Chapter 1 Algorithms with Numbers
Bases and Logs How many digits does it take to represent the number N >= 0 in base 2? With k digits the largest number we can make: 1x2 k-1 + 1x2 k-2 + … + 1x x2 0 = 2 k - 1 Example: 1111 = 2 4 – 1 Answer: N = 2 k – 1 and solve for k
Bases and Logs Answer: N = 2 k – 1 and solve for k N + 1 = 2 k Log(N+1) = Log(2 k ) Log(N+1) = k ┌ Log(N+1) ┐ = k
Bases and Logs Log N is the power you raise 2 to get N 2 Log(N) = N For large N, Log(N) is much smaller than N N =1,073,741,834 Log(N) = 30 Which algorithm is better? O(N 2 ) or O(n Log N)
Bases and Logs Log N is the number of times you must halve N to get down to 1 Log N is the number of bits in the binary representation of N (Ceil (Log (N+1))) Log N is the depth of a complete binary tree with N nodes (Floor(Log n)) Log N is approximately the sum of 1 + ½ + 1/3 + … + 1/N
Addition of Binary Numbers Why isn’t binary addition O(1)? Don’t we have hardware operations for that? The sum of x + y is n + 1 bits at most Each individual bit gets computed in fixed amount of time Running time = c 0 + c 1 n = O(n)
Multiplication x _______ x ___ _________________ ___
Al Khwarizmi’s Method x _______ _______ _________________
Another Approach X * Y = 2(X * floor(Y/2)) if y is even X + 2(X * floor(Y/2)) if y is odd function multiply(X,Y) if Y = 0: return 0 Z = multiply(X,floor(Y/2)) if Y is even return 2 * Z else: return X + 2 * Z
Let X = 3 (imperative language) Y = 4 Z = X + Y (let ((X 3)(Y 4)) (+ X Y) ) (Scheme version) 3 4 XYXY (+ x y)
Sequence of Lets X = 3 Y = X Z = (+ X Y) (let ((X 3)) (let ((Y X)) (+ X Y))) (let* ((X 3) (Y X)) (+ X Y))
Sequence of Lets (let ((X 3)) (let ((Y X)) (+ X Y))) X 3 Y (+ X Y) (let* ((X 3) (Y X)) (+ X Y))
Division function divide(x,y) if x = 0: return (q,r) = (0,0) (q,r) = divide(floor(x/2),y) q = 2 q, r = 2 r if x is odd: r = r + 1 if r >= y: r = r – y, q = q + 1 return (q,r)
Modular Exponentiation function modexp(x, y, N) Input: Two n-bit integers x and N, an integer exponent y Output: x y mod N if y = 0: return 1 z = modexp(x, floor(y/2),N) if y is even: return z 2 mod N else: return x * z 2 mod N
Euclid’s GCD Algorithm function Euclid(a, b) Input: Two integers a and b with a b 0 Output: gcd(a, b) if b = 0: return a return Euclid(b, a mod b) Why is this O(n 3 )?
Extension to Euclid’s Algorithm If someone says “d is the gcd(a,b)”, how do we know? Lemma: if d divides both a and b, and d = ax + by for some integers x and y, then d is the gcd of a and b
Extended GCD Algorithm function Extended-Euclid(a, b) Input: Two positive integers a and b with a ≥ b ≥ 0 Output: Integers x, y, d such that d = gcd(a; b) and ax + by = d if b = 0: return (1, 0, a) (x’, y’ d) = Extended-Euclid(b, a mod b) return (y’, x’ – floor(a/b)y’, d)
Modular Division We say x is the multiplicative inverse of a modulo N if ax ≡ 1 (mod N). Not every integer has such a multiplicative inverse Example 2x ! ≡ 1 (mod 6) for any x. If gcd(a,N) = 1, a and N are relatively prime If a and N are relatively prime, the extended Euclid’s algorithm gives integers x and y such that ax + Ny = 1. (ax + Ny)MOD N = 1 MOD N, ax MOD N = 1 But then x is the multiplicative inverse of a mod N!
Modular Division Theorem For any a mod N, a has a multiplicative inverse if and only if it is relatively prime to N. When the inverse exists, it can be found in O(n 3 ) time (where n denotes the number of bits in N) by running the extended Euclid algorithm Example: Compute mod 25 Using EEA, 4(25) - 9(11) = 1. Reducing both sides mod 25 we have: -9 (11) ≡ 1 mod 25, so -9 ≡ 16 mod 25 is the inverse of 11 mod 25. In other words, if I want to divide by 11 mod 25, I can instead multiply by 16 mod 25
Another Example Let p = 17, q = 53 N = p * q = 17 * 53 = 901 Choose e relatively prime to (p-1)(q-1) = 16 * 52 = 832, so somewhat arbitrarily let e be 19. The public key is (901,19).
Public key is (901,19). Let the message be 123. Encrypting the message involves computing MOD 901 = 115 The encrypted message is 115 To decrypt the message we compute the inverse of 19 MOD (17-1)(53-1) = 19 MOD 832.
Computing the Inverse of 19 MOD 832 Using the extended Euclidean algorithm, we see that 219(19) + (-5)(832) = 1 Taking MOD on both sides we have (219(19) + (-5)(832)) MOD 832 = 1 MOD 832 and 219(19) = 1 MOD 832, since the addition of multiples of 832 can be removed In other words, 219 is the multiplicative inverse of 19 MOD 832. This makes the decryption function x 219 MOD 901
Decrypting with x 219 MOD 901 Use modexp to compute the expression MOD 901 = 123 ( ) 219 MOD 901 = 123
Implications For division mod N, we can only divide by integers that are relatively prime to N. To divide by s, we multiply by the inverse of s (s -1 ). To find the inverse of s MOD t, we run EEA on s and t. This produces a(s) + b(t) = 1 if s is relatively prime to t
Implications Applying MOD t results in (a(s) + b(t))MOD t = a(s) MOD t = 1 MOD t In other words, a = s -1 This technique relies heavily on finding large prime numbers p and q
Primality Testing Factoring is hard, primality is easy. Why? To test if N is prime, we can try to divide it by 2,3,5,7…, √N (We try to factor it) This approach still takes lots of time Fermat’s little theorem: If p is prime, then for every 1 ≤ a ≤ p a p-1 ≡ 1 mod p
Primality Testing Using FLT function primality(N) Input: Positive integer N Output: yes/no Pick a positive integer a < N at random if a N-1 ≡ 1 (mod N): return yes else: return no
Primality Testing There are no guarantees that this works! There are some composite integers that satisfy a N-1 ≡ 1 (mod N) 341 = 11 x 31 is not prime, and yet ≡ 1 mod 341. Even so, we hope the answer will be correct most of the time. It certainly works if N is prime
Primality Testing Carmichael numbers pass Fermat’s test for all a relatively prime to N For non-Carmichael numbers, a composite integer will fail for at least half the values of a where 1 ≤ a ≤ p If we randomly choose a, we have at least half a chance of the algorithm working correctly
A Primality Algorithm with Low Error Probability function primality2(N) Input: Positive integer N Output: yes/no Pick positive integers a 1,a 2,…, a k < N at random if a i N-1 ≡ 1 (mod N)for all i = 1,2,… k: return yes else: return no
A Primality Algorithm with Low Error Probability Pr(Algorithm 1.8 returns yes when N is not prime) ≤ 1/2 k Testing k = 100 values of a makes the probability of failure at most ,which is miniscule: far less, for instance, than the probability that a random cosmic ray will sabotage the computer during the computation!
Generating Primes Primes are abundant. A random n-bit number has roughly a one- in-n chance of being prime (actually about 1/(ln 2 n ) ≈ 1:44/n). For instance, About 1 in 20 social security numbers is prime!
Generating Primes Pick a random n-bit number N. Run a primality test on N. If it passes the test, output N; else repeat the process.
RSA Summary Pick any two primes p and q and let N = pq. For any e relatively prime to (p-1)(q -1): 1. The mapping x → x e mod N is a bijection on {0,1,…,N} 2. Moreover, the inverse mapping is easily realized: let d be the inverse of e modulo (p-1)(q -1). Then for all x {0,…,N}, (x e ) d ≡ x mod N:
Assignment Send me a public key (N,e), and I will send you a coded message x e MOD N. Send me the decoded message back in an . You get to choose N and e. The message I send will be a number less than N. In a real application the number could be an message in ASCII Grad Students: Compute two prime numbers p and q with 100 or more digits using Scheme. Generate N = p * q. Choose a suitable e. As before, send me (N, e) but also include your Scheme code for selecting primes.