### The Density Attack for primes

[Figure: the set of all numbers $< n$, with the witnesses to compositeness of $n$ shaded.]

### The Density Attack for primes

1: Pick $k \in \{1, \ldots, n\}$ randomly;
2: if $k \mid n$ and $k \ne n$ then
3:   return “n is composite”;
4: else
5:   return “n is (probably) a prime”;
6: end if

### The Density Attack for primes (continued)

• It works, but does it work well?

• The ratio of numbers $\le n$ relatively prime to $n$ (the white area) is $\phi(n)/n$.

• When $n = pq$, where $p$ and $q$ are distinct primes,
$$\frac{\phi(n)}{n} = \frac{pq - p - q + 1}{pq} > 1 - \frac{1}{q} - \frac{1}{p}.$$

### The Density Attack for primes (concluded)

• So the ratio of numbers $\le n$ not relatively prime to $n$ (the grey area) is $< (1/q) + (1/p)$.

  – The “density attack” has probability about $2/\sqrt{n}$ of factoring $n = pq$ when $p \sim q = O(\sqrt{n})$.

  – The “density attack” to factor $n = pq$ hence takes $\Omega(\sqrt{n})$ steps on average when $p \sim q = O(\sqrt{n})$.

  – This running time is exponential: $\Omega(2^{0.5 \log_2 n})$.
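The analysis above, as an added worked example (this is not code from the slides): it computes the grey-area ratio $1 - \phi(n)/n$ exactly for constructed toy moduli $n = pq$, compares it with the bound $1/p + 1/q$, and simulates the random picks. The witness test used here is $\gcd(k, n) > 1$, which is exactly the “not relatively prime” set the slide’s analysis counts; it generalizes the slide’s $k \mid n$ check, and the function names and moduli are the example’s own.

```python
"""Added example (not from the slides): the density attack on n = pq.

A random k in {1, ..., n} is a witness when gcd(k, n) > 1, i.e. when it lies in
the grey area of numbers not relatively prime to n.  The grey-area ratio is
1 - phi(n)/n < 1/p + 1/q, about 2/sqrt(n) when p ~ q, so the expected number
of picks before the attack succeeds is about sqrt(n)/2.
"""
import math
import random


def phi_of_pq(p: int, q: int) -> int:
    """Euler's phi for n = pq with p, q distinct primes: (p - 1)(q - 1)."""
    return (p - 1) * (q - 1)


def grey_ratio_exact(p: int, q: int) -> float:
    """Exact fraction of k in {1, ..., n} sharing a factor with n = pq."""
    return 1 - phi_of_pq(p, q) / (p * q)


def grey_ratio_bound(p: int, q: int) -> float:
    """The slide's upper bound (1/q) + (1/p) on the grey-area ratio."""
    return 1 / q + 1 / p


def expected_picks(p: int, q: int) -> float:
    """Expected number of random picks until the first witness (mean of a geometric distribution)."""
    return 1 / grey_ratio_exact(p, q)


def density_attack(n: int, trials: int, seed: int = 0):
    """Pick k uniformly from {1, ..., n} `trials` times.

    Returns (number of witnesses seen, a nontrivial factor exposed by the first
    witness, or None if no pick shared a factor with n).  A seeded generator is
    used so runs are reproducible.
    """
    rng = random.Random(seed)
    hits, factor = 0, None
    for _ in range(trials):
        k = rng.randrange(1, n + 1)
        g = math.gcd(k, n)
        if 1 < g < n:            # k is in the grey area: it reveals a factor
            hits += 1
            if factor is None:
                factor = g
    return hits, factor


if __name__ == "__main__":
    # Constructed toy moduli.  Real RSA moduli have p, q of hundreds of digits,
    # where about sqrt(n)/2 picks is hopeless, which is the point of the analysis.
    for p, q in [(3, 5), (11, 13), (101, 103), (1009, 1013)]:
        n = p * q
        hits, factor = density_attack(n, trials=2000, seed=1)
        print(f"n={n}: grey ratio {grey_ratio_exact(p, q):.4f} "
              f"< bound {grey_ratio_bound(p, q):.4f}; expected picks {expected_picks(p, q):.1f}; "
              f"witnesses in 2000 picks: {hits}, factor found: {factor}")
```

Running the script shows the expected number of picks growing roughly with $\sqrt{n}$ even for these tiny moduli, which is why the slide classifies the attack as exponential in the input length $\log_2 n$.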

### The Chinese Remainder Theorem

• Let $n = n_1 n_2 \cdots n_k$, where the $n_i$ are pairwise relatively prime.

• For any integers $a_1, a_2, \ldots, a_k$, the set of simultaneous equations
$$\begin{aligned} x &= a_1 \bmod n_1, \\ x &= a_2 \bmod n_2, \\ &\;\;\vdots \\ x &= a_k \bmod n_k, \end{aligned}$$
has a unique solution modulo $n$ for the unknown $x$.
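A solver for the system above, as an added example (not code from the slides). It uses the standard constructive proof of the theorem: with $N_i = n/n_i$, the number $N_i (N_i^{-1} \bmod n_i)$ is $1$ modulo $n_i$ and $0$ modulo every other $n_j$, so $x = \sum_i a_i N_i (N_i^{-1} \bmod n_i) \bmod n$. The function names and sample congruences are the example’s own; it rejects moduli that are not pairwise relatively prime, since the theorem’s uniqueness claim does not apply to them.

```python
"""Added example (not from the slides): solving the simultaneous congruences of
the Chinese Remainder Theorem for pairwise relatively prime moduli n_1, ..., n_k."""
from math import gcd, prod


def pairwise_coprime(moduli) -> bool:
    """The theorem's hypothesis: every pair of moduli is relatively prime."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def crt(residues, moduli) -> int:
    """Return the unique x in [0, n) with x = a_i mod n_i for every i, n = prod(n_i).

    Standard construction: with N_i = n / n_i, which is invertible modulo n_i
    because the moduli are pairwise coprime, x = sum_i a_i * N_i * (N_i^{-1} mod n_i).
    Each summand is a_i modulo n_i and 0 modulo every other n_j.
    """
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    if not pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise relatively prime")
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        N_i = n // n_i
        inv = pow(N_i, -1, n_i)   # modular inverse (Python 3.8+)
        x += a_i * N_i * inv
    return x % n


def satisfies_all(x, residues, moduli) -> bool:
    """Check x against every congruence in the system."""
    return all(x % n_i == a_i % n_i for a_i, n_i in zip(residues, moduli))


def solutions_below_n(residues, moduli):
    """Brute-force every candidate in [0, n) to exhibit uniqueness (toy sizes only)."""
    n = prod(moduli)
    return [x for x in range(n) if satisfies_all(x, residues, moduli)]


if __name__ == "__main__":
    # Constructed system: x = 2 mod 3, x = 3 mod 5, x = 2 mod 7.
    print(crt([2, 3, 2], [3, 5, 7]))            # 23
    print(solutions_below_n([2, 3, 2], [3, 5, 7]))  # [23]: unique modulo 105
```

The same construction is what RSA implementations use to speed up private-key operations by working modulo $p$ and $q$ separately and recombining, which is why the theorem matters beyond the primality discussion here.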

### Fermat’s “Little” Theorem^a

**Lemma 55** For all $0 < a < p$, $a^{p-1} = 1 \bmod p$.

• Recall $\Phi(p) = \{1, 2, \ldots, p - 1\}$.

• Consider $a\Phi(p) = \{am \bmod p : m \in \Phi(p)\}$.

• $a\Phi(p) = \Phi(p)$.

  – $a\Phi(p) \subseteq \Phi(p)$ as a remainder must be between 1 and $p - 1$.

  – Suppose $am = am' \bmod p$ for $m > m'$, where $m, m' \in \Phi(p)$.

  – That means $a(m - m') = 0 \bmod p$, and $p$ divides $a$ or $m - m'$, which is impossible.

^a Pierre de Fermat (1601–1665).

### The Proof (concluded)

• Multiply all the numbers in $\Phi(p)$ to yield $(p - 1)!$.

• Multiply all the numbers in $a\Phi(p)$ to yield $a^{p-1}(p - 1)!$.

• As $a\Phi(p) = \Phi(p)$, $a^{p-1}(p - 1)! = (p - 1)! \bmod p$.

• Finally, $a^{p-1} = 1 \bmod p$ because $p \nmid (p - 1)!$.

### The Fermat-Euler Theorem^a

**Corollary 56** For all $a \in \Phi(n)$, $a^{\phi(n)} = 1 \bmod n$.

• The proof is similar to that of Lemma 55 (p. 437).

• Consider $a\Phi(n) = \{am \bmod n : m \in \Phi(n)\}$.

• $a\Phi(n) = \Phi(n)$.

  – $a\Phi(n) \subseteq \Phi(n)$ as a remainder must be between 0 and $n - 1$ and relatively prime to $n$.

  – Suppose $am = am' \bmod n$ for $m' < m < n$, where $m, m' \in \Phi(n)$.

  – That means $a(m - m') = 0 \bmod n$, and $n$ divides $a$ or $m - m'$, which is impossible.

^a Proof by Mr. Wei-Cheng Cheng (R93922108, D95922011) on November 24, 2004.

### The Proof (concluded)^a

• Multiply all the numbers in $\Phi(n)$ to yield $\prod_{m \in \Phi(n)} m$.

• Multiply all the numbers in $a\Phi(n)$ to yield $a^{\phi(n)} \prod_{m \in \Phi(n)} m$.

• As $a\Phi(n) = \Phi(n)$,
$$\prod_{m \in \Phi(n)} m = a^{\phi(n)} \prod_{m \in \Phi(n)} m \bmod n.$$

• Finally, $a^{\phi(n)} = 1 \bmod n$ because $n \nmid \prod_{m \in \Phi(n)} m$.

^a Some typographical errors corrected by Mr. Jung-Ying Chen (D95723006) on November 18, 2008.

### An Example

• As $12 = 2^2 \times 3$,
$$\phi(12) = 12 \times \left(1 - \frac{1}{2}\right)\left(1 - \frac{1}{3}\right) = 4.$$

• In fact, $\Phi(12) = \{1, 5, 7, 11\}$.

• For example,
$$5^4 = 625 = 1 \bmod 12.$$
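The Fermat-Euler proof and the $n = 12$ example above, checked by computation, as an added example (not code from the slides). It constructs $\Phi(n)$ and $a\Phi(n)$ directly, confirms the permutation step $a\Phi(n) = \Phi(n)$ the proof rests on, and confirms $a^{\phi(n)} = 1 \bmod n$; it also shows what happens when the hypothesis $\gcd(a, n) = 1$ fails. Function names are the example’s own.

```python
"""Added example (not from the slides): checking the Fermat-Euler theorem and the
set identity a*Phi(n) = Phi(n) that its proof rests on, for small n.

Phi(n) is the set of residues in {1, ..., n-1} relatively prime to n and phi(n) = |Phi(n)|.
"""
from math import gcd


def reduced_residues(n: int):
    """Phi(n) as a sorted list; requires n >= 2."""
    if n < 2:
        raise ValueError("n must be at least 2")
    return [m for m in range(1, n) if gcd(m, n) == 1]


def euler_phi(n: int) -> int:
    """phi(n) = |Phi(n)|, by direct count (fine for small n)."""
    return len(reduced_residues(n))


def scaled_residues(a: int, n: int):
    """a*Phi(n) = {a m mod n : m in Phi(n)}, sorted; duplicates are kept to expose collisions."""
    return sorted(a * m % n for m in reduced_residues(n))


def permutation_step_holds(a: int, n: int) -> bool:
    """The proof's key step: multiplying by a permutes Phi(n) when gcd(a, n) = 1."""
    return scaled_residues(a, n) == reduced_residues(n)


def fermat_euler_holds(a: int, n: int) -> bool:
    """Corollary 56: a^phi(n) = 1 mod n."""
    return pow(a, euler_phi(n), n) == 1


def theorem_holds_for_all(n: int) -> bool:
    """Both the permutation step and the congruence, for every a in Phi(n)."""
    return all(permutation_step_holds(a, n) and fermat_euler_holds(a, n)
               for a in reduced_residues(n))


if __name__ == "__main__":
    print("Phi(12) =", reduced_residues(12), " phi(12) =", euler_phi(12))
    print("5*Phi(12) mod 12 =", scaled_residues(5, 12))    # the same set, permuted
    print("5^4 mod 12 =", pow(5, 4, 12))                     # the slide's 625 = 1 mod 12
    # The hypothesis gcd(a, n) = 1 matters: a = 2 collapses Phi(12) onto {2, 10}
    # and 2^4 = 16 = 4 mod 12, so neither the permutation step nor the congruence holds.
    print("2*Phi(12) mod 12 =", scaled_residues(2, 12), " 2^4 mod 12 =", pow(2, 4, 12))
```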

### Exponents

• The exponent of $m \in \Phi(p)$ is the least $k \in \mathbb{Z}^+$ such that $m^k = 1 \bmod p$.

• Every residue $s \in \Phi(p)$ has an exponent.

  – $1, s, s^2, s^3, \ldots$ eventually repeats itself modulo $p$, say $s^i = s^j \bmod p$, which means $s^{j-i} = 1 \bmod p$.

• If the exponent of $m$ is $k$ and $m^\ell = 1 \bmod p$, then $k \mid \ell$.

  – Otherwise, $\ell = qk + a$ for $0 < a < k$, and $m^\ell = m^{qk+a} = m^a = 1 \bmod p$, a contradiction.

**Lemma 57** Any nonzero polynomial of degree $k$ has at most $k$ distinct roots modulo $p$.

### Exponents and Primitive Roots

• From Fermat’s “little” theorem, all exponents divide $p - 1$.

• A primitive root of $p$ is thus a number with exponent $p - 1$.

• Let $R(k)$ denote the total number of residues in $\Phi(p) = \{1, 2, \ldots, p - 1\}$ that have exponent $k$.

• We already knew that $R(k) = 0$ for $k \nmid (p - 1)$.

• So
$$\sum_{k \mid (p-1)} R(k) = p - 1$$
as every number has an exponent.

### Size of R(k)

• Any $a \in \Phi(p)$ of exponent $k$ satisfies $x^k = 1 \bmod p$.

• Hence there are at most $k$ residues of exponent $k$, i.e., $R(k) \le k$, by Lemma 57 (p. 442).

• Let $s$ be a residue of exponent $k$.

• $1, s, s^2, \ldots, s^{k-1}$ are distinct modulo $p$.

  – Otherwise, $s^i = s^j \bmod p$ with $i < j$.

  – Then $s^{j-i} = 1 \bmod p$ with $j - i < k$, a contradiction.

• As all these $k$ distinct numbers satisfy $x^k = 1 \bmod p$, they comprise all solutions of $x^k = 1 \bmod p$.

### Size of R(k) (continued)

• But do all of them have exponent $k$ (i.e., $R(k) = k$)?

• And if not (i.e., $R(k) < k$), how many of them do?

• Pick $s^\ell$.

• Suppose $\ell < k$ and $\ell \notin \Phi(k)$ with $\gcd(\ell, k) = d > 1$.

• Then
$$(s^\ell)^{k/d} = (s^k)^{\ell/d} = 1 \bmod p.$$

• Therefore, $s^\ell$ has exponent at most $k/d < k$.

• We conclude that
$$R(k) \le \phi(k).$$

### Size of R(k) (concluded)

• Because all $p - 1$ residues have an exponent,
$$p - 1 = \sum_{k \mid (p-1)} R(k) \le \sum_{k \mid (p-1)} \phi(k) = p - 1$$
by Lemma 54 (p. 430).

• Hence
$$R(k) = \begin{cases} \phi(k) & \text{when } k \mid (p - 1), \\ 0 & \text{otherwise.} \end{cases}$$

• In particular, $R(p - 1) = \phi(p - 1) > 0$, and $p$ has at least one primitive root.

• This proves one direction of Theorem 49 (p. 416).

### A Few Calculations

• Let $p = 13$.

• From p. 439, we know $\phi(p - 1) = 4$.

• Hence $R(12) = 4$.

• Indeed, there are 4 primitive roots of $p$.

• As
$$\Phi(p - 1) = \{1, 5, 7, 11\},$$
the primitive roots are
$$g^1, g^5, g^7, g^{11}$$
for any primitive root $g$.
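The exponent, $R(k)$ and primitive-root material of the last few slides, computed for small primes, as an added example (not code from the slides). It finds the exponent of every residue by repeated multiplication, tabulates $R(k)$, checks $R(k) = \phi(k)$ for $k \mid (p - 1)$, and reproduces the $p = 13$ calculation, including the observation that the primitive roots are $g^\ell$ for $\ell \in \Phi(p - 1)$. Function names are the example’s own.

```python
"""Added example (not from the slides): exponents (multiplicative orders) of the
residues modulo a prime p, the counts R(k), and the primitive roots, checked
against R(k) = phi(k) for k | (p - 1) and against the slide's p = 13 numbers."""
from math import gcd


def exponent(m: int, p: int) -> int:
    """The exponent of m in Phi(p): the least k >= 1 with m^k = 1 mod p."""
    k, x = 1, m % p
    while x != 1:
        x = x * m % p
        k += 1
    return k


def divisors(n: int):
    return [d for d in range(1, n + 1) if n % d == 0]


def euler_phi(k: int) -> int:
    return sum(1 for m in range(1, k + 1) if gcd(m, k) == 1)


def exponent_counts(p: int) -> dict:
    """R(k): how many residues in Phi(p) have exponent k (only k | p - 1 occur)."""
    counts = {}
    for m in range(1, p):
        k = exponent(m, p)
        counts[k] = counts.get(k, 0) + 1
    return counts


def primitive_roots(p: int):
    """Residues of exponent p - 1."""
    return [m for m in range(1, p) if exponent(m, p) == p - 1]


def r_equals_phi(p: int) -> bool:
    """The slide's conclusion: R(k) = phi(k) for every k | (p - 1), and R(k) = 0 otherwise."""
    counts = exponent_counts(p)
    divs = divisors(p - 1)
    return (all(counts.get(k, 0) == euler_phi(k) for k in divs)
            and all(k in divs for k in counts))


def roots_from_generator(g: int, p: int):
    """Given one primitive root g, the others are g^l for l in Phi(p - 1)."""
    return sorted(pow(g, l, p) for l in range(1, p - 1) if gcd(l, p - 1) == 1)


if __name__ == "__main__":
    p = 13
    print("R(k) for p = 13:", exponent_counts(p))          # R(12) = 4 = phi(12)
    print("primitive roots of 13:", primitive_roots(p))
    print("g^l for l in Phi(12), g = 2:", roots_from_generator(2, p))
    print("R(k) = phi(k) for all k | p-1, p < 60:",
          all(r_equals_phi(q) for q in range(3, 60) if all(q % d for d in range(2, q))))
```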

### The Other Direction of Theorem 49 (p. 416)

• We show $p$ is a prime if there is a number $r$ such that
  1. $r^{p-1} = 1 \bmod p$, and
  2. $r^{(p-1)/q} \ne 1 \bmod p$ for all prime divisors $q$ of $p - 1$.

• Suppose $p$ is not a prime.

• We proceed to show that no primitive roots exist.

• Suppose $r^{p-1} = 1 \bmod p$ (note $\gcd(r, p) = 1$).

• We will show that the 2nd condition must be violated.

### The Proof (continued)

• So we proceed to show $r^{(p-1)/q} = 1 \bmod p$ for some prime divisor $q$ of $p - 1$.

• $r^{\phi(p)} = 1 \bmod p$ by the Fermat-Euler theorem (p. 439).

• Because $p$ is not a prime, $\phi(p) < p - 1$.

• Let $k$ be the smallest integer such that $r^k = 1 \bmod p$.

• With the 1st condition, it is easy to show that $k \mid (p - 1)$ (similar to p. 442).

• Note that $k \mid \phi(p)$ (p. 442).

• As $k \le \phi(p)$, $k < p - 1$.

### The Proof (concluded)

• Let $q$ be a prime divisor of $(p - 1)/k > 1$.

• Then $k \mid (p - 1)/q$.

• By the definition of $k$,
$$r^{(p-1)/q} = 1 \bmod p.$$

• But this violates the 2nd condition.
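The two conditions of Theorem 49 as an executable primality certificate check, as an added example (not code from the slides). Besides searching for a certifying $r$, it checks the proof’s claim exhaustively on small composites: every $r$ that passes the 1st condition fails the 2nd. Factoring $p - 1$ is by trial division, so the inputs are kept small; function names are the example’s own. This certificate is the Lucas test, the building block of Pratt primality certificates.

```python
"""Added example (not from the slides): Theorem 49's two conditions as a
primality certificate check, and the proof's claim that a composite p leaves
no room for such an r.  Factoring p - 1 is by trial division, so keep p small.
"""


def prime_divisors(n: int):
    """Distinct prime divisors of n by trial division."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def first_condition(r: int, p: int) -> bool:
    """r^(p-1) = 1 mod p."""
    return pow(r, p - 1, p) == 1


def second_condition(r: int, p: int) -> bool:
    """r^((p-1)/q) != 1 mod p for every prime divisor q of p - 1."""
    return all(pow(r, (p - 1) // q, p) != 1 for q in prime_divisors(p - 1))


def is_certificate(r: int, p: int) -> bool:
    """r certifies p prime iff both conditions hold (r is then a primitive root of p)."""
    return p >= 2 and 1 <= r < p and first_condition(r, p) and second_condition(r, p)


def find_certificate(p: int):
    """Smallest r in {1, ..., p-1} certifying p, or None.

    By Theorem 49 the answer is None exactly when p is composite: the proof shows
    that for composite p every r passing the 1st condition fails the 2nd.
    """
    for r in range(1, p):
        if is_certificate(r, p):
            return r
    return None


def fermat_liars_all_fail_second(p: int) -> bool:
    """The proof's claim, checked exhaustively for a composite p: every r with
    r^(p-1) = 1 mod p has r^((p-1)/q) = 1 mod p for some prime q | p - 1."""
    return all(not second_condition(r, p) for r in range(1, p) if first_condition(r, p))


if __name__ == "__main__":
    print("certificate for 13:", find_certificate(13))       # 2, a primitive root of 13
    print("certificate for 15:", find_certificate(15))       # None: 15 is composite
    # 561 = 3 * 11 * 17 is a Carmichael number: every coprime r passes the 1st
    # condition, yet none passes the 2nd, so the theorem still rejects it.
    print("561: r=2 passes 1st:", first_condition(2, 561),
          " passes 2nd:", second_condition(2, 561),
          " certificate:", find_certificate(561))
```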

### Function Problems

• Decision problems are yes/no problems (sat, tsp (d), etc.).

• Function problems require a solution (a satisfying truth assignment, a best tsp tour, etc.).

• Optimization problems are clearly function problems.

• What is the relation between function and decision problems?

• Which one is harder?

### Function Problems Cannot Be Easier than Decision Problems

• If we know how to generate a solution, we can solve the corresponding decision problem.

  – If you can find a satisfying truth assignment efficiently, then sat is in P.

  – If you can find the best tsp tour efficiently, then tsp (d) is in P.

• But decision problems can be as hard as the corresponding function problems.

### fsat

• fsat is this function problem:

  – Let $\phi(x_1, x_2, \ldots, x_n)$ be a boolean expression.

  – If $\phi$ is satisfiable, then return a satisfying truth assignment.

  – Otherwise, return “no.”

• We next show that if sat $\in$ P, then fsat has a polynomial-time algorithm.

• sat is a subroutine (black box) that returns “yes” or “no” on the satisfiability of the input.

### An Algorithm for fsat Using sat

1: $t := \epsilon$; {Truth assignment.}
2: if $\phi \in$ sat then
3:   for $i = 1, 2, \ldots, n$ do
4:     if $\phi[\,x_i = \text{true}\,] \in$ sat then
5:       $t := t \cup \{x_i = \text{true}\}$;
6:       $\phi := \phi[\,x_i = \text{true}\,]$;
7:     else
8:       $t := t \cup \{x_i = \text{false}\}$;
9:       $\phi := \phi[\,x_i = \text{false}\,]$;
10:    end if
11:  end for
12:  return $t$;
13: else
14:  return “no”;
15: end if

### Analysis

• If sat can be solved in polynomial time, so can fsat.

  – There are $\le n + 1$ calls to the algorithm for sat.^a

  – Boolean expressions shorter than $\phi$ are used in each call to the algorithm for sat.

• Hence sat and fsat are equally hard (or easy).

• Note that this reduction from fsat to sat is not a Karp reduction (recall p. 237).

• Instead, it calls sat multiple times as a subroutine and moves on sat’s outputs.

^a Contributed by Ms. Eva Ou (R93922132) on November 24, 2004.
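The fsat algorithm and its call-count analysis, run against a brute-force sat black box, as an added example (not code from the slides). Formulas are in CNF under the DIMACS convention (literal $+i$ is $x_i$, $-i$ is $\neg x_i$), $\phi[x_i = v]$ is implemented by simplifying the clause list, and the oracle counts its own invocations so the bound of $n + 1$ calls can be verified. The sample formulas, class and function names are the example’s own.

```python
"""Added example (not from the slides): the fsat-from-sat reduction run against
a brute-force sat oracle.  A formula is a list of clauses in CNF; a clause is a
list of nonzero ints, +i for x_i and -i for NOT x_i (the DIMACS convention).
phi[x_i = v] is realised by simplifying the clause list."""
from itertools import product


def substitute(clauses, var, value):
    """phi[x_var = value]: drop clauses the literal satisfies, strip the falsified literal."""
    true_lit = var if value else -var
    return [[lit for lit in c if abs(lit) != var] for c in clauses if true_lit not in c]


class SatOracle:
    """Black box for sat (brute force over the variables that still occur).
    Counts its calls so the slide's bound of n + 1 can be checked."""

    def __init__(self):
        self.calls = 0

    def __call__(self, clauses) -> bool:
        self.calls += 1
        names = sorted({abs(lit) for c in clauses for lit in c})
        for bits in product((False, True), repeat=len(names)):
            t = dict(zip(names, bits))
            # An empty clause is never satisfied, so a formula containing one is rejected.
            if all(any(t[abs(lit)] == (lit > 0) for lit in c) for c in clauses):
                return True
        return False


def fsat(clauses, n, sat):
    """The slide's algorithm: one sat call on phi, then one per variable."""
    if not sat(clauses):
        return "no"
    t, phi = {}, clauses
    for i in range(1, n + 1):
        if sat(substitute(phi, i, True)):
            t[i] = True
        else:
            t[i] = False          # phi is satisfiable, so x_i = false must work
        phi = substitute(phi, i, t[i])
    return t


def satisfies(clauses, t) -> bool:
    return all(any(t[abs(lit)] == (lit > 0) for lit in c) for c in clauses)


def solve_with_count(clauses, n):
    """Run fsat with a fresh oracle; return (result, number of sat calls)."""
    oracle = SatOracle()
    return fsat(clauses, n, oracle), oracle.calls


# Constructed inputs: (x1 or not x2) and (x2 or x3) and (not x1 or not x3); and x1 and not x1.
EXAMPLE = [[1, -2], [2, 3], [-1, -3]]
UNSAT = [[1], [-1]]

if __name__ == "__main__":
    t, calls = solve_with_count(EXAMPLE, 3)
    print("assignment:", t, " satisfies:", satisfies(EXAMPLE, t), " sat calls:", calls)  # 4 = n + 1
    print("unsatisfiable formula:", solve_with_count(UNSAT, 1))                           # ('no', 1)
```

Each sat call is on a formula no longer than the previous one, matching the slide’s remark that the expressions passed to sat shrink; the oracle here is exponential, but the reduction only cares about how many times it is consulted.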

### tsp and tsp (d) Revisited

• We are given $n$ cities $1, 2, \ldots, n$ and integer distances $d_{ij} = d_{ji}$ between any two cities $i$ and $j$.

• tsp (d) asks if there is a tour with a total distance at most $B$.

• tsp asks for a tour with the shortest total distance.

  – The shortest total distance is at most $\sum_{i,j} d_{ij}$.

    ∗ Recall that the input string contains $d_{11}, \ldots, d_{nn}$.

    ∗ Thus the shortest total distance is less than $2^{|x|}$ in magnitude, where $x$ is the input (why?).

• We next show that if tsp (d) $\in$ P, then tsp has a polynomial-time algorithm.

### An Algorithm for tsp Using tsp (d)

1: Perform a binary search over interval $[\,0, 2^{|x|}\,]$ by calling tsp (d) to obtain the shortest distance, $C$;
2: for $i, j = 1, 2, \ldots, n$ do
3:   Call tsp (d) with $B = C$ and $d_{ij} = C + 1$;
4:   if “no” then
5:     Restore $d_{ij}$ to old value; {Edge $[\,i, j\,]$ is critical.}
6:   end if
7: end for
8: return the tour with edges whose $d_{ij} \le C$;

### Analysis

• An edge that is not on any optimal tour will be eliminated, with its $d_{ij}$ set to $C + 1$.

• An edge which is not on all remaining optimal tours will also be eliminated.

• So the algorithm ends with $n$ edges which are not eliminated (why?).

• There are $O(|x| + n^2)$ calls to the algorithm for tsp (d).

• Each call has an input length of $O(|x|)$.

• So if tsp (d) can be solved in polynomial time, so can tsp.

• Hence tsp (d) and tsp are equally hard (or easy).
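The tsp-from-tsp (d) algorithm and its analysis, run against a brute-force tsp (d) black box on constructed 5-city instances, as an added example (not code from the slides). The binary search uses $\sum_{i,j} d_{ij}$ as its upper bound, which the slide also gives, in place of $2^{|x|}$; the oracle counts its calls so the $O(|x| + n^2)$ bound can be checked. One instance has a unique optimal tour, the other (all distances equal) has many, so both the “eliminate” and the “restore” branches are exercised. Instance data and names are the example’s own.

```python
"""Added example (not from the slides): the tsp-from-tsp(d) reduction, run
against a brute-force tsp(d) oracle on small constructed instances.
Cities are 0..n-1 and d is a symmetric matrix of nonnegative integers."""
from itertools import permutations


def tour_cost(d, tour) -> int:
    n = len(tour)
    return sum(d[tour[i]][tour[(i + 1) % n]] for i in range(n))


class TspDecisionOracle:
    """Black box for tsp(d): is there a tour of total distance <= B?
    Brute force with city 0 fixed first; counts calls for the analysis."""

    def __init__(self):
        self.calls = 0

    def __call__(self, d, B) -> bool:
        self.calls += 1
        n = len(d)
        return any(tour_cost(d, (0,) + rest) <= B for rest in permutations(range(1, n)))


def tsp_via_decision(d, oracle):
    """Return (C, edges): the optimal tour length and the edge set of one optimal tour."""
    n = len(d)
    d = [row[:] for row in d]                 # work on a copy; entries get overwritten
    # Step 1: binary search for the shortest distance C.  The slide's bound 2^{|x|}
    # is replaced by the sum of all entries, which the slide also notes is an upper bound.
    lo, hi = 0, sum(sum(row) for row in d)
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(d, mid):
            hi = mid
        else:
            lo = mid + 1
    C = lo
    # Steps 2-7: price each edge out; keep it priced out unless some optimal tour needs it.
    for i in range(n):
        for j in range(i + 1, n):
            old = d[i][j]
            d[i][j] = d[j][i] = C + 1
            if not oracle(d, C):
                d[i][j] = d[j][i] = old       # edge [i, j] is critical: restore it
    # Step 8: the edges still priced at most C are exactly one optimal tour.
    edges = [(i, j) for i in range(n) for j in range(i + 1, n) if d[i][j] <= C]
    return C, edges


def is_hamiltonian_cycle(edges, n) -> bool:
    """Check that the edge set is a single cycle through all n cities (the 'why?')."""
    if len(edges) != n:
        return False
    adj = {v: [] for v in range(n)}
    for i, j in edges:
        adj[i].append(j)
        adj[j].append(i)
    if any(len(nb) != 2 for nb in adj.values()):
        return False
    seen, prev, cur = {0}, None, 0
    for _ in range(n):
        nxt = adj[cur][0] if adj[cur][0] != prev else adj[cur][1]
        prev, cur = cur, nxt
        seen.add(cur)
    return cur == 0 and len(seen) == n


def solve_with_count(d):
    """Run the reduction with a fresh oracle; return (C, edges, number of tsp(d) calls)."""
    oracle = TspDecisionOracle()
    C, edges = tsp_via_decision(d, oracle)
    return C, edges, oracle.calls


# Constructed instances: a 5-cycle of cheap edges (cost 1) plus expensive chords (cost 10),
# which has a unique optimal tour, and a uniform instance where every tour is optimal.
D_CYCLE = [[0 if i == j else (1 if (j - i) % 5 in (1, 4) else 10) for j in range(5)] for i in range(5)]
D_UNIFORM = [[0 if i == j else 3 for j in range(5)] for i in range(5)]

if __name__ == "__main__":
    for name, d in [("cycle", D_CYCLE), ("uniform", D_UNIFORM)]:
        C, edges, calls = solve_with_count(d)
        print(f"{name}: C={C} edges={edges} hamiltonian={is_hamiltonian_cycle(edges, 5)} calls={calls}")
```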

### Randomized Computation

I know that half my advertising works, I just don’t know which half.
— John Wanamaker

I know that half my advertising is a waste of money, I just don’t know which half!
— McGraw-Hill ad.

### Randomized Algorithms^a

• Randomized algorithms flip unbiased coins.

• There are important problems for which there are no known efficient deterministic algorithms but for which very efficient randomized algorithms exist.

  – Extraction of square roots, for instance.

• There are problems where randomization is necessary.

  – Secure protocols.

• Randomized versions can be more efficient.

  – Parallel algorithm for maximal independent set.^b

^a Rabin (1976); Solovay and Strassen (1977).

^b “Maximal” (a local maximum) not “maximum” (a global maximum).

### “Four Most Important Randomized Algorithms”^a

1. Primality testing.^b

2. Graph connectivity using random walks.^c

3. Polynomial identity testing.^d

4. Algorithms for approximate counting.^e

^a Trevisan (2006).

^b Rabin (1976); Solovay and Strassen (1977).

^c Aleliunas, Karp, Lipton, Lovász, and Rackoff (1979).

^d Schwartz (1980); Zippel (1979).

^e Sinclair and Jerrum (1989).

### Bipartite Perfect Matching

• We are given a bipartite graph $G = (U, V, E)$.

  – $U = \{u_1, u_2, \ldots, u_n\}$.

  – $V = \{v_1, v_2, \ldots, v_n\}$.

  – $E \subseteq U \times V$.

• We are asked if there is a perfect matching.

  – A permutation $\pi$ of $\{1, 2, \ldots, n\}$ such that $(u_i, v_{\pi(i)}) \in E$ for all $i \in \{1, 2, \ldots, n\}$.

### A Perfect Matching in a Bipartite Graph

[Figure: a bipartite graph with five vertices on each side and a perfect matching highlighted.]

### Symbolic Determinants

• We are given a bipartite graph $G$.

• Construct the $n \times n$ matrix $A^G$ whose $(i, j)$th entry $A^G_{ij}$ is a symbolic variable $x_{ij}$ if $(u_i, v_j) \in E$ and 0 otherwise.

### Symbolic Determinants (continued)

• The matrix for the bipartite graph $G$ on p. 464 is
$$A^G = \begin{pmatrix} 0 & 0 & x_{13} & x_{14} & 0 \\ 0 & x_{22} & 0 & 0 & 0 \\ x_{31} & 0 & 0 & 0 & x_{35} \\ x_{41} & 0 & x_{43} & x_{44} & 0 \\ x_{51} & 0 & 0 & 0 & x_{55} \end{pmatrix}. \qquad (6)$$

### Symbolic Determinants (concluded)

• The determinant of $A^G$ is
$$\det(A^G) = \sum_{\pi} \operatorname{sgn}(\pi) \prod_{i=1}^{n} A^G_{i,\pi(i)}. \qquad (7)$$

  – $\pi$ ranges over all permutations of $n$ elements.

  – $\operatorname{sgn}(\pi)$ is 1 if $\pi$ is the product of an even number of transpositions and $-1$ otherwise.

  – Equivalently, $\operatorname{sgn}(\pi) = 1$ if the number of $(i, j)$s such that $i < j$ and $\pi(i) > \pi(j)$ is even.^a

• $\det(A^G)$ contains $n!$ terms, many of which may be 0s.

^a Contributed by Mr. Hwan-Jeu Yu (D95922028) on May 1, 2008.

### Determinant and Bipartite Perfect Matching

• In $\sum_{\pi} \operatorname{sgn}(\pi) \prod_{i=1}^{n} A^G_{i,\pi(i)}$, note the following:

  – Each summand corresponds to a possible perfect matching $\pi$.

  – All of these summands $\prod_{i=1}^{n} A^G_{i,\pi(i)}$ are distinct monomials and will not cancel.

• $\det(A^G)$ is essentially an exhaustive enumeration.

**Proposition 58 (Edmonds (1967))** $G$ has a perfect matching if and only if $\det(A^G)$ is not identically zero.

### Perfect Matching and Determinant (p. 464)

[Figure: the bipartite graph of p. 464, five vertices on each side.]

### Perfect Matching and Determinant (concluded)

• The matrix is (p. 466)
$$A^G = \begin{pmatrix} 0 & 0 & x_{13} & x_{14} & 0 \\ 0 & x_{22} & 0 & 0 & 0 \\ x_{31} & 0 & 0 & 0 & x_{35} \\ x_{41} & 0 & x_{43} & x_{44} & 0 \\ x_{51} & 0 & 0 & 0 & x_{55} \end{pmatrix}.$$

• $\det(A^G) = -x_{14}x_{22}x_{35}x_{43}x_{51} + x_{13}x_{22}x_{35}x_{44}x_{51} + x_{14}x_{22}x_{31}x_{43}x_{55} - x_{13}x_{22}x_{31}x_{44}x_{55}$.

• Each nonzero term denotes a perfect matching.
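The symbolic-determinant slides and Proposition 58, carried out in code, as an added example (not code from the slides). It expands $\det(A^G)$ by the permutation formula (7), keeping each surviving monomial as the tuple of $(i, \pi(i))$ pairs it is built from, so the result is a list of perfect matchings with their signs rather than a polynomial; the graph is the one read off matrix (6). Because distinct permutations give distinct monomials, nothing cancels, and an empty expansion means no perfect matching. Function names are the example’s own.

```python
"""Added example (not from the slides): expand det(A^G) of the symbolic matrix
in (6) by the permutation formula (7) and read the perfect matchings off the
surviving monomials (Proposition 58).  Vertices are 1-based as on the slides."""
from itertools import permutations

# Edges (i, j) meaning u_i -- v_j, read off the nonzero entries of matrix (6).
EDGES_FROM_SLIDE = {(1, 3), (1, 4), (2, 2), (3, 1), (3, 5),
                    (4, 1), (4, 3), (4, 4), (5, 1), (5, 5)}


def sign(perm) -> int:
    """sgn(pi): +1 if the number of inversions (i < j with pi(i) > pi(j)) is even, else -1."""
    n = len(perm)
    inversions = sum(1 for i in range(n) for j in range(i + 1, n) if perm[i] > perm[j])
    return 1 if inversions % 2 == 0 else -1


def symbolic_determinant(edges, n) -> dict:
    """Return {monomial: coefficient} for det(A^G).

    A monomial is the tuple ((1, pi(1)), ..., (n, pi(n))) of variable indices.
    A permutation contributes only if every factor A^G_{i, pi(i)} is a variable,
    i.e. every (i, pi(i)) is an edge; otherwise the product is 0.  Distinct
    permutations give distinct monomials, so there is no cancellation.
    """
    terms = {}
    for perm in permutations(range(1, n + 1)):
        pairs = tuple((i, perm[i - 1]) for i in range(1, n + 1))
        if all(pair in edges for pair in pairs):
            terms[pairs] = sign(perm)
    return terms


def has_perfect_matching(edges, n) -> bool:
    """Proposition 58: G has a perfect matching iff det(A^G) is not identically zero."""
    return bool(symbolic_determinant(edges, n))


def format_expansion(terms) -> str:
    """Render the surviving terms the way the slide writes them, e.g. -x14 x22 x35 x43 x51."""
    return " ".join(("-" if coeff < 0 else "+") + " ".join(f"x{i}{j}" for i, j in pairs)
                    for pairs, coeff in sorted(terms.items()))


if __name__ == "__main__":
    expansion = symbolic_determinant(EDGES_FROM_SLIDE, 5)
    print(len(expansion), "nonzero terms out of 5! = 120")
    print("det(A^G) =", format_expansion(expansion))
    # A constructed graph with no perfect matching: both u_1 and u_2 can only take v_1.
    print("perfect matching in {(1,1),(2,1),(3,3)}?", has_perfect_matching({(1, 1), (2, 1), (3, 3)}, 3))
```

Enumerating all $n!$ permutations is the “exhaustive enumeration” the slide refers to and is only feasible for tiny $n$; the slides’ point is that the existence question can be settled without expanding the polynomial, which is where randomization enters later.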