Discrete Mathmatics

CSE 1107

Module
Number Theory
Rosen, Sections 3-4 to 3-7.

1
 The Integers and Division

Of course, you already know what the integers are, and what division
is…

However: There are some specific notations, terminology, and

theorems associated with these concepts which you may not know.

These form the basics of number theory.

– Vital in many important algorithms today (hash

functions,
cryptography, digital signatures; in general, on-line
security).
2
 The divides operator

New notation: 3 | 12
– To specify when an integer evenly divides another integer
– Read as “3 divides 12”

The not-divides operator: 5 | 12

– To specify when an integer does not evenly divide another integer
– Read as “5 does not divide 12”

3
 Divides, Factor, Multiple

Let a,bZ with a0.

Defn.: a|b  “a divides b” : ( cZ: b=ac)

“There is an integer c such that c times a equals b.”
– Example: 312  True, but 37  False.

Iff a divides b, then we say a is a factor or a divisor of b, and b is a

multiple of a.

Ex.: “b is even” :≡ 2|b. Is 0 even? Is −4?

4
 Results on the divides operator

If a | b and a | c, then a | (b+c)

– Example: if 5 | 25 and 5 | 30, then 5 | (25+30)

If a | b, then a | bc for all integers c

– Example: if 5 | 25, then 5 | 25*c for all ints c

If a | b and b | c, then a | c
– Example: if 5 | 25 and 25 | 100, then 5 | 100

(“common facts” but good to repeat for background)

5
 Divides Relation

Theorem: a,b,c  Z:
1. a|0
2. (a|b  a|c)  a | (b + c)
3. a|b  a|bc
4. (a|b  b|c)  a|c

Corollary: If a, b, c are integers, such that a | b and a | c, then

a | mb + nc whenever m and n are integers.

6
 Proof of (2)

Show a,b,c  Z: (a|b  a|c)  a | (b + c).

Let a, b, c be any integers such that a|b and a|c, and show that a | (b + c).

By defn. of | , we know s: b=as, and t: c=at.

Let s, t, be such integers.

Then b+c = as + at = a(s+t).

So, u: b+c=au, namely u=s+t. Thus a|(b+c). QED

7
 Divides Relation

Corollary: If a, b, c are integers, such that a | b and a | c, then

a | mb + nc whenever m and n are integers.

Proof:
From previous theorem part 3 (i.e., a|b  a|be) it follows that
a | mb and a | nc ; again, from previous theorem part 2 (i.e., (a|
b  a|c)  a | (b + c)) it follows that a | mb + nc
 The Division “Algorithm”

Theorem:
Division Algorithm --- Let a be an integer and d a positive
integer. Then there are unique integers q and r, with 0 ≤r < d,
such that a = dq+r.
It’s really a theorem, not an algorithm…
Only called an “algorithm” for historical reasons.

• q is called the quotient

• r is called the remainder
• d is called the divisor
• a is called the dividend 9
 •q is called the quotient
•r is called the remainder
•d is called the divisor
•a is called the dividend

What are the quotient and remainder when 101 is divided

by 11?

a d q r
101 = 11  9 + 2

We write:
q = 9 = 101 div 11
r = 2 = 101 mod 11

10
 If a = 7 and d = 3, then q = 2 and r = 1, since 7 = (2)(3) + 1.
If a = −7 and d = 3, then q = −3 and r = 2, since −7 = (−3)(3) + 2.

So: given positive a and (positive) d, in order to get r we repeatedly

subtract d from a, as many times as needed so that what remains, r, is
less than d.

Given negative a and (positive) d, in order to get r we repeatedly

add d to a, as many times as needed so that what remains, r, is
positive (or zero) and less than d.
11
 Theorem:
Division “Algorithm” --- Let a be an integer and d a positive integer. Then
there are unique integers q and r, with 0 ≤r<d, such that a=dq+r.

Proof:
We’ll use the well-ordering property directly that states that every set of
nonnegative integers has a least element.

a) Existence

We want to show the existence of q and r, with the property that

a = dq+r, 0 ≤r <d
Consider the set of non-negative numbers of the form a - dq, where q is an integer.

Hmm. Can this set be empty?

Note: this set is non empty since q can be a negative integer with large
absolute value.

By the well-ordering property, S has a least element, r = a - d q 0.

 • q is called the quotient
• r is called the remainder
• d is called the divisor
• a is called the dividend
(Existence, cont.)
r is non-negative; also, r < d.
otherwise if r≥ d, there would be a smaller nonnegative element in S, namely

a - d(q0+1) ≥ 0.

But then a-d(q0+1), which is smaller than a-dq0, is an element of S, contradicting that
a-dq0 was the smallest element of S.

So, it cannot be the case that r ≥ d, proving the existence of 0 ≤ r < d and q.
b) Uniqueness

Suppose

 q, Q, r , R 0  r , R  d such that a  dq  r and a  dQ  R.

Without loss of generality we may assume that q ≤ Q.

Subtracting both equations we have: d (q-Q) = (R – r) (*)

So, d divides (R-r); so, either |d| ≤ | (R –r)| or (R – r) = 0.

Since –d < R - r < d (because 0  r, R  d )

i.e., |R-r| < d, we must have R – r = 0.

So, R = r.

Substituting into the original two equations,

we have dq = d Q (note d≠0) and thus q=Q, proving uniqueness.
(or directly from (*)) QED
 Modular arithmetic
If a and b are integers and m is a positive integer, then
“a is congruent to b modulo m” if m divides a-b
– Notation: a ≡ b (mod m)
– Rephrased: m | a-b
– Rephrased: a mod m = b mod m Note “=“ sign.
– If they are not congruent: a ≡ b (mod m)

Example: Is 17 congruent to 5 modulo 6?

– Rephrased: 17 ≡ 5 (mod 6)
– As 6 divides 17-5, they are congruent
Example: Is 24 congruent to 14 modulo 6?
– Rephrased: 24 ≡ 14 (mod 6)
– As 6 does not divide 24-14 = 10, they are not congruent

Note: this is a different use of “” than the meaning “is defined as” used before.
Time-keeping on a clock gives an
example of modular arithmetic.
(mod 12 in the US;
or mod 24, using the 24hr clock.
Naturally imposed by the periodicity of
earth’s rotation.)
16
 Where is -1?
Spiral Visualization of mod
Where is -7?
The spiral/circular view is useful
to keep in mind when doing
Example shown: ≡0 modular arithmetic!
modulo-5 (mod 5) 20
arithmetic 15 ≡1
10 (mod 5)
≡ 4 19 5 21
14 16
(mod 5) 9
4 0 11
6
3
1 Congruence classes
2
8 7 modulo 5.
13 12
18 17
22 ≡ 2
≡3
(mod 5) (mod 5) Collapses infinite
set of numbers into
So, e.g., 19 is congruent to 9 modulo 5. 5 classes.
 More on congruences

Theorem: Let a and b be integers, and let m be a positive integer.

Then a ≡ b (mod m) if and only if a mod m = b mod m

Theorem:
Let m be a positive integer. The integers a and b are congruent modulo m if
and only if there is an integer k such that a = b + km

Example: 17 and 5 are congruent modulo 6, so

17 = 5 + 2*6
5 = 17 - 2*6
 Even even more on congruence

Theorem: Let m be a positive integer. If a ≡ b (mod m) and c ≡ d (mod m),

then a+c ≡ (b+d) (mod m) and ac ≡ bd (mod m)

Example
– We know that 7 ≡ 2 (mod 5) and 11 ≡ 1 (mod 5)
– Thus, 7+11 ≡ (2+1) (mod 5), or 18 ≡ 3 (mod 5)
– Thus, 7*11 ≡ 2*1 (mod 5), or 77 ≡ 2 (mod 5)

19
Applications of Congruences

20
 Hashing Functions

Also known as:

– hash functions, hash codes, or just hashes.
Two major uses:

– Indexing hash tables

• Data structures which support O(1)-time access.

– Creating short unique IDs for long documents.

• Used in digital signatures – the short ID can be signed, rather than the
long document.

21
 Hash Functions
Example: Consider a a record that is identified by the SSN (9 digits) of
the customer or customer name itself (mapped into binary number).
How can we assign a memory location to a record so that later on it’s
easy to locate and retrieve such a record?

Solution to this problem  a good hashing function.

Records are identified using a key (k), which uniquely identifies each
record.
If you compute the hash of the same data at different times, you should
get the same answer – if not then the data has been modified.

22
 Hash Function Requirements

A hash function h: A→B is a map from a set A to a smaller set B

(i.e., |A| ≥ |B|).

An effective hash function should have the following properties:

– It should cover (be onto) its codomain B.

– It should be efficient to calculate.
– The cardinality of each pre-image of an element of B should be about the
same.
 b1,b2B: |h−1(b1)| ≈ |h−1(b2)|
• That is, elements of B should be generated with roughly uniform probability.
– Ideally, the map should appear random, so that clearly “similar” elements of
A are not likely to map to the same (or similar) elements of B.
23
 Why are these important?

To make computations fast and efficient.

So that any message can be hashed.
To prevent a message being replaced with another with the same hash value.
To prevent the sender claiming to have sent x 2 when in fact the message was x1.

24
 Hash Function Requirements

Furthermore, for a cryptographically secure hash function:

– Given an element bB, the problem of finding an aA such that h(a)=b
should have average-case time complexity of Ω(|B|c) for some c>0.

• This ensures that it would take exponential time in the length of an ID for
an opponent to “fake” a different document having the same ID.

25
 A Simple Hash Using mod
Let the domain and codomain be the sets of all natural numbers
below certain bounds:
A = {aN | a < alim}, B = {bN | b < blim}

Then an acceptable (although not great!) hash function from A to

B (when alim≥blim) is

h(a) = a mod blim.

It has the following desirable hash function properties:

– It covers or is onto its codomain B (its range is B).
– When alim ≫ blim, then each bB has a preimage of about
the same size,
• Specifically, |h−1(b)| = alim/blim or alim/blim.
 A Simple Hash Using mod

– However, it has the following limitations:

• It is not very random. Why not?

For example, if all a’s encountered happen to have the
same residue mod blim, they will all map to the same b!
(see also “spiral view”) But ok, if input data is
uniformly distributed.
• It is definitely not cryptographically secure.
– Given a b, it is easy to generate a’s that map to it.
How?
We know that for any nN, h(b + n blim) = b.
 Collision

Because a hash function is not one-to-one (there are more possible keys
than memory locations) more than one record may be assigned to the
same location  we call this situation a collision.

What to do when a collision happens?

One possible way of solving a collision is to assign the first free location
following the occupied memory location assigned by the hashing
function.

There are other ways… for example chaining

(At each spot in the hash table, keep a linked list of keys sharing this hash
value, and do a sequential search to find the one we need. )
 Digital Signature Application
Many digital signature systems use a cryptographically secure (but public) hash
function h which maps arbitrarily long documents down to fixed-length (e.g.,
1,024-bit) “fingerprint” strings.
Document signing procedure:
– Given a document a to sign, quickly compute its hash b = h(a).
– Compute a certain function c = f(b) that is known only to the signer
• This step is generally slow, so we don’t want to apply it to the whole document.
– Deliver the original document together with the digital signature c.

Signature verification procedure:

– Given a document a and signature c, quickly find a’s hash b = h(a).
– Compute b′ = f −1(c). (Possible if f’s inverse f −1 is made public (but not f ).)
– Compare b to b′; if they are equal then the signature is valid.

What if h was not cryptographically secure?

Note that if h were not cryptographically secure, then an opponent could easily
forge a different document a′ that hashes to the same value b, and thereby attach
someone’s digital signature to a different document than they actually signed, and
fool the verifier!
Pseudorandom numbers

30
 Pseudorandom numbers

Computers cannot generate truly random numbers – that’s why we call them
pseudo-random numbers!

Linear Congruential Method: Algorithm for generating pseudorandom numbers.

Choose 4 integers
– Seed x0: starting value
– Modulus m: maximum possible value
– Multiplier a: such that 2 ≤ a < m
– Increment c: between 0 and m

In order to generate a sequence of pseudorandom numbers, {x n | 0≤ xn <m}, apply

the formula:
xn+1 = (axn + c) mod m
31
 Pseudorandom numbers

Formula: xn+1 = (axn + c) mod m

Let x0 = 3, m = 9, a = 7, and c = 4

x1 = 7x0+4 = 7*3+4 = 25 mod 9 = 7

x2 = 7x1+4 = 7*7+4 = 53 mod 9 = 8
x3 = 7x2+4 = 7*8+4 = 60 mod 9 = 6
x4 = 7x3+4 = 7*6+4 = 46 mod 9 = 1
x5 = 7x4+4 = 7*1+4 = 11 mod 9 = 2
x6 = 7x5+4 = 7*2+4 = 18 mod 9 = 0
x7 = 7x6+4 = 7*0+4 = 4 mod 9 = 4
x8 = 7x7+4 = 7*4+4 = 32 mod 9 = 5 Quite random!

32
 Pseudorandom numbers

Formula: xn+1 = (axn + c) mod m

Let x0 = 3, m = 9, a = 7, and c = 4

This sequence generates:

3, 7, 8, 6, 1, 2, 0, 4, 5, 3 , 7, 8, 6, 1, 2, 0, 4, 5, 3
– Note that it repeats!
– But it selects all the possible numbers before doing so

The common algorithms today use m = 232-1

– You have to choose 4 billion numbers before it repeats
Multiplier 75 = 16,807 and increment c = 0 (pure multiplicative generator)
33
3 million random bits per dollar
Quite a bargain…

34
 Cryptology
(secret messages)

35
 The Caesar cipher

Julius Caesar used the following procedure to encrypt

messages

A function f to encrypt a letter is defined as:

f(p) = (p+3) mod 26
– Where p is a letter (0 is A, 1 is B, 25 is Z, etc.)

Decryption: f-1(p) = (p-3) mod 26

This is called a substitution cipher

– You are substituting one letter with another
36
 The Caesar cipher

Encrypt “go cavaliers”

– Translate to numbers: g = 6, o = 14, etc.
• Full sequence: 6, 14, 2, 0, 21, 0, 11, 8, 4, 17, 18
– Apply the cipher to each number: f(6) = 9, f(14) = 17, etc.
• Full sequence: 9, 17, 5, 3, 24, 3, 14, 11, 7, 20, 21
– Convert the numbers back to letters 9 = j, 17 = r, etc.
• Full sequence: jr wfdydolhuv

Decrypt “jr wfdydolhuv”

– Translate to numbers: j = 9, r = 17, etc.
• Full sequence: 9, 17, 5, 3, 24, 3, 14, 11, 7, 20, 21
– Apply the cipher to each number: f-1(9) = 6, f-1(17) = 14, etc.
• Full sequence: 6, 14, 2, 0, 21, 0, 11, 8, 4, 17, 18
– Convert the numbers back to letters 6 = g, 14 = 0, etc.
• Full sequence: “go cavaliers”

37
 Rot13 encoding

A Caesar cipher, but translates letters by 13 instead of 3

– Then, apply the same function to decrypt it, as 13+13=26
Rot13 stands for “rotate by 13”

Example:
>echo Hello World | rot13
Uryyb Jbeyq
> echo Uryyb Jbeyq | rot13
Hello World

38
Primes and Greatest Common Divisor
 Prime numbers

A positive integer p is prime if the only positive factors of p are 1 and p

– If there are other factors, it is composite
– Note that 1 is not prime!
• It’s not composite either – it’s in its own class

An integer n is composite if and only if there exists an integer a such

that a | n and 1 < a < n

40
 Fundamental theorem of arithmetic
Fundamental Theorem of Arithmetic:

Every positive integer greater than 1 can be uniquely written as a prime or as

the product of two or more primes where the prime factors are written in
order of non-decreasing size

Examples
– 100 = 2 * 2 * 5 * 5
– 182 = 2 * 7 * 13
– 29820 = 2 * 2 * 3 * 5 * 7 * 71

In a fundamental sense, primes are the building blocks of the natural numbers.
 Fundamental theorem of arithmetic:
Strong Induction
[from before]
Show that if n is an integer greater than 1, then n can be written as the
product of primes.
1 - Hypothesis P(n) - n can be written as the product of primes.

2 – Base case – P(2) 2 can be written a 2 (the product of itself)

3 – Inductive Hypothesis - P(j) is true for  2 ≤j ≤k, j integer.

a) k+1 is prime – in this case it’s the product of itself;

4 – Inductive step?
b) k+1 is a composite number and it can be written as
the product of two positive integers a and b, with 2 ≤a ≤ b ≤ k+1.
What’s missing? By the inductive hypothesis, a and b can be written as the
product of primes, and so does k+1 ,

Uniqueness proof,
soon…
QED
 Composite factors

Theorem: If n is a composite integer, then n has a prime divisor

less than or equal to the square root of n
Proof
– Since n is composite, it has a factor a such that 1<a<n
– Thus, n = ab, where a and b are positive integers greater than 1
– Either a≤n or b≤n (Otherwise, assume a > n and b > n, then
ab > n*n > n. Contradiction.)
– Thus, n has a divisor not exceeding n
– This divisor is either prime or a composite
• If the latter, then it has a prime factor (by the FTA)
– In either case, n has a prime factor less than n

QED
 Showing a number is prime

E.g., show that 113 is prime. How?

Solution
– The only prime factors less than 113 = 10.63 are 2, 3, 5, and 7
– None of these divide 113 evenly
– Thus, by the fundamental theorem of arithmetic, 113 must be prime

44
 Showing a number is composite

Show that 899 is composite.

Solution
– Divide 899 by successively larger primes, starting with 2
– We find that 29 and 31 divide 899

45
On a linux system or in cygwin, enter “factor 899”

> factor 899

899: 29 31

>factor 89999999999999999
89999999999999999: 7 7 13 6122449 23076923
 Some “random” numbers factored (using “factor”)

12304: 2 2 2 2 769
12304038495: 3 5 7 3109 37691
29485404038495: 5 5897080807699
294854040334945723: 67 2472061 1780217629
29485404033420344: 2 2 2 1109 3323422456427
294854043485472: 2 2 2 2 2 3 151 173 117574409
29485404203484: 2 2 3 101 103 229 1031411
9348492404203484: 2 2 7 23 14516292553111
928439237492742742: 2 13 89 10453 12821 2993831
9284392329378472: 2 2 2 31321 37053384029
9284392329378472323: 3 3 3 307 1120085936708707
Hmm. Apparent pattern of a several small prime factors ending with one or two
very large primes. Real? Still many mysteries in prime number patterns …
Open questions about exact distribution of primes closely related to the main
open problem in math: the Riemann hypothesis concerning distr. of zeros of
the Riemann zeta-function.
Theorem: There are infinitely many primes.

See our earlier proof by contradiction.

48
 Mersenne numbers
Mersenne number: any number of the form 2n-1

Mersenne prime: any prime of the form 2p-1, where p is

also a prime
– Example: 25-1 = 31 is a Mersenne prime
– But 211-1 = 2047 is not a prime (23*89) 

If M is a Mersenne prime, then M(M+1)/2 is a perfect

number
– A perfect number equals the sum of its divisors
– Example: 23-1 = 7 is a Mersenne prime, thus 7*8/2 = 28 is a perfect
number
• 28 = 1+2+4+7+14

– Example: 25-1 = 31 is a Merenne prime, thus 31*32/2 = 496 is a

perfect number
496 = 2*2*2*2*31  1+2+4+8+16+31+62+124+248 = 496
The largest primes found are Mersenne primes.

Since, 2p-1 grows fast, and there is a quite efficient test – Lucas-Lehmer
test – for determining if a Mersenne prime is prime.
52
So, there’s still some easy cash to be made! 

53
9,808,358 digits… that’s close!  54
12M digit prime found! Prize awarded Oct. 14!

55
TIME’s Best Inventions of 2008.

56
Also, what special patterns are there (if any) in the digits of prime numbers?
57
 The prime number theorem
The ratio of the number of primes not exceeding x and x/ln(x) approaches 1 as x
grows without bound
– Rephrased: the number of prime numbers less than x is approximately x/ln(x)
(in 1792 by Gauss at 15...)
– Rephrased: the chance of an number x being a prime number is (roughly) 1 / ln(x)
(density: there are n numbers up to n with roughly n/ln(n)
being prime. So, frequency of primes among n numbers is around 1/ln(n).)
– So, less frequent for higher x
– But still, there are many primes!! (key for crypto!!)

Consider 200 digit prime numbers

– ln (10200)  460
– The chance of a 200 digit number being prime is 1/460
– If we only choose odd numbers, the chance is 2/460 = 1/230
So, actually x /(ln x – 1) is better estimate of number of primes .
 Greatest common divisor

The greatest common divisor of two integers a and b is the largest

integer d such that d | a and d | b
– Denoted by gcd(a,b)

Examples
– gcd (24, 36) = 12
– gcd (17, 22) = 1
– gcd (100, 17) = 1
 Relative primes

Two numbers are relatively prime if they don’t have any common
factors (other than 1)
– Rephrased: a and b are relatively prime if
gcd (a,b) = 1

gcd (25, 16) = 1, so 25 and 16 are relatively prime

63
 Pairwise relative prime

A set of integers a1, a2, … an are pairwise relatively prime if, for
all pairs of numbers, they are relatively prime
– Formally: The integers a1, a2, … an are pairwise relatively
prime if gcd(ai, aj) = 1 whenever 1 ≤ i < j ≤ n.

Example: are 10, 17, and 21 pairwise relatively prime?

– gcd(10,17) = 1, gcd (17, 21) = 1, and gcd (21, 10) = 1
– Thus, they are pairwise relatively prime
Example: are 10, 19, and 24 pairwise relatively prime?
– Since gcd(10,24) ≠ 1, they are not

64
 More on gcd’s

Given two numbers a and b, rewrite them as:

a  p1a1 p2a2 ... pnan , b  p1b1 p2b2 ... pnbn

– Example: gcd (120, 500)

• 120 = 23*3*5 = 23*31*51
• 500 = 22*53 = 22*30*53
Then compute the gcd by the following formula:

gcd(a, b)  p1min( a1 ,b1 ) p2min( a2 ,b2 ) ... pnmin( an ,bn )

– Example: gcd(120,500) = 2min(3,2) 3min(1,0) 5min(1,3) = 22 30 51 = 20

 Least common multiple

The least common multiple of the positive integers a and b is the

smallest positive integer that is divisible by both a and b.
– Denoted by lcm (a, b)

lcm(a, b)  p1max( a1 ,b1 ) p2max( a2 ,b2 ) ... pnmax( an ,bn )

Example: lcm(10, 25) = 50

What is lcm (95256, 432)?

– 95256 = 233572, 432=2433
– lcm (233572, 2433) = 2max(3,4)3max(5,3)7max(2,0)
= 24 35 72 = 190512
 lcm and gcd theorem

Theorem: Let a and b be positive integers.

Then a*b = gcd(a,b) * lcm (a, b)

Example: gcd (10,25) = 5, lcm (10,25) = 50

So, 10*25 = 5*50

Example: gcd (95256, 432) = 216, lcm (95256, 432) = 190512

So, 95256*432 = 216*190512 (likely)
Two algs.: Exp. in # of digits! 
How do we find the gcd? 1)Try all #s up to smallest
2)Factor #s.
 Euclid’s Algorithm for GCD
Finding GCDs by comparing prime factorizations can be difficult when
the prime factors are not known! And, no fast alg. for factoring is
known. (except …)
On quantum computer!
Euclid discovered: For all ints. a, b

gcd(a, b) = gcd((a mod b), b).

How can this be useful? (assume a>b)

Sort a, b so that a>b, and then (given b>1) Euclid of

(a mod b) < a, so problem is simplified. Alexandria
325-265 B.C.
Theorem: Let a =bq+r, where a, b, q, and r are integers.
Then gcd(a,b) = gcd(b,r)

Suppose a and b are the natural numbers whose gcd has to be

determined. And suppose the remainder of the division of a by b is r.
Therefore a = qb + r where q is the quotient of the division.

Any common divisor of a and b is also a divisor of r. To see why this is

true, consider that r can be written as r = a − qb. Now, if there is a
common divisor d of a and b such that a = sd and b = td, then
r = (s−qt)d. Since all these numbers, including s−qt, are whole
numbers, it can be seen that r is divisible by d. (Also, by corollary
on slide 6.)

Similarly, any common divisor of b and r is also a divisor of a. Note that

a = qb +r. Hence a common divisor of b and r also divides a.

It follows that gcd(a,b) = gcd(b,r).

QED
 Euclidean Algorithm

Lemma: Let a = bq + r, where a, b, q, and r are

integers. Then gcd(a, b) = gcd(b, r)

procedure procedure (a,b:positive integers)

x := a
y := b
while y  0 Arises when r = 0. So, y
begin
r := x mod y divides x. But “x:=y” and
x := y “y:=0”, so return x. Also
y := r note that gcd(a,0) = a.
end { gcd(a, b) is x }

What about the “y=0” case? Do we need a >= b? hmm…

70
 Euclid’s Algorithm Example
gcd(372,164) = gcd(164,2000+
372 mod 164).
yr alg. makes
E-commerce
– 372 mod 164 = 372164 possible! = 372328 = 44.
372/164 = 372164·2
gcd(164,44) = gcd(44, 164 mod 44).
– 164 mod 44 = 16444 164/44 = 16444·3 = 164132 = 32.
gcd(44,32) = gcd(32, 44 mod 32)
= gcd(32,12) = gcd(12, 32 mod 12)
= gcd(12,8) = gcd(8, 12 mod 8)
= gcd(8,4) = gcd(4, 8 mod 4)
= gcd(4,0) = 4.

So, we repeatedly swap the numbers. Largest first. “mod” reduces

them quickly!
O(log b) divisions. Linear in #digits of b!
Complexity? Guess… Compare to direct search for divisor.
(Lame`’s thm. Section 4.3)
Integers and Algorithms

72
 Base-b number systems

Ordinarily, we write base-10 representations of numbers, using digits 0-9.

Of course, any base b>1 will work.
For any positive integers n,b, there is a unique sequence
ak ak-1… a1a0 of digits ai<b such that: Hmm. What about base 1?
Unary notation; “mainly” quite inefficient.
Why bother with
k
n  a b i “unary”?
i Complexity of algs.:
The “base b i 0 always think about, what
expansion is the length of the input.
Some problems still
of n” 73
hard even with unary input!
 Base Systems

Theorem: Base b expansion of a number

Let b be a positive integer greater than 1. Then if n is a positive

integer, it can be expressed uniquely in the form

n = ak bk ^k + ak-1 bk-1 ^(k-1)+ … + a1 b^1 + a0

Where k is a non-negative integer, a0, a1, …, ak are nonnegative

integers less than b, and ak ≠0

(Proof by induction)
74
 Bases of Particular Interest

Used “only” because we

have 10 fingers
Base b=10 (decimal):
10 digits: 0,1,2,3,4,5,6,7,8,9. The modern
digital world!
Base b=2 (binary):
2 digits: 0,1. (“Bits”=“binary digits.”)
Base b=8 (octal):
Octal digits correspond to
8 digits: 0,1,2,3,4,5,6,7. groups of 3 bits

Base b=16 (hexadecimal):

16 digits: 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F
Hex digits give groups of 4 bits
 Converting to Base b

(An algorithm, informally stated.)

To convert any integer n to any base b>1:
To find the value of the rightmost (lowest-order)
digit, simply compute n mod b.
Now, replace n with the quotient n/b.
Repeat above two steps to find subsequent digits,
until n is gone (=0).
 Constructing Base b Expansions

procedure base b expansion (n:positive integer)

q := n
k := 0
while (q  0)
begin
ak := q mod b
q :=  q / b 
k := k + 1
end {the base b expansion of n is (ak-1 ak-2 . . . a1 a0 )b }

78
N=25 in binary?
N  25
a0  25 mod 2  1 So, we have 25 in binary
N  25 / 2  12 is 11001.
a1  12 mod 2  0
N  12 / 2  6
a2  6 mod 2  0
N  6/2  3
a 3  3 mod 2  1
N  3/ 2 1
a4  1 mod 2  1
N= 23670 in hexadecimal?

23670 mod 16 = 6;
6

N=  23670/16  = 1479 mod 16 = 7 76

N=  1479/16  = 92 mod 16 = 12 C76

N= 92/16  = 5 mod 16 = 5 5C76

80
 Addition of Integers
in Binary Notation
As you have known since grade 1 or before …  Correctness
proof?
procedure add (a,b:positive integers)
c := 0
for j := 0 to n - 1 Complexity? (#additions)
begin
d :=  (aj + bj + c) / 2  O(n),
sj := aj + bj + c - 2d where n is number of bits!
c := d (log of the size of the number)
end
sj := c
{the binary expansion of the sum is (sn sn-1 . . . s0 )2 }

{the binary expansions of a and b are:

an-1,an-2,… a1,a0 and
bn-1,bn-2,… b1,b0}
 Multiplying Integers

procedure multiply (a,b:positive integers)

c := 0
for j := 0 to n - 1 Complexity? (additions and shifts)
begin
if bj then cj := a shifted j places O(n2)
else cj := 0
end
p := 0
for j := 0 to n – 1
p := p + cj
{p is the value of ab }
{the binary expansions of a and b are:
an-1,an-2,… a1,a0 and
82
bn-1,bn-2,… b1,b0} Note: There are more efficient algorithms for multiplication!
 Modular Exponentiation

Problem: Given large integers b (base), n (exponent), and

m (modulus), efficiently compute bn mod m.

– Note that bn itself may contain a very large number of digits.

Yet, this is a type of calculation that is commonly required

in modern cryptographic algorithms! Hmm.
 Modular Exponentiation:
Using Binary Expansion of exponent n
The binary expansion of n
Note that:
ak 1 2 k 1  ak 2 2 k 2   a0 2 0
b b
n

2 k 1 ak 1 2 k 2 a k 2 2 0 a0
 (b )  (b )    (b )

We can compute b to various powers of 2 by repeated squaring.

– Then multiply them into the partial product, or not, depending on
– whether the corresponding ai bit is 1.

Problem solved?
Crucially, we can do the mod m operations as we go along,
because of the various identity laws of modular arithmetic.
– All the numbers stay small.
 11
Example: 3 Note: 11 = (1011)2

So, 311  383231

By successively squaring: 32  9; 34  9 2  81;38  812  6561

Therefore: 3  3 3 3  6561 9  3  177,147

11 8 2 1

The algorithm successively computes:

2 4 2 k 1
b mod m, b mod m, b mod m, , b mod m,
2j
multiplyin g together the terms b mod m, where a j  1
 Modular Exponentiation

procedure modular exponentiation (b:integer, ak−1 ak−2 …a0:binary representation

of n, m: positive integer)
x := 1
power := b mod m
for i := 0 to k−1
begin
if ai = 1 then x := (x ． power) mod m
power := (power ． power) mod m
end
2i 1 22i 2i 2i
return x b b  (b )  (b )

86
Example: 3644 mod 645 Aside: 3644 is HUGE but final
answer between 0 and 644. 
Note: 644 = (1010000100)2
Steps performed by the algorithm:

So , 3644 mod 645 = 36.

Key point: you compute successive powers but numbers
stay small because of repeated Mod operation!
Two Additional Applications:

1 - Performing arithmetic with large numbers

2 - Public Key System

 require some additional results in Number Theory

 Additional Number Theory Results
Theorem:
 a,b integers, a,b >0: s,t: gcd(a,b) = sa + tb

Lemma 1:
 a,b,c>0: gcd(a,b)=1 and a | bc, then a|c

Lemma 2:
– If p is prime and p|a1a2…an (integers ai),
then i: p|ai.

Theorem 2:
– If ac ≡ bc (mod m) and gcd(c,m)=1,
then a ≡ b (mod m).
 Proof of Theorem 1
Theorem 1: a≥ b≥ 0 st: gcd(a,b) = sa + tb
Proof: By induction over the value of the larger argument a.

Note: From Euclid theorem (“reducing the size of a”), we know that gcd(a,b) =
gcd(b,c) with c = a mod b, in which case a = kb +c for some integer k,
so c = a − kb.

With b < a and c < b (see base case below for boundary cases), by the inductive
hypothesis (strong induction), we can assume that uv: gcd(b,c) = ub +vc.
Substituting for c, this is ub+v(a−kb), which we can
regroup to get va + (u−vk)b. So, now let s = v, and let t = u−vk, and we’re done with
induction step. Base case?

The base case is solved by considering: s = 1, t = 0, which works for gcd(a,0),

or if a=b originally (also handles gcd(0,0)). QED
 Example:

gcd(252,198) = 18.

Let’s express 18 as a linear combination of 252 and 198.

Using the divisions performed by the Euclid Algorithm:

252 = 1 198 + 54 (from 252 mod 198 = 54)

198 =
So, 3  54 + 36 (from
gcd(252,198) = 18 198
= 4mod 54 =– 36)
x 252 5 x 198.
54 = 1  36 +18 etc.
36 = 2  18 gcd(252,198) =
I.e., the gcd is a linear combination of the original numbers. gcd(198,54) =
Intriguing
So, 18 = 54 -property of 3the
1  36 (fromrd gcd!! One of the mulipliers has to be negative.
equation)
36 = 198 – 3  54 (from 2 equation)
th gcd(54,36) =
Therefore 18 = 54 - 1  (198 – 3  54) = 4  54 – 1  198 gcd(36,18) =
But 54 = 252 - 1 198; so substituting this expression for 54:
gcd(18,0) =
18 = 4 (252 - 1 198) - 1  198 = 4  252 – 5  198 18
E.g.
gcd(17,5) = 1 (i.e. one argument is prime, or relative primes)

1 = -7 x 17 + 24 x 5
= 8 x 17 – 27 x 5

0, 17, 34, 51, 68, 85, 102, 119, 136 …

92
 Proof of Lemma 1

Lemma 1: gcd(a,b) = 1 and a|bc, then a|c.

Proof: Applying theorem 1, s, t: sa+tb = 1. Multiplying through by c,

we have that sac + tbc = c. Since a|bc is given, we know that a|tbc,
and obviously a|sac. Thus, it follows that a|(sac+tbc). So, we have
that a|c. ■

Alt. proof: Consider the prime factorization of a, b, and c.

Aside: But, why don’t we want to use this property for now?
 Proof of Lemma 2

Lemma 2: If prime p|a1…an then i: p|ai.

Proof: If n=1, this is immediate since p|a1 then p|a1.

Suppose the lemma is true for all n<k and suppose
p|a1…ak. Consider m=a1…ak-1. If p|m, then we have
it inductively. Otherwise, we have p|mak but ¬(p|
m). Since m is not a multiple of p, and p has no
factors, m has no common factors with p, thus
gcd(m,p)=1. So, by applying lemma 1, p|ak. ■
94
 Uniqueness of Prime Factorizations
The “other” part of proving the Fundamental Theorem of Arithmetic.

“The prime factorization of any number n is unique.”

Theorem: If p1…ps = q1…qt are equal products of two
nondecreasing sequences of primes, then s=t and pi = qi for all i.
Proof: Assume (without loss of generality) that all primes in
common have already been divided out, so that ij: pi ≠ qj. But
since p1…ps = q1…qt, we have that p1|q1…qt, since p1·(p2…ps) =
q1…qt. Then applying lemma 2, j: p1|qj. Since qj is prime, it has
no divisors other than itself and 1, so it must be that pi=qj. This
contradicts the assumption ij: pi ≠ qj. The only resolution is that
after the common primes are divided out, both lists of primes were
empty, so we couldn’t pick out p1. In other words, the two lists
must have been identical to begin with!
Aside: Property is so well-known, that there is a temptation to
assume it’s “obvious”. Not so. You need the proof! If it were
QED
false, math would be very different. (primes are the building blocks of numbers)
 Proof of Theorem 2

Theorem 2: If ac ≡ bc (mod m) and gcd(c,m)=1,

then a ≡ b (mod m).

Proof: Since ac ≡ bc (mod m), this means

m | ac−bc. Factoring the right side, we get m | c(a − b).
Since gcd(c,m)=1 (c and m are relative prime), lemma 1
implies that m | a−b, in other words, a ≡ b (mod m).
QED
96
 An Application of Theorem 2

Suppose we have a pure-multiplicative pseudo-random

number generator {xn} using a multiplier a that is
relatively prime to the modulus m.
– Then the transition function that maps from xn to xn+1 is
bijective. One-to-one but why onto? Hmm?
• Because if xn+1 = axn mod m = axn′ mod m, then xn=xn′ (by theorem 2).
– This in turn implies that the sequence of numbers generated
cannot repeat until the original number is re-encountered.
– And this means that on average, we will visit a large fraction
of the numbers in the range 0 to m−1 before we begin to
Can you construct a small cycle?
repeat!
• Intuitively, because the chance of hitting the first number in the
sequence is 1/m, so it will take Θ(m) tries on average to get to it.
– Thus, the multiplier a ought to be chosen relatively prime to
the modulus, to avoid repeating too soon.
 Linear Congruences, Inverses
A congruence of the form ax ≡ b (mod m) is called a linear congruence.
– To solve the congruence is to find the x’s that satisfy it.

An inverse of a, modulo m is any integer a′ such that a′a ≡ 1 (mod m).

– If we can find such an a′, notice that we can then solve ax ≡ b by multiplying
through by it, giving a′ax ≡ a′b, thus 1·x ≡ a′b, thus x ≡ a′b (mod m).

Theorem 3:
If gcd(a,m) = 1 and m>1, then a has a unique (modulo m) inverse a′.

Proof: By theorem 1, st: sa+tm = 1, so sa+tm ≡ 1 (mod m).

Since tm ≡ 0 (mod m), sa ≡ 1 (mod m). Thus s is an inverse of a (mod m).

Theorem 2 guarantees that if ra ≡ sa ≡ 1 (mod m) and gcd(a,m) = 1,

then r ≡ s (mod m). Thus this inverse is unique mod m.
(All inverses of a are in the same congruence class as s.)
QED

Linear congruences are the basis for doing arithmetic with very large integers.
Example:
Find an inverse of 4 modulo 9

Since gcd(4, 9) = 1, we know that there is an inverse of 4, modulo 9.

Using the Euclidean algorithm to find the greatest common divisor :

9=2 4+1

So, -2 4 + 1  9 = 1

Take mod 9 both sides.: -2 x 4 ≡ 1 (mod 9).

It follows that -2 is an inverse of 4 module 9.

We have: -2 x 4 = -8.
And -8 mod 9 = 1.
Also, so is every integer congruent to -2 modulo 9,
e.g., -2, 7, -11, 16, etc.
What are the solutions of the linear congruence 4x ≡ 5 (mod 9)?

Since we know that -2 is an inverse for 4 mod 9, we can multiply both sides of
the linear congruence:

-2  4x ≡ -2  5 (mod 9)

Since -8 ≡ 1 (mod 9) and -10 ≡ 8 (mod 9), it follows that

x ≡ -10 ≡ 8 (mod 9).

(We can check that indeed, 4x ≡ 4  8 ≡ 5 (mod 9).)

So, solutions to the congruence are integers x such that x ≡ 8 (mod) 9,

namely, 8, 17, 26, …, and -1, -10, etc.
Ancient Chinese Puzzle:

There are certain things whose number is unknown. When divided by

3, the remainder is 2; when divided by 5, the remainder is 3; and
when divided by 7, the remainder is 2. What is the number of things?

Stated formally: Argh!!


What’s x such that: s ?
s x ≡ 23 (mod 105)
x mod 3 = 2 ue
x mod 5 = 3 G but how??
x mod 7 = 2
I.e., we have to solve a set of
Or, equivalently,
linear congruences.
x ≡ 2 (mod 3)
Note you need the different
x ≡ 3 (mod 5)
“modulos” to have it
x ≡ 2 (mod 7)
make sense.
 Chinese Remainder Theorem
Theorem: (Chinese remainder theorem.) Let m1,…,mn > 0
be relative prime. Then the system of equations
x ≡ ai (mod mi) (for i=1 to n) has a unique solution
modulo m = m1·…·mn.

Proof: Let Mi = m/mi. Thus gcd(mi, Mi)=1.

So by thm 3, yi such that yi Mi ≡ 1 (mod mi).
Now let x = ∑i ai yi Mi.
Since mi | Mk for k ≠ i, we have Mk ≡ 0 (mod mi).
So, x mod mi = ∑l al yl Ml mod mi = ai yi Mi mod mi = ai mod mi.

Thus, x ≡ ai (mod mi). Holds for each i.

Thus, the congruences hold.

(Uniqueness left as exercise.) QED

102
What’s x such that: m = m1·…·mn.
x ≡ 2 (mod 3) (So, a1 = 2, etc. Mi = m/mi
x ≡ 3 (mod 5) and m1 = 3 etc.)
x ≡ 2 (mod 7)? yi Mi ≡ 1 (mod mi).
Using the Chinese Remainder theorem: x = ∑i ai yi Mi
m = 357 = 105

M1 = m/3 = 105/3 = 35
2 is an inverse of M1 = 35 (mod 3) (since 35x2 ≡ 1 (mod 3)
M2 = m/5 = 105/5 = 21
1 is an inverse of M2 = 21 (mod 5) (since 21x1 ≡ 1 (mod 5)
M3 = m/7 = 15
1 is an inverse of M3 = 15 (mod 7) (since 15x1 ≡ 1 (mod 7)

So , x ≡ 2  2  35 + 3  1  21 + 2  1  15 = 233 ≡ 23 (mod 105)

So answer: x ≡ 23 (mod 105)

We’re solving equations in modular arithmetic!!

 Computer Arithmetic with Large Ints

By Chinese Remainder Theorem, an integer a

where 0 ≤ a < m = ∏ mi, gcd(mi,mj≠i) = 1,
can be represented by a’s residues mod mi as
an n-tuple: (a mod m1, a mod m2, …, a mod mn)

Implicitly, represents the equations

x ≡ ai (mod mi), with ai = a mod mi.

By the CRT, there is a unique solution (mod m) to these

equations. Consider x ≡ a mod m, with m = ∏ mi.
Example:

How to represent uniquely non-integer integers less than 12 by pairs,

where the first component is the remainder of the integer upon division by
3 and the second component is the remainder of the integer upon division
by 4? (note: 3 and 4 are relative prime.)

We represent x by the tuple (x mod 3, x mod 4).

Finding the remainder of each integer divide by 3 and 4, we obtain:

0=(0,0); 1=(1,1); 2=(2,2); 3=(0,3); 4=(1,0); 5=(2,1); 6=(0,2);

7=(1,3); 8=(2,0); 9= (0,1); 10 = (1,2); 11= (2,3)

E.g. 5 = ((5 mod 3), (5 mod 4))

Note we have the right “number of pairs”, i.e., 12.

One for each number up to 4x3 -1. Also, we are using two small numbers
to represent a bigger one (up to the size of the product of the smaller
numbers.)
 Computer Arithmetic with Large Ints

To perform arithmetic upon large integers

represented in this way,
– Simply perform ops on these separate residues!
• Each of these might be done in a single machine op.
• The ops may be easily parallelized on a vector machine.

– Works so long as the desired result < m.

Example: Suppose we can perform operation with integers less than
100
can be done easily; we can restrict ourselves to integers less than 100, if
we represent the integers using their remainders modulo pairwise
relatively prime integers less than 100; e.g., 99, 98, 97, 95.

By the Chinese remainder theorem, any number up to

9998  97  95 = 89,403,930 can be represented uniquely by its
remainders when divided by these four moduli.

E.g, the number

123,684 can be represented as
(123,684 mod 99; 123,684 mod 98; 123,684 mod 97; 123,684 mod 95) = (33,8,9,89)
413,456 can be represented as
(413,456 mod 99; 413,456 mod 98; 413,456 mod 97; 413,456 mod 95) = (32,92,42,16)
To perform a sum we only have to sum the residues:
(33, 8, 9, 89)+(32, 92 , 42, 16)
= (65 mod 99. 100 mod98, 51mod97, 105mod95)
= (65, 2, 51, 10)

To find the sum we just have to solve the system of linear congruences
(see earlier slides):

x ≡ 65 (mod99)
x ≡ 2 (mod98)
x ≡ 51 (mod97)
x ≡ 10 (mod95)

Solution: 537,140
 “Bigger” Example
For example, the following numbers are relatively prime:
m1 = 225−1 = 33,554,431 = 31 · 601 · 1,801
m2 = 227−1 = 134,217,727 = 7 · 73 · 262,657
m3 = 228−1 = 268,435,455 = 3 · 5 · 29 · 43 · 113 · 127
m4 = 229−1 = 536,870,911 = 233 · 1,103 · 2,089
m5 = 231−1 = 2,147,483,647 (prime)

Thus, we can uniquely represent all numbers up to

m = ∏mi ≈ 1.4×1042 ≈ 2139.5 by their residues ri modulo these five mi.
– E.g., 1030 = (r1 = 20,900,945; r2 = 18,304,504; r3 = 65,829,085;
r4 = 516,865,185; r5 = 1,234,980,730)

To add two such numbers in this representation,

– Just add their corresponding residues using machine-native 32-bit integers.
– Take the result mod 2k−1:
• If result is ≥ the appropriate 2k−1 value, subtract out 2k−1
– Note: No carries are needed between the different pieces!

– Do we save on space (# digits)?

 Pseudoprimes

Recall:

Theorem: If n is a composite integer, then n has a prime

divisor less than or equal to the square root of n

So to check if a number n is prime, we check if all its

prime factors less than n divide n. If not, the number is
prime.
Is there a faster way of checking if a number is prime?
 Pseudoprimes
Ancient (?)
Chinese mathematicians noticed that whenever n is
prime, 2n−1 ≡ 1 (mod n).
– Calculate using mod exponentiation.
– Some also claimed that the converse was true.

However, it turns out that the converse is not true!

– If 2n−1≡1 (mod n), it doesn’t follow that n is prime.

• For example, 341=11·31, but 2 340 ≡ 1 (mod 341). (not so easy to find the
counter example.  use modular exponentiation)

Composites
If conversenwas
withtrue,
this property are called
what would be apseudoprimes.
great test for primality?
– More generally, if bn−1 ≡ 1 (mod n) and n is composite, then n is called a
pseudoprime to the base b.
vs. Fermat’s Last Thm.
a^n + b^n = c^n has Fermat’s Little Theorem
no solutions for n >= 3.

Fermat generalized the ancient observation that

2p−1≡1 (mod p) for primes p to the following more
general theorem:
Theorem: (Fermat’s Little Theorem.)
– If p is prime and a is an integer not divisible by p,
then
ap−1 ≡ 1 (mod p).
– Furthermore, for every integer a
ap ≡ a (mod p).
112
Proof outline in ex. 17, sect. 3.7.
 Consider: ap−1 ≡ 1 (mod p).

E.g., p = 5, a = 6, gives ap−1 ≡ 1 (mod p)

64 = 1296 = 259 x 5 + 1

But, if p is NOT prime, e.g.,

p = 8, a = 6, gives ap−1≡ 0 (mod p)
67 = 279,936 = 34,992 * 8 + 0

What does this suggest as a primality test?

113
 Carmichael numbers

These are sort of the “ultimate pseudoprimes.”

A Carmichael number is a composite n such that
a n−1 ≡ 1 (mod n) for all a relatively prime to n.

The smallest few are 561, 1105, 1729, 2465, 2821,

6601, 8911, 10585, 15841, 29341.

These numbers are important since they fool the Fermat primality test:
They are “Fermat liars”.
The Miller-Rabin (’76 / ’80) randomized primality testing algorithm
eliminates problems with Carmichael problems. Polytime in number of digits!
 Number Theory:
RSA and Public-key Cryptography

Alice and Bob have never met but they would like to
exchange a message. Eve would like to eavesdrop.

They could come up with a good

encryption algorithm and exchange the
encryption key – but how to do it without
Eve getting it? (If Eve gets it, all security
is lost.)

CS folks found the solution:

public key encryption. Quite remarkable
that that is feasible. 117
 Number Theory:
Public Key Encryption

RSA – Public Key Cryptosystem (why RSA?)

Uses modular arithmetic and large primes  Its security comes from the computational difficulty
of factoring large numbers. 118
 Public Key Cryptography

In private key cryptosystems, the same secret “key” string is used to both encode and
decode messages.
– This raises the problem of how to securely communicate the key strings.
In public key cryptosystems, instead there are two complementary keys.
– One key decrypts the messages that the other one encrypts.
This means that one key (the public key) can be made public, while the other (the
private key) can be kept secret from everyone.
– Messages to the owner can be encrypted by anyone using the public key, but can only
be decrypted by the owner using the private key.
• Like having a private lock-box with a slot for messages.
– Or, the owner can encrypt a message with the private key, and then anyone can decrypt
it, and know that only the owner could have encrypted it.
• This is the basis of digital signature systems.

The most famous public-key cryptosystem is RSA.

– It is based entirely on number theory and uses all the number theory we have
seen so far.
 Rivest-Shamir-Adleman (RSA)

The private key consists of:

– A pair p, q of large random prime numbers, and
– d, an inverse of e modulo (p−1)(q−1), but not e itself.

The public key consists of:

– The product n = pq (but not p and q), and
– An exponent e that is relatively prime to (p−1)(q−1).

To encrypt a message encoded as an integer M < n:

– Compute C = Me mod n. (using exponentiation mod n)

To decrypt the encoded message C,

– Compute M = Cd mod n. (again, using exponentiation mod n)
 RSA Approach

Encode:
C = Me (mod n)
M is the plaintext; C is ciphertext
n = pq with p and q large primes (e.g. 200 digits long!)
e is relative prime to (p-1)(q-1)

Decode:
Cd = M (mod pq)
d is inverse of e modulo (p-1)(q-1)

The process of encrypting and decrypting a message

correctly results in the original message (and it’s fast!)
121
 RSA Approach

Encode:
C = Me (mod n)
M is the plaintext; C is ciphertext
n = pq with p and q large primes (e.g. 200 digits long!)
e is relative prime to (p-1)(q-1)

Ex: Encode “STOP” using RSA, with p=43;q=59 therefore n=4359=2537, e =13;
(note that gcd(e,(p-1),(q-1)) = gcd(13,4258)=1)

S  18 P 19 O 14 T15 i.e, 1819 1415, grouped into blocks of 4

1819 and 1415
Each block is encrypted using C = Me (mod n)
1819 13 mod 2537 = 2081
1451 13 mod 2537 = 2182
Encrypted message = 2081 2182 122
 RSA Approach

Given the message: 0981 0461, how to decode it?

Decode:
Cd = M (mod pq)
d is inverse of e modulo (p-1)(q-1)

d = 937 is an inverse of 13 mod (4258=2436)

0981 937 mod 2537= 0704 and 0461 937 mod 2537 = 1115
So, the decoded message is 0704 1115

07 H
04  E
11 L
15  P

123
 Why RSA Works

Theorem (Correctness of RSA): (Me)d ≡ M (mod n).

Proof:

By the definition of d, we know that de ≡ 1 [mod (p−1)(q−1)].

– Thus by the definition of modular congruence,

k: de = 1 + k(p−1)(q−1).
– So, the result of decryption is

Cd ≡ (Me)d = Mde = M1+k(p−1)(q−1) (mod n)

124
 Proof cont.
We had:
Cd ≡ (Me)d = Mde = M1+k(p−1)(q−1) (mod n)
Assuming that M is not divisible by either p or q,

– Which is nearly always the case when p and q are very large

– Fermat’s Little Theorem tells us that

Mp−1≡1 (mod p) and Mq−1≡1 (mod q)
Thus, we have that the following two congruences hold:

First: Cd ≡ M · (Mp−1)k(q−1) ≡ M·1k(q−1) ≡ M (mod p)

Second: Cd ≡ M·(Mq−1)k(p−1) ≡ M·1k(p−1) ≡ M (mod q)

Hmm. System of modular equations…

125
 Proof cont.
We had:
Cd ≡ (Me)d = Mde = M1+k(p−1)(q−1) (mod n)
Assuming that M is not divisible by either p or q,

– Which is nearly always the case when p and q are very large

– Fermat’s Little Theorem tells us that

Mp−1≡1 (mod p) and Mq−1≡1 (mod q)
Thus, we have that the following two congruences hold:

First: Cd ≡ M · (Mp−1)k(q−1) ≡ M·1k(q−1) ≡ M (mod p)

Second: Cd ≡ M·(Mq−1)k(p−1) ≡ M·1k(p−1) ≡ M (mod q)

Hmm. System of modular equations…

126
 Proof cont.
Thus, we have that the following two congruences hold:

First: Cd ≡ M · (Mp−1)k(q−1) ≡ M·1k(q−1) ≡ M (mod p)

Second: Cd ≡ M·(Mq−1)k(p−1) ≡ M·1k(p−1) ≡ M (mod q)

Hmm. System of modular equations…

And since gcd(p,q) = 1, we can use the Chinese Remainder Theorem

to show that therefore Cd ≡ M (mod pq), since

If Cd ≡ M (mod pq) then s: Cd = s p q + M,

so Cd ≡ M (mod p) and also Cd ≡ M (mod q).

Thus, M is a solution to these two congruences,

so (by CRT) it’s the only solution.
QED

127