Number Theoretic Algorithms

Today, we are going to start a new topic: Number Theoretic Algorithms.
Number Theory plays an important role in many cryptographic algorithms used to securely communicate over the web.
Our goal over the next couple of weeks is to look at some of these algorithms.
In order to do that we will need to review, or learn for the first time, some number theory.
Throughout we will be interested in large integers. This means integers which cannot be stored in one, two, or even constantly many memory locations.
So we will be interested in the time complexity of even simple operations like +, * as a function of the number of bits in the input.
We will assume that any operation our computer does acts on a constant number of bits at a time, say 32, 64, 128, or 256 bits.
For example, to add two `n`-bit numbers takes `O(n)` of such operations. To multiply two n bit numbers take `O(n^2)` operations using the grade school algorithm.

Elementary Number Theory Concepts

`ZZ =` integers `= {..,-2,-1,0,1,2...}`
`NN =` natural numbers `= {0,1,2,...}`
We write `d | a` to mean `d` divides `a`. That is,there is some integer `c`, such that `cd = a`.
Notice every integer divides `0` and if `a gt 0`, if `d | a` then `|a| ge |d|`.
We might also say `a` is a multiple of `d` or `d` is a divisor of `a`.
If `d | a` does not hold, then we write `d ∤ a`

More Number Concepts

A prime number is a number which is divisible by only `1` and itself. `2, 3, 5, 7, 11, ...`
The number `1` is called a unit since `1 cdot a = a cdot 1 = a` for any a.
Other non-primes are called composite numbers.
The division theorem says: For any integer `a` and any positive integer `n`, there are unique numbers `q` and `0 le r lt n` such that `a = qn +r`.
We call `q = |__a/n__|` the quotient and `r` the remainder or residue of the division.
We write `[a]_n` for `{a + kn : k in ZZ}`, the equivalence class of `a mod n`. For example, `[-3]_7 = {...-10, -3, 4, 11 ...}`.
We define `ZZ_n= {[a]_n: 0 le a le n-1}`.
Notice this is a field where `+` and `cdot` come from the integers.

Greatest Common Divisor

If `d | a` and `d |b` then `d` is a common divisor of `a` and `b`.
Notice if `d` is a common divisor of a and b, then `d|(a+b)` and `d|(a-b)` and more generally `d|(ax+by)`
The largest common divisor of `a` and `b` is called the greatest common divisor of `a` and `b` and is denoted `gcd(a,b)`.
Ex: `gcd(250, 150) = 50`
Notice
- `gcd(a,b) = gcd(b,a)`.
- `gcd(a,b) = gcd(-a,b)`.
- `gcd(a ,b) = gcd(|a|, |b|)`.
- `gcd(a, 0) = |a|`.
- `gcd(a, ka) = |a|`.

Quiz

Which of the following statements is true?

In class we showed: Any CREW PRAM algorithm using `O(n^2 - 2\epsilon)` total memory, `O(n^2 - 2epsilon)` processors and `t(n)` running time can be simulated in `lfloor 1/2n rfloor` rounds in DMRC.
It is possible for a deterministic online paging algorithm to have competitiveness `k/2`.
The Marker algorithm with a cache of `k` items has at least a `k` bit memory overhead.

A GCD Theorem and Corollaries

Theorem. If `a` and `b` are integers, not both zero, then `gcd(a,b)` is the smallest positive element of the set `{ax + by :x,y in Z }`.

Proof. Let `s` be the smallest positive linear combination of `a` and `b`, and let `s = ax + by` for some `x`, `y`. Let `q =|__a/s__|`. Then
`a \mod s = a-qs`
`= a - q(ax +by)`
`= a(1- qx) + b(- qy)`,
and so `a mod s` is a linear combination of `a` and `b` as well. But since `0 le a mod s le s`, we have `a mod s = 0`, because `s` was supposed to be the smallest positive such linear combination. Therefore `s | a` and by similar reasoning `s | b`. So `gcd(a,b) ge s`. As `gcd(a,b) | a` and `gcd(a,b) | b`, by the last slide we know `gcd(a,b) | s`. So `gcd(a,b)=s`.

Corollary. For any `a` and `b`, if `d|a` and `d|b`, then `d | gcd(a,b)`.

Corollary. For all integers `a` and `b` and any integer `n`, `gcd(an, bn) =n cdot gcd(a,b)`.

Corollary. For all positive integers `n`, `a`, and `b` if `n|ab` and `gcd(a,n) = 1` then `n | b`.

Relatively Prime, Unique Factorization

We say two numbers are relatively prime if `gcd(a,b) = 1`.
We say a list of integers `n_1, ..., n_k` are pairwise relatively prime if `gcd(n_i, n_j) = 1` for `i ne j`.

Theorem (**). If `gcd(a, p) = 1` and `gcd(b,p) =1`, then `gcd(ab,p)=1`.

Proof. We have `ax + py = 1` and `bx' + py' = 1`. So `ab(x\x') + p(ybx' +y'ax +pyy') = 1` and the theorem follows.

Theorem (Euclid's Lemma). For all primes `p`, for all integers `a, b`, if `p|ab` then `p|a` or `p|b` or both.

Proof. If `p|ab` but not `p|b` and not `p|a`, then we know `gcd(p,a)=1` and `gcd(p,b)=1`. So `gcd(p,ab)=1` contradicting `p|ab`.

Unique Factorization Theorem. (appears in Euclid's Elements). A positive composite integer `m` can be written in exactly one way as a product of the form:
`m = p_1^(e_1)p_2^(e_2) cdots p_r^(e_r)`
where `p_i`'s are prime and `e_i`'s are positive integers.

We won't prove this, but it is proven in Wikipedia using induction to show existence of a factorization, and Euclid's Lemma to do matching of primes to show uniqueness.

Towards Euclid's Algorithm

It follows from the Unique Factorization Theorem that if:
`a = p_1^(e_1)p_2^(e_2) cdots p_r^(e_r)`
`b = p_1^(f_1)p_2^(f_2) cdots p_r^(f_r)`
then
`gcd(a, b) = p_1^(min(e_1, f_1))p_2^(min(e_2, f_2)) cdots p_r^(min(e_r, f_r))`

Theorem. For any nonnegative integer `a` and any positive integer `b`, `gcd(a,b) = gcd(b, a mod b)`.

Proof Idea. Show `gcd(a,b)| gcd(b, a mod b)` and `gcd(b, a mod b) | gcd(a,b)` using that `gcd` divides any linear combination of its arguments.

Euclid's Algorithm (c 300BC)

The theorem of the last slide can be converted into Euclid's Algorithm for finding the gcd of two numbers:
```
Euclid(a,b): 
   if b=0 return a;
   else return Euclid(b, a mod b)
```
As an example, applying this algorithm to 99 and 30 gives:
Euclid(99, 30) = Euclid(30, 9) = Euclid(9, 3) = Euclid(3,0) = 3.

The Runtime of Euclid's Algorithm

Lemma. If `a gt b ge 1` and the invocation Euclid(a,b) performs `k>=1` recursive calls, then `a ge F_(k+2)` and `b ge F_(k+1)`. Here `F_k` is the `k`th Fibonacci number.

Proof. By induction on `k`. Let `k = 1`. Then `b ge 1 = F_2` and since `a > b`, `a ge 2 = F_3`. So the statement is true. Since `b > (a mod b)`, in each recursive call the first argument will always be the larger number.

Assume the statement is true for `k - 1`, and suppose Euclid(a, b) performs `k` calls. Well, this function then calls Euclid(b, a mod b) which then makes `k-1` calls. By the induction hypothesis we have `b ge F_((k-1)+2) = F_(k+1)` and `a mod b ge F_k`. Notice `a ge b + (a mod b) ge F_(k+1) + F_k = F_(k+2)`.

Corollary (Lamé's Theorem 1844). For any integer `k ge 1`, if `a gt b ge 1` and `b lt F_(k+1)`, then Euclid(a,b) makes fewer than `k` recursive calls.

Extended Euclid

Euclid's algorithm can be rewritten to get the `x` and `y` such that `ax+by = d = gcd(a,b)`.

Extended-Euclid(a,b)
1. if b = 0 then return (a, 1, 0)
2. (d', x', y') = Extended-Euclid(b, a mod b)
3. (d, x, y) = (d', y', x' - floor(a/b)*y')
4. return (d, x, y)

One important use of Euclid's algorithm is to compute modular inverses. I.e., suppose we want to find a number `x` such that `ax equiv 1 mod b` where `a,b` are relatively prime, then we can use Extended Euclid to find `x`. This is getting a little ahead of ourselves, let's explore how arithmetic mod some number works a little more before using this idea.

Modular Arithmetic

We will be interested in exploiting the operations of `+` and `cdot` with respect to arithmetic modulo some integer.
This kind of structure is called a group. Formally:

Definition. A group `(S, o+)` is a set together with a binary operation `o+` defined on `S` for which the following properties hold:

Closure: For all `a,b` in `S`, `a o+ b` is in `S`.
Identity: There is an element `e in S`, called the identity of the group, such that `e o+ a = a o+ e = a` for every `a in S`.
Associativity: For all `a, b, c in S`, `(a o+ b) o+ c = a o+ (b o+ c)`.
Inverses: For each `a in S`, there exists a unique element `b in S`, called the inverse of `a`, such that `a o+ b = b o+ a = e`.

Example. `(Z, +)` is a group.

If the set `S` is finite then the group is called a finite group.
If the operation `o+` is commutative (that is, `a o+ b = b o+ a`), then the group is called an abelian group.

Groups Defined by Modular Arithmetic

Recall that `[a]_n ={a+kn | k in ZZ}`. This was an equivalence class for the equivalence relation `b ~ a` iff `b - a = kn` for some `k in ZZ`. i.e., `b equiv a mod n`.
Let `ZZ_n` be the set `{[b]_n | b in ZZ}`. Define `[a]_n + [b]_n = [a + b]_n` . One can show `(ZZ_n, +)` is a finite abelian group.
Let `ZZ_n^star` be the set `{[b]_n | gcd(b,n) =1}`. Define `[a]_n cdot [b]_n = [a cdot b]_n`.

Theorem. The system `(ZZ_n^star, cdot)` is a finite abelian group.

Proof. The set is obviously finite as it has fewer then `n` elements. Closure follows from Theorem (**) on an earlier slide. `[1]_n` is easily seen to be an identity. To see the existence of inverses, let `(d, x, y)` be the output of Extended-Euclid(a, n). Then `d = 1` since `a` in `ZZ_n^star` so `ax+ny=1`. So `ax equiv 1 (mod n)`. So `x` is `a`'s inverse. Associativety and commutativety follow from these properties for `ZZ`.

Properties of Groups Defined by Modular Arithmetic

We often are lazy and write `b` for the element `[b]_n`.
We further write `b^(-1)` for the inverse of `b mod n`. For example, `-2 = (5)^(-1) mod 11`.
The size of `Z_n^\star` is denoted by `\phi(n)`, called Euler's phi function.
It satisfies the equation
$$\phi(n) = n \prod_{p|n}(1 - 1/p).$$
If `(S, o+)`, then a subset `S'` of `S` that is also a group under `o+`, is called a subgroup of `S`.

Theorem. If `(S, o+)` is a finite group and `S'` is any nonempty set of `S` closed under `o+`, then `(S', o+)` is a subgroup of `(S, o+)`.

Lagrange's Theorem. If `(S, o+)` is a finite group and `(S', o+)` is a subgroup, then `|S'|` is a divisor of `|S|`.

Proof Idea. Call a set of the form `aS' := {as' : s' in S', a in S}` a left coset of `S'`. The idea is to show that all the left cosets have the same number of elements. Since every element of `S` belongs to some left coset. That means the size of `S`, denoted by `|S|`, is equal to `|S:S'||S'|`, where `|S:S'|` is the number of left cosets. Hence, `|S'|` is a divisor of `|S|`.

Number Theoretic Algorithms, GCDs, Euclid's Algorithm, Groups

Outline