Public key ciphers 1 Session 5
Contents • Intractability and NP-completeness • Primality testing • Factoring large composite numbers • Complexity of RSA • Security of RSA
Intractability and NP-completeness • A problem • A general question that must be answered • Usually possesses several parameters, whose values are generally unspecified • Described by giving • A general description of all the parameters • A statement of those properties that the answer (the solution) must satisfy
Intractability and NP-completeness • An instance of a problem • Obtained by listing a particular set of values for all the problem parameters
Intractability and NP-completeness • Example – solving polynomial equations over GF(2) (1) • The parameters • A set of polynomials $f_i(x_1,\dots,x_n)$, $1 \le i \le m$, over GF(2) • An instance of the problem • Formulated by stating particular choices for the polynomials
Intractability and NP-completeness • Example – solving polynomial equations over GF(2) (2) • A solution • A set $u_1,\dots,u_n$ of elements in GF(2) such that $f_i(u_1,\dots,u_n)=0$ for each $1 \le i \le m$ • This problem is known as AN9 • 9th in Garey and Johnson’s list of Algebra and Number Theory problems
Intractability and NP-completeness • Algorithm • A step-by-step procedure for solving a problem • An algorithm is said to solve a problem if it can be applied to any instance of the problem and is guaranteed to produce a solution • For any problem there may be many possible algorithms • It is of interest to find the most efficient one (in the sense of speed)
Intractability and NP-completeness • The size of an instance of a problem • Intended to measure the amount of input necessary to describe an instance of a problem • It should take into account all the parameters of the problem • Example • AN9 with n=3, m=3 • The size of the problem is the number of variables, n=3
Intractability and NP-completeness • The time complexity function • Expresses time requirements of an algorithm by giving, for each possible size of an instance of a problem, the maximum time that might be needed to use the algorithm to solve it
Intractability and NP-completeness • Deterministic computer • The next instruction is uniquely determined by the current state and the input • Non-deterministic computer • There are many choices for the next instruction, regardless of the current state and the input (random choice) • Can execute arbitrarily many operations in parallel
Intractability and NP-completeness • (Deterministic) Turing machine • A machine that possesses basic properties shared by all deterministic computers • Equipped with an infinite paper tape divided into squares • Capable of moving the tape, writing or erasing marks on the tape and halting
Intractability and NP-completeness • (Deterministic) Turing machine • It can be shown that if a problem is solvable by the Turing machine, it is solvable by any deterministic computer
Intractability and NP-completeness • Polynomial-time algorithm • There is a polynomial $p(r)$ in the problem instance size $r$ and a constant $k$ such that the time complexity function $f(r)$ is always less than $k \cdot p(r)$ • Exponential-time algorithm • The time complexity function $f(r)$ is not bounded by a polynomial
Intractability and NP-completeness • Example (1) • Suppose we need $10^{-5}$ seconds to solve an instance of a problem whose size is $r=10$ • Then for an algorithm whose time complexity function is linear in $r$ we have, for the time needed to solve a problem of size $r=10$ • $t = 10^{-5}$ s • If we increase $r$ to $r=60$, we get • $t = 6 \cdot 10^{-5}$ s
Intractability and NP-completeness • Example (2) • For an algorithm whose time complexity function is quadratic in $r$ we have, for the time needed to solve a problem of size $r=10$ • $r^2 = 10^2 = 100 = 10 \cdot 10 \Rightarrow t = 10 \cdot 10^{-5} = 10^{-4}$ s • If we increase $r$ to $r=60$, we get • $r^2 = 60^2 = 3600 = 360 \cdot 10 \Rightarrow t = 360 \cdot 10^{-5} = 3.6 \cdot 10^{-3}$ s
Intractability and NP-completeness • Example (3) • For an algorithm whose time complexity function is $2^r$ we have, for the time needed to solve a problem of size $r=10$ • $2^r = 2^{10} = 1024 = 102.4 \cdot 10 \Rightarrow t = 102.4 \cdot 10^{-5} \approx 10^{-3}$ s • If we increase $r$ to $r=60$, we get • $2^r = 2^{60} = 1152921504606846976 = 115292150460684697.6 \cdot 10 \Rightarrow t = 115292150460684697.6 \cdot 10^{-5} = 1152921504606.846976$ s $\approx$ 366 centuries
Intractability and NP-completeness • In practice, most exponential time algorithms are merely variations of an exhaustive search • A problem is called intractable if no polynomial time algorithm can solve it on a deterministic computer • Time complexity measures are essentially a measure of the time needed to solve the worst case instance
Intractability and NP-completeness • Only decision problems are considered • The answer is of type “yes” or “no” • It is easy to convert any problem into a decision problem • The original problem is then at least as difficult as the corresponding decision problem
Intractability and NP-completeness • Class P decision problems • There is a polynomial time deterministic Turing machine, which solves the problem • Class NP decision problems • There is a polynomial time non-deterministic Turing machine, which solves the problem • Any problem in the class P is automatically in the class NP
Intractability and NP-completeness • So far, nobody has found a problem proved to be in the class NP and not in the class P • Finding such a problem would mean that there is a problem for which a polynomial-time algorithm does not exist
Intractability and NP-completeness • Such problem(s) may exist; then we would know that P≠NP • We only assume (without proof) that P≠NP; all of cryptographic security relies on this assumption
Intractability and NP-completeness • The satisfiability problem (SAT) • Given a Boolean formula, is there an interpretation (i.e. the values assigned to each variable present in the formula) that evaluates to TRUE? • For any problem in the class NP, there is a polynomial-time algorithm that reduces this particular problem to SAT
Intractability and NP-completeness • If a polynomial-time algorithm is ever found for SAT, this will imply that every problem in the class NP is also in the class P, i.e. P=NP • On the other hand, if there is any intractable problem in the class NP, then SAT must be one of them
Intractability and NP-completeness • There are many other problems that share this property of SAT (i.e. reducibility of NP to SAT in polynomial time) • They are called NP-complete • The class of NP-complete problems is a subset of the class NP
Intractability and NP-completeness • Proving that a problem from the class NP-complete is in P would prove that each problem from NP is in P, i.e. P=NP • Proving that one NP-complete problem is intractable would prove that all the problems from NP are intractable, i.e. P≠NP • Cook’s theorem (1971) • SAT is NP-complete
Intractability and NP-completeness • (Diagram with regions labelled: Class NP, Class P, NP-complete)
Intractability and NP-completeness • Example 1 • The problem AN9 is in P if the functions involved are linear • Otherwise it is NP-complete – can be reduced to SAT in polynomial time • Since in general the functions are not linear, AN9 is NP-complete
Intractability and NP-completeness • Example 2 • The problem of determining whether an integer is a prime is not NP-complete • In 2002, Agrawal, Kayal and Saxena proved that it is in P • Since this problem is not NP-complete, this proof does not mean that P=NP
Intractability and NP-completeness • The “big O” notation • Let $f$ and $g$ be two functions defined over the positive integers, which take on real values that are always positive from some point onwards • We then define the asymptotic upper bound • $f(n) = O(g(n))$ if there exist a positive constant $c$ and a positive integer $n_0$ such that $0 \le f(n) \le c \cdot g(n)$ for all $n \ge n_0$
Primality testing • In order to set up the RSA public key cipher, we need large primes (2 large primes p and q of approximately the same size) • Large means the order of magnitude of 200 decimal digits (663 bits, factored in 2005) and more • Typical RSA keys are 1024 to 2048 bits long • How do we generate such large primes?
Primality testing • The random prime generator • 1. Generate a random integer n • 2. If n is even, replace n by n + 1 • 3. Test if n is prime • 4. If n is not prime, test if n + 2 is prime, etc. • The key step is 3: primality testing
Primality testing • Let n be a large odd integer • Naïve algorithm 1 • Let m be an odd integer such that 0 < m < • For all m test if m | n • Naïve algorithm 2 (Sieve of Eratosthenes) • List all integers from 1 to n • Sieve out all the multiples of known primes less than
Primality testing • The problem • If we have a 100 (decimal) digit integer n (i.e. it can take values up to $10^{100}$), then there are primes less than n
Primality testing • Possible solution – use probabilistic algorithms • Many primality tests are based on Fermat’s little theorem • If n is a prime and if (b, n) = 1 then $b^{n-1} \equiv 1 \pmod{n}$ (*) • So, try all b for which (b, n) = 1 and check whether (*) holds • The problem is that this is a necessary but not a sufficient condition
Primality testing • The expression (*) may hold (not very likely) if n is not a prime • If n is not a prime and the expression (*) holds, n is called a pseudoprime in the base b • Example • 91 is a pseudoprime in the base 3, as $3^{90} \equiv 1 \pmod{91}$ • In the base 2, we find $2^{90} \equiv 64 \pmod{91}$, so 91 is not a prime (91 = 7 × 13)
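The generator steps and the test (*) from the preceding slides, as an added Python example that is not part of the original slides. The function names, the choice of random bases, the number of rounds and forcing the top bit of n are assumptions of this sketch; it also goes one step beyond the slides by showing a composite (561) that satisfies (*) for every coprime base, which is why (*) alone is not a sufficient condition.

```python
import secrets
from math import gcd

def fermat_holds(n: int, b: int) -> bool:
    """Condition (*): b^(n-1) ≡ 1 (mod n)."""
    return pow(b, n - 1, n) == 1

def fermat_liars(n: int) -> list:
    """Bases 2 <= b <= n-2 with (b, n) = 1 for which (*) holds.
    For composite n these are the bases in which n is a pseudoprime."""
    return [b for b in range(2, n - 1)
            if gcd(b, n) == 1 and fermat_holds(n, b)]

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Fermat test with random bases. False is always correct (n is composite);
    True only means that no tested base contradicted (*)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        b = 2 + secrets.randbelow(n - 3)            # uniform in [2, n-2]
        if gcd(b, n) != 1 or not fermat_holds(n, b):
            return False
    return True

def random_probable_prime(bits: int) -> int:
    """The slide's generator: random n, make it odd, then try n, n+2, ..."""
    n = secrets.randbits(bits) | (1 << (bits - 1))  # assumption: force full bit length
    if n % 2 == 0:
        n += 1
    while not is_probable_prime(n):
        n += 2
    return n

if __name__ == "__main__":
    # The slide's example: 91 passes in base 3 but fails in base 2.
    print(fermat_holds(91, 3), fermat_holds(91, 2), pow(2, 90, 91))
    print(len(fermat_liars(91)), "bases in [2, 89] make 91 look prime")
    # 561 = 3 * 11 * 17 satisfies (*) for every base coprime to it.
    print(all(fermat_holds(561, b) for b in range(2, 560) if gcd(b, 561) == 1))
    print(random_probable_prime(256))
```

Production key generation uses stronger tests than plain Fermat for exactly the reason the 561 case shows.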
Primality testing • Quadratic residue (1) • Let p be an odd prime, and a an integer • a is defined to be a quadratic residue modulo p, or a square modulo p, if there exists an integer x such that $x^2 \equiv a \pmod{p}$ • If that is the case we say that $a \in Q_p$, if not
Primality testing • Quadratic residue (2) • Example • Let p=7 • We see that 1, 2 and 4 are quadratic residues
Primality testing • Quadratic residue (3) • If p is an odd prime and if is a generator of Zp*, then a is a quadratic residue if and only if a = i(mod p), where i =0,2,4,...,p-3 • Example • Let p=7, 3 is a generator of Z7* • We see again that 1, 2 and 4 are quadratic residues
Primality testing • Quadratic residue (4) • If p is a prime, then there are exactly (p-1)/2 quadratic residues in Zp* • Theorem (Euler’s criterion) • Let p be an odd prime. Then a is a quadratic residue modulo p if and only if
Primality testing • Quadratic residue (5) • Example • p=7, (p-1)/2=3 • Again, we see that 1, 2 and 4 are quadratic residues
Primality testing • The Legendre symbol (1) • Let p be an odd prime • For any integer a, we define the Legendre symbol as follows
Primality testing • The Legendre symbol (2) • By Euler’s criterion if and only if $a \in Q_p$ • If a is a multiple of p, it is obvious that
Primality testing • The Legendre symbol (3) • It can be shown that if then • Then
Primality testing • The Jacobi symbol (1) • Let n be an odd positive integer with factorization • Let a be an integer. The Jacobi symbol is defined as follows
Primality testing • The Jacobi symbol (2) • Example • Given that $9975 = 3 \cdot 5^2 \cdot 7 \cdot 19$, we evaluate the Jacobi symbol as follows • Observe that we used the fact
Primality testing • The Jacobi symbol (3) • Theorem (1) • Let n be an odd positive integer and let a,b0. Then the following identities hold
Primality testing • The Jacobi symbol (4) • Theorem (2) • If $a \equiv b \pmod{n}$ then
Primality testing • The Jacobi symbol (5) • Theorem (3) 5. Quadratic reciprocity (Gauss). If a is odd, then
Primality testing • The Jacobi symbol (6) • Example • Note that we successively apply rules 5, 3, 4, 2
Primality testing • Yes-biased Monte Carlo algorithm (1) • A yes-biased Monte Carlo Algorithm is a randomized algorithm for a decision problem in which a “yes” answer is always correct, but a “no” answer may be incorrect • Let n be an odd integer greater than 1 • If n is prime we have for all a • If n is composite, it may or may not be the case that holds • If it holds we say that n is an Euler pseudo-prime
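An added Python example, not taken from the original slides, that ties together Euler's criterion, the Jacobi symbol and the yes-biased test. It assumes the condition the slide refers to is the standard congruence $a^{(n-1)/2} \equiv \left(\frac{a}{n}\right) \pmod{n}$; the function names and the number of rounds are choices made for this sketch.

```python
import secrets

def legendre(a: int, p: int) -> int:
    """Legendre symbol for an odd prime p, computed with Euler's criterion."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n                              # the symbol depends only on a mod n
    result = 1
    while a:
        while a % 2 == 0:               # (2/n) = -1 exactly when n ≡ 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                     # quadratic reciprocity: the sign flips
        if a % 4 == 3 and n % 4 == 3:   # only when both are ≡ 3 (mod 4)
            result = -result
        a %= n
    return result if n == 1 else 0      # 0 when gcd(a, n) > 1

def euler_condition(n: int, a: int) -> bool:
    """a^((n-1)/2) ≡ (a/n) (mod n) with (a/n) != 0; true for all a if n is prime."""
    j = jacobi(a, n)
    return j != 0 and pow(a, (n - 1) // 2, n) == j % n

def is_composite(n: int, rounds: int = 40) -> bool:
    """Yes-biased Monte Carlo test for 'is n composite?' on odd n >= 3.
    True is always correct; False is wrong with probability <= 2**-rounds."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    for _ in range(rounds):
        a = 1 + secrets.randbelow(n - 1)    # uniform in [1, n-1]
        if not euler_condition(n, a):
            return True
    return False

if __name__ == "__main__":
    print([a for a in range(1, 7) if legendre(a, 7) == 1])   # residues mod 7
    print(euler_condition(561, 2))   # 561 is an Euler pseudoprime in base 2
    print(euler_condition(91, 3))    # 91 passes Fermat in base 3 but fails here
    print(is_composite(561), is_composite(104729))
```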