Download Chapter 1

Chapter 1
Algorithms with Numbers
Bases and Logs
How many digits does it take to represent
the number N >= 0 in base 2?
With k digits the largest number we can
make:
1x2k-1 + 1x2k-2 + … + 1x21 + 1x20 = 2k - 1
Example: 1111 = 24 – 1
Answer: N = 2k – 1 and solve for k
Bases and Logs
Answer: N = 2k – 1 and solve for k
N + 1 = 2k
Log(N+1) = Log(2k)
Log(N+1) = k
┌ Log(N+1) ┐ = k
Bases and Logs
• Log N is the power you raise 2 to get N
2Log(N) = N
• For large N, Log(N) is much smaller than
N
• N =1,073,741,834 Log(N) = 30
• Which algorithm is better?
O(N2) or O(n Log N)
Bases and Logs
• Log N is the number of times you must
halve N to get down to 1
• Log N is the number of bits in the binary
representation of N (Ceil (Log (N+1)))
• Log N is the depth of a complete binary
tree with N nodes (Floor(Log n))
• Log N is approximately the sum of
1 + ½ + 1/3 + … + 1/N
Addition of Binary Numbers
• Why isn’t binary addition O(1)? Don’t we
have hardware operations for that?
• The sum of x + y is n + 1 bits at most
• Each individual bit gets computed in fixed
amount of time
• Running time = c0 + c1n = O(n)
Multiplication
1 1 0 1
1 0 1 1
x _______
1 1 0 1
1 1 0 1
0 0 0 0
1 1 0 1
_________________
1 0 0 0 1 1 1 1
x
13
11
___
13
26
0
104
___
143
Al Khwarizmi’s Method
1 1 0 1
1 0 1 1
x _______
1 1 0 1
1 1 0 1
0 0 0 0
1 1 0 1
_________________
1 0 0 0 1 1 1 1
11
13
5
26
2
52
1 104
_______
143
Another Approach
X * Y =
2(X * floor(Y/2)) if y is even
X + 2(X * floor(Y/2)) if y is odd
----------------------------------------function multiply(X,Y)
if Y = 0: return 0
Z = multiply(X,floor(Y/2))
if Y is even
return 2 * Z
else:
return X + 2 * Z
Let
X=3
(imperative language)
Y=4
Z=X+Y
--------------------------------------------------(let ((X 3)(Y 4)) (+ X Y) ) (Scheme version)
3
4
X
Y
(+ x y)
Sequence of Lets
X=3
Y=X
Z = (+ X Y)
--------------------------------------------------(let ((X 3)) (let ((Y X)) (+ X Y)))
(let* ((X 3) (Y X)) (+ X Y))
Sequence of Lets
(let ((X 3)) (let ((Y X)) (+ X Y)))
3
X
Y
(+ X Y)
(let* ((X 3) (Y X)) (+ X Y))
Division
function divide(x,y)
if x = 0: return (q,r) = (0,0)
(q,r) = divide(floor(x/2),y)
q=2q,r=2r
if x is odd: r = r + 1
if r >= y: r = r – y, q = q + 1
return (q,r)
Modular Exponentiation
function modexp(x, y, N)
Input: Two n-bit integers x and N, an integer
exponent y
Output: xy mod N
if y = 0: return 1
z = modexp(x, floor(y/2),N)
if y is even:
return z2 mod N
else:
return x * z2 mod N
Euclid’s GCD Algorithm
function Euclid(a, b)
Input: Two integers a and b with a b 0
Output: gcd(a, b)
if b = 0: return a
return Euclid(b, a mod b)
Why is this O(n3)?
Extension to Euclid’s Algorithm
• If someone says “d is the gcd(a,b)”, how
do we know?
• Lemma: if d divides both a and b, and
d = ax + by for some integers x and y,
then d is the gcd of a and b
Extended GCD Algorithm
function Extended-Euclid(a, b)
Input: Two positive integers a and b with
a≥ b≥ 0
Output: Integers x, y, d such that d = gcd(a;
b) and ax + by = d
if b = 0: return (1, 0, a)
(x’, y’ d) = Extended-Euclid(b, a mod b)
return (y’, x’ – floor(a/b)y’, d)
Modular Division
• We say x is the multiplicative inverse of a
modulo N if ax ≡ 1 (mod N).
• Not every integer has such a multiplicative inverse
• Example 2x ! ≡ 1 (mod 6) for any x.
• If gcd(a,N) = 1, a and N are relatively prime
• If a and N are relatively prime, the extended
Euclid’s algorithm gives integers x and y such that
ax + Ny = 1. (ax + Ny)MOD N = 1 MOD N,
• ax MOD N = 1
• But then x is the multiplicative inverse of a mod N!
Modular Division Theorem
• For any a mod N, a has a multiplicative inverse if
and only if it is relatively prime to N. When the
inverse exists, it can be found in O(n3) time (where
n denotes the number of bits in N) by running the
extended Euclid algorithm
• Example: Compute 11-1 mod 25
Using EEA, 4(25) - 9(11) = 1. Reducing both
sides mod 25 we have:
-9 (11) ≡ 1 mod 25, so -9 ≡ 16 mod 25 is the
inverse of 11 mod 25.
In other words, if I want to divide by 11 mod 25, I can
instead multiply by 16 mod 25
Another Example
• Let p = 17, q = 53
• N = p * q = 17 * 53 = 901
• Choose e relatively prime to (p-1)(q-1) =
16 * 52 = 832, so somewhat arbitrarily let
e be 19.
The public key is (901,19).
Public key is (901,19).
• Let the message be 123.
• Encrypting the message involves
computing 12319 MOD 901 = 115
• The encrypted message is 115
• To decrypt the message we compute the
inverse of 19 MOD (17-1)(53-1) =
19 MOD 832 .
Computing the Inverse of
19 MOD 832
• Using the extended Euclidean algorithm, we see that
219(19) + (-5)(832) = 1
• Taking MOD on both sides we have
• (219(19) + (-5)(832)) MOD 832 = 1 MOD 832
and 219(19) = 1 MOD 832, since the addition of multiples
of 832 can be removed
• In other words, 219 is the multiplicative inverse of 19
MOD 832.
• This makes the decryption function
x219 MOD 901
Decrypting with x219 MOD 901
• Use modexp to compute the expression
• 115219 MOD 901 = 123
• (12319)219 MOD 901 = 123
Implications
• For division mod N, we can only divide by
integers that are relatively prime to N.
• To divide by s, we multiply by the inverse
of s (s-1).
• To find the inverse of s MOD t, we run
EEA on s and t.
• This produces a(s) + b(t) = 1 if s is
relatively prime to t
Implications
•
•
•
•
Applying MOD t results in
(a(s) + b(t))MOD t = a(s) MOD t = 1 MOD t
In other words, a = s-1
This technique relies heavily on finding large
prime numbers p and q
Primality Testing
• Factoring is hard, primality is easy. Why?
• To test if N is prime, we can try to divide it
by 2,3,5,7…, √N (We try to factor it)
• This approach still takes lots of time
• Fermat’s little theorem:
If p is prime, then for every 1 ≤ a ≤ p
ap-1 ≡ 1 mod p
Primality Testing Using FLT
function primality(N)
Input: Positive integer N
Output: yes/no
Pick a positive integer a < N at
random
if aN-1 ≡ 1 (mod N):
return yes
else:
return no
Primality Testing
• There are no guarantees that this works!
• There are some composite integers that
satisfy aN-1 ≡ 1 (mod N)
• 341 = 11 x 31 is not prime, and yet 2340 ≡
1 mod 341.
• Even so, we hope the answer will be
correct most of the time. It certainly works
if N is prime
Primality Testing
• Carmichael numbers pass Fermat’s test
for all a relatively prime to N
• For non-Carmichael numbers, a composite
integer will fail for at least half the values
of a where 1 ≤ a ≤ p
• If we randomly choose a, we have at least
half a chance of the algorithm working
correctly
A Primality Algorithm with Low
Error Probability
function primality2(N)
Input: Positive integer N
Output: yes/no
Pick positive integers a1,a2,…, ak < N at
random
if ai N-1 ≡ 1 (mod N)for all i = 1,2,… k:
return yes
else:
return no
A Primality Algorithm with Low
Error Probability
• Pr(Algorithm 1.8 returns yes when N is not
prime) ≤ 1/2k
• Testing k = 100 values of a makes the
probability of failure at most 2-100,which is
miniscule: far less, for instance, than the
probability that a random cosmic ray will
sabotage the computer during the
computation!
Generating Primes
• Primes are abundant.
• A random n-bit number has roughly a onein-n chance of being prime (actually about
1/(ln 2n) ≈ 1:44/n).
• For instance, About 1 in 20 social security
numbers is prime!
Generating Primes
• Pick a random n-bit number N.
• Run a primality test on N.
• If it passes the test, output N; else repeat
the process.
RSA Summary
• Pick any two primes p and q and let N = pq. For any e
relatively prime to (p-1)(q -1):
1. The mapping x → x e mod N is a bijection on {0,1,…,N}
2. Moreover, the inverse mapping is easily realized: let d be
the inverse of e modulo (p-1)(q -1). Then for all x
{0,…,N}, (x e)d ≡ x mod N:
Assignment
• Send me a public key (N,e), and I will send you a coded
message x e MOD N. Send me the decoded message
back in an email. You get to choose N and e.
• The message I send will be a number less than N. In a
real application the number could be an message in
ASCII
• Grad Students: Compute two prime numbers p and q
with 100 or more digits using Scheme. Generate N = p *
q. Choose a suitable e. As before, send me (N, e) but
also include your Scheme code for selecting primes.