Section 20 – Fermat's and Euler's theorems
Instructor: Yifan Yang
Spring 2007
The multiplicative group of nonzero elements in a field
Theorem
The nonzero elements of a field form a group under the field
multiplication.
Proof.
Straightforward. See Exercise 37 of Section 18.
Notation
The multiplicative group of nonzero elements in a field F will be
denoted by F^×.
Fermat’s theorem
Theorem (20.1, Little theorem of Fermat)
Let p be a prime. Then for all integers a not divisible by p, we
have
a^(p−1) ≡ 1 mod p.
Proof.
The group Z_p^× has p − 1 elements. Then by the Lagrange
theorem (Theorem 10.10), for all a ∈ Z_p^×, a^(p−1) ≡ 1 mod p.
Corollary and examples
Corollary (20.2)
Let p be a prime. Then
a^p ≡ a mod p
for all a ∈ Z.
Example 1. Let us compute the remainder of 7^103 when
divided by 17.
Solution. By Fermat's theorem, we have 7^16 ≡ 1 mod 17.
Thus,
7^103 = 7^(6×16+7) = (7^16)^6 (7^7) ≡ 7^7 = 7(7^3)^2
= 7(343)^2 ≡ 7 · 9 ≡ 12 mod 17.
Examples
Example 2. Prove that n^33 − n is divisible by 15 for all n.
Solution. We need to show that n^33 − n is divisible by both 3
and 5. Here we demonstrate n^33 − n ≡ 0 mod 5, and leave
n^33 − n ≡ 0 mod 3 as an exercise.
If 5 | n, then n^33 is clearly congruent to n modulo 5. If 5 ∤ n, then
n^33 − n = n(n^32 − 1) = n((n^4)^8 − 1) ≡ n(1 − 1) = 0 mod 5.
Euler’s generalization
Theorem (20.6)
The set Z_n^× of nonzero elements of Z_n that are not zero divisors
forms a group.
Proof.
• closed:
• Suppose that a and b are not 0 nor zero divisors. We need
to show that ab is neither 0 nor a zero divisor.
• Since a and b are not 0 nor zero divisors, ab ≠ 0.
• Now suppose that (ab)c = 0.
• Then a(bc) = 0. Since a is not 0 nor a zero divisor,
bc = 0.
• By the same token bc = 0 implies c = 0. Thus ab is not a
zero divisor.
Proof of Theorem 20.6, continued
• associativity: obvious.
• identity: 1 is the multiplicative identity.
• inverse:
• We will argue along the same line as the proof of Theorem
19.11 that every finite integral domain is a field.
• Let a_1, …, a_k be the elements of Z_n^×. For a ∈ Z_n^×, we
consider aa_1, …, aa_k.
• Suppose that aa_i = aa_j. Then a(a_i − a_j) = 0.
• Since a is not 0 nor a zero divisor, we have a_i − a_j = 0 or
equivalently a_i = a_j.
• This shows that aa_1, …, aa_k are all distinct, and thus one of
them must be 1.
• This shows that a has an inverse in Z_n^×.
Euler’s φ-function
Definition
Euler's φ-function φ(n) is defined as the number of
elements in Z_n^×. (By Theorem 19.3,
φ(n) = |{1 ≤ k ≤ n : gcd(k, n) = 1}|.)
Example
1. Z_12^× = {1, 5, 7, 11}. Thus φ(12) = 4.
2. Z_15^× = {1, 2, 4, 7, 8, 11, 13, 14}, and φ(15) = 8.
Remark
In general, φ(n) = n ∏_{p | n, p prime} (1 − 1/p).
Euler’s theorem
Theorem (20.8, Euler’s theorem)
Let n be a positive integer. Then for all integers a relatively
prime to n, we have
a^φ(n) ≡ 1 mod n.
Proof.
Similar to the proof of Fermat's theorem. (Apply the Lagrange
theorem to the group Z_n^×.)
Example
Let us compute 4^99 mod 35. We have 4^φ(35) ≡ 1 mod 35, i.e.,
4^24 ≡ 1 mod 35. Thus, 4^99 ≡ 4^3 = 64 ≡ 29 mod 35.
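As an added example (not part of the slides), the Python below checks Fermat's and Euler's theorems numerically and applies the exponent-reduction step used in the worked examples (7^103 mod 17, 4^99 mod 35) and in Example 2 (n^33 − n divisible by 15). The function names (units, phi_by_count, phi_by_formula, euler_reduce, euler_holds, corollary_holds) are my own; modular powers use Python's built-in pow(a, k, n).

```python
# Added example, not from the lecture slides: Fermat's and Euler's theorems
# checked numerically, plus the exponent-reduction trick of the worked examples.
from math import gcd


def units(n):
    """Elements of Z_n^x: residues 1 <= k < n with gcd(k, n) = 1 (Theorem 19.3)."""
    return [k for k in range(1, n) if gcd(k, n) == 1]


def phi_by_count(n):
    """Euler's phi-function as the size of Z_n^x."""
    return len(units(n))


def prime_factors(n):
    """Distinct prime divisors of n by trial division (fine for small n)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes


def phi_by_formula(n):
    """phi(n) = n * prod_{p | n} (1 - 1/p), evaluated in integers to avoid rounding."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def euler_reduce(a, k, n):
    """a^k mod n for gcd(a, n) = 1, reducing k modulo phi(n) first (Theorem 20.8).
    Returns (reduced exponent, value). For prime n this is Fermat's theorem."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    r = k % phi_by_formula(n)
    return r, pow(a, r, n)


def euler_holds(n):
    """True when a^phi(n) == 1 mod n for every unit a of Z_n."""
    ph = phi_by_count(n)
    return all(pow(a, ph, n) == 1 for a in units(n))


def corollary_holds(k, m, limit=200):
    """True when n^k - n is divisible by m for n = 0, 1, ..., limit
    (Example 2 is k = 33, m = 15)."""
    return all((pow(n, k, m) - n) % m == 0 for n in range(limit + 1))


if __name__ == "__main__":
    print(units(12), phi_by_count(12), phi_by_formula(12))
    print(euler_reduce(7, 103, 17))   # Fermat: 103 = 6*16 + 7, so 7^7 mod 17
    print(euler_reduce(4, 99, 35))    # Euler: 99 = 4*24 + 3, so 4^3 mod 35
```

euler_reduce deliberately refuses a base that shares a factor with n, since a^φ(n) ≡ 1 mod n is only guaranteed for units; for prime p the corollary a^p ≡ a mod p covers the remaining case.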
In-class exercises
1. Find the remainder of 31105 , when divided by 23.
2. Find the remainder of 29980 , when divided by 37.
3. Find the remainder of 23000 , when divided by 35.
4. Find the remainder of 21000 , when divided by 27.
Finding a^(−1) modulo n using the Euclidean algorithm
Example. Find the multiplicative inverse of 11 modulo 29.
Solution. We have
29 = 2 × 11 + 7
11 = 1 × 7 + 4
7 = 1 × 4 + 3
4 = 1 × 3 + 1.
Thus
1 = 4 − 1 × 3
= 4 − 1 × (7 − 1 × 4) = 2 × 4 − 1 × 7
= 2 × (11 − 1 × 7) − 1 × 7 = 2 × 11 − 3 × 7
= 2 × 11 − 3 × (29 − 2 × 11) = 8 × 11 − 3 × 29.
We see that the multiplicative inverse of 11 modulo 29 is 8.
Solving ax ≡ b mod n
Theorem (20.10)
Let n be a positive integer and let a ∈ Zn be relatively prime to
n. Then for each b ∈ Zn , the equation ax = b has a unique
solution in Zn .
Proof.
Let a^(−1) be the multiplicative inverse of a in Z_n. Then a^(−1) b is
the unique solution of ax = b in Z_n.
Theorem (20.12)
Let n be a positive integer and let a, b ∈ Zn . Let d = gcd(a, n).
The equation ax = b has a solution in Zn if and only if d divides
b. When d divides b, the equation has exactly d solutions in Zn .
Proof.
• d ∤ b. For all integers c, the elements of the residue class
ac + nZ = {ac + kn : k ∈ Z} are all multiples of
d = gcd(a, n). They cannot be congruent to b modulo n if
b is not a multiple of d.
Proof of Theorem 20.12, continued
• d | b.
• Observe that n | (ax − b) ⟺ (n/d) | ((a/d)x − b/d), that is, x
is a solution of ax ≡ b mod n if and only if x is a solution of
(a/d)x ≡ (b/d) mod (n/d).
• Now a/d and n/d are relatively prime. Thus, by Theorem
20.10, there is a unique residue class s modulo n/d that
satisfies (a/d)s ≡ b/d mod n/d.
• Among all the residue classes modulo n, the residue
classes represented by
s, s + n/d, …, s + (d − 1)n/d
are precisely the solutions of ax ≡ b mod n.
Examples
Example 1. Solve 12x ≡ 27 mod 18 in integers.
Solution. The gcd of 12 and 18 is 6, which does not divide 27.
Thus the equation has no solutions in integers.
Examples
Example 2. Find all solutions of 15x ≡ 27 mod 18 in integers.
Solution.
• An integer a satisfies 15a ≡ 27 mod 18 if and only if it
satisfies 5a ≡ 9 mod 6.
• The multiplicative inverse of 5 modulo 6 is 5. Thus if
5a ≡ 9 mod 6, then a ≡ 5 × 9 ≡ 3 mod 6.
• The solutions are 3 + 6k for k ∈ Z.
• Note that the integers 3 + 6k fall in three residue classes
3 + 18Z, 9 + 18Z, and 15 + 18Z modulo 18.
Examples
Example 3. Find all solutions of 123x ≡ 78 mod 1671.
Solution.
• The gcd of 123 and 1671 is 3, and an integer a is a
solution of 123x ≡ 78 mod 1671 if and only if it is a
solution of 41x ≡ 26 mod 557.
• Using the Euclidean algorithm, we find the inverse of 41
modulo 557 is 394.
• Thus, the solution set of 41x ≡ 26 mod 557 is
{26 × 394 + 557k : k ∈ Z} = {218 + 557k : k ∈ Z}.
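As an added example (not part of the slides), the Python below implements the extended Euclidean algorithm from the inverse-of-11-modulo-29 computation and, on top of it, a solver for ax ≡ b mod n that follows the proof of Theorem 20.12: divide through by d = gcd(a, n), solve the reduced congruence with an inverse, then list the d residue classes s, s + n/d, …, s + (d − 1)n/d. The function names (extended_gcd, mod_inverse, solve_linear_congruence) are my own; the three worked examples above (12x ≡ 27, 15x ≡ 27 mod 18, and 123x ≡ 78 mod 1671) are used as inputs.

```python
# Added example, not from the lecture slides: extended Euclid for a^(-1) mod n,
# and a solver for ax = b (mod n) following Theorem 20.12.

def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g.
    Same back-substitution as the slides, done iteratively."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n, or None when gcd(a, n) != 1."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        return None
    return x % n


def solve_linear_congruence(a, b, n):
    """All solutions of ax = b (mod n) as a sorted list of residues in Z_n.
    Empty when d = gcd(a, n) does not divide b; exactly d residues otherwise."""
    d, _, _ = extended_gcd(a % n, n)
    if b % d != 0:
        return []                      # Theorem 20.12: no solution
    a1, b1, n1 = a // d, b // d, n // d
    s = (mod_inverse(a1, n1) * b1) % n1   # unique class modulo n/d (Theorem 20.10)
    return [s + t * n1 for t in range(d)] # s, s + n/d, ..., s + (d-1)n/d


if __name__ == "__main__":
    print(extended_gcd(11, 29))                 # (1, 8, -3): 8*11 - 3*29 = 1
    print(mod_inverse(11, 29))                  # 8
    print(solve_linear_congruence(12, 27, 18))  # []
    print(solve_linear_congruence(15, 27, 18))  # [3, 9, 15]
    print(solve_linear_congruence(123, 78, 1671))
```

The solver returns residues modulo n rather than the integer set {s + (n/d)k : k ∈ Z}; Example 2 above shows how the latter splits into the d classes the function lists.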
In-class exercises
1. Find the multiplicative inverse of 37 modulo 53.
2. Find the multiplicative inverse of 35 modulo 59.
3. Solve 24x ≡ 63 mod 67 in integers.
4. Solve 27x ≡ 69 mod 165 in integers.
Application to cryptography
RSA algorithm.
• Invented by Clifford Cocks in 1973. Also by Rivest, Shamir,
and Adleman independently in 1977.
• Is a public-key cryptosystem (meaning that the encryption
key is open to public).
• Still widely used in electronic commerce.
• Uses the properties that it is easy to determine whether a
large integer is a prime, but it is very difficult to factorize a
large composite number.
RSA algorithm
Key selection.
• Choose two large primes p and q, and let n = pq. This n
will be made public.
• Pick a positive integer e < φ(n) such that gcd(e, φ(n)) = 1.
This e will be released as the public key.
• Compute d that satisfies de ≡ 1 mod φ(n) (i.e.,
de = 1 + k φ(n) for some k ). This d is the private key.
RSA algorithm
Encryption phase.
• Alice sends (n, e) to Bob and keeps the private key d in a
safe place.
• Suppose that m is the message that Bob wishes to encrypt
and send to Alice. He computes c ≡ m^e mod n and sends
c.
Decryption phase.
• To decipher the code c, Alice computes c^d modulo n.
• Now by Euler's Theorem, we have
c^d ≡ m^(de) = m^(1+kφ(n)) ≡ m mod n.
Thus, Alice does recover the message m.
Example
• Choose p = 13, q = 19, and n = 247. We have
φ(n) = 12 × 18 = 216.
• Choose e = 23. We find d = 47 satisfies
23 × 47 = 1081 ≡ 1 mod φ(n).
• Let m = 90 be the message. We find c ≡ 90^23 ≡ 181
mod 247.
• Now
c^d = 181^47 ≡ 90 mod 247,
which is indeed the original message.
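As an added example (not part of the slides), the Python below runs the key selection, encryption and decryption phases with the slide's toy parameters p = 13, q = 19, e = 23 and m = 90. The function names (rsa_keygen, rsa_encrypt, rsa_decrypt, roundtrip_all) are my own; modular powers use Python's built-in pow, and pow(e, -1, phi) (Python 3.8 or later) computes d with de ≡ 1 mod φ(n).

```python
# Added example, not from the lecture slides: toy RSA with p = 13, q = 19, e = 23.
# Real keys use primes of hundreds of digits; these values only illustrate the math.
from math import gcd


def rsa_keygen(p, q, e):
    """Return ((n, e), d) from primes p, q and a public exponent e with gcd(e, phi(n)) = 1."""
    n = p * q
    phi = (p - 1) * (q - 1)                 # phi(pq) = (p-1)(q-1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                     # d*e = 1 mod phi(n); same result as extended Euclid
    return (n, e), d


def rsa_encrypt(public_key, m):
    """c = m^e mod n for a message m represented as a residue modulo n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a residue modulo n")
    return pow(m, e, n)


def rsa_decrypt(n, d, c):
    """c^d = m^(de) = m^(1 + k*phi(n)) = m mod n."""
    return pow(c, d, n)


def roundtrip_all(p, q, e):
    """True when decryption recovers every residue m in Z_n for this key pair."""
    (n, _), d = rsa_keygen(p, q, e)
    return all(rsa_decrypt(n, d, rsa_encrypt((n, e), m)) == m for m in range(n))


if __name__ == "__main__":
    public, d = rsa_keygen(13, 19, 23)
    print(public, d)                        # (247, 23) 47
    c = rsa_encrypt(public, 90)
    print(c, rsa_decrypt(public[0], d, c))  # 181 90
```

roundtrip_all checks every residue, not only those coprime to n, so it confirms the recovery claim for this key pair in full even though the slide's Euler-based argument is stated for gcd(m, n) = 1.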
Computational aspects of RSA
• To find a large prime number, we can use Fermat's
theorem to test whether an integer n is a prime number.
Namely, if there exists an integer a such that a^(n−1) ≢ 1
mod n, then by Fermat's theorem, n cannot be a prime. On
the other hand, if we randomly choose hundreds of
integers a and a^(n−1) are all congruent to 1 modulo n, then
there is a great chance that n is a prime number.
• There are composite numbers n satisfying a^(n−1) ≡ 1
mod n for all a with gcd(a, n) = 1. The Fermat primality
test fails for these integers. These integers are called the
Carmichael numbers. Examples of such integers are 561,
1729, and so on.
Computational aspects of RSA
• To determine the integer d such that de ≡ 1 mod φ(n), we
use the Euclidean algorithm. (See earlier slides.)
• To compute m^e (or c^d) modulo n, we use the successive
squaring method. That is, we compute m^(2^0), m^(2^1), m^(2^2), m^(2^3),
… modulo n first. Write e = a_0 2^0 + a_1 2^1 + ··· + a_k 2^k,
where a_i = 0 or 1. Then
m^e = m^(a_0 2^0 + ··· + a_k 2^k)
= (m^(2^0))^(a_0) (m^(2^1))^(a_1) ··· (m^(2^k))^(a_k).
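As an added example (not part of the slides), the Python below implements the two computational steps just described: successive squaring for m^e mod n, scanning the binary digits a_0, a_1, … of e, and the Fermat primality test built on it, run against the Carmichael number 561 to show the false "probably prime" the slide warns about. The function names (modexp, fermat_witness, fermat_test, is_carmichael) are my own, and fermat_test takes an explicit list of bases instead of random ones so the runs are reproducible.

```python
# Added example, not from the lecture slides: successive squaring and the
# Fermat primality test, including its failure on Carmichael numbers.
from math import gcd


def modexp(m, e, n):
    """m^e mod n by successive squaring: keep m^(2^i) mod n while scanning the
    bits a_i of e, multiplying it in whenever a_i = 1."""
    result = 1 % n
    power = m % n                   # m^(2^i) mod n, starting at i = 0
    while e > 0:
        if e & 1:                   # a_i = 1: multiply in (m^(2^i))^(a_i)
            result = result * power % n
        power = power * power % n   # m^(2^(i+1)) = (m^(2^i))^2
        e >>= 1
    return result


def fermat_witness(a, n):
    """True when a^(n-1) != 1 mod n, i.e. a proves n composite by Fermat's theorem."""
    return modexp(a, n - 1, n) != 1


def fermat_test(n, bases):
    """'composite' as soon as some base is a witness, else 'probably prime'.
    Real implementations draw many random bases; fixed bases keep this deterministic."""
    if n < 4:
        return "probably prime" if n in (2, 3) else "composite"
    for a in bases:
        if fermat_witness(a % n, n):
            return "composite"
    return "probably prime"


def is_carmichael(n):
    """Composite n with a^(n-1) = 1 mod n for every a coprime to n.
    Primality is checked by trial division, which is fine at this size."""
    if n < 3 or all(n % p for p in range(2, int(n ** 0.5) + 1)):
        return False                # n is prime (or too small), so not Carmichael
    return all(modexp(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1)


if __name__ == "__main__":
    print(modexp(90, 23, 247), modexp(181, 47, 247))      # 181 90 (the RSA example)
    print(fermat_test(15, [2]))                          # composite
    print(fermat_test(561, [2, 5, 7, 13]))               # probably prime, yet 561 = 3*11*17
    print(is_carmichael(561), is_carmichael(1729))       # True True
```

Only bases coprime to 561 fool the test: fermat_test(561, [3]) reports composite because 3 divides 561. For the large Carmichael numbers that matter in practice, a random base almost never shares a factor with n, which is why the test alone is not trusted for key generation.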
Homework
Problems 4, 6, 12, 14, 27, 28, 29 of Section 20.