Number Theoretic Algorithms

Today, we are going to start a new topic: Number Theoretic Algorithms.
Number Theory plays an important role in many cryptographic algorithms used to securely communicate over the web.
Our goal over the next couple of weeks is to look at some of these algorithms.
In order to do that we will need to review, or learn for the first time, some number theory.
Throughout we will be interested in large integers. This means integers which cannot be stored in one, two, or even constantly many memory locations.
So we will be interested in the time complexity of even simple operations like +, * as a function of the number of bits in the input.
We will assume that any operation our computer does acts on a constant number of bits at a time, say 32, 64, 128, or 256 bits.
For example, to add two `n`-bit numbers takes `O(n)` of such operations. To multiply two n bit numbers take `O(n^2)` operations using the grade school algorithm.

Elementary Number Theory Concepts

`ZZ =` integers `= {..,-2,-1,0,1,2...}`
`NN =` natural numbers `= {0,1,2,...}`
We write `d | a` to mean `d` divides `a`. That is,there is some integer `c`, such that `cd = a`.
Notice every integer divides `0` and if `a gt 0`, if `d | a` then `|a| ge |d|`.
We might also say `a` is a multiple of `d` or `d` is a divisor of `a`.
If `d | a` does not hold, then we write `d ∤ a`

More Number Concepts

A prime number is a number which is divisible by only `1` and itself. `2, 3, 5, 7, 11, ...`
The number `1` is called a unit since `1 cdot a = a cdot 1 = a` for any a.
Other non-primes are called composite numbers.
The division theorem says: For any integer `a` and any positive integer `n`, there are unique numbers `q` and `0 le r lt n` such that `a = qn +r`.
We call `q = |__a/n__|` the quotient and `r` the remainder or residue of the division.
We write `[a]_n` for `{a + kn : k in ZZ}`, the equivalence class of `a mod n`. For example, `[-3]_7 = {...-10, -3, 4, 11 ...}`.
We define `ZZ_n= {[a]_n: 0 le a le n-1}`.
Notice this is a field where `+` and `cdot` come from the integers.

Greatest Common Divisor

If `d | a` and `d |b` then `d` is a common divisor of `a` and `b`.
Notice if `d` is a common divisor of a and b, then `d|(a+b)` and `d|(a-b)` and more generally `d|(ax+by)`
The largest common divisor of `a` and `b` is called the greatest common divisor of `a` and `b` and is denoted `gcd(a,b)`.
Ex: `gcd(250, 150) = 50`
Notice
- `gcd(a,b) = gcd(b,a)`.
- `gcd(a,b) = gcd(-a,b)`.
- `gcd(a ,b) = gcd(|a|, |b|)`.
- `gcd(a, 0) = |a|`.
- `gcd(a, ka) = |a|`.

A GCD Theorem and Corollaries

Theorem. If `a` and `b` are integers, not both zero, then `gcd(a,b)` is the smallest positive element of the set `{ax + by :x,y in Z }`.

Proof. Let `s` be the smallest positive linear combination of `a` and `b`, and let `s = ax + by` for some `x`, `y`. Let `q =|__a/s__|`. Then
`a \mod s = a-qs`
`= a - q(ax +by)`
`= a(1- qx) + b(- qy)`,
and so `a mod s` is a linear combination of `a` and `b` as well. But since `0 le a mod s < s`, we have `a mod s = 0`, because `s` was supposed to be the smallest positive such linear combination. Therefore `s | a` and by similar reasoning `s | b`. So `gcd(a,b) ge s`. As `gcd(a,b) | a` and `gcd(a,b) | b`, by the last slide we know `gcd(a,b) | s`. So `gcd(a,b)=s`.

Corollary. For any `a` and `b`, if `d|a` and `d|b`, then `d | gcd(a,b)`.

Corollary. For all integers `a` and `b` and any integer `n`, `gcd(an, bn) =n cdot gcd(a,b)`.

Corollary. For all positive integers `n`, `a`, and `b` if `n|ab` and `gcd(a,n) = 1` then `n | b`.

Relatively Prime, Unique Factorization

We say two numbers are relatively prime if `gcd(a,b) = 1`.
We say a list of integers `n_1, ..., n_k` are pairwise relatively prime if `gcd(n_i, n_j) = 1` for `i ne j`.

Theorem (**). If `gcd(a, p) = 1` and `gcd(b,p) =1`, then `gcd(ab,p)=1`.

Proof. We have `ax + py = 1` and `bx' + py' = 1`. So `ab(x\x') + p(ybx' +y'ax +pyy') = 1` and the theorem follows.

Theorem (Euclid's Lemma). For all primes `p`, for all integers `a, b`, if `p|ab` then `p|a` or `p|b` or both.

Proof. If `p|ab` but not `p|b` and not `p|a`, then we know `gcd(p,a)=1` and `gcd(p,b)=1`. So `gcd(p,ab)=1` contradicting `p|ab`.

Unique Factorization Theorem. (appears in Euclid's Elements). A positive composite integer `m` can be written in exactly one way as a product of the form:
`m = p_1^(e_1)p_2^(e_2) cdots p_r^(e_r)`
where `p_i`'s are prime and `e_i`'s are positive integers.

We won't prove this, but it is proven in Wikipedia using induction to show existence of a factorization, and Euclid's Lemma to do matching of primes to show uniqueness.

Towards Euclid's Algorithm

It follows from the Unique Factorization Theorem that if:
`a = p_1^(e_1)p_2^(e_2) cdots p_r^(e_r)`
`b = p_1^(f_1)p_2^(f_2) cdots p_r^(f_r)`
then
`gcd(a, b) = p_1^(min(e_1, f_1))p_2^(min(e_2, f_2)) cdots p_r^(min(e_r, f_r))`

Theorem. For any nonnegative integer `a` and any positive integer `b`, `gcd(a,b) = gcd(b, a mod b)`.

Proof Idea. Show `gcd(a,b)| gcd(b, a mod b)` and `gcd(b, a mod b) | gcd(a,b)` using that `gcd` divides any linear combination of its arguments.

Euclid's Algorithm (c 300BC)

The theorem of the last slide can be converted into Euclid's Algorithm for finding the gcd of two numbers:
```
Euclid(a,b): 
   if b=0 return a;
   else return Euclid(b, a mod b)
```
As an example, applying this algorithm to 99 and 30 gives:
Euclid(99, 30) = Euclid(30, 9) = Euclid(9, 3) = Euclid(3,0) = 3.

The Runtime of Euclid's Algorithm

Lemma. If `a gt b ge 1` and the invocation Euclid(a,b) performs `k>=1` recursive calls, then `a ge F_(k+2)` and `b ge F_(k+1)`. Here `F_k` is the `k`th Fibonacci number.

Proof. By induction on `k`. Let `k = 1`. Then `b ge 1 = F_2` and since `a > b`, `a ge 2 = F_3`. So the statement is true. Since `b > (a mod b)`, in each recursive call the first argument will always be the larger number.

Assume the statement is true for `k - 1`, and suppose Euclid(a, b) performs `k` calls. Well, this function then calls Euclid(b, a mod b) which then makes `k-1` calls. By the induction hypothesis we have `b ge F_((k-1)+2) = F_(k+1)` and `a mod b ge F_k`. Notice `a ge b + (a mod b) ge F_(k+1) + F_k = F_(k+2)`.

Corollary (Lamé's Theorem 1844). For any integer `k ge 1`, if `a gt b ge 1` and `b lt F_(k+1)`, then Euclid(a,b) makes fewer than `k` recursive calls.

Extended Euclid

Euclid's algorithm can be rewritten to get the `x` and `y` such that `ax+by = d = gcd(a,b)`.

Extended-Euclid(a,b)
1. if b = 0 then return (a, 1, 0)
2. (d', x', y') = Extended-Euclid(b, a mod b)
3. (d, x, y) = (d', y', x' - floor(a/b)*y')
4. return (d, x, y)

One important use of Euclid's algorithm is to compute modular inverses. I.e., suppose we want to find a number `x` such that `ax equiv 1 mod b` where `a,b` are relatively prime, then we can use Extended Euclid to find `x`. This is getting a little ahead of ourselves, let's explore how arithmetic mod some number works a little more before using this idea.

Number Theoretic Algorithms, GCDs, Euclid's Algorithm, Groups

Outline