lecture note3

7/31/2019 Lecture Note3

1/75

Lecture Note 3

Mathematical Background

Sourav Mukhopadhyay

Cryptography and Network Security - MA61027


2/75

In order to understand some of the cryptographicalgorithms dealt with throughout this course, it isnecessary to have some background in two areas of mathematics

1. Number Theory.

2. Abstract Algebra.

New Advanced Encryption Standard (AES) relies on thesubject of nite elds which forms a part of abstractalgebra.

Going to deal with Number Theory for the moment.Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 1


3/75

Number Theory

Number theory deals with the theory of numbers and isprobably one of the oldest branches of mathematics. It is divided into several areas including elementary,analytic and algebraic number theory. These are distinguished more by the methods used ineach than the type of problems posed. Relevant ideas discussed here and include:

prime numbers, The greatest common divisor,

Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 2


4/75

The modulus operator, The modular inverse, Eulers Theorem and Fermats little Theorem.



5/75

Prime Numbers

A prime numberp is an integergreater than 1 with onlytwo positive divisors, 1 and itself. Therefore its entire set of divisors (i.e. its factors) consist

only of four integers1 and p. It can be seen that 1 isnot a prime number. Prime numbers are of the utmost importance to certaincryptographic algorithms and most of the techniques used

will not work without them.



6/75

Any positive integerI 2 is either a prime or can beexpressed as the product of primes.

This is known as thefundamental theorem of arithmetic :I = P

N N P

N

1

N 1 , . . . , P 11 , P N > P N 1 > . . . > P 1(1)

Another way of looking at this would be:I = S P

n

n , n 0 (2) Here S is the set of all prime numbers.



7/75

In general most of the exponentsn will be 0.

As a result of equations 1 or 2, any integer> 1 that is nota prime is known as acomposite number . It can be seen from this and the denition of a prime

number above, that 1 is neither prime nor composite.

The rst ten prime numbers are:2, 3, 5, 7, 11, 13, 17, 19, 23 and 29.



8/75

Division

Any integer can be expressed asn = q m + r , wheren, q , and r are integers, m is a positive integer and0 r < m .

The remainder (also known asresidue ) r , must benonnegative (i.e. either positive or 0). This is seen by two restrictions:

1. 0 r < m2. q =

nm

The notation xis known as theoor of the integerxand is the greatest integerx.Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 7


9/75

The notation xis the ceiling of the integerx and isthe least integer x. For example, 2410 is 2 with a remainder of 4 however,2410 is3 with a remainder of 6 and not2 with aremainder of 4 as might be expected.

If r = 0 then n is said to be a multiple of m. This is alsothe same as saying thatm divides n, is a divisor of n or isa factor of n and the notation used to express this ism

|n.



10/75

The greatest common divisor , mmax , of twointegers a and b is the largest positive integer that willdivide both a and b without a remainder.

Therefore, mmax |a, mmax |b and mn|mmax for any divisormn of a and b.

The notation generally used to represent this isgcd(a, b) = mmax . If gcd(a, b) = 1, this means that a and b have no commonfactors other than 1. Such pairs of integers are known asrelatively prime orco-prime .



11/75

Along with prime numbers, numbers that are relativelyprime have considerable importance in cryptography aswill be seen later.

The greatest common divisor of two positive integersaand b (gcd(a, b)), can be determined by a procedureknown asEuclids Algorithm . It is based on thetheorem that gcd(a, b) = gcd(b, a mod b).

The expression mod is used in modular arithmeticwhich is a special kind of arithmetic involving remaindersas will be seen next.



12/75

Modular Arithmetic

The symbol used () is known as thecongruencesymbol .

Modular relationships are of the formn R (mod m)(spoken as n is congruent toR mod m) where n and Rare integers and m is a positive integer known as themodulus .

If this congruence relationship holds, then it is said thatnis congruent toR modulo m.

The modulus operator (mod) produces the remainderwhen the integer on its left is divided by the modulus.Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 11


13/75

Thus, the term (R mod m) is equal to the remainder,r ,when R is divided bym.

If two remainders are equal then it can be written that(n mod m) = (R mod m) - a standard equality.

However, if the modulus is equal on both sides of theequation, then the (mod m) term can be removed fromthe left hand side and the equality symbol replaced with acongruence symbol (along with a slight rearrangement of

the brackets).



14/75

Assuming n = r , it would beincorrect to sayn = (R mod m). However it iscorrect to say that n R (mod m) andthis basically states that the same remainder (in this case

r ) results when bothn and R are divided bym.

As mentioned, the remainderr is also known as aresidue . If R = r (i.e. 0R < m ) then R is known as aleastresidue . The congruent relation is an equivalence relation.



15/75

The set of numbers congruent to some valuea (mod m)is known as aresidue class (or a congruence class). As 0 r < m , this means there arem possible values of r and hence there arem possible residue classes. The congruence relationshipn R (mod m) is only

true if m|(n R). If a a1 (mod m) and b b1 (mod m), thena + b a1 + b1 (mod m) and ab a1b1 (mod m).

The integers modulom, denoted Z

mis the set of integers

{0, 1, 2, . . . , m 1}.Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 14


16/75

To understand why, it must be remembered that theintegers n and R can be expressed asq {n,R }m + r{n,R },where the subscript{n, R }represents the fact that q andr will generally take on different values forn and R.

Only if r n = rR will m|(n R) because in this case thetwo remainders cancel each other in the (n

R) term:(q n m + r n q R m r R) = (q n m q R m).

Because m|(q n m) and m|(q R m)m|(q n m q R m). If n R is not divisible bymthen the notation used to represent this is

|and

therefore, m |(n R). In this casen R (mod m).Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 15


17/75

Modular Inverse

The idea of an inverse is important both in ordinaryarithmetic and modular arithmetic.

In any set of numbers, the inverse of a number containedin that set is another number which when combined withthe rst under a particular operation will give theIdentity element for that operation.

The identity element for a particular operation is anumber that will leave the original number unchangedunder that operation.



18/75

Two examples of inverses are the: (1) Additive inverseand (2) Multiplicative inverse.

The Identity element under different operations will bedifferent.

Under addition it is 0, as any number added to 0 willremain unchanged. However, undernormal multiplication the Identityelement is 1 as any number multiplied by 1 will remain

unchanged.



19/75

In ordinary arithmetic if the number isx then theadditive inverse isx and multiplicative inverse is1x .

The idea is the same in modular arithmetic however if x isan integer then its multiplicative inverse would not be1x asthere is no such thing as a fraction in modular arithmetic.

In this case it would be a number which, when multipliedby the original number, would give a result that iscongruent 1 modulom (again, m is the modulus).



20/75

A number x can only have a multiplicative inverse if it isrelatively prime to the modulus (i.e.,gcd(x, m ) = 1).

When one number is operated on modulo some othernumber, it is said that the rst number has beenreduced modulo the second and the operation is called amodular reduction .

Let aZ m . The multiplicative inverse of a modulo m isan integer xZ m such that ax 1 (mod m). If suchan x exists, then it is unique, anda is said to beinvertible. The inverse of a is denoted bya1.



21/75

Chinese Remainder Theorem (CRT)

Suppose m1, m2, . . . , m r are pairwise relatively prime,then the following system of simultaneous congruencesx a1 (mod m1)

x a2 (mod m2)...x ar (mod m r )

has a unique solution moduloM = m1m2 . . . m r , which isgiven by

x =r

i=1a iM iyi mod M,

where M i = M/m i and yi = M 1i mod m i, for 1 i r .Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 20


22/75

Example

Consider the following system of simultaneouscongruencesx 5 (mod 7)x 3 (mod 11)x 10 (mod 13)

Then we have the unique solutionx = 894 mod 1001.



23/75

Eulers Theorem

Eulers Theorem can be stated mathematically as:a(m) 1 (mod m), gcd(a, m ) = 1 (3)

a is any integer andm is the modulus (which, again, isrestricted to being a positive integer).

The symbol (m) is known as Eulersphi (or totient )function and is the number of positive integersm andrelatively prime to it.



24/75

A few points should be noted about(m):

The value of (1) is dened as being equal to 1. If p is some prime, then( p) = p 1 as there are p1 positive integers< p and relatively prime to it. If p and q are prime numbers andn = pq , then(n) = ( p)(q ) = ( p1)(q 1). If n = pkk P

k1k1 , . . . , p11 is the primefactorization of n, then(n) = n 1 1 pk 1

1 pk1

1 1 p1Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 23


25/75

As an example take 410 = 1, 048, 576

1 (mod 11)

because 1195, 325 + 1 = 410. If n is a product of distinct primes, and if r s(mod (n)), then a r as (mod n) for all integersa. Inother words, when working modulo such ann, exponents

can be reduced modulo(n).



26/75

Fermats Little Theorem

Fermats Little Theorem is really a specic case of Eulerstheorem wherem is prime.

Historically though, Fermats little theorem wasdiscovered long before Eulers Theorem.

It can be stated as follows:

am1 1 (mod m), (4)where m is a prime andm |a

If Eulers theorem is taken to be true, then this can alsobe seen to work because of the fact that(m) = m 1for a prime number as mentioned above.



27/75

Extended Euclid Algorithm

It was stated earlier that the greatest common divisor of two numbers can be found using Euclids algorithm.

This algorithm can be extended so that it not only ndsthe greatest common divisor but also calculates theinverse of some numberb modulo some other numberm

(assuming it exists).

For small values of m it is easy enough to nd. However for large numbers this approach is not practical.

Extended Euclids algorithm allow us to nd the inverseof a numberb mod m assuming gcd(m, b) = 1.Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 26


28/75

Figure 1: Arithmetic modulo 8



29/75

EXTENDED EUCLID(m,b)

1. (A1, A2, A3)

(1, 0, m); (B1, B2, B3)

(0, 1, b)

2. if B3 = 0 return A3 = gcd(m, b); no inverse

3. if B3 = 1 return B3 = gcd(m, b); B2 = b1 mod m4. Q =

A3B3

5. (T 1, T 2, T 3) (A1 QB 1, A2 QB 2, A3 QB 3)6. (A1, A2, A3) (B1, B2, B3)7. (B1, B2, B3)

(T 1, T 2, T 3)

8. Goto 2



30/75

This is seen to work becausebB2 = 1 mB 1 implies thatbB2 1 (mod m). Therefore the value of B2 is anumber when multiplied byb will give a value which iscongruent to 1 modulom (in other words it gives a valuethat when divided bym will leave a remainder of 1).

We can therefore say:

bB2 = 1 mB 1, i.e.,1 = mB 1 + bB2 (5) In other words we are trying to nd two valuesB1 and B2that solve equation 5. These values will be revealed when

another value B3

is equal to 1 in the above algorithm:mB 1 + bB2 = B3 (6)



31/75

In order to nd this multiplicative inverse we need to keeptrack of A1, A2 and A3 also. The values T 1, T 2, T 3 are only used for temporary storage. Looking at steps 5 and 7 it can be seen theB3 A3 QB 3 - a consequence of Euclids algorithmand it leaves the remainder whenA3 is divided byB3

(you are subtracting B3 away fromA3 as many times asyou can, rememberQ =

A3B3).

Throughout the algorithm, the following relationshipshold:mT 1 + bT 2 = T 3; mA1 + bA2 = A3; mB 1 + bB2 = B3



32/75

These equations are why the initial assignments are(1, 0, m) and (0, 1, b). If you work them out you will getthe above forA3 and B3. The last equation is the one weare interested in and whenB3 = 1 then B2 = b1 mod m.

For example to nd the multiplicative inverse of 550modulo 1759 we have:Q A1 A2 A3 B1 B2 B3- 1 0 1759 0 1 5503 0 1 550 1 -3 1095 1 -3 109 -5 16 5

21 -5 16 5 106 -339 41 106 -339 4 -111 355 1



33/75

Some topics that will be discussed are:

Groups Rings Fields

Polynomial arithmetic

As well as these topics we will also be looking at an areaknown ascomplexity theory which allows us todetermine how efficient a particular algorithm is.



34/75

Abstract Algebra

Will only be looking at a very small subset of what thissubject has to offer.

Three main ideas here that need to be grasped:1. Group {G, }2. Ring

{Rg, + ,

}3. Field{F, + , } Basically three different types of sets along with someoperation(s). The classication of each set is determined by the axiomswhich it satises.



35/75

Group

A Group

{G,

}is a set under some operation (

) if it

satises the following 4 axioms:1. Closure (A1): For any two elements

a, b G, c = a bG2. Associativity (A

2): For any three elements

a,b,c G, (a b) c = a (b c)3. Identity (A3): There exists anIdentity element

e G such that aG, a e = e a = a.4. Inverse (A4): Each element inG has an inverse i.e.aGa1G, a a1 = a1 a = e.



36/75

However it is said to be anAbelian group if inaddition to the above the set follows the axiom:5. Commutativity (A5): For any a, b G,a b = b a.



37/75

Cyclic group

Exponentiation is repeated application of the groupoperator. We might have a3 and this would equala a a. So if the operation was addition thena3 would in fact bea + a + a. Also we havea0 = e which for an additive group is 0. Also an = (a1)n .

A group is said to becyclic if every element of the groupG is a powerak (where k is an integer) of a xed elementaG.



38/75

The element a is said to generateG or be a generatorof G. A cyclic group is always abelian and may be nite orinnite.

If a group has a nite number of elements it is referred toas a nite group .

The order of the group is equal to the number of elements in the group. Otherwise, the group is aninnite group .



39/75

Ring

A binary operation is a mapping of two elements into oneelement under some operation. For a setS we havef : S S S .

A Ring

{Rg, + ,

}is a set with two binary operations

addition and multiplication that satises the followingaxioms:

1. Abelian Group under addition (A1 A5): Itsatises all of the axioms for an abelian group (all of the above) with the operation of addition . Theidentity element is 0 and the inverse is denoteda.



40/75

2. Closure under multiplication (M 1): For anytwo elementsa, b R

g, c = ab Rg.

3. Associativity of multiplication (M 2): For anyelements a,b,c Rg, (ab)c = a(bc) .

4. Distributive (M 3): For any elementsa,b,c Rg, a(b + c) = ab + ac.

It is then said to be acommutative ring if in additionthe ring follows the axiom:5. Commutativity (M 4): For any a, b R

g, ab = ba.



41/75

It is an Integral domain if in addition thecommutative ring follows the axioms:6. Multiplicative Identity (M 5): There is an

element 1 inRg

such that, a1 = 1a = a for all a inRg.

7. No Zero Divisors (M 6): If a, b Rg and ab = 0then either a = 0 or b = 0.



42/75

A Field {F, + , }is a set with two binary operationsaddition and multiplication that satises the followingaxioms:

1. Integral Domain (A1 M 6): It satises all of theaxioms for an Integral domain (all of the above).2. Multiplicative Inverse (M 7): Each element inF

(except 0) has an inverse i.e.,

a=0F a1F , aa1 = a1a = 1.

In ordinary arithmetic it is possible to multiply both sidesof an equation by the same value and still have theequality intact.



43/75

Not necessarily true in nite arithmetic

In this particular type of arithmetic we are dealing with aset containing a nite number of values. The set of real numbers is an innite set and is not really

useful for working with on computer systems due to thelimited amount of memory and processing power.

Much easier if every operation the computer performedresulted in a nite value that was easily handled. This iswhere nite elds come into play.



44/75

Closure is the property that causes the result of a binary

operation on an ordered pair of a set to be a part of thatset also.

The term ordered pair is important as it is not generallythe case that a

b = b

a.



45/75

Figure 2: Group, Ring and Field



46/75

To restate, Groups, Rings and Fields are all sets denedwith either one or more binary operations.

For example a set may be a group under one binaryoperation but not under another because it may obey theaxioms A1 A4 under the rst operation but not underthe second.

Figure 2 summarises the hierarchical structure of thegroup, ring and eld. It can be seen that the group isdened under addition.

Although a group is dened under operations other thanaddition, a ring requires that the group be dened withonly addition.



47/75

Polynomial Arithmetic

We need to understand some things about arithmeticinvolving polynomials before continuing.

A polynomial is an expression of the form:f (x) = anxn + an1x

x1 + . . . + a1x + a0 =n

i=0a ix i (7)

an = 0, The degree of the polynomial is equal to the value of theinteger n 0. The coefficients are the set S = {an , an1, . . . , a 1, a0}which is known as thecoefficient set .



48/75

If an = 1 then the polynomial is said to bemonic .

If n = 0 then we simply have a constant known as aconstant polynomial . As an example we can setn = 8 and

S = {1, 0, 0, 0, 1, 1, 1, 1, 1}and we get the followingpolynomial:8

i=0a ixi = x8 + x4 + x3 + x2 + x + 1

This polynomial has important signicance for us as it isused in the AES standard as we shall see later.Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 47


49/75

As we are going to use these for cryptographic methodswe will want to do some form of arithmetic on them.

One can do following three classes of arithmetic:1. Ordinary polynomial arithmetic, using the basic rulesof algebra.

2. Polynomial arithmetic in which the arithmetic on thecoefficients is performed modulop; that is thecoefficients are inZ p = 0, 1, . . . , p 1.

3. Polynomial arithmetic in which the coefficients are in

Z p and the polynomials are dened modulo apolynomialm(x) having highest power, sayn.



50/75

Can we operate on polynomials using the four basicarithmetical operations of addition, subtraction,multiplication and division?

Consider two polynomialsf (x) = x3 + x2 + 2 andg(x) = x2 x + 1. If we add these we get:f (x) + g(x) = x

3

+ 2x2

x + 3 This would seem to suggest we can add (and it turns outwe can).

If we subtract them:f (x) g(x) = x3 + x + 1Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 49


51/75

This would seem to suggest we can subtract (and it turns

out we can).

If we multiply them:f (x) g(x) = x5 + 3x2 2x + 2

This would seem to suggest we can multiply (and it turnsout we can). The order of the product polynomial is equal to the sum

of the orders of the two factors. In this casen prod = n f (x) + ng(x) = 3 + 2 = 5.



52/75

What about division?

Division requires that the set of coefficientsS = {an , an1, . . . , a 1, a0}be a eld.

In other wordsS must satisfy the conditions describedearlier.

In general, division will produce a quotient and aremainder so we can write (for two polynomialsf (x) andg(x)):

f (x)g(x) = q (x) +

r (x)g(x), i.e. f (x) = q (x)g(x) + r (x) (8)



53/75

Galois Fields

Saw earlier that a eld obeys axiomsA1 M 7.

It is possible for a set with an innite number of elementsto be a eld. For example the set of real numbers is a eld under theusual arithmetical operations. In cryptography however we are not interested in inniteelds because they cannot be worked with in practice

(due to memory limitations etc.).

What cryptographers want instead are nite elds .These are simply elds with a nite number of elements.Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 52


54/75

It turns out that the order of a nite eld must be thepower of a primepn where n > 0. The nite eld of orderpn is normally written GF( pn). The GF stands for Galois Field in honour of themathematician who rst studied them. When n = 1 Galois elds take on a different structurethan when n > 1. We will mainly be interested in GF( p) for some primepand GF(2n) (2 being the main prime of interest due to

computers operating in binary).



55/75

Addition and multiplication in a Galois eld are donemodulo m(x), where m(x) is an irreducible polynomial of degree n.

A polynomial m(x) over a eldF is calledirreducible if and only if m(x) cannot be expressed as a product of twopolynomials both over F, and both of degree lower thanthat of m(x).

By analogy to integers, an irreducible polynomial is alsocalled a prime polynomial .

As an example of a Galois eld we can look at GF(23).Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 54


56/75

This has the following elements:{0, 1,x ,x + 1, x2, x2 + 1, x2 + x, x 2 + x + 1}and anirreducible polynomial isx3 + x + 1.

In binary Galois elds all polynomials are monic due tothe fact that the coefficients are taken from the setS = {0, 1}.



57/75

Earlier we stated that Z m was the set of integers modulom.

If m = p where p is some prime, then we haveZ m = Z p = {0, 1, 2, . . . , p 1}.

This, together with the arithmetic operations modulop,form the nite eld of orderp. Since p is the power of a prime, this eld is a Galois eld. Table 3 shows the properties of modular arithmetic forintegers in Z m .

If you compare this to gure 2 then it can be seen thatZ pis a commutative ring.Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 56


58/75

Figure 3: Properties of modular arithmetic for integeres inZ

m .



59/75

It was seen that if some numberaZ m is relativelyprime to m then there exists a1 such that aa 1 1(mod m), i.e. the multiplicative inverse of a exists. However if m = p for some primep then each nonzeroelement in Z has a multiplicative inverse because each

aZ p is relatively prime top (M 5).

Also if ab = 0 for a, bZ p then either a = 0 or b = 0. It can therefore be seen thatZ p is a nite eld. This is ne for GF( p) where n = 1 because p is a prime

but what about the case wheren > 1? In this casepn

willnot be a prime.



60/75

In the general case, if m = pn where p is again some primeand n some integer greater than 1, m will not be prime. This poses problems asZ m will not form a nite eldwhen the arithmetical operations are done modulom. Remember we need this if we wish to use division as one

of our operations.

However, if we add two restrictions to our arithmeticaloperations (which follow the ordinary rules of polynomialarithmetic using the basic rules of algebra) it is possibleto keep Z m as a nite eld.



61/75

These restrictions are:1. Arithmetic on the coefficients is performed modulop.

That is, we use the rules of arithmetic for the niteeld Z p (for GF(2n) this is basically the XORoperation).

2. If multiplication results in a polynomial of degreegreater than n 1, then the polynomial is reducedmodulo some irreducible polynomialm(x) of degreen. That is, we divide bym(x) and keep theremainder. For a polynomial f(x), the remainder isexpressed asr (x) = f (x) mod m(x).



62/75

It can be shown that the set of all polynomials modulo anirreducible nth-degree polynomialm(x) satises axiomsA1

M 7 above and therefore forms a nite eld.

This is an important point because if we were working inGF(28) and we reduced the polynomial modulo 256 thenthis wouldnt form a nite eld and we might have to

think about using 251 as this is the closest prime to 256. Not efficient because might be using a processor thatoperates on 8 bit words which allows representation of

28 = 256 values.

Other values (251256) would not be used.Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 61


63/75

Complexity theory

All cryptographic algorithms require time and space(memory) to execute.

Clearly what is desired is an algorithm that executes asquickly as possible with the minimum number of resources possible, however, often this is not feasible.

Complexity Theory deals with the resources requiredduring computations to solve a given problem.

The most common resources (for example) would betime and space .



64/75

Complexity theory allows us to work out how costlydifferent algorithms (such as DES, RSA) are going to be.

Also allows us to analyse attacks on cryptosystems asthese will be algorithmic in nature as well. Using complexity theory we can determine whether aparticular attack is feasible against a cryptographic

algorithm and can therefore give some indication of thesecurity of an algorithm.

Of course one could say that the time of execution of analgorithm depends on speed of the computer on which itis running, as well as the amount of memory it has.



65/75

This is true, so what we would like is a method of comparing different algorithms that is independent notonly of the speed and amount of RAM a particularmachine has, but also of the size of the input (which isnormally denoted byn).

A measure of the efficiency of an algorithm is known as itsTime Complexity .

The time complexity of an algorithm is dened to bef (n)if for alln and all inputs of lengthn, the algorithm takesat most f (n) steps.



66/75

Thus for a given processor speed and a given size of input(n) the time complexity is anupper bound on theexecution time of the algorithm.

However, the denition is not precise: The meaning of step is not precise: Is it a single

processor machine instruction or a single high-levellanguage machine instruction?

An exact formula forf (n) is generally not availablebut that is not important. We need only anapproximation and are interested primarily in the rateof change of f (n) as n increases to very large values.



67/75

There is a standard mathematical notation known as thebig O notation which is used to characterise the timecomplexity of algorithms.

By denition:-f (n) = O(g(n)) iff a, M Z

+ such that

|f (n)| a |g(n)| for n M (9) For example we might say that an algorithm runs inO(n2) time.

Anything that takes a xed amount of resources takesO(1).



68/75

Lets say we want to evaluate the following polynomial: p(x) = anxn + an

1xx1 + . . . + a1x + a0

Some fairly inefficient coding is shown in next slide. In this implementation, each term (subexpression) isevaluated separately. It could have been more efficient

however. Each a ixi requires i + 1 multiplications.

Computing all n terms requiresn

i=0 (i + 1) =(n + 2)(n + 1)

2 multiplications.



69/75

Badly written pseudocode

Declare n, i , j integer;Declare a, s array[100] real;Declare x, p real;

Read( x, n );for i = 0 to n do \ * Each of n terms of the f (x ) *\

{

s [i ] = 1;

read(a[i]);

for j = 1 to i do

{

s [ j ] = x s [i ]; \ * Calculate xi

and store in s [ j ]*\}

s [i ] = a [i] s [i ]; \ * Calculate a i x i and store* \

}

p = 0;

for i = 0 to n do

{

p = p + s [i ];}

write(Value of function at, x, is, p .);



70/75

The time complexity of the algorithm is :f (n) =

(n + 2)(n + 1)2 =

n2

2 +32n + 1

We can show that in this casef (n) = O(n2) (i.e.g(n) = n2). We must nd M

n and a such that

|f (n)| a |g(n)| If we letM = 4 and a = 1 then equation 9 is satised assuggested by table 1. In this case we can say that

O(f (n)) = n2.



71/75

n n 2 f (n) = n2

2 +32n + 1 g(n) = n

2 function ok?

3 9 10 9 No4 16 15 16 Yes5 25 21 25 Yes6 36 28 36 Yes7 49 35 49 Yes

Table 1: This table shows the value of the function f (n) for different n.


In general the big O notation makes use of the term


72/75

In general, the big O notation makes use of the termthat grows fastest: O(ax 7 + 3x3 + sin (x)) = O(x7) O(en + an 10) = O(en) O(n! + n50) = O(n!)

An algorithm with an input of sizen is said to be

a). Linear if the running time isO(n).b). Polynomial if the running time isO(n t) for some

constant t.

c). Exponential if the running time isO(th(n)

) where t issome constant and h(n) is a polynomial inn.



73/75

Generally a problem that can be solved in polynomialtime is considered feasible whereas anything worse thanpolynomial time is considered computationally infeasible -especially exponential time.

N.B. If n is small enough, even complex algorithmsbecome feasible. For example, most discussions on cryptanalysis of RSAcentre on the task of factoringn into its 2 prime factors.

The best known methods for doing this have a timecomplexity of:

f (n) = e ln (n)ln (ln (n)) (10)Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 72


74/75

A graph of this equation is shown in gure 4. The big O is exponential running time so this isconsidered computationally infeasible (with bign, i.e.

n > 150) and hence RSA is considered secure.



75/75

Figure 4: The number of operations required to factor an integer of size n.


lecture note3

Documents