YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE


CPSC 467a: Cryptography and Computer Security
Notes 16 (rev. 1)
Professor M. J. Fischer
November 3, 2008

Lecture Notes 16

68 Legendre Symbol

Let $p$ be an odd prime and $a$ an integer. The Legendre symbol $\left(\frac{a}{p}\right)$ is a number in $\{-1, 0, +1\}$ defined as follows:

$$\left(\frac{a}{p}\right) = \begin{cases} +1 & \text{if } a \text{ is a non-trivial quadratic residue modulo } p \\ 0 & \text{if } a \equiv 0 \pmod p \\ -1 & \text{if } a \text{ is not a quadratic residue modulo } p \end{cases}$$

By the Euler Criterion (see Claim 3), we have

Theorem 1 Let $p$ be an odd prime. Then
$$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p.$$

Note that this theorem holds even when $p \mid a$.

The Legendre symbol satisfies the following multiplicative property:

Fact Let $p$ be an odd prime. Then
$$\left(\frac{a_1 a_2}{p}\right) = \left(\frac{a_1}{p}\right)\left(\frac{a_2}{p}\right).$$

Not surprisingly, if $a_1$ and $a_2$ are both non-trivial quadratic residues, then so is $a_1 a_2$. This shows that the fact is true for the case that $\left(\frac{a_1}{p}\right) = \left(\frac{a_2}{p}\right) = 1$. More surprising is the case when neither $a_1$ nor $a_2$ is a quadratic residue, so $\left(\frac{a_1}{p}\right) = \left(\frac{a_2}{p}\right) = -1$. In this case, the above fact says that the product $a_1 a_2$ is a quadratic residue since $\left(\frac{a_1 a_2}{p}\right) = (-1)(-1) = 1$.

Here's a way to see this. Let $g$ be a primitive root of $p$. Write $a_1 \equiv g^{k_1} \pmod p$ and $a_2 \equiv g^{k_2} \pmod p$. Since $a_1$ and $a_2$ are not quadratic residues, it must be the case that $k_1$ and $k_2$ are both odd; otherwise $g^{k_1/2}$ would be a square root of $a_1$, or $g^{k_2/2}$ would be a square root of $a_2$. But then $k_1 + k_2$ is even since the sum of any two odd numbers is always even. Hence, $g^{(k_1+k_2)/2}$ is a square root of $a_1 a_2 \equiv g^{k_1+k_2} \pmod p$, so $a_1 a_2$ is a quadratic residue.

69 Jacobi Symbol

The Jacobi symbol extends the Legendre symbol to the case where the denominator is an arbitrary odd positive number. Let $n$ be an odd positive integer with prime factorization $n = \prod_{i=1}^{k} p_i^{e_i}$. We define the Jacobi symbol by

$$\left(\frac{a}{n}\right) = \prod_{i=1}^{k} \left(\frac{a}{p_i}\right)^{e_i}, \qquad (1)$$

where the symbol on the left is the Jacobi symbol, and the symbol on the right is the Legendre symbol. (By convention, this product is 1 when $k = 0$, so $\left(\frac{a}{1}\right) = 1$.) Clearly, when $n$ is an odd prime, the Jacobi symbol and Legendre symbols agree, so the Jacobi symbol is a true extension of our earlier notion.

What does the Jacobi symbol mean when $n$ is not prime? If $\left(\frac{a}{n}\right) = -1$ then $a$ is definitely not a quadratic residue modulo $n$, but if $\left(\frac{a}{n}\right) = 1$, $a$ might or might not be a quadratic residue. Consider the important case of $n = pq$ for $p$, $q$ distinct odd primes. Then

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right), \qquad (2)$$

so there are two cases that result in $\left(\frac{a}{n}\right) = 1$: either $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = +1$ or $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = -1$.

In the first case, $a$ is a quadratic residue modulo both $p$ and $q$, so $a$ is a quadratic residue modulo $n$. Let $b$ and $c$ be square roots of $a$ modulo $p$ and $q$, respectively, so

$$a \equiv b^2 \pmod p \qquad (3)$$
$$a \equiv c^2 \pmod q \qquad (4)$$

By the Chinese Remainder Theorem, there exists a unique $d \in \mathbb{Z}_n$ satisfying

$$d \equiv b \pmod p \qquad (5)$$
$$d \equiv c \pmod q \qquad (6)$$

Squaring both sides of (5) and (6) and combining with (3) and (4), we have

$$d^2 \equiv a \pmod p \qquad (7)$$
$$d^2 \equiv a \pmod q \qquad (8)$$

Hence, $d^2 \equiv a \pmod n$, so $a$ is a quadratic residue modulo $n$.

In the second case, $a$ is not a quadratic residue modulo either $p$ or $q$, so it is not a quadratic residue modulo $n$, either. Such numbers $a$ are sometimes called pseudo-squares since they have Jacobi symbol 1 but are not quadratic residues.

70 Identities Involving the Jacobi Symbol

The Jacobi symbol is easily computed using Equation 1 of section 69 and Theorem 1 of section 68 if the factorization of $n$ is known. Similarly, $\gcd(u, v)$ is easily computed without resort to the Euclidean algorithm given the factorizations of $u$ and $v$. The remarkable fact about the Euclidean algorithm is that it lets us compute $\gcd(u, v)$ efficiently even without knowing the factors of $u$ and $v$. A similar algorithm allows the Jacobi symbol to be computed efficiently without knowing the factorization of $a$ or $n$. The algorithm is based on identities satisfied by the Jacobi symbol:

1. $\left(\frac{0}{1}\right) = 1$; $\left(\frac{0}{n}\right) = 0$ for $n \neq 1$;
2. $\left(\frac{2}{n}\right) = 1$ if $n \equiv \pm 1 \pmod 8$; $\left(\frac{2}{n}\right) = -1$ if $n \equiv \pm 3 \pmod 8$;
3. $\left(\frac{a_1}{n}\right) = \left(\frac{a_2}{n}\right)$ if $a_1 \equiv a_2 \pmod n$;
4. $\left(\frac{2a}{n}\right) = \left(\frac{2}{n}\right)\left(\frac{a}{n}\right)$;
5. $\left(\frac{a}{n}\right) = -\left(\frac{n}{a}\right)$ if $a \equiv n \equiv 3 \pmod 4$;
6. $\left(\frac{a}{n}\right) = \left(\frac{n}{a}\right)$ if $a \equiv 1 \pmod 4$ or ($a \equiv 3 \pmod 4$ and $n \equiv 1 \pmod 4$).

There are many ways to turn these identities into an algorithm. Below is a straightforward recursive approach. Slightly more efficient iterative implementations are also possible.

```c
int jacobi(int a, int n)
/* Precondition: a >= 0, n > 0; n is odd */
{
    if (a == 0)                          /* identity 1 */
        return (n == 1) ? 1 : 0;
    if (a == 2) {                        /* identity 2 */
        switch (n % 8) {
        case 1: case 7: return 1;
        case 3: case 5: return -1;
        }
    }
    if (a >= n)                          /* identity 3 */
        return jacobi(a % n, n);
    if (a % 2 == 0)                      /* identity 4 */
        return jacobi(2, n) * jacobi(a / 2, n);
    /* a is odd */                       /* identities 5 and 6 */
    return (a % 4 == 3 && n % 4 == 3) ? -jacobi(n, a) : jacobi(n, a);
}
```

71 Solovay-Strassen Test of Compositeness

Recall that a test of compositeness for $n$ is a set of predicates $\{\tau_a(n) \mid a \in \mathbb{Z}_n^*\}$ such that if $\tau_a(n)$ succeeds (is true), then $n$ is composite. The Solovay-Strassen Test is the set of predicates $\{\nu_a(n) \mid a \in \mathbb{Z}_n^*\}$, where $\nu_a(n) = \text{true}$ iff
$$a^{(n-1)/2} \not\equiv \left(\frac{a}{n}\right) \pmod n.$$
If $n$ is prime, the test always fails by Theorem 1 of section 68. Equivalently, if some $\nu_a(n)$ succeeds, then $n$ must be composite. Hence, the test is a valid test of compositeness.

Let $b = a^{(n-1)/2}$, so $b^2 = a^{n-1}$. There are two possible reasons why the test might succeed. One possibility is that $a^{n-1} \not\equiv 1 \pmod n$, in which case $b \not\equiv \pm 1 \pmod n$. This is just the Fermat

test $\zeta_a(n)$ from section 52 of lecture notes 12. A second possibility is that $a^{n-1} \equiv 1 \pmod n$ but nevertheless $b \not\equiv \left(\frac{a}{n}\right) \pmod n$. In this case, $b$ is a square root of 1 $\pmod n$, but it might have the opposite sign from $\left(\frac{a}{n}\right)$, or it might not even be $\pm 1$ since 1 has additional square roots when $n$ is composite.

Strassen and Solovay show the probability that $\nu_a(n)$ succeeds for a randomly-chosen $a \in \mathbb{Z}_n^*$ is at least 1/2 when $n$ is composite.[1]

[1] R. Solovay and V. Strassen, A Fast Monte-Carlo Test for Primality, SIAM J. Comput. 6:1 (1977), 84–85.

72 Miller-Rabin Test of Compositeness

The Miller-Rabin Test is more complicated to describe than the Solovay-Strassen Test, but the probability of error (that is, the probability that it fails when $n$ is composite) seems to be lower than for Solovay-Strassen, so that the same degree of confidence can be achieved using fewer iterations of the test. This makes it faster when incorporated into a primality-testing algorithm. It is also closely related to the algorithm presented in section 56.3 (lecture notes 13) for factoring an RSA modulus given the encryption and decryption keys and to Shanks Algorithm 66.1 (lecture notes 15) for computing square roots modulo an odd prime.

72.1 The test

The test $\mu_a(n)$ is based on computing a sequence $b_0, b_1, \ldots, b_s$ of integers in $\mathbb{Z}_n$. If $n$ is prime, this sequence ends in 1, and the last non-1 element, if any, is $-1$ ($\equiv n - 1 \pmod n$). If the observed sequence is not of this form, then $n$ is composite, and the Miller-Rabin Test succeeds. Otherwise, the test fails. The sequence is computed as follows:

1. Write $n - 1 = 2^s t$, where $t$ is an odd positive integer. Computationally, $s$ is the number of 0's at the right (low-order) end of the binary expansion of $n - 1$, and $t$ is the number that results from $n - 1$ when the $s$ low-order 0's are removed.
2. Let $b_0 = a^t \bmod n$.
3. For $i = 1, 2, \ldots, s$, let $b_i = (b_{i-1})^2 \bmod n$.

An easy inductive proof shows that $b_i \equiv a^{2^i t} \pmod n$ for all $i$, $0 \le i \le s$. In particular, $b_s \equiv a^{2^s t} = a^{n-1} \pmod n$.

72.2 Validity

To see that the test is valid, we must show that $\mu_a(n)$ fails for all $a \in \mathbb{Z}_n^*$ when $n$ is a prime. By Euler's theorem,[2] $a^{n-1} \equiv 1 \pmod n$, so we see that $b_s = 1$. Since 1 has only two square roots modulo $n$, $1$ and $-1$, and $b_{i-1}$ is a square root of $b_i$ modulo $n$, the last non-1 element in the sequence (if any) must be $-1 \bmod n$. This is exactly the condition for which the Miller-Rabin test fails. Hence, it fails whenever $n$ is prime, so if it succeeds, $n$ is indeed composite.

[2] This is also called Fermat's little theorem.

72.3 Accuracy

How likely is it to succeed when $n$ is composite? It succeeds whenever $a^{n-1} \not\equiv 1 \pmod n$, so it succeeds whenever the Fermat test $\zeta_a(n)$ would succeed. (See section 52 of lecture notes 12.) But

even when $a^{n-1} \equiv 1 \pmod n$ and the Fermat test fails, the Miller-Rabin test will succeed if the last non-1 element in the sequence of $b$'s is one of the two square roots of 1 that differ from $\pm 1$. It can be proved that $\mu_a(n)$ succeeds for at least 3/4 of the possible values of $a$. Empirically, the test almost always succeeds when $n$ is composite, and one has to work to find $a$ such that $\mu_a(n)$ fails.

72.4 Example

For example, take $n = 561 = 3 \cdot 11 \cdot 17$. This number is interesting because it is the first Carmichael number. A Carmichael number is an odd composite number $n$ that satisfies $a^{n-1} \equiv 1 \pmod n$ for all $a \in \mathbb{Z}_n^*$. (See http://mathworld.wolfram.com/carmichaelnumber.html.) These are the numbers that I have been calling pseudoprimes.

Let's go through the steps of computing $\mu_{37}(561)$. We begin by finding $t$ and $s$. 561 in binary is 1000110001 (a palindrome!). Then $n - 1 = 560 = (1000110000)_2$, so $s = 4$ and $t = (100011)_2 = 35$. We compute $b_0 = a^t = 37^{35} \bmod 561 = 265$ with the help of the computer. We now compute the sequence of $b$'s, also with the help of the computer. The results are shown in the table below:

| $i$ | $b_i$ |
|---|---|
| 0 | 265 |
| 1 | 100 |
| 2 | 463 |
| 3 | 67 |
| 4 | 1 |

This sequence ends in 1, but the last non-1 element $b_3 \not\equiv -1 \pmod{561}$, so the test $\mu_{37}(561)$ succeeds. In fact, the test succeeds for every $a \in \mathbb{Z}_{561}^*$ except for $a = 1, 103, 256, 460, 511$. For each of those values, $b_0 = a^t \equiv 1 \pmod{561}$.

72.5 Optimization

In practice, one only wants to compute as many of the $b$'s as necessary to determine whether or not the test succeeds. In particular, one can stop after computing $b_i$ if $b_i \equiv \pm 1 \pmod n$. If $b_i \equiv -1 \pmod n$ and $i < s$, the test fails. If $b_i \equiv 1 \pmod n$ and $i \ge 1$, the test succeeds. This is because we know in this case that $b_{i-1} \not\equiv -1 \pmod n$, for if it were, the algorithm would have stopped after computing $b_{i-1}$.
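The Solovay-Strassen predicate of section 71 and the Miller-Rabin predicate with the early stop of section 72.5, run on the worked example $n = 561$, $a = 37$, as an added C example that is not part of the lecture notes. The iterative `jacobi`, `modpow` and the two witness functions are the editor's own; the code assumes $n < 2^{32}$ so that 64-bit products cannot overflow.

```c
#include <stdint.h>

/* a^e mod n by square-and-multiply; assumes n < 2^32 so every product fits in 64 bits */
static uint64_t modpow(uint64_t a, uint64_t e, uint64_t n) {
    uint64_t r = 1 % n;
    for (a %= n; e; e >>= 1) {
        if (e & 1) r = r * a % n;
        a = a * a % n;
    }
    return r;
}

/* Jacobi symbol (a/n) for odd n > 0, an iterative form of identities 1-6 of section 70 */
static int jacobi(uint64_t a, uint64_t n) {
    int sign = 1;
    a %= n;                                             /* identity 3 */
    while (a != 0) {
        for (; a % 2 == 0; a /= 2)                      /* identity 4: factor out (2/n), */
            if (n % 8 == 3 || n % 8 == 5) sign = -sign; /* whose value is given by identity 2 */
        if (a % 4 == 3 && n % 4 == 3) sign = -sign;     /* identity 5 flips the sign, 6 does not */
        uint64_t t = a; a = n % t; n = t;               /* swap to (n/a), then reduce by identity 3 */
    }
    return n == 1 ? sign : 0;                           /* identity 1 */
}

/* Solovay-Strassen predicate nu_a(n) of section 71: 1 iff a^((n-1)/2) != (a/n) (mod n),
   which proves n composite; 0 means the test fails for this a */
int solovay_strassen_witness(uint64_t a, uint64_t n) {
    int j = jacobi(a, n);
    uint64_t j_mod_n = (j == -1) ? n - 1 : (uint64_t)j; /* -1 is represented as n-1 in Z_n */
    return modpow(a, (n - 1) / 2, n) != j_mod_n;
}

/* Miller-Rabin predicate mu_a(n) of section 72 with the early stop of 72.5.
   The b_i actually computed are stored in seq[] (*len of them); returns 1 iff n is proven composite. */
int miller_rabin_witness(uint64_t a, uint64_t n, uint64_t seq[], int *len) {
    uint64_t t = n - 1; int s = 0;
    while (t % 2 == 0) { t /= 2; s++; }                 /* n - 1 = 2^s t with t odd */
    uint64_t b = modpow(a, t, n);                       /* b_0 = a^t mod n */
    seq[0] = b; *len = 1;
    if (b == 1 || b == n - 1) return 0;                 /* prime-like already: test fails */
    for (int i = 1; i <= s; i++) {
        b = b * b % n;                                  /* b_i = b_{i-1}^2 mod n */
        seq[(*len)++] = b;
        if (b == 1) return 1;          /* b_{i-1} was a square root of 1 other than +-1: composite */
        if (b == n - 1) return i == s; /* -1 before b_s: fails; -1 as b_s means a^(n-1) != 1 */
    }
    return 1;                                           /* a^(n-1) != 1 (mod n): composite */
}
```

For $a = 37$ the trace reproduces the table above (265, 100, 463, 67, 1) and both predicates succeed; for $a = 103$ the sequence stops at $b_0 = 1$ and Miller-Rabin fails, as the notes state.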