# Number-theoretic algorithms

## Modular arithmetic

Modular arithmetic refers to arithmetic that is done using the *modulo* operator on the set of integers $\mathbb{Z}$ {cite:p}`dasgupta2008algorithms`. For example we define 


$$
x \bmod N
$$ 

to be equal to the remainder from dividing $x$ by $N$ i.e.

$$
\text{if } x=qN+r \text{ and } 0\leq r < N \text{ so $r$ is not divisible by $N$} \\\text{ then } x \bmod N = r.
$$
Another concept that will be important is congruence, we say $x$ and $y$ are congruent modulo $N$ by writing

$$
x \equiv y\mod N \iff x\bmod N = y\bmod N 
$$

which means $x$ and $y$ have the same remainder when divided by $N$ or equivalently $N$ divides the quantity $x-y$ or also equivalently $x$ and $y$ differ by a multiple of $N$. There are some other useful properties of modular arithmetic for example for addition and multiplication we have

$$
x+(y+z) \equiv (x+y)+z \mod N \qquad \text{Associativity} \\
xy \equiv yx\mod N \qquad \qquad \qquad \text{ Commutativity} \\
x(y+z) \equiv (xy+xz) \mod N \qquad \text{Distributivity} \\
$$

the last useful property we need is the substitution rule

$$
\text{If } x\equiv x' \mod N \quad \text{ and }  \quad y\equiv y' \mod N \quad \text{ then: } \\
(x+y)\equiv (x'+y') \mod N \iff (x+y)\bmod N = (x'+y') \bmod N \\
\text{ and } \\ 
xy \equiv x'y' \mod N \iff (xy) \bmod N = (x'y') \bmod N
$$

```{note}
:class: dropdown
Modular addition has other interesting properties as well that we won't make use of here. For example the set of integers $\{0,1,2,3,...,n-1\}$ together with the operation of addition modulo $n$, i.e. you add any two elements in the set then take the modulo $n$ of the result, form a *group* called the group of integers modulo $n$ and is denoted as $\mathbb{Z}_n$ and this group has the interesting property that any cyclic group of order $n$ is isomorphic to it {cite:p}`pinter2010book`.
```

### Modular addition

Modular addition, or addition modulo $N$, is fairly straightforward. For any, $n$-bit, integers $x$ and $y$ we simply compute 

$$
(x+y) \bmod N.
$$

The time complexity of this operation is linear in the input size, i.e. size of the integers $x,y$ and $N$, since we just need to add each bit in $x$ with each bit in $y$. Note that the input size $n$, the number of bits, is on the order of $\lceil\log_2(N+1)\rceil$ since we need $\lceil\log_2(N+1)\rceil$ bits to represent a base 10 number $N$ in binary.

### Modular multiplication

Modular multiplication, or multiplication modulo $N$, is similar to addition modulo $N$.  For any integers $x$ and $y$ we simply compute 

$$
(xy) \bmod N
$$

### Modular exponentiation

Finally modular exponentiation, or exponentiation modulo $N$, for $x$ raised to $y$ is given by

$$
x^y \bmod N.
$$

However there's a problem here. If we were to compute this by first computing $x^y$ directly we would end up with very large numbers. For example if $x$ and $y$ are 20-bit numbers, and since the smallest 20-bit number is $2^{19}$, then the quantity $x^y$ is *at least* $(2^{19})^{2^{19}}=2^{19(524288)}$ which is huge. Note that when I say "smallest 20-bit number" I mean the smallest number that you need 20-bits to represent. So if $x$ and $y$ are $n$-bit numbers then $x^y$ is in general a $(2^{n-1})^{2^{n-1}}$-bit number. This is not optimal since it would require use to use many more bits in our program than may be necessary which in turn worsens the time & space complexity. Is there a clever way to compute $x^y \bmod N$ while keeping the number of bits need on the same order as the number of bits needed to represent $x,y$ and $N$? 

We could instead try this: first suppose we compute $x \bmod N = z_1$. Now lets compute $x^2 \bmod N$. Can we do this without actually computing $x^2$ explicitly? The answer is yes! 
First recall that any integer $x$ that we want to divide by another integer $N$ that is not $0$ we can write $x$ as $x=qN+r$ where $q,r \in \mathbb{Z}$. Also recall that for this integer we have, by definition, $x\bmod N=r$. Now what about $x^2 \bmod N$? Well if we use the same expression for $x$ in terms of $q,N$ and $r$ we get 

$$
\begin{align*}
x^2 &= (qN+r)^2 \\
&= q^2N^2 + 2qrN + r^2 \\
&\text{we can rearrange this to get it into the form $x=qN+r$} \\
&= (q^2N+2qr)N + r^2
\end{align*}
$$

now from this expression it is easy to see that the remainder of $\frac{x^2}{N}$ is $r^2$ and by definition that means 

$$
x^2\bmod N = r^2 = (x \bmod N)^2
$$
and it's fairly straightforward to show this generalizes to $x^n$ for $n\in \mathbb{Z^+}$. Lastly we will need the fact that $(rx)\bmod N = r^2$. This is easy to show since for $x = qN+r$ we have 

$$
\frac{rx}{N} = \frac{rqN+r^2}{N}
$$

and thus the remainder is clearly $r^2$.

Using all of this we have

$$
\begin{align*}
x^2 \equiv (x \bmod N) \mod N 
\iff x^2 \bmod N &= (x\bmod N)^2 \\
&= ((x \bmod N) x) \bmod N \\
&= (rx)\bmod N.
\end{align*}
$$



So to compute $x^y\bmod N$ we can first compute $z_1=x\bmod N$ and then to compute $x^2 \bmod N$ we compute $z_2=(z_1x)\bmod N$. And then to compute $x^3 \bmod N$ we just compute $z_3=(z_2x)\bmod N$ and so on until we have computed $x^y\bmod N$. 
Doing it this way we only ever have to compute the modulo $N$ of numbers that are at most equal to $Nx$ in the case that one of the intermediate modulo operations yields $z_i=N$. There is a huge downside with this method however. It is easy to see that we will need to compute exactly $y-1$ multiplications to compute $x^y \bmod N$ with this method which at first seems great; the time complexity is linear in $y$, $O(y)$, so whats the big deal? Well recall that the time complexity of multiplying two $n$-bit numbers is $O(n^2)$ and the complexity of division is also $O(n^2)$ {cite:p}`dasgupta2008algorithms` so each intermediate step has complexity $O(n^2+n^2)=O(n^2)$ since we must multiply $z_i$ with $x$ as well as divide that product by $N$ to compute the modulo $N$. However we do this $y-1$ times and since $y$ is an $n$-bit number it is at most $2^n$ so our overall time complexity is $O(2^nn^2)$ which is exponential in the input size (number of bits needed to represent $x,y$ and $N$).

We can do better than this however. For

## Euclid's greatest common divisor algorithm

Given two integers $x$ and $y$ the largest integer that divides both of them is called their *greatest common divisor* denoted $\gcd(x,y)$.

## Primality testing

````{prf:theorem} Fermat’s little theorem
:label: fermat

If $p$ is a prime number then for every $1 \leq a < p$,

$$
\begin{align*}
a^{p-1}\equiv 1 \pmod p \iff a^{p-1}\bmod p &= 1\bmod p \\
&= 1
\end{align*}
$$

````

## Cryptography (RSA)

## Practice problems