MATH 470 Lecture 12

« previous | Thursday, February 21, 2013 | next »

Homework Questions

${\displaystyle {\sqrt {11}}{\pmod {10949}}}$

${\displaystyle \left({\frac {11}{10949}}\right)=\left({\frac {10949}{11}}\right)=\left({\frac {4}{11}}\right)=1}$

Tonelli:

Use ${\displaystyle g=2}$ as non-square.

${\displaystyle p-1=2^{2}\cdot 2737}$, so ${\displaystyle (s,t)=(2,2737)}$

Only one iteration of loop with ${\displaystyle e=0}$

${\displaystyle 11\cdot 2^{-0})^{\frac {p-1}{4}}=-1}$, so ${\displaystyle e=2}$

${\displaystyle h={\frac {11}{2^{2}}}=2740{\pmod {10949}}}$

${\displaystyle {\sqrt {11}}=\pm g^{\frac {e}{2}}\,h^{\frac {t+1}{2}}=2\cdot 2740^{1369}{\pmod {10949}}=\pm 234}$

Riemann Hypothesis

${\displaystyle \left|\pi (x)-\mathrm {Li} (x)\right|=O({\sqrt {x}}\,\ln {x})}$ ${\displaystyle \left|\pi (x)-\mathrm {Li} (x)\right|<{\frac {{\sqrt {x}}\,\ln {x}}{4\tau }}\quad \forall x\geq 2657}$

Generalized Riemann Hypothesis

For primes in arithmetic progression

${\displaystyle \left|\pi (x;n,a)-{\frac {\mathrm {Li} (x)}{\phi (n)}}\right|<{\sqrt {x}}(\ln {x}+2\ln {n})\quad \forall x\geq 2}$

Rabin's Variant of RSA

Provably as hard to break as factoring certain integers (RSA might be easier to break than factoring, but just don't know this for sure).

1. Pick distinct primes ${\displaystyle p}$ and ${\displaystyle q}$ with roughly the same number of digits
2. Compute ${\displaystyle n}$ and publish it, but keep ${\displaystyle p}$ and ${\displaystyle q}$ secret
3. Bob encrypts a message ${\displaystyle m\in (\mathbb {Z} /n\mathbb {Z} )}$ via ${\displaystyle c=m^{2}{\pmod {n}}}$ —simple!
4. Alice solves ${\displaystyle {\begin{cases}x^{2}\equiv c{\pmod {p}}\\x^{2}\equiv c{\pmod {q}}\end{cases}}}$ using ${\displaystyle c^{\frac {p+1}{4}}}$, Tonelli's, and the Chinese Remainder Theorem.
5. Message will be one of square roots.

Proof

As hard to break as factoring because:

Proposition: If you can break Rabin's variant in randomized time poly in ${\displaystyle \ln {n}}$, then you can factor ${\displaystyle n}$ in randomized time poly in ${\displaystyle \ln {n}}$ too!

Suppose you can break Rabin's variant for ${\displaystyle n=301377}$. Find the square roots of 1 mod 301337: {1, -1, 113070, -113070}

Consider ${\displaystyle \mathrm {GCD} (113070-1,n)=541}$, so ${\displaystyle 541\mid n}$, and so does 557 (!)

Works because if you have ${\displaystyle x_{1},x_{2},y_{1},y_{2}}$ with ${\displaystyle x_{1}\equiv x_{2}\equiv y_{1}\equiv y_{2}{\pmod {n}}}$, the n ${\displaystyle x_{1}^{2}-y_{1}^{2}\equiv (x_{1}-y_{1})(x_{1}+y_{1})\equiv 0{\pmod {n}}}$

If ${\displaystyle x_{1}\neq y_{1}}$, then ${\displaystyle x_{1}-y_{1}\in \{-n+1,\ldots ,n-1\}}$ and ${\displaystyle \mathrm {GCD} (x_{1}-y_{1},n)>1}$ implies ${\displaystyle x_{1}-y_{1}}$ is ${\displaystyle p}$ or ${\displaystyle q}$!

So as long as ${\displaystyle x_{1},y_{1},x_{2},y_{2}\not \equiv 0{\pmod {p}}}$ (or mod ${\displaystyle q}$), you're good!

Shor's Algorithm

In 1994, Peter Shor (AT&T → MIT → Microsoft) found a quantum Randomized Polynomial Time Algorithm for factoring and (and discrete logarithms)!!

As far as we know, no one has a quantum computer large enough to implement this algorithm efficiently.

Involves continued fractions and the Quantum Fourier Transform

Decision Classes

A complexity class is a family of sets of bit strings

More practically, it can be thought of as a family of computational problems.

Our model of computation is the Turing Machine

P: Polynomial

The family of decision problems doable in time polynomial in the input size.

Legendre Symbol

Given the ${\displaystyle n}$-bit binary expansions for ${\displaystyle a\in \mathbb {Z} }$ and a prime ${\displaystyle p}$, decide whether ${\displaystyle {\sqrt {a}}{\pmod {p}}}$ exists. That is, evaluate ${\displaystyle a^{p-1}{2}{\pmod {p}}}$. This is in P

Stable Marriage Problem

${\displaystyle n}$ men and ${\displaystyle n}$ women with list of preferences. A "stable marriage" is where the man and women are at the same position in their preference list.

It turns out that stable marriages always exists, so its actually in constant time. Finding one takes a bit longer.

ZPP: Zero-Error Probability Polynomial

The family of decision problems where an answer, correct with probability 1/2, can be found in time polynomial in input size

Algorithms (return IDK or an answer with 50% probability) of this class are called "Las Vegas" algorithms: You are never cheated.

RP: Randomized Polynomial

The family of decision problems admitting an algorithm where a "yes" answer is always correct, but a "no" is wrong with probability ≤ 1/2

Compositeness

Given ${\displaystyle n\in \mathbb {N} }$, decide if it's composite. In particular, compare ${\displaystyle \left({\frac {a}{n}}\right)}$ with ${\displaystyle a^{\frac {n-1}{2}}{\pmod {n}}}$ for random ${\displaystyle a}$: if equal, then probably prime; if not equal, then composite.

Thanks to the Solovay-Strassen Theorem, Compositeness is in RP.