COMP 547: Assignment 1 Solutions

More documents

Recommendations

Info

Combining these two directions proves that f(a) ∈ QR p if and only if a does not give the key to √ x. Lemma 2: f is a one-to-one function. Proof: Suppose, for the sake of deriving a contradiction, that there exist two elements i, j ∈ {1, 2, . . . , p − 1}\{ √ x, p − √ x}, i ≠ j, such that f(i) = f(j) = g. Then, by the definition of f, (i − √ x)g ≡ i + √ x (mod p) and (j − √ x)g ≡ j + √ x (mod p). Combining these two results, we obtain the following sequence of statements: (NB: Here, we use some multiplicative cancellation. This is valid, since gcd(p, x) = 1 for any integer x, given that p is prime. We also know that it is not the case that i− √ x ≡ 0 (mod p) or j− √ x ≡ 0 (mod p), since i, j /∈ { √ x, p − √ x} and it is not the case that g ≡ 0 (mod p), since f’s range is {2, 3, . . . , p − 1}.) (i − √ x)(j + √ x)g ≡ (i + √ x)(j − √ x)g (mod p) (i − √ x)(j + √ x) ≡ (i + √ x)(j − √ x) (mod p) ij + i √ x − j √ x − x ≡ ij − i √ x + j √ x − x (mod p) i √ x − j √ x ≡ −i √ x + j √ x (mod p) √ x(i − j) ≡ √ x(j − i) (mod p) i − j ≡ j − i (mod p) 2i ≡ 2j (mod p) i ≡ j (mod p) Since i, j ∈ {1, 2, . . . , p − 1}, this last result can occur only if i = j. This contradicts our assumption that i ≠ j. Therefore, we conclude that there cannot exist two elements i, j ∈ {1, 2, . . . , p−1}, i ≠ j, such that f(i) = f(j). This establishes that f is a one-to-one function. Lemma 3: If p ≡ 1 (mod 4), then p − 1 ∈ QR p . Proof: We know that x ∈ QR p if and only if x p−1 2 ≡ 1 (mod p). Let x = p−1. Then p−1 ∈ QR p if and only if (p−1) p−1 2 ≡ 1 (mod p). Since p ≡ 1 (mod 4), we know that 4|p−1, so 4k = p−1 for some integer k. Then p − 1 ∈ QR p if and only if (4k) 2k ≡ 1 (mod 4k + 1). Note that for any integer b, (b + 1)(b − 1) = b 2 − 1. So (b + 1)|(b 2 − 1). So b 2 ≡ 1 (mod b + 1). Thus, (4k) 2 ≡ 1 (mod 4k + 1), and it immediately follows that (4k) 2k ≡ 1 (mod 4k + 1). This was our condition for p − 1 being in QR p . Thus, we can conclude that p − 1 ∈ QR p . 34
Now, armed with these lemmas, let us address the problem itself. If a gives the key to √ x and a is in f’s domain {1, 2, . . . , p − 1}\{ √ √ x, p − x}, then f(a) /∈ QRp , by lemma 1. We know that exactly half of the integers between 1 and p − 1 are in QR p and exactly half of them are not in QR p . Since 1 ∈ QR p , the number of integers between 2 and p − 1 that are not in QR p is still p−1 2 . Since, by lemma 3, p−1 ∈ QR p, the number of integers between 2 and p − 2 that are not in QR p is still p−1 2 . Thus, there are p−1 2 integers in f’s range that are not in QR p . Since, by lemma 2, f is a one-to-one function, we know that of the integers in f’s domain, exactly p−1 2 get mapped to integers that are not in QR p and thus, by lemma 1, give the key to √ x. The values that a can assume that are not in f’s domain, √ x and p − √ x, are square roots of x modulo p. Thus, these values also give the key to √ x. This contributes two more values that give the key to √ x. Thus, √ the total number of values that a can assume that give the key to x is p−1 2 + 2 = p+3 2 . 15. We assume that the prime number theorem is exactly correct for all powers of two, that is, the number of primes not exceeding 2 m for any m is equal to 2m ln 2 , or, expressed another way, π(2 m ) = 2m m m ln 2 . Picking a random m-bit integer n such that gcd(n, 6) = 1 can very easily be done probabilistically as follows: (a) Pick a random m-bit integer n. (b) Using the Euclidean algorithm, test if gcd(n, 6) = 1. If yes, return n. Otherwise, go to step (a). The Euclidean algorithm is efficient, so this procedure yields fruit quite quickly. Since we are picking an m-bit integer, there are a total of 2 m integers we could pick. By the prime number theorem, exactly 2m m ln 2 of these integers are prime. Of the 2 m integers we are considering, half are divisible by two, one third are divisible by three and one sixth are divisible by six. Thus, culling those integers that are not relatively prime to 6, we are left with 2 m − 2m 2 − 2m 3 + 2m 6 = 2m − 2 3 2m = 2m 3 integers, both prime and composite. Obviously, we did not cull any prime numbers, so 2m m ln 2 of our remaining integers are still prime. We know that if n is composite, the procedure Rabin-Miller prime(n,k) returns prime with a probability of at most ( 1 k. 4) Thus, the probability of choosing a composite n from our culled integers is ( 2 m 3 − 2m m ln 2 2) / 2m 3 = ( 1 − 3 m ln 2) , so the probability that our procedure picks a composite n that Rabin-Miller prime(n,k) falsely identifies as prime is at most ( ) 1 − 3 1 m ln 2 . 4 k 35
Page 1 and 2: COMP 547: Assignment 1 Solutions Oc
Page 3 and 4: + x^277 + x^276 + x^275 + x^272 + x
Page 5 and 6: g := x^997 + x^996 + x^994 + x^991
Page 7 and 8: We know that the distinct powers of
Page 9 and 10: + x^790 + x^788 + x^784 + x^783 + x
Page 11 and 12: The following Maple function comput
Page 13 and 14: a:= 0; b:= 0; while not (a = -1 and
Page 15 and 16: 21284645683965405414161580243440656
Page 17 and 18: 17819930918348761695484963068116150
Page 19 and 20: 38925360540593985506091325701956938
Page 21 and 22: 5471234567945 is in QR_n (root of x
Page 23 and 24: 5471234567962 is not in QR_n (root
Page 25 and 26: 5471234567979 is not in QR_n (root
Page 27 and 28: integers in X fall into either of t
Page 29 and 30: There are simply too many condition
Page 31 and 32: (a + √ x) p−1 2 (a − √ x) p
Page 33: Thus, if rootLV fails, then a does

COMP 547: Assignment 1 Solutions

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?