Section 20 – Fermat's and Euler's theorems
Instructor: Yifan Yang
Spring 2007

The multiplicative group of nonzero elements in a field

Theorem. The nonzero elements of a field form a group under the field multiplication.

Proof. Straightforward. See Exercise 37 of Section 18.

Notation. The multiplicative group of nonzero elements in a field $F$ will be denoted by $F^\times$.

Fermat's theorem

Theorem (20.1, Little theorem of Fermat). Let $p$ be a prime. Then for all integers $a$ not divisible by $p$, we have $a^{p-1} \equiv 1 \pmod p$.

Proof. The group $\mathbb{Z}_p^\times$ has $p - 1$ elements. Then by the Lagrange theorem (Theorem 10.10), for all $a \in \mathbb{Z}_p^\times$, $a^{p-1} \equiv 1 \pmod p$.

Corollary and examples

Corollary (20.2). Let $p$ be a prime. Then $a^p \equiv a \pmod p$ for all $a \in \mathbb{Z}$.

Example 1. Let us compute the remainder of $7^{103}$ when divided by 17.

Solution. By Fermat's theorem, we have $7^{16} \equiv 1 \pmod{17}$. Thus,
$$7^{103} = 7^{6 \times 16 + 7} = (7^{16})^6 (7^7) \equiv 7^7 = 7(7^3)^2 = 7(343)^2 \equiv 7 \cdot 9 \equiv 12 \pmod{17}.$$

Examples

Example 2. Prove that $n^{33} - n$ is divisible by 15 for all $n$.

Solution. We need to show that $n^{33} - n$ is divisible by both 3 and 5. Here we demonstrate $n^{33} - n \equiv 0 \pmod 5$, and leave $n^{33} - n \equiv 0 \pmod 3$ as an exercise. If $5 \mid n$, then $n^{33}$ is clearly congruent to $n$ modulo 5. If $5 \nmid n$, then
$$n^{33} - n = n(n^{32} - 1) = n((n^4)^8 - 1) \equiv n(1 - 1) = 0 \pmod 5.$$

Euler's generalization

Theorem (20.6). The set $\mathbb{Z}_n^\times$ of nonzero elements of $\mathbb{Z}_n$ that are not zero divisors forms a group.

Proof.
• closed:
  • Suppose that $a$ and $b$ are not 0 nor zero divisors. We need to show that $ab$ is neither 0 nor a zero divisor.
  • Since $a$ and $b$ are not 0 nor zero divisors, $ab \neq 0$.
  • Now suppose that $(ab)c = 0$.
  • Then $a(bc) = 0$. Since $a$ is not 0 nor a zero divisor, $bc = 0$.
  • By the same token, $bc = 0$ implies $c = 0$. Thus $ab$ is not a zero divisor.

Proof of Theorem 20.6, continued
• associativity: obvious.
• identity: 1 is the multiplicative identity.
• inverse:
  • We will argue along the same line as the proof of Theorem 19.11 that every finite integral domain is a field.
  • Let $a_1, \ldots, a_k$ be the elements of $\mathbb{Z}_n^\times$. For $a \in \mathbb{Z}_n^\times$, we consider $aa_1, \ldots, aa_k$.
  • Suppose that $aa_i = aa_j$. Then $a(a_i - a_j) = 0$.
  • Since $a$ is not 0 nor a zero divisor, we have $a_i - a_j = 0$, or equivalently $a_i = a_j$.
  • This shows that $aa_1, \ldots, aa_k$ are $k$ distinct elements of $\mathbb{Z}_n^\times$ (which has exactly $k$ elements), so they exhaust $\mathbb{Z}_n^\times$ and one of them must be 1.
  • This shows that $a$ has an inverse in $\mathbb{Z}_n^\times$.

Euler's φ-function

Definition. The Euler φ-function $\varphi(n)$ is defined as the number of elements in $\mathbb{Z}_n^\times$. (By Theorem 19.3, $\varphi(n) = |\{1 \le k \le n : \gcd(k, n) = 1\}|$.)

Example
1. $\mathbb{Z}_{12}^\times = \{1, 5, 7, 11\}$. Thus $\varphi(12) = 4$.
2. $\mathbb{Z}_{15}^\times = \{1, 2, 4, 7, 8, 11, 13, 14\}$, and $\varphi(15) = 8$.

Remark. In general, $\varphi(n) = n \prod_{p \mid n,\ p \text{ prime}} (1 - 1/p)$.

Euler's theorem

Theorem (20.8, Euler's theorem). Let $n$ be a positive integer. Then for all integers $a$ relatively prime to $n$, we have $a^{\varphi(n)} \equiv 1 \pmod n$.

Proof. Similar to the proof of Fermat's theorem. (Apply the Lagrange theorem to the group $\mathbb{Z}_n^\times$.)

Example. Let us compute $4^{99} \bmod 35$. We have $4^{\varphi(35)} \equiv 1 \pmod{35}$, i.e., $4^{24} \equiv 1 \pmod{35}$. Thus, $4^{99} \equiv 4^3 = 64 \equiv 29 \pmod{35}$.

In-class exercises
1. Find the remainder of $31^{105}$ when divided by 23.
2. Find the remainder of $29^{980}$ when divided by 37.
3. Find the remainder of $2^{3000}$ when divided by 35.
4. Find the remainder of $2^{1000}$ when divided by 27.

Finding $a^{-1}$ modulo $n$ using the Euclidean algorithm

Example. Find the multiplicative inverse of 11 modulo 29.

Solution. We have
$$29 = 2 \times 11 + 7,\qquad 11 = 1 \times 7 + 4,\qquad 7 = 1 \times 4 + 3,\qquad 4 = 1 \times 3 + 1.$$
Thus
$$1 = 4 - 1 \times 3 = 4 - 1 \times (7 - 1 \times 4) = 2 \times 4 - 1 \times 7 = 2 \times (11 - 1 \times 7) - 1 \times 7 = 2 \times 11 - 3 \times 7 = 2 \times 11 - 3 \times (29 - 2 \times 11) = 8 \times 11 - 3 \times 29.$$
We see that the multiplicative inverse of 11 modulo 29 is 8.

Solving $ax \equiv b \pmod n$

Theorem (20.10). Let $n$ be a positive integer and let $a \in \mathbb{Z}_n$ be relatively prime to $n$. Then for each $b \in \mathbb{Z}_n$, the equation $ax = b$ has a unique solution in $\mathbb{Z}_n$.

Proof. Let $a^{-1}$ be the multiplicative inverse of $a$ in $\mathbb{Z}_n$. Then $a^{-1}b$ is the unique solution of $ax = b$ in $\mathbb{Z}_n$.

Theorem (20.12). Let $n$ be a positive integer and let $a, b \in \mathbb{Z}_n$.
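The group $\mathbb{Z}_n^\times$, the φ-function (by the product formula and by the counting definition) and exponent reduction via Euler's theorem, worked in code. This is an added example, not part of the slides; the function names are my own, and the trial-division factoring is only meant for classroom-sized moduli.

```python
from math import gcd

def prime_factors(n):
    """Distinct prime divisors of n by trial division (fine for small n)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes

def euler_phi(n):
    """phi(n) = n * prod_{p | n} (1 - 1/p), evaluated with integers only:
    dividing by p before multiplying by (p - 1) keeps every step exact."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result

def euler_phi_by_counting(n):
    """Definition: phi(n) = |{1 <= k <= n : gcd(k, n) = 1}| = |Z_n^x|."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def units(n):
    """Z_n^x: the residues that are neither 0 nor zero divisors, i.e. coprime to n."""
    return [k for k in range(1, n) if gcd(k, n) == 1]

def pow_mod_euler(a, k, n):
    """a^k mod n using Euler's theorem: if gcd(a, n) = 1 then a^phi(n) = 1 (mod n),
    so only k mod phi(n) matters (Fermat's theorem is the special case n prime).
    When gcd(a, n) != 1 the theorem does not apply and we fall back to direct
    modular exponentiation, which is always well defined."""
    if gcd(a, n) != 1:
        return pow(a, k, n)
    r = k % euler_phi(n)
    return pow(a, r, n)
```

`pow_mod_euler(7, 103, 17)` reproduces Example 1 (remainder 12) and `pow_mod_euler(4, 99, 35)` the Euler example (remainder 29); the fallback branch is what makes the Example 2 claim $n^{33} \equiv n \pmod{15}$ checkable for every $n$, including multiples of 3 or 5.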
Let $d = \gcd(a, n)$. The equation $ax = b$ has a solution in $\mathbb{Z}_n$ if and only if $d$ divides $b$. When $d$ divides $b$, the equation has exactly $d$ solutions in $\mathbb{Z}_n$.

Proof.
• $d \nmid b$. For all integers $c$, all elements in the residue class $ac + n\mathbb{Z} = \{ac + kn : k \in \mathbb{Z}\}$ are multiples of $d = \gcd(a, n)$. They cannot be congruent to $b$ modulo $n$ if $b$ is not a multiple of $d$.

Proof of Theorem 20.12, continued
• $d \mid b$.
  • Observe that $n \mid (ax - b) \iff \dfrac{n}{d} \,\Big|\, \Big(\dfrac{a}{d}x - \dfrac{b}{d}\Big)$, that is, $x$ is a solution of $ax \equiv b \pmod n$ if and only if $x$ is a solution of $(a/d)x \equiv (b/d) \pmod{n/d}$.
  • Now $a/d$ and $n/d$ are relatively prime. Thus, by Theorem 20.10, there is a unique residue class $s$ modulo $n/d$ that satisfies $(a/d)s \equiv b/d \pmod{n/d}$.
  • Among all the residue classes modulo $n$, the residue classes represented by $s, s + n/d, \ldots, s + (d-1)n/d$ are precisely the solutions of $ax \equiv b \pmod n$.

Examples

Example 1. Solve $12x \equiv 27 \pmod{18}$ in integers.

Solution. The gcd of 12 and 18 is 6, which does not divide 27. Thus the equation has no solutions in integers.

Example 2. Find all solutions of $15x \equiv 27 \pmod{18}$ in integers.

Solution.
• An integer $a$ satisfies $15a \equiv 27 \pmod{18}$ if and only if it satisfies $5a \equiv 9 \pmod 6$.
• The multiplicative inverse of 5 modulo 6 is 5. Thus if $5a \equiv 9 \pmod 6$, then $a \equiv 5 \times 9 \equiv 3 \pmod 6$.
• The solutions are $3 + 6k$ for $k \in \mathbb{Z}$.
• Note that the integers $3 + 6k$ fall in three residue classes $3 + 18\mathbb{Z}$, $9 + 18\mathbb{Z}$, and $15 + 18\mathbb{Z}$ modulo 18.

Example 3. Find all solutions of $123x \equiv 78 \pmod{1671}$.

Solution.
• The gcd of 123 and 1671 is 3, and an integer is a solution of $123x \equiv 78 \pmod{1671}$ if and only if it is a solution of $41x \equiv 26 \pmod{557}$.
• Using the Euclidean algorithm, we find the inverse of 41 modulo 557 is 394.
• Thus, the solution set of $41x \equiv 26 \pmod{557}$ is $\{26 \times 394 + 557k : k \in \mathbb{Z}\} = \{218 + 557k : k \in \mathbb{Z}\}$.

In-class exercises
1. Find the multiplicative inverse of 37 modulo 53.
2. Find the multiplicative inverse of 35 modulo 59.
3. Solve $24x \equiv 63 \pmod{67}$ in integers.
4. Solve $27x \equiv 69 \pmod{165}$ in integers.
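The extended Euclidean algorithm for $a^{-1} \bmod n$ (the back-substitution of the 11 modulo 29 example) and the full solution procedure of Theorem 20.12, in one added example that is not part of the slides. Function names are my own; `extended_gcd` returns the Bézout coefficients the slides obtain by hand.

```python
def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g.
    Each Euclidean step keeps (x0, y0), (x1, y1) expressing the current pair
    as combinations of the original a and b, which is the slides'
    back-substitution done incrementally."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n; exists iff gcd(a, n) = 1 (Theorem 20.10)."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd is {g}")
    return x % n

def solve_linear_congruence(a, b, n):
    """All solutions of a*x = b (mod n) in Z_n, following Theorem 20.12.
    With d = gcd(a, n): no solutions unless d | b; otherwise exactly d of
    them, s, s + n/d, ..., s + (d-1)n/d, where s is the unique solution of
    the reduced congruence (a/d)x = b/d (mod n/d)."""
    d, _, _ = extended_gcd(a % n, n)
    if b % d != 0:
        return []                        # Example 1: 12x = 27 (mod 18), d = 6 does not divide 27
    a_, b_, n_ = a // d, b // d, n // d  # gcd(a_, n_) = 1, so a_ is invertible mod n_
    s = (mod_inverse(a_, n_) * b_) % n_
    return [s + k * n_ for k in range(d)]
```

For Example 3, `solve_linear_congruence(123, 78, 1671)` yields the three residue classes $218, 775, 1332$ modulo 1671, i.e. the set $\{218 + 557k\}$ written in $\mathbb{Z}_{1671}$.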
Application to cryptography

RSA algorithm.
• Invented by Clifford Cocks in 1973. Also by Rivest, Shamir, and Adleman independently in 1977.
• Is a public-key cryptosystem (meaning that the encryption key is open to the public).
• Still widely used in electronic commerce.
• Uses the properties that it is easy to determine whether a large integer is a prime, but it is very difficult to factorize a large composite number.

RSA algorithm

Key selection.
• Choose two large primes $p$ and $q$, and let $n = pq$. This $n$ will be made public.
• Pick a positive integer $e < \varphi(n)$ such that $\gcd(e, \varphi(n)) = 1$. This $e$ will be released as the public key.
• Compute $d$ that satisfies $de \equiv 1 \pmod{\varphi(n)}$ (i.e., $de = 1 + k\varphi(n)$ for some $k$). This $d$ is the private key.

RSA algorithm

Encryption phase.
• Alice sends $(n, e)$ to Bob and keeps the private key $d$ in a safe place.
• Suppose that $m$ is the message that Bob wishes to encrypt and send to Alice. He computes $c \equiv m^e \pmod n$ and sends $c$.

Decryption phase.
• To decipher the code $c$, Alice computes $c^d$ modulo $n$.
• Now by Euler's Theorem (which applies when $\gcd(m, n) = 1$), we have $c^d \equiv m^{de} = m^{1 + k\varphi(n)} \equiv m \pmod n$. Thus, Alice does recover the message $m$.

Example
• Choose $p = 13$, $q = 19$, and $n = 247$. We have $\varphi(n) = 12 \times 18 = 216$.
• Choose $e = 23$. We find $d = 47$ satisfies $23 \times 47 = 1081 \equiv 1 \pmod{\varphi(n)}$.
• Let $m = 90$ be the message. We find $c \equiv 90^{23} \equiv 181 \pmod{247}$.
• Now $c^d = 181^{47} \equiv 90 \pmod{247}$, which is indeed the original message.

Computational aspects of RSA
• To find a large prime number, we can use Fermat's theorem to test whether an integer $n$ is a prime number. Namely, if there exists an integer $a$ such that $a^{n-1} \not\equiv 1 \pmod n$, then by Fermat's theorem, $n$ cannot be a prime. On the other hand, if we randomly choose hundreds of integers $a$ and $a^{n-1}$ are all congruent to 1 modulo $n$, then there is a great chance that $n$ is a prime number.
• There are composite numbers $n$ satisfying $a^{n-1} \equiv 1 \pmod n$ for all $a$ with $\gcd(a, n) = 1$. The Fermat primality test fails for these integers.
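The key selection, encryption and decryption steps above, run on the slides' toy parameters $p = 13$, $q = 19$, $e = 23$. This is an added textbook-style example, not the slides' code and not a real RSA implementation (no padding, tiny primes); function names are my own, and the inverse modulo $\varphi(n)$ uses Python 3.8+ `pow(e, -1, phi)` in place of the hand-run Euclidean algorithm. `check_roundtrip` goes slightly beyond the slides' Euler argument: it verifies decryption for every $m \in \mathbb{Z}_n$, including the $m$ not coprime to $n$, which works because $p \neq q$ and Fermat's theorem can be applied modulo $p$ and modulo $q$ separately.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Key selection: n = pq, phi(n) = (p-1)(q-1) for distinct primes p, q,
    public exponent e with gcd(e, phi(n)) = 1, private d with d*e = 1 (mod phi(n))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)          # d*e = 1 + k*phi(n); the slides compute this by the Euclidean algorithm
    return (n, e), d             # (public key, private key)

def rsa_encrypt(public_key, m):
    """Bob: c = m^e mod n for a message m in Z_n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in Z_n")
    return pow(m, e, n)

def rsa_decrypt(public_key, d, c):
    """Alice: c^d = m^(de) = m^(1 + k*phi(n)) = m (mod n)."""
    n, _ = public_key
    return pow(c, d, n)

def check_roundtrip(p, q, e, m):
    """True iff decrypt(encrypt(m)) == m for these parameters."""
    public, d = rsa_keygen(p, q, e)
    return rsa_decrypt(public, d, rsa_encrypt(public, m)) == m
```

With the slides' parameters, `rsa_keygen(13, 19, 23)` returns `((247, 23), 47)`, `rsa_encrypt((247, 23), 90)` returns 181, and decrypting 181 with $d = 47$ returns 90.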
These integers are called the Carmichael numbers. Examples of such integers are 561, 1729, and so on.

Computational aspects of RSA
• To determine the integer $d$ such that $de \equiv 1 \pmod{\varphi(n)}$, we use the Euclidean algorithm. (See earlier slides.)
• To compute $m^e$ (or $c^d$) modulo $n$, we use the successive squaring method. That is, we compute $m^{2^0}, m^{2^1}, m^{2^2}, m^{2^3}, \ldots$ modulo $n$ first. Write $e = a_0 2^0 + a_1 2^1 + \cdots + a_k 2^k$, where $a_i = 0$ or 1. Then
$$m^e = m^{a_0 2^0 + \cdots + a_k 2^k} = (m^{2^0})^{a_0} (m^{2^1})^{a_1} \cdots (m^{2^k})^{a_k}.$$

Homework. Problems 4, 6, 12, 14, 27, 28, 29 of Section 20.
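Successive squaring and the Fermat test, with the Carmichael numbers 561 and 1729 showing where the test fails. This is an added example, not part of the slides; function names are my own. The trial-division primality check is only there to confirm that the Carmichael numbers are composite.

```python
from math import gcd

def square_and_multiply(m, e, n):
    """m^e mod n by successive squaring. With e = a_0*2^0 + ... + a_k*2^k,
    m^e = product over the i with a_i = 1 of m^(2^i); `power` runs through
    m^(2^0), m^(2^1), ... and is squared once per bit of e."""
    result, power = 1 % n, m % n
    while e > 0:
        if e & 1:                          # a_i = 1: multiply in m^(2^i)
            result = (result * power) % n
        power = (power * power) % n        # m^(2^i) -> m^(2^(i+1))
        e >>= 1
    return result

def fermat_witness(n, a):
    """True when the base a proves n composite: for prime n and gcd(a, n) = 1,
    Fermat's theorem forces a^(n-1) = 1 (mod n), so any other value rules out primality."""
    return square_and_multiply(a, n - 1, n) != 1

def fermat_probable_prime(n, bases):
    """n survives the Fermat test for every base coprime to n. 'Probable' is the
    operative word: a Carmichael number survives for every coprime base."""
    if n < 2:
        return False
    return not any(fermat_witness(n, a) for a in bases if gcd(a, n) == 1)

def passes_for_every_coprime_base(n):
    """Exhaustive check of the Carmichael property: a^(n-1) = 1 (mod n) for
    every 1 < a < n with gcd(a, n) = 1. Feasible only for small n."""
    return all(not fermat_witness(n, a) for a in range(2, n) if gcd(a, n) == 1)

def is_prime_trial(n):
    """Deterministic primality by trial division, for confirming the test's verdict on small n."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True
```

`fermat_probable_prime(561, [2, 5, 7])` returns True although `is_prime_trial(561)` is False, which is exactly the failure mode the slide describes; for a base sharing a factor with $n$ (such as 3 for 561) the congruence cannot hold, which is why the test restricts itself to $\gcd(a, n) = 1$.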