Numbers, Groups and Cryptography Gordan Savin


Contents

Chapter 1. Euclidean Algorithm
  1. Euclidean Algorithm
  2. Fundamental Theorem of Arithmetic
  3. Uniqueness of Factorization
  4. Efficiency of the Euclidean Algorithm
Chapter 2. Groups and Arithmetic
  1. Groups
  2. Congruences
  3. Modular arithmetic
  4. Theorem of Lagrange
  5. Chinese Remainder Theorem
Chapter 3. Rings and Fields
  1. Fields and Wilson's Theorem
  2. Field Characteristic and Frobenius
  3. Quadratic Numbers
Chapter 4. Primes
  1. Infinitude of primes
  2. Primes in progression
  3. Perfect Numbers and Mersenne Primes
  4. The Lucas Lehmer test
Chapter 5. Roots
  1. Roots
  2. Property of the Euler Function
  3. Primitive roots
  4. Discrete logarithm
  5. Cyclotomic Polynomials
Chapter 6. Quadratic Reciprocity
  1. Squares modulo p
  2. When is −1 or 2 a square modulo p?
  3. Quadratic Reciprocity
Chapter 7. Applications of Quadratic Reciprocity
  1. Fermat primes
  2. Quadratic Fields and the Circle Group
  3. Lucas Lehmer test revisited
Chapter 8. Sums of two squares
  1. Sums of two squares
  2. Gaussian integers
  3. Method of descent revisited
Chapter 9. Pell's Equations
  1. Shape numbers and Induction
  2. Square-Triangular Numbers and Pell Equation
  3. Dirichlet's approximation
  4. Pell Equation: classifying solutions
  5. Continued Fractions
Chapter 10. Cryptography
  1. Diffie-Hellman key exchange
  2. RSA Code
  3. ElGamal Code
Chapter 11. Primality testing
  1. Miller Rabin test
  2. p − 1 method
  3. p + 1 method
  4. Quadratic sieve
Chapter 12. Elliptic curves
  1. Cubic curves
  2. Degenerate curves
  3. Curves modulo p
  4. The curve $y^2 = x^3 + bx$
Chapter 13. Factoring and testing using elliptic curves
  1. Lenstra's factoring method
  2. Degenerate curves modulo p
  3. Elliptic curve test for Mersenne primes

CHAPTER 1
Euclidean Algorithm

1. Euclidean Algorithm

Euclid was a Greek mathematician who lived in Alexandria around 300 B.C. He devised a clever and fast algorithm to find the greatest common divisor of two integers. In modern language, the Euclidean Algorithm is simply division with remainder. Recall that dividing two positive integers $a$, $b$ means finding a positive integer $q$, called a quotient, such that

$$a = qb + r \quad \text{with } 0 \le r < b.$$

The number $r$ is called a remainder. If $r = 0$ then we say that $b$ divides $a$, and write $b \mid a$. For example, $3 \mid 6$ whereas $4 \nmid 6$. Dividing two integers is probably the most difficult of the four standard binary operations. However, some of the most fundamental properties, such as the uniqueness of factorization, are based on the Euclidean Algorithm.

But how is this related to finding the Greatest Common Divisor (or simply gcd) of two integers $m$ and $n$? If factorizations of $m$ and $n$ into prime factors are known, then it is easy to figure out what the gcd is. Consider, for example, $m = 756$ and $n = 360$. Then

$$756 = 2^2 \cdot 3^3 \cdot 7 \quad \text{and} \quad 360 = 2^3 \cdot 3^2 \cdot 5.$$

We see that 2 and 3 are the only primes appearing in factorizations of both numbers. Moreover, $2^2$ and $3^2$ are the greatest powers of 2 and 3, respectively, which divide both 756 and 360. It follows that

$$\gcd(756, 360) = 2^2 \cdot 3^2 = 36.$$

There are two issues here, however. First, we have secretly assumed the uniqueness of factorization. The second issue, also very important, is that factoring into primes is a very difficult process, in general.

A much better way was discovered by Euclid. Assume, for example, that we want to find the greatest common divisor of 60 and 22. Subtract $60 - 22 = 38$. Notice that any number dividing 60 and 22 also divides 22 and 38. Conversely, any number that divides 22 and 38 also divides $22 + 38 = 60$ and 22. Thus, instead of looking for common divisors of 60 and 22, we can look at common divisors of 22 and 38 instead. Since the latter pair of numbers is smaller, the problem of finding the greatest common divisor of 60 and 22 has just become easier, and we have accomplished that without ever dividing or multiplying two numbers. In fact, we can do even better. Instead of subtracting 22 from 60 once, we can subtract it twice, to get $60 - 2 \times 22 = 16$. Thus we get that $\gcd(60, 22) = \gcd(22, 16)$. Of course, we do not stop here. Since $22 - 16 = 6$, it follows that $\gcd(22, 16) = \gcd(16, 6)$ and so on. At every step we replace a pair $(a, b)$ by a pair $(b, r)$ where $r$ is the remainder of the division of $a$ by $b$. The whole division process in this case is given here:

$$\begin{aligned}
60 &= 2 \cdot 22 + 16 \\
22 &= 1 \cdot 16 + 6 \\
16 &= 2 \cdot 6 + 4 \\
6 &= 1 \cdot 4 + 2 \\
4 &= 2 \cdot 2 + 0
\end{aligned}$$

This shows that

$$\gcd(60, 22) = \gcd(22, 16) = \cdots = \gcd(4, 2) = 2.$$

The last statement is obvious since 2 divides 4.

In general, starting with a pair of numbers $a$ and $b$ we use the division algorithm to generate a sequence of numbers $b > r_1 > r_2 > \cdots$ as follows. First, we divide $a$ by $b$:

$$a = q_1 b + r_1,$$

then divide $b$ by $r_1$, and so on:

$$\begin{aligned}
b &= q_2 r_1 + r_2 \\
r_1 &= q_3 r_2 + r_3 \\
&\;\;\vdots \\
r_{n-2} &= q_n r_{n-1} + r_n \\
r_{n-1} &= q_{n+1} r_n + 0.
\end{aligned}$$

This process stops when the remainder is 0. Since $b > r_1 > r_2 > \cdots$ it stops in fewer than $b$ steps. We claim that the last non-zero remainder $r_n$ is equal to the greatest common divisor of $a$ and $b$. In order to verify this, notice that the first equation $a = q_1 b + r_1$ implies that any common divisor of $b$ and $r_1$ also divides $a$. Likewise, if we rewrite the first equation as $a - q_1 b = r_1$, it is clear that any common divisor of $a$ and $b$ also divides $r_1$. This shows that $\gcd(a, b) = \gcd(b, r_1)$. Arguing in this fashion, we see that

$$\gcd(a, b) = \gcd(b, r_1) = \cdots = \gcd(r_{n-1}, r_n) = r_n$$

where, of course, the last statement is obvious since $r_n$ divides $r_{n-1}$. We can summarize what we have discovered:

The Euclidean Algorithm gives an effective way to compute the greatest common divisor of two integers. Moreover, the algorithm does not rely on the uniqueness of factorization.
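The division table and the invariance argument above can be checked mechanically. The following Python sketch is an added example, not part of the original text; the function names `euclid_trace`, `common_divisors` and `check_invariant` are hypothetical. It records each line $a = qb + r$ and verifies by brute force that every step $(a, b) \to (b, r)$ keeps the set of common divisors unchanged.

```python
def euclid_trace(a, b):
    """Run the Euclidean Algorithm on positive integers a, b.

    Returns (gcd, steps), where each step (x, q, y, r) is one line
    "x = q * y + r" of the division table in the text.
    (Hypothetical helper name, added for illustration.)
    """
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive integers")
    steps = []
    while b != 0:
        q, r = divmod(a, b)          # division with remainder, 0 <= r < b
        steps.append((a, q, b, r))
        a, b = b, r                  # replace the pair (a, b) by (b, r)
    return a, steps                  # a is now the last non-zero remainder


def common_divisors(m, n):
    """Brute-force set of common divisors of m > 0 and n >= 0 (checking only)."""
    return {d for d in range(1, m + 1) if m % d == 0 and n % d == 0}


def check_invariant(a, b):
    """True if every step (x, y) -> (y, r) preserves the common divisors,
    which is exactly the argument used to prove gcd(a, b) = r_n."""
    _, steps = euclid_trace(a, b)
    return all(common_divisors(x, y) == common_divisors(y, r)
               for x, _, y, r in steps)


if __name__ == "__main__":
    g, steps = euclid_trace(60, 22)
    for x, q, y, r in steps:
        print(f"{x} = {q} * {y} + {r}")
    print("gcd(60, 22) =", g)
    print("steps:", len(steps), "which is fewer than b = 22")
    print("common divisors preserved at every step:", check_invariant(60, 22))
    print("gcd(756, 360) =", euclid_trace(756, 360)[0])
```
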
The Euclidean Algorithm can be viewed as a special case of the Continued Fractions algorithm. We need some notation before proceeding to the definition of the algorithm. If $\alpha$ is a real number then let $[\alpha]$ denote the greatest integer less than or equal to $\alpha$. For example, since $\sqrt{2} = 1.4\ldots$ the greatest integer less than or equal to $\sqrt{2}$ is 1:

$$[\sqrt{2}] = 1.$$

Note that $[\alpha] = \alpha$ if $\alpha$ is an integer. The Continued Fraction algorithm is defined as follows:

(1) Let $\alpha > 1$, and put $\beta = \alpha - [\alpha]$.
(2) If $\beta = 0$ stop, else put $\alpha_1 = 1/\beta$ and go to (1).

In order to illustrate the relation between the two algorithms, let us work out the case when $\alpha = 60/22$. Then the Continued Fraction Algorithm generates the following numerical data.

| $i$ | $[\alpha_i]$ | $\beta_i$ | $\alpha_{i+1}$ |
|---|---|---|---|
| 0 | 2 | 16/22 | 22/16 |
| 1 | 1 | 6/16 | 16/6 |
| 2 | 2 | 4/6 | 6/4 |
| 3 | 1 | 2/4 | 4/2 |
| 4 | 2 | 0 | STOP |

Here, of course, we put $\alpha_0 = \alpha$ and $\beta_0 = \beta$. As can be seen from the table, the Continued Fraction Algorithm generates the same numbers as the Euclidean Algorithm starting with the pair $(60, 22)$. More precisely, if $\alpha = a/b$ and $b > r_1 > r_2 > \cdots$ are non-negative integers generated by the Euclidean Algorithm applied to the pair $(a, b)$, then

$$\beta = \frac{r_1}{b}, \quad \beta_1 = \frac{r_2}{r_1}, \quad \beta_2 = \frac{r_3}{r_2}, \ldots$$

and

$$[\alpha] = q_1, \quad [\alpha_1] = q_2, \quad [\alpha_2] = q_3, \ldots$$

Since $r_{n+1} = 0$ for some $n$, $\beta_n = 0$ and we are out of the loop, eventually, for every rational number (fraction). The name (continued fraction) comes from the fact that the process can be recorded as

$$\frac{60}{22} = 2 + \frac{16}{22} = 2 + \cfrac{1}{1 + \cfrac{6}{16}} = \cdots = 2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2}}}}.$$

The continued fraction, in turn, gives a series of so-called partial convergents:

$$2, \quad 2 + \frac{1}{1}, \quad 2 + \cfrac{1}{1 + \cfrac{1}{2}}, \quad 2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1}}} \quad \text{and} \quad 2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2}}}}.$$

An easy calculation gives that these five partial convergents are equal to, respectively,

$$2, \quad 3, \quad \frac{8}{3}, \quad \frac{11}{4} \quad \text{and} \quad \frac{30}{11} = \frac{60}{22}.$$

A rather different phenomenon occurs when we apply the algorithm to $\alpha = \sqrt{2}$. Then going through the loop for the first time yields

(1) $\alpha = \sqrt{2}$, $\beta = \sqrt{2} - [\sqrt{2}] = \sqrt{2} - 1$.
(2) $\alpha_1 = \dfrac{1}{\beta} = \dfrac{1}{\sqrt{2} - 1} = \sqrt{2} + 1$.

Going through the loop for the second time yields

(1) $\alpha_1 = \sqrt{2} + 1$, $\beta_1 = \sqrt{2} + 1 - [\sqrt{2} + 1] = \sqrt{2} - 1$.
(2) $\alpha_2 = \dfrac{1}{\beta_1} = \dfrac{1}{\sqrt{2} - 1} = \sqrt{2} + 1$.

In words, the second output is $\alpha_2 = \sqrt{2} + 1$, the same as the first output of the algorithm. Of course, the third output will be the same, and so on:

$$\alpha_1 = \alpha_2 = \alpha_3 = \cdots = \sqrt{2} + 1.$$

We see that the Continued Fraction algorithm is stuck in the loop in this case. In particular, this shows that $\sqrt{2}$ is not a fraction. We can write $\sqrt{2}$ as a continued fraction $\sqrt{2} = 1 +$ .
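The two runs of the Continued Fraction algorithm described above, on $60/22$ and on $\sqrt{2}$, can be reproduced with exact arithmetic. The following Python sketch is an added example, not part of the original text; the function names `cf_rational`, `convergents` and `cf_sqrt2` are hypothetical, and $\sqrt{2}$ is handled by storing each $\alpha_i$ as a pair $(p, q)$ meaning $p + q\sqrt{2}$, so that the repeat $\alpha_1 = \alpha_2$ is detected without floating point.

```python
from fractions import Fraction
from math import isqrt


def cf_rational(alpha):
    """Continued Fraction algorithm on a rational alpha > 1.
    Returns the table rows (i, [alpha_i], beta_i); Fractions are reduced,
    so 16/22 appears as 8/11."""
    rows, i = [], 0
    while True:
        fl = alpha.numerator // alpha.denominator    # [alpha_i]
        beta = alpha - fl                            # beta_i = alpha_i - [alpha_i]
        rows.append((i, fl, beta))
        if beta == 0:
            return rows                              # STOP
        alpha, i = 1 / beta, i + 1                   # alpha_{i+1} = 1 / beta_i


def convergents(quotients):
    """Partial convergents for the quotients [alpha_0], [alpha_1], ..."""
    out = []
    for k in range(1, len(quotients) + 1):
        value = Fraction(quotients[k - 1])
        for q in reversed(quotients[:k - 1]):        # fold from the innermost fraction
            value = q + 1 / value
        out.append(value)
    return out


def cf_sqrt2(max_steps=10):
    """Same loop on alpha = sqrt(2), with alpha = p + q*sqrt(2) kept exactly.
    Returns (quotients, index of first repeated alpha, index where it recurs)."""
    p, q = Fraction(0), Fraction(1)
    seen, quotients = {}, []
    for i in range(max_steps):
        if (p, q) in seen:
            return quotients, seen[(p, q)], i        # stuck in the loop
        seen[(p, q)] = i
        d = p.denominator * q.denominator
        P, Q = int(p * d), int(q * d)                # alpha = (P + Q*sqrt 2)/d, Q >= 0 here
        fl = (P + isqrt(2 * Q * Q)) // d             # exact floor of alpha
        quotients.append(fl)
        p -= fl                                      # beta = alpha - [alpha]
        norm = p * p - 2 * q * q                     # non-zero: sqrt(2) is irrational
        p, q = p / norm, -q / norm                   # 1/beta = (p - q*sqrt 2)/norm
    return quotients, None, None


if __name__ == "__main__":
    print(cf_rational(Fraction(60, 22)), cf_sqrt2())
```
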
