Transcript Document

Lecture 6
High order procedures
Primality testing
The RSA cryptosystem
‫מבוא מורחב‬- ‫שיעור‬6
1
Fixed Points
x0 is a fixed point of F(x) if F(x0) = x0
Example:
x0 = a
is a fixed point of F(x) = a/x
‫מבוא מורחב‬- ‫שיעור‬6
2
Finding fixed points for f(x)
Start with an arbitrary first guess x1
Each time:
• try the guess, f(x) ~ x ??
• If it’s not a good guess try the next guess xi+1 = f(xi)
(define (fixed-point f first-guess)
(define tolerance 0.00001)
(define (close-enough? v1 v2)
(< (abs (- v1 v2)) tolerance))
(define (try guess)
(let ((next (f guess)))
(if (close-enough? guess next)
guess
(try next))))
(try first-guess))
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
3
An example: f(x) = 1+1/x
(define (f x) (+ 1 (/ 1 x)))
(fixed-point f 1.0)
X1 = 1.0
X2 = f(x1) = 2
X3 = f(x2) = 1.5
X4 = f(x3) = 1.666666666..
X5 = f(x4) = 1.6
X6 = f(x5) = 1.625
X7 = f(x6) = 1.6153846…
Note how odd guesses
underestimate
And even guesses
Overestimate.
Exact fixed-point: 1.6180339…
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
4
Another example: f(x) = 2/x
(define (f x) (/ 2 x))
(fixed-point f 1.0)
x1 = 1.0
x2 = f(x1) = 2
x3 = f(x2) = 1
x4 = f(x3) = 2
x5 = f(x4) = 1
x6 = f(x5) = 2
x7 = f(x6) = 1
Exact fixed-point: 1.414213562…
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
5
How do we deal with oscillation?
Consider f(x)=2/x.
If guess is a number such that guess < sqrt(2) then
2/guess > sqrt(2)
So the average of guess and 2/guess is always an even
Better guess.
So, we will try to find a fixed point of g(x)= (x + f(x))/2
Notice that g(x) = (x +f(x)) /2 has the same fixed
points as f.
For f(x)=2/x this gives: g(x)= (x + 2/x)/2
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
6
Example :
x for x  2.
To find an approximation of x:
• Make a guess G
• Improve the guess by averaging G and x/G
• Keep improving the guess until it is good enough
X=2
G=1
X/G = 2
X/G = 4/3
G = ½ (1+ 2) = 1.5
G = ½ (3/2 + 4/3) = 17/12 = 1.416666
X/G = 24/17 G = ½ (17/12 + 24/17) = 577/408 = 1.4142156
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
7
Extracting the common pattern: average-damp
(define (average-damp f) ;outputs g(x)=(x+f(x))/2
(lambda (x) (average x (f x))))
average-damp: (number  number)  (number  number)
((average-damp square) 10)
((lambda (x) (average x (square x))) 10)
(average 10 (square 10))
55
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
8
… which gives us a clean version of sqrt
(define (sqrt x)
(fixed-point
(average-damp
(lambda (y) (/ x y)))
1))
• Compare this to our previous implementation of sqrt – same process.
For the cubic root of x, fixed point of f(y) = x/y2
(define (cubert x)
(fixed-point
(average-damp (lambda (y) (/ x (square y))))
1))
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
9
Further abstraction
(define (osc-fixed-point f first-guess)
(fixed-point (average-damp f)
first-guess))
(define (sqrt x)
(osc-fixed-point (lambda (y) (/ x y))
1.0)
(define (cubert x)
(osc-fixed-point (lambda (y) (/ x (square y)))
1.0)
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
10
Newton’s method
A solution to the equation: F(x) = 0
is a fixed point of: G(x) = x - F(x)/F’(x)
(define (newton-transform f)
(lambda (x) (- x
(/ (f x)
((deriv f) x)))))
(define (newton-method f guess)
(fixed-point (newton-transform f) guess))
(define (sqrt x)
(newton-method (lambda (y) (- (square y) x))
1.0))
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
11
Further abstraction
(define (fixed-point-of-transform f transform guess)
(fixed-point (transform f) guess))
(define (osc-fixed-point f guess)
(fixed-point-of-transform f
average-damp
guess))
(define (newton-method f guess)
(fixed-point-of-transform f
newton-transform
guess))
‫מורחב‬
5 ‫מבואשיעור‬
- ‫מורחב‬
- ‫שיעור‬6
‫מבוא‬
12
Primality testing
• A natural number n is prime iff the only
natural numbers dividing n are 1 and n.
• The following are prime: 2, 3, 5, 7, 11, 13, …
and so are 1299709, 15485863, 22801763489, …
• There is an infinite number of prime numbers.
• Is 2101-1=2535301200456458802993406410751 prime?
• How do we check whether a number is prime?
• How do we generate huge prime numbers?
• Why do we care?
‫מבוא מורחב‬- ‫שיעור‬6
13
Naïve solution: Finding the smallest divisor
(define (divides? a b)
(= (remainder b a) 0))
(define (find-smallest-divisor n i)
(cond ((divides? i n) i)
(else (find-smallest-divisor n (+ i 1)))))
(define (prime? n)
(= n (find-smallest-divisor n 2)))
Space complexity is: (1)
For prime n we have time complexity n.
If n is a 100 digit number we will wait “for ever”.
‫מבוא מורחב‬- ‫שיעור‬6
14
An improvement
(define (divides? a b)
(= (remainder b a) 0))
(define (find-smallest-divisor n i)
(cond ((> (square i) n) n)
((divides? i n) i)
(else (find-smallest-divisor n (+ i 1)))))
(define (prime? n)
(= n (find-smallest-divisor n 2)))
For prime n we have time complexity: (n)
Worst case space complexity: (1)
Still, if n is a 100 digit number, it is completely infeasible.
‫מבוא מורחב‬- ‫שיעור‬6
15
Is there a more efficient way
of checking primality?
Yes!
At least if we are willing to accept
a tiny probability of error.
We can prove that a number is not prime
without explicitly finding a divisor of it.
Randomness is useful in computations!
‫מבוא מורחב‬- ‫שיעור‬6
16
The Fermat Primality Test
Fermat’s little theorem:
If n is a prime number then:
an  a (mod n) , for every integer a
Corollary:
If an ≠ a (mod n) , for some a, then n is not a prime!
Such an a is a witness to the compositeness of n.
The Fermat Test:
Do 100 times:
Pick a random 1<a<n and compute an (mod n).
If an  a (mod n), then n is not a prime.
If all 100 tests passed, declare n to be a prime.
‫מבוא מורחב‬- ‫שיעור‬6
17
Fast computation of modular exponentiation
ab mod m
(define (expmod a b m)
(cond
((= b 0) 1)
((even? b)
(remainder (expmod
(remainder (* a a) m)
(/ b 2)
m)
m))
(else
(remainder (* a (expmod a (- b 1) m))
m))))
‫מבוא מורחב‬- ‫שיעור‬6
18
Implementing Fermat test
(define (test a n)(= (expmod a n n) a))
(define (rand-test n)
(test (+ 1 (random (- n 1))) n))
; note - (random m) returns a random number
; between 0 and m-1
(define (fermat-test n k);
(cond ((= k 0) #t)
((rand-test n) (fermat-test n (- k 1)))
(else #f)))
Worst-case time complexity:
(log n) if k is constant
Even if n is a 1000 digit number, it is still okay!
‫מבוא מורחב‬- ‫שיעור‬6
19
Is the Fermat test correct?
• If the Fermat test says that a number n is composite,
then the number n is indeed a composite number.
• If n is a prime number, the Fermat test will always say
that n is prime.
But,
• Can the Fermat test say that a composite number
is prime?
• What is the probability that this will happen?
‫מבוא מורחב‬- ‫שיעור‬6
20
Carmichael numbers
A composite number n is a Carmichael number
iff an  a (mod n) for every integer a.
The first Carmichael numbers are:
561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, 15841, …
Theorem: n is a Carmichael number iff n=p1p2…pk, where
p1 , p2 , … , pk are primes and pi-1 divides n-1, for i=1,…,k.
On Carmichael numbers, the Fermat test is always wrong!
Carmichael numbers are fairly rare. (There are 255
Carmichael numbers smaller than 100,000,000).
‫מבוא מורחב‬- ‫שיעור‬6
21
Theorem: (Rabin ’77)
If n is a composite number that is not a Carmichael
number, then at least half of the numbers between
1 and n are witnesses to the compositeness of n.
Corollary:
Let n be a composite number that is not a Carmichael
number. If we pick a random number a, 1<a<n, then a is
a witness with a probability of at least a 1/2 !
‫מבוא מורחב‬- ‫שיעור‬6
22
“Correctness” of the Fermat test
• If n is prime, the Fermat test is always right.
• If n is a Carmichael number,
the Fermat test is always wrong!
• If n is composite number that is not a
Carmichael number, the Fermat test is
wrong with a probability of at most 2-100.
Is an error probability of 2-100 acceptable?
Yes!
‫מבוא מורחב‬- ‫שיעור‬6
23
The Rabin-Miller test
• A fairly simple modification of the Fermat test
that is correct with a probability of at least 1-2-100
also on Carmichael numbers.
• Will not be covered in this course.
‫מבוא מורחב‬- ‫שיעור‬6
24
Probabilistic algorithms
An algorithm that uses random choices but
outputs the correct result, with high probability,
for every input!
Randomness is a very useful algorithmic tool.
Until the year 2002, there were no efficient
deterministic primality testing algorithms.
In 2002, Agarwal, Kayal and Saxena found a
fast deterministic primality testing algorithm.
‫מבוא מורחב‬- ‫שיעור‬6
25
Finding large prime numbers
The prime number Theorem:
The number of prime numbers smaller than n is
asymptotically n / ln n.
Thus, for every number n, there is “likely” to be
a prime number between n and n + ln n.
To find a prime number roughly the size of (odd) n,
simply test n, n+2, n+4, … for primality.
(define (find-prime n t)
(if (fermat-test n t) n (find-prime (+ n 2) t)))
‫מבוא מורחב‬- ‫שיעור‬6
26
Primality testing versus Factoring
• Fast primality testing algorithms determine that a number n
is composite without finding any of its factors.
• No efficient factoring algorithms are known.
• Factoring a number is believed to be a much harder task.
Primality testing - Easy
Factoring - Hard
Now: Use the ease of primality and hardness of factoring
‫מבוא מורחב‬- ‫שיעור‬6
28
Cryptography
Eve
Alice
Bob
‫מבוא מורחב‬- ‫שיעור‬6
29
Traditional solution:
classical cryptography
#$%&*()
Hi Bob!
Hi Bob!
Eve
Encryption
Decryption
Alice
Bob
Encryption
key
‫מבוא מורחב‬- ‫שיעור‬6
Decryption
key
30
In classical cryptography:
• The two parties (Alice and Bob) should agree
in advance on the encryption/decryption key.
• The encryption and decryption keys are
either identical or easily derived from one
another.
‫מבוא מורחב‬- ‫שיעור‬6
31
The internet age
Bob
Calvin
Alice
Donald
Eve
Felix
‫מבוא מורחב‬- ‫שיעור‬6
32
Public key cryptology
• A system in which it is infeasible to deduce
the decryption key from the encryption key.
• Each user publishes an encryption key that
should be used for sending messages to
her, but keeps her decryption key private.
• Is it possible to construct secure public key
cryptosystems?
‫מבוא מורחב‬- ‫שיעור‬6
33
The RSA public key cryptosystem
[Rivest, Shamir, Adleman (1977)]
Bob:
Picks two huge primes p and q.
Calculates n=pq, and announces n.
Chooses and announce integer e prime to (p-1)(q-1)
e and (p-1)(q-1) have no common divisor other than 1
Calculates the unique d such that
de = 1 (mod (p-1)(q-1))
It is believed that computing d,
without knowing
p and q, is hard.
‫מבוא מורחב‬- ‫שיעור‬6
34
The RSA cryptosystem (cont.)
EBob(m) = me (mod n)
DBob(m) = md (mod n)
Lemma:
DBob(EBob(m)) = m
To send a message m (0≤m<n) to Bob,
Alice computes c=EBob(m) and sends it to Bob.
To decipher the message, Bob computes m=DBob(c)
‫מבוא מורחב‬- ‫שיעור‬6
35
(define p 17)
(define q 13)
(define n (* p q))
(define base (* (- p 1) (- q 1)))
(define e 35)
(define d (find-d e base))
(display d)
(define message 121)
(display message)
(newline)
(define alice-message
(expmod message e n)
(newline)
(define bob-decipher
(expmod alice-message d n)
(display bob-decipher)
‫מבוא מורחב‬- ‫שיעור‬6
;d =
11
36
Find-d
(define (find-d e base)
(define (guess d)
(if ( = (remainder (* d e) base) 1)
d
(guess (+ d 1))
)
)
(guess 0)
)
Obviously, not the way this is done for real numbers.. Why?
‫מבוא מורחב‬- ‫שיעור‬6
37
Some executions
• message
• alice-message
• bob-decipher
121
127
121
• message
• alice-message
• bob-decipher
21
200
21
• message
• alice-message
• bob-decipher
57
216
57
‫מבוא מורחב‬- ‫שיעור‬6
38