Post on 20-Dec-2015
מבוא מורחב - שיעור 61
Lecture 6
High order procedures
Primality testing
The RSA cryptosystem
מבוא מורחב - שיעור 622
Fixed Points
x0 is a fixed point of F(x) if F(x0) = x0
Example:
x0 = a is a fixed point of F(x) = a/x
מבוא מורחב - שיעור 63
5מבוא מורחב - שיעור 3
Finding fixed points for f(x)
Start with an arbitrary first guess x1
Each time:
• try the guess, f(x) ~ x ??
• If it’s not a good guess try the next guess xi+1 = f(xi)
(define (fixed-point f first-guess) (define tolerance 0.00001) (define (close-enough? v1 v2) (< (abs (- v1 v2)) tolerance)) (define (try guess) (let ((next (f guess))) (if (close-enough? guess next) guess (try next)))) (try first-guess))
מבוא מורחב - שיעור 64
5מבוא מורחב - שיעור 4
An example: f(x) = 1+1/x
(define (f x) (+ 1 (/ 1 x)))(fixed-point f 1.0)
X1 = 1.0X2 = f(x1) = 2X3 = f(x2) = 1.5X4 = f(x3) = 1.666666666..X5 = f(x4) = 1.6X6 = f(x5) = 1.625X7 = f(x6) = 1.6153846…
Exact fixed-point: 1.6180339…
Note how odd guessesunderestimateAnd even guessesOverestimate.
מבוא מורחב - שיעור 65
5מבוא מורחב - שיעור 5
Another example: f(x) = 2/x
(define (f x) (/ 2 x))(fixed-point f 1.0)
x1 = 1.0x2 = f(x1) = 2x3 = f(x2) = 1x4 = f(x3) = 2x5 = f(x4) = 1x6 = f(x5) = 2x7 = f(x6) = 1
Exact fixed-point: 1.414213562…
מבוא מורחב - שיעור 66
5מבוא מורחב - שיעור 6
How do we deal with oscillation?
Consider f(x)=2/x.
If guess is a number such that guess < sqrt(2) then 2/guess > sqrt(2)So the average of guess and 2/guess is always an evenBetter guess.
So, we will try to find a fixed point of g(x)= (x + f(x))/2
For f(x)=2/x this gives: g(x)= (x + 2/x)/2
Notice that g(x) = (x +f(x)) /2 has the same fixed points as f.
מבוא מורחב - שיעור 67
5מבוא מורחב - שיעור 7
X = 2 G = 1
X/G = 2 G = ½ (1+ 2) = 1.5
X/G = 4/3 G = ½ (3/2 + 4/3) = 17/12 = 1.416666
X/G = 24/17 G = ½ (17/12 + 24/17) = 577/408 = 1.4142156
To find an approximation of x:• Make a guess G• Improve the guess by averaging G and x/G• Keep improving the guess until it is good enough
.2for :Example xx
מבוא מורחב - שיעור 68
5מבוא מורחב - שיעור 8
Extracting the common pattern: average-damp
(define (average-damp f) ;outputs g(x)=(x+f(x))/2
(lambda (x) (average x (f x))))
average-damp: (number number) (number number)
((average-damp square) 10)
((lambda (x) (average x (square x))) 10)
(average 10 (square 10))
55
מבוא מורחב - שיעור 69
5מבוא מורחב - שיעור 9
… which gives us a clean version of sqrt
(define (sqrt x)
(fixed-point
(average-damp
(lambda (y) (/ x y)))
1))• Compare this to our previous implementation of sqrt – same process.
For the cubic root of x, fixed point of f(y) = x/y2
(define (cubert x)
(fixed-point
(average-damp (lambda (y) (/ x (square y))))
1))
מבוא מורחב - שיעור 610
5מבוא מורחב - שיעור 10
Further abstraction
(define (osc-fixed-point f first-guess) (fixed-point (average-damp f)
first-guess))
(define (sqrt x) (osc-fixed-point (lambda (y) (/ x y))
1.0)
(define (cubert x) (osc-fixed-point (lambda (y) (/ x (square y)))
1.0)
מבוא מורחב - שיעור 611
5מבוא מורחב - שיעור 11
Newton’s method
A solution to the equation: F(x) = 0
is a fixed point of: G(x) = x - F(x)/F’(x)(define (newton-transform f) (lambda (x) (- x
(/ (f x) ((deriv f) x)))))
(define (newton-method f guess) (fixed-point (newton-transform f) guess)) (define (sqrt x) (newton-method (lambda (y) (- (square y) x)) 1.0))
מבוא מורחב - שיעור 612
5מבוא מורחב - שיעור 12
Further abstraction
(define (fixed-point-of-transform f transform guess) (fixed-point (transform f) guess))
(define (osc-fixed-point f guess) (fixed-point-of-transform f
average-damp guess))
(define (newton-method f guess) (fixed-point-of-transform f
newton-transform guess))
מבוא מורחב - שיעור 613
Primality testing
• A natural number n is prime iff the only natural numbers dividing n are 1 and n.
• The following are prime: 2, 3, 5, 7, 11, 13, …and so are 1299709, 15485863, 22801763489, …
• There is an infinite number of prime numbers.• Is 2101-1=2535301200456458802993406410751 prime?• How do we check whether a number is prime?• How do we generate huge prime numbers?• Why do we care?
מבוא מורחב - שיעור 614
Naïve solution: Finding the smallest divisor
(define (prime? n)
(= n (find-smallest-divisor n 2)))
(define (divides? a b)
(= (remainder b a) 0))
(define (find-smallest-divisor n i) (cond ((divides? i n) i) (else (find-smallest-divisor n (+ i 1)))))
Space complexity is: (1)For prime n we have time complexity n.
If n is a 100 digit number we will wait “for ever”.
מבוא מורחב - שיעור 615
An improvement
(define (prime? n) (= n (find-smallest-divisor n 2)))
(define (divides? a b) (= (remainder b a) 0))
(define (find-smallest-divisor n i) (cond ((> (square i) n) n) ((divides? i n) i) (else (find-smallest-divisor n (+ i 1)))))
For prime n we have time complexity: (n)Worst case space complexity: (1)
Still, if n is a 100 digit number, it is completely infeasible.
מבוא מורחב - שיעור 616
We can prove that a number is not prime without explicitly finding a divisor of it.
Randomness is useful in computations!
Is there a more efficient way of checking primality?
Yes! At least if we are willing to accept
a tiny probability of error.
מבוא מורחב - שיעור 617
The Fermat Primality Test
Fermat’s little theorem:
If n is a prime number then:
an a (mod n) , for every integer a
The Fermat Test:
Do 100 times:
Pick a random 1<a<n and compute an (mod n).
If an a (mod n), then n is not a prime.
If all 100 tests passed, declare n to be a prime.
Corollary: If an ≠a (mod n) , for some a, then n is not a prime!Such an a is a witness to the compositeness of n.
מבוא מורחב - שיעור 618
Fast computation of modular exponentiationab mod m
(define (expmod a b m) (cond ((= b 0) 1) ((even? b) (remainder (expmod (remainder (* a a) m) (/ b 2) m) m)) (else (remainder (* a (expmod a (- b 1) m)) m))))
מבוא מורחב - שיעור 619
Implementing Fermat test
(define (test a n)(= (expmod a n n) a))
(define (rand-test n) (test (+ 1 (random (- n 1))) n)); note - (random m) returns a random number; between 0 and m-1(define (fermat-test n k); (cond ((= k 0) #t) ((rand-test n) (fermat-test n (- k 1))) (else #f)))
Worst-case time complexity: (log n) if k is constant Even if n is a 1000 digit number, it is still okay!
מבוא מורחב - שיעור 620
Is the Fermat test correct?
• If the Fermat test says that a number n is composite,then the number n is indeed a composite number.
• If n is a prime number, the Fermat test will always say that n is prime.
But,• Can the Fermat test say that a composite number
is prime?• What is the probability that this will happen?
מבוא מורחב - שיעור 621
Carmichael numbers
A composite number n is a Carmichael number iff an a (mod n) for every integer a.
The first Carmichael numbers are: 561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, 15841, …
Theorem: n is a Carmichael number iff n=p1p2…pk, where p1 , p2 , … , pk are primes and pi-1 divides n-1, for i=1,…,k.
On Carmichael numbers, the Fermat test is always wrong!
Carmichael numbers are fairly rare. (There are 255 Carmichael numbers smaller than 100,000,000).
מבוא מורחב - שיעור 622
Theorem: (Rabin ’77) If n is a composite number that is not a Carmichael number, then at least half of the numbers between 1 and n are witnesses to the compositeness of n.
Corollary: Let n be a composite number that is not a Carmichael number. If we pick a random number a, 1<a<n, then a is a witness with a probability of at least a 1/2 !
מבוא מורחב - שיעור 623
“Correctness” of the Fermat test
• If n is prime, the Fermat test is always right.• If n is a Carmichael number,
the Fermat test is always wrong!• If n is composite number that is not a Carmichael number, the Fermat test
is wrong with a probability of at most 2-100.
Is an error probability of 2-100 acceptable?
Yes!
מבוא מורחב - שיעור 624
The Rabin-Miller test
• A fairly simple modification of the Fermat test that is correct with a probability of at least 1-2-100 also on Carmichael numbers.
• Will not be covered in this course.
מבוא מורחב - שיעור 625
Probabilistic algorithms
An algorithm that uses random choices but outputs the correct result, with high probability,for every input!
Randomness is a very useful algorithmic tool.
Until the year 2002, there were no efficient deterministic primality testing algorithms.
In 2002, Agarwal, Kayal and Saxena found a fast deterministic primality testing algorithm.
מבוא מורחב - שיעור 626
Finding large prime numbers
The prime number Theorem:
The number of prime numbers smaller than n is asymptotically n / ln n.
Thus, for every number n, there is “likely” to be a prime number between n and n + ln n.
To find a prime number roughly the size of (odd) n, simply test n, n+2, n+4, … for primality.
(define (find-prime n t) (if (fermat-test n t) n (find-prime (+ n 2) t)))
מבוא מורחב - שיעור 628
Primality testing versus Factoring
• Fast primality testing algorithms determine that a number n is composite without finding any of its factors.
• No efficient factoring algorithms are known.• Factoring a number is believed to be a much harder task.
Primality testing - EasyFactoring - Hard
Now: Use the ease of primality and hardness of factoring
מבוא מורחב - שיעור 629
Cryptography
Eve
BobAlice
מבוא מורחב - שיעור 630
Traditional solution: classical cryptography
Eve
BobAlice
Encryption Decryption
Encryptionkey
Decryptionkey
Hi Bob! Hi Bob!
#$%&*()
מבוא מורחב - שיעור 631
In classical cryptography:
• The two parties (Alice and Bob) should agree in advance on the encryption/decryption key.
• The encryption and decryption keys are either identical or easily derived from one another.
מבוא מורחב - שיעור 632
The internet age
Eve
Bob
Alice Calvin
Donald
Felix
מבוא מורחב - שיעור 633
Public key cryptology
• A system in which it is infeasible to deduce the decryption key from the encryption key.
• Each user publishes an encryption key that should be used for sending messages to her, but keeps her decryption key private.
• Is it possible to construct secure public key cryptosystems?
מבוא מורחב - שיעור 634
The RSA public key cryptosystem [Rivest, Shamir, Adleman (1977)]
Bob:
Picks two huge primes p and q.
Calculates n=pq, and announces n.
Chooses and announce integer e prime to (p-1)(q-1)
e and (p-1)(q-1) have no common divisor other than 1
Calculates the unique d such that
de = 1 (mod (p-1)(q-1)) It is believed that computing d,
without knowing p and q, is hard.
מבוא מורחב - שיעור 635
The RSA cryptosystem (cont.)
To send a message m (0≤m<n) to Bob,
Alice computes c=EBob(m) and sends it to Bob.
To decipher the message, Bob computes m=DBob(c)
EBob(m) = me (mod n)
DBob(m) = md (mod n)
Lemma: DBob(EBob(m)) = m
מבוא מורחב - שיעור 636
(define p 17)(define q 13)(define n (* p q))(define base (* (- p 1) (- q 1)))(define e 35)(define d (find-d e base))(display d)(define message 121)(display message)(newline)(define alice-message (expmod message e n)(newline)(define bob-decipher (expmod alice-message d n)(display bob-decipher)
; d = 11
מבוא מורחב - שיעור 637
Find-d
(define (find-d e base)
(define (guess d)
(if ( = (remainder (* d e) base) 1)
d
(guess (+ d 1))
)
)
(guess 0)
)
Obviously, not the way this is done for real numbers.. Why?
מבוא מורחב - שיעור 638
Some executions
• message 121• alice-message 127• bob-decipher 121
• message 21• alice-message 200• bob-decipher 21
• message 57• alice-message 216• bob-decipher 57