Review Sheet for Math 471 Midterm, Fall 2014, Siman Wong

Disclaimer: This review sheet serves to give a highlight of the topics to be covered in your midterm. It does NOT replace your textbook and/or your lecture notes.

Note: On your exam you will be asked to recall the precise statement of some theorems and/or the precise definition of some important terms. Know your theorems. Know your definitions.

Oct 27: This is a draft, and I will continue to revise it in the coming days. I post it now to help you get started on your review. Please check the course website regularly for updates.

1. THE BASIC TRICHOTOMY

In the past few weeks we have studied a number of topics, including (among many others!)
• congruences and divisibility
• division algorithm
• unique factorization
• gcd and the (extended) Euclidean algorithm
• Chinese remainder theorem
• Fermat's little theorem and the Fermat compositeness test; fast exponentiation
• Euler phi function

These are not disjoint topics; in fact they are closely related, and a key issue you should address when you study for the exam is to understand the connections between them. In this writeup I will try to outline some of these connections.

First, remember that
$a \equiv b \pmod n \iff n \mid (b - a) \iff \gcd(n, b - a) = n.$
Which of these three forms to use depends on the situation; cf. the list of practice problems for various examples. In the special case of a prime modulus we have the additional equivalence
$p \nmid a \iff \gcd(p, a) = 1.$
This is totally false if p is NOT a prime! This is also a good place in the review notes to point out that the Fundamental Theorem of Arithmetic (FTA) yields yet another reformulation of GCD (even though the FTA was presented a bit later in the course):
$\gcd(a, b) = 1 \iff$ the factorizations of a and b have no prime factor in common.
This reformulation can be quite useful; see for example practice problem #8.
Note also that the FTA has two parts, the existence of a factorization and its uniqueness. The uniqueness part is subtle: it makes use of both the addition and multiplication operations, and it relies crucially on the following result (Euclid's lemma): Let p be a prime, and let $a_1, \dots, a_n$ be integers. If $p \mid (a_1 \cdots a_n)$ then $p \mid a_i$ for some i. See also PS#4 for a related result with p replaced by an arbitrary integer.

© Copyright 2014 SIMAN WONG

Speaking of GCD, first remember that if a, b are not both 0, then
$\gcd(a, b)$ = the largest positive integer that divides both a and b = the smallest positive integer of the form $as + bt$ with $s, t \in \mathbb{Z}$.
To find $\gcd(a, b)$ we have the Euclidean algorithm (EA). We also have the Extended Euclidean algorithm (EEA), which not only determines $\gcd(a, b)$ but also two integers s, t with $\gcd(a, b) = as + bt$. Here is a numerical example, computing $\gcd(374, 50)$:

step 1: $374 = 7 \times 50 + 24$
step 2: $50 = 2 \times 24 + 2$ (and $24 = 12 \times 2 + 0$, so $\gcd(374, 50) = 2$)
step 3: solve step 2 for its remainder: $2 = 50 + (-2) \times 24$
step 4: solve step 1 for its remainder (i.e. for the output 24 of step 1): $24 = 374 + (-7) \times 50$
step 5: plug step 4 into step 3: $2 = 50 + (-2) \times (374 - 7 \times 50) = 50 \times 15 + 374 \times (-2)$.

Remember that s, t in the EEA are not unique! See Theorem 1.11 for the precise statement about finding all possible solutions. The EEA allows us to find the multiplicative inverse mod n of any $\alpha \in \mathbb{Z}$ which is prime to n. Make sure you know how to do that. More generally, make sure you know how to perform the EA and the EEA by hand. You will need to do such calculations on your test.

Multiplicative inverses mod n are needed when, for example, you try to solve linear Diophantine equations $ax + by = c$ (note that this is an equality in integers). This depends on $\gcd(a, b)$; see your notes for details. Here is the basic idea:
(i) Clearly a necessary condition for $ax + by = c$ to have integer solutions is that $\gcd(a, b)$ divides c.
(ii) Suppose that in fact $\gcd(a, b) \mid c$. Set $d = \gcd(a, b)$ and write $a' = a/d$, $b' = b/d$, $c' = c/d$. Then the original equation is equivalent to
(1) $a'x + b'y = c'$ with $\gcd(a', b') = 1$.
(iii) Use the EEA to find an integer solution $(x', y')$ of the auxiliary equation $a'x' + b'y' = 1$.
(iv) Then $(c'x', c'y')$ is one solution to (1), and hence to the original equation. In particular, the necessary condition in (i) is in fact sufficient!
(v) However: not every integer solution to $ax + by = c$ is of the form $(c'x', c'y')$ for some solution $(x', y')$ to $a'x' + b'y' = 1$; cf. your notes for a (counter)example and details.

This takes care of a single linear equation in two variables (equivalently, a single linear congruence $ax \equiv c \pmod b$). But what about systems of linear congruences? Answer: the Chinese remainder theorem (CRT). Caveat: care must be taken when you apply the CRT to moduli that are not pairwise coprime. Here is an example. Consider the system
$x \equiv 6 \pmod{10}, \qquad x \equiv 4 \pmod{14}.$
These congruences are equivalent to
(2) $x \equiv 6 \pmod 2,\ x \equiv 6 \pmod 5,\ x \equiv 4 \pmod 2,\ x \equiv 4 \pmod 7.$
Note that the two mod-2 congruences in (2) are actually the same! We can then turn these into
$x \equiv 0 \pmod 2, \qquad x \equiv 1 \pmod 5, \qquad x \equiv 4 \pmod 7.$
The moduli are now pairwise coprime! Apply the CRT and we get $x \equiv 46 \pmod{70}$ (check: $46 \equiv 6 \pmod{10}$ and $46 \equiv 4 \pmod{14}$). On the other hand, consider the system
$y \equiv 6 \pmod{12}, \qquad y \equiv 4 \pmod{20}.$
These congruences are equivalent to
(3) $y \equiv 6 \pmod 4,\ y \equiv 6 \pmod 3,\ y \equiv 4 \pmod 4,\ y \equiv 4 \pmod 5.$
The two mod-4 congruences in (3) (namely $y \equiv 2$ and $y \equiv 0 \pmod 4$) are clearly NOT consistent, so this system has no solution.

Note:
• Make sure you know how to carry out the CRT by hand and how to solve CRT problems with more than two congruences.
• We can use the CRT to solve non-linear congruences too. We worked out examples of that in class; cf. e.g. #1 on the list of practice problems.

2. EXPONENTIATION

So far we have focused on the addition, subtraction, multiplication and (when it exists) division operations (mod n). To compute $a^e \pmod n$ we have the fast exponentiation (FE) algorithm; it is based on a very simple observation:
(4) $a^{2^{i+1}} = a^{2^i \cdot 2} = \left(a^{2^i}\right)^2.$
See your notes/text for the precise statement; here is a simple numerical example. Since $43 = 32 + 8 + 2 + 1$,
(5) $5^{43} \equiv 5^{32 + 8 + 2 + 1} \equiv 5^{2^5} \cdot 5^{2^3} \cdot 5^{2^1} \cdot 5^{2^0} \pmod{29}.$
Clearly $5^{2^0} \equiv 5 \pmod{29}$. To determine the three other terms on the right side of (5) we successively apply (4):
$5^{2^1} = (5^{2^0})^2 \equiv 25 \equiv -4 \pmod{29},$
$5^{2^2} = (5^{2^1})^2 \equiv (-4)^2 = 16 \pmod{29},$
$5^{2^3} = (5^{2^2})^2 \equiv 16^2 = 256 \equiv 24 \equiv -5 \pmod{29},$
$5^{2^4} = (5^{2^3})^2 \equiv (-5)^2 = 25 \equiv -4 \pmod{29},$
$5^{2^5} = (5^{2^4})^2 \equiv (-4)^2 = 16 \pmod{29}.$
Thus
$5^{43} \equiv 16 \cdot (-5) \cdot (-4) \cdot 5 \pmod{29}$ by (5)
(6) $\equiv 16 \cdot (-4) \cdot [(-5) \cdot 5] \pmod{29}$
(7) $\equiv 16 \cdot (-4) \cdot 4 \pmod{29}$ since $-25 \equiv 4 \pmod{29}$
$\equiv 32 \cdot (-8) \equiv 3 \cdot (-8) \equiv -24 \equiv 5 \pmod{29}.$

Note:
• In this example, FE requires that we compute $5^{2^4} \pmod{29}$ and $5^{2^2} \pmod{29}$, which are not needed in the final product, but even so we only need 5 squarings and 3 multiplications, which is a lot easier than computing $5^{43}$ directly.
• The reason I spell out steps like (6) and (7) is to remind you to watch out for such simplifications.

To see why FE is useful, first recall Fermat's little theorem (FLT), which we will state in two forms. Fix a prime p. Then
(a) if $(a, p) = 1$ then $a^{p-1} \equiv 1 \pmod p$;
(b) for any $b \in \mathbb{Z}$ we have $b^p \equiv b \pmod p$.
Restating (a) in another way, we get the Fermat compositeness test: given an odd integer $n > 1$, if there exists $b \in \mathbb{Z}$ with $n \nmid b$ so that
(8) $b^{n-1} \not\equiv 1 \pmod n$
then n must be composite.

Recall that
$\mathbb{Z}/n$ := the set of integers (mod n),
$(\mathbb{Z}/n)^\times$ := the set of $\beta \pmod n$ with $(\beta, n) = 1$.
In particular, $\#(\mathbb{Z}/n) = n$ and $\#(\mathbb{Z}/n)^\times = \varphi(n)$.

Returning to FLT, note that it requires that the modulus be prime. For a general modulus we have Euler's theorem: if $(a, n) = 1$ then $a^{\varphi(n)} \equiv 1 \pmod n$, where
$\varphi(n) := \#\{a \pmod n : (a, n) = 1\}.$
We have a closed-form formula for computing $\varphi(n)$:
$\varphi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right).$
So we can compute $\varphi(n)$ easily provided that we know the prime factorization of n.
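The following Python code is an added example, not part of the review sheet, that puts the tools of Sections 1 and 2 in one place so the hand computations above can be checked: the extended Euclidean algorithm (run on 374 and 50 as above), inverses mod n, the linear Diophantine procedure (i)-(v), a CRT routine that handles moduli that are not pairwise coprime (it reproduces the $x \equiv 46 \pmod{70}$ answer and rejects the inconsistent system (3)), fast exponentiation by (4) (reproducing the $5^{43} \pmod{29}$ table), and $\varphi(n)$ from the product formula. The function names are my own choices.

```python
# Added example (not from the review sheet): the tools of Sections 1 and 2 in code.
# Function names are my own choices.
from math import gcd


def egcd(a, b):
    """Extended Euclidean algorithm on a, b >= 0: returns (g, s, t) with g = gcd(a, b) = a*s + b*t."""
    s0, t0, s1, t1 = 1, 0, 0, 1            # invariants: a = a0*s0 + b0*t0 and b = a0*s1 + b0*t1
    while b:
        q, r = divmod(a, b)                # one division step, a = q*b + r
        a, b = b, r
        s0, s1 = s1, s0 - q * s1           # the "solve for the remainder" back-substitution, done forward
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(alpha, n):
    """Multiplicative inverse of alpha mod n via the EEA; raises if gcd(alpha, n) != 1."""
    g, s, _ = egcd(alpha % n, n)
    if g != 1:
        raise ValueError(f"{alpha} is not invertible mod {n}: gcd = {g}")
    return s % n


def solve_linear(a, b, c):
    """Integer solutions of a*x + b*y = c, steps (i)-(v): None if gcd(a, b) does not divide c,
    else (x0, y0, b', a'), meaning the full solution set is (x0 + k*b', y0 - k*a') for k in Z."""
    d, s, t = egcd(a, b)                   # a*s + b*t = d
    if c % d:
        return None
    a1, b1, c1 = a // d, b // d, c // d    # a', b', c' with gcd(a', b') = 1, and a'*s + b'*t = 1
    return c1 * s, c1 * t, b1, a1


def crt(residues, moduli):
    """x with x ≡ r_i (mod m_i) for all i, merging one congruence at a time; the moduli need not be
    pairwise coprime. Returns (x, M) with x unique mod M = lcm(m_i), or None if inconsistent."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        g = gcd(M, m)
        if (r - x) % g:                    # the two congruences disagree mod gcd(M, m), cf. system (3)
            return None
        # x + M*k ≡ r (mod m)  <=>  (M/g)*k ≡ (r - x)/g (mod m/g), and M/g is invertible mod m/g
        k = (r - x) // g * modinv(M // g, m // g) % (m // g)
        x, M = x + M * k, M * (m // g)
        x %= M
    return x, M


def fast_pow(a, e, n, trace=None):
    """a^e mod n by repeated squaring, eq. (4): scan the bits of e from the low end, squaring the
    running base each time; if a list is passed as trace, the values a^(2^i) mod n are appended."""
    result, base = 1, a % n
    while e:
        if e & 1:
            result = result * base % n     # this bit of e is set: multiply a^(2^i) in
        if trace is not None:
            trace.append(base)
        base = base * base % n             # a^(2^(i+1)) = (a^(2^i))^2
        e >>= 1
    return result


def phi(n):
    """Euler's phi via n * prod (1 - 1/p), finding the primes p | n by trial division."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            result -= result // p
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        result -= result // m
    return result
```

A usage note: `crt` returns the modulus M together with the solution because, for non-coprime moduli, the answer is only unique mod the lcm (70 in the example above, not 140); `fast_pow(5, 43, 29, trace)` fills `trace` with 5, 25, 16, 24, 25, 16, the same residues as the hand table (with $-4 \equiv 25$ and $-5 \equiv 24$).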
And when $n = pq$ is the product of two distinct primes, we saw that knowing $\varphi(pq)$ is equivalent to knowing the factorization $n = pq$. This observation is crucial for e.g. RSA.

3. PRIMITIVE ROOTS AND DISCRETE LOGS

Let p be a prime. Given an element $g \in (\mathbb{Z}/p)^\times$,
$\mathrm{ord}_p(g)$ := the smallest positive integer r such that $g^r \equiv 1 \pmod p$
= the largest positive integer r such that $g, g^2, \dots, g^r$ are pairwise distinct mod p.
For any $b \in (\mathbb{Z}/p)^\times$ we have
(9) $b^m \equiv 1 \pmod p \iff \mathrm{ord}_p(b) \mid m.$
The proof of this result depends on the EEA plus properties of GCD; make sure you understand the proof! This is a useful property to keep in mind for e.g. solving $x^m \equiv 1 \pmod p$.

In conjunction with Fermat's Little Theorem, (9) implies in particular that
(i) $\mathrm{ord}_p(g) \mid (p - 1)$;
(ii) $\mathrm{ord}_p(\alpha^i) \mid \mathrm{ord}_p(\alpha)$ for every $i \ge 1$, with equality if and only if $(i, \mathrm{ord}_p(\alpha)) = 1$.

(i) above raises a natural question: is every divisor of $p - 1$ realizable as the order of an element of $(\mathbb{Z}/p)^\times$? In particular, is there an element of order exactly $p - 1$? The answer is yes: for every prime p there exists an element $\alpha \in (\mathbb{Z}/p)^\times$ with $\mathrm{ord}_p(\alpha) = p - 1$. Such an element is called a primitive root mod p. Basic properties:
(i) every element of $(\mathbb{Z}/p)^\times$ is congruent mod p to a power of $\alpha$;
(ii) $\alpha^i \equiv 1 \pmod p \iff (p - 1) \mid i$;
(iii) $\alpha^i \equiv \alpha^j \pmod p \iff (p - 1) \mid (i - j)$.

Let $\alpha$ be a primitive root (mod p). Given any $\beta \in (\mathbb{Z}/p)^\times$, the unique $k \in \mathbb{Z}/(p - 1)$ so that $\beta \equiv \alpha^k \pmod p$ is called the discrete log of $\beta \pmod p$ with respect to the base $\alpha$; notation: $\log_\alpha(\beta)$. The discrete log behaves in many ways like the ordinary logarithm of real numbers, for example
• $\log_\alpha(ab) \equiv \log_\alpha(a) + \log_\alpha(b) \pmod{p - 1}$;
• $\log_\alpha(a^k) \equiv k \log_\alpha(a) \pmod{p - 1}$;
but keep in mind that
• the discrete log is well-defined only (mod $p - 1$);
• the change-of-base formula only makes sense if both bases are primitive roots (mod p).
The difficulty of computing discrete logs underlies the security of ElGamal (and of Diffie-Hellman); make sure you know how to compute them by hand for small p!
Keep in mind that repeated application of RSA encryption could undo the encryption; this has to do with the order of an element in $(\mathbb{Z}/n)^\times$. We also analyzed the analogous issue for repeated application of affine ciphers.

We discussed two ways to solve a discrete log problem $a \equiv g^x \pmod p$. First, Shanks' Baby-step Giant-step (BSGS) algorithm, described below, is guaranteed to terminate and compute the discr­ete log in $O(\sqrt p)$ steps (note that your text works with a general group G; we will stick to $(\mathbb{Z}/p)^\times$ and you do not need to know abstract algebra):
• Set $n = 1 + \lfloor \sqrt p \rfloor$;
• Compute two lists modulo p:
  $1, g, g^2, \dots, g^n$ (baby steps) and
  $a,\ a \cdot g^{-n},\ a \cdot g^{-2n},\ \dots,\ a \cdot g^{-n^2}$ (giant steps);
• Find a match between these two lists, say $g^i \equiv a g^{-kn} \pmod p$ with $0 \le i, k \le n$;
• Then $x = i + kn$ is a solution to $a \equiv g^x \pmod p$.

Next we have Pohlig-Hellman. The idea is that x is determined modulo $p - 1$, and since p is an odd prime, $p - 1$ is even (and for $p > 3$ composite), so we can write $p - 1 = q_1^{e_1} \cdots q_r^{e_r}$. It then suffices to first determine $x \pmod{q_i^{e_i}}$ for each i and then use the CRT. See §2.9 of your text + notes + solutions to the PS for examples.

4. SQUARE ROOTS MOD p

One useful application of primitive roots is that they allow us to compute square roots modulo a prime $p \equiv 3 \pmod 4$: if an integer a is a square modulo p, then
(10) $a^{(p+1)/4} \pmod p$
is a square root of $a \pmod p$.

There is a polynomial-time algorithm for computing square roots modulo a general prime; it makes use of more advanced mathematics and we did not discuss it in class. As for a general modulus n: if we know the prime factorization $n = p_1^{e_1} \cdots p_r^{e_r}$, then we can first find square roots modulo each $p_i^{e_i}$ and then piece the answer back together using the CRT. In particular, if n is a product of distinct primes each $\equiv 3 \pmod 4$, then we can find all square roots very quickly.
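The following Python code is an added example, not part of the review sheet, covering the two discrete-log methods above (BSGS and Pohlig-Hellman, the latter recovering $x \pmod{q^e}$ one base-q digit at a time, each digit by a BSGS in the subgroup of order q) and the square-root recipe (10) for $p \equiv 3 \pmod 4$ glued by the CRT, with the observation that two square roots of the same number mod $pq$ that are not negatives of each other reveal a factor. The function names and the sample primes 29, 7, 11 (with 2 a primitive root mod 29) are my own choices.

```python
# Added example (not from the review sheet): BSGS, Pohlig-Hellman and square roots mod p*q.
# Function names and the sample primes are my own choices.
from math import gcd, isqrt


def bsgs(g, a, p, order=None):
    """x with g^x ≡ a (mod p) and 0 <= x < order (default p - 1), or None if a is not a power of g.
    Baby steps g^i (i = 0..n) go into a table; giant steps a*g^(-kn) (k = 0..n) are looked up."""
    order = p - 1 if order is None else order
    n = 1 + isqrt(order)
    baby = {}
    gi = 1
    for i in range(n + 1):
        baby.setdefault(gi, i)           # keep the smallest exponent if a value repeats
        gi = gi * g % p
    step = pow(g, -n, p)                 # g^(-n) mod p
    cur = a % p
    for k in range(n + 1):
        if cur in baby:                  # g^i ≡ a*g^(-kn)  =>  x = i + kn
            return (baby[cur] + k * n) % order
        cur = cur * step % p
    return None


def crt2(r1, m1, r2, m2):
    """x mod m1*m2 with x ≡ r1 (mod m1) and x ≡ r2 (mod m2), for coprime m1, m2."""
    k = (r2 - r1) * pow(m1, -1, m2) % m2
    return (r1 + m1 * k) % (m1 * m2)


def pohlig_hellman(g, a, p, factors):
    """Solve g^x ≡ a (mod p) for a primitive root g, given p - 1 = prod q^e as factors = [(q, e), ...].
    x mod q^e is found one base-q digit at a time with a BSGS in the subgroup of order q."""
    N = p - 1
    x, M = 0, 1
    for q, e in factors:
        gq = pow(g, N // q, p)                       # an element of order exactly q
        x_qe, qj = 0, 1                              # x mod q^j found so far, and q^j
        for _ in range(e):
            # (a * g^(-x_qe))^(N / q^(j+1)) equals gq^(next digit)
            h = pow(a * pow(g, -x_qe, p) % p, N // (q * qj), p)
            x_qe += bsgs(gq, h, p, order=q) * qj
            qj *= q
        x, M = crt2(x, M, x_qe, qj), M * qj          # glue with the prime powers done so far
    return x


def sqrt_mod_pq(a, p, q):
    """All four square roots of a modulo n = p*q for distinct primes p, q ≡ 3 (mod 4):
    (10) mod p and mod q, then the four sign choices glued by the CRT."""
    assert p % 4 == 3 and q % 4 == 3 and p != q
    rp, rq = pow(a, (p + 1) // 4, p), pow(a, (q + 1) // 4, q)
    assert rp * rp % p == a % p and rq * rq % q == a % q, "a is not a square mod p and mod q"
    return sorted(crt2(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq))


def factor_from_roots(n, r1, r2):
    """If r1^2 ≡ r2^2 (mod n) but r1 ≢ ±r2 (mod n), then gcd(r1 - r2, n) is a proper factor of n."""
    assert (r1 * r1 - r2 * r2) % n == 0
    d = gcd(r1 - r2, n)
    return d if 1 < d < n else None
```

For $p = 29$, $g = 2$, $a = 5$ both `bsgs(2, 5, 29)` and `pohlig_hellman(2, 5, 29, [(2, 2), (7, 1)])` return 22, and `sqrt_mod_pq(4, 7, 11)` returns the four roots 2, 9, 68, 75 of 4 mod 77; `factor_from_roots(77, 2, 9)` then gives the factor 7, whereas the pair 2, 75 (negatives of each other mod 77) gives nothing, which is exactly why an attacker who can only produce $\pm$ the root she started from learns nothing.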
However, currently there is no efficient algorithm for finding even a single square root modulo a general modulus n whose factorization is unknown, and as we saw in class, if n is a product of distinct primes and we can find all square roots modulo n, then we can recover the factorization of n. This observation is the theoretical underpinning of the protocol for coin-flipping over the phone.

5. PRIMALITY TESTING

Given a composite number n, if b satisfies (8) then we say that b is a witness to the compositeness of n. On the other hand, if n is composite and $a^{n-1} \equiv 1 \pmod n$, then we say that n is a pseudoprime to base a. For example, 3 is a witness to the compositeness of $341 = 11 \times 31$, but 341 is a pseudoprime to base 2 (check!). There are composite numbers with no witness prime to n (equivalently: composite numbers which are pseudoprimes to every base prime to n). The first example is $561 = 3 \cdot 11 \cdot 17$; we verified this using the Chinese remainder theorem, cf. problem #3.13(a) in PS#5 (see footnote 1 below); make sure you understand how to do that. Composite numbers with no witness are called Carmichael numbers. It is a deep theorem that there are infinitely many Carmichael numbers, so there is no hope of using the Fermat compositeness test (which is very fast) by itself as a primality test.

We can refine the Fermat compositeness test to give a fast, probabilistic primality test. The starting point is the observation that if p is an odd prime then $p - 1$ is even, so we can write $p - 1 = 2m$ for some integer m. Then FLT says that for any a with $\gcd(a, p) = 1$ we have $(a^m)^2 \equiv 1 \pmod p$, in which case (see PS#3) $a^m \equiv \pm 1 \pmod p$. If $a^m \equiv -1 \pmod p$ then there is nothing else we can do; ditto if m is odd. But if m is even and $a^m \equiv 1 \pmod p$, then we can repeat this process. Formalizing this process we arrive at the Miller-Rabin test. Let $n > 1$ be an odd number. Write $n - 1 = 2^k q$ with q odd. Suppose that both of the following conditions hold:
(i) $a^q \not\equiv 1 \pmod n$, and
(ii) none of the numbers $a^q, a^{2q}, \dots$
$, a^{2^{k-1} q}$ is congruent to $-1 \pmod n$. Then n is composite.

If $n > 1$ is odd and composite and a satisfies the two conditions above, we say that a is a Miller-Rabin witness for the compositeness of n. And if $n > 1$ is odd and composite and passes the Miller-Rabin test for a (i.e. at least one of conditions (i), (ii) fails), we say that n is a strong pseudoprime to base a. Unlike the case of the Fermat compositeness test, we have the following result (which we did not prove in class): Let $n > 1$ be an odd composite number. Then at least 3/4 of the numbers between 1 and $n - 1$ are Miller-Rabin witnesses for n. Thanks to this result, we can turn the Miller-Rabin test into a very practical and efficient probabilistic primality testing algorithm.

Footnote 1: The solution to #3.13(a) hinges upon an observation I stated and made use of many times: to solve one or more congruences where the modulus is composite, it is often easier to first factor the modulus into a product of powers of distinct primes, study the system of congruences modulo each prime power (among other things, the new modulus will be smaller, and if the new modulus happens to be a prime then we can use e.g. FLT), and then piece the final answer back together using the CRT.

6. FACTORIZATION

Unlike primality testing, at present we have no efficient algorithm, not even a probabilistic one, for factorization.
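The following Python code is an added example, not part of the review sheet, implementing the Fermat compositeness test (8) and the Miller-Rabin conditions (i), (ii) of Section 5, and then checking the claims made above in code: 3 is a witness for 341 while 2 is not, every base prime to 561 is a Fermat liar (so the Fermat test can never detect this Carmichael number), and yet 2 is already a Miller-Rabin witness for 561. The function names, the round count and the seeding of the random bases are my own choices.

```python
# Added example (not from the review sheet): Fermat test, Miller-Rabin, and the 341 / 561 checks.
# Function names, the default round count and the seeded random bases are my own choices.
from math import gcd
import random


def fermat_witness(b, n):
    """True if b is a witness to the compositeness of n, i.e. b^(n-1) ≢ 1 (mod n), eq. (8)."""
    return pow(b, n - 1, n) != 1


def miller_rabin_witness(a, n):
    """True if a is a Miller-Rabin witness for the odd number n > 2, i.e. both (i) and (ii) hold."""
    k, q = 0, n - 1
    while q % 2 == 0:                  # write n - 1 = 2^k * q with q odd
        k += 1
        q //= 2
    x = pow(a, q, n)
    if x == 1 or x == n - 1:           # (i) fails, or (ii) fails already at a^q
        return False
    for _ in range(k - 1):             # a^(2q), a^(4q), ..., a^(2^(k-1) q) by repeated squaring
        x = x * x % n
        if x == n - 1:                 # (ii) fails
            return False
    return True


def is_probable_prime(n, rounds=20, seed=None):
    """Miller-Rabin with random bases; a composite n survives a round with probability <= 1/4,
    so 20 rounds leave at most a 4^-20 chance of a wrong 'prime' answer."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if miller_rabin_witness(a, n):
            return False
    return True


def fermat_liars(n):
    """Bases b in (Z/n)^x for which n passes the Fermat test; for a Carmichael number this is
    all of (Z/n)^x, i.e. phi(n) bases, so the Fermat test never detects it."""
    return [b for b in range(1, n) if gcd(b, n) == 1 and not fermat_witness(b, n)]
```

`len(fermat_liars(561))` is 320, which is $\varphi(561) = 2 \cdot 10 \cdot 16$: no base prime to 561 exposes it under (8), while `miller_rabin_witness(2, 561)` is already True. For a real primality check one would only ever call `is_probable_prime`; the exhaustive `fermat_liars` is there to make the Carmichael phenomenon visible on a small n.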
In class we discussed four different factorization algorithms, each with different strengths and weaknesses (and as I pointed out in class, none of these can factor a typical large number, say one with over 1000 binary digits; that is a topic of major current research):
• Trial division: good for picking out small prime factors, but for a general composite number n it could take up to $\sqrt n$ steps before we pick out a prime factor;
• Difference of squares: good for factoring integers with two factors a, b which are 'close';
• Pollard $p - 1$ test: good for picking out prime factors p for which all prime factors of $p - 1$ are small;
• Pollard Rho test: good for 'low-intermediate' size factors; has low memory requirements.
We will discuss the last three algorithms in a bit more detail shortly, but what you should keep in mind is that the strengths of these algorithms collectively have non-trivial implications for the primes p, q we can use in RSA.

Difference of squares. If $n = ab$ with $a \ge b$ (and n odd, so that a and b are odd), then with $X = (a + b)/2$ and $Y = (a - b)/2$ we have $n = X^2 - Y^2$; the converse also holds, since $X^2 - Y^2 = (X - Y)(X + Y)$ gives $a = X + Y$ and $b = X - Y$. Since $a \ge b$, we have $X \ge \sqrt n$, so if n is not a perfect square then $X \ge X_0 := \lfloor \sqrt n \rfloor + 1$. To apply the difference of squares method, we start with $X = X_0$ and test whether or not $X^2 - n$ is a perfect square; if so, use the converse formulae above to recover a and b; if not, increase X by 1 and repeat. This could take many steps (about $(a + b)/2 - \sqrt n$ of them) to factor n. On the other hand, if a, b are very close then Y is tiny, in which case it would not take very long (cf. for example problem #3.23 in PS#6).

Pollard $p - 1$ method. Basic idea: if p is a divisor of n such that all prime divisors of $p - 1$ are small, then we should be able to find a small m with $(p - 1) \mid m$, in which case Fermat's Little Theorem would give $a^m \equiv 1 \pmod p$. But then p would divide $\gcd(n, a^m - 1)$. With luck this gcd would then give you a proper factor of n.
• choose an integer k which is a multiple of all integers $\le B$ for some pre-arranged bound B (e.g.
$k = B!$, or k = the LCM of all integers $\le B$);
• choose an integer a between 2 and $n - 2$ which is prime to n (do you know why we want to avoid $a = 1$ or $n - 1$?);
• set $b \equiv a^k \pmod n$ (by fast exponentiation, of course; we must work mod n, since p is unknown);
• set $d = \gcd(n, b - 1)$;
• we are done if d is a non-trivial divisor of n; otherwise try a different a and/or a bigger B.

Pollard ρ method. Basic idea: fix a polynomial, such as $f(x) = x^2 + 1$, plus an initial value, such as $x_0 = 2$. Then generate a sequence $x_{i+1} := f(x_i) \pmod n$. Note that $x_{i+1}$ depends solely on $x_i \pmod n$. Since there are at most n distinct possible values for $x_i$, the sequence $x_0, x_1, x_2, \dots$ eventually becomes periodic (whence the loop in 'ρ'). In symbols that means $x_i \equiv x_j \pmod n$ for some $i \ne j$. If n has a proper prime divisor p, then the sequence $x_i \pmod p$ will also be eventually periodic, but perhaps (with luck!) with a shorter period. That means by computing lots of gcds like $\gcd(n, x_i - x_j)$, with luck we might be able to pick out p.

Recall that trial division always finds a factor (if there is one) in no more than $\sqrt n$ steps. From the Birthday paradox, heuristically the Pollard ρ method finds a factor in about $\sqrt[4]{n}$ steps.

Example. Factor $n = 4087$ using $f(x) = x^2 + x + 1$ and $x_0 = 2$.
(1) $x_1 = f(2) = 7$; $\gcd(x_1 - x_0, n) = \gcd(7 - 2, 4087) = 1$;
(2) $x_2 = f(7) = 57$; $\gcd(x_2 - x_1, n) = \gcd(57 - 7, 4087) = 1$;
(3) $x_3 = f(57) = 3307$; $\gcd(x_3 - x_1, n) = 1$;
(4) $x_4 = f(3307) \equiv 2745 \pmod{4087}$; $\gcd(x_4 - x_3, n) = 1$;
(5) $x_5 = f(2745) \equiv 1343 \pmod{4087}$; $\gcd(x_5 - x_3, n) = 1$;
(6) $x_6 = f(1343) \equiv 2626 \pmod{4087}$; $\gcd(x_6 - x_3, n) = 1$;
(7) $x_7 = f(2626) \equiv 3734 \pmod{4087}$; $\gcd(x_7 - x_3, n) = 61$.
Thus $4087 = 61 \times 67$.

Note: In practice you do not test the gcd of n with all the differences $x_i - x_j$; that would be too many tests! To cut down the number of pairs involved, use Floyd's cycle-finding algorithm, i.e. it suffices to find i so that $\gcd(x_{2i} - x_i, n) > 1$ (that is, $x_i \equiv x_{2i} \pmod p$ for the unknown prime p).
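The following Python code is an added example, not part of the review sheet, implementing the three factoring methods of Section 6 and running them on the $n = 4087$ of the worked example: the difference-of-squares walk from $X_0$, Pollard $p - 1$ with $k = B!$ accumulated one factor at a time, and Pollard ρ with Floyd's cycle finding (tortoise $x_i$, hare $x_{2i}$). The function names are my own choices; the default $f(x) = x^2 + 1$, $x_0 = 2$ are the ones suggested in the text, and the text's own $f(x) = x^2 + x + 1$ can be passed in instead.

```python
# Added example (not from the review sheet): difference of squares, Pollard p-1 and Pollard rho.
# Function names are my own choices.
from math import gcd, isqrt


def fermat_factor(n):
    """Difference of squares for odd n: X = floor(sqrt n) + 1, +1, ... until X^2 - n is a square;
    then n = (X - Y)(X + Y). Returns (b, a) with b <= a. Runs for a long time if a, b are far apart."""
    x = isqrt(n) + 1
    while True:
        y2 = x * x - n
        y = isqrt(y2)
        if y * y == y2:
            return x - y, x + y
        x += 1


def pollard_pm1(n, B, a=2):
    """Pollard p - 1 with k = B!: b = a^(B!) mod n is built one factor of B! at a time, so k itself
    is never written out. Returns gcd(n, b - 1) if it is a proper factor, else None (raise B or change a)."""
    if gcd(a, n) != 1:
        return gcd(a, n)               # lucky: a itself shares a factor with n
    b = a
    for m in range(2, B + 1):
        b = pow(b, m, n)
    d = gcd(n, b - 1)
    return d if 1 < d < n else None


def pollard_rho(n, f=None, x0=2):
    """Pollard rho with Floyd's cycle finding: x runs through x_1, x_2, ..., y through x_2, x_4, ...,
    and each step tests gcd(x_2i - x_i, n). Returns a proper factor, or None if the gcd jumped
    straight to n (the two sequences collided mod every prime at once: try another f or x0)."""
    if f is None:
        f = lambda v: v * v + 1
    x = y = x0
    d = 1
    while d == 1:
        x = f(x) % n                   # tortoise: one step
        y = f(f(y) % n) % n            # hare: two steps
        d = gcd(abs(x - y), n)
    return d if d != n else None
```

On 4087, `fermat_factor` succeeds at the very first X (64, since $64^2 - 4087 = 9$) because 61 and 67 are close; `pollard_pm1(4087, 5)` finds 61 because $60 = 2^2 \cdot 3 \cdot 5$ divides $5! = 120$ while $66 = 2 \cdot 3 \cdot 11$ does not, and with $B = 3$ it finds nothing; `pollard_rho` finds 67 with the default $f$ after 8 Floyd steps and 61 with the text's $f(x) = x^2 + x + 1$ after 4.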
A clever little trick to compute $x_{2i} - x_i$ without storing all the x's:
  x <- x_1; y <- f(x_1);
  while x ≠ y do
    x <- f(x);
    y <- f(y); y <- f(y);
  end do
(Here x runs through $x_1, x_2, x_3, \dots$ and y through $x_2, x_4, x_6, \dots$; for factoring, replace the test $x \ne y$ by $\gcd(x - y, n) = 1$.)

7. PROTOCOLS

With regard to the various protocols discussed in class, of course you should know how these schemes work and how to carry them out by hand. But equally importantly (if not more so!), make sure you understand how the number theory comes in and how the arithmetic influences the implementation of these algorithms.

Note: The Midterm will not cover coin-flipping, zero-knowledge proofs, bit commitment, and key distribution.

RSA Cryptosystem. Say Alice wants to send an encrypted message to Bob:
• Bob picks distinct primes p, q and an integer e with $(e, \varphi(pq)) = 1$, and makes public $n = pq$ and e;
• Alice takes her message M (an integer with $0 \le M < n$), encrypts it as $E := M^e \pmod n$, and sends E to Bob;
• Bob decrypts this by
  – finding d so that $de \equiv 1 \pmod{\varphi(n)}$;
  – computing $E^d \pmod n$.
Note:
• do not recycle n;
• beware of repeated encryptions;
• other ways to break RSA...

ElGamal cryptosystem.
• Public data: a large prime p and a primitive root $\alpha \pmod p$. Also, each user picks a secret key a and makes public $A := \alpha^a \pmod p$.
• To send a message $M \in (\mathbb{Z}/p)^\times$ to the user Alice, Bob needs to do the following:
  – pick a random $k \in \mathbb{Z}$ with $\gcd(p - 1, k) = 1$;
  – send the following pair of elements of $(\mathbb{Z}/p)^\times$: $(c_1 := \alpha^k \pmod p,\ c_2 := M A^k \pmod p)$, where A is Alice's public key;
  – NOTE: the sender does NOT have to know a to carry out this transmission!
• Since Alice knows her secret key a, to read this message she simply computes $c_2 \cdot c_1^{-a} \pmod p$.
• An outsider would have a hard time reading Alice's message since he cannot compute $c_1^{-a} \pmod p$ from the public information A and the intercepted $c_1 = \alpha^k$.

Other topics I have not mentioned in this writeup but you need to know:
• Diffie-Hellman key exchange
• Shamir's (secret sharing) scheme, via Lagrange interpolation
• various ways to attack these protocols; how (not) to choose parameters
• how to make optimal choices of parameters in RSA, and how to use the Prime Number Theorem to estimate the number of such optimal parameters
• ...

Practice Problems for Math 471 Midterm, Fall 2014.

These problems serve to give you additional practice on the course material and to give you an idea of the kind and variety of questions you might encounter on your actual exam. There are more problems here than you can be expected to complete during your actual exam, and your midterm WILL have problems different from the ones below.

#1. Solve the congruence $4x^2 + 3x + 7 \equiv 7 \pmod{91}$.
#2. Compute $2^{340} \pmod{19}$. Show your work.
#3. Solve the following system of congruences. Show your work!
  $x \equiv 3 \pmod{13}, \quad x \equiv 4 \pmod 6, \quad x \equiv 2 \pmod{10}.$
#4. Find all pairs of integers x, y so that $\gcd(408, 312) = 408x + 312y$. Show your work.
#5. Let p be an ODD prime. By pairing up elements mod p with their multiplicative inverses, show that $(p - 1)! \equiv -1 \pmod p$.
#6. True or false (and why):
  (1) $\varphi(n)$ is even for every $n > 2$.
  (2) If $\gcd(a, b) = 1$ and $\gcd(b, c) = 1$, then $\gcd(a, c) = 1$.
  (3) If $\gcd(a, b) > 1$ and $\gcd(b, c) > 1$, then $\gcd(a, c) > 1$.
  (4) The affine cipher $x \mapsto 3x - 4 \pmod{56}$ does not encrypt any message (viewed as a number mod 56) back to itself.
  (5) If $\gcd(a, b) = 1$, then the equation $ax + by = 1$ has a unique integer solution $(x, y)$.
  Note: Your midterm will not have T/F problems; you must justify your answers!
#7.
Use mathematical induction to show that if n is a positive integer, then $2^n$ divides $(n + 1) \times (n + 2) \times \cdots \times (2n)$.
#8. Prove or disprove: $\gcd(n, \varphi(n)) = 1$ if and only if n is a prime.
#9. Determine all integers n so that $\varphi(n) = 10$. Explain your reasoning.
#10. Let p, q be distinct primes. Let $a \in \mathbb{Z}$ be a non-zero integer with $(a, p) = (a, q) = 1$. Show that $a^{pq - 1} \equiv a^{p-1} a^{q-1} \pmod{pq}$.
#11. Determine all possible pairs $(\alpha \pmod 6, \beta \pmod{10})$ for which the following system of congruences is solvable:
  $x \equiv 3 \pmod{13}, \quad x \equiv \alpha \pmod 6, \quad x \equiv \beta \pmod{10}.$
  NOTE: you do not have to actually find the integer solutions x.
#12. Fix b prime to p. Show that the congruence $x^k \equiv b \pmod p$ is solvable if and only if $b^{(p-1)/d} \equiv 1 \pmod p$, where $d := \gcd(k, \varphi(p))$.
#13. Solve the congruence $4x^9 \equiv 7 \pmod{13}$.
#14. Show that 1729 is a Carmichael number.
#15. Let m be a primitive root modulo an odd prime p. Show that, for any prime $q \mid (p - 1)$, we must have $m^{(p-1)/q} \not\equiv 1 \pmod p$.
#16. Let p be an odd prime, and let $\pi$ be a primitive root mod p. Show that $\log_\pi(-1) = (p - 1)/2$.
#17. Prove that if p is a prime and $x^2 \equiv y^2 \pmod p$, then $x \equiv \pm y \pmod p$. Note: in general this is false if p is not prime!
#18. Does $b^{\varphi(35)/3} \equiv 1 \pmod{35}$ imply that b is a perfect cube mod 35?
#19. Show that $\varphi(n) = n/3$ if and only if n is divisible by 2 and 3 and by no other primes.
#20. (a) Compute $\varphi(p^2)$ where p is a prime. (b) Show that $p^2$ is a pseudoprime to base b if and only if $b^{p-1} \equiv 1 \pmod{p^2}$. (c) Show that if $p^2$ is a pseudoprime to base b and p is odd, then it is also a strong pseudoprime to base b.
#21. Make sure you know how to carry out the Pollard $p - 1$ test, Fermat factorization, the Fermat compositeness test, Miller-Rabin, RSA, ElGamal, etc.
#22. For any odd integer n and any integer $a \ge 3$, show that $n^{2^{a-2}} \equiv 1 \pmod{2^a}$. (Hint: what does it mean for n to be odd? What happens then if you raise n to some power?)
#23.
Let t, n be positive integers with $n > 1$, and suppose there exists a primitive root mod n. Show that if $t \mid \varphi(n)$ then $x^t \equiv 1 \pmod n$ has exactly t distinct roots mod n.
#24. Let p be a prime. Show that there exists $x \not\equiv 1 \pmod p$ with $x^3 \equiv 1 \pmod p$ if and only if $p \equiv 1 \pmod 3$.
#25. Prove that if n is a pseudoprime to base 2, then $2^n - 1$ is a strong pseudoprime to base 2.
#26. Let n be an integer not divisible by 3. Show that $n^7 \equiv n \pmod{63}$.
#27. For any positive integers A, B, show that $\mathrm{LCM}(A, B) \cdot \gcd(A, B) = AB$.
#28. If $\gcd(\mathrm{ord}_p(\alpha), \mathrm{ord}_p(\beta)) = 1$, show that $\mathrm{ord}_p(\alpha\beta) = \mathrm{ord}_p(\alpha) \cdot \mathrm{ord}_p(\beta)$.
#29. Prove or explain why it is false: $(\mathbb{Z}/35)^\times$ has an element of order 5.
#30. What is the order of 2 in $(\mathbb{Z}/49)^\times$?
#31. Find all bases $b \in (\mathbb{Z}/561)^\times$ such that 561 is a strong pseudoprime to base b.
#32. Use the Pollard ρ test to factor $n = 7031$ using $f(x) = x^2 - 1$, $x_0 = 5$.
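The following Python code is an added example, not part of the review sheet, for the RSA and ElGamal schemes of Section 7 (and practice problem #21): key generation with $d \equiv e^{-1} \pmod{\varphi(n)}$, encryption and decryption on both sides, the ElGamal exchange as the pair $(c_1, c_2)$ with decryption $c_2 c_1^{-a}$, and the "repeated encryption" caveat made concrete: re-encrypting a ciphertext until it returns to itself exposes the plaintext one step earlier, because $x \mapsto x^e$ has finite order on $(\mathbb{Z}/n)^\times$. The tiny primes, the messages and the function names are my own choices; real parameters are vastly larger.

```python
# Added example (not from the review sheet): toy RSA and ElGamal, plus the RSA cycling caveat.
# The small primes, messages and function names are my own choices.
from math import gcd


def rsa_keygen(p, q, e):
    """Bob's keys: public (n, e) and private d with d*e ≡ 1 (mod phi(n)), phi(pq) = (p-1)(q-1)."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    assert p != q and gcd(e, phi_n) == 1
    return (n, e), pow(e, -1, phi_n)


def rsa_encrypt(M, pub):
    """Alice: E = M^e mod n, 0 <= M < n."""
    n, e = pub
    return pow(M, e, n)


def rsa_decrypt(E, pub, d):
    """Bob: M = E^d mod n."""
    n, _ = pub
    return pow(E, d, n)


def rsa_cycle_attack(E, pub):
    """Repeated encryption: raise E to the e-th power again and again until the value returns to E;
    the value one step before that is the plaintext, since M^(e^k) = M forces E^(e^(k-1)) = M.
    The number of steps is small exactly when e has small order modulo lcm(p-1, q-1)."""
    n, e = pub
    prev, cur, steps = E, pow(E, e, n), 1
    while cur != E:
        prev, cur, steps = cur, pow(cur, e, n), steps + 1
    return prev, steps


def elgamal_encrypt(M, p, alpha, A, k):
    """Bob -> Alice: (c1, c2) = (alpha^k, M * A^k) mod p; needs only Alice's public A, not her a."""
    return pow(alpha, k, p), M * pow(A, k, p) % p


def elgamal_decrypt(c1, c2, p, a):
    """Alice: M = c2 * c1^(-a) mod p, using her secret a."""
    return c2 * pow(c1, -a, p) % p
```

With $p = 61$, $q = 53$, $e = 17$ one gets $n = 3233$, $d = 2753$, and $M = 65$ encrypts to 2790; `rsa_cycle_attack(2790, (3233, 17))` recovers 65 without d. For ElGamal with $p = 29$, $\alpha = 2$ and Alice's secret $a = 5$ (so $A = 3$), sending $M = 11$ with $k = 9$ produces $(c_1, c_2) = (19, 28)$, and Alice's $c_2 c_1^{-5}$ gives 11 back.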