Presentation is loading. Please wait.

Presentation is loading. Please wait.

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Similar presentations


Presentation on theme: "Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)"— Presentation transcript:

1 Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

2 2 Finding a Prime Number Finding a prime number is critical for public- key cryptosystems, such as RSA and Diffie- Hellman. Naïve approach: Randomly pick a number n. Try if n is divided by 2, 3, 5, 7, …., p, where p is the largest prime number less than or equal to the square root of n. Computationally expensive. You need to pre-obtain all small prime numbers.

3 3 Introduction to Number Theory Number theory: modular arithmetic on a finite set of integers Most of the randomized algorithms starts by choosing a random number from some domain and then works deterministically from there on. We hope that with high probability the chosen number has some desirable properties. Goal: Given a number n, the desired complexity is O(logn), i.e., polynomial in the length of n.

4 4 Computing GCD gcd(a, b): greatest common divisor of (a,b) a and b are co-prime iff gcd(a,b) = 1 Euclid’s algorithm: Finding gcd(a,b) for a>b, gcd(a,b) = gcd(b, a mod b) Extended Euclid’s: Finding gcd d and numbers x and y such that d=ax+by

5 5 Groups Additive Group: Z n = {0, 1, …, n-1} forms a group under addition modulo n. Multiplicative Group: Z n * = {x | 1 <= x < n and gcd(x,n) = 1} forms a group under multiplication modulo n. For prime p, Z p * includes all elements [1,p-1]. E.g., Z 6 * = {1, 5} E.g., Z 7 * = {1, 2, 3, 4, 5, 6}

6 6 Chinese Remainder Theorem (CRT) Given n 1, n 2,…, n k are pairwise co-prime. There exists a unique r, r in [0, n = n 1 n 2 …n k ), satisfying r = r i mod n i for any sequence {r 1,..,r k }, where r i in [0, n i ). E.g., r = 2 (mod 3) r = 3 (mod 5) r = 2 (mod 7) We have r = 23, unique in [0,105).

7 7 Euler phi Function: phi(.) phi(n) = |Z n * | e.g., phi(p) = p–1 for prime p Theorem: if n= p 1 e1 p 2 e2 …p k ek, phi(n) = (p 1 -1)p 1 e1 - 1...(p k -1)p k ek – 1 e.g., if n = pq, phi(n) = (p-1)(q-1) If we know phi(n), we can factorize n. Euler’s Theorem: for all n and x in Z n * x phi(n) = 1 (mod n) For any prime p, x p-1 = 1 (mod p) for all x in [1, p-1]. (Fermat’s Little Theorem). If x n-1 <> 1, n is not prime (e.g., 4 5 mod 6 = 4).

8 8 Order and Generator ord(x): smallest t such that x t = 1 mod n E.g., in Z 11 *, ord(3) = 5, ord(2) = 10 Generator: an element whose order = group size. E.g., 3 is the generator of Z 7 * Subgroup: generated from an element of order t < phi(n) {1,3,3 2 =9,3 3 =5,3 4 =4} = {1,3,4,5,9} is a subgroup of Z 11 * A group is cyclic if it has a generator. For any prime p, the group Z p * is cyclic, i.e, every Z p * has a generator, say g. Z p * = {1, g, g 2, g 3, …, g p-2 }

9 9 Group Size Subgroup size divides group size (for all n) Group size = phi(n) We use an element of order t < phi(n) as the generator of the subgroup, (say 2 in Z 7 *). The subgroup spans t elements. For x in subgroup, we observe t has to divide phi(n) so that x tk = x phi(n) = 1, for some integer k. You can prove it by contradiction by assuming t does not divide phi(n). E.g., H = {1, 3, 4, 5, 9} is a subgroup of Z 11 *, |H| dividies |Z 11 * |. This proposition applies to all n (prime / composite).

10 10 Quadratic Residue y is a quadratic residue (mod n) if there exists x in Z n * such that x 2 = y (mod n) i.e., y has a square root in Z n * Claim: For any prime p, every quadratic residue has exactly two square roots x, -x mod p. Proof: if x 2 = u 2 (mod p), then (x-u)(x+u) = 0 (mod p), so either p divides x-u (i.e., x=u), or p divides x+u (i.e., x=-u). It implies if x 2 = 1 (mod p), x = 1 or -1.

11 11 Quadratic Residue (cont’d) Theorem: For any prime p, and g is generator, g k is a quadratic residue iff k is even. Given Z p * = {1, g, g 2, g 3, …, g p-2 } Even powers of g are quadratic residues Odd powers of g are not quadratic residues Legendre symbol: [a/p] = 1 if a is a quadratic residue mod p, and - 1 if a is not a quadratic residue mod p.

12 12 Quadratic Residue (cont’d) Theorem: For prime p and a in Z p *, [a/p] = a (p-1)/2 (mod p). Z p * is cyclic, a = g k for some k. If k is even, let k = 2m, a (p-1)/2 = g (p-1)m = 1. If k is odd, let k = 2m+1, a (p-1)/2 = g (p-1)/2 = -1. Reasons: This is a square root of 1. g (p-1)/2 <> 1 since ord(g) <> (p-1)/2. But 1 has two square roots. Thus, the only solution is -1. If n is prime, a (n-1)/2 = 1 or -1. If we find a (n-1)/2 is not 1 and -1, n is composite.

13 13 Ideas of Primality Testing Idea 1: If x n-1 mod n <> 1, n is definitely composite. If x n-1 mod n = 1, n is probably prime. Idea 2: If x (n-1)/2 mod n <> {1,-1}, n is definitely composite. If x (n-1)/2 mod n = {1,-1}, n is probably prime.

14 14 Simple Primality Testing Alg. Repeat k times: Pick a in {2,...,n-1} at random. If gcd(a,n) != 1, then output COMPOSITE. [this is actually unnecessary but conceptually helps] If a (n-1)/2 is not congruent to +1 or -1 (mod n), then output COMPOSITE. Now, if we ever got a "-1" above output "PROBABLY PRIME" else output "PROBABLY COMPOSITE".

15 15 Error of the Simple Alg. The alg is BPP with error probability 1/2 k. If n is prime, half of them makes a (n-1)/2 = 1. Prob. error in each iteration is ½. If n is composite, error occurs if n is claimed to be “PROBABLY PRIME”. We use the key lemma. Key Lemma: Let n be an odd composite, not a prime power, and let t=(n-1)/2. If there exists a in Z n * such that a t = -1 (mod n), then at most half of the x's in Z n * have x t = {-1,+1} (mod n).

16 16 Error of the Simple Alg. (cont’d) Let S = {x in Z n * | x t = 1 or -1} (let t = (n-1)/2). We’d like to show S is a proper subgroup of Z n *. S is a subgroup of Z n * since it's closed under multiplication (x t )(y t ) = (xy) t. Find b in Z n * but not in S. Let n = qr, where q and r are co-prime. Using the CRT notation, let b = (a,1), denoting b=a (mod q), b=1 (mod r). CRT assures the existence of b. Thus, b t = (a t, 1 t ) = (-1, 1), implying b <> 1 and -1, since 1 = (1, 1) and -1 = (-1,-1). S is a proper subgroup. Since the subgroup size divides the group size, |S| <= ½ |Z n * |.

17 17 Case of Prime-Power Composites Key Lemma doesn’t apply if n is a prime-power. However, it doesn’t matter since it cannot pass the test of step (3), i.e., we are sure that a (n-1)/2 <> 1,-1 mod n for all a. Proof (assume all operations are mod n): Write n = p e, where p is prime. Consider a n-1, which is equal to a p e -1. Note that phi(n) = p e-1 (p-1) = p e -p e-1, according to the theorem in slide 7. a p e -1 = a phi(n)+p e-1 -1 = a p e-1 -1 (by Euler’s Theorem) Recursively, we get a p e -1 = a -1. Since a<>1, a -1 <> 1. We have a n-1 <> 1, and its square root is not 1 and -1. Thus, if n is prime-power, it does not pass the test case in step (3). We can safely ignore the case of prime-powers in the Key Lemma.

18 18 Miller-Rabin Algorithm 1) pick a in {2,...,n-1} at random. 2) If a n-1 != 1 (mod n), then output COMPOSITE 3) Let n-1 = 2 r * B, where B is odd. 4) Compute a B, a 2B,..., a n-1 (mod n). 5) If we found a non {-1,+1} root of 1 in the above list, then 6) output COMPOSITE. 7) else output POSSIBLY PRIME.

19 19 Error of MR Algorithm It is RP. For prime n, the algorithm always returns prime. For non-Carmichael composite n, the algorithm returns prime with probability at most ½ in each iteration (i.e., step 2 detects compositeness with probability at least ½). Carmichael number: a composite n such that for all a in Z n *, a n-1 = 1 mod n. (e.g., 561, 1729)

20 20 Error of MR Algorithm (Proof) Let Fn = {x in Z n * | x n-1 = 1 mod n}, the set of elements that do not violate Fermat’s theorem. Lemma: Let n be a composite non-Carmichael number. Then |F n | <= ½ |Z n * |. Clearly, F n <> Z n *. There exists a such that a n-1 <> 1 mod n. F n forms a group. It is closed under multiplication (trivial proof!) F n is a proper subgroup of Z n *. |F n | divides |Z n * |, and |F n | is strictly less than |Z n * |.

21 21 Detecting Carmichael Numbers Computing a B, a 2B,..., a 2 r B (mod n), where B =(n-1)/2 r, detects Carmichael numbers. Idea: a (n-1)/2 = {1,-1}, how about a (n-1)/4 ? If a (n-1)/4 = {1,-1}, how about a (n-1)/8 ? Prove by contradiction. Assume n is Carmichael, for all a, a B = 1 mod n. Property: Carmichael number is the product of distinct prime. Thus, let n = p 1 p 2..p k. Let g’ is a generator of Z p1 *. Let a = (g’, 1), i.e., a = g’ (mod p 1 ), a = 1 (mod p 2..p r ), by CRT By assumption, a B = 1 (mod n). It implies g’ B = 1 (mod p 1 ) (why?). Since g’ is the generator, B = p-1, which contradicts B is odd. Thus, for some a, a B <> 1. The probability is > ½.

22 22 How to Find a Prime Number? Algorithm: Randomly pick a number from [1,n-1]. Plug it into the primality testing algorithm. If fails, repeat the test with another number. Are prime numbers rare? No. Prime number theorem: No. of prime numbers less than n ~ n/ln(n).

23 23 References R. Motwani and P. Raghavan, “Randomized Algorithms”, Ch. 14. CMU, “Randomized algorithms”, http://www- 2.cs.cmu.edu/afs/cs/usr/avrim/www/Randalg s98/home.htmlhttp://www- 2.cs.cmu.edu/afs/cs/usr/avrim/www/Randalg s98/home.html CLRS, “Introduction to Algorithms”, 2 nd edition. Ch. 31.


Download ppt "Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)"

Similar presentations


Ads by Google