Presentation is loading. Please wait.

Presentation is loading. Please wait.

MA/CSSE 473 Day 9 Primality Testing Encryption Intro.

Published byMerryl Patrick Modified over 7 years ago

Similar presentations

Presentation on theme: "MA/CSSE 473 Day 9 Primality Testing Encryption Intro."— Presentation transcript:

1 MA/CSSE 473 Day 9 Primality Testing Encryption Intro

2 MA/CSSE 473 Day 09 Quiz Announcements Exam coverage Student questions
Review: Randomized Primality Testing. Miller-Rabin test Generation of large prime numbers Introduction to RSA cryptography 25/37 students had scores above 48. Quote from Dave Rader from last year's "course assessment report": The current book is too low-level, I believe. My concern: The upside: 60% of the students have an A or B+ at this point. The downside: 15% have a grade below "C". When I ask for questions in class, no one has technical questions. Visits to my office to ask about HW problems are very rare. Rather than asking, many of you submit garbage. I give hard problems (not many yet, but many more to come). I don't expect that everyone will get them on your own. Most of you should be able to get most of them; sometimes with some help.

3 Exam 1 resources No books, notes, electronic devices (except a calculator that is not part of a phone, etc.), no earbuds or headphones. I will give you the Master Theorem and the formulas from Appendix A of Levitin. A link to an old Exam 1 is on Day 14 of the schedule page.

4 Exam 1 coverage HW 1-5 Lectures through today
Readings through Chapter 3. There is a lot of "sink in" time before the exam. But of course we will keep looking at new material.

5 Exam 1 If you want additional practice problems for Tuesday's exam:
The "not to turn in" problems from various assignments Feel free to post your solutions in a Piazza discussion forum and ask your classmates if they think it is correct Allowed for exam: Calculator See the exam specification document, linked from the exam day on the schedule page. Pass around attendance sheet.

6 About the exam Mostly it will test your understanding of things in the textbook and things we have discussed in class or that you have done in homework. Will not require a lot of creativity (it's hard to do much of that in 50 minutes). Many short questions, a few calculations. Perhaps some T/F/IDK questions (example: 5/0/3) You may bring a calculator. I will give you the Master Theorem and the formulas from Levitin Appendix A. Time may be a factor! First do the questions you can do quickly

7 Possible Topics for Exam - 2016
Formal definitions of O, , . Recurrences, Master Theorem Fibonacci algorithms and their analysis Efficient numeric multiplication Proofs by induction (ordinary, strong) Extended Binary Trees Trominoes Other HW problems (assigned and suggested) Mathematical Induction Modular multiplication, exponentiation Extended Euclid algorithm Modular inverse What would Donald (Knuth) say? Binary Search Binary Tree Traversals Basic Data Structures (Section 1.4) Graph representations

8 Possible Topics for Exam
Formal definitions of O, ,. Master Theorem Fibonacci algorithms and their analysis Efficient numeric multiplication Proofs by induction (ordinary, strong) Trominoes Extended Binary Trees Modular multiplication, exponentiation Extended Euclid algorithm Modular inverse Fermat's little theorem Rabin-Miller test Random Prime generation RSA encryption What would Donald (Knuth) say?

9 Possible Topics for Exam - 2016
Brute Force algorithms Selection sort Insertion Sort Amortized efficiency analysis Analysis of growable array algorithms Binary Search Binary Tree Traversals Basic Data Structures (Section 1.4) Graph representations BFS, DFS, DAGs & topological sort

10 Possible Topics for Exam
Brute Force algorithms Selection sort Insertion Sort Amortized efficiency analysis Analysis of growable array algorithms Binary Search Binary Tree Traversals Basic Data Structures (Section 1.4) Graph representations BFS, DFS, DAGs & topological sort

11 Recap: Where are we now? For a moment, we pretend that Carmichael numbers do not exist. If N is prime, aN-1  1 (mod N) for all 0 < a < N If N is not prime, then aN-1  1 (mod N) for at most half of the values of a<N. Pr(aN-1  1 (mod N) if N is prime) = 1 Pr(aN-1  1 (mod N) if N is composite) ≤ ½ How to reduce the likelihood of error? Do the test for k randomly-generated values of a < N. Probability of error is < (1/2)^k If k=100, dasGupta says the probability of error is less than the probability of a cosmic ray flipping some bits and messing up your computer's computation

12 The algorithm (modified)
To test N for primality Pick positive integers a1, a2, … , ak < N at random For each ai, check for aiN-1  1 (mod N) Use the Miller-Rabin approach, (next slides) so that Carmichael numbers are unlikely to thwart us. If aiN-1 is not congruent to 1 (mod N), or Miller-Rabin test produces a non-trivial square root of 1 (mod N) return false return true Note that this algorithm may produce a “false prime”, but the probability is very low. Does this work? Note that this algorithm may produce a “false prime”, but the probability is very low if k is large enough.

13 Miller-Rabin test A Carmichael number N is a composite number that passes the Fermat test for all a with 1 ≤ a <N and gcd(a, N)=1. A way around the problem (Rabin and Miller): (Not just for Carmichael numbers). Note that for some t and u (u is odd), N-1 = 2tu. As before, compute aN-1(mod N), but do it this way: Calculate au (mod N), then repeatedly square, to get the sequence au (mod N), a2u (mod N), …, a2tu (mod N)  aN-1 (mod N) Suppose that at some point, a2iu  1 (mod N), but a2i-1u is not congruent to 1 or to N-1 (mod N) then we have found a nontrivial square root of 1 (mod N). We will show that if 1 has a nontrivial square root (mod N), then N cannot be prime. u is odd? Or should I say "u are odd". To most of the world outside Rose-Hulman, if you would take this course or any 400-level CSSE course, U must be odd! Note that this factorization of N-1 can be fast. Just count how many bits at the end of N-1 are 0 to get t, and then bit-shift N-1 to get u. ON BOARD: Note that aN-1 = au(2^t) =(…( (au)2)2… ) square t times

14 Example (first Carmichael number)
N = 561. We might randomly select a = 101. Then 560 = 24∙35, so u=35, t=4 au   560 (mod 561) which is -1 (mod 561) (we can stop here) a2u   1 (mod 561) a16u   1 (mod 561) So 101 is not a witness that 561 is composite (we can say that 101 is a Miller-Rabin liar for 561, if indeed 561 is composite) Try a = 83 au  8335  230 (mod 561) a2u  8370  166 (mod 561) a4u   67 (mod 561) a8u   1 (mod 561) So 83 is a witness that 561 is composite, because 67 is a non-trivial square root of 1 (mod 561). Work through another example with the students. N = 105. Suppose we first try a = 8. (Use the modexp interactive program). Enter 8, 104, 105: Get 1. So it passes the Fermat test. What is u? (13). Do 8^13 (8), 8^26(64), 8^52 (1) Then 29^104 = ^13 = 29, 29^26 = 1

15 Lemma: Modular Square Roots of 1
If there is an s which is neither 1 or -1 (mod N), but s2  1 (mod N), then N is not prime Proof (by contrapositive): Suppose that N is prime and s2  1 (mod N) s2-1  0 (mod N) [subtract 1 from both sides] (s - 1) (s + 1)  0 (mod N) [factor] So N divides (s - 1) (s + 1) [def of congruence] Since N is prime, N divides (s - 1) or N divides (s + 1) [def of prime] s is congruent to either 1 or -1 (mod N) [def of congruence] This proves the lemma, which validates the Miller-Rabin test After Proof (by contrapositive), write the actual contrapositive on the board.

16 Accuracy of the Miller-Rabin Test
Rabin* showed that if N is composite, this test will demonstrate its non-primality for at least ¾ of the numbers a that are in the range 1…N-1, even if N is a Carmichael number. Note that 3/4 is the worst case; randomly-chosen composite numbers have a much higher percentage of witnesses to their non-primeness. If we test several values of a, we have a very low chance of incorrectly flagging a composite number as prime. *Journal of Number Theory 12 (1980) no. 1, pp

17 Efficiency of the Test Testing a k-bit number is Ѳ(k3)
If we use the fastest-known integer multiplication techniques (based on Fast Fourier Transforms), this can be pushed to Ѳ(k2 * log k * log log k)

18 Testing "small" numbers From Wikipedia article on the Miller-Rabin primality test: When the number N we want to test is small, smaller fixed sets of potential witnesses are known to suffice. For example, Jaeschke* has verified that if N < 9,080,191, it is sufficient to test a = 31 and 73 if N < 4,759,123,141, it is sufficient to test a = 2, 7, and 61 if N < 2,152,302,898,747, it is sufficient to test a = 2, 3, 5, 7, 11 if N < 3,474,749,660,383, it is sufficient to test a = 2, 3, 5, 7, 11, 13 if N < 341,550,071,728,321, it is sufficient to test a = 2, 3, 5, 7, 11, 13, 17 * Gerhard Jaeschke, “On strong pseudoprimes to several bases”, Mathematics of Computation 61 (1993)

19 Generating Random Primes
For cryptography, we want to be able to quickly generate random prime numbers with a large number of bits Are prime numbers abundant among all integers? Fortunately, yes Lagrange's prime number theorem Let (N) be the number of primes that are ≤ N, then (N) ≈ N / ln N. Thus the probability that an k-bit number is prime is approximately (2k / ln (2k) )/ 2k ≈ 1.44/ k

20 Random Prime Algorithm
To generate a random k-bit prime: Pick a random k-bit number N Run a primality test on N If it passes, output N Else repeat the process Expected number of iterations is Ѳ(k)

21 Interlude

Download ppt "MA/CSSE 473 Day 9 Primality Testing Encryption Intro."

Similar presentations

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.
Cryptography and Network Security

Cryptography and Network Security
Computability and Complexity

Computability and Complexity
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Fermat’s Little Theorem (2/24) Theorem (flt). If p is prime and GCD(a, p) = 1, then a p – 1  1 (mod p). Again, this says that in a mod p congruence, we.

Fermat’s Little Theorem (2/24) Theorem (flt). If p is prime and GCD(a, p) = 1, then a p – 1  1 (mod p). Again, this says that in a mod p congruence, we.
Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.

Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.
COM 5336 Cryptography Lecture 7a Primality Testing

COM 5336 Cryptography Lecture 7a Primality Testing
Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.

Announcements: 1. Pass in Homework 5 now. 2. Term project groups and topics due by Friday 1.Can use discussion forum to find teammates 3. HW6 posted, due.
CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.

CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
Cryptography and Network Security Chapter 8. Chapter 8 – Introduction to Number Theory The Devil said to Daniel Webster: Set me a task I can't carry.

Cryptography and Network Security Chapter 8. Chapter 8 – Introduction to Number Theory The Devil said to Daniel Webster: "Set me a task I can't carry.
CSE 321 Discrete Structures Winter 2008 Lecture 10 Number Theory: Primality.

CSE 321 Discrete Structures Winter 2008 Lecture 10 Number Theory: Primality.
BY MISS FARAH ADIBAH ADNAN IMK

BY MISS FARAH ADIBAH ADNAN IMK
Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright © The McGraw-Hill Companies, Inc. Permission required.

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright © The McGraw-Hill Companies, Inc. Permission required.

MA/CSSE 473 Day 13 Permutation Generation. MA/CSSE 473 Day 13 HW 6 due Monday, HW 7 next Thursday, Student Questions Tuesday’s exam Permutation generation.

MA/CSSE 473 Day 13 Permutation Generation. MA/CSSE 473 Day 13 HW 6 due Monday, HW 7 next Thursday, Student Questions Tuesday’s exam Permutation generation.
CS 312: Algorithm Analysis Lecture #4: Primality Testing, GCD This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.Creative.

CS 312: Algorithm Analysis Lecture #4: Primality Testing, GCD This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.Creative.
CPSC 490 Number Theory Primes, Factoring and Euler Phi-function Mar.31 st, 2006 Sam Chan.

CPSC 490 Number Theory Primes, Factoring and Euler Phi-function Mar.31 st, 2006 Sam Chan.
MA/CSSE 473 Day 08 Randomized Primality Testing Carmichael Numbers Miller-Rabin test.

MA/CSSE 473 Day 08 Randomized Primality Testing Carmichael Numbers Miller-Rabin test.

Similar presentations

Ads by Google