based on lecture slides from steven rudich, cmu
DESCRIPTION
15. 15. a. On Exponentiation. Based on Lecture Slides from Steven Rudich, CMU. Even very simple computational problems can be surprisingly subtle. Compiler Translation. - PowerPoint PPT PresentationTRANSCRIPT
Based on Lecture Slides from Steven Rudich, CMU
1515
aa
Even very simple
computational
problems can be
surprisingly subtle.
Compiler TranslationCompiler Translation
A compiler must translate a high A compiler must translate a high level language (e.g.,level language (e.g., C C) with ) with complex operations (e.g., complex operations (e.g., exponentiationexponentiation) into a lower ) into a lower level language (e.g.,level language (e.g., assembly assembly) ) that can only support simpler that can only support simpler operations (e.g., operations (e.g., multiplicationmultiplication).).
b:=ab:=a88
b:=a*ab:=a*a
b:=b*ab:=b*a
b:=b*ab:=b*a
b:=b*ab:=b*a
b:=b*ab:=b*a
b:=b*ab:=b*a
b:=b*ab:=b*a
b:=a*ab:=a*a
b:=b*bb:=b*b
b:=b*bb:=b*b
This method costs only 3 multiplications. The
savings are significant if b:=a8 is executed often.
General VersionGeneral Version
Given a constant Given a constant kk, , how do we how do we
implement implement b:=ab:=akk with with the fewest number of the fewest number of
multiplications? multiplications?
Powering By Repeated Powering By Repeated MultiplicationMultiplication
Input:Input: a,na,n
Output:Output: A sequence starting A sequence starting with a, ending with awith a, ending with ann, , and such that each and such that each entry other than the entry other than the first is the product of first is the product of previous entries.previous entries.
ExampleExample
Input:Input: a,5 a,5
Output:Output: a, aa, a22, a, a33, a, a44, a, a55
oror
Output:Output: a, aa, a22, a, a33, a, a55
oror
Output:Output: a, aa, a22, a, a44, a, a55
Definition of M(n)Definition of M(n)
M(n)M(n) == The minimum The minimum number of number of multiplications multiplications required to produce required to produce aann by repeated by repeated multiplicationmultiplication
What is M(n)? Can we What is M(n)? Can we calculate it exactly? Can we calculate it exactly? Can we
approximate it?approximate it?Exemplification:Exemplification:
Try out a problem orTry out a problem or solution on small examples. solution on small examples.
Some Very Small ExamplesSome Very Small Examples
•What is M(0)?
– M(0) does not really make sense
•What is M(1)?
– M(1) = 0 [a]
•What is M(2)?
– M(2) = 1 [a, a2]
M(8) = ?M(8) = ?
a, aa, a22, a, a44, a, a88 is a way to make a is a way to make a88 in 3 multiplications. What does in 3 multiplications. What does this tell us about the value of this tell us about the value of M(8)?M(8)?
M(8) = ?M(8) = ?
a, aa, a22, a, a44, a, a88 is a way to make a is a way to make a88 in 3 multiplications. What does in 3 multiplications. What does this tell us about the value of this tell us about the value of M(8)?M(8)?
M( )8 3Upper Bound
? ( ) M 8 3
Lower Bound
? ( ) M 8 3
Lower Bound
3 8 M( )Exhaustive Search. There are only two sequences with 2 multiplications. Neither of them make 8:
a, a2, a3 & a, a2, a4
3 8 3 M( )Upper Bound
Lower Bound
M(8) = 3
Applying Two IdeasApplying Two Ideas
AbstractionAbstraction: : Abstract away the inessential Abstract away the inessential
features of a problem or solutionfeatures of a problem or solution
=Representation:Representation:
Understand the relationship betweenUnderstand the relationship betweendifferent representations of the samedifferent representations of the same
information or ideainformation or idea
1
2
3
The a is a The a is a red red herringherring..
aaxx times a times ay y is ais ax+yx+y
Everything besides the exponent is inessential. This
should be viewed as a problem of repeated addition, rather than
repeated multiplication.
Addition ChainsAddition Chains
M(n) =M(n) = Number of stages Number of stages required to make n, required to make n, where we start at 1 and where we start at 1 and in each subsequent stage in each subsequent stage we add two previously we add two previously constructed numbers.constructed numbers.
ExamplesExamples
Addition Chain for 8:Addition Chain for 8:
1 2 3 5 81 2 3 5 8
MinimalMinimal Addition Chain for 8: Addition Chain for 8:
1 2 4 81 2 4 8
M(30) = ?
1515
aa
Some Addition Chains For 30Some Addition Chains For 30
11 22 44 88 1616 2424 2828 3030
11 22 44 55 1010 2020 3030
11 22 33 55 1010 1515 3030
11 22 44 88 1010 2020 3030
? ( )? ( ?
<MM n
30 6)
Take 5 minutes to think like a computer scientist
<< <
Let BLet Bn n be the number of 1s in the binary be the number of 1s in the binary representation of n. representation of n. Ex: BEx: B55 = 2 since 101 = 2 since 101 is the binary representation of 5is the binary representation of 5
Proposition: BProposition: Bnn ≤ ≤ log log22 (n) + 1 (n) + 1
The length of the binary representation The length of the binary representation of n is bounded by this quantity.of n is bounded by this quantity.
Binary RepresentationBinary Representation
┙┙
┕┕
Binary MethodBinary MethodRepeated Squaring MethodRepeated Squaring MethodRepeated Doubling MethodRepeated Doubling Method
Phase IPhase I (Repeated Doubling)(Repeated Doubling)
For For
Add largest so far to itselfAdd largest so far to itself
(1, 2, 4, 8, 16, . . . )(1, 2, 4, 8, 16, . . . )
Phase IIPhase II (Make n from bits and pieces)(Make n from bits and pieces)
Expand n in binary to see how n is the sum Expand n in binary to see how n is the sum of Bof Bnn powers of 2. Use B powers of 2. Use Bnn-1 stages to make -1 stages to make n from the powers of 2 created in phase In from the powers of 2 created in phase I
log2 n stages:
Total Cost: log2 1n Bn
Binary Method Applied To 30Binary Method Applied To 30BinaryBinary
3030 1111011110
Phase IPhase I11 1 122 10 1044 100 10088 1000 10001616 10000 10000
Phase II: 6 14 30Phase II: 6 14 30 (Cost: 7 additions)(Cost: 7 additions)
M n n B nn( ) log log 2 21 2
AbstractionAbstraction: : Abstract away the inessential Abstract away the inessential
features of a problem or solutionfeatures of a problem or solution
=The repeated
squaring method works for modular arithmetic and for raising a matrix
to a power.
AbstractionAbstraction: : Abstract away the inessential Abstract away the inessential
features of a problem or solutionfeatures of a problem or solution
=
The repeated squaring method
works for any notion of
“multiplication” that is
associative.
(a*b)*c = a*(b*c)
A Lower Bound IdeaA Lower Bound Idea
You can’t make any number bigger You can’t make any number bigger than 2than 2nn in n steps. in n steps.
1 2 4 8 16 32 64 . . .1 2 4 8 16 32 64 . . .
Failure of Imagination?
Induction ProofInduction Proof
Theorem: For all n Theorem: For all n 0, no n stage 0, no n stage addition chain will contain a number addition chain will contain a number greater than 2greater than 2nn
Let SLet Skk be the statement that no k be the statement that no k stage addition chain will contain a stage addition chain will contain a
number greater than 2number greater than 2kk
Base case: k=0. Base case: k=0. SS0 0 is trueis true since no chain since no chain can exceed 2can exceed 200 after 0 stages. after 0 stages.
Let k Let k >> 0, S 0, Skk ⇒⇒ S Sk + 1k + 1
At stage k+1 we add two numbers from At stage k+1 we add two numbers from the previous stage. From the previous stage. From SSkk we know that we know that they both are bounded by 2they both are bounded by 2kk. Hence, their . Hence, their sum is bounded by 2sum is bounded by 2k+1. k+1. No number greater No number greater than 2than 2k+1k+1 can be present by stage k+1. can be present by stage k+1.
I n fact, n n M( ) log ( ) 2
M n n( ) log ( ) 2
Change Of VariableChange Of Variable
All numbers obtainable in m stages All numbers obtainable in m stages are bounded by 2are bounded by 2mm. Let m = log. Let m = log22(n).(n).
Thus, All numbers obtainable in Thus, All numbers obtainable in loglog22(n) stages are bounded by n.(n) stages are bounded by n.
Theorem: The only way to make Theorem: The only way to make 22ii in i stages is by repeated in i stages is by repeated
doublingdoublingAssumption:Assumption: Let 2 Let 2i+1i+1 be the first counter-example be the first counter-example to the theorem.to the theorem.
To make 2To make 2i+1i+1 at stage i+1 requires that some at stage i+1 requires that some number of size at least 2number of size at least 2ii be present at stage i. be present at stage i. By previous result such a number could not be By previous result such a number could not be larger than 2larger than 2ii, and thus equals 2, and thus equals 2ii. .
By the assumptionBy the assumption, 2, 2ii can only be constructed by can only be constructed by repeated doubling. The only possible final move repeated doubling. The only possible final move was to double 2was to double 2ii. . ThusThus 22i+1i+1 must result from must result from repeated doubling, contradicting the assumption.repeated doubling, contradicting the assumption.
5 < M(30)5 < M(30)
Suppose that M(30)=5. Suppose that M(30)=5. At the last stage, we added At the last stage, we added two numbers xtwo numbers x1 1 and xand x22 to get 30. to get 30.
Without loss of generality (WLOG), we assume that Without loss of generality (WLOG), we assume that xx1 1 xx22..
Thus, xThus, x1 1 15 15
By doubling bound, xBy doubling bound, x1 1 16 16
But xBut x11 can’t be 16 since there is only one way to can’t be 16 since there is only one way to make 16 in 4 stages and it does not make 14 along make 16 in 4 stages and it does not make 14 along the way.the way.
Thus, Thus, xx1 1 = 15 and M(15)=4= 15 and M(15)=4
Suppose M(15) = 4Suppose M(15) = 4
At stage 3, a number bigger than 7.5, but At stage 3, a number bigger than 7.5, but not more than 8 must have existed. There not more than 8 must have existed. There is only one sequence that gets 8 in 3 is only one sequence that gets 8 in 3 additions: 1 2 4 8additions: 1 2 4 8
That sequence does not make 7 along the That sequence does not make 7 along the way and hence there is nothing to add to way and hence there is nothing to add to 8 to make 15 at the next stage. 8 to make 15 at the next stage.
Thus, M(15) > 4. CONTRADICTION.Thus, M(15) > 4. CONTRADICTION.
M(30)=6
Factoring BoundFactoring Bound
M(ab) M(ab) M(a)+M(b)M(a)+M(b)
Factoring BoundFactoring Bound
M(ab) M(ab) M(a)+M(b)M(a)+M(b)Proof:Proof:• Construct a in M(a) additions• Using a as a unit follow a construction
method for b using M(b) additions. In other words, every time the construction of b refers to a number x, use the number a times x.
ExampleExample
45 = 5 * 945 = 5 * 9
M(5)=3M(5)=3 [1 2 4 5][1 2 4 5]
M(9)=4M(9)=4 [1 2 4 8 9 ] [1 2 4 8 9 ]
M(45) M(45) 3+4 3+4 [1 2 4 5 10 20 40 45][1 2 4 5 10 20 40 45]
Corollary (Using Induction)Corollary (Using Induction)
M(aM(a11aa22aa33…a…ann) ) M(aM(a11)+M(a)+M(a22)+…+M(a)+…+M(ann))
Proof: For n=1 the bound clearly holds. Proof: For n=1 the bound clearly holds. Assume it has been shown for up to Assume it has been shown for up to n-1. Apply theorem using a= an-1. Apply theorem using a= a11aa22aa33…a…an-1 n-1
and b=aand b=ann to obtain: to obtain:
M(aM(a11aa22aa33…a…ann) ) M(aM(a11aa22aa33…a…an-1n-1)+M(a)+M(ann))By inductive assumption, By inductive assumption,
M(aM(a11aa22aa33…a…an-1n-1) ) M(aM(a11)+M(a)+M(a22)+…+M(a)+…+M(an-1n-1))
More CorollariesMore Corollaries
Corollary: M(aCorollary: M(akk) ) kM(a)kM(a)
Corollary: M(p p p p
M(p + M(p + p
1 2 3 n
1 2 n
1 2 3
1 2
n
nM
)
) ) ( )
Does equality hold?
M(33) < M(3) + M(11)M(33) < M(3) + M(11)
M(3) = 2M(3) = 2 [1 2 3][1 2 3]
M(11)= 5M(11)= 5 [1 2 3 5 10 11][1 2 3 5 10 11]
M(3) + M(11) = 7M(3) + M(11) = 7
M(33) = 6M(33) = 6 [1 2 4 8 16 32 33][1 2 4 8 16 32 33]
The conjecture of equality fails. There The conjecture of equality fails. There have been many nice conjectures. . . .have been many nice conjectures. . . .
Conjecture: Conjecture: M(2n) = M(n) +1M(2n) = M(n) +1(A. Goulard)(A. Goulard)
A fastest way to an even number is to A fastest way to an even number is to make half that number and then double it. make half that number and then double it.
Proof given in 1895 by E. de Jonquieres in Proof given in 1895 by E. de Jonquieres in L’Intermediere Des Mathematiques, L’Intermediere Des Mathematiques, volume 2, pages 125-126volume 2, pages 125-126
FALSE! M(191)=M(382)=11
Furthermore, there are infinitely many such
examples.
Open ProblemOpen Problem
Is there an n such that:Is there an n such that:
M(2n) < M(n)M(2n) < M(n)
ConjectureConjecture
Each stage might as well consist of Each stage might as well consist of adding the largest number so far to adding the largest number so far to one of the other numbers.one of the other numbers.
First Counter-example: 12,50912,509[1 2 4 8 16 17 32 64 128 256 512 1024 1041 2082 4164 8328 8345 12509]
Open ProblemOpen Problem
Prove or disprove the Scholz-Prove or disprove the Scholz-Brauer Conjecture:Brauer Conjecture:
M(2M(2nn-1) -1) n - 1 + B n - 1 + Bnn
(The bound that follows from this (The bound that follows from this lecture is too weak: M(2lecture is too weak: M(2nn-1) -1) 2n - 1) 2n - 1)
The RSA CryptosystemThe RSA Cryptosystem
RRivest, ivest, SShamir, and hamir, and AAdelman (1978)delman (1978)
RSA is one of the most used RSA is one of the most used cryptographic protocols on the net. cryptographic protocols on the net. Your browser uses it to establish a Your browser uses it to establish a
secure session with a site.secure session with a site.
Preview:Preview: Instructions For RSA Instructions For RSA use.use.
Public key: Public key: e, ne, nAnyone wishing to send you a message Anyone wishing to send you a message m m Z Znn*, should send you *, should send you mmee mod mod nn..
Private key: Private key: d, d, (n)(n)
When you get an encrypted message When you get an encrypted message mme e mod nmod n, do the following:, do the following:
(m(mee))dd mod mod nn = m = meedd mod mod nn = m= med mod ed mod (n) (n) mod nmod n = m mod = m mod nn
Addition And Multiplication Addition And Multiplication Mod nMod n
a + b mod n = a + b mod n = [[(a mod n) + (b mod n(a mod n) + (b mod n)] )] mod nmod n
ab mod n = ab mod n = [[ (a mod n)(b mod n) ] (a mod n)(b mod n) ] mod nmod n
This is saying that we can just keep track This is saying that we can just keep track of remainders mod n as we multiply and of remainders mod n as we multiply and add.add.
(S,●) is called a group if it has these properties:
,a b S a b S closure:
identity: s.t. e S a S e a a e a
inverse: 1 1 1 s.t. a S a S a a a a e
associativity: , , ( ) ( )a b c S a b c a b c
Theorem: with multiplication modulo n is a group.*nZ
*nZ= the set of naturals between 1 and
n that are relatively prime to n
Computing Inverses In ZComputing Inverses In Znn**
Suppose we want the inverse of a. In other Suppose we want the inverse of a. In other words, b such that ab = 1 mod n.words, b such that ab = 1 mod n.
Using an Using an Extended GCDExtended GCD algorithm algorithm Compute GCD(a,n).Compute GCD(a,n).
Of course the answer is 1, but Of course the answer is 1, but also get also get r, sr, s such that ra+sn = GCD(a,n) = such that ra+sn = GCD(a,n) = 1.1.Taking both sides mod n, we get ra=1 mod n. Taking both sides mod n, we get ra=1 mod n. Thus Thus rr is the is the inverse of ainverse of a in the group Z in the group Znn**
(n) = size of Z(n) = size of Znn**
(p) = p-1(p) = p-1(p(pkk) = p) = pkk – p – pk-1k-1
(pq) = (pq) = (p) (p) (q) (q) p,q distinct primes, p,q distinct primes, actually even if GCD(p,q)=1.actually even if GCD(p,q)=1.
The Euler Phi FunctionThe Euler Phi Function
(pq) = (p-1)(q-1) (pq) = (p-1)(q-1) if p,q distinct primesif p,q distinct primes
pq = # of numbers from 1 to pqpq = # of numbers from 1 to pq
p = # of multiples of q up to pqp = # of multiples of q up to pq
q = # of multiples of p up to pqq = # of multiples of p up to pq
1 = # of multiple of both p and q up to 1 = # of multiple of both p and q up to pqpq
(pq) = pq – p – q + 1 = (p-1)(q-1)(pq) = pq – p – q + 1 = (p-1)(q-1)
aa(n)(n) = 1 mod n, if GCD(a,n)=1 = 1 mod n, if GCD(a,n)=1
Lagrange: The size of any subgroup Lagrange: The size of any subgroup divides the size of the group. divides the size of the group.
Note: In a finite group, the powers of an Note: In a finite group, the powers of an element x form a subgroup. element x form a subgroup.
Euler’s Corollary: Let G be any finite Euler’s Corollary: Let G be any finite group of size s: xgroup of size s: x G implies XG implies Xss = 1 = 1
Euler’s Corollary for ZEuler’s Corollary for Znn*:*:
aa(n)(n) = 1 mod n = 1 mod n
Addition And Multiplication Addition And Multiplication Mod nMod n
a + b mod n = a + b mod n = [[(a mod n) + (b mod n(a mod n) + (b mod n)] )] mod nmod n
ab mod n = ab mod n = [[ (a mod n)(b mod n) ] (a mod n)(b mod n) ] mod nmod n
This is saying that we can just keep track This is saying that we can just keep track of remainders mod n as we multiply and of remainders mod n as we multiply and divide.divide.
Law Of Exponents mod nLaw Of Exponents mod n
Could it be as simple as:Could it be as simple as:
aaee mod n = mod n = [[(a mod n)(a mod n)(e mod n)(e mod n)] mod n ] mod n ? ?
216 2 mod 15
Mental Arithmetic TestMental Arithmetic Test
7890 = ? Mod 15
Mental Arithmetic TestMental Arithmetic Test
7890 = 7890 mod 4 Mod 15
= 72 mod 15 = 4
Powers of 7:
1, 7, 4, 13, 1, 7, 4, 13, …
Mental Arithmetic TestMental Arithmetic Test
3890 = ? Mod 14
Mental Arithmetic TestMental Arithmetic Test
3890 = 3890 mod 6 Mod 14
= 32 = 9
Powers of 3
1, 3, 9, 13, 11, 5, 1
Law Of Exponents mod nLaw Of Exponents mod n(Correct)(Correct)
aaee mod n = mod n = [[(a mod n)(a mod n)(e mod (e mod (n))(n))] ] mod nmod n
The exponent must be taken mod (n)(n)
Law Of Exponents mod nLaw Of Exponents mod n
aaee mod n = mod n = [[(a mod n)(a mod n)(e mod (e mod (n))(n))] ] mod nmod n
Proof: e = a Proof: e = a (n) + b (b < (n) + b (b < (n) )(n) )
XXee = X = Xaa(n)(n) X Xbb = (X = (X(n)(n)))aa X Xbb = X = Xbb = = XXe mod e mod (n)(n)
Instructions For RSA setupInstructions For RSA setup
1.1. Pick 2 random k-bit primes: p and Pick 2 random k-bit primes: p and q. Let n = pq. q. Let n = pq.
2.2. Compute Compute (n). Pick random e (n). Pick random e relatively prime to relatively prime to (n). Compute (n). Compute d = inverse of e mod d = inverse of e mod (n). (n). d is d is called your private-key.called your private-key.
3.3. Publish Publish n and en and e. These are called . These are called your your public-keypublic-key..
Instructions For RSA use.Instructions For RSA use.
Anyone wishing to send you a Anyone wishing to send you a message m message m Z Znn*, should send you *, should send you mmee mod n mod n..
When you get an encrypted message When you get an encrypted message mme e mod nmod n, do the following:, do the following:
(m(mee))dd = m = meded mod n mod n = m= med mod ed mod (n) (n) mod nmod n= m mod n= m mod n
How Can Eve Break The How Can Eve Break The System?System?
If Eve can quickly compute If Eve can quickly compute (n), (n), then she can compute d from e and then she can compute d from e and read all the messages. This might be read all the messages. This might be easier than factoring.easier than factoring.
No one knows how to break No one knows how to break RSA quickly. RSA quickly.
Does this mean it is secure?Does this mean it is secure?
RSA has an *amazing* RSA has an *amazing* feature.feature.
Two people who have never met and Two people who have never met and have no prior shared secrets can use have no prior shared secrets can use the system. Without this property, the system. Without this property, commerce on the net would be commerce on the net would be impossible.impossible.
REFERENCESREFERENCES
Coxeter, H. S. M. ``The Golden Section, Coxeter, H. S. M. ``The Golden Section, Phyllotaxis, and Wythoff's Game.'' Phyllotaxis, and Wythoff's Game.'' Scripta Scripta MathematicaMathematica 1919, 135-143, 1953. , 135-143, 1953.
"Recounting Fibonacci and Lucas"Recounting Fibonacci and LucasIdentities" by Arthur T. Benjamin and Identities" by Arthur T. Benjamin and Jennifer J. Quinn, The CollegeMathematics Jennifer J. Quinn, The CollegeMathematics Journal, Vol. 30, No. 5, 1999, pp. 359--Journal, Vol. 30, No. 5, 1999, pp. 359--366.366.