The structure of finite rings and finite exponentiation


Description: The structure of finite rings and finite exponentiation. The multiplicative residues. We have seen that the finite ring Z_p is a field, that is, every non-zero element of Z_p has a multiplicative inverse. (PowerPoint PPT presentation.)



The multiplicative residues

• We have seen that the finite ring Z_p is a field, that is, every non-zero element of Z_p has a multiplicative inverse.

• It is a convention to write Z_p* for the non-zero elements {1, 2, 3, ..., p-1}.

• Z_p* is the set of multiplicative residues modulo p.

Modular exponentiation

• Public key cryptography explores the properties of the exponentiation function in Z_p*.

• Defined as repeated multiplication:
– g^5 mod p := g * g * g * g * g mod p.

• To exponentiate by negative values, exponentiate the inverse:
– g^-3 := g^-1 * g^-1 * g^-1 mod p.

Exponent rules

• Addition/subtraction rules:
– g^k g^j = g^(k+j) in Z_n*
– g^k g^-j = g^(k-j) in Z_n*

• Multiplication rule:
– (g^k)^j = g^(kj) in Z_n*

Non-prime modulus

• If n is not prime, then not all non-zero elements are invertible.

• In this case, we write Z_n* for the invertible elements only.

• Examples:
– Z_14* = {1, 3, 5, 9, 11, 13}
– Z_15* = {1, 2, 4, 7, 8, 11, 13, 14}

Generators

• Consider the following:
– In Z_14* = {1, 3, 5, 9, 11, 13}:
• 3^2 = 9 mod 14; 3^3 = 13 mod 14; 3^4 = 11 mod 14; 3^5 = 5 mod 14; 3^6 = 1 mod 14.

• In Z_14* every element is a power of 3. We say that 3 is a generator.

• Do generators always exist?

Prime modulus

• If n is a prime, or twice a prime, then Z_n* always has a generator.
– We have already seen this for n = 14 = 2*7.

• Otherwise, generators do not exist.
– An important case is when n = pq, where both p and q are odd and prime. In this case, there is an element that generates 1/2 of Z_n*.

Example

• Z_15* = {1, 2, 4, 7, 8, 11, 13, 14}
– 2^1 = 2 mod 15; 2^2 = 4 mod 15; 2^3 = 8 mod 15; 2^4 = 1 mod 15;
– 4^1 = 4 mod 15; 4^2 = 1 mod 15;
– 7^1 = 7 mod 15; 7^2 = 4 mod 15; 7^3 = 13 mod 15; 7^4 = 1 mod 15;
– 8^1 = 8 mod 15; 8^2 = 4 mod 15; 8^3 = 2 mod 15; 8^4 = 1 mod 15;
– 11^1 = 11 mod 15; 11^2 = 1 mod 15;
– 13^1 = 13 mod 15; 13^2 = 4 mod 15; 13^3 = 7 mod 15; 13^4 = 1 mod 15;
– 14^1 = 14 mod 15; 14^2 = 1 mod 15;

• No element is a generator, as predicted: the largest order that occurs is 4, half of |Z_15*| = 8.
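An added Python example (not part of the original slides) that computes Z_n*, the cycle of powers and the order of each element, and the generators, reproducing the Z_14* and Z_15* tables above; modexp also implements the negative-exponent convention from the "Modular exponentiation" slide by exponentiating the inverse.

```python
from math import gcd

def units(n):
    """Z_n*: the residues 1..n-1 that are invertible mod n (coprime to n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def modexp(g, e, n):
    """g^e mod n by repeated multiplication; a negative e uses g^-1,
    so g must be invertible mod n in that case (as on the slides)."""
    base = g % n
    if e < 0:
        assert gcd(base, n) == 1, "negative exponent needs an invertible base"
        base, e = pow(base, -1, n), -e   # g^-e := (g^-1)^e  (Python 3.8+)
    result = 1
    for _ in range(e):
        result = (result * base) % n
    return result

def powers(g, n):
    """The cycle {g, g^2, ..., g^t = 1} generated by an invertible g."""
    assert gcd(g, n) == 1, "only invertible g return to 1"
    out, x = [], g % n
    while True:
        out.append(x)
        if x == 1:
            return out
        x = (x * g) % n

def order(g, n):
    """Smallest t >= 1 with g^t = 1 mod n: the length of the cycle."""
    return len(powers(g, n))

def generators(n):
    """Elements whose powers exhaust Z_n*, i.e. order(g) == |Z_n*|."""
    u = units(n)
    return [g for g in u if order(g, n) == len(u)]

if __name__ == "__main__":
    for n in (14, 15):
        print(f"Z_{n}* = {units(n)}, generators = {generators(n)}")
        for g in units(n):
            print(f"  {g}: powers {powers(g, n)}, order {order(g, n)}")
```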

Order of an element

• Take g in Z_n*. The list
– g^1, g^2, ..., g^k, k = 1, 2, ...
must eventually repeat.
– Otherwise we get an infinite sequence of elements from a finite set, a contradiction.

• Let g^j = g^k, j < k, k = j + t.
– g^j = g^k = g^(j+t);
– g^j = g^(j+t) = g^j g^t;
– g^t = 1.

• The cancellation rule applies because g is invertible.

Order (continued)

• We have shown that:
– g is invertible if and only if there is t > 1 such that g^t = 1 mod n.
– Indeed, if g is invertible we have shown that t exists. On the other hand, if t exists, then g has an inverse, equal to g^(t-1):
• g g^(t-1) = g^t = 1 in Z_n*.

• The smallest such t is the order of g.

Order of Z_n*

• The order of an element can also be defined as the size of the set generated by it:
– t = order(g) = #{g, g^2, g^3, ..., g^t = 1}

• The order of the group Z_n* is simply its cardinality |Z_n*|. The function

φ(n) = |Z_n*|

is called the Euler totient function.

Euler totient

• We know that all non-zero residues modulo a prime p are invertible. In other words:
– φ(p) = p - 1, if p is a prime.

• It is easy to see that, if n = pq is a product of two primes, then φ(n) = (p - 1)(q - 1) = φ(p) φ(q).

• In general: φ(n) φ(m) = φ(nm) if n, m are relatively prime.

Relations between orders

• Fact: If g is a residue in Z_n*, then
– order(g) divides φ(n) = order(Z_n*).

• An important special case is when p is a prime. In that case,
– order(g) divides p - 1;
– g^(p-1) = (g^t)^k = 1^k = 1 mod p, where t = order(g) and p - 1 = t k.

Fermat’s Little Theorem

• The previous result is called Fermat’s Little Theorem.

• (FLT) For every non-zero g in Z_p*, where p is a prime:
– g^(p-1) = 1 mod p

• This can be generalized for all g in Z_p (zero included):
– g^p = g mod p

Generalizing FLT

• For any finite ring Z_n:
– g^φ(n) = 1 mod n, for g in Z_n*.

• Proof will not be given.

• The special case n = pq is important.

• Claim: If n is a product of two primes:
– g^(φ(n)+1) = g mod n, for g in Z_n = {0, 1, ..., n-1}

The Remainder Theorem

• In order to appreciate the structure of finite rings when the modulus is composite, the remainder theorem applies:

• Given n = s t, where GCD(s, t) = 1:
– For each element a mod n, there corresponds a unique pair
• (b mod s, c mod t).

Example (CRT)

• n = 15 = 3*5
– a = 7 mod 15 corresponds to
• (1 mod 3, 2 mod 5)

• To go from “a mod n” to (b mod s, c mod t):
– Just compute b = a mod s, c = a mod t.

• How to go backwards?
– Two inverses are needed: s^-1 mod t and t^-1 mod s.

CRT backwards

• Given (b mod s, c mod t), compute
– a = c s (s^-1 mod t) + b t (t^-1 mod s) mod n

• In other words, a = c s (s^-1 mod t) + b t (t^-1 mod s) + k n for some integer k.

• Consider “a mod s” (similar for a mod t):
– a mod s = c s (s^-1 mod t) + b t (t^-1 mod s) + k s t mod s = b t (t^-1 mod s) mod s = b mod s

CRT backwards example

• Given b = 1 mod 3, c = 5 mod 7 (so s = 3, t = 7, n = 21):

• Compute 3^-1 mod 7 = 5, as 3*5 = 1 mod 7.

• Compute 7^-1 mod 3 = 1, as 7 = 1 mod 3.

• a = 1 * 7 * 1 + 5 * 3 * 5 = 82 mod 21 = 19 mod 21.
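The forward and backward CRT maps of the last three slides, as an added Python example (not from the original presentation). crt_backward uses exactly the slide's formula and returns both the unreduced sum (82 in the worked example) and its residue mod n (19); check_round_trip verifies the "unique pair" claim for every a in Z_n.

```python
from math import gcd

def crt_forward(a, s, t):
    """'a mod n' -> (b mod s, c mod t) for n = s t: reduce modulo each factor."""
    return a % s, a % t

def crt_backward(b, s, c, t):
    """(b mod s, c mod t) -> a mod n with n = s t and GCD(s, t) = 1, using
    a = c * s * (s^-1 mod t) + b * t * (t^-1 mod s)  (mod n).
    Returns (unreduced sum, a) so both numbers of the worked example appear."""
    assert gcd(s, t) == 1, "CRT needs coprime factors"
    n = s * t
    s_inv = pow(s, -1, t)   # s^-1 mod t  (Python 3.8+)
    t_inv = pow(t, -1, s)   # t^-1 mod s
    raw = c * s * s_inv + b * t * t_inv
    return raw, raw % n

def check_round_trip(s, t):
    """Every a in Z_n maps to a pair and back, and the n pairs are all distinct."""
    n = s * t
    pairs = set()
    for a in range(n):
        b, c = crt_forward(a, s, t)
        pairs.add((b, c))
        if crt_backward(b, s, c, t)[1] != a:
            return False
    return len(pairs) == n   # n distinct pairs: the correspondence is a bijection

if __name__ == "__main__":
    print(crt_forward(7, 3, 5))       # (1, 2): 7 mod 15 <-> (1 mod 3, 2 mod 5)
    print(crt_backward(1, 3, 5, 7))   # (82, 19)
    print(check_round_trip(3, 5), check_round_trip(3, 7))
```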

Returning to FLT for n = pq

• To prove:
– g^(φ(n)+1) = g mod n, for g in Z_n = {0, 1, ..., n-1}, when n = pq and p, q are primes.
– For invertible elements, i.e., GCD(g, n) = 1, it is the previous claim.
– For g = 0 mod n, i.e., GCD(g, n) = n, it is clear.

• Consider now the case GCD(g, n) = p.

FLT (continued)

• By the CRT, g is defined by
– g is invertible mod q
– g = 0 mod p

• We get that
– g^q = g mod q (by FLT)
– g^q = 0 = g mod p

• By backwards CRT, we get
– g^q = g mod pq;
– g^(φ(n)+1) = g^(pq - p - q + 2) = g^(-p+2) (g^q)^(p-1) = g^(-p+2) g^(p-1) = g mod pq
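An added Python check (not from the slides) of the totient facts and the FLT generalizations above: g^φ(n) = 1 on Z_n*, the intermediate step g^q = g mod pq for the residues with GCD(g, n) = p, and the full claim g^(φ(n)+1) = g on all of Z_n for n = pq. Going slightly beyond the slides, it also shows that the claim needs p and q to be distinct: for n = 4 = 2*2 and n = 9 = 3*3 it fails, which is why a public-key modulus of this shape must use two different primes.

```python
from math import gcd

def phi(n):
    """Euler totient phi(n) = |Z_n*|, counted directly from the definition."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)

def phi_multiplicative(n, m):
    """phi(n) phi(m) == phi(nm); expected to hold exactly when GCD(n, m) = 1."""
    return phi(n) * phi(m) == phi(n * m)

def euler_holds(n):
    """Generalized FLT: g^phi(n) = 1 mod n for every g in Z_n*."""
    e = phi(n)
    return all(pow(g, e, n) == 1 for g in range(1, n) if gcd(g, n) == 1)

def gq_step_holds(p, q):
    """The slide's intermediate step: g^q = g mod pq for every g with g = 0 mod p
    (the residues with GCD(g, n) = p, plus g = 0)."""
    n = p * q
    return all(pow(g, q, n) == g for g in range(0, n, p))

def pq_claim_holds(n):
    """The claim g^(phi(n)+1) = g mod n for ALL g in Z_n, zero included."""
    e = phi(n) + 1
    return all(pow(g, e, n) == g for g in range(n))

if __name__ == "__main__":
    print(phi(7), phi(15), phi_multiplicative(3, 5), phi_multiplicative(2, 4))
    print(euler_holds(15), gq_step_holds(3, 5), pq_claim_holds(15), pq_claim_holds(21))
    # p = q is NOT covered by the claim: 2^3 = 0 mod 4 and 3^7 = 0 mod 9
    print(pq_claim_holds(4), pq_claim_holds(9))
```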