Lecture Notes: Number Theory and Cryptography, by Matt Kerr
Contents

Introduction

Part 1. Primes and divisibility
  Chapter 1. The Euclidean Algorithm
  Chapter 2. Primes and factorization
  Chapter 3. The distribution of primes
  Chapter 4. The prime number theorem

Part 2. Congruences
  Chapter 5. Modular arithmetic
  Chapter 6. Consequences of Fermat's theorem
  Chapter 7. The Chinese Remainder Theorem
  Chapter 8. Primality and compositeness testing
  Chapter 9. Groups, rings, and fields
  Chapter 10. Primitive roots
  Chapter 11. Prime power moduli and power residues

Part 3. Introduction to cryptography
  Chapter 12. Symmetric ciphers
  Chapter 13. Public key cryptography
  Chapter 14. Discrete log problem
  Chapter 15. RSA Cryptosystem
  Chapter 16. Introduction to PARI
  Chapter 17. Breaking RSA

Part 4. Diophantine equations
  Chapter 18. A first view of Diophantine equations
  Chapter 19. Quadratic Diophantine equations
  Chapter 20. Units in quadratic number rings
  Chapter 21. Pell's equation and related problems
  Chapter 22. Unique factorization in number rings
  Chapter 23. Elliptic curves
  Chapter 24. Elliptic curves over $\mathbb{F}_p$

Part 5. Elliptic cryptosystems
  Chapter 25. Elliptic curve discrete log problem (ECDLP)
  Chapter 26. Elliptic curve cryptography
  Chapter 27. Lenstra's factorization algorithm
  Chapter 28. Pairing-based cryptography
  Chapter 29. Divisors and the Weil pairing

Part 6. Algebraic numbers
  Chapter 30. Algebraic number fields
  Chapter 31. Discriminants and algebraic integers
  Chapter 32. Ideals in number rings
  Chapter 33. The ideal class group
  Chapter 34. Fermat's Last Theorem for regular exponents

INTRODUCTION

Number theory has its roots in the study of the properties of the natural numbers $\mathbb{N} = \{1, 2, 3, \dots\}$ and various "extensions" thereof, beginning with the integers $\mathbb{Z} = \{\dots, -2, -1, 0, 1, 2, \dots\}$ and rationals $\mathbb{Q} = \{\tfrac{a}{b} \mid a, b \in \mathbb{Z},\ b \neq 0\}$. This leads directly to the first two parts of this course, of which the following may serve as a brief outline.

∗ ∗ ∗

I. Divisibility.
• Euclidean algorithm and greatest common divisors.
• Primes and the Fundamental Theorem of Algebra.
• Results and conjectures concerning primes: Euclid's theorem; the Riemann zeta function; arithmetic progressions.

II. Congruences.
• Modular (clock) arithmetic: $a^{p-1} \equiv 1 \pmod p$ and its generalizations.
• Chinese remainder theorem: given $x \equiv a \pmod p$ and $x \equiv b \pmod q$, find $x \pmod{pq}$.
• A first view of primality testing and factorization.
• Groups, rings and fields (especially finite abelian groups and finite fields).
• Primitive roots modulo a prime: e.g. $3 \cdot 3 \equiv 2 \pmod 7$, so 2 has a square root mod 7!
• Quadratic reciprocity: e.g., if 37 is a square modulo 11, this allows you to decide without computation whether 11 is a square modulo 37 (which it is).

III. Cryptography (a first look).
• Simple cryptosystems and symmetric ciphers.
• Public key cryptography: answers the question "How can two parties communicate securely over an insecure channel without first privately exchanging some kind of 'key' to each other's messages?" They need a trapdoor function $f$ that can be used to encode information easily but is hard to invert without knowing "extra information".
• Diffie-Hellman key exchange (based on the difficulty of solving $a^x \equiv b \pmod p$ for $x$) and the discrete log problem.
• RSA cryptosystem: this is based on the difficulty of solving $x^e \equiv c \pmod N$ when $N = pq$.
• Introduction to GP-PARI (computer package for number theory).
• Pollard $p - 1$ factorization method: this helps us understand when RSA could be potentially broken.

IV. Diophantine equations.
• This is the part of number theory that studies polynomial equations in integers or rationals. A famous example is the insolubility of $x^m + y^m = z^m$ (apart from the "trivial" solution $(0, 0, 0)$) for $m \geq 3$, known as Fermat's last theorem (proved by Andrew Wiles).
• Pythagoras's theorem and Fibonacci numbers.
• Pell's equation ($x^2 - dy^2 = \pm 1$) and quadratic number fields.
• Cubic equations and the group law for elliptic curves.¹

V. Elliptic curve cryptography.
• The security of using elliptic curves for cryptography rests on the difficulty of solving an analogue of the discrete log problem.
• We can also use the group law on an elliptic curve to factor large numbers (Lenstra's algorithm).
• A deeper, more flexible sort of cryptosystem can be obtained from the "Weil pairing" on $m$-torsion points of an elliptic curve.

VI. Algebraic numbers.
• These appeared under the guise of "ideal numbers" in the mid-19th century. Easy examples include $a + b\sqrt{-1}$, where $a, b \in \mathbb{Z}$.
• Cyclotomic fields and an "easy" case of Fermat's last theorem.
• Failure of unique factorization in general.
• Irrationality and Galois groups.
• Ideals and class groups.
• Fermat's last theorem (less easy case, still far from the whole thing).

¹ Confusing terminology: these are not ellipses, which are defined by a quadratic equation $\frac{x^2}{a^2} + \frac{y^2}{b^2} = 1$, but rather are defined by cubic (and sometimes quartic) equations such as $y^2 = x^3 + ax + b$ (or $y^2 = (1 - x^2)(1 - k^2x^2)$). They are called "elliptic" for the arcane historical reason that a related "elliptic integral"
$$\int_0^1 \frac{1 - k^2x^2}{\sqrt{(1 - x^2)(1 - k^2x^2)}}\, dx$$
arises in the course of determining the arclength of an ellipse.

∗ ∗ ∗

Now the natural numbers have a well-defined notion of order, which leads to the following property:

THEOREM 1 (Principle of the least element). Let $S \subset \mathbb{N}$ be a nonempty subset. Then $S$ has a least element, i.e. there exists $s \in S$ such that for every $x \in S$, $s \leq x$. (This also applies to $\mathbb{N} \cup \{0\}$.)

Theorem 1 implies the well-known

THEOREM 2 (Principle of mathematical induction).
Let $S(x)$ be a statement about any $x \in \mathbb{N}$. Suppose that (i) $S(1)$ is true and (ii) $S(x)$ true $(\forall x < n) \implies S(n)$ true. Then $S(x)$ is true for all $x \in \mathbb{N}$.

PROOF THAT THEOREM 1 $\implies$ THEOREM 2. Assume that (i) and (ii) hold, and suppose that $F := \{x \in \mathbb{N} \mid S(x) \text{ false}\}$ is nonempty. Then $F$ has a least element $f$, by Theorem 1. Hence, for any $x < f$, we have $x \notin F$, i.e. $S(x)$ is true. Now consider the following two cases:
• $f = 1$: impossible, as it contradicts (i).
• $f > 1$: by (ii), $S(f)$ is then true, contradicting $f \in F$.
Therefore our supposition was absurd, and $F$ is empty. □

PART 1. Primes and divisibility

CHAPTER 1. The Euclidean Algorithm

We begin our discussion with the division algorithm:

PROPOSITION 3. Given $a, b \in \mathbb{N}$, there exist unique $q, r \in \mathbb{Z}$ such that $a = b \cdot q + r$ with $0 \leq r < b$.

Of course, the "algorithm" isn't in the formal statement, but in how we produce $q$ and $r$.

EXAMPLE 4. Suppose $a = 313$ and $b = 9$. In grade school, you learned to write out the long division: 9 goes into 31 three times ($27$), leaving $31 - 27 = 4$; bringing down the 3 gives 43; 9 goes into 43 four times ($36$), leaving $43 - 36 = 7$. This yields
$$313 = 9 \cdot \underbrace{34}_{q} + \underbrace{7}_{r}.$$
The algorithm is simply long division with remainder.

PROOF OF PROPOSITION 3. For the "existence" part, let
$$S := \{a - bk \mid k \in \mathbb{Z},\ a - bk \geq 0\} \subseteq \mathbb{N} \cup \{0\}.$$
Since $a \in S$, $S \neq \emptyset$. Let $r$ be the least element of $S$. Then $r = a - bq \geq 0$ for some $q \in \mathbb{Z}$. If $r \geq b$ then $S$ contains $r - b = a - b(q + 1)$, contradicting minimality of $r$. So $r < b$.

To see the uniqueness, write $bq' + r' = a = bq + r$, with $0 \leq r, r' < b$. This yields $r = b(q' - q) + r'$, and if we had $q' > q$, then $q' \geq q + 1$ would imply $r \geq b + r' \geq b + 0 = b$, a contradiction. Symmetrically, one argues that $q > q'$ is impossible. Therefore $q = q'$ and then also $r = r'$. □

Next, we turn to divisibility and the GCD (= greatest common divisor).

DEFINITION 5. Let $a, b \in \mathbb{Z}$, with $b \neq 0$. Then
$$b \mid a \overset{\text{defn.}}{\iff} \exists\, c \in \mathbb{Z} \text{ such that } a = bc.$$
(We say that "$b$ divides $a$".)

Here are some basic examples:
• everything divides 0;
• $2 \mid a \iff a$ is even;
• $b \mid a \iff r = 0$ in the division algorithm.

and some basic properties:
(i) $a \mid b$ and $b \mid c \implies a \mid c$
(ii) $a \mid b, c \implies a \mid bx + cy$ for all $x, y \in \mathbb{Z}$ (e.g. $b + c$, $b - c$)
(iii) $a \mid b$ and $b \mid a \implies a = \pm b$.

PROOF OF (III). Given $b = ad$, $a = bc$ (and $a, b \neq 0$), we have $a = adc \implies dc = 1 \implies d = \pm 1 = c$. □

For any $a, b \in \mathbb{Z}$, not both 0, let
$$S(a, b) := \{d \in \mathbb{N} \mid d \mid a, b\}.$$

DEFINITION 6. The GCD of $a$ and $b$ is $(a, b) :=$ the biggest element of $S(a, b)$. (Of course, you need only check integers less than or equal to the smaller of $|a|$ and $|b|$.) We say that $a$ and $b$ are relatively prime if $(a, b) = 1$.

Again, here are some simple examples:
• $(4, -6) = 2$
• $(0, 7) = 7$
• $(12, 7) = 1$

and some properties:
(iv) $(0, b) = b = (b, b)$
(v) $(a, b) = (b, a) = (a, -b)$
(vi) $(b, a - mb) = (a, b)$ for every $m \in \mathbb{Z}$.

PROOF OF (VI). Let $d \mid a, b$. Then $d \mid a - mb$. Conversely, if $d \mid b, a - mb$, then $d \mid mb + (a - mb) = a$. So $S(a, b) = S(b, a - mb)$ and they have identical largest elements. □

Property (vi) has the key consequence:

LEMMA 7. Say $a = bq + r$ in the division algorithm. Then $(a, b) = (b, r)$.
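Added here as a worked example (not code from the notes): Proposition 3's division with remainder, Definition 6's GCD by brute-force search over $S(a, b)$, and the GCD obtained by applying Lemma 7 repeatedly until the remainder is 0, traced on Example 4's numbers. It assumes $b > 0$ for the division and extends $a$ to all of $\mathbb{Z}$, which Python's floor-division `divmod` supports while keeping $0 \leq r < b$.

```python
# Added example (not from Kerr's notes): the division algorithm of
# Proposition 3, the GCD of Definition 6 computed by brute force, and the
# GCD computed by repeatedly applying Lemma 7, (a, b) = (b, r).
from typing import List, Tuple


def divide(a: int, b: int) -> Tuple[int, int]:
    """Return the unique (q, r) with a = b*q + r and 0 <= r < b.

    Proposition 3 takes a, b in N; here a may be any integer (b > 0),
    since divmod floors the quotient and so keeps 0 <= r < b.
    """
    if b <= 0:
        raise ValueError("b must be positive")
    q, r = divmod(a, b)
    assert a == b * q + r and 0 <= r < b
    return q, r


def gcd_by_definition(a: int, b: int) -> int:
    """Definition 6: the largest d in N dividing both a and b (not both 0)."""
    if a == 0 and b == 0:
        raise ValueError("(0, 0) is undefined")
    # every integer divides 0, so only the nonzero arguments bound the search
    bound = min(x for x in (abs(a), abs(b)) if x != 0)
    return max(d for d in range(1, bound + 1) if a % d == 0 and b % d == 0)


def euclid_steps(a: int, b: int) -> Tuple[int, List[Tuple[int, int, int, int]]]:
    """GCD via Lemma 7: replace (a, b) by (b, r) until the remainder is 0.

    Returns the GCD and the division steps (a, b, q, r) taken along the way.
    """
    if a == 0 and b == 0:
        raise ValueError("(0, 0) is undefined")
    a, b = abs(a), abs(b)          # property (v): (a, b) = (a, -b) = (b, a)
    steps = []
    while b != 0:
        q, r = divide(a, b)        # a = b*q + r with 0 <= r < b
        steps.append((a, b, q, r))
        a, b = b, r                # Lemma 7: (a, b) = (b, r)
    return a, steps                # property (iv): (a, 0) = a


if __name__ == "__main__":
    g, steps = euclid_steps(313, 9)   # Example 4's division 313 = 9*34 + 7
    for s in steps:
        print("%d = %d * %d + %d" % s)
    print("(313, 9) =", g, "; by Definition 6:", gcd_by_definition(313, 9))
```

Running it prints the four divisions 313 = 9·34 + 7, 9 = 7·1 + 2, 7 = 2·3 + 1, 2 = 1·2 + 0, so (313, 9) = 1, matching the brute-force search over Definition 6.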