SlideShare a Scribd company logo

wilson's and fermat little theorem .ppt

Download as PPT, PDF
J
JayLagman3

little theorem

Education
1 of 92
In particular, when p is a prime & k not a multiple of p, then gcd(k,p)=1. If i  j (mod p), then i·k  j·k (mod p) Therefore, k mod p, 2k mod p, …, (p-1)k mod p are all different numbers. Fermat’s Little Theorem Claim 1: Assume gcd(k,n) = 1. If i·k  j·k (mod n), then i  j (mod n). Claim 2: Assume gcd(k,n) = 1. If i  j (mod n), then i·k  j·k (mod n) . For example, when p=7 and k=3, 3 mod 7 = 3, 2·3 mod 7 = 6, 3·3 mod 7 = 2, 4·3 mod 7 = 5, 5·3 mod 7 = 1, 6·3 mod 7 = 4 Notice that in the above example every number from 1 to 6 appears exactly once.
In particular, when p is a prime & k not a multiple of p, then gcd(k,p)=1. If i  j (mod p), then i·k  j·k (mod p) Therefore, k mod p, 2k mod p, …, (p-1)k mod p are all different numbers. Fermat’s Little Theorem Each of ik mod p cannot be equal to 0, because p is a prime number Let ci = ik mod p. So 1 <= c1 <= p-1, 1 <= c2 <= p-1, …, 1< = cp-1 <= p-1 By the above we know that c1,c2,…,cp-2,cp-1 are all different. So for each i from 1 to p-1, there is exactly one cj such that cj = i. Therefore, we have (k mod p)·(2k mod p)·…·((p-1)k mod p) = c1·c2·…·cp-2·cp-1 = 1·2·3…·(p-2)·(p-1)
Fermat’s Little Theorem 1  kp-1 (mod p) Theorem: If p is prime & k not a multiple of p For example, when p=5, k=4, we have kp-1 mod p = 44 mod 5 = 1 “Proof” 4·3·2·1  [(4 mod 5) (2·4 mod 5) (3·4 mod 5) (4·4 mod 5)] (mod 5)  [4 · (2·4) · (3·4) · (4·4)] (mod 5)  [44 · (1·2·3·4)] (mod 5) Since gcd(1·2·3·4, 5)=1, we can cancel 1·2·3·4 on both sides. This implies 1  44 (mod 5) By the previous slide or direct calculation
Fermat’s Little Theorem 1  kp-1 (mod p) Theorem: If p is prime & k not a multiple of p Proof. 1·2···(p-1)  (k mod p · 2k mod p·…·(p-1)k mod p) mod p  (k·2k ··· (p-1)k) mod p  (kp-1)·1·2 ··· (p-1) (mod p) So, by cancelling 1·2 ··· (p-1) on both sides applying Claim 1 (we can cancel them because gcd(1·2 ··· (p-1), p)=1), we have 1  kp-1 (mod p) By 2 slides before By the multiplication rule
Wilson’s Theorem Theorem: p is a prime if and only if (p-1)!  -1 (mod p) First we consider the easy direction. If p is not a prime, assume p >= 5, (for p=4, 3!  2 (mod 4) ) Then p=qr for some 2 <= q < p and 2 <= r < p. If q ≠ r, then both q and r appear in (p-1)!, and so (p-1)!  0 (mod p). If q = r, then p = q2 > 2q (since we assume p > 5 and thus q > 2). then both q and 2q are in (p-1)!, and so again (p-1)!  0 (mod p).
Wilson’s Theorem Theorem: p is a prime if and only if (p-1)!  -1 (mod p) To prove the more interesting direction, first we need a lemma. Lemma. If p is a prime number, x2  1 (mod p) if and only if x  1 (mod p) or x  -1 (mod p) Proof. x2  1 (mod p) iff p | x2 - 1 iff p | (x – 1)(x + 1) iff p | (x – 1) or p | (x+1) iff x  1 (mod p) or x  -1 (mod p) Lemma: p prime and p|a·b iff p|a or p|b.
Wilson’s Theorem Theorem: p is a prime if and only if (p-1)!  -1 (mod p) Let’s get the proof idea by considering a concrete example. 10!  1·2·3·4·5·6·7·8·9·10 mod 11  1·10·(2·6)·(3·4)·(5·9)·(7·8) mod 11  1·-1·(1)·(1)·(1)·(1) mod 11  -1 mod 11 Besides 1 and 10, the remaining numbers are paired up into multiplicative inverse!
Wilson’s Theorem Theorem: p is a prime if and only if (p-1)!  -1 (mod p) Proof. Since p is a prime, every number from 1 to p-1 has a multiplicative inverse. By the Lemma, every number 2 <= k <= p-2 has an inverse k’ with k≠k’. Since p is odd, the numbers from 2 to p-2 can be grouped into pairs (a1,b1),(a2,b2),…,(a(p-3)/2,b(p-3)/2) so that aibi  1 (mod p) Therefore, (p-1)!  1·(p-1)·2·3·····(p-3)·(p-2) (mod p)  1·(p-1)·(a1b1)·(a2b2)·····(a(p-3)/2b(p-3)/2) (mod p)  1·(-1)·(1)·(1)·····(1) (mod p)  -1 (mod p)
Chinese Remainder Theorem Dec 29 Picture from http://img5.epochtimes.com/i6/801180520191974.jpg ……………………… ……………………… ……………………… ……………………… ……………………… ………………………
This Lecture In this lecture we will study the Chinese remainder theorem, which is a method to solve equations about remainders. • One equation • Ancient application • Two equations and three equations • Chinese Remainder theorem
Case Study ax  b (mod n) How to solve the following equation? 2x  3 (mod 7) For example, consider the equation Suppose there is a solution x to the equation, then there is a solution x in the range from 0 to 6, because we can replace x by x mod 7. Then we can see that x=5 is a solution. Also, 5+7, 5+2·7, 5+3·7, …, 5-7, 5-2·7…, are solutions. Therefore the solutions are of the form 5+7k for some integer k.
One Equation ax  b (mod n) How to solve the following equation? 2x  3 (mod 7) 5x  6 (mod 9) 4x  -1 (mod 5) 4x  2 (mod 6) 10x  2 (mod 7) 3x  1 (mod 6) x = 5 + 7k for any integer k x = 3 + 9k for any integer k x = 1 + 5k for any integer k x = 2 + 3k for any integer k x = 3 + 7k for any integer k no solutions
One Equation: Relatively Prime Case 1: a and n are relatively prime ax  b (mod n) Without loss of generality, we can assume that 0 < a < n. Because we can replace a by a mod n without changing the equation. e.g. 103x  6 (mod 9) is equivalent to 4x  6 (mod 9). Since a and n are relatively prime, there exists a multiplicative inverse a’ for a. Hence we can multiply a’ on both sides of the equation to obtain x  a’b (mod n) Therefore, a solution always exists when a and n are relatively prime.
One Equation: Common Factor Case 2: a and n have a common factor c>=2. ax  b (mod n) Case 2a: c divides b. ax  b (mod n)  ax = b + nk for some integer k  a1cx = b1c + n1ck  a1x = b1 + n1k  a1x  b1 (mod n1) In Case (2a) we can simplify the equation, and solve the new equation instead. we assume c|a and c|n and also c|b.
One Equation: Common Factor Case 2: a and n have a common factor c>=2. ax  b (mod n) Case 2b: c does not divides b. ax  b (mod n)  ax = b + nk for some integer k  a1cx = b + n1ck  a1x = b/c + n1k This is a contradiction, since a1x and n1k are integers, but b/c is not an integer since c does not divide b. Therefore, in Case 2b, there is no solution.
One Equation Theorem. Let a, b, n be given integers. The above equation has a solution if and only if gcd(a,n) | b. Furthermore, if the condition gcd(a,n) | b is satisfied, then the solutions are of the form y mod (n/gcd(a,n)) for some integer y. ax  b (mod n) Proof. First, divide b by gcd(a,n). If not divisible, then there is no solution by Case (2b). If divisible, then we simplify the solution as in Case (2a). Then we proceed as in Case (1) to compute the solution.
One Equation: Exercise 87x  3 (mod 15) no solutions Replace 87 by 87 mod 15 12x  3 (mod 15) Divide both sides by gcd(12,15) = 3 4x  1 (mod 5) Compute the multiplicative inverse of 4 modulo 5 x  4 + 5k 114x  5 (mod 22) Replace 114 by 114 mod 22 4x  5 (mod 22) Divide both sides by gcd(4,22) = 2 Because 2 does not divide 5. Important: to be familiar with the extended Euclidean algorithm to compute gcd and to compute multiplicative inverse.
Example: n = 123, k=37 123 = 3·37 + 12 so 12 = n - 3k 37 = 3·12 + 1 so 1 = 37 – 3·12 = k – 3(n-3k) = 10k - 3n 12 = 12·1 + 0 done, gcd=1 Computing Multiplicative Inverse So 1 = 10k-3n. Then we know that 10 is the multiplicative inverse of 37 under modulo 123.
This Lecture • One equation • Ancient application • Two equations and three equations • Chinese Remainder theorem
Ancient Application of Number Theory Starting from 1500 soldiers, after a war, about 400-500 soldiers died. 韓信 Now we want to know how many soldiers are left. Form groups of 3 soldiers
Ancient Application of Number Theory ……………………… ……………………… ……………………… ……………………… ……………………… ……………………… There are 2 soliders left. Form groups of 5 soldiers
Ancient Application of Number Theory ……………………… ……………………… ……………………… ……………………… ……………………… There are 3 soliders left. Form groups of 7 soldiers
Ancient Application of Number Theory ……………………… ……………………… ……………………… ……………………… ……………………… ……………………… ……………………… There are 2 soliders left. We have 1073 soliders. How could he figure it out?!
The Mathematical Question x  2 (mod 3) x  3 (mod 5) x  2 (mod 7) 1000 <= x <= 1100 + x = 1073 How to solve this system of modular equations?
This Lecture • One equation • Ancient application • Two equations and three equations • Chinese Remainder theorem
Two Equations c1 x  d1 (mod m1) c2 x  d2 (mod m2) x  a1 (mod n1) x  a2 (mod n2) Find a solution to satisfy both equations simultaneously. First we can solve each equation to reduce to the following form. (Of course, if one equation has no solution, then there is no solution.) There may be no solutions simultaneously satisfying both equations. For example, consider x  1 (mod 3), x  2 (mod 3). x  1 (mod 6), x  2 (mod 4).
Two Equations x  2 (mod 3) x  4 (mod 7) Case 1: n1 and n2 are relatively prime. x = 2+3u and x = 4+7v for some integers u and v. 2+3u = 4+7v => 3u = 2+7v => 3u  2 (mod 7) 5 is the multiplicative inverse for 3 under modulo 7 Multiply 5 on both sides gives: 5·3u  5·2 (mod 7) => u  3 (mod 7) => u = 3 + 7w Therefore, x = 2+3u = 2+3(3+7w) = 11+21w So any x  11 (mod 21) is the solution. Where did we use the assumption that n1 and n2 are relatively prime?
Two Equations x  2 (mod 3) x  4 (mod 7) Assume n1 and n2 are relatively prime. The original idea is to construct such an x directly. Let x = 3·a + 7·b Note that when x is divided by 3, the remainder is decided by the second term. And when x is divided by 7, the remainder is decided by the first term. More precisely, x mod 7 = (3·a + 7·b) mod 7 = 3a mod 7 Similarly, x mod 3 = (3·a + 7·b) mod 3 = 7b mod 3 Therefore, to satisfy the equations, we just need to find a such that 3a mod 7 = 4 and b such that 7b mod 3 = 2.
Two Equations x  2 (mod 3) x  4 (mod 7) Assume n1 and n2 are relatively prime. The original idea is to construct such an x directly. Let x = 3·a + 7·b Since 3 and 7 are relatively prime, both the equations can be solved. The first equation is 3a  4 (mod 7), and the answer is a=6. Similarly, the second equation is 7b  2 (mod 3), and the answer is b=2. So one answer is x = 3a+7b = 3(6)+7(2) = 32. Therefore, to satisfy the equations, we just need to find a such that 3a mod 7 = 4 and b such that 7b mod 3 = 2.
Two Equations x  2 (mod 3) x  4 (mod 7) Assume n1 and n2 are relatively prime. The original idea is to construct such an x directly. Let x = 3·a + 7·b So one answer is x = 3a+7b = 3(6)+7(2) = 32. Note that 32 + 3·7·k is also a solution to satisfy both equations. The only solutions are of the form 32 + 21k for some integer k. Are there other solutions? Are there other solutions?
Three Equations Let x = 5·7·a + 3·7·b + 3·5·c x  2 (mod 3) x  3 (mod 5) x  2 (mod 7) So the first (second, third) term is responsible for the first (second, third) equation. More precisely, x mod 3 = (5·7·a + 3·7·b + 3·5·c) mod 3 = 5·7·a mod 3 x mod 5 = (5·7·a + 3·7·b + 3·5·c) mod 5 = 3·7·b mod 5 x mod 7 = (5·7·a + 3·7·b + 3·5·c) mod 7 = 3·5·c mod 7 Therefore, to satisfy the equations, we want to find a,b,c to satisfy the following: x mod 3 = 35a mod 3 = 2 x mod 5 = 21b mod 5 = 3 x mod 7 = 15c mod 7 = 2
Three Equations Let x = 5·7·a + 3·7·b + 3·5·c x  2 (mod 3) x  3 (mod 5) x  2 (mod 7) So the first (second, third) term is responsible for the first (second, third) equation. Now we just need to solve the following three equations separately. 35a  2 (mod 3), 21b  3 (mod 5), 15c  2 (mod 7). This is equal to 2a  2 (mod 3), b  3 (mod 5), c  2 (mod 7) Therefore, we can set a = 1, b = 3, c = 2. Then x = 35a+21b+15c = 35(1)+21(3)+15(2) = 128. Note that 128+3·5·7·k = 128+105k is also a solution. Since 韓信 knows that 1000 <= x <= 1100, he concludes that x = 1073. Wait, but how does he know that there is no other solution?
This Lecture • One equation • Ancient application • Two equations and three equations • Chinese Remainder theorem
Chinese Remainder Theorem x  a1 (mod n1) x  a2 (mod n2) x  ak (mod nk) Theorem: If n1,n2,…,nk are relatively prime and a1,a2,…,ak are integers, then have a simultaneous solution x that is unique modulo n, where n = n1n2…nk. We will give a proof when k=3, but it can be extended easily to any k.
Proof of Chinese Remainder Theorem N1 = n2 n3 N1x1  1 (mod n1) Let x = a1N1x1 + a2N2x2 + a3N3x3 x  a1 (mod n1) Let N2 = n1 n3 N3 = n1 n2 Since Ni and ni are relatively prime, this implies that there exist x1 x2 x3 N2x2  1 (mod n2) N3x3  1 (mod n3) So, a1N1x1  a1 (mod n1), a2N2x2  a2 (mod n2), a3N3x3  a3 (mod n3) x  a1 N1x1 (mod n1) Since n1|N2 and n1|N3, Since N1x1  1 (mod n1), Similarly, x  a2 (mod n2) x  a3 (mod n3)
Uniqueness x  a1 (mod n1) x  a2 (mod n2) x  ak (mod nk) Suppose there are two solutions, x and y, to the above system. Then x – y  0 (mod ni) for any i. This means that ni | x – y for any i. Since n1,n2,…,nk are relatively prime, this means that n1n2…nk | x – y. (why?) Therefore, x = y (mod n1n2…nk). So there is a unique solution in every n1n2…nk numbers.
General Systems What if n1,n2,…,nk are not relatively prime? x  3 (mod 10) x  8 (mod 15) x  5 (mod 84) x  3 (mod 2)  1 (mod 2) x  8 (mod 3)  2 (mod 3) x  8 (mod 5)  3 (mod 5) x  5 (mod 4)  1 (mod 4) x  5 (mod 3)  2 (mod 3) x  5 (mod 7) x  3 (mod 5) (a) (b) (c) (d) (e) (f) (g) (b) and (d) are the same. (c) and (f) are the same. (e) is stronger than (a). So we reduce the problem to the relatively prime case. The answer is 173 (mod 420).
Quick Summary First we talk about how to solve one equation ax  b (mod n). The equation has solutions if and only if gcd(a,n) divides b. Then we talk about how to find simultaneous solutions to two equations a1x  b1 (mod n1) and a2x  b2 (mod n2). First use the technique in one equation to reduce to the form x  c1 (mod n1) and x  c2 (mod n2). By setting x = k1n1 + k2n2, then we just need to find k1 and k2 so that c2  k1 n1 (mod n2) and c1  k2 n2 (mod n1). These equations can be solved separately by using techniques for one equation. The same techniques apply for more than two equations. And the solution is unique mod n1 n2…nk if there are k equations. Finally, when n1 n2…nk are not relatively prime, we show how to reduce it back to the relatively prime case.
A Faster Method x  3 (mod 10) x  8 (mod 15) x  5 (mod 84) There is another method to solve the system of modular equations. From the third equation we know that x = 5+84u. Plug it into the second equation gives 5+84u  8 (mod 15) => 84u  3 (mod 15). Solving this would give us u  2 (mod 5) => u = 2 + 5v. Therefore x = 5+84u = 5+84(2+5v) = 173 + 420v. Plug it into the first equation gives 173+420v  3 (mod 10) => 420v = -170 (mod 10). This equation is always true. So we can conclude that x = 173+420v, or equivalently x  173 (mod 420). This method can also be used to prove the Chinese Remainder Theorem. It is much faster (no need to find factorization), requiring only k-1 Euclidean algorithm.
Cryptography Dec 29
This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer science – the design of cryptosystem. •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem
Cryptography Alice Bob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal: Even though an adversary can listen to your conversation, the adversary can not learn what the message was. message
Cryptography Alice Bob adversary Goal: Even though an adversary can listen to your conversation, the adversary can not learn what the message was. message -> f(message) f(message) encrypt the message decrypt the message f(message) -> message But the adversary has no clue how to obtain message from f(message) A difficult goal!
Key Alice Bob adversary Goal: Even though an adversary can listen to your conversation, the adversary can not learn what the message was. message -> f(message,key) f(message, key) encrypt the message using the key decrypt the message using the key f(message,key) -> message But the adversary can not decrypt f(message,key) without the key Use number theory!
This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem
Turing’s Code (Version 1.0) The first step is to translate a message into a number “v i c t o r y” -> 22 09 03 20 15 18 25 Beforehand The sender and receiver agree on a secret key, which is a large number k. Encryption The sender encrypts the message m by computing: m* = m · k Decryption The receiver decrypts m by computing: m*/k = m · k/k = m
Turing’s Code (Version 1.0) Alice Bob adversary mk m = message k = key encrypted message = mk Why the adversary cannot figure out m? mk = received message k = key decrypted message = mk/k=m The adversary doesn’t have the key k, and so can only factor mk to figure out m, but factoring is a difficult task to do.
Turing’s Code (Version 1.0) Alice Bob adversary mk m = message k = key encrypted message = mk mk = received message k = key decrypted message = mk/k=m So why don’t we use this Turing’s code today? Major flaw: if you use the same key to send two messages m and m’, then from mk and m’k, we can use gcd(mk,m’k) to figure out k, and then decrypt every message.
Turing’s Code (Version 2.0) Beforehand The sender and receiver agree on a large prime p, which may be made public. (This will be the modulus for all our arithmetic.) They also agree on a secret key k in {1, 2, . . . , p − 1}. Encryption The message m can be any integer in the set {0, 1, 2, . . . , p − 1}. The sender encrypts the message m to produce m* by computing: m* = mk mod p Decryption Let k’ be the multiplicative inverse of k under modulo p. m*  mk (mod p) m*k’  m (mod p) m*k’ = m
Turing’s Code (Version 2.0) Alice Bob adversary m* = mk mod p m = message k = key encrypted message = mk mod p Why the adversary cannot figure out m? m* = received message k = key decrypted message = m*k’ =m Many m and k can produce m* as output, just impossible to determine m without k. Public information p
Turing’s Code (Version 2.0) Alice Bob adversary m* = mk mod p m = message k = key encrypted message = mk mod p m* = received message k = key decrypted message = m*k’ =m If the adversary somehow knows m, then first compute m’ := multiplicative inverse of m m*  mk (mod p) m*m’  k (mod p) So the adversary can figure out k. Public information p So why don’t we use this Turing’s code today? plain-text attack
This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem
Private Key Cryptosystem Alice Bob adversary message -> f(message,key) f(message, key) encrypt the message using the key decrypt the message using the key f(message,key) -> message But the adversary can not decrypt f(message,key) without the key Two parties have to agree on a secret key, which may be difficult in practice. If we buy books from Amazon, we don’t need to exchange a secret code. Why is it secure?
Public Key Cryptosystem Alice Bob adversary message -> f(message,Bob’s key) f(message, Bob’s key) encrypt the message using Bob’s key decrypt the message f(message,Bob’s key) -> message But the adversary can not decrypt f(message, Bob’s key)! Public information: Key for Alice Public information: Key for Bob Only Bob can decrypt the message sent to him! How is it possible??? There is no need to have a secret key between Alice and Bob.
RSA Cryptosystem RSA are the initials of three Computer Scientists, Ron Rivest, Adi Shamir and Len Adleman, who discovered their algorithm when they were working together at MIT in 1977.
This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem •Key generation, encryption, decryption •Correctness •Secure? •Computational issues
Generating Public Key Alice Bob How Bob creates his public keys? • Choose 2 large prime numbers p and q. • Set n = pq and T = (p-1)(q-1) • Choose e ≠1 so that gcd(e,T)=1 • Calculate d so that de = 1 (mod T) • Publish e and n as public keys • Keep d as secret key > 150 digits Secret key only known to Bob. public key: e and n secret key: d
Encrypting Message Alice Bob • Look at Bob’s homepage for e and n. • Send y = xe mod n How Alice sends a message to Bob? message x Send y = xe mod n Alice does not need to know Bob’s secret key to send the message. public key: e and n secret key: d
Alice Bob • Receive y = xe mod n • Compute z = yd mod n How Bob recover Alice’s message? public key: e and n secret key: d message x Send y = xe mod n Bob uses z is the original message that Alice sent. Decrypting Message
RSA Cryptosystem Alice Bob public key: e and n secret key: d message x Send y = xe mod n • Choose 2 large prime numbers p and q. • Set n = pq and T = (p-1)(q-1) • Choose e ≠1 so that gcd(e,T)=1 • Calculate d so that de = 1 (mod T) • Publish e and n as public keys • Keep d as secret key Compute z = yd mod n Key generation Encrypting message Decrypting message
This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem •Key generation, encryption, decryption •Correctness •Secure? •Computational issues
RSA Cryptosystem Alice Bob For the RSA cryptosytem to work, we need to show: 1) z = x 2) Without the secret key d, we can not compute the original message before the sun burns out. public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n with additional assumptions…
Correctness Alice Bob Note that z = yd mod n = xed mod n. Therefore we need to prove x = xed mod n. p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) (a) x mod p = xed mod p (b) x mod q = xed mod q (c) x mod n = xed mod n public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n 1) z = x Therefore, if Alice sends x < n, then Bob can recover correctly.
Correctness Alice Bob Hence, xed mod p = x1+k(p-1)(q-1) mod p = x·xk(p-1)(q-1) mod p = x·(xk(q-1))(p-1) mod p Note that de = 1 + kT public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) (a) x mod p = xed mod p 1) z = x = 1 + k(p-1)(q-1)
Correctness Alice Bob Fermat’s little theorem: If p | a, then ap-1  1 mod p public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) Hence, xed mod p = x1+k(p-1)(q-1) mod p = x·xk(p-1)(q-1) mod p = x·(xk(q-1))(p-1) mod p = x mod p (a) x mod p = xed mod p 1) z = x a
Correctness Alice Bob Hence, xed mod p = x1+k(p-1)(q-1) mod p = x·xk(p-1)(q-1) mod p = x·(xk(q-1))(p-1) mod p public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) (a) x mod p = xed mod p 1) z = x What if p | a? a This means p | xk(q-1), implying p | x, since p is prime Since p | x, we have xed mod p = x mod p = 0.
Correctness Alice Bob Note that z = yd mod n = xed mod n. Therefore we need to prove x = xed mod n. p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) (a) x mod p = xed mod p (b) x mod q = xed mod q (c) x mod n = xed mod n public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n 1) z = x (c) can be proved directly, also follows from Chinese Remainder theorem. The same proof.
This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem •Key generation, encryption, decryption •Correctness •Secure? •Computational issues
Why is this Secure? Alice Bob Method 1: From y=xe mod n, don’t know how to compute x. Thus not possible to work backward. It is an example of an “one-way” function. public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) 2) Without the secret key d, we can not compute the original message before the sun burns out. adversary
Why is this Secure? Alice Bob public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) Method 2: Factor n = pq. Compute secrete key d. Then decrypt everything! No one knows an efficient way to do factoring. 2) Without the secret key d, we can not compute the original message before the sun burns out. adversary The security is based on assumptions that some computational problems are hard.
This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem •Key generation, encryption, decryption •Correctness •Secure? •Computational issues
RSA Example Alice Bob p=5 q=11 n = 55 T = 40 e = 7 d = 23 x=33 How to compute it efficiently? public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) First Bob generated his keys. Then Alice sends the encrypted message. y = 3323 mod 55 y = 84298649517881922539738734663399137 mod 55
Exponentiation 1444 mod 713 = 144 * 144 * 144 * 144 mod 713 = 20736 * 144 * 144 mod 713 = 59 * 144 * 144 mod 713 = 8496 * 144 mod 713 = 653 * 144 mod 713 = 94032 mod 713 = 629 mod 713 20736 * 20736 mod 713 = 59 * 59 mod 713 = 3481 mod 713 = 629 mod 713 To compute exponentiation mod n This still takes too long when the exponent is large. This is much more efficient.
Repeated Squaring 14450 mod 713 = 14432 14416 1442 mod 713 = 648·485·59 mod 713 = 242 1442 mod 713 = 59 1444 mod 713 = 1442 ·1442 mod 713 = 59·59 mod 713 = 629 1448 mod 713 = 1444·1444 mod 713 = 629·629 mod 713 = 639 14416 mod 713 = 1448·1448 mod 713 = 639·639 mod 713 = 485 14432 mod 713 = 14416·14416 mod 713 = 485·485 mod 713 = 648 Note that 50 = 32 + 16 + 2
Generating Public Key • Choose 2 large prime numbers p and q. • Set n = pq and T = (p-1)(q-1) • Choose e ≠1 so that gcd(e,T)=1 • Calculate d so that de = 1 (mod T) • Publish e and n as public keys • Keep d as secret key How to choose large prime numbers efficiently? Given a large number, how to check whether it is prime efficiently?
Primality Testing Given a large integer n, determine quickly whether n is prime First test: for i = 1,…,√n, check if i divides n. Need some number theory! We are talking about n with 150 digits. This simply takes too long (2150 steps, sun will burn out). We are looking for an exponential improvement (instead of n, we can only afford roughly log(n) steps), like we did in the extended GCD algorithm.
Primality Testing It doesn’t seem to help, since we don’t know how to compute (n-1)! mod n quickly (in roughly log(n) steps). Theorem: n is a prime if and only if (n-1)!  -1 (mod n)
Primality Testing 1  an-1 (mod n) Theorem: If n is prime & a not a multiple of n Contrapositive. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Example. Show that 1763 is composite (not a prime number). Let a=2, n=1763. 21762 (mod 1763) = 142 ≠ 1 Therefore, it is composite by (the contrapositive of) Fermat’s little theorem.
Primality Testing Contrapositive. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Example. Show that 1387 is composite (not a prime number). Let a=2, n=1387. 21386 (mod 1387) = 1 can not tell whether n is prime or not. Try a=3 31386 (mod 1387) = 1238 ≠ 1 this shows n is composite.
Primality Testing Contrapositive. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. “Fermat” test Given n, choose a < n Compute an-1 (mod n) If an-1 (mod n) ≠ 1 conclude that n is a composite number If an-1 (mod n) = 1 try another a Each test takes about log(n) steps. It depends on how many a that we need to try…
Primality Testing Contrapositive. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. “Fermat” test Given n, choose a < n Compute an-1 (mod n) If an-1 (mod n) ≠ 1 conclude that n is a composite number If an-1 (mod n) = 1 try another a Unfortunately, there exists n which is composite, but an-1 (mod n) = 1 for every a! These are called Carmichael numbers (e.g. 561, 1105, 1729, etc…)
Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Lemma. If n is a prime number, x2  1 (mod n) if and only if x  1 (mod n) or x  -1 (mod n) Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. For n=1387 and a=2, Fermat’s test fails because 21386  1 (mod 1387). Example Note that it is (2693)2 However 2693  512 (mod 1387)  1 (mod 1387) By contrapositive 2, we can conclude that 1387 is a composite number.
Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Strong primality test Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) ≠1 Composite by contrapositive 1.
Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) =1 Composite by contrapositive 2. ≠1 & ≠-1 Strong primality test
Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) =1 Continue to go backward and check =1 Strong primality test
Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) =1 End the test and say it is a “probable” prime. =1 =-1 Strong primality test
Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) =1 End the test and say it is a “probable” prime. =1 =1 =1 =1 Strong primality test
Primality Testing Given n, pick an a Let n’ = n-1 (so n’ is an even number) If an’ (mod n) ≠ 1, then stop and say “n is composite”. n’ := n’/2; While n’ is an integer do If an’ (mod n) = -1, then stop and say “n is a probable prime”. If an’ (mod n) ≠ 1, then stop and say “n is composite”. n’ := n’/2; Stop and say “n is a probable prime”. Strong primality test
Primality Testing Theorem: if n is composite, for more than half of a < n, the strong primality test will say n is composite! So, given a composite n, if we pick a random a, the strong primality test will be incorrect with probability <= 1/2. Thus, if we repeat the procedure for 10000 times, then the probability that the strong primality test is still incorrect is very small (e.g. much smaller than our computer will suddenly crash). For a particular a, the strong primality test takes “about” log(n) steps. But again, there exists n which is composite but pass the test… This is the most efficient method used in practice!
Generating Public Key • Choose 2 large prime numbers p and q. • Set n = pq and T = (p-1)(q-1) • Choose e ≠1 so that gcd(e,T)=1 • Calculate d so that de = 1 (mod T) • Publish e and n as public keys • Keep d as secret key How to choose large prime numbers efficiently? Prime number theorem: From 1 to n, there are roughly n/log(n) prime numbers. Pick a random large number, do the (randomized) strong primality tests, until we find a prime! Similar idea
Remarks •We have derived everything from basic principle. •RSA cryptosystem is one of the most important achievements in compute science. (The researchers won the Turing award for their contribution.) •Number theory is also very useful in coding theory (e.g. compression). •Mathematics is very important in computer science.
More Remarks Theorem: if n is composite, for more than half of a < n, the strong primality test will say n is composite! The proof uses Chinese Remainder theorem and some elementary number theory. (Introduction to Algorithms, MIT press) Theroem (Primes is in P, 2004) There is an efficient and deterministic primality test. Conjecture: It is enough to try a to up to roughly log(n). Major Open Problem: Is there an efficient algorithm to compute the prime factorization?

Recommended

Research Project Primus
Research Project PrimusResearch Project Primus
Research Project PrimusPredrag Terzic
 
Lec_4.pdf
Lec_4.pdfLec_4.pdf
Lec_4.pdfMattupallipardhu
 
DAA - UNIT 4 - Engineering.pptx
DAA - UNIT 4 - Engineering.pptxDAA - UNIT 4 - Engineering.pptx
DAA - UNIT 4 - Engineering.pptxvaishnavi339314
 
Construction of BIBD’s Using Quadratic Residues
Construction of BIBD’s Using Quadratic ResiduesConstruction of BIBD’s Using Quadratic Residues
Construction of BIBD’s Using Quadratic Residuesiosrjce
 
CSE1107 Chinese Remainder Theorem in Discrete Mathmatics.pptx
CSE1107 Chinese Remainder Theorem in Discrete Mathmatics.pptxCSE1107 Chinese Remainder Theorem in Discrete Mathmatics.pptx
CSE1107 Chinese Remainder Theorem in Discrete Mathmatics.pptxgbikorno
 
A Proof of Twin primes and Golbach's Conjecture
A Proof of Twin primes and Golbach's ConjectureA Proof of Twin primes and Golbach's Conjecture
A Proof of Twin primes and Golbach's Conjecturenikos mantzakouras
 
Trig substitution
Trig substitutionTrig substitution
Trig substitutiondynx24
 
555_Spring12_topic06.ppt
555_Spring12_topic06.ppt555_Spring12_topic06.ppt
555_Spring12_topic06.pptSnehSinha6
 

Recommended

Research Project Primus
Research Project PrimusResearch Project Primus
Research Project PrimusPredrag Terzic
 
Lec_4.pdf
Lec_4.pdfLec_4.pdf
Lec_4.pdfMattupallipardhu
 
DAA - UNIT 4 - Engineering.pptx
DAA - UNIT 4 - Engineering.pptxDAA - UNIT 4 - Engineering.pptx
DAA - UNIT 4 - Engineering.pptxvaishnavi339314
 
Construction of BIBD’s Using Quadratic Residues
Construction of BIBD’s Using Quadratic ResiduesConstruction of BIBD’s Using Quadratic Residues
Construction of BIBD’s Using Quadratic Residuesiosrjce
 
CSE1107 Chinese Remainder Theorem in Discrete Mathmatics.pptx
CSE1107 Chinese Remainder Theorem in Discrete Mathmatics.pptxCSE1107 Chinese Remainder Theorem in Discrete Mathmatics.pptx
CSE1107 Chinese Remainder Theorem in Discrete Mathmatics.pptxgbikorno
 
A Proof of Twin primes and Golbach's Conjecture
A Proof of Twin primes and Golbach's ConjectureA Proof of Twin primes and Golbach's Conjecture
A Proof of Twin primes and Golbach's Conjecturenikos mantzakouras
 
Trig substitution
Trig substitutionTrig substitution
Trig substitutiondynx24
 
555_Spring12_topic06.ppt
555_Spring12_topic06.ppt555_Spring12_topic06.ppt
555_Spring12_topic06.pptSnehSinha6
 
Stochastic Processes Homework Help
Stochastic Processes Homework HelpStochastic Processes Homework Help
Stochastic Processes Homework HelpExcel Homework Help
 
X ch 1 real numbers
X ch 1 real numbersX ch 1 real numbers
X ch 1 real numbersAmruthaKB2
 
Equivariance
EquivarianceEquivariance
Equivariancemustafa sarac
 
A study on number theory and its applications
A study on number theory and its applicationsA study on number theory and its applications
A study on number theory and its applicationsItishree Dash
 
Analysis Of Algorithms Ii
Analysis Of Algorithms IiAnalysis Of Algorithms Ii
Analysis Of Algorithms IiSri Prasanna
 
Number theory
Number theoryNumber theory
Number theorymanikanta361
 
Matdis 3.4
Matdis 3.4Matdis 3.4
Matdis 3.4Claudia Primasiwi
 
F4 02 Quadratic Expressions And
F4 02 Quadratic Expressions AndF4 02 Quadratic Expressions And
F4 02 Quadratic Expressions Andguestcc333c
 
Ch08
Ch08Ch08
Ch08nathanurag
 
Binomial Theorem
Binomial TheoremBinomial Theorem
Binomial Theoremitutor
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Scienceinventy
 
ADVANCED ALGORITHMS-UNIT-3-Final.ppt
ADVANCED ALGORITHMS-UNIT-3-Final.pptADVANCED ALGORITHMS-UNIT-3-Final.ppt
ADVANCED ALGORITHMS-UNIT-3-Final.pptssuser702532
 
Maths04
Maths04Maths04
Maths04sansharmajs
 
Proof of Beal's conjecture
Proof of Beal's conjecture Proof of Beal's conjecture
Proof of Beal's conjecture nikos mantzakouras
 
New stack
New stackNew stack
New stackDreams4school
 
2018 mtap for g10 with answers
2018 mtap for g10 with answers2018 mtap for g10 with answers
2018 mtap for g10 with answersJashey Dee
 
New Pythagorean Triples copy
New Pythagorean Triples copyNew Pythagorean Triples copy
New Pythagorean Triples copyAndrew Erskine
 
Stacks image 1721_36
Stacks image 1721_36Stacks image 1721_36
Stacks image 1721_36Dreams4school
 
Binomial theorem
Binomial theorem Binomial theorem
Binomial theorem Harshit Sharma
 
On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...
On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...
On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...inventionjournals
 
Taylor_and_Maclaurin_Series_Calculus.ppt
Taylor_and_Maclaurin_Series_Calculus.pptTaylor_and_Maclaurin_Series_Calculus.ppt
Taylor_and_Maclaurin_Series_Calculus.pptJayLagman3
 
teaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptx
teaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptxteaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptx
teaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptxJayLagman3
 

More Related Content

Similar to wilson's and fermat little theorem .ppt

Stochastic Processes Homework Help
Stochastic Processes Homework HelpStochastic Processes Homework Help
Stochastic Processes Homework HelpExcel Homework Help
 
X ch 1 real numbers
X ch 1 real numbersX ch 1 real numbers
X ch 1 real numbersAmruthaKB2
 
A study on number theory and its applications
A study on number theory and its applicationsA study on number theory and its applications
A study on number theory and its applicationsItishree Dash
 
Analysis Of Algorithms Ii
Analysis Of Algorithms IiAnalysis Of Algorithms Ii
Analysis Of Algorithms IiSri Prasanna
 
F4 02 Quadratic Expressions And
F4 02 Quadratic Expressions AndF4 02 Quadratic Expressions And
F4 02 Quadratic Expressions Andguestcc333c
 
Binomial Theorem
Binomial TheoremBinomial Theorem
Binomial Theoremitutor
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Scienceinventy
 
ADVANCED ALGORITHMS-UNIT-3-Final.ppt
ADVANCED ALGORITHMS-UNIT-3-Final.pptADVANCED ALGORITHMS-UNIT-3-Final.ppt
ADVANCED ALGORITHMS-UNIT-3-Final.pptssuser702532
 
2018 mtap for g10 with answers
2018 mtap for g10 with answers2018 mtap for g10 with answers
2018 mtap for g10 with answersJashey Dee
 
New Pythagorean Triples copy
New Pythagorean Triples copyNew Pythagorean Triples copy
New Pythagorean Triples copyAndrew Erskine
 
Stacks image 1721_36
Stacks image 1721_36Stacks image 1721_36
Stacks image 1721_36Dreams4school
 
On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...
On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...
On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...inventionjournals
 

Similar to wilson's and fermat little theorem .ppt (20)

Stochastic Processes Homework Help
Stochastic Processes Homework HelpStochastic Processes Homework Help
Stochastic Processes Homework Help
 
X ch 1 real numbers
X ch 1 real numbersX ch 1 real numbers
X ch 1 real numbers
 
Equivariance
EquivarianceEquivariance
Equivariance
 
A study on number theory and its applications
A study on number theory and its applicationsA study on number theory and its applications
A study on number theory and its applications
 
Analysis Of Algorithms Ii
Analysis Of Algorithms IiAnalysis Of Algorithms Ii
Analysis Of Algorithms Ii
 
Number theory
Number theoryNumber theory
Number theory
 
Matdis 3.4
Matdis 3.4Matdis 3.4
Matdis 3.4
 
F4 02 Quadratic Expressions And
F4 02 Quadratic Expressions AndF4 02 Quadratic Expressions And
F4 02 Quadratic Expressions And
 
Ch08
Ch08Ch08
Ch08
 
Binomial Theorem
Binomial TheoremBinomial Theorem
Binomial Theorem
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Science
 
ADVANCED ALGORITHMS-UNIT-3-Final.ppt
ADVANCED ALGORITHMS-UNIT-3-Final.pptADVANCED ALGORITHMS-UNIT-3-Final.ppt
ADVANCED ALGORITHMS-UNIT-3-Final.ppt
 
Maths04
Maths04Maths04
Maths04
 
Proof of Beal's conjecture
Proof of Beal's conjecture Proof of Beal's conjecture
Proof of Beal's conjecture
 
New stack
New stackNew stack
New stack
 
2018 mtap for g10 with answers
2018 mtap for g10 with answers2018 mtap for g10 with answers
2018 mtap for g10 with answers
 
New Pythagorean Triples copy
New Pythagorean Triples copyNew Pythagorean Triples copy
New Pythagorean Triples copy
 
Stacks image 1721_36
Stacks image 1721_36Stacks image 1721_36
Stacks image 1721_36
 
Binomial theorem
Binomial theorem Binomial theorem
Binomial theorem
 
On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...
On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...
On Triplet of Positive Integers Such That the Sum of Any Two of Them is a Per...
 

More from JayLagman3

Taylor_and_Maclaurin_Series_Calculus.ppt
Taylor_and_Maclaurin_Series_Calculus.pptTaylor_and_Maclaurin_Series_Calculus.ppt
Taylor_and_Maclaurin_Series_Calculus.pptJayLagman3
 
teaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptx
teaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptxteaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptx
teaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptxJayLagman3
 
construction of true or false test items
construction of true or false test itemsconstruction of true or false test items
construction of true or false test itemsJayLagman3
 
Mathematics_Literacy_Module_3 .ppt
Mathematics_Literacy_Module_3 .pptMathematics_Literacy_Module_3 .ppt
Mathematics_Literacy_Module_3 .pptJayLagman3
 
CO2 slope of the line mathematics 8.pptx
CO2 slope of the line mathematics 8.pptxCO2 slope of the line mathematics 8.pptx
CO2 slope of the line mathematics 8.pptxJayLagman3
 
triangle inequalities theorems .ppt
triangle inequalities theorems .ppttriangle inequalities theorems .ppt
triangle inequalities theorems .pptJayLagman3
 
math 8 triangle inequalities theorem .ppt
math 8 triangle inequalities theorem .pptmath 8 triangle inequalities theorem .ppt
math 8 triangle inequalities theorem .pptJayLagman3
 
triangle inequalities theorem mathematics 8
triangle inequalities theorem mathematics 8triangle inequalities theorem mathematics 8
triangle inequalities theorem mathematics 8JayLagman3
 
Structural Learning Theory (Math 102).pdf
Structural Learning Theory (Math 102).pdfStructural Learning Theory (Math 102).pdf
Structural Learning Theory (Math 102).pdfJayLagman3
 
PH_Geo_4-1_Congruent_Figures_[1] (2).ppt
PH_Geo_4-1_Congruent_Figures_[1] (2).pptPH_Geo_4-1_Congruent_Figures_[1] (2).ppt
PH_Geo_4-1_Congruent_Figures_[1] (2).pptJayLagman3
 
Learning Theory 202021 students .ppt
Learning Theory 202021 students .pptLearning Theory 202021 students .ppt
Learning Theory 202021 students .pptJayLagman3
 
EAA - table of specifications (tos).pptx
EAA - table of specifications (tos).pptxEAA - table of specifications (tos).pptx
EAA - table of specifications (tos).pptxJayLagman3
 
Modular Arithmetic and congruence of integers.ppt
Modular Arithmetic and congruence of integers.pptModular Arithmetic and congruence of integers.ppt
Modular Arithmetic and congruence of integers.pptJayLagman3
 
Cyclic Groups and Subgroups in abstract algebra.ppt
Cyclic Groups and Subgroups in abstract algebra.pptCyclic Groups and Subgroups in abstract algebra.ppt
Cyclic Groups and Subgroups in abstract algebra.pptJayLagman3
 
the integral test in calculus iii.pptx
the integral test in calculus iii.pptxthe integral test in calculus iii.pptx
the integral test in calculus iii.pptxJayLagman3
 
solving linear system by elimination method.pptx
solving linear system by elimination method.pptxsolving linear system by elimination method.pptx
solving linear system by elimination method.pptxJayLagman3
 
Elementary Properties of Groups .ppt
Elementary Properties of Groups .pptElementary Properties of Groups .ppt
Elementary Properties of Groups .pptJayLagman3
 
Propositional-equivalence and formalization.pptx
Propositional-equivalence and formalization.pptxPropositional-equivalence and formalization.pptx
Propositional-equivalence and formalization.pptxJayLagman3
 
proposition, truth tables and tautology.pptx
proposition, truth tables and tautology.pptxproposition, truth tables and tautology.pptx
proposition, truth tables and tautology.pptxJayLagman3
 
behaviorism and the teaching of mathematics.pptx
behaviorism and the teaching of mathematics.pptxbehaviorism and the teaching of mathematics.pptx
behaviorism and the teaching of mathematics.pptxJayLagman3
 

More from JayLagman3 (20)

Taylor_and_Maclaurin_Series_Calculus.ppt
Taylor_and_Maclaurin_Series_Calculus.pptTaylor_and_Maclaurin_Series_Calculus.ppt
Taylor_and_Maclaurin_Series_Calculus.ppt
 
teaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptx
teaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptxteaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptx
teaching-math-in-the-intermediate-grades-240204104047-7f32f49b.pptx
 
construction of true or false test items
construction of true or false test itemsconstruction of true or false test items
construction of true or false test items
 
Mathematics_Literacy_Module_3 .ppt
Mathematics_Literacy_Module_3 .pptMathematics_Literacy_Module_3 .ppt
Mathematics_Literacy_Module_3 .ppt
 
CO2 slope of the line mathematics 8.pptx
CO2 slope of the line mathematics 8.pptxCO2 slope of the line mathematics 8.pptx
CO2 slope of the line mathematics 8.pptx
 
triangle inequalities theorems .ppt
triangle inequalities theorems .ppttriangle inequalities theorems .ppt
triangle inequalities theorems .ppt
 
math 8 triangle inequalities theorem .ppt
math 8 triangle inequalities theorem .pptmath 8 triangle inequalities theorem .ppt
math 8 triangle inequalities theorem .ppt
 
triangle inequalities theorem mathematics 8
triangle inequalities theorem mathematics 8triangle inequalities theorem mathematics 8
triangle inequalities theorem mathematics 8
 
Structural Learning Theory (Math 102).pdf
Structural Learning Theory (Math 102).pdfStructural Learning Theory (Math 102).pdf
Structural Learning Theory (Math 102).pdf
 
PH_Geo_4-1_Congruent_Figures_[1] (2).ppt
PH_Geo_4-1_Congruent_Figures_[1] (2).pptPH_Geo_4-1_Congruent_Figures_[1] (2).ppt
PH_Geo_4-1_Congruent_Figures_[1] (2).ppt
 
Learning Theory 202021 students .ppt
Learning Theory 202021 students .pptLearning Theory 202021 students .ppt
Learning Theory 202021 students .ppt
 
EAA - table of specifications (tos).pptx
EAA - table of specifications (tos).pptxEAA - table of specifications (tos).pptx
EAA - table of specifications (tos).pptx
 
Modular Arithmetic and congruence of integers.ppt
Modular Arithmetic and congruence of integers.pptModular Arithmetic and congruence of integers.ppt
Modular Arithmetic and congruence of integers.ppt
 
Cyclic Groups and Subgroups in abstract algebra.ppt
Cyclic Groups and Subgroups in abstract algebra.pptCyclic Groups and Subgroups in abstract algebra.ppt
Cyclic Groups and Subgroups in abstract algebra.ppt
 
the integral test in calculus iii.pptx
the integral test in calculus iii.pptxthe integral test in calculus iii.pptx
the integral test in calculus iii.pptx
 
solving linear system by elimination method.pptx
solving linear system by elimination method.pptxsolving linear system by elimination method.pptx
solving linear system by elimination method.pptx
 
Elementary Properties of Groups .ppt
Elementary Properties of Groups .pptElementary Properties of Groups .ppt
Elementary Properties of Groups .ppt
 
Propositional-equivalence and formalization.pptx
Propositional-equivalence and formalization.pptxPropositional-equivalence and formalization.pptx
Propositional-equivalence and formalization.pptx
 
proposition, truth tables and tautology.pptx
proposition, truth tables and tautology.pptxproposition, truth tables and tautology.pptx
proposition, truth tables and tautology.pptx
 
behaviorism and the teaching of mathematics.pptx
behaviorism and the teaching of mathematics.pptxbehaviorism and the teaching of mathematics.pptx
behaviorism and the teaching of mathematics.pptx
 

Recently uploaded

Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfVivekanand Anglo Vedic Academy
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonSteve Thomason
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
 
Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...
Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...
Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...AzmatAli747758
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativePeter Windle
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfThiyagu K
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chipsGeoBlogs
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxbennyroshan06
 
plant breeding methods in asexually or clonally propagated crops
plant breeding methods in asexually or clonally propagated cropsplant breeding methods in asexually or clonally propagated crops
plant breeding methods in asexually or clonally propagated cropsparmarsneha2
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptxJosvitaDsouza2
 
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxStudents, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxEduSkills OECD
 
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...Denish Jangid
 
How to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERPHow to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERPCeline George
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxRaedMohamed3
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345beazzy04
 
How to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleHow to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleCeline George
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...Jisc
 

Recently uploaded (20)

Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdf
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 
Introduction to Quality Improvement Essentials
Introduction to Quality Improvement EssentialsIntroduction to Quality Improvement Essentials
Introduction to Quality Improvement Essentials
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve Thomason
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...
Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...
Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chips
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
 
plant breeding methods in asexually or clonally propagated crops
plant breeding methods in asexually or clonally propagated cropsplant breeding methods in asexually or clonally propagated crops
plant breeding methods in asexually or clonally propagated crops
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxStudents, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
 
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
 
How to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERPHow to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERP
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
How to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleHow to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS Module
 
How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...How libraries can support authors with open access requirements for UKRI fund...
How libraries can support authors with open access requirements for UKRI fund...
 

wilson's and fermat little theorem .ppt

  • 1. In particular, when p is a prime & k not a multiple of p, then gcd(k,p)=1. If i  j (mod p), then i·k  j·k (mod p) Therefore, k mod p, 2k mod p, …, (p-1)k mod p are all different numbers. Fermat’s Little Theorem Claim 1: Assume gcd(k,n) = 1. If i·k  j·k (mod n), then i  j (mod n). Claim 2: Assume gcd(k,n) = 1. If i  j (mod n), then i·k  j·k (mod n) . For example, when p=7 and k=3, 3 mod 7 = 3, 2·3 mod 7 = 6, 3·3 mod 7 = 2, 4·3 mod 7 = 5, 5·3 mod 7 = 1, 6·3 mod 7 = 4 Notice that in the above example every number from 1 to 6 appears exactly once.
  • 2. In particular, when p is a prime & k not a multiple of p, then gcd(k,p)=1. If i  j (mod p), then i·k  j·k (mod p) Therefore, k mod p, 2k mod p, …, (p-1)k mod p are all different numbers. Fermat’s Little Theorem Each of ik mod p cannot be equal to 0, because p is a prime number Let ci = ik mod p. So 1 <= c1 <= p-1, 1 <= c2 <= p-1, …, 1< = cp-1 <= p-1 By the above we know that c1,c2,…,cp-2,cp-1 are all different. So for each i from 1 to p-1, there is exactly one cj such that cj = i. Therefore, we have (k mod p)·(2k mod p)·…·((p-1)k mod p) = c1·c2·…·cp-2·cp-1 = 1·2·3…·(p-2)·(p-1)
  • 3. Fermat’s Little Theorem 1  kp-1 (mod p) Theorem: If p is prime & k not a multiple of p For example, when p=5, k=4, we have kp-1 mod p = 44 mod 5 = 1 “Proof” 4·3·2·1  [(4 mod 5) (2·4 mod 5) (3·4 mod 5) (4·4 mod 5)] (mod 5)  [4 · (2·4) · (3·4) · (4·4)] (mod 5)  [44 · (1·2·3·4)] (mod 5) Since gcd(1·2·3·4, 5)=1, we can cancel 1·2·3·4 on both sides. This implies 1  44 (mod 5) By the previous slide or direct calculation
  • 4. Fermat’s Little Theorem 1  kp-1 (mod p) Theorem: If p is prime & k not a multiple of p Proof. 1·2···(p-1)  (k mod p · 2k mod p·…·(p-1)k mod p) mod p  (k·2k ··· (p-1)k) mod p  (kp-1)·1·2 ··· (p-1) (mod p) So, by cancelling 1·2 ··· (p-1) on both sides applying Claim 1 (we can cancel them because gcd(1·2 ··· (p-1), p)=1), we have 1  kp-1 (mod p) By 2 slides before By the multiplication rule
  • 5. Wilson’s Theorem Theorem: p is a prime if and only if (p-1)!  -1 (mod p) First we consider the easy direction. If p is not a prime, assume p >= 5, (for p=4, 3!  2 (mod 4) ) Then p=qr for some 2 <= q < p and 2 <= r < p. If q ≠ r, then both q and r appear in (p-1)!, and so (p-1)!  0 (mod p). If q = r, then p = q2 > 2q (since we assume p > 5 and thus q > 2). then both q and 2q are in (p-1)!, and so again (p-1)!  0 (mod p).
  • 6. Wilson’s Theorem Theorem: p is a prime if and only if (p-1)!  -1 (mod p) To prove the more interesting direction, first we need a lemma. Lemma. If p is a prime number, x2  1 (mod p) if and only if x  1 (mod p) or x  -1 (mod p) Proof. x2  1 (mod p) iff p | x2 - 1 iff p | (x – 1)(x + 1) iff p | (x – 1) or p | (x+1) iff x  1 (mod p) or x  -1 (mod p) Lemma: p prime and p|a·b iff p|a or p|b.
  • 7. Wilson’s Theorem Theorem: p is a prime if and only if (p-1)!  -1 (mod p) Let’s get the proof idea by considering a concrete example. 10!  1·2·3·4·5·6·7·8·9·10 mod 11  1·10·(2·6)·(3·4)·(5·9)·(7·8) mod 11  1·-1·(1)·(1)·(1)·(1) mod 11  -1 mod 11 Besides 1 and 10, the remaining numbers are paired up into multiplicative inverse!
  • 8. Wilson’s Theorem Theorem: p is a prime if and only if (p-1)!  -1 (mod p) Proof. Since p is a prime, every number from 1 to p-1 has a multiplicative inverse. By the Lemma, every number 2 <= k <= p-2 has an inverse k’ with k≠k’. Since p is odd, the numbers from 2 to p-2 can be grouped into pairs (a1,b1),(a2,b2),…,(a(p-3)/2,b(p-3)/2) so that aibi  1 (mod p) Therefore, (p-1)!  1·(p-1)·2·3·····(p-3)·(p-2) (mod p)  1·(p-1)·(a1b1)·(a2b2)·····(a(p-3)/2b(p-3)/2) (mod p)  1·(-1)·(1)·(1)·····(1) (mod p)  -1 (mod p)
  • 9. Chinese Remainder Theorem Dec 29 Picture from http://img5.epochtimes.com/i6/801180520191974.jpg ……………………… ……………………… ……………………… ……………………… ……………………… ………………………
  • 10. This Lecture In this lecture we will study the Chinese remainder theorem, which is a method to solve equations about remainders. • One equation • Ancient application • Two equations and three equations • Chinese Remainder theorem
  • 11. Case Study ax  b (mod n) How to solve the following equation? 2x  3 (mod 7) For example, consider the equation Suppose there is a solution x to the equation, then there is a solution x in the range from 0 to 6, because we can replace x by x mod 7. Then we can see that x=5 is a solution. Also, 5+7, 5+2·7, 5+3·7, …, 5-7, 5-2·7…, are solutions. Therefore the solutions are of the form 5+7k for some integer k.
  • 12. One Equation ax  b (mod n) How to solve the following equation? 2x  3 (mod 7) 5x  6 (mod 9) 4x  -1 (mod 5) 4x  2 (mod 6) 10x  2 (mod 7) 3x  1 (mod 6) x = 5 + 7k for any integer k x = 3 + 9k for any integer k x = 1 + 5k for any integer k x = 2 + 3k for any integer k x = 3 + 7k for any integer k no solutions
  • 13. One Equation: Relatively Prime Case 1: a and n are relatively prime ax  b (mod n) Without loss of generality, we can assume that 0 < a < n. Because we can replace a by a mod n without changing the equation. e.g. 103x  6 (mod 9) is equivalent to 4x  6 (mod 9). Since a and n are relatively prime, there exists a multiplicative inverse a’ for a. Hence we can multiply a’ on both sides of the equation to obtain x  a’b (mod n) Therefore, a solution always exists when a and n are relatively prime.
  • 14. One Equation: Common Factor Case 2: a and n have a common factor c>=2. ax  b (mod n) Case 2a: c divides b. ax  b (mod n)  ax = b + nk for some integer k  a1cx = b1c + n1ck  a1x = b1 + n1k  a1x  b1 (mod n1) In Case (2a) we can simplify the equation, and solve the new equation instead. we assume c|a and c|n and also c|b.
  • 15. One Equation: Common Factor Case 2: a and n have a common factor c>=2. ax  b (mod n) Case 2b: c does not divides b. ax  b (mod n)  ax = b + nk for some integer k  a1cx = b + n1ck  a1x = b/c + n1k This is a contradiction, since a1x and n1k are integers, but b/c is not an integer since c does not divide b. Therefore, in Case 2b, there is no solution.
  • 16. One Equation Theorem. Let a, b, n be given integers. The above equation has a solution if and only if gcd(a,n) | b. Furthermore, if the condition gcd(a,n) | b is satisfied, then the solutions are of the form y mod (n/gcd(a,n)) for some integer y. ax  b (mod n) Proof. First, divide b by gcd(a,n). If not divisible, then there is no solution by Case (2b). If divisible, then we simplify the solution as in Case (2a). Then we proceed as in Case (1) to compute the solution.
  • 17. One Equation: Exercise 87x  3 (mod 15) no solutions Replace 87 by 87 mod 15 12x  3 (mod 15) Divide both sides by gcd(12,15) = 3 4x  1 (mod 5) Compute the multiplicative inverse of 4 modulo 5 x  4 + 5k 114x  5 (mod 22) Replace 114 by 114 mod 22 4x  5 (mod 22) Divide both sides by gcd(4,22) = 2 Because 2 does not divide 5. Important: to be familiar with the extended Euclidean algorithm to compute gcd and to compute multiplicative inverse.
  • 18. Example: n = 123, k=37 123 = 3·37 + 12 so 12 = n - 3k 37 = 3·12 + 1 so 1 = 37 – 3·12 = k – 3(n-3k) = 10k - 3n 12 = 12·1 + 0 done, gcd=1 Computing Multiplicative Inverse So 1 = 10k-3n. Then we know that 10 is the multiplicative inverse of 37 under modulo 123.
  • 19. This Lecture • One equation • Ancient application • Two equations and three equations • Chinese Remainder theorem
  • 20. Ancient Application of Number Theory Starting from 1500 soldiers, after a war, about 400-500 soldiers died. 韓信 Now we want to know how many soldiers are left. Form groups of 3 soldiers
  • 21. Ancient Application of Number Theory ……………………… ……………………… ……………………… ……………………… ……………………… ……………………… There are 2 soliders left. Form groups of 5 soldiers
  • 22. Ancient Application of Number Theory ……………………… ……………………… ……………………… ……………………… ……………………… There are 3 soliders left. Form groups of 7 soldiers
  • 23. Ancient Application of Number Theory ……………………… ……………………… ……………………… ……………………… ……………………… ……………………… ……………………… There are 2 soliders left. We have 1073 soliders. How could he figure it out?!
  • 24. The Mathematical Question x  2 (mod 3) x  3 (mod 5) x  2 (mod 7) 1000 <= x <= 1100 + x = 1073 How to solve this system of modular equations?
  • 25. This Lecture • One equation • Ancient application • Two equations and three equations • Chinese Remainder theorem
  • 26. Two Equations c1 x  d1 (mod m1) c2 x  d2 (mod m2) x  a1 (mod n1) x  a2 (mod n2) Find a solution to satisfy both equations simultaneously. First we can solve each equation to reduce to the following form. (Of course, if one equation has no solution, then there is no solution.) There may be no solutions simultaneously satisfying both equations. For example, consider x  1 (mod 3), x  2 (mod 3). x  1 (mod 6), x  2 (mod 4).
  • 27. Two Equations x  2 (mod 3) x  4 (mod 7) Case 1: n1 and n2 are relatively prime. x = 2+3u and x = 4+7v for some integers u and v. 2+3u = 4+7v => 3u = 2+7v => 3u  2 (mod 7) 5 is the multiplicative inverse for 3 under modulo 7 Multiply 5 on both sides gives: 5·3u  5·2 (mod 7) => u  3 (mod 7) => u = 3 + 7w Therefore, x = 2+3u = 2+3(3+7w) = 11+21w So any x  11 (mod 21) is the solution. Where did we use the assumption that n1 and n2 are relatively prime?
  • 28. Two Equations x  2 (mod 3) x  4 (mod 7) Assume n1 and n2 are relatively prime. The original idea is to construct such an x directly. Let x = 3·a + 7·b Note that when x is divided by 3, the remainder is decided by the second term. And when x is divided by 7, the remainder is decided by the first term. More precisely, x mod 7 = (3·a + 7·b) mod 7 = 3a mod 7 Similarly, x mod 3 = (3·a + 7·b) mod 3 = 7b mod 3 Therefore, to satisfy the equations, we just need to find a such that 3a mod 7 = 4 and b such that 7b mod 3 = 2.
  • 29. Two Equations x  2 (mod 3) x  4 (mod 7) Assume n1 and n2 are relatively prime. The original idea is to construct such an x directly. Let x = 3·a + 7·b Since 3 and 7 are relatively prime, both the equations can be solved. The first equation is 3a  4 (mod 7), and the answer is a=6. Similarly, the second equation is 7b  2 (mod 3), and the answer is b=2. So one answer is x = 3a+7b = 3(6)+7(2) = 32. Therefore, to satisfy the equations, we just need to find a such that 3a mod 7 = 4 and b such that 7b mod 3 = 2.
  • 30. Two Equations x  2 (mod 3) x  4 (mod 7) Assume n1 and n2 are relatively prime. The original idea is to construct such an x directly. Let x = 3·a + 7·b So one answer is x = 3a+7b = 3(6)+7(2) = 32. Note that 32 + 3·7·k is also a solution to satisfy both equations. The only solutions are of the form 32 + 21k for some integer k. Are there other solutions? Are there other solutions?
  • 31. Three Equations Let x = 5·7·a + 3·7·b + 3·5·c x  2 (mod 3) x  3 (mod 5) x  2 (mod 7) So the first (second, third) term is responsible for the first (second, third) equation. More precisely, x mod 3 = (5·7·a + 3·7·b + 3·5·c) mod 3 = 5·7·a mod 3 x mod 5 = (5·7·a + 3·7·b + 3·5·c) mod 5 = 3·7·b mod 5 x mod 7 = (5·7·a + 3·7·b + 3·5·c) mod 7 = 3·5·c mod 7 Therefore, to satisfy the equations, we want to find a,b,c to satisfy the following: x mod 3 = 35a mod 3 = 2 x mod 5 = 21b mod 5 = 3 x mod 7 = 15c mod 7 = 2
  • 32. Three Equations Let x = 5·7·a + 3·7·b + 3·5·c x  2 (mod 3) x  3 (mod 5) x  2 (mod 7) So the first (second, third) term is responsible for the first (second, third) equation. Now we just need to solve the following three equations separately. 35a  2 (mod 3), 21b  3 (mod 5), 15c  2 (mod 7). This is equal to 2a  2 (mod 3), b  3 (mod 5), c  2 (mod 7) Therefore, we can set a = 1, b = 3, c = 2. Then x = 35a+21b+15c = 35(1)+21(3)+15(2) = 128. Note that 128+3·5·7·k = 128+105k is also a solution. Since 韓信 knows that 1000 <= x <= 1100, he concludes that x = 1073. Wait, but how does he know that there is no other solution?
  • 33. This Lecture • One equation • Ancient application • Two equations and three equations • Chinese Remainder theorem
  • 34. Chinese Remainder Theorem x  a1 (mod n1) x  a2 (mod n2) x  ak (mod nk) Theorem: If n1,n2,…,nk are relatively prime and a1,a2,…,ak are integers, then have a simultaneous solution x that is unique modulo n, where n = n1n2…nk. We will give a proof when k=3, but it can be extended easily to any k.
  • 35. Proof of Chinese Remainder Theorem N1 = n2 n3 N1x1  1 (mod n1) Let x = a1N1x1 + a2N2x2 + a3N3x3 x  a1 (mod n1) Let N2 = n1 n3 N3 = n1 n2 Since Ni and ni are relatively prime, this implies that there exist x1 x2 x3 N2x2  1 (mod n2) N3x3  1 (mod n3) So, a1N1x1  a1 (mod n1), a2N2x2  a2 (mod n2), a3N3x3  a3 (mod n3) x  a1 N1x1 (mod n1) Since n1|N2 and n1|N3, Since N1x1  1 (mod n1), Similarly, x  a2 (mod n2) x  a3 (mod n3)
  • 36. Uniqueness x  a1 (mod n1) x  a2 (mod n2) x  ak (mod nk) Suppose there are two solutions, x and y, to the above system. Then x – y  0 (mod ni) for any i. This means that ni | x – y for any i. Since n1,n2,…,nk are relatively prime, this means that n1n2…nk | x – y. (why?) Therefore, x = y (mod n1n2…nk). So there is a unique solution in every n1n2…nk numbers.
  • 37. General Systems What if n1,n2,…,nk are not relatively prime? x  3 (mod 10) x  8 (mod 15) x  5 (mod 84) x  3 (mod 2)  1 (mod 2) x  8 (mod 3)  2 (mod 3) x  8 (mod 5)  3 (mod 5) x  5 (mod 4)  1 (mod 4) x  5 (mod 3)  2 (mod 3) x  5 (mod 7) x  3 (mod 5) (a) (b) (c) (d) (e) (f) (g) (b) and (d) are the same. (c) and (f) are the same. (e) is stronger than (a). So we reduce the problem to the relatively prime case. The answer is 173 (mod 420).
  • 38. Quick Summary First we talk about how to solve one equation ax  b (mod n). The equation has solutions if and only if gcd(a,n) divides b. Then we talk about how to find simultaneous solutions to two equations a1x  b1 (mod n1) and a2x  b2 (mod n2). First use the technique in one equation to reduce to the form x  c1 (mod n1) and x  c2 (mod n2). By setting x = k1n1 + k2n2, then we just need to find k1 and k2 so that c2  k1 n1 (mod n2) and c1  k2 n2 (mod n1). These equations can be solved separately by using techniques for one equation. The same techniques apply for more than two equations. And the solution is unique mod n1 n2…nk if there are k equations. Finally, when n1 n2…nk are not relatively prime, we show how to reduce it back to the relatively prime case.
  • 39. A Faster Method x  3 (mod 10) x  8 (mod 15) x  5 (mod 84) There is another method to solve the system of modular equations. From the third equation we know that x = 5+84u. Plug it into the second equation gives 5+84u  8 (mod 15) => 84u  3 (mod 15). Solving this would give us u  2 (mod 5) => u = 2 + 5v. Therefore x = 5+84u = 5+84(2+5v) = 173 + 420v. Plug it into the first equation gives 173+420v  3 (mod 10) => 420v = -170 (mod 10). This equation is always true. So we can conclude that x = 173+420v, or equivalently x  173 (mod 420). This method can also be used to prove the Chinese Remainder Theorem. It is much faster (no need to find factorization), requiring only k-1 Euclidean algorithm.
  • 41. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer science – the design of cryptosystem. •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem
  • 42. Cryptography Alice Bob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal: Even though an adversary can listen to your conversation, the adversary can not learn what the message was. message
  • 43. Cryptography Alice Bob adversary Goal: Even though an adversary can listen to your conversation, the adversary can not learn what the message was. message -> f(message) f(message) encrypt the message decrypt the message f(message) -> message But the adversary has no clue how to obtain message from f(message) A difficult goal!
  • 44. Key Alice Bob adversary Goal: Even though an adversary can listen to your conversation, the adversary can not learn what the message was. message -> f(message,key) f(message, key) encrypt the message using the key decrypt the message using the key f(message,key) -> message But the adversary can not decrypt f(message,key) without the key Use number theory!
  • 45. This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem
  • 46. Turing’s Code (Version 1.0) The first step is to translate a message into a number “v i c t o r y” -> 22 09 03 20 15 18 25 Beforehand The sender and receiver agree on a secret key, which is a large number k. Encryption The sender encrypts the message m by computing: m* = m · k Decryption The receiver decrypts m by computing: m*/k = m · k/k = m
  • 47. Turing’s Code (Version 1.0) Alice Bob adversary mk m = message k = key encrypted message = mk Why the adversary cannot figure out m? mk = received message k = key decrypted message = mk/k=m The adversary doesn’t have the key k, and so can only factor mk to figure out m, but factoring is a difficult task to do.
  • 48. Turing’s Code (Version 1.0) Alice Bob adversary mk m = message k = key encrypted message = mk mk = received message k = key decrypted message = mk/k=m So why don’t we use this Turing’s code today? Major flaw: if you use the same key to send two messages m and m’, then from mk and m’k, we can use gcd(mk,m’k) to figure out k, and then decrypt every message.
  • 49. Turing’s Code (Version 2.0) Beforehand The sender and receiver agree on a large prime p, which may be made public. (This will be the modulus for all our arithmetic.) They also agree on a secret key k in {1, 2, . . . , p − 1}. Encryption The message m can be any integer in the set {0, 1, 2, . . . , p − 1}. The sender encrypts the message m to produce m* by computing: m* = mk mod p Decryption Let k’ be the multiplicative inverse of k under modulo p. m*  mk (mod p) m*k’  m (mod p) m*k’ = m
  • 50. Turing’s Code (Version 2.0) Alice Bob adversary m* = mk mod p m = message k = key encrypted message = mk mod p Why the adversary cannot figure out m? m* = received message k = key decrypted message = m*k’ =m Many m and k can produce m* as output, just impossible to determine m without k. Public information p
  • 51. Turing’s Code (Version 2.0) Alice Bob adversary m* = mk mod p m = message k = key encrypted message = mk mod p m* = received message k = key decrypted message = m*k’ =m If the adversary somehow knows m, then first compute m’ := multiplicative inverse of m m*  mk (mod p) m*m’  k (mod p) So the adversary can figure out k. Public information p So why don’t we use this Turing’s code today? plain-text attack
  • 52. This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem
  • 53. Private Key Cryptosystem Alice Bob adversary message -> f(message,key) f(message, key) encrypt the message using the key decrypt the message using the key f(message,key) -> message But the adversary can not decrypt f(message,key) without the key Two parties have to agree on a secret key, which may be difficult in practice. If we buy books from Amazon, we don’t need to exchange a secret code. Why is it secure?
  • 54. Public Key Cryptosystem Alice Bob adversary message -> f(message,Bob’s key) f(message, Bob’s key) encrypt the message using Bob’s key decrypt the message f(message,Bob’s key) -> message But the adversary can not decrypt f(message, Bob’s key)! Public information: Key for Alice Public information: Key for Bob Only Bob can decrypt the message sent to him! How is it possible??? There is no need to have a secret key between Alice and Bob.
  • 55. RSA Cryptosystem RSA are the initials of three Computer Scientists, Ron Rivest, Adi Shamir and Len Adleman, who discovered their algorithm when they were working together at MIT in 1977.
  • 56. This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem •Key generation, encryption, decryption •Correctness •Secure? •Computational issues
  • 57. Generating Public Key Alice Bob How Bob creates his public keys? • Choose 2 large prime numbers p and q. • Set n = pq and T = (p-1)(q-1) • Choose e ≠1 so that gcd(e,T)=1 • Calculate d so that de = 1 (mod T) • Publish e and n as public keys • Keep d as secret key > 150 digits Secret key only known to Bob. public key: e and n secret key: d
  • 58. Encrypting Message Alice Bob • Look at Bob’s homepage for e and n. • Send y = xe mod n How Alice sends a message to Bob? message x Send y = xe mod n Alice does not need to know Bob’s secret key to send the message. public key: e and n secret key: d
  • 59. Alice Bob • Receive y = xe mod n • Compute z = yd mod n How Bob recover Alice’s message? public key: e and n secret key: d message x Send y = xe mod n Bob uses z is the original message that Alice sent. Decrypting Message
  • 60. RSA Cryptosystem Alice Bob public key: e and n secret key: d message x Send y = xe mod n • Choose 2 large prime numbers p and q. • Set n = pq and T = (p-1)(q-1) • Choose e ≠1 so that gcd(e,T)=1 • Calculate d so that de = 1 (mod T) • Publish e and n as public keys • Keep d as secret key Compute z = yd mod n Key generation Encrypting message Decrypting message
  • 61. This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem •Key generation, encryption, decryption •Correctness •Secure? •Computational issues
  • 62. RSA Cryptosystem Alice Bob For the RSA cryptosytem to work, we need to show: 1) z = x 2) Without the secret key d, we can not compute the original message before the sun burns out. public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n with additional assumptions…
  • 63. Correctness Alice Bob Note that z = yd mod n = xed mod n. Therefore we need to prove x = xed mod n. p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) (a) x mod p = xed mod p (b) x mod q = xed mod q (c) x mod n = xed mod n public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n 1) z = x Therefore, if Alice sends x < n, then Bob can recover correctly.
  • 64. Correctness Alice Bob Hence, xed mod p = x1+k(p-1)(q-1) mod p = x·xk(p-1)(q-1) mod p = x·(xk(q-1))(p-1) mod p Note that de = 1 + kT public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) (a) x mod p = xed mod p 1) z = x = 1 + k(p-1)(q-1)
  • 65. Correctness Alice Bob Fermat’s little theorem: If p | a, then ap-1  1 mod p public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) Hence, xed mod p = x1+k(p-1)(q-1) mod p = x·xk(p-1)(q-1) mod p = x·(xk(q-1))(p-1) mod p = x mod p (a) x mod p = xed mod p 1) z = x a
  • 66. Correctness Alice Bob Hence, xed mod p = x1+k(p-1)(q-1) mod p = x·xk(p-1)(q-1) mod p = x·(xk(q-1))(p-1) mod p public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) (a) x mod p = xed mod p 1) z = x What if p | a? a This means p | xk(q-1), implying p | x, since p is prime Since p | x, we have xed mod p = x mod p = 0.
  • 67. Correctness Alice Bob Note that z = yd mod n = xed mod n. Therefore we need to prove x = xed mod n. p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) (a) x mod p = xed mod p (b) x mod q = xed mod q (c) x mod n = xed mod n public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n 1) z = x (c) can be proved directly, also follows from Chinese Remainder theorem. The same proof.
  • 68. This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem •Key generation, encryption, decryption •Correctness •Secure? •Computational issues
  • 69. Why is this Secure? Alice Bob Method 1: From y=xe mod n, don’t know how to compute x. Thus not possible to work backward. It is an example of an “one-way” function. public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) 2) Without the secret key d, we can not compute the original message before the sun burns out. adversary
  • 70. Why is this Secure? Alice Bob public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) Method 2: Factor n = pq. Compute secrete key d. Then decrypt everything! No one knows an efficient way to do factoring. 2) Without the secret key d, we can not compute the original message before the sun burns out. adversary The security is based on assumptions that some computational problems are hard.
  • 71. This Lecture •Introduction to cryptograph •“Turing code” •Public key cryptography •RSA cryptosystem •Key generation, encryption, decryption •Correctness •Secure? •Computational issues
  • 72. RSA Example Alice Bob p=5 q=11 n = 55 T = 40 e = 7 d = 23 x=33 How to compute it efficiently? public key: e and n secret key: d message x Send y = xe mod n Compute z = yd mod n p, q prime n = pq T = (p-1)(q-1) e s.t. gcd(e,T)=1 de = 1 (mod T) First Bob generated his keys. Then Alice sends the encrypted message. y = 3323 mod 55 y = 84298649517881922539738734663399137 mod 55
  • 73. Exponentiation 1444 mod 713 = 144 * 144 * 144 * 144 mod 713 = 20736 * 144 * 144 mod 713 = 59 * 144 * 144 mod 713 = 8496 * 144 mod 713 = 653 * 144 mod 713 = 94032 mod 713 = 629 mod 713 20736 * 20736 mod 713 = 59 * 59 mod 713 = 3481 mod 713 = 629 mod 713 To compute exponentiation mod n This still takes too long when the exponent is large. This is much more efficient.
  • 74. Repeated Squaring 14450 mod 713 = 14432 14416 1442 mod 713 = 648·485·59 mod 713 = 242 1442 mod 713 = 59 1444 mod 713 = 1442 ·1442 mod 713 = 59·59 mod 713 = 629 1448 mod 713 = 1444·1444 mod 713 = 629·629 mod 713 = 639 14416 mod 713 = 1448·1448 mod 713 = 639·639 mod 713 = 485 14432 mod 713 = 14416·14416 mod 713 = 485·485 mod 713 = 648 Note that 50 = 32 + 16 + 2
  • 75. Generating Public Key • Choose 2 large prime numbers p and q. • Set n = pq and T = (p-1)(q-1) • Choose e ≠1 so that gcd(e,T)=1 • Calculate d so that de = 1 (mod T) • Publish e and n as public keys • Keep d as secret key How to choose large prime numbers efficiently? Given a large number, how to check whether it is prime efficiently?
  • 76. Primality Testing Given a large integer n, determine quickly whether n is prime First test: for i = 1,…,√n, check if i divides n. Need some number theory! We are talking about n with 150 digits. This simply takes too long (2150 steps, sun will burn out). We are looking for an exponential improvement (instead of n, we can only afford roughly log(n) steps), like we did in the extended GCD algorithm.
  • 77. Primality Testing It doesn’t seem to help, since we don’t know how to compute (n-1)! mod n quickly (in roughly log(n) steps). Theorem: n is a prime if and only if (n-1)!  -1 (mod n)
  • 78. Primality Testing 1  an-1 (mod n) Theorem: If n is prime & a not a multiple of n Contrapositive. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Example. Show that 1763 is composite (not a prime number). Let a=2, n=1763. 21762 (mod 1763) = 142 ≠ 1 Therefore, it is composite by (the contrapositive of) Fermat’s little theorem.
  • 79. Primality Testing Contrapositive. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Example. Show that 1387 is composite (not a prime number). Let a=2, n=1387. 21386 (mod 1387) = 1 can not tell whether n is prime or not. Try a=3 31386 (mod 1387) = 1238 ≠ 1 this shows n is composite.
  • 80. Primality Testing Contrapositive. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. “Fermat” test Given n, choose a < n Compute an-1 (mod n) If an-1 (mod n) ≠ 1 conclude that n is a composite number If an-1 (mod n) = 1 try another a Each test takes about log(n) steps. It depends on how many a that we need to try…
  • 81. Primality Testing Contrapositive. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. “Fermat” test Given n, choose a < n Compute an-1 (mod n) If an-1 (mod n) ≠ 1 conclude that n is a composite number If an-1 (mod n) = 1 try another a Unfortunately, there exists n which is composite, but an-1 (mod n) = 1 for every a! These are called Carmichael numbers (e.g. 561, 1105, 1729, etc…)
  • 82. Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Lemma. If n is a prime number, x2  1 (mod n) if and only if x  1 (mod n) or x  -1 (mod n) Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. For n=1387 and a=2, Fermat’s test fails because 21386  1 (mod 1387). Example Note that it is (2693)2 However 2693  512 (mod 1387)  1 (mod 1387) By contrapositive 2, we can conclude that 1387 is a composite number.
  • 83. Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Strong primality test Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) ≠1 Composite by contrapositive 1.
  • 84. Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) =1 Composite by contrapositive 2. ≠1 & ≠-1 Strong primality test
  • 85. Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) =1 Continue to go backward and check =1 Strong primality test
  • 86. Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) =1 End the test and say it is a “probable” prime. =1 =-1 Strong primality test
  • 87. Primality Testing Contrapositive 1. If 1  an-1 (mod n) and a is not a multiple of n, then n is not a prime number. Contrapositive 2. If x2  1 (mod n) but x  1 (mod n) and x  -1 (mod n) then n is a composite number. Let n-1 = 2kd Pick an a. Compute a2kd (mod n), a2k-1d (mod n), a2k-2d (mod n),…, ad (mod n) =1 End the test and say it is a “probable” prime. =1 =1 =1 =1 Strong primality test
  • 88. Primality Testing Given n, pick an a Let n’ = n-1 (so n’ is an even number) If an’ (mod n) ≠ 1, then stop and say “n is composite”. n’ := n’/2; While n’ is an integer do If an’ (mod n) = -1, then stop and say “n is a probable prime”. If an’ (mod n) ≠ 1, then stop and say “n is composite”. n’ := n’/2; Stop and say “n is a probable prime”. Strong primality test
  • 89. Primality Testing Theorem: if n is composite, for more than half of a < n, the strong primality test will say n is composite! So, given a composite n, if we pick a random a, the strong primality test will be incorrect with probability <= 1/2. Thus, if we repeat the procedure for 10000 times, then the probability that the strong primality test is still incorrect is very small (e.g. much smaller than our computer will suddenly crash). For a particular a, the strong primality test takes “about” log(n) steps. But again, there exists n which is composite but pass the test… This is the most efficient method used in practice!
  • 90. Generating Public Key • Choose 2 large prime numbers p and q. • Set n = pq and T = (p-1)(q-1) • Choose e ≠1 so that gcd(e,T)=1 • Calculate d so that de = 1 (mod T) • Publish e and n as public keys • Keep d as secret key How to choose large prime numbers efficiently? Prime number theorem: From 1 to n, there are roughly n/log(n) prime numbers. Pick a random large number, do the (randomized) strong primality tests, until we find a prime! Similar idea
  • 91. Remarks •We have derived everything from basic principle. •RSA cryptosystem is one of the most important achievements in compute science. (The researchers won the Turing award for their contribution.) •Number theory is also very useful in coding theory (e.g. compression). •Mathematics is very important in computer science.
  • 92. More Remarks Theorem: if n is composite, for more than half of a < n, the strong primality test will say n is composite! The proof uses Chinese Remainder theorem and some elementary number theory. (Introduction to Algorithms, MIT press) Theroem (Primes is in P, 2004) There is an efficient and deterministic primality test. Conjecture: It is enough to try a to up to roughly log(n). Major Open Problem: Is there an efficient algorithm to compute the prime factorization?

Editor's Notes

  1. Claim1 was shown in earlier slides. So you need not prove claim 1. Claim 2 is just rephrasing Claim 1. So these two claims were shown.