Primality Testing

Patrick Lee, 12 July 2003 (updated on 13 July 2003)

Presentation Transcript


  1. Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

  2. Finding a Prime Number
  • Finding a prime number is critical for public-key cryptosystems, such as RSA and Diffie-Hellman.
  • Naïve approach:
    • Randomly pick a number n. Test whether n is divisible by 2, 3, 5, 7, …, p, where p is the largest prime less than or equal to the square root of n.
    • Computationally expensive.
    • You need to pre-obtain all small prime numbers.

  3. Introduction to Number Theory
  • Number theory: modular arithmetic on a finite set of integers.
  • Most randomized algorithms start by choosing a random number from some domain and then work deterministically from there on. We hope that with high probability the chosen number has some desirable property.
  • Goal: given a number n, the desired complexity is $O(\log n)$, i.e., polynomial in the length of n.

  4. Computing GCD
  • gcd(a, b): greatest common divisor of a and b.
  • a and b are co-prime iff gcd(a, b) = 1.
  • Euclid’s algorithm: finds gcd(a, b).
    • For a > b, gcd(a, b) = gcd(b, a mod b).
  • Extended Euclid’s algorithm: finds d = gcd(a, b) together with integers x and y such that d = ax + by.

  5. Groups
  • Additive group: $Z_n = \{0, 1, \dots, n-1\}$ forms a group under addition modulo n.
  • Multiplicative group: $Z_n^* = \{x \mid 1 \le x < n \text{ and } \gcd(x, n) = 1\}$ forms a group under multiplication modulo n.
  • For prime p, $Z_p^*$ contains all elements of [1, p-1].
  • E.g., $Z_6^* = \{1, 5\}$
  • E.g., $Z_7^* = \{1, 2, 3, 4, 5, 6\}$

  6. Chinese Remainder Theorem (CRT)
  • Given pairwise co-prime $n_1, n_2, \dots, n_k$: for any sequence $r_1, \dots, r_k$ with $r_i \in [0, n_i)$, there exists a unique $r \in [0, n)$, where $n = n_1 n_2 \cdots n_k$, satisfying $r \equiv r_i \pmod{n_i}$ for every i.
  • E.g., $r \equiv 2 \pmod 3$, $r \equiv 3 \pmod 5$, $r \equiv 2 \pmod 7$. We have r = 23, unique in [0, 105).
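The extended Euclid algorithm of slide 4 and the CRT reconstruction of slide 6, as an added example (not code from the slides); the function names ext_gcd, mod_inverse and crt are my own, and the sample values are the slide's (r = 23 for moduli 3, 5, 7).

```python
# Added example: extended Euclid (slide 4) used to rebuild r from its residues (slide 6).
from typing import List, Tuple

def ext_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (d, x, y) with d = gcd(a, b) and d = a*x + b*y (iterative form)."""
    x0, y0, x1, y1 = 1, 0, 0, 1          # invariants: a*x0 + b*y0 == a, a*x1 + b*y1 == b
    while b:
        q, r = divmod(a, b)              # gcd(a, b) = gcd(b, a mod b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_inverse(a: int, n: int) -> int:
    """Inverse of a mod n; it exists only when gcd(a, n) == 1 (a in Z_n^*)."""
    d, x, _ = ext_gcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {d})")
    return x % n

def crt(residues: List[int], moduli: List[int]) -> int:
    """Unique r in [0, n1*n2*...*nk) with r = r_i (mod n_i); moduli pairwise co-prime."""
    n = 1
    for m in moduli:
        n *= m
    r = 0
    for r_i, n_i in zip(residues, moduli):
        m_i = n // n_i                   # product of the other moduli
        # m_i * inv(m_i mod n_i) is 1 mod n_i and 0 mod every other modulus
        r = (r + r_i * m_i * mod_inverse(m_i, n_i)) % n
    return r

if __name__ == "__main__":
    print(ext_gcd(240, 46))              # (2, -9, 47): 240*(-9) + 46*47 = 2
    print(crt([2, 3, 2], [3, 5, 7]))     # 23, the slide's example
```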

  7. Euler phi Function: $\phi(\cdot)$
  • $\phi(n) = |Z_n^*|$
  • E.g., $\phi(p) = p - 1$ for prime p.
  • Theorem: if $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, then $\phi(n) = (p_1 - 1)p_1^{e_1 - 1} \cdots (p_k - 1)p_k^{e_k - 1}$.
  • E.g., if n = pq, $\phi(n) = (p-1)(q-1)$.
  • If we know $\phi(n)$, we can factorize n.
  • Euler’s Theorem: for all n and all $x \in Z_n^*$, $x^{\phi(n)} \equiv 1 \pmod n$.
  • For any prime p, $x^{p-1} \equiv 1 \pmod p$ for all $x \in [1, p-1]$ (Fermat’s Little Theorem).
  • If $x^{n-1} \not\equiv 1 \pmod n$, n is not prime (e.g., $4^5 \bmod 6 = 4$).

  8. Order and Generator
  • ord(x): the smallest t such that $x^t \equiv 1 \pmod n$.
  • E.g., in $Z_{11}^*$, ord(3) = 5, ord(2) = 10.
  • Generator: an element whose order equals the group size.
  • E.g., 3 is a generator of $Z_7^*$.
  • Subgroup: generated from an element of order $t < \phi(n)$.
    • $\{1, 3, 3^2 = 9, 3^3 = 5, 3^4 = 4\} = \{1, 3, 4, 5, 9\}$ is a subgroup of $Z_{11}^*$.
  • A group is cyclic if it has a generator.
  • For any prime p, the group $Z_p^*$ is cyclic, i.e., every $Z_p^*$ has a generator, say g.
  • $Z_p^* = \{1, g, g^2, g^3, \dots, g^{p-2}\}$

  9. Group Size
  • Subgroup size divides group size (for all n).
  • Group size = $\phi(n)$.
  • We use an element of order $t < \phi(n)$ as the generator of the subgroup (say 2 in $Z_7^*$).
  • The subgroup spans t elements.
  • For x in the subgroup, we observe that t has to divide $\phi(n)$ so that $x^{tk} = x^{\phi(n)} = 1$ for some integer k. You can prove it by contradiction by assuming t does not divide $\phi(n)$.
  • E.g., H = {1, 3, 4, 5, 9} is a subgroup of $Z_{11}^*$; |H| divides $|Z_{11}^*|$.
  • This proposition applies to all n (prime or composite).

  10. Quadratic Residue
  • y is a quadratic residue (mod n) if there exists $x \in Z_n^*$ such that $x^2 \equiv y \pmod n$, i.e., y has a square root in $Z_n^*$.
  • Claim: for any prime p, every quadratic residue has exactly two square roots, x and -x mod p.
  • Proof: if $x^2 \equiv u^2 \pmod p$, then $(x-u)(x+u) \equiv 0 \pmod p$, so either p divides x - u (i.e., x = u) or p divides x + u (i.e., x = -u).
  • It implies that if $x^2 \equiv 1 \pmod p$, then x = 1 or x = -1.

  11. Quadratic Residue (cont’d)
  • Theorem: for any prime p and generator g, $g^k$ is a quadratic residue iff k is even.
  • Given $Z_p^* = \{1, g, g^2, g^3, \dots, g^{p-2}\}$:
    • Even powers of g are quadratic residues.
    • Odd powers of g are not quadratic residues.
  • Legendre symbol: $\left[\frac{a}{p}\right] = 1$ if a is a quadratic residue mod p, and $-1$ if a is not a quadratic residue mod p.

  12. Quadratic Residue (cont’d)
  • Theorem: for prime p and $a \in Z_p^*$, $\left[\frac{a}{p}\right] \equiv a^{(p-1)/2} \pmod p$.
  • $Z_p^*$ is cyclic, so $a = g^k$ for some k.
  • If k is even, let k = 2m: $a^{(p-1)/2} = g^{(p-1)m} = 1$.
  • If k is odd, let k = 2m + 1: $a^{(p-1)/2} = g^{(p-1)m} \cdot g^{(p-1)/2} = g^{(p-1)/2} = -1$. Reasons:
    • This is a square root of 1.
    • $g^{(p-1)/2} \ne 1$ since $\mathrm{ord}(g) \ne (p-1)/2$.
    • But 1 has only two square roots. Thus, the only remaining solution is -1.
  • If n is prime, $a^{(n-1)/2} = 1$ or $-1$. If we find that $a^{(n-1)/2}$ is neither 1 nor -1, n is composite.

  13. Ideas of Primality Testing
  • Idea 1:
    • If $x^{n-1} \bmod n \ne 1$, n is definitely composite.
    • If $x^{n-1} \bmod n = 1$, n is probably prime.
  • Idea 2:
    • If $x^{(n-1)/2} \bmod n \notin \{1, -1\}$, n is definitely composite.
    • If $x^{(n-1)/2} \bmod n \in \{1, -1\}$, n is probably prime.

  14. Simple Primality Testing Alg.
  • Repeat k times:
    • Pick a in {2, ..., n-1} at random.
    • If gcd(a, n) != 1, then output COMPOSITE. [This is actually unnecessary but conceptually helps.]
    • If $a^{(n-1)/2}$ is not congruent to +1 or -1 (mod n), then output COMPOSITE.
  • Now, if we ever got a "-1" above, output "PROBABLY PRIME"; else output "PROBABLY COMPOSITE".

  15. Error of the Simple Alg.
  • The alg. is BPP with error probability $1/2^k$.
  • If n is prime, half of the bases a give $a^{(n-1)/2} = 1$. The probability of error in each iteration is ½.
  • If n is composite, an error occurs if n is claimed to be “PROBABLY PRIME”. We use the key lemma.
  • Key Lemma: let n be an odd composite, not a prime power, and let t = (n-1)/2. If there exists $a \in Z_n^*$ such that $a^t \equiv -1 \pmod n$, then at most half of the x's in $Z_n^*$ have $x^t \in \{-1, +1\} \pmod n$.
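The slide-14 test and the slide-15 observation that, for a prime, half the bases give +1, as an added example (not code from the slides); simple_test, random_bases and split_bases are my own names, and bases are passed explicitly so that a run is reproducible.

```python
# Added example: the simple Euler-criterion test of slide 14 and its error cases (slide 15).
import random
from math import gcd
from typing import Iterable, List, Tuple

def simple_test(n: int, bases: Iterable[int]) -> str:
    """Slide-14 algorithm for odd n > 3, one iteration per base a in [2, n-1]."""
    t = (n - 1) // 2
    saw_minus_one = False
    for a in bases:
        if gcd(a, n) != 1:
            return "COMPOSITE"           # unnecessary in principle, kept as on the slide
        v = pow(a, t, n)                 # a^((n-1)/2) mod n
        if v == n - 1:                   # -1 mod n
            saw_minus_one = True
        elif v != 1:                     # a square root of a^(n-1) other than +-1
            return "COMPOSITE"
    return "PROBABLY PRIME" if saw_minus_one else "PROBABLY COMPOSITE"

def random_bases(n: int, k: int, rng: random.Random = random) -> List[int]:
    """k bases drawn uniformly from {2, ..., n-1}, as the slide prescribes."""
    return [rng.randrange(2, n) for _ in range(k)]

def split_bases(p: int) -> Tuple[int, int]:
    """For a prime p, count a in [1, p-1] with a^((p-1)/2) = +1 versus -1 (mod p)."""
    t = (p - 1) // 2
    plus = sum(1 for a in range(1, p) if pow(a, t, p) == 1)
    return plus, (p - 1) - plus

if __name__ == "__main__":
    print(simple_test(7, [2, 3]))        # 3^3 = 27 = -1 (mod 7): PROBABLY PRIME
    print(simple_test(7, [2, 4]))        # both give +1: the 1/2^k error on a prime
    print(simple_test(561, [5]))         # 5^280 mod 561 is neither +-1: COMPOSITE
    print(simple_test(101, random_bases(101, 10)))
    print(split_bases(101))              # (50, 50): half the bases give +1
```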

  16. Error of the Simple Alg. (cont’d)
  • Let $S = \{x \in Z_n^* \mid x^t = 1 \text{ or } -1\}$ (with t = (n-1)/2).
  • We’d like to show S is a proper subgroup of $Z_n^*$.
  • S is a subgroup of $Z_n^*$ since it is closed under multiplication: $(x^t)(y^t) = (xy)^t$.
  • Find b in $Z_n^*$ but not in S:
    • Let n = qr, where q and r are co-prime.
    • Using the CRT notation, let b = (a, 1), denoting $b \equiv a \pmod q$ and $b \equiv 1 \pmod r$. CRT assures the existence of b.
    • Thus, $b^t = (a^t, 1^t) = (-1, 1)$, so $b^t$ is neither 1 nor -1, since 1 = (1, 1) and -1 = (-1, -1).
  • S is a proper subgroup. Since the subgroup size divides the group size, $|S| \le \tfrac{1}{2}|Z_n^*|$.

  17. Case of Prime-Power Composites
  • The Key Lemma doesn’t apply if n is a prime power. However, it doesn’t matter, since such n cannot pass the test of step (3), i.e., we are sure that $a^{(n-1)/2} \not\equiv 1, -1 \pmod n$ for all a.
  • Proof (assume all operations are mod n):
    • Write $n = p^e$, where p is prime.
    • Consider $a^{n-1}$, which equals $a^{p^e - 1}$.
    • Note that $\phi(n) = p^{e-1}(p-1) = p^e - p^{e-1}$, according to the theorem on slide 7.
    • $a^{p^e - 1} = a^{\phi(n) + p^{e-1} - 1} = a^{p^{e-1} - 1}$ (by Euler’s Theorem).
    • Recursively, we get $a^{p^e - 1} = a^{-1}$.
    • Since $a \ne 1$, $a^{-1} \ne 1$. We have $a^{n-1} \ne 1$, and its square root is neither 1 nor -1.
    • Thus, if n is a prime power, it does not pass the test in step (3). We can safely ignore the case of prime powers in the Key Lemma.

  18. Miller-Rabin Algorithm
  • Pick a in {2, ..., n-1} at random.
  • If $a^{n-1} \ne 1 \pmod n$, then output COMPOSITE.
  • Let $n - 1 = 2^r \cdot B$, where B is odd.
  • Compute $a^B, a^{2B}, \dots, a^{n-1} \pmod n$.
  • If we find a square root of 1 in the above list that is not in {-1, +1}, then output COMPOSITE; else output POSSIBLY PRIME.

  19. Error of MR Algorithm
  • It is RP.
  • For prime n, the algorithm always returns prime.
  • For non-Carmichael composite n, the algorithm returns prime with probability at most ½ in each iteration (i.e., step 2 detects compositeness with probability at least ½).
  • Carmichael number: a composite n such that for all $a \in Z_n^*$, $a^{n-1} \equiv 1 \pmod n$ (e.g., 561, 1729).

  20. Error of MR Algorithm (Proof)
  • Let $F_n = \{x \in Z_n^* \mid x^{n-1} \equiv 1 \pmod n\}$, the set of elements that do not violate Fermat’s theorem.
  • Lemma: let n be a composite non-Carmichael number. Then $|F_n| \le \tfrac{1}{2}|Z_n^*|$.
  • Clearly, $F_n \ne Z_n^*$: there exists a such that $a^{n-1} \not\equiv 1 \pmod n$.
  • $F_n$ forms a group: it is closed under multiplication (trivial proof!).
  • $F_n$ is a proper subgroup of $Z_n^*$: $|F_n|$ divides $|Z_n^*|$, and $|F_n|$ is strictly less than $|Z_n^*|$.

  21. Detecting Carmichael Numbers
  • Computing $a^B, a^{2B}, \dots, a^{2^r B} \pmod n$, where $B = (n-1)/2^r$, detects Carmichael numbers.
  • Idea: $a^{(n-1)/2} \in \{1, -1\}$; how about $a^{(n-1)/4}$? If $a^{(n-1)/4} \in \{1, -1\}$, how about $a^{(n-1)/8}$?
  • Prove by contradiction:
    • Assume n is Carmichael and, for all a, $a^B \equiv 1 \pmod n$.
    • Property: a Carmichael number is the product of distinct primes. Thus, let $n = p_1 p_2 \cdots p_k$.
    • Let g’ be a generator of $Z_{p_1}^*$.
    • Let a = (g’, 1), i.e., $a \equiv g’ \pmod{p_1}$ and $a \equiv 1 \pmod{p_2 \cdots p_k}$, by CRT.
    • By assumption, $a^B \equiv 1 \pmod n$. It implies $g’^B \equiv 1 \pmod{p_1}$ (why?).
    • Since g’ is a generator, its order $p_1 - 1$ (an even number) divides B, which contradicts B being odd.
  • Thus, for some a, $a^B \ne 1$. The probability is > ½.

  22. How to Find a Prime Number?
  • Algorithm:
    • Randomly pick a number from [1, n-1].
    • Plug it into the primality testing algorithm.
    • If it fails, repeat the test with another number.
  • Are prime numbers rare? No.
  • Prime number theorem: the number of primes less than n is ~ n/ln(n).
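Miller-Rabin as laid out on slide 18, plus the pick-and-test prime search of slide 22, as an added example (not code from the slides); decompose, mr_witness, miller_rabin and find_prime are my own names, and the Carmichael number 561 from slide 19 is used to show the root-of-1 sequence that slide 21 describes.

```python
# Added example: Miller-Rabin (slide 18) and random prime search (slide 22).
# 561 (Carmichael, slide 19) passes Fermat's test for base 2 but the list
# a^B, a^2B, ... exposes a square root of 1 other than +-1 (slide 21).
import random
from typing import List, Optional, Tuple

def decompose(n: int) -> Tuple[int, int]:
    """Write n - 1 = 2^r * B with B odd."""
    r, B = 0, n - 1
    while B % 2 == 0:
        r, B = r + 1, B // 2
    return r, B

def mr_witness(n: int, a: int) -> Optional[List[int]]:
    """One Miller-Rabin round for odd n >= 3 and base a in [2, n-2]: None if a says
    POSSIBLY PRIME, else the list a^B, a^2B, ..., a^(n-1) (mod n) that exposed n."""
    r, B = decompose(n)
    seq = [pow(a, B, n)]
    for _ in range(r):                   # repeated squaring up to a^(2^r B) = a^(n-1)
        seq.append(seq[-1] * seq[-1] % n)
    if seq[-1] != 1:                     # step 2: Fermat's test already fails
        return seq
    for x, x_sq in zip(seq, seq[1:]):    # first 1 in the list; its predecessor is a root of 1
        if x_sq == 1:
            return None if x in (1, n - 1) else seq
    return None

def miller_rabin(n: int, k: int = 20, rng: random.Random = random) -> bool:
    """RP test: False means definitely composite, True means possibly prime (error <= 2^-k)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(mr_witness(n, rng.randrange(2, n - 1)) is None for _ in range(k))

def find_prime(bits: int, rng: random.Random = random) -> int:
    """Slide 22: draw random odd candidates of exactly `bits` bits until one passes."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand, rng=rng):
            return cand

if __name__ == "__main__":
    print(pow(2, 560, 561))              # 1: base 2 passes Fermat's test for 561
    print(mr_witness(561, 2))            # [263, 166, 67, 1, 1]: 67^2 = 1 but 67 != +-1
    print(miller_rabin(561), miller_rabin(97))
    print(find_prime(64))
```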

  23. References
  • R. Motwani and P. Raghavan, Randomized Algorithms, Ch. 14.
  • CMU, “Randomized Algorithms”, http://www-2.cs.cmu.edu/afs/cs/usr/avrim/www/Randalgs98/home.html
  • CLRS, Introduction to Algorithms, 2nd edition, Ch. 31.
