Math 609/597: Cryptography 1


The Solovay-Strassen Primality Test
12 October, 1993
Burt Rosenberg
Revised: 6 October, 2000

1 Introduction

We describe the Solovay-Strassen primality test. There is quite a bit of number-theoretic background necessary to the full understanding of the algorithm; however, in practice it is very simple. It is also curious because it works incredibly quickly to give you a probably correct answer, however no one has found a less than exponential-time algorithm to tell you for certain whether a number is prime.

The algorithm works by selecting random integers and computing large powers of them in the ring $\mathbb{Z}/n\mathbb{Z}$, where $n$ is the number you want to test. Also, the so-called Jacobi symbol is calculated for these integers. If ever these calculations disagree, then $n$ is composite. For if $n$ were prime, the Jacobi symbol would in fact be the Legendre symbol, and for the Legendre symbol equality of the two methods of calculation is a theorem. It is not necessary for the two calculations to disagree when $n$ is composite, but it is likely. Half of the integers between 1 and $n-1$ which are relatively prime to $n$ will make the calculations disagree. (If we happen to choose an integer which is not relatively prime to $n$, we are even better off: we not only know $n$ is composite, we have a non-trivial factor!) Hence, the probability that after $k$ choices of a random integer you would wrongly proclaim a composite to be prime is less than $1/2^k$. In practice, the results are even better.

We begin by explaining the Legendre Symbol, then extend the definition to the Jacobi Symbol. From there we apply the Jacobi Symbol to primality testing. Finally, a Pascal program is presented.

2 Quadratic Residues

Suppose $p$ is an odd prime. In $(\mathbb{Z}/p\mathbb{Z})^*$, the group of invertible elements mod $p$, that is to say, $\mathbb{Z}/p\mathbb{Z}$ without 0, half of the integers are squares and the rest are not. This is quickly seen by considering the map $x \mapsto x^2$. Each element $a$ in the range of this map receives exactly two elements, namely, if $b^2 \equiv a$ then $(-b)^2 \equiv a$; that is, if we can assume that $b \not\equiv -b$, which is equivalent to assuming $p \neq 2$.

The elements which are squares are called quadratic residues; the rest are quadratic non-residues.

Definition 1 (Legendre Symbol) For $p$ a prime, and $b$ a positive integer, the Legendre Symbol is defined by
$$\left[\frac{b}{p}\right] = \begin{cases} 0 & \text{if } b \text{ and } p \text{ are not relatively prime,} \\ 1 & \text{if } b \text{ is a quadratic residue mod } p, \\ -1 & \text{if } b \text{ is a quadratic non-residue mod } p. \end{cases}$$
If $p$ is two, then the value of the Legendre Symbol is one for any odd $b$ and 0 else. For $p$ an odd prime, we can use this theorem:

Theorem 1 For any odd prime $p$ and any positive integer $b$,
$$\left[\frac{b}{p}\right] \equiv b^{(p-1)/2} \pmod p.$$

Proof: If $(b, p) \neq 1$ then $b \equiv 0 \pmod p$ and the equality follows. We henceforth consider integers $b$ relatively prime to $p$. It is quickly seen that the set
$$A = \{\, a \in (\mathbb{Z}/p\mathbb{Z})^* : a^{(p-1)/2} \equiv 1 \pmod p \,\}$$
forms a subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$. Any quadratic residue $b \equiv a^2$ is in $A$, since
$$b^{(p-1)/2} \equiv a^{2(p-1)/2} \equiv 1 \pmod p,$$
by Little Fermat. We remarked above that half the elements of $(\mathbb{Z}/p\mathbb{Z})^*$ are quadratic residues, hence $A$ is of size either $p-1$ or $(p-1)/2$ (the order of a subgroup must divide the order of the group). The subgroup $A$ does not include any generator of the group, hence its size is not $p-1$. Therefore $A$ contains exactly the quadratic residues. On the other hand, by Little Fermat, the square of $b^{(p-1)/2}$ is 1, hence for those integers relatively prime to $p$ but outside of $A$, the power must evaluate to the only other root of one, that is, $-1$.

There are several rules for computing with Legendre symbols, for instance: that the Legendre symbol depends only on the residue of $b$ mod $p$, that the Legendre symbol of 1 over $p$ is always 1, and that
$$\left[\frac{b_1 b_2}{p}\right] = \left[\frac{b_1}{p}\right]\left[\frac{b_2}{p}\right].$$
These are easy to verify. Two rules which are more difficult to show are:

Theorem 2 For $p$ an odd prime,
$$\left[\frac{2}{p}\right] = (-1)^{(p^2-1)/8} = \begin{cases} 1 & \text{if } p \equiv \pm 1 \pmod 8 \\ -1 & \text{if } p \equiv \pm 3 \pmod 8 \end{cases}$$

Theorem 3 (Law of Quadratic Reciprocity) For $p$ and $q$ odd primes,
$$\left[\frac{p}{q}\right]\left[\frac{q}{p}\right] = (-1)^{(p-1)(q-1)/4} = \begin{cases} -1 & \text{if } p \equiv q \equiv 3 \pmod 4 \\ 1 & \text{else.} \end{cases}$$
For proofs see Neal Koblitz's A Course in Number Theory and Cryptography, or for an enchantingly elementary proof, André Weil's Number Theory for Beginners.

3 Jacobi Symbols

The Jacobi Symbol extends the definition of the Legendre Symbol to denominators other than primes. In doing so, it loses the number-theoretic interpretation: it no longer indicates which integers are quadratic residues, and it is no longer possible to calculate it by taking the numerator to a certain power mod the denominator.

Definition 2 (Jacobi Symbol) For any positive integer $n$, we define the Jacobi symbol according to the prime decomposition of $n$ by: if $n = \prod_{i=1}^{r} p_i^{\alpha_i}$, then
$$\left(\frac{m}{n}\right) = \prod_{i=1}^{r} \left[\frac{m}{p_i}\right]^{\alpha_i}.$$
Note immediately that the Jacobi symbol has values either 1, $-1$ or 0, and it is zero only if one of its factors is zero, that is, $m$ and $n$ are not relatively prime. Since the Euclidean algorithm efficiently determines if two integers are relatively prime, from the point of view of calculating the Jacobi symbol, attention focuses on the case of $m$ and $n$ relatively prime.

Theorem 4 For integers $n$ and $m$, and factorizations $n = n_1 n_2$ and $m = m_1 m_2$, the Jacobi symbol obeys:
$$\left(\frac{m_1 m_2}{n}\right) = \left(\frac{m_1}{n}\right)\left(\frac{m_2}{n}\right), \qquad\text{and}\qquad \left(\frac{m}{n_1 n_2}\right) = \left(\frac{m}{n_1}\right)\left(\frac{m}{n_2}\right).$$
Proof: For the first equivalence, write out the Jacobi symbol as a product of Legendre symbols, apply the rule
$$\left[\frac{n_1 n_2}{m}\right] = \left[\frac{n_1}{m}\right]\left[\frac{n_2}{m}\right]$$
for Legendre symbols, then rearrange and collect terms. For the second equivalence, write out the Jacobi symbol according to its definition, then collect terms.

Theorem 5 For $n$ and $m$ relatively prime and odd,
$$\left(\frac{n}{m}\right)\left(\frac{m}{n}\right) = (-1)^{(m-1)(n-1)/4}.$$
Proof: Let $i$ be the number of prime factors in $n$ and $j$ the number of prime factors in $m$, counting multiplicity. We use induction on $i$ and $j$. When $i = j = 1$, the basis case, the theorem is exactly the law of quadratic reciprocity. Assume now that the theorem is true for any $i < I$ and $j < J$, with $I$ and $J$ greater than one. We show it is true for any $i < I + 1$ and $j < J + 1$. Let $n$ be an integer with $I + 1$ factors. Write it as the product of two integers $n_1 n_2$ each having less than $I$ factors, and apply the induction hypothesis to the factored Jacobi symbols:
$$\left(\frac{n}{m}\right)\left(\frac{m}{n}\right) = \left(\frac{n_1}{m}\right)\left(\frac{n_2}{m}\right)\left(\frac{m}{n_1}\right)\left(\frac{m}{n_2}\right) = (-1)^{(n_1-1)(m-1)/4}\,(-1)^{(n_2-1)(m-1)/4} = (-1)^{(n_1+n_2-2)(m-1)/4}.$$
Hence our product is $-1$ if both $m$ and $n_1 + n_2 - 1$ are 3 mod 4, and 1 else. Note that, since $n_1$ and $n_2$ are both odd, $(n_1 - 1)(n_2 - 1)$ is divisible by 4. Multiplying this out, we get $n_1 + n_2 - 1 \equiv n_1 n_2 \pmod 4$. So the product is $-1$ if $n$ and $m$ are 3 mod 4, and 1 else. That is,
$$(-1)^{(n_1+n_2-2)(m-1)/4} = (-1)^{(n-1)(m-1)/4},$$

which proves the theorem for $i = I$ and any $j < J$. Swapping the roles of $n$ and $m$ gives that the theorem is true for $i = I$ and $j = J$. Continuing by induction, the theorem is true for all $i$ and $j$.

In calculating the Jacobi symbol we use the previous theorem and reduction of the numerator modulo the denominator to reduce the calculation step by step, except if the numerator or denominator is even. If both are even, then the result is zero. We can throw out all factors of two of the denominator, since any odd $n$ is a quadratic residue mod 2. If the numerator is even, its factors of two are treated using the following theorem.

Theorem 6 For any odd integer $n$,
$$\left(\frac{2}{n}\right) = (-1)^{(n^2-1)/8}.$$
Proof: Similar to the previous theorem, we use an induction on the number of elements in the prime decomposition of $n$. The basis case is $n$ a prime, when the Jacobi symbol equals the Legendre symbol and the theorem is true by definition. Suppose the theorem is true for all $n$ which are the product of less than $I$ primes. Write $n$, a product of $I$ primes, as $n_1 n_2$ and calculate, using the induction hypothesis:
$$\left(\frac{2}{n}\right) = \left(\frac{2}{n_1}\right)\left(\frac{2}{n_2}\right) = (-1)^{(n_1^2 + n_2^2 - 2)/8}.$$
Note that an odd integer is either 1 or 3 mod 4, so any square of an odd integer is 1 mod 4. Therefore $(n_1^2 - 1)(n_2^2 - 1)$ is zero mod 16. Multiplying this out we find
$$n^2 \equiv n_1^2 + n_2^2 - 1 \pmod{16}.$$
Recall that $m^2 - 1$ is divisible by 8 for any odd $m$, so $n^2 - 1$ and $n_1^2 + n_2^2 - 2$ are equal mod 16, and both are either 0 or 8 mod 16. In any case,
$$(-1)^{(n_1^2 + n_2^2 - 2)/8} = (-1)^{(n^2-1)/8},$$
proving the theorem for any integer $n$ a product of $I$ primes. Proceeding with the induction, we have the theorem for all odd $n$.

4 Application to Primality Testing

The Jacobi symbol is used to test for primality of a given integer $n$ by testing for agreement between two calculations,
$$\left(\frac{b}{n}\right) \overset{?}{\equiv} b^{(n-1)/2} \pmod n,$$
which, if $n$ is a prime, is an identity for the Legendre symbol. If $n$ is not a prime, however, either $b$ will not be relatively prime to $n$, or the two calculations might not agree. How often they do not agree is discussed next.
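A worked instance of this reduction, added here as an example and not part of the original notes, with the numbers 110 and 123 = 3 · 41 chosen so that Theorem 6, both cases of Theorem 5, and the reduction of the numerator all occur. First remove the factor of two from the numerator:
$$\left(\frac{110}{123}\right) = \left(\frac{2}{123}\right)\left(\frac{55}{123}\right), \qquad \left(\frac{2}{123}\right) = (-1)^{(123^2-1)/8} = -1 \quad\text{since } 123 \equiv 3 \pmod 8.$$
Then alternate Theorem 5 with reduction of the numerator modulo the denominator; the only sign change is the first swap, where $55 \equiv 123 \equiv 3 \pmod 4$, while $13 \equiv 1 \pmod 4$ makes the later swaps free:
$$\left(\frac{55}{123}\right) = -\left(\frac{123}{55}\right) = -\left(\frac{13}{55}\right) = -\left(\frac{55}{13}\right) = -\left(\frac{3}{13}\right) = -\left(\frac{13}{3}\right) = -\left(\frac{1}{3}\right) = -1.$$
Hence $\left(\frac{110}{123}\right) = (-1)(-1) = 1$. The definition gives the same value, using Theorems 2 and 3 on the prime factors:
$$\left(\frac{110}{123}\right) = \left[\frac{110}{3}\right]\left[\frac{110}{41}\right] = \left[\frac{2}{3}\right]\left[\frac{28}{41}\right] = (-1)\left[\frac{2}{41}\right]^2\left[\frac{7}{41}\right] = -\left[\frac{41}{7}\right] = -\left[\frac{6}{7}\right] = -\left[\frac{2}{7}\right]\left[\frac{3}{7}\right] = -(1)(-1) = 1.$$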

Theorem 7 For any prime $p$, there is a generator for $(\mathbb{Z}/p^2\mathbb{Z})^*$.

Proof: For any prime $p$, there is a generator $g$ for $(\mathbb{Z}/p\mathbb{Z})^*$. Let $h$ equal $g$ or $g(1 + p)$, depending on whether or not $g^{p-1} \equiv 1 \pmod{p^2}$. If $g^{p-1} \equiv 1 \pmod{p^2}$, then
$$(g(1+p))^{p-1} \equiv 1 + (p-1)p + p^2 w \equiv 1 + p(p-1) \pmod{p^2},$$
where $w$ is some integer. Hence $h$ can be chosen so that its $(p-1)$-th power mod $p^2$ is not one. Since in either case $h \equiv g \pmod p$, $h$ is a generator of $(\mathbb{Z}/p\mathbb{Z})^*$. We show that $h$ is a generator of $(\mathbb{Z}/p^2\mathbb{Z})^*$. Let $h^j \equiv 1 \pmod{p^2}$. This congruence remains true modulo $p$, therefore $(p-1) \mid j$. This being so, we can write $j$ as $j = (p-1)j'$. But $j$ must also divide the order of the group, $j \mid p(p-1)$, hence $j' \mid p$. Since $h^{p-1}$ is not one, $j'$ cannot be one, so it must be $p$. Therefore the order of $h$ is the size of the group.

Theorem 8 For any odd composite $n$, there is a $b$ relatively prime to $n$ such that
$$\left(\frac{b}{n}\right) \not\equiv b^{(n-1)/2} \pmod n.$$
Proof: If $p^2 \mid n$ for a prime $p$, let $g$ generate $(\mathbb{Z}/p^2\mathbb{Z})^*$. Select a $b$ such that $b \equiv g \pmod{p^2}$ and $b \equiv 1 \pmod q$ for any other distinct prime $q$ dividing $n$. The existence of $b$ is assured by the Chinese Remainder Theorem. If the equation were true, then $b^{n-1} \equiv 1 \pmod n$, which, being a congruence remaining true in $\mathbb{Z}/p^2\mathbb{Z}$, would imply that $p(p-1) \mid (n-1)$. However, then $p$ would divide both $n$ and $n-1$. So we can suppose $n$ is square free. Let $g$ be a quadratic non-residue in some $\mathbb{Z}/p\mathbb{Z}$ where $p \mid n$. Select a $b$, again by the Chinese Remainder Theorem, such that $b \equiv g \pmod p$ and $b \equiv 1 \pmod q$ for any other prime $q$ dividing $n$. Then it is impossible for $b^{(n-1)/2} \equiv -1 \pmod n$, else this would be true in $\mathbb{Z}/q\mathbb{Z}$ for those primes where $b$ is one. However, the rules of calculation for the Jacobi symbol give:
$$\left(\frac{b}{n}\right) = \left(\frac{b}{p}\right)\prod_{q}\left(\frac{b}{q}\right) = -1.$$
We used that $n$ is odd in two places, that there are quadratic non-residues, and that $1 \not\equiv -1 \pmod q$.

Theorem 9 If $n$ is an odd composite, then for at least half of the integers $b$ relatively prime to $n$ in the interval $[1, n-1]$,
$$\left(\frac{b}{n}\right) \not\equiv b^{(n-1)/2} \pmod n.$$

Proof: Let $A$ be the set of $a$ for which $(a, n) = 1$ and the equality holds. Since there is a $b$ relatively prime to $n$ for which the equality does not hold, take any $a \in A$ and consider $ab$. It is again relatively prime to $n$ and
$$\left(\frac{a}{n}\right)\left(\frac{b}{n}\right) \not\equiv a^{(n-1)/2}\, b^{(n-1)/2} \pmod n$$
because we are inside the group $(\mathbb{Z}/n\mathbb{Z})^*$. Hence we have that all of $bA$ does not satisfy the equality, and hence $A$ cannot account for more than half the elements in $[1, n-1]$.

5 Program

```pascal
program SolovayStrassen (input, output) ;

function gcd( a, b : integer ) : integer ;
var t : integer ;
begin
  if a < 0 then a := - a ;
  if b < 0 then b := - b ;
  if a < b then begin t := a ; a := b ; b := t end ;
  while b <> 0 do begin
    t := a mod b ; a := b ; b := t
  end ;
  gcd := a
end ;

function twofactor( var a : integer ) : integer ;
{ divide out the factors of two from a and return how many there were }
var i : integer ;
begin
  i := 0 ;
  while ((a mod 2) = 0) do begin
    i := i + 1 ; a := a div 2
  end ;
  twofactor := i
end ;

function jacobi( m, n : integer ) : integer ;
{ assume (m,n)=1, n is odd, 0 < m < n. }
var i, j, d : integer ;
begin
  i := 1 ;
  while (m > 1) do begin { it could be zero or 1 to exit }
    j := twofactor( m ) ;
    if ( j mod 2 ) = 1 then begin   { Theorem 6: (2/n) = -1 iff n = 3 or 5 mod 8 }
      d := n mod 8 ;
      if ( d = 3 ) or ( d = 5 ) then i := - i
    end ;
    { Theorem 5: swapping costs a sign only when both are 3 mod 4 }
    if ( (m mod 4) = 3 ) and ( (n mod 4) = 3 ) then i := - i ;
    d := n mod m ; n := m ; m := d
  end ;
  jacobi := i
end ;

function multiply( a, b, c : integer ) : integer ;
{ return a * b mod c, without overflow by repeated doubling }
{ assume 0 < a, b < c }
var i : integer ;
begin
  if (a = 0) then i := 0
  else if (a mod 2) = 1 then begin
    i := multiply( (a-1) div 2, b, c ) ;
    if ( (c - i) > i ) then i := i + i else i := ( i - c ) + i ;
    if ( (c - i) > b ) then i := i + b else i := ( i - c ) + b
  end else begin
    i := multiply( a div 2, b, c ) ;
    if ( (c - i) > i ) then i := i + i else i := ( i - c ) + i
  end ;
  multiply := i
end ;

function fastexp( b, j, n : integer ) : integer ;
{ take b to the j mod n }
var i : integer ;
begin
  if (j = 0) then i := 1
  else if ( j mod 2 ) = 1 then begin
    i := fastexp( b, (j-1) div 2, n ) ;
    i := multiply( multiply( b, i, n ), i, n )
  end else begin
    i := fastexp( b, j div 2, n ) ;
    i := multiply( i, i, n )
  end ;
  fastexp := i
end ;

function primality( p, i : integer ) : integer ;
{ given an integer p, test for primality, using i iterations of some
  numbers, here they are the numbers 2, 3, ..., i+1.  Returns 0 if no
  contradiction between the jacobi and legendre symbols was found.
  Else returns the evidence that p is composite, either a factor or
  an integer such that the symbols differ. }
var j : integer ;
    dl, dj : integer ;
    b : boolean ;
begin
  if (p < 2) then j := 1           { not prime }
  else if (p = 2) then j := 0      { prime }
  else if (p mod 2) = 0 then j := 2 { not prime }
  else begin { Precondition: p is odd, 3 or larger }
    { Check if i is unnecessarily large, and correct }
    if (i+1) > p then i := p - 2 ;
    j := 1 ; b := false ;
    repeat
      j := j + 1 ;
      if (j > (i+1)) then b := true
      else { test for non-trivial gcd }
        if gcd(j, p) > 1 then b := true
        else begin { apply tests }
          dl := fastexp( j, (p-1) div 2, p ) ;
          if (dl <> 1) then dl := dl - p ;  { p-1 becomes -1; anything else stays wrong }
          dj := jacobi( j, p ) ;
          if ( dj <> dl ) then b := true
        end
    until b ;
    if (j > (i+1)) then { test ran to completion } j := 0
  end ;
  primality := j
end ;

var i, j, k : integer ;
    c : char ;
begin
  write( 'Quit [y/n]? ' ) ;
  readln(c) ;
  while (c <> 'y') do begin
    writeln( 'Primality test of p, i iterations.' ) ;
    write( 'p? ' ) ; readln(j) ;
    write( 'i? ' ) ; readln(i) ;
    k := primality( j, i ) ;
    if ( k = 0 ) then writeln( j:0, ' might be a prime.' )
    else writeln( j:0, ' is not a prime, fails test using ', k:0 ) ;
    write( 'Quit [y/n]? ' ) ;
    readln(c)
  end
end.
```
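A Python counterpart to the Pascal program, added here as an example and not part of the original notes: `jacobi` follows the reduction of Section 3 (Theorems 5 and 6 plus reduction of the numerator), `solovay_strassen_witness` makes the comparison of Section 4, `is_probable_prime` runs it with random bases, and `witness_fraction` counts the witnesses of Theorem 9 exhaustively for a small modulus. The function names and the sample moduli 15 and 561 (a Carmichael number, which the Fermat test alone never detects) are my choices.

```python
import random
from math import gcd

def jacobi(m: int, n: int) -> int:
    """Jacobi symbol (m/n) for odd n > 0, computed as in Section 3: strip
    factors of 2 from the numerator (Theorem 6), swap numerator and
    denominator (Theorem 5), reduce the numerator mod the denominator."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("denominator must be a positive odd integer")
    m %= n
    result = 1
    while m != 0:
        while m % 2 == 0:                 # (2/n) = -1 iff n = +-3 (mod 8)
            m //= 2
            if n % 8 in (3, 5):
                result = -result
        m, n = n, m                       # sign flips iff both are 3 (mod 4)
        if m % 4 == 3 and n % 4 == 3:
            result = -result
        m %= n
    return result if n == 1 else 0        # n > 1 here means gcd(m, n) > 1

def solovay_strassen_witness(b: int, n: int) -> bool:
    """True if b proves odd n composite: gcd(b, n) > 1, or the Jacobi symbol
    disagrees with b^((n-1)/2) mod n, the comparison of Section 4."""
    if gcd(b, n) != 1:
        return True
    euler = pow(b, (n - 1) // 2, n)
    if euler == n - 1:                    # represent p-1 as -1, as the Pascal does
        euler = -1
    return jacobi(b, n) != euler

def is_probable_prime(n: int, rounds: int = 20, rng=random.SystemRandom()) -> bool:
    """Solovay-Strassen test with random bases: a composite survives k rounds
    with probability below 1/2^k by Theorem 9; a prime always passes."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return not any(solovay_strassen_witness(rng.randrange(2, n - 1), n)
                   for _ in range(rounds))

def witness_fraction(n: int) -> float:
    """Fraction of b in [1, n-1] coprime to n that are witnesses; Theorem 9
    says this is at least 1/2 for every odd composite n (exhaustive, small n)."""
    coprime = [b for b in range(1, n) if gcd(b, n) == 1]
    return sum(solovay_strassen_witness(b, n) for b in coprime) / len(coprime)

if __name__ == "__main__":
    # 561 = 3 * 11 * 17: every coprime base satisfies b^560 = 1 (mod 561),
    # yet the Jacobi comparison still finds witnesses (5 is one, 2 is not).
    print(witness_fraction(15), witness_fraction(561))
    print(is_probable_prime(561), is_probable_prime(7919))
```

Note that base 2 does not expose 561, which is why the test is repeated with several independent bases rather than trusting one.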