Outline

• Modular Arithmetic
• Quiz
• Solving Modular Linear Equations

Introduction

• Before the break, we started talking about Number Theoretic Algorithms.
• These algorithms underlie many protocols used for secure communication on the web, such as public key exchange.
• We discussed divisibility and defined the notion of greatest common divisor (gcd), proving some of its properties.
• We talked about the extended Euclidean algorithm for computing GCD.
• Today, we are going to start by looking at the notion of a group which is useful in understanding properties of multiplication mod some number.
• We then are going to give an algorithm for solving linear equations modulo some number.

Modular Arithmetic

• We will be interested in exploiting the operations of `+` and `cdot` with respect to arithmetic modulo some integer.
• This kind of structure is called a group. Formally:

Definition. A group `(S, o+)` is a set together with a binary operation `o+` defined on `S` for which the following properties hold:

1. Closure: For all `a,b` in `S`, `a o+ b` is in `S`.
2. Identity: There is an element `e in S`, called the identity of the group, such that `e o+ a = a o+ e = a` for every `a in S`.
3. Associativity: For all `a, b, c in S`, `(a o+ b) o+ c = a o+ (b o+ c)`.
4. Inverses: For each `a in S`, there exists a unique element `b in S`, called the inverse of `a`, such that `a o+ b = b o+ a = e`.

Example. `(Z, +)` is a group.

• If the set `S` is finite then the group is called a finite group.
• If the operation `o+` is commutative (that is, `a o+ b = b o+ a`), then the group is called an abelian group.

Groups Defined by Modular Arithmetic

• Recall `[a]_n := {a+kn | k in ZZ}`. This was an equivalence class for the equivalence relation `b ~ a`, where `b ~ a` iff `b - a = kn` for some `k in ZZ`. i.e., `b equiv a mod n`.
• Let `ZZ_n` be the set `{[b]_n | b in ZZ}`. Define `[a]_n + [b]_n = [a + b]_n` . One can show `(ZZ_n, +)` is a finite abelian group.
• Let `ZZ_n^star` be the set `{[b]_n | gcd(b,n) =1}`. Define `[a]_n cdot [b]_n = [a cdot b]_n`.

Theorem. The system `(ZZ_n^star, cdot)` is a finite abelian group.

Proof. The set is obviously finite as it has fewer then `n` elements. Closure follows from Theorem (**) on an earlier slide. `[1]_n` is easily seen to be an identity. To see the existence of inverses, let `(d, x, y)` be the output of Extended-Euclid(a, n). Then `d = 1` since `a` in `ZZ_n^star` so `ax+ny=1`. So `ax equiv 1 (mod n)`. So `x` is `a`'s inverse. Associativety and commutativety follow from these properties for `ZZ`.

Properties of Groups Defined by Modular Arithmetic

• We are often lazy and write `b` for the element `[b]_n`.
• We further write `b^(-1)` for the inverse of `b mod n`. For example, `-2 = (5)^(-1) mod 11`.
• The size of `Z_n^\star` is denoted by `\phi(n)`, called Euler's phi function.
• It satisfies the equation
  $$\phi(n) = n \prod_{p|n}(1 - 1/p).$$
• If `(S, o+)`, then a subset `S'` of `S` that is also a group under `o+`, is called a subgroup of `S`.

Theorem. If `(S, o+)` is a finite group and `S'` is any nonempty set of `S` closed under `o+`, then `(S', o+)` is a subgroup of `(S, o+)`.

Lagrange's Theorem. If `(S, o+)` is a finite group and `(S', o+)` is a subgroup, then `|S'|` is a divisor of `|S|`.

Proof Idea. Call a set of the form `aS' := {as' : s' in S', a in S}` a left coset of `S'`. The idea is to show that all the left cosets have the same number of elements. Since every element of `S` belongs to some left coset, that means the size of `S`, denoted by `|S|`, is equal to `|S:S'||S'|`, where `|S:S'|` is the number of left cosets. Hence, `|S'|` is a divisor of `|S|`.

Subgroups Generated By an Element

• Given a subset `X` of a group `G`. Let `langle X rangle` be the closure of `X` under the group operation.
• When `G` is finite `langle X rangle` is a finite group called the group generated by `X`.
• In the case where `X={b}` is a single element, then we write `langle b rangle`.
• So `langle b rangle = {b^((k)) : k>=1}` where `b^((k))` means `b o+ b ... o+ b` (`k` times).
• For example in `ZZ_6`, `langle 2 rangle ={0,2,4}`; in `ZZ_7^star`, `langle 2 rangle = {1, 2, 4}`.
• The order of `a in S`, denoted by `o\r\d(a)`, is defined as the smallest positive integer `t` such that `a^((t))=e`.

Theorem. For any finite group `(S, o+)` and any `a in S`, `o\r\d(a) = |langle a rangle|`.

Proof. Let `t=\o\r\d(a)`. Since `a^((t)) = e` and `a^((t+k))= a^((t)) o+ a^((k))= a^((k))` for `k ge 1`, if `i>t`, then `a^((i))=a^((j))` for some `j < t`. Thus, no new elements are seen after `a^((t))`. So `langle a rangle ={a^((1)), a^((2)), ... , a^((t))}` and `|langle a rangle| le t`. To see `|langle a rangle| ge t`, suppose `a^((i)) = a^((j))` for some `i,j`, satisfying `1 le i < j le t`. Then, `a^((i+k)) = a^((j+k))` for all `k>=0`. But this implies `a^((i+(t-j))) = a^((j+(t-j))) =e`, a contradiction as `i+(t-j) < t`. So all of `a^((i))` are distinct.

Some Corollaries

Corollary. The sequence `a^((1)), a^((2)), ...` is periodic with period `o\r\d(a)`.

Corollary. If `(S, o+)` is a finite group with identity `e`, then for all `a in S`, `a^((|S|))=e`.

Solving Modular Linear Equations

• We now look at the problem of finding solutions to the equation `ax equiv b (mod n)` where `a > 0` and `n > 0`.
• This is used in one of the steps in the RSA algorithm.
• Let's start with `ZZ_n`.

Theorem (%%). For any positive integers `a` and `n`, if `d = gcd(a,n)` then `langle a rangle = langle d rangle` in `ZZ_n`. Thus, `|langle a rangle| = n/d`.

Proof. We begin by showing that `d` is in `langle a rangle`. Recall that Extended-Euclid(a,n) produces integers `x'` and `y'` such that `ax'+ ny' = d`. Thus `ax' equiv d (mod n)`, so `d` is in `langle a rangle`. Since `d` is in `langle a rangle` it follows that every multiple of `d` is in `langle a rangle`. So `langle d rangle` is contained in `langle a rangle`. But now if `m in langle a rangle`, then `m equiv ax mod n`. So `m = ax+ny`. Since `d | a` and `d | n`, `d | m`; so `m in langle d rangle`. Therefore `langle a rangle subseteq langle d rangle`.

Corollary. The equation `ax equiv b (mod n)` is solvable for the unknown `x` iff `gcd(a,n) | b`.

Proof. The proof above shows us if `d = gcd(a,n)`, that the equation `ax equiv d (mod n)` has a solution. If `gcd(a,n) | b` then `m \cdot gcd(a,n) = b` for some `m`, hence, `amx equiv md equiv b (mod n)`. On the other hand, from the above proof we know `langle a rangle subseteq langle d rangle`, so any multiple of `a` is some multiple of `d` mod `n`. But if `gcd(a,n) ∤ b`, then no such multiple can be equal to `b mod n`.

More on Solving Linear Equations

Corollary. The equation `ax equiv b (mod n)` either has `d` distinct solutions modulo `n`, where `d = gcd(a,n)`, or it has no solutions.

Proof. If `ax equiv b (mod n)` has a solution, then `b in langle a rangle`. As `\o\r\d(a)=|langle a rangle|`, by Theorem (%%), the sequence `Seq ={a^((i)) mod n | i= 0, 1,..., n-1}` is periodic with period `|langle a rangle| = n/d`. So if `b in langle a rangle`, then `b` appears exactly `d` times in `Seq`.

Quiz

Which of the following statements is true?

1. If x,y are relatively prime then the extended Euclidean algorithm takes exponential time.
2. The Marker algorithm is `O(ln k)` competitive.
3. The smallest possible element of the set `{ax+by:x,y\in ZZ}` is always strictly larger than `gcd(a,b)`.