Number Theoretic Algorithms Outline • greatest common divisors and Euclid’s algorithm • applications of large primes: public-key cryptosystems (RSA) • primality testing • integer factorization
Number Theoretic Algorithms
Outline
• greatest common divisors and Euclid’s algorithm
• applications of large primes: public-key cryptosystems (RSA)
• primality testing
• integer factorization
Number Theoretic Algorithms
GCD and Euclid’s algorithm
gcd(a,b) - the greatest common divisor of integers a and b
Euclid(a, b) if b = 0 then return aelse return Euclid(b, a mod b)
Time complexity?
Number Theoretic Algorithms
Euclid’s algorithm - Complexity
Euclid(a, b) if b = 0 then return aelse return Euclid(b, a mod b)
Theorem
If a > b 0 and the invocation of Euclid performs k 1 recursive calls, then a Fk+2 and b Fk+1.
(where Fk - the k-th Fibonacci number)
Number Theoretic Algorithms
Euclid’s algorithm - Complexity
Theorem
If a > b 0 and the invocation of Euclid performs k 1 recursive calls, then a Fk+2 and b Fk+1.
k = 1 b 1 = F2, a 2 = F3 OK
k = n – 1 b Fn, a Fn+1 Assume
k = n?
a mod b Fn, b Fn+1 a b + a mod b Fn+1 + Fn = Fn+2
b Fn+1 OK
Number Theoretic Algorithms
Euclid’s algorithm - Complexity
Theorem
If a > b 0 and the invocation of Euclid performs k 1 recursive calls, then a Fk+2 and b Fk+1.
Fk ((1 + 5) / 2)k / 5
(2)k < Fk < 2k
= max{log a, log b} - number of bits to encode a and b
T’(a,b) = ( ) - number of arithmetic operations
T(a,b) = ( 3) - total complexity
Number Theoretic Algorithms
Extended Euclid’s algorithm
d = gcd(a,b) - the greatest common divisor of integers a and b
ExtendedEuclid(a, b) if b = 0 then return (a,1,0)(d’,x’,y’) ExtendedEuclid(b, a mod b)(d,x,y) (d’,y’,x’ – a/b y’)return (d,x,y)
There exist integers x and y such that d = ax + by
Number Theoretic Algorithms
Extended Euclid’s algorithm - Example
ExtendedEuclid(a, b) if b = 0 then return (a,1,0)(d’,x’,y’) ExtendedEuclid(b, a mod b)(d,x,y) (d’,y’,x’ – a/b y’)return (d,x,y)
[Adapted from T.Cormen, C.Leiserson, R. Rivest]
Number Theoretic Algorithms
Complexity of modular operations
Multiplication:
for given a and b find x such that ab mod n = x
multiplication + division, i.e. time complexity ( 2)
Number Theoretic Algorithms
Complexity of modular operations
Division:
for given a and b find x such that bx mod n = a
Not always such x exists - we should have gcd(b,n) | a
Extended Euclid's algorithm: finds x and y such that gcd(s,t) = su + tv
Take b = s and t = n and set x = ua/gcd(b,n)
Time complexity ( 3)
Number Theoretic Algorithms
Complexity of modular operations
Exponentiation:
for given a and b find x such that ab mod n = x
Time complexity?
Number Theoretic Algorithms
Modular Exponentiation
ModularExponentiation(base a, degree b, modulus n)let <bk,bk–1,...,b0> be the binary representation of b c 0d 1for i k downto 0 do
c 2 cd (d d) mod nif bi = 1 then
c c + 1d (d a) mod n
return d
Time complexity T() = ( 3)
Number Theoretic Algorithms
Modular Exponentiation - example
ModularExponentiation(a, b, n)c 0; d 1for i k downto 0 do
c 2 cd (d d) mod nif bi = 1 then
c c + 1d (d a) mod n
return d
[Adapted from T.Cormen, C.Leiserson, R. Rivest]
Number Theoretic Algorithms
Public-key cryptosystems
P: * * public keyS: * * secret key
For an arbitrary message M* we must have:
• M = S(P(M)), and• M = P(S(M))
Number Theoretic Algorithms
The RSA public-key cryptosystem
p,q - two large primes (100 digits or more)n = pqe - small odd integer that is relatively prime to
(p – 1)(q – 1)d - integer such that de 1 (mod (p – 1)(q – 1))
(it can be shown that it always exists)
P = (e,n) - public keyS = (d,n) - secret key
Encoding: P(M) = Me (mod n)Decoding: S(C) = Cd (mod n)
It works!
Number Theoretic Algorithms
Fermat's TheoremFermat's little Theorem
If p is prime then:
• ap = a mod p• if gcd(a,p) =1 then ap1 = 1 mod p.
Proof ?
Number Theoretic Algorithms
Fermat's Theorem
Number Theoretic Algorithms
RSA - Correctness
n = pqe - odd and relatively prime to (p – 1)(q – 1)d - such that de 1(mod (p – 1)(q – 1))P(M) = Me (mod n), S(C) = Cd (mod n)
P(S(M)) = S(P(M)) = Med (mod n), ed = 1 + k (p – 1)(q – 1)
M 0 (mod p) Med M(Mp–1)k(q–1) (mod p) M(1)k(q–1) (mod p) M (mod p)
M 0 (mod p) Med M (mod p)
Number Theoretic Algorithms
RSA - Correctness
Med M (mod p)
Med M (mod q)
Thus Med M (mod n)
Number Theoretic Algorithms
RSA - Complexity
Encoding: P(M) = Me (mod n)
Decoding: S(C) = Cd (mod n)
Number Theoretic Algorithms
RSA - Complexity
Encoding: P(M) = Me (mod n)
Decoding: S(C) = Cd (mod n)
TE(M) = O( 3) (and TE(M) = ( 2) for small e)
TD(M) = ( 3)
Number Theoretic Algorithms
RSA - Key management mode
Encryption:
• Encrypt (using a traditional method) message with a random key K
• Send encrypted message
• Send K encrypted with a public-key method
Number Theoretic Algorithms
Public-key cryptosystems - Encryption
[Adapted from T.Cormen, C.Leiserson, R. Rivest]
Number Theoretic Algorithms
RSA + One-way hash functions
h - a one-way hash function (easy to compute, but for a given M it is hard to find M’ with h(M) = h(M’))
Digital signature:
• Send message M
• Send encrypted pair (h(M),)
Number Theoretic Algorithms
Public-key cryptosystems - Digital signature
[Adapted from T.Cormen, C.Leiserson, R. Rivest]
Number Theoretic Algorithms
Finding primes - Erasthothenes sieve
Number Theoretic Algorithms
Distribution of primes
Number Theoretic Algorithms
Distribution of primes
Number Theoretic Algorithms
Illegal primes :)
1811 digit prime number
Represents an executable program that perform DeCSS decryption
Technically illegal in some weird countries (e.g. USA)
Number Theoretic Algorithms
Finding large primes
(n) - the number of primes less or equal to n
n / ln n tends to be a good approximation of (n)
n = 1 000 000 000(n) = 50 847 478n / ln n = 48 254 942
Prime number theorem
limn (n) / (n / ln n) = 1
Number Theoretic Algorithms
Finding large primes
limn (n) / (n / ln n) = 1
Idea how to find a prime approximately of the size of n:
Consider randomly chosen integers close to n andcheck whether these are primes. On average youwill need to examine ln n integers.
Number Theoretic Algorithms
Primality testing
The problem
For a given integer n decide whether n is a prime.
A simple solution:
Try to divide n by 2 and all odd integers3, 5,..., n1/2.
Time complexity of such approach is (2/2), where - number of bits needed to encode n ( = log n).
Advantage - we also get factors of n (if n is not prime).
Number Theoretic AlgorithmsWhat we need from number theory
Extended Euclid's algorithm
d = gcd(a,b) - the greatest common divisor of integers a and b
There exist integers x and y such that d = ax + by
Fermat's little Theorem
If p is prime and gcd(a,p) = 1 then ap1 = 1 mod p.
Number Theoretic Algorithms
Square roots of 1 modulo n
Quadratic residue theorem
If there exists an integer 1<x< n –1, such that x2 = 1 (mod n),then n is composite.
x2 = 1 (mod n), 2 x n – 2
x2 – 1 = kn, 1 k n – 2
(x – 1)(x + 1) = kn
but x – 1 and x + 1 can’t be divisible by n
Number Theoretic AlgorithmsWhat we need from number theory
Chinese reminder theorem
Suppose n1, n2, …, nk are integers which are pairwise coprime. Then, for any given integers a1,a2, …, ak, there exists an integer x solving the system of simultaneous congruences:
Furthermore, all solutions x to this system are congruent modulothe product N = n1n2…nk.
Number Theoretic Algorithms
Something from algebra and number theory Euclid's algorithm
groups and Lagrange's theorem
additive group Zn
multiplicative group Z*n
Fermat's theorem
primitive roots modulo n
Number Theoretic Algorithms
Groups and Lagrange's theoremConsider set G and binary oparator +.
DefinitionPair (G,+) is a group, if there is eG such that for all a,b,cG:
• a+bG• (a+b)+c = a+(b+c)• a+e = a and e+a = a• there exists a unique a such that a+(a) = e and (a)+a = e
(X,+) is a subgroup of (G,+) if XG and (X,+) is a groupX<G - notation that X is a subgroup of Go(G) - order of group = number of elements in Ga - subgroup generated by aG
Number Theoretic Algorithms
Groups and Lagrange's theorem
Lagrange's Theorem
If H < G then o(H) | o(G)
Proof• let gG then all elements of the from a+h, hH, are distinct and |{g+h | hH}| = o(H)
• each element gG belongs to set {g+h | hH} (these setsare called cosets)
• thus G is a union of disjoint cosets, each having o(H) elements
• Hence o(H) | o(G)
Number Theoretic Algorithms
Additive group Zn
n - a positive integer
Set of elements Zn = {0,1,2, ...,n1}
Operation "+":
for x,yZn define x+y to be equal with an integerequal to x+y mod n
o(Zn) = n
Number Theoretic Algorithms
Multiplicative group Z*n
n - a positive integer
Set of elements Z*n = {a Zn | gcd(a,n) = 1}
Operation "·":
for x,yZ*n define xy to be equal with an integerequal to xy mod n
Z*n is a group!
o(Z*n) = (n) (Euler's phi function)
If p is prime and n = pe then (n) = (p1)pe1
Number Theoretic Algorithms
Fermat's TheoremEuler's TheoremFor n>1 and all aZ*n we have a(n) = 1 mod n.
ProofLet ah = 1 mod n. Then h | (n) and a(n) = 1 mod n.
Fermat's little TheoremIf p is prime then ap1 = 1 mod p.
Proofp1 = (n).
Number Theoretic Algorithms
Primitive roots modulo nTheoremZ*n is cyclic (i.e. there exists aZ*n with o(a) = o(Z*n)) if and only if n = 2, n = 4, n = pm, or n = 2pm for some odd prime p and some m > 0.
Partial proof (and we are more interested in if part :)
We will consider just case n = p...
Number Theoretic Algorithms
Primitive roots modulo nProposition 1Let d | p1.Then there are exactly d solutions (mod p) to equation xd1 = 0 mod p.
Proofde = p1.xp11 = (xd)e1 = (xd1)g(x).
From Fermat's theorem: For all ap1 = 1 mod p. Thus all p1 elements of Z*n are roots of xp11.
g(x) has at most pd1 roots, thus xd1 should have d roots.
Number Theoretic Algorithms
Primitive roots modulo nProposition 2a,b Z*n, o(a) = r, o(b) = s and gcd(r,s) = 1.Then o(ab) = rs.
Proof(ab)rs = arsbrs =1. Thus o(ab) = xy, where x | r and y | s.Assume r = xu and s = yv.
auxybuxy =1 and auxy =1. Then buxy =1 and s | uxy. Thus s = y. Similarly we show that r = x.
Therefore o(ab) = rs.
Number Theoretic Algorithms
Primitive roots modulo nTheoremZ*n is cyclic (i.e. there exists aZ*n with o(a) = o(Z*n)) if and only if n = 2, n = 4, n = pm, or n = 2pm for some odd prime p and some m > 0.
Proposition 1Let d | p1.Then there are exactly d solutions (mod p) to equation xd1 = 0 mod p.
Proposition 2a,b Z*n, o(a) = r, o(b) = s and gcd(r,s) = 1.Then o(ab) = rs.
Number Theoretic Algorithms
Primitive roots modulo nPartial proof (and we are more interested in if part:)n = p.
Let p1 = q1n1...qr
nr, where qi's are primes.
By Proposition 1 f(x) = xqin
i 1 has exactly qini roots and
g(x) = xqin
i1 1 has exactly qi
ni1 roots.
There exists ai which is root of f(x) but not g(x).o(ai) = qi
ni.
a = a1...ar. o(a) = p1. (Proposition 2)
Number Theoretic Algorithms
Finding large primes
(n) - the number of primes less or equal to n
n / ln n tends to be a good approximation of (n)
n = 1 000 000 000(n) = 50 847 478n / ln n = 48 254 942
Prime number theorem
limn (n) / (n / ln n) = 1
Number Theoretic Algorithms
Finding large primes
limn (n) / (n / ln n) = 1
Idea how to find a prime approximately of the size of n:
Consider randomly chosen integers close to n andcheck whether these are primes. On average youwill need to examine ln n integers.
Number Theoretic Algorithms
Primality testing
The problem
For a given integer n decide whether n is a prime.
A simple solution:
Try to divide n by 2 and all odd integers3, 5,..., n1/2.
Time complexity of such approach is (2/2), where - number of bits needed to encode n ( = log n).
Advantage - we also get factors of n (if n is not prime).
Number Theoretic Algorithms
Primality testing - Fermat’s theorem
Fermat’s theorem
an – 1 1 (mod n) for all primes n and all integers a > 1.
What happens when n is not a prime?
Composite integers n that satisfy an – 1 1 (mod n) for all a > 1 with gcd(a,n) = 1 are called Carmichael numbers.
They are quite rare:
the first three are 561, 1105, 1729there are only 255 of them less than 100 000 000
Number Theoretic Algorithms
PseudoPrime algorithm
PseudoPrime(n) if ModularExponentiation(2,n–1,n) 1 then
return Composite definitelyelse return Prime we hope
ModularExponentiation(a,k,n) computes the value ak mod n
Number Theoretic Algorithms
Square roots of 1 modulo n
Quadratic residue theorem
If there exists an integer 1<x< n –1, such that x2 1 (mod n),then n is composite.
Therefore, n will be composite if:
1) we can find a such that an – 1 1 (mod n)2) we can find x such that x2 = 1 (mod n)
• a is chosen randomly and tested for (1)• for (2) are tested all intermediate values arising in computationof an – 1
Number Theoretic Algorithms
Miller-Rabin algorithm - scheme
[Adapted from D.Harel]
Number Theoretic Algorithms
Miller-Rabin algorithm
MillerRabin(n, s) for j 1 to s
do a Random(1, n – 1)if Witness(a, n) then
return Composite definitelyreturn Prime almost surely
Number Theoretic Algorithms
Miller-Rabin algorithm
Witness(a, n)let <bk,bk–1,...,b0> be the binary representation of n – 1 d 1for i k downto 0 do
x d d (d d) mod nif d = 1 & x 1 & x n 1 then return Trueif bi = 1 then d (d a) mod n
if d 1 then return Truereturn False
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness
Theorem
If n is an odd composite number, then the number ofwitnesses to the compositeness of n is at least (n–1)/2.
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness
Observation:
For any non-Witness a we must have gcd(a,n) = 1
(since an – 1 should be divisible by a)
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness - I
Case 1
There exists an x, such that xn – 1 1 (mod n)
A = { 0 < a < n| an – 1 1 (mod n)} = {a1,..,ak}
x A (and gcd(n,x)=1)
All numbers x·a1 (mod n),...,x · ak (mod n) are different and donot belong to A
There are at least (n–1)/2 integers in interval [1,n–1] andnot in A.
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness - II
Case 2
For all x we have xn – 1 1 mod n
n pe, where p is prime
otherwise: (n) = (p1)pe1
Z*n is cyclic and there is and element a of order (n) Then a(n) 1 mod n and (p1)pe1 | pe1 Thus e =1 and n is prime, contradicting our assumption.
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness - II
Case 2
For all x we have xn – 1 1 (mod n)n = cd, where c,d > 1 and are relative primes
n – 1 = 2tu, where t > 1 and u is odd
For all a: 0 < a < n consider the sequence
A = <au, a2u, a22u,..., a2tu> (all elements modulo n)
These are the last t+1 values of d computed by Witness
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness - II
Witness(a, n)let <bk,bk–1,...,b0> be the binary representation of n – 1 d 1for i k downto 0 do
x dd (d d) mod nif d = 1 & x 1 & x n 1 then return Trueif bi = 1 then d (d a) mod n
if d 1 then return Truereturn False
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness - II
Case 2
For all x we have xn – 1 1 (mod n)n = cd, where c,d > 1 and are relative primes
Find the largest j, such that 0 j t and v2ju –1 (mod n) for some v(such j exists since the property holds for j = 0 and v = n – 1)
B = {0 < x < n | x2ju 1 (mod n)} = {b1,..,bk}
Every non-witness is a member of B
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness - II
Case 2
For all x we have xn – 1 1 (mod n)n = cd, where c,d > 1 and are relative primesB = {0 < x < n | x2ju 1 (mod n)} = {b1,..,bk}
If y B, then all numbers y·b1 (mod n),...,y · bk (mod n) are different and do not belong to B
Is there a number z, such that 0 < z < n and z B?
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness - II
v2ju –1 (mod n), n = cd
Then v2ju –1 (mod c)
There exists w such that w v (mod c) and w 1 (mod d)
Therefore w2ju –1 (mod c) and w2ju 1 (mod d)
And thus w2ju 1 (mod n), ie. w B
Number Theoretic Algorithms
Miller-Rabin algorithm - Correctness
Theorem
For any odd integer n > 2 and positive integer s, the probability that Miller-Rabin algorithm outputs incorrectanswer is at most 2–s.
Number Theoretic Algorithms
Miller-Rabin algorithm - Complexity
MillerRabin(n, s) for j 1 to s
do a Random(1, n – 1)if Witness(a, n) then
return Composite definitelyreturn Prime almost surely
T(n,s) = (s 3) = (s (log n)3)
- allowed error probability
T(n, ) = (log (1/ ) (log n)3)
Number Theoretic Algorithms
Primality testing - Riemann hypothesis
(s) function has the trivial zeros at -2, -4, -6, ... (???)
It is easy to show that for all other zeros 0 Re(s) 1
The Riemann hypothesis is that for all nontrivial zeros Re(s) = 1/2
The Riemann zeta function:
Number Theoretic Algorithms
Primality testing - Riemann hypothesis
The values of (s) function (see the colour values below):
Number Theoretic Algorithms
Primality testing - Riemann hypothesis
Generalized Riemann Hypothesis: assumes the RH and that for all nontrivial zeros of the Dirichlet L-Functions Re(s) = 1/2
Dirichlet L-Functions:
where is a periodic integer function.
Number Theoretic Algorithms
Primality testing - Other methods
If generalized Riemann hypothesis holds, then for eachcomposite n there is a witness in {2,3,..., c · (log n)2}, forsome computable constant c. [Miller, 1976]
This gives T(n) = ((log n)2 (log n)3) = ((log n)5) algorithm
Without Riemann hypothesis we can obtain deterministicalgorithm with T(n) = O(n1/10.89)
The fastest deterministic algorithms works in timeT(n) = O((log n)log log log n) [Adleman, Pomerance, Rumely, 1983]
Agrawal-Kayal-Saxena algorithm (2002): T(n) = O((log n)6)
Number Theoretic Algorithms
The largest known prime
2001 213 466 917 – 1 (4 053 946 digits)
2003 220 996 011 – 1 (6 320 430 digits)
2006 232 582 657 – 1 (9 808 358 digits)
2009 243 112 609 – 1 (12 978 189 digits)
2013 257 885 161 – 1 (17 425 170 digits)
Number Theoretic Algorithms
The largest known prime
Growth of number of digits in largest known primes by years
Number Theoretic Algorithms
Integer factorization
The problem
For a given integer n find at least one non-trivial factor of n.
A simple solution (the same as for primality testing):
Try to divide n by 2 and all odd integers3, 5,..., n1/2.
Time complexity of such approach is (2/2), where - number of bits needed to encode n ( = log n).
Number Theoretic Algorithms
RSA challenge
[Adapted from RSA Security - www.rsasecurity.com/rsalabs/]
Number Theoretic Algorithms
RSA challenge
[Adapted from RSA Security - www.rsasecurity.com/rsalabs/]
Number Theoretic Algorithms
Pollard’s rho heuristic
PollardRho(n)i 1x1 Random(0, n – 1) y x1
k 2while True do
i i + 1xi (x2
i–1 – 1) mod nd gcd(y – xi, n)if d 1 & d n then print dif i = k then do
y xi k 2 k
Number Theoretic Algorithms
Pollard’s rho heuristic - What it does?
Start with random value x1
Compute the sequence x1, x2, x3,..., using the formula xi (x2
i–1 – 1) mod n
Save in variable y the xi -s with subscripts being powers of 2, ie. x2, x4, x8,....
Try to find a factor using the saved value of y and the current value of xi
Number Theoretic Algorithms
Pollard’s rho heuristic - Performance
Algorithm does not terminate at all, but may print some of thefactors of n
There is a good reason to expect that it prints a factor pof n approximately after p1/2 (or n1/4) iterations
Number Theoretic Algorithms
Pollard’s rho heuristic - Example
[Adapted from T.Cormen, C.Leiserson, R. Rivest]
Number Theoretic Algorithms
Pollard’s rho heuristic - Motivation
How long it may take for the sequence x1, x2, x3,..., to repeat?
Consider the values of xi being random
Birthday problem: What is the probability that two students inthe group of n have a birthday on the same day?
Expected value is (n1/2)
Number Theoretic Algorithms
Pollard’s rho heuristic - Motivation
Birthday paradox:
What should be the size k of a group of people, such that with probablity 1/2 at least two persons from the group will have birthday on the same day?
Number Theoretic Algorithms
Pollard’s rho heuristic - Motivation
Birthday paradox
Number Theoretic Algorithms
Pollard’s rho heuristic - Motivation
Birthday paradox
Number Theoretic Algorithms
Pollard’s rho heuristic - Motivation
How long it may take for the sequence x1, x2, x3,..., to repeat?
Consider the values of xi being random
Birthday problem: What is the probability that two students inthe group of n have a birthday on the same day?
Number Theoretic Algorithms
Pollard’s rho heuristic - Motivation
p - non-trivial factor of n, such that gcd(p,n / p) = 1
Consider the sequence x’1, x’2, x’3,..., where x’i = xi mod p
We also have x’i (x’2i–1 – 1) mod p
Expected number of steps before repeats is (p1/2)
t - index of the first repeated valueu > 0 - the length of the cycle that has been produced
Expected values of t and u are (p1/2)
Number Theoretic Algorithms
Pollard’s rho heuristic - Motivation
If x’t+i = x’t+u+i then p divides xt+i – xt+u+i
Thus gcd(xt+i – xt+u+i, n) > 1
Eventually y will be set to x’i value on the cycle and afterwards the whole cycle will be traversed without changing the value of y. When the value x’i will be encountered again, a factor of n will be discovered.
Number Theoretic Algorithms
Pollard’s rho heuristic - Example
[Adapted from T.Cormen, C.Leiserson, R. Rivest]
Number Theoretic Algorithms
Pollard’s rho heuristic - Problems
The sequence x’1, x’2, x’3,... may start to repeat much laterthan after (p1/2) steps
The gcd’s (gcd(xt+i – xt+u+i, n)) found may always be equal with n
In practice it does not happen too often
In case of problems we can try to start with a new value x1
Number Theoretic Algorithms
Pollard’s rho heuristic - Complexity?
Expected number of arithmetic operations T’(n) = (p1/2) Expected time complexity T(n) = (2/4 3)
Number Theoretic Algorithms
Integer factorization - Other methods
L[] = e (log n log log n) 1/2
There seems to be several O(L[1]) algorithms
The fastest general algorithm probably works in O(L[1/2]) time
In practice the methods that allow parallel computationprobably are faster
Some integers may be more easy to factor (eg yn 1)
There are also algorithms that depend on generalised Riemann hypothesis