Modular Arithmetic

Let a, b ∈ Z. Then a is said to be congruent to b modulo n, denoted by a ≡ b (mod n) if n divides (a − b). The integer n is called the modulus of the congruence.

The integer modulo n, denoted Z_n is the set of integers {0, 1, . . . , n − 1}. Addition, subtraction, and multiplication in Z_n are performed modulo n. The multiplicative inverse of a modulo n is an integer x ∈ Z_n such that ax ≡ 1 (mod n). If such an x exists, then it is unique, and a is said to be invertible, or a unit. The multiplicative inverse of a is denoted by a⁻¹. Let Z^∗_n= {a ∈ Z_n| gcd(a, n) = 1}. If n is prime, then Z^∗_n = {a|1 ≤ a ≤ n − 1}. Note that (Z_n, +) and (Z^∗_n, ∗) are abelian groups.

In the following, we first present important definitions and facts about modu-lar arithmetic. Then we describe several tractable problems that can be solved in polynomial time.

Definitions and Facts

Definition 2.2.7. Let n be a positive integer. The Euler phi function or the Euler totient function φ(n) is defined to be the number of positive integers not exceeding n which are relatively prime to n.

Definition 2.2.8. Let a and n be relatively prime positive integers. Then, the least positive integer x such that a^x ≡ 1 (mod n) is called the order of a modulo n, denoted by ord_na.

Definition 2.2.9. If g and n are relatively prime integers with n > 0 and if ordng = φ(n), then g is called a primitive root modulo n.

Definition 2.2.10. Let n ∈ N and a ∈ Z. We say that a is a quadratic residue modulo n if a 6≡ 0 (mod n) and the congruence x² ≡ a (mod n) has a solution x ∈ Z. If a 6≡ 0 (mod n) and the congruence x² ≡ a (mod n) has no solution, we say that a is a quadratic nonresidue modulo n.

In most cases, we are only interested in the quadratic residues a which are rela-tively to the modulus n. decomposition of n into primes. Let a ∈ Z. Then

³ a

is called the Jacobi symbol of a mod n.

Definition 2.2.14. A universal exponent of the positive integer n is a positive integer U such that

a^U ≡ 1 (mod n) for all integers a relatively prime to n.

Definition 2.2.15. The least universal exponent of the positive integer n is called the minimal universal exponent of n, denoted by λ(n).

Fact 2.2.11 (Chinese Remainder Theorem). Let m1, m2, . . . , mn be positive

Assume k is the length of every modulus. The computational complexity of apply-ing the Chinese remainder theorem is OB(M(kn) log(n)) + OB(nM(k) log(k)), where M(x) is the time of multiplying two x bit integers, and O_B indicates order of magni-tude in bit operations [2, Theorem 8.21].

Fact 2.2.12. Simultaneous congruences

where Euler’s constant γ = 0.5772 . . .. This inequality implies, for example, that φ(n) > n

6 log₁₀(log₁₀(n)), for n ≥ 1.3 × 10⁶.

Fact 2.2.14 (Fermat’s Little Theorem). If p is a prime and p does not divide a ∈ Z, then

a^p−1 ≡ 1 (mod p).

Fact 2.2.15 (Euler’s Theorem). Let n ∈ N and a ∈ Z. If gcd(a, n) = 1, then a^φ(n) ≡ 1 (mod n).

Fermat’s little theorem and Euler’s theorem are special cases of Fact 2.2.6.

Fact 2.2.16. Suppose that g and n are relatively prime with n > 0. Then gⁱ ≡ g^j (mod n) if and only if i ≡ j (mod ord_ng).

Fact 2.2.17. The positive integer n possesses a primitive root if and only if n = 2, 4, p^t, or 2p^t,

where p is an odd prime and t is a positive integer.

Fact 2.2.18. If the positive integer n has a primitive root, then it has a total of φ(φ(n)) incongruent primitive roots.

Fact 2.2.19. Let p be a prime. Then Z^∗_p is cyclic, and the number of generators is φ(p − 1).

Fact 2.2.20. Let p be a prime. Then x ∈ Z^∗_p is a primitive root if and only if x^(p−1)/q 6≡ 1 (mod p) for every prime q|p − 1.

Fact 2.2.21. Let p be a prime > 2 and g ∈ Z^∗_p be a primitive root of Z^∗_p. Let a ∈ Z^∗_p. Then a ∈ QR_p if and only if a ≡ g^t (mod p) for some even number t, 0 ≤ t ≤ (p − 2).

Furthermore, exactly half of the elements of Z^∗_p are quadratic residues, i.e., |QRp| =

|QNR_p| = (p − 1)/2.

Fact 2.2.22 (Euler’s Criterion). Let p be a prime > 2 and a ∈ Z. Then µa

p

¶

≡ a^(p−1)/2 mod p.

Euler’s criterion can be generalized to the kth residuosity as follows.

Fact 2.2.23. A number a is an eth residue of Z^∗_p if and only if a^(p−1)/d ≡ 1 (mod p), where d = gcd(e, p − 1).

Fact 2.2.24 ([6, 98]). Let n = p₁p₂, where p₁ 6= p₂, p₁ = 2q₁+ 1, p₂ = 2q₂+ 1, and p₁, p₂, q₁, q₂ are all prime numbers. Then the following holds.

1. The order of g₀ ∈ Z^∗_n is equal to q₁q₂ or 2q₁q₂ if and only if gcd(g₀+ 1, n) = 1 and gcd(g₀− 1, n) = 1.

2. For any g₀ such that gcd(g₀+ 1, n) = 1 and gcd(g₀− 1, n) = 1, hg²₀i ⊂ Z^∗_n is a cyclic subgroup of order q₁q₂.

Fact 2.2.25. Let M be a positive integer with odd prime factorization M = p1p2· · · pn. Then the following holds.

1. λ(M) = lcm(φ(p₁), φ(p₂), . . . , φ(p_n)).

2. There exists an integer g such that ord_Mg = λ(M), the largest possible order of an integer modulo M.

3. Let r_i be a primitive root modulo p_i. The solution of simultaneous congruences x ≡ r_i (mod p_i), i = 1, 2, . . . , n, produces such an integer g.

The above fact implies that if M is a product of large primes pi = 2qi+ 1 where qi

are also primes, then there exists a g whose order contains large prime factors. The reason is that

λ(M) = lcm(p₁− 1, p₂− 1, . . . , p_n− 1) = 2q₁q₂· · · q_n. (2.1)

Tractable Problems in Z_n

As in Z, basic group operations in Z_n can be performed efficiently, i.e., in time polynomial in the group size. Let n be an integer and k = blog₂(n)c + 1. By the ordinary method, the numbers of bit operations for the computations of (a+b) mod n and (a − b) mod n are O(k), whereas the number of bit operations for (a · b) mod n is O(k²). Modular inversion a⁻¹ mod n can be computed in O(k²) using the extended

Euclidean algorithm. Modular exponentiation a^tmod n can be performed with at most 2 · |t| modular multiplications using the repeated squaring method. Hence, an exponentiation in Z^∗_n can be computed in O(k³).

There are hardware implementations for performing modular multiplication fast.

In particular, Norris and Simmons use the concept of delayed-carry adders to produce a hardware modular multiplier which computes the product of two t-bit operands modulo a t-bit modulus in 2t clock cycles [172]. Brickell improves the idea to produce a modular multiplier requiring only t + 7 clock cycles [32]. Enhancements of Brickell’s method are given by Walter [218]. Ko¸c provides a comprehensive survey of hardware methods for modular multiplication [133].

We now present several number-theoretic problems that can be solved in proba-bilistic polynomial time. Let p is prime. First, consider computations in Z_p. The following problems is tractable.

1. Finding a primitive root modulo p when the prime factors of p − 1 are known.

By Fact 2.2.20, we can use the following algorithm to obtain a primitive root modulo p.

Algorithm 2.2.1.

input: prime p

output: a primitive root modulo p

1. Randomly choose an integer g, with 0 < g < p − 1 2. if g^(p−1)/q 6≡ 1 (mod q) for all primes q dividing p − 1.

3. then output g 4. else go to 1 Because

φ(p − 1) > (p − 1)

6 log₁₀(log₁₀(p − 1)),

the expected iteration to find a primitive root is O(log₁₀(log₁₀(p))). Note that if the prime factors of p − 1 are not known, no efficient algorithms are known for the generation of primitive roots.

2. Testing whether an element is a quadratic residue modulo p.

The problem is called the quadratic residuosity problem and can be solved by Euler’s criterion.

3. Testing whether an element is an eth residue modulo p.

The problem is called eth residuosity problem and can be solved by Fact 2.2.23.

4. Computing the eth root modulo p when gcd(e, p − 1) = 1.

The problem is called eth root problem. When gcd(e, p − 1) = 1, a^e−1 mod p is a e’th root of a modulo p, where e⁻¹e ≡ 1 (mod p − 1).

5. Computing square roots of a quadratic residue in Z_p.

Because gcd(2, p − 1) 6= 1, computing the square root is not easy. We do not know any polynomial-time algorithm that computes a^1/2mod p deterministi-cally. Nevertheless, there exits a probabilistic polynomial-time algorithm that does it. We describe the algorithm as follows.

Algorithm 2.2.2.

input: (a, p), where a ∈QR_p and p is an odd prime output: a^1/2mod p

1. if p ≡ 3 mod 4

2. then output a(p+1) div 4 mod p 3. else

4. randomly choose b ∈ QNR_p 5. i ← (p − 1) div 2; j ← 0 6. repeat

7. i ← i div 2; j ← j div 2 8. if aⁱb^j ≡ −1 mod p

9. then j ← j + (p − 1) div 2 10. until i ≡ 1 (mod 2)

11. output a(i+1) div 2b^{j div 2} mod p

Suppose p ≡ 1 mod 4. Let (p − 1)/2 = 2<sup>`</sup>r, with r odd and ` ≥ 1. The above algorithm randomly chooses a quadratic nonresidue b ∈ QNR_p and then finds an exponent s such that a^rb^2s = 1. Therefore, a^r+1b^2s = a and a^(r+1)/2b^s is a square root of a. To get a quadratic nonresidue we can randomly choose an element b of Z^∗_p and test by Euler’s criterion whether b is a nonresidue. Because half of the elements in Z^∗_p are nonresidues, we expect to get a nonresidue after two random choices. Moreover s is obtained in ` steps.

6. Determining the order of a group element when the prime factorization of the group order is known.

By Fact 2.2.8, we can use the following algorithm to find the order of a group element a modulo p efficiently.

Algorithm 2.2.3.

input: prime p, an element a ∈ Z^∗_p, and the prime factorization p − 1 = p^e₁¹p^e₂²· · · p^e_k^k

output: the order of a 1. t ← p − 1

2. for i = 1 to k do

3. while a^t/pi ≡ 1 (mod p) do 4. t ← t/p_i

5. output t

Let n be a composite number. Consider computations in Z_n. The following problems are believed to be hard if the factorization of n is unknown but become tractable if the opposite is true.

1. Testing if an element is a quadratic residue in Zn. 2. Computing the square root of a quadratic residue in Z_n.

This is provably as hard as factoring n. Assume n = pq. When the factorization of n = pq is known, we compute the square root of a ∈ Z^∗_n by first computing the square root in Zp of a mod p and the square root in Zq of a mod q and then using the Chinese remainder theorem to obtain roots of x in Z_n.

3. Computing eth roots modulo n when gcd(e, φ(n)) = 1.

Suppose n = pq. Then the problem is the so-called RSA problem. φ(n) can be found by factoring n. Thus, if factoring is easy, then so is the RSA problem.