Number Theory and Cryptography: Basic Facts About Numbers and Cryptography, Study notes of Number Theory

The basics of number theory, including properties of integers, prime numbers, and factorization. It also introduces the concept of modular arithmetic and its applications in cryptography.

Typology: Study notes

2021/2022

Uploaded on 07/05/2022

barbara_gr


Unit NT: Number Theory and Cryptography

Section 1: Basic Facts About Numbers

In this section, we shall take a look at some of the most basic properties of $\mathbb{Z}$, the set of integers. We look at properties related to parity (even, odd), prime factorization, irrationality of square roots, and modular arithmetic.

First we recall some standard notation for sets of various basic types of numbers.

• $\mathbb{R}$ denotes the real numbers,
• $\mathbb{Z}$ denotes the integers,
• $\mathbb{Q}$ denotes the rational numbers (ratios of integers),
• $\mathbb{N}$ denotes the nonnegative integers (the "natural numbers"),
• $\mathbb{N}^+$ denotes the nonzero natural numbers (the positive integers),
• $\mathbb{N}^+_2$ denotes the set of natural numbers greater than or equal to 2.

Note that $\mathbb{R} - \mathbb{Q}$ is the set of irrational numbers.

Example 1 (Odd and even integers) A basic subdivision of $\mathbb{Z}$ is into the odd integers and the even integers. An element of $\mathbb{Z}$ is even if it is "of the form 2t," where t ∈ $\mathbb{Z}$. An element of $\mathbb{Z}$ is odd if it is not even. The odd integers are all of the form 2t + 1, where t ∈ $\mathbb{Z}$. (This should be proved, but we will not do so.) The phrase "of the form 2t" can be written precisely as

$$\forall n \in \mathbb{Z},\ (n \text{ is even}) \iff (\exists\, t \in \mathbb{Z} \text{ such that } n = 2t).$$

The most elementary mathematical facts about odd and even integers concern the closure properties.¹ Here is the closure property for multiplication:

The integers m and n are both odd if and only if mn is odd.

(Equivalently, by negating both sides of "if and only if," at least one of the integers m or n is even if and only if mn is even.)

To show the "only if" part, suppose that m and n are both odd, say m = 2j + 1 and n = 2k + 1. Then mn = 4jk + 2j + 2k + 1 = 2(2jk + j + k) + 1 is of the form 2t + 1 where t = 2jk + j + k. Thus, mn is odd. To show the "if" part, we use the inverse. Suppose that at least one of m or n is even.
Without loss of generality, we may suppose that m is even, say m = 2j. Then mn = 2jn is of the form 2t where t = jn. Thus, mn is even.

A similar statement for addition is that, for integers m and n, m + n is odd if and only if one of them is odd and the other is even.

¹ A function on S × S has the closure property on S if its image is contained in S. Here S is the odd integers and the function is multiplication.

From the closure property for multiplication of odd integers, you can prove by induction that for any k ≥ 1, and any integer m, $m^k$ is odd if and only if m is odd. Logically equivalent is that $m^k$ is even if and only if m is even. The fact that $m^k$ is odd if m is odd can also be proved using the binomial theorem, which you should have seen in high school:

$$(x + y)^k = \sum_{i=0}^{k} \binom{k}{i} x^i y^{k-i}.$$

Since m is odd, m = 2j + 1 for some integer j. Let x = 2j and y = 1. Written another way,

$$m^k = (2j + 1)^k = 1 + (2j)^1 \binom{k}{1} + (2j)^2 \binom{k}{2} + \cdots + (2j)^k \binom{k}{k}.$$

In this form $m^k$ is obviously 1 plus an even integer and hence odd.

Prime Numbers and Factorization

Most mathematicians would agree that the most important concept in number theory is the notion of a prime.

Definition 1 (Prime and composite numbers) A natural number n is prime if n ≥ 2 and the only divisors of n are n and 1. We denote the set of prime numbers by $\mathbb{P}$. An integer n ≥ 2 that is not prime is composite.

The number 2 is the smallest prime and the only even prime. The other primes less than 20 are 3, 5, 7, 11, 13, 17, 19.

Example 2 (Prime factorization of any integer n ≥ 2) Consider the integer 226512. It ends in 2 so it is divisible by 2. (We say that "n is divisible by m," indicated by the notation m | n, if n = qm for some integer q.) In fact, 226512/2 = 113256. We can divide by 2 again, 113256/2 = 56628; and again, 56628/2 = 28314; and again, 28314/2 = 14157. That's it. We can't divide by 2 anymore, so we have $226512 = 2^4 \times 14157$.
But, it is easy to check that 14157 is divisible by 3 to get 4719, which is again divisible by 3 to get 1573. That's it for dividing by 3, so we have $226512 = 2^4 \times 3^2 \times 1573$. Continuing in this manner, we end up with $226512 = 2^4 \times 3^2 \times 11^2 \times 13$. We have written 226512 as a product of primes. Also, the notation m ∤ n means that n is not divisible by m.

Can every integer greater than 1 be written as a product of primes? What about a single prime p? It is convenient to adopt the terminology that a single prime p is a product of one prime, itself.²

² We could go even further and say that 1 can also be written as an empty product. In fact, mathematicians do this: They say that an empty sum is 0 and an empty product is 1. You may think this strange, but you've already seen it with exponents: The notation $a^n$ stands for the product of n copies of a. Thus $a^0$ is the product of no copies of a, and you learned that we define $a^0 = 1$ when you studied exponents. This is done so that the rule $a^{n+m} = a^n a^m$ will work when n = 0.

There are some basic properties of irrational and rational numbers lurking beneath the surface here. If the product xy of two numbers is irrational, one of the numbers must be irrational. Equivalently (the contrapositive), if x and y are both rational, say x = a/b and y = c/d, then xy = ac/bd is rational. Likewise, if the sum x + y of two numbers is irrational, one of the numbers must be irrational (prove this). Some students think these statements mean that the product of two nonzero irrational numbers is irrational and the sum of two irrational numbers is irrational; both statements are false: $\sqrt{2} \times \sqrt{2} = 2$ and $(-\sqrt{2}) + \sqrt{2} = 0$. It is true, however, that if x ≠ 0 is rational and y is irrational, then the product xy is irrational. To prove this statement, use the contrapositive. If xy = a/b then y = a/(bx). Since x ≠ 0 is rational, say x = c/d, this implies that y = ad/(cb) is rational.
Example 4 (The rational numbers are countable) We want to show that we can create a list $a_1, a_2, a_3, \ldots$ such that every rational number appears on the list. We do this as follows:

Step 1. Start the list with 0, 1/1, −1/1 and set k = 3.
Step 2. Append to the list all rational numbers in reduced form where the sum of the numerator and denominator (ignoring signs) is k. Begin with the largest numerators and proceed to the smallest, listing positive numbers and then negative ones. (Thus, for k = 3 we append 2/1, 1/2, −1/2, −2/1 and for k = 4 we append 3/1, 1/3, −1/3, −3/1.)
Step 3. Increase k by one and go to Step 2.

The list begins

$a_1 = 0,\ a_2 = 1/1,\ a_3 = -1/1,$
$k = 3:\ a_4 = 2/1,\ a_5 = 1/2,\ a_6 = -1/2,\ a_7 = -2/1,$
$k = 4:\ a_8 = 3/1,\ a_9 = 1/3,\ a_{10} = -1/3,\ a_{11} = -3/1,$
$k = 5:\ a_{12} = 4/1,\ a_{13} = 3/2,\ a_{14} = 2/3,\ a_{15} = 1/4,\ a_{16} = -1/4,\ a_{17} = -2/3,\ a_{18} = -3/2,\ a_{19} = -4/1,$

Note that each rational number occurs exactly once in the list. In some sense, the number of rational numbers is the same as the number of positive integers since we have one rational number for each positive integer (the subscript of a)! Because we can form such a list, we say that the set of rational numbers is countable. More simply, people say that the rationals are countable.

Example 5 (The real numbers are not countable) We must show that it is impossible to form a list of the real numbers. How can we do this? We must show that, no matter what list of real numbers we have, there is some real number that is not on the list. Suppose we have a list $a_1, a_2, \ldots$ of real numbers. Let $d_k$ be the kth digit after the decimal point in $a_k$. For example, if $a_4 = 2.718281828\ldots$ (the number e), then $d_4 = 2$. If $d_k = 1$, let $b_k = 2$ and, if $d_k \ne 1$, let $b_k = 1$. Look at the number $r = 0.b_1 b_2 b_3 \ldots$. We claim it is not in the list. Why is this? Suppose someone claims, for example, that $a_{99} = r$. By definition, $d_{99}$ is the ninety-ninth digit of $a_{99}$ after the decimal point.
Since $b_{99} \ne d_{99}$, the numbers r and $a_{99}$ differ in their ninety-ninth digits. Thus $r \ne a_{99}$.

Arguments of this type are called diagonal arguments. Why is this? A picture can help. Here ∗ stands for a digit we are not interested in and we have dropped all the digits before the decimal points.

a1 = . d1  ∗   ∗   ∗   ∗   ∗  . . .
a2 = . ∗   d2  ∗   ∗   ∗   ∗  . . .
a3 = . ∗   ∗   d3  ∗   ∗   ∗  . . .
a4 = . ∗   ∗   ∗   d4  ∗   ∗  . . .
a5 = . ∗   ∗   ∗   ∗   d5  ∗  . . .

The digits $d_1, d_2, \ldots$ that we are changing appear in a diagonal pattern. The diagonal is not always so straightforward in a diagonal argument.

Remainders and Modular Arithmetic

We all know from elementary school that if we divide one integer x by another d > 0, we get a quotient q and a remainder r, where 0 ≤ r < d. In other words,

$$x = qd + r, \qquad 0 \le r < d.$$

For example, if x = 234 and d = 21, then q = 11 and r = 3. Thus, 234 = 11 × 21 + 3. There are 21 possible remainders that can be gotten by dividing some randomly chosen integer by 21. These remainders belong to the set {0, 1, 2, . . . , 20}. The set $\mathbb{Z}$ of all integers can be partitioned (divided up) into 21 subsets

21Z, 21Z + 1, 21Z + 2, . . . , 21Z + 20

according to these remainders. Note that, for a set S of numbers, aS + b = {as + b | s ∈ S}, so that 21Z + 4 = {. . . , −17, 4, 25, . . .}. We have just seen that 234 belongs to the subset 21Z + 3. (The set 21Z + 3 equals {3 + 21k | k = 0, ±1, ±2, . . . }.) For general d > 0, instead of d = 21, we get

dZ, dZ + 1, dZ + 2, . . . , dZ + (d − 1).

The sets dZ + j are called residue classes modulo d. If x = qd + r, 0 ≤ r < d, then we denote this fact by x modulo d = r or by x mod d = r. In this usage, "mod" is called a binary operation. Given any pair of integers x and d > 0, computing x mod d always results in some integer r, 0 ≤ r < d.
The word "mod" is also used to convey the information that "x and x′ belong to the same residue class mod d." The notation is x = x′ (mod d) or x ≠ x′ (mod d) to express the facts (respectively) that "x and x′ belong to the same residue class mod d," or, "x and x′ do not belong to the same residue class mod d." Often you will see ≡ used instead of = in these expressions. Because of the possible confusion between these two uses, we will use the C programming language notation for the binary operation. Let's summarize all this in a definition.

Definition 2 (Residue classes and "mod") Let d ≥ 2 be an integer. For 0 ≤ j < d the set dZ + j = {nd + j | n ∈ Z} is called a residue class modulo d. The notation "mod" is used in two ways:

• x = x′ (mod d). This means that x and x′ belong to the same residue class modulo d. In other words, when x and x′ are divided by d they have the same remainder. We say that x and x′ are equal modulo d (or mod d). For reasons we will learn later, this is referred to as "using mod as an equivalence relation." The notation x ≡ x′ (mod d) is also used to indicate that x and x′ are equal modulo d. If the value of d is clear, people often write x ≡ x′, omitting (mod d).
• x mod d = r or x % d = r. This means that when x is divided by d the remainder is r, where 0 ≤ r < d. Used this way, "mod" is a binary operator. To avoid confusion, we will use the C programming language notation r = x % d.

Since the two uses of "mod" involve different placement of "mod," you should not be confused as to which use is intended.

Example 6 (A fact about remainders) There is something important about remainders that they may not have discussed in elementary school. Suppose x = qd + r and x′ = q′d + r′. Then, subtracting and dividing by d gives

$$\frac{x - x'}{d} = \frac{(q - q')d + (r - r')}{d} = q - q' + \frac{r - r'}{d}.$$

Note that since 0 ≤ r < d and 0 ≤ r′ < d we must have 0 ≤ |r − r′| < d.
This means that the only way that $\frac{r - r'}{d}$ can be an integer is that |r − r′| = 0, or r = r′. This seems like a trivial point, but it is very important. It means that x and x′ have the same remainder when divided by d (i.e., belong to the same residue class mod d) if and only if d divides x − x′. For example, 7666 and 7652 belong to the same residue class modulo 7 since 7666 − 7652 = 14, which is 0 modulo 7.

The notation x = x′ (mod d) behaves like equality in many ways. The following theorem lists three of them.

Theorem 4 (Arithmetic with mod) The notation x = x′ (mod d) behaves like equality for addition, subtraction and multiplication. In other words, if x = x′ (mod d) and y = y′ (mod d) then

x + y = x′ + y′ (mod d), x − y = x′ − y′ (mod d) and xy = x′y′ (mod d).

We talk about addition modulo d or simply modular addition, and similarly for subtraction and multiplication. Notice that we did not say x/y = x′/y′ (mod d). It is not true in general. For example, 2 = 8 (mod 6) and 2 = 2 (mod 6) but 2/2 ≠ 8/2 (mod 6).

Proof: We prove addition. By definition x + y = x′ + y′ (mod d) means that (x + y) − (x′ + y′) is divisible by d. But

$$\frac{(x + y) - (x' + y')}{d} = \frac{(x - x') + (y - y')}{d} = \frac{x - x'}{d} + \frac{y - y'}{d}.$$

Exercises for Section 1

1.1. Prove the statement if true, otherwise find a counterexample.
(a) For all natural numbers x and y, x + y is odd if one of x and y is even and the other is odd.
(b) For all natural numbers x and y, if x + y is odd then one of x and y is even and the other is odd.
1.2. Prove the statement if true, otherwise find a counterexample.
(a) The difference of any two odd integers is odd.
(b) If the sum of two integers is even, one of them must be even.
1.3. Prove the statement if true, otherwise find a counterexample.
(a) The product of two integers is even if and only if at least one of them is even.
(b) The product of two integers is odd if and only if at least one of them is odd.
1.4.
Prove the statement if true, otherwise find a counterexample.
(a) For any integers m and n, $m^3 - n^3$ is even if and only if m − n is even.
(b) For any integers m and n, $m^3 - n^3$ is odd if and only if m − n is odd.
1.5. Prove the statement if true, otherwise find a counterexample.
(a) For all integers n > 2, $n^3 - 8$ is composite.
(b) For all integers n, $(-1)^n = -1$ if and only if n is odd.
1.6. Prove the statement if true, otherwise find a counterexample.
(a) ∀ n ∈ Z, $n^2 + n + 5$ is odd.
(b) ∀ n ∈ Z, $6(n^2 + n + 1) - (5n^2 - 3)$ is a perfect square.
(c) ∃ M > 0, ∀ n > M, ($n^2 - n + 11$ is prime).
(d) There is a unique prime p of the form $n^2 + 2n - 3$.
1.7. Prove the statement if true, otherwise find a counterexample.
(a) For all integers n > 0, either n is a perfect square, or n = x + y where x and y are perfect squares, or n = x + y + z where x, y, and z are perfect squares.
(b) The product of four consecutive positive integers is never a perfect square.
1.8. Prove the statement if true, otherwise find a counterexample.
(a) For all distinct positive integers m and n, either $m^{1/2} + n^{1/2}$ and $m^{1/2} - n^{1/2}$ are both rational or both irrational. Hint: Consider $(m^{1/2} + n^{1/2})(m^{1/2} - n^{1/2})$.
(b) For all distinct positive integers, if either $m^{1/2} + n^{1/2}$ or $m^{1/2} - n^{1/2}$ is rational then both m and n are perfect squares.
(c) For all distinct positive integers m and n, both m and n are perfect squares if and only if $m + 2m^{1/2}n^{1/2} + n$ is a perfect square.
(d) Which of (a), (b) and (c) are true if m ≠ n is changed to m = n?
1.9. Prove that an integer n > 1 is composite if and only if p divides n for some prime p ≤ $n^{1/2}$.
1.10. Write the following rational numbers as the ratio a/b of two integers a and b > 0.
(a) 3.1415 (b) 0.30303030 . . . (c) 6.32152152152152 . . .
1.11. Let x ∈ R satisfy the equation $\frac{ax + b}{cx + d} = 1$ where a, b, c, and d are rational. Is x rational? Explain.
1.12.
In each case, if the statement is true, prove it; if false, give a counterexample.
(a) The sum of three consecutive integers is zero (mod 3).
(b) The product of two even integers is zero (mod 4).
(c) An integer is divisible by 16 only if it is divisible by 8.
(d) For all odd integers n, 3n + 3 is divisible by 6.
1.13. In each case, if the statement is true, prove it; if false, give a counterexample.
(a) ∀ a, b, c ∈ Z, if a | b then a | bc.
(b) ∀ a, b, c ∈ Z, if a | b and b | c, then a | c.
(c) ∀ a, b, c ∈ Z, if a | c then ab | c.
1.14. In each case, if the statement is true, prove it; if false, give a counterexample.
(a) ∀ a, b, c ∈ Z, if a | (b + c) then a | b and a | c.
(b) ∀ a, b, c ∈ Z, if a | bc then a | b or a | c.
(c) ∀ a, b ∈ Z, if a | b then $a^2 \mid b^2$.
(d) ∀ a, b ∈ Z, if a | 6b then a | 6 or a | b.
1.15. In each case, factor the given number into a product of powers of distinct primes.
(a) 1404. (b) 9702. (c) 89250.
1.16. Let $n = p_1^{e_1} \cdots p_k^{e_k}$ be the factorization of n into powers of distinct primes. Let m ≥ 1 be an integer.
(a) What is the factorization of $n^m$ into powers of distinct primes?
(b) If s > 0 is an integer but $s^{1/m}$ is not, must $s^{1/m}$ be irrational? Explain your answer.
1.17. In each case, factor the given number into a product of powers of distinct primes. Recall that n! = n(n − 1)(n − 2) · · · 1 is the product of the first n integers.
(a) 20!. How many terminal zeros in this number?
(b) $(20!)^2$. How many terminal zeros in this number?
(c) $(20!)^3$. How many terminal zeros in this number?
1.18. Prove that if x is a nonzero natural number then 3 | x if and only if 3 divides the sum of the decimal digits of x.
1.19. Prove or give a counterexample: The product of any four consecutive integers is equal to 0 (mod 8).
1.20. Prove that, for all integers n > 1, $n^2 - 3 \ne 0$ (mod 4).
1.21. Prove that, for all odd integers n, $n^4 = 1$ (mod 16).
1.22.
If m − n has remainder 0 when divided by d, does that mean that m and n each have the same remainder when divided by d? Support your answer by giving a counterexample or a proof.
1.23. For all integers m, n, a, b, if m mod d = a and n mod d = b, does that mean that (m + n) mod d = a + b?
1.24. (a) Prove: If j = k (mod d), then dZ + j = dZ + k. (b) Prove: If j ≠ k (mod d), then (dZ + j) ∩ (dZ + k) is the empty set.
1.25. If a > 0, $\log_a(x)$ is the unique number such that $a^{\log_a(x)} = x$.
(a) Suppose that p and q are two different primes. Prove that $\log_p(q)$ is irrational.
(b) Is the result in (a) true if p and q are allowed to be composite numbers? Justify your answer.
(c) For integers k and m, prove that $\log_a(b) = k/m$ if and only if $a^k = b^m$.
1.26. In each case, if the statement is true, prove it; if false, give a counterexample.

Section 2: Cryptography and Secrecy

Example 10 (Industrial espionage) Let's return to our factories that have been happily communicating secretly with each other. Suppose Joe, who does industrial espionage for a competitor, is able to intercept the ciphertext as it passes over the internet. He wants to know what orders are being placed; that is, he wants to find the plaintext. (He knows how to interpret the plaintext since lots of people at factories A and B know what it means.) Joe manages to get an employee to place a fake order, say 11110000.

11110000 plaintext
11000111 key K
00110111 ciphertext

Joe intercepts the ciphertext and adds it to the plaintext as follows:

00110111 ciphertext
11110000 plaintext
11000111 key K

Now Joe has the key. Clever guy!

Except that the key and messages are much longer and the function $f_K$ is not so simple, this sort of stuff goes on in the real world all of the time. For example, K might be anywhere from 64 to 128 bits, so there are anywhere from $2^{64}$ to $2^{128}$ possibilities for K.

You might ask why Joe didn't just get an employee to tell him the key. The key is in the computer program.
Only a few people, if any, know what it is. Well then, how did Joe know that $f_K$ was plaintext plus key? In the real world, people use standard encryption algorithms (i.e., standard functions) that are public knowledge. When your computer browser is in secure mode, it is using a standard algorithm that Joe knows about.

How can a company prevent Joe from getting their secrets this way? When we're thinking about this, we should imagine that the key is longer (64 to 128 bits) and that the plaintext is much longer. Here are some possibilities.

• Make it harder for Joe to get K.
  ◦ We could improve employee loyalty. This may be difficult. A more reliable solution would be preferred.
  ◦ We could invent an encryption system so that, even with plaintext and ciphertext, it is hard for Joe to compute K. Later, we'll discuss a way to do this.
• Change K frequently.
  ◦ Sending out a new K may be feasible with two factories. It's much harder if there are a hundred — there are logistic and security problems. Why can't we simply encrypt the new K and send it out? Because, if Joe has the old K, he can read the message and get the new one.
  ◦ When two computers want to communicate, have them decide on a K for that communication. This sounds impossible since Joe could eavesdrop. Later, we'll discuss a way to do this.
• Make Joe's knowledge of K useless.
  ◦ We could invent an encryption system so that, even with K and ciphertext, it is hard for Joe to compute plaintext without some additional (secret) information. Later, we'll discuss a way to do this.

The gcd, lcm and φ Functions

We now discuss some number theory functions that are important in cryptography. After we understand them, we'll use them in the Diffie-Hellman and RSA protocols.

Definition 3 (Greatest common divisor and least common multiple) If k, n and n/k are integers, we write k | n (read "k divides n") and we call k a divisor of n and we call n a multiple of k.
The greatest common divisor of m and n is the largest (positive) k such that k is a divisor of m and k is a divisor of n. It is denoted by gcd(m, n). The least common multiple of m and n is the smallest positive integer k such that k is a multiple of m and k is a multiple of n. It is denoted by lcm(m, n).

For example, if m = 6, its positive divisors are 1, 2, 3 and 6. Its positive multiples are 6, 12, 18, . . . The greatest common divisor of 6 and 9 is 3, written gcd(6, 9) = 3. Similarly, lcm(6, 9) = 18.

The gcd(120, 26) = 2. It is also the case that 5 × 120 − 23 × 26 = 2. In other words, there are integers a = 5 and b = −23 such that am + bn = gcd(m, n) where m = 120 and n = 26. This is a fact that is true for any m and n. That is, we claim

Theorem 5 (The gcd as a linear combination) The greatest common divisor of m and n is a linear combination, with integral coefficients, of m and n.

Corollary (All common divisors) An integer k divides m and n if and only if it divides gcd(m, n).

Proof: We can see why this must be true without knowing how to compute the coefficients a and b. The set

S = {Am + Bn | A, B ∈ Z, Am + Bn > 0}

is a nonempty set of positive integers (since |m| ∈ S) and therefore has a least element (by common sense at this point). Let am + bn = L be this least element. Note that L | m. If not, we would have m = qL + r, 0 < r < L. Thus,

r = m − qL = m − q(am + bn) = (1 − qa)m − (qb)n ∈ S.

This would contradict the minimality of L since 0 < r < L. Similarly, L | n. Thus, L is a common divisor of m and n. Any integer x that is a common divisor of m and n divides any element Am + Bn of S and thus x | L. Thus, L = gcd(m, n) is the greatest common divisor of m and n. This proves that am + bn = gcd(m, n).

In the last couple of sentences of the previous paragraph, we concluded that, if x divides both m and n, then x | gcd(m, n). Conversely, suppose x | gcd(m, n). This means that x divides both m and n. This proves the corollary.
Example 11 (Some properties of gcd and lcm) Let n > 0 and m > 0 be positive integers and let

$$n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k} \quad\text{and}\quad m = p_1^{f_1} p_2^{f_2} \cdots p_k^{f_k}$$

be factorizations of n and m into primes where some of the exponents $f_i$ or $e_i$ may be zero (in order to make k and the list of $p_i$ the same for both factorizations). For example, $n = 6500 = 2^2 \times 5^3 \times 13$ and $m = 24696 = 2^3 \times 3^2 \times 7^3$ would, using this convention, be written as $n = 2^2 \times 3^0 \times 5^3 \times 7^0 \times 13^1$ and $m = 2^3 \times 3^2 \times 5^0 \times 7^3 \times 13^0$.

The following theorem is the general result of which this example is a special case. We will not prove it. You should think carefully about the example and make up some of your own until you see why the theorem is true.

Theorem 6 (Computing gcd and lcm) If $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ and $m = p_1^{f_1} p_2^{f_2} \cdots p_k^{f_k}$, then

$$\gcd(m, n) = p_1^{\min(e_1, f_1)} p_2^{\min(e_2, f_2)} \cdots p_k^{\min(e_k, f_k)} \quad\text{and}\quad \operatorname{lcm}(m, n) = p_1^{\max(e_1, f_1)} p_2^{\max(e_2, f_2)} \cdots p_k^{\max(e_k, f_k)}.$$

Applying this to $6500 = 2^2 \times 3^0 \times 5^3 \times 7^0 \times 13^1$ and $24696 = 2^3 \times 3^2 \times 5^0 \times 7^3 \times 13^0$ gives

$$\gcd(6500, 24696) = 2^2 \times 3^0 \times 5^0 \times 7^0 \times 13^0 = 4$$

and

$$\operatorname{lcm}(6500, 24696) = 2^3 \times 3^2 \times 5^3 \times 7^3 \times 13^1 = 40131000.$$

This is really pretty easy!

The theorem has various consequences.

• Every divisor $d = p_1^{d_1} p_2^{d_2} \cdots p_k^{d_k}$ of m and n has $d_i \le e_i$ and $d_i \le f_i$. Thus $d_i \le \min(e_i, f_i)$ and so d is also a divisor of gcd(m, n). That is, every common divisor of m and n is a divisor of gcd(m, n). (We also proved this in the process of proving Theorem 5.) Conversely, every divisor of gcd(m, n) is a common divisor of m and n.
• Similarly, every common multiple of m and n is a multiple of lcm(m, n). Conversely, every multiple of lcm(m, n) is a common multiple of m and n.
• gcd(m, n) lcm(m, n) = mn because $\min(e_i, f_i) + \max(e_i, f_i) = e_i + f_i$ and so the $p_i$ term in gcd(m, n) lcm(m, n) is
$$p_i^{\min(e_i, f_i)} p_i^{\max(e_i, f_i)} = p_i^{\min(e_i, f_i) + \max(e_i, f_i)} = p_i^{e_i + f_i} = p_i^{e_i} p_i^{f_i}.$$
• If d is a common divisor of m and n, then gcd(m/d, n/d) = gcd(m, n)/d.
In particular, when d = gcd(m, n), we have gcd(m/d, n/d) = 1. We omit the proof.

The one thing you have to do to use the previous method for computing greatest common divisors and least common multiples is to factor n and m into primes. That can be difficult for big numbers. This method for computing gcd and lcm is more of theoretical or conceptual interest than of practical interest. Commonly available software for your computer will compute the gcd and the lcm quickly and efficiently for most integers that you may be interested in, without having to factor the integers. In the next example, we discuss the method that the software uses.

Example 14 (Properties of the Euler φ function) We have noted that φ(12) = 4. Since gcd(1, 1) = 1, we have φ(1) = 1. For any prime p, we have φ(p) = p − 1 because gcd(k, p) = 1 for k = 1, 2, . . . , p − 1.

Suppose n = pq is the prime factorization of n and p ≠ q. We can list the positive integers less than n that are not relatively prime to n. There are two classes of such numbers. The q multiples of p: p, 2p, 3p, . . . , qp and the p multiples of q: q, 2q, 3q, . . . , pq. Except for qp = pq, these two lists have no numbers in common (why?). Thus, the total number of positive integers less than or equal to n that are not relatively prime to n is q + p − 1. Thus, the number of numbers less than or equal to n = pq that are relatively prime to n is pq − (p + q − 1) = (p − 1)(q − 1).

The set of numbers less than n that are relatively prime to n has a name. It is called the group of units of n and the numbers in that set are called units. The reason for this name is beyond the scope of our course, but does not involve difficult concepts.

The Euler φ function and the group of units come into computer science in connection with computer security. It is the basis for a certain type of encryption known as RSA (discussed below) and is used in a common encryption protocol called PGP (Pretty Good Privacy).
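The following block is an added example, not code from the lecture notes: it turns Example 2's repeated division into a factoring routine, computes gcd and lcm from exponents as in Theorem 6, and then runs the extended Euclidean algorithm, which produces the Theorem 5 coefficients (and modular inverses, the missing "division" of Theorem 4) without factoring anything. All function names are this example's own.

```python
# Added example, not from the lecture notes: Example 2's repeated division
# as a factoring routine, Theorem 6's min/max-of-exponents gcd and lcm,
# and the extended Euclidean algorithm, which finds the coefficients of
# Theorem 5 (and modular inverses) without factoring anything.

def factorize(n):
    """Return {prime: exponent} for n >= 2 by trial division."""
    if n < 2:
        raise ValueError("need n >= 2")
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:              # divide out d as often as possible
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2        # after 2, only odd candidates
    if n > 1:                          # the leftover cofactor is prime
        factors[n] = factors.get(n, 0) + 1
    return factors

def gcd_lcm_by_factoring(m, n):
    """Theorem 6: primes missing from one factorization get exponent 0."""
    fm, fn = factorize(m), factorize(n)
    g = l = 1
    for p in sorted(set(fm) | set(fn)):
        e, f = fm.get(p, 0), fn.get(p, 0)
        g *= p ** min(e, f)
        l *= p ** max(e, f)
    return g, l

def extended_gcd(m, n):
    """Return (g, a, b) with a*m + b*n == g == gcd(m, n).

    This is the Euclidean algorithm of exercises 2.5 and 2.6, run while
    tracking how each remainder is built from m and n.
    """
    old_r, r = m, n
    old_a, a = 1, 0
    old_b, b = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_a, a = a, old_a - q * a
        old_b, b = b, old_b - q * b
    if old_r < 0:                      # normalise sign for negative inputs
        old_r, old_a, old_b = -old_r, -old_a, -old_b
    return old_r, old_a, old_b

def mod_inverse(x, d):
    """The unit y with x*y = 1 (mod d), or None when gcd(x, d) != 1.

    This is why Theorem 4 has no division rule: dividing by x modulo d
    only makes sense when x is a unit, e.g. 2 has no inverse mod 6.
    """
    g, a, _ = extended_gcd(x, d)
    return a % d if g == 1 else None

if __name__ == "__main__":
    print(factorize(226512))                  # {2: 4, 3: 2, 11: 2, 13: 1}
    print(gcd_lcm_by_factoring(6500, 24696))  # (4, 40131000)
    print(extended_gcd(120, 26))              # (2, 5, -23)
    print(mod_inverse(5, 12), mod_inverse(2, 6))
```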
The key property that makes the group of units useful in this context is that $a^{\varphi(n)} = 1$ (mod n) whenever a is a unit. We won't prove this fact, but let's look at an example. Suppose n = 12. We know that φ(12) = 4 and that the units are {1, 5, 7, 11}. Clearly $1^{\varphi(12)} = 1$ (mod 12). What about the other units? We have $5^2 = 25 = 1$ (mod 12). Thus $5^4 = 1^2 = 1$ (mod 12). We could do the same calculations for 7 and 11. Here's another way. Since 7 = −5 (mod 12), $7^4 = (-1)^4 5^4 = 5^4 = 1$ (mod 12). Likewise, 11 = −1 (mod 12) and so $11^4 = (-1)^4 = 1$ (mod 12).

You may have noticed that $a^2 = 1$ (mod 12) for all units a. There's no guarantee that φ(n) is the least power for which $a^{\varphi(n)} = 1$ (mod n) for all units a.

If n = pq then, since φ(n) = (p − 1)(q − 1), this property becomes

$$m^{(p-1)(q-1)} = 1 \pmod{pq} \quad\text{when } \gcd(m, pq) = 1.$$

This fact will be important in our discussion of the RSA protocol.

Cryptography on the Internet

Suppose two people — Alice and Bob — wish to communicate secretly, but anyone can eavesdrop on their conversation. How can they do this? We already saw in Example 9 how they could do this, and we saw how some problems could arise because of espionage. There's another problem we haven't mentioned. What if Alice and Bob don't have a secret key K that they both know? Cryptography on the internet addresses this. It uses "public-information algorithms": No prior secret communication between Alice and Bob is needed — it's all done publicly. There are two approaches in use.

• Somehow Alice and Bob can develop a secret key even though someone is eavesdropping on their conversation. In this process, Alice and Bob usually play similar roles and so this is known as symmetric encryption.
• Alice can make known to the world data that allows people to encrypt messages to send to her but makes it hard for people other than Alice to decrypt them. Bob can do the same.
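Here is an added example (not from the lecture notes) that computes φ(n) and the group of units straight from the definitions in Example 14, checks $a^{\varphi(n)} = 1$ (mod n) for every unit, and finds the least exponent that works for all units, which for n = 12 is 2 rather than φ(12) = 4. The function names are this example's own.

```python
# Added example, not from the lecture notes: Euler's phi computed straight
# from the definition in Example 14, the group of units, the (p-1)(q-1)
# formula for n = pq, and a check of a^phi(n) = 1 (mod n) for every unit.
# It also finds the least exponent that works for all units, which for
# n = 12 is 2, smaller than phi(12) = 4 as the text points out.

from math import gcd

def units(n):
    """The group of units of n: positive integers below n coprime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def phi(n):
    """Euler's phi; phi(1) = 1 by the notes' convention."""
    return 1 if n == 1 else len(units(n))

def phi_of_two_primes(p, q):
    """phi(pq) = (p-1)(q-1) for distinct primes p and q (Example 14)."""
    return (p - 1) * (q - 1)

def non_units_of_pq(p, q):
    """The q multiples of p and the p multiples of q up to pq, with the
    shared element pq counted once: p + q - 1 numbers in all."""
    return sorted(set(range(p, p * q + 1, p)) | set(range(q, p * q + 1, q)))

def euler_holds(n):
    """True iff a^phi(n) % n == 1 for every unit a of n."""
    e = phi(n)
    return all(pow(a, e, n) == 1 for a in units(n))

def least_universal_exponent(n):
    """Smallest k >= 1 with a^k = 1 (mod n) for all units a.

    Divides phi(n) but can be strictly smaller (n = 12 gives 2).
    """
    us = units(n)
    k = 1
    while not all(pow(a, k, n) == 1 for a in us):
        k += 1
    return k

if __name__ == "__main__":
    print(units(12), phi(12), euler_holds(12))        # [1, 5, 7, 11] 4 True
    print(least_universal_exponent(12))               # 2
    print(phi(35), phi_of_two_primes(5, 7))           # 24 24
```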
Since this information (the key) is publicly known, this approach is called public key cryptography.

These approaches depend on what are called trapdoor functions. A trapdoor function is an invertible function g such that, given g(x), it is hard to compute x. Such functions are also called one-way functions, but this is a bit misleading since it suggests that g is not invertible. We will discuss protocols that use two different trapdoor functions.

Example 15 (Discrete logs and better encryption) There are many ways to design a system such that, knowing the plaintext and ciphertext, it is still hard to recover the key. The method we describe here is not actually used, but it lays some of the groundwork for our next example.

If you use your calculator, you can easily compute $11^7 = 19487171$. If you know that 19487171 is of the form $11^x$, for some x, you can equally well use your calculator to get x. From high school, you should remember that $x = \log_{11}(19487171)$. Probably, you would do that calculation using the LOG or LN button on your calculator as follows: LOG(19487171)/LOG(11) = 7. In any case, it is pretty easy. But, a seemingly innocent modification makes this sort of calculation very difficult in many cases. If we compute $11^t \,\%\, 163$ for t = 0, 1, . . . , 161, we get each of the numbers 1, 2, . . . , 162 exactly once — but they are in a mixed up order. Instead of $11^7$, let's compute $11^7 \,\%\, 163$. The answer is 32. Now it's not so easy to solve the equation $32 = 11^x \,\%\, 163$ for x even though we know there is a unique x between 0 and 161. For small numbers like these, it can be done by trying all 0 ≤ x < 162. But, for big numbers with hundreds of digits, it seems to be all but impossible by any presently available methods. This problem of recovering an exponent from an exponentiated expression after it has been reduced modulo some number is called the discrete logarithm problem and the exponent is called the discrete logarithm.
Here is how we might use discrete logarithms to make it very hard for Joe's espionage when Alice and Bob have a secret key K. We choose a large modulus p that never changes. When someone wants to send a message P, the computer chooses a "base" b at random and computes $b^K \,\%\, p$. Call the result of this computation L. The computer uses L to encrypt P by whatever method is being used for encryption. Thus, the computer obtains $f_L(P) = C$. It sends b and C. The computer at the other end computes $b^K \,\%\, p$ to obtain L and uses it to decrypt the message.

What can the spy Joe do? Suppose the encryption method is the one used in Example 10: We simply write L as a binary number and add it bitwise to the message P. Since the modulus p is fixed, we'll assume Joe knows what it is. As before, Joe gets his friend to send a message, so he has P, C and b for this particular message — call them $P_1$, $C_1$ and $b_1$. From $P_1$ and $C_1$, Joe recovers $L_1$. Later, someone else sends a message $P_2$. The computer chooses a random $b_2$, computes $b_2^K \,\%\, p = L_2$ and $C_2$. By eavesdropping Joe gets $b_2$ and $C_2$.

• To decrypt the message, Joe needs to find $L_2$ so that he can add it bitwise to $C_2$.
• To get $L_2$ he needs K because $L_2 = b_2^K$ (mod p) and he knows $b_2$.
• To get K he needs to solve the discrete log problem because he has $b_1$ and $L_1$ and $b_1^K = L_1$ (mod p).

This is too hard, so Joe gives up.

There was nothing special about adding L bitwise to P. Whatever method was used, Joe would still want to recover K and so would need to carry out the steps in the previous paragraph.

Suppose the values of b and p are known and fixed. The function g, defined by $g(n) = b^n \,\%\, p$, is thought to be a trapdoor function. Finding n from g(n) is referred to as computing the discrete log of $b^n$. As remarked in the previous example, computing the discrete log is believed to be very difficult. Thus g is believed to be a trapdoor function.
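The two toy schemes just discussed, side by side, as an added example that is not from the lecture notes: the fixed 8-bit XOR key of Example 10, where one known plaintext hands the eavesdropper the key, and the per-message mask $L = b^K \,\%\, p$ of Example 15, where the same trick yields only that message's L. The modulus 163 is the notes' toy value; the second message, its base and the function names are this example's own choices.

```python
# Added example, not from the lecture notes. Two toy schemes side by side:
# Example 10, where one fixed 8-bit key is XORed into every order, and
# Example 15, where each message gets its own mask L = b^K % p from a fresh
# base b. In the first, one known plaintext hands Joe the key; in the
# second it hands him only that message's L, and L1 says nothing about L2.
# p = 163 is the notes' toy modulus; bases and messages here are made up.

import secrets

TOY_P = 163

def xor_bits(x, y, width=8):
    """Bitwise addition mod 2 on width-bit values (the notes' tables)."""
    return (x ^ y) & ((1 << width) - 1)

def recover_reused_key(plaintext, ciphertext):
    """Example 10: a known (P, C) pair of a fixed-key XOR cipher yields K."""
    return xor_bits(plaintext, ciphertext)

def choose_base(p=TOY_P):
    """A fresh random base b for each message, 2 <= b <= p - 2."""
    return 2 + secrets.randbelow(p - 3)

def message_mask(base, long_term_key, p=TOY_P):
    """L = b^K % p, the per-message mask of Example 15."""
    return pow(base, long_term_key, p)

def encrypt_masked(plaintext, base, long_term_key, p=TOY_P):
    """Sender: derive L from (b, K) and put (b, C) on the wire."""
    return base, xor_bits(plaintext, message_mask(base, long_term_key, p))

def decrypt_masked(base, ciphertext, long_term_key, p=TOY_P):
    """Receiver: recompute L from the received b and the shared K."""
    return xor_bits(ciphertext, message_mask(base, long_term_key, p))

def eavesdropper_view(p1, c1, c2):
    """What Joe can compute without K: L1 from the known-plaintext
    message, and the (wrong) result of applying L1 to message 2."""
    l1 = xor_bits(p1, c1)
    return l1, xor_bits(c2, l1)

if __name__ == "__main__":
    # Example 10 with the notes' numbers: the key falls out of one pair.
    print(recover_reused_key(0b11110000, 0b00110111) == 0b11000111)  # True
    # Example 15 with K = 7 and b1 = 11, so L1 = 11^7 % 163 = 32.
    b1, c1 = encrypt_masked(0b11110000, 11, 7)
    b2, c2 = encrypt_masked(0b10101010, 5, 7)     # constructed 2nd message
    l1, guess = eavesdropper_view(0b11110000, c1, c2)
    print(l1, guess == 0b10101010)                # 32 False
```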
Suppose Alice and Bob want to communicate over the internet in secrecy, but have no shared key K. They must somehow construct K even though Joe can read their communications.

Example 16 (Diffie-Hellman: a symmetric key-exchange protocol) Here is how two computers can use the difficulty of the discrete log problem to generate a key K that they will share. Everyone agrees on a modulus p that is built into a program all computers can use. They also agree on a base b. Thus everyone, including the spy Joe, knows p and b. For purposes of illustration, we take p = 163 and b = 11. The values actually used on the internet are much bigger.

We call the two computers that want to communicate A and B. Computer A chooses, in secret, a random number s with 1 < s < p − 1. Let us say 13 is chosen by A. Then A computes b^s % p = S and sends S to computer B. In our example, S = 19 since 11^13 % 163 = 19. Meanwhile, B carries out the same process, choosing t and computing T, which it sends to A. Let us say B chooses t = 23. Thus B computes[5] T = 11^23 % 163 = 116.

Where are we now? Both computers and the spy Joe know that S = 19 and T = 116. Only computer A knows that s = 13 and only computer B knows that t = 23. In general, the public information is b, p, S and T; however, s and t are not public information since they were never sent over the internet.

What do the computers do now? Computer A uses its secret number s and computes T^s % p = K. In our case, 116^13 % 163 = 154, so K = 154. Likewise, B computes S^t % p = K, which is 19^23 % 163 = 154 in our case. That's amazing: A and B have the same number! Why is this? With all calculations modulo p, we have

T^s = (b^t)^s = b^(ts) = (b^s)^t = S^t (mod p).

Where does this leave Joe? The obvious way for him to get the key is to find either s or t, since he already knows S and T. To find s, he needs to solve the discrete log problem b^s = S (mod p). Likewise for T. Maybe there is a clever way for Joe to get K easily from b, p, S and T.
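The exchange of Example 16 run end to end with the text's numbers (p = 163, b = 11, s = 13, t = 23), as an added example rather than code from the text. Both sides' computations are shown, together with the identity T^s = S^t (mod p) that makes the keys agree. The range check on a received public value is an added sanity check, not something the example describes: if S or T were 1 or p − 1, the resulting key would be 1 or p − 1 regardless of the secret, so a real implementation refuses such values. Function names are this example's own.

```python
# Added example for Example 16: Diffie-Hellman key agreement with the text's
# toy parameters. Real deployments use a much larger prime p.
import secrets

P = 163  # public modulus from Example 16
B = 11   # public base from Example 16


def choose_secret(p: int) -> int:
    """Random secret exponent s with 1 < s < p - 1, as the text requires."""
    return secrets.randbelow(p - 3) + 2          # uniform over 2 .. p-2


def public_value(secret: int, p: int = P, b: int = B) -> int:
    """What a computer sends: b^secret % p."""
    return pow(b, secret, p)


def shared_key(other_public: int, secret: int, p: int = P) -> int:
    """What a computer keeps: (other side's public value)^secret % p."""
    # Added check (not in the text): a public value of 1 or p-1 would force the
    # key to 1 or p-1 no matter which secret we hold, so reject it outright.
    if not 1 < other_public < p - 1:
        raise ValueError("degenerate public value")
    return pow(other_public, secret, p)


def run_exchange(s: int, t: int, p: int = P, b: int = B):
    """Return (S, T, key_at_A, key_at_B) for secrets s (computer A) and t (B).

    Joe sees only b, p, S and T; s and t never leave their own machines.
    """
    S = public_value(s, p, b)          # A -> B
    T = public_value(t, p, b)          # B -> A
    key_a = shared_key(T, s, p)        # A computes T^s % p
    key_b = shared_key(S, t, p)        # B computes S^t % p
    return S, T, key_a, key_b


def keys_agree(s: int, t: int, p: int = P, b: int = B) -> bool:
    """The algebraic reason the protocol works: (b^t)^s == (b^s)^t (mod p)."""
    return pow(pow(b, t, p), s, p) == pow(pow(b, s, p), t, p)


if __name__ == "__main__":
    print(run_exchange(13, 23))        # (19, 116, 154, 154)
    s, t = choose_secret(P), choose_secret(P)
    _, _, ka, kb = run_exchange(s, t)
    print(ka == kb)                    # True for any choice of s and t
```

With p = 163, Joe could recover s by trying all 162 candidate exponents, which is the point of Example 15; the protocol relies on that search being out of reach for the moduli actually used.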
At the present time, nobody knows of any such method, so Joe is stuck.

[5] The following computations and others like it can be done by using software packages such as GNU-MP, Maple® and Mathematica®. If you have to do it on a pocket calculator, it's best to do it in steps taking advantage of the properties of modular arithmetic.

2.5. Using the Euclidean algorithm, find A and B such that Am + Bn = gcd(m, n) where m = 59400 and n = 16200.

2.6. Using the Euclidean algorithm, find A and B such that Am + Bn = gcd(m, n) where m = 163 and n = 86.

2.7. Prove that gcd(a, b) divides lcm(a, b).

2.8. In each case find lcm(120, 108) (a) by prime factorization and (b) by the Euclidean algorithm.

2.9. Suppose a and b are positive integers. Prove directly from the definition of the least common multiple that a | b if and only if lcm(a, b) = b.

2.10. Following Example 16, suppose p = 163, b = 11. Computer A still chooses 13, but B chooses 15 instead of 23. What is the common key that results?

2.11. Suppose that, in Example 16, one of the computers chooses 1. Explain how the spy Joe can detect that and get their shared key.

*2.12. Suppose that N is a prime in the RSA protocol of Example 17. How can the spy Joe find the message M if he has e, N and the encrypted message M^e % N = C?

*2.13. Using the same numbers as in Example 17, decrypt the message 2.

*2.14. Consider the RSA protocol (Example 17). Suppose that N = 5 × 13 and e = 7. What is d?

*2.15. Consider the RSA protocol (Example 17). Explain why d and e must both be chosen to be odd.

Multiple Choice Questions for Review

In each case there is one correct answer (given at the end of the problem set). Try to work the problem first without looking at the answer. Understand both why the correct answer is correct and why the other answers are wrong.

1. "If k > 1 then 2^k − 1 is not a perfect square." Which of the following is a correct proof?
(a) If 2^k − 1 = n^2 then 2^(k−1) − 1 = (n − 1)^2 and (n^2 + 1)/((n − 1)^2 + 1) = 2^k/2^(k−1) = 2. But this latter ratio is 2 if and only if n = 1 or n = 3. Thus, 2^k − 1 = n^2 leads to a contradiction.
(b) If 2^k − 1 = n^2 then 2^k = n^2 + 1. Since 2 divides n^2, 2 does not divide n^2 + 1. This is a contradiction since obviously 2 divides 2^k.
(c) 2^k − 1 is odd and an odd number which is a perfect square can't differ from a power of two by one.
(d) 2^k − 1 is odd and an odd number can never be a perfect square.
(e) If 2^k − 1 = n^2 then n is odd. If n = 2j + 1 then 2^k − 1 = (2j + 1)^2 = 4j^2 + 4j + 1 which implies that 2^k, k > 1, is divisible by 2 but not by 4. This is a contradiction.

2. The repeating decimal number 3.14159265265265 . . . written as a ratio of two integers a/b is
(a) 313845111/99990000
(b) 313844841/99900000
(c) 313845006/99990000
(d) 313845106/99900000
(e) 313845123/99000000

3. Which of the following statements is true:
(a) A number is rational if and only if its square is rational.
(b) An integer n is odd if and only if n^2 + 2n is odd.
(c) A number is irrational if and only if its square is irrational.
(d) A number n is odd if and only if n(n + 1) is even.
(e) At least one of two numbers x and y is irrational if and only if the product xy is irrational.

4. Which of the following statements is true:
(a) A number k divides the sum of three consecutive integers n, n + 1, and n + 2 if and only if it divides the middle integer n + 1.
(b) An integer n is divisible by 6 if and only if it is divisible by 3.
(c) For all integers a, b, and c, a | bc if and only if a | b and a | c.
(d) For all integers a, b, and c, a | (b + c) if and only if a | b and a | c.
(e) If r and s are integers, then r | s if and only if r^2 | s^2.

5. For all N ≥ 0, if N = k(k + 1)(k + 2) is the product of three consecutive non-negative integers then for some integer s > k, N is divisible by a number of the form
(a) s^2 − 1
(b) s^2 − 2
(c) s^2
(d) s^2 + 1
(e) s^2 + 2

6. To one percent accuracy, the number of integers n in the list 0^4, 1^4, 2^4, . . . , 1000^4 such that n % 16 = 1 is
(a) 20 percent
(b) 50 percent
(c) 30 percent
(d) 35 percent
(e) 25 percent

7. Which of the following statements is TRUE:
(a) For all odd integers n, ⌈n/2⌉ = (n + 1)/2.
(b) For all real numbers x and y, ⌈x + y⌉ = ⌈x⌉ + ⌈y⌉.
(c) For all real numbers x, ⌈x^2⌉ = (⌈x⌉)^2.
(d) For all real numbers x and y, ⌊x + y⌋ = ⌊x⌋ + ⌊y⌋.
(e) For all real numbers x and y, ⌊xy⌋ = ⌊x⌋⌊y⌋.

8. Which of the following statements is logically equivalent to the statement, "If a and b ≠ 0 are rational numbers and r ≠ 0 is an irrational number, then a + br is irrational."
(a) If a and b ≠ 0 are rational and r ≠ 0 is real, then a + br is rational only if r is irrational.
(b) If a and b ≠ 0 are rational and r ≠ 0 is real, then a + br is irrational only if r is irrational.
(c) If a and b ≠ 0 are rational and r ≠ 0 is real, then r is rational only if a + br is rational.
(d) If a and b ≠ 0 are rational and r ≠ 0 is real, then a + br is rational only if r is rational.
(e) If a and b ≠ 0 are rational and r ≠ 0 is real, then a + br is irrational only if r is rational.

9. The number of primes of the form |n^2 − 6n + 5| where n is an integer is
(a) 0
(b) 1
(c) 2
(d) 3
(e) 4