p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

Similar documents
LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

1. Algebra 1.7. Prime numbers

Ma/CS 6a Class 4: Primality Testing

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

Discrete Structures Lecture Primes and Greatest Common Divisor

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

Part II. Number Theory. Year

MATH 361: NUMBER THEORY FOURTH LECTURE

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

A SURVEY OF PRIMALITY TESTS

MATH 145 Algebra, Solutions to Assignment 4

Applied Cryptography and Computer Security CSE 664 Spring 2018

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Homework 3, solutions

MATH 2200 Final Review

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Chapter 8. Introduction to Number Theory

The RSA cryptosystem and primality tests

Exam 2 Solutions. In class questions

God may not play dice with the universe, but something strange is going on with the prime numbers.

SOLUTIONS TO PROBLEM SET 1. Section = 2 3, 1. n n + 1. k(k + 1) k=1 k(k + 1) + 1 (n + 1)(n + 2) n + 2,

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

Chapter 5. Number Theory. 5.1 Base b representations

Chapter 3 Basic Number Theory

Factorization & Primality Testing

1 Overview and revision

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

The Impossibility of Certain Types of Carmichael Numbers

ORDERS OF ELEMENTS IN A GROUP

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Ma/CS 6a Class 4: Primality Testing

CPSC 467b: Cryptography and Computer Security

A Guide to Arithmetic

Proof by Contradiction

Math 324, Fall 2011 Assignment 7 Solutions. 1 (ab) γ = a γ b γ mod n.

PRIMALITY TEST FOR FERMAT NUMBERS USING QUARTIC RECURRENCE EQUATION. Predrag Terzic Podgorica, Montenegro

Primality Testing- Is Randomization worth Practicing?

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Introduction to Number Theory

FERMAT S TEST KEITH CONRAD

Pseudoprimes and Carmichael Numbers

5: The Integers (An introduction to Number Theory)

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers Solutions

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

Homework #2 solutions Due: June 15, 2012

Introduction to Public-Key Cryptosystems:

MATH 25 CLASS 8 NOTES, OCT

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

IRREDUCIBILITY TESTS IN F p [T ]

WORKSHEET MATH 215, FALL 15, WHYTE. We begin our course with the natural numbers:

A Few Primality Testing Algorithms

THE SOLOVAY STRASSEN TEST

Public Key Encryption

Lecture Notes, Week 6

CPSC 467b: Cryptography and Computer Security

THE MILLER RABIN TEST

MATH 4400 SOLUTIONS TO SOME EXERCISES. 1. Chapter 1

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

2. THE EUCLIDEAN ALGORITHM More ring essentials

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

8 Primes and Modular Arithmetic

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

11 Division Mod n, Linear Integer Equations, Random Numbers, The Fundamental Theorem of Arithmetic

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

198 VOLUME 46/47, NUMBER 3

1. multiplication is commutative and associative;

7.2 Applications of Euler s and Fermat s Theorem.

Senior Math Circles Cryptography and Number Theory Week 2

Some Facts from Number Theory

Solutions to Problem Set 4 - Fall 2008 Due Tuesday, Oct. 7 at 1:00

Numbers, Groups and Cryptography. Gordan Savin

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

arxiv: v1 [math.gr] 15 Oct 2017

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

basics of security/cryptography

Chapter 5.1: Induction

Number Theory Homework.

Entry Number:2007 mcs Lecture Date: 18/2/08. Scribe: Nimrita Koul. Professor: Prof. Kavitha.

Euler s, Fermat s and Wilson s Theorems

Beautiful Mathematics

ECE646 Lecture 11 Required Reading Chapter 8.3 Testing for Primality RSA Key Generation

The running time of Euclid s algorithm

Proofs. Methods of Proof Divisibility Floor and Ceiling Contradiction & Contrapositive Euclidean Algorithm. Reading (Epp s textbook)

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

The following is an informal description of Euclid s algorithm for finding the greatest common divisor of a pair of numbers:

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

Transcription:

LARGE PRIME NUMBERS 1. Fermat Pseudoprimes Fermat s Little Theorem states that for any positive integer n, if n is prime then b n % n = b for b = 1,..., n 1. In the other direction, all we can say is that if b n % n = b for b = 1,..., n 1 then n might be prime. If b n % n = b where b {1,..., n 1} then n is called a Fermat pseudoprime base b. There are 669 primes under 5000, but only five values of n (561, 1105, 1729, 2465, and 2821) that are Fermat pseudoprimes base b for b = 2, 3, 5 without being prime. This is a false positive rate of less than 1%. The false positive rate under 500,000 just for b = 2, 3 is 0.118%. On the other hand, the bad news is that checking more bases b doesn t reduce the false positive rate much further. There are infinitely many Carmichael numbers, numbers n that are Fermat pseudoprimes base b for all b {1,..., n 1} but are not prime. In sum, Fermat pseudoprimes are reasonable candidates to be prime. 2. Strong Pseudoprimes The Miller Rabin test on a positive integer n and a positive test base b in {1,..., n 1} proceeds as follows. Factor n 1 as 2 s m where m is odd. Replace b by b m % n. If b = 1 then return the result that n could be prime, and terminate. Do the following s times: If b = n 1 then return the result that n could be prime, and terminate; otherwise replace b by b 2 % n. If the algorithm has not yet terminated then return the result that n is composite, and terminate. (Slight speedups here: (1) If the same n is to be tested with various bases b then there is no need to factor n 1 = 2 s m each time; (2) there is no need to compute b 2 % n on the sth time through the step in the fourth bullet.) A positive integer n that passes the Miller Rabin test for some b is a strong pseudoprime base b. For any n, at least 3/4 of the b-values in {1,..., n 1} have the property that if n is a strong pseudoprime base b then n is really prime. But according to the theory, up to 1/4 of the b-values have the property that n could be a strong pseudoprime base b but not be prime. In practice, the percentage of such b s is much lower. For n up to 500,000, if n is a strong pseudoprime base 2 and base 3 then n is prime. 1

2 LARGE PRIME NUMBERS 3. Generating Candidate Large Primes Given n, a simple approach to finding a candidate prime above 2n is as follows. Take the first of N = 2n + 1, N = 2n + 3, N = 2n + 5,... to pass the following test. (1) Try trial division for a few small primes. If N passes, continue. (2) Check whether N is a Fermat pseudoprime base 2. If N passes, continue. (3) Check whether N is a strong pseudoprime base b as b runs through the first 20 primes. Any N that passes the test is extremely likely to be prime. And such an N should appear quickly. Indeed, using only the first three primes in step (3) of the previous test finds the following correct candidate primes: The first candidate prime after 10 50 is 10 50 + 151. The first candidate prime after 10 100 is 10 100 + 267. The first candidate prime after 10 200 is 10 200 + 357. The first candidate prime after 10 300 is 10 300 + 331. The first candidate prime after 10 1000 is 10 1000 + 453. 4. Certifiable Large Primes The Lucas Pocklington Lehmer Criterion is as follows. Suppose that N = p U + 1 where p is prime and p > U. Suppose also that there is a base b such that b N 1 % N = 1 but gcd(b U 1, N) = 1. Then N is prime. The proof will be given in the next section. It is just Fermat s Little Theorem and some other basic number theory. As an example of using the result, start with p = 1000003. This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is N = 1032 p + 1 = 1032003097. And 2 N 1 % N = 1 and gcd(2 1032 1, N) = 1, so the LPL Criterion is satisfied, and N is prime. Rename it p. A candidate prime above 10 9 p of the form p U + 1 is N = p (10 9 + 146) + 1 = 1032003247672452163. A candidate prime above 10 17 p of the form p U + 1 is N = p (10 17 + 24) + 1 = 103200324767245241068077944138851913. A candidate prime above 10 34 p of the form p U + 1 is N = p (10 34 + 224) + 1 =10320032476724524106807794413885422 46872747862933999249459487102828513.

LARGE PRIME NUMBERS 3 A candidate prime above 10 60 p of the form p U + 1 is N = p (10 60 + 1362) + 1 =10320032476724524106807794413885422 468727478629339992494608926912518428 801833472215991711945402406825893161 06977763821434052434707. A candidate prime above 10 120 p of the form p U + 1 is N = p (10 120 + 796) + 1 =10320032476724524106807794413885422 468727478629339992494608926912518428 801833472215991711945402406825893161 069777638222555270198542721189019004 353452796285107072988954634025708705 822364669326259443883929402708540315 83341095621154300001861505738026773. Again b = 2 works in the LPL Criterion, so N is prime. 5. Proof of the Lucas Pocklington Lehmer Criterion Recall the Lucas Pocklington Lehmer Criterion: Suppose that N = p U + 1 where p is prime and p > U. Suppose also that there is a base b such that b N 1 % N = 1 but gcd(b U 1, N) = 1. Then N is prime. The proof begins with an observation that goes back to Fermat and Euler: Fermat Euler Criterion. Let p be prime. Let N be an integer such that If there is an integer b such that then N % p = 1. b N 1 % N = 1 and gcd(b (N 1)/p 1, N) = 1 q % p = 1 for each prime divisor q of N. To prove the Fermat Euler criterion, let q be any prime divisor of N. b N 1 % N = 1, it follows that b N 1 % q = 1. Since Let t be the smallest positive integer such that b t % q = 1. Thus t N 1, and also t q 1 by Fermat s Little Theorem. On the other hand, we claim that b (N 1)/p % q 1, so that t (N 1)/p. Indeed, if equality were to hold in the previous display, then we would have b (N 1)/p 1 = kq, violating the condition gcd(b (N 1)/p 1, N) = 1. Now we have, t N 1, t (N 1)/p so that p t, and in fact p t, t q 1. It follows that p q 1, i.e., q % p = 1 as desired.

4 LARGE PRIME NUMBERS Returning to the Lucas Pocklington Lehmer Criterion, recall that we have N = p U + 1 where p > U. The properties of the base b show that all prime divisors q of N satisfy q % p = 1. If N were to be composite then it would have a prime divisor q N. But this forces q < p, and hence q % p 1, contradiction. Therefore N is prime. 6. Discussion of the Miller Rabin Test Given a positive integer n and a base b, reason as follows. Factor n 1 = 2 s m where m is odd. If n is prime then b n 1 = 1 (here and throughout this discussion, all arithmetic is being carried out modulo n). So by contraposition, if b n 1 1 then n is composite. Hence we continue reasoning only if b n 1 = 1. In this case we know a square root of 1: it is b (n 1)/2. If b (n 1)/2 ±1 then too many square roots of 1 exist mod n for n to be prime, and so n is composite. If b (n 1)/2 = 1 then we have no evidence that n is composite, nor can we proceed, since we have no new square roots of 1 to study. The algorithm terminates, reporting that n could be prime. But if b (n 1)/2 = 1 then we do have a new square root of 1 at hand: it is b (n 1)/4. This process can continue until b 2m = 1, so that b m is a square root of 1. If b m ±1 then n is composite. Otherwise, n could be prime. To encode the algorithm efficiently, the only wrinkle is to compute the powers of b from low to high, even though the analysis here considered them from high to low. Inspecting the highest power b n 1 turns out to be redundant. Another way to think about the Miller Rabin test is as follows. Again let n 1 = 2 s m. Then X 2s m 1 1 = (X 2s 1m + 1)(X 2s 1m 1) = (X 2s 1m + 1)(X 2s 2m + 1)(X 2s 2m 1) = (X 2s 1m + 1)(X 2s 2m + 1)(X 2s 3m + 1)(X 2s 3m 1). = (X 2s 1m + 1)(X 2s 2m + 1)(X 2s 3m + 1) (X m + 1)(X m 1). That is, rewriting the left side and reversing the order of the factors of the right side, s 1 X n 1 1 = (X m 1) (X 2rm + 1). It follows that s 1 b n 1 1 = (b m 1) (X 2rm + 1) mod n, for b = 1,..., n 1. r=0 If n is prime then b n 1 1 = 0 mod n for b = 1,..., n, and also Z/nZ is a field, so that necessarily one of the factors on the right side vanishes modulo n as well. r=0

LARGE PRIME NUMBERS 5 That is, given any base b {1,..., n 1}, if n is prime then at least one of the factors b m 1, {b 2rm + 1 : 0 r s 1} vanishes modulo n. So conversely, given any base b {1,..., n 1}, if none of the factors vanishes modulo n then n is composite. This analysis shows that the Miller Rabin test can be phrased as earlier in this writeup. (Beginning of analysis of false positives.) Lemma. Let p be an odd prime. Let n be a positive integer divisible by p 2. Let x, y be integers such that x = y mod p and x n 1 = y n 1 = 1 mod n. Then x = y mod p 2. First we note that x p = y p mod p 2. This follows quickly from the relation x p y p = (x y)(x p 1 + x p 2 y + + xy p 2 + y p 1 ), because the condition x = y mod p makes each of the multiplicands on the right side a multiple of p. Second, raise both sides of the relation x p = y p mod p 2 to the power n/p to get x n = y n mod p 2. But since x n = x mod n, certainly x n = x mod p 2, and similarly for y. The result follows. Proposition. Let p be an odd prime. Let n be a positive integer divisible by p 2. Let B denote the set of bases b between 1 and n 1 such that n is a Fermat pseudoprime base b, i.e., B = {b : 1 b n 1 and b n 1 % n = 1}. Then B p 1 p 2 n 1 (n 1). 4 To see this, decompose B according to the values of its elements modulo p, B = p 1 d=1 where B d = {b B : b % p = d}, 1 d p 1. For any d such that 1 d p 1, if b 1, b 2 S d then we know that b 1 = b 2 mod p 2. It follows that S d n/p 2, and the result follows. B d

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback