LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

Similar documents
p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

ORDERS OF ELEMENTS IN A GROUP

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Applied Cryptography and Computer Security CSE 664 Spring 2018

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

MATH 361: NUMBER THEORY FOURTH LECTURE

2. THE EUCLIDEAN ALGORITHM More ring essentials

Part II. Number Theory. Year

SOLUTIONS TO PROBLEM SET 1. Section = 2 3, 1. n n + 1. k(k + 1) k=1 k(k + 1) + 1 (n + 1)(n + 2) n + 2,

A Few Primality Testing Algorithms

Math 109 HW 9 Solutions

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

FERMAT S TEST KEITH CONRAD

A Guide to Arithmetic

CPSC 467b: Cryptography and Computer Security

Chapter 3 Basic Number Theory

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

Primality Testing- Is Randomization worth Practicing?

CYCLOTOMIC POLYNOMIALS

Factorization & Primality Testing

1. Algebra 1.7. Prime numbers

CYCLOTOMIC POLYNOMIALS

IRREDUCIBILITY TESTS IN F p [T ]

1 Overview and revision

A SURVEY OF PRIMALITY TESTS

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

Chapter 5. Number Theory. 5.1 Base b representations

CPSC 467b: Cryptography and Computer Security

Exam 2 Solutions. In class questions

THE MILLER RABIN TEST

MATH 2200 Final Review

Introduction to Number Theory

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Math 324, Fall 2011 Assignment 7 Solutions. 1 (ab) γ = a γ b γ mod n.

Numbers, Groups and Cryptography. Gordan Savin

THE SOLOVAY STRASSEN TEST

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

The running time of Euclid s algorithm

PRIMALITY TEST FOR FERMAT NUMBERS USING QUARTIC RECURRENCE EQUATION. Predrag Terzic Podgorica, Montenegro

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Public Key Encryption

Pseudoprimes and Carmichael Numbers

NONABELIAN GROUPS WITH PERFECT ORDER SUBSETS

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

Discrete Structures Lecture Primes and Greatest Common Divisor

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Chapter 8. Introduction to Number Theory

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Solutions to Problem Set 4 - Fall 2008 Due Tuesday, Oct. 7 at 1:00

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

ECEN 5022 Cryptography

The Elliptic Curve Method and Other Integer Factorization Algorithms. John Wright

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Ma/CS 6a Class 4: Primality Testing

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

God may not play dice with the universe, but something strange is going on with the prime numbers.

Number theory (Chapter 4)

MATH 145 Algebra, Solutions to Assignment 4

CISC-102 Fall 2017 Week 6

The Impossibility of Certain Types of Carmichael Numbers

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

MATH 4400 SOLUTIONS TO SOME EXERCISES. 1. Chapter 1

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

4 Number Theory and Cryptography

Rings and modular arithmetic

3 The fundamentals: Algorithms, the integers, and matrices

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.

Elliptic curves: Theory and Applications. Day 3: Counting points.

Primality testing: then and now

Lucas Lehmer primality test - Wikipedia, the free encyclopedia

Primality testing: then and now

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

Basic elements of number theory

Basic elements of number theory

Mathematics 220 Homework 4 - Solutions. Solution: We must prove the two statements: (1) if A = B, then A B = A B, and (2) if A B = A B, then A = B.

CHAPTER 3. Congruences. Congruence: definitions and properties

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

CPSC 467: Cryptography and Computer Security

The RSA cryptosystem and primality tests

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

Winter Camp 2009 Number Theory Tips and Tricks

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

Transcription:

LARGE PRIME NUMBERS 1. Fast Modular Exponentiation Given positive integers a, e, and n, the following algorithm quickly computes the reduced power a e % n. (Here x % n denotes the element of {0,, n 1} that is congruent to x modulo n. Note that x % n is not an element of Z/nZ since such elements are cosets rather than coset representatives.) (Initialize) Set (x, y, f) = (1, a, e). (Loop) While f > 0, do as follows: If f%2 = 0 then replace (x, y, f) by (x, y 2 % n, f/2), otherwise replace (x, y, f) by (xy % n, y, f 1). (Terminate) Return x. The algorithm is strikingly efficient both in speed and in space. Especially, the operations on f (halving it when it is even, decrementing it when it is odd) are very simple in binary. To see that the algorithm works, represent the exponent e in binary, say e = 2 g + 2 h + 2 k, 0 g < h < k. The algorithm successively computes (1, a, 2 g + 2 h + 2 k ) (1, a 2g, 1 + 2 h g + 2 k g ) (a 2g, a 2g, 2 h g + 2 k g ) (a 2g, a 2h, 1 + 2 k h ) (a 2g +2 h, a 2h, 2 k h ) (a 2g +2 h, a 2k, 1) (a 2g +2 h +2 k, a 2k, 0), and then it returns the first entry, which is indeed a e. Fast modular exponentiation is not only for computers. For example, to compute 2 37 % 149, proceed as follows, (1, 2; 37) (2, 2; 36) (2, 4; 18) (2, 16; 9) (32, 16; 8) (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0). 2. Fermat Pseudoprimes Fermat s Little Theorem states that for any positive integer n, if n is prime then b n % n = b for all b coprime to n. In the other direction, all we can say is that if b n % n = b for all b coprime to n then n might be prime. 1

2 LARGE PRIME NUMBERS If b n % n = b for some particular b {1,..., n 1} then n is called a Fermat pseudoprime base b. There are 669 primes under 5000, but only five values of n (561, 1105, 1729, 2465, and 2821) that are Fermat pseudoprimes base b for b = 2, 3, 5 without being prime. This is a false positive rate of less than 1%. The false positive rate under 500,000 just for b = 2, 3 is 0.118%. On the other hand, the bad news is that checking more bases b doesn t reduce the false positive rate much further. There are infinitely many Carmichael numbers, numbers n that are Fermat pseudoprimes base b for all b {1,..., n 1} coprime to n but are not prime. But Carmichael numbers notwithstanding, Fermat pseudoprimes are reasonable candidates to be prime. 3. Strong Pseudoprimes The Miller Rabin test on a positive odd integer n and a positive test base b in {1,..., n 1} proceeds as follows. Factor n 1 as 2 s m where m is odd. Replace b by b m % n. If b = 1 then return the result that n could be prime, and terminate. Do the following s times: If b = n 1 then return the result that n could be prime, and terminate; otherwise replace b by b 2 % n. If the algorithm has not yet terminated then return the result that n is composite, and terminate. (Slight speedups here: (1) If the same n is to be tested with various bases b then there is no need to factor n 1 = 2 s m each time; (2) there is no need to compute b 2 % n on the sth time through the step in the fourth bullet.) To understand the Miller Rabin test, consider a positive odd integer n and a base b, and factor n 1 = 2 s m where m is odd. Then X 2sm 1 = (X 2s 1m + 1)(X 2s 1m 1) = (X 2s 1m + 1)(X 2s 2m + 1)(X 2s 2m 1) = (X 2s 1m + 1)(X 2s 2m + 1)(X 2s 3m + 1)(X 2s 3m 1). = (X 2s 1m + 1)(X 2s 2m + 1)(X 2s 3m + 1) (X m + 1)(X m 1). That is, rewriting the left side and reversing the order of the factors of the right side, s 1 X n 1 1 = (X m 1) (X 2rm + 1). It follows that s 1 b n 1 1 = (b m 1) (b 2rm + 1) mod n, for b = 1,..., n 1. r=0 If n is prime then b n 1 1 = 0 mod n for b = 1,..., n 1, and also Z/nZ is a field, so that necessarily one of the factors on the right side vanishes modulo n as well. r=0

LARGE PRIME NUMBERS 3 That is, if n is prime then given any base b {1,..., n 1}, at least one of the factors b m 1, {b 2rm + 1 : 0 r s 1} vanishes modulo n. So contrapositively, if for some base b {1,..., n 1} none of the factors vanishes modulo n then n is composite. Hence the Miller Rabin test. A positive integer n that passes the Miller Rabin test for some b is a strong pseudoprime base b. For any n, at least 3/4 of the b-values in {1,..., n 1} have the property that if n is a strong pseudoprime base b then n is really prime. But according to the theory, up to 1/4 of the b-values have the property that n could be a strong pseudoprime base b but not be prime. In practice, the percentage of such b s is much lower. For n up to 500,000, if n is a strong pseudoprime base 2 and base 3 then n is prime. (Beginning of analysis of false positives.) Let n be composite. Suppose that n is a strong pseudoprime base b for some b. Then one of the following congruences holds: b m = 1 mod n, b 2rm = 1 mod n for r = 0,, s 1. Since 2 s m = n 1, any of these congruences immediately implies b n 1 = 1 mod n, which is to say that n is a Fermat pseudoprime base b. Next we show that if n is divisible by p 2 for some prime p then there are few bases b for which n is a Fermat pseudoprime base b. In consequence of the previous paragraph, there are thus as few or fewer bases b for which n is a strong pseudoprime base b. Lemma. Let n be a positive integer. Let x and y be integers such that n is a Fermat pseudoprime base x and base y, x n 1 = y n 1 = 1 mod n. Let p be an odd prime such that p 2 n. If then x = y mod p x = y mod p 2. For the proof, first we note that x p = y p mod p 2. This follows quickly from the relation x p y p = (x y)(x p 1 + x p 2 y + + xy p 2 + y p 1 ), because the condition x = y mod p makes each of the multiplicands on the right side a multiple of p. Second, raise both sides of the relation x p = y p mod p 2 to the power n/p to get x n = y n mod p 2. But since x n = x mod n, certainly x n = x mod p 2, and similarly for y. The result follows. Proposition. Let p be an odd prime. Let n be a positive integer divisible by p 2. Let B denote the set of bases b between 1 and n 1 such that n is a Fermat pseudoprime base b, i.e., B = {b : 1 b n 1 and b n 1 % n = 1}.

4 LARGE PRIME NUMBERS Then B p 1 p 2 n 1 (n 1). 4 To see this, note that the second inequality is elementary to check (to wit, 4(p 1)n (p + 1)(p 1)n = (p 2 1)n p 2 n p 2 = p 2 (n 1)), so that we need only establish the first inequality. Decompose B according to the values of its elements modulo p, B = p 1 d=1 where B d = {b B : b % p = d}, 1 d p 1. For any d such that 1 d p 1, if b 1, b 2 B d then the lemma says that b 1 = b 2 mod p 2. It follows that B d n/p 2, giving the result. B d 4. Generating Candidate Large Primes Given n, a simple approach to finding a candidate prime above 2n is as follows. Take the first of N = 2n + 1, N = 2n + 3, N = 2n + 5,... to pass the following test. (1) Try trial division for a few small primes. If N passes, continue. (2) Check whether N is a Fermat pseudoprime base 2. If N passes, continue. (3) Check whether N is a strong pseudoprime base b as b runs through the first 20 primes. Any N that passes the test is extremely likely to be prime. And such an N should appear quickly because the slope of the asymptotic prime-counting function is d dx ( x log x ) = log x 1 (log x) 2 1 log x, so that heuristically a run of log x gives a rise of 1, i.e., the next prime. And indeed, using only the first three primes in step (3) of the previous test finds the following correct candidate primes: The first candidate prime after 10 50 is 10 50 + 151. The first candidate prime after 10 100 is 10 100 + 267. The first candidate prime after 10 200 is 10 200 + 357. The first candidate prime after 10 300 is 10 300 + 331. The first candidate prime after 10 1000 is 10 1000 + 453. 5. Certifiable Large Primes The Lucas Pocklington Lehmer Criterion is as follows. Suppose that N = p U + 1 where p is prime and p > U. Suppose also that there is a base b such that b N 1 % N = 1 but gcd(b U 1, N) = 1. Then N is prime. The proof will be given in the next section. It is just a matter of Fermat s Little Theorem and some other basic number theory. For now, the idea is that N behaves like a prime in that b N 1 % N = 1, and N further behaves like a prime in that raising b to the divisor U = (N 1)/p of N 1 emphatically does not reduce to 1

LARGE PRIME NUMBERS 5 modulo N indeed, it does not even reduce to 1 modulo any nontrivial divisor of N. These conditions suffice to make N prime. As an example of using the result, start with p = 1000003. This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is N = 1032 p + 1 = 1032003097. And 2 N 1 % N = 1 and gcd(2 1032 1, N) = 1, so the LPL Criterion is satisfied, and N is prime. Rename it p. A candidate prime above 10 9 p of the form p U + 1 is N = p (10 9 + 146) + 1 = 1032003247672452163. A candidate prime above 10 17 p of the form p U + 1 is N = p (10 17 + 24) + 1 = 103200324767245241068077944138851913. A candidate prime above 10 34 p of the form p U + 1 is N = p (10 34 + 224) + 1 =10320032476724524106807794413885422 46872747862933999249459487102828513. A candidate prime above 10 60 p of the form p U + 1 is N = p (10 60 + 1362) + 1 =10320032476724524106807794413885422 468727478629339992494608926912518428 801833472215991711945402406825893161 06977763821434052434707. A candidate prime above 10 120 p of the form p U + 1 is N = p (10 120 + 796) + 1 =10320032476724524106807794413885422 468727478629339992494608926912518428 801833472215991711945402406825893161 069777638222555270198542721189019004 353452796285107072988954634025708705 822364669326259443883929402708540315 83341095621154300001861505738026773. Again b = 2 works in the LPL Criterion, so N is prime. 6. Proof of the Lucas Pocklington Lehmer Criterion Our data are An integer N > 1, presumably large. The prime factors q of N, possibly unknown. A prime p, to be used to analyze N.

6 LARGE PRIME NUMBERS Obviously, if q % p = 1 for each q then also N % p = 1. The converse does not hold in general. For example, take N = 55 = 5 11 and p = 3. Then N % p = 1 but neither prime factor q of N satisfies q % p = 1. However, the Fermat Euler Criterion is a partial converse: Let p be prime. Let N be an integer such that N % p = 1. If there is a base b such that then b N 1 % N = 1 and gcd(b (N 1)/p 1, N) = 1 q % p = 1 for each prime divisor q of N. To prove the Fermat Euler criterion, let q be any prime divisor of N. Consider the smallest positive integer t such that b t % q = 1. That is, t is the order of the base b modulo q. We will show that p q 1 by showing that t is multiplicatively intermediate to p and q 1. Since b N 1 % N = 1, it follows that b N 1 % q = 1 and so t N 1. The given condition gcd(b (N 1)/p 1, N) = 1 says that b (N 1)/p 1 is not a multiple of any divisor of N. In particular, b (N 1)/p % q 1 and so t (N 1)/p. The previous two displays together show that p t. Also: By Fermat s Little Theorem, t q 1. Concatenate the previous two displays to get This is the desired result. p q 1. The Lucas Pocklington Lehmer Criterion builds on the Fermat Euler Criterion by specializing to the case N = pu + 1, U < p. If such an N satisfies the Fermat Euler criterion then it must be prime. The idea is that otherwise it has a proper prime factor q N, for which p q 1 by the Fermat Euler criterion, but the display says that p > N 1 and so p > N 1 q 1. The inequality p > q 1 contradicts the condition p q 1, and so no proper prime factor q of N can exist. To restate the Lucas Pocklington Lehmer Criterion: Suppose that N = pu + 1 where p is prime and p > U. Suppose also that there is a base b such that b N 1 = 1 % N but gcd(b U 1, N) = 1. Then N is prime. To prove the criterion we need only verify that the N and p here satisfy the Fermat Euler criterion, and noting that U = (N 1)/p does the trick.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback