Lecture 31: Miller Rabin Test. Miller Rabin Test

Similar documents
Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Applied Cryptography and Computer Security CSE 664 Spring 2018

1. Algebra 1.7. Prime numbers

Factorization & Primality Testing

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

Lecture 2: Randomized Algorithms

WXML Final Report: AKS Primality Test

Lecture 7: Fingerprinting. David Woodruff Carnegie Mellon University

CPSC 467b: Cryptography and Computer Security

6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch

Ma/CS 6a Class 4: Primality Testing

Primes and Factorization

Cryptography: Joining the RSA Cryptosystem

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

CSC 373: Algorithm Design and Analysis Lecture 30

Lecture 6: Deterministic Primality Testing

Ma/CS 6a Class 4: Primality Testing

THE SOLOVAY STRASSEN TEST

Lecture 8: Number theory

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

conp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.

Great Theoretical Ideas in Computer Science

CPSC 467b: Cryptography and Computer Security

Randomness. What next?

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

The running time of Euclid s algorithm

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

Lecture Prelude: Agarwal-Biswas Probabilistic Testing

Lecture 10 Oct. 3, 2017

CSE 521: Design and Analysis of Algorithms I

String Matching. Thanks to Piotr Indyk. String Matching. Simple Algorithm. for s 0 to n-m. Match 0. for j 1 to m if T[s+j] P[j] then

Lecture 11 - Basic Number Theory.

Adleman Theorem and Sipser Gács Lautemann Theorem. CS422 Computation Theory CS422 Complexity Theory

Some Facts from Number Theory

Advanced Algorithms and Complexity Course Project Report

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

Primality Testing- Is Randomization worth Practicing?

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Randomized Complexity Classes; RP

Does randomness solve problems? Russell Impagliazzo UCSD

Lecture 22: RSA Encryption. RSA Encryption

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

And for polynomials with coefficients in F 2 = Z/2 Euclidean algorithm for gcd s Concept of equality mod M(x) Extended Euclid for inverses mod M(x)

Primality testing: then and now

Primality testing: then and now

Theoretical Cryptography, Lecture 13

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

basics of security/cryptography

1 Randomized Computation

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

Introduction to Cryptology. Lecture 20

Introduction to Modern Cryptography. Benny Chor

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

Pseudoprimes and Carmichael Numbers

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Notes for Lecture 14

Algorithms lecture notes 1. Hashing, and Universal Hash functions

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Uncertainty can be Better than Certainty:

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

10 Concrete candidates for public key crypto

Discrete Math, Fourteenth Problem Set (July 18)

Lecture # 12. Agenda: I. Vector Program Relaxation for Max Cut problem. Consider the vectors are in a sphere. Lecturer: Prof.

Some mysteries of multiplication, and how to generate random factored integers

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

IRREDUCIBILITY TESTS IN F p [T ]

Public Key Cryptography

Entry Number:2007 mcs Lecture Date: 18/2/08. Scribe: Nimrita Koul. Professor: Prof. Kavitha.

Lecture Examples of problems which have randomized algorithms

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Bipartite Perfect Matching

1 Rabin Squaring Function and the Factoring Assumption

U.C. Berkeley CS174: Randomized Algorithms Lecture Note 12 Professor Luca Trevisan April 29, 2003

Lecture 4: Codes based on Concatenation

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Needles, haystacks and optimal designs

Computational complexity

b + O(n d ) where a 1, b > 1, then O(n d log n) if a = b d d ) if a < b d O(n log b a ) if a > b d

A Few Primality Testing Algorithms

Lecture 3 (Limits and Derivatives)

About complexity. We define the class informally P in the following way:

THE MILLER RABIN TEST

Attempt QUESTIONS 1 and 2, and THREE other questions. penalised if you attempt additional questions.

MATH 115, SUMMER 2012 LECTURE 4 THURSDAY, JUNE 21ST

How To Test If a Polynomial Is Identically Zero?

15-451/651: Design & Analysis of Algorithms October 31, 2013 Lecture #20 last changed: October 31, 2013

arxiv: v1 [math.gm] 23 Dec 2018

Theoretical Cryptography, Lecture 10

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Lecture 2 (Limits) tangent line secant line

Lecture 11: Generalized Lovász Local Lemma. Lovász Local Lemma

NOTES ON SOME NEW KINDS OF PSEUDOPRIMES

CHAPTER 3 FUNDAMENTALS OF COMPUTATIONAL COMPLEXITY. E. Amaldi Foundations of Operations Research Politecnico di Milano 1

Correctness, Security and Efficiency of RSA

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Transcription:

Lecture 31:

Recall In the previous lecture we considered an efficient randomized algorithm to generate prime numbers that need n-bits in their binary representation This algorithm sampled a random element in the range {2 n 1, 2 n 1 + 1,..., 2 n 1} and test whether it is a prime number or not By the Prime Number Theorem, we are extremely likely to hit a prime number So, all that remains is an algorithm to test whether the random sample we have chosen is a prime number or not

Primality Testing Given an n-bit number N as input, we have to ascertain whether N is a prime number or not in time polynomial in n Only in 2002, Agrawal Kayal Saxena constructed a deterministic polynomial time algorithm for primality testing. That is, the algorithm will always run in time polynomial in n. For any input N (that has n-bits in its binary representation), if N is a prime number, the AKS primality testing algorithm will return 1; otherwise (if, the number N is a composite number), the AKS primality testing algorithm will return 0. In practice, this algorithm is not used for primality testing because this turns out to be too slow. In practice, we use a randomized algorithm, namely, the, that successfully distinguishes primes from composites with very high probability. In this lecture, we will study a basic version of this Miller Rabin primality test.

Assurance of Miller Rabin outputs 1 to indicate that it has classified the input N as a prime. It Miller Rabin outputs 0, then it indicates that it has classified N as a composite number. N is Prime Composite Miller Rabin outputs 1 with probability 1 0 with probability 0 1 with probability 2 t 0 with probability 1 2 t So, if N is a prime, then Miller Rabin algorithm is always correct. On the other hand, if N is a composite number, then Miller Rabin algorithm correctly classifies it as a composite number with probability (1 2 t ), where t is an input it takes. Intuitively, the Miller Rabin only sometimes incorrectly classifies composite numbers as primes numbers.

Basic I In today s lecture, we shall cover a basic form of Miller Rabin primality testing algorithm This algorithm mimics the performance of the actual test on all inputs except a small set of bad composite numbers, namely, Carmichael Numbers. On all other inputs, it replicates the performance of the actual For example, our basic algorithm will correctly identify prime number with probability 1. Moreover, for any composite number that is not a Carmichael number, it will correctly classify it as a composite number with probability (1 2 t ) Our basic algorithm goes horribly wrong if the input N is a Carmichael number. It will incorrectly classify N as a prime number with probability 1.

Basic II Intuition Underlying the Basic Construction. Note that if N is a prime then we know that a p 1 = 1 mod p, for all a {1, 2,..., p 1} (We shall state this next statement without a proof) If N is a composite number that is not a Carmichael number, then at least half the elements a {1, 2,..., N 1} have the property that a N 1 1 mod N So, if we pick a random a {1, 2,..., N 1} and compute a N 1 mod N, then 1 If N is a prime, then it is always 1 2 If N is a composite that is not a Carmichael number, then it is 1 with probability at least 1/2

Basic III Basic Miller Rabin Primality Testing IsPrime(N, t): 1 For i = 1 to t: 1 Sample a $ {1, 2,..., N 1} 2 If a N 1 mod N 1: Return 0 2 Return 1

Basic IV Analysis. Suppose N is a prime number. Then the test a N 1 mod N = 1, for all a {1, 2,..., N 1}. Hence, the output of the algorithm is 1 Suppose N is a composite number that is not a Carmichael number. Then, with probability 1/2, the inner loop samples a such that a N 1 mod N 1. So, the inner loop does not return 0, with probability 1/2. Any one of the t-runs of the inner loop does not return 0, with probability 2 t. Hence, the probability that the basic test returns 1 (ie, the algorithm incorrectly classifies a composite N as a prime number) is 2 t

Carmichael Numbers Carmichael numbers are composite numbers for which our basic algorithm fails There are infinitely many Carmichael numbers (otherwise, our basic algorithm could have simply checked whether N lies in this finite list of Carmichael numbers) Definition (Carmichael Number) The composite number N is a Carmichael number if a N 1 = 1 mod N, for all a {1, 2,..., N 1} C(X ) represents the number of Carmichael number < X. Erdös proved an upper-bound on C(X ) C(X ) ( exp x where N = 2 x and λ > 0 is a constant. X λ log log x log x So, it is highly unlikely that a random number generated from the set {1,..., 2 x 1} is a Carmichael number ),

Analysis of Basic Algorithm with Random Input Recall that our basic algorithm is incorrect only for Carmichael numbers We saw that Carmichael numbers are very rare So, when the input to our basic Rabin Miller primality testing algorithm is chosen uniformly at random, then it works correctly with high probability The actual Rabin Miller primality testing algorithm will not be covered in this course. Interested students are encouraged to read online resources on this algorithm.

A worked out example for N = 15 For a = 1, 2, 3,..., 14, we write down the values of a N 1 mod N 1, 4, 9, 1, 10, 6, 4, 4, 6, 10, 1, 9, 4, 1 Only a {1, 4, 11, 14} have a N 1 = mod N 10-out-of-14 elements in {1, 2,..., 14} have a N 1 mod N

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback