Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Similar documents
LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

Advanced Algorithms and Complexity Course Project Report

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Applied Cryptography and Computer Security CSE 664 Spring 2018

Primality testing: then and now

1. Algebra 1.7. Prime numbers

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

The running time of Euclid s algorithm

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Factorization & Primality Testing

Part II. Number Theory. Year

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

Primality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

CPSC 467b: Cryptography and Computer Security

Primality testing: then and now

A Few Primality Testing Algorithms

A Guide to Arithmetic

ECEN 5022 Cryptography

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

A SURVEY OF PRIMALITY TESTS

CPSC 467b: Cryptography and Computer Security

CSE 521: Design and Analysis of Algorithms I

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

D-MATH Algebra II FS18 Prof. Marc Burger. Solution 26. Cyclotomic extensions.

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Lucas Lehmer primality test - Wikipedia, the free encyclopedia

Lecture 6: Deterministic Primality Testing

Primality Testing- Is Randomization worth Practicing?

Notes on Primitive Roots Dan Klain

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

IRREDUCIBILITY TESTS IN F p [T ]

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

THE SOLOVAY STRASSEN TEST

f(n) = f(p e 1 1 )...f(p e k k ).

Euler s, Fermat s and Wilson s Theorems

Math 324, Fall 2011 Assignment 7 Solutions. 1 (ab) γ = a γ b γ mod n.

MATH 361: NUMBER THEORY FOURTH LECTURE

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

PRIMALITY TEST FOR FERMAT NUMBERS USING QUARTIC RECURRENCE EQUATION. Predrag Terzic Podgorica, Montenegro

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

CSC 373: Algorithm Design and Analysis Lecture 30

SOLUTIONS TO PROBLEM SET 1. Section = 2 3, 1. n n + 1. k(k + 1) k=1 k(k + 1) + 1 (n + 1)(n + 2) n + 2,

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

PRIME NUMBERS YANKI LEKILI

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

Pseudoprimes and Carmichael Numbers

MATH 2112/CSCI 2112, Discrete Structures I Winter 2007 Toby Kenney Homework Sheet 5 Hints & Model Solutions

The group (Z/nZ) February 17, In these notes we figure out the structure of the unit group (Z/nZ) where n > 1 is an integer.

Basic elements of number theory

Basic elements of number theory

PMA225 Practice Exam questions and solutions Victor P. Snaith

MATH 4400 SOLUTIONS TO SOME EXERCISES. 1. Chapter 1

Primality testing: variations on a theme of Lucas

Chapter 1. Number of special form. 1.1 Introduction(Marin Mersenne) 1.2 The perfect number. See the book.

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Mathematics 4: Number Theory Problem Sheet 3. Workshop 26 Oct 2012

Math 110 HW 3 solutions

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

Math 120 HW 9 Solutions

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

THE MILLER RABIN TEST

8 Primes and Modular Arithmetic

The RSA cryptosystem and primality tests

Applied Cryptography and Computer Security CSE 664 Spring 2017

Lecture 11 - Basic Number Theory.

Number Theory and Group Theoryfor Public-Key Cryptography

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

Elliptic curves: Theory and Applications. Day 3: Counting points.

Algebraic number theory Solutions to exercise sheet for chapter 4

The Chinese Remainder Theorem

Introduction to Number Theory. The study of the integers

1 Structure of Finite Fields

Math 109 HW 9 Solutions

1 Overview and revision

Lecture 11: Cantor-Zassenhaus Algorithm

Iterated Encryption and Wiener s attack on RSA

Wednesday, February 21. Today we will begin Course Notes Chapter 5 (Number Theory).

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Congruences and Residue Class Rings

FERMAT S TEST KEITH CONRAD

NUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Section 10: Counting the Elements of a Finite Group

Discrete Logarithms. Let s begin by recalling the definitions and a theorem. Let m be a given modulus. Then the finite set

God may not play dice with the universe, but something strange is going on with the prime numbers.

Basic Algorithms in Number Theory

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

Winter Camp 2009 Number Theory Tips and Tricks

1. Factorization Divisibility in Z.

7. Prime Numbers Part VI of PJE

Algebraic Structures Exam File Fall 2013 Exam #1

Transcription:

4. Primality testing 4.1. Introduction. Factorisation is concerned with the problem of developing efficient algorithms to express a given positive integer n > 1 as a product of powers of distinct primes. With primality testing, however, the goal is more modest: given n, decide whether or not it is prime. If n does turn out to be prime, then of course you ve (trivially) factorised it, but if you show that it is not prime (i.e., composite), then in general you have learnt nothing about its factorisation (apart from the fact that it s not a prime!). One way of testing a number n for primality is the following: suppose a certain theorem, Theorem X say, whose statement depends on a number n, is true when n is prime. Then if Theorem X is false for a particular n, then n cannot be prime. For instance, we know (Fermat) that a n 1 1 (mod n) when n is prime and n a. So if for such an a we have a n 1 1 (mod n), then n is not prime. This test is called the Pseudoprime Test to base a. Moreover, a composite number n that passes this test is called a Pseudoprime to base a. (It would be good if we could find a Theorem Y that was true iff n was prime, and was moreover easy to test. Then we would know that if the theorem was true for n then n was prime. A result of this type is the following (also on a problem sheet): n is prime iff a n 1 1 (mod n) for a = 1, 2,..., n 1. This is, however, not easy to test; it is certainly no easier than testing whether n is divisible by a for a = 1,...,n.) 4.2. Proving primality of n when n 1 can be factored. In general, primality tests can only tell you that a number n either is composite, or can t tell. They cannot confirm that n is prime. However, under the special circumstance that we can factor n 1, primality can be proved: Theorem 4.1 ( Lucas Test, as strengthened by Kraitchik and Lehmer). Let n > 1 have the property that for every prime factor q of n 1 there is an integer a such that a n 1 1 (mod n) but a (n 1)/q 1 (mod n). Then n is prime. Proof. Define the subgroup G of (Z/nZ) to be the subgroup generated by all such a s. Clearly the exponent of G is a divisor of n 1. But it can t be a proper divisor of n 1, for then it would divide some (n 1)/q say, which is impossible as a (n 1)/q 1 (mod n) for the a corresponding to that q. Hence G has exponent n 1. But then n 1 #G #(Z/nZ) = ϕ(n). Hence ϕ(n) = n 1, which immediately implies that n is prime. Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1 2 1 (mod F k ). Proof. First suppose that 3 F k 1 2 1 (mod F k ). We apply the theorem with n = F k. So n 1 = 2 2k and q = 2 only, with a = 3. Then 3 F k 1 2 1 (mod F k ) and (on squaring) 3 Fk 1 1 (mod F k ), so all the conditions of the Theorem are satisfied. 14

Conversely, suppose that F k is prime. Then, by Euler s criterion and quadratic reciprocity (see Chapter 5) we have ( ) ( ) ( ) 3 F k 1 3 Fk 2 2 = = = 1, 3 3 as 2 is not a square (mod 3). F k We can use this to show that F 0 = 3, F 1 = 5, F 2 = 17, F 3 = 257 and F 4 = 65537 are all prime. It is known that F k is composite for 5 k 32, although complete factorisations of F k are known only for 0 k 11, and there are no known factors of F k for k = 20 or 24. Heuristics suggest that there may be no more k s for which F k is prime. 4.3. Carmichael numbers. A Carmichael number is a (composite) number n that is a pseudoprime to every base a with 1 a n and gcd(a, n) = 1. Since it it immediate that a n 1 1 (mod n) when gcd(a, n) > 1, we see that Carmichael numbers are pseudoprimes to as many possible bases as any composite number could be. They are named after the US mathematician Robert Carmichael (1879 1967). [But even finding an a with gcd(a, n) > 1 gives you a factor of n. (Imagine that n is around 10 300 and is a product of three 100-digit primes such a s are going to be few and far between!)] For examples of Carmichael numbers, see problem sheet 3. 4.4. Strong pseudoprimes. Given n > 1 odd and an a such that a n 1 1 (mod n), factorise n 1 as n 1 = 2 f q, where q is odd, f 1 and consider the sequence S = [a q, a 2q, a 4q,...,a 2fq 1], taken (mod n). If n is prime then, working left to right, either a q 1 (mod n), in which case S consists entirely of 1 s, or the number before the first 1 must be 1. This is because the number following any x in the sequence is x 2, so if x 2 1 (mod n) for n prime, then x ±1 (mod n). (Why?) A composite number n that has this property, (i.e., is a pseudoprime to base a and for which either S consists entirely of 1 s or the number before the first 1 in S is 1) is called a strong pseudoprime to base a. Clearly, if n is a prime or pseudoprime but not a strong pseudoprime, then this stronger test proves that n isn t prime. This is called the Miller-Rabin Strong Pseudoprime Test. Perhaps surprisingly: Theorem 4.3. If n is a pseudoprime to base a but not a strong pseudoprime to base a, with say a 2tq 1 (mod n) but a 2t 1q ±1 (mod n), then n factors nontrivially as n = g 1 g 2, where g 1 = gcd(a 2t 1q 1, n) and g 2 = gcd(a 2t 1q + 1, n). Proof. For then we have, for n 1 = 2 f q and some t f, that a 2tq 1 (mod n) but a 2t 1q ±1 (mod n). Now a 2tq 1 = AB 0 (mod n), where A = (a 2t 1q 1) and 15

16 B = (a 2t 1q + 1), and neither A nor B is divisible by n. Hence g 1 is a nontrivial ( 1 or n) factor of n. Since g 1 n, we have gcd(g 1, g 2 ) = gcd(n, g 1, g 2 ) = gcd(n, g 1, g 2 g 1 ) = gcd(n, g 1, 2) = 1, the last step because n is odd. Hence any prime dividing n can divide at most one of g 1 and g 2. So from n = p pep, say, and n AB, we see that each prime power p ep dividing n divides precisely one of A or B, and so divides precisely one of g 1 or g 2. Hence g 1 g 2 = n. Example. Take n = 31621, a pseudoprime to base a = 2. We have n 1 = 2 2 7905, 2 7905 31313 (mod n) and 2 15810 2 31620 1 (mod n), so n is not a strong pseudoprime to base 2. Then g 1 = gcd(n, 31312) = 103 and g 2 = gcd(n, 31314) = 307, giving n = 103 307. Note that if n = n 1 n 2 where n 1 and n 2 are coprime integers, then by the Chinese Remainder Theorem we can solve each of the four sets of equations x ±1 (mod n 1 ) x ±1 (mod n 2 ) to get four distinct solutions of x 2 1 (mod n). For instance, for n = 35 get x = ±1 or ±6. For the example n = 31621 above, we have 31313 1 (mod 103) and 31313 1 (mod 307), so that four distinct solutions of x 2 1 (mod 31621) are ±1 and ±31313. So what is happening when the strong pseudoprime test detects n as being composite is that some x S is a solution to x 2 1 (mod n) with x ±1 (mod n) because x 1 (mod n 1 ) and x 1 (mod n 2 ) for some coprime n 1, n 2 with n 1 n 2 = n. And then both gcd(x 1, n) (divisible by n 1 ) and gcd(x + 1, n) (divisible by n 2 ) are nontrivial factors of n. 4.5. Strong pseudoprimes to the smallest prime bases. It is known that 2047 is the smallest strong pseudoprime to base 2; 1373653 is the smallest strong pseudoprime to both bases 2, 3; 25326001 is the smallest strong pseudoprime to all bases 2, 3, 5; 3215031751 is the smallest strong pseudoprime to all bases 2, 3, 5, 7; 2152302898747 is the smallest strong pseudoprime to all bases 2, 3, 5, 7, 11; 3474749660383 is the smallest strong pseudoprime to all bases 2, 3, 5, 7, 11, 13; 341550071728321 is the smallest strong pseudoprime to all bases 2, 3, 5, 7, 11, 13, 17. (In fact 341550071728321 is also a strong pseudoprime to base 19.) Hence any odd n < 341550071728321 that passes the strong pseudoprime test for all bases 2, 3, 5, 7, 11, 13, 17 must be prime. So this provides a cast-iron primality test for all such n. 4.6. Primality testing in polynomial time. In 2002 the Indian mathematicians Agrawal, Kayal and Saxena invented an algorithm, based on the study of the polynomial ring (Z/nZ)[x], that was able to decide whether a given n was prime in time O((log n) 6+ε ).

(Here the constant implied by the O depends on ε and so could go to infinity as ε 0.) (Search for AKS algorithm on web.) 4.7. The Lucas-Lehmer primality test for Mersenne numbers. Given an odd prime p, let M p = 2 p 1, a Mersenne number (and a Mersenne prime iff it is prime). [It is an easy exercise to prove that if p is composite, then so is M p.] Define a sequence S 1, S 2,...,S n,... by S 1 = 4 and S n+1 = Sn 2 2 for n = 1, 2,.... so we have S 1 = 4, S 2 = 14, S 3 = 194, S 4 = 37634, S 5 = 1416317954,.... There is a very fast test for determining whether or not M p is prime. Theorem 4.4 ( Lucas-Lehmer Test). For an odd prime p, the Mersenne number M p is prime iff M p divides S p 1. So M 3 = 7 is prime as 7 S 2, M 5 = 31 is prime as 31 S 4,... In this way get M p prime for p = 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203,2281,... (47th) 43112609. There may be others between the 41st and 47th. [as at October 2012.] For the proof, we need two lemmas. Lemma 4.5. Put ω = 2 + 3 and ω 1 = 2 3. Then ωω 1 = 1 (immediate) and for n = 1, 2,.... S n = ω 2n 1 + ω 2n 1 1 The proof is a very easy induction exercise. Lemma 4.6. Let r be a prime 1 (mod 3) and 1 (mod 8) (i.e., 7 (mod 24)). Then ω r+1 2 1 (mod r). (So it s equal to a + b 3 where a 1 (mod r) and b 0 (mod r).) Proof. Put τ = 1 + 3 2 and τ 1 = 1 3 2. Then we immediately get ττ 1 = 1, τ 2 = ω and τ1 2 = ω 1. Next, from τ 2 = 1 + 3 we have (τ 2) r = (1 + 3) r, so that r 1 ( ) τ r 2 r 1 r 2 2 = 1 + ( 3) j + 3 r 1 2 3 j j=1 1 + 3 r 1 2 3 (mod r), (1) as r ( r j). Since r 1 (mod 8) we have ( ) 2 r 1 2 2 = ( 1) r2 1 8 1 (mod r), r 17

18 using Euler s Criterion, and Prop. 5.3. Further, since r 1 (mod 3) and r 1 (mod 4) we have ( ) 3 r 1 3 ( ( ) r 2 = ( 1) r 3) r 1 2 3 1 1 2 = ( 1) 1 (mod r), 3 using Euler s Criterion again, and also Quadratic Reciprocity (Th. 5.1). So, from (1), we have successively the last step using τ 2 = ω. τ r 2 1 3 (mod r) τ r τ 1 (mod r) τ r+1 ττ 1 = 1 (mod r) ω r+1 2 1 (mod r), Proof of Theorem 4.4. M p prime M p S p 1. Assume M p prime. Apply Lemma 4.6 with r = M p, which is allowed as M p 1 (mod 8) and M p ( 1) p 1 1 (mod 3). So ω Mp+1 2 = ω 2p 1 1 (mod M p ) (2) and, using Lemma 4.5, including ω1 1 = ω, we have ( (ω ) S p 1 = ω 2p 2 + ω1 2p 2 = ω1 2p 2 1 2 p 2 1 ω 2 p 2 + 1) = ω1 2p 2 ( ) ω 2p 1 + 1 0 (mod M p ), (3) the last step using (2). M p S p 1 M p prime. Assume M p S p 1 but M p composite. We aim for a contradiction. Then M p will have a prime divisor q (say) with q 2 M p. ( Z[ ) 3] Now consider the multiplicative group G = of units of the ring Z[ 3]. Then (q) (q) G has coset representatives consisting of numbers a + b 3 with a, b {0, 1, 2,..., q 1} that are also invertible (mod q). So G is a group of size (order) at most q 2 1, with multiplication defined modulo q. From ω(ω 1 + q 3) 1 (mod q) we see that ω = 2 + 3 is invertible, and so ω G. [Strictly speaking, the coset ω (mod q) G.] Now, using M p S p 1 we see that (3) holds even when M p is composite, so we have successively that ω 2p 1 + 1 0 (mod M p ), ω 2p 1 1 (mod q) and ω 2p 1 (mod q). Hence the order of ω in G is 2 p. Then 2 p #G q 2 1 M p 1 = 2 p 2, a contradiction. Hence M p must be prime. In practice, to test M p for primality using Theorem 4.4, one doesn t need to compute S j (j = 1, 2,...,p 1), but only the much smaller (though still large!) numbers S j (mod M p )(j = 1, 2,..., p 1). A good source of information on Mersenne numbers is

http://primes.utm.edu/mersenne/index.html 19

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback