Introductory Number Theory


 Merryl Anissa Parsons
 1 years ago
 Views:
Transcription
1 Introductory Number Theory Course No Sring 2006 Michael Stoll Contents 1. Very Basic Remarks 2 2. Divisibility 2 3. The Euclidean Algorithm 2 4. Prime Numbers and Unique Factorization 4 5. Congruences 5 6. Corime Integers and Multilicative Inverses 6 7. The Chinese Remainder Theorem 9 8. Fermat s and Euler s Theorems Structure of F and (Z/ n Z) The RSA Crytosystem Discrete Logarithms Quadratic Residues Quadratic Recirocity Another Proof of Quadratic Recirocity Sums of Squares Geometry of Numbers Ternary Quadratic Forms Legendre s Theorem adic Numbers The Hilbert Norm Residue Symbol Pell s Equation and Continued Fractions Ellitic Curves Primes in arithmetic rogressions The Prime Number Theorem 75 References 80
2 2 1. Very Basic Remarks The following roerties of the integers Z are fundamental. (1) Z is an integral domain (i.e., a commutative ring such that ab = 0 imlies a = 0 or b = 0). (2) Z 0 is wellordered: every nonemty set of nonnegative integers has a smallest element. (3) Z satisfies the Archimedean Princile: if n > 0, then for every m Z, there is k Z such that kn > m. 2. Divisibility 2.1. Definition. Let a, b be integers. We say that a divides b, written a b, if there is an integer c such that b = ac. In this case, we also say that a is a divisor of b or that b is a multile of a. We have the following simle roerties (for all a, b, c Z). (1) a a, 1 a, a 0. (2) If 0 a, then a = 0. (3) If a 1, then a = ±1. (4) If a b and b c, then a c. (5) If a b, then a bc. (6) If a b and a c, then a b ± c. (7) If a b and b < a, then b = 0. (8) If a b and b a, then a = ±b Definition. We say that d is the greatest common divisor of a and b, written d = gcd(a, b) or d = a b, if d a and d b, d 0, and for all integers k such that k a and k b, we have k d. We say that m is the least common multile of a and b, written m = lcm(a, b) or m = a b, if a m and b m, m 0, and for all integers n such that a n and b n, we have m n. In a similar way, we define the greatest common divisor and least common multile for any set S of integers. We have the following simle roerties. (1) gcd( ) = 0, lcm( ) = 1. (2) gcd(s 1 S 2 ) = gcd(gcd(s 1 ), gcd(s 2 )), lcm(s 1 S 2 ) = lcm(lcm(s 1 ), lcm(s 2 )). (3) gcd({a}) = lcm({a}) = a. (4) gcd(ac, bc) = c gcd(a, b). (5) gcd(a, b) = gcd(a, ka + b). 3. The Euclidean Algorithm How can we comute the gcd of two given integers? The key for this is the last roerty of the gcd listed above. In order to make use of it, we need the oeration of division with remainder.
3 3.1. Proosition. Given integers a and b with b 0, there exist unique integers q ( quotient ) and r ( remainder ) such that 0 r < b and a = bq + r. Proof. Existence: Consider S = {a kb : k Z, a kb 0}. Then S Z 0 is nonemty and therefore has a smallest element r = a qb for some q Z. We have r 0 by definition, and if r b, then r b would also be in S, hence r would not have been the smallest element. Uniqueness: Suose a = bq + r = bq + r with 0 r, r < b. Then b r r and 0 r r < b, therefore r = r. This imlies bq = bq, hence q = q (since b 0) Algorithm GCD (Euclidean Algorithm). Given integers a and b, we do the following. (1) Set n = 0, a 0 = a, b 0 = b. (2) If b n = 0, return a n as the result. (3) Write a n = b n q n + r n with 0 r n < b n. (4) Set a n+1 = b n, b n+1 = r n. (5) Relace n by n + 1 and go to ste 2. We claim that the result returned is gcd(a, b). (Observe that 0 b n+1 < b n if the loo is continued, hence the algorithm must terminate.) Proof. We show that for all n that occur in the loo, we have gcd(a n, b n ) = gcd(a, b). The claim follows, since the return value a n = gcd(a n, 0) = gcd(a n, b n ) for the last n. For n = 0, we have gcd(a 0, b 0 ) = gcd( a, b ) = gcd(a, b). Now suose that we know gcd(a n, b n ) = gcd(a, b) and that b n 0 (so the loo is not terminated). Then gcd(a n+1, b n+1 ) = gcd(b n, a n b n q n ) = gcd(b n, a n ) = gcd(a n, b n ) (use roerty (5) of the gcd) Theorem. Fix a, b Z. The integers of the form xa + yb with x, y Z are exactly the multiles of d = gcd(a, b). In articular, there are x, y Z such that d = xa + yb. Proof. Since d divides both a and b, d also has to divide xa+yb. So these numbers are multiles of d. For the converse, it suffices to show that d can be written as xa + yb. This follows by induction from the Euclidean Algorithm: Leet N be the last value of n. Then d = a N 1 + b N 0; and if d = x n+1 a n+1 + y n+1 b n+1, then we have d = y n+1 a n + (x n+1 q n y n+1 )b n, so setting x n = y n+1 and y n = x n+1 q n y n+1, we have d = x n a n + y n b n. So in the end, we must also have d = x 0 a 0 + y 0 b 0. There is a simle extension of the Euclidean Algorithm that also comutes numbers x and y such that gcd(a, b) = xa + yb. It looks like this Algorithm XGCD (Extended Euclidean Algorithm). Given integers a and b, we do the following. (1) Set n = 0, a 0 = a, b 0 = b, x 0 = sign(a), y 0 = 0, u 0 = 0, v 0 = sign(b). (2) If b n = 0, return (a n, x n, y n ) as the result. (3) Write a n = b n q n + r n with 0 r n < b n. (4) Set a n+1 = b n, b n+1 = r n, x n+1 = u n, y n+1 = v n, u n+1 = x n u n q n, v n+1 = y n v n q n. (5) Relace n by n + 1 and go to ste 2. 3
4 4 By induction, one shows that a n = x n a + y n b and b n = u n a + v n b, so uon exit, the return values (d, x, y) satisfy xa + yb = d = gcd(a, b) Proosition. If n divides ab and gcd(n, a) = 1, then n divides b. Proof. By Thm. 3.3, there are x and y such that xa + yn = 1. We multily by b to obtain b = xab + ynb. Since n divides ab, n divides the right hand side and therefore also b. 4. Prime Numbers and Unique Factorization 4.1. Definition. A ositive integer is called a rime number (or simly a rime ), if > 1 and the only ositive divisors of are 1 and. (This is really the definition of an irreducible element in a ring!) 4.2. Proosition. If is a rime and a, b are integers such that ab, then a or b. (This is the general definition of a rime element in a ring!) Proof. We can assume that a (otherwise we are done). Then gcd(a, ) = 1 (since the only other ositive divisor of, namely itself, does not divide a). Then by Pro. 3.5, divides b. Now let n > 0 be a ositive integer. Then either n = 1, or n is a rime number, or else n has a roer divisor d such that 1 < d < n. Then we can write n = de where also 1 < e < n. Continuing this rocess with d and e, we finally obtain a reresentation of n as a roduct of rimes. (If n = 1, it is given by an emty roduct (a roduct without factors) of rimes.) 4.3. Theorem. This rime factorization of n is unique (u to ordering of the factors). Proof. By induction on n. For n = 1, this is clear (there is only one emty set... ). So assume that n > 1 and that we have written n = k = q 1 q 2... q l with rime numbers i, q j, where k, l 1. Now 1 divides the roduct of the q j s, hence 1 has to divide one of the q j s. U to reordering, we can assume that 1 q 1. But the only ositive divisors of q 1 are 1 and q 1, so we must in fact have 1 = q 1. Let n = n/ 1 = n/q 1, then n = k = q 2 q 3... q l. Since n < n, we know by induction that (erhas after reordering the q j s) k = l and j = q j for j = 2,..., k. This roves the claim.
5 4.4. Definition. This shows that we can write every nonzero integer n uniquely as n = ± v(n) where the roduct is over all rime numbers, and the exonents v (n) are nonnegative integers, all but finitely many of which are zero. v (n) is called the valuation of n at. We have the following simle roerties. (1) v (mn) = v (m) + v (n). (2) m n : v (m) v (n). (3) gcd(m, n) = min(v(m),v(n)), lcm(m, n) = max(v(m),v(n)). (4) v (m + n) min(v (m), v (n)), with equality if v (m) v (n). Proerty (3) imlies that gcd(m, n) lcm(m, n) = mn for ositive m, n. In general, we have gcd(m, n) lcm(m, n) = mn. If we set v (0) = +, then all the above roerties hold for all integers (with the usual conventions like min{e, } = e, e + =,... ). We can extend the valuation function from the integers to the rational numbers by setting ( r ) v = v (r) v (s) s (Exercise: check that this is welldefined). Proerties (1) and (4) above then hold for rational numbers, and a rational number x is an integer if and only if v (x) 0 for all rimes Congruences 5.1. Definition. Let a, b and n integers with n > 0. We say that a is congruent to b modulo n, written a b mod n, if n divides the difference a b Congruence is an equivalence relation. For fixed n and arbitrary a, b, c Z, we have: (1) a a mod n. (2) If a b mod n, then b a mod n. (3) If a b mod n and b c mod n, then a c mod n. Hence we can artition Z into congruence classes mod n : we let ā = a + nz = {a + nx : x Z} = {b Z : a b mod n} (in the ā notation, n must be clear from the context) and We then have Z/nZ = {ā : a Z}. a b mod n b ā ā = b.
6 Proosition. The ma {0, 1,..., n 1} Z/nZ, r r = r + nz is a bijection. In articular, Z/nZ has exactly n elements. Proof. The ma is clearly welldefined. It is injective: assume r = s with 0 r, s < n. Then r s mod n, so n r s and r s < n, therefore r = s. It is surjective: Let ā be a congruence class and write a = nq + r with 0 r < n. Then ā = r. Since the reresentative r of a class ā is given by the (least nonnegative) residue of a when divided by n, congruence classes are also called residue classes The congruence classes form a commutative ring. We define addition and multilication on Z/nZ: ā + b = a + b, ā b = ab We have to check that these oerations are welldefined. This means that if a a mod n and b b mod n, then we must have a + b a + b mod n and ab a b mod n. Now (a + b) (a + b ) = (a a ) + (b b ) is divisible by n, and also ab a b = (a a )b + a (b b ) is divisible by n. Once these oerations are welldefined, all the commutative ring axioms carry over immediately from Z to Z/nZ Congruences are useful. Why are congruences a useful concet? They give us a kind of Mickey Mouse image of the integers (luming together many integers into one residue class, thus losing information), with the advantage that the resulting structure Z/nZ has only finitely many elements. This means that all sorts of questions that are difficult to answer with resect to Z are effectively (though not necessarily efficiently, if n is large) decidable with resect to Z/nZ. If we can show in this way that something is imossible over Z/nZ, then this often imlies a negative answer for Z, too. Consider, for examle, the equation x 2 + y 2 15 z 2 = 7. Does it have a solution in integers? That to decide seems to be hard. On the other hand, we can very easily make a table of all ossible values of the left hand side in Z/8Z: it is easy to see that a square is always 0, 1, or 4 mod 8, and adding three of these values (note that 15 1 mod 8) leads to all residue classes mod 8 with one excetion the left hand side is never 7 mod 8. So a solution is not ossible in Z/8Z. But any solution in Z would lead to an image solution in Z/8Z, hence there can be no solution in Z either. 6. Corime Integers and Multilicative Inverses When does a class ā have a multilicative inverse in Z/nZ? We have to solve the congruence ax 1 mod n; equivalently, there need to exist integers x and y such that ax + ny = 1. By Thm. 3.3, this is equivalent with gcd(a, n) = 1. In this case, we say that a and n are relatively rime or a and n are corime, and sometimes write a n. We can use the extended Euclidean Algorithm to find the inverse.
7 Theorem. The ring Z/nZ is a field if and only if n is a rime number. Proof. Clear for n = 1 (a field has at least two elements 0 and 1, and 1 is not a rime number). For n > 1, Z/nZ is not a field if and only if there is some a Z, not divisible by n, such that d = gcd(n, a) > 1. This imlies that 1 < d < n is a roer divisor of n, hence n is not a rime. Conversely, if d is a roer divisor of n, then gcd(n, d) = d, and d is not invertible. If gcd(n, a) = 1, then ā is called a rimitive residue class mod n ; its uniquely determined multilicative inverse in Z/nZ is denoted ā 1. The rime residue classes form a grou, the multilicative grou (Z/nZ) of the ring Z/nZ. When n = is rime, then the field Z/Z is also denoted F ; we have F = F \{ 0} for the multilicative grou; in articular, #F = Definition. The Euler φ function is defined for n > 0 by φ(n) = #(Z/nZ) = #{a Z : 0 a < n, a n}. n φ(n) We have that n is rime if and only if φ(n) = n Proosition. If is rime and e 1, then φ( e ) = e 1 ( 1). Proof. Clear for e = 1. For e > 1, observe that a e φ( e ) = #{a Z : 0 a < e, a} = e #{a Z : 0 a < e, a} = e e 1 = ( 1) e 1. a a, so 6.4. A Recurrence. Counting the numbers between 0 (inclusive) and n (exclusive) according to their gcd with n (which can be any (ositive) divisor d of n), we obtain ( n ) φ = φ(d) = n. d d n d n This can be read as a recurrence for φ(n): φ(n) = n We get d n,d<n φ(d). φ(1) = 1 0 = 1, φ(2) = 2 φ(1) = 1, φ(3) = 3 φ(1) = 2, φ(4) = 4 φ(2) φ(1) = 2, φ(6) = 6 φ(3) φ(2) φ(1) = 2, etc. Obviously, the recurrence determines φ(n) uniquely: If integers a n (n 1) satisfy a d = n, d n then a n = φ(n). This still holds if the n s are restricted to be divisors of some fixed integer N.
8 A Question. The following icture reresents in black the corime airs (m, n) with 0 m, n 100. The black squares aear to be fairly evenly distributed, so the following question should make sense. What is the robability that two random (ositive) integers are corime? Take a large ositive integer N and consider all airs (m, n) with 1 m, n N. Call f(n) the number of such airs with m n. Since m n for all m, n, where m = m/ gcd(m, n), n = n/ gcd(m, n), we can count the airs according to their gcd. We get N 2 = #{(m, n) : 1 m, n N} N = #{(m, n) : 1 m, n N, gcd(m, n) = g} = = g=1 N #{(m, n ) : 1 m, n N/g, m n } g=1 N f ( N/g ) g=1 The robability we are looking for is P = lim N P (N), where P (N) = f(n)/n 2. We get N N/g 2 1 = P ( N/g ). N 2 g=1 Observe that the terms in the sum are between 0 and 1/g 2, hence the sum is uniformly absolutely convergent. Passing to the limit as N, we obtain P 1 = g, 2 hence P = g=1 1 = 6 g 2 π g=1
9 9 (Exercise: where is the ga in this argument?) We can aly what we have learned to linear congruences. Given a, b, and n, what are the solutions x of ax b mod n? In other words, for which x Z does there exist a y Z such that ax + ny = b? 6.6. Theorem. The congruence ax b mod n has no solutions unless gcd(a, n) b. If there are solutions, they form a residue class modulo n/gcd(a, n). Proof. By Thm. 3.3, the condition gcd(a, n) b is necessary and sufficient for solutions to exist. Let g = gcd(a, n). If g b, we can divide the equation ax+ny = b by g to get a x + n y = b, where a = a g, n = n g, b = b g. Then gcd(a, n ) = 1, and we can solve the equation ā x = b for x (in Z/n Z): x = b (ā ) 1. So the set of solutions x is given by this residue class modulo n. 7. The Chinese Remainder Theorem Now let us consider simultaneous congruences: x a mod m, x b mod n Is such a system solvable? What does the solution set look like? If d = gcd(m, n), then we obviously need to have a b mod d for a solution to exist. On the other hand, when m n, solutions do always exist Chinese Remainder Theorem. If m n, then the above system has solutions x; they form a residue class modulo mn. Proof. Since m n, we can find u and v with mu+nv = 1 by Thm Consider x = anv + bmu. We have x = anv + bmu anv = a amu a mod m and similarly x b mod n. So solutions exist. Now we show that y is anoher solution if and only if mn y x. If mn divides y x, then m and n both divide y x, hence y x a mod m and y x b mod n. Now assume y is another solution. Then m and n both divide y x. So n y x = mt. By Pro. 3.5, n t and hence mn mt = y x. There is a straightforward extension to more than two simultaneous congruences Chinese Remainder Theorem. If the numbers m 1, m 2,..., m k are corime in airs, then the system of congruences x a 1 mod m 1, x a 2 mod m 2,..., x a k mod m k has solutions; they form a residue class modulo m 1 m 2... m k. Proof. Induction on k using Thm Note that a b, a c imlies a bc. Now we can answer the question from the beginning of this section.
10 Theorem. The system x a mod m, x b mod n has solutions if and only if a b mod gcd(m, n). If solutions exist, they form a residue class modulo lcm(m, n). Proof. We have already seen that the condition is necessary. Let d = gcd(m, n). We can find u and v such that mu + nv = b a by Thm Then x = a + mu = b nv is a solution. As in the roof of Thm. 7.1, we see that y is another solution if and only if m and n both divide y x. This means that the solutions form a residue class modulo lcm(m, n). We can give the Chinese Remainder Theorem a more algebraic formulation Theorem. Assume that m 1, m 2,..., m k are corime in airs. Then the natural ring homomorhism Z/m 1 m 2... m k Z Z/m 1 Z Z/m 2 Z Z/m k Z is an isomorhism. In articular, we have an isomorhism of multilicative grous (Z/m 1 m 2... m k Z) = (Z/m1 Z) (Z/m 2 Z) (Z/m k Z). Proof. By the above, the homomorhism is bijective, hence an isomorhism A Formula for φ. The Chinese Remainder Theorem 7.4 imlies that φ(mn) = φ(m) φ(n) if m n. A similar formula holds for roducts with more factors. Alying this to the rime factorization of n, we get φ(n) = v(n) 1 ( 1) = n ( 1 1 ). n n 8. Fermat s and Euler s Theorems A very nice roerty of the finite fields F and all their extension fields is that the ma x x is not only comatible with multilication: (xy) = x y, but also with addition! 8.1. Theorem ( Freshman s Dream ). Let F be a field of rime characteristic (this means that 1 F = 0 F ; for us, the basic examle is F = F ). Then for all x, y F, we have (x + y) = x + y. Proof. By the Binomial Theorem, ( ) ( ) ( ) ( ) (x+y) = x + x 1 y+ x 2 y x k y k + + xy 1 +y. 1 2 k 1 Now the binomial coefficients ( k) for 1 k 1 all are integers divisible by (why?), and since F is of characteristic, all the corresonding terms in the formula vanish, leaving only x + y. We can use this to give one roof of the following fundamental fact.
11 8.2. Theorem (Fermat s Little Theorem). Let be a rime number. For all ā F, we have ā = ā. (Equivalently, for all a Z, divides a a.) 11 Proof. First Proof: By induction on a. a = 0 is clear. Now, by Thm. 8.1, divides (a+1) a 1 for all a Z. But then also divides ((a+1) (a+1)) (a a), hence: a a (a + 1) (a + 1) This gives the inductive ste uwards and downwards, hence the claim holds for all a Z. Second Proof: Easy roof using Algebra. ā = 0 is clear. Hence it suffices to show that ā 1 = 1 for all ā 0. This is a consequence of the fact that #F = 1 and the general theorem that g #G = 1 for any g in any finite grou G. Third Proof: By Combinatorics (for a > 0). Consider utting beads that can have colors from a set of size a at equidistant laces around a circle (to form necklaces ). There will be a necklaces in total, a of which will consist of beads of only one color. The remaining a a come in bunches of, obtained by rotation, so has to divide a a. The algebra roof can readily be generalized Theorem (Euler). Let n be a ositive integer. Then for all a Z with a n, we have a φ(n) 1 mod n. Proof. Under the assumtion, ā (Z/nZ), and by definition, #(Z/nZ) = φ(n). By the general fact from algebra used in the second roof of Thm. 8.2, the claim follows Examle. What is mod 15? By Thm. 8.3, mod 15 (as φ(15) = 8). On the other hand, 11 3 mod 8, and mod 8 (in fact, already 3 2 is 1 mod 8). So = (11 4 ) mod 8, and then = mod A Consequence of Fermat s Little Theorem. Consider the olynomial X X with coefficients in F. By Fermat s Little Theorem 8.2, every element ā F is a root of this olynomial. Now F is a field, and so we can divide out the roots successively to find that X X = ā F (X ā). This imlies that for any olynomial f(x) dividing X X (in the olynomial ring F [X]), the number of its distinct roots in F equals the degree deg f(x). More generally, if f is any olynomial in F [X], we can comute the number of distinct roots of f in F by the formula #{ā F : f(ā) = 0} = deg gcd(f, X X).
12 12 9. Structure of F and (Z/ n Z) Fermat s Theorem 8.2 tells us that the multilicative order of any nonzero element ā of F (this is the smallest ositive integer n such that ā n = 1) divides 1. (The set of all n such that ā n = 1 consists exactly of the multiles of the order.) Now the question arises, are there elements of order 1? In other, more algebraic terms, is the grou F cyclic? The answer is yes Theorem. The multilicative grou F is cyclic. (In other words, there exist elements ḡ F such that all ā F are owers of ḡ. The corresonding integers g are called rimitive roots mod.) Proof. Obviously, all elements of F of order dividing d (where d is a divisor of 1) will be roots of X d 1. Since d divides 1, X d 1 divides X 1 1 and hence also X X (as olyomials). By 8.5, it follows that X d 1 has exactly d roots in F. Let a d be the number of elements of exact order d. Then we get d = k d a k. By the statement in 6.4, it follows that a d = φ(d); in articular, a 1 = φ( 1) 1. Hence rimitive roots exist Examles. The roof shows that there are exactly φ( 1) essentially distinct rimitive roots mod. For the first few rimes, we get the following table. Prime Primitive Roots , 3 7 3, , 3, 8, , 6, 7, 11 There is a famous conjecture, named after Artin, that asserts that every integer g 1 that is not a square is a rimitive root mod infinitely many different rimes. (Why are squares no good?) This has been roven assuming another famous conjecture, the Extended Riemann Hyothesis. The best unconditional result so far seems to be that the statement is true for all allowed integers, with at most three excetions. On the other hand, the statement is not known to hold for any articular integer g! 9.3. Proosition. Let G be a finite multilicative abelian grou of order n. An element g G is a generator of G (and so G is cyclic) if and only if g n/q 1 G for all rime divisors q of n. Proof. If g is a generator, then n is the least ositive integer m such that g m = 1 G, hence the condition is necessary. Now if g is not a generator, then its order m divides n, but is smaller than n, hence m divides n/q for some rime divisor q of n. It follows that g n/q = 1 G. Let us use this result to show that (Z/ n Z) is cylic if is an odd rime and n 1.
13 9.4. Theorem. Let g be a rimitive root modulo, where is an odd rime. Then one of g and g + is a rimitive root modulo n for all n 1. Proof. We know that g 1 = 1 + a for some a Z. If a, let h = g; otherwise we set h = g + ; then we have h 1 = 1 + a with a : (g + ) 1 = g 1 + ( 1)g 2 + b 2 1 k mod 2 (with some integer b) where k g 2 mod is not divisible by. Hence we have in both cases that h a mod 2 with a. Now I claim that for all n 0, we have h n ( 1) 1 + a n+1 mod n+2. This follows by induction from the case n = 0: h n+1 ( 1) = ( h n ( 1) ) = (1 + (a + b) n+1 ) = 1 + (a + b) n+1 + c n+3 = 1 + a n+2 + (b + c) n+3 Here b and c are suitable integers, and the enultimate equality uses that 3 (since then the last term in the binomial exansion, (a + b) (n+1), is divisible by n+3, as are the intermediate ones, even when n = 0). Now let n 2, and let q be a rime divisor of φ( n ) = n 1 ( 1). If q divides 1, then h ( 1)/q 1 mod, hence also h n 1 ( 1)/q h ( 1)/q 1 mod, so h n 1 ( 1)/q 1 mod n. If q =, then we have just seen that h n 2 ( 1) 1 mod n. So by Pro. 9.3, h {g, g + } is a rimitive root mod n The RSA Crytosystem The basic idea of Public Key Crytograhy is that each articiant has two keys: A ublic key that is known to everybody and serves to encryt messages, and a rivate key that is known only to her or him and is used to decryt messages. For this idea to work, two conditions have to be satisfied: (1) Both encrytion and decrytion must be reasonably fast (with keys of a size satisfying the next condition) (2) It must be imossible to comute the rivate key from the ublic key in less than a very large amount of time (how large will deend on the desired level of security) Bob s Public Key Bob s Private Key Encrytion Algorithm Cihertext Decrytion Algorithm Alice Plaintext Eve Plaintext Bob
14 14 The first ublished system (1977) satisfying these assumtions was designed by Rivest, Shamir and Adleman, and is called the RSA Crytosystem (after their initials). However, already in 1973, Clifford Cocks at GCHQ (the British NSA equivalent) came u with the same system. It was not used by GCHQ, and Cocks contribution only ublicly acknowledged in The idea was that finding the rime factors of a large number is very hard, whereas knowing them would allow you to do ceratin things quickly The setu. To generate a ublicrivate key air, one takes two large rime numbers and q (of 160 or more decimal digits, say). The ublic key then consists of n = q and another ositive integer e that has to be corime with lcm( 1, q 1) and can be taken to be fairly (but not too) small (in order to make encrytion more efficient). Encrytion roceeds as follows. The message is encoded in one or several numbers 0 m < n (e.g., by taking bunches of bits of length less than the length of n (measured in bits)). Then each number m is encryted as c = m e mod n. In order to decryt such a c, we need to be able to undo the exonentiation by e. In order to do this, we use Fermat s Little Theorem 8.2 and the Chinese Remainder Theorem 7.1: Since e lcm( 1, q 1), we can comute d such that de 1 mod lcm( 1, q 1) (using the XGCD Algorithm). Then c d = m de m mod and modq by Fermat s Little Theorem and so c d m mod n by the Chinese Remainder Theorem. So the ublic key is the air (n, e) and the rivate key the air (n, d). Encrytion is m m e mod n, decrytion is c c d mod n Why is it ractical? Encrytion and decrytion are reasonably fast: they involve exonentiation mod n, which can be done in O((log n) 2 log e) time (where e is the exonent), or even in O(log n log log n log e), using fast multilication. Also, it is ossible to select suitable rimes and q in reasonable time: there are algorithms that rove that a given number is rime in olynomial time (olynomial in log ), and gas between rimes are on average of size log, so one can exect to find a rime in olynomial time. The remaining stes in choosing the ublicrivate key air are relatively fast. For examle, my lato running the comuter algebra system MAGMA, takes about 4 seconds to find a rime of 100 digits, and about 12 seconds to find a rime of 120 digits Why is it considered secure? In order to get m from c, one needs a number t such that c t m mod n. For general m, this means that te 1 mod lcm( 1, q 1). Then te 1 is a multile of lcm( 1, q 1), and we can use this in order to factor n in the following way. Note that if n is an odd rime, then there are exactly two square roots of 1 in the ring Z/nZ (which is a field of characteristic not 2 in this case), namely (the residue classes of) 1 and 1. However, when n = q is the roduct of two distinct odd rimes, then there are four such square roots; they are obtained from airs of square roots of 1 mod and mod q via the Chinese Remainder Theorem 7.1. If x 2 1 mod n, but x ±1 mod n, then we can use x to factor n: we have that n divides x 2 1 = (x 1)(x + 1), but n divides neither factor on the right, so gcd(x 1, n) has to be a roer divisor of n.
15 Now suose we know a multile f of lcm( 1, q 1). Write f = 2 r s with s odd (note that r 1 since 1 and q 1 are even). Now ick a random 1 < w < n 1. If gcd(w, n) 1, then we have found a roer divisor of n. Otherwise, we successively comute w 0 = w s mod n, w 1 = w 2 0 mod n, w 2 = w 2 1 mod n,..., w r = w 2 r 1 mod n By Fermat s Little Theorem 8.2 and the Chinese Remainder Theorem 7.1, w r = 1. Now if there is some j such that w j ±1 mod n, but w j+1 1 mod n, we have found a square root of 1 mod n that will slit n as exlained above. One can check (see [Sti, Sect ]) that the robability of success is at least 1/2. Hence we need no more than two tries on average to factor n. Conversely, if we have and q, we can easily comute a suitable t (in fact, our d in the rivate key is found that way). The ushot is that in order to break the system, we have to factor n. Now factorization aears to be a hard roblem: even though quite some effort has been invested into develoing good factoring algorithms (in articular since this is relevant for crytograhy! you can win rize money if you factor certain numbers), and we now have considerably better algorithms than thirty years ago (say), the erformance of the best known algorithms is still much worse than olynomial time. The comlexity is something like ( ex O( 3 ) log n(log log n) 2 ). This is already quite a bit better than exonential (in log n), but grows fast enough to make factorization of 300digit numbers or so infeasible. For examle, again MAGMA on my lato needs 14 seconds to factor a roduct of two 20digit rimes and 3 minutes to factor a roduct of two 30digit rimes. But note that there is an efficient algorithm (at least in theory) for factoring integers on a quantum comuter. So if quantum comuters become a reality, crytosystems based on the difficulty of factorization like RSA will be dead. 11. Discrete Logarithms In RSA, we use modular exonentiation with a fixed exonent, where the base is the message. There are other crytosystems, which in some sense work the other way round: they use exonentiation with a fixed base and varying exonent. This can be done in the multilicative grou of a finite field F, or even in a more general setting The Discrete Logarithm Problem. Let G be a finite cyclic grou of order n, with generator g. The roblem of finding a Z/nZ from g and g a is known as the Discrete Logarithm Problem: We want to find the logarithm of g a to the base g. If x = g a, then sometimes the notation a = log g x is used. The difficulty of this roblem deends on the reresentation of the grou G. (1) The simlest case is G = Z/nZ (the additive grou), g = 1. Then log g x = x, and the roblem is trivially solved. (2) It is more interesting to choose G = F, with g a rimitive root mod (or rather, its image in F ). If the grou order #G = 1 has a large rime factor (e.g., 1 = 2q or 4q where q is rime), then here, the DLP 15
Elementary Number Theory: Primes, Congruences, and Secrets
This is age i Printer: Oaque this Elementary Number Theory: Primes, Congruences, and Secrets William Stein November 16, 2011 To my wife Clarita Lefthand v vi Contents This is age vii Printer: Oaque this
More informationLectures on the Dirichlet Class Number Formula for Imaginary Quadratic Fields. Tom Weston
Lectures on the Dirichlet Class Number Formula for Imaginary Quadratic Fields Tom Weston Contents Introduction 4 Chater 1. Comlex lattices and infinite sums of Legendre symbols 5 1. Comlex lattices 5
More information
Number Theory Naoki Sato
Number Theory Naoki Sato 0 Preface This set of notes on number theory was originally written in 1995 for students at the IMO level. It covers the basic background material
More informationAlgebra & Number Theory. A. Baker
Algebra & Number Theory [0/0/2009] A. Baker Department of Mathematics, University of Glasgow. Email address: a.baker@maths.gla.ac.uk URL: http://www.maths.gla.ac.uk/ ajb Contents Chapter. Basic Number
More informationNUMBER RINGS. P. Stevenhagen
NUMBER RINGS P. Stevenhagen Universiteit Leiden 2012 Date of this online version: September 24, 2012 Please send any comments on this text to psh@math.leidenuniv.nl. Mail address of the author: P. Stevenhagen
More informationAn Introductory Course in Elementary Number Theory. Wissam Raji
An Introductory Course in Elementary Number Theory Wissam Raji 2 Preface These notes serve as course notes for an undergraduate course in number theory. Most if not all universities worldwide offer introductory
More informationWhat Is Number Theory?
Chapter 1 What Is Number Theory? Number theory is the study of the set of positive whole numbers 1, 2, 3, 4, 5, 6, 7,..., which are often called the set of natural numbers. We will especially want to study
More informationHow many numbers there are?
How many numbers there are? RADEK HONZIK Radek Honzik: Charles University, Department of Logic, Celetná 20, Praha 1, 116 42, Czech Republic radek.honzik@ff.cuni.cz Contents 1 What are numbers 2 1.1 Natural
More information8430 HANDOUT 3: ELEMENTARY THEORY OF QUADRATIC FORMS
8430 HANDOUT 3: ELEMENTARY THEORY OF QUADRATIC FORMS PETE L. CLARK 1. Basic definitions An integral binary quadratic form is just a polynomial f = ax 2 + bxy + cy 2 with a, b, c Z. We define the discriminant
More informationRevised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)
Chapter 23 Squares Modulo p Revised Version of Chapter 23 We learned long ago how to solve linear congruences ax c (mod m) (see Chapter 8). It s now time to take the plunge and move on to quadratic equations.
More informationElliptic Modular Forms and Their Applications
Elliptic Modular Forms and Their Applications Don Zagier MaxPlanckInstitut für Mathematik, Vivatsgasse 7, 53111 Bonn, Germany Email: zagier@mpimbonn.mpg.de Foreword These notes give a brief introduction
More informationONEDIMENSIONAL RANDOM WALKS 1. SIMPLE RANDOM WALK
ONEDIMENSIONAL RANDOM WALKS 1. SIMPLE RANDOM WALK Definition 1. A random walk on the integers with step distribution F and initial state x is a sequence S n of random variables whose increments are independent,
More informationMatthias Beck Gerald Marchesi Dennis Pixton Lucas Sabalka
Matthias Beck Gerald Marchesi Dennis Pixton Lucas Sabalka Version.5 Matthias Beck A First Course in Complex Analysis Version.5 Gerald Marchesi Department of Mathematics Department of Mathematical Sciences
More informationTHE CONGRUENT NUMBER PROBLEM
THE CONGRUENT NUMBER PROBLEM KEITH CONRAD 1. Introduction A right triangle is called rational when its legs and hypotenuse are all rational numbers. Examples of rational right triangles include Pythagorean
More informationWHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?
WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT? introduction Many students seem to have trouble with the notion of a mathematical proof. People that come to a course like Math 216, who certainly
More informationIntroduction to finite fields and their applications
Introduction to finite fields and their applications RUDOLF LIDL University of Tasmania, Hobart, Australia HARALD NIEDERREITER Austrian Academy of Sciences. Vienna, Austria ree'wi d18e U,l,muy of W, t
More informationYou know from calculus that functions play a fundamental role in mathematics.
CHPTER 12 Functions You know from calculus that functions play a fundamental role in mathematics. You likely view a function as a kind of formula that describes a relationship between two (or more) quantities.
More informationGeneralized compact knapsacks, cyclic lattices, and efficient oneway functions
Generalized compact knapsacks, cyclic lattices, and efficient oneway functions Daniele Micciancio University of California, San Diego 9500 Gilman Drive La Jolla, CA 920930404, USA daniele@cs.ucsd.edu
More informationWHICH SCORING RULE MAXIMIZES CONDORCET EFFICIENCY? 1. Introduction
WHICH SCORING RULE MAXIMIZES CONDORCET EFFICIENCY? DAVIDE P. CERVONE, WILLIAM V. GEHRLEIN, AND WILLIAM S. ZWICKER Abstract. Consider an election in which each of the n voters casts a vote consisting of
More informationA new probabilistic public key algorithm based on elliptic logarithms
A new probabilistic public key algorithm based on elliptic logarithms Afonso Comba de Araujo Neto, Raul Fernando Weber 1 Instituto de Informática Universidade Federal do Rio Grande do Sul (UFRGS) Caixa
More informationA Modern Course on Curves and Surfaces. Richard S. Palais
A Modern Course on Curves and Surfaces Richard S. Palais Contents Lecture 1. Introduction 1 Lecture 2. What is Geometry 4 Lecture 3. Geometry of InnerProduct Spaces 7 Lecture 4. Linear Maps and the Euclidean
More informationOrthogonal Bases and the QR Algorithm
Orthogonal Bases and the QR Algorithm Orthogonal Bases by Peter J Olver University of Minnesota Throughout, we work in the Euclidean vector space V = R n, the space of column vectors with n real entries
More informationSwitching Algebra and Logic Gates
Chapter 2 Switching Algebra and Logic Gates The word algebra in the title of this chapter should alert you that more mathematics is coming. No doubt, some of you are itching to get on with digital design
More informationAlgebraic Number Theory. J.S. Milne
Algebraic Number Theory J.S. Milne Version 3.06 May 28, 2014 An algebraic number field is a finite extension of Q; an algebraic number is an element of an algebraic number field. Algebraic number theory
More informationSemiSimple Lie Algebras and Their Representations
i SemiSimple Lie Algebras and Their Representations Robert N. Cahn Lawrence Berkeley Laboratory University of California Berkeley, California 1984 THE BENJAMIN/CUMMINGS PUBLISHING COMPANY Advanced Book
More informationAnalytic Number Theory
Analytic Number Theory Donald J. Newman Springer Graduate Texts in Mathematics 77 Editorial Board S. Axler F.W. Gehring K.A. Ribet Springer New York Berlin Heidelberg Barcelona Hong Kong London Milan Paris
More informationSELECTIONS FROM THE ARITHMETIC GEOMETRY OF SHIMURA CURVES I: MODULAR CURVES
SELECTIONS FROM THE ARITHMETIC GEOMETRY OF SHIMURA CURVES I: MODULAR CURVES PETE L. CLARK These are notes accompanying a sequence of three lectures given in the UGA number theory seminar in August and
More informationRegular Languages are Testable with a Constant Number of Queries
Regular Languages are Testable with a Constant Number of Queries Noga Alon Michael Krivelevich Ilan Newman Mario Szegedy Abstract We continue the study of combinatorial property testing, initiated by Goldreich,
More informationAlgebraic Number Theory
Algebraic Number Theory Johan Bosman Notes by Florian Bouyer Copyright (C) Bouyer 011 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation
More informationSome Basic Techniques of Group Theory
Chapter 5 Some Basic Techniques of Group Theory 5.1 Groups Acting on Sets In this chapter we are going to analyze and classify groups, and, if possible, break down complicated groups into simpler components.
More information