# RA1 Modular Arithmetic

## 92 Randomized Algorithms

Now we'll dive into randomized algorithms. Hopefully by the end, you'll appreciate how randomness is a beautiful and powerful algorithmic tool. We'll start with cryptography and look at the amazing RSA cryptosystem, one of the most widely used cryptosystems. It's extremely elegant. Once we learn some of the basic mathematics of modular arithmetic, you'll appreciate the ingenuity of the RSA protocol, and you'll have a basic understanding of how the cryptosystems we use every day, many times a day in fact, actually work. Another beautiful and incredibly useful application of randomized algorithms that we'll study is hashing. We're going to look at a hashing scheme known as Bloom filters. This is a simple scheme that's quite popular in many different fields. We'll look at the mathematics behind it, which involves some basic probability analysis, and then you'll do a programming project to implement and study Bloom filters.

## 93 RSA Lecture Overview

Let me give you an overview of the topics that we're going to study in this lecture. The mathematics of the RSA cryptosystem is very beautiful, and it's fairly simple once you have the right mathematical background. So we're going to start with a short primer on the mathematical topics that we need. The relevant topic is modular arithmetic. Some of you may have seen this before, so it might be a review; for others it's fairly simple to learn. Then one key concept that we need is multiplicative inverses, and what they mean in modular arithmetic. After that we're going to look at Euclid's GCD algorithm, for the greatest common divisor, which is going to be used in the RSA cryptosystem. Next we're going to learn about Fermat's Little Theorem; it's the key tool in the design of the RSA algorithm. At that point we'll be able to detail the RSA algorithm. Finally, we'll look at primality testing: given a number, can we test whether the number is prime or composite? Once we see how to do that using Fermat's Little Theorem, we're going to be able to generate random primes. Generating random primes is a key component of the RSA algorithm. So once we complete that, we'll have completed our discussion of the RSA algorithm. Now let's go ahead and dive into the algorithms related to RSA.

## 94 Huge Integers

Let's look at the context of the RSA algorithm. In cryptography, we're going to work with n-bit numbers X, Y and N, and the number of bits in these numbers is going to be huge: think of n as 1024 or 2048 bits. Normally we think of our arithmetic operations as built into hardware, but that usually restricts our attention to 64 bits or so. Here we're talking about 1000 or 2000 bits. So we have to go back and review how long the basic arithmetic operations take.

## 95 Modular Arithmetic

Now let's take a look at modular arithmetic. This is the basic mathematics that underlies the RSA algorithm, and we're going to see a lot of beautiful mathematics along the way. Let's look at a simple example, X modulo two, where X is an integer. What is X mod two? This is the least significant bit of X. What does the least significant bit of X tell you? It tells you whether X is odd or even. In particular, it's one if X is odd and zero if X is even. Now, what's another way of looking at this least significant bit of X? Well, we can take X divided by two. If X is even then the remainder is going to be zero, because X is a multiple of two, and if X is odd, then the remainder when X is divided by two is going to be one. So we looked at X mod two. Now let's look at X mod N, where N is an arbitrary integer at least one. Recall that X mod two is the remainder when we divide X by two. So X mod N is going to be the remainder when we divide X by N. Finally, let's look at some important notation for modular arithmetic. Suppose we have two numbers X and Y, we look at these two numbers modulo N, and suppose that they're the same mod N. How do we denote that? Well, they're not equal. The two numbers are not equal, but they're congruent, or equivalent, in this world modulo N. So how do we denote that equivalence or congruence? The standard notation is three lines instead of two lines. So this notation means that X and Y are congruent modulo N, which means that when we look at X divided by N and Y divided by N, they have the same remainder, and we denote that by three lines: X is congruent to Y modulo N.

## 96 Example Mod 3

Let's look at a simple example to make sure everybody understands the concept of modular arithmetic. Let's look at numbers modulo three. When you look at a number mod three, there are three possible values: zero, one, or two. Hence, there are three equivalence classes for the numbers modulo three. Now, three mod three is also zero. Same with six, nine, and so on: all the multiples of three. Similarly, four mod three is one. Same with seven, and 10, and so on. Finally, five mod three is two. Same for eight, and 11, and so on. But look, we can also go negative. What is negative three mod three? Well, negative three divided by three is negative one, and the remainder is zero. So negative three mod three is zero. Same for negative six, negative nine, and so on. Now if I look at negative two mod three, then it is one. Why is that? X mod N equals R means that when I divide X by N, I get a remainder of R. What does that mean? That means that there is some multiple of N, so I can take Q copies of N, and I have to add an R, and I end up with X. Now look at negative two mod three. That is one. Why is that? If I look at negative two divided by three, what do I get? I get negative one. So for negative two, I have Q equals negative one, and negative one times three is negative three; negative three plus one is negative two, so R equals one. So the remainder is one, and negative two mod three is one. Similarly, negative five mod three is one, and negative eight mod three is one as well. Finally, negative one mod three is two. Same with negative four mod three, which is two, and negative seven, and so on. So these are the three equivalence classes: all of the numbers negative nine, zero, nine, and so on are the same with respect to modulo three. They're all congruent mod three, and likewise within each of the other two classes.

## 97 Basic Fact Question

Here's a basic fact that we're going to use repeatedly throughout our work. Let's say I have two numbers, x and y, which are congruent mod N. And I have two additional numbers, a and b, which are also congruent mod N. Now, the point is that with respect to mod N, x and y are equivalent and a and b are equivalent. So I can replace one by the other. More precisely, suppose I'm looking at x plus a mod N. Well, x is equivalent to y, so I can replace x by y, and a is equivalent to b, so I can replace a by b. So x plus a mod N is congruent to y plus b mod N. I can replace x by y and a by b. Similarly, if I look at x times a mod N, multiplying instead of adding, then I can do the same replacement operation. So x times a mod N is congruent to y times b mod N. Now let's look at an example to illustrate the usefulness of this basic

## 99 Modular Exp

We've seen the definition of the modulo operation. The basic modular arithmetic operation that we're going to do repeatedly is modular exponentiation. So the setting is that we have n-bit numbers X, Y, and capital N, and our goal is to compute X raised to the power Y modulo N. Now recall, little n, the number of bits, is going to be huge. For example, we might have little n be about a thousand or 2000, in which case these numbers X, Y, and capital N are on the order of two to the thousand or two to the 2000. So we want an efficient algorithm to compute X raised to the power Y mod N. By efficient we mean polynomial in little n, because little n is the size of the input: representing these numbers takes little n bits. So we want polynomial in the input size, which is polynomial in little n. We don't want polynomial in the numbers themselves, because the magnitude of these numbers is exponential in little n. These are huge: if we had a running time which was polynomial in two to the thousand, that would be enormous. There would be no way we could run such an algorithm. So let's look at the time it takes to compute X raised to the power Y mod N. Let's start off with a simple algorithm for computing X to the Y mod N. We start off by computing X mod N; let's call that a1. Then what do we do? We compute X squared mod N. Now X squared, that's going to be a1, which is X mod N, multiplied by X. So we take the previous solution, a1, multiply it by X and then take that mod N. Then for X cubed mod N, we take the previous solution, let's call that a2, and we multiply a2 by X and take it mod N. We keep repeating, and finally for X to the Y, in the last round we take the previous solution, which is aY minus 1, multiply by X and take it mod N. Now, how long does this simple algorithm take? Let's look at one round. What are we doing? Let's look at X cubed here.
So we're taking this number a2, which is an n-bit number because it's at most capital N minus one. So this is an n-bit number, and X is an n-bit number. How long does it take to multiply two n-bit numbers? That's just normal integer arithmetic; it has nothing to do with modular arithmetic. Multiplying two n-bit numbers takes order n squared time, and then we're taking the result mod capital N. How do we do that? We take this order-n-bit number and divide it by this n-bit number and take the remainder. How long does it take to divide two n-bit numbers? That's order n squared time. So this one operation takes order n squared time. How many rounds, how many operations do we have? How many ai's do we have? We have Y of them. How large is Y? Y is little n bits, so Y is at most two to the n. So the total runtime of our algorithm is order n squared time per round, and the number of rounds is on the order of Y, which is at most two to the n. That means the total runtime of the algorithm we just described is n squared times two to the n. It's an exponential time algorithm, exponential in the input size, little n. So this is a terrible algorithm. If little n were even, let's say, about 30, there's no way we could run such an algorithm, and we're going to be looking at a little n which is on the order of about 1000 or 2000. So this is enormous. What do we do better? We use the basic idea of repeated squaring, which you've probably seen many times. Instead of taking the previous answer and multiplying by X, we're going to take the previous answer squared, and that's going to give us the powers of two. Let's go ahead and in detail

## 101 Modular Exp

So in the repeated squaring algorithm, we start off the same. We compute X mod N and let's store the answer as a1. Then we compute X squared mod N. How do we get X squared? Well, a1 is X mod N, so we take a1 squared mod N. So far it's the same as the other algorithm. Now we're going to skip X cubed and go straight to X to the fourth. How do we get X to the fourth? We take the previous solution, let's call it a2, and we square that. a2 is congruent to X squared mod N, so if we take X squared and square it, we get X to the fourth. Let's call that solution a4. Now to compute X to the eighth mod N, we take the previous solution and square that. That gives us X to the fourth squared, which is X to the eighth mod N. And we repeat. What do we end up with? We end up with X raised to the powers of two. Then what do we do? We look at the binary representation of Y, use the appropriate powers of two, and we get X to the Y mod N. Let's look at a specific example to illustrate the idea better.

## 103 Mod Exp Algorithm

Here's the key fact that we're going to use. For even y, when we divide y by two we get an integer. So x to the y is the same as x to the y over two, squared. What happens for odd y? Well, we have to be careful, because when we divide y by two we get a fractional amount. So for odd y, when we want to look at x to the y, let's take out an x, so that we look at x to the y minus one. Now we take y minus one divided by two, which is the same as y over two, floor. So we take y over two and round it down; we drop the fractional part. We raise x to that power and square it, multiply by the extra factor of x, and we get x to the y. Now let's take this simple observation and detail a divide and conquer algorithm for modular exponentiation. The three input parameters x, y, and capital N are all little n-bit integers, and let's assume they are non-negative integers. Our algorithm computes x raised to the power y, mod capital N. This can be a recursive algorithm. So let's start with the base case. The exponent is going to keep going down. The base case corresponds to y equals zero, in which case we're taking x to the zero, which is one. When we take that mod N, that's also one, assuming N is at least one. So let's actually assume here that N is a positive number. Now let's look at the general case. What are we going to do? We're going to compute x to the y over two. If y is odd, then we have to round down. If y is even, we don't have to worry about rounding down, but if we round down it doesn't make any difference. So we recursively call this algorithm with x raised to the power y over two, rounded down, mod capital N. We store that answer in z. Now we check whether y is even, and follow this case, or y is odd, and follow that case.
In the case when y is even, we want to take z, which is x to the y over two, square it, take it mod N, and return the answer. So we return z squared, mod capital N. In the other case, when y is odd, we take z squared, which is the inner term, and multiply by x. So in this case we return x times z squared, mod N. And that's our answer.
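As an added example, not code from the lecture, here are the two algorithms just described side by side: the naive loop that multiplies by X a total of Y times, the recursive divide-and-conquer form from the slide, and an iterative repeated-squaring version that walks the bits of Y. The function names and the operation counters are my own choices; Python's arbitrary-precision integers make the 1000-bit case work without any extra library.

```python
# Added example (not from the lecture): the naive y-multiplication
# algorithm beside the divide-and-conquer repeated-squaring algorithm.
# Function names and the operation counters are my own choices.

def naive_modexp(x: int, y: int, N: int) -> tuple[int, int]:
    """Compute x^y mod N with y successive multiplications.

    Returns (x^y mod N, number of modular multiplications). The count is
    exactly y, so the running time is exponential in the bit-length of y.
    Assumes N >= 1 and y >= 0.
    """
    a = 1 % N            # a_0 = x^0 mod N (the "% N" handles N == 1)
    mults = 0
    for _ in range(y):
        a = (a * x) % N  # a_i = a_{i-1} * x mod N
        mults += 1
    return a, mults


def modexp(x: int, y: int, N: int) -> int:
    """Recursive modular exponentiation as on the lecture slide.

    Base case y == 0 returns 1 mod N. Otherwise compute z = x^(floor(y/2)) mod N
    recursively and return z^2 mod N for even y, or x * z^2 mod N for odd y.
    Assumes N >= 1 and y >= 0.
    """
    if y == 0:
        return 1 % N
    z = modexp(x, y // 2, N)   # floor(y/2): rounding down is harmless for even y
    if y % 2 == 0:
        return (z * z) % N
    return (x * z * z) % N


def modexp_iter(x: int, y: int, N: int) -> tuple[int, int]:
    """Iterative repeated squaring: walks the bits of y from least significant.

    Returns (x^y mod N, number of squaring rounds). The round count equals the
    bit-length of y, i.e. linear in the input size n rather than in y itself.
    """
    result = 1 % N
    base = x % N           # a1 = x mod N; afterwards a2, a4, a8, ...
    rounds = 0
    while y > 0:
        if y & 1:          # this power of two appears in the binary form of y
            result = (result * base) % N
        base = (base * base) % N
        y >>= 1
        rounds += 1
    return result, rounds


if __name__ == "__main__":
    # The squaring versions handle large exponents easily; the naive loop
    # would need y multiplications, so it is only run with a small y here.
    x, y, N = 123456789, 987654321, 1000000007   # constructed sample values
    print(modexp(x, y, N), modexp_iter(x, y, N))
    print(naive_modexp(2, 10, 1000), modexp(2, 10, 1000))
```

For y = 2^20 the iterative version performs 21 squaring rounds while the naive loop would need about a million multiplications; at the 1000-bit sizes the lecture has in mind, only the squaring versions finish at all.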

## 104 Multiplicative Inverse

A key concept that we're going to need for the RSA algorithm is multiplicative inverses. The concept is a bit subtle in modular arithmetic, so let's go back and look at the normal real numbers and see what multiplicative inverses mean there. If we take the number three, what's its multiplicative inverse? It's one third. And if we look at three times one third, what do we get? We get one. In general, for a number a, its multiplicative inverse is one over a, and when we multiply those two together we get one. Now we're going to have a number z and we want to look at its inverse mod N. So we want to know what one over z mod N is. We're going to define it as the number such that when we do z times one over z we get back one. So our definition of the inverse of z mod N is a number x such that x times z is one mod N. In this case x is the inverse; it's one over z mod N. The notation is that x is z to the negative one, the same as one over z. So x is z to the negative one mod N; x is the multiplicative inverse of z mod N. Notice also that if x is the inverse of z mod N, then z is the inverse of x mod N, because x times z is one mod N. So x is the inverse of z and z is the inverse of x mod N. Now let's go ahead and look at a specific example to make sure this notion of multiplicative inverse modulo N makes sense.

## 105 Inverse Example

So, let's take the example where capital N is 14, and let's look at the inverses of the numbers one through 13, mod N. Starting with X equals one: what is the inverse of one mod 14? What is the number such that one times that number is one mod 14? Well, one times itself is one. So the inverse of one is one itself. It's a self-inverse, and that's always the case: one is always its own inverse. Let's do a non-trivial case, X equals two. What's the inverse of two mod 14? What number times two is congruent to one mod 14? Actually, there is no number for which that's the case. So the inverse of two mod 14 does not exist. Let's try X equals three. What's the inverse of three mod 14? Notice three times five is 15, which is one mod 14. So the inverse of three is five, and the inverse of five is three mod 14. What about X equals four? What's the inverse of four mod 14? Once again, just like the case of X equals two, it doesn't exist. What about X equals five? We already solved that; its inverse is three. How about six, seven and eight? Actually, none of those have an inverse mod 14. What about nine? What's the inverse of nine mod 14? It's 11, because nine times 11 is 99 and 14 times seven is 98. So nine times 11 is one mod 14. The last one is 13. What's the inverse of 13 mod 14? It turns out to be a self-inverse: it's 13 itself. 13 times 13 is one mod 14. In all the other cases the inverse doesn't exist. When exactly does the inverse exist or not? What is the key fact about when the inverse exists? Look at two, four and six. Those are all even numbers, and 14 is an even number. So they all have the common divisor two. What about seven? Seven is not even, but it shares a common divisor with 14, namely seven. So that's the key property: if they share a common divisor, then there is no inverse. But if they have no common divisor, in which case they feel like primes relative to each other, then there is an inverse.
So one, three, five, nine, 11 and 13 have no common divisor with 14.

## 106 Inverse Existence

So when exactly do multiplicative inverses exist or not? The general theorem is that X inverse mod N exists if and only if X and N have no common divisor, so their greatest common divisor is one. GCD stands for greatest common divisor. If they're both even, then two is a divisor of both, so the GCD is at least two; it might be bigger, but it's at least two. Now some terminology: when the GCD of X and N is one, so they have no common divisor, we say that X and N are relatively prime with respect to each other. They feel like primes to each other. For instance, 9 and 14: neither one is prime, but with respect to each other they have no common divisors, so they feel like primes to each other. So the theorem says that if these numbers are relatively prime to each other, then there is an inverse, but if they have a common divisor, then there is no inverse. Let's look at why this theorem holds, but before we get into it, let's look at some basic properties of inverses.

## 107 Inverse Terminology

Suppose that X has an inverse mod N. So X inverse mod N exists. Let's prove that this inverse, if it exists, is unique. What exactly do we mean by unique? Well, let's consider a specific example. Here's a simple one: X equals three and N equals 11. What's the inverse of three mod 11? Well, these numbers are quite small, so it's easy to figure out that the inverse of three mod 11 is four, because three times four is 12, which is one mod 11. Now, if we look at four mod 11, there are an infinite number of equivalent numbers. For example, 15, 26, and so on are all congruent to four mod 11. We can also look at negative numbers: negative seven is congruent to four mod 11. There are an infinite number of such numbers which are equivalent to four mod 11. All of these numbers are inverses of X mod N, but for concreteness we'll always report the inverse of X mod N as the smallest non-negative integer. So we report it as the integer between zero and N minus one, if the inverse of X mod N exists. And if the inverse of X mod N does not exist, we simply report "does not exist". Later in this lecture, you'll see how to find the multiplicative inverse if it exists. To do that, we'll use the extended Euclid algorithm. In that case, the algorithm will often return a negative number, and then we'll have to do a simple calculation in order to convert it to an integer between zero and N minus one.

## 108 Inverse Unique

Now, let's go back to our original question. Suppose X inverse mod N exists; how many such inverses can there be? In this example, three has an inverse mod 11, and four is one such inverse. Are there any other inverses? Looking at integers between zero and 10, it's easy to check that four is the only integer between 0 and 10 which is an inverse of three mod 11. What we want to prove now is that if X has an inverse mod N, then there is a unique such inverse. So there is only one such inverse. Let's prove now that if the inverse exists, it's a unique choice: there's a unique number between zero and N minus one which is an inverse of X mod N. How are we going to prove this? Let's prove it by contradiction. So let's suppose that X mod N has two inverses, and then let's show a contradiction. Suppose that Z is an inverse of X mod N, and suppose that Y is also an inverse of X mod N, and let's suppose that these numbers Y and Z are different. What do we mean by different? We mean they are different mod N. So we're assuming that Y and Z are different mod N. This means that if we think of Y and Z as numbers between zero and N minus one, Y and Z are different. For this small example, for these small numbers, it's easy to verify that three cannot have multiple inverses mod 11. We want to prove, in general, that if a number X has an inverse mod N, then that inverse is unique. So we're assuming that there are multiple inverses of X mod N, and we're denoting two of them Y and Z. Now we're going to derive a contradiction. Z is an inverse of X mod N, so what does that mean? That means that if we look at the product of X and Z, that's congruent to one mod N. That's the definition of an inverse. Similarly, for Y, we know that X times Y is also congruent to one mod N. Therefore, X times Y is congruent to X times Z mod N. Now, we know that the inverse of X mod N exists. Actually, we're supposing that there are multiple such inverses.
Anyway, take one of those inverses and multiply both sides of this equation by that inverse. So multiply the left side and the right side by X inverse. What do you get? Well, X inverse times X is one on both sides, so we can cancel those terms. And what are we left with? We are left with Y and Z. So the left-hand side simplifies to Y and the right-hand side simplifies to Z, and we conclude that Y is congruent to Z mod N. But our assumption earlier was that Y is not congruent to Z mod N, that these are different numbers between zero and N minus one. Therefore, we have derived our contradiction, and thus our assumption that there are multiple inverses of X mod N is not true. So, if the inverse of X mod N exists, it's a unique such inverse. It's unique when we look at these numbers between zero and N minus one. Later, we're going to prove that if X and N are relatively prime, so the GCD of X and N is one, then the inverse of X mod N exists. How are we going to prove that? We're going to prove that this inverse exists by finding it. We're going to show an algorithm, the extended Euclid algorithm, to find the inverse when the GCD of X and N is one. But on the next slide, we'll prove that if X and N have a common factor, so the GCD of X and N is greater than one, then the inverse of X mod N does not exist.
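As an added example, not code from the lecture, the following block makes the last few sections concrete: it spells out the remainder convention of the mod-three example (Section 96) so that negative inputs come out in the range zero to N minus one, builds the inverse table mod 14 by brute force (Section 105), and checks the existence theorem (Section 106) and the uniqueness claim just proved (Section 108) over a range of moduli. Function names are my own, and `math.gcd` stands in for Euclid's algorithm, which comes later in the lecture.

```python
# Added example (not from the lecture): the remainder convention of Section 96,
# a brute-force inverse table mod 14 matching Section 105, and checks of the
# existence theorem (Section 106) and uniqueness (Section 108). Function names
# are my own; math.gcd stands in for Euclid's algorithm here.
from math import gcd


def remainder(x: int, N: int) -> int:
    """x mod N as the lecture defines it: the r in [0, N-1] with x = q*N + r.

    Python's % already rounds the quotient toward minus infinity and so agrees
    with the lecture (-2 mod 3 == 1); a C-style truncating remainder would give
    -2 instead. The floor is computed explicitly so the definition does not
    depend on any one language's % operator.
    """
    q = x // N if x >= 0 else -((-x + N - 1) // N)   # floor(x / N)
    return x - q * N


def inverses_of(x: int, N: int) -> list[int]:
    """Every z in [0, N-1] with x * z congruent to 1 (mod N), by brute force."""
    return [z for z in range(N) if (x * z) % N == 1 % N]


def inverse_mod(x: int, N: int):
    """The inverse of x mod N reported as the integer in [0, N-1], or None."""
    found = inverses_of(x, N)
    return found[0] if found else None


def inverse_table(N: int) -> dict:
    """Inverse (or None for 'does not exist') of each x in 1..N-1."""
    return {x: inverse_mod(x, N) for x in range(1, N)}


def existence_matches_gcd(N: int) -> bool:
    """Theorem check: x has an inverse mod N exactly when gcd(x, N) == 1."""
    return all((inverse_mod(x, N) is not None) == (gcd(x, N) == 1)
               for x in range(1, N))


def max_inverse_count(N: int) -> int:
    """Uniqueness check: no x should have two different inverses in [0, N-1]."""
    return max(len(inverses_of(x, N)) for x in range(1, N))


if __name__ == "__main__":
    for x, inv in inverse_table(14).items():
        print(x, "->", inv if inv is not None else "does not exist")
    print(remainder(-2, 3), remainder(-7, 11))   # 1 and 4, as in the lecture
```

The brute-force search is only a teaching device: it costs N multiplications, which is hopeless for a 1024-bit modulus. The lecture's extended Euclid algorithm finds the same inverse in time polynomial in the bit-length, and it is the brute-force table here that lets you confirm that algorithm's output on small cases.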

## 109 Inverse Non existence

Let's look at the case when multiplicative inverses do not exist. Why don't they exist? This is the case where X and N have a common divisor, so their GCD is strictly greater than one, in which case the theorem says that the inverse of X mod N does not exist. Let's take a look at why that happens. Let me give you the intuition for the proof, doing the simple case where X and N are both even, so they have the common divisor two. If you understand this case, then you can understand the general case. Suppose X did have an inverse mod N; let's call it Z. What does that mean? It means that X times Z is congruent to one mod N. So how can XZ be congruent to one mod N? It means XZ is either N+1, or it might be 2N+1 or 3N+1. In general, it's some multiple of N, plus one. So it's QN+1 for an integer Q. Now X we assumed was even. So what is X times Z? An even number times any other integer is going to be an even number, because it still has two as a divisor. So XZ is even because X is even. Now N is even. So what about Q times N? That's going to be even as well, for the same reason. So XZ is even and QN is even. What about QN+1? We take an even number plus one and we get an odd number. So this side is an odd number and this side is an even number. How can they be equal? They can't. So that's our contradiction. Therefore, there is no inverse of X mod N. Similarly, if X and N share any common divisor, a similar proof explains why the inverse does not exist. Now the interesting case is when they are relatively prime to each other, so their greatest common divisor is one; they have no common divisors except for one. Then the inverse exists. Why is that the case? Can we prove why the inverse exists? We'll prove it exists by actually giving an algorithm for finding it. We'll find it, and by finding it we prove its existence. What is the algorithm we're going to use for finding it?
Some of you might have seen Euclid's algorithm before for computing the greatest common divisor. Even if we only want to check whether the inverse exists or not, we have to compute the GCD of X and N and check whether they're relatively prime to each other. These are big numbers, so it's not easy to just eyeball them and check. We have to run an algorithm to compute the greatest common divisor and see whether it's one or not. The algorithm for that is Euclid's algorithm, which is a very simple recursive algorithm that we're going to see in a moment. Then a slight modification of Euclid's algorithm is the extended Euclidean algorithm. That extended Euclidean algorithm will give us the greatest common divisor of X and N, and if the greatest common divisor is one, it will give us the inverse of X mod N. And therefore, that will prove the existence of the inverse of X mod N. So let's go ahead and dive into Euclid's algorithm and the extended version of the algorithm to find the inverse.

## 110 GCD Euclids Rule

Before diving into Euclid's algorithm, let's look at the basic fact called Euclid's rule, which is the basis for Euclid's recursive algorithm. Let's take integers X and Y, and we want to compute the GCD of X and Y. Let's assume for simplicity that X is at least Y, and let's assume that Y is greater than zero. Then the basic fact is that the greatest common divisor of X and Y is the same as the greatest common divisor of X mod Y and Y. Notice these are now in reverse order, because Y is going to be larger than X mod Y. So if we want to compute the GCD of X and Y, then given this fact we can compute the GCD of X mod Y with Y, and that's going to be the basis of our recursive algorithm. But let's first see why this is true. Here's the basic proof idea. The proof relies on the following simple fact: the GCD of X and Y is equal to the GCD of X minus Y and Y. Let's call this star. Notice that if we apply star repeatedly, we get the theorem statement, that the GCD of X and Y is equal to the GCD of X mod Y and Y. How do we get X mod Y? We get X mod Y by taking X and subtracting off Y repeatedly, let's say Q times. So we take off as many Y's as we can from X, and the remainder is X mod Y. We keep subtracting Y, and Y, and Y again, until we're left with a number smaller than Y. So we keep applying this X minus Y: we take X, then X minus Y, then that minus Y, minus Y, minus Y again, Q times, and we end up with X mod Y. So if we prove this fact star, that implies the theorem statement. It suffices to prove star, and star is a bit simpler than the theorem statement. So why is star true? You can think of this as an if and only if: if a number D divides X and Y then it divides X minus Y and Y, and if the number D divides X minus Y and Y then it divides X and Y. So any divisor of the first pair is a divisor of the second pair,
and any divisor of the second pair is a divisor of the first pair. If we prove that, we're done. Let's do the forward direction first. If D divides X and Y, then clearly it divides Y, and D divides X minus Y as well: if it divides X and Y, then it obviously divides X minus Y, because you can factor out D from X and from Y, so you can factor it out of X minus Y. That gives one direction, the forward direction. What about the reverse direction? If D divides X minus Y and Y, then D divides X as well, because X is just the sum of X minus Y and Y. If D divides both of these, then it divides their sum. That gives us the reverse direction. Therefore the two pairs have all their divisors in common, so the greatest divisor is also in common. That proves this statement star, which implies Euclid's rule. Here is Euclid's rule again: the GCD of X and Y is the same as the GCD of X mod Y and Y. Now, let's use that basic fact to design a recursive algorithm for computing the GCD. It's called Euclid's algorithm.

## 111 GCD Euclids Algorithm

What we just saw is the following fact, known as Euclid's rule: the gcd of x and y is the same as the gcd of x mod y and y. This leads to a natural recursive algorithm, which we'll now detail. Here's Euclid's GCD algorithm. The inputs to the algorithm are two integers, x and y. We'll assume these input parameters are ordered so that x is at least y and that both of these integers are non-negative. The output of the algorithm is the gcd of x and y. This is a recursive algorithm, so let's start with the base case. The base case will be when y, the smaller parameter, is equal to zero. When y equals zero, so we're looking at the gcd of x and zero, we're going to return x as the gcd. Now, to be honest, this case actually is confusing to me. So we'll go back and discuss this in a little bit more detail afterwards. In the general case, we're just going to apply Euclid's rule. Euclid's rule tells us that the gcd of x and y is the same as the gcd of x mod y and y. So we're going to return the recursive call of Euclid's algorithm on y and x mod y. We flip the order of these two parameters in order to maintain the fact that the first parameter is at least the second parameter. That completes the pseudocode of the algorithm. Let's go back and look at the base case a little.

## 112 GCD Base Case

In the base case of our algorithm, Y equals zero. So we're looking at the GCD of X and zero. What are the divisors of zero? This is a case where we should define it in an appropriate way. What is a reasonable manner of defining the divisors of zero? Well, how do we get to this case? We got to this case by taking the GCD of some multiple of X with X. Look at what happens when we do the recursive call on that: we're going to take kX mod X, and that's going to be zero. So the second parameter is going to be zero and the first parameter will be the old second parameter, X. Now, what is the GCD of kX and X? This is clearly X, since the first parameter is a multiple of X. So this is why we define the GCD of X and zero to be equal to X.

## 113 GCD Running Time

Let's take a look at the running time of Euclid's algorithm. The only non-trivial step in each round is computing X mod Y. How long does that take to compute? Well, that involves dividing X by Y, which takes order N squared time, where N is the number of bits. So the time is order N squared per round. How many rounds or recursive calls do we have in this algorithm though? Here's the key lemma for figuring out the number of rounds. If X is at least Y, which is the case for our algorithm since the first parameter is always at least the second parameter, then X mod Y, which is the second parameter in our recursive call and the only parameter which is changing, is strictly less than X over two. So the one parameter which is changing goes down by a factor of at least two. So let's take a look at the algorithm. Let's say we have a call with X and Y, then the recursive call is going to be on Y and X mod Y. What happens in our next recursive call? Well, this second parameter is going to become the first parameter. So we get X mod Y as the first parameter. What's the second parameter? The second parameter is Y mod (X mod Y). Okay, it's a little bit hard to write. Let's skip it. It's not important. What does this lemma tell us? It tells us that this X mod Y, which is right here, is strictly less than X over two. So notice, after two rounds of the algorithm, what happens to the first parameter? It went down by at least a factor of two. So how many rounds does the algorithm have? It's going to have at most two N rounds. Why? Because every other round we've shown the first parameter goes down by a factor of at least two. Since we have order N rounds and we have order N squared time per round, the total running time is order N cubed. So we've established the running time of the algorithm modulo this lemma. Let's go ahead and prove this lemma, which is quite straightforward to prove. Once we break it up into the appropriate cases the proof will be almost immediate.
We're going to break it up based on the size of Y: either Y is small and then X mod Y is immediately small, or Y is big and then we'll figure out another reason why X mod Y is small. So let's first take the case where Y is small. Let's say Y is at most X over two. What do we know about X mod Y? How big can it be? The largest it can be is Y minus one, which is smaller than Y. What do we know about Y? Y is at most X over two. So what have we shown? We've shown that X mod Y is strictly smaller than X over 2, which is what we're trying to prove. Now let's take the case where Y is big. Y is strictly greater than X over 2. What do we know about X divided by Y? Well, Y goes into X at most one time. So this is one. So what does that imply about X mod Y? In order to get the remainder when we do X divided by Y, we just have to subtract off Y one time from X. So X mod Y is equal to X minus Y. Well, we know that Y is strictly greater than X over 2, so X minus Y is strictly smaller than X minus X over 2, because Y is strictly bigger than X over 2. And this is clearly at most X over 2. And that's what we're trying to prove. We've proved that X mod Y is strictly smaller than X over 2, which is what we're trying to prove in the lemma. That completes the proof of the lemma, and therefore we've shown that the running time of Euclid's algorithm is order N cubed time.
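Here is Euclid's algorithm as just described, with the base case gcd(x, 0) = x, plus an instrumented version that counts rounds and checks the lemma x mod y < x/2 on every round. This is an added example, not the lecture's own code; the sample inputs (including a pair of consecutive Fibonacci numbers, the classic slowest case) are constructed.

```python
def euclid_gcd(x: int, y: int) -> int:
    """gcd(x, y) for integers x >= y >= 0, exactly as in the lecture."""
    if y == 0:                      # base case: gcd(x, 0) = x
        return x
    # Euclid's rule: gcd(x, y) = gcd(y, x mod y); the swap keeps first >= second
    return euclid_gcd(y, x % y)


def euclid_rounds(x: int, y: int) -> tuple:
    """Iterative Euclid returning (gcd, number of rounds).

    On every round it checks the lemma from the lecture: for x >= y > 0,
    x mod y < x / 2. That is why the first parameter at least halves every
    two rounds, giving at most 2n rounds for n-bit inputs.
    """
    if x < y or y < 0:
        raise ValueError("precondition: x >= y >= 0")
    rounds = 0
    while y != 0:
        r = x % y
        assert 2 * r < x, "lemma x mod y < x/2 violated"   # constructed check
        x, y = y, r                 # next call is on (y, x mod y)
        rounds += 1
    return x, rounds


def rounds_bound_holds(x: int, y: int) -> bool:
    """Check the lecture's bound: rounds <= 2 * (number of bits of x)."""
    _, rounds = euclid_rounds(x, y)
    return rounds <= 2 * x.bit_length()


if __name__ == "__main__":
    # Constructed sample inputs.
    print(euclid_gcd(48, 18))                 # 6
    print(euclid_rounds(48, 18))              # (6, 3)
    # F(30) = 832040 and F(29) = 514229: each round drops to the next
    # Fibonacci pair, so the algorithm takes 28 rounds on 20-bit input.
    print(euclid_rounds(832040, 514229))      # (1, 28)
    print(rounds_bound_holds(832040, 514229)) # True
```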

## 114 Computing Inverses

Now, let's look at how we compute inverses. To do this, we're going to use the extension of Euclid's algorithm called the Extended Euclidean Algorithm. Euclid's algorithm takes as input two parameters x and y. And the same will be true for the Extended Euclidean Algorithm. These parameters x and y are integers, and we assume that these parameters are ordered, so that x is at least y and both of these are non-negative. Now, here's the difference: the output of the algorithm here is three parameters: d, alpha and beta. These are integers. Now d is the gcd of x and y. So, if we just pay attention to the first parameter d, this will behave just as in Euclid's algorithm. Now, what are these additional parameters alpha and beta? Well, these parameters alpha and beta satisfy the following relation. d is guaranteed to equal x times alpha plus y times beta. Well, this is a bit mysterious, why do I want an alpha and beta which satisfy this relation? Let's look at why it's useful to have an alpha and beta satisfying this relation. Recall, our goal is to compute inverses. We're going to be in a setting where we're going to run extended Euclid on x and capital N. We're trying to compute the inverse of x mod N. First off, do we know that this inverse exists? Well, we have to look at the gcd of x and N, to see whether the inverse exists. We need them to be relatively prime. We need that the gcd of x and N is 1, and then the inverse exists. Well, when we run the extended Euclid algorithm, d, the first parameter, gives us the gcd of x and y. In this case it's x and N, so if d equals 1 then we know the inverse exists. So we're in this scenario where d equals 1, we run extended Euclid on x and N and we get back this alpha and beta which satisfy this relation. So we know that one equals x times alpha plus N times beta. Now from this alpha or this beta, can we figure out the inverse of x mod N?
Well, this relation is true, so now if we take mod N of both sides, then the relation will still be true. So, now we have that 1 is congruent to x alpha plus N times beta mod N. Now can we simplify this? Yeah, look at the second term here on the right hand side. This is N times beta. This is a multiple of N, therefore it's zero mod N. So, we are going to replace N times beta by zero. So, that goes away and what are we left with? We're left with one is congruent to x times alpha mod N. That means that alpha is the inverse of x mod N, because alpha is the integer where x times that integer alpha is congruent to 1 mod N; that's the definition of its inverse. So, we've shown that alpha is the inverse of x mod N, in the case where d, the gcd of the two parameters, is equal to 1. And similarly beta is the inverse of N mod x. So, in the case where these two parameters are relatively prime to each other, so their gcd is 1, so d equals 1, then alpha gives the inverse of x mod y and beta gives the inverse of y mod x.

## 115 Inverses Ext

Let's go ahead and detail the extended Euclid algorithm. Recall, it takes two parameters as input, X and Y, where X is at least Y, and we're going to output three parameters: D, alpha and beta. D is the GCD. So, if we just look at the first parameter, it's going to behave like Euclid's algorithm, and we're also going to output this alpha and this beta, which satisfy this relation. Let's start again with the base case. So, when Y equals zero, what do we return? Well, the first parameter D is the GCD. So, that should be equal to X. Now, we want to find alpha and beta which satisfy the relation, where D in this case is equal to X. So, we want X equals X times alpha plus Y times beta. Well, that's easy to satisfy. We can just say alpha equal to one, and beta equal to zero. That takes care of the base case. Now, for the general case, we're going to use Euclid's rule, which says that the GCD of X and Y is equal to the GCD of Y and X mod Y. So, we recursively call this algorithm on Y and X mod Y. That's going to return three numbers, D, alpha, beta. Let's call them D, alpha prime, beta prime. Now, we're going to have to do a little bit of manipulation of these three parameters, in order to get our output for X and Y. Now, we know the first parameter stays the same. The GCD of these two parameters is the same as the GCD of X and Y. Now, what do we know about alpha prime and beta prime? Well, we know that D equals Y times alpha prime plus X mod Y times beta prime. Now, in order to find an alpha and beta which satisfy this relation for X and Y, we have to do some algebra to manipulate this alpha prime and beta prime. It turns out that it's sufficient to set alpha equal to beta prime, and we set beta equal to alpha prime minus X divided by Y, rounded down, times beta prime. In order to see where this quantity comes from, you have to look at the proof of correctness, which is not too bad, but it's just a bit of algebra.
I'll refer you to the textbook for the details on that proof of correctness. That completes the pseudocode for the extended Euclid algorithm. Finally, what's the running time of this algorithm? Well, notice, in each step the non-trivial operations are X mod Y and there's a little bit of algebra, right here. So, it takes order N squared time per round, and the number of rounds is order N, just like Euclid's algorithm. So the total running time is order N cubed time.
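The extended Euclid algorithm from this section, with the base case (X, 1, 0) and the update alpha = beta', beta = alpha' - floor(X/Y) * beta', used the way the previous section described to compute the inverse of x mod N when the gcd is 1 (and to report that no inverse exists otherwise). This is an added example, not the lecture's or the textbook's code; the sample inputs are constructed, and the comment in the recursive case spells out the algebra the lecture defers to the textbook.

```python
from typing import Optional, Tuple


def ext_euclid(x: int, y: int) -> Tuple[int, int, int]:
    """Return (d, alpha, beta) with d = gcd(x, y) = x*alpha + y*beta.

    Precondition, as in the lecture: x >= y >= 0.
    """
    if y == 0:                      # base case: d = x = x*1 + y*0
        return x, 1, 0
    d, alpha_p, beta_p = ext_euclid(y, x % y)       # Euclid's rule
    # We have d = y*alpha' + (x mod y)*beta' and x mod y = x - (x//y)*y,
    # so d = x*beta' + y*(alpha' - (x//y)*beta'): that gives alpha and beta.
    return d, beta_p, alpha_p - (x // y) * beta_p


def mod_inverse(x: int, n: int) -> Optional[int]:
    """x^{-1} mod n if gcd(x, n) == 1, otherwise None (no inverse exists)."""
    # Order the parameters so the first is at least the second; the
    # coefficient belonging to x is alpha in one order and beta in the other.
    if x >= n:
        d, coeff_x, _ = ext_euclid(x, n)
    else:
        d, _, coeff_x = ext_euclid(n, x)
    if d != 1:
        return None                 # not relatively prime: no inverse
    return coeff_x % n              # the coefficient may be negative


def check_relation(x: int, y: int) -> bool:
    """Verify the output relation d = x*alpha + y*beta for x >= y >= 0."""
    d, alpha, beta = ext_euclid(x, y)
    return d == x * alpha + y * beta


if __name__ == "__main__":
    # Constructed sample inputs.
    print(ext_euclid(35, 12))       # (1, -1, 3): 35*(-1) + 12*3 = 1
    print(mod_inverse(12, 35))      # 3, since 12*3 = 36 = 1 mod 35
    print(mod_inverse(35, 12))      # 11, since 35*11 = 385 = 1 mod 12
    print(mod_inverse(6, 9))        # None, gcd(6, 9) = 3
    print(check_relation(240, 46))  # True
```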

## 117 Mod

Let's recap what we've seen so far. We've seen the modular arithmetic definition, X mod Y. The first non-trivial algorithm that we saw was computing modular exponentiation using the repeated squaring idea. This gave us an algorithm which was polynomial in the number of bits, little n. This modular exponentiation algorithm is gonna be a key component in the RSA algorithm. We're gonna have numbers X, Y and capital N and we're gonna have to compute X raised to the Y mod N. And these numbers X, Y and capital N are all gonna have a huge number of bits. So we're gonna have to compute this modular exponentiation in time polynomial in the number of bits, not in the size of the numbers. So it will be key that we use this fast algorithm that we devised. The other key concept that we looked at was multiplicative inverses. For example, X inverse mod N. What we saw is that this inverse exists if and only if these two numbers are relatively prime. In other words, their GCD is one. How do we check that they're relatively prime? How do we check their GCD? Well, we can compute their GCD using Euclid's algorithm. Now if they are relatively prime, how do we compute the inverse? Well, we saw how to compute the inverse using the extended Euclid algorithm. So those are the key algorithms that we're gonna use in our RSA cryptosystem: Euclid's algorithm, the extended Euclid algorithm and this fast modular exponentiation. Now, we can dive into the RSA cryptosystem.