Application: The RSA Function

Three Easy Applications

• The inverse of a in (Z^∗_p,×) is a^p−2 mod p.

– a^p−2a = a^p−1 ≡ 1 mod p by Fermat’s “little”

theorem.

• 3 | (n² − 1) when 3  | n.

– The number 3 is a prime.

– By Fermat’s “little” theorem,

n³⁻¹ = n² ≡ 1 mod 3.

Three Easy Applications (concluded)

• a^pn−pn−1 ≡ 1 mod pⁿ for odd prime p and gcd(a, p) = 1.

– By Euler’s theorem (p. 862) and Theorem 61 (p.

423),

1 ≡ a^φ(pn) ≡ a^pn−pn−1 mod pⁿ.

Application: The RSA Function

• Let n = pq, where p and q are distinct odd primes.

• Then

φ(n) = (p − 1)(q − 1) by Theorem 61 (p. 423).

• Let e be an odd integer relatively prime to φ(n).^b

• The RSA function is defined as

E(x) = x^e mod n, where gcd(x, n) = 1.

aRivest, Shamir, & Adleman (1978).

Adi Shamir, Ron Rivest, and Leonard Adleman

Encryption Using the RSA Function

• The RSA function is a good candidate for the encryption of message x.

• The number e is called the encryption key.

• The prime number theorem (p. 160) guarantees an abundance of primes.

Decryption and Trapdoor Information

• To be useful, an efficient algorithm must exist to recover x from E(x).

• But this is an open problem (so far).

• The way out is the existence of the trapdoor

information not available to others except the receiver.

• A candidate is the factorization of n.

– Factorization is believed to be hard.^a

aNumbers can be factorized efficiently by Shor’s (1994) quantum al- gorithm.

Inversion of the RSA Function

• Let d be the inverse of e modulo φ(n), that is, ed = 1 mod φ(n).

• Because gcd(e, φ(n)) = 1, such d exists.

– d can be found by the extended Euclidean algorithm (p. 802).

• By Euler’s theorem (p. 862), the encrypted message y = E(x) can be decrypted by^Δ

y^d = (x^e)^d = x^ed = x^1+kφ(n) = xx^kφ(n) = x mod n.

• So the decryption function is

d

Sophie Germain Primes

• How many e’s are there such that gcd(e, φ(n)) = 1?

• The density of numbers between 1 and φ(n) that satisfy the above condition is^a

φ(φ(n))

φ(n) = φ((p − 1)(q − 1)) (p − 1)(q − 1) .

aThe 5th edition of Grimaldi’s Discrete and Combinatorial Mathe- matics errs with φ(n)/n on p. 760.

Sophie Germain Primes (concluded)

• Suppose p = 2p^ + 1 and q = 2q^ + 1, where p^, q^ are also primes.

– Such primes are called Sophie Germain primes.

• The density becomes φ(4p^q^)

(p − 1)(q − 1) = 2(p^ − 1)(q^ − 1)

4p^q^ ≈ 1 2.

Sophie Germain (1776–1831)

• A French mathematician.

• Gauss on Germain: “But when a person of the sex which, according to our customs and prejudices, must encounter infinitely more difficulties than men to

familiarize herself with these thorny researches, succeeds nevertheless in surmounting these obstacles and

penetrating the most obscure parts of them, then

without doubt she must have the noblest courage, quite extraordinary talents and superior genius.”

• http://www.pbs.org/wgbh/nova/proof/germain.html.

Second Corollary of Lagrange’s Theorem

Corollary 128 Every group of prime order is cyclic.

• Pick any element a = e of the group G.^a

• Note that o(a) > 1.

• As o(a) also divides | G |,^b a prime number, o(a) = | G |.

• This implies that every b ∈ G must be of the form a^k for some k ∈ Z.

aBecause a group of prime order has at least 2 elements, such an a exists.

bSee Corollary 124 (p. 859).

Criterion for Generators

• The computational problem of verifying if g is a generator is believed to be hard without the

factorization of | G |.

• Exhaustive testing is too slow, taking O(| G |) time.

• A better algorithm is based on the next corollary, assuming the factorization of | G | is available.

Third Corollary of Lagrange’s Theorem

Corollary 129 Let G be a finite cyclic group with prime factorization of its order m = p^a₁¹p^a₂² · · · p^a_nⁿ. Then g ∈ G is a generator of G if and only if

g^m/pi = e (106)

for i = 1, 2, . . . , n.

• Define mi Δ

= m/p_i.

• Hence

m_i = p^a₁¹p^a₂² · · · p^a_iⁱ⁻¹ · · · p^a_nⁿ.

• Suppose g is a generator.

The Proof (continued)

• Because o(g) = m, g^m/pi = e for all i.

• Conversely, assume inequality (106).

• We proceed to show that g must be a generator.

• Let o(g) = j so g^j = e.

• Because j divides m by Lagrange’s theorem (p. 855), m = dj for some d ≥ 1.

The Proof (concluded)

• Let

j = p^b₁¹p^b₂² · · · p^b_nⁿ, where 0 ≤ bi ≤ ai for i = 1, 2, . . . , n.

• What if j < m?

• Then bi < a_i for some i.

• But then j divides mi.

• This implies that g^mi = e, contradicting inequality (106).

• We must conclude that j = m and g is a generator.

Algorithm for Testing If g Is a Generator of G

1: m := p^a₁¹p^a₂² · · · p^a_nⁿ;

2: for i = 1, 2, . . . , n do

3: if g^m/pi = e then

4: return “g is not a generator”;

5: end if

6: end for

7: return “g is a generator”;

• Note that n = O(log₂ m).

• So the number of steps is polynomial in log₂ m.

• In contrast, the exhaustive method takes m steps.

Number of Generators in Finite Cyclic Groups

Lemma 130 Let G be a finite cyclic group with order m and g be a generator of G. Then the generators are

gⁱ,

where 1 ≤ i < m and gcd(i, m) = 1. Hence the number of generators is φ(m), Euler’s phi function (p. 423).

• Suppose 1 ≤ i < m is relatively prime to m.

• Let j = o(gⁱ).

• So g^ij = e.

• As g is a generator, m divides ij by Lemma 117 (p. 840).

The Proof (concluded)

• As m cannot divide i by assumption, m divides j.

• As 1 ≤ j ≤ m, we must have j = m and gⁱ is a generator.

• Next assume 1 ≤ i < m but gcd(i, m) = d > 1.

• Define j = m/d.

• Now, 0 < j < m.

• By the Fermat-Euler theorem (p. 860),

(gⁱ)^j = g^ij = g^im/d = g^(i/d)m = (g^m)^i/d = e.

• So gⁱ is not a generator.

Number of Generators in (Z

, ×), If Any

Theorem 131 If (Z^∗_n,×) has a generator, then it has φ(φ(n)) generators.^a

• Recall Euler’s phi function (p. 423).

• If (Z^∗n,×) has a generator, then it is a finite cyclic group.

• Lemma 130 (p. 880) then implies the theorem.

aA common mistake is to answer φ(n). Is it easy to calculate φ(φ(n)) even if one knows the factorization of n?

Powers of a Generator in (Z

, ×)

Corollary 132 Suppose (Z^∗_n,×) has a generator g. Then gⁱ is a generator if and only if gcd(i, φ(n)) = 1. Furthermore, there are no other generators.

• (Z^∗_n,×) is a finite cyclic group with order φ(n).

• Lemma 130 (p. 880) then implies the claim.

F

• Let (F, +, ·) be a finite field.

• (F − { 0 }, ·) is an abelian group by the definition of ring.^a

• Define

F^{∗ Δ}= (F − { 0 }, ·),

the multiplicative group of the nonzero elements of F .

aRecall p. 769.

“Order Statistics”

Lemma 133 If F is a finite field and d divides | F^∗ |, then φ(d) elements of F^∗ have order d.

• Let q =^Δ | F^∗ |.

• Assume q ≥ 3 without loss of generality.

• Let oi ≥ 0 denote the number of elements of F with order i.

• By Corollary 124 (p. 859), the order of an element must divide q.

• Hence oi = 0 if i is not a divisor of q.

The Proof (continued)

• As every element of F^∗ has a finite order by Lemma 118 (p. 841),



d| q

o_d = q.

• But Theorem 62 (p. 429) says



d| q

φ(d) = q.

• So it suffices to show

o_d ≤ φ(d)

The Proof (concluded)

• Let d divide q.

• If od > 0, then

o_d = φ(d) by Lemma 130 (p. 880).

• Hence od ≤ φ(d).

F

Is Cyclic

Theorem 134 If F is a finite field, then F^∗ is a cyclic group with φ(| F^∗ |) generators.

• F^∗ has φ(| F^∗ |) generators by Lemma 133 (p. 885).

• But φ(| F^∗ |) ≥ 1.

Group Homomorphism and Isomorphism

• Let (G, ◦) and (H, ◦^) be 2 groups.

• A function f : G → H is a homomorphism if f (x ◦ y) = f(x) ◦^ f (y)

for all x, y ∈ G.

• It is called an epimorphism if f is onto.

• It is called an isomorphism if f is a bijection.

• An isomorphism is called an automorphism if G = H.

Group Homomorphism and Isomorphism (concluded)

• G and H are said to be isomorphic (written as G ∼= H) if an isomorphism exists between them.

• Isomorphic groups have the same multiplication table (up to relabeling by f ).

• When ambiguity is an issue,

– Write e_G for the identity of G.

– Write e_H for the identity of H.

All Cyclic Groups Are Isomorphic

Lemma 135 Cyclic groups of the same order are isomorphic.

• Let G = (g, ◦g) and H = (h, ◦h) be 2 cyclic groups of the same order.

• Define f : G → H by f(gⁱ) = hⁱ.

• For all x = gⁱ ∈ G and y = g^j ∈ G,

f (x ◦g y) = f (g^i+j) = h^i+j = hⁱ ◦h h^j = f (x) ◦h f (y).

• f is a one-to-one correspondence between G and H because f (g) = h clearly generates H.

All Cyclic Groups Are Isomorphic (concluded)

Corollary 136 Every cyclic group of order n > 1 is isomorphic to (Zn, +).

• (Zn, +) is a cyclic abelian group.^a

• Lemma 135 (p. 891) then implies this corollary.

aRecall p. 839.

Permutations

• Let function f : { 1, 2, . . . , n } → { 1, 2, . . . , n } be one-to-one and onto.

• f must be a permutation of { 1, 2, . . . , n }.

• Write f as

⎛

⎝ 1 2 · · · n

f(1) f(2) · · · f(n)

⎞

⎠

– I =

⎛

⎝ 1 2 · · · n 1 2 · · · n

⎞

⎠, the identity permutation.

aLagrange (1770); Ruffini (1799); Cauchy (1815). Recall p. 433.

Permutations (concluded)

• So permutations are functions.

• We are mainly interested in permutations of a finite set.

Permutation Groups

• Let f and g be two permutations of { 1, 2, . . . , n }.

• Then f ◦ g is defined as

⎛

⎝ 1 2 · · · n

g(f (1)) g(f (2)) · · · g(f(n))

⎞

⎠ . (107)

• Note that f is applied first.

• The alternative of applying g first is more consistent with function composition on p. 316.

• But our convention is more convenient in calculations.

• Either convention works.

Permutation Groups (continued)

• For example,_⎛

⎝ 1 2 3 4 2 3 4 1

⎞

⎠ ◦

⎛

⎝ 1 2 3 4 3 4 1 2

⎞

⎠ =

⎛

⎝ 1 2 3 4 4 1 2 3

⎞

⎠.

• In general, permutations can work on any finite set X, not just { 1, 2, . . . , n }.

– The X can even be a set of permutations.

• When a set of permutations forms a group under ◦, we have a permutation group.

• In general, ◦ is not abelian.

Permutation Groups (concluded)

• A key result of Cayley says every group is isomorphic to a permutation group!^a

• But the permutation perspective has one unique advantage over groups: Permutations are functions!

• Under this perspective, notations like g(x), x ∈ X, make sense for a group element g ∈ G that “acts on” X.

• This idea was used to construct interconnection networks for parallel computers.^b

aSee p. 919.

bAnnexstein, Baumslag, & Rosenberg (1990).

Permutation Group as a Multiplication Table

g₁ g₂ g₃ g₄ g₅ g₆

The Symmetric Group

• There are n! permutations of { 1, 2, . . . , n }.

• These permutations form a group (verify it).

– This group S_n is called the symmetric group of degree n.

• | Sn | = n!.

• Every permutation group is thus a subgroup of Sn.

• By Cayley’s result^a again, every group is a subgroup of a symmetric group.

• In general, SX denotes the set of all permutations of a set X.

Cycles

• Call a cycle (i₁ i₂ · · · im) an m-cycle, where i₁, i₂, . . . , i_m are distinct.

• It represents the permutation

⎛

⎝ i₁ i₂ i₃ · · · im−1 i_m other fixed points i₂ i₃ i₄ · · · i_m i₁ other fixed points

⎞

⎠ .

• The order of an m-cycle g is m because g^m = I,

the identity permutation.

Cycles (concluded)

• A 1-cycle is a fixed point.

• The inverse of a cycle:

(i₁ i₂ · · · im)⁻¹ = (i_m i_n−1 · · · i1).

– Because

(i₁ i₂ · · · im)(i_m i_m−1 · · · i1) = (i₁)(i₂)· · · (im).^a

aIn fact, (i_m i_m−1 · · · i1)(i₁ i₂ · · · im) = (i₁)(i₂)· · · (im), too (recall p. 818).

Cycle Decomposition of Permutations

• A permutation like

⎛

⎝ 1 2 3 4 5 3 4 1 2 5

⎞

⎠ can be represented as

(1 3)(2 4)(5).

• There are 3 disjoint cycles above.

• 5 is a fixed point; it is invariant under the permutation.

• Obviously, a permutation is a cycle or a product of disjoint cycles.

Cycle Decomposition of Permutations (concluded)

• Now,

(1 3)(2 4)(5) = (1 3)(2 4).

– So fixed points drop out.

• A cycle decomposition^a of a permutation is a product of disjoint cycles that contains a 1-cycle for every

invariant element.

• A cycle decomposition can be calculated efficiently.

aAlso called a complete factorization.

Another Cycle Decomposition

•

⎛

⎝ 1 2 3 4 5 6

2 3 1 5 4 6

⎞

⎠ = (1 2 3)(4 5)(6).

• There are 3 disjoint cycles above.

• Equivalent cycle decompositions:

(3 1 2)(5 4)(6), (4 5)(1 2 3)(6),

...

• The cycle decomposition is essentially unique.

Transpositions

• A 2-cycle is called a transposition.

• (1 2 3) = (1 2)(1 3).^a

• In general,

(i₁ i₂ · · · in) = (i₁ i₂)(i₁ i₃)· · · (i₁ i_n).

• So every permutation is a product of (not necessarily disjoint) transpositions.

aFrom left to right always.

Order of a Permutation

Theorem 137 Let g ∈ Sn. If g = g₁ · · · gm is a product of disjoint cycles,^a then

o(g) = lcm(r₁, r₂, . . . , r_m), where g_i is an r_i-cycle.

• We knew o(gⁱ) = r_i (p. 900).

• Suppose o(g) = M.

• Clearly,

g^M = (g₁ · · · gm)^M = g₁^M · · · g_m^M = I because the g_is are disjoint and hence commute.

aIt is not necessarily a cycle decomposition of g because 1-cycles may

Order of a Permutation (concluded)

• The disjointness of the gis implies g_i^M = I for each i.

• Then ri | M by Lemma 117 (p. 840) for i = 1, 2, . . . , m.

• Hence lcm(r₁, r₂, . . . , r_m)| M as well.

• But g^{lcm(r1,r2,...,rm)} = I.

– Trivially, r_i divides lcm(r₁, r₂, . . . , r_m).

– So

g^{lcm(r1,...,rm)} = g₁^{lcm(r1,...,rm)} · · · g_m^{lcm(r1,...,rm)} = I.

• Hence lcm(r1, r₂, . . . , r_m) = M .

Conjugates

• Let f and g be permutations of { 1, 2, . . . , n }.

• The permutation

g⁻¹ ◦ f ◦ g is called f ’s conjugate.

• Conjugacy is an equivalence relation (prove it!).

• Take f = (1 3)(2 4 7)(5)(6) and g = (2 5 6)(1 3 4)(7).

• Then

g⁻¹ ◦ f ◦ g

= (7)(4 3 1)(6 5 2)(1 3)(2 4 7)(5)(6)(2 5 6)(1 3 4)(7)

= (1 7 5)(2)(3 4)(6).

Conjugates (concluded)

• Interestingly,

(g(1) g(3))(g(2) g(4) g(7))(g(5))(g(6))

= (3 4)(5 1 7)(6)(2)

= (1 7 5)(2)(3 4)(6)

= g⁻¹f g.

• So we simply replaced every element in a cycle by its image under the conjugating permutation g.

• This is not an accident, as the next theorem shows.

Conjugate and Cycle Decomposition

Theorem 138 Let f and g be permutations of

{ 1, 2, . . . , n }. The conjugate g⁻¹ ◦ f ◦ g results by applying g to the symbols in the cycle decomposition of f .

• If f fixes i, then g⁻¹ ◦ f ◦ g fixes g(i) because (g⁻¹ ◦ f ◦ g)(g(i)) = g 

f 

g⁻¹(g(i))

= g(f (i)) = g(i).

• So the 1-cycle (i) in the cycle decomposition of f becomes the 1-cycle (g(i)) in that of g⁻¹ ◦ f ◦ g.

The Proof (continued)

• Now suppose f(i) = j.

• The cycle decomposition of f contains a cycle (i j . . .).

• Then g⁻¹ ◦ f ◦ g moves g(i) to (g⁻¹ ◦ f ◦ g)(g(i)) = g 

f 

g⁻¹(g(i))

= g(f (i)) = g(j).

• Hence the cycle decomposition of g⁻¹ ◦ f ◦ g contains the cycle

(g(i) g(j) . . .).

The Proof (concluded)

• So whenever f(i) = j, g⁻¹ ◦ f ◦ g moves g(i) to g(j) regardless of i = j or not.

• As g is a bijection, there are no more numbers to consider.

Isomorphism between Symmetric Groups of the Same Degree

All symmetric groups of the same order are isomorphic.

Lemma 139 If X and Y have the same cardinality, then S_X ∼= S_Y .

• Assume X = { x₁, x₂, . . . , x_n } and Y = { y₁, y₂, . . . , y_n }.

• We shall demonstrate an isomorphism ϕ from SX to S_Y .

• Let ψ : X → Y be any bijective function.

The Proof (continued)

• Pick any arbitrary permutation from SX:

f =^Δ

⎛

⎝ x₁ x₂ · · · x_n f (x₁) f (x₂) · · · f(xn)

⎞

⎠ .

• We choose the mapping ϕ : SX → SY that turns f into

f_ψ =^Δ

⎛

⎝ ψ(x₁) ψ(x₂) · · · ψ(x_n) ψ(f (x₁)) ψ(f (x₂)) · · · ψ(f(xn))

⎞

⎠ .

– Technically, ϕ(f ) = f_ψ.

• Note that fψ ∈ SY because ψ and f are bijective.

The Proof (continued)

• Let

f_ψ(y_i) = y_j.

• It is one of the columns of fψ.

• So there is an xi ∈ X such that y_i = ψ(x_i), y_j = ψ(f (x_i)).

• Hence

y_j = ψ  f 

ψ⁻¹(y_i)

. (108)

The Proof (continued)

• After sorting,

f_ψ

=

⎛

⎝ y₁ y₂ · · · y_n

ψ(f(ψ⁻¹(y₁))) ψ(f(ψ⁻¹(y₂))) · · · ψ(f(ψ⁻¹(y_n)))

⎞

⎠ .

• Alternatively,

ϕ(f ) = ψ ◦ f ◦ ψ⁻¹ by Eq. (108).

The Proof (continued)

• Pick any f1, f₂ ∈ SX.

• Then

ϕ(f1 ◦ f2)

=

 y₁ · · · y_n

ψ(f2(f1(ψ⁻¹(y1)))) · · · ψ(f2(f1(ψ⁻¹(yn))))



=

 y1 · · · y_n

ψ(f²(ψ⁻¹(ψ(f¹(ψ⁻¹(y¹)))))) · · · ψ(f²(ψ⁻¹(ψ(f¹(ψ⁻¹(yn))))))



= ϕ(f1) ◦ ϕ(f2).

• Hence ϕ is a homomorphism.

The Proof (concluded)

• To show that ϕ is an isomorphism, it remains to show that ϕ is one-to-one.

• But this is obvious because all functions we used are bijective.

Cayley’s Theorem

Theorem 140 Every finite group is isomorphic to a group of permutations.

• Let (G, ◦) be a finite group of order m, G = { g₁, g₂, . . . , g_m }.

• Define m distinct permutations by

π₁(g) = g ◦ g₁, π₂(g) = g ◦ g₂, . . . , π_m(g) = g ◦ gm.

• They are called (right) translations.^a

aThe proof also works if we use left translations: π_i(g) = g_i ◦ g.

The Proof (continued)

• Each πi postmultiplies every g ∈ G by gi:

π_i =

⎛

⎝ g₁ g₂ · · · g_m g₁ ◦ gi g₂ ◦ gi · · · gm ◦ gi

⎞

⎠ .

• It is easy to verify that πi is a permutation.

• Consider the permutation set (G^,◦^), where G^ = { π1, π₂, . . . , π_m }

and ◦^ denotes multiplication of permutations.^a

aRecall p. 895.

The Proof (continued)

• (G^,◦^) is a group (why?).

• We next show that (G, ◦) is isomorphic to (G^,◦^).

• Define f : G → G^ by

f (g_i) = π_i, i = 1, 2, . . . , m.

• Clearly, f is a one-to-one correspondence.

• Next we show that f is an isomorphism.

The Proof (concluded)

• Suppose gi ◦ gj = g_k.

• For each g ∈ G,

π_k(g) = g ◦ g^k = g ◦ (gⁱ ◦ g^j)

= (g ◦ gi) ◦ gj = π_i(g) ◦ gj

= π_j(π_i(g)) = (π_i ◦^ π_j)(g).

– Recall our convention on permutation composition (p. 895).

• As πk = π_i ◦^ π_j, it means

f (g_i ◦ gj) = f (g_k) = π_k = π_i ◦^ π_j = f (g_i) ◦^ f (g_j).