Number theory - CRC Press has granted the following speciﬁc permissions for the electronic vers

2.4.1 The integers

The set of integers{. . . ,−3,−2,−1,0,1,2,3, . . .}is denoted by the symbolZ.

2.79 Definition Leta,bbe integers. Thenadividesb(equivalently:ais adivisorofb, orais afactorofb) if there exists an integercsuch thatb=ac. Ifadividesb, then this is denoted bya|b.

2.80 Example (i)−3|18, since18 = (−3)(−6). (ii)173|0, since0 = (173)(0).

The following are some elementary properties of divisibility.

2.81 Fact (properties of divisibility) For alla,b,c∈Z, the following are true:

(i) a|a.

(ii) Ifa|bandb|c, thena|c.

(iii) Ifa|banda|c, thena|(bx+cy)for allx, y∈Z.

(iv) Ifa|bandb|a, thena=±b.

2.82 Definition (division algorithm for integers) Ifaandbare integers withb ≥ 1, then or-dinary long division ofabybyields integersq(thequotient) andr(theremainder) such that

a=qb+r, where0≤r < b.

Moreover,qandrare unique. The remainder of the division is denotedamodb, and the quotient is denotedadivb.

2.83 Fact Leta, b∈Zwithb= 0. Thenadivb=a/bandamodb=a−ba/b.

2.84 Example Ifa = 73,b = 17, thenq = 4andr = 5. Hence73 mod 17 = 5and

73 div 17 = 4.

2.85 Definition An integercis acommon divisorofaandbifc|aandc|b.

2.86 Definition A non-negative integerdis thegreatest common divisorof integersaandb, denotedd= gcd(a, b), if

(i) dis a common divisor ofaandb; and (ii) wheneverc|aandc|b, thenc|d.

Equivalently,gcd(a, b)is the largest positive integer that divides bothaandb, with the ex-ception thatgcd(0,0) = 0.

2.87 Example The common divisors of12and18are{±1,±2,±3,±6}, andgcd(12,18) = 6.

2.88 Definition A non-negative integerdis theleast common multipleof integersaandb,

de-notedd= lcm(a, b), if (i) a|dandb|d; and

(ii) whenevera|candb|c, thend|c.

Equivalently,lcm(a, b)is the smallest non-negative integer divisible by bothaandb.

2.89 Fact Ifaandbare positive integers, thenlcm(a, b) =a·b/gcd(a, b).

2.90 Example Sincegcd(12,18) = 6, it follows thatlcm(12,18) = 12·18/6 = 36.

2.91 Definition Two integersaandbare said to berelatively primeorcoprimeifgcd(a, b) = 1.

2.92 Definition An integerp≥2is said to beprimeif its only positive divisors are 1 andp.

Otherwise,pis calledcomposite.

The following are some well known facts about prime numbers.

2.93 Fact Ifpis prime andp|ab, then eitherp|aorp|b(or both).

2.94 Fact There are an infinite number of prime numbers.

2.95 Fact (prime number theorem) Letπ(x)denote the number of prime numbers≤x. Then

x→∞lim π(x) x/lnx= 1.

This means that for large values ofx, π(x) is closely approximated by the expres-sionx/lnx. For instance, whenx= 10¹⁰,π(x) = 455,052,511, whereasx/lnx = 434,294,481. A more explicit estimate forπ(x)is given below.

2.96 Fact Letπ(x)denote the number of primes≤x. Then forx≥17 π(x)> x

lnx and forx >1

π(x)<1.25506 x lnx.

2.97 Fact (fundamental theorem of arithmetic) Every integern ≥ 2has a factorization as a product of prime powers:

n=pê₁¹pê₂²· · ·pê_k^k,

where thep_iare distinct primes, and thee_iare positive integers. Furthermore, the factor-ization is unique up to rearrangement of factors.

2.98 Fact Ifa=pê₁¹pê₂²· · ·pê_k^k,b=p^f₁¹p^f₂²· · ·p^f_k^k, where eache_i≥0andf_i≥0, then gcd(a, b) =p^min(e₁ ¹^,f¹⁾p^min(e₂ ²^,f²⁾· · ·p^min(e_k ^k^,f^k⁾

and

lcm(a, b) =p^max(e₁ ¹^,f¹⁾p^max(e₂ ²^,f²⁾· · ·p^max(e_k ^k^,f^k⁾.

2.99 Example Leta= 4864 = 2⁸·19,b= 3458 = 2·7·13·19. Thengcd(4864,3458) = 2·19 = 38andlcm(4864,3458) = 2⁸·7·13·19 = 442624.

2.100 Definition Forn≥1, letφ(n)denote the number of integers in the interval[1, n]which are relatively prime ton. The functionφis called theEuler phi function(or theEuler totient function).

2.101 Fact (properties of Euler phi function) (i) Ifpis a prime, thenφ(p) =p−1.

(ii) The Euler phi function ismultiplicative. That is, ifgcd(m, n) = 1, thenφ(mn) = φ(m)·φ(n).

(iii) Ifn=pê₁¹pê₂²· · ·pê_k^kis the prime factorization ofn, then φ(n) =n

1− 1

p₁ 1− 1 p₂

· · ·

1− 1 p_k

. Fact 2.102 gives an explicit lower bound forφ(n).

2.102 Fact For all integersn≥5,

φ(n)> n 6 ln lnn.

2.4.2 Algorithms in Z

Letaandbbe non-negative integers, each less than or equal ton. Recall (Example 2.51) that the number of bits in the binary representation ofnislgn+ 1, and this number is approximated bylgn. The number of bit operations for the four basic integer operations of addition, subtraction, multiplication, and division using the classical algorithms is summa-rized in Table 2.1. These algorithms are studied in more detail in§14.2. More sophisticated techniques for multiplication and division have smaller complexities.

Operation Bit complexity

Addition a+b O(lga+ lgb) =O(lgn) Subtraction a−b O(lga+ lgb) =O(lgn) Multiplication a·b O((lga)(lgb)) =O((lgn)²) Division a=qb+r O((lgq)(lgb)) =O((lgn)²)

Table 2.1:Bit complexity of basic operations inZ.

The greatest common divisor of two integersaandbcan be computed via Fact 2.98.

However, computing a gcd by first obtaining prime-power factorizations does not result in an efficient algorithm, as the problem of factoring integers appears to be relatively diffi-cult. The Euclidean algorithm (Algorithm 2.104) is an efficient algorithm for computing the greatest common divisor of two integers that does not require the factorization of the integers. It is based on the following simple fact.

2.103 Fact Ifaandbare positive integers witha > b, thengcd(a, b) = gcd(b, amodb).

2.104 AlgorithmEuclidean algorithm for computing the greatest common divisor of two integers INPUT: two non-negative integersaandbwitha≥b.

OUTPUT: the greatest common divisor ofaandb.

1. Whileb= 0do the following:

1.1 Setr←amodb, a←b, b←r.

2. Return(a).

2.105 Fact Algorithm 2.104 has a running time ofO((lgn)²)bit operations.

2.106 Example (Euclidean algorithm) The following are the division steps of Algorithm 2.104 for computinggcd(4864,3458) = 38:

4864 = 1·3458 + 1406 3458 = 2·1406 + 646 1406 = 2·646 + 114

646 = 5·114 + 76 114 = 1·76 + 38

76 = 2·38 + 0.

The Euclidean algorithm can be extended so that it not only yields the greatest common divisordof two integersaandb, but also integersxandysatisfyingax+by=d.

2.107 AlgorithmExtended Euclidean algorithm

INPUT: two non-negative integersaandbwitha≥b.

OUTPUT:d= gcd(a, b)and integersx,ysatisfyingax+by=d.

1. Ifb= 0then setd←a, x←1, y←0, and return(d,x,y).

2. Setx₂←1, x₁←0, y₂←0, y₁←1.

3. Whileb >0do the following:

3.1 q←a/b, r←a−qb, x←x₂−qx₁, y←y₂−qy₁. 3.2 a←b, b←r, x₂←x₁, x₁←x, y₂←y₁, and y₁←y.

4. Setd←a, x←x₂, y←y₂, and return(d,x,y).

2.108 Fact Algorithm 2.107 has a running time ofO((lgn)²)bit operations.

2.109 Example (extended Euclidean algorithm) Table 2.2 shows the steps of Algorithm 2.107 with inputsa = 4864andb = 3458. Hencegcd(4864,3458) = 38and(4864)(32) +

(3458)(−45) = 38.

q r x y a b x2 x1 y2 y1

− − − − 4864 3458 1 0 0 1

1 1406 1 −1 3458 1406 0 1 1 −1

2 646 −2 3 1406 646 1 −2 −1 3

2 114 5 −7 646 114 −2 5 3 −7

5 76 −27 38 114 76 5 −27 −7 38

1 38 32 −45 76 38 −27 32 38 −45

2 0 −91 128 38 0 32 −91 −45 128

Table 2.2:Extended Euclidean algorithm (Algorithm 2.107) with inputsa= 4864,b= 3458. Efficient algorithms for gcd and extended gcd computations are further studied in§14.4.

2.4.3 The integers modulo n

Letnbe a positive integer.

2.110 Definition Ifaandbare integers, thenais said to becongruent tobmodulon, written a≡b (modn), ifndivides(a−b). The integernis called themodulusof the congruence.

2.111 Example (i)24≡9 (mod 5)since24−9 = 3·5.

(ii)−11≡17 (mod 7)since−11−17 =−4·7.

2.112 Fact (properties of congruences) For alla,a₁,b,b₁,c∈Z, the following are true.

(i) a≡b (modn)if and only ifaandbleave the same remainder when divided byn.

(ii) (reflexivity)a≡a (modn).

(iii) (symmetry) Ifa≡b (modn)thenb≡a (modn).

(iv) (transitivity) Ifa≡b (modn)andb≡c (modn), thena≡c (modn).

(v) Ifa ≡ a₁ (modn)andb ≡ b₁ (modn), thena+b ≡ a₁+b₁ (modn)and ab≡a₁b₁ (modn).

Theequivalence classof an integerais the set of all integers congruent toamodulo n. From properties (ii), (iii), and (iv) above, it can be seen that for a fixednthe relation of congruence modulonpartitionsZinto equivalence classes. Now, ifa =qn+r, where 0≤r < n, thena≡r (modn). Hence each integerais congruent modulonto a unique integer between0andn−1, called theleast residueofamodulon. Thusaandrare in the same equivalence class, and sormay simply be used to represent this equivalence class.

2.113 Definition Theintegers modulon, denotedZn, is the set of (equivalence classes of) in-tegers{0,1,2, . . . , n−1}. Addition, subtraction, and multiplication inZnare performed modulon.

2.114 Example Z25 = {0,1,2, . . . ,24}. InZ25,13 + 16 = 4, since13 + 16 = 29 ≡ 4

(mod 25). Similarly,13·16 = 8inZ25.

2.115 Definition Leta∈ Zn. Themultiplicative inverseofamodulonis an integerx ∈Zn

such thatax≡1 (modn). If such anxexists, then it is unique, andais said to be invert-ible, or aunit; the inverse ofais denoted bya⁻¹.

2.116 Definition Leta, b∈Zn.Divisionofabybmodulonis the product ofaandb⁻¹modulo n, and is only defined ifbis invertible modulon.

2.117 Fact Leta∈Zn. Thenais invertible if and only ifgcd(a, n) = 1.

2.118 Example The invertible elements inZ9are1,2,4,5,7, and8. For example,4⁻¹ = 7

because4·7≡1 (mod 9).

The following is a generalization of Fact 2.117.

2.119 Fact Letd = gcd(a, n). The congruence equationax≡b (modn)has a solutionxif and only ifddividesb, in which case there are exactlydsolutions between0andn−1;

these solutions are all congruent modulon/d.

2.120 Fact (Chinese remainder theorem, CRT) If the integersn₁, n₂, . . . , n_kare pairwise rela-tively prime, then the system of simultaneous congruences

x ≡ a₁ (modn₁) x ≡ a₂ (modn₂)

...

x ≡ a_k (modn_k) has a unique solution modulon=n₁n₂· · ·n_k.

2.121 Algorithm (Gauss’s algorithm) The solutionxto the simultaneous congruences in the Chinese remainder theorem (Fact 2.120) may be computed asx=_k

i=1a_iN_iM_imodn, whereN_i = n/n_iandM_i = N_i⁻¹modn_i. These computations can be performed in O((lgn)²)bit operations.

Another efficient practical algorithm for solving simultaneous congruences in the Chinese remainder theorem is presented in§14.5.

2.122 Example The pair of congruencesx≡3 (mod 7),x≡7 (mod 13)has a unique

solu-tionx≡59 (mod 91).

2.123 Fact Ifgcd(n₁, n₂) = 1, then the pair of congruencesx≡a (modn₁),x≡a (modn₂) has a unique solutionx≡a (modn₁n₂).

2.124 Definition Themultiplicative groupofZnisZ^∗_n = {a ∈ Zn | gcd(a, n) = 1}.In particular, ifnis a prime, thenZ^∗_n={a|1≤a≤n−1}.

2.125 Definition TheorderofZ^∗_nis defined to be the number of elements inZ^∗_n, namely|Z^∗_n|.

It follows from the definition of the Euler phi function (Definition 2.100) that|Z^∗_n|= φ(n). Note also that ifa ∈ Z^∗_nandb∈ Z^∗_n, thena·b∈ Z^∗_n, and soZ^∗_nis closed under multiplication.

2.126 Fact Letn≥2be an integer.

(i) (Euler’s theorem) Ifa∈Z^∗_n, thena^φ(n)≡1 (modn).

(ii) Ifnis a product of distinct primes, and ifr≡s (modφ(n)), thena^r≡a^s (modn) for all integersa. In other words, when working modulo such ann, exponents can be reduced moduloφ(n).

A special case of Euler’s theorem is Fermat’s (little) theorem.

2.127 Fact Letpbe a prime.

(i) (Fermat’s theorem) Ifgcd(a, p) = 1, thena^p−1≡1 (modp).

(ii) Ifr ≡ s (modp−1), thena^r ≡ a^s (modp)for all integersa. In other words, when working modulo a primep, exponents can be reduced modulop−1.

(iii) In particular,a^p≡a (modp)for all integersa.

2.128 Definition Leta∈Z^∗_n. Theorderofa, denotedord(a), is the least positive integertsuch thata^t≡1 (modn).

2.129 Fact If the order ofa ∈ Z^∗_nist, anda^s ≡ 1 (modn), thentdividess. In particular, t|φ(n).

2.130 Example Letn = 21. ThenZ^∗₂₁ = {1,2,4,5,8,10,11,13,16,17,19,20}. Note that φ(21) =φ(7)φ(3) = 12 =|Z^∗₂₁|. The orders of elements inZ^∗₂₁are listed in Table 2.3.

a∈Z^∗₂₁ 1 2 4 5 8 10 11 13 16 17 19 20

order ofa 1 6 3 6 2 6 6 2 3 6 6 2

Table 2.3:Orders of elements inZ^∗21.

2.131 Definition Letα ∈ Z^∗_n. If the order ofαisφ(n), thenαis said to be ageneratoror a primitive elementofZ^∗_n. IfZ^∗_nhas a generator, thenZ^∗_nis said to becyclic.

2.132 Fact (properties of generators ofZ^∗_n)

(i) Z^∗_nhas a generator if and only ifn = 2,4, p^kor2p^k, wherepis an odd prime and k≥1. In particular, ifpis a prime, thenZ^∗_phas a generator.

(ii) Ifαis a generator ofZ^∗_n, thenZ^∗_n={αⁱmodn|0≤i≤φ(n)−1}.

(iii) Suppose thatαis a generator ofZ^∗_n. Thenb=αⁱmodnis also a generator ofZ^∗_n if and only ifgcd(i, φ(n)) = 1. It follows that ifZ^∗_nis cyclic, then the number of generators isφ(φ(n)).

(iv) α ∈ Z^∗_nis a generator ofZ^∗_nif and only ifα^φ(n)/p ≡ 1 (modn)for each prime divisorpofφ(n).

2.133 Example Z^∗₂₁is not cyclic since it does not contain an element of orderφ(21) = 12(see Table 2.3); note that21does not satisfy the condition of Fact 2.132(i). On the other hand,

Z^∗₂₅is cyclic, and has a generatorα= 2.

2.134 Definition Leta∈Z^∗_n.ais said to be aquadratic residuemodulon, or asquaremodulo n, if there exists anx∈Z^∗_nsuch thatx²≡a (modn). If no suchxexists, thenais called aquadratic non-residuemodulon. The set of all quadratic residues modulonis denoted byQ_nand the set of all quadratic non-residues is denoted byQ_n.

Note that by definition0∈Z^∗_n, whence0∈Q_nand0∈Q_n.

2.135 Fact Letpbe an odd prime and letαbe a generator ofZ^∗_p. Thena ∈ Z^∗_pis a quadratic residue modulopif and only ifa=αⁱmodp, whereiis an even integer. It follows that

|Q_p|= (p−1)/2and|Q_p|= (p−1)/2; that is, half of the elements inZ^∗_pare quadratic residues and the other half are quadratic non-residues.

2.136 Example α= 6is a generator ofZ^∗₁₃. The powers ofαare listed in the following table.

i 0 1 2 3 4 5 6 7 8 9 10 11

αⁱmod 13 1 6 10 8 9 2 12 7 3 5 4 11

HenceQ₁₃={1,3,4,9,10,12}andQ₁₃={2,5,6,7,8,11}. 2.137 Fact Letnbe a product of two distinct odd primespandq,n =pq. Thena ∈ Z^∗_nis a quadratic residue modulonif and only ifa ∈ Q_panda ∈ Q_q. It follows that|Q_n| =

|Q_p| · |Q_q|= (p−1)(q−1)/4and|Q_n|= 3(p−1)(q−1)/4.

2.138 Example Letn= 21. ThenQ₂₁={1,4,16}andQ₂₁={2,5,8,10,11,13,17,19,20}. 2.139 Definition Leta∈Q_n. Ifx∈Z^∗_nsatisfiesx² ≡a (modn), thenxis called asquare

rootofamodulon.

2.140 Fact (number of square roots)

(i) Ifpis an odd prime anda∈Q_p, thenahas exactly two square roots modulop.

(ii) More generally, letn=pê₁¹pê₂²· · ·pê_k^kwhere thep_iare distinct odd primes ande_i≥ 1. Ifa∈Q_n, thenahas precisely2^kdistinct square roots modulon.

2.141 Example The square roots of12modulo37are7and30. The square roots of121modulo 315are11,74,101,151,164,214,241, and304.

2.4.4 Algorithms in Z

Letnbe a positive integer. As before, the elements ofZnwill be represented by the integers {0,1,2, . . . , n−1}.

Observe that ifa, b∈Zn, then (a+b) modn=

a+b, ifa+b < n, a+b−n, ifa+b≥n.

Hence modular addition (and subtraction) can be performed without the need of a long di-vision. Modular multiplication ofaandbmay be accomplished by simply multiplyinga andbas integers, and then taking the remainder of the result after division byn. Inverses inZncan be computed using the extended Euclidean algorithm as next described.

2.142 AlgorithmComputing multiplicative inverses inZn

INPUT:a∈Zn.

OUTPUT:a⁻¹modn, provided that it exists.

1. Use the extended Euclidean algorithm (Algorithm 2.107) to find integersxandysuch thatax+ny=d, whered= gcd(a, n).

2. Ifd >1, thena⁻¹modndoes not exist. Otherwise, return(x).

Modular exponentiation can be performed efficiently with the repeated square-and-multiply algorithm (Algorithm 2.143), which is crucial for many cryptographic protocols.

One version of this algorithm is based on the following observation. Let the binary repre-sentation ofkbe_t

i=0k_i2ⁱ, where eachk_i∈ {0,1}. Then a^k=

t i=0

a^kⁱ²ⁱ= (a²⁰)^k⁰(a²¹)^k¹· · ·(a²^t)^k^t.

2.143 AlgorithmRepeated square-and-multiply algorithm for exponentiation inZn

INPUT:a∈Zn, and integer0≤k < nwhose binary representation isk=_t

i=0k_i2ⁱ. OUTPUT:a^kmodn.

1. Setb←1. Ifk= 0then return(b).

2. SetA←a.

3. Ifk₀= 1then setb←a.

4. Forifrom 1 totdo the following:

4.1 SetA←A²modn.

4.2 Ifk_i= 1then setb←A·bmodn.

5. Return(b).

2.144 Example (modular exponentiation) Table 2.4 shows the steps involved in the computation

of5⁵⁹⁶mod 1234 = 1013.

The number of bit operations for the basic operations inZnis summarized in Table 2.5.

Efficient algorithms for performing modular multiplication and exponentiation are further examined in§14.3 and§14.6.

i 0 1 2 3 4 5 6 7 8 9

ki 0 0 1 0 1 0 1 0 0 1

A 5 25 625 681 1011 369 421 779 947 925

b 1 1 625 625 67 67 1059 1059 1059 1013

Table 2.4:Computation of5⁵⁹⁶mod 1234.

Operation Bit complexity

Modular addition (a+b) modn O(lgn)

Modular subtraction (a−b) modn O(lgn) Modular multiplication (a·b) modn O((lgn)²) Modular inversion a⁻¹modn O((lgn)²) Modular exponentiation a^kmodn,k < n O((lgn)³)

Table 2.5:Bit complexity of basic operations inZn.

2.4.5 The Legendre and Jacobi symbols

The Legendre symbol is a useful tool for keeping track of whether or not an integerais a quadratic residue modulo a primep.

2.145 Definition Letpbe an odd prime andaan integer. TheLegendre symbol_a

2.146 Fact (properties of Legendre symbol) Letpbe an odd prime anda, b∈Z. Then the Leg-endre symbol has the following properties:

(i) _a

(v) (law of quadratic reciprocity) Ifqis an odd prime distinct fromp, then p

unless bothpandqare congruent to3modulo4, in which case_p

=−_q

The Jacobi symbol is a generalization of the Legendre symbol to integersnwhich are odd but not necessarily prime.

2.147 Definition Letn≥3be odd with prime factorizationn=pê₁¹pê₂²· · ·pê_k^k. Then theJacobi

Observe that ifnis prime, then the Jacobi symbol is just the Legendre symbol.

2.148 Fact (properties of Jacobi symbol) Letm≥3,n≥3be odd integers, anda, b∈Z. Then the Jacobi symbol has the following properties:

(i) _a congruent to3modulo4, in which case_m

n This observation yields the following recursive algorithm for computing_a

, which does not require the prime factorization ofn.

2.149 AlgorithmJacobi symbol (and Legendre symbol) computation JACOBI(a,n)

INPUT: an odd integern≥3, and an integera,0≤a < n.

OUTPUT: the Jacobi symbol_a

(and hence the Legendre symbol whennis prime).

1. Ifa= 0then return(0).

2.150 Fact Algorithm 2.149 has a running time ofO((lgn)²)bit operations.

2.151 Remark (finding quadratic non-residues modulo a primep) Letpdenote an odd prime.

Even though it is known that half of the elements inZ^∗_pare quadratic non-residues modulo p(see Fact 2.135), there is nodeterministicpolynomial-time algorithm known for finding one. Arandomizedalgorithm for finding a quadratic non-residue is to simply select random integersa ∈Z^∗_puntil one is found satisfying_a

= −1. The expected number iterations before a non-residue is found is2, and hence the procedure takes expected polynomial-time.

2.152 Example (Jacobi symbol computation) Fora= 158andn= 235, Algorithm 2.149 com-putes the Jacobi symbol₁₅₈

235

Unlike the Legendre symbol, the Jacobi symbol_a

does not reveal whether or nota is a quadratic residue modulon. It is indeed true that ifa∈Q_n, then_a

2.153 Example (quadratic residues and non-residues) Table 2.6 lists the elements inZ^∗₂₁and their Jacobi symbols. Recall from Example 2.138 thatQ₂₁ = {1,4,16}. Observe that ₅

Table 2.6:Jacobi symbols of elements inZ^∗₂₁.

2.154 Definition Letn≥3be an odd integer, and letJ_n ={a∈ Z^∗_n|_a

= 1}. The set of pseudosquaresmodulon, denotedQ_n, is defined to be the setJ_n−Q_n.

2.155 Fact Letn = pqbe a product of two distinct odd primes. Then|Q_n| = |Q_n| = (p− 1)(q−1)/4; that is, half of the elements inJ_nare quadratic residues and the other half are pseudosquares.

2.4.6 Blum integers

2.156 Definition ABlum integeris a composite integer of the formn=pq, wherepandqare distinct primes each congruent to3modulo4.

2.157 Fact Letn =pqbe a Blum integer, and leta ∈ Q_n. Thenahas precisely four square roots modulon, exactly one of which is also inQ_n.

2.158 Definition Letnbe a Blum integer and leta∈Q_n. The unique square root ofainQ_nis called theprincipal square rootofamodulon.

2.159 Example (Blum integer) For the Blum integern = 21,J_n = {1,4,5,16,17,20}and Q_n={5,17,20}. The four square roots ofa= 4are2,5,16, and19, of which only16is also inQ₂₁. Thus16is the principal square root of4modulo21.

2.160 Fact Ifn=pqis a Blum integer, then the functionf :Q_n −→Q_ndefined byf(x) = x²modnis a permutation. The inverse function offis:

f⁻¹(x) = x((p−1)(q−1)+4)/8modn.

Dans le document CRC Press has granted the following speciﬁc permissions for the electronic version of this book: (Page 16-28)