Pseudoprimes and Carmichael Numbers

Similar documents
The Impossibility of Certain Types of Carmichael Numbers

IRREDUCIBILITY TESTS IN F p [T ]

Ma/CS 6a Class 4: Primality Testing

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Ma/CS 6a Class 4: Primality Testing

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

1. Algebra 1.7. Prime numbers

Introduction to Public-Key Cryptosystems:

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Introduction to Number Theory

MATH 145 Algebra, Solutions to Assignment 4

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Theory of RSA. Hiroshi Toyoizumi 1. December 8,

Applied Cryptography and Computer Security CSE 664 Spring 2018

Wilson s Theorem and Fermat s Little Theorem

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

SOLUTIONS TO PROBLEM SET 1. Section = 2 3, 1. n n + 1. k(k + 1) k=1 k(k + 1) + 1 (n + 1)(n + 2) n + 2,

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Chapter 1. Number of special form. 1.1 Introduction(Marin Mersenne) 1.2 The perfect number. See the book.

PMA225 Practice Exam questions and solutions Victor P. Snaith

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

THE MILLER RABIN TEST

Table of Contents. 2013, Pearson Education, Inc.

9 Modular Exponentiation and Square-Roots

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Math 324, Fall 2011 Assignment 7 Solutions. 1 (ab) γ = a γ b γ mod n.

FERMAT S TEST KEITH CONRAD

CPSC 467b: Cryptography and Computer Security

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Chapter 8. Introduction to Number Theory

The running time of Euclid s algorithm

Factorization & Primality Testing

Aspect of Prime Numbers in Public Key Cryptosystem

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Advanced Algorithms and Complexity Course Project Report

Lecture 11 - Basic Number Theory.

Math/Mthe 418/818. Review Questions

A Guide to Arithmetic

The RSA cryptosystem and primality tests

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Wednesday, February 21. Today we will begin Course Notes Chapter 5 (Number Theory).

CPSC 467b: Cryptography and Computer Security

7.2 Applications of Euler s and Fermat s Theorem.

Exam 2 Solutions. In class questions

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Math 5330 Spring Notes Congruences

Oleg Eterevsky St. Petersburg State University, Bibliotechnaya Sq. 2, St. Petersburg, , Russia

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers Solutions

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

CSE 521: Design and Analysis of Algorithms I

THE SOLOVAY STRASSEN TEST

Lucas Lehmer primality test - Wikipedia, the free encyclopedia

Math.3336: Discrete Mathematics. Mathematical Induction

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Summary Slides for MATH 342 June 25, 2018

10 Problem 1. The following assertions may be true or false, depending on the choice of the integers a, b 0. a "

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Math 109 HW 9 Solutions

Chapter 3 Basic Number Theory

Euler s, Fermat s and Wilson s Theorems

Primality Testing SURFACE. Syracuse University. Per Brinch Hansen Syracuse University, School of Computer and Information Science,

CRC Press has granted the following specific permissions for the electronic version of this book:

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

A SURVEY OF PRIMALITY TESTS

C.T.Chong National University of Singapore

CPSC 467b: Cryptography and Computer Security

MATH 25 CLASS 21 NOTES, NOV Contents. 2. Subgroups 2 3. Isomorphisms 4

WXML Final Report: AKS Primality Test

ORDERS OF ELEMENTS IN A GROUP

History of Mathematics

Lecture 31: Miller Rabin Test. Miller Rabin Test

CPSC 467b: Cryptography and Computer Security

PRIMALITY TEST FOR FERMAT NUMBERS USING QUARTIC RECURRENCE EQUATION. Predrag Terzic Podgorica, Montenegro

Sneaky Composites. Number Theory. Matthew Junge. March 12th, 2010

Part II. Number Theory. Year

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Some Facts from Number Theory

MATH 310: Homework 7

Basic elements of number theory

Basic elements of number theory

Congruence of Integers

ECE646 Lecture 11 Required Reading Chapter 8.3 Testing for Primality RSA Key Generation

basics of security/cryptography

CS March 17, 2009

EULER S THEOREM KEITH CONRAD

Notes on Systems of Linear Congruences

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Transcription:

Pseudoprimes and Carmichael Numbers Emily Riemer MATH0420 May 3, 2016 1

Fermat s Little Theorem and Primality Fermat s Little Theorem is foundational to the study of Carmichael numbers and many classes of pseudoprimes. The theorem states that if p is a prime number, then a p 1 1(mod p), so long as p a. Because gcd(p, a) = 1, we can multiply this congruence by a to arrive at the equivalent result of a p a(mod p). Both of these forms are used throughout the paper, as dictated by context. Though Fermat s Little Theorem is true for prime numbers, its converse is not true. That is, while every prime number satisfies Fermat s Little Theorem, not every number that satisfies Fermat s Little Theorem is prime. So, if a n a (mod n), we can conclude definitively that n is composite. However, finding that a n a (mod n) for some a does not prove that n is prime. For example, we are able to determine that 63 is composite by examining 2 63 (mod 63) and reducing using Euler s formula [a ϕ(63) = a 24 1(mod 63)]: 2 63 = (2 24 ) 2 2 15 1 2 15 (2 6 ) 2 2 3 (64) 2 8 1 8 2(mod 63) However, we can see that the converse of Fermat s Little Theorem does not hold true by observing the case of n = 341, which we know factors as 11 31: 2 10 1(mod 11) = 2 340 = (2 10 ) 34 1(mod 11) 2 30 1(mod 31) = 2 340 = (2 30 ) 11 2 10 1 11 (2 5 ) 2 (32) 2 1(mod 31) 2 340 1(mod 11 31) 1(mod 341) [by the Chinese Remainder Theorem] Thus, 341 satisfies Fermat s Little Theorem to the base 2, even though we know that it is composite, and actually used its prime factorization to arrive at our result. Bases a for which a n a(mod n) are referred to as witnesses for n. These values provide evidence that n is composite. While most composite numbers have 2

many witnesses, pseudoprimes have relatively fewer witnesses, and certain kinds of pseudoprimes, such as Carmichael numbers, have no witnesses at all. Prime numbers also have no witnesses, since there is no value of a for which a p a (mod p); such a result would violate Fermat s Little Theorem. Primality Tests Primality tests are used to determine whether a given number is prime or composite. A variety of such tests exist, most of which are beyond the scope of this paper. Some primality tests are probabilistic, meaning that they can verify that a number is composite, but can only provide insight into the likelihood that a number is prime. Other primality tests are deterministic, meaning that they can conclusively determine whether numbers are prime or composite. Fermat s Little Theorem functions as a probabilistic primality test, since it cannot do more than suggest that a number is prime. Moreover, there are still composite numbers n for which a n a(mod n) for some bases a. The existence of these numbers necessitates more rigorous primality tests. One such test is the Rabin-Miller Test for Composite Numbers. The following definition is excerpted from Joseph Silverman s Friendly Introduction to Number Theory: Let n be an odd integer and write n 1 = 2 k q with q odd. If both of the following conditions are true for some a not divisible by n, then n is a composite number: (a) a q 1(mod n) (b) a 2 i q 1(mod n) for all i = 0, 1, 2,..., k 1 The Rabin-Miller test is stronger than Fermat s Little Theorem because 75 percent of bases a between 1 and n 1 satisfy the above conditions for each odd composite n. This means that there are many witnesses for every composite number, and by extension 3

that no Carmichael-like numbers arise when applying this primality test. Pseudoprimes Broadly speaking, pseudoprimes are composite numbers that exhibit some properties of prime numbers. Various classes of pseudoprimes exist, and are described by the prime conditions they satisfy. This paper focuses on Fermat pseudoprimes, named as such because they satisfy Fermat s Little Theorem. Formally, a number n is a Fermat pseudoprime to base a if a n a (mod n), with n a composite positive integer. In this paper, any subsequent reference to pseudoprimes refers specifically to Fermat pseudoprimes. It is interesting to note that such numbers are more rare than primes to any base a. In Chapter 5 of his Elementary Number Theory, Kenneth Rosen calculates that there are 455, 052, 512 primes, but only 14, 884 pseudoprimes, less than 10 10 to the base 2. Despite occurring much less frequently than primes, there are still infinitely pseudoprimes to the base 2. In fact, there are infinitely many pseudoprimes to every base. The proof of infinitely many pseudoprimes is of particular interest because it relies on the same underlying idea that we encountered in our study of Mersenne primes, namely using the Geometric Series formula to draw conclusions about divisibility. [It is also worth mentioning that Rosen s proof of infinitely many pseudoprimes to the base 2 is very similar to Silverman s derivation of the form of Mersenne primes from the general form a n 1]. The process of the proof itself therefore reinforces the connections between pseudoprimes and primes. The following proof draws on the approaches used in papers by Bernd Kreussler and Graham Jameson. The goal is to show that n = (a2p 1) is a pseudoprime to base (a 2 1) a, so long as p a 2 1. Because there are infinitely many inputs for p and a, the above formula will generate infinitely many pseudoprimes. 4

If n is a pseudoprime, it must be the case that it is both composite and odd. To prove this for n as defined above, notice that both the numerator and denominator are differences of squares, so the expression can be factored as: The Geometric Series formula shows that: n = (a2p 1) (a 2 1) = (ap 1) (a p + 1) (a 1) (a + 1) a p 1 = (a 1)(a p 1 + a p 2 +... + a p + a + 1) We can see from the above equation that (a 1) (a p 1). Similar reasoning leads to the conclusion that (a + 1) (a p + 1). Because (ap 1) (a 1) and (ap + 1) are both integers, (a + 1) n is composite. The Geometric Series formula is also helpful in showing that n is odd. In the general case, the Geometric Series formula says the following: x m 1 = (x 1)(x m 1 + x m 2 +... + x 2 + x + 1) Taking x = a 2 and m = p gives: (a 2 ) p 1 = (a 2 1)((a 2 ) p 1 + (a 2 ) p 2 +... + (a 2 ) 2 + a 2 + 1) a 2p 1 = (a 2 1)(a 2p 2 + a 2p 4 +... + a 4 + a 2 + 1) (a 2p 1) (a 2 1) = (a2p 2 + a 2p 4 +... + a 4 + a 2 + 1) n = (a 2p 2 + a 2p 4 +... + a 4 + a 2 + 1) Using parity conditions, if a is even, then a 2p 2 + a 2p 4 +... + a 4 + a 2 is even (since each term is even, and even + even = even), and a 2p 2 + a 2p 4 +... + a 4 + a 2 + 1 is odd. If a is odd, then a 2p 2 + a 2p 4 +... + a 4 + a 2 is even (since each term is odd, and odd + odd = even), and a 2p 2 + a 2p 4 +... + a 4 + a 2 + 1 is again odd. Thus, n is always odd. 5

Finally, we must show that a n 1 1(mod n). Rearranging the given equation for n shows that n (a 2 1) = a 2p 1. We can then see that n a 2p 1 = a 2p 1 0 (mod n) = a 2p 1(mod n). This suggests that finding a relationship between 2p and n 1 is critical to proving that a n 1 1(mod n). Expanding n 1 yields: n 1 = (a2p 1) (a 2 1) 1 = (a2p 1) (a 2 1) (a2 1) (a 2 1) = (a2p 1 a 2 + 1) (a 2 1) = (a2p a 2 ) (a 2 1) Our numerator is now a variation of Fermat s Little Theorem; multiplying both sides of a p 1 1(mod p) by a gives a p a(mod p), and squaring this yields a 2p a 2 (mod p). So with a little manipulation, Fermat s Little Theorem implies that p (a 2p a 2 ). Recall that if p ab, p a or p b. In this instance, because p (a 2p a 2 ), and (a 2p a 2 ) = (n 1)(a 2 1), p must divide (n 1) or (a 2 1). However, by definition p (a 2 1). Thus, p must divide (n 1). We demonstrated previously that n is odd, which means that n 1 is even, so 2 (n 1). If 2 and p both divide (n 1), then 2p must also divide (n 1), and there must be some k such that 2p k = (n 1). We also know from our work two paragraphs prior that a 2p 1(mod n). Putting all of this together yields: a n 1 a 2p k (a 2p ) k 1 k 1 (mod n). Thus, a n 1 1(mod n). This completes our proof of infinitely many pseudoprimes. Carmichael Numbers and Korselt s Criterion As mentioned previously, Fermat s Little Theorem does not always identify composite numbers as such. Numbers for which a n a (mod n) for every integer 6

1 a n are known as Carmichael numbers. The smallest Carmichael number is 561, the product of 3 11 17. It is straightforward to verify that a 561 a (mod 561) for all values of a. One can use Fermat s Little Theorem to show that a 561 a (mod p i ) for p i = 3, 11, and 17, then use the Chinese Remainder Theorem to confirm that a 561 a(mod 3 11 17) = a 561 a (mod 561). Carmichael numbers are are further defined by Korselt s Criterion, which states that n is a Carmichael number if and only if: a) n is odd b) For every prime p dividing n, p 2 n (in other words, n is the product of distinct primes) c) For every p dividing n, (p 1) (n 1) All numbers satisfying Korselt s Criterion are Carmichael numbers, and all Carmichael numbers satisfy Korselt s Criterion. Not presented in this paper, the proof of Korselt s Criterion can be approached using a heuristic similar to one used in our proof of Gaussian primes and integer primes that can be written as sums of squares. Each component can be connected to the next in a kind of triangle, in which (a) = (b), (b) = (c), and (c) = (a). One could easily check that our first Carmichael number 561 satisfies Korselt s Criterion. Korselt s Criterion states that every Carmichael number is the product of distinct primes. In fact, Carmichael numbers are always the products of at least three distinct primes. To understand why, consider n, the product of primes p and q. If n is a Carmichael number, then by Korselt s Criterion it must be that case that (p 1) (n 1) and (q 1) (n 1), and neither p 2 nor q 2 divides n. The latter requirement tells us that p q, so one must be larger than the other, say q > p. Then q 1 > p 1, and (q 1) cannot divide (p 1). We know that (q 1) (n 1) (p 1), since 7

(n 1) (p 1) = n p = pq p = p(q 1). And if q 1 divides the linear combination (n 1) (p 1) and also divides n 1, then it must divide p 1. But we have shown that q 1 p 1. Therefore, we have a contradiction, and n cannot be a Carmichael number. It was not proven until 1994 that there are infinitely many Carmichael numbers, despite the fact that mathematicians have been discovering new Carmichael numbers since the late 19th century. One method for generating Carmichael numbers relies on the following claim: If k is chosen such that 6k + 1, 12k + 1, and 18k + 1 are all prime, then their product n is a Carmichael number. Recall that in order for n to be a Carmichael number, it must satisfy Korselt s Criterion. That is, n must be odd, and for every prime p dividing n, it must be the case that p 2 n and p 1 n 1. The first step in the proof is to show that n is odd. If 6k + 1, 12k + 1, and 18k + 1 are all prime, then they must all be odd. This means that n is the product of three odd numbers, and is itself odd. Second, we must show that p 2 i n. This is true since the prime factorization of n is (6k + 1) (12k + 1) (18k + 1), or p 1 p 2 p 3. Because of unique prime factorization, n can only be factored as p 1 p 2 p 3, so p 2 i cannot be a factor of n. The third component of the proof is to show that (p i 1) (n 1). To do so, start by expanding n: n = (6k + 1) (12k + 1) (18k + 1) n = 1296k 3 + 396k 2 + 36k + 1 n 1 = 1296k 3 + 396k 2 + 36k n 1 = 36k(36k 2 + 11k + 1) Next, consider each p i in turn: 8

a) (p 1 1) = 6k + 1 1 = 6k 36k = 6 6k = 6k 36k(36k 2 + 11k + 1) = (p 1 1) (n 1) b) (p 2 1) = 12k + 1 1 = 12k 36k = 3 12k = 12kd 36k(36k 2 + 11k + 1) = (p 2 1) (n 1) c) (p 3 1) = 18k + 1 1 = 18k 36k = 2 18k = 18k 36k(36k 2 + 11k + 1) = (p 3 1) (n 1) Finally, if n is a Carmichael number, it must also satisfy a n 1 1 (mod n). Because we have defined (6k + 1), (12k + 1), and (18k + 1) to be prime, we know by Fermat s Little Theorem that a pi 1 1 (mod p i ). We want to show that a n 1 1 (mod p i ), and then use the Chinese Remainder Theorem to show a n 1 1 (mod n). Because we know that a pi 1 1 (mod p i ), our task is to find a way to relate a p i 1 and a n 1. In fact, we have already shown that (p i 1) (n 1), so we know that v (p i 1) = (n 1) for some v. Then a n 1 = a v (pi 1) = (a pi 1 ) v 1 v (mod p i ). Thus, we have shown that a n 1 1 (mod p i ). Using the Chinese Remainder Theorem and the fact that n = p 1 p 2 p 3, we can show that a n 1 1 (mod p 1 p 2 p 3 ) 1 (mod n). This completes the proof that n is a Carmichael number. Using the above method, the smallest value of k for which n is a Carmichael number is 1. When k = 1, p 1 = 7, p 2 = 13, and p 3 = 19. This gives n = 1729. Applications of Pseudoprimes and Carmichael Numbers Though there are no obvious direct applications of pseudoprimes or Carmichael numbers, such concepts are relevant in the realm of cryptography. Public keys necessitate the generation or discovery of large prime numbers (what we have been referring to as p and q in our discussion of RSA cryptography). Finding and verifying large prime numbers is therefore an essential prerequisite for RSA. Primality tests can be used to 9

locate large primes, and understanding which composite numbers appear prime when applying certain primality tests (i.e. when pseudoprimes might appear) is critical to ensuring that one has correctly chosen primes for encryption. Unknowingly selecting a pseudoprime as p or q would lead to an incorrect calculation of ϕ(m), which would then derail the rest of the encryption computations. Despite an ostensible lack of direct applications, mathematicians remain interested in finding and further examining Carmichael numbers. Works Consulted Baker, Matthew. Korselt s Criterion for Carmichael Numbers. Notes for MATH4150, Spring 2011, Georgia Institute of Technology. http://people.math.gatech.edu/ mbaker/pdf/korselt.pdf Kreussler, Bernd. Pseudoprimes. Notes for MA6011, Mary Immaculate College, University of Limerick. http://www.maths.mic.ul.ie/kreussler/ma6011/week05.pdf Jameson, Graham. Finding pseudoprimes. March 2010, Lancaster University. http://www.maths. lancs.ac.uk/ jameson/carfind.pdf Jameson, Graham. Carmichael numbers and pseudoprimes. May 2010, Lancaster University. http://www.maths.lancs.ac.uk/ jameson/carpsp.pdf Rosen, Kenneth. Elementary Number Theory and Its Applications. 6th ed. New Jersey: Pearson Education, Inc., 2010. Silverman, Joseph H. A Friendly Introduction to Number Theory. 4th ed. New Jersey: Pearson Education, Inc., 2013. 10

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback