CSC 373: Algorithm Design and Analysis Lecture 30

Similar documents
Lecture # 12. Agenda: I. Vector Program Relaxation for Max Cut problem. Consider the vectors are in a sphere. Lecturer: Prof.

Applied Cryptography and Computer Security CSE 664 Spring 2018

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

Factorization & Primality Testing

THE SOLOVAY STRASSEN TEST

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

A Few Primality Testing Algorithms

Primality Testing- Is Randomization worth Practicing?

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

1. Algebra 1.7. Prime numbers

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

Advanced Algorithms and Complexity Course Project Report

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

CPSC 467b: Cryptography and Computer Security

Algorithmic number theory. Questions/Complaints About Homework? The division algorithm. Division

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

CSE 521: Design and Analysis of Algorithms I

Great Theoretical Ideas in Computer Science

CPSC 467b: Cryptography and Computer Security

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture 11: Number Theoretic Assumptions

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Lecture 31: Miller Rabin Test. Miller Rabin Test

conp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.

6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch

How To Test If a Polynomial Is Identically Zero?

ECEN 5022 Cryptography

CPSC 467b: Cryptography and Computer Security

Primality testing: then and now

1 Rabin Squaring Function and the Factoring Assumption

1.1 P, NP, and NP-complete

The running time of Euclid s algorithm

NP and Computational Intractability

Lecture 6: Deterministic Primality Testing

Chapter 5 : Randomized computation

CSCI3390-Second Test with Solutions

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Lecture 1: Introduction to Public key cryptography

10 Concrete candidates for public key crypto

Bipartite Perfect Matching

THE MILLER RABIN TEST

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

Lecture 11 - Basic Number Theory.

IRREDUCIBILITY TESTS IN F p [T ]

NP-Completeness Part II

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

Primality testing: then and now

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

20.1 2SAT. CS125 Lecture 20 Fall 2016

CSC2420 Spring 2016: Algorithm Design, Analysis and Theory Lecture 11

FERMAT S TEST KEITH CONRAD

Algorithms: COMP3121/3821/9101/9801

NP-problems continued

CS21 Decidability and Tractability

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Formal definition of P

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

CSC 373: Algorithm Design and Analysis Lecture 15

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

NP-Completeness Part II

Simultaneous Linear, and Non-linear Congruences

Number theory (Chapter 4)

Math.3336: Discrete Mathematics. Mathematical Induction

NP-Complete Reductions 2

Lecture 12: Interactive Proofs

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Lecture Prelude: Agarwal-Biswas Probabilistic Testing

Essential facts about NP-completeness:

The power and weakness of randomness (when you are short on time) Avi Wigderson Institute for Advanced Study

Uncertainty can be Better than Certainty:

CSC 5170: Theory of Computational Complexity Lecture 5 The Chinese University of Hong Kong 8 February 2010

Applied Cryptography and Computer Security CSE 664 Spring 2017

Ma/CS 6a Class 4: Primality Testing

Complexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler

Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.

A Guide to Arithmetic

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Ma/CS 6a Class 2: Congruences

Postmodern Primality Proving

Limits to Approximability: When Algorithms Won't Help You. Note: Contents of today s lecture won t be on the exam

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Lecture 2: Randomized Algorithms

Lecture Notes, Week 6

Theoretical Cryptography, Lectures 18-20

Introduction to Cryptology. Lecture 19

1: Please compute the Jacobi symbol ( 99

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Cryptography: Joining the RSA Cryptosystem

C.T.Chong National University of Singapore

Elementary Number Theory

Lecture 24 : Even more reductions

Algorithms (II) Yu Yu. Shanghai Jiaotong University

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

NP-Hardness reductions

Transcription:

CSC 373: Algorithm Design and Analysis Lecture 30 Allan Borodin April 5, 2013 1 / 12

Announcements and Outline Announcements Two misstated questions on term test Grading scheme for term test 3: 1 Test will be graded out of 25 with a max of 30 (i.e. up to 20% bonus possible where now everyone has a better chance of getting bonus marks) 2 Full credit (10 points) for seeing that Q1 was trivial; two points for saying false because of clauses containing x x 3 Can obtain full credit for interpreting question in terms of approximation ratio. Today s outline Comments on the nature of the final exam Review and finish discussion of RWALK algorithm for 2SAT Brief discussion of 1-sided randomized compositeness algorithm 2 / 12

Papadimitriou s random walk algorithm for 2-SAT It is not difficult to show that 2-SAT (determining if a 2CNF formula is satisfiable) is efficiently computable (reducible to directed ST connectivity) whereas we know that 3-SAT is NP complete. We will provide a conceptually simple 1-sided randomized algorithm (RWALK) running in time O(n 2 ) to show that 2-SAT is computationally easy. The same basic approach can be used to derive a randomized algorithm (which in turn has led to a deterministic variant of the idea) for 3SAT that runs in time (1.324) n. It is a big open question if one can get time 2 o(n) algorithm for 3-SAT. This random walk idea is the basis for a widely used class of algorithms known as Walk-Sat algorithms for SAT problems. 3 / 12

Random walk algorithm for 2-SAT RWALK algorithm for 2CNF formula F Choose a random or arbitrary truth assignment τ For i = 1, 2,..., (c n 2 ) % with a sufficiently large c to obtain any desired probability of success If τ satisfies F then Report success and quit Else Let C be an unsatisfied clause and choose one of its literals l i at random Flip the truth value of the literal l i to change τ End If End For Claim If f is satisfiable, then with say probability at least 1 2 succeed in finding a satisfying truth assignment. the RWALK algorithm will We can either increase c or run RWALK many times to increase the probability of success. 4 / 12

Why RWALK works Claim Let τ be a truth assignment satisfying an n variable 2CNF F. Then we can view RWALK as a random walk on a line graph (with nodes 1, 2,..., n) that is trying to reach node n where node i indicates that τ matches τ in i coordinates. Since the clause C was not satisfied, at least one of its literals must be set different than τ. (It could be that both literals are different.) This means that the probability (in terms of the walk on the line) of getting closer to node n is at least 1 2. It can happen that as we are randomly walking, we may come across another satisfying assignment but that will only shorten the time needed. What remains to be shown is that a random walk on the line with probability 1 2 to move left or right will hit every point on the line in expected time 2n 2. More generally, a uniform random walk (starting at any node) on a connected graph G = (V, E) will hit all nodes in expected time 2 E ( V 1). 5 / 12

Randomized Compositeness/Primality Algorithm One of the most influential randomized algorithms is a polynomial time method for determining if a number is prime/composite. Quick modern history of primality testing Independently Solovay and Strassen, and Rabin (1974) gave two different polynomial time 1-sided error algorithms for determining if an n digit number x is prime. The algorithm always outputs PRIME if x is prime and outputs COMPOSITE with probability (say) 1 2 if x is composite. That is, the algorithm could error (saying PRIME when x is composite) with probability at most 1 2. This error probability can be reduced by repeated indpendent trials of the algorithm. That is, t trials would then yield an error probability at most 1 2. t 6 / 12

History continued The Rabin algorithm is related to deterministic polynomial time algorithm by G. Miller (1976) whose correctness requires the Extended Riemann Hypothesis (ERH), a famous well-believed conjecture in number theory. Goldwasser and Kilian (1986) gave a polynomial time 0-sided error algorithm. Agarwal, Kayal and Saxena (2002) gave a deterministic polynomial time algorithm. 7 / 12

So why concern oursleves with randomized algorithms when the problem is solved? There are polynomials and there are polynomials The deterministic (or 0-sided algorithms) are not nearly as practical as the 1-sided algorithms These algorithms are an essential ingrediant in much of modern cryptography where random primes are often needed. Note that while primality testing is theoretically (i.e. in P) and practically solvable, factoring is believed to be NP hard and even hard in some sense of average case complexity. Complexity based cryptography also depends on the hardness of problems such as factoring integers. 8 / 12

Some basic group theory and number theory Z N = {a Z N gcd(a, N) = 1} is a commutative group under multiplication (mod N) Lagrange Theorem If H is a subgroup of G then order(h) divides order(g). Fermat s Little Theorem: If N is prime then for a 0 (mod N), a N 1 = 1 (mod N) Furthermore, if N is prime, then ZN is a cyclic group; that is, g : {g, g 2,..., g N 1 } = Z N. This implies that for such a generator g, g i 1 for 1 i < N 1 If N is prime, then ±1 mod N are precisely two distinct square roots of 1. The Chinese Remainder Theorem: If N 1 and N 2 are relatively prime, then for all v 1, v 2, there exists a unique non-negative w < N 1 N 2 such that w = v 1 (mod N 1 ) and w = v 2 (mod N 2 ) 9 / 12

A simple but not quite correct algorithm We need two computational facts: 1 a i (mod N) can be efficiently computed by repeated squaring mod N. 2 gcd(a, b) can be efficiently computed by the Euclidean algorithm. Simple randomized primality algorithm that almost works Choose a Z N \ {0} uniformly at random If gcd(a, N) 1 or a N 1 (mod N) 1, then output COMPOSITE Otherwise output PRIME. 10 / 12

When the simple algorithm does (and doesn t) work S = {a Z N an 1 = 1 (mod N)} is a subgroup of Z N Hence either S = ZN if S is a proper subgroup, or by the Lagrange Theorem, S Z N 2 = N 1 2 if S is not proper. Hence if the simple algorithm finds an a where gcd(a, N) = 1 but a N 1 1 (mod N), then S is proper and therefore at least 1 2 half of the elements in Z N \ {0} will be certificates showing N is not prime. Hence the only numbers N that can defeat the simple algorithm are the Carmichael numbers (also called false primes); i.e. those N for which a N 1 = 1 (mod N) for all a Z N. It was only relatively recently (1994) when it was proven that there are infinitely many Carmichael numbers. The first three Carmichael numbers are 561, 1105, 1729. There are only 255 Carmichael numbers 100,00,000. 11 / 12

Miller-Rabin 1-sided randomized algorithm The Miller-Rabin algorithm If gcd(a, N) 1 then report composite and terminate % This test isn t really needed but we add it for clarity Compute t, u such that N 1 = (2 t u), u odd and t 1. x 0 := 2 u % all computations are mod N Randomly choose a Z N \ {0} For i = 1,..., t x i := xi 1 2 If x i = 1 and x i 1 / { 1, 1} then report composite and terminate End For If x t 1 then report composite and terminate Else report prime Claim: P[algorithm reports prime N is composite] 1 2 Proof relies on fact that N is Carmichael implies N = N 1 N 2 with gcd(n 1, N 2 ) = 1 12 / 12

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback