finite fields and number theory - india’s premier ...2).pdf · group • if a group has a finite...
TRANSCRIPT
UNIT II
FINITE FIELDS AND NUMBER THEORY
Group
• A group G, sometimes denoted by {G, .}, is a set ofelements with binary operations denoted as ., thatassociates to each ordered pair (a,b) of elements in Gan element(a . b) in G, such that the following axiomsare obeyed
Axioms obeyed
– (A1)Closure : If a and b belong to G, then a.b is also in G
– (A2)Associative law:(a.b).c = a.(b.c)– (A3)Identity e: e.a = a.e = a– (A4)Inverse a-1: a.a-1 = e
• if (A5)commutative a.b = b.a– then forms an abelian group
Group
• If a group has a finite no. of elements FINITE Group
• Order is equal to the no. of elements in the group
• if commutative a.b = b.a– then forms an abelian group
Cyclic Group
• Exponentiation is repeated application of group operator– example: a3 = a.a.a
• and let identity be: e=a0
• a group is cyclic if every element is a power of some fixed element– ie b = ak for some a and every b in group
• a is said to be a generator G of the group• Eg: Additive group of integers is an infinite cyclic group, generated by element 1.
Ring
• A ring R, sometimes denoted by {R, +, x}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in R the following axioms are obeyed
Ring
• an abelian group with addition operation • (M1) closure under multiplication• (M2) associativity of multiplication• (M3) distributive : a(b+c) = ab + ac
(a+b)c = ac + bc• Eg:
n‐square matrices over the real numbers form a ring• (M4) commutative • Eg: S be the set of even integers under usual operations of addition
and multiplication is a commutative ring
Ring
• Integral Domain– (M5) Multiplicative identity : There is an element 1 in R such
that a1= 1a=a– (M6) No Zero divisors : If a, b in R and ab=0, then
either a=0 0r b=0• Eg: Set of integers positive, negative, Zero under usual operations of
addition and multiplication
Field
• A field F, sometimes denoted by {F, +, x}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed
• (A1‐M6) F is an integral domain
• (M7) multiplicative inverse: For each a in F, except 0, there is an element a‐1 such that aa‐1 =(a‐1)a=1
• Eg : rational numbers, real numbers, complex numbers
Divisors
• We say that a nonzero b divides a if a=mb for some m, where a, b, and m are integers. That is, b divides a if there is no remainder on division. The notation b|a is commonly used to mean b divides a. Also, if b|a, we say that b is divisor of a
Relations
• If a|1, then a=±1• If a|b and b|a, then a=±b• Any b ≠ 0 divides 0;• If b|g and b|h, then b|(mg+nh) for arbitaryintegers m and n.– If b|g, then g is of the form g=b×g1 for some integer g1
– If b|h, then h is of the form h=b×h1 for some integer h1
Properties of Congruences
• Congruences have the following properties:– a ≡ b(mod n) if n|(a-b)– a ≡ b(mod n) implies b ≡ a(mod n)...
– a ≡ b(mod n) and b ≡ c(mod n) imply a ≡ c(mod n)
Modular Arithmetic operations
• Properties– [(a mod n)+(b mod n)] mod n=(a+b) mod n
– [(a mod n)‐(b mod n)] mod n=(a‐b) mod n
– [(a mod n)×(b mod n)] mod n=(a×b) mod n
Exponentiation
• 117 mod 13• 112= 121 ≡ 4(mod 13)
• 114= (112)2 = 42 ≡ 3 mod 13• 117 mod 13 = 11×4×3 ≡ 132 ≡ 2 mod 13
Modulo 8 Example
Properties of Modular Arithmetic
• Define the set Zn as the set of non negative integers less than n:Zn={0,1,…..(n‐1)}
• This is set of residues or residue classes modulo n.
• Eg: residue class modulo 4 are• [0]={…,‐16,‐12,‐8,‐4,0,4,8,12,16,….}• [1]={….,‐15,‐11,‐7,‐3,1,5,9,13,17,……}• [2]={….,‐14,‐10,‐6,‐2,2,6,10,14,18,…}• [3]={….,‐13,‐9,‐5,‐1,3,7,11,15,19,….}
Modulo 7 Example
... -21 -20 -19 -18 -17 -16 -15 -14 -13 -12 -11 -10 -9 -8-7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 67 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 ...
Modular Arithmetic
• (a+b) ≡ (a+c) mod n then b ≡ c mod n
• (a×b) ≡ (a×c) mod n then b ≡ c mod n if a and n are relatively prime
Greatest Common Divisor (GCD)
• a common problem in number theory
• GCD (a,b) of a and b is the largest number that divides evenly into both a and b – eg GCD(60,24) = 12
• often want no common factors (except 1) and hence numbers are relatively prime– eg GCD(8,15) = 1– hence 8 & 15 are relatively prime
Euclid's GCD Algorithm
• an efficient way to find the GCD(a,b)• uses theorem that: – GCD(a,b) = GCD(b, a mod b)
• Euclid's Algorithm to compute GCD(a,b):• Assumption : a > b > 0 1. A->a, B->b2. If B=0 return A=gcd(a,b)3. R = A mod B4. A <- B5. B <- R6. goto 2
Algorithm Progression
• A1=B1×Q1+R1
• A2=B2 ×Q2+R2
• A3=B3 ×Q3+R3
• A4=B4 ×Q4+R4
Find GCD
• 465,527• 1970,1066• 24140,16762• 4655,12075• 46189,1066• 1197,5320• 4389,133• 2106,2784
Example GCD(1970,1066)
1970 = 1 x 1066 + 904 gcd(1066, 904)1066 = 1 x 904 + 162 gcd(904, 162)904 = 5 x 162 + 94 gcd(162, 94)162 = 1 x 94 + 68 gcd(94, 68)94 = 1 x 68 + 26 gcd(68, 26)68 = 2 x 26 + 16 gcd(26, 16)26 = 1 x 16 + 10 gcd(16, 10)16 = 1 x 10 + 6 gcd(10, 6)10 = 1 x 6 + 4 gcd(6, 4)6 = 1 x 4 + 2 gcd(4, 2)4 = 2 x 2 + 0 gcd(2, 0)
Galois Fields
• finite fields play a key role in cryptography
• can show number of elements in a finite field must be a power of a prime pn
• known as Galois fields
• denoted GF(pn)
• in particular often use the fields:– GF(p)– GF(2n)
Galois Fields GF(p)
• GF(p) is the set of integers {0,1, … , p‐1} with arithmetic operations modulo prime p
• these form a finite field– since have multiplicative inverses
• hence arithmetic is “well‐behaved” and can do addition, subtraction, multiplication, and division without leaving the field GF(p)
Example GF(7)
Finding Inverses• can extend Euclid’s algorithm:• Gcd(m,b) = 1 & m > b
EXTENDED EUCLID(m, b)1. (A1, A2, A3)=(1, 0, m);
(B1, B2, B3)=(0, 1, b)2. if B3 = 0
return A3 = gcd(m, b); no inverse3. if B3 = 1
return B3 = gcd(m, b); B2 = b–1 mod m4. Q = A3 div B35. (T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)6. (A1, A2, A3)=(B1, B2, B3)7. (B1, B2, B3)=(T1, T2, T3)8. goto 2
– mT1+bT2=T3 mA1+bA2=A3 mB1+bB2=B3
Find Multiplicative Inverse
• 1759,550
• 23,120
• 1234 mod 4321
• 550 mod 1769
Inverse of 550 in GF(1759)
Polynomial Arithmetic
• can compute using polynomials
• several alternatives available– ordinary polynomial arithmetic– poly arithmetic with coords mod p– poly arithmetic with coords mod p and polynomials mod M(x)
Ordinary Polynomial Arithmetic
• add or subtract corresponding coefficients
• multiply all terms by each other
• eg– let f(x) = x3 + x2 + 2 and g(x) = x2 – x + 1f(x) + g(x) = x3 + 2x2 – x + 3
f(x) – g(x) = x3 + x + 1
f(x) x g(x) = x5 + 3x2 – 2x + 2
Polynomial Arithmetic with Modulo Coefficients
• when computing value of each coefficient do calculation modulo some value
• could be modulo any prime
• but we are most interested in mod 2– ie all coefficients are 0 or 1– eg. let f(x) = x3 + x2 and g(x) = x2 + x + 1f(x) + g(x) = x3 + x + 1
f(x) x g(x) = x5 + x2
Modular Polynomial Arithmetic
• can write any polynomial in the form:– f(x) = q(x) g(x) + r(x)– can interpret r(x) as being a remainder– r(x) = f(x) mod g(x)
• if have no remainder say g(x) divides f(x)• if g(x) has no divisors other than itself & 1 say it is irreducible (or prime) polynomial
• arithmetic modulo an irreducible polynomial forms a field
Polynomial GCD
• can find greatest common divisor for polys– c(x) = GCD(a(x), b(x)) if c(x) is the poly of greatest degree
which divides both a(x), b(x)– can adapt Euclid’s Algorithm to find it:– EUCLID[a(x), b(x)]1. A(x) = a(x); B(x) = b(x)2. 2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]3. R(x) = A(x) mod B(x)4. A(x) ¨ B(x)5. B(x) ¨ R(x)6. goto 2
Modular Polynomial Arithmetic
• can compute in field GF(2n) – polynomials with coefficients modulo 2
– whose degree is less than n– hence must reduce modulo an irreducible poly of degree n (for multiplication only)
• form a finite field
• can always find an inverse– can extend Euclid’s Inverse algorithm to find
Example GF(23)
Prime Numbers
• prime numbers only have divisors of 1 and self
– they cannot be written as a product of other numbers
• eg. 2,3,5,7 are prime
• prime numbers are central to number theory
• list of prime number less than 200 is: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191
193 197 199
Prime Factorisation
• to factor a number n is to write it as a product of other numbers: n=a x b x c
• note that factoring a number is relatively hard compared to multiplying the factors together to generate the number
• the prime factorisation of a number n is when its written as a product of primes – eg. 91=7x13 ; 3600=24x32x52
Prime Factorisation
• Any positive integer a can be written uniquely as
• The integer 12 is represented by { a2=2,a3=1}
• The integer 18 is represented by { a2=1,a3=2}
Relatively Prime Numbers & GCD
• two numbers a, b are relatively prime if have no common divisors apart from 1 – eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor
• conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers– eg. 300=22x31x52 18=21x32 henceGCD(18,300)=21x31x50=6
Fermat's Theorem
• ap-1 ≡ 1 (mod p)– where p is prime and gcd(a,p)=1
• also known as Fermat’s Little Theorem• also ap ≡ a (mod p)
• useful in public key and primality testing
Fermat’s theorem
• Consider the set of positive integers less than p : {1,2,…p‐1}
• Multiply each element by a, modulo p• X= {a mod p,2a mod p…(p‐1)a mod p}• So none of the elements of X is Zero because p does not divide a and no two integers are equal
• To see,• Assume ja ≡ ka(mod p) 1 ≤ j < k ≤ p-1• Since a and p are relatively prime eliminate a resulting in j ≡ k(mod p)
• This is not possible as j and k are positive integer less than p• So (p‐1) elements of X are all positive integers and no two
numbers are equal
Fermat’s Theorem
• a × 2a × ….. × (p‐1) ≡ [1 × 2 × ….. × (p‐1)](mod p)• ap-1 (p-1)!≡ (p-1)!(mod p)• We cancel (p-1)! Term because it is relatively prime to p
Ex. a=7,p=1972=49 ≡ 11 mod 1974 ≡121 ≡ 7 mod 1978 ≡49 ≡11 mod 19716 ≡121 ≡7 mod 19
718= 716 x 72 ≡ 7x11 ≡ 1 mod 19
Euler Totient Function ø(n)
• when doing arithmetic modulo n the complete set of residues is: 0..n-1
• reduced set of residues is those numbers (residues) which are relatively prime to n
– eg for n=10, – complete set of residues is {0,1,2,3,4,5,6,7,8,9}
– reduced set of residues is {1,3,7,9} • number of elements in reduced set of residues is called the Euler Totient Function ø(n)
Euler Totient Function ø(n)
• to compute ø(n) need to count number of residues to be excluded
• in general need prime factorization, but– for p (p prime) ø(p) = p-1– for p.q (p,q prime) ø(pq) =(p-1)x(q-1)
• eg.ø(37) = 36ø(21) = (3–1)x(7–1) = 2x6 = 12
Euler's Theorem
• a generalisation of Fermat's Theorem • aø(n) ≡ 1 (mod n)– for any a,n where gcd(a,n)=1
• eg.a=3;n=10; ø(10)=4; hence 34 = 81 = 1 mod 10
a=2;n=11; ø(11)=10;hence 210 = 1024 = 1 mod 11
Proof of Euler’s Thorem
• Theorem true if n is prime, because ø(n) =(n‐1) & fermat’s thm holds.
• Consider the set of integers, as R={x1,x2,..x ø(n)} • That is each element xi of R is a unique positive integer less than n with gcd(x i,n)=1
• Now multiply with a, modulo n• S={(ax1 mod n), (ax2 mod n).....(a x ø(n) mod n)}• The set S is permutation of R, by the reasons below– Because a is relatively prime to n & xi is relatively prime to n, axi must also be relatively prime
– No duplicates if ax i mod n ≡ axj mod n, then xi =xj
Testing of Primality
• To test a large no for primality Miller Rabin Algorithm is used
• Any positive odd integer n ≥ 3 can be expressed as
• n‐1 =2kq with k>0, q odd
• To see• n‐1 is an even integer• Divide (n‐1) by 2 until we get a odd number q as result for a total of k divisions
• If n a binary no just shift the no to right until the rightmost is 1, for a total of k shifts
Properties of Prime no
• First Property– If p is prime and a is a positive integer less than p, then a2 mod p=1 if and only if either a mod p= 1 or a mod p = ‐1 mod p= p‐1
– (a mod p)( a mod p) = a2 mod p
– Thus either a mod p = 1 or a mod p = ‐1 then a2
mod p =1
– Conversly if a2 mod p =1, (a mod p)2 = 1 which is true only for a mod p= 1 or a mod p = ‐1
Properties of Prime no
• Second PropertyLet p be a prime number >2,then p‐1=2kq,with k>0,
q odd.[1 of the following conditions is true]1. aq ≡ 1 mod p2. One of the numbers aq,a2q,a4q,…a2
k-1q is congruent to -1 mod p.
Miller Rabin Algorithm
• a test based on Fermat’s Theorem• algorithm is:
TEST (n) is:1. Find integers k, q, k > 0, q odd, so that (n–1)=2kq2. Select a random integer a, 1<a<n–13. if aq mod n = 1 then return (“maybe prime");4. for j = 0 to k – 1 do5. if (a2
jq mod n = n-1)then return(" maybe prime ")
6. return ("composite")
Probabilistic Considerations
• if Miller‐Rabin returns “composite” the number is definitely not prime
• otherwise is a prime or a pseudo‐prime
• chance it detects a pseudo‐prime is < 1/4• hence if repeat test with different random a then chance n is prime after t tests is:– Pr(n prime after t tests) = 1‐4‐t
– eg. for t=10 this probability is > 0.99999
Distribution of primes
• prime number theorem states that primes near n are spaced on the average one every (ln n) integers
• All even numbers can be immediately rejected, so it is 0.5 ln(n).
• so in practice need only test 0.5 ln(n)numbers of size n to locate a prime
• Eg: for numbers round 2^200 would check 0.5ln(2^200) = 69 numbers on average.
• This is only an average, can see successive odd primes, or long runs of composites.
Chinese Remainder Theorem
• CRT says it is possible to reconstruct integers ina certain range from their residues modulo aset of pair wise relatively prime moduli.
• Ex., 10 integers in Z10(0 to 9),can be reconstructedfrom their two residues modulo 2 and 5(relatively prime factors of 10).
• The known residues of a digit x are• r2=0 (x mod 2=0 )and r5=3(x mod 5=3)• Unique solution for x?
CRT
• Let M = where the mi are pair wise relatively prime.• Represent any integer A in ZM by a k‐tuple whoseelements are in Zmi
using the followingcorrespondenceA ↔ (a1,a2,….,ak)
where ai = A mod mi . CRT makes 2 assertions1. The mapping of above equation is one‐to‐one
correspondence between ZM and cartesian productZm1 x Zm2 x ….. Zmk.
2. Operations performed on the elements of ZM can beequivalently performed on corresponding k‐tuples.
∏=
k
iim
1
First assertion:• Transformation from A to (a1,a2,…ak) is unique.• i.e., ai=A mod mi.(ai is unique)• to compute A(mod M)– Let Mi = M/mi for 1≤i≤ K[Mi=m1 x m2…x mi‐1 x mi+1x…mk]. Let
• Now compute,
• Second assertion can be stated as follows.
If A ↔ (a1,a2,….,ak)and B ↔ (b1,b2,….,bk)then
(A+B) mod m↔((a1+b1)mod m1,…,(ak+bk)mod mk)(A-B) mod m↔((a1-b1)mod m1,…,(ak-bk)mod mk)(AxB) mod m↔((a1xb1)mod m1,…,(akxbk)mod mk)
Discrete Logarithms• from Euler’s theorem have aø(n) ≡ 1 mod n • Consider general expression am≡1(mod n),• If a and n are relatively prime, then there is at least 1
integer m that satisfies above equation. The least positive exponent is referred in many ways– The order of a(mod n)– The exponent to which a belongs (mod n)– The length of the period generated by a.
• Consider the powers of 7 mod 1971 ≡7 mod 19,72 ≡11 mod 19,73 ≡1 mod 19,74 ≡7 mod 19,75 ≡11 mod 19Length of the period is smallest +ve exponent m such that 7m ≡1 mod 19
Primitive root• Some of the sequences are of length 18.• If a is a primitive root of p(prime number),thena,a2,…ap-1 are distinct(mod p).
Primitive roots of 19 -?• Not all integers have primitive roots. Only
integers with primitive roots are of the form2,4,pα and 2pα , where p is any odd prime andα is positive integer.
a a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16 a17 a18
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
2 4 8 16 13 7 14 9 18 17 15 11 3 6 12 5 10 1
3 9 8 5 15 7 2 6 18 16 10 11 14 4 12 17 13 1
4 16 7 9 17 11 6 5 1 4 16 7 9 17 11 6 5 1
5 6 11 17 9 7 16 4 1 5 6 11 17 9 7 16 4 1
6 17 7 4 5 11 9 16 1 6 17 7 4 5 11 9 16 1
7 11 1 7 11 1 7 11 1 7 11 1 7 11 1 7 11 1
8 7 18 11 12 1 8 7 18 11 12 1 8 7 18 11 12 1
9 5 7 6 16 11 4 17 1 9 14 7 13 16 8 4 2 1
10 5 12 6 3 11 15 17 18 9 14 7 13 16 8 4 2 1
11 7 1 11 7 1 11 7 1 11 7 1 11 7 1 11 7 1
12 11 18 7 8 1 12 11 18 7 8 1 12 11 18 7 8 1
13 17 12 4 14 11 10 16 18 6 2 7 15 5 8 9 3 1
14 6 8 17 10 7 3 4 18 5 13 11 2 9 12 16 15 1
15 16 12 9 2 11 13 5 18 4 3 7 10 17 8 6 14 1
16 9 11 5 4 7 17 6 1 16 9 11 5 4 7 17 6 1
17 4 11 16 6 7 5 9 1 17 4 11 16 6 7 5 9 1
Logarithms for Modular Arithmetic
• the inverse problem to exponentiation is to find the discrete logarithm of a number modulo p
• that is to find x such that y = gx (mod p)• this is written as x = logg y (mod p)• if g is a primitive root then it always exists, otherwise it may not, eg.x = log3 4 mod 13 has no answer x = log2 3 mod 13 = 4 by trying successive powers
Logarithms for Modular Arithmetic
• while exponentiation is relatively easy, finding discrete logarithms is generally a hard problem
• For any integer b and primitive root a of prime p, find a unique exponent such that
b≡ai(mod p)i is referred to as discrete logarithm of number b for the base
a(mod p)
• dloga,p(1)=0 since a0 mod p=1• dloga,p(a)=1 since a1 mod p=a