Mathematics 360 Homework (due Dec 11) A. Hulpke

67) Let p be a prime, q a divisor of p − 1, and 1 < a < p such that $\mathrm{OrderMod}_p(a) = q$.
a) We know that
• There are q different powers of a (including $a^0 = 1$) modulo p.
• Any power of a has order dividing q.
• Any element of order s dividing q can be obtained as a power of a.
• There are φ(s) elements of order s.
Conclude that $q = \sum_{s \mid q} \varphi(s)$, i.e. the sum is over the divisors s of q.
b) Show that for an odd p there are at most $\frac{p-1}{2}$ elements of odd order, i.e. at least half the elements modulo p are of even order.
68) Factorize 9374251 using Pollard’s ρ-method (you do not need to group differences for Gcd calculations and may
choose to simply take differences instead of running a double-step loop).
You may use a computer for modulo arithmetic and for computing gcds and IsPrime for primality tests.
69) We consider the drawing of random elements (with repetition) from a set of p elements. Suppose that the first
repeated drawing occurs with the m-th (m ≥ 2) draw.
a) Using the inequality $1 - x \le e^{-x}$, show that for j ≥ 2, the probability
$$\mathrm{prob}(m \ge j) \le \prod_{1 \le i < j} e^{-(i-1)/p} \le e^{-(j-2)^2/(2p)}.$$
b) The expected value for the number of choices m is defined as:
$$E(m) = \sum_{j \ge 2} j \cdot \mathrm{prob}(m = j) = \sum_{j \ge 2} \mathrm{prob}(m \ge j)$$
(you do not need to show this). Show that:
$$E(m) \le 1 + \int_0^\infty e^{-x^2/(2p)}\,dx \le 1 + \sqrt{2p} \int_0^\infty e^{-x^2}\,dx$$
(Hint: Riemann sum and substitution)
c) Assuming that the function $f(x) = x^2 + 1$ produces “random” values, show that there is a constant c such that Pollard’s ρ method will take on average $c\sqrt{p}$ steps to find a prime factor p.
70) Explain why it would not be a good idea to use the function f(x) = x + 1 in Pollard’s ρ method. (In the same way, all linear functions will not work.)
71) Let n = pq be the product of two different primes and 1 < a < n with gcd(a, n) = 1, $r = \mathrm{OrderMod}_n(a)$ and $b \equiv a^{r/2} \not\equiv -1 \pmod{n}$. (Many such elements a exist, cf. the Miller-Rabin primality test.)
We then know that $b \not\equiv 1 \pmod{n}$ and $b^2 \equiv 1 \pmod{n}$, so b is one of the two other square roots of 1 we looked at when analyzing the Miller-Rabin test. From this analysis we know (up to swapping the roles of p and q) that $b \equiv -1 \pmod{p}$ and $b \equiv 1 \pmod{q}$.
Show that $\gcd(b - 1, n) \ne 1$.
Note: You have thus shown that if you can determine $\mathrm{OrderMod}_n(a)$ cheaply, you can factor n cheaply. This is the basis of Shor’s polynomial-time quantum algorithm for factorization.
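A numeric illustration of the construction in problem 71, added here and not part of the original assignment: it finds r by brute force (the step the note calls expensive classically), forms b = a^(r/2) and takes gcd(b − 1, n). The function names `order_mod`, `factor_from_order` and `split`, and the sample moduli, are constructed for this example; it illustrates the statement and does not replace the requested proof.

```python
from math import gcd


def order_mod(a, n):
    """Multiplicative order of a modulo n, by brute force.

    Assumes gcd(a, n) == 1, otherwise no power of a is ever 1.
    This loop is the costly step: it can take up to about n iterations.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n, a):
    """Return gcd(b - 1, n) for b = a^(r/2), or None if a does not
    satisfy the hypotheses of problem 71."""
    if gcd(a, n) != 1:
        return None          # hypothesis gcd(a, n) = 1 fails
    r = order_mod(a, n)
    if r % 2 == 1:
        return None          # r/2 is not an integer
    b = pow(a, r // 2, n)
    if b == n - 1:
        return None          # b is -1 mod n, excluded by the problem
    # b is not 1 (r is the exact order) and not -1, but b^2 = 1 mod n
    return gcd(b - 1, n)


def split(n):
    """Try a = 2, 3, ... until one qualifies; return (a, factor, cofactor)."""
    for a in range(2, n):
        g = factor_from_order(n, a)
        if g is not None:
            return a, g, n // g
    return None


if __name__ == "__main__":
    # Constructed sample moduli, each a product of two different primes.
    for n in (15, 21, 3233):
        print(n, split(n))
```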
Practice Problems:
3.23, 3.24, 3.25
Final
As announced in class the final will be given as a take-home final.