1 / 38

Lecture 6

Lecture 6. High order procedures Primality testing The RSA cryptosystem. Fixed Points. a. x 0 is a fixed point of F(x) if F(x 0 ) = x 0. x 0 = . Example: . is a fixed point of F(x) = a/x. 2. Finding fixed points for f(x) .

lavina
Download Presentation

Lecture 6

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 6 High order procedures Primality testing The RSA cryptosystem מבוא מורחב - שיעור 6

  2. Fixed Points a x0 is a fixed point of F(x) if F(x0) = x0 x0 = Example: is a fixed point of F(x) = a/x מבוא מורחב - שיעור 6 2

  3. Finding fixed points for f(x) • Start with an arbitrary first guess x1 • Each time: • try the guess, f(x) ~ x ?? • If it’s not a good guess try the next guess xi+1 =f(xi) (define (fixed-point f first-guess) (define tolerance 0.00001) (define (close-enough? v1 v2) (< (abs (- v1 v2)) tolerance)) (define (try guess) (let ((next (f guess))) (if (close-enough? guess next) guess (try next)))) (try first-guess)) מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 3

  4. An example: f(x) = 1+1/x (define (f x) (+ 1 (/ 1 x))) (fixed-point f 1.0) X1 = 1.0 X2 = f(x1) = 2 X3 = f(x2) = 1.5 X4 = f(x3) = 1.666666666.. X5 = f(x4) = 1.6 X6 = f(x5) = 1.625 X7 = f(x6) = 1.6153846… Exact fixed-point: 1.6180339… Note how odd guesses underestimate And even guesses Overestimate. מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 4

  5. Another example: f(x) = 2/x (define (f x) (/ 2 x)) (fixed-point f 1.0) x1 = 1.0 x2 = f(x1) = 2 x3 = f(x2) = 1 x4 = f(x3) = 2 x5 = f(x4) = 1 x6 = f(x5) = 2 x7 = f(x6) = 1 Exact fixed-point: 1.414213562… מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 5

  6. How do we deal with oscillation? Consider f(x)=2/x. If guess is a number such that guess < sqrt(2) then 2/guess > sqrt(2) So the average of guess and 2/guess is always an even Better guess. So, we will try to find a fixed point of g(x)= (x + f(x))/2 Notice that g(x) = (x +f(x)) /2 has the same fixed points as f. For f(x)=2/x this gives: g(x)= (x + 2/x)/2 מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 6

  7. To find an approximation of x: • Make a guess G • Improve the guess by averaging G and x/G • Keep improving the guess until it is good enough X/G = 2 G = ½ (1+ 2) = 1.5 X/G = 4/3 G = ½ (3/2 + 4/3) = 17/12 = 1.416666 X/G = 24/17 G = ½ (17/12 + 24/17) = 577/408 = 1.4142156 מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 7

  8. Extracting the common pattern: average-damp (define (average-damp f) ;outputs g(x)=(x+f(x))/2 (lambda (x)(average x (f x)))) average-damp: (number  number)  (number  number) ((average-damp square) 10) ((lambda (x) (average x (square x))) 10) (average 10 (square 10)) 55 מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 8

  9. … which gives us a clean version of sqrt (define (sqrt x) (fixed-point (average-damp (lambda (y) (/ x y))) 1)) Compare this to our previous implementation of sqrt – same process. For the cubic root of x, fixed point of f(y) = x/y2 (define (cubert x) (fixed-point (average-damp (lambda (y) (/ x (square y)))) 1)) מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 9

  10. Further abstraction (define (osc-fixed-point f first-guess) (fixed-point (average-damp f) first-guess)) (define (sqrt x) (osc-fixed-point (lambda (y) (/ x y)) 1.0) (define (cubert x) (osc-fixed-point (lambda (y) (/ x (square y))) 1.0) מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 10

  11. Newton’s method A solution to the equation: F(x) = 0 is a fixed point of: G(x) = x - F(x)/F’(x) (define (newton-transform f) (lambda (x) (- x (/ (f x) ((deriv f) x))))) (define (newton-method f guess) (fixed-point (newton-transform f) guess)) (define (sqrt x) (newton-method (lambda (y) (- (square y) x)) 1.0)) מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 11

  12. Further abstraction (define (fixed-point-of-transform f transform guess) (fixed-point (transform f) guess)) (define (osc-fixed-point f guess) (fixed-point-of-transform f average-damp guess)) (define (newton-method f guess) (fixed-point-of-transform f newton-transform guess)) מבוא מורחב - שיעור 6 מבוא מורחב - שיעור 5 12

  13. Primality testing • A natural number n is prime iff the only natural numbers dividing n are 1 and n. • The following are prime: 2, 3, 5, 7, 11, 13, …and so are 1299709,15485863, 22801763489, … • There is an infinite number of prime numbers. • Is 2101-1=2535301200456458802993406410751 prime? • How do we check whether a number is prime? • How do we generate huge prime numbers? • Why do we care? מבוא מורחב - שיעור 6

  14. Naïve solution: Finding the smallest divisor (define (prime? n) (define (find-smallest-divisor n i) (cond ((divides? i n) i) (else (find-smallest-divisor n (+ i 1))))) (= n (find-smallest-divisor n 2))) (define (divides? a b) (= (remainder b a) 0)) Space complexity is: (1)For prime n we have time complexity n. If n is a 100 digit number we will wait “for ever”. מבוא מורחב - שיעור 6

  15. An improvement (define (divides? a b) (= (remainder b a) 0)) (define (prime? n) (define (find-smallest-divisor n i) (cond((> (square i) n) n) (divides? i n) i) (else (find-smallest-divisor n (+ i 1))))) (= n (find-smallest-divisor n 2))) For prime n we have time complexity: (n)Worst case space complexity: (1) Still, if n is a 100 digit number, it is completely infeasible. מבוא מורחב - שיעור 6

  16. Is there a more efficient way of checking primality? We can prove that a number is not primewithout explicitly finding a divisor of it. Randomness is useful in computations! Yes!At least if we are willing to accept a tiny probability of error. מבוא מורחב - שיעור 6

  17. The Fermat Primality Test Fermat’s little theorem: If n is a prime number then: an  a (mod n) , for every integer a Corollary: If an ≠a (mod n) , for some a, then n is not a prime! Such an a is a witness to the compositeness of n. The Fermat Test: Do 100 times: Pick a random 1<a<n and compute an (mod n). If an a (mod n), then n is not a prime. If all 100 tests passed, declare n to be a prime. מבוא מורחב - שיעור 6

  18. Fast computation of modular exponentiationab mod m (define (expmod a b m) (cond ((= b 0) 1) ((even? b) (remainder (square (expmod a (/ b 2) m)) m)) (else (remainder (* a (expmod a (- b 1) m)) m)))) מבוא מורחב - שיעור 6

  19. Implementing Fermat test (define (test a n)(= (expmod a n n) a)) (define (rand-test n) (test (+ 2 (random (- n 2))) n)) ; note - (random m) returns a random number ; between 0 and m-1 (define (fermat-test n k); (cond ((= k 0) #t) ((rand-test n) (fermat-test n (- k 1))) (else #f))) Worst-case time complexity: (log n) if k is constant Even if n is a 1000 digit number, it is still okay! מבוא מורחב - שיעור 6

  20. Is the Fermat test correct? • If the Fermat test says that a number n is composite,then the number n is indeed a composite number. • If n is a prime number, the Fermat test will always say that n is prime. But, • Can the Fermat test say that a composite number is prime? • What is the probability that this will happen? מבוא מורחב - שיעור 6

  21. Carmichael numbers A composite number n is a Carmichael number iff an  a (mod n)for every integer a. The first Carmichael numbers are: 561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, 15841, … Theorem:n is a Carmichael number iff n=p1p2…pk, where p1 , p2 , … , pk are primes and pi-1 divides n-1, for i=1,…,k. On Carmichael numbers, the Fermat test is always wrong! Carmichael numbers are fairly rare. (There are 255 Carmichael numbers smaller than 100,000,000). מבוא מורחב - שיעור 6

  22. Theorem: (Rabin ’77) If n is a composite number that is not a Carmichael number, then at least halfof the numbers between 1 and n are witnesses to the compositeness of n. Corollary: Let n be a composite number that is not a Carmichael number. If we pick a random number a, 1<a<n, then a is a witness with a probability of at least a 1/2 ! מבוא מורחב - שיעור 6

  23. “Correctness” of the Fermat test • If n is prime, the Fermat test is always right. • If n is a Carmichael number, the Fermat test is always wrong! • If n is composite number that is not a Carmichael number, the Fermat test is wrong with a probability of at most 2-100. Is an error probability of2-100acceptable? Yes! מבוא מורחב - שיעור 6

  24. The Rabin-Miller test • A fairly simple modification of the Fermat test that is correct with a probability of at least 1-2-100 also on Carmichael numbers. • Will not be covered in this course. מבוא מורחב - שיעור 6

  25. Probabilistic algorithms An algorithm that uses random choices but outputs the correct result, with high probability,for every input! Randomness is a very useful algorithmic tool. Until the year 2002, there were no efficient deterministic primality testing algorithms. In 2002, Agarwal, Kayal and Saxena found a fast deterministic primality testing algorithm. מבוא מורחב - שיעור 6

  26. Finding large prime numbers The prime number Theorem: The number of prime numbers smaller than n is asymptotically n / ln n. Thus, for every number n, there is “likely” to be a prime number between n and n + ln n. To find a prime number roughly the size of (odd) n, simply test n, n+2, n+4, … for primality. (define (find-prime n t) (if (fermat-test n t) n (find-prime (+ n 2) t))) מבוא מורחב - שיעור 6

  27. > (find-prime (+ (exp 2 200) 1) 20) 1606938044258990275541962092341162602522202993782792835301611 > (find-prime (+ (exp 2 500) 1) 20) 3273390607896141870013189696827599152216642046043064789483291368096133796404674554883270092325904157150886684127560071009217256545885393053328527589431 > (find-prime (+ (exp 2 1000) 1) 20) 10715086071862673209484250490600018105614048117055336074437503883703510511249361224931983788156958581275946729175531468251871452856923140435984577574698574803934567774824230985421074605062371141877954182153046474983581941267398767559165543946077062914571196477686542167660429831652624386837205668069673 מבוא מורחב - שיעור 6

  28. Primality testing versus Factoring • Fast primality testing algorithms determine that a number n is composite without finding any of its factors. • No efficient factoring algorithms are known. • Factoring a number is believed to be a much harder task. Primality testing - Easy Factoring - Hard Now: Use the ease of primality and hardness of factoring מבוא מורחב - שיעור 6

  29. Cryptography Eve Alice Bob מבוא מורחב - שיעור 6

  30. Traditional solution: classical cryptography #$%&*() Hi Bob! Hi Bob! Eve Decryption Encryption Alice Bob Encryptionkey Decryptionkey מבוא מורחב - שיעור 6

  31. In classical cryptography: • The two parties (Alice and Bob) should agree in advance on the encryption/decryption key. • The encryption and decryption keys are either identical or easily derived from one another. מבוא מורחב - שיעור 6

  32. The internet age Bob Calvin Alice Donald Felix Eve מבוא מורחב - שיעור 6

  33. Public key cryptology • A system in which it is infeasible to deduce the decryption key from the encryption key. • Each user publishes an encryption key that should be used for sending messages to her, but keeps her decryption key private. • Is it possible to construct secure public key cryptosystems? מבוא מורחב - שיעור 6

  34. The RSA public key cryptosystem [Rivest, Shamir, Adleman (1977)] Bob: Picks two huge primes p and q. Calculates n=pq, and announces n. Chooses and announce integer e prime to (p-1)(q-1) e and (p-1)(q-1) have no common divisor other than 1 Calculates the unique d such that de = 1(mod(p-1)(q-1)) It is believed that computing d, without knowing p and q, is hard. מבוא מורחב - שיעור 6

  35. The RSA cryptosystem (cont.) EBob(m) = me (mod n) DBob(m) = md (mod n) Lemma:DBob(EBob(m)) = m To send a message m(0≤m<n) to Bob, Alice computes c=EBob(m) and sends it to Bob. To decipher the message, Bob computesm=DBob(c) מבוא מורחב - שיעור 6

  36. (define p 17) (define q 13) (define n (* p q)) (define base (* (- p 1) (- q 1))) (define e 35) (define d (find-d e base)) (display d) (define message 121) (display message) (newline) (define alice-message (expmod message e n) (newline) (define bob-decipher (expmod alice-message d n) (display bob-decipher) ; d = 11 מבוא מורחב - שיעור 6

  37. Find-d (define (find-d e base) (define (guess d) (if ( = (remainder (* d e) base) 1) d (guess (+ d 1)) ) ) (guess 0) ) Obviously, not the way this is done for real numbers.. Why? מבוא מורחב - שיעור 6

  38. Some executions • message 121 • alice-message 127 • bob-decipher 121 • message 21 • alice-message 200 • bob-decipher 21 • message 57 • alice-message 216 • bob-decipher 57 מבוא מורחב - שיעור 6

More Related