Outline
- Modular Arithmetic
- Quiz
- Solving Modular Linear Equations
Introduction
- Last week, we started talking about number theoretic algorithms.
- We went over the basic definitions of the naturals, integers, primes, etc.
- We then discussed properties of gcd (greatest common divisor).
- We gave Euclid's algorithm for computing gcd and gave an upper bound on its run time.
- Today, we look at modular arithmetic and how to find solutions to linear equations modulo some number.
- This will be useful when we describe the RSA encryption algorithm.
Modular Arithmetic
- We will be interested in exploiting the operations `+` and `cdot` with
respect to arithmetic modulo some integer.
- Each of these operations, on a suitable set of residues, gives a structure called a group. Formally:
Definition. A group `(S, o+)` is a set together with a binary operation `o+` defined on `S`
for which the following properties hold:
- Closure: For all `a,b` in `S`, `a o+ b` is in `S`.
- Identity: There is an element `e in S`, called the identity of the group,
such that `e o+ a = a o+ e = a` for every `a in S`.
- Associativity: For all `a, b, c in S`, `(a o+ b) o+ c = a o+ (b o+ c)`.
- Inverses: For each `a in S`, there exists a unique element `b in S`, called the
inverse of `a`, such that `a o+ b = b o+ a = e`.
Example. `(ZZ, +)` is a group.
- If the set `S` is finite then the group is called a finite group.
- If the operation `o+` is commutative (that is, `a o+ b = b o+ a`), then the group is
called an abelian group.
Groups Defined by Modular Arithmetic
- Recall from the last lecture that `[a]_n ={a+kn | k in ZZ}`. This was the equivalence class of `a` for the equivalence
relation `b ~ a` iff `b - a = kn` for some `k in ZZ`. i.e., `b equiv a mod n`.
- Let `ZZ_n` be the set `{[b]_n | b in ZZ}`. Define `[a]_n + [b]_n = [a + b]_n` .
One can show `(ZZ_n, +)` is a finite abelian group.
- Let `ZZ_n^star` be the set `{[b]_n | gcd(b,n) =1}`. Define `[a]_n cdot [b]_n = [a cdot b]_n`.
Theorem. The system `(ZZ_n^star, cdot)` is a finite abelian group.
Proof. The set is obviously finite, as it is a subset of `ZZ_n`, which has `n` elements.
Closure follows from Theorem (**) from the April 1 Lecture.
`[1]_n` is easily seen to be an identity. To see the existence of inverses, let `(d, x, y)` be the output of
Extended-Euclid(a, n). Then `d = 1` since `a` in `ZZ_n^star` so `ax+ny=1`. So
`ax equiv 1 (mod n)`. So `x` is `a`'s inverse.
Associativity and commutativity follow from these properties for `ZZ`.
Quiz
Which of the following is true?
- The Marker algorithm and LRU are both `O(H_k)`-competitive.
- If `n` is the number of bits in `a` and `b`, then Euclid(a, b) is an `Omega(n)` algorithm.
- If `a` and `b` are integers, not both zero, then `gcd(a,b)` is the smallest positive element of the set `{ax+by:x,y in ZZ}`.
Properties of Groups Defined by Modular Arithmetic
- We often are lazy and write `b` for the element `[b]_n`.
- We further write `b^((-1))` for the inverse of `b mod n`. For example, `-2 = (5)^((-1)) mod 11`.
- The size of `ZZ_n^star` is denoted by `\phi(n)`, called Euler's phi function.
- It satisfies the equation
$$\phi(n) = n \prod_{p|n}(1 - 1/p).$$
- If `(S, o+)` is a group, then a subset `S'` of `S` that is also a group under `o+`, is called a subgroup of `S`.
Theorem. If `(S, o+)` is a finite group and `S'` is any nonempty subset of `S`
closed under `o+`, then `(S', o+)` is a subgroup of `(S, o+)`.
Lagrange's Theorem. If `(S, o+)` is a finite group and `(S', o+)` is a subgroup, then `|S'|` is a divisor of `|S|`.
Subgroups Generated By an Element
- Given a subset `X` of a group `G`. Let `langle X rangle` be the closure of `X` under the group operation.
- When `G` is finite `langle X rangle` is a finite group called the group generated by `X`.
- In the case where `X={b}` is a single element, then we write `langle b rangle`.
- So `langle b rangle = {b^((k)) : k>=1}` where `b^((k))` means `b o+ b ... o+ b` (`k` times).
- For example in `ZZ_6`, `langle 2 rangle ={0,2,4}`; in `ZZ_7^star`, `langle 2 rangle = {1, 2, 4}`.
- The order of `a in S`, denoted by `ord(a)`, is defined as the smallest positive integer `t` such that `a^((t))=e`.
Theorem. For any finite group `(S, o+)` and any `a in S`, `ord(a) = |langle a rangle|`.
Proof. Let `t=ord(a)`. Since `a^((t)) = e` and `a^((t+k))= a^((t)) o+ a^((k))= a^((k))`
for `k ge 1`, if `i>t`, then `a^((i))=a^((j))` for some `j` with `1 le j le t`. Thus, no new elements are seen
after `a^((t))`. So `langle a rangle ={a^((1)), a^((2)), ... , a^((t))}` and `|langle a rangle| le t`. To see
`|langle a rangle| ge t`, suppose `a^((i)) = a^((j))` for some `i,j`, satisfying `1 le i < j le t`.
Then, `a^((i+k)) = a^((j+k))` for all `k>=0`. But this implies `a^((i+(t-j))) = a^((j+(t-j))) =e`,
a contradiction as `i+(t-j) < t`. So all of `a^((i))` are distinct.
Some Corollaries
Corollary. The sequence `a^((1)), a^((2)), ...` is periodic with period `ord(a)`.
Corollary. If `(S, o+)` is a finite group with identity `e`, then for all `a in S`, `a^((|S|))=e`.
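As an added example (not code from the lecture notes), the following Python brute-forces the notions above for `n` small enough to enumerate: the subgroup `langle b rangle` generated by an element, `ord(b)`, Euler's `phi(n)` via the product formula, and a check on `ZZ_n^star` of `ord(a) = |langle a rangle|`, Lagrange's theorem, and the corollary `a^((|S|)) = e`. The helper names (`Z_n`, `Z_n_star`, `generated`, `order`, `phi`, `check_theorems`) are my own.

```python
from math import gcd

# Added example, not code from the lecture notes: brute-force versions of the
# group notions above, for n small enough to enumerate. Names are my own.

def Z_n(n):
    """(Z_n, +): residues 0..n-1 under addition mod n; returns (elements, op, identity)."""
    return list(range(n)), (lambda a, b: (a + b) % n), 0

def Z_n_star(n):
    """(Z_n^*, .): residues coprime to n under multiplication mod n."""
    return [b for b in range(n) if gcd(b, n) == 1], (lambda a, b: (a * b) % n), 1 % n

def generated(b, op):
    """<b> = {b^(1), b^(2), ...}: keep applying op to b until an element repeats."""
    seen, x = [], b
    while x not in seen:
        seen.append(x)
        x = op(x, b)
    return seen

def order(b, op, e):
    """ord(b): the smallest t >= 1 with b^(t) = e."""
    t, x = 1, b
    while x != e:
        x, t = op(x, b), t + 1
    return t

def phi(n):
    """Euler's phi(n) = n * prod_{p | n} (1 - 1/p), computed in integers by trial division."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result = result // p * (p - 1)   # exact: result is still divisible by p here
        p += 1
    if m > 1:                                # one prime factor larger than sqrt(n) is left
        result = result // m * (m - 1)
    return result

def check_theorems(n):
    """On (Z_n^*, .): |Z_n^*| = phi(n); ord(a) = |<a>|; ord(a) divides |S|
    (Lagrange, since <a> is a subgroup); and a^(|S|) = e (Corollary above)."""
    elems, op, e = Z_n_star(n)
    size = len(elems)
    if size != phi(n):
        return False
    for a in elems:
        t = order(a, op, e)
        if t != len(generated(a, op)) or size % t != 0 or pow(a, size, n) != e:
            return False
    return True

if __name__ == "__main__":
    print(sorted(generated(2, Z_n(6)[1])))        # [0, 2, 4], as in the notes
    print(sorted(generated(2, Z_n_star(7)[1])))   # [1, 2, 4]
    print(phi(12), phi(11))                       # 4 10
    print(all(check_theorems(n) for n in range(2, 60)))   # True
```

The same `generated` and `order` helpers work for both `(ZZ_n, +)` and `(ZZ_n^star, cdot)` because they only use the group operation and identity; the two examples from the notes, `langle 2 rangle` in `ZZ_6` and in `ZZ_7^star`, come out as listed above.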
Solving Modular Linear Equations
- We now look at the problem of finding solutions
to the equation `ax equiv b (mod n)` where `a > 0` and `n > 0`.
- This is used in one of the steps in the RSA algorithm.
- Let's start with `ZZ_n`.
Theorem (%%). For any positive integers `a` and `n`,
if `d = gcd(a,n)` then `langle a rangle = langle d rangle` in `ZZ_n`. Since `langle d rangle = {0, d, 2d, ..., n-d}`, it follows that `|langle a rangle| = n/d`.
Proof. We begin by showing that `d` is in `langle a rangle`. Recall that Extended-Euclid(a,n)
produces integers `x'` and `y'` such that `ax'+ ny' = d`. Thus `ax' equiv d (mod n)`,
so `d` is in `langle a rangle`. Since `d` is in `langle a rangle`
it follows that every multiple of `d` is in `langle a rangle`.
So `langle d rangle` is contained in `langle a rangle`.
But now if `m in langle a rangle`, then `m equiv ax (mod n)` for some `x`. So `m = ax+ny` for some integers `x` and `y`.
Since `d | a` and `d | n`, `d | m`; so `m in langle d rangle`. Therefore `langle a rangle subseteq langle d rangle`.
Corollary. The equation `ax equiv b (mod n)` is solvable for the unknown `x` iff `gcd(a,n) | b`.
More on Solving Linear Equations
Corollary. The equation `ax equiv b (mod n)` either has `d` distinct solutions
modulo `n`, where `d = gcd(a,n)`, or it has no solutions.
Proof. If `ax equiv b (mod n)` has a solution, then `b in langle a rangle`. By Theorem (%%), `|langle a rangle| = n/d`, and since
`ord(a)=|langle a rangle|`, the sequence `Seq = (a^((i)) mod n : i= 0, 1,..., n-1)` (that is, `ia mod n`, since the operation in `ZZ_n` is `+`) is periodic with period `n/d`. So if
`b in langle a rangle`, then `b` appears exactly `d` times in `Seq`, once per period, and the `d` indices `i` at which it appears are the solutions.
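As an added example (not code from the lecture notes), here is Extended-Euclid in Python together with the two uses made of it above: the inverse of `a` in `ZZ_n^star` from the proof that `(ZZ_n^star, cdot)` is a group, and a solver for `ax equiv b (mod n)` whose solution count is the corollary just proved. Function names are my own; the brute-force checker is there only to confirm the count `d = gcd(a,n)` on small inputs.

```python
# Added example, not code from the lecture notes: Extended-Euclid and the
# solver for a*x = b (mod n) built on it. Function names are my own.

def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d, for a, b >= 0."""
    if b == 0:
        return a, 1, 0
    d, x1, y1 = extended_euclid(b, a % b)
    # d = b*x1 + (a mod b)*y1 = b*x1 + (a - (a//b)*b)*y1 = a*y1 + b*(x1 - (a//b)*y1)
    return d, y1, x1 - (a // b) * y1

def mod_inverse(a, n):
    """Inverse of [a]_n in Z_n^*, as in the group proof: from a*x + n*y = 1
    we get a*x = 1 (mod n). Raises if gcd(a, n) != 1, i.e. a is not in Z_n^*."""
    d, x, _ = extended_euclid(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd({a}, {n}) = {d}")
    return x % n

def solve_linear_congruence(a, b, n):
    """All x in 0..n-1 with a*x = b (mod n). Returns d = gcd(a, n) solutions
    spaced n/d apart (that spacing is |<a>| = n/d from Theorem (%%)),
    or [] when d does not divide b (Corollary above)."""
    d, x_prime, _ = extended_euclid(a % n, n)
    if b % d != 0:
        return []
    x0 = (x_prime * (b // d)) % n   # a*x' = d (mod n), so a*x'*(b/d) = b (mod n)
    return sorted((x0 + i * (n // d)) % n for i in range(d))

def brute_force_solutions(a, b, n):
    """Exhaustive check used only to confirm the solver (fine for small n)."""
    return [x for x in range(n) if (a * x - b) % n == 0]

if __name__ == "__main__":
    print(mod_inverse(5, 11))                    # 9, i.e. -2 mod 11, as in the notes
    print(solve_linear_congruence(14, 30, 100))  # [45, 95]: gcd(14, 100) = 2 solutions
    print(solve_linear_congruence(4, 3, 8))      # []: gcd(4, 8) = 4 does not divide 3
```

`mod_inverse` is exactly the inverse argument from the group theorem: Extended-Euclid returns `(1, x, y)` with `ax + ny = 1`, so `x mod n` is the inverse. The solver uses the same `x'` with `ax' equiv d (mod n)`, scales it by `b/d` to get one solution, then steps by `n/d`, which is why it returns `d` solutions or none.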