compalg.inf.elte.hu/~vatai/dm1en-org/part4_numbertheory/numberth…

Discrete mathematics I - Number theory
Emil Vatai <[email protected]>

(based on Hungarian slides by László Mérai)*

January 31, 2018

Outline

Contents

1 Number theory . . . 1
  1.1 Divisibility . . . 1
  1.2 Primes, irreducible elements . . . 3
  1.3 Euclidean division . . . 4
  1.4 Euclidean algorithm . . . 6
  1.5 Elementary number theory . . . 9

2 Congruences . . . 11
  2.1 Congruences . . . 11
  2.2 Linear congruences . . . 13
  2.3 Simultaneous congruences . . . 15
  2.4 Residue classes . . . 17
  2.5 Euler-Fermat theorem and the totient function . . . 20
  2.6 The multiplicative group . . . 23
  2.7 Discrete logarithm . . . 23
  2.8 Applications . . . 24

1 Number theory

1.1 Divisibility

Divisibility

If a and b are rational numbers, the division a/b can always be performed (and the result is a rational number).

If a and b are integers, the division a/b cannot always be performed (the quotient will not always be an integer).

Definition 1 (Divisibility). The integer a is a divisor of the integer b, written a | b, if there exists an integer c for which a · c = b (that is, b/a is an integer if a ≠ 0).

* Financed from the financial support ELTE won from the Higher Education Restructuring Fund of the Hungarian Government.


Example 2 (Divisibility).
• 1 | 13, because 1 · 13 = 13; 1 | n, because 1 · n = n;
• 6 | 12, because 6 · 2 = 12; −6 | 12, because (−6) · (−2) = 12.
• The definition can be extended to the Gaussian integers {a + bi : a, b ∈ Z}:
  – i | 13, because i · (−13i) = 13;
  – 1 + i | 2, because (1 + i) · (1 − i) = 2.

Properties of divisibility

Properties. For all a, b, c, . . . ∈ Z:

1. a | a;
2. a | b ∧ b | c ⇒ a | c;
3. a | b ∧ b | a ⇒ a = ±b;
4. a | b ∧ a′ | b′ ⇒ aa′ | bb′;
5. a | b ⇒ ac | bc;
6. ac | bc ∧ c ≠ 0 ⇒ a | b;
7. a | b_1, . . . , a | b_k ⇒ a | c_1 b_1 + · · · + c_k b_k (for any integers c_1, . . . , c_k);
8. a | 0, since a · 0 = 0;
9. 0 | a ⇔ a = 0;
10. 1 | a, −1 | a.

Example 3 (Divisibility).
1. 6 | 6;
2. 2 | 6 ∧ 6 | 12 ⇒ 2 | 12;
3. 3 | −3 ∧ −3 | 3 ⇒ 3 = ±(−3);
4. 2 | 4 ∧ 3 | 9 ⇒ 2 · 3 | 4 · 9;
5. 3 | 6 ⇒ 5 · 3 | 5 · 6;
6. 3 · 5 | 6 · 5 ∧ 5 ≠ 0 ⇒ 3 | 6;
7. 3 | 6, 3 | 9 ⇒ 3 | 6c_1 + 9c_2 for each c_1, c_2;
8. a | 0, since a · 0 = 0;
9. 0 | a ⇔ 0 · c = a for some c ⇔ a = 0;
10. 1 | a, since 1 · a = a; −1 | a, since (−1) · (−a) = a.


Units

The factor ±1 is irrelevant for divisibility.

Definition 4 (Unit). If ε is a divisor of every other number, then ε is called a unit.

Proposition. There are two units in the set of integers: 1 and −1.

Proof. ±1 are clearly units. Conversely, if ε is a unit, then in particular ε | 1, so 1 = ε · q for some integer q. Then |ε| · |q| = 1 with |ε| ≥ 1 and |q| ≥ 1, hence |ε| = 1, that is ε = ±1.

Example 5 (Unit). In the set of Gaussian integers i is a unit: a + bi = i(b − ai).

Associated elements

The integers 12 and −12 are the same from the perspective of divisibility.

Definition 6 (Associated elements). Two numbers are associated if they are each other's divisors.

Remark. a and b are associated if and only if a | b and b | a.

Definition 7 (Trivial divisor). The trivial divisors of n are the numbers associated with n and the units. Other divisors are proper divisors.

Example 8 (Divisors of 6).
• The divisors: {±1, ±2, ±3, ±6};
• The trivial divisors: {±1, ±6};
• The proper divisors: {±2, ±3}.

1.2 Primes, irreducible elements

Primes, irreducible elements

Definition 9 (Irreducible). A non-zero, non-unit number is irreducible if it has only trivial divisors.

Example 10 (Irreducible elements). The integers 2, −2, 3, −3, 5, −5 are irreducible; 6 is not irreducible, because 6 = 2 · 3.

Definition 11 (Prime). A non-zero, non-unit number p is a prime number if p | ab ⇒ (p | a ∨ p | b) (for any a, b).

Example 12 (Primes). 2, −2, 3, −3, 5, −5 are prime; 6 is not a prime number, because 6 | 2 · 3 but 6 ∤ 2 and 6 ∤ 3.


Primes, irreducibles

Theorem 13 (Primes and irreducibles). Each prime number is irreducible.

Proof. Let p be a prime number and let p = ab be a factorization. We have to prove that a or b is a unit.

Because p = ab, p | ab, so (p being prime) p | a or p | b; say p | a. Then a = pk = a(bk) for some integer k, i.e. bk = 1 (as a ≠ 0), implying that b and k are units.

Remark. The converse is not always true:

• In the set Z it is true (see Theorem 27 later);
• In the set {a + bi√5 : a, b ∈ Z} it is not true: 6 = 2 · 3 = (1 + i√5)(1 − i√5), and 2 is irreducible there (no element has norm 2) but divides neither 1 + i√5 nor 1 − i√5, so 2 is not prime.

1.3 Euclidean division

Euclidean division

Theorem 14 (Euclidean division). For all integers a and b ≠ 0 there exist unique integers q and r for which

a = bq + r ∧ 0 ≤ r < |b|. (1)

Proof. The proof is given for a ≥ 0 and b > 0; the other cases reduce to this one by changing the signs of a and b and adjusting q and r.

1. Existence: induction on a.
   • If a < b, then a = b · 0 + a (q = 0, r = a).
   • If a ≥ b, then suppose that numbers less than a can be written as in (1). Let a − b = bq* + r*. Then a = b(q* + 1) + r*, and let q = q* + 1, r = r*.

2. Uniqueness: Let a = bq + r = bq′ + r′ with 0 ≤ r, r′ < |b|. Then b(q − q′) = r′ − r, so b | r′ − r; but |r′ − r| < |b|, which is only possible if r′ − r = 0, and then q = q′.

Euclidean division

Definition 15 (mod). Let a and b be integers (b ≠ 0). Let a = b · q + r (0 ≤ r < |b|). Then a mod b = r.

Remark: q = ⌊a/b⌋ if b > 0, and q = ⌈a/b⌉ if b < 0.

Example 16 (mod).
• 123 mod 10 = 3, 123 mod 100 = 23, 123 mod 1000 = 123;
• 123 mod −10 = 3, . . .
• −123 mod 10 = 7, −123 mod 100 = 77, −123 mod 1000 = 877;
• −123 mod −10 = 7, . . .
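The sign convention in Definition 15 (0 ≤ r < |b|) is not what most programming languages implement, which matters whenever a possibly negative value is reduced modulo m. The following Python is an added example, not part of the lecture notes: it implements Euclidean division exactly as defined above and contrasts it with Python's own % operator (the remainder takes the sign of the divisor) and with the truncating remainder of C, Java, Go, Rust and JavaScript (the remainder takes the sign of the dividend). The function names are the example's own.

```python
"""Euclidean division a = b*q + r with 0 <= r < |b| (Theorem 14, Definition 15),
next to the two remainder conventions found in programming languages.

Added example, not from the lecture notes.
"""


def euclid_div(a: int, b: int) -> tuple[int, int]:
    """Return (q, r) with a == b*q + r and 0 <= r < |b|.

    Remark after Definition 15: q = floor(a/b) if b > 0 and q = ceil(a/b)
    if b < 0.  Python's // is floor division and ceil(a/b) == -((-a)//b),
    so everything stays in exact integer arithmetic (no float rounding for
    large operands).
    """
    if b == 0:
        raise ZeroDivisionError("Euclidean division needs b != 0")
    q = a // b if b > 0 else -((-a) // b)
    r = a - b * q
    assert 0 <= r < abs(b), (a, b, q, r)  # the invariant of equation (1)
    return q, r


def mod(a: int, b: int) -> int:
    """a mod b in the lecture's sense: the unique r of Definition 15."""
    return euclid_div(a, b)[1]


def truncating_rem(a: int, b: int) -> int:
    """Remainder as computed by % in C, Java, Go, Rust and JavaScript:
    the quotient is truncated toward zero, so r has the sign of a."""
    if b == 0:
        raise ZeroDivisionError("remainder needs b != 0")
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    return a - b * q


def canonical_from_truncating(a: int, m: int) -> int:
    """Turn a C-style remainder into the least non-negative residue mod m,
    i.e. the usual fix-up ((a % m) + m) % m, for positive m."""
    if m <= 0:
        raise ValueError("m must be positive")
    r = truncating_rem(a, m)
    return r + m if r < 0 else r


def compare(a: int, b: int) -> dict[str, int]:
    """The three remainders side by side for one (a, b) pair."""
    return {
        "lecture": mod(a, b),
        "python": a % b,
        "c_style": truncating_rem(a, b),
    }


if __name__ == "__main__":
    for a, b in [(123, 10), (123, -10), (-123, 10), (-123, -10)]:
        print(f"{a:5d} mod {b:4d}: {compare(a, b)}")
```

For (−123, 10) the notes give 7, Python's −123 % 10 also gives 7, but C gives −3; for (123, −10) the notes and C give 3 while Python gives −7. Code that needs a residue in {0, . . . , m − 1} (a negative difference of counters, a scalar in modular arithmetic) should therefore use an explicit non-negative reduction rather than rely on the operator's default.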


Euclidean division

Example 17 (mod).
• If it is 9 o'clock now, what time will it be after 123 hours? Divide 123 by 24: 123 = 24 · 5 + 3. 9 + 3 = 12: noon!
  If it is 9 o'clock now, what time will it be after 116 hours? Divide 116 by 24: 116 = 24 · 4 + 20. So 9 + 20 = 29. We have to reduce again: 29 = 24 · 1 + 5: it will be 5 A.M.!
• Which day of the week will the 10th of November be next year? Which day of the week was the 14th of September two years ago? Let Mon = 0, Tue = 1, Wed = 2, Thu = 3, Fri = 4, Sat = 5, Sun = 6.
  – Divide 365 by 7: 365 = 7 · 52 + 1. Monday + 1 day = 0 + 1 = 1 = Tuesday.
  – Divide −(365 + 366) (2012 was a leap year) by 7: −731 = 7 · (−105) + 4. Friday + 4 days = 4 + 4 = 8; reduced: 8 = 7 · 1 + 1, so 1 = Tuesday.

Numeral systems

In the base 10 numeral system the number 123: 123 = 100 + 20 + 3 = 1 · 10² + 2 · 10¹ + 3 · 10⁰.

In the base 2 numeral system the number 123:

1111011₍₂₎ = 1 · 2⁶ + 1 · 2⁵ + 1 · 2⁴ + 1 · 2³ + 0 · 2² + 1 · 2¹ + 1 · 2⁰
= 1 · 64 + 1 · 32 + 1 · 16 + 1 · 8 + 0 · 4 + 1 · 2 + 1 · 1 = 123₍₁₀₎.

Theorem 18 (Representation of numbers). Let q > 1 be a fixed integer. Then each positive integer n can uniquely be written in the form n = \sum_{i=0}^{k} a_i q^i, where the a_i are integers with 0 ≤ a_i < q and a_k ≠ 0 (the integer 0 is written as the single digit 0).

1. This expression is the number n written in the base q numeral system.
2. q is the base of the numeral system.
3. a_0, . . . , a_k are the digits of n.
4. k = ⌊log_q n⌋ (the floor, not the ceiling: for n = 123, q = 2 we have log_2 123 ≈ 6.94 and k = 6).

Numeral systems

n written in the base q numeral system: n = \sum_{i=0}^{k} a_i q^i.

Proof. The proof is by induction.

1. For n = 0 the theorem is true.
2. Suppose each integer less than n can be written uniquely in the base q numeral system. Because of the Euclidean division theorem there exists a unique integer 0 ≤ a_0 < q for which n = cq + a_0, that is, q | n − a_0. Since (n − a_0)/q = c < n, by the induction hypothesis we can express (n − a_0)/q = \sum_{i=1}^{k} a_i q^{i−1} in the base q numeral system, and this expression is unique. Then n = \sum_{i=0}^{k} a_i q^i.


Numeral systems

The previous proof provides a method to express the numbers:

Example 19 (Representation). Let us write the number n = 123 (given in base 10) in the base 2 numeral system.

 i |   n | n mod 2 | (n − a_i)/2 | digits so far
 0 | 123 |    1    |     61      | 1
 1 |  61 |    1    |     30      | 11
 2 |  30 |    0    |     15      | 011
 3 |  15 |    1    |      7      | 1011
 4 |   7 |    1    |      3      | 11011
 5 |   3 |    1    |      1      | 111011
 6 |   1 |    1    |      0      | 1111011

Reading the remainders from the last one to the first: 123 = 1111011₍₂₎.
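The recursion in the proof of Theorem 18 (peel off a_0 = n mod q, continue with (n − a_0)/q) is exactly the procedure of Example 19. The Python below is an added example, not part of the notes: it implements that recursion for any base q ≥ 2, the inverse evaluation of \sum a_i q^i, and the exponent k of the leading digit computed in integer arithmetic (the function names are the example's own).

```python
"""Base-q representation by the recursion in the proof of Theorem 18.

Added example, not from the lecture notes.
"""

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def to_base(n: int, q: int) -> list[int]:
    """Digits a_0, a_1, ..., a_k of n in base q, least significant first,
    so that n == sum(a_i * q**i) with a_k != 0.  For n == 0 the list is empty."""
    if q < 2:
        raise ValueError("base must be at least 2")
    if n < 0:
        raise ValueError("only non-negative integers are represented")
    digits = []
    while n > 0:
        # Euclidean division n = c*q + a_0 (Definition 15); c is (n - a_0)/q,
        # the column "(n - a_i)/2" of Example 19.
        n, a = divmod(n, q)
        digits.append(a)
    return digits


def from_base(digits: list[int], q: int) -> int:
    """Evaluate sum(a_i * q**i) by Horner's rule, checking 0 <= a_i < q."""
    n = 0
    for a in reversed(digits):
        if not 0 <= a < q:
            raise ValueError(f"digit {a} out of range for base {q}")
        n = n * q + a
    return n


def to_string(n: int, q: int) -> str:
    """Conventional notation, most significant digit first (bases 2..36)."""
    if q > len(ALPHABET):
        raise ValueError("no digit symbols beyond base 36")
    digits = to_base(n, q)
    return "".join(ALPHABET[a] for a in reversed(digits)) or "0"


def leading_exponent(n: int, q: int) -> int:
    """k = floor(log_q n) for n >= 1, i.e. the index of the leading digit.
    Done with integers on purpose: math.floor(math.log(1000, 10)) can
    evaluate to 2, because log(1000)/log(10) is slightly below 3 in
    floating point."""
    if n < 1:
        raise ValueError("n must be positive")
    k = 0
    while q ** (k + 1) <= n:
        k += 1
    return k


def roundtrip_ok(limit: int, bases=(2, 3, 7, 10, 16, 36)) -> bool:
    """Consistency check of to_base/from_base and of k = len(digits) - 1."""
    for q in bases:
        for n in range(limit):
            digits = to_base(n, q)
            if from_base(digits, q) != n:
                return False
            if n and leading_exponent(n, q) != len(digits) - 1:
                return False
    return True


if __name__ == "__main__":
    print(to_string(123, 2), to_base(123, 2), leading_exponent(123, 2))
```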

1.4 Euclidean algorithm

Greatest common divisor

Definition 20 (Greatest common divisor). The integer d is a greatest common divisor (or gcd) of the integers a and b if d | a, d | b, and if c | a, c | b then c | d.

The integer d is a gcd of the integers a_1, a_2, . . . , a_n (n ∈ N⁺) if d | a_1, d | a_2, . . . , d | a_n, and if c | a_1, c | a_2, . . . , c | a_n then c | d.

Least common multiple

The least common multiple (or lcm) of the numbers a and b is m if a | m, b | m, and a | c, b | c ⇒ m | c.

The lcm of the numbers a_1, a_2, . . . , a_n (n ∈ N⁺) is m if a_1 | m, a_2 | m, . . . , a_n | m and if a_1 | c, a_2 | c, . . . , a_n | c then m | c.

Notation

Let (a, b) = gcd(a, b) denote the non-negative greatest common divisor, and let [a, b] = lcm(a, b) denote the non-negative least common multiple.

Greatest common divisor

Definition 21 (Relatively prime).
• The numbers a and b are relatively prime if (a, b) = 1.
• The numbers a_1, a_2, . . . , a_n are relatively prime if (a_1, a_2, . . . , a_n) = 1 (i.e. if their greatest common divisor is one).
• The numbers a_1, a_2, . . . , a_n are mutually (or pairwise) relatively prime if i ≠ j implies (a_i, a_j) = 1.

Remarks

• Attention! "Greatest" does not refer to the usual ordering: −3 is also a greatest common divisor of 12 and 9 in the sense of Definition 20.
• The greatest common divisor is unique up to association.
• Example: 35 and 12 are relatively prime, while 20 and 12 are not. The numbers 6, 10, 15 are relatively prime but not pairwise relatively prime.


Euclidean algorithm

Theorem 22 (Euclidean algorithm). Each pair of integers has a greatest common divisor, and it can be determined using the Euclidean algorithm.

Proof. If one of the numbers is 0, then the other one (up to sign) is the gcd. Let a and b be non-zero integers and perform the following divisions:

a = b q_1 + r_1, 0 < r_1 < |b|,
b = r_1 q_2 + r_2, 0 < r_2 < r_1,
r_1 = r_2 q_3 + r_3, 0 < r_3 < r_2,
. . .
r_{n−2} = r_{n−1} q_n + r_n, 0 < r_n < r_{n−1},
r_{n−1} = r_n q_{n+1}.

The gcd is the last non-zero remainder: (a, b) = r_n. (Here a = r_{−1}, b = r_0; if already r_1 = 0, then (a, b) = |b|.)

The algorithm terminates after a finite number of steps, because |b| > r_1 > r_2 > . . . ≥ 0.

The remainder r_n is a common divisor: r_n | r_{n−1} ⇒ r_n | r_{n−1} q_n + r_n = r_{n−2} ⇒ . . . ⇒ r_n | b ⇒ r_n | a.

r_n is the greatest common divisor: let c | a, c | b ⇒ c | a − b q_1 = r_1 ⇒ c | b − r_1 q_2 = r_2 ⇒ . . . ⇒ c | r_{n−2} − r_{n−1} q_n = r_n.

Calculating the GCD, Euclidean algorithm

Example 23 (Euclidean algorithm). Let us calculate the value of (172, 62).

 i  | r_i | q_i | r_{i−2} = r_{i−1} q_i + r_i
 −1 | 172 |  –  | –
  0 |  62 |  –  | –
  1 |  48 |  2  | 172 = 62 · 2 + 48
  2 |  14 |  1  | 62 = 48 · 1 + 14
  3 |   6 |  3  | 48 = 14 · 3 + 6
  4 |   2 |  2  | 14 = 6 · 2 + 2
  5 |   0 |  3  | 6 = 2 · 3 + 0

The greatest common divisor: (172, 62) = 2.


Calculating the GCD using recursion

Theorem 24. Let a ≠ 0. If b = 0, then (a, b) = |a|. If b ≠ 0, then (a, b) = (|b|, a mod |b|).

Proof. If b = 0, the theorem is trivial. Since (a, b) = (|a|, |b|), we can suppose that a, b > 0. If b ≠ 0, divide a by |b|: a = |b| · q + (a mod |b|). This is the first line of the Euclidean algorithm: every common divisor of a and |b| divides a mod |b| = a − |b| · q, and every common divisor of |b| and a mod |b| divides a, so the two pairs have the same common divisors.

Example 25 ((172, 62)).

 (a, b)    | a mod |b|
 (172, 62) | 48
 (62, 48)  | 14
 (48, 14)  | 6
 (14, 6)   | 2
 (6, 2)    | 0

GCD, further observations

Similarly, we can define the greatest common divisor of multiple numbers (HW): (a_1, a_2, . . . , a_n).

Proposition (HW). Each collection a_1, a_2, . . . , a_n of integers has a greatest common divisor (a_1, a_2, . . . , a_n), and (a_1, a_2, . . . , a_n) = ((. . . (a_1, a_2), . . . , a_{n−1}), a_n).

Proposition (HW). For all integers a, b, c: (ca, cb) = |c| · (a, b).

Extended Euclidean algorithm

Theorem 26 (Extended Euclidean algorithm). For all integers a, b there exist integers x, y so that (a, b) = x · a + y · b.

Proof. Let q_i, r_i be the quotients and remainders obtained by the Euclidean algorithm (with r_{−1} = a, r_0 = b).

Let x_{−1} = 1, x_0 = 0 and for i ≥ 1 let x_i = x_{i−2} − q_i x_{i−1}. Similarly let y_{−1} = 0, y_0 = 1 and for i ≥ 1 let y_i = y_{i−2} − q_i y_{i−1}.

Then for all i ≥ −1, x_i a + y_i b = r_i. This holds for i = −1 and i = 0; suppose it holds for all j < i. Since r_i = r_{i−2} − r_{i−1} q_i, we get r_i = (x_{i−2} a + y_{i−2} b) − (x_{i−1} a + y_{i−1} b) q_i, and after rearranging, r_i = x_i a + y_i b.

Ergo x_n a + y_n b = r_n = (a, b).

Extended Euclidean algorithm

• Algorithm: r_{i−2} = r_{i−1} q_i + r_i,
  – x_{−1} = 1, x_0 = 0, x_i = x_{i−2} − q_i x_{i−1};
  – y_{−1} = 0, y_0 = 1, y_i = y_{i−2} − q_i y_{i−1}.

Extended Euclidean algorithm

Let us calculate (172, 62) and solve the equation 172x + 62y = (172, 62)!


 i  | r_i | q_i | x_i | y_i | r_i = 172 x_i + 62 y_i
 −1 | 172 |  –  |  1  |   0 | 172 = 172 · 1 + 62 · 0
  0 |  62 |  –  |  0  |   1 | 62 = 172 · 0 + 62 · 1
  1 |  48 |  2  |  1  |  −2 | 48 = 172 · 1 + 62 · (−2)
  2 |  14 |  1  | −1  |   3 | 14 = 172 · (−1) + 62 · 3
  3 |   6 |  3  |  4  | −11 | 6 = 172 · 4 + 62 · (−11)
  4 |   2 |  2  | −9  |  25 | 2 = 172 · (−9) + 62 · 25
  5 |   0 |  3  |  –  |   – | –

The solution: 2 = 172 · (−9) + 62 · 25, x = −9, y = 25.

1.5 Elementary number theory

Irreducibles, primes (reminder)

• t is irreducible if it has only trivial divisors, i.e. divisors of the form ε and ε · t (where ε is a unit).
• p is prime if p | ab ⇒ p | a or p | b.
• p is prime ⇒ p is irreducible.

On the set of integers the converse is also true.

Theorem 27 (Irreducible integers are prime). Every irreducible integer is also a prime number.

Proof. Let p be an irreducible number, and let p | ab. Assume p ∤ b. The divisors of p are only the units and ±p, and ±p ∤ b, so p and b are relatively prime. Using the extended Euclidean algorithm we can obtain integers x, y so that px + by = 1. Therefore pax + aby = a. Since p divides the left hand side (p | pax and p | ab), it also divides the right hand side: p | a.

The fundamental theorem of number theory

Theorem 28 (Fundamental theorem of number theory). Every non-zero, non-unit integer can be written as a product of primes, uniquely up to the order of the factors and association.

Proof. The proof is only for positive integers, but it can be generalized.

Existence: induction. For n = 2, n = 3 it is true (primes). Generally, if n is prime then we are finished; if not, it can be written as a non-trivial product n = ab with 1 < a, b < n, and the factors can be factorized by the induction hypothesis.

Uniqueness: induction. For n = 2, n = 3 it is true (primes). Assume n = p_1 p_2 · · · p_k = q_1 q_2 · · · q_ℓ, where p_1, p_2, . . . , p_k, q_1, q_2, . . . , q_ℓ are primes. p_1 divides the left hand side ⇒ it divides the right hand side ⇒ (p_1 being prime) it divides one of the q_j; after reordering we may suppose p_1 = q_1. After simplification: n′ = p_2 · · · p_k = q_2 · · · q_ℓ < n, so by the induction hypothesis the two factorizations agree.

Fundamental theorem of number theory


Definition 29 (Canonical form). The canonical form of a non-zero integer n is

n = ± p_1^{α_1} p_2^{α_2} · · · p_ℓ^{α_ℓ} = ± \prod_{i=1}^{ℓ} p_i^{α_i},

where p_1, p_2, . . . , p_ℓ are distinct positive primes and α_1, α_2, . . . , α_ℓ are positive integers.

Corollary (HW). Let n, m > 1 be positive integers, n = p_1^{α_1} p_2^{α_2} · · · p_ℓ^{α_ℓ}, m = p_1^{β_1} p_2^{β_2} · · · p_ℓ^{β_ℓ}, written over a common list of primes (so here α_i, β_i ≥ 0 are non-negative integers!). Then

• (n, m) = p_1^{min{α_1, β_1}} p_2^{min{α_2, β_2}} · · · p_ℓ^{min{α_ℓ, β_ℓ}},
• [n, m] = p_1^{max{α_1, β_1}} p_2^{max{α_2, β_2}} · · · p_ℓ^{max{α_ℓ, β_ℓ}},
• (n, m) · [n, m] = n · m.

Number of divisors

Definition 30 (The τ function). τ(n) is the number of (positive) divisors of an integer n > 1.

Calculating τ(n)

Let n > 1 be an integer, n = p_1^{α_1} p_2^{α_2} · · · p_ℓ^{α_ℓ} its canonical form. Then τ(n) = (α_1 + 1) · (α_2 + 1) · · · (α_ℓ + 1).

Proof. The positive divisors of n are exactly the numbers d = p_1^{β_1} p_2^{β_2} · · · p_ℓ^{β_ℓ} obtained by letting each exponent β_i run over the set {0, 1, . . . , α_i} (by the uniqueness of the canonical form, different exponent choices give different divisors). There are α_i + 1 choices for each exponent.

Example 31 (τ(n)). τ(6) = 4: divisors 1, 2, 3, 6; τ(96) = 12: divisors 1, 2, 3, 4, 6, . . .

τ(2 · 3) = (1 + 1) · (1 + 1); τ(2⁵ · 3) = (5 + 1) · (1 + 1).
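Definition 29, the corollary on (n, m) and [n, m], and the τ formula are all computations on the exponent vector, so here is an added Python example (not part of the notes) that builds the canonical form by trial division and derives τ(n), the divisor list and (n, m), [n, m] from the exponents exactly as stated above. The function names are the example's own. Trial division is fine for classroom-sized n; its running time grows exponentially in the bit length of n, which is why nothing here is a way to factor cryptographic moduli.

```python
"""Canonical form (Definition 29), tau (Definition 30), and gcd/lcm from the
exponents (Corollary).  Added example, not from the lecture notes."""


def canonical_form(n: int) -> dict[int, int]:
    """Return {p_i: alpha_i} with n = prod p_i**alpha_i over distinct positive
    primes.  For n == 1 the product is empty.  Trial division up to sqrt(n)."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    exponents: dict[int, int] = {}
    p = 2
    while p * p <= n:
        while n % p == 0:          # divide out p completely before moving on,
            exponents[p] = exponents.get(p, 0) + 1
            n //= p                # so every p that divides here is prime
        p += 1 if p == 2 else 2    # after 2, test odd candidates only
    if n > 1:
        exponents[n] = exponents.get(n, 0) + 1  # leftover cofactor is prime
    return exponents


def tau(n: int) -> int:
    """Number of positive divisors: the product of (alpha_i + 1)."""
    result = 1
    for alpha in canonical_form(n).values():
        result *= alpha + 1
    return result


def divisors(n: int) -> list[int]:
    """All positive divisors, built exactly as in the proof: every choice of
    exponents beta_i in {0, ..., alpha_i}."""
    divs = [1]
    for p, alpha in canonical_form(n).items():
        divs = [d * p**beta for d in divs for beta in range(alpha + 1)]
    return sorted(divs)


def gcd_lcm(n: int, m: int) -> tuple[int, int]:
    """(n, m) and [n, m] from min/max of the exponents over a common prime list."""
    fn, fm = canonical_form(n), canonical_form(m)
    g = l = 1
    for p in set(fn) | set(fm):
        a, b = fn.get(p, 0), fm.get(p, 0)
        g *= p ** min(a, b)
        l *= p ** max(a, b)
    return g, l


if __name__ == "__main__":
    print(canonical_form(96), tau(96), divisors(96))
    print(gcd_lcm(172, 62))
```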

About primes

Theorem 32 (Euclid's theorem). There are infinitely many primes.

Proof. Indirect. Assume there are finitely many primes; let them be p_1, . . . , p_k. Consider the integer n = p_1 · · · p_k + 1. This is not divisible by any of the primes p_1, . . . , p_k (the remainder is 1 in each case), so the factorization of n has to contain an additional prime.

Theorem 33 (Dirichlet's theorem). If a, d are integers, d > 0, (a, d) = 1, then there are infinitely many primes of the form a + kd (k = 0, 1, 2, . . .), i.e. infinitely many primes p ≡ a (mod d).


About primes

Theorem 34 (Prime number theorem). The number of primes ≤ x is ∼ x / ln x.

     x | number of primes ≤ x | x / ln x
    10 |                    4 |    4.34
   100 |                   25 |   21.71
  1000 |                  168 |  144.76
 10000 |                 1229 | 1085.74

Sieve of Eratosthenes

How to find all the primes up to the integer n: start with all the integers from 2 to n. 2 is prime; the (non-trivial) multiples of 2 are not prime, so they are eliminated. The next number not yet eliminated is 3, which is also a prime; the (non-trivial) multiples of 3 are not prime, so we eliminate them. . . Repeat this procedure up to √n (every composite number ≤ n has a prime divisor ≤ √n). The integers which were not eliminated are the primes.
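The sieve just described, as an added Python example that is not part of the notes. It stops crossing off at √n for the reason given above and starts each prime's crossing-off at p², since the smaller multiples of p were already removed by a smaller prime; a second function reproduces the table under Theorem 34 by counting the sieved primes, and a trial-division routine is included only as an independent cross-check. The function names are the example's own. In cryptographic code a sieve like this enumerates the small primes used to pre-filter prime candidates by trial division; it is never the primality test itself.

```python
"""Sieve of Eratosthenes and the prime-counting table of Theorem 34.
Added example, not from the lecture notes."""
import bisect
import math


def sieve(n: int) -> list[int]:
    """All primes <= n."""
    if n < 2:
        return []
    is_prime = bytearray([1]) * (n + 1)
    is_prime[0] = is_prime[1] = 0
    # A composite c <= n has a prime factor <= sqrt(c) <= sqrt(n), so every
    # composite is crossed off by some p <= isqrt(n); larger p add nothing.
    for p in range(2, math.isqrt(n) + 1):
        if is_prime[p]:
            # multiples 2p, 3p, ..., (p-1)p were crossed off by smaller primes
            is_prime[p * p::p] = bytearray(len(range(p * p, n + 1, p)))
    return [i for i in range(n + 1) if is_prime[i]]


def trial_division_primes(n: int) -> list[int]:
    """Slow reference implementation used only to cross-check the sieve."""
    return [k for k in range(2, n + 1)
            if all(k % d for d in range(2, math.isqrt(k) + 1))]


def prime_count(primes: list[int], x: int) -> int:
    """pi(x): the number of primes <= x, given a sorted prime list covering x."""
    return bisect.bisect_right(primes, x)


def prime_count_table(xs: list[int]) -> list[tuple[int, int, float]]:
    """Rows (x, pi(x), x / ln x) for the comparison under Theorem 34."""
    primes = sieve(max(xs))
    return [(x, prime_count(primes, x), round(x / math.log(x), 2)) for x in xs]


if __name__ == "__main__":
    for x, pi_x, approx in prime_count_table([10, 100, 1000, 10000]):
        print(f"{x:6d} {pi_x:6d} {approx:9.2f}")
```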

2 Congruences

2.1 Congruences

Congruences

For questions about divisibility, often only the remainder from the Euclidean division is important:

• days of the week;
• number of hours, . . .

Example 35 (Equal remainders). 16 mod 3 = 1, 4 mod 3 = 1: for division by 3 we have 16 "=" 4.

Definition 36 (Congruence). Let a, b, m be integers. If m | a − b, then we say a is congruent to b with modulus m (or a and b are congruent modulo m), written as

a ≡ b (mod m).

If a and b are not congruent (for some modulus m), then they are incongruent (modulo m).

Equivalent formulation

Alternative notation. The following all mean m | a − b:

• a ≡ b (mod m),
• a ≡ b mod m,
• a ≡ b (m).

Equivalent formulation: a ≡ b (mod m) ⇔ a mod m = b mod m, that is, we get the same remainder when dividing by m.


Example 37 (Congruences). 16 ≡ 4 (mod 3) since 3 | 16 − 4 ⇔ 16 mod 3 = 1 = 4 mod 3; 16 ≡ 4 (mod 2) since 2 | 16 − 4 ⇔ 16 mod 2 = 0 = 4 mod 2; 16 ≢ 4 (mod 5) since 5 ∤ 16 − 4 ⇔ 16 mod 5 = 1 ≠ 4 = 4 mod 5.

Properties of congruence

Theorem 38 (Properties of congruence).
1. a ≡ a (mod m) (reflexivity);
2. a ≡ b (mod m) ⇒ b ≡ a (mod m) (symmetry);
3. a ≡ b (mod m) ∧ b ≡ c (mod m) ⇒ a ≡ c (mod m) (transitivity).

Ergo, congruence modulo m is an equivalence relation.

Proof.
1. m | 0 = a − a;
2. m | a − b ⇒ m | b − a = −(a − b);
3. m | a − b ∧ m | b − c ⇒ m | a − c = (a − b) + (b − c).

Properties of congruence

Theorem 39 (Properties of congruence).
1. a ≡ b (mod m) ∧ m′ | m ⇒ a ≡ b (mod m′);
2. a ≡ b (mod m) ∧ c ≡ d (mod m) ⇒ a + c ≡ b + d (mod m);
3. a ≡ b (mod m) ∧ c ≡ d (mod m) ⇒ ac ≡ bd (mod m).

Proof.
1. m′ | m | a − b ⇒ m′ | a − b;
2. m | a − b ∧ m | c − d ⇒ m | (a + c) − (b + d) = (a − b) + (c − d);
3. a = q_1 m + b ∧ c = q_2 m + d ⇒ ac = (q_1 m + b)(q_2 m + d) = m(q_1 q_2 m + q_1 d + q_2 b) + bd, so ac ≡ bd (mod m).

Properties of congruence

Example 40 (Properties of congruences). What is 345 mod 7?

345 = 34 · 10 + 5 ≡ 6 · 3 + 5 = 18 + 5 ≡ 4 + 5 = 9 ≡ 2 (mod 7).

Reminder: a ≡ b (mod m), c ≡ d (mod m) ⇒ ac ≡ bd (mod m).

Corollary. If a ≡ b (mod m) then ac ≡ bc (mod m).

Example 41 (Properties of congruence). 14 ≡ 6 (mod 8), hence 42 ≡ 18 (mod 8).

The converse is not true! 2 · 7 ≡ 2 · 3 (mod 8) but 7 ≢ 3 (mod 8).

Divisibility and relatively prime numbers

Theorem 42. ∀a, b, c ∈ Z : (a | bc ∧ (a, b) = 1 ⇒ a | c).

Proof. Use the extended Euclidean algorithm to obtain x and y such that ax + by = 1; then c = xac + ybc = (xc) · a + y · (bc). Both terms are divisible by a (the second one because a | bc), so by the statement about the divisibility of linear combinations we have a | c.


The converse is not true

Theorem 43 (Division). Let a, b, c, m be integers. Then

ac ≡ bc (mod m) ⇔ a ≡ b (mod m / (c, m)).

Corollary. If (c, m) = 1, then ac ≡ bc (mod m) ⇔ a ≡ b (mod m).

Example 44 (Division). 2 · 7 ≡ 2 · 3 (mod 8) ⇒ 7 ≡ 3 (mod 8/2).

Proof. Let d = (c, m). Then m | c(a − b) ⇔ (m/d) | (c/d)(a − b). Since (m/d, c/d) = 1, by Theorem 42 this holds ⇔ (m/d) | (a − b) ⇔ a ≡ b (mod m/d).

2.2 Linear congruences

Linear congruences

Let us solve the congruence 2x ≡ 5 (mod 7).

If x is a solution and y ≡ x (mod 7), then y is also a solution (2y ≡ 2x ≡ 5 (mod 7)). So let us look for the solution in the set {0, 1, . . . , 6}:

• x = 0 ⇒ 2x = 0 ≢ 5 (mod 7);
• x = 1 ⇒ 2x = 2 ≢ 5 (mod 7);
• x = 2 ⇒ 2x = 4 ≢ 5 (mod 7);
• x = 3 ⇒ 2x = 6 ≢ 5 (mod 7);
• x = 4 ⇒ 2x = 8 ≡ 1 ≢ 5 (mod 7);
• x = 5 ⇒ 2x = 10 ≡ 3 ≢ 5 (mod 7);
• x = 6 ⇒ 2x = 12 ≡ 5 (mod 7).

The solution set of the congruence: {6 + 7k : k ∈ Z}.

Is there a better method? Let us solve the congruence 23x ≡ 4 (mod 211). Do we need 211 tries?

Linear congruences

Theorem 45 (Solution of linear congruences). Let a, b, m be integers with m > 1. Then ax ≡ b (mod m) has a solution ⇔ (a, m) | b. If this is the case, the number of incongruent solutions modulo m equals (a, m).

Proof. ax ≡ b (mod m) ⇔ ax + my = b for some integer y.

Necessity: (a, m) | a and (a, m) | m ⇒ (a, m) | ax + my = b.

Sufficiency: if d = (a, m) | b, let a′ = a/d, b′ = b/d, m′ = m/d: a′x + m′y = b′. Since (a′, m′) = 1, using the extended Euclidean algorithm we can calculate x_0, y_0 so that a′x_0 + m′y_0 = 1 ⇒ a′(b′x_0) + m′(b′y_0) = b′, that is, x_1 = b′x_0, y_1 = b′y_0 is a solution.

Number of solutions: let (x, y) be a (pair of) solutions. Subtracting the equations a′x + m′y = b′ and a′x_1 + m′y_1 = b′ we get a′(x − x_1) = m′(y_1 − y) ⇒ m′ | x − x_1 (as (a′, m′) = 1) ⇒ x = x_1 + m′k; for k = 0, 1, . . . , d − 1 these are incongruent solutions modulo m (with y = y_1 − ka′), and every solution is congruent to one of them.


Linear congruences

1. ax ≡ b (mod m) ⇔ ax + my = b.
2. Solve the equation ax + my = (a, m) (extended Euclidean algorithm).
3. A solution exists ⇔ (a, m) | b.
4. The solutions: x_k = (b / (a, m)) · x + k · m / (a, m), k = 0, 1, . . . , (a, m) − 1.

Example 46 (Solving congruences). 23x ≡ 4 (mod 211).

 i  | r_i | q_i | x_i
 −1 |  23 |  –  |   1
  0 | 211 |  –  |   0
  1 |  23 |  0  |   1
  2 |   4 |  9  |  −9
  3 |   3 |  5  |  46
  4 |   1 |  1  | −55
  5 |   0 |  3  |   –

Example 47 (23x ≡ 4 (211)). r_{i−2} = r_{i−1} q_i + r_i, x_{−1} = 1, x_0 = 0, x_i = x_{i−2} − q_i x_{i−1}.

GCD: (23, 211) = 1 | 4 ⇒ one solution: x = 4 · (−55) = −220 ≡ 202 (mod 211).
All solutions: {202 + 211k : k ∈ Z}.
These are indeed solutions: 23 · (202 + 211k) − 4 = 4642 + 23 · 211k = (22 + 23k) · 211.

Linear congruences

Example 48 (Solving congruences). Solve the congruence 10x ≡ 8 (mod 22)!

 i  | r_i | q_i | x_i
 −1 |  10 |  –  |   1
  0 |  22 |  –  |   0
  1 |  10 |  0  |   1
  2 |   2 |  2  |  −2
  3 |   0 |  5  |   –

The algorithm: r_{i−2} = r_{i−1} q_i + r_i, x_{−1} = 1, x_0 = 0, x_i = x_{i−2} − q_i x_{i−1}, y_{−1} = 0, y_0 = 1, y_i = y_{i−2} − q_i y_{i−1}.

GCD: (10, 22) = 2 | 8 ⇒ a pair of solutions: x_1 = 4 · (−2) ≡ 14 (mod 22), x_2 = 4 · (−2) + 22/2 ≡ 14 + 11 ≡ 3 (mod 22).
All solutions: {14 + 22k : k ∈ Z} ∪ {3 + 22k : k ∈ Z}.
These are indeed solutions: x_1 = 14: 10 · 14 − 8 = 132 = 6 · 22; x_2 = 3: 10 · 3 − 8 = 22 = 1 · 22.
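The recurrences of Theorem 26 and the four-step recipe above, as an added Python example (not the notes' own code): ext_euclid keeps the x_i, y_i bookkeeping of the tables in Examples 23 and 46–48, and solve_linear_congruence returns all (a, m) incongruent solutions of Theorem 45, or none when (a, m) ∤ b. The function names are the example's own. The special case b = 1 is the modular inverse, which is how the RSA private exponent is obtained from the public one; note that this textbook loop branches on the quotients, so its running time depends on its inputs, and production code uses a constant-time inversion (or Python's built-in pow(a, −1, m) where that is acceptable).

```python
"""Extended Euclidean algorithm (Theorem 26) and linear congruences (Theorem 45).
Added example, not from the lecture notes."""


def ext_euclid(a: int, b: int) -> tuple[int, int, int]:
    """Return (d, x, y) with d = (a, b) >= 0 and d == a*x + b*y.

    r_{-1} = a, r_0 = b, r_{i-2} = r_{i-1} q_i + r_i, and the invariant
    r_i == a*x_i + b*y_i is kept by x_i = x_{i-2} - q_i x_{i-1},
    y_i = y_{i-2} - q_i y_{i-1}, with (x_{-1}, x_0) = (1, 0), (y_{-1}, y_0) = (0, 1).
    """
    r_prev, r_cur = a, b
    x_prev, x_cur = 1, 0
    y_prev, y_cur = 0, 1
    while r_cur != 0:
        q, r_next = divmod(r_prev, r_cur)      # q_i and r_i
        r_prev, r_cur = r_cur, r_next
        x_prev, x_cur = x_cur, x_prev - q * x_cur
        y_prev, y_cur = y_cur, y_prev - q * y_cur
    if r_prev < 0:                             # the notation (a, b) is non-negative
        r_prev, x_prev, y_prev = -r_prev, -x_prev, -y_prev
    return r_prev, x_prev, y_prev


def solve_linear_congruence(a: int, b: int, m: int) -> list[int]:
    """All incongruent solutions of a*x ≡ b (mod m) in {0, ..., m-1}, sorted.
    Empty list when (a, m) does not divide b (Theorem 45)."""
    if m < 1:
        raise ValueError("modulus must be positive")
    d, x0, _y0 = ext_euclid(a, m)               # a*x0 + m*y0 = d
    if b % d != 0:
        return []
    x1 = (b // d) * x0                           # step 4: x = (b/d) * x0
    step = m // d                                # solutions differ by m/d
    return sorted((x1 + k * step) % m for k in range(d))


def mod_inverse(a: int, m: int) -> int:
    """x with a*x ≡ 1 (mod m); raises ValueError if (a, m) != 1."""
    sols = solve_linear_congruence(a, 1, m)
    if not sols:
        raise ValueError(f"{a} is not invertible modulo {m}")
    return sols[0]


def check(a: int, b: int, m: int) -> bool:
    """Independent verification against exhaustive search over 0..m-1."""
    brute = [x for x in range(m) if (a * x - b) % m == 0]
    return solve_linear_congruence(a, b, m) == brute


if __name__ == "__main__":
    print(ext_euclid(172, 62))                   # (2, -9, 25)
    print(solve_linear_congruence(23, 4, 211))   # [202]
    print(solve_linear_congruence(10, 8, 22))    # [3, 14]
```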

Linear Diophantine equations

Linear Diophantine equations. Definition: equations in which integer solutions are sought.

Linear Diophantine equations: ax + by = c, where a, b, c ∈ Z. This is equivalent to the congruence ax ≡ c (mod b), or by ≡ c (mod a). ax + by = c can be solved if and only if (a, b) | c, and then the solutions can be obtained using the extended Euclidean algorithm.


Other Diophantine equations

x² + y² = −4: doesn't have (real) solutions.

x² − 4y² = 3: doesn't have integer solutions, because taking remainders (mod 4) gives x² ≡ 3 (mod 4). But this cannot be, because the remainder of a square modulo 4 has to be 0 or 1:

Squares (mod 4)

   x    | x² mod 4
 4k     | 0
 4k + 1 | 1
 4k + 2 | 0
 4k + 3 | 1

2.3 Simultaneous congruences

Simultaneous congruences

We want to find an integer x which simultaneously satisfies the following congruences:

2x ≡ 1 (mod 3)
4x ≡ 3 (mod 5)

The solutions of the congruences separately:

x ≡ 2 (mod 3)
x ≡ 2 (mod 5)

We can see that x = 2 will be a solution!

• 2, 17, 32, . . . , 2 + 15k;
• Other solutions?
• How do we solve the general case, e.g.

x ≡ 2 (mod 3)
x ≡ 3 (mod 5)

Simultaneous congruences

Problem: Solve the following system of congruences:

a_1 x ≡ b_1 (mod m_1)
a_2 x ≡ b_2 (mod m_2)
. . .
a_n x ≡ b_n (mod m_n)


The congruences a_i x ≡ b_i (mod m_i) can be solved separately (when solvable):

x ≡ c_1 (mod m_1)
x ≡ c_2 (mod m_2)
. . .
x ≡ c_n (mod m_n)

Simultaneous congruences

Problem: Solve the following system of congruences:

x ≡ c_1 (mod m_1)
x ≡ c_2 (mod m_2)
. . .
x ≡ c_n (mod m_n)

We can assume that m_1, m_2, . . . , m_n are pairwise relatively prime. If e.g. m_1 = m′_1 d and m_2 = m′_2 d with (m′_1, d) = (m′_2, d) = 1, then the first two congruences can be substituted with the following (proof later: a congruence modulo a product of relatively prime factors is equivalent to the congruences modulo the factors):

x ≡ c_1 (mod m′_1)
x ≡ c_1 (mod d)
x ≡ c_2 (mod m′_2)
x ≡ c_2 (mod d)

If here c_1 ≢ c_2 (mod d), then there is no solution; otherwise one of the two congruences modulo d can be deleted.

Chinese remainder theorem

Theorem 49 (Chinese remainder theorem). Let m_1, m_2, . . . , m_n > 1 be pairwise relatively prime integers and c_1, c_2, . . . , c_n integers. Then the system of congruences

x ≡ c_1 (mod m_1)
x ≡ c_2 (mod m_2)
. . .
x ≡ c_n (mod m_n)

can be solved, and the solutions are congruent to each other modulo m_1 · m_2 · · · m_n.

Chinese remainder theorem

x ≡ c_1 (mod m_1), x ≡ c_2 (mod m_2), . . ., x ≡ c_n (mod m_n). x = ?


Proof. Let m = m_1 m_2. Using the extended Euclidean algorithm solve the equation m_1 x_1 + m_2 x_2 = 1. Let c_{1,2} = m_1 x_1 c_2 + m_2 x_2 c_1. Then c_{1,2} ≡ c_j (mod m_j) for j = 1, 2 (modulo m_1: c_{1,2} ≡ m_2 x_2 c_1 = (1 − m_1 x_1) c_1 ≡ c_1, and similarly modulo m_2). If x ≡ c_{1,2} (mod m), then x is a solution of the first two congruences. Conversely, if x is a solution of the first two congruences, then m_1 and m_2 are divisors of x − c_{1,2}, therefore (being relatively prime) their product is also a divisor: x ≡ c_{1,2} (mod m). This gives us a system of congruences equivalent to the original:

x ≡ c_{1,2} (mod m_1 m_2)
x ≡ c_3 (mod m_3)
. . .
x ≡ c_n (mod m_n)

Then induction on n provides the proof.

Simultaneous congruences

Example 50 (Simultaneous congruences). Solve the following system of congruences:

x ≡ 2 (mod 3)
x ≡ 3 (mod 5)

• Let us solve the equation 3x_1 + 5x_2 = 1.
• The solution: x_1 = −3, x_2 = 2 ⇒ c_{1,2} = 3 · (−3) · 3 + 5 · 2 · 2 = −27 + 20 = −7.
• All the solutions: {−7 + 15k : k ∈ Z} = {8 + 15k : k ∈ Z}.

Simultaneous congruences

Example 51 (Example).

x ≡ 2 (mod 3)
x ≡ 3 (mod 5)
x ≡ 4 (mod 7)

With c_{1,2} = 8 this becomes

x ≡ 8 (mod 15)
x ≡ 4 (mod 7)

Example 52 (Example).
• Let us solve the equation 15x_{1,2} + 7x_3 = 1.
• Solutions: x_{1,2} = 1, x_3 = −2 ⇒ c_{1,2,3} = 15 · 1 · 4 + 7 · (−2) · 8 = 60 − 112 = −52.
• All the solutions: {−52 + 105ℓ : ℓ ∈ Z} = {53 + 105ℓ : ℓ ∈ Z}.
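The merging step of the proof (c_{1,2} = m_1 x_1 c_2 + m_2 x_2 c_1 with m_1 x_1 + m_2 x_2 = 1) carried out by a program, as an added example that is not part of the notes. It takes x_1 from Python's built-in modular inverse pow(m_1, −1, m_2) (Python 3.8 or later) instead of a hand-written extended Euclidean algorithm, and derives x_2 = (1 − m_1 x_1)/m_2, which is an integer. A second pair of functions goes beyond Theorem 49 to moduli that are not relatively prime, merging modulo the lcm and reporting the inconsistency c_1 ≢ c_2 (mod d) mentioned on the previous slide. The function names are the example's own. (This recombination is also what an RSA implementation does when it computes a result modulo p and modulo q separately and combines the two.)

```python
"""Chinese remainder theorem (Theorem 49) by pairwise merging, as in the proof.
Added example, not from the lecture notes."""
from math import gcd


def merge(c1: int, m1: int, c2: int, m2: int) -> tuple[int, int]:
    """Replace x ≡ c1 (mod m1), x ≡ c2 (mod m2) with (m1, m2) = 1 by the single
    congruence x ≡ c12 (mod m1*m2), using the notes' formula for c12."""
    if gcd(m1, m2) != 1:
        raise ValueError("moduli must be relatively prime")
    x1 = pow(m1, -1, m2)            # m1*x1 ≡ 1 (mod m2)  (built-in since Python 3.8)
    x2 = (1 - m1 * x1) // m2        # exact division: m2 | 1 - m1*x1
    assert m1 * x1 + m2 * x2 == 1   # the identity the proof starts from
    m = m1 * m2
    c12 = (m1 * x1 * c2 + m2 * x2 * c1) % m
    return c12, m


def crt(residues: list[int], moduli: list[int]) -> tuple[int, int]:
    """Solve x ≡ c_i (mod m_i) for pairwise relatively prime m_i > 1.
    Returns (x, M) with 0 <= x < M = m_1 * ... * m_n; the solution set is x + M*Z."""
    if not moduli or len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    c, m = residues[0] % moduli[0], moduli[0]
    for ci, mi in zip(residues[1:], moduli[1:]):
        c, m = merge(c, m, ci, mi)   # the induction step of the proof
    return c, m


def merge_general(c1: int, m1: int, c2: int, m2: int):
    """Merge without assuming (m1, m2) = 1.  Returns (c, lcm(m1, m2)), or None
    when c1 ≢ c2 (mod (m1, m2)), in which case there is no solution."""
    d = gcd(m1, m2)
    if (c2 - c1) % d != 0:
        return None
    m2d = m2 // d
    # x = c1 + m1*t must satisfy m1*t ≡ c2 - c1 (mod m2); divide by d (Theorem 43)
    t = ((c2 - c1) // d * pow(m1 // d, -1, m2d)) % m2d if m2d > 1 else 0
    m = m1 * m2d                     # = lcm(m1, m2)
    return (c1 + m1 * t) % m, m


def crt_general(residues: list[int], moduli: list[int]):
    """Like crt(), for arbitrary moduli; None if the system is inconsistent."""
    if not moduli or len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    state = (residues[0] % moduli[0], moduli[0])
    for ci, mi in zip(residues[1:], moduli[1:]):
        state = merge_general(state[0], state[1], ci, mi)
        if state is None:
            return None
    return state


if __name__ == "__main__":
    print(crt([2, 3], [3, 5]))        # (8, 15)
    print(crt([2, 3, 4], [3, 5, 7]))  # (53, 105)
```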

2.4 Residue classes

Residue classes

Often, the solution is not just one integer (or one family of integers), but an entire set of such families:

• 2x ≡ 5 (mod 7), solutions: {6 + 7k : k ∈ Z};
• 10x ≡ 8 (mod 22), solutions: {14 + 22k : k ∈ Z}, {3 + 22k : k ∈ Z}.


Definition 53 (Residue classes). For a fixed modulus m and an integer a, the integers congruent to a constitute the residue (or congruence) class represented by a: \bar{a} = {x ∈ Z : x ≡ a (mod m)} = {a + km : k ∈ Z}. The set of all residue classes modulo m is denoted by Z_m = {\bar{a} : 0 ≤ a < m}.

Example 54 (Residue class). The solution of 2x ≡ 5 (mod 7): \bar{6}. The solution of 10x ≡ 8 (mod 22): \overline{14}, \bar{3}. With modulus m = 7, \bar{2} = \overline{23} = {. . . , −5, 2, 9, 16, 23, 30, . . . }. Generally: \bar{a} = \bar{b} ⇔ a ≡ b (mod m).

Complete residue system

Definition 55 (Complete residue system). For a fixed modulus m, a complete residue system modulo m is a set containing exactly one element from each congruence class modulo m.

Example 56 (CRS). {33, −5, 11, −11, −8} is a complete residue system modulo 5 (the remainders are 3, 0, 1, 4, 2).

Popular choices for complete residue systems:

• Least non-negative residue system modulo m: {0, 1, . . . , m − 1};
• Least absolute value residue system modulo m:
  – {0, ±1, . . . , ±(m − 1)/2}, if 2 ∤ m;
  – {0, ±1, . . . , ±(m − 2)/2, m/2}, if 2 | m.

Reduced residue system

Remark. If one element of a congruence class is relatively prime to the modulus, then all the elements are too: (a + ℓm, m) = (a, m) = 1.

Definition 57 (Reduced residue system). For a fixed modulus m, a reduced residue system modulo m is a set containing exactly one element from each of the congruence classes whose elements are relatively prime to m.

For a fixed modulus m, if (a, m) = 1, then the residue class \bar{a} represented by a is a reduced residue class. The set of reduced residue classes is denoted by Z_m^* = {\bar{a} : 1 ≤ a < m, (a, m) = 1}.

Example 58 (RRS). {1, 2, 3, 4} is a reduced residue system modulo 5. {1, −1} is a reduced residue system modulo 3. {1, 19, 29, 7} is a reduced residue system modulo 8. {0, 1, 2, 3, 4} is not a reduced residue system modulo 5.

Operations on residue classes

Operations between residue classes can be defined in a natural way:

Definition 59 (Addition and multiplication). For a fixed modulus m and integers a, b let

\bar{a} + \bar{b} := \overline{a + b};   \bar{a} · \bar{b} := \overline{a · b}.


Proposition. This definition is meaningful, because if $\bar{a} = \overline{a^*}$, $\bar{b} = \overline{b^*}$, then $\overline{a + b} = \overline{a^* + b^*}$ and $\overline{a \cdot b} = \overline{a^* \cdot b^*}$.

Proof. Since $\bar{a} = \overline{a^*}$, $\bar{b} = \overline{b^*}$ $\Rightarrow$ $a \equiv a^* \pmod m$, $b \equiv b^* \pmod m$ $\Rightarrow$ $a + b \equiv a^* + b^* \pmod m$ $\Rightarrow$ $\overline{a + b} = \overline{a^* + b^*}$ $\Rightarrow$ $\bar{a} + \bar{b} = \overline{a^*} + \overline{b^*}$.

A similar proof applies to multiplication.

Residue classes
Operations between residue classes can be defined in a natural way: $\bar{a} + \bar{b} = \overline{a + b}$; $\bar{a} \cdot \bar{b} = \overline{a \cdot b}$.

Definition 60 (Operations). For a fixed modulus $m$, let $\mathbb{Z}_m$ be the set of residue classes modulo $m$. Then addition and multiplication can be defined on this set.

Example 61 ($\mathbb{Z}_3$, +).

  + | 0 1 2
  --+------
  0 | 0 1 2
  1 | 1 2 0
  2 | 2 0 1

Example 62 ($\mathbb{Z}_3$, ·).

  · | 0 1 2
  --+------
  0 | 0 0 0
  1 | 0 1 2
  2 | 0 2 1

Example

Example 63 ($\mathbb{Z}_4$, +).

  + | 0 1 2 3
  --+--------
  0 | 0 1 2 3
  1 | 1 2 3 0
  2 | 2 3 0 1
  3 | 3 0 1 2

Example 64 ($\mathbb{Z}_4$, ·).

  · | 0 1 2 3
  --+--------
  0 | 0 0 0 0
  1 | 0 1 2 3
  2 | 0 2 0 1
  3 | 0 3 2 1

Residue classes

Theorem 65 (Multiplicative group).

• Let $m > 1$ be an integer. If $1 < (a, m) < m$, then $\bar{a}$ is a zero divisor in $\mathbb{Z}_m$: for $\bar{a}$ there exists a $\bar{b} \ne \bar{0}$ such that $\bar{a} \cdot \bar{b} = \bar{0}$.

• If $(a, m) = 1$, then $\bar{a}$ has a reciprocal (multiplicative inverse) in $\mathbb{Z}_m$: for $\bar{a}$ there exists an $\bar{x}$ such that $\bar{a} \cdot \bar{x} = \bar{1}$.

• Ergo, if $m$ is prime, division by any non-zero residue class is possible.

Example 66 (Zero divisors and multiplicative inverse). Let $m = 9$. $\bar{6} \cdot \bar{3} = \overline{18} = \bar{0}$. $(2, 9) = 1$, so $\bar{2} \cdot \bar{5} = \overline{10} = \bar{1}$.


Proof. Let $d = (a, m)$. Then $a \cdot \frac{m}{d} = \frac{a}{d} \cdot m \equiv 0 \pmod m$, so with $b = m/d$ we get $\bar{a} \cdot \bar{b} = \bar{0}$. If $(a, m) = 1$, then using the extended Euclidean algorithm we can obtain integers $x, y$ such that $ax + my = 1$. Then $ax \equiv 1 \pmod m$, i.e. $\bar{a} \cdot \bar{x} = \bar{1}$.

2.5 Euler-Fermat theorem and the totient function

Euler's totient function $\varphi$

Definition 67 (Totient function). For an integer $m > 0$, let $\varphi(m)$ be the number of positive integers less than and relatively prime to $m$: $\varphi(m) = |\{i : 0 < i < m,\ (m, i) = 1\}|$.

Example 68 (Totient function).

• $\varphi(5) = 4$: integers relatively prime to 5: 1, 2, 3, 4;

• $\varphi(6) = 2$: integers relatively prime to 6: 1, 5;

• $\varphi(12) = 4$: integers relatively prime to 12: 1, 5, 7, 11;

• $\varphi(15) = 8$: integers relatively prime to 15: 1, 2, 4, 7, 8, 11, 13, 14.

Remark: $\varphi(m)$ is the number of reduced congruence classes modulo $m$.

Euler function
$\varphi(m) = |\{i : 0 < i < m,\ (m, i) = 1\}|$

Theorem 69 (Calculating $\varphi(n)$). Let the factorization of $m$ be $m = p_1^{e_1} p_2^{e_2} \cdots p_\ell^{e_\ell}$. Then

$$\varphi(m) = m \cdot \prod_{i=1}^{\ell} \left(1 - \frac{1}{p_i}\right) = \prod_{i=1}^{\ell} \left(p_i^{e_i} - p_i^{e_i - 1}\right) = \prod_{i=1}^{\ell} p_i^{e_i - 1} (p_i - 1)$$

Example 70 (Calculating $\varphi(n)$).

• $\varphi(5) = 5 \left(1 - \frac{1}{5}\right) = 4$;

• $\varphi(6) = 6 \left(1 - \frac{1}{2}\right) \left(1 - \frac{1}{3}\right) = 2$;

• $\varphi(12) = 12 \left(1 - \frac{1}{2}\right) \left(1 - \frac{1}{3}\right) = 4$;

• $\varphi(15) = 15 \left(1 - \frac{1}{3}\right) \left(1 - \frac{1}{5}\right) = 8$.

Euler-Fermat theorem

Theorem 71 (Euler-Fermat). Let $m > 1$ be an integer, $a$ an integer for which $(a, m) = 1$. Then $a^{\varphi(m)} \equiv 1 \pmod m$.

Theorem 72 (Fermat). Let $p$ be a prime, $p \nmid a$. Then $a^{p-1} \equiv 1 \pmod p$; or, for an arbitrary integer $a$, $a^p \equiv a \pmod p$. (A direct consequence of the Euler-Fermat theorem.)

Example 73 (Euler-Fermat theorem).

• $\varphi(6) = 2 \Rightarrow 5^2 = 25 \equiv 1 \pmod 6$;

• $\varphi(12) = 4 \Rightarrow 5^4 = 625 \equiv 1 \pmod{12}$; $7^4 = 2401 \equiv 1 \pmod{12}$.

• Caution! $2^4 = 16 \equiv 4 \not\equiv 1 \pmod{12}$, because $(2, 12) = 2 \ne 1$.
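The totient formula of Theorem 69, the Euler-Fermat check of Example 73 and the inverse-or-zero-divisor dichotomy of Theorem 65 in working code, as an added example that is not from the slides; the function names are my own, and the inverse is found with the extended Euclidean algorithm exactly as in the proof of Theorem 65.

```python
from math import gcd

def factorize(m):
    """Trial-division factorization of m > 1 into a dict {p: e}."""
    factors = {}
    p = 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:                       # what is left is a prime factor
        factors[m] = factors.get(m, 0) + 1
    return factors

def phi(m):
    """Euler's totient via Theorem 69: product of p^(e-1) * (p-1) over the factorization."""
    result = 1
    for p, e in factorize(m).items():
        result *= p ** (e - 1) * (p - 1)
    return result

def phi_by_counting(m):
    """Definition 67 directly: count 0 < i < m with (m, i) = 1 (slow; used as a cross-check)."""
    return sum(1 for i in range(1, m) if gcd(i, m) == 1)

def ext_gcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    g, x, y = ext_gcd(b, a % b)
    return (g, y, x - (a // b) * y)

def inverse_or_zero_divisor(a, m):
    """Theorem 65: if (a, m) = 1 return ('inverse', x) with a*x = 1 in Z_m,
    otherwise return ('zero_divisor', b) with b != 0 and a*b = 0 in Z_m."""
    d, x, _ = ext_gcd(a % m, m)
    if d == 1:
        return ("inverse", x % m)   # a*x + m*y = 1  =>  a*x = 1 (mod m)
    return ("zero_divisor", m // d) # a * (m/d) = (a/d) * m = 0 (mod m)

def euler_fermat_holds(a, m):
    """a^phi(m) = 1 (mod m) holds exactly when (a, m) = 1 (Theorem 71 and the Caution above)."""
    return pow(a, phi(m), m) == 1
```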


The proof of the Euler-Fermat theorem

Lemma. Let $m > 1$ be an integer, $a_1, a_2, \ldots, a_m$ a complete residue system modulo $m$. Then for all integers $a, b$, if $(a, m) = 1$, then $a \cdot a_1 + b, a \cdot a_2 + b, \ldots, a \cdot a_m + b$ is also a complete residue system. Further, if $a_1, a_2, \ldots, a_{\varphi(m)}$ is a reduced residue system modulo $m$, then $a \cdot a_1, a \cdot a_2, \ldots, a \cdot a_{\varphi(m)}$ is also a reduced residue system.

Proof. If $i \ne j$ then $a a_i + b \equiv a a_j + b \pmod m \Leftrightarrow a a_i \equiv a a_j \pmod m$. Since $(a, m) = 1$, we can divide by $a$: $a_i \equiv a_j \pmod m$. So $a \cdot a_1 + b, a \cdot a_2 + b, \ldots, a \cdot a_m + b$ are pairwise incongruent. Since we have $m$ different numbers, it is a complete residue system.

If $(a_i, m) = 1$, then $(a, m) = 1 \Rightarrow (a \cdot a_i, m) = 1$. Further $a \cdot a_1, a \cdot a_2, \ldots, a \cdot a_{\varphi(m)}$ are pairwise incongruent and their number is $\varphi(m)$ $\Leftrightarrow$ reduced residue system.

The proof of the Euler-Fermat theorem

Theorem 74 (Euler-Fermat). $(a, m) = 1 \Rightarrow a^{\varphi(m)} \equiv 1 \pmod m$.

Proof. Let $a_1, a_2, \ldots, a_{\varphi(m)}$ be a reduced residue system modulo $m$. Since $(a, m) = 1$ $\Rightarrow$ $a \cdot a_1, a \cdot a_2, \ldots, a \cdot a_{\varphi(m)}$ is also a reduced residue system. Therefore

$$a^{\varphi(m)} \prod_{j=1}^{\varphi(m)} a_j = \prod_{j=1}^{\varphi(m)} a \cdot a_j \equiv \prod_{j=1}^{\varphi(m)} a_j \pmod m$$

Because $\prod_{j=1}^{\varphi(m)} a_j$ is relatively prime to $m$, we can simplify:

$$a^{\varphi(m)} \equiv 1 \pmod m$$

Euler-Fermat theorem

Theorem 75 (Euler-Fermat). $(a, m) = 1 \Rightarrow a^{\varphi(m)} \equiv 1 \pmod m$.

Example 76 (E-F theorem).

• What is the last digit of $3^{111}$ in the decimal number system?

– What is $3^{111} \bmod 10$?
– $\varphi(10) = 4 \Rightarrow 3^{111} = 3^{4 \cdot 27 + 3} = (3^4)^{27} \cdot 3^3 \equiv 1^{27} \cdot 3^3 = 27 \equiv 7 \pmod{10}$

• Solve the congruence $2x \equiv 5 \pmod 7$!

– $\varphi(7) = 6$. Multiply both sides by $2^5$. Then
– $5 \cdot 2^5 \equiv 2^6 x \equiv x \pmod 7$. And now $5 \cdot 2^5 = 5 \cdot 32 \equiv 5 \cdot 4 = 20 \equiv 6 \pmod 7$.

• Solve the congruence $23x \equiv 4 \pmod{211}$!

– $\varphi(211) = 210$. Multiply both sides by $23^{209}$. Then
– $4 \cdot 23^{209} \equiv 23^{210} x \equiv x \pmod{211}$. And now $4 \cdot 23^{209} \equiv \ldots \pmod{211}$.


Exponentiation by squaring (fast exponentiation)
Let $m, a, n$ be positive integers, $m > 1$. We would like to calculate the remainder $a^n \bmod m$ efficiently. Write $n$ in the base 2 (binary) numeral system:

$$n = \sum_{i=0}^{k} \varepsilon_i 2^i = (\varepsilon_k \varepsilon_{k-1} \ldots \varepsilon_1 \varepsilon_0)_{(2)} \quad \text{where } \varepsilon_0, \varepsilon_1, \ldots, \varepsilon_k \in \{0, 1\}$$

Let $n_j$ ($0 \le j \le k$) be the number defined by the first $j + 1$ digits: $n_j = \lfloor n / 2^{k-j} \rfloor = (\varepsilon_k \varepsilon_{k-1} \ldots \varepsilon_{k-j})_{(2)}$. Then for each $j$ compute the remainder $x_j \equiv a^{n_j} \pmod m$: $n_0 = \varepsilon_k = 1$, $x_0 = a$. $n_j = 2 \cdot n_{j-1} + \varepsilon_{k-j}$ $\Rightarrow$

$$x_j = a^{\varepsilon_{k-j}} x_{j-1}^2 \bmod m = \begin{cases} x_{j-1}^2 \bmod m, & \text{if } \varepsilon_{k-j} = 0 \\ a \cdot x_{j-1}^2 \bmod m, & \text{if } \varepsilon_{k-j} = 1 \end{cases}$$

$\Rightarrow x_k = a^n \bmod m$. The correctness follows from the following formula (Proof HW): $a^n = \prod_{i=0}^{k} \left(a^{2^i}\right)^{\varepsilon_i}$ where $n = \sum_{i=0}^{k} \varepsilon_i 2^i$.

Fast exponentiation

Example 77 (Fast exponentiation). How much is $3^{111} \bmod 10$? (Euler-Fermat $\Rightarrow$ 7)

$111_{(10)} = 1101111_{(2)}$, here $k = 6$, $a = 3$.

  j | ε_{k−j} | x_j = a^{ε_{k−j}} · x_{j−1}^2 | x_j mod 10
  --+---------+-------------------------------+-----------
  0 | 1       | –                             | 3
  1 | 1       | x_1 = 3 · 3^2                 | 7
  2 | 0       | x_2 = 7^2                     | 9
  3 | 1       | x_3 = 3 · 9^2                 | 3
  4 | 1       | x_4 = 3 · 3^2                 | 7
  5 | 1       | x_5 = 3 · 7^2                 | 7
  6 | 1       | x_6 = 3 · 7^2                 | 7

Fast exponentiation

Example 78 (Linear congruence with fast exponentiation). Let us solve the congruence $23x \equiv 4 \pmod{211}$. Euler-Fermat $\Rightarrow$ $x \equiv 4 \cdot 23^{209} \equiv \ldots \pmod{211}$. How much is $23^{209} \bmod 211$?

$209_{(10)} = 11010001_{(2)}$, here $k = 7$, $a = 23$.

  j | ε_{k−j} | x_j = a^{ε_{k−j}} · x_{j−1}^2 | x_j mod 211
  --+---------+-------------------------------+------------
  0 | 1       | –                             | 23
  1 | 1       | x_1 = 23 · 23^2               | 140
  2 | 0       | x_2 = 140^2                   | 188
  3 | 1       | x_3 = 23 · 188^2              | 140
  4 | 0       | x_4 = 140^2                   | 188
  5 | 0       | x_5 = 188^2                   | 107
  6 | 0       | x_6 = 107^2                   | 55
  7 | 1       | x_7 = 23 · 55^2               | 156

$x \equiv 4 \cdot 23^{209} \equiv 4 \cdot 156 \equiv 202 \pmod{211}$.
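The left-to-right squaring loop described above, carried out in code as an added example that is not part of the slides; `fast_pow_trace` returns the same (j, ε_{k−j}, x_j) rows as the tables of Examples 77 and 78, and `solve_linear_congruence_prime` applies the Fermat trick of Example 76 to finish the congruence of Example 78 (all function names are my own, and n is assumed to be at least 1).

```python
def binary_digits(n):
    """Digits (eps_k, ..., eps_0) of n >= 1 in base 2, most significant first."""
    return [int(d) for d in bin(n)[2:]]

def fast_pow_trace(a, n, m):
    """Exponentiation by squaring, processing the binary digits of n from the top.
    Returns (a^n mod m, trace) where trace[j] = (j, eps_{k-j}, x_j mod m),
    i.e. one row per line of the tables in Examples 77 and 78."""
    digits = binary_digits(n)          # eps_k ... eps_0, with eps_k = 1 since n >= 1
    x = a % m                          # x_0 = a, because n_0 = eps_k = 1
    trace = [(0, digits[0], x)]
    for j in range(1, len(digits)):
        eps = digits[j]                # eps_{k-j}: the digit appended to n_{j-1}
        x = (x * x) % m                # n_j = 2 * n_{j-1}       -> square
        if eps == 1:
            x = (a * x) % m            # n_j = 2 * n_{j-1} + 1   -> multiply by a
        trace.append((j, eps, x))
    return x, trace                    # x_k = a^n mod m

def solve_linear_congruence_prime(a, b, p):
    """Solve a*x = b (mod p) for a prime p with p not dividing a, as in Example 76:
    multiply both sides by a^(p-2), since a^(p-1) = 1 (mod p) by Fermat."""
    a_inv, _ = fast_pow_trace(a, p - 2, p)   # a^(p-2) is the inverse of a modulo p
    return (b * a_inv) % p
```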


2.6 The multiplicative group

Generators

Theorem 79 (Generating the multiplicative group). Let $p$ be a prime. Then in $\mathbb{Z}_p^*$ there exists a generator (primitive root), i.e. there is an integer $1 < g < p$ which yields every reduced congruence class when raised to different integer powers: $\{\overline{g^0} = \bar{1}, \bar{g}, \overline{g^2}, \ldots, \overline{g^{p-1}}\} = \mathbb{Z}_p^*$, i.e. $\{1 = g^0, g \bmod p, g^2 \bmod p, \ldots, g^{p-1} \bmod p\} = \{1, 2, \ldots, p-1\}$.

Example 80 (3 is a generator modulo 7).

$3^1 = 3 = 3^0 \cdot 3 \equiv 1 \cdot 3 = 3 \equiv 3 \pmod 7$
$3^2 = 9 = 3^1 \cdot 3 \equiv 3 \cdot 3 = 9 \equiv 2 \pmod 7$
$3^3 = 27 = 3^2 \cdot 3 \equiv 2 \cdot 3 = 6 \equiv 6 \pmod 7$
$3^4 = 81 = 3^3 \cdot 3 \equiv 6 \cdot 3 = 18 \equiv 4 \pmod 7$
$3^5 = 243 = 3^4 \cdot 3 \equiv 4 \cdot 3 = 12 \equiv 5 \pmod 7$
$3^6 = 729 = 3^5 \cdot 3 \equiv 5 \cdot 3 = 15 \equiv 1 \pmod 7$

Generator

Example 81 (2 mod 11 and mod 7).

• 2 is a generator modulo 11

  n          | 1 2 3 4  5 6 7 8 9 10
  2^n mod 11 | 2 4 8 5 10 9 7 3 6  1

• 2 is not a generator modulo 7

  n         | 1 2 3 4 5 6
  2^n mod 7 | 2 4 1 2 4 1

2.7 Discrete logarithm

Discrete logarithm

Definition 82 (Discrete logarithm). Let $p$ be a prime, $g$ a generator modulo $p$. Then for $a \in \mathbb{Z}$ with $p \nmid a$, the base $g$ discrete logarithm (or index) of $a$ is:

$$\log_g a = n : \quad a \equiv g^n \pmod p,\ 0 \le n < p - 1.$$

Example 83 (3 is a generator mod 7).

  n   | 1 2 3 4 5 6
  3^n | 3 2 6 4 5 1

  3^n | 3 2 6 4 5 1
  n   | 1 2 3 4 5 6

Example 84 (Discrete logarithm).

  a       | 3 2 6 4 5 1
  log_3 a | 1 2 3 4 5 6

  a       | 1 2 3 4 5 6
  log_3 a | 6 2 1 4 5 3


Discrete logarithm

Example 85 (a). 2 is a generator modulo 11

  n          | 1 2 3 4  5 6 7 8 9 10
  2^n mod 11 | 2 4 8 5 10 9 7 3 6  1

Table of logarithms:

  a       |  1 2 3 4 5 6 7 8 9 10
  log_2 a | 10 1 8 2 4 9 7 3 6  2

Theorem 86 (Properties of the discrete logarithm). Let $p$ be a prime, $g$ a generator modulo $p$, $1 \le a, b < p$, $n \in \mathbb{Z}$. Then

$$\log_g(a \cdot b) \equiv \log_g a + \log_g b \pmod{p - 1}$$
$$\log_g(a^n) \equiv n \cdot \log_g a \pmod{p - 1}$$

2.8 Applications

Applications

Fields of application of number theory:

• Cryptography

– encryption of messages;
– digital signatures;
– authentication and authorization,

• Coding theory

Caesar cipher (code)
Julius Caesar communicated with his soldiers using the following cipher. Let us match the letters of the (English) alphabet with the set $\{0, 1, \ldots, 25\}$:

  a ↦ 0
  b ↦ 1
  c ↦ 2
  ...
  z ↦ 25

• Encryption key $s \in \{0, 1, \ldots, 25\}$.

• Encryption: For $a \in \{0, 1, \ldots, 25\}$ encrypt $a$ using the map $a \mapsto a + s \bmod 26$. The encryption is letter-wise.

• Decryption: For $b \in \{0, 1, \ldots, 25\}$ decrypt $b$ using the map $b \mapsto b - s \bmod 26$. Decryption is letter-wise.

Example 87 (Caesar - Rot13). Encryption of hello using $s = 13$ as the key:
hello → 7 4 11 11 14 → (encryption) → 20 17 24 24 1 → uryyb. Decryption with the key $s = 13$:
uryyb → 20 17 24 24 1 → (decryption) → 7 4 11 11 14 → hello


Caesar cipher (code)
For the key $s = 13$ we have Rot13. Encryption and decryption is done with the same key: $-13 \equiv 13 \pmod{26}$. This cipher is not secure: it can be cracked by analyzing the frequency of occurrence of letters (al-Kindi, 9th century A.D.). If we use different (random) keys at different positions in the message $\Rightarrow$ security is mathematically proven. In practice: One Time Pad (OTP).

• Message in binary form: $m = 100100101$

• Key: binary sequence: $s = 010110110$

• Encryption: bitwise XOR (mod 2 addition):

      m = 100100101
  XOR s = 010110110
      c = 110010011

Crucial point: transferring the secret key $s$.

RSA
Ron Rivest, Adi Shamir and Leonard Adleman suggested the following method in 1977:

RSA encryption

• Generating the keys: Let $p, q$ be two (big, ~1024 bit) primes, $n = p \cdot q$.

• Let $e \in \{1, \ldots, \varphi(n)\}$, so that $(e, \varphi(n)) = 1$.

• Let $d$ be the solution of the congruence $ex \equiv 1 \pmod{\varphi(n)}$.

• Keys: public key $(n, e)$ and private (secret) key $d$.

• Encryption of the message $0 \le m < n$: $c = m^e \bmod n$.

• Decryption of an encrypted message $0 \le c < n$: $m = c^d \bmod n$.

Correctness of the algorithm

$$c^d \equiv (m^e)^d = m^{e \cdot d} = m^{k \cdot \varphi(n) + 1} \overset{\text{E-F}}{\equiv} m \pmod n$$

RSA
Actually $m$ is just a key for another encryption. The procedure is secure, because we cannot efficiently factorize the product $n = p \cdot q$.

Problem

• Find the divisors of the following numbers.

RSA-100 = 5226050279225333605356183781326374297180681149613806886 57908494580122963258952897654000350692006139

RSA-2048= 25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992 68739280728777673597141834727026189637501497182469116507761337985909570009733045974880842840179742910064245869181719511874612151517265463228221686998754918242 24336372590851418654620435767984233871847744479207399342365848238242811981638150106748104516603773060562016196762561338441436038339044149526344321901146575444 54178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357


RSA

Factorization of RSA-2048:

• Trial division (the sieve of Eratosthenes): for a number $n$ about $\sim \sqrt{n}$ divisions are needed:

• RSA-2048 $\sim 2^{2048}$, $\sim 2^{1024}$ divisions.

• For $\sim 10^9 \approx 2^{30}$ divisions per second $\Rightarrow$ $2^{1024} / 2^{30} = 2^{994}$ seconds are needed to factorise.

– $2^{994}$ seconds $\approx 2^{969}$ years.

• The same with 2 computers: $2^{968}$ years.

– The same with the best (known) algorithm: 2500000000000000000000000000000 years ($= 2.5 \cdot 10^{30}$)

– The age of the universe: $1.38 \cdot 10^{10}$ years.

RSA

Example 88 (RSA).

• Generating the keys:

– Let $p = 61$, $q = 53$ and $n = 61 \cdot 53 = 3233$, $\varphi(3233) = 3120$.
– Let $e = 17$. Using the extended Euclidean algorithm: $d = 2753$.
– Public key: $(n = 3233, e = 17)$;
– Private (secret) key: $d = 2753$.

• Encryption: Let $m = 65$.

– $c = 2790 \equiv 65^{17} \pmod{3233}$

• Decryption: If $c = 2790$:

– $2790^{2753} \equiv 65 \pmod{3233}$

Digital signature

• $e$ and $d$ change roles (separate keys are needed for encryption):

• Signature: Let $s = m^d \bmod n$; then the signed message is $(m, s)$.

• Verification: $m \overset{?}{\equiv} s^e \pmod n$.


Diffie-Hellman key exchange protocol
The first public key cryptography system was developed by Whitfield Diffie and Martin Hellman, and published in 1976.

  Alice                                          Bob
  chooses: $a \in_R \{0, 1, \ldots, p-2\}$        chooses: $b \in_R \{0, 1, \ldots, p-2\}$
                    $g^a \longrightarrow$
                    $\longleftarrow g^b$
  calculates: $(g^b)^a$                           calculates: $(g^a)^b$
  common key: $g^{ab}$                            common key: $g^{ab}$

• Public parameters:

– $p$ (large) prime, $g$ generator mod $p$.

• Keys:

– Alice's private key $a$: $1 \le a < p - 1$, public key $g^a \bmod p$
– Bob's private key $b$: $1 \le b < p - 1$, public key $g^b \bmod p$

• Common key: $g^{ab} \bmod p$.

Diffie-Hellman key exchange protocol
The protocol is secure, because calculating the discrete logarithm is hard. If $p \sim 2^{2048}$ (2048 bits), calculating the discrete logarithm takes $\sim 10^{30}$ years.

Example 89 (Diffie-Hellman).

• Public parameters: Let $p = 11$, $g = 2$.

• Keys:

– Alice's private key $a = 4$, public key $2^4 \bmod p = 5$
– Bob's private key $b = 8$, public key $2^8 \bmod p = 3$

• Common key: $(g^b)^a = 3^4 \bmod p = 4$, $(g^a)^b = 5^8 \bmod p = 4$.
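The discrete-logarithm tables of Examples 83 to 85 and the Diffie-Hellman run of Example 89 as one added Python example (not the slides' code; all function names are my own). `discrete_log` follows Definition 82 by exhaustive search, which only works because p = 11 is tiny, and `key_from_public_values` is the computation whose infeasibility for a 2048-bit p the security claim above rests on.

```python
def power_table(g, p):
    """Row g^n mod p for n = 1, ..., p-1, as in the tables of Examples 81, 83 and 85."""
    return [pow(g, n, p) for n in range(1, p)]

def is_generator(g, p):
    """g generates Z_p^* iff g^1, ..., g^(p-1) run through every class 1, ..., p-1."""
    return sorted(power_table(g, p)) == list(range(1, p))

def discrete_log(g, a, p):
    """Definition 82: the n with 0 <= n < p-1 and g^n = a (mod p).
    Exhaustive search, about p multiplications, so feasible only for tiny p."""
    if a % p == 0:
        raise ValueError("a must not be divisible by p")
    x = 1                                  # x = g^n mod p, starting from g^0
    for n in range(p - 1):
        if x == a % p:
            return n
        x = (x * g) % p
    raise ValueError("g is not a generator modulo p")

def diffie_hellman(p, g, a, b):
    """One run of the protocol with private keys a (Alice) and b (Bob).
    Returns (Alice's public key, Bob's public key, Alice's key, Bob's key)."""
    A = pow(g, a, p)                       # g^a mod p, sent to Bob
    B = pow(g, b, p)                       # g^b mod p, sent to Alice
    return A, B, pow(B, a, p), pow(A, b, p)   # (g^b)^a and (g^a)^b, both g^(ab) mod p

def key_from_public_values(p, g, A, B):
    """What someone who sees only A and B must do to obtain the common key:
    take a discrete logarithm. Cheap for p = 11, hopeless for a 2048-bit p."""
    return pow(B, discrete_log(g, A, p), p)
```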
