Ma/CS 6a Class 4: Primality Testing

Similar documents
Ma/CS 6a Class 4: Primality Testing

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Ma/CS 6a Class 3: The RSA Algorithm

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

Introduction to Public-Key Cryptosystems:

Lecture 1: Introduction to Public key cryptography

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

CPSC 467b: Cryptography and Computer Security

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Math.3336: Discrete Mathematics. Mathematical Induction

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

CPSC 467b: Cryptography and Computer Security

basics of security/cryptography

CPSC 467b: Cryptography and Computer Security

Number Theory A focused introduction

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Applied Cryptography and Computer Security CSE 664 Spring 2018

ECE596C: Handout #11

Public Key Encryption

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

MATH 145 Algebra, Solutions to Assignment 4

Factorization & Primality Testing

Chapter 8. Introduction to Number Theory

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

The RSA cryptosystem and primality tests

Public Key Algorithms

CSE 521: Design and Analysis of Algorithms I

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Cryptography IV: Asymmetric Ciphers

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Introduction to Cryptology. Lecture 20

Factoring. Number Theory # 2

1. Algebra 1.7. Prime numbers

ECE646 Lecture 11 Required Reading Chapter 8.3 Testing for Primality RSA Key Generation

Mathematical Foundations of Public-Key Cryptography

Primality Testing- Is Randomization worth Practicing?

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Ma/CS 6a Class 2: Congruences

Pseudoprimes and Carmichael Numbers

Number Theory and Group Theoryfor Public-Key Cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

CPSC 467: Cryptography and Computer Security

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Iterated Encryption and Wiener s attack on RSA

Asymmetric Encryption

Some Facts from Number Theory

Number theory (Chapter 4)

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Lecture 22: RSA Encryption. RSA Encryption

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

10 Modular Arithmetic and Cryptography

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Cryptography: Joining the RSA Cryptosystem

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Number Theory & Modern Cryptography

Discrete Mathematics GCD, LCM, RSA Algorithm

Lecture 11 - Basic Number Theory.

Lecture Notes, Week 6

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

CIS 551 / TCOM 401 Computer and Network Security

Encryption: The RSA Public Key Cipher

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Ma/CS 6a Class 2: Congruences

IRREDUCIBILITY TESTS IN F p [T ]

1 Rabin Squaring Function and the Factoring Assumption

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

ECEN 5022 Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Mathematics of Cryptography

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

Lecture 31: Miller Rabin Test. Miller Rabin Test

The security of RSA (part 1) The security of RSA (part 1)

Basic elements of number theory

Basic elements of number theory

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Homework 5. This homework is due October 6, 2014, at 12:00 noon.

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Implementation Tutorial on RSA

Introduction to Cryptography. Lecture 6

10 Public Key Cryptography : RSA

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

Introduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 481 / C&O 681

Applied Cryptography and Computer Security CSE 664 Spring 2017

Transcription:

Ma/CS 6a Class 4: Primality Testing By Adam Sheffer Reminder: Euler s Totient Function Euler s totient φ(n) is defined as follows: Given n N, then φ n = x 1 x < n and GCD x, n = 1. In more words: φ n is the number of natural numbers 1 x n such that x and n are relatively prime. φ 12 = 1,5,7,11 = 4. 1

Reminder #2: The RSA Algorithm Bob wants to generate keys: Arbitrarily chooses primes p and q.? n = pq find φ n.? Chooses e such that GCD φ n, e = 1. Find d such that de 1 mod φ n.? Alice wants to pass bob m. Receives n, e from Bob. Returns X m e mod n. Bob receives X. Calculates X d mod n.? Finding φ n Problem. Given n = pq, where p, q are large primes, find φ n. We need the number of elements in 1,2,, n that are not multiplies of p or q. There are n = q numbers are divisible by p. p There are n = p numbers are divisible by q. q Only n = pq is divided by both. Thus: φ n = n p q + 1. 2

The RSA Algorithm Bob wants to generate keys: Arbitrarily chooses primes p and q.? n = pq find φ n. Chooses e such that GCD φ n, e = 1. Find d such that de 1 mod φ n.? Alice wants to pass bob m. Receives n, e from Bob. Returns X m e mod n. Bob receives X. Calculates X d mod n.? Choose e s.t. GCD φ n,e = 1 Problem. Given n = pq, where p, q are large primes, find e N such that GCD φ n, e = 1. We can choose arbitrary numbers until we find one that is relatively prime to φ n. For the worst values of φ n, a random number is good with probability 1/ log log n. 3

The RSA Algorithm Bob wants to generate keys: Arbitrarily chooses primes p and q.? n = pq find φ n. Chooses e such that GCD φ n, e = 1. Find d such that de 1 mod φ n.? Alice wants to pass bob m. Receives n, e from Bob. Returns X m e mod n. Bob receives X. Calculates X d mod n. Find d such that de 1 mod φ n Recall. Since GCD e, φ n = 1 then there exist s, t Z such that se + tφ n = 1. That is, se 1 mod φ n. We can find s, t by the extended Euclidean algorithm from lecture 2. 4

Quantum Computing A bit of a computer contains a value of either 0 or 1. A quantum computer contains qubits, which can be in superpositions of states. Theoretically, a quantum computer can easily factor numbers and decipher almost any known encryption. Should We Stop Ordering Things Online? 5

The RSA Algorithm Bob wants to generate keys: Arbitrarily chooses primes p and q.? n = pq find φ n. Chooses e such that GCD φ n, e = 1. Find d such that de 1 mod φ n. Alice wants to pass bob m. Receives n, e from Bob. Returns X m e mod n. Bob receives X. Calculates X d mod n. Finding Large Primes Let n be a LARGE integer (e.g., 2 4000 ). The prime number theorem. The probability of a random p 1,, n being prime is about 1/ log n. If we randomly choose numbers from 1,, n, we expect to have about log n iterations before finding a prime. But how can we check whether our choice is a prime or not?! 6

Primality Testing Given a LARGE q Z, how can we check whether q is prime? The naïve approach. Go over every number in 2,, q and check whether it divides q. Our numbers are so large that a computer cannot do such a check in a reasonable time! Recall: Fermat s Little Theorem For any prime p and integer a relatively prime to p, we have a p a mod p. Pick an integer a that is not a multiple of q and check whether a q a mod q. If not, q is not a prime! If yes,??? Pierre de Fermat 7

Example: Fermat Primality Testing Is n = 355207 prime? 2 355207 84927 mod 355207. n is not prime since 2 n 2 mod n. We can try 1000 different values of a and see if a n a mod n for each of them. Carmichael Numbers A number q N is said to be a Carmichael number if it is not prime, but still satisfies a q a mod q for every a that is relatively prime to q. The smallest such number is 561. Very rare about one in 50 trillion in the range 1 10 21. R. D. Carmichael 8

Example: Carmichael Numbers Claim. Let k N 0 such that 6k + 1, 12k + 1, and 18k + 1 are primes. Then n = 6k + 1 12k + 1 18k + 1 is a Carmichael number. Example. For k = 1, we have that 7,13,19 are primes. 7 13 19 = 1729 is a Carmichael number. Proof Need to prove: Any a that is relatively prime to n satisfies a n a mod n. Since GCD a, n = 1, this is equivalent to proving a n 1 1 mod n. We rewrite n = 1296k 3 + 396k 2 + 36k + 1. For any such a, we have a n 1 = a 1296k3 +396k 2 +36k = a 6k 216k2 +66k+6. 9

Proof (cont.) For any a relatively prime to n, we have a n 1 = a 6k 216k2 +66k+6. Recall. If a N is not divisible by a prime p then a p 1 1 mod p. Since a and 6k + 1 are relatively prime a n 1 1 216k2 +66k+6 1 mod 6k + 1. Similarly, we have a n 1 1 mod 12k + 1 and a n 1 1 mod 18k + 1. Since a n 1 1 is divisible by the three primes 6k + 1, 12k + 1, and 18k + 1, it is also divisible by their product n. That is, a n 1 1 mod n. Miller Rabin Primality Test The Miller Rabin primality test works on every number. Gary Miller Michael Rabin 10

Recalling Some Basics Over R, the solutions to a 2 = 1 are a = ±1. For a prime p, some solutions to a 2 1 mod p are a ±1 mod p. Recall that 1 p 1 mod p. Root of Unity Claim. For any prime p, the only numbers a 0,1,, p 1 for which a 2 1 mod p are 1 and p 1. Example. The solutions to a 2 1 mod 1009 are exactly the numbers satisfying a 1 or 1008 mod 1009. 11

Root of Unity Claim. For any prime p, the only numbers a 0,1,, p 1 for which a 2 1 mod p are 1 and p 1. Proof. a 2 1 mod p a + 1 a 2 1 0 mod p a 1 0 mod p That is, either p a + 1 or p a 1. More Basics Is the following always correct? a 2 1 a + 1 a 1 mod p Yes a + 1 a 1 = a 2 + a a 1 = a 2 1. and this still holds mod p. 12

Root of Unity (cont.) Claim. For any prime p, the only numbers a 0,1,, p 1 for which a 2 1 mod p are 1 and p 1. Proof. a 2 1 mod p a 2 1 0 mod p a + 1 a 1 0 mod p That is, either p a + 1 or p a 1. Roots of Unity Properties Given a prime p > 2, we write p 1 = 2 s d where d is odd and s 1. Claim. For any odd prime p and any 1 < a < p, one of the following holds. a d 1 mod p. There exists 0 r < s such that a 2rd 1 mod p. 13

Roots of Unity Properties (2) Claim. For any odd prime p and any 1 < a < p, one of the following holds. a d 1 mod p. There exists 0 r < s such that a 2rd 1 mod p. Proof. By Fermat s little theorem a p 1 1 mod p. Consider a (p 1)/2, a (p 1)/4,, a (p 1)/2s. By the previous claim, each such root is ± 1 mod n. If all of these roots equal 1, we are in the first case. Otherwise, we are in the second. Composite Witnesses Given a composite (non-prime) odd number n, we again write n 1 = 2 s d where d is odd and s 1. We say that a 2,3,4,, n 2 is a witness for n if a d 1 mod n. For every 0 r < s, we have a 2rd 1 mod n. 14

Example: Composite Witness Problem. Prove that 91 is not a prime. 90 = 2 45. 2 45 57 mod 91. 2 is a witness that 91 is not a prime. There are Many Witnsses Given an odd composite n, the probability of a number 2,, n 2 being a witness is at least ½ (this can be shown using basic group theory). Given an odd n N, take i numbers and check if they are witnesses. If we found a witness, n is composite. If we did not find a witness, n is prime with probability at least 1 1 2 i. 15

The End Never forget: With great powers comes great difficulty in prime factorization. 16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback