Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

Similar documents
Ma/CS 6a Class 4: Primality Testing

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Advanced Algorithms and Complexity Course Project Report

NOTES ON SOME NEW KINDS OF PSEUDOPRIMES

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Ma/CS 6a Class 4: Primality Testing

Factorization & Primality Testing

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

THE MILLER RABIN TEST

Primality Testing- Is Randomization worth Practicing?

Pseudoprime Statistics to 10 19

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

1. Algebra 1.7. Prime numbers

ECE646 Lecture 11 Required Reading Chapter 8.3 Testing for Primality RSA Key Generation

ON CARMICHAEL NUMBERS IN ARITHMETIC PROGRESSIONS

Applied Cryptography and Computer Security CSE 664 Spring 2018

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

On Carmichael numbers in arithmetic progressions

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

THE SOLOVAY STRASSEN TEST

IRREDUCIBILITY TESTS IN F p [T ]

A Guide to Arithmetic

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

arxiv:math/ v1 [math.nt] 17 Apr 2006

The Impossibility of Certain Types of Carmichael Numbers

CPSC 467b: Cryptography and Computer Security

Primality testing: then and now

Pseudoprimes and Carmichael Numbers

Primality testing: then and now

CSC 373: Algorithm Design and Analysis Lecture 30

Lucas Lehmer primality test - Wikipedia, the free encyclopedia

CSE 521: Design and Analysis of Algorithms I

FERMAT S TEST KEITH CONRAD

CPSC 467b: Cryptography and Computer Security

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Part II. Number Theory. Year

On the Distribution of Carmichael Numbers

About complexity. We define the class informally P in the following way:

Uncertainty can be Better than Certainty:

Primality Testing SURFACE. Syracuse University. Per Brinch Hansen Syracuse University, School of Computer and Information Science,

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture 31: Miller Rabin Test. Miller Rabin Test

Cryptography: Joining the RSA Cryptosystem

Carmichael numbers and the sieve

About complexity. Number theoretical algorithms

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Public Key Cryptography

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

arxiv: v1 [cs.sc] 17 Apr 2013

The running time of Euclid s algorithm

Euler s ϕ function. Carl Pomerance Dartmouth College

Lecture # 12. Agenda: I. Vector Program Relaxation for Max Cut problem. Consider the vectors are in a sphere. Lecturer: Prof.

On El-Gamal and Fermat s Primality Test

Departmento de Matemáticas, Universidad de Oviedo, Oviedo, Spain

Upper bounds for least witnesses and generating sets

CPSC 467b: Cryptography and Computer Security

How To Test If a Polynomial Is Identically Zero?

Primality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

Great Theoretical Ideas in Computer Science

More Hodge-Podge Pseudoprimes

The Complexity Classes NP-Hard, BPP.

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Fibonacci Pseudoprimes and their Place in Primality Testing

Equal Compositions of Rational Functions

SOLUTIONS TO PROBLEM SET 1. Section = 2 3, 1. n n + 1. k(k + 1) k=1 k(k + 1) + 1 (n + 1)(n + 2) n + 2,

Math 324, Fall 2011 Assignment 7 Solutions. 1 (ab) γ = a γ b γ mod n.

Counting Points on Curves of the Form y m 1 = c 1x n 1 + c 2x n 2 y m 2

The ranges of some familiar arithmetic functions

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

The ranges of some familiar functions

Lecture 1: Introduction to Public key cryptography

A Few Primality Testing Algorithms

FURTHER INVESTIGATIONS WITH THE STRONG PROBABLE PRIME TEST

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Number Theory. Raj Jain. Washington University in St. Louis

Entry Number:2007 mcs Lecture Date: 18/2/08. Scribe: Nimrita Koul. Professor: Prof. Kavitha.

Sneaky Composites. Number Theory. Matthew Junge. March 12th, 2010

The RSA cryptosystem and primality tests

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

1 Rabin Squaring Function and the Factoring Assumption

Lecture 11 - Basic Number Theory.

D. J. Bernstein University of Illinois at Chicago

Lecture 7: Fingerprinting. David Woodruff Carnegie Mellon University

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Folding, Jamming, and Random Walks

Analyzing and Optimizing the Combined Primality test with GCD Operation on Smart Mobile Devices

Bipartite Perfect Matching

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

arxiv: v1 [math.gm] 6 Oct 2014

CRC Press has granted the following specific permissions for the electronic version of this book:

God may not play dice with the universe, but something strange is going on with the prime numbers.

basics of security/cryptography

Chapter 5.1: Induction

Transcription:

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem Shyam Narayanan Fourth Annual MIT-PRIMES Conference Mentor: David Corwin Project Proposed by Stefan Wehmeier and Ben Hinkle May 17, 2014 Shyam Narayanan Miller-Rabin Extensions May 17, 2014 1 / 26

Overview 1 Introduction 2 Purpose 3 Results 4 Problems and Conjectures 5 Summary Shyam Narayanan Miller-Rabin Extensions May 17, 2014 2 / 26

Outline 1 Introduction 2 Purpose 3 Results 4 Problems and Conjectures 5 Summary Shyam Narayanan Miller-Rabin Extensions May 17, 2014 3 / 26

Primality Test Definition A primality test is an algorithm for determining whether an input number is prime. Trial division: divide n by every number from 2 until n 1 Deterministic Primality Tests: Always accurate, but slower Probabilistic Primality Tests: faster, but are not accurate. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 4 / 26

Fermat Primality Test Probabilistic primality test to determine whether a number is a probable prime. Fermat s Little Theorem states that x p 1 1 (mod p) for all x relatively prime to a prime p. Implementation: For arbitrary integer n, pick random x, where 1 x < n. If x n 1 1 (mod n), then n is composite. If not, then n is probably prime. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 5 / 26

False Witnesses Definition For integers n and x with 1 x < n, we say x is a false witness to n if n is composite but the Fermat primality test states that n is probably prime in base x. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 6 / 26

Weakness of Fermat Primality Test High rate of false witnesses Carmichael numbers - for any Carmichael number n, every x relatively prime to n is a false witness Infinitely many Carmichael numbers Shyam Narayanan Miller-Rabin Extensions May 17, 2014 7 / 26

The Miller-Rabin Primality Test Stronger version of the Fermat Primality Test. Implementation: Write an odd integer n as n = 1 + 2 e d, where d is odd. Then for an integer x(1 x < n), if x d 1 (mod n), or x d 2i some 0 i e 1, then n is probably prime. Else, the integer n is composite. Running time: O(log 2 (n) log(log(n)) log(log(log(n)))). More accurate than the Fermat primality test but still not always accurate. 1 for Shyam Narayanan Miller-Rabin Extensions May 17, 2014 8 / 26

Definitions Strong Psuedoprime and Nonwitness NW(n) If n is composite and 1 x < n, we say n is a strong pseudoprime to the base x if the Miller-Rabin primality test outputs n as probably prime in base x. In this case, we say x is a nonwitness to n. Else, we say x is a witness to n. Nonwitness for Miller-Rabin, False witness for Fermat We define NW (n) as the number of nonwitnesses of n. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 9 / 26

Sample Test Suppose n = 91 and x = 4. 91 = 1 + 2 1 45. 4 45 64 (mod 91), and 4 90 1 (mod 91). 4 is a false witness for the Fermat Primality Test. But it is a witness for the Miller Rabin test. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 10 / 26

Outline 1 Introduction 2 Purpose 3 Results 4 Problems and Conjectures 5 Summary Shyam Narayanan Miller-Rabin Extensions May 17, 2014 11 / 26

Purpose of this Research For very large integers, deterministic primality tests are slow and probabilistic primality tests tend to be very inaccurate. For example, the probabilistic Miller-Rabin Primality Test often fails to detect composite integers. The main goal of this project is to create an improved primality test based on Miller-Rabin. The idea: eliminate certain special forms of composite numbers that have many nonwitnesses. This research has important applications, as it reduces the number of Miller-Rabin iterations needed. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 12 / 26

Outline 1 Introduction 2 Purpose 3 Results 4 Problems and Conjectures 5 Summary Shyam Narayanan Miller-Rabin Extensions May 17, 2014 13 / 26

Accuracy of Miller-Rabin Test The Miller-Rabin Primality Test has significantly fewer nonwitnesses than the Fermat Primality Test. Michael O. Rabin proved the following theorem in 1980: Theorem 1 (Miller-Rabin Theorem) Suppose NW (n) ϕ(n) Then M(n) 1 4. = M(n). Shyam Narayanan Miller-Rabin Extensions May 17, 2014 14 / 26

Formula for NW(n) Explicit formula for the number of nonwitnesses of n given n s prime factorization. This formula was previously stated by Charles R. Greathouse IV, but an original proof is presented in my research paper. Theorem 2 Consider an odd composite integer n with m distinct prime factors. Suppose that n 1 = 2 e d and d is odd. Also suppose that n = m i=1 pq i i, and each p i can be expressed as 2 e i d i + 1, where each d i is odd. The number of nonwitnesses NW (n) equals ( 2min(e i ) m 1 2 m 1 + 1) m i=1 gcd(d, d i). Shyam Narayanan Miller-Rabin Extensions May 17, 2014 15 / 26

Extension of the Miller-Rabin Theorem Theorem 3 (Main Theorem) M(n) = 1 4 if and only if n is one of two forms: 1 n = (2x + 1)(4x + 1), where x is odd and 2x + 1 and 4x + 1 are prime 2 n is a Carmichael Number of the form pqr, where p, q, r are distinct primes 3 (mod 4). 1 6 < M(n) < 1 4 if and only if n = (2x + 1)(4x + 1), where x is even and 2x + 1, 4x + 1 are prime. M(n) = 1 6 if and only if n is of the form (2x + 1)(6x + 1), where x is odd and 2x + 1, 6x + 1 are prime. Else, M(n) 5 32. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 16 / 26

New Test 1 Determine if n is of the form (2x + 1)(4x + 1) for some integer x. 2 Determine if n is of the form (2x + 1)(6x + 1) for some integer x. 3 Determine if n is a Carmichael number of the form pqr, where p, q, r 3 (mod 4). 4 Perform the Miller-Rabin Test for a certain base. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 17 / 26

Experimental Results about Nonwitnesses Define n a as the smallest composite n so that the first a prime numbers are all nonwitnesses to n. All of n 1,..., n 11 are one of two forms: 1 (x + 1)(kx + 1), where 2 k 5 2 Carmichael numbers pqr, where p, q, r 3 (mod 4) Of the 3773 strong pseudoprimes less than 4 10 12, 3187 of them were of the form (x + 1)(kx + 1), where k is an integer and x + 1 and kx + 1 are primes. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 18 / 26

Outline 1 Introduction 2 Purpose 3 Results 4 Problems and Conjectures 5 Summary Shyam Narayanan Miller-Rabin Extensions May 17, 2014 19 / 26

Checking for Carmichael numbers There is currently no fast way to check if a number is a Carmichael number. However, if n is a Carmichael number of the form pqr, where p, q, r are primes 3 (mod 4), the following is true: Lemma Regarding Nonwitnesses A positive integer x is a nonwitness to n if and only if ( x p ) = ( x q ) = ( x r ) Shyam Narayanan Miller-Rabin Extensions May 17, 2014 20 / 26

Choosing bases Alford, Granville, and Pomerance proved the following Theorem: Theorem 4 For large enough integers A, and for any set S of log(a) 1/(3 log log log A) integers, there are at least A 1/(35 log log log(a)) Carmichael numbers n A such that i is a nonwitness to n for all i S. Unfortunately, this implies that for any set S of integers, there are infinitely many n for which every element of S is a nonwitness. However, certain bases can be chosen to minimize error. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 21 / 26

Open Question If the Generalized Riemann Hypothesis is true, then for all composite odd n, there exists an integer i < 2 log 2 (n) such that i is a witness. For numbers not of the 3 forms given at the outline of the new test, does this bound shrink? Shyam Narayanan Miller-Rabin Extensions May 17, 2014 22 / 26

Outline 1 Introduction 2 Purpose 3 Results 4 Problems and Conjectures 5 Summary Shyam Narayanan Miller-Rabin Extensions May 17, 2014 23 / 26

Summary and Next Steps In this research, we presented a proof for the number of nonwitnesses for n. Also, the number of nonwitnesses for a composite odd integer n has been reduced to 5 32 ϕ(n), except for a few specific forms of n. However, our new primality test requires a method to eliminate effectively Carmichael numbers of the form pqr, where p, q, r are primes 3 (mod 4). This project is expected to be implemented in MATLAB. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 24 / 26

Acknowledgements I would like to thank my mentor, David Corwin, for the help he has provided me this year, from MATLAB implementations to checking my theorems and progress. I would also like to thank Dr. Tanya Khovanova, the lead mentor, for general guidance. I would like to thank Stefan Wehmeier and Ben Hinkle from MathWorks, who proposed this project and helped me with MATLAB. Finally, I would like to thank the PRIMES-USA program for making this research possible and my parents for all the support they have provided me over the years. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 25 / 26

References Rabin, Michael O. (1980), Probabilistic algorithm for testing primality, Journal of Number Theory 12 (1): 128138 https://oeis.org/a141768 Carl Pomerance, John L. Selfridge, Samuel S. Wagstaff, Jr. (July 1980). The pseudoprimes to 25 10 9. Mathematics of Computation 35 (151): 10031026. W.R. Alford, A. Granville and C. Pomerance. On the Difficulty of Finding Reliable Witnesses. Algorithmic Number Theory, Lecture Notes in Comput. Sci. 877, Springer, Berlin, 1994, 1-16. E. Bach, Analytic Methods in the Analysis and Design of Number-Theoretic Algorithms, MIT Press, Cambridge, Mass., 1985. Shyam Narayanan Miller-Rabin Extensions May 17, 2014 26 / 26

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback