The Rabin-Miller Primality Test

Similar documents
Primality - Factorization

Cryptography and Network Security Chapter 8

Public Key Cryptography: RSA and Lots of Number Theory

Lecture 13 - Basic Number Theory.

Primes in Sequences. Lee 1. By: Jae Young Lee. Project for MA 341 (Number Theory) Boston University Summer Term I 2009 Instructor: Kalin Kostadinov

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

SECTION 10-2 Mathematical Induction

Math 319 Problem Set #3 Solution 21 February 2002

2 Primality and Compositeness Tests

Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

Computer and Network Security

5.1 Radical Notation and Rational Exponents

Factoring & Primality

Homework until Test #2

Factoring Algorithms

MATH 537 (Number Theory) FALL 2016 TENTATIVE SYLLABUS

Public Key Cryptography and RSA. Review: Number Theory Basics

mod 10 = mod 10 = 49 mod 10 = 9.

Applications of Fermat s Little Theorem and Congruences

RSA and Primality Testing

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

6.3 Conditional Probability and Independence

Cryptography and Network Security Number Theory

Groups in Cryptography

Some practice problems for midterm 2

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

3. Mathematical Induction

RSA Encryption. Tom Davis October 10, 2003

by the matrix A results in a vector which is a reflection of the given

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

26 Integers: Multiplication, Division, and Order

Session 6 Number Theory

Stupid Divisibility Tricks

Prime Numbers. Difficulties in Factoring a Number: from the Perspective of Computation. Computation Theory. Turing Machine 電 腦 安 全

2 When is a 2-Digit Number the Sum of the Squares of its Digits?

A Study on the Necessary Conditions for Odd Perfect Numbers

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

The application of prime numbers to RSA encryption

The Mathematics of the RSA Public-Key Cryptosystem

Vieta s Formulas and the Identity Theorem

Category 3 Number Theory Meet #1, October, 2000

Notes on Continuous Random Variables

Clock Arithmetic and Modular Systems Clock Arithmetic The introduction to Chapter 4 described a mathematical system

FURTHER INVESTIGATIONS WITH THE STRONG PROBABLE PRIME TEST

On Generalized Fermat Numbers 3 2n +1

FACTORING. n = fall in the arithmetic sequence

Chapter. Number Theory and Cryptography. Contents

WRITING PROOFS. Christopher Heil Georgia Institute of Technology

Increasing for all. Convex for all. ( ) Increasing for all (remember that the log function is only defined for ). ( ) Concave for all.

Chapter 7 - Roots, Radicals, and Complex Numbers

Notes on Factoring. MA 206 Kurt Bryan

Playing with Numbers

Cartesian Products and Relations

Chapter 11 Number Theory

Computing exponents modulo a number: Repeated squaring

Our Primitive Roots. Chris Lyons

Test1. Due Friday, March 13, 2015.

An Introduction to the RSA Encryption Method

CS 103X: Discrete Structures Homework Assignment 3 Solutions

Midterm Practice Problems

Math 3000 Section 003 Intro to Abstract Math Homework 2

The last three chapters introduced three major proof techniques: direct,

Introduction to Hypothesis Testing. Hypothesis Testing. Step 1: State the Hypotheses

Every Positive Integer is the Sum of Four Squares! (and other exciting problems)

Faster deterministic integer factorisation

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Finding Carmichael numbers

PYTHAGOREAN TRIPLES KEITH CONRAD

Basic Proof Techniques

3.1. RATIONAL EXPRESSIONS

MATH10040 Chapter 2: Prime and relatively prime numbers

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

SUM OF TWO SQUARES JAHNAVI BHASKAR

Normal distribution. ) 2 /2σ. 2π σ

15 Prime and Composite Numbers

Zeros of a Polynomial Function

Handout #1: Mathematical Reasoning

The cyclotomic polynomials

SIMPLIFYING SQUARE ROOTS EXAMPLES

3 Some Integer Functions

Recent Breakthrough in Primality Testing

Solution to Exercise 2.2. Both m and n are divisible by d, som = dk and n = dk. Thus m ± n = dk ± dk = d(k ± k ),som + n and m n are divisible by d.

Exponents and Radicals

CURVE FITTING LEAST SQUARES APPROXIMATION

8 Primes and Modular Arithmetic

8 Divisibility and prime numbers

Today s Topics. Primes & Greatest Common Divisors

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

Five fundamental operations. mathematics: addition, subtraction, multiplication, division, and modular forms

The Mean Value Theorem

IB Math Research Problem

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

Primes, Factoring, and RSA A Return to Cryptography. Table of contents

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Just the Factors, Ma am

ELLIPTIC CURVES AND LENSTRA S FACTORIZATION ALGORITHM

FACTORS AND MULTIPLES Answer Key

23. RATIONAL EXPONENTS

MATH 4330/5330, Fourier Analysis Section 11, The Discrete Fourier Transform

Transcription:

The Rabin-Miller Primality Test Fermat Pseudoprimes; The Fermat Primality Test Fermat s Little Theorem allows us to prove that a number is composite without actually factoring it. Fermat s Little Theorem (alternate statement): If a n 1 / 1 (mod n) for some a with a / 0 (mod n), then n is composite. This statement is absolute: There are no exceptions. Carmichael numbers are fairly rare: There are only seven less than 10000: 561, 1105, 1729, 2465, 2821, 6601, 8911 In fact, there are only 585,355 Carmichael numbers less than 10 17. Given a randomly chosen odd integer n less than 10 17, the probability that n is a Carmichael number is only a little over 10 11 (about one in one hundred billion). For a randomly chosen odd integer n with 100 to 300 digits, the probability that n is a Carmichael number appears to be exceedingly low (for practical purpose, zero). Unfortunately, the inverse statement is not always true. Inverse to Fermat s Little Theorem (not always true): If a n 1 1 (mod n) for some a with a / 0 (mod n), then n is prime. Some counterexamples: 2 340 1 (mod 341), but 341 = 11 31 is composite, and 5 560 1 (mod 561), but 561 = 3 11 17 is composite. We say that 341 is a Fermat pseudoprime (to the base 2), and 561 is a Fermat pseudoprime to the base 5. It is even possible for a n 1 1 (mod n) to hold for every a with gcd(a,n) = 1, and still have n be composite. This occurs if n is a Carmichael number (also called an absolute Fermat pseudoprime). A Carmichael number is a Fermat pseudoprime to any base a with gcd(a,n) = 1. If n is composite and not a Carmichael number, then there are at most ϕ(n)/2 values of a (1 a < n) for which a n 1 1 (mod n). Let n be any odd integer, other than a Carmichael number. Say we choose 50 random integers a and compute that each satisfies a n 1 1 (mod n). The probability that this would occur if n is composite is at most 2 50 10 15. So we can say with reasonable certainty that n is prime. If n is composite and not a Carmichael number, then it is actually possible to have ϕ(n)/2 values for which a n 1 1 (mod n). For example, take n = 91 = 7 13. ϕ(n) = 6 12 = 72. There are 36 values of a with a 72 1 (mod 91), namely a = 1, 3, 4, 9, 10, 12, 16, 17, 22, 23, 25, 27, 29, 30, 36, 38, 40, 43, 48, 51, 53, 55, 61, 62, 64, 66, 68, 69, 74, 75, 79, 81, 82, 87, 88, 90.

But this is unusual. For nearly all odd composite integers n (other than Carmichael numbers), a n 1 1 (mod n) for far fewer than ϕ(n)/2 values of a. For example, let us look at odd composite integers starting with 10001. n ϕ(n) No of a with a n 1 1(mod n) 10001 9792 64 10003 8568 36 10005 4928 64 10011 6440 280 10013 8640 16 10015 8008 4 10017 5616 16 10019 9744 4 10021 9100 100 10023 6144 8 10025 8000 32 10027 9720 162 10029 6684 4 10031 8592 4 10033 9828 36 10035 5328 8 10041 6192 4 10043 9020 4 This means that far fewer than the 50 random values of a, mentioned earlier, are typically sufficient to show that an odd integer (not a Carmichael number) is prime, with near certainty. For a randomly chosen odd integer n with 100 to 300 digits, it appears that if a n 1 1 (mod n) for even a single randomly chosen a, then n is prime with probability very close to 1. Fermat Test for Primality: To test whether n is prime or composite, choose a at random and compute a n 1 (mod n). i) If a n 1 1 (mod n), declare n a probable prime, and optionally repeat the test a few more times. ii) If a n 1 / 1 (mod n), declare n composite, and stop. We have seen that the Fermat test is really quite good for large numbers. One limitation: If someone is supposed to provide us with a prime number, and sends a Carmichael number instead, we cannot detect the deception with the Fermat test. In any case, we can improve upon the Fermat test at almost no cost. Euler Pseudoprimes; The Euler Test If n is an odd prime, we know that an integer can have at most two square roots, mod n. In particular, the only square roots of 1 (mod n) are ±1.

If a / 0 (mod n), a (n 1)/2 is a square root of a (n 1) 1 (mod n), so a (n 1)/2 ±1 (mod n). If a (n 1)/2 / ±1 (mod n) for some a with a / 0 (mod n), then n is composite. Euler Test: For a randomly chosen a with a / 0 (mod n), compute a (n 1)/2 (mod n). i) If a (n 1)/2 ±1 (mod n), declare n a probable prime, and optionally repeat the test a few more times. If n is large and chosen at random, the probability that n is prime is very close to 1. ii) If a (n 1)/2 / ±1 (mod n), declare n composite. This is always correct. The Euler test is more powerful than the Fermat test. If the Fermat test finds that n is composite, so does the Euler test. But the Euler test may find n composite even when the Fermat test fails. Why? If n is an odd composite integer (other than a prime power), 1 has at least 4 square roots mod n. So we can have a (n 1)/2 β (mod n), where β ±1 is a square root of 1. Then a n 1 1 (mod n). In this situation, the Fermat Test (incorrectly) declares n a probable prime, but the Euler test (correctly) declares n composite. We noted earlier that 2 340 1 (mod 341), even though 340 is composite, and 5 560 1 (mod 561), even though 561 is composite. We can compute that 2 170 1 (mod 341), even though 340 is composite, but 5 280 67 / ±1 (mod 561), showing that 561 is composite. We call 341 an Euler pseudoprime to the base 2. But note that 561 is not an Euler pseudoprime base 5, even though it is a Fermat pseudoprime base 5. On the whole, there are only about half as many Euler pseudoprimes as Fermat pseudoprimes. Consider the seven Carmichael numbers less than 10000. The Euler test can show that 5 of the 7 numbers are composite. n ϕ(n) No of a with No of a with a n 1 1(mod n) a (n 1)/2 ±1(mod n) 561 320 320 160 1105 768 768 384 1729 1296 1296 1296 2465 1792 1792 1792 2881 2160 2160 1080 6601 5280 5280 2640 8911 7128 7128 1782

The integers 1729 and 2465 are called absolute Euler pseudoprimes (by analogy with the absolute Fermat pseudoprimes, i.e., Carmichael numbers). These are composite odd integers such that a (n 1)/2 ±1 (mod n) for every a with gcd(a,n) = 1. These number cannot be proven composite with the Euler test (unless we happen to choose an a with gcd(a,n) > 1, which is exceedingly unlikely if n is a large integer lacking small prime factors. There are fewer absolute Euler pseudoprimes than there are Carmichael numbers, but unfortunately absolute Euler pseudoprimes do exist. The Rabin-Miller Primality Test The Euler test improves upon the Fermat test by taking advantage of the fact, if 1 has a square root other than ±1 (mod n), then n must be composite. If a (n 1)/2 / ±1 (mod n), where gcd(a,n) = 1, then n must be composite for one of two reasons: i) If a n 1 / 1 (mod n), then n must be composite by Fermat s Little Theorem ii) If a n 1 1 (mod n), then n must be composite because a (n 1)/2 is a square root of 1 (mod n) different from ±1. The limitation of the Euler test is that is does not go to any special effort to find square roots of 1, different from ±1. The Rabin-Miller test does do this. For example, recall the Euler Test declares 341 a probable prime because 2 170 1 (mod 341). But if we compute 2 85 (mod 341), we find 2 85 32 (mod 341). Thus 32 is a square root of 2 2 85 2 170 1 (mod 341), different from ±1, so we would find that 341 is composite. In the Rabin-Miller test, we write n 1 = 2 s m, with m odd and s 1. We then start by compute a m (mod n) using fast exponentiation. If a m ±1 (mod n), we declare n a probable prime, and stop. Why? We know that a n 1 (a m ) 2s 1 (mod n), and we will not find a square root of 1, other than ±1, in repeated squaring of a m to get a n 1. Otherwise, unless s = 1, we square a m (mod n) to obtain a 2m. If a 2m 1 (mod n), we declare n composite, and stop. Why? a m is a square root of a 2m 1 (mod n), different from ±1. If a 2m 1 (mod n), we declare n a probable prime, and stop. Why? Just as above, we know that a n 1 1 (mod n), and we will not find a square root of 1, other than ±1. Otherwise, unless s = 2, we square a 2m (mod n) to obtain a 22m.

If a 22m 1 (mod n), we declare n composite, and stop. Why? We have found a square root of 1 (mod n), different from ±1, just as above If a 2m 1 (mod n), we declare n a probable prime, and stop. Why? Just above, we know that a n 1 1 (mod n), and we will not find a square root of 1, other than ±1. Otherwise we continue in this manner until either (a) we stop the test, or (b) we have computed a 2s 1m, and stopped if a 2s 1m a (n 1)/2 ±1 (mod n). If we haven t stopped by this point, we declare n composite and stop. Why? Exactly as with the Euler test. Let us carry out the Rabin-Miller test on the absolute Euler pseudoprime 1729, using a = 671. 1729 1 = 1728 = 2 6 27. So s = 6, m = 27. 671 27 1084 (mod 1729) 671 27 2 1084 2 1065 (mod 1729) 671 27 22 1065 2 1 (mod 1729) The test declares n composite, and terminates. Next we test a much larger integer, n = 972133929835994161 (also a Carmichael number), using a = 2. n 1 = 2 4 60758370614749635. 2 60758370614749635 338214802923303483 (mod n) 2 2 60758370614749635 338214802923303483 2 (mod n) 332176174063516118 (mod n) 2 22 60758370614749635 2 23 60758370614749635 332176174063516118 2 (mod n) 779803551049098051 (mod n) 779803551049098051 2 (mod n) 1 (mod n) The test declares n composite, and terminates. Next we test an integer that is composite, but not a Carmichael number, n = 2857191047211793, using a = 1003. n 1 = 2 4 178574440450737. 1003 178574440450737 1135781085623492 (mod n) 1003 2 178574440450737 1135781085623492 2 (mod n) 84313648747407 (mod n) 1003 22 178574440450737 84313648747407 2 (mod n) 2321094267189023 (mod n) 1003 23 178574440450737 2321094267189023 2 (mod n) 978857874792606 (mod n) The test declares n composite, and terminates.

Finally we test an integer that is in fact prime, n = 104513, using a = 3. n 1 = 2 6 1633. 3 1633 88958 (mod n) 3 2 1633 88958 2 10430 (mod n) 3 22 1633 10430 2 91380 (mod n) 3 23 1633 91380 2 29239 (mod n) 3 24 1633 29239 2 2781 (mod n) 3 25 1633 2781 2 1 (mod n) The test concludes that n is a probable prime. We might perform a few more tests before we are convinced that n is in fact prime. For any odd composite integer n, there are at most ϕ(n)/4 integers a (1 a < n, gcd(a,n) = 1) for which the Rabin-Miller test declares n prime. In practice, the number of strong pseudoprimes is usually far, far less than ϕ(n)/4, if n is large. There are a number of other primality tests, but the Rabin-Miller test is the one most commonly used. Like the Fermat and Euler tests, the Rabin-Miller test has psuedoprimes (choices of a for which the test declares a composite integer to be a probable prime). Rabin-Miller pseudoprimes are called strong pseudoprimes. There are fewer strong pseudoprimes than Fermat or Euler pseudoprimes. More importantly, there are no Rabin-Miller absolute pseudoprimes (as we had absolute Fermat and Euler absolute pseudoprimes).

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information