A Computational Introduction to Number Theory and Algebra
(BETA version 2)
Victor Shoup
Copyright © 2003 by Victor Shoup <shoup@cs.nyu.edu>
All rights reserved. No part of this book may be reproduced in any form by any
electronic or mechanical means without permission in writing from the author.
The only exception to this is that individuals are free to store electronic copies
and print paper copies for personal use only.
Please do not post electronic copies of this document on publicly accessible
web servers; instead, post a link to www.shoup.net/ntb.
If you want a copy shop to print a number of copies of the book for use in a
class, please contact the author for permission.
Preface
Number theory and algebra play an increasingly significant role in computing
and communications, as evidenced by the striking applications of these subjects
to such fields as cryptography and coding theory. My goal in writing this book
was to provide an introduction to number theory and algebra, with an emphasis
on algorithms and applications, that would be accessible to a broad audience.
In particular, I wanted to write a book that would be accessible to typical
graduate students in computer science who have a reasonable amount of general
mathematical experience, while not presupposing anything in particular beyond
a standard undergraduate calculus sequence.
The structure of the book is somewhat unique. All of the mathematics
required beyond a typical calculus sequence is developed “from scratch.” More-
over, the book generally alternates between “theory” and “applications”: one or
two chapters on a particular set of purely mathematical concepts are followed
by one or two chapters on algorithms and applications — the mathematics pro-
vides the theoretical underpinnings for the applications, while the applications
both motivate and illustrate the mathematics. Of course, this dichotomy be-
tween theory and applications is not perfectly maintained: the chapters that
focus mainly on applications include the development of some of the mathemat-
ics that is specialized for a particular application, and very occasionally, some
of the chapters that focus on mathematics include a discussion of related algo-
rithmic ideas as well. In developing the mathematics required to discuss certain
applications, I tried to strike a reasonable balance between, on the one hand,
presenting the absolute minimum required to understand and rigorously analyze
the applications, and on the other hand, presenting a full-blown development of
the relevant mathematics. In striking this balance, I wanted to be reasonably
economical and concise, while at the same time, I wanted to develop enough of
the theory so as to give a fairly well rounded account, giving the reader more of
a feeling for the mathematical “big picture.”
The mathematical material covered includes the basics of number theory (in-
cluding unique factorization, congruences, the distribution of primes, quadratic
reciprocity), abstract algebra (including groups, rings, fields, and vector spaces),
as well as discrete probability theory (which is needed for the treatment of
probabilistic algorithms). The treatment of these topics is more or less standard, with
perhaps the exception of groups: the text only deals with abelian groups, as this
is all that is really needed for the purposes of this text, and the theory of abelian
groups is much simpler and more transparent than that of general groups. Even
though it is mathematically quite self-contained, the text does presuppose that
the reader is proficient at reading and doing mathematical proofs. Admittedly,
this level of proficiency will typically only be attained by readers who have al-
ready had some exposure to some of the mathematical material covered here,
but even such readers should find it convenient and useful to have all of the
relevant mathematics conveniently available for study or review in one place.
Since the mathematical concepts and notation are fairly standard, the reader
who is already proficient in a certain area may safely skip, or quickly skim over,
the relevant chapters or sections.
The computer science prerequisites for this text are quite minimal: it is as-
sumed that the reader is proficient in programming, and has had some exposure
to the analysis of algorithms, essentially at the level of an undergraduate course
on algorithms and data structures.
The choice of topics covered in this book was motivated primarily by their
applicability to computing and communications, especially to the specific areas
of cryptography and coding theory. The book may be useful, for example, for
reference and self study by readers who want to learn about cryptography. The
book could also be used, for example, as a textbook on a course on computational
number theory and algebra, geared towards computer science students, either
upper division undergraduates, or first year graduate students.
While this is an introductory textbook, and not an encyclopedic reference
for specialists, some topics simply could not be covered. One such topic whose
exclusion will undoubtedly be lamented by some is the theory of lattices, along
with algorithms for and applications of lattice basis reduction. Another such
topic is that of fast algorithms for integer and polynomial arithmetic — although
some of the basic ideas of this topic are developed in the exercises, the main body
of the text deals only with classical, quadratic-time algorithms for integer and
polynomial arithmetic. As an introductory text, some topics just had to go;
moreover, there are more advanced texts that cover these topics perfectly well,
and these texts should be readily accessible to students who have mastered the
material in this book.
A few notes about the text:
• There are a few sections that are marked with a “♣,” indicating that the
material covered in that section is a bit technical, and is not needed in the
sequel.
• There are many examples in the text — these form an integral part of
the text, and should not be skipped.
• There are a number of exercises in the text that serve to reinforce — as
well as to develop important applications of — the material in the text.
In solving exercises, the reader is free to use any previously stated results
in the text, including those in previous exercises — the only exception to
this rule is that results in §3.5, §5.5, and §18.2 are not to be considered
available outside of the section in which they appear.
• There is a very brief “Preliminaries” section below, that fixes a bit of
notation and recalls a few standard facts, and which should be skimmed
over by the reader.
• There is an appendix that contains a few useful facts; where such a fact
is used in the text, there is a reference such as “see §A.n,” which refers to
item number n in Appendix A.
Status of the book: This book is (still) in BETA testing. It is essentially
complete (except that it currently lacks an index), and should be fairly well
polished. I have used an earlier version of it (BETA version 1) to teach a
course on computational number theory at NYU in the fall semester of 2003,
and that experience proved invaluable in ferreting out errors in the text, and
improving the exposition at several points. I’ve also added some new material
(a number of additional exercises, and an expanded coverage of linearly gener-
ated sequences, including Wiedemann’s sparse linear system solver). I would
appreciate any feedback, especially feedback that identifies any errors or serious
omissions. Please send your comments to shoup@cs.nyu.edu.
Acknowledgments: I’d like to thank all of the students in my computational
number theory class that I taught at NYU in the fall semester of 2003. They
provided invaluable help in improving the text. I would especially like to thank
Siddhartha Annapureddy, Carl Bosley, Nelly Fazio, and Antonio Nicolasi for
their help.
New York, December 2003 Victor Shoup
Preliminaries
We establish here a few notational conventions and mention a few simple facts
used throughout the text.
1. Logarithm notation. $\log x$ denotes the natural logarithm of $x$. The logarithm
of $x$ to the base $b$ is denoted $\log_b x$.
2. Power notation. We use the notation $S^{\times n}$ to denote the cartesian product
of $n$ copies of a set $S$, and for $x \in S$, $x^{\times n}$ denotes the element of $S^{\times n}$
consisting of $n$ copies of $x$. We reserve the notation $S^n$ to denote the set
of all $n$th powers of $S$.
3. Functions. For any function $f$ from a set $A$ into a set $B$, if $A' \subseteq A$, then
$f(A') := \{ f(a) \in B : a \in A' \}$. For $b \in B$, $f^{-1}(b) := \{ a \in A : f(a) = b \}$,
and more generally, for $B' \subseteq B$, $f^{-1}(B') := \{ a \in A : f(a) \in B' \}$.
$f$ is called one to one or injective if $f(a) = f(b)$ implies $a = b$. $f$ is
called onto or surjective if $f(A) = B$. $f$ is called bijective if it is both
injective and surjective; in this case, $f$ is called a bijection.
If $f : A \to B$ and $g : B \to C$ are functions, we denote by $g \circ f$ their
composition, i.e., the function that sends $a \in A$ to $g(f(a)) \in C$.
4. Arithmetic with $\infty$. We shall sometimes use the symbols “$\infty$” and “$-\infty$” in
simple arithmetic expressions involving real numbers. The interpretation
given to such expressions is the usual, natural one, e.g., for all real numbers
$x$, we have $-\infty < x < \infty$, $x + \infty = \infty$, $x - \infty = -\infty$, $\infty + \infty = \infty$, and
$(-\infty) + (-\infty) = -\infty$. It is possible to assign meaning to other such
expressions, but we will not need to; however, some such expressions have
no sensible interpretation (e.g., $\infty - \infty$).
5. Equivalence relations and equivalence classes. A binary relation $\equiv$ on a
set $S$ is called an equivalence relation if for all $x, y, z \in S$, $x \equiv x$, $x \equiv y$
implies $y \equiv x$, and $x \equiv y$ and $y \equiv z$ implies $x \equiv z$.
Such a relation partitions the set $S$ into disjoint equivalence classes: for
$x \in S$, define $S_x := \{ y \in S : x \equiv y \}$; then every such $S_x$ is non-empty,
and all $y \in S$ lie in one and only one such $S_x$.
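The following is an added worked example, not code from the book: it takes a finite set $S$ and a relation given as a Python predicate, checks the three equivalence-relation axioms from item 5, builds the classes $S_x = \{ y \in S : x \equiv y \}$, and verifies the partition property (every class non-empty, every $y$ in exactly one class). The relation used is congruence modulo $n$ on a small range of integers; the function names `is_equivalence_relation`, `equivalence_classes`, `is_partition` and `congruent_mod` are this example's own choices.

```python
# Added example (not from Shoup's text). Equivalence classes of a finite set S
# under a relation rel(x, y), with the axioms of item 5 checked first and the
# partition claim verified afterwards.
from itertools import product


def is_equivalence_relation(S, rel):
    """Reflexive, symmetric and transitive on the finite set S (brute force)."""
    S = list(S)
    # reflexivity: x ≡ x for all x
    if not all(rel(x, x) for x in S):
        return False
    # symmetry: x ≡ y implies y ≡ x
    if not all(rel(y, x) for x, y in product(S, repeat=2) if rel(x, y)):
        return False
    # transitivity: x ≡ y and y ≡ z implies x ≡ z
    for x, y, z in product(S, repeat=3):
        if rel(x, y) and rel(y, z) and not rel(x, z):
            return False
    return True


def equivalence_classes(S, rel):
    """Return {x: S_x} with S_x = {y in S : x rel y}.

    Raises ValueError if rel is not an equivalence relation, since the
    classes only partition S under that hypothesis.
    """
    S = list(S)
    if not is_equivalence_relation(S, rel):
        raise ValueError("relation is not an equivalence relation on S")
    return {x: frozenset(y for y in S if rel(x, y)) for x in S}


def is_partition(S, classes):
    """Every distinct class is non-empty and each y in S lies in exactly one."""
    distinct = set(classes.values())
    if any(len(c) == 0 for c in distinct):
        return False
    return all(sum(1 for c in distinct if y in c) == 1 for y in S)


def congruent_mod(n):
    """Congruence modulo n as a predicate: a ≡ b (mod n) iff n divides a - b."""
    return lambda a, b: (a - b) % n == 0


if __name__ == "__main__":
    # constructed sample set: the integers -5, ..., 9 under congruence mod 3
    S = range(-5, 10)
    classes = equivalence_classes(S, congruent_mod(3))
    for x in (0, 1, 2):
        print(x, sorted(classes[x]))
    print("partition:", is_partition(S, classes))
    print("distinct classes:", len(set(classes.values())))
```

Running it lists the three residue classes of $\mathbb{Z}$ modulo 3 restricted to the sample range and confirms they partition it; passing a relation that fails one axiom (for instance $a \cdot b \ge 0$ on a range containing 0, which is reflexive and symmetric but not transitive) is rejected before any classes are formed.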
Contents
Preface iii
Preliminaries vi
Contents viii
1 Basic Properties of the Integers 1
1.1 Divisibility and Primality . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Ideals and Greatest Common Divisors . . . . . . . . . . . . . . . 3
1.3 More on Unique Factorization and Greatest Common Divisors . 6
2 Congruences 9
2.1 Definitions and Basic Properties . . . . . . . . . . . . . . . . . . 9
2.2 Solving Linear Congruences . . . . . . . . . . . . . . . . . . . . . 10
2.3 Residue Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 Euler’s φ-Function . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.5 Fermat’s Little Theorem . . . . . . . . . . . . . . . . . . . . . . . 17
2.6 Other Arithmetic Functions . . . . . . . . . . . . . . . . . . . . . 19
3 Computing with Large Integers 23
3.1 Asymptotic Notation . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2 Machine Models and Complexity Theory . . . . . . . . . . . . . . 25
3.3 Basic Integer Arithmetic . . . . . . . . . . . . . . . . . . . . . . . 28
3.4 Computing in $\mathbb{Z}_n$ . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.5 Faster Integer Arithmetic ♣ . . . . . . . . . . . . . . . . . . . . . . 37
3.6 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4 Euclid’s Algorithm 40
4.1 The Basic Euclidean Algorithm . . . . . . . . . . . . . . . . . . . 40
4.2 The Extended Euclidean Algorithm. . . . . . . . . . . . . . . . . 42
4.3 Computing Modular Inverses and Chinese Remaindering . . . . . 46
4.4 Speeding up Algorithms via Modular Computation . . . . . . . . 47
4.5 Rational Reconstruction and Applications . . . . . . . . . . . . . 50
4.6 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5 The Distribution of Primes 58
5.1 Chebyshev’s Theorem on the Density of Primes . . . . . . . . . . 58
5.2 Bertrand’s Postulate . . . . . . . . . . . . . . . . . . . . . . . . . 62
5.3 Mertens’ Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.4 The Sieve of Eratosthenes . . . . . . . . . . . . . . . . . . . . . . 69
5.5 The Prime Number Theorem ...and Beyond . . . . . . . . . . . 70
5.6 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
6 Discrete Probability Distributions 80
6.1 Finite Probability Distributions: Basic Definitions . . . . . . . . 80
6.2 Conditional Probability and Independence . . . . . . . . . . . . . 83
6.3 Random Variables . . . . . . . . . . . . . . . . . . . . . . . . . . 86
6.4 Expectation and Variance . . . . . . . . . . . . . . . . . . . . . . 90
6.5 Some Useful Bounds . . . . . . . . . . . . . . . . . . . . . . . . . 93
6.6 The Birthday Paradox . . . . . . . . . . . . . . . . . . . . . . . . 96
6.7 Statistical Distance . . . . . . . . . . . . . . . . . . . . . . . . . . 100
6.8 Measures of Randomness and the Leftover Hash Lemma ♣ . . . 104
6.9 Discrete Probability Distributions . . . . . . . . . . . . . . . . . . 109
6.10 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
7 Probabilistic Algorithms 115
7.1 Basic Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
7.2 Approximation of Functions . . . . . . . . . . . . . . . . . . . . . 121
7.3 Flipping a Coin until a Head Appears . . . . . . . . . . . . . . . 122
7.4 Generating a Random Number from a Given Interval . . . . . . . 123
7.5 Generating a Random Prime . . . . . . . . . . . . . . . . . . . . 125
7.6 Generating a Random Non-Increasing Sequence . . . . . . . . . . 129
7.7 Generating a Random Factored Number . . . . . . . . . . . . . . 133
7.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
8 Abelian Groups 137
8.1 Definitions, Basic Properties, and Some Examples . . . . . . . . 137
8.2 Subgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
8.3 Cosets and Quotient Groups . . . . . . . . . . . . . . . . . . . . . 146
8.4 Group Homomorphisms and Isomorphisms . . . . . . . . . . . . . 149
8.5 Cyclic Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
8.6 The Structure of Finite Abelian Groups ♣ . . . . . . . . . . . . . 161
9 Rings 164
9.1 Definitions, Basic Properties, and Examples . . . . . . . . . . . . 164
9.2 Polynomial rings . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
9.3 Ideals and Quotient Rings . . . . . . . . . . . . . . . . . . . . . . 176
9.4 Ring Homomorphisms and Isomorphisms . . . . . . . . . . . . . 179
10 Probabilistic Primality Testing 186
10.1 Trial Division . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
10.2 The Structure of $\mathbb{Z}_n^*$ . . . . . . . . . . . . . . . . . . . . . . . . 187
10.3 The Miller-Rabin Test . . . . . . . . . . . . . . . . . . . . . . . . 189
10.4 Generating Random Primes using the Miller-Rabin Test . . . . . 195
10.5 Perfect Power Testing and Prime Power Factoring . . . . . . . . 204
10.6 Factoring and Computing Euler’s φ-Function . . . . . . . . . . . 205
10.7 The RSA Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . 209
10.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
11 Computing Generators and Discrete Logarithms in $\mathbb{Z}_p^*$ 213
11.1 Finding a Generator for $\mathbb{Z}_p^*$ . . . . . . . . . . . . . . . . . . . . 213
11.2 Computing Discrete Logarithms in $\mathbb{Z}_p^*$ . . . . . . . . . . . . . . 215
11.3 The Diffie-Hellman Key Establishment Protocol . . . . . . . . . . 220
11.4 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
12 Quadratic Residues and Quadratic Reciprocity 224
12.1 Quadratic Residues . . . . . . . . . . . . . . . . . . . . . . . . . . 224
12.2 The Legendre Symbol . . . . . . . . . . . . . . . . . . . . . . . . 226
12.3 The Jacobi Symbol . . . . . . . . . . . . . . . . . . . . . . . . . . 228
12.4 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
13 Computational Problems Related to Quadratic Residues 231
13.1 Computing the Jacobi Symbol . . . . . . . . . . . . . . . . . . . 231
13.2 Testing Quadratic Residuosity . . . . . . . . . . . . . . . . . . . . 232
13.3 Computing Modular Square Roots . . . . . . . . . . . . . . . . . 232
13.4 The Quadratic Residuosity Assumption . . . . . . . . . . . . . . 236
14 Modules and Vector Spaces 238
14.1 Definitions, Properties, and Some Examples . . . . . . . . . . . . 238
14.2 Submodules and Quotient Modules . . . . . . . . . . . . . . . . . 240
14.3 Module Homomorphisms and Isomorphisms . . . . . . . . . . . . 241