1. Algebra 1.7. Prime numbers

Transcription

1 1. ALGEBRA Algebra 1.7. Prime numbers Definition Let n Z, with n 2. If n is not a prime number, then n is called a composite number. We look for a way to test if a given positive integer is prime or composite. The first test is based on Fermat s little theorem Fermat Test This test is based on Fermat s little theorem. If n is a prime number and a Z, with gcd(a, n) = 1, then Fermat s little theorem implies that a n 1 1 (mod n). Thus if a n 1 1 (mod n), then n is composite. Fermat Test Let n Z, with n 2. Let a Z, with gcd(a, n) = 1. If a n 1 1 (mod n), then we say that n passes the Fermat test for a (mod 341), so 341 passes the Fermat test for (mod 341), so 341 does not passes the Fermat test for 3. Hence 341 is a composite number (in fact, 341 = 11 31). Remark Since the test is based on modular arithmetic it suffices to take 1 a n, but in fact we will assume 1 < a < n, for 1 and n are not the numbers you want to test on. If for such an a we have gcd(a, n) 1, then 1 < gcd(a, n) < n, so n is composite. Thus always first calculate the greatest common divisor. Definition Let n be a composite number, a Z, with gcd(a, n) = 1. If n passes the Fermat test for a, we say that n is an a-pseudo prime. If n is an a-pseudo prime for all a Z with gcd(a, n) = 1, then n is called a Carmichael number. If n is an even number with n 2, then it is clearly not prime. We are mainly interested in odd numbers. The following theorem tells us that Carmichael numbers exist, that is there exist numbers n that passes the Fermat test for any a Z, with gcd(a, n) = 1. Theorem Let n Z, with n 3 and n odd. Then n is a Carmichael number if and only if n = p 1 p 2 p s, where s 2, p 1,..., p s are distinct odd prime numbers, and (p i 1) (n 1) for all i {1, 2,..., s}. Proof. Suppose n = p 1 p 2 p s, where s 2, p 1,..., p s are distinct odd prime numbers, and (p i 1) (n 1) for all i {1, 2,..., s}. Consider the isomorphism ( Z /n Z ) = ( Z /p 1 Z ) ( Z /p 2 Z ) ( Z /p s Z ) [b] n ([b] p1, [b] p2,..., [b] ps ). For each i {1, 2,..., s} the group ( Z /p i Z ) is a cyclic group of order p i 1 and (p i 1) (n 1). Hence for each i {1, 2,..., s} we have ([b] pi ) n 1 = [1] pi, that is (([b] p1, [b] p2,..., [b] ps )) n 1 = ([1] p1, [1] p2,..., [1] ps ). It follows that for any element of g ( Z /n Z ), we have o(g) (n 1). Now let a Z, with gcd(a, n) = 1. Then [a] n ( Z /n Z ), so ([a] n ) n 1 = [1] n. Hence a n 1 1 (mod n), and thus n

2 1. ALGEBRA 31 is an a-pseudo prime. Since this is true for any a Z with gcd(a, n) = 1, it follows that n is a Carmichael number. Suppose n is a Carmichael number. If a Z, with gcd(a, n) = 1, then a n 1 1 (mod n), that is ([a] n ) n 1 = [1] n. In particular o([a] n ) divides n 1, for any [a] n ( Z /n Z ). Write n = p r1 1 pr2 2 prs s, where p 1,..., p s are distinct odd prime numbers and r i 1, for all i {1, 2,..., s}. Consider the isomorphism ( Z /n Z ) = ( Z /p r1 1 Z ) ( Z /p r2 2 Z ) ( Z /p rs s Z ) [b] n ([b] r p 1, [b] r 1 p 2,..., [b] 2 p rs ). s For each i {1, 2,..., s} let β i be a generator of the cyclic group ( Z /p ri i Z ) and let a i Z, with 1 a i < n, be such that ( Z /n Z ) = ( Z /p r1 1 Z ) ( Z /p r2 2 Z ) ( Z /p ri i Z )... ( Z /p rs s Z ) [a i ] n (1, 1,..., β i,..., 1) Thus o([a i ] n ) = p r1 1 i (p i 1). So for each i {1, 2,..., s}, p r1 1 i (p i 1) divides n 1, whence r i = 1, since p i and n 1 are relatively prime. Thus n = p 1 p 2 p s, where p 1,..., p s are distinct odd prime numbers, and (p i 1) (n 1) for all i {1, 2,..., s}. Since n is not prime we have s 2.. Some Carmichael numbers are 561 = , for 560 = ; 1105 = , for 1104 = ; 1729 = , for 1728 = Remark It was shown in 1994 that there are an infinite number of Carmichael numbers Miller-Rabin Test Let n be an odd number, s = max{r Z 2 r divides n 1} and d = n 1 2 s. So n 1 = 2 s d, with d Z an odd number, and s and d are easely calculated. Lemma Let n be an odd prime number and a Z, with gcd(a, n) = 1. One of the following holds: (i) a d 1 (mod n). (ii) there exists an r {0,..., s 1}, such that a d 2r 1 (mod n). Proof. Let n be an odd prime and a Z, with gcd(a, n) = 1, so [a] n ( Z /n Z ). Since n is an odd prime the group ( Z /n Z ) is cyclic of order n 1. In particular, it has only one element of order 2, namely [ 1] n. Let k = o([a d ] n ). Since ([a d ] n ) 2s = ([a] n ) n 1 = [1] n, we have k 2 s. If k = 1, then [a d ] n = [1] n, so (i) holds. If k 1, then k = 2 l, for certain 1 l s. Now [1] n = ([a d ] n ) 2l = (([a d ] n ) 2l 1 ) 2 and ([a d ] n ) 2l 1 [1] n. Thus ([a d ] n ) 2l 1 is an element of order 2. Whence ([a d ] n ) 2l 1 = [ 1] n, that is a d 2l 1 1 (mod n). Let r = l 1, then 0 r < s and a d 2r 1 (mod n), so (ii) holds.

3 1. ALGEBRA 32 Miller-Rabin Test Let n Z, be n an odd number with n 2. Let a Z, with gcd(a, n) = 1. Consider the sequence [a d ] n, ([a d ] n ) 2,..., ([a d ] n ) 2s 1. If either this sequence is all 1, or 1 appears in it, then we say that n passes the Miller-Rabin test for a. Since ([a d ] n ) 2i+1 = (([a d ] n ) 2i ) 2, the lemma states that if n is a prime then either this sequence is all 1, or 1 appears in it. So all primes pass the Miller-Rabin test for any a Z with gcd(a, n) = 1. The answer depends only on a (mod n), so one can assume that 1 a < n. Remark Observe that for a = 1 and a = n 1, n passes the Miller-Rabin test for a. Definition Let n be a composite number, a Z, with gcd(a, n) = 1. If n passes the Miller-Rabin test for a, we say that n is a strong a-pseudo prime, and a will be called a false witness. If n does not pass the Miller-Rabin test for a, we say that a is a witness for n being a composite number. Let n = 561, which is a Carmichael number, then n 1 = Consider the sequence [a 35 ] n, ([a 35 ] n ) 2, ([a 35 ] n ) 4, ([a 35 ] n ) 8. If a = 2, then the sequence is 263, 166, 67, 1; 2 is a witness that 561 is composite; If a = 101, then the sequence is 1, 1, 1, 1; 101 is a false witness; If a = 103, then the sequence is 1, 1, 1, 1; 103 is a false witness; Thus 561 is a strong 101-pseudo prime and a strong 103-pseudo prime. Lemma Any strong a-pseudo prime is also an a-pseudo prime. Proof. If either [a d ] n = [1] n or ([a d ] n ) 2r = [ 1] n, for some 0 r < s, then ([a d ] n ) 2s = [1] n. Hence ([a] n ) n 1 = [1] n, so n passes the Fermat test for a. Let n be an odd number and a Z, with gcd(a, n) = 1, and d, s Z such that n 1 = 2 s d, with d an odd number. Suppose n is a strong a-pseudo prime. Since it is also a a-pseudo prime, we have ([a d ] n ) 2s = [1] n. Thus the order of [a d ] n divides 2 s. If ([a d ] n ) 2r = [ 1] n, for some 0 r < s, then o([a d ] n ) = 2 r+1. Though it is not true that if o([a d ] n ) = 2 r+1, then ([a d ] n ) 2r = [ 1] n. The element ([a d ] n ) 2r will be of order 2, but need not be [ 1] n. Moreover, we have [a d ] n = [1] n if and only if o([a d ] n ) = 1. Thus the order of [a d ] n determines whether the sequence is all 1 or the place where a [ 1] n could appear. Before we can determine false witnesses we need a lemma about d-th powers of elements in Abelian groups. Lemma Let G be a finite Abelian group d Z with d 1 an odd number and r Z, with r 0. Let A r = {a G o(a) = 2 r }, the set of elements of order 2 r, and K = {g G o(g) d}, the set of elements whose order divides d. Then {g g d A r } = {ak a A r, k K}. Moreover, {g g d A r } = A r K.

4 1. ALGEBRA 33 Proof. Consider ψ : G G defined by ψ : g g d. Since G is Abelian this is a homomorphism of groups. If a A r, then o(a d ) = o(a) so ψ(a r ) A r. On the other hand, if a, b A r with ψ(a) = ψ(b), then a d = b d and so (ab 1 ) d = 1. But (ab 1 ) 2r = 1 and gcd(d, 2 r ) = 1, so ab 1 = 1. Hence a = b. Since A r is a finite set we have A r = ψ(a r ). Let X={g g d A r } and Y = {ak a A r, k K}. We claim that X = Y. Let g X, then g d = a for some a A r. By the above a = b d, for some b A r. So g d = b d. Hence (gb 1 ) d = 1. Hence gb 1 K and g = b(gb 1 ) Y. On the other hand, if g Y then g = ak for some a A r and k K, then g d = (ak) d = a d k d = a d A r, so g X. If a 1, a 2 A r and k 1, k 2 K, with a 1 k 1 = a 2 k 2, then a 1 2 a 1 = k 2 k1 1. But o(a 1 2 a 1) 2 r and o(k 2 k1 1 ) d, hence o(a 1 2 a 1) = o(k 2 k1 1 ) = 1. It follows that a 1 = a 2 and k 1 = k 2 and thus {ak a A r, k K} = A r K. We find the numbers a, 1 < a < 561 for which n = 561 is a strong a-pseudo prime. Since 561 = we consider the isomorphism ( Z /561 Z ) = ( Z /3 Z ) ( Z /11 Z ) ( Z /17 Z ) [b] 561 ([b] 3, [b] 11, [b] 17 ). Since all three latter groups are cyclic, they contain exactly one element of order 2. Since 560 = the sequence becomes [a 35 ] 561, ([a 35 ] 561 ) 2, ([a 36 ] 561 ) 22, ([a 35 ] 561 ) 23. Case 1. [a 35 ] 561 = [1] 561. This holds if and only if o([a] 561 ) divides 35. Hence if and only if o([a] 3 ), o([a] 11 ) and o([a] 17 ), divide 35. It follows that o([a] 3 ) = 1, o([a] 11 ) divides 5 and o([a] 17 ) = 1. So there are 5 possibilities, one of which is ([1] 561 ). The elements of order 5 in ( Z /11 Z ) are [3] 11, [4] 11, [5] 11 and [9] 11. Thus the elements are ([1] 3, [b] 11, [1] 17 ), with [b] 11 {[3] 11, [4] 11, [5] 11, [9] 11, [1] 11 }, that is [256] 561, [103] 561, [511] 561, [460] 561 and [1] 561. Case 2. [a 35 ] 561 = [ 1] 561. This holds if and only ([a] 3, [a] 11, [a] 17 ) 35 = ([ 1] 3, [ 1] 11, [ 1] 17 ). This holds if and only if o([a 35 ] 3 ) = o([a 35 ] 11 ) = o([a 35 ] 17 ) = 2. The elements are ([ 1] 3, [b] 11, [ 1] 17 ), with [b] 11 {[ 3] 11, [ 4] 11, [ 5] 11, [ 9] 11, [ 1] 11 }, that is [305] 561, [458] 561, [50] 561 [101] 561 and [560] 561. Case 3. ([a 35 ] 561 ) 2i = [ 1] 561, with i 1. This holds if and only if ([a 35 ] 3, [a 35 ] 11, [a 35 ] 17 )) 2i = ([ 1] 3, [ 1] 11, [ 1] 17 ). Hence, if and only if o([a 35 ] 3 ) = o([a 35 ] 11 ) = o([b 35 ] 17 ) = 2 i+1. Observe that there are no possibilities for the algorithm to give such a sequence as an answer as ( Z /3 Z ) does not contain elements of order 4. Let n = 481 and a Z, with 1 a < 481 and gcd(a, n) = 1. We count the number of values of a such that 481 is a strong a-pseudo prime. We have ( Z /481 Z ) = ( Z /13 Z ) ( Z /37 Z ). Since n 1 = 480 = and the sequence becomes [a 15 ] 481, ([a 15 ] 481 ) 2, ([a 15 ] 481 ) 22, ([a 15 ] 481 ) 23, ([a 15 ] 481 ) 24. Case 1. [a 15 ] 481 = [1] 481. This holds if and only if ([a 15 ] 13, [a 15 ] 37 ) = ([1] 13, [1] 37 ). Hence, if and only if o([a] 13 ) 15 and o([a] 37 ) 15. We look at the 2 groups separately. In ( Z /13 Z ) we have that, since gcd(15, 12) = 3, [a 15 ] 13 = [1] 13 if and only if [a 3 ] 13 = [1] 13. Moreover, this group is cyclic so has 3 elements with this property. In ( Z /37 Z ) we have that, since gcd(15, 36) = 3, [a 15 ] 37 = [1] 37 if and only if [a 3 ] 37 = [1] 37. Moreover, this group is cyclic so has 3 elements with this property. Hence there are 3 3 = 9 values for a in this case.

5 1. ALGEBRA 34 Case 2. [a 15 ] 481 = [ 1] 481. This holds if and only if ([a 15 ] 13, [a 15 ] 37 ) = ([ 1] 13, [ 1] 37 ). Hence, if and only if o([a 15 ] 13 ) = o([a 15 ] 37 ) = 2. Hence there are 3 3 = 9 values for a in this case. Case 3. ([a 15 ] 481 ) 2 = [ 1] 481. This holds if and only if (([a 15 ] 13 ) 2, ([a 15 ] 37 ) 2 ) = ([ 1] 13, [ 1] 37 ). Hence, if and only if o([a 15 ] 13 ) = o([a 15 ] 37 ) = 4. Hence there are 6 6 = 36 values for a in this case. Case 4. ([a 15 ] 481 ) 2i = [ 1] 481, with i 2. This holds if and only if (([a 15 ] 13 ) 2i, ([a 15 ] 37 ) 2i ) = ([ 1] 13, [ 1] 37 ). Hence, if and only if o([a 15 ] 13 ) = o([a 15 ] 37 ) = 2 i+1. This is not possible for ( Z /13 Z ) has no elements of order 8. Hence there are 54 a Z, with 1 a < 481 and gcd(a, n) = 1, that are a false witness. We will redo this calculation now in a different, more down to earth, way. Let n = 481 and a Z, with 1 a < 481 and gcd(a, n) = 1. We count the number of values of a such that 481 is a strong a-pseudo prime. We have ( Z /481 Z ) = ( Z /13 Z ) ( Z /37 Z ). Since n 1 = 480 = and the sequence becomes [a 15 ] 481, ([a 15 ] 481 ) 2, ([a 15 ] 481 ) 22, ([a 15 ] 481 ) 23, ([a 15 ] 481 ) 24. Case 1. The calculation remains the same as in the previous way. Case 2. [a 15 ] 481 = [ 1] 481. This holds if and only if ([a 15 ] 13, [a 15 ] 37 ) = ([ 1] 13, [ 1] 37 ). We look at the 2 groups separately. In ( Z /13 Z ) we have [a 15 ] 13 = [ 1] 13 if and only if [a 30 ] 13 = 1 and [a 15 ] 13 1, for the group has only one element of order 2, namely [ 1] 13. Thus [a 15 ] 13 = [ 1] 13 if and only if o([a] 13 ) 30 and o([a] 13 ) 15. Since gcd(12, 30) = 6, gcd(12, 15) = 3 and the group is cyclic, there are 6 3 = 3 choices for [a] 13. In ( Z /37 Z ) we have [a 15 ] 37 = [ 1] 13 if and only if [a 30 ] 37 = 1 and [a 15 ] 37 1, for the group has only one element of order 2, namely [ 1] 37. Thus [a 15 ] 37 = [ 1] 37 if and only if o([a] 37 ) 30 and o([a] 37 ) 15. Since gcd(36, 30) = 6, gcd(36, 15) = 3 and the group is cyclic, there are 6 3 = 3 choices for [a] 37. Hence 3 3 = 9 numbers in total. Case 3. [a 30 ] 481 = [ 1] 481. This holds if and only if ([a 30 ] 13, [a 30 ] 37 ) = ([ 1] 13, [ 1] 37 ). We look at the 2 groups separately. In ( Z /13 Z ) we have [a 30 ] 13 = [ 1] 13 if and only if [a 60 ] 13 = 1 and [a 30 ] 13 1, for the group has only one element of order 2, namely [ 1] 13 ). Thus [a 30 ] 13 = [ 1] 13 if and only if o([a] 13 ) 60 and o([a] 13 ) 30. Since gcd(12, 60) = 12, gcd(12, 30) = 6 and the group is cyclic, there are 12 6 = 6 choices for [a] 13. In ( Z /37 Z ) we have [a 30 ] 37 = [ 1] 13 if and only if [a 60 ] 37 = 1 and [a 30 ] 37 1, for the group has only one element of order 2, namely [ 1] 37 ). Thus [a 30 ] 37 = [ 1] 37 if and only if o([a] 37 ) 60 and o([a] 37 ) 30. Since gcd(36, 60) = 12, gcd(36, 30) = 6 and the group is cyclic there are 12 6 = 6 choices for [a] 37. Hence 6 6 = 36 numbers in total. Case 4. ([a 15 ] 481 ) 2i = [ 1] 481, with i 2. This holds if and only if (([a 15 ] 13 ) 2i, ([a 15 ] 37 ) 2i ) = ([ 1] 13, [ 1] 37 ). We look at the first group. In ( Z /13 Z ) we have [a 15 ] 2i 13 = [ 1] 13 if and only if [a 15 ] 2i+1 13 = [1] 13 and [a 15 ] 2i 13 [ 1] 13, for the group has only one element of order 2, namely [ 1] 13 ). Thus [a 15 ] 2i 13 = [ 1] 13 if and only if o([a] 13 ) 15 2 i+1 and o([a] 13 ) 15 2 i+1. Since gcd(12, 15 2 i+1 ) = 12 and gcd(12, 15 2 i ) = 12, there are no possible choices for [a] 13. Hence there are 54 a Z, with 1 a < 481 and gcd(a, n) = 1, that are a false witness. Lemma For any odd composite number n there exists an a Z, with 1 < a < n and gcd(a, n) = 1, such that a is a witness for n being composite.

6 1. ALGEBRA 35 Proof. Let n = p r1 1 pr2 2 prt t, where p 1,..., p t are distinct odd prime numbers and r i 1, for all i {1, 2,..., t} be the factorization of n in primes. Let n 1 = 2 s d, with d odd. Consider the isomorphism ( Z /n Z ) = ( Z /p r1 1 Z ) ( Z /p r2 2 Z ) ( Z /p rt t Z ) [b] n ([b] r p 1, [b] r 1 p 2,..., [b] r ). 2 p t t Suppose t 2. Let a Z, with 1 < a < n, be such that [a] n ([ 1] p r 1 1, [1] p r 2,..., [1] r 2 p t ). Then t [a d ] n = [a] n [±1] n, since d is odd and t 2, and ([a d ] n ) 2 = [1] n. If s = 1, then the sequence consists only of [a d ] n, and a is a witness. If s 2, then the sequence starts with [a d ] n, [1] n,..., hence a is a witness. If t = 1 and r 1 > 1, then gcd(d, p 1 ) = 1. In this case we have ( Z /n Z ) = ( Z /p r1 1 Z ), which is a group cyclic group of order p r1 1 1 (p 1 1). Let a Z, with 1 < a < n, be such that [a] n has order p 1 (there are p 1 1 of them). Since o([a d ] n ) = p 1 we have o([a d ] n ) 2i = p 1 too. Hence ([a d ] n ) 2i [ 1] n, since o([ 1] n ) = 2, thus a is a witness. In fact there are many witnesses. Theorem (Rabin, 1980) Let n 3 be an odd composite number. At most 1 4 a Z, with 1 < a < n and gcd(a, n) = 1, is a false witness. of the numbers Let n 3 be an odd composite number and a Z, with 1 < a < n. If gcd(a, n) 1, then n is composite. If gcd(a, n) = 1, then the probability that n passes the Miller-Rabin test for a is at most. In fact, there are better estimates one can make. 1 4 Remarks Between 1 and there are prime numbers, pseudo primes and 3291 strong 2-pseudo primes. In practice one can use the Miller-Rabin test to create large prime numbers. We look for a prime p with p < Then, in base 2, p can represented as a bit string of length 128, which starts and ends with 1. Now choose a random bit string of length 128, which starts and end with 1, and let n be the corresponding number in base 2. Then apply the following probabilistic test to see if the number is prime: Check if n is divisible by a prime less then 10 6 (there is a known list of these primes). If not, then apply the Miller-Rabin test for 3 different values of a. If the number has survived this test then the probability that n is not a prime is less then ( 1 2 )80. In 2002 Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, created a deterministic primalityproving algorithm. The algorithm, known as the AKS primality test, determines whether a number is prime or composite within polynomial time (over the number of digits). Current implementations are not fast enough yet. Lemma Let n be an odd number and a Z, with gcd(a, n) = 1. If n is an a-pseudo prime, but not a strong a-pseudo prime, then there exist a fast algorithm to find some factors of n. Proof. Let n 1 = 2 s d, with d odd. Consider the sequence [a d ] n, ([a d ] n ) 2,..., ([a d ] n ) 2s 1, ([a d ] n ) 2s. Since n is an a-pseudo prime we have ([a d ] n ) 2s = [1] n. Since but not a strong a-pseudo prime the sequence [a d ] n, ([a d ] n ) 2,..., ([a d ] n ) 2s 1 is not all 1 nor does it contain [ 1] n. Whence there exists an 0 l < s, such that ([a d ] n ) 2l [±1] n, and ([a d ] n ) 2l+1 = [1] n. Let b Z, with 0 b < n such that b a 2l d (mod n). Then b 2 1 (mod n)

7 1. ALGEBRA 36 and b ±1 (mod n). In particular, n divides (b 2 1) = (b + 1)(b 1). If gcd(n, b 1) = 1, then n (b+1), contradicting the fact that b 1 (mod n). If gcd(n, b 1) = n, then n (b 1), contradicting the fact that b 1 (mod n). Hence 1 < gcd(n, b 1) < n. Similarly 1 < gcd(n, b + 1) < n. Let n = 561, which is a Carmichael number, and a = 2. Then n 1 = 560 = The sequence [2 35 ] n, ([2 35 ] n ) 2, ([2 35 ] n ) 4, ([2 35 ] n ) 8, ([2 35 ] n ) 16 equals 263, 166, 67, 1, 1. Let b = 67, then gcd(561, 66) = 11 and gcd(561, 68) = 17. Thus 11 and 17 are divisors of 561. Indeed 561 = In particular, if n is the product of two odd primes, then the above algorithm give a way of factorizing n into primes. The RSA-modules should therefore not be of this type.