Presentation is loading. Please wait.

Presentation is loading. Please wait.

מבוא מורחב - שיעור 6 1 Lecture 6 High order procedures Primality testing The RSA cryptosystem.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "מבוא מורחב - שיעור 6 1 Lecture 6 High order procedures Primality testing The RSA cryptosystem."— Presentation transcript:

1

2 מבוא מורחב - שיעור 6 1 Lecture 6 High order procedures Primality testing The RSA cryptosystem

3 מבוא מורחב - שיעור 6 22 Fixed Points x 0 is a fixed point of F(x) if F(x 0 ) = x 0 Example: x 0 = a is a fixed point of F(x) = a/x

4 מבוא מורחב - שיעור 6 3 מבוא מורחב - שיעור 5 3 Finding fixed points for f(x) Start with an arbitrary first guess x 1 Each time: try the guess, f(x) ~ x ?? If it’s not a good guess try the next guess x i+1 = f(x i ) (define (fixed-point f first-guess) (define tolerance 0.00001) (define (close-enough? v1 v2) (< (abs (- v1 v2)) tolerance)) (define (try guess) (let ((next (f guess))) (if (close-enough? guess next) guess (try next)))) (try first-guess))

5 מבוא מורחב - שיעור 6 4 מבוא מורחב - שיעור 5 4 An example: f(x) = 1+1/x (define (f x) (+ 1 (/ 1 x))) (fixed-point f 1.0) X 1 = 1.0 X 2 = f(x 1 ) = 2 X 3 = f(x 2 ) = 1.5 X 4 = f(x 3 ) = 1.666666666.. X 5 = f(x 4 ) = 1.6 X 6 = f(x 5 ) = 1.625 X 7 = f(x 6 ) = 1.6153846… Exact fixed-point: 1.6180339… Note how odd guesses underestimate And even guesses Overestimate.

6 מבוא מורחב - שיעור 6 5 מבוא מורחב - שיעור 5 5 Another example: f(x) = 2/x (define (f x) (/ 2 x)) (fixed-point f 1.0) x 1 = 1.0 x 2 = f(x 1 ) = 2 x 3 = f(x 2 ) = 1 x 4 = f(x 3 ) = 2 x 5 = f(x 4 ) = 1 x 6 = f(x 5 ) = 2 x 7 = f(x 6 ) = 1 Exact fixed-point: 1.414213562…

7 מבוא מורחב - שיעור 6 6 מבוא מורחב - שיעור 5 6 How do we deal with oscillation? Consider f(x)=2/x. If guess is a number such that guess sqrt(2) So the average of guess and 2/guess is always an even Better guess. So, we will try to find a fixed point of g(x)= (x + f(x))/2 For f(x)=2/x this gives: g(x)= (x + 2/x)/2 Notice that g(x) = (x +f(x)) /2 has the same fixed points as f.

8 מבוא מורחב - שיעור 6 7 מבוא מורחב - שיעור 5 7 X = 2G = 1 X/G = 2G = ½ (1+ 2) = 1.5 X/G = 4/3G = ½ (3/2 + 4/3) = 17/12 = 1.416666 X/G = 24/17G = ½ (17/12 + 24/17) = 577/408 = 1.4142156 To find an approximation of x: Make a guess G Improve the guess by averaging G and x/G Keep improving the guess until it is good enough

9 מבוא מורחב - שיעור 6 8 מבוא מורחב - שיעור 5 8 Extracting the common pattern: average-damp (define (average-damp f) ;outputs g(x)=(x+f(x))/2 (lambda (x) (average x (f x)))) average-damp: (number  number)  (number  number) ((average-damp square) 10) ((lambda (x) (average x (square x))) 10) (average 10 (square 10)) 55

10 מבוא מורחב - שיעור 6 9 מבוא מורחב - שיעור 5 9 … which gives us a clean version of sqrt (define (sqrt x) (fixed-point (average-damp (lambda (y) (/ x y))) 1)) Compare this to our previous implementation of sqrt – same process. For the cubic root of x, fixed point of f(y) = x/y 2 (define (cubert x) (fixed-point (average-damp (lambda (y) (/ x (square y)))) 1))

11 מבוא מורחב - שיעור 6 10 מבוא מורחב - שיעור 5 10 Further abstraction (define (osc-fixed-point f first-guess) (fixed-point (average-damp f) first-guess)) (define (sqrt x) (osc-fixed-point (lambda (y) (/ x y)) 1.0) (define (cubert x) (osc-fixed-point (lambda (y) (/ x (square y))) 1.0)

12 מבוא מורחב - שיעור 6 11 מבוא מורחב - שיעור 5 11 Newton’s method A solution to the equation: F(x) = 0 is a fixed point of: G(x) = x - F(x)/F’(x) (define (newton-transform f) (lambda (x) (- x (/ (f x) ((deriv f) x))))) (define (newton-method f guess) (fixed-point (newton-transform f) guess)) (define (sqrt x) (newton-method (lambda (y) (- (square y) x)) 1.0))

13 מבוא מורחב - שיעור 6 12 מבוא מורחב - שיעור 5 12 Further abstraction (define (fixed-point-of-transform f transform guess) (fixed-point (transform f) guess)) (define (osc-fixed-point f guess) (fixed-point-of-transform f average-damp guess)) (define (newton-method f guess) (fixed-point-of-transform f newton-transform guess))

14 מבוא מורחב - שיעור 6 13 Primality testing A natural number n is prime iff the only natural numbers dividing n are 1 and n. The following are prime: 2, 3, 5, 7, 11, 13, … and so are 1299709, 15485863, 22801763489, … There is an infinite number of prime numbers. Is 2 101 -1=2535301200456458802993406410751 prime? How do we check whether a number is prime? How do we generate huge prime numbers? Why do we care?

15 מבוא מורחב - שיעור 6 14 Naïve solution: Finding the smallest divisor (define (prime? n) (= n (find-smallest-divisor n 2))) (define (divides? a b) (= (remainder b a) 0)) (define (find-smallest-divisor n i) (cond ((divides? i n) i) (else (find-smallest-divisor n (+ i 1))))) Space complexity is:  (1) For prime n we have time complexity n. If n is a 100 digit number we will wait “for ever”.

16 מבוא מורחב - שיעור 6 15 An improvement (define (prime? n) (= n (find-smallest-divisor n 2))) (define (divides? a b) (= (remainder b a) 0)) (define (find-smallest-divisor n i) (cond ((> (square i) n) n) ((divides? i n) i) (else (find-smallest-divisor n (+ i 1))))) For prime n we have time complexity:  (  n) Worst case space complexity:  (1) Still, if n is a 100 digit number, it is completely infeasible.

17 מבוא מורחב - שיעור 6 16 We can prove that a number is not prime without explicitly finding a divisor of it. Randomness is useful in computations! Is there a more efficient way of checking primality? Yes! At least if we are willing to accept a tiny probability of error.

18 מבוא מורחב - שיעור 6 17 The Fermat Primality Test Fermat’s little theorem: If n is a prime number then: a n  a (mod n), for every integer a The Fermat Test: Do 100 times: Pick a random 1<a<n and compute a n (mod n). If a n  a (mod n), then n is not a prime. If all 100 tests passed, declare n to be a prime. Corollary: If a n ≠  a (mod n), for some a, then n is not a prime! Such an a is a witness to the compositeness of n.

19 מבוא מורחב - שיעור 6 18 Fast computation of modular exponentiation a b mod m (define (expmod a b m) (cond ((= b 0) 1) ((even? b) (remainder (expmod (remainder (* a a) m) (/ b 2) m) m)) (else (remainder (* a (expmod a (- b 1) m)) m))))

20 מבוא מורחב - שיעור 6 19 Implementing Fermat test (define (test a n)(= (expmod a n n) a)) (define (rand-test n) (test (+ 1 (random (- n 1))) n)) ; note - (random m) returns a random number ; between 0 and m-1 (define (fermat-test n k); (cond ((= k 0) #t) ((rand-test n) (fermat-test n (- k 1))) (else #f))) Worst-case time complexity:  (log n) if k is constant Even if n is a 1000 digit number, it is still okay!

21 מבוא מורחב - שיעור 6 20 Is the Fermat test correct? If the Fermat test says that a number n is composite, then the number n is indeed a composite number. If n is a prime number, the Fermat test will always say that n is prime. But, Can the Fermat test say that a composite number is prime? What is the probability that this will happen?

22 מבוא מורחב - שיעור 6 21 Carmichael numbers A composite number n is a Carmichael number iff a n  a (mod n) for every integer a. The first Carmichael numbers are: 561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, 15841, … Theorem: n is a Carmichael number iff n=p 1 p 2 …p k, where p 1, p 2, …, p k are primes and p i -1 divides n-1, for i=1,…,k. On Carmichael numbers, the Fermat test is always wrong! Carmichael numbers are fairly rare. (There are 255 Carmichael numbers smaller than 100,000,000).

23 מבוא מורחב - שיעור 6 22 Theorem: (Rabin ’77) If n is a composite number that is not a Carmichael number, then at least half of the numbers between 1 and n are witnesses to the compositeness of n. Corollary: Let n be a composite number that is not a Carmichael number. If we pick a random number a, 1<a<n, then a is a witness with a probability of at least a 1/2 !

24 מבוא מורחב - שיעור 6 23 “Correctness” of the Fermat test If n is prime, the Fermat test is always right. If n is a Carmichael number, the Fermat test is always wrong! If n is composite number that is not a Carmichael number, the Fermat test is wrong with a probability of at most 2 -100. Is an error probability of 2 -100 acceptable? Yes!

25 מבוא מורחב - שיעור 6 24 The Rabin-Miller test A fairly simple modification of the Fermat test that is correct with a probability of at least 1-2 -100 also on Carmichael numbers. Will not be covered in this course.

26 מבוא מורחב - שיעור 6 25 Probabilistic algorithms An algorithm that uses random choices but outputs the correct result, with high probability, for every input! Randomness is a very useful algorithmic tool. Until the year 2002, there were no efficient deterministic primality testing algorithms. In 2002, Agarwal, Kayal and Saxena found a fast deterministic primality testing algorithm.

27 מבוא מורחב - שיעור 6 26 Finding large prime numbers The prime number Theorem: The number of prime numbers smaller than n is asymptotically n / ln n. Thus, for every number n, there is “likely” to be a prime number between n and n + ln n. To find a prime number roughly the size of (odd) n, simply test n, n+2, n+4, … for primality. (define (find-prime n t) (if (fermat-test n t) n (find-prime (+ n 2) t)))

28 מבוא מורחב - שיעור 6 27 > (find-prime (+ (exp 2 200) 1) 20) 1606938044258990275541962092341162602522202993782792835301 611 > (find-prime (+ (exp 2 500) 1) 20) 3273390607896141870013189696827599152216642046043064789483 29136809613379640467455488327009232590415715088668412756 0071009217256545885393053328527589431 > (find-prime (+ (exp 2 1000) 1) 20) 1071508607186267320948425049060001810561404811705533607443 75038837035105112493612249319837881569585812759467291755 31468251871452856923140435984577574698574803934567774824 23098542107460506237114187795418215304647498358194126739 87675591655439460770629145711964776865421676604298316526 24386837205668069673

29 מבוא מורחב - שיעור 6 28 Primality testing versus Factoring Fast primality testing algorithms determine that a number n is composite without finding any of its factors. No efficient factoring algorithms are known. Factoring a number is believed to be a much harder task. Primality testing - Easy Factoring - Hard Now: Use the ease of primality and hardness of factoring

30 מבוא מורחב - שיעור 6 29 Cryptography Eve Bob Alice

31 מבוא מורחב - שיעור 6 30 Traditional solution: classical cryptography Eve Bob Alice Encryption Decryption Encryption key Decryption key Hi Bob! #$%&*()

32 מבוא מורחב - שיעור 6 31 In classical cryptography: The two parties (Alice and Bob) should agree in advance on the encryption/decryption key. The encryption and decryption keys are either identical or easily derived from one another.

33 מבוא מורחב - שיעור 6 32 The internet age Eve Bob Alice Calvin Donald Felix

34 מבוא מורחב - שיעור 6 33 Public key cryptology A system in which it is infeasible to deduce the decryption key from the encryption key. Each user publishes an encryption key that should be used for sending messages to her, but keeps her decryption key private. Is it possible to construct secure public key cryptosystems?

35 מבוא מורחב - שיעור 6 34 The RSA public key cryptosystem [Rivest, Shamir, Adleman (1977)] Bob: Picks two huge primes p and q. Calculates n=pq, and announces n. Chooses and announce integer e prime to (p-1)(q-1) e and (p-1)(q-1) have no common divisor other than 1 Calculates the unique d such that de = 1 (mod (p-1)(q-1)) It is believed that computing d, without knowing p and q, is hard.

36 מבוא מורחב - שיעור 6 35 The RSA cryptosystem (cont.) To send a message m (0≤m<n) to Bob, Alice computes c=E Bob (m) and sends it to Bob. To decipher the message, Bob computes m=D Bob (c) E Bob (m) = m e (mod n) D Bob (m) = m d (mod n) Lemma: D Bob (E Bob (m)) = m

37 מבוא מורחב - שיעור 6 36 (define p 17) (define q 13) (define n (* p q)) (define base (* (- p 1) (- q 1))) (define e 35) (define d (find-d e base)) (display d) (define message 121) (display message) (newline) (define alice-message (expmod message e n) (newline) (define bob-decipher (expmod alice-message d n) (display bob-decipher) ; d = 11

38 מבוא מורחב - שיעור 6 37 Find-d (define (find-d e base) (define (guess d) (if ( = (remainder (* d e) base) 1) d (guess (+ d 1)) ) (guess 0) ) Obviously, not the way this is done for real numbers.. Why?

39 מבוא מורחב - שיעור 6 38 Some executions message 121 alice-message 127 bob-decipher 121 message 21 alice-message 200 bob-decipher 21 message 57 alice-message 216 bob-decipher 57

Download ppt "מבוא מורחב - שיעור 6 1 Lecture 6 High order procedures Primality testing The RSA cryptosystem."

Similar presentations

COMP 170 L2 Page 1 L06: The RSA Algorithm l Objective: n Present the RSA Cryptosystem n Prove its correctness n Discuss related issues.

COMP 170 L2 Page 1 L06: The RSA Algorithm l Objective: n Present the RSA Cryptosystem n Prove its correctness n Discuss related issues.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.
MS 101: Algorithms Instructor Neelima Gupta

MS 101: Algorithms Instructor Neelima Gupta
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
Lecture 8: Primality Testing and Factoring Piotr Faliszewski

Lecture 8: Primality Testing and Factoring Piotr Faliszewski
Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.

Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.
Primality Testing By Ho, Ching Hei Cheung, Wai Kwok.

Primality Testing By Ho, Ching Hei Cheung, Wai Kwok.
מבוא מורחב 1 Lecture #6. מבוא מורחב 2 Primality testing (application) Know how to test whether n is prime in  (log n) time => Can easily find very large.

מבוא מורחב 1 Lecture #6. מבוא מורחב 2 Primality testing (application) Know how to test whether n is prime in  (log n) time => Can easily find very large.
PPL Lecture 3 Slides by Dr. Daniel Deutch, based on lecture notes by Prof. Mira Balaban.

PPL Lecture 3 Slides by Dr. Daniel Deutch, based on lecture notes by Prof. Mira Balaban.
מבוא מורחב 1 Lecture 4 Material in the textbook on Pages 44-46, 50-53 of 2nd Edition Sections 1.2.4 and 1.2.6 + Hanoy towers.

מבוא מורחב 1 Lecture 4 Material in the textbook on Pages 44-46, of 2nd Edition Sections and Hanoy towers.
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
7. Asymmetric encryption-

7. Asymmetric encryption-
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
and Factoring Integers (I)

and Factoring Integers (I)
1 Fingerprint 2 Verifying set equality Verifying set equality v String Matching – Rabin-Karp Algorithm.

1 Fingerprint 2 Verifying set equality Verifying set equality v String Matching – Rabin-Karp Algorithm.

Similar presentations

Ads by Google