Number Theory with Applications to Cryptography 177407351X, 9781774073513

Number Theory with Applications to Cryptography takes into account the application of number theory in the field of cryp

156 94 8MB

English Pages 307 [310] Year 2019

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Cover
Title Page
Copyright
DECLARATION
ABOUT THE EDITOR
TABLE OF CONTENTS
List of Contributors
List of Abbreviations
Preface
SECTION I: DIOPHANTINE EQUATIONS
Chapter 1 A Disaggregation Approach for Solving Linear Diophantine Equations
Abstract
Introduction
Lattice and Basis Reduction
Equivalent Modular Equations and Their Lattice Representation
Disaggregation of a System of Equations With Basis Reduction
Conclusion
References
Chapter 2 Diophantine Equations. Elementary Methods
Abstract
Introduction and Main Results
Acknowledgements
References
Chapter 3 Diophantine Equations. Elementary Methods II
Abstract
Introduction and Main Results
Acknowledgements
References
Chapter 4 Almost and Nearly Isosceles Pythagorean Triples
Abstract
Introduction
Almost and Nearly Pythagorean Triples
Almost Isosceles Pythagorean Triple
Acknowledgments
References
Chapter 5 A Public Key Cryptosystem based on Diophantine Equations of Degree Increasing Type
Abstract
Introduction
Review of ASC
Our Cryptosystem
Security Analysis
Sizes of Keys and Cipher Polynomials
Conclusion
Acknowledgements
References
SECTION II: THE RIEMANN ZETA FUNCTION AND THE FUNDAMENTAL THEOREM OF ARITHMETIC
Chapter 6 Hamiltonian for the Zeros of the Riemann Zeta Function
Abstract
Acknowledgements
References
Chapter 7 Fractional Parts and Their Relations to the Values of the Riemann Zeta Function
Abstract
Background
Notation
The Fractional Transform
Main Results
Conclusion
References
SECTION III: CONGRUENCES
Chapter 8 11-Dissection and Modulo 11 Congruences Properties for Partition Generating Function
Abstract
Introduction
Preliminaries
Components and Congruences For M = 11
References
Chapter 9 Effective Congruences for Mock Theta Functions
Abstract
Introduction and Statement of The Results
Nuts and Bolts
Statement of The General Theorem and Its Proof
Acknowledgments
References
Chapter 10 On Integer Solutions of the Cubic Equations Over Certain Fields Zn
Abstract
Introduction
Main Results
References
Chapter 11 Iterative Sliding Window Method for Shorter Number of Operations in Modular Exponentiation and Scalar Multiplication
Abstract
Introduction
Iterative Sliding Window Method (ISWM)
Iterative Recoded Swm (IRSWM)
Conclusion And Future Works
References
SECTION IV: DISCRETE LOG PROBLEM, ELLIPTIC CURVES, MATRICES AND PUBLIC-KEY CRYPTOGRAPHY
Chapter 12 Implementation of Pollard Rho over binary fields using Brent Cycle Detection Algorithm
Abstract
Introduction
Basic Definition
Pollard Rho Algorithm
Modified Pollard Rho
Experimental Results
Conclusion and Further Research
Acknowledgment
References
Chapter 13 Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside Sn
Abstract
Introduction
The Scheme of Doliskani Et al.
Finding Discrete Logarithms In Cyclic Subgroups of SN
Experimental Validation
Conclusions
Author Contributions
References
Chapter 14 Research on Attacking a Special Elliptic Curve Discrete Logarithm Problem
Abstract
Introduction
Preliminary
Partitions of Group Elements
A Group Represented by Disjoint Orbits
A Special Polynomial Construction
Experimental Results
Conclusion
Acknowledgments
References
Chapter 15 Are Matrices Useful in Public-Key Cryptography?
Abstract
Introduction
Circulant Matrices
Security of The Proposed Elgamal Cryptosystem
Is The Elgamal Cryptosystem Over SC(D, Q) Really Useful?
An Algorithm
References
SECTION V: CONTINUED FRACTIONS
Chapter 16 An Application of Fibonacci Sequence on Continued Fractions
Abstract
Introduction
Basic Lemma
Proof of Theorem 1.1
Acknowledgments
References
Chapter 17 On The Quantitative Metric Theory of Continued Fractions in Positive Characteristic
Abstract
Introduction
Quantitative Metrical Theorems
Proofs
References
Chapter 18 Some New Continued Fraction Sequence Convergent to the Somos QuadraticRecurrence Constant
Abstract
Introduction
Estimating γ(1/2)
Estimating γ(1/3)
Acknowledgements
References
Chapter 19 Continued Fractions for Some Transcendental Numbers
Abstract
Introduction
The Main Result
Acknowledgements
References
Index
Back Cover
Recommend Papers

Number Theory with Applications to Cryptography
 177407351X, 9781774073513

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

NUMBER THEORY WITH APPLICATIONS TO CRYPTOGRAPHY

NUMBER THEORY WITH APPLICATIONS TO CRYPTOGRAPHY

Edited by:

Stefano Spezia

ARCLER

P

r

e

s

s

www.arclerpress.com

Number Theory with Applications to Cryptography Stefano Spezia

Arcler Press 2010 Winston Park Drive, 2nd Floor Oakville, ON L6H 5R7 Canada www.arclerpress.com Tel: 001-289-291-7705 001-905-616-2116 Fax: 001-289-291-7601 Email: [email protected] e-book Edition 2020 ISBN: 978-1-77407-417-6 (e-book)

This book contains information obtained from highly regarded resources. Reprinted material sources are indicated. Copyright for individual articles remains with the authors as indicated and published under Creative Commons License. A Wide variety of references are listed. Reasonable efforts have been made to publish reliable data and views articulated in the chapters are those of the individual contributors, and not necessarily those of the editors or publishers. Editors or publishers are not responsible for the accuracy of the information in the published chapters or consequences of their use. The publisher assumes no responsibility for any damage or grievance to the persons or property arising out of the use of any materials, instructions, methods or thoughts in the book. The editors and the publisher have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission has not been obtained. If any copyright holder has not been acknowledged, please write to us so we may rectify. Notice: Registered trademark of products or corporate names are used only for explanation and identification without intent of infringement.

© 2020 Arcler Press ISBN: 978-1-77407-351-3 (Hardcover)

Arcler Press publishes wide variety of books and eBooks. For more information about Arcler Press and its products, visit our website at www.arclerpress.com

DECLARATION Some content or chapters in this book are open access copyright free published research work, which is published under Creative Commons License and are indicated with the citation. We are thankful to the publishers and authors of the content and chapters as without them this book wouldn’t have been possible.

ABOUT THE EDITOR

Stefano Spezia is Ph.D. holder in Applied Physics at the University of Palermo since April 2012. His major research experience is in noise-induced effects in nonlinear systems, especially in the fields of modeling of complex biological systems and simulation of semiconductor spintronic devices. Associate member of the Italian Physical Society and European Physical Society.

TABLE OF CONTENTS

List of Contributors .......................................................................................xv List of Abbreviations .................................................................................... xix Preface.................................................................................................... ....xxi SECTION I: DIOPHANTINE EQUATIONS Chapter 1

A Disaggregation Approach for Solving Linear Diophantine Equations ..... 3 Abstract ..................................................................................................... 3 Introduction ............................................................................................... 4 Lattice and Basis Reduction ....................................................................... 5 Equivalent Modular Equations and Their Lattice Representation ................. 6 Disaggregation of a System of Equations With Basis Reduction .................. 8 Conclusion .............................................................................................. 10 References ............................................................................................... 11

Chapter 2

Diophantine Equations. Elementary Methods .......................................... 13 Abstract ................................................................................................... 13 Introduction and Main Results ................................................................. 14 Acknowledgements ................................................................................. 23 References ............................................................................................... 24

Chapter 3

Diophantine Equations. Elementary Methods II ...................................... 25 Abstract ................................................................................................... 25 Introduction and Main Results ................................................................. 25 Acknowledgements ................................................................................. 38 References ............................................................................................... 39

Chapter 4

Almost and Nearly Isosceles Pythagorean Triples ................................... 41 Abstract ................................................................................................... 41

Introduction ............................................................................................. 41 Almost and Nearly Pythagorean Triples .................................................... 42 Almost Isosceles Pythagorean Triple ......................................................... 47 Acknowledgments ................................................................................... 52 References ............................................................................................... 53 Chapter 5

A Public Key Cryptosystem based on Diophantine Equations of Degree Increasing Type ...................................................................... 55 Abstract ................................................................................................... 55 Introduction ............................................................................................. 56 Review of ASC ......................................................................................... 58 Our Cryptosystem .................................................................................... 65 Security Analysis ...................................................................................... 73 Sizes of Keys and Cipher Polynomials ...................................................... 79 Conclusion .............................................................................................. 83 Acknowledgements ................................................................................. 84 References ............................................................................................... 85

SECTION II: THE RIEMANN ZETA FUNCTION AND THE FUNDAMENTAL THEOREM OF ARITHMETIC Chapter 6

Hamiltonian for the Zeros of the Riemann Zeta Function ....................... 91 Abstract ................................................................................................... 91 Acknowledgements ............................................................................... 101 References ............................................................................................. 102

Chapter 7

Fractional Parts and Their Relations to the Values of the Riemann Zeta Function ......................................................................... 105 Abstract ................................................................................................. 105 Background ........................................................................................... 106 Notation ................................................................................................ 107 The Fractional Transform ........................................................................ 108 Main Results .......................................................................................... 109 Conclusion ............................................................................................ 114 References ............................................................................................. 115

x

SECTION III: CONGRUENCES Chapter 8

11-Dissection and Modulo 11 Congruences Properties for Partition Generating Function ............................................................... 119 Abstract ................................................................................................. 119 Introduction ........................................................................................... 120 Preliminaries.......................................................................................... 122 Components and Congruences For M = 11 ............................................ 124 References ............................................................................................. 130

Chapter 9

Effective Congruences for Mock Theta Functions.................................. 131 Abstract ................................................................................................. 131 Introduction and Statement of The Results.............................................. 132 Nuts and Bolts ....................................................................................... 134 Statement of The General Theorem and Its Proof .................................... 139 Acknowledgments ................................................................................. 142 References ............................................................................................. 143

Chapter 10 On Integer Solutions of the Cubic Equations Over Certain Fields

... 145

Abstract ................................................................................................. 145 Introduction ........................................................................................... 146 Main Results .......................................................................................... 146 References ............................................................................................. 149 Chapter 11 Iterative Sliding Window Method for Shorter Number of Operations in Modular Exponentiation and Scalar Multiplication........................................................................................ 151 Abstract ................................................................................................. 151 Introduction ........................................................................................... 152 Iterative Sliding Window Method (ISWM) .............................................. 157 Iterative Recoded Swm (IRSWM)............................................................ 162 Conclusion And Future Works ............................................................... 167 References ............................................................................................. 169

xi

SECTION IV: DISCRETE LOG PROBLEM, ELLIPTIC CURVES, MATRICES AND PUBLIC-KEY CRYPTOGRAPHY Chapter 12 Implementation of Pollard Rho over binary fields using Brent Cycle Detection Algorithm .......................................................... 175 Abstract ................................................................................................. 175 Introduction ........................................................................................... 176 Basic Definition ..................................................................................... 176 Pollard Rho Algorithm ........................................................................... 177 Modified Pollard Rho ............................................................................. 179 Experimental Results .............................................................................. 180 Conclusion and Further Research .......................................................... 183 Acknowledgment ................................................................................... 184 References ............................................................................................. 185 Chapter 13 Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside Sn ................................................................. 187 Abstract ................................................................................................. 187 Introduction ........................................................................................... 188 The Scheme of Doliskani Et al................................................................ 188 Finding Discrete Logarithms In Cyclic Subgroups of SN ......................... 190 Experimental Validation ......................................................................... 194 Conclusions ........................................................................................... 195 Author Contributions ............................................................................. 195 References ............................................................................................. 196 Chapter 14 Research on Attacking a Special Elliptic Curve Discrete Logarithm Problem................................................................................ 197 Abstract ................................................................................................. 197 Introduction ........................................................................................... 198 Preliminary ............................................................................................ 200 Partitions of Group Elements .................................................................. 202 A Group Represented by Disjoint Orbits ................................................ 204 A Special Polynomial Construction ........................................................ 207 Experimental Results .............................................................................. 210 Conclusion ............................................................................................ 213

xii

Acknowledgments ................................................................................. 213 References ............................................................................................. 214 Chapter 15 Are Matrices Useful in Public-Key Cryptography? ................................ 217 Abstract ................................................................................................. 217 Introduction ........................................................................................... 218 Circulant Matrices ................................................................................. 221 Security of The Proposed Elgamal Cryptosystem..................................... 223 Is The Elgamal Cryptosystem Over SC(D, Q) Really Useful? ................... 224 An Algorithm ......................................................................................... 229 References ............................................................................................. 235 SECTION V: CONTINUED FRACTIONS Chapter 16 An Application of Fibonacci Sequence on Continued Fractions ............ 239 Abstract ................................................................................................. 239 Introduction ........................................................................................... 240 Basic Lemma ......................................................................................... 241 Proof of Theorem 1.1 ............................................................................. 242 Acknowledgments ................................................................................. 243 References ............................................................................................. 244 Chapter 17 On The Quantitative Metric Theory of Continued Fractions in Positive Characteristic....................................................................... 245 Abstract ................................................................................................. 245 Introduction ........................................................................................... 246 Quantitative Metrical Theorems ............................................................. 248 Proofs .................................................................................................... 252 References ............................................................................................. 257 Chapter 18 Some New Continued Fraction Sequence Convergent to the Somos QuadraticRecurrence Constant............................................ 259 Abstract ................................................................................................. 259 Introduction ........................................................................................... 260 Estimating g(1/2) ..................................................................................... 261 Estimating g(1/3) ..................................................................................... 266 Acknowledgements ............................................................................... 270 References ............................................................................................. 271 xiii

Chapter 19 Continued Fractions for Some Transcendental Numbers ...................... 273 Abstract ................................................................................................. 273 Introduction ........................................................................................... 274 The Main Result ..................................................................................... 275 Acknowledgements ............................................................................... 279 References ............................................................................................. 280 Index ..................................................................................................... 281

xiv

LIST OF CONTRIBUTORS Baiyi Wu School of Finance Guangdong University of Foreign Studies Guangzhou 510420, P.R. China Qun Zhang School of Finance Guangdong University of Foreign Studies Guangzhou 510420, P.R. China Rafael Jakimczuk Divisi´on Matem´atica, Universidad Nacional de Luj´an Buenos Aires, Argentina Eunmi Choi Department of Mathematics, Han Nam University, Daejeon, Republic of Korea Shinya Okumura Kyushu University, 744, Motooka, Nishi-ku, 819-0395 Fukuoka, Japan Carl M. Bender Department of Physics, Washington University, St. Louis, Missouri 63130, USA Dorje C. Brody Department of Mathematics, Brunel University London, Uxbridge UB8 3PH, United Kingdom Department of Optical Physics and Modern Natural Science, St. Petersburg National Research University of Information Technologies, Mechanics and Optics, St. Petersburg 197101, Russia Markus P. Müller Departments of Applied Mathematics and Philosophy, University of Western Ontario, Middlesex College, London, Ontario N6A 5B7, Canada The Perimeter Institute for Theoretical Physics, Waterloo, Ontario N2L 2Y5, Canada xv

Ibrahim M. Alabdulmohsin Computer, Electrical and Mathematical Sciences and Engineering Division, King Abdullah University of Science and Technology (KAUST), Thuwal 23955-6900, Saudi Arabia Goksal Bilgici Kastamonu University, Education Faculty Department of the Computer Education and Instructional Technology 37100, Kastamonu, Turkey Ali Bulent Ekin Ankara University, Faculty of Science Department of Mathematics 06100, Tandogan, Ankara, Turkey Nickolas Andersen Department of Mathematics, University of Illinois at Urbana-Champaign, 409 W. Green Street, Urbana, IL 61801, USA Holley Friedlander Department of Mathematics, University of Massachusetts, Lederle Graduate Research Tower, Amherst, MA 01003, USA Jeremy Fuller Department of Mathematics, Purdue University, 150 N. University Street, West Lafayette, IN 47907, USA Heidi Goodson Department of Mathematics, University of Minnesota, 206 Church St. SE, Minneapolis, MN 55455, USA Dilek Namlı Balıkesir Universiresi Fen-Edebiyat Fak¨ultesi, Matematik B¨ol¨um¨u ¨ 10145 C¸ a˘gı¸s Kamp¨us¨u, Balikesir, Turkey Adamu Muhammad Noma Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, Serdang 43400, Selangor, Malaysia Abdullah Muhammed Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, Serdang 43400, Selangor, Malaysia xvi

Zuriati Ahmad Zukarnain Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, Serdang 43400, Selangor, Malaysia Muhammad Afendee Mohamed Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, Besut 22200, Terengganu, Malaysia. Intan Muchtadi-Alamsyah, Faculty of Mathematics and Natural Sciences, Institut Teknologi Bandung, Jalan Ganesha No. 10 Bandung 40132, Indonesia Taufiq Akbari Utomo Faculty of Mathematics and Natural Sciences, Institut Teknologi Bandung, Jalan Ganesha No. 10 Bandung 40132, Indonesia María Isabel González Vasco MACIMTE, Universidad Rey Juan Carlos, 28933 Móstoles, Madrid, Spain Angela Robinson Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431, USA Rainer Steinwandt Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431, USA Jiang Weng State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China Air Force Engineering University, Xi’an 710038, China Yunqi Dou State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China Chuangui Ma Basic Department, Army Aviation Institution, Beijing 101123, China

xvii

Ayan Mahalanobis Indian Institute of Science Education and Research Pune Dr. Homi Bhabha Road, Pashan, Pune 411008, India Ali H. Hakami Department of Mathematics, Faculty of Science, Jazan University, Jazan, Postal Code: 45142, Saudi Arabia Poj Lertchoosakul Instytut Matematyki, Uniwersytet Gdanski, ul. Wita Stwosza 57, 80-308 Gdansk, Poland Radhakrishnan Nair Mathematical Sciences, the University of Liverpool, Peach Street, Liverpool L69 7ZL, UK Xu You Department of Mathematics and Physics, Beijing Institute of Petrochemical Technology, Beijing, 102617, P.R. China Shouyou Huang School of Mathematics and Statistics, Hubei Normal University, Huangshi, Hubei 435002, P.R. China Di-Rong Chen Department of Mathematics, Wuhan Textile University, Wuhan, Hubei 430200, P.R. China School of Mathematics and System Science, Beihang University, Beijing, 100191, P.R. China Andrew N. W. Hone School of Mathematics, Statistics and Actuarial Science, University of Kent, Canterbury CT2 7NF, UK

xviii

LIST OF ABBREVIATIONS AC

Addition chain

ACP

Addition chain problem

ASC

Algebraic Surface Cryptosystem

AI-PT

Almost isosceles pythagorean triple

AIRA

Almost isosceles right angled

APT

Almost pythagorean triple

BDHEP

Bilinear Diffie-Hellman Exponent Problem

BDHIP

Bilinear Diffie-Hellman Inversion Problem

BDHP

Bilinear Diffie-Hellman Problem

ECDLP

Elliptic Curve Cryptography Discrete Logarithm Problem

ECC

Elliptic curve cryptography

LSB

List significant bit

MAC

Message authentication code

MSD

Modified signed digit

MSB

Most significant bit

MSW

Most significant word

MOF

Mutual opposite form

NPT

Nearly pythagorean triple

NAF

Non-adjacent form

NW

Non-zero window

PKC

Public key cryptosystems

PT

Pythagorean triple

RA

Recovering Algorithm

SFP

Section finding problem

SWM

Sliding window method

SDHP

Strong Diffie-Hellman Problem

VLNW

Variable-length non-zero window

PREFACE

Nowadays, the security of the information and communications systems is based on the computational complexity of some theoretical problems related to integer numbers of which Number Theory is concerned. Some of these ones are the integer factorization problem, the discrete logarithm problem and the modular exponentiation. For this reason, research in Cryptography and Number Theory has been going on together for many decades. Section 1 of Number Theory with Applications to Cryptography book begins with the Diophantine equations. In particular, it treats with the wide and complex problem of finding integer solutions of equations, among which simultaneous linear equations and simultaneous Pell’s equations. Moreover, it discusses the solutions of a parametric Pell’s equation via generalized Fibonacci and Lucas numbers, and Pythagorean triples that are solutions of certain Diophantine equations. In the end, Section 1 presents a new public key cryptosystem based on Diophantine equations. Section 2 focuses on the Riemann zeta function and the fundamental theorem of arithmetic. In detail, it introduces a study of the Riemann hypothesis by constructing ad hoc a Hamiltonian operator; it discusses an asymptotic relationship between the summation of the products of fractional parts with powers of integers, and the values of the Riemann zeta function; and shows the calculus of the hybrid moments of the Riemann zeta function on the critical line. Section 3 treats of the application of the congruences in many topics of analytical number theory, and in finding integer solutions of cubic equations over certain fields. In the end, it also shows different efficient methods in modular exponentiation and scalar multiplication and squaring algorithms for cryptosystems. Section 4 deals with the discrete log problem, elliptic curves, matrices and their application in public-key cryptography. Finally, the last Section 5 reviews the continued fractions and their application. In particular, it presents the use of Fibonacci sequence on continued fractions; it shows closed-form expressions for the continued fractions of certain quadratic irrationals; it discusses some new results about continued fraction expansions

of the Somos quadratic recurrence constant. In the end, it shows a study on two new attacks using continued fractions on a certain RSA cryptosystem.

xxii

SECTION I: DIOPHANTINE EQUATIONS

Chapter 1

A Disaggregation Approach for Solving Linear Diophantine Equations

Baiyi Wu and Qun Zhang

School of Finance Guangdong University of Foreign Studies Guangzhou 510420, P.R. China

ABSTRACT Finding integer solutions to a set of linear equations has been a challenging problem with application in many areas, such as knapsack optimization and cryptography. In this paper, we find a new method from the angle of disaggregation to solve a system of linear Diophantine equations. The disaggregation process, which employs the LLL procedure in the literature, keeps generating new valid linear equations until the system of equations becomes high-ranked and easy to solve. Keywords: Diophantine equations, LLL, basis reduction Citation: Baiyi Wu, Qun Zhang 2018 “A disaggregation approach for solving linear Diophantine equations” Applied Mathematical Sciences, Vol. 12, 2018, no. 18, 871-878. https://doi.org/10.12988/ams.2018.8687 Copyright © 2018 Baiyi Wu and Qun Zhang. This article is distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

4

Number Theory with Applications to Cryptography

INTRODUCTION Linear Diophantine equation problem is the following feasibility problem:

where D is often the binary set {0, 1} n . A critical factor of an (LDE) problem is its density, defined as:

For low-density (LDE) problems, algorithms based on basis reduction were firstly introduced by Brickell [2] and Lagarias and Odlyzko [4]. In [4], they showed that for almost all (LDE) problems with a density smaller than 0.645, the solution could be obtained in polynomial time, provided there is a polynomial time oracle for finding a shortest vector in a lattice. They also showed that when the density is smaller than 1/n, the LLL basis reduction algorithm, which is polynomial time, almost surely finds a shortest vector in the corresponding lattice. Later Coster et al. in [3] improved the basis formulation and showed that for almost all (LDE) with a density smaller than 0.9408, the solution could be obtained in polynomial time, provided there is a polynomial time oracle for finding a shortest vector in a lattice. An interesting generalization of the (LDE) problem is the following system of linear Diophantine equations problem:

The (SLDE) problems include many practical examples such as the classical Frobenius problem, the market split problem and the Petri net problem. Aardal et al. in [1] applied basis reduction algorithms and implicit enumeration to tackle (SLDE) with D being a bounded box. In this paper we are going to apply basis reduction algorithms from a new angle to tackle the (SLDE) problem. To that end, we would like to introduce the disaggregation problem:

A Disaggregation Approach for Solving Linear Diophantine Equations

5

The disaggregation problem of (SLDE Disaggregation) is to find another equation that is linear independent to the original equations to describe the feasible set. In the literature the discussion on this problem is rare. Mardanov and Mamedov in [6] gave a sufficient condition to split an original equation into two by a good modular multiplication and provided a heuristic to do so. In this paper we are going to tackle the disaggregation problem systematically with basis reduction. This paper is organized as follows. In Section 2, we review the basis reduction algorithm for a lattice. In Section 3, we define equivalent modular equations and derive their lattice representation. In Section 4, we demonstrate how to use basis reduction to conduct disaggregation on a system of equations. We conclude in Section 5.

LATTICE AND BASIS REDUCTION A lattice is a set in obtained from integral linear combination of k vectors . Let B1, ..., Bk be k vectors in Rn . The lattice generated by them is in denoted by: The rank of a basis of a lattice in is invariant [7] and it is defined to be the dimension of the lattice. The determinant of a lattice det(L) is the volume of the parallelapipe stretched by the basis vectors. It is a property of the lattice and invariant of the particular basis chosen. Let λ1(L) be the shortest vector of in the lattice L. From Minkowski’s convex body theorem, we have the following bound for it: (1) Finding a shortest vector in a lattice has been proved to be NP-hard under the sup-norm in [8]. But the NP-hardness of finding a shortest vector under the Euclidean norm remains unknown. On the other hand, the well know LLL basis reduction algorithm from [5] and its variants provide polynomial time routines to find relatively short vectors in a lattice. Proposition 2.1 The LLL algorithm finds in polynomial time a vector x1 in a lattice L with (2)

6

Number Theory with Applications to Cryptography

where n is the dimension of the lattice and β is a fixed number lager than but not equal to . Proof. See e.g. [5].

EQUIVALENT MODULAR EQUATIONS AND THEIR LATTICE REPRESENTATION Given

, we write a modular equation

to mean that , if the two sets

for some

. Given

and

and are the same, we say that the two modular equations are equivalent to each other in D. Givand and en ,

is equivalent to . For this reason, we do not distinguish among these modular equations and we will say they are the same modular equation. Given of w divided by v. Let then

The set

be the nonnegative remainders of components ,

could be strictly larger. For example, ,

but the point (2, −1) is not in . We say that the modular equation is obtained from by modular multiplication with multiplier t and modulus m. Following the discussion above, if m is further assumed to be a prime numsuch that s ∗ t ≡ 1(mod m). (This s ber, then there exists a number

A Disaggregation Approach for Solving Linear Diophantine Equations

7

can be found by the extended Euclidean algorithm in polynomial time.) We and mod(s ∗ a1, m) note that mod(s ∗ b1, m) = b0 + k0 ∗ m for some . Thus the modular equation = a0 + k ∗ m for some by modular multiplication with can be obtained from multiplier s and modulus m. Then we have the reverse inclusion and other in D.

and

are equivalent to each , and m is prime,

From the above discussion, given from

, the set of equivalent modular equations in generated by modular multiplication with modulus m can be represented by a lattice generated by the following rows of vectors:

So the lattice is defined to be:

(3)

We can see that for any l ∈ L, the modular equation l1x1 + ... + lnxn ≡ ln+1(mod in D. And for any m) is equivalent to obtained from modular multiplication of with modulus m, we have . Because the above basis B consists of n + 2 linear dependent row vectors and the lattice is in , we can simplify the basis to its Hermite normal form:

(4) Now B’ consists of exactly n+ 1 linear independent row vectors generating the same lattice L.

8

Number Theory with Applications to Cryptography

DISAGGREGATION OF A SYSTEM OF EQUATIONS WITH BASIS REDUCTION For the problem (SLDE Disaggregation), we form the following basis

And the lattice is defined to be: For any l ∈ L, the modular equation l1x1 + ... + lnxn ≡ ln+1(mod m) is not necessarily equivalent to Ax ≡ b(mod m) in D. But we always have the relationship: And this is enough to enable the disaggregation of the system of Diophantine equations. Firstly, we need a number m (not necessarily a prime number) such that {x ∈ D : Ax ≡ b(mod m)} = {x ∈ D : Ax = b}. One sufficient condition is Then, from the lattice, we hope to find some cTx ≡ d(mod m) such that then we have {x ∈ D : Ax = b} ⊆ {x ∈ D : cTx = d}. Next, we provide sufficient conditions for successful disaggregation when the system of equations has only one equation. Proposition 4.1 If gcd(a1, ..., an, b) = 1 and , the problem (SLDE Disaggregation) with D = {0, 1} n can be solved in polynomial time. Proof. Choose a prime number m such that . Then construct a lattice L of dimension n + 1

A Disaggregation Approach for Solving Linear Diophantine Equations

9

from the basis B as in (3). Then apply the LLL algorithm to B. Firslty, det(L) = mn because B can be reduced to B’ as in (4). Then from (2) we can find (cT , d) such that

Thus by Cauchy-Schwarz inequality, we have

. Then . Also, because , we have

linear independent and the proof is complete. ..., an, Proposition 4.2 If gcd(a1,

are b)

=

1

and

, assuming a polynomial time oracle to find a shortest vector in a lattice, the problem (SLDE Disaggregation) with D = {0, 1} n can be solved in polynomial time. Proof. Choose a prime number m such that (n+ 1)1/2 . Then construct a lattice L of dimension n + 1 from the basis B as in (3). Then apply the LLL algorithm to B. Firslty, det(L) = mn because B can be reduced to B’ as in (4). Then, with the oracle to find a shortest vector in L, from (1) we can find (cT , d) such that

Thus by Cauchy-Schwarz inequality, have

Then we . Also, because

10

Number Theory with Applications to Cryptography

we have . Since gcd are linear independent and the proof is complete. We can perform disaggregation for the (SLDE) and once new equations are obtained, we enlarge the (SLDE). Eventually we will be able to get a system of equations with high rank and then we could solve the enlarged system by enumeration.

CONCLUSION Finding integer solutions to a set of linear equations is an NP-hard problem. In this paper, we find a new method from the angle of disaggregation to solve a system of linear Diophantine equations. The disaggregation process, which employs the LLL procedure in the literature, keeps generating new valid linear equations until the system of equations becomes high-ranked. Our method is a novel algebraic approach in tackling NP-hard problems, which could help stimulating new thoughts on the solution schemes for other NP-hard problems.

A Disaggregation Approach for Solving Linear Diophantine Equations

11

REFERENCES 1.

2.

3.

4.

5.

6.

7. 8.

K. Aardal, C.A.J. Hurkens and A.K. Lenstra, Solving a system of linear diophantine equations with lower and upper bounds on the variables, Mathematics of Operations Research, 25 (2000), no. 3, 427-442. https://doi.org/10.1287/moor.25.3.427.12219 E.F. Brickell, Solving low density knapsacks, Advances in Cryptology, Springer, Boston, MA 1984, 25-37. https://doi.org/10.1007/978-14684-4730-9 2 M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.P. Schnorr and J. Stern, Improved low-density subset sum algorithms, Computational Complexity, 2 (1992), no. 2, 111-128. https://doi.org/10.1007/ bf01201999 J.C. Lagarias and A.M. Odlyzko, Solving low-density subset sum problems, Journal of the ACM (JACM), 32 (1985), no. 1, 229-246. https://doi.org/10.1145/2455.2461 A.K. Lenstra, H.W. Lenstra and L. Lov´asz, Factoring polynomials with rational coefficients, Mathematische Annalen, 261 (1982), no. 4, 515-534. https://doi.org/10.1007/bf01457454 S.S. Mardanov and K.S. Mamedov, Disaggregation of diophantine equation with Boolean variables, Computational Optimization and Applications, 27 (2004), no. 1, 31-36. https://doi.org/10.1023/ b:coap.0000004978.46548.d8 A. Schrijver, Theory of Linear and Integer Programming, Wiley, New York, 1998. P. van Emde-Boas, Another NP-Complete Partition Problem and the Com- plexity of Computing Short Vectors in a Lattice, Tecnical Report, Department of Mathmatics, University of Amsterdam, 1981.

Chapter 2

Diophantine Equations. Elementary Methods

Rafael Jakimczuk Divisi´on Matem´atica, Universidad Nacional de Luj´an Buenos Aires, Argentina

ABSTRACT In this note we are interested in some diophantine equations to the form . Some of these diophantine equations are well-known and our methods of solution are different and very elementary. Keywords: Diophantine equations, elementary methods

Citation: Rafael Jakimczuk 2017 “Diophantine equations. Elementary methods” International Mathematical Forum, Vol. 12, 2017, no. 9, 429-438. https://doi.org/10.12988/ imf.2017.7223 Copyright © 2017 Rafael Jakimczuk. This article is distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

14

Number Theory with Applications to Cryptography

INTRODUCTION AND MAIN RESULTS In this note we are interested in some diophantine equations to the form

(1) where h ≥ 2, the coefficients kj (j = 1, . . . , h + 1) are integers different of zero and the exponents rj ≥ 2 (j = 1, . . . , h + 1) are positive integers. Some of these diophantine equations are well-known (see [1] and [2]) and our methods of solution are different and very elementary. Let us consider a solution (2) to equation (1) (the xj (j = 1, . . . , h + 1) are integers). If we multiply both sides of equation (1) by E L , where E is an integer different of zero and L is the least common multiple (lcm) of the exponents rj (j = 1, . . . , h + 1), then we obtain the solution (3) The solution (3) will be called derivada solution of (1). Note that solution (2) is derivada solution of solution (2) if we put E = 1. Clearly, from (3) we can obtain (2) by common factor. If a set of solutions of equation (1) contain at least one derivada solution of each solution of equation (1) we shall call this set of solutions a complete system of solutions to equation (1). Note that from a complete system of solutions we can obtain all solution to the equation by common factor. This method if not very different to consider the set of primitive solutions to, for example, the equation x 2 + y 2 = z 2 and to obtain the rest of the solutions by multiplication of the primitive solutions. If we consider a certain subset S of solutions to equation (1) then a complete system of solutions in relation to S is a subset of S that contain at least a derivada solution of each solution of the set S. We begin with the famous Pythagorean equation. Theorem 1.1 Let us consider the diophantine equation (4) where xyz

0. Then, a complete system of solutions to the equation is

Diophantine Equations. Elementary Methods

15

(5) where a and b are arbitrary integers such that xyz 0. Proof. This equation has solutions (x, y, z) such that xyz 0. For example (x, y, z) = (3, 4, 5). Let us consider then a solution (x, y, z) such that xyz 0. We can write (6) Note that a 0. Consequently (see (4)) (7) Therefore (8) Substituting (8) into (7) we obtain (9) If we now multiply both sides of equation (9) by (2a)2 then we obtain the derivada solution (5) (10) of the solution (x, y, z). Note, besides, that (10) is an identity. The theorem is proved. Theorem 1.2 Let us consider the diophantine equation (11) where h ≥ 2, the coefficients kj (j = 2, . . . , h) are positive integers and some xj (j = 2, . . . , h) is different of zero. Then a complete system of solutions to the equation is (12) where the aj (j = 1, . . . , h) are arbitrary integers such that some xj (j = 2, . . . , h) is different of zero. Proof. The equation has solutions with is property, since we have the iden-

16

Number Theory with Applications to Cryptography

tity (see (12)) (13) Let us consider then a solution (x1, . . . , xh, xh+1) with is property. We can write (14) Note that C 0 and a1 0 , since in contrary case the property is not fulfilled. Consequently (see (11)) (15) Therefore

That is (16) Substituting (16) into (15) we obtain (17) If we now multiply both sides of equation (17) by (2a1) then we obtain the derivada solution (12) 2

(18) of the solution (x1, . . . , xh, xh+1). The theorem is proved. Theorem 1.3 Let us consider the diophantine equation (19) where h ≥ 2 and the coefficients kj (j = 1, . . . , h) and kh+1 are positive integers. Suppose that this equation has a solution

Diophantine Equations. Elementary Methods

17

(20) different of the trivial solution (0, 0, . . . , 0, 0) and besides gcd(b1, b2, . . . , bh, bh+1) = 1. Then a complete system of solutions is (21)

(22) where the ci (i = 1, . . . , h) are arbitrary integers.

Proof. Let us consider a solution to equation (19) (e1, e2, . . . , eh, C’ ) where the ej (j = 1, . . . , h) and C’ are integers and C’ 0. Suppose that this solution can not be written in the form (b1C, b2C, . . . , bhC, bh+1C) where C is a integer different of zero. Solutions with is property exist, since we have the identity (compare with (21) and (22))

(23) We can write (24) Consequently

(25) and (26) where the cj (j = 1, . . . , h) are integers. Note that some aj is different of zero and consequently some cj is different of zero (see (26)), since in contrary case we have (see (24)) where C is given by (25). This is impossible, C can not be a rational not

18

Number Theory with Applications to Cryptography

integer since gcd(b1, b2, . . . , bh, bh+1) = 1 and C can not be a integer by the established property of the solution (see above). Substituting (25) and (26) into (24) we obtain

Substituting this solution into equation (19) we have (27) That is (use

(see (20))) (28)

That is

(29) and consequently (see (28)) since Substituting (29) into (27) we obtain

.

Substituting (29) into (27) we obtain

(30) If we now multiply both sides of (30) by obtain the following derivada solution

then we

(31) of the solution (e1, e2, . . . , eh, C’ ) (see (31), (21) and (22)).

Suppose now that (e1, e2, . . . , eh, C’ ) = (b1C, b2C, . . . , bhC, bh+1C) where C is an integer different of zero. Suppose that some bs = 0, then we put into (21) and (22) cs = C and cj = 0 (j s) and obtain la derivada solution

Diophantine Equations. Elementary Methods

19

Suppose now that bj 0 (j = 1, . . . , h), then we put into (21) and (22) c1 = −k2b2C, c2 = k1b1C and cj = 0 (j 1, 2) and obtain the derivada solution

If (e1, e2, . . . , eh, C’ ) = (0, 0, . . . , 0, 0) then we put cj = 0 (j = 1, . . . , h) into (21) and (22) and obtain the derivada solution (0, 0, . . . , 0, 0). The theorem is proved. Example 1.4 Let us consider the diophantine equation (Legendre’s equation)

Suppose that (b1, b2, b3) is a solution different of (0, 0, 0) and gcd(b1, b2, b3) = 1. Then a complete system of solutions is

where c1, c2 and c3 are arbitrary integers. Theorem 1.5 Let us consider the diophantine equation

(32) where h ≥ 2, the coefficients kj (j = 1, . . . , h) and kh+1 are integers differents of zero and each integer exponent rj ≥ 2 (j = 1, . . . , h) divides the positive integer M. Let us consider the solutions to the equation (33) where xh+1

0. Then a complete system of solutions to the equation is

20

Number Theory with Applications to Cryptography

(34) (35) where (36) and the bj are arbitrary integers such that A

0.

Proof. We have the identity (compare with (34) and (35))

(37) where

(38) Consequently the diophantine equation (32) has infinite solutions where xh+1 0. Now, we shall prove that if (39) is a solution with xh+1 0 then there exist integers bj (j = 1, . . . , h) such that equations (34) and (35) are a derivada solution of the solution (39). Thus, equations (34) and (35) with the condition A 0 are a complete system of solutions to the equation. Therefore, let us consider a solution to the equation (40) where C

0. Therefore we have

(41) If now we multiply both sides of (41) by

Diophantine Equations. Elementary Methods

21

then we obtain the derivada solution (42) Equation (41) gives (see (42)) (43) Therefore (see (43) and (42)) we have (44) Consequently equations (43) and (44) are a derivada solution of the solution (40). The theorem is proved. Example 1.6 Now, we give some examples of Theorem 1.5. The equations in a) , b) and c) are consider in [2]. a) The equation x 2 + 3y 2 = z 3 . This equation has the following complete system of solutions. where a and b are arbitrary integers. b) The equation x 2 + 3y 2 = 4z 3 . This equation has the following complete system of solutions.

where a and b are arbitrary integers c) The equation x 4 + 3y 4 = z 5 . This equation has the following complete system of solutions. where a and b are arbitrary integers. d) The equation 3x 3 − 2y 4 + z 5 = w 121 This equation has the following complete system of solutions.

22

Number Theory with Applications to Cryptography

where a, b and c are arbitrary integers. e) The equation 4x 2 + 3y 4 + 2z 8 = w 9 This equation has the following complete system of solutions.

where a, b and c are arbitrary integers. f ) The equation This equation has the following complete system of solutions. (45) where b1, b2, . . . , bh are arbitrary integers.

In particular, the equation x n+y n = z n+1 has the following complete system of solutions. (46) where a and b are arbitrary integers. Now, we generalize the former theorem. Theorem 1.7 Let us consider the diophantine equation

where h ≥ 2, the coefficients kj (j = 1, . . . , h) and kh+1 are integers differents of zero, each integer exponent rj ≥ 2 (j = 1, . . . , h) divides the positive integer M and the positive integer d (0 < d < M+1) divides M+1. Let us consider the solutions to the equation (x1, . . . , xh, xh+1) where xh+1 0. Then a complete system of solutions to the equation is

where and the bj are arbitrary integers such that A 0. Proof. The proof is the same as the former theorem. The theorem is proved. Remark 1.8 Note that the former theorem is a particular case of this theorem when d = 1.

Diophantine Equations. Elementary Methods

23

Remark 1.9 Note that (M+1)/d can be any exponent relatively prime with L, where L is the least common multiple of the exponents rj (j = 1, . . . , h). Since have infinite solutions with the linear diophantine equation y1 > 0 and y2 > 0, we take M = Ly2. Example 1.10 Now, we give an example of Theorem 1.7. Let us consider the diophantine equation where the exponents rj (j = 1, . . . , h) are odd. If we take M = lcm(r1, r2, . . . , rh) then a complete system of solutions to the ecuation is

where , and the bj are arbitrary integers such that A 0. 3 3 2 Particular cases of this example appear in [2], for example, x + y = z , x 3 + y 3 = 2z 2 , x 3 − 2y 3 = z 2 and another.

ACKNOWLEDGEMENTS The author is very grateful to Universidad Nacional de Luj´an.

24

Number Theory with Applications to Cryptography

REFERENCES 1. 2.

H. Cohen, Number Theory, Volume I, Springer, 2010. H. Cohen, Number Theory, Volume II, Springer, 2010.

Chapter 3

Diophantine Equations. Elementary Methods II

Rafael Jakimczuk Divisi´on Matem´atica, Universidad Nacional de Luj´an Buenos Aires, Argentina

ABSTRACT In this article we study some general diophantine equations. Our methods of solution are different and very elementary. Keywords: Diophantine equations, elementary methods

INTRODUCTION AND MAIN RESULTS In a previous article [2] we define derivative solution of a solution and complete system of solutions to an equation. For sake of completeness we establish these definitions here. Citation: Rafael Jakimczuk 2017 “Diophantine equations. Elementary methods II” International Mathematical Forum, Vol. 12, 2017, no. 20, 953-965. https://doi.org/10.12988/ imf.2017.71192 Copyright © 2017 Rafael Jakimczuk. This article is distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

26

Number Theory with Applications to Cryptography

Let us consider the equation

(1) where h ≥ 2, the coefficients kj (j = 1, . . . , h + 1) are integers different of zero and the exponents rj ≥ 2 (j = 1, . . . , h + 1) are positive integers. (2) to equation (1) where the xj (j = 1, . . . , h + 1) are integers. If we multiply both sides of equation (1) by E L , where E is an integer different of zero and L is the least common multiple (lcm)of the exponents rj (j = 1, . . . , h + 1), then we obtain the solution (3) The solution (3) will be called derivative solution of (1). Note that solution (2) is derivative solution of solution (2) if we put E = 1. Clearly, from (3) we can obtain (2) by common factor. If a set of solutions of equation (1) contain at least one derivative solution of each solution of equation (1) we shall call this set of solutions a complete system of solutions to equation (1). Note that from a complete system of solutions we can obtain all solution to the equation by common factor. This method if not very different to consider the set of primitive solutions to, for example, the equation x 2 + y 2 = z 2 and to obtain the rest of the solutions by multiplication of the primitive solutions. If we consider a certain subset S of solutions to equation (1) then a complete system of solutions in relation to S is a subset of S that contain at least a derivative solution of each solution of the set S. In this note we study the solutions to the diophantine equation

(4) where h ≥ 2, the coefficients kj (j = 1, . . . , h + 1) are positive integers and the exponent r ≥ 2 is an arbitrary but fixed positive integer. A particular case of this general diophantine equation is well-known, namely, the equation

Diophantine Equations. Elementary Methods II

27

(5) This equation is studied in [1] as part of the dihedral cases. We also study another general diphantine equations and as a particular case of our general theorems the equation x 2 + y 4 = z 6 is studied. This particular equation is studied in [1] as part of the hyperbolic case. Also, as a particular case of our general theorems the equation x 2 − y 2 = z r is studied. This particular equation is studied in [1] as part of the dihedral cases. Our methods of solution are different and very elementary. In [2] is proved the following general theorem. Theorem 1.1 Let us consider the diophantine equation

where h ≥ 2, the coefficients kj (j = 1, . . . , h) and kh+1 are integers differents of zero, each integer exponent rj ≥ 2 (j = 1, . . . , h) divides the positive integer M and the positive integer d (0 < d < M+1) divides M+1. Let us consider the solutions to the equation (x1, . . . , xh, xh+1), where xh+1 0. Then a complete system of solutions to the equation is

where

and the bj are arbitrary integers such that A

0.

The case r odd in equation (4) is a particular case of Theorem 1.1 when r1 = r2 = · · · = rh = 2, M = r − 1 (r ≥ 3) and d = 1. Consequently we have the following theorem.

Theorem 1.2 Let us consider the diophantine equation

where h ≥ 2, the coefficients kj (j = 1, . . . , h + 1) are positive integers and the exponent r ≥ 3 is an arbitrary but fixed odd positive integer. Let us consider the solutions to the equation (x1, . . . , xh, xh+1) where xh+1 0. Then a complete system of solutions to the equation is

28

Number Theory with Applications to Cryptography

where

and the bj are arbitrary integers such that A

0.

Corollary 1.3 Let us consider equation (5). Then, a complete system of solutions to equation (5) when r ≥ 3 is odd is

where a and b are arbitrary integers. In the following two theorems we examine equation (5) when r is even. Theorem 1.4 Let us consider the diophantine equation

where xyz

0. Then, a complete system of solutions to the equation is

where a and b are arbitrary integers such that xyz

0.

Proof. See [2]. The theorem is proved. Theorem 1.5 Let s an arbitrary but fixed positive integer. Let us consider the diophantine equation (6) where xyz

0. Then, a complete system of solutions to the equation is (7)

where a and b are arbitrary integers such that xyz

0.

Proof. We have the identity (8) where a and b are arbitrary integers. Consequently equation (6) has infinite solutions (x, y, z) such that xyz

0.

Let us consider a solution (x, y, z) such that xyz 0. We can write is solution in the form (x, y, z) = (C sa1, Csa2, C) where a1 and a2 are rational numbers. Therefore we have

Diophantine Equations. Elementary Methods II

29

(9) We can write Hence (9) becomes

, where b1, b2 and d are integers.

(10) If we multiply both sides of (10) by d

2s+2

then we obtain (11)

Equation (11) gives (12) By Theorem 1.4 there exists h such that if we multiply both sides of (12) by h2 we obtain That is, we obtain (13) Now, if we multiply both sides of (11) by h2s+2 then we obtain the following derivative solution of the solution (x, y, z) (14) This derivative solution can be written in the form (see (13) and (14))

Compare with (8). The theorem is proved. In the following two theorems we complete the study of equation (4) when r is even. Theorem 1.6 Let us consider the diophantine equation

30

Number Theory with Applications to Cryptography

where h ≥ 2 and the coefficients kj (j = 1, . . . , h) and kh+1 are positive integers. Suppose that this equation has a solution

different of the trivial solution (0, 0, . . . , 0, 0) and besides gcd(b1, b2, . . . , bh, bh+1) = 1. Then a complete system of solutions is

where the ci (i = 1, . . . , h) are arbitrary integers. Proof. See [2]. The theorem is proved.

Theorem 1.7 Let s an arbitrary but fixed positive integer. Let us consider the diophantine equation

Suppose that is diophantine equation has a solution different of the trivial. Then a complete system of solutions is

where the ci (i = 1, . . . , h) are arbitrary integers.

Proof. The proof is the same as the proof of Theorem 1.5 using now Theorem 1.6. Note that we have the identity

where

and

Diophantine Equations. Elementary Methods II

31

The theorem is proved. Lemma 1.8 Let s be an arbitrary but fixed positive integer. Let us consider the diophantine equation

(15) where h ≥ 2, the coefficients kj (j = 2, . . . , h) are positive integers and some xj (j = 2, . . . , h) is different of zero. Then a complete system of solutions to the equation is (16) (17) where the aj (j = 1, . . . , h) are arbitrary integers such that some xj (j = 2, . . . , h) is different of zero. Proof. The equation has solutions with is property, since we have the identity (see (16) and (17))

(18) Let us consider then a solution (x1, . . . , xh, xh+1) with is property. We can write (19) 0 and a1 0 , since in contrary case the property is not Note that C fulfilled. Consequently (see (15) and (19)) (20) Therefore

32

Number Theory with Applications to Cryptography

That is

(21) Substituting (21) into (20) we obtain (22) If we now multiply both sides of equation (22) by (2a1) 2s then we obtain the following derivative solution

of the solution (x1, . . . , xh, xh+1). Compare with (18). The lemma is proved. Theorem 1.9 Let us consider the diophantine equation

(23) where the coefficients kj (j = 2, . . . , h) are positive integers, s is a positive integer, the sj (j = 2, . . . , h) are divisors of s and some xj (j = 2, . . . , h) is different of zero. Then a complete system of solutions to the equation is (24) where

(25)

Diophantine Equations. Elementary Methods II

33

(26) and the tj (j = 1, . . . , h) are arbitrary integers such that some xj is different of zero. That is, t1 0 and some tj (j = 2, . . . , h) is different of zero. (27) consequently there exist solutions such that some xj (j = 2, . . . , h) is different of zero. Let us consider a solution (28) to the equation with is property. This solution can be written in the form (29) where the uj (j = 1, . . . , h) are rational numbers. We can write (j = 1, . . . , h) where d and the nj (j = 1, . . . , h) are integers. Therefore we have (see (23) and (29)) (30) If we multiply both sides of equation (30) by d

2(2s)(2s+2)

then we obtain (31)

Equation (31) gives

That is (32) By Lemma 1.8 here exists h such that if we multiply both sides of (32) by h we obtain

2s

34

Number Theory with Applications to Cryptography

(33) where

(34) (35) (36) Equation (35) gives (37) Therefore (38) where tj is the integer

(j = 2, . . . , h) and consequently (39)

If we multiply both sides of equation (31) by h following derivative solution of solution (28)

2s(s+1)

then we obtain the

(40) Substituting equations (34), (36) and (39) into equation (40) we obtain equation (27). Note that we have written a1 = t1. The theorem is proved. Theorem 1.10 Let us consider the diophantine equation

(41) where the kj (j = 1, . . . , t+1) are integers different of zero, there exist a positive integer M ≥ 2 such that the exponents rj ≥ 2 are divisors of M (j =

Diophantine Equations. Elementary Methods II

35

1, . . . , h) and the exponents sj ≥ 2 (j = h+1, . . . , t) are divisors of M+1. Let us consider the solutions to the equation (x1, . . . , xh, xh+1, . . . , xt , xt+1) such 0 and that xt+1 system of solutions to the equation is

. Then a complete

(42) (43) (44) where (45) (46) the integers vj (j = 1, . . . , t) and m are arbitrary and such that A 0.

0 and B

Proof. Note that we have the identity

(47) Therefore there exist solutions to the equation with the properties of the theorem. Let us consider a solution (48) to the equation with the properties of the theorem. This solution can be written in the form (49) where the uj (j = 1, . . . , t) are certain rational numbers. Hence we have (see (41) and (49))

36

Number Theory with Applications to Cryptography

(50) We can write (50) becomes

where m and the vj (j = 1, . . . , t) are integers. Therefore

(51) If we multiply both sides of (51) by mM(M+1) then we obtain

(52) Consequently we have

(53) Substituting (53) into (52) and multiply both sides by B we obtain the following derivative solution of solution (48) (Compare with (47)). M(M+1)

The theorem is proved. Theorem 1.11 Let us consider the diophantine equation

where the kj (j = 1, . . . , t + 1) are integers different of zero, there exist a positive integer M ≥ 2 such that the exponents rj ≥ 2 are divisors of M + 1 (j = 1, . . . , h) and the exponents sj ≥ 2 (j = h + 1, . . . , t) are divisors of M. Let us consider the solutions to the equation (x1, . . . , xh, xh+1, . . . , xt , xt+1) 0 and such that xt+1 system of solutions to the equation is

. Then a complete

Diophantine Equations. Elementary Methods II

37

where

the integers vj (j = 1, . . . , t) and m are arbitrary and such that A 0.

0 and B

Proof. The proof is the same as the proof of Theorem 1.10. The theorem is proved. Theorem 1.12 Let us consider the equation

(54) where the coefficients kj (j = 3, . . . , h) are integers different of zero and the exponents rj ≥ 2 (j = 3, . . . , h) are positive integers. Let us consider the solutions (x1, x2, x3, . . . , xh) such that x1 x2. Then, a complete system of solutions is (55)

(56) (57) where b1

0 and aj (j = 3, . . . , h) are arbitrary integers and L is a fixed

38

Number Theory with Applications to Cryptography

positive integer multiple of the least common multiple of the exponents 2 and rj (j = 3, . . . , h).

Proof. We have the identity (see (55), (56) and (57))

(58) Hence there exist solutions to equation (54) such that x1

x2.

Let us consider a solution (x1, x2, x3, . . . , xh) such that x1 can be written in the form

x2. This solution (59)

Consequently (see (54) and (59)) we have (60) Equation (60) gives (61) Substituting (61) into (60) and multiply both sides by (2b1) we obtain the following derivative solution L

of solution (59). Compare with (58). The theorem is proved.

ACKNOWLEDGEMENTS The author is very grateful to Universidad Nacional de Luj´an.

Diophantine Equations. Elementary Methods II

39

REFERENCES 1. 2.

H. Cohen, Number Theory, Volume II, Springer, 2010. R. Jakimczuk, Diophantine equations. Elementary methods, International Mathematical Forum, 12 (2017), no. 9, 429 - 438. https:// doi.org/10.12988/imf.2017.7223

Chapter 4

Almost and Nearly Isosceles Pythagorean Triples

Eunmi Choi

Department of Mathematics, Han Nam University, Daejeon, Republic of Korea

ABSTRACT This work is about extended pythagorean triples, called NPT, APT, and AIPT. We generate infinitely many NPTs and APTs and then develop algorithms for infinitely many AI-PTs. Since AI-PT (𝑎, 𝑏, 𝑐) is of |𝑎 − 𝑏| = 1, we ask generally for PT (𝑎, 𝑏, 𝑐) satisfying |𝑎 − 𝑏| = 𝑘 for any . These triples are solutions of certain diophantine equations.

INTRODUCTION A pythagorean triple (PT) is an integer solution (𝑎, 𝑏, 𝑐) satisfying the

Citation: Eunmi Choi, “Almost and Nearly Isosceles Pythagorean Triples,” International Journal of Mathematics and Mathematical Sciences, vol. 2016, Article ID 5189057, 6 pages, 2016. https://doi.org/10.1155/2016/5189057 Copyright © 2016 Eunmi Choi. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

42

Number Theory with Applications to Cryptography

polynomial 𝑥2 + 𝑦2 = 𝑧2 , and it is said to be primitive (PPT) if gcd(𝑎, 𝑏, 𝑐) = 1. There have been many ways for finding solutions of 𝑥2+𝑦2 = 𝑧2 , and one of the wellknown methods is due to Euclid, BC 300. The investigation of integer solutions of 𝑥2+𝑦2 = 𝑧2 has been expanded to various aspects. One direction is to deal with polynomials 𝑥2 + 𝑦2 = 𝑧2 ± 1, where in [1] its integer solutions were called almost pythagorean triple (APT) or nearly pythagorean triple (NPT) depending on the sign ±. Another side is to study solutions of 𝑥2 + 𝑦2 = 𝑧2 having some special conditions. A solution (𝑎, 𝑏, 𝑐) is called isosceles if 𝑎=𝑏. Since there is no isosceles integer solution of 𝑥2 + 𝑦2 = 𝑧2 , isosceles-like integer triples (𝑎, 𝑏, 𝑐) with |𝑎 − 𝑏| = 1 were investigated. We shall call the (𝑎, 𝑏, 𝑐) an almost isosceles pythagorean triple (AI-PT), and typical examples are (3, 4, 5) and (20, 21, 29). In literatures [2–4], AI-PT was studied by solving Pell polynomial. And a few others [5, 6] used triangular square numbers for finding AI-PT. We note that in some articles AI-PT was called almost isosceles right angled (AIRA) triangle. But in order to emphasize relationships with PT, APT, and NPT in this work, we shall refer to AIRA as AI-PT. APT and NPT were studied in [1] while AI-PT was studied in [2, 4], and so forth, but it seems that no one has asked about their connections. In this work we generate infinitely many APTs and NPTs and then apply the results in order to develop algorithms for constructing infinitely many AI-PTs. Moreover we study PTs (𝑎, 𝑏, 𝑐) satisfying |𝑎 − 𝑏| = 𝑘 for any 𝑘≥1. So the study of these triples can be regarded as a research of solving diophantine equations 𝑥2 + 𝑦2 = 𝑧2 ± 1 and 𝑥2 − 𝑧2 = 2𝑦𝑧.

ALMOST AND NEARLY PYTHAGOREAN TRIPLES

APT and NPT, respectively, are integer solutions of 𝑥2 + 𝑦2 = 𝑧2 + 1 and 𝑥2 + 𝑦2 = 𝑧2 − 1, respectively. If (𝑎, 𝑏, 𝑐) is an APT or NPT, so it is (±𝑎, ±𝑏, ±𝑐) hence we generally assume 𝑎, 𝑏, 𝑐 > 0. Some triples were listed in [1] by experimental observations:

Lemma 1(see [1]). If (𝑎, 𝑏, 𝑐) is an APT then (2𝑎𝑐, 2𝑏𝑐, 2𝑐2+1) is a NPT. Conversely if (𝑎, 𝑏, 𝑐) is a NPT then (2𝑎2+1, 2𝑎𝑏, 2𝑎c) is an APT

Almost and Nearly Isosceles Pythagorean Triples

43

Theorem 2. If 𝑎 is an even integer then we have the following.

(1) (𝑎, 𝑏, 𝑏 + 1) is an APT if 𝑏=𝑎2 /2 − 1, while it is a NPT if 𝑏=𝑎2 /2.

(2) (2𝑎2 + 1, 𝑎3 , 𝑎(𝑎2 + 2)) is an APT and (𝑎3 , 𝑎2 (𝑎2 /2 − 1), 𝑎4 /2 + 1) is a NPT Table 1

Table 2

Proof. If 𝑐 = 𝑏+1 then 𝑐 2 − 𝑏2 = 2𝑏 + 1. If 𝑏=𝑎2 /2 − 1 then 𝑐 2 − 𝑏2 = 𝑎2 − 1, so (𝑎, 𝑏, 𝑐) is an APT. If 𝑏=𝑎2 /2 then 𝑐 2 − 𝑏2 = 𝑎2 + 1, so (𝑎, 𝑏, 𝑐) is a NPT.

Due to Lemma 1, the NPT (𝑎, 𝑎2 /2, 𝑎2 /2 + 1) yields an APT (2𝑎2 + 1, 𝑎3 , 𝑎(𝑎2 + 2)), while the APT (𝑎, 𝑎2 /2 − 1, 𝑎2 /2) provides a NPT (𝑎3 , 𝑎2 (𝑎2 /2 − 1), 𝑎4 /2 + 1) (see Table 1).

Theorem 2 gives infinitely many APTs and NPTs (𝑎, 𝑏, 𝑐) such that 𝑐−𝑏=1. Not only this, we can generate APT and NPT (𝑎, 𝑏, 𝑐) with 𝑐−𝑏=5.

Theorem 3. (1) If 𝑎 ≡ ±2 (mod 10) and 𝑏 = (𝑎2 − 24)/10 then (𝑎, 𝑏, 𝑏 + 5) is a NPT. (2) If 𝑎 ≡ ±4 (mod 10) and 𝑏 = (𝑎2 − 26)/10 then (𝑎, 𝑏, 𝑏 + 5) is an APT.

Proof. The triple (𝑎, 𝑏, 𝑏+5)is a NPT if 𝑎2 +𝑏2 = (𝑏+5)2 −1; that is, 𝑏 = (𝑎2 − 24)/10. Since 𝑏>0 is integer, it must be 𝑎2 > 24 and 𝑎2 ≡ 24 (mod 10). So 𝑎 ≡ ±2 (mod 10) with 𝑎≥8. On the other hand (𝑎, 𝑏, 𝑏 + 5) is an APT if 𝑎2 = 10𝑏 + 26; that is, 𝑏 = (𝑎2 − 26)/10. Similar to the above, we have 𝑎2 > 26 and 𝑎2 ≡ 26 ≡ 42 (mod10). Hence 𝑎 ≡ ±4 (mod10) with 𝑎≥6. Theorem 3 together with Lemma 1 yields infinitely many NPTs and APTs (see Table 2).

Though there are APT and NPT (𝑎, 𝑏, 𝑏 + 𝑘) with 𝑘 = 1, 5, no NPT (𝑎, 𝑏, 𝑏+𝑘) exists if 𝑘=2 or 3. In fact if (𝑎, 𝑏, 𝑏+2) is a NPT then 𝑎2 = 4𝑏 + 3. But

44

Number Theory with Applications to Cryptography

since 𝑎2 ≡ 3(mod 4) is quadratic nonresidue, no solution 𝑎 exists. Similarly if 𝑘=3 then ≡ 2 (mod 6), so no integer solution 𝑎.

Theorem 4. For any 𝑘>0, APTs of the form (𝑎, 𝑏, 𝑏+𝑘) always exist. If 𝑘−1 is even and square then there exist NPTs of the form (𝑎, 𝑏, 𝑏 + 𝑘). Proof. A triple (𝑎, 𝑏, 𝑏+𝑘)is an APT if 𝑎2 +𝑏2 = (𝑏+𝑘)2 +1; that is, 𝑏 = (𝑎2 − 𝑘2 − 1)/2𝑘. Then 𝑎2 ≡ 𝑘2 + 1 ≡ (𝑘 ± 1)2 ( mod 2𝑘). Hence if we let 𝑎 = 2𝑚𝑘 ± (𝑘 ± 1) and 𝑏 = 2(𝑚𝑘 ± 𝑘 ± 1) + 1 for 𝑚 ∈ then it can be observed that

,

(1) is an APT. In particular, (𝑘+1, 1, 𝑘+1) is an APT for all 𝑘>0.

Let 𝑘−1 = 𝑢2 = 2V (𝑢, V ∈ ). For(𝑎, 𝑏, 𝑏+ 𝑘) to be a NPT, we must have 𝑎2 = 2𝑘𝑏 + 𝑘2 − 1; that is, 𝑏 = (𝑎2 − 𝑘2 + 1)/2𝑘. Hence 𝑎2 ≡ 𝑘2 −1(mod 2𝑘), so (2) Write 𝑎2 = 𝑢2+2(𝑢2+1) for 𝑚 ∈ Z. Then 𝑏 = −𝑢2 /2+𝑚 and 𝑐 = 𝑏+𝑘 = 𝑢2 /2+1+𝑚. And since 𝑐 2 −𝑏2 −1 = (2𝑏+𝑘)−1 = (𝑢2 + 1)(2𝑚 + 1) − 1 = 𝑎2 , (𝑎, 𝑏, 𝑐) is a NPT.

For instance, (31, 43, 53), (51, 125, 135) are APTs (𝑎, 𝑏, 𝑐) with 𝑐 − 𝑏 = 10. Similarly (34, 47, 58), (56, 137, 148) are APTs with 𝑐−𝑏 = 11. So we have infinitely many APTs (𝑎, 𝑏, 𝑐) such that 𝑐−𝑏 is any integer.

On the other hand, consider 𝑘 = 1, 5, 17, 37 such that 𝑘−1 is square. Then Theorem 4 yields NPT (𝑎, 𝑏, 𝑏 + 𝑘) satisfying 𝑎2 = 2𝑘𝑏 + 𝑘2 − 1 and 𝑏 = (𝑎2 − 𝑘2 + 1)/2𝑘. If 𝑘=1 then 𝑎 ≡ 0(mod 2) and 𝑏 = −𝑎2 /2 yielding that (𝑎, 𝑏, 𝑏 + 1) is a NPT; say (2, 2, 3), and so forth. If 𝑘=5 then 𝑎 ≡ ±2 (mod 10) and 𝑏 = (𝑎2 − 24)/10 with 𝑎2 > 24 implying that (𝑎, 𝑏, 𝑏 + 5) is a NPT; say (8, 4, 9), and so forth. If 𝑘 = 17 then 𝑎 ≡ ±4 (mod 34) and 𝑏 = (𝑎2 − 288)/34 with 𝑎2 > 288 implying that (𝑎, 𝑏, 𝑏 + 17) is a NPT; say (30, 18, 35), and so forth.

Corollary 5. Let 𝑛 ≡ 0(mod10). If 𝑎 = 𝑛 + 10𝑘 and 𝑏 = 𝑛2 /2 + 10(𝑛 + 5𝑘) for any 𝑘≥0 then (𝑎, 𝑏, 𝑏 + 1) is a NPT.

Almost and Nearly Isosceles Pythagorean Triples

45

The proof is clear. Thus (10, 50, 51), (20, 200, 201), (30, 450, 451), (40, 800, 801), . . . are NPTs, where the list corresponds to the findings in [1]. We now discuss another way to construct NPTs from PPT. Table 3

Table 4

Theorem 6. For any PPT (𝑥, 𝑦, 𝑧), there are NPTs(𝑎, 𝑏, 𝑐)with 𝑐−𝑏=𝑧.

Proof. The PPT (𝑥, 𝑦, 𝑧) can be written as 𝑥=𝑢2 − V2 , 𝑦 = 2𝑢V, and 𝑧=𝑢2 + V2 where 𝑢 > V > 0 are bipartite and gcd(𝑢, V)=1. Let 𝑢 = 2𝑟 and V = 2𝑠 + 1 (𝑟, 𝑠 ∈ N). Clearly 𝑧=𝑢2 + V2 ≡1(mod 4) and 𝑧 is odd. For (𝑎, 𝑏, 𝑏 + 𝑧) to be a NPT, it satisfies 𝑎2 = 2𝑏𝑧 + 𝑧2 − 1 and 𝑏 = (𝑎2 − 𝑧2 + 1)/2𝑧. So 𝑎2 ≡ 𝑧2 −1(mod 2𝑧) implies 𝑎2 ≡ −1 (mod 𝑧) and 𝑎2 ≡ 𝑧2 −1≡0(mod 2).

If 𝑧 is a prime then 𝑎2 ≡ −1 ( mod 𝑧) has integer solutions since 𝑧 ≡ 1(mod4). So with 𝑏 = (𝑎2 − 𝑧2 + 1)/2𝑧, there exists a NPT of the form (𝑎, 𝑏, 𝑏 + 𝑧). On the other hand if 𝑧=𝑝1 ⋅⋅⋅𝑝𝑗 (𝑝𝑖 odd primes, 1≤𝑖≤𝑗), then 𝑧 ≡ 1(mod 4) implies that either every 𝑝𝑖 ≡ 1(mod4) or there are even number of 𝑝𝑖 such that 𝑝𝑖 ≡ −1 (mod 4) for 1≤𝑖≤𝑗. Thus Legendre symbol (−1/𝑧) equals (−1/𝑝1) ⋅ ⋅ ⋅ (−1/ 𝑝𝑗)=1, so 𝑎2 ≡ −1 (mod 𝑧) has integer solutions; hence there is a NPT (𝑎, 𝑏, 𝑏 + 𝑧). The PPT (𝑥, 𝑦, 𝑧) with 𝑧 ≤ 40 are (3, 4, 5), (5, 12, 13), (8, 15, 17), (7, 24, 25), (20, 21, 29), and (12, 35, 37). If 𝑧 = 5, 17, 37 then Table 3 contains the list of NPTs. When 𝑧 = 13, 25, 29, NPTs are as shown in Table 4.

46

Number Theory with Applications to Cryptography

An APT (𝑎, 𝑏, 𝑐)satisfying 𝑎=𝑏 is called an isosceles APT (iso-APT). Analogously an iso-NPT is defined. Though there is no isosceles PT, there are many iso-APTs and iso-NPTs. Indeed iso-APT and iso-NPT (𝑎, 𝑎, 𝑐) satisfy 𝑎2 + 𝑎2 = 𝑐2 ± 1, so that the pair (𝑎, 𝑐) is an integer solution of 2𝑥2 − 𝑦2 = ±1, which is the Pell polynomial. If (𝑎1, 𝑐1), (𝑎2, 𝑐2) are integer solutions of 2𝑥2 − 𝑦2 = −1 then (3) Shows that (𝑎1𝑐2 + 𝑎2𝑐1, 2𝑎1𝑎2 + 𝑐1𝑐2) satisfies 2𝑥 − 𝑦 = −1. If (𝑎1, 𝑐1), (𝑎2, 𝑐2) are roots of 2𝑥2 − 𝑦2 = 1 then (𝑎1𝑐2 + 𝑎2𝑐1, 2𝑎1𝑎2 + 𝑐1𝑐2) holds 2𝑥2 − 𝑦2 = −1. 2

2

Let us define a multiplication (𝑎1, 𝑐1)(𝑎2, 𝑐2) by (𝑎1𝑐2 + 𝑎2𝑐1, 2𝑎1𝑎2 + 𝑐1𝑐2) [7]. For example, a root (2, 3) of 2𝑥2 − 𝑦2 = −1 yields (2, 3)2 = (12, 17) satisfying 2𝑥2 − 𝑦2 = −1. And a root (5, 7) of 2𝑥2 − 𝑦2 = 1 shows that (5, 7)2 = (70, 99) holds 2𝑥2 − 𝑦2 = −1. So the first few nonnegative solutions of 2𝑥2 − 𝑦2 = ±1 are (4) where the subscripts +, − indicate solutions of 2𝑥2 − 𝑦2 = ±1, respectively

Theorem 7. Let 𝑠𝑛 = (𝑎𝑛, 𝑏𝑛) for 𝑠𝑛+1 = 2𝑠𝑛 + 𝑠𝑛−1 with 𝑠0 = (0, 1), 𝑠1 = (1, 1). Then the following hold.

(1) 𝑎𝑛+1 = 𝑎𝑛 + 𝑐𝑛 and 𝑐𝑛+1 = 𝑎𝑛+1 + 𝑎𝑛 and 2𝑎𝑛𝑎𝑛−1 − 𝑐𝑛𝑐𝑛−1 = (−1) . So 𝑆 = {𝑠𝑛}≥0 is a sequence of solutions of 2𝑥2 − 𝑦2 = (−1)𝑛+1.

(2) Let 𝐴=

. Then 𝑠𝑛 = 𝑠𝑛−1𝐴=𝑠0𝐴𝑛 by considering 𝑠𝑛 as a matrix.

(3) Let 𝑆+, 𝑆− be subsets of 𝑆 consisting of 𝑠𝑛+, 𝑠𝑛−, respectively. If 𝑠𝑛 ∈ 𝑆± then 𝑠𝑛+1 ∈ 𝑆∓ and 𝑠𝑛+2 ∈ 𝑆±.

Proof. The recurrence 𝑠𝑛+1 = 2𝑠𝑛 + 𝑠𝑛−1 shows (𝑎𝑛+1, 𝑐𝑛+1) = (2𝑎𝑛 + 𝑎𝑛−1, 2𝑐𝑛 + 𝑐𝑛−1). So 𝑎2 = 2𝑎1 + 𝑎0 =2=𝑎1 + 𝑐1 and 𝑐2 = 2𝑐1 + 𝑐0 =3=𝑎2 + 𝑎1. Hence if we assume 𝑎𝑛 = 𝑎𝑛−1 + 𝑐𝑛−1 and 𝑐𝑛 = 𝑎𝑛 + 𝑎𝑛−1 then 𝑎𝑛+1 = 2𝑎𝑛 + 𝑎𝑛−1 = 𝑎𝑛 + (𝑎𝑛 + 𝑎𝑛−1) = 𝑎𝑛 + 𝑐𝑛 and 𝑐𝑛+1 = (2𝑎𝑛 + 𝑎𝑛−1)+𝑎𝑛 = 𝑎𝑛+1 + 𝑎𝑛.

Almost and Nearly Isosceles Pythagorean Triples

47

Clearly 𝑠𝑖 = (𝑎𝑖, 𝑐𝑖) (1≤𝑖≤3) are solutions of 2𝑥2 − 𝑦2 = (−1)+1, and 2𝑎𝑖𝑎𝑖−1 − 𝑐𝑖𝑐𝑖−1 = (−1)𝑖 . If (𝑎𝑖, 𝑐𝑖) satisfies the identities for 𝑖≤𝑛 then

(5) Now 𝑠0𝐴 = (1, 1) = 𝑠1 and 𝑠1𝐴 = (2, 3) = 𝑠2 = 𝑠0𝐴 . So if we assume 𝑠𝑛−1𝐴=𝑠𝑛 = 𝑠0𝐴𝑛 then 𝑠0𝐴𝑛+1 = 𝑠𝑛𝐴 = (𝑎𝑛 + 𝑐𝑛, 2𝑎𝑛 + 𝑐𝑛) = (𝑎𝑛+1, 𝑐𝑛+1)=𝑠𝑛+1. 2

Moreover

for

𝑠𝑛

=

(𝑎𝑛,

𝑐𝑛),+1

=

.

(𝑎𝑛+𝑐𝑛,

Similarly

2𝑎𝑛+𝑐𝑛)satisfies

from

𝑠𝑛+2

=

. Thus if . This completes the proof. Corollary 8. Let (𝑎1, 𝑎1, 𝑐1) (𝑖 = 1, 2) be either iso-NPTs or iso-APTs. Define a multiplication by (𝑎1, 𝑎1, 𝑐1)(𝑎2, 𝑎2, 𝑐2) = (𝑎1𝑐2 + 𝑎2𝑐1, 𝑎1𝑐2 + 𝑎2𝑐1, 2𝑎1𝑎2 + 𝑐1𝑐2). Then the multiplication of iso-NPTs (or iso-APTs) yields an iso-NPT. And the multiplication of iso-APT and iso-NPT yields an iso-APT.

The corollary about iso-APT and iso-NPT follows immediately. Hence sets 𝑆− and 𝑆+ yield iso-NPTs {(2, 2, 3), (12, 12, 17), (70, 70, 99), (408, 408, 577), . . .} and iso-APTs {(1, 1, 1), (5, 5, 7), (29, 29, 41), (169, 169, 239), . . .}.

ALMOST ISOSCELES PYTHAGOREAN TRIPLE The nonexistence of isosceles integer solution of 𝑥2 + 𝑦2 = 𝑧2 intrigues investigations for finding solutions that look more and more like isosceles. By an almost isosceles pythagorean triple (AI-PT), we mean an integer solution (𝑎, 𝑏, 𝑐) of 𝑥2 + 𝑦2 = 𝑧2 such that 𝑎 and 𝑏 differ by only 1. The triples (3, 4, 5), (20, 21, 29), (119, 120, 169), and (696, 697, 985) are typical examples of AI-PT.

48

Number Theory with Applications to Cryptography

Let(𝑎, 𝑏, 𝑐) be an AI-PT with 𝑏 = 𝑎+1. If 𝑐 = 𝑏+𝑘 for 𝑘 ∈ N then 𝑎2 + (𝑎 + 1)2 = (𝑎 + 1 + 𝑘)2 , so 𝑎2 − 2𝑘𝑎 − (𝑘2 + 2𝑘) = 0. The solution 𝑎 = 𝑘± √2(𝑘 + 1) is an integer if 2𝑘(𝑘 + 1) is a perfect square. In fact, if 𝑘=1 then 2(𝑘 + 1) = 4, so 𝑎=3, 𝑏=4 yields an AI-PT (3, 4, 5). Let 2(𝑘 + 1) = 𝑢2 for Table 5

𝑢 ∈ N. Then 𝑢2 − 2𝑘2 − 2𝑘 = 0, so 2𝑢2 − (2𝑘 + 1)2 = −1. If V = 2𝑘 + 1 then 2𝑢2 − V2 = −1, so the pairs (𝑢, V) correspond to the pairs (𝑢𝑛, V𝑛)∈𝑆− in Theorem 7. Hence the set 𝑆− = {(2, 3), (12, 17), (70, 99), . . .} together with 𝑘𝑛 = (V𝑛 − 1)/2, 𝑎𝑛 = 𝑢𝑛 + 𝑘𝑛, 𝑏𝑛 = 𝑎𝑛 + 1, and 𝑐𝑛 = 𝑏𝑛 + 𝑘𝑛 provides Table 5 of AI-PT (𝑎𝑛, 𝑏𝑛, 𝑐𝑛).

Theorem 9. (1) When (𝑢𝑛, V𝑛)∈𝑆−, let 𝑎𝑛 = 𝑢𝑛+(1/2)(V𝑛−1), 𝑏𝑛 = 𝑢𝑛 + (1/2) (V𝑛 + 1), and 𝑐𝑛 = 𝑢𝑛 + V𝑛. Then (𝑎𝑛, 𝑏𝑛, 𝑐𝑛) is an AI-PT with 𝑐𝑛 − 𝑏𝑛 = (1/2) (V𝑛 − 1). (2) If (𝑢𝑛, V𝑛)∈𝑆+ then (𝑎𝑛, 𝑏𝑛, 𝑐𝑛) is an AI-PT for 𝑎𝑛 = (1/2)(V𝑛 − 1), 𝑏𝑛 = (1/2)(V𝑛 + 1), and 𝑐𝑛 = 𝑢𝑛. Proof. If (𝑢𝑛, V𝑛)∈𝑆− then V𝑛 is odd since V𝑛 = 2V𝑛−1 +V𝑛−2 in Theorem 7. So if we let 𝑘𝑛 = (1/2)(V𝑛 − 1) then 𝑎𝑛 = 𝑢𝑛 + 𝑘𝑛, 𝑏𝑛 = 𝑎𝑛 + 1, and 𝑐𝑛 − 𝑏𝑛 = (𝑢𝑛 + V𝑛)−𝑢𝑛 − (1/2)(V𝑛 + 1) = (1/2)(V𝑛 − 1) = 𝑘𝑛. Thus

(6)

Almost and Nearly Isosceles Pythagorean Triples

49

since (𝑢𝑛, V𝑛)∈𝑆− satisfies . So (𝑎𝑛, 𝑏𝑛, 𝑐𝑛) is an AI-PT. Similarly Theorem 7 says if (𝑢𝑛, V𝑛)∈𝑆+ then (𝑢𝑛−1, V𝑛−1)∈𝑆−, where

(7) Hence by letting 𝑎𝑛 = −𝑢𝑛+V𝑛+(1/2)(2𝑢𝑛−V𝑛−1) = (1/2)(V𝑛− 1), 𝑏𝑛 = −𝑢𝑛 + V𝑛 + (1/2)(2𝑢𝑛 − V𝑛 + 1) = (1/2)(V𝑛 + 1), and 𝑐𝑛 = −𝑢𝑛 + V𝑛 + 2𝑢𝑛 − V𝑛 = 𝑢𝑛, (1) implies that (𝑎𝑛, 𝑏𝑛, 𝑐𝑛) is an AI-PT.

Table 5 can be compared to the results in [2, 3]. A feature here is that we first generate infinitely many isoNPTs (𝑢𝑛, 𝑢𝑛, V𝑛) and then find AI-PTs (𝑢𝑛 + (V𝑛 − 1)/2, 𝑢𝑛 + (V𝑛 + 1)/2, 𝑢𝑛 + V𝑛). For instance, (𝑢𝑛, V𝑛) = (5, 7), (29, 41), (169, 239) in 𝑆+ produce AI-PTs(3, 4, 5), (20, 21, 29), (119, 120, 169), respectively, by Theorem 9. Moreover Pell sequence provides iso-APT, isoNPT, and AI-PTs. Theorem 10. Let {𝑃𝑛} be the Pell sequence with 𝑃0 = 0 and 𝑃1 = 1

(1) (𝑃𝑛, 𝑃𝑛, 𝑃𝑛−1 + 𝑃𝑛) is an iso-APT if 𝑛 is odd; otherwise it is an iso-NPT

(2) ((1/2)(𝑃𝑛 + 𝑃𝑛+1 − 1), (1/2)(𝑃𝑛 + 𝑃𝑛+1 + 1), 𝑃𝑛+1) with even 𝑛 and ((1/2) (𝑃𝑛−1+𝑃𝑛−1), (1/2)(𝑃𝑛−1+𝑃𝑛+1), 𝑃𝑛) with odd 𝑛 are AI-PTs. Proof.

Let

,

and

it

is

easy

to

see

𝐴𝑛

= .

shows (1) due

Hence the determinant to Theorem 7.

For (2), clearly 𝑠𝑛 = 𝑠0𝐴𝑛 = (𝑃𝑛, 𝑃𝑛−1 + 𝑃𝑛) and 𝑃𝑛−1 + 𝑃𝑛 is odd. If 𝑛 is even then 𝑠𝑛 ∈ 𝑆−, so by Theorem 9 we may let

(8)

50

Number Theory with Applications to Cryptography

So we have an AI-PT (𝑎𝑛, 𝑏𝑛, 𝑐𝑛). Now if 𝑛 is odd then 𝑠𝑛 ∈ 𝑆+. Again by Theorem 9, we have an AI-PT (𝑎𝑛, 𝑏𝑛, 𝑐𝑛) with 𝑎𝑛 = (1/2)(𝑃𝑛 + 𝑃𝑛−1 − 1), 𝑏𝑛 = (1/2)(𝑃𝑛 + 𝑃𝑛−1 + 1), and 𝑐𝑛 = 𝑃𝑛.

There are infinitely many iso-APTs and iso-NPTs by means of Pell sequence, where their corresponding pairs are regarded as solutions of 2𝑥2 − 𝑦2 = ±1. Moreover infinitely many AI-PTs (𝑎, 𝑏, 𝑐) arose from Pell sequence are solutions of 𝑥2 + 𝑦2 = 𝑧2 with 𝑏−𝑎=1. Indeed, due to Theorem 10, if 𝑛=9 then (𝑃9, 𝑃9, 𝑃8+𝑃9) = (985, 985, 1393)satisfies 𝑥2 +𝑦2 = 𝑧2 + 1, so it is an isoAPT, while ((1/2)(𝑃8 + 𝑃9 − 1), (1/2)(𝑃8 + 𝑃9 + 1), 𝑃9) = (696, 697, 985) meets 𝑥2 + 𝑦2 = 𝑧2 , so it is an AI-PT. On the other hand if 𝑛 = 10 then (𝑃10, 𝑃10, 𝑃9 + 𝑃10) = (2378, 2378, 3363) is an iso-NPT satisfying 𝑥2 + 𝑦2 = 𝑧2 − 1, while ((1/2)(𝑃10 + 𝑃11 − 1), (1/2)(𝑃10 + 𝑃11 + 1), 𝑃11) = (4059, 4060, 5741) is an AI-PT satisfying 𝑥2 + 𝑦2 = 𝑧2 . Besides Pell sequence, Fibonacci sequence is also useful to generate AI-PT. Horadam [8] proved that the four Fibonacci numbers {𝐹𝑛, 𝐹𝑛+1, 𝐹𝑛+2, 𝐹𝑛+3}

generate a PT 𝑇𝑛 = = {(3, 4, 5), (5, 12, 13), (16, 30, 34), (39, 80, 89), (105, 208, 233), . . .} are all PTs. As a generalization, we say a sequence {𝑓𝑛}is Fibonacci type if 𝑓𝑛+𝑓𝑛+1 = 𝑓𝑛+2 with any initials 𝑓1 and 𝑓2. Clearly {𝑓𝑛} = {𝐹𝑛} if 𝑓1 = 𝑓2 = 1, and any four Fibonacci type numbers 𝑏−𝑎, 𝑎, 𝑏, and 𝑏+𝑎 (𝑏>𝑎>0) yield a PT (𝑏2 − 𝑎2 , 2𝑎𝑏, 𝑏2 + 𝑎2 ), Euclid’s formula. Let us consider Fibonacci type numbers and their corresponding PTs: (9) In particular if 𝑎=1 and 𝑏=2, we have

(10)

And we notice that middle two terms of {𝑓𝑛} are consecutive Pell numbers and the corresponding PT 𝑇𝑛 are all AI-PT.

Theorem 11. Let 𝑎=𝑃𝑛, 𝑏=𝑃𝑛+1 be Pell numbers. Then the PT generated by four Fibonacci type numbers 𝑏 − 𝑎, 𝑎, 𝑏, and 𝑏+𝑎 is an AI-PT

Proof. Consider four Fibonacci type numbers{𝑏−𝑎, 𝑎, 𝑏, 𝑏+𝑎} and its generated triple 𝑇𝑛. We have seen that 𝑇𝑛 are all AI-PT if 1≤𝑛≤4. Now let

Almost and Nearly Isosceles Pythagorean Triples

51

𝑇𝑛 = (𝑥𝑛, 𝑦𝑛, 𝑧𝑛) be the PT generated by {𝑃𝑛+1 − 𝑃𝑛, 𝑃𝑛, 𝑃𝑛+1, 𝑃𝑛+1 + 𝑃𝑛} for

any 𝑛>0. Since 𝑥𝑛 = hard to see that

, it is not

(11) due to the determinant of 𝐴𝑛 in Theorem 10. Thus 𝑇𝑛 is an AI-PT.

Like for triples (𝑥, 𝑦, 𝑧) satisfying |𝑦 − 𝑥| = 1, it is worth asking for triples (𝑥, 𝑦, 𝑧) satisfying |𝑦 − 𝑥| = 𝑘 for 𝑘 ∈ . For instance, the Fibonacci type numbers {1, 1, 2, 3}, {1, 2, 3, 5}, and {1, 3, 4, 7} produce PTs (𝑥, 𝑦, 𝑧) = (3, 4, 5), (5, 12, 13), (7, 24, 25), respectively, where 𝑦 − 𝑥 = 1, 7, 17. Theorem 12. For any positive integer 𝑘, there are infinitely many PTs (𝑥, 𝑦, 𝑧) satisfying |𝑦 − 𝑥| = 2𝑘2 − 1. Proof. We assume 𝑎1 = 1 and 𝑏1 = 𝑘. Fibonacci type numbers .

Table 6

Secondly if 𝑎2 = 𝑎1 + 2𝑏1, 𝑏2 = 𝑎1 + 𝑏1 then Fibonacci type

numbers{𝑎2, 𝑏2, 𝑎2+𝑏2, 𝑎2+2𝑏2} yield a PT

. . As-

Now for any 𝑛>1, let

sume

that

the

PT

generated

by

Fibonacci

type

. Then the next PT erated by

forms

numbers gen-

52

Number Theory with Applications to Cryptography

(12)

And we also have

(13) So we have infinitely many PTs (𝑥𝑛, 𝑦𝑛, 𝑧𝑛) such that |𝑦𝑛 − 𝑥𝑛| = 2𝑘2 − 1. If are as shown in Table 6.

ACKNOWLEDGMENTS This work was supported by 2016 HanNam University Research Fund.

Almost and Nearly Isosceles Pythagorean Triples

53

REFERENCES 1. 2.

3.

4.

5. 6. 7. 8.

O. Frink, “Almost pythagorean triples,” Mathematics Magazine, vol. 60, no. 4, pp. 234–236, 1987. C. C. Chen and T. A. Peng, “Classroom note. Almost isoceles right angled triangle,” Australasian Journal of Combinatorics, vol. 11, pp. 263–267, 1995. R. H. Dye and R. W. Nickalls, “82.9 A new algorithm for generating pythagorean triples,” The Mathematical Gazette, vol. 82, no. 493, pp. 86–91, 1998. T. W. Forget and T. A. Larkin, “Pythagorean triads of the form x,x+1,z described by recurrence sequences,” The Fibonacci Quarterly, vol. 6, no. 3, pp. 94–104, 1968. G. Hatch, “Pythagorean triples and triangular square numbers,” The Mathematical Gazette, vol. 79, no. 484, pp. 51–55, 1995. M. A. Nyblom, “A note on the set of almost-isosceles right-angled triangles,” The Fibonacci Quarterly, vol. 36, no. 4, pp. 319–322, 1998. D. Burton, Elementary Number Theory, McGraw Hill Education, 2010. A. F. Horadam, “Fibonacci number triples,” The American Mathematical Monthly, vol. 68, pp. 751–753, 1961.

Chapter 5

A Public Key Cryptosystem based on Diophantine Equations of Degree Increasing Type Shinya Okumura Kyushu University, 744, Motooka, Nishi-ku, 819-0395 Fukuoka, Japan

ABSTRACT In this paper we propose a new public key cryptosystem based on diophantine equations which we call of degree increasing type. We use an analogous method to the “Algebraic Surface Cryptosystem” (ASC) proposed by Akiyama, Goto and Miyake. There are two main differences between our cryptosystem and ASC. One of them is to twist a plaintext by using some modular arithmetic to increase the number of candidates of the plaintext in order to complicate finding the correct plaintext. Another difference is to use a polynomial of degree increasing type to recover the plaintext uniquely even if the plaintext was twisted. Although we have not been able to give a security proof, we give some discussions on how secure our cryptosystem is Citation: Shinya Okumura “A public key cryptosystem based on Diophantine equations of degree increasing type” Pacific Journal of Mathematics for Industry 2015 7:4 https://doi. org/10.1186/s40736-015-0014-4 Copyright © 2015 Okumura; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons. org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.

56

Number Theory with Applications to Cryptography

against known attacks including the ideal decomposition attack, which can break the one-wayness of ASC. Keywords: Diophantine equation; Post quantum cryptography; Public key cryptography

INTRODUCTION After Diffie and Hellman proposed the concept of public key cryptography [11], the theory of cryptography has been developed rapidly and has contributed to the security of networks. This cryptosystem is based on computationally hard problems, for example factorization of large integers and computation of discrete logarithm in large finite groups. The most famous public key cryptosystems are the RSA cryptosystem [27] and elliptic curve cryptosystem [17,22]. Although these cryptosystems have been studied by many researchers, efficient attacks have not been found in general. However, Shor showed that factorization of integers and computation of discrete logarithm are done efficiently by using quantum computers [28]. So it is important to find new computationally hard problems which are intractable even with quantum computers and can be used to construct cryptosystems. We expect that the diophantine problem is one of such problems. This problem is to find integral or rational solutions of a given multivariate polynomial with integer coefficients. Despite many researchers’ endeavor Correspondence: [email protected] Kyushu University, 744, Motooka, Nishi-ku, 819-0395 Fukuoka, Japan (see e.g. [14]), this problem is usually a very difficult problem. Moreover Matijasevic showed that there is no general method which determines the solvability of an arbitrary diophantine equation [10]. On the other hand, for any integers a1, a2, ··· ,

[ x1, ··· , xn] with an, it is easy to find a polynomial X(x1, ··· , xn) ∈ X(a1, a2, ··· , an) = 0 (see section 3.4.1). So we can expect that diophantine equations can be used to construct a new public key cryptosystems. Indeed some cryptosystems based on this problem have already been proposed [15,19,34]. But the one-wayness of the cryptosystem proposed in [19] was broken [9]. On the other hand, cryptosystems in [15,34] are interesting in theory, but these cryptosystems can be used only a few times with the same key ([15], Proposition 2). We can also consider the diophantine problem over global function fields. This problem is also hard and it is proved that there is no general method

A Public Key Cryptosystem based on Diophantine Equations of....

57

which determines the solvability of an arbitrary diophantine equation [25]. The Algebraic Surface Cryptosystem (ASC) proposed in [1] is based on the hardness of the section finding problem (SFP) which can be viewed as a diophantine problem over [ t] (or (t)). More precisely, let p be a prime number and X(x, y, t) ∈ [ x, y, t] a polynomial which defines a surface S

over the affine t-line. The SFP is to find ux(t), uy(t) with a fibration ∈ [ t] such that X(ux(t), uy(t), t) = 0.

In number theory, there are many analogous problems between number fields and function fields. There are many cases where problems over function fields have been solved while the corresponding problems have hardly been solved. For example, there is an algorithm to factorize elements of [ t] in probabilistic polynomial time [2,7], while the best known algorithm (the general number field sieve) for fuctorization in

takes subexponen-

tial time and N is an integer which we want to factorize [18]. The Riemann Hypothesis for function fields was proved by André Weil [33], while the Riemann Hypothesis for still seems far beyond our reach. The abc conjecture for function fields (the Mason-Stothers Theorem) was proved in [21,29], while a proof of the was announced just a few years ago by Shinichi Moabc conjecture for chizuki [23]. In this paper we consider diophantine equations of degree increasing type (see Definition 3.1) over integers and propose a new public key cryptosystem whose security relies on the hardness to find a rational solution to them. In our cryptosystem we use a polynomial satisfying certain conditions as public keys and integers a1, ··· , an satisfying as secret keys. Our method is to mix a plaintext (this is a polynomial) with other polynomials and cover the mixed polynomial with public key. To recover the plaintext we use secret keys and some modular arithmetic. This method is analogous to ASC except for using modular arithmetic. Although the one-wayness of ASC was broken by the ideal decomposition attack [12], our analysis (section 4) shows that our cryptosystem has resistance against some possible attacks including the ideal decomposition attack. However, we have not been able to give a security proof of it. Finally, we estimate the size of keys of our cryptosystem. This paper aims to design a scheme with 128 bit-security level. Our estimation

58

Number Theory with Applications to Cryptography

shows that if we use integers d, e and a diophantine equation with n variables and total degree w as the public key, then the size of the secret key is at most

bits and the size of the

public key is at most bits. We also estimate the size of ciphertexts to be at most bits. This paper is organized as follows: In section 2 we give a brief review of ASC and known attacks against it. In section 3 we describe our cryptosystem including some remarks on it and give a method to construct a diophantine equation of degree increasing type with a given solution. In section 4 we analyze its security against some possible attacks. In section 5 we estimate the size of keys and ciphertexts under some assumptions. In section 6 we give some examples of the size of keys and ciphertexts together with the time which it took to encrypt and decrypt.

REVIEW OF ASC In this section we give a brief review of ASC and known attacks against it (for details, see [1]). Let p be a prime number. The ASC makes use of a section to a fibration of an algebraic surface to the afine line over .

Notation Let p be a prime number and

a finite field with p elements. For a

polynomial define

For two subsets

we

we define

This means that if . For each ideal J = (f1, ... , fn) ⊂ [ x, y, t], each polynomial g ∈ [ x, y, t] and each monomial ordering 0, the greatest common divisor of H1 and H2. If gcd(g, d) > 1, then we replace g by , then gcd(g, d) = 1 (cf. Remark 3.6.3). 3. Compute

. Note that if (mod g). Note that if

and g divides

Note that 4. Recover

, then we have

(cf. Remark 3.6.4). by RA which we will describe below.

Recovering Algorithm (RA) We describe a method to recover Input : Output :

. Let N, d, e and

. or “false”.

1. Compute 2. Let

be the maximal element of

. Compute

be as above.

Number Theory with Applications to Cryptography

70

3. If

, then return

. Otherwise, let . Put

the maximal element of , then replace turn “false”. 4. Go back to step 2.

by

, respectively. Otherwise, re-

Proposition 3.4. If Proof.

We

, then RA returns

assume

.

that . Because

we have

be

is of degree increasing type,

. It implies that

Because ld(m) < d, we have

Thus,

. Because

is of degree in-

. It implies that we can get

creasing type, we have as above. Similarly, we can get

.

Remark 3.5. We give some remarks on our cryptosystem. 1. If d = p is a prime number, we may choose e = p and e’ = 1. 2. We should choose d so that the computation of ϕ(d) is easy. For example, if d is a prime number, then ϕ(d) = d − 1.

Improvement in Recovering Algorithm In

step

2

of

the

decryption

process

we

can

write

g

=

A Public Key Cryptosystem based on Diophantine Equations of....

71

, then, in step 3, g may not . If so, both are not equal to . Then RA will return “false” with high probability because d

divide

and hence becomes ≥ 2 in the middle of the is large, process of RA. In this case we must take the following steps: 1. If RA returned “false”, then we choose a positive integer M and construct . the set 2. If , then we choose an element x ∈ F(g, M) and remove x from F(g, M). Otherwise, go back to step 1 and choose an integer which is larger than M. 3.

Compute

and

. 4. If RA returned “false” again, then go back to step 2. We describe the reason why RA returns “false” with high probability

if

we

do

not

get , we have always

. Thus in this case RA does not return “false” even if we do not get . On the other hand if is satisfied in the middle of the process of RA and then RA returns “false” with high probability, if we do not get the success probability of decryption.

. Thus we need to improve

Remark 3.6. 1. In step 3 of the decryption process, we require that to get . To satisfy this condition we impose the condition of step 3 in the encryption process on ld(f ). Note that the fact that X is of degree increasing type also helps to satisfy , because

, if X is of

degree increasing type. Thus, if then because

is satisfied with high probability . We also note that we can estimate whether or not by the same reason with high probability.

72

Number Theory with Applications to Cryptography

2. If , then the argument in . So in Remark 3.6.1 is not correct because this case and f should be chosen so that a1, ... , an > 0 and, for each , the absolute value of the i-th coefficient of f is larger than that of the monomial

of

to satisfy

.

to compute the inverse el3. We need to have ement of d (mod g). We show that this condition is satisfied. Let be the maximal element of . It follows from the expression

that if

, then

is divisible by d’ be-

is satisfied, and cause gcd d. This contradicts our assumption because we assume step 3 of the encryption process. 4. We also need to have this condition is satisfied. Let

that if

is divisible by in

to recover m. We show that be as above. It follows from the expression

is divisible by d. This is a contradic-

tion because implies . 5. Recall that the t in section 3.5 is troublesome if it is large. We experimented 100000 times on the value of t for each set of parameters in the following tables. According to these results, we can expect that t is smaller than 1000 in practical time with with high probability. So we can get high probability. However, we do have t >> 1000, though it happens with low probability. In this case we would not be able to decrypt the plaintext in practical time by the simple trial. Thus if we want to design a scheme with lower probability of decryption failure, we need an efficient integer factorization algorithm in the above steps Tables 1, 2 and 3.

A Public Key Cryptosystem based on Diophantine Equations of....

73

SECURITY ANALYSIS In this section although we have not been able to give a security proof, we analyze the effectiveness of some possible attacks for the one-wayness of our cryptosystem. Table 1: Quantities of t for |t| < 100

We also discuss the sizes of d, e and N to achieve 128 bit-security. First, we note that the attacks against ASC described in section 2.6 are applicable also to our cryptosystem.

Reduction to Solving a Multivariate Equation System I Let

where are variables. One may be able to get f by solving the following quadratic equation system (5) The number of variables of the system is smaller than that of the system in section 2.6.1, but experimentally a Gröbner basis of the ideal generated by the coefficients of F1−F2−(s’ f’ +r’ X) consists of quadratic polynomials and there is no known general algorithm to solve a multivariate quadratic equa-

74

Number Theory with Applications to Cryptography

tion system over

in polynomial time. So solving the system would

not be easy. Moreover, if

, then the equalities

where s and t are any integers, show that there are many solutions of the system (5). So we may avoid this attack. Table 2: Quantities of the t for |t| < 1000

Table 3: Quantities of the t for |t| > 10000

Reduction to Solving a Multivariate Equation System II Let be as in section 4.1. Let

where

are

variables. Let be n-tuples of integers. Then we have the following and : multivariate equation system in

A Public Key Cryptosystem based on Diophantine Equations of....

75

(6) One of the methods of solving (6) is to use the Gröbner basis technique. However, if {g1, ··· , gh} is a Gröbner basis of the ideal , experimentally, gi is a cubic or a quadratic polynomial with rational coefficients having large denominators and numerators. Thus, as mentioned in section 4.1, it would not be easy to solve (6). Moreover, for any integers s and t we have

Noting that for 1 ≤ i ≤ 3, we see that there are many possible solutions of (6). Hence, we may suppose that this attack is not efficient if Nd is sufficiently large, say Nd > 2128H(X). Note that it is also possible to compare and to get f , but it would be hard because of the same reason.

Reduction to Solving a Multivariate Equation System III The following attack was suggested by Professor Attila Petho. Let ˝ be as in section 4.2. Let S :=

and define

where Si’s are variables. Then one can apply the similar attack as in section 4.2 to F’’ . However, we may also suppose that this attack is not efficient be a if Nd is sufficiently large, say Nd > 2128H(X). To see this, let . Then we have

random polynomial with

It

implies

that

there

are

many

possible solution to , where are as in section 4.2. Note that S + rX has the same form as S, and have the same form as

and S, respectively.

76

Number Theory with Applications to Cryptography

Reduction by X Since X is made public, one can try to divide F1 − F2 by X to find f in the remainder. But f does not appear in the remainder if and the absolute values of coefficients of f are larger than those of X. So this attack would not be effective.

Rational Point Attack (Solving X = 0) This attack is equivalent to solving the diophantine equation . Although it is hard in general as mentioned in introduction, one may wonder if the diophantine equation may be solvable for X of degree increasing type. However, there are no known general algorithms to solve such diophantine equations in polynomial time. For instance, in [20], it was proved that the problem for determining whether there are positive integer solutions for

where a, b and c are positive integers, is NP-complete. So we may assume that solving the diopantine equations of degree increasing type is hard in general. Next, we discuss more general diophantine problems. If one can find a vector such that , then one can get m by the same process of decryption. The solution is not an integral solution but a rational solution. (Using rational solutions is suggested by Professor Noriko Hirata-Kohno.) However, finding such rational solutions is equivalent to finding integral solutions of know the denominator d, finding rational solutions of to finding integer solutions of the equation

. (If we do not = 0 is reduced in n

+ 1 variables.) If n = 2 and = 0 defines a curve of genus 0, 1 or a hyperelliptic curve, then there are explicit algorithms to find all integral solutions [6,26,30]. Otherwise, in special cases there are some algorithms to find all integral points [3,4]. Moreover, it is believed that in many cases, diophantine equations with two variables are solvable. Theoretically, using Baker’s method and its improvements, explicit upper bounds of the size of solutions to special equations with two variables are known (see [13] and the references given there). (Note that if solutions of a diophantine equation are sufficiently large, then Baker’s method is not practical in general, but we want to use a solution which is as small as possible.) However, no efficient

A Public Key Cryptosystem based on Diophantine Equations of....

77

methods are known to find integral solutions of diophantine equations of n variables with n ≥ 3. So we should use a diophatine equations with at least 3 variables as a public key of our cryptosystem. Note that in case of 3 variables, our experience in arithmetic geometry suggests to use X of degree at least 5, because then the hypersurface in the projective 3-space defined by (the homogenized form of ) X is of general type if it is non-singular (cf. [14], Example F.5.1.7 and section F.5.2).

Solving If we use a single cipher polynomial , where r is an integer such that rX is of degree increasing type, and or a polynomial in , then it can be broken by finding a solution to the congruence equation (7) which can be computable in probabilistic polynomial time. Let tion of (7) and the maximal element of is applicable as follows:

be a solu-

. Then the same method as RA

Similarly, we can compute the other coefficients of m. However, using cipher polynomials of the form we may avoid this weakness because sif obstructs to get

(mod d).

Ideal Decomposition Attack By using the resultant as in section 2.6.4, it is also possible in our case to reconstruct or the ideals I := from the data (F1, F2, X), where z is a new variable and is a prime number. If one can get , then one can get m. A simple method to avoid this attack is to let and

78

Number Theory with Applications to Cryptography

the coefficients of

be larger than H(X). Then

uniquely because

implies

(note that for any from general, we cannot determine know the secret key

cannot be determined ). However, in uniquely even if we

. This reason is as follows: for any

and have the same value at . So, we use modular and use Euler’s theorem as in the exponentiation to transform m into RSA cryptosystem to recover m from in RA. This is the main idea to avoid this attack. Now, we analyze the effectiveness of the ideal decomposition attack in detail. We analyze only the Level 2 and the Level 3 attacks because, experimentally, the Level 1 attack is not efficient. First, we analyze the effectiveness of the ideal decomposition attack of Level 2 (see [12], section 3.2), which uses the ideal decomposition

to reconstruct from the data (F1, F2, X) an ideal J ⊂

which coincides

with . To get , we use the fact that if a Gröbner basis if and only if = 0 (see secof J is computed, then tion 2.6.4 for more detail). But, if , then for any integers s and t, is also satisfied. If the number of choices of the pairs is larger than 2128, we may avoid this attack. All coefficients of and f are smaller than Nd, but in many cases they are as large as Nd, if > Nd. So the possible choices of t may be only 0, 1 or 2. But, if Nd > 2128H(X), the number of the possible choices of s may be larger than 2128. So N should be chosen so that Nd > 2128H(X) and e should be so large that me . In this case, this attack is not assumed to be effective. Note that, because the absolute value of coefficients of f are as large as those of , the above argument implies that choosing N satisfying Nd > 2128H(X) may complicate finding f from the ideal J or I1. Next, we analyze the effectiveness of the ideal decomposition attack of Level 3 (see [12], section 3.3). We assume that d is a prime number. We note , then one can get m. So one does not need to get . It that if one got which coincides with is possible to reconstruct an ideal

A Public Key Cryptosystem based on Diophantine Equations of....

79

from tha data (F1, F2, X) (see the algorithm in 2.6.4). Let are variables for bner basis of

. Assume that a Grö-

is computed. Let J be the ideal of

generated by the coefficients of be a Gröbner basis of J. Then gi is linear with respect to its variables for each 1 ≤ i ≤ h. So we can use linear algebra techniques to solve . Let A be the coefficient matrix of the equation system g1 = ··· = gh = 0. Let D be the dimension of the kernel of the linear map

defined by

A. Then the number of polynomials in having the same form as + z is dD. So if dD > 2128, the Level 3 attack is not effective. Experimentally, D is at least 2. Thus, this attack is not assumed to be effective if d2 ≥ 2128 ( d ≥ 264) . (k ≥ 2 and pi are distinct prime

Next, we assume that

numbers for 1 ≤ i ≤ k). If one got for 1 ≤ i ≤ k, then one can get and m by the Chinese Remainder Theorem. However, because of the above argument we may also avoid this attack, if d is sufficiently large, for for some i, this attack example d2 > 2128. Note that if d = may not be directly applicable, because

is not a domain if ei ≥ 2.

But, it is possible to lift a polynomial

to a polynomial

. There are ways of such a lifting. So we may also avoid this attack, if d is sufficiently large, for example d ≥ 264.

SIZES OF KEYS AND CIPHER POLYNOMIALS In this section we estimate the sizes of keys and cipher polynomials so that our cryptosystem can be expected to have 128 bit-security. First, we estimate the size of a secret key and a public key. A typical brute force attack is as follows: One chooses a random vector (b1, ... , bn−1) and factorize the polynomial of the form

in xn. If for some integer bn, then

has a factor is a solution

80

Number Theory with Applications to Cryptography

to X = 0. If gcd = 1, then using the solution , one can get m by taking the same steps as the decryption process. So we should choose a secret key = (a1, ... , an) such that |ai| is sufficiently large for i = 1, ... , n to avoid the brute force attack. Since the probability that a random integer b is prime to d is

(ϕ(·) is the Euler’s function), the number of choices of the

vector (b1, ... , bn−1) which satisfies secret key so that

is at least

and . Thus we should choose a

(8) for i = 1, ... , n. We assume (8). Let be the maximal element of be as in section 3.4.1. We assume that X is constructed by the method described in section 3.4.1. There are infinitely many solutions of (4). We claim that we can choose a solution and , if the following inequality is satisfied:

(9) To see this, let

then all solutions are given by

is a solution to

for

. Looking

with x > at the first lattice point (x, y) on the line 0, we find a solution (x, y) such that . Thus, we have proved the above claim. In many cases the minimum size of the solutions of (4) satisfies | then we may assume that

are so small that (9) is satisfied,

A Public Key Cryptosystem based on Diophantine Equations of....

81

82

Number Theory with Applications to Cryptography

It implies that the size of 2sif is at most (130 + 130wX + bits. So, it is important to estimate , Table 4: Size of keys of our cryptosystem

explicitly. We assume

. Then we can write

It implies that

Thus, the size of 2sif is at most

bits. Since 2128+65(wX−1) ≤ N < 2129+65(wX−1) , we conclude that the size of ciphertext is at most

bits.

A Public Key Cryptosystem based on Diophantine Equations of....

83

EXAMPLES In Table 4 and Table 5 we give examples of the size of keys and ciphertexts. In Table 6 we also give examples of the time which it took to encrypt and decrypt. Table 5: Size of ciphertext of our cryptosystem

Table 6: Encryption time and decryption time

We use a computer with 2.80 GHz CPU (Intel(R) Core(TM) i7-3840QM) and 8GB memory. The OS is Windows 8.1 Pro 64 bit. We implemented in Magma V2.19-7 [5] and the source code of our cryptosystem (file name: crypto-okumura.txt) is available at http://imi.kyushu-u.ac.jp/˜s-okumura/.

CONCLUSION In this paper we have proposed a new public key cryptosystem based on

84

Number Theory with Applications to Cryptography

diophantine equations and analyzed its security. It is a number field analogue of the ASC, incorporating a key idea, to avoid some attacks, of “twisting” the plaintext by using some modular arithmetic and Euler’s theorem as in the RSA cryptosystem. Another key idea is to use a polynomial, as the public key, of degree increasing type to recover the plaintext. In this paper we have not studied the hardness of solving diophantine equations of degree increasing type. Investigating the security of our cryptosystem by using this special type of diophantine equations is a future work.

Endnotes The size of ai should be for i = 1, ... , n, where ϕ(·) is the Euler function and d is an integer which we will choose below. (For the reason of this choice, see section 5). a

The sizes of d and e should be d ≥ 264 and e ≥ 129 + 65w, respectively. (For the reason of this choice, see section 5).

b

ACKNOWLEDGEMENTS I am grateful to my supervisor Yuichiro Taguchi for comments, corrections, and suggestions on this research. I am also grateful to Koichiro Akiyama, Noriko Hirata-Kohno, Attila Petho, Takakazu Satoh and Tsuyoshi Takagi for ˝ useful comments, suggestions and discussions.

A Public Key Cryptosystem based on Diophantine Equations of....

85

REFERENCES 1.

2. 3. 4. 5. 6.

7. 8.

9. 10.

11. 12.

13.

Akiyama, K., Goto, Y., Miyake, H.: An algebraic surface cryptosystem. In: Proceedings of PKC’09, Lecture Notes in Comput. Sci., vol. 5443, pp. 425–442. Springer, Berlin Heidelberg (2009). Berlekamp, E.R: Factoring polynomials over large finite fields. Math. Comput. 24, 713–735 (1970). Beukers, F., Tengely, S.: An implementation of Runge’s method for Diophantine equations, (2005). available at arXiv:math/0512418. Bilu, Y.: Effective analysis of integral points on algebraic curves. Israel J. Math. 90, 235–252 (1995). Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24, 235–265 (1997). Bugeaud, Y., Mignotte, S., Siksek, S., Stoll, M., Tengely, S.: Integral points on hyperelliptic curves. Algebra Number Theory. 2, 859–885 (2008). Cantor, D.G, Zassenhaus, H.: On Algorithms for Factoring Polynomials over Finite Fields. Math. of Computation. 36, 587–592 (1981). Cox, D., Little, J., O’Shea, D.: Ideals, varieties, and algorithms: an introduction to computational algebraic geometry and commutative algebra, 3rd., Undergraduate Texts in Mathematics. Springer Verlag, New York (2007). Cusick, T.W: Cryptoanalysis of a public key system based on diophantine equations. Inform. Process. Lett. 56, 73–75 (1995). Davis, M., Matijasevič, Y., Robinson, J.: Hilbert’s tenth problem, Diophantine equations: positive aspects of a negative solution, In: Browder, FE (ed.) Mathematical developments arising from hilbert problems (Proc. Sympos. Pure Math., Vol. XXVIII, Northern Illinois Univ., De Kalb, Ill., 1974), pp. 323–378. (loose erratum) Amer. Math. Soc., Providence, R. I., 1976. Diffie, W., Hellman, M.: New direction in cryptography. Trans. Inf. Theory. 22, 644–654 (1976). Faugére, J.C, Spaenlehauer, P.-J.: Algebraic Cryptanalysis of the PKC’2009 Algebraic Surface Cryptosystem. In: Proceedings of PKC’10, Lecture Notes in Comput. Sci., vol. 6056, pp. 35–52. Springer, Berlin Heidelberg (2010). Győry, K.: Solving Diophantine equations by Baker’s theory. In: A

86

14. 15. 16.

17. 18.

19.

20. 21.

22. 23.

24. 25. 26.

Number Theory with Applications to Cryptography

panorama of number theory of the view from Baker’s garden (Zürich, 1999), pp. 38–72. Cambridge University Press, Cambridge, England (2002). Hindry, M., Silverman, J.H: Diophantine geometry: an introduction, Graduate Texts in Mathematics, 201. Springer, New York (2000). Hirata-Kohno, N., Pethő, A.: On a key exchange protocol based on Diophantine equations. Infocommunications J. 16(2), 168–184 (1987). Iwami, M.: A Reduction Attack on Algebraic Surface Public-Key Cryptosystems. In: Kapur, D (ed.) ASCM 2007. LNCS, vol. 5081, pp. 323–332. Springer, Heidelberg (2008). Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987). Lenstra, A.K, Lenstra, H.W, (ed.): The Development of the Number Field Sieve, Lecture Notes in Mathematics, vol. 1554. Springer-Verlag, Berlin Heidelberg (1993). Lin, C.H, Chang, C.C, Lee, R.CT: A new public-key cipher system based upon the diophantine equations. IEEE Trans. Comp. 44, 13–19 (1995). Manders, K., Adleman, L.: NP-complete decision problems for binary quadratics. J. Comput. Syst. Sci. 24, 713–735 (1970). Mason, R.C: Diophantine Equations over Function Fields, London ematical Society Lecture Note Series, vol. 96. Cambridge University Press, Cambridge, England (1984). Miller, V.S: Use of elliptic curves in cryptography. Abstracts for Crypto. ‘85. Lect. Notes Comput. Sci. 218, 417–426 (1986). Mochizuki, S.: Inter-universal Teichmüller Theory I: Construction of Hodge Theaters, I I: Hodge-Arakelov-theoretic Evaluation, II: Canonical Splittings of the Log-theta-lattice, IV: Log-volume Computations and Set-theoretic Foundations. available at http://www. kurims.kyoto-u.ac.jp/~motizuki/papers-english.html. Ogura, N.: On Multivariate Public-key cryptosystems. PhD thesis, Tokyo Metropolitan University (2012). Pheidas, T.: Hilbert’s tenth problem for fields of rational functions over finite fields. Invent. . 103(1), 1–8 (1991). Poulakis, D., Voskos, E.: On the practical solution of genus zero Diophantine equations. J. Symbolic Comput. 30, 573–582 (2000).

A Public Key Cryptosystem based on Diophantine Equations of....

87

27. Rivest, R.L, Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Commun. ACM. 21, 120– 126 (1987). 28. Shor, P.: Algorithms for Quantum Computation: Discrete Logarithm and Factoring. In: Proc. 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (1994). 29. Stothers, W. W.: Polynomial identities and hauptmoduln. Quart. J. . Oxford Ser. (2). 32(127), 349–370 (1981). 30. Stroeker, R.J, Tzanakis, N.: Computing all integer solutions of a genus 1 equation. . Comput. 72, 1917–1933 (2003). 31. Uchiyama, S., Tokunaga, H.: On the Security of the Algebraic Surface Public-key Cryptosystems (in Japanese). In: Proceedings of of SCIS 2007, CD-ROM 2C1-2 (2009). 32. Voloch, F.: Breaking the Akiyama-Goto algebraic surface cryptosystem. Arithmetic, Geometry, Cryptography and Coding Theory, CIRM meeting (2007). 33. Weil, A.: Sur les courbes algébriques et les variétés qui s’en déduisent. Actualités Sci. Ind., no. 1041; Publ. Inst. . Univ. Strasbourg 7 (1945). Hermann, Paris, 1948. iv+85 pp. 34. Yosh, H.: The key exchange cryptosystem used with higher order Diophantine equations. Int. J. Netw. Secur. Appl. 3, 43–50 (2011)..

SECTION II: THE RIEMANN ZETA FUNCTION AND THE FUNDAMENTAL THEOREM OF ARITHMETIC

Chapter 6

Hamiltonian for the Zeros of the Riemann Zeta Function

Carl M. Bender1, Dorje C. Brody2,3, and Markus P. Müller4,5 1

Department of Physics, Washington University, St. Louis, Missouri 63130, USA

Department of Mathematics, Brunel University London, Uxbridge UB8 3PH, United Kingdom 2

3 Department of Optical Physics and Modern Natural Science, St. Petersburg National Research University of Information Technologies, Mechanics and Optics, St. Petersburg 197101, Russia

Departments of Applied Mathematics and Philosophy, University of Western Ontario, Middlesex College, London, Ontario N6A 5B7, Canada 4

5

The Perimeter Institute for Theoretical Physics, Waterloo, Ontario N2L 2Y5, Canada

ABSTRACT A Hamiltonian operator is constructed with the property that if the eigenfunctions obey a suitable boundary condition, then the associated eigenvalues correspond to the nontrivial zeros of the Riemann zeta function. Citation: Carl M. Bender, Dorje C. Brody, and Markus P. Müller “Hamiltonian for the Zeros of the Riemann Zeta Function” Phys. Rev. Lett. 118, 130201 (2016). https://doi.org/10.1103/ PhysRevLett.118.130201 Copyright © 2016. Published by the American Physical Society under the terms of the Creative Commons Attribution 4.0 International license. Further distribution of this work must maintain attribution to the author(s) and the published article’s title, journal citation, and DOI.

92

Number Theory with Applications to Cryptography

The classical limit of is 2xp, which is consistent with the Berry-Keating conjecture. While is not Hermitian in the conventional sense, i is PT symmetric with a broken PTsymmetry, thus allowing for the possibility that all eigenvalues of are real. A heuristic analysis is presented for the construction of the metric operator to define an inner-product space, on which the Hamiltonian is Hermitian. If the analysis presented here can be made rigorous to show that is manifestly self-adjoint, then this implies that the Riemann hypothesis holds true. The Riemann zeta function ζ(z) is conventionally represented as the sum or the integral

(The integral reduces to the sum if the denominator of the integrand is expanded in a geometric series.) Both representations converge and define ζ(z) as an analytic function when Re(z)>1. These representations diverge when z=1 because the zeta function has a simple pole at z=1. Substituting z=−2n ( n=1,2,3,…) in the reflection formula

shows that the zeta function vanishes when z is a negative-even integer. These zeros of ζ(z) are called the trivial zeros. The Riemann hypothesis [1] states that the nontrivial zeros of ζ(z) lie on the line Re(z)= . This hypothesis has attracted much attention for over a century because there is a deep connection with number theory and other branches of mathematics. However, the hypothesis has not been proved or disproved. Any advance in understanding the zeta function would be of great interest in mathematical science, whether or not one succeeds in finally proving or falsifying the hypothesis. In this Letter, we examine the Riemann hypothesis by constructing and studying an operator that plays the role of a Hamiltonian. The conjectured property of is that its eigenvalues are exactly the imaginary parts of the nontrivial zeros of the zeta function. The idea that the imaginary parts of the zeros of ζ(z) might correspond to the eigenvalues of a Hermitian, self-adjoint operator (assuming the validity of the Riemann hypothesis) is known as the Hilbert-Pólya conjecture. Research into this connection has intensified

Hamiltonian for the Zeros of the Riemann Zeta Function

93

following the observation that the spacings of the zeros of the zeta function on the line Re(z)= and the spacings of the eigenvalues of a Gaussian unitary ensemble of Hermitian random matrices have the same distribution [2–4]. Berry and Keating conjectured that the classical counterpart of such a Hamiltonian would have the form H=xp [5,6]. However, a Hamiltonian possessing this property has hitherto not been found (see [7] for a detailed account of the Berry-Keating program and its extensions). We propose and consider the Hamiltonian (1) Our main findings are as follows. (i) The non-Hermitian Hamiltonian in (1) formally satisfies the conditions of the Hilbert-Pólya conjecture. That is, if the eigenfunctions of are required to satisfy the boundary condition ψn(0)=0 for all n, then the eigenvalues {En} have the property that { (1−iEn)} are the nontrivial zeros of the Riemann zeta function. (ii) The Hamiltonian reduces to the classical Hamiltonian H=2xp when commute, in agreement with the Berry-Keating conjecture. We derive the corresponding boundary condition that leads to the quantization . (iii) Although is not of the Berry-Keating Hamiltonian Hermitian, i is PT symmetric; that is, i is invariant under parity-time reflection (in the sense to be defined), which means that the eigenvalues of i are either real or else occur in complex-conjugate pairs. If i has maximally broken PT symmetry—that is, if all of its eigenvalues are pureimaginary complex-conjugate pairs—then the eigenvalues of are real and the Riemann hypothesis follows. (iv) While is not Hermitian (symmetric) with respect to the conventional L2 inner product, we introduce an alternative inner product such that ⟨ φ,ψ⟩=⟨φ, ψ⟩ for all φ(x) and ψ(x) belonging to the linear span of the eigenstates of . (v) If the Riemann hypothesis is correct, then the eigenvalues of are nondegenerate, and conversely if there are nontrivial roots of ζ(z) for which Re(z)≠ , then the corresponding eigenvalues and eigenstates are both degenerate. Preliminaries.—The Hamiltonian in (1) is a similarity transformation of the formally Hermitian local Hamiltonian via the nonlocal

94

Number Theory with Applications to Cryptography

operator operators

. We must therefore identify properties of the . We work in units for which ℏ=1, so the momentum

is a shift operator if it acts on operator is functions f(x) that have a Taylor series about x with a radius of convergence greater than one. In this case, is a difference operator: (2) Because annihilates unit-periodic functions, it does not have an inverse in the space of all smooth functions. However, we shall be interested in functions that vanish as x→∞. With this in mind, by taking a series expansion we may define

of

as (cf. [8]) (3)

where {Bk} are the Bernoulli numbers [9], with the convention that B1=− . For some functions f(x) this formal series diverges but it is Borel summable. The operator at infinity:

Then

is interpreted as an integral operator with a boundary

defined in (3) has the property that if f(x) vanishes at infinity, then

we have . Eigenfunctions and eigenvalues.—The solutions to the eigenvalue differential equation ψ=Eψ are given in terms of the Hurwitz zeta function (the negative sign is our ψz(x)=−ζ(z,x+1) on the positive half line convention), with eigenvalues i(2z−1). To see this, we multiply the eigenvalue equation ψ=Eψ on the left by . This gives a first-order linear differential equation for the function ψ, whose solution is unique and is given by ψ=x−z for some z∈C, up to a multiplicative constant. To proceed, let us calculate

Hamiltonian for the Zeros of the Riemann Zeta Function

Since obtain the asymptotic series

95

, we set μ=1−z to

(4) which is valid in the limit as x→∞. To obtain the Borel sum [10] of the series, we use the integral representation

where C denotes a Hankel contour that encircles the negative- u axis in the positive orientation [9]. Hence,

Finally, we let u/x=t and get

which we recognize as the negative of the integral representation for the Hurwitz zeta function [9]. (An analogous result was obtained in a different context in [11].) It follows that ψz(x)=−ζ(z,x+1) up to an additive unit-periodic function, but ψ=Eψ implies that the periodic function must be identically zero. We thus deduce that ψz(x)=−ζ(z,x+1) is the solution to the eigenvalue differential equation with eigenvalue i(2z−1): Next, we impose the boundary condition that ψz(0)=0 on the class of functions ψz(x) that satisfy the eigenvalue differential equation. This yields a is similar to a first-order countable set of eigenfunctions of . (Since differential operator, we impose just one boundary condition.) The choice of

96

Number Theory with Applications to Cryptography

the boundary condition ψz(0)=0, as discussed below, is motivated by our requirement that should be symmetric. Because −ψz(0)=ζ(z) is the Riemann zeta function, the boundary condition that we have used implies that z must belong to the discrete set of zeros of ζ(z). The zeros of the Riemann zeta function may be either trivial or nontrivial. It follows from (4) that for the trivial zeros z=−2n ( n=1,2,3,…) we have ψz(x)=−B2n+1(x+1)/(2n+1), where Bn(x) is a Bernoulli polynomial [9]. In this case |ψz(x)| grows like x2n+1 as x→∞. For the nontrivial zeros ψz(x)oscillates and |ψz(x)| grows sublinearly. In particular, it follows from (4) that for large x we have ψz(x)≈x1−z/(1−z). Thus, for the trivial zeros ψz(x) blows up, but for the nontrivial zeros ψz(x)goes to zero as x→∞. The eigenstates associated with the trivial zeros violate the orthogonality relation discussed below, and the eigenstates associated with the nontrivial zeros do not. These indicate that the eigenstates associated with the trivial zeros do not belong to the domain of . Therefore, under the boundary condition ψ(0)=0, the nth eigenstate of the Hamiltonian (1) is ψn(x)=−ζ(zn,x+1); the eigenvalues En=i(2zn−1) are discrete and zn= (1−iEn) are the nontrivial zeros of the Riemann zeta function. The Riemann hypothesis is valid if and only if these eigenvalues are real. The analysis above establishes a complex extended version of the BerryKeating conjecture [12]. We are not able to prove that the eigenvalues of are real; nevertheless, in what follows we present a heuristic analysis that suggests that the eigenvalues are real. Specifically, we first investigate symmetry properties of , which shows that i is PT symmetric and is pseudo-Hermitian. This allows us to obtain a quantization of the Berrythat is isospectral to . We then make Keating Hamiltonian use of the biorthogonality properties of the eigenstates of to introduce an inner product which makes Hermitian. Relation to pseudo-Hermiticity.—To gain some intuition about the reality of the eigenvalues of the Hamiltonian, we remark first that i is PT symmetric [13,14] in the following sense. Under conventional paritytime reflection, if

is a momentum and

is a coordinate, we have PT:

. However, we consider instead the variables where the roles of position

and momentum

are interchanged [15]. We then define

Hamiltonian for the Zeros of the Riemann Zeta Function

97

parity-time reflection as PT: . Therefore, since PT:i→−i, we deduce that i is invariant under this modified PT reflection. It follows that the eigenvalues of i are either real (if the PT symmetry is unbroken in the sense that the associated eigenstates are also eigenstates of PT), or else they form complex-conjugate pairs (if the PT symmetry is broken in the sense that the associated eigenstates are not eigenstates of PT). If the PT symmetry is maximally broken for i , then the eigenvalues of would be real, and the Riemann hypothesis would hold. In our case, since PTψn(x)=ψ−n(x), the PT symmetry is indeed broken for all complex values of zn. (For the trivial zeros the PT symmetry is unbroken.) Let us now assume that the momentum operator

is Hermitian

(symmetric); that is, the action of †agrees with that of on the domain of . Here † denotes the adjoint with respect to the standard inner product on . Then the Hermitian adjoint of

is (5)

Therefore, if we define the operator

according to

which is non-negative, bounded, and Hermitian under the assumption, we get that

; i.e.,

is pseudo-Hermitian in the sense of [16]. Assuming

is Hermitian, there exists an associated Hermitian Hamiltonian

obtained by conjugating

with an operator

satisfying

, that is,

. Letting , we obtain . We include Planck’s constant ℏ explicitly here because it indicates that the linear momentum term is a quantum anomaly; this term vanishes in the classical

limit ℏ→0 [15]. Alternatively, by letting Keating Hamiltonian .

we obtain the Berry-

, whose eigenstates are

The associated Hamiltonian ^h is unique up to unitary transformations, so there are infinitely many formally Hermitian Hamiltonians that are similar to

[12]. If both

and

−1 are positive, bounded, and Hermitian, then

98

Number Theory with Applications to Cryptography

the Hamiltonians

and

are isospectral [17]. Assuming that

tian, these operators are indeed Hermitian and non-negative, but

is Hermi−1 is not

bounded. Nevertheless, we can show by a direct calculation that and are in fact isospectral. Furthermore, since the map from the eigenstates {ψn(x)} of to the eigenstates { n(x)} of is governed by , we can identify the quantization condition for the eigenstates of the associated Hamiltonians explicitly by using the relation . For the Berry-Keating Hamiltonian, the condition ψz(0)=0 leads to

or, equivalently, . Biorthogonal states.—Let us proceed under the assumption that ^p is Hermitian. Because is not Hermitian, its eigenstates {ψn(x)} are not orthogonal. of † we obtain a biorNevertheless, by considering the eigenstates thogonal set of eigenstates [17], provided that † is the Hermitian adjoint of . Bearing in mind that † is the forward difference operator, a calculation and that shows that . Using , we introduce an inner product on the space of functions spanned by {ψn(x)} as follows. For any ψ(x)=∑ncnψn(x)we define its associated state by . The inner product of a pair of such . functions ψ(x) and φ(x) is then defined by ⟨φ,ψ⟩= , we have ⟨φ,ψ⟩= ; that is, the Alternatively stated, since positive Hermitian operator plays the role of the metric (or, equivalently, the CP operator [18]). For in (1) the inner-product space constructed above is not a Hilbert space because, as we will see, the elements of the vector space have infinite norm. are biorthogonal However, the elements of {ψn(x)} and those of provided that {zn} belongs to the nontrivial zeros of the Riemann zeta function. To see this, let us consider the inner product and recalling that

, we find that

. Observing that

Hamiltonian for the Zeros of the Riemann Zeta Function

99

(6) Thus, if (that is, if the Riemann hypothesis is correct), then (6) is a Dirac delta function 4πδ(En−Em). It follows that for m≠n we have (7) in the distributional sense, as required by the biorthogonality condition. In contrast, for the trivial zeros, the integral (6) diverges too rapidly to be interpreted as a tempered distribution. In terms of the inner product introduced above, and assuming that , that mitian (symmetric), we find, using

is Her-

This shows that, from the assumption that is Hermitian, we may conclude that is Hermitian (symmetric) with respect to the new inner product. As a further consequence of (6) and (7), if the Riemann hypothesis is true, then the eigenvalues of are nondegenerate. Conversely, if the Riemann hypothesis is false, then the eigenstates of that correspond to nontrivial zeros for which Re(z)≠12 coalesce to give rise to Jordan block structures in the Hamiltonian. This follows from the fact that at such complex degeneracies (often referred to as exceptional points), the eigenstates satisfy the . These findings may so-called self-orthogonality condition have an implication on whether the zeros of ζ(z) are simple: It is known that if the Riemann hypothesis holds true, then at least 19/27 of the nontrivial zeros are simple [19]. However, if there exists a one-to-one correspondence and the secular between the boundary condition on the eigenstates of equation for the eigenvalues of ^H, then it follows that the validity of the Riemann hypothesis implies that all roots are simple, and conversely any nontrivial zero of ζ(z) for which Re(z)≠12 cannot be simple. Boundary condition revisited.—For finite-dimensional nondegenerate ma-

100

Number Theory with Applications to Cryptography

trices, the biorthogonality relation (7) implies that † defined in (5) is the Hermitian adjoint of . However, in infinite-dimensional vector spaces the completeness of the states {ψn(x)} is required to arrive at this conclusion. Nevertheless, the relation (7) suggests that our Hermiticity assumption of is valid, making

manifestly Hermitian.

Encouraged by this observation, we ask whether the momentum operator is Hermitian (symmetric) on the inner-product space defined above. Because [ , ]=0, the Hermiticity of on ⟨⋅,⋅⟩ follows if the boundary terms vanish under an integration by parts when the elements of {ψn(x)} and those of are paired. Note that diverges at x=0, so ψn(x) must vanish sufficiently fast at x=0to ensure the vanishing of the boundary terms. [The as divergence of {ψn(x)} at x=∞ is compensated by the vanishing of x→∞.] One can verify that imposing ψn(0)=0 is sufficient to guarantee the

vanishing of the boundary term at the origin. Thus, the Hermiticity of ⟨⋅,⋅⟩ follows from the boundary condition ψn(0)=0. Relation to quantum mechanics.—Since the operator

on

is a function of

the canonical variables ( , ), we have referred to it as a Hamiltonian. However, the connection of this Hamiltonian to physical systems is at best tenuous because the eigenstates of in our inner-product space are not normalizable. This is not a concern for our analysis, but in quantum mechanics normalizability is required for a probabilistic interpretation.

A possible way of making a connection to quantum theory is to introduce a regularization scheme, for example, by letting x∈[Λ−1,Λ], renormalizing the states according to ψn(x)→(lnΛ)−1/2ψn(x), and then taking the limit Λ→∞. in the Interestingly, the expectation value of the position operator state ψn(x) for any n in the renormalized theory is Λ/lnΛ, which for large Λ gives the leading term in the counting of prime numbers smaller than Λ. Discussion.—We have presented a formal argument showing that the in (1), whose classical limit is 2xp, eigenvalues of the Hamiltonian correspond to the nontrivial zeros of the Riemann zeta function. Identifying remains a difficult and open problem. We hope that the domain of further analysis of the properties of , such as identifying its domain and establishing its self-adjointness, will prove the reality of the eigenvalues, and thus the veracity of the Riemann hypothesis. The possibility of extending the

Hamiltonian for the Zeros of the Riemann Zeta Function

101

Hilbert-Pólya program to non-Hermitian PT-symmetric operators has been noted [20]. We hope that our findings will significantly boost research in this direction. The fact that i is PT symmetric, with a broken PT symmetry, offers a fresh and optimistic outlook.

ACKNOWLEDGEMENTS D. C. B. thanks D. Blasius and C. Hughes for comments and the Russian Science Foundation for support (Project No. 16-11-10218). M. P. M. thanks D. Schleicher for discussions. M. P. M. is supported in part by the Canada Research Chairs program. Research at Perimeter Institute is supported by the Government of Canada through Innovation, Science and Economic Development Canada and by the Province of Ontario through the Ministry of Research, Innovation and Science.

102

Number Theory with Applications to Cryptography

REFERENCES 1.

B. Riemann, Monatsberichte Der Berliner Akademie (Monatsberichte der Königlichen Preußischen Akademie der Wissenschaften zu Berlin, Berlin, 1859). 2. H. L. Montgomery, in Analytic Number Theory. Proceedings of the Symposium on Pure Mathematics XXIV (American Mathematical Society, Providence, 1973), pp. 181–193. 3. A. M. Odlyzko, On the distribution of spacings between zeros of the zeta function, Math. Comput. 48, 273 (1987). 4. M. V. Berry, in Quantum Chaos and Statistical Nuclear Physics edited by T. H. Seligman and H. Nishioka (Springer-Verlag, New York, 1986), Vol. 263. 5. M. V. Berry and J. P. Keating, in Supersymmetry and Trace Formulae: Chaos and Disorder edited by I. V. Lerner (Kluwer Academic/Plenum, New York, 1999). 6. A. Connes, Trace formula in noncommutative geometry and the zeros of the Riemann zeta function, Sel. Math. New Ser. 5, 29 (1999). 7. G. Sierra, The Riemann Zeros as Spectrum and the Riemann Hypothesis, The Riemann zeros as spectrum and the Riemann hypothesis arXiv:1601.01797. 8. Ë. Delabaere, Ramanujan’s summation, Algorithms Sem. 2001–2002, 83 (2003). 9. F. W. J. Olver, D. M. Lozier, R. F. Boisvert, and C. W. Clark, NIST Handbook of Mathematical Functions (Cambridge University Press, Cambridge, England, 2010). 10. C. M. Bender and S. A. Orszag, Advanced Mathematical Methods for Scientists and Engineers(McGraw-Hill, New York, 1978). 11. M. Müller and D. Schleicher, How to add a non-integer number of terms, and how to produce unusual infinite summations, J. Comput. Appl. Math. 178, 347 (2005); Fractional sums and Euler-like identities, Ramanujan J. 21, 123 (2010); How to add a noninteger number of terms: From axioms to new identities, Am. Math. Mon. 118, 136 (2011). 12. One can extend ^H to a one-parameter family of Hamiltonians ^Hϵ by the replacement ^Δ→^Δϵ=ϵ−1(1−e−iϵ^p). A calculation shows that the eigenstates ψϵz(x) of ^Hϵ take the form ψϵz(x)∝−ζ(z,1+x/ϵ) with eigenvalue i(2z−1). In the limit ϵ→0 we obtain the Hamiltonian

Hamiltonian for the Zeros of the Riemann Zeta Function

13. 14. 15.

16.

17. 18. 19. 20.

103

^p−1(^x^p+^p^x)^p with eigenstate x1−z. C. M. Bender, Making sense of non-Hermitian Hamiltonians, Rep. Prog. Phys. 70, 947 (2007). D. C. Brody, Consistency of PT-symmetric quantum mechanics, J. Phys. A 49, 10LT03 (2016). C. M. Bender, D. C. Brody, J.-H. Chen, H. F. Jones, K. A. Milton, and M. C. Ogilvie, Equivalence of a complex PT-Symmetric quartic Hamiltonian and a Hermitian quartic Hamiltonian with an anomaly, Phys. Rev. D 74, 025016 (2006). G. W. Mackey, Commutative Banach Algebras (Instituto de Matematica pura e Aplicada do Conselho Nacional de Pesquisa, Rio De Janeiro, 1959). D. C. Brody, Biorthogonal quantum mechanics, J. Phys. A 47, 035305 (2014). C. M. Bender, D. C. Brody, and H. F. Jones, Complex Extension of Quantum Mechanics, Phys. Rev. Lett. 89, 270401 (2002). H. M. Bui and D. R. Heath-Brown, On simple zeros of the Riemann zeta-function, Bull. London Math. Soc. 45, 953 (2013). Z. Ahmed and S. R. Jain, A pseudo-unitary ensemble of random matrices, PT-symmetry and the Riemann hypothesis, Mod. Phys. Lett. A 21, 331 (2006).

Chapter 7

Fractional Parts and Their Relations to the Values of the Riemann Zeta Function Ibrahim M. Alabdulmohsin Computer, Electrical and Mathematical Sciences and Engineering Division, King Abdullah University of Science and Technology (KAUST), Thuwal 23955-6900, Saudi Arabia

ABSTRACT A well-known result, due to Dirichlet and later generalized by de la Vallée– Poussin, expresses a relationship between the sum of fractional parts and the Euler–Mascheroni constant. In this paper, we prove an asymptotic relationship between the summation of the products of fractional parts with powers of integers on the one hand, and the values of the Riemann zeta function, on the other hand. Dirichlet’s classical result falls as a particular case of this more general theorem.

Citation: Alabdulmohsin, I.M. “Fractional parts and their relations to the values of the Riemann zeta function” Arab. J. Math. (2018) 7: 1. https://doi.org/10.1007/s40065-0170184-2 Copyright © The Author(s) 2017. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/ by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

106

Number Theory with Applications to Cryptography

BACKGROUND In 1849, Dirichlet established a relationship between the Euler–Mascheroni constant γ = 0.5772 ··· and the average of fractional parts. More specifically, writing [x] for the integral (floor) part of the number x ∈ and {x} = x − [x] for its fractional part, Dirichlet [3,5] proved that (1.1) This surprising connection between γ and the average of fractional parts was, in turn, used by Dirichlet to prove that the number of divisors of an integer n is of the order log n. The technique introduced by Dirichlet to prove these results is often called the hyperbola method, which is a counting argument to the number of lattice points that lie beneath a curve [3,6]. The error term in (1.1) is known to be pessimistic. Finding the optimal exponent θ > 0 such that

for any > 0 is known as the Dirichlet divisor problem, which remains , which is unsolved to this date. A well-known result of Hardy is that conjectured to be the true answer to this problem [3]. In 1898, de la Vallée–Poussin generalized (1.1). He showed that for any integer w ∈ , (1.2) As noted by de la Vallée–Poussin, this result is quite remarkable because the limiting average of the fractional parts remains unchanged regardless of the arithmetic progression that one wishes to use [3]. More recently, Pillichshammer obtained a different generalization of Dirichlet’s result. He showed that for any β > 1,

(1.3) where γ1/β is a family of constants whose first term is γ1 = γ [5]. In this paper, we look into a different line of generalizing (1.1). Specifically, we address the question of deriving the asymptotic expressions to summations of the form

Fractional Parts and Their Relations to the Values of the Riemann....

107

(1.4) for positive real numbers s > 0. This is the summation of the products of fractional parts and powers of integers. Interestingly, we will show that the asymptotic behavior of this summation is connected to the values of the Riemann zeta function ζ (s), and we will recover Dirichlet’s result in (1.1) as a particular case. More specifically, we prove that for any real number s > 0, (1.5) We conclude this section with two classical theorems that we will rely on in our proofs: Theorem 1.1 (Abel summation formula) Let ak be a sequence of complex numbers and φ(x) be a function of class C1. Then, (1.6) .

Where

Theorem 1.2 (Euler–Maclaurin summation formula) We have (1.7) for some constant A, where numbers.

are the Bernoulli

These results can be found in many places, such as [2,4].

NOTATION We will use the following notations: •

[x] denotes the integral (floor) part of x and {x} = x − [x] denotes the fractional part.



denotes the set of positive integers, often called the natural

Number Theory with Applications to Cryptography

108



numbers; is the set of non-negative integers; real numbers; is the set of complex numbers. R(s) denotes the real part of s ∈ .

is the set of

THE FRACTIONAL TRANSFORM Overview

The key insight we will employ to derive the asymptotic expansion of the function fs(n) in (1.4) is that we can solve this problem indirectly by answering a different question. Specifically, we will be interested in the following function:

(3.1) More generally, when (3.2) we will call (n) the fractional transform of φ(n). answer our original question because

s

(n) allows us to

where we have used the fact that {n/n}={n} = 0. By expanding the righthand side using the binomial theorem, we obtain a method of solving our original question.

Preliminary We present a few useful lemmas related to the fractional transform defined above. Before we do this, we introduce the following symbol: (3.3) In other words, ∂(n) is the set of positive integers k ∈ that are less than n, and for which the interval [n/(k + 1), n/k] contains, at least, one integer. For instance, 2 ∈ ∂(5) because the interval [5/3, 5/2] contains the integer two,

Fractional Parts and Their Relations to the Values of the Riemann....

whereas 3

109

∂(5) because the interval [5/4, 5/3] lies strictly between 1 and 2.

Lemma 3.1 (3.4) where | | denotes the size (cardinality) of the set

.

Proof We have:

Lemma 3.2 If k ≥ √n and k ∈ ∂(n), then Proof The interval [n/(k + 1), n/k] can contain, at most, a unique integer since:

This fact and Lemma 3.1 both imply the statement of the lemma.

MAIN RESULTS We begin with the following lemma: Lemma 4.1 For any real number s > 0, (4.1) where the constant in O(·) depends on s. Proof First, let us consider the following function:

Since

110

Number Theory with Applications to Cryptography

we obtain

Consequently, we conclude that −w ≤ gn(w) ≤ w. Using Theorem 1.1,

Here, we used the fact that |g(w)| ≤ w. Similarly,

Therefore, the statement of the lemma follows. Now, we are ready to prove our first main result. Theorem 4.2 For any s > 1,

Proof We split the sum into two parts: (4.2) as proved in the previous lemma, which is The first term is when s > 1. Next, we examine the second term. We have by Lemma 3.2,

Fractional Parts and Their Relations to the Values of the Riemann....

111

Using the fact that for R(s) > 0 (see [1]),

we conclude that

Alternatively, the error term O(w−s) in the above expression can be derived from Theorem 1.2. Hence,

As a result,

112

Number Theory with Applications to Cryptography

Finally, we look into the remaining term. Using Theorem 1.2, we have for any s > 1,

Here, we used the fact that for any u ≥ 2, we have by Theorem 1.2,

for some constant C(u) that is independent of n. Putting everything together, we conclude that for any real number s > 1,

which is the statement of the theorem. Theorem 4.2 is illustrated in Fig. 1. Clearly, this theorem generalizes Dirichlet’s result, as promised earlier, because

and the fact that

Now, we are ready to derive the asymptotic expression of the function fs(n)

Fractional Parts and Their Relations to the Values of the Riemann....

113

given in (1.4). Theorem 4.3 For any real number s > 0,

Figure 1: A comparison between the values of s(n) marked in blue and the asymptotic expression derived in Theorem 4.2 marked in red. The x-axis is n while the y-axis is s(n). The left, middle, and right figures correspond to s = 1, s = 2 and s = 3, respectively. Proof Let fs(n) be as defined in Eq. (1.4). Then, writing by Theorem 4.2,

However,

114

Number Theory with Applications to Cryptography

Therefore,

Hence for s > 0,

which implies the statement of the theorem.

CONCLUSION In this paper, we generalized Dirichlet’s classical result on the connection between the Euler–Mascheroni constant and the average of fractional parts. Our theorem reveals that the fractional parts are, in general, connected to the values of the Riemann zeta function ζ (s). Hence, ζ (s) with s > 1 can be expressed as a limiting average of the products of fractional parts with powers of positive integers.

Fractional Parts and Their Relations to the Values of the Riemann....

115

REFERENCES 1. 2. 3. 4. 5. 6.

Cvijovic, D.; Srivastava, Hari M.: Limit representations of Riemann’s zeta function. Amer. Math. Month. 119(4), 324–330 (2012) Hardy, G.H.: Divergent Series. Oxford University Press, New York (1949) Lagarias, J.: Eulers constant: Eulers work and modern developments. Bull. Am. Math. Soc. 50(4), 527–628 (2013) Lampret, V.: The Euler–Maclaurin and Taylor formulas: twin, elementary derivations. Math. Mag. 74(2), 109–122 (2001) Pillichshammer, F.: Euler’s constant and averages of fractional parts. Am. Math. Month. 117(1), 78–83 (2010) Stopple, J.: A primer of analytic number theory: from Pythagoras to Riemann. Cambridge University Press, Cambridge (2003)

SECTION III: CONGRUENCES

Chapter 8

11-Dissection and Modulo 11 Congruences Properties for Partition Generating Function Goksal Bilgici and Ali Bulent Ekin Kastamonu University, Education Faculty Department of the Computer Education and Instructional Technology 37100, Kastamonu, Turkey Ankara University, Faculty of Science Department of Mathematics 06100, Tandogan, Ankara, Turkey

ABSTRACT In a recent paper, we give 13-dissection and some congruences for modulo 13 for the partition generating function (1 − qr)−1 by using a method of Kolberg. In this paper, by following similar course, we develop an algoritmic approach and give 11-dissection for the partition generating function (1 − qr)−1. Then we re-obtain the congruences given by Atkin and SwinnertonDyer.

Citation: Goksal Bilgici,Ali Bulent Ekin “11-dissection and modulo 11 congruences properties for partition generating function” International Journal of Contemporary Mathematical Sciences, Vol. 9, 2014, no. 1, 1-10. http://dx.doi.org/10.12988/ijcms.2014.310116 Copyright © 2013 Goksal Bilgici and Ali Bulent Ekin. This article is distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

120

Number Theory with Applications to Cryptography

Keywords: Partition, Dissections, q - Equivalance

INTRODUCTION A partition of a positive integer n is a non-increasing sequence of positive integers whose sum is n. The number of partitions of n is denoted p(n) and p(0) is assumed as 1. Euler gave the following generating function for the series

Throughout this paper, m > 1 always denotes a positive integer prime to 6, and the variables y and q are always related to y = qm (|q| < 1). We define

For k = 1, 2, ..., m − 1, we define k-th component of F as follows:

then we have a dissection for partition generating function, namely

Kolberg gave 5-dissection and 7-dissection for F. A simpler form of 7dissection for F was given by Ekin in his doctoral thesis [3]. In a recent paper [2], the authors obtained 13-dissection for F and some congruences for the components F(k,13) where 0 ≤ k ≤ 12. In this paper, by following the same course in [2], we obtain 11-dissection for F. The 11-dissection for F may appear for the first time. After obtaining the components, using a q-equivalence given in [2], we obtain the congruences for the components F(k,11) (mod 11) given by Atkin and Swinnerton-Dyer in [1]. We prefer the following notation:

where

11-Dissection and Modulo 11 Congruences Properties for Partition....

121

and a is not a multiple of m. P(a) satisfies For m = 11, Atkin and Swinnerton-Dyer gave Theorem 1.1 For m = 11, we have

They use the following congruence to calculate Theorem 1.1: (1)

122

Number Theory with Applications to Cryptography

We calculate 11-dissection for the partition generating function at first. Then, we obtain the Theorem 1.1 by using the components with an algorithmic approach.

PRELIMINARIES Kolberg defines, for s = 0, 1, ..., m − 1

and

These definitions give

By these equations, we conclude the following relation (2) We have the following lemma from [4]. Lemma 2.1 (2) and

(4) Using the following lemma which is given by the authors in [2], we can determine the gs in terms of P(a) . Lemma 2.2 Let 24s + 1 is a quadratic residue mod m and m = 6λ + μ where

11-Dissection and Modulo 11 Congruences Properties for Partition....

123

λ is a positive integer and μ = ±1. Then we have (5) where c is a solution of the congruence x ≡ (4s − μλ)/6 (mod m). 2

Kolberg also gives Lemma 2.3 For s = 0, 1, ..., m − 1

(6) where Ds is the following determinant;

(7) we put gr = gs when r ≡ s (mod m) in (7). We define

where m is prime and 24k + 1 ≡ 0 (mod m). So we have (8) For the denominator of (8), we have (9) We use the following lemma which is given by the authors in [2] to obtain the congruence properties of components. Lemma 2.4 If m ∈ Z+ is a prime, then

(10)

For the left-hand side on Eq.(10), we need the following lemma which is Lemma 3 in [1]:

124

Number Theory with Applications to Cryptography

Lemma 2.5 We have (11)

COMPONENTS AND CONGRUENCES FOR M = 11 In this section we give the components F(k,11) and find the congruences given by Atkin and Swinnerton-Dyer. For m = 11, from (3) and (4) we have

and

We set (12) From (2) we find

By the help of (12), these equations become, respectively (13) (14) (15) (16) (17) (18) Now we put

11-Dissection and Modulo 11 Congruences Properties for Partition....

125

(19) Thus (18) becomes (20) After multiplying As (s = 0, 1, .., 10) by α, α , β , γ , δ, θ , 1, θ, δ−1, γ and β respectively, As can be written in terms of xi. −1

−1

−1

−1

From (3) and (5), we get

These equations give

and (21) Lemma 3.1 We have (22) (23) (24) (25) (26) Proof. We define A := x3x4x5, B := x1x2x5, C := x1x4x5, D := x1x2x3 and E := x2x3x4. Multiplying equations (13), (14), (15), (16) and (17) by δ, θ, γ, β and α respectively give us

126

Number Theory with Applications to Cryptography

The solution of this equations system is

Using equation (20), we get (27) (28) (29) (30) (31) Multiplying both sides of (27) by x1x2 and using (21), we find (32) Substituting for (28), (30) and (20) into the equation (32), we obtain (33) and we find the others similarly. Algorithm 1. Let U be a linear combination of is a non-negative integer.

where each ir

1. Substitute for the equations (22)-(26) into U. This step turns all terms into

11-Dissection and Modulo 11 Congruences Properties for Partition....

the form

127

where (i, j)=(1,4), (2,5), (4,2), (3,1), (5,3).

2. If b > 1 then substitute for

, if a > 1 and b=0 substitute for

into U.

. To evaluate this step we This step writes U as sums of use the following equations which can be easily found by (20): (34) (35) (36) (37) (38) By using Algorithm 1, we get the As in simple forms:

(39)

The last equation proves the famous congruence p(11n+6) ≡ 0 (mod 11) of Ramanujan. If we observe the indices of the terms in As, having αA0 and α−1A1 is enough to obtain other components via the permutation (12345). This permutation gives the following relations (40) (41)

128

Number Theory with Applications to Cryptography

(42) Using these relations, that is, changing indices in convenient order and making the same operations, we get the other components. For m = 11, with the help of Eq.(10) and Lemma 2.5, we have (43) For abbreviation, we define We write (43) in terms of xi in 20 different ways by dividing (43) by (a, b, c, d, e, f) where 1 ≤ b, c, d, e, f ≤ 5 and b + c + d + e + f = 11. Five of them are useful for us and the remaining 15 of them are linearly independent on these five. These can be found dividing (43) by (3, 1, 2, 3, 2, 3), (4, 2, 2, 3, 3, 1), (4, 2, 3, 1, 3, 2), (4, 3, 1, 2, 2, 3) and (5, 3, 3, 2, 1, 2):

(44) (45)

11-Dissection and Modulo 11 Congruences Properties for Partition....

129

(46) (47)

(48) Now we can obtain the congruences given by Atkin and Swinnerton-Dyer. From (39), we have

From (48), we find (49) Then the equations (8) and (49) give us

The other congruences in Theorem 1.1 can be obtained similarly

130

Number Theory with Applications to Cryptography

REFERENCES 1.

2.

3. 4.

A.O.L. Atkin and H.P.F. Swinnerton-Dyer, Some Properties of Partitions, Proc. London Math. Soc., 3 (4) (1954), 84–106. http:// dx.doi.org/10.1112/plms/s3-4.1.84 G. Bilgici and A.B. Ekin, Some Congruences for Modulus 13 Related to Partition Generating Function, The Ramanujan Journal, (to be appear). http://dx.doi.org/10.1007/s11139-013-9537-4 A.B. Ekin, The Rank and the Crank in the Theory of Partition, D.Phil Thesis, University of Sussex, 1993. O. Kolberg, Some Identities Involving the Partition Function, Math. Scand., 5 (1957), 77–92.

Chapter 9

Effective Congruences for Mock Theta Functions

Nickolas Andersen 1, Holley Friedlander 2, Jeremy Fuller 3 , and Heidi Goodson 4 Department of Mathematics, University of Illinois at Urbana-Champaign, 409 W. Green Street, Urbana, IL 61801, USA

1

Department of Mathematics, University of Massachusetts, Lederle Graduate Research Tower, Amherst, MA 01003, USA

2

Department of Mathematics, Purdue University, 150 N. University Street, West Lafayette, IN 47907, USA

3

Department of Mathematics, University of Minnesota, 206 Church St. SE, Minneapolis, MN 55455, USA

4

ABSTRACT Let be one of Ramanujan’s mock theta functions. We establish the existence of infinitely many linear congruences of the form:

Citation: Andersen, N.; Friedlander, H.; Fuller, J.; Goodson, H. “Effective Congruences for Mock Theta Functions”. Mathematics 2013, 1, 100-110. https://doi.org/10.3390/ math1030100 Copyright © 2013 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/).

132

Number Theory with Applications to Cryptography

where A is a multiple of ℓ and an auxiliary prime, p. Moreover, we give an effectively computable upper bound on the smallest such p for which these congruences hold. The effective nature of our results is based on the prior works of Lichtenstein [1] and Treneer [2]. Keywords: mock theta functions, congruences, harmonic weak Maass forms

INTRODUCTION AND STATEMENT OF THE RESULTS A partition of a positive integer, n, is a non-increasing sequence of positive integers that sum to n. Define p(n)to be the number of partitions of a nonnegative integer, n. Ramanujan [3] proved the linear congruences:

which were later extended by Atkin [4] and Watson [5] to include powers of five, seven and 11. Later, Atkin [6] developed a method to identify congruence modulo larger primes, such as:

Ahlgren and Ono [7,8,9] have shown that linear congruences for p(n) exist for all moduli, m, coprime to six. These congruences arise from studying the arithmetic properties of the generating function:

which can also be written in Eulerian form:

where

. By the change

Effective Congruences for Mock Theta Functions

of sign, mock theta functions:

133

, we obtain one of Ramanujan’s third-order

The coefficients, af(n), of f(q), can be used to determine the number of partitions of n of even rank and of odd rank [10]. The function f(q) is one of Ramanujan’s seventeen original mock theta functions, which are strange q-series that often have combinatorial interpretations (see [11] for a comprehensive survey of mock theta functions). These functions have been the source of much recent study. In [12,13,14,15,16,17], congruences for the coefficients of various mock theta functions are established. For example, in their investigation of strongly unimodal sequences, Bryson, Ono, Pitman and Rhoades [14] prove the existence of congruences for the coefficients of Ramanujan’s mock theta function:

In particular, they establish the congruence: (1.1) In [17], Waldherr shows that Ramanujan’s mock theta function:

satisfies: Congruences like the examples above have also been proven for other mock theta functions, such as Ramanujan’s ϕ(q) function [13,15] and a mock theta function associated with the Mathieu group, M24 [18]. It is natural to ask if a general theory of such congruences exists. In this paper, we build on the approaches of these previous works to establish the existence of linear congruences for all of Ramanujan’s mock theta functions. If M(q) is one of Ramanujan’s mock theta functions, let q:=e2πiz, and let δ and τ be integers for which:

134

Number Theory with Applications to Cryptography

(1.2) is the holomorphic part of a weight of 1/2 harmonic weak Maass form (to be defined in Section 2). We obtain congruences for the coefficients of M(q) as in Equation (1.1) by obtaining them for F(z). Theorem 1. Let M(q) be one of Ramanujan’s mock theta functions with F(z), as in Equation (1.2). Let N be the level of F, and let ℓj be a prime power with (ℓ,N)=1. Then, there is a prime, Q, and infinitely many primes, p, such that, for some m,B∈ , we have: Furthermore, the smallest such p satisfies p≤C, where C is an effectively computable constant that depends on ℓj, N and other computable parameters. Remarks 1. 1. Theorem 1 is a special case of Theorem 5 in Section 3, a more general result that applies to a weight of 1/2 harmonic Maass forms, whose holomorphic parts have algebraic coefficients and whose non-holomorphic parts are period integrals of a weight of 3/23/2 unary theta series. The next section will set up all the notation and preliminary results to state and prove the general theorem, as well as how Theorem 1 follows from it. 2. Theorem 1 has already been established for a few specific mock theta functions. For example, see [10] for f(q) and [14] for Ψ(q). 3. The other computable parameters will be described toward the end of Section 3. Briefly, they involve computing the level of a certain half-integral weight modular form from the work of Treneer [2] as well as the order of vanishing at the cusps; the constants from the results of Lichtenstein [1]; and, if we do not assume the Generalized Riemann Hypothesis, the constant of Lagarias, Montgomery and Odlyzko [19].

NUTS AND BOLTS We shall utilize several important concepts from the theory of modular forms and harmonic Maass forms, and in this section, we summarize those topics.

Effective Congruences for Mock Theta Functions

135

Harmonic Maass Forms Ramanujan’s mock theta functions are essentially the holomorphic parts of a certain weight of 1/2 harmonic Maass forms. To begin, we define half integral weight harmonic weak Maass forms. Here, “harmonic” refers to the fact that these functions vanish under the weight, k, and hyperbolic Laplacian, Δk, (2.1) for . If N is a positive integer with 4|N and χ, a Dirichlet character modulo, N, a weight of

harmonic weak Maass form for a congruence , with nebentypus, χ, is any smooth func-

subgroup, tion,

, satisfying:

1. For every

, we have:

where:

2. We have Δkf=0. 3. There is a polynomial, as y→+∞for some ϵ>0. Analogous conditions are required at all cusps. The term “weak” refers to the relaxed growth condition at the cusps described by (3). For convenience, we will refer to these harmonic weak Maass forms simply as harmonic Maass forms. We adopt the following notation: if χ is a Dirichlet character modulo, N, let Sk(N,χ) (respectively, denote the space of cusp forms (respectively, holomorphic modular forms, weakly holomorphic modular forms and harmonic Maass forms) of weight k on Γ0(N) with Nebentypus χ. For

, there is the unique decomposition,

136

Number Theory with Applications to Cryptography

f=f++f− of Bruinier and Funke [20], where, following Ono in [21]:

is referred to as the holomorphic part and:

the non-holomorphic part and where Gamma-function.

is the incomplete

If M(q) is one of Ramanujan’s mock theta functions with F(z) as in (1.2), then by the work of Zwegers [22], f+=F is the holomorphic part of a weight of 1/2 harmonic weak Maass form, whose non-holomorphic part, f−, is a period integral of a weight of 3/2 unary theta series. As a consequence, there exist integers, δ1,⋯,δh, such that the coefficients, a−(n), are supported on exponents of the form, −δim2.

As stated in Section 1, Theorem 1 is a special case of our general theorem in Section 3, which applies to a weight of 1/2 harmonic Maass forms with algebraic coefficients, whose non-holomorphic parts are period integrals of a weight of 3/2 unary theta series. Essentially, these congruences are obtained from the annihilation of a cusp form g(z), related to f(z), by the Hecke operators, T(p2). The cusp form, g(z), is determined by a result of Treneer [2]. Moreover, the work of Lichtenstein [1] allows us to bound the first prime, p, such that T(p2) annihilates g(z). The details of the construction of g(z) follow.

Elements of the Proof In the proof, we shall obtain a weakly holomorphic modular form, , from f by applying quadratic twists to annihilate the non-holomorphic part of f(z). and: If Q is an odd prime, define . Then, the Q-quadratic twist of f is defined as:

Effective Congruences for Mock Theta Functions

137

Remarks 2. The definition of f⊗ψQ given in ([23], III, Proposition 17) applies to modular forms, but this definition also makes sense for f∈H2−k(N,χ), since the transformation, z↦z−λ/Q, only affects the real part of z (the Γ-factor in f− remains unchanged). As in the modular case (see [23], III, Proposition 17), the nth coefficient of f⊗ψQ is

times the nth coefficient of f.

The following lemma describes how twisting f affects the level: Lemma 2. Suppose f satisfies the transformation: and for some character, χ, mod N. Let ψ be a character mod M, and let . Then:

for all

.

Proof. . For each λ with 0≤λ 2 then I(−1) = ϕ(n)/2.

If g’ is a primitive root different from g in then Ig(a) = Ig(g’ ).Ig’(a) (mod ϕ(n)). For more detailed information on the index function, please see [1] and In this paper, we find the integer solutions of the cubic equations

, for function. Also, we give some examples.

,by using the index

MAIN RESULTS Theorem 2.1 Let ax3+bx2+cx+d = 0 be a cubic equation for a, b, c, d ∈ and a

0. For

and

,

On Integer Solutions of the Cubic Equations Over .....

147

i) if k ≡ 0 (mod n) then unique solution of this cubic equation is x ≡ . ii) if k

0 (mod n) then this cubic equation is solvable ⇐⇒ (3, ϕ(n)) | I(k).

Proof. Firstly, we divide both sides of the ax3 + bx2 + cx + d = 0 by a. Now, if we write

instead of x in the equation, i.e.,

then we find

Therefore, we can write the congruence

Here, if we say

and

then we have the congruence If k ≡ 0 (mod n) then x3 ≡ 0 (mod n) and x ≡ 0 (mod n). Thus, the unique (mod n). solution is If k

0 (mod n) then we get the linear congruence

This linear congruence is solvable if and only if (3, ϕ(n)) | I(k). If (3, ϕ(n)) | I(k) then

a) (3, ϕ(n)) = 1 and there is a unique solution in

.

b) (3, ϕ(n)) = 3, (or, 3 | I(k)) and there are three solutions in

.

148

Number Theory with Applications to Cryptography

Finally, if 3 . I(k)) then there is no solution in

.

Example 2.2 Let us consider the cubic equation 4x 3 + 6x 2 + 6x + 7 = 0. Here, a = 4, b = 6, c = 6 and d = 7. Thus, if we write instead of x in the equation then we found

Therefore, we obtain the congruence

Now we solve this equation by using the index function. Then, we have

Since we write (mod 3) in the ring

instead of x, we find the solution as .

2

Example 2.3 Let us consider the cubic equation x 3 + 5x + 2 = 0. Here, a = 1, b = 0, c = 5 and d = 2. Since

, we obtain the same equation.

Therefore, we have the congruence

If we use the index function, then we have

Thus, we find the solution as x ≡ 2 (mod 5) in the ring

.

On Integer Solutions of the Cubic Equations Over .....

149

REFERENCES 1. 2.

3. 4.

D. E. Flath, Introduction to Number Theory, AMS Chelsea Publishing, Providence, RI, 2018. V. P. Gabrielyan, Linearized coverings for sets of special solutions of one cubic equation over a finite field, Dokl. Nats. Akad. Nauk Armen., 118 (2018), no. 2, 115-118. D. Namli, Cubic Residues, PhD Thesis, Balikesir, 2001. L. Zhao, Small prime solutions to cubic equations, Sci. China Math., 59 (2016), no. 10, 1909-1918. https://doi.org/10.1007/s11425-016-5150-5

Chapter 11

Iterative Sliding Window Method for Shorter Number of Operations in Modular Exponentiation and Scalar Multiplication

Adamu Muhammad Noma1 , Abdullah Muhammed1, Zuriati Ahmad Zukarnain1 and Muhammad Afendee Mohamed1,2 Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, Serdang 43400, Selangor, Malaysia

1

Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, Besut 22200, Terengganu, Malaysia.

2

ABSTRACT Cryptography via public key cryptosystems (PKC) has been widely used for providing services such as confality, authentication, integrity and nonrepudiation. Other than security, computational efficiency is another major Citation: Noma, A. M., Muhammed, A., Zukarnain, Z. A., & Mohamed, M. A. (2017). “Iterative sliding window method for shorter number of operations in modular exponentiation and scalar multiplication”. Cogent Engineering, 4(1), 1304499. https://doi.org/10.1080/233 11916.2017.1304499 Copyright © 2017 Taylor & Francis. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/ by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

152

Number Theory with Applications to Cryptography

issue of concern. And for PKC, it is largely controlled by either modular exponentiation or scalar multiplication operations such that found in RSA and elliptic curve cryptosystem (ECC), respectively. One approach to address this operational problem is via concept of addition chain (AC), in which the exhaustive single operation involving large integer is reduced into a sequence of operations consisting of simple multiplications or additions. Existing techniques manipulate the representation of integer into binary and m-ary prior performing the series of operations. This paper proposes an iterative variant of sliding window method (SWM) form of m-ary family, for shorter sequence of multiplications corresponding to the modular exponentiation. Thus, it is called an iterative SWM. Moreover, specific for ECC that imposes no extra resource for point negation, the paper proposes an iterative recoded SWM, operating on integers recoded using a modified non-adjacent form (NAF) for speeding up the scalar multiplication. The relative behaviour is also examined, of number of additions in scalar multiplications, with the integers hamming weight. The proposed iterative SWM methods reduce the number of operations by up to 6% than the standard SWM heuristic. They result to even shorter chains of operations than ones returned by many metaheuristic algorithms for the AC. Keywords: addition chain, modular exponentiation, scalar multiplication, sliding window method

INTRODUCTION In public key cryptosystems (PKC) (Diffie & Hellman, 1976; El-Gamal, 1985; Koblitz, 1987; Rivest, Adi, & Adleman, 1978), computations involving modular exponentiation and scalar multiplication found in the respective RSA (Rivest et al., 1978) and ECC (Koblitz, 1987; Miller, 1985) are the most expensive operations that determine the efficiencies of the algorithm, and on which the security of the systems also depends. For the applications to be computationally secured the size of the key, which is the exponent or multiplier, respectively, should be of at least 1,024 bits in multiplicative structure such as Diffie–Hellman (Diffie and Hellman, 1976) and RSA and 163 bits in additive structure of ECC. One of the means of optimizing these operations without compromising the security effectiveness is by reducing an exhaustive operation of modular exponentiation to repeated squaring and multiplication and likewise scalar multiplication to repeated doubling and addition via the concept of

Iterative Sliding Window Method for Shorter Number of Operations....

153

addition chain (AC). Since modular exponentiation is an additive function of the exponent similar to that of multiplier from scalar multiplication, both operations are adoptable to the idea of AC. In other words, possible shortening of an AC for the exponent/multiplier by reducing the number of doubling and addition corresponds to that of either one of the two operations: thus should be understood as minimizing the number of multiplications in modular exponentiation or of additions in scalar multiplication. The problem of finding optimal AC for an arbitrary integer, also known as addition chain problem (ACP), exists for long (Dellac, 1894; Scholz, 1937). Numerous theoretical studies on the problem can be found in Balega (1976), Brauer (1939), Downey, Leong, and Sethi (1981), Mignotte and Tall (2011), Thurber (1993) and Yao (1976). From experimentation perspective, exhaustive approaches have been applied (Clift, 2010; Hatem, 2011), as well as heuristics (Bos & Coster, 1990; Gelgi & Onus, 2006; Koç, 1995; Park, Park, & Cho, 1999; Thurber, 1999). Moreover, after Downey et al. (1981) proved that the generic case called addition sequence is an NP-complete problem, various metaheuristics have also been applied (Cruz-cortés, Rodríguez-Henríquez, & Coello, 2008; Domínguez-Isidro, Mezura-Montes, & Osorio-Hernández, 2015; Jose-Garcia, Romero-Monsivais, HernandezMorales, Rivera-Islas, & Torres-Jimenez, 2011; León-Javier, Cruz-Cortés, Moreno-Armendáriz, & Orantes-Jiménez, 2009, November; Nedjah & de Macedo Mourelle, 2006; Osorio-Hernández, Mezura-Montes, Cruz-Cortés, & Rodríguez-Henríquez, 2009, May). For the purpose of simplicity, a generic integer e is used in this paper to represent the exponent or multiplier of either of the operations.

Definition 1.1 Given an integer e, the sequence AC for e if

, is said to be an . The length of the chain is r.

In the studies of AC by mean of heuristic approach, e is normally represented into an equivalent binary form, from which some form of manipulation is applied in the quest to produce the shortest possible chain.

Definition 1.2 The length of e (denoted as) n(e) is defined as the minimum number of bits to represent e in binary form length of an arbitrary n-bit e.

. n used to indicate the

154

Number Theory with Applications to Cryptography

Definition 1.3 The hamming weight (shorten as weight) of e denoted as H(e) is defined as the number of non-zero bits in the binary representation of e. Using the binary form as found in many heuristic techniques, the total number of operations is counted to the number of doublings (squarings) and additions (multiplication) involved. In fact, the number of squarings is fixed to the bit-length n(e), and thus improvement can only be done on the number of multiplications which is proportionate to weight H(e). Binary method (Knuth, 1998) has been the basic procedure for computing modular exponentiation as well as scalar multiplication. In the modular exponentiation, a sequence of squarings and optional multiplications are performed, depends upon the given digit value of the binary form for e that is 1 or 0, respectively. Similarly, a sequence of doublings and optional additions are performed in the scalar multiplication. For an n-bit e, represented in the binary form as follows in Algorithm 1.

, the method for the exponentiation

In Algorithm 1, n(e)−1 number of squarings are performed in step 3, and a multiplication in step 5 corresponding to every non-zero bit encounter, less the most significant bit (MSB): H(e)−1. Thus, assuming multiplication and squaring are computationally equal, the number of multiplications (operations) Tbin is (1) Since there are n bits in e, each of which is equally likely to be 1 or 0, the asymptotic number of multiplications in Algorithm 1 is n+n/2=3n/2. The method is highly efficient in implementation due to its minimal bookkeeping in the process (Knuth, 1998). However, it performs excessive number of multiplications than is necessary. An m-ary (also known as or 2k-ary) method is an extension of the

Iterative Sliding Window Method for Shorter Number of Operations....

155

binary method. An n-bit e is padded (where necessary) with at most k−1 trail of 0s to form a multiple of k. It is then partitioned into w=⌈n/k⌉ blocks of fixed k-bit words: being the most significant word (MSW). Thus, . Initially, the values , corresponding , are pre-computed. The algorithm to all possible value for

average number of multiplications given by Koç (1995). (2) Depending on the k parameter, the method performs less number of multiplications than binary method. However, the pre-computations cost increases exponentially with an increase in the k size. the multiplication step is not necessary. Note that when Consequently, adaptive window methods are the enhancements of the m-ary that form partitions mi of arbitrary length of 0s. In the constantlength non-zero window (CLNW) version, in the partitioning process, the leading zeros in a given k-bit non-zero window (NW) partition mi≠0 are carved out and concatenated with subsequent zeros encounter to form a zero window (ZW) mi=0 partition. The ZW takes any arbitrary length until a non-zero bit is again encountered. Thus, only NWs are restricted to bit-lengths n(mi)≤k, and for which list significant bit (LSB)=MSB=1. As a result, the pre-computation stage involves computing only multiplications. Whereas, in the variable-length nonat the cost of zero window (VLNW) version (Koç, 1995), the number of ZWs is further maximized by switching NW to ZW partition construction upon encounter of predetermined 0 60, keeping all points will require big memory. To decrease

Number Theory with Applications to Cryptography

180

memory usage, cycle detection can be done by using the Brent Cycle Detection Algorithm. In detecting the iteration cycle performed in Pollard Rho Algorithm, the Brent Cycle Detection Algorithm goes as follows: (i)

(ii) (iii) (iv) (v) The

with Suppose the sequence that we want to generate is initial value X0 and iteration function f such that Xi+1 = f(Xi). Set j = 0, k = 0, and l = 1. Replace k with k + 1, then check whether Xj = Xk. If Xj = Xk, then we get a collision. If the collision has not occurred, repeat step 2 until a collision occurs or k = 2l − 1. If k = 2l − 1, replace j with k and replace l with 2l. Repeat steps 2-4 until a collision occurred. expectation of the number of iterations performed is 1.9828√

m, where m is the order of P [1]. It is more than , i.e. the expectation of the number of iterations in Pollard Rho Algorithm unmodified. However, we only need to store two points, instead of O( √ m) points.

EXPERIMENTAL RESULTS In previous research we gave a comparison between standard Pollard Rho and Pollard Rho Algorithm with Negation and Frobenius maps for Koblitz curves (see [4] [5]). In this section we will give a comparison between three variants Pollard Rho Algorithm on elliptic curves over binary field : the standard Pollard Rho Algorithm, Pollard Rho Algorithm with Negation map, and Pollard Rho using Brent Cycle Detection Algorithm. In addition, the possibility of using Frobenius on Koblitz curves gives more comparison between variants of Pollard Rho Algorithm. First, the following is the list of curves used in this research.

Implementation of Pollard Rho over binary fields using Brent Cycle ....

181

Table 1: The list of curves used in this research

In Table 2 we give comparison between standard Pollard Rho and Pollard Rho with Brent Cycle Detection Algorithm. In Table 3 we give the same comparison for Koblitz curves without Frobenius map, meanwhile the same comparison for Koblitz curves with Frobenius map is given in Table 4. Table 2: Comparison between standard Pollard Rho and Pollard Rho with Brent Cycle Detection Alg

Table 3: Comparison between std Pollard Rho and Pollard Rho with Brent Alg(Koblitz)

182

Number Theory with Applications to Cryptography

Table 4: Comparison between standard Pollard Rho and Pollard Rho with Brent Cycle Detection Algorithm for Koblitz curves, both use Frobenius map

From the experiment, we see that the use of Frobenius map generally reduces the number of iterations required. However, the time required is not always shorter. This is due to the additional time required to generate equivalence class of each iteration. In Table 5 we give comparison between Pollard Rho with Frobenius map and Pollard Rho without Frobenius map for Koblitz curves, both use Brent Cycle Detection Algorithm. In Table 6 we give the same comparison but without Brent Cycle Detection Algorithm and without Negation map. Meanwhile the same comparison without Brent Cycle Detection Algorithm but with Negation map is given in Table 7. Table 5: Comparison between Pollard Rho with Frobenius map and Pollard Rho without Frobenius map for Koblitz curves, both use Brent Cycle Detection Algorithm

Implementation of Pollard Rho over binary fields using Brent Cycle ....

183

Table 6: Comparison between Pollard Rho with Frobenius map and Pollard Rho without Frobenius map for Koblitz curves, both without Brent Cycle Detection Algorithm and without Negation map

Table 7: Comparison between Pollard Rho with Frobenius map and Pollard Rho without Frobenius map for Koblitz curves, both without Brent Cycle Detection Algorithm but with Negation map

From the experiment, we see that the use of Negation map generally reduce the number of iterations required. However, if Negation map is used without Frobenius map, almost 10 percent (276,344 out of 2,773,726) iterations are repeated due to fruitless cycles. As a result, the acceleration factor of √ 2 which was originally predicted is not achieved.

CONCLUSION AND FURTHER RESEARCH The use of Brent Cycle Detection Algorithm to detect collisions in Pollard Rho Algorithm needs more iterations and generally takes longer than storing every point and check it out.

184

Number Theory with Applications to Cryptography

Nevertheless, we can not store all points for Pollard Rho Algorithm with large binary field, for example GF(2n ) with n > 60. The use of Frobenius map generally reduces the number of iterations required. However, the time required is not always shorter. This is due to the additional time required to generate equivalence class of each iteration. The use of Negation map generally reduce the number of iterations required. However, if Negation map is used without Frobenius map, almost 10 percent (276,344 out of 2,773,726) iterations are repeated due to fruitless cycles. As a result, the acceleration factor of √ 2 which was originally predicted is not achieved. For further research, one can investigate Nivash Cycle Detection algorithm. Theoretically, Nivasch Cycle Detection algorithm need iterations, less than Brent Cycle Detection Algorithm in detecting collisions. However, expectations for the number of points that need to be stored is ln h + O(1), with h is the number of iterations [1].

ACKNOWLEDGMENT This research is supported by Asahi Glass Foundation research grant 2014.

Implementation of Pollard Rho over binary fields using Brent Cycle ....

185

REFERENCES 1. 2. 3. 4. 5.

Cohen H and Frey G 2006 Handbook of Elliptic and Hyperelliptic Curve Cryptography (Chapman and Hall/CRC) Fulton, W 1969 Algebraic Curves: An Introduction to Algebraic Geometry (W. A. Benjamin) Hankerson D, Menezes A, and Vanstone S 2004 Guide to Elliptic Curve Cryptography (Springer) Muchtadi-Alamsyah I, Ardiansyah T, Carita S S 2014 Adv. Sc. Let. 20(1) 340-343. Muchtadi-Alamsyah I, Ardiansyah T, Carita S S 2013 Far East J. Math Sc. Special Volume, No 4 385-402.

Chapter 13

Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside Sn

María Isabel González Vasco 1, Angela Robinson 2, and Rainer Steinwandt 2 1

MACIMTE, Universidad Rey Juan Carlos, 28933 Móstoles, Madrid, Spain

Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431, USA 2

ABSTRACT In 2008, Doliskani et al. proposed an ElGamal-style encryption scheme using the symmetric group Sn as mathematical platform. In 2012, an improvement of the cryptosystem’s memory requirements was suggested by Othman. The proposal by Doliskani et al. in particular requires the discrete logarithm problem in Sn, using its natural representation, to be hard. Making use of the

Citation: González Vasco, M.I.; Robinson, A.; Steinwandt, R. “Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside ”. Cryptography 2018, 2, 16. https://doi. org/10.3390/cryptography2030016 Copyright © 2018 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

188

Number Theory with Applications to Cryptography

Chinese Remainder Theorem, we describe an efficient method to solve this discrete logarithm problem, yielding a polynomial time secret key recovery attack against Doliskani et al.’s proposal. Keywords: Cryptanalysis, symmetric group, public key encryption

INTRODUCTION Discrete logarithm problems in certain representations of cyclic groups, such as subgroups of elliptic curves over prime fields, are a popular resource in the construction of cryptographic primitives. Widely deployed solutions for digital signatures and key establishment rely on the computational hardness of such discrete logarithm problems. Doliskani et al. proposed a cryptosystem in [1] which relies on the discrete logarithm problem inside the symmetric group Sn, using its standard representation, to be hard. The encryption scheme proposed in [1] is essentially an instantiation of the classic ElGamal [2] encryption scheme, but using a cyclic subgroup of Sn in standard representation as platform instead of a more traditional platform choice. We show that this particular discrete logarithm problem is problematic for cryptographic purposes by showing how to find such discrete logarithms in polynomial time. Consequently, in the proposal from [1], secret keys can be recovered from public data in polynomial time. Our algorithm exploits the permutation representation of a cyclic group that is used in [1]. Even though any finite cyclic group is isomorphic to a subgroup of a suitably large symmetric group, our algorithm does not imply an efficient solution for discrete logarithm problems in established cryptographic platform groups.

THE SCHEME OF DOLISKANI ET AL. In this section, we briefly recall the cryptosystem proposed by Doliskani et al. following the description given in [1] (Section 4). The scheme has the same basic structure as ElGamal encryption:

Key Generation The key generation algorithm, executed by the receiver, selects an appropriate index n and a suitable permutation g∈Sn. The cyclic group generated by g will be denoted by ⟨g⟩, and we represent its order by |g|. Further, an integer

Cryptanalysis of a Proposal Based on the Discrete Logarithm .....

189

α is selected uniformly at random from {1,…,|g|−1}. The public key is the pair (g,gα), while the private key is the secret “exponent” α. (Even though these points are not clarified by the authors, as is customary, we assume n is chosen from an input security parameter l, and is polynomial in l.)

Encryption On input of a plaintext m, which we may assume belongs to Sn (we omit the encoding described in [1] (Section 3), which is irrelevant for our purposes), an integer k is chosen uniformly at random from {1,…,n}. The ciphertext is computed as the pair of group elements (g1,g2):=(gk,mgαk).

Decryption The group element g1 is raised to the secret exponent α and further inverted to compute

.

As made clear by the authors, this scheme essentially instantiates ElGamal encryption in the symmetric group Sn. As such, some of the security concerns of the original ElGamal over finite fields carry over. Given an encryption of m, one can trivially derive an encryption of hm for any h∈Sn, so we observe that malleability is one such concern. Very limited plaintext leakage is another concern. It is known that in a straightforward ElGamal for a Sophie Germain prime q, one bit of the implementation over message leaks. Indeed, if the cyclic group ⟨g⟩ has order q, it is possible to determine from the ciphertext whether the underlying plaintext m is a quadratic residue mod 2q+1 or not, as the ciphertext leaks the Legendre symbol

of m.

Similarly, the construction in [1] leaks one bit, corresponding to the sign of the plaintext permutation m. Recall that the sign of a permutation can be seen as a group homomorphism ε:Sn⟶{−1,1},

defined as ε(σ)=1 if and only if σ can be written as the product of an even number of transpositions. Otherwise, if σ is odd (and can thus only be decomposed as a product of an odd number of transpositions), ε(σ)=−1. It is easy to see that ε is a group homomorphism, hence ε(mgαk)=ε(m)ε(gαk). If any of the (public) g, gα, or gk are in the kernel of ε, then necessarily the sign of the “mask” gαk is one, too, and the sign of the plaintext leaks. Information

190

Number Theory with Applications to Cryptography

on the elements in {1,…,n} not stabilized by the permutation m, known as the support of plaintext m, may leak if the support of g is small. This follows from the fact that the elements in {1,…,n} not stabilized by any permutation from ⟨g⟩ is always a subset of the support of g. We include these remarks to emphasize that, when considering a concrete ElGamal instantiation, a thorough analysis is essential. One must consider the specific group representation and parameters in use. In [1], the order of the public group element g is identified by the authors as the main relevant parameter determining the security of the above scheme. Indeed, when approaching a generic instance of the discrete logarithm problem in an arbitrary cyclic group, the order of the generator gives us an idea of how successful standard methods such as those mentioned in [1] (Section 2) might be when it comes to solving the associated discrete logarithm problem. This, however, does not rule out the existence of more efficient algorithms for computing discrete logarithms exploiting a concrete representation of the underlying group. As we show in the next section, this is the case for the symmetric group.

FINDING DISCRETE LOGARITHMS IN CYCLIC SUBGROUPS OF SN Let Sn be the symmetric group on n points, with elements f∈Sn represented as a list of images [f(1),…,f(n)] (or in standard cycle notation). Moreover, let g∈Sn, and h=gα some element in the cyclic group ⟨g⟩ generated by g. For the encryption scheme put forward in [1], the pair (g,h) represents a public key, and being able to recover α from the public key yields a successful recovery of a user’s secret key. When applied to the input (g,h), the following procedure returns α(mod|g|), thereby solving the discrete logarithm problem in ⟨g⟩. Step 1. Decompose g and h into disjoint cycles

Here, we include length-one cycles if needed, so that each i∈{1,…,n} occurs in exactly one cycle.

Cryptanalysis of a Proposal Based on the Discrete Logarithm .....

191

Step 2. Compute arrays G and H, such that the ith entry G[i] stores: • the index j of the cycle πj containing i; and • the position of i within this cycle (1≤i≤n). That is, G[i]=(j,pos(i)) would indicate that element i appears in cycle πj at position pos(i). Similarly, in H[i], we store: • the index k of the cycle σk containing i; and • the position of i within this cycle (1≤i≤n). Thus, H[i]=(k,pos(i)) would indicate that element i appears in cycle σk at position pos(i). Step 3. Store the first element of each cycle σj of h as First[j] in an array. Analogously, store the second element of σj as entry Second[j] in an array. (For a lengthone cycle, we set Second[j] = First[j].) Note that First[j] and Second[j] belong to the same cycle πj′ of g. Step 4. Use the array G to find for each i∈{1,…,n} the cycle of g containing First[i] and Second[i], and store the difference D[i] between their positions in an array D. Then, D[i]=pos(Second[i])−pos(First[i]), for each i∈{1,…,n}. Further, compute the length of the cycle containing element i and store it in an array L.

Step 5. Step 5. The solution α is congruent to each residue D[i] modulo L[i] for 1≤i≤|D|. Compute αwith the Chinese Remainder Theorem. It may be worth noting that the last step of the above procedure uses a slightly more general version of the Chinese Remainder Theorem than is commonly discussed in introductory computer algebra courses. Instead of exploiting the availability of an efficiently computable isomorphism between being pairwise coprime natural numbers, we face the more general situation of a of congruences of the form

192

Number Theory with Applications to Cryptography

where m1,…,mr may have common factors. This situation is covered, e.g., in [3] (Theorem 3.12) and in [4], which show that a solution is unique modulo the least common multiple of m1,…,mr, and for executing Step 5 we basically follow the proof given in [4]. Putting everything together, it turns out that the running time of the above procedure is polynomial. (As is common, we use the (bit) length of the group size as cost parameter. With the natural representation of Sn used, the running time is also polynomial in the input length.) Theorem 1. Let g∈Sn. Then, the discrete logarithm problem in the group generated by g can be solved in time O(log4|g|)=O(n2log2n). Proof. Let g∈Sn. It is easy to see that Step 1 from the above description can be completed in time O(n). Indeed, to express g in cycle notation, we assume (without loss of generality) it acts on {1,…,n}. Thus, we start from i=1, perform a look-up and find the image of i under g. If the image is equal to i, close the cycle and increment the index i moving ahead to i+1. Otherwise, append g(i) at the end of the cycle and repeat the process for this index. There will be at most n look-ups and n stored integers between 1 and n. The arrays G, Heach contain 2n integers. Further, Step 2 can also be completed in time O(n). As there are at most n cycles in gα, the arrays First, Second are at most n integers long. Thus, the construction of these two arrays requires storing at most 2nintegers. Let us now move ahead to Steps 3 and 4. For each 1≤i≤|First|, perform a look-up in array G to determine to which cycle of g the value First[i] belongs. This requires at most n look-ups. Look up the position numbers of Second[i] and First[i] and subtract. This requires at most O(n) computations plus O(n) look-ups. The final step requires that we solve a system with at most |D| modular arithmetic equations, where the moduli are not necessarily coprime. We have |D|≤n/2, so let k=⌈n/2⌉, and let

Cryptanalysis of a Proposal Based on the Discrete Logarithm .....

193

denote the system of congruences found in Step 5, where each L[i] is the length of a cycle of g. As in [4], let m=lcm(L[1],L[2],…,L[k]). Now, we can closely follow the the proof of [4]: Compute the solution to the first two congruences

and call this solution α1. There are t,s∈ with gcd(L[1],L[2])=t⋅L[1]+s⋅L[2]. By [4], we know the solution is α1=D[1]+t⋅L[1], which is unique modlcm(L[1],L[2]). According to [5], this application of the Extended Euclidean Algorithm has a cost of O(logL[1]⋅logL[2]). We upper-bound this by O(log2n). Next, consider the two equivalences

Compute the solution to this pair of congruences as above, and call this solution α2. The cost of computing α2 is

Iterate this step until the k equivalences are reduced to 2. The solution to the last pair of equivalences is the solution, α. There will be at most n−1 applications of the Extended Euclidean Algorithm, . From [6,7,8], we with total complexity in know that, for any g∈Sn, it holds that , and the claim follows. Correctness of the above procedure is not hard to verify: Proposition 1. For any g∈Sn and h∈⟨g⟩ such that h=gα, the above procedure computes α(mod|g|), given g, h, and n. Proof. Let g=π1∘⋯∘πr and suppose the algorithm returns

≡D[i]modL[i] for all i

as in the proof of Theorem 1. We proceed by showing that g πi are disjoint,

=h. Since the

194

Number Theory with Applications to Cryptography

(1) There exist ki∈

such that

for all i, so (1) is equal to (2)

The order of πi is L[i] for each i, so Equation (2) simplifies to

To show that =h, we evaluate (First[i]) and show that the result is Second[i] for all i. Let G[First[i]]=(l,pos(First[i])). As First[i] and Second[i] belong to the same cycle of g, then G[Second[i]]=(l,pos(Second[i])). It follows that

The image of First[i] under is found by moving (cyclically) right by D[i] positions inside πl. Thus, First[i] ends up being mapped to the cycle entry at position pos(First[i])+(pos(Second[i])−pos(First[i])])=pos(Second[i]). Consequently, (First[i])=Second[i]. As this holds for all i, the resulting permutation satisfies =h.

EXPERIMENTAL VALIDATION The proposed attack was implemented in Magma V2.21 on a personal computer. An example of the attack in S100 is as follows. Let

g=(1,12,90,19,7,30,44,72,57,55,34,81,82,17,54,21,80,94,35,11,85,100) (2,9,83,87,45,13,67,24,78,4,16,32,65,51,29,33,22,59,50,69,56,58,43,3 1,47,96,91,92,15,75,86,49,68,88,95,36,63,23,71,98,42,28,64,8,38,40) (3,10,97,48,74,39,46,60,89,5)(6,26,79,25,20,76)(14,84,37,53,61,70,73) (18,99,93,66,62,27,77,41). The order of g is 212,520. Given (g,g178,705), let us try to recover the secret exponent α = 178,705. Following the procedure presented above, we store DL==[21,41,5,−5,1,5,2,1,5,−5,0]and[22,46,10,10,6,10,7,8,10,10,1]. Further, we know that α is congruent to D[i] modulo L[i] for each i. Applying

Cryptanalysis of a Proposal Based on the Discrete Logarithm .....

195

the Chinese Remainder Theorem yields the solution α = 178,705, as expected.

CONCLUSIONS The above discussion provides a polynomial time solution for the discrete logarithm problem inside the symmetric group Sn, using its standard presentation. On suitable elliptic curves, efficient implementations of ElGamal are available, where (in the absence of quantum computers) no polynomial time attacks on the secret key are known. With the availability of a polynomial-time secret key recovery, it seems fair to consider the security assumption underlying Doliskani et al.’s proposal as problematic.

AUTHOR CONTRIBUTIONS Conceptualization, Formal Analysis, and Writing: M.I.G.V, A.R., and R.S.; Software: A.R.

196

Number Theory with Applications to Cryptography

REFERENCES 1.

2. 3. 4.

5.

6. 7. 8.

Doliskani, J.N.; Malekian, E.; Zakerolhosseini, A. A Cryptosystem Based on the Symmetric Group Sn. IJCSNS Int. J. Comput. Sci. Netw. Secur. 2008, 8, 226–234. Gamal, T.E. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 1985, 31, 469–472. Jones, G.A.; Jones, J.M. Elementary Number Theory; Springer Undergraduate Mathematics Series; Springer: Berlin, Germany, 1998. Bogomolny, A. Chinese Remainder Theorem from Interactive Mathematics Miscellany and Puzzles. 2012. Available online: http:// www.cut-the-knot.org/blue/chinese.shtml (accessed on 1 May 2018). Von zur Gathen, J.; Gerhard, J. Chapter The Euclidean Algorithm. In Modern Computer Algebra; The Press Syndicate of the University of Cambridge: Cambridge, UK, 1999; pp. 50–55. Landau, E. Über die Maximalordnung der Permutationen gegebenen Grades. Arch. Math. Phys. 1903, 5, 92–103. Massias, J.P. Majoration explicite de l’ordre Maximum d’un Élément du groupe symétrique. Ann. Fac. Sci. Toulouse Math. 1984, 6, 269–280. Massias, J.P.; Nicolas, J.L.; Robin, G. Effective Bounds for the Maximal Order of an Element in the Symmetric Group. Math. Comput. 1989, 53, 665–678.

Chapter 14

Research on Attacking a Special Elliptic Curve Discrete Logarithm Problem

Jiang Weng1,2, Yunqi Dou 1, and Chuangui Ma3 State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China 1

2

Air Force Engineering University, Xi’an 710038, China

3

Basic Department, Army Aviation Institution, Beijing 101123, China

ABSTRACT Cheon first proposed a novel algorithm for solving discrete logarithm problem with auxiliary inputs. Given some points 𝑃, 𝛼𝑃, 𝛼2 𝑃, ...,𝑑 𝑃 ∈

, an attacker can solve the secret key efficiently. In this paper, we propose a new algorithm to solve another form of elliptic curve discrete

Citation: Jiang Weng, Yunqi Dou, and Chuangui Ma, “Research on Attacking a Special Elliptic Curve Discrete Logarithm Problem,” Mathematical Problems in Engineering, vol. 2016, Article ID 5361695, 8 pages, 2016. https://doi.org/10.1155/2016/5361695 Copyright © 2016 Jiang Weng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

198

Number Theory with Applications to Cryptography

logarithm problem with auxiliary inputs. We show that if some points and a multiplicative cyclic group 𝐾 = ⟨𝑘⟩ are given, where 𝑑 is a prime, (𝑑) is the order of 𝐾. The secret key

can be solved in storage.

group operations by using

INTRODUCTION Let 𝐸 be an elliptic curve over a finite field , where 𝑞=𝑝𝑛 and 𝑝 is prime. Given points 𝑃, 𝑄 ∈ ( ) to find an integer 𝛼, if it exists, such that 𝑄 = 𝛼𝑃. The computational problem is called elliptic curve discrete logarithm problem (ECDLP). This problem is the fundamental building block for elliptic curve cryptography (ECC) and pairing-based cryptography and has been a major area of research in computational number theory and cryptography for several decades. The security of elliptic curve cryptography is based on the difficulty of the ECDLP. Like any other discrete logarithm problem, ECDLP can be solved by generic algorithms such as the Baby-Step Giant-Step method [1] and Pollard rho method [2]. At present, parallelized Pollard rho algorithm [3] is the fastest general-purpose method for solving the ECDLP. So far, Pollard rho method has been implemented on a variety of accelerator platforms including FPGAs, Playstation 3 Cell Processors, and GPUs. Many bilinear maps were applied to establish efficient cryptographic schemes, whose security relies on the infeasibility of newly proposed mathematical problems such as Bilinear Diffie-Hellman Problem (BDHP) [4], Strong Diffie-Hellman Problem (SDHP) [5], Bilinear Diffie-Hellman Inversion Problem (BDHIP) [6], and Bilinear Diffie-Hellman Exponent Problem (BDHEP) [7]. A variant of the Diffie-Hellman problem introduced by Boneh and Boyen [5] is to compute that when given 𝑃, 𝛼𝑃, 𝛼2 𝑃, . . . , 𝛼𝑑𝑃. Problems of this type (including the simpler case of being given 𝑃, 𝛼𝑃, 𝛼𝑑𝑃) are sometimes called discrete logarithm problems with auxiliary inputs.

In Eurocrypt 2006, Cheon [8, 9] first proposed an algorithm for solving discrete logarithm problem with auxiliary inputs (DLP-wAI). Auxiliary inputs are some additional information which is provided for solving DLP, such that some elements

instead of only two

Research on Attacking a Special Elliptic Curve Discrete Logarithm ....

199

elements . Let 𝐺 = ⟨𝑃⟩ be an additive cyclic group generated by an element 𝑃 of prime order 𝑝. The time complexity of Cheon’s algorithm is

storage in the case

of 𝑑 | (𝑝 − 1). In particular, when in time and space. Cheon also presents a variant for the case when 𝑑 | (𝑝 + 1). The idea of Cheon’s algorithm is to embed a discrete logarithm 𝛼 from auxiliary group for 𝑝−1 (or 𝑝+1 case, resp.).

to an

In 2009, Satoh [10] proposed a possible generation of Cheon’s algorithm when 𝑑 is a divisor of 𝜑(𝑝) when 𝑛 ≥ 2, where 𝜑𝑛(𝑝) is the 𝑛th cyclotomic polynomial. Although Satoh described the algorithm in the context of general linear groups, essentially Satoh’s algorithm used embedding from

to an auxiliary group . In the case of 𝑛=2, Satoh’s algorithm reduced the number of input data pieces by the half of Cheon’s original algorithm. However, the efficiency of the algorithm was not well-studied. Kim [11, 12] studied Satoh’s generalization of the 𝑝+1 algorithm for solving the DLP-wAI. The result showed that the complexity of Satoh’s algorithm was not faster than Cheon’s algorithm when 𝑑|𝜑(𝑝) and 𝑛≥3. One of the main problems when using this mapping is the occurrence of high degree polynomials. In 2012, Kim and Hee [13] proposed a new approach to solve the DLP-wAI focusing on the behavior of the function mapping rather than embedding the secret key to an auxiliary group. Kim’s algorithm reduced solving DLP-wAI into finding a polynomial whose substitution polynomial has many absolutely irreducible factors. In 𝑝+1 case, the complexity of

Kim’s algorithm is with 𝑑 auxiliary elements, where 𝑅 such that (𝑥) = 𝑓(𝑦), while Cheon’s is the number of pairs (𝑥, 𝑦) ∈ algorithm required 2𝑑 auxiliary elements for the same problem. However, it would be more difficult to design such a polynomial with small value sets. Sakemi et al. [14] investigated useful techniques for speeding up Cheon’s algorithm and demonstrated that it is possible to solve 160-bit DLP-wAI over a pairing-friendly elliptic curve within a practical time.

In this paper, we introduce a new algorithm for solving ECDLP-wAI. If are given, specify that 𝑑 is a prime number and that 𝜑 is the Euler totient function and that 𝑘 is a generator of multiplicative cyclic group with order 𝜑(𝑑); we can solve

by

200

Number Theory with Applications to Cryptography

using

group operations and

storage.

The rest of this paper is organized as follows. In Section 2, we describe Cheon’s algorithm. We define a group partition and show how group elements can be represented with only a few elements in Sections 3 and 4. In Section 5, we propose an algorithm for the ECDLP-wAI and analyze the complexity. Then our experimental results are reported in Section 6. Finally, we conclude this paper in Section 7.

PRELIMINARY In this section we introduce some notations and concepts used throughout this paper.

Discrete Logarithm Problem with Auxiliary Inputs The DLP-wAI was first proposed by Cheon in [8, 9] as a variant of DLP. Let be an additive cyclic group generated by the base point 𝑃 of is to solve from some additional prime order 𝑝. The DLP-wAI in information such as 𝛼𝑖 𝑃 ∈ G for some integer 𝑖.

Cheon proposed two types (𝑝−1 and 𝑝+1 case) of DLP-wAI. Both of the two into an auxiliary group, algorithms transform the discrete logarithm in and solving the DLP in the auxiliary group is more efficient than original group. We now sketch the technique due to Brown and Gallant [15] for solving , where 𝑃 has order 𝑝 and 𝑑 | (𝑝 − 1). Fix ECDLP instances of order equal to (𝑝 − 1), so that 𝜁𝑑 has order (𝑝 − 1)/𝑑. Since 𝛼𝑑 has order modulo 𝑝 dividing (𝑝 − 1)/𝑑, we have 𝛼𝑑 ≡ (𝜁𝑑) 𝑥 (mod𝑝) for some integer

and 𝑘1 =𝑢+𝑚V with 0 0≤𝑘1 < (𝑝 − 1)/𝑑. Writing 𝑑 𝑑 𝑢 𝑚𝑑 V ≤ 𝑢, V < 𝑚 we have 𝛼 𝑃 = (𝜁 ) (𝜁 ) 𝑃. Hence one can compute a list of values (𝜁−𝑑𝑢)𝑑 and a list of values (𝜁𝑑𝑚)V𝑃 and find in O(√(𝑝 − 1)/𝑑) steps the matching pair (𝑢, V). Writing 𝑘1 =𝑢+𝑚V we have 𝛼𝑑 ≡ (𝜁𝑑) 𝑘 (mod𝑝). To find a we write 𝛼=𝜁𝑘 and note that 𝑘=𝑘1 + 𝑘2√(𝑝 − 1)/𝑑 for some 0≤𝑘2 < 𝑑. By a similar method based on 𝛼𝑃 one computes 𝑘2 in O(√𝑑) steps and hence computes 𝛼. Overall we compute 𝛼 in O(max{√(𝑝 − 1)/𝑑, √𝑑}) group operations. The 𝑝−1 case is that 𝑃, 𝛼𝑃, 𝛼𝑑𝑃 are given for a positive divisor 𝑑 of 𝑝−1.

Research on Attacking a Special Elliptic Curve Discrete Logarithm ....

201

This case maps 𝛼 to 𝛼𝑑 and the subgroup of with order (𝑝 − 1)/𝑑 as the auxiliary group. We give Cheon’s algorithm with 𝑝−1 case as follows:

Algorithm 1.

The secret key 𝛼 ∈ can be recovered in time complexity O(√(𝑝 − 1)/𝑑 + √𝑑) by using O(max{√(𝑝 − 1)/𝑑, √𝑑}) storage. In the extreme case where there is a factor 𝑑 | (𝑝 − 1) with 𝑑 ≈ √𝑝, then one can solve the ECDLP in steps, which is much efficient than that for solving DLP in general groups (which requires O(√𝑝)). The 𝑝+1 case is that 𝑃, 𝛼𝑃, 𝛼2 𝑃, . . . , 𝛼2𝑑𝑃 are given for a positive divisor 𝑑 of 𝑝+1. This case maps 𝛼 to (𝛼 + 𝜃)(𝑝−1)⋅𝑑, where

, and the subgroup

with order(𝑝+1)/d as the auxiliary group. We give Cheon’s algorithm of with 𝑝+1 case as follows: Algorithm 2.

202

Number Theory with Applications to Cryptography

Input: let {𝑃, 𝑃1 = 𝛼𝑃, 𝑃2 = 𝛼2 𝑃, . . . , 𝑃2𝑑 = 𝛼2𝑑𝑃 ∈ 𝐺}, 𝑑|𝑝+1, 𝑎 a quadratic nonresidue of , and 𝜃 a root of , and |𝐻| = 𝑝 + 1; Output:

:

The secret key can be recovered in time complexity O(√(𝑝 + 1)/ 𝑑+𝑑) by usingO(max{√(𝑝 + 1)/𝑑, √𝑑})storage.

PARTITIONS OF GROUP ELEMENTS

In this section, we introduce a representation of a multiplicative subgroup and then give a group action on theory, one refers to [16, 17].

. For more information about group

Research on Attacking a Special Elliptic Curve Discrete Logarithm ....

Multiplicative Cyclic Subgroup of

203

Construction

A representation of the subgroup can help to analyze the structure of the subgroup. In this paper, we introduce a new representation for multiplicative , where 𝑝 is an odd prime. subgroup of

.The greatest common divisor of all integers 𝑠 is Let 𝑆 be a subset of denoted by gcd(𝑆), where 𝑠 mod (𝑝 − 1) belongs to 𝑆. We define a subset 𝐾

of 𝑑 is an odd prime number

, where 𝑝 − 1 = 𝑑𝜆, 𝜆 is an even integer, and

Lemma 3. Let 𝐾 = {𝑛𝜆 + 1: 𝑛 ∈ [0, (𝑝 − 1)/𝜆)} ∩ . multiplicative subgroup of

. Thus 𝐾 is a

Proof. Let 1+𝑖𝜆, 1+𝑗𝜆 ∈ 𝐾; then (1+𝑖𝜆)(1+𝑗𝜆) mod (𝑝−1) ≡ 1 + (𝑖 + 𝑗 + 𝑖𝑗𝜆)𝜆 mod (𝑝 − 1). Since gcd(1 + 𝑖𝜆, 𝑝 − 1) = 1 and gcd(1+𝑗𝜆, 𝑝−1) = 1, this means gcd((1+𝑖𝜆)(1+𝑗𝜆), 𝑝−1) = 1. So (1 + 𝑖𝜆)(1 + 𝑗𝜆) ∈ 𝐾.

Let 1+𝑖𝜆 ∈ 𝐾; we assume (1+𝑖𝜆)(1+𝑗𝜆) ≡ 1 mod (𝑝−1). Since 1+(𝑖+𝑗+𝑖𝑗𝜆) 𝜆 ≡ 1 mod (𝑝−1) ⇒ 𝑖+𝑗(1+𝜆) ≡ 0 mod 𝑑 and gcd(𝑑, 1 + 𝑖𝜆) = 1, then there exists 𝑗 such that 1 + 𝑗𝜆 is the inverse of 1 + 𝑖𝜆. It is closed under multiplication and inversion. Therefore 𝐾 is a multiplicative subgroup of .

Since 𝜆 is an even integer, every element of 𝐾 is as form 1 + 𝑛𝜆 so that 𝜆 = gcd(𝐾 − 1), where 𝐾 − 1 = {𝑘 − 1: 𝑘 ∈ 𝐾}.

Group Action

Definition 4 (see [16]). An action of group 𝐺 on a set 𝑆 is a function 𝐺×𝑆→𝑆 𝑔 ∘ 𝑥) such that for all 𝑔1, 𝑔2 ∈ 𝐺, 𝑥∈𝑆 (usually denoted by (𝑔, 𝑥) satisfies: (1) where 𝑒 is a unit element of 𝐺. When such an action is given, we say that 𝐺 acts on set 𝑆. Since there may be many different actions of group 𝐺 on given set 𝑆, the notation 𝑔𝑥 is ambiguous. A group action on a set induces a partition of this set, which is called the orbit of the set under this group action.

204

Number Theory with Applications to Cryptography

Let 𝐺 be a group that acts on a set 𝑆. The relation on 𝑆 defined by 𝑥∼𝑥’ ⇔ 𝑔𝑥 = 𝑥’ for some 𝑔∈𝐺 is an equivalence relation. The equivalence classes of the equivalence relation are called the orbits of the set under this group action; usually the orbit of 𝑥∈𝑆 is denoted as ⟨𝑥⟩. A group action of 𝐺 on a set 𝑆 induces a partition of 𝑆 via the equivalence relation defined by 𝑥∼𝑥’ ⇔ 𝑔∘𝑥 = 𝑥’ for some 𝑔∈𝐺. The equivalence classes are called orbits of 𝑆 under the action of 𝐺; usually the orbit of 𝑥∈𝑆 is denoted as ⟨𝑥⟩. We define the set of fixed points of 𝑆 under the action of 𝐺 by Fix(𝐺) = {𝑥 ∈ 𝑆: 𝑔∘𝑥 = 𝑥 for all 𝑔 ∈ 𝐺} and the set of nonfixed points nFix(𝐺) by 𝑆 \ Fix(𝐺). Hence all elements of group 𝐺 can be represented by only two types of elements, fixed points and nonfixed points. We define the action of subgroup 𝐾 on

(𝑘, 𝑥) → 𝑥 for all 𝑘∈𝐾 and 𝑥 ∈ 𝑘

such that 𝐾 ×



satisfies

. This map induces a set 𝑥 = {𝑥 : 𝑘 ∈ 𝐾}

that is called a 𝐾-orbit of 𝑥. In particular, Fix(𝐾) = {𝑥 ∈ − 1), for every 𝑘 ∈ 𝐾} is a subgroup of

𝐾

| 𝑥𝑘 ≡ 𝑥 mod (𝑝

, which is the set of fixed points.

Let be a primitive element in ; then 𝜁=𝜉(𝑝−1)/𝜆 is a generator of a cyclic group. Obviously, the fixed point set is generated by 𝜁, where ⟨𝜁⟩ = {𝑥 ∈

: 𝑥𝜆 ≡ 1 mod (𝑝 − 1)} and 𝜆 = gcd{𝑘 − 1: 𝑘 ∈ 𝐾}.

By using this group action on

the elements of

, we can efficiently partition

. Thus

can be represented with only a few subsets.

A GROUP REPRESENTED BY DISJOINT ORBITS In this section, we introduce how to partition group elements by disjoint orbits.

A Group Partition Let , where 𝐼 = {2, 3, . . . , 𝑡} is an index set, 𝑝2,...,𝑝𝑡 are distinct odd prime numbers, and each 𝑒𝑖 ≥ 1. We choose a prime divisor = (𝑝 − 1)/𝑑. It 𝑝𝑗 of 𝑝−1 with 𝑒𝑗 = 1, denoted as 𝑝𝑗 = 𝑑. Let 𝜆 is equivalent to gcd(𝜆, 𝑑) = 1. We generate a set 𝐾 that is defined by := {1 + 𝑛𝜆: 𝑛 ∈ [0, 𝑑)}.

be a multiplicative Proposition 5. Let 𝐾 = {1 + 𝑛𝜆: 𝑛 ∈ [0, 𝑑)} ∩ . Thus the order of 𝐾 is (𝑑), where 𝜑 denotes Euler’s totient subgroup of

Research on Attacking a Special Elliptic Curve Discrete Logarithm ....

205

function Let (𝑝 − 1)/𝜆 = 𝑑 be prime; then |𝐾| = 𝑑 − 1. We note that gcd(𝜆, 𝑑) = 1 and 1+𝑛𝜆, where 0≤𝑛< 𝑑 such that 𝑑|1+𝑛’ 𝜆. So all the elements of 𝐾 can be expressed by 𝐾 = {1 + 𝑛𝜆: 𝑛 ∈ [0, 𝑑) \ 𝑛’ }. Thus we know that |𝐾| = (𝑑) = 𝑑 − 1.

Proposition 6. Let 𝐾 = {1 + 𝑛𝜆: 𝑛 ∈ [0, 𝑑) \ 𝑛’ } be a multiplicative subgroup of . If gcd(𝜆, 𝑑) = 1, then 𝐾 is a cyclic group.

, where is a multiplicative cyclic Proof. We define a map 𝑓: 𝐾 → group of order 𝑑−1.The map 𝑓is defined by 𝑓: 1 + 𝑛𝜆 → (1 + 𝑛𝜆) mod 𝑑 for every 1 + 𝑛𝜆 ∈ 𝐾. Let 1 + 𝑛𝜆 = 𝑘1𝑑+𝑡1 and 1 + 𝑚𝜆 = 𝑘2𝑑+𝑡2, where 0≤𝑡1, 𝑡2 < 𝑑:

(2) Hence (1 + 𝑛𝜆)(1 + 𝑚𝜆) mod 𝑑 ≡ (1 + 𝑛𝜆) mod 𝑑 ⋅ (1 + 𝑚𝜆) mod 𝑑; it implies that the map 𝑓 is a grouphomomorphism for the multiplicative structures on 𝐾 and . In order to prove the map is bijective, we only need to prove the map 𝑓 is injective.

If 1+𝑛𝜆 1+𝑚 , then (1+𝑛𝜆) mod 𝑑 (1+𝑚𝜆) mod 𝑑 for all 0 ≤ 𝑛, 𝑚 < 𝑑 and 𝑛 𝑚. Suppose (1 + 𝑛𝜆) mod 𝑑 = (1 + 𝑚𝜆) mod 𝑑; then 𝑑 | (𝑛 − 𝑚). Since gcd(𝜆, 𝑑) = 1, we have 𝑑|𝑛−𝑚. This is a contradiction. Therefore, the map 𝑓 is injective. It is natural that 𝑓 is bijective. Hence the groups 𝐾 and are isomorphism (written as 𝐾 ≅

Therefore the group 𝐾 is a cyclic group.

).

Then we need to find a generator of 𝐾. Since 𝐾 is a cyclic group and 𝐾 ≅ , the homomorphism 𝑓 maps the generator of 𝐾 to the generator of

206

Number Theory with Applications to Cryptography

. Let 𝛾 be a generator of

; then 𝐾 = ⟨𝑓−1(𝛾)⟩. The following proposition

implies that 𝑥, 𝑥 , 𝑥𝑘2 ,...,𝑥𝑘𝜑(𝑑)−1 are all the distinct elements for 𝑥 ∈ where 𝑘 is a generator of 𝐾.

\ ⟨𝜁⟩,

in the same orbit are distinct for every 𝑥 ∈

\ ⟨𝜁⟩.

Proposition 7. Let 𝐾 be defined as above and 𝜁 a generator of Fix(𝐾); then all elements

Proof. Suppose that

. Writing this as

, where 0 ≤ 𝑙 < (𝑝 − 1)/𝜆, notice that ord(𝑥) = 𝑝 − 1; we have (𝑝 − 1) | 𝑙𝜆. However, 𝑝 − 1 > 𝑙𝜆; this is are distinct for 0 ≤ 𝑖, 𝑗 < 𝑑, 𝑖 𝑗. a contradiction. Thus Let 𝜁 be a generator of a cyclic group of fixed point. In the following we mainly discuss the relation between 𝜁𝑖 𝑥𝐾 and 𝜁𝑗 𝑥𝐾 under the condition gcd(𝜆, 𝑑) = 1 for all 0 ≤ 𝑖, 𝑗 ≤ 𝜆 − 1 and 𝑖 𝑗, where 𝜁 is a fixed point and 𝑥 is a nonfixed point.

Proposition 8. Let 𝐾 be a multiplicative subgroup of and 𝜁 a generator of fixed point for 𝜆 = gcd(𝐾−1). If gcd(𝜆, 𝑑) = 1, then any two orbits 𝜁𝑖 𝑥𝐾 and 𝜁𝑗 𝑥𝐾 are disjoint for 0 ≤ 𝑖, 𝑗 ≤ 𝜆−1, 𝑖 𝑗. Proof. Any two orbits 𝜁𝑖 𝑥𝐾 and 𝜁𝑗 𝑥𝐾 are disjoint for 0 ≤ 𝑖, 𝑗 ≤ 𝜆−1, 𝑖 0 𝑗. It is equivalent to (𝜁𝑖 𝑥𝐾)∩(𝜁𝑗 𝑥𝐾)=0. Suppose that (𝜁𝑖 𝑥𝐾)∩(𝜁𝑗 𝑥𝐾)

for some 𝑖, 𝑗.This means that 𝜁𝑖 𝑥𝐾 = 𝜁𝑗 𝑥𝐾 and

, where

, the order of 𝑦 divides both 𝜆 and 𝑑. Then it divides gcd(𝜆, 𝑑) = 1, from which it follows that 𝑦 must be equal to 1. This is a contradiction, so 𝜁𝑖 𝑥𝐾 and 𝜁𝑗 𝑥𝐾 are disjoint. On the other hand, if 𝑖=𝑗, there is natural 𝜁𝑖 𝑥𝐾 = 𝜁𝑗 𝑥𝐾.

From the above discussion, we conclude that two orbits 𝜁𝑖 𝑥𝐾 and 𝜁𝑗 𝑥𝐾 are identical or disjoint. Therefore, group elements can be expressed by disjoint orbits. We may divide the group 𝐺 into two classes, the nonfixed points (denoted as 𝐺𝑛𝑓𝑝) and the fixed points (denoted as 𝐺𝑓𝑝). The group 𝐺 can be expressed by 𝐺=𝐺𝑛𝑓𝑝 ∪ 𝐺𝑓𝑝, where ∪ denotes the disjoint union. The nonfixed points part 𝐺𝑛𝑓𝑝 behaves just like an extended orbit. 𝐺𝑛𝑓𝑝 can be partitioned by the disjoint union of distinct 𝐺𝑥,𝑓𝑝, such as 𝐺𝑥,𝑛𝑓𝑝 = 𝑥𝐾 ∪ 𝜁𝑥𝐾 ∪⋅⋅⋅∪𝜁𝜆−1𝑥𝐾 where we choose 𝑥∈𝐺 as a nonfixed point representative element, and 𝜁∈𝐺 is a fixed point. The above discussion gives a decomposition of group elements as union of

Research on Attacking a Special Elliptic Curve Discrete Logarithm ....

207

distinct orbits, which we call the orbit decomposition formula. Furthermore, we can take these elements 𝑥, 𝜁𝑥, . . . , 𝜁𝜆−1𝑥 as the different representatives for distinct orbits. Obviously, any two orbits 𝜁𝑖 𝑥𝐾 and 𝜁𝑗 𝑥𝐾 are one-to-one correspondence, where 0 ≤ 𝑖, 𝑗 < 𝜆. Thus any two orbits have the same cardinality. Hence, the cardinality of 𝐺𝑥,𝑓𝑝 can be expressed by |𝐾|𝜆 for 𝑥∈𝐺. The order of 𝐺 can be expressed by |𝐺| = |𝐺𝑥,𝑓𝑝 ∪ 𝐺𝑓𝑝| = (|𝐾| + 1)𝜆 for a non-fixed point 𝑥∈𝐺 and a fixed point 𝜁∈𝐺. Example 9. Let 𝐾 = {1, 5, 9, 13, 17, 25} ≤

; define a map

for 𝑘=5 and 0≤𝑖≤5. We consider a group partition method on . Then we have 𝜆=4 disjoint orbits of length (𝑑) = 6. Since there is one-to-one

correspondence between any two orbits, the group follows:

can be divided as

(3) So the cardinality of every orbit is |𝐾| = |2𝐾| = |4𝐾| = |7𝐾| = |8𝐾|=6. We have 4 fixed points 𝐺𝑓𝑝 = ⟨12⟩ = {1, 12, 17, 28} and note that 14 ≡ 124 ≡ 174 ≡ 284 ≡ 1 mod 29. Obviously,𝑛𝑓𝑝 can be represented as𝐺𝑛𝑓𝑝 = 2𝐾∪4𝐾∪7𝐾∪ 8𝐾. Thus can be partitioned by

= Fix(𝐾) ∪ nFix(𝐾).

A SPECIAL POLYNOMIAL CONSTRUCTION In [13], Kim and Hee proposed a fast multipoint evaluation method to solve DLP-wAI focusing on the behavior of function mapping between the finite fields rather than using embedding for auxiliary groups. This method reduced solving DLP-wAI into finding a polynomial whose substitution polynomial has many absolutely irreducible factors. In this section, we construct a polynomial (𝑥) ∈ [𝑥] having the same value for the elements in the same orbit. We define a function (𝑥) by

Number Theory with Applications to Cryptography

208

(4) are all diswhere 𝑘𝜑(𝑑) ≡ 1 mod (𝑝 − 1). It implies that tinct elements and that this sequence is repeated for further powers. Furthermore, we define the equivalence relation ∼ on

as follows:

(5) where 𝜁 is a fixed point and 𝜁𝑖 𝑥 are the representatives of distinct orbits.

into different equivalence classes, and This relation partitions the group each class contains (𝑑) elements. Obviously, any two equivalence classes, that is, ⟨𝜁𝑖 𝑥⟩ and ⟨𝜁𝑗 𝑥⟩, have one-to-one correspondence for all 𝑖, 𝑗 and .

Proposition 10. Let 𝐾 be multiplicative subgroup of

generator of fixed point. Then we have (𝑥) ≡ 𝑓(𝑥𝑘 )≡⋅⋅⋅ ≡

and 𝑓(𝜁𝑖 𝑥) ≡ 𝜁𝑖 𝑓(𝑥) mod 𝑝, where 𝑥 ∈

and 𝜁 a

\ ⟨𝜁⟩, 𝑘∈𝐾, and 0≤𝑖≤𝜆−1.

mod 𝑝

Proof. One has 𝜁 ≡ 𝜁 mod 𝑝 for all 𝑘∈𝐾; the orbit generated by 𝜁𝑖 𝑥 satisfies (𝜁𝑖 𝑥) = 𝜁𝑖 𝑥𝐾 for all 0≤𝑖≤ 𝜆−1. 𝑘

The Proposed Algorithm Theorem 11. Let

be an additive cyclic group of prime order 𝑝 with

a generator 𝑃. Let 𝐾 be a multiplicative subgroup of

1). Suppose that a generator 𝜁 of are given. Then 𝛼 ∈

and

with 𝜆 = gcd(𝐾 −

can be computed in time

group operations by using storage for

elements of G.

Research on Attacking a Special Elliptic Curve Discrete Logarithm ....

Proof. Let

209

be an additive cyclic group generated by an element 𝑃

mod 𝑝 has of prime order 𝑝. Polynomial (𝑥) = 𝑥 + 𝑥𝑘 + the same value for all elements in an orbit, and it is to say that 𝑓(𝛼) ≡ 𝑓(𝛼𝑘 )

≡ ⋅⋅⋅ ≡ Given

) mod 𝑝, where

.

,

we

first

compute

. Then we randomly choose a and evaluate (𝑥) at 𝛽. There exist nonnegative nonfixed element 𝛽 from integers 0 ≤ 𝑖, 𝑗 ≤ 𝜆 − 1 such that 𝜁𝑡 (𝛼) = 𝑓(𝛽).

If we take can be expressed in a unique manner as 𝑡=𝑚V + 𝑢, where 0 ≤ 𝑢, V < 𝑚. This implies that (6)

Since (𝛼) is unknown value, in practice, we search for integers 𝑢 and V that satisfy (7)

In order to find such 𝑡, we use Baby-Step Giant-Step [1] method. We construct a lookup table, which contains all the pairs (𝜁−𝑢(𝛽)𝑃, 𝑢) for 0≤𝑢 < 𝑚, and we sort the table by the first component. Then we compute 𝜁𝑚v (𝛼) 𝑃 for each 0 ≤ V < 𝑚 and compare with the lookup table in order to identify coincidence. Note that the terms in both sides of (7) can be computed by repeated elliptic curve scalar multiplication. Thus, we can determine a pair of (𝑢, V) that satisfies (7) in 2𝑚 group operations by using storage for 𝑚 elements of . Then 𝑡 can be found.

There is 𝜁𝑡 (𝛼)𝑃 = 𝑓(𝛽)𝑃 or equivalently 𝑓(𝜁𝑡 𝛼)𝑃 = 𝑓(𝛽)𝑃. Since the 𝑘th power of any point is still in the same orbit, there exists an integer 𝑘𝑙 ∈ 𝐾 such that

. We compute

where 0≤𝑖≤ 𝜆−1. This gives

.

and compare with 𝜁𝑡 𝛼𝑃 in

,

We briefly describe this method in Algorithm 12. The algorithm is probabilistic, in which 𝛽 ∈ F∗ 𝑝 satisfies 𝜁𝑡 (𝛼)𝑃 = 𝑓(𝛽)𝑃 for our attack. Since all elements of group

can be represented by fixed point and

nonfixed point, the probability that a random element 𝛽 ∈ point is (𝑑)𝜆/𝑝 = 1 − 𝜆/𝑝, which is sufficiently large.

is a nonfixed

210

Number Theory with Applications to Cryptography

Algorithm 12 (a new algorithm to ECDLP with auxiliary inputs). Consider the following: a

Input: let primitive element in Output: 𝛼 ∈

;

:

In summary, if and multiplicative group 𝐾 are given, the proposed algorithm computes 𝛼 approximately in O(√(𝑝 − 1)/𝑑 + 𝑑) group operations with storage O(√(𝑝 − 1)/𝑑) in .

EXPERIMENTAL RESULTS This section describes our experimental results of our new algorithm for an elliptic curve. We successfully solved ECDLP-wAI by our implementation in a group with 61-bit order.

Parameters We use an addition cyclic group = ⟨𝑃⟩ with order 𝑝 on an elliptic curve 𝑦2 + 𝑥𝑦 = 𝑥3 + 𝑥2 + 415485412408256448 defined over a binary finite field . Concrete values of these parameters are summarized in the following:

Research on Attacking a Special Elliptic Curve Discrete Logarithm ....

211

where #𝐸 denotes the number of points in 𝐸( ). In the implementation of our new algorithm, we use the following parameters:

Here, 𝑑 is chosen to minimize the time complexity of our algorithm. The element 𝜁 is chosen as the generator of the multiplicative group 𝐺𝑓𝑝. A base point 𝑃 is randomly chosen from points in ( ) with order 𝑝. Given the coordinate of , the corresponding values for 𝑥 and 𝑦 are as follows:

212

Number Theory with Applications to Cryptography

(8) Results In this experiment, we randomly choose an element 𝛽 = 916588465071928542. Step

1.

We

and

compute as follows:

(9) Step 2. We search for the integer 0≤𝑡 (10) It is equivalent to searching for integer 0 ≤ 𝑢, V < ⌈√𝜆⌉, such that (11)

We establish two databases and . To establish database DB𝑅, we have to compute and store the following points:

(12) In order to reduce the storage space, we use the point compression technique as [18]. Each point 𝜁−𝑗 ⋅ (𝛽)𝑃 is digested as LSB64(MD5(𝑥(𝑃) ‖ 𝑦(𝑃))), so each point needs 8 bytes. Thus, ⌈√𝜆⌉ × 8 = 246637704 bytes (≈235.2 Mbytes) is required for DB𝑅, and about 6.5 hours is required in total (on Pentium Dual-Core CPU E5700 3.00 GHz). To establish database DB𝐿,

Research on Attacking a Special Elliptic Curve Discrete Logarithm ....

213

(13) were computed and stored. With the same space saving technique, ⌈√𝜆⌉ × 8 = 246637704 bytes (≈235.2 Mbytes) was required for DB𝐿, and 6.5 hours was required in total. Then, a collision 𝜁⌈√𝜆⌉V ⋅ (𝛼)𝑃 = 𝜁−𝑢 ⋅ 𝑓(𝛽)𝑃 between two databases DB𝐿 and DB𝑅 was searched by a naive method. Since databases are small, the time for comparison is negligible. Collisions V = 7 and 𝑢 = 235 were found. Thus, a solution (14)

can be found. Step 3. To find 𝛼, we have known an integer 𝑡 that satisfies 𝜁𝑡 ⋅ (𝛼)𝑃 = 𝑓(𝛽) 𝑃; it is equivalent to 𝜁𝑡 ⋅ 𝛼𝑃 =

for 0 ≤ 𝑙 ≤ 1211. Locate 𝜁𝑡 ⋅ 𝛼𝑃 from the

} to find 0≤𝑙≤ 1211 such that 𝜁𝑡 ⋅ 𝛼𝑃 = . Finally, we succeed in set { finding a solution 𝛼=𝜁−𝑡 ⋅ 𝛽𝑘𝑙 = 1073972411177481784 for 𝑙 = 1093.

CONCLUSION

In this paper, we propose a new ECDLP-wAI and give an algorithm to solve the ECDLP efficiently. When given some points and multiplicative cyclic group 𝐾,

in O(√(𝑝 − 1)/𝑑 + our new algorithm can recover the secret key 𝛼 ∈ 𝑑) group operations by using O(√(𝑝 − 1)/𝑑) storage, where 𝑘 is a generator of 𝐾 and 𝜑(𝑑) is the order of 𝐾. This algorithm can be used to attack these cryptographic schemes that admit an oracle returning 𝑘th power of its secret key upon an arbitrary input.

ACKNOWLEDGMENTS This work is supported by the National Natural Science Foundation of China (nos. 61309016, 61379150, and 61103230), Fundamental Research Funds for the Central Universities (no. JB140302), and the National Cryptology Development Project of China (no. MMJJ201201004).

214

Number Theory with Applications to Cryptography

REFERENCES 1.

D. Shanks, “Class number, a theory of factorization and genera,” in Proceedings of the Symposia in Pure Mathematics, vol. 20, pp. 415– 440, 1971. 2. J. M. Pollard, “Monte carlo methods for index computations (mod p),” Mathematics of Computation, vol. 32, no. 143, pp. 918– 924, 1978. 3. P. C. Van Oorschot and M. J. Wiener, “Parallel collision search with cryptanalytic applications,” Journal of Cryptology, vol. 12, no. 1, pp. 1–28, 1999. 4. D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003. 5. D. Boneh and X. Boyen, “Short signatures without random oracles,” in Advances in Cryptology—EUROCRYPT 2004, pp. 56–73, Springer, Berlin, Germany, 2004. 6. D. Boneh and X. Boyen, “Efficient selective-id secure identitybased encryption without random oracles,” in Advances in Cryptology— EUROCRYPT 2004, pp. 223–238, Springer, Berlin, Germany, 2004. 7. D. Boneh, C. Gentry, and B. Waters, “Collusion resistant broadcast encryption with short ciphertexts and private keys,” in Advances in Cryptology—CRYPTO 2005, V. Shoup, Ed., vol. 3621 of Lecture Notes in Computer Science, pp. 258–275, Springer, Berlin, Germany, 2005. 8. J. H. Cheon, “Security analysis of strong diffie-hellman problem,” inAdvances in Cryptology—EUROCRYPT 2006, vol. 4004, pp. 1–11, Springer, Berlin, Germany, 2006. 9. J. H. Cheon, “Discrete logarithm problems with auxiliary inputs,” Journal of Cryptology, vol. 23, no. 3, pp. 457–476, 2010. 10. T. Satoh, “On generalization of Cheon’s algorithm,” IACR Cryptology ePrint Archive 2009:58, 2009. 11. T. Kim, Integer factorization and discrete logarithm with additional information Ph.D. thesis., Seoul National University, 2011. 12. M. Kim, J. H. Cheon, and I.-S. Lee, “Analysis on a generalized algorithm for the strong discrete logarithm problem with auxiliary inputs,” Mathematics of Computation, vol. 83, no. 288, pp. 1993– 2004, 2014.

Research on Attacking a Special Elliptic Curve Discrete Logarithm ....

215

13. T. Kim and C. J. Hee, “A new approach to discrete logarithm problem with auxiliary inputs,” IACR Cryptology ePrint Archive 2012:609, 2012. 14. Y. Sakemi, G. Hanaoka, T. Izu, M. Takenaka, and M. Yasuda, “Solving a discrete logarithm problem with auxiliary input on a 160-bit elliptic curve,” in Public Key Cryptography—PKC 2012, M. Fischlin, J. Buchmann, and M. Manulis, Eds., vol. 7293 of Lecture Notes in Computer Science, pp. 595–608, Springer, New York, NY, USA, 2012. 15. D. R. L. Brown and R. P. Gallant, “The static Diffie-Hellman problem,” Cryptology ePrint Archive Report 2004/306, 2004, https://eprint.iacr. org/2004/306. 16. T. W. Hungerford, Algebra, Graduate Texts in Mathematics, 1980. 17. S. Lang, Algebra, Graduate Texts in Mathematics, Springer, New York, NY, USA, 3rd edition, 2002. 18. T. Izu, M. Takenaka, and M. Yasuda, “Experimental results on Cheon’s algorithm,” in Proceedings of the 5th International Conference on Availability, Reliability, and Security (ARES ’10), pp. 625–628, IEEE, February 2010.

Chapter 15

Are Matrices Useful in Public-Key Cryptography?

Ayan Mahalanobis Indian Institute of Science Education and Research Pune Dr. Homi Bhabha Road, Pashan, Pune 411008, India

ABSTRACT The discrete logarithm problem is the most prolific cryptographic primitive in use. Though the most important ones are the DiffieHellman problem and the decision Diffie-Hellman problem. In this paper, we discuss the discrete logarithm problem in circulant matrices – providing many particular secure instances. We compare the discrete logarithm problem in circulant matrices with that of the discrete logarithm problem in finite fields and with the discrete logarithm problem in the group of rational points of an elliptic curve.

Citation: Ayan Mahalanobis “Are matrices useful in public-key cryptography?” International Mathematical Forum, Vol. 8, 2013, no. 39, 1939-1953. http://dx.doi.org/10.12988/ imf.2013.310187 Copyright © 2013 Ayan Mahalanobis. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Number Theory with Applications to Cryptography

218

Keywords: The discrete logarithm problem, circulant matrices, elliptic curve cryptosystems

INTRODUCTION The purpose of this paper is to raise the question, “can one effectively use matrices in public-key cryptography”? Public-key cryptography uses many kinds of cryptographic primitives, the one that is of interest in this paper is the discrete logarithm problem. Phrased differently, my question is, can one use the discrete logarithm problem in matrices effectively in public-key cryptography? This paper is not to promote matrices, but to start a honest discussion on this topic. Our principal example of useful matrices in this paper is the circulant matrices, which we define later. Before we go into the details, let me itemize the objections to the use of matrices that I have heard over the years. • •

Matrix multiplication is too expensive. Matrices offer security advantage, i.e., the embedding degree, that is tied to the size of the matrix. In the case of elliptic curves, this embedding degree is very high in most cases. So, use elliptic curves instead of matrices. • Computing the inverse of a matrix is too expensive. Let us talk about the first and the third point together. It is true that in the worst case, i.e., multiplying two arbitrary matrices is hard. However, there are matrices for which multiplication is easy, for example, circulant matrices. Furthermore, in using the discrete logarithm problem, one mostly involves exponentiation. For exponentiation, there is an useful algorithm by LeedhamGreen.

Computing Matrix Exponent We introduce the reader with an amazing algorithm by Leedham-Green [7, Section 10] to compute Am for some A ∈ GL(d, q).

Algorithm 1 (Leedham-Green)

Input: a matrix A of size d over a finite field Output: Am •

and a positive integer m.

Find a matrix P such that B = P −1AP is in the Frobenius normal form.

Are Matrices Useful in Public-Key Cryptography?

219



Determine the minimal polynomial m(x) of B. Since the Smith normal form is sparse, it is easy to compute the minimal polynomial – it takes O(d2 ) field multiplications. • Compute t m mod m(t) in F[t]/m(t) as l(t). • Compute C = l(B) • Return PCP −1 . The objective of the original algorithm was to compute the power of any non-singular matrix. For our purpose this is not the case, we can choose our matrix. One way to choose that matrix is to find an irreducible polynomial m of degree d over . Then choose A to be the companion matrix for that polynomial m. In this case, the first two steps and the last step in the above algorithm becomes redundant. If m is irreducible, the quotient

is a field. So the third step is

. So apart from computing the C in the an exponentiation in the field above algorithm, exponentiation of a matrix with irreducible characteristic polynomial is the same as exponentiation in the finite field

.

It is true that for most matrix, inverting is hard. However, there are matrices, like the orthogonal matrices, which satisfies the condition, ATA = AAT = 1. In this case, AT , the transpose of A, is the inverse of A and is easy to compute. Let us now talk about the embedding degree, or the security advantage. The concept of embedding degree has its genesis in the MOV attack [9] on the elliptic curve discrete logarithm problem. The advantage is as follows: consider an elliptic curve over , using the MOV attack one can reduce the discrete logarithm problem in the points on the curve to a discrete logarithm . This d is called the security advantage, or the embedding problem over degree. It is helpful to understand the effect of this, to run an elliptic curve cryptosystem over , the operations of the elliptic curve are actually field operations in . However, to break this discrete logarithm problem, one , for a large d this provides an obvious security advantage. has to work in The above argument is particularly relevant in the case of index calculus attacks. Where for a large d the index calculus even becomes exponential. However, a very large d is not really that important. Another use of the elliptic curves are the pairing based cryptosystems, it uses the same reduction the MOV attack uses. However, if one uses an

220

Number Theory with Applications to Cryptography

elliptic curve with high embedding degree then these cryptosystems become useless [4]. Given the fact that pairing is an important research direction in modern public-key cryptography, it is clear that very high embedding degree is not necessary [4, Section 1.1]. Moreover, the discrete logarithm problem is exponential or sub-exponential is mostly of an academic interest. At the end of the day, what is of most importance is the fact – the security of the discrete logarithm problem is the security of the discrete logarithm . Now if one can trust the security in that field, he problem in the field uses that discrete logarithm problem, otherwise move on to a different one. That is the right attitude about security. Let me now present the MenezesWu algorithm [10].

The Discrete Logarithm Problem in Matrices The discrete logarithm problem is to find m, from A and Am where A ∈ GL(d, q). Here GL(d, q) is the group of all nonsingular matrices of size d over the finite field . We present the work of Menezes & Wu [10], the best known algorithm to solve the discrete logarithm problem in matrices. This algorithm reduces the discrete logarithm problem in GL(d, q) to a finite (possibly trivial) extension of .

The Menezes-Wu Algorithm : Input: A and Am. : Output: m. : From A, compute the characteristic polynomial χA of A. : From Am, compute the characteristic polynomial χAm of Am. Once the characteristic polynomials χA and χAm are computed, the algorithm where χA splits. It is not hard is as follows: find the smallest extension of to show that χAm splits in that extension as well. Let α1, α2, . . . , αd be the roots of χA counting multiplicities, ordered in some way. Let β1, β2, . . . , βd be the roots of χAm counting multiplicities. Though there is no canonical ordering of the characteristic roots, following Menezes & Wu we assume that the lack of ordering is not going to add much to the complexity of the algorithm. So we assume that there is an ordering, corresponding to that , where o(αi) is the multiplicative order of αi , for i = 1, 2, . . . , d. Once this is done, we can solve the discrete

Are Matrices Useful in Public-Key Cryptography?

logarithm problem in A by solving for theorem.

221

and using the Chinese remainder

The obvious question is, for which A do we get the most security? It is clear from above that the Menezes & Wu algorithm reduces the discrete logarithm problem in A to the discrete logarithm problem in an extension of . That extension is the largest possible, when χA is irreducible. When the characteristic polynomial is irreducible, the discrete logarithm problem is . This is the best effectively reduced to a discrete logarithm problem in case scenario from the security standpoint. However, as we will soon see, in the case of circulant matrices this is not attainable. In that case, we should find A, such that χA has the largest possible irreducible component. We now turn to a very special matrix, the circulant matrices and concentrate on those for the rest of the paper. It is known [8, 14] that the group of circulant matrices offers the same security of a finite field of about the same size, with half the computational cost. The other interesting fact about circulant matrices is the size of the field for a secure implementation. The arithmetic of the circulant matrices is implemented over a finite field, very similar to the case of elliptic curves, where the arithmetic is also implemented over a finite field. In the case of circulants, the size of the field can be smaller than the one used for elliptic curves. This is extensively studied in Section 5, and the results are tabulated in Table 2. To sum it up, the advantage of circulants is that it uses smaller field and is faster. In this paper, we denote the group of non-singular circulant matrices of size d by C(d, q) and the group of special circulant matrices, i.e., circulant matrices with determinant 1, by SC(d, q) respectively.

CIRCULANT MATRICES Definition 1 (Circulant matrix C(d, q)). A d × d matrix over a field F is called a circulant matrix, if every row except the first row, is a right circular shift of the row above that. So a circulant matrix is defined by its first row. One can define a circulant matrix similarly using columns. A matrix is a two dimensional object, but a circulant matrix behaves like a one dimensional object – given by the first row or the first column. We will denote a circulant matrix C of size d, with the first row c0, c1, . . . , cd−1, by C = circ (c0, c1, c2, . . . , cd−1). An example of a circulant 5 × 5 matrix is:

Number Theory with Applications to Cryptography

222

One can define a representer polynomial corresponding to the circulant matrix . The circulants form a commutative ring under matrix multiplication and matrix addition and is isomorphic to (the isomorphism being circulant matrix to the representer polynomial) R =

. For more on circulant matrices, see [3].

We will study the discrete logarithm problem in SC(d, q), the special circulant matrix. It is fairly straightforward to see that one can develop a DiffieHellman key exchange protocol or the ElGamal cryptosystem from this discrete logarithm problem. The ElGamal cryptosystem over SL(d, q), the special linear group of size d over is described below. Since the special circulant matrix is contained in the special linear group, this description of the ElGamal cryptosystem works for SC(d, q) as well. All fields considered from now on are of characteristic 2.

THE ELGAMAL OVER SL(d, q) Private Key: . Public Key: A and Am, where A ∈ SL(d, q).

Encryption • •

To send a message (plaintext) , Bob computes Ar and Amr . for an arbitrary r The ciphertext is (A , Amrv T ), where v T is the transpose of v.

Decryption a: Alice knows m, when she receives the ciphertext (Ar , AmrvT ), she computes Amr from Ar , then A−mr and then computes v from Amrv T. We show that the security of the ElGamal cryptosystem over SL(d, q), is equivalent to the Diffie-Hellman problem in SL(d, q). Since SC(d, q) is contained in SL(d, q), this proves that the security of ElGamal cryptosystem is

Are Matrices Useful in Public-Key Cryptography?

223

equivalent to the Diffie-Hellman problem in SC(d, q Assume that Eve can solve the Diffie-Hellman problem, then from the public information, she knows Am. From a ciphertext (Ar , Armv T ) she gets Ar . Since she can solve the Diffie-Hellman problem, she computes Arm and can decrypt the ciphertext. The converse follows from the following theor Theorem 1. Suppose Eve has access to an oracle that can decrypt arbitrary ciphertext of the above cryptosystem for any private key, then she can solve the Diffie-Hellman problem in SL(d, q). Proof. Let g = Aa and h = Ab . Eve takes an arbitrary element v in the vector space of dimension d on which SL(d, q) acts. We use the same basis used for the representation of SL(d, q). Then v = (v1, v2, . . . , vd) where

.

Let . She pretends that A and Aa is a public key. Sends that information to the oracle. Then asks the oracle to decrypt (h, c). Oracle sends back to Eve, h −a c. Eve knowing v, computes the i th column of A−ab from h −a c. In d tries Aab is found. This solves the DiffieHellman problem.

SECURITY OF THE PROPOSED ELGAMAL CRYPTOSYSTEM This paper is primarily focused on the discrete logarithm problem in the automorphism group of a vector space over a finite field. There are two kinds of attack on the discrete logarithm problem. •

The “so called” generic attacks, like the Pollard’s rho algorithm. These attacks use a black box group algorithm. The time complexity of these algorithms is about the same as the squareroot of the size of the group. • The other one is an index calculus attack. These attacks do not work in any group. Black box group algorithms work in any group, hence they will work in SC(d, q) as well. The most efficient way to a use black box attack on the discrete logarithm problem, is to use the Pohlig-Hellman algorithm [15, Section 6.2.3] first. This reduces the discrete logarithm problem to the prime divisors of the order of the element (the base for the discrete logarithm) and then use the Chinese remainder theorem to construct a solution for the

Number Theory with Applications to Cryptography

224

original discrete logarithm problem. One can use the Pollard’s rho algorithm to solve the discrete logarithm problem in the prime divisors. So the whole process can be summarized as follows: the security of the discrete logarithm against generic attacks, is the security of the discrete logarithm in the largest prime divisor of the order. We cannot prevent these attacks. These generic attacks are of exponential time complexity and are not of much concern. The biggest threat to any cryptosystem using the discrete logarithm problem is a subexponential attack like the index calculus attack [12]. It is often argued [6, 13] that there is no index calculus algorithm for most elliptic curve cryptosystems that has subexponential time complexity. This fact is often used to promote elliptic curve cryptosystem over a finite field cryptosystem [6]. So, the best we can hope from the discrete logarithm problem in SC(d, q) is, there is no index calculus attack or the index calculus attack becomes exponential. The expected asymptotic complexity of the index calculus algorithm in is where c is a constant, see [12] and [6, Section 4]. If the degree of the extension, k, is greater than log2 q then the asymptotic time complexity of the index calculus algorithm becomes exponential. In our case this means, if d > log2 q, the asymptotic complexity of the index calculus algorithm on circulant matrices of size d becomes exponential in log q. On the other hand, in the proposed cryptosystem, encryption and decryption works in

and breaking the cryptosystem depends on solving a discrete

. Implementing the index calculus attack belogarithm problem in comes harder as the field gets bigger.

IS THE ELGAMAL CRYPTOSYSTEM OVER SC(D, Q) REALLY USEFUL? For a circulant matrix over a field of even characteristic, squaring is fast. It is shown [8, Theorem 2.2] that, if . Here π is a permutation of {0, 1, 2, . . . , d − 1}. Now the ais belong to the underlying field of characteristic 2. In this field, squaring is just a cyclic shift using a normal basis [11, Chapter 4]

Are Matrices Useful in Public-Key Cryptography?

225

representation of the field elements. It was shown [8], that if five conditions are satisfied, then the security of the discrete logarithm problem for circulant matrices of size d over .

is the same as the discrete logarithm problem in

The five conditions are: • • •

The circulant matrix should be of determinant 1. The matrix A should have row-sum 1. The integer d is prime.

• The polynomial is irreducible. • q is primitive mod d. In short, the argument for these five conditions are the following: Let A = circ (a0, a1, . . . , ad−1) and let χA be the characteristic polynomial of A. It is easy to see that the row-sum, a0 + a1 + · · · + ad−1, sum of all elements in a row, is constant for a circulant matrix. This row-sum, α is an eigenvalue of A and belongs to . Clearly, α m is an eigenvalue of Am. m This α and α can reduce a part of the discrete logarithm problem in A, to a discrete logarithm problem in the field . If the row-sum is 1, then there is no such issue. This is the reason behind the condition, the row-sum is 1. , where each fi is an irreducible Now assume that polynomial and eis are positive integers2 . Then it follows, the discrete logarithm problem in A, can be reduced to discrete logarithm problems in , for each i. Then one can solve the individual discrete logarithms in extensions of , put those solutions together using the Chinese remainder theorem and solve the discrete logarithm problem in A. The degree of these extensions, the size of which provides us with the better security, is maximized when irreducible.

is irreducible. This is the reason for

The ring of circulant matrices is isomorphic to

is

, moreover

is isomorphic to , where is the d th cyclotomic polynomial. If d is prime and q is primitive modulo d, then the cyclotomic

Number Theory with Applications to Cryptography

226

polynomial Φ(x) is irreducible. In this case, the discrete logarithm problem . in circulant matrices reduce to the discrete logarithm problem in

What are the advantages of using circulant matrices? The advantages of using circulant matrices are: •

Multiplying circulant matrices of size d over

is twice as fast

compared to multiplication in the field of size using optimal normal basis. • Computing the inverse of a circulant matrix is easy. Since any circulant matrix A can be represented as a polynomial of the form f(x) = c0 + c1x + . . . + cd−1x d−1 . This polynomial is invertible, implies that, gcd f(x), xd − 1 = 1. Then one can use the extended Euclid’s algorithm to find the inverse. In our cryptosystem, we need to find that inverse, and it is easily computable We now compare the following three cryptosystems for security and speed. We do not compare the key sizes and the size of the ciphertext, as these can be decided easily. •

The ElGamal cryptosystem using the circulant matrices of size d



over The ElGamal cryptosystem using the group of an elliptic curve



The ElGamal cryptosystem over

ElGamal over

.

vs. the Circulants of Size d Over

circulants are the winner in this case. The circulants provide almost the same security as the ElGamal over the finite field , but multiplication in the circulants is twice as fast compared to the multiplication in the finite field . To understand the difference, we need to understand the standard field multiplication. A field

over

, an extension of degree d, is a

commutative algebra of dimension d over . Let α0, α1, . . . , αd−1 be a basis of Fq d over Fq. Let A := (a0α0 + a1α1 + · · · + ad−1αd−1), B := (b0α0 + b1α1 + · · · + bd−1αd−1) and C := A · B = (c0α0 + c1α1 + · · · + cd−1αd−1) be elements of

.

Are Matrices Useful in Public-Key Cryptography?

227

The objective of multiplication is to find ck for k = 0, 1, . . . ,(d − 1). Now notice that, if

we can define a d × d matrix Tk as . It follows that ck = ATkBt . The number of nonzero entries in the matrix Tk, which is constant over k, is called the complexity of the field multiplication [11, Chapter 5]. The following theorem is well known [11, Theorem 5.1] Theorem 2. For any normal basis N of multiplication is at least 2d – 1.

over

, the complexity of

Note that in an implementation of a field exponentiation, one can use a normal basis to use the square and multiply algorithm In our case, circulants of size d over a finite field

, the situation is

much different. We need a normal basis implementation for . However, to implement multiplication of two circulants, i.e., multiplication in we can use the basis

.

In a very similar way as before, if A := a0 + a1x + . . . + ad−1x d−1 and B := b0 + b1x + . . . bd−1x d−1 then C := A · B = c0 + c1x + . . . + cd−1x d−1 . Our job is to compute ck for k = 0, 1, . . . , d − 1. It follows that (1) It is now clear that the complexity of the multiplication is d. Compare this to the best case situation for the optimal normal basis [11, Chapter 5], in which case it is 2d − 1. So multiplying circulants take about half the time that of finite fields. It is clear that the keysizes will be the same for both these cryptosystems.

The Elliptic Curve ElGamal vs. the Circulants of Size d In this case there is no clear winner. On one hand, take the case of embedding degree. For most elliptic curves the embedding degree is very large. The

Number Theory with Applications to Cryptography

228

embedding degree, that we refer to as the security advantage, for a circulant is tied up with the size of the matrix. For a matrix of size d, it is d − 1. So with circulants, it is hard to get very large embedding degree, without blowing up the size of the matrix. On the other hand, a very large embedding degree is not always necessary. On the other hand, in elliptic curves, the order of the group is about the same as the size of the field. For 80-bit security, we must take the field to be around 2160, to defend against any square-root algorithms. In the case of circulants, the order of a circulant matrix can be large. This enables us to use smaller field for the same security. In circulants, one can use the extended Euclid’s algorithm to compute the inverse. So, as we said before, we are not in a position to declare a clear winner in this case. However, if the size of the field is important in the implementation, and a moderate embedding degree suffices for security, then circulants are a little ahead in the game. We explain this by some examples in the next section.

An Interesting Comparison We compare an elliptic curve cryptosystem on a non-supersingular curve E( ), where we assume that q is approximately equal to 2160, with circulant . For instance, one can take matrices of size 13 over , the NIST recommended field. Circulant matrices of size 13 provides adequate security, see Table 2. Koblitz et. al. [6, Section 5] has done similar comparison and we borrow heavily from them. The comparison is between these two situations: • •

kP where P in E( ), E is a non-supersingular curve, and k is a 160-bit integer; and Ak , where A is a non-singular circulant matrix of size 13 over a

, again k is a random 160 bit integer. field We count the number of field multiplications necessary and ignore field additions. To compute the number of field multiplications necessary, we count the number of field multiplications in a square-and-multiply algorithm. One would expect that a 160-bit random integer k, will have as many ones as zeros. So to compute kP one expects about 160 elliptic curve doubling and 80 elliptic curve additions. Same is the case with circulant matrices, to compute Ak one would need about 160 squaring and 80 multiplications. Now

Are Matrices Useful in Public-Key Cryptography?

229

squaring is free in circulants, however in elliptic curve doubling and addition requires 1 field inversion and 2 field multiplications in affine coordinates. There are many coordinate systems that one can use for elliptic curves. In this paper, to compare with the elliptic curves, we use the projective coordinates. Bernstein and Lange [1, Table 2.1 and Table 2.2] lists that using the projective coordinates addition needs 12 field multiplication and doubling needs 5 field multiplication. From that we estimate that to compute kP one would need 1760 field multiplications, 160 × 5 from doubling and 80 × 12 from addition. In the case of circulant matrices, squaring is free and so there are 80 multiplications, the total is 80×(13)2 = 13520 field multiplications. However notice that the size of the field is

for circulants compared to

for the elliptic curve. It is easy to see that a field multiplication in the field uses l2 bit operations. So the field operation for circulant will run about 3.35 times faster than that of the elliptic curve. So 13520 circulant multiplications is equivalent to field multiplications for the elliptic curve. So the circulants are slower by a factor of 2.3. However, circulants use smaller fields which is useful for lightweight cryptography. A similar comparison with circulants of size 11 over a field of size 297, reveals that it runs neck-and-neck with elliptic curve. The complexity of multiplication in circulants depend on the size of the matrix. If there are better ways to multiply circulants or a higher extension field is chosen, that can allow us to choose smaller size for circulants and the complexity will come down dramatically. It is clear that the keysize for circulant matrices will be larger than that of the elliptic curve cryptosystem, both satisfying the following: •

Security of 80 bits or more from generic algorithms.



Security from index-calculus comparable to the field i.e., index calculus security of 1000 bits.

,

AN ALGORITHM Recall that C(d, q) is isomorphic to . We now describe an algorithm to find a circulant matrix satisfying the above five conditions. Algorithm 2 (Construct a circulant matrix satisfying five conditions).

230

Number Theory with Applications to Cryptography

Using Magma [2] and Algorithm 2, we were able to compute several circulant matrices over many different fields of characteristic 2. We produce part of that data in Table 1. The row with q is the size of the field extension and the row with d is the size of the circulant matrix over that field extension. To construct the table, we considered all possible field extensions of size q, where q varies from 240 to 2100. For each such extension, we took all the primes, d, from 11 to 50. We then checked and tabulated the ones for which q is primitive modulo d. For every extension q and for all primes d, satisfying the primitivity condition, Algorithm 2 was used and the output matrix was checked for all the five conditions and moreover the order of the matrix A was found to be at least q d−3 . So, if q is primitive modulo d, our algorithm produces the desired matrix A, satisfying all five conditions. The computation was fast on a standard workstation. So now it is clear, that there are a lot of choices for parameters for the ElGamal cryptosystem over circulant matrices. We describe our findings with some arbitrary examples. For more data see Table 2. In the case, q = 2 order of A to be

89

, d = 13, we found the largest prime factor of the

7993364465170792998716337691033251350895453313. The base two logarithm of this prime is 152.5. So even if we use the PohligHellman algorithm to reduce the discrete logarithm in A, to the discrete logarithm problem in the prime factors of the order of A, we still have the security very close to the 80-bit security from generic attacks. The security against the index calculus is the same as in

.

Are Matrices Useful in Public-Key Cryptography?

231

Table 1: Fields from size 240 to 2100 and matrices from size 11 to 50 that satisfy those five conditions

In case of q = 2 39 , d = 29, the largest prime factor of A was 3194753987813988499397428643895659569. The logarithm base 2 of which is about 120. So from generic attack, the security is about 260 or sixty bit security. From index calculus the security is the same as the security of a field of size . In the case of q = 2 45 , d = 29, the largest prime factor of the order of A is 15169173997557864184867895400813639018421 with more than 60 bit security. The security against the index calculus is equivalent to

.

In the case of q = 2 97 , d = 11, the largest prime divisor of A is 509968433928053143130332521088536688309634722937437691410695 7559915561, the logarithm base 2 is 231. Security from generic attacks is 115 bits and from index calculus is equivalent to the field

, i.e., 970 bits security.

In the case of q = 2 43 , d = 29, the largest prime factor of the order is 159713302691448460392468762259991249064928249094411418559813 89550399714935349, the logarithm of that is 253. So this has about 125 bit security from the generic attacks and 1204 bit security from index calculus attack. In the case of q = 2 29 , d = 37, the largest prime factor is 328017025014102923449988663752960080886511412965881, with logarithm 167, i.e., security of more than 80 bits from generic attacks and 1044 bits from index calculus.

232

Number Theory with Applications to Cryptography

Using GAP [5], we created Table 2. In this table, all extensions q, q from 245 to 290 and all primes from 10 to 20 are considered. For those extensions and primes, it was checked if q is primitive mod d. If that was so, then the circulant matrix A was constructed and both the generic and the index calculus security was tabulated. Table 2: Security for q from 245 to 290 and d from 10 to 20

Are Matrices Useful in Public-Key Cryptography?

233

Complexity of Exponentiation of a Circulant Matrix of Size d Let us assume, that the circulant matrix of size d is A and we are raising it to power m, i.e., compute Am. We are using the square and multiply algorithm. We know that squaring of circulants is free, and multiplication of two circulant matrices of size d takes about d2 field multiplications. The number of multiplications in the exponentiation is the same as the number of ones in the binary expansion of m. It is expected that a finite random string of zeros and ones will have about the same number of zeros and ones. So the expected number of ones in the binary expansion of m is . So the expected number of field multiplications required to compute Am is .

Further Research It seems that circulant matrices have some promise in public-key cryptography. Let us finish this article with two questions that I find interesting. •

In this paper, the comparison of speed between circulant matrices and elliptic curves is theoretical. One needs to do an actual implementation to verify our estimates.

Number Theory with Applications to Cryptography

234



What is the situation with orthogonal circulant matrices? Can one get the same security with the orthogonal circulant matrices? This is important in the light that computing the inverse of an orthogonal circulant matrix is straightforward and involves no computation.

Are Matrices Useful in Public-Key Cryptography?

235

REFERENCES 1.

2.

3. 4.

5. 6.

7.

8.

9.

10. 11. 12.

13.

Daniel J. Bernstein and Tanja Lange, Analysis and optimization of elliptic-curve single-scalar multiplication, Proceedings of Fq8, 2013, http://www.hyperelliptic.org/EFD/precomp.pdf. Wieb Bosma, John Cannon, and Catherine Playoust, The Magma algebra system. I. The user language, J. Symbolic Comput. 24 (1997), no. 3-4, 235–265, Computational algebra and number theory (London, 1993). Philip J. Davis, Circulant matrices, Chelsea, 1994. David Freeman, Michael Scott, and Edlyn Teske, A taxonomy of pairing-friendly elliptic curves, Journal of Cryptology 23 (2010), 224– 280. The GAP Group, GAP – Groups, Algorithms, and Programming, Version 4.4.10, 2007. Neal Koblitz, Alfred Menezes, and Scott Vanstone, The state of elliptic curve cryptography, Designs, Codes and Cryptogrpahy 19 (2000), 173–193. C.R. Leedham-Green and E.A. O’Brien, Constructive recongnition of classical groups in odd characteristic, Journal of Algebra 322 (2009), 833–881. Ayan Mahalanobis, The discrete logarithm problem in the group of non-singular circulant matrices, Groups Complexity Cryptology 2 (2010), 83–89. A.J. Menezes, T. Okamoto, and S.A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE transactions on information theory 39 (1993), no. 5, 1639 – 1646. Alfred Menezes and Yi-Hong Wu, The discrete logarithm problem in GL(n, q), Ars Combinatorica 47 (1997), 23–32. Alfred J. Menezes (ed.), Applications of finite fields, Kluwer, 1993. Oliver Schirokauer, Damian Weber, and Thomas Denny, Discrete logarithm: the effectiveness of the index calculus method, Algorithmic number theory (Talence, 1996), LNCS, vol. 1122, 1996, pp. 337–361. Joseph Silverman and Joe Suzuki, Elliptic curve discrete logarithms and the index calculus, Asiacrypt’98 (K. Ohra and D. Pei, eds.), LNCS, vol. 1514, 1998, pp. 110–125.

236

Number Theory with Applications to Cryptography

14. Joseph H. Silverman, Fast multiplication in Finite Fields GF(2n), CHES’99, LNCS, vol. 1717, 1999, pp. 122–134. 15. Douglas Stinson, Cryptography theory and practice, third ed., Chapman & Hall/CRC, 2006.

SECTION V: CONTINUED FRACTIONS

Chapter 16

An Application of Fibonacci Sequence on Continued Fractions

Ali H. Hakami Department of Mathematics, Faculty of Science, Jazan University, Jazan, Postal Code: 45142, Saudi Arabia

ABSTRACT Let F0 = 0, F1 = 1, F2 = 1, . . . be the Fibonacci sequence. Fix . We prove that for almost every x ∈ (0, 1), the pattern 1, 1, . . . , 1 (k-digits) appears in the continued fraction expansion x = [a1, a2, . . .] with frequency .

Keywords: Fibonacci sequence, Fibonacci numbers, continue fractions

Citation: Ali H. Hakami “An application of Fibonacci sequence on continued fractions” International Mathematical Forum, Vol. 10, 2015, no. 2, 69-74. http://dx.doi.org/10.12988/ imf.2015.412207 Copyright © 2014 Ali H. Hakami. This article is distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

240

Number Theory with Applications to Cryptography

INTRODUCTION The Fibonacci sequencea (Fn) is defined by F0 = 0, F1 = 1, and for n > 2, The reader will find an introduction to this well-studied sequence in the books by Koshy [8] and Moll [10]. An expression of the form

where a0, a1, a2, . . . ∈ and a1, a2, . . . > 0 is said to be infinite continued fraction and is denoted concisely by [a0; a1, a2, . . .]. An infinite continued fraction is said to be simple if a0, a1, a2, . . . ∈ . For more detail about of the basic properties of continued fractions and its related by Fibonacci sequence can be found in Jones and Thron [5], Khovanskii [6], Khinchin [7] and Lorentzen and Waadeland [9]. In this paper we are seeking to prove Theorem 1.1 Let F0 = 0, F1 = 1, F2 = 1, . . . be the Fibonacci sequence. Fix . Then for almost every x ∈ (0, 1), the pattern 1, 1, . . . , 1 (k-digits) appears in the continued fraction expansion x = [a1, a2, . . .] with frequency , that is:

We shall devote section 3 to give the proof of Theorem 1. Throughout this work, we assume that the reader has familiarity with some introductory number theory (suggested references see books by Borevich and Shafarevich [1], Hardy and Wright[4], Niven, Zuckerman and Montogomery[11], and Stark[14]), ergodic theory (see for example book by Einsiedler and Ward [2]), analysis and measure theory (see books by Rudin[12,13] and G.B. Folland [3]). Simple facts about concepts of Gauss measure, Gauss map also are needed (see for example ref. Einsiedler and Ward [2])

An Application of Fibonacci Sequence on Continued Fractions

241

BASIC LEMMA To prove Theorem 1.1 we shall need the following lemma Lemma 2.1 Let . For x ∈ Y = (0, 1)\ let a1(x), a2(x), . . . be the digits of its continued fraction expansion. Let Ik ⊂ (0, 1) be the interval

if k is even, and Then a1(x) = a2(x) = · · · = ak(x) = 1 holds if and only if x ∈ Ik.

if k is odd.

The next two lemmas help us to prove Lemma 2.1 and Theorem 1.1 Lemma 2.2 ([2], Theorem 2.30) Let (X, B, µ, T) be a measure-preserving system. If

, then

converges almost everywhere and in , and

to a T-invariant function

If T is ergodic, then

almost everywhere. Lemma 2.3 ([2], Theorem 3.7) The continued fraction map on (0, 1) is ergodic with respect to the Gauss measure µ. Proof of Lemma 2.1. We have , i.e. if and only if the case k = 1.

. Hence a1 = 1 if and only if = I1, and the lemma is proved in

242

Number Theory with Applications to Cryptography

also for k + 1. Hence by induction, the lemma holds for all

.

PROOF OF THEOREM 1.1

(3.1) But here, by Lemma 2.1 and using the fact that T corresponds to left shifting the continued fraction expansion, we have f(T j−1x) = 1 if and only if aj (x) = aj+1(x) = · · · = aj+k−1(x) = 1, and therefore the left hand side of (3.1) equals (3.2) On the other hand, the right hand side is:

An Application of Fibonacci Sequence on Continued Fractions

where in the last step we used the formula

243

(3.3)

To see this formula, since Fk+3 = Fk+2+Fk+1, the statement is equivalent with k = 0, and note also that

. Note that this identity holds for

Hence the claim follows by induction. We have thus proved that for µ-almost all x ∈ Y (equivalently, for Lebesgue almost all x ∈ Y ),) the limit in (3.2) equals the expression in (3.3).

ACKNOWLEDGMENTS

The author is grateful to Jazan University for providing excellent research facilities.

244

Number Theory with Applications to Cryptography

REFERENCES 1. 2.

3. 4. 5.

6.

7.

8.

9.

10.

11. 12. 13. 14.

Z. I. Borevich and I.R. Shafarevich, Number Theory, Vol. 20 in Series on Pure and Applied Mathematics, New York, 1966. M. Einsiedler and T. Ward, Ergodic Theory with a view towards Number Theory, Springer Graduate Text in Mathematics, Vol. 259, SpringerVerlag London Ltd., London, 2011. http://dx.doi. org/10.1007/978-0- 85729-021-2 G. B. Folland, Real Analysis: Modern Techniques and Their Applications, 2nd edn, John Wiley and Sons, 1999. G. H. Hardy and E. M. Wright, An Introduction to the Theory of Numbers, Oxford Science Publications, Clarenden Press, Oxford, 1998 W. B. Jones and W. J. Thron, Continued Fractions. Analytic Theory and Applications, Vol. 11 of Encyclopedia of Mathematics and its Applications. Addison-Wesley Publishing Co., Reading, Mass., 1980. A. N. Khovanskii, The application of continued fractions and their generalizations to problems in approximation theory. Translated by P. Wynn. P. Noordhoff N. V., Groningen, 1963. A. Y. Khinchin, Continued fractions. With a preface by B. V. Gnedenko. Translated from the third (1961) Russian edition. Reprint of the 1964 translation. Dover Publications, Inc., Mineola, Ny, 1997. T. Koshy, Fibonacci and Lucas numbers with applications. Pure and Applied Mathematics, (New York). Wiley-Interscience, New York, 2001. L. Lorentzen and H. Waadeland, Continued fractions with applications, Vol. 3 of Studies in Computational Mathematics. North-Holland Publishing Co., Amsterdam, 1992. V. H. Moll, Number and functions, Student Mathematical Library. American Mathematical Society, Providence, RI, 2012. Special Functions for Undergraduates. I. Niven, H. S. Zuckerman and H. L. Montogomery, An introduction to the Theory of Numbers, John Wiley and Sons, New Yourk, 1991. W. Rudin, Principles of Mathematical Analysis, 3nd edn, McGrawHill, 1976. W. Rudin, Real and Complex Analysis, 3nd edn, McGraw-Hill, 1987. H. M. Stark, An Introduction to Number Theory, Markham Publishing Company, Chicago, 1970.

Chapter 17

On The Quantitative Metric Theory of Continued Fractions in Positive Characteristic

Poj Lertchoosakul1 and Radhakrishnan Nair2 1

Instytut Matematyki, Uniwersytet Gdanski, ul. Wita Stwosza 57, 80-308 Gdansk, Poland

2

Mathematical Sciences, the University of Liverpool, Peach Street, Liverpool L69 7ZL, UK

ABSTRACT Let be the finite field of q elements. An analogue of the regular continued fraction expansion for an element α in the field of formal Laurent series over is given uniquely by

Citation: Lertchoosakul, P., & Nair, R. (2018). “On the Quantitative Metric Theory of Continued Fractions in Positive Characteristic”. Proceedings of the Edinburgh Mathematical Society, 61(1), 283-293. https://doi.org/10.1017/S0013091517000177 Copyright © Edinburgh Mathematical Society 2018. This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http:// creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.

246

Number Theory with Applications to Cryptography

where is a sequence of polynomials with coefficients in such that deg(An(α)) 1 for all n 1. In this paper, we provide quantitative versions of metrical results regarding averages of partial quotients. A sample result we prove is that, given any > 0, we have for almost everywhere α with respect to Haar measure. Keywords: continued fractions, metric theory of numbers

INTRODUCTION Let

denote the finite field of q elements, where q is a power of a prime

p. If Z is an indeterminate, we denote by polynomials in Z with coefficients in respectively. For each P, Q ∈

)−deg(Q) and |0| = 0. The field completion of

[Z] and

(Z) the ring of

and the quotient field of

[Z],

[Z] with Q = 0, define |P/Q| = qdeg(P ((Z−1)) of formal Laurent series is the

(Z) with respect to the valuation |·|. That is,

countably additive Haar measure μ on the Borel subsets of

((Z−1)). In [10,

pp. 65–70], Sprindˇzuk gives a characterization of Haar measure on

((Z−1))

by its value on the balls . n n Indeed, it is shown that the equation μ(B(α; q )) = q completely characterizes Haar measure.

On The Quantitative Metric Theory of Continued Fractions in....

where

is a sequence of polynomials in

247

[Z] with |An| > 1 for

all n 1. Here the sequence (An)n≥0 is uniquely determined by α for α not in (Z). Note that, in the context of continued fractions, we shall often deal with the set

[Z] ∗ = {A ∈

[Z]: |A| > 1}. As in the classical theory, we define

recursively the two sequences of polynomials

by

with the initial conditions P0 = A0, Q0 = 1, P1 = A1A0 + 1 and Q1 = A1. Then we have QnPn−1 − PnQn−1 = (−1)n, and whence Pn and Qn are coprime. In addition, we have Pn/Qn = [A0; A1,...,An]. For a general reference on this subject, the reader should consult [6, 9]. The Gauss map, or the continued fraction map, T on the unit ball B(0; 1) = {a−1Z−1 + a−2Z−2 + ··· : ai ∈

} is defined by

where {anZn + ··· + a0 + a−1Z−1 + ···} = a−1Z−1 + a−2Z−2 + ··· denotes its fractional part. We note that if α = [0; A1(α), A2(α),... ], then we have, for all . It was proved in [7] that the map T is measurepreserving and exact with respect to Haar measure μ. This fact of exactness implies all order of mixing properties and in particular ergodicity. It was shown by Niederreiter [8] that T in fact has a natural extension that is Bernoulli. Of course this implies the exactness of T. See [7, 8] respectively for the statement of the exactness and Bernoulli properties. In this setting, Houndonougbo [4] and Berth´e and Nakada [1] were able to establish, by using Birkhoff’s ergodic theorem, some qualitative metrical results on the averages of partial quotients of continued fraction expansions. For instance, they proved the positive characteristic analogue of Khinchin’s famous result that for almost everywhere α ∈ B(0; 1) with respect to Haar measure.

248

Number Theory with Applications to Cryptography

In this paper, we investigate quantitative versions of metrical results regarding ergodic averages. In particular we find the error term in (1.1) as a function of N. In other words, we shall see how the geometric means of |An(α)| (n = 1,...,N) deviates from the positive characteristic Khinchin’s constant qq/(q−1) for almost everywhere α. This is an extension of work of de Vroedt [2] to the field of formal Laurent series. To deal with the error terms, we need some notation to describe asymptoticity. , Given two real functions f1 and f2 and a positive function g defined on we write f1 = f2 + O(g) if |f1 − f2| < cg for some positive constant c, and we write f1 = f2 + o(g) if limN→∞(f1(N) − f2(N))/g(N)=0.

We now summarize the contents of this paper. In § 2, we state several quantitative metrical results on the behaviour of averages of partial quotients of continued fraction expansions in positive characteristic. In § 3, we describe G´al and Koksma’s method for determining the error term of ergodic averages, and we give some lemmas necessary for proving the quantitative metrical theorems of continued fractions. In § 4, we give the proofs of all the statements that appear in § 2.

QUANTITATIVE METRICAL THEOREMS The proofs of the following statements will be given in § 4. We start with the first two general theorems for calculating the quantitative ergodic averages. Theorem 1. Suppose that F :

Then, given any

is a function such that

> 0, we have

for almost everywhere α ∈ B(0; 1) with respect to Haar measure. Theorem 2. Suppose that H :

Then, given any

> 0, we have

is a function such that

On The Quantitative Metric Theory of Continued Fractions in....

249

for almost everywhere α ∈ B(0; 1) with respect to Haar measure. Theorems 1 and 2 are general results for calculating means. Specializing for instance to the case F(x) = logq x, we establish the quantitative version of the positive characteristic Khinchin’s constant

for almost everywhere α ∈ B(0; 1) with respect to Haar measure, [2, 6]. Results for means other than the geometric mean can be obtained by making different choices of F and H, see [5, pp. 230–232] for more details. The following three theorems can be viewed as corollaries of Theorem 1. We note that they should be compared with Theorems 12–14 of [7] as they sharpen those results when numbers in the literature. Theorem 3. Given any

is considered as the sequence of natural

> 0, we have

for almost everywhere α ∈ B(0; 1) with respect to Haar measure. Theorem 4. Given any A ∈

[Z] ∗ and

> 0, we have

for almost everywhere α ∈ B(0; 1) with respect to Haar measure. Theorem 5. Let k < l be two natural numbers. Given any

> 0, we have

250

Number Theory with Applications to Cryptography

for almost everywhere α ∈ B(0; 1) with respect to Haar measure.

Lemmas

In this section, we collect some results that are necessary for establishing the quantitative metric theory of continued fractions in positive characteristic. To begin with, we introduce G´al and Koksma’s method for determining the error term of ergodic averages. The following lemma appears in [3] in slightly different language. Lemma 6 ([3, Th´eor`eme 3]). Let S be a measurable set. For any nonbe a function defined on S negative integers M and N, let such that (i) ϕ(M, 0; x)=0 for all ; (ii) ϕ(M,N; x) ϕ(M,N’ ; x) + ϕ(M + N’ , N – N’ ; x) for all N.

Suppose that, for all

,

where φ(N)/N is a non-decreasing function. Then, given any

> 0, we have

for almost everywhere x ∈ S. Before proceeding, we give the following two remarks on Lemma 6. First, G´al and Koksma stated their results in the setting where the set S is a measurable subset of a Euclidean space. None of the proofs however in [3] depend on the Euclidean setting. In fact, their result is true more generally. We are interested in the case where S = B(0; 1), for which the result is also true. Second, the function ϕ can be viewed as a generalization of the difference of two functions in a sequence:

On The Quantitative Metric Theory of Continued Fractions in....

251

where property (ii) is just a generalization of the triangle inequality

Particularly, we focus on the case where where

and

is a sequence of functions defined on S; that is,

Next, we introduce the notion of a cylinder in positive characteristic and its fundamental properties. Recall that

.

Let n be a natural number, and let . The cylinder ΔA1,...,An of length n is defined to be the set of all points in B(0; 1) whose continued fraction expansions are of the form [0; A1,...,An,... ]. That is,

We now show how a cylinder can be seen as a ball. This is crucial for calculating the measure of each cylinder. Lemma 7 ([7, Lemma 2]). For all

, we have

From Lemma 7, it follows immediately that μ(ΔA1,...,An ) = |A1 ··· An| −2. We note also that two cylinders ΔA1,...,An and ΔB1,...,Bn are disjoint if and only if

for some

.

The notion of a cylinder is an effective tool because of the following fact. Let A denote the algebra of finite unions of cylinders. Then A generates the Borel σ-algebra of the dynamical system (B(0; 1), B, μ, T). This follows from the fact that the cylinders are clearly Borel sets themselves and that they separate points, that is, if and Δ2 such that α ∈ Δ1 and β ∈ Δ2.

, then there exist disjoint cylinders Δ1

Our final lemma will be useful when we would like to change variables in an integration. This result follows immediately from the fact that the map T is measure-preserving, [7, Lemma 3]. Lemma 8. For all n ∈ N, we have dμ(T −nx)=dμ(x).

252

Number Theory with Applications to Cryptography

PROOFS Proof of Theorem 1. Consider Lemma 6 with S = B(0; 1),

φ(N) = N and p = 2. First we check that this function ϕ satisfies the hypotheses (i) and (ii) of Lemma 6. It is clear by the notation of summation that, for all M 0, we have

Moreover, by the triangle inequality, we have

for all Now the proof is reduced to showing that, for any pair of integers M 0 and N 1, we have

where K is a constant depending only on F(x). Put To calculate P1 and P2, we note that B(0; 1) can be partitioned into a disjoint union of cylinders of length one. Indeed, we have

(4.1) We also know that there are distinct (q − 1)qn cylinders ΔA with |A| = qn and whose measures are μ(ΔA) = q−2n. It now follows that

On The Quantitative Metric Theory of Continued Fractions in....

253

(4.2)

and

(4.3) Working out

we get

By Lemma 8, we can use the change of variables formula to obtain

and

(4.4)

(4.5)

254

Number Theory with Applications to Cryptography

(4.6)

Combining (4.4)–(4.6), we now have

(4.7) We can calculate

By

(4.2)

explicitly as follows

and

(4.8),

we

see

(4.8) that

. Therefore, by (4.7), we arrive at the hypothesis of Lemma 6 that I = O(N), and this completes the proof of Theorem 1. Proof of Theorem 2. The proof is similar to that of Theorem 1, so we shall give only an outline. First of all, we apply Lemma 6 with S = B(0; 1),

On The Quantitative Metric Theory of Continued Fractions in....

255

φ(N) = N and p = 2. Next, by using the same idea of partition as in (4.1), we can calculate

Finally, if we put

then

These observations lead to Theorem 2. To prove Theorems 3–5, we recall the following two elementary identities We focus on the case when x = q−1. Proof of Theorem 3. In view of Theorem 1, consider F(x) = logq x. By (4.2) and (4.3), we have

This completes the proof of Theorem 3. Proof

of

Theorem

4.

Apply

Theorem

1

with

is the characteristic function of a set E. The reason that we use this function is to observe that for almost everywhere α ∈ B(0; 1) with respect to Haar measure. In other words, we have for almost everywhere α ∈ B(0; 1) with respect to Haar measure. By (4.2) and (4.3), we have

256

Number Theory with Applications to Cryptography

This completes the proof of Theorem 4. Proof of Theorem 5. In view of Theorem 1, we consider (4.3), we have

This completes the proof of Theorem 5.

, respectively. By (4.2) and

On The Quantitative Metric Theory of Continued Fractions in....

257

REFERENCES 1.

Berthé, V. and Nakada, H., On continued fraction expansions in positive characteristic: equivalence relations and some metric properties, Expo. Math. 18(4) (2000), 257–284. 2. de Vroedt, C., Metrical problems concerning continued fractions, Compos. Math. 16 (1964), 191–195. 3. Gál, I. S. and Koksma, J. F., Sur l’ordre de grandeur des fonctions sommables, Indag. Math. 12 (1950), 638–653. 4. Houndonougbo, V., Développement en fractions continues et répartititon modulo 1 dans un corps de séries formelles Thése de troisiéme cycle , Université de Bordeaux I, 1979. 5. Iosifescu, M. and Kraaikamp, C., Metrical theory of continued fractions, in Mathematics and its applications, Volume 547, pp. 225–232(Kluwer Academic Publishers, Dordrecht, 2002). 6. Khinchin, A. Ya., Continued fractions (Dover Publications, Mineola, NY, Russian edition, 1997). With a preface by Gnedenko, B. V., Reprint of the 1964 translation. 7. Lertchoosakul, P. and Nair, R., On the metric theory of continued fractions in positive characteristic, Mathematika 60(2) (2014),307– 320. 8. Niederreiter, H., The probabilistic theory of linear complexity, In Advances in cryptology – Eurocrypt 88, Davos 88, Lecture Notes in Computer Science, Volume 330, pp. 195–197 (Springer, Berlin 1988). 9. Schmidt, W. M., On continued fractions and Diophantine approximation in power series fields, Acta Arith. 95(2) (2000), 139–166. 10. Sprindžuk, V. G., Mahler’s problem in metric number theory. Translated from the Russian by Volkmann, B.. Translations of Mathematical Monographs, Volume 25, p. 99 (American Mathematical Society, Providence, RI, 1969).

Chapter 18

Some New Continued Fraction Sequence Convergent to the Somos Quadratic Recurrence Constant

Xu You1, Shouyou Huang2 and Di-Rong Chen3,4 Department of Mathematics and Physics, Beijing Institute of Petrochemical Technology, Beijing, 102617, P.R. China

1

School of Mathematics and Statistics, Hubei Normal University, Huangshi, Hubei 435002, P.R. China

2

Department of Mathematics, Wuhan Textile University, Wuhan, Hubei 430200, P.R. China

3

School of Mathematics and System Science, Beihang University, Beijing, 100191, P.R. China

4

ABSTRACT In this paper, we provide some new continued fraction approximation and inequalities of the Somos quadratic recurrence constant, using its relation with the generalized Euler constant. Citation: Xu You, Shouyou Huang and Di-Rong Chen “Some new continued fraction sequence convergent to the Somos quadratic recurrence constant” Journal of Inequalities and Applications 2016 2016:91. https://doi.org/10.1186/s13660-016-1035-y Copyright © 2016 You et al. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/ by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

260

Number Theory with Applications to Cryptography

Keywords: Somos’ quadratic recurrence constant, generalized Euler constant, continued fraction, multiple-correction method

INTRODUCTION Somos [1] defined the sequence , with g0 = 1 in 1999. Finch [2] proved the asymptotic formula in 2003 as follows:

where the constant σ=1.661687949… is now known as the Somos quadratic recurrence constant. This constant appears in important problems by pure representations,

or integral representations,

see [3, 4, 5]. The generalized-Euler-constant function (1.1) was introduced by Sondow and Hadjicostas [6] and Pilehrood and Pilehrood [7], where γ(1)=0.577215… is the classical Euler constant. Sondow and Hadjicostas [6] also defined the generalized Somos quadratic recurrence constant, by

Since when we set t=2 in (1.2),

(1.2)

(1.3) these functions are closely related to the Somos quadratic recurrence constant σ. Here we denote

Some New Continued Fraction Sequence Convergent to the Somos....

261

(1.4) Recently, many inspiring results of establishing more precise inequalities and more accurate approximations for the Somos quadratic recurrence constant and generalized-Euler-constant function were given. Mortici [8] provided a double inequality of the error estimate by the polynomial approximation. Lu and Song [9] gave sharper bounds. Motivated by this important work, in this paper we will continue our previous work [10, 11, 12, 13] and apply a multiple-correction method to construct some new sharper double inequality of the error estimate for the Somos quadratic recurrence constant. Moreover, we establish sharp bounds for the corresponding error terms. Notation Throughout the paper, the notation Ψ(k;x) means a polynomial of degree k in x with all of its non-zero coefficients positive, which may be different at each occurrence.

ESTIMATING Γ(1/2) In order to deduce some estimates for the σ constant, we evaluate the series

First we need the following intermediary result.

(2.1)

Lemma 1 For every integer positive k, we define

where .

Then for every integer k, we have Proof

(2.2)

262

Number Theory with Applications to Cryptography

Based on our previous work we will apply multiple-correction method and study the double inequality of the error estimate as follows. (Step 1) The initial correction. Because

, we choose

. Then letting the coefficient of x5, x6 of the molecule in the following fractions equal zero, we have

, and

As the molecule in the above fractions has all coefficients negative, we see as a result that f0(x) is strictly decreasing. . Then letting the (Step 2) The first correction. We let coefficient of x6 of the molecule in the following fractions equal zero, we have

and

As

has all coefficients positive, we see as a result that f1(x) is strictly increasing. But f1(∞)=0, so f1(x)0 on [1,∞).

(Step 4) The third correction. Similarly, we let . Then letting the coefficient of x8 of the molecule in the following fractions equal zero, we have c3=

and

we see as a result that f3(x) is strictly increasing. But f3(∞)=0, so f3(x)0 on [1,∞). This finishes the proof of the right-hand inequality in (2.2). This is the end of Lemma 1.

264

Number Theory with Applications to Cryptography

Remark 1 It is worth to point out that Lemma 1 provides some continued fraction inequalities by the multiple-correction method. Similarly, repeating the above approach step by step, we can get more sharp inequalities. But this maybe brings about some computation increase, the details omitted here. By adding inequalities of the form

from k=n+1 to k=∞, we get (2.3) These double inequalities give the error estimate when by

is approximated

So we have the following theorem. Theorem 1 For every positive integer n,

(2.4) Proof The double inequality (2.3) can be equivalently written as

and the conclusion follows if we take into account that

Some New Continued Fraction Sequence Convergent to the Somos....

265

and

This is the end of Theorem 1.

Remark 2 In fact, the upper and lower bounds in (2.4) are sharper than the ones in (2.3) of Mortici [8] and (2.8) of Lu and Song [9] for every positive integer n. From (2.4) we can provide the following result which has a simpler form than (2.4), although it is weaker than (2.4). Corollary 1 For every positive integer n≥1, we have

Proof We take into account that

(2.5)

for n≥1, and

for n≥1. Combining with Theorem 1, the conclusion follows. This is the end of Corollary 1. Combining (1.3) and Corollary 1, we obtain the following estimates for the

266

Number Theory with Applications to Cryptography

Somos quadratic recurrence constant.

Corollary 2 For every positive integer n≥1, we have (2.6)

ESTIMATING Γ(1/3) Mortici [8] and Lu and Song [9] have provided a double inequality for the error estimate of γ(1/3). In order to give the new error estimate for γ(1/3), we need the following intermediary result.

Lemma 2 For every integer positive k, we define (3.1)

Proof Based on our previous work we will apply multiple-correction method to study the double inequality of the error estimate as follows. (Step 1) The initial correction. Because , we choose b0(x

. Then letting the coefficient of x6, x7 of the

molecule in the following fractions equal zero, we have and

we see as a result that g0(x) is strictly increasing.

,

Some New Continued Fraction Sequence Convergent to the Somos....

267

(Step 2) The first correction. We let . Then letting 7 the coefficient of x of the molecule in the following fractions equal to zero, we have

and

As Ψ(6;x) has all coefficients positive, we see as a result that g1(x) is strictly decreasing.

. (Step 3) The second correction. Similarly, we let Then we let the coefficient of x8 of the molecule in the following fractions equal zero, we have

and

we see as a result that g2(x) is strictly increasing.

(Step 4) The third correction. We let . Then letting the coefficient of x9 of the molecule in the following fractions equal zero, we have

and

As Ψ(8;x) has all coefficients positive, we see as a result that g3(x) is strictly

268

Number Theory with Applications to Cryptography

decreasing. But g3(∞)=0, so g3(x)>0 on [1,∞). This finishes the proof of the right-hand inequality in (3.1). (Step

5)

The

fourth

correction.

Similarly,

we

let

. Then letting the coefficient of x of the molecule in the following fractions 10

equal zero, we have

and

we see as a result that g4(x) is strictly increasing. But g4(∞)=0, so g4(x)3. Similarly, repeating the above approach step by step, we can get more sharp inequalities. But this maybe brings about some computation increase, the details omitted here.

ACKNOWLEDGEMENTS This work was supported by the National Natural Science Foundation of China (Grant Nos. 61403034 and 11571267). Computations made in this paper were performed using Mathematica 9.0.

Some New Continued Fraction Sequence Convergent to the Somos....

271

REFERENCES 1. 2. 3.

4.

5. 6.

7. 8. 9. 10. 11. 12.

13.

Somos, M: Several constants related to quadratic recurrences. Unpublished note (1999) Finch, SR: Mathematical Constants. Cambridge University Press, Cambridge (2003) Guillera, J, Sondow, J: Double integrals and infinite products for some classical constants via analytic continuations of Lerch’s transcendent. Ramanujan J. 16(3), 247-270 (2008) Ramanujan, S: Collected Papers of Srinivasa Ramanujan. Edited by Hardy, GH, Aiyar, PVS, Wilson, BM. Am. Math. Soc., Providence (2000) Sloane, NJA: Sequences A052129, A112302, A114124, and A116603 in the On-Line Encyclopedia of Integer Sequences Sondow, J, Hadjicostas, P: The generalized Euler-constant function γ(z)γ(z) and a generalization of Somos’ quadratic recurrence constant. J. . Anal. Appl. 332(1), 292-314 (2007) Pilehrood, KH, Pilehrood, TH: Arithmetical properties of some series with logarithmic coefficients. . Z. 255(1), 117-131 (2007) Mortici, C: Estimating the Somos’ quadratic recurrence constant. J. Number Theory 130, 2650-2657 (2010) Lu, D, Song, Z: Some new continued fraction estimates of the Somos’ quadratic recurrence constant. J. Number Theory 155, 36-45 (2015) Cao, XD, Xu, HM, You, X: Multiple-correction and faster approximation. J. Number Theory 149, 327-350 (2015) Cao, XD: Multiple-correction and continued fraction approximation. J. . Anal. Appl. 424, 1425-1446 (2015) You, X: Some new quicker convergences to Glaisher-Kinkelin’s and Bendersky-Adamchik’s constants. Appl. . Comput. 271, 123-130 (2015) You, X, Chen, D-R: Improved continued fraction sequence convergent to the Somos’ quadratic recurrence constant. J. . Anal. Appl. 436, 513520 (2016)

Chapter 19

Continued Fractions for Some Transcendental Numbers

Andrew N. W. Hone

School of Mathematics, Statistics and Actuarial Science, University of Kent, Canterbury CT2 7NF, UK

ABSTRACT We consider series of the form

where x1=q and the integer sequence (xn) satisfies a certain non-autonomous recurrence of second order, which entails that xn|xn+1 for n≥1. It is shown Citation: Hone, A.N.W. “Continued fractions for some transcendental numbers” Monatsh Math (2017) 182: 33. https://doi.org/10.1007/s00605-015-0844-2 Copyright © The Author(s) 2015. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/ by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

274

Number Theory with Applications to Cryptography

that the terms of the sequence, and multiples of the ratios of successive terms, appear interlaced in the continued fraction expansion of the sum of the series, which is a transcendental number. Keywords: Continued fraction, Non-autonomous recurrence, Transcendental number

INTRODUCTION In recent work [5], we considered the integer sequence (1.1) (sequence A112373 in Sloane’s Online Encyclopedia of Integer Sequences), which is generated from the initial values x0 = x1 = 1 by the nonlinear recurrence relation (1.2) and proved some observations of Hanna, namely that the sum

(1.3) has the continued fraction expansion (1.4) where yj = x j+1/xj ∈

and we use the notation

for continued fractions. Furthermore, we generalized this result by obtaining the explicit continued fraction expansion for the sum of reciprocals (1.3) in the case of a sequence (xn) generated by a nonlinear recurrence of the form

Continued Fractions for Some Transcendental Numbers

275

(1.5) with case F(x) = x + 1.

and F(0) = 1; so (1.2) corresponds to the particular

All of the recurrences (1.5) exhibit the Laurent phenomenon [4], and starting from x0 = x1 = 1 they generate a sequence of positive integers satisfying xn|xn+1. The latter fact means that the sum (1.3) is an Engel series (see Theorem 2.3 in Duverney’s book [3], for instance). The purpose of this note is to present a further generalization of the results in [5], by considering a sum

(1.6) with the terms xn satisfying the recurrence (1.7) for n ≥ 2, where (zn) is a sequence of positive integers, x1 = q, and x2 is specified suitably. Observe that, in contrast to (1.5), the recurrence (1.7) can be viewed as a non-autonomous dynamical system for xn, because the coefficient zn can vary independently (unless it is taken to be G(xn), for some function G). The same argument as used in [5], based on Roth’s theorem, shows the transcendence of any number S defined by a sum of the form (1.6) with such a sequence (xn).

THE MAIN RESULT We start with a rational number written in lowest terms as p/q, and suppose that the continued fraction of this number is given as (2.1) for some k ≥ 0. Note that, in accordance with a comment on p. 230 of [7], there is no loss of generality in assuming that the index of the final coefficient is even. For the convergents we denote numerators and denominators by pn and qn, respectively, and use the correspondence between matrix products and continued fractions, which says that

276

Number Theory with Applications to Cryptography

yielding the determinantal identity

(2.2)

(2.3) Now for a given sequence (zn) of positive integers, we define a new sequence (xn) by where

(2.4)

(2.5) It is clear from (2.4) and (2.5) that (xn) is an increasing sequence of positive integers such that xn|xn+1 for all n ≥ 1; (yn) also consists of positive integers, and is an increasing sequence as well. The recurrence (1.7) for n ≥ 2 follows immediately from (2.4) and (2.5). Theorem 2.1 The partial sums of (1.6) are given by

for all n ≥ 1, where the coefficients appearing after a2k are Proof For n = 1, S1 is just (2.1), and we note that q2k−1 = y0 − 1 and q2k = q = x1. Proceeding by induction, we suppose that q2k+2n−3 = yn−1 − 1 and q2k+2n−2 = xn, and calculate the product

By making use of (2.4) and (2.5), this gives p2k+2n = (xn yn−1zn + 1)p2k+2n−2 + xn p2k+2n−3,

Continued Fractions for Some Transcendental Numbers

277

and

which are the required denominators for the (2k + 2n − 1)th and (2k + 2n)th convergents. Thus we have

From (2.3) and (2.4), the bracketed expression above can be rewritten as

giving

which is the required result. Upon taking the limit n → ∞ we obtain the infinite continued fraction expansion for the sum S, which is clearly irrational. To show that S is transcendental, we need the following growth estimate for xn:

Lemma 2.2 The terms of a sequence defined by (2.4) satisfy

for all n ≥ 3. Proof Since (xn) is an increasing sequence, the recurrence relation (1.7) gives

for n ≥ 2. Hence

, and putting this back into the first

278

Number Theory with Applications to Cryptography

inequality above yields

, as required.

The preceding growth estimate for xn means that S can be well approximated by rational numbers. Theorem 2.3 The sum

is a transcendental number Proof This is the same as the proof of Theorem 4 in [5], which we briefly outline here. Let Pn = p2k+2n−2 and Qn = q2k+2n−2. Approximating the irrational number S by the partial sum Sn = Pn/Qn, then using Lemma 2.2 and a comparison with a geometric sum, gives the upper bound

for any > 0, whenever n is sufficiently large. Roth’s theorem [6] (see also chapter VI in [1]) says that, for an arbitrary fixed κ > 2, an irrational algebraic number α has only finitely many rational approximations P/Q for which ; so S is transcendental. For other examples of transcendental numbers whose continued fraction expansion is explicitly known, see [2] and references therein.

EXAMPLES The autonomous recurrences (1.5) considered in [5], where the polynomial F has positive integer coefficients and F(0) = 1, give an infinite family of examples. In that case, one has p = 1 and x1 = q = 1, so that k = 0, y0 = 1 and zn = (F(xn) − 1)/xn. More generally, one could take zn = G(xn) for any nonvanishing arithmetical function G. In general, it is sufficient to take the initial term in (1.6) lying in the range 0 < p/q ≤ 1, since going outside this range only alters the value of a0. As a particular example, we take

so that k = 1, and q1 = 3 which gives y0 = 2. Hence x1 = 7, x2 = 112, and the

Continued Fractions for Some Transcendental Numbers

279

sequence (xn) continues with The sum S is the transcendental number

with continued fraction expansion [0; 3, 2, 2, 7, 32, 112, 10800, 403200, 17418254400, 1755760043520000,...].

ACKNOWLEDGEMENTS This work is supported by Fellowship EP/M004333/1 from the Engineering and Physical Sciences Research Council. The original inspiration came from Paul Hanna’s observations concerning the nonlinear recurrence sequences described in [5], which were communicated via the Seqfan mailing list. The author is grateful to Jeffrey Shallit for helpful correspondence on related matters.

280

Number Theory with Applications to Cryptography

REFERENCES 1. 2. 3. 4. 5. 6. 7.

Cassels, J.W.S.: An Introduction to Diophantine Approximation. Cambridge University Press, Cambridge (1957) Davison, J.L., Shallit, J.O.: Continued fractions for some alternating series. Monatsh. Math. 111, 119–126 (1991) Duverney, D.: Number Theory: An Elementary Introduction Through Diophantine Problems, World Scientific (2010) Fomin, S., Zelevinsky, A.: The Laurent Phenomenon. Adv. Appl. Math. 28, 119–144 (2002) Hone, A.N.W.: Curious continued fractions, nonlinear recurrences and transcendental numbers. J. Integer Seq. 18 (2015) (Article 15.8.4) Roth, K.F.: Rational approximations to algebraic numbers. Mathematika 2, 1–20 (1955) Shallit, J.O.: Simple continued fractions for some irrational numbers. II. J. Number Theory 14, 228–231 (1982)

INDEX A

B

Absolute value 68, 72, 78 Addition chain (AC) 152, 153 Addition chain problem (ACP) 153 Algebraic coefficients 134, 136, 140 Algebraic surface 58, 85, 87 Algebraic Surface Cryptosystem (ASC) 57 Algorithmic approach 122 Almost isosceles pythagorean triple (AI-PT) 42, 47 Almost isosceles right angled (AIRA) 42 Almost pythagorean triple (APT) 42 Annihilation 136 Arbitrary ciphertext 223 Arbitrary cyclic group 190 Arbitrary integers 15, 17, 19, 20, 21, 22, 23 Arbitrary polynomial 66 Arithmetic equations 192 Asymptotic behavior 107 Asymptotic formula 260 Asymptotic relationship 105

Baby-Step Giant-Step method 198 Bernoulli numbers 94 Bernoulli polynomial 96 Berry-Keating conjecture 92, 93, 96 Bilinear Diffie-Hellman Exponent Problem (BDHEP) 198 Bilinear Diffie-Hellman Inversion Problem (BDHIP) 198 Bilinear Diffie-Hellman Problem (BDHP) 198 Binary method 155, 160, 161, 162, 164, 166 Binomial theorem 108 Biorthogonality 96, 99, 100 Birkhoff’s ergodic theorem 247 Black box group algorithms 223 Borel sets 251 Brent Cycle Detection 175, 176, 180, 181, 182, 183, 184 Brent Cycle Detection Algorithm 175, 176, 180, 181, 182, 183, 184

282

Number Theory with Applications to Cryptography

C Cauchy-Schwarz inequality 9 Cheon’s algorithm 199, 200, 201, 214, 215 Chinese Remainder Theorem 64, 65, 79, 188, 191, 195, 196 Ciphertexts 58, 83 Circulant matrices 217, 218, 221, 222, 224, 225, 226, 228, 229, 230, 233, 234, 235 Classical theory 247 Complete system 25, 26, 27, 28, 30, 31, 32, 35, 36, 37 Complex numbers 107, 108 Computable constant 134, 139 Computable isomorphism 191 Computational number theory 198 Computational problem 198 Computation process 162 Computing modular exponentiation 154, 156, 161 Cost parameter 192 Cryptographic primitive 217 Cryptography 3 Cryptosystem 55, 56, 57, 58, 66, 67, 70, 73, 77, 78, 79, 82, 83, 84, 85, 87, 176 Cubic equation 146, 147, 148, 149 Cyclotomic polynomial 199

D Decryption 176 Decryption process 70, 71, 80 Derivada solution 14, 15, 16, 18, 19, 20, 21 Derivative solution 25, 26, 29, 32, 34, 36, 38 DiffieHellman key exchange protocol 222

DiffieHellman problem 217 Diophantine equation 26, 27, 28, 29, 30, 31, 32, 34, 36 Diophantine problem 56, 57 Dirichlet divisor problem 106 Disaggregation problem 4, 5 Disaggregation process 3, 10 Discrete logarithm 197, 198, 199, 200, 214, 215 Discrete logarithm problem 176, 178 Disjoint union 252

E Eigenvalue differential equation 94, 95 ElGamal cryptosystem 222, 226, 230 ElGamal encryption 188, 189 Elliptic curve 217, 218, 219, 220, 224, 226, 228, 229, 235 Elliptic Curve Cryptography Discrete Logarithm Problem (ECDLP) 175 Elliptic curve cryptosystem (ECC) 152 Elliptic curve discrete logarithm problem 198 Empirical analysis 159 Encryption 176 Encryption scheme 187, 188, 190 Equivalence relation 204, 208 Euclidean Algorithm 193, 196 Euclidean space 250 Euler–Mascheroni constant 105, 106, 114

F Factorization 56, 63, 72

Index

Fibonacci numbers 50 Fibonacci sequence 50, 239, 240 Finite-dimensional nondegenerate matrices 100 Finite field 245, 246 Finite iterative partitioning strategy 156 Former theorem 22 Fractional transform 108 Fraction approximation 259, 270, 271 Fraction expansion 239, 240, 241, 242 Frobenius map 181, 182, 183, 184

G Gamma-function 136 Group theory 202

H Harmonic Maass 134, 135, 136, 139, 141 Hermitian adjoint 97, 98, 100 Hermiticity assumption 100 Heuristic analysis 92, 96 Holomorphic modular form 136, 141 Homomorphism 189 Hyperbola method 106 Hyperbolic case 27 Hyperbolic Laplacian 135

I Ideal decomposition attack 56, 57, 63, 67, 78 Index function 145, 146, 148 Infinite continued fraction 240 Infinite continued fraction expansion 277

283

Integer exponent 19, 22 Integration 251 Introductory number theory 240 Irrational algebraic number 278 Irrational number 278 Isomorphism 205 Isosceles integer solution 42, 47 Iteration function 178, 180

K Khinchin’s constant 248, 249 Knapsack optimization 3 Koblitz curves 180, 181, 182, 183 Koksma’s method 248, 250

L Laurent series 245, 246, 248 Least common multiple (lcm) 14 Legendre symbol 45 Lichtenstein’s result 138 Linear congruence 147 Linear diophantine equation 23 Linear Diophantine equations problem 4 Linear equation system 63, 65 Linear momentum 97 List significant bit (LSB) 155 Logarithm function 146

M MAC (Message authentication code) 61 Measure-preserving system 241 Metaheuristic hybrid methods 160 Minkowski’s convex body theorem 5 Mock theta functions 131, 132, 133, 134, 135, 136, 144 Modified signed digit (MSD) 162

284

Number Theory with Applications to Cryptography

Modular arithmetic 55, 57, 64, 84 Modular equation 6, 7, 8 Most significant bit (MSB) 154 Most significant word (MSW) 155 Multiple-correction method 260, 261, 264, 266, 270 Multiplicative cyclic group 198, 199, 205, 213 Multivariate equation system 61, 74 Mutual opposite form (MOF) 162

N Natural extension 247 Nearly pythagorean triple (NPT) 42 Non-adjacent form (NAF) 152 Non-autonomous recurrence 273 Non-holomorphic part 136, 140, 141 Nonlinear recurrence relation 274 Nonnegative integers 137 Non-singular matrix 219 Non-zero window (NW) 155 Novel algebraic approach 10

O Odd prime number 203 Optimal exponent 106 Orthogonality 96, 99

P Pell polynomial 42, 46 Pell sequence 49, 50 Periodic function 95 Permutation from 190 Petri net problem 4 Plaintext leakage 189 Pollard Rho Algorithm 175, 176, 178, 179, 180, 183, 184 Pollard rho method 198

Polynomial ring 63, 64, 65 Polynomial time 4, 5, 7, 8, 9, 188, 195 Positive integer 26, 27, 28, 30, 31, 32, 34, 36, 38, 120, 123 Prime number 57, 58, 70, 77, 78, 179 Primitive root 146 Private key 223 Probabilistic interpretation 100 Probabilistic polynomial time 57, 77 Public data 188 Public key 188, 189, 190, 196 Public-key cryptography 217, 218, 220, 233, 239 Public key cryptosystems (PKC) 151, 152 Pythagorean equation 14 Pythagorean triple (PT) 41

Q Quadratic equation system 62, 73, 74 Quadratic nonresidue 44 Quadratic residue 122 Quantitative metric theory 250 Quantization condition 98 Quantum theory 100

R Ramanujan’s mock theta function 133 Recovering Algorithm (RA) 67, 69 Relative behaviour 152, 160, 165 Riemann hypothesis 92, 93, 96, 97, 99, 100, 102, 103 Riemann zeta function 105, 107, 114

Index

285

S

T

Section finding problem (SFP) 57 Sliding window method (SWM) 152 Somos quadratic recurrence constant 259, 260, 261, 266 Strong Diffie-Hellman Problem (SDHP) 198 Sturm bound 138 Subexponential time complexity 224

Time complexity 199, 201, 202, 211 Transcendental number 274, 278, 279 Trivial solution 30

V Variable-length non-zero window (VLNW) 155

Z Zeta function 91, 92, 93, 94, 95, 96, 98, 100, 102