Introduction

On Monday we started talking about number theoretic algorithms.
We said these algorithms are frequently used in the cryptographic protocols that underlie the web.
We defined the integers, `ZZ ={... -2, -1, 0, 1, 2...}`, the naturals, `NN = {0, 1, 2, ...}`, and the notations `d|a` to mean `d` divides `a` (evenly as natural numbers).
We defined primes, units, and composite numbers.
We stated the division theorem that: For any integer `a` and any positive integer `n`, there are unique numbers `q` and `0 le r le n` such that `a=qn+r`.
Finally, we defined `[a]_n` for `{a + kn : k in ZZ}`, the equivalence class of `a mod n` and we defined the field, `ZZ_n` as the set of these equivalence classes with `+` and `times` induced from the integers.
Today, we start by looking at some facts about the greatest common divisor (gcd) of two numbers. We then give and analyze Euclid's algorithm for finding gcd's.

Greatest Common Divisor

If `d | a` and `d |b` then `d` is a common divisor of `a` and `b`.
Notice if `d` is a common divisor of a and b, then `d|(a+b)` and `d|(a-b)` and more generally `d|(ax+by)`
The largest common divisor of `a` and `b` is called the greatest common divisor of `a` and `b` and is denoted `gcd(a,b)`.
Ex: `gcd(250, 150) = 50.`
Observation.
1. `gcd(a,b) = gcd(b,a).`
2. `gcd(a,b) = gcd(-a,b).`
3. `gcd(a ,b) = gcd(|a|, |b|).`
4. `gcd(a, 0) = |a|.`
5. `gcd(a, ka) = |a|.`

A GCD Theorem and Corollaries

Theorem. If `a` and `b `are integers, not both zero, then `gcd(a,b)` is the smallest positive element of the set `{ax + by :x,y in ZZ }`.

Proof. Let `s` be the smallest positive linear combination of `a` and `b`, and let `s = ax + by` for some `x`, `y`. Let `q =|__a/s__|`. Then
`a \mod s = a-qs`
`= a - q(ax +by)`
`= a(1- qx) + b(- qy)`,
and so `a mod s` is a linear combination of `a` and `b` as well. But since `0 <= a mod s <= s`, we have `a mod s = 0`, because `s` was supposed to be the smallest positive such linear combination. Therefore `s | a` and by similar reasoning `s | b`. So `gcd(a,b) >= s`. As `gcd(a,b) | a` and `gcd(a,b) | b`, by the last slide we know `gcd(a,b) | s`. So `gcd(a,b)=s`.

Corollary. For any `a` and `b`, if `d|a` and `d|b`, then `d | gcd(a,b)`.

Corollary. For all integers `a` and `b` and any integer `n`, `gcd(an, bn) =n cdot gcd(a,b)`.

Corollary. For all positive integers `n`, `a`, and `b` if `n|ab` and `gcd(a,n) = 1` then `n | b`.

Relatively Prime, Unique Factorization

We say two numbers are relatively prime if `gcd(a,b) = 1`.
We say a list of integers `n_1, ..., n_k` are pairwise relatively prime if `gcd(n_i, n_j) = 1` for `i ne j`.

Theorem (**). If `gcd(a, p) = 1` and `gcd(b,p) =1`, then `gcd(ab,p)=1`.

Proof. We have `ax + py = 1` and `bx' + py' = 1`. So `ab(x\x') + p(ybx' +y'ax +pyy') = 1` and the theorem follows.

Theorem (Euclid's Lemma). For all primes `p`, for all integers `a, b`, if `p|ab` then `p|a` or `p|b` or both.

Proof. If `p|ab` but not `p|b` and not `p|a`. Then we know `gcd(p,a)=1` and `gcd(p,b)=1`. So `gcd(p,ab)=1` contradicting `p|ab`.

Unique Factorization Theorem. (appears in Euclid's Elements). A positive composite integer m can be written in exactly one way as a product of the form:
`m = p_1^(e_1)p_2^(e_2) cdots p_r^(e_r)`
where `p_i`'s are prime and `e_i`'s are positve integers.

We won't prove this, but it is proven in Wikipedia using induction to show existence of a factorization, and Euclid's Lemma to do matching of primes to show uniqueness.

Towards Euclid's Algorithm

It follows from the Unique Factorization Theorem that if:
`a = p_1^(e_1)p_2^(e_2) cdots p_r^(e_r)`
`b = p_1^(f_1)p_2^(f_2) cdots p_r^(f_r)`
then
`gcd(a, b) = p_1^(min(e_1, f_1))p_2^(min(e_2, f_2)) cdots p_r^(min(e_r, f_r))`

Theorem. For any nonnegative integer `a` and any positive integer `b`, `gcd(a,b) = gcd(b, a mod b)`.

Proof Idea. Show `gcd(a,b)| gcd(b, a mod b)` and `gcd(b, a mod b) | gcd(a,b)` using that gcd divides any linear combination of its arguments.

Euclid's Algorithm

The theorem of the last slide can be converted into Euclid's Algorithm for finding the gcd of two numbers:
```
Euclid(a,b): 
   if b=0 return a;
   else return Euclid(b, a mod b)
```
As an example, applying this algorithm to 99 and 30 gives:
Euclid(99, 30) = Euclid(30, 9) = Euclid(9, 3) = Euclid(3,0) = 3.

The Runtime of Euclid's Algorithm

Lemma. If `a > b >=1` and the invocation Euclid(a,b) performs `k>=1` recursive calls, then `a >= F_(k+2)` and `b >= F_(k+1)`. Here `F_k` is the `k`th Fibonacci number.

Proof. By induction on `k`. Let `k = 1`. Then `b >= 1 = F_2` and since `a > b`, `a >= 2 = F_3`. So the statement is true. Since `b > (a mod b)`, in each recursive call the first argument will always be the larger number.

Assume the statement is true for `k - 1`, and suppose Euclid(a,b) performs `k` calls. Well, this function then call Euclid(b, a mod b) which then makes `k-1` calls. By the induction hypothesis we have `b >= F_((k-1)+2) = F_(k+1)` and `a mod b >= F_k`. Notice `a > = b + (a mod b) >= F_(k+1) + F_k = F_(k+2)`.

Corollary (Lamé's Theorem). For any integer `k >= 1`, if `a > b >=1` and `b < F_(k+1)`, then Euclid(a,b) makes fewer than `k` recursive calls.

Extended Euclid

Euclid's algorithm can be rewritten to get the `x` and `y` such that `ax+by = d = gcd(a,b)`.

Extended-Euclid(a,b)
1. if b = 0 then return (a, 1, 0)
2. (d', x', y') = Extended-Euclid(b, a mod b)
3. (d, x, y) = (d', y', x' - floor(a/b)*y')
4. return (d, x, y)

One important use of Euclid's algorithm is to compute modular inverses. I.e., suppose we want to find a number `x` such that `ax equiv 1 mod b` where `a,b` are relatively prime, then we can use Extended Euclid to find `x`. This is getting a little ahead of ourselves, let's explore how arithmetic mod some number works a little more before using this idea.

Modular Arithmetic

We will be interested in exploiting the operations of `+` and `cdot` with respect to arithmetic modulo some integer.
This kind of structure is called a group. Formally:

Definition. A group `(S, o+)` is a set together with a binary operation `o+` defined on `S` for which the following properties hold:

Closure: For all `a,b` in `S`, `a o+ b` is in `S`.
Identity: There is an element `e in S`, called the identity of the group, such that `e o+ a = a o+ e = a` for every `a in S`.
Associativity: For all `a, b, c in S`, `(a o+ b) o+ c = a o+ (b o+ c)`.
Inverses: For each `a in S`, there exists a unique element `b in S`, called the inverse of `a`, such that `a o+ b = b o+ a = e`.

Example. `(Z, +)` is a group.

If the set `S` is finite then the group is called a finite group.
If the operation `o+` is commutative (that is, `a o+ b = b o+ a`), then the group is called an abelian group.

Groups Defined by Modular Arithmetic

Recall from last day `[a]_n ={a+kn | k in ZZ}`. This was an equivalence class for the equivalence relation `b ~ a` iff `b - a = kn` for some `k in ZZ`. i.e., `b equiv a mod n`.
Let `ZZ_n` be the set `{[b]_n | b in ZZ}`. Define `[a]_n + [b]_n = [a + b]_n` . One can show `(ZZ_n, +)` is a finite abelian group.
Let `ZZ_n^star` be the set `{[b]_n | gcd(b,n) =1}`. Define `[a]_n cdot [b]_n = [a cdot b]_n`.

Theorem. The system `(ZZ_n^star, cdot)` is a finite abelian group.

Proof. The set is obviously finite as it has fewer then `n` elements. Closure follows from Theorem (**) on an earlier slide. `[1]_n` is easily seen to be an identity. To see the existence of inverses, let `(d, x, y)` be the output of Extended-Euclid(a, n). Then `d = 1` since `a` in `ZZ_n^star` so `ax+ny=1`. So `ax equiv 1 (mod n)`. So `x` is `a`'s inverse. Associativety and commutativety follow from these properties for `ZZ`.

Properties of Groups Defined by Modular Arithmetic

We often are lazy and write `b` for the element `[b]_n`.
We further write `b^(-1)` for the inverse of `b mod n`. For example, `-2 = (5)^(-1) mod 11`.
The size of Zn* is denoted by `\phi(n)`, called Eulers phi function.
It satisfies the equation
$$\phi(n) = n \prod_{p|n}(1 - 1/p).$$
If `(S, o+)`, then a subset `S'` of `S` that is also a group under `o+`, is called a subgroup of `S`.

Theorem. If `(S, o+)` is a finite group and `S'` is any nonempty set of `S` closed under `o+`, then `(S', o+)` is a subgroup of `(S, o+)`.

Lagrange's Theorem. If `(S, o+)` is a finite group and `(S', o+)` is a subgroup, then `|S'|` is a divisor of `|S|`.

GCDs, Euclid's Algorithm, Groups

Outline