Bogazici University Department of Computer Engineering CmpE 220 Discrete Mathematics 09' Application - PowerPoint PPT Presentation


PPT – Bogazici University Department of Computer Engineering CmpE 220 Discrete Mathematics 09' Application PowerPoint presentation | free to download - id: 17ec78-ZDc1Z


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Bogazici University Department of Computer Engineering CmpE 220 Discrete Mathematics 09' Application


Based on Rosen, Discrete Mathematics & Its Applications, 5e ... Crucially, we can do the mod m operations as we go along, because of the various ... – PowerPoint PPT presentation

Number of Views:58
Avg rating:3.0/5.0
Slides: 43
Provided by: michae1484


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Bogazici University Department of Computer Engineering CmpE 220 Discrete Mathematics 09' Application

Bogazici University Department of Computer
Engineering CmpE 220 Discrete Mathematics 09.
Applications of Number Theory Haluk Bingöl
Module 9 Applications of Number Theory
  • Rosen 5th ed., 2.4-2.6
  • 33 slides, 1.5 lectures

Applications from 2.4
  • Hashing Functions (hashes)
  • Pseudorandom Numbers
  • Cryptology

Hashing Functions
Hashing Functions
  • Also known as
  • hash functions, hash codes, or just hashes.
  • Two major uses
  • Indexing hash tables
  • Data structures which support O(1)-time access.
  • Creating short unique IDs for long documents.
  • Used in digital signatures the short ID can be
    signed, rather than the long document.

Hash Function Requirements
  • Def. A hash function h A?B is a map from a set
    A to a smaller set B (i.e., A B).
  • An effective hash function should have the
    following properties
  • It should cover (be onto) its codomain B.
  • It should be efficient to calculate
  • ideally, it should take O(log A) operations.
  • The cardinality of each preimage of an element of
    B should be about the same.
  • ?b1,b2?B h-1(b1) h-1(b2)
  • That is, elements of B should be generated with
    roughly uniform probability.
  • Ideally, the map should appear random, so that
    clearly similar elements of A are not likely to
    map to the same (or similar) elements of B.

Hash Function Requirements
  • Furthermore, for a cryptographically secure hash
  • Given an element b?B, the problem of finding an
    a?A such that h(a)b should have average-case
    time complexity of O(Bc) for some cgt0.
  • This ensures that it would take exponential time
    in the length of an ID for an opponent to fake
    a different document having the same ID.

A Simple Hash Using mod
  • Let the domain and codomain be the sets of all
    natural numbers below certain bounds
  • A a?N a lt alim, B b?N b lt
  • Then an acceptable (although not great) hash
    function from A to B (when alimblim) is h(a)
    a mod blim.
  • It has the following desirable hash function
  • It covers or is onto its codomain B (its range is
  • When alim blim, then each b?B has a preimage of
    about the same size,
  • Specifically, h-1(b) ?alim/blim? or
  • However, it has the following limitations
  • It is not very random.
  • For example, if all as encountered happen to
    have the same residue mod blim, they will all map
    to the same b!
  • It is definitely not cryptographically secure.
  • Given a b, it is easy to generate as that map to
  • Namely, we know that for any n?N, h(b nblim)

Hash Table Characteristics
  • A hash table is a type of container data
    structure often used for representing a set.
  • It has these properties
  • Every element e stored is assigned a unique key
  • It identifies the element and can be easily
    calculated from e.
  • It supports the following operations with O(1)
    expected (average case) time
  • Looking up an element e given its key k.
  • Adding a new element e to the hash table.
  • Deleting an element e from the hash table.
  • Listing the next element, in an enumeration of
    all elements.

Simple Hash Table Implementation
  • There is an array eb with blim locations for
    storing elements.
  • procedure store(e element) a k(e)
    calculate key a of element b h(a) hash
    the key to a storage location b while (eb ? null
    ? k(eb) ? a) not e or empty b (b1) mod
    blim go to next loc.,circularly if eb null
    then eb e store it if it wasnt there
  • procedure lookup(a?A desired elements key) b
    h(a) hash it to a location
    b while (eb ? null ? k(eb) ? a) not e or
    empty b (b1) mod blim go to next loc.,
    circularly if k(eb) a then return eb else
    return null

Exercise What happens when the array is
full? How might you fix this problem?
Digital Signature Application
  • Many digital signature systems use a
    cryptographically secure (but public) hash
    function h which maps arbitrarily long documents
    down to fixed-length (e.g., 1,024-bit)
    fingerprint strings.
  • Document signing procedure
  • Given a document a to sign, quickly compute its
    hash b h(a).
  • Compute a certain function c f(b) that is known
    only to the signer
  • This step is generally slow, so we dont want to
    apply it to the whole document.
  • Deliver the original document together with the
    digital signature c.

Digital Signature Application
  • Signature verification procedure
  • Given a document a and signature c, quickly find
    as hash b h(a).
  • Compute b' f -1(c). (Possible if fs inverse f
    -1 is made public.)
  • Compare b to b' if they are equal then the
    signature is valid.
  • Note that if h were not cryptographically secure,
    then an opponent could easily forge a different
    document a' that hashes to the same value b, and
    thereby attach someones digital signature to a
    different document than they actually signed, and
    fool the verifier.

Pseudo-random Numbers
Pseudo-random Numbers
  • Numbers that are generated deterministically, but
    that appear random for all practical purposes.
  • Used in many applications, such as
  • Hash functions
  • Simulations, games, graphics
  • Cryptographic algorithms

Linear Congruential Method
  • One simple common pseudo-random number generating
  • Uses the mod operator
  • Requires four natural numbers
  • The modulus m, the multiplier a, the increment c,
    and the seed x0 where 2 a lt m, 0 c lt m, 0
    x0 lt m.
  • Generates the pseudo-random sequence xn with 0
    xn lt m, via the following
  • xn1 (axn c) mod m.
  • Tends to work best when a,c,m are prime, or at
    least relatively prime.
  • If c0, the method is called a pure
    multiplicative generator.

  • Let modulus m 1,000 2353.
  • To generate outputs in the range 0-999.
  • Pick increment c 467 (prime), multiplier a
    293 (also prime), seed x0 426.
  • Then we get the pseudo-random sequence
  • x1 (ax0 c) mod m 285
  • x2 (ax1 c) mod m 972
  • x3 (ax2 c) mod m 263
  • and so on…

Note alternating odd and even values results
from m being even
  • This is the study of secret (coded) messages. It
  • Cryptography Methods for encrypting and
    decrypting secret (coded) messages.
  • Cryptanalysis Methods for code-breaking.
  • Some simple early codes include Caesars cipher
  • Associate each letter w. its position 0-25 in the
  • Encrypt by replacing letter n by letter (n3) mod
  • Decrypt by replacing n with (n-3) mod 26.
  • This a simple example of a shift cipher (nk) mod
  • Can generalize this to affine transforms (linear
    1-1 transforms) (an b) mod 26, e.g., (7n3) mod
  • This is still very insecure however!

Modular Exponentiation Problem
Modular Exponentiation Problem (from 2.5)
  • Problem Given large integers b (base), n
    (exponent), and m (modulus), efficiently compute
    bn mod m.
  • Note that bn itself may be completely infeasible
    to compute and store directly.
  • E.g. if n is a 1,000-bit number, then bn itself
    will have far more digits than there are atoms in
    the universe!
  • Yet, this is a type of calculation that is
    commonly required in modern cryptographic

Modular Exponentiation
  • procedure modularExponentiation(b integer, n
    (nk-1…n0)2, m positive integers) x 1
    result will be accumulated here b2i b mod m
    mod m i0 initially for i 0 to k-1
    go thru all k bits of n if ni 1 then x
    (xb2i) mod m b2i (b2ib2i) mod m return x

Why that Algorithm Works
The binary expansion of n
  • Note that
  • We can compute b to various powers of 2 by
    repeated squaring.
  • Then multiply them into the partial product, or
    not, depending on whether the corresponding ni
    bit is 1.
  • Crucially, we can do the mod m operations as we
    go along, because of the various identity laws of
    modular arithmetic. All the numbers stay small.

b1 b
2.6 More on Applications
  • Misc. useful results
  • Linear congruences
  • Chinese Remainder Theorem
  • Computer arithmetic w. large integers
  • Pseudoprimes
  • Fermats Little Theorem
  • Public Key Cryptography
  • The Rivest-Shamir-Adleman (RSA) cryptosystem

Some Misc. Results
  • Thm. (Euclid)
  • ?a,b gt 0 gcd(a,b) gcd(b, a mod b)
  • Thm.
  • ?a,bgt0 ?s,t gcd(a,b) sa tb
  • Lemma.
  • ?a,b,cgt0 gcd(a,b)1 ? a bc ? ac
  • Lemma.
  • If p is prime and pa1a2…an (integers ai) then
    ?i pai.
  • Thm.
  • If ac bc (mod m) and gcd(c,m)1, then a b
    (mod m).

Proof Euclids Algorithm Works
  • Thm. gcd(a,b) gcd(b,c) if c a mod b. Proof.
    First, c a mod b implies ?t a bt c. Let g
    gcd(a,b), and g' gcd(b,c). Since ga and
    gb (thus gbt) we know g(a-bt), i.e. gc.
    Since gb ? gc, it follows that g gcd(b,c)
    g'. Now, since g'b (thus g'bt) and g'c, we
    know g'(btc), i.e., g'a. Since g'a ? g'b,
    it follows that g' gcd(a,b) g. Since we have
    shown that both gg' and g'g, it must be the
    case that gg'.

Proof of Theorem 1
  • Thm. ?ab0 ?st gcd(a,b) sa tb Proof. (By
    induction over the value of the larger argument
    a.) From theorem 0, we know that gcd(a,b)
    gcd(b,c) if c a mod b, in which case a kb c
    for some integer k, so c a - kb. Now, since
    blta and cltb, by inductive hypothesis, we can
    assume that ?uv gcd(b,c) ub vc.
    Substituting for c, this is ubv(a-kb), which we
    can regroup to get va (u-vk)b. So now let s
    v, and let t u-vk, and were finished. The
    base case is solved by s1, t0, which works for
    gcd(a,0), or if ab originally.

Proof of Lemma 1
  • Lemma. gcd(a,b)1 ? abc ? ac Proof. Applying
    theorem 1, ?st satb1. Multiplying through by
    c, we have that sac tbc c. Since abc is
    given, we know that atbc, and obviously asac.
    Thus (using the theorem on p.154), it follows
    that a(sactbc) in other words, that ac.

Proof of Lemma 2
  • Lemma. Prime pa1…an ? ?i pai. Proof. If n1,
    this is immediate since pa0 ? pa0. Suppose the
    lemma is true for all nltk and suppose pa1…ak.
    If pm where ma1…ak-1 then we have it
    inductively. Otherwise, we have pmak but
    (pm). Since m is not a multiple of p, and p
    has no factors, m has no common factors with p,
    thus gcd(m,p)1. So by applying lemma 1, pak.

Uniqueness of Prime Factorizations
  • The prime factorization of any number n is
  • Thm. If p1…ps q1…qt are equal products of two
    nondecreasing sequences of primes, then st and
    pi qi for all i. Proof. Assume (without loss
    of generality) that all primes in common have
    already been divided out, so that ?ij pi ? qj.
    But since p1…ps q1…qt, we have that p1q1…qt,
    since p1(p2…ps) q1…qt. Then applying lemma 2,
    ?j p1qj. Since qj is prime, it has no divisors
    other than itself and 1, so it must be that
    piqj. This contradicts the assumption ?ij pi ?
    qj. The only resolution is that after the common
    primes are divided out, both lists of primes were
    empty, so we couldnt pick out p1. In other
    words, the two lists must have been identical to
    begin with!

Proof of Theorem 2
  • Thm. If ac bc (mod m) and gcd(c,m)1, then a
    b (mod m). Proof. Since ac bc (mod m), this
    means m ac-bc. Factoring the right side, we
    getr m c(a - b). Since gcd(c,m)1, lemma 1
    implies that m a-b, in other words, that a b
    (mod m).

(No Transcript)
An Application of Theorem 2
  • Suppose we have a pure-multiplicative
    pseudo-random number generator xn using a
    multiplier a that is relatively prime to the
    modulus m.
  • Then the transition function that maps from xn to
    xn1 is bijective.
  • Because if xn1 axn mod m axn' mod m, then
    xnxn' (by theorem 2).
  • This in turn implies that the sequence of numbers
    generated cannot repeat until the original number
    is re-encountered.
  • And this means that on average, we will visit a
    large fraction of the numbers in the range 0 to
    m-1 before we begin to repeat!
  • Intuitively, because the chance of hitting the
    first number in the sequence is 1/m, so it will
    take T(m) tries on average to get to it.
  • Thus, the multiplier a ought to be chosen
    relatively prime to the modulus, to avoid
    repeating too soon.

Linear Congruences, Inverses
  • A congruence of the form ax b (mod m) is called
    a linear congruence.
  • To solve the congruence is to find the xs that
    satisfy it.
  • An inverse of a, modulo m is any integer a' such
    that a'a 1 (mod m).
  • If we can find such an a', notice that we can
    then solve axb by multiplying through by it,
    giving a'axa'b, thus 1xa'b, thus xa'b.
  • Theorem 3 If gcd(a,m)1 and mgt1, then a has a
    unique (modulo m) inverse a'.
  • Proof By theorem 1, ?st satm 1, so satm 1
    (mod m). Since tm0 (mod m), sa1 (mod m). Thus
    s is an inverse of a (mod m). Theorem 2
    guarantees that if rasa1 then rs, thus this
    inverse is unique mod m. (All inverses of a are
    in the same congruence class as s.)

Chinese Remainder Theorem
  • Theorem (Chinese remainder theorem.) Let
    m1,…,mn gt 0 be relatively prime. Then the system
    of equations x ai (mod mi) (for i1 to n) has a
    unique solution modulo m m1…mn.
  • Proof Let Mi m/mi. (Thus gcd(mi, Mi)1.) So by
    theorem 3, ?yiMi' such that yiMi1 (mod mi).
    Now let x ?i aiyiMi. Since miMk for k?i, Mk0
    (mod mi), so xaiyiMiai (mod mi). Thus, the
    congruences hold. (Uniqueness is an exercise.) ?

Computer Arithmetic w. Large Ints
  • By Chinese Remainder Theorem, an integer a where
    0altm?mi, gcd(mi,mj?i)1, can be represented by
    as residues mod mi
  • (a mod m1, a mod m2, …, a mod mn)
  • To perform arithmetic upon large integers
    represented in this way,
  • Simply perform ops on these separate residues!
  • Each of these might be done in a single machine
  • The ops may be easily parallelized on a vector
  • Works so long as m gt the desired result.

Computer Arithmetic Example
  • For example, the following numbers are relatively
  • m1 225-1 33,554,431 31 601 1,801
  • m2 227-1 134,217,727 7 73 262,657
  • m3 228-1 268,435,455 3 5 29 43 113
  • m4 229-1 536,870,911 233 1,103 2,089
  • m5 231-1 2,147,483,647 (prime)
  • Thus, we can uniquely represent all numbers up to
    m ?mi 1.41042 2139.5 by their residues ri
    modulo these five mi.
  • E.g., 1030 (r1 20,900,945 r2
    18,304,504 r3 65,829,085
    r4 516,865,185 r5 1,234,980,730)
  • To add two such numbers in this representation,
  • Just add their corresponding residues using
    machine-native 32-bit integers.
  • Take the result mod 2k-1
  • If result is the appropriate 2k-1 value,
    subtract out 2k-1
  • Or just take the low k bits and add 1.
  • Note No carries are needed between the different

  • Ancient Chinese mathematicians noticed that
    whenever n is prime, 2n-11 (mod n).
  • Some also claimed that the converse was true.
  • However, it turns out that the converse is not
  • If 2n-11 (mod n), it doesnt follow that n is
  • For example, 3411131, but 23401 (mod 341).
  • Composites n with this property are called
  • More generally, if bn-11 (mod n) and n is
    composite, then n is called a pseudoprime to the
    base b.

Carmichael numbers
  • These are sort of the ultimate pseudoprimes.
  • A Carmichael number is a composite n such that
    bn-11 (mod n) for all b relatively prime to n.
  • The smallest few are 561, 1105, 1729, 2465, 2821,
    6601, 8911, 10585, 15841, 29341.
  • Well, so what? Who cares?
  • Exercise for the student Do some research and
    find me a useful interesting application of
    Carmichael numbers. (Extra credit.)

Fermats Little Theorem
  • Fermat generalized the ancient observation that
    2p-11 (mod p) for primes p to the following more
    general theorem
  • Theorem (Fermats Little Theorem.)
  • If p is prime and a is any non-negative integer,
    then apa (mod p).
  • Furthermore, if (pa), then ap-11 (mod p).

Public Key Cryptography
  • In private key cryptosystems, the same secret
    key string is used to both encode and decode
  • This raises the problem of how to securely
    communicate the key strings.
  • In public key cryptosystems, instead there are
    two complementary keys.
  • One key decrypts the messages that the other one
  • This means that one key (the public key) can be
    made public, while the other (the private key)
    can be kept secret from everyone.
  • Messages to the owner can be encrypted by anyone
    using the public key, but can only be decrypted
    by the owner using the private key.
  • Like having a private lock-box with a slot for
  • Or, the owner can encrypt a message with their
    private key, and then anyone can decrypt it, and
    know that only the owner could have encrypted it.
  • This is the basis of digital signature systems.
  • The most famous public-key cryptosystem is RSA.
  • It is based entirely on number theory!

Rivest-Shamir-Adleman (RSA)
  • The private key consists of
  • A pair p,q of large random prime numbers, and
  • An exponent e that is relatively prime to
  • The public key consists of
  • The product n pq (but not p and q), and
  • d, an inverse of e modulo (p-1)(q-1), but not e
  • To encrypt a message encoded as an integer Mltn
  • Compute C Me mod n.
  • To decrypt the encoded message C,
  • Compute M Cd mod n.

Why RSA Works
  • Theorem (Correctness of RSA) (Me)d M (mod n).
  • By the definition of d, we know that de 1 mod
  • Thus by the definition of modular congruence, ?k
    de 1 k(p-1)(q-1).
  • So, the result of decryption is Cd (Me)d Mde
    M1k(p-1)(q-1) (mod n)
  • Assuming that M is not divisible by either p or
  • Which is nearly always the case when p and q are
    very large,
  • Fermats Little Theorem tells us that Mp-11 (mod
    p) and Mq-11 (mod q)
  • Thus, we have that the following two congruences
  • First Cd M(Mp-1)k(q-1) M1k(q-1) M
    (mod p)
  • Second Cd M(Mq-1)k(p-1) M1k(p-1) M (mod
  • And since gcd(p,q)1, we can use the Chinese
    Remainder Theorem to show that therefore CdM
    (mod pq)
  • If CdM (mod pq) then ?s CdspqM, so CdM (mod
    p) and (mod q). Thus M is a solution to these
    two congruences, so (by CRT) its the only

  • Rosen Discrete Mathematics and its Applications,
    5e Mc GrawHill, 2003