randomness and computation: some prime examples

Randomness and Computation: Some Prime Examples

Great Theoretical Ideas In Computer Science

(Steven Rudich) John Lafferty CS 15-251 Fall 2005

Lecture 22 Nov. 9, 2005 Carnegie Mellon University

Checking Our Work

Suppose we want to check p(x) q(x) = r(x), where p, q and r are three polynomials. (x-1)(x3+x2+x+1) = x4-1

If the polynomials are long, this requires O(n2) work by elementary school algorithms -- or O(n log n) work with fancy techniques like the Fast Fourier transform.

Can we check if p(x) q(x) = r(x) more efficiently?

Great Idea: Evaluating on Random Inputs

Let f(x) = p(x) q(x) – r(x). Is f zero?

Idea: Evaluate f on a random input z.If we get f(z) = 0, this is evidence that f is zero everywhere.

If f(x) is a degree 2n polynomial, it can only have 2n roots. We’re unlikely to guess one of these by chance!

Equality checking by random evaluation

1. Choose sample space S={z1, z2,…, zm}

with arbitrary points zi, for m=2n/ .

2. Select z from S with probability 1/m

3. Evaluate p(z) q(z) – r(z) = f(z)

4. If f(z) = 0, output “equal” otherwise output “not equal”


What is the probability the algorithm outputs “correct” when in fact f 0?

Let A = {z | z is a root of f}. Then|A| 2n. Therefore:

P(A) 2n/m = . We take to be small.


By repeating this procedure k times, we are “fooled” by the event

f(z1) = f(z2) = … = f(zk) = 0 when actually f(x) 0

with probability no bigger than

P(A) (2n)k/mk = k

Wow! That idea could Wow! That idea could be used for testing be used for testing equality of lots of equality of lots of different types of different types of

“functions”!“functions”!

Yes! It’s a very powerful Yes! It’s a very powerful technique.technique.

For example, a matrix is just a For example, a matrix is just a special kind of function. Suppose special kind of function. Suppose we do a matrix multiplication of we do a matrix multiplication of two two nxnnxn matrices: matrices:

AB = CAB = C

The idea of random evaluation can The idea of random evaluation can be used to efficiently check the be used to efficiently check the calculation.calculation.

Just evaluate the “function” C on a random Just evaluate the “function” C on a random input vector input vector rr. In fact, we can take . In fact, we can take rr to be to be a a randomrandom bit vector bit vector : : r=(1,0,0,1,…,0)r=(1,0,0,1,…,0)TT

So to test if So to test if AB = CAB = C we compute we compute

x = Br, y = Ax, and z = Crx = Br, y = Ax, and z = Cr

If If y = zy = z, we take this as evidence that the , we take this as evidence that the calculation was correct. The amount of calculation was correct. The amount of work is only O(nwork is only O(n22).).

Claim: If AB Claim: If AB C and r is a random n-bit C and r is a random n-bit

vector, then Pr(ABr = Cr) vector, then Pr(ABr = Cr) ½. ½.

So, if a complicated, So, if a complicated, fancy algorithm is used fancy algorithm is used to compute AB in time to compute AB in time

O(nO(n2+2+), it can be ), it can be efficiently checked with efficiently checked with only O(nonly O(n22) extra work, ) extra work, using randomness! using randomness!

Earth has huge file X that she transferred to Moon. Moon gets

Y.

EARTH: XEARTH: X MOON: YMOON: Y

Did you get that file ok? Was Did you get that file ok? Was the transmission accurate?the transmission accurate?

Uh, yeah.Uh, yeah.

Let (n) be the number of primes between 1 and n. I wonder how fast

(n) grows?

Conjecture [1750]:

( )lim 1

/ lnn

n

n n

Euler

The Prime Density Theorem:

Hadamard [1900]Hadamard [1900]

( )lim 1

/ lnn

n

n n

The Prime Density Theorem

This theorem remains one of the celebrated achievements of number theory. In fact, an even sharper conjecture remains one of the great open problems of mathematics!

The Riemann Hypothesis

[1859]

Riemann

( ) / lnlim 0n

n n n

n

For EC on Homework:For EC on Homework:

The Theta Version Of The Prime The Theta Version Of The Prime Density Theorem:Density Theorem:

(n) = (n) = (n / ln n)(n / ln n)

(n)/n = (n)/n = (1/ ln n)(1/ ln n)

The probability that a randomly The probability that a randomly selected n-bit number is prime is selected n-bit number is prime is

(1/n). Explicitly, (1/n). Explicitly, (n) / n (n) / n ¸̧ 1/2logn 1/2logn

Random Random lognlogn bit number is bit number is a random number from a random number from

1..n1..n

(n) / n (n) / n ¸̧ 1/2 1/2lognlogn

means that a random means that a random lognlogn-bit number has at -bit number has at

least a 1/2least a 1/2lognlogn chance of chance of being prime.being prime.

Random Random kk bit number is a bit number is a random number from 1..random number from 1..22kk

((22kk) / ) / 22kk ¸̧ 1/2 1/2kk

means that a random means that a random kk-bit number has at least a -bit number has at least a

1/21/2kk chance of being chance of being prime.prime.

A random A random kk-bit number has at -bit number has at least a 1/2least a 1/2kk chance chance

of being prime.of being prime.

A random A random kk-bit number has at least a -bit number has at least a 1/21/2kk chance of being prime. chance of being prime.

Hence, if we pick 2k random k Hence, if we pick 2k random k bit numbers the bit numbers the

expected number of primes expected number of primes on the list is on the list is ¸̧ 1 1

Picking A Random Prime

Many modern cryptosystems (e.g., RSA) include the instructions:

“Pick a uniformly chosen n-bit prime.”

How can this be done efficiently?



Strategy:

1) Generate random n-bit numbers2) Test each one for primality [more

on this to later in the lecture]



1) Generate kn random n-bit numbersEach trial has a ¸ 1/2n chance of being prime. Probability that we get all composites

(1-1/2n)kn = (1-1/2n)2n * k/2 1/ek/2

Theorem: Theorem: Let X and Y be n-bit numbers.Let X and Y be n-bit numbers. If X If X Y Y

then at least half the 2logn bit primes p then at least half the 2logn bit primes p satisfy X satisfy X Y mod p. Y mod p.

Theorem:Theorem: Let X and Y be distinct, Let X and Y be distinct, n-bit numbers. Let p be a random n-bit numbers. Let p be a random

2logn-bit prime:2logn-bit prime:

Prob [X = Y mod p] < 1/2Prob [X = Y mod p] < 1/2

Are X and Y the same n-bit numbers?


P = random 2logn bit primeP = random 2logn bit primeX mod pX mod p

Answer to “X = Y mod p Answer to “X = Y mod p ?”?”

Are X and Y the same n-bit numbers?


k random k random

2logn bit primes: P2logn bit primes: P11, P, P22, .., P, .., Pkk

X mod PX mod Pii for 1 <= i <= k for 1 <= i <= k

k answers to “X = Y mod k answers to “X = Y mod PPii ?” ?”

If X=Y, Earth and Moon will always accept. If X Y then Earth and Moon have a ¸ ½ chance of catching it, for

each of k iterations.

If X Y,

Prob [X = Y mod Pi for all i] (1/2)k



1) Generate random n-bit numbers2) Test each one for primality.

How can we test primality efficiently?

Primality Testing: Trial Division On Input n

Trial division up to n

for k = 2 to n doif k |n then

return “n is not prime”otherwise return “n is prime”

O(n (logn)2) time if division is O((logn)2)

On input n, trial division uses On input n, trial division uses O(n (logn)2) time. Is that efficient?

No! The input length is No! The input length is logn.logn. Let k = log n. In Let k = log n. In terms of k, we are using terms of k, we are using 22k/2k/2 k k22 time. time.

The time is EXPONENTIAL The time is EXPONENTIAL in the input length.in the input length.

Do the primes have a

polynomial-time decision

algorithm?

Euclid gave us a fast GCD algorithm. Surely,

he tried to give a faster primality test than trial division. Euclid, Euler, and Gauss all failed!

In 2002, Agrawal, Saxena, and Kayal (AKS) gave a deterministic primality test that runs in time O(n12).

This was the first deterministic polynomial-time algorithm that didn’t depend on some unproven conjecture, like the Riemann Hypothesis!

But so many But so many cryptosystems, like RSA cryptosystems, like RSA and PGP, use and PGP, use fast primality fast primality testingtesting as part of their as part of their subroutine to generate a subroutine to generate a random n-bit prime! What random n-bit prime! What is the fast primality testing is the fast primality testing algorithm that they use?algorithm that they use?

There are fast randomized algorithms to do primality testing.

Strangely, by allowing our computational model an extra instruction for flipping a fair coin, we seem to be able to compute some things faster!

If n is composite, what would If n is composite, what would be abe a certificate of certificate of compositeness for n?compositeness for n?

A non-trivial factor of n.A non-trivial factor of n.

Even using randomness, Even using randomness, no one knows how to find no one knows how to find a factor quickly. We will a factor quickly. We will use a use a differentdifferent certificate certificate of compositeness that of compositeness that does not require does not require factoring.factoring.

When working modulo a prime p, When working modulo a prime p, for any afor any a 0, a 0, a(p-1)/2(p-1)/2 = = §§1.1.

Fermat: aFermat: ap-1p-1 = 1 mod p. = 1 mod p.

XX22 = 1 mod p has at most 2 roots. = 1 mod p has at most 2 roots.

1 and -1 are roots, so it has no 1 and -1 are roots, so it has no others.others.

““Euler Certificate” Of CompositenessEuler Certificate” Of Compositeness

When working modulo a prime p, for any a 0, a(p-1)/2 = §1.

We say that We say that a is a certificate of a is a certificate of compositeness for ncompositeness for n, , if aif a 0, a 0, a(n-1)/2(n-1)/2 §§1. 1.

Clearly, if we find a certificate of Clearly, if we find a certificate of compositeness for n, we know that n is compositeness for n, we know that n is

composite.composite.

““Euler Certificates” Of CompositenessEuler Certificates” Of Compositeness

ECECnn ={ a ={ a 22 Z Z**nn | a | a(n-1)/2(n-1)/2 §§1 }1 }

NOT-ECNOT-ECnn ={ a ={ a 22 Z Z**nn | a | a(n-1)/2(n-1)/2 §§1 }1 }

if NOT-ECif NOT-ECnn Z Z**nn then then ECECnn is at least is at least

half of Zhalf of Z**n n

Suppose a is in ECSuppose a is in ECn n and aand aii are in are in NOT-ECNOT-ECnn. Then (a a. Then (a aii))n-1n-1 = a = an-1n-1 a aii

n-1n-1 = = aan-1n-1 (mod n)(mod n)

So, a aSo, a aii is in EC is in ECnn..




Fancier agrument: NOT-ECFancier agrument: NOT-ECnn is a is a subgroupsubgroup of Z of Z**

nn

Hence, by Hence, by Lagrange’s theoremLagrange’s theorem, , if NOT-ECif NOT-ECnn Z Z**

nn, then the size of , then the size of NOT-ECNOT-ECnn is no more than half is no more than half the size of Zthe size of Z**

nn..




Hence, Hence, ECECnn = = ;;, or EC, or ECnn contains at least contains at least half the elements of Zhalf the elements of Z**

nn..



Let’s suppose that Let’s suppose that EC ECnn contains at least half the contains at least half the

elements of Zelements of Z**nn..

This makes it easy to find one This makes it easy to find one using random bits. . . . . . . . .using random bits. . . . . . . . .

Randomized Primality TestRandomized Primality Test

Let’s suppose that Let’s suppose that EC ECnn contains at contains at least half the elements of Zleast half the elements of Z**

nn..Loop i = 1 to k:Loop i = 1 to k:

Pick random aPick random aii 22 [2 .. n-1]; [2 .. n-1];

If GCD(aIf GCD(aii,n) ,n) 1, Halt with “Composite”; 1, Halt with “Composite”;

If If aaii(n-1)/2(n-1)/2 §§1 1 , Halt with “Composite”;, Halt with “Composite”;

Halt with “I think n is prime. I am Halt with “I think n is prime. I am only wrong (½)only wrong (½)kk fraction of times I fraction of times I think that n is prime.” think that n is prime.”

n prime means half of a’s satisfyn prime means half of a’s satisfy

aa(n-1)/2(n-1)/2 = -1 mod n = -1 mod n

If n is prime, then ZIf n is prime, then Znn** has a has a

generator g. This means that a generator g. This means that a random arandom a22 Z Znn

** is given by g is given by grr for uniformly distributed r. Half for uniformly distributed r. Half the time, r is odd: the time, r is odd:

(g(grr))(n-1)/2(n-1)/2 = -1 mod n = -1 mod n


Loop i = 1 to k:Loop i = 1 to k:




If all the If all the aaii(n-1)/2(n-1)/2 s = 1, Halt with “I s = 1, Halt with “I

think n is composite”;think n is composite”; if n were prime, half of the a’s satisfy a(n-1)/2 -1


Test to see if n is even, or a power of a Test to see if n is even, or a power of a number.number.





If all the aIf all the aii(n-1)/2(n-1)/2 s = 1, halt with “I think s = 1, halt with “I think

n is composite. I am only wrong with n is composite. I am only wrong with prpr(½)(½)kk”; ”;

Halt with “I think n is prime. I am only Halt with “I think n is prime. I am only wrong (½)wrong (½)kk fraction of times I think fraction of times I think that n is prime.”that n is prime.”

Test to see if n is even, or a power of a number.Test to see if n is even, or a power of a number.





If all the aIf all the aii‘s = 1, Halt with “I think n is composite. I am ‘s = 1, Halt with “I think n is composite. I am

only wrong with pronly wrong with pr(½)(½)kk”; ”;

Halt with “I think n is prime. I am only wrong (½)Halt with “I think n is prime. I am only wrong (½)kk fraction of times I think that n is prime.”fraction of times I think that n is prime.”

Can prove that if n is an odd Can prove that if n is an odd composite, not a power, and there is composite, not a power, and there is some a such that some a such that aa(n-1)/2(n-1)/2 -1, then EC -1, then ECnn ;;. Hence, EC. Hence, ECnn is at least a half fraction of is at least a half fraction of ZZ**

nn..

Carmichael Numbers

Certain numbers masquerade as primes.

A Carmichael number is a number n such that for all numbers a with gcd(a,n)=1,an-1 = 1 (mod n)

Example: n=561 (the smallest Carmichael number)

For sufficiently large m, there are at least m2/7 Carmichael numbers between 1 and m.

Randomized Primality TestsRandomized Primality TestsThe test we gave is a fast randomized The test we gave is a fast randomized algorithm, that makes 2-sided error. This algorithm, that makes 2-sided error. This means that sometimes we are mistaken means that sometimes we are mistaken when we think n is prime, and sometimes we when we think n is prime, and sometimes we are mistaken when we think n is composite. are mistaken when we think n is composite. We can err in both directions.We can err in both directions.

There is a different, one-sided algorithm that There is a different, one-sided algorithm that never makes a mistake when it thinks n is never makes a mistake when it thinks n is composite. composite.

There is yet another one-sided algorithm There is yet another one-sided algorithm that never makes a mistake when it thinks n that never makes a mistake when it thinks n is prime.is prime.



Strategy:

1) Generate random n-bit numbers2) Do a fast randomized primality

check on each one

Primality Testing Versus FactoringPrimality Testing Versus Factoring

Primality has a fast randomized Primality has a fast randomized algorithm. algorithm.

FactoringFactoring is not known to have a fast is not known to have a fast algorithm. In fact, after thousands of algorithm. In fact, after thousands of

years of research, the fastest years of research, the fastest randomized algorithm takes exp(O(n randomized algorithm takes exp(O(n

log n log n) log n log n) 1/31/3))

operations on numbers of length n. operations on numbers of length n. With great effort, we can currently With great effort, we can currently

factor factor

200 digit numbers.200 digit numbers.

RSA-200, May 9, 2005: 2799783391 1221327870 8294676387 2260162107 0446786955 4285375600RSA-200, May 9, 2005: 2799783391 1221327870 8294676387 2260162107 0446786955 4285375600

0992932612 8400107609 3456710529 5536085606 1822351910 9513657886 3710595448 0992932612 8400107609 3456710529 5536085606 1822351910 9513657886 3710595448 2006576775 0985805576 1357909873 4950144178 8631789462 9518723786 92218239832006576775 0985805576 1357909873 4950144178 8631789462 9518723786 9221823983

number digits prize factored

RSA-100 100 Apr. 1991

RSA-110 110 Apr. 1992

RSA-120 120 Jun. 1993

RSA-129 129 $100 Apr. 1994

RSA-130 130 Apr. 10, 1996

RSA-140 140 Feb. 2, 1999

RSA-150 150 Apr. 16, 2004

RSA-155 155 Aug. 22, 1999

RSA-160 160 Apr. 1, 2003

RSA-200 200 May 9, 2005

RSA-576 174 $10,000 Dec. 3, 2003

RSA-640 193 $20,000 open

RSA-704 212 $30,000 open

RSA-768 232 $50,000 open

RSA-896 270 $75,000 open

RSA-1024 309 $100,000 open

RSA-1536 463 $150,000 open

RSA-2048 617 $200,000 open

Google: RSA Challenge Numbers

The techniques we’ve been The techniques we’ve been discussing today are discussing today are sometimes called sometimes called “fingerprinting.”“fingerprinting.”

The idea is that a large object The idea is that a large object such as a string (or document, such as a string (or document, or function, or data or function, or data structure…) is represented by structure…) is represented by a much smaller “fingerprint” a much smaller “fingerprint” using randomness.using randomness.

If two objects have identical If two objects have identical sets of fingerprints, they’re sets of fingerprints, they’re likely the same object.likely the same object.

randomness and computation: some prime examples

Documents