Number Theoretic Algorithms Outline greatest common divisors and Euclid’s algorithm applications of large primes: public- key cryptosystems (RSA) primality

Number Theoretic Algorithms

Outline

• greatest common divisors and Euclid’s algorithm

• applications of large primes: public-key cryptosystems (RSA)

• primality testing

• integer factorization


GCD and Euclid’s algorithm

gcd(a,b) - the greatest common divisor of integers a and b

Euclid(a, b) if b = 0 then return aelse return Euclid(b, a mod b)

Time complexity?


Euclid’s algorithm - Complexity

Euclid(a, b) if b = 0 then return aelse return Euclid(b, a mod b)

Theorem

If a > b 0 and the invocation of Euclid performs k 1 recursive calls, then a Fk+2 and b Fk+1.

(where Fk - the k-th Fibonacci number)



Theorem


k = 1 b 1 = F2, a 2 = F3 OK

k = n – 1 b Fn, a Fn+1 Assume

k = n?

a mod b Fn, b Fn+1 a b + a mod b Fn+1 + Fn = Fn+2

b Fn+1 OK



Theorem


Fk ((1 + 5) / 2)k / 5

(2)k < Fk < 2k

= max{log a, log b} - number of bits to encode a and b

T’(a,b) = ( ) - number of arithmetic operations

T(a,b) = ( 3) - total complexity


Extended Euclid’s algorithm

d = gcd(a,b) - the greatest common divisor of integers a and b

ExtendedEuclid(a, b) if b = 0 then return (a,1,0)(d’,x’,y’) ExtendedEuclid(b, a mod b)(d,x,y) (d’,y’,x’ – a/b y’)return (d,x,y)

There exist integers x and y such that d = ax + by


Extended Euclid’s algorithm - Example

ExtendedEuclid(a, b) if b = 0 then return (a,1,0)(d’,x’,y’) ExtendedEuclid(b, a mod b)(d,x,y) (d’,y’,x’ – a/b y’)return (d,x,y)

[Adapted from T.Cormen, C.Leiserson, R. Rivest]


Complexity of modular operations

Multiplication:

for given a and b find x such that ab mod n = x

multiplication + division, i.e. time complexity ( 2)



Division:

for given a and b find x such that bx mod n = a

Not always such x exists - we should have gcd(b,n) | a

Extended Euclid's algorithm: finds x and y such that gcd(s,t) = su + tv

Take b = s and t = n and set x = ua/gcd(b,n)

Time complexity ( 3)



Exponentiation:

for given a and b find x such that ab mod n = x

Time complexity?


Modular Exponentiation

ModularExponentiation(base a, degree b, modulus n)let <bk,bk–1,...,b0> be the binary representation of b c 0d 1for i k downto 0 do

c 2 cd (d d) mod nif bi = 1 then

c c + 1d (d a) mod n

return d

Time complexity T() = ( 3)


Modular Exponentiation - example

ModularExponentiation(a, b, n)c 0; d 1for i k downto 0 do

c 2 cd (d d) mod nif bi = 1 then

c c + 1d (d a) mod n

return d



Public-key cryptosystems

P: * * public keyS: * * secret key

For an arbitrary message M* we must have:

• M = S(P(M)), and• M = P(S(M))


The RSA public-key cryptosystem

p,q - two large primes (100 digits or more)n = pqe - small odd integer that is relatively prime to

(p – 1)(q – 1)d - integer such that de 1 (mod (p – 1)(q – 1))

(it can be shown that it always exists)

P = (e,n) - public keyS = (d,n) - secret key

Encoding: P(M) = Me (mod n)Decoding: S(C) = Cd (mod n)

It works!


Fermat's TheoremFermat's little Theorem

If p is prime then:

• ap = a mod p• if gcd(a,p) =1 then ap1 = 1 mod p.

Proof ?


Fermat's Theorem


RSA - Correctness

n = pqe - odd and relatively prime to (p – 1)(q – 1)d - such that de 1(mod (p – 1)(q – 1))P(M) = Me (mod n), S(C) = Cd (mod n)

P(S(M)) = S(P(M)) = Med (mod n), ed = 1 + k (p – 1)(q – 1)

M 0 (mod p) Med M(Mp–1)k(q–1) (mod p) M(1)k(q–1) (mod p) M (mod p)

M 0 (mod p) Med M (mod p)


RSA - Correctness

Med M (mod p)

Med M (mod q)

Thus Med M (mod n)


RSA - Complexity

Encoding: P(M) = Me (mod n)

Decoding: S(C) = Cd (mod n)


RSA - Complexity

Encoding: P(M) = Me (mod n)

Decoding: S(C) = Cd (mod n)

TE(M) = O( 3) (and TE(M) = ( 2) for small e)

TD(M) = ( 3)


RSA - Key management mode

Encryption:

• Encrypt (using a traditional method) message with a random key K

• Send encrypted message

• Send K encrypted with a public-key method


Public-key cryptosystems - Encryption



RSA + One-way hash functions

h - a one-way hash function (easy to compute, but for a given M it is hard to find M’ with h(M) = h(M’))

Digital signature:

• Send message M

• Send encrypted pair (h(M),)


Public-key cryptosystems - Digital signature



Finding primes - Erasthothenes sieve


Distribution of primes


Distribution of primes


Illegal primes :)

1811 digit prime number

Represents an executable program that perform DeCSS decryption

Technically illegal in some weird countries (e.g. USA)


Finding large primes

(n) - the number of primes less or equal to n

n / ln n tends to be a good approximation of (n)

n = 1 000 000 000(n) = 50 847 478n / ln n = 48 254 942

Prime number theorem

limn (n) / (n / ln n) = 1



limn (n) / (n / ln n) = 1

Idea how to find a prime approximately of the size of n:

Consider randomly chosen integers close to n andcheck whether these are primes. On average youwill need to examine ln n integers.


Primality testing

The problem

For a given integer n decide whether n is a prime.

A simple solution:

Try to divide n by 2 and all odd integers3, 5,..., n1/2.

Time complexity of such approach is (2/2), where - number of bits needed to encode n ( = log n).

Advantage - we also get factors of n (if n is not prime).

Number Theoretic AlgorithmsWhat we need from number theory

Extended Euclid's algorithm

d = gcd(a,b) - the greatest common divisor of integers a and b

There exist integers x and y such that d = ax + by

Fermat's little Theorem

If p is prime and gcd(a,p) = 1 then ap1 = 1 mod p.


Square roots of 1 modulo n

Quadratic residue theorem

If there exists an integer 1<x< n –1, such that x2 = 1 (mod n),then n is composite.

x2 = 1 (mod n), 2 x n – 2

x2 – 1 = kn, 1 k n – 2

(x – 1)(x + 1) = kn

but x – 1 and x + 1 can’t be divisible by n

Number Theoretic AlgorithmsWhat we need from number theory

Chinese reminder theorem

Suppose n1, n2, …, nk are integers which are pairwise coprime. Then, for any given integers a1,a2, …, ak, there exists an integer x solving the system of simultaneous congruences:

Furthermore, all solutions x to this system are congruent modulothe product N = n1n2…nk.


Something from algebra and number theory Euclid's algorithm

groups and Lagrange's theorem

additive group Zn

multiplicative group Z*n

Fermat's theorem

primitive roots modulo n


Groups and Lagrange's theoremConsider set G and binary oparator +.

DefinitionPair (G,+) is a group, if there is eG such that for all a,b,cG:

• a+bG• (a+b)+c = a+(b+c)• a+e = a and e+a = a• there exists a unique a such that a+(a) = e and (a)+a = e

(X,+) is a subgroup of (G,+) if XG and (X,+) is a groupX<G - notation that X is a subgroup of Go(G) - order of group = number of elements in Ga - subgroup generated by aG


Groups and Lagrange's theorem

Lagrange's Theorem

If H < G then o(H) | o(G)

Proof• let gG then all elements of the from a+h, hH, are distinct and |{g+h | hH}| = o(H)

• each element gG belongs to set {g+h | hH} (these setsare called cosets)

• thus G is a union of disjoint cosets, each having o(H) elements

• Hence o(H) | o(G)


Additive group Zn

n - a positive integer

Set of elements Zn = {0,1,2, ...,n1}

Operation "+":

for x,yZn define x+y to be equal with an integerequal to x+y mod n

o(Zn) = n


Multiplicative group Z*n

n - a positive integer

Set of elements Z*n = {a Zn | gcd(a,n) = 1}

Operation "·":

for x,yZ*n define xy to be equal with an integerequal to xy mod n

Z*n is a group!

o(Z*n) = (n) (Euler's phi function)

If p is prime and n = pe then (n) = (p1)pe1


Fermat's TheoremEuler's TheoremFor n>1 and all aZ*n we have a(n) = 1 mod n.

ProofLet ah = 1 mod n. Then h | (n) and a(n) = 1 mod n.

Fermat's little TheoremIf p is prime then ap1 = 1 mod p.

Proofp1 = (n).


Primitive roots modulo nTheoremZ*n is cyclic (i.e. there exists aZ*n with o(a) = o(Z*n)) if and only if n = 2, n = 4, n = pm, or n = 2pm for some odd prime p and some m > 0.

Partial proof (and we are more interested in if part :)

We will consider just case n = p...


Primitive roots modulo nProposition 1Let d | p1.Then there are exactly d solutions (mod p) to equation xd1 = 0 mod p.

Proofde = p1.xp11 = (xd)e1 = (xd1)g(x).

From Fermat's theorem: For all ap1 = 1 mod p. Thus all p1 elements of Z*n are roots of xp11.

g(x) has at most pd1 roots, thus xd1 should have d roots.


Primitive roots modulo nProposition 2a,b Z*n, o(a) = r, o(b) = s and gcd(r,s) = 1.Then o(ab) = rs.

Proof(ab)rs = arsbrs =1. Thus o(ab) = xy, where x | r and y | s.Assume r = xu and s = yv.

auxybuxy =1 and auxy =1. Then buxy =1 and s | uxy. Thus s = y. Similarly we show that r = x.

Therefore o(ab) = rs.


Primitive roots modulo nTheoremZ*n is cyclic (i.e. there exists aZ*n with o(a) = o(Z*n)) if and only if n = 2, n = 4, n = pm, or n = 2pm for some odd prime p and some m > 0.

Proposition 1Let d | p1.Then there are exactly d solutions (mod p) to equation xd1 = 0 mod p.

Proposition 2a,b Z*n, o(a) = r, o(b) = s and gcd(r,s) = 1.Then o(ab) = rs.


Primitive roots modulo nPartial proof (and we are more interested in if part:)n = p.

Let p1 = q1n1...qr

nr, where qi's are primes.

By Proposition 1 f(x) = xqin

i 1 has exactly qini roots and

g(x) = xqin

i1 1 has exactly qi

ni1 roots.

There exists ai which is root of f(x) but not g(x).o(ai) = qi

ni.

a = a1...ar. o(a) = p1. (Proposition 2)



(n) - the number of primes less or equal to n

n / ln n tends to be a good approximation of (n)

n = 1 000 000 000(n) = 50 847 478n / ln n = 48 254 942

Prime number theorem

limn (n) / (n / ln n) = 1



limn (n) / (n / ln n) = 1

Idea how to find a prime approximately of the size of n:

Consider randomly chosen integers close to n andcheck whether these are primes. On average youwill need to examine ln n integers.


Primality testing

The problem

For a given integer n decide whether n is a prime.

A simple solution:



Advantage - we also get factors of n (if n is not prime).


Primality testing - Fermat’s theorem

Fermat’s theorem

an – 1 1 (mod n) for all primes n and all integers a > 1.

What happens when n is not a prime?

Composite integers n that satisfy an – 1 1 (mod n) for all a > 1 with gcd(a,n) = 1 are called Carmichael numbers.

They are quite rare:

the first three are 561, 1105, 1729there are only 255 of them less than 100 000 000


PseudoPrime algorithm

PseudoPrime(n) if ModularExponentiation(2,n–1,n) 1 then

return Composite definitelyelse return Prime we hope

ModularExponentiation(a,k,n) computes the value ak mod n


Square roots of 1 modulo n

Quadratic residue theorem

If there exists an integer 1<x< n –1, such that x2 1 (mod n),then n is composite.

Therefore, n will be composite if:

1) we can find a such that an – 1 1 (mod n)2) we can find x such that x2 = 1 (mod n)

• a is chosen randomly and tested for (1)• for (2) are tested all intermediate values arising in computationof an – 1


Miller-Rabin algorithm - scheme

[Adapted from D.Harel]


Miller-Rabin algorithm

MillerRabin(n, s) for j 1 to s

do a Random(1, n – 1)if Witness(a, n) then

return Composite definitelyreturn Prime almost surely


Miller-Rabin algorithm

Witness(a, n)let <bk,bk–1,...,b0> be the binary representation of n – 1 d 1for i k downto 0 do

x d d (d d) mod nif d = 1 & x 1 & x n 1 then return Trueif bi = 1 then d (d a) mod n

if d 1 then return Truereturn False


Miller-Rabin algorithm - Correctness

Theorem

If n is an odd composite number, then the number ofwitnesses to the compositeness of n is at least (n–1)/2.



Observation:

For any non-Witness a we must have gcd(a,n) = 1

(since an – 1 should be divisible by a)


Miller-Rabin algorithm - Correctness - I

Case 1

There exists an x, such that xn – 1 1 (mod n)

A = { 0 < a < n| an – 1 1 (mod n)} = {a1,..,ak}

x A (and gcd(n,x)=1)

All numbers x·a1 (mod n),...,x · ak (mod n) are different and donot belong to A

There are at least (n–1)/2 integers in interval [1,n–1] andnot in A.


Miller-Rabin algorithm - Correctness - II

Case 2

For all x we have xn – 1 1 mod n

n pe, where p is prime

otherwise: (n) = (p1)pe1

Z*n is cyclic and there is and element a of order (n) Then a(n) 1 mod n and (p1)pe1 | pe1 Thus e =1 and n is prime, contradicting our assumption.



Case 2

For all x we have xn – 1 1 (mod n)n = cd, where c,d > 1 and are relative primes

n – 1 = 2tu, where t > 1 and u is odd

For all a: 0 < a < n consider the sequence

A = <au, a2u, a22u,..., a2tu> (all elements modulo n)

These are the last t+1 values of d computed by Witness



Witness(a, n)let <bk,bk–1,...,b0> be the binary representation of n – 1 d 1for i k downto 0 do

x dd (d d) mod nif d = 1 & x 1 & x n 1 then return Trueif bi = 1 then d (d a) mod n

if d 1 then return Truereturn False



Case 2

For all x we have xn – 1 1 (mod n)n = cd, where c,d > 1 and are relative primes

Find the largest j, such that 0 j t and v2ju –1 (mod n) for some v(such j exists since the property holds for j = 0 and v = n – 1)

B = {0 < x < n | x2ju 1 (mod n)} = {b1,..,bk}

Every non-witness is a member of B



Case 2

For all x we have xn – 1 1 (mod n)n = cd, where c,d > 1 and are relative primesB = {0 < x < n | x2ju 1 (mod n)} = {b1,..,bk}

If y B, then all numbers y·b1 (mod n),...,y · bk (mod n) are different and do not belong to B

Is there a number z, such that 0 < z < n and z B?



v2ju –1 (mod n), n = cd

Then v2ju –1 (mod c)

There exists w such that w v (mod c) and w 1 (mod d)

Therefore w2ju –1 (mod c) and w2ju 1 (mod d)

And thus w2ju 1 (mod n), ie. w B



Theorem

For any odd integer n > 2 and positive integer s, the probability that Miller-Rabin algorithm outputs incorrectanswer is at most 2–s.


Miller-Rabin algorithm - Complexity

MillerRabin(n, s) for j 1 to s

do a Random(1, n – 1)if Witness(a, n) then

return Composite definitelyreturn Prime almost surely

T(n,s) = (s 3) = (s (log n)3)

- allowed error probability

T(n, ) = (log (1/ ) (log n)3)


Primality testing - Riemann hypothesis

(s) function has the trivial zeros at -2, -4, -6, ... (???)

It is easy to show that for all other zeros 0 Re(s) 1

The Riemann hypothesis is that for all nontrivial zeros Re(s) = 1/2

The Riemann zeta function:



The values of (s) function (see the colour values below):



Generalized Riemann Hypothesis: assumes the RH and that for all nontrivial zeros of the Dirichlet L-Functions Re(s) = 1/2

Dirichlet L-Functions:

where is a periodic integer function.


Primality testing - Other methods

If generalized Riemann hypothesis holds, then for eachcomposite n there is a witness in {2,3,..., c · (log n)2}, forsome computable constant c. [Miller, 1976]

This gives T(n) = ((log n)2 (log n)3) = ((log n)5) algorithm

Without Riemann hypothesis we can obtain deterministicalgorithm with T(n) = O(n1/10.89)

The fastest deterministic algorithms works in timeT(n) = O((log n)log log log n) [Adleman, Pomerance, Rumely, 1983]

Agrawal-Kayal-Saxena algorithm (2002): T(n) = O((log n)6)


The largest known prime

2001 213 466 917 – 1 (4 053 946 digits)

2003 220 996 011 – 1 (6 320 430 digits)

2006 232 582 657 – 1 (9 808 358 digits)

2009 243 112 609 – 1 (12 978 189 digits)

2013 257 885 161 – 1 (17 425 170 digits)


The largest known prime

Growth of number of digits in largest known primes by years


Integer factorization

The problem

For a given integer n find at least one non-trivial factor of n.

A simple solution (the same as for primality testing):




RSA challenge

[Adapted from RSA Security - www.rsasecurity.com/rsalabs/]


RSA challenge

[Adapted from RSA Security - www.rsasecurity.com/rsalabs/]


Pollard’s rho heuristic

PollardRho(n)i 1x1 Random(0, n – 1) y x1

k 2while True do

i i + 1xi (x2

i–1 – 1) mod nd gcd(y – xi, n)if d 1 & d n then print dif i = k then do

y xi k 2 k


Pollard’s rho heuristic - What it does?

Start with random value x1

Compute the sequence x1, x2, x3,..., using the formula xi (x2

i–1 – 1) mod n

Save in variable y the xi -s with subscripts being powers of 2, ie. x2, x4, x8,....

Try to find a factor using the saved value of y and the current value of xi


Pollard’s rho heuristic - Performance

Algorithm does not terminate at all, but may print some of thefactors of n

There is a good reason to expect that it prints a factor pof n approximately after p1/2 (or n1/4) iterations


Pollard’s rho heuristic - Example



Pollard’s rho heuristic - Motivation

How long it may take for the sequence x1, x2, x3,..., to repeat?

Consider the values of xi being random

Birthday problem: What is the probability that two students inthe group of n have a birthday on the same day?

Expected value is (n1/2)



Birthday paradox:

What should be the size k of a group of people, such that with probablity 1/2 at least two persons from the group will have birthday on the same day?



Birthday paradox



Birthday paradox



How long it may take for the sequence x1, x2, x3,..., to repeat?

Consider the values of xi being random

Birthday problem: What is the probability that two students inthe group of n have a birthday on the same day?



p - non-trivial factor of n, such that gcd(p,n / p) = 1

Consider the sequence x’1, x’2, x’3,..., where x’i = xi mod p

We also have x’i (x’2i–1 – 1) mod p

Expected number of steps before repeats is (p1/2)

t - index of the first repeated valueu > 0 - the length of the cycle that has been produced

Expected values of t and u are (p1/2)



If x’t+i = x’t+u+i then p divides xt+i – xt+u+i

Thus gcd(xt+i – xt+u+i, n) > 1

Eventually y will be set to x’i value on the cycle and afterwards the whole cycle will be traversed without changing the value of y. When the value x’i will be encountered again, a factor of n will be discovered.


Pollard’s rho heuristic - Example



Pollard’s rho heuristic - Problems

The sequence x’1, x’2, x’3,... may start to repeat much laterthan after (p1/2) steps

The gcd’s (gcd(xt+i – xt+u+i, n)) found may always be equal with n

In practice it does not happen too often

In case of problems we can try to start with a new value x1


Pollard’s rho heuristic - Complexity?

Expected number of arithmetic operations T’(n) = (p1/2) Expected time complexity T(n) = (2/4 3)


Integer factorization - Other methods

L[] = e (log n log log n) 1/2

There seems to be several O(L[1]) algorithms

The fastest general algorithm probably works in O(L[1/2]) time

In practice the methods that allow parallel computationprobably are faster

Some integers may be more easy to factor (eg yn 1)

There are also algorithms that depend on generalised Riemann hypothesis

Documents

Number Theoretic Algorithms Outline greatest common divisors and Euclid’s algorithm applications of large primes: public- key cryptosystems (RSA) primality