greatest common divisors and Euclid’s algorithm


1 greatest common divisors and Euclid’s algorithm
Outline
  greatest common divisors and Euclid’s algorithm
  applications of large primes: public-key cryptosystems (RSA)
  primality testing
  integer factorization

2 GCD and Euclid’s algorithm
gcd(a,b) - the greatest common divisor of integers a and b

Euclid(a, b)
  if b = 0 then return a
  else return Euclid(b, a mod b)

Time complexity?

3 Euclid’s algorithm - Complexity
Euclid(a, b)
  if b = 0 then return a
  else return Euclid(b, a mod b)

Theorem
If a > b ≥ 0 and the invocation of Euclid performs k ≥ 1 recursive calls, then a ≥ F_{k+2} and b ≥ F_{k+1}
(where F_k is the k-th Fibonacci number).

4 Euclid’s algorithm - Complexity
Theorem
If a > b ≥ 0 and the invocation of Euclid performs k ≥ 1 recursive calls, then a ≥ F_{k+2} and b ≥ F_{k+1}.

Proof (induction on k)
k = 1 ⇒ b ≥ 1 = F_2, a ≥ 2 = F_3. OK
k = n – 1 ⇒ b ≥ F_n, a ≥ F_{n+1} (induction hypothesis)
Assume k = n: the call Euclid(b, a mod b) performs n – 1 recursive calls, so a mod b ≥ F_n and b ≥ F_{n+1}
⇒ a ≥ b + a mod b ≥ F_{n+1} + F_n = F_{n+2}, b ≥ F_{n+1}. OK

5 Euclid’s algorithm - Complexity
Theorem
If a > b ≥ 0 and the invocation of Euclid performs k ≥ 1 recursive calls, then a ≥ F_{k+2} and b ≥ F_{k+1}.

F_k ≈ ((1 + √5) / 2)^k / √5
(√2)^k < F_k < 2^k
β = max{log a, log b} - number of bits needed to encode a and b
T’(a,b) = Θ(β) - number of arithmetic operations
T(a,b) = Θ(β^3) - total complexity (each arithmetic operation on β-bit numbers costs Θ(β^2))
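The bound above can be checked mechanically. The following is an added example, not code from the slides: it counts the recursive calls Euclid makes, verifies a ≥ F_{k+2} and b ≥ F_{k+1} exhaustively for small inputs, and shows that consecutive Fibonacci numbers are the worst case (they attain the bound with equality).

```python
# Added example (not from the slides): count the recursive calls of Euclid
# and check the theorem a >= F_{k+2}, b >= F_{k+1}.

def euclid_calls(a, b):
    """Return (gcd(a, b), k) where k is the number of recursive calls
    made by Euclid(a, b) = Euclid(b, a mod b) as written on the slide."""
    k = 0
    while b != 0:
        a, b = b, a % b
        k += 1
    return a, k

def fib(k):
    """k-th Fibonacci number with F_0 = 0, F_1 = F_2 = 1."""
    x, y = 0, 1
    for _ in range(k):
        x, y = y, x + y
    return x

def bound_holds(a, b):
    """The theorem's claim for one pair a > b >= 0 (k >= 1 required)."""
    _, k = euclid_calls(a, b)
    return k == 0 or (a >= fib(k + 2) and b >= fib(k + 1))

def check_all(limit):
    """Exhaustively verify the bound for all 0 <= b < a <= limit."""
    return all(bound_holds(a, b)
               for a in range(1, limit + 1) for b in range(a))

def worst_case_calls(k):
    """Consecutive Fibonacci numbers (F_{k+2}, F_{k+1}) need exactly k calls,
    so they attain the bound; returns that call count."""
    return euclid_calls(fib(k + 2), fib(k + 1))[1]
```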

6 Extended Euclid’s algorithm
d = gcd(a,b) - the greatest common divisor of integers a and b
There exist integers x and y such that d = ax + by

ExtendedEuclid(a, b)
  if b = 0 then return (a, 1, 0)
  (d’, x’, y’) ← ExtendedEuclid(b, a mod b)
  (d, x, y) ← (d’, y’, x’ – ⌊a/b⌋ y’)
  return (d, x, y)

7 Extended Euclid’s algorithm - Example
ExtendedEuclid(a, b)
  if b = 0 then return (a, 1, 0)
  (d’, x’, y’) ← ExtendedEuclid(b, a mod b)
  (d, x, y) ← (d’, y’, x’ – ⌊a/b⌋ y’)
  return (d, x, y)
[Adapted from T.Cormen, C.Leiserson, R. Rivest]

8 Complexity of modular operations
Multiplication: for given a and b find x such that ab mod n = x
one multiplication + one division, i.e. time complexity Θ(β^2)

9 Complexity of modular operations
Division: for given a and b find x such that bx mod n = a
Such an x does not always exist - we must have gcd(b,n) | a
Extended Euclid's algorithm finds u and v such that gcd(s,t) = su + tv
Take s = b and t = n and set x = u · a / gcd(b,n)
Time complexity Θ(β^3)

10 Complexity of modular operations
Exponentiation: for given a and b find x such that a^b mod n = x
Time complexity?

11 Modular Exponentiation
ModularExponentiation(base a, degree b, modulus n)
  let <b_k, b_{k–1}, ..., b_0> be the binary representation of b
  c ← 0
  d ← 1
  for i ← k downto 0 do
    c ← 2 · c
    d ← (d · d) mod n
    if b_i = 1 then
      c ← c + 1
      d ← (d · a) mod n
  return d

Time complexity T(β) = Θ(β^3)

12 Modular Exponentiation - example
ModularExponentiation(a, b, n)
  c ← 0; d ← 1
  for i ← k downto 0 do
    c ← 2 · c
    d ← (d · d) mod n
    if b_i = 1 then
      c ← c + 1
      d ← (d · a) mod n
  return d
[Adapted from T.Cormen, C.Leiserson, R. Rivest]

13 Public-key cryptosystems
P: Σ* → Σ* public key
S: Σ* → Σ* secret key
For an arbitrary message M ∈ Σ* we must have: M = S(P(M)), and M = P(S(M))

14 The RSA public-key cryptosystem
p, q - two large primes (100 digits or more)
n = pq
e - small odd integer that is relatively prime to (p – 1)(q – 1)
d - integer such that de ≡ 1 (mod (p – 1)(q – 1)) (it can be shown that it always exists)
P = (e,n) - public key
S = (d,n) - secret key
Encoding: P(M) = M^e (mod n)
Decoding: S(C) = C^d (mod n)
It works!
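The pieces from slides 6 to 14 fit together as follows. This is an added example, not code from the slides or from Cormen, Leiserson and Rivest: ExtendedEuclid solves the modular division of slide 9, which yields d from e, and square-and-multiply does the encoding and decoding. The primes are deliberately tiny so the arithmetic can be followed by hand; a real key needs primes of the size the slide states.

```python
# Added example (not from the slides): ExtendedEuclid, modular division and
# ModularExponentiation in Python, used to build a toy RSA key pair.
from math import gcd

def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y (slide 6)."""
    if b == 0:
        return a, 1, 0
    d, x1, y1 = extended_euclid(b, a % b)
    return d, y1, x1 - (a // b) * y1

def mod_divide(a, b, n):
    """Solve b*x = a (mod n) as on slide 9; requires gcd(b, n) | a."""
    d, u, _ = extended_euclid(b, n)      # d = b*u + n*v
    if a % d != 0:
        raise ValueError("no solution: gcd(b, n) does not divide a")
    return (u * (a // d)) % n

def modular_exponentiation(a, b, n):
    """Square-and-multiply over the bits of b, high bit first (slide 11)."""
    d = 1
    for bit in bin(b)[2:]:               # <b_k, ..., b_0>
        d = (d * d) % n
        if bit == "1":
            d = (d * a) % n
    return d

def rsa_keygen(p, q, e):
    """Slide 14: n = pq, e odd and coprime to (p-1)(q-1),
    d = e^-1 mod (p-1)(q-1).  Returns (public key, secret key)."""
    phi = (p - 1) * (q - 1)
    if e % 2 == 0 or gcd(e, phi) != 1:
        raise ValueError("e must be odd and coprime to (p-1)(q-1)")
    d = mod_divide(1, e, phi)            # d*e = 1 (mod phi)
    return (e, p * q), (d, p * q)

def rsa_apply(key, m):
    """P(M) = M^e mod n and S(C) = C^d mod n are the same operation."""
    exp, n = key
    return modular_exponentiation(m, exp, n)
```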

15 Fermat's Theorem
Fermat's little Theorem
If p is prime then a^p ≡ a (mod p); if gcd(a,p) = 1 then a^{p–1} ≡ 1 (mod p).
Proof?

16 Fermat's Theorem

17 RSA - Correctness
n = pq
e - odd and relatively prime to (p – 1)(q – 1)
d - such that de ≡ 1 (mod (p – 1)(q – 1))
P(M) = M^e (mod n), S(C) = C^d (mod n)
P(S(M)) = S(P(M)) = M^{ed} (mod n), ed = 1 + k(p – 1)(q – 1)
M ≢ 0 (mod p) ⇒ M^{ed} ≡ M (M^{p–1})^{k(q–1)} (mod p) ≡ M · 1^{k(q–1)} (mod p) ≡ M (mod p) (by Fermat's little theorem)
M ≡ 0 (mod p) ⇒ M^{ed} ≡ 0 ≡ M (mod p)

18 RSA - Correctness
M^{ed} ≡ M (mod p)
M^{ed} ≡ M (mod q) (by the same argument)
Thus M^{ed} ≡ M (mod n), since p and q are distinct primes

19 RSA - Complexity
Encoding: P(M) = M^e (mod n)
Decoding: S(C) = C^d (mod n)

20 RSA - Complexity
Encoding: P(M) = M^e (mod n)
Decoding: S(C) = C^d (mod n)
T_E(M) = O(β^3) (and T_E(M) = Θ(β^2) for small e)
T_D(M) = Θ(β^3)

21 RSA - Key management mode
Encryption:
  Encrypt the message with a random key K (using a traditional symmetric method)
  Send the encrypted message
  Send K encrypted with a public-key method

22 Public-key cryptosystems - Encryption
[Adapted from T.Cormen, C.Leiserson, R. Rivest]

23 RSA + One-way hash functions
h - a one-way hash function (easy to compute, but for a given M it is hard to find M’ ≠ M with h(M) = h(M’))
Digital signature:
  Send message M
  Send encrypted pair (h(M),)

24 Public-key cryptosystems - Digital signature
[Adapted from T.Cormen, C.Leiserson, R. Rivest]

25 Finding primes - Erasthothenes sieve

26 Distribution of primes

27 Distribution of primes

28 Illegal primes :)
An 1811-digit prime number represents an executable program that performs DeCSS decryption
Technically illegal in some weird countries (e.g. USA)

29 Finding large primes
π(n) - the number of primes less than or equal to n
Prime number theorem: lim_{n→∞} π(n) / (n / ln n) = 1
n / ln n tends to be a good approximation of π(n)
n =    π(n) =    n / ln n =    (the table of values is not reproduced in the transcript)

30 Finding large primes
lim_{n→∞} π(n) / (n / ln n) = 1
Idea how to find a prime of approximately the size of n: consider randomly chosen integers close to n and check whether they are primes. On average you will need to examine ln n integers.

31 Primality testing
The problem: For a given integer n decide whether n is prime.
A simple solution: Try to divide n by 2 and by all odd integers 3, 5, ..., n^{1/2}.
Time complexity of such an approach is Θ(2^{β/2}), where β is the number of bits needed to encode n (β = log n).
Advantage: we also get factors of n (if n is not prime).

32 What we need from number theory
Extended Euclid's algorithm
d = gcd(a,b) - the greatest common divisor of integers a and b
There exist integers x and y such that d = ax + by
Fermat's little Theorem
If p is prime and gcd(a,p) = 1 then a^{p–1} ≡ 1 (mod p).

33 Square roots of 1 modulo n
Quadratic residue theorem
If there exists an integer 1 < x < n – 1 such that x^2 ≡ 1 (mod n), then n is composite.
Proof
x^2 ≡ 1 (mod n), 2 ≤ x ≤ n – 2
x^2 – 1 = kn, 1 ≤ k ≤ n – 2
(x – 1)(x + 1) = kn, but neither x – 1 nor x + 1 is divisible by n (both lie strictly between 0 and n), so n cannot be prime

34 What we need from number theory
Chinese remainder theorem
Suppose n_1, n_2, ..., n_k are integers which are pairwise coprime. Then, for any given integers a_1, a_2, ..., a_k, there exists an integer x solving the system of simultaneous congruences:
(the system is not reproduced in the transcript)
Furthermore, all solutions x to this system are congruent modulo the product N = n_1 n_2 ... n_k.

35 Something from algebra and number theory
  Euclid's algorithm
  groups and Lagrange's theorem
  additive group Z_n
  multiplicative group Z*_n
  Fermat's theorem
  primitive roots modulo n

36 Groups and Lagrange's theorem
Consider a set G and a binary operator +.
Definition
The pair (G,+) is a group if there is e ∈ G such that for all a, b, c ∈ G:
  a + b ∈ G
  (a + b) + c = a + (b + c)
  a + e = a and e + a = a
  there exists a unique –a such that a + (–a) = e and (–a) + a = e
(X,+) is a subgroup of (G,+) if X ⊆ G and (X,+) is a group
X < G - notation that X is a subgroup of G
o(G) - order of the group = number of elements in G
⟨a⟩ - subgroup generated by a ∈ G

37 Groups and Lagrange's theorem
If H < G then o(H) | o(G)
Proof
let g ∈ G; then all elements of the form g + h, h ∈ H, are distinct and |{g + h | h ∈ H}| = o(H)
each element g ∈ G belongs to the set {g + h | h ∈ H} (these sets are called cosets)
thus G is a union of disjoint cosets, each having o(H) elements
Hence o(H) | o(G)

38 Additive group Z_n
n - a positive integer
Set of elements Z_n = {0, 1, 2, ..., n–1}
Operation "+": for x, y ∈ Z_n define x + y to be the integer equal to (x + y) mod n
o(Z_n) = n

39 Multiplicative group Z*_n
n - a positive integer
Set of elements Z*_n = {a ∈ Z_n | gcd(a,n) = 1}
Operation "·": for x, y ∈ Z*_n define x·y to be the integer equal to xy mod n
Z*_n is a group!
o(Z*_n) = φ(n) (Euler's phi function)
If p is prime and n = p^e then φ(n) = (p – 1)p^{e–1}

40 Fermat's Theorem
Euler's Theorem
For n > 1 and all a ∈ Z*_n we have a^{φ(n)} ≡ 1 (mod n).
Proof
Let h = o(a), i.e. a^h ≡ 1 (mod n). Then h | φ(n) (Lagrange's theorem applied to ⟨a⟩ < Z*_n) and hence a^{φ(n)} ≡ 1 (mod n).
Fermat's little Theorem
If p is prime and gcd(a,p) = 1 then a^{p–1} ≡ 1 (mod p): here p – 1 = φ(n) for n = p.

41 Primitive roots modulo n
Theorem
Z*_n is cyclic (i.e. there exists a ∈ Z*_n with o(a) = o(Z*_n)) if and only if n = 2, n = 4, n = p^m, or n = 2p^m for some odd prime p and some m > 0.
Partial proof (and we are more interested in the "if" part :)
We will consider just the case n = p...

42 Primitive roots modulo n
Proposition 1
Let d | p – 1. Then there are exactly d solutions (mod p) to the equation x^d – 1 ≡ 0 (mod p).
Proof
de = p – 1. x^{p–1} – 1 = (x^d)^e – 1 = (x^d – 1) g(x), where g has degree p – 1 – d.
From Fermat's theorem, a^{p–1} ≡ 1 (mod p) for all a ∈ Z*_p. Thus all p – 1 elements of Z*_p are roots of x^{p–1} – 1.
g(x) has at most p – d – 1 roots, thus x^d – 1 must have (at least d, and so exactly) d roots.

43 Primitive roots modulo n
Proposition 2
a, b ∈ Z*_n, o(a) = r, o(b) = s and gcd(r,s) = 1. Then o(ab) = rs.
Proof
(ab)^{rs} = a^{rs} b^{rs} = 1. Thus o(ab) = xy, where x | r and y | s.
Assume r = xu and s = yv. a^{uxy} b^{uxy} = 1 and a^{uxy} = 1. Then b^{uxy} = 1 and s | uxy; since gcd(s, ux) = 1, s = y.
Similarly we show that r = x. Therefore o(ab) = rs.

44 Primitive roots modulo n
Theorem
Z*_n is cyclic (i.e. there exists a ∈ Z*_n with o(a) = o(Z*_n)) if and only if n = 2, n = 4, n = p^m, or n = 2p^m for some odd prime p and some m > 0.
Proposition 1
Let d | p – 1. Then there are exactly d solutions (mod p) to the equation x^d – 1 ≡ 0 (mod p).
Proposition 2
a, b ∈ Z*_n, o(a) = r, o(b) = s and gcd(r,s) = 1. Then o(ab) = rs.

45 Primitive roots modulo n
Partial proof (and we are more interested in the "if" part :)
n = p. Let p – 1 = q_1^{n_1} ... q_r^{n_r}, where the q_i's are distinct primes.
By Proposition 1, f(x) = x^{q_i^{n_i}} – 1 has exactly q_i^{n_i} roots and g(x) = x^{q_i^{n_i – 1}} – 1 has exactly q_i^{n_i – 1} roots.
There exists a_i which is a root of f(x) but not of g(x). o(a_i) = q_i^{n_i}.
a = a_1 ... a_r. o(a) = p – 1 (Proposition 2).
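The construction in this proof can be run directly. The following is an added example, not code from the slides: for a prime p it factors p – 1, picks for each prime power q_i^{n_i} an element a_i that is a root of f(x) but not of g(x) (so o(a_i) = q_i^{n_i}), and multiplies them to obtain a generator of Z*_p, as Propositions 1 and 2 guarantee. The factorization uses trial division, so it is meant for small p only.

```python
# Added example (not from the slides): the constructive "if" direction
# for n = p, building a primitive root from elements of prime-power order.

def prime_power_factors(m):
    """Return {q: e} with m = product of q^e (trial division, m small)."""
    factors, q = {}, 2
    while q * q <= m:
        while m % q == 0:
            factors[q] = factors.get(q, 0) + 1
            m //= q
        q += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors

def element_of_order(p, qe, qe_prev):
    """Slide 45: some a_i is a root of x^(q^n) - 1 but not of x^(q^(n-1)) - 1,
    so its order is exactly q^n.  Here qe = q^n and qe_prev = q^(n-1)."""
    for x in range(2, p):
        if pow(x, qe, p) == 1 and pow(x, qe_prev, p) != 1:
            return x
    raise ValueError("no element of that order")   # cannot happen for prime p

def order(a, p):
    """Multiplicative order of a in Z*_p, by repeated multiplication."""
    k, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        k += 1
    return k

def primitive_root(p):
    """a = a_1 * ... * a_r has order p - 1 by Proposition 2 (coprime orders)."""
    a = 1
    for q, e in prime_power_factors(p - 1).items():
        a = (a * element_of_order(p, q ** e, q ** (e - 1))) % p
    return a
```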

46 Finding large primes
π(n) - the number of primes less than or equal to n
Prime number theorem: lim_{n→∞} π(n) / (n / ln n) = 1
n / ln n tends to be a good approximation of π(n)
n =    π(n) =    n / ln n =    (the table of values is not reproduced in the transcript)

47 Finding large primes
lim_{n→∞} π(n) / (n / ln n) = 1
Idea how to find a prime of approximately the size of n: consider randomly chosen integers close to n and check whether they are primes. On average you will need to examine ln n integers.

48 Primality testing
The problem: For a given integer n decide whether n is prime.
A simple solution: Try to divide n by 2 and by all odd integers 3, 5, ..., n^{1/2}.
Time complexity of such an approach is Θ(2^{β/2}), where β is the number of bits needed to encode n (β = log n).
Advantage: we also get factors of n (if n is not prime).

49 Primality testing - Fermat’s theorem
a^{n–1} ≡ 1 (mod n) for all primes n and all integers a > 1 with gcd(a,n) = 1.
What happens when n is not prime?
Composite integers n that satisfy a^{n–1} ≡ 1 (mod n) for all a > 1 with gcd(a,n) = 1 are called Carmichael numbers.
They are quite rare: the first three are 561, 1105, 1729; there are only 255 of them less than (bound not reproduced in the transcript)

50 PseudoPrime algorithm
PseudoPrime(n)
  if ModularExponentiation(2, n – 1, n) ≢ 1 (mod n)
    then return Composite   (definitely)
    else return Prime       (we hope)

ModularExponentiation(a, k, n) computes the value a^k mod n

51 Square roots of 1 modulo n
Quadratic residue theorem
If there exists an integer 1 < x < n – 1 such that x^2 ≡ 1 (mod n), then n is composite.
Therefore, n will be composite if:
  (1) we can find a such that a^{n–1} ≢ 1 (mod n)
  (2) we can find x, 1 < x < n – 1, such that x^2 ≡ 1 (mod n)
a is chosen randomly and tested for (1); for (2), all intermediate values arising in the computation of a^{n–1} are tested

52 Miller-Rabin algorithm - scheme
[Adapted from D.Harel]

53 Miller-Rabin algorithm
MillerRabin(n, s)
  for j ← 1 to s do
    a ← Random(1, n – 1)
    if Witness(a, n) then return Composite   (definitely)
  return Prime   (almost surely)

54 Miller-Rabin algorithm
Witness(a, n)
  let <b_k, b_{k–1}, ..., b_0> be the binary representation of n – 1
  d ← 1
  for i ← k downto 0 do
    x ← d
    d ← (d · d) mod n
    if d = 1 and x ≠ 1 and x ≠ n – 1 then return True
    if b_i = 1 then d ← (d · a) mod n
  if d ≠ 1 then return True
  return False
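PseudoPrime (slide 50) and Witness/MillerRabin (slides 53 and 54) behave differently on a Carmichael number, and the difference is visible with the first one, 561. The following is an added example, not code from the slides: it implements both tests as written and also counts how many bases are witnesses, which the theorem on slide 55 bounds from below.

```python
# Added example (not from the slides): the Fermat-based PseudoPrime test and
# the slides' Witness/MillerRabin, compared on the Carmichael number 561.
import random

def pseudo_prime(n):
    """Slide 50: Composite is definite, Prime is only hoped for."""
    return "Composite" if pow(2, n - 1, n) != 1 else "Prime"

def witness(a, n):
    """True if a proves n composite: either a^(n-1) != 1 (mod n), or a
    non-trivial square root of 1 shows up while squaring (slide 54)."""
    d = 1
    for bit in bin(n - 1)[2:]:          # <b_k, ..., b_0> of n - 1
        x = d
        d = (d * d) % n
        if d == 1 and x != 1 and x != n - 1:
            return True                 # x^2 = 1 with x != +-1 (slide 33)
        if bit == "1":
            d = (d * a) % n
    return d != 1                       # Fermat's theorem fails for a

def miller_rabin(n, s):
    """Slide 53: s random bases; error probability at most 2^-s."""
    for _ in range(s):
        a = random.randint(1, n - 1)
        if witness(a, n):
            return "Composite"
    return "Prime"

def witness_fraction(n):
    """Fraction of a in [1, n-1] that are witnesses; the theorem on slide 55
    says this is at least 1/2 for every odd composite n (and 0 for primes)."""
    w = sum(witness(a, n) for a in range(1, n))
    return w / (n - 1)
```

For 561 the Fermat test with base 2 reports Prime, while Witness(2, 561) finds 67 as a non-trivial square root of 1 (67^2 ≡ 1 mod 561) during the squaring steps and reports Composite.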

55 Miller-Rabin algorithm - Correctness
Theorem If n is an odd composite number, then the number of witnesses to the compositeness of n is at least (n–1)/2.

56 Miller-Rabin algorithm - Correctness
Observation: For any non-witness a we must have gcd(a,n) = 1 (since a^{n–1} – 1 must be divisible by n, any common divisor of a and n divides 1)

57 Miller-Rabin algorithm - Correctness - I
Case 1: There exists an x such that x^{n–1} ≢ 1 (mod n)
A = {0 < a < n | a^{n–1} ≡ 1 (mod n)} = {a_1, ..., a_k}
x ∉ A (and gcd(n,x) = 1)
All numbers x·a_1 (mod n), ..., x·a_k (mod n) are different and do not belong to A
So there are at least (n–1)/2 integers in the interval [1, n–1] that are not in A, and each of them is a witness.

58 Miller-Rabin algorithm - Correctness - II
Case 2: For all x (with gcd(x,n) = 1) we have x^{n–1} ≡ 1 (mod n)
n ≠ p^e, where p is prime; otherwise:
  φ(n) = (p – 1)p^{e–1}
  Z*_n is cyclic and there is an element a of order φ(n)
  Then a^{n–1} ≡ 1 (mod n) and o(a) = φ(n), so (p – 1)p^{e–1} | p^e – 1
  Thus e = 1 and n is prime, contradicting our assumption.

59 Miller-Rabin algorithm - Correctness - II
Case 2: For all x we have x^{n–1} ≡ 1 (mod n)
n = cd, where c, d > 1 and are relatively prime
n – 1 = 2^t u, where t ≥ 1 and u is odd
For all a, 0 < a < n, consider the sequence A = <a^u, a^{2u}, a^{2^2 u}, ..., a^{2^t u}> (all elements modulo n)
These are the last t + 1 values of d computed by Witness

60 Miller-Rabin algorithm - Correctness - II
Witness(a, n)
  let <b_k, b_{k–1}, ..., b_0> be the binary representation of n – 1
  d ← 1
  for i ← k downto 0 do
    x ← d
    d ← (d · d) mod n
    if d = 1 and x ≠ 1 and x ≠ n – 1 then return True
    if b_i = 1 then d ← (d · a) mod n
  if d ≠ 1 then return True
  return False

61 Miller-Rabin algorithm - Correctness - II
Case 2: For all x we have x^{n–1} ≡ 1 (mod n)
n = cd, where c, d > 1 and are relatively prime
Find the largest j such that 0 ≤ j ≤ t and v^{2^j u} ≡ –1 (mod n) for some v (such j exists since the property holds for j = 0 and v = n – 1)
B = {0 < x < n | x^{2^j u} ≡ ±1 (mod n)} = {b_1, ..., b_k}
Every non-witness is a member of B

62 Miller-Rabin algorithm - Correctness - II
Case 2: For all x we have x^{n–1} ≡ 1 (mod n)
n = cd, where c, d > 1 and are relatively prime
B = {0 < x < n | x^{2^j u} ≡ ±1 (mod n)} = {b_1, ..., b_k}
If y ∉ B, then all numbers y·b_1 (mod n), ..., y·b_k (mod n) are different and do not belong to B
Is there a number z such that 0 < z < n and z ∉ B?

63 Miller-Rabin algorithm - Correctness - II
v^{2^j u} ≡ –1 (mod n), n = cd
Then v^{2^j u} ≡ –1 (mod c)
There exists w such that w ≡ v (mod c) and w ≡ 1 (mod d) (Chinese remainder theorem)
Therefore w^{2^j u} ≡ –1 (mod c) and w^{2^j u} ≡ 1 (mod d)
And thus w^{2^j u} ≢ ±1 (mod n), i.e. w ∉ B
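The construction of slides 61 to 63 can be carried out explicitly for a small odd composite n = cd with gcd(c, d) = 1. The following is an added example, not code from the slides: it finds the largest j for which some v has v^{2^j u} ≡ –1 (mod n), builds w from v by the Chinese remainder theorem, and checks that w lies outside B. The search over v is brute force, so it is for small n only.

```python
# Added example (not from the slides): the element w outside B, built by the
# Chinese remainder theorem as on slide 63, for a small n = c*d.
from math import gcd

def split_n_minus_1(n):
    """n - 1 = 2^t * u with u odd (slide 59)."""
    t, u = 0, n - 1
    while u % 2 == 0:
        t, u = t + 1, u // 2
    return t, u

def largest_j(n):
    """Largest j in [0, t] with v^(2^j u) = -1 (mod n) for some v (slide 61);
    j = 0 always works with v = n - 1.  Returns (j, smallest such v)."""
    t, u = split_n_minus_1(n)
    for j in range(t, -1, -1):
        for v in range(1, n):
            if pow(v, (2 ** j) * u, n) == n - 1:
                return j, v
    raise AssertionError("unreachable: j = 0, v = n - 1 always qualifies")

def in_B(x, n, j):
    """B = {0 < x < n | x^(2^j u) = +-1 (mod n)} (slide 61)."""
    _, u = split_n_minus_1(n)
    return pow(x, (2 ** j) * u, n) in (1, n - 1)

def crt_two(r1, m1, r2, m2):
    """Smallest w >= 0 with w = r1 (mod m1) and w = r2 (mod m2), gcd(m1, m2) = 1."""
    inv = pow(m1, -1, m2)                 # modular inverse (Python 3.8+)
    return (r1 + m1 * (((r2 - r1) * inv) % m2)) % (m1 * m2)

def outside_B(n, c, d):
    """Slide 63: with v^(2^j u) = -1 (mod n), take w = v (mod c), w = 1 (mod d).
    Then w^(2^j u) is -1 mod c but 1 mod d, so it is neither 1 nor -1 mod n.
    Returns (w, j)."""
    assert n == c * d and gcd(c, d) == 1 and c > 1 and d > 1
    j, v = largest_j(n)
    w = crt_two(v % c, c, 1, d)
    return w, j
```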

64 Miller-Rabin algorithm - Correctness
Theorem For any odd integer n > 2 and positive integer s, the probability that the Miller-Rabin algorithm outputs an incorrect answer is at most 2^{–s}.

65 Miller-Rabin algorithm - Complexity
MillerRabin(n, s)
  for j ← 1 to s do
    a ← Random(1, n – 1)
    if Witness(a, n) then return Composite   (definitely)
  return Prime   (almost surely)

T(n,s) = Θ(s β^3) = Θ(s (log n)^3)
ε - allowed error probability
T(n, ε) = Θ(log(1/ε) (log n)^3)

66 Primality testing - Riemann hypothesis
The Riemann zeta function: ζ(s)
The ζ(s) function has the trivial zeros at –2, –4, –6, ... (???)
It is easy to show that for all other zeros 0 ≤ Re(s) ≤ 1
The Riemann hypothesis is that for all nontrivial zeros Re(s) = 1/2

67 Primality testing - Riemann hypothesis
The values of the ζ(s) function (see the colour values below): (plot not reproduced in the transcript)

68 Primality testing - Riemann hypothesis
Generalized Riemann Hypothesis: assumes the RH and that for all nontrivial zeros of the Dirichlet L-functions Re(s) = 1/2
Dirichlet L-functions: (definition not reproduced in the transcript) where χ is a periodic integer function.

69 Primality testing - Other methods
If the generalized Riemann hypothesis holds, then for each composite n there is a witness in {2, 3, ..., c · (log n)^2}, for some computable constant c. [Miller, 1976]
This gives a T(n) = Θ((log n)^2 (log n)^3) = Θ((log n)^5) algorithm
Without the Riemann hypothesis we can obtain a deterministic algorithm with T(n) = O(n^{1/10.89})
The fastest deterministic algorithm works in time T(n) = O((log n)^{log log log n}) [Adleman, Pomerance, Rumely, 1983]
Agrawal-Kayal-Saxena algorithm (2002): T(n) = O((log n)^6)

70 The largest known prime
(five entries of the form ... – 1 (... digits); the exponents and digit counts are not reproduced in the transcript)

71 The largest known prime
Growth of number of digits in largest known primes by years

72 Integer factorization
The problem: For a given integer n find at least one non-trivial factor of n.
A simple solution (the same as for primality testing): Try to divide n by 2 and by all odd integers 3, 5, ..., n^{1/2}.
Time complexity of such an approach is Θ(2^{β/2}), where β is the number of bits needed to encode n (β = log n).

73 RSA challenge [Adapted from RSA Security -

74 RSA challenge [Adapted from RSA Security -

75 Pollard’s rho heuristic
PollardRho(n)
  i ← 1
  x_1 ← Random(0, n – 1)
  y ← x_1
  k ← 2
  while True do
    i ← i + 1
    x_i ← (x_{i–1}^2 – 1) mod n
    d ← gcd(y – x_i, n)
    if d ≠ 1 and d ≠ n then print d
    if i = k then
      y ← x_i
      k ← 2k

76 Pollard’s rho heuristic - What does it do?
Start with a random value x_1
Compute the sequence x_1, x_2, x_3, ... using the formula x_i ← (x_{i–1}^2 – 1) mod n
Save in the variable y the x_i’s whose subscripts are powers of 2, i.e. x_2, x_4, x_8, ...
Try to find a factor using the saved value y and the current value x_i (via gcd(y – x_i, n))

77 Pollard’s rho heuristic - Performance
The algorithm does not terminate at all, but may print some of the factors of n
There is a good reason to expect that it prints a factor p of n after approximately p^{1/2} (or n^{1/4}) iterations

78 Pollard’s rho heuristic - Example
[Adapted from T.Cormen, C.Leiserson, R. Rivest]

79 Pollard’s rho heuristic - Motivation
How long may it take for the sequence x_1, x_2, x_3, ... to repeat?
Consider the values x_i as being random.
Birthday problem: What is the probability that two students in a group of n have a birthday on the same day?
Expected number of values drawn before a repeat is Θ(n^{1/2})

80 Pollard’s rho heuristic - Motivation
Birthday paradox: What should be the size k of a group of people such that, with probability 1/2, at least two persons from the group have a birthday on the same day?

81 Pollard’s rho heuristic - Motivation
Birthday paradox

82 Pollard’s rho heuristic - Motivation
Birthday paradox

83 Pollard’s rho heuristic - Motivation
How long may it take for the sequence x_1, x_2, x_3, ... to repeat?
Consider the values x_i as being random.
Birthday problem: What is the probability that two students in a group of n have a birthday on the same day?

84 Pollard’s rho heuristic - Motivation
p - a non-trivial factor of n such that gcd(p, n / p) = 1
Consider the sequence x’_1, x’_2, x’_3, ..., where x’_i = x_i mod p
We also have x’_i ≡ (x’_{i–1}^2 – 1) mod p
Expected number of steps before it repeats is Θ(p^{1/2})
t - index of the first repeated value
u > 0 - the length of the cycle that has been produced
Expected values of t and u are Θ(p^{1/2})

85 Pollard’s rho heuristic - Motivation
If x’_{t+i} = x’_{t+u+i} then p divides x_{t+i} – x_{t+u+i}
Thus gcd(x_{t+i} – x_{t+u+i}, n) > 1
Eventually y will be set to an x’_i value on the cycle, and afterwards the whole cycle will be traversed without changing the value of y.
When the value x’_i is encountered again, a factor of n will be discovered.

86 Pollard’s rho heuristic - Example
[Adapted from T.Cormen, C.Leiserson, R. Rivest]

87 Pollard’s rho heuristic - Problems
The sequence x’_1, x’_2, x’_3, ... may start to repeat much later than after Θ(p^{1/2}) steps
The gcd’s found (gcd(x_{t+i} – x_{t+u+i}, n)) may always be equal to n
In practice this does not happen too often
In case of problems we can try to start again with a new value x_1
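The heuristic of slides 75 to 77 and the tail/cycle picture of slides 84 and 85, including the restart of slide 87, in runnable form. This is an added example, not code from the slides or from Cormen, Leiserson and Rivest: PollardRho is turned into a function that returns the first non-trivial factor it finds (with the number of iterations it took), restarting from a fresh x_1 whenever the gcd collapses to n; tail_and_cycle measures t and u for the reduced sequence x’_i = x_i mod p.

```python
# Added example (not from the slides): PollardRho with x_i = x_(i-1)^2 - 1 and
# power-of-two checkpoints for y, plus the tail/cycle lengths of slide 84.
import random
from math import gcd

def pollard_rho(n, max_restarts=20):
    """Return (factor, iterations) for the first non-trivial factor found.
    If gcd(y - x_i, n) = n (slide 87), restart with a new random x_1."""
    for _ in range(max_restarts):
        i, x, k = 1, random.randint(0, n - 1), 2
        y = x                               # y will hold x_2, x_4, x_8, ...
        while True:
            i += 1
            x = (x * x - 1) % n             # x_i = (x_(i-1)^2 - 1) mod n
            d = gcd(y - x, n)               # math.gcd accepts negatives
            if d == n:                      # the whole cycle collapsed: restart
                break
            if d != 1:
                return d, i
            if i == k:                      # checkpoint at i = 2, 4, 8, ...
                y, k = x, 2 * k
    raise ValueError("no factor found; n may be prime")

def tail_and_cycle(x1, p):
    """Slide 84: for x'_i = x_i mod p, return (t, u) where t is the index of
    the first value that repeats and u > 0 is the cycle length (x'_(t+u) = x'_t)."""
    seen, x, i = {}, x1 % p, 1
    while x not in seen:
        seen[x] = i
        x = (x * x - 1) % p
        i += 1
    return seen[x], i - seen[x]
```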

88 Pollard’s rho heuristic - Complexity?
Expected number of arithmetic operations T’(n) = Θ(p^{1/2})
Expected time complexity T(n) = Θ(2^{β/4} β^3)

89 Integer factorization - Other methods
L[α] = e^{α (log n log log n)^{1/2}}
There seem to be several O(L[1]) algorithms
The fastest general algorithm probably works in O(L[1/2]) time
In practice the methods that allow parallel computation are probably faster
Some integers may be easier to factor (e.g. y^n ± 1)
There are also algorithms that depend on the generalised Riemann hypothesis

