Basic Number Theory: Cryptography – CS 507, Erkay Savas, Sabanci University, erkays@sabanciuniv.edu

The document provides an overview of basic number theory concepts including: 1) Divisibility and prime numbers. It defines prime numbers and states the prime number theorem. 2) Greatest common divisor and how to compute it using the Euclidean algorithm or factoring. 3) Congruence classes and modular arithmetic, including properties like unique solutions to simultaneous congruences by the Chinese Remainder Theorem. 4) Modular exponentiation and its efficient computation using binary exponentiation. Fermat's Little Theorem and Euler's Theorem are also covered.

Basic Number Theory

Cryptography – CS 507
Erkay Savas
Sabanci University
erkays@sabanciuniv.edu
Basic Notation
• Divisibility (of integers)
– Let a and b be integers with a ≠ 0. We say that a
divides b, if there is an integer k s.t. b = a · k.
– Denoted as a | b.
• Propositions
– For every a≠0, a | 0 and a | a. Also 1 | b for every b.
– If a | b and b | c, then a | c
– If a | b and a | c, then a | (s · b + t · c) for all s and t.

10/22/2002 Erkay Savas 2


Prime Numbers
• A number p > 1 that is divisible only by 1 and
itself is called a prime number. An integer that is
not prime is called a composite number.
• Prime Number Theorem: Let π(x) be the number of
primes less than x. Then
π(x) ~ x/ln x as x → ∞ (i.e. π(x) ≈ x/ln x for large x)
• Theorem: Every positive integer is a product of
primes. This factorization is unique.
• Lemma: If p is a prime and it divides a product of
integers a · b, then either p | a or p | b.

Greatest Common Divisor (GCD)
• GCD of a and b is the largest positive integer that
divides both integers. Denoted as gcd(a, b).
• The gcd of a and b can be computed
– by factoring a and b into primes
Example: gcd(1728, 135)
1728 = 2^6 · 3^2 and 135 = 3^3 · 5 => gcd(1728, 135) = 3^2 = 9.
– by using the Euclidean algorithm, which
relies on repeated division with remainder.

Example: Euclidean algorithm
• gcd(482, 1180)
1180 = 2 · 482 + 216
482 = 2 · 216 + 50
216 = 4 · 50 + 16
50 = 3 · 16 + 2
16 = 8 · 2 + 0
The last nonzero remainder, 2, is the gcd.

GCD
• Theorem: Let a and b be two integers, with at
least one of them nonzero, and let d = gcd(a, b).
Then there exist integers x, y s.t. a·x + b·y = d. In
particular, if a and b are relatively prime (i.e.
gcd(a, b) = 1) then a·x + b·y = 1.
• In the latter case, x is called the multiplicative
inverse of a w.r.t. b, since a·x ≡ 1 (mod b).

Solving a · x + b · y = d
Algorithm: Extended Euclidean algorithm (EEA)
INPUT: two non-negative integers a and b with a ≥ b
OUTPUT: d = gcd(a, b) and integers x and y s.t. a·x + b·y = d.
1. If b = 0 then d ← a, x ← 1, y ← 0 and return(d, x, y).
2. x2 ← 1, x1 ← 0, y2 ← 0, y1 ← 1.
3. While b > 0 do the following:
4.   q ← ⌊a/b⌋, r ← a − q·b, x ← x2 − q·x1, y ← y2 − q·y1
5.   a ← b, b ← r, x2 ← x1, x1 ← x, y2 ← y1, and y1 ← y
6. Set d ← a, x ← x2, y ← y2, and return(d, x, y).

Example EEA: a = 4864 and b = 3458
 q     r     x     y      a      b    x2    x1    y2    y1
 -     -     -     -   4864   3458     1     0     0     1
 1  1406     1    -1   3458   1406     0     1     1    -1
 2   646    -2     3   1406    646     1    -2    -1     3
 2   114     5    -7    646    114    -2     5     3    -7
 5    76   -27    38    114     76     5   -27    -7    38
 1    38    32   -45     76     38   -27    32    38   -45
 2     0   -91   128     38      0    32   -91   -45   128
Result: d = 38, x = x2 = 32, y = y2 = −45, and indeed 4864·32 − 3458·45 = 38.

Congruence Classes
• Let a, b, and n be integers with n ≠ 0. We say that
– a ≡ b (mod n)
(a is congruent to b mod n) if a − b is a (positive or negative)
multiple of n.
Thus, a = b + k·n for some integer k (positive or
negative).
– Proposition: Let a, b, c, d, n be integers with n ≠ 0, a ≡ b
(mod n) and c ≡ d (mod n). Then
a + c ≡ b + d (mod n), a − c ≡ b − d (mod n),
a · c ≡ b · d (mod n)

Division in Congruence Classes
• We can divide by a (mod n) when gcd(a, n)=1
• Example: Solve 2x + 7 ≡ 3 (mod 17)
• Example: Solve 5x + 6 ≡ 13 (mod 15).
• Proposition: Suppose gcd(a, n)=1. Let s and t be
integers s.t. a · s + n · t = 1. Then
a · s ≡ 1 (mod n)
s is called the multiplicative inverse of a (mod n)
• The extended Euclidean algorithm is a fairly efficient
method of computing multiplicative inverses in
congruence classes.
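As an added example (not from the slides), the Python below implements the EEA of the previous slides with the same x2/x1/y2/y1 registers so its row trace can be checked against the table for a = 4864, b = 3458, derives the modular inverse from it, and solves the two example congruences above in the general form a·x ≡ b (mod n), returning no solution when gcd(a, n) does not divide b (which is what happens for 5x + 6 ≡ 13 (mod 15)).

```python
# Added example (not from the slides). eea() follows the slide's EEA step by
# step, keeping the x2/x1/y2/y1 registers so its row trace matches the table.

def eea(a, b):
    """Return (d, x, y, rows) with d = gcd(a, b) = a*x + b*y, for a >= b >= 0.
    rows holds (q, r, x, y, a, b, x2, x1, y2, y1) after each loop iteration."""
    if b == 0:                         # step 1
        return a, 1, 0, []
    x2, x1, y2, y1 = 1, 0, 0, 1        # step 2
    rows = []
    while b > 0:                       # step 3
        q, r = a // b, a % b           # step 4: q = floor(a/b), r = a - q*b
        x, y = x2 - q * x1, y2 - q * y1
        a, b = b, r                    # step 5
        x2, x1, y2, y1 = x1, x, y1, y
        rows.append((q, r, x, y, a, b, x2, x1, y2, y1))
    return a, x2, y2, rows             # step 6

def modinv(a, n):
    """Multiplicative inverse of a mod n, or None when gcd(a, n) != 1."""
    d, _, y, _ = eea(n, a % n)         # n*x + (a mod n)*y = d, so y is the inverse
    return y % n if d == 1 else None

def solve_linear(a, b, n):
    """All x in [0, n) with a*x ≡ b (mod n). "Dividing" by a is only possible
    when gcd(a, n) divides b; otherwise there is no solution and [] is returned."""
    a, b = a % n, b % n
    d = eea(max(a, n), min(a, n))[0]
    if b % d:
        return []
    a, b, m = a // d, b // d, n // d   # now gcd(a, m) = 1
    x0 = b * modinv(a, m) % m
    return [x0 + k * m for k in range(d)]
```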

Chinese Remainder Theorem (CRT)
• Suppose gcd(m, n) = 1. Given a and b, there exists
exactly one solution x (mod m · n) to the simultaneous
congruences
x ≡ a (mod m) and x ≡ b (mod n)
• Example: Solve
x ≡ 3 (mod 7) and x ≡ 5 (mod 15)
• Solution (works only for small numbers):
List the numbers satisfying x ≡ 5 (mod 15): 5, 20, 35, 50, 65, 80, 95, …
Reduce each of them mod 7: 5, 6, 0, 1, 2, 3, 4.
The one congruent to 3 (mod 7) is 80, so x = 80.

Gauss’s algorithm for the general case of CRT
• The simultaneous congruences
x ≡ a1 (mod n1), x ≡ a2 (mod n2), …, x ≡ ak (mod nk)
have a unique solution modulo n = n1 n2 … nk
• Gauss’s algorithm:
$x = \sum_{i=1}^{k} a_i N_i M_i \bmod n$, where
$N_i = n / n_i$ and $M_i = N_i^{-1} \bmod n_i$
• Assignment: Study Garner’s algorithm for CRT
(Handbook of Applied Cryptography, pages 612-613).

Example
• Solve x ≡ 3 (mod 7) and x ≡ 5 (mod 15)
• a1 = 3 and a2 = 5, n1 = 7 and n2 = 15, and n = 7·15 = 105
• N1 = n / n1 = 105/7 = 15
M1 = N1^{-1} mod n1 = 15^{-1} mod 7 = 1
• N2 = n / n2 = 105/15 = 7
M2 = N2^{-1} mod n2 = 7^{-1} mod 15 = 13
• x = a1 N1 M1 + a2 N2 M2 = (3·15·1 + 5·7·13) mod 105 =
500 mod 105 = 80.
• Solve the same problem with Garner’s algorithm.
• CRT has a very important application in RSA cryptography:
think of performing x^a (mod n) where n = p · q.


Modular Exponentiation
• x^a (mod n)
• Example: 2^1234 mod 789
Naïve method: raise 2 to the 1234th power and then take the
modulus. Is it practical (possible)?
Practical method: use the binary expansion of the
exponent:
1234 = (10011010010)_2

Modular exponentiation example
• 2^1234 mod 789 and 1234 = (10011010010)_2
(all operations are performed modulo 789)
x = 2
x = 2·2 = 4
x = 4·4 = 16
x = 16·16 = 256 and x = 256·2 = 512
x = 512·512 = 196 and x = 196·2 = 392
x = 392·392 = 598
x = 598·598 = 187 and x = 187·2 = 374
x = 374·374 = 223
x = 223·223 = 22
x = 22·22 = 484 and x = 484·2 = 179
x = 179·179 = 481
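The same left-to-right binary method in code, as an added example (not from the slides): it records the accumulator after each bit so the trace can be compared line by line with the hand computation above, and counts the operations that make the method practical.

```python
# Added example (not from the slides): left-to-right binary exponentiation.
# Every bit of the exponent costs one squaring and every 1 bit one extra
# multiplication, so 2^1234 mod 789 takes 10 squarings and 4 multiplications
# on values below 789, instead of 1233 multiplications on a growing number.

def modexp_trace(x, e, n):
    """Return (x**e mod n, trace); trace[i] is the accumulator after the i-th
    bit of e (most significant first) has been processed."""
    acc, trace = 1, []
    for bit in bin(e)[2:]:            # 1234 -> '10011010010'
        acc = acc * acc % n           # square for every bit ...
        if bit == '1':
            acc = acc * x % n         # ... and multiply by x when the bit is 1
        trace.append(acc)
    return acc, trace

def op_count(e):
    """(squarings, multiplications) performed for exponent e, not counting
    the trivial 1*1 and 1*x steps on the leading bit."""
    bits = bin(e)[2:]
    return len(bits) - 1, bits.count('1') - 1
```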

Fermat’s little theorem and Euler’s theorem
• Fermat’s little theorem: If p is a prime and p
does not divide a, then
a^{p−1} ≡ 1 (mod p)
• Euler’s theorem: If gcd(a, n) = 1, then
a^{φ(n)} ≡ 1 (mod n)
where φ(n) is defined as the number of integers
1 ≤ a ≤ n such that gcd(a, n) = 1, and is called
Euler’s φ-function.
• φ(p) = p − 1

Euler’s totient function
• If n = p · q then φ(n) = (p−1)·(q−1) (prove this).
• If p is a prime and n = p^r, then we must remove
every p-th number (i.e. p, p^2, …, p^{r−1}) in order to
get the list of a’s with gcd(a, n) = 1, which yields
φ(p^r) = (1 − 1/p) p^r.
• In the general case any integer can be written as
$n = \prod_{i=1}^{t} p_i^{e_i}$, therefore
$\varphi(n) = n \cdot \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$

Example
• Example 1: 2^10 = 1024 ≡ 1 (mod 11)
• Example 2: Compute 2^{−1} (mod 11).
2·2^9 = 2^10 ≡ 1 (mod 11) => 2^{−1} ≡ 2^9 (mod 11) ≡
6 (mod 11).
• Example 3: φ(10) = φ(2·5) = (2−1) · (5−1) = 4:
{1, 3, 7, 9}
• Example 4: Compute 2^43210 (mod 101)
We know 2^100 ≡ 1 (mod 101) =>
2^43210 = 2^{432·100 + 10} = (2^100)^432 · 2^10 ≡ 2^10 (mod 101)
≡ 14 (mod 101).

Important principle
• Let a, n, x, y be integers with n ≥ 1 and
gcd(a, n) = 1. If x ≡ y (mod φ(n)) then
a^x ≡ a^y (mod n).
In other words, if you want to work mod n, you
should work mod φ(n) in the exponent.
• Proof: x = y + φ(n)·k for some integer k, from the congruence relation.
Then
$a^x = a^{y + \varphi(n) k} \equiv a^y \left(a^{\varphi(n)}\right)^k \equiv a^y \cdot 1^k \equiv a^y \pmod{n}$

Example
• Compute 2^1301 mod 100.
• Solution 1: 2^1301 ≡ 52 (mod 100).
• Solution 2: φ(100) = 100 · (1 − 1/2) · (1 − 1/5) = 40.
1301 ≡ 21 (mod φ(100))
2^1301 ≡ 2^{1301 mod 40} (mod 100) ≡ 2^21 (mod 100)
≡ 52 (mod 100).
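An added example (not from the slides) that computes φ(n) from the product formula of the previous slide and applies the exponent-reduction principle with its hypothesis gcd(a, n) = 1 enforced. The example above has gcd(2, 100) = 2, so the principle does not strictly apply; the result 52 is still right because both exponents are at least 2, and the block shows a pair of exponents (1 and 41) for which the reduction fails without the hypothesis.

```python
# Added example (not from the slides): Euler's φ via φ(n) = n·∏(1 − 1/p), and
# "work mod φ(n) in the exponent" with its gcd(a, n) = 1 precondition checked.
from math import gcd

def prime_factors(n):
    """Distinct prime divisors of n by trial division (fine for classroom sizes)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes

def euler_phi(n):
    phi = n
    for p in prime_factors(n):
        phi = phi // p * (p - 1)      # multiply by (1 − 1/p) staying in integers
    return phi

def pow_via_phi(a, x, n):
    """a^x mod n with the exponent reduced mod φ(n).
    Raises ValueError when gcd(a, n) != 1, since Euler's theorem needs it."""
    if gcd(a, n) != 1:
        raise ValueError("gcd(a, n) must be 1 to reduce the exponent mod φ(n)")
    return pow(a, x % euler_phi(n), n)

def reduction_holds(a, x, y, n):
    """Check a^x ≡ a^y (mod n) for x ≡ y (mod φ(n)); guaranteed only if gcd(a, n) = 1."""
    assert (x - y) % euler_phi(n) == 0, "x and y must agree mod φ(n)"
    return pow(a, x, n) == pow(a, y, n)
```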

Primitive Roots
• Consider the powers of 3 (mod 7):
3^1 ≡ 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1
The powers of 3 generate all the nonzero congruence
classes mod 7. Such elements are called
primitive roots or multiplicative generators of the
congruence classes.
• If p is a prime, there are φ(p−1) primitive roots
mod p.
• Let g be a primitive root for the prime p.
If n is an integer, then g^n ≡ 1 (mod p) iff
n ≡ 0 (mod p−1).
Square roots mod n
• Suppose x^2 ≡ b (mod n), where n = pq, has a solution.
• If the factorization of n is known, the equation can be
solved quite easily.
• Conversely, if we know all the solutions, then it is easy to
factor n.
• Proposition: Let p ≡ 3 (mod 4) be prime and let y be an
integer. Let x ≡ y^{(p+1)/4} (mod p).
1. If y has a square root mod p, then the square roots of y mod
p are ±x.
2. If y has no square root mod p, then −y has a square root mod
p, and the square roots of −y mod p are ±x.

Square roots mod n
• Example: Find the square roots of 5 mod 11.
• (p+1)/4 = 3 => 5^3 mod 11 = 4. Then ±4 are the square
roots of 5 mod 11.
• Example: Find the square root of 2 mod 11.
• Square roots for a composite modulus.
• Example: x^2 ≡ 71 (mod 77)
77 = 7×11 => x^2 ≡ 1 (mod 7) and x^2 ≡ 5 (mod 11)
=> x ≡ ±1 (mod 7) and x ≡ ±4 (mod 11)
Solve the rest using CRT.

Square roots mod n
• x ≡ 1 (mod 7) and x ≡ 4 (mod 11) => x ≡ 15 (mod 77)
• x ≡ 1 (mod 7) and x ≡ −4 (mod 11) => x ≡ 29 (mod 77)
• The other two solutions are x ≡ −15 (mod 77) and x ≡ −29 (mod 77).
• Can we factor n if we know all four solutions?
• Let n = pq be the product of two primes and suppose we know
the four solutions x = ±a, ±b of x^2 ≡ y (mod n).
We know that a ≡ b (mod p) and a ≡ −b (mod q). Thus
p | (a − b) and q ∤ (a − b). This means that gcd(a − b, n) = p,
a nontrivial factor of n.
• Taking square roots modulo n, where n = pq, when the
factorization is not known is as hard as factoring.
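The proposition for p ≡ 3 (mod 4) and the factoring argument above in code, as an added example (not from the slides): `sqrt_mod_p` reports whether the roots it finds belong to y or to −y (the slide’s second case, which is what happens for 2 mod 11), and `factor_from_roots` applies gcd(a − b, n) to the four roots of x^2 ≡ 71 (mod 77) listed above, returning nothing for a pair that is trivially related (b ≡ ±a), which yields only 1 or n.

```python
# Added example (not from the slides): square roots mod a prime p ≡ 3 (mod 4)
# and the "two unrelated roots give a factor" step for n = pq.
from math import gcd

def sqrt_mod_p(y, p):
    """For prime p ≡ 3 (mod 4): return (target, (x, p - x)) where target is y mod p
    if y is a square mod p, otherwise -y mod p (the slide's case 2)."""
    assert p % 4 == 3, "the (p+1)/4 formula needs p ≡ 3 (mod 4)"
    y %= p
    x = pow(y, (p + 1) // 4, p)       # candidate root
    roots = (x, (p - x) % p)          # ±x
    if x * x % p == y:
        return y, roots               # case 1: roots of y
    return (-y) % p, roots            # case 2: roots of -y; y has none

def factor_from_roots(a, b, n):
    """Given two roots a, b of the same x^2 ≡ y (mod n), n = pq, with b ≢ ±a:
    gcd(a - b, n) is a nontrivial factor. Returns None when b ≡ ±a (mod n),
    because then gcd(a - b, n) is n or divides 2y and teaches nothing."""
    if (a - b) % n == 0 or (a + b) % n == 0:
        return None
    return gcd(a - b, n)
```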
Finite Fields
• If p is a prime, the congruence classes {0, 1, …, p−1} form a
finite field. There are two operations defined in a field:
addition (with subtraction) and multiplication. Since every non-
zero element has a multiplicative inverse, we can also
define the division operation.
• We use Fp or GF(p) to denote the prime finite field. GF is
read as Galois field, after the famous French mathematician
Évariste Galois, who died in a duel at the age of 21 after
founding finite field theory.
• Is the set of integers a field?
• Give an example of an infinite field.

A special class of finite fields
• GF(2) is the finite field with two elements {0, 1} and is
called the binary field.
• Let f(x) = x^n + a_{n−1} x^{n−1} + … + a_1 x + a_0 be an
irreducible binary polynomial (i.e. a_i ∈ {0, 1} for 0 ≤ i ≤ n−1).
This means it has no solutions in GF(2). All
the solutions are in the binary extension field
GF(2^n).
• In order to construct a binary extension field
GF(2^n) we need an irreducible polynomial of
degree n.

Binary extension fields
• Example: The irreducible polynomial x^3 + x + 1 can be
used to construct GF(2^3).
• A simple method to construct this field is to list
all the binary polynomials whose degree is
smaller than the degree of the irreducible
polynomial (n = 3).
• GF(2^3) = {0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1}
• In a computer we can use binary strings to represent
these elements as
GF(2^3) = {000, 001, 010, 011, 100, 101, 110, 111}

Operations in GF(2^n)
• Addition is an operation that acts on the
corresponding coefficients of the two polynomials
when the polynomial representation is used.
Example: (x+1) + (x^2+1) = x^2 + x
• Subtraction is identical to addition.
• Multiplication is done using polynomial
arithmetic when the polynomial representation is
used. Two steps are involved:
1. Polynomial multiplication
2. Reduction with the irreducible polynomial

Multiplication in GF(2^n)
• Example: (x+1)×(x^2+1) in GF(2^3) with f(x) = x^3 + x + 1.
Step 1: (x+1)(x^2+1) = x^3 + x^2 + x + 1, which is not an element of
GF(2^3), so a reduction step is necessary.
Step 2: The remainder of the following division is
the result:
(x^3 + x^2 + x + 1) / (x^3 + x + 1) has remainder x^2.

Division in GF(2^n)
• Every non-zero element has a multiplicative
inverse; i.e. for every non-zero element a(x) of GF(2^n)
there exists b(x) s.t. a(x)×b(x) ≡ 1 (mod f(x)).
• Thus division by a non-zero element of GF(2^n)
is defined.

Primitive polynomials and elements
• The root of some irreducible polynomials can be used to
construct the binary extension field.
• Example: f(x) = x^4 + x + 1
Let f(α) = 0, then α^4 + α + 1 = 0 => α^4 = α + 1.
• The powers of α:
0, 1, α, α^2, α^3,
α^4 = α + 1
α^5 = α^2 + α
α^6 = α^3 + α^2
α^7 = α^4 + α^3 = α^3 + α + 1
α^8 = α^4 + α^2 + α = α^2 + 1
α^9 = α^3 + α
α^10 = α^4 + α^2 = α^2 + α + 1
α^11 = α^3 + α^2 + α
α^12 = α^4 + α^3 + α^2 = α^3 + α^2 + α + 1
α^13 = α^4 + α^3 + α^2 + α = α^3 + α^2 + 1
α^14 = α^4 + α^3 + α = α^3 + 1
α^15 = α^4 + α = α + 1 + α = 1
Primitive polynomials and elements
• Such polynomials are called primitive polynomials, while
the root of a primitive polynomial is called a primitive
element.
• Example: f(x) = x^4 + x^3 + x^2 + x + 1 is not a primitive polynomial:
0, 1, α, α^2, α^3,
α^4 = α^3 + α^2 + α + 1
α^5 = α^4 + α^3 + α^2 + α = α^3 + α^2 + α + 1 + α^3 + α^2 + α = 1
α^6 = α
α^7 = α^2
The powers of α repeat with period 5, so they do not generate all 15 nonzero elements of GF(2^4).
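GF(2^n) arithmetic on bit-string elements, as an added example (not from the slides) covering the multiplication, division and primitivity slides above: carry-less polynomial multiplication followed by reduction with f(x), inversion via Fermat (a^{2^n − 2} = a^{−1}, which is why every non-zero element is invertible), and a primitivity test that computes the order of the root α = x exactly as the two hand tables do for x^4 + x + 1 and x^4 + x^3 + x^2 + x + 1. Polynomials are Python ints with bit i holding the coefficient of x^i, so x^3 + x + 1 is 0b1011.

```python
# Added example (not from the slides): GF(2^n) with elements as bit strings.

def gf2_mul(a, b, f, n):
    """a(x)·b(x) mod f(x) in GF(2^n); f includes its leading x^n term."""
    r = 0
    while b:
        if b & 1:
            r ^= a                    # add a(x): XOR is coefficient-wise mod 2
        b >>= 1
        a <<= 1                       # a(x) := x·a(x)
        if a >> n:                    # degree reached n: subtract (XOR) f(x)
            a ^= f
    return r

def gf2_pow(a, e, f, n):
    """a(x)^e by square-and-multiply, the same idea as modular exponentiation."""
    r = 1
    while e:
        if e & 1:
            r = gf2_mul(r, a, f, n)
        a = gf2_mul(a, a, f, n)
        e >>= 1
    return r

def gf2_inv(a, f, n):
    """Inverse of non-zero a(x): a^(2^n - 1) = 1 for every non-zero element,
    so a^(2^n - 2) is the inverse."""
    assert a != 0, "0 has no inverse"
    return gf2_pow(a, (1 << n) - 2, f, n)

def order_of_alpha(f, n):
    """Smallest k >= 1 with α^k = 1 for the root α = x (binary 0b10) of f.
    f is primitive iff this equals 2^n - 1, i.e. α generates all non-zero elements."""
    k, p = 1, 0b10
    while p != 1:
        p = gf2_mul(p, 0b10, f, n)    # next power of α
        k += 1
    return k
```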