Presentation is loading. Please wait.

Presentation is loading. Please wait.

Based on Lecture Slides from Steven Rudich, CMU 15 a.

Published byDouglas Daniel Modified over 8 years ago

Similar presentations

Presentation on theme: "Based on Lecture Slides from Steven Rudich, CMU 15 a."— Presentation transcript:

1

2 Based on Lecture Slides from Steven Rudich, CMU 15 a

3 Even very simple computation al problems can be surprisingly subtle.

4 Compiler Translation A compiler must translate a high level language (e.g., C) with complex operations (e.g., exponentiation) into a lower level language (e.g., assembly) that can only support simpler operations (e.g., multiplication).

5 b:=a 8 b:=a*ab:=b*ab:=b*ab:=b*ab:=b*ab:=b*ab:=b*a b:=a*a b:=b*b This method costs only 3 multiplications. The savings are significant if b:=a 8 is executed often.

6 General Version Given a constant k, how do we implement b:=a k with the fewest number of multiplications?

7 Powering By Repeated Multiplication Input: a,n Output: A sequence starting with a, ending with a n, and such that each entry other than the first is the product of previous entries.

8 Example Input: a,5 Output: a, a 2, a 3, a 4, a 5 or Output: a, a 2, a 3, a 5 or or Output: a, a 2, a 4, a 5

9 Definition of M(n) M(n) = The minimum number of multiplications required to produce a n by repeated multiplication

10 What is M(n)? Can we calculate it exactly? Can we approximate it?

11 Some Very Small Examples What is M(0)? –M(0) does not really make sense What is M(1)? –M(1) = 0[a] What is M(2)? –M(2) = 1[a, a 2 ]

12 M(8) = ? a, a 2, a 4, a 8 is a way to make a 8 in 3 multiplications. What does this tell us about the value of M(8)?

13 M(8) = ? a, a 2, a 4, a 8 is a way to make a 8 in 3 multiplications. What does this tell us about the value of M(8)? Upper Bound

14 Lower Bound

15 Exhaustive Search. There are only two sequences with 2 multiplications. Neither of them make 8: a, a 2, a 3 & a, a 2, a 4

16 Upper Bound Lower Bound M(8) = 3

17 Applying Two Ideas

18 The a is a red herring. a x times a y is a x+y Everything besides the exponent is inessential. This should be viewed as a problem of repeated addition, rather than repeated multiplication.

19 Addition Chains M(n) = Number of stages required to make n, where we start at 1 and in each subsequent stage we add two previously constructed numbers.

20 Examples Addition Chain for 8: 1 2 3 5 8 Minimal Addition Chain for 8: 1 2 4 8

21 M(30) = ? 15 a

22 Some Addition Chains For 30 124816242830 1245102030 1235101530 1248102030

23 ?() ?(? < M Mn 306 ) Take 5 minutes to think like a computer scientist < <<

24 Let B n be the number of 1s in the binary representation of n. Ex: B 5 = 2 since 101 is the binary representation of 5 Proposition: B n ≤ log 2 (n) + 1 The length of the binary representation of n is bounded by this quantity. Binary Representation ┙ ┕

25 Binary Method Repeated Squaring Method Repeated Doubling Method Phase I(Repeated Doubling) For Add largest so far to itself (1, 2, 4, 8, 16,... ) Phase II(Make n from bits and pieces) Expand n in binary to see how n is the sum of B n powers of 2. Use B n -1 stages to make n from the powers of 2 created in phase I

26 Binary Method Applied To 30 Binary 3011110 Phase I 1 1 2 10 4 100 8 1000 16 10000 Phase II: 6 14 30(Cost: 7 additions)

27

28 The repeated squaring method works for modular arithmetic and for raising a matrix to a power.

29 The repeated squaring method works for any notion of “multiplication” that is associative. (a*b)*c = a*(b*c)

30 A Lower Bound Idea You can’t make any number bigger than 2 n in n steps. 1 2 4 8 16 32 64... Failure of Imagination?

31 Induction Proof Theorem: For all n 0, no n stage addition chain will contain a number greater than 2 n Theorem: For all n  0, no n stage addition chain will contain a number greater than 2 n

32 Let S k be the statement that no k stage addition chain will contain a number greater than 2 k Base case: k=0. S 0 is true since no chain can exceed 2 0 after 0 stages. Let k > 0, S k ⇒ S k + 1 At stage k+1 we add two numbers from the previous stage. From S k we know that they both are bounded by 2 k. Hence, their sum is bounded by 2 k+1. No number greater than 2 k+1 can be present by stage k+1.

33 Change Of Variable All numbers obtainable in m stages are bounded by 2 m. Let m = log 2 (n). Thus, All numbers obtainable in log 2 (n) stages are bounded by n.

34 Theorem: The only way to make 2 i in i stages is by repeated doubling Assumption: Let 2 i+1 be the first counter-example to the theorem. To make 2 i+1 at stage i+1 requires that some number of size at least 2 i be present at stage i. By previous result such a number could not be larger than 2 i, and thus equals 2 i. By the assumption, 2 i can only be constructed by repeated doubling. The only possible final move was to double 2 i. Thus 2 i+1 must result from repeated doubling, contradicting the assumption.

35 5 < M(30) Suppose that M(30)=5. At the last stage, we added two numbers x 1 and x 2 to get 30. Without loss of generality (WLOG), we assume that x 1  x 2. Thus, x 1  15 By doubling bound, x 1  16 But x 1 can’t be 16 since there is only one way to make 16 in 4 stages and it does not make 14 along the way. Thus, x 1 = 15 and M(15)=4

36 Suppose M(15) = 4 At stage 3, a number bigger than 7.5, but not more than 8 must have existed. There is only one sequence that gets 8 in 3 additions: 1 2 4 8 That sequence does not make 7 along the way and hence there is nothing to add to 8 to make 15 at the next stage. Thus, M(15) > 4. CONTRADICTION.

37 M(30)=6

38 Factoring Bound M(ab)  M(a)+M(b)

39 Factoring Bound M(ab)  M(a)+M(b) Proof: Construct a in M(a) additions Using a as a unit follow a construction method for b using M(b) additions. In other words, every time the construction of b refers to a number x, use the number a times x.

40 Example 45 = 5 * 9 M(5)=3[1 2 4 5] M(9)=4 [1 2 4 8 9 ] M(45) 3+4[1 2 4 5 10 20 40 45] M(45)  3+4[1 2 4 5 10 20 40 45]

41 Corollary (Using Induction) M(a 1 a 2 a 3 …a n )  M(a 1 )+M(a 2 )+…+M(a n ) Proof: For n=1 the bound clearly holds. Assume it has been shown for up to n-1. Apply theorem using a= a 1 a 2 a 3 …a n-1 and b=a n to obtain: M(a 1 a 2 a 3 …a n )  M(a 1 a 2 a 3 …a n-1 )+M(a n ) By inductive assumption, M(a 1 a 2 a 3 …a n-1 )  M(a 1 )+M(a 2 )+…+M(a n-1 )

42 More Corollaries Corollary: M(a k )  kM(a) Does equality hold?

43 M(33) < M(3) + M(11) M(3) = 2[1 2 3] M(11)= 5[1 2 3 5 10 11] M(3) + M(11) = 7 M(33) = 6 [1 2 4 8 16 32 33] The conjecture of equality fails. There have been many nice conjectures....

44 Conjecture: M(2n) = M(n) +1 (A. Goulard) A fastest way to an even number is to make half that number and then double it. Proof given in 1895 by E. de Jonquieres in L’Intermediere Des Mathematiques, volume 2, pages 125-126 FALSE! M(191)=M(382)=11 Furthermore, there are infinitely many such examples.

45 Open Problem Is there an n such that: M(2n) < M(n)

46 Conjecture Each stage might as well consist of adding the largest number so far to one of the other numbers. First Counter-example: 1 11 12,509 [1 2 4 8 16 17 32 64 128 256 512 1024 1041 2082 4164 8328 8345 12509]

47 Open Problem Prove or disprove the Scholz- Brauer Conjecture: M(2 n -1)  n - 1 + B n (The bound that follows from this lecture is too weak: M(2 n -1)  2n - 1)

48 The RSA Cryptosystem Rivest, Shamir, and Adelman (1978) RSA is one of the most used cryptographic protocols on the net. Your browser uses it to establish a secure session with a site.

49 Preview:Instructions For RSA use. Public key: e, n Anyone wishing to send you a message m  Z n *, should send you m e mod n. Private key: d,  (n) When you get an encrypted message m e mod n, do the following: (m e ) d mod n = m ed mod n = m ed mod  (n) mod n = m ed mod  (n) mod n = m mod n = m mod n

50 Addition And Multiplication Mod n a + b mod n = [(a mod n) + (b mod n)] mod n ab mod n = [ (a mod n)(b mod n) ] mod n This is saying that we can just keep track of remainders mod n as we multiply and add.

51 ( S,●) is called a group if it has these properties: closure: identity: inverse: associativity: Theorem: with multiplication modulo n is a group. = the set of naturals between 1 and n that are relatively prime to n

52 Computing Inverses In Z n * Suppose we want the inverse of a. In other words, b such that ab = 1 mod n. Using an Extended GCD algorithm Compute GCD(a,n). Of course the answer is 1, but also get r, s such that ra+sn = GCD(a,n) = 1. also get r, s such that ra+sn = GCD(a,n) = 1. Taking both sides mod n, we get ra=1 mod n. Thus r is the inverse of a in the group Z n *

53  (n) = size of Z n *  (p) = p-1  (p k ) = p k – p k-1  (pq) =  (p)  (q) p,q distinct primes, actually even if GCD(p,q)=1. The Euler Phi Function

54  (pq) = (p-1)(q-1) if p,q distinct primes pq = # of numbers from 1 to pq p = # of multiples of q up to pq q = # of multiples of p up to pq 1 = # of multiple of both p and q up to pq  (pq) = pq – p – q + 1 = (p-1)(q-1)

55 a  (n) = 1 mod n, if GCD(a,n)=1 Lagrange: The size of any subgroup divides the size of the group. Note: In a finite group, the powers of an element x form a subgroup. Euler’s Corollary: Let G be any finite group of size s: x  G implies X s = 1 Euler’s Corollary for Z n *: a  (n) = 1 mod n

56 Addition And Multiplication Mod n a + b mod n = [(a mod n) + (b mod n)] mod n ab mod n = [ (a mod n)(b mod n) ] mod n This is saying that we can just keep track of remainders mod n as we multiply and divide.

57 Law Of Exponents mod n Could it be as simple as: a e mod n = [(a mod n) (e mod n) ] mod n ? 2 16  2 mod 15

58 Mental Arithmetic Test 7 890 = ? Mod 15

59 Mental Arithmetic Test 7 890 = 7 890 mod 4 Mod 15 = 7 2 mod 15 = 4 Powers of 7: 1, 7, 4, 13, 1, 7, 4, 13, …

60 Mental Arithmetic Test 3 890 = ? Mod 14

61 Mental Arithmetic Test 3 890 = 3 890 mod 6 Mod 14 = 3 2 = 9 Powers of 3 1, 3, 9, 13, 11, 5, 1

62 Law Of Exponents mod n (Correct) a e mod n = [(a mod n) (e mod  (n)) ] mod n  (n) The exponent must be taken mod  (n)

63 Law Of Exponents mod n a e mod n = [(a mod n) (e mod  (n)) ] mod n Proof: e = a  (n) + b (b <  (n) ) X e = X a  (n) X b = (X  (n) ) a X b = X b = X e mod  (n)

64 Instructions For RSA setup 1.Pick 2 random k-bit primes: p and q. Let n = pq. 2.Compute  (n). Pick random e relatively prime to  (n). Compute d = inverse of e mod  (n). d is called your private-key. 3.Publish n and e. These are called your public-key.

65 Instructions For RSA use. Anyone wishing to send you a message m  Z n *, should send you m e mod n. When you get an encrypted message m e mod n, do the following: (m e ) d = m ed mod n = m ed mod  (n) mod n = m mod n

66

67 How Can Eve Break The System? If Eve can quickly compute  (n), then she can compute d from e and read all the messages. This might be easier than factoring.

68 No one knows how to break RSA quickly. Does this mean it is secure?

69 RSA has an *amazing* feature. Two people who have never met and have no prior shared secrets can use the system. Without this property, commerce on the net would be impossible.

70 REFERENCES Coxeter, H. S. M. ``The Golden Section, Phyllotaxis, and Wythoff's Game.'' Scripta Mathematica 19, 135-143, 1953. "Recounting Fibonacci and Lucas Identities" by Arthur T. Benjamin and Jennifer J. Quinn, The CollegeMathematics Journal, Vol. 30, No. 5, 1999, pp. 359--366.

Download ppt "Based on Lecture Slides from Steven Rudich, CMU 15 a."

Similar presentations

Lecture 2 Based on Chapter 1, Weiss. Mathematical Foundation Series and summation: 1 + 2 + 3 + ……. N = N(N+1)/2 (arithmetic series) 1 + r+ r 2 + r 3 +………r.

Lecture 2 Based on Chapter 1, Weiss. Mathematical Foundation Series and summation: ……. N = N(N+1)/2 (arithmetic series) 1 + r+ r 2 + r 3 +………r.
Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.
CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.
Having Proofs for Incorrectness

Having Proofs for Incorrectness
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
Ancient Wisdom: On Raising A Number To A Power Great Theoretical Ideas In Computer Science Anupam GuptaCS 15-251 Fall 2005 Lecture 5Sept 13, 2005Carnegie.

Ancient Wisdom: On Raising A Number To A Power Great Theoretical Ideas In Computer Science Anupam GuptaCS Fall 2005 Lecture 5Sept 13, 2005Carnegie.
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Basic properties of the integers

Basic properties of the integers
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
Ancient Wisdom: Primes, Continued Fractions, The Golden Ratio, and Euclid’s GCD Great Theoretical Ideas In Computer Science Anupam GuptaCS 15-251 Fall.

Ancient Wisdom: Primes, Continued Fractions, The Golden Ratio, and Euclid’s GCD Great Theoretical Ideas In Computer Science Anupam GuptaCS Fall.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
and Factoring Integers (I)

and Factoring Integers (I)
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:

Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:
Cryptography & Number Theory

Cryptography & Number Theory
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.

CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Similar presentations

Ads by Google