Instructor
Neelima Gupta ngupta@cs.du.ac.in

• Number Theoretic Problems

• Addition of two large intergers
• Multiplication of two large intergers
• x^n
• x^n modulo m
• Gcd(a,b)
• Primes(x)
– Simple Exponential
– Pseudoprimality (polynomial time)
– Miller-Rabin randomized primality (polynomial time)
– AKS primality (polynomial time)
• RSA public-key cryptosystem

• Iterative: x n-1 * x
T(n) = T(n-1) + c (n-1) log 2 x
= O(n 2 log 2 x)
• Divide and Conquer: x n/2 * x n/2
T(n) = T(n/2) + c n 2 log 2 x
= O(n 2 log 2 x)
Both Exponential in the input size B = (log x + log n)

• x n modulo m never becomes too large
(never more than m) i*log x = O(log m)
• Iterative: x n-1 * x modulo m
T(n) <= T(n-1) + log x * log m
= O(n * log x * log m)
Exponential in the input size B = (log x + log n)
• Divide and Conquer: x n/2 * x n/2 modulo m
T(n) = T(n/2) + log 2 m
= O(log n * log 2 m)
Polynomial in the input size.

Copyright
© The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

• Follows from
For any non-ve integer a and +ve integer b, gcd(a,b) = gcd(b, a mod b)
Prove it yourself, its very simple.

• Number of recursive calls k satisfies the following:
• Theorem: If a>b and the invocation
EUCLID(a,b) performs k>=1 recursive calls , then a>=F k+2 and b>=F
K+1
. ( F k is fibonacci number)
Proof: Omitted

• Since F k is approximately Φ k / sqrt(5), where Φ is the golden ratio (1 + sqrt(5))/2, the number of recursive calls is O(lg b)
(where b< a).

Copyright
© The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

(Rivest, Shamir and Adleman, 1977)
1. Select two large prime numbers (say 100 digit) p and q at random.
2. Compute n = pq
3. Select a small odd integer e that is relatively prime to Φ(n). Φ(n) is the number of positive integers relatively prime to n and = (p-1)(q-1).
4. Compute d as the multiplicative inverse of e, modulo Φ(n).
5. Pair P =(e, n) is the public key.
6. S= (d, n) is the private/secret key

• Prime distribution function π (n) is the number of primes <= n.
• Prime Number Theorem:
• lim n→∞
π (n) / (n/ ln n) = 1
• i.e for large n the number of primes <= n is (n/ ln n)
• i.e we need to check about ln n numbers <= n for primality to find a prime that is of same length as n.
• Thus step 1 of RSA can be done in polynomial time using Rabin-Miller or AKS algorithm.

• ax ≡ b (mod n) , n > 0
• There are Modular Linear Equations
Solver which solve the system in polynomial time for large a,b and n.
• Thus step 4 can be done in polynomial time with b = 1.

• Encryption: P(M) = M e (mod n)
• Decryption: S(C) = C d (mod n)
• Note that S(P(M)) = M since de = 1 (mod n)
• Clearly, these steps can be done in polynomial time using power function modulo n.

• The eavesdropper has M and d but he doesn’t have e. He could get e if knew n. How does he get n?
• He tries all numbers, factor a number into primes and obtain p and q ,
• gets phi(n) (he can’t find phi(n) without p and q; phi(n) = n* product of (1- 1/p) of all prime factors of n),
• computes e and its inverse e’. If e’ matches d, he is done.
• Factoring a number into primes is a hard problem
• And that makes RSA difficult to crack.

• b + (a mod b) = b + (a – floor(a/b) b)
= a + (b - floor(a/b) b)
≤ a ( as a>b>0 => floor(a/b) ≥ 1) a ≥ b + (a mod b) = a k-1
+ b k-1
≥ F k+1
+ F k
(by induction hypo.)
= F k+2
.
And, b k
= a k-1
≥ F k+1
(by induction hypo.)
Note: a’s and b’s above are a k
’s and b k
’s resp.

• Fermat’s Theorem
If p is prime, then a p-1 ≡ 1 (mod p) for all a relatively prime to p
• Converse
If a n-1 ≡ 1 (mod n) for all a relatively prime to n, is n prime?
Ans: Not true for all n

• These composite numbers for which the converse does not hold are called
Carmichael numbers.
• Carmichael numbers are extremely rare:
Only 255 less than 100,000,000.