chapter 11 - sections 5-7elise/courses/cs631/presentation.pdf · 11.5 11.6 11.7 outline 1 11.5 a...

11.511.611.7

Chapter 11Sections 5-7

Sam Demorest

April 15, 2015

Sam Demorest Chapter 11

11.511.611.7

Outline

1 11.5A Naive ExampleAn algorithm for improvementAn example of Algorithm 11.4

2 11.6Finding Large Prime NumbersSearching for Large PrimesChecking if a Number is PrimeModulo CongruenceAKS AlgorithmTime Complexity of AKS Test

3 11.7Public Key CryptosystemsTheorem 11.33


11.511.611.7

A Naive ExampleAn algorithm for improvementAn example of Algorithm 11.4

Example 11.51: Modulo Exponentiation

Example 11.51 provides us with an inefficient example of moduloexponentiation. We are asked to calculate ([7]20)11.

We can read this as: 711%20

([7]20)11 = [1977326743]20 = [3]20


11.511.611.7


Algorithm 11.4

1

1From the Neapolitan textSam Demorest Chapter 11

11.511.611.7


Example 11.52: Algorithm 11.4 in Action

Calculating ([m]n)k with the following conditions:

n = 257,m = 5, k = 45.

We can express 45 as 0b101101

{b5, b4, b3, b2, b1, b0} = {1, 0, 1, 1, 0, 1}in the table on the next slide, ki is represented as[bjbj−1 . . . bi ]2

In the next slide, we see a table of values calculates as thesteps involved in Algorithm 11.4 are performed.


11.511.611.7




n = 257,m = 5, k = 45.


{b5, b4, b3, b2, b1, b0} = {1, 0, 1, 1, 0, 1}

in the table on the next slide, ki is represented as[bjbj−1 . . . bi ]2



11.511.611.7




n = 257,m = 5, k = 45.


{b5, b4, b3, b2, b1, b0} = {1, 0, 1, 1, 0, 1}in the table on the next slide, ki is represented as[bjbj−1 . . . bi ]2



11.511.611.7


Algorithm Value Calculations

Theorem 11.26 After each iteration of the for-i loop in Algorithm11.4, a = ([m]n)ki . Since k0 = k , this means the final value of a is([m]n)k .


11.511.611.7

Finding Large Prime NumbersSearching for Large PrimesChecking if a Number is PrimeModulo CongruenceAKS AlgorithmTime Complexity of AKS Test

Why Large Primes?

Factoring primes is in the NP class of problems.

This makes encryption algorithms that rely on the difficulty ofprime factorization relatively secure.

Finding large primes can occur in polynomial time (as we willsee).


11.511.611.7


Prime Distribution

The Prime Distribution Function (π): The prime distributionfunction π(n) is the number of primes less than or equal to n.

Theorem 11.27:

limn→∞

π(n)

n/ ln n= 1

Due to this theorem, for large values of n, the distribution functioncan be approximated as n/ ln n, and so the probability of arandomly chosen large number being prime can be approximatedto:

n/ ln nn = 1

ln n


11.511.611.7


Prime Distribution

The Prime Distribution Function (π): The prime distributionfunction π(n) is the number of primes less than or equal to n.Theorem 11.27:

limn→∞

π(n)

n/ ln n= 1

Due to this theorem, for large values of n, the distribution functioncan be approximated as n/ ln n, and so the probability of arandomly chosen large number being prime can be approximatedto:

n/ ln nn = 1

ln n


11.511.611.7


Primality Testing

Finding a polynomial-time algorithm to determine primalityhas traditionally been a challenge.

The best we had for a long time was the Miller-RabinRandomized Primality Test, which is an efficient probabilisticmethod of determining primality.

In 2002, Agrawal, Kayal, and Saxena developed apolynomial-time deterministic (rather than probabilistic) testfor primality.


11.511.611.7


Miller-Rabin Randomized Primality Test

This test is fast and will always determine a truly primenumber to be prime.

The major disadvantage of this algorithm is that it maydetermine a composite number to be prime (with a lowprobability of this happening).


11.511.611.7


Modulo Congruence

Definition

Let f(x) and g(x) be polynomials with integral coefficients. If thecoefficients of each power of x are congruent modulo n, we saythat f(x) and g(x) are congruent modulo n, and we write:

f (x) ≡ g(x) mod n.


11.511.611.7


An example from the book: 11.55

(6x2 + 9x + 1) ≡ (2x2 + x − 3) mod 4

This is true because of the following equivalencies:

6 ≡ 2 mod 49 ≡ 1 mod 4

1 ≡ −3 mod 4


11.511.611.7


Lemma 11.2

Lemma 11.2: If n is prime then for all integers m,

(x −m)n ≡ (xn −m) mod n.


11.511.611.7


Relative Primality

Definition

Two positive integers are relative primes or coprimes if they shareno common factors except 1.

Theorem 11.28

Theorem

Suppose m and n are relatively prime. Then n is prime if and onlyif:

(x −m)n ≡ (xn −m) mod n


11.511.611.7


Theorem 11.29

Theorem 11.29

Theorem

Suppose n and r are prime. Then for all integers m,

(x −m)n ≡ (xn −m) mod (x r − 1, n)


11.511.611.7


AKS Algorithm for Determining Primality


11.511.611.7


Proof of correctness

Theorem 11.30

Theorem

If a prime number is the input to the AKS algorithm, the algorithmreturns true.

Proof: If n is prime, then for all r < n,

gcd(n, r) = 1,

which demonstrates that the first while loop will not return false.Since n and r are by definition coprime (as n is prime), Theorem11.29 dictates that false cannot be returned in the second whileloop.


11.511.611.7


Lemmas 11.3 & 11.4

Lemma 11.3: Suppose g(x) is a polynomial with integercoefficients and n is prime. Then

[g(x)]n ≡ g(xn) mod n

Lemma 11.4: Suppose g(x) is a polynomial with integercoefficients, and n and r are prime. Then,

[g(x)]n ≡ g(xn) mod (x r − 1, n)


11.511.611.7


Lemma 11.5 & Lemma 11.6

Lemma 11.5: If r and q are prime, q divides r -1, andq ≥ 4

√r log2(n), then q|ordr (n) if and only if:

nr−1q 6≡ 1 mod r .

Lemma 11.6: If n is composite, q is prime, and q divides q|ordr (n),then there is a prime factor p of n such that:

q|ordr (p).


11.511.611.7


Lemma 11.7

Lemma 11.7: Suppose the second while loop in the AKS algorithmis exited due to the value of switch being true. If p is as in Lemma11.6, and we let l = b2

√r log2 nc, then there is a polynomial:

g(x) = (x − 1)k1(x − 2)k2 . . . (x − l)kl

with the property:

Jg(x) = {m | g(x)m ≡ g(xm) mod (x r − 1, p)},then,

Jg(x) is closed under multiplication.

There is an integer such that for

m ≡ k mod r ,then

m ≡ k mod a.Sam Demorest Chapter 11

11.511.611.7


Theorem 11.31

Theorem 11.31: If a composite number is the input to the AKSPrimality Test, the algorithm returns false.Proof: We must consider the exit conditions for the first while loopin this algorithm. If the first while loop is exited because of itsreturn statement, we are done and false is returned. The loop canalso be exited if r = n− a, in wich case n must be prime. We mustassume that a composite number is entered and the while loop isexited because the variable switch has a value of true.


11.511.611.7


Theorem 11.31, Cont.

Owing to Lemma 11.5, q|ordr (n). Let us suppose a contradictionwhere the algorithm returns true. Then 1 ≤ m ≤ 1 = b2

√r log2 nc,

(x −m)n ≡ (nn −m) mod (x r − 1, n), which implies(x −m)n ≡ (xn −m) mod (x r − 1, p), which means

[g(x)]n ≡ g(xn) mod (x r − 1, p).


11.511.611.7



Therefore, n ∈ Jg(x) where Jg(x) is defined in Lemma 11.7. Also,p ∈ Jg(x), and trivially 1 ∈ Jg(x) due to Lemma 11.4.Consider the set:

E = {nipj |0 ≤ i , j ≤ b√rc}.

Owing to Lemma 11.7, E ∈ Jg(x), and

|E | = (1 + b√rc)2 > r .

. Then by the pigeonhole principle, there are two elements nipj

and nhpk in E with i 6= h or j 6= k such that

nipj ≡ nhpk mod r , andnipj ≡ nhpk mod a where a is as it was in Lemma 11.7.

.Sam Demorest Chapter 11

11.511.611.7



Since p|n, n is composite, and i , j ≤ b√rc,

nipj ≤ n√r(n2

)√r= n2

√r

2√r . Similarly, since h, k ≤ b

√rc,

nhpk ≤ n2√r

2√r .

Since a > n2√r

2 ,

nipj = nhpk mod r

Since p|n and either i 6= h or j 6= k , this implies for some integers ≥ 1 that n = ps . However, in the first part of the algorithm, wechecked whether n is in the form ps for s ≥ 2. Therefore s = 1and n is prime. This is a contradiction, and the theorem is proved.


11.511.611.7


Lemmas 11.8 & 11.9

Lemma 11.8: Let qmbe the largest prime factor of m. Then thereexists a positive constant c and integer N such that for n > N∣∣∣{p | p is prime, p ≤ n, and qp−1 > n2/3}

∣∣∣ ≥ c nlog2 n

.

Lemma 11.9: Let π(m) be the number of primes less than or equalto m. Then for m ≥ 1,

m6 log2 m

≤ π(m) ≤ 8mlog2 m


11.511.611.7


Lemma 11.10

Lemma 11.10: Given positive integers m and n, the product

(n − 1)(n2 − 1) . . . (nm − 1)

has at most m2 log2 n prime factors, and there are m terms.


11.511.611.7


Theorem 11.32

Theorem 11.32

Theorem

There exists positive constants c1 and c2 and integer N such thatfor every n > N there is a prime r in the interval(

c1(log2 n)6, c2(log2 n)6)

such that the largest prime factor q of r - 1 satisfies

q ≥ 4r1/2 log2 n and nr−1q 6≡ 1 mod r .


11.511.611.7


Worst Case Time Complexity for AKS Test

Basic operation: one-bit manipulation

Input size: The number of bits s required to encode n, whichis given by s = blog2 nc+ 1


11.511.611.7


AKS Worst-Time Proof

The AKS algorithm has many steps involved in it, the first ofwhich is determining whether n is a perfect power in the form k j .The number of roots checked here is O(s), where s is the inputsize, and n1/2, n1/3, . . . , n1/m, where m = blog2 nc.The timecomplexity of determining each root is O(s2). Therefore, this looptakes a total of O(s3) operations.


11.511.611.7


AKS Worst-Time Proof, Cont.

Theorem 11.32 allows us to determine that the number of passesthrough the first while loop is in O(s6). Since r < n, according toAlgorithm 11.1, the time complexity for gcd(n, r) is in O(s2).Determining if r is prime and finding the largest prime factor ofr − 1 takes O(r1/2s2), which Theorem 11.32 dictates is inO(s3s2) = O(s5) time. Thus, the total work in this loop is inO(s6s5) = O(s11).


11.511.611.7


AKS Worst-Time Proof, Cont.

Second While Loop: The number of passes through this loop is√r ∗ s, and owing to Theorem 11.32, tis means there will be

O(ss3) = O(s4) passes. Following Theorem 11.29, the complexityof finding congruence is O(rs2) if Fast Fourier multiplication isutilized. Thus, again owing to Theorem 11.32, the time complexityof each pass is O(s6s2) = O(s8). Therefore, the total timecomplexity of the second while loop is O(s8s4) = O(s12), which isthe dominating term in the polynomial expressing the complexityof this algorithm.


11.511.611.7

Public Key CryptosystemsTheorem 11.33

How Asymmetric Cryptosystems Work

Requires a public key and a private key.

Public and Private keys are inverses of each other.

Generally, a message is encrypted using the recipient’s publickey. Only the holder of the private key would then be able todecrypt this.

Sometimes a message is encrypted using the sender’s privatekey. Only the sender’s public key then can decrypt this. Thisis used to verify the identity of a sender (assuming the privatekey has not been compromised), and is called “signing” amessage.


11.511.611.7


Definitions

Definition

Encryption is the process of taking a readable message, andalgorithmically transforming it into something that is readable onlyunder special circumstances.

Definition

Cyphertext is the encoding of the message once it has beenencrypted using the recipient’s public key.

Definition

Decryption is the process of taking a cyphertext message andapplying an algorithm to transform that cyphertext back into areadable message.


11.511.611.7


The RSA Cryptosystem

1 Discover two very large prime numbers, p and q.

2 Compute

n = pqϕ(n) = (p − 1)(q − 1).

ϕ(n) comes from Theorem 11.17.

3 Select a smaller prime number g that is coprime with ϕ(n).

4 Compute the multiplicative inverse [h]ϕ(n) of [g ]ϕ(n). It hasbeen shown that [g ]ϕ(n)[h]ϕ(n) = [1]ϕ(n), and Corollary 11.8has shown that [h]ϕ(n) exists and is unique.

5 Let the public key pkey = (n, g), and the private (secret) keyskey = (n, h).


11.511.611.7


RSA Corrolaries

The set of permissible messages is Zn. The function correspondingto the public key pkey = (n, g) is

pub(b) = bg

where b ∈ Zn and the function corresponding to the private keyskey = (n, h) is

sec(b) = bh

These values must be inverses, otherwise the algorithm will notfunction as intended.


11.511.611.7


Theorem 11.33

Theorem

The functions pub(b) = bg and sec(b) = bh are inverses of eachother.

Proof: We are making the claim thatpub(sec(b)) = sec(pub(b)) = bgh for any b ∈ Zn.We need only show bgh = b.Let m ∈ b. As such, mgh ∈ bgh. We must show

[mgh]p = [m]p

Continued. . .


11.511.611.7


11.33 Proof Cont.

Since g and h are multiplicative inversesmod ϕ(n) = (p − 1)(q − 1), [gh](p−1)(q−1) = [1](p−1)(q−1), whichmeans there is an integer k such that:

gh = 1 + k(p − 1)(q − 1)

There are two cases we must consider.Case 1: Assume [m]p 6= [0]p. Then we haveContinued...


11.511.611.7


11.33 Proof Cont.

[mgh]p = [m1+k(p−1)(q−1)]p

= [m]p(

[m]p−1p

)k(q−1)

= [m]p[1]k(q−1)p

= [m]p

The third equality above is due to Theorem 11.22. Continued...


11.511.611.7


11.33 Proof Cont.

Case 2: If [m]p = [0]p,

[mgh]p = [m]ghp = [0]ghp = [0]p = [m]p.

This establishes that [mgh]q ≡ [m]q (Equality 11.32). Due to this,we can see that:

mgh ≡ m mod p andmgh ≡ m mod q. Therefore,mgh ≡ m mod n, which means

bgh = b.


chapter 11 - sections 5-7elise/courses/cs631/presentation.pdf · 11.5 11.6 11.7 outline 1 11.5 a...

Documents