
A. Algebra and Number Theory

© Springer-Verlag Berlin Heidelberg 2015. H. Delfs, H. Knebl, Introduction to Cryptography, Information Security and Cryptography, DOI 10.1007/978-3-662-47974-2

Public-key cryptosystems are based on modular arithmetic. In this section, we summarize the concepts and results from algebra and number theory which are necessary for an understanding of cryptographic methods. Textbooks on number theory and modular arithmetic include [HarWri79], [IreRos82], [Rose94], [Forster96] and [Rosen00]. This section is also intended to establish notation. We assume that the reader is familiar with elementary notions of algebra such as groups, rings and fields.

A.1 The Integers

$\mathbb{Z}$ denotes the ring of integers; $\mathbb{N} = \{z \in \mathbb{Z} \mid z > 0\}$ denotes the subset of natural numbers. We first introduce the notion of divisors and the fundamental Euclidean algorithm which computes the greatest common divisor of two numbers.

Definition A.1. Let $a, b \in \mathbb{Z}$:

1. $a$ divides $b$ if there is some $c \in \mathbb{Z}$ with $b = ac$. $b$ is called a multiple of $a$. We write $a \mid b$ for "$a$ divides $b$".
2. $d \in \mathbb{N}$ is called the greatest common divisor of $a$ and $b$ if:
   a. $d$ divides $a$ and $d$ divides $b$.
   b. If $d' \in \mathbb{Z}$ divides both $a$ and $b$, then $d'$ divides $d$.
   The greatest common divisor is denoted by $\gcd(a, b)$.
3. If $\gcd(a, b) = 1$, then $a$ is called relatively prime to $b$, or prime to $b$ for short.
4. $m \in \mathbb{N}$ is called the least common multiple of $a$ and $b$ if:
   a. $m$ is a multiple of $a$ and of $b$.
   b. If $m' \in \mathbb{Z}$ is a multiple of $a$ and $b$, then $m$ divides $m'$.
   The least common multiple is denoted by $\mathrm{lcm}(a, b)$.

Proposition A.2. Let $a, b \in \mathbb{Z}$. Then $\gcd(a, b) \cdot \mathrm{lcm}(a, b) = |a \cdot b|$.

Proof. We may assume that $a, b \geq 0$. If $a = 0$ or $b = 0$, then $\mathrm{lcm}(a, b) = 0$ and the equation holds. Let $a, b > 0$ and $m := \mathrm{lcm}(a, b)$. Since $ab$ is a multiple of $a$ and $b$, $m$ divides $ab$, i.e., $ab = md$. We now show that $d = ab/m = \gcd(a, b)$. We have $a = (m/b)\, d$ and $b = (m/a)\, d$, which means that $d$ divides $a$ and $b$. Let $d'$ be a divisor of $a$ and $b$. Then $ab/d' = (a/d')\, b$ is a multiple of $a$ and $b$. Hence $m$ divides $(a/d')\, b$. It follows that $d'$ divides $d = ab/m$. $\Box$

Theorem A.3 (Division with remainder). Let $z, a \in \mathbb{Z}$, $a \neq 0$. Then there are unique numbers $q, r \in \mathbb{Z}$ such that $z = q \cdot a + r$ and $0 \leq r < |a|$.

Proof. In the first step, we prove that such $q$ and $r$ exist. If $a > 0$ and $z \geq 0$, we may apply induction on $z$. For $0 \leq z < a$ we obviously have $z = 0 \cdot a + z$. If $z \geq a$, then, by induction, $z - a = q \cdot a + r$ for some $q$ and $r$, $0 \leq r < a$, and hence $z = (q + 1) \cdot a + r$. If $z < 0$ and $a > 0$, then we have just shown the existence of an equation $-z = q \cdot a + r$, $0 \leq r < a$. Then $z = -q \cdot a$ if $r = 0$, and $z = -q \cdot a - r = -q \cdot a - a + (a - r) = -(q + 1) \cdot a + (a - r)$ with $0 < a - r < a$. If $a < 0$, then $-a > 0$. Hence $z = q \cdot (-a) + r = -q \cdot a + r$, with $0 \leq r < |a|$. To prove uniqueness, consider $z = q_1 \cdot a + r_1 = q_2 \cdot a + r_2$. Then $0 = (q_1 - q_2) \cdot a + (r_1 - r_2)$. Hence $a$ divides $(r_1 - r_2)$. Since $|r_1 - r_2| < |a|$, this implies $r_1 = r_2$, and then also $q_1 = q_2$. $\Box$

Remark. $r$ is called the remainder of $z$ modulo $a$. We write $z \bmod a$ for $r$. The number $q$ is the (integer) quotient of $z$ and $a$. We write $z \operatorname{div} a$ for $q$.

The Euclidean Algorithm. Let $a, b \in \mathbb{Z}$, $a > b > 0$. The greatest common divisor $\gcd(a, b)$ can be computed by an iterated division with remainder. Let $r_0 := a$, $r_1 := b$ and

$$
\begin{aligned}
r_0 &= q_1 r_1 + r_2, & 0 < r_2 < r_1, \\
r_1 &= q_2 r_2 + r_3, & 0 < r_3 < r_2, \\
&\;\;\vdots \\
r_{k-1} &= q_k r_k + r_{k+1}, & 0 < r_{k+1} < r_k, \\
&\;\;\vdots \\
r_{n-2} &= q_{n-1} r_{n-1} + r_n, & 0 < r_n < r_{n-1}, \\
r_{n-1} &= q_n r_n + r_{n+1}, & 0 = r_{n+1}.
\end{aligned}
$$

By construction, $r_1 > r_2 > \ldots$. Therefore, the remainder becomes $0$ after a finite number of steps. The last remainder $\neq 0$ is the greatest common divisor, as is shown in the next proposition.

Proposition A.4.

1. $r_n = \gcd(a, b)$.
2. There are numbers $d, e \in \mathbb{Z}$ with $\gcd(a, b) = da + eb$.

Proof. 1. From the equations considered in reverse order, we conclude that $r_n$ divides $r_k$, $k = n - 1, n - 2, \ldots$. In particular, $r_n$ divides $r_1 = b$ and $r_0 = a$. Now let $t$ be a divisor of $a = r_0$ and $b = r_1$. Then $t \mid r_k$, $k = 2, 3, \ldots$, and hence $t \mid r_n$. Thus, $r_n$ is the greatest common divisor.

2. Iteratively substituting $r_{k+1}$ by $r_{k-1} - q_k r_k$, we get

$$
\begin{aligned}
r_n &= r_{n-2} - q_{n-1} \cdot r_{n-1} \\
&= r_{n-2} - q_{n-1} \cdot (r_{n-3} - q_{n-2} \cdot r_{n-2}) \\
&= (1 + q_{n-1} q_{n-2}) \cdot r_{n-2} - q_{n-1} \cdot r_{n-3} \\
&\;\;\vdots \\
&= da + eb,
\end{aligned}
$$

with integers $d$ and $e$. $\Box$

We have shown that the following algorithm, called Euclid's algorithm, outputs the greatest common divisor. $\mathrm{abs}(a)$ denotes the absolute value of $a$.

Algorithm A.5.

    int gcd(int a, b)
        while b ≠ 0 do
            r ← a mod b
            a ← b
            b ← r
        return abs(a)

We now extend the algorithm such that not only $\gcd(a, b)$ but also the coefficients $d$ and $e$ of the linear combination $\gcd(a, b) = da + eb$ are computed. For this purpose, we write the recursion $r_{k-1} = q_k r_k + r_{k+1}$ using matrices

$$
\begin{pmatrix} r_k \\ r_{k+1} \end{pmatrix} = Q_k \begin{pmatrix} r_{k-1} \\ r_k \end{pmatrix}, \quad \text{where } Q_k = \begin{pmatrix} 0 & 1 \\ 1 & -q_k \end{pmatrix}, \; k = 1, \ldots, n.
$$

Multiplying the matrices, we get

$$
\begin{pmatrix} r_n \\ r_{n+1} \end{pmatrix} = Q_n \cdot Q_{n-1} \cdot \ldots \cdot Q_1 \begin{pmatrix} r_0 \\ r_1 \end{pmatrix}.
$$

The first component of this equation yields the desired linear combination for $r_n = \gcd(a, b)$. Therefore, we have to compute $Q_n \cdot Q_{n-1} \cdot \ldots \cdot Q_1$. This is accomplished by iteratively computing the matrices

$$
\Lambda_0 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad \Lambda_k = \begin{pmatrix} 0 & 1 \\ 1 & -q_k \end{pmatrix} \Lambda_{k-1}, \; k = 1, \ldots, n,
$$

to finally get $\Lambda_n = Q_n \cdot Q_{n-1} \cdot \ldots \cdot Q_1$. In this way, we have derived the following algorithm, called the extended Euclidean algorithm. On inputs $a$ and $b$ it outputs the greatest common divisor and the coefficients $d$ and $e$ of the linear combination $\gcd(a, b) = da + eb$.

Algorithm A.6.

    int array gcdCoef(int a, b)
        λ11 ← 1; λ22 ← 1; λ12 ← 0; λ21 ← 0
        while b ≠ 0 do
            q ← a div b
            r ← a mod b
            a ← b
            b ← r
            t21 ← λ21; t22 ← λ22
            λ21 ← λ11 − q · λ21
            λ22 ← λ12 − q · λ22
            λ11 ← t21
            λ12 ← t22
        return (abs(a), λ11, λ12)

We analyze the running time of the Euclidean algorithm. Here we meet the Fibonacci numbers.

Definition A.7. The Fibonacci numbers $f_n$ are recursively defined by

$$
f_0 := 0, \quad f_1 := 1, \quad f_n := f_{n-1} + f_{n-2} \text{ for } n \geq 2.
$$

Remark. The Fibonacci numbers can be non-recursively computed using the formula

$$
f_n = \frac{1}{\sqrt{5}} \left( g^n - \tilde{g}^n \right),
$$

where $g$ and $\tilde{g}$ are the solutions of the equation $x^2 = x + 1$:

$$
g := \frac{1}{2}\left(1 + \sqrt{5}\right) \quad \text{and} \quad \tilde{g} := 1 - g = -\frac{1}{g} = \frac{1}{2}\left(1 - \sqrt{5}\right).
$$

See, for example, [Forster96].

Definition A.8. The number $g$ is called the Golden Ratio.¹

Lemma A.9. For $n \geq 2$, $f_n \geq g^{n-2}$. In particular, the Fibonacci numbers grow exponentially fast.

Proof. The statement is clear for $n = 2$. By induction on $n$, assuming that the statement holds for $\leq n$, we get

$$
f_{n+1} = f_n + f_{n-1} \geq g^{n-2} + g^{n-3} = g^{n-3}(1 + g) = g^{n-3} g^2 = g^{n-1}. \qquad \Box
$$

Proposition A.10. Let $a, b \in \mathbb{Z}$, $a > b > 0$. Assume that computing $\gcd(a, b)$ by the Euclidean algorithm takes $n$ iterations (i.e., using $n$ divisions with remainder). Then $a \geq f_{n+1}$ and $b \geq f_n$.

Proof. Let $r_0 := a$, $r_1 := b$ and consider

$$
\begin{aligned}
r_0 &= q_1 r_1 + r_2, & f_{n+1} &= f_n + f_{n-1}, \\
r_1 &= q_2 r_2 + r_3, & f_n &= f_{n-1} + f_{n-2}, \\
&\;\;\vdots & &\;\;\vdots \\
r_{n-2} &= q_{n-1} r_{n-1} + r_n, & f_3 &= f_2 + f_1, \\
r_{n-1} &= q_n r_n, & f_2 &= f_1.
\end{aligned}
$$

By induction, starting with $i = n$ and descending, we show that $r_i \geq f_{n+1-i}$. For $i = n$, we have $r_n \geq f_1 = 1$. Now assume the inequality proven for $\geq i$. Then

$$
r_{i-1} = q_i r_i + r_{i+1} \geq r_i + r_{i+1} \geq f_{n+1-i} + f_{n+1-(i+1)} = f_{n+1-(i-1)}.
$$

Hence $a = r_0 \geq f_{n+1}$ and $b = r_1 \geq f_n$. $\Box$

Notation. As is common use, we denote by $\lfloor x \rfloor$ the greatest integer less than or equal to $x$ (the "floor" of $x$), and by $\lceil x \rceil$ the smallest integer greater than or equal to $x$ (the "ceiling" of $x$).

Corollary A.11. Let $a, b \in \mathbb{Z}$. Then the Euclidean algorithm computes $\gcd(a, b)$ in at most $\lfloor \log_g(a) \rfloor + 1$ iterations.

Proof. Let $n$ be the number of iterations.

¹ It is the proportion of length to width which the Greeks found most beautiful.
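The following Python program is an added worked example, not code from the book: it implements division with remainder in the sense of Theorem A.3, Euclid's algorithm (Algorithm A.5), the extended Euclidean algorithm (Algorithm A.6), the lcm via Proposition A.2, and then checks Lemma A.9, Proposition A.10 and Corollary A.11 numerically by counting divisions. The function names are chosen here, and Python's built-in `divmod` is adjusted for negative divisors so that the remainder lies in $0 \leq r < |a|$ as the theorem requires. One addition beyond the book's Algorithm A.6: when the final $a$ is negative (which can only happen for negative inputs), the coefficients are negated together with it, so that $\gcd(a,b) = da + eb$ holds for every input and not only for $a > b > 0$.

```python
"""Euclid (A.5), extended Euclid (A.6) and the Fibonacci bound (A.10, A.11).
Added worked example; function names are chosen here, not taken from the book."""
import math

GOLDEN_RATIO = (1 + math.sqrt(5)) / 2  # g, the positive root of x^2 = x + 1


def div_rem(z, a):
    """Division with remainder as in Theorem A.3: z = q*a + r with 0 <= r < |a|.
    Python's divmod returns a remainder with the sign of a, so for a < 0 the
    result is shifted by |a| into the book's range."""
    if a == 0:
        raise ZeroDivisionError("a must be nonzero")
    q, r = divmod(z, a)
    if r < 0:          # only possible when a < 0
        r -= a         # r + |a|
        q += 1
    return q, r


def gcd(a, b):
    """Algorithm A.5: replace (a, b) by (b, a mod b) until b = 0, return abs(a)."""
    while b != 0:
        a, b = b, div_rem(a, b)[1]
    return abs(a)


def gcd_coef(a, b):
    """Algorithm A.6 (extended Euclid): returns (g, d, e) with g = gcd(a, b) = d*a + e*b.
    (l11, l12) and (l21, l22) are the rows of Lambda_k; after every iteration
    l11*a0 + l12*b0 == a and l21*a0 + l22*b0 == b for the original inputs a0, b0.
    Addition to the book's version: if the final a is negative, d and e are negated
    with it so that the identity g = d*a0 + e*b0 still holds."""
    l11, l22, l12, l21 = 1, 1, 0, 0
    while b != 0:
        q, r = div_rem(a, b)
        a, b = b, r
        t21, t22 = l21, l22
        l21 = l11 - q * l21
        l22 = l12 - q * l22
        l11, l12 = t21, t22
    if a < 0:
        return -a, -l11, -l12
    return a, l11, l12


def lcm(a, b):
    """Least common multiple via Proposition A.2: gcd(a, b) * lcm(a, b) = |a*b|."""
    if a == 0 or b == 0:
        return 0
    return abs(a * b) // gcd(a, b)


def fib(n):
    """Fibonacci numbers of Definition A.7, computed iteratively (f_0 = 0, f_1 = 1)."""
    f_prev, f_cur = 0, 1
    for _ in range(n):
        f_prev, f_cur = f_cur, f_prev + f_cur
    return f_prev


def euclid_iterations(a, b):
    """Number of divisions with remainder Algorithm A.5 performs on input (a, b)."""
    count = 0
    while b != 0:
        a, b = b, div_rem(a, b)[1]
        count += 1
    return count


def iteration_bound(a):
    """Upper bound of Corollary A.11: floor(log_g(a)) + 1, for a >= 1."""
    return math.floor(math.log(a, GOLDEN_RATIO)) + 1


def worst_pair_up_to(limit):
    """Exhaustively find the pair a > b > 0 with a <= limit needing the most divisions.
    Returns (iterations, (a, b)) for the first such pair in increasing order of a, b."""
    best, best_pair = 0, None
    for a in range(2, limit + 1):
        for b in range(1, a):
            n = euclid_iterations(a, b)
            if n > best:
                best, best_pair = n, (a, b)
    return best, best_pair


if __name__ == "__main__":
    g, d, e = gcd_coef(240, 46)
    print(f"gcd(240, 46) = {g} = {d}*240 + {e}*46")
    print("lcm(240, 46) =", lcm(240, 46))
    n, pair = worst_pair_up_to(300)
    print(f"hardest pair with a <= 300: {pair} needs {n} divisions, bound {iteration_bound(pair[0])}")
    # The hardest pair consists of consecutive Fibonacci numbers, as the proof of
    # Proposition A.10 suggests (every quotient except the last equals 1 there).
    print("(f_13, f_12) =", (fib(13), fib(12)))
```

Running the program shows that the pair $(233, 144) = (f_{13}, f_{12})$ is the most expensive input with $a \leq 300$ and needs 11 divisions, comfortably below the bound $\lfloor \log_g 233 \rfloor + 1 = 12$ of Corollary A.11. The exhaustive search over all pairs below the limit is only there to confirm the bound; the functions above run in the logarithmic number of steps the corollary guarantees.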