Number Theory

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

September 27, 2023

Why Number Theory?

• Public-key cryptography is more convenient

• All known constructions of public-key cryptography rely on hard number-theoretic problems

  • Factoring a product of two large primes
  • Discrete logarithms in cyclic groups

Diffie-Hellman Protocol

• Consider a finite set G which is closed under exponentiation with natural numbers
• For every n \in \mathbb{N} and g \in G, we have g^n \in G
• Assume G is a large set, say |G| \ge 2^{256}
• Also assume “discrete logarithms” are hard in G, i.e. it is difficult to estimate n given g^n
• Alice sends g^a and Bob sends g^b over a public channel
• Both can compute a shared secret g^{ab}

Primes and Divisibility

Divisors

• For a, b \in \mathbb{Z}, we say that a divides b if there exists an integer c such that b = ac
  • Written as a \mid b
  • If a does not divide b, we write a \nmid b
• Observation: If a \mid b and a \mid c, then a \mid (Xb + Yc) for any X, Y \in \mathbb{Z}.
• If a \mid b and a is positive, we call a a divisor of b.

Primes

• If a \mid b and a \notin \{1,b\} then a is called a nontrivial divisor, or a factor, of b.

• A positive integer p > 1 is prime if it has no factors, i.e. it has only two divisors: 1 and itself.

• A positive integer greater than 1 that is not prime is called composite

  • By convention, the number 1 is neither prime nor composite.

Fundamental Theorem of Arithmetic

• Every integer greater than 1 can be expressed uniquely as a product of primes, up to ordering

• Any positive integer N > 1 can be written as N = \prod_i p_i^{e_i} where p_i’s are distinct primes and the e_i’s are integers such that e_i \ge 1 for all i.

Division with Remainder

• Proposition: Let a be an integer and let b be a positive integer. Then there exist unique integers q, r for which a = qb + r and 0 \le r < b.

• We write r = a \bmod b

• Integers q and r can be computed in poly(\| a \|, \| b \|) time

  • \| a \| denotes the length of the binary representation of a
  • For example, \|3\| = 2 and \|17\| = 5

Proof of proposition uses the well-ordering principle of the integers. Any non-empty set of non-negative integers has a least element. Theorem 1.4 in Shoup

Greatest Common Divisor

Greatest Common Divisor

• The greatest common divisor of two integers a,b not both zero, written \gcd(a, b), is the largest integer c such that c \mid a and c \mid b.

  • \gcd(a,b) \ge 1
  • The value \gcd(0,0) is undefined.
  • For b \ge 1, \gcd(b,0) = \gcd(0,b) = b.
  • If p is a prime, then \gcd(a,p) is either 1 or p.

• If \gcd(a, b) = 1, we say that a and b are relatively prime

Euclidean Algorithm

• Algorithm: \textsf{GCD}(a,b)

• Input: Integers a, b with a \ge b > 0

• Output: \gcd(a,b)

  1. If b divides a, return b
  2. Else, return \textsf{GCD}(b, a \bmod b)

• If a = qb+r, then \gcd(a,b) = \gcd(b,r)

• Algorithm runs in time \mathcal{O}(\| a \| \times\| b \|)

Theorem 4.2 of Shoup

Another View of the Euclidean Algorithm

\begin{align*} a & = r_0,\\ b & = r_1,\\ r_0 & = r_1 q_1 + r_2 \quad (0 < r_2 < r_1),\\ & \vdots \\ r_{i-1} & = r_i q_i + r_{i+1} \quad (0 < r_{i+1} < r_i),\\ & \vdots \\ r_{\lambda-2} & = r_{\lambda-1} q_{\lambda-1} + r_{\lambda} \quad (0 < r_{\lambda} < r_{\lambda-1}),\\ r_{\lambda-1} & = r_{\lambda} q_{\lambda} \quad\quad\quad\quad\quad (r_{\lambda+1} = 0). \end{align*}

GCD as a Linear Combination

• Proposition: Let a,b be positive integers. Then there exist integers X, Y such that Xa + Yb = \gcd(a,b). Furthermore, \gcd(a,b) is the smallest positive integer that can be expressed this way.

• Proof

  • Consider the set I = \{\hat{X}a + \hat{Y}b \mid \hat{X}, \hat{Y} \in \mathbb{Z}\}
  • Let d be the smallest positive integer in I
  • We claim that d = \gcd(a,b)

Extended Euclidean Algorithm

\begin{align*} a & = r_0,\\ b & = r_1,\\ r_0 & = r_1 q_1 + r_2 \quad (0 < r_2 < r_1),\\ & \vdots \\ r_{\lambda-2} & = r_{\lambda-1} q_{\lambda-1} + r_{\lambda} \quad (0 < r_{\lambda} < r_{\lambda-1}),\\ r_{\lambda-1} & = r_{\lambda} q_{\lambda} \quad\quad\quad\quad\quad (r_{\lambda+1} = 0). \end{align*}

Additionally, define

\begin{align*} s_0 = 1, &\quad t_0 = 0\\ s_1 = 0, &\quad t_1 = 1\\ s_{i+1} = s_{i-1} - s_iq_i, &\quad t_{i+1} = t_{i-1} - t_i q_i \end{align*}

for i \in \{1,\ldots,\lambda\}

Proposition: For i=0,1,\ldots,\lambda+1, we have a s_i + b t_i = r_i. In particular as_\lambda + b t_\lambda = \gcd(a,b)

Two Useful Results

• Proposition: Let c \mid ab and \gcd(a, c) = 1, then c \mid b. Thus, if p is prime and p \mid ab then either p \mid a or p \mid b.
• Proposition: Let a \mid N, b \mid N and \gcd(a, b) = 1, then ab \mid N.

Modular Arithmetic

Congruences

• Let a,b,N \in \mathbb{Z} with N > 1
• Notation [a \bmod N] denotes the remainder of a upon division by N
• We say that a and b are congruent modulo N, written a = b \bmod N, if [a \bmod N] = [b \bmod N].
• Note that a = b \bmod N if and only if N \mid (a-b).

Division modulo N

• Congruence modulo N obeys the standard rules of arithmetic with respect to addition, subtraction, and multiplication

• But not division in general

• a = a' \bmod N and b = b' \bmod N does not necessarily mean a/b = a'/b' \bmod N

  • For example, 6 = 30 \bmod 24. But 3 \neq 15 \bmod 24.

Multiplicative Inverses

• For b \in \mathbb{Z}, if there exists c \in \mathbb{Z} such that bc = 1 \bmod N, we say b is invertible modulo N

  • We call c a multiplicative inverse of b modulo N.

  • We denote the multiplicative inverse of b by b^{-1}

• Mult. inverses modulo N are unique when they exist

• Division by b modulo N is only defined when b is invertible modulo N

• Proposition: Let b, N be integers with b \ge 1 and N > 1. Then b is invertible modulo N \iff \gcd(b, N) = 1.

Group Theory

Definition of a Group

• Let G be a set. A binary operation \circ on G is simply a function with domain G \times G.

• For g, h \in G, we write g \circ h to represent \circ (g, h).

• A group is a set G along with a binary operation which satisfies:

  • Closure: For all g, h \in G, g \circ h \in G.
  • Existence of identity: There exists an identity e \in G such that for all g \in G, e \circ g = g \circ e = g.
  • Existence of inverses: For all g \in G there exists an element h \in G such that g \circ h = h \circ g = e. Such an h is called the inverse of g.
  • Associativity: For all g_1, g_2, g_3 \in G, (g_1 \circ g_2) \circ g_3 = g_1 \circ (g_2 \circ g_3).

Examples of Groups

• \mathbb{R} with +

• \mathbb{R} \setminus \{0\} with \times

• \mathbb{R} is not a group with subtraction as the operation

• For a set S, the set of bijective functions f: S \mapsto S with function composition as the operator

• When the binary operation is understood, we simply call the set G a group.

Finite Groups

• If G has a finite number of elements, we say G is a finite group

  • We use |G| to denote the order of the group

  • Example: \mathbb{Z}_N = \{0,1,\ldots, N-1\} under modulo N addition for N > 1

• Corollary: There exists a group of every finite order N \ge 1

Additive and Multiplicative Notation

• Instead of an operator like \circ we will use additive or multiplicative notation.

• Additive notation

  • Group operation on g,h is denoted by g+h
  • The inverse of g is denoted by -g
  • We will write h-g to mean h + (-g)
  • The identity of the group will be denoted by 0.

• Multiplicative notation

  • Group operation on g,h is denoted by gh
  • The inverse of g is denoted by g^{-1}
  • The identity of the group will be denoted by 1

Cancellation Law

• The usual cancellation law is valid for any group.

• Lemma Let G be a group and a,b,c \in G. If ac = bc, then a = b.

Some Useful Results

• The identity in a group is unique

• Each element g in a group has a unique inverse

• For every g \in G, \left( g^{-1} \right)^{-1} = g

• For every g,h \in G, \left( gh \right)^{-1} = h^{-1}g^{-1}

Abelian Groups

• A group is abelian if for all g, h \in G, g h = h g.

  • Example of non-abelian group: The set of bijective functions on \{x_1, x_2, x_3\} under composition operation

• Cryptography typically involves finite abelian groups

Group Exponentiation

• For a positive integer m, and group element g mg = m \cdot g = \underbrace{g+\cdots+g}_{m \text{ times}}

  • For positive integers m, m', mg + m'g = (m+m')g
  • In abelian groups, mg+ mh = m(g+h)

• For a positive integer m, and group element g g^m = \underbrace{g\cdots g}_{m \text{ times}}

  • For positive integers m, m', g^m \cdot g^{m'} = g^{m+m'}
  • In abelian groups, g^m\cdot h^m = (gh)^{m}

• For zero or negative integers, we define

  • 0 g = 0 and g^0 = 1
  • (-m)g = m(-g)
  • Note that (-m)g = -(mg)
  • g^{-m} = \left(g^{-1}\right)^m
  • Note that g^{-m} = \left(g^{m}\right)^{-1}

Subgroups

Subgroups

• If G is a group, a nonempty subset H \subseteq G is a subgroup of G if H itself forms a group under the same operation associated with G.

  • Consider subgroups of \mathbb{Z}_6 = \{0,1,2,3,4,5\}.

• Every group G has the trivial subgroups G and \{e\} where e is the identity of G.

Alternate Characterizations of Subgroups

• Proposition A nonempty subset H of a group G is called a subgroup of G if and only if

  • g + h \in H for all g, h \in H.
  • -g \in H for all g \in H.

• Proposition A nonempty subset H of a finite group G is called a subgroup of G if and only if

  • g + h \in H for all g, h \in H.

Lagrange’s Theorem

• Lagrange’s Theorem If H is a subgroup of a finite group G, then |H| divides |G|.

  • Example: Consider \mathbb{Z}_6 = \{0,1,2,3,4,5\} again.

Cosets of a Subgroup

• Definition Let H be a subgroup of a group G. For any g \in G, the set H + g = \left\{ h+ g \mid h \in H \right\} is called a right coset of H.

• For abelian groups, there is only a notion of a coset as both right and left cosets are the same

• Example H = \left\{ 0,3 \right\} is a subgroup of \mathbb{Z}_6 = \left\{ 0,1,2,3,4,5 \right\}. It has right cosets

  • H + 0 = \left\{ 0,3 \right\}, H + 1 = \left\{ 1,4 \right\}, H + 2 = \left\{ 2,5 \right\},
  • H + 3 = \left\{ 0,3 \right\}, H + 4 = \left\{ 1,4 \right\}, H + 5 = \left\{ 2,5 \right\}.

Proof of Lagrange’s Theorem

• Lemma Two right cosets of a subgroup are either equal or disjoint.
• Lemma If H is a finite subgroup, then all its right cosets have the same cardinality.
• Proof follows from these two lemmas

Consequences of Lagrange’s Theorem

• Theorem: Let G be a finite group of order m. Then for any element g \in G, we have g^m = 1.

• Corollary: Let G be a finite group of order m > 1. Then for any element g \in G and any integer x, we have g^x = g^{[x \bmod m]}.

• Corollary: Let G be a finite group of order m > 1. Let e > 0 be an integer, and define the function f_e : G \mapsto G by f_e(g) = g^e.

  • If \gcd(e,m) = 1, then f_e is a bijection.
  • If d = e^{-1} \bmod m, then f_d is the inverse of f_e.

• To prove the theorem, consider the subgroup generated by g
• g^{k_2} = g^{k_1} for some k_2 > k_1 \ge 1. Let k_2 be the smallest such number. Then g^{k_2-k_1} = 1

The Group \mathbb{Z}_N^*

The Group \mathbb{Z}_N^*

• Recall that \mathbb{Z}_N = \{0,1,\ldots,N-1\} is a group under addition modulo N
• For N > 1, define the set \mathbb{Z}_N^* = \left\{ b \in \{1,\ldots,N-1\} \mid \gcd(b,N) = 1 \right\}
• Proposition: Let N > 1 be an integer. Then \mathbb{Z}_N^* is an abelian group under multiplication modulo N.

• The only tricky part of the proof is arguing that \gcd([ab \bmod N], N) = 1

Euler phi function

• The Euler phi function \phi: \mathbb{N} \mapsto \mathbb{N} is defined as

  • \phi(1) = 1
  • For N > 1, \phi(N) = |\mathbb{Z}_N^*|

• Properties

  • If p is a prime, then \phi(p) = p-1
  • If p is a prime and e is a positive integer, then \phi(p^e) = p^{e-1}(p-1)
  • If \gcd(p, q) = 1, then \phi(pq) = \phi(p)\phi(q)
  • Let N = \prod_{i} p_i^{e_i}, where the \{p_i\} are distinct primes and e_i \ge 1. Then \phi(N) = \prod_i p_i^{e_i-1}(p_i-1).

Previous Corollaries Applied to \mathbb{Z}_N^*

• Corollary: Let N > 1 and a\in \mathbb{Z}_N^*. Then a^{\phi(N)} = 1 \bmod N.

  • Fermat’s little theorem: If p is a prime, a \in \mathbb{Z} and p \nmid a, then a^{p-1} = 1 \bmod p.

• Corollary: Fix N > 1. For integer e > 0, define f_e: \mathbb{Z}_N^* \mapsto \mathbb{Z}_N^* by f_e(x) = [x^e \bmod N].

  • If \gcd(e,\phi(N)) = 1, then f_e is a bijection.
  • If d = e^{-1} \bmod \phi(N), then f_d is the inverse of f_e.

Chinese Remainder Theorem

There are certain things whose number is unknown. If we count them by threes, we have two left over; by fives, we have three left over; and by sevens, two are left over. How many things are there?

– Sunzi Suanjing, 3rd century CE

Group Isomorphism

• Definition: Groups (G, \star) and (H, \otimes) are isomorphic if there exists a bijection \phi : G \mapsto H such that \begin{equation*} \phi(\alpha \star \beta) = \phi(\alpha) \otimes \phi(\beta) \end{equation*} for all \alpha,\beta \in G
• If G and H are isomorphic, we write G \simeq H.
• Example: \{0,1\} with modulo 2 addition is isomorphic to \{1,-1\} with multiplication

Direct Product of Groups

• Given groups (G, \star) and (H, \otimes), we can define a new group G\times H as follows

  • The elements of G \times H are ordered pairs (g,h) with g \in G and h \in H

  • The group operation \circ of G \times H is defined as \begin{equation*} (g,h) \circ (g', h') = (g \star g', h \otimes h'). \end{equation*}

Chinese Remainder Theorem

• Theorem Let N = pq where p,q are integers greater than 1 which are relatively prime. Then \begin{equation*} \mathbb{Z}_N \simeq \mathbb{Z}_p \times \mathbb{Z}_q \text{ and } \mathbb{Z}_N^* \simeq \mathbb{Z}_p^* \times \mathbb{Z}_q^*. \end{equation*}
• Moreover, the function f : \mathbb{Z}_N \mapsto \mathbb{Z}_p \times \mathbb{Z}_q defined by \begin{equation*} f(x) = \left( [x \bmod p], [x \bmod q] \right) \end{equation*} is an isomorphism from \mathbb{Z}_N to \mathbb{Z}_p \times \mathbb{Z}_q
• The restriction of f to \mathbb{Z}_N^* is an isomorphism from \mathbb{Z}_N^* to \mathbb{Z}_p^* \times \mathbb{Z}_q^*

Going from \mathbb{Z}_p \times \mathbb{Z}_q to \mathbb{Z}_N

• How to go from (x_p, x_q) = (x \bmod p, x \bmod q) to x \bmod N?

  • Compute X,Y such that Xp + Yq = 1.
  • Set 1_p \coloneqq Yq \bmod N and 1_q \coloneqq Xp \bmod N.
  • Compute x \coloneqq x_p \cdot 1_p + x_q \cdot 1_q \bmod N.

• Lemma: Given integers x, p, q, we have \gcd(x,pq) = 1 if and only if \gcd(x,p) = 1 and \gcd(x,q) =1.

Extension of CRT

• An extension of the Chinese remainder theorem says that if p_1, p_2 \ldots, p_l are pairwise relatively prime (i.e., \gcd(p_i, p_j) = 1 for all i \neq j) and N = \Pi_{i=1}^l p_i, then \begin{align*} \mathbb{Z}_N & \simeq \mathbb{Z}_{p_1} \times \mathbb{Z}_{p_2} \times \cdots \times \mathbb{Z}_{p_l}, \\ \mathbb{Z}_N^* & \simeq \mathbb{Z}_{p_1}^* \times \mathbb{Z}_{p_2}^* \times \cdots \times \mathbb{Z}_{p_l}^*. \end{align*}

Using the CRT

• Example: \mathbb{Z}_{15}^* = \{1,2,4,7,8,11,13,14\} is isomorphic to \mathbb{Z}_3^* \times \mathbb{Z}_5^*.
• Compute 14 \cdot 13 \bmod 15
• Compute 11^{53} \bmod 15
• Compute 18^{25} \bmod 35

Examples 9.27, 9.28, 9.29 of KL

Inverting the f map in general

• Let m_1,m_2,\ldots,m_l be pairwise relatively prime positive integers with M = m_1 m_2 \cdots m_l

• Then the unique solution modulo M of the system of congruences \begin{align*} x & = a_1 \bmod m_1 \\ x & = a_2 \bmod m_2 \\ & \vdots \\ x & = a_l \bmod m_l \end{align*} is given by \begin{equation*} x = a_1 M_1 y_1 + a_2 M_2 y_2 + \cdots + a_l M_l y_l \end{equation*} where M_i = \frac{M}{m_i} and M_iy_i = 1 \bmod m_i.

pp 163, 164 of ENT by Rosen

Example

• Solve for x modulo 105 which satisfies the following congruences. \begin{align*} x & = 1 \bmod 3 \\ x & = 2 \bmod 5 \\ x & = 3 \bmod 7 \end{align*}

Further reading

• Sections 9.1, 9.2 of Katz and Lindell

• Sections 4.1, 4.2 of Shoup