Number theory resolves a problem in a divorce
Sunil K. Chebolu
Illinois State University
1/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Beer is proof that God loves us and wants us to have a good time
Benjamin Franklin
Number Theory is proof that God loves us and wants us to have a
good time
Sunil Chebolu
2/23
Sunil Chebolu
Number theory resolves a problem in a divorce
A divorce problem
Alice and Bob are getting a divorce and have to discuss who gets
what.
They are already separated and they live in different cities and
can’t stand facing each other.
They don’t seem to agree on one thing:
3/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Who gets the car?
4/23
Sunil Chebolu
Number theory resolves a problem in a divorce
After much deliberation on the matter, they decide to flip a coin
5/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Coin flipping over the telephone is tricky
Problem: If they don’t trust each other how can they flip a coin
over the telephone without bringing in a 3rd party (a referee)?
“Flipping a coin” really means performing some random
experiment akin to coin tossing which has two equally likely
outcomes and in which no party can cheat.
6/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Assumptions
Before we go further we will make a couple of mild assumptions on
the couple.
7/23
I
Bob and Alice have math degrees and they love number
theory (more than their partner).
I
They also have access to MAPLE software for computing.
Sunil Chebolu
Number theory resolves a problem in a divorce
The coin toss protocol
1. Alice picks two large distinct prime numbers p and q and tells
Bob the product n(= pq). (p and q are known only to Alice.)
2. Bob picks a random positive integer s less than n such that
gcd(s, n) = 1. He sends Alice the remainder a obtained when
s 2 is divided by n. (Thus s 2 ≡ a mod n.)
3. Alice then solves the equation x 2 ≡ a mod n and will get two
pair of solutions:
{s, −s}
and {t, −t}.
Alice now picks one pair and tells it to Bob. (If pairs are not
distinct, they startover.)
4. If Alice picks {s, −s} she get the car. Otherwise, Bob will
keep the car, and to prove that he won he reveals s.
8/23
Sunil Chebolu
Number theory resolves a problem in a divorce
An example with numbers
1. Alice picks p = 31 and q = 23 and tells Bob n = pq = 713.
2. Bob picks s = 220 and sends Alice a = 629;
629 ≡ 2202
mod 713.
3. Alice solves the modular quadratic equation
x 2 ≡ 629
mod 713
and obtains two pairs of solutions:{220, 493} and {654, 59}
Alice now picks one of these pairs and sends it to Bob.
4. If she picks {220, 493} she wins, otherwise Bob wins.
9/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Computational issues
10/23
I
Database of large primes is available for free on the internet,
and multiplying them is done easily by MAPLE. This is how
Alice gets hold of n, which is p × q.
I
One does not have to search for large primes on the internet.
There are fantastic methods for primality testing which Alice
can use to get hold of large primes.
I
Bob has to pick a random number s less than n which is
coprime to n: this is also easy because the Euclidean
algorithm runs in polynomial time. The next step for Bob is
to square s and take the remainder a obtained upon dividing
by n. This is done by MAPLE in a split second.
Sunil Chebolu
Number theory resolves a problem in a divorce
I
Alice now has to solve the equation x 2 = a in Zn . This has at
least one solution (s). In fact, the Chinese remainder theorem
Zn ∼
= Zp × Zq
(recall that p 6= q) tells that the above equation has four
solutions because s is chosen such that gcd(s, n) = 1. These
four solutions come in pairs corresponding to the equations
x12 ≡ a1
mod p, x22 ≡ a2
mod q,
Here x = (x1 , x2 ) and a = (a1 , a2 ) under the Chinese reminder
theorem.
Thanks to the Tonelli-Shanks algorithm which gives an
efficient method to compute the roots of a quadratic equation
modulo a prime.
11/23
Sunil Chebolu
Number theory resolves a problem in a divorce
The Key point
The key point here is that it is only Alice who can find all 4 roots
of the equation
x 2 ≡ a mod n
because she is the one who knows the two prime factors p and q of
n.
Bob, on the other hand, has no access to these two primes which
constitute n. So he cannot compute (in any reasonable amount of
time) the roots of the above equation even using the world’s
fastest super computer. He does know that {s, −s} are the roots
but that is of no help in getting the other two roots.
12/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Why can’t Bob decompose n into its prime factors?
This is next to impossible. The arithmetic complexity is enormous.
To give some numbers, a single 2.2 GHz machines takes about 70
years to decompose an integer n with 200 digits into its prime
factors!
However, a large assembly of IBM supercomputers (see above
picture) is estimated to cut down the computing time to one year.
The impossibility of factoring these large numbers in real time is
the basis for this protocol. The same is true for the RSA protocol.
13/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Why is it not possible to cheat?
Clearly the punch line is the last step where Alice sends Bob one of
the two pairs {s, −s}, {t, −t}. Alice wins if and only if she sends
Bob the only pair {s, −s} which he has. Let us then consider the
two possibilities.
1. Alice sends {s, −s}: Bob cannot claim that he has the other
pair with him because he has to declare it, and as mentioned
above there is no way he can get that without the knowledge
of the primes p and q which constitute n. So Alice wins.
(Bob will of course verify that this is indeed the other root of
the the equation by substituting it in the equation.)
2. Alice sends {t, −t}: This is a clear case. Bob wins because he
will instantly declare the pair {s, −s} which is different from
what Alice has sent.
14/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Bottom line: There is no room for cheating! The algorithm is
cheat-proof.
15/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Warning!
There is one aspect in which this protocol differs from an ordinary
unbiassed coin: n cannot be reused
Suppose Bob and Alice want to do another coin toss to decide who
gets the computer. They cannot reuse the same value of n. Why is
that so?
Suppose Bob won the first time. This happens when Alice declared
the pair {t, −t}. Bob already has {s, −s}. So now Bob has all
four roots. Using these roots he can compute p and q as follows.
16/23
Sunil Chebolu
Number theory resolves a problem in a divorce
The roots s and t determine p and q
I
s 2 ≡ t 2 ≡ a mod n
I
n divides t 2 − s 2 = (t + s)(t − s)
I
n cannot divide t − s or else t ≡ s mod n
I
similarly n cannot divide t + s or else t ≡ −s mod n
I
since n = pq, this means p divides t + s and q divides t − s,
or vice-versa.
I
at any rate, Bob would know the factorisation n = pq as
n = gcd(n, s + t) gcd(n, t − s).
Good News: This is not a problem because the great Euclid told us
more than 2000 years ago that there are infinitely many primes.
17/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Decomposing an integer into its prime factors is HARD
The impossibility of factoring these large numbers in real time is
the basis for this protocol. The same is true for the RSA public-key
encryption.
This is where all the money is.
18/23
Sunil Chebolu
Number theory resolves a problem in a divorce
RSA Factoring Challenge
The RSA Factoring Challenge was a challenge put forward by RSA
Laboratories in 1991 to encourage research into computational
number theory and the practical difficulty of factoring large
integers and cracking RSA keys used in cryptography.
They published a list of semiprimes (numbers with exactly two
prime factors) known as the RSA numbers, with a cash prize for
the successful factorization of some of them.
The smallest of them, a 100 decimal digit number called RSA-100
was factored by April 1, 1991, but many of the bigger numbers
have still not been factored and are expected to remain unfactored
for quite some time.
19/23
Sunil Chebolu
Number theory resolves a problem in a divorce
A recent result
In 2010 the following 232-digit number (RSA-768) has been
factored as a combined effort of several researches and hundreds of
high-powered machines over a span of 2 years.
RSA-768 = 12301866845301177551304949583849627207728535
6959533479219732245215172640050726365751874520219978646
9389956474942774063845925192557326303453731548268507917
02612214291346160429214311602221240479274737940806653514
19597459856902143413
=
3347807169895689878604416984821269081770479498371376856891
2431388982883793878002287614711652531743087737814467999489
×
3674604366679959042824463379962795263227915816434308764267
60322838157396665112792333734171433968102702798736308917
20/23
Sunil Chebolu
Number theory resolves a problem in a divorce
How can we become rich?
RSA has announced $200,000 cash prize for factoring the following
617-digit number.
RSA-617 =
2270180129378501419358040512020458674106123596276658390709
4021879215171483119139894870133091111044901683400949483846
8182995180417635079489225907749254660881718792594659210265
9704670044981989909686203946001774309447381105699129412854
2891880855362707407670722593737772666973440977361243336397
3080517630915068363107953126072395203652900321058488395079
8145230729941718571579629745499502350531604091985919371802
3307414880446217922800831766040938656344571034778553457121
0805307363945359239326518660305150410609664373133236728315
3932350006793710754195543736243324836124252594586880235391
6766181532375855504886901432221349733
21/23
Sunil Chebolu
Number theory resolves a problem in a divorce
Looking into the future
The RSA-617 is predicted to be factored in 2041 !
Based on today’s technology, it is predicted that factoring a
230-digit number in one year would require 215,000 Pentium-class
machines!
This is the story with digital electronic computers. What about
quantum computers? That is a can of worms to be opened in
another talk but it suffices to say that the research on quantum
computing is still in its early stages and mankind has a long way to
go before it can announce any impressive results.
22/23
Sunil Chebolu
Number theory resolves a problem in a divorce
THANK YOU
23/23
Sunil Chebolu
Number theory resolves a problem in a divorce