NUMBER THEORY AND ALGEBRA
• ℤ: the set of integers { . . . , -3, -2, -1, 0, 1, 2, 3, . . . }
• a, b, c, d: integers, members of the set ℤ
• the algebraic operations "+", "–" and "×" are valid on the set
• a + b, a – b, a + b + c + d, a × b, b × d
• ⇒ all integers, belonging to the set ℤ
• members of ℤ satisfy
– the {addition, subtraction, multiplication} rules
– the {commutative, associative, distributive} laws
Associative laws:
(a + b) + c = a + (b + c)
(a × b) × c = a × (b × c)
Commutative laws:
a + b = b + a
a × b = b × a
Distributive law:
(a + b) × c = a × c + b × c
• ring ⇒ a set whose members satisfy
– addition, subtraction, multiplication and
– the associative and distributive laws
• commutative ring ⇒ a ring that additionally satisfies the commutative property for multiplication
• commutative ring examples: the set of integers, the set of real numbers, the set of complex numbers
• infinite commutative ring
⇒ a commutative ring with an infinite number of members
Other examples of rings, commutative rings, infinite commutative rings?
Division
a, b integers, a > b.
Is a divisible by b?
Yes ⇒ the quotient q = a / b is an integer, q ∈ ℤ
b ∣ a ⇒ 'b divides a'
c ∤ a ⇒ 'c does not divide a'
a, b and c integers
c ∣ a and c ∣ b ⇒ c is a common factor of a and b
80808 and 31863 ← 3, 13 are common factors
greatest common divisor, gcd(80808, 31863)
⇒ a related and important concept
school-book approach to get the gcd ⇒ factorize 80808 and 31863 as products of prime numbers
80808 = 2 × 2 × 2 × 3 × 7 × 13 × 37
{2, 2, 2, 3, 7, 13, 37} ← factor set of 80808
31863 = 3 × 13 × 19 × 43
{3, 13, 19, 43} ← factor set of 31863
{3, 13} ← common factor set of 80808 and 31863
3 × 13 = 39 ← the desired gcd.
⇒ gcd(80808, 31863) = 39
Euclidean algorithm: the sequence of divisions for gcd(80808, 31863)
80808 = 2 × 31863 + 17082
31863 = 1 × 17082 + 14781
17082 = 1 × 14781 + 2301
14781 = 6 × 2301 + 975
2301 = 2 × 975 + 351
975 = 2 × 351 + 273
351 = 1 × 273 + 78
273 = 3 × 78 + 39
78 = 2 × 39 + 0
remainder = 0? ⇒ stop
the previous remainder, 39, is the desired gcd
Generalize for a pair (a, b) with a > b:
a = q2 × b + r2: q2 quotient, r2 remainder
b = q3 × r2 + r3 ⇒ continue until the remainder = 0
r2 = q4 × r3 + r4
r3 = q5 × r4 + r5
. . . .
rn-2 = qn × rn-1 + rn
rn-1 = qn+1 × rn + 0
⇒ gcd(a, b) = rn
Why it works:
rn ∣ rn-1 ⇒ gcd(rn, rn-1) = rn
ri = qi+2 × ri+1 + ri+2
Any divisor of ri and ri+1 is a divisor of ri+2, and any divisor of ri+1 and ri+2 is a divisor of ri
⇒ gcd(ri, ri+1) = gcd(ri+1, ri+2)
the equation is valid for all i
⇒ gcd(a, b) = gcd(r0, r1) = . . . = gcd(rn-1, rn) = rn
Algorithm 1.1 Euclidean Algorithm
Input: a, b
Output: gcd(a, b)
r0 ← a
r1 ← b
n ← 1
while rn ≠ 0
    qn+1 ← ⌊rn-1 / rn⌋
    rn+1 ← rn-1 – qn+1 × rn
    n ← n + 1
n ← n – 1
gcd(a, b) ← rn
Euclidean algorithm: computational process flow and results
Flow: r0 = a, r1 = b; each step takes (rn-1, rn) to rn+1 = rn-1 – qn+1 × rn; stop when rn+1 = 0; then gcd(a, b) = rn
n   qn+1   rn-1    rn      rn+1
1   2      80808   31863   17082
2   1      31863   17082   14781
3   1      17082   14781   2301
4   6      14781   2301    975
5   2      2301    975     351
6   2      975     351     273
7   1      351     273     78
8   3      273     78      39
9   2      78      39      0
gcd(80808, 31863) = 39
Retrace the steps of the Euclidean algorithm
⇒ 'Extended Euclidean Algorithm'
r2 = a – q2 × b; substitute in the equation for r3
r3 = b – q3 × (a – q2 × b)
   = –q3 × a + (q2 × q3 + 1) × b; substitute in the equation for r4
r4 = r2 – q4 × r3 = (a – q2 × b) – q4 × (–q3 × a + (q2 × q3 + 1) × b)
   = (q3 × q4 + 1) × a – (q2 + q4 + q2 × q3 × q4) × b; continue until rn ⇒
rn = u × a + v × b: u and v integers
⇒ expresses gcd(a, b) as a linear combination of a and b.
Let gcd(a, b) = c ⇒
u × a + v × b = c ← a linear Diophantine equation in u and v
Given a, b and c, there is an infinite set of solutions for the (u, v) pair
Wade through the sequence of equations of the Euclidean algorithm to get gcd(a, b) and one (u, v) pair
Algorithm 1.2 Extended Euclidean Algorithm
Input: a, b; Output: gcd(a, b), u, v
r0 ← a; r1 ← b
u0 ← 1; u1 ← 0
v0 ← 0; v1 ← 1
n ← 1
while (rn ≠ 0)
    q ← ⌊rn-1 / rn⌋
    rn+1 ← rn-1 – q × rn      (updating r values)
    un+1 ← un-1 – q × un      (updating u values)
    vn+1 ← vn-1 – q × vn      (updating v values)
    n ← n + 1
n ← n – 1
gcd(a, b) ← rn; u ← un; v ← vn
(invariant: ri = ui × a + vi × b for every i, so rn = un × a + vn × b)
Computational process flow for the extended Euclidean algorithm
r0 = a, r1 = b → r2 → . . . → rn-1, rn → rn+1 = 0; gcd(a, b) = rn
u0 = 1, u1 = 0 → u2 → . . . → un-1, un → un+1; u = un
v0 = 0, v1 = 1 → v2 → . . . → vn-1, vn → vn+1; v = vn
• Solve the linear Diophantine equation for (a = 80808, b = 31863)
• use the extended Euclidean algorithm ⇒ get u and v values
n  q  rn-1   rn     rn+1   un-1  un    un+1  vn-1  vn    vn+1
1  2  80808  31863  17082  1     0     1     0     1     -2
2  1  31863  17082  14781  0     1     -1    1     -2    3
3  1  17082  14781  2301   1     -1    2     -2    3     -5
4  6  14781  2301   975    -1    2     -13   3     -5    33
5  2  2301   975    351    2     -13   28    -5    33    -71
6  2  975    351    273    -13   28    -69   33    -71   175
7  1  351    273    78     28    -69   97    -71   175   -246
8  3  273    78     39     -69   97    -360  175   -246  913
9  2  78     39     0      97    -360  (stop) -246  913   (stop)
gcd(80808, 31863) = 39; u = -360; v = 913; 39 = –360 × 80808 + 913 × 31863
• u × a + v × b = c
• Extended Euclidean algorithm ⇒ one pair (u0, v0): u0 × a + v0 × b = c
• Add and subtract k × a × b / c (an integer, since c = gcd(a, b) divides both a and b):
(u0 + k × b/c) × a + (v0 – k × a/c) × b = c ← generalized version, valid for every k ∈ ℤ
• Diophantine equation ⇒ an infinite number of solutions
• the pair (u0, v0) ⇒ a particular solution
Modular algebra
a and m integers, m > 0 (a > m in the first example; generalized below to all a ∈ ℤ)
express a as
a = q × m + r, q the quotient and r the remainder, 0 ≤ r < m
r: the 'residue' obtained by dividing a by m
the residue r can represent a
r is called 'a modulo m', expressed as
r ≡ a (mod m)
the r representation can be generalized and used for all a ∈ ℤ.
Examples
2 ≡ 14 (mod 12)
2 ≡ 26 (mod 24)
2 ≡ 38 (mod 36)
the representation is visualized by arranging the integers in a circular fashion, as on a clock
Figure: integers arranged to conform to congruence modulo 12 (clock layout). Each of the 12 positions k = 0, 1, . . . , 11 holds the column . . . , k – 12, k, k + 12, k + 24, . . . ; e.g. position 0 holds –12, 0, 12, 24, position 2 holds –10, 2, 14, 26 and position 11 holds –1, 11, 23, 35.
• 2 ≡ –10 (mod 12) ← negative numbers
• ⇒ add positive / negative multiples of 12 (in general, m) to the number and
• bring the result within the range (0, 1, 2, 3, . . . , 11).
• . . . , –22, –10, 2, 14, 26, . . . have the same representation ⇒ 2
• . . . , –23, –11, 1, 13, 25, . . . have the same representation ⇒ 1
• . . . , –22, –10, 2, 14, 26, . . . are 'congruent modulo 12'
Generalize: a, b and c three integers:
• a (mod m) = b (mod m) = c (mod m)
• ⇒ a, b and c are 'congruent' (modulo m)
the congruence property is expressed as
a ≡ b (mod m)
  ≡ c (mod m)
⇒ a – b, b – c, a – c are divisible by m
additional examples:
12 ≡ –18 (mod 15)
–3 ≡ –18 (mod 15)
12 ≡ –3 (mod 15)
7 ≡ 18 (mod 11)
4 ≡ –18 (mod 11)
Cryptography starts here
ℤm = [0, 1, 2, . . . , m – 1] ← 'the set of least residues'
• the set of integers {. . . , –2m, –m, 0, m, 2m, . . .}
• ⇒ same representation, 0, in ℤm
• the set of integers {. . . , –2m + a, –m + a, a, m + a, 2m + a, . . .}
• ⇒ same representation, a, in ℤm
• the set {. . . , –2m + a, –m + a, a, m + a, 2m + a, . . .} is called 'the residue class [a]m'
• [3]13 = {. . . , –23, –10, 3, 16, 29, . . .}
• [0]13 = {. . . , –26, –13, 0, 13, 26, . . .}
• the smallest non-negative number of a residue class is the one present in the set of least residues
• given an integer c, identifying the a ∈ ℤm such that a ≡ c (mod m) ⇒ 'reducing c modulo m'.
extend the concepts of the basic algebraic operations to ℤm
add 25 and 47 with m = 7
(25 + 47) (mod 7) ≡ 72 (mod 7) ≡ 2
the same can be obtained as
(25 (mod 7) + 47 (mod 7)) (mod 7) ≡ (4 + 5) (mod 7) ≡ 2
Similarly (25 – 47) (mod 7) ≡ (–22) (mod 7) ≡ 6
Alternatively
(25 – 47) (mod 7) ≡ (25 (mod 7) – 47 (mod 7)) (mod 7)
≡ (4 – 5) (mod 7) ≡ 6
add two integers in ℤ7 and reduce the result modulo 7
⇒ the result is in ℤ7
See the table for the general addition of two numbers a and b (mod 7)
Addition of a and b modulo 7
     a: 0 1 2 3 4 5 6
b = 0:  0 1 2 3 4 5 6
b = 1:  1 2 3 4 5 6 0
b = 2:  2 3 4 5 6 0 1
b = 3:  3 4 5 6 0 1 2
b = 4:  4 5 6 0 1 2 3
b = 5:  5 6 0 1 2 3 4
b = 6:  6 0 1 2 3 4 5
• modular addition / subtraction using a look-up table is not practical
• Use the relations
(a + b) (mod m) ≡ (a (mod m) + b (mod m)) (mod m)
(a – b) (mod m) ≡ (a (mod m) – b (mod m)) (mod m)
extend the concept to modular multiplication
(25 × 47) (mod 7) ≡ (25 (mod 7) × 47 (mod 7)) (mod 7)
≡ (4 × 5) (mod 7) ≡ 20 (mod 7) ≡ 6
the same result is obtained as
(25 × 47) (mod 7) ≡ 1175 (mod 7) ≡ 6
multiply two integers in ℤ7 and reduce the result modulo 7 ⇒ the result is in ℤ7
• Modular multiplication of a and b (mod 7)?
• ⇒ use the table
Table for 'mod 7' multiplication
     a: 0 1 2 3 4 5 6
b = 0:  0 0 0 0 0 0 0
b = 1:  0 1 2 3 4 5 6
b = 2:  0 2 4 6 1 3 5
b = 3:  0 3 6 2 5 1 4
b = 4:  0 4 1 5 2 6 3
b = 5:  0 5 3 1 6 4 2
b = 6:  0 6 5 4 3 2 1
• Modular multiplication using a table is not practical
• Use the relation
• (a × b) (mod m) ≡ (a (mod m) × b (mod m)) (mod m)
Consider the integers 3 and 4 in ℤ7
(3 + 4) (mod 7) ≡ 0
the role of 4 in ℤ7 is the same as that of –3 in ℤ
4 is the 'additive inverse' of 3 in ℤ7, and vice versa
Every element in ℤ7 has an additive inverse
⇒ a unique inverse, itself an element of ℤ7
generalized version:
For any integer a ∈ ℤm, b ∈ ℤm is the additive inverse of a if (a + b) (mod m) ≡ 0
• ⇒ a is the additive inverse of b
• The additive inverse is a unique element of ℤm (for a ≠ 0 it is m – a; the inverse of 0 is 0)
• m an even integer? the inverse of m/2 is m/2 itself.
Extend the concept of inverses to multiplicative inverses
a and b ∈ ℤm:
b is the multiplicative inverse of a if ab ≡ 1 (mod m)
the multiplicative inverse of a is designated a^(-1) ⇒ a^(-1) ≡ b
the role of a^(-1) in ℤm is the same as that of the reciprocal of a as a real number
• multiplication of c ∈ ℤm by a^(-1) ← analogous to dividing c by a in the set of real numbers
• When m is a small integer, use a 'table of multiplicative inverses' for modular algebra
All non-zero elements of ℤ7 and their respective inverses:
a:      1 2 3 4 5 6
a^(-1): 1 4 5 2 3 6
Two facts:
1. Every non-zero integer in ℤ7 has a multiplicative inverse (0 has none, in any ℤm).
2. A given integer has one and only one multiplicative inverse.
• Table ⇒ multiplication table for ℤ6
• 5 has an inverse which is 5 itself: 5^(-1) = 5
     a: 0 1 2 3 4 5
b = 0:  0 0 0 0 0 0
b = 1:  0 1 2 3 4 5
b = 2:  0 2 4 0 2 4
b = 3:  0 3 0 3 0 3
b = 4:  0 4 2 0 4 2
b = 5:  0 5 4 3 2 1
• No multiplicative inverses for 2, 3 and 4 in ℤ6 (no row for them contains a 1)
• ⇒ they have a common divisor with 6!
• With a, b ∈ ℤm, a has a multiplicative inverse b
iff gcd(a, m) = 1
• Proof:
• Let b ≡ a^(-1) (mod m)
• ⇒ ab ≡ 1 (mod m)
• ⇒ ab = 1 + mc for some c ∈ ℤ
• ⇒ ab – mc = 1
• Invoke the Diophantine equation: ab + (–c)m = 1 has an integer solution iff gcd(a, m) = 1 (any common divisor of a and m would have to divide 1); when it does, the extended Euclidean algorithm produces b
• ⇒ gcd(a, m) = 1
• a ∈ ℤm has a multiplicative inverse
iff gcd(a, m) = 1
• Use the multiplicative inverse to carry out the equivalent of division in ℤm
• Example in ℤ7:
• 3/4 ⇒ 3 × 4^(-1)
• Use the table of inverses
• ⇒ 4^(-1) ≡ 2 (mod 7)
• ⇒ 3/4 ≡ 3 × 2 (mod 7)
• ≡ 6 (mod 7)
Similarly
4/3 ≡ 4 × 3^(-1) (mod 7)
≡ 4 × 5 (mod 7)
≡ 20 (mod 7) ≡ 6 (mod 7)
• m is small?
• ⇒ Use the table of inverses and multiply by the inverse of the divisor for 'division'
• Not practical with the values of m used in cryptography
• Use the extended Euclidean algorithm
• Solve the Diophantine equation u × a + v × m = 1
• ⇒ get the multiplicative inverse (u ≡ a^(-1) (mod m))
• and do 'division'
Obtain 3407^(-1) (mod 4363)
(Incidentally 3407 and 4363 are primes)
Use the extended Euclidean algorithm
–1536 × 4363 + 1967 × 3407 = 1
Or
1967 × 3407 = 1 + 1536 × 4363
3407^(-1) ≡ 1967 (mod 4363)
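The Euclidean algorithm (Algorithm 1.1), the extended Euclidean algorithm (Algorithm 1.2), the general solution of the Diophantine equation, and the modular inverse just computed, as one added Python example. It is not code from the slides or the book; the function names are the example's own, and the numbers are the slides' (80808, 31863 and 3407 mod 4363).

```python
"""Euclidean and extended Euclidean algorithms (Algorithms 1.1 and 1.2 of
the slides), the general solution of u*a + v*b = gcd(a, b), and modular
inversion built on them.  Added example; the numbers are the slides' own."""


def gcd(a: int, b: int) -> int:
    """Algorithm 1.1: repeated division until the remainder is 0."""
    while b != 0:
        a, b = b, a - (a // b) * b   # r_{n+1} = r_{n-1} - q_{n+1} * r_n
    return abs(a)


def egcd(a: int, b: int):
    """Algorithm 1.2: returns (g, u, v) with u*a + v*b = g = gcd(a, b).

    The rolling pairs (r0, r1), (u0, u1), (v0, v1) hold the last two rows
    of the slides' table; each step forms the next row from them.
    """
    r0, r1 = a, b
    u0, u1 = 1, 0
    v0, v1 = 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    if r0 < 0:                      # normalise so that g > 0
        r0, u0, v0 = -r0, -u0, -v0
    return r0, u0, v0


def diophantine_solutions(a: int, b: int, k_values):
    """Solutions of u*a + v*b = gcd(a, b): (u0 + k*b/g, v0 - k*a/g), k in Z."""
    g, u0, v0 = egcd(a, b)
    return [(u0 + k * (b // g), v0 - k * (a // g)) for k in k_values]


def mod_inverse(a: int, m: int) -> int:
    """a^-1 mod m, or raise ValueError when gcd(a, m) != 1 (no inverse)."""
    g, u, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd = {g}")
    return u % m


if __name__ == "__main__":
    print(egcd(80808, 31863))        # (39, -360, 913)
    print(mod_inverse(3407, 4363))   # 1967
```

`mod_inverse` raises rather than returning a wrong value when the inverse does not exist; silently continuing with such a value is how a modular-arithmetic bug becomes a key-recovery bug.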
gcd(a, b) = 1 ⇒ a and b are relatively prime
⇒ also called 'coprimes'.
27 and 28 ← coprimes.
27 and 30 are not relatively prime, not coprimes
ℤm* ← all numbers in ℤm relatively prime to m
ℤm* = {all a ∈ ℤm such that gcd(a, m) = 1}
ℤ14* = {1, 3, 5, 9, 11, 13}
7 ∉ ℤ14*
All elements in ℤm* have inverses (mod m)
3 has an inverse in ℤ14; 7 does not have an inverse
• total number of elements in ℤm* ⇒ φ(m)
• φ(m) ← 'Euler phi function' or 'Euler totient function'
• ℤ14* = {1, 3, 5, 9, 11, 13} ⇒ φ(14) = 6
• ℤ7* = {1, 2, 3, 4, 5, 6} ⇒ φ(7) = 6
• If p is a prime number
• ⇒ all non-zero a ∈ ℤp are relatively prime to p
• ⇒ ℤp* = ℤp \ {0} ⇒ φ(p) = p – 1
• 7 is a prime ⇒ ℤ7* = {1, 2, 3, 4, 5, 6}
• ⇒ φ(7) = 6
• 29 is a prime number ⇒ φ(29) = 28
• Lemma (used below): m = 9, n = 5 and r = 2
• The table lists the values (2 + 5i) (mod 9) for all i from 0 to 8
i:              0 1 2 3 4 5 6 7 8
2 + 5i (mod 9): 2 7 3 8 4 0 5 1 6
• (2 + 5i) (mod 9) runs through all the elements of ℤm (= ℤ9) exactly once
• r, n, m ∈ ℤ, m and n relatively prime ⇒
• r, r + n, r + 2n, . . . , r + (m – 1)n ← congruent to the elements of ℤm (= {0, 1, 2, . . . , m – 1}) in some order
• Let i, j ∈ ℤm, i ≠ j:
• Suppose in + r ≡ jn + r (mod m). This implies in ≡ jn (mod m), i.e. m ∣ (i – j)n; since gcd(m, n) = 1, m ∣ (i – j), which contradicts 0 < |i – j| < m
• ⇒ in + r ≢ jn + r (mod m) ⇒ r, r + n, r + 2n, . . . , r + (m – 1)n are
• distinct from each other modulo m: they form the elements of ℤm in some order
Multiplicative property of φ: gcd(m, n) = 1 ⇒ φ(mn) = φ(m) φ(n)
• Arrange the integers 1 to mn in matrix form as in the Table
• ⇒ n columns and m rows; the entry in row i, column j is (j – 1)m + i
1      m + 1    2m + 1    .....   m(n – 1) + 1
2      m + 2    2m + 2    .....   m(n – 1) + 2
3      m + 3    2m + 3    .....   m(n – 1) + 3
.      .        .                 .
i      m + i    2m + i    .....   m(n – 1) + i
.      .        .                 .
m      2m       3m        .....   nm
1. Let i ∉ ℤm* ⇒ i has a common factor with m
2. ⇒ All the elements in the ith row (each ≡ i (mod m)) have a common factor with m
3. Generalize ⇒ the elements in all such rows are not in ℤmn*
4. ⇒ restrict to the rows with index i ∈ ℤm* to identify the elements of ℤmn*
5. Consider the numbers in such a row of the Table: i, m + i, 2m + i, . . . , (n – 1)m + i
6. According to the above lemma (with r = i, multiplier m, modulus n, gcd(m, n) = 1), they are congruent modulo n to the elements of ℤn in some order
7. φ(n) of these are in ℤn*, hence relatively prime to both m and n, hence in ℤmn*
8. Similarly for all the φ(m) rows in [4] above
9. φ(mn) = φ(m) φ(n)
• Generalize
• m1, m2, m3, . . . , mk pairwise relatively prime
• ⇒ φ(m1 m2 m3 . . . mk) = φ(m1) φ(m2) φ(m3) . . . φ(mk)
• ⇒ With p1 and p2 two distinct primes
• φ(p1 p2) = (p1 – 1)(p2 – 1)
• Generalize
• p1, p2, . . . , pk all distinct primes
• ⇒ φ(p1 p2 . . . pk) = (p1 – 1)(p2 – 1) . . . (pk – 1)
Obtain φ(630)
630 = 18 × 35, gcd(18, 35) = 1
⇒ φ(630) = φ(18) × φ(35)
ℤ18* = {1, 5, 7, 11, 13, 17}
φ(18) = 6
φ(35) = φ(5) × φ(7)
      = 4 × 6 (since 5 and 7 are primes)
      = 24
⇒ φ(630) = 6 × 24
         = 144
• p a prime and e a positive integer:
• the numbers a in ℤ(p^e) for which gcd(a, p^e) ≠ 1 are all the multiples of p below p^e
• These are p, 2p, 3p, . . . , p^(e–1) × p (the last one ≡ 0)
• There are p^(e–1) of these
• ⇒ φ(p^e) = p^e – p^(e–1)
• φ(11^3) = 11^3 – 11^2
• = 1331 – 121 = 1210
• p1 and p2 primes; e1 and e2 positive integers
• ⇒ gcd(p1^e1, p2^e2) = 1
• ⇒ φ(p1^e1 × p2^e2) = φ(p1^e1) × φ(p2^e2)
• = (p1^e1 – p1^(e1–1)) × (p2^e2 – p2^(e2–1))
• m = p1^e1 × p2^e2 × p3^e3 × . . . × pk^ek (pi distinct primes)
• ⇒ φ(m) = (p1^e1 – p1^(e1–1)) × (p2^e2 – p2^(e2–1)) × (p3^e3 – p3^(e3–1)) × . . . × (pk^ek – pk^(ek–1))
• = p1^e1 p2^e2 p3^e3 . . . pk^ek × (1 – 1/p1)(1 – 1/p2)(1 – 1/p3) . . . (1 – 1/pk)
• = m × (1 – 1/p1)(1 – 1/p2)(1 – 1/p3) . . . (1 – 1/pk)
• Combine the properties of φ(m) and use
• Find φ(1323): 1323 = 3^3 × 7^2
• ⇒ φ(1323) = φ(3^3) × φ(7^2)
• = (3^3 – 3^2)(7^2 – 7)
• = 18 × 42 = 756
• Find φ(287375): 287375 = 5^3 × 11^2 × 19
• φ(287375) = φ(5^3) φ(11^2) φ(19)
• φ(287375) = 287375 × (1 – 1/5)(1 – 1/11)(1 – 1/19)
• = 287375 × 720 / 1045
• = 198000
Modular exponentiation of large numbers
• Repeated multiplication and modular reduction: tedious
• Repeated squaring and selective multiplication: more appealing
• Compute 23^971 (mod 503)
• 971 = 2^9 + 2^8 + 2^7 + 2^6 + 2^3 + 2^1 + 2^0
23^(2^0) = 23
23^(2^1) = 23 × 23 = 23^2 = 529 ≡ 26 (mod 503)
23^(2^1 + 2^0) = 23^(2^1) × 23^(2^0) ≡ 26 × 23 ≡ 95 (mod 503)
23^(2^2) = (23^(2^1))^2 ≡ 26^2 (mod 503) ≡ 173 (mod 503)
• Continue similarly (each number in the sequence is the square, mod 503, of the previous one)
23^(2^3) = (23^(2^2))^2 ≡ 173^2 ≡ 252 (mod 503)
23^(2^4) = (23^(2^3))^2 ≡ 252^2 ≡ 126 (mod 503)
23^(2^5) = (23^(2^4))^2 ≡ 126^2 ≡ 283 (mod 503)
23^(2^6) = (23^(2^5))^2 ≡ 283^2 ≡ 112 (mod 503)
23^(2^7) = (23^(2^6))^2 ≡ 112^2 ≡ 472 (mod 503)
23^(2^8) = (23^(2^7))^2 ≡ 472^2 ≡ 458 (mod 503)
23^(2^9) = (23^(2^8))^2 ≡ 458^2 ≡ 13 (mod 503)
23^971 = 23^(2^9 + 2^8 + 2^7 + 2^6 + 2^3 + 2^1 + 2^0)
⇒ 23^971 ≡ 13 × 458 × 472 × 112 × 252 × 95 (mod 503)
• ≡ 285 (mod 503)
Generalized procedure to compute c ≡ a^b (mod m)
1. Express b as a binary number:
   b = bn-1 2^(n–1) + bn-2 2^(n–2) + bn-3 2^(n–3) + . . . + b0 2^0
2. Make c = 1 and i = 0; make d ≡ a (mod m)
3. Get c ≡ c × d^b0 (mod m), i.e. multiply c by d only if b0 = 1
4. Make i = i + 1; d ≡ d × d (mod m); c ≡ c × d^bi (mod m)
5. Repeat step 4 for all i up to and including i = n – 1
• Each number d in the sequence (mod m)
• ⇒ the square of the previous one
• Procedure given as Algorithm 1.3.
Algorithm 1.3 Fast Exponentiation Algorithm
Input: a, b, m (b an n-bit number with bits b0, b1, . . . , bn-1)
Output: c ≡ a^b (mod m)
c ← 1; i ← 0; d ← a (mod m)
while (i ≠ n)
    if bi = 1: c ← c × d; c ← c – ⌊c / m⌋ × m
    d ← d × d; d ← d – ⌊d / m⌋ × m
    i ← i + 1
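Algorithm 1.3 in Python, as an added example (not the slides' code). It returns the table of a^(2^i) mod m that the slides build by hand, computes the result right-to-left as the algorithm does and left-to-right as most implementations do, and is checked against Python's built-in `pow`. The function names are the example's own.

```python
"""Square-and-multiply (Algorithm 1.3) as an added example, not the slides'
code.  Returns the a^(2^i) mod m table the slides build by hand and the
result, checked against Python's built-in pow."""


def powers_of_two_table(a: int, b: int, m: int) -> list:
    """[(i, a^(2^i) mod m)] for every bit position i of b."""
    table, d = [], a % m
    for i in range(b.bit_length()):
        table.append((i, d))
        d = d * d % m            # each entry is the square of the previous one
    return table


def fast_pow(a: int, b: int, m: int) -> int:
    """Right-to-left binary exponentiation: c = a^b mod m.

    Walks the bits of b from the least significant end; bit i set means the
    factor a^(2^i) (the running square d) is multiplied into c.
    """
    if m == 1:
        return 0
    c, d, i = 1, a % m, 0
    while i < b.bit_length():
        if (b >> i) & 1:         # b_i = 1: multiply selectively
            c = c * d % m
        d = d * d % m
        i += 1
    return c


def fast_pow_left_to_right(a: int, b: int, m: int) -> int:
    """Same result, scanning bits from the most significant end: square
    every step, multiply only when the bit is set.  That data-dependent
    multiply is the classic timing side channel in naive RSA/DH code, which
    is why production implementations use constant-time ladders instead."""
    c = 1
    for i in range(b.bit_length() - 1, -1, -1):
        c = c * c % m
        if (b >> i) & 1:
            c = c * (a % m) % m
    return c
```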
prime numbers
• p ∈ ℤ, p > 1, not divisible by any of 2 to p – 1
• ⇒ p is a prime number
• 2, 3, 5, 7, 11, 13, 17, 19, 23 ← prime numbers (1 is not a prime).
Properties:
• If 0 < a < p ⇒ gcd(a, p) = 1
• ℤp* = ℤp \ {0}
• φ(p) = p – 1
• Every integer > 1 ← a product of powers of primes.
• 84 = 2^2 × 3 × 7
• 84721 = 7^3 × 13 × 19
n ∈ ℤp, n ≠ 0 ⇒ gcd(n, p) = 1
⇒ every non-zero element in ℤp has a multiplicative inverse
(in addition to the additive inverse, p – n)
Algebraic operations (addition, subtraction, multiplication and division) in any combination ⇒ ok in ℤp
Get y ≡ (435 + 962 × 321 – 276 × 3407^(-1)) × 751 × 3407^(-1) (mod 4363)
Substitute 3407^(-1) ≡ 1967 (mod 4363)
y ≡ (435 + 962 × 321 – 276 × 1967) × 751 × 1967 (mod 4363) ≡ –457 (mod 4363)
  ≡ 3906 (mod 4363)
Fermat's little theorem
a ∈ ℤ, p prime: p ∤ a ⇒ a^(p–1) ≡ 1 (mod p), and
p ∣ a ⇒ a^(p–1) ≡ 0 (mod p)
Proof:
p ∣ a ⇒ a = kp where k ∈ ℤ
⇒ a^(p–1) = k^(p–1) × p^(p–1) ≡ 0 (mod p)
p ∤ a:
consider b = ak where k ∈ ℤp, k ≠ 0
a and k not divisible by p ⇒ ak not divisible by p
⇒ ak (mod p) is non-zero for every non-zero k ∈ ℤp
a (mod p), 2a (mod p), 3a (mod p), . . . are all non-zero
For i, k ∈ ℤp, i ≠ k:
ai (mod p) ≢ ak (mod p)
Else ai (mod p) ≡ ak (mod p), i.e. a(i – k) ≡ 0 (mod p)
not true, since neither a nor i – k is divisible by p
a (mod p), 2a (mod p), 3a (mod p), . . . , (p – 1)a (mod p)
⇒ all distinct
⇒ they represent the set of all non-zero numbers in ℤp in some permuted order
(a × 2a × 3a × . . . × (p – 1)a) (mod p) ≡ ((p – 1)!) (mod p)
(a × 2a × 3a × . . . × (p – 1)a) (mod p) ≡ (a^(p–1) (p – 1)!) (mod p)
≡ (a^(p–1) (mod p) × (p – 1)! (mod p)) (mod p) ≡ ((p – 1)!) (mod p)
Cancel (p – 1)! (mod p) (it is invertible, since p divides none of its factors) ⇒ a^(p–1) ≡ 1 (mod p)
• p = 31: 3^(p–1) (mod 31) ≡ 3^30 (mod 31)
• Use fast exponentiation and evaluate
3^30 (mod 31) ≡ 3^(2^4 + 2^3 + 2^2 + 2^1) (mod 31) ≡ 1 (mod 31)
• 35 is not a prime number
• 3^34 = 3^(2^5 + 2^1) ⇒ 3^34 (mod 35) ≡ 3^(2^5) × 3^(2^1) (mod 35)
• ≡ 4 (mod 35)
• ≠ 1 (mod 35)
• 561 = 3 × 11 × 17 ⇒ 561 is composite
• yet 2^560 ≡ 1 (mod 561)! Beware of fifth columns: composites that pass the test for a given base ('Fermat pseudoprimes'; 561 is a Carmichael number and passes for every base coprime to it)
• a^(p–1) ≡ 1 (mod p) ← a one-way check for primality: failing it proves p composite, passing it does not prove p prime
563 is a prime ⇒ a^562 ≡ 1 (mod 563) for all non-zero a ∈ ℤ563
567 ⇒ 2^566 ≢ 1 (mod 567)
2^566 (mod 567) ≡ 2^(2^9 + 2^5 + 2^4 + 2^2 + 2^1) (mod 567)
(2^(2^1) ≡ 4, 2^(2^2) ≡ 16, 2^(2^4) ≡ 331, 2^(2^5) ≡ 130, 2^(2^9) ≡ 445 (mod 567))
≡ 445 × 130 × 331 × 16 × 4 (mod 567)
≡ 445 (mod 567)
⇒ 567 is not a prime (567 = 3^4 × 7)
Find 3^(-1) (mod 31) using Fermat's theorem (and not the Extended Euclidean Algorithm)
31 is a prime ⇒ 3^30 ≡ 1 (mod 31)
⇒ 3^(-1) ≡ 3^(30–1) (mod 31) ≡ 3^29 (mod 31) ≡ 21 (mod 31)
Find 592^(-1) (mod 1831): 1831 is a prime
⇒ 592^1830 ≡ 1 (mod 1831)
⇒ 592^(-1) ≡ 592^1829 (mod 1831) ≡ 1265 (mod 1831)
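Fermat's test and its failure mode, as an added Python example that is not the slides' code: 563 passes, 567 fails, and the Carmichael number 561 passes for base 2 although it is composite. The Miller-Rabin strengthening that a practitioner actually uses is shown catching 561, and inversion by Fermat (a^(p–2)) is included with the prime-modulus check the slides only state in words. Function names and the base list are the example's own.

```python
"""Fermat's test and its failure mode, as an added example (not the slides'
code): 563 passes, 567 fails, and the Carmichael number 561 passes for base
2 although it is composite.  Miller-Rabin, the strengthening a practitioner
actually uses, is shown catching 561.  Inversion by Fermat is included."""


def fermat_residue(n: int, a: int) -> int:
    """The value a^(n-1) mod n itself, e.g. 445 for n = 567, a = 2."""
    return pow(a, n - 1, n)


def fermat_passes(n: int, a: int) -> bool:
    """a^(n-1) == 1 (mod n).  False proves n composite; True proves nothing."""
    return fermat_residue(n, a) == 1


def miller_rabin_passes(n: int, a: int) -> bool:
    """Strong probable-prime test to base a: write n-1 = 2^s * d, d odd,
    and require a^d == 1 or a^(2^r d) == -1 for some r < s.  Carmichael
    numbers such as 561 fail this for most bases even though they pass
    Fermat's test for every base coprime to them."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13, 17)) -> bool:
    """Deterministic for n < 341,550,071,728,321 with these seven bases."""
    if n in bases:
        return True
    return all(miller_rabin_passes(n, a) for a in bases)


def inverse_by_fermat(a: int, p: int) -> int:
    """a^-1 = a^(p-2) mod p, valid only when p is prime and p does not divide a."""
    if not is_probable_prime(p) or a % p == 0:
        raise ValueError("Fermat inversion needs a prime modulus and p not dividing a")
    return pow(a, p - 2, p)
```

Using a^(p–2) for inversion with a modulus that is secretly composite returns a plausible-looking but wrong value, so the primality check in `inverse_by_fermat` is not optional.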
Find the 11th root of 27 (mod 31), i.e. x with x^11 ≡ 27 (mod 31), using Fermat's theorem
27 = 3^3
⇒ 27 ≡ (3^3 (mod 31) × 3^30 (mod 31)) (mod 31)
≡ 3^3 × 3^30 (mod 31) ≡ 3^(30+3) (mod 31) ≡ 3^33 (mod 31)
Take the 1/11-th power (11 and 30 are coprime, so the root is unique) ⇒
x ≡ 27^(1/11) ≡ (3^33)^(1/11) (mod 31) ≡ 3^(33/11) (mod 31) ≡ 3^3 (mod 31)
• ≡ 27 (mod 31)
(check: 11^(-1) ≡ 11 (mod 30), so x ≡ 27^11 ≡ 3^33 ≡ 27 (mod 31))
Fundamental theorem of arithmetic
• m an integer > 1 ⇒ a unique product of powers of primes
• m = ∏ qi^ei, qi primes and qi^ei the prime-power factors of m
• ⇒ wide use in cryptography
12 = 2^2 × 3
36 = 2^2 × 3^2
18375 = 3 × 5^3 × 7^2
primitive element
a^i (mod 11) values for all a and i (columns: a = 2, 3, . . . , 10; rows: i = 1, . . . , 10):
i:   2^i  3^i  4^i  5^i  6^i  7^i  8^i  9^i  10^i   (mod 11)
1:   2    3    4    5    6    7    8    9    10
2:   4    9    5    3    3    5    9    4    1
3:   8    5    9    4    7    2    6    3    10
4:   5    4    3    9    9    3    4    5    1
5:   10   1    1    1    10   10   10   1    10
6:   9    3    4    5    5    4    3    9    1
7:   7    9    5    3    8    6    2    4    10
8:   3    5    9    4    4    9    5    3    1
9:   6    4    3    9    2    8    7    5    10
10:  1    1    1    1    1    1    1    1    1
g^i (mod p) takes all the values in ℤp* as i changes from 1 to p – 1 ⇒ g is a 'primitive element' of ℤp
2, 6, 7 and 8 ⇒ primitive elements of ℤ11
φ(10) = 4 ⇒ the total number of primitive elements
ℤ10* = {1, 3, 7, 9}
⇒ primitive elements ⇒ 2^i (mod 11) for i ∈ ℤ10*: 2^1 = 2, 2^3 = 8, 2^7 ≡ 7, 2^9 ≡ 6
Use one primitive element of ℤp and get all the others as its ith powers, where i ∈ ℤ(p–1)*
⇒ verify with ℤ11
For all non-zero a ∈ ℤp ⇒ the sequence a^i (mod p) is cyclic
The number of integers in one period of the sequence is the 'order' of a
More precisely, the order is the smallest positive integer i for which a^i (mod p) = 1, for a given a ∈ ℤp
ℤ11 ⇒ the order of the non-primitive elements is 5 (for 3, 4, 5, 9) or 2 (for 10); the element 1 has order 1
generalize:
k: the order of an element a ∈ ℤp
i = kq ⇒ a^i = a^(kq) = (a^k)^q ≡ 1 (mod p)
k ∣ i ⇒ a^i ≡ 1 (mod p).
Specifically a^(p–1) ≡ 1 (mod p)
⇒ k ∣ (p – 1); generalize:
a ∈ ℤp: if a^n ≡ 1 (mod p), the order of a divides n (write n = kq + r with 0 ≤ r < k; then a^r ≡ 1, so r = 0)
Specifically, the order divides p – 1
• Summarize:
• The order of a ∈ ℤp is p – 1 or one of its factors
Test for Primitive Element
a ∈ ℤp ⇒ the order of a is p – 1 or a factor of p – 1
⇒ check whether a is a primitive element of ℤp
a is a primitive element of ℤp iff
a^((p–1)/qi) ≢ 1 (mod p)
for every prime qi that is a factor of (p – 1) (p – 1 = ∏ qi^ei)
if n is the order of a ∈ ℤp, n divides p – 1; the above result follows from this: an order n < p – 1 divides (p – 1)/qi for at least one prime factor qi, which would make a^((p–1)/qi) ≡ 1
step-by-step procedure to check whether a ∈ ℤp is a primitive element:
Factorize (p – 1) and get all its prime-power factors qi^ei
For all i evaluate a^((p–1)/qi) (mod p), dividing by the prime qi (dividing by the full prime power qi^ei is not a valid test, see ℤ37 below)
If none of them is 1 (mod p), a is a primitive element.
• all primitive elements of ℤ11:
• For ℤ11 ⇒ p – 1 = 10 ⇒ prime factors 5 and 2
• a is a primitive element if a^5 ≢ 1 (mod p) and a^2 ≢ 1 (mod p)
• 2, 6, 7 and 8 satisfy both conditions; these are the primitive elements
• The other six integers in ℤ11* do not satisfy both conditions
⇒ They are not primitive elements of ℤ11
• ℤ37: check whether 2, 3, 5 and 7 are primitive elements
• p = 37 ⇒ p – 1 = 36 = 2^2 × 3^2, prime factors 2 and 3
• If a ∈ ℤp is such that a^(36/2) = a^18 ≢ 1 (mod 37) and
• a^(36/3) = a^12 ≢ 1 (mod 37)
• ⇒ a is a primitive element: see the Table (a^9 and a^4 alone are not enough: 3^9 ≡ –1 gives 3^18 ≡ 1, so 3 has order 18)
a   a^18 (mod 37)   a^12 (mod 37)   (a^9, a^4 (mod 37))   conclusion
2   36              26              (31, 16)              2 is a primitive element
3   1               10              (36, 7)               3 is not a primitive element (order 18)
5   36              10              (6, 33)               5 is a primitive element
7   1               10              (1, 33)               7 is not a primitive element (order 9)
Euler's theorem ⇒ a generalization of Fermat's little theorem
• a ∈ ℤm ⇒ a^φ(m) ≡ 1 (mod m) provided gcd(a, m) = 1.
• Verify Euler's theorem for the elements of ℤ10 relatively prime to 10
• m = 10 ⇒ 1, 3, 7 and 9 are relatively prime to 10
• ℤ10* = {1, 3, 7, 9} ⇒ φ(10) = 4
• 3^4 = 81 ≡ 1 (mod 10)
• 7^4 = 2401 ≡ 1 (mod 10)
• 9^4 = 6561 ≡ 1 (mod 10)
• ⇒ φ(m) is useful in modular arithmetic in various ways (e.g. exponents of a can be reduced modulo φ(m))
• Evaluate the 12th, 36th, 39th and 40th powers of 9 (mod 28).
• ℤ28* = {1, 3, 5, 9, 11, 13, 15, 17, 19, 23, 25, 27}
• ⇒ φ(28) = 12
• ⇒ 9^12 (mod 28) ≡ 1 (mod 28)
• ⇒ 9^36 (mod 28) ≡ (9^12)^3 (mod 28) ≡ 1 (mod 28)
• 9^39 (mod 28) ≡ 9^36 × 9^3 (mod 28) ≡ 9^3 (mod 28) ≡ 729 (mod 28) ≡ 1 (mod 28) (9 has order 3, a factor of 12)
• Similarly 9^40 ≡ 9^39 × 9 ≡ 9 (mod 28)
Evaluate 457^2491 (mod 28)
457 ≡ 9 (mod 28)
2491 = 207 × 12 + 7
457^2491 (mod 28) ≡ 9^2491 (mod 28)
≡ 9^(207 × 12 + 7) (mod 28)
≡ (9^12)^207 × 9^7 (mod 28)
≡ 9^7 (mod 28)
≡ 9^6 × 9 ≡ 9 (mod 28)
Identification of Primitive Elements
use the following theorem and get all the primitive elements from one known primitive element:
If g is a primitive element modulo p, g^k is a primitive element iff gcd(k, p – 1) = 1, i.e. k ∈ ℤ(p–1)*
(for a general modulus m possessing a primitive element g, the condition is gcd(k, φ(m)) = 1)
Obtain all the primitive elements of ℤ37.
2 is a primitive element of ℤ37
Values of 2^i for all i from 1 to 36 (= p – 1)
ℤ(p–1)* = ℤ36* = {1, 5, 7, 11, 13, 17, 19, 23, 25, 29, 31, 35}
i ∈ ℤ36* and the respective 2^i values are marked with * in the Table
2^i (mod 37) values (* marks i ∈ ℤ36*, hence a primitive element)
i:    1    2   3   4    5    6   7    8   9   10  11   12
2^i:  2*   4   8   16   32*  27  17*  34  31  25  13*  26
i:    13   14  15  16   17   18  19   20  21  22  23   24
2^i:  15*  30  23  9    18*  36  35*  33  29  21  5*   10
i:    25   26  27  28   29   30  31   32  33  34  35   36
2^i:  20*  3   6   12   24*  11  22*  7   14  28  19*  1
• ℤ36* = {1, 5, 7, 11, 13, 17, 19, 23, 25, 29, 31, 35}
• primitive elements of ℤ37:
• 2, 5, 13, 15, 17, 18, 19, 20, 22, 24, 32 and 35
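The primitive-element test of the preceding section and the generation of every primitive element from one known generator, as one added Python example that is not the slides' code. `prime_factors` is a small trial-division helper of the example's own; the expected lists for ℤ11 and ℤ37 are the slides'.

```python
"""Primitive-element tests as an added example (not the slides' code):
the order test a^((p-1)/q) != 1 for every prime q | p-1, and the
generation of every primitive element as g^k for k coprime to p-1."""

from math import gcd


def prime_factors(n: int) -> list:
    """Distinct prime factors of n by trial division (small n only)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    return primes + ([n] if n > 1 else [])


def multiplicative_order(a: int, p: int) -> int:
    """Smallest k > 0 with a^k == 1 (mod p); brute force, p prime, p not dividing a."""
    k, x = 1, a % p
    while x != 1:
        x, k = x * a % p, k + 1
    return k


def is_primitive(a: int, p: int) -> bool:
    """a generates Z_p^* iff a^((p-1)/q) != 1 for each prime q | p-1.
    Dividing by the full prime power q^e instead (a^9, a^4 for p = 37) is
    not a valid test: 3^9 == -1 (mod 37), so 3^18 == 1 and 3 has order 18."""
    if a % p == 0:
        return False
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def primitive_elements(p: int) -> list:
    """All generators by direct testing."""
    return [a for a in range(1, p) if is_primitive(a, p)]


def primitive_elements_from(g: int, p: int) -> list:
    """All generators as g^k, k in Z_(p-1)^*, given one generator g."""
    if not is_primitive(g, p):
        raise ValueError(f"{g} is not a primitive element modulo {p}")
    return sorted(pow(g, k, p) for k in range(1, p - 1) if gcd(k, p - 1) == 1)
```

For a cryptographic group the same test is what a parameter validator runs on a received generator (with p – 1 factored once, at parameter-generation time); a generator of a small subgroup passed off as primitive is the classic small-subgroup attack.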
DISCRETE LOGARITHM
• extend the concept of logarithms to ℤp
• g ∈ ℤp, g a primitive element;
• x and h ∈ ℤp such that g^x ≡ h (mod p)
⇒ x: the 'discrete logarithm' of h to base g
• x exists for every non-zero h, and vice versa
• log10 2 = 0.30103 ⇒ use an infinite series with 2 and compute log10 2
• 10^0.30103 = 2 ⇒ use an infinite series with 0.30103 and compute 10^0.30103
• With continuous real numbers, computing the log and the power are equally difficult or easy
• With the discrete logarithm: given x, computing h is ok (fast exponentiation)
• given h, computing x is much more difficult!
• 'Monotonicity' is absent: an apparent unpredictability!
• g = 13 ⇒ a primitive element of ℤ1319
• g^x ≡ h (mod p)
x:  1    2    3    4    5    6    7     8    9    10   11
h:  13   169  878  862  654  588  1049  447  535  360  723
x:  12   13   14   15   16   17   18    19   20   21   22
h:  166  839  355  658  640  406  2     26   338  437  405
Note the apparent lack of order in the dependent variable values
h:  1     2    3    4    5     6    7    8    9    10    11
x:  1318  18   692  36   1208  710  298  54   66   1226  682
h:  12    13   14   15   16    17   18   19   20   21    22
x:  728   1    316  582  72    905  84   206  1244 990   700
• Figure: x ~ h plot for g = 13 in ℤ1319 (a scatter with no visible pattern)
Let g^x1 (mod p) ≡ h1 and g^x2 (mod p) ≡ h2
⇒ h1 h2 ≡ g^x1 g^x2 (mod p)
≡ g^(x1 + x2) (mod p)
⇒ log(h1 h2) ≡ (log h1 + log h2) (mod p – 1)
the discrete logarithm satisfies the property
'the logarithm of the product of two integers is the sum of the logarithms of the two integers'
• log(h1 h2^(-1)) ≡ (log h1 – log h2) (mod p – 1)
• ⇒ analogous to the relation log(h1/h2) = log h1 – log h2
• g^(x + (p–1)k) (mod p) ≡ g^x (mod p) ≡ h ⇒ x + (p – 1)k is a
• discrete logarithm of h (mod p) for all k ∈ ℤ
• It is customary to use the x ∈ ℤp-1 (0 ≤ x ≤ p – 2) as the discrete logarithm; logarithms are reduced modulo p – 1, not modulo p
• Discrete logarithm of the ratio of two elements ⇒
• Use the discrete logarithm of the inverse of the 'denominator'.
• g^x1 (mod p) ≡ g^x2 (mod p) ⇒ x1 ≡ x2 (mod (p – 1)).
• a ∈ ℤp and a^x ≡ h (mod p) but a is not a primitive element
• x ⇒ discrete logarithm of h to base a
• the logarithm exists only for h expressible as a power of a (mod p)
• Find the discrete logarithm of (437)(824) in ℤ1319, base 13
• 1319 is a prime and 13 is a primitive element of ℤ1319
(Incidentally 824 ≡ 437^(-1) (mod 1319))
• h2 = 437 and h2^(-1) ≡ 824 (mod 1319)
• h2 × h2^(-1) ≡ (437 × 824) (mod 1319) = 273 × 1319 + 1
• ⇒ h2 × h2^(-1) ≡ 1 (mod 1319) ⇒ log(h2 × h2^(-1)) ≡ 0 (mod 1318), written as 1318 in the table above
• Find the discrete logarithm of (6)(437)^(-1) in ℤ1319, base 13
• (6 × 437^(-1)) (mod 1319) ≡ (6 × 824) (mod 1319)
• ≡ 987 (mod 1319)
• check: 987 × 437 = 327 × 1319 + 6 ≡ 6 (mod 1319)
• Do the brute force computation of the powers of 13 (mod 1319) until (Salvation day!) we get the x value
• x = 689 (= log 6 – log 437 = 710 – 21, from the table)
Shanks' algorithm: the 'baby step giant step' algorithm
• Obtain n = 1 + ⌊√p⌋
• Form a list of (n + 1) elements: 1, g^1, g^2, . . . , g^n
• Let f ≡ g^(–n) ⇒ form a list of (n + 1) elements: h, hf, hf^2, . . . , hf^n
• Scan the two lists and identify an element of the first list that matches one of the elements of the second list, with indices i and j
• g^i ≡ h f^j (mod p) ⇒ g^(i + jn) ≡ h (mod p)
• ⇒ i + jn is the DL of h
• For a given p ⇒ g and f are fixed
• For a given h, update the lists in parallel, check for a match and stop on a match.
• See the book for the algorithm
• DL of 437 (mod 1319) to base 13:
• p = 1319, g = 13 and n = 1 + ⌊√1319⌋ = 37
• f ≡ g^(–n) ≡ 13^(–37) (mod 1319): 13^37 ≡ 52 and 52^(–1) ≡ 1040 (mod 1319) by the extended Euclidean algorithm, so f ≡ 1040
• h = 437
• Both arrays in the Table ⇒ match at index k = 21 of the first list and index 0 of the second
• 13^21 ≡ 437 (mod 1319) ⇒ the DL is 21 + 0 × 37 = 21
• first list ⇒ multiply an element by g and obtain the next element
• ⇒ 'baby step', g being (usually) a small integer
• Second list ⇒ multiply an element by g^(–n) and obtain the next element ⇒ 'giant step'
• ⇒ 'baby step giant step' algorithm
• Each list ⇒ a maximum of n modular multiplications and (n + 1) entries
k:                      0     1     2     3     4     5     6     7      8     9     10
g^k (mod 1319):         1     13    169   878   862   654   588   1049   447   535   360
h g^(–37k) (mod 1319):  437   744   826   371   692   825   650   672    1129  250   157
k:                      11    12    13    14    15    16    17    18     19    20    21
g^k (mod 1319):         723   166   839   355   658   640   406   2      26    338   437
h g^(–37k) (mod 1319):  502   1075  807   396   312   6     120   814    1081  1043  964
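Shanks' baby-step giant-step as an added Python example that is not the slides' or the book's code. The baby steps are kept in a dictionary so that the match is a hash lookup rather than a scan of two lists, and g^(–n) is obtained with `pow(g, -n, p)` (Python 3.8 and later), which is the inverse the slides get from the extended Euclidean algorithm. The function names are the example's own; the test values are the slides'.

```python
"""Shanks' baby-step giant-step as an added example (not the slides' code).
Baby steps are stored in a dictionary so the match is a hash lookup rather
than a scan of two lists; g^(-n) is computed with pow(g, -n, p)
(Python 3.8+), the inverse the slides get from the extended Euclidean
algorithm."""

from math import isqrt


def baby_step_giant_step(g: int, h: int, p: int):
    """Return x with g^x == h (mod p), or None if h is not a power of g.

    n = 1 + floor(sqrt(p)); baby steps g^i for 0 <= i <= n, giant steps
    h * g^(-n*j) for 0 <= j <= n; a collision g^i == h g^(-nj) gives
    x = i + j*n.  Cost O(sqrt p) time and memory, which is why p must be
    large (hundreds of digits) for the discrete log to be hard.
    """
    n = 1 + isqrt(p)
    baby = {}
    e = 1
    for i in range(n + 1):          # baby steps: multiply by g each time
        baby.setdefault(e, i)       # keep the smallest i for each value
        e = e * g % p
    f = pow(g, -n, p)               # giant step factor g^(-n)
    gamma = h % p
    for j in range(n + 1):          # giant steps: multiply by g^(-n) each time
        if gamma in baby:
            return baby[gamma] + j * n
        gamma = gamma * f % p
    return None


def bsgs_tables(g: int, h: int, p: int, k_max: int):
    """The two lists the slides print: [(k, g^k, h*g^(-nk))] for k <= k_max."""
    n = 1 + isqrt(p)
    f = pow(g, -n, p)
    rows, e, gamma = [], 1, h % p
    for k in range(k_max + 1):
        rows.append((k, e, gamma))
        e, gamma = e * g % p, gamma * f % p
    return rows
```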
Chinese Remainder Theorem (CRT)
x ≡ 4 (mod 10)
x ≡ 6 (mod 13): solve for x
⇒ 10 and 13 intentionally chosen with gcd(10, 13) = 1
first congruence: x = 4 + 10k (#), k ∈ ℤ
Substituting in the second congruence gives
4 + 10k ≡ 6 (mod 13), i.e. 4 + 10k = 6 + 13l, k, l ∈ ℤ
⇒ 10k = 2 + 13l (*)
10 × 4 = 40 ≡ 1 (mod 13) ⇒ 10^(-1) (mod 13) ≡ 4
Multiplication of equation (*) by 4 gives
40k = 8 + 13 × 4l
⇒ k ≡ 8 (mod 13) ⇒ substitute in (#) ⇒
⇒ x = 4 + 10 × 8 = 84, the smallest positive integer value for x (the general solution is x ≡ 84 (mod 130))
• One approach to the DLP ⇒ split the problem into a set of smaller DLPs
• Solve each and combine the results
• Use the solution of multiple congruences
• ⇒ using the 'Chinese remainder theorem'
• m1, m2, m3, . . . , mt ∈ ℤ such that gcd(mi, mj) = 1 for every pair i, j (i ≠ j)
• mi, mj ⇒ relatively prime when taken in pairs
• The simultaneous congruences x ≡ a1 (mod m1), x ≡ a2 (mod m2), x ≡ a3 (mod m3), . . . , x ≡ at (mod mt) have a solution.
• If c1 and c2 are two solutions
c2 ≡ c1 (mod (m1 m2 m3 . . . mt))
Proof by induction
• c1 = a1 + k m1
• With k ∈ ℤ, every such c1 satisfies the first congruence
• Let x ≡ ci (mod (m1 m2 m3 . . . mi))
• ⇒ satisfies all the congruences 1 to i
• ⇒ x = ci + k m1 m2 m3 . . . mi, where k ∈ ℤ
• Select k such that the (i + 1)th congruence is satisfied (possible because gcd(m1 m2 . . . mi, mi+1) = 1 makes m1 m2 . . . mi invertible modulo mi+1)
• Continue till i = t and get x
• Solve x ≡ 4(mod 10) ≡ 6(mod 13) ≡ 4(mod 7) ≡
2 (mod11)
• first congruence  x = 4 + k  10 #
• Substitute in second  4 + k  10 ≡ 6 (mod 13)
•  k  10 ≡ 2 (mod 13)
• k satisfies equation k  10 = 2 + l  13 *
• Since
• 4  10 = 40 ≡ 1 (mod 13)  10-1 ≡ 4 (mod 13)
• Multiplying both sides of Equation (*) by 4
• k  40 = 8 + l  13  4
• Take congruent modulo 13  k = 8
• Substitute in Equation (# )  x = 84(mod130)
• satisfies first two congruences.
• Use with third congruence & similar procedure 
• 84 + k1 130 ≡ 4 (mod 7)  k1 130 ≡ -80 (mod7)
• ≡ - 3 (mod 7) ≡ 4 (mod 7)
80
•
•
•
•
•
•
•
•
•
•
•
Since 130 = 4 + 18  7 above equation simplifies to
k1 4 ≡ 4 (mod7)
Smallest k1 satisfying this congruence  k1 = 1
Substitution in Equation (1.44) gives
x ≡ (84 + 1  130)(mod(130  7)  simplify 
x ≡ 214(mod910)  x satisfies first three congruences
Use with fourth congruence 
214 + k2 910 ≡ 2 (mod 11) Solve for k2 as earlier
k2 = 1 smallest value of k2
 x = 214 + 910
= 1124
81
Chinese remainder theorem: altered form
• Let M = m1 m2 m3 . . . mt and Mi = M / mi
• yi ≡ Mi^(-1) (mod mi): y1 ≡ M1^(-1) (mod m1), y2 ≡ M2^(-1) (mod m2), . . .
• Consider y = a1 y1 M1 + a2 y2 M2 + a3 y3 M3 + . . . + at yt Mt
• y1 M1 ≡ 1 (mod m1) ⇒ a1 y1 M1 (mod m1) ≡ a1
• a2 y2 M2, a3 y3 M3, . . . , at yt Mt are all divisible by m1.
• ⇒ y (mod m1) ≡ a1
• Similarly y (mod m2) ≡ a2, . . . , y (mod mt) ≡ at
• ⇒ y satisfies all the congruences
• ⇒ y (mod M) satisfies all the congruences.
• Solve x ≡ 4 (mod 10) ≡ 6 (mod 13) ≡ 4 (mod 7) ≡ 2 (mod 11)
• mi, Mi, yi and ai yi Mi values computed ⇒ Table
• M = 10010 and 81204 (mod 10010) ≡ 1124
• ⇒ 1124 satisfies all the congruences.
i   mi   Mi     yi   yi Mi   ai yi Mi
1   10   1001   1    1001    4004
2   13   770    9    6930    41580
3   7    1430   4    5720    22880
4   11   910    7    6370    12740
Σ ai yi Mi = 81204
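Both forms of the Chinese remainder theorem shown above, as an added Python example that is not the slides' code: the step-by-step substitution of the worked example and the closed form Σ ai yi Mi (mod M). Modular inverses use `pow(x, -1, m)` (Python 3.8 and later) in place of the extended Euclidean algorithm; the function names are the example's own.

```python
"""Chinese remainder theorem as an added example (not the slides' code):
both the step-by-step substitution of the slides and the closed form
sum(a_i * y_i * M_i) mod M.  Modular inverses use pow(x, -1, m)
(Python 3.8+) in place of the extended Euclidean algorithm."""

from math import gcd, prod


def _check_pairwise_coprime(moduli) -> None:
    """The theorem needs gcd(m_i, m_j) = 1 for i != j; fail loudly otherwise."""
    for i, mi in enumerate(moduli):
        for mj in moduli[i + 1:]:
            if gcd(mi, mj) != 1:
                raise ValueError(f"moduli {mi} and {mj} are not coprime")


def crt_table(residues, moduli):
    """The slides' table rows: (m_i, M_i, y_i, y_i*M_i, a_i*y_i*M_i)."""
    _check_pairwise_coprime(moduli)
    M = prod(moduli)
    rows = []
    for a, m in zip(residues, moduli):
        Mi = M // m
        yi = pow(Mi, -1, m)            # y_i = M_i^-1 mod m_i
        rows.append((m, Mi, yi, yi * Mi, a * yi * Mi))
    return rows


def crt_closed_form(residues, moduli) -> int:
    """x with x == a_i (mod m_i) for all i, as sum(a_i y_i M_i) mod M."""
    M = prod(moduli)
    return sum(row[4] for row in crt_table(residues, moduli)) % M


def crt_incremental(residues, moduli) -> int:
    """Fold the congruences in one at a time, as the slides do by hand:
    keep x mod (m_1 ... m_i) and choose k so that x + k*m_1...m_i satisfies
    the next congruence."""
    _check_pairwise_coprime(moduli)
    x, mod = residues[0] % moduli[0], moduli[0]
    for a, m in zip(residues[1:], moduli[1:]):
        k = ((a - x) * pow(mod, -1, m)) % m    # solve x + k*mod == a (mod m)
        x, mod = x + k * mod, mod * m
    return x % mod
```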
• Use Fermat's little theorem, the Chinese remainder theorem and the properties of numbers in different ways
• Get discrete logarithms, powers and roots of numbers to a specific modulus
• g ∈ ℤp a primitive element and a ≡ g^(2k) (mod p)
• b, a square root of a (mod p): b ≡ g^k (mod p)
• a^((p+1)/2) ≡ g^((p+1)k) (mod p)
• ≡ g^((p–1)k) g^(2k) (mod p)
• ≡ g^(2k) (mod p) ≡ a (mod p)
• ⇒ a^((p+1)/4) ≡ g^(k(p+1)/2) ≡ g^k × (g^((p–1)/2))^k ≡ ±g^k (mod p), a square root of a either way (requires p ≡ 3 (mod 4), so that (p + 1)/4 is an integer)
• (Implicit) condition ⇒ a has a square root, i.e. a is an even power of g (a quadratic residue)
a^(nk) ≡ a^(nk) a^((p–1)k) (mod p)
⇒ a^n ≡ a^n a^(p–1) (mod p)
≡ a^(p–1+n) (mod p)
If (p – 1) is divisible by n, let p – 1 = jn
a^n ≡ a^((j+1)n) (mod p)
⇒ a^(j+1) is an n-th root of a^n; when a is itself an n-th power modulo p it equals a, i.e. a ≡ a^(j+1) (mod p)
Factorize j + 1 and obtain the corresponding different roots of a modulo p: for n' ∣ (j + 1), (a^((j+1)/n'))^n' ≡ a^(j+1) ≡ a
• Obtain the square root of 4473 modulo 28547:
• ⇒ 28547 is a prime, and 28547 ≡ 3 (mod 4)
• Let a = 4473
• 4473^((p+1)/4) ≡ 4473^(28548/4) (mod 28547)
• ≡ 4473^7137 (mod 28547)
• ≡ 12333 (mod 28547)
• Check: 2 is a primitive element
• 4473 ≡ 2^948 (mod 28547)
• and
• 12333 ≡ 2^474 (mod 28547) (k = 474 is even, so the sign is +; 12333^2 ≡ 4473 (mod 28547))
Obtain the cube root of 14523 modulo 30319:
30319 is a prime
p + 2 = 30321 = 3 × 10107 = 9 × 3369
14523^30321 = 14523^30318 × 14523^3
≡ 14523^3 (mod 30319)
Taking cube roots
14523^10107 ≡ 14523 (mod 30319) (exact when 14523 is a cube modulo 30319, which the check below confirms)
Taking cube roots again (after swapping the left and right sides of the above equation)
• 14523^(1/3) ≡ 14523^3369 (mod 30319)
• ≡ 25340 (mod 30319)
• (check: 25340^3 ≡ 14523 (mod 30319))
• 1319 is a prime:
• For a ∈ ℤ1319 use a^1320 and obtain the different possible roots of a:
• a^1318 ≡ 1 (mod 1319)
• a^1320 ≡ a^2 (mod 1319)
• a ≡ a^660 (mod 1319) (when a is a quadratic residue; otherwise a^660 ≡ –a)
• 660 = 2^2 × 3 × 5 × 11
• Different roots of a can be obtained as powers of a (mod 1319)
• Some of them are given below:
• a^(1/4) ≡ a^165 (mod 1319)
• a^(1/5) ≡ a^132 (mod 1319)
• a^(1/11) ≡ a^60 (mod 1319)
• a^(1/12) ≡ a^55 (mod 1319)
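Roots modulo a prime, covering the square-root shortcut for p ≡ 3 (mod 4), the 11th root of 27 modulo 31 computed earlier with Fermat's theorem, the cube root modulo 30319 and the ℤ1319 roots above, as one added Python example that is not the slides' code. Each case checks first (by Euler's criterion) that the root exists, which the slides leave implicit; the function names and the case analysis are the example's own.

```python
"""Roots modulo a prime as an added example (not the slides' code):
square roots for p == 3 (mod 4) via a^((p+1)/4), and n-th roots via an
exponent e with n*e == 1 modulo the relevant group order, with Euler's
criterion checking first that a root exists.  Values are the slides'."""

from math import gcd


def sqrt_mod_p(a: int, p: int) -> int:
    """A square root of a modulo a prime p with p == 3 (mod 4).

    If a = g^(2k) then a^((p+1)/4) = g^k * g^(k(p-1)/2) = +-g^k, and both
    signs are square roots.  Euler's criterion a^((p-1)/2) == 1 rejects
    non-residues, for which the formula would return garbage."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p == 3 (mod 4)")
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        raise ValueError(f"{a} is not a quadratic residue modulo {p}")
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a
    return r


def nth_root_mod_p(a: int, n: int, p: int) -> int:
    """An n-th root of a modulo the prime p.

    Case 1, gcd(n, p-1) == 1: x = a^(n^-1 mod (p-1)) is the unique root
    (27^(1/11) mod 31 = 27^11 = 27).
    Case 2, n | p-1 and gcd(n, (p-1)/n) == 1: roots exist only if
    a^((p-1)/n) == 1; then x = a^e with n*e == 1 (mod (p-1)/n), which is
    the slides' 14523^3369 mod 30319.
    Case 3, n | (p+1)/2 and a a quadratic residue: a^((p+1)/2) == a, so
    x = a^((p+1)/(2n)), the slides' a^165, a^132, a^60, a^55 modulo 1319."""
    a %= p
    if a == 0:
        return 0
    order = p - 1
    if gcd(n, order) == 1:
        return pow(a, pow(n, -1, order), p)
    if order % n == 0 and gcd(n, order // n) == 1:
        sub = order // n                 # an n-th power lies in this subgroup
        if pow(a, sub, p) != 1:
            raise ValueError(f"{a} is not an n-th power residue modulo {p}")
        return pow(a, pow(n, -1, sub), p)
    half = (p + 1) // 2
    if half % n == 0 and pow(a, order // 2, p) == 1:
        return pow(a, half // n, p)
    raise ValueError("no root found with these shortcuts")
```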
DLs for p of the form 2^n + 1
*
• A novel procedure available for DLs with p in the form 2^n + 1
• Such ps – restricted in number (17, 257, 65537, . . .)
• DL of 7 to base 3 modulo 17:
• 17 – prime & 3 – a primitive element
• We have to compute x : 3^x ≡ 7 (mod 17)
• x can be any number in range 0 to 15
• x = 2^0 x0 + 2^1 x1 + 2^2 x2 + 2^3 x3
  3^{x0 + 2^1 x1 + 2^2 x2 + 2^3 x3} ≡ 7 (mod 17)
• Evaluate x0, x1, x2, & x3 by successively raising the above equation to the powers 2^3, 2^2, and 2^1
89
• Take both sides to the power 2^3:
  3^{2^3 x0 + 2^4 x1 + 2^5 x2 + 2^6 x3} ≡ 7^{2^3} (mod 17)
*
• 3^{2^4} ≡ 1 (mod 17) ⇒ all powers of 3 with exponents 2^4 x1, 2^5 x2, 2^6 x3 are ≡ 1 (mod 17)
• ⇒ 3^{2^3 x0} ≡ 7^{2^3} (mod 17)
• 3^{2^3} ≡ 16 (mod 17) & 7^8 ≡ 16 (mod 17)
• ⇒ 16^{x0} ≡ 16 (mod 17) ⇒ x0 = 1
• Substitute x0 = 1:
  3^{1 + 2^1 x1 + 2^2 x2 + 2^3 x3} ≡ 7 (mod 17)
90
• Multiplying by 3^{-1} (mod 17) ≡ 6 (mod 17) and simplifying
  3^{2^1 x1 + 2^2 x2 + 2^3 x3} ≡ 8 (mod 17)
*
• Taking both sides to the power 2^2 and simplifying
  3^{2^3 x1} ≡ 8^4 (mod 17)
• 16^{x1} ≡ 16 (mod 17) ⇒ x1 = 1
• Substitute x1 = 1:
  3^{2 + 2^2 x2 + 2^3 x3} ≡ 8 (mod 17)
• Multiply by 3^{-2} ≡ 2 (mod 17) ⇒ 3^{2^2 x2 + 2^3 x3} ≡ 16 (mod 17)
• Continue: squaring gives 3^{2^3 x2} ≡ 16^2 ≡ 1 (mod 17) ⇒ x2 = 0; then 3^{2^3 x3} ≡ 16 (mod 17) ⇒ x3 = 1
• x = x0 + 2x1 + 2^2 x2 + 2^3 x3 = 11
• Check
• 3^{11} ≡ 7 (mod 17)
91
*
Procedure for primes – 2^n + 1
• steps :
• p – 1 = 2^n & h ≡ g^x (mod p), g a primitive element
• For a given h, x has range 0 to 2^n – 1
• ⇒ x = 2^0 x0 + 2^1 x1 + 2^2 x2 + . . . + 2^{n-1} x_{n-1}
• With
  g^{x0 + 2^1 x1 + 2^2 x2 + 2^3 x3 + . . . + 2^{n-1} x_{n-1}} ≡ h (mod p)
• Take 2^{n-1}th power, simplify (g^{2^{n-1}} ≡ -1 (mod p), so the left side reduces to (-1)^{x0}), & evaluate x0
• Substitute x0, multiply by g^{-x0}, simplify & get
  g^{2^1 x1 + 2^2 x2 + 2^3 x3 + . . . + 2^{n-1} x_{n-1}} ≡ h1 (mod p)
• Take 2^{n-2}th power, simplify, and evaluate x1
• Repeat steps until all xi including x_{n-1} are evaluated
92
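The bit-by-bit procedure of slides 89–92 as working Python. This is an added example, not code from the original slides; the function names are my own, and the only inputs taken from the slides are p = 17, g = 3, h = 7 (the p = 257 case in the demo is mine). It relies on g^{2^{n-1}} ≡ -1 (mod p) for a primitive g, so no lookup table is needed: the isolated bit shows up as +1 or -1.

```python
"""Discrete log for a prime p = 2^n + 1, one bit at a time (added example)."""


def fermat_prime_exponent(p):
    """Return n if p == 2^n + 1, else None."""
    m = p - 1
    n = m.bit_length() - 1
    return n if m == 1 << n else None


def dlog_fermat_prime(g, h, p):
    """x in [0, 2^n) with g^x == h (mod p), for p = 2^n + 1 and g primitive.

    Round i holds h_i = g^(2^i x_i + 2^(i+1) x_{i+1} + ...). Raising it to
    2^(n-1-i) kills every term but the first (g^(2^n) == 1) and turns the
    first into (g^(2^(n-1)))^x_i == (-1)^x_i, which reads off the bit.
    """
    n = fermat_prime_exponent(p)
    if n is None:
        raise ValueError("p is not of the form 2^n + 1")
    if pow(g, (p - 1) // 2, p) != p - 1:
        raise ValueError("g is not a primitive element mod p")
    g_inv = pow(g, -1, p)      # modular inverse (Python 3.8+)
    x, h_i = 0, h % p
    for i in range(n):
        t = pow(h_i, 1 << (n - 1 - i), p)
        if t == 1:
            bit = 0
        elif t == p - 1:
            bit = 1
        else:
            raise ValueError("h is not a power of g")   # impossible for primitive g
        x |= bit << i
        if bit:
            # strip the recovered term g^(2^i) so the next round isolates x_{i+1}
            h_i = h_i * pow(g_inv, 1 << i, p) % p
    return x


if __name__ == "__main__":
    print("log_3 7 (mod 17)  =", dlog_fermat_prime(3, 7, 17))          # slides 89-91
    h = pow(3, 200, 257)
    print("log_3 %d (mod 257) =" % h, dlog_fermat_prime(3, h, 257))   # 3 is primitive mod 257
```

The multiply-by-g^{-2^i} step is what the slides do when they multiply by 3^{-1} and then 3^{-2}; doing it only when the bit is 1 is the same arithmetic with the zero terms skipped.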
*
• procedure – DL: n-bit binary number ⇒ n iterative steps
• ⇒ extend to e-digit number to radix q
• DL: e-digit number ⇒ range 0 to q^e – 1
• Consider prime p with p – 1 = q^e · q2, where q ∤ q2
• Let g ∈ ℤp : g^{q^e} ≡ 1 (mod p)
• g: q2-th power of a primitive element & not a primitive element of p (unless q2 = 1); g generates the subgroup of order q^e, so h must lie in that subgroup for x to exist
• Express h as g^x (mod p)
• ⇒ x = DL of h to base g (mod p)
93
*
Procedure
• x = q^0 x0 + q^1 x1 + q^2 x2 + . . . . + q^{e-1} x_{e-1}
  g^{q^0 x0 + q^1 x1 + q^2 x2 + q^3 x3 + . . . + q^{e-1} x_{e-1}} ≡ h (mod p)
• Take both sides to the power q^{e-1}.
  LHS: = g^{q^{e-1} x0 + q^e x1 + q^{e+1} x2 + q^{e+2} x3 + . . . + q^{2(e-1)} x_{e-1}}
  = g^{q^{e-1} x0} (mod p) since g^{q^e} & all its integral powers are equal to 1 (mod p).
• ⇒ g^{q^{e-1} x0} ≡ h^{q^{e-1}} (mod p)
• Prepare look-up table of x0 ~ g^{q^{e-1} x0} ⇒ q entries: Use table & identify x0 value
• Substitute ⇒
  g^{x0} · g^{q^1 x1 + q^2 x2 + q^3 x3 + . . . + q^{e-1} x_{e-1}} ≡ h (mod p)
94
• Multiply by g^{-x0} (mod p) & get
  g^{q^1 x1 + q^2 x2 + q^3 x3 + . . . + q^{e-1} x_{e-1}} ≡ g^{-x0} h (mod p)
*
• Take both sides to power q^{e-2}
• Repeat steps & evaluate x1 ⇒ Use same LUT
• Repeat steps & form reduced equation
• Continue iterative procedure to evaluate all xi including x_{e-1}
95
*
Evaluate DL of 60 to base 4 with p = 163
• 163 is a prime, 162 = 2 · 3^4
• 2 ∈ ℤ163 is a primitive element & 4 = 2^2 ⇒ 4^{3^4} = 4^{81} ≡ 1 (mod 163)
• Express 60 as 4^x ≡ 60 (mod 163)
• x has range 0 to 3^4 – 1
• x = x0 + 3x1 + 9x2 + 27x3 (note 9 = 3^2 & 27 = 3^3)
  4^{x0 + 3x1 + 9x2 + 27x3} ≡ 60 (mod 163)
• Take both sides to power 27 & simplify
  4^{27x0} ≡ 60^{27} (mod 163) ≡ 58 (mod 163)
• 4^{27} ≡ 104 (mod 163) & 4^{54} ≡ 58 (mod 163)
• ⇒ x0 = 2
• Substitute, multiply by 16^{-1} ≡ 51 (mod 163), & simplify
96
• 4^{3x1 + 9x2 + 27x3} ≡ 126 (mod 163)
*
• ⇒ Take 9th power & simplify
• 4^{27x1} ≡ 126^9 (mod 163) ≡ 104 (mod 163) ⇒ x1 = 1
• Substitute, multiply by 64^{-1} (≡ 135 (mod 163)), & simplify
• 4^{9x2 + 27x3} ≡ 58 (mod 163)
• Take 3rd power & simplify: 4^{27x2} ≡ 58^3 ≡ 1 (mod 163) ⇒ x2 = 0
• Since 4^{54} ≡ 58 (mod 163), x3 = 2
• Substitute for x0, x1, x2, and x3
• x = 2 + 3 · 1 + 9 · 0 + 27 · 2
  = 59 ⇒ 59 is the desired DL
• Check: 4^{59} ≡ 60 (mod 163)
97
Pohlig Hellman Algorithm
• DL based on the factors of p-1
• g, h, & x ∈ ℤp: g is a primitive element of ℤp
• Factorize p-1 ⇒ p – 1 = q1^{e1} · q2^{e2} · . . . · qt^{et}
• ⇒ q1, q2, . . qt are primes & e1, e2, . . et respective integer exponents.
• Obtain ai = (p – 1) / qi^{ei} for all i from 1 to t.
*
• Evaluate gi ≡ g^{ai} (mod p) for all i from 1 to t.
• Evaluate hi ≡ h^{ai} (mod p) for all i from 1 to t.
• Use procedure of last algorithm & obtain DL – xi of hi to base gi for all i from 1 to t (gi has order qi^{ei}, so xi is an ei-digit number to radix qi)
98
*
• Note: definition of hi & gi implies xi exists (hi is a power of g^{ai}, the generator of the subgroup of order qi^{ei})
• Express x as a set of multiple congruences
• g1^{x1} ≡ h1 (mod p) ⇒ g^{a1 x1} ≡ g^{x a1} (mod p)
• ⇒ g^{a1 x1} ≡ g^{k a1 q1^{e1}} g^{x a1} (mod p) : k – an integer (g^{a1 q1^{e1}} = g^{p-1} ≡ 1)
• ⇒ a1 x1 = k a1 q1^{e1} + a1 x ⇒ x1 = k q1^{e1} + x, which implies the congruence x ≡ x1 (mod q1^{e1})
• Similarly x ≡ x2 (mod q2^{e2}) . . . x ≡ xt (mod qt^{et})
• Use Chinese remainder theorem & solve above congruences & evaluate x
99
*
Find log_3 597 (mod 18523).
• 18523 is a prime & 3 is a primitive element
• p – 1 = 2 · 3^3 · 7^3
• qi, ei, ai = (p – 1) / qi^{ei}, gi ≡ g^{ai} (mod p), & hi ≡ h^{ai} (mod p) are in the table

  Sl.No.   qi   ei   ai      gi      hi      xi
  1        2    1    9261    18522   1       0
  2        3    3    686     17365   3292    22
  3        7    3    54      8373    4984    25

• h1 ≡ 1 ≡ g1^0 ⇒ exponent of 2 is zero ⇒ x1 = 0
100
*
• Use g2 & h2 ⇒ 17365^{x2} ≡ 3292 (mod 18523)
• x2 – 3-digit ternary number: x2 = x20 + 3x21 + 3^2 x22
  17365^{x20 + 3x21 + 3^2 x22} ≡ 3292 (mod 18523)   #
• Take 3^2 power & simplify using 17365^9 ≡ 15458 (mod 18523) & 17365^{27} ≡ 1 (mod 18523)
  17365^{9x20} ≡ 3292^9 (mod 18523)
  15458^{x20} ≡ 15458 (mod 18523) ⇒ x20 = 1
• Substitute in #, use 17365^{-1} ≡ 7406 (mod 18523) & simplify ⇒
  17365^{3x21 + 3^2 x22} ≡ 4282 (mod 18523)   $
• Take 3rd power & simplify ⇒ 17365^{9x21} ≡ 4282^3 (mod 18523)
• 15458^{x21} ≡ 15458 (mod 18523) ⇒ x21 = 1
101
• Substitute in $, multiply by 17365^{-3} & simplify ⇒ *
  17365^{3^2 x22} ≡ 3064 (mod 18523)
  15458^{x22} ≡ 3064 (mod 18523)
• Since 15458^2 ≡ 3064 (mod 18523) ⇒ x22 = 2
• Using the values of x20, x21, & x22 we get
• x2 = 1 + 3 · 1 + 3^2 · 2 = 22
• Proceed similarly to evaluate x3 ⇒ x3 = 25
• x1, x2, & x3 satisfy congruences:
• x ≡ 0 (mod 2); x ≡ 22 (mod 27); x ≡ 25 (mod 343)
• Solve these congruences
• ⇒ x = 17518 ← smallest positive value of x.
• Check: 3^{17518} ≡ 597 (mod 18523)
102
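The radix-q digit procedure of slides 93–97 together with the Pohlig-Hellman combination of slides 98–102, as working Python (one block serves both passages, since the second is built on the first). This is an added example, not code from the original slides; the helper names, the trial-division factoriser and the CRT routine are my own. The inputs are the slides' examples (4^x ≡ 60 (mod 163), log_3 597 (mod 18523)) plus the base-2 variant log_2 60 (mod 163), which is mine. The caveat a practitioner should take away: the whole attack costs roughly the sum of the largest prime factors of p-1, not their product, which is why DL-based systems insist on p-1 having a large prime factor.

```python
"""Pohlig-Hellman DL from the radix-q digit procedure (added example)."""


def factor(n):
    """Prime factorisation by trial division: [(q, e), ...] with q ascending.
    Enough for slide-sized moduli; a real attack would use a proper factoriser."""
    out, q = [], 2
    while q * q <= n:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        if e:
            out.append((q, e))
        q += 1
    if n > 1:
        out.append((n, 1))
    return out


def dlog_prime_power(g, h, q, e, p):
    """Slides 93-95: x in [0, q^e) with g^x == h (mod p), where g has order
    exactly q^e modulo the prime p. Raising to q^(e-1) isolates the lowest
    base-q digit; it is read off a q-entry lookup table, divided out, and the
    exponent drops by one power of q each round."""
    root = pow(g, q ** (e - 1), p)                    # an element of order q
    table = {pow(root, d, p): d for d in range(q)}    # g^(q^(e-1) * d) -> d
    if len(table) != q:
        raise ValueError("g does not have order q^e")
    g_inv = pow(g, -1, p)
    x, h_i = 0, h % p
    for i in range(e):
        t = pow(h_i, q ** (e - 1 - i), p)             # only digit x_i survives
        if t not in table:
            raise ValueError("h is not in the subgroup generated by g")
        digit = table[t]
        x += digit * q ** i
        h_i = h_i * pow(g_inv, digit * q ** i, p) % p  # remove g^(q^i x_i)
    return x


def crt(residues, moduli):
    """Smallest non-negative x with x == r_i (mod m_i) for pairwise coprime m_i."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        t = (r - x) * pow(m, -1, mod) % mod
        x += m * t
        m *= mod
    return x % m


def pohlig_hellman(g, h, p):
    """Slides 98-99: log_g(h) modulo the prime p for a primitive element g.
    For each q^e dividing p-1 exactly, project g and h into the subgroup of
    order q^e (exponent a = (p-1)/q^e), solve there, then recombine the
    residues x mod q^e with the CRT."""
    order = p - 1
    residues, moduli = [], []
    for q, e in factor(order):
        a = order // q ** e
        g_i, h_i = pow(g, a, p), pow(h, a, p)
        residues.append(dlog_prime_power(g_i, h_i, q, e, p))
        moduli.append(q ** e)
    return crt(residues, moduli)


if __name__ == "__main__":
    print("log_4 60 (mod 163)    =", dlog_prime_power(4, 60, 3, 4, 163))  # slide 97
    x = pohlig_hellman(3, 597, 18523)                                     # slide 102
    print("log_3 597 (mod 18523) =", x, "check:", pow(3, x, 18523) == 597)
```

The two ValueError branches are the checks the slides call "implicit": the table only has q distinct entries when g really has order q^e, and the isolated digit only lands in the table when h lies in the subgroup g generates.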
• Leave out PPTs – 35, 36, 37, 54, 82, 83,
87 – 102 :  All these have ‘ * ’ mark at
top right corner
103