Lecture Notes : Primality Testing

Similar documents
Primality - Factorization

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Lecture 13 - Basic Number Theory.

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

8 Divisibility and prime numbers

Cryptography and Network Security Chapter 8

CS 103X: Discrete Structures Homework Assignment 3 Solutions

Lecture 13: Factoring Integers

Factoring & Primality

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

Homework until Test #2

Applications of Fermat s Little Theorem and Congruences

Full and Complete Binary Trees

RSA and Primality Testing

CIS 5371 Cryptography. 8. Encryption --

The application of prime numbers to RSA encryption

Cryptography and Network Security Number Theory

MATH10040 Chapter 2: Prime and relatively prime numbers

8 Primes and Modular Arithmetic

Public Key Cryptography: RSA and Lots of Number Theory

Computing exponents modulo a number: Repeated squaring

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

2 Primality and Compositeness Tests

The last three chapters introduced three major proof techniques: direct,

mod 10 = mod 10 = 49 mod 10 = 9.

Every Positive Integer is the Sum of Four Squares! (and other exciting problems)

Solutions for Practice problems on proofs

Continued Fractions and the Euclidean Algorithm

Winter Camp 2011 Polynomials Alexander Remorov. Polynomials. Alexander Remorov

COMP 250 Fall 2012 lecture 2 binary representations Sept. 11, 2012

Page 331, 38.4 Suppose a is a positive integer and p is a prime. Prove that p a if and only if the prime factorization of a contains p.

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Math 319 Problem Set #3 Solution 21 February 2002

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Quotient Rings and Field Extensions

CONTINUED FRACTIONS AND PELL S EQUATION. Contents 1. Continued Fractions 1 2. Solution to Pell s Equation 9 References 12

Basic Proof Techniques

3. Mathematical Induction

2.1 Complexity Classes

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by

On the generation of elliptic curves with 16 rational torsion points by Pythagorean triples

Some practice problems for midterm 2

6.2 Permutations continued

Settling a Question about Pythagorean Triples

Zeros of a Polynomial Function

Solutions to TOPICS IN ALGEBRA I.N. HERSTEIN. Part II: Group Theory

THE DIMENSION OF A VECTOR SPACE

2 When is a 2-Digit Number the Sum of the Squares of its Digits?

FACTORING. n = fall in the arithmetic sequence

6.080/6.089 GITCS Feb 12, Lecture 3

Mathematical Induction

1. Prove that the empty set is a subset of every set.

MATHEMATICAL INDUCTION. Mathematical Induction. This is a powerful method to prove properties of positive integers.

Mathematical Induction. Lecture 10-11

Carmichael numbers and pseudoprimes

Lecture 3: Finding integer solutions to systems of linear equations

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

Module MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013

Test1. Due Friday, March 13, 2015.

RSA Encryption. Tom Davis October 10, 2003

Kevin James. MTHSC 412 Section 2.4 Prime Factors and Greatest Comm

Today s Topics. Primes & Greatest Common Divisors

God created the integers and the rest is the work of man. (Leopold Kronecker, in an after-dinner speech at a conference, Berlin, 1886)

k, then n = p2α 1 1 pα k

MATH 289 PROBLEM SET 4: NUMBER THEORY

PRIME FACTORS OF CONSECUTIVE INTEGERS

Cartesian Products and Relations

5.1 Radical Notation and Rational Exponents

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

GRAPH THEORY LECTURE 4: TREES

Factoring Algorithms

HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Data Structures Fibonacci Heaps, Amortized Analysis

SOLUTIONS FOR PROBLEM SET 2

Lecture 1: Course overview, circuits, and formulas

Real Roots of Univariate Polynomials with Real Coefficients

Primes in Sequences. Lee 1. By: Jae Young Lee. Project for MA 341 (Number Theory) Boston University Summer Term I 2009 Instructor: Kalin Kostadinov

Advanced Cryptography

Computer and Network Security

SECTION 10-2 Mathematical Induction

1 if 1 x 0 1 if 0 x 1

FACTORING CERTAIN INFINITE ABELIAN GROUPS BY DISTORTED CYCLIC SUBSETS

15 Prime and Composite Numbers

Lecture 2: Universality

Handout #1: Mathematical Reasoning

Congruent Number Problem

Section 3-3 Approximating Real Zeros of Polynomials

How To Prove The Dirichlet Unit Theorem

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

MATH 537 (Number Theory) FALL 2016 TENTATIVE SYLLABUS

Lectures notes on orthogonal matrices (with exercises) Linear Algebra II - Spring 2004 by D. Klain

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

3 1. Note that all cubes solve it; therefore, there are no more

The Mathematics of the RSA Public-Key Cryptosystem

FACTORS AND MULTIPLES Answer Key

Transcription:

Advanced Algorithms 28.2.2008, 3.3.2008,10.3.2008 Lecture Notes : Primality Testing Professor: Naveen Garg Scribes:Pushkar Tripathi and Amandeep Singh Introduction In the previous lecture, we covered the Fermat s Primality test. In this lecture, we will look at Rabin Miller test, a more fullproof method of primality testing and analyse its effectiveness and running time. Before moving to the Rabin Miller test, let s review the Fermat s Test. 1 Fermat s Test Theorem 1. Fermat s Little Theorem: For a given number p, p is Prime a p 1 = 1mod p a {1, 2, p 1} Fermat s theorem follows from the fact that the group of integers modulo a prime p, form a group of size p 1 under multiplication. Let G be this group.hence for any member(say a) of the group a G = 1. Since G = p 1, this proves Fermat s Little Theorem. 1.1 Fermat s Primality testing Algorithm In this section we will describe an algorithm based on fermat s test given in the previous section. Input: A number n Output: Prime or Composite 1: Choose random a {2 n}. Compute a n 1 mod n 2: if (a, n) 1 then 3: return Composite 4: if a n 1 mod n 1, then 5: return Composite 6: else 7: return Prime This algorithm returns Prime for all primes as proved by Fermat s Little Theorem. However, it may return Prime for some composite numbers too. Repeating this procedure whenever it returns Prime may help eliminate those errors which occurred due to the random choice of a. However, there exist composite numbers for which this algorithm always returns Prime, irrespective of the choice of a. Such numbers are called Charmichael Numbers. - 1

Analysis of Fermat s Test The following theorem states that at least half the numbers coprime to a non-charmichael number will give the correct certificate(of non-primality) if chosen in line 1 of the algorithm. Theorem 2. If n is not a Charmichael Number then atleast half the numbers coprime to n satisfy a n 1 1 mod n. Proof. This follows from the fact that numbers satisfying (a, n) = 1 mod n and a n 1 = 1 mod n form a subgroup of Z n. This is not a trivial subgroup since n is not a charmichael number. By langrange theorem the order of this subgroup must divide the order of the group Z n. Thus the size if the subgroup if atmost half the size of the group Z n. So for non-charmichael numbers the above algorithm is correct on for atleast half the choices of a. Thus if it is repeated k times then the probability of declaring a composite number to be prime falls exponentially. This is summarized in the following two equations. P r [n is decl. PRIME given n is composite, and non-charmichael] 1 2 P r [n is decl. PRIME after k repetitions given n is composite and non-charmichael] ( 1 2 )k Hence the Fermat s algorithm works with good enough accuracy for Non Carmichael numbers. 2 Rabin-Miller Test In the previous section, we analysed a randomized technique of primality testing that worked well for most numbers except for a small class of numbers. In this section we will analyse another randomized method that does not have such an achilles heal. This primality test relies on finding the square roots of unity in the group Z n. In the next few lines we will define the square-roots of unity and explore their properties. Square root of unity: In a group G, the square root of unity is an element x G, such that x 2 = 1. Theorem 3. For a given prime, p, there are exactly two square roots of unity in the group Z p. These are the trivial roots ±1. Proof. Let x( p) be a root of unity, then the following equations follow. x 2 1 mod p x 2 1 0 mod p (x 1)(x + 1) 0 mod p Thus p divides either x 1 or x + 1. But x is no greater than p, thus x equals ±1. Before we continue further let us recall the Chinese Remainder Theorem. - 2

Theorem 4. Chinese Remainder Theorem : If p and q be two positive integers such that (p, q) = 1 then the following set of equations have a unique solution modulo pq. x a (mod p) x b (mod q) Theorem 5. For any composite number n, there are atleast two non-trivial square roots of unity in the group Z n. Proof. Proof follows from induction on the number n. We can see that the base case for n = 2 is trivially true. Assume that the theorem holds for all k < n. Let n = ab such that (a, b) = 1. Then by chinese remainder theorem the following equations have a unique solution mod n. Clearly y ±1 and also the following two relations hold for y 2. y 1 (mod a) (1) y 1 (mod b) (2) y 2 1 (mod a) (3) y 2 1 (mod b) (4) Using the fact that (a, b) = 1 and equations (3) and (4) the solution to equations (1) and (2) gives a non trivial square root of unity mod n. These theorems collectively prove that if the given number n is prime iff it there are exactly two trivial square-roots of unity mod n. Rabin Miller Primality Testing Algorithm We can safely say that the candidate number(say n) is odd hence, n 1 is even. Let n 1 = 2 t s, s is odd Construct the following sequence for α Z n by repeatedly squaring α s. { } S α = S α (i) = α 2is (mod n) i {0, 1, 2, 3 t} If the last element in this sequence is not 1, then n is surely composite. If the 1 st element of the sequence is 1, we declare n to be prime. Let k be the smallest index at which S α (k) = 1 is such that S α (k 1) 1, then we have found a non-trivial square root of unity and hence a certificate of the compositeness of n. However, if S α (k 1) = 1, then we cannot be sure about the primality of n. As in the previous algorithm, we want an upper bound on the probability of n being composite when such a certificate cannot be produced for the random choice of α. - 3

Analysis of the Rabin Miller method To analyze the effectiveness of the procedure for random choice of α we will prove that the set of bad choices of α (ones that donot give a certificate of compositeness) is contained in a non-trivial subgroup of Z n. Theorem 6 proves that this subgroup is not empty while proposition 7 will prove that all such α lie in this subgroup. Define α Z n to be a witness if by choosing it as the starting number in the procedure described above we would have arrived at a certificate of the compositeness of n. Similarly define non-witnesses in Z n. Define k as follows, k = { } max i {0,1,2 φ(n)} j α 2j s i 1 mod n Note that n 1 Z n. Since n 1 1 mod n and s is odd, (n 1) s 1 mod n. So, there surely exists an element α of Z n such that 1 S α and hence k always exists. Theorem 6. If n is composite then there exists an α Z n such that α is a witness. Proof. Case 1: n = ab and (a,b) = 1. i.e. n is not a prime power. Pick any row(say corresponding to v) such that v 2ks 1 (mod n). Define w as follows, w v (mod a) (5) w 1 (mod b) (6) By Chinese remainder theorem there exists a unique w which satisfies equations 5 and 6. The following propositions complete the proof for this case. Proposition 7. For the variable w defined above, w 2ks ±1(mod n) but w Z n. Proof. Let w 2ks 1(mod n). This implies w 2ks 1(mod a). By equation 5 and using our assumption it follows that, w v (mod a) v 2ks (mod a) 1 (mod a) This contradicts our assumption. On the other hand if we assume w 2ks 1(mod n) then w 2ks 1(mod b).by equation 6 and using our assumption it follows that, w 1 (mod b) 1 2ks (mod b) 1 (mod b) - 4

This contradicts our assumption. Hence w 2ks ±1(mod n). But by the given equations 5 and 6, (w, a) = (w, b) = 1. Since w and a have no common factor and neither do w and b and a and b are co-prime. w and ab have no commen factor. Thus, (w, ab) = 1, i.e. w Z n. Case 2: n = p r i.e. n is the power of a prime It was discussed in class that the following procedure be invoked at the beginning of our algorithm to check for this case and hence to issue a compositeness-certificate to n. Input: A number, n Output: true if n is the power of a number else false. 1: for all k {1, 2 log 2 (n)} do 2: Binary search for r such that r k = n 3: if r such that r k = n then 4: return Power of Prime 5: return Not the Power of Prime This gives a computational(o(log 3 2 (n)) procedure) way to eleminate the this case in the beginning of the algorithm. We can also handle this case analytically. For this we will use the following theorem (without proof). Theorem 8. Z n is a cyclic group. Let g be the generator for Z n. Thus φ(n) is the least number such that g φ(n) 1 (mod n) Proposition 9. n is not a Charmichael number. Proof. We need to find a number r, such that r and n are coprime and r n 1 1 (mod n). If possible let g(as defined earlier) be such that g n 1 1 (mod n). Then φ(n) divides n-1. This means p r p r 1 divides p r 1 which is not possible. Hence there exists a number(g) for which g n 1 1 (mod n). Thus n is not a charmicheal number. Theorem 10. Atleast half the elements of Z n are witnesses. Proof. Define the set B as follows, { } B = a Z n a 2ks ±1(mod n) We can easily see that each non-witness lies in B. B may contain some witnesses. We can also see that B is a subgroup of Z n. So if we can prove that it is a non-trivial subgroup then its order must divide that of Z n. Hence order of B will be at most half the size of Z n. - 5

Theorem 11. For any arbitrary composite number n, the event that for a random choice of α we are unable to issue a certificate of compositeness happens with probability less than 1 2. Proof. The proof follows from the theorems given above. By repeating the above procedure k times we can boost the probability of issuing correctcertificates to all numbers. Note that the Rabin-Miller test does not suffer from the problems of Fermat s test. Unlike the Fermat s test there is no bad input for Rabin-Miller test. - 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information