Post on 25-Dec-2015
Theory of Computation
Transparency No. 3-1
Chapter 3: Introduction to Number Theory and Its Applications
Cheng-Chia Chen
Introduction
Transparency No. 3-2: Outline
1. Division
2. Primes
3. gcd and lcm
4. Modular arithmetic
5. Chinese Remainder Theorem
6. Fermat's little theorem
7. The RSA algorithm
Transparency No. 3-3: Division
Def: a, b ∈ Z with a ≠ 0. We say a divides b (written a | b) if ∃k ∈ Z s.t. b = ka.
If a | b, then a is a factor (or divisor) of b and b is a multiple of a.
Ex: 3 | 12 (∵ 12 = 4 x 3), -4 | 8, 13 | 0 (∵ 0 = 0 x 13), not (3 | 7).
Transparency No. 3-4: Properties of |
1. a | b /\ a | c => a | b + c
2. a | b => a | bc for all c ∈ Z
3. | is reflexive (a | a for all a ∈ Z)
4. | is transitive (a | b /\ b | c => a | c).
   pf: a | b /\ b | c => b = k1 a and c = k2 b for some k1, k2 ∈ Z => c = k2 (k1 a) = (k1 k2) a.
5. a | b /\ b | a => |a| = |b|
Transparency No. 3-5: Primes
An integer p > 1 is said to be prime if ∀n ∈ N+ (n | p => n = 1 \/ n = p), i.e., the only positive factors of p are 1 and p.
If p > 1 and p is not prime, then p is composite.
Examples: 7 is prime; the primes < 20 are 2, 3, 5, 7, 11, 13, 17, 19.
Transparency No. 3-6: The fundamental theorem of arithmetic (FTA)
∀n ∈ N+ with n > 1, there exists a unique increasing sequence of primes p1 ≤ p2 ≤ … ≤ pk (k ≥ 1) s.t. n = p1 x p2 x … x pk.
Ex: 100 = 2 x 2 x 5 x 5, 999 = 3 x 3 x 3 x 37.
Transparency No. 3-7: Proof of FTA
(Existence) By mathematical induction. Basis: n = 1, 2 ok. Inductive step: n > 1. If n is prime, then n = p1 where p1 = n and k = 1. If n is not prime, then n = n1 x n2 with n1, n2 < n. By the induction hypothesis, n1 = q1 x q2 x … x qt and n2 = r1 x r2 x … x rs, so n = n1 x n2 = q1 x … x qt x r1 x … x rs = p1 x … x ps+t, where p1, …, ps+t is an increasing reordering of q1, …, qt and r1, …, rs.
(Uniqueness) Let n = p1 x … x pk x q1 x … x qs = p1 x … x pk x r1 x … x rt, where the common primes p1, …, pk have been matched up and q1 ≠ r1. Then n – n = p1 x … x pk x (q1 x … x qs – r1 x … x rt) ≠ 0, a contradiction!! (Why the difference is nonzero is shown later, in the slide "Uniqueness of FTA".)
Transparency No. 3-8: Theorem 3
If n is composite, then ∃a ≤ √n s.t. a | n.
pf: n is composite => n = p x q with p, q > 1. If p > √n /\ q > √n, then p q > √n ∙ √n = n, a contradiction. Hence n must have a factor ≤ √n.
Example: 101 is a prime.
pf: ⌊√101⌋ = 10, but no prime ≤ 10 (2, 3, 5, 7) is a factor of 101.
Transparency No. 3-9: The division algorithm
∀a ∈ Z, d ∈ N+: ∃! q, r s.t. a = qd + r where 0 ≤ r < d.
Def: if a = dq + r, then d is called the divisor, a the dividend, q the quotient and r the remainder.
Examples: 101 = 11 ∙ 9 + 2; -11 = -4 ∙ 3 + 1.
Note: d | a iff r = 0.
Transparency No. 3-10: Proof of the division algorithm
Existence: Consider the Z-indexed sequence … a-3d, a-2d, a-d, a, a+d, a+2d, a+3d, … and let r = a – qd be the smallest nonnegative number in the sequence.
1. Since the sequence is strictly increasing toward infinity, such a q (and r) must exist and is unique.
2. If r ≥ d, then r' = r - d = a – (q+1) d ≥ 0 is another nonnegative number in the sequence smaller than r, a contradiction. Hence r < d.
Uniqueness: If both (q, r) and (q', r') satisfy the condition, then r – r' = (q' - q) d (*). Since –d < r - r' < d and (q' - q) d is a multiple of d, (*) holds only if r - r' = 0 = q - q'. QED
Transparency No. 3-11: gcd and lcm
∀a, b ∈ Z with ab ≠ 0: if d | a and d | b, then d is a common divisor of a and b. gcd(a,b) =def the greatest common divisor of a and b.
Notes:
1. The set cd(a,b) = {x > 0 : x | a and x | b} is a finite nonempty subset of N+ (∵ {1} ⊆ cd(a,b) ⊆ {1, …, min(a,b)}), so gcd(a,b) must exist.
   Ex: gcd(24,36) = ? factors of 24: 1, 2, 3, 4, 6, 8, 12, 24; factors of 36: 1, 2, 3, 4, 6, 9, 12, 18, 36; cd(24,36) = {1, 2, 3, 4, 6, 12}; gcd(24,36) = 12.
2. The same definitions (cd and gcd) extend to more than two arguments. (Ex: cd(8,12,18) = {1, 2} and gcd(8,12,18) = 2.)
Transparency No. 3-12: Relatively prime
If gcd(a,b) = 1 we say a and b are relatively prime (r.p.). Ex: gcd(17,22) = 1.
a1, a2, …, an are pairwise r.p. if gcd(ai, aj) = 1 for all 1 ≤ i < j ≤ n. Ex: 10, 17, 21 are p.r.p.; 10, 19, 24 are not p.r.p. since gcd(10,24) = 2.
Proposition 1: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yj ≥ 0, then gcd(a,b) = s =def p1^z1 p2^z2 … pn^zn where zi = min(xi, yi) for all 1 ≤ i ≤ n.
Ex: 100 = 2^2 3^0 5^2 and 30 = 2^1 3^1 5^1 => gcd(100,30) = 2^1 3^0 5^1.
Transparency No. 3-13: lcm (least common multiple)
∀a, b ∈ Z, c ∈ N+: if a | c and b | c, then c is a common multiple of a and b. lcm(a,b) =def the least common multiple of a and b.
Note: The set cm(a,b) = {x > 0 : a | x and b | x} ≠ ∅ (∵ {|a∙b|} ⊆ cm(a,b)), so lcm(a,b) must exist.
Proposition 2: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yj ≥ 0, then lcm(a,b) = t =def p1^z1 p2^z2 … pn^zn where zi = max(xi, yi) for all 1 ≤ i ≤ n.
pf: Since t ∈ cm(a,b), it suffices to show t is a lower bound of cm(a,b). For any c ∈ cm(a,b), pi^xi | a | c and pi^yi | b | c => pi^max(xi,yi) | c for every i => t = p1^z1 … pn^zn | c.
Theorem 5: gcd(a,b) ∙ lcm(a,b) = ab.
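The following is an added example, not code from the slides: it implements trial division up to ⌊√n⌋ (the primality check justified by Theorem 3), the prime factorization of the FTA, and gcd/lcm by the min/max-exponent rules of Propositions 1 and 2, then checks Theorem 5 on the slide's numbers. The function names are my own; the factorization dictionary is keyed by prime with the exponent as value.

```python
from math import isqrt, prod


def is_prime(n):
    """Trial division up to floor(sqrt(n)).
    Theorem 3 justifies the bound: a composite n has a divisor <= sqrt(n)."""
    if n < 2:
        return False
    return all(n % d != 0 for d in range(2, isqrt(n) + 1))


def factorize(n):
    """FTA: prime factorization of n >= 1 as {prime: exponent}, by trial division.
    Each divisor found is divided out completely, so a composite d can never
    divide the remaining cofactor (its prime factors were removed earlier);
    only primes end up as keys."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    exps = {}
    d = 2
    while d * d <= n:            # Theorem 3 again, applied to what is left of n
        while n % d == 0:
            exps[d] = exps.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:                    # the leftover cofactor is itself prime
        exps[n] = exps.get(n, 0) + 1
    return exps


def gcd_by_exponents(a, b):
    """Proposition 1: gcd = product of p^min(x_p, y_p) over all primes p."""
    fa, fb = factorize(a), factorize(b)
    return prod(p ** min(fa.get(p, 0), fb.get(p, 0)) for p in set(fa) | set(fb))


def lcm_by_exponents(a, b):
    """Proposition 2: lcm = product of p^max(x_p, y_p) over all primes p."""
    fa, fb = factorize(a), factorize(b)
    return prod(p ** max(fa.get(p, 0), fb.get(p, 0)) for p in set(fa) | set(fb))


def theorem5_holds(a, b):
    """Theorem 5: gcd(a,b) * lcm(a,b) == a * b for positive a, b."""
    return gcd_by_exponents(a, b) * lcm_by_exponents(a, b) == a * b


if __name__ == "__main__":
    print(factorize(100), factorize(999))          # {2: 2, 5: 2} {3: 3, 37: 1}
    print(is_prime(101))                           # True
    print(gcd_by_exponents(100, 30), lcm_by_exponents(100, 30))  # 10 300
    print(gcd_by_exponents(24, 36), lcm_by_exponents(24, 36))    # 12 72
```

Because `factorize` divides out every found divisor before moving on, `d` only ever succeeds as a divisor when it is prime, which is why no separate prime sieve is needed; the cost is still O(√n) divisions, which is fine for classroom sizes and hopeless for RSA-sized n (the point of the "Why is it hard to break RSA?" slide).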
Transparency No. 3-14: Modular Arithmetic
Def 8: m ∈ N+, a ∈ Z. a mod m =def the remainder of a divided by m. Ex: 17 mod 5 = 2, -133 mod 9 = 2.
Def 9: a, b ∈ Z, m ∈ N+. a ≡ b (mod m) means m | (a-b), i.e., a and b have the same remainder when divided by m, i.e., a mod m = b mod m. We say a is congruent to b (modulo m).
Ex: 17 ≡ 5 (mod 6)? 24 ≡ 14 (mod 6)?
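An added example (mine, not from the slides) for the division algorithm of Transparency 3-9 and the "a mod m" / congruence definitions above. It returns the (q, r) with 0 ≤ r < d that the theorem guarantees, and sets it beside the truncating division that C-family `%` performs, because for a negative dividend the two disagree (the slide's -11 = -4 ∙ 3 + 1 versus C's -11 / 3 = -3 remainder -2), a classic source of bugs in modular-arithmetic code. Function names are my own.

```python
def div_alg(a, d):
    """Return (q, r) with a = q*d + r and 0 <= r < d, for integer a and d > 0.

    Python's // is floor division, so for d > 0 the remainder a - (a//d)*d is
    exactly the smallest nonnegative element of ..., a-2d, a-d, a, a+d, ...
    that the existence proof picks.
    """
    if d <= 0:
        raise ValueError("d must be a positive integer")
    q = a // d
    r = a - q * d
    assert 0 <= r < d
    return q, r


def trunc_div(a, d):
    """Quotient rounded toward zero and the matching remainder (C's / and %
    for d > 0). For negative a the remainder is negative, so it is NOT the r
    of the division algorithm."""
    q = abs(a) // d if a >= 0 else -(abs(a) // d)
    return q, a - q * d


def mod(a, m):
    """a mod m as in Def 8: the remainder of the division algorithm."""
    return div_alg(a, m)[1]


def congruent(a, b, m):
    """Def 9: a ≡ b (mod m) iff m | (a - b); equivalently a mod m == b mod m."""
    same_remainder = mod(a, m) == mod(b, m)
    divides = mod(a - b, m) == 0
    assert same_remainder == divides      # the two formulations agree
    return divides


if __name__ == "__main__":
    print(div_alg(101, 9), div_alg(-11, 3))           # (11, 2) (-4, 1)
    print(trunc_div(-11, 3))                          # (-3, -2)
    print(mod(17, 5), mod(-133, 9))                   # 2 2
    print(congruent(17, 5, 6), congruent(24, 14, 6))  # True False
```

`mod(-133, 9)` gives 2 as on the slide, whereas the truncating remainder would be -7; any code that reduces signed values (signatures, CRT recombination, fixed-point arithmetic) has to pick one convention and normalize.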
Transparency No. 3-15: Properties of congruence
Theorem 6: a ≡ b (mod m) iff a = km + b for some k ∈ Z.
pf: a ≡ b (mod m) <=> (a-b) = km <=> a = km + b.
Theorem 7: If m > 0, a ≡ b (mod m) and c ≡ d (mod m), then (1) a + c ≡ b + d (mod m), (2) ac ≡ bd (mod m), (3) -a ≡ -b (mod m).
pf: By the premise, a = km + b and c = sm + d for some k, s. Then a + c = (b + d) + (k + s) m, ac = bd + (kd + sb + skm) m, and (-a) - (-b) = (-k) m, so (1), (2) and (3) hold.
Ex: 7 ≡ 2 (mod 5) and 11 ≡ 1 (mod 5) => 18 ≡ 3, 77 ≡ 2 and -7 ≡ -2 (mod 5).
Transparency No. 3-16: The Euclidean Algorithm
Lemma 1: a = bq + r => gcd(a,b) = gcd(b,r).
pf: It suffices to show that cd(a,b) = cd(b,r). For any integer d:
d | a /\ d | b => d | r, since r = a - bq, and
d | b /\ d | r => d | a, since a = bq + r.
Hence cd(a,b) = cd(b,r), and gcd(a,b) = gcd(b,r).
Notes:
1. If a = bq + 0, then gcd(a,b) = gcd(b,0) = b.
2. Corollary: gcd(a,b) = gcd(b,c) if a is a linear combination (l.c.) of b and c, and c is a l.c. of a and b.
Transparency No. 3-17: A simple algorithm
  gcd(a, b) {               // a, b ≥ 0
    if (b == 0) return a;
    else return gcd(b, a mod b);
  }
Notes:
1. This algorithm is very efficient (O(log b) by Lamé's lemma).
2. The (tail) recursion of the above algorithm can be replaced by an iterative version as follows:
  igcd(int a, int b) {      // a, b ≥ 0
    while (b != 0) {        // (a, b) <- (b, a % b)
      int temp = a; a = b; b = temp % b;
    }
    return a;
  }
Transparency No. 3-18: gcd(662, 414) = ?
∴ gcd(662,414) = gcd(414,248) = … = gcd(2,0) = 2.
  a     b     a = qb + r              q    r
  662   414   662 = 1 x 414 + 248     1    248
  414   248   414 = 1 x 248 + 166     1    166
  248   166   248 = 1 x 166 + 82      1    82
  166   82    166 = 2 x 82 + 2        2    2
  82    2     82 = 41 x 2 + 0         41   0
  2     0
Transparency No. 3-19: Theorem 1
∀a > b ≥ 0: gcd(a,b) = sa + tb for some s, t ∈ Z, i.e., gcd(a,b) is a linear integer combination of a and b.
Pf: By induction on b. Basis: b = 0. gcd(a,b) = a = 1 ∙ a + 0 ∙ b.
Inductive case: b > 0. Case 1: b | a. Then gcd(a,b) = b = 0 ∙ a + 1 ∙ b. Case 2: b ∤ a. Then gcd(a,b) = gcd(b,r) where 0 ≤ r = a mod b < b. By I.H., gcd(b,r) = sb + tr. But r = a - bq, ∴ gcd(a,b) = gcd(b,r) = sb + tr = sb + t(a – bq) = ta + (s – qt) b. QED
Conclusion: (sn, tn) = (tn+1, sn+1 – qn tn+1).
Transparency No. 3-20: Example
gcd(252, 198) = 18 = ___ ∙ 252 + ___ ∙ 198.
Sol:
Exercise: Let L(a,b) = {sa + tb | s, t ∈ Z} be the set of all linear combinations of a and b. Show that gcd(a,b) = the smallest positive member of L(a,b).
pf: Let g = gcd(a,b). By Theorem 1, g is a linear combination of a and b. Hence g ∈ L(a,b). Now let m = sa + tb be any positive number in L(a,b). Since g | a and g | b, we have g | sa + tb = m > 0 and hence g ≤ m. As a result g is the least positive member of L(a,b).
Theorem 1.1: gcd(a,b) is the least positive integer combination of a and b.
Transparency No. 3-21: gcd(662, 414) = ?
∴ gcd(662,414) = gcd(414,248) = … = gcd(2,0) = 2 = 1 x 2 + 0 x 0 = … = -5 x 662 + 8 x 414.
  a     b     a = qb + r              q    r
  662   414   662 = 1 x 414 + 248     1    248
  414   248   414 = 1 x 248 + 166     1    166
  248   166   248 = 1 x 166 + 82      1    82
  166   82    166 = 2 x 82 + 2        2    2
  82    2     82 = 41 x 2 + 0         41   0
  2     0
Back substitution with (sn, tn) = (tn+1, sn+1 – qn tn+1), i.e. sn = tn+1 and tn = sn+1 – qn tn+1:
  n    qn    sn    tn
  1    1     -5    8  = 3 - 1 x (-5)
  2    1     3     -5 = -2 - 1 x 3
  3    1     -2    3  = 1 - 1 x (-2)
  4    2     1     -2 = 0 - 2 x 1
  5    41    0     1  = 1 - 41 x 0
  6          1     0
Transparency No. 3-22: The extended gcd algorithm
  // input: a ≥ b ≥ 0
  // output: (c, s, t) s.t. c = gcd(a,b) = s a + t b
  egcd(a, b) : Z^3 {
    if (b == 0) { return (a, 1, 0); }
    let (rlt, s, t) = egcd(b, a mod b);
    return (rlt, t, s – t * (a / b));
  }
What is a non-recursive algorithm for egcd?
Transparency No. 3-23: Non-recursive algorithm for egcd
  // input: a ≥ b ≥ 0
  // output: (c, s, t) s.t. c = gcd(a,b) = s a + t b
  Egcd(int a, int b) {
    Stack<int> st = new Stack();
    while (b != 0) {
      st.push(a / b);          // integer division
      (a, b) <- (b, a % b);
    }
    int s = 1, t = 0, rlt = a;
    while (!st.isEmpty()) {
      int q = st.pop();
      (s, t) <- (t, s – q * t);
    }
    return (rlt, s, t);
  }
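An added example (mine, not the slides' code) for Theorem 1 and the two egcd slides: the recursive egcd, the stack-based non-recursive version with the back-substitution (sn, tn) = (tn+1, sn+1 – qn tn+1), a single-pass variant that carries the coefficients forward (an addition not on the slides), and a brute-force check of Theorem 1.1 on the 252/198 example. Names are my own.

```python
def egcd(a, b):
    """Recursive extended Euclid: (g, s, t) with g = gcd(a, b) = s*a + t*b, a, b >= 0."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    # gcd(b, r) = s*b + t*r with r = a - q*b  =>  gcd = t*a + (s - t*q)*b
    return g, t, s - t * (a // b)


def egcd_stack(a, b):
    """Non-recursive version: push the quotients while descending,
    then pop them and back-substitute (s, t) <- (t, s - q*t)."""
    quotients = []
    while b != 0:
        quotients.append(a // b)
        a, b = b, a % b
    g, s, t = a, 1, 0            # gcd(g, 0) = 1*g + 0*0
    while quotients:
        q = quotients.pop()
        s, t = t, s - q * t
    return g, s, t


def egcd_single_pass(a, b):
    """Variant not on the slides: keep r_i = s_i*a + t_i*b as an invariant for
    the two most recent remainders, so no stack is needed."""
    r0, r1, s0, s1, t0, t1 = a, b, 1, 0, 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def least_positive_combination(a, b, bound=20):
    """Theorem 1.1 by brute force: the smallest positive s*a + t*b with |s|, |t| <= bound."""
    return min(s * a + t * b
               for s in range(-bound, bound + 1)
               for t in range(-bound, bound + 1)
               if s * a + t * b > 0)


if __name__ == "__main__":
    print(egcd(662, 414), egcd_stack(662, 414))   # (2, -5, 8) (2, -5, 8)
    print(egcd(252, 198))                         # (18, 4, -5)
    print(least_positive_combination(252, 198))   # 18
```

The three routines return the same coefficients on the slide's 662/414 example; the single-pass form is the one used in practice (for modular inverses in RSA key generation, for instance) because it needs constant extra memory and no recursion.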
Transparency No. 3-24: Lemma 1 and Lemma 2
Lemma 1: gcd(a,b) = 1 /\ a | bc => a | c. (must remember!)
pf: gcd(a,b) = 1 => 1 = sa + tb for some s, t ∈ Z => c = sac + tbc = sac + tka (∵ a | bc, so bc = ka for some k) = (sc + tk) ∙ a => a | c.
Corollary 1': a | bc => a/d | c, where d = gcd(a,b).
Lemma 2': p prime /\ p ∤ a => gcd(p,a) = 1.
Pf: cd(p,a) ⊆ factors of p = {1, p}, but p is not a factor of a. Hence gcd(p,a) = 1.
Lemma 2: p prime /\ p | a1 a2 … an => p | ai for some i.
Pf: By induction on n. Basis: n = 1, trivial.
Inductive case: n = k + 1, p | a1 a2 … ak ak+1. If p | a1 we are done. Otherwise p ∤ a1 and gcd(p, a1) = 1 by Lemma 2'. By Lemma 1, p | (a2 … ak+1) => p | ai for some 2 ≤ i ≤ k+1 by I.H.
Transparency No. 3-25: Uniqueness of FTA
Pf: Suppose two distinct sequences p1, …, ps and q1, …, qt with n = p1 x … x ps = q1 x … x qt. Removing all common primes on both sides: m =def pi1 x … x piu = qj1 x … x qjv > 1, where pi ≠ qj for all remaining pi and qj. Then pi1 | m = qj1 x … x qjv => pi1 | qj for some j (by Lemma 2), a contradiction!!
Transparency No. 3-26: Theorem 2
m > 0 /\ ac ≡ bc (mod m) /\ gcd(m,c) = 1 => a ≡ b (mod m).
Pf: ac ≡ bc (mod m) => m | (ac – bc) = (a – b) c. ∵ gcd(m,c) = 1, ∴ m | (a – b) (Lemma 1), ∴ a ≡ b (mod m).
Notes:
1. In general: ac ≡ bc (mod m) implies a ≡ b (mod m/d) where d = gcd(m,c).
2. If m is a prime and not (c ≡ 0 (mod m)) [so gcd(m,c) = 1], then ac ≡ bc (mod m) implies a ≡ b (mod m), like ordinary arithmetic.
Transparency No. 3-27: Lemma 3
Lemma 3: Let c be a positive integer; then gcd(ac, bc) = c gcd(a,b).
pf: It is easy to see that d is a common divisor of (a, b) iff c x d is a common divisor of (ca, cb). Hence cd(ca,cb) = {c x d | d ∈ cd(a,b)} and gcd(ca,cb) = max{c x d | d ∈ cd(a,b)} = c x gcd(a,b).
Transparency No. 3-28: Lemma 4
Lemma 4: Let a = p1^x1 p2^x2 … pm^xm and b = q1^y1 q2^y2 … qn^yn, where all pi's and qj's are primes and all xi, yj > 0. If {p1, …, pm} ∩ {q1, …, qn} = ∅, then gcd(a,b) = 1.
pf: Assume gcd(a,b) ≠ 1 and let r be any prime factor of gcd(a,b). Then r | a and r | b. But, by Lemma 2, this implies r must be one of {p1, …, pm} and one of {q1, …, qn}. This implies {p1, …, pm} ∩ {q1, …, qn} ≠ ∅, a contradiction! Hence gcd(a,b) = 1.
Transparency No. 3-29: Proof of Proposition 1 for gcd
Proposition 1: If a = p1^x1 p2^x2 … pn^xn and b = p1^y1 p2^y2 … pn^yn, where p1 < p2 < … < pn are primes and all xi, yj ≥ 0, then gcd(a,b) = s =def p1^z1 p2^z2 … pn^zn where zi = min(xi, yi) for all 1 ≤ i ≤ n.
pf: Let c = a/s and d = b/s. Then
c = p1^x1 p2^x2 … pn^xn / (p1^z1 p2^z2 … pn^zn) ∈ Z and
d = p1^y1 p2^y2 … pn^yn / (p1^z1 p2^z2 … pn^zn) ∈ Z.
Hence by Lemma 3, gcd(a,b) = s gcd(c,d). But since c and d have no common prime factor (for each i, zi = min(xi, yi) removes pi entirely from at least one of them), by Lemma 4, gcd(c,d) = 1. As a result, gcd(a,b) = s.
Exercise: Show that c is a factor of a = p1^x1 p2^x2 … pn^xn iff c = p1^y1 p2^y2 … pn^yn where xk ≥ yk ≥ 0 for all 1 ≤ k ≤ n.
Transparency No. 3-30: Linear Congruence
Ex: Find an x such that 7x ≡ 2 (mod 5). Sol: x = 6. How to find it? Analogy: how do we solve the equation ax = b? Let a^-1 be the inverse of a (i.e., 1/a) => a^-1 a x = a^-1 b => x = a^-1 b = b/a.
Def: Equations of the form ax ≡ b (mod m) are called linear congruence equations.
Def: Given (a, m), any integer a' satisfying the condition a a' ≡ 1 (mod m) is called an inverse of a (mod m).
Ex: Since 7 x 3 ≡ 1 (mod 5), 3 is an inverse of 7 mod 5. Hence 3 x 2 = 6 is a solution of 7x ≡ 2 (mod 5).
Transparency No. 3-31: General solution of ax ≡ b (mod m)
Proposition: a a' ≡ 1 (mod m) => x = a'b + km (k ∈ Z) is the general solution of the congruence equation ax ≡ b (mod m).
Pf: 1. aa' ≡ 1 => aa'b ≡ b => a (a'b + km) ≡ b (mod m), so a'b + km is a solution for any k ∈ Z.
2. y is a solution => ay ≡ b (mod m) => a'ay ≡ a'b (mod m) => y ≡ a'ay ≡ a'b (mod m) => m | (y – a'b) => y = a'b + km for some k.
Transparency No. 3-32: Theorem 3 (uniqueness of inverse)
Let m > 0 and gcd(a,m) = 1. Then ∃b ∈ Z s.t. 1. ab ≡ 1 (mod m), and 2. if ab ≡ ac [≡ 1] (mod m) then b ≡ c (mod m).
Pf: 1. gcd(a,m) = 1. Then ∃b, t with ba + tm = 1. Since ab – 1 = (-t) m, ab ≡ 1 (mod m).
2. Since gcd(a,m) = 1, by Theorem 2 we can cancel a from both sides.
Note: Theorem 3 means that the inverse of a mod m exists uniquely (and hence is well defined) if a and m are relatively prime.
Transparency No. 3-33: Examples
Ex: Find a s.t. 3a ≡ 1 (mod 7).
Sol: Since gcd(3,7) = 1, the inverse of 3 (mod 7) exists and can be computed by the Euclidean algorithm:
7 = 3 x 2 + 1 => 1 = 7 + 3 (-2) => 3 (-2) ≡ 1 (mod 7) => a = -2 + 7k for all k ∈ Z.
Ex: Find all solutions of 3x ≡ 4 (mod 7).
Sol: -2 is an inverse of 3 (mod 7). Hence
3 (-2) ≡ 1 (mod 7)
=> 3 (-2) 4 ≡ 1 ∙ 4 (mod 7) -- particular solution x = 4 (-2)
=> x = 4 (-2) + 7k, where k ∈ Z, is the general solution.
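An added example (not from the slides) for Transparencies 3-30 to 3-33: computing a modular inverse, producing the general solution a'b + km of the Proposition, and solving ax ≡ b (mod m). The coprime case is exactly the slides' method; the reduction by d = gcd(a, m) for the non-coprime case is an addition of mine, and `pow(a, -1, m)` (Python 3.8+) is the built-in that runs the extended Euclidean algorithm for the inverse. Function names are my own.

```python
from math import gcd


def has_inverse(a, m):
    """Theorem 3: an inverse of a modulo m exists (and is unique mod m) iff gcd(a, m) = 1."""
    return gcd(a, m) == 1


def mod_inverse(a, m):
    """An inverse a' of a modulo m, in [0, m)."""
    if not has_inverse(a, m):
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {gcd(a, m)}")
    return pow(a, -1, m)


def general_solution(a, b, m, ks):
    """Proposition (3-31): with a a' ≡ 1 (mod m), every a' b + k m solves a x ≡ b (mod m)."""
    a_inv = mod_inverse(a, m)
    return [a_inv * b + k * m for k in ks]


def solve_linear_congruence(a, b, m):
    """All solutions x in [0, m) of a x ≡ b (mod m), sorted.

    gcd(a, m) = 1 gives the single solution a' b mod m (the slides' case).
    Otherwise (my addition) let d = gcd(a, m): a solution exists iff d | b, and
    dividing the congruence by d gives (a/d) x ≡ b/d (mod m/d) with
    gcd(a/d, m/d) = 1, whose unique solution mod m/d lifts to d solutions mod m.
    """
    d = gcd(a, m)
    if b % d != 0:
        return []
    a1, b1, m1 = a // d, b // d, m // d
    x0 = (mod_inverse(a1, m1) * b1) % m1
    return [x0 + k * m1 for k in range(d)]


if __name__ == "__main__":
    print(mod_inverse(7, 5), mod_inverse(3, 7))        # 3 5   (5 ≡ -2 mod 7)
    print(solve_linear_congruence(7, 2, 5))            # [1]   (6 ≡ 1 mod 5)
    print(solve_linear_congruence(3, 4, 7))            # [6]   (4·(-2) = -8 ≡ 6)
    print(general_solution(3, 4, 7, range(-1, 2)))     # [13, 20, 27]
    print(solve_linear_congruence(4, 2, 6))            # [2, 5]
```

The slide's inverse -2 of 3 (mod 7) appears here as 5, the same residue class; `has_inverse` is the check that RSA key generation performs on e against (p-1)(q-1) before calling the inverse.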
Transparency No. 3-34: The Chinese Remainder Theorem
Ex: Find all integers x satisfying the equations simultaneously: x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7).
Theorem 4: Let m1, m2, …, mn be pairwise relatively prime. The system of congruence equations
x ≡ a1 (mod m1)
x ≡ a2 (mod m2)
…
x ≡ an (mod mn)
has a unique solution modulo m = m1 m2 … mn.
Transparency No. 3-35: How the CRT problem is solved
Analogy: find a polynomial f(x) of degree < n passing through n points. Ex: find a polynomial of degree < 3 passing through (1,2), (3,5), (5,4).
Intuition: 1. For each point (ai, bi), i ∈ [1,n], construct a polynomial fi(x) of degree < n with the properties:
1.1. fi(ai) = bi, and
1.2. fi(ak) = 0 for all k ∈ [1,n], k ≠ i.
Suppose we can find all such fi(x)'s; then F(x) = Σ_{j=1..n} fj(x) is the solution.
pf: F(ai) = fi(ai) + Σ_{k≠i} fk(ai) = bi + 0 for all i ∈ [1,n].
Transparency No. 3-36: Example
Ex: Find a polynomial of degree < 3 passing through (1,2), (3,5), (5,4).
Solution:
1. Find f1(x) with f1(1) = 2 and f1(3) = f1(5) = 0.
   => f1(x) must have the factor (x-3)(x-5), so f1(x) = c1 (x-3)(x-5)
   => since f1(1) = 2, 2 = c1 (1-3)(1-5) => c1 = 2 / ((1-3)(1-5))
   => f1(x) = 2 (x-3)(x-5) / ((1-3)(1-5))
2. Similarly,
   f2(x) = 5 (x-1)(x-5) / ((3-1)(3-5))
   f3(x) = 4 (x-1)(x-3) / ((5-1)(5-3))
   and F(x) = f1(x) + f2(x) + f3(x) is the solution.
Transparency No. 3-37: Proof of the Chinese remainder theorem (CRT)
Pf: Let Mk = m / mk for 1 ≤ k ≤ n. Note:
1. gcd(mk, Mk) = 1, and
2. mi | Mk if i ≠ k.
Hence ∃sk, yk s.t. sk mk + yk Mk = 1, i.e., yk is an inverse of Mk mod mk. Now
Mk yk ≡ 1 (mod mk) and
Mk yk ≡ 0 (mod mj) for all j ≠ k.
Let x = a1 M1 y1 + … + an Mn yn; then x ≡ a1 M1 y1 + … + an Mn yn ≡ ak Mk yk ≡ ak (mod mk) for all 1 ≤ k ≤ n.
Transparency No. 3-38: Proof of the uniqueness part
If x and y both satisfy the equations, then x - y ≡ 0 (mod mk) for all k = 1..n => ∃s1, …, sn with x - y = s1 m1 = … = sn mn. Since gcd(mi, mk) = 1 for all i ≠ k and mk | s1 m1, we have mk | s1 for all k ≠ 1. Hence, by Lem(*), s1 is a multiple of m2 m3 … mn, and x - y = s1 m1 is a multiple of m = m1 m2 … mn. Hence x ≡ y (mod m). QED
Lem(*): If gcd(m,n) = 1, then m | s and n | s implies mn | s.
pf: m | s and n | s means s = km = tn. Hence n | km. But since gcd(m,n) = 1, we have n | k (Lemma 1). Hence mn | km = s.
Transparency No. 3-39: Example
Find x with x ≡ (2, 3, 2) (mod (3, 5, 7)) respectively. Sol: m = 3 x 5 x 7 = 105.
  i   mi   ai   Mi = m/mi   yi = Mi^-1 (mod mi)             ai Mi yi
  1   3    2    35          35 y1 ≡ 1 (mod 3) => y1 = -1     2 x 35 x (-1) = -70
  2   5    3    21          21 y2 ≡ 1 (mod 5) => y2 = 1      3 x 21 x 1 = 63
  3   7    2    15          15 y3 ≡ 1 (mod 7) => y3 = 1      2 x 15 x 1 = 30
x = -70 + 63 + 30 = 23.
Transparency No. 3-40: An application of CRT
Instead of the binary representation, we can use n pairwise relatively prime moduli m1, m2, …, mn as the base of an integer representation: an integer a is represented by its residues (a mod m1, …, a mod mn), and by the CRT this representation is unique modulo m1 m2 … mn.
Ex: let (m1, …, m5) = (19, 23, 29, 31, 41).
99 = (4, 7, 12, 6, 17)
88 = (12, 19, 1, 26, 6)
----------------------------------------------------------------
99 + 88 = (16, 3, 13, 1, 23)
99 x 88 = (10, 18, 12, 1, 20)
Problems: 1. How to detect if a + b (or a x b) overflows?
2. How to compare values (when is a < b)?
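An added example (mine, not the slides' code) for the CRT construction of Transparencies 3-37 and 3-39 and the residue-number representation of 3-40. `crt` builds x = Σ ak Mk yk with yk the inverse of Mk modulo mk (via Python's built-in `pow(Mk, -1, mk)`), checks that the moduli are pairwise relatively prime, and the residue helpers reproduce the 99 + 88 and 99 x 88 computation; the last test shows what "overflow" (Problem 1 on the slide) looks like: a true value ≥ m1 … mn comes back reduced modulo that product. Names are my own.

```python
from math import gcd, prod


def crt(residues, moduli):
    """Unique x in [0, m) with x ≡ residues[k] (mod moduli[k]), m = product of the moduli.
    Construction from the proof: x = Σ a_k M_k y_k, M_k = m / m_k, y_k = M_k^-1 mod m_k."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus")
    if any(gcd(mi, mj) != 1 for i, mi in enumerate(moduli) for mj in moduli[i + 1:]):
        raise ValueError("moduli must be pairwise relatively prime")
    m = prod(moduli)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        M_k = m // m_k
        y_k = pow(M_k, -1, m_k)      # exists because gcd(M_k, m_k) = 1
        x += a_k * M_k * y_k         # ≡ a_k (mod m_k), ≡ 0 (mod m_j) for j ≠ k
    return x % m


# The slide's base: five pairwise relatively prime moduli (constructed example data).
MODULI = (19, 23, 29, 31, 41)


def to_residues(x, moduli=MODULI):
    """Residue representation of x."""
    return tuple(x % m_i for m_i in moduli)


def from_residues(r, moduli=MODULI):
    """Back to an integer in [0, m) by the CRT."""
    return crt(r, moduli)


def rns_add(u, v, moduli=MODULI):
    """Addition is componentwise (Theorem 7 (1)) with no carries between components."""
    return tuple((u_i + v_i) % m_i for u_i, v_i, m_i in zip(u, v, moduli))


def rns_mul(u, v, moduli=MODULI):
    """Multiplication is componentwise too (Theorem 7 (2))."""
    return tuple((u_i * v_i) % m_i for u_i, v_i, m_i in zip(u, v, moduli))


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))                         # 23
    a, b = to_residues(99), to_residues(88)
    print(a, b)                                              # (4, 7, 12, 6, 17) (12, 19, 1, 26, 6)
    print(rns_add(a, b), from_residues(rns_add(a, b)))       # (16, 3, 13, 1, 23) 187
    print(rns_mul(a, b), from_residues(rns_mul(a, b)))       # (10, 18, 12, 1, 20) 8712
```

Componentwise add and multiply carry nothing between moduli, which is what makes the representation attractive for parallel arithmetic; the price is that overflow past m1 … mn = 16107383 is silent and comparison needs a conversion back, exactly the two problems the slide lists.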
Transparency No. 3-41: Fermat's little theorem
Let a be any positive integer and p a prime number.
1. If gcd(p,a) = 1, then a^(p-1) ≡ 1 (mod p).
2. a^p ≡ a (mod p).
Ex:
1. p = 17, a = 2: 2^16 = 65536 = 3855 x 17 + 1, so 2^16 ≡ 1 (mod 17).
2. p = 3, a = 20: 20^3 – 20 = 8000 – 20 = 7980 is a multiple of 3. Hence 20^3 ≡ 20 (mod 3).
Transparency No. 3-42: Proof of Fermat's little theorem
Lemma: ∀1 ≤ i < j ≤ p-1: ia ≢ ja (mod p) and ia ≢ 0 (mod p).
Pf: ia ≡ ja (mod p) => p | (j-i) a. Since gcd(p,a) = 1, p | (j-i). But 0 < j-i < p, so p does not divide (j-i), a contradiction. Similarly, since not (p | i) and gcd(p,a) = 1, not (p | ia).
1. The above lemma means ia and ja have different (nonzero) remainders when divided by p, so a, 2a, …, (p-1)a is a rearrangement of 1, 2, …, p-1 modulo p. Hence
a x 2a x … x (p-1)a ≡ 1 x 2 x … x (p-1) = (p-1)! (mod p), i.e.,
(p-1)! a^(p-1) ≡ (p-1)! (mod p). Then
p | (p-1)! (a^(p-1) – 1). ∵ p does not divide (p-1)!, ∴ p | a^(p-1) – 1, and hence a^(p-1) ≡ 1 (mod p).
2. If gcd(p,a) = p, then 0 ≡ a ≡ a^p (mod p).
If gcd(p,a) = 1, then a^(p-1) ≡ 1 (mod p) => a^p ≡ a (mod p).
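An added example (mine, not from the slides) for Fermat's little theorem: both forms of the theorem on the slide's numbers, and the theorem run backwards as a probable-prime test, which is how it is used in practice when generating the primes p and q for RSA. The Carmichael number 561 = 3 x 11 x 17 is an addition of mine, not on the slides; it passes the test for every base, which is why real implementations use a stronger test (Miller-Rabin). Names are my own.

```python
from math import isqrt


def fermat_form1(a, p):
    """Statement 1: a^(p-1) ≡ 1 (mod p) for prime p with gcd(p, a) = 1."""
    return pow(a, p - 1, p) == 1


def fermat_form2(a, p):
    """Statement 2: a^p ≡ a (mod p) for prime p and any a."""
    return pow(a, p, p) == a % p


def is_prime_trial(n):
    """Exact primality by trial division (Theorem 3 bound); fine for small n."""
    return n > 1 and all(n % d != 0 for d in range(2, isqrt(n) + 1))


def fermat_probable_prime(n, bases):
    """Fermat test: n 'passes' if a^n ≡ a (mod n) for every base a in bases.

    Every prime passes (statement 2), so a failure proves n composite.
    A pass does not prove primality: Carmichael numbers such as 561 pass for
    every base, so the test only yields 'probable prime'.
    """
    return n > 1 and all(pow(a, n, n) == a % n for a in bases)


def witnesses_of_compositeness(n, bases):
    """Bases a for which a^n ≢ a (mod n); non-empty means n is certainly composite."""
    return [a for a in bases if pow(a, n, n) != a % n]


if __name__ == "__main__":
    print(pow(2, 16), fermat_form1(2, 17))          # 65536 True  (65536 = 3855*17 + 1)
    print(fermat_form2(20, 3))                      # True        (20^3 - 20 = 7980 = 3*2660)
    print(witnesses_of_compositeness(15, [2, 3]))   # [2, 3]      (15 composite, both bases prove it)
    print(fermat_probable_prime(561, [2, 3, 5, 7]), is_prime_trial(561))  # True False
```

For 15 the base 2 already fails (2^15 ≡ 8, not 2), so the test rejects it; 561 survives every base, which is the caveat to keep in mind whenever Fermat's theorem is used as a test rather than as a theorem.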
Transparency No. 3-43: Public key encryption and RSA
[Figure: plaintext M --Encryption (public key)--> cipher text C --Decryption (private key)--> M' (plain text)]
• Public key can be known to the public.
• Private key is kept secret.
Transparency No. 3-44: The RSA algorithm
p, q: two large primes (768 bits broken; 1024 digits recommended now).
n = pq.
e = any number with gcd(e, (p-1)(q-1)) = 1.
d = inverse of e (mod (p-1)(q-1)), i.e., de ≡ 1 (mod (p-1)(q-1)).
Public key = (n, e); private key = (n, d). Note: public and private keys are symmetric.
C = M^e (mod n) and M' = C^d (mod n).
Theorem: M' ≡ M (mod n). Hence if 0 ≤ M', M < n, then M' = M.
Transparency No. 3-45: Proof of the correctness of the RSA algorithm
M' = C^d ≡ (M^e)^d ≡ M^(de) ≡ M^(1 + k(p-1)(q-1)) (mod n) for some integer k (∵ de ≡ 1 (mod (p-1)(q-1))).
Case 1: gcd(M,p) = 1. Then C^d = M ∙ (M^(p-1))^(k(q-1)) ≡ M ∙ 1^(k(q-1)) ≡ M (mod p) --- (1) (by Fermat's little theorem).
Case 2: gcd(M,p) = p (i.e., M = mp for some integer m). Then C^d = (mp)^(k(p-1)(q-1)+1) ≡ 0 ≡ M (mod p).
Similarly, it can be shown that C^d ≡ M (mod q) --- (2).
∴ M' = C^d ≡ M (mod n), ∵ C^d - M is a multiple of p and of q => C^d - M is a multiple of lcm(p,q) = pq = n. (Or, by the Chinese Remainder Theorem, M' is the only value in [0, n-1] satisfying (1) and (2).)
Transparency No. 3-46: Example
p = 43, q = 59, n = pq = 43 ∙ 59 = 2537.
Choose e = 13, with gcd(13, (43-1)(59-1) = 2436) = 1.
d = 937 is an inverse of 13 mod 2436.
1. To transmit 'STOP' = 1819 1415 (2 blocks of length 4):
   1819^13 mod 2537 = 2081,
   1415^13 mod 2537 = 2182,
   C = 2081 2182.
2. Receive 0981 0461:
   M'1 = 0981^937 (mod 2537) = 0704,
   M'2 = 0461^937 (mod 2537) = 1115,
   M' = 0704 1115 = 'HELP'.
Issue: How to compute 0981^937 (mod 2537) quickly?
Transparency No. 3-47: Why is it hard to break RSA?
Given the public key (e, n), to find (d, n) we need to:
1. decompose n into pq;
2. find the inverse d of e modulo (p-1)(q-1).
Step 2 is easy (quick, via the Euclidean algorithm).
But step 1, the factorization of a large number, is computationally hard work.
Transparency No. 3-48: How to compute b^n (mod m) for large n
  mpow1(b, n, m) {            // b, n, m: int; n, m > 0
    int rlt = 1;
    while (n != 0) { rlt = rlt * b; n = n - 1; }
    return (rlt % m);
  }
Problem: rlt will overflow quickly in the loop!
  mpow2(b, n, m) {            // b, n, m: int; n, m > 0
    int rlt = 1;
    while (n != 0) { rlt = (rlt * b) % m; n = n - 1; }
    return rlt;
  }
Problem: need to perform the * and % operations n times.
Transparency No. 3-49: How to compute b^n (mod m) for large n
c.f. Section 3.6 (page 226; Algorithm 5)
  mp(r, b, n, m) {            // find (r b^n mod m) using (tail) recursion
    if (n == 0) return r % m;
    if (n == 2k+1) return mp((r x b) % m, (b x b) % m, k, m);   // r b^(2k+1) = (r b)(b b)^k
    if (n == 2k > 0) return mp(r, (b x b) % m, k, m);          // r b^(2k) = r (b b)^k
  }
  mp3(b, n, m) { return mp(1, b, n, m); }
  mpower(b, n, m) {           // non-recursive version of mp3 (& mp)
    int rlt = 1; power = b % m; n' = n;
    while (n' > 0) {          // invariant: rlt * power^n' ≡ b^n (mod m)
      if (n' % 2 == 1) rlt = (rlt * power) % m;
      power = power * power % m; n' = n' / 2;
    }
    return rlt;               // running time = O(log n)
  }
Transparency No. 3-50: Example
Compute 3^644 mod 645 using mp3 (& mpower). Note: 644 = (1010000100)2.
The arguments are (rlt, power, n', m):
mp3(3, 644, 645) = mp(1, 3, 644, 645)
= mp(1, 9, 322, 645)
= mp(1, 81, 161, 645)
= mp(81, 81^2 ≡ 111, 80, 645)
= mp(81, 111^2 ≡ 66, 40, 645)
= mp(81, 66^2 ≡ 486, 20, 645)
= mp(81, 486^2 ≡ 126, 10, 645)
= mp(81, 126^2 ≡ 396, 5, 645)
= mp(81 x 396 ≡ 471, 396^2 ≡ 81, 2, 645)
= mp(471, 81^2 ≡ 111, 1, 645)
= mp(471 x 111 ≡ 36, 111^2 ≡ 66, 0, 645) = 36
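An added example (mine, not the slides' code) tying together Transparencies 3-44 to 3-50: the tail-recursive `mp` and the iterative square-and-multiply `mpower` of the last two slides, then RSA key generation, encryption and decryption with the slide's toy parameters p = 43, q = 59, e = 13 and the 'STOP' / 'HELP' blocks (two letters per block, A = 00). The letter encoding and the function names are my own; the modulus is a classroom size and the block encoding is the textbook one, not a padding scheme.

```python
from math import gcd


def mp(r, b, n, m):
    """Tail-recursive r * b^n mod m, reducing mod m at every step."""
    if n == 0:
        return r % m
    if n % 2 == 1:                                   # n = 2k+1: r b^(2k+1) = (r b)(b b)^k
        return mp((r * b) % m, (b * b) % m, n // 2, m)
    return mp(r, (b * b) % m, n // 2, m)             # n = 2k:   r b^(2k) = r (b b)^k


def mpower(b, n, m):
    """Iterative square-and-multiply.
    Loop invariant: rlt * power^n ≡ b_original^n_original (mod m). O(log n) steps."""
    rlt, power = 1, b % m
    while n > 0:
        if n % 2 == 1:
            rlt = (rlt * power) % m
        power = (power * power) % m
        n //= 2
    return rlt


def rsa_keygen(p, q, e):
    """Public key (n, e) and private key (n, d) with d e ≡ 1 (mod (p-1)(q-1))."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # inverse via the extended Euclidean algorithm
    return (p * q, e), (p * q, d)


def rsa_apply(block, key):
    """C = M^e mod n with the public key, M' = C^d mod n with the private key."""
    n, exponent = key
    if not 0 <= block < n:
        raise ValueError("block must lie in [0, n) for M' = M to hold")
    return mpower(block, exponent, n)


def encode_blocks(text):
    """'A'..'Z' -> 00..25, two letters per 4-digit block: 'STOP' -> [1819, 1415]."""
    digits = "".join(f"{ord(c) - ord('A'):02d}" for c in text)
    return [int(digits[i:i + 4]) for i in range(0, len(digits), 4)]


def decode_blocks(blocks):
    """Inverse of encode_blocks: [704, 1115] -> 'HELP'."""
    digits = "".join(f"{b:04d}" for b in blocks)
    return "".join(chr(int(digits[i:i + 2]) + ord('A')) for i in range(0, len(digits), 2))


if __name__ == "__main__":
    print(mpower(3, 644, 645), mp(1, 3, 644, 645))           # 36 36
    public, private = rsa_keygen(43, 59, 13)
    print(public, private)                                   # (2537, 13) (2537, 937)
    cipher = [rsa_apply(b, public) for b in encode_blocks("STOP")]
    print(cipher)                                            # [2081, 2182]
    print(decode_blocks([rsa_apply(c, private) for c in [981, 461]]))  # HELP
```

With n = 2537 a block of 4 decimal digits is guaranteed to be below n, which is the 0 ≤ M < n condition of the correctness theorem; the round-trip test below checks M'' = M for a spread of blocks, including M with gcd(M, p) ≠ 1, the second case of the proof.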