
Arithmetic Complexity Theory Euclid’s Algorithm

Mathematics for Cryptography

Christophe Clavier

University of Limoges

October 7-11, 2013

Christophe Clavier (Unilim) Mathematics for Cryptography October 7-11, 2013 1 / 32


Modular Operations, Congruences

Modular Operations

Definition
Let n > 0 be an integer, and a ∈ Z.
The residue of a modulo n is defined as the remainder of the division of a by n.
The residue of a modulo n is denoted a mod n, and n is called the modulus.

a mod n = b thus means that there exists an integer k such that a = k · n + b,
with 0 ≤ b < n.

Example
1 = 7 mod 3, 2 = 10 mod 8, 50 mod 5 = 0


Modular Operations, Congruences

Modular Operations

Property
Let n > 0 be an integer, and a, b ∈ Z.
addition (a + b) mod n = ((a mod n) + (b mod n)) mod n
product (a · b) mod n = ((a mod n) · (b mod n)) mod n

Examples
(1211 + 366) mod 12 = (11 + 6) mod 12 = 5.
(58 823 · 4729) mod 10 = (3 · 9) mod 10 = 7.


Modular Operations, Congruences

Congruence modulo n
Definition
Let n > 0 be an integer, and a, b ∈ Z.
One says that a is congruent to b modulo n iff a and b have the same remainder
when divided by n.
Notation: a ≡ b (mod n)

Property
a ≡ b (mod n) ⇐⇒ n | (a − b)

For any given integer n > 0, the relation ”· ≡ · (mod n)” is an equivalence
relation on Z (reflexive, symmetric, transitive).
If a ≡ a′ (mod n) and b ≡ b′ (mod n), then
a + b ≡ a′ + b′ (mod n)
a · b ≡ a′ · b′ (mod n)


Modular Operations, Congruences

Congruence modulo n

Warning!
The notion of remainder modulo n (a mod n = b) must not be confused with that of
congruence modulo n (a ≡ b (mod n)).

Example
4 ≡ 7 (mod 3), 1 ≡ 7 (mod 3), 50 ≡ 0 (mod 5)

Notice that a ≡ b (mod n) does not imply a = b mod n nor b = a mod n.


Modular Operations, Congruences

Multiplicative Inverse modulo n

Definition
Let n > 0 be an integer, and a ∈ Z.
a′ ∈ Z is called a multiplicative inverse of a modulo n iff a · a′ ≡ 1 (mod n).

Examples
An inverse of 3 modulo 7 is 5.
Other inverses of 3 modulo 7 are 12, 19, −2, ...
An inverse of 3 modulo 10 is 7.
An inverse of 4 modulo 10 does not exist.


Modular Operations, Congruences

Multiplicative Inverse modulo n

Theorem
There exists a multiplicative inverse of a modulo n if and only if a and n are
coprime (gcd(a, n) = 1).

If there exists a multiplicative inverse of a modulo n, then it is uniquely
determined modulo n.
a⁻¹ thus defines an equivalence class modulo n ({a⁻¹ + kn, k ∈ Z}).

By abuse of notation, one often writes a⁻¹ for the unique representative
of this class belonging to {0, ..., n − 1}.
For example, one will say that 5 is the inverse of 3 modulo 7.


Chinese Remainder Theorem

Chinese Remainder Theorem (CRT)

Chinese Remainder Theorem


Let n_1, ..., n_k be pairwise coprime positive integers, and a_1, ..., a_k be integers
defined modulo n_1, ..., n_k respectively.
There exists an integer a such that
a ≡ a_i (mod n_i) (i = 1, ..., k).
Also, a′ is a solution to this system of equations iff a′ ≡ a (mod N),
where N = ∏_{i=1}^{k} n_i.
Therefore, the solution to this system of congruences is uniquely determined
modulo the product of the moduli.

The Chinese remainder theorem expresses that there exists a one-to-one
mapping between Z_N and Z_{n_1} × ... × Z_{n_k}.
In Z_N, it is possible to represent the integer a by the tuple (a_1, ..., a_k) where
for all i, a_i = a mod n_i.


Chinese Remainder Theorem

Chinese Remainder Theorem (CRT)

Example
Example with n_1 = 3 and n_2 = 5 (N = 15):

a        0  1  2  3  4  5  6  7  8  9 10 11 12 13 14
a mod 3  0  1  2  0  1  2  0  1  2  0  1  2  0  1  2
a mod 5  0  1  2  3  4  0  1  2  3  4  0  1  2  3  4

The integer 8 is represented by the couple (2, 3).


Chinese Remainder Theorem

Changing the Representation

From Z_N to Z_{n_1} × ... × Z_{n_k}

∀i = 1, ..., k: a_i = a mod n_i

From Z_{n_1} × ... × Z_{n_k} to Z_N (Gauss's method)

For all i = 1, ..., k, let N_i := N/n_i. Then:

a = (a_1 · N_1 · (N_1⁻¹ mod n_1) + ... + a_k · N_k · (N_k⁻¹ mod n_k)) mod N

From Z_{n_1} × ... × Z_{n_k} to Z_N (Garner's method)

Particular case k = 2:
a = a_1 + n_1 · (((a_2 − a_1) · (n_1⁻¹ mod n_2)) mod n_2)
This method can be generalised to k > 2. It consists of computing the
successive digits of a in the mixed-radix base (n_1, n_2, ..., n_k).
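Both conversions above as an added Python example (mine, not code from the slides): it implements Gauss's and Garner's methods, extends Garner's recurrence to k > 2 moduli (the mixed-radix construction the slide only mentions; its exact form here is my assumption), and checks the one-to-one mapping claim on the n_1 = 3, n_2 = 5 table.

```python
from math import gcd, prod

def to_residues(a, moduli):
    """Z_N -> Z_{n_1} x ... x Z_{n_k}: a_i = a mod n_i for each i."""
    return [a % n for n in moduli]

def gauss_crt(residues, moduli):
    """Gauss: a = (sum_i a_i * N_i * (N_i^-1 mod n_i)) mod N, with N_i = N / n_i."""
    N = prod(moduli)
    total = 0
    for a_i, n_i in zip(residues, moduli):
        N_i = N // n_i
        total += a_i * N_i * pow(N_i, -1, n_i)   # pow(x, -1, m) needs Python 3.8+
    return total % N

def garner_crt(residues, moduli):
    """Garner. For k = 2 this is the slide's
    a = a_1 + n_1 * (((a_2 - a_1) * (n_1^-1 mod n_2)) mod n_2);
    for k > 2 it builds the mixed-radix digits of a in base (n_1, ..., n_k)
    one modulus at a time (my reading of the generalisation the slide mentions)."""
    a, base = 0, 1                 # base = n_1 * ... * n_{i-1}; invariant: a < base
    for a_i, n_i in zip(residues, moduli):
        # a already has the right residues modulo the earlier moduli; pick the
        # next digit so that a + base * digit = a_i (mod n_i)
        digit = ((a_i - a) * pow(base, -1, n_i)) % n_i
        a += base * digit
        base *= n_i
    return a

def pairwise_coprime(moduli):
    """The CRT hypothesis; without it Z_N -> product of Z_{n_i} is not one-to-one."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))

def is_bijection(moduli):
    """Check the one-to-one mapping claim: every a in Z_N has a distinct tuple and
    both conversions back to Z_N recover a."""
    if not pairwise_coprime(moduli):
        return False
    N = prod(moduli)
    tuples = {tuple(to_residues(a, moduli)) for a in range(N)}
    round_trips = all(
        gauss_crt(to_residues(a, moduli), moduli) == a
        and garner_crt(to_residues(a, moduli), moduli) == a
        for a in range(N))
    return len(tuples) == N and round_trips
```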


Groups and Residue Classes

Groups

Definition
A group is a set G together with a binary (two operands) operation ⋆ defined on
G × G satisfying:
1. for all a, b, c ∈ G, a ⋆ (b ⋆ c) = (a ⋆ b) ⋆ c (⋆ is associative)
2. there exists e ∈ G (the neutral element) such that for all a ∈ G,
a ⋆ e = a = e ⋆ a
3. for all a ∈ G, there exists a′ ∈ G (the inverse of a) such that a ⋆ a′ = e = a′ ⋆ a

Definition
An abelian group is a group G such that:
4. for all a, b ∈ G, a ⋆ b = b ⋆ a (⋆ is commutative)

Even if not explicitly stated, we will only consider abelian groups in the
following.


Groups and Residue Classes

Examples of groups

Examples
The following sets are groups:
Z, with the addition operation
For any integer n, nZ = {nz : z ∈ Z}, with the addition operation
{−1, +1}, with the product operation
Z_n = {0, ..., n − 1}, with the modular addition operation

Examples
The following sets are not groups:
The set of positive integers, with the addition operation
Z, with the product operation


Groups and Residue Classes

Usage of Groups in Cryptography

Examples
Some groups are often used in cryptography:
For a prime p, the set Z*_p = {1, ..., p − 1}, with the modular product operation
For an integer n, the set Z*_n = {a such that gcd(a, n) = 1}, with the modular
product operation
Groups defined on elliptic curves


Groups and Residue Classes

Group Order
Definition
The order of a finite group is defined as the number of elements it contains. If
the group is infinite, it is said to have infinite order.

Examples
(Z, +) is a group of infinite order
(Z_n, +) is a group of finite order n
(Z*_p, ·) is a group of finite order p − 1 (for any prime p)

Subgroups of Z*_p
For cryptography, we are notably interested in subgroups of Z*_p, for a prime p.
Let q be a large prime such that q divides p − 1.
Then, there exists a unique subgroup of Z*_p of order q.


Groups and Residue Classes

Residue Classes modulo n

Definition
The equivalence class for the relation "· ≡ · (mod n)" containing the integer a
is called the residue class of a modulo n.
It is denoted by [a]_n (or [a]).

[a]_n = a + nZ := {a + nz : z ∈ Z}

Definition
Any integer a is called a representative of its own residue class.

There exist exactly n residue classes modulo n, which are [a]_n for all
a = 0, ..., n − 1.


Groups and Residue Classes

Residue Classes modulo n

Definition
Z_n is defined as the set of all residue classes modulo n.

Definition
Z*_n is defined as the set of all residue classes which are invertible modulo n.

Example
Z*_10 = {1, 3, 7, 9} (more rigorously, Z*_10 = {[1]_10, [3]_10, [7]_10, [9]_10})


Euler’s and Fermat’s Theorems

Euler's Φ Function

Definition
Euler's function Φ(n) is defined as the number of elements of Z*_n.

Φ(n) is also the number of integers in {0, ..., n − 1} which are coprime to n.

Examples
Φ(1) = 1, Φ(2) = 1, Φ(3) = 2, Φ(4) = 2, Φ(15) = 8

Theorem
For every positive integer n,
Σ_{d | n} Φ(d) = n


Euler’s and Fermat’s Theorems

Euler's Φ Function

Theorem
For any coprime positive integers n and m: Φ(nm) = Φ(n) · Φ(m)

Theorem
For any prime p and any positive integer e: Φ(p^e) = p^(e−1) (p − 1),
and in particular: Φ(p) = p − 1

Theorem
If n = p_1^(e_1) ··· p_r^(e_r) is the factorisation of n into a product of prime powers, then
Φ(n) = ∏_{i=1}^{r} p_i^(e_i − 1) (p_i − 1) = n ∏_{i=1}^{r} (1 − 1/p_i)


Euler’s and Fermat’s Theorems

Euler’s Theorem

Definition
Let n be a positive integer, and a an integer coprime to n. The least integer
k > 0 such that
a^k ≡ 1 (mod n)
is called the multiplicative order of a modulo n.

Euler's theorem
For any positive integer n, and any integer a coprime to n:

a^Φ(n) ≡ 1 (mod n).

In particular, the multiplicative order of a modulo n divides Φ(n).


Euler’s and Fermat’s Theorems

Fermat's Little Theorem

Fermat's little theorem is a particular case of Euler's theorem:

Fermat's little theorem

For any prime p and any integer a ≢ 0 (mod p),

a^(p−1) ≡ 1 (mod p).

Also, for any integer a,

a^p ≡ a (mod p).


Primitive Roots

Primitive Roots
Definition
For any positive integer n, an integer a coprime to n is called a primitive root
modulo n if its multiplicative order modulo n is equal to Φ(n).

Definition
If there exists a primitive root a of Z*_n, then the subgroup
⟨a⟩ := {a^i : i = 0, ..., Φ(n) − 1} generated by a is Z*_n itself.
In that case Z*_n is said to be cyclic.

Theorem
The only positive integers n for which there exists a primitive root modulo n
are:
n = 1, 2, 4, p^e, 2p^e
where p is an odd prime, and e is a positive integer.
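An added Python example (mine, not from the slides) that checks the Φ formulas, Euler's and Fermat's theorems and the primitive-root characterisation above on small moduli; the trial-division factorisation and the brute-force order search are my own choices and only suit small n.

```python
from math import gcd

def factorise(n):
    """Prime factorisation by trial division (fine for small n): {p: e}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def units(n):
    """Z*_n as the representatives in {0, ..., n-1} coprime to n."""
    return [a for a in range(n) if gcd(a, n) == 1]

def phi(n):
    """Euler's Phi from the product formula Phi(n) = prod p^(e-1) (p-1)."""
    result = 1
    for p, e in factorise(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result

def multiplicative_order(a, n):
    """Least k > 0 with a^k = 1 (mod n); defined only when gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    k, x = 1, a % n
    while x != 1 % n:          # '1 % n' keeps the degenerate case n = 1 correct
        x, k = (x * a) % n, k + 1
    return k

def euler_theorem_holds(n):
    """a^Phi(n) = 1 (mod n) for all a in Z*_n (Fermat's little theorem if n is prime)."""
    return all(pow(a, phi(n), n) == 1 % n for a in units(n))

def primitive_roots(n):
    """Elements of Z*_n of order Phi(n); empty exactly when Z*_n is not cyclic."""
    return [a for a in units(n) if multiplicative_order(a, n) == phi(n)]

def has_primitive_root_by_theorem(n):
    """The slide's characterisation: n = 1, 2, 4, p^e or 2 p^e with p an odd prime."""
    if n in (1, 2, 4):
        return True
    f = factorise(n)
    odd_primes = [p for p in f if p != 2]
    return len(odd_primes) == 1 and f.get(2, 0) <= 1

def characterisation_agrees(limit):
    """Brute force (primitive_roots) versus the theorem for every n up to limit."""
    return all(bool(primitive_roots(n)) == has_primitive_root_by_theorem(n)
               for n in range(1, limit + 1))
```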


Asymptotic Notations

Asymptotic Notations

Definitions
Let f and g be two real functions (with g(x) > 0 for all sufficiently large x).

f = O(g) means that there exists a positive constant c such that
|f(x)| ≤ c g(x) for all sufficiently large x.
f = Ω(g) means that there exists a positive constant c such that
f(x) ≥ c g(x) for all sufficiently large x.
f = Θ(g) means that there exist two positive constants c and d such that
c g(x) ≤ f(x) ≤ d g(x) for all sufficiently large x.
f = o(g) means that f(x)/g(x) → 0 when x → ∞.
f ∼ g means that f(x)/g(x) → 1 when x → ∞.


Asymptotic Notations

Asymptotic Notations

Example
f(x) = x², g(x) = 2x² − x + 1:
f = Θ(g) (both O(g) and Ω(g))

Example
f(x) = x², g(x) = x² − 2x + 1:
f ∼ g

Example
f(x) = 1000x², g(x) = x³:
f = o(g)


Algorithmic Complexity

Polynomial Time Algorithm

Definitions
An algorithm is said to execute in polynomial time if its worst-case execution
time (as a function of the size n of its input) is O(n^k) for some integer k.

Polynomial time algorithms are usually considered efficient, but...

The polynomial degree as well as the constants hidden by the O notation may
be significant:
compare an O(n^100) algorithm (which is polynomial time) with an O(n^(ln ln n)) one
(which is not).
In cryptography the average complexity is often more relevant than the
worst-case complexity:
a cryptanalysis must be difficult on average, and not only for a few isolated
instances.
While asymptotically efficient, a polynomial time algorithm may not be faster
than a non-polynomial time one on small inputs.


Arithmetic on Integers

Complexity of Arithmetic on Integers

Theorem
Let a and b be two integers.
One can compute a + b and a − b in time O(log(a) + log(b)).
One can compute a · b in time O(log(a) log(b)).
If b ≠ 0, one can compute the quotient q := ⌊a/b⌋ and the remainder
r := a mod b in time O(log(b) log(q)).

Theorem
Let n > 0 be an integer, and a, b ∈ Z_n.
(a + b) mod n and (a − b) mod n can be computed in time O(log(n)).
(a · b) mod n can be computed in time O(log(n)²).
a^k mod n can be computed in time O(log(k) log(n)²) (for k a positive integer).


Bezout’s Theorem

Bezout’s Theorem

Bezout's Theorem
Let a and b be two positive integers, and let d := gcd(a, b).
There exist two unique integers s and t satisfying as + bt = d.

The basic Euclid's algorithm computes:

d = gcd(a, b).

The extended Euclid's algorithm also finds s and t satisfying:

as + bt = d = gcd(a, b).


Basic Algorithm

Basic Euclid’s Algorithm

Given two positive integers a and b (say, a ≥ b), one wishes to compute:

d = gcd(a, b).

If b = 0, then gcd(a, 0) = a.
If b > 0, consider the division of a by b (with quotient and remainder):

a = bq + r (0 ≤ r < b).

Any common divisor of a and b is also a common divisor of b and r (and
conversely).
The key relation gcd(a, b) = gcd(b, a mod b) reduces the initial
problem to a smaller one.
By repeatedly reducing a_i modulo b_i, one eventually obtains the greatest
common divisor of a and b once b_i = 0.


Basic Algorithm

Euclid’s Algorithm

Example
procedure Euclid(a, b)
    r ← a; r′ ← b
    while r′ ≠ 0 do
        r″ ← r mod r′
        (r, r′) ← (r′, r″)
    end while
    d ← r
    return d
end procedure

Trace for a = 4864, b = 3458 (values after each iteration):

r″     r     r′
-      4864  3458
1406   3458  1406
646    1406  646
114    646   114
76     114   76
38     76    38
0      38    0

gcd(4864, 3458) = 38.


Basic Algorithm

Euclid’s Algorithm

Exercises
1. Compute gcd(4864, 1216).
2. Compute gcd(4864, 419).

Answers
1. gcd(4864, 1216) = 1216.
2. gcd(4864, 419) = 1.

Theorem
Let a and b be two integers.
gcd(a, b) can be computed in time O(log(a) log(b))! (only theoretically)


Extended Algorithm

Extended Euclid’s Algorithm

procedure ExtendedEuclid(a, b)
    r ← a; r′ ← b
    s ← 1; s′ ← 0
    t ← 0; t′ ← 1
    while r′ ≠ 0 do                ▷ Invariants: as + bt = r and as′ + bt′ = r′
        q ← ⌊r/r′⌋; r″ ← r mod r′
        (r, s, t, r′, s′, t′) ← (r′, s′, t′, r″, s − s′q, t − t′q)
    end while
    d ← r
    return (s, t, d)               ▷ Returns (s, t, d) such that as + bt = d = gcd(a, b)
end procedure


Extended Algorithm

Extended Euclid’s Algorithm (example)

Example

q   r″      s     t     r     r′     s′     t′
-   -       1     0     4864  3458    0      1
1   1406    0     1     3458  1406    1     -1
2   646     1    -1     1406  646    -2      3
2   114    -2     3     646   114     5     -7
5   76      5    -7     114   76    -27     38
1   38    -27    38     76    38     32    -45
2   0      32   -45     38    0     -91    128

gcd(4864, 3458) = 38 and (4864)(32) + (3458)(−45) = 38.


Extended Algorithm

Modular Inverse Computation


Inverses modulo n can be computed by means of the extended Euclid's
algorithm.
Indeed, for any integer x coprime to n, executing the algorithm with inputs
a ← x and b ← n provides s and t satisfying:

xs + nt = 1.

s is such that xs ≡ 1 (mod n), so it is the inverse of x modulo n.

Exercises
1. Compute 3458⁻¹ (mod 4864)
2. Compute 1013⁻¹ (mod 4864)

Answers
1. 3458⁻¹ (mod 4864) does not exist since gcd(4864, 3458) = 38 ≠ 1.
2. 1013⁻¹ (mod 4864) = 605. (605 · 1013 = 612865 = 126 · 4864 + 1)
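The Euclid slides and the exercises above, as an added Python example (mine, not the course's code): the basic algorithm, the extended algorithm with the slide's invariants, a trace that reproduces the table row by row, and the modular inverse with the gcd ≠ 1 case of the first exercise handled.

```python
def euclid(a, b):
    """Basic Euclid's algorithm: use gcd(a, b) = gcd(b, a mod b) until the remainder is 0."""
    r, r1 = a, b                      # (r, r') on the slide
    while r1 != 0:
        r, r1 = r1, r % r1            # r'' = r mod r'; then (r, r') <- (r', r'')
    return r

def extended_euclid(a, b):
    """Returns (s, t, d) with a*s + b*t = d = gcd(a, b).
    Loop invariants, as on the slide: a*s + b*t == r and a*s1 + b*t1 == r1."""
    r, r1, s, s1, t, t1 = a, b, 1, 0, 0, 1
    while r1 != 0:
        q = r // r1
        r, r1 = r1, r - q * r1        # r - q*r1 is r mod r1
        s, s1 = s1, s - q * s1
        t, t1 = t1, t - q * t1
    return s, t, r

def extended_euclid_trace(a, b):
    """One row (q, r'', s, t, r, r', s', t') per iteration, matching the slide's table
    (the values after the tuple assignment)."""
    rows = []
    r, r1, s, s1, t, t1 = a, b, 1, 0, 0, 1
    while r1 != 0:
        q, r2 = divmod(r, r1)
        r, s, t, r1, s1, t1 = r1, s1, t1, r2, s - s1 * q, t - t1 * q
        rows.append((q, r2, s, t, r, r1, s1, t1))
    return rows

def bezout_holds(a, b):
    """Sanity check of the invariant at exit: a*s + b*t == d == gcd(a, b)."""
    s, t, d = extended_euclid(a, b)
    return a * s + b * t == d == euclid(a, b)

def mod_inverse(x, n):
    """x^-1 mod n as the representative in {0, ..., n-1}; None when gcd(x, n) != 1,
    which is the case the first exercise above runs into."""
    s, _, d = extended_euclid(x, n)
    return s % n if d == 1 else None
```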
