 and 2.9.3.
Fuw-Yi Yang
36
2.12 Fast Exponentiation
k
Let g  G and e be a positive integer. Let e   ei 2i be the binary
expansion of e. Note that eis are either 0 or 1.
e 2i

2i ei
i 0 i
g g
  (g ) 
k
k
e
i 0
g
i 0
2i
0i  k ,ei 1
From the formula, the following idea for computing ge are obtained.
1. Compute the successive squares g2i, 0  i  k.
2.Determine ge as the product of those g2i for which ei = 1.
3. g2i+1 = (g2i)2
Fuw-Yi Yang
37
2.12 Fast Exponentiation
Example 2.12.1 We determine 673 mod 100.
1. 73 = 1 + 23 + 26
2. 62 = 36, 622 = -4, 623 = 16, 624= 56, 625 = 36, 626 = -4 mod 100
673 = 6 623626 = 16 mod 100.
Fuw-Yi Yang
38
2.12 Fast Exponentiation
pow(group Element base, int exponent, groupElement result)
begin result = 1
while (exponent > 0)
if (isEven(exponent) == false)
result = result  base
base = base  base
exponent = exponent / 2
end end while
Theorem 2.12.2 Algorithm pow() computes baseexponent using at most
size(exponent) - 1 squarings and multiplications. It only stores a
constant number of group elements.
Fuw-Yi Yang
39
2.12 Fast Exponentiation
Corollary 2.12.3 If e is an integer and a  {0, …, m-1}, then the
computation of ae mod m requires time O((size e)(size m)2) and space
O(size e + size m).
Fuw-Yi Yang
40
2.13 Fast evaluation of power products
Let G be a finite abelian group, g1, …, gk be elements of G, and
e1,…,ek be nonnegative integers. We want to evaluate the power
product
k
A   g iei .
i 1
Assume that the binary expansion of the exponents ei are normalized
to equal length, and are represented as bi,n-1bi,n-2…bi,0 1  i  k. For at
least one i, let bi,n-1 be nonzero.
Fuw-Yi Yang
41
2.14 Computation of element orders
We discuss the problem of finding the order of an element g of a finite
group G or to check whether a given positive integer is the order of g.
Assume that
| G |   p e( p )
is known.
p||G|
(If the prime factorization of |G| is unknown, then it is not easy to find
the order of g.)
Theorem 2.14.1 For a prime divisor p of |G|, let f(p) be the greatest
integer such that g|G|/pf(p) = 1. Then order of g =  p e( p ) f ( p ) .
p||G|
Fuw-Yi Yang
42
2.14 Computation of element orders
Example 2.14.2 Let G be the multiplicative group of residues modulo
101. Its order is 100 = 22  52. Hence, e(2) = e(5) = 2.
We compute the order of 2 + 101Z.
1. Compute the number f(p) from Theorem 2.14.1,
for each p  factorization of | G |
p= 2 , let f(2) =1, g|G|/pf(p) = 222  52/21 = 250 = -1 mod 101  f(2) = 0.
p= 5 , let f(5) =1, g|G|/pf(p) = 222  52/51 = 220 = -6 mod 101  f(5) = 0.
2. The order of 2 is computed as  p e( p ) f ( p )  220  520  100 .
p||G|
Fuw-Yi Yang
43
2.14 Computation of element orders
Example 2.14.2.0 Let G be the multiplicative group of residues
modulo 101. Its order is 100 = 22  52. Hence, e(2) = e(5) = 2.
We compute the order of 5 + 101Z.
1. Compute the number f(p) from Theorem 2.14.1,
for each p  factorization of | G |
p= 2 , let f(2) =1, g|G|/pf(p) = 522  52/21 = 550 = 1 mod 101
let f(2) =2, 522  52/22 = 525 = 1 mod 101
 f(2) = 2.
p= 5 , let f(5) =1, g|G|/pf(p) = 522  52/51 = 520 = -6 mod 101  f(5) = 0.
2. The order of 5 is computed as  p e( p) f ( p)  222  520  25 .
p||G|
Fuw-Yi Yang
44
2.14 Computation of element orders
Corollary 2.14.3 Let n  N. If gn = 1 and gn / p  1 for each prime
divisor p of n, then n is the order of g.
Example 2.14.4 We claim that 25 is the order of the residue class 5 +
101Z in the multiplicative group of residues modulo 101.
In fact, 525  1 mod 101 and 55  -6 mod 101. Hence, the assertion
follows from Corollary 2.14.3.
Fuw-Yi Yang
45
2.15 The Chinese Remainder Theorem
Let m1,…mn be positive integers that are pairwise co-prime.
Let a1,…an be integers. We explain how to solve the following
simultaneous congruence:
x  a1 mod m1, x  a2 mod m2,…, x  an mod mn.
Set m = m1m2 …  mn, Mi = m/mi, 1  i  n.
gcd(mi, Mi) = 1  yi s.t. yi  Mi  1 mod mi.
Then we set x = (a1y1M1) +…+ (anynMn) mod m.
Clearly, x is the solution of the above simultaneous congruence. Since
x  (a1y1M1) +… + (aiyiMi) +… + (anynMn)  ai mod mi , 1  i  n.
Fuw-Yi Yang
46
2.15 The Chinese Remainder Theorem
Example 2.15.1 We want to solve the following simultaneous
congruence:
x  2 mod 4, x  1 mod 3, x  0 mod 5.
Set m = 4  3 5 = 60, M1 = 60/4 = 15, M2 = 60/3 = 20, M3 = 60/5 = 12.
Solve for y1M1  1 mod 4  y1 = -1
y2M2  1 mod 3  y2 = -1
y3M3  1 mod 3  y3 = 3
Then we set x = (a1y1M1) +…+ (anynMn)
= 2  -1  15 + 1  -1  20 + 0  3 12
= -50 = 10 mod 60.
Fuw-Yi Yang
47
2.15 The Chinese Remainder Theorem
Theorem 2.15.2 Chinese remainder theorem Let m1,…mn be pairwise
co-prime positive integers and let a1,…an be integers. Then the
simultaneous congruence:
x  a1 mod m1, x  a2 mod m2,…, x  an mod mn,
has a solution x which is unique mod m = m1 m2 …  mn.
Proof. The existence has been proved in previous pages. We prove the
uniqueness. Let x and x be two such solutions. Then
x  x mod mi, 1  i  n.
Since the numbers mi are pairwise co-prime, it follows that
x  x mod m.
Fuw-Yi Yang
48
2.15 The Chinese Remainder Theorem
crt(int moduli[], int x[], int numberOfModuli, int result)
begin
int multipliers[numberOfModuli], modulus, i, result = 0 ;
modulus = 1;
crtPrecomp(moduli, numberOfModuli, modulus, multipliers)
for (i = 0; i < numberOfModuli; i++)
result = result + multipliers[i] * x[i]) % modulus;
end
Fuw-Yi Yang
49
2.15 The Chinese Remainder Theorem
crtPrecomp(int moduli[], int numberOfModuli, int modulus, int
multipliers[])
begin
int i, m, M, inverse, gcd, y;
modulus = 1;
for (i = 0; i < numberOfModuli; i++)
modulus = modulus * moduli[i];
for (i = 0; i < numberOfModuli; i++)
m = moduli[i]; M = modulus / m;
Xeuclid(M, m, gcd, inverse, y);
multipliers[i] = inverse * M % modulus;
end
Fuw-Yi Yang
50
2.15 The Chinese Remainder Theorem
Theorem 2.15.3 Chinese remainder theorem The algorithm for
solving the simultaneous congruence
x  a1 mod m1, x  a2 mod m2,…, x  an mod mn,
requires time O((size m)2) and space O(size m).
Fuw-Yi Yang
51
2.16 Decomposition of the residue class ring
We use the Chinese remainder theorem to decompose the residue class
ring Z/mZ. Using the decomposition, we can reduce computations in a
large residue class ring Z/mZ to computations in many small residue
class rings Z/miZ.
Definition 2.16.1 Let R1, R2,…, Rn be rings. Their direct product
in1 Ri
is the set of all tuples (r1, r2, …, rn)  R1 R2  …  Rn
together with component-wise addition and multiplication.
Fuw-Yi Yang
52
2.16 Decomposition of the residue class ring
Example 2.16.2 Let R1 = Z/2Z and R2 = Z/9Z. Then
R = R1 R2 consists of all pairs (a + 2Z, b + 9Z), 0  a < 2, 0  b < 9.
Hence R has exactly 18 elements.
The unit element in R is (1 + 2Z, 1 + 9Z).
Fuw-Yi Yang
53
2.16 Decomposition of the residue class ring
Definition 2.16.3 Let (X, O1, …, On) and (Y, P1, …, Pn) be two sets
with n operations.
A map f : X  Y is called a homomorphism if
f(a Oi b) = f(a) Pi f(b) gilt for a, b  X and 1  i  n.
If the map is bijective, it is called an isomorphism.
Fuw-Yi Yang
54
2.16 Decomposition of the residue class ring
Example 2.16.4 If m is a positive integer, then the map
f : Z  Z/mZ, a a + mZ is a ring homomorphism.
f(a Oi b) = f(a) Pi f(b) gilt for a, b  X and 1  i  n.
Exercise 2.23.24 If G is a cyclic group of order n with generator g,
then
f : Z/nZ  G, e + nZ ge is an isomorphism of groups.
Fuw-Yi Yang
55
2.16 Decomposition of the residue class ring
Theorem 2.16.5 Let m1,…mn be pairwise co-prime positive integers
and let m = m1 m2 …  mn. Then the map
Z/mZ  in1 Z / mi Z , a + mZ (a + m1Z ,…, a + mnZ)
is an isomorphism of rings.
Proof.
1. If a  b mod m, then a  b mod mi for 1  i  n. (well defined)
2. The map is homomorphism.
3. The map is surjective and injective:
let (a1 + m1Z ,…, an + mnZ) in1 Z / mi Z . By Theorem 2.15.2
the tuple has unique preimage in Z/mZ.
Fuw-Yi Yang
56
2.17 A formula for the Euler φ-function
Theorem 2.17.1 Let m1,…mn be pairwise co-prime positive integers
and let m = m1 m2 …  mn. Thenφ(m) = φ(m1)  …  φ(mn).
Proof. Theorem 2.16.5 implies the map
(Z/mZ)*  in1 ( Z / mi Z ) *
, a + mZ (a + m1Z ,…, a + mnZ)
is an isomorphism of groups.
Therefore the number φ(m) of the elements of (Z/mZ)* is equal to
n
n
the number i 1 (mi ) of elements of i 1 ( Z / mi Z ) * .
Fuw-Yi Yang
57
2.17 A formula for the Euler φ-function
Theorem 2.17.2 Let m be a positive integers and m =  p|m p e( p )
Its prime factorization.
Thenφ(m) =  p|m ( p  1) p
e( p ) 1
p 1
.
 m p|m
p
e( p )

(
p
) .
Proof. Theorem 2.17.1 implies φ(m) =  p|m
φ(m) is the number of integers a in {1,…, m} with gcd(a, m) = 1.
φ(pe) is the number of integers a in {1,…, pe} with gcd(a, pe) = 1.
{1,2,…,p, p+1, p+2,…,2p, 2p+1,…,3p, …,pe}
There are pe/p = pe-1 subgroups , each has (p - 1) elements with gcd(a,
pe) = 1. Thus φ(pe) = (p - 1) pe-1.
Fuw-Yi Yang
58
2.18 Polynomials
Let R be a commutative ring with unit element 1 ≠0.
A polynomial in one variable over R is an expression
f(X) = anXn + an-1Xn -1 + …+ a1X + a0,
where X is the variable and the coefficients a0,…,an of the polynomial
are elements of R.
The set of all polynomials over R in the variable X is denoted by R[X].
Let an ≠0. Then n is called the degree of the polynomial. We write n =
deg f.
Fuw-Yi Yang
59
2.18 Polynomials
Example 2.18.1
The polynomials 2X3 + X + 1, X, 1 are elements of Z[X].
The first polynomial has degree 3, the second has degree 1, and the
third has degree 0.
If r  R, then
f(r) = anrn + an-1rn -1 + …+ a1r + a0
is the value of f at r.
If f(r) = 0, then r is called zero of f.
Fuw-Yi Yang
60
2.18 Polynomials
Example 2.18.2
The value of the polynomials 2X3 + X + 1  Z[X] at -1 is -2.
Example 2.18.3 Denote the elements of Z/2Z by 0 and 1.
Then X2 + 1  (Z/2Z)[X] has the zero 1.
Fuw-Yi Yang
61
2.18 Polynomials
If r  R, m  n , and
f(X) = anXn + an-1Xn -1 + …+ a1X + a0
g(X) = bmXm + bm-1Xm -1 + …+ b1X + b0
Then the sum of the polynomials f and g is
(f + g)(X) = (an+bn)Xn + …+ (a0+b0).
(bn,…,bm+1 are 0)
The product of the polynomials f and g is
(f g)(X) = cn+mXn+m + …+ c0,
k ab
c


where k
i 0 i k i , 0  k  m+n.
Fuw-Yi Yang
62
2.18 Polynomials
Assume that the operations of sum (+) and product () are defined as
previously, (R[X], +, ) is a commutative ring with unit element 1.
Fuw-Yi Yang
63
2.19 Polynomials over fields
Let K be a field.
Lemma 2.19.1
The ring K[X] of polynomials over K contains no zero divisors.
Lemma 2.19.2
If f, g  K[x], f, g ≠ 0, then deg(fg) = deg f + deg g.
Theorem 2.19.3
Let f, g  K[x], g ≠ 0. Then there are uniquely determined
polynomials q, r  K[x] with f = qg + r and r = 0 or deg r < deg g.
q is called quotient, and r remainder, written r = f mod g.
Fuw-Yi Yang
64
2.19 Polynomials over fields
Example 2.19.4
Let K = Z/2Z be the residue class ring mod 2. This ring is a field. The
elements are represented by their least nonnegative representatives, so
we write Z/2Z = {0, 1}. Let
f(x) = x3 + x + 1, g(x) = x2 + x.
We divide f with remainder by g.
f(x) = g(x) (x + 1) + 1
The quotient q = (x + 1), remainder r = 1.
Fuw-Yi Yang
65
2.19 Polynomials over fields
Theorem 2.19.5
Let f, g  K[x] with g ≠ 0, then the division with remainder of f by g
requires O((deg g + 1)(deg q + 1)) operations in K, if the quotient q of
the division is nonzero, and O(deg g) operation in K otherwise.
Theorem 2.19.3 implies the following corollary:
Corollary 2.19.6 If f is a nonzero polynomial in K[x] and if a is a zero
of f, then f = (x - a)q with q  K[x]. (i.e. (x - a) | f )
Proof. By Theorem 2.19.3, there are polynomials q,r  K[x] with
f = (x - a)q + r and r = 0. This implies 0 = f(a) = r; hence f = (x - a)q.
Fuw-Yi Yang
66
2.19 Polynomials over fields
Example 2.19.7
The polynomial x2 + 1  (Z/2Z)[x] has the zero 1 and therefore
x2 + 1 = (x - 1)2.
Corollary 2.19.8
A nonzero polynomial in f  K[x] has at most deg f zeros.
Proof. We prove the assertion by induction on n = deg f.
For n = 0, the assertion holds because f  K and f ≠0.
Let n > 0. If f has no zeros, then the assertion is true.
If f has a zero a, Corollary 2.19.6 implies f = (x - a)q and deg q = n - 1.
By the induction hypothesis, q has at most n - 1 zeros.
Therefore, f has at most n zeros.
Fuw-Yi Yang
67
2.19 Polynomials over fields
Example 2.19.9
The polynomial x2 + x  (Z/2Z)[x] has the zeros 0 and 1 in (Z/2Z).
By Corollary 2.19.8, it cannot have more zeros.
The polynomial x2 +1  (Z/2Z)[x] has the only zero 1 in (Z/2Z).
By Corollary 2.19.8, it could have at most two zeros.
The polynomial x2 + x +1  (Z/2Z)[x] has no zeros in (Z/2Z).
By Corollary 2.19.8, it could also have at most two zeros.
Fuw-Yi Yang
68
2.20 Construction of finite fields
We describe a method for constructing a finite field with pn elements
for any prime p and any positive integer n.
Up to isomorphy, this field is uniquely determined. It is denoted by
GF(pn). The prime number p is called the characteristic of the field.
The abbreviation GF stands for Galois field.
We already know from Theorem 2.6.4 that Z/pZ is a field with p
elements. It is denoted by GF(p).
Fuw-Yi Yang
69
2.20 Construction of finite fields
Let p be a prime number, let n be a positive integer, and let f be a
polynomial with coefficients in Z/pZ of degree n.
Assume that this polynomial is irreducible; that is, it cannot be written
as a product f = gh, where g and h are polynomials in (Z/pZ)[X] of
degree > 0.
The elements of the finite field , which is constructed now, are residue
classes mod f.
The residue class of a polynomial g  (Z/pZ)[X] consists of all
polynomials h in (Z/pZ)[X] such that g - h is a multiple of f.
For this residue class we write g + f (Z/pZ)[X]. We have
g + f(Z/pZ)[X] = {g + hf: h  (Z/pZ)[X] }
Fuw-Yi Yang
70
2.20 Construction of finite fields
Example 2.20.2
The residue classes in Z/2Z[X] mod f(X) = X2 + X + 1 are
f(Z/2Z), 1 + f(Z/2Z), X + f(Z/2Z), X + 1 + f(Z/2Z).
Let g, h  (Z/pZ)[X].
The sum of the residue classes of g and h mod f is defined as the
residue class of g + h.
The product of the residue classes of g and h mod f is the residue class
of the product of g and h.
With the addition and multiplication, the set of residue classes mod f
becomes a commutative ring with unit element 1 + f(Z/pZ)[X].
Fuw-Yi Yang
71
2.20 Construction of finite fields
Example 2.20.3
Let p = 2 and f(X) = X2 + X + 1.
The residue classes mod f are the residue classes of the polynomials
0, 1, X, X + 1 mod f .
Addition in GF(4)
Multiplication in GF(4)
+
0
0
0
1
1
X
X
1
1
0
X+1 X
X
X
X+1 0
X+1 X+1 X
1
X+1
X+1
1
0

1
X
X+1
Fuw-Yi Yang
1
1
X
X+1
X
X
X+1
1
X+1
X+1
1
X
72
2.21 The structure of the unit group of finite fields
Theorem 2.21.1
Let K be a finite field with q elements. Then for any divisor d of q - 1
there are exactly φ(d) elements of order d in the unit group K*.
Example 2.21.2 Consider the finite field Z/13Z. Its unit group is of
order 12. In this group, there is one element of order 1, one element of
order 2, two elements of order 3, two elements of order 4, two
elements of order 6, and four order of 12.
φ(1)=1, φ(2)=1, φ(3)=2, φ(4)=2, φ(6)=2, φ(12)=4
base
Order
1
2
3
4
5
6
7
8
9
10
11
12
1
12
3
6
4
12
12
4
3
6
12
2
Fuw-Yi Yang
73
2.21 The structure of the unit group of finite fields
Corollary 2.21.3
If K is a finite field with q elements, then its unit group K* is cyclic
of order q - 1. It has exactly φ(q - 1) generators.
Fuw-Yi Yang
74
2.22 Structure of the multiplicative group of residues modulo a
prime number
Corollary 2.22.1
The multiplicative group of residues modulo p is cyclic of order p - 1.
An integer a for which the residue class a + pZ generates the
multiplicative group of residues (Z + pZ)* is called a primitive root
mod p.
Example 2.22.2 Consider the finite field Z/13Z. There are four
primitive roots mod 13.
Fuw-Yi Yang
75
Related documents