Problems to be discussed Addition of two large intergers Multiplication of two large intergers x^n x^n modulo m Gcd(a,b) Primes(x) –Simple Exponential –Pseudoprimality (polynomial time) –Miller-Rabin randomized primality (polynomial time) –AKS primality (polynomial time) RSA public-key cryptosystem
Computing x^n Iterative: x n-1 * x T(n) = T(n-1) + c (n-1) log 2 x = O(n 2 log 2 x) Divide and Conquer: x n/2 * x n/2 T(n) = T(n/2) + c n 2 log 2 x = O(n 2 log 2 x) Both Exponential in the input size B = (log x + log n)
Computing x^n modulo m x n modulo m never becomes too large (never more than m) i*log x = O(log m) Iterative: x n-1 * x modulo m T(n) <= T(n-1) + log x * log m = O(n * log x * log m) Exponential in the input size B = (log x + log n) Divide and Conquer: x n/2 * x n/2 modulo m T(n) = T(n/2) + log 2 m = O(log n * log 2 m) Polynomial in the input size.
Correctness of Euclid Follows from For any non-ve integer a and +ve integer b, gcd(a,b) = gcd(b, a mod b) Prove it yourself, its very simple.
Time Complexity Number of recursive calls k satisfies the following: Theorem: If a>b and the invocation EUCLID(a,b) performs k>=1 recursive calls, then a>=F k+2 and b>=F K+1. ( F k is fibonacci number) Proof: Omitted
Since F k is approximately Φ k / sqrt(5), where Φ is the golden ratio (1 + sqrt(5))/2, the number of recursive calls is O(lg b) (where b< a).
RSA Cryptosystem (Rivest, Shamir and Adleman, 1977) 1.Select two large prime numbers (say 100 digit) p and q at random. 2.Compute n = pq 3.Select a small odd integer e that is relatively prime to Φ(n). Φ(n) is the number of positive integers relatively prime to n and = (p-1)(q-1). 4.Compute d as the multiplicative inverse of e, modulo Φ(n). 5.Pair P =(e, n) is the public key. 6.S= (d, n) is the private/secret key
Primality Testing Prime distribution function π(n) is the number of primes <= n. Prime Number Theorem: lim n→∞ π(n) / (n/ ln n) = 1 i.e for large n the number of primes <= n is (n/ ln n) i.e we need to check about ln n numbers <= n for primality to find a prime that is of same length as n. Thus step 1 of RSA can be done in polynomial time using Rabin-Miller or AKS algorithm.
Modular Linear Equations ax ≡ b (mod n), n > 0 There are Modular Linear Equations Solver which solve the system in polynomial time for large a,b and n. Thus step 4 can be done in polynomial time with b = 1.
Encryption and Decryption using RSA Encryption: P(M) = M e (mod n) Decryption: S(C) = C d (mod n) Note that S(P(M)) = M since de = 1 (mod n) Clearly, these steps can be done in polynomial time using power function modulo n.
How difficult it is to crack RSA? The eavesdropper has M and d but he doesn’t have e. He could get e if knew n. How does he get n? He tries all numbers, factor a number into primes and obtain p and q, gets phi(n) (he can’t find phi(n) without p and q; phi(n) = n* product of (1- 1/p) of all prime factors of n), computes e and its inverse e’. If e’ matches d, he is done. Factoring a number into primes is a hard problem And that makes RSA difficult to crack.
b + (a mod b) = b + (a – floor(a/b) b) = a + (b - floor(a/b) b) ≤ a ( as a>b>0 => floor(a/b) ≥ 1) a ≥ b + (a mod b) = a k-1 + b k-1 ≥ F k+1 + F k (by induction hypo.) = F k+2. And, b k = a k-1 ≥ F k+1 (by induction hypo.) Note: a’s and b’s above are a k ’s and b k ’s resp.
Primality Testing Fermat’s Theorem If p is prime, then a p-1 ≡ 1 (mod p) for all a relatively prime to p Converse If a n-1 ≡ 1 (mod n) for all a relatively prime to n, is n prime? Ans: Not true for all n
Carmichael numbers These composite numbers for which the converse does not hold are called Carmichael numbers. Carmichael numbers are extremely rare: Only 255 less than 100,000,000.