Lecture Notes on Number Theory
advertisement
Lecture Notes on Number Theory
Kunsoo Park
School of Computer Science and Engineering
Seoul National University
1
Groups, Rings and Fields
We will describe the definitions of groups, rings and fields, and see some examples of them,
especially finite fields.
Definition 1 A group (G, ∗) is a set G together with a binary operation ∗ on G such that the
following axioms are satisfied:
0.
1.
2.
3.
(G is closed under ∗.)
∗ is associative, i.e., (a ∗ b) ∗ c = a ∗ (b ∗ c) for all a, b, c ∈ G.
There is an identity element e for ∗ in G, i.e., e ∗ a = a ∗ e = a for all a ∈ G.
For each a ∈ G, there is an inverse a0 in G, i.e., a0 ∗ a = a ∗ a0 = e.
Definition 2 A group (G, ∗) is abelian if ∗ is commutative, i.e., a ∗ b = b ∗ a for all a, b ∈ G.
Let Zn = {0, 1, . . . , n − 1}. When addition + and multiplication · are used with Zn , they
will mean modular operations.
2
Example 1 (Zn , +) is an abelian group.
Since additive inverses exist in Zn , we can also subtract elements in Zn . We define a − b in
Zn to be (a + (−b)) mod n.
Definition 3 A group (G, ∗) is cyclic if there is some element x ∈ G that generates G. x is a
generator (or primitive element) for G.
Example 2 (Z4 , +) is cyclic and both 1 and 3 are generators.
2
Definition 4 A ring (R, +, ·) is a set R together with two binary operations + and · on R such
that the following operations are satisfied:
1. (R, +) is an abelian group.
2. · is associative.
3. Distributive laws hold, i.e., a(b + c) = (ab) + (ac) and (a + b)c = (ac) + (bc) for all
a, b, c ∈ R.
Example 3 (Z, +, ·), (Q, +, ·), (R, +, ·), (C, +, ·) and (Zn , +, ·) are all rings.
2
Definition 5 A ring in which multiplication is commutative is a commutative ring. A ring with
a multiplicative identity is a ring with unity.
1
Definition 6 A commutative ring R with unity is a field if every nonzero element has a multiplicative inverse in R.
Z is not a field. Q, R, C are fields. Now we will see finite fields.
Theorem 1 a ∈ Zn has a (unique) multiplicative inverse iff gcd(a, n) = 1. (a−1 denotes the
multiplicative inverse of a.)
Let Zn∗ = {a ∈ Zn : gcd(a, n) = 1}, i.e., the set of residues modulo n that are relatively
∗ = {1, 2, 4, 7, 8, 11, 13, 14}.
prime to n. For example, Z15
Theorem 2 If n is any positive integer, (Zn∗ , ·) is a group.
∗
The multiplication table of Z15
1
2
4
7
8
11
13
14
1
1
2
4
7
8
11
13
14
2
2
4
8
14
1
7
11
13
4
4
8
1
13
2
14
7
11
7
7
14
13
4
11
2
1
8
8
8
1
2
11
4
13
14
7
2
2
4
8
1
5
7
4
4
8
7
2
1
5
5
5
1
2
7
8
4
11
11
7
14
2
13
1
8
4
13
13
11
7
1
14
8
4
2
14
14
13
11
8
7
4
2
1
The multiplication table of Z9∗
1
1
2
4
5
7
8
1
2
4
5
7
8
7
7
5
1
8
4
2
8
8
7
5
4
2
1
The Euler phi function φ(n) denotes the size of Zn∗ .
Theorem 3 When n =
ei
i=1 pi
Qr
where pi ’s are distince primes and ei > 0, then
φ(n) =
r
Y
(pei i − piei −1 ) = n
i=1
r
Y
(1 −
i=1
Corollary 1 Some special cases:
• If gcd(m, n) = 1 then φ(mn) = φ(m)φ(n).
• If p is prime then φ(p) = p − 1.
• If p is prime and e ≥ 1 then φ(pe ) = pe−1 (p − 1).
Theorem 4 (Zp , +, ·) is a field if and only if p is prime.
∗
The multiplication table of Z11
2
1
).
pi
1
2
3
4
5
6
7
8
9
10
1
1
2
3
4
5
6
7
8
9
10
2
2
4
6
8
10
1
3
5
7
9
3
3
6
9
1
4
7
10
2
5
8
4
4
8
1
5
9
2
6
10
3
7
5
5
10
4
9
3
8
2
7
1
6
6
6
1
7
2
8
3
9
4
10
5
7
7
3
10
6
2
9
5
1
8
4
8
8
5
2
10
7
4
1
9
6
3
9
9
7
5
3
1
10
8
6
4
2
10
10
9
8
7
6
5
4
3
2
1
Note that 2−1 = 6 and 5−1 = 9.
2
Galois Fields
There is a finite field with pn elements for prime p and integer n ≥ 1, which is called GF(pn ).
Definition 7 Zp [x] for prime p denotes the set of all polynomials with coefficients in Zp . For
f (x) ∈ Zp [x], deg(f ) is the highest exponent in the terms of f .
Then (Zp [x], +, ·), where + and · are addition and multiplication of polynomials, is a ring.
Let f (x) be a monic polynomial (i.e., the coefficient of the highest term is 1). We define a ring
of polynomials modulo f (x), denoted by Zp [x]/f (x), where the two operations are addition and
multiplication of polynomials modulo f (x). Let n = deg(f ). Then the elements of Zp [x]/f (x)
are the pn polynomials in Zp [x] of degree at most n − 1:
an−1 xn−1 + · · · + a1 x + a0 ,
where an−1 , . . . , a0 ∈ Zp .
Recall that Zn is a field if and only if n is prime. The analog of primality for polynomials is
irreducibility.
Definition 8 A polynomial f (x) ∈ Zp [x] is irreducible if there do not exist nonconstant polynomials g(x), h(x) ∈ Zp [x] such that f (x) = g(x)h(x)
Example 4 f (x) = x3 + 3x + 2 is irreducible in Z5 [x]. If f is reducible, there must be a linear
factor x − a for some a ∈ Z5 . However, f (0) = 2, f (1) = 1, f (2) = 1, f (−1) = −2, f (−2) = −2.
2
Example 5 x3 + 1 is reducible in Z2 [x] since x3 + 1 = (x + 1)(x2 + x + 1). x3 + x + 1 and
x3 + x2 + 1 are irreducible in Z2 [x].
2
Theorem 5 (Zp [x]/f (x), +, ·) is a field if and only if f (x) is irreducible in Zp [x].
Example 6 Consider a multiplication in Z2 [x]/(x3 + x + 1).
(x2 + 1)(x2 + x + 1) = x4 + x3 + x + 1
in Z2 [x]. Since
x4 + x3 + x + 1 = (x + 1)(x3 + x + 1) + x2 + x,
we have (x2 + 1)(x2 + x + 1) = x2 + x in Z2 [x]/(x3 + x + 1).
3
2
There is at least one irreducible polynomial of any given degree n ≥ 1 in Zp [x]. Hence, there
is a finite field with pn elements for every prime p and every integer n ≥ 1.
There are usually many irreducible polynomials of degree n in Zp [x]. But the finite fields
constructed from any two irreducible polynomials of degree n are isomorphic. Therefore, there
is a unique finite field of size pn , which is denoted by GF (pn ). Finally, there are no finite fields
with r elements if r 6= pn .
In practice, finite fields GF (2n ) have been most studied because their elements can be easily
represented in binary strings.
The multiplication table of Z2 [x]/(x3 + x + 1)
001
010
011
100
101
110
111
001
001
010
011
100
101
110
111
010
010
100
110
011
001
111
101
011
011
110
101
111
100
001
010
100
100
011
111
110
010
101
001
101
101
001
100
010
111
011
110
110
110
111
001
101
011
010
100
111
111
101
010
001
110
100
011
Note that (x + 1)(x2 + x) = x3 + x = 1.
3
Cost Models
There are two cost models for algorithms.
• Uniform cost model: each word requires one unit of space and each instruction requires
one unit of time. For example, the input size of sorting n numbers is n, and the time
complexity of the bubble sort is O(n2 ).
• Logarithmic cost model: an integer n requires O(log n) space and the cost of an instruction
is proportional to the length of its operands.
If it is reasonable to assume that each number encountered in a problem can be stored in one
computer word, then the uniform cost model is appropriate. Otherwise, the logarithmic cost
model may be more appropriate.
The inputs of most algorithms in these notes are integers. Since these integers are usually
very big, we will use the logarithmic cost model. We assume that the integers are represented
in binary notation. Thus the length of the input n is O(log n), and a polynomial time algorithm
is one that runs in time O((log n)c ) for some constant c. All logarithms are to the base 2.
An addition of two integers n0 ≤ n can be done in O(log n) time, and a multiplication can
be done in O(log2 n) time. A reduction modulo n of an integer (polynomial in n) can be done
by a division in O(log2 n) time.
Definition 9 The Factoring Problem is: Given an integer n such that n = pq for large
primes p and q, find the factors p and q.
4
4
Extended Euclid Algorithm
We know that an element a ∈ Zn has a multiplicative inverse if gcd(a, n) = 1. In this section
we will see an efficient algorithm to compute a−1 .
The Euclid algorithm computes the greatest common divisor of two positive integers a, b.
Theorem 6 gcd(a, b) = gcd(b, a mod b).
Euclid(a, b)
if b = 0 then return a
else return Euclid(b, a mod b) fi
A consecutive pair of Fibonacci numbers (0, 1, 1, 2, 3, 5, 8, 13, 21, . . .) is the worst case for the
Euclid algorithm.
Theorem 7 If a, b < n, then the number of recursions in the Euclid algorithm is less than
1.5 log n + O(1).
Given a and b, the extended Euclid algorithm computes d, x, y such that d = gcd(a, b) =
ax + by.
Ext-Euclid(a, b)
if b = 0 then return (a, 1, 0)
else
(d0 , x0 , y 0 ) ← Ext-Euclid(b, a mod b)
(d, x, y) ← (d0 , y 0 , x0 − ba/bcy 0 )
return (d, x, y) fi
bx0
Correctness of Ext-Euclid: Let a = bq + r for 0 ≤ r < b. Assume inductively that d0 =
+ ry 0 . Then
d = d0 = bx0 + (a − bq)y 0
= ay 0 + b(x0 − qy 0 ).
Example 7 Ext-Euclid(75,28) proceeds as follows.
a
75
28
19
9
1
b
28
19
9
1
0
ba/bc
2
1
2
9
-
d
1
1
1
1
1
x
3
-2
1
0
1
y
-8
3
-2
1
0
2
Theorem 8 Given a, n such that gcd(a, n) = 1, a−1 mod n can be computed in polynomial time.
Proof. Find x, y such that ax + ny = gcd(a, n) = 1 by Ext-Euclid(a, n). Then n | (ax − 1),
so ax ≡ 1 (mod n). Thus a−1 = x mod n.
2
Note that Theorem 8 provides a proof of the existence of a−1 for Theorem 1.
5
5
The Chinese Remainder Theorem
Let n = n1 · · · nr , where ni ’s are pairwise relatively prime, i.e., gcd(ni , nj ) = 1 if i 6= j. Consider
a mapping h : Zn → Zn1 × · · · × Znr defined by
h(x) = (x mod n1 , . . . , x mod nr ).
The Chinese remainder theorem states that mapping h is a bijection and thus the structure of
Zn is identical to that of Zn1 × · · · × Znr .
Example 8 Let n1 = 5, n2 = 3 and n = n1 n2 = 15.
0
(0,0)
5
(0,2)
10
(0,1)
1
(1,1)
6
(1,0)
11
(1,2)
2
(2,2)
7
(2,1)
12
(2,0)
3
(3,0)
8
(3,2)
13
(3,1)
4
(4,1)
9
(4,0)
14
(4,2)
2
Lemma 1 Suppose a, b are any integers such that a | b and b > 0.
• (x mod b) mod a = x mod a for any x.
• x ≡ y (mod b) implies x ≡ y (mod a) for any x, y.
Theorem 9 (Chinese remainder theorem) The mapping h is a bijection. Furthermore,
given integers a1 , . . . , ar , the number x ∈ Zn such that x ≡ ai (mod ni ), 1 ≤ i ≤ r, is computed
by
x=
r
X
ai mi yi mod n,
i=1
where mi = n/ni and yi = m−1
i mod ni , 1 ≤ i ≤ r.
Proof. Since gcd(mi , ni ) = 1, yi = m−1
be computed by Ext-Euclid.
i mod ni exists and it canP
Now compute x mod nj , 1 ≤ j ≤ r. By Lemma 1, x mod nj = ri=1 ai mi yi mod nj . If i 6= j,
then
ai mi yi ≡ 0 (mod nj )
because nj | mi . Thus
x ≡ aj mj yj ≡ aj
(mod nj )
because mj yj ≡ 1 (mod nj ). Therefore, x is h−1 (a1 mod n1 , . . . , ar mod nr ). We have just
proved that h is onto (surjective). Since the domain and range of h have the same cardinality,
h must be one-to-one (injective). Hence h is a bijection.
2
Example 9 Solve the simultaneous equations: x ≡ 13
(mod 7).
n = 1680.
m1 = 112 ≡ 7
(mod 15) and y1 = 13.
6
(mod 15), x ≡ 5
(mod 16), x ≡ 4
m2 = 105 ≡ 9
m3 = 240 ≡ 2
(mod 16) and y2 = 9.
(mod 7) and y3 = 4.
The solution is
x ≡ 112 · 13 · 13 + 105 · 9 · 5 + 240 · 4 · 4
≡ 613
(mod 1680)
(mod 1680).
2
We will also use x ↔ (a1 , . . . , ar ) for h(x) = (a1 , . . . , ar ).
Corollary 2 If x ↔ (a1 , . . . , ar ) and y ↔ (b1 , . . . , br ), then
(x + y) mod n ↔ ((a1 + b1 ) mod n1 , . . . , (ar + br ) mod nr )
(x − y) mod n ↔ ((a1 − b1 ) mod n1 , . . . , (ar − br ) mod nr )
(xy) mod n ↔ (a1 b1 mod n1 , . . . , ar br mod nr )
Proof. ((x + y) mod n) mod ni = (x + y) mod ni = (x mod ni + y mod ni ) mod ni = (ai +
bi ) mod ni .
2
Corollary 3 For all integers x and a, x ≡ a (mod ni ) for 1 ≤ i ≤ r iff x ≡ a (mod n).
Proof. (if) By the definition of h.
(only if) Because h is a bijection.
6
2
Modular Exponentiation
Modular exponentiation is the following problem: Given x, a, n, compute xa mod n. The squareand-multiply algorithm computes modular exponentiation in polynomial time. Let ak · · · a1 a0
be the binary representation of a.
S&M(x, a, n)
z←1
for i ← k to 0 do
z ← z 2 mod n
if ai = 1 then z ← zx mod n fi
od
return z
Example 10 When a = 1101(2) , S&M computes 1, x1 , x11 , x110 , x1101 .
7
2
Powers of Elements
Definition 10 For a finite multiplicative group G, the order of an element a ∈ G is the smallest
positive integer r such that ar = 1. (ord(a) denotes the order of a.)
Theorem 10 (Lagrange) Let G be a multiplicative group of order n. Then the order of an
element a ∈ G divides n.
7
∗ , ord(2) = 4 and ord(4) = 2. In Z ∗ , ord(2) = 10 and ord(3) = 5.
Example 11 In Z15
11
2
∗
Table of powers for Z15
1
2
4
7
8
11
13
14
1
1
2
4
7
8
11
13
14
2
1
4
1
4
4
1
4
1
3
1
8
4
13
2
11
7
14
4
1
1
1
1
1
1
1
1
5
1
2
4
7
8
11
13
14
6
1
4
1
4
4
1
4
1
7
1
8
4
13
2
11
7
14
8
1
1
1
1
1
1
1
1
1
1
2
3
4
5
6
7
8
9
10
2
1
4
9
5
3
3
5
9
4
1
3
1
8
5
9
4
7
2
6
3
10
4
1
5
4
3
9
9
3
4
5
1
5
1
10
1
1
1
10
10
10
1
10
6
1
9
3
4
5
5
4
3
9
1
7
1
7
9
5
3
8
6
2
4
10
8
1
3
5
9
4
4
9
5
3
1
9
1
6
4
3
9
2
8
7
5
10
1
1
2
4
5
7
8
2
1
4
7
7
4
1
3
1
8
1
8
1
8
4
1
7
4
4
7
1
5
1
5
7
2
4
8
∗
Table of powers for Z11
1
2
3
4
5
6
7
8
9
10
10
1
1
1
1
1
1
1
1
1
1
Table of powers for Z9∗
1
2
4
5
7
8
6
1
1
1
1
1
1
Theorem 11 (Euler) For any integer n > 1, aφ(n) ≡ 1
(mod n) for all a ∈ Zn∗ .
Proof. By Theorem 2 Zn∗ is a multiplicative group of order φ(n).
Theorem 12 (Fermat) If p is prime, then ap−1 ≡ 1
Corollary 4 If p is prime, then ap ≡ a
2
(mod p) for all a ∈ Zp∗ .
(mod p) for all a ∈ Zp .
Theorem 13 If p is prime, then Zp∗ is a cyclic group of order p − 1. The number of generators
for Zp∗ is φ(p − 1).
∗ there are φ(p − 1) = 4 generators: 2, 6, 7, 8.
Example 12 In Z11
8
2
Definition 11 Let g be a fixed generator for Zp∗ . Each a ∈ Zp∗ has associated with it a unique
integer r ∈ {0, 1, . . . , p − 2} such that a ≡ g r (mod p). This r is denoted by indp,g (a) and is
called the index of a with respect to p, g.
2
Example 13 Let p = 11 and g = 2. Then indp,g (8) = 3 and indp,g (10) = 5.
Definition 12 The Discrete Log Problem is: Given p, g, a, compute indp,g (a).
It is an open problem whether the discrete log problem can be solved in polynomial time.
Theorem 14 The multiplicative group GF (pn )\{0} is a cyclic group of order pn − 1.
This provides further examples of cyclic groups in which the discrete log problem can be
defined.
8
Square Roots of 1
Theorem 15 If p is prime and f (x) = an xn + · · · + a0 is not identically zero (i.e., f (a) 6≡ 0
(mod p) for some a), then f (x) ≡ 0 (mod p) has at most n distinct solutions in Zp .
x2
Note that x2 ≡ 1 (mod 15) has four distinct solutions: x ≡ 1, −1, 4, −4
≡ 0 (mod 9) has three distinct solutions: x ≡ 0, 3, 6 (mod 9).
Corollary 5 If p is an odd prime, then the equation x2 ≡ 1
x ≡ 1, −1 (mod p).
(mod 15), and
(mod p) has two solutions, i.e.,
Definition 13 A number x is a nontrivial square root of 1 modulo n if it satisfies x2 ≡ 1
(mod n) but x 6≡ 1, −1 (mod n).
Corollary 6 If there exists a nontrivial square root of 1 modulo n, then n is composite.
Theorem 16 If n = pq for two distinct odd primes p, q, there are four distinct square roots of
1 modulo n.
Proof. x2 ≡ 1 (mod p) has two solutions, i.e., x = ±1 mod p. Similarly, x2 ≡ 1 (mod q)
has two solutions ±1 mod q.
Since x2 ≡ 1 (mod n) iff x2 ≡ 1 (mod p) and x2 ≡ 1 (mod q) by Corollary 3, there are
four square roots of 1 modulo n corresponding to (1, 1), (−1, −1), (1, −1) and (−1, 1) in Zp × Zq .
2
Example 14 When n = 15, (1, 1) ↔ 1, (−1, −1) ↔ 14, (1, −1) ↔ 11, (−1, 1) ↔ 4.
9
2
Quadratic Residues
Definition 14 Let p be an odd prime. An element x ∈ Zp∗ is a quadratic residue modulo p if
y 2 ≡ x (mod p) has a solution y ∈ Zp∗ . (Such y is a square root of x modulo p.) Otherwise, x
is a quadratic nonresidue modulo p.
9
Theorem 17 If p is an odd prime and g is any generator for Zp∗ , then a ∈ Zp∗ is a quadratic
residue iff indp,g (a) is even.
Proof. (if) Suppose a ≡ g 2r (mod p) for some r. Then g r mod p is a square root of a.
(only if) Suppose a ≡ b2 (mod p). Let r = indp,g (b). Then a ≡ g 2r (mod p). Thus
indp,g (a) ≡ 2r
(mod p − 1).
2
Since p − 1 is even, so is indp,g (a).
Corollary 7 If p is an odd prime, exactly a half of Zp∗ are quadratic residues.
∗ , 1, 3, 4, 5, 9 are quadratic residues. See Table of Powers for Z ∗ .
Example 15 In Z11
11
2
Definition 15 Let p be an odd prime. The Legendre symbol is defined as follows.
a
p
(
=
+1 if a is a quadratic residue modulo p
−1 if a is a quadratic nonresidue modulo p
Theorem 18 For all a, b ∈ Zp∗ ,
ab
p
a
p
b
.
p
=
Proof. By Theorem 17 and indp,g (ab) ≡ indp,g (a) + indp,g (b)
(mod p − 1).
2
Theorem 19 If p is an odd prime and g is a generator for Zp∗ , then
g (p−1)/2 ≡ −1
(mod p).
Proof. By Theorem 11 (g (p−1)/2 )2 ≡ 1 (mod p). There are two distinct square roots of 1
modulo p: 1 and −1 (see Theorem 15). Since g is of order p − 1, g (p−1)/2 6≡ 1 (mod p).
2
∗ , generators are 2, 6, 7, 8. 25 ≡ 65 ≡ 75 ≡ 85 ≡ −1
Example 16 In Z11
(mod 11).
2
We now describe an efficient way to compute the Legendre symbol, which implies a way to
check quadratic residuosity.
Theorem 20 (Euler’s criterion) If p is an odd prime, then
a(p−1)/2 ≡
a
p
(mod p)
for all a ∈ Zp∗ .
Proof. Suppose ( ap ) = 1. Then there exists b ∈ Zp∗ such that a ≡ b2
a(p−1)/2 ≡ bp−1 ≡ 1
(mod p). Hence
(mod p).
Suppose ( ap ) = −1. If g is any generator for Zp∗ , we have a ≡ g 2r+1
Theorem 17. Hence
a(p−1)/2 ≡ g r(p−1)+(p−1)/2 ≡ g (p−1)/2 ≡ −1
(mod p) for some r by
(mod p).
2
10
Let p be an odd prime. When x is a quadratic residue modulo p, we can compute square
roots of x in polynomial time. If p ≡ 3 (mod 4), there is a simple formula to compute square
roots of x modulo p.
(±x(p+1)/4 )2 ≡ x(p+1)/2
≡ x
(p−1)/2
≡ x
(mod p)
x
(mod p)
(mod p),
where the last equivalence follows from Theorem 20. Hence the two square roots of x modulo p
are ±x(p+1)/4 mod p. If p ≡ 1 (mod 4), there is a polynomial-time Las Vegas algorithm (but
no deterministic one) for computing square roots of x modulo p.
The Jacobi symbol generalizes the Legendre symbol, but not in the respect of indicating
quadratic residuosity.
Definition 16 Let n > 1 be an odd integer and the factorization of n be
symbol is defined as follows.
r ei
Y
a
a
=
.
n
pi
i=1
Example 17 ( 29 ) = ( 23 )2 = 1. However, the equation x2 ≡ 2
ei
i=1 pi .
Qr
The Jacobi
(mod 9) has no solutions.
2
Without knowing the factorization of n, we can compute Jacobi symbols by a variant of the
Euclid algorithm based on the following properties.
1.
2.
3.
4.
5.
6.
If a ≡ b (mod n), then ( na ) = ( nb ).
( n1 ) = 1.
(n−1)/2 .
( −1
n ) = (−1)
a b
( ab
n ) = ( n )( n ).
2
( n2 ) = (−1)(n −1)/8 .
(n−1)(m−1)/4 ( n ). (quadratic
If m and n are relatively prime odd integers, then ( m
n ) = (−1)
m
reciprocity)
Example 18 When a = 117 and n = 271,
117
271
=
=
=
=
37
117
6
37 2
3
37
37
3
− 37
− 13
=
= −1.
by 6 and 1
by 6 and 1
by 4
by 5
by 6 and 1
by 2
Since 271 is prime, we have in fact computed the Legendre symbol ( 117
271 ). (Thus 117 is a
quadratic nonresidue modulo 271.) This is another way to compute the Legendre symbol.
2
Theorem 21 When n > 1 is an odd integer, the Jacobi symbol ( na ) can be computed in polynomial time.
11
Proof. The algorithm is basically the same as the Euclid algorithm with special rules to
remove 2’s.
2
Theorem 22 (Bu, p246) Let n > 1 be an odd integer and the factorization of n be
An element x ∈ Zn∗ is a quadratic residue modulo n iff ( pxi ) = 1 for all 1 ≤ i ≤ r.
10
ei
i=1 pi .
Qr
Blum Integers
We introduce Blum integers and describe some material for the Blum-Blum-Shub generator.
Let n = pq, where p, q are distinct odd primes. Then the (p − 1)(q − 1) elements x in Zn∗ can
be divided into four types based on Legendre symbols ( xp ) = ±1 and ( xq ) = ±1: (+, +), (+, −),
(−, +), and (−, −).
Lemma 2 The number of elements in each type is (p − 1)(q − 1)/4.
Proof. By Corollary 7 a half of Zp∗ have Legendre symbol +1, and a half −1. Similarly for
Zq∗ . Hence, each type is a fourth of Zn∗ .
2
∗ = {1, 2, 4, 7, 8, 11, 13, 14}, 1,4 are in
Example 19 Let n = 15, where p = 3 and q = 5. In Z15
type (+, +), 7,13 in (+, −), 11,14 in (−, +), and 2,8 in (−, −).
2
For an element x ∈ Zn∗ , consider its Jacobi symbol ( nx ). If x is in (+, +) or (−, −), then the
Jacobi symbol is +1; otherwise, it is −1. By Theorem 22 only the elements of type (+, +) are
quadratic residues modulo n. Let QR(n) and Q̃R(n) be the elements in Zn∗ of type (+, +) and
(−, −), respectively. An element x ∈ Q̃R(n) is called a pseudo-square modulo n.
Definition 17 The Quadratic Residue Problem is: Given x ∈ Zn∗ such that ( nx ) = 1 and
n = pq for distinct odd primes p, q, is x a quadratic residue modulo n?
If the factorization n = pq is known, Quadratic Residue can be solved in polynomial
time. Otherwise, there does not appear to be any way to solve it efficiently.
Definition 18 An integer n = pq, where p, q are distinct odd primes and p ≡ q ≡ 3
is called a Blum integer.
(mod 4),
Lemma 3 Let p be an odd prime. Then −1 is a quadratic residue modulo p iff p ≡ 1
(mod 4).
(p−1)/2
Proof. By Euler’s criterion, ( −1
p ) ≡ (−1)
it is −1 if p ≡ 3 (mod 4).
(mod 4);
2
(mod p). Thus ( −1
p ) is 1 if p ≡ 1
Corollary 8 If n is a Blum integer, then −1 is a pseudo-square modulo n.
Lemma 4 Let p be an odd prime and a ∈ Zp∗ .
• If p ≡ 3
• If p ≡ 1
(mod 4), then one of a, −a is a QR and the other is a QNR.
(mod 4), then both a, −a are QRs or QNRs.
2
−1 a
Proof. ( −a
p ) = ( p )( p ).
12
Theorem 23 Let n = pq be a Blum integer. The function f : QR(n) → QR(n) such that
f (x) = x2 mod n is a permutation (one-to-one and onto) on QR(n).
Proof. It can be proved by showing that f −1 (x) for x ∈ QR(n) is unique in QR(n). Since
p ≡ 3 (mod 4), two square roots of x modulo p are ±x(p+1)/4 . Since
x(p+1)/4
p
!
(p+1)/4
=
x
p
= 1,
x(p+1)/4 is a QR modulo p and −x(p+1)/4 a QNR by Lemma 4. Similarly, x(q+1)/4 is a QR
modulo q and −x(q+1)/4 a QNR. Hence (x(p+1)/4 , x(q+1)/4 ) is the only square root of x which is
in QR(n).
2
The square root f −1 (x) ∈ QR(n) is called the principal square root of x.
11
Primality Tests
Definition 19 The prime distribution function π(n) denotes the number of primes ≤ n.
Theorem 24 (Prime number theorem)
π(n)
= 1.
n→∞ n/ ln n
lim
Suppose N ≤ n ≤ 2N . By Theorem 24, the number of primes between N and 2N is
approximately
N
N
2N
−
≈
.
ln 2N
ln N
ln N
Hence, if n is chosen at random in [N, 2N ], the probability that n is prime is approximately
1/ ln N .
Definition 20 A yes-biased Monte Carlo algorithm is a probabilistic algorithm for a decision
problem in which a “yes” answer is always correct, but a “no” answer may be incorrect. We say
that a yes-biased Monte Carlo algorithm has error probability if for any instance in which the
answer is “yes” the algorithm will give the incorrect answer “no” with probability at most .
The decision problem we want to solve is called Composites: Given an odd integer n > 2,
is n composite?
The Solovay-Strassen algorithm for Composites is given in pp.182–183 of Stinson.
We describe the Miller-Rabin algorithm. Theorem 12 (Fermat) implies that if there exists
a ∈ Zn+ that satisfies an−1 6≡ 1 (mod n), then n is composite. Such a is called a witness to the
compositeness of n. For most composite n’s, there are many such witnesses. Every a ∈ Zn+ − Zn∗
is a witness (i.e., an−1 6≡ 1 (mod n)) because a does not have a multiplicative inverse in Zn .
For example, when n = 15, |Zn+ − Zn∗ | = 6 and one half of Zn∗ are witnesses (a14 ≡ a6 6≡ 1
(mod 15)), so there are 10 witnesses out of 14. Thus the following procedure works for most
composite numbers.
13
choose random a < n
if an−1 6≡ 1 (mod n) then return “composite”
else return “possibly prime” fi
However, there are composite numbers n that satisfy an−1 ≡ 1 (mod n) for all a ∈ Zn∗ ,
which are called Carmichael numbers. The first three Carmichael numbers are 561 (= 3 · 11 · 17),
1105 and 1729. Since φ(561) = 2 · 10 · 16 = 320, there are only 240 witnesses out of 560.
Carmichael numbers are extremely rare, e.g., there are only 255 of them less than 100,000,000.
The Miller-Rabin algorithm uses both Theorem 12 (Fermat) and Corollary 6 (nontrivial
square root of 1), i.e., two types of witnesses.
Miller-Rabin
choose random a < n
let bk · · · b0 be the binary representation of n − 1
z←1
for i ← k to 0 do
y←z
z ← z 2 mod n
if z = 1 and y 6≡ ±1 (mod n) then return “composite” fi
if bi = 1 then z ← za mod n fi
od
if z 6= 1 then return “composite”
else return “possibly prime” fi
The algorithm is based on the square-and-multiply algorithm for modular exponentiation.
On the way of computing an−1 mod n, it checks if there is a nontrivial square root of 1 modulo
n.
Theorem 25 If n is an odd composite number, then the number of witnesses (a which causes
“composite” in Miller-Rabin) is at least (n − 1)/2.
Therefore, if we repeat Miller-Rabin s times, then the error probability is at most 2−s .
(s = 50 ∼ 100) Let A be the event that a given number is composite, and B the event that the
answer of Miller-Rabin is prime. The error probability is Prob(B|A).
Theorem 26 The Miller-Rabin algorithm (with s iterations) is a yes-biased Monte Carlo algorithm for Composites with error probability 2−s .
When Miller-Rabin answered that n is possibly prime after s iterations, what is the probability (confidence) that n is prime? It is not 1 − 2−s . It is 1 − Prob(A|B). See pp.185–186 of
Stinson. (s = 50 ∼ 100)
References
[An] D. Angluin, Lecture notes on the complexity of some problems in number theory, Technical
Report, Yale University, 1982.
[Bu] D.M. Burton, Elementary Number Theory, 2nd ed., Wm. C. Brown Publishers, 1989.
[St]
D.R. Stinson, Cryptography Theory and Practice, 3rd ed., CRC, 2006.
14
