Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Similar documents
Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

D. J. Bernstein University of Illinois at Chicago

Postmodern Primality Proving

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

HOW TO FIND SMOOTH PARTS OF INTEGERS. 1. Introduction. usually negligible Smooth part of x. usually negligible Is x smooth?

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Integer factorization, part 1: the Q sieve. part 2: detecting smoothness. D. J. Bernstein

ECPP in PARI/GP. Jared Asuncion. 29 January Asuncion, J. ECPP in PARI/GP 29 January / 27

part 2: detecting smoothness part 3: the number-field sieve

Primality testing: then and now

Primality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Primality testing: then and now

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

Counting points on hyperelliptic curves

Polynomial arithmetic and applications in number theory

Theoretical Cryptography, Lecture 13

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

One can use elliptic curves to factor integers, although probably not RSA moduli.

Discrete Math, Fourteenth Problem Set (July 18)

L-Polynomials of Curves over Finite Fields

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

The tangent FFT. D. J. Bernstein University of Illinois at Chicago

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

this to include the explicit maps, please do so!

Constructing genus 2 curves over finite fields

Factoring univariate polynomials over the rationals

arxiv: v1 [math.nt] 31 Dec 2011

Addition laws on elliptic curves. D. J. Bernstein University of Illinois at Chicago. Joint work with: Tanja Lange Technische Universiteit Eindhoven

Hyperelliptic curves

Edwards Curves and the ECM Factorisation Method

Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography

Algorithms. Shanks square forms algorithm Williams p+1 Quadratic Sieve Dixon s Random Squares Algorithm

University of Illinois at Chicago. Prelude: What is the fastest algorithm to sort an array?

DISTINGUISHING PRIME NUMBERS FROM COMPOSITE NUMBERS: THE STATE OF THE ART IN 2004

Elliptic curves: applications and problems

Discrete Logarithm Problem

Non-generic attacks on elliptic curve DLPs

A Proof of the Lucas-Lehmer Test and its Variations by Using a Singular Cubic Curve

Abstracts of papers. Amod Agashe

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

Dixon s Factorization method

Lecture 6: Cryptanalysis of public-key algorithms.,

AMBIGUOUS FORMS AND IDEALS IN QUADRATIC ORDERS. Copyright 2009 Please direct comments, corrections, or questions to

Counting points on elliptic curves over F q

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

A Course in Computational Algebraic Number Theory

Elliptic Curves, Factorization, and Cryptography

Thanks to: University of Illinois at Chicago NSF DMS Alfred P. Sloan Foundation

Euler s ϕ function. Carl Pomerance Dartmouth College

Primality Test Via Quantum Factorization. Abstract

Infinite rank of elliptic curves over Q ab and quadratic twists with positive rank

A Few Primality Testing Algorithms

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

arxiv:math/ v1 [math.nt] 16 Jan 2003

Finite Fields and Elliptic Curves in Cryptography

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

1: Please compute the Jacobi symbol ( 99

Introduction to Elliptic Curve Cryptography. Anupam Datta

Rational Points on Curves in Practice. Michael Stoll Universität Bayreuth Journées Algophantiennes Bordelaises Université de Bordeaux June 8, 2017

PROVING PRIMALITY AFTER AGRAWAL-KAYAL-SAXENA

Class numbers of algebraic function fields, or Jacobians of curves over finite fields

Computing the endomorphism ring of an ordinary elliptic curve

Counting Points on Curves of the Form y m 1 = c 1x n 1 + c 2x n 2 y m 2

Computational Number Theory. Adam O Neill Based on

Number Theory, Algebra and Analysis. William Yslas Vélez Department of Mathematics University of Arizona

Factorization & Primality Testing

Euclidean prime generators

A Fast Euclidean Algorithm for Gaussian Integers

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Basic Algorithms in Number Theory

Elliptic Nets With Applications to Cryptography

Generalized Lucas Sequences Part II

Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 )

Elliptic curves: Theory and Applications. Day 3: Counting points.

FACTORIZATION WITH GENUS 2 CURVES

Advanced Algorithms and Complexity Course Project Report

Counting Points on Curves using Monsky-Washnitzer Cohomology

Explicit Complex Multiplication

DETERMINISTIC ELLIPTIC CURVE PRIMALITY PROVING FOR A SPECIAL SEQUENCE OF NUMBERS

AMICABLE PAIRS AND ALIQUOT CYCLES FOR ELLIPTIC CURVES OVER NUMBER FIELDS

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

ax b mod m. has a solution if and only if d b. In this case, there is one solution, call it x 0, to the equation and there are d solutions x m d

1 Overview and revision

COMPUTING MODULAR POLYNOMIALS

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers Solutions

Computational algebraic number theory tackles lattice-based cryptography

Genus 2 Curves of p-rank 1 via CM method

Primality testing: variations on a theme of Lucas

SM9 identity-based cryptographic algorithms Part 1: General

w d : Y 0 (N) Y 0 (N)

The ranges of some familiar arithmetic functions

Counting points on curves: the general case

THE JACOBIAN AND FORMAL GROUP OF A CURVE OF GENUS 2 OVER AN ARBITRARY GROUND FIELD E. V. Flynn, Mathematical Institute, University of Oxford

ZEROS OF POLYNOMIAL FUNCTIONS ALL I HAVE TO KNOW ABOUT POLYNOMIAL FUNCTIONS

Block-tridiagonal matrices

On Orders of Elliptic Curves over Finite Fields

Transcription:

Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago

Is it easy to determine whether a given integer is prime? If easy means computable : Yes, of course. If easy means computable in polynomial time : Yes. (2002 Agrawal/Kayal/Saxena) If easy means computable in essentially cubic time : Conjecturally yes! See Williams talk tomorrow.

What about quadratic time? What about linear time? What if we want to determine with proof whether a given integer is prime? Can results be verified faster than they re computed? What if we want proven bounds on time? Does randomness help?

Cost measure for this talk: time on a serial computer. Beyond scope of this talk: use Ì cost measure to see communication, parallelism. Helpful subroutines: Can compute -bit product, quotient, gcd in time 1+Ó(1). (1963 Toom; 1966 Cook; 1971 Knuth) Beyond scope of this talk: time analyses more precise than constant+ó(1).

Compositeness proofs If Ò is prime and Û ¾ Z then Û Ò Û ¾ ÒZ so Ò is Û-sprp : the easy difference-of-squares factorization of Û Ò Û, depending on ord 2 (Ò 1), has at least one factor in ÒZ. e.g.: If Ò ¾ 5 + 8Z is prime and Û ¾ Z then Û ¾ ÒZ or Û (Ò 1) 2 + 1 ¾ ÒZ or Û (Ò 1) 4 + 1 ¾ ÒZ or Û (Ò 1) 4 1 ¾ ÒZ.

Given Ò 2: Try random Û. If Ò is not Û-sprp, have proven Ò composite. Otherwise keep trying. Given composite Ò, this algorithm eventually finds compositeness certificate Û. Each Û has 75% chance. Random time 2+Ó(1) to find certificate if Ò 2. Deterministic time 2+Ó(1) to verify certificate. Open: Is there a compositeness certificate findable in time Ç(1), verifiable in time 1+Ó(1)?

Given prime Ò, this algorithm loops forever. After many Û s we are confident that Ò is prime but we don t have a proof. Challenge to number theorists: Prove Ò prime! Side issue: Do users care? Paranoid bankers: Yes, we demand primality proofs. Competent cryptographers: No, but we have other uses for the underlying tools.

Combinatorial primality proofs If there are many elements of a particular subgroup of a prime cyclotomic extension of Z Ò then Ò is a power of a prime. (2002 Agrawal/Kayal/Saxena) Many primes Ö have prime divisors of Ö 1 above Ö 2 3 (1985 Fouvry). Deduce that AKS algorithm takes time 12+Ó(1) to prove primality of Ò. Algorithm is conjectured to take time 6+Ó(1).

Variant using arbitrary cyclotomic extensions takes time 8+Ó(1). (2002 Lenstra) Variant with better bound on group structure takes time 7 5+Ó(1). (2002 Macaj; same idea without credit in 2003 revision of AKS paper) These variants are conjectured to take time 6+Ó(1). Variant using Gaussian periods is proven to take time 6+Ó(1). (2004 Lenstra/Pomerance)

What if Ò is composite? Output of these algorithms is a compositeness proof. Time 4+Ó(1) to verify proof. Time 6+Ó(1) to find proof. For comparison, traditional sprp compositeness proofs: verify proof, 2+Ó(1) ; find proof, random 2+Ó(1). For comparison, factorization: verify proof, 1+Ó(1) ; find proof, conjectured (1 901 +Ó(1))( lg )1 3.

Benefit from randomness? Use random Kummer extensions; twist. (2003.01 Bernstein, and independently 2003.03 Mihăilescu/Avanzi; 2-power-degree case: 2002.12 Berrizbeitia; prime-degree case: 2003.01 Cheng) Many divisors of Ò 1983 Odlyzko/Pomerance). Deduce: time 4+Ó(1) 1 (overkill: to verify primality certificate. Random time 2+Ó(1) to find certificate.

Open: Primality proof with proven deterministic time 5+Ó(1) to find, verify? Open: Primality proof with proven random time 3+Ó(1) to find, verify? Open: Primality proof with reasonably conjectured time 3+Ó(1) to find, verify?

Prime-order primality proofs If Û Ò 1 = 1 in Z Ò, and Ò 1 has a prime divisor Õ Ô Ò with Û (Ò 1) Õ 1 in (Z Ò), then Ò is prime. (1876 Lucas, 1914 Pocklington, 1927 Lehmer) Many generalizations. Can extend Z Ò. (1876 Lucas, 1930 Lehmer, 1975 Morrison, 1975 Selfridge/Wunderlich, 1975 Brillhart/Lehmer/Selfridge, 1976 Williams/Judd, 1983 Adleman/Pomerance/Rumely)

Can prove arbitrary primes. Proofs are fast to verify but often very slow to find. Replace unit group by random elliptic-curve group. (1986 Goldwasser/Kilian; point counting: 1985 Schoof) Use complex-multiplication curves; faster point counting. (1988 Atkin; special cases: 1985 Bosma, 1986 Chudnovsky/Chudnovsky) Merge square-root computations. (1990 Shallit)

Culmination of these ideas is fast elliptic-curve primality proving (FastECPP): Conjectured time 4+Ó(1) to find certificate proving primality of Ò. Proven deterministic time 3+Ó(1) to verify certificate. For comparison, combinatorics: proven random 2+Ó(1) to find, 4+Ó(1) to verify.

Variant using genus-2 hyperelliptic curves: Proven random time Ç(1) to find certificate proving primality of Ò. (1992 Adleman/Huang) Tools in proof: bounds on size of Jacobian (1948 Weil); many primes in interval of width Ü 3 4 around Ü (1979 Iwaniec/Jutila). Proven deterministic time 3+Ó(1) to verify certificate.

Variant using elliptic curves with large power-of-2 factors (1987 Pomerance): Proven existence of certificate proving primality of Ò. Proven deterministic time 2+Ó(1) to verify certificate. Open: Is there a primality certificate findable in time Ç(1), verifiable in time 2+Ó(1)? Open: Is there a primality certificate verifiable in time 1+Ó(1)?

Verifying elliptic-curve proofs Main theorem in a nutshell: If an elliptic curve (Z Ò) has a point of prime order Õ ( Ò 1 4 + 1) 2 then Ò is prime. Proof in a nutshell: If Ô is a prime divisor of Ò then the same point mod Ô has order Õ in (F Ô ), but # (F Ô ) ( Ô Ô + 1) 2 (Hasse 1936), so Ò 1 2 Ô.

More concretely: Given odd integer Ò 2, ¾ 6 10 14 18, integer, gcd Ò 3 + 2 + = 1, gcd Ò 2 4 = 1, prime Õ ( Ò 1 4 + 1) 2 : Define Ü1 =, Þ1 = 1, Ü2 = (Ü 2 Þ2 )2, Þ2 = 4Ü Þ (Ü 2 + Ü Þ + Þ 2 ), Ü2 +1 = 4(Ü Ü +1 Þ Þ +1 ) 2, Þ2 +1 = 4(Ü Þ +1 Þ Ü +1 ) 2. If Þ Õ ¾ ÒZ then Ò is prime.

For each prime Ô dividing Ò: ( 2 4)( 3 + 2 + ) = 0 in F Ô, so ( 3 + 2 + )Ý 2 = Ü 3 + Ü 2 + Ü is an elliptic curve over F Ô ; ( 1) is a point on curve. On curve: ( 1) = (Ü Þ ) generically. (1987 Montgomery) Analyze exceptional cases, show Õ( 1) = ½. (2006 Bernstein) Many previous ECPP variants. Trickier recursions, typically testing coprimality.

Finding elliptic-curve proofs To prove primality of Ò: Choose random. Compute # (Z Ò) by Schoof s algorithm. Compute Õ = # (Z Ò) 2. If Õ doesn t seem prime, try new. If Õ Ò or Õ ( Ò 1 4 + 1) 2 : Ò is small; easy base case. Otherwise: Recursively prove primality of Õ. Choose random point È on. If 2È = ½, try another È. Now 2È has prime order Õ.

Schoof s algorithm: time 5+Ó(1). Conjecturally find prime Õ after 1+Ó(1) curves on average. Reduce number of curves by allowing smaller ratios Õ # (Z Ò). Recursion involves 1+Ó(1) levels. Reduce number of levels by allowing and demanding smaller ratios Õ # (Z Ò). Overall time 7+Ó(1).

Faster way to generate curves with known number of points: generate curves with small-discriminant complex multiplication (CM). Reduces conjectured time to 5+Ó(1). With more work: 4+Ó(1). CM has applications beyond primality proofs: e.g., can generate CM curves with low embedding degree for pairing-based cryptography.

Complex multiplication Consider positive squarefree integers ¾ 3 + 4Z. (Can allow some other s too.) If prime Ò equals (Ù 2 + Ú 2 ) 4 then CM with discriminant produces curves over Z Ò with Ò + 1 Ù points. Assuming 2+Ó(1) : Time 2 5+Ó(1). Fancier algorithms: 2+Ó(1).

First step: Find all vectors ( ) ¾ Z 3 with gcd = 1, = 2 4,, and 0 µ. How? Try Ô each integer Ô between 3 and 3. Find all small factors of 2 Ô +. Find all factors 3. For each ( ), find and check conditions.

Second step: For each ( ) compute to high precision ( 2 + Ô 2 ) ¾ C. Some wacky standard notations: Õ(Þ) = exp(2 Þ). 24 = Õ 1 + 1( È 1) (3 Õ 1) 2 + È 1( 1) Õ (3 +1) 2 24. 24 1 (Þ) = 24 (Þ 2) 24 (Þ). = ( 24 1 + 16)3 24 1.

How much precision is needed? Answer: 1+Ó(1) bits; 0 5+Ó(1) terms in sum; 1+Ó(1) inputs ( ); total time 2 5+Ó(1). Don t need explicit upper bound on error. Start with low precision; obtain interval around answer; if precision is too small, later steps will notice that interval is too large, so retry with double precision.

Third step: Compute product À ¾ C[Ü] of Ü ( 2 + Ô over all ( ). 2 ) Amazing fact: À ¾ Z[Ü]. The values are algebraic integers generating a class field. 1+Ó(1) factors. Time 2+Ó(1).

Fourth step: Find a root Ö of À in Z Ò. Easy since Ò is prime. Amazing fact: the curve Ý 2 = Ü 3 + (3Ü + 2)Ö (1728 Ö) has Ò + 1 + Ù points for some (Ù Ú) with 4Ò = Ù 2 + Ú 2.

FastECPP using CM To prove primality of Ò: Choose Ý ¾ 1+Ó(1). For each odd prime Ô Ý, compute square root of Ô in quadratic extension of Z Ò. Also square root of 1. Each square root costs 2+Ó(1). Total time 3+Ó(1).

For each positive squarefree Ý-smooth ¾ 3 + 4Z below 2+Ó(1), compute square root of in quadratic extension of Z Ò. Each square root costs 1+Ó(1) : multiply square roots of primes. Total time 3+Ó(1).

For each having Ô ¾ Z Ò, find Ù Ú with 4Ò = Ù 2 + Ú 2, if possible. This can be done by a half-gcd computation. Each costs 1+Ó(1). Total time 3+Ó(1).

Conjecturally there are 1+Ó(1) choices of ( Ù Ú). Look for Ò + 1 Ù having form 2Õ where Õ is prime. More generally: remove small factors from Ò + 1 Ù; then look for primes. Each compositeness proof costs 2+Ó(1). Total time 3+Ó(1).

Conjecturally have several choices of ( Ù Ú Õ), when Ó(1) s are large enough. Use CM to construct curve with order divisible by Õ. Time 2 5+Ó(1) ; negligible. Problems can occur. Might have Ò + 1 + Ù when Ò + 1 Ù was desired, or vice versa. Curve might not be isomorphic to curve of desired form Ý 2 = Ü 3 + Ü 2 + Ü. Can work around problems, or simply try next curve.

Recursively prove Õ prime. Deduce that Ò is prime. 1+Ó(1) levels of recursion. Total time 4+Ó(1). Verification time 3+Ó(1). Open: Can we quickly find ( Õ) with an elliptic curve (or another group scheme), Õ prime, Õ ¾ [Ò 0 6 Ò 0 9 ], and # (Z Ò) ¾ ÕZ?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback