Algebraic AlgorithmsIntroductory Number Theory and Abstract Algebra for Computer Science Applications

1. Introduction, Background, and Motivation
- 1.1. Overview
- 1.2. Informal motivating example: random number generation
2. Review of Logic with Sets, Relations, and Operators
3. Modular Arithmetic
Review 1. Properties, Algorithms, and Applications of Modular Arithmetic
4. Computational Complexity of Modular Arithmetic Algorithms
5. Algebraic Structures
Review 2. Algebraic Structures and their Properties
Appendix A. Python Reference
- A.1. Obtaining Python
- A.2. Assembling a Python module
- A.3. Common data structures (i.e., Python expressions)
- A.4. Function, procedure, and method invocations
- A.5. Comprehensions
- A.6. Other useful built-in functions
- A.7. Common Python definition and control constructs (i.e., Python statements)

[link] 1. Introduction, Background, and Motivation

[link] 1.1. Overview

When many real-world problems are addressed or solved mathematically and computationally, the details of those problems are abstracted away until they can be represented directly as idealized mathematical structures (e.g., numbers, sets, trees, graphs, matrices, and so on). In this course, we will study a collection of such idealized mathematical objects: integers, residues, groups, isomorphisms, and several others. We will see how these structures and their properties can be used for implementing useful computational solutions to problems such as random number generation, prime number generation, error correction, trusted and distributed storage and computation, secure communication, and others.

In covering the material for this course, we will use the standard language and conventions for discussing these mathematical structures that have been developed by the community of mathematicians over the course of history. You will need to become familiar with these conventions in order to find, identify, and use the structures and techniques that have already been developed for representing and solving certain computational problems. At the same time, we will also learn how modern programming languages and programming paradigms can be used to implement these structures and algorithms both accessibly and efficiently.

The development and application of mathematics involves abstraction. A problem can be viewed at multiple levels of abstraction, and in developing mathematics humans have adopted a variety of techniques that allow them to successfully employ abstraction to study natural phenomena and solve problems.

[link]

symbolic	abstract meaning	concrete meaning in application domain
2 + 3	5	five objects
{(1, 2), (1, 3)}	acyclic graph	file system
{(1, 2), (2, 3), (3, 1)}	graph with cycle	network
{(0,1), (1,2), (2,0)}	permutation	random number sequence

The above illustrates the different levels of abstraction that may exist for a given problem. We employ a language of symbols to denote certain abstract structures, which may correspond to actual structures in the world. A string of symbols corresponds to a particular abstract object. Notice that the actual object being modeled and the abstract structure behave the same way, and that this behavior implies certain rules about how we can manipulate the symbols without changing the object that they name. For example, we can represent the same graph using the two strings of symbols "{(1,2), (2,3), (3,1)}" and "{(1,2), (2,3), (3,1)}", or the same number of objects using "2 + 3", "3 + 2", "1 + 4", and so on.

In this course, we will begin to reviewing the terminology and concepts of logic, integer arithmetic, and set theory, which we will use throughout the course. We will then show that the algebraic properties of the integers also apply to congruence classes of integers (i.e., the properties of modular arithmetic operations), and we will derive and utilize theorems that have useful computer science applications (such as for generating random numbers and creating cryptographic protocols). We will then go further and show that some of the algebraic properties that hold in integer and modular arithmetic can also apply to any data structure, and we will study how to recognize and take advantage of these properties.

[link] 1.2. Informal motivating example: random number generation

Let us informally consider the problem of generating a sequence of random positive integers. Random number generators are needed in many situations and applications, including:

generating unique identifiers for database records, objects, etc.;
generating a one-time pad for a simple encryption scheme;
generating public and private keys for more sophisticated encryption and signature schemes;
simulation and approximation methods that employ random sampling (Monte-Carlo, and so on).

Different applications will impose different requirements on what is and is not a sufficiently "random" sequence of number. Suppose we adopt the following method:

n₀ = a number in the range (inclusive) 0 to 5;
n_i = (2 ⋅ n_i-1 + 1) mod 6.

We can consider another method:

n₀ = an initial seed integer 10⁴ > n ≥ 10³;
n_i = only the last four digits of n_i-1².

Frequent repetition of a sequence may or may not be allowed in our given application. Does the above method produce repeating numbers? How often? For how many initial seeds? How do we choose a good seed? We can measure a physical process or component (a clock, a keyboard), but even under these circumstances we need a way to reason about the range of random values the measurement produces, and the range of random values the application requires. How do we begin to approach and formally characterize these aspects of the problem so that we are certain we are meeting the requirements imposed by the application?

One way to model a random number generation process is to view it is a permutation. In fact, there is more than one way to view the process as a permutation. We could simply count up from 0 to m and apply the same permutation to each 0 ≤ n ≤ m in order to produce the nth random number in the sequence. Is there an efficient way (i.e., using no more memory than O(log m)) to compute a random number from each n such that a number never repeats?

In this course we will learn about a variety of mathematical structures and their properties that will allow us to precisely specify the above problem and others like it, to identify what solutions are appropriate for such a problem, and to implement these solutions correctly and, where necessary, efficiently.

[link] 2. Review of Logic with Sets, Relations, and Operators

In this section, we will review several abstract structures and associated properties (and the symbolic language used to represent them) that you should have already encountered in past courses. Simultaneously, we will review one way in which these structures can be implemented and manipulated within the modern programming language Python. As with most human languages that have developed organically over time, mathematics has a rich and often redundant vocabulary. We introduce many terms in this section that we will use consistently in this course. However, keep in mind that there are often other synonyms within mathematics and computer science for these structures.

[link] 2.1. Formulas without quantifiers

[link]

Definition: A logical formula or formula is a string of symbols that follow a certain syntax. If the formula is written using a correct syntax, we can ask about its meaning (i.e., is the formula true or false). The symbols or, and, not, implies, and iff are logical operators.

The basic building blocks (a.k.a., base cases) for formulas are true, false, and predicates. When a formula consists of only one of these (and no operators), it is an atomic formula. Like any formula, each atomic formula has a particular meaning (it is either true or it is false). Atomic formulas can be combined using logical operators to build up larger formulas. The table below provides a way to determine the meaning of a formula by breaking it down into its constituent parts.

formula	meaning	example of one possible Python representation
true	always true	`True`
false	always false	`False`
f₁ and f₂	only true if both f₁ and f₂ are true	`True and False`
f₁ or f₂	true if f₁ or f₂ (or both) are true	`True or (False and True)`
f₁ implies f₂	if f₁ is true, then f₂ must be true f₁ is false, or f₂ is true f₁ is "less than or equal to" f₂ (if false is 0 and true is 1)	`False <= True`
f₁ iff f₂	f₁ is true if and only if f₂ is true f₁ and f₂ are either both true or both false	`True == False`
¬ f	true if f is false	`not (True or (False and True))`
( f )	true if f is true	`(True and (not (False))`
predicate example	depends on the definition of the predicate	`isPrime(7)`

A predicate can have zero or more arguments. Whether a given atomic formula consisting of a predicate that takes at least one argument is true or false depends on the arguments supplied to it. For example, we see above for the predicate isPrime(?) that takes one argument, the meaning of isPrime(7) should be true but the meaning of isPrime(4) should be false.

The following table may help with gaining a good intuition for the meaning of the implies operator.

[link]

meaning of left-hand side (premise)	meaning of right-hand side (conclusion)	meaning of entire formula	comments
true	true	true	if the premise is true and the conclusion is true, the claim of implication is true; thus, the whole formula is true
true	false	false	if the premise is true but the conclusion is false, the conclusion is not implied by the premise, so the claim of implication is false; thus, the formula is false
false	true	true	if the conclusion is true on its own, it doesn't matter that the premise is false, because anything implies an independently true conclusion; thus, the claim of implication is true, and so is the entire formula
false	false	true	if we assume that a false premise is true, then "false" itself is "true"; in other words, false implies itself, so the formula is true

[link]

Example: Suppose we have the following formula involving two predicates the sun is visible and it is daytime:

the sun is visible ⇒ it is daytime

This formula might describe a property of our real-world experience of a person that is in a particular fixed location on the surface of the Earth. We could state that the above formula is always true (i.e., it is always an accurate description of the system it describes). For every possible assignment of values to each variable, the above formula is indeed accurate, in that it is true exactly in those situations that might occur on Earth, and false in any situation that cannot occur:

*the sun is visible*	*it is daytime*	meaning	interpretation
true	true	true	a sunny day
true	false	false
false	true	true	a cloudy day
false	false	true	nighttime

In particular, only one set of values causes the formula to be false: if the sun is in the sky, but it is not daytime. This is indeed impossible; all the others are possible (it may be day or night, or it may be cloudy during the day). The contrapositive of the formula is true if the formula is true:

¬(it is daytime) ⇒ ¬(the sun is visible)

Notice that the contrapositive of the above is a direct result of the fact that if the sun is visible ⇒ it is daytime must be true, the rows in the truth table in which it is false must be ignored, and then the only possible row in the truth table in which it is daytime is false is the one in which the sun is visible is also false.

[link] 2.2. Terms: integers and term operators that take integer inputs

[link]

Definition: A term is a string of symbols that represents some kind of mathematical structure. In our case, terms will initially represent integers or sets of integers. Terms may contain term operators. We can view these as functions that take terms as input and return terms as output. The term operators for terms that represent integers with which we will be working are +, -, ⋅, and mod.

term	what it represents	example of one possible Python representation
0	0	`0`
1	1	`1`
z₁ + z₂	the integer sum of z₁ and z₂	`3 + 4`
z₁ − z₂	the integer difference of z₁ and z₂	`(1 + 2) - 4`
z₁ ⋅ z₂	the integer product of z₁ and z₂	`3 * 5`
z₁ mod z₂	the remainder of the integer quotient z₁ / z₂ z₁ - ⌊ z₁/z₂ ⌋ ⋅ z₂	`17 % 5`
z₁^z₂	product of z₂ instances of z₁	`2**3` `pow(2,3)`

[link] 2.3. Formulas: relational operators and predicates dealing with integers

[link]

Definition: A term can only appear in a formula if it is an argument to a predicate. A few common predicates involving integers are represented using relational operators (e.g, ≤, ≥).

formula	what it represents	example of one possible Python representation
z₁ = z₂	true if z₁ and z₂ have the same meaning; false otherwise	`1 == 2`
z₁ < z₂	true if z₁ is less than z₂; false otherwise	`4 < 3`
z₁ > z₂	true if z₁ is greater than z₂; false otherwise	`4 > 3`
z₁ ≤ z₂	true if z₁ is less than or equal to z₂; false otherwise	`4 <= 3`
z₁ ≥ z₂	true if z₁ is greater than or equal to z₂; false otherwise	`4 >= 3`
z₁ ≠ z₂	true if z₁ is not equal to z₂; false otherwise	`4 != 3`

[link]

Example: We can define our own predicates as well. Notice that one way we can represent these in Python is by defining a function that returns a boolean result.

predicate definition	example of one possible Python representation
P(x) iff x > 0 and x < 2	`def P(x): return x > 0 and x < 2`
Q(x) iff x > 3	`Q = lambda x: x > 3`

formula	what it represents	example of one possible Python representation
P(1)	true	`P(1)`
P(1) or P(2)	true	`P(1) or P(2)`
Q(1) and Q(2)	false	`Q(1) and Q(2)`

We will use the following predicates throughout the course.

[link]

Definition: For any x,y ∈ ℤ, x | y iff y/x ∈ ℤ. If x | y, we then say that x is a factor of y.

[link]

Definition: For any y ∈ ℤ, y is prime iff for any integer x where 2 ≤ x < y, it is not true that x | y. In other words, y is prime if its only factors are 1 and y (itself).

[link]

formula	what it represents
x \| y	y / x ∈ ℤ x divides y y is divisible by x y is an integer multiple of x y mod x = 0 x is a factor of y
y is prime	y > 1 and x \| y implies x = 1 or x = y y > 1 and y is divisible only by 1 and itself

[link]

Example: We can define the divisibility and primality predicates in Python in the following way:


def divides(x, y):
    return y % x == 0   # The remainder of y/x is 0.

def prime(y):
    for x in range(2,y):
        if divides(x,y):
            return False
    return True

[link]

Example: We can gradually generalize our primality predicate from the previous example to work for any other predicate. Note that we restate the property slightly: a number is prime if no smaller number can divide it evenly, so if we ever find one that doesn't satisfy this property, we immediately return False. This is effectively the implementation of a quantifier, which we introduce further below.


def doesNotDivide(x, y):
    return y % x != 0   # The remainder of y/x is nonzero.

def prime(y):
    for x in range(2,y):
        if not doesNotDivide(x,y):
            return False
    return True

def checkAll(S, P):
    for x in S:
        if not P(x):
            return False
    return True

Given the above, it is now possible to get the same behavior provided by prime() by supplying appropriate arguments:


>>> checkAll(set(range(2,y)), lambda x: doesNotDivide(x,y))

[link]

Definition: For any x,y ∈ ℤ, x is a proper factor of y iff y/x ∈ ℤ and x < y.

[link] 2.4. Terms: finite sets of integers, term operators that take set inputs, and set comprehensions

[link]

Definition: A finite set of integers is an unordered, finite collection of zero or more integers with no duplicates. The following are examples of terms the meaning of which is a finite set of integers (with the exception of the set size terms, the meaning of which is a positive integer).

term	what it represents	example of one possible Python representation
∅	a set with no elements in it	`set()`
{1,2,3}	{1,2,3}	`{1,2,3}`
{2,..,5}	{2,3,4,5}	`set(range(2,6))`
{ x \| x ∈ {1,2,3,4,5,6}, x > 3 }	{4,5,6}	`{x for x in {1,2,3,4,5,6} if x > 3}`
\|{1,2,3,4}\|	4	`len({1,2,3,4})`

The following are term operators on terms the meaning of which is a finite set of integers.

term	what it represents	example of one possible Python representation
S₁ ∪ S₂	{z \| z ∈ ℤ, z ∈ S₁ or z ∈ S₂}	`{1,2,3}.union({4,5})` `{1,2,3} \| {4,5}`
S₁ ∩ S₂	{z \| z ∈ ℤ, z ∈ S₁ and z ∈ S₂}	`{1,2,3}.intersection({2,3,5})` `{1,2,3} & {2,3,5}`
\|S\|	the number of elements in S	`len({1,2,3})`

While the terms below do not represent finite sets of integers, we introduce the following two set terms in order to reference them throughout the notes.

[link]

Definition: Let ℤ be the set of all integers, and let ℕ be the set of all non-negative integers (i.e., positive integers and 0).

term	what it represents
ℕ	{0, 1, 2, ...}
ℤ	{..., -2, -1, 0, 1, 2, ...}

[link] 2.5. Formulas: quantifiers over finite sets of integers

[link]

Definition: Suppose we define the following two Python functions that take predicates (or, more specifically, functions that represent predicates) as input.


def forall(S, P):
    for x in S:
        if not P(x):
            return False
    return True

def exists(S, P):
    for x in S:
        if P(x):
            return True
    return False

We could redefine the above using comprehensions. We will also introduce a subset() operation on sets.


def forall(X, P):
  S = {x for x in X if P(x)}
  return len(S) == len(X)

def exists(X, P):
  S = {x for x in X if P(x)}
  return len(S) > 0

def subset(X,Y):
  return forall(X, lambda x: x in Y)

Then we can introduce the following definitions and corresponding Python examples.

formula	what it represents	example of one possible Python representation
1 ∈ {1,2,3}	true	`1 in {1,2,3}`
4 ∈ {1,2,3}	false	`4 in {1,2,3}`
∀ x ∈ {1,2,3}, x > 0 and x < 4	true	`forall({1,2,3}, lambda x: x > 0 and x < 4)`
∃ x ∈ {1,2,3}, x < 1 and x > 3	false	`exists({1,2,3}, lambda x: x < 1 or x > 3)`
∀ x ∈ ∅, f	true
∃ x ∈ ∅, f	false

Notice that when we quantify over an empty set with a universal quantifier ∀, the formula is always true. When we quantify over an empty set with an existential quantifier, the formula is always false (since no element satisfying any formula could exist if no elements exist at all). We can see that the Python functions for these quantifiers are consistent with this interpretation.

[link]

Fact: Let X = {x₁ , ..., x_n} be a finite set and let P be a predicate that applies to a single integer argument. Then we have the following correspondences between quantifiers and logical operators:

∀ x ∈ X, P(x)

iff

P(x₁) and P(x₂) and P(x₃) and ... and P(x_n)

∃ x ∈ X, P(x)

iff

P(x₁) or P(x₂) or P(x₃) or ... or P(x_n)

Notice that if X is empty, the "base case" for ∀ must be true (since that is the identity of the and logical operator), while the "base case" for ∃ must be false (since that is the identity of the or logical operator).

[link]

Exercise: Implement Python functions that correspond to formulas which can be used to define each of the following statements about a set X and a predicate P.

All the elements of a set X satisfy the predicate P.


# We provide two equivalent implementations.
            
def all(X, P):
    return  forall(X, P)
    
def all(X, P):
  S = {x for x in X if P(x)}
  return len(S) == len(X)

None of the elements of a set X satisfy the predicate P.


# We provide two equivalent implementations.

def none(X, P):
    return  forall(X, lambda x: not P(x))
    
def none(X, P):
  S = {x for x in X if P(x)}
  return len(S) == 0

At most one of the elements of a set X satisfy the predicate P.


def atMostOne(X, P):
  S = {x for x in X if P(x)}
  return len(S) <= 1

At least one of the elements of a set X satisfy the predicate P.


# We provide two equivalent implementations.

def atLeastOne(X, P):
  return exists(X, P)

def atLeastOne(X, P):
  S = {x for x in X if P(x)}
  return len(S) >= 1

[link]

Exercise: Use quantifiers to implement a Python function corresponding to the predicate p is prime for any integer p.


def prime(p):
    return  p > 1 and forall(set(range(2, p)), lambda n: p % n != 0)

[link] 2.6. Formulas: predicates dealing with finite sets of integers

[link]

Definition: The following are examples of formulas that contain relational operators dealing with finite sets of integers.

formula	what it represents	example of one possible Python representation
3 ∈ {1,2,3}	true	`3 in {1,2,3}`
{1,2} ⊂ {1,2,3}	true	`subset({1,2}, {1,2,3})`
{4,5} ⊂ {1,2,3}	false	`subset({4,5}, {1,2,3})`

Below are the general forms of formulas containing relational operators dealing with finite sets of integers.

formula	what it represents
z ∈ S	true if z is an element of S; false otherwise
S₁ ⊂ S₂	∀ z ∈ S₁, z ∈ S₂
S₁ = S₂	S₁ ⊂ S₂ and S₂ ⊂ S₁

[link] 2.7. Terms: set products and binary relations

[link]

Definition: The product of two sets X and Y is denoted X × Y and is defined to be the set of ordered pairs (x,y) for every possible combination of x ∈ X and y ∈ Y.

[link]

Example:

term	what it represents	example of one possible Python representation
{1,2} × {5,6,7}	{(1,5),(1,6),(1,7),(2,5),(2,6),(2,7)}	`{ (x,y) for x in {1,2} for y in {4,5,6,7} }`

[link]

Definition: A set R is a relation between the sets X and Y if R ⊂ X × Y. We also say that a set R is a relation on a set X if R ⊂ X × X.

[link]

Example: Suppose we have the sets X = {a, b, c} and Y = {D, E, F}. Then one possible relation between X and Y is {(a, D), (c, E)}. One possible relation on X is {(a, a), (a, b), (a, c), (b, b), (c, a)}.

[link] 2.8. Formulas: predicates dealing with relations

There are several common properties that relations may possess.

[link]

predicate	definition	visual example
X × Y is the set product of X and Y	X × Y = { (x,y) \| x ∈ X, y ∈ Y }	!relation({'a','b','c'}, {'x','y','z'}, {('a','x'),('a','y'),('a','z'),('b','x'),('b','y'),('b','z'),('c','x'),('c','y'),('c','z')})
R is a relation between X and Y	R ⊂ X × Y	!relation({'a','b','c'}, {'x','y','z'}, {('a','x'),('b','x'),('b','z'),('c','z')})
R is a function from X to Y R is a (many-to-one) map from X to Y	R is a relation between X and Y and ∀ x ∈ X, there is at most one y ∈ Y s.t. (x,y) ∈ R	!relation({'a','b','c'}, {'x','y','z'}, {('a','x'),('b','x'),('c','z')})
R is an injection from X to Y	R is a function from X to Y and ∀ y ∈ Y, there is at most one x ∈ X s.t. (x,y) ∈ R	!relation({'a','b','c'}, {'x','y','z'}, {('a','x'),('b','y')})
R is a surjection from X to Y	R is a function from X to Y and ∀ y ∈ Y, there is at least one x ∈ X s.t. (x,y) ∈ R	!relation({'a','b','c','d'}, {'x','y','z'}, {('a','x'),('c','y'),('d','z')})
R is a bijection between X and Y	R is an injection from X and Y and R is a surjection from X and Y	!relation({'a','b','c'}, {'x','y','z'}, {('a','y'),('b','z'),('c','x')})
R is a permutation on X	R ⊂ X × X and R is a bijection between X and X	!relation({'a','b','c'}, {('a','b'),('b','c'),('c','a')})
R is a reflexive relation on X	R ⊂ X × X and ∀ x ∈ X, (x,x) ∈ R	!relation({'a','b','c'}, {('a','a'),('b','b'),('c','c')})
R is a symmetric relation on X	R ⊂ X × X and ∀ x ∈ X, ∀ y ∈ X, (x,y) ∈ R implies (y,x) ∈ R	!relation({'a','b','c'}, {('a','b'),('b','a'),('c','c')})
R is a transitive relation on X	R ⊂ X × X and ∀ x ∈ X, ∀ y ∈ X, ∀ z ∈ X, ((x,y) ∈ R and (y,z) ∈ R) implies (x,z) ∈ R	!relation({'a','b','c'}, {('a','b'),('b','c'),('a','c')})
R is an equivalence relation on X R is a congruence relation on X	R ⊂ X × X and R is a reflexive relation on X and R is a symmetric relation on X and R is a transitive relation on X	!relation({'a','b','c'}, {('a','a'),('b','b'),('a','b'),('b','a'),('c','c')})

[link]

Exercise: Define the set of all even numbers between 0 and 100 (inclusive). There are at least two ways we can do this:


evens = { 2 * x for x in set(range(0,51)) }
evens = { x for x in set(range(0,101)) if x % 2 == 0 }

[link]

Exercise: Implement a Python function that computes the set product of two sets X and Y.


def product(X, Y):
  return { (x,y) for x in X for y in Y }

[link]

Exercise: Implement a Python function that takes a finite set of integers and builds the relation on that set correspondingto the operator relational operator ≤.


def leq(S):
  return { (x, y) for x in S for y in S if x <= y }

[link]

Exercise: Implement a Python function that determines whether a relation R is a relation over a set X.


# Using our definition of subset().
def relation(R, X):
  return subset(R, product(X, X))

# Using the built-in set implementation.
def relation(R, X):
  return R.issubset(product(X, X))

[link]

Exercise: One property of relations that is studied in other subject areas within computer science and mathematics is asymmetry. We say that R is an asymmetric relation on a set X if:

∀ x ∈ X, ∀ y ∈ X, (x,y) ∈ R implies ¬((y,x) ∈ R)

One example of an asymmetric relation is the "less than" relation on integers, usually represented using the < relational operator. How can we write a Python function that takes as its input a relation R and a set X and determines whether that relation is asymmetric? Recall that we can represent the implication logical operator using the Python operator <=.


def isAsymmetric(X, R):
  return relation(R,X) and forall(X, lambda a: forall(X, lambda b: ((a,b) in R) <= (not ((b,a) in R))))

[link] 2.9. Terms: set quotients and quotient maps

Given an equivalence relation on a set, we can partition that set into a collection of distinct subsets, called equivalence classes, such that all the elements of each subset are equivalent to one another.

[link]

Definition: For any set X and equivalence relation R on X, let the quotient set of X with respect to R, denoted X/R, be defined as:

X/R

{{y | y ∈ X, (x,y) ∈ R} | x ∈ X}

[link]

Exercise: Implement a Python function that takes two inputs (a set X and an equivalence relation R on that set), and outputs the quotient set X/R.


def quotient(X,R):
    return {frozenset({y for y in X if (x,y) in R}) for x in X}

Below, we evaluate the above function on an example input.


>>> quotient({1,2,3,4}, {(1,1),(2,2),(3,3),(2,3),(3,2),(4,4)})

{frozenset({4}), frozenset({2, 3}), frozenset({1})}

[link]

Definition: For a set X and a relation R over X, the relation that relates each x ∈ X to its equivalence class in X under R is called the quotient map. The function is typically denoted using [ ... ]. That is, [x] is the equivalence class of x under R.

[link]

Exercise: Implement a Python function that takes two inputs (a set X and an equivalence relation R on that set), and outputs the quotient map taking each element x ∈ X to its corresponding equivalence class [x] ∈ X/R.


def quotientMap(X,R):
  return {(x, frozenset({y for y in X if (x,y) in R})) for x in X}

[link]

Exercise: Determine whether {(x,y) | x ∈ ℤ, y ∈ ℤ, (x + y) mod 2 = 0} is an equivalence relation.

[link]

Example: Let X be a set of humans. Let R be the following relation R ⊂ X × X:

{ (x, y) | x ∈ X, y ∈ X, x is y or x is a relative of y }

Then R is an equivalence relation (we assume everyone is related to themselves, and that if two people are both related to the same person, then they are themselves related). Furthermore, the quotient set X/R is a separation of the humans in X into families of relatives. No one in any equivalence class (a.k.a., a family) in X/R is related to anyone in any other equivalence class, and everyone in each equivalence class in X/R is related to everyone else in that equivalence class. Thus, |X/R| is the number of distinct families of humans in the set X.

More generally, we can view the quotient set X/R as the separation of X into as many groups as possible such that no two relatives are separated into separate groups. We can illustrate this with a Python example. Suppose we have the following relation on the set {'Alice', 'Bob', 'Carl', 'Dan', and 'Eve'}:


R = {\
     ('Alice', 'Alice'), ('Bob', 'Bob'), ('Carl', 'Carl'), ('Dan', 'Dan'), ('Eve', 'Eve'),\
     ('Alice', 'Carl'), ('Carl', 'Alice'), ('Dan', 'Eve'), ('Eve', 'Dan')\
    }

We can then compute the set of families:


families = quotient({'Alice', 'Bob', 'Carl', 'Dan', 'Eve'}, R)

A visualization might look as follows:

#graph({'Alice','Carl','Bob','Dan','Eve'}, {('Alice','Alice'),('Bob','Bob'),('Carl','Carl'),('Dan','Dan'),('Eve','Eve'),('Alice','Carl'),('Carl','Alice'),('Dan', 'Eve'), ('Eve', 'Dan')})

[link] 3. Modular Arithmetic

Modular arithmetic can be viewed as a variant of integer arithmetic in which we introduce a congruence (or equivalence) relation on the integers and redefine the integer term operators so that they are defined on these congruence (or equivalence) classes.

[link] 3.1. Terms: congruence classes in ℤ/mℤ, term operators, and relations

[link]

Definition: For any m ∈ ℤ, define:

mℤ

{x ⋅ m | x ∈ ℤ}

[link]

Definition: For any k ∈ ℤ and m ∈ ℤ, we define the congruence class k + mℤ below:

k + mℤ

{k + (x ⋅ m) | x ∈ ℤ}

The word congruence is a synonym for equivalence; in the next definition below, each congruence class k + mℤ is an equivalence class in a particular quotient set in which numbers are grouped by the remainder k that they have when divided by the chosen modulus m.

[link]

Exercise: Show that the relation R = {(x,y) | x ∈ ℤ, y ∈ ℤ, x mod 17 = y mod 17} is an equivalence relation.

[link]

Definition: For any given m ∈ ℤ, we define the set of all congruence classes modulo m:

ℤ/mℤ

ℤ/{(x,y) | x ∈ ℤ, y ∈ ℤ, x mod m = y mod m}

In English, we can read the notation ℤ/mℤ as "ℤ modulo m" or simply "ℤ mod m".

[link]

Example: How do we determine whether 7 ∈ 2 + 5ℤ is a true formula? We can expand the notation 2 + 5ℤ into its definition:

∈

2 + 5ℤ

∈

{ 2 + 5 ⋅ z | z ∈ ℤ }

Thus, if 7 is in the set of elements of the form 2 + 5 ⋅ z, then we must be able to solve the following equation on integers for z:

2 + 5 ⋅ z

5 ⋅ z

Since we can solve for z, it is true that 7 ∈ 2 + 5ℤ.

Informally and intuitively, we could think of the structure of the above set as a logical consequence of letting all multiples of m be equivalent to 0. That is, if 0 = m = 2m = ..., then 1 = m + 1 = 2m + 1 = ..., and so on.

[link]

term	what it represents
z z mod m z + mℤ	{z + (a ⋅ m) \| a ∈ ℤ}
c₁ + c₂	{(x + y) \| x ∈ c₁, y ∈ c₂}
c₁ − c₂	{(x − y) \| x ∈ c₁, y ∈ c₂}
c₁ ⋅ c₂	{(x ⋅ y) \| x ∈ c₁, y ∈ c₂}
c^z	c ⋅ ... ⋅ c
c!	c ⋅ (c-1) ⋅ (c-2) ⋅ ... ⋅ 1

[link]

formula	what it represents
c₁ ≡ c₂	true only if c₁ ⊂ c₂ and c₂ ⊂ c₁, i.e., set equality applied to the congruence classes c₁ and c₂; false otherwise

[link] 3.2. Algebra of congruence classes

We use the familiar symbols +, -, ⋅, and 0, 1, 2, 3, 4, ... to represent operations on congruence classes. When these symbols are used to represent operations on integers, they have certain algebraic properties. This allows us, for example, to solve equations involving integers and variables, such as in the example below (in which we add the same integer to both sides, use associativity of + and commutativity of ⋅, and cancel 2 on both sides of the equation):

2 ⋅ x − 3

(2 ⋅ x − 3) + 3

1 + 3

2 ⋅ x

2 ⋅ 2

x ⋅ 2

2 ⋅ 2

Do the operations on congruence classes, represented by the operators +, -, and ⋅, also share the familiar algebraic properties of the corresponding operations on integers? In many cases they do, but in some cases these properties only apply under specific circumstances.

[link]

Example: Suppose we write the term 3 + 4 ≡ 2 where 2, 3, and 4 are congruence classes in ℤ/5ℤ. What is the meaning of this term? First, note the following equivalence.

{ x + y | x ∈ ℤ, y ∈ ℤ} = {z | z ∈ ℤ }

Now, we expand the definitions of congruence classes and the operation + on congruence classes below.

3 + 4

≡

(3 + 5ℤ) + (4 + 5ℤ)

{3 + a ⋅ 5 | a ∈ ℤ} + {4 + b ⋅ 5 | b ∈ ℤ}

{(x + y) | x ∈ {3 + a ⋅ 5 | a ∈ ℤ}, y ∈ {4 + b ⋅ 5 | b ∈ ℤ}}

{(3 + a ⋅ 5) + (4 + b ⋅ 5) | a ∈ ℤ, b ∈ ℤ}

{(3 + 4) + (a ⋅ 5) + (b ⋅ 5) | a ∈ ℤ, b ∈ ℤ}

{2 + 5 + (a ⋅ 5) + (b ⋅ 5) | a ∈ ℤ, b ∈ ℤ}

{2 + (1 + a + b) ⋅ 5 | a ∈ ℤ, b ∈ ℤ}

{2 + c ⋅ 5 | c ∈ ℤ}

≡

2 + 5ℤ

≡

[link]

Fact: The set ℤ/mℤ is closed under the operation represented by +.

[link]

Fact: It is the case that ℤ/mℤ = {0,...,m-1} where 0,...,m-1 are congruence classes, and thus, |ℤ/mℤ| = m.

[link]

Fact: The addition operation on congruence classes in ℤ/mℤ represented by + is commutative, associative, and has the additive identity 0 + mℤ (a.k.a., mℤ, or simply 0).

[link]

Fact: The multiplication operation on congruence classes in ℤ/mℤ represented by ⋅ is commutative, associative, and has the multiplicative identity 1 + mℤ (a.k.a., 1).

[link]

property	definition
ℤ/mℤ is closed under +	∀ x,y ∈ ℤ/mℤ, x + y ∈ ℤ/mℤ
+ is commutative on ℤ/mℤ	∀ x,y ∈ ℤ/mℤ, x + y ≡ y + x
+ is associative on ℤ/mℤ	∀ x,y,z ∈ ℤ/mℤ, (x + y) + z ≡ x + (y + z)
+ has a (left and right) identity 0 in ℤ/mℤ	∀ x ∈ ℤ/mℤ, 0 + x ≡ x and x + 0 ≡ x
ℤ/mℤ has inverses with respect to +	∀ x ∈ ℤ/mℤ, (m - x) + x ≡ 0
ℤ/mℤ is closed under ⋅	∀ x,y ∈ ℤ/mℤ, x ⋅ y ∈ ℤ/mℤ
⋅ is commutative on ℤ/mℤ	∀ x,y ∈ ℤ/mℤ, x ⋅ y ≡ y ⋅ x
+ is associative on ℤ/mℤ	∀ x,y,z ∈ ℤ/mℤ, (x ⋅ y) ⋅ z ≡ x ⋅ (y ⋅ z)
+ has a (left and right) identity 1 in ℤ/mℤ	∀ x ∈ ℤ/mℤ, 1 ⋅ x ≡ x and x ⋅ 1 ≡ x
⋅ distributes across + in ℤ/mℤ	∀ x,y,z ∈ ℤ/mℤ, x ⋅ (y + z) ≡ (x ⋅ y) + (x ⋅ z)

In the rest of this subsection, we derive some familiar algebraic properties for congruence classes. We derive some of these properties from the properties of the divisibility predicate (i.e., for any x, y ∈ ℤ, x | y iff y/x ∈ ℤ). These properties will allow us to use algebra to solve equations involving congruence classes in ℤ/mℤ.

It is worth considering why we choose to work with the set of congruence classes ℤ/mℤ = {0 + mℤ, 1 + mℤ, 2 + mℤ, ..., (m-1) + mℤ} and operations over it rather than simply working with equations involving integer variables and the modulus operator. Modular arithmetic textbooks can be written (and such textbooks exist) in which the techniques covered in these notes are used to solve integer equations of the form f(x) mod m = g(x) mod m for some functions f and g. Some of the reasons for using the set of congruence classes ℤ/mℤ include:

it is often possible to find the unique solution to an equation over ℤ/mℤ, while equations over ℤ involving the modulus operation may have infinitely many solutions;
the set ℤ/mℤ is finite, so there is always a finite number of possible solutions to test, even if this is very inefficient, while equations over the integers involving modulus have an infinite range of possible solutions to test;
the set ℤ/mℤ is a group and is a prototypical example of an algebraic structure, and gaining experience with algebraic structures is one of the purposes of this course, as algebraic structures are ubiquitous in computer science and its areas of application.

[link]

Fact: Given an equation involving congruence classes, we are allowed to add the same value to both sides. In other words, for any congruence classes a, b, c ∈ ℤ/mℤ, a ≡ b implies a + c ≡ b + c:

≡

b (mod m)

a + c

≡

a + c

To see that this is true, we can simply appeal to algebraic facts about integers:

a + c

b + c

(a + c) mod m

(b + c) mod m

a + c

≡

b + c (mod m)

Thus, the two congruence classes contain the same elements, so they are equivalent.

[link]

Fact: For any congruence classes a, b, c ∈ ℤ/mℤ, a ≡ b implies a - c ≡ b - c. We can adjust the argument for + in the following way:

a - c

b - c

(a - c) mod m

(b - c) mod m

a - c

≡

b - c (mod m)

We saw that we can add and subtract from both sides of an equation involving congruence classes. Can we also "divide" both sides by the same factor (or "cancel" that factor) in such an equation?

[link]

Example: Consider the following sequence of equations within ℤ/2ℤ:

≡

2 ⋅ 2

≡

2 ⋅ 3

≡

Clearly, 2 ≢ 3 (mod 2) since the left-hand side is even and the right-hand side is odd. Thus, cancelling 2 on both sides of the equation in the above case is not correct. On the other hand, we have the following:

≡

2 ⋅ 5

≡

2 ⋅ 3

≡

In the above case, cancelling 2 on both sides led to a true equation.

It seems that we cannot always "divide" by the same factor on both sides, but we can do so under certain conditions. In order to characterize at least some of the cases in which this is possible, we need a few preliminary facts.

[link]

Fact: For any a, m ∈ ℤ, a mod m = 0 iff we have that m | a. Thus, the following are all equivalent (i.e., all three are true at the same time):

a mod m

≡

0 (mod m)

≡

a (mod m)

We can derive the fact that m | a iff a mod m = 0 as follows. If a mod m = 0 then by definition of mod we have:

a - ⌊ a/m ⌋ ⋅ m

⌊ a/m ⌋ ⋅ m

a / m

⌊ a/m ⌋

a / m

∈

ℤ

If m | a then by definition of m | a we have:

a / m

∈

ℤ

a / m

⌊ a/m ⌋

⌊ a/m ⌋ ⋅ m

a - ⌊ a/m ⌋ ⋅ m

a mod m

[link]

Fact: For any a, b, c ∈ ℕ, if c|a then c|(a ⋅ b).

Because c|a, it must be that a/c ∈ ℤ. But then we have that:

(a ⋅ b) / c = (a / c) ⋅ b

Since (a / c) ∈ ℤ and b ∈ ℤ, (a / c) ⋅ b ∈ ℤ and (a ⋅ b) / c ∈ ℤ. Thus, c|(a ⋅ b).

[link]

Fact: In ℤ/mℤ, Multiplying by the 0 + mℤ congruence class yields the 0 + mℤ congruence class. For any a, b, m ∈ ℕ, if a ≡ 0 (mod m) then a ⋅ b ≡ 0 (mod m).

We can show this as follows:

≡

0 (mod m)

(a ⋅ b)

a ⋅ b

≡

0 (mod m)

Thus, 0 ∈ ℤ/mℤ behaves with respect to multiplication over ℤ/mℤ much the same way that 0 ∈ ℤ behaves with respect to multiplication over ℤ.

[link]

Example: For any a, b, m ∈ ℕ, it is not necessarily the case that just because a ⋅ b ≡ 0 (mod m), either a or b must be the congruence class 0 ∈ ℤ/mℤ. For example, let m = 6, a = 4, and b = 9. Then we have:

4 ⋅ 9

≡

0 (mod 6)

(2 ⋅ 2) ⋅ (3 ⋅ 3)

≡

0 (mod 6)

2 ⋅ (2 ⋅ 3) ⋅ 3

≡

0 (mod 6)

2 ⋅ 6 ⋅ 3

≡

0 (mod 6)

However, we have that:

∤

≢

0 (mod 6)

∤

≢

0 (mod 6)

Thus, the congruence class 0 ∈ ℤ/mℤ does not always behave the same way that 0 ∈ ℤ behaves.

[link]

Fact (Euclid's lemma): For any a, b, p ∈ ℤ, if p is prime and p | (a ⋅ b), then it must be that p|a or p|b (or both).

[link]

Fact: For any congruence classes a, b, c ∈ ℤ/pℤ, if c is not divisible by p then a ⋅ c ≡ b ⋅ c implies a ≡ b.

We can derive the above fact by using the following steps:

a ⋅ c

≡

b ⋅ c

(a ⋅ c) - (b ⋅ c)

≡

((a ⋅ c) - (b ⋅ c)) mod p

((a - b) ⋅ c) mod p

((a - b) ⋅ c)

By Euclid's lemma, the fact that c is not divisible by p requires that a - b must be divisible by p. Thus:

(a - b)

(a - b) mod p

a - b

≡

[link]

Example: Solve the following equation for all possible congruence classes x ∈ ℤ/3ℤ:

6 ⋅ x

≡

0 (mod 3)

Since 6 ≡ 0 mod 3, we can rewrite the equation as follows:

0 ⋅ x

≡

0 (mod 3)

Thus, any congruence class x ∈ {0 + 3ℤ, 1 + 3ℤ, 2 + 3ℤ} is a solution to the equation.

[link]

Example: Solve the following equation for all possible congruence classes x ∈ ℤ/5ℤ:

2 ⋅ x

≡

0 (mod 5)

We know that 2 ⋅ 0 ≡ 0 (mod 5), so we can rewrite the above by substituting the right-hand side of the equation:

2 ⋅ x

≡

2 ⋅ 0 (mod 5)

We can now cancel 2 on both sides of the equation using the cancellation law because 5 is prime and 2 ≢ 0 (mod 5):

≡

0 (mod 5)

Thus, the only solution is the single congruence class x = 0 + 5ℤ.

[link]

Example: Solve the following equation for all possible congruence classes x ∈ ℤ/11ℤ:

3 ⋅ x + 5

≡

6 (mod 11)

We can begin by subtracting 5 from both sides:

3 ⋅ x

≡

1 (mod 11)

We can then see that 12 ≡ 1 (mod 11), so we can substitute 1 with 12 on the right-hand side:

3 ⋅ x

≡

12 (mod 11)

We can then rewrite 12 as 3 ⋅ 4:

3 ⋅ x

≡

3 ⋅ 4 (mod 11)

Since 11 is prime and 3 ≢ 0 (mod 11), we can cancel the 3 on both sides to solve the problem:

≡

4 (mod 11)

Thus, the only solution is the single congruence class x = 4 + 11ℤ.

[link]

Example: Let a ∈ ℤ be any integer. Solve the following equation for all possible congruence classes x ∈ ℤ/7ℤ:

a + 3 ⋅ x

≡

6 - 6 ⋅ a (mod 7)

We can begin by adding 6 ⋅ a to both sides:

(a + 6 ⋅ a) + 3 ⋅ x

≡

6 (mod 7)

Now we can add a + 6 a to obtain 7 ⋅ a:

7 ⋅ a + 3 ⋅ x

≡

6 (mod 7)

We know that 7 ≡ 0 (mod 7), so we know that for any a ∈ ℤ, 7 ⋅ a ≡ 0 (mod 7). Thus, we can substitute the term 7 ⋅ a with 0:

0 + 3 ⋅ x

≡

6 (mod 7)

3 ⋅ x

≡

6 (mod 7)

3 ⋅ x

≡

3 ⋅ 2 (mod 7)

Since 7 is prime and 3 ≢ 0 (mod 7), we can cancel 3 on both sides:

≡

2 (mod 7)

Thus, the only solution is the single congruence class x = 2 + 7ℤ.

[link]

Exercise: Solve the following equation for all possible congruence classes x ∈ ℤ/13ℤ:

4 ⋅ x − 2

≡

10 (mod 13)

[link]

Exercise: Let a ∈ ℤ be any integer. Solve the following equation for all possible congruence classes x ∈ ℤ/19ℤ. Hint: notice that 17 + 19 = 36.

6 ⋅ x − 11

≡

6 (mod 19)

[link] 3.3. Multiplication by a congruence class as a permutation

We have seen that in certain situations, it is possible to cancel on both sides of an equation involving congruence classes. While Euclid's lemma made this possible, we might be interested in finding other ways to understand why cancelling is possible in this particular situation. In fact, the alternative explanation is useful in its own right because it can be applied to the practical problem of generating random numbers.

Let us consider the situations in which we can cancel on both sides in an equation involving integers. Suppose a,b,c ∈ ℤ, and:

a ⋅ c

b ⋅ c

It is possible to cancel in the above equation exactly when the operation of multiplication by c is invertible. In particular, if c is 0, then a ⋅ c = 0, and all information about a is lost (likewise for b ⋅ c = 0). So, if c = 0, the operation of multiplication by c is not invertible (i.e., multiple inputs map to the same output, namely 0, so multiplication by c = 0 is not a bijection), and it is not possible to cancel c on both sides. In all other situations where c ≠ 0, the operation is invertible (we can simply perform integer division by c on a ⋅ c and b ⋅ c). This raises a natural question: does the ability to cancel congruence classes on both sides of a congruence class equation also imply that the operation of multiplying by the congruence class that can be cancelled on both sides is an invertible operation? The answer is "yes".

For a prime p, multiplication by a congruence class in ℤ/pℤ corresponds to an invertible relation, also known as a bijection or a permutation.

[link]

Fact: For any p ∈ ℕ, for any a ∈ {1,...,p-1}, if p is prime then the following relation R is a permutation from {0, 1,...,p-1} to ℤ/pℤ (the non-zero congruence classes in ℤ/pℤ):

{ (0, (0 ⋅ a) mod p), (1, (1 ⋅ a) mod p), (2, (2 ⋅ a) mod p), ..., (p-1, ((p-1) ⋅ a) mod p) }

{ (i, (i ⋅ a) mod p) | i ∈ {0,...,p-1} }

Recall that R is a permutation if R is a bijection. In order to be a bijection, R must be both an injection and a surjection.

To show that R is an injection, suppose that it is not. We will derive a contradiction from this assumption, which will tell us that the assumption must be false.

If it is not injective, then there exist distinct i ∈ {0,...,p-1} and j ∈ {0,...,p-1} where without loss of generality j < i such that:

≠

(i ⋅ a) mod p

(j ⋅ a) mod p

But the above implies the following:

(i ⋅ a) mod p

(j ⋅ a) mod p

((i ⋅ a) - (j ⋅ a)) mod p

0 mod p

((i - j) ⋅ a) mod p

0 mod p

(i - j) ⋅ a

By Euclid's lemma, the above implies that p must divide either (i − j) or a. But also know that:

because a < p, p does not divide a;
because p > i - j > 0, p cannot divide (i − j).

Alternatively, notice that in (i ⋅ a) mod p = (j ⋅ a) mod p , we should be able to simply divide both sides of the equation by a because p is prime; however, this contradicts our initial assumption!

Since assuming that distinct i and j can be mapped to the same element when they are multiplied by a leads to a contradiction, it must be that this is not possible. Thus, no two distinct i and j map to the same result, so R is an injection from {0,...,p-1} to ℤ/pℤ and we have that:

|{0,...,p-1}|

|ℤ/pℤ|

Thus, since R maps to at least p distinct elements, and |ℤ/pℤ| has at most p elements, R must map to every element in ℤ/pℤ, so it is also a surjection by the Pigeonhole principle.

Since R is both an injection and a surjection from {1,...,p-1} to ℤ/pℤ - {0}, it must be a bijection, and thus a permutation.

[link]

Example: Consider 2 ∈ ℤ/5ℤ. We can write out the results of multiplying all the congruence classes in ℤ/5ℤ by the congruence class 2:

2 ⋅ 0

≡

0 (mod 5)

2 ⋅ 1

≡

2 (mod 5)

2 ⋅ 2

≡

4 (mod 5)

2 ⋅ 3

≡

1 (mod 5)

2 ⋅ 4

≡

3 (mod 5)

Notice that each congruence class in ℤ/5ℤ appears exactly once as a result.

[link] 3.4. Generating random numbers

Suppose we wish to automatically generate a sequence of "random" numbers using an algorithm. Before we can implement an algorithm and determine whether it solves our problem, we must first determine what constitutes an acceptable "random" sequence.

[link]

Example: Suppose we want to find a way to generate a "random" sequence v of positive integers. Assume we have only one requirement.

Requirement 1: The sequence v has m distinct positive integers between 0 and m-1, where v_i is the ith element in the sequence.

In this case, a relation R ⊂ ℕ × ℤ/mℤ that is a permutation would be sufficient. One such relation is:

v₀

0 mod m

v_i

(v_i-1 + 1) mod m

R₀

{(i, v_i) | i ∈ {0,...,m-1}}

Notice that the second term in (x, x mod m) is in this case the congruence class modulo m that corresponds to x. The relation R₀ is indeed a permutation, but it does not satisfy our intuitive notion of a random sequence because it simply counts from 0 to m − 1, so we impose another requirement.

Requirement 2: The sequence v must not be the trivial sequence (0,...,m-1).

Suppose we propose the following relation:

v₀

v_i

(v_i-1 + 2) mod m

R₁

{(i, v_i) | i ∈ {0,...,m-1}}

Notice that we can redefine R₁ above more concisely:

R₁

{(i, (0 + 2 ⋅ i) mod m) | i ∈ {0,...,m-1}}

Does R₁ always satisfy both requirements? Suppose that m is even. Then we have that there exists j ∈ {0,...,m-1} such that 2 ⋅ j = m. But this means that 2 ⋅ j ≡ 0, so 2 ⋅ (j+1) ≡ 2 ⋅ j + 2 ⋅ 1 ≡ 2 ⋅ 1 ≡ 2 and so on. This means that R₁ is not injective, so the first requirement is not met when m is even. Suppose we define R₂ to be a variant of R₁ parameterized by some b ∈ {0,...,m-1}:

R₂

{(i, (0 + b ⋅ i) mod m) | i ∈ {0,...,m-1}}

What conditions can we impose on b and m so that they satisfy both requirements?

After examining the permutation we can obtain by multiplying all the congruence classes in some set ℤ/pℤ by a particular a ∈ ℤ/pℤ, we might wonder if we can use this fact to implement a random number generator. One immediate benefit of this approach is that this approach would satisfy several conditions that we might associate with a "good" algorithm for generating random numbers:

the "state" of the algorithm is easy to store: it consists of a single congruence class in ℤ/pℤ, which can be represented using an integer;
it is possible to compute the ith random number in the sequence efficiently (i.e., with a single multiplication followed by a single modulus operation);
the sequence that is generated will contain exactly one instance of all the numbers in the chosen range {0,...,p-1};
the sequence that is generated can, at least in some cases, be a non-trivial sequence that might appear "random".

[link]

Fact: If m is prime and b ∈ {2,...,m-1}, then R₂ satisfies both requirements.

We know this is true because in this case, R is a permutation, so it satisfies Requirement 1. Furthermore, element v₁ = b, so v is never the trivial sequence. Thus, Requirement 2 is satisfied.

[link]

Algorithm: The following is one possible implementation of a simple random number generation algorithm.

inputs: upper bound (prime) p ∈ ℕ, seed a ∈ {0,...,p-1}, index i ∈ ∈ {0,...,p-1}
1. return (a ⋅ i) mod p

[link]

Exercise: What are some drawbacks (or unresolved issues) with building random sequences by choosing a prime m and some a ∈ {2,...,m-1}?

[link] 3.5. Greatest common divisor and related facts

It is actually possible to generalize Euclid's lemma so that it does not rely on prime numbers existing at all. In order to do so, however, we must first introduce concepts that make it possible to reason about a particular relationship between numbers that is similar to the property of primality, but is less restrictive.

[link]

Definition: For any two x, y ∈ ℤ, we define the greatest common divisor, denoted gcd(x,y), as the greatest integer z ∈ ℤ such that z | x and z | y. Equivalently, we can define it as the maximum of a set:

gcd(x,y)

max{z | z ∈ ℤ, z | x, z | y}

We can also define it recursively (not that z | 0 for all z ∈ ℤ because 0/z ∈ ℤ):

gcd(x,0)

gcd(x,y)

gcd(y, x mod y)

To see why the recursive definition of gcd works, consider two cases. If x < y, then the two inputs are simply reversed. This ensures that the first input x is eventually larger than the second input y. If x ≥ y and they share a greatest common divisor a, then we have for n = ⌊ x/y ⌋ that:

y' ⋅ a

x' ⋅ a

x mod y

x - (n ⋅ y)

(x' ⋅ a) - (n ⋅ y)

x' ⋅ a - ((n ⋅ y') ⋅ a)

(x' - n ⋅ y') ⋅ a

Notice that (x' - n ⋅ y') ⋅ a < x' ⋅ a, but that the new smaller value is still a multiple of a, so the greatest common divisor of this value and y is still a.

[link]

Example: Consider the number 8 and 9. The factors of 8 are 1, 2, 4, and 8, while the factors of 9 are 1, 3, and 9. Thus, the maximum of the numbers in the intersection {1,2,4,8} ∩ {1,3,9} is 1, so we have that gcd(8, 9) = 1.

[link]

Example: We can implement the inefficient algorithm for the greatest common divisor using Python in the following way:


def gcd(x, y):
  return max({z for z in range(0, min(x,y)) if x % z == 0 and y % z == 0})

[link]

Exercise: Consider the following relation:

{ (x, y) | gcd(x,y) ≠ 1 }

Is this an equivalence relation?

[link]

Fact: For any x ∈ ℤ, y ∈ ℤ, x | y iff gcd(x,y) = x.

[link]

Definition: For any x ∈ ℤ, y ∈ ℤ, x and y are relatively prime, relative primes, and coprime iff gcd(x,y) = 1.

[link]

Fact (Euclid's lemma generalization): For any a, b, c ∈ ℕ, if a | (b ⋅ c) and a and b are relatively prime, then it must be that a | c.

[link]

Fact: If m, a ∈ ℕ and x, y ∈ ℤ/mℤ where gcd(a, m) = 1 (i.e., a and m are coprime), and suppose we have that:

≢

y (mod m)

Then it must be that:

a ⋅ x

≢

a ⋅ y (mod m)

Notice that we can prove the above by contradiction. If we instead suppose that a ⋅ x ≡ a ⋅ y (mod m), then because a and m are coprime, by Euclid's generalized theorem, we can canel a on both sides of the equation to obtain x ≡ y (mod m).

[link]

Exercise: Solve the following problems using the algebraic facts you know about the gcd operation.

Find gcd(18,42).
Find gcd(2¹⁰⁰⁰, 2¹⁰⁰).
For a positive even integer a ∈ ℤ, find gcd(a/2, a - 1).
Suppose that for some a ∈ ℤ/mℤ, the set {i ⋅ a mod m | i ∈ {1,...,m-1}} contains every number in the set {1,...,m-1}. What is gcd(a, m)?

[link]

Exercise: Solve the following equation for all possible congruence classes x ∈ ℤ/16ℤ:

9 ⋅ x + 2

≡

4 (mod 16)

[link]

Exercise: Solve the following equation for all possible congruence classes x ∈ ℤ/15ℤ:

30 ⋅ x

≡

14 (mod 15)

[link]

Fact: For any a ∈ ℕ and m ∈ ℕ, if gcd(a,m) = 1, then {(i, (i ⋅ a) mod m) | i ∈ {0,...,m-1}} is a permutation.

The above can be proven by noticing that if gcd(a,m) = 1, then a does not divide m and m does not divide a. Notice that in this fact in which p was required to be prime, the fact that p is prime was not used in isolation; only the coprime relationship between p and a was required.

Using the generalization of Euclid's lemma, it is now possible to address the drawback we observed in our initial random number generating algorithm. We can now accept any upper bound m, not just a prime upper bound, and there is no need for either the algorithm or the user to find a prime p before generating random numbers. However, we have a new problem: how to do we obtain a non-trivial coprime for any given m?

[link]

Fact: For any m ∈ ℤ where m ≥ 2, gcd(m,m+1) = 1.

We can prove this fact by contradiction. Suppose there exists a factor z > 1 of m and m+1. In other words, gcd(m,m+1) > 1. Then we have that:

z ⋅ a

z ⋅ b

m + 1

(z ⋅ b) - (z ⋅ a)

m + 1 − m

z ⋅ (b − a)

b − a

1 / z

If z > 1 then 1/z ∉ ℤ, so (b − a) ∉ ℤ. Since b-a ∈ ℤ, this is a contradiction, so it must be that gcd(m, m+1) = z = 1.

[link]

Fact: Suppose that m ∈ ℕ is an odd positive integer. Then for any k ∈ ℕ, gcd(m, 2^k) = 1. This is because if m had any factors of 2, it would be even.

[link]

Fact: Suppose that m ∈ ℕ is of the form 2^k ⋅ m' for some odd m' and some k ≥ 1. Then m' ⋅ 2 and m have exactly the same prime factors, which means (m' ⋅ 2) − 1 and m share no factors, so gcd(m, (m' ⋅ 2) − 1) = 1.

[link]

Algorithm: The following algorithm uses this fact to generate a new coprime. In the worst case, it runs in a linear amount of time in the length of the bit representation of m, and it may in some cases return m − 1 as a result. Note that the operations below (e.g., multiplication ⋅ and subtraction −) are on congruence classes in ℤ/mℤ and not on integers.

inputs: positive integer m ∈ ℕ
1. p := any number in {3,...,m-1}
2. while p − 1 and m are not coprime
  1. p := p ⋅ gcd(p − 1, m)
3. return p − 1

Suppose that during the ith iteration of the algorithm, we have p_i. This algorithm works by "moving" the factors shared by m and that iteration's p_i − 1 quantity into p_i+1, thus ensuring m and p_i+1 in the subsequent iteration do share that factor (thus ensuring by this fact that m and p_i+1 − 1 in the next iteration do not share it).

[link]

Fact: Suppose that we have some m ∈ ℕ, and that we choose some b ∈ {2,...,m-1} such that b > m/2. Then it is guaranteed that:

gcd(m, b)

To see why, consider that if gcd(m, b) = b, this would mean that there exists some k ≥ 2 such that b ⋅ k = m, and this would mean that:

b ⋅ 2

≤

m/2

This contradicts our assumption that b > m/2, so it must be that gcd(m, b) < b. We can then further conclude that:

b / gcd(m, b)

Thus, if gcd(m, (b / gcd(m, b))) = 1, this provides a way to find a number that is greater than 1 and coprime with m. However, this is not guaranteed to work every time because it may still be that gcd(m, (b / gcd(m, b))) > 1. Under those conditions, the options would be to try a different b, or to use a different technique.

At this point, we can define an improved random number generation algorithm that works for any upper bound.

[link]

Algorithm: The following is another variant of a simple random number generation algorithm.

inputs: upper bound m ∈ ℕ, index i ∈ {0,...,m-1}
1. a := number in {2,...,m-1} s.t. a and m are coprime (always the same a for an m)
2. return (a ⋅ i) mod m

This algorithm has a more subtle flaw: poor choices of a (e.g., very small values such as 2) result in a very predictable "random" sequence. It is preferable to choose an a that is coprime with the upper bound m, and that falls somewhere between the middle and the upper quarter of the range {0,...,m-1} (i.e., between 0.5 ⋅ m and 0.75 ⋅ m).

[link]

Algorithm: In this variant, the algorithm attempts to find a coprime that is as close as possible to (4/7) ⋅ m. The value 4/7 is chosen in an ad hoc manner in this example. Other values in the range between 1/2 and 3/4 might also produce "nice"-looking results.

inputs: upper bound m ∈ ℕ, index i ∈ {0,...,m-1}
1. b := number in {2,...,m-1} s.t. b and m are coprime
2. for possible powers k in the range 1 to the bit length of m
  1. a := power b^k of b that is as close as possible to ((4/7) ⋅ m)
3. return (a ⋅ i) mod m

However, the above algorithm is not ideal, and common random number generators found in standard libraries (such as the linear congruential generator) use a slightly different fact about permutations that results in sequences that appear yet more "random". So far, we have learned enough to build a simplified version of a linear congruential generator in which the "multiplier" is one modulo the modulus (it happens to be a very simple extension of our existing permutation-based random number generator).

[link]

Fact: For any m ∈ ℕ, for any s ∈ ℤ/mℤ, the relation {(i, i + s) | i ∈ ℤ/mℤ} is a permutation. Note that this permutation merely "shifts" all the congruence classes up by s (wrapping around through m ≡ 0 any values that exceed m − 1).

[link]

Algorithm (simplified linear congruential generator): Below is a simplified version of a linear congruential generator (in which the "multiplier" is one modulo the modulus).

inputs: upper bound m ∈ ℕ, index i ∈ {0,...,m-1}
1. a := number in {2,...,m-1} s.t. a and m are coprime (with the same additional preferences found in this algorithm)
2. s := number in {1,...,m-1} (ideally, this number is different for each input m)
3. return (a ⋅ i + s) mod m

The fully generalized linear congruential generator has a few drawbacks if we want to construct an implementation that satisfies our desired criteria (i.e., full coverage of the domain ℤ/mℤ, no repetition, and the ability to compute the ith random number in the sequence with a small, constant number of arithmetic operations). In particular, we would need to find an additional "multiplier" k ∈ {2,...,m − 1} such that k − 1 shares all prime factors and factors of 4 with m (this is difficult to guarantee without the prime factorization of m).

[link]

Algorithm (linear congruential generator): Below is the implementation of a linear congruential generator. Note that it makes a recursive call to itself.

inputs to LCG: upper bound m ∈ ℕ, index i ∈ {0,...,m-1}
1. a := number in {2,...,m-1} s.t. a and m are coprime
2. s := number in {1,...,m-1} s.t. s and m are coprime
3. k := number in {1,...,m-1} s.t. k − 1 shares all prime factors and factors of 4 with m
4. if i = 0 then return s
5. else return (k ⋅ LCG(m, i − 1) + a) mod m

Under circumstances in which the modulus satisfies predetermined criteria (e.g., it is of the form m = 2^t for some t ∈ ℕ), it is easier to obtain an appropriate k. However, to determine the ith number in the sequence we would also need to either (1) maintain a counter in memory to keep track of the index of the current random number in the sequence, (2) compute a fairly large sum, or (3) perform an iterative loop or recursive chain of calls (as in the above implementation).

[link] 3.6. Generating prime numbers

Many applications require the generation of new primes. We have already seen a simple example in which generating new random sequences required prime numbers. Another important class of applications with this requirement are cryptographic schemes and protocols. In this section, we consider the problem of generating prime numbers, and in particular, random prime numbers in a particular range.

[link]

Algorithm: There exists a simple algorithm that is guaranteed to generate a new prime number distinct from any of its inputs, but it is not efficient.

inputs: set of primes {p₁ ,... , p_n}
1. n := p₁ ⋅ ... ⋅ p_n + 1
2. F := factors of n
3. return any element in F

The above algorithm must return a new prime distinct from any of the primes p₁ ,... , p_n. To see why, consider the following:

p₁ ⋅ ... ⋅ p_n

gcd(P, P + 1)

There are two possibilities: P+1 is prime, or P+1 is not prime.

If P+1 is prime, then P > p_i for all i ∈ {1,...,n}, so P+1 is a new prime.
If P+1 is not prime, it cannot share any factors with P since gcd(P, P + 1) = 1, so no factors of P+1 are in the set {p₁ ,... , p_n}. But it must have factors, so any of these factors will be different from the primes in the input set {p₁ ,... , p_n}.

Thus, the algorithm is a guaranteed method for generating new primes. It also constitutes a proof that there are infinitely many primes. Unfortunately, this algorithm is impractical because the new primes produced by it grow exponentially as the set of primes {p₁ ,... , p_n} is extended with new primes returned by the algorithm.

In practice, most algorithms that need to generate large primes for commercial applications simply choose from a range of numbers (e.g., at random) and filter out non-primes using some efficient algorithm that does not provide an absolute guarantee that the numbers that remain are all prime. As long as it is not too likely that the generated number is not a prime, this may be sufficient.

[link]

Example: Suppose we want to generate a d-digit prime number (in decimal representation). The prime number theorem states that for a given N, the number of primes in the range {2,...,N} is about N/(ln(N)). We can roughly estimate the number of primes with d-digit decimal representations using the following formula:

(10^d+1-1 / ln(10^d+1-1)) - (10^d / ln(10^d))

For d = 8, this value is about 4,780,406, so we can roughly say that the chances that an 8-digit number chosen at random (here we are ignoring the details of what distribution is used) is prime are about:

4,780,406/((10⁹ - 1) - 10⁸) ≈ 5.5/100

We can use our ability to generate random numbers in a specific range to build a generic algorithm template for generating prime numbers (without specifying exactly how we check that each candidate number we consider is prime).

[link]

Algorithm: Suppose we defined the following algorithm for generating a prime with a d-digit representation.

inputs: d ∈ ℕ
1. do
  1. n := a random number from {10^d, ..., 10^d+1-1}
  while n is not prime
2. return n

Assuming we were choosing numbers "well" with respect to their distribution (we are being imprecise here), we could optimistically hope that for d = 8, the above algorithm would only need to check for primality about 20 times (since roughly 1 out of every 20 numbers it tries should be a prime).

It remains to define an algorithm for checking whether an arbitrary input m ∈ ℕ is prime. We could check every number k between 2 and ⌊ √(m) ⌋ to see if it is a factor of m. However, ⌊ √(m) ⌋ still grows exponentially in the representation size of m. For example, for an n-bit input, an integer m in {0,...,2ⁿ-1} which must have a representation size of at least n bits, we have the following exponential running time:

√(m)

√(2ⁿ)

2^n/2

(2^1/2)ⁿ

≈

1.42ⁿ

If we only consider primes and not any of their multiples (i.e., we apply the Sieve of Eratosthenes to the set {2,...,⌊ √(m) ⌋}), we can decrease the number of times we check the divisibility of m. However, we would need to do a lot of extra work to filter out the multiples of primes. Modern algorithms such as ECPP run in polynomial time, but in practice it is currently difficult to implement a version of these algorithms that runs quickly enough for certain applications (or doesn't consume too much power, such as when it runs on mobile devices).

[link]

Algorithm: Given the above considerations, we introduce a modified algorithm.

inputs: d ∈ ℕ
1. do
  1. n := a random number from {10^d-1, ..., 10^d-1}
  while n is not probably prime
2. return n

It remains to define a subroutine for checking whether a number is probably prime (for some appropriate definition of "probably") that is very efficient.

[link] 3.7. Detecting probable prime numbers

In this subsection, we consider the problem of defining a very efficient algorithm to check whether a positive integer m ∈ ℕ is prime. In fact, the algorithm we consider will be detectors of some, but not all, composite numbers.

[link]

Fact: For any n ∈ ℕ, n is composite iff n > 1 and it is not the case that n is prime.

That is, the algorithms we consider recognizes prime numbers but with false positives. They only guarantee that there are no false negatives (i.e., if the algorithm outputs that its input is composite, then it is indeed composite; otherwise, the number may or may not be prime and we call it probably prime because we were not able to detect that it is composite). First, consider how an algorithm for checking primality that never has a "false" output behaves:

[link]

algorithm input	algorithm output	meaning	description
actually a composite number (this is not known at time of input)	composite	the input is composite	true negative
actually a prime number (this is not known at time of input)	prime	the input is prime	true positive

Compare the above table to the following table describing three possible conditions (and one forbidden condition) for an algorithm that detects probable primes.

[link]

algorithm input	algorithm output	meaning	description
actually a composite number (this is not known at time of input)	composite	the input is definitely composite	true negative
actually a composite number (this is not known at time of input)	probably prime	the input is either composite or prime	false positive
actually a prime number (this is not known at time of input)	probably prime	the input is either composite or prime	true positive
actually a prime number (this is not known at time of input)	composite	impossible	false negative (we will not consider algorithms that return such outputs)

Below is a comparison of the outputs of four possible probable prime algorithms on inputs in the range {2,...,10} ⊂ ℕ.

[link]

input number	perfect algorithm	perfect probable prime algorithm	less accurate probable prime algorithm	very inaccurate probable prime algorithm
2	prime	probably prime	probably prime	probably prime
3	prime	probably prime	probably prime	probably prime
4	composite	composite	probably prime	probably prime
5	prime	probably prime	probably prime	probably prime
6	composite	composite	composite	probably prime
7	prime	probably prime	probably prime	probably prime
8	composite	composite	probably prime	probably prime
9	composite	composite	composite	probably prime
10	composite	composite	probably prime	probably prime

[link]

Algorithm: We now define our first algorithm for testing whether a number is probably prime.

inputs: m ∈ ℕ, k ∈ ℕ
1. repeat k times:
  1. a := a random number from {2,...,m-1}
  2. if a | m then return composite
2. return probably prime

Notice that the above algorithm will never say that a prime number is actually composite. If it does not find a factor of m because it did not run for sufficiently many iterations, then it will indicate that m is probably prime. Thus, it will have no false negatives (i.e., an incorrect output indicating a prime number is composite).

[link]

Algorithm: We now define another algorithm for testing whether a number is probably prime.

inputs: m ∈ ℕ, k ∈ ℕ
1. repeat k times:
  1. a := a random number from {2,...,m-1}
  2. if a | m then return composite
  3. if gcd(a,m) ≠ 1 then return composite
2. return probably prime

The above algorithm is interesting because by using the gcd operation, we get more value out of each random number we try. In fact, the gcd operation runs in polynomial time but tells us if the intersection between the two sets of factors (the factors of a and the factors of m) contains any numbers. Checking this intersection using the naive approach would take exponential time.

The above algorithm is somewhat problematic if we want to have a good idea of how to set k given our desired level of confidence in the output. For example, how high should k be so that the probability that we detect a composite is more than 1/2? If we require that k ≈ √(m) to be sufficiently confident in the output, we might as well use the brute force method of checking every a ∈ {2,..., ⌊ √(m) ⌋}.

To define a more predictable testing approach for our algorithm, we derive a theorem that is frequently used in applications of modular arithmetic (in fact, this fact underlies the prime number generators found in many software applications).

[link]

Fact (Fermat's little theorem): For any p ∈ ℕ, for any a ∈ {1,...,p-1}, if p is prime then it is true that:

a^p-1

≡

1 (mod p)

We have already shown that if p is a prime then R defined as below is a permutation:

{ (1, (1 ⋅ a) mod p), (2, (2 ⋅ a) mod p), ..., (p-1, ((p-1) ⋅ a) mod p) }

{ (i, (i ⋅ a) mod p) | i ∈ {1,...,p-1} }

Next, to make our notation more concise, note that:

1 ⋅ 2 ⋅ ... ⋅ p-1

(p - 1)!

(1 ⋅ a) ⋅ (2 ⋅ a) ⋅ ... ⋅ ((p-1) ⋅ a)

a^p-1 (p - 1)!

Recall that p is prime, so p does not divide (p - 1)!. Thus, we can divide by (p - 1)! both sides of the following equation:

a^p-1 (p - 1)!

≡

1 ⋅ (p - 1)!

a^p-1

≡

We now have derived the statement of Fermat's little theorem.

[link]

Fact: A number p ∈ ℕ is prime iff p > 1 and for all a ∈ {1,...,p-1}, a^p-1 mod p = 1.

If we negate the statement above, we can define when a number is composite (i.e., when it is not prime) in a way that suggests a straightforward algorithm.

[link]

Definition: A number m ∈ ℕ is composite iff m > 1 and there exists a ∈ {1,...,m-1} such that a^m-1 mod m ≠ 1. In this case, a is a Fermat witness to the compositeness of m.

[link]

Definition: If for composite m ∈ ℕ and a ∈ {1,...,m-1}, we have that a^m-1 mod m = 1, then a is a Fermat liar and m is a pseudoprime with respect to a.

[link]

Algorithm (Fermat primality test): We now extend our algorithm. The following algorithm can be used to test whether a number is probably prime.

inputs: m ∈ ℕ, k ∈ ℕ
1. repeat k times:
  1. a := a random number from {2,...,m-1}
  2. if a | m then return composite
  3. if gcd(a,m) ≠ 1 then return composite
  4. if a^m-1 mod m ≠ 1 then return composite
2. return probably prime

If m is a prime, the above algorithm will always return probably prime.

For any given candidate a in the above algorithm, if the first test fails and gcd(a,m) ≠ 1 then a is a factor of m. Thus, in the worst case, the first is gcd(a,m) = 1 for all k instances of a that we consider. How many of these k instances must pass the second test before we are confident that m is prime? In fact, for most composite numbers m, k can be very low.

[link]

Fact: If for a composite m ∈ ℤ there is at least one Fermat witness a ∈ {2,...,m-1} such that gcd(a,m) = 1, then at least half of all a such that gcd(a,m) = 1 are Fermat witnesses.

Suppose that a is a Fermat witness and a₁,...,a_n are distinct Fermat liars. Then for every Fermat liar a_i we have that:

(a ⋅ a_i)^m-1

≡

a^m-1 ⋅ a_i^m-1 (mod m)

≡

a^m-1

But a is a Fermat witness, so a^m-1 mod m ≠ 1. Thus, (a ⋅ a_i)^m-1 mod m ≠ 1, so a ⋅ a_i is also Fermat witness. Furthermore, for any two distinct Fermat liars a_i and a_j we have by the generalized Euclid's lemma and the fact that a_i, a_j, and a are all coprime with m:

a_i

≢

a_j (mod m)

a ⋅ a_i

≢

a ⋅ a_j

Since there is a witness for every liar, there are at least as many witness as liars, so at least half the values are witnesses. How many numbers m have at least one Fermat witness? Equivalently, how many numbers have no Fermat witnesses?

[link]

Definition: For any m ∈ ℤ, if m has no coprime Fermat witnesses, then m is a Carmichael number, also known as a Fermat pseudoprime.

The distribuation of Carmichael numbers is high enough that the Fermat primality test is usually not used in favor of slightly more complex tests for probable primes. However, those tests follow a similar principle. The Fermat primality test is used in some deployed software applications (such as PGP).

[link]

for the chosen a we have...	what it means	probability of this occurring if m is a non-Carmichael composite
a \| m	a is a non-trivial factor of m, so m is composite	(# integers in {2,...,m-1} that are factors with m) / (m-2)
gcd(a,m) ≠ 1	m and a have a non-trivial factor, so m is composite	(# integers in {2,...,m-1} that share factors with m) / (m-2)
a^m-1 mod m ≠ 1	a is a Fermat witness that m is composite	at least 1/2

We can consider a particular example input for the primality test to see how each successive check in the algorithm can extract valuable information about whether the input is composite. The following table is for m = 15.

[link]

m = 15 and a = ...	2	3	4	5	6	7	8	9	10	11	12	13	14
a \| m	PP	C	PP	C	PP	PP	PP	PP	PP	PP	PP	PP	PP
gcd(a,m) ≠ 1	PP	C	PP	C	C	PP	PP	C	C	PP	C	PP	PP
a^m-1 mod m = ...	4	9	1	10	6	4	4	6	10	1	9	4	1

We can now summarize all the facts and algorithms we have introduced and how their relationships allow us to construct a prime number generator.

[link]

Euclid's
lemma
generalization

⇐

multiples of
coprime a in ℤ/mℤ
are a permutation

gcd(m,m+1) = 1

⇑

Fermat's
little
theorem

random
number
generator

⇒

coprime
generator

⇑

greatest
common
divisor
algorithm

⇐

Fermat
primality
test

⇐

probable
prime
detector

⇑

probable
prime
generator

[link] 3.8. Multiplicative inverses

To better understand multiplicative inverses, we first review the definition of an additive inverse.

[link]

Fact: For any m ∈ ℕ, every element in the set ℤ/mℤ has an inverse with respect to addition defined over ℤ/mℤ (i.e., an additive inverse). Consider any x ∈ ℤ/mℤ. Then p − x ∈ ℤ/mℤ and

x + (p − x)

≡

p (mod p)

≡

We denote by −x the additive inverse of x.

[link]

Example: What is the additive inverse of 2 ∈ ℤ/5ℤ?

The additive inverse is 5 − 2 = 3, since 2 + 3 mod 5 = 0.

There is more than one way to compute multiplicative inverses; in this subsection, we will present facts that will help us build algorithms for computing multiplicative inverses.

[link]

Definition: Given a positive integer m ∈ ℕ and a congruence classes x ∈ ℤ/mℤ, suppose there exists a congruence class y ∈ ℤ/mℤ such that:

x ⋅ y

≡

1 (mod m)

Then we say that y is the multiplicative inverse of x in ℤ/mℤ. We usually denote the multiplicative inverse of x as x^-1 (as is often done for multiplicative inverses over the integers, i.e., 2^-1 = 1/2).

[link]

Fact: Let p ∈ ℕ be a prime number, and let a ∈ ℤ/pℤ. Then we know by Fermat's little theorem that:

a^p-1

≡

1 (mod p)

But we can factor the above to get:

a ⋅ a^p-2

≡

1 (mod p)

Thus, the multiplicative inverse of a ∈ ℤ/pℤ is:

a^-1

≡

a^p-2 (mod p)

Note that:

a ⋅ a^-1

≡

a ⋅ a^p-2 (mod p)

≡

a^p-1

≡

[link]

Example: What is the multiplicative inverse of 2 ∈ ℤ/5ℤ? We can compute it as follows:

2^-1

≡

2^5-2 (mod 5)

≡

2³

≡

We can check to confirm that this is true:

2 ⋅ 3

≡

6 (mod 5)

≡

[link] 3.9. Chinese remainder theorem (CRT) and applications

In previous sections we presented facts that allowed us to solve certain individual equations with solution spaces corresponding to sets of congruence classes such as ℤ/mℤ. It is also possible to solve systems of equations over sets of congruence classes.

[link]

Theorem (Chinese remainder theorem): The Chinese remainder theorem (CRT) states that given primes p₁,...,p_k ∈ ℕ, for any a₁,...,a_k ∈ ℤ there exists a solution x ∈ ℤ to the system of equations:

x mod p₁

a₁

⋮

x mod p_k

a_k

We can also state the theorem in terms of congruences. Given primes p₁,...,p_k ∈ ℕ, for any a₁ ∈ ℤ/p₁ℤ, ..., a_k ∈ ℤ/p_kℤ there exists a unique solution x ∈ ℤ/(p₁ ⋅ ... ⋅ p_k)ℤ to the system of equations:

≡

a₁ (mod p₁)

⋮

≡

a_k (mod p_k)

In other words, all the solutions to the first system above are from the same congruence class of ℤ/(p₁ ⋅ ... ⋅ p_k)ℤ. The theorem applies even if p₁,...,p_k are only relatively prime or coprime.

[link]

Example: Solve the following system of equations for the unique solution x ∈ ℤ/10ℤ:

≡

3 (mod 5)

≡

0 (mod 2)

We can list the integers corresponding to each congruence class and find the unique integer in {0, ..., 2 ⋅ 5 - 1} that is in both lists:

3 + 5ℤ

{..., 3, 8, 13, 18, 23, 28, ...}

0 + 2ℤ

{..., 0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, ...}

We can compute the intersection, which should contain all the integers that satisfy both equations:

(3 + 5ℤ) ∩ (0 + 2ℤ)

{..., 8, 18, 28, ...}

This appears to be the congruence class 8 + 10ℤ. Thus, we have the unique solution:

≡

8 (mod 10)

The Chinese remainder theorem has many applications in a variety of contexts. In this section we present the following algorithms, which all rely on the ability to solve systems of equations involving congruence classes.

[link]

efficient
modular
arithmetic

⇓

Chinese
remainder
theorem

⇐

CRT solver

⇐

range
ambiguity
resolution

⇑

Shamir secret
sharing protocol

[link]

Fact: Given a, a ∈ ℤ, if a + b ∈ {0,...,m-1}, then it is true that

(a mod m) + (b mod m)

≡

a + b (mod m)

Likewise, if a ⋅ b ∈ {0,...,m-1}, then it is true that

(a mod m) ⋅ (b mod m)

≡

a ⋅ b (mod m)

[link]

Example (efficient modular arithmetic): Suppose we want to perform a large number of arithmetic operations in sequence. The operations could be specified as a program that operates on a single variable and performs a sequence of variable updates that correspond to arithmetic operations, such as the example below.

x + 6

x ⋅ 2

x − 17

x + 1

⋮

Suppose that over the course of the computation, x might become very large (e.g., 0 ≤ x ≤ 2^1000000000). However, we have an additional piece of information: once the sequence of operations ends, we know that 0 ≤ x < 1024.

Given our additional information about the range of the final output, we do not need to store 1000000000 bit numbers in order to perform the computation and get a correct result. It is sufficient to instead perform all the operations in ℤ/1024ℤ:

3 mod 1024

(x + 6) mod 1024

(x ⋅ 2) mod 1024

(x − 17) mod 1024

(x + 1) mod 1024

⋮

The above will produce the same result in ℤ/1024ℤ, and we will only need 1024 bits at any single point in the computation to store each intermediate result.

[link]

Example (efficient distributed modular arithmetic): Suppose that, as in the previous example, we want to perform a large number of arithmetic operations in sequence on large integers (e.g., in ℤ/2⁷⁰ℤ). However, our resources may be limited. For example, we may only have a collection of processors that can each perform arithmetic on relatively small integers (e.g., in ℤ/2⁸ℤ). Is it possible for us to perform this computation using these processors, and is it possible for us to speed up the computation by running the processors in parallel? We may assume that a single arithmetic computation in ℤ/2ⁿℤ running on a single processor takes n time steps to perform.

Suppose we have ten processors that can perform arithmetic computations in ℤ/2⁸ℤ or any smaller space (such as ℤ/2⁷ℤ). We can approach this problem by choosing a collection of primes p₁,...,p₁₀ such that 2⁷ < p_i < 2⁸, which implies that:

p₁ ⋅ ... ⋅ p₁₀

2⁷ ⋅ ... ⋅ 2⁷

≥

2⁷⁰

We can then perform the sequence of computations modulo each of the primes p_i to obtain ten results a₁, ..., a₁₀. Once we obtain the results, we can apply the Chinese remainder theorem to obtain x:

a₁ mod p₁

⋮

a₁₀ mod p₁₀

Since the product of the primes is greater than 2⁷⁰, the unique solution x to the above system of equations will be the correct result of the computation. Since the processors were running in parallel, the computation was about 10 times faster than it would have been if we had performed the computation in ℤ/2⁷⁰ℤ (or in sequence using a single processor that can perform computations in ℤ/2⁸ℤ).

[link]

Example (variant of range ambiguity resolution): Suppose we want to build a radar or other sensing device that sends signals out and listens for reflections of those signals in order to detect the distances of obstacles in the environment. The device has a clock that counts up from 0, one integer per second. If the device sends a single signal out that travels at 1 km per second at time 0 and receives a response in 12 seconds at time 12, it knows that the distance to the object and back is 12 km.

However, what if we cannot wait 12 seconds or more? For example, the obstacle may be moving quickly and we want to constantly update our best guess of the distance to that object. We would need to send signals more frequently (for example, every 5 seconds). But then if an object is 12 seconds away, we would have no way to tell when running in a steady state which of the signals we just received.

However, we can obtain some information in this scenario. Suppose we send a signal every 5 seconds, only when the clock's timer is at a multiple of 5. Equivalently, imagine the clock counts up modulo 5 (i.e., 0,1,2,3,4,0,1,2,3,4,0,...) and we only send signals when the clock is at 0. What information can we learn about the object's distance in this scenario? If the distance to the object and back is d, then we would learn d mod 5, because we would get the signal back when the clock is at 0, 1, 2, 3, or 4.

We can use multiple instances of the above device (each device using its own distinct frequency for sending signals) to build a device that can check for obstacles more frequently while not giving up too much accuracy. Pick a collection of primes p₁,..., p_n such that their product is greater than the distance to any possible obstacle (e.g., if this is a ship or plane, we could derive this by considering the line of sight and the Earth's curvature). Take n instances of the above devices, each with their own clock that counts in cycles through ℤ/p_iℤ and sends out a signal when the clock is at 0. Running in a steady state, if at any point in time the known offsets are a₁,...,a_n, we would know the following about the distance d to an obstacle:

≡

a₁ (mod p₁)

⋮

≡

a_n (mod p_n)

We can then use the Chinese remainder theorem to derive the actual distance d < p₁ ⋅ ... ⋅ p_n.

[link]

Protocol (Shamir secret sharing): Suppose there are N participants and we want to divide some secret information among them into N parts so that any k or greater number of participants can reconstruct the secret information, but no subset of fewer than k participants can reconstruct it. Let s ∈ ℤ be the secret information. Collect a set of randomly chosen relatively prime integers M = {m₁,...,m_N} such that:

the product of any collection of at least k integers in M is greater than s;
the product of any collection of k-1 integers in M is less than s.

Give each participant i ∈ {1,...,N} the value s mod m_i. Now, any number of participants n ≥ k can use the Chinese remainder theorem to solve for s.

Note: There are many alternative ways to implement Shamir secret sharing. Consider the following example using curve-fitting. We choose some large m ∈ ℤ, and then randomly select integers c₁,...,c_k ∈ ℤ/mℤ. We then use these integers as coefficients in a polynomial:

f(x)

s + c₁ x + c₂ x² + ... + c_k x^k

Each participant i ∈ {1,...,N} is given f(i). Any k participants can now use curve-fitting techniques or techniques for solving collections of equations (e.g., computing the reduced row echelon form of a matrix) to determine all the coefficients of f and, thus, solve for s.

[link] 3.10. Solving systems of equations with CRT solutions using multiplicative inverses

The Chinese remainder theorem guarantees that a unique solution exists to particular systems of equations involving congruence classes. But can these solutions be computed automatically and efficiently? In fact, they can. However, computing such solutions requires the ability to compute multiplicative inverses in ℤ/mℤ.

[link]

greatest
common
divisor
algorithm

Fermat's
little
theorem

Euler's
theorem

⇑

Bézout's
identity

⇐

extended
Euclidean
algorithm

⇐

algorithm for
finding
multiplicative
inverses

⇒

Euler's
totient
function φ

⇑

Chinese
remainder
theorem

⇐

CRT solver
for two
equations

⇑

induction

⇐

CRT solver
for n
equations

How is computing multiplicative inverses related to solving systems of equations that have solutions according to CRT? Consider the following example.

[link]

Example: Suppose we want to solve the following system of equations:

≡

1 (mod 5)

≡

0 (mod 4)

The above two equations are constraints on the integers that can be in the congruence class x. One way to state these constraints in English is: "x must be a multiple of 4, and x must be in 1 + 5ℤ". But then we can rewrite the above as a single equation:

4 ⋅ y

≡

1 (mod 5)

Then, we only need to solve for y, and let x = 4 ⋅ y. What is y? The above equation implies that y is the multiplicative inverse of 4 in ℤ/5ℤ. Thus, we can compute:

≡

4^-1 (mod 5)

≡

4^5-2 (mod 5)

≡

4³

≡

Thus, the multiplicative inverse of 4 in ℤ/5ℤ is itself. Plugging y into x = 4 ⋅ y gives us 16. Thus, we know by CRT that we have our unique solution in ℤ/(4 ⋅ 5)ℤ = ℤ/20ℤ:

≡

16 (mod 20)

The above example suggests that we can solve certain pairs of equations with CRT solutions if one of the congruence classes is 0 and the other 1. What if the other congruence class is not 1?

[link]

Example: Suppose we want to solve the following system of equations for x ∈ ℤ/15ℤ:

≡

4 (mod 5)

≡

0 (mod 3)

We can observe that we want some x that is a multiple of 3 and is in 4 + 5ℤ. We can set x = 3 ⋅ y for some y, and then we want to solve the following for y ∈ ℤ/5ℤ:

3 ⋅ y

≡

4 (mod 5)

Using Fermat's little theorem, we can compute the multiplicative inverse of 3 ∈ ℤ/5ℤ:

3^5-1

≡

1 (mod 5)

3^5-1 ⋅ 3^-1

≡

1 ⋅ 3^-1

3^(5-1)-1

≡

3^-1

3^5-2

≡

3^-1

3³

≡

3^-1

≡

3^-1

≡

3^-1

Thus, we know that the multiplicative inverse of 3 ∈ ℤ/5ℤ is 2, and we have that 2 ⋅ 3 ≡ 1 (mod 5). Notice that 4 ≡ 4 ⋅ 1 (mod 5):

3 ⋅ y

≡

4 (mod 5)

3 ⋅ y

≡

4 ⋅ 1 (mod 5)

Since 1 ≡ 2 ⋅ 3 (mod 5), we can substitute:

3 ⋅ y

≡

4 ⋅ (3 ⋅ 2) (mod 5)

We can cancel 3 on both sides using Euclid's lemma (since 5 is prime) or Euclid's generalized lemma (since 3 and 5 are coprime):

≡

4 ⋅ 2 (mod 5)

≡

Since we originally set x = 3 ⋅ y, we can now substitute and solve for x ∈ ℤ/15ℤ:

≡

3 ⋅ y (mod 15)

≡

3 ⋅ 3

≡

Thus, x ≡ 9 (mod 15) is a solution to our equation. We can confirm this:

≡

4 (mod 5)

≡

0 (mod 3)

[link]

Example: Note that what we actually did in the previous example when we cancelled 3 ∈ ℤ/5ℤ on both sides is that we multiplied both sides by the multiplicative inverse of 3 ∈ ℤ/5ℤ. Suppose we knew that the multiplicative inverse of 3 ∈ ℤ/5ℤ is 2. We can use this information to help us solve the following equation:

3 ⋅ x

≡

2 (mod 5)

We multiply both sides by 3^-1 ≡ 2 (mod 5):

3^-1 ⋅ 3 ⋅ x

≡

3^-1 ⋅ 2 (mod 5)

≡

2 ⋅ 2

≡

Notice that we have now reduced the problem of solving an equation with a single coefficient before x into the problem of finding the multiplicative inverse of the coefficient.

[link]

Example: Suppose we want to solve the following system of equations:

≡

0 (mod 11)

≡

4 (mod 7)

The above equations require that x ∈ ℤ/77ℤ be divisible by 11, and that x ∈ 4 + 7ℤ. Since x is divisible by 11, it is a multiple of 11, so we want to find x = 11 ⋅ y where:

11 ⋅ y

≡

4 (mod 7)

To solve the above, it is sufficient to multiply both sides of the equation by 11^-1 (mod 7). Since 11 ≡ 4 (mod 7), it is sufficient to find 4^-1 (mod 7).

11^-1

≡

4^-1 (mod 7)

≡

4^7-2

≡

4⁵

≡

1024

≡

Thus, we can multiply both sides to obtain:

11 ⋅ y

≡

4 (mod 7)

11^-1 ⋅ 11 ⋅ y

≡

11^-1 ⋅ 4

≡

2 ⋅ 4

≡

Thus, we have:

≡

11 ⋅ y (mod 77)

≡

11 ⋅ 1

≡

11 (mod 77)

[link]

Fact: Suppose we are given two unequal prime numbers p, q ∈ ℕ, and the following two equations:

≡

1 (mod p)

≡

0 (mod q)

This implies x must be a multiple of q, so rewrite x = q ⋅ y. Then we have:

q ⋅ y

≡

1 (mod p)

Thus, we can solve for q^-1 by computing:

q^-1

≡

q^p-2 (mod p)

Then we have:

q^-1 ⋅ q ⋅ y

≡

q^-1 ⋅ 1 (mod p)

≡

q^-1 (mod p)

≡

q ⋅ y (mod (p ⋅ q))

Notice that q ⋅ y is indeed a solution to the original system because:

q ⋅ y

≡

1 (mod p)

because y ≡ q^-1 (mod p);

q ⋅ y

≡

0 (mod q)

because q ⋅ y is a multiple of q.

[link]

Fact: Suppose we are given two unequal prime numbers p, q ∈ ℕ, and the following two equations where a ∈ ℤ/pℤ:

≡

a (mod p)

≡

0 (mod q)

This implies x must be a multiple of q and a multiple of a, so rewrite x = a ⋅ q ⋅ y. Then we have:

a ⋅ q ⋅ y

≡

a (mod p)

As in the previous fact, the above works if y = q^-1 (mod p), so compute:

q^-1 (mod p)

≡

a ⋅ q ⋅ y (mod (p ⋅ q))

Notice that a ⋅ q ⋅ y is indeed a solution to the original system because:

a ⋅ q ⋅ y

≡

a (mod p)

because y ≡ q^-1 (mod p);

a ⋅ q ⋅ y

≡

0 (mod q)

because a ⋅ q ⋅ y is a multiple of q.

[link]

Fact: Suppose we are given two unequal prime numbers p, q ∈ ℕ, and the following two equations where a ∈ ℤ/pℤ and b ∈ ℤ/qℤ:

≡

a (mod p)

≡

b (mod q)

Suppose we instead solve the following two systems:

x₁

≡

a (mod p)

x₁

≡

0 (mod q)

x₂

≡

0 (mod p)

x₂

≡

b (mod q)

Notice that x₁ + x₂ is a solution to the original system because:

x₁ + x₂

≡

x₁ + 0 (mod p)

≡

a + 0 (mod p)

≡

a (mod p)

x₁ + x₂

≡

0 + x₂ (mod q)

≡

0 + b (mod q)

≡

b (mod q)

We know how to solve the above two systems separately:

x₁

≡

a ⋅ q ⋅ q^-1 (mod (p ⋅ q))

x₂

≡

b ⋅ p ⋅ p^-1 (mod (p ⋅ q))

Thus, we have the solution to the original system:

≡

x₁ + x₂ (mod (p ⋅ q))

We have shown that we can solve a system of equations with a solution according to CRT if the moduli in the equations are both prime. What if the moduli are merely coprime? So far, we only needed a way to compute multiplicative inverses of numbers modulo a prime, and Fermat's little theorem was sufficient for this purpose. However, if the moduli are not prime, we need some other method to compute multiplicative inverses.

[link]

Fact: For any m ∈ ℕ, an x ∈ ℤ/mℤ has an inverse with respect to multiplication defined over ℤ/mℤ (i.e., a multiplicative inverse) iff gcd(x,m) = 1.

[link]

Fact (Bezout's identity): For any two integers x ∈ ℤ, y ∈ ℤ where x ≠ 0 or y ≠ 0, let z = gcd(x,y). Then there exist a ∈ ℤ and b ∈ ℤ such that:

a ⋅ x + b ⋅ y

[link]

Fact: For any two integers x ∈ ℤ, y ∈ ℤ where x ≠ 0 or y ≠ 0, and gcd(x,y) = 1, there exist a ∈ ℤ and b ∈ ℤ such that:

a ⋅ x + b ⋅ y

This fact is a special case of Bézout's identity (i.e., the case in which gcd(x,y) = 1).

[link]

Example: Suppose we have s,t ∈ ℤ such that:

5 ⋅ s + 3 ⋅ t

We can then do the following:

− 5 ⋅ t + (5 ⋅ s + 3 ⋅ t) + 5 ⋅ t

(5 ⋅ s − 5 ⋅ t) + (3 ⋅ t + 5 ⋅ t)

5 ⋅ (s − t) + 8 ⋅ t

Thus, we have converted a instance of Bézout's identity for 5 and 3 into an instance of Bézout's identity for 5 and 8.

We can repeat the above as many times as we want. Suppose we instead want Bézout's identity for 3 and 13. We can do the following:

− 5 ⋅ 2 ⋅ t + (5 ⋅ s + 3 ⋅ t) + 5 ⋅ 2 ⋅ t

(5 ⋅ s − 5 ⋅ 2 ⋅ t) + (3 ⋅ t + 5 ⋅ 2 ⋅ t)

5 ⋅ (s − 2 ⋅ t) + 13 ⋅ t

[link]

Fact: For any two integers a, b, s, t ℤ, suppose we have that:

a ⋅ s + b ⋅ t

Let us assume that a > b and that a mod b = r (in other words, for some k,

a mod b

b ⋅ k + r

Then we have that:

a ⋅ s + b ⋅ t

− b ⋅ k ⋅ s + (a ⋅ s + b ⋅ t) + b ⋅ k ⋅ s

(a ⋅ s − b ⋅ k ⋅ s) + (b ⋅ (t + k ⋅ s))

(a − b ⋅ k) ⋅ s + b ⋅ (t + k ⋅ s)

r ⋅ s + b ⋅ (t + k ⋅ s)

(a mod b) ⋅ s + b ⋅ (t + k ⋅ s)

Thus, for any instance of Bézout's identity for a and b and a > b, there must exist an instance of Bézout's identity for a mod b and b.

The above fact suggests that if we want to find the s and t coefficients for an equation a ⋅ s + b ⋅ t = 1 given a > b, we should try finding Bézout's identity for a mod b and b. But notice that:

a mod b

The above implies that the problem of finding the coefficients for an instance of Bézout's identity can be reduced to a smaller version of the problem: find Bézout's identity for a mod b and b can then be reduced further to finding b mod (a mod b) and a mod b. At this point, we have a strictly smaller instance of the problem:

a mod b

b mod (a mod b)

Thus, we can use recursion; the recursive algorithm that solves this problem is called the extended Euclidean algorithm, and is a modification of the recursive algorithm that computes the gcd of two numbers.

[link]

Algorithm (extended Euclidean algorithm): The collection of equations considered in the Chinese remainder theorem can be solved constructively (i.e., in a way that provides a concrete solution and not just a proof that a solution exists) by applying an extended version of the greatest common divisor algorithm. We provide the definition of the algorithm below.

extended Euclidean algorithm: x ∈ ℤ, y ∈ ℤ
1. if y = 0
  1. (s,t) := (1, 0)
  2. return (s,t)
2. otherwise
  1. (s,t) := extended Euclidean algorithm(y, x mod y)
  2. return (t, s - (⌊ x/y ⌋ ⋅ t) )

Given two inputs x ∈ ℤ, y ∈ ℤ, the extended Euclidean algorithm returns two integers u, v such that

u ⋅ x + v ⋅ y

gcd(x,y)

We can check that the above is indeed a solution to x ≡ a (mod m). Consider the following:

u ⋅ m + v ⋅ n

v ⋅ n

1 - u ⋅ m

v ⋅ n

≡

1 (mod m)

Furthermore, we have that:

((u ⋅ m) ⋅ b) mod m

Then, we can conclude:

((u ⋅ m) ⋅ b + (v ⋅ n) ⋅ a) mod m

0 + ((v ⋅ n) ⋅ a) mod m

0 + (1 ⋅ a) mod m

a mod m

Using a similar argument, we can show that the solution is also equivalent to b (mod m).

[link]

Example: Suppose we want to find the multiplicative inverse of 49 in ℤ/100ℤ and the multiplicative inverse of 100 in ℤ/49ℤ. We run the extended Euclidean algorithm on the inputs 49 and 100 to obtain the following instance of Bézout's identity:

(-24) ⋅ 100 + 49 ⋅ 49

We can use the above to find the multiplicative inverse of 49 in ℤ/100ℤ:

(-24) ⋅ 100 + 49 ⋅ 49

≡

1 (mod 100)

49 ⋅ 49

≡

1 (mod 100)

Thus, 49^-1 = 49 in ℤ/100ℤ. We can also find the multiplicative inverse of 100 in ℤ/49ℤ (also known as 2 ∈ ℤ/49ℤ):

(-24) ⋅ 100 + 49 ⋅ 49

≡

1 (mod 49)

-24 ⋅ 100

≡

1 (mod 49)

25 ⋅ 100

≡

1 (mod 49)

Thus, 100^-1 = 25 in ℤ/49ℤ.

[link]

Example: Suppose we want to solve the following system:

≡

23 (mod 100)

≡

31 (mod 49)

We use the extended Euclidean algorithm to find that:

(-24) ⋅ 100 + 49 ⋅ 49

This tells us that −24 is the inverse of 100 in ℤ/49ℤ and that 49 is the inverse of 49 in ℤ/100ℤ. Thus, to build 31 in ℤ/49ℤ, we need:

≡

1 ⋅ 31 (mod 49)

≡

(100 ⋅ 100^-1) ⋅ 31

≡

(100 ⋅ -24) ⋅ 31

To build 23 in ℤ/100ℤ, we need:

≡

1 ⋅ 23 (mod 100)

≡

(49 ⋅ 49^-1) ⋅ 23

≡

(49 ⋅ 49) ⋅ 23

Then the solutions to the system are in the congruence class:

≡

(100 ⋅ -24) ⋅ 31 + (49 ⋅ 49) ⋅ 23 (mod (100 ⋅ 49))

≡

-19177 mod 4900

≡

423

[link]

Algorithm: Suppose we are given a collection of equations of the following form such that m₁,...,m_k are all pairwise coprime.

≡

a₁ (mod m₁)

⋮

≡

a_k (mod m_k)

Let C be the set of these equations, where C_i is the ith equation. The following algorithm can be used to find a solution for this system of equations.

solve system of equations: C is a set of constraints x ≡ a_i mod m_i
1. while |C| > 1
  1. remove two equations C_i and C_j from C and solve them to obtain a new equation x ≡ c (mod m_i ⋅ m_j)
  2. add the new equation to C
2. return the one equation left in C

[link] 3.11. More practice with CRT

[link]

Example: Solve the following equation for x ∈ ℤ/5ℤ by multiplying both sides by the appropriate multiplicative inverse:

3 ⋅ x

≡

2 (mod 5)

[link]

Example: Solve the following system of equations for x ∈ ℤ/35ℤ by finding multiplicative inverses of 5 ∈ ℤ/7ℤ and 7 ∈ ℤ/5ℤ:

≡

4 (mod 5)

≡

2 (mod 7)

[link]

Example: Suppose you know that 7^-1 ≡ 3 (mod 10). Solve the following system of equations:

≡

0 (mod 2)

≡

1 (mod 5)

≡

3 (mod 7)

[link]

Example: Suppose we have a single processor that can perform arithmetic operations (addition, subtraction, multiplication, and modulus) on integers that can be represented with at most 11 bits (2¹¹ = 2048). On this processor, a single arithmetic operation can be performed in 11 time steps. We also have three other processors that can perform arithmetic on integers that can be represented with at most 4 bits (2⁴ = 16). Each of these processors can perform an arithmetic operation on 4-bit integers in 4 time steps.

For example, suppose we want to perform 1000 arithmetic operations on 11-bit integers. Using a single processor, this would require:

1000 ⋅ 11 = 11,000 time steps

If we use three coprime numbers 13, 14, and 15, and we use each of the three 4-bit processors to perform these operations modulo 13, 14, and 15 in parallel, 1000 operations would require:

1000 ⋅ 4 = 4,000 time steps

Note that 13 ⋅ 14 ⋅ 15 = 2730, and that 2730 > 2048, so:

13 ⋅ 14 ⋅ 15

2¹¹

Suppose it takes 1400 time steps to solve a system of three congruence equations of the following form:

≡

a (mod 13)

≡

b (mod 14)

≡

c (mod 15)

If we want to perform the computations as quickly as possible and we can use either the 11-bit processor or the three 4-bit processors, how many operations k would we need to perform before we decided to switch from the the 11-bit processor to the 4-bit processors?

[link]

Example: Suppose we are using echolocation to measure the distance to a wall that is at most 15 distance units away. We have two devices that emit sounds at two different frequencies. One device emits sound every 3 seconds, while the other device emits a sound every 11 seconds. Suppose we hear the following:

the device that emits a sound every 3 seconds hears a response 2 seconds after each time it emits a sound;
the device that emits a sound every 11 seconds hears a response 4 seconds after each time it emits a sound.

If sound travels one distance unit per second, how far away is the wall?

[link]

Example: Suppose Alice, Bob, and Eve are using the Shamir secret sharing protocol to store a combination for a lock; all three participants would need to work together to retrieve the secret lock combination in ℤ/60ℤ. They are each given the following equations:

Alice:

≡

1 (mod 3)

Bob:

≡

3 (mod 4)

Eve:

≡

2 (mod 5)

What is the lock combination?
The lock only permits anyone to try two incorrect combinations before locking down completely and becoming inaccessible. Suppose Eve has a chance to steal either Bob's secret information or Alice's secret information, but she can only choose one. Whose information should she steal in order to unlock the lock?

[link]

Example: Suppose we want to store a number n between 0 and 500,000 on a collection of 5-bit memory regions. However, we want to make sure that if any one of the memory regions is turned off, we can still recover the number exactly, without any missing information or errors. How many memory regions will we need to use? Note that 32³ = 32,768 and 32⁴ = 1,048,576.

[link]

Example: Suppose we make the following simplifications: for every t years,

when the Earth revolves around the sun, it travels a circumference of 1 unit, at a rate of 1 ⋅ t (once per year);
when the asteroid Ceres revolves around the sun, it travels a circumference of 5 units;
when the planet Jupiter revolves around the sun, it travels a circumference of 11 units.

Suppose that on June 21st, 2000, the Earth, Ceres, and Jupiter all align (i.e., one can draw a straight line through all three). Next, suppose that it is June 21st of some year between 2000 and 2055. At this time, there is no alignment. However, Jupiter aligned with earth on June 21st two years ago, and Ceres aligned with Earth on June 21st three year ago. What year is it?

[link] 3.12. Euler's totient function, Euler's theorem, and applications

[link]

Definition: For any input m ∈ ℕ, define Euler's totient function φ by:

φ(m)

|{k | k ∈ {1,...,m}, gcd(k,m) = 1}|

[link]

Example: Compute φ(15).

φ(15)

|{k | k ∈ {1,...,15}, gcd(k,15) = 1}|

|{1,2,4,7,8,11,13,14}|

[link]

Example: Suppose p ∈ ℕ is a prime number. What is φ(p)?

φ(p)

|{k | k ∈ {1,...,p}, gcd(k,p) = 1}|

|{1,2,3,...,p-1}|

p-1

[link]

Example: What is φ(15)?

φ(15)

|{k | k ∈ {1,...,15}, gcd(k,15) = 1}|

15 - |{k | k ∈ {1,...,15}, gcd(k,15) ≠ 1}|

15 - |{3,6,9,12,15} ∪ {5,10,15}|

15 - |{3,6,9,12}| - |{5,10}| - |{15}|

15 - (5-1) - (3-1) - 1

15 - 5 - 3 + 1 + 1 - 1

15 - 5 - 3 + 1

(3 ⋅ 5) - 5 - 3 + 1

(3-1) ⋅ (5-1)

2 ⋅ 4

[link]

Fact: For any x ∈ ℕ and y ∈ ℕ, if gcd(x,y) = 1 then:

φ(x) ⋅ φ(y)

φ(x ⋅ y)

[link]

Example: Suppose p ∈ ℕ and q ∈ ℕ are prime numbers. What is φ(p ⋅ q)?

φ(p ⋅ q)

φ(p) ⋅ φ(q)

(p-1) ⋅ (q-1)

[link]

Fact: For any prime p ∈ ℕ, we have that:

φ(p^k)

p^k - p^k-1

[link]

Fact: For any a ∈ ℕ and m ∈ ℕ, if a^m-1 mod m = 1 then:

a^m-1 mod m

a^m-1

1 + k ⋅ m

gcd(1 + k ⋅ m, k ⋅ m)

gcd(a^m-1, k ⋅ m)

gcd(a, k ⋅ m)

gcd(a, m)

Thus, a and m are coprime.

[link]

Example: Suppose m ∈ ℕ is a Carmichael number. At most how many Fermat liars does m have?

[link]

Fact: We can use φ to provide a formula for the probability that the Fermat primality test will detect that a Carmichael number m ∈ ℕ is actually composite. It is approximately:

(m - φ(m)) / m

To be more precise (since we do not check 0 or 1 in our actual implementation), it is:

((m - 3) - φ(m)) / (m - 3)

Unfortunately, Euler's totient function does not in general have a better upper bound than f(m) = m.

[link]

Example: How many elements of ℤ/mℤ have a multiplicative inverse in ℤ/mℤ? Since an x ∈ ℤ/mℤ has an inverse iff gcd(x,m) = 1. Thus, the set of such x is exactly the set {x | x ∈ {1,...,m}, gcd(k,m) = 1}. But this is the definition of φ(m). Thus, there are φ(m) elements in ℤ/mℤ that have a multiplicative inverse.

[link]

Theorem (Euler's theorem): For any m ∈ ℕ and a ∈ ℤ/mℤ, if gcd(m,a) = 1 then we have that:

a^φ(m) mod m

Notice that if m is a prime number, then φ(m) = m-1. Then for any a ∈ ℤ/mℤ, gcd(a,m) = 1 and a^m-1 mod m = 1. This is exactly the statement of Fermat's little theorem. Thus, Euler's theorem is a generalization of Fermat's little theorem.

[link]

Fact: For any m ∈ ℕ and a ∈ ℤ/mℤ, if gcd(m,a) = 1 then for any i ∈ ℤ/φ(m)ℤ such that i ≡ 0 we have that

aⁱ mod m

This is because:

≡

0 (mod φ(m))

k ⋅ φ(m)

a^{φ(m) ⋅ k} mod m

(a^φ(m))^k mod m

1^k mod m

1 mod m

[link]

Fact: For any p ∈ ℕ, if p is prime and a ∈ ℤ/pℤ then for any k ∈ ℤ we have that:

a^k mod p

a^{(k mod (p-1))} mod p

[link]

Fact: For any m ∈ ℕ and a ∈ ℤ/mℤ, if gcd(m,a) = 1 then for any k ∈ ℤ we have that:

a^k mod m

a^{(k mod φ(m))} mod m

[link]

Example: We can compute the integer value 2³⁸ mod 7 as follows because 7 is prime:

2³⁸

≡

2^{38 mod (7-1)} (mod 7)

≡

2^{38 mod 6}

≡

2²

≡

Since the final operation in the integer term is a modulus operation, the congruence class 4 is also exactly the integer result of the term.

[link]

Example: We can compute 4^{2^10000000} mod 5 as follows because 5 is prime:

4^{2^10000000}

≡

4^{2^10000000 mod (5-1)} (mod 5)

4^{2^10000000 mod 4}

4⁰

[link]

Example: We can compute 4^{8¹⁰⁰+ 3} mod 15 as follows because gcd(4,15) = 1:

4^{(8¹⁰⁰ + 3)}

≡

4^{(8¹⁰⁰ + 3) mod φ(15)} (mod 15)

4^{(8¹⁰⁰ + 3) mod ((5-1) ⋅ (3-1))}

4^{(8¹⁰⁰ + 3) mod 8}

4³

[link]

Example: Compute 5⁶⁶⁰³ mod 7.

[link]

Fact: For any m ∈ ℕ and a ∈ ℤ/mℤ where gcd(m,a) = 1, we can use the Euler's theorem to find the inverse of a. Notice that:

a^φ(m) mod m

(a^φ(m)-1 ⋅ a) mod m

Thus, a^φ(m)-1 mod m is the multiplicative inverse of a in ℤ/mℤ.

[link]

Example: Find the multiplicative inverse of 5² in ℤ/7ℤ.

It is sufficient to notice that 5⁶ ≡ 1 (mod 7), so 5² ⋅ 5⁴ ≡ 1, so 5⁴ is the inverse of 5² in ℤ/7ℤ.

[link]

Example: We can find the multiplicative inverse of 3 in ℤ/22ℤ using the following steps. We first compute φ(22) = 10.

φ(22)

φ(11 ⋅ 2)

φ(11) ⋅ φ(2)

(11 − 1) ⋅ (2 − 1)

10 ⋅ 1

Next, we compute the inverse using Euler's theorem.

3^-1

≡

3^{φ(22) − 1} (mod 22)

≡

3^{10 − 1}

≡

3⁹

≡

3³ ⋅ 3³ ⋅ 3³

≡

5 ⋅ 5 ⋅ 5

≡

25 ⋅ 5

≡

3 ⋅ 5

≡

[link]

Definition: For m ∈ ℕ, We define (ℤ/mℤ)* to be the following subset of ℤ/mℤ:

(ℤ/mℤ)*

{ a | a ∈ ℤ/mℤ, a has an inverse in ℤ/mℤ }

[link]

Example: Does 11 have an inverse in ℤ/22ℤ (i.e., is it true that 11 ∈ (ℤ/22ℤ)*)?

[link]

Example: Compute |(ℤ/35ℤ)*|.

|(ℤ/35ℤ)*|

|{ a | a ∈ ℤ/35ℤ, a has an inverse in ℤ/35ℤ }|

|{ a | a ∈ ℤ/35ℤ, gcd(a,35) = 1 }|

φ(35)

φ(5 ⋅ 7)

φ(5) ⋅ φ(7)

4 ⋅ 6

[link]

Fact: For any m ∈ ℕ, (ℤ/mℤ)* is closed under multiplication modulo m. That is, for any a ∈ ℤ/mℤ and b ∈ ℤ/mℤ, if there exist a^-1 ∈ ℤ and b^-1 ∈ ℤ then (a ⋅ b) has an inverse (a^-1 ⋅ b^-1). We can use the commutativity of multiplication to show this:

(a ⋅ b) ⋅ (a^-1 ⋅ b^-1)

≡

(a ⋅ a^-1) ⋅ (b ⋅ b^-1)

≡

1 ⋅ 1

≡

[link] Review 1. Properties, Algorithms, and Applications of Modular Arithmetic

This section contains a comprehensive collection of review problems going over the course material covered until this point. Many of these problems are an accurate representation of the kinds of problems you may see on an exam.

[link]

Exercise: For some a ∈ ℕ, suppose that a^-1 ∈ ℤ/21ℤ and a^-1 ∈ ℤ/10ℤ (that is, a has an inverse in ℤ/21ℤ, and it also has an inverse in ℤ/10ℤ). Determine whether or not a has an inverse in ℤ/210ℤ. Explain why or why not. Hint: use gcd.

[link]

Exercise: Bob is trying to implement a random number generator. However, he's distracted and keeps making mistakes while building his implementation.

Bob begins his algorithm by generating two coprime numbers a and m such that gcd(a,m) = 1. However, he mixes them up and defines the following computation:
[ (i ⋅ m) mod a | i ∈ {1,...,a-1} ]
Is Bob going to get a permutation? Why or why not?
Yes, Bob will still get a permutation because gcd(a,m) = 1, which means m mod a is also coprime with m (we can see this because this is exactly what the extended Euclidean algorithm computes before making a recursive call, or by observing that if m mod a shares a factor with a, so must m).
Bob notices part of his mistake and tries to fix his algorithm; he ends up with the following:
[ (i ⋅ m) mod m | i ∈ {1,...,m-1} ]
How many distinct elements does the list he gets in his output contain?
It contains exactly one element: 0 (mod m), since all multiples of the congruence class m are equivalent to 0 (mod m).
Bob notices his algorithm isn't returning a permutation, but he mixes up a few theorems and attempts the following fix:
[ (i ⋅ a^m-1) mod m | i ∈ {1,...,m-1} ]
Bob tests his algorithm on some m values that are prime numbers. How many elements does the set he gets in his output contain?
It contains all the elements {1,...,m-1}, generated in ascending order, since by Fermat's little theorem, a^m-1 ≡ 1 (mod m) if m is prime.
Bob doesn't like the fact that his permutation doesn't look very random, so he moves the i term to the exponent:
[ (a^{i ⋅ (m-1)}) mod m | i ∈ {1,...,m-1} ]
Bob tests his algorithm on some m values that are prime numbers. How many elements does the set he gets in his output contain?
It contains exactly one element: 1 (mod m), since by the consequences of Fermat's little theorem and Euler's theorem, if m is prime we have:
a^k
≡
a^{k mod φ(m)} (mod m)

≡
a^{k mod (m-1)} (mod m)

[link]

Exercise: Suppose you have the following instance of Bézout's identity: 2 ⋅ 3 + (−1) ⋅ 5 = 1. Solve the following system of equations:

≡

2 (mod 3)

≡

3 (mod 5)

[link]

Exercise: Solve the following system of equations:

≡

2 (mod 7)

≡

3 (mod 5)

[link]

Exercise: Determine the size of the following set:

{x | x ∈ ℤ/(11 ⋅ 13)ℤ, x ≡ 5 mod 11, x ≡ 7 mod 13}

[link]

Exercise: For a given y ∈ ℤ/(p ⋅ q)ℤ where p and q are distinct primes, how many solutions does the following system of equations have:

≡

y² (mod p)

≡

y² (mod q)

[link]

Exercise: Determine the size of the following set:

{x | x ∈ ℤ/(11 ⋅ 13)ℤ, s ∈ ℤ/11ℤ, t ∈ ℤ/13ℤ, x ≡ s mod 11, x ≡ t mod 13 }

[link]

Exercise: Suppose that n ∈ ℕ is even and n/2 − 1 is odd. Determine the size of the following set:

{i ⋅ (n/2 - 1) mod n | i ∈ {0,...,n-1} }

[link]

Exercise: For any n ∈ ℕ, let a ∈ ℤ/nℤ have an inverse a^-1 ∈ ℤ/nℤ. Determine the size of the following set:

{ (a ⋅ i) mod n | i ∈ ℤ/nℤ }

[link]

Exercise: Let p be a prime number. Compute the set size |ℤ/pℤ - (ℤ/pℤ)*|.

[link]

Exercise: In a game, you win if you can guess correctly whether a large number n is prime in under a minute (if you are wrong, you win nothing and you lose nothing). You are given a handheld calculator that can only perform addition, subtraction, multiplication, division, exponentiation, and modulus (the calculator can represent arbitrarily large numbers, and can provides quotients to any precision). Describe one strategy you can use to give yourself a high probability of winning.

[link]

Exercise: Suppose that n ∈ ℕ. Compute the following:

5^{3^{4 ⋅ n + 1}} mod 11

[link]

Exercise: Suppose we make the following simplifications:

the Earth rovolves around the sun once per year;
the asteroid Ceres rovolves around the sun every 5 years;
the planet Jupiter revolves around the sun every 11 years.

Suppose that on June 21st, 2000, the Earth, Ceres, and Jupiter all align (i.e., one can draw a straight line through all three).

Which two of these objects will align again on June 21st, and in which year?
The next time Earth and Ceres align will be in five years, in 2005, as x = 5 is the smallest non-zero solution in ℕ to the following system (the first equation represents alignment with Earth; the second equation represents alignment with Ceres):
x
≡
0 mod 1
x
≡
0 mod 5
How many years will pass before all three align again?
The smallest non-zero solution in ℕ to the following system is x = 55, so they will all align again in 2055:
x
≡
0 mod 1
x
≡
0 mod 5
x
≡
0 mod 11
Suppose that it is June 21st of some year between 2000 and 2055. At this time, there is no alignment. However, Jupiter aligned with earth on June 21st four years ago, and Ceres aligned with Earth on June 21st one year ago. What year is it?
The following system of equations captures the situation. Since the solution must be in ℤ/55ℤ, we can find a unique solution using the Chinese remainder theorem. By inspection of the elements of 4 + 11ℤ = {4, 15, 26, ...}, the solution is x = 26.
x
≡
0 mod 1
x
≡
1 mod 5
x
≡
4 mod 11
Alternatively, we can use the formula; since x ≡ 0 (mod 1) is true for all x, there are actually only two equations:
x
≡
1 mod 5
x
≡
4 mod 11
Since 11 ≡ 1 (mod 5), 11^-1 ≡ 1 (mod 5); we also have:
5^-1
≡
5⁹ (mod 11)

≡
25⁴ ⋅ 5

≡
3⁴ ⋅ 5

≡
5 ⋅ 3 ⋅ 5

≡
4 ⋅ 5

≡
9
Then the solution is:
x
≡
1 ⋅ (11 ⋅ 1) + 4 ⋅ (5 ⋅ 9) (mod (5 ⋅ 11))

≡
11 + 180

≡
191

≡
26

[link]

Exercise: Suppose there exist two devices, where one can either produce or consume exactly 2 units of power and another can either produce or consume exactly 7 units of power:

device A: +/− 2 units
device B: −/+ 7 units

Suppose we want to produce exactly 1 unit of power using a combination of some number of A devices and B devices. Is this possible?

[link] 4. Computational Complexity of Modular Arithmetic Algorithms

[link] 4.1. Definition of computational problems and their complexity

Below, we review a small set of definitions and facts from complexity theory. We will only use these facts as they relate to problems in modular arithmetic and abstract algebra. A course on computational complexity theory would go into more detail.

[link]

Definition: Informally, for some formula f, we call a statement of the following form a problem:

"Given x, find y such that f(x, y) is true."

In the above, x can be viewed as the input describing the problem, and y can be viewed as the solution to the problem.

[link]

Definition: The computational complexity of a problem refers to the running time of the most efficient algorithm that can solve the problem.

[link] 4.2. Complexity of algorithms for solving tractable problems

In this subsection we consider the running time of efficient algorithms for performing common arithmetic operations (addition, subtraction, multiplication, exponentiation, and division). We consider the complexity of these arithmetic operations on each of the following domains:

unbounded positive integers;
integers modulo 2^k;
integers modulo n for some n ∈ ℕ.

All of our arithmetic algorithms will operate on bit string representations of positive integers. A bit string representation such as

a_k-1...a₀

is defined to represent the integer

2^k-1 ⋅ a_k-1 + ... + 2⁰ ⋅ a₀

Note that this means that k = ⌈log₂(a)⌉. Below are some specific examples:

111

2² ⋅ 1 + 2¹ ⋅ 1 + 2⁰ ⋅ 1

1101

2³ ⋅ 1 + 2² ⋅ 1 + 2¹ ⋅ 0 + 2⁰ ⋅ 1

2¹ ⋅ 1 + 2⁰ ⋅ 0

Since the operations we consider usually take two arguments, we will follow the following conventions:

the first (left-hand side) input is x, an k-bit integer;
the second (right-hand side) input is y, an l-bit integer.

Thus, x ≤ 2^k - 1 and y ≤ 2^l - 1.

[link]

Algorithm: There exists an algorithm that can compute the sum of a k-bit integer x and an l-bit integer y in time O(max(k,l)+1). The size of the output is O(max(k,l)+1).

addition of unbounded positive integers: k-bit integer x, l-bit integer y
1. r (a bit vector to store the result)
2. c := 0 (the carry bit)
3. for i from 0 to max(k,l) − 1
  1. r[i] := (x[i] xor y[i]) xor c
  2. c := (x[i] and y[i]) or (x[i] and c) or (y[i] and c)
4. r[max(k,l)+1] := c
5. return r

How can we use the addition algorithm to implement multiplication? One approach for multiplying two positive integers x, y ∈ ℕ is to do repeated addition of y (repeating the addition operations x times). However, if x is an k-bit integer, this would require up to 2^k-1 addition operations, which would take exponential time in the representation size of the input x.

A more efficient approach is to use the representation of x as a sum of powers of 2, and to apply the distributive property. Suppose x is represented as the binary bit string a_k-1...a₀. Then we have:

x ⋅ y

(a_k-1 ⋅ 2^k-1 + ... + a₂ ⋅ 2² + a₁ ⋅ 2¹ + a₀ ⋅ 2⁰) ⋅ y

(a_k-1 ⋅ 2^k-1 ⋅ y) + ... + (a₂ ⋅ 2² ⋅ y) + (a₁ ⋅ 2¹ ⋅ y) + (a₀ ⋅ 2⁰ ⋅ y)

Notice that we have now rewritten multiplication as k − 1 addition operations. The only other problem is how to multiply y by powers of 2. We can do so simply by appending a 0 to the bit string representation of y. Suppose y is represented as the binary bit string b_k-1...b₀. Then we have:

2 ⋅ y

2 ⋅ b_k-1...b₁b₀

2 ⋅ (b_k-1 ⋅ 2^k-1 + ... + b₁ ⋅ 2¹ + b₀ ⋅ 2⁰)

b_k-1 ⋅ 2^k + ... + b₁ ⋅ 2² + b₀ ⋅ 2¹

(b_k-1 ⋅ 2^k + ... + b₁ ⋅ 2² + b₀ ⋅ 2¹) + 0 ⋅ 2⁰

b_k-1...b₁b₀0

Thus, our algorithm only needs to depend on addition, and on shifting bit strings left by one (a.k.a., appending a 0 to the bit string at the position of the least significant bit).

[link]

Algorithm: There exists an algorithm that can compute the product of a k-bit integer x and an l-bit integer y in time O(k ⋅ (max(k,l)+1+k)) or O(max(k,l)²). The size of the output is O(k+l) (because the shift left for the 2¹ case does not contribute to the final result, the l-bit integer is shifted left at most k-1 times, but there may still be a carried bit on the last addition operation that is performed).

multiplication of unbounded positive integers: k-bit integer x, l-bit integer y
1. r (a bit vector to store the result)
2. for i from 0 to k − 1
  1. if x[i] is 1
    1. r := r + y (using unbounded integer addition)
  2. shift the bits of y left by one bit (i.e., multiply y by 2)
3. return r

[link]

Algorithm: There exists an algorithm that can compute the exponentiation x^y of an k-bit integer x and an l-bit integer y in time O(k ⋅ 2^l). The size of the output is O(k ⋅ 2^l). Notice that this means that for unbounded integer outputs, the algorithm runs in exponential time because it must build an output the size of which is exponentially large in the size of the input.

exponentiation of unbounded positive integers: k-bit integer x, l-bit integer y
1. r (a bit vector to store the result)
2. for i from 0 to l − 1
  1. if y[i] is 1
    1. r := r ⋅ x (using unbounded integer multiplication)
  2. x := x ⋅ x (using unbounded integer multiplication)
3. return r

[link]

Algorithm: There exists an algorithm that can compute the integer quotient ⌊ x / y ⌋ of an k-bit integer x and an l-bit integer y in time O((k ⋅ k) + (k ⋅ (2 ⋅ k))) or O(k²).

integer division of unbounded positive integers: k-bit integer x, l-bit integer y
1. if y > x
  1. return 0
2. for i from 0 to k − 1
  1. shift y left by one bit
3. r (a bit vector to store ⌊ x / y ⌋ ⋅ y)
4. q (a bit vector to store the integer quotient)
5. p := 2^k-1 (to keep track of the current power of 2)
6. for i from 0 to k − 1
  1. if r+y < x
    1. r := r+y (using unbounded integer addition)
    2. q := q+p (using unbounded integer addition)
  2. shift y right by one bit
  3. shift p right by one bit
7. return q

[link]

Algorithm: There exists an algorithm that can compute x mod y of an k-bit integer x and an l-bit integer y in time O(k²). This is accomplished by first performing integer division, then an integer multiplication, and then a subtraction. This corresponds to the formula for the modulus operation:

x mod y

x - ⌊ x/y ⌋ ⋅ y

When we consider the operations above as operating on integers modulo 2^k (with results also in 2^k), this corresponds to simply dropping any bits beyond the k least-significant bits when performing the computation.

[link]

Fact: There exists an algorithm that can compute the sum of two k-bit integers x and y in time O(k). The size of the output is O(k).

[link]

Fact: There exists an algorithm that can compute the product of two k-bit integers x and y in time O(k²). The size of the output is O(k).

[link]

Fact: There exists an algorithm that can compute x^y for two k-bit integers x and y in time O(k³). The size of the output is O(k).

[link]

Fact: The recursive algorithm for gcd (and the extended Euclidean algorithm) makes O(log (max(x,y))) recursive calls on an integer inputs x ∈ ℕ and y ∈ ℕ. Notice that this means that the number of recursive calls is linear, or O(max(k,l)), for inputs consisting of an k-bit integer x and an l-bit integer y.

To see the above, consider the following fact: for any a ∈ ℕ, b ∈ ℕ, if b ≤ a then a mod b < (1/2) ⋅ a. Consider the two possibilities for a and b:

if b ≤ (1/2) ⋅ a, then ⌊ a / b ⌋ > 1, so:
(a mod b)
<
b
≤
(1/2) ⋅ a
if b > (1/2) ⋅ a, then ⌊ a / b ⌋ = 1, so:
a mod b
=
a − ⌊ a/b ⌋ ⋅ b

=
a − 1 ⋅ b

=
a − b

<
a − ((1/2) ⋅ a)

<
(1/2) ⋅ a

Thus, every time a mod b is computed in the algorithms, size of the second paramter is halved. Since every other invocation switches the two parameters, both parameters are halved. Thus, the number of invocations or iterations for an input m is log(m).

[link]

Fact: The recursive algorithm for the extended Euclidean algorithm on inputs consisting of a k-bit integer x and an l-bit integer y runs in time O(max(k,l) ⋅ (2 ⋅ max(k,l)² + max(k,l))), or O(max(k,l)³). The number of recursive calls is about max(k,l), and each recursive call involves an integer division, a multiplication, and a subtraction.

If all inputs and outputs are integers that can be represented with at most k bits, the running time is then O(k³).

[link]

Fact: The following problem can be solved in polynomial time: given x ∈ (ℤ/nℤ)*, compute x^-1. This can be reduced to running the extended Euclidean algorithm, which has a polynomial running time.

If all inputs and outputs are integers that can be represented with at most k bits, the running time is then O(k³).

[link]

Fact: There exists an O(max(k,l)³ + (k+l)²) algorithm that can solve the following system of two equations (for k-bit integers x,x' and l-bit integers y,y') using the Chinese remainder theorem:

≡

x' (mod x)

≡

y' (mod y)

This algorithm calls the extended Euclidean algorithm on x and y, and then performs four multiplications modulo (x ⋅ y). If all inputs and outputs are integers that can be represented with at most k bits, the running time is then O(k³).

[link]

Exercise: Multiply the following two numbers (represented in binary) using the multiplication algorithm presented in lecture: 1101 ⋅ 101.

[link] 4.3. Complexity of (probably) intractable problems

In the previous section we saw that addition, subtraction, multiplication, exponentiation, and division (both integer division, modulus, and multiplication by multiplicative inverses) can all be computed efficiently (i.e., in polynomial time) both over integers and over congruence classes. It is also possible to efficiently compute roots and logarithms of integers (we omit proofs of this fact in this course). However, no efficient algorithms are known for computing roots and logarithms of congruence classes.

[link]

Definition: A problem can be solved in polynomial time iff there exists for some constant c an algorithm that solves all instances of the problem in time O(n^c). The set of all problems that can be solved in polynomial time is called P, and if a problem can be solved in polynomial time, we say that the problem is in P.

[link]

Definition: A problem can be solved in exponential time iff there exists an algorithm that solves all instances of the problem in time O(2ⁿ).

[link]

Definition: There exists a polynomial-time reduction from a problem A to a problem B iff there exists a polynomial-time algorithm that can convert any instance of problem A into an instance of problem B (i.e., convert an input for A into an input for B, and convert the output from B into an output from A).

A polynomial-time reduction from one problem to another can be viewed as two separate polynomial-time algoritms: a conversion algorithm that takes inputs to problem A and invokes a solver for problem B some polynomial number of times, and a conversion algorithm that takes all the outputs obtained from the solver for problem B and assembles and/or converts them into outputs for problem A.

[link]

solver for
problem B

⇒
⇒
⇒

conversion
from output(s) from
B to output from A

⇑⇑⇑

⇓

conversion
from input for
A to input(s) for B

⇐

solver for
problem A

We can summarize the above diagram by simply saying that problem A reduces to problem B.

[link]

problem B

⇐

problem A

We have already seen examples of such reductions. For example, a CRT solver for two equations makes a single call to the extended Euclidean algorithm. Thus, there exists a polynomial-time reduction from the problem of solving a two-equation system using CRT to the problem of computing multiplicative inverses.

[link]

finding
multiplicative
inverses

⇐

solving two-equation
systems using CRT

[link]

Fact: If there exists a polynomial-time reduction from problem A to problem B, and problem A is not in P (i.e., there exists no polynomial-time algorithm to solve A), then problem B must not be in P, either.

To see why B cannot be in P, we can present a proof by contradiction. Suppose that there does exist a polynomial-time algorithm to solve problem B. Then the polynomial-time reduction from A to B can invoke a polynomial-time algorithm. But then the reduction and algorithm for B working together will constitute a polynomial-time algorithm to solve A. Then it must be that A is in P. But this contradicts the fact that A is not in P, so no such polynomial-time algorithm for B could exist.

The above fact allows us to make conclusions about the computational complexity of certain problems based on their relationships (in terms of implementation) to other problems.

[link]

problem B

premise:
can be solved in
polynomial time

B ∈ P

⇐

problem A

conclusion:
can be solved in
polynomial time

A ∈ P

problem B

conclusion:
cannot be solved in
polynomial time

B ∉ P

⇐

problem A

premise:
cannot be solved in
polynomial time

A ∉ P

Intuitively, we can imagine that if problem A is "attached to" (i.e., depends on) problem B, an "easy" problem B will "pull" A down into the set of easily solvable problems P, while a "difficult" problem A will "pull" problem B into the set of hard-to-solve problems.

[link]

Conjecture (factoring): The following problem is not in P: given any integer n ∈ ℕ where n = p ⋅ q and p and q are prime, find p and q.

[link]

Fact: Suppose that n = p ⋅ q for two primes p ∈ ℕ and q ∈ ℕ. Given only n and φ(n), it is possible to compute p and q. Consider the following:

φ(n)

(p − 1) ⋅ (q − 1)

φ(n)

p ⋅ q − p − q + 1

φ(n)

n - p − q + 1

φ(n) - n

- p − q + 1

φ(n) - n - 1

− p − q

Thus, it is sufficient to solve the following system of equations for p and q:

p ⋅ q

φ(n) - n - 1

− p − q

[link]

Example: Suppose that n = 15 and φ(n) = 8. Factor n.

We can plug n and φ(n) into the system of equations derived in the applicable fact:

p ⋅ q

8 − 15 − 1

− p − q

With two equations and two unknowns, we can now solve for p and q:

8 − 15 − 1

− p − q

15 − 8 + 1 − q

8 − q

(8 − q) ⋅ q

− q² + 8q − 15

q² − 8q + 15

At this point, we use the quadratic equation:

1/2 ⋅ (8 ± √(64 − 4(1)(15)))

1/2 ⋅ (8 ± √(4))

1/2 ⋅ (8 ± 2)

∈

{3, 5}

{p, q}

{3, 5}

[link]

Conjecture (computing φ): The following problem is not in P: given any integer n ∈ ℕ where n = p ⋅ q and p and q are prime, find φ(n).

If we can compute φ(n), then we can compute p and q. If computing φ(n) were any easier than factoring n (e.g., if we had a polynomial-time algorithm for computing φ(n)), then our claim about the hardness of factoring n would be a contradiction. In other words, factoring n can be reduced to solving φ(n).

computing φ(n)

conclusion:
cannot be solved in
polynomial time

computing φ(n) ∉ P

⇐

factoring n

conjecture:
cannot be solved in
polynomial time

factoring ∉ P

The above fact (i.e., that if factoring n is not in P, then neither is computing φ(n)) holds for arbitrary n, not just a product of two primes. However, the proofs in those cases are more sophisticated [Shoup].

Suppose we are given the following equation:

x^y

There are three computational questions we could ask about the above equation:

given x and y, compute z (this is the exponentiation operation);
given x and z, compute y (this is the logarithm operation, since we have log_x z = y in an equivalent notation);
given y and z, compute x (this is the yth root operation, since we have ^y√(z) = x in an equivalent notation).

We have efficient algorithms for computing all three of the above if x, y, and z are all integers or real numbers. Suppose we instead consider the following equation for some n ∈ ℕ:

x^y

≡

z (mod n)

In other words, we can interpret the equation as a congruence of equivalence classes in ℤ/nℤ. In this case, we already know that the first operation (exponentiation) has an efficient implementation because exponentiation and modulus are both efficient operations. However, we believe that the other two operations (computation of logarithms and roots of congruence classes) are computationally difficult (no polynomial-time algorithm exists to compute solutions).

[link]

Conjecture (RSA problem): The following problem is not in P: compute m given only the following:

p ⋅ q

for two primes p and q in ℕ

∈

ℤ/φ(n)ℤ

where e ≥ 3

m^e mod n

for an unknown m ∈ ℤ/nℤ

Notice that the RSA problem is analogous to computing the eth root of c in ℤ/nℤ:

^e√(c) (mod n)

^e√(m^e) (mod n)

m (mod n)

Note also that this can be accomplished by first finding φ(n) and then computing the inverse of e, but this is as difficult as factoring n, and we assume that is not in P. Is there another way to compute m? We do not know, but we assume that there is no other faster (i.e., polynomial-time) way to do so.

[link]

Conjecture (discrete logarithm assumption): The following problem is not in P: compute e given only the following:

∈

ℕ

∈

{1,...,n − 1}

m^e mod n

for an unknown e ∈ ℕ

Notice that this is analogous to computing the logarithm of a value c in ℤ/nℤ with respect to a known base m:

log_m (c)

log_m (m^e)

Note that the RSA problem requires that e ≥ 3, so it does not include the problem of computing square roots. The last intractable problem we will consider in this section is the problem of computing square roots of congruence classes within ℤ/nℤ for some n ∈ ℕ. We examine this problem separately from the RSA problem because it is possible to reduce factoring directly to the problem of computing square roots (while there is currently no known deterministic polynomial-time reduction from the factoring problem to the RSA problem).

Before we formally define the problem of computing square roots in ℤ/nℤ, we must first introduce some concepts and facts. This is because the problem of computing square roots in ℤ/nℤ is different from the problem of computing square roots of integers in ℕ, and this difference is likely what makes it computationally more difficult.

[link]

Definition: Given some n ∈ ℕ and some y ∈ ℤ/nℤ, we say that y is a quadratic residue in ℤ/nℤ if there exists x ∈ ℤ/nℤ such that x² ≡ y.

[link]

Example: Let us find the quadratic residues in ℤ/7ℤ:

0² ≡ 0 (mod 7)

1² ≡ 1 (mod 7)

2² ≡ 4 (mod 7)

3² ≡ 2 (mod 7)

4² ≡ 2 (mod 7)

5² ≡ 4 (mod 7)

6² ≡ 1 (mod 7)

The quadratic residues in ℤ/7ℤ are 0, 1, 2, and 4. Notice that 3, 5, and 6 are not quadratic residues in ℤ/7ℤ. Thus, the equations x² ≡ 3, x² ≡ 5, and x² ≡ 6 have no solution in ℤ/7ℤ.

[link]

Example: Consider the set of congruence classes ℤ/5ℤ. We have that:

0² ≡ 0 (mod 5)

1² ≡ 1 (mod 5)

2² ≡ 4 (mod 5)

3² ≡ 4 (mod 5)

4² ≡ 1 (mod 5)

Notice that 2 and 3 are not quadratic residues in ℤ/5ℤ. Thus, neither x² ≡ 2 nor x² ≡ 3 have solutions in ℤ/5ℤ.

[link]

Fact: Given some n ∈ ℕ and some y ∈ ℤ/nℤ, if y and n are coprime and y is a non-zero quadratic residue in ℤ/nℤ then there exist at least two a,b ∈ ℤ/nℤ such that a ≠ b, a² ≡ y, and b² ≡ y.

Note that this is analogous to square roots in ℤ (since √(z) ∈ ℤ and −√(z) ∈ ℤ are both square roots of z ∈ ℤ if they exist).

We can prove this fact in the following way: suppose that y is a quadratic residue. Then there exists at least one x ∈ ℤ/nℤ such that:

x² mod n

But this means that (n − x) ∈ ℤ/nℤ is such that:

((n − x)²) mod n

(n² − (2 ⋅ n ⋅ x) + x²) mod n

x² mod n

y mod n

Thus, x and (n − x) are both roots of y.

[link]

Example: It is the case that 4 ∈ ℤ/5ℤ is a quadratic residue in ℤ/5ℤ, with two roots 2 and 3:

2² mod 5

3² mod 5

9 mod 5

[link]

Example: Consider 0 ∈ ℤ/3ℤ. We have that:

0² ≡ 0 (mod 3)

1² ≡ 1 (mod 3)

2² ≡ 1 (mod 3)

Thus, x² ≡ 0 has exactly one solution in ℤ/3ℤ.

[link]

Fact: Let p ∈ ℕ be a prime such that p mod 4 = 3, and suppose that y ∈ ℤ/pℤ. Then y has either 0, 1, or 2 roots in ℤ/pℤ.

[link]

Example: Suppose we want to solve the following equation for x ∈ ℤ/7ℤ:

x²

≡

3 (mod 7)

Suppose we start by squaring both sides:

x⁴

≡

3² (mod 7)

We can then use Euler's theorem to add any multiple of φ(7) to the exponent:

x⁴

≡

3² ⋅ 1 (mod 7)

x⁴

≡

3² ⋅ 3^φ(7)

x⁴

≡

3^{2 + φ(7)}

Since 7 is prime, φ(7) must be even, so 2 + φ(7) is also even. Thus, we can divide the exponent by 2 on both sides.

x²

≡

3^{(2 + φ(7))/2}

Furthermore, since 7 ≡ 3 (mod 4), we know that 2 + φ(7) is a multiple of 4. Thus, we can actually divide both exponents by 4:

≡

3^{(2 + φ(7))/4}

Thus, we have found x as a power of the original quadratic residue 3.

[link]

Fact: Let p ∈ ℕ be a prime such that p mod 4 = 3, and suppose that y ∈ ℤ/pℤ is a quadratic residue with two roots in ℤ/pℤ. Then we can compute the roots using the following formula:

x ≡ ± y^(p+1)/4 (mod p)

In fact, if the modulus n is not prime, there may exist more than two roots of a value in ℤ/nℤ.

[link]

Example: It is the case that 1,-1,6,-6 ∈ ℤ/35ℤ are all square roots of 1 ∈ ℤ/35ℤ:

1² mod 35

(-1)² mod 35

34² mod 35

1156 mod 35

((33 ⋅ 35)+1) mod 35

1 mod 35

6² mod 35

36 mod 35

1 mod 35

(-6)² mod 35

29² mod 35

841 mod 35

((24 ⋅ 35)+1) mod 35

1 mod 35

[link]

Example: Suppose we are given an instance of the congruent squares problem where y = 2 and n = 15. We want to find x ∈ ℤ/15ℤ such that x ≢ ± y but x² ≡ y² ≡ 2² ≡ 4. Notice that we have that:

≡

2 mod 3

y²

≡

2² mod 3

≡

1 mod 3

(3-y)²

≡

1² mod 3

≡

1 mod 3

Notice also that we have that:

≡

2 mod 5

y²

≡

2² mod 5

≡

4 mod 5

(5-y)²

≡

3² mod 5

≡

4 mod 5

Thus, the square roots of 4 in ℤ/3ℤ are 1 and 2, and the square roots of 4 in ℤ/5ℤ are 2 and 3. We can then apply the Chinese remainder theorem to every pair of combinations:

r₁

≡

1 mod 3

r₁

≡

2 mod 5

r₁

≡

7 mod 15

r₂

≡

2 mod 3

r₂

≡

2 mod 5

r₂

≡

2 mod 15

r₃

≡

1 mod 3

r₃

≡

3 mod 5

r₃

≡

13 mod 15

r₄

≡

2 mod 3

r₄

≡

3 mod 5

r₄

≡

8 mod 15

Thus, x = 8 and x = 7 are solutions to x ≢ ± 2 and x² ≡ 4.

[link]

Fact (Hensel's lemma): Let p ∈ ℕ be a prime number greater than 2, and let k ∈ ℕ be any positive integer (i.e., k ≥ 1). Suppose that x and p are coprime, and that x ∈ ℤ/p^kℤ can be squared to obtain some quadratic residue r ∈ ℤ/p^kℤ:

x² ≡ r (mod p^k)

We can compute y ∈ ℤ/p^k+1ℤ such that:

y² ≡ r (mod p^k+1)

We compute it as follows. First, we compute c using the following formula:

≡

x^-1 ⋅ 2^-1 ⋅ ((r - x²) / p^k) (mod p)

Then, we have that:

≡

x + c ⋅ p^k

To see why Hensel's lemma is true, suppose that we have that:

x²

≡

r (mod p^k)

Notice that if it is possible to "lift" x to a root of r in ℤ/p^k+1ℤ, the only possibility is that this new root y has an additional multiple of p^k. Thus, it must be that for some integer multiple c, we have:

x + c ⋅ p^k

We can then substitute:

y²

≡

r (mod p^k+1)

(x + (c ⋅ p^k))²

≡

r (mod p^k+1)

But we can simplify the above equation:

(x + (c ⋅ p^k))²

≡

r (mod p^k+1)

x² + (2 ⋅ x ⋅ c ⋅ p^k) + (c² ⋅ p^2k)

≡

r (mod p^k+1)

But notice that the third term on the left-hand side in the above equation is equivalent to the congruence class 0 + p^k+1ℤ:

c² ⋅ p^2k

≡

0 (mod p^k+1)

Thus, we have:

x² + (2 ⋅ x ⋅ c ⋅ p^k)

≡

r (mod p^k+1)

(x² − r) + (2 ⋅ x ⋅ c ⋅ p^k)

≡

The above can be rewritten using the divisibility predicate as:

p^k+1

(x² − r) + (2 ⋅ x ⋅ c ⋅ p^k)

Thus, we can divide both sides of the above relationship by p^k to obtain:

(x² − r)/(p^k) + (2 ⋅ x ⋅ c)

We can then rewrite the above as an equation of congruence classes:

(x² − r)/(p^k) + (2 ⋅ x ⋅ c)

≡

0 (mod p)

(2 ⋅ x ⋅ c)

≡

− (x² − r)/p^k

≡

x^-1 ⋅ 2^-1 ⋅ (− (x² − r)/p^k)

≡

x^-1 ⋅ 2^-1 ⋅ ((r − x²)/p^k)

Thus, we have derived the formula in Hensel's lemma.

[link]

Example: To better understand Hensel's lemma, we can derive the lemma for a particular example. Let us start with the following equation:

4²

≡

2 (mod 7)

Suppose we want to find y ∈ ℤ/7²ℤ such that:

y²

≡

2 (mod 49)

We know that the difference between 4 and y must be a multiple of 7, so we write:

4 + 7 ⋅ c

Then we proceed:

y²

≡

2 (mod 49)

(4 + 7 ⋅ c)²

≡

2 (mod 49)

4² + (2 ⋅ 7 ⋅ c ⋅ 4) + (49 ⋅ c²)

≡

2 (mod 49)

4² + (2 ⋅ 7 ⋅ c ⋅ 4)

≡

2 (mod 49)

We simplify further to compute c:

(4² - 2) + (2 ⋅ 7 ⋅ c ⋅ 4)

≡

0 (mod 49)

14 + (2 ⋅ 7 ⋅ c ⋅ 4)

≡

0 (mod 49)

The above can be rewritten using the divisibility predicate as:

49 | 14 + (2 ⋅ 7 ⋅ c ⋅ 4)

7 | 2 + (2 ⋅ c ⋅ 4)

We can again rewrite the above as an equation of congruence classes:

2 + (2 ⋅ c ⋅ 4)

≡

0 (mod 7)

2 ⋅ c ⋅ 4

≡

− 2 (mod 7)

2 ⋅ c ⋅ 4

≡

5 (mod 7)

≡

2^-1 ⋅ 4^-1 ⋅ 5 (mod 7)

≡

4 ⋅ 2 ⋅ 5 (mod 7)

≡

5 (mod 7)

Thus, we have:

≡

4 + 7 ⋅ 5 (mod 49)

≡

39 (mod 49)

Since 49 − 39 = 10, we have:

≡

± 10 (mod 49)

y²

≡

2 (mod 49)

[link]

Example: We want to find both solutions y ∈ ℤ/121ℤ to:

y²

≡

5 (mod 121)

Since 121 = 11², we have p = 11, k = 1, and r = 5. We begin by finding x ∈ ℤ/11ℤ such that:

x²

≡

5 (mod 11)

Since 11 ∈ 3 + 4ℤ, we can use an explicit formula:

≡

± 5^(11+1)/4 (mod 11)

≡

± 5³

≡

± 3 ⋅ 5

≡

± 4

Thus, it is sufficient to lift the solution 4 ∈ ℤ/11ℤ to a solution in ℤ/121ℤ using Hensel's lemma. We compute c:

≡

x^-1 ⋅ 2^-1 ⋅ ((r − x²)/p^k) (mod p)

≡

4^-1 ⋅ 2^-1 ⋅ ((5 − 16)/11) (mod 11)

≡

4^-1 ⋅ 2^-1 ⋅ (− 1)

≡

3 ⋅ 6 ⋅ (− 1)

≡

(− 18)

≡

Thus, we have:

≡

4 + 4 ⋅ 11 (mod 121)

≡

4 + 44

≡

Thus, we have the solution

≡

± 48 (mod 121)

[link]

Example: The distance traveled by an object that is at rest at time t = 0 and then immediately begins accelerating at 4 meters/second² (i.e., the speed of the object increases by the quantity 4 meters/second every second) can be defined in terms of time in second t as:

1/2 ⋅ 4 ⋅ t²

We might expect an object to behave this way if it is being pulled by gravity, or if it is using a stable propulsion engine (e.g., a rocket).

Suppose we are using a range ambiguity resolution technique to track the distance the object has traveled. If it a particular moment, we know that the distance from the object is in the congruence class 10 + 11ℤ, what can we say about the amount of time t that has elapsed since the object started moving?

Since the distance is in 10 + 11ℤ, we can say:

≡

10 (mod 11)

1/2 ⋅ 4 ⋅ t²

≡

2 ⋅ t²

≡

We know that 2^-1 ≡ 6 (mod 11), so we multiply both sides of the above equation to obtain:

t²

≡

60 (mod 11)

t²

≡

5 (mod 11)

Thus, we can compute:

≡

5^(11+1)/4 (mod 11)

≡

5³

≡

3 ⋅ 5

≡

4 (mod 11)

Thus, we can say that the amount of time that has elapsed is in 4 + 11ℤ.

[link]

Example: Solve the following system of equations for x ∈ ℤ/21ℤ (find all solutions):

x²

≡

1 (mod 3)

x²

≡

1 (mod 7)

We know that there is exactly one solution y ∈ ℤ/21ℤ to the following system:

≡

1 (mod 3)

≡

1 (mod 7)

The solution is simply y = 1, and since there is only one solution, this is the only possibility. Thus, we are looking for all the solutions to the following equation:

x²

≡

1 (mod 21)

Since 3 mod 4 = 7 mod 4 = 3, we know that there are two solutions to each of the following equations:

x²

≡

1 (mod 3)

x²

≡

1 (mod 7)

The solutions are as follows:

≡

1 (mod 3)

≡

2 (mod 3)

≡

1 (mod 7)

≡

6 (mod 7)

Taking every pair of combinations with one solution from ℤ/3ℤ and one solution from ℤ/7ℤ, we get:

x₁

≡

1 (mod 3)

x₁

≡

1 (mod 7)

x₁

≡

1 (mod 21)

x₂

≡

2 (mod 3)

x₂

≡

1 (mod 7)

x₂

≡

8 (mod 21)

x₃

≡

1 (mod 3)

x₃

≡

6 (mod 7)

x₃

≡

13 (mod 21)

x₄

≡

2 (mod 3)

x₄

≡

6 (mod 7)

x₄

≡

20 (mod 21)

[link]

Example: How many solutions x ∈ ℤ/(33 ⋅ 35)ℤ does the following system of equations have:

x²

≡

4 (mod 33)

x²

≡

4 (mod 35)

We know that each of the following equations have two solutions (2 and -2 in the respective sets). Notice that 4 mod 3 = 1.

x²

≡

1 (mod 3)

x²

≡

4 (mod 11)

x²

≡

4 (mod 5)

x²

≡

4 (mod 7)

Thus, there are two possible choices for each of the variables r₁ ∈ {-2,2}, r₂ ∈ {-2,2}, r₃ ∈ {-2,2}, r₄ ∈ {-2,2}, so there are 2 ⋅ 2 ⋅ 2 ⋅ 2 = 2⁴ = 16 possible systems of the form:

≡

r₁ (mod 3)

≡

r₂ (mod 11)

≡

r₃ (mod 5)

≡

r₄ (mod 7)

Each system has a unique solution because the tuple (r₁, r₂, r₃, r₄) is unique, so there are 16 solutions for x in ℤ/(33 ⋅ 35)ℤ. Alternatively, we could break the problem down into two subproblems. First, we solve the following equation:

x²

≡

4 (mod 33)

We obtain four distinct solutions (r₁, r₂, r₃, r₄) in ℤ/33ℤ. Next, we solve the following equation:

x²

≡

4 (mod 35)

We then have four distinct solutions in (s₁, s₂, s₃, s₄) ℤ/35ℤ. Since gcd(33,35) = 1, we can then take any combination of solutions r_i and s_i and set up the system:

≡

r_i (mod 33)

≡

s_i (mod 35)

There will be exactly one solution to each of the above systems. There are 4² = 16 distinct systems, so there will be 16 distinct solutions.

We can summarize everything we know about computing square roots of congruence classes as follows. Suppose we want to find all solutions to the equation x² ≡ a (mod n) for some n ∈ ℕ and some a ∈ ℤ/nℤ.

If n is a prime p, the possibilities are:
- a is not a quadratic residue in ℤ/pℤ, so there are no solutions to the equation,
- a ≡ 0, in which case x ≡ 0 is the one and only solution to the equation,
- a is a quadratic residue in ℤ/pℤ, so there are exactly two solutions to the equation, ± x ∈ ℤ/pℤ.
If n is prime power p^k+1 and a is coprime with p, the possibilities are:
- a is not a quadratic residue in ℤ/p^kℤ, so it is not a quadratic residue in ℤ/p^k+1ℤ;
- a is a quadratic residue in ℤ/p^kℤ, and both square roots of a in ℤ/p^kℤ can be "lifted" to ℤ/p^k+1ℤ using Hensel's lemma.
If n is a product of two coprime numbers k and m, then there is a solution in ℤ/nℤ for every possible combination of y and z such that:
y²
≡
a mod k
z²
≡
a mod m
Each combination corresponds to a solution x ∈ ℤ/nℤ defined using CRT as:
x
≡
y mod k
x
≡
z mod m

Let us consider the problem of finding all of the square roots of a member of ℤ/nℤ. Notice that this problem is analogous to computing all the square roots of y in ℤ/nℤ:

√(y)

± x

The main difference is that the number of square roots may be greater than 2. This problem is believed to be computationally difficult (i.e., no algorithm in P exists that can solve the problem). In fact, even finding just one additional square root is believed to be computationally difficult.

[link]

Conjecture (congruent squares): The following problem is not in P: given n = p ⋅ q for two primes p and q in ℕ and y ∈ ℤ/nℤ, find an x ∈ ℤ/nℤ such that x² ≡ y² but x ≢ ± y.

Factoring can be reduced to finding congruent squares. Suppose we want to factor n. We find x and y such that:

x² mod n

y² mod n

0 mod n

(x² − y²) mod n

((x + y) ⋅ (x − y)) mod n

(x + y) ⋅ (x − y)

Since n cannot divide (x+y) (because x ≢ ± y, so x + y ≠ n), and it cannot divide (x-y) (since (x+y) < n), and (x-y) ≠ 0 (since x ≢ ± y), it must be that n shares factors with both (x+y) and (x-y). Thus, it must be that either gcd(n,x + y) or gcd(n,x - y) is a non-trivial factor of n, and this can be computed efficiently.

The following diagram summarizes the relationships between the problems that are conjectured to be intractable (i.e., not in P). Each directed edge represents that there exists a polynomial-time reduction from the source problem to the destination problem. All of the nodes in the graph are conjectured to be not in P.

[link]

congruent squares
(square roots of
congruence classes)

⇑⇓

computing φ(n)
for n = p ⋅ q

⇐
⇒

factoring
n = p ⋅ q

⇑

RSA problem
(eth roots of
congruence classes)

discrete logarithm
(logarithms of
congruence classes)

[link] 4.4. Applications of intractability

The computational intractability of certain problems in modular arithmetic makes it possible to address some practical security issues associated with implementing communication protocols. In particular, it helps address two common problems:

parties must communicate over a public communications channel, so everything they send is visible both to their receiver and to anyone that may be eavesdropping;
parties trying to communicate cannot physically meet to agree on shared secret information before communicating.

[link]

Protocol (hard-to-forge identification with meeting): Suppose Alice and Bob know that Alice will need to send Bob a single message at some point in the future. However, it is possible that Eve might try to impersonate Alice and send a message to Bob while pretending to be Alice.

In order to help Bob confirm that a message is truly from Alice (or to determine which message is from Alice given multiple messages), Alice and Bob meet in person and agree on a secret identifier s. When Alice decides to send a message m to Bob, she will send (m, s). Bob can then compare s to his own copy of s and confirm the message is from Alice.

Eve's only attack strategy is to try and guess s. As long as Alice and Bob choose s from a very large range of integers, the probability that Eve can guess s correctly is small.

A major flaw in the above identification protocol is that Alice and Bob must first meet in person to agree on a secret. Can Alice and Bob agree on a secret without meeting in person?

[link]

Protocol (hard-to-forge identification without meeting): Suppose Alice and Bob know that Alice will need to send Bob a single message at some point in the future. Alice prepares for this by doing the following:

choose two large primes p and q at random;
compute n = p ⋅ q;
send the public identifier n to Bob over a public/non-secure communication channel.

When Alice is ready to send her message m to Bob, Alice will send (m, (p, q)), where (p, q) is the private identifier. Bob can confirm that p ⋅ q = n, at which point he will know Alice was the one who sent the message.

[link]

Conjecture (forging identification): The following problem is not in P: in the previously defined protocol, given a public identifier n, compute the private identifier (p, q).

If it were possible to quickly (i.e., in polynomial time) compute the private identifier, then it would be easy to forge the identity of a sender by recording their public identifier n. However, suppose that this forging computation could be used as a subprocedure in a factoring algorithm. Then it would be possible to implement an efficient factoring algorithm. In other words, factoring n can be reduced to forging a private identifier. Thus, the problem of forging a private identifier must not be in P (i.e., the fastest algorithm that exists for forging an identity is not in P, which means there is no polynomial-time for forging an identity).

forging private
identifier for n

conclusion:
cannot be solved in
polynomial time

forging ∉ P

⇐

factoring n

conjecture:
cannot be solved in
polynomial time

factoring ∉ P

Note that the reduction also works in the other direction: an algorithm for factoring can be used for forging an identity. However, this proves nothing about the difficulty of forging! Just because forging can be reduced to an inefficient algorithm for factoring does not mean that there does not exist some other algorithm for forging that does not rely on factoring.

alternative
efficient
algorithm

⇐

forging private
identifier for n

⇒

factoring n

The above identification protocol improves over the previous protocol because it allows Alice and Bob to agree on an identifier for Alice without meeting in person. Its security relies on the fact that it is unlikely that Eve is capable of forging identifiers because her ability to forge would solve a problem that we believe is very difficult to solve.

However, the protocol still has many other flaws. For example, Eve could preempt Alice and send her own signature %n before Alice has a chance to send her signature to Bob. A more thorough examination of such protocols is considered in computer science courses focusing explicitly on the subject of cryptography.

[link]

Protocol (Diffie-Hellman key exchange): We introduce the Diffie-Hellman key exchange protocol. This protocol is useful if two parties who cannot meet physically want to agree on a secret value that only they know.

Public key generation (performed by one party):
1. Randomly choose a public large prime number p ∈ ℕ and an element g ∈ ℤ/pℤ.
Private key generation (performed by both parties):
1. Party A randomly chooses a secret a ∈ ℤ/φ(p)ℤ.
2. Party B randomly chooses a secret b ∈ ℤ/φ(p)ℤ.
Protocol:
1. Party A computes (g^a mod p) and sends this public value to party B.
2. Party B computes (g^b mod p) and sends this public value to party A.
3. Party A computes (g^b mod p)^a mod p.
4. Party B computes (g^a mod p)^b mod p.
5. Since multiplication over ℤ/φ(p)ℤ is commutative, both parties now share a secret g^{a ⋅ b} mod p.

This protocol's security only relies on the discrete logarithm assumption.

It is not known whether the discrete logarithm problem is related to the factoring problem. Factoring can be reduced using a probabilistic approach to the discrete logarithm problem modulo p ⋅ q.

[link]

Protocol (RSA protocol): We introduce the RSA public-key cryptographic protocol. This protocol is useful in many scenarios, such as the following:

a sender wants to send the receiver a secret message over a public channel;
a receiver wants to allow any number of senders to send him messages over a public channel, and the receiver does not yet know who the senders will be.

This protocol can also be used to prove the identity of the receiver.

Key generation (performed by the receiver):
1. Randomly choose two secret prime numbers p ∈ ℕ and q ∈ ℕ of similar size.
2. Compute a public key value n = p ⋅ q.
3. Compute the secret value φ(n) = (p-1) ⋅ (q-1).
4. Choose a public key value e ∈ {2,...,φ(n)-1} such that gcd(e, φ(n)) = 1.
5. Compute the secret private key d = e^-1 mod φ(n)
Protocol (encryption and decryption): There are two participants: the sender and the receiver.
1. The sender wants to send a message m ∈ {0,...,n-1} where gcd(m,n) = 1 to the receiver.
2. The receiver reveals the public key (n,e) to the sender.
3. The sender computes the ciphertext (encrypted message) c = m^e mod n.
4. The sender sends c to the receiver.
5. The receiver can recover the original message by computing m = c^d mod n.

The above encryption-decryption process works because for some k ∈ ℤ:

e ⋅ d

≡

1 (mod φ(n))

1 + φ(n) ⋅ k

(m^e)^d mod n

(m^{1 + φ(n) ⋅ k}) mod n

(m ⋅ (m^{φ(n) ⋅ k})) mod n

(m ⋅ m^φ(n)) mod n

(m ⋅ 1) mod n

m mod n

Besides the message m, there are three pieces of secret information that an eavesdropper cannot know in order for the encryption to provide any privacy:

p and q
φ(n)
d = e^-1

Notice that if an eavesdropper knows p and q where n = p ⋅ q, the eavesdropper can easily compute φ(n) (which was supposed to be private). If the eavesdropper can compute φ(n), then they can use the extended Euclidean algorithm to compute the inverse d = e^-1 of the public key value e. They can then use d to decrypt messages.

Suppose the eavesdropper only knows \phi(%n). Then the eavesdropper can compute %d and decrypt any message. In fact, the eavesdropper can also recover %p and %q.

[link]

Protocol (Rabin cryptosystem): We introduce the Rabin cryptosystem protocol. It is similar to the RSA scheme, but it does not rely on the difficulty of the RSA problem.

Key generation (performed by the receiver):
1. Randomly choose two secret prime numbers p ∈ ℕ and q ∈ ℕ of similar size.
2. Compute a public key value n = p ⋅ q.
Protocol (encryption and decryption): There are two participants: the sender and the receiver.
1. The sender wants to send a message m ∈ {0,...,n-1} to the receiver.
2. The receiver reveals the public key n to the sender.
3. The sender computes the ciphertext (encrypted message) c = m² mod n.
4. The sender sends c to the receiver.
5. The receiver can recover the original message by computing √(c) in ℤ/pℤ and ℤ/qℤ, and then finding the four solutions to the following system by using the Chinese remainder theorem:
  m
  ≡
  √(c) mod p
  m
  ≡
  √(c) mod q.

Notice that the receiver must guess which of the square roots corresponds to the original message. Also notice that it is not a good idea to encrypt messages in the ranges {0, ..., √(n)} and {n − √(n), ..., n − 1} because it is easy to decrypt such messages by computing the integer square root √(c) of c and then confirming that √(c)² ≡ c (mod n).

The following diagram summarizes the relationships between algorithms that might break each of the protocols presented in this section, and existing problems that are believed not to be in P. Thus, our conjectures imply that all of the problems below are not in P.

[link]

breaking
Rabin encryption

⇐

congruent squares
(square roots of
congruence classes)

⇑⇓

finding RSA
secret key

⇐

computing φ(n)
for n = p ⋅ q

⇐
⇒

factoring
n = p ⋅ q

⇑

decrypting individual
RSA messages

⇐

RSA problem
(eth roots of
congruence classes)

breaking
Diffie-Hellman

⇐

discrete logarithm
(logarithms of
congruence classes)

[link]

Fact: Suppose we have some modulus n ∈ ℕ and some a ∈ (ℤ/nℤ)*. Let r ∈ ℤ/φ(n)ℤ be the smallest r such that a^r ≡ 1 (mod n). Then it must be that r | φ(n).

To see why, suppose that φ(n) is not divisible by r. Then there must be some c < r such that:

φ(n)

c + k ⋅ r

But if that's true, we have:

a^φ(n)

≡

a^{c + k ⋅ r}

≡

a^c ⋅ a^{k ⋅ r}

≡

a^c ⋅ (a^r)^k

≡

a^c

The above implies a^c ≡ a^φ(n) ≡ 1. But since c < r, this contradicts our initial assumption. Thus, it must be that r | φ(n).

Recall the algorithm we learned before for generating random numbers based on using the multiples of a congruence class. In a setting with an adversary, we could imagine the adversary may want to predict the next random number in a sequence given some partial information. If we are using the original algorithm, an adversary can do this efficiently.

Suppose the adversary knows the modulus n, and knows that some number r is the ith random number in the sequence. The adversary then knows the following equation must hold:

a ⋅ i

≡

r (mod n)

If it happens to be the case that gcd(i, n) = 1, the adversary can then compute the original "seed" a by doing a single inversion followed by a single multiplication:

i^-1 ⋅ a ⋅ i

≡

i^-1 ⋅ r (mod n)

≡

i^-1 ⋅ r

This would then allow the adversary to predict any random number in the sequence.

Suppose the adversary knows the modulus n, and knows that the "seed" for a random sequence is a. Then given a random number in the sequence r, the adversary can determine which number in the sequence it must be by using the same equation as above and computing a^-1 (mod n):

a ⋅ i

≡

r (mod n)

a^-1 ⋅ a ⋅ i

≡

a^-1 ⋅ r

≡

a^-1 ⋅ r

We can use what we have learned about intractable problems to create an algorithm for generating random numbers that is slightly more robust against the two attacks described above.

[link]

Algorithm: The following is another possible implementation of a random number generation algorithm.

inputs: upper bound n ∈ ℕ, seed a ∈ (ℤ/nℤ)*, index i ∈ {2,...,φ(n) − 1}
1. return (aⁱ) mod n

One downside of this algorithm is that it will never produce a permutation of ℤ/nℤ. Even if n is prime and greater than 2, then φ(n) must be composite (since it is even), which means that the smallest exponent i that solves the identity aⁱ ≡ 1 could be some factor of φ(n). Even if φ(n) happens to be prime, it cannot be close to n (since n cannot then also be prime, which means φ(n) ≠ n − 1). However, this algorithm does have a few benefits if an adversary is involved.

Given some partial information, an adversary would have a more difficult time making predictions about the random sequence. Suppose the adversary knows the modulus n, and knows that some number r is the ith random number in the sequence. The adversary then knows the following equation must hold:

aⁱ

≡

r (mod n)

However, in order to compute a, the adversary would now need to compute the ith root of the congruence class r modulo n. Effectively, this means the adversary could solve the RSA problem if i > 2 (or the congruent squares problem if i = 2). If we believe these problems cannot be solved efficiently, such an adversary cannot exist.

Alternatively, suppose the adversary knows the modulus n, and knows that the "seed" for a random sequence is a. Then given a random number in the sequence r, the adversary could try to determine which number in the sequence it must be by solving the following equation for i:

aⁱ

≡

r (mod n)

If the adversary can do so, then the adversary can solve the discrete logarithm problem, so it is unlikely that such an adversary exists.

[link]

Example: Bob decides to create his own online currency BobCoin. Bob knows that in order for BobCoin to be successful, it needs to be possible to make more BobCoins as more and more people start using them. However, he also does not want rapid inflation to occur. Thus, Bob issues BobCoins according to the following protocol:

every day, Bob chooses two new random primes p and q;
Bob computes n = p ⋅ q, and then discards p and q;
Bob posts n online for everyone to see;
at any time on that day, anyone can submit a factor f of n;
if f is a factor of n, Bob issues that person a BobCoin, invalidates n permanently so that no one else can use it, and generates a new n.

Why is it okay for Bob to discard p and q?
Because Bob can easily check whether a submitted f actually is a factor by computing gcd(f, n), or simply dividing n by f.
Suppose that Bob always posts numbers n that have 100 digits, and it takes the fastest computer one year to factor a 100-digit number through trial and error. If Alice wants to earn a BobCoin in one day, how many computers will Alice need to run in parallel to earn a BobCoin?
Since it takes a 365 days to try all possible k factors of a 100-digit number, in one day one computer can try 1/365 ⋅ k factors. Thus, Alice would need 365 computers that she could run for one day, with each computer looking through a different region of factors.
Suppose Bob wants to issue a complimentary BobCoin coupon to a group of 100 people. However, he wants to make sure that they can use their BobCoin coupon only if at least 20 out of those 100 people agree that the coupon should be redeemed for a BobCoin. How can Bob accomplish this?
Bob can use Shamir secret sharing to accomplish this. Bob can take one of the factors f of n when he generates n, and choose 100 distinct primes such that the product of any 20 of the primes is greater than f while the product of any 19 of these primes is less than f. Bob can then distribute f mod m for each prime modulus m to each of the 100 people. If any 20 (or greater) of these 100 people agree to redeem the coupon, then can use CRT to reconstruct f and submit it to Bob for redemption.

[link] 5. Algebraic Structures

In the previous sections, we studied a specific algebraic structure, ℤ/nℤ, as well as its operations (e.g., addition, multiplication), and its properties (commutativity, associativity, and so on). There exist many other algebraic structures that share some of the properties of ℤ/nℤ. In fact, we can create a hierarchy, or even a web, of algebraic structures by picking which properties of ℤ/nℤ we keep and which we throw away.

Showing that some new algebraic structure is similar or equivalent to another, more familiar structure allows us to make inferences about that new structure based on everything we already know about the familiar structure. In computer science, the ability to compare algebraic structures using their properties is especially relevant because every time a programmer defines a new data structure and operations on that data structure, they are defining an algebraic structure. Which properties that algebraic structure possesses determines what operations can be performed on it, in what order they can be performed, how efficiently they can be performed, and how they can be broken down and reassembled.

[link] 5.1. Permutations

Recall that a permutation on a set X is a bijective relation between X and X (i.e., a subset of the set product X × X). Since a permutation is a bijective map (i.e., a function), we can reason about composition of permutations (it is just the composition of functions). Thus, we can study sets of permutations as algebraic structures under the composition operation o.

Notice that for any set X of finite size n, we can relabel the elements of X to be {0,...,n-1} (that is, we can define a bijection between X and {0,...,n-1}). Thus, we can study permutations on {0,...,n-1} without loss of generality. We will adopt the following notation for permutations:

[a₁,...,a_n]

Where a₁,...,a_n is some rearrangement of the integers from 0 to n-1. For example, the identity permutation on n elements would be:

[0,1,2,3,4,5,...,n-1]

[link]

Definition: Any permutation that swaps exactly two elements is called a swap. Examples of swaps are [0,3,2,1], [1,0], and [0,6,2,3,4,5,1].

[link]

Definition: Any permutation that swaps exactly two adjacent elements is called an adjacent swap. Examples of adjacent swaps are [0,1,3,2], [1,0,2,3,4], and [0,1,3,2,4,5,6].

[link]

Definition: Define S_n to be the set of all permutations of the set {0,...,n-1}.

[link]

Example: The set of permutations of {0,1} is S₂ = {[0,1], [1,0]}.

[link]

Example: The set of permutations of {0,1,2} is S₃ = {[0,1,2], [0,2,1], [1,0,2], [1,2,0], [2,0,1], [2,1,0]}.

[link]

Fact: The set S_n contains n! permutations.

Suppose we want to construct a permutation [a₁,...,a_n] using the elements in {0,...,n-1}, where we are only allowed to take each element in the set once and assign it to an unassigned entry a_i. Then for the first slot, we have n possibilities; for the second, we have n-1 possibilities. For the third, we have n-2 possibilities, and so on until we have only one possibility left. Thus, the number of possible permutations we can make is:

n ⋅ (n-1) ⋅ (n-2) ⋅ ... ⋅ 2 ⋅ 1

[link]

Definition: Define the set C_n to be the set of all cyclic permutations on n elements. Any permutation that performs a circular shift on elements is a cyclic permutation (also known as a cyclic shift permutation, a circular shift permutation, or just a shift permutation). Examples of shifts are [6,7,0,1,2,3,4,5], [2,3,4,0,1], and [4,0,1,2,3].

[link]

Definition: Define the set M_n to be the set of all multiplication-induced permutations on n elements. Any permutation on n elements that corresponds to multiplication by some coprime a < n is called a multiplication-induced permutation. Examples of such permutations include [0,2,4,1,3] (corresponding to multiples 2 ⋅ i for ascending i in ℤ/5ℤ).

[link]

Example: The set of multiplication-induced permutations on 6 elements (i.e., permutations of {0,1,2,3,4,5}) is the collection of permutations of the form [a ⋅ 0 mod 6, a ⋅ 1 mod 6, a ⋅ 2 mod 6, a ⋅ 3 mod 6, a ⋅ 4 mod 6, a ⋅ 5 mod 6] for each a that is coprime with 6. Thus, a ∈ {1,5}, and so we have:

M₆ = {[0,1,2,3,4,5], [0,5,4,3,2,1]}.

[link]

Example: The set of multiplication-induced permutations on 7 elements (i.e., permutations of {0,1,2,3,4,5,6}) is:

M₇ = {[0,1,2,3,4,5,6], [0,2,4,6,1,3,5], [0,3,6,2,5,1,4], [0,4,1,5,2,6,3], [0,5,3,1,6,4,2], [0,6,5,4,3,2,1]}.

Note that |M₇| = φ(7) = 6 because there are 6 possible a ∈ ℤ/7ℤ that are coprime with 7.

[link] 5.2. Isomorphisms: Equivalence of Algebraic Structures

An algebraic structure is a set together with a binary operator over that set. All algebraic structures are closed under their binary operation.

[link]

Definition: Let S be a set, and let ⊕ be a binary operator. Let closure(S,⊕) be the closure of S under ⊕. We can define the set closure(S,⊕) in the following way:

closure(S, ⊕)

{ x₁ ⊕ x₂ | x₁,x₂ ∈ S } ∪ { x₁ ⊕ (x₂ ⊕ x₃) | x₁,x₂,x₃ ∈ S } ∪ { (x₁ ⊕ x₂) ⊕ x₃ | x₁,x₂,x₃ ∈ S } ∪ ...

Alternatively, we could define it in the following way using recursion:

closure₀(S, ⊕)

closure_n(S, ⊕)

{ x ⊕ y | x,y ∈ (closure_n-1(S, ⊕) ∪ ... ∪ closure₀(S, ⊕)}

closure(S, ⊕)

closure₀(S, ⊕) ∪ closure₁(S, ⊕) ∪ closure₂(S, ⊕) ∪ ...

Notice that if a set S is finite, there is a natural way to algorithmically list all elements in closure(S, ⊕) by starting with the elements in S and "building up" all the elements in each of the closure_i(S, ⊕) subsets.

The concept of an isomorphism between two algebraic structures captures the fact that two structures are not only the same size, but that the two structures have the same internal "structure" with respect to their respective operations. Isomorphisms are useful because they allow us to learn more about a structure by studying the structure isomorphic to it. They can also be useful because if two structures are isomorphic, we can perform computations in one structure instead of another structure (e.g., because it is more secure, more efficient, and so on) while obtaining the same final result.

[link]

Fact: Let A be an algebraic structure with operator ⊕ and let B be an algebraic structure with operator ⊗. We say that A is isomorphic to B, which we denote as (A,⊕) ≅ (B,⊗) or simply A ≅ B, if the following conditions hold:

there exists a bijection (i.e., a bijective relation) between A and B, which we denote using = ;
for all a, a' ∈ A and b,b' ∈ B, if a = b and a' = b' then a ⊕ a' = b ⊗ b'.

Another way to state the definition is to write it in terms of a bijective map m between A and B:

there exists a bijective map m between A and B;
for all a, a' ∈ A, m(a ⊕ a') = m(a) ⊗ m(a').

In other words, an isomorphism is a bijection that preserves (or respects) the binary operations on the two sets: if any true equation involving elements from A and the operator ⊕ is transformed by replacing all elements of a with their corresponding elements m(b) ∈ B and by replacing all instances of ⊕ with ⊗, the resulting equation is still true.

[link]

Example: Consider the set of permutations on two elements S₂ and the set of congruence classes ℤ/2ℤ. It is true that (S₂,o) ≅ (ℤ/2ℤ,+), where o is composition of permutations and where + is addition of congruence classes in ℤ/2ℤ. The following table demonstrates the bijection:

S₂	ℤ/2ℤ
[0,1]	0
[1,0]	1

The following table demonstrates that the bijection above respects the two operations.

S₂	ℤ/2ℤ
[0,1] o [0,1] = [0,1]	0 + 0 = 0
[0,1] o [1,0] = [1,0]	0 + 1 = 1
[1,0] o [0,1] = [1,0]	1 + 0 = 1
[1,0] o [1,0] = [0,1]	1 + 1 = 0

Another way to demonstrate the above is to show that the "multiplication tables" (though the operation need not be multiplication) for the two operators are exactly the same (i.e., the entries in the multiplication table all correspond according to the bijection).

+ o	0 [0,1]	1 [1,0]
0 [0,1]	0 [0,1]	1 [1,0]
1 [1,0]	1 [1,0]	0 [0,1]

[link]

Fact: For any positive integer n ∈ ℕ, (ℤ/nℤ,+) ≅ (C_n, o).

[link]

Example: Consider the set of cyclic permutations on three elements C₃ and the set of congruence classes ℤ/3ℤ. It is true that (C₃,o) ≅ (ℤ/3ℤ,+).

C₃	ℤ/3ℤ
[0,1,2] o [0,1,2] = [0,1,2]	0 + 0 = 0
[0,1,2] o [1,2,0] = [1,2,0]	0 + 1 = 1
[0,1,2] o [2,0,1] = [2,0,1]	0 + 2 = 2
[1,2,0] o [0,1,2] = [1,2,0]	1 + 0 = 1
[1,2,0] o [1,2,0] = [2,0,1]	1 + 1 = 2
[1,2,0] o [2,0,1] = [0,1,2]	1 + 2 = 0
[2,0,1] o [0,1,2] = [2,0,1]	2 + 0 = 2
[2,0,1] o [1,2,0] = [0,1,2]	2 + 1 = 0
[2,0,1] o [2,0,1] = [1,2,0]	2 + 2 = 1

[link]

Example: To compute the composition of two permutations [45,46,...,49,0,1,2,...,44] o [3,4,5,...,49,0,1,2], it is sufficient to recognize that [45,46,...,49,0,1,2,...,44] corresponds to 45 ∈ ℤ/50ℤ, and [3,4,5,...,49,0,1,2] corresponds to 3 ∈ ℤ/50ℤ. Thus, since 45 + 3 = 48, the result of the composition must be [48,49,0,1,2,...,47].

45 + 3

[45,46,...,49,0,1,2,...,44] o [3,4,5,...,49,0,1,2]

[48,49,0,1,2,...,47]

[link]

Fact: For any prime p ∈ ℕ, (ℤ/φ(p)ℤ,+) ≅ ((ℤ/pℤ)*, ⋅).

Note that |ℤ/φ(p)ℤ| = φ(p) = |(ℤ/pℤ)*|.

[link]

Example: Consider the set ℤ/2ℤ with the addition operation + modulo 2, and the set (ℤ/3ℤ)* together with the multiplication operation ⋅ modulo 3. It is true that (ℤ/2ℤ, +) ≅ ((ℤ/3ℤ)*,⋅).

(ℤ/2ℤ, +)	*((ℤ/3ℤ), ⋅)**
0 + 0 = 0	1 ⋅ 1 = 1
0 + 1 = 1	1 ⋅ 2 = 2
1 + 0 = 1	2 ⋅ 1 = 2
1 + 1 = 0	2 ⋅ 2 = 1

[link]

Example: Consider the set ℤ/2ℤ with the addition operation + modulo 2, and the set (ℤ/6ℤ)* together with the multiplication operation ⋅ modulo 6. It is true that (ℤ/2ℤ, +) ≅ ((ℤ/6ℤ)*,⋅). Note that (ℤ/6ℤ)* = {1,5}, because only 1 and 5 in the range {0,...5} are coprime with 6.

(ℤ/2ℤ, +)	*((ℤ/6ℤ), ⋅)**
0 + 0 = 0	1 ⋅ 1 = 1
0 + 1 = 1	1 ⋅ 5 = 5
1 + 0 = 1	5 ⋅ 1 = 5
1 + 1 = 0	5 ⋅ 5 = 1

Isomorphisms need not be defined between different sets. It is possible to define an isomorphism between a set and itself that has non-trivial, interesting, and even useful characteristics.

[link]

Fact: For any n ∈ ℕ and any a ∈ ℤ/nℤ where a is coprime with n, (ℤ/nℤ,+) ≅ (ℤ/nℤ,+) under the bijection that relates x ∈ ℤ/nℤ with a ⋅ x ∈ ℤ/nℤ. This is because for any x,y ∈ ℤ/nℤ, we have:

a ⋅ (x + y)

≡

a ⋅ x + a ⋅ y

[link]

Fact: For any n ∈ ℕ and any e ∈ ℤ/φ(n)ℤ where e is coprime with φ(n), ((ℤ/nℤ)*,⋅) ≅ ((ℤ/nℤ)*,⋅) under the bijection that relates x ∈ (ℤ/nℤ)* with x^e ∈ (ℤ/nℤ)*. This is because for any x, y ∈ (ℤ/nℤ)*, we have:

(x ⋅ y)^e

≡

x^e ⋅ y^e (mod n)

[link]

Example: Consider the set ℤ/3ℤ with the addition operation + modulo 3, and another instance of the set ℤ/3ℤ with the addition operation + modulo 3. The following is a bijection between (ℤ/3ℤ, +) and (ℤ/3ℤ, +):

ℤ/3ℤ	ℤ/3ℤ
0	0
1	2
2	1

Note that the above bijection corresponding to multiplication by 2 modulo 3, since 0 ⋅ 2 ≡ 0, 1 ⋅ 2 ≡ 2, and 2 ⋅ 2 ≡ 1. This bijection is an isomorphism (and is an instance of this fact about isomorphisms):

ℤ/3ℤ	ℤ/3ℤ
0 + 0 = 0	0 + 0 = 0
0 + 1 = 1	0 + 2 = 2
0 + 2 = 2	0 + 1 = 1
1 + 0 = 1	2 + 0 = 2
1 + 1 = 2	2 + 2 = 1
1 + 2 = 0	2 + 1 = 0
2 + 0 = 2	1 + 0 = 1
2 + 1 = 0	1 + 2 = 0
2 + 2 = 1	1 + 1 = 2

If we only consider algebraic structures with particular algebraic properties, we can actually show that there is only one algebraic structure of a particular size (i.e., there is only one "isomorphism class" of algebraic structures having that size).

[link]

Fact: Suppose we have an algebraic structure (A, ⊕) with two elements in which the elements in the set must have inverses, one of them must be an identity, and ⊕ is associative. Without loss of generality, let's label the two elements a and b, and let a be the label of the identity element. Because a is the identity, we must have:

a ⊕ a

a ⊕ b

b ⊕ a

The identity is its own inverse, so a^-1 = a. The only question that remains is to determine what b ⊕ b must be. If we have b ⊕ b = b, then we must ask what the inverse of b can be (since it isn't b itself, as we would then have b ⊕ b = a). But then the only option is a. That would mean that b ⊕ a should be a (since b and its inverse should yield the identity element). But this contradicts the equations we already derived above. So it must be that b is its own inverse:

a ⊕ b

Thus, there can be only one distinct algebraic structure (in terms of its "multiplication table") having two elements; it's the algebraic structure isomorphic to (A, ⊕), as well as all the other algebraic structures isomorphic to it: (S₂, o), (C₂, o), (ℤ/2ℤ, +), ((ℤ/3ℤ)*, ⋅), ((ℤ/6ℤ)*, ⋅), and so on.

[link]

Example (partial homomorphic encryption supporting addition): Suppose that for some n ∈ ℕ, Alice wants to store a large number of congruence classes b₁,...,b_k ∈ ℤ/nℤ in Eve's database (perhaps Alice will generate or collect these over a long period of time). Alice does not have enough memory to store the congruence classes herself, but she does not want to reveal the congruence classes to Eve.

What Alice can do before she stores anything in Eve's database is to pick some secret a ∈ ℤ/nℤ that is coprime with n. Then, every time Alice needs to store some b in Eve's database, Alice will instead send Eve the obfuscated value (a ⋅ b) mod n. Since a is coprime with n, there exists a^-1 ∈ ℤ/nℤ. Thus, if Alice retrieves some obfuscated data entry c from Eve's database, she can always recover the original value by computing (a^-1 ⋅ c) mod n, because:

a^-1 ⋅ (a ⋅ b)

≡

b (mod n)

Furthermore, Alice can ask Eve to compute the sum (modulo n) of all the entries in the database (or any subset of them). Suppose that Alice has stored obfuscated versions of b₁,...,b_k ∈ ℤ/nℤ in Eve's database. Then if Eve computes the sum of all the obfuscated entries stored in her database, she will get:

a ⋅ b₁ + ... + a ⋅ b_k

a ⋅ (b₁ + ... + b_k) (mod n)

Thus, if Alice asks Eve for the sum of all the obfuscated entries in the database, Alice can recover the actual sum of the original entries that she stored in the database because:

a^-1 ⋅ (a ⋅ (b₁ + ... + b_k))

b₁ + ... + b_k (mod n)

In this way, Alice has avoided having to store and add all the database entries, while preventing Eve finding out the actual entries, or their sum.

[link]

Example (partial homomorphic encryption supporting multiplication): Suppose that for some n ∈ ℕ, Alice wants to store a large number of congruence classes b₁,...,b_k ∈ (ℤ/nℤ)* in Eve's database. Alice does not have enough memory to store the congruence classes herself, but she does not want to reveal the congruence classes to Eve.

We assume that Alice knows or can easily compute φ(n), while Eve does not know and cannot compute it (perhaps Alice generated n using a method similar to the one in RSA encryption protocol).

What Alice can do before she stores anything in Eve's database is to pick some secret e ∈ ℤ/φ(n)ℤ that is coprime with φ(n). Since Alice knows e and φ(n), she can compute e^-1 using the extended Euclidean algorithm.

Then, every time Alice needs to store some b in Eve's database, Alice will instead send Eve the encrypted value b^e mod n. If Alice retrieves some encrypted data entry c from Eve's database, she can always recover the original value by computing (c^{e^-1}}) mod n, because by Euler's theorem:

(b^e)^{e^-1}

≡

b^{e ⋅ e^-1}

≡

b (mod n)

Furthermore, Alice can ask Eve to compute the product (modulo n) of all the entries in the database (or any subset of them). Suppose that Alice has stored encrypted versions of b₁,...,b_k ∈ ℤ/nℤ in Eve's database. Then if Eve computes the product of all the encrypted entries stored in her database, she will get:

b₁^e ⋅ ... ⋅ b_k^e

(b₁ ⋅ ... ⋅ b_k)^e (mod n)

Thus, if Alice asks Eve for the product of all the encrypted entries in the database, Alice can recover the actual product of the original entries that she stored in the database because:

((b₁ ⋅ ... ⋅ b_k)^e)^{e^-1}

b₁ ⋅ ... ⋅ b_k (mod n)

In this way, Alice has avoided having to store and multiply all the database entries, while preventing Eve from finding out the actual entries, or their product. Furthermore, because it is believed that factoring n, computing φ(n), and solving the RSA problem is computationally difficult, it is highly unlikely that Eve can decrypt the database entries or the result.

We know by Euler's theorem and the algebraic properties of exponents that for any ℤ/nℤ, any b ∈ (ℤ/nℤ)*, and any x, y ∈ ℤ/φ(n)ℤ the following identity must hold:

b^x ⋅ b^y

≡

b^{x + y} (mod n)

≡

b^{(x + y) mod φ(n)} (mod n)

We might naturally ask whether there might be an isomorphism between (ℤ/φ(n)ℤ, +) and ((ℤ/nℤ)*, ⋅). In fact, sometimes there is (although more often it is an isomorphism between a subset of (ℤ/nℤ)* and ℤ/kℤ for k | φ(n)).

Given the above, we might ask whether it might be possible to create a homomorphic encryption protocol using an isomorphism of the form (ℤ/φ(n)ℤ, +) ≅ ((ℤ/nℤ)*, ⋅) in which Alice can encrypt her data x and y by computing b^x (mod n) and b^y (mod n). This should be secure because it is believed that no efficient algorithms for computing discrete logarithms exist. Then, in order to have Eve compute a sum of the data values x and y, Alice can ask Eve to compute the product b^x ⋅ b^y on her end, which is equivalent to b^{x + y}.

However, there is a flaw in this protocol: Alice has no way to retrieve x + y from b^{x + y} because that requires computing a discrete logarithm, as well. Thus, an isomorphism of the form (ℤ/φ(n)ℤ, +) ≅ ((ℤ/nℤ)*, ⋅) would not necessarily give us a practical homomorphic encryption protocol.

[link]

Fact: Given a set of possible data values ℤ/nℤ (e.g., integers within a certain range), any compression algorithm for elements in ℤ/nℤ must be a bijection and a permutation (since it must be invertible in order for decompression to be possible). As a result, it must necessarily expand the representation size of some elements.

[link]

Example: Suppose that we are working with elements in ℤ/11ℤ = {0,1,2,3,4,5,6,7,8,9,10}. Suppose we define an algorithm that compresses 10 ∈ ℤ/11ℤ into an element in ℤ/11ℤ with a smaller representation size. One example of such an element is 1, since:

10 ⋅ 10

≡

1 (mod 11)

Thus, one possible implementation of a compression algorithm is a function that takes any x ∈ ℤ/11ℤ and returns (10 ⋅ x) mod 11. Since 10 has an inverse in ℤ/11ℤ, this function is invertible, so decompression is possible (simply multiply by 10 again). However, this will necessarily expand the representation of at least one value: 1 ∈ ℤ/11ℤ:

10 ⋅ 1

≡

10 (mod 11)

Note that this cannot be avoided because multiplying all the elements in ℤ/11ℤ by 10 amounts to a permutation, so at least one compressed element must be 10.

[link] 5.3. Generators of Algebraic Structures

Because an algebraic structure (A,⊕) often consists of a set of objects that can be "built up" using the binary operator ⊕ from a smaller, possibly finite, collection of generators G ⊂ A, it is often easier to reason about an algebraic structure by first reasoning about its generators, and then applying structural induction.

[link]

Fact: Let W be the set of swap permutations on n elements. Then W is a set of generators for the set of permutations S_n, which can be defined as:

closure(W, o)

[link]

Fact: Let A be the set of adjacent swap permutations on n elements. Then A is a set of generators for the set of permutations S_n, which can be defined as:

closure(A, o)

[link]

Fact: The set ℤ/nℤ has a single generator 1 ∈ ℤ/nℤ with respect to addition + modulo n:

ℤ/nℤ

closure({1}, +)

[link]

Fact: If a and n are coprime, then a is a generator for ℤ/nℤ with respect to addition + modulo n:

ℤ/nℤ

closure({a}, +)

[link]

Fact: Suppose we have two algebraic structures A and B where for some operator ⊕:

closure({a}, ⊕)

closure({b}, ⊕)

If the generator a can be expressed in terms of b, i.e., a = b ⊕ ... ⊕ b, then it must be that:

⊂

Furthermore, if in addition to the above, the generator b can be expressed in terms of a, i.e., b = a ⊕ ... ⊕ a, then it must be that:

⊂

This would then imply (by basic set theory):

[link] 5.4. Isomorphisms and Linear Equations of Congruence Classes

[link]

Fact: Let n be a positive integer. Then if + represents addition modulo n, we have:

ℤ/nℤ

≅

closure({1}, +)

In other words, 1 is a generator for ℤ/nℤ with respect to +.

[link]

Fact: Let a and n be coprime positive integers. Then if + represents addition modulo n, we have:

ℤ/nℤ

≅

closure({a}, +)

In other words, a can be a single generator for ℤ/nℤ with respect to +. This is equivalent to a fact we have already seen.

[link]

Fact: Let a and n be any two positive integers. Then if + represents addition modulo n, we have:

ℤ/(n/gcd(n,a))ℤ

≅

closure({a}, +)

≅

closure({gcd(n,a)}, +)

[link]

Example: Consider n = 6 and a = 4. Then we have g = gcd(4,6) = 2. We have:

closure({4}, +)

{4 ⋅ 0, 4 ⋅ 1, 4 ⋅ 2}

{0, 4, 2}

closure({2}, +)

Note that:

2 + 2 (mod 6)

4 + 4 (mod 6)

Thus, 2 can be expressed using the generator 4, and 4 can be expressed using the generator 2.

[link]

Fact (linear congruence theorem): Suppose that for a positive integer n and two congruence classes a ∈ ℤ/nℤ and b ∈ ℤ/nℤ where g ≡ gcd(a,n), we are given the following equation:

a ⋅ x

≡

b (mod n)

Since a and n are not coprime, we cannot solve the above equation. Furthermore, if b ∉ closure({a}, +), we know the equation cannot be solved. Since closure({a}, +) = closure({g}, +), the equation can only be solved if b ∈ closure({g}, +). In other words, the equation can only be solved if g|b.

Note that if g ≡ gcd(a,n) and b ∈ closure({g}, +), we have:

n' ⋅ g

a' ⋅ g

b' ⋅ g

(a' ⋅ g) ⋅ x

≡

(b' ⋅ g) (mod (n' ⋅ g))

We can then rewrite the above as:

(a' ⋅ g) ⋅ x

(b' ⋅ g) + k ⋅ (n' ⋅ g)

We can divide both sides of the above equation by g:

a' ⋅ x

b' + k ⋅ n'

We can convert the above equation back into an equation of congruence classes:

a' ⋅ x

≡

b' mod n'

At this point a' and n' are coprime, we can compute a'^-1 (mod n') and multiply both sides by it to find our solution x:

a'^-1 ⋅ a' ⋅ x

≡

a'^-1 ⋅ b' mod n'

≡

a'^-1 ⋅ b' mod n'

[link]

Example: Solve the following equation for x ∈ ℤ/8ℤ, or explain why no solution exists:

2 ⋅ x

≡

3 (mod 8)

[link]

Example: Solve the following equation for x ∈ ℤ/24ℤ, or explain why no solution exists:

16 ⋅ x

≡

7 (mod 24)

[link]

Example: Solve the following equation for x ∈ ℤ/15ℤ, or explain why no solution exists:

9 ⋅ x

≡

6 (mod 15)

[link]

Example: Suppose we want to find all the solutions in ℤ/6ℤ to the following equation:

2 ⋅ x

≡

4 (mod 6)

Using the linear congruence theorem, we can find the unique solution modulo 3:

≡

2 (mod 3)

The solutions modulo 6 will be those congruence classes in ℤ/6ℤ whose integer representatives are members of 2 + 3ℤ = {..., 2, 5, 8, 11, 14, ...}. These are 2 + 6ℤ and 5 + 6ℤ, since 2 ≡ 2 (mod 3) and 5 ≡ 2 (mod 3). Note that:

2 + 3ℤ

2 + 6ℤ ∪ 5 + 6ℤ

{..., 2, 5, 8, 11, 14, 17, 20, ...}

{..., 2, 8, 14, 20, ...} ∪ {..., 5, 11, 17, ...}

[link] 5.5. Isomorphisms and the Chinese Remainder Theorem

[link]

Fact (Chinese remainder theorem isomorphism): Let n and m be coprime positive integers. Let ℤ/nℤ × ℤ/mℤ be the set product of ℤ/nℤ and ℤ/mℤ, and let ⊕ be an operation on ℤ/nℤ × ℤ/mℤ defined as follows:

(a,b) ⊕ (c,d)

(a + c,b + d)

Then it is true that (ℤ/nℤ × ℤ/mℤ, ⊕) ≅ (ℤ/(m ⋅ n)ℤ, +). The bijective relationship in this isomorphism is as follows:

(a mod n, b mod m) ∈ ℤ/nℤ × ℤ/mℤ

corresponds to

(a ⋅ (m ⋅ m^-1) + b ⋅ (n ⋅ n^-1)) ∈ ℤ/(m ⋅ n)ℤ

In other words, given (a, b), we can map it to a ⋅ (m ⋅ m^-1) + b ⋅ (n ⋅ n^-1), and given some c = a ⋅ (m ⋅ m^-1) + b ⋅ (n ⋅ n^-1) from ℤ/(n ⋅ m)ℤ, we can map it back to ℤ/nℤ × ℤ/mℤ using (c mod n, c mod m).

[link]

Example (partial homomorphic encryption with validation): Suppose that for some p ∈ ℕ, Alice wants to store a large number of congruence classes b₁,...,b_k ∈ (ℤ/pℤ)* in Eve's database. Alice does not have enough memory to store the congruence classes herself, but she does not want to reveal the congruence classes to Eve. Alice also wants Eve to compute the product of the congruence classes for her as in this example. However, because Alice does not actually have the numbers Eve is multiplying, Alice has no way to know that the product Eve returns to her corresponds to the actual product; perhaps Eve is saving money and cheating by returning a random number to Alice.

To address this, Alice first chooses a new prime q (distinct from p). She then computes n = p ⋅ q and φ(n) = (p − 1) ⋅ (q − 1), finds e ∈ (ℤ/φ(n)ℤ)* and computes d ≡ e^-1 (mod φ(n)). This will allow Alice to encrypt things before storing them in Eve's database. However, at this point Alice will not simply encrypt her congruence classes b₁, ..., b_k.

Instead, Alice will first choose a single random value r ∈ ℤ/qℤ. Then, Alice will map each of her values (b_i, r) ∈ ℤ/pℤ × ℤ/qℤ via the CRT isomorphism to some values c_i ∈ ℤ/nℤ. Alice will then encrypt the values c_i by computing c_i^e (mod n), and will submit these values to Eve's database. Now, whenever Alice can ask Eve to compute the following product:

c₁^e ⋅ ... ⋅ c_k^e

≡

(c₁ ⋅ ... ⋅ c_k)^e (mod n)

If Eve returns the product (c₁ ⋅ ... ⋅ c_k)^e to Alice, Alice can decrypt it by computing:

((c₁ ⋅ ... ⋅ c_k)^e)^d

≡

c₁ ⋅ ... ⋅ c_k (mod n)

Next, Alice can compute (c₁ ⋅ ... ⋅ c_k) mod p to retrieve the actual product in ℤ/pℤ. However, Alice also wants to make sure that Eve actually multiplied all the entries. Alice can do so by computing:

(c₁ ⋅ ... ⋅ c_k) mod q

≡

r ⋅ ... ⋅ r (mod q)

≡

r^k (mod q)

Alice can quickly compute r^k (mod q) and compare it to (c₁ ⋅ ... ⋅ c_k) mod q. This gives Alice some confidence (but not total confidence) that Eve actually computed the product because it ensures that Eve really did multiply k distinct values provided by Alice.

What is one way that Eve can still cheat and save money under these circumstances (if she knows that Alice is using this validation method)? Is there any way Alice can counter this (hint: what if Alice chooses different values r for each entry)?

[link]

Fact: Let n and m be positive integers. and let g = gcd(n,m). Let ℤ/(n/g)ℤ × ℤ/(m/g)ℤ × ℤ/gℤ be a set product, and let ⊕ be an operation on ℤ/(n/g)ℤ × ℤ/(m/g)ℤ × ℤ/gℤ defined as follows:

(a,b,c) ⊕ (x,y,z)

(a + x,b + y, c + z)

Then it is true that (ℤ/(n/g)ℤ × ℤ/(m/g)ℤ × ℤ/gℤ, ⊕) ≅ (ℤ/((m ⋅ n)/g)ℤ, +).

[link]

Example: Consider the set ℤ/2ℤ × ℤ/3ℤ with the operation ⊕, and the set ℤ/6ℤ together with the operation +. It is true that (ℤ/2ℤ × ℤ/3ℤ, ⊕) ≅ (ℤ/6ℤ, +). The bijection is specified below.

ℤ/2ℤ × ℤ/3ℤ	ℤ/6ℤ
(0,0)	0
(0,1)	4
(0,2)	2
(1,0)	3
(1,1)	1
(1,2)	5

The isomorphism is demonstrated below.

ℤ/2ℤ × ℤ/3ℤ	ℤ/6ℤ
(0,0) ⊕ (0,0) = (0,0)	0 + 0 = 0
(0,0) ⊕ (0,1) = (0,1)	0 + 4 = 4
(0,0) ⊕ (0,2) = (0,2)	0 + 2 = 2
(0,0) ⊕ (1,0) = (1,0)	0 + 3 = 3
(0,0) ⊕ (1,1) = (1,1)	0 + 1 = 1
(0,0) ⊕ (1,2) = (1,2)	0 + 5 = 5
(0,1) ⊕ (0,0) = (0,1)	4 + 0 = 4
(0,1) ⊕ (0,1) = (0,2)	4 + 4 = 2
(0,1) ⊕ (0,2) = (0,0)	4 + 2 = 0
(0,1) ⊕ (1,0) = (1,1)	4 + 3 = 1
(0,1) ⊕ (1,1) = (1,2)	4 + 1 = 5
(0,1) ⊕ (1,2) = (1,0)	4 + 5 = 3

ℤ/2ℤ × ℤ/3ℤ	ℤ/6ℤ
(0,2) ⊕ (0,0) = (0,2)	2 + 0 = 2
(0,2) ⊕ (0,1) = (0,0)	2 + 4 = 0
(0,2) ⊕ (0,2) = (0,1)	2 + 2 = 4
(0,2) ⊕ (1,0) = (1,2)	2 + 3 = 5
(0,2) ⊕ (1,1) = (1,0)	2 + 1 = 3
(0,2) ⊕ (1,2) = (1,1)	2 + 5 = 1
(1,0) ⊕ (0,0) = (1,0)	3 + 0 = 3
(1,0) ⊕ (0,1) = (1,1)	3 + 4 = 1
(1,0) ⊕ (0,2) = (1,2)	3 + 2 = 5
(1,0) ⊕ (1,0) = (0,0)	3 + 3 = 0
(1,0) ⊕ (1,1) = (0,1)	3 + 1 = 4
(1,0) ⊕ (1,2) = (0,2)	3 + 5 = 2

ℤ/2ℤ × ℤ/3ℤ	ℤ/6ℤ
(1,1) ⊕ (0,0) = (1,1)	1 + 0 = 0
(1,1) ⊕ (0,1) = (1,2)	1 + 4 = 5
(1,1) ⊕ (0,2) = (1,0)	1 + 2 = 3
(1,1) ⊕ (1,0) = (0,1)	1 + 3 = 4
(1,1) ⊕ (1,1) = (0,2)	1 + 1 = 2
(1,1) ⊕ (1,2) = (0,0)	1 + 5 = 0
(1,2) ⊕ (0,0) = (1,2)	5 + 0 = 5
(1,2) ⊕ (0,1) = (1,0)	5 + 4 = 3
(1,2) ⊕ (0,2) = (1,1)	5 + 2 = 1
(1,2) ⊕ (1,0) = (0,2)	5 + 3 = 2
(1,2) ⊕ (1,1) = (0,0)	5 + 1 = 0
(1,2) ⊕ (1,2) = (0,1)	5 + 5 = 4

Since 1 and 5 are generators for ℤ/6ℤ with respect to +, the corresponding elements (1,1) and (1,2) are generators for ℤ/2ℤ × ℤ/3ℤ.

[link]

Fact: Suppose that for two positive integers n and m where g ≡ gcd(n,m) and two congruence classes a ∈ ℤ/nℤ and b ∈ ℤ/mℤ, we are given the following system of equations:

≡

a (mod n)

≡

b (mod m)

We then know that:

n' ⋅ g

m' ⋅ g

But this means that:

≡

a (mod (n' ⋅ g))

≡

b (mod (m' ⋅ g))

The above equations can be converted into facts about divisibility:

a + k ⋅ (n' ⋅ g)

b + l ⋅ (m' ⋅ g)

But note that:

a + (k ⋅ n')) ⋅ g

b + (l ⋅ (m')) ⋅ g

The above implies:

≡

a (mod g)

x & ≡ & b (mod g)

Since x ≡ x, it must be that:

a & ≡ & b (mod g)

Thus, a solution x exists for the system of equations only if a ≡ b (mod (gcd(n,m)).

[link]

Fact: Suppose that for two positive integers n and m where g ≡ gcd(n,m) and two congruence classes a ∈ ℤ/nℤ and b ∈ ℤ/mℤ, we are given the following system of equations:

≡

a (mod n)

≡

b (mod m)

Note that because g ≡ gcd(n,m), we have:

n' ⋅ g

m' ⋅ g

To find a solution, first determine whether a ≡ b (mod g), and compute r = a (mod g). Then set:

x = y + r

We can now solve the following system for y:

y + r

≡

a (mod n)

y + r

≡

b (mod m)

We substruct r from both sides in both equations. We now have g | a-r and g | b-r, since r was the remainder when dividing a and b by g:

≡

(a − r) (mod n)

≡

(b − r) (mod m)

Now set:

y = g ⋅ z

We can now solve the following system for y:

g ⋅ z

≡

(a − r) (mod (n' ⋅ g))

g ⋅ z

≡

(b − r) (mod (m' ⋅ g))

Using the linear congruence theorem on both equations, we get:

≡

(a − r)/g (mod n')

≡

(b − r)/g (mod m')

We know that n' and m' are coprime, so we can solve for z using the usual method for solving systems of equations with coprime moduli. Once we find z, we can compute a solution x to the original system of equations:

≡

g ⋅ z + r (mod ((n ⋅ m) / g))

[link]

Example: Suppose we want to solve the following system of equations:

≡

1 (mod 6)

≡

3 (mod 8)

First, we compute gcd(6,8) = 2. Then we check that 1 ≡ 3 (mod 2). Since this is true, we know we can find a solution. We proceed by subtracting 1 from both sides of both equations:

x − 1

≡

0 (mod 6)

x − 1

≡

2 (mod 8)

We can now apply the linear congruence theorem to both equations:

x − 1

≡

0 (mod 3)

x − 1

≡

1 (mod 4)

We can now solve the above system of equations using the usual CRT solution computation because the moduli are now coprime:

x − 1

≡

0 ⋅ (4 ⋅ 4^-1) + 1 ⋅ (3 ⋅ 3^-1)

≡

0 + 1 ⋅ (3 ⋅ 3)

≡

We now compute x:

x − 1

≡

x − 1

≡

Since the range of unique CRT solutions with coprime moduli is ℤ/((6 ⋅ 8)/gcd(6,8))ℤ = ℤ/24ℤ, the congruence class solution is:

≡

19 (mod 24)

By putting together all the theorems and algorithms we have seen so far, we can now define a general-purpose solver for linear systems of equations involving congruence classes.

[link]

greatest
common
divisor
algorithm

Fermat's
little
theorem

Euler's
theorem

⇑

Bézout's
identity

⇐

extended
Euclidean
algorithm

⇐

algorithm for
finding
multiplicative
inverses

⇒

Euler's
totient
function φ

⇑

Chinese
remainder
theorem

⇐

CRT solver
for two
equations

⇑

linear
congruence
theorem

⇐

general
CRT solver
for two
equations

⇑

induction

⇐

general
CRT solver
for n
equations

We can also assemble a general-purpose algorithm for computing square roots of congruence classes modulo composite numbers (assuming we have the factorization of the modulus).

[link]

formula for
3+4ℤ
primes

⇐

square roots
modulo p

⇑

Hensel's lemma

⇐

square roots
modulo p^k

⇑

CRT solver
for two
equations

⇐

square roots
modulo n ⋅ m

[link]

Example: Suppose we want to solve the following equation for any congruence classes in ℤ/6ℤ that solve it:

4 ⋅ x + 3 ⋅ x²

≡

2 (mod 6)

One approach is to use the Chinese remainder theorem and split the problem into two equations by factoring 6:

4 ⋅ x + 3 ⋅ x²

≡

2 (mod 2)

4 ⋅ x + 3 ⋅ x²

≡

2 (mod 3)

We can now simplify each of the above:

3 ⋅ x²

≡

0 (mod 2)

4 ⋅ x

≡

2 (mod 3)

We can simplify each further:

x²

≡

0 (mod 2)

≡

2 (mod 3)

We know that the only solution to the first is x ≡ 0 (mod 2), so we have now obtained the following system of equations; we can use CRT to find the unique solution modulo 6:

≡

0 (mod 2)

≡

2 (mod 3)

≡

2 (mod 6)

We can check that, indeed, 4 ⋅ 2 + 3 ⋅ 2² ≡ 20 ≡ 2 (mod 6).

[link]

Example: Solve the following equation for all congruence classes in ℤ/7ℤ that satisfy it:

x² − 3 ⋅ x

≡

0 (mod 7)

[link] 5.6. Groups, Subgroups, and Direct Products

[link]

Definition: We call an algebraic structure (A, ⊕) a group under ⊕ if:

A is closed under ⊕;
⊕ is associative on A;
A contains an identity;
A has inverses with respect to ⊕ (for all x ∈ A, there exists x^-1 ∈ A such that x ⊕ x^-1 = 1 and x^-1 ⊕ x = 1 are always true).

If (A, ⊕) possesses no other algebraic properties, we call it a free group or we say it is strictly a group.

[link]

Example: One example of a group is (ℤ, +), because the integers are closed under addition, addition is associative, 1 is an identity, and every integer x ∈ ℤ has an additive inverse −x ∈ ℤ.

[link]

Example: Any vector space V with vector addition is a group.

[link]

Example: The set ℤ^{2 × 2} (the set of all 2 × 2 matrices with integer entries) together with matrix addition is a group.

[link]

Fact: For any n ∈ ℕ, the algebraic structure (ℤ/nℤ, +) where + is addition modulo n is a group.

[link]

Fact: For any n ∈ ℕ, the algebraic structure ((ℤ/nℤ)*, ⋅) where ⋅ is multiplication modulo n is a group.

If we look at subsets of the elements in a group, we might find that certain subsets are closed under the operator for that group. These subsets are called subgroups, and the concept of a subgroup can be very useful when studying and using groups.

[link]

Definition: Let A be a group under the operator ⊕. We say that B is a subgroup of A if B ⊂ A, B is closed under ⊕, and B is a group.

[link]

Example: The following are all the subgroups of ℤ/4ℤ under addition + modulo 4:

{0}, because all terms of the form 0, 0+0, 0+0+0, and so on are equivalent to 0;
{0,2}, since closure({0,2}, +) = {0,2};
{0,1,2,3} = ℤ/4ℤ.

The following are all the subgroups of ℤ/6ℤ under addition + modulo 6

{0}, because all terms of the form 0, 0+0, 0+0+0, and so on are equivalent to 0;
{0,2,4}, since closure({2}, +) = closure({0,2,4}, +) = {0,2,4};
{0,3}, since closure({3}, +) = closure({0,3}, +) = {0,3};
{0,1,2,3,4,5} = closure({1}, +) = ℤ/6ℤ.

[link]

Fact: Given some n ∈ ℕ and some factor f ∈ ℕ such that f|n, then (closure({f}, +), +) is a subgroup of (ℤ/nℤ, +), and it is isomorphic to the group (ℤ/(n/f)ℤ, +).

[link]

Example: The following are all the non-trivial subgroups of ℤ/6ℤ under addition + modulo 6, together with their corresponding isomorphic group:

({0,2,4}, +) ≅ (ℤ/(6/2)ℤ) ≅ (ℤ/3ℤ, +);
({0,3}, +) ≅ (ℤ/(6/3)ℤ) ≅ (ℤ/2ℤ, +).

The notion of a subgroup allows us to introduce an alternative definition for prime numbers.

[link]

Definition: Given an integer p ∈ ℕ where p > 1, we say that p is prime if the only subgroups of (ℤ/pℤ, +) are the trivial subgroups ({0}, +) and (ℤ/pℤ, +).

[link]

Conjecture (hidden subgroup problem): The following problem is not in P: given a group (A, ⊕), find a non-trivial subgroup of A (non-trivial means not the subgroup that contains only the identity, ({I}, ⊕), and not the subgroup consisting of the entire group, (A, ⊕)).

Often, we are interested in a more restricted versions of this problem, which are also not believed to be in P:

finding a non-trivial subgroup of (ℤ/nℤ, +);
finding a non-trivial subgroup of ((ℤ/nℤ)*, ⋅);
finding the size of the subgroup closure({a}, ⋅) of the group (ℤ/nℤ)*, where a ∈ (ℤ/nℤ)*.

[link]

Example: Suppose that for some n ∈ ℕ, we are given a ∈ ℤ/nℤ such that gcd(a, n) = 1. We know from Euler's theorem that a^φ(n) ≡ 1 (mod n). However, φ(n) is not necessarily the smallest exponent of a that will yield 1.

For example, consider 3 ∈ ℤ/8ℤ. Even though φ(8) = 2³ - 2² = 4 and 3⁴ ≡ 1 (mod 8), it is also true that 3² ≡ 9 ≡ 1 (mod 8).

Thus, given some a ∈ ℤ/nℤ such that gcd(a, n) = 1, the problem of determining the smallest r such that a^r ≡ 1 (mod n) amounts to finding the smallest subgroup of ((ℤ/nℤ)*, ⋅) that contains a. Equivalently, this amounts to finding |closure({a}, ⋅)|.

[link]

Algorithm (Shor's algorithm): Shor's algorithm relies on the ability of a quantum computer to find the smallest r > 0 such that a^r ≡ 1 (mod n). It takes an arbitrary integer n as its input and finds a non-trivial factor of n with high probability. We highlight the quantum portion of the algorithm in green.

Shor's algorithm: n ∈ ℕ
1. do
  1. choose a random a ∈ ℤ/nℤ
  2. if gcd(a, n) > 1, return gcd(a, n)
  3. otherwise, find the smallest r > 0 such that a^r ≡ 1 (mod n)
  until r is even and a^(r/2) ≢ −1 (mod n)
2. since we have exited the loop, then r is even and a^(r/2) ≢ −1 (mod n)
3. thus, a^(r/2) is a non-trivial root of a^r
4. return gcd(a^(r/2) ± 1, n), which is a non-trivial factor by this fact

Note that 1 has exactly four roots modulo n because n = p ⋅ q. Since r > 0, a^(r/2) cannot be 1. This leaves −1 and two other possibilities.

[link]

Example: Let us consider the example where n = 15. If we do not know the factors of 15, we could instead start with a = 2, since 2 ∈ (ℤ/15ℤ)*. We then find that:

|closure({2}, ⋅)|

|{2, 4, 8, 1}|

Thus, a^r ≡ 2⁴ ≡ 1 (mod 15). In this case, r = 4 is even and a^(r/2) ≡ 2^4/2 ≡ 4, where 4 ≢ −1. But this means we have found a root 4 of 1 where 4 ≢ ± 1:

4 ⋅ 4

≡

1 ⋅ 1 (mod 15)

Thus, we can now use the reduction from factoring to the congruent squares problem to find a factor of n:

gcd(4 + 1, 15)

gcd(4 − 1, 15)

We now consider a few other examples illustrating how subgroups and isomorphisms between groups and subgroups can be applied.

[link]

Example (arithmetic with unbounded error and bounded unreliability): Suppose you need to perform a sequence of k addition operations in ℤ/15ℤ, but all the addition operators ⊕ modulo n available to you are error-prone. To add two numbers a, b modulo n accurately, you must perform the computation a ⊕ b at least n times (because up to ⌈ n/2 ⌉ of those attempts will result in an arbitrarily large error).

This means that to perform k addition operations modulo 15, it will be necessary to perform every operation 15 times, for a total of k ⋅ 15 operations modulo 15. If each addition operation modulo n takes about log₂ n steps, this would mean that k operations would take:

k ⋅ 15 ⋅ 4 steps

Assuming that performing CRT to find a solution in ℤ/15ℤ takes 10,000 steps, determine how you can use CRT to speed up the computation of these k addition operations, and for what minimum k this would be advantageous.

[link]

Definition: Given two groups (A, ⊕) and (B, ⊗), we define the direct product of these two groups to be the group (A × B, ◊) where the operator ◊ is defined over A × B as follows:

(a, b) ◊ (a', b')

(a ⊕ a', b ⊗ b)

[link]

Example: The direct product (ℤ/2ℤ × ℤ/2ℤ, +) where + is component-wise addition is a group, but it is not isomorphic to (ℤ/4ℤ, +). To see why, consider that ℤ/4ℤ has a generator 1 ∈ ℤ/4ℤ. Are any of the four elements (0,0), (0,1), (1,0), or (1,1) generator for all the elements in ℤ/2ℤ × ℤ/2ℤ?

[link]

Example: The direct product (ℤ/2ℤ × ℤ/3ℤ, +) where + is component-wise addition is a group, and it is isomorphic to ℤ/6ℤ. Can you find a single generator in ℤ/2ℤ × ℤ/3ℤ that can be used to generate every element in ℤ/2ℤ × ℤ/3ℤ? What is the name of the theorem that states that there is an isomorphism between ℤ/2ℤ × ℤ/3ℤ and ℤ/6ℤ?

[link]

Example: Suppose we consider the set of all possible polynomials of the form a_k x^k + a_k-1 x^k-1 + ... + a₂ x² + a₁ x¹ + a₀ x⁰ where every coefficient a_i is from ℤ/2ℤ, and where + represents addition modulo 2. Then we can observe the following:

0²

1²

In other words, for any x ∈ ℤ/2ℤ, x² ≡ x. That means any term of the form x^k can be simplified into x:

x²

x³

x² ⋅ x

x ⋅ x

x⁴

x³ ⋅ x

x ⋅ x

⋮

This, together with the fact that every coefficient a_i can be simplified to either 0 or 1 modulo 2, shows us that there are only four distinct polynomials modulo 2:

{0 ⋅ x + 0, 0 ⋅ x + 1, 1 ⋅ x + 0, 1 ⋅ x + 1}

{0, 1, x, x + 1}

One notation for this set of polynomials is ℤ/2ℤ[x], which can be read as "ℤ/2ℤ extended with x" or "polynomials in ℤ/2/Z". The set {0, 1, x, x + 1} together with addition modulo 2 is an algebraic structure, and it is isomorphic to ℤ/2ℤ × ℤ/2ℤ where the two ceofficients of the polynomial a₁ x + a₀ correspond to the two components of an element (a₁, a₀) in ℤ/2ℤ × ℤ/2ℤ.

[link] Review 2. Algebraic Structures and their Properties

This section contains a comprehensive collection of review problems going over all the course material. Many of these problems are an accurate representation of the kinds of problems you may see on an exam.

[link]

Exercise: Suppose we have the following polynomial in the integers (i.e., all operations are arithmetic operations):

6 x¹⁰⁰¹ + 2 x⁶⁰⁰ + 1

Prove that the arithmetic expression above is always divisible by 3 if gcd(x,3) = 1.

[link]

Exercise: Suppose you have n ∈ ℕ and a congruence class a ∈ ℤ/nℤ such that gcd(a, n) = 1. Compute in terms of n (and only n) the congruence class corresponding to the following term:

0 ⋅ a + 1 ⋅ a + 2 ⋅ a + ... + (n − 1) ⋅ a

[link]

Exercise: Find all x ∈ ℤ/29ℤ that satisfy the following:

y²

≡

16 (mod 29)

x²

≡

y (mod 29)

[link]

Exercise: Solve the following problems.

Consider the following two circular shift permutations:
[8,9,0,1,2,3,4,5,6,7]
[5,6,7,8,9,0,1,2,3,4]
How many of each would you need to compose to obtain the permutation [9,0,1,2,3,4,5,6,7,8]?
These permutations specified are in C₁₀, and we know that C₁₀ ≅ ℤ/10ℤ. Notice that [8,9,0,1,2,3,4,5,6,7] ∈ C₁₀ can correspond to 8 ∈ ℤ/10ℤ, that [5,6,7,8,9,0,1,2,3,4] ∈ C₁₀ can correspond to 5 ∈ ℤ/10ℤ, and that [9,0,1,2,3,4,5,6,7,8] ∈ C₁₀ can correspond to 9 ∈ ℤ/10ℤ. By Bézout's identity we have that:
8 ⋅ 2 + 5 ⋅ (-3)
=
1
8 ⋅ 2 + 5 ⋅ 7
≡
1 (mod 10)
8 ⋅ (9 ⋅ 2) + 5 ⋅ (9 ⋅ 7)
≡
9 ⋅ 1 (mod 10)
8 ⋅ 8 + 5 ⋅ 3
≡
9 (mod 10)

Thus, we would need to compose 8 instances of the first permutation and 3 instances of the second permutation to obtain [9,0,1,2,3,4,5,6,7,8].
Rewrite the permutation [3,4,0,1,2] as a composition of adjacent swap permutations.
We can simply run the bubble sort algorithm on the above permutation and record the permutation that represents each swap. This leads to the following sequence:
p₁
=
[0,2,1,3,4]
p₂
=
[0,1,3,2,4]
p₃
=
[0,1,2,4,3]
p₄
=
[1,0,2,3,4]
p₅
=
[0,2,1,3,4]
p₆
=
[0,1,3,2,4]
Thus, by applying the above sequence of permutations to [0,1,2,3,4] in reverse order, we can obtain [3,4,0,1,2], so the factorization of [3,4,0,1,2] into adjacent swap permutations is:
[3,4,0,1,2]
=
p₁ o p₂ o p₃ o p₄ o p₅ o p₆ o [0,1,2,3,4]

[link]

Exercise: Suppose we want to perform k exponentiation operations (e.g., if k = 4, we want to compute (((a^b)^c)^d)^e) modulo 21. Assume the following:

a single exponentiation operation modulo 21 takes 21³ = 9261 steps;
a single exponentiation operation modulo 3 takes 3³ = 27 steps;
a single exponentiation operation modulo 7 takes 7³ = 343 steps;
an exponentiation operation modulo 3 and an exponentiation operation modulo 7 together take 343 + 27 = 370 steps;
solving a two-equation system for two values, a modulo 3 and b modulo 7, takes 8000 steps using CRT;
we can either compute the exponentiation sequence directly modulo 21, or we can split it into two sequences of computations (one modulo 3, the other modulo 7) and then recombine using CRT at the end.

What is the number of steps needed to perform k exponentiations modulo 21?

f(k)
=
9261 ⋅ k
What is the number of steps needed to perform k exponentiations modulo 3 and k exponentiations modulo 7, then to recombine using CRT?

f(k) = 370 ⋅ k + 8000

[link]

Exercise: Find solutions to the following problems.

Explain why the following polynomial has no integer solutions (Hint: you only need to evaluate the polynomial for two possible values of x):
x⁴ + x² + 3
=
0

If the above equation has an integer solution x, then it must have an integer solution modulo 2, since we can take the modulus of both sides:
x⁴ + x² + 3
=
0
(x⁴ + x² + 3) mod 2
=
0 mod 2
x⁴ + x² + 3
≡
0 (mod 2)
Thus, we have using logic that:
(exists solution in ℤ)
→
(exists solution modulo 2)
(no solution modulo 2)
→
(no solution in ℤ)
Note that this only works in one direction. A solution modulo 2 does not necessarily imply that there is an integer solution.
We see that for x = 0 and x = 1, the left-hand side is odd. The right-hand side is 0, so it is always even. Thus, no integer solution exists.
Find at least one solution x ∈ ℤ/10ℤ to the following system of equations (you must use Bézout's identity):
6 ⋅ y + 5 ⋅ x - 1
≡
0 (mod 10)
x²
≡
y (mod 10)

Since 5 and 6 are coprime, we can find a solution to the first equations. One such solution is:
y
≡
1 (mod 10)
x
≡
-1 (mod 10)

≡
9 (mod 10)
We also have that 9² ≡ 81 ≡ 1 (mod 10). Thus, since 1² ≡ 1 (mod 10), both equations are satisfied by this solution.

[link]

Exercise: Find solutions to the following problems.

Suppose you want to send some s ∈ ℤ/nℤ to Alice and Bob, but you want to ensure that the only way Alice and Bob can retrieve s is if they work together. What two distinct pairs (s₁, p₁) and (s₂, p₂) would you send to Alice and Bob, respectively, so that they would need to work together to recover s?
You would need to send (s mod p, p) to Alice and (s mod q, q) to Bob where s < p ⋅ q and p and q are distinct and coprime.
Suppose Bob is generating a public RSA key; he chooses a very large prime p, and then he chooses q = 2. Why is this not secure?
Bob must share his public key (n, e). Since n = p ⋅ 2, n is even. This can immediately be seen by looking at the last bit of n (which will be 0, since n mod 2 = 0). It is then easy to recover the secret value p.
Suppose Alice and Bob use Shamir secret sharing to share a password s to a lock that is not protected from brute force attacks (i.e., anyone can keep trying different passwords until they unlock it). Alice holds s mod p and Bob holds s mod q, where s < p ⋅ q. However, suppose that Bob happens to be using q = 2, and Alice knows this. What can Alice do to quickly break the lock?
If Alice holds a and Bob holds b, the system of equations that would be set up to recover s is as follows:
x
≡
a (mod p)
x
≡
b (mod 2)
Notice that there are only two possibilities for Bob's value b ∈ ℤ/2ℤ. Thus, Alice could set up two systems, one for b = 0 and another for b = 1, solve both, and try both secrets s on the lock.

[link]

Exercise: Suppose that Alice, Bob, Carl, and Dan are sharing a secret s using Shamir secret sharing, where each participant is assigned a distinct modulus n that is coprime to everyone else's modulus. Each participant is holding a part of the secret s mod n, and the secret can be recovered by any two participants. However, Eve has sabotaged the value stored by one one the participants. Below are the values currently stored by everyone; one of them is corrupted.

Alice: n_Alice = 3 and (s mod 3) = 2
Bob: n_Bob = 4 and (s mod 4) = 3
Carl: n_Carl = 5 and (s mod 5) = 2
Dan: n_Dan = 7 and (s mod 7) = 4

Which participant's stored value s mod n has Eve sabotaged?
Any two participants can recover the secret s by setting up a system with two equations and solving the system using CRT. We list all of the possible combinations and solve for s to find which participant's value has been corrupted.
- Alice and Bob:
  s
  ≡
  2 (mod 3)
  s
  ≡
  3 (mod 4)
  s
  ≡
  11 (mod 12)
- Alice and Carl:
  s
  ≡
  2 (mod 3)
  s
  ≡
  2 (mod 5)
  s
  ≡
  2 (mod 15)
- Alice and Dan:
  s
  ≡
  2 (mod 3)
  s
  ≡
  4 (mod 7)
  s
  ≡
  11 (mod 21)
- Bob and Carl:
  s
  ≡
  3 (mod 4)
  s
  ≡
  2 (mod 5)
  s
  ≡
  7 (mod 20)
- Bob and Dan:
  s
  ≡
  3 (mod 4)
  s
  ≡
  4 (mod 7)
  s
  ≡
  11 (mod 28)
- Carl and Dan:
  s
  ≡
  2 (mod 5)
  s
  ≡
  4 (mod 7)
  s
  ≡
  32 (mod 35)
Since three of the participants can consistently recover the same secret s = 11, and all pairs of participants in which Carl is present do not yield s = 11 and are inconsistent with one another, it must be Carl's data that has been sabotaged.
What is the correct secret value s?
Since three of the six possible pairings result in s = 11, and the other three are inconsistent and all involve Carl, it must be that s = 11 was the original uncorrupted secret.
What's the number of different shared secret values these four participants can store (assuming they use the same moduli, and require that any two members should be able to recover the secret).
Since any two participants must be able to recover s, it must be that s < n ⋅ m for every possible pair n and m. The smallest two values are 3 and 4, so 3 ⋅ 4 - 1 = 11, where 11 ∈ ℤ/(3 ⋅ 4)ℤ, is the largest possible s that can be receovered.
Suppose you want to store an n-bit number s. You want to store it in a way that makes it possible to recover s even if one of the bits is corrupted. How can you accomplish this using at most approximately 2 ⋅ n bits?
Choose four distinct coprime numbers m₁, m₂, m₃, and m₄ such that s is less than the product of every pair of these, but such that the product of any pair is not much larger than s (e.g., m₁ and m₂ can be stored in the same number of bits as s). Then store (s mod m₁, s mod m₂, s mod m₃, s mod m₄) using about 2 ⋅ n bits.
If any individual bit is corrupted, this corrupts at most one of the four values stored. As with Alice, Bob, and Dan, the original value can still be recovered.

[link]

Exercise: Suppose you want to make a two-player game in which each player gets a different element (call them a and b) from the algebraic structure (A, ⊕). Then, they would be given a third element c, and they must work together to use their two elements a and b to create the target element c. It must be impossible for an individual player to make the target element c on their own. Explain why each of the following algebraic structures would or would not work for this game.

ℤ/3ℤ
ℤ/4ℤ
ℤ/2ℤ × ℤ/2ℤ
ℤ/6ℤ
ℤ/2ℤ × ℤ/3ℤ
S₃
ℤ

[link] Appendix A. Python Reference

The Python programming language will be among the languages we use in this course. This language supports the object-oriented, imperative, and functional programming paradigms, has automatic memory managememt, and natively supports common high-level data structures such as lists and sets. Python is often used as an interpreted language, but it can also be compiled.

[link] A.1. Obtaining Python

The latest version of Python 3 can be downloaded at: https://www.python.org/downloads/. In this course, we will require the use if Python 3, which has been installed on all the CS Department's undergraduate computing lab machines, as well as on csa2/csa3.

[link] A.2. Assembling a Python module

The simplest Python program is a single file (called a module) with the file extension .py. For example, suppose the following is contained within a file called example.py:


# This is a comment in "example.py".
# Below is a Python statement.
print("Hello, world.")

Assuming Python is installed on your system, to run the above program from the command line you can use the following (you may need to use python3, python3.2, python3.3, etc. depending on the Python installation you're using). Note that in the examples below %> represents a terminal prompt, which may look different on your system.


%> python example.py
Hello, world.

If you run Python without an argument on the command line, you will enter Python's interactive prompt. You can then evaluate expressions and execute individual statements using this prompt; you can also load and execute a Python module file:


%> python
Python 3.2 ...
Type "help", "copyright", "credits" or "license" for more information.
>>> exec(open("example.py").read()) # Load "example.py" module.
Hello, world.
>>> x = "Hello." # Execute an assignment statement.
>>> print(x)     # Execute a "print" statement.
Hello.
>>> x            # Evaluate a string expression.
'Hello.'
>>> 1 + 2        # Evaluate a numerical expression.
3

[link] A.3. Common data structures (i.e., Python expressions)

Python provides native support for several data structures that we will use throughout this course: integers, strings, lists, tuples, sets, and dictionaries (also known as finite maps). In this subsection, we present how instances of these data structures are represented in Python, as well as the most common operations and functions that can be applied to these data structure instances.

Booleans consist of two constants: True and False.

The usual logical operations are available using the operators and, or, and not.


>>> True                                      # A boolean constant.
True
>>> False                                     # A boolean constant.
False
>>> True and False or True and (not False)    # A boolean expression.
True

Integers are written as in most other programming languages (i.e., as a sequence of digits).
- The usual arithmetic operations are available using the operators +, *, -, and /. The infix operator // represents integer division, and the infix operators ** represents exponentiation. Negative integers are prefixed with the negation operator -.
- The usual relational operators ==, !=, <, >, <=, >= are available.
- The int() function can convert a string that looks like an integer into an integer.
```
>>> 123                                       # An integer constant.
True
>>> 1 * (2 + 3) // 4 - 5                      # An integer expression.
-4
>>> 4 * 5 >= 19                               # A boolean expression involving integers.
True
>>> int("123")                                # A string being converted into an integer
123
          
```
Strings are delimited by either ' or " characters. Strings can be treated as lists of single-character strings. Another way to look at this is that there is no distinction between a character and a string: all characters are just strings of length 1. Multiline strings can be delimited using """ or ''' (i.e., three quotation mark characters at the beginning and end of the string literal).
- The empty string is denoted using '' or "".
- Two strings can be concatenated using +.
- The function len() returns the length of a string.
- Individual characters in a string can be accessed using the bracketed index notation (e.g., s[i]). These characters are also strings themselves.
```
>>> 'Example.'                                # A string.
'Example.'
>>> "Example."                                # Alternate notation for a string.
'Example.'
>>> len("ABCD")                               # String length.
4
>>> "ABCD" + "EFG"                            # String concatenation.
'ABCDEFG'
>>> "ABCD"[2]                                 # Third character in the string.
'C'
          
```
Lists are similar to arrays: they are ordered sequences of objects and/or values. The entries of a list can be of a mixture of different types, and lists containing one or more objects are delimited using [ and ], with the individual list entries separated by commas. Lists cannot be members of sets.
- The empty list is denoted using [].
- Two lists can be concatenated using +.
- The function len() returns the length of a list.
- Individual entries in a list can be accessed using the bracketed index notation (e.g., a[i]).
- To check if a value is in a list, use the in relational operator.
```
>>> [1,2,"A","B"]                             # A list.
[1, 2, 'A', 'B']
>>> [1, 2] + ['A','B']                        # Concatenating lists.
[1, 2, 'A', 'B']
>>> len([1,2,"A","B"] )                       # List length.
4
>>> [1,2,"A","B"][0]                          # First entry in the list.
1
>>> 1 in [1, 2]                               # List containment check.
True
          
```
Tuples are similar to lists (they are ordered, and can contain objects of different types), except they are delimited by parentheses ( and ), with entries separated by commas. The main distinction between lists and tuples is that tuples are hashable (i.e., they can be members of sets).
- The empty tuple is denoted using ().
- A tuple containing a single object x is denoted using (x, ).
- Two tuples can be concatenated using +.
- A tuple can be turned into a list using the list() function.
- A list can be turned into a tuple using the tuple() function.
- The function len() returns the length of a tuple.
- Individual entries in a tuple can be accessed using the bracketed index notation (e.g., t[i]).
- To check if a value is in a tuple, use the in relational operator.
```
>>> (1,2,"A","B")                             # A tuple.
(1, 2, 'A', 'B')
>>> (1,)                                      # Another tuple.
(1,)
>>> (1, 2) + ('A','B')                        # Concatenating tuples.
(1, 2, 'A', 'B')
>>> list((1, 2, 'A','B'))                     # A tuple being converted into a list.
[1, 2, 'A', 'B']
>>> tuple([1, 2, 'A','B'])                    # A list being converted into a tuple.
(1, 2, 'A', 'B')
>>> len((1,2,"A","B"))                        # Tuple length.
4
>>> (1,2,"A","B")[0]                          # First entry in the tuple.
1
>>> 1 in (1, 2)                               # Tuple containment check.
True
          
```
Sets are unordered sequences that cannot contain duplicates. They are a close approximation of mathematical sets. Sets cannot be members of sets.
- The empty set is denoted using set().
- The methods .union() and .intersect correspond to the standard set operations.
- A list or tuple can be turned into a set using the set() function.
- A set can be turned into a list or tuple using the list() or list() function, respectively.
- The function len() returns the size of a set.
- To access individual entries in a set, it is necessary to turn the set into a list or tuple.
- To check if a value is in a set, use the in relational operator.
```
>>> {1,2,"A","B"}                             # A set.
{1, 2, 'A', 'B'}
>>> ({1,2}.union({3,4})).intersection({4,5})  # Set operations.
{4}
>>> set([1, 2]).union(set(('A','B')))         # Converting a list and a tuple to sets.
{'A', 1, 2, 'B'}
>>> len({1,2,"A","B"})                        # Set size.
4
>>> 1 in {1,2,"A","B"}                        # Tuple containment check.
True
          
```
Frozen sets are like sets, except they can be members of other sets. A set can be turned into a frozen set using the frozenset() function.
```
>>> frozenset({1,2,3})                        # A frozen set.
frozenset({1, 2, 3})
>>> {frozenset({1,2}), frozenset({3,4})}      # Set of frozen sets.
{frozenset({3, 4}), frozenset({1, 2})}
          
```
In Python, values that are members of a set data structure must be hashable so that it is easy to deduplicate elements in an unordered set (e.g., {1,1,2,2} == {1,2} should be True, and this would take O(n²) steps to compute in the worst case because sets are not ordered). However, values of type set are not hashable because they can change (e.g., it is possible to insert an element into a set and also to remove an element from a set), which means their hashes could change, as well. Values of type frozenset cannot be changed; once their hash value is computed at the time of creation, it never changes. Thus, it is okay to include values of type frozenset inside instances of set without worrying about incurring a quadratic running time when deduplicating (or, e.g., computing a set union).
Dictionaries are unordered collections of associations between some set of keys and some set of values. Dictionaries are also known as finite maps.
- The empty dictionary is denoted using {}.
- The list of keys that the dictionary associates with values can be obtained using list(d.keys()).
- The list of values that the dictionary contains can be obtained using list(d.values()).
- The function len() returns the number of entries in the dictionary.
- Individual entries in a dictionary can be accessed using the bracketed index notation (e.g., d[key]).
```
>>> {"A":1, "B":2}                            # A dictionary.
{'A': 1, 'B': 2}
>>> list({"A":1, "B":2}.keys())               # Dictionary keys.
['A', 'B']
>>> list({"A":1, "B":2}.values())             # Dictionary values.
[1, 2]
>>> len({"A":1, "B":2})                       # Dictionary size.
2
>>> {"A":1, "B":2}["A"]                       # Obtain a dictionary value using a key.
1
          
```

[link] A.4. Function, procedure, and method invocations

Python provides a variety of ways to supply parameter arguments when invoking functions, procedures, and methods.

Function calls and method/procedure invocations consist of the function, procedure, or method name followed by a parenthesized, comma-delimited list of arguments. For example, suppose a function or procedure example() is defined as follows:
```
def example(x, y, z):
  print("Invoked.")
  return x + y + z
          
```
To invoke the above definition, we can use one of the following techniques.
- Passing arguments directly involves listing the comma-delimited arguments directly between parentheses.
```
>>> example(1,2,3)
Invoked.
6
              
```
- The argument unpacking operator (also known as the *-operator, the scatter operator, or the splat operator) involves providing a list to the function, preceded by the * symbol; the arguments will be drawn from the elements in the list.
```
>>> args = [1,2,3]
>>> example(*args)
Invoked.
6
              
```
- The keyword argument unpacking operator (also known as the **-operator) involves providing a dictionary to the function, preceded by the ** symbol; each named paramter in the function definition will be looked up in the dictionary, and the value associated with that dictionary key will be used as the argument passed to that parameter.
```
>>> args = {'z':3, 'x':1, 'y':2}
>>> example(**args)
Invoked.
6
              
```
Default parameter values can be specified in any definition. Suppose the following definition is provided.
```
def example(x = 1, y = 2, z = 3):
  return x + y + z
          
```
The behavior is then as follows: if an argument corresponding to a parameter is not supplied, the default value found in the definition is used. If an argument is supplied, the supplied argument value is used.
```
>>> example(0, 0)
3
>>> example(0)
5
>>> example()
6
          
```

[link] A.5. Comprehensions

Python provides concise notations for defining data structures and performing logical computations. In particular, it support a comprehension notation that can be used to build lists, tuples, sets, and dictionaries.

List comprehensions make it possible to construct a list by iterating over one or more other data structure instances (such as a list, tuple, set, or dictionary) and performing some operation on each element or combination of elements. The resulting list will contain the result of evaluating the body for every combination.
```
>>> [ x for x in [1,2,3] ]
[1, 2, 3]
>>> [ 2 * x for x in {1,2,3} ]
[2, 4, 6]
>>> [ x + y for x in {1,2,3} for y in (1,2,3) ]
[2, 3, 4, 3, 4, 5, 4, 5, 6]
          
```
It is also possible to add conditions anywhere after the first for clause. This will filter which combinations are actually used to add a value to the resulting list.
```
>>> [ x for x in {1,2,3} if x < 3 ]
[1, 2]
>>> [ x + y for x in {1,2,3} for y in (1,2,3) if x > 2 and y > 1 ]
[5, 6]
          
```
Set comprehensions make it possible to construct a set by iterating over one or more other data structure instances (such as a list, tuple, set, or dictionary) and performing some operation on each element or combination of elements. The resulting list will contain the result of evaluating the body for every combination. Notice that the result will contain no duplicates because the result is a set.
```
>>> { x for x in [1,2,3,1,2,3] }
{1, 2, 3}
          
```
Dictionary comprehensions make it possible to construct a dictionary by iterating over one or more other data structure instances (such as a list, tuple, set, or dictionary) and performing some operation on each element or combination of elements. The resulting dictionary will contain the result of evaluating the body for every combination.
```
>>> { key : 2 for key in ["A","B","C"] }
{'A': 2, 'C': 2, 'B': 2}
          
```

[link] A.6. Other useful built-in functions

The built-in function type() can be used to determine the type of a value. Below, we provide examples of how to check whether a given expression has one of the common Python types:


>>> type(True) == bool
True
>>> type(123) == int
True
>>> type("ABC") == str
True
>>> type([1,2,3]) == list
True
>>> type(("A",1,{1,2})) == tuple
True
>>> type({1,2,3}) == set
True
>>> type({"A":1, "B":2}) == dict
True

[link] A.7. Common Python definition and control constructs (i.e., Python statements)

A Python program is a sequence of Python statements. Each statement is either a function definition, a variable assignment, a conditional statement (i.e., if, else, and/or elif), an iteration construct (i.e., a for or while loop), a return statement, or a break or continue statement.

Variable assignments make it possible to assign a value or object to a variable.
```
x = 10
          
```
It is also possible to assign a tuple (or any computation that produces a tuple) to another tuple:
```
(x, y) = (1, 2)
          
```
Function and procedure definitions consist of the def keyword, followed by the name of the function or procedure, and then by one or more arguments (delimited by parentheses and separated by commas).
```
def example(a, b, c):
    return a + b + c
          
```

Conditional statements consist of one or more branches, each with its own boolean expression as the condition (with the exception of else). The body of each branch is an indented sequence of statements.


def fibonacci(n):
    # Computes the nth Fibonacci number.
    if n <= 0:
        return 0
    elif n <= 2:
        return 1
    else:
        return fibonacci(n-1) + fibonacci(n-2)

Iteration constructs make it possible to repeat a sequence of statements over and over. The body of an iteration construct is an indented sequence of statements.

The while construct has a boolean expression as its condition (much like if). The body is executed over and over until the expression in the condition evaluates to False, or a break statement is encountered.


def example1(n):
    # Takes an integer n and returns the sum of
    # the integers from 1 to n-1.
    i = 0
    sum = 0
    while i < n:
        sum = sum + i
        i = i + 1
    return sum

def example2(n):
    # Takes an integer n and returns the sum of
    # the integers from 1 to n-1.
    i = 0
    sum = 0
    while True:
        sum = sum + i
        i = i + 1
        if i == n:
            break
    return sum

The for construct makes it possible to repeat a sequence of statements once for every object in a list, tuple, or set, or once for every key in a dictionary.


def example3(n):
    # Takes an integer n and returns the sum of
    # the integers from 1 to n-1.
    sum = 0
    for i in range(0,n):
        sum = sum + i
    return sum

def example4(d):
    # Takes a dictionary d that maps keys to
    # integers and returns the sum of the integers.
    sum = 0
    for key in d:
        sum = sum + d[key]
    return sum