The structure of finite rings and finite exponentiation

Upload: adam-monroe

Post on 31-Dec-2015


DESCRIPTION

The structure of finite rings and finite exponentiation. The multiplicative residues. We have seen that the finite ring Z_p is a field, that is, every non-zero element of Z_p has a multiplicative inverse. (PowerPoint PPT presentation)

TRANSCRIPT

The structure of finite rings

and finite exponentiation

The multiplicative residues

• We have seen that the finite ring Z_p is a field, that is, every non-zero element of Z_p has a multiplicative inverse.

• It is a convention to write Z_p^* for the non-zero elements {1, 2, 3, ..., p-1}.

• Z_p^* is the set of multiplicative residues modulo p.

Modular exponentiation

• Public key cryptography explores the properties of the exponentiation function in Z_p^*.

• Defined as repeated multiplication:
– g^5 mod p := g * g * g * g * g mod p.

• To exponentiate by negative values, exponentiate the inverse:
– g^-3 := g^-1 * g^-1 * g^-1 mod p.

Exponent rules

• Addition/subtraction rules:
– g^k g^j = g^(k+j) in Z_n^*
– g^k g^-j = g^(k-j) in Z_n^*

• Multiplication rule:
– (g^k)^j = g^(kj) in Z_n^*

Non-prime modulus

• If n is not prime, then not all non-zero elements are invertible.

• In this case, we write Z_n^* for the invertible elements only.

• Examples:
– Z_14^* = {1, 3, 5, 9, 11, 13}
– Z_15^* = {1, 2, 4, 7, 8, 11, 13, 14}

Generators

• Consider the following:
– In Z_14^* = {1, 3, 5, 9, 11, 13}:
• 3^2 = 9 mod 14; 3^3 = 13 mod 14; 3^4 = 11 mod 14; 3^5 = 5 mod 14; 3^6 = 1 mod 14.

• In Z_14^* every element is a power of 3. We say that 3 is a generator.

• Do generators always exist?

Prime modulus

• If n is a prime, or twice a prime, then Z_n^* always has a generator.
– We have already seen this for n = 14 = 2*7.

• Otherwise, generators do not exist.
– An important case is when n = pq, where both p and q are odd primes. In this case, there is an element that generates 1/2 of Z_n^*.

Example

• Z_15^* = {1, 2, 4, 7, 8, 11, 13, 14}
– 2^1 = 2 mod 15; 2^2 = 4 mod 15; 2^3 = 8 mod 15; 2^4 = 1 mod 15
– 4^1 = 4 mod 15; 4^2 = 1 mod 15
– 7^1 = 7 mod 15; 7^2 = 4 mod 15; 7^3 = 13 mod 15; 7^4 = 1 mod 15
– 8^1 = 8 mod 15; 8^2 = 4 mod 15; 8^3 = 2 mod 15; 8^4 = 1 mod 15
– 11^1 = 11 mod 15; 11^2 = 1 mod 15
– 13^1 = 13 mod 15; 13^2 = 4 mod 15; 13^3 = 7 mod 15; 13^4 = 1 mod 15
– 14^1 = 14 mod 15; 14^2 = 1 mod 15

• No element is a generator, as predicted.

Order of an element

• Take g in Z_n^*. The list
– g^1, g^2, ..., g^k, k = 1, 2, ...
must eventually repeat.
– Otherwise we get an infinite sequence of elements from a finite set, a contradiction.

• Let g^j = g^k, j < k, k = j + t.
– g^j = g^k = g^(j+t);
– g^j = g^(j+t) = g^j g^t;
– g^t = 1.

• The cancellation rule applies because g is invertible.

Order (continued)

• We have shown that:
– g is invertible if and only if there is t > 1 such that g^t = 1 in Z_n^*.
– Indeed, if g is invertible we have shown that t exists. On the other hand, if t exists, then g has an inverse, equal to g^(t-1):
• g g^(t-1) = g^t = 1 in Z_n^*.

• The smallest such t is the order of g.

Order of Z_n^*

• The order of an element can also be defined as the size of the set generated by it:
– t = order(g) = #{g, g^2, g^3, ..., g^t = 1}

• The order of the group Z_n^* is simply its cardinality |Z_n^*|. The function

φ(n) = |Z_n^*|

is called the Euler totient function.

Euler totient

• We know that all non-zero residues modulo a prime p are invertible. In other words:
– φ(p) = p - 1, if p is a prime.

• It is easy to see that, if n = pq is a product of two primes, then φ(n) = (p - 1)(q - 1) = φ(p) φ(q).

• In general: φ(n) φ(m) = φ(nm) if n, m are relatively prime.

Relations between orders

• Fact: If g is a residue in Z_n^*, then
– order(g) divides φ(n) = order(Z_n^*).

• An important special case is when p is a prime. In that case,
– order(g) divides p-1
– g^(p-1) = (g^t)^k = 1^k = 1 mod p, where t = order(g) and p - 1 = tk.
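The objects of the last few slides (Z_n^*, square-and-multiply exponentiation with the negative-exponent rule, order, generators, the totient and the fact that orders divide φ(n)) as an added Python example; this is not code from the slides, and the function names are my own.

```python
from math import gcd

def units(n):
    """Z_n^*: the residues mod n that have a multiplicative inverse (gcd(g, n) = 1)."""
    return [g for g in range(1, n) if gcd(g, n) == 1]

def inverse(g, n):
    """g^-1 mod n by the extended Euclidean algorithm; raises if g is not invertible."""
    r0, r1, x0, x1 = n, g % n, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        x0, x1 = x1, x0 - q * x1
    if r0 != 1:
        raise ValueError(f"{g} is not invertible mod {n}")
    return x0 % n

def modexp(g, k, n):
    """g^k mod n by square-and-multiply; a negative k exponentiates g^-1, as on the slide."""
    if k < 0:
        g, k = inverse(g, n), -k
    result, base = 1 % n, g % n
    while k:
        if k & 1:
            result = result * base % n
        base = base * base % n
        k >>= 1
    return result

def order(g, n):
    """Smallest t >= 1 with g^t = 1 mod n; the powers g, g^2, ... must cycle back to 1."""
    if gcd(g, n) != 1:
        raise ValueError("order is only defined for g in Z_n^*")
    t, x = 1, g % n
    while x != 1:
        x = x * g % n
        t += 1
    return t

def phi(n):
    return len(units(n))  # Euler totient: |Z_n^*|

def generators(n):
    """Elements of order |Z_n^*|, i.e. those whose powers exhaust Z_n^*."""
    return [g for g in units(n) if order(g, n) == phi(n)]

def orders_divide_phi(n):
    """The fact from the slide: order(g) divides phi(n) for every g in Z_n^*."""
    return all(phi(n) % order(g, n) == 0 for g in units(n))
```

Running generators(14) returns the generator 3 from the slides (and 5, the other one), while generators(15) is empty, matching the Z_15^* table.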

Fermat’s Little Theorem

• The previous result is called Fermat’s Little Theorem.

• (FLT) For every non-zero g in Z_p^*, where p is a prime:
– g^(p-1) = 1 mod p

• This can be generalized to all g in Z_p:
– g^p = g mod p

Generalizing FLT

• For any finite ring Z_n:
– g^φ(n) = 1 mod n, for g in Z_n^*.

• The proof will not be given.

• The special case n = pq is important.

• Claim: If n is a product of two primes:
– g^(φ(n)+1) = g mod n, for g in Z_n = {0, 1, ..., n-1}.

The Remainder Theorem

• In order to appreciate the structure of finite rings when the modulus is composite, the remainder theorem applies:

• Given n = st, where GCD(s, t) = 1:
– For each element a mod n, there corresponds a unique pair
• (b mod s, c mod t).

Example (CRT)

• n = 15 = 3*5
– a = 7 mod 15 corresponds to
• (1 mod 3, 2 mod 5)

• To go from "a mod n" to (b mod s, c mod t):
– Just compute b = a mod s, c = a mod t.

• How to go backwards?
– Use the two inverses s^-1 mod t and t^-1 mod s.

CRT backwards

• Given (b mod s, c mod t), compute
– a = c * s * (s^-1 mod t) + b * t * (t^-1 mod s) mod n

• In other words a = c * s * (s^-1 mod t) + b * t * (t^-1 mod s) + k n.
• Consider "a mod s" (similar for a mod t):
– a mod s = c * s * (s^-1 mod t) + b * t * (t^-1 mod s) + k s t mod s = b * t * (t^-1 mod s) mod s = b mod s.

CRT backwards example

• Given b = 1 mod 3, c = 5 mod 7.
• Compute 3^-1 mod 7 = 5, as 3*5 = 1 mod 7.
• Compute 7^-1 mod 3 = 1, as 7 = 1 mod 3.
• a = 1 * 7 * 1 + 5 * 3 * 5 = 82 mod 21 = 19 mod 21.

Returning to FLT for n = pq

• To prove:
– g^(φ(n)+1) = g mod n, for g in Z_n = {0, 1, ..., n-1}, when n = pq, and p, q are primes.
– For invertible elements, i.e., GCD(g, n) = 1, it is the previous claim.
– For g = 0 mod n, i.e., GCD(g, n) = n, it is clear.

• Consider now the case GCD(g, n) = p.

FLT (continued)

• By the CRT, g is defined by
– g is invertible mod q
– g = 0 mod p

• We get that
– g^q = g mod q
– g^q = 0 = g mod p

• By backwards CRT, we get
– g^q = g mod pq; g^(φ(n)+1) = g^(pq - p - q + 2) = g^(-p+2) (g^q)^(p-1) = g mod pq.
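The CRT round trip from the "CRT backwards" slides and the n = pq claim just proved, as an added Python example that is not part of the slides; it uses Python's built-in pow(x, -1, m) for the inverses instead of hand computation, and goes one step beyond the slides by checking that the claim fails for a modulus such as 9 that is not a product of two distinct primes.

```python
from math import gcd

def crt_forwards(a, s, t):
    """a mod st -> (b mod s, c mod t): just reduce a modulo each factor."""
    return (a % s, a % t)

def crt_backwards(b, s, c, t):
    """(b mod s, c mod t) -> a mod st by the slide's formula
    a = c*s*(s^-1 mod t) + b*t*(t^-1 mod s) mod st, valid when gcd(s, t) = 1."""
    if gcd(s, t) != 1:
        raise ValueError("s and t must be coprime for the CRT to apply")
    s_inv = pow(s, -1, t)  # s^-1 mod t (pow with exponent -1 needs Python 3.8+)
    t_inv = pow(t, -1, s)  # t^-1 mod s
    return (c * s * s_inv + b * t * t_inv) % (s * t)

def crt_is_bijection(s, t):
    """Every a in Z_st gives a distinct pair, and the pair maps back to a."""
    n = s * t
    pairs = set()
    for a in range(n):
        b, c = crt_forwards(a, s, t)
        pairs.add((b, c))
        if crt_backwards(b, s, c, t) != a:
            return False
    return len(pairs) == n

def phi(n):
    """Euler totient |Z_n^*| by direct count (fine for the small moduli used here)."""
    return sum(1 for g in range(1, n) if gcd(g, n) == 1)

def flt_claim_holds(n):
    """Does g^(phi(n)+1) = g mod n hold for every g in Z_n = {0, ..., n-1}?"""
    return all(pow(g, phi(n) + 1, n) == g for g in range(n))

def gq_case_holds(p, q):
    """The proof's remaining case: if gcd(g, pq) = p, then g^q = g mod pq."""
    n = p * q
    return all(pow(g, q, n) == g for g in range(n) if gcd(g, n) == p)
```

crt_backwards(1, 3, 5, 7) reproduces the slide's 19 mod 21, and flt_claim_holds(15) is True while flt_claim_holds(9) is False (3^7 = 0 mod 9).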