מבוא מורחב - שיעור 6 1 lecture 6 high order procedures primality testing the rsa...

מבוא מורחב - שיעור 61

Lecture 6

High order procedures

Primality testing

The RSA cryptosystem


Fixed Points

x0 is a fixed point of F(x) if F(x0) = x0

Example:

x0 = a is a fixed point of F(x) = a/x


5מבוא מורחב - שיעור 3

Finding fixed points for f(x)

Start with an arbitrary first guess x1

Each time:

• try the guess, f(x) ~ x ??

• If it’s not a good guess try the next guess xi+1 = f(xi)

(define (fixed-point f first-guess) (define tolerance 0.00001) (define (close-enough? v1 v2) (< (abs (- v1 v2)) tolerance)) (define (try guess) (let ((next (f guess))) (if (close-enough? guess next) guess (try next)))) (try first-guess))



An example: f(x) = 1+1/x

(define (f x) (+ 1 (/ 1 x)))(fixed-point f 1.0)

X1 = 1.0X2 = f(x1) = 2X3 = f(x2) = 1.5X4 = f(x3) = 1.666666666..X5 = f(x4) = 1.6X6 = f(x5) = 1.625X7 = f(x6) = 1.6153846…

Exact fixed-point: 1.6180339…

Note how odd guessesunderestimateAnd even guessesOverestimate.



Another example: f(x) = 2/x

(define (f x) (/ 2 x))(fixed-point f 1.0)

x1 = 1.0x2 = f(x1) = 2x3 = f(x2) = 1x4 = f(x3) = 2x5 = f(x4) = 1x6 = f(x5) = 2x7 = f(x6) = 1

Exact fixed-point: 1.414213562…



How do we deal with oscillation?

Consider f(x)=2/x.

If guess is a number such that guess < sqrt(2) then 2/guess > sqrt(2)So the average of guess and 2/guess is always an evenBetter guess.

So, we will try to find a fixed point of g(x)= (x + f(x))/2

For f(x)=2/x this gives: g(x)= (x + 2/x)/2

Notice that g(x) = (x +f(x)) /2 has the same fixed points as f.



X = 2 G = 1

X/G = 2 G = ½ (1+ 2) = 1.5

X/G = 4/3 G = ½ (3/2 + 4/3) = 17/12 = 1.416666

X/G = 24/17 G = ½ (17/12 + 24/17) = 577/408 = 1.4142156

To find an approximation of x:• Make a guess G• Improve the guess by averaging G and x/G• Keep improving the guess until it is good enough

.2for :Example xx



Extracting the common pattern: average-damp

(define (average-damp f) ;outputs g(x)=(x+f(x))/2

(lambda (x) (average x (f x))))

average-damp: (number number) (number number)

((average-damp square) 10)

((lambda (x) (average x (square x))) 10)

(average 10 (square 10))

55



… which gives us a clean version of sqrt

(define (sqrt x)

(fixed-point

(average-damp

(lambda (y) (/ x y)))

1))• Compare this to our previous implementation of sqrt – same process.

For the cubic root of x, fixed point of f(y) = x/y2

(define (cubert x)

(fixed-point

(average-damp (lambda (y) (/ x (square y))))

1))



Further abstraction

(define (osc-fixed-point f first-guess) (fixed-point (average-damp f)

first-guess))

(define (sqrt x) (osc-fixed-point (lambda (y) (/ x y))

1.0)

(define (cubert x) (osc-fixed-point (lambda (y) (/ x (square y)))

1.0)



Newton’s method

A solution to the equation: F(x) = 0

is a fixed point of: G(x) = x - F(x)/F’(x)(define (newton-transform f) (lambda (x) (- x

(/ (f x) ((deriv f) x)))))

(define (newton-method f guess) (fixed-point (newton-transform f) guess)) (define (sqrt x) (newton-method (lambda (y) (- (square y) x)) 1.0))



Further abstraction

(define (fixed-point-of-transform f transform guess) (fixed-point (transform f) guess))

(define (osc-fixed-point f guess) (fixed-point-of-transform f

average-damp guess))

(define (newton-method f guess) (fixed-point-of-transform f

newton-transform guess))


Primality testing

• A natural number n is prime iff the only natural numbers dividing n are 1 and n.

• The following are prime: 2, 3, 5, 7, 11, 13, …and so are 1299709, 15485863, 22801763489, …

• There is an infinite number of prime numbers.• Is 2101-1=2535301200456458802993406410751 prime?• How do we check whether a number is prime?• How do we generate huge prime numbers?• Why do we care?


Naïve solution: Finding the smallest divisor

(define (prime? n)

(= n (find-smallest-divisor n 2)))

(define (divides? a b)

(= (remainder b a) 0))

(define (find-smallest-divisor n i) (cond ((divides? i n) i) (else (find-smallest-divisor n (+ i 1)))))

Space complexity is: (1)For prime n we have time complexity n.

If n is a 100 digit number we will wait “for ever”.


An improvement

(define (prime? n) (= n (find-smallest-divisor n 2)))

(define (divides? a b) (= (remainder b a) 0))

(define (find-smallest-divisor n i) (cond ((> (square i) n) n) ((divides? i n) i) (else (find-smallest-divisor n (+ i 1)))))

For prime n we have time complexity: (n)Worst case space complexity: (1)

Still, if n is a 100 digit number, it is completely infeasible.


We can prove that a number is not prime without explicitly finding a divisor of it.

Randomness is useful in computations!

Is there a more efficient way of checking primality?

Yes! At least if we are willing to accept

a tiny probability of error.


The Fermat Primality Test

Fermat’s little theorem:

If n is a prime number then:

an a (mod n) , for every integer a

The Fermat Test:

Do 100 times:

Pick a random 1<a<n and compute an (mod n).

If an a (mod n), then n is not a prime.

If all 100 tests passed, declare n to be a prime.

Corollary: If an ≠a (mod n) , for some a, then n is not a prime!Such an a is a witness to the compositeness of n.


Fast computation of modular exponentiationab mod m

(define (expmod a b m) (cond ((= b 0) 1) ((even? b) (remainder (expmod (remainder (* a a) m) (/ b 2) m) m)) (else (remainder (* a (expmod a (- b 1) m)) m))))


Implementing Fermat test

(define (test a n)(= (expmod a n n) a))

(define (rand-test n) (test (+ 1 (random (- n 1))) n)); note - (random m) returns a random number; between 0 and m-1(define (fermat-test n k); (cond ((= k 0) #t) ((rand-test n) (fermat-test n (- k 1))) (else #f)))

Worst-case time complexity: (log n) if k is constant Even if n is a 1000 digit number, it is still okay!


Is the Fermat test correct?

• If the Fermat test says that a number n is composite,then the number n is indeed a composite number.

• If n is a prime number, the Fermat test will always say that n is prime.

But,• Can the Fermat test say that a composite number

is prime?• What is the probability that this will happen?


Carmichael numbers

A composite number n is a Carmichael number iff an a (mod n) for every integer a.

The first Carmichael numbers are: 561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, 15841, …

Theorem: n is a Carmichael number iff n=p1p2…pk, where p1 , p2 , … , pk are primes and pi-1 divides n-1, for i=1,…,k.

On Carmichael numbers, the Fermat test is always wrong!

Carmichael numbers are fairly rare. (There are 255 Carmichael numbers smaller than 100,000,000).


Theorem: (Rabin ’77) If n is a composite number that is not a Carmichael number, then at least half of the numbers between 1 and n are witnesses to the compositeness of n.

Corollary: Let n be a composite number that is not a Carmichael number. If we pick a random number a, 1<a<n, then a is a witness with a probability of at least a 1/2 !


“Correctness” of the Fermat test

• If n is prime, the Fermat test is always right.• If n is a Carmichael number,

the Fermat test is always wrong!• If n is composite number that is not a Carmichael number, the Fermat test

is wrong with a probability of at most 2-100.

Is an error probability of 2-100 acceptable?

Yes!


The Rabin-Miller test

• A fairly simple modification of the Fermat test that is correct with a probability of at least 1-2-100 also on Carmichael numbers.

• Will not be covered in this course.


Probabilistic algorithms

An algorithm that uses random choices but outputs the correct result, with high probability,for every input!

Randomness is a very useful algorithmic tool.

Until the year 2002, there were no efficient deterministic primality testing algorithms.

In 2002, Agarwal, Kayal and Saxena found a fast deterministic primality testing algorithm.


Finding large prime numbers

The prime number Theorem:

The number of prime numbers smaller than n is asymptotically n / ln n.

Thus, for every number n, there is “likely” to be a prime number between n and n + ln n.

To find a prime number roughly the size of (odd) n, simply test n, n+2, n+4, … for primality.

(define (find-prime n t) (if (fermat-test n t) n (find-prime (+ n 2) t)))


Primality testing versus Factoring

• Fast primality testing algorithms determine that a number n is composite without finding any of its factors.

• No efficient factoring algorithms are known.• Factoring a number is believed to be a much harder task.

Primality testing - EasyFactoring - Hard

Now: Use the ease of primality and hardness of factoring


Cryptography

Eve

BobAlice


Traditional solution: classical cryptography

Eve

BobAlice

Encryption Decryption

Encryptionkey

Decryptionkey

Hi Bob! Hi Bob!

#$%&*()


In classical cryptography:

• The two parties (Alice and Bob) should agree in advance on the encryption/decryption key.

• The encryption and decryption keys are either identical or easily derived from one another.


The internet age

Eve

Bob

Alice Calvin

Donald

Felix


Public key cryptology

• A system in which it is infeasible to deduce the decryption key from the encryption key.

• Each user publishes an encryption key that should be used for sending messages to her, but keeps her decryption key private.

• Is it possible to construct secure public key cryptosystems?


The RSA public key cryptosystem [Rivest, Shamir, Adleman (1977)]

Bob:

Picks two huge primes p and q.

Calculates n=pq, and announces n.

Chooses and announce integer e prime to (p-1)(q-1)

e and (p-1)(q-1) have no common divisor other than 1

Calculates the unique d such that

de = 1 (mod (p-1)(q-1)) It is believed that computing d,

without knowing p and q, is hard.


The RSA cryptosystem (cont.)

To send a message m (0≤m<n) to Bob,

Alice computes c=EBob(m) and sends it to Bob.

To decipher the message, Bob computes m=DBob(c)

EBob(m) = me (mod n)

DBob(m) = md (mod n)

Lemma: DBob(EBob(m)) = m


(define p 17)(define q 13)(define n (* p q))(define base (* (- p 1) (- q 1)))(define e 35)(define d (find-d e base))(display d)(define message 121)(display message)(newline)(define alice-message (expmod message e n)(newline)(define bob-decipher (expmod alice-message d n)(display bob-decipher)

; d = 11


Find-d

(define (find-d e base)

(define (guess d)

(if ( = (remainder (* d e) base) 1)

d

(guess (+ d 1))

)

)

(guess 0)

)

Obviously, not the way this is done for real numbers.. Why?


Some executions

• message 121• alice-message 127• bob-decipher 121



מבוא מורחב - שיעור 6 1 lecture 6 high order procedures primality testing the rsa...

Documents