Primality Testing
Patrick Lee
12 July 2003 (updated on 13 July 2003)
Slide 2: Finding a Prime Number
Finding a prime number is critical for public-key cryptosystems such as RSA and Diffie-Hellman.
Naive approach: randomly pick a number n and test whether n is divisible by 2, 3, 5, 7, ..., p, where p is the largest prime less than or equal to the square root of n.
This is computationally expensive, and you need to pre-obtain all the small prime numbers.
Slide 3: Introduction to Number Theory
Number theory here: modular arithmetic on a finite set of integers.
Most randomized algorithms start by choosing a random number from some domain and then work deterministically from there on. We hope that, with high probability, the chosen number has some desirable property.
Goal: given a number n, the desired complexity is O(log n), i.e., polynomial in the length (number of digits) of n.
Slide 4: Computing GCD
gcd(a, b): the greatest common divisor of a and b.
a and b are co-prime iff gcd(a, b) = 1.
Euclid's algorithm: for a > b, gcd(a, b) = gcd(b, a mod b).
Extended Euclid's algorithm: finds the gcd d together with integers x and y such that d = ax + by.
Slide 5: Groups
Additive group: Z_n = {0, 1, ..., n-1} forms a group under addition modulo n.
Multiplicative group: Z_n^* = {x | 1 <= x < n and gcd(x, n) = 1} forms a group under multiplication modulo n.
For prime p, Z_p^* includes all elements of [1, p-1].
E.g., Z_6^* = {1, 5}; Z_7^* = {1, 2, 3, 4, 5, 6}.
Slide 6: Chinese Remainder Theorem (CRT)
Let n_1, n_2, ..., n_k be pairwise co-prime and n = n_1 n_2 ... n_k. For any sequence {r_1, ..., r_k} with r_i in [0, n_i), there exists a unique r in [0, n) satisfying r = r_i (mod n_i) for every i.
E.g., r = 2 (mod 3), r = 3 (mod 5), r = 2 (mod 7) gives r = 23, unique in [0, 105).
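The extended Euclid step of slide 4 and the CRT reconstruction of slide 6, worked on the slides' own example (2 mod 3, 3 mod 5, 2 mod 7). This is an added example, not code from the slides; the function names are my own.

```python
# Added example (not from the slides): extended Euclid and CRT reconstruction.

def ext_gcd(a, b):
    """Return (d, x, y) with d = gcd(a, b) and d = a*x + b*y (extended Euclid)."""
    if b == 0:
        return a, 1, 0
    d, x1, y1 = ext_gcd(b, a % b)          # gcd(a, b) = gcd(b, a mod b)
    # d = b*x1 + (a mod b)*y1 = b*x1 + (a - (a//b)*b)*y1 = a*y1 + b*(x1 - (a//b)*y1)
    return d, y1, x1 - (a // b) * y1

def mod_inverse(a, n):
    """Inverse of a modulo n; exists iff gcd(a, n) = 1, i.e., a is in Z_n^*."""
    d, x, _ = ext_gcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {d})")
    return x % n

def pairwise_coprime(moduli):
    return all(ext_gcd(moduli[i], moduli[j])[0] == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))

def crt(residues, moduli):
    """Unique r in [0, n_1*...*n_k) with r = r_i (mod n_i); moduli pairwise co-prime."""
    if not pairwise_coprime(moduli):
        raise ValueError("CRT needs pairwise co-prime moduli")
    n = 1
    for m in moduli:
        n *= m
    r = 0
    for r_i, n_i in zip(residues, moduli):
        m_i = n // n_i                        # product of the other moduli
        e_i = m_i * mod_inverse(m_i, n_i)     # e_i = 1 (mod n_i), e_i = 0 (mod the others)
        r = (r + r_i * e_i) % n
    return r

if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))          # the slide's example: 23
```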
Slide 7: Euler phi Function phi(.)
phi(n) = |Z_n^*|; e.g., phi(p) = p - 1 for prime p.
Theorem: if n = p_1^e1 p_2^e2 ... p_k^ek, then phi(n) = (p_1 - 1) p_1^(e1 - 1) ... (p_k - 1) p_k^(ek - 1).
E.g., if n = pq, phi(n) = (p - 1)(q - 1). If we know phi(n), we can factorize n.
Euler's Theorem: for all n and all x in Z_n^*, x^phi(n) = 1 (mod n).
For any prime p, x^(p-1) = 1 (mod p) for all x in [1, p-1] (Fermat's Little Theorem).
If x^(n-1) <> 1 (mod n), n is not prime (e.g., 4^5 mod 6 = 4).
Slide 8: Order and Generator
ord(x): the smallest t such that x^t = 1 (mod n). E.g., in Z_11^*, ord(3) = 5 and ord(2) = 10.
Generator: an element whose order equals the group size. E.g., 3 is a generator of Z_7^*.
Subgroup: generated from an element of order t < phi(n). {1, 3, 3^2 = 9, 3^3 = 5, 3^4 = 4} = {1, 3, 4, 5, 9} is a subgroup of Z_11^*.
A group is cyclic if it has a generator. For any prime p, the group Z_p^* is cyclic, i.e., every Z_p^* has a generator, say g: Z_p^* = {1, g, g^2, g^3, ..., g^(p-2)}.
Slide 9: Group Size
Subgroup size divides group size (for all n). Group size = phi(n).
Use an element of order t < phi(n) as the generator of a subgroup (say 2 in Z_7^*). The subgroup spans t elements.
For x in the subgroup, t has to divide phi(n) so that x^(tk) = x^phi(n) = 1 for some integer k. You can prove it by contradiction, assuming t does not divide phi(n).
E.g., H = {1, 3, 4, 5, 9} is a subgroup of Z_11^*, and |H| divides |Z_11^*|.
This proposition applies to all n (prime or composite).
Slide 10: Quadratic Residue
y is a quadratic residue (mod n) if there exists x in Z_n^* such that x^2 = y (mod n), i.e., y has a square root in Z_n^*.
Claim: for any prime p, every quadratic residue has exactly two square roots, x and -x (mod p).
Proof: if x^2 = u^2 (mod p), then (x - u)(x + u) = 0 (mod p), so either p divides x - u (i.e., x = u) or p divides x + u (i.e., x = -u).
It implies that if x^2 = 1 (mod p), then x = 1 or -1.
Slide 11: Quadratic Residue (cont'd)
Theorem: for any prime p and generator g, g^k is a quadratic residue iff k is even.
Given Z_p^* = {1, g, g^2, g^3, ..., g^(p-2)}: even powers of g are quadratic residues; odd powers of g are not quadratic residues.
Legendre symbol: [a/p] = 1 if a is a quadratic residue mod p, and -1 if a is not a quadratic residue mod p.
Slide 12: Quadratic Residue (cont'd)
Theorem: for prime p and a in Z_p^*, [a/p] = a^((p-1)/2) (mod p).
Z_p^* is cyclic, so a = g^k for some k.
If k is even, let k = 2m: a^((p-1)/2) = g^((p-1)m) = 1.
If k is odd, let k = 2m + 1: a^((p-1)/2) = g^((p-1)m) g^((p-1)/2) = g^((p-1)/2) = -1.
Reason: g^((p-1)/2) is a square root of 1, and g^((p-1)/2) <> 1 since ord(g) = p - 1, not (p-1)/2. But 1 has only two square roots, so the only remaining solution is -1.
Hence if n is prime, a^((n-1)/2) = 1 or -1. If we find a^((n-1)/2) is neither 1 nor -1, n is composite.
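Orders, generators, subgroups and Euler's criterion from slides 8 to 12, checked by brute force on the slides' own groups Z_11^* and Z_7^* and on a composite modulus. Added example, not code from the slides; all function names are my own.

```python
# Added example (not from the slides): order, generator, subgroup, Legendre symbol.
from math import gcd

def units(n):
    """Z_n^* = {x | 1 <= x < n, gcd(x, n) = 1}; its size is phi(n)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def order(x, n):
    """ord(x): smallest t >= 1 with x^t = 1 (mod n); needs gcd(x, n) = 1."""
    assert gcd(x, n) == 1, "order is only defined on Z_n^*"
    t, y = 1, x % n
    while y != 1:
        y = (y * x) % n
        t += 1
    return t

def subgroup(x, n):
    """{1, x, x^2, ..., x^(t-1)} generated by x, t = ord(x)."""
    return {pow(x, k, n) for k in range(order(x, n))}

def is_generator(g, p):
    """g generates Z_p^* iff ord(g) equals the group size phi(p) = p - 1."""
    return order(g, p) == len(units(p))

def quadratic_residues(p):
    """Elements of Z_p^* that have a square root, found by squaring everything."""
    return {(x * x) % p for x in range(1, p)}

def legendre(a, p):
    """Euler's criterion (slide 12): a^((p-1)/2) is 1 for a QR, -1 otherwise."""
    v = pow(a, (p - 1) // 2, p)
    return -1 if v == p - 1 else v

def subgroup_sizes_divide_group(n):
    """Slide 9: |<x>| divides phi(n) for every x in Z_n^*, prime or composite n."""
    return all(len(units(n)) % order(x, n) == 0 for x in units(n))
```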
Slide 13: Ideas of Primality Testing
Idea 1: if x^(n-1) mod n <> 1, n is definitely composite; if x^(n-1) mod n = 1, n is probably prime.
Idea 2: if x^((n-1)/2) mod n is not in {1, -1}, n is definitely composite; if x^((n-1)/2) mod n is in {1, -1}, n is probably prime.
Slide 14: Simple Primality Testing Alg.
Repeat k times:
  1) Pick a in {2, ..., n-1} at random.
  2) If gcd(a, n) != 1, output COMPOSITE. [This step is actually unnecessary, but conceptually it helps.]
  3) If a^((n-1)/2) is not congruent to +1 or -1 (mod n), output COMPOSITE.
Now, if we ever got a "-1" above, output "PROBABLY PRIME"; else output "PROBABLY COMPOSITE".
Slide 15: Error of the Simple Alg.
The algorithm is BPP with error probability 1/2^k.
If n is prime, half of the a's give a^((n-1)/2) = 1, so the probability of error in each iteration is 1/2.
If n is composite, an error occurs if n is claimed to be "PROBABLY PRIME". We use the key lemma.
Key Lemma: let n be an odd composite that is not a prime power, and let t = (n-1)/2. If there exists a in Z_n^* such that a^t = -1 (mod n), then at most half of the x's in Z_n^* have x^t in {-1, +1} (mod n).
Slide 16: Error of the Simple Alg. (cont'd)
Let t = (n-1)/2 and S = {x in Z_n^* | x^t = 1 or -1}. We'd like to show S is a proper subgroup of Z_n^*.
S is a subgroup of Z_n^* since it is closed under multiplication: (x^t)(y^t) = (xy)^t.
Find b in Z_n^* but not in S. Let n = qr, where q and r are co-prime. Using the CRT notation, let b = (a, 1), denoting b = a (mod q), b = 1 (mod r); the CRT assures the existence of b.
Thus b^t = (a^t, 1^t) = (-1, 1), which is neither 1 = (1, 1) nor -1 = (-1, -1), so b is not in S. S is a proper subgroup.
Since the subgroup size divides the group size, |S| <= 1/2 |Z_n^*|.
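The simple test of slide 14, written with an explicit list of bases so a run is reproducible, together with the set S of slide 16 so the key lemma can be checked numerically on small composites. Added example, not code from the slides; `simple_test`, `set_S` and `key_lemma_holds` are my own names.

```python
# Added example (not from the slides): the simple a^((n-1)/2) test and the set S.
import random
from math import gcd

def simple_test(n, bases):
    """Slide 14 for odd n > 3, with the random bases supplied by the caller."""
    t = (n - 1) // 2
    saw_minus_one = False
    for a in bases:
        if gcd(a, n) != 1:                 # step 2, kept for clarity as on the slide
            return "COMPOSITE"
        v = pow(a, t, n)
        if v not in (1, n - 1):            # step 3: neither +1 nor -1 (mod n)
            return "COMPOSITE"
        if v == n - 1:
            saw_minus_one = True
    return "PROBABLY PRIME" if saw_minus_one else "PROBABLY COMPOSITE"

def random_simple_test(n, k, rng=random):
    """k rounds with a drawn uniformly from {2, ..., n-1}."""
    return simple_test(n, [rng.randrange(2, n) for _ in range(k)])

def units(n):
    return [x for x in range(1, n) if gcd(x, n) == 1]

def set_S(n):
    """S = {x in Z_n^* | x^t = +1 or -1 (mod n)}, t = (n-1)/2 (slide 16)."""
    t = (n - 1) // 2
    return {x for x in units(n) if pow(x, t, n) in (1, n - 1)}

def key_lemma_holds(n):
    """Key Lemma: if some a has a^t = -1 (mod n), then |S| <= |Z_n^*| / 2."""
    t = (n - 1) // 2
    has_minus_one = any(pow(a, t, n) == n - 1 for a in units(n))
    return (not has_minus_one) or 2 * len(set_S(n)) <= len(units(n))
```

For n = 15 only a = 14 (that is, -1) survives a round, so a single round can return "PROBABLY PRIME" while a second base exposes the composite.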
Slide 17: Case of Prime-Power Composites
The Key Lemma doesn't apply if n is a prime power. However, it doesn't matter, since such n cannot pass the test of step (3), i.e., we are sure that a^((n-1)/2) <> 1, -1 (mod n) for all a.
Proof (assume all operations are mod n): write n = p^e, where p is prime. Consider a^(n-1), which equals a^(p^e - 1). Note that phi(n) = p^(e-1) (p - 1) = p^e - p^(e-1), by the theorem on slide 7.
a^(p^e - 1) = a^(phi(n) + p^(e-1) - 1) = a^(p^(e-1) - 1) (by Euler's Theorem).
Recursively, we get a^(p^e - 1) = a^(-1). Since a <> 1, a^(-1) <> 1. We have a^(n-1) <> 1, so its square root is neither 1 nor -1.
Thus, if n is a prime power, it does not pass the test in step (3), and we can safely ignore prime powers in the Key Lemma.
Slide 18: Miller-Rabin Algorithm
1) Pick a in {2, ..., n-1} at random.
2) If a^(n-1) != 1 (mod n), output COMPOSITE.
3) Let n - 1 = 2^r * B, where B is odd.
4) Compute a^B, a^(2B), ..., a^(n-1) (mod n).
5) If we find a non-{-1, +1} root of 1 in the above list, then
6)   output COMPOSITE;
7) else output POSSIBLY PRIME.
Slide 19: Error of MR Algorithm
It is RP. For prime n, the algorithm always returns prime.
For non-Carmichael composite n, the algorithm returns prime with probability at most 1/2 in each iteration (i.e., step 2 detects compositeness with probability at least 1/2).
Carmichael number: a composite n such that for all a in Z_n^*, a^(n-1) = 1 (mod n) (e.g., 561, 1729).
Slide 20: Error of MR Algorithm (Proof)
Let F_n = {x in Z_n^* | x^(n-1) = 1 (mod n)}, the set of elements that do not violate Fermat's theorem.
Lemma: let n be a composite non-Carmichael number. Then |F_n| <= 1/2 |Z_n^*|.
Clearly F_n <> Z_n^*: there exists a such that a^(n-1) <> 1 (mod n).
F_n forms a group: it is closed under multiplication (trivial proof!).
So F_n is a proper subgroup of Z_n^*: |F_n| divides |Z_n^*|, and |F_n| is strictly less than |Z_n^*|.
Slide 21: Detecting Carmichael Numbers
Computing a^B, a^(2B), ..., a^(2^r B) (mod n), where B = (n-1)/2^r, detects Carmichael numbers.
Idea: a^((n-1)/2) is in {1, -1}; how about a^((n-1)/4)? If a^((n-1)/4) is in {1, -1}, how about a^((n-1)/8)?
Prove by contradiction. Assume n is Carmichael and that, for all a, a^B = 1 (mod n).
Property: a Carmichael number is a product of distinct primes. Thus, let n = p_1 p_2 ... p_k.
Let g' be a generator of Z_p1^*. By the CRT, let a = (g', 1), i.e., a = g' (mod p_1) and a = 1 (mod p_2 ... p_k).
By assumption, a^B = 1 (mod n). It implies g'^B = 1 (mod p_1) (why?). Since g' is a generator of order p_1 - 1, the even number p_1 - 1 must divide B, which contradicts B being odd.
Thus, for some a, a^B <> 1. The probability is > 1/2.
Slide 22: How to Find a Prime Number?
Algorithm: randomly pick a number from [1, n-1] and plug it into the primality testing algorithm. If it fails, repeat the test with another number.
Are prime numbers rare? No. Prime number theorem: the number of primes less than n ~ n / ln(n).
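Miller-Rabin exactly as laid out in steps 1 to 7 of slide 18, with the base list made explicit so the Carmichael number 561 from slide 19 can be seen fooling step 2 alone (slide 20) but not the root-of-1 scan (slide 21), plus the sampling loop of slide 22 checked against the trial division of slide 2. Added example, not code from the slides; `miller_rabin`, `fermat_only`, `trial_division` and `find_prime` are my own names, and the strong-liar base 174 for 221 is a constructed test input.

```python
# Added example (not from the slides): Miller-Rabin, Fermat-only, and prime finding.
import random

def miller_rabin(n, bases):
    """Slide 18 for odd n > 3, run once per base in `bases`."""
    assert n > 3 and n % 2 == 1
    r, B = 0, n - 1
    while B % 2 == 0:                        # step 3: n - 1 = 2^r * B, B odd
        r += 1
        B //= 2
    for a in bases:
        if pow(a, n - 1, n) != 1:            # step 2: Fermat check
            return "COMPOSITE"
        x = pow(a, B, n)                     # step 4: a^B, then square r times
        for _ in range(r):
            y = (x * x) % n
            if y == 1 and x not in (1, n - 1):   # step 5: non-trivial root of 1
                return "COMPOSITE"
            x = y
    return "POSSIBLY PRIME"                  # step 7

def fermat_only(n, bases):
    """Step 2 by itself (slide 20); a Carmichael number passes it for every base."""
    return "COMPOSITE" if any(pow(a, n - 1, n) != 1 for a in bases) else "POSSIBLY PRIME"

def trial_division(n):
    """Naive test of slide 2: try every divisor up to sqrt(n)."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def find_prime(bits, rounds=20, seed=None):
    """Slide 22: sample odd candidates of exactly `bits` bits until one passes."""
    rng = random.Random(seed)
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit and low bit set
        bases = [rng.randrange(2, n) for _ in range(rounds)]
        if miller_rabin(n, bases) == "POSSIBLY PRIME":
            return n
```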