Title: University of Capital University of Economics and Business Dept' of Computer Science IT222 Applicati
1University of Capital University of Economics and
BusinessDept. of Computer Science
IT222Applications of Discrete
StructuresInstructor Xiaoting Zhao
2Module 9Applications of Number Theory
- Rosen 5th ed., 2.4-2.6
- 33 slides, 1.5 lectures
3Applications from 2.4
- Hashing Functions (hashes)
- Pseudorandom Numbers
- Cryptology
4Hashing Functions
- Also known as
- hash functions, hash codes, or just hashes.
- Two major uses
- Indexing hash tables
- Data structures which support O(1)-time access.
- Creating short unique IDs for long documents.
- Used in digital signatures the short ID can be
signed, rather than the long document.
5Hash Function Requirements
- A hash function hA?B is a map from a set A to a
smaller set B (i.e., A B). - An effective hash function should have the
following properties - It should cover (be onto) its codomain B.
- It should be efficient to calculate
- ideally, it should take O(log A) operations.
- The cardinality of each preimage of an element of
B should be about the same. - ?b1,b2?B h-1(b1) h-1(b2)
- That is, elements of B should be generated with
roughly uniform probability. - Ideally, the map should appear random, so that
clearly similar elements of A are not likely to
map to the same (or similar) elements of B. - Furthermore, for a cryptographically secure hash
function - Given an element b?B, the problem of finding an
a?A such that h(a)b should have average-case
time complexity of O(Bc) for some cgt0. - This ensures that it would take exponential time
in the length of an ID for an opponent to fake
a different document having the same ID.
6A Simple Hash Using mod
- Let the domain and codomain be the sets of all
natural numbers below certain bounds - A a?N a lt alim, B b?N b lt
blim - Then an acceptable (although not great) hash
function from A to B (when alimblim) is h(a) a
mod blim. - It has the following desirable hash function
properties - It covers or is onto its codomain B (its range is
B). - When alim blim, then each b?B has a preimage of
about the same size, - Specifically, h-1(b) ?alim/blim? or
?alim/blim?. - However, it has the following limitations
- It is not very random.
- For example, if all as encountered happen to
have the same residue mod blim, they will all map
to the same b! - It is definitely not cryptographically secure.
- Given a b, it is easy to generate as that map to
it - Namely, we know that for any n?N, h(b nblim)
b.
7Hash Table Characteristics
- A hash table is a type of container data
structure often used for representing a set. - It has these properties
- Every element e stored is assigned a unique key
k(e) - It identifies the element and can be easily
calculated from e. - It supports the following operations with O(1)
expected (average case) time - Looking up an element e given its key k.
- Adding a new element e to the hash table.
- Deleting an element e from the hash table.
- Listing the next element, in an enumeration of
all elements.
8Simple Hash Table Implementation
- There is an array eb with blim locations for
storing elements. - procedure store(e element)a k(e)
calculate key a of elementb h(a)
hash the key to a storage location
bwhile (eb ? null ? k(eb) ? a)
not e or empty b (b1) mod blim
go to next loc., circularly if eb null
then eb e store it if it wasnt
there - procedure lookup(a?A desired elements key)b
h(a) hash
it to a location bwhile (eb ? null ? k(eb) ? a)
not e or empty b (b1) mod
blim go to next loc., circularly
if k(eb) a then return eb else return null
Exercise What happens when the array is
full?How might you fix this problem?
9Digital Signature Application
- Many digital signature systems use a
cryptographically secure (but public) hash
function h which maps arbitrarily long documents
down to fixed-length (e.g., 1,024-bit)
fingerprint strings. - Document signing procedure
- Given a document a to sign, quickly compute its
hash b h(a). - Compute a certain function c f(b) that is known
only to the signer - This step is generally slow, so we dont want to
apply it to the whole document. - Deliver the original document together with the
digital signature c. - Signature verification procedure
- Given a document a and signature c, quickly find
as hash b h(a). - Compute b' f -1(c). (Possible if fs inverse f
-1 is made public.) - Compare b to b' if they are equal then the
signature is valid. - Note that if h were not cryptographically secure,
then an opponent could easily forge a different
document a' that hashes to the same value b, and
thereby attach someones digital signature to a
different document than they actually signed, and
fool the verifier.
10Pseudo-random Numbers
- Numbers that are generated deterministically, but
that appear random for all practical purposes. - Used in many applications, such as
- Hash functions
- Simulations, games, graphics
- Cryptographic algorithms
- One simple common pseudo-random number generating
procedure - The linear congruential method
- Uses the mod operator
11Linear Congruential Method
- Requires four natural numbers
- The modulus m, the multiplier a, the increment c,
and the seed x0. - Where 2 a lt m, 0 c lt m, 0 x0 lt m.
- Generates the pseudo-random sequence xn with 0
xn lt m, via the following - xn1 (axn c) mod m.
- Tends to work best when a,c,m are prime, or at
least relatively prime. - If c0, the method is called a pure
multiplicative generator.
12Example
- Let modulus m 1,000 2353.
- To generate outputs in the range 0-999.
- Pick increment c 467 (prime), multiplier a
293 (also prime), seed x0 426. - Then we get the pseudo-random sequence
- x1 (ax0 c) mod m 285
- x2 (ax1 c) mod m 972
- x3 (ax2 c) mod m 263 and so on
Note alternatingodd and even values results
from m being even
13Cryptology
- This is the study of secret (coded) messages. It
includes - Cryptography Methods for encrypting and
decrypting secret (coded) messages. - Cryptanalysis Methods for code-breaking.
- Some simple early codes include Caesars cipher
- Associate each letter w. its position 0-25 in the
alphabet - Encrypt by replacing letter n by letter (n3) mod
26. - Decrypt by replacing n with (n-3) mod 26.
- This a simple example of a shift cipher (nk) mod
m. - Can generalize this to affine transforms (linear
1-1 transforms) (an b) mod 26, e.g., (7n3) mod
26. - This is still very insecure however!
14Modular Exponentiation Problem (from 2.5)
- Problem Given large integers b (base), n
(exponent), and m (modulus), efficiently compute
bn mod m. - Note that bn itself may be completely infeasible
to compute and store directly. - E.g. if n is a 1,000-bit number, then bn itself
will have far more digits than there are atoms in
the universe! - Yet, this is a type of calculation that is
commonly required in modern cryptographic
algorithms!
15Modular Exponentiation
- procedure modularExponentiation(b integer, n
(nk-1n0)2, m positive integers)x 1
result will be accumulated hereb2i b mod m
mod m i0 initiallyfor i 0 to k-1
go thru all k bits of n if ni 1 then x
(xb2i) mod m b2i (b2ib2i) mod mreturn x
16Why that Algorithm Works
The binary expansion of n
- Note that
- We can compute b to various powers of 2 by
repeated squaring. - Then multiply them into the partial product, or
not, depending on whether the corresponding ni
bit is 1. - Crucially, we can do the mod m operations as we
go along, because of the various identity laws of
modular arithmetic. All the numbers stay small.
b1 b
172.6 More on Applications
- Misc. useful results
- Linear congruences
- Chinese Remainder Theorem
- Computer arithmetic w. large integers
- Pseudoprimes
- Fermats Little Theorem
- Public Key Cryptography
- The Rivest-Shamir-Adleman (RSA) cryptosystem
18Some Misc. Results
- Theorem 0 (Euclid)
- ?a,b gt 0 gcd(a,b) gcd(b, a mod b)
- Theorem 1
- ?a,bgt0 ?s,t gcd(a,b) sa tb
- Lemma 1
- ?a,b,cgt0 gcd(a,b)1 ? a bc ? ac
- Lemma 2
- If p is prime and pa1a2an (integers ai) then
?i pai. - Theorem 2
- If ac bc (mod m) and gcd(c,m)1, then a b
(mod m).
19Proof Euclids Algorithm Works
- Theorem 0 gcd(a,b) gcd(b,c) if c a mod b.
- Proof First, c a mod b implies ?t a bt
c. Letg gcd(a,b), and g' gcd(b,c). Since
ga and gb (thus gbt) we know g(a-bt), i.e.
gc. Sincegb ? gc, it follows that g
gcd(b,c) g'. Now, since g'b (thus g'bt) and
g'c, we know g'(btc), i.e., g'a. Since g'a
? g'b, it follows thatg' gcd(a,b) g. Since
we have shown that both gg' and g'g, it must be
the case that gg'.
20Proof of Theorem 1
- Theorem 1 ?ab0 ?st gcd(a,b) sa tb
- Proof (By induction over the value of the larger
argument a.) From theorem 0, we know that
gcd(a,b) gcd(b,c) ifc a mod b, in which case
a kb c for some integer k, so c a - kb.
Now, since blta and cltb, by inductive hypothesis,
we can assume that ?uv gcd(b,c) ub vc.
Substituting for c, this is ubv(a-kb), which we
can regroup to get va (u-vk)b. So now let s
v, and let t u-vk, and were finished. The
base case is solved by s1, t0, which works for
gcd(a,0), or if ab originally.
21Proof of Lemma 1
- Lemma 1 gcd(a,b)1 ? abc ? ac
- Proof Applying theorem 1, ?st satb1.
Multiplying through by c, we have thatsac tbc
c. Since abc is given, we know that atbc,
and obviously asac. Thus (using the theorem on
p.154), it follows that a(sactbc) in other
words, that ac.
22Proof of Lemma 2
- Lemma 2 Prime pa1an ? ?i pai.
- Proof If n1, this is immediate since pa0 ?
pa0. Suppose the lemma is true for all nltk and
suppose pa1ak. If pm where ma1ak-1 then we
have it inductively. Otherwise, we have pmak
but (pm). Since m is not a multiple of p, and
p has no factors, m has no common factors with p,
thus gcd(m,p)1. So by applying lemma 1, pak.
23Uniqueness of Prime Factorizations
The hard part of proving the Fundamental
Theorem of Arithmetic.
- The prime factorization of any number n is
unique. - Theorem If p1ps q1qt are equal products of
two nondecreasing sequences of primes, then st
and pi qi for all i. - Proof Assume (without loss of generality) that
all primes in common have already been divided
out, so that ?ij pi ? qj. But since p1ps
q1qt, we have that p1q1qt, since p1(p2ps)
q1qt. Then applying lemma 2, ?j p1qj. Since
qj is prime, it has no divisors other than itself
and 1, so it must be that piqj. This contradicts
the assumption ?ij pi ? qj. The only resolution
is that after the common primes are divided out,
both lists of primes were empty, so we couldnt
pick out p1. In other words, the two lists must
have been identical to begin with!
24Proof of Theorem 2
- Theorem 2 If ac bc (mod m) and gcd(c,m)1,
then a b (mod m). - Proof Since ac bc (mod m), this means m
ac-bc. Factoring the right side, we getr m c(a
- b). Since gcd(c,m)1, lemma 1 implies that m
a-b, in other words, that a b (mod m).
25An Application of Theorem 2
- Suppose we have a pure-multiplicative
pseudo-random number generator xn using a
multiplier a that is relatively prime to the
modulus m. - Then the transition function that maps from xn to
xn1 is bijective. - Because if xn1 axn mod m axn' mod m, then
xnxn' (by theorem 2). - This in turn implies that the sequence of numbers
generated cannot repeat until the original number
is re-encountered. - And this means that on average, we will visit a
large fraction of the numbers in the range 0 to
m-1 before we begin to repeat! - Intuitively, because the chance of hitting the
first number in the sequence is 1/m, so it will
take T(m) tries on average to get to it. - Thus, the multiplier a ought to be chosen
relatively prime to the modulus, to avoid
repeating too soon.
26Linear Congruences, Inverses
- A congruence of the form ax b (mod m) is called
a linear congruence. - To solve the congruence is to find the xs that
satisfy it. - An inverse of a, modulo m is any integer a' such
thata'a 1 (mod m). - If we can find such an a', notice that we can
then solve axb by multiplying through by it,
giving a'axa'b, thus 1xa'b, thus xa'b. - Theorem 3 If gcd(a,m)1 and mgt1, then a has a
unique (modulo m) inverse a'. - Proof By theorem 1, ?st satm 1, so satm 1
(mod m). Since tm0 (mod m), sa1 (mod m). Thus
s is an inverse of a (mod m). Theorem 2
guarantees that if rasa1 then rs, thus this
inverse is unique mod m. (All inverses of a are
in the same congruence class as s.)
27Chinese Remainder Theorem
- Theorem (Chinese remainder theorem.) Let
m1,,mn gt 0 be relatively prime. Then the system
of equations x ai (mod mi) (for i1 to n) has a
unique solution modulo m m1mn. - Proof Let Mi m/mi. (Thus gcd(mi, Mi)1.) So by
theorem 3, ?yiMi' such that yiMi1 (mod mi).
Now let x ?i aiyiMi. Since miMk for k?i, Mk0
(mod mi), so xaiyiMiai (mod mi). Thus, the
congruences hold. (Uniqueness is an exercise.) ?
28Computer Arithmetic w. Large Ints
- By Chinese Remainder Theorem, an integer a where
0altm?mi, gcd(mi,mj?i)1, can be represented by
as residues mod mi - (a mod m1, a mod m2, , a mod mn)
- To perform arithmetic upon large integers
represented in this way, - Simply perform ops on these separate residues!
- Each of these might be done in a single machine
op. - The ops may be easily parallelized on a vector
machine. - Works so long as m gt the desired result.
29Computer Arithmetic Example
- For example, the following numbers are relatively
prime - m1 225-1 33,554,431 31 601 1,801
- m2 227-1 134,217,727 7 73 262,657
- m3 228-1 268,435,455 3 5 29 43 113
127 - m4 229-1 536,870,911 233 1,103 2,089
- m5 231-1 2,147,483,647 (prime)
- Thus, we can uniquely represent all numbers up to
m ?mi 1.41042 2139.5 by their residues ri
modulo these five mi. - E.g., 1030 (r1 20,900,945 r2
18,304,504 r3 65,829,085
r4 516,865,185 r5 1,234,980,730) - To add two such numbers in this representation,
- Just add their corresponding residues using
machine-native 32-bit integers. - Take the result mod 2k-1
- If result is the appropriate 2k-1 value,
subtract out 2k-1 - Or just take the low k bits and add 1.
- Note No carries are needed between the different
pieces!
30Pseudoprimes
- Ancient Chinese mathematicians noticed that
whenever n is prime, 2n-11 (mod n). - Some also claimed that the converse was true.
- However, it turns out that the converse is not
true! - If 2n-11 (mod n), it doesnt follow that n is
prime. - For example, 3411131, but 23401 (mod 341).
- Composites n with this property are called
pseudoprimes. - More generally, if bn-11 (mod n) and n is
composite, then n is called a pseudoprime to the
base b.
31Carmichael numbers
- These are sort of the ultimate pseudoprimes.
- A Carmichael number is a composite n such that
bn-11 (mod n) for all b relatively prime to n. - The smallest few are 561, 1105, 1729, 2465, 2821,
6601, 8911, 10585, 15841, 29341. - Well, so what? Who cares?
- Exercise for the student Do some research and
find me a useful interesting application of
Carmichael numbers. (Extra credit.)
32Fermats Little Theorem
- Fermat generalized the ancient observation that
2p-11 (mod p) for primes p to the following more
general theorem - Theorem (Fermats Little Theorem.)
- If p is prime and a is any non-negative integer,
then apa (mod p). - Furthermore, if (pa), then ap-11 (mod p).
33Public Key Cryptography
- In private key cryptosystems, the same secret
key string is used to both encode and decode
messages. - This raises the problem of how to securely
communicate the key strings. - In public key cryptosystems, instead there are
two complementary keys. - One key decrypts the messages that the other one
encrypts. - This means that one key (the public key) can be
made public, while the other (the private key)
can be kept secret from everyone. - Messages to the owner can be encrypted by anyone
using the public key, but can only be decrypted
by the owner using the private key. - Like having a private lock-box with a slot for
messages. - Or, the owner can encrypt a message with their
private key, and then anyone can decrypt it, and
know that only the owner could have encrypted it. - This is the basis of digital signature systems.
- The most famous public-key cryptosystem is RSA.
- It is based entirely on number theory!
34Rivest-Shamir-Adleman (RSA)
- The private key consists of
- A pair p,q of large random prime numbers, and
- An exponent e that is relatively prime to
(p-1)(q-1). - The public key consists of
- The product n pq (but not p and q), and
- d, an inverse of e modulo (p-1)(q-1), but not e
itself. - To encrypt a message encoded as an integer Mltn
- Compute C Me mod n.
- To decrypt the encoded message C,
- Compute M Cd mod n.
35Why RSA Works
- Theorem (Correctness of RSA) (Me)d M (mod n).
Proof - By the definition of d, we know that de 1 mod
(p-1)(q-1). - Thus by the definition of modular congruence, ?k
de 1 k(p-1)(q-1). - So, the result of decryption is Cd (Me)d Mde
M1k(p-1)(q-1) (mod n) - Assuming that M is not divisible by either p or
q, - Which is nearly always the case when p and q are
very large, - Fermats Little Theorem tells us that Mp-11 (mod
p) and Mq-11 (mod q) - Thus, we have that the following two congruences
hold - First Cd M(Mp-1)k(q-1) M1k(q-1) M
(mod p) - Second Cd M(Mq-1)k(p-1) M1k(p-1) M (mod
q) - And since gcd(p,q)1, we can use the Chinese
Remainder Theorem to show that therefore CdM
(mod pq) - If CdM (mod pq) then ?s CdspqM, so CdM (mod
p) and (mod q). Thus M is a solution to these
two congruences, so (by CRT) its the only
solution.