Embed Size (px)
Citation preview
CPSC 490 Number TheoryPrimes, Factoring and Euler
Phi-functionMar.31st, 2006
Sam Chan
Clarifications
• The Euclidean Algorithm runs in logarithmic time.
• Finding modular inverses can be done using the extended Euclidean algorithm.
• Ex. 5x = 1 (mod 7) is equivalent to writing 5x – 7y = 1 or 5x + 7(-y) = 1. Use extended Euclidean Algorithm to find x.
Primes
• Def: a positive integer p > 1 is prime if and only if it has exactly two divisors, 1 and p.
• Ex. 2, 3, 5, 7, 11, 13, 17, 19, 23, 29 are the fist 10 primes.
• How many primes are there exactly?
Euclid’s Proof• Euclid first proved that there exists an infinite number of primes.
(300 BC)• Assume there are finitely many primes.• Let S be the set of all n primes, p1p2p3…pn
• Let q = p1p2p3…pn + 1.• There must exist a prime factorization for q. We claim that this
factorization does not contain an element of S. This would imply that q uses a prime outside the set S, thus there are in fact more than n primes.
• Assume that pi, 1 <= i <= n, is in the prime factorization of q. Then it must divide p1p2p3…pn + 1. Specificially pi | 1.
• But since primes are greater than 1, this is our contradiction.
First approach
• Consider the following code: bool isPrime( int n ) {
for( int i = 2; i*i <= n; i++ )if( n % i == 0 ) return true;
return false;}
• We attempt to find divisors of n. If we find one then return false.
• Has a running time of O(n1/2)• In practice, primality testing comes in to varieties.
Primality testing
• Deterministic tests will determine with absolute certainty whether a given integer n is prime.
• Probabilistic tests will determine with a small probability of error, whether a given integer n is prime.
Example of a probabilistic test
• Fermat’s Little Theorem• Let n be a prime and a be any positive integer
such that a < n. Then a raised to the nth power is congruent to a modulo n.
• an = a (mod n) or an-1-1 = 0 (mod n)• Given an integer n, all we have to do is find the
remainder of an (mod n) and see if it equals a.• We know how to compute modulo powers from
our previous discussion.
Fermat’s Little Theorem
• If an integer n satisfies this theorem, does this imply that n is prime?
• NO!• If an (mod n) is not congruent to a then we are
certain that n is not prime.• If it is congruent to a then there is a good
chance that n is prime.• As it turns out, there are composite numbers that
also satisfy Fermat’s Little Theorem.
Fermat’s Little Theorem
• A composite number n is a Carmichael number if n satisfies Fermat’s Little Theorem for every a that is relatively prime to n.
• Smallest Carmichael number is 561.• Other examples include: 89 = 8 (mod 9)• These are called pseudoprimes in general• What can we do to avoid having our test
fail?
Fermat’s Little Theorem
• We are free to choose any a we like, as long as a < n.
• Pick many integers a to test for primality.
• If n passes this test for a lot of different values of a, then it is highly probable that n is prime.
• Run this test many times to reduce our probability of error.
Running times
• Probabilistic tests have running times around O(logn).
• In 2002, Agrawal et al discovered the first algorithm for a deterministic test that is polynomial in the number of digits of n.
• Running time is O(log7.5n). However, they seem to run in O(log3n) in practice.
• Largest known prime currently is 230402457-1. It contains 9152052 digits.
Sieve of Eratosthenes
• What if we want a list of primes?
• Given n, we can find all the primes up to n by using the Sieve of Eratosthenes.
• Start with a list of integers from 2 to n.
• At iteration i, mark the smallest integer a in the set as a prime, then cross off all multiples of a in the set.
• Repeat until i2 <= n.
Sieve of Eratosthenes
• Ex. Let n = 10, and x denote a crossed off integer.
• 2, 3, 4, 5, 6, 7, 8, 9, 10
• 2, 3, x, 5, x, 7, x, 9, x
• 2, 3, x, 5, x, 7, x, x, x
• Done!
• So primes up to n = 10 are 2, 3, 5, and 7.
Sieve of Eratosthenes
• Here is an implementation:bool prime[1000000];void sieve( int n ) { memset( prime, 1, sizeof(prime) ); prime[0] = prime[1] = 0; for( int i = 2; i <= n; i++ ) if( prime[i] ) { for( int j = i+i; j <= n; j += i )
prime[j] = 0; }}
Sieve of Eratosthenes
• At the end of this algorithm, prime[i] = 1 if and only if i is prime, 0 otherwise.
• Outer loop starts at the smallest position that hasn’t been crossed off.
• Inner loop repeatedly crosses of multiples of i.
• With some analysis, we can show that this has a running time of O(nlogn).
• Can we improve this algorithm?
Sieve of Eratosthenes
• Consider after having done the first iteration in the outer loop. So i = 3.
• We start at i + i = 6.• However, we already crossed off all
multiples of 2 (all the even numbers) in the first iteration. So why are we looking here?
• Similarly, when we have crossed off all multiples of 3, we should not look at any multiples of 3 in any future iteration.
Sieve of Eratosthenes
• Improved implementationbool prime[1000000];void sieve( int n ) { memset( prime, 1, sizeof(prime) ); prime[0] = prime[1] = 0; for( int i = 2; i*i <= n; i++ ) if( prime[i] ) { for( int j = i*i; j <= n; j += i ) prime[j] = 0; }}
• Changes are in bold.
Sieve of Eratosthenes
• Outer loop only goes up to the square root of n.• Ex. n = 10, there is no need to check any
multiples of a where a > 3. Surely they will all have been crossed off by some previous combination. (ie. 2x5 = 5x2)
• Inner loop starts at i*i. This prevents looking at positions that obviously is crossed off.
• Improved running time is still O(nlogn), but in practice the speed usually speeds it up by 50%.
Sieve of Eratosthenes
• For anyone interested:• There are other implementations that exploit the
fact that our prime[] array is just an array of 1’s and 0’s.
• Use bits to lower memory usage, perhaps speed things up.
• Other optimizations that can improve running time in practice.
• Sieve of Atkin, optimized version of the Sieve of Eratosthenes.
Factoring
• Given n, we are not interested in finding positive integers a and b such that a*b = n.
• Factoring is hard, when n contains 100 or more digits.
• Many cryptographic systems depend heavily on this assumption.
Is factoring really that hard?
• Consider n = 2193 (n is given as such because my calculator doesn’t like numbers that have more than 10 digits, so pretend we do not know the prime factorization of n ahead of time). How long would it take to factor this number?
• It turns out that we can factor this number in 193 division operations. We just divide our number by 2 193 times.
• It was trivial to factor this number, so why is factoring considered a hard problem?
First attempt at factoring
• Recall our first approach in primality testing. bool isPrime( int n ) {
for( int i = 2; i*i <= n; i++ )
if( n % i == 0 ) return true;
return false;
}
• We can do exactly the same thing, except instead of returning true when we have found a factor, we simply return that number that divided n.
Further optimizations of our first attempt
• To speed things up even further, we can only divide by primes between 2 and square root of n.
• How well does this work in practice?
• What is the worst case input?
Worst case for factoring
• What if we are given two 100 digit prime numbers a and b. Let n = a*b.
• To factor this number with our approach, we will have to check all primes between 2 and the minimum of a and b.
• As an exmaple, consider n = 2193 – 1.• The first prime divisor is 13,821,503.• Assuming that our computer can perform a
billion division instructions per second, it will take more than 35,000 years to find the second largest factor of n!
Worst case for factoring
• As it turns out, the full factorization of n is:• n = 13,821,503 *
61,654,440,233,248,340,616,559 *
14,732, 265,321,145,317,331,353,282,383.• Conclusion: Factoring is hard for most cases.
RSA Factoring Challenge
• http://www.rsasecurity.com/rsalabs/node.asp?id=2093
• Monetary reward for successful factoring of very large integers.
• Latest factored number: RSA-640. An integer that is 640 bits long.
• To quote the website: “The effort took approximately 30 2.2 GHz- Opteron-CPU years according to the submitters, over five months of calendar time. (This is about half the effort for RSA-20)
Factoring and the Sieve• We know we can’t factor general numbers very efficiently.• Here is an implementation of an augmented Sieve of Eratosthenes
that will factor for us:int factors[1000000];void fsieve( int n ) { for( int i = 1; i <= n; i++ ) factors[i] = i; for( int i = 2; i <= n; i++ ) if( factors[i] == I ) { for( int j = i*i; j <= n; j += i ) if( factors[j] == j ) f[j] = i; }}
Factoring Sieve
• Again we loop over the numbers from 2 to n.• The inner loop will set factor[j] = i if i is a multiple of j.
Since we loop in ascending order, it is the smallest multiple of j.
• We can retrieve the list o factors for any arbitrary position.
• Ex. n = 6• Before the first iteration, factors[]: 1, 2, 3, 4, 5, 6• After the last iteration, factors[]: 1, 2, 3, 2, 5, 2• To retrieve the factors of 6, go to factors[6]. Divide that 6
by that value and get 3, go to factors[3], divide 6 by that value and get 2, go to factors[2], divide 6 by 2 to get 1. Stop.
• Factors are 1, 2, 3 and 6.
Euler’s Phi Function
• Def: “Phi of n”, denoted as Φ(n), counts the number of integers in the range of
[1,n-1] that are relatively prime to n.
• Def: Two positive integers a and b are said to be relatively prime if gcd(a,b) = 1.
• Note that the definition does not require either a or b to be prime themselves.
• Ex. a = 6, b = 25. (6,25) = 1
Euler Phi Function
• Ex. Φ(6) = 2 since 1 and 5 are relatively prime to 6.
• Ex. Φ(2000) = 800. How do we know this?
• Let’s first establish some ways we can calculate Φ(n).
Case when n is prime
• If n is prime, then by definition, it contains no factors other than itself and 1. Since (n,1) = 1, the number integers less than n that are relatively prime to n is just n – 1.
• Ex. Φ(7) = 6 since 1, 2, 3, 4, 5, 6 are all relatively prime to 7.
Case when n = pr, r > 1
• If n is a power of a prime number p, can we derive a formula for Φ(n)?
• Let’s consider what pr is not relatively prime to.• Obviously, (p,pr) = p. In fact, all integers
ap <= pr where a is some positive integer are not relatively prime to p.
• Also, all powers of p, up to pr-1 are not relatively prime to p.
Case when n = pr, r > 1
• Thus the numbers p, 2p, 3p, … (pr-1-1)p are all not relatively prime to p.
• There are pr-1 numbers less than pr. There are pr-1-1 numbers that are not relatively prime to pr.
• So Φ(n) = (pr-1)-(pr-1-1) = pr - pr-1.
General Case
• Given n and it’s prime factorization, can we derive a general formula for n?
mrm
rr pppn ...2121
)()...()()( 2121
mrm
rr pppn
kpppnn
11..........
11
11)(
21
In general:
Looking ahead
• Next class, Andrew will be talking about cryptography.• One of the more famous algorithms for public-key
encryption is RSA.• Each step of the algorithm involves something that we
talked about in each of the 3 (including today) discussions.
• We will need to find two large prime numbers. (primality)• We will need to solve linear equations such as ax + by =
1. (extended Euclidean algorithm)• We will need to compute Φ(n)• Try to be at least a little familiar with all 3 or otherwise,
the next discussion may be hard to follow.
References
• http://mathworld.wolfram.com/PrimalityTest.html
• http://www.fortunecity.com/emachines/e11/86/tourist2d.html
• http://www.rsasecurity.com/rsalabs/node.asp?id=2093
• http://en.wikipedia.org/wiki/RSA
• Last Year’s notes.
