Primality Testing- Is Randomization worth Practicing?

Similar documents
RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Factorization & Primality Testing

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

Ma/CS 6a Class 4: Primality Testing

CSE 521: Design and Analysis of Algorithms I

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

1. Algebra 1.7. Prime numbers

CSC 373: Algorithm Design and Analysis Lecture 30

Applied Cryptography and Computer Security CSE 664 Spring 2018

CPSC 467b: Cryptography and Computer Security

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

ECE646 Lecture 11 Required Reading Chapter 8.3 Testing for Primality RSA Key Generation

Great Theoretical Ideas in Computer Science

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Advanced Algorithms and Complexity Course Project Report

CPSC 467b: Cryptography and Computer Security

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

A Few Primality Testing Algorithms

Lecture 6: Cryptanalysis of public-key algorithms.,

ECEN 5022 Cryptography

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

Ma/CS 6a Class 4: Primality Testing

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

8 Primes and Modular Arithmetic

IRREDUCIBILITY TESTS IN F p [T ]

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Lecture # 12. Agenda: I. Vector Program Relaxation for Max Cut problem. Consider the vectors are in a sphere. Lecturer: Prof.

Primality testing: then and now

Primality testing: then and now

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Public Key Encryption

Primality Testing SURFACE. Syracuse University. Per Brinch Hansen Syracuse University, School of Computer and Information Science,

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Entry Number:2007 mcs Lecture Date: 18/2/08. Scribe: Nimrita Koul. Professor: Prof. Kavitha.

Elementary Number Theory

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

THE MILLER RABIN TEST

CRC Press has granted the following specific permissions for the electronic version of this book:

Lecture 11 - Basic Number Theory.

ORDERS OF ELEMENTS IN A GROUP

About complexity. We define the class informally P in the following way:

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

FERMAT S TEST KEITH CONRAD

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

A Guide to Arithmetic

Algorithms (II) Yu Yu. Shanghai Jiaotong University

The running time of Euclid s algorithm

Lecture 6: Introducing Complexity

About complexity. Number theoretical algorithms

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Lecture 1: Introduction to Public key cryptography

Aspect of Prime Numbers in Public Key Cryptosystem

Lecture 31: Miller Rabin Test. Miller Rabin Test

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

Primes and Factorization

Lecture Notes, Week 6

CPSC 467b: Cryptography and Computer Security

Euler s, Fermat s and Wilson s Theorems

Solutions to Problem Set 4 - Fall 2008 Due Tuesday, Oct. 7 at 1:00

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Analyzing and Optimizing the Combined Primality test with GCD Operation on Smart Mobile Devices

CPSC 467: Cryptography and Computer Security

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Dixon s Factorization method

Short Course in Quantum Information Lecture 5

THE SOLOVAY STRASSEN TEST

WORKSHEET ON NUMBERS, MATH 215 FALL. We start our study of numbers with the integers: N = {1, 2, 3,...}

3 The fundamentals: Algorithms, the integers, and matrices

Chapter 5 : Randomized computation

Wednesday, February 21. Today we will begin Course Notes Chapter 5 (Number Theory).

Math 110 HW 3 solutions

C.T.Chong National University of Singapore

Part II. Number Theory. Year

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Some Facts from Number Theory

Solutions to Problem Set 3 - Fall 2008 Due Tuesday, Sep. 30 at 1:00

Postmodern Primality Proving

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Lucas Lehmer primality test - Wikipedia, the free encyclopedia

Lecture 11: Cantor-Zassenhaus Algorithm

SOLUTIONS TO PROBLEM SET 1. Section = 2 3, 1. n n + 1. k(k + 1) k=1 k(k + 1) + 1 (n + 1)(n + 2) n + 2,

RSA Implementation. Oregon State University

An Algorithm for Prime Factorization

Transcription:

Primality Testing- Is Randomization worth Practicing? Shubham Sahai Srivastava Indian Institute of Technology, Kanpur ssahai@cse.iitk.ac.in April 5, 2014 Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 1 / 47

Overview 1 Primes : 101 Introduction Some Interesting Points 2 Primality Testing A Naive Approach Is it good Enough!! 3 Fermat s Test 4 Miller-Rabin Test Algorithm Error Probability 5 Experimental Results Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 2 / 47

Primes : The fundamental building blocks of a number. Prime Number A prime number (or a prime) is a natural number greater than 1 that has no positive divisors other than 1 and itself. Example : 2, 3, 5, 7, 11, 13... Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 3 / 47

Primes : The fundamental building blocks of a number. Prime Number A prime number (or a prime) is a natural number greater than 1 that has no positive divisors other than 1 and itself. Example : 2, 3, 5, 7, 11, 13... Composite Number A natural number greater than 1 that is not a prime number is called a composite number. Example : 4, 6, 8, 10, 12, 15... Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 3 / 47

Carl Friedrich Gauss The problem of distinguishing prime numbers from composites, and of resolving composite numbers into their prime factors, is one of the most important and useful in all of arithmetic.... The dignity of science seems to demand that every aid to the solution of such an elegant and celebrated problem be zealously cultivated. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 4 / 47

Primes : The fundamental building blocks of a number. Fundamental Theorem of Arithematic Every integer greater than 1, either is prime itself or is the product of prime numbers. Also, although the order of the primes in the second case is arbitrary, the primes themselves are not. Example : 330 = 2 3 5 11 1200 = 2 4 3 1 5 2 = 3 2 2 2 2 5 5 = etc. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 5 / 47

Some Interesting Points Euclid s Theorem : There are infinitely many prime numbers. Goldbach Conjecture : Every even number greater than 2 can be written as a sum of two primes. Twin Prime Conjecture : There are infinitely many primes p such that p + 2 is also prime. Prime Number Theorem : Number of primes x x log e x Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 6 / 47

Primality Testing PRIMES PRIMES = {bin(n) n 2 is a prime number} SO, Primality Testing algorithm is any algorithm which decides that given any input n, whether bin(n) PRIMES? Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 7 / 47

Primality Testing PRIMES PRIMES = {bin(n) n 2 is a prime number} SO, Primality Testing algorithm is any algorithm which decides that given any input n, whether bin(n) PRIMES? Which Complexity Class contains PRIMES? Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 7 / 47

Primality Testing PRIMES PRIMES = {bin(n) n 2 is a prime number} SO, Primality Testing algorithm is any algorithm which decides that given any input n, whether bin(n) PRIMES? Which Complexity Class contains PRIMES? Examples : Trial Division Test Fermat s Test based Primality test Miller-Rabin primality test Solovay-Strassen primality test AKS primality test Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 7 / 47

Trial Division Test Algorithm 1 : Trial Division Test Require: Integer n 2 1: i : integer 2: i 2 3: while i.i n do 4: if i divides n then 5: return COMPOSITE 6: end if 7: i i + 1 8: end while 9: return PRIME This algortithm never gives an error The running time of the algorithm is exponential (In terms of number of binary bits needed to represent the number) Several minor optimizations may be carried out, but not much gain in the time complexity. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 8 / 47

Trial Division Test : Is it good enough? For moderately large n, this algorithm can be used for a calculation by hand. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 9 / 47

Trial Division Test : Is it good enough? For moderately large n, this algorithm can be used for a calculation by hand. As the value of n grows, a computer may be used to carry out the desired calculations. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 9 / 47

Trial Division Test : Is it good enough? For moderately large n, this algorithm can be used for a calculation by hand. As the value of n grows, a computer may be used to carry out the desired calculations. But, what happens when n becomes exceedingly large? Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 9 / 47

Trial Division Test : Is it good enough? For moderately large n, this algorithm can be used for a calculation by hand. As the value of n grows, a computer may be used to carry out the desired calculations. But, what happens when n becomes exceedingly large? The following table estimates the usefulness of the Algorithm 1! Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 9 / 47

Trial Division Test : Is it good enough? Number Decimal Digits Binary Digits Running Time 11 2 4 0.069 sec 191 3 8 0.081 sec 7927 4 13 0.111 sec 1300391 7 21 0.34 sec 179426549 9 28 13.56 sec 32416190071 11 35 1 hr 33 min 23.5 sec Table: Running time vs n These tests were carried out on a core i5 machine with 8 GB RAM Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 10 / 47

Trial Division Test : Is it good enough? A 62 digit giant 74838457648748954900050464578792347604359487509026452654305481 The 62 digit number above happens to be a prime. The loop happens to run for more than 10 31 rounds. Even after applying several tricks and optimizations, and under the assumption that a very fast computer is used that can carry out one trial division in 1 nanosecond, say, a simple estimate shows that this would take more than 10 13 years of computing time on a single computer. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 11 / 47

Trial Division Test : Is it good enough? A 62 digit giant 74838457648748954900050464578792347604359487509026452654305481 The 62 digit number above happens to be a prime. The loop happens to run for more than 10 31 rounds. Even after applying several tricks and optimizations, and under the assumption that a very fast computer is used that can carry out one trial division in 1 nanosecond, say, a simple estimate shows that this would take more than 10 13 years of computing time on a single computer. There are several real world algorithms that make use of prime numbers of this magnitude Example: RSA System Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 11 / 47

Lets Explore!! Stated by Pierre de Fermat in 1640. Fermat s Little Theorem If p is a prime number, and 1 a < p. then a p 1 1 (mod p) Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 12 / 47

Lets Explore!! Stated by Pierre de Fermat in 1640. Fermat s Little Theorem If p is a prime number, and 1 a < p. then a p 1 1 (mod p) Points to note : All prime numbers will satisfy the above thorem. Some composite number may or may not satisfy it. Any number which does not satisfy the Fermat s Little Theorem, is for sure a composite number. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 12 / 47

Lets Explore!! Stated by Pierre de Fermat in 1640. Fermat s Little Theorem If p is a prime number, and 1 a < p. then a p 1 1 (mod p) Points to note : All prime numbers will satisfy the above thorem. Some composite number may or may not satisfy it. Any number which does not satisfy the Fermat s Little Theorem, is for sure a composite number. Can we use these properties to design a Primality Test? Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 12 / 47

Fermat s Test Let us take a = 2, and for given n, calculate f (n) = 2 n 1 mod n. n 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 f (n) 1 0 1 2 1 0 4 2 1 8 1 2 4 0 1 Table: a n 1 mod n, for a = 2 For prime numbers n 17, we get f (n) = 1 For non Primes we get some value different from 1. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 13 / 47

Fermat s Test Let us take a = 2, and for given n, calculate f (n) = 2 n 1 mod n. n 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 f (n) 1 0 1 2 1 0 4 2 1 8 1 2 4 0 1 Table: a n 1 mod n, for a = 2 For prime numbers n 17, we get f (n) = 1 For non Primes we get some value different from 1. By Fermat s Little Theorem, if a n 1 mod n 1 we have a definite certificate for the fact that n is composite. We call such a, as F-Witness for n. (Or, more exactly, witness of the fact that n is composite) Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 13 / 47

Fermat s Test Let us take a = 2, and for given n, calculate f (n) = 2 n 1 mod n. n 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 f (n) 1 0 1 2 1 0 4 2 1 8 1 2 4 0 1 Table: a n 1 mod n, for a = 2 For prime numbers n 17, we get f (n) = 1 For non Primes we get some value different from 1. By Fermat s Little Theorem, if a n 1 mod n 1 we have a definite certificate for the fact that n is composite. We call such a, as F-Witness for n. (Or, more exactly, witness of the fact that n is composite) If n is a prime number than, a n 1 mod n = 1, a 1 a n-1 Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 13 / 47

Fermat s Test Algorithm 2 : Fermat s Test Require: Odd Integer n 3 1: i 0 2: repeat 3: Let a be randomly chosen from {2,, n 2} 4: if a n 1 mod n 1 then 5: return COMPOSITE 6: end if 7: i i + 1 8: until i < k 9: return PRIME If the algorithm outputs COMPOSITE, then n is guaranteed to be composite. The running time of the algorithm depends on calculation of a n 1 mod n (which takes O(log n) arithematic operations.) But, the algorithm might give wrong output!! Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 14 / 47

Fermat s Test : When will it give error? When will the algorithm give a wrong output? Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 15 / 47

Fermat s Test : When will it give error? When will the algorithm give a wrong output? If the number is prime the algorithm will always give the output as PRIME. If the input number is composite, the algorithm might claim that the number is prime. [Hence, give an error] Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 15 / 47

Fermat s Test : When will it give error? When will the algorithm give a wrong output? If the number is prime the algorithm will always give the output as PRIME. If the input number is composite, the algorithm might claim that the number is prime. [Hence, give an error] Why is this error generated? Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 15 / 47

Fermat s Test : When will it give error? When will the algorithm give a wrong output? If the number is prime the algorithm will always give the output as PRIME. If the input number is composite, the algorithm might claim that the number is prime. [Hence, give an error] Why is this error generated? Due to the presence of F-Liars F-liar For an odd composite number n we call an element a, 1 a n 1, an F-liar if a n 1 mod n = 1 Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 15 / 47

Fermat s Test : Error Probability When is the probability that the algorithm give a wrong output? Let, Let Z n = {a 1 a < n, gcd(a, n) = 1} And the operations defined in Z n be + n and n L F = {a 1 a < n, a n 1 mod n = 1} Theorem If n 3 is an odd composite number such that there is at least one F-witness a in Z n, then the Fermat test applied to n gives answer 1 with probability more than 1 2. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 16 / 47

Fermat s Test : Error Probability Theorem If n 3 is an odd composite number such that there is at least one F-witness a in Z n, then the Fermat test applied to n gives answer 1 with probability more than 1 2. We know that L F is a subset of Z n. Since Z n is a finite group, and (a) 1 L F, since1 n 1 = 1 (b) L F is closed under operations in Z n, since if a n 1 mod n = 1 and b n 1 mod n = 1, then (ab) n 1 a n 1 b n 1 1 1 1 (mod n) Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 17 / 47

Fermat s Test : Error Probability Theorem If n 3 is an odd composite number such that there is at least one F-witness a in Z n, then the Fermat test applied to n gives answer 1 with probability more than 1 2. We know that L F is a subset of Z n. Since Z n is a finite group, and (a) 1 L F, since1 n 1 = 1 (b) L F is closed under operations in Z n, since if a n 1 mod n = 1 and b n 1 mod n = 1, then (ab) n 1 a n 1 b n 1 1 1 1 (mod n) Hence, L F is a proper subgroup of Z n This gives us the bound that L F (n 2)/2 Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 17 / 47

Fermat s Test : Error Probability Theorem If n 3 is an odd composite number such that there is at least one F-witness a in Z n, then the Fermat test applied to n gives answer 1 with probability more than 1 2. We know that L F is a subset of Z n. Since Z n is a finite group, and (a) 1 L F, since1 n 1 = 1 (b) L F is closed under operations in Z n, since if a n 1 mod n = 1 and b n 1 mod n = 1, then (ab) n 1 a n 1 b n 1 1 1 1 (mod n) Hence, L F is a proper subgroup of Z n This gives us the bound that L F (n 2)/2 Hence, probability that a number randomly chosen from {2,, n 2} in in L F < 1 2 Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 17 / 47

Carmichael Numbers Carmichael Number An odd composite number n is called a Carmichael number if: a n 1 mod n = 1, for all a Z n, where Z n = {a 1 a < n, gcd(a, n) = 1} The smallest Carmichael number is 561. In 1994 was it shown that there are infinitely many Carmichael numbers. If the Carmichael Number is fed into the Fermat s Test, the probability that a wrong answer PRIME is given is close to 1. Hence Fermat s test fail for Carmichael Numbers. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 18 / 47

Nontrivial Square Roots of 1 Let s consider one more property of arithmetic modulo p, which we could use as a certificate of compositeness. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 19 / 47

Nontrivial Square Roots of 1 Let s consider one more property of arithmetic modulo p, which we could use as a certificate of compositeness. Square Roots of 1 Let 1 a < n. Then a is called a square root of 1 modulo n if: a 2 mod n = 1. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 19 / 47

Nontrivial Square Roots of 1 Let s consider one more property of arithmetic modulo p, which we could use as a certificate of compositeness. Square Roots of 1 Let 1 a < n. Then a is called a square root of 1 modulo n if: a 2 mod n = 1. 1 and n-1 are trivial square roots of 1 modulo n. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 19 / 47

Nontrivial Square Roots of 1 Let s consider one more property of arithmetic modulo p, which we could use as a certificate of compositeness. Square Roots of 1 Let 1 a < n. Then a is called a square root of 1 modulo n if: a 2 mod n = 1. 1 and n-1 are trivial square roots of 1 modulo n. If n is a prime number, there are no other square roots of 1 modulo n. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 19 / 47

Nontrivial Square Roots of 1 Let s consider one more property of arithmetic modulo p, which we could use as a certificate of compositeness. Square Roots of 1 Let 1 a < n. Then a is called a square root of 1 modulo n if: a 2 mod n = 1. 1 and n-1 are trivial square roots of 1 modulo n. If n is a prime number, there are no other square roots of 1 modulo n. Thus, if we find some nontrivial square root of 1 modulo n, then n is certainly composite. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 19 / 47

Nontrivial Square Roots of 1 Let s consider one more property of arithmetic modulo p, which we could use as a certificate of compositeness. Square Roots of 1 Let 1 a < n. Then a is called a square root of 1 modulo n if: a 2 mod n = 1. 1 and n-1 are trivial square roots of 1 modulo n. If n is a prime number, there are no other square roots of 1 modulo n. Thus, if we find some nontrivial square root of 1 modulo n, then n is certainly composite. More generally, if n = p 1 p 2 p r, for distinct odd primes p 1, p 2 p r, then there are exactly 2 r square roots of 1 modulo n Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 19 / 47

Nontrivial Square Roots of 1 Let s consider one more property of arithmetic modulo p, which we could use as a certificate of compositeness. Square Roots of 1 Let 1 a < n. Then a is called a square root of 1 modulo n if: a 2 mod n = 1. 1 and n-1 are trivial square roots of 1 modulo n. If n is a prime number, there are no other square roots of 1 modulo n. Thus, if we find some nontrivial square root of 1 modulo n, then n is certainly composite. More generally, if n = p 1 p 2 p r, for distinct odd primes p 1, p 2 p r, then there are exactly 2 r square roots of 1 modulo n This means that unless n has extremely many prime factors, it is useless to try to find nontrivial square roots of 1 modulo n by testing randomly chosen a. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 19 / 47

Back to Fermat s Test Fermat s Test If p is a prime number, and 1 a < p. then a p 1 1 (mod p) As p is odd, p 1 would be even. So, p 1 = u 2 k, for some odd u and k 1 Thus, a p 1 ((a u )mod n) 2k mod n This means that we may calculate a n 1 mod n with k+1 intermediate steps, if we let: b 0 = a u mod n; b i = b 2 i 1 mod n; for i = 1 k Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 20 / 47

Example Let us take n = 325. So, 324 = 81 2 2 a b 0 = a 81 b 1 = a 162 b 2 = a 324 2 252 129 66 7 307 324 1 32 57 324 1 49 324 1 1 65 0 0 0 126 1 1 1 201 226 51 1 224 274 1 1 Table: a n 1 mod n,with intermediate steps for n = 325 2, 65 are a F-witness for 325. 7, 32, 49, 126, 201, 224 are F-liars Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 21 / 47

Possible Cases b 0 b 1 b k 1 b k Case 1 1 1 1 1 1 1 No Info. n-1 1 1 1 1 1 1 No Info. * * * n-1 1 1 1 No Info. * * * * * * n-1 Composite * * * * * * * Composite * * * 1 1 1 1 Composite * * * * * * 1 Composite Table: Powers of a n 1 mod n,with intermediate steps, possible cases Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 22 / 47

Miller Rabin Test Algorithm 3 : Miller Rabin Test 1: For u odd and k so that n 1 = u.2 k 2: Let a be randomly chosen from {2,, n 2} and b a u mod n 3: if b {1, n 1} then 4: return PRIME 5: end if 6: repeat 7: b b 2 mod n 8: if b = n 1 then 9: return PRIME 10: end if 11: if b = 1 then 12: return COMPOSITE 13: end if 14: until i < k 15: return COMPOSITE Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 23 / 47

Error Probability : Miller Rabin Test If n is not a Carmichael Number, the miller rabin test performs better than Fermat s Test. Hence, the probability to give an error is at most 1 2. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 24 / 47

Error Probability : Miller Rabin Test If n is not a Carmichael Number, the miller rabin test performs better than Fermat s Test. Hence, the probability to give an error is at most 1 2. Lets see what happens if n is a Carmichael number Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 24 / 47

Error Probability : Miller Rabin Test Let L n be set that contains all Miller-Rabin Liars (MR-Liar) of number n. Our aim would be now to proof that L n is a proper subgroup of Z n. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 25 / 47

Error Probability : Miller Rabin Test Let L n be set that contains all Miller-Rabin Liars (MR-Liar) of number n. Our aim would be now to proof that L n is a proper subgroup of Z n. Let i 0 be the maximal i 0 such that there is some MR-Liar a 0 with a u.2 i 0 0 mod n = n 1. Since n is a Carmichael number, a u.2 k 0 = a n 1 0 = 1 mod n. Hence, 0 i 0 < k Now, we define : B n = {a 0 a < n, a u.2i 0 mod n {1, n 1}}, and L n = Set of all MR-Liars for n Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 25 / 47

Error Probability : Miller Rabin Test Now, the basic idea would be to prove that L n is a proper subgroup of Z n. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 26 / 47

Error Probability : Miller Rabin Test Now, the basic idea would be to prove that L n is a proper subgroup of Z n. We will prove it in three steps by showing : Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 26 / 47

Error Probability : Miller Rabin Test Now, the basic idea would be to prove that L n is a proper subgroup of Z n. We will prove it in three steps by showing : L n B n B n is a subgroup of Z n Z n B n φ Lets look at them one by one! Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 26 / 47

Error Probability : Miller Rabin Test 1. To show : L n B n Let a be arbitrary MR-Liar. Case 1 : If a u mod n = 1. Then, a u.2i 0 mod n = 1 as well, and hence a B n Case 2 : If a u.2i mod n = n-1, for some i. Then, 0 i i 0. Now, if i = i 0, we directly have a B n. and, if i < i 0, then : a u.2i 0 mod n = (a u.2 i mod n) 2i 0 i mod n = 1 Hence, a B n Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 27 / 47

Error Probability : Miller Rabin Test 2. To show : B n is a subgroup of Z n We know that B n is a subset of Zn. Since Zn is a finite group, and (a) 1 B n, since1 u.2i 0 mod n = 1 (b) B n is closed under operations in Zn. Let a, b B n Then, a u.2i 0 mod n, b u.2i 0 mod n {1, n 1} Since, 1.1 = 1, 1.(n-1) = (n-1).1 = (n-1), and (n-1).(n-1) mod n = 1, we have, (ab) u.2i 0 mod n = (a u.2i 0 mod n).(b u.2i 0 ) mod n {1, n 1} Hence, (ab) u.2i 0 mod n B n So, B n is a subgroup of Z n Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 28 / 47

Error Probability : Miller Rabin Test 3. To show : Z n B n φ We know that any Carmichael number has atleast 3 different prime factors. Hence can be written as n = n 1.n 2 for odd numbers n 1 and n 2 which are relatively prime. We had, a 0 u.2 i 0 1 (mod n) Let a 1 = a 0 mod n 1. By CRT, there is a unique number a {0,..., n 1}, with a a 1 (mod n 1 ) and a 1 (mod n 2 ) Calculating modulo n 1, we have that a a 1 (mod n 1 ), hence a u.2i 0 1 (mod n 1 ) Calculating modulo n 2, we have that a 1 (mod n 2 ), hence a u.2i 0 1 u.2i 0 1 (mod n 2 ) Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 29 / 47

Error Probability : Miller Rabin Test 3. To show : Z B n φ (...Continued) We have, a u.2i 0 1 (mod n 1 ), = a u.2i0 1 (mod n) a u.2i 0 1 u.2i 0 1 (mod n 2 ) = a u.2i0 1 (mod n) This means a u.2i 0 (mod n) {1, n 1}, hence a L n Further, a u.2i 0 +1 1 (mod n 1 ), and a u.2i 0 +1 1 (mod n 2 ). Hence, by CRT, a u.2i 0 +1 1 (mod n), So, a Z Hence, a Z B n = Z B n φ Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 30 / 47

Error Probability : Miller Rabin Test By the 3 parts above, we can conclude : B n is a proper subgroup of Z Hence, B n divides Z Also, B n Z Therefore, B n n 2 Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 31 / 47

Error Probability : Miller Rabin Test By the 3 parts above, we can conclude : B n is a proper subgroup of Z Hence, B n divides Z Also, B n Z Therefore, B n n 2 Error Probability : Miller Rabin Test The error probability of Miller Rabin is 1 2, for one iteration. For k iterations of Miller Rabin Test, the probability of error is bounded by ( 1 2 )k Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 31 / 47

Experimental Results Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 32 / 47

Running Time vs Size of input To carry out this analysis, we randomly selected 1000 integers each for bitsize ranging from 2 to 2048. Hence, 1000 2047 = 2, 047, 000 numbers in total. Then the running time was aggregated corresponding to number of bits. The result is summarized in the following plot. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 33 / 47

Running Time vs Size of input Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 34 / 47

Dataset Used To carry out further analysis, we used the dataset provided by : Center for Experimental and Constructive Mathematics, Simon Fraser University, British Columbia, Canada. The dataset was last updated on 25-April-2013. It contains data on all base-2 Fermat pseudoprimes below 2 64. Pseudoprimes Strong Pseudoprimes Carmichael Numbers 118,968,378 31,894,014 4,279,356 Table: Data Set Statistics Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 35 / 47

Error Probability To analyze the error probability we used the dataset mentioned. As we know that all the numbers in the dataset are composites, we recorded the number of primes detected by our algorithm. We recorded these number of false positives for differnet number of iterations of the algorithm. We expected that, as the number of iteration will increase, the number of false positive will decrease drastically. (Error Probability 1 2 k ) We carried out the experiment for the entire datset, as well as for Carmichael numbers explicitely. Our findings are present in the folllowing slides. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 36 / 47

Error Probability (Carmichael Numbers) The following table summarizes the result of running k iterations of Miller Rabin test on Carmichael Numbers. Iterations (k) Number of Composites Number of primes 1 4267107 12249 2 4278338 1018 3 4279188 168 4 4279328 28 5 4279344 12 6 4279355 1 7 4279356 0 Table: Experimental Result for Carmichael Numbers vs k Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 37 / 47

Error Probability (Carmichael Numbers) Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 38 / 47

Error Probability (Entire Dataset) The following table summarizes the result of running k iterations of Miller Rabin test on Entire Dataset. Iterations (k) Number of Composites Number of primes 1 115639122 3329256 2 118592423 375955 3 118915714 52664 4 118960099 8279 5 118967046 1332 6 118968151 227 7 118968331 47 8 118968376 2 Table: Experimental Result for Entire Dataset vs k Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 39 / 47

Error Probability (Entire Dataset) Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 40 / 47

Conclusion (Error Probability) The Miller Rabin test performs indifferently for Carmichael Numbers (unlike Fermat s Test) The number of false positives detected reduces drastically as number of iterations increases. For 8 iterations of Miller Rabin, the error reduces to almost 0. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 41 / 47

Density of Primes For this test, we chose 10 9 integers, randomly, of bit length 64, 128, 256, 512 and 1024. We used 5 iterations of Miller Rabin Test, to calculate the number of primes in the set. D = No.of Primes No.of sample numbers(=10 9 ) The density of primes is given by : 1 ln t The following table shows the results. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 42 / 47

Density of Primes The following table compares the value of density of primes that we get (D) with the expected value of density (Density) Bit Length Number of Primes D Density 64 23164312.023164.022542 128 12091211.012091.011271 256 5678645.005678.00563552 512 2820804.002820.0028177 1024 1408923.001408.0014088 Table: Density of primes Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 43 / 47

Table: Least Composite that base fails to identify Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 44 / 47 Divisibility with small prime set Primes Least No. that is false positive 2 341 (11 31) 3 91 (7 13) 5 217 (7 31) 7 25 (5 5) 2, 3 1105 (5 13 17) 2, 5 561(3 11 17) 2, 7 561(3 11 17) 3, 5 1541(23 67) 3, 7 703(19 37) 5, 7 561(3 11 17) 2, 3, 5 1729(7 13 19) 2, 3, 7 1105(5 13 17) 3, 5, 7 29341(13 37 61)

Conclusion Miller Rabin Test, perform equivalently well than any deterministic counterparts. It is much more easier to implement compared to deterministic counterpart. Miller Rabin is robust enough that it is defacto for working with primes in RSA Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 45 / 47

Is Randomization worth practicing? These randomized algorithms, are sufficient for solving the primality problem for quite large inputs for all practical purposes. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 46 / 47

Is Randomization worth practicing? These randomized algorithms, are sufficient for solving the primality problem for quite large inputs for all practical purposes. For practical purposes, there is no reason to worry about the risk of giving output PRIME on a composite input n. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 46 / 47

Is Randomization worth practicing? These randomized algorithms, are sufficient for solving the primality problem for quite large inputs for all practical purposes. For practical purposes, there is no reason to worry about the risk of giving output PRIME on a composite input n. Such a small error probability is negligible in relation to other (hardware or software) error risks that are inevitable with real computer systems. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 46 / 47

Is Randomization worth practicing? These randomized algorithms, are sufficient for solving the primality problem for quite large inputs for all practical purposes. For practical purposes, there is no reason to worry about the risk of giving output PRIME on a composite input n. Such a small error probability is negligible in relation to other (hardware or software) error risks that are inevitable with real computer systems. Still, from a theoretical point of view, the question remained whether there was an absolutely error-free algorithm for solving the primality problem with a small time bound. Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 46 / 47

The End Shubham Sahai Srivastava (IITK) Primality Test April 5, 2014 47 / 47

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback