Discrete Math, Fourteenth Problem Set (July 18)

Similar documents
Algebra Review. Instructor: Laszlo Babai Notes by Vincent Lucarelli and the instructor. June 15, 2001

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Discrete Math, Second Problem Set (June 24)

Homework #2 solutions Due: June 15, 2012

Theoretical Cryptography, Lecture 13

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

ECEN 5022 Cryptography

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Theoretical Cryptography, Lectures 18-20

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

Winter Camp 2009 Number Theory Tips and Tricks

CSE 521: Design and Analysis of Algorithms I

Lecture 6: Cryptanalysis of public-key algorithms.,

6]. (10) (i) Determine the units in the rings Z[i] and Z[ 10]. If n is a squarefree

Factorization & Primality Testing

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

8 Primes and Modular Arithmetic

Number Theory. Modular Arithmetic

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Algorithms CMSC Basic algorithms in Number Theory: Euclid s algorithm and multiplicative inverse

CMSC Discrete Mathematics SOLUTIONS TO SECOND MIDTERM EXAM November, 2005

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

Mathematical Foundations of Cryptography

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Primes. Rational, Gaussian, Industrial Strength, etc. Robert Campbell 11/29/2010 1

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

M3P14 LECTURE NOTES 8: QUADRATIC RINGS AND EUCLIDEAN DOMAINS

1. multiplication is commutative and associative;

Applied Cryptography and Computer Security CSE 664 Spring 2018

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

Number theory (Chapter 4)

Definition For a set F, a polynomial over F with variable x is of the form

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

MATH 361: NUMBER THEORY FOURTH LECTURE

14.1 Finding frequent elements in stream

Chapter 4 Finite Fields

Linear Algebra, 3rd day, Wednesday 6/30/04 REU Info:

NUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:

ZEROS OF POLYNOMIAL FUNCTIONS ALL I HAVE TO KNOW ABOUT POLYNOMIAL FUNCTIONS

1. Algebra 1.7. Prime numbers

7.2 Applications of Euler s and Fermat s Theorem.

Integer factorization, part 1: the Q sieve. D. J. Bernstein

MATH 4400 SOLUTIONS TO SOME EXERCISES. 1. Chapter 1

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

Basic elements of number theory

Basic elements of number theory

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

Entry Number:2007 mcs Lecture Date: 18/2/08. Scribe: Nimrita Koul. Professor: Prof. Kavitha.

RSA Cryptosystem and Factorization

CHAPTER 10: POLYNOMIALS (DRAFT)

PRACTICE PROBLEMS: SET 1

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

LECTURE NOTES IN CRYPTOGRAPHY

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

CHAPTER 14. Ideals and Factor Rings

Elliptic Curves Spring 2013 Lecture #4 02/14/2013

A Few Primality Testing Algorithms

Basic Algorithms in Number Theory

Computations/Applications

1 2 3 style total. Circle the correct answer; no explanation is required. Each problem in this section counts 5 points.

Math 312/ AMS 351 (Fall 17) Sample Questions for Final

Public-key Cryptography: Theory and Practice

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Practice Number Theory Problems

Solution Sheet (i) q = 5, r = 15 (ii) q = 58, r = 15 (iii) q = 3, r = 7 (iv) q = 6, r = (i) gcd (97, 157) = 1 = ,

Dixon s Factorization method

CHAPTER 3. Congruences. Congruence: definitions and properties

IRREDUCIBILITY TESTS IN F p [T ]

The Berlekamp algorithm

Modular Arithmetic Instructor: Marizza Bailey Name:

1 Overview and revision

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

Chapter 5: The Integers

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Some Facts from Number Theory

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

The Chinese Remainder Theorem

COMP4109 : Applied Cryptography

Chapter 14: Divisibility and factorization

Lecture 7: Polynomial rings

12x + 18y = 50. 2x + v = 12. (x, v) = (6 + k, 2k), k Z.

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Rings and modular arithmetic

ANALYZING THE QUADRATIC SIEVE ALGORITHM

Cryptography. Number Theory with AN INTRODUCTION TO. James S. Kraft. Lawrence C. Washington. CRC Press

CS280, Spring 2004: Prelim Solutions

A Course in Computational Algebraic Number Theory

Lecture 7.5: Euclidean domains and algebraic integers

Math 109 HW 9 Solutions

Rings. Chapter 1. Definition 1.2. A commutative ring R is a ring in which multiplication is commutative. That is, ab = ba for all a, b R.

Transcription:

Discrete Math, Fourteenth Problem Set (July 18) REU 2003 Instructor: László Babai Scribe: Ivona Bezakova 0.1 Repeated Squaring For the primality test we need to compute a X 1 (mod X). There are two problems with the straightforward method (multiplying X 1 copies of a and reducing modulo X). First, the resulting number a X 1 has exponentially many digits (nearly 2 n binary digits if X has n binary digits and a = 2). The space requirement can be reduced to linear in the bit-length of the input by doing all operations modulo X. Second, an exponential number of modular multiplications is needed, namely X 2 2 n. We can reduce this number to n by repeated squaring see the Pseudocodes for basic algorithms in Number Theory handout. 0.2 Factoring of integers Given a number X we want to find its prime factors. The trial division method tests all integers up to X, requiring 2 n/2 trials where n is the bit-length of X. Several factoring algorithms are known which run in time 2 c n log n. While this is still very far from polynomial time, it is significantly better than trial division. We shall see the idea. Remark 0.1. The best factoring algorithm known, called the number field sieve, runs in time 2 c 3 n log 2 n [Lenstra, Lenstra, Manasse and Pollard (1990)]. This statement is based on some plausible but unproven number theoretic assumptions ( heuristic analysis ). Given the significance of factoring integers, efficient factoring algorithms are of great interest even if we cannot rigorously prove their efficiency. Dixon s remains the only factoring algorithm with a fully proven 2 c n log n upper bound on its running time. 0.3 Types of randomized algorithms A Las Vegas algorithm is an algorithm that runs in polynomial time and produces an answer with probability 1/2; alternatively, it may say don t know. Whenever an answer is produced, it is guaranteed to be correct. By repeating the algorithm k times using independent coin flips, the probability of not getting an answer is reduced to 1/2 k. 1

A Monte Carlo algorithm with one-sided error runs in polynomial time and it produces a correct answer with probability 1/2. The primality tests discussed in the previous class are examples of Monte Carlo algorithms with one-sided error, i. e., the answer X is composite is always correct but X is prime may be an incorrect answer; the probability that a composite X is misclassified as prime is less than 1/2 k (after k repetitions). 0.4 Representing a prime as a sum of two squares We proved in this class that if p is aq prime and p 1 (mod 4) then there exist integers a, b such that p = a 2 + b 2. The goal is to find such a and b in polynomial time (i. e., in time (log p) O(1) ). Rabin and Shallit showed that we can find a, b in randomized polynomial time (a Las Vegas algorithm). As a subroutine, they need to factor polynomials in F p. This can be done in randomized polynomial time using a Las Vegas algorithm by Berlekamp. (Polynomial-time factoring of polynomials over Q is a consequence of the lattice basis reduction algorithm. This algorithm does not work for factoring over F p and no deterministic polynomial-time algorithm is known for this case.) How can we guarantee that a factoring is correct? By multiplying the factors we can verify that the product equals the input polynomial. But we also need to test that the factors are irreducible. Indeed, we have a deterministic test for irreducibility of polynomials over F p. 0.5 Deterministic test of irreducibility of polynomials over F p Let f(x) F p [x] be a polynomial over F p. We say that f is irreducible if there do not exist polynomials g, h of lower degree than f such that f gh (mod p). Let F F p be the algebraic closure of F p. Let α F be a root of f, i.e. f(α) = 0. If f is an irreducible polynomial of degree k then F p [α] = F p k. Fermat s Little Theorem for F p k states that for all α F p k, if α 0 then α pk 1 = 1 (equality in the field F p k). Therefore x α divides g.c.d. (f, x pk 1 1) and since f is irreducible, this implies that f divides x pk 1 1. Moreover, f does not divide x pl 1 1 for any l < k. Exercise 0.2. Let f F p [x] be a polynomial of degree k. Prove that f is irreducible if and only if both of the following conditions hold: 1. f x pk 1 1; 2. ( l < k)(f x pl 1 1). Remark 0.3. Above we sketched the only if part. 2

Exercise 0.4. Given a polynomial f F p [x] and t 2 n, compute g.c.d. (f, x t 1) in time polynomial in n, log p, and the degree of f. Hint. Compute repeated squares x, x 2, x 4,... (mod f). Combining the preceding two exercises we obtain a polynomial time algorithm for testing irreducibility of polynomials over F p. 0.6 Las Vegas factoring of quadratic polynomials over F p Let f F p [x] be a quadratic polynomial. We want to factor f over F p. First we test whether f is irreducible; if so, we are done. Otherwise we know that f can be factored as f(x) = (x a)(x b) where a, b F p. We want to find a and b. Definition 0.5. We say that a polynomial g splits polynomial f if 1 g.c.d. (f, g) f. It suffices to find a polynomial that splits f. If a = b then f splits f. So if f does not split f then we know that a b. We may also assume that ab 0 (why?) Exercise 0.6. Prove: the roots of the polynomial x (p 1)/2 ( 1) are exactly the quadratic 1 residues mod p. (Note: we used this fact in proving that = ( 1) (p 1)/2 ; and this p fact in turn was one of the chief ingredients of our proof that primes 1 (mod 4) can be written as the sum of two squares.) We start with an easy case. Suppose ( ) a p ( ) b. In this case, according to the preceding p exercise, x (p 1)/2 1 splits f. ( ) ( ) a b If now =, our next trick is to consider the polynomials g r (x) = f(x + r). Ideally, p p ( ) ( ) a r b r we want to find r such that. Then x (p 1)/2 1 splits g r and therefore we p p can factor f. The next exercise shows that we have an excellent chance of finding r by just picking it at random. (( ) ( )) a r b r Exercise 0.7. Prove: For a random r F p the probability P 1/2. p p Exercise + 0.8. Generalize the algorithm to factoring polynomials of arbitrary degree over F p into their irreducible factors. 3

0.7 Back to the p = a 2 + b 2 problem In this section we describe the Rabin Shallit polynomial-time Las Vegas algorithm to represent a given prime of the form 4k + 1 as the sum of two squares. We know that 1 is a quadratic residue in F p for p 1 (mod 4), i.e. there exists t such that t 2 1 (mod p). Our first task is to find such t? This is equivalent to factoring the polynomial x 2 + 1 = (x + t)(x t) = x 2 t 2 F p [x]. Definition 0.9. The domain of Gaussian integers is defined as Z[i] = {a + bi : a, b Z}. Divisibility, primes, g.c.d. are defined among Gaussian integers the same way as among integers. (Recall: by definition, the greatest common divisor is not largest among the common divisors but one that is a common multiple of all common divisors. So its existence is not evident.) There are four units (numbers dividing 1) among Gaussian integers, 1, 1, i, and i. Let us take a look at Gaussian primes. 2 and 5 are not primes in Z[i] (because 5 = (2 + i)(2 i)) but 3 remains a prime. Exercise 0.10. For z = a + bi, let N(z) = a 2 + b 2 (the norm of z). Note that N(z) = z 2. Prove: N(zw) = N(z)N(w). Exercise 0.11. Prove: if z, w Z[i] and w z then N(w) N(z). Exercise 0.12. Prove that if p is a prime number (in Z) and p 1 (mod 4) then p is a prime in Z[x]. Exercise 0.13. If p is a prime number (in Z) and p 1 (mod 4) then p = a 2 + b 2 = (a + bi)(a bi). Prove: a + bi is prime in Z[i] (as is a bi). Hint. Suppose c + di a + bi. Compare their norms. Exercise 0.14. Prove that Euclid s algorithm works in Z[i]. (The remainder must have smaller norm than the divisor.) It follows that for z, w Z[i], g.c.d.(z, w) exists and is a linear combination of z and w with coefficients from Z[i]. Corollary 0.15. Every Gaussian integer has unique prime factorization in Z[i] (unique apart from order and units). (Prove!) The algorithm Let p 1 (mod 4). By factoring the polynomial x 2 + 1 over F p, we found, in Las Vegas polynomial time, and integer t such that p t 2 +1. Now t 2 +1 = (t+i)(t i). Since p = a 2 +b 2 (a, b unknown) and a + bi is a prime in Z[i], it follows that a + bi divides either t + i or t i (but not both why?). Therefore t + i splits p: if a + bi t + i then a + bi = g.c.d. (t + i, p). Otherwise, a bi = g.c.d. (t + i, p). In either case, we find a, b using Euclid s algorithm in Z[i]. Exercise + 0.16. Give an alternative proof of the theorem that primes 1 (mod 4) can be written as the sum of two squares. Use Gaussian integers. 4

0.8 Factoring integers in time, exponential in n log n J. Dixon was the first to show that n-digit integers can be factored in e c n log n steps. Let X be an n-digit integer (X 2 n ) which we want to factor. Definition 0.17. We say that z is a v-smooth integer if all primes dividing z are v. Suppose we can find a, b such that a 2 b 2 (mod X) and a ±b (mod X). Then X divides (a + b)(a b) and a + b splits X. Exercise 0.18. If X is odd and not a prime power then there exist a, b such that a 2 b 2 (mod X) and a ±b (mod X). How do we find such a and b? Let v be a threshold number v = 2 n log n and let P = {p is a prime : p v}. Let r i {1,..., X} be a random number. Let s i = (r 2 i mod X). If s i is not v-smooth, discard it and try again. Let N = P. Keep generating the r i until N + 1 smooth numbers s i are found. Suppose s i = p α i 1 1... p α i N N (mod X) where P = {p 1,..., p N }. Consider the matrix α 1,1 α 1,2... α 1,N α 2,1 α 2,2... α 2,N...... α N+1,1 α N+1,2... α N+1,N Since this matrix is (N + 1) N, its rows are linearly dependent (mod 2). Therefore there exists a nonempty set S {1,..., N} such that ( j)( i S α ij = 2β j ). Thus ri 2 i S N j=1 p 2β j j (mod X) Let a := i S r i mod X and b := N j=1 pβ j j mod X. Now a 2 b 2 (mod X). There are two catches in this sketch. First, the smooth numbers have to happen sufficiently frequently. Second, the probability of a ±b (mod X) must be significant. The second claim seems more plausible and can be proven by using a clever counting argument. Here we present intuition behind the first claim. Let ψ(x, v) be the number of v-smooth numbers less than X. Let k = n/ log n, i.e. v k X. Clearly, ψ(v k, v) ( π(v) ) k > (π(v)/k) k (the product of any k primes v is smooth). What is the probability that a random number is smooth? ψ(v k, v) v k ( π(v) k ) ( k 1 v k ) c 1 n log n n/ log n 5 n/ log n = (c/n) n/ log n c n log n 1.

Thus, the expected number of trials to find a random smooth number is less than (1/c 1 ) n log n. Note, however, that the s i are not generated uniformly at random, so the actual proof is necessarily more delicate. But it uses the same simple lower bound on ψ(v k, v). 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback