Download Lecture 8

MS 101: Algorithms
Instructor
Neelima Gupta
[email protected]
Table of Contents
• Number Theoretic Problems
Problems to be discussed
•
•
•
•
•
•
Addition of two large intergers
Multiplication of two large intergers
x^n
x^n modulo m
Gcd(a,b)
Primes(x)
– Simple Exponential
– Pseudoprimality (polynomial time)
– Miller-Rabin randomized primality (polynomial time)
– AKS primality (polynomial time)
• RSA public-key cryptosystem
Computing x^n
• Iterative: xn-1 * x
T(n) = T(n-1) + c (n-1) log2x
= O(n2 log2x)
• Divide and Conquer: xn/2 * xn/2
T(n) = T(n/2) + c n2 log2x
= O(n2 log2x)
Both Exponential in the input size B = (log x +
log n)
Computing x^n modulo m
• xn modulo m never becomes too large
(never more than m)
i*log x = O(log m)
• Iterative: xn-1 * x modulo m
T(n) <= T(n-1) + log x * log m
= O(n * log x * log m)
Exponential in the input size B = (log x + log n)
• Divide and Conquer: xn/2 * xn/2 modulo m
T(n) = T(n/2) + log2 m
= O(log n * log2m)
Polynomial in the input size.
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Correctness of Euclid
• Follows from
For any non-ve integer a and +ve integer b,
gcd(a,b) = gcd(b, a mod b)
Prove it yourself, its very simple.
Time Complexity
• Number of recursive calls k satisfies the
following:
• Theorem: If a>b and the invocation
EUCLID(a,b) performs k>=1 recursive
calls , then
a>=Fk+2 and b>=F K+1. (Fk is fibonacci number)
Proof: Omitted
• Since Fk is approximately Φk / sqrt(5),
where Φ is the golden ratio (1 + sqrt(5))/2,
the number of recursive calls is O(lg b)
(where b< a).
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
RSA Cryptosystem
(Rivest, Shamir and Adleman, 1977)
1. Select two large prime numbers (say 100 digit)
p and q at random.
2. Compute n = pq
3. Select a small odd integer e that is relatively
prime to Φ(n). Φ(n) is the number of positive
integers relatively prime to n and = (p-1)(q-1).
4. Compute d as the multiplicative inverse of e,
modulo Φ(n).
5. Pair P =(e, n) is the public key.
6. S= (d, n) is the private/secret key
Primality Testing
• Prime distribution function π(n) is the number of
primes <= n.
• Prime Number Theorem:
• lim n→∞ π(n) / (n/ ln n) = 1
• i.e for large n the number of primes <= n is (n/ ln
n)
• i.e we need to check about ln n numbers <= n
for primality to find a prime that is of same length
as n.
• Thus step 1 of RSA can be done in polynomial
time using Rabin-Miller or AKS algorithm.
Modular Linear Equations
• ax ≡ b (mod n) , n > 0
• There are Modular Linear Equations
Solver which solve the system in
polynomial time for large a,b and n.
• Thus step 4 can be done in polynomial
time with b = 1.
Encryption and Decryption
using RSA
• Encryption: P(M) = Me (mod n)
• Decryption: S(C) = Cd (mod n)
• Note that S(P(M)) = M since de = 1 (mod
n)
• Clearly, these steps can be done in
polynomial time using power function
modulo n.
How difficult it is to crack RSA?
• The eavesdropper has M and d but he doesn’t
have e. He could get e if knew n. How does he
get n?
• He tries all numbers, factor a number into primes
and obtain p and q,
• gets phi(n) (he can’t find phi(n) without p and q;
phi(n) = n* product of (1- 1/p) of all prime factors
of n),
• computes e and its inverse e’. If e’ matches d,
he is done.
• Factoring a number into primes is a hard
problem
• And that makes RSA difficult to crack.
• b + (a mod b) = b + (a – floor(a/b) b)
= a + (b - floor(a/b) b)
≤ a ( as a>b>0 => floor(a/b) ≥ 1)
a ≥ b + (a mod b) = a k-1 + bk-1
≥ Fk+1 + Fk (by induction hypo.)
= Fk+2.
And, bk = ak-1 ≥ Fk+1 (by induction hypo.)
Note: a’s and b’s above are ak’s and bk’s resp.
Primality Testing
• Fermat’s Theorem
If p is prime, then
ap-1 ≡ 1 (mod p) for all a relatively prime to
p
• Converse
If an-1 ≡ 1 (mod n) for all a relatively prime
to n, is n prime?
Ans: Not true for all n
Carmichael numbers
• These composite numbers for which the
converse does not hold are called
Carmichael numbers.
• Carmichael numbers are extremely rare:
Only 255 less than 100,000,000.