Transcript Lecture 6

Lecture 6
High order procedures
Primality testing
The RSA cryptosystem
6 ‫ שיעור‬- ‫מבוא מורחב‬
1
Fixed Points
x0 is a fixed point of F(x) if F(x0) = x0
Example:
x0 = a
is a fixed point of F(x) = a/x
6 ‫ שיעור‬- ‫מבוא מורחב‬
2
Finding fixed points for f(x)
Start with an arbitrary first guess x1
Each time:
• try the guess, f(x) ~ x ??
• If it’s not a good guess try the next guess xi+1 = f(xi)
(define (fixed-point f first-guess)
(define tolerance 0.00001)
(define (close-enough? v1 v2)
(< (abs (- v1 v2)) tolerance))
(define (try guess)
(let ((next (f guess)))
(if (close-enough? guess next)
guess
(try next))))
(try first-guess))
56 ‫ שיעור‬- ‫מבוא מורחב‬
3
An example: f(x) = 1+1/x
(define (f x) (+ 1 (/ 1 x)))
(fixed-point f 1.0)
X1 = 1.0
X2 = f(x1) = 2
X3 = f(x2) = 1.5
X4 = f(x3) = 1.666666666..
X5 = f(x4) = 1.6
X6 = f(x5) = 1.625
X7 = f(x6) = 1.6153846…
Note how odd guesses
underestimate
And even guesses
Overestimate.
Exact fixed-point: 1.6180339…
56 ‫ שיעור‬- ‫מבוא מורחב‬
4
Another example: f(x) = 2/x
(define (f x) (/ 2 x))
(fixed-point f 1.0)
x1 = 1.0
x2 = f(x1) = 2
x3 = f(x2) = 1
x4 = f(x3) = 2
x5 = f(x4) = 1
x6 = f(x5) = 2
x7 = f(x6) = 1
Exact fixed-point: 1.414213562…
56 ‫ שיעור‬- ‫מבוא מורחב‬
5
How do we deal with oscillation?
Consider f(x)=2/x.
If guess is a number such that guess < sqrt(2) then
2/guess > sqrt(2)
So the average of guess and 2/guess is always an even
Better guess.
So, we will try to find a fixed point of g(x)= (x + f(x))/2
Notice that g(x) = (x +f(x)) /2 has the same fixed
points as f.
For f(x)=2/x this gives: g(x)= (x + 2/x)/2
56 ‫ שיעור‬- ‫מבוא מורחב‬
6
Example :
x for x  2.
To find an approximation of x:
• Make a guess G
• Improve the guess by averaging G and x/G
• Keep improving the guess until it is good enough
X=2
G=1
X/G = 2
X/G = 4/3
G = ½ (1+ 2) = 1.5
G = ½ (3/2 + 4/3) = 17/12 = 1.416666
X/G = 24/17 G = ½ (17/12 + 24/17) = 577/408 = 1.4142156
56 ‫ שיעור‬- ‫מבוא מורחב‬
7
Extracting the common pattern: average-damp
(define (average-damp f) ;outputs g(x)=(x+f(x))/2
(lambda (x) (average x (f x))))
average-damp: (number  number)  (number  number)
((average-damp square) 10)
((lambda (x) (average x (square x))) 10)
(average 10 (square 10))
55
56 ‫ שיעור‬- ‫מבוא מורחב‬
8
… which gives us a clean version of sqrt
(define (sqrt x)
(fixed-point
(average-damp
(lambda (y) (/ x y)))
1))
• Compare this to our previous implementation of sqrt – same process.
For the cubic root of x, fixed point of f(y) = x/y2
(define (cubert x)
(fixed-point
(average-damp (lambda (y) (/ x (square y))))
1))
56 ‫ שיעור‬- ‫מבוא מורחב‬
9
Further abstraction
(define (osc-fixed-point f first-guess)
(fixed-point (average-damp f)
first-guess))
(define (sqrt x)
(osc-fixed-point (lambda (y) (/ x y))
1.0)
(define (cubert x)
(osc-fixed-point (lambda (y) (/ x (square y)))
1.0)
56 ‫ שיעור‬- ‫מבוא מורחב‬
10
Newton’s method
A solution to the equation: F(x) = 0
is a fixed point of: G(x) = x - F(x)/F’(x)
(define (newton-transform f)
(lambda (x) (- x
(/ (f x)
((deriv f) x)))))
(define (newton-method f guess)
(fixed-point (newton-transform f) guess))
(define (sqrt x)
(newton-method (lambda (y) (- (square y) x))
1.0))
56 ‫ שיעור‬- ‫מבוא מורחב‬
11
Further abstraction
(define (fixed-point-of-transform f transform guess)
(fixed-point (transform f) guess))
(define (osc-fixed-point f guess)
(fixed-point-of-transform f
average-damp
guess))
(define (newton-method f guess)
(fixed-point-of-transform f
newton-transform
guess))
56 ‫ שיעור‬- ‫מבוא מורחב‬
12
Primality testing
• A natural number n is prime iff the only
natural numbers dividing n are 1 and n.
• The following are prime: 2, 3, 5, 7, 11, 13, …
and so are 1299709, 15485863, 22801763489, …
• There are an infinite number of prime numbers.
• Is 2101-1=2535301200456458802993406410751 prime?
• How do we check whether a number is prime?
• How do we generate huge prime numbers?
• Why do we care?
6 ‫ שיעור‬- ‫מבוא מורחב‬
13
Naïve solution: Finding the smallest divisor
(define (divides? a b)
(= (remainder b a) 0))
(define (find-smallest-divisor n i)
(cond ((divides? i n) i)
(else (find-smallest-divisor n (+ i 1)))))
(define (prime? n)
(= n (find-smallest-divisor n 2)))
Space complexity is: (1)
For prime n we have time complexity n.
If n is a 100 digit number we will wait “for ever”.
6 ‫ שיעור‬- ‫מבוא מורחב‬
14
An improvement
(define (divides? a b)
(= (remainder b a) 0))
(define (find-smallest-divisor n i)
(cond ((> (square i) n) n)
((divides? i n) i)
(else (find-smallest-divisor n (+ i 1)))))
(define (prime? n)
(= n (find-smallest-divisor n 2)))
For prime n we have time complexity: (n)
Worst case space complexity: (1)
Still, if n is a 100 digit number, it is completely infeasible.
6 ‫ שיעור‬- ‫מבוא מורחב‬
15
Is there a more efficient way
of checking primality?
Yes!
At least if we are willing to accept
a tiny probability of error.
We can prove that a number is not prime
without explicitly finding a divisor of it.
Randomness is useful in computations!
6 ‫ שיעור‬- ‫מבוא מורחב‬
16
The Fermat Primality Test
Fermat’s little theorem:
If n is a prime number then:
(mod n)
n) ,means
for every
aann == aa (mod
an integer
mod n =aa mod n
Corollary:
43 mod 3 = 64 mod 3 = 1 = 4 mod 3
3 mod
If an ≠ a (mod n) , for 5some
a,3then
n is
not 3a =
prime!
= 125
mod
2 = 5 mod 3
63 to
mod
= … etc
Such an a is a witness
the 3compositeness
of n.
The Fermat Test:
Repeat 100 times:
Pick a random 1<a<n and compute an (mod n).
If an  a (mod n), then n is not a prime.
If all 100 tests passed, declare n to be a prime.
6 ‫ שיעור‬- ‫מבוא מורחב‬
17
Fast computation of modular exponentiation
ab mod m
(define (expmod a b m)
(cond
((= b 0) 1)
((even? b)
(remainder (expmod
(remainder (* a a) m)
(/ b 2)
m)
m))
(else
(remainder (* a (expmod a (- b 1) m))
m))))
6 ‫ שיעור‬- ‫מבוא מורחב‬
18
Implementing Fermat test
(define (test a n)(= (expmod a n n) a))
(define (rand-test n)
(test (+ 1 (random (- n 1))) n))
; note - (random m)  0..m-1 and thus
; we test numbers in range 1 to n-2+1
(define (fermat-test n k);
(cond ((= k 0) #t)
((rand-test n) (fermat-test n (- k 1)))
(else #f)))
Worst-case time complexity:
(log n) if k is constant
Even if n is a 1000 digit number, it is still okay!
6 ‫ שיעור‬- ‫מבוא מורחב‬
19
Is the Fermat test correct?
• If the Fermat test says that a number n is composite,
then the number n is indeed a composite number.
• If n is a prime number, the Fermat test will always say
that n is prime.
However,
• The Fermat test can mistakenly say that a
composite number is prime
• What is the probability that this will happen?
6 ‫ שיעור‬- ‫מבוא מורחב‬
20
Carmichael numbers
A composite number n is a Carmichael number
iff an = a (mod n) for every integer a.
The first Carmichael numbers are:
561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, 15841, …
Theorem: n is a Carmichael number iff n=p1p2…pk, where
p1 , p2 , … , pk are primes and pi-1 divides n-1, for i=1,…,k.
On Carmichael numbers, the Fermat test is always wrong!
Carmichael numbers are fairly rare. (There are 255
Carmichael numbers smaller than 100,000,000).
6 ‫ שיעור‬- ‫מבוא מורחב‬
21
Theorem: (Rabin ’77)
If n is a composite number that is not a Carmichael
number, then at least half of the numbers between
1 and n are witnesses to the compositeness of n.
Corollary:
Let n be a composite number that is not a Carmichael
number. If we pick a random a, 1<a<n, then a is a
witness with a probability of at least a 1/2 !
6 ‫ שיעור‬- ‫מבוא מורחב‬
22
“Correctness” of the Fermat test
• If n is prime, the Fermat test is always right.
• If n is a Carmichael number,
the Fermat test is always wrong!
• If n is composite number that is not a
Carmichael number, the Fermat test is
wrong with a probability of at most 2-100.
Is an error probability of 2-100 acceptable?
Yes…Chances of being hit by lightening: 2-18
Chances of winning lottery: 2-20
6 ‫ שיעור‬- ‫מבוא מורחב‬
23
The Rabin-Miller test
• A fairly simple modification of the Fermat test
that is correct with a probability of at least 1-2-100
also on Carmichael numbers.
• Will not be covered in this course.
6 ‫ שיעור‬- ‫מבוא מורחב‬
24
Probabilistic algorithms
An algorithm that uses random choices but
outputs the correct result, with high probability,
for every input!
Randomness is a very useful algorithmic tool.
Until the year 2002, there were no efficient
deterministic primality testing algorithms.
In 2002, Agarwal, Kayal and Saxena found a
fast deterministic primality testing algorithm.
6 ‫ שיעור‬- ‫מבוא מורחב‬
25
Finding large prime numbers
The prime number Theorem:
The number of prime numbers smaller than n is
asymptotically n / ln n.
Thus, for every number n, there is “likely” to be
a prime number between n and n + ln n.
To find a prime number roughly the size of (odd) n,
simply test n, n+2, n+4, … for primality.
(define (find-prime n t)
(if (fermat-test n t) n (find-prime (+ n 2) t)))
6 ‫ שיעור‬- ‫מבוא מורחב‬
26
Primality testing versus Factoring
• Fast primality testing algorithms determine that a number n
is composite without finding any of its factors.
• No efficient factoring algorithms are known.
• Factoring a number is believed to be a much harder task.
Primality testing - Easy
Factoring - Hard
An effort concluded 2010 by
several researchers factored a
232-digit number utilizing
hundreds of machines over a
Lets make use of the ease of primality and hardness of factoring
span of 2 years.
6 ‫ שיעור‬- ‫מבוא מורחב‬
28
Cryptography
Eve
Alice
Bob
6 ‫ שיעור‬- ‫מבוא מורחב‬
29
Traditional solution:
classical cryptography
#$%&*()
Hi Bob!
Hi Bob!
Eve
Decryption
Encryption
Alice
Bob
Encryption
key
6 ‫ שיעור‬- ‫מבוא מורחב‬
Decryption
key
30
In classical cryptography:
• The two parties (Alice and Bob) should agree
in advance on the encryption/decryption key.
• The encryption and decryption keys are
either identical or easily derived from one
another.
6 ‫ שיעור‬- ‫מבוא מורחב‬
31
The internet age
Bob
Calvin
Alice
Donald
Eve
Felix
6 ‫ שיעור‬- ‫מבוא מורחב‬
32
Public key cryptography
[Diffie and Hellman]
• A system in which it is infeasible to deduce
the decryption key from the encryption key.
• Each user publishes an encryption key that
should be used for sending messages to
her, but keeps her decryption key private.
• Is it possible to construct secure public key
cryptosystems?
6 ‫ שיעור‬- ‫מבוא מורחב‬
33
The RSA public key cryptosystem
[Rivest, Shamir, Adleman (1977)]
Alice:
Picks two huge primes p and q.
Calculates n=pq, and announces n.
Chooses an integer e prime to (p-1)(q-1), announces e.
Calculates the unique d such that
de = 1 (mod (p-1)(q-1))
It is believed that computing d,
without knowing p and q, is hard.
6 ‫ שיעור‬- ‫מבוא מורחב‬
34
The RSA cryptosystem (cont.)
EAlice(m) = me (mod n)
DAlice(m) = md (mod n)
Lemma:
DAlice(EAlice(m)) = m
To send a message m (0≤m<n) to Alice,
Bob computes c=EAlice(m) and sends it to Alice.
To decipher the message, Alice computes m=DAlice(c)
6 ‫ שיעור‬- ‫מבוא מורחב‬
35
Summary
• High level procedures make programming
patterns re-uasable
• Primality is an example of an algorithm that can
be made highly efficient using randomness
• Sometimes the fact that a problem is very hard
(like factoring) is useful rather than depressing..
6 ‫ שיעור‬- ‫מבוא מורחב‬
36