
Selected Topics of Theoretical Computer Science (456-335/1), Petr Jančar: lecture slides (PowerPoint presentation)



1. Selected Topics of Theoretical Computer Science (456-335/1)
Petr Jančar, Dept of Computer Science, Technical University Ostrava (FEI VŠB-TU), www.cs.vsb.cz/jancar
TU Ostrava, winter semester 2005/2006
Petr Jančar (TU Ostrava) Selected Topics of TCS 2005/2006 1 / 24

2. A randomized communication protocol
From J. Hromkovič: Theoretical Computer Science, Springer 2004

3. Number theoretic algorithms (from Cormen, Leiserson, Rivest: Introduction to Algorithms; the MIT Press, 1990)
Size of inputs and cost of arithmetic operations: a number $a$ has size $\beta = \lceil \log a \rceil$ (its number of bits, so the input size is logarithmic in the value).
Multiplication costs $O(\beta^2)$ bit operations, and so do division and mod (sufficient for practice). By divide and conquer one gets multiplication in $O(\beta^{\log_2 3})$; the fastest known (as of these slides) is $O(\beta \log \beta \log\log \beta)$.
Exercise: binary-to-decimal conversion (log overhead; $O(\beta^2 \log \beta)$).

4. Elementary number theoretic notions
divisibility, primes, $a = (a \div n) \cdot n + (a \bmod n)$
definition of $a \equiv b \pmod n$
$\mathbb{Z}_n$, e.g. $\mathbb{Z}_6 = \{0, 1, 2, 3, 4, 5\}$
common divisors, gcd
Theorem: for $a, b$ not both 0, $\gcd(a, b)$ is the smallest positive element of $\{ax + by \mid x, y \in \mathbb{Z}\}$
relatively prime integers, unique factorization
Exercises: for $p$ prime and $0 < k < p$ we have $p \mid \binom{p}{k}$; so $(a + b)^p \equiv a^p + b^p \pmod p$.
Show a polynomial algorithm deciding whether a given $n$ is a nontrivial power ($n = a^k$ for some $k > 1$).
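One solution to the last exercise, as an added example in Python (not code from the slides; the function names are my own): the number of candidate exponents and the binary search for the root are both bounded by the bit length $\beta$, so the whole test is polynomial in $\beta$, not in $n$.

```python
# Added example (Python), not code from the lecture slides: a polynomial-time
# decision procedure for "is n a nontrivial power?", i.e. n = a**k with k > 1.
# Function names are my own. Cost: O(beta) candidate exponents k, each an
# O(beta)-iteration binary search on a, each iteration one big-integer power.


def integer_kth_root(n: int, k: int) -> int:
    """Largest a >= 0 with a**k <= n (n >= 0, k >= 1), by binary search on a."""
    if n < 2:
        return n
    # hi**k > n: with beta = n.bit_length() we have n < 2**beta and
    # k * (beta // k + 1) >= beta + 1, so hi**k >= 2**(beta + 1).
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def nontrivial_power(n: int):
    """Return (a, k) with a**k == n and k > 1 for the smallest such k, else None.

    Since a >= 2 forces 2**k <= n, only k < n.bit_length() need be tried,
    so the test is polynomial in the bit length beta.
    """
    if n < 4:
        return None
    for k in range(2, n.bit_length()):
        a = integer_kth_root(n, k)
        if a ** k == n:
            return (a, k)
    return None


if __name__ == "__main__":
    for n in (64, 243, 323, 2 ** 61 - 1):
        print(n, nontrivial_power(n))
```

A practical use of the same routine: a modulus that is supposed to be a product of two distinct primes can never be a perfect power, so `nontrivial_power(n) is None` is a cheap sanity check on such a value.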

5. Greatest common divisor
$\gcd(a, b) = \gcd(b, a \bmod b)$; Euclid's algorithm.
Fibonacci numbers $1, 1, 2, 3, 5, 8, 13, \ldots$ are the worst case for Euclid's algorithm. Since $F_k$ is approximately $\varphi^k / \sqrt{5}$, where $\varphi$ is the golden ratio (1.618...), the number of recursive calls is $O(\beta)$ (altogether the running time is $O(\beta^3)$; by a more detailed analysis $O(\beta^2)$).
(Golden ratio (divine proportion): for a segment A---B--C with $AC / AB = AB / BC = \varphi$; removing the maximal square from a (golden) rectangle $1 : \varphi$ we get a smaller golden rectangle, ...)
Extended Euclid (gives $d = \gcd(a, b) = ax + by$): for $a, b$ it returns $(d, x, y)$:
if $b = 0$ then return $(a, 1, 0)$
else (recursively) obtain $(d, x', y')$ for $(b, a \bmod b)$, so $d = bx' + (a \bmod b)y' = bx' + (a - (a \div b)b)y' = ay' + b(x' - (a \div b)y')$; return $(d, y', x' - (a \div b)y')$.

6. Modular arithmetic
Two groups from $\mathbb{Z}_n$: $(\mathbb{Z}_n, +_n)$ and $(\mathbb{Z}_n^*, \cdot_n)$, where $\mathbb{Z}_n^*$ consists of the elements relatively prime to $n$. E.g. $\mathbb{Z}_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$.
Size of $\mathbb{Z}_n^*$: Euler's phi function $\varphi(n) = n \prod_{p \mid n} (1 - 1/p)$; e.g. $\varphi(45) = 45(1 - \tfrac{1}{3})(1 - \tfrac{1}{5}) = 24$.
($n > 1$ is prime iff $\varphi(n) = n - 1$; for composite $n$ we have $\varphi(n) < n - 1$.)

7. Subgroups
Th.: A nonempty closed subset of a finite group is a subgroup.
Th. (Lagrange): $S$ a finite group and $S'$ a subgroup. Then $|S'|$ divides $|S|$. (So if $S'$ is proper then $|S'| \leq |S| / 2$.)
Proof (more generally). Let $H$ be a subgroup of a (not necessarily finite) group $G$. Consider $\{gH \mid g \in G\}$. This is a partition of (the set) $G$: if $ah_1 = bh_2$ then for every $h \in H$, $ah = ah_1h_1^{-1}h = bh_2h_1^{-1}h \in bH$, so $aH \subseteq bH$ (and symmetrically $bH \subseteq aH$).
$|\{gH \mid g \in G\}|$ is called the index of the subgroup $H$ in the group $G$ (denoted $[G : H]$). Note that for each $g$: $|H| = |gH|$ ($gh_1 = gh_2$ implies $h_1 = h_2$). So $|G| = [G : H] \cdot |H|$.
Subgroups generated by an element ($a, a + a, a + a + a, \ldots$; or $a, aa, aaa, \ldots$ in the multiplicative notation). The order of $a$ (the least $t$ such that $a^t = e$) equals the size of the generated subgroup.
Due to Lagrange's theorem: $a^{|S|} = e$.

8. Solving modular linear equations $ax \equiv b \pmod n$
Denote $d = \gcd(a, n)$; the subgroup of $(\mathbb{Z}_n, +_n)$ generated by $a$ is $\{0, d, 2d, 3d, \ldots, ((n/d) - 1)d\}$ (size $n/d$). So: either $d$ distinct solutions (if $d \mid b$) or no solution.
Solution by Ext-Euclid: $d = \gcd(a, n) = ax' + ny'$; $x_0 = x'(b/d)$; $x_i = x_0 + i(n/d)$ for $i = 0, \ldots, d - 1$.
If $\gcd(a, n) = 1$ then $ax \equiv b \pmod n$ has a unique solution.
Multiplicative inverse: if $\gcd(a, n) = 1$ then $ax \equiv 1 \pmod n$ has a unique solution (otherwise no solution); Ext-Euclid gives the inverse $x$: $1 = \gcd(a, n) = ax + ny$.
Exercise: a polynomial $f(x)$ of degree $t$ with coefficients from $\mathbb{Z}_p$, $p$ prime. If $a \in \mathbb{Z}_p$ is a zero ($f(a) = 0$) then $f(x) \equiv (x - a)g(x) \pmod p$ for a polynomial $g$ of degree $t - 1$. Hence $f$ has at most $t$ distinct zeros modulo $p$.
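The recursive Extended Euclid of slide 5 (with a step counter for the Fibonacci worst case) and the slide-8 solver for $ax \equiv b \pmod n$ and the multiplicative inverse, as one added example in Python. This is not code from the slides; the function names are my own.

```python
# Added example (Python), not code from the lecture slides: Extended Euclid in
# the recursive form of slide 5, a step counter showing the Fibonacci worst
# case, and the slide-8 solver for a*x = b (mod n). Function names are my own.
from __future__ import annotations


def ext_euclid(a: int, b: int) -> tuple[int, int, int]:
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y, for a, b >= 0."""
    if b == 0:
        return (a, 1, 0)
    d, x1, y1 = ext_euclid(b, a % b)
    # d = b*x1 + (a mod b)*y1 = b*x1 + (a - (a//b)*b)*y1 = a*y1 + b*(x1 - (a//b)*y1)
    return (d, y1, x1 - (a // b) * y1)


def euclid_steps(a: int, b: int) -> int:
    """Number of (a mod b) steps Euclid's algorithm makes; consecutive
    Fibonacci numbers give the maximum for their size."""
    steps = 0
    while b:
        a, b = b, a % b
        steps += 1
    return steps


def solve_linear_congruence(a: int, b: int, n: int) -> list[int]:
    """All x in Z_n with a*x = b (mod n): gcd(a, n) solutions if gcd | b, else none."""
    d, x1, _ = ext_euclid(a % n, n)
    if b % d:
        return []
    x0 = (x1 * (b // d)) % n
    return sorted((x0 + i * (n // d)) % n for i in range(d))


def mod_inverse(a: int, n: int) -> int:
    """x with a*x = 1 (mod n); exists iff gcd(a, n) = 1."""
    d, x, _ = ext_euclid(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {d}")
    return x % n


if __name__ == "__main__":
    print(ext_euclid(99, 78))                  # (3, -11, 14): 99*(-11) + 78*14 = 3
    print(euclid_steps(89, 55), euclid_steps(89, 88))
    print(solve_linear_congruence(14, 30, 100))  # two solutions, gcd(14, 100) = 2
    print(mod_inverse(3, 11))
```

Python 3.8 and later expose the same inverse as `pow(a, -1, n)`, which also raises `ValueError` when `gcd(a, n) != 1`; the explicit version above is there to show where the coefficient comes from.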

9. The Chinese remainder theorem
Let $n_1, n_2, \ldots, n_k$ be pairwise relatively prime and $n = n_1 n_2 \cdots n_k$. Then there is a natural one-to-one correspondence between $\mathbb{Z}_n$ and $\mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}$ (with addition and multiplication componentwise):
$a \leftrightarrow (a_1, a_2, \ldots, a_k)$ where $a_i \equiv a \pmod{n_i}$;
$a \equiv (a_1 c_1 + a_2 c_2 + \cdots + a_k c_k) \pmod n$ where $c_i \leftrightarrow (0, \ldots, 0, 1, 0, \ldots, 0)$ (the $c_i$ are uniquely determined).
E.g. $n = 4 \cdot 5 \cdot 9 = 180$; $c_2$ is the number such that $c_2 \bmod (4 \cdot 9) = 0$ (so $c_2 \in \{0, 36, 72, 108, 144\}$) and $c_2 \bmod 5 = 1$, i.e. $c_2 = 36$.
C1. Corollary. If $n_1, n_2, \ldots, n_k$ are pairwise relatively prime and $n = n_1 n_2 \cdots n_k$, then the set of equations $x \equiv a_1 \pmod{n_1}$, $x \equiv a_2 \pmod{n_2}$, ..., $x \equiv a_k \pmod{n_k}$ has a unique solution modulo $n$.
C2. Corollary. If $n_1, n_2, \ldots, n_k$ are pairwise relatively prime and $n = n_1 n_2 \cdots n_k$, then for all $x, a$ we have $x \equiv a \pmod{n_1}$, $x \equiv a \pmod{n_2}$, ..., $x \equiv a \pmod{n_k}$ iff $x \equiv a \pmod n$.
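The correspondence above, computed explicitly, as an added Python example (not code from the slides; the function names are my own). Each $c_i$ is built as $(n / n_i) \cdot ((n / n_i)^{-1} \bmod n_i)$: the first factor is already $0$ modulo every other $n_j$, the second scales it to $1$ modulo $n_i$. The built-in `pow(x, -1, m)` (Python 3.8+) supplies the modular inverse.

```python
# Added example (Python), not code from the lecture slides: the Chinese
# remainder correspondence Z_n <-> Z_{n_1} x ... x Z_{n_k} of slide 9.
# Names are my own; pow(x, -1, m) is Python 3.8+'s built-in modular inverse.
from itertools import combinations
from math import gcd


def crt_basis(moduli):
    """n and the c_i with c_i = 1 (mod n_i) and c_i = 0 (mod n_j) for j != i."""
    if any(gcd(p, q) != 1 for p, q in combinations(moduli, 2)):
        raise ValueError("moduli must be pairwise relatively prime")
    n = 1
    for m in moduli:
        n *= m
    basis = []
    for ni in moduli:
        mi = n // ni                              # already 0 mod every n_j, j != i
        basis.append(mi * pow(mi, -1, ni) % n)    # scale it to be 1 mod n_i
    return n, basis


def crt_split(a, moduli):
    """a -> (a_1, ..., a_k) with a_i = a mod n_i."""
    return tuple(a % ni for ni in moduli)


def crt_combine(residues, moduli):
    """(a_1, ..., a_k) -> the unique a in Z_n with a = a_i (mod n_i) (Corollary C1)."""
    n, basis = crt_basis(moduli)
    return sum(ai * ci for ai, ci in zip(residues, basis)) % n


def componentwise_mul(a, b, moduli):
    """Multiply in the product representation and map back; this must equal
    a*b mod n because the correspondence respects multiplication."""
    xs, ys = crt_split(a, moduli), crt_split(b, moduli)
    prod = tuple((x * y) % ni for x, y, ni in zip(xs, ys, moduli))
    return crt_combine(prod, moduli)


if __name__ == "__main__":
    print(crt_basis([4, 5, 9]))        # (180, [45, 36, 100]); c_2 = 36 as on the slide
    print(crt_combine((2, 3, 2), (3, 5, 7)))
```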

10. Powers of an element
Instead of considering $0a, 1a, 2a, 3a, \ldots$ in $\mathbb{Z}_n$, we now consider $a^0, a^1, a^2, \ldots$ in $\mathbb{Z}_n^*$.
By a corollary of Lagrange's theorem we get Euler's theorem: $a^{\varphi(n)} \equiv 1 \pmod n$ for all $a \in \mathbb{Z}_n^*$;
and Fermat's theorem: for $p$ prime, $a^{p-1} \equiv 1 \pmod p$ for all $a \in \mathbb{Z}_p^* = \{1, 2, \ldots, p - 1\}$.
(Remark, also in the other direction: it is impossible that $a^{n-1} = 1 + kn$ when $\gcd(a, n) = d \geq 2$, since $d$ would then divide $a^{n-1} - kn = 1$.)
If $\mathbb{Z}_n^*$ has a generator (also called a primitive root), it is called cyclic. (A theorem says that $\mathbb{Z}_n^*$, $n > 1$, is cyclic precisely for $n = 2, 4, p^e, 2p^e$ with $p$ an odd prime and $e$ any positive integer.)

11. Discrete logarithm
$\mathrm{ind}_{n,g}(a)$ is the $z$ such that $g^z \equiv a \pmod n$, where $g$ is a generator of $\mathbb{Z}_n^*$.
Discrete logarithm theorem: $g^x \equiv g^y \pmod n$ iff $x \equiv y \pmod{\varphi(n)}$.
Theorem: if $p$ is an odd prime and $e \geq 1$, then the equation $x^2 \equiv 1 \pmod{p^e}$ has only two solutions, namely $1$ and $-1$.
Proof. Denote $n = p^e$ (so $\mathbb{Z}_n^*$ is cyclic; let $g$ be a generator). $(g^{\mathrm{ind}_{n,g}(x)})^2 \equiv g^{\mathrm{ind}_{n,g}(1)} \pmod n$, so $2 \cdot \mathrm{ind}_{n,g}(x) \equiv 0 \pmod{\varphi(n)}$. Since $\varphi(n) = p^e(1 - 1/p) = p^e - p^{e-1} = p^{e-1}(p - 1)$ is even, $\gcd(2, \varphi(n)) = 2$, so $\mathrm{ind}_{n,g}(x)$ can take exactly two values (namely $0$ and $\varphi(n)/2$), so $x^2 \equiv 1 \pmod{p^e}$ has exactly two solutions, namely $+1$ and $-1$.
A number $x$ is a nontrivial square root of 1 modulo $n$ iff $x^2 \equiv 1 \pmod n$, $x \not\equiv 1 \pmod n$ and $x \not\equiv -1 \pmod n$. (E.g. $6^2 = 36 \equiv 1 \pmod{35}$.)
Corollary (useful for Miller-Rabin primality testing): if there is a nontrivial square root of 1 modulo $n$, then $n$ is composite.

12. Raising to powers with repeated squaring
To compute $a^b \bmod n$, with $b$ in binary $b_k b_{k-1} \cdots b_1 b_0$ (invariant: $d = a^c \bmod n$; the variable $c$ is used only to state this invariant):
c := 0; d := 1
for i := k downto 0 do
    c := 2c; d := d² mod n
    if b_i = 1 then c := c + 1; d := d · a mod n
($O(\beta)$ arithmetic operations; number of bit operations in $O(\beta^3)$.)
Exercise: knowing $\varphi(n)$, compute $a^{-1} \bmod n$ ($a \in \mathbb{Z}_n^*$) using Modular-Exponentiation.

13. Primality testing
Prime number theorem: $\lim_{n \to \infty} \dfrac{\pi(n)}{n / \ln n} = 1$; $\ln 10^{100} \approx 230$ (to estimate how quickly we can find a random 100-digit prime).
Recall Fermat's theorem, and consider (pseudoprimality testing):
if Mod-Exp(2, n − 1) ≢ 1 (mod n) then COMPOSITE (definitely) else PRIME (we hope)
Surprisingly good for random inputs, but not for every number. Can we do with just adding Mod-Exp(3, n − 1) or so? Or a random $a$? No. E.g. Carmichael numbers (561, 1105, 1729, ...) satisfy $a^{n-1} \equiv 1 \pmod n$ for all $a \in \mathbb{Z}_n^*$.
E.g. $561 = 3 \cdot 11 \cdot 17$, $\varphi(561) = 561(1 - \tfrac{1}{3})(1 - \tfrac{1}{11})(1 - \tfrac{1}{17}) = 320$.

14. The Miller-Rabin randomized primality test
- It tries several randomly chosen base values $a$ (not just $a = 2$).
- While computing the modular exponentiation, it notices if a nontrivial square root of 1 modulo $n$ is discovered (then $n$ is definitely composite).
$n - 1$ in binary: $b_k b_{k-1} \cdots b_1 b_0$
procedure Witness(a, n)   (does a witness the compositeness of n?)
d := 1
for i := k downto 0 do
    x := d; d := d² mod n
    if d = 1 and x ≠ 1 and x ≠ n − 1 then return TRUE   (x is a nontrivial square root of 1)
    if b_i = 1 then d := d · a mod n
if d ≠ 1 then return TRUE else return FALSE   (Fermat's theorem violated, or not)
