Practical assessment week 5 and 6

Transcription

1 Practical assessment week 5 and 6 Finding prime numbers 1.1 Modular Arithmetic Basically, a b (mod n) if a = b + kn for some integer k. If a is non-negative and b is between 0 and n, you can think of b as the remainder of a when divided by n. Sometimes, b is called the residue of a, modulo n. Sometimes a is called congruent to b, modulo n (the triple equals sign,, denotes congruence). These are just different ways of saying the same thing. The set of integers from 0 to n - 1 form what is called a complete set of residues modulo n. This means that, for every integer a, its residue modulo n is some number from 0 to n - 1. The operation a mod n denotes the residue of a, such that the residue is some integer from 0 to n - 1. This operation is modular reduction. For example, 5 mod 3 = 2. In C, the % operator returns the remainder from the division of the first expression by the second; this can be a negative number if either operand is negative. Make sure you add n to the result of the modulo operator if it returns a negative number. Modular arithmetic is just like normal arithmetic: It s commutative, associative, and distributive. Also, reducing each intermediate result modulo n yields the same result as doing the whole calculation and then reducing the end result modulo n. a + b) mod n = ((a mod n) + (b mod n)) mod n (a - b) mod n = ((a mod n) - (b mod n)) mod n (a*b) mod n = ((a mod n)*(b mod n)) mod n (a*(b + c)) mod n = (((a*b) mod n) + ((a*c) mod n)) mod n Cryptography uses computation mod n a lot, because calculating discrete logarithms and square roots mod n can be hard problems. Modular arithmetic is also easier to work with on computers, because it restricts the range of all intermediate values and the result. For a k- bit modulus, n, the intermediate results of any addition, subtraction, or multiplication will not be more than 2k- bits long. So we can perform exponentiation in modular arithmetic without generating huge intermediate results. Calculating the power of some number modulo some number, a x mod n, is just a series of multiplications and divisions, but there are speedups. One kind of speedup aims to minimize the number of modular multiplications; another kind aims to optimize the individual modular multiplications. Because the operations are distributive, it is faster to do the exponentiation as a stream of successive multiplications, taking the modulus every time. It doesn t make much difference now, but it will when you re working with 200-bit numbers. For example, if you want to calculate a 8 mod n, don t use the naïve approach and perform seven multiplications and one huge modular reduction: (a*a*a*a*a*a*a*a) mod n Instead, perform three smaller multiplications and three smaller modular reductions: ((a 2 mod n) 2 mod n)2 mod n By the same token, a 16 mod n = (((a 2 mod n) 2 mod n) 2 mod n) 2 mod n A pseudo code is presented as follows Computing a k mod n IN: a integer si k n wher by k i we understand i-th bit from k (t number of the bits from k) OUT: a k mod n

2 b=1 if(!k)return(b); temp=a; if(k 0 )b=a; for(i=1;i++;i<t) { temp=temp 2 mod n if(k i )b=temp*bmod n return(b); Computing gcd(a,b) IN: a,b unsigned integer a b OUT: gcd(a,b) while(b) { temp=a mod b; a=b; b=temp return (a) Job 1. Implement the method to compute a k mod n and gcd 1.2 Chinese Remainder Theorem According to D. Wells, the following problem was posed by Sun Tsu Suan-Ching (4th century AD): There are certain things whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What will be the number? Oystein Ore mentions another puzzle with a dramatic element from Brahma-Sphuta-Siddhanta (Brahma's Correct System) by Brahmagupta (born 598 AD): An old woman goes to market and a horse steps on her basket and crashes the eggs. The rider offers to pay for the damages and asks her how many eggs she had brought. She does not remember the exact number, but when she had taken them out two at a time, there was one egg left. The same happened when she picked them out three, four, five, and six at a time, but when she took them seven at a time they came out even. What is the smallest number of eggs she could have had? Problems of this kind are all examples of what universally became known as the Chinese Remainder Theorem. In mathematical parlance the problems can be stated as finding n, given its remainders of division by several numbers m 1, m 2,..., m k : n = n 1 (mod m 1 ) n = n (1) 2 (mod m 2 )... n = n k (mod m k ) The modern day theorem is best stated with a couple of useful notations. For non-negative integers m 1, m 2,..., m k, their greatest common divisor is defined as

3 gcd(m 1, m 2,..., m k ) = max{s: s m i, for i = 1,..., k, where, as always, "s m" means that s divides m exactly. The least common multiple of k numbers is defined as lcm(m 1, m 2,..., m k ) = min{s: s > 0 and m i s, for i = 1,..., k, Both gcd() and lcm() are symmetric functions of their arguments. They are complementary in the sense that, for k = 2, gcd(m 1, m 2 ) lcm(m 1, m 2 ) = m 1 m 2. However, for k > 2 a similar identity does not in general hold. For an example, consider two triplets: {2, 4, 16 and {2, 8, 16. Both have exactly the same gcd and lcm but obviously different products. On the other hand, both gcd and lcm are associative: gcd(m 1, (gcd(m 2, m 3 )) = gcd(gcd(m 1, m 2 ), m 3 ) and, both equal gcd(m 1, m 2, m 3 ). Similarly, lcm(m 1, (lcm(m 2, m 3 )) = lcm(lcm(m 1, m 2 ), m 3 ) Note If, for a prime p, p α i m i, with α i being the largest exponent with that property, then p α lcm(m 1, m 2,..., m k ), where α = max{α i and α is the largest exponent with that property. Similarly, the greatest common divisor of several numbers is the product of the largest powers of the primes that divide all the given numbers. Associativity allows one to proceed a step at a time with an inductive argument without putting all eggs into a basket at once. Jumping at the opportunity I'll prove the most basic case of k = 2. Theorem 1 Two simultaneous congruences n = n 1 (mod m 1 ) and n = n 2 (mod m 2 ) are only solvable when n 1 = n 2 (mod gcd(m 1, m 2 )). The solution is unique modulo lcm(m 1, m 2 ). (When m 1 and m 2 are coprime their gcd is 1. By convention, a = b (mod 1) holds for any a and b.) Proof By a generalization of the Euclid's algorithm, there are integers s and t such that tm 1 + sm 2 = gcd(m 1, m 2 ). Since n 2 - n 1 = 0 (mod gcd(m 1, m 2 )), for some, possibly different t and s, (2) tm 1 + sm 2 = n 2 - n 1. Then n = tm 1 + n 1 = -sm 2 + n 2 satisfies both congruences in the theorem. This proves the existence of a solution. To prove the uniqueness part, assume n and N satisfy the two congruences. Taking the differences we see that N - n = 0 (mod m 1 ) and N - n = 0 (mod m 2 ) which implies N - n = 0 (mod lcm(m 1, m 2 )). As was previously stated, a more general theorem can now be proved by induction. Theorem 2 The simultaneous congruences n = n 1 (mod m 1 ) n = n 2 (mod m 2 )... n = n k (mod m k )

4 are only solvable when n i = n j (mod gcd(m i, m j )), for all i and j, i j. The solution is unique modulo lcm(m 1, m 2,..., m k ). Proof Theorem 1 serves the initial step verification. Assume the theorem holds for k congruences and consider k + 1 of them. n = n 1 (mod m 1 ) n = n 2 (mod m 2 )... n = n k (mod m k ) n = n k+1 (mod m k+1 ) Let s be a solution to the first k equations. Then the congrurence n = s (mod lcm(m 1, m 2,..., m k )) has a solution. (Observe that every solution of the latter also satisfies the first k congruences.) To be able to apply the already proven Theorem 1, we need to show that (3) s = n k+1 (mod gcd(lcm(m 1,..., m k ), m k+1 )). Let's write g u = gcd(m u, m k+1 ), u = 1,..., k. Then we know that n u = n k+1 (mod g u) for these values of u. But n u = s + t um u, for some t u, implying n k+1 = s + t um u (mod g u) so that s = n k+1 (mod g u), u = 1, 2,..., k. If so, s = n k+1 (mod lcm(g 1,..., g k )) = n k+1 (mod lcm(gcd(m 1, m k+1 ),..., gcd(m k, m k+1 ))). = n k+1 (mod gcd(lcm(m 1,..., m k ), m k+1 )) because lcm(gcd(m 1, m k+1 ),..., gcd(m k, m k+1 )) = gcd(lcm(m 1,..., m k ), m k+1 ). Thus the system n = s (mod lcm(m 1, m 2,..., m k )) n = n k+1 (mod m k+1 ) has a solution which is unique modulo lcm(lcm(m 1, m 2,..., m k ), m k+1 ) = lcm(m 1, m 2,..., m k, m k+1 ). It also satisfies the whole set of k + 1 congruences. Corollary The simultaneous congruences n = n 1 (mod m 1 ) n = n 2 (mod m 2 )... n = n k (mod m k ) where all m i 's are pairwise coprime has a unique solution modulo m 1 m 2... m k. If some m i 's are not mutually prime, a solution may not exist unless the corresponding congruence agree. For example, the system n = 1 (mod 2) and n = 2 (mod 4) has not solution, while the system n = 1 (mod 2) and n = ±1 (mod 4) does. Another approach in Computing CR A method (3) that can compute the smallest solution N 0 directly, it is easy to carry out both by human and by computer. Firstly we solve a * x + r 1 = b * y + r 2, it can be rewritten as ax = by + r. Notice that if x 0,y 0 is a solution of ax = by + 1, then x = bn + rx 0,y = an + ry 0 is a solution of ax = by + r for any integer n. Because a(bn+rx 0 ) = b(an+ry 0 )+r

5 => abn + arx 0 = ban + bry 0 + r => ax 0 = by So the problem come down to solve ax = by + 1. If a > b, we can solve (a-b)x = by' + 1, y' = y - x first, say the solution is x,y', then y = y'+x. Similarly this can be done if a < b. Repeat the procedure, a and b become smaller and smaller. When a = 1, we can let y = 1 and x = b + 1, else if b = 1 we can let x = 1 and y = a - 1. Since x = bn + rx 0,y = an + ry 0 we can let x 1 = rx 0 mod b and y 1 = ry 0 mod a. x 1,y 1 will be the smallest numbers fulfil a * x + r 1 = b * y + r 2. Let r 4 = ax 1 + r 1 = by 1 + r 2, we can see that solutions are of the form abu + r 4. Then we solve abu + r 4 = cz + r 3 and get u 1,z 1. Finally N 0 = abu 1 + r 4 = cz 1 + r 3. For example, we solve N = 3x+2 = 5y+3 = 7z+2 again. Firstly solve 3x=5y+1 => 3(x-y)=2y+1 => x-y=2(y-(x-y))+1 => x 0 -y 0 =3,2y 0 -x 0 =1 => x 0 =7,y 0 =4 => r 4 =3*7+2=23 Then we solve 15u+23=7z+2 => 7z=15u+21 (here r=21, we are ready to know ru 0 mod 7 = 0), 7z=15u+1 => 7(z-u)=8u+1 => 7(z-2u)=u+1 => u 0 =6,z 0 =13 => u 1 = 21*6 mod 7 = 0 => N 0 =15*0+23=23. Job 2. Implement Chinese reminder computing 1.3 Fermat Primality Test Fermat's Little Theorem According to Fermat's Little Theorem if p is a prime number and a is a positive integer less than p, then a p = a ( mod p ) or alternatively: a (p-1) = 1 ( mod p ) Algorithm of the test If p is the number which we want to test for primality, then we could randomly choose a, such that a < p and then calculate (a (p-1) )%p. If the result is not 1, then by Fermat's Little Theorem p cannot be prime. What if that is not the case? We can choose another a and then do the same test again. We could stop after some number of iterations and if the result is always 1 in each of them, then we can state with very high probability that p is prime. The more iterations we do, the higher is the probability that our result is correct. You can notice that if the method returns composite, then the number is sure to be composite, otherwise it will be probably prime. Given below is a simple function implementing Fermat's primality test: /* Fermat's test for checking primality, the more iterations the more is accuracy */ bool Fermat(long long p,int iterations){ if(p == 1){ // 1 isn't prime return false;

6 for(int i=0;i<iterations;i++){ // choose a random integer between 1 and p-1 ( inclusive ) long long a = rand()%(p-1)+1; // modulo is the function we developed above for modular exponentiation. if(modulo(a,p-1,p)!= 1){ return false; /* p is definitely composite */ return true; /* p is probably prime */ More iterations of the function will result in higher accuracy, but will take more time. You can choose the number of iterations depending upon the application. Though Fermat is highly accurate in practice there are certain composite numbers p known as Carmichael numbers for which all values of a<p for which gcd(a,p)=1, (a (p-1) )%p = 1. If we apply Fermat's test on a Carmichael number the probability of choosing an a such that gcd(a,p)!= 1 is very low ( based on the nature of Carmichael numbers ), and in that case, the Fermat's test will return a wrong result with very high probability. Although Carmichael numbers are very rare ( there are about 250,000 of them less than ), but that by no way means that the result you get is always correct. Someone could easily challenge you if you were to use Fermat's test :). Out of the Carmichael numbers less than 10 16, about 95% of them are divisible by primes < This suggests that apart from applying Fermat's test, you may also test the number for divisibility with small prime numbers and this will further reduce the probability of failing. However, there are other improved primality tests which don't have this flaw as Fermat's. We will discuss some of them now. Job 3. Implement Fermat Primality Test computing 1.4 Miller-Rabin Primality Test 1. Fermat's Little Theorem. 2. If p is prime and x 2 = 1 ( mod p ), then x = +1 or -1 ( mod p ). We could prove this as follows: 3. x 2 = 1 ( mod p ) 4. x 2-1 = 0 ( mod p ) 5. (x-1)(x+1) = 0 ( mod p ) Now if p does not divide both (x-1) and (x+1) and it divides their product, then it cannot be a prime, which is a contradiction. Hence, p will either divide (x-1) or it will divide (x+1), so x = +1 or -1 ( mod p ). Let us assume that p - 1 = 2 d * s where s is odd and d >= 0. If p is prime, then either a s = 1 ( mod p ) as in this case, repeated squaring from a s will always yield 1, so (a (p-1) )%p will be 1; or a (s*(2r)) = -1 ( mod p ) for some r such that 0 <= r < d, as repeated squaring from it will always yield 1 and finally a (p-1) = 1 ( mod p ). If none of these hold true, a (p-1) will not be 1 for any prime number a ( otherwise there will be a contradiction with fact #2 ).

7 Algorithm Let p be the given number which we have to test for primality. First we rewrite p-1 as (2 d )*s. Now we pick some a in range [1,n-1] and then check whether a s = 1 ( mod p ) or a (s*(2r)) = -1 ( mod p ). If both of them fail, then p is definitely composite. Otherwise p is probably prime. We can choose another a and repeat the same test. We can stop after some fixed number of iterations and claim that either p is definitely composite, or it is probably prime. A small procedure realizing the above algorithm is given below: /* Miller-Rabin primality test, iteration signifies the accuracy of the test */ bool Miller(long long p,int iteration){ if(p<2){ return false; if(p!=2 && p%2==0){ return false; long long s=p-1; while(s%2==0){ s/=2; for(int i=0;i<iteration;i++){ long long a=rand()%(p-1)+1,temp=s; long long mod=modulo(a,temp,p); while(temp!=p-1 && mod!=1 && mod!=p-1){ mod=mulmod(mod,mod,p); temp *= 2; if(mod!=p-1 && temp%2==0){ return false; return true; It can be shown that for any composite number p, at least (3/4) of the numbers less than p will witness p to be composite when chosen as 'a' in the above test. Which means that if we do 1 iteration, probability that a composite number is returned as prime is (1/4). With k iterations the probability of test failing is (1/4) k or 4 (-k). This test is comparatively slower compared to Fermat's test but it doesn't break down for any specific composite numbers and iterations is a quite good choice for most applications. Job 4. Implement Miller-Rabin Primality Test computing 1.5 Solovay-Strassen Primality Test 1. Legendre Symbol: This symbol is defined for a pair of integers a and p such that p is prime. It is denoted by (a/p) and calculated as: 2. (a/p) = 0 if a%p = 0

8 3. (a/p) = 1 if there exists an integer k such that k 2 = a ( mod p ) (a/p)= -1 otherwise. It is proved by Euler that: (a/p) = (a ((p-1)/2)) % p So we can also say that: (ab/p) = (ab ((p-1)/2)) % p = (a ((p-1)/2)) %p * (b ((p-1)/2)) %p = (a/p)*(b/p) 4. Jacobian Symbol: This symbol is a generalization of Legendre Symbol as it does not require 'p' to be prime. Let a and n be two positive integers, and n = p1 k1 *.. * pn kn, then Jacobian symbol is defined as: 5. (a/n) = ((a/p1) k1 ) * ((a/p2) k2 ) *... * ((a/pn) kn ) So you can see that if n is prime, the Jacobian symbol and Legendre symbol are equal. There are some properties of these symbols which we can exploit to quickly calculate them: 1. (a/n) = 0 if gcd(a,n)!= 1, Hence (0/n) = 0. This is because if gcd(a,n)!= 1, then there must be some prime pi such that pi divides both a and n. In that case (a/pi) = 0 [ by definition of Legendre Symbol ]. 2. (ab/n) = (a/n) * (b/n). It can be easily derived from the fact (ab/p) = (a/p)(b/p) ( here (a/p) is the Legendry Symbol ). 3. if a is even, than (a/n) = (2/n)*((a/2)/n). It can be shown that: 4. = 1 if n = 1 ( mod 8 ) or n = 7 ( mod 8 ) 5. (2/n) = -1 if n = 3 ( mod 8 ) or n = 5 ( mod 8 ) = 0 otherwise 6. (a/n) = (n/a)*(-1 ((a-1)(n-1)/4)) if a and n are both odd. The algorithm for the test is really simple. We can pick up a random a and compute (a/n). If n is a prime then (a/n) should be equal to (a ((n-1)/2)) %n [ as proved by Euler ]. If they are not equal then n is composite, and we can stop. Otherwise we can choose more random values for a and repeat the test. We can declare n to be probably prime after some iterations. Note that we are not interested in calculating Jacobi Symbol (a/n) if n is an even integer because we can trivially see that n isn't prime, except 2 of course. Let us write a little code to compute Jacobian Symbol (a/n) and for the test: //calculates Jacobian(a/n) n>0 and n is odd int calculatejacobian(long long a,long long n){ if(!a) return 0; // (0/n) = 0 int ans=1; long long temp; if(a<0){ a=-a; // (a/n) = (-a/n)*(-1/n) if(n%4==3) ans=-ans; // (-1/n) = -1 if n = 3 ( mod 4 ) if(a==1) return ans; // (1/n) = 1 while(a){ if(a<0){ a=-a; // (a/n) = (-a/n)*(-1/n) if(n%4==3) ans=-ans; // (-1/n) = -1 if n = 3 ( mod 4 )

9 while(a%2==0){ a=a/2; // Property (iii) if(n%8==3 n%8==5) ans=-ans; swap(a,n); // Property (iv) if(a%4==3 && n%4==3) ans=-ans; // Property (iv) a=a%n; // because (a/p) = (a%p / p ) and a%pi = (a%n)%pi if n % pi = 0 if(a>n/2) a=a-n; if(n==1) return ans; return 0; /* Iterations determine the accuracy of the test */ bool Solovoy(long long p,int iteration){ if(p<2) return false; if(p!=2 && p%2==0) return false; for(int i=0;i<iteration;i++){ long long a=rand()%(p-1)+1; long long jacobian=(p+calculatejacobian(a,p))%p; long long mod=modulo(a,(p-1)/2,p); if(!jacobian mod!=jacobian){ return false; return true; It is shown that for any composite n, at least half of the a will result in n being declared as composite according to Solovay-Strassen test. This shows that the probability of getting a wrong result after k iterations is (1/2) k. However, it is generally less preferred than Rabin-Miller test in practice because it gives poorer performance. The various routines provided in the article can be highly optimized just by using bitwise operators instead of them. For example /= 2 can be replaced by ">>= 1", "%2" can be replaced by "&1" and "*= 2" can be replaced by "<<=1". Inline Assembly can also be used to optimize them further. Job 5. Implement Solovay-Strassen Primality Test computing Homework: Make the following comparation test between Miller-Rabin Primality and Solovay-Strassen Primality Test for 1000 numbers, numbers and numbers and create a graphic with required times. The used compiler, executable/interpreted, the language, if the hardware parallelism wre used and the targhet machine must be presented too

10 References 1. Bruce Schneier Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C Publisher: John Wiley & Sons, Inc., ISBN: , Douglas Stinson, Cryptography: Theory and Practice, CRC Press, CRC Press LLC ISBN: ,