Number-Theoretic Algorithms

Fahad Mehmood (15-NTU-1077)
M. Ahmad (15-NTU-1077)

Introduction:
Number theory was once viewed as a beautiful but largely useless subject in pure mathematics. Today number-theoretic algorithms are used widely, due in large part to the invention of cryptographic schemes based on large prime numbers.

These schemes are feasible because we can find large primes easily, and they are secure because we do not know how to factor the product of large primes (or solve related problems, such as computing discrete logarithms) efficiently. This chapter presents some of the number theory and related algorithms that underlie such applications.

Divisibility and divisors:
The notion of one integer being divisible by another is a central one in the theory of numbers. The notation d | a (read “d divides a”) means that a = kd for some integer k.

Every integer divides 0. If a > 0 and d | a, then |d| |a|. If d | a, then we also say that a is a multiple of d. If d does not divide a, we write. If d | a and d 0, we say that d is a divisor of a. Note that d | a if and only if -d | a, so that no generality is lost by defining the divisors to be nonnegative, with the understanding that the negative of any divisor of a also divides a. A divisor of an integer a is at least 1 but not greater than |a|.

For example, the divisors of 24 are 1, 2, 3, 4, 6, 8, 12, and 24. Every integer a is divisible by the trivial divisors 1 and a. Nontrivial divisors of a are also called factors of a. For example, the factors of 20 are 2, 4, 5, and 10.

Prime and composite numbers:
An integer a > 1 whose only divisors are the trivial divisors 1 and a is said to be a prime number (or, more simply, a prime). Primes have many special properties and play a critical role in number theory. The small primes, in order, are
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, ...

Exercise 33.1-1 asks you to prove that there are infinitely many primes. An integer a > 1 that is not prime is said to be a composite number (or, more simply, a composite).

For example, 39 is composite because 3 | 39. The integer 1 is said to be a unit and is neither prime nor composite. Similarly, the integer 0 and all negative integers are neither prime nor composite.

Greatest common divisor:

Euclid’s algorithm:
The following gcd algorithm is described in the Elements of Euclid (circa 300 B.C.), although it may be of even earlier origin.

EUCLID(a, b)
    if b == 0
        return a
    else return EUCLID(b, a mod b)

As an example of the running of EUCLID, consider the computation of gcd(30, 21):
EUCLID(30, 21) = EUCLID(21, 9) = EUCLID(9, 3) = EUCLID(3, 0) = 3.
In this computation, there are three recursive invocations of EUCLID.

The extended form of Euclid’s algorithm:

EXTENDED-EUCLID(a, b)
    if b == 0
        return (a, 1, 0)
    (d’, x’, y’) = EXTENDED-EUCLID(b, a mod b)
    (d, x, y) = (d’, y’, x’ - floor(a/b) * y’)
    return (d, x, y)

Modular arithmetic:
A group (S, ) is a set S together with a binary operation defined on S for which the following properties hold.
1. Closure: For all a, b S, we have a b S.
2. Identity: There is an element e S such that e a = a e = a for all a S.
3. Associativity: For all a, b, c S, we have (a b) c = a (b c).
4. Inverses: For each a S, there exists a unique element b S such that a b = b a = e.

Subgroups:
If (S, ) is a group, S’ S, and (S’, ) is also a group, then (S’, ) is said to be a subgroup of (S, ).

For example, the even integers form a subgroup of the integers under the operation of addition. The following theorem provides a useful tool for recognizing subgroups.

If (S, ) is a finite group and S’ is any subset of S such that a b S’ for all a, b S’, then (S’, ) is a subgroup of (S, ).

For example, the set {0, 2, 4, 6} forms a subgroup of Z_8, since it is closed under the operation + (that is, it is closed under +_8).

If (S, ) is a finite group and (S’, ) is a subgroup of (S, ), then |S’| is a divisor of |S|.

A subgroup S’ of a group S is said to be a proper subgroup if S’ S.

The following corollary will be used in our analysis of the Miller-Rabin primality test procedure.

If S’ is a proper subgroup of a finite group S, then |S’| |S|/2.

Solving modular linear equations:
Let d = gcd(a, n), and suppose that d = ax’ + ny’ for some integers x’ and y’ (for example, as computed by EXTENDED-EUCLID). If d | b, then the equation ax ≡ b (mod n) has as one of its solutions the value x_0, where
x_0 = x’(b/d) mod n.

Proof: Since ax’ ≡ d (mod n), we have
ax_0 ≡ ax’(b/d) (mod n) ≡ d(b/d) (mod n) ≡ b (mod n),
and thus x_0 is a solution to ax ≡ b (mod n).
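The EXTENDED-EUCLID procedure and the modular linear equation result above, as an added Python example that is not part of the original text. It goes one step beyond the statement above by returning all d solutions x_0 + i(n/d) for i = 0, ..., d - 1 rather than only x_0; the function names are chosen here.

```python
# Added example: EXTENDED-EUCLID and a solver for a*x ≡ b (mod n).

def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y (iterative form)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def solve_modular_linear(a, b, n):
    """Return every x in [0, n) with a*x ≡ b (mod n), in increasing order."""
    d, x_prime, _ = extended_euclid(a % n, n)
    if b % d:
        return []                      # d does not divide b: no solution
    x0 = (x_prime * (b // d)) % n      # the solution x_0 = x'(b/d) mod n
    step = n // d                      # the d solutions are n/d apart
    return sorted((x0 + i * step) % n for i in range(d))


def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n; requires gcd(a, n) = 1."""
    solutions = solve_modular_linear(a, 1, n)
    if len(solutions) != 1:
        raise ValueError("a has no inverse modulo n")
    return solutions[0]
```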

The Chinese remainder theorem:
Theorem: If m_1, m_2, …, m_k are relatively prime and a_1, a_2, …, a_k are integers, then
x ≡ a_1 (mod m_1)
x ≡ a_2 (mod m_2)
...
x ≡ a_k (mod m_k)
have a unique solution modulo m, where m = m_1 m_2 … m_k. (That is, there is a solution x with and all other solutions are congruent modulo m to this solution.)

Steps of solution:
(1) Compute m = m_1 m_2 … m_n.
(2) Determine M_1 = m/m_1; M_2 = m/m_2; …; M_n = m/m_n.
(3) Find the inverses of M_1 mod m_1, M_2 mod m_2, …, M_n mod m_n, which are y_1, y_2, …, y_n.
(4) Compute x = a_1 M_1 y_1 + a_2 M_2 y_2 + … + a_n M_n y_n.
(5) Solve x ≡ y (mod m).

Powers of an element:
Just as it is natural to consider the multiples of a given element a, modulo n, it is often natural to consider the sequence of powers of a, modulo n:
a^0, a^1, a^2, a^3, …

Raising to powers with repeated squaring:
Let b_k, b_(k-1), ..., b_1, b_0 be the binary representation of b. (That is, the binary representation is k + 1 bits long, b_k is the most significant bit, and b_0 is the least significant bit.) The following procedure computes a^c mod n as c is increased by doublings and incrementations from 0 to b.

MODULAR-EXPONENTIATION(a, b, n)
    c = 0
    d = 1
    let b_k, b_(k-1), ..., b_0 be the binary representation of b
    for i = k downto 0
        c = 2c
        d = (d * d) mod n
        if b_i == 1
            c = c + 1
            d = (d * a) mod n
    return d

The RSA public-key cryptosystem:
A public-key cryptosystem can be used to encrypt messages sent between two communicating parties so that an eavesdropper who overhears the encrypted messages will not be able to decode them. A public-key cryptosystem also enables a party to append an unforgeable “digital signature” to the end of an electronic message. Such a signature is the electronic version of a handwritten signature on a paper document. It can be easily checked by anyone, forged by no one, yet loses its validity if any bit of the message is altered.

It therefore provides authentication of both the identity of the signer and the contents of the signed message. It is the perfect tool for electronically signed business contracts, electronic checks, electronic purchase orders, and other electronic communications that must be authenticated.

Public-key cryptosystems:
The RSA public-key cryptosystem is based on the dramatic difference between the ease of finding large prime numbers and the difficulty of factoring the product of two large prime numbers.

In a public-key cryptosystem, each participant has both a public key and a secret key. Each key is a piece of information. For example, in the RSA cryptosystem, each key consists of a pair of integers. The participants “Alice” and “Bob” are traditionally used in cryptography examples; we denote their public and secret keys as P_A, S_A for Alice and P_B, S_B for Bob. Each participant creates his own public and secret keys. Each keeps his secret key secret, but he can reveal his public key to anyone or even publish it.

In fact, it is often convenient to assume that everyone’s public key is available in a public directory, so that any participant can easily obtain the public key of any other participant. The public and secret keys specify functions that can be applied to any message. Let denote the set of permissible messages. For example, might be the set of all finite-length bit sequences. We require that the public and secret keys specify one-to-one functions from to itself.

The function corresponding to Alice’s public key P_A is denoted P_A(), and the function corresponding to her secret key S_A is denoted S_A(). The functions P_A() and S_A() are thus permutations of . We assume that the functions P_A() and S_A() are efficiently computable given the corresponding key P_A or S_A. The public and secret keys for any participant are a “matched pair” in that they specify functions that are inverses of each other. That is,
M = S_A(P_A(M))

The RSA cryptosystem:
In the RSA public-key cryptosystem, a participant creates his public and secret keys with the following procedure.
1. Select at random two large prime numbers p and q. The primes p and q might be, say, 100 decimal digits each.
2. Compute n by the equation n = pq.
3. Select a small odd integer e that is relatively prime to (n), which, by equation (33.20), equals (p - 1)(q - 1).
4. Compute d as the multiplicative inverse of e, modulo (n). (Corollary 33.26 guarantees that d exists and is uniquely defined.)
5. Publish the pair P = (e, n) as his RSA public key.
6. Keep secret the pair S = (d, n) as his RSA secret key.
For this scheme, the domain is the set Z_n. The transformation of a message M associated with a public key P = (e, n) is
P(M) = M^e (mod n).

Primality testing:

The density of prime numbers:
For some applications (for example, cryptography), we need to find large “random” primes. Fortunately, large primes are not too rare, so that it is not too time-consuming to test random integers of the appropriate size until a prime is found. The prime distribution function (n) specifies the number of primes that are less than or equal to n. For example, (10) = 4, since there are 4 prime numbers less than or equal to 10, namely, 2, 3, 5, and 7.

The prime number theorem gives a useful approximation to (n).

WITNESS(a, n)
    let b_k, b_(k-1), ..., b_0 be the binary representation of n - 1
    d = 1
    for i = k downto 0
        x = d
        d = (d * d) mod n
        if d == 1 and x != 1 and x != n - 1
            return TRUE
        if b_i == 1
            d = (d * a) mod n
    if d != 1
        return TRUE
    return FALSE

MILLER-RABIN(n, s)
    for j = 1 to s
        a = RANDOM(1, n - 1)
        if WITNESS(a, n)
            return COMPOSITE
    return PRIME

Integer factorization:
Suppose we have an integer n that we wish to factor, that is, to decompose into a product of primes. The primality test of the preceding section would tell us that n is composite, but it usually doesn’t tell us the prime factors of n. Factoring a large integer n seems to be much more difficult than simply determining whether n is prime or composite. It is infeasible with today’s supercomputers and the best algorithms to date to factor an arbitrary 200-decimal-digit number.
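RSA rests on exactly this gap: the key holder, who knows p and q, computes d directly and can even decrypt modulo p and q separately. The added Python example below is not part of the original text; it combines MODULAR-EXPONENTIATION, the Chinese remainder theorem steps and the RSA key procedure from the earlier sections, and its function names and the toy primes 61 and 53 are chosen here.

```python
# Added example: RSA round trip built from the procedures described earlier.

def modular_exponentiation(a, b, n):
    """a**b mod n by repeated squaring, scanning the bits of b from the top."""
    d = 1
    for bit in bin(b)[2:]:
        d = (d * d) % n
        if bit == "1":
            d = (d * a) % n
    return d

def crt(residues, moduli):
    """Solve x ≡ a_i (mod m_i) for pairwise coprime m_i, following steps (1)-(5)."""
    m = 1
    for m_i in moduli:
        m *= m_i
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = m // m_i
        y_i = pow(M_i, -1, m_i)    # inverse of M_i modulo m_i (Python 3.8+)
        x += a_i * M_i * y_i
    return x % m

def rsa_keypair(p, q, e):
    """Steps 2-6 of the key procedure for already chosen primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # ValueError if e is not coprime to phi
    return (e, n), (d, n)

def rsa_decrypt_crt(c, d, p, q):
    """Decrypt with two half-size exponentiations, recombined by crt()."""
    m_p = modular_exponentiation(c % p, d % (p - 1), p)
    m_q = modular_exponentiation(c % q, d % (q - 1), q)
    return crt([m_p, m_q], [p, q])

# Constructed toy parameters, far too small for real use.
P, Q, E = 61, 53, 17
PUBLIC, SECRET = rsa_keypair(P, Q, E)
MESSAGE = 65
CIPHERTEXT = modular_exponentiation(MESSAGE, PUBLIC[0], PUBLIC[1])
RECOVERED = rsa_decrypt_crt(CIPHERTEXT, SECRET[0], P, Q)
```

Decrypting modulo p and q uses exponents d mod (p - 1) and d mod (q - 1), which is why an implementation that keeps p and q must protect them as carefully as d.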

Pollard’s rho heuristic:
Trial division by all integers up to B is guaranteed to factor completely any number up to B^2. For the same amount of work, the following procedure will factor any number up to B^4 (unless we’re unlucky). Since the procedure is only a heuristic, neither its running time nor its success is guaranteed, although the procedure is very effective in practice.

POLLARD-RHO(n)
    i = 1
    x_1 = RANDOM(0, n - 1)
    y = x_1
    k = 2
    while TRUE
        i = i + 1
        x_i = (x_(i-1)^2 - 1) mod n
        d = gcd(y - x_i, n)
        if d != 1 and d != n
            print d
        if i == k
            y = x_i
            k = 2k
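WITNESS, MILLER-RABIN and POLLARD-RHO combined into a complete factoring routine, as an added Python example that is not part of the original text. It goes beyond POLLARD-RHO as written by restarting from a new random value when a run yields only the trivial divisor n, and by using MILLER-RABIN to decide when a factor needs no further splitting; the function names are chosen here.

```python
# Added example: primality testing and rho factoring used together.
import math
import random

def witness(a, n):
    """True if a proves odd n > 2 composite, following WITNESS."""
    d = 1
    for bit in bin(n - 1)[2:]:
        x = d
        d = (d * d) % n
        if d == 1 and x != 1 and x != n - 1:
            return True          # nontrivial square root of 1 modulo n
        if bit == "1":
            d = (d * a) % n
    return d != 1                # a^(n-1) mod n != 1

def miller_rabin(n, s=20, rng=random):
    """False: certainly composite. True: prime with high probability."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return not any(witness(rng.randint(1, n - 1), n) for _ in range(s))

def pollard_rho(n, rng=random):
    """Return a nontrivial factor of composite n, restarting when needed."""
    if n % 2 == 0:
        return 2
    while True:
        x = y = rng.randint(0, n - 1)
        i, k = 1, 2
        while True:
            i += 1
            x = (x * x - 1) % n
            d = math.gcd(y - x, n)
            if d == n:
                break            # only the trivial divisor: new start value
            if d != 1:
                return d
            if i == k:
                y, k = x, 2 * k

def factorize(n):
    """Prime factorization of n >= 2 as a sorted list."""
    if miller_rabin(n):
        return [n]               # never split a (probable) prime
    d = pollard_rho(n)
    return sorted(factorize(d) + factorize(n // d))
```

MILLER-RABIN errs only by calling a composite prime, so pollard_rho is never handed a prime and its restart loop cannot run forever on one.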