$\phi(n)$ Is the Order of This Group: $\phi(n) := |\mathbb{Z}_n^\bullet|$, the Number of Units in $\mathbb{Z}_n$


MAS 6217 (Fall 2017) Number Theory and Cryptography (Yiu)
Inquiry Based Learning Modules A – F (in lieu of September 7–14 class lectures)

Name:

1. The Euler $\phi$-function: number of units in $\mathbb{Z}_n$

Let $n > 1$ be an integer. The units in $\mathbb{Z}_n$ form a multiplicative subgroup

$$\mathbb{Z}_n^\bullet := \{[a] \in \mathbb{Z}_n : [a][b] = [1] \text{ for some } b \in \mathbb{Z}\}.$$

The Euler $\phi$-function $\phi(n)$ is the order of this group:

$$\phi(n) := |\mathbb{Z}_n^\bullet|, \text{ the number of units in } \mathbb{Z}_n.$$

Exercise. For each integer $n$ in the table below, list the units in $\mathbb{Z}_n$ and the value of $\phi(n)$:

| $n$ | $\phi(n)$ | units in $\mathbb{Z}_n$ |
|---|---|---|
| 2 | | |
| 3 | | |
| 4 | | |
| 5 | | |
| 6 | | |
| 8 | | |
| 9 | | |
| 10 | | |
| 20 | | |
| 27 | | |

2. The Euler $\phi$-function is a multiplicative function

Theorem 1. The Euler $\phi$-function is a multiplicative function, i.e., if $\gcd(m, n) = 1$, then $\phi(mn) = \phi(m)\phi(n)$.

Proof. Consider the natural mapping $F : \mathbb{Z}_{mn} \to \mathbb{Z}_m \times \mathbb{Z}_n$ given by

$$F([x]_{mn}) = ([x]_m, [x]_n).$$

(i) Why is $F$ well defined?

(ii) Why is $F$ onto?

Since the domain and the range have the same cardinality, the function $F$ is also one-to-one, and is a bijection.

(iii) Why does $F$ restrict to a function $F' : \mathbb{Z}_{mn}^\bullet \to \mathbb{Z}_m^\bullet \times \mathbb{Z}_n^\bullet$?

(iv) Show that $F'$ is a bijection and that this completes the proof of the theorem.

3. Calculation of $\phi(n)$

(a) Let $p$ be a prime.

(i) What is $\phi(p)$?

(ii) What is $\phi(p^k)$ for an integer $k \ge 1$?

(b) Make use of the results in (a) to show that

$$\phi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right).$$

Exercise. For each integer $n$ in the table below, find the value of $\phi(n)$:

| $n$ | $\phi(n)$ | Calculation |
|---|---|---|
| 64 | | |
| 81 | | |
| 100 | | |
| 108 | | |
| 120 | | |

MAS 6217 (Fall 2017) Number Theory and Cryptography (Yiu)
Inquiry Based Learning Module B (in lieu of September 7 class lecture)

4. Fermat-Euler theorem

Theorem 2 (Fermat-Euler). If $\gcd(a, n) = 1$, then $a^{\phi(n)} \equiv 1 \pmod{n}$.

Proof. Consider the function $f_a : \mathbb{Z}_n \to \mathbb{Z}_n$ given by $f_a([x]) = [ax]$.

(a) Why is $f_a$ one-to-one?

(b) Why is $f_a$ onto?

(c) Why does $f_a$ induce a bijection $\mathbb{Z}_n^\bullet \to \mathbb{Z}_n^\bullet$?

This means that if $x_1, \dots, x_{\phi(n)}$ are the elements of $\mathbb{Z}_n^\bullet$, then $[ax_1], \dots, [ax_{\phi(n)}]$ is a permutation of the same $\phi(n)$ elements. In other words,

$$[ax_1] \cdots [ax_{\phi(n)}] = [x_1] \cdots [x_{\phi(n)}],$$

or

$$(a^{\phi(n)} - 1)\, x_1 \cdots x_{\phi(n)} \equiv 0 \pmod{n}.$$
(d) Why can we conclude that $a^{\phi(n)} \equiv 1 \pmod{n}$?

Corollary 3 (Fermat's Little Theorem). Let $p$ be a prime, and $a$ an integer. If $p$ does not divide $a$, then $a^{p-1} \equiv 1 \pmod{p}$.

Proof.

5. The order of an element in $\mathbb{Z}_n^\bullet$

Let $a \in \mathbb{Z}_n^\bullet$. By the Fermat-Euler theorem, $a^{\phi(n)} = 1$, so there is a smallest positive integer $d := \mathrm{order}_n(a)$ such that $a^d = 1 \in \mathbb{Z}_n^\bullet$. Such an integer is called the order of $a$ in $\mathbb{Z}_n^\bullet$.

Proposition 4. $\mathrm{order}_n(a)$ is a divisor of $\phi(n)$.

Proof. Let $t = \mathrm{order}_n(a)$, and write $\phi(n) = tq + r$ for some integers $q$ and $r$, $0 \le r < t$. Assume $r \ne 0$. Obtain a contradiction by showing that $a^r \equiv 1 \pmod{n}$:

Therefore, $r = 0$, and $\phi(n) = tq$. From this, $\mathrm{order}_n(a)$ is a divisor of $\phi(n)$.

Exercise. For each integer $n$ below, consider the elements in $\mathbb{Z}_n^\bullet$ other than 1. Compute the order of each by listing its successive powers modulo $n$:

(1) $n = 12$ with $\phi(n) = 4$:

| $a$ | $\mathrm{order}_n(a)$ | powers of $a$ mod 12 |
|---|---|---|
| 5 | | |
| 7 | | |
| 11 | | |

(2) $n = 15$ with $\phi(n) = 8$:

| $a$ | $\mathrm{order}_n(a)$ | powers of $a$ mod 15 |
|---|---|---|
| 2 | | |
| 4 | | |
| 7 | | |
| 8 | | |
| 11 | | |
| 13 | | |
| 14 | | |

(3) $n = 13$ with $\phi(n) = 12$:

| $a$ | $\mathrm{order}_n(a)$ | powers of $a$ mod 13 |
|---|---|---|
| 2 | | |
| 3 | | |
| 4 | | |
| 5 | | |
| 6 | | |
| 7 | | |
| 8 | | |
| 9 | | |
| 10 | | |
| 11 | | |
| 12 | | |

Proposition 5. If $\mathrm{order}_n(a) = t$, then

$$\mathrm{order}_n(a^k) = \frac{t}{\gcd(t, k)}.$$

Proof. Let $d = \gcd(t, k)$ and write $t = dt'$, $k = dk'$ for integers $t'$, $k'$. Note that $\gcd(t', k') = 1$.

(1) Show that $(a^k)^{t'} = 1$.

(2) Suppose $(a^k)^{t''} = 1$ for some $t'' < t'$. Show that $kt''$ is a multiple of $t = dt'$. This means that $t''$ is a multiple of $t'$, an impossibility.

This shows that $\mathrm{order}_n(a^k) = t' = \frac{t}{d}$.

6. Primality test for Mersenne numbers

Theorem 6. Let $p$ be a prime. Every prime divisor of $M_p := 2^p - 1$ is of the form $2kp + 1$ for some integer $k$.

Show that this follows from Fermat's little theorem.

Exercise.

(4) Show that $M_{11} = 2^{11} - 1 = 2047$ is composite by explicitly factoring it.

(5) Show that $M_{13} = 2^{13} - 1 = 8191$ is a prime.

MAS 6217 (Fall 2017) Number Theory and Cryptography (Yiu)
Inquiry Based Learning Module C (in lieu of September 12 class lecture)

7. The sum $\sum_{d \mid n} \phi(d)$

Lemma 7. If $f(n)$ is a multiplicative function, then so is $F(n) := \sum_{d \mid n} f(d)$.

Proof.
Let $m$ and $n$ be relatively prime.

$$\begin{aligned} F(mn) &= \sum_{d \mid mn} f(d) \\ &= F(m)F(n). \end{aligned}$$

Theorem 8. $\sum_{d \mid n} \phi(d) = n$.

Proof. Let $F(n) := \sum_{d \mid n} \phi(d)$.

(1) For a prime power $p^k$, show that $F(p^k) = p^k$.

By Lemma 7, $F$ is a multiplicative function.

(2) Let $n = \prod p_i^{k_i}$. Show that $F(n) = n$.

Therefore, $\sum_{d \mid n} \phi(d) = n$.

8. Gauss' theorem

Theorem 9 (Gauss). If $F$ is a finite field, the multiplicative group $F^\bullet = F \setminus \{0\}$ is a cyclic group.

Proof. Let $q = |F|$. For each $d \mid q - 1$, suppose there are $\psi(d)$ elements of order $d$ in $F^* = F \setminus \{0\}$.

(a) Why is $q - 1 = \sum_{d \mid q-1} \psi(d)$?

(b) Note that there are at most $d$ elements in $F$ satisfying $x^d - 1 = 0$. Why?

(c) In fact, if $\alpha$ is an element of order $d$, then the elements satisfying $x^d - 1 = 0$ are precisely $1, \alpha, \alpha^2, \dots, \alpha^{d-1}$. How many of these have order $d$?

(d) Conclude that $\psi(d) = 0$ or $\phi(d)$.

(e) Make use of this and Theorem 8 to conclude that there are exactly $\phi(d)$ elements of order $d$.

Corollary 10. Let $p$ be an odd prime.

(a) For each divisor $t$ of $p - 1$, there are exactly $\phi(t)$ elements of $\mathbb{Z}_p^\bullet = \mathbb{Z}_p \setminus \{0\}$ of order $t$.

(b) There are exactly $\phi(p - 1)$ primitive roots for $p$.

Proof.

9. When is $\mathbb{Z}_n^\bullet$ cyclic?

Lemma 11. A cyclic group has at most one element of order 2.

Proof. Let $G$ be a cyclic group of order $n$, and $a \in G$ a generator, i.e., an element of order $n$. Every element of $G$ is of the form $a^k$ for some $k \le n$.

(a) What is the order of $a^k$?

(b) When is this order equal to 2?

(c) Deduce that if $n$ is odd, there is no element of order 2.

(d) Show that if $n$ is even, there is only one element of order 2.

Proposition 12. If $m = ab$ for relatively prime integers $a, b \ge 3$, then $\mathbb{Z}_m^\bullet$ cannot be cyclic.

Proof. Let $m = ab$ for relatively prime integers $a, b \ge 3$.

(a) Why are there integers $x_1$ and $x_2$ satisfying the following simultaneous congruences?

$$\begin{cases} x_1 \equiv -1 \pmod{a} \\ x_1 \equiv 1 \pmod{b} \end{cases} \quad \text{and} \quad \begin{cases} x_2 \equiv 1 \pmod{a} \\ x_2 \equiv -1 \pmod{b}. \end{cases}$$

(b) How do $x_1$ and $x_2$ give distinct elements of $\mathbb{Z}_{ab}^\bullet$ of order 2?

This shows that $\mathbb{Z}_m^\bullet$ cannot be cyclic.

Theorem 13. $\mathbb{Z}_m^\bullet$ is cyclic if and only if $m = 2$, $4$, or $p^k$, $2p^k$ for an odd prime $p$.
Proof. ($\Rightarrow$) Suppose $\mathbb{Z}_m$ is cyclic, and $m$ is a prime power.

(i) For $m = 2^k$, $k \ge 3$, give two elements of order 2.

Therefore, $m = 2$, $4$, or $p^k$ for an odd prime $p$ and $k \ge 1$.

(ii) Suppose $m = ab$ for $a, b > 1$ with $\gcd(a, b) = 1$. Why must one of $a$, $b$ be equal to 2?

Therefore, $m = 2$, $4$, $p^k$, or $2p^k$ for an odd prime $p$ and $k \ge 1$.

($\Leftarrow$) Give a generator when

(iii) $m = 2$:

(iv) $m = 4$:

For an odd prime $p$, let $b \in \mathbb{Z}_p^\bullet$ be a generator. In Module D, we shall show that if $b \in \mathbb{Z}_p^\bullet$ is a generator with $b^{p-1} = 1 + ap$ for an integer $a$, then

(1) when $a \not\equiv 0 \pmod{p}$, $b$ is a generator of $\mathbb{Z}_{p^k}$, $k > 1$,

(2) when $a \equiv 0 \pmod{p}$, $b + p$ is a generator of $\mathbb{Z}_{p^k}$, $k > 1$.

(v) Give a generator of $\mathbb{Z}_m^\bullet$ for $m = 2p^k$ by making use of the above result.

MAS 6217 (Fall 2017) Number Theory and Cryptography (Yiu)
Inquiry Based Learning Module D (in lieu of September 12 class lecture)

Generators of $\mathbb{Z}_{p^k}^\bullet$ in terms of those of $\mathbb{Z}_p$ for an odd prime

Let $p$ be an odd prime. The following two propositions A and B establish the theorem on generators of $\mathbb{Z}_{p^k}$ for an odd prime $p$ and $k > 1$.

Theorem 14. Let $p$ be an odd prime, and $b \in \mathbb{Z}_p^\bullet$ a generator with $b^{p-1} = 1 + ap$ for an integer $a$. Let $q = p^k$, $k > 1$.

(a) If $a \not\equiv 0 \pmod{p}$, then $b$ is a generator of $\mathbb{Z}_q^\bullet$.

(b) If $a \equiv 0 \pmod{p}$, then $b + p$ is a generator of $\mathbb{Z}_q^\bullet$.

Proposition A. Suppose $a$ is not divisible by $p$.
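
A numerical check of Theorem 13 and of the generator rule in Theorem 14, given here as an added example that is not part of the original worksheet. All function names are this example's own; orders are found by listing successive powers, as in the Section 5 exercise.

```python
# Added example: all function names are this example's own, not the worksheet's.
from math import gcd
def phi(n):
    """Euler phi by the product formula n * prod_{p | n} (1 - 1/p)."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:  # one prime factor larger than sqrt(n) may remain
        result -= result // m
    return result

def order(a, n):
    """Smallest d >= 1 with a^d = 1 mod n, by listing successive powers."""
    if gcd(a, n) != 1:
        raise ValueError("a is not a unit modulo n")
    d, x = 1, a % n
    while x != 1:
        x, d = x * a % n, d + 1
    return d

def is_cyclic(n):
    """The unit group mod n is cyclic iff some unit has order phi(n)."""
    t = phi(n)
    return any(order(a, n) == t for a in range(1, n) if gcd(a, n) == 1)

def theorem13_form(m):
    """True iff m is 2, 4, p^k or 2p^k for an odd prime p."""
    if m in (2, 4):
        return True
    if m % 2 == 0:
        m //= 2
    if m % 2 == 0:
        return False
    p = next(d for d in range(3, m + 1, 2) if m % d == 0)  # smallest prime factor
    while m % p == 0:
        m //= p
    return m == 1

def theorem13_mismatches(limit):
    """Moduli 2 <= m <= limit where brute force disagrees with Theorem 13."""
    return [m for m in range(2, limit + 1) if is_cyclic(m) != theorem13_form(m)]

def lifted_generator(b, p):
    """Theorem 14: from a generator b mod p, return b or b + p."""
    a = (pow(b, p - 1, p * p) - 1) // p  # a mod p, from b^(p-1) = 1 + ap
    return b if a % p != 0 else b + p
```

For `p = 29` and `b = 14`, case (b) of Theorem 14 applies: 14 generates the units modulo 29 but has order only 28 modulo 841, and `lifted_generator(14, 29)` returns 43.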
