![Page 1: ECEN 5022 Cryptography - University of Colorado Boulderecee.colorado.edu/~mathys/ecen5022/slides/eaant90.pdf · ECEN 5022 Cryptography Elementary Algebra and Number Theory Peter Mathys](https://reader034.fdocuments.in/reader034/viewer/2022042201/5ea1c0cbc62bcb103122558d/html5/thumbnails/1.jpg)
Primes | Groups, Rings, Fields | Ring of Integers Modulo n

ECEN 5022 Cryptography
Elementary Algebra and Number Theory
Peter Mathys
University of Colorado
Spring 2008
Peter Mathys ECEN 5022 Cryptography
Divisibility, Primes
- Definition. N denotes the set {1, 2, 3, . . .} of natural numbers and Z denotes the set of integers {. . . , −2, −1, 0, 1, 2, . . .}. R denotes the real numbers and C denotes the complex numbers.
- Definition. The integer n is divisible by the integer d, denoted by d | n, if a · d = n for some integer a.
- Definition. A positive integer p, p > 1, is called a prime if it is divisible only by ±p and ±1. Any integer greater than 1 which is not prime is called composite.
- Theorem. (Euclid, 300 B.C.) There are infinitely many primes.
- Proof. Assume that the set of primes is finite, e.g., {p1, p2, . . . , pn}. Then the integer N = 1 + p1 p2 · · · pn is not divisible by any of the primes p1, . . . , pn, although N > 1 must have a prime divisor, a contradiction.
Prime Numbers
- Between any two primes there can be arbitrarily large gaps. For instance, the sequence n! + 2, n! + 3, . . . , n! + n contains n − 1 consecutive composite numbers.
- Definition. The prime counting function π(x) is defined by
  π(x) = |{p prime | p ≤ x}|,
  i.e., π(x) is equal to the number of primes less than or equal to x.
- Example: π(50) = 15 since
  2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47
  are all primes p ≤ 50.
- Prime Number Theorem. (Hadamard, de la Vallée Poussin, 1896) π(x) satisfies
  $$\lim_{x \to \infty} \frac{\pi(x)\,\ln(x)}{x} = 1 \;\Longrightarrow\; \pi(x) \approx \frac{x}{\ln x}.$$
Example
- Using π(x) ≈ x/ln x, the number of primes with n decimal digits is
  $$\pi(10^n) - \pi(10^{n-1}) \approx \frac{9n-1}{n\,(n-1)}\,10^{n-1}\log_{10} e \approx \frac{10^n}{3n}.$$
- Approximate numerical values are

  | n | bits | π(10^n) − π(10^(n−1)) |
  |-----|------|-------------------------|
  | 38 | 128 | ≈ 3.5 × 10^36 |
  | 77 | 256 | ≈ 5.9 × 10^74 |
  | 100 | 332 | ≈ 3.9 × 10^97 |
  | 154 | 512 | ≈ 3.4 × 10^151 |
  | 308 | 1024 | ≈ 1.9 × 10^305 |
  | 617 | 2048 | ≈ 1.7 × 10^613 |

- As can be seen, there is no shortage of primes with n digits.
Greatest Common Divisor
- Definition: The greatest common divisor of two integers n1 and n2, denoted gcd(n1, n2), is the largest positive integer that divides both n1 and n2.
- Definition: If gcd(n1, n2) = 1, then n1 and n2 are said to be relatively prime.
- Example: Fermat's (little) theorem states that for p prime
  p | (a^(p−1) − 1), if gcd(a, p) = 1,
  e.g., 5 divides 3^4 − 1 = 80, or 7 divides 2^6 − 1 = 63.
- Definition: The least common multiple of two integers n1 and n2, denoted lcm(n1, n2), is the smallest positive integer divisible by both n1 and n2.
Division Algorithm
- Theorem: Division Algorithm. Given a pair of integers, c and d ≠ 0, there is a unique pair of integers q and r, called quotient and remainder, such that
  c = q · d + r, 0 ≤ r < |d|.
- Proof: Assume that there are two solutions, i.e., c = q1 · d + r1 = q2 · d + r2, with 0 ≤ r1 < |d| and 0 ≤ r2 < |d|. Thus, (q1 − q2) · d = r2 − r1 and −|d| < r2 − r1 < |d|. But since r2 − r1 must be a multiple of d, this implies that r2 − r1 = 0. Since d ≠ 0, this also implies that q1 − q2 = 0 and thus q and r are unique. QED
Remainders
- Definition: The notation
  r = R_d(c),
  means that r is the remainder of c when divided by d.
- Note: Another notation that is often used in connection with remainders is
  r ≡ c (mod d).
  This means that "r is congruent to c modulo d". In this case 0 ≤ r < |d| is not guaranteed and thus r is not unique. For example, 9 ≡ 16 (mod 7) as well as 2 ≡ 16 (mod 7).
- Theorem: Computations with remainders satisfy
  (i) R_d(a + b) = R_d(R_d(a) + R_d(b)).
  (ii) R_d(a · b) = R_d(R_d(a) · R_d(b)).
- Proof: Left as an exercise.
Euclid’s Algorithm
- Euclid's Algorithm. The greatest common divisor, gcd(n1, n2), of two integers n1, n2, n2 ≠ 0, is computed by repeated application of the division algorithm as follows:
  $$\begin{aligned}
  n_1 &= q_2\, n_2 + n_3 \\
  n_2 &= q_3\, n_3 + n_4 \\
      &\;\;\vdots \\
  n_{m-2} &= q_{m-1}\, n_{m-1} + n_m \\
  n_{m-1} &= q_m\, n_m + 0,
  \end{aligned}$$
  with 0 ≤ n_(i+1) < |n_i| at every step. The process stops when a zero remainder is obtained. The last nonzero remainder is the desired result, i.e., gcd(n1, n2) = n_m.
- Proof: Sketch. Use the fact that gcd(n1, n2) = gcd(n1 + k n2, n2), for any integer k.
Euclid’s Extended Algorithm
- Corollary: For any integers n1 and n2 ≠ 0 there exist integers a and b such that
  gcd(n1, n2) = a n1 + b n2.
  That is, gcd(n1, n2) can be expressed as a linear combination of n1 and n2.
- Proof: Use Euclid's algorithm, starting with the last equation and working backwards to the first equation, to compute
  $$\begin{aligned}
  \gcd(n_1, n_2) = n_m &= n_{m-2} - q_{m-1}\, n_{m-1} \\
  n_{m-1} &= n_{m-3} - q_{m-2}\, n_{m-2} \\
          &\;\;\vdots \\
  n_3 &= n_1 - q_2\, n_2.
  \end{aligned}$$
  Then successively eliminate all the intermediate remainders n_(m−1), n_(m−2), . . . , n3, to obtain gcd(n1, n2) as a linear combination of n1 and n2 with integer coefficients. QED
Euclid's Algorithm for gcd (flowchart)

START: Input n1, n2.
Initialize: i ← 2; a1 ← 1, b1 ← 0; a2 ← 0, b2 ← 1 (so that n1 = a1 n1 + b1 n2 and n2 = a2 n1 + b2 n2).
Loop:
  q ← ⌊n_(i−1) / n_i⌋
  n_(i+1) ← n_(i−1) − q n_i
  n_(i+1) = 0 ?
    yes: Output n_i, a_i, b_i, where n_i = gcd(n1, n2) = a_i n1 + b_i n2. STOP.
    no: i ← i + 1; a_i ← a_(i−2) − q a_(i−1); b_i ← b_(i−2) − q b_(i−1); repeat the loop.
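The flowchart as a runnable routine, added here as an example (not code from the slides): it keeps the invariant n_i = a_i n1 + b_i n2, uses a sign-safe form of the Division Algorithm so that 0 ≤ r < |d| also holds for negative inputs, and derives the modular inverse that the CRT slides later call M_i. The function names (divide, extended_euclid, mod_inverse) are my own.

```python
from __future__ import annotations


def divide(c: int, d: int) -> tuple[int, int]:
    """Division Algorithm: return (q, r) with c = q*d + r and 0 <= r < |d|.

    Python's divmod floors, so for d < 0 the remainder would be <= 0; dividing
    by |d| and flipping the sign of q keeps the remainder in [0, |d|).
    """
    if d == 0:
        raise ZeroDivisionError("divisor d must be nonzero")
    q, r = divmod(c, abs(d))
    return (-q if d < 0 else q), r


def extended_euclid(n1: int, n2: int) -> tuple[int, int, int]:
    """Return (g, a, b) with g = gcd(n1, n2) = a*n1 + b*n2.

    Follows the flowchart: the invariant n_i = a_i*n1 + b_i*n2 is maintained,
    starting from (a1, b1) = (1, 0) and (a2, b2) = (0, 1), and at each step
        q       = floor(n_{i-1} / n_i)
        n_{i+1} = n_{i-1} - q*n_i
        a_{i+1} = a_{i-1} - q*a_i
        b_{i+1} = b_{i-1} - q*b_i
    until a zero remainder appears; the last nonzero remainder is the gcd.
    """
    if n2 == 0:
        raise ValueError("n2 must be nonzero")
    n_prev, n_cur = n1, n2
    a_prev, a_cur = 1, 0
    b_prev, b_cur = 0, 1
    while True:
        q, n_next = divide(n_prev, n_cur)
        if n_next == 0:
            break
        n_prev, n_cur = n_cur, n_next
        a_prev, a_cur = a_cur, a_prev - q * a_cur
        b_prev, b_cur = b_cur, b_prev - q * b_cur
    g, a, b = n_cur, a_cur, b_cur
    if g < 0:  # only when n2 < 0 divides n1 exactly; the gcd is reported positive
        g, a, b = -g, -a, -b
    return g, a, b


def mod_inverse(x: int, n: int) -> int:
    """The M with M*x = 1 (mod n), i.e. the M_i of the CRT slides.

    Exists exactly when gcd(x, n) = 1, i.e. when x is a unit of Z_n.
    """
    g, a, _ = extended_euclid(x, n)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {n}: gcd = {g}")
    return a % n


if __name__ == "__main__":
    # Constructed check values: the three gcd computations of the CRT example slide.
    for n1, n2 in [(20, 3), (15, 4), (12, 5)]:
        g, a, b = extended_euclid(n1, n2)
        print(f"gcd({n1}, {n2}) = {g} = {a}*{n1} + {b}*{n2}; "
              f"{n1}^-1 mod {n2} = {mod_inverse(n1, n2)}")
```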
Groups, Rings, Fields
- Over the reals R (or rationals Q or complex numbers C) one can add, subtract, multiply, and divide.
- Over the integers Z one can add, subtract, and multiply.
- Group: Set of mathematical objects for which "addition" and "subtraction" are defined.
- Ring: Set of mathematical objects for which "addition", "subtraction" and "multiplication" are defined.
- Field: Set of mathematical objects for which "addition", "subtraction", "multiplication" and "division" are defined.
- Note: "addition", "subtraction", "multiplication" and "division" are not necessarily the usual '+', '−', '×' and '÷'.
Some Definitions
- Definition: A set S is an arbitrary collection of elements, without any predefined operations between the set elements.
- Definition: The cardinality |S| of a set S is the number of objects in the set. |S| can be finite, countably infinite, or uncountably infinite.
- Examples: The set of tea cups in a kitchen cabinet is a finite set. The set Q of rational numbers is countably infinite. The set R of real numbers is uncountably infinite.
Axioms
Let S denote a set of mathematical objects. For any a, b, c ∈ S define the following axioms:

| Axiom | Statement | Name |
|-------|-----------|------|
| (A.1) | a + b ∈ S | Closure wrt + |
| (A.2) | a + (b + c) = (a + b) + c = a + b + c | Associativity wrt + |
| (A.3) | a + 0 = 0 + a = a, 0 ∈ S | Identity element wrt + |
| (A.4) | a + (−a) = (−a) + a = 0, (−a) ∈ S | Inverse element wrt + |
| (A.5) | a + b = b + a | Commutativity wrt + |
| (B.1) | a · b ∈ S | Closure wrt · |
| (B.2) | a · (b · c) = (a · b) · c = a · b · c | Associativity wrt · |
| (B.3) | a · 1 = 1 · a = a, 1 ∈ S − {0} | Identity element wrt · |
| (B.4) | a · (a⁻¹) = (a⁻¹) · a = 1, a, (a⁻¹) ∈ S − {0} | Inverse element wrt · |
| (B.5) | a · b = b · a | Commutativity wrt · |
| (C.1) | (a + b) · c = a · c + b · c | Distributivity |
Groups, Rings, Fields
- Depending on the subset of axioms that are satisfied the following arithmetic systems are defined:

  | Axioms satisfied | Name |
  |------------------|------|
  | (A.1) . . . (A.4) | Group |
  | (A.1) . . . (A.4), (A.5) | Commutative Group |
  | (A.1) . . . (A.5), (B.1) . . . (B.3), (C.1) | Ring with Identity |
  | (A.1) . . . (A.5), (B.1) . . . (B.3), (B.5), (C.1) | Commutative Ring with Identity |
  | (A.1) . . . (A.5), (B.1) . . . (B.5), (C.1) | Field |

- Note: Commutative groups (rings, fields) are also called Abelian groups (rings, fields) in honor of Niels Henrik Abel (1802-1829).
Notation, Definitions
- Notation:
  - A group with set of elements G and operation '∗' is denoted by <G, ∗>.
  - A ring with set of elements R and operations '+' and '·' is denoted by <R, +, ·>.
  - A field with set of elements F and operations '+' and '·' is denoted by <F, +, ·>.
- Example: The set of all permutations of n objects forms a (generally non-commutative) group under the operation of concatenation of permutations.
- Example: The set of all binary 2 × 2 matrices forms a non-commutative ring with identity under the operations of binary (i.e., modulo 2) matrix addition and binary matrix multiplication. This ring has 16 elements.
- Example: The set of all polynomials in the indeterminate x with real coefficients forms a commutative ring with identity. This ring has an infinite number of elements.
Finite Groups, Rings, Fields
- Definition: If |G| (or |R| or |F|) is finite then <G, ∗> is called a finite group (or <R, +, ·> is called a finite ring, <F, +, ·> is called a finite field).
- Definition: A finite field with q elements is denoted by GF(q), where GF stands for Galois field in honor of Evariste Galois (1811-1832).
- Theorem: Finite Fields.
  (i) If F is a finite field then F contains p^m elements for some prime p and integer m ≥ 1.
  (ii) For every prime power p^m there is a unique (up to isomorphism) finite field of order p^m, called GF(p^m) or F_(p^m).
Finite Groups, Rings, Fields
- Example: The integers 0, 1, . . . , 6 form the finite field GF(7) under the operations of addition and multiplication modulo 7. Here are the group operation tables for GF(7):

  | + | 0 | 1 | 2 | 3 | 4 | 5 | 6 |
  |---|---|---|---|---|---|---|---|
  | 0 | 0 | 1 | 2 | 3 | 4 | 5 | 6 |
  | 1 | 1 | 2 | 3 | 4 | 5 | 6 | 0 |
  | 2 | 2 | 3 | 4 | 5 | 6 | 0 | 1 |
  | 3 | 3 | 4 | 5 | 6 | 0 | 1 | 2 |
  | 4 | 4 | 5 | 6 | 0 | 1 | 2 | 3 |
  | 5 | 5 | 6 | 0 | 1 | 2 | 3 | 4 |
  | 6 | 6 | 0 | 1 | 2 | 3 | 4 | 5 |

  | × | 0 | 1 | 2 | 3 | 4 | 5 | 6 |
  |---|---|---|---|---|---|---|---|
  | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
  | 1 | 0 | 1 | 2 | 3 | 4 | 5 | 6 |
  | 2 | 0 | 2 | 4 | 6 | 1 | 3 | 5 |
  | 3 | 0 | 3 | 6 | 2 | 5 | 1 | 4 |
  | 4 | 0 | 4 | 1 | 5 | 2 | 6 | 3 |
  | 5 | 0 | 5 | 3 | 1 | 6 | 4 | 2 |
  | 6 | 0 | 6 | 5 | 4 | 3 | 2 | 1 |
More Definitions
- Definition: The elements in a ring with identity which have an inverse with respect to the second operation are called units.
- Example: The ring which is obtained by adding and multiplying integers modulo 10 has units 1, 3, 7, and 9.
- Definition: Let <G, ∗> be a group and let H be a nonempty subset of G. Then H is called a subgroup of G if <H, ∗> is a group.
- Example: In the group of non-zero integers under the operation of multiplication modulo 7, the set of elements {1, 2, 4} forms a subgroup. Another subgroup is formed by the set of elements {1, 6}.
More Definitions
- Definition: Let <R, +, ·> be a ring and let H be a nonempty subset of R. Then H is called a subring of R if <H, +, ·> is a ring.
- Note: In particular, the identity with respect to the first operation must be in H and closure must hold (under all specified operations) for elements in H.
- Definition: Let <E, +, ·> be a field. Then F ⊂ E is called a subfield of E if <F, +, ·> is a field. The field E is called an extension field of F.
- Example: Consider the field of rational numbers Q, the field of real numbers R, and the field of complex numbers C. Then Q ⊂ R ⊂ C, and Q is called a subfield of R and C is called an extension field of R.
Isomorphism
- Definition: Isomorphism. Two groups <G, +> and <G′, ∗> are isomorphic if a one-to-one mapping f(·) exists such that
  (i) a′ = f(a) (and thus a = f⁻¹(a′)) for all a ∈ G and a′ ∈ G′,
  (ii) if a′ = f(a), b′ = f(b), then
  a′ ∗ b′ = f(a + b) (and thus a + b = f⁻¹(a′ ∗ b′)),
  for any a, b ∈ G (or any a′, b′ ∈ G′).
  That is, there has to be a one-to-one correspondence between the elements of the two groups which is preserved under the group operations '+' and '∗'.
- Note: Isomorphism for rings and fields is defined analogously. In this case the one-to-one correspondence must be preserved for both operations of the rings/fields.
Subgroups
- To obtain a subgroup H of a finite group G, one can proceed as follows. Take any h ∈ G and let H be the set {h, h ∗ h, h ∗ h ∗ h, . . .}, or, using a more concise notation,
  H = {h, h², h³, . . . , h^c = 1},
  where c, called the order of H, is the smallest positive integer such that h^c = 1.
- Example: Consider the group G = {1, 2, . . . , 12} of integers under the operation of multiplication modulo 13. Starting from h = 5, the set
  H = {5¹ = 5, 5² = 12, 5³ = 8, 5⁴ = 1},
  is obtained, which forms a subgroup of G of order 4.
Subgroups
- Theorem: If G is a finite group and h ∈ G, then a smallest positive integer c, called the order of the element h, exists such that h^c = 1. Moreover, the first element in the sequence h, h², h³, . . . which is repeated is h itself.
- Proof: The element h is a member of a finite group and thus a repetition must eventually occur in h, h², h³, . . ., that is, there must be two positive integers k, m, m > k, such that h^k = h^m. Since h^(−k) must be an element of G, one can write
  1 = h^k · h^(−k) = h^m · h^(−k) = h^(m−k),
  which proves that there is at least one positive integer c such that h^c = 1. But then h^(c+1) = h and, since h, h², . . . , h^c must all be distinct (otherwise c is not the smallest positive integer such that h^c = 1), h is the first element which is repeated. QED
(Sub)Groups
- Definition: h, h², h³, . . . , h^c = 1 is called a cycle.
- Note: A cycle is a subgroup.
- Definition: A group that consists of all the powers of one of its elements, say, α, is called a cyclic group (i.e., G = {α, α², . . . , α^c = 1}). The element α is called a primitive element or a generator of the group.
- Example: Let <G, ·> be the set of integers under multiplication modulo 13. Then, choosing α = 2,

  | α⁰ = 1 | α⁴ = 3 | α⁸ = 9 | α¹² = 1 |
  |--------|--------|--------|---------|
  | α¹ = 2 | α⁵ = 6 | α⁹ = 5 | |
  | α² = 4 | α⁶ = 12 | α¹⁰ = 10 | |
  | α³ = 8 | α⁷ = 11 | α¹¹ = 7 | |

  Thus, <G, ·> is a cyclic group and α = 2 is a primitive element in this group.
Generator of a Group
- Definition: Generator of a group. A subset X of a group <G, ∗> is called a generator if every element of G can be expressed in the form x_i ∗ x_j ∗ . . . . If X is a finite set, then G is said to be finitely generated.
- Example: X = {2} is a generator of the group of integers under modulo 13 multiplication.
- Example: X = {2, 11} is a generator of the group of integers {1, 2, 4, 7, 8, 11, 13, 14} under multiplication modulo 15. Note that this group is not cyclic.
Coset Decomposition of a Group
- Definition: Coset Decomposition of a finite group with respect to a subgroup. A finite group <G, ∗> can be decomposed with respect to a subgroup <H, ∗> as follows:
  $$\begin{array}{ccccc}
  h_1 = 1 & h_2 & h_3 & \cdots & h_n \\
  g_2 * h_1 = g_2 & g_2 * h_2 & g_2 * h_3 & \cdots & g_2 * h_n \\
  g_3 * h_1 = g_3 & g_3 * h_2 & g_3 * h_3 & \cdots & g_3 * h_n \\
  \vdots & \vdots & \vdots & \ddots & \vdots \\
  g_m * h_1 = g_m & g_m * h_2 & g_m * h_3 & \cdots & g_m * h_n
  \end{array}$$
  The rows of the coset decomposition are called cosets. The first row is the subgroup H. The elements h1, g2, g3, . . . , gm in the first column are called coset leaders.
Coset Decomposition of a Group
- In general the construction of the coset decomposition proceeds as follows:
  - Start with the elements of H in the first row (each element occurs exactly once).
  - Then choose an (arbitrary) element of G which has not yet appeared in the table as coset leader and complete the corresponding coset. Repeat this step until all elements of G are used.
  - Note that the array constructed in this way is always rectangular and the construction always stops since G is finite. For non-Abelian groups left coset decompositions with elements g_i ∗ h_j are distinguished from right coset decompositions with elements h_j ∗ g_i.
Coset Decomposition of a Group
- Theorem: Every element of G appears exactly once in a coset decomposition of G.
- Proof: omitted.
- Corollary: If H is a subgroup of G, then |H| divides |G|.
- Proof: Follows from the rectangular structure of the coset decomposition. QED
- Theorem: Lagrange. The order of a finite group is divisible by the order of any of its elements.
- Proof: The group contains the cyclic subgroup generated by any element of the group. The above corollary thus proves the theorem. QED
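The cycles, element orders, generators and coset decomposition of the last seven slides, worked in the multiplicative groups modulo 13 and 15 as an added example (my code, not the lecture's); the function names are my own, and the coset table chooses leaders in increasing order so that the first row is H itself.

```python
from __future__ import annotations
from math import gcd


def units(n: int) -> list[int]:
    """Z_n^*: residues 0 <= r < n with gcd(r, n) = 1, a group under multiplication mod n."""
    return [r for r in range(n) if gcd(r, n) == 1]


def cycle(h: int, n: int) -> list[int]:
    """The cycle h, h^2, ..., h^c = 1 under multiplication mod n.

    The loop stops at the first repeated power; the theorem on the Subgroups
    slide says that this repeat is h itself, which the assert re-checks.
    """
    if gcd(h, n) != 1:
        raise ValueError(f"{h} is not in Z_{n}^*")
    powers, x = [], h % n
    while x not in powers:
        powers.append(x)
        x = (x * h) % n
    assert x == h % n, "first repeated element must be h"
    return powers


def order(h: int, n: int) -> int:
    """Order of h: the smallest c > 0 with h^c = 1 (mod n), i.e. the cycle length."""
    return len(cycle(h, n))


def generated(X, n: int) -> list[int]:
    """Subgroup generated by X: close X under multiplication mod n until nothing new appears.

    Every product x_i * x_j * ... of elements of X is reached; in a finite group
    closure under the operation already supplies the identity and inverses.
    """
    S = {x % n for x in X}
    while True:
        new = {(a * b) % n for a in S for b in S} - S
        if not new:
            return sorted(S)
        S |= new


def is_cyclic(G, n: int) -> bool:
    """A group is cyclic iff some element (a primitive element) has order |G|."""
    return any(order(h, n) == len(G) for h in G)


def coset_decomposition(G, H, n: int) -> list[list[int]]:
    """Rows g_i * H of the (left) coset decomposition of G with respect to H."""
    H = sorted(H)                      # h_1 = 1 comes first
    rows, used = [], set()
    for g in sorted(G):                # smallest unused element becomes the next leader
        if g in used:
            continue                   # g already appears in the table
        row = [(g * h) % n for h in H]
        rows.append(row)
        used.update(row)
    return rows


def lagrange_holds(G, n: int) -> bool:
    """Lagrange: |G| is divisible by the order of every element of G."""
    return all(len(G) % order(h, n) == 0 for h in G)


if __name__ == "__main__":
    G13 = units(13)
    H = cycle(5, 13)                                   # [5, 12, 8, 1], order 4
    print("cycle of 5 mod 13:", H)
    print("2 is primitive mod 13:", order(2, 13) == len(G13))
    for row in coset_decomposition(G13, H, 13):        # 3 cosets of size 4, and 4 | 12
        print(row)
    G15 = generated([2, 11], 15)                       # {1, 2, 4, 7, 8, 11, 13, 14}
    print("generated by {2, 11} mod 15:", G15, "cyclic:", is_cyclic(G15, 15))
```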
Ring of Integers Modulo n
- Definition: Z_n denotes the ring of integers modulo n with operations + (addition mod n) and · (multiplication mod n). The elements of Z_n are 0, 1, . . . , n − 1.
- Definition: The set of residues modulo n that are relatively prime to n is denoted Z*_n. Since any a ∈ Z*_n satisfies gcd(a, n) = 1, a⁻¹ exists and thus Z*_n forms an Abelian group under multiplication modulo n. The elements a ∈ Z*_n are the units of Z_n.
Euler’s Totient Function
- Definition: Euler's Totient Function φ. Euler's totient function, φ(n), evaluated at a positive integer n, is given by
  φ(n) = |{0 ≤ r < n | gcd(r, n) = 1}|,
  i.e., it is the number of integers in the set {0, 1, 2, . . . , n − 1} that are relatively prime to n. By definition, φ(1) = 1.
- Euler's totient function can be computed as follows. Assume that $n = p_1^{e_1} p_2^{e_2} \cdots p_m^{e_m}$ is the factorization of n into distinct prime powers. Then
  $$\varphi(n) = \prod_{i=1}^{m} p_i^{\,e_i - 1}\,(p_i - 1) = n \prod_{i=1}^{m} \left(1 - \frac{1}{p_i}\right).$$
Euler’s Totient Function
- Note that if gcd(n1, n2) = 1, then φ(n1 n2) = φ(n1) φ(n2), and thus
  $$\varphi(n) = \varphi(p_1^{e_1})\,\varphi(p_2^{e_2}) \cdots \varphi(p_m^{e_m}),$$
  where $\varphi(p_i^{e_i}) = p_i^{\,e_i - 1}(p_i - 1)$. Note that this also implies that φ(n) ≥ 1.
- Theorem: The order of the group Z*_n is φ(n).
- Proof: Follows directly from the definition of Euler's totient function φ(n). QED
Euler’s Theorem
- Theorem: Euler's Theorem. If a ∈ Z*_n, then
  a^φ(n) = 1 (mod n).
- Proof: The elements {r1, r2, . . . , rm} of Z*_n are all integers 0 < r < n such that gcd(r, n) = 1 and thus |Z*_n| = φ(n) = m. For each i, 1 ≤ i ≤ m, there is a unique j, 1 ≤ j ≤ m, such that a r_i = r_j (mod n). Since both a and r_i are relatively prime to n, a r_i is also relatively prime to n and thus
  $$\underbrace{a r_1 \cdot a r_2 \cdots a r_m}_{= \, a^m \,(r_1 \cdot r_2 \cdots r_m)} = r_1 \cdot r_2 \cdots r_m \pmod{n}.$$
  This implies that (a^m − 1) r1 · r2 · · · rm = 0 (mod n) and because of gcd(r_i, n) = 1 for all i it follows that a^m = a^φ(n) = 1 (mod n). QED
Fermat’s Little Theorem
- Corollary: Fermat's Little Theorem. Suppose p is a prime and a ∈ Z*_p. Then
  a^(p−1) = 1 (mod p).
- Proof: Z*_p is a multiplicative group of order φ(p) = p − 1. QED
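An added example (not from the slides) that computes φ(n) both by the product formula and straight from the definition, lists the units of Z_n (recovering the units 1, 3, 7, 9 of Z_10 from the earlier example), and checks Euler's and Fermat's theorems; the trial-division factorization is my own and is only meant for small n.

```python
from __future__ import annotations
from math import gcd


def factorize(n: int) -> list[tuple[int, int]]:
    """Trial-division factorization n = p_1^e_1 ... p_m^e_m as [(p_1, e_1), ...]."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors, p = [], 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        if e:
            factors.append((p, e))
        p += 1
    if n > 1:                         # the remaining cofactor is prime
        factors.append((n, 1))
    return factors


def phi(n: int) -> int:
    """phi(n) = prod p_i^(e_i - 1) (p_i - 1) over the prime powers of n; phi(1) = 1."""
    result = 1
    for p, e in factorize(n):
        result *= p ** (e - 1) * (p - 1)
    return result


def phi_by_definition(n: int) -> int:
    """phi(n) = |{0 <= r < n : gcd(r, n) = 1}|, directly from the definition (slow for large n)."""
    return sum(1 for r in range(n) if gcd(r, n) == 1)


def units(n: int) -> list[int]:
    """Z_n^*, the units of the ring Z_n; by the theorem above there are phi(n) of them."""
    return [r for r in range(n) if gcd(r, n) == 1]


def euler_check(a: int, n: int) -> bool:
    """Euler's theorem: a^phi(n) = 1 (mod n) for every a in Z_n^*.

    Returns False when a is not a unit, where the theorem makes no claim
    (and the congruence usually fails, e.g. 2^4 = 16 = 6 mod 10).
    """
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


def fermat_check(a: int, p: int) -> bool:
    """Fermat's little theorem as the special case phi(p) = p - 1, which holds iff p is prime."""
    return phi(p) == p - 1 and pow(a, p - 1, p) == 1


if __name__ == "__main__":
    print("units of Z_10:", units(10), "phi(10) =", phi(10))          # [1, 3, 7, 9], 4
    print("phi(60) =", phi(60), "from", factorize(60))               # 16 from 2^2 * 3 * 5
    print("3^phi(10) mod 10 == 1:", euler_check(3, 10))
    print("3^4 mod 5 == 1:", fermat_check(3, 5), " 2^6 mod 7 == 1:", fermat_check(2, 7))
```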
Chinese Remainder Theorem
- Theorem: (The Chinese Remainder Theorem.) Given n1, n2, . . . , nk such that gcd(n_i, n_j) = 1 for i ≠ j, the set of simultaneous congruences
  x = a_i (mod n_i), i = 1, 2, . . . , k,
  has a unique solution x modulo N = n1 n2 · · · nk.
- Proof: Define N_i = N/n_i. Note that gcd(N_i, n_i) = 1. Thus, using Euclid's extended algorithm,
  gcd(N_i, n_i) = 1 = M_i N_i + m_i n_i ⟹ M_i N_i = 1 (mod n_i).
  Therefore, the desired solution is
  x = a1 M1 N1 + a2 M2 N2 + . . . + ak Mk Nk (mod N).
  Check: x = a_i M_i N_i = a_i (mod n_i), since every other term a_j M_j N_j with j ≠ i contains the factor n_i and vanishes modulo n_i.
Chinese Remainder Theorem
- Proof: (contd.) To prove uniqueness of the solution, suppose that x and x′ are two different solutions satisfying
  x = a_i (mod n_i), i = 1, 2, . . . , k,
  x′ = a_i (mod n_i), i = 1, 2, . . . , k.
  Then
  ∆ = x − x′ = 0 (mod n_i), i = 1, 2, . . . , k.
  Thus, ∆ is divisible by n1, n2, . . . , nk. Since gcd(n_i, n_j) = 1 for i ≠ j, ∆ must satisfy
  ∆ = m N, m integer, N = n1 n2 · · · nk,
  which implies ∆ = 0 (mod N). QED
Chinese Remainder Theorem
Example: $n_1 = 3$, $n_2 = 4$, $n_3 = 5$, and thus $N = 60$, $N_1 = 60/3 = 20$, $N_2 = 60/4 = 15$, and $N_3 = 60/5 = 12$. Suppose that
$$x \equiv 2 \pmod 3, \qquad x \equiv 1 \pmod 4, \qquad x \equiv 4 \pmod 5.$$
Compute the quantities
$$\gcd(N_1, n_1) = \gcd(20, 3) = 1 = -1 \cdot 20 + 7 \cdot 3 \;\Longrightarrow\; M_1 = -1 \equiv 2 \pmod 3,$$
$$\gcd(N_2, n_2) = \gcd(15, 4) = 1 = -1 \cdot 15 + 4 \cdot 4 \;\Longrightarrow\; M_2 = -1 \equiv 3 \pmod 4,$$
$$\gcd(N_3, n_3) = \gcd(12, 5) = 1 = -2 \cdot 12 + 5 \cdot 5 \;\Longrightarrow\; M_3 = -2 \equiv 3 \pmod 5.$$
The solution $x$ is then obtained as
$$x \equiv 2 \cdot 2 \cdot 20 + 1 \cdot 3 \cdot 15 + 4 \cdot 3 \cdot 12 = 80 + 45 + 144 = 269 \equiv 29 \pmod{60}.$$
Check:
$$29 \equiv 2 \pmod 3, \qquad 29 \equiv 1 \pmod 4, \qquad 29 \equiv 4 \pmod 5.$$
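The construction from the proof, run on the numbers of this example, as added Python code (not from the slides); `ext_gcd`, `crt` and `check` are names chosen here. The coprimality check is where a careless implementation goes wrong: the formula silently returns garbage when the moduli share a factor.

```python
def ext_gcd(a, b):
    """Extended Euclid: return (g, u, v) with g = gcd(a, b) and u*a + v*b = g."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i; return (x, N) with 0 <= x < N.

    Follows the slide's proof: N_i = N/n_i, M_i N_i = 1 (mod n_i) from ext_gcd,
    x = sum(a_i M_i N_i) (mod N).
    """
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for a, n in zip(residues, moduli):
        Ni = N // n
        g, Mi, _ = ext_gcd(Ni, n)        # Mi*Ni + mi*n = gcd(Ni, n), which must be 1
        if g != 1:
            raise ValueError("moduli are not pairwise coprime; CRT does not apply")
        x += a * Mi * Ni
    return x % N, N


def check(x, residues, moduli):
    """Verify x against every congruence (the 'Check:' line of the slides)."""
    return all(x % n == a % n for a, n in zip(residues, moduli))


if __name__ == "__main__":
    x, N = crt([2, 1, 4], [3, 4, 5])
    print(x, N, check(x, [2, 1, 4], [3, 4, 5]))   # 29 60 True
```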
Quadratic Residues
• Definition: An element $x \in \mathbb{Z}_n^*$ is called a quadratic residue modulo $n$ ($\mathrm{QR}_n$) if $x \equiv y^2 \pmod n$ for some $y \in \mathbb{Z}_n^*$. Otherwise, if no such $y \in \mathbb{Z}_n^*$ exists, $x$ is called a quadratic non-residue modulo $n$ ($\mathrm{QNR}_n$).
• Note: If $x \in \mathrm{QR}_n$ then an element $y$ exists such that $\sqrt{x} \equiv y \pmod n$.
• Example: If $n = 13$ (prime)
  y  :  1  2  3  4   5   6   7   8  9  10  11  12
  y² :  1  4  9  3  12  10  10  12  3   9   4   1
Thus, $\mathrm{QR}_{13} = \{1, 3, 4, 9, 10, 12\}$ and $\mathrm{QNR}_{13} = \{2, 5, 6, 7, 8, 11\}$, and
$$\sqrt{1} \equiv \pm 1, \quad \sqrt{3} \equiv \pm 4, \quad \sqrt{4} \equiv \pm 2, \quad \sqrt{9} \equiv \pm 3, \quad \sqrt{10} \equiv \pm 6, \quad \sqrt{12} \equiv \pm 5 \pmod{13}.$$
Quadratic Residues
• Example: If $n = 21$ (composite)
  y  :  1  2   4  5  8  10  11  13  16  17  19  20
  y² :  1  4  16  4  1  16  16   1   4  16   4   1
Thus, $\mathrm{QR}_{21} = \{1, 4, 16\}$ and $\mathrm{QNR}_{21} = \{2, 5, 8, 10, 11, 13, 17, 19, 20\}$. Note that $3^2 \equiv 9 \pmod{21}$, or $7^2 \equiv 7 \pmod{21}$, but 3, 9, and 7 are not in $\mathbb{Z}_{21}^*$. Each square root now has 4 solutions:
$$\sqrt{1} \equiv \pm 1 \text{ and } \pm 8, \qquad \sqrt{4} \equiv \pm 2 \text{ and } \pm 5, \qquad \sqrt{16} \equiv \pm 4 \text{ and } \pm 10 \pmod{21}.$$
Legendre Symbol, Euler’s Criterion
• Definition: Legendre symbol. Suppose $p$ is an odd prime. Then, for any $x$, the Legendre symbol $L(x, p)$ is defined as
$$L(x, p) = \begin{cases} 0, & \text{if } x \equiv 0 \pmod p, \\ 1, & \text{if } x \in \mathrm{QR}_p, \\ -1, & \text{if } x \in \mathrm{QNR}_p. \end{cases}$$
$L(x, p)$ can be computed easily using the following theorem.
• Theorem: Euler's criterion. For all primes $p > 2$ and all $x \in \mathbb{Z}_p$,
$$x^{(p-1)/2} \equiv L(x, p) \pmod p.$$
Euler’s Criterion
• Proof: If $x = 0$ the result is trivially true. Thus, assume that $x \in \mathbb{Z}_p^*$. Then, according to Fermat's Little Theorem, $x^{p-1} \equiv 1 \pmod p$ and either
$$x^{(p-1)/2} \equiv 1 \pmod p, \qquad \text{or} \qquad x^{(p-1)/2} \equiv -1 \pmod p.$$
If $x \in \mathrm{QR}_p$, i.e., $x \equiv y^2 \pmod p$ for some $y \in \mathbb{Z}_p^*$, then
$$x^{(p-1)/2} \equiv (y^2)^{(p-1)/2} = y^{p-1} \equiv 1 \pmod p.$$
Conversely, if $x \in \mathrm{QNR}_p$, then $x \not\equiv y^2 \pmod p$ for all $y \in \mathbb{Z}_p^*$, and thus $x^{(p-1)/2}$ must be congruent to $-1$ modulo $p$. (The congruence $z^{(p-1)/2} \equiv 1 \pmod p$ has at most $(p-1)/2$ solutions in the field $\mathbb{Z}_p$, and the $(p-1)/2$ quadratic residues already use them all up.) QED
Jacobi Symbol
• Definition: Jacobi symbol. Let $n$ be any positive odd integer with prime factorization
$$n = p_1^{e_1} \cdot p_2^{e_2} \cdot \ldots \cdot p_k^{e_k}.$$
Then, for any $x$, the Jacobi symbol $J(x, n)$ is defined as
$$J(x, n) = L(x, p_1)^{e_1} \cdot L(x, p_2)^{e_2} \cdot \ldots \cdot L(x, p_k)^{e_k}.$$
• An important special case in cryptography is the case $n = p\,q$, where $p$ and $q$ are distinct odd primes. In this case
$$J(x, n) = \begin{cases} 0 & \Rightarrow \gcd(x, n) \neq 1, \\ -1 & \Rightarrow x \in \mathrm{QNR}_n, \\ 1 & \Rightarrow x \in \mathrm{QR}_n \text{ or } x \in \mathrm{QNR}_n. \end{cases}$$
If $J(x, n) = L(x, p)\,L(x, q) = 1$, it is impossible to tell whether $x \in \mathrm{QR}_n$ or not, since both $1 \times 1$ and $(-1) \times (-1)$ are equal to one. In the first case $x \in \mathrm{QR}_n$, in the second case $x \in \mathrm{QNR}_n$.
Jacobi Symbol
• Theorem: Properties of Jacobi symbol. The Jacobi symbol satisfies the following properties, which make it easy to compute $J(x, n)$, $n$ odd:
(1) $J(x \pm n, n) = J(x, n)$,
(2) $J(x \cdot y, n) = J(x, n) \cdot J(y, n)$,
(3) $J(x, m \cdot n) = J(x, m) \cdot J(x, n)$,
(4) $J(1, n) = 1$,
(5) $J(-1, n) = (-1)^{(n-1)/2} = \begin{cases} 1, & \text{if } n \equiv 1 \pmod 4, \\ -1, & \text{if } n \equiv -1 \pmod 4, \end{cases}$
(6) $J(2, n) = (-1)^{(n^2-1)/8} = \begin{cases} 1, & \text{if } n \equiv \pm 1 \pmod 8, \\ -1, & \text{if } n \equiv \pm 3 \pmod 8, \end{cases}$
(7) If $x$, $n$ odd and $\gcd(x, n) = 1$,
$$J(x, n) \cdot J(n, x) = (-1)^{(x-1)(n-1)/4}, \qquad \text{or equivalently,} \qquad J(x, n) = \begin{cases} -J(n, x), & \text{if } x \equiv n \equiv 3 \pmod 4, \\ J(n, x), & \text{otherwise.} \end{cases}$$
Primality Tests
• A decision problem is a problem where a question is posed that can be answered by "yes" or "no".
• A probabilistic algorithm is an algorithm that uses some form of randomness, e.g., random numbers, during its execution.
• Definition: A yes-biased Monte Carlo algorithm is a probabilistic algorithm for a decision problem in which a "yes" answer is always correct, but a "no" answer may be incorrect, e.g., with probability $\le \varepsilon$.
• Example: The Solovay-Strassen algorithm is a yes-biased Monte Carlo algorithm for composite integers $n$ with $\varepsilon = 1/2$. Thus, if the algorithm answers "yes" then $n$ is composite for sure, but if it answers "no" then $n$ may still be composite, with probability $\le 1/2$.
Pseudo-Primes
• Example: According to Fermat's Little Theorem, every prime $n$ must satisfy $x^{n-1} \equiv 1 \pmod n$ for $x \in \mathbb{Z}_n$. Thus, if for a given $n$ an $x$ is found such that this statement is not true, then it is known that $n$ is composite. But some composites may actually pass this test, which motivates the following definition.
• Definition: If $n$ is an odd composite number and $x \in \mathbb{Z}_n^*$ is an integer such that
$$x^{n-1} \equiv 1 \pmod n$$
holds, then $n$ is called a pseudo-prime to the base $x$. The graph on the next slide shows the fraction of $x$ for which $n \le 2500$ is a pseudo-prime.
Distribution of Pseudo-Primes
[Figure: "Composite odd n, gcd(a,n)=1: Fraction of a s.t. n is Pseudo-Prime to Base a"; horizontal axis n from 0 to 2500, vertical axis the fraction from 0 to 1.]
• Definition: A Carmichael number is a composite integer $n$ such that
$$x^{n-1} \equiv 1 \pmod n$$
holds for every $x \in \mathbb{Z}_n^*$. The first few Carmichael numbers are 561, 1105, 1729, 2465.
Euler Pseudo-Primes
• Definition: Let $n$ be an odd integer and let $J(x, n)$ denote the Jacobi symbol. If $n$ is composite and $x \in \mathbb{Z}_n^*$ satisfies (cf. Euler's criterion)
$$x^{(n-1)/2} \equiv J(x, n) \pmod n,$$
then $n$ is called an Euler pseudo-prime to the base $x$. The graph on the next slide shows the fraction of $x$ for which $n \le 2500$ is an Euler pseudo-prime.
• Example: The number $n = 91$ ($= 7 \times 13$) is an Euler pseudo-prime to the base $x = 9$ since (quite obviously $9 \in \mathrm{QR}_{91}$)
$$9^2 = 81 \equiv -10, \quad 9^3 \equiv 9 \times (-10) \equiv 1 \;\Rightarrow\; 9^{(91-1)/2} = (9^3)^{15} \equiv 1 = J(9, 91) \pmod{91}.$$
But 91 is not an Euler pseudo-prime to the base 4 since (using $4^6 = 4096 \equiv 1 \pmod{91}$)
$$4^{(91-1)/2} = (4^6)^7 \times 4^3 \equiv 64 \neq J(4, 91) = 1 \pmod{91}.$$
Question: Are there any composite numbers $n$ which are Euler pseudo-primes to every $x \in \mathbb{Z}_n^*$?
Distribution of Euler Pseudo-Primes
[Figure: "Composite odd n, gcd(a,n)=1: Fraction of a s.t. n is Euler Pseudo-Prime to Base a"; horizontal axis n from 0 to 2500, vertical axis the fraction from 0 to 1.]
• Theorem: If $n$ is an odd composite integer, then $n$ is an Euler pseudo-prime to the base $x$ for at most 50% of all $x$ such that $\gcd(x, n) = 1$. Holds with equality for $n = 1729, 2465, \ldots$.
Solovay-Strassen Primality Test
• Theorem: Solovay-Strassen 1977. For any odd integer $n > 1$ the following statements are equivalent:
(1) $n$ is prime.
(2) $x^{(n-1)/2} \equiv J(x, n) \pmod n$ holds for all $x \in \mathbb{Z}_n^*$.
• Solovay-Strassen Primality Test. This is a probabilistic test which is based on the above theorem. Assume $n > 1$ is an odd integer. The steps for each test are:
(1) Choose a random integer $x$, $1 < x < n - 1$.
(2) If $J(x, n) \equiv x^{(n-1)/2} \pmod n$ then answer "n is prime," else answer "n is composite."
• Note: It will never happen that the answer is "n is composite" if $n$ is indeed a prime. But with probability at most 1/2 it can happen that the answer is "n is prime" if $n$ is indeed composite. By repeating the test a sufficient number of times, the probability of error can be made arbitrarily small ($\approx 2^{-m}$ where $m$ is the number of tests performed).
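Computing $J(x, n)$ from properties (1)-(7) of the earlier slide and running the Solovay-Strassen steps on top of it, as an added Python example (not code from the slides); the $n = 91$ Euler pseudo-prime example with bases 9 and 4 is the check. The `bases` argument is an assumption added for reproducible runs; the slides choose $x$ at random, which is what the default does.

```python
import random


def jacobi(x, n):
    """Jacobi symbol J(x, n) for odd n > 0, using properties (1)-(7) of the slides."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    x %= n                          # (1): J(x +- n, n) = J(x, n)
    result = 1
    while x != 0:
        while x % 2 == 0:           # (2) with (6): pull out factors of 2, J(2, n) = -1 iff n = +-3 (mod 8)
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x                 # (7): reciprocity; sign flips only if x = n = 3 (mod 4)
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n                      # (1) again, with the new modulus
    return result if n == 1 else 0  # (4): J(1, n) = 1; n > 1 here means gcd(x, n) > 1


def euler_pseudoprime_to_base(n, x):
    """True when x^((n-1)/2) = J(x, n) (mod n); for composite n this is the slide's definition."""
    return pow(x, (n - 1) // 2, n) == jacobi(x, n) % n   # -1 is represented as n - 1


def solovay_strassen(n, rounds=20, bases=None):
    """False = 'n is composite' (always correct); True = 'n is prime' (wrong with probability
    at most 2**-rounds when n is composite and the bases are random)."""
    if n < 2 or n % 2 == 0:
        return n == 2
    if n == 3:
        return True                 # no x with 1 < x < n - 1 exists to test
    if bases is None:               # step (1): random 1 < x < n - 1
        bases = [random.randrange(2, n - 1) for _ in range(rounds)]
    for x in bases:                 # step (2); J = 0 means gcd(x, n) > 1, so n is composite
        if jacobi(x, n) == 0 or not euler_pseudoprime_to_base(n, x):
            return False
    return True


if __name__ == "__main__":
    print(jacobi(2, 13), jacobi(3, 13))                   # -1 (2 is a QNR), 1 (3 is a QR mod 13)
    print(euler_pseudoprime_to_base(91, 9))               # True: 91 passes with base 9
    print(euler_pseudoprime_to_base(91, 4))               # False: base 4 exposes 91
    print(solovay_strassen(91, bases=[9]), solovay_strassen(91, bases=[9, 4]))   # True False
```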
Strong Pseudo-Primes
• Theorem: Miller 1976. For any odd integer $n > 1$ write $n - 1 = 2^s m$, where $m$ is odd. Then the following statements are equivalent:
(1) $n$ is prime.
(2) For all $x \in \mathbb{Z}_n^*$, if $x^m \not\equiv 1 \pmod n$, then there exists an $i$, $0 \le i < s$, such that $x^{2^i m} \equiv -1 \pmod n$.
• Definition: Let $n = 2^s m + 1$, $m$ odd, be an odd integer. If $n$ is composite and $x \in \mathbb{Z}_n^*$ satisfies
$$\text{either } x^m \equiv 1 \pmod n, \qquad \text{or there exists } i,\ 0 \le i < s, \text{ such that } (x^m)^{2^i} \equiv -1 \pmod n,$$
then $n$ is called a strong pseudo-prime to the base $x$. The graph on the next slide shows the fraction of $x$ for which $n \le 2500$ is a strong pseudo-prime.
Distribution of Strong Pseudo-Primes
[Figure: "Composite odd n, gcd(a,n)=1: Fraction of a s.t. n is Strong Pseudo-Prime to Base a"; horizontal axis n from 0 to 2500, vertical axis the fraction from 0 to 1.]
• Example: Let $n = 133$ ($= 7 \times 19$) and thus $n - 1 = 132 = 2^2 \times 33$. Testing with $x \in \mathbb{Z}_{133}^*$ yields
$$x = 11: \quad 11^{33} \equiv 1 \;\Longrightarrow\; \text{"n is prime"}$$
$$x = 12: \quad 12^{33} \equiv 132 \equiv -1 \;\Longrightarrow\; \text{"n is prime"}$$
$$x = 13: \quad 13^{33} \equiv 27, \quad (13^{33})^2 \equiv 64 \;\Longrightarrow\; \text{"n is composite"}$$
$n = 133$ is a strong pseudo-prime to bases 11 and 12, but not to base 13.
Miller-Rabin Primality Test
• Miller-Rabin Primality Test. This is a probabilistic test which is based on Miller's theorem. Assume $n > 1$ is an odd integer and write $n - 1 = 2^s m$, where $m$ is odd. The steps for each test are:
(1) Choose a random integer $x$, $1 < x < n - 1$.
(2) Compute $b = x^m \pmod n$.
(3) If $b \equiv 1 \pmod n$ then answer "n is prime" and stop.
(4) For $i = 0$ to $s - 1$ do
(5) If $b \equiv -1 \pmod n$ then answer "n is prime" and stop, else $b \leftarrow b^2 \pmod n$.
(6) If you did not quit in step (3) or (5), answer "n is composite."
• Note: Like in the Solovay-Strassen test, it will never happen in the Miller-Rabin test that the answer is "n is composite" if $n$ is indeed a prime. But with probability at most 1/4 it can happen that the answer is "n is prime" if $n$ is indeed composite. By repeating the test a sufficient number of times, the probability of error can be made arbitrarily small ($\approx 4^{-m}$ where $m$ is the number of tests performed).
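Steps (1)-(6) above, with the $n = 133$ strong pseudo-prime example of the previous slide as the check, as added Python code (not from the slides). The `bases` argument is an assumption added so that a run is reproducible; by default $x$ is chosen at random as in step (1).

```python
import random


def decompose(n):
    """Write n - 1 = 2^s * m with m odd, as in Miller's theorem."""
    s, m = 0, n - 1
    while m % 2 == 0:
        s += 1
        m //= 2
    return s, m


def miller_rabin_round(n, x):
    """Steps (2)-(6) for odd n > 3 and one base 1 < x < n - 1.
    True = 'n is prime' (may be wrong), False = 'n is composite' (always right)."""
    s, m = decompose(n)
    b = pow(x, m, n)                # step (2)
    if b == 1:                      # step (3)
        return True
    for _ in range(s):              # step (4): i = 0, ..., s - 1
        if b == n - 1:              # step (5): b = -1 (mod n)
            return True
        b = b * b % n               # else b <- b^2 (mod n)
    return False                    # step (6): never reached 1 or -1


def miller_rabin(n, rounds=20, bases=None):
    """Repeat the round test; for a composite n the error is at most 4**-rounds with random bases."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    if bases is None:               # step (1): random 1 < x < n - 1
        bases = [random.randrange(2, n - 1) for _ in range(rounds)]
    return all(miller_rabin_round(n, x) for x in bases)


if __name__ == "__main__":
    # Slide example: 133 = 7 * 19, 132 = 2^2 * 33; bases 11 and 12 lie, base 13 exposes 133.
    print(decompose(133))                                          # (2, 33)
    print([miller_rabin_round(133, x) for x in (11, 12, 13)])      # [True, True, False]
```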