• 沒有找到結果。

# The Density Attack for primes

N/A
N/A
Protected

Share "The Density Attack for primes"

Copied!
51
0
0

(1)

(2)

### The Density Attack for primes

1: Pick k ∈ {1, . . . , n} randomly;

2: if k| n and k ̸= 1 and k ̸= n then

3: return “n is composite”;

4: else

5: return “n is (probably) a prime”;

6: end if

(3)

### The Density Attack for primes (continued)

• It works, but does it work well?

• The ratio of numbers ≤ n relatively prime to n (the white ring) is

ϕ(n) n .

• When n = pq, where p and q are distinct primes, ϕ(n)

n = pq − p − q + 1

pq > 1 1

q 1 p.

(4)

### The Density Attack for primes (concluded)

• So the ratio of numbers ≤ n not relatively prime to n (the grey area) is < (1/q) + (1/p).

– The “density attack” has probability about 2/

n of factoring n = pq when p ∼ q = O(√

n ).

– The “density attack” to factor n = pq hence takes Ω(

n) steps on average when p ∼ q = O(√ n ).

– This running time is exponential: Ω(20.5 log2n).

(5)

### The Chinese Remainder Theorem

• Let n = n1n2 · · · nk, where ni are pairwise relatively prime.

• For any integers a1, a2, . . . , ak, the set of simultaneous equations

x = a1 mod n1, x = a2 mod n2,

...

x = ak mod nk,

has a unique solution modulo n for the unknown x.

(6)

### Fermat’s “Little” Theorem

a

Lemma 56 For all 0 < a < p, ap−1 = 1 mod p.

• Recall Φ(p) = {1, 2, . . . , p − 1}.

• Consider aΦ(p) = {am mod p : m ∈ Φ(p)}.

• aΦ(p) = Φ(p).

– aΦ(p) ⊆ Φ(p) as a remainder must be between 1 and p − 1.

– Suppose am ≡ am mod p for m > m, where m, m ∈ Φ(p).

– That means a(m − m) = 0 mod p, and p divides a or m − m, which is impossible.

aPierre de Fermat (1601–1665).

(7)

### The Proof (concluded)

• Multiply all the numbers in Φ(p) to yield (p − 1)!.

• Multiply all the numbers in aΦ(p) to yield ap−1(p − 1)!.

• As aΦ(p) = Φ(p), we have

ap−1(p − 1)! ≡ (p − 1)! mod p.

• Finally, ap−1 = 1 mod p because p ̸ |(p − 1)!.

(8)

### The Fermat-Euler Theorem

a

Corollary 57 For all a ∈ Φ(n), aϕ(n) = 1 mod n.

• The proof is similar to that of Lemma 56 (p. 473).

• Consider aΦ(n) = {am mod n : m ∈ Φ(n)}.

• aΦ(n) = Φ(n).

– aΦ(n) ⊆ Φ(n) as a remainder must be between 0 and n − 1 and relatively prime to n.

– Suppose am ≡ am mod n for m < m < n, where m, m ∈ Φ(n).

– That means a(m − m) = 0 mod n, and n divides a or m − m, which is impossible.

aProof by Mr. Wei-Cheng Cheng (R93922108, D95922011) on Novem- ber 24, 2004.

(9)

### The Proof (concluded)

a

• Multiply all the numbers in Φ(n) to yield

m∈Φ(n) m.

• Multiply all the numbers in aΦ(n) to yield aϕ(n)

m∈Φ(n) m.

• As aΦ(n) = Φ(n),

m∈Φ(n)

m ≡ aϕ(n)

 ∏

m∈Φ(n)

m

 mod n.

• Finally, aϕ(n) = 1 mod n because n ̸ |

m∈Φ(n) m.

aSome typographical errors corrected by Mr. Jung-Ying Chen (D95723006) on November 18, 2008.

(10)

### An Example

• As 12 = 22 × 3,

ϕ(12) = 12 × (

1 1 2

) (

1 1 3

)

= 4.

• In fact, Φ(12) = {1, 5, 7, 11}.

• For example,

54 = 625 = 1 mod 12.

(11)

### Exponents

• The exponent of m ∈ Φ(p) is the least k ∈ Z+ such that mk = 1 mod p.

• Every residue s ∈ Φ(p) has an exponent.

– 1, s, s2, s3, . . . eventually repeats itself modulo p, say si ≡ sj mod p, which means sj−i = 1 mod p.

• If the exponent of m is k and m = 1 mod p, then k|ℓ.

– Otherwise, ℓ = qk + a for 0 < a < k, and

m ≡ mqk+a ≡ ma ≡ 1 mod p, a contradiction.

Lemma 58 Any nonzero polynomial of degree k has at most k distinct roots modulo p.

(12)

### Exponents and Primitive Roots

• From Fermat’s “little” theorem, all exponents divide p − 1.

• A primitive root of p is thus a number with exponent p − 1.

• Let R(k) denote the total number of residues in Φ(p) = {1, 2, . . . , p − 1} that have exponent k.

• We already knew that R(k) = 0 for k ̸ |(p − 1).

• So

k|(p−1)

R(k) = p − 1 as every number has an exponent.

(13)

### Size of R(k)

• Any a ∈ Φ(p) of exponent k satisfies xk = 1 mod p.

• Hence there are at most k residues of exponent k, i.e., R(k) ≤ k, by Lemma 58 (p. 478).

• Let s be a residue of exponent k.

• 1, s, s2, . . . , sk−1 are distinct modulo p.

– Otherwise, si ≡ sj mod p with i < j.

– Then sj−i = 1 mod p with j − i < k, a contradiction.

• As all these k distinct numbers satisfy xk = 1 mod p, they comprise all the solutions of xk = 1 mod p.

(14)

### Size of R(k) (continued)

• But do all of them have exponent k (i.e., R(k) = k)?

• And if not (i.e., R(k) < k), how many of them do?

• Pick s, where ℓ < k.

• Suppose ℓ ̸∈ Φ(k) with gcd(ℓ, k) = d > 1.

• Then

(s)k/d = (sk)ℓ/d = 1 mod p.

• Therefore, s has exponent at most k/d < k.

• So s has exponent k only if ℓ ∈ Φ(k).

• We conclude that

R(k) ≤ ϕ(k).

(15)

### Size of R(k) (concluded)

• Because all p − 1 residues have an exponent, p − 1 =

k|(p−1)

R(k)

k|(p−1)

ϕ(k) = p − 1

by Lemma 55 (p. 465).

• Hence

R(k) =



ϕ(k) when k|(p − 1) 0 otherwise

• In particular, R(p − 1) = ϕ(p − 1) > 0, and p has at least one primitive root.

• This proves one direction of Theorem 50 (p. 451).

(16)

### A Few Calculations

• Let p = 13.

• From p. 475, we know ϕ(p − 1) = 4.

• Hence R(12) = 4.

• Indeed, there are 4 primitive roots of p.

• As

Φ(p − 1) = {1, 5, 7, 11}, the primitive roots are

g1, g5, g7, g11, where g is any primitive root.

(17)

### The Other Direction of Theorem 50 (p. 451)

• We show p is a prime if there is a number r such that 1. rp−1 = 1 mod p, and

2. r(p−1)/q ̸= 1 mod p for all prime divisors q of p − 1.

• Suppose p is not a prime.

• We proceed to show that no primitive roots exist.

• Suppose rp−1 = 1 mod p (note gcd(r, p) = 1).

• We will show that the 2nd condition must be violated.

(18)

### The Proof (continued)

• So we proceed to show r(p−1)/q = 1 mod p for some prime divisor q of p − 1.

• rϕ(p) = 1 mod p by the Fermat-Euler theorem (p. 475).

• Because p is not a prime, ϕ(p) < p − 1.

• Let k be the smallest integer such that rk = 1 mod p.

• With the 1st condition, it is easy to show that k | (p − 1) (similar to p. 478).

• Note that k | ϕ(p) (p. 478).

• As k ≤ ϕ(p), k < p − 1.

(19)

### The Proof (concluded)

• Let q be a prime divisor of (p − 1)/k > 1.

• Then k|(p − 1)/q.

• By the definition of k,

r(p−1)/q = 1 mod p.

• But this violates the 2nd condition.

(20)

### Function Problems

• Decision problems are yes/no problems (sat, tsp (d), etc.).

• Function problems require a solution (a satisfying truth assignment, a best tsp tour, etc.).

• Optimization problems are clearly function problems.

• What is the relation between function and decision problems?

• Which one is harder?

(21)

### Function Problems Cannot Be Easier than Decision Problems

• If we know how to generate a solution, we can solve the corresponding decision problem.

– If you can find a satisfying truth assignment eﬃciently, then sat is in P.

– If you can find the best tsp tour eﬃciently, then tsp (d) is in P.

• But decision problems can be as hard as the corresponding function problems.

(22)

### fsat

• fsat is this function problem:

– Let ϕ(x1, x2, . . . , xn) be a boolean expression.

– If ϕ is satisfiable, then return a satisfying truth assignment.

– Otherwise, return “no.”

• We next show that if sat ∈ P, then fsat has a polynomial-time algorithm.

• sat is a subroutine (black box) that returns “yes” or

“no” on the satisfiability of the input.

(23)

### An Algorithm for fsat Using sat

1: t := ϵ; {Truth assignment.}

2: if ϕ ∈ sat then

3: for i = 1, 2, . . . , n do

4: if ϕ[ xi = true ] ∈ sat then 5: t := t ∪ { xi = true};

6: ϕ := ϕ[ xi = true ];

7: else

8: t := t ∪ { xi = false};

9: ϕ := ϕ[ xi = false ];

10: end if 11: end for 12: return t;

13: else

14: return “no”;

15: end if

(24)

### Analysis

• If sat can be solved in polynomial time, so can fsat.

– There are ≤ n + 1 calls to the algorithm for sat.a – Boolean expressions shorter than ϕ are used in each

call to the algorithm for sat.

• Hence sat and fsat are equally hard (or easy).

• Note that this reduction from fsat to sat is not a Karp reduction (recall p. 265).

• Instead, it calls sat multiple times as a subroutine and moves on sat’s outputs.

aContributed by Ms. Eva Ou (R93922132) on November 24, 2004.

(25)

### tsp and tsp (d) Revisited

• We are given n cities 1, 2, . . . , n and integer distances dij = dji between any two cities i and j.

• tsp (d) asks if there is a tour with a total distance at most B.

• tsp asks for a tour with the shortest total distance.

– The shortest total distance is at most

i,j dij.

∗ Recall that the input string contains d11, . . . , dnn.

∗ Thus the shortest total distance is less than 2| x | in magnitude, where x is the input (why?).

• We next show that if tsp (d) ∈ P, then tsp has a polynomial-time algorithm.

(26)

### An Algorithm for tsp Using tsp (d)

1: Perform a binary search over interval [ 0, 2| x | ] by calling tsp (d) to obtain the shortest distance, C;

2: for i, j = 1, 2, . . . , n do

3: Call tsp (d) with B = C and dij = C + 1;

4: if “no” then

5: Restore dij to old value; {Edge [ i, j ] is critical.}

6: end if

7: end for

8: return the tour with edges whose dij ≤ C;

(27)

### Analysis

• An edge that is not on any optimal tour will be eliminated, with its dij set to C + 1.

• In fact, an edge which is not on all remaining optimal tours will also be eliminated.

• So the algorithm ends with n edges which are not eliminated (why?).

• This is true even if there are multiple optimal tours!a

aThanks to a lively class discussion on November 12, 2013.

(28)

### Analysis (concluded)

• There are O(| x | + n2) calls to the algorithm for tsp (d).

• Each call has an input length of O(| x |).

• So if tsp (d) can be solved in polynomial time, so can tsp.

• Hence tsp (d) and tsp are equally hard (or easy).

(29)

## Randomized Computation

(30)

I know that half my advertising works, I just don’t know which half.

— John Wanamaker I know that half my advertising is a waste of money, I just don’t know which half!

(31)

### Randomized Algorithms

a

• Randomized algorithms flip unbiased coins.

• There are important problems for which there are no known eﬃcient deterministic algorithms but for which very eﬃcient randomized algorithms exist.

– Extraction of square roots, for instance.

• There are problems where randomization is necessary.

– Secure protocols.

• Randomized version can be more eﬃcient.

– Parallel algorithm for maximal independent set.b

aRabin (1976); Solovay and Strassen (1977).

b“Maximal” (a local maximum) not “maximum” (a global maximum).

(32)

### “Four Most Important Randomized Algorithms”

a

1. Primality testing.b

2. Graph connectivity using random walks.c 3. Polynomial identity testing.d

4. Algorithms for approximate counting.e

aTrevisan (2006).

bRabin (1976); Solovay and Strassen (1977).

cAleliunas, Karp, Lipton, Lov´asz, and Rackoﬀ (1979).

dSchwartz (1980); Zippel (1979).

eSinclair and Jerrum (1989).

(33)

### Bipartite Perfect Matching

• We are given a bipartite graph G = (U, V, E).

– U = {u1, u2, . . . , un}.

– V = {v1, v2, . . . , vn}.

– E ⊆ U × V .

• We are asked if there is a perfect matching.

– A permutation π of {1, 2, . . . , n} such that (ui, vπ(i)) ∈ E

for all i ∈ {1, 2, . . . , n}.

• A perfect matching contains n edges.

(34)

X

X

X

X

X

Y

Y

Y

Y

Y

(35)

### Symbolic Determinants

• We are given a bipartite graph G.

• Construct the n × n matrix AG whose (i, j)th entry AGij is a symbolic variable xij if (ui, vj) ∈ E and 0 otherwise:

AGij =



xij, if (ui, vj) ∈ E, 0, othersie.

(36)

### Symbolic Determinants (continued)

• The matrix for the bipartite graph G on p. 501 isa

AG =









0 0 x13 x14 0

0 x22 0 0 0

x31 0 0 0 x35

x41 0 x43 x44 0

x51 0 0 0 x55









. (7)

aThe idea is similar to the Tanner graph in coding theory by Tanner (1981).

(37)

### Symbolic Determinants (concluded)

• The determinant of AG is det(AG) = ∑

π

sgn(π)

n i=1

AGi,π(i). (8)

– π ranges over all permutations of n elements.

– sgn(π) is 1 if π is the product of an even number of transpositions and −1 otherwise.

– Equivalently, sgn(π) = 1 if the number of (i, j)s such that i < j and π(i) > π(j) is even.a

• det(AG) contains n! terms, many of which may be 0s.

aContributed by Mr. Hwan-Jeu Yu (D95922028) on May 1, 2008.

(38)

### Determinant and Bipartite Perfect Matching

• In

π sgn(π)n

i=1 AGi,π(i), note the following:

– Each summand corresponds to a possible perfect matching π.

– All of the nonzero summandsn

i=1 AGi,π(i) are distinct monomials and will not cancel.

• det(AG) is essentially an exhaustive enumeration.

Proposition 59 (Edmonds (1967)) G has a perfect matching if and only if det(AG) is not identically zero.

(39)

X

X

X

X

X

Y

Y

Y

Y

Y

(40)

### Perfect Matching and Determinant (concluded)

• The matrix is (p. 503)

AG =









0 0 x13 x14 0

0 x22 0 0 0

x31 0 0 0 x35

x41 0 x43 x44 0

x51 0 0 0 x55









.

• det(AG) = −x14x22x35x43x51 + x13x22x35x44x51 + x14x22x31x43x55 − x13x22x31x44x55.

• Each nonzero term denotes a perfect matching, and vice versa.

(41)

### How To Test If a Polynomial Is Identically Zero?

• det(AG) is a polynomial in n2 variables.

• There are exponentially many terms in det(AG).

• Expanding the determinant polynomial is not feasible.

– Too many terms.

• If det(AG) ≡ 0, then it remains zero if we substitute arbitrary integers for the variables x11, . . . , xnn.

• When det(AG) ̸≡ 0, what is the likelihood of obtaining a zero?

(42)

### Number of Roots of a Polynomial

Lemma 60 (Schwartz (1980)) Let p(x1, x2, . . . , xm) ̸≡ 0 be a polynomial in m variables each of degree at most d. Let M ∈ Z+. Then the number of m-tuples

(x1, x2, . . . , xm) ∈ {0, 1, . . . , M − 1}m such that p(x1, x2, . . . , xm) = 0 is

≤ mdMm−1.

• By induction on m (consult the textbook).

(43)

### Density Attack

• The density of roots in the domain is at most mdMm−1

Mm = md

M . (9)

• So suppose p(x1, x2, . . . , xm) ̸≡ 0.

• Then a random

(x1, x2, . . . , xm) ∈ { 0, 1, . . . , M − 1 }m has a probability of ≤ md/M of being a root of p.

• Note that M is under our control!

– One can raise M to lower the error probability, e.g.

(44)

### Density Attack (concluded)

Here is a sampling algorithm to test if p(x1, x2, . . . , xm) ̸≡ 0.

1: Choose i1, . . . , im from {0, 1, . . . , M − 1} randomly;

2: if p(i1, i2, . . . , im) ̸= 0 then

3: return “p is not identically zero”;

4: else

5: return “p is (probably) identically zero”;

6: end if

(45)

### Analysis

• If p(x1, x2, . . . , xm) ≡ 0 , the algorithm will always be correct as p(i1, i2, . . . , im) = 0.

• Suppose p(x1, x2, . . . , xm) ̸≡ 0.

– The algorithm will answer incorrectly with

probability at most md/M by Eq. (9) on p. 510.

• We next return to the original problem of bipartite perfect matching.

(46)

### A Randomized Bipartite Perfect Matching Algorithm

a

1: Choose n2 integers i11, . . . , inn from {0, 1, . . . , 2n2 − 1}

randomly; {So M = 2n2.}

2: Calculate det(AG(i11, . . . , inn)) by Gaussian elimination;

3: if det(AG(i11, . . . , inn)) ̸= 0 then

4: return “G has a perfect matching”;

5: else

6: return “G has no perfect matchings”;

7: end if

aLov´asz (1979). According to Paul Erd˝os, Lov´asz wrote his first sig- nificant paper “at the ripe old age of 17.”

(47)

### Analysis

• If G has no perfect matchings, the algorithm will always be correct as det(AG(i11, . . . , inn)) = 0.

• Suppose G has a perfect matching.

– The algorithm will answer incorrectly with

probability at most md/M = 0.5 with m = n2, d = 1 and M = 2n2 in Eq. (9) on p. 510.

• Run the algorithm independently k times.

• Output “G has no perfect matchings” if and only if all say “no perfect matchings.”

• The error probability is now reduced to at most 2−k.

(48)

(49)

### Remarks

a

• Note that we are calculating

prob[ algorithm answers “no”| G has no perfect matchings ], prob[ algorithm answers “yes”| G has a perfect matching ].

• We are not calculatingb

prob[ G has no perfect matchings| algorithm answers “no” ], prob[ G has a perfect matching| algorithm answers “yes” ].

aThanks to a lively class discussion on May 1, 2008.

bNumerical Recipes in C (1988), “[As] we already remarked, statistics is not a branch of mathematics!”

(50)

G

11

nn

### )) Be?

• It is at most

n! (

2n2)n

.

• Stirling’s formula says n! ∼

2πn (n/e)n.

• Hence

log2 det(AG(i11, . . . , inn)) = O(n log2 n) bits are suﬃcient for representing the determinant.

• We skip the details about how to make sure that all intermediate results are of polynomial sizes.

(51)

### An Intriguing Question

a

• Is there an (i11, . . . , inn) that will always give correct answers for the algorithm on p. 513?

• A theorem on p. 612 shows that such an (i11, . . . , inn) exists!

– Whether it can be found eﬃciently is another matter.

• Once (i11, . . . , inn) is available, the algorithm can be made deterministic.

aThanks to a lively class discussion on November 24, 2004.

(Ⅱ) specific binding theory is a more accurate explanation of the mechanism of action of local anaesthetics. The evidence to support this theory is strong. Different isomers of

Markov chain: a discrete random process with a finite number of states and it satisfies the property that the next state depends only on the current state.. Aperiodic: all states

— John Wanamaker I know that half my advertising is a waste of money, I just don’t know which half.. —

• There are important problems for which there are no known eﬃcient deterministic algorithms but for which very eﬃcient randomized algorithms exist. – Extraction of square roots,

As a byproduct, we show that our algorithms can be used as a basis for delivering more effi- cient algorithms for some related enumeration problems such as finding

• The XYZ.com bonds are equivalent to a default-free zero-coupon bond with \$X par value plus n written European puts on Merck at a strike price of \$30.. – By the

• Program is to implement algorithms to solve problems Program decomposition and flow of problems.. Program decomposition and flow of control are important concepts

However, there exist functions of bounded variation that are not continuously differentiable.... However, there exist bounded functions that are not of

But due to the careful construction of the middle state solution for the contact discontinuity, which is extremely important for many diﬃcult multicomponent problems with strong

Then, it is easy to see that there are 9 problems for which the iterative numbers of the algorithm using ψ α,θ,p in the case of θ = 1 and p = 3 are less than the one of the

For different types of optimization problems, there arise various complementarity problems, for example, linear complemen- tarity problem, nonlinear complementarity problem

For different types of optimization problems, there arise various complementarity problems, for example, linear complementarity problem, nonlinear complementarity problem,

On a Saturday afternoon, you pull into a parking lot with unme- tered spaces near a shopping area, where people are known to shop, on average, for 2 hours. You circle around, but

The algorithms have potential applications in several ar- eas of biomolecular sequence analysis including locating GC-rich regions in a genomic DNA sequence, post-processing

important to not just have intuition (building), but know definition (building block).. More on

Both problems are special cases of the optimum communication spanning tree problem, and are reduced to the minimum routing cost spanning tree (MRCT) prob- lem when all the

Attractions, no matter physical or cultural, are the main pull factor of tourist flow. Without these attractions, there would be no need for other tourist

• There are important problems for which there are no known eﬃcient deterministic algorithms but for which very eﬃcient randomized algorithms exist.. – Extraction of square roots,

There is no general formula for counting the number of transitive binary relations on A... The poset A in the above example is not

There is no bundled means for those who are licensed as motivation for strict execution, which leads to the hesitative attitudes toward HACCP among proprietors of

Freezing (refrigeration) equipment for long-time power consumptive may be power-hungry but there is great room for improvement of saving energy; but there is a lack of

Though currently there are standard technologies such as OWL-S (Web Ontology Language for Services) and WSMO (Web Service Modeling Ontology) which can be used to build

However, in the Protein Data Bank (PDB), there are problems about certain proteins containing Cα-only atomic coordinates and disordered backbone conformation.. For