CSE 521: Design and Analysis of Algorithms I

Similar documents
Introduction to Public-Key Cryptosystems:

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Factorization & Primality Testing

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

basics of security/cryptography

Lecture 11 - Basic Number Theory.

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

CIS 551 / TCOM 401 Computer and Network Security

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Number Theory and Algebra: A Brief Introduction

A Guide to Arithmetic

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Cryptography IV: Asymmetric Ciphers

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Ma/CS 6a Class 4: Primality Testing

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

10 Concrete candidates for public key crypto

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Applied Cryptography and Computer Security CSE 664 Spring 2018

Elementary Number Theory MARUCO. Summer, 2018

Iterated Encryption and Wiener s attack on RSA

The RSA cryptosystem and primality tests

Primality Testing- Is Randomization worth Practicing?

1. Algebra 1.7. Prime numbers

Great Theoretical Ideas in Computer Science

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

5199/IOC5063 Theory of Cryptology, 2014 Fall

Cryptography: Joining the RSA Cryptosystem

Math/Mthe 418/818. Review Questions

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

Lecture 1: Introduction to Public key cryptography

CPSC 467b: Cryptography and Computer Security

Lecture Notes, Week 6

ALG 4.0 Number Theory Algorithms:

Basic Algorithms in Number Theory

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Euler s ϕ function. Carl Pomerance Dartmouth College

Mathematical Foundations of Public-Key Cryptography

Discrete Math, Fourteenth Problem Set (July 18)

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Public Key Cryptography

Introduction to Cybersecurity Cryptography (Part 5)

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Ma/CS 6a Class 4: Primality Testing

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

A Few Primality Testing Algorithms

CSC 373: Algorithm Design and Analysis Lecture 30

Some Facts from Number Theory

ECE646 Lecture 11 Required Reading Chapter 8.3 Testing for Primality RSA Key Generation

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

1 Overview and revision

Discrete Mathematics GCD, LCM, RSA Algorithm

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Introduction to Number Theory

10 Public Key Cryptography : RSA

About complexity. We define the class informally P in the following way:

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Introduction to Modern Cryptography. Benny Chor

ECE596C: Handout #11

Public-Key Cryptosystems CHAPTER 4

Chapter 9 Basic Number Theory for Public Key Cryptography. WANG YANG

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

Introduction to Number Theory

Public Key Algorithms

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

download instant at

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Aspect of Prime Numbers in Public Key Cryptosystem

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Carmen s Core Concepts (Math 135)

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Mathematics of Cryptography

CPSC 467b: Cryptography and Computer Security

RSA RSA public key cryptosystem

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Public Key Cryptography

CS250: Discrete Math for Computer Science

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Congruence of Integers

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Math.3336: Discrete Mathematics. Mathematical Induction

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Transcription:

CSE 521: Design and Analysis of Algorithms I Randomized Algorithms: Primality Testing Paul Beame 1

Randomized Algorithms QuickSelect and Quicksort Algorithms random choices make them fast and simple but don t affect correctness Not only flavor of algorithmic use of randomness Def: A randomized algorithm A computes a function f with error at most ε iff For every input x the probability over the random choices of A that A outputs f(x) on input x is 1- ε Error at most 2-100 is practically just as good as 0 Chance of fault in hardware is larger 2

Primality Testing Given an n-bit integer N determine whether or not N is prime. Obvious algorithm: Try to factor N Try all divisors up to N 1/2 2 n/2. Best factoring algorithms run in 2 n1/3 time Rabin-Miller randomized algorithm If N is prime always outputs prime If N is composite outputs composite with probability 1-2 -2t outputs prime with probability 2-2t [AKS 2002] Polynomial-time deterministic algorithm. Much less efficient, though. 3

Rabin-Miller Algorithm If N is even then output prime if N=2 and composite otherwise and then halt Compute k and d such that N-1=2 k d where d is odd For j=1 to t do Choose random a from {1,,N-1} Compute b 0 =a d mod N using powering by repeated squaring For i=1 to k do Compute b i =b i-12 mod N = a 2i d mod N If b i =1 and b i-1 ±1 output composite and halt If b k = a N-1 mod N 1 output composite and halt Output prime Running time: O(tn) multiplications mod N 4

Rabin-Miller analysis We will prove slightly weaker bound: If N is prime always outputs prime If N is composite outputs composite with probability 1-2 -t outputs prime with probability 2 -t Whenever output is composite N is composite: Fermat s Little Theorem: If N is prime and a is in {1,,N-1} then a N-1 mod N =1 So a N-1 mod N 1 implies N is composite If b i =b i-1 2 mod N=1 then N divides (b i-1 2-1)=(b i-1-1)(b i-1 +1) so if N is prime then N divides (b i-1-1) or (b i-1 +1) and thus b i-1 = b i-1 mod N = ±1 So b i =1 and b i-1 ±1 implies N is composite 5

Some observations Let m be any integer > 0 If gcd(a,n)>1 for 0<a<N then N is composite but also gcd(a m,n)>1 so a m mod N 1 Algorithm will test m=n-1 and output composite Write Z N *={a 0<a<N and gcd(a,n)=1} Euclid s algorithm shows that every b in Z N * has an inverse b -1 in Z N * such that b -1 b mod N = 1 Let G m ={a in Z N * a m mod N = 1} Claim: If there is a b in Z N * but not in G m then G m Z N * /2. 6

Some observations Z N *={a 0<a<N and gcd(a,n)=1} Let G m ={a in Z N * a m mod N = 1} Claim: If there is a b in Z N * but not in G m then G m Z N * /2. Consider H m ={ba mod N a in G m } Z N *. Then H m = G m since ba 1 =ba 2 mod N implies a 1 =a 2 mod N Also for c in H m, c=ba mod N for some a in G m. so c m mod N=(ba) m mod N = b m a m mod N=b m mod N 1. 7

Carmichael Numbers So if there is even one a such that a N-1 mod N 1 then N is composite and at least half the possible a also satisfy this and the algorithm will output composite with probability ½on each time through the loop Chance of failure over t iterations 2 -t. Odd composite numbers (e.g. N=361) that have a N-1 mod N=1 for all a in Z N * are called Carmichael numbers Fact: Carmichael numbers are not powers of primes Only need to consider the case of N=q 1 q 2 where gcd(q 1,q 2 )=1 8

Rabin-Miller analysis Need the other part of the Rabin-Miller test If b i = a 2i d mod N =1 and b i-1 = a 2i-1 d mod N ±1 output composite Chinese Remainder Theorem: If N=q 1 q 2 where gcd(q 1,q 2 )=1 then for every r 1, r 2 with 0 r i q i -1 there is a unique integer M in {0,,N-1} such that M mod q i = r i for i=1,2. (One-to-one correspondence between integers M and pairs r 1, r 2 ) M=1 (1,1), M=-1=N-1 (q 1-1, q 2-1)=(-1,-1) Other values of M such that M 2 mod N=1 correspond to pairs (1,-1) and (-1,1) 9

Finishing up Consider the largest i such that there is some a 1 in Z N * with a 1 2 i-1 d mod N=-1 and let r i = a 1 mod q i Since a 1 1, (r 1,r 2 ) (1,1). Assume wlog r 1 1. Let G={a in Z N * a 2i-1 d mod N=±1} By Chinese Remainder Theorem consider b in Z N * corresponding to the pair (r 1,1). Then b 2i d mod q 1 =1 and b 2i d mod q 2 =1 so b 2i d mod N=1 But b 2i-1 d mod q 1 = -1 and b 2i-1 d mod q 2 =1 so b 2i-1 d mod N ±1 By similar reasoning as before every element of H={ba a in G} is in Z N * but not in G so G Z N * /2 and the algorithm will choose an element not in G with probability ½ per iteration and output composite with probability 1-2 -t overall 10

Relationship to Factoring In the second case the algorithm finds an x such that x 2 mod N =1 but x mod N ±1 Then N divides (x 2-1)=(x+1)(x-1) but N does not divide (x+1) or (x-1) Therefore N has a non-trivial common factor with both x+1 and x-1 Can partially factor N by computing gcd(x-1,n) Finding pairs x and y such that x 2 mod N=y 2 but x ±y is the key to most practical algorithms for factoring (e.g. Quadratic Sieve) 11

Basic RSA Application Choose two random n-bit primes p, q Repeatedly choose n-bit odd numbers and check whether they are prime The probability that an n-bit number is prime is Ω(1/n) by the Prime Number Theorem so only O(n) trials required on average Public Key is N=pq and random e in Z N * Encoding message m is m e mod N Secret Key is (p,q) which allows one to compute φ(n)= N-p-q+1 and d=e -1 mod φ(n) Decryption of ciphertext c is c d mod N Note: Some implementations (e.g. PGP) don t do full Rabin-Miller test 12

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback