Based on Lecture Slides from Steven Rudich, CMU 15 a

Even very simple computation al problems can be surprisingly subtle.

Compiler Translation A compiler must translate a high level language (e.g., C) with complex operations (e.g., exponentiation) into a lower level language (e.g., assembly) that can only support simpler operations (e.g., multiplication).

b:=a 8 b:=a*ab:=b*ab:=b*ab:=b*ab:=b*ab:=b*ab:=b*a b:=a*a b:=b*b This method costs only 3 multiplications. The savings are significant if b:=a 8 is executed often.

General Version Given a constant k, how do we implement b:=a k with the fewest number of multiplications?

Powering By Repeated Multiplication Input: a,n Output: A sequence starting with a, ending with a n, and such that each entry other than the first is the product of previous entries.

Example Input: a,5 Output: a, a 2, a 3, a 4, a 5 or Output: a, a 2, a 3, a 5 or or Output: a, a 2, a 4, a 5

Definition of M(n) M(n) = The minimum number of multiplications required to produce a n by repeated multiplication

What is M(n)? Can we calculate it exactly? Can we approximate it?

Some Very Small Examples What is M(0)? –M(0) does not really make sense What is M(1)? –M(1) = 0[a] What is M(2)? –M(2) = 1[a, a 2 ]

M(8) = ? a, a 2, a 4, a 8 is a way to make a 8 in 3 multiplications. What does this tell us about the value of M(8)?

M(8) = ? a, a 2, a 4, a 8 is a way to make a 8 in 3 multiplications. What does this tell us about the value of M(8)? Upper Bound

Lower Bound

Exhaustive Search. There are only two sequences with 2 multiplications. Neither of them make 8: a, a 2, a 3 & a, a 2, a 4

Upper Bound Lower Bound M(8) = 3

Applying Two Ideas

The a is a red herring. a x times a y is a x+y Everything besides the exponent is inessential. This should be viewed as a problem of repeated addition, rather than repeated multiplication.

Addition Chains M(n) = Number of stages required to make n, where we start at 1 and in each subsequent stage we add two previously constructed numbers.

Examples Addition Chain for 8: Minimal Addition Chain for 8:

M(30) = ? 15 a

Some Addition Chains For

?() ?(? < M Mn 306 ) Take 5 minutes to think like a computer scientist < <<

Let B n be the number of 1s in the binary representation of n. Ex: B 5 = 2 since 101 is the binary representation of 5 Proposition: B n ≤ log 2 (n) + 1 The length of the binary representation of n is bounded by this quantity. Binary Representation ┙ ┕

Binary Method Repeated Squaring Method Repeated Doubling Method Phase I(Repeated Doubling) For Add largest so far to itself (1, 2, 4, 8, 16,... ) Phase II(Make n from bits and pieces) Expand n in binary to see how n is the sum of B n powers of 2. Use B n -1 stages to make n from the powers of 2 created in phase I

Binary Method Applied To 30 Binary Phase I Phase II: (Cost: 7 additions)

The repeated squaring method works for modular arithmetic and for raising a matrix to a power.

The repeated squaring method works for any notion of “multiplication” that is associative. (a*b)*c = a*(b*c)

A Lower Bound Idea You can’t make any number bigger than 2 n in n steps Failure of Imagination?

Induction Proof Theorem: For all n 0, no n stage addition chain will contain a number greater than 2 n Theorem: For all n  0, no n stage addition chain will contain a number greater than 2 n

Let S k be the statement that no k stage addition chain will contain a number greater than 2 k Base case: k=0. S 0 is true since no chain can exceed 2 0 after 0 stages. Let k > 0, S k ⇒ S k + 1 At stage k+1 we add two numbers from the previous stage. From S k we know that they both are bounded by 2 k. Hence, their sum is bounded by 2 k+1. No number greater than 2 k+1 can be present by stage k+1.

Change Of Variable All numbers obtainable in m stages are bounded by 2 m. Let m = log 2 (n). Thus, All numbers obtainable in log 2 (n) stages are bounded by n.

Theorem: The only way to make 2 i in i stages is by repeated doubling Assumption: Let 2 i+1 be the first counter-example to the theorem. To make 2 i+1 at stage i+1 requires that some number of size at least 2 i be present at stage i. By previous result such a number could not be larger than 2 i, and thus equals 2 i. By the assumption, 2 i can only be constructed by repeated doubling. The only possible final move was to double 2 i. Thus 2 i+1 must result from repeated doubling, contradicting the assumption.

5 < M(30) Suppose that M(30)=5. At the last stage, we added two numbers x 1 and x 2 to get 30. Without loss of generality (WLOG), we assume that x 1  x 2. Thus, x 1  15 By doubling bound, x 1  16 But x 1 can’t be 16 since there is only one way to make 16 in 4 stages and it does not make 14 along the way. Thus, x 1 = 15 and M(15)=4

Suppose M(15) = 4 At stage 3, a number bigger than 7.5, but not more than 8 must have existed. There is only one sequence that gets 8 in 3 additions: That sequence does not make 7 along the way and hence there is nothing to add to 8 to make 15 at the next stage. Thus, M(15) > 4. CONTRADICTION.

M(30)=6

Factoring Bound M(ab)  M(a)+M(b)

Factoring Bound M(ab)  M(a)+M(b) Proof: Construct a in M(a) additions Using a as a unit follow a construction method for b using M(b) additions. In other words, every time the construction of b refers to a number x, use the number a times x.

Example 45 = 5 * 9 M(5)=3[ ] M(9)=4 [ ] M(45) 3+4[ ] M(45)  3+4[ ]

Corollary (Using Induction) M(a 1 a 2 a 3 …a n )  M(a 1 )+M(a 2 )+…+M(a n ) Proof: For n=1 the bound clearly holds. Assume it has been shown for up to n-1. Apply theorem using a= a 1 a 2 a 3 …a n-1 and b=a n to obtain: M(a 1 a 2 a 3 …a n )  M(a 1 a 2 a 3 …a n-1 )+M(a n ) By inductive assumption, M(a 1 a 2 a 3 …a n-1 )  M(a 1 )+M(a 2 )+…+M(a n-1 )

More Corollaries Corollary: M(a k )  kM(a) Does equality hold?

M(33) < M(3) + M(11) M(3) = 2[1 2 3] M(11)= 5[ ] M(3) + M(11) = 7 M(33) = 6 [ ] The conjecture of equality fails. There have been many nice conjectures....

Conjecture: M(2n) = M(n) +1 (A. Goulard) A fastest way to an even number is to make half that number and then double it. Proof given in 1895 by E. de Jonquieres in L’Intermediere Des Mathematiques, volume 2, pages FALSE! M(191)=M(382)=11 Furthermore, there are infinitely many such examples.

Open Problem Is there an n such that: M(2n) < M(n)

Conjecture Each stage might as well consist of adding the largest number so far to one of the other numbers. First Counter-example: ,509 [ ]

Open Problem Prove or disprove the Scholz- Brauer Conjecture: M(2 n -1)  n B n (The bound that follows from this lecture is too weak: M(2 n -1)  2n - 1)

The RSA Cryptosystem Rivest, Shamir, and Adelman (1978) RSA is one of the most used cryptographic protocols on the net. Your browser uses it to establish a secure session with a site.

Preview:Instructions For RSA use. Public key: e, n Anyone wishing to send you a message m  Z n *, should send you m e mod n. Private key: d,  (n) When you get an encrypted message m e mod n, do the following: (m e ) d mod n = m ed mod n = m ed mod  (n) mod n = m ed mod  (n) mod n = m mod n = m mod n

Addition And Multiplication Mod n a + b mod n = [(a mod n) + (b mod n)] mod n ab mod n = [ (a mod n)(b mod n) ] mod n This is saying that we can just keep track of remainders mod n as we multiply and add.

( S,●) is called a group if it has these properties: closure: identity: inverse: associativity: Theorem: with multiplication modulo n is a group. = the set of naturals between 1 and n that are relatively prime to n

Computing Inverses In Z n * Suppose we want the inverse of a. In other words, b such that ab = 1 mod n. Using an Extended GCD algorithm Compute GCD(a,n). Of course the answer is 1, but also get r, s such that ra+sn = GCD(a,n) = 1. also get r, s such that ra+sn = GCD(a,n) = 1. Taking both sides mod n, we get ra=1 mod n. Thus r is the inverse of a in the group Z n *

 (n) = size of Z n *  (p) = p-1  (p k ) = p k – p k-1  (pq) =  (p)  (q) p,q distinct primes, actually even if GCD(p,q)=1. The Euler Phi Function

 (pq) = (p-1)(q-1) if p,q distinct primes pq = # of numbers from 1 to pq p = # of multiples of q up to pq q = # of multiples of p up to pq 1 = # of multiple of both p and q up to pq  (pq) = pq – p – q + 1 = (p-1)(q-1)

a  (n) = 1 mod n, if GCD(a,n)=1 Lagrange: The size of any subgroup divides the size of the group. Note: In a finite group, the powers of an element x form a subgroup. Euler’s Corollary: Let G be any finite group of size s: x  G implies X s = 1 Euler’s Corollary for Z n *: a  (n) = 1 mod n

Addition And Multiplication Mod n a + b mod n = [(a mod n) + (b mod n)] mod n ab mod n = [ (a mod n)(b mod n) ] mod n This is saying that we can just keep track of remainders mod n as we multiply and divide.

Law Of Exponents mod n Could it be as simple as: a e mod n = [(a mod n) (e mod n) ] mod n ? 2 16  2 mod 15

Mental Arithmetic Test = ? Mod 15

Mental Arithmetic Test = mod 4 Mod 15 = 7 2 mod 15 = 4 Powers of 7: 1, 7, 4, 13, 1, 7, 4, 13, …

Mental Arithmetic Test = ? Mod 14

Mental Arithmetic Test = mod 6 Mod 14 = 3 2 = 9 Powers of 3 1, 3, 9, 13, 11, 5, 1

Law Of Exponents mod n (Correct) a e mod n = [(a mod n) (e mod  (n)) ] mod n  (n) The exponent must be taken mod  (n)

Law Of Exponents mod n a e mod n = [(a mod n) (e mod  (n)) ] mod n Proof: e = a  (n) + b (b <  (n) ) X e = X a  (n) X b = (X  (n) ) a X b = X b = X e mod  (n)

Instructions For RSA setup 1.Pick 2 random k-bit primes: p and q. Let n = pq. 2.Compute  (n). Pick random e relatively prime to  (n). Compute d = inverse of e mod  (n). d is called your private-key. 3.Publish n and e. These are called your public-key.

Instructions For RSA use. Anyone wishing to send you a message m  Z n *, should send you m e mod n. When you get an encrypted message m e mod n, do the following: (m e ) d = m ed mod n = m ed mod  (n) mod n = m mod n

How Can Eve Break The System? If Eve can quickly compute  (n), then she can compute d from e and read all the messages. This might be easier than factoring.

No one knows how to break RSA quickly. Does this mean it is secure?

RSA has an *amazing* feature. Two people who have never met and have no prior shared secrets can use the system. Without this property, commerce on the net would be impossible.

REFERENCES Coxeter, H. S. M. ``The Golden Section, Phyllotaxis, and Wythoff's Game.'' Scripta Mathematica 19, , "Recounting Fibonacci and Lucas Identities" by Arthur T. Benjamin and Jennifer J. Quinn, The CollegeMathematics Journal, Vol. 30, No. 5, 1999, pp