Introduction

On Monday, we started talking about Number Theoretic Algorithms.
These algorithms underlie many protocols used for secure communication on the web, such a public key exchange.
We discussed divisibility and defined the notion of greatest common divisor (gcd), proving some of its properties.
We showed how the extended Euclid algorithm for computing GCD could be used to find multiplicative inverses mod some number.
We defined the notion of a group and gave some examples such as `ZZ_n` and `ZZ_n^star`.
Today, we are going to give an algorithm for solving linear equations modulo some number.

Subgroups Generated By an Element

Given a subset `X` of a group `G`. Let `langle X rangle` be the closure of `X` under the group operation.
When `G` is finite `langle X rangle` is a finite group called the group generated by `X`.
In the case where `X={b}` is a single element, then we write `langle b rangle`.
So `langle b rangle = {b^((k)) : k>=1}` where `b^((k))` means `b o+ b ... o+ b` (`k` times).
For example in `ZZ_6`, `langle 2 rangle ={0,2,4}`; in `ZZ_7^star`, `langle 2 rangle = {1, 2, 4}`.
The order of `a in S`, denoted by `o\r\d(a)`, is defined as the smallest positive integer `t` such that `a^((t))=e`.

Theorem. For any finite group `(S, o+)` and any `a in S`, `o\r\d(a) = |langle a rangle|`.

Proof. Let `t=\o\r\d(a)`. Since `a^((t)) = e` and `a^((t+k))= a^((t)) o+ a^((k))= a^((k))` for `k ge 1`, if `i>t`, then `a^((i))=a^((j))` for some `j < t`. Thus, no new elements are seen after `a^((t))`. So `langle a rangle ={a^((1)), a^((2)), ... , a^((t))}` and `|langle a rangle| le t`. To see `|langle a rangle| ge t`, suppose `a^((i)) = a^((j))` for some `i,j`, satisfying `1 le i < j le t`. Then, `a^((i+k)) = a^((j+k))` for all `k>=0`. But this implies `a^((i+(t-j))) = a^((j+(t-j))) =e`, a contradiction as `i+(t-j) < t`. So all of `a^((i))` are distinct.

Some Corollaries

Corollary. The sequence `a^((1)), a^((2)), ...` is periodic with period `o\r\d(a)`.

Corollary. If `(S, o+)` is a finite group with identity `e`, then for all `a in S`, `a^((|S|))=e`.

Solving Modular Linear Equations

We now look at the problem of finding solutions to the equation `ax equiv b (mod n)` where `a > 0` and `n > 0`.
This is used in one of the steps in the RSA algorithm.
Let's start with `ZZ_n`.

Theorem (%%). For any positive integers `a` and `n`, if `d = gcd(a,n)` then `langle a rangle = langle d rangle` in `ZZ_n`. Thus, `|langle a rangle| = n/d`.

Proof. We begin by showing that `d` is in `langle a rangle`. Recall that Extended-Euclid(a,n) produces integers `x'` and `y'` such that `ax'+ ny' = d`. Thus `ax' equiv d (mod n)`, so `d` is in `langle a rangle`. Since `d` is in `langle a rangle` it follows that every multiple of `d` is in `langle a rangle`. So `langle d rangle` is contained in `langle a rangle`. But now if `m in langle a rangle`, then `m equiv ax mod n`. So `m = ax+ny`. Since `d | a` and `d | n`, `d | m`; so `m in langle d rangle`. Therefore `langle a rangle subseteq langle d rangle`.

Corollary. The equation `ax equiv b (mod n)` is solvable for the unknown `x` iff `gcd(a,n) | b`.

Proof. The proof above shows us if `d = gcd(a,n)`, that the equation `ax equiv d (mod n)` has a solution. If `gcd(a,n) | b` then `m \cdot gcd(a,n) = b` for some `m`, hence, `amx equiv md equiv b (mod n)`. On the other hand, from the above proof we know `langle a rangle subseteq langle d rangle`, so any multiple of `a` is some multiple of `d` mod `n`. But if `gcd(a,n) ∤ b`, then no such multiple can be equal to `b mod n`.

More on Solving Linear Equations

Corollary. The equation `ax equiv b (mod n)` either has `d` distinct solutions modulo `n`, where `d = gcd(a,n)`, or it has no solutions.

Proof. If `ax equiv b (mod n)` has a solution, then `b in langle a rangle`. As `\o\r\d(a)=|langle a rangle|`, by Theorem (%%), the sequence `Seq ={a^((i)) mod n | i= 0, 1,..., n-1}` is periodic with period `|langle a rangle| = n/d`. So if `b in langle a rangle`, then `b` appears exactly `d` times in `Seq`.

In-Class Exercise

How many solutions will the equation `5x = 3 mod 15` have ?
How many solutions will the equation `10x = 5 mod 15` have ?
Work out any solutions using what we've learned so far.
Post your solutions to the Apr 4 In-Class Exercise Thread.

A Solution Existence Theorem for Modular Linear Equations

Before giving our Modular-Linear-Equation-Solver algorithm we need to give a last couple theorems
The first shows such equations have a solution:

Theorem. Let `d=gcd(a,n)` and suppose `d=ax' + ny'` for some integers `x'` and `y'`. If `d | b`, then the equation `ax equiv b (mod n)` has as one of its solutions the value `x_0` where `x_0 = x'(b/d) mod n`.

Proof. Suppose `x_0 = x'(b/d) mod n`. Then
`ax_0 equiv ax'(b/d) (mod n)`
`equiv d(b/d) (mod n)`
` equiv b (mod n)`

On the Number of Solution

The second theorem gives the number of solutions.

Theorem. Suppose `ax equiv b (mod n)` is solvable and that `x_0` is a solution. Then this equation has exactly `d` solutions given by `x_i= x_0 + i(n/d)`, for `i=0,1,...`

Proof. Since `n/d > 0` and `0 le i(n/d) < n`, the values `x_0, x_1,..., x_d` are all distinct. Each will be a solution since `a x_i equiv a(x_0 + i(n/d)) equiv a x_0 + a i(n/d) equiv a x_0 equiv b(mod n)`. From our corollary earlier today, the equation either has `d` solutions or no solutions so we must have all of them.

Modular Linear Equation Algorithm

Given the above theorems we are now in position to give an algorithm for solving modular equations:

Modular-Linear-Equation-Solver(a, b, n) 
1. (d, x', y') = Extended-Euclid(a, n)
2. if d|b:
3.    x_0 = x'*(b/d) mod n 
4.    for i = 0 to d -1
5.        do print (x_0 + (i * (n/d)) mod n 
6. else print "no solutions"

Modular Arithmetic

Outline