Ma/CS 6a Class 4: Primality Testing

Similar documents
Ma/CS 6a Class 4: Primality Testing

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Ma/CS 6a Class 3: The RSA Algorithm

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

Math.3336: Discrete Mathematics. Mathematical Induction

Lecture 1: Introduction to Public key cryptography

Introduction to Public-Key Cryptosystems:

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Number Theory A focused introduction

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

CPSC 467b: Cryptography and Computer Security

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

basics of security/cryptography

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

MATH 145 Algebra, Solutions to Assignment 4

CPSC 467b: Cryptography and Computer Security

Factoring. Number Theory # 2

Applied Cryptography and Computer Security CSE 664 Spring 2018

ECE596C: Handout #11

Public Key Encryption

Introduction to Cryptology. Lecture 20

Factorization & Primality Testing

Chapter 8. Introduction to Number Theory

Public Key Algorithms

The RSA cryptosystem and primality tests

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

CIS 551 / TCOM 401 Computer and Network Security

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Cryptography IV: Asymmetric Ciphers

1. Algebra 1.7. Prime numbers

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Ma/CS 6a Class 2: Congruences

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Mathematical Foundations of Public-Key Cryptography

Lecture 22: RSA Encryption. RSA Encryption

Lecture Notes, Week 6

Encryption: The RSA Public Key Cipher

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Pseudoprimes and Carmichael Numbers

CPSC 467: Cryptography and Computer Security

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

CSE 521: Design and Analysis of Algorithms I

Some Facts from Number Theory

10 Modular Arithmetic and Cryptography

Number theory (Chapter 4)

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Ma/CS 6a Class 2: Congruences

ECE646 Lecture 11 Required Reading Chapter 8.3 Testing for Primality RSA Key Generation

Primality Testing- Is Randomization worth Practicing?

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

The security of RSA (part 1) The security of RSA (part 1)

Number Theory & Modern Cryptography

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Number Theory and Group Theoryfor Public-Key Cryptography

IRREDUCIBILITY TESTS IN F p [T ]

Applied Cryptography and Computer Security CSE 664 Spring 2017

Iterated Encryption and Wiener s attack on RSA

Asymmetric Encryption

Lecture 31: Miller Rabin Test. Miller Rabin Test

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

Mathematics of Cryptography

Cryptography: Joining the RSA Cryptosystem

Discrete Mathematics for CS Fall 2003 Wagner MT2 Soln

10 Public Key Cryptography : RSA

ECEN 5022 Cryptography

Public Key Cryptography

Discrete Mathematics GCD, LCM, RSA Algorithm

Lecture 11 - Basic Number Theory.

Homework Problems, Math 134, Spring 2007 (Robert Boltje)

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

CRYPTOGRAPHY AND NUMBER THEORY

Number theory (Chapter 4)

THE RSA ENCRYPTION SCHEME

1 Rabin Squaring Function and the Factoring Assumption

Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Homework 5. This homework is due October 6, 2014, at 12:00 noon.

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Introduction to Cryptography. Lecture 6

Euler s, Fermat s and Wilson s Theorems

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Attacks on RSA & Using Asymmetric Crypto

Solutions to the Midterm Test (March 5, 2011)

Transcription:

Ma/CS 6a Class 4: Primality Testing By Adam Sheffer Send anonymous suggestions and complaints from here. Email: adamcandobetter@gmail.com Password: anonymous2 There aren t enough crocodiles in the presentations Why won t you tell me how to solve the homework?! Only today! 75% off for Morphine and Xanax. Could you open every class by playing Flight of the Valkyries? 1

Reminder: Euler s Totient Function Euler s totient φ(n) is defined as follows: Given n N, then φ n = x 1 x < n and GCD x, n = 1. In more words: φ n is the number of natural numbers 1 x n such that x and n are relatively prime. φ 12 = 1,5,7,11 = 4. Reminder #2: The RSA Algorithm Bob wants to generate keys: Arbitrarily chooses primes p and q.? n = pq find φ n.? Chooses e such that GCD φ n, e = 1. Find d such that de 1 mod φ n.? Alice wants to pass bob m. Receives n, e from Bob. Returns X m e mod n. Bob receives X. Calculates X d mod n.? 2

Finding φ n Problem. Given n = pq, where p, q are large primes, find φ n. We need the number of elements in 1,2,, n that are not multiplies of p or q. There are n = q numbers are divisible by p. p There are n = p numbers are divisible by q. q Only n = pq is divided by both. Thus: φ n = n p q + 1. The RSA Algorithm Bob wants to generate keys: Arbitrarily chooses primes p and q.? n = pq find φ n. Chooses e such that GCD φ n, e = 1. Find d such that de 1 mod φ n.? Alice wants to pass bob m. Receives n, e from Bob. Returns X m e mod n. Bob receives X. Calculates X d mod n.? 3

Choose e s.t. GCD φ n,e = 1 Problem. Given n = pq, where p, q are large primes, find e N such that GCD φ n, e = 1. We can choose arbitrary numbers until we find one that is relatively prime to φ n. For the worst values of φ n, a random number is good with probability 1/ log log n. The RSA Algorithm Bob wants to generate keys: Arbitrarily chooses primes p and q.? n = pq find φ n. Chooses e such that GCD φ n, e = 1. Find d such that de 1 mod φ n.? Alice wants to pass bob m. Receives n, e from Bob. Returns X m e mod n. Bob receives X. Calculates X d mod n. 4

Find d such that de 1 mod φ n Recall. Since GCD e, φ n = 1 then there exist s, t Z such that se + tφ n = 1. That is, se 1 mod φ n. We can find s, t by the extended Euclidean algorithm from lecture 2. Quantum Computing A bit of a computer contains a value of either 0 or 1. A quantum computer contains qubits, which can be in superpositions of states. Theoretically, a quantum computer can easily factor numbers and decipher almost any known encryption. 5

Should We Stop Ordering Things Online? The RSA Algorithm Bob wants to generate keys: Arbitrarily chooses primes p and q.? n = pq find φ n. Chooses e such that GCD φ n, e = 1. Find d such that de 1 mod φ n. Alice wants to pass bob m. Receives n, e from Bob. Returns X m e mod n. Bob receives X. Calculates X d mod n. 6

Finding Large Primes Let n be a LARGE integer (e.g., 2 4000 ). The prime number theorem. The probability of a random p 1,, n being prime is about 1/ log n. If we randomly choose numbers from 1,, n, we expect to have about log n iterations before finding a prime. But how can we check whether our choice is a prime or not?! Primality Testing Given a LARGE q Z, how can we check whether q is prime? The naïve approach. Go over every number in 2,, q and check whether it divides q. Our numbers are so large that a computer cannot do such a check in a reasonable time! 7

Recall: Fermat s Little Theorem For any prime p and integer a relatively prime to p, we have a p a mod p. Pick an integer a that is not a multiple of q and check whether a q a mod q. If not, q is not a prime! If yes,??? Pierre de Fermat Example: Fermat Primality Testing Is n = 355207 prime? 2 355207 84927 mod 355207. n is not prime since 2 n 2 mod n. We can try 1000 different values of a and see if a n a mod n for each of them. 8

Carmichael Numbers A number q N is said to be a Carmichael number if it is not prime, but still satisfies a q a mod q for every a that is relatively prime to q. The smallest such number is 561. Very rare about one in 50 trillion in the range 1 10 21. R. D. Carmichael Example: Carmichael Numbers Claim. Let k N 0 such that 6k + 1, 12k + 1, and 18k + 1 are primes. Then n = 6k + 1 12k + 1 18k + 1 is a Carmichael number. Example. For k = 1, we have that 7,13,19 are primes. 7 13 19 = 1729 is a Carmichael number. 9

Proof We need to prove that for any a that is relatively prime to n, we have a n a mod n. Since GCD a, n = 1, this is equivalent to proving a n 1 1 mod n. We rewrite n = 1296k 3 + 396k 2 + 36k + 1. For any such a, we have a n 1 = a 1296k3 +396k 2 +36k = a 6k 216k2 +66k+6. Proof (cont.) For any a relatively prime to n, we have a n 1 = a 6k 216k2 +66k+6. Recall. If a N is not divisible by a prime p then a p 1 1 mod p. Since a and 6k + 1 are relatively prime a n 1 1 216k2 +66k+6 1 mod 6k + 1. Similarly, we have a n 1 1 mod 12k + 1 and a n 1 1 mod 18k + 1. Since a n 1 1 is divisible by the three primes 6k + 1, 12k + 1, and 18k + 1, it is also divisible by their product n. That is, a n 1 1 mod n. 10

Miller Rabin Primality Test The Miller Rabin primality test works on every number. Gary Miller Michael Rabin Root of Unity Claim. For any prime p, the only numbers a 0,1,, p 1 such that a 2 1 mod p are 1 and p 1. Example. The solutions to a 2 1 mod 1009 are exactly the numbers satisfying a 1 or 1008 mod 1009. 11

Root of Unity Claim. For any prime p, the only numbers a 1,, p such that a 2 1 mod p are 1 and p 1. Proof. a 2 1 mod p a 2 1 0 mod p a + 1 a 1 0 mod p That is, either p a + 1 or p a 1. Roots of Unity Properties Given a prime p > 2, we write p 1 = 2 s d where d is odd and s 1. Claim. For any odd prime p and any 1 < a < p, one of the following holds. a d 1 mod p. There exists 0 r < s such that a 2rd 1 mod p. 12

Roots of Unity Properties (2) Claim. For any odd prime p and any 1 < a < p, one of the following holds. a d 1 mod p. There exists 0 r < s such that a 2rd 1 mod p. Proof. By Fermat s little theorem a p 1 1 mod p. Consider a (p 1)/2, a (p 1)/4,, a (p 1)/2s. By the previous claim, each such root is ± 1 mod n. If all of these roots equal 1, we are in the first case. Otherwise, we are in the second. Composite Witnesses Given a composite (non-prime) odd number n, we again write n 1 = 2 s d where d is odd and s 1. We say that a 2,3,4,, n 2 is a witness for n if a d 1 mod n. For every 0 r < s, we have a 2rd 1 mod n. 13

Example: Composite Witness Problem. Prove that 91 is not a prime. 90 = 2 45. 2 45 57 mod 91. 2 is a witness that 91 is not a prime. There are Many Witnsses Given an odd composite n, the probability of a number 2,, n 2 being a witness is at least ½ (this can be shown with basic group theory). Given an odd n N, take i numbers and check if they are witnesses. If we found a witness, n is composite. If we did not find a witness, n is prime with probability at least 1 1 2 i. 14

The End Never forget: With great powers comes great difficulty in prime factorization. 15

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback