Algorithms, Professor John Reif
ALG 4.0 Number Theory Algorithms: (a) GCD (b) Multiplicative Inverse (c) Fermat & Euler's Theorems (d) Public Key Cryptographic Systems (e) Primality Testing

Main Reading Selections: CLR, Chapter 33
Auxiliary Reading Selections: BB, Sections 8.5., 8.5.3, 8.6.
Handout: "Lecture Notes on the Complexity of Some Problems in Number Theory"

Greatest Common Divisor
GCD(u,v) = largest a such that a is a divisor of both u and v.

Euclid's Algorithm
procedure GCD(u,v)
begin
  if v = 0 then return(u)
  else return(GCD(v, u mod v))
end

Inductive proof of correctness: if a is a divisor of u and v, then a is a divisor of $u - \lfloor u/v \rfloor v = u \bmod v$ (and conversely), so GCD(u,v) = GCD(v, u mod v).
Time Analysis of Euclid's Algorithm
For n-bit numbers u, v: $T(n) \le T(n-1) + M(n) = O(n\,M(n))$, where M(n) = time to multiply two n-bit integers $= O(n \log n \log\log n)$.

Fibonacci worst case: $u = F_k$, $v = F_{k+1}$, where $F_0 = 0$, $F_1 = 1$, $F_{k+2} = F_{k+1} + F_k$ for $k \ge 0$.
$F_k \approx \phi^k / \sqrt{5}$ with $\phi = (1+\sqrt{5})/2$, so Euclid's Algorithm takes $\log_\phi(\sqrt{5}\,N) = O(n)$ stages when $N = \max(u,v)$.

Improved Algorithm (see AHU): $T(n) \le 2\,T(n/2) + O(M(n)) = O(M(n) \log n)$.

Extended GCD Algorithm
procedure ExGCD(u, v) where $u = (u_1, u_2, u_3)$, $v = (v_1, v_2, v_3)$
begin
  if $v_3 = 0$ then return(u)
  else return ExGCD(v, $u - \lfloor u_3 / v_3 \rfloor v$)
end

Theorem: ExGCD((1,0,x), (0,1,y)) = (x', y', GCD(x,y)) where $x x' + y y' = \mathrm{GCD}(x,y)$.
Proof: inductively one can verify on each call that $x u_1 + y u_2 = u_3$ and $x v_1 + y v_2 = v_3$.
Corollary: If gcd(x,y) = 1 then x' is the modular inverse of x modulo y.
Proof: we must show $x x' \equiv 1 \bmod y$. By the previous Theorem, $1 = x x' + y y' \equiv x x' \bmod y$, so $1 \equiv x x' \bmod y$. This gives an algorithm for the modular inverse!

Modular Laws
For n, let $x \equiv y$ if $x = y \bmod n$.
Law A: if $a \equiv b$ and $x \equiv y$ then $ax \equiv by$.
Law B: if $a \equiv b$ and $ax \equiv by$ and $\gcd(a,n) = 1$ then $x \equiv y$.
Let $\{a_1, \ldots, a_k\} \equiv \{b_1, \ldots, b_k\}$ if $a_i \equiv b_{j_i}$ for $i = 1, \ldots, k$ and $\{j_1, \ldots, j_k\} = \{1, \ldots, k\}$.
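The GCD, ExGCD and modular-inverse procedures above in working form, as an added example that is not part of the lecture notes: Euclid's recurrence, ExGCD on the slide's triple vectors with the theorem's invariant checked on the result, and the inverse the Corollary extracts from it. The sample inputs (240, 46) and (17, 3120) are constructed for illustration.

```python
# Added example (not from the lecture notes): Euclid's GCD, the triple-vector
# Extended GCD from the slides, and the modular inverse it yields.
from typing import Tuple

Triple = Tuple[int, int, int]


def gcd(u: int, v: int) -> int:
    """Euclid's algorithm: GCD(u, v) = GCD(v, u mod v), GCD(u, 0) = u."""
    while v != 0:
        u, v = v, u % v
    return u


def ex_gcd(u: Triple, v: Triple) -> Triple:
    """Slide recurrence: if v3 = 0 return u, else ExGCD(v, u - floor(u3/v3) * v).

    Invariant on every call (with u, v started as (1,0,x), (0,1,y)):
        x*u1 + y*u2 == u3   and   x*v1 + y*v2 == v3
    """
    if v[2] == 0:
        return u
    q = u[2] // v[2]
    return ex_gcd(v, (u[0] - q * v[0], u[1] - q * v[1], u[2] - q * v[2]))


def extended_gcd(x: int, y: int) -> Triple:
    """Returns (x', y', gcd(x, y)) with x*x' + y*y' == gcd(x, y)."""
    x_prime, y_prime, g = ex_gcd((1, 0, x), (0, 1, y))
    assert x * x_prime + y * y_prime == g  # the theorem's invariant on the output
    return x_prime, y_prime, g


def mod_inverse(x: int, y: int) -> int:
    """Corollary: if gcd(x, y) = 1 then x' is the inverse of x modulo y.
    The Bezout coefficient may be negative, so reduce it into [0, y)."""
    x_prime, _, g = extended_gcd(x, y)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {y}: gcd is {g}")
    return x_prime % y


if __name__ == "__main__":
    print(gcd(240, 46))              # 2
    print(extended_gcd(240, 46))     # (-9, 47, 2): 240*(-9) + 46*47 == 2
    print(mod_inverse(17, 3120))     # 2753, since 17 * 2753 = 46801 = 15*3120 + 1
```

The recursion depth of `ex_gcd` is the number of Euclid stages, which the time analysis bounds by O(n) for n-bit inputs, so it stays well within Python's default recursion limit for any practical modulus.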
Fermat's Little Theorem (proof by Euler)
If n is prime then $a^n \equiv a \bmod n$.
Proof: if $a \equiv 0$ then $a^n \equiv 0 \equiv a$. Else suppose $\gcd(a,n) = 1$. Then $x \equiv ay$ for $y \equiv a^{-1} x$ and any x, so $\{a, 2a, \ldots, (n-1)a\} \equiv \{1, 2, \ldots, n-1\}$.
So by Law A, $(a)(2a) \cdots ((n-1)a) \equiv (n-1)!$, so $a^{n-1} (n-1)! \equiv (n-1)!$. So by Law B, $a^{n-1} \equiv 1 \bmod n$.

Euler's Theorem
$\varphi(n)$ = number of integers in $\{1, \ldots, n-1\}$ relatively prime to n.
If $\gcd(a,n) = 1$ then $a^{\varphi(n)} \equiv 1 \bmod n$.
Proof: let $b_1, \ldots, b_{\varphi(n)}$ be the integers $< n$ relatively prime to n.
Lemma: $\{b_1, \ldots, b_{\varphi(n)}\} \equiv \{ab_1, ab_2, \ldots, ab_{\varphi(n)}\}$.
Proof: if $ab_i \equiv ab_j$ then by Law B, $b_i \equiv b_j$. Since $1 = \gcd(b_i, n) = \gcd(a, n)$, $\gcd(ab_i, n) = 1$, so $ab_i \equiv b_{j_i}$ for $\{j_1, \ldots, j_{\varphi(n)}\} = \{1, \ldots, \varphi(n)\}$.
By Law A and the Lemma, $(ab_1)(ab_2) \cdots (ab_{\varphi(n)}) \equiv b_1 b_2 \cdots b_{\varphi(n)}$, so $a^{\varphi(n)} b_1 \cdots b_{\varphi(n)} \equiv b_1 \cdots b_{\varphi(n)}$. By Law B, $a^{\varphi(n)} \equiv 1 \bmod n$.

Taking Powers mod n
Problem: compute $a^e \bmod b$ where $e = e_k e_{k-1} \cdots e_1 e_0$ is the binary representation, i.e. $e = \sum_{i=0}^{k} e_i 2^i$.
Method by "Repeated Squaring":
[1] $X \leftarrow 1$
[2] for $i = k, k-1, \ldots, 0$ do begin $X \leftarrow X^2 \bmod b$; if $e_i = 1$ then $X \leftarrow X a \bmod b$ end
[3] output $X = a^{\sum_{i=0}^{k} e_i 2^i} = a^e \bmod b$
Time cost: O(k) multiplications and additions mod b, where k = # bits of e.
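The repeated-squaring method of steps [1] to [3] as running code, together with a brute-force $\varphi(n)$ so that Euler's Theorem from the preceding slides can be checked with it. This is an added example, not code from the lecture notes; the inputs used in the demonstration are constructed.

```python
# Added example, not from the lecture notes: a^e mod b by the repeated-squaring
# loop of steps [1]-[3], plus a brute-force phi(n) used to check Euler's Theorem.
from math import gcd


def pow_mod(a: int, e: int, b: int) -> int:
    """Return a^e mod b, scanning the bits of e from the most significant down.

    After processing bit i, X = a^(the bits of e above and including i) mod b,
    so the loop costs O(k) squarings and multiplications for a k-bit exponent.
    """
    if b <= 0 or e < 0:
        raise ValueError("need b > 0 and e >= 0")
    k = e.bit_length()                # number of bits of e
    x = 1 % b                         # [1] X <- 1 (the "% b" keeps b == 1 correct)
    for i in range(k - 1, -1, -1):    # [2] for i = k-1, ..., 0 (e_i is bit i of e)
        x = (x * x) % b               #     X <- X^2 mod b
        if (e >> i) & 1:              #     if e_i = 1 then X <- X*a mod b
            x = (x * a) % b
    return x                          # [3] output X = a^e mod b


def euler_phi(n: int) -> int:
    """phi(n) = number of integers in {1, ..., n-1} relatively prime to n (brute force)."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)


def euler_theorem_holds(a: int, n: int) -> bool:
    """Check a^phi(n) = 1 mod n for gcd(a, n) = 1 using the routine above."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's Theorem needs gcd(a, n) = 1")
    return pow_mod(a, euler_phi(n), n) == 1


if __name__ == "__main__":
    print(pow_mod(4, 13, 497))           # 445
    print(euler_phi(3233))               # 3120 = (61-1)*(53-1)
    print(euler_theorem_holds(7, 3233))  # True
```

Python's built-in `pow(a, e, b)` does the same job; the hand-written loop is here to make the bit-by-bit cost visible, and `euler_phi` is brute force only because the examples are small.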
Rivest, Shamir, Adleman (RSA) Encryption Algorithm
M = integer message; e = "encryption integer" for user A; cryptogram $C = E(M) = M^e \bmod n$.
Method:
(1) Choose large random primes p, q; let $n = p \cdot q$.
(2) Choose a large random integer d relatively prime to $\varphi(n) = \varphi(p)\varphi(q) = (p-1)(q-1)$.
(3) Let e be the multiplicative inverse of d modulo $\varphi(n)$: $e d \equiv 1 \bmod \varphi(n)$ (require $e > \log n$, else try another d).

Theorem: If M is relatively prime to n, and $D(x) = x^d \pmod n$, then $D(E(M)) \equiv E(D(M)) \equiv M$.
Proof: $D(E(M)) \equiv E(D(M)) \equiv M^{ed} \bmod n$. Since $1 = \gcd(d, \varphi(n))$, there must $\exists\, k > 0$ s.t. $1 = -k\varphi(n) + de$. So $M^{ed} \equiv M^{k\varphi(n)+1} \bmod n$. Since $(p-1)$ divides $\varphi(n)$, by Euler's Theorem $M^{k\varphi(n)+1} \equiv M \bmod p$. By symmetry, $M^{k\varphi(n)+1} \equiv M \pmod q$. Hence $M^{ed} \equiv M^{k\varphi(n)+1} \equiv M \bmod n$.
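An added example, not code from the lecture notes, that carries out steps (1) to (3) in the slide's order and then checks the Theorem exhaustively on a toy modulus. The primes $p = 61$, $q = 53$ and the choice $d = 2753$ are constructed values (real keys use large random primes); Python's built-ins `pow(x, y, n)` and `pow(d, -1, m)` (Python 3.8 and later) stand in for the repeated-squaring and ExGCD routines of the earlier slides.

```python
# Added example, not from the lecture notes: RSA set up in the slide's order
# (p, q; then d coprime to phi(n); then e = d^-1 mod phi(n)) with E and D.
# p = 61, q = 53, d = 2753 are constructed toy values.
from math import gcd
from typing import Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def keygen(p: int, q: int, d: int) -> Tuple[Key, Key]:
    """Return ((e, n), (d, n)) for the slide's steps (1)-(3), or raise if d is unusable."""
    n = p * q                                      # (1)
    phi = (p - 1) * (q - 1)                        # phi(n) = phi(p) phi(q)
    if gcd(d, phi) != 1:                           # (2) d must be relatively prime to phi(n)
        raise ValueError("d is not relatively prime to phi(n); try another d")
    e = pow(d, -1, phi)                            # (3) e*d = 1 mod phi(n)
    if e <= n.bit_length():                        # "require e > log n" (log base 2 here)
        raise ValueError("e too small; try another d")
    return (e, n), (d, n)


def encrypt(m: int, public: Key) -> int:
    e, n = public
    return pow(m, e, n)          # C = E(M) = M^e mod n


def decrypt(c: int, private: Key) -> int:
    d, n = private
    return pow(c, d, n)          # D(x) = x^d mod n


def roundtrip_holds(public: Key, private: Key) -> bool:
    """Theorem check: D(E(M)) = E(D(M)) = M for every M relatively prime to n."""
    _, n = public
    return all(
        decrypt(encrypt(m, public), private) == m == encrypt(decrypt(m, private), public)
        for m in range(1, n) if gcd(m, n) == 1
    )


if __name__ == "__main__":
    public, private = keygen(61, 53, 2753)
    print(public, private)                   # (17, 3233) (2753, 3233)
    c = encrypt(65, public)
    print(c, decrypt(c, private))            # 2790 65
    print(roundtrip_holds(public, private))  # True
```

Note that `roundtrip_holds` enumerates every residue, which is only possible because n is tiny; its purpose is to show that the Theorem's condition (M relatively prime to n) is the only one needed for the round trip.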
Security of RSA Cryptosystem
Theorem: If one can compute d in polynomial time, then one can factor n in polynomial time.
Proof: $e d - 1$ is a multiple of $\varphi(n)$. But Miller has shown one can factor n from any multiple of $\varphi(n)$.
Corollary: If one can find d' s.t. $M^{d'} \equiv M^d \bmod n$, then d' differs from d by a multiple of $\mathrm{lcm}(p-1, q-1)$, so one can factor n.

Rabin's Public Key Crypto System
Use private large primes p, q; public key $n = p \cdot q$. Message M; cryptogram $M^2 \bmod n$.
Theorem: If the cryptosystem can be broken, then one can factor the key n.
Proof: $a = M^2 \bmod n$ has solutions $M = g, b, n-g, n-b$ where $b \notin \{g, n-g\}$. But then $g^2 - b^2 = (g-b)(g+b) \equiv 0 \bmod n$. So either (1) $p \mid (g-b)$ and $q \mid (g+b)$, or (2) $q \mid (g-b)$ and $p \mid (g+b)$. In either case, two independent solutions for M give a factorization of n, i.e., a factor of n is $\gcd(n, g-b)$.

Rabin's Algorithm for factoring n, given a way to break his cryptosystem:
Choose random b, $1 < b < n$, s.t. $\gcd(b,n) = 1$. Let $a = b^2 \bmod n$. Find M s.t. $M^2 \equiv a \bmod n$ by the assumed way to break the cryptosystem. With probability 1/2, $M \notin \{b, n-b\}$, so factors of n are found; else repeat with another b.
Note: the expected number of rounds is 2.
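The reduction above run on a toy modulus, as an added example that is not part of the lecture notes. The "assumed way to break the cryptosystem" is replaced by brute-force enumeration of square roots, which is feasible only because $n = 77 = 7 \cdot 11$ is tiny; the rest follows the slide's steps, and the random seed is a constructed value.

```python
# Added example, not from the lecture notes: Rabin's reduction from factoring n
# to extracting square roots mod n. square_roots() is a brute-force stand-in for
# the assumed cryptosystem breaker (feasible only for toy n such as 77 = 7 * 11).
import random
from math import gcd
from typing import List, Optional, Tuple


def square_roots(a: int, n: int) -> List[int]:
    """All M in [0, n) with M^2 = a mod n (stand-in for the assumed oracle)."""
    return [m for m in range(n) if (m * m) % n == a % n]


def factor_from_roots(n: int, b: int, m: int) -> Optional[int]:
    """If b^2 = m^2 mod n and m is not in {b, n-b}, return the factor gcd(n, b-m).

    Because n | (b-m)(b+m) while n divides neither (b-m) nor (b+m), the gcd is a
    proper divisor of n. Returns None when m is one of the two "useless" roots.
    """
    if m % n in (b % n, (-b) % n):
        return None
    g = gcd(n, (b - m) % n)
    assert 1 < g < n, "two independent square roots must split n"
    return g


def rabin_factor(n: int, seed=None) -> Tuple[int, int]:
    """Rabin's loop: random b with gcd(b,n)=1, a = b^2 mod n, ask the oracle for a
    root m of a; with probability 1/2 m is not in {b, n-b} and gcd(n, b-m) splits n.
    Returns (factor, number of rounds used)."""
    rng = random.Random(seed)
    rounds = 0
    while True:
        b = rng.randrange(2, n)                  # 1 < b < n
        if gcd(b, n) != 1:                       # slide requires gcd(b, n) = 1; pick again
            continue
        rounds += 1
        a = (b * b) % n
        m = rng.choice(square_roots(a, n))       # the oracle answers with some root of a
        f = factor_from_roots(n, b, m)
        if f is not None:
            return f, rounds


if __name__ == "__main__":
    print(square_roots(4, 77))           # [2, 9, 68, 75]
    print(factor_from_roots(77, 2, 9))   # 7
    print(rabin_factor(77, seed=0))      # (7 or 11, number of rounds)
```

Whatever root the oracle returns, any nontrivial gcd is a genuine factor, which is why the loop can stop at the first useful answer; the number of rounds is the geometric quantity the slide's "expected number of rounds" refers to.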
Quadratic Residues
a is a quadratic residue of n if $x^2 \equiv a \bmod n$ has a solution.

Jacobi Function
$J(a,n) = 1$ if $\gcd(a,n) = 1$ and a is a quadratic residue of n; $-1$ if $\gcd(a,n) = 1$ and a is not a quadratic residue of n; $0$ if $\gcd(a,n) \ne 1$.
Euler: If n is an odd prime and $\gcd(a,n) = 1$, then a is a quadratic residue of n iff $a^{(n-1)/2} \equiv 1 \bmod n$.
Gauss's Quadratic Reciprocity Law: if p, q are odd primes, $J(p,q)\,J(q,p) = (-1)^{(p-1)(q-1)/4}$.
Rivest Algorithm:
$J(a,n) = 1$ if $a = 1$; $J(a/2, n)\,(-1)^{(n^2-1)/8}$ if a is even; $J(n \bmod a, a)\,(-1)^{(a-1)(n-1)/4}$ otherwise.
Theorem (Pratt): PRIMES $\in$ NP.
Theorem (Fermat): $n > 1$ is prime iff $\exists\, x$, $1 < x < n$, with (1) $x^{n-1} \equiv 1 \bmod n$ and (2) $x^i \not\equiv 1 \bmod n$ for all $i \in \{1, 2, \ldots, n-2\}$.
Nondeterministic algorithm: input n. If $n = 2$ then output "prime". If $n = 1$ or (n even and $n > 2$) then output "composite". Else guess x to verify Fermat's Theorem:
Check (1): $x^{n-1} \equiv 1 \bmod n$.
To verify (2): guess the prime factorization of $n - 1 = n_1 n_2 \cdots n_k$; (a) recursively verify each $n_i$ prime; (b) verify $x^{(n-1)/n_i} \not\equiv 1 \bmod n$.
Note: if $x^{n-1} \equiv 1 \bmod n$, the least y s.t. $x^y \equiv 1 \bmod n$ must divide $n-1$. If $y < n-1$ then y divides $(n-1)/n_i$ for some i; let $a = (n-1)/(y n_i)$, so $x^{(n-1)/n_i} = x^{ya} \equiv 1 \bmod n$, contradicting (b). Hence $y = n-1$ and (2) holds.
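The nondeterministic algorithm above becomes a deterministic verifier once every "guess" is supplied as data, which is exactly what a Pratt certificate is. The following is an added example, not code from the lecture notes; the certificate for 97 (witness $x = 5$, $96 = 2^5 \cdot 3$) and for 3 (witness $x = 2$) is constructed here, and `verify_pratt` checks conditions (1), (a) and (b) from the slide.

```python
# Added example, not from the lecture notes: checking a Pratt certificate, i.e.
# the nondeterministic algorithm above with every "guess" supplied as data.
# The certificate for 97 (x = 5, 96 = 2^5 * 3) and for 3 (x = 2) is constructed here.
from typing import Dict, List, Tuple

# n -> (x, prime factors of n-1 listed with multiplicity)
Certificate = Dict[int, Tuple[int, List[int]]]

CERT_97: Certificate = {
    97: (5, [2, 2, 2, 2, 2, 3]),
    3: (2, [2]),
}


def verify_pratt(n: int, cert: Certificate) -> bool:
    """True iff cert proves n prime by the slide's conditions (1), (a) and (b)."""
    if n == 2:                               # base case: output "prime"
        return True
    if n < 2 or n % 2 == 0 or n not in cert:  # "composite", or nothing to check
        return False
    x, factors = cert[n]
    if not 1 < x < n:
        return False
    product = 1
    for f in factors:
        product *= f
    if product != n - 1:                     # the guessed factorization must be of n-1
        return False
    if pow(x, n - 1, n) != 1:                # (1) x^(n-1) = 1 mod n
        return False
    for f in set(factors):
        if not verify_pratt(f, cert):        # (a) each factor of n-1 is itself certified prime
            return False
        if pow(x, (n - 1) // f, n) == 1:     # (b) x^((n-1)/f) != 1 mod n, so x has order n-1
            return False
    return True


if __name__ == "__main__":
    print(verify_pratt(97, CERT_97))                                   # True
    print(verify_pratt(97, {**CERT_97, 97: (96, [2, 2, 2, 2, 2, 3])}))  # False: 96 = -1 has order 2
```

The second call shows why (b) matters: $x = 96 \equiv -1$ satisfies (1) but fails at the factor 2, because $x^{96/2} \equiv 1$. For a composite n no choice of x can pass, since the order of x modulo n is then too small to equal $n-1$.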
Primality Testing
Wish to test if n is prime. Technique: $W_n(a)$ = "a witnesses that n is composite". $W_n(a)$ = true $\Rightarrow$ n composite; $W_n(a)$ = false $\Rightarrow$ don't know.
Goal of Randomized Primality Tests: for random $a \in \{1, \ldots, n-1\}$, n composite $\Rightarrow \Pr(W_n(a)\ \text{true}) > 1/2$.

Solovay & Strassen Primality Test
$W_n(a) = (\gcd(a,n) \ne 1)$ or $J(a,n) \not\equiv a^{(n-1)/2} \bmod n$ (test if Gauss's Quadratic Reciprocity Law is violated).
So at least 1/2 of all $a \in \{1, \ldots, n-1\}$ are "witnesses to compositeness of n".
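One block serving both the Jacobi Function slide and the Solovay & Strassen test: $J(a,n)$ by the Rivest recursion, and the witness $W_n(a)$ built on it. This is an added example, not code from the lecture notes. Two details are assumptions of this implementation rather than statements on the slide: a base case $J(0,n) = 0$ (the $\gcd(a,n) \ne 1$ case of the definition) so the recursion terminates when a divides n, and a reduction of a modulo n before recursing. The test values 97 and 561 are constructed.

```python
# Added example, not from the lecture notes: J(a, n) by the Rivest recursion
# of the Jacobi Function slide, and the Solovay-Strassen witness W_n(a) built on it.
import random
from math import gcd


def jacobi(a: int, n: int) -> int:
    """Rivest's recursion: valid for odd n > 0; a is first reduced mod n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("J(a, n) is defined here for odd n > 0")
    a %= n
    if a == 0:
        return 1 if n == 1 else 0               # gcd(a, n) = n != 1 (added base case)
    if a == 1:
        return 1                                # J(1, n) = 1
    if a % 2 == 0:                              # a even: J(a/2, n) * (-1)^((n^2-1)/8)
        sign = -1 if ((n * n - 1) // 8) % 2 else 1
        return sign * jacobi(a // 2, n)
    # a odd: J(n mod a, a) * (-1)^((a-1)(n-1)/4)  (quadratic reciprocity)
    sign = -1 if (((a - 1) * (n - 1)) // 4) % 2 else 1
    return sign * jacobi(n % a, a)


def is_quadratic_residue(a: int, n: int) -> bool:
    """Brute force: does x^2 = a mod n have a solution?"""
    return any((x * x) % n == a % n for x in range(n))


def ss_witness(n: int, a: int) -> bool:
    """Solovay-Strassen: W_n(a) = gcd(a,n) != 1 or J(a,n) != a^((n-1)/2) mod n."""
    if gcd(a, n) != 1:
        return True
    return jacobi(a, n) % n != pow(a, (n - 1) // 2, n)


def witness_fraction(n: int) -> float:
    """Fraction of a in {1, ..., n-1} that witness compositeness (>= 1/2 when n is composite)."""
    return sum(ss_witness(n, a) for a in range(1, n)) / (n - 1)


def solovay_strassen(n: int, rounds: int = 20, seed=None) -> bool:
    """Randomized test: False is certain (a witness was found); True means no
    witness in `rounds` random trials, so the error probability is below 2^-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(1, n)
        if ss_witness(n, a):
            return False
    return True


if __name__ == "__main__":
    print([jacobi(a, 7) for a in range(1, 7)])   # [1, 1, -1, 1, -1, -1]
    print(witness_fraction(561))                  # > 0.5 for the composite 561 = 3*11*17
    print(solovay_strassen(97, seed=1))           # True
```

`is_quadratic_residue` is only there to confirm, for a prime modulus, that the recursion agrees with the definition and with Euler's criterion; for composite n the recursion computes the Jacobi symbol, which is what the witness test needs.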
Definitions
$Z_n$ = set of all nonnegative numbers $< n$ which are relatively prime to n.
A generator g of $Z_n$ is such that for all $x \in Z_n$ there is i such that $g^i \equiv x \bmod n$.

Theorem of Solovay & Strassen: If n is composite, then $|G| \le (n-1)/2$ where $G = \{a \mid W_n(a \bmod n)\ \text{false}\}$.
Proof:
Case $G \ne Z_n$ $\Rightarrow$ G is a subgroup of $Z_n$ $\Rightarrow$ $|G| \le |Z_n|/2 \le (n-1)/2$.
Case $G = Z_n$: use proof by contradiction. So $a^{(n-1)/2} \equiv J(a,n) \bmod n$ for all a relatively prime to n. Let n have prime factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$, $a_1 \ge a_2 \ge \cdots \ge a_k$. Let g be a generator of $Z_m$ where $m = p_1^{a_1}$.
Then by the Chinese Remainder Theorem, $\exists$ a unique a s.t. $a \equiv g \bmod m$ and $a \equiv 1 \bmod (n/m)$. Since a is relatively prime to n, $a \in Z_n$, so $a^{n-1} \equiv 1 \bmod n$ and $g^{n-1} \equiv 1 \bmod m$.
Case $a_1 \ge 2$: then the order of g in $Z_m$ is $p_1^{a_1 - 1}(p_1 - 1)$ by a known formula; this order divides $n-1$, a contradiction since $p_1$ divides the order but $p_1$ divides n and so cannot divide $n-1$.
Case $a_1 = a_2 = \cdots = a_k = 1$: since $n = p_1 \cdots p_k$, $J(a,n) = \prod_{i=1}^{k} J(a, p_i) = J(g, p_1) \prod_{i=2}^{k} J(1, p_i)$, since $a \equiv g \bmod p_i$ for $i = 1$ and $a \equiv 1 \bmod p_i$ for $i \ne 1$. So $J(a,n) \equiv -1 \bmod n$, since $J(1, p_i) = 1$ and $J(g, p_1) = -1$ (a generator of $Z_{p_1}$ is not a quadratic residue).
We have shown $J(a,n) \equiv -1 \bmod n$, so $J(a,n) \equiv -1 \bmod (n/m)$. But by assumption $a \equiv 1 \bmod (n/m)$, so $a^{(n-1)/2} \equiv 1 \bmod (n/m)$. Hence $a^{(n-1)/2} \not\equiv J(a,n) \bmod (n/m)$, and so $a^{(n-1)/2} \not\equiv J(a,n) \bmod n$, a contradiction with Gauss's Law!

Miller's Primality Test
$W_n(a) = (\gcd(a,n) \ne 1)$ or $(a^{n-1} \not\equiv 1 \bmod n)$ or $\gcd(a^{(n-1)/2^i} \bmod n - 1,\ n) \ne 1$ for some $i \in \{1, \ldots, k\}$, where $k = \max\{i \mid 2^i \text{ divides } n-1\}$.
Theorem (Miller): Assuming the extended RH, if n is composite, then $W_n(a)$ holds for some $a \in \{1, 2, \ldots, c \log n\}$.
Miller's Test assumes the extended RH (not proved).
Rabin: choose a random $a \in \{1, \ldots, n-1\}$ and test $W_n(a)$.
Theorem (Rabin): if n is composite then $\Pr(W_n(a)\ \text{holds}) > 1/2$ $\Rightarrow$ gives another randomized, polytime algorithm for primality!
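Miller's witness $W_n(a)$ as stated on the previous slide, randomized in Rabin's way, as an added example that is not code from the lecture notes. One reading choice is made explicit here: the gcd clause is implemented as "the gcd is a proper divisor of n", because whenever $a^{(n-1)/2^i} \equiv 1 \bmod n$ the gcd equals n itself and reveals nothing, so only a gcd strictly between 1 and n (a nontrivial square root of 1 that splits n) counts as a witness. The values 561 (a Carmichael number, $3 \cdot 11 \cdot 17$) and 97 are constructed test inputs.

```python
# Added example, not from the lecture notes: Miller's witness W_n(a) as stated
# above, randomized in Rabin's way. The gcd clause is read as "gcd is a proper
# divisor of n": when a^((n-1)/2^i) = 1 mod n the gcd is n itself, which reveals
# nothing, so that case is not treated as a witness.
import random
from math import gcd


def miller_witness(n: int, a: int) -> bool:
    """W_n(a) for odd n >= 3: True proves n composite, False proves nothing."""
    if n < 3 or n % 2 == 0:
        raise ValueError("W_n(a) is for odd n >= 3")
    if gcd(a, n) != 1:                                  # clause 1
        return True
    if pow(a, n - 1, n) != 1:                           # clause 2: Fermat's test fails
        return True
    k = ((n - 1) & -(n - 1)).bit_length() - 1           # k = max{i : 2^i divides n-1}
    for i in range(1, k + 1):                           # clause 3, i = 1..k
        g = gcd(pow(a, (n - 1) >> i, n) - 1, n)
        if 1 < g < n:                                   # a nontrivial square root of 1 splits n
            return True
    return False


def witness_fraction(n: int) -> float:
    """Fraction of a in {1, ..., n-1} with W_n(a) true (Rabin: > 1/2 for composite n)."""
    return sum(miller_witness(n, a) for a in range(1, n)) / (n - 1)


def rabin_is_prime(n: int, rounds: int = 20, seed=None) -> bool:
    """Rabin's randomized test: False is certain (a witness was found),
    True means no witness in `rounds` random trials (error < 2^-rounds)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(1, n)
        if miller_witness(n, a):
            return False
    return True


if __name__ == "__main__":
    print(miller_witness(561, 2))     # True: 2^280 = 1 but 2^140 = 67, gcd(66, 561) = 33
    print(witness_fraction(561))      # > 0.5
    print(rabin_is_prime(97, seed=3))  # True
```

The base 2 is instructive for 561: Fermat's test alone passes ($2^{560} \equiv 1$), and so does the Solovay-Strassen witness for that base, but the square-root chain exposes $67^2 \equiv 1$ with $67 \not\equiv \pm 1$, and $\gcd(66, 561) = 33$ is a factor. This is the gcd clause doing the work the Theorem of Miller promises.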