In the previous segment, we talked about modulo inversion,
and we said that Euclid's algorithm gives us
an efficient method to find the inverse of an element modulo m.
In this segment we're going to move forward through time
to the 17th and 18th centuries,
and we're going to talk about Fermat's and Euler's contributions.
Before that, let's do a quick review of what we discussed in the previous segment.
So as usual, we're going to let N denote a positive integer,
and let's just say that N happens to be an n-bit integer.
In other words, it's between 2^(n-1) and 2^n.
As usual we are going to let p denote a prime.
Now we said that Z sub N is the set of integers from 0 to N - 1.
And we said that we can add and multiply elements in the set modulo N.
We also said that Z_N* is basically the set of invertible elements
in Z_N, and we proved a simple lemma saying that x is invertible
if and only if x is relatively prime to N.
And not only did we completely understand which elements are invertible
and which aren't,
we also showed a very efficient algorithm, based on Euclid's extended algorithm,
to find the inverse of an element x in Z_N.
And we said that the running time of this algorithm is basically of order n-squared
where again n is the number of bits of the number capital N.
So as I said, now we're gonna move from Greek times all the way to
the 17th century and talk about Fermat.
So Fermat stated a number of important theorems.
The one that I want to show you here is the following:
So suppose I give you a prime "p".
Then in fact, for any element x in Z_p*, it so happens
that if I look at x and raise it to the power p-1,
I'm gonna get 1 in Z_p.
So let's look at a quick example.
Suppose I set the number p to be 5
and I look at 3 to the power of p-1 - in other words 3 to the power of 4 -
3^4 is 81, which in fact is 1 modulo 5.
The example satisfies Fermat's theorem.
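(As a quick sanity check, here is a short Python sketch of this example, using Python's built-in pow for modular exponentiation; it checks the theorem for every element of Z_5*, not just 3.)

```python
# Check Fermat's theorem for p = 5: x^(p-1) should be 1 mod p
# for every x in Z_p*.
p = 5
for x in range(1, p):              # the elements 1, 2, 3, 4 of Z_5*
    print(x, pow(x, p - 1, p))     # every line should end in 1
```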
Interestingly Fermat actually didn't prove this theorem himself.
The proof actually waited until Euler, who proved it almost 100 years later,
and in fact he proved a much more general version of this theorem.
So lets look at a simple application of Fermat's theorem.
Suppose I look at an element x in Z_p*,
and I want to remind you here that p must be a prime.
Well, then what do we know? We know that x^(p-1) = 1.
Well, we can write x^(p-1) as x*x^(p-2).
Well, so now we know that x*x^(p-2) happens to be equal to 1,
and what that says is that really the inverse of x modulo p
is simply x^(p-2).
So this gives us another algorithm for finding the inverse of x modulo a prime:
simply raise x to the power of p-2
and that will give us the inverse of x.
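(Here is a minimal Python sketch of this method; the name inverse_mod_prime is just illustrative, and the sketch assumes p really is a prime and x is not divisible by p.)

```python
# Inverse modulo a prime via Fermat: x^(-1) = x^(p-2) mod p.
def inverse_mod_prime(x, p):
    """Return the inverse of x modulo the prime p (assumes gcd(x, p) = 1)."""
    return pow(x, p - 2, p)        # fast modular exponentiation

p, x = 7, 3
inv = inverse_mod_prime(x, p)
print(inv, (x * inv) % p)          # 5, and 3 * 5 = 15 = 1 (mod 7)
```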
It turns out actually this is a fine way to compute inverses modulo a prime,
but it has 2 deficiencies compared to Euclid's algorithm.
First of all, it only works modulo primes,
whereas Euclid's algorithm worked modulo composites as well,
and second of all it turns out this algorithm is actually less efficient.
When we talk about how to do modular exponentiation
- we're gonna do that in the last segment in this module -
you'll see that the running time to compute this exponentiation
is actually cubic in the size of p,
so this will take roughly log^3(p),
whereas, if you remember, Euclid's algorithm was able
to compute the inverse in quadratic time
in the representation of p.
So not only is this algorithm less general
- it only works for primes -
it's also less efficient.
So score one for Euclid,
but nevertheless, this fact about primes is extremely important
and we're going to be making extensive use of it
in the next couple of weeks.
So let me show you a quick and simple application of Fermat's theorem.
Suppose we wanted to generate a large random prime.
Say our prime needs to be 1024 bits or so,
so the prime we're looking for is on the order of 2^1024.
So here is a very simple probabilistic algorithm:
What we would do is, we would choose a random integer
in the interval that was specified,
and then we would test whether this integer satisfies Fermat's theorem.
In other words, we would test -
for example, using the base 2,
we would test whether 2^(p-1) equals 1 in Z_p.
If the answer is no, if this equality doesn't hold,
then we know for sure that the number p that we chose is not a prime.
And if that happens, all we do is we go back to step 1
and we try another random candidate.
We do this again and again and again,
until finally we find an integer that satisfies this condition.
And once we find an integer that satisfies this condition,
we simply output it and stop.
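(A minimal Python sketch of this procedure, assuming we want a 1024-bit candidate; forcing the top bit and oddness are small practical tweaks on top of the algorithm as stated, and the function name is just illustrative.)

```python
import random

# Generate a probable prime using the simple Fermat test with base 2.
def generate_probable_prime(bits=1024):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # random odd, top bit set
        if pow(2, p - 1, p) == 1:   # step 2: Fermat test with base 2
            return p                # very likely a prime; otherwise retry
```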
Now it turns out
- this is actually a fairly difficult statement to prove -
but it turns out, if a random number passes this test,
then it's extremely likely to be a prime.
In particular, the probability that p is not a prime
is very small.
It's less than 2^-60 for the range of 1024-bit numbers.
As the number gets bigger and bigger,
the probability that it passes this test here,
but is not a prime, drops to zero very quickly.
So this is actually quite an interesting algorithm.
You realize: we're not guaranteed that the output is in fact a prime.
All we know is that it's very very likely to be a prime.
In other words: the only way that it's not a prime
is that we got extremely unlucky.
In fact, so unlucky that a negligible-probability event just happened.
Another way to say this is that,
if you look at the set of all 1024-bit integers,
then, well, there is the set of primes,
and then there is a very small number of composites
that are not prime and yet will pass this test.
Let's call them FP, for "false primes".
These false primes do exist,
but as we choose random integers
- you know, we choose one here and one here, and so on -
as we choose random integers,
the probability that we fall into this set of false primes
is so small that it's essentially a negligible event
that we can ignore.
In other words, one can prove that the set of false primes
is extremely small,
and a random choice is unlikely to pick such a false prime.
Now I should mention,
in fact, this is a very simple algorithm for generating primes.
It's actually far from the best algorithm.
We have much better algorithms now.
And in fact, once you have a candidate prime
we now have very efficient algorithms
that will actually prove beyond a doubt
that this candidate prime really is a prime.
So we don't even have to rely on probabilistic statements.
And nevertheless,
this Fermat test is so simple
that I just wanted to show you
that it's an easy way to generate primes
although in reality this is not how primes are generated.
As a last point, I'll say that
you might be wondering how many times this iteration
has to repeat until we actually find a prime.
And that actually follows from a classic result
called the Prime Number Theorem,
which says that the primes around 2^1024
have density roughly 1 over ln(2^1024),
so after a few hundred iterations
we'll find a prime with high probability.
In expectation, one would expect
a few hundred iterations, no more.
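(A one-line check of that estimate in Python: the density of primes near 2^1024 is about 1 over ln(2^1024).)

```python
import math

# Expected number of random 1024-bit candidates before hitting a prime,
# by the prime number theorem: roughly ln(2^1024).
print(1024 * math.log(2))   # about 710, i.e. a few hundred iterations
```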
Now that we understand Fermat's theorem,
the next thing I want to talk about is
what's called the structure of (Z_p)*.
So here we're going to move a hundred years into the future,
into the 18th century,
and look at the work of Euler.
And one of the first things Euler showed
is, in modern language,
that (Z_p)* is what's called a cyclic group.
So what does it mean that (Z_p)* is a cyclic group?
What it means is:
there exists some element g in (Z_p)*
such that if we take g and raise it to a bunch of powers,
g, g^2, g^3, g^4 and so on and so forth
up until we reach g^(p-2)
- notice there is no point in going beyond g^(p-2),
because g^(p-1), by Fermat's theorem, is equal to 1,
so at g^(p-1) we just cycle back to 1,
then g^p will be equal to g,
g^(p+1) will be equal to g^2, and so on and so forth,
so we'll actually get a cycle
if we keep raising to higher and higher powers of g,
so we might as well stop at the power of g^(p-2).
And what Euler showed is
that in fact there is an element g
such that if we look at all of its powers,
all of its powers span the entire group (Z_p)*.
Powers of g give us all the elements in (Z_p)*.
An element of this type is called a generator.
So g would be said to be a generator of (Z_p)*.
So let's look at a quick example.
Let's look for example at p=7,
and let's look at all the powers of 3,
which are 3, 3^2, 3^3, 3^4 and 3^5.
3^6 already, we know, is equal to 1 modulo 7 by Fermat's theorem,
so there's no point in looking at 3^6:
we know we would just get 1.
So here I calculated all of these powers for you,
and I wrote them out,
and you see that in fact, we get all the numbers in (Z_7)*.
In other words, we get 1, 2, 3, 4, 5 and 6.
So we would say that 3 is a generator of (Z_7)*.
Now I should point out that not every element is a generator.
For example, if we look at all the powers of 2,
well, that's not going to generate the entire group.
In particular, if we look at 2^0, we get 1.
2^1, we get 2.
2^2 is 4, and 2^3 is 8, which is 1 modulo 7.
So we cycled back.
And then 2^4 would be 2,
2^5 would be 4, and so on and so forth.
So if we look at the powers of 2,
we just get 1, 2 and 4.
We don't get the whole group.
And therefore we say that 2 is not a generator of (Z_7)*.
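(Here is a small Python check of both examples: the powers of 3 cover all of (Z_7)*, while the powers of 2 do not.)

```python
# List the distinct powers g^1, ..., g^(p-1) modulo p = 7.
p = 7
for g in (3, 2):
    powers = sorted({pow(g, k, p) for k in range(1, p)})
    print(g, powers)
# 3 [1, 2, 3, 4, 5, 6]   -> 3 generates all of (Z_7)*
# 2 [1, 2, 4]            -> 2 is not a generator
```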
Now again, something that we'll use very often
is, given an element g of (Z_p)*,
if we look at the set of all powers of g,
the resulting set is going to be called
the group generated by g.
OK? So these are all the powers of g,
they give us what's called a multiplicative group,
again, the technical term doesn't matter,
the point is: we're going to call all these powers of g
the group generated by g.
In fact, there's this notation, which I don't use very often:
⟨g⟩, to denote this group that's generated by g.
And then we define the order of g in (Z_p)*:
we simply let that be
the size of the group that's generated by g.
So in other words,
the order of g in (Z_p)*
is the size of this group.
But another way to think about that
is that it's basically the smallest positive integer a
such that g^a is equal to 1 in Z_p.
OK? It's the smallest exponent
that causes a power of g to be equal to 1.
And it's very easy to see why this equality holds:
basically, if we look at all the powers of g
- we look at 1, g, g^2, g^3 and so on and so forth,
up until we get to g to the power of the order of g minus 1 -
and then if we look at g to the power of the order of g,
that is simply going to be equal to 1, by definition.
OK? So there's no point in looking into higher powers,
we might as well just stop raising to powers here.
And as a result, the size of the set,
in fact, is the order of g.
And you can see that the order is the smallest power
such that raising g to that power
gives us 1 in Z_p.
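(A brute-force Python sketch of this definition; the function name order is just illustrative, and it assumes g really is in (Z_p)*, so that the loop terminates.)

```python
# Order of g in (Z_p)*: the smallest positive a with g^a = 1 (mod p).
def order(g, p):
    a, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        a += 1
    return a

print(order(3, 7))   # 6, matching the example below
```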
So I hope this is clear,
although it might take a little while
to absorb all this notation.
But in the meantime, let's look at a few examples.
So again, let's fix our prime to be 7.
And let's look at the order of a number of elements.
So what is the order of 3 modulo 7?
Well, we're asking: what is the size of the group
that 3 generates modulo 7?
Well, we said that 3 is a generator of (Z_7)*,
so it generates all of (Z_7)*.
There are 6 elements in (Z_7)*.
And therefore we say that the order of 3 is equal to 6.
Similarly I can ask:
well, what is the order of 2 modulo 7?
And in fact, we already saw the answer.
So let me ask you: what is the order of 2 modulo 7?
See if you can figure out what the answer is.
So the answer is 3.
And again, the reason is,
if we look at the set of powers of 2 modulo 7,
well, we have 1, 2 and 2^2,
and then 2^3 is already equal to 1 again,
so this is the entire set of powers of 2 modulo 7.
There are only three of them.
And therefore, the order of 2 modulo 7 is exactly 3.
Now let me ask you a trick question:
What's the order of 1 modulo 7?
Well, the answer is 1,
because if you look at the group that's generated by 1,
well, there's only one number in that group,
namely the number 1.
If I raise 1 to a whole bunch of powers,
I'm always going to get 1,
and therefore the order of 1 modulo 7,
in fact, the order of 1 modulo any prime,
is always going to be 1.
Now, there's an important theorem of Lagrange -
actually, what I'm telling you here is a very, very special case of it -
and Lagrange's theorem basically implies
that if you look at the order of g modulo p,
the order is always going to divide p-1.
So in our two examples, you see that
6 divides 7-1, namely 6 divides 6,
and similarly, 3 divides 7-1, namely 3 divides 6.
But this is very general.
The order is always going to be a factor of p-1.
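(A quick Python check of this divisibility claim for p = 7: the order of every element of (Z_7)* divides p - 1 = 6.)

```python
# For each g in (Z_7)*, find its order and check that it divides p - 1.
p = 7
for g in range(1, p):
    a = min(k for k in range(1, p) if pow(g, k, p) == 1)   # order of g
    print(g, a, (p - 1) % a == 0)                          # last column is always True
```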
In fact, I'll tell you -
maybe it's a puzzle for you to think about -
it's actually very easy to deduce Fermat's theorem
directly from this fact about orders,
and so Fermat's theorem really in some sense
follows directly from Lagrange's theorem.
Lagrange, by the way, did this work in the 19th century,
so we can already see how we're making progress through time.
We started in Greek times,
and already we ended up in the 19th century.
And I can tell you that more advanced crypto
actually uses 20th-century math very extensively.
Now that we understand the structure of (Z_p)*,
let's generalize that to composites
and look at the structure of (Z_N)*.
So what I want to show you here is what's called Euler's theorem,
which is a direct generalization of Fermat's theorem.
So Euler defined the following function:
So given an integer N,
we define what's called the phi function, phi of N,
to be basically the size of the set (Z_N)*.
This is sometimes called "Euler's phi function".
The size of the set (Z_N)*.
So for example, we already looked at (Z_12)*.
We said that (Z_12)* contains these four elements
1, 5, 7 and 11,
and therefore we say that phi of 12 is simply the number 4.
So let me ask you as a puzzle:
What is phi of p?
It'll basically be the size of (Z_p)*.
And so in fact we said
that (Z_p)* contains all of Z_p
except for the number zero,
and therefore phi of p for any prime p
is going to be p-1.
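(Here is a small Python sketch of the phi function by direct counting, verifying phi(12) = 4 and phi(7) = 7 - 1 = 6; the function name phi is just illustrative.)

```python
from math import gcd

# Euler's phi function by counting the elements of Z_N that are
# relatively prime to N, i.e. the size of (Z_N)*.
def phi(N):
    return sum(1 for x in range(1, N) if gcd(x, N) == 1)

print(phi(12))   # 4: the elements 1, 5, 7, 11
print(phi(7))    # 6: for a prime p, phi(p) = p - 1
```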
Now there's a special case, which I'm going to state here
because we're going to use it later for the RSA system:
if N happens to be the product of two primes p and q,
then phi of N is simply N minus p minus q plus 1.
Let me just show you why that's true.
Basically, N is the size of Z_N.
And now we need to remove all the elements
that are not relatively prime to N.
Well, how can an element not be relatively prime to N?
It's got to be divisible by p,
or it's got to be divisible by q.
Well, how many elements between zero and N-1
are there that are divisible by p?
Well, there are exactly q of them.
How many elements are there that are divisible by q?
Well, there are exactly p of them.
So we subtract p to get rid of those divisible by q,
we subtract q to get rid of those divisible by p.
And you'll notice we subtracted 0 twice,
because 0 is divisible both by p and q.
And therefore we add 1,
just to make sure we subtract 0 only once.
And so it's not difficult to see
that phi of N is N minus p minus q plus 1.
And another way of writing that is simply:
p minus 1, times q minus 1.
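(A quick Python check of this formula for a small example, say p = 5 and q = 7, so N = 35.)

```python
from math import gcd

# Check phi(N) = N - p - q + 1 = (p-1)(q-1) for N = p * q.
p, q = 5, 7
N = p * q
phi_N = sum(1 for x in range(1, N) if gcd(x, N) == 1)   # phi by counting
print(phi_N, N - p - q + 1, (p - 1) * (q - 1))          # 24 24 24
```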
OK? So this is a fact that we will use
later on when we will come back
and talk about the RSA system.
So far, this is just defining this phi function of Euler.
But now, Euler put this phi function to really good use.
And what he proved is this amazing fact here
that basically says
that if you give me any element x in (Z_N)*,
in fact it so happens that
x to the power of phi of N is equal to 1 in Z_N.
So you can see that this is a generalization of Fermat's theorem.
In particular, Fermat's theorem only applied to primes.
For primes we know that phi of p is equal to p-1;
in other words,
if N were a prime p, we would simply write p-1 here,
and then we would get exactly Fermat's theorem.
The beauty of Euler's theorem is that
it applies to composites and not just primes.
So let's look at some examples:
So let's look at 5 to the power of phi of 12.
So 5 is an element of (Z_12)*.
If we raise it to the power of phi of 12,
we should be getting 1.
Well, we know that phi of 12 is 4,
so we're raising 5 to the power of 4.
5 to the power of 4 is 625.
And it's a simple calculation to show that
that's equal to 1 modulo 12.
So this is proof by example,
but of course it's not a proof at all,
it's just an example.
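(And here is a quick Python check of Euler's theorem for all of (Z_12)*, not just for 5.)

```python
# Euler's theorem for N = 12: x^phi(12) = x^4 = 1 (mod 12)
# for every x in (Z_12)*.
N, phi_N = 12, 4
for x in (1, 5, 7, 11):            # the elements of (Z_12)*
    print(x, pow(x, phi_N, N))     # every line should end in 1
```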
And in fact, it's not difficult to prove Euler's theorem.
I'll also tell you that Euler's theorem
is again a very special case
of Lagrange's general theorem.
OK. So we said that
this is a generalization of Fermat's theorem
and in fact, as we'll see,
this Euler's theorem
is the basis of the RSA cryptosystem.
So I'll stop here,
and we'll continue with modular quadratic equations
in the next segment.