Advanced Mathematics for Cryptography
Summer semester, 2001

Lecture on 29th of June: Divisibility Theory in the Integers

Basic Tools :
1. Mathematical Induction.
2. Well-Ordering Principle : any non-empty subset of the positive integers contains a smallest element.

Definition of Divisibility : We say that b is a divisor of a, or b divides a, denoted

as $b \mid a$, iff $\exists k \in \mathbb{Z}$ such that $a = kb$.

Proposition of Divisibility :
(i) $a \mid b$ and $a \mid c$ $\Rightarrow$ $a \mid (bx + cy)$ for all $x, y \in \mathbb{Z}$.
(ii) $a \mid b$ $\Rightarrow$ $a \mid bc$ for all $c \in \mathbb{Z}$.
(iii) Let $a > 0$ and $b > 0$. Then $a \mid b$ $\Rightarrow$ $b \ge a$.
(iv) $a \mid b$ and $b \mid a$ $\Rightarrow$ $a = \pm b$.
(v) $a \mid b$ and $b \mid c$ $\Rightarrow$ $a \mid c$.

Proof :
(i) According to the definition of divisibility we have : $a \mid b \Rightarrow \exists p \in \mathbb{Z}$ such that $b = pa$, and $a \mid c \Rightarrow \exists q \in \mathbb{Z}$ such that $c = qa$. Then $bx + cy = pax + qay = (px + qy)a = k'a$ with $k' = px + qy \in \mathbb{Z}$, which means $a \mid (bx + cy)$.
(ii) By the definition.
(iii) Because $a \mid b$, $\exists k \in \mathbb{Z}$ such that $b = ka$, i.e. $k = b/a$. Since $b > 0$ and $a > 0$, $k > 0$, which means $k \ge 1$ and hence $b \ge a$.
(iv) Because $a \mid b$ we have $|a| \mid |b|$, and because $b \mid a$ we have $|b| \mid |a|$. Since $|a|, |b| > 0$, (iii) gives $|b| \ge |a|$ and $|a| \ge |b|$, so $|a| = |b|$, i.e. $a = \pm b$.

Theorem 1.1 (Division Theorem) :

Let $a, b \in \mathbb{Z}$ and $a > 0$. Then there exist unique $q, r \in \mathbb{Z}$ such that $b = qa + r$ and $a > r \ge 0$.

Proof : Case $b \ge 0$ : Consider the set $S = \{ n \in \mathbb{Z}^+ \mid na > b \}$. $S$ is non-empty (it contains $b + 1$, since $(b+1)a \ge b + 1 > b$), so by the Well-Ordering Principle $S$ contains a smallest element, which we denote by $q + 1$. Since $q + 1$ is the smallest element of $S$ (so either $q = 0$ or $q \notin S$), we have $(q+1)a > b \ge qa$. Put $r = b - qa$. Clearly $a > r \ge 0$.

Now we prove that such $q$ and $r$ are unique. Assume that there are two pairs $(q_1, r_1)$ and $(q_2, r_2)$ which satisfy $b = q_1 a + r_1$ with $a > r_1 \ge 0$ and $b = q_2 a + r_2$ with $a > r_2 \ge 0$. Then $q_1 a + r_1 = q_2 a + r_2$, so $(q_1 - q_2)a = r_2 - r_1$ and hence $a \mid (r_2 - r_1)$. On the other hand, since $a > r_1 \ge 0$ and $a > r_2 \ge 0$, we have $a > r_2 - r_1 > -a$. Strictly between $-a$ and $a$ only zero is divisible by $a$. That is, $r_2 = r_1$ and then $q_2 = q_1$. Thus the theorem is proved for $b \ge 0$.

Case $b < 0$ : by the case $b \ge 0$ applied to $-b$, there exist unique $q, r$ such that $-b = qa + r$ with $a > r \ge 0$. If $r = 0$ then $b = (-q)a + 0$ already has the required form. Otherwise $b = -qa - r = (-q-1)a + (a - r)$; put $q' = -q - 1$ and $r' = a - r$, then $a > r' > 0$. Uniqueness of $q'$ and $r'$ is proved exactly as above (that argument used only $a > r_i \ge 0$), so the theorem holds for $b < 0$ as well.

Definition (Greatest Common Divisor (GCD)) :

Let $a, b \in \mathbb{Z}$, not both zero. Then $d = \gcd(a, b)$, or shortly $(a, b)$, if and only if :
(i) $d \mid a$, $d \mid b$ and $d > 0$.
(ii) For any integer $e$ such that $e \mid a$ and $e \mid b$, $d \ge e$.

Theorem 1.2 : Given integers $a$ and $b$, not both of which are zero, there exist
integers $x$ and $y$ such that $\gcd(a, b) = ax + by$.

Proof : Consider $S = \{ au + bv \mid au + bv > 0,\ u, v \in \mathbb{Z} \}$. Clearly $S$ is not empty (it contains $|a|$ or $|b|$, whichever is non-zero). Then, by the Well-Ordering Principle, $S$ contains a smallest element $d = ax + by$ for some $x, y \in \mathbb{Z}$. We prove that $d = \gcd(a, b)$. By the Division Theorem one can obtain two integers $q$ and $r$ such that $a = qd + r$, where $d > r \ge 0$. From this equation we have $r = a - qd = a - q(ax + by) = (1 - qx)a + (-qy)b$. Because $1 - qx$ and $-qy$ are integers, if $r > 0$ then $r \in S$, which contradicts the choice of $d$ as the smallest element of $S$ (since $r < d$). Therefore $r = 0$, which means $d \mid a$. Similarly, $d \mid b$. Now we must show that no common divisor of $a$ and $b$ is greater than $d$. Given an arbitrary common divisor $e$ of $a$ and $b$, i.e. $e \mid a$ and $e \mid b$, the proposition of divisibility gives $e \mid ax + by = d$, hence $|e| \mid d$ and $d \ge |e| \ge e$. The statement is proved. As a by-product of this proof, $\gcd(a, b)$ always exists when $a, b$ are not both zero.

Theorem 1.3 : For $d > 0$, $d = \gcd(a, b)$ iff :

(i) $d \mid a$ and $d \mid b$.
(ii) Whenever $e \mid a$ and $e \mid b$, then $e \mid d$.

Proof : Similar to the proof of the previous theorem.

Corollary 1.1 : If $a$ and $b$ are given integers, not both zero, then the set
$T = \{ ax + by \mid x, y \in \mathbb{Z} \}$ is precisely the set of all multiples of $d = \gcd(a, b)$.

Proof : For any $x, y \in \mathbb{Z}$, $d \mid a$ and $d \mid b$ give $d \mid ax + by$, so every element of $T$ is a multiple of $d$. Conversely, because $d$ can be written as $d = ax_0 + by_0$, for any $n \in \mathbb{Z}$ we have $nd = n(ax_0 + by_0) = a(nx_0) + b(ny_0) \in T$.

Theorem 1.4 : The gcd is unique.

Proof : Because we define the gcd as the greatest element of the set of all common divisors, if it exists then it must be unique.

Definition of Relatively Prime Numbers : If $\gcd(a, b) = 1$ then $a, b$ are said
to be relatively prime.

Theorem 1.5 : Let $a$ and $b$ be integers, not both zero. Then $a$ and $b$ are relatively
prime iff there exist two integers $x$ and $y$ such that $ax + by = 1$.

Proof : If $\gcd(a, b) = 1$, Theorem 1.2 gives $x, y$ with $ax + by = 1$. Conversely, $d = \gcd(a, b)$ is the smallest element of $S = \{ au + bv \mid au + bv > 0;\ u, v \in \mathbb{Z} \}$. Because $ax + by = 1$, $1 \in S$. In addition, 1 is the smallest positive integer, so 1 is the smallest element of $S$. We know that the smallest element of $S$ is $\gcd(a, b)$, hence $d = 1$.

Corollary 1.2 : If $\gcd(a, b) = d$ then $\gcd(a/d, b/d) = 1$.

Proof : We have $ax + by = d$ for some $x, y \in \mathbb{Z}$ (Theorem 1.2), so $(a/d)x + (b/d)y = 1$, and by Theorem 1.5 $\gcd(a/d, b/d) = 1$.

Corollary 1.3 : If $a \mid c$ and $b \mid c$ with $\gcd(a, b) = 1$ then $ab \mid c$.

Proof : Because $a \mid c$ and $b \mid c$, there are $r, s \in \mathbb{Z}$ such that $c = ar = bs$. On the other hand $\gcd(a, b) = 1$, so there are $x, y \in \mathbb{Z}$ with $ax + by = 1$. Multiplying by $c$ : $acx + bcy = c$, i.e. $a(bs)x + b(ar)y = c$, so $ab(sx + ry) = c$ and $ab \mid c$.

Corollary 1.4 : If $a \mid bc$ and $\gcd(a, b) = 1$ then $a \mid c$.

Proof : Because $a \mid bc$, there is $k \in \mathbb{Z}$ such that $bc = ka$. According to the assumption that
$\gcd(a, b) = 1$, there are $x, y \in \mathbb{Z}$ such that :

Corollary 1.5 : If $a \mid bc$ and $\gcd(a, b) = d$ then $(a/d) \mid c$.

Proof : $a \mid bc$ implies $(a/d) \mid (b/d)c$. Let $a' = a/d$ and $b' = b/d$; then $a' \mid b'c$ and $\gcd(a', b') = 1$ (Corollary 1.2), so by Corollary 1.4 $a' \mid c$, i.e. $(a/d) \mid c$.

Corollary 1.6 : If $d = \gcd(a, b)$ then $\gcd(ma, mb) = md$ where $m > 0$.

Proof : Because $d = \gcd(a, b)$, $d$ is the smallest element of the set $S = \{ ax + by \mid ax + by > 0;\ x, y \in \mathbb{Z} \}$. This fact can be written as : $d = ax_0 + by_0 \le ax + by$ for all $x, y \in \mathbb{Z}$ such that $ax + by > 0$. Multiplying by $m > 0$ : $md = amx_0 + bmy_0 \le amx + bmy$ for all $x, y \in \mathbb{Z}$ such that $amx + bmy > 0$. This inequality means that $md$ is the smallest element of the set $S' = \{ amx + bmy \mid amx + bmy > 0;\ x, y \in \mathbb{Z} \}$. Therefore $md = \gcd(ma, mb)$.

Lemma 1.1 : If $a = qb + r$ with $b > r \ge 0$, then $\gcd(a, b) = \gcd(b, r)$.

Proof : $a = qb + r$ gives $r = a - qb$. Let $d = \gcd(a, b)$; then $d \mid a$ and $d \mid b$, so $d \mid r$. Therefore $d$ is a
common divisor of $b$ and $r$. Now we prove that $d$ is also $\gcd(b, r)$. Let $e$ be any common divisor of $b$ and $r$ : $e \mid b$ and $e \mid r$ give $e \mid qb + r = a$, so $e$ is also a common divisor of $a$ and $b$. Because $d = \gcd(a, b)$, $d \ge e$. Hence $d = \gcd(b, r)$.

The Euclidean Algorithm :

Consider the following sequence of divisions, for $a \ge b > 0$ (note that $\gcd(a, b) = \gcd(|a|, |b|)$, so this is no restriction) :

$a = q_1 b + r_1$ where $b > r_1 \ge 0$
$b = q_2 r_1 + r_2$ where $r_1 > r_2 \ge 0$
$r_1 = q_3 r_2 + r_3$ where $r_2 > r_3 \ge 0$
$\ldots$
$r_{n-2} = q_n r_{n-1} + r_n$ where $r_{n-1} > r_n > 0$
$r_{n-1} = q_{n+1} r_n$

It is clear that this sequence is finite, because the remainders strictly decrease, so $n$ cannot be greater than $b$. According to Lemma 1.1, $\gcd(a, b) = \gcd(b, r_1) = \gcd(r_1, r_2) = \cdots = \gcd(r_{n-1}, r_n) = \gcd(r_n, 0) = r_n$. That is, we can find $\gcd(a, b)$ in finitely many computational steps.


Definition (Least Common Multiple (LCM)) :

The least common multiple of two non-zero integers $a, b$, denoted by $\operatorname{lcm}(a, b)$, is the positive integer $m$ satisfying the following :
(i) $a \mid m$ and $b \mid m$.
(ii) If $a \mid c$ and $b \mid c$ with $c > 0$ then $c \ge m$.

Theorem 1.6 : $\gcd(a, b) \cdot \operatorname{lcm}(a, b) = ab$ for $a, b > 0$.

Proof : Let $d = \gcd(a, b)$; then $a = rd$ and $b = sd$ with $r, s \in \mathbb{Z}$.
Let $m = ab/d$. Then $m = as = rb$, so $a \mid m$ and $b \mid m$, which means $m$ is a common multiple of $a$ and $b$. Let $c$ be any positive common multiple of $a$ and $b$, so $c = ua = vb$ with $u, v \in \mathbb{Z}$. Writing $d = ax + by$ (Theorem 1.2), we examine $c/m$ :
$c/m = c/(ab/d) = cd/(ab) = c(ax + by)/(ab) = (c/b)x + (c/a)y = vx + uy \in \mathbb{Z}$.
This equation states that $m \mid c$, and therefore $c \ge m$. Hence $m = \operatorname{lcm}(a, b)$.
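As an added example (not part of the original lecture notes), the following Python code runs the Euclidean algorithm as the chain of divisions written out above, recording each line so that every step of $\gcd(a, b) = \gcd(b, r_1) = \cdots = r_n$ can be checked, and computes the lcm through Theorem 1.6. The sample values are made up.

```python
# Added example, not from the lecture notes: the Euclidean algorithm as the
# chain of divisions a = q1*b + r1, b = q2*r1 + r2, ..., and lcm via
# Theorem 1.6.  All inputs below are made-up sample values.


def euclid_chain(a, b):
    """Return (gcd, steps); each step is (dividend, divisor, q, r) with
    dividend = q*divisor + r and 0 <= r < divisor, i.e. exactly one line
    of the division chain in the notes."""
    a, b = abs(a), abs(b)            # gcd(a, b) = gcd(|a|, |b|)
    steps = []
    while b != 0:
        q, r = divmod(a, b)          # Division Theorem
        steps.append((a, b, q, r))
        a, b = b, r                  # Lemma 1.1: gcd(a, b) = gcd(b, r)
    return a, steps                  # gcd(r_n, 0) = r_n


def gcd(a, b):
    return euclid_chain(a, b)[0]


def lcm(a, b):
    """lcm(a, b) = |ab| / gcd(a, b)  (Theorem 1.6), for non-zero a, b."""
    if a == 0 or b == 0:
        raise ValueError("lcm is defined for non-zero integers only")
    return abs(a * b) // gcd(a, b)


def chain_is_consistent(a, b):
    """Check every line of the chain: each is a valid division, the
    divisors strictly decrease, and the last divisor is the gcd."""
    g, steps = euclid_chain(a, b)
    prev = None
    for dividend, divisor, q, r in steps:
        if dividend != q * divisor + r or not (0 <= r < divisor):
            return False
        if prev is not None and divisor >= prev:
            return False
        prev = divisor
    return steps == [] or steps[-1][1] == g


if __name__ == "__main__":
    g, steps = euclid_chain(252, 198)
    for dividend, divisor, q, r in steps:
        print(f"{dividend} = {q} * {divisor} + {r}")
    print("gcd(252, 198) =", g, " lcm(252, 198) =", lcm(252, 198))
```

For 252 and 198 the chain is 252 = 1·198 + 54, 198 = 3·54 + 36, 54 = 1·36 + 18, 36 = 2·18 + 0, so the gcd is the last non-zero remainder 18 and the lcm is 252·198/18.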

Lecture on 4th of June, 2001: Linear Diophantine Equations

Theorem 2.1 : Consider the equation $ax + by = c$ where $a, b, c \in \mathbb{Z}$ and $d = \gcd(a, b)$ divides $c$ (if $d \nmid c$ there is no integral solution at all, since $d \mid ax + by$ for every $x, y \in \mathbb{Z}$).
Then all integral solutions of this equation have the following form :
$x = x_0 + k(b/d)$, $y = y_0 - k(a/d)$,
where $k$ is an arbitrary integer and $(x_0, y_0)$ is a particular integral solution.

Proof : First, we prove that every pair $(x, y)$ satisfying

$x = x_0 + k(b/d)$, $y = y_0 - k(a/d)$ is a solution. Indeed : $ax + by = a(x_0 + kb/d) + b(y_0 - ka/d) = ax_0 + by_0 + kab/d - kab/d = ax_0 + by_0 = c$, because $(x_0, y_0)$ is a solution of the equation. Second, we prove that every solution $(x, y)$ of the equation has the above form. Because $(x_0, y_0)$ is a solution, $ax + by = c = ax_0 + by_0$, so $a(x - x_0) = -b(y - y_0)$. Hence $b \mid a(x - x_0)$, and dividing by $d$, $(b/d) \mid (a/d)(x - x_0)$.

Since $\gcd(a, b) = d$, $\gcd(a/d, b/d) = 1$ (Corollary 1.2), so by Corollary 1.4 $(b/d) \mid (x - x_0)$, i.e. there is $k \in \mathbb{Z}$ such that $x - x_0 = kb/d$, that is $x = x_0 + kb/d$. Substituting back into $a(x - x_0) = -b(y - y_0)$ gives $ak(b/d) = -b(y - y_0)$, so $y - y_0 = -k(a/d)$ and $y = y_0 - k(a/d)$.
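As an added example (not part of the original lecture notes), here is the extended Euclidean algorithm producing the coefficients of Theorem 1.2, used to build a particular solution of $ax + by = c$ and the whole family of solutions of Theorem 2.1. The sample coefficients are made up.

```python
# Added example, not from the lecture notes: Bezout coefficients by the
# extended Euclidean algorithm (Theorem 1.2) and the complete solution set
# of a*x + b*y = c (Theorem 2.1).  Sample inputs are made up.


def ext_gcd(a, b):
    """Return (d, x, y) with d = gcd(a, b) >= 0 and a*x + b*y = d.

    (old_r, r) follow the Euclidean remainders; (old_x, x) and (old_y, y)
    are updated with the same quotient, so a*old_x + b*old_y == old_r holds
    at every step of the loop."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    if old_r < 0:                       # make d positive (negative inputs)
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y


def solve_linear_diophantine(a, b, c):
    """Return (x0, y0, b//d, a//d) such that every integral solution of
    a*x + b*y = c is x = x0 + k*(b//d), y = y0 - k*(a//d) for k in Z.
    Return None when d = gcd(a, b) does not divide c: then there is no
    solution, because d divides a*x + b*y for every integral x, y."""
    if a == 0 and b == 0:
        raise ValueError("a and b must not both be zero")
    d, x, y = ext_gcd(a, b)
    if c % d != 0:
        return None
    m = c // d                          # scale the Bezout identity up to c
    return x * m, y * m, b // d, a // d


def kth_solution(sol, k):
    """The k-th member of the family returned by solve_linear_diophantine."""
    x0, y0, step_x, step_y = sol
    return x0 + k * step_x, y0 - k * step_y


if __name__ == "__main__":
    a, b, c = 12, 18, 30                 # gcd = 6 divides 30
    sol = solve_linear_diophantine(a, b, c)
    for k in range(-2, 3):
        x, y = kth_solution(sol, k)
        print(f"k={k:2d}: x={x:3d}, y={y:3d}, a*x+b*y={a*x + b*y}")
    print("12x + 18y = 31:", solve_linear_diophantine(12, 18, 31))
```

For $12x + 18y = 30$ the algorithm finds $12\cdot(-1) + 18\cdot 1 = 6$, scales it to $x_0 = -5$, $y_0 = 5$, and steps by $b/d = 3$ in $x$ and $a/d = 2$ in $y$; for $c = 31$ it correctly reports that there is no solution.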

Prime And Factorization

Definition of Prime Number : An integer $p$ is said to be prime iff :
(i) $p > 1$.
(ii) $a \mid p$ with $a > 0$ implies $a = 1$ or $a = p$.

Theorem 3.1 : Every integer $n > 1$ has a unique prime factorization.
Proof : We must prove two things :
(i) Existence : the prime factorization of a positive integer $n > 1$ must exist.
(ii) Uniqueness : the prime factorization of a positive integer must be unique (up to the order of the factors).

Existence. Let $w$ be the smallest element of the set $S = \{ n \in \mathbb{Z}^+ \mid n > 1,\ n \text{ has no prime factorization} \}$, assumed non-empty. $w$ cannot be prime, because a prime is its own prime factorization. Hence $w$ must be composite. Let $a$ be a divisor of $w$ with $1 < a < w$; then also $1 < w/a < w$. Because $a$ and $w/a$ are less than $w$, neither belongs to $S$, so both $a$ and $w/a$ can be prime-factorized. Thus $w = a \cdot (w/a)$ can be factorized too (the product of two factorizations is a factorization). This contradicts $w \in S$, so $S$ must be empty. That is, the factorization always exists.

Uniqueness. Assume that $a$ is the smallest element of the set $S = \{ n \in \mathbb{Z}^+ \mid n \text{ has two different factorizations} \}$, say $a = p_1 p_2 \cdots p_s = q_1 q_2 \cdots q_t$. Clearly $p_1 \mid q_1 q_2 \cdots q_t$; since all $q_j$ are prime, repeated use of Corollary 1.4 (for each $j$, either $\gcd(p_1, q_j) = 1$ or $p_1 = q_j$) shows that there is some $q_j$ with $p_1 = q_j$. Then $a/p_1 = p_2 p_3 \cdots p_s = q_1 \cdots q_{j-1} q_{j+1} \cdots q_t$. It is clear that $a/p_1 < a$, so $a/p_1$ does not belong to $S$, which means $a/p_1$ has a unique factorization. Together with $p_1 = q_j$ this gives a unique factorization of $a$, contradicting the hypothesis that $a$ has two different factorizations. So $S$ must be empty, and uniqueness is proved.

Theorem 3.2 : There are infinitely many prime numbers.

Proof : Assume that there are only $n$ prime numbers, say $p_1, p_2, \ldots, p_n$. It is clear that
$p_1 p_2 \cdots p_n + 1$ is greater than any $p_i$, so it is not one of the primes. In addition, $p_1 p_2 \cdots p_n + 1$ can be factorized (Theorem 3.1), so some $p_i$ is a factor of $p_1 p_2 \cdots p_n + 1$. Note that $p_i \mid p_1 p_2 \cdots p_n$; then $p_i \mid (p_1 p_2 \cdots p_n + 1) - p_1 p_2 \cdots p_n = 1$.

This is a contradiction, because $p_i$ is prime and hence greater than 1. Therefore there are infinitely many primes.

Some Interesting Results :

(i) $(p, p+2)$ is called a twin prime if both $p$ and $p+2$ are prime.
(ii) Among $(n+1)! + 2, (n+1)! + 3, \ldots, (n+1)! + n + 1$ there is no prime number (the $k$-th of them is divisible by $k$), so there are $n$ consecutive composite numbers for every $n$.
(iii) The number of primes not exceeding $x$ (denoted $\pi(x)$) approaches $x/\log(x)$ when $x$ is large, in the sense that $\pi(x) / (x/\log x) \to 1$.

Theorem 3.3 : A composite integer $n$ has a prime factor not greater
than $\sqrt{n}$.

Proof : Because $n$ is composite, we can write $n = ab$ with $a, b \in \mathbb{Z}$ and $n > b \ge a > 1$. If
both $a$ and $b$ were greater than $\sqrt{n}$, then $ab > n$, a contradiction. So $\sqrt{n} \ge a$. Clearly $a$ has a prime factor (Theorem 3.1), and that factor is at most $a \le \sqrt{n}$, so $n$ has a prime factor not greater than $\sqrt{n}$.

Equivalently : if $n > 1$ has no divisor $a$ with $\sqrt{n} \ge a > 1$, then $n$ is prime.

We can apply this fact to the sieve of Eratosthenes to find all prime numbers not exceeding a given integer $n$. Normally we would need $n - 1$ passes, but taking advantage of this fact we only need passes for the primes up to $\sqrt{n}$ : every composite not exceeding $n$ is crossed out by one of its prime factors $\le \sqrt{n}$.
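As an added example (not part of the original lecture notes), the following Python code implements the sieve of Eratosthenes with the $\sqrt{n}$ bound of Theorem 3.3, a trial-division primality test that stops at $\sqrt{n}$, and the run of $n$ consecutive composites from result (ii) above. The sample bounds are made up.

```python
# Added example, not from the lecture notes: the sieve of Eratosthenes with
# the sqrt(n) bound of Theorem 3.3, trial division stopped at sqrt(n), and
# the run of n consecutive composites from result (ii) above.
from math import factorial, isqrt


def sieve(n):
    """All primes p with 2 <= p <= n."""
    if n < 2:
        return []
    is_prime = bytearray([1]) * (n + 1)
    is_prime[0] = is_prime[1] = 0
    # Theorem 3.3: every composite <= n has a prime factor <= sqrt(n), so
    # crossing out multiples of the primes p <= sqrt(n) removes all composites.
    for p in range(2, isqrt(n) + 1):
        if is_prime[p]:
            # multiples below p*p were already removed by a smaller prime
            for multiple in range(p * p, n + 1, p):
                is_prime[multiple] = 0
    return [p for p in range(2, n + 1) if is_prime[p]]


def smallest_prime_factor(n):
    """Smallest prime factor of n > 1; equals n exactly when n is prime.
    Trial division stops at sqrt(n) by Theorem 3.3.  The first divisor
    found above 1 is prime, since any factor of it would divide n too."""
    if n < 2:
        raise ValueError("n must be greater than 1")
    for a in range(2, isqrt(n) + 1):
        if n % a == 0:
            return a
    return n


def is_prime(n):
    return n > 1 and smallest_prime_factor(n) == n


def composite_run(n):
    """The n consecutive composites (n+1)!+2, ..., (n+1)!+(n+1); the entry
    (n+1)!+k is divisible by k."""
    f = factorial(n + 1)
    return [f + k for k in range(2, n + 2)]


if __name__ == "__main__":
    print("primes <= 50:", sieve(50))
    print("smallest prime factor of 91:", smallest_prime_factor(91))
    print("6 consecutive composites:", composite_run(6))
```

The sieve only iterates $p$ up to $\lfloor\sqrt{n}\rfloor$ and starts crossing out at $p^2$, which is exactly the saving the paragraph above describes; the trial-division test is the contrapositive form of Theorem 3.3.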

Lecture on 4th and 5th of July, 2001: Congruences And Their Applications
Definition (Congruence) : Given three integers $a, b, n$ where $n > 0$. Then $a$ is
said to be congruent to $b$ modulo $n$ (denoted $a \equiv b \pmod n$) iff $n \mid (a - b)$.

Proposition 4.1 : For $a, b, c, n \in \mathbb{Z}$ with $n > 0$ the following are true :

(i) $a \equiv a \pmod n$.
(ii) $a \equiv b \pmod n \Leftrightarrow b \equiv a \pmod n$.
(iii) $a \equiv b \pmod n$ and $b \equiv c \pmod n$ $\Rightarrow$ $a \equiv c \pmod n$.

Proposition 4.2 : Given $a \equiv b \pmod n$ and $c \equiv d \pmod n$ :

(i) $a + c \equiv b + d \pmod n$.
(ii) $a - c \equiv b - d \pmod n$.
(iii) $ax \equiv ay \pmod n$ implies $x \equiv y \pmod n$ if $\gcd(a, n) = 1$.

Definition (Arithmetic Inverse) : $a^*$ is called an arithmetic inverse of $a$ modulo $n$

if $a a^* \equiv 1 \pmod n$.

Proposition 4.3 :
(i) $a^*$ exists if and only if $\gcd(a, n) = 1$.
(ii) $a^*$ is unique modulo $n$.

Proof : (i) Forward direction : if we have $a^*$ such that $a a^* \equiv 1 \pmod n$, then $n \mid a a^* - 1$, so $a a^* - 1 = kn$ for some $k \in \mathbb{Z}$, i.e. $a a^* - kn = 1$, and by Theorem 1.5 $\gcd(a, n) = 1$.

Backward direction : if $\gcd(a, n) = 1$ then by Theorem 1.2 we have $ax + ny = 1$ for some $x, y \in \mathbb{Z}$, so $ax - 1 = -ny$, $n \mid ax - 1$, $ax \equiv 1 \pmod n$, and $a^* = x$.

(ii) Suppose that $a^*$ and $a^{**}$ are two arithmetic inverses of $a$. Then $a a^* \equiv a a^{**} \equiv 1 \pmod n$, so $n \mid a a^* - a a^{**} = a(a^* - a^{**})$, and because $\gcd(a, n) = 1$, $n \mid a^* - a^{**}$ (Corollary 1.4), i.e. $a^* \equiv a^{**} \pmod n$.

Theorem 4.1 : Let $\gcd(a, n) = d$. Then $ax \equiv ay \pmod n$ implies $x \equiv y \pmod{n/d}$.

Proof : We have $ax \equiv ay \pmod n \Rightarrow n \mid a(x - y) \Rightarrow (n/d) \mid (a/d)(x - y) \Rightarrow (n/d) \mid x - y$ (because $\gcd(a/d, n/d) = 1$, Corollary 1.4) $\Rightarrow x \equiv y \pmod{n/d}$.

Lemma 4.1 : Let $\gcd(a, n) = 1$. Then $ax \equiv ay \pmod n$ implies $x \equiv y \pmod n$.

How to Solve The Linear Congruence Equation :
$ax \equiv b \pmod n$. This equation has no solution if $d = \gcd(a, n)$ is not a divisor of $b$ (since $n \mid ax - b$ would force $d \mid b$). Otherwise it is equivalent to the following equation :
$(a/d)x \equiv b/d \pmod{n/d}$,
in which $\gcd(a/d, n/d) = 1$, so $a/d$ has an inverse modulo $n/d$ and $x \equiv (a/d)^*(b/d) \pmod{n/d}$ is the unique solution modulo $n/d$; modulo $n$ this gives exactly $d$ solutions, $x, x + n/d, \ldots, x + (d-1)n/d$.
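As an added example (not part of the original lecture notes), the following Python code solves $ax \equiv b \pmod n$ by the recipe above : divide through by $d = \gcd(a, n)$, invert $a/d$ modulo $n/d$ (Python's `pow(a, -1, n)` computes the arithmetic inverse of Proposition 4.3), and lift the single solution modulo $n/d$ to the $d$ solutions modulo $n$. The sample congruences are made up.

```python
# Added example, not from the lecture notes: solving a*x ≡ b (mod n) by the
# recipe in the notes (divide through by d = gcd(a, n), invert a/d modulo
# n/d, then lift the single solution modulo n/d to d solutions modulo n).
from math import gcd


def solve_linear_congruence(a, b, n):
    """All x in [0, n) with a*x ≡ b (mod n), in increasing order.
    Returns [] when d = gcd(a, n) does not divide b (no solution)."""
    if n <= 0:
        raise ValueError("modulus must be positive")
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d != 0:
        return []
    a1, b1, n1 = a // d, b // d, n // d     # Theorem 4.1: reduce to modulus n/d
    if n1 == 1:                              # a ≡ 0 and b ≡ 0: every x works
        x1 = 0
    else:
        # gcd(a1, n1) = 1 (Corollary 1.2), so a1 has an inverse mod n1
        # (Proposition 4.3); pow(a1, -1, n1) computes it.
        x1 = (b1 * pow(a1, -1, n1)) % n1
    return [x1 + k * n1 for k in range(d)]   # the d solutions modulo n


def is_solution(a, b, n, x):
    return (a * x - b) % n == 0


if __name__ == "__main__":
    for a, b, n in ((9, 1, 5), (6, 4, 8), (6, 5, 8)):
        print(f"{a}x ≡ {b} (mod {n}):", solve_linear_congruence(a, b, n))
```

$9x \equiv 1 \pmod 5$ gives the single solution $x \equiv 4$ (the same as $-x \equiv 1$ in the simplification example below), $6x \equiv 4 \pmod 8$ has $d = 2$ solutions, and $6x \equiv 5 \pmod 8$ has none because $2 \nmid 5$.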

Some Simple Simplification Techniques :

(i) $a \equiv b \pmod n \Leftrightarrow a - kn \equiv b \pmod n$. Example : $9x \equiv 1 \Leftrightarrow -x + 10x \equiv 1 \Leftrightarrow -x \equiv 1 \pmod 5$.
(ii) $ab \equiv cb \pmod n$ if $a \equiv c \pmod n$; $ab \equiv ac \pmod n$ if $b \equiv c \pmod n$.
Let $X = \sum_{i=0}^{n-1} a_i 10^i$ with $9 \ge a_i \ge 0$ (the decimal digits of $X$). Then :
(iii) $X \equiv \sum_i a_i \pmod 9$ and $\pmod 3$.
(iv) $X \bmod 2 = a_0 \bmod 2$.
(v) $X \bmod 4 = (10a_1 + a_0) \bmod 4$.
(vi) $X \bmod 8 = (100a_2 + 10a_1 + a_0) \bmod 8$.
(vii) $X \bmod 5 = a_0 \bmod 5$.
(viii) $X \bmod 11 = \left(\sum_i (-1)^i a_i\right) \bmod 11$.

Theorem 4.2 (Fermat's Little Theorem) :

If $p$ is a prime number and $p$ does not divide $a$, then $a^{p-1} \equiv 1 \pmod p$.

Proof : $p$ is prime and not a divisor of $a$, so $a$ and $p$ are relatively prime. Consider the following sequence : $a, 2a, 3a, \ldots, (p-1)a$. It is clear that none of these numbers is divisible by $p$ : if $p \mid ja$ for some $j = 1, \ldots, p-1$, then $p \mid j$ because $\gcd(a, p) = 1$, which is false since $0 < j < p$. Another fact is that no two of these numbers are congruent modulo $p$ : if $ja \equiv ia \pmod p$ then, since $\gcd(a, p) = 1$, $j \equiv i \pmod p$, which is impossible for distinct $i, j$ with $0 < i, j < p$. As a result, the least positive residues of $a, 2a, 3a, \ldots, (p-1)a$ are the integers $1, 2, \ldots, p-1$ in some order, and the product of the integers $a, 2a, 3a, \ldots, (p-1)a$ is congruent modulo $p$ to the product of the integers $1, 2, \ldots, p-1$. That is :
$a \cdot 2a \cdot 3a \cdots (p-1)a \equiv 1 \cdot 2 \cdot 3 \cdots (p-1) \pmod p$, i.e. $a^{p-1}(p-1)! \equiv (p-1)! \pmod p$, and cancelling $(p-1)!$ (which is relatively prime to $p$) gives $a^{p-1} \equiv 1 \pmod p$.

We can apply Fermat's Little Theorem to simplify modular calculations involving powers of an integer.

Corollary 4.1 : If $p$ is prime then $a^p \equiv a \pmod p$ for any integer $a$.

Proof : If $p \mid a$ then $a^p \equiv a \equiv 0 \pmod p$. If $a$ is not divisible by $p$ then $\gcd(a, p) = 1$, and Fermat's Little Theorem gives $a^{p-1} \equiv 1 \pmod p$; multiplying by $a$, $a \cdot a^{p-1} \equiv a \pmod p$, i.e. $a^p \equiv a \pmod p$.

Proof : Pending.

Definition of Euler Phi Function : $\varphi(n)$ (Euler phi/totient function) is the

number of integers between 1 and $n$ (inclusive) which are relatively prime to $n$; for $n > 1$ this is the number of such integers between 1 and $n - 1$, and $\varphi(1) = 1$.

Lemma 4.2 : $(n, ab) = 1$ if and only if $(a, n) = 1$ and $(b, n) = 1$, where $(a, b) = 1$.
Proof : First, we prove that if $(n, ab) = 1$ then $(a, n) = 1$ and $(b, n) = 1$. Indeed, suppose that $(a, n) = d > 1$; then $d \mid a$ and $d \mid n$, so $d \mid ab$ and $d \mid n$, hence $(n, ab) \ge d > 1$, which contradicts the hypothesis. The same argument applies to $b$. Now we prove that if $(a, n) = 1$ and $(b, n) = 1$ then $(n, ab) = 1$ (the hypothesis $(a, b) = 1$ is not needed for this direction). Suppose that $(ab, n) = d > 1$ and let $p$ be a prime factor of $d$ (Theorem 3.1). Then $p \mid ab$ and $p \mid n$. Since $p$ is prime, $\gcd(p, a) \in \{1, p\}$, so by Corollary 1.4 $p \mid a$ or $p \mid b$; hence $(a, n) \ge p > 1$ or $(b, n) \ge p > 1$. This contradicts the hypothesis that both $(a, n)$ and $(b, n)$ equal 1. So the Lemma is proved.

Proposition 4.4 (Properties of the Euler Phi Function) :

(i) $\varphi(p) = p - 1$ where $p$ is prime.
(ii) $\varphi(p^n) = p^n - p^{n-1}$ where $p$ is prime.
(iii) $\varphi(ab) = \varphi(a)\varphi(b)$ where $\gcd(a, b) = 1$ (multiplicative property).
(iv) $\varphi(pq) = (p-1)(q-1)$ where $p, q$ are distinct primes.
(v) $\varphi(n) = n \prod_i (1 - 1/p_i)$ where the $p_i$ are the distinct primes in the prime factorization of $n$.

Proof :
(i) Because $p$ is prime, all integers from 1 to $p-1$ are relatively prime to $p$, so $\varphi(p) = p - 1$.
(ii) All integers from 1 to $p^n$ are relatively prime to $p^n$ except the multiples of $p$. It is easy to see that the number of such multiples is $p^{n-1}$, so $\varphi(p^n) = p^n - p^{n-1}$.
(iii) Write $a = m$ and $b = n$ with $\gcd(m, n) = 1$. We must count the positive integers not exceeding $mn$ which are relatively prime to $mn$. To do so, we display all positive integers not exceeding $mn$ in the following way ($m$ rows and $n$ columns; the $r$-th row consists of the numbers $\equiv r \pmod m$) :

    1          m + 1        2m + 1    ...   (n-1)m + 1
    2          m + 2        2m + 2    ...   (n-1)m + 2
    3          m + 3        2m + 3    ...   (n-1)m + 3
    ...
    r          m + r        2m + r    ...   (n-1)m + r
    ...
    m          2m           3m        ...   mn

Consider the $r$-th row. If $\gcd(m, r) = d > 1$ then $d \mid km + r$ for every $k$, which means that no number in the $r$-th row is relatively prime to $m$, and of course none is relatively prime to $mn$. So only rows whose index $r$ is relatively prime to $m$ can contain numbers relatively prime to $mn$. Clearly there are exactly $\varphi(m)$ such rows.

Now consider the $r$-th row with $r$ relatively prime to $m$ : $r, m + r, \ldots, (n-1)m + r$. This row contains $n$ integers. We prove that exactly $\varphi(n)$ of them are relatively prime to $n$. First consider the sequence $0, m, 2m, \ldots, (n-1)m$. Since $(m, n) = 1$, no two integers in this sequence are congruent modulo $n$ : if $im \equiv jm \pmod n$ with $n > i, j \ge 0$, then $i \equiv j \pmod n$ (Lemma 4.1), which forces $i = j$ because both are less than $n$. Hence the least non-negative residues of these $n$ numbers are $0, 1, \ldots, n-1$ in some order, and exactly $\varphi(n)$ of them are relatively prime to $n$. Indeed, suppose $im \equiv j \pmod n$ with $n > i, j \ge 0$. If $(j, n) = 1$ then $(im, n) = 1$, because there are $x, y \in \mathbb{Z}$ with $jx + ny = 1$, and $im - j = kn$ for some $k \in \mathbb{Z}$, so $j = im - kn$ and $(im - kn)x + ny = 1$, i.e. $(im)x + n(y - kx) = 1$, which gives $\gcd(im, n) = 1$. If $(j, n) = d > 1$ then $(im, n) > 1$, because $d \mid n$, $d \mid j$ and $im = j + kn$ give $d \mid im$, so $\gcd(im, n) \ge d > 1$.

So, in any sequence of $n$ integers no two of which are congruent modulo $n$, exactly $\varphi(n)$ are relatively prime to $n$. The sequence $r, m + r, \ldots, (n-1)m + r$ is of this kind : if $im + r \equiv jm + r \pmod n$ with $0 \le i, j < n$, then $n \mid (im + r) - (jm + r) = im - jm$, so $im \equiv jm \pmod n$ and $i \equiv j \pmod n$ because $(m, n) = 1$, which is impossible for $i \ne j$ since both are less than $n$. In conclusion, the $r$-th row contains exactly $\varphi(n)$ numbers relatively prime to $n$. We have already shown that there are $\varphi(m)$ such rows, so there are in total $\varphi(m)\varphi(n)$ numbers not exceeding $mn$ that are relatively prime to both $m$ and $n$. According to Lemma 4.2, these are exactly the numbers relatively prime to $mn$, so $\varphi(mn) = \varphi(m)\varphi(n)$ when $(m, n) = 1$.
(iv) Because $p, q$ are distinct primes, $(p, q) = 1$, so $\varphi(pq) = \varphi(p)\varphi(q) = (p-1)(q-1)$.
(v) We get this formula by writing $n = \prod_i p_i^{e_i}$ (Theorem 3.1) and applying the multiplicative property together with (ii) : $\varphi(n) = \prod_i (p_i^{e_i} - p_i^{e_i - 1}) = \prod_i p_i^{e_i}(1 - 1/p_i) = n \prod_i (1 - 1/p_i)$.

Theorem 4.4 (Euler's Theorem) : If $\gcd(a, n) = 1$ then $a^{\varphi(n)} \equiv 1 \pmod n$.

Proof : Consider the two following sequences : $r_1, r_2, \ldots, r_{\varphi(n)}$ and $a r_1, a r_2, \ldots, a r_{\varphi(n)}$, where each $r_i$ is relatively prime to $n$, does not exceed $n$, and $r_i \ne r_j$ for $i \ne j$. The set $\{r_1, r_2, \ldots, r_{\varphi(n)}\}$ is called a reduced residue system modulo $n$. Now we prove that $a r_1, a r_2, \ldots, a r_{\varphi(n)}$ is also a reduced residue system modulo $n$. Indeed, $a r_i$ is relatively prime to $n$ because both $a$ and $r_i$ are relatively prime to $n$ (Lemma 4.2). Furthermore, if $a r_i \equiv a r_j \pmod n$ for some $i, j$, then $r_i \equiv r_j \pmod n$ (Lemma 4.1), which contradicts the fact that $r_i$ and $r_j$ are distinct members of a reduced residue system modulo $n$. Because $a r_1, a r_2, \ldots, a r_{\varphi(n)}$ is a reduced residue system modulo $n$, the least positive residues of $a r_1, a r_2, \ldots, a r_{\varphi(n)}$ must be the integers $r_1, r_2, \ldots, r_{\varphi(n)}$ in some order. Consequently, multiplying together all terms of each of these reduced residue systems (note that $a \equiv b$, $c \equiv d$ $\Rightarrow$ $ac \equiv bd$) :
$a r_1 \cdot a r_2 \cdots a r_{\varphi(n)} \equiv r_1 r_2 \cdots r_{\varphi(n)} \pmod n$, i.e. $a^{\varphi(n)} r_1 r_2 \cdots r_{\varphi(n)} \equiv r_1 r_2 \cdots r_{\varphi(n)} \pmod n$, and since $(r_1 r_2 \cdots r_{\varphi(n)}, n) = 1$ we may cancel (Lemma 4.1) to get $a^{\varphi(n)} \equiv 1 \pmod n$.

Proposition 4.5 : We can compute the arithmetic inverse as follows :

$a^{-1} \equiv a^{\varphi(n) - 1} \pmod n$ if $a$ and $n$ are relatively prime. Proof : By Euler's Theorem $a^{\varphi(n)} \equiv 1 \pmod n$, so $a \cdot a^{\varphi(n) - 1} \equiv 1 \pmod n$, which says exactly that $a^{\varphi(n) - 1}$ is an inverse of $a$ modulo $n$.
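As an added example (not part of the original lecture notes), the following Python code computes $\varphi(n)$ by the product formula of Proposition 4.4 (v), cross-checks it against the definition, verifies Euler's theorem (and Fermat's Little Theorem as the prime case) on sample values, and compares the inverse $a^{\varphi(n)-1} \bmod n$ of Proposition 4.5 with the inverse obtained from Python's `pow(a, -1, n)`. The sample moduli are made up.

```python
# Added example, not from the lecture notes: Euler's phi function by the
# product formula of Proposition 4.4 (v), cross-checked against a direct
# count, Euler's theorem and Fermat's little theorem, and the inverse
# a^(phi(n)-1) mod n of Proposition 4.5 compared with Python's pow(a, -1, n).
from math import gcd


def phi(n):
    """phi(n) = n * prod(1 - 1/p) over the distinct primes p dividing n,
    evaluated as result -= result // p for each such p (exact integers)."""
    if n < 1:
        raise ValueError("n must be positive")
    result, m, p = n, n, 2
    while p * p <= m:                  # trial division, see Theorem 3.3
        if m % p == 0:
            result -= result // p      # multiply result by (1 - 1/p)
            while m % p == 0:          # strip the whole power of p
                m //= p
        p += 1
    if m > 1:                          # one prime factor > sqrt(m) is left
        result -= result // m
    return result


def phi_by_count(n):
    """Definition: number of 1 <= k <= n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def euler_theorem_holds(a, n):
    """a^phi(n) ≡ 1 (mod n) whenever gcd(a, n) = 1 (Theorem 4.4)."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    return pow(a, phi(n), n) == 1 % n


def inverse_by_euler(a, n):
    """a^(-1) mod n computed as a^(phi(n) - 1) mod n (Proposition 4.5)."""
    if gcd(a, n) != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return pow(a, phi(n) - 1, n)


if __name__ == "__main__":
    for n in (7, 8, 12, 3233):
        print(f"phi({n}) = {phi(n)} (direct count: {phi_by_count(n)})")
    print("2^16 mod 17 =", pow(2, 16, 17))            # Fermat with p = 17
    print("3^-1 mod 10 =", inverse_by_euler(3, 10), "=", pow(3, -1, 10))
```

`phi` uses the same trial division as the sieve discussion (a prime factor larger than $\sqrt{n}$ can occur at most once, which is the final `if m > 1`). Note that $\varphi(3233) = 60 \cdot 52 = 3120$ for $3233 = 61 \cdot 53$, as Proposition 4.4 (iv) predicts.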

RSA Cryptosystem : The RSA Cryptosystem is a kind of Public Key Cryptosystem.

Its security is based on the difficulty of the factorization problem. Take two large prime numbers $p$ and $q$ (each of at least 512 bits, to make factoring $n$ infeasible) and let $n = pq$. The Euler phi function of $n$ is $\varphi(n) = (p-1)(q-1)$. Choose two integers $e, d$ such that $ed \equiv 1 \pmod{\varphi(n)}$ (so $\gcd(e, \varphi(n)) = 1$ and $d$ is the arithmetic inverse of $e$ modulo $\varphi(n)$, Proposition 4.3). Then the RSA scheme is as follows :
Public information : $n, e$.
Private information : $d$ (together with $p$, $q$ and $\varphi(n)$, each of which reveals $d$ and must also be kept secret).

Encryption : $c \equiv m^e \pmod n$, where $c$ is the ciphertext and $m$ ($0 \le m < n$) is the message to be encrypted.
Decryption : $m \equiv c^d \equiv m^{ed} \equiv m^{k\varphi(n) + 1} \equiv \left(m^{\varphi(n)}\right)^k m \equiv m \pmod n$, using Euler's theorem $m^{\varphi(n)} \equiv 1 \pmod n$.
This argument requires $m$ and $n$ to be relatively prime, but the probability of the event that a random $m$ is not relatively prime to $n$ is very small :
prob $= (n - \varphi(n))/n = (pq - (p-1)(q-1))/(pq) = (p + q - 1)/(pq) \approx 2^{-511}$ when $p$ and $q$ are 512-bit primes.
(In fact decryption is correct for every $m$ with $0 \le m < n$ : check $m^{ed} \equiv m$ separately modulo $p$ and modulo $q$ using Corollary 4.1, then combine with the Chinese Remainder Theorem below; the Euler argument above simply does not cover $\gcd(m, n) > 1$.)
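As an added example (not part of the original lecture notes), here is textbook RSA with toy-sized primes in Python, so that $ed \equiv 1 \pmod{\varphi(n)}$ and $c^d \equiv m \pmod n$ can be checked by hand, including a message that shares a factor with $n$. The primes $p = 61$, $q = 53$ and exponent $e = 17$ are sample values; real keys use primes of at least 512 bits, as the notes say, plus a padding scheme, which this example omits.

```python
# Added example, not from the lecture notes: textbook RSA with toy-sized
# primes.  The parameters are deliberately tiny and there is no padding, so
# this only checks the arithmetic above (e*d ≡ 1 mod phi(n), c^d ≡ m mod n),
# including messages m with gcd(m, n) > 1.  Real keys use primes of at
# least 512 bits, as the notes say, and a padding scheme.
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) for distinct primes p, q with gcd(e, phi) = 1."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi_n = (p - 1) * (q - 1)           # Proposition 4.4 (iv)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi_n)               # e*d ≡ 1 (mod phi(n)), Proposition 4.3
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)                 # c ≡ m^e (mod n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)                 # m ≡ c^d (mod n)


def roundtrip_ok(p, q, e, messages):
    """True if every message decrypts back to itself under keys from (p, q, e)."""
    public, private = rsa_keygen(p, q, e)
    return all(rsa_decrypt(private, rsa_encrypt(public, m)) == m for m in messages)


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, e=17)      # n = 3233, phi(n) = 3120
    n, _ = public
    for m in (65, 0, 122, 3232):                    # 122 = 2*61 shares a factor with n
        c = rsa_encrypt(public, m)
        print(f"m={m:4d}  c={c:4d}  decrypted={rsa_decrypt(private, c):4d}  gcd(m,n)={gcd(m, n)}")
```

With these parameters $d = 2753$ (since $17 \cdot 2753 = 15 \cdot 3120 + 1$), and $m = 122$ decrypts correctly even though $\gcd(122, 3233) = 61$, illustrating the remark above that the Euler argument is not the whole story.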

Theorem 4.5 (Chinese Remainder Theorem, CRT) : Given $r$ integers
$m_1, m_2, \ldots, m_r$ which are pairwise relatively prime, the following system of congruences :
$x \equiv b_1 \pmod{m_1}$
$x \equiv b_2 \pmod{m_2}$
$x \equiv b_3 \pmod{m_3}$
$\ldots$
$x \equiv b_r \pmod{m_r}$
has the unique solution modulo $M$
$x = y_1 b_1 M_1 + \cdots + y_r b_r M_r \bmod M$, where $M = \prod_{i=1}^{r} m_i$, $M_i = M/m_i$ and $y_i M_i \equiv 1 \pmod{m_i}$.

Proof : First we verify that $x = y_1 b_1 M_1 + \cdots + y_r b_r M_r$ is a solution of the system. Indeed, $y_i M_i \equiv 0 \pmod{m_j}$ for $i \ne j$, because $m_j$ is a factor of $M_i$. Then $x \equiv y_i M_i b_i \equiv b_i \pmod{m_i}$ for $i = 1, 2, 3, \ldots, r$. (The inverse $y_i$ exists because $\gcd(M_i, m_i) = 1$ : $M_i$ is a product of moduli each relatively prime to $m_i$, Lemma 4.2.) Now we show that any two solutions are congruent modulo $M$. Suppose that we have two solutions $x_0, x_1$; then $x_0 \equiv x_1 \equiv b_1 \pmod{m_1}$, $x_0 \equiv x_1 \equiv b_2 \pmod{m_2}$,
$\ldots$, $x_0 \equiv x_1 \equiv b_r \pmod{m_r}$. Then $m_i \mid x_0 - x_1$ for every $i$. Because $m_1, m_2, \ldots, m_r$ are pairwise relatively prime, $m_1 m_2 \cdots m_r \mid (x_0 - x_1)$ (Corollary 1.3 applied repeatedly), i.e. $M \mid x_0 - x_1$ and $x_0 \equiv x_1 \pmod M$. So the theorem is proved.
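As an added example (not part of the original lecture notes), the following Python code computes the CRT solution exactly as in the proof above, $M = \prod m_i$, $M_i = M/m_i$, $y_i = M_i^{-1} \bmod m_i$, $x = \sum y_i b_i M_i \bmod M$, and refuses moduli that are not pairwise relatively prime, where the theorem does not apply. The sample systems are made up.

```python
# Added example, not from the lecture notes: the Chinese Remainder Theorem
# computed exactly as in the proof above: M = prod m_i, M_i = M/m_i,
# y_i = M_i^(-1) mod m_i, x = sum y_i*b_i*M_i mod M.  Sample systems are made up.
from math import gcd


def pairwise_coprime(moduli):
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def crt(residues, moduli):
    """Return (x, M) with x the unique solution modulo M = prod(moduli) of
    x ≡ residues[i] (mod moduli[i]) for all i.  Raises ValueError if the
    moduli are not pairwise relatively prime: then the theorem does not
    apply and the system may have no solution at all."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need the same non-zero number of residues and moduli")
    if any(m <= 0 for m in moduli) or not pairwise_coprime(moduli):
        raise ValueError("moduli must be positive and pairwise relatively prime")
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for b, m in zip(residues, moduli):
        if m == 1:                       # every x is ≡ b (mod 1); nothing to add
            continue
        M_i = M // m                     # product of the other moduli
        y_i = pow(M_i, -1, m)            # exists because gcd(M_i, m) = 1
        x += y_i * b * M_i               # ≡ b (mod m), ≡ 0 (mod m_j) for j != i
    return x % M, M


def satisfies(x, residues, moduli):
    return all((x - b) % m == 0 for b, m in zip(residues, moduli))


if __name__ == "__main__":
    residues, moduli = [2, 3, 2], [3, 5, 7]        # the classical example
    x, M = crt(residues, moduli)
    print(f"x ≡ {x} (mod {M}); check: {satisfies(x, residues, moduli)}")
```

For $x \equiv 2 \pmod 3$, $x \equiv 3 \pmod 5$, $x \equiv 2 \pmod 7$ the terms are $2\cdot 2\cdot 35 + 1\cdot 3\cdot 21 + 1\cdot 2\cdot 15 = 233$, and $233 \bmod 105 = 23$.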

Theorem 4.5 (Hasse-Minkowski Theorem) : $ax^2 + by^2 + cz^2 = 0$ has a
non-trivial integral solution if and only if :
(i) it has a non-zero solution in $\mathbb{R}$.
(ii) it has a solution modulo $p^n$ with $x, y, z$ relatively prime, for each prime $p$ and positive integer $n$.

Theorem 4.6 : If an equation has an integral solution then it has a solution modulo $p^n$ for
each prime $p$ and positive integer $n$.

Theorem 4.7 : If $f(x, y) \equiv 0 \pmod{p^n}$ has no solution for some prime $p$ and positive
integer $n$, then $f(x, y) = 0$ has no integral solution.

Lecture on 11th of July: Complexity of Computation

Definition (Base) : Any integer $n \ge 0$ can be written in the following form :
$n = \sum_{i=0}^{k} a_i b^i$ where $b$ and the $a_i$ are integers, $b > 1$ and $b > a_i \ge 0$.

Then we say that $(a_k, a_{k-1}, \ldots, a_1, a_0)$ is the representation of the integer $n$ in base $b$, and each $a_i$ is called a digit in base $b$.

Proposition 5.1 : If $b^k > n \ge b^{k-1}$ then the number of digits required to represent $n$ in

base $b$ is $k = \lfloor \log_b n \rfloor + 1$ (we also have $k > \log_b n \ge k - 1$).

Proposition 5.2 : To add two $k$-bit integers requires at most $k$ bit operations (counting the addition of one column of bits, with its carry, as one bit operation).
Proposition 5.3 : To multiply a $k$-bit integer by an $l$-bit integer requires at most $kl$
bit operations.

Proposition 5.4 : To subtract a $k$-bit integer from an $l$-bit integer requires at most
$\max(k, l)$ bit operations.

Proposition 5.5 : To divide a $k$-bit integer by an $l$-bit integer ($k \ge l$) requires at most
$kl$ bit operations.

Definition of Big-O Notation : Let $f(n)$ and $g(n)$ be two functions of a positive
integer $n$ which take positive values. We say that $f(n) = O(g(n))$ (or simply $f = O(g)$) if there exist constants $C$ and $N$ such that $f(n) < C g(n)$ for all $n > N$. More generally, for $f$ and $g$ functions of a vector $(n_1, n_2, \ldots, n_r)$, we say $f = O(g)$ if there is a constant $C$ such that $f(n_1, n_2, \ldots, n_r) < C g(n_1, n_2, \ldots, n_r)$ for all sufficiently large $n_1, \ldots, n_r$.

Note : If $\lim_{n \to \infty} f(n)/g(n) = A$ exists and is finite, then $f = O(g)$. (More generally, $f = O(g)$ if and only if $f(n)/g(n)$ is bounded for all large $n$; the limit need not exist.)

Proof : According to the definition of the limit, for any positive $\epsilon$ there is $N$ such that $n > N$
implies :

$\left| \frac{f(n)}{g(n)} - A \right| < \epsilon$,

$|f(n) - A g(n)| < \epsilon\, g(n)$,

$f(n) < (A + \epsilon)\, g(n)$.

Let $C = |A| + \epsilon$; then we have $f(n) < C g(n)$ for $n > N$, and because we assumed that both $f(n)$ and $g(n)$ are positive, $f(n) \le C g(n)$, i.e. $f = O(g)$.

Proposition 5.6 :
(i) Given $f(x) = a_d x^d + \cdots + a_0$ where $a_d \ne 0$, then $f = O(x^d)$.
(ii) $\log(n) = O(n^\epsilon)$ for every $\epsilon > 0$.
(iii) If $f = O(1)$ then $f$ is bounded.

Proof :
(i) Consider :

$\lim_{x \to \infty} \frac{f(x)}{x^d} = a_d$, so $f(x) = O(x^d)$ by the Note above.

(ii) Taking advantage of L'Hôpital's rule, we have :

$\lim_{n \to \infty} \frac{\log n}{n^\epsilon} = \lim_{n \to \infty} \frac{1/n}{\epsilon n^{\epsilon - 1}} = \lim_{n \to \infty} \frac{1}{\epsilon n^\epsilon} = 0$. Then $\log(n) = O(n^\epsilon)$ for $\epsilon > 0$.

Proposition 5.7 : Let $n$ be a $k$-bit integer and $m$ an $l$-bit integer. Then :
(i) $n + m$ requires at most $\max(k, l)$ bit operations (plus a final carry); we say the complexity of computing $n + m$ is $O(\max\{k, l\})$.
(ii) The complexity of computing $n - m$ is $O(\max\{k, l\})$.
(iii) The complexity of computing $n \cdot m$ is $O(kl)$.
(iv) The complexity of computing $n / m$ is $O(kl)$.

Definition : An algorithm is called a polynomial time algorithm if its complexity is
$O(f(k))$ for a polynomial $f(k)$, where $k$ is the bit length of the input.

Lecture on 12th, 18th, 19th of July, 2001: Groups, Rings, Vector Spaces and Fields
Definition (Group) : A group $G$ is a set with a binary operation, denoted by $*$,
satisfying :
(i) Closure : $a * b \in G$ for all $a, b \in G$.
(ii) Associativity : $(a * b) * c = a * (b * c)$ for all $a, b, c \in G$.
(iii) Identity : there exists $e \in G$ such that $a * e = e * a = a$ for all $a \in G$.
(iv) Inverses : for every $a \in G$ there exists $x \in G$ such that $a * x = x * a = e$. We usually denote the inverse of $a$ by $a^{-1}$.

Proposition 6.1 : Let $G$ be a group and $a, b, c \in G$. Then

(i) $e$ is unique.
(ii) $ab = ac \Rightarrow b = c$ (left cancellation property).
(iii) $ba = ca \Rightarrow b = c$ (right cancellation property).
(iv) $cc = c \Rightarrow c = e$.
(v) $a^{-1}$ is unique for each $a$.
(vi) $(a^{-1})^{-1} = a$.
(vii) $(ab)^{-1} = b^{-1} a^{-1}$.
(viii) The equations $ax = b$ and $ya = b$ have unique solutions in $G$ : $x = a^{-1} b$ and $y = b a^{-1}$.

Proof :

(i) Suppose that there are two identities $e$ and $e'$. Following condition (iii) of the definition we have $e = e e' = e'$.
(ii) $ab = ac \Rightarrow a^{-1}(ab) = a^{-1}(ac) \Rightarrow (a^{-1}a)b = (a^{-1}a)c \Rightarrow eb = ec \Rightarrow b = c$.
(iii) $ba = ca \Rightarrow (ba)a^{-1} = (ca)a^{-1} \Rightarrow b(aa^{-1}) = c(aa^{-1}) \Rightarrow be = ce \Rightarrow b = c$.
(iv) $cc = c \Rightarrow c^{-1}(cc) = c^{-1}c \Rightarrow (c^{-1}c)c = e \Rightarrow ec = e \Rightarrow c = e$.
(v) Suppose $a$ has two inverses $a_1, a_2$. Then $aa_1 = aa_2 = e$, so $a_1 = a_2$ by the left cancellation property.
(vi) $a^{-1}a = aa^{-1} = e$ says that $a$ is an inverse of $a^{-1}$; by (v) the inverse of $a^{-1}$ is unique, so $(a^{-1})^{-1} = a$.
(vii) $(ab)(b^{-1}a^{-1}) = a(bb^{-1})a^{-1} = aea^{-1} = aa^{-1} = e$, and similarly $(b^{-1}a^{-1})(ab) = e$, so by (v) $(ab)^{-1} = b^{-1}a^{-1}$.

Definition (Abelian Group) : A group is called an abelian group (or commutative
group) if $a \cdot b = b \cdot a$ for every $a, b \in G$.

Definition (Group Order) : The order of a group $G$, denoted by $|G|$, is the number
of elements of $G$. If $|G|$ is finite then we call $G$ a finite group.

Definition (Reduced Residue System) : A reduced residue system modulo $n$ is a set of integers relatively prime to $n$ such that every integer relatively prime to $n$ is congruent modulo $n$ to one and only one element of this set (one representative from each residue class relatively prime to $n$).

Definition : Let $G$ be a group and $a \in G$ :

(i) $a$ is a generator of $G$ if $G = \{ a^n \mid n \in \mathbb{Z} \}$ (for a finite group it suffices to take $n \in \mathbb{Z}^+$). Here $a^n = a * a * \cdots * a$ ($n$ times) where $*$ is the binary operation of the group $G$, $a^0 = e$ and $a^{-n} = (a^{-1})^n$.
(ii) $G$ is called cyclic if it has a generator.
(iii) The order of $a \in G$, denoted by $\operatorname{ord}(a)$, is the least positive integer $n$ such that $a^n = e$. If no such $n$ exists we say $a$ has infinite order, otherwise $a$ has finite order.
(iv) A subgroup $S$ is a subset of $G$ which is a group under the same operation.
(v) $\langle a \rangle$ is the subgroup of $G$ generated by $a \in G$. For $a$ of finite order, $\langle a \rangle = \{ e, a, a^2, \ldots, a^{\operatorname{ord}(a) - 1} \}$.

Proposition 6.2 : Let $G$ be a group with identity element $e$, and let $H$ be a subset of
$G$. Then $H$ is a subgroup of $G$ if and only if the following conditions hold :
(i) $a \cdot b \in H$ for all $a, b \in H$;
(ii) $e \in H$;
(iii) $a^{-1} \in H$ for all $a \in H$.

Definition of Coset : Given a group $G$ with a subgroup $H$, the coset of $H$ with
respect to $g$, where $g$ is an element of $G$, is the set formed by operating on the elements of $H$ with $g$, i.e. it is $\{ hg \mid h \in H \}$. It is written simply $Hg$, and is called a right coset of $H$.

Proposition 6.3 : Some properties of cosets (given a group $G$ and its subgroup $H$) :
(i) $g \in Hg$, since $e \in H$ and $ge = g$.
(ii) If $H$ is finite, $H = \{ h_1, h_2, \ldots, h_n \}$, then $Hg = \{ h_1 g, h_2 g, \ldots, h_n g \}$ where the $h_i g$ are all distinct (right cancellation), so $|Hg| = |H|$.
(iii) $H$ itself is one coset of $H$, since $He = H$.
(iv) We obtain one coset of $H$ from each $g \in G$, but we cannot claim that we get a different right coset from each element of $G$.

Lemma : If $H$ is a subgroup of $G$ then the relation $R$ defined on $G$ by $aRb \Leftrightarrow ab^{-1} \in H$
is an equivalence relation; the equivalence class containing $a$ is the right coset $Ha$.
Proof : We must verify that the relation $R$ is reflexive, symmetric, and transitive :

(i) $aa^{-1} = e \in H$, so $aRa$ (reflexive).
(ii) $ab^{-1} \in H \Rightarrow (ab^{-1})^{-1} = ba^{-1} \in H$, so $aRb \Rightarrow bRa$ (symmetric).
(iii) $ab^{-1} \in H$ and $bc^{-1} \in H$ $\Rightarrow$ $(ab^{-1})(bc^{-1}) = ac^{-1} \in H$, so $aRb, bRc \Rightarrow aRc$ (transitive).

Now we prove that the equivalence class containing $a$ is the right coset $Ha$. Consider $gRa \Leftrightarrow ga^{-1} \in H \Leftrightarrow ga^{-1} = h$ for some $h \in H \Leftrightarrow g = ha \in Ha$. The lemma is proved.

Theorem 6.1 (Lagrange's Theorem) : If $H$ is a subgroup of a finite group
$G$, then the order of $H$ divides the order of $G$.

Proof : Let $k$ be the number of right cosets of $H$. Because the right cosets of $H$ are the equivalence classes of the relation in the Lemma, they partition $G$ : every element of $G$ lies in exactly one of them. The size of each coset is $|H|$ (Proposition 6.3 (ii)), so $k|H| = |G|$.

Theorem 6.2 : $\operatorname{ord}(a) \mid |G|$ where $G$ is a finite group and $a \in G$.

Proof : Consider the subgroup of $G$ generated by $a$, $\langle a \rangle$. Clearly the order of
$\langle a \rangle$ is $\operatorname{ord}(a)$, because $e, a, \ldots, a^{\operatorname{ord}(a) - 1}$ are distinct and $a^{\operatorname{ord}(a)} = e$. By Lagrange's theorem, $|\langle a \rangle|$ divides $|G|$, i.e. $\operatorname{ord}(a) \mid |G|$.

Corollary 6.1 : If $|G| = n$ and $g \in G$, then $\operatorname{ord}(g) \mid n$ and $g^n = e$.

Proof : We have $\operatorname{ord}(g) = |\langle g \rangle|$, and as $\langle g \rangle$ is a subgroup of $G$, Lagrange's theorem gives $\operatorname{ord}(g) \mid n$. Thus if $\operatorname{ord}(g) = k$ we
may write $n = qk$ for some $q \in \mathbb{N}$, and then $g^n = (g^k)^q = e^q = e$.

Actually, Euler's theorem can be deduced from this fact by considering the group $(\mathbb{Z}/n\mathbb{Z})^*$, the set of residues modulo $n$ that are relatively prime to $n$ (the $*$ indicates that 0 is excluded), with multiplication modulo $n$ as the binary operation. The order of this group is $\varphi(n)$, so if $a \in (\mathbb{Z}/n\mathbb{Z})^*$, i.e. $(a, n) = 1$, we have $a^{\varphi(n)} = 1$ in the group, in other words $a^{\varphi(n)} \equiv 1 \pmod n$. If $p$ is prime this gives a proof of Fermat's Little Theorem $a^{p-1} \equiv 1 \pmod p$ for $p$ not dividing $a$.

Corollary 6.2 : A group of prime order is cyclic and has no proper non-trivial
subgroups; any non-identity element generates the group.
Proof : Suppose that the group $G$ has order $p$ where $p$ is prime. Then, by Lagrange's theorem, every subgroup of $G$
has order 1 or $p$. Thus if $a$ is not the identity element then $\langle a \rangle \ne \{e\}$, so $|\langle a \rangle| = p$ and $\langle a \rangle = G$.

Proof : Clearly, $H \cap K$ is a subgroup of both $H$ and $K$, so by Lagrange's theorem $|H \cap K|$ divides both $|H|$ and $|K|$; hence if $\gcd(|H|, |K|) = 1$ then $|H \cap K| = 1$, i.e. $H \cap K = \{e\}$.

Definition (Field) : Consider a set $F$ with two operations, $(F, +, *)$, where :

(i) $(F, +)$ is an abelian group, whose identity is denoted 0.
(ii) $(F^*, *)$ is an abelian group, whose identity is denoted 1, where $F^* = F \setminus \{0\}$.
(iii) $(a + b) * c = a * c + b * c$ for all $a, b, c \in F$ (distributive law).

Definition (Vector Space) : Let $(V, +)$ be an abelian group. This group is said
to be a vector space over a field $F$ if there is a map $F \times V \to V$, $(a, v) \mapsto av$, such that for all $a, b \in F$ and $v, w \in V$ :
(i) $a(v + w) = av + aw$
(ii) $(a + b)v = av + bv$
(iii) $(ab)v = a(bv)$
(iv) $1v = v$ (1 is the multiplicative identity of $F$)

Definition :
(i) Given a vector space $V$ over a field $F$, we say that $S = (v_1, v_2, \ldots, v_n) \subseteq V$ is
linearly independent if $c_1 v_1 + c_2 v_2 + \cdots + c_n v_n = 0$ (with $c_i \in F$) implies $c_1 = c_2 = c_3 = \cdots = c_n = 0$. Otherwise we say that $S$ is linearly dependent.
(ii) We define the dimension of $V$ (denoted $\dim V$) as the largest number of linearly independent elements in $V$. The dimension of a vector space can be finite or infinite.
(iii) $(v_1, v_2, \ldots, v_n) \subseteq V$ is a basis of $V$ over $F$ if the $n$ elements are linearly independent and $\dim V = n$.

Definition (Extension Field) : Consider a field $K$ which contains a field
$F$; then $K$ is automatically a vector space over $F$. We denote $\dim K$ (over $F$) by $[K : F]$; it is called the extension degree of $K$ over $F$. The field $K$ is said to be an extension field of the field $F$. If $[K : F]$ is finite then it is called a finite extension. One common way of obtaining an extension field is to adjoin an element $\alpha$ to $F$ : we write $K = F(\alpha)$ if $K$ is the field consisting of all rational expressions formed using $\alpha$ and elements of $F$.

Definiton (Polynominal Ring) : Let F be a field. The the set of polynominal

f(x) where all coefficients are elements of F is called polynominal ring, denoted as F[X].

Definition (Degree of Polynominal) : Degree of a polynominal f(x) is defined

as the largest power of x in all terms of f(x), denoted by deg(f).

Definition (Monic Polynominal): A polynominal f(x) is said to be a monic

polynominal if the coefficient of the largest power of x is 1.

Definition (Irreducible Polynominal): A polynominal f(x) is said to be

divisible by another polynominal g(x) if h(x) such that f(x) = g(x)h(x) where the degree of g(x) and h(x) are less than degree of f(x) and greater than 0. Otherwise, f(x) is said to be irreducible. We also can apply division algorithm theorem of integer and greatest common divisor concept to polynominal.

Definition (Unique Factorization Domain) : F[X] is a unique factorization domain: every f(x) in F[X] can be written as a product f(x) = \prod_i p_i(x) where every p_i(x) is irreducible.


Definition (Algebraic) : An element of K (K an extension field of F) is said to be algebraic over F if there exists f(x) in F[X] such that f() = 0. If no such f(x) exists, then the element is said to be transcendental over F.

Proposition 6.5 : If an element is algebraic over F, there exists only one monic irreducible polynomial f(x) in F[X] with f() = 0 (the element is called a root of f(x)). This monic irreducible polynomial is called the minimal polynomial of the element. Furthermore, if any h(x) in F[X] satisfies h() = 0 then f(x) | h(x).
Proof : Assume that f(x) and g(x) are two distinct monic irreducible polynomials such that f() = g() = 0. Because f(x) and g(x) are distinct and irreducible, they are relatively prime, which means there exist u(x), v(x) in F[X] such that :
f(x)u(x) + g(x)v(x) = 1
Substituting the root for x we have :
0.u() + 0.v() = 1, i.e. 0 = 1
This is impossible, so such f(x) is unique.

Proposition 6.6 : If the minimal polynomial, say f(x), of the adjoined element has degree d, then any element of F() (that is, any rational expression involving powers of the element and elements of F; see the definition of extension field) can be expressed as a linear combination of the powers 1, , ^2, ..., ^{d-1}. Therefore, those powers form a basis of F() over F, and so the dimension of the extension obtained by adjoining the element is the same as the degree of its minimal polynomial : [F():F] = deg(f(x)) = d.

Definition : Any root of the minimal polynomial of an algebraic element over F is called a conjugate of that element over F. An isomorphism is a map from F() to F() satisfying :
(i) it is bijective.
(ii) (x + y) = (x) + (y) (preserving addition).
(iii) (xy) = (x)(y) (preserving multiplication).


F() and F() are then said to be isomorphic. If F() = F(), then we say that F() and F() are automorphic. A very popular result in this topic is that Q(√2) and Q(-√2) are automorphic. Any number in R can be represented by a + b√2 where a and b are rational numbers.

Definition (Multiple Root) : If (x-m)^r exactly divides f(x) (that is, (x-m)^r | f(x) and (x-m)^(r+1) does not divide f(x)) then we say that m is a root of multiplicity r.

Proposition 6.7 : If f(x) has a multiple root then gcd(f, f') has a root (f' is the derivative of f).

Definition (Splitting Field) : A splitting field of f(x) in F[X] is the smallest extension field containing all roots of f. That is, f(x) splits into a product of linear polynomials in the splitting field of f :
f(x) = a(x - r1)(x - r2)...(x - rn), where every ri lies in the splitting field of f(x).
The splitting field is unique up to isomorphism, meaning that if K and K' are two fields with the same properties, there is a one-to-one correspondence between K and K' which preserves addition and multiplication.

Definition (Characteristic of Field) : Given a field F, if 1 + 1 + ... + 1 = 0 (p times, 1 being the multiplicative identity of F) then we say that the characteristic of F is p, char(F) = p. In this case F contains a copy of the field Z/pZ, which is called its prime field. If 1 + 1 + 1 + 1 + ... never gives 0, we say that char(F) = 0. For instance, char(Z/pZ) = p (p prime) and char(Q) = 0. Note that a nonzero characteristic of a field can only be a prime.

Proposition 6.8 : Every field contains one and only one prime field.

Definition (Algebraic Closure) : Given a field F, if every polynomial f(x) in F[X] has a root in F then F is said to be algebraically closed. The complex field, C, is one field of this kind. The smallest algebraically closed extension field of F is called the algebraic closure of F, denoted \bar{F}. The complex numbers are the algebraic closure of the real numbers.


Finite Field
Theorem 7.1 : Let F be a finite field.
(i) The characteristic of F cannot be zero.
(ii) If char(F) = p then the order of F is p^n for some integer n, where p is prime. There is also one and only one finite field of each such order up to isomorphism, denoted F_{p^n}.

Corollary 7.1 : The order of any a in Fq*, ord(a), divides q-1.

Proof : The order of the group Fq* is q-1, so ord(a) | (q-1) for any a in Fq*.

Definition of Primitive Element : A generator of a finite field Fq is an element of order q-1, called a primitive element.

Proposition 7.1 : Every finite field has a generator.

Corollary 7.2 : Let <g> = Fq*. Then :
(i) g^i is a generator if and only if gcd(i, q-1) = 1.
(ii) There are φ(q-1) generators.

Proof : Pending.

Theorem 7.2 : (a+b)^p = a^p + b^p in Fq with characteristic p.

Proof : We have :
(a + b)^p = \sum_{i=0}^{p} C_p^i a^i b^{p-i}
and p | C_p^i for 0 < i < p, so only the terms i = 0 and i = p survive in characteristic p :


(a + b)^p = a^p + b^p
(a + b)^{p^2} = a^{p^2} + b^{p^2}
(a + b)^{p^3} = a^{p^3} + b^{p^3}
Applying this fact repeatedly, we can show the same identity for every power of p.

Theorem 7.3 : Every conjugate of an element which is algebraic over a finite field is ^i for some positive integer i.

Proof : Let the element be one root of f(x); then :

f() = a_d ^d + a_{d-1} ^{d-1} + ... + a_1 + a_0 = 0

f(^i) = a_d (^i)^d + a_{d-1} (^i)^{d-1} + ... + a_1 ^i + a_0
f(^i) = a_d (^d)^i + a_{d-1} (^{d-1})^i + ... + a_1 ^i + a_0
f(^i) = (a_d ^d + a_{d-1} ^{d-1} + ... + a_1 + a_0)^i = 0

(explanation pending)

Theorem 7.4 : If Fq is a field of q elements, then every element satisfies the equation X^q - X = 0, and Fq is precisely the set of roots of that equation. Conversely, for every prime power q = p^n the splitting field over Fp of the polynomial X^q - X is the field of q elements.

Proof : First suppose that Fq is a finite field; then the order of every element a of Fq* divides q-1. Thus a^{q-1} = (a^{ord(a)})^k = 1^k = 1, so a^q - a = 0 (and 0 is trivially a root). Conversely, let q = p^n be a prime power and F the splitting field of f(x) = X^q - X over the field Fp. We have :
f(x) = X^q - X, f'(x) = qX^{q-1} - 1 = -1 (because q = 0 in Fp)

Therefore f(x) and f'(x) have no common root at all, so f(x) has no multiple root (Proposition 6.7). This means that f(x) has q distinct roots. As F is the splitting field of f(x) over Fp, F must contain at least these q elements. We show that the set of these q roots is closed under addition and multiplication, i.e. it is a field. If a and b are roots of f(x), a^q = a and b^q = b, then (a + b)^q = a^q + b^q = a + b (Theorem 7.2) and (ab)^q = a^q b^q = ab. That is, both the sum of a


Construction of Finite Field : F_{p^d} = F_p() = F_p[X]/f(x), where p is prime and f(x) is an irreducible polynomial of degree d such that f() = 0. F_p[X]/f(x) means that all operations in this field are reduced modulo f(x). We know that if f(x) is the minimal polynomial of the adjoined element then every element of the vector space F_p() can be written as a linear combination of 1, , ^2, ^3, ..., ^{d-2}, ^{d-1}; that is, 1, , ^2, ^3, ..., ^{d-2}, ^{d-1} form a basis of F_p() over F_p :

F_p() = \{ \sum_{i=0}^{d-1} a_i ^i \mid a_i \in F_p \}

Let f(x) = \sum_{i=0}^{d} a_i x^i with a_d = 1 (monic irreducible minimal polynomial); then :

f() = ^d + a_{d-1} ^{d-1} + ... + a_1 + a_0 = 0
^d = -(a_{d-1} ^{d-1} + ... + a_1 + a_0)
[F_p():F_p] = d

In order to construct a finite field, take the following steps :
Take an irreducible polynomial f(x) of degree d over F_p.
F_{p^d} = F_p[X]/f(x). Operations : given g(x), h(x) in F_{p^d} :
g(x) + h(x) = {g(x) + h(x)} mod f(x)
g(x)h(x) = {g(x)h(x)} mod f(x)
g(x)^{-1} = g(x)^{-1} mod f(x)
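The construction above carried out in code, as an added example that is not part of the lecture notes: elements of F_p[X]/f(x) are coefficient lists reduced modulo f, with multiplication, inversion, the Frobenius (conjugate) map and the trace built on top; the class and function names and the two sample fields are my own choices for this example.

```python
# Added example, not from the lecture notes: arithmetic in F_{p^d} = F_p[X]/f(x).
# An element is a coefficient list [a_0, ..., a_{d-1}] (lowest degree first) over F_p,
# reduced modulo a monic irreducible f given as [f_0, ..., f_d].  The sample fields
# (p=2, f=x^3+x+1 and p=3, f=x^2+1) are constructed inputs chosen for this example.

def poly_mod(a, f, p):
    """Reduce a modulo monic f over F_p; the result has exactly deg(f) coefficients."""
    a = [c % p for c in a]
    d = len(f) - 1
    for i in range(len(a) - 1, d - 1, -1):   # cancel x^i (i >= d) with c * x^(i-d) * f(x)
        c = a[i]
        if c:
            for j in range(d + 1):
                a[i - d + j] = (a[i - d + j] - c * f[j]) % p
    return (a[:d] + [0] * d)[:d]

class GF:
    """F_p[X]/f(x), a field with q = p^d elements; the class of x is a root of f."""
    def __init__(self, p, f):
        self.p, self.f, self.d = p, f, len(f) - 1
        self.q = p ** self.d
        self.zero, self.one = [0] * self.d, ([1] + [0] * self.d)[:self.d]
    def add(self, a, b):                           # {g(x) + h(x)} mod f(x)
        return [(x + y) % self.p for x, y in zip(a, b)]
    def mul(self, a, b):                           # {g(x)h(x)} mod f(x)
        prod = [0] * (2 * self.d - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] += x * y
        return poly_mod(prod, self.f, self.p)
    def pow(self, a, e):                           # square-and-multiply
        r, base = self.one, a
        while e:
            if e & 1:
                r = self.mul(r, base)
            base, e = self.mul(base, base), e >> 1
        return r
    def inv(self, a):                              # ord(a) | q-1 (Corollary 7.1), so a^(q-2) = a^-1
        return self.pow(a, self.q - 2)
    def frobenius(self, a):                        # a -> a^p, the conjugate map of Theorem 7.3
        return self.pow(a, self.p)
    def trace(self, a):                            # Tr(a): sum of the d Frobenius iterates of a
        t, x = self.zero, a
        for _ in range(self.d):
            t, x = self.add(t, x), self.frobenius(x)
        return t
```

With GF(2, [1, 1, 0, 1]) the element x satisfies x^3 = x + 1 and x^8 = x, and its conjugate x^2 is again a root of f, which is what Theorems 7.3 and 7.4 predict.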


Classification of Finite Fields :

F_p is called a prime field, where p is prime (in the cryptographic sense, the size of p should be 1024). F_{2^n} is called a binary field. If n is composite, it is called a composite field. The size of n should also be 1024 with respect to cryptography. F_{p^n} is called an optimal extension field. The size of p should be the same as the size of a word in the given processor, and n = 1024/r.

Definition of Norms and Traces : Given a prime number p and q = p^n. Then the trace and norm functions are defined as follows :
N, Tr : F_{q^n} → F_q
Tr_{F_{q^n}|F_q}() = \sum_{i=0}^{n-1} σ^i()
N_{F_{q^n}|F_q}() = \prod_{i=0}^{n-1} σ^i()
where σ belongs to G, the automorphism set (in this definition we choose σ to be the Frobenius map).

Proposition 7.2 :
(i) Tr( + ) = Tr() + Tr().
(ii) Tr(c) = cTr().
(iii) Tr(c) = nc.
(iv) Tr(^q) = Tr().
(v) N() = N()N().
(vi) N(c) = c^n N().
(vii) N(c) = c^n.

Proposition 7.3 : Let E be an extension field of F and F an extension field of K. Then :

Tr_{E/K} = Tr_{F/K} ∘ Tr_{E/F}
N_{E/K} = N_{F/K} ∘ N_{E/F}

Bases : A basis is a set of n elements in F_{q^n} which are linearly independent over F_q.

The number of ways to choose a basis of F_{q^n} over F_q is (explanation pending) :

(q^n - 1)(q^n - q)...(q^n - q^{n-1}) = \prod_{i=0}^{n-1} q^i (q^{n-i} - 1) = q^{n(n-1)/2} \prod_{i=1}^{n} (q^i - 1)

Classification of basis : A basis is called a :

(i) polynomial basis if it has the form {1, , ^2, ..., ^{n-1}}
(ii) normal basis if it has the form { , ^q, ^{q^2}, ..., ^{q^{n-1}} }

Definition of dual basis : Let { _1, _2, ..., _n } and { _1, _2, ..., _n } be two bases of F_{q^n}/F_q. The second is the dual basis of the first if :
Tr(_i _j) = δ_ij
where δ_ij is the Kronecker delta, δ_ij = 1 if i = j and 0 if i ≠ j.

Theorem 7.5 :
(i) For every basis of F_{q^n}/F_q, there is one and only one dual basis.
(ii) The dual basis of a normal basis is a normal basis.
(iii) The dual basis of a polynomial basis is not a polynomial basis.

Proposition : { _1, _2, ..., _n } is a basis if and only if A is a non-singular matrix (square matrix whose determinant is not zero), where A is the n x n matrix whose rows correspond to the powers 1, q, q^2, ..., q^{n-1} and whose columns correspond to the elements, i.e. the entry in row i and column j is _j^{q^{i-1}} :

A = \begin{pmatrix} _1 & _2 & \cdots & _n \\ _1^q & _2^q & \cdots & _n^q \\ \vdots & \vdots & & \vdots \\ _1^{q^{n-1}} & _2^{q^{n-1}} & \cdots & _n^{q^{n-1}} \end{pmatrix}

Proof : First, we prove that if { _i } is a basis then A is nonsingular. It is a fact that a dual basis of every basis exists (Theorem 7.5). Let B be the matrix built in the same way from the dual basis (row i holds the q^{i-1}-th powers of the dual basis elements). Consider the product of A and the transpose of B, B^T : the entry in row i and column j of AB^T is the sum, over k = 0, ..., n-1, of the products of the q^k-th powers of the i-th basis element and the j-th dual basis element, which is the sum of the q^k-th powers of their product, that is Tr(_i times the j-th dual element) = δ_ij. Hence :

AB^T = I

because Tr(_i times the j-th dual element) = δ_ij (Kronecker delta). This implies that A can be inverted, that is, A must be nonsingular.

Now we prove that when A is nonsingular then { _i } is a basis. Consider the following equation :

\sum_{i=1}^{n} c_i _i = 0, where c_i \in F_q

Raising both sides to the q-th power gives

\sum_{i=1}^{n} c_i^q _i^q = \sum_{i=1}^{n} c_i _i^q = 0 (because c_i \in F_q implies c_i^q = c_i)

Similarly, we can show that \sum_{i=1}^{n} c_i _i^{q^k} = 0 for every k if \sum_{i=1}^{n} c_i _i = 0, where c_i \in F_q, holds. Note that with C = (c_1, c_2, ..., c_n)^T these n equations are exactly the rows of the product AC :

AC = 0

Then AC = 0 and A nonsingular imply C = 0. That is :

\sum_{i=1}^{n} c_i _i = 0 implies c_i = 0 for all i

Theorem 7.6 : Let {1, , ^2, ..., ^{n-1}} be a polynomial basis, f(x) = Irr(, F_q) the minimal polynomial of the element over F_q, and write f(x) = (x - )(_{n-1} x^{n-1} + _{n-2} x^{n-2} + ... + _0). Then the dual basis is {_1, _2, ..., _n}, where : _i = _i/f'(x)

Proof : Pending.

Theorem 7.7 :
(i) There is no self-dual polynomial basis of F_{q^n} over F_q for n ≥ 2.
(ii) F_{q^n} has a self-dual basis over F_q if and only if q is even or both q and n are odd.
(iii) If n is odd or if q is even then there is a self-dual normal basis of F_{q^n}/F_q.

Polynomial Bases Theorem (7.8) : Let a in Fq* have order e. Then x^t - a is irreducible in Fq[X] if and only if t ≥ 2 satisfies :
(i) each prime factor of t divides e but does not divide (q-1)/e.
(ii) if 4 | t then 4 | (q-1).


Some irreducible polynomials :

(i) Trinomial : x^n + a_d x^d + a_0 (three terms)
(ii) Pentanomial : five terms.
(iii) All-one polynomial : all coefficients equal to 1.

Polynomial multiplication, Karatsuba-Ofman method :

Suppose that we want to compute A(x)B(x). We write A(x) and B(x) in the following form :
A(x) = x^{n/2} A_n + A_l
B(x) = x^{n/2} B_n + B_l
Then, we have :
A(x)B(x) = (x^{n/2} A_n + A_l)(x^{n/2} B_n + B_l)
A(x)B(x) = x^n A_n B_n + x^{n/2}(A_n B_l + B_n A_l) + A_l B_l

In order to reduce the number of multiplication operations, we rewrite A_n B_l + B_n A_l in the following way :
A_n B_l + A_l B_n = (A_l + A_n)(B_l + B_n) - A_l B_l - A_n B_n
Repeating this procedure for the multiplication operations A_n B_n, A_n B_l, A_l B_n, A_l B_l, we get better performance in comparison with the conventional method.
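The Karatsuba-Ofman split above, applied recursively to polynomials over F_2 (the binary-field case discussed earlier), as an added example that is not part of the lecture notes; the int-as-bit-vector representation, the function names and the multiplication counter are my own choices for this example.

```python
# Added example, not from the lecture notes: Karatsuba-Ofman multiplication of
# polynomials over F_2 (the binary-field case).  A polynomial is a Python int whose
# bit i is the coefficient of x^i, so addition and subtraction are XOR and x^k is a shift.
import random

def schoolbook(a, b):
    """Conventional carry-less product: XOR a shifted copy of a for every set bit of b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def karatsuba(a, b, n):
    """Product of a and b, both of degree < n, with n a power of two."""
    if n == 1:
        return a & b                        # a single coefficient multiplication in F_2
    h = n // 2
    mask = (1 << h) - 1
    al, ah = a & mask, a >> h               # A(x) = x^h * Ah + Al
    bl, bh = b & mask, b >> h               # B(x) = x^h * Bh + Bl
    low = karatsuba(al, bl, h)              # Al*Bl
    high = karatsuba(ah, bh, h)             # Ah*Bh
    # Ah*Bl + Al*Bh = (Al + Ah)(Bl + Bh) - Al*Bl - Ah*Bh: one recursive product instead of two
    mid = karatsuba(al ^ ah, bl ^ bh, h) ^ low ^ high
    return (high << n) ^ (mid << h) ^ low

def mult_count(n, karatsuba_method=True):
    """Coefficient multiplications used: 3 per split for Karatsuba, 4 for schoolbook splitting."""
    if n == 1:
        return 1
    return (3 if karatsuba_method else 4) * mult_count(n // 2, karatsuba_method)

def agrees_with_schoolbook(n, trials, seed=1):
    """Cross-check on constructed random inputs of degree < n (seeded for reproducibility)."""
    rng = random.Random(seed)
    pairs = ((rng.getrandbits(n), rng.getrandbits(n)) for _ in range(trials))
    return all(karatsuba(a, b, n) == schoolbook(a, b) for a, b in pairs)
```

For degree-64 operands the recursion performs 3^6 = 729 coefficient multiplications instead of the 4^6 = 4096 of the conventional method, which is the saving the text describes.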

Complexity of polynomial operations in Finite Field :

(i) Addition :
(ii) Subtraction :
(iii) Multiplication :
(iv) Reduction :
(v) Division :
(vi) Inverse :
(vii) Power :
