Computer Security Ch8: Introduction to Number Theory & Forouzan's Book, CH9

Howon Kim, 2019.4

Agenda

 Prime Numbers

 Fermat’s & Euler’s Theorems

 Testing for Primality

 The Chinese Remainder Theorem

 Discrete Logarithms

3 Three groups of positive integers

Note

A prime is divisible only by itself and 1.

Ref: Forouzan Book, CH9, slide 9.4

Prime Numbers

 prime numbers only have divisors of 1 and self

 they cannot be written as a product of other numbers

 note: 1 is not counted as a prime (it is considered to be neither prime nor composite), so 2 is the smallest prime.

 eg. 2,3,5,7 are prime, 4,6,8,9,10 are not

 prime numbers are central to number theory

• What is the smallest prime? Solution: The smallest prime is 2, which is divisible by 2 (itself) and 1.

• List the primes smaller than 10. Solution: There are four primes less than 10: 2, 3, 5, and 7. It is interesting to note that the percentage of primes in the range 1 to 10 is 40%. The percentage decreases as the range increases.

5 Cardinality of Primes: Infinite Number of Primes

Note

There is an infinite number of primes.

Number of Primes

6 Prime Numbers

 list of prime numbers less than 2000: [table of primes]

7 Ex) Checking for Primeness

Given a number n, how can we determine if n is a prime? The answer is that we need to see if the number is divisible by any prime less than or equal to ⌊√n⌋.

We know that this method is inefficient, but it is a good start.

8 Ex) Checking for Primeness

Is 97 a prime? Solution: ⌊√97⌋ = 9. The primes less than 9 are 2, 3, 5, and 7. We need to see if 97 is divisible by any of these numbers. It is not, so 97 is a prime.

Is 301 a prime? Solution: ⌊√301⌋ = 17. We need to check 2, 3, 5, 7, 11, 13, and 17. The numbers 2, 3, and 5 do not divide 301, but 7 does. Therefore 301 is not a prime.

9 Prime Factorisation

 to factor a number n is to write it as a product of other numbers: n=a x b x c

 note that factoring a number is relatively hard compared to multiplying the factors together to generate the number

 Any integer a > 1 can be factored in a unique way as: a = p1^a1 x p2^a2 x … x pt^at, where p1 < p2 < … < pt are prime numbers and each ai is a positive integer

 91 = 7 x 13

 3600 = 2^4 x 3^2 x 5^2

 11011 = 7 x 11^2 x 13

 It is expressed as the following form:

a = ∏ (p ∈ P) p^(a_p), where each a_p ≥ 0

10 Relatively Prime Numbers & GCD

 two numbers a,b are relatively prime if have no common divisors apart from 1

 Two numbers a and b are relatively prime if gcd(a, b) = 1.

 eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor

 conversely, can determine the GCD by comparing their prime factorizations and using the least powers

 eg. 300 = 2^2 x 3^1 x 5^2, 18 = 2^1 x 3^2, hence GCD(18,300) = 2^1 x 3^1 x 5^0 = 6

11 Agenda

 Prime Numbers

 Fermat’s & Euler’s Theorems

 Carmichael Number

 Testing for Primality

 The Chinese Remainder Theorem

 Discrete Logarithms

12 Fermat's Theorem

 If p is prime and a is a positive integer not divisible by p (gcd(a,p)=1), then a^(p-1) ≡ 1 (mod p)

 also known as Fermat’s Little Theorem

 An alternative form of Fermat's theorem is also useful: a^p ≡ a (mod p)

 This form does not require that a be relatively prime to p

 useful in public key and primality testing

Cf. Fermat's Last Theorem (Fermat's Conjecture) states that no three positive integers a, b, and c satisfy the equation a^n + b^n = c^n for any integer value of n strictly greater than two. The cases n = 1 and n = 2 have been known to have infinitely many solutions. Proved by Professor Andrew Wiles.

13 Fermat's Theorem

(The proof shows that multiplying the set of residues mod p by a (coprime to p) gives back the same set as the original.)

 Proof of a^(p-1) ≡ 1 (mod p), gcd(a,p)=1

 Consider the set of positive integers less than p. that is {1,2,…,p-1} and multiply each element by a, and then apply modulo p.

 We can get X={a mod p, 2a mod p, …,(p-1)a mod p}.

 Here, none of the elements of X is equal to zero because p does not divide a. Furthermore no two of the integers in X are equal.

 To see this, assume that ja ≡ ka (mod p) where 1 ≤ j < k ≤ p-1.

 Because a is relatively prime to p, gcd(a,p)=1, we can eliminate a from both sides of ja=ka(mod p).

 We now get j=k(mod p).  This is impossible because j and k are both positive integers less than p.

 Therefore, we know that the (p-1) elements of X are all positive integers, with no two elements equal.

 We can conclude the X consists of the set of integers {1,2,…,p-1} in some order. Multiplying the numbers in both sets and taking the result mod p yields:

 a x 2a x … x (p-1)a ≡ [1 x 2 x … x (p-1)] (mod p)

 a^(p-1) (p-1)! ≡ (p-1)! (mod p)

 That is, a^(p-1) ≡ 1 (mod p)

14 Fermat's Theorem

 In some parts of proof step, (In the case of p is 5 and a is 3)

 Gcd(a,p) = gcd(3,5) = 1

 Consider the set of positive integers less than p: that is, {1,2,3,4}

 Also the set X, X = {a mod p, 2a mod p, …, (p-1)a mod p} = {3 mod p, 2*3 mod p, 3*3 mod p, 4*3 mod p} = {3, 6, 9, 12} mod 5 = {3, 1, 4, 2}

 We can conclude the X consists of the set of integers {1,2,…,p-1} in some order. Multiplying the numbers in both sets and taking the result mod p yields:

 a x 2a x … x (p-1)a ≡ [1 x 2 x … x (p-1)] (mod p)

 a^(p-1) (p-1)! ≡ (p-1)! (mod p)

 That is, a^(p-1) ≡ 1 (mod p)

15 Fermat's Theorem

 Example: a = 7, p = 19

7^2 = 49 ≡ 11 (mod 19)

7^4 ≡ 11^2 = 121 ≡ 7 (mod 19)

7^8 ≡ 7^2 = 49 ≡ 11 (mod 19)

7^16 ≡ 11^2 = 121 ≡ 7 (mod 19)

a^(p-1) = 7^18 = 7^16 x 7^2 ≡ 7 x 11 = 77 ≡ 1 (mod 19)

16 Euler Totient Function ø(n)

 Before presenting Euler's theorem, we need to introduce an important quantity in number theory

 complete set of residues is: 0..n-1

 reduced set of residues, in which those numbers (residues) are relatively prime to n

 eg for n=10,

 complete set of residues is {0,1,2,3,4,5,6,7,8,9}

 reduced set of residues is {1,3,7,9}

 number of elements in reduced set of residues is called the Euler Totient Function ø(n)

 ø(10)=4 and the set is {1,3,7,9}

17 Euler Totient Function ø(n)

 Some values of Euler Totient Function ø(n)

18 Euler Totient Function ø(n)

 In general, we need prime factorization to compute ø(n)

 But we have some easy ways to get ø(n):

 for p (p prime): ø(p) = p-1 (the order of the multiplicative group of GF(p) is p-1)

 for p·q (p, q distinct primes): ø(pq) = ø(p) x ø(q) = (p-1) x (q-1)

 likewise ø(pqr) = ø(p) x ø(q) x ø(r) for distinct primes p, q, r (ø is multiplicative over coprime factors)

 eg. ø(37) = 36

 ø(21) = ø(3) x ø(7) = (3–1) x (7–1) = 2 x 6 = 12

19 Euler Totient Function ø(n)

 Proof of ø(n)=ø(p) x ø(q):

 To see ø(n) = ø(p) x ø(q), consider that the set of positive integers less than n is the set {1, …, (pq-1)}.

 The integers in this set that are not relatively prime to n are the set {p,2p,…,(q-1)p} and the set {q,2q, …, (p-1)q}. (since n=pxq)

 Accordingly,

ø(n) = (pq-1) - [(q-1) + (p-1)] = pq – (p+q) + 1 = (p-1) x (q-1) = ø(p) x ø(q)

(Since n = p x q, we subtract the multiples of p and the multiples of q, i.e. the numbers that are not relatively prime to n.)

20 Euler's Theorem

 A generalisation of Fermat's Theorem: a^ø(n) ≡ 1 (mod n)

 for any a,n where gcd(a,n)=1

 if n is prime and gcd(a,n)=1, this is Fermat's theorem. That is, a^ø(n) = a^(n-1) ≡ 1 (mod n)

 eg. a=3; n=10; ø(10)=4; hence 3^4 = 81 ≡ 1 (mod 10)

 a=2; n=11; ø(11)=10; hence 2^10 = 1024 ≡ 1 (mod 11)

 An alternative form of Euler's theorem is also useful: a^(ø(n)+1) ≡ a (mod n), where gcd(a,n)=1

22 Recap: Fermat's Little Theorem

 Formulation 1: If p is prime, then for every number a with 1 ≤ a

 Formulation 2: If p is prime, then for every number a with 1 ≤ a

Q4-5 Easy?

 Is N prime?

 Pick some a with 1 < a < N

 Is a^(N-1) ≡ 1 (mod N)? ("composite" means "not prime")

 If so, N is prime; if not, N is composite

 Nice try, but…

 Fermat's Little Theorem is not an "if and only if" condition.

 It doesn't say what happens when N is not prime.

 N may not be prime, but we might just happen to pick an a for which a^(N-1) ≡ 1 (mod N)

 Example: 341 is not prime (it is 11∙31), but 2^340 ≡ 1 (mod 341)

 Definition: We say that a number a passes the Fermat test if a^(N-1) ≡ 1 (mod N)

 We can hope that if N is composite, then many values of a will fail the test.

 It turns out that this hope is well-founded

 If any integer that is relatively prime to N fails the test, then at least half of the numbers a such that 1 ≤ a < N also fail it.

How many "Fermat liars"?

 If N is composite, and we randomly pick an a such that 1 ≤ a < N, and gcd(a, N) = 1, how likely is it that a^(N-1) ≡ 1 (mod N)? (In this case a is called a Fermat liar: N is composite yet satisfies Fermat's theorem.)

 If a^(N-1) ≢ 1 (mod N) for some a that is relatively prime to N, then this must also be true for at least half of the choices of a < N. (If the a we pick fails the Fermat test, at least half of the possible choices of a will fail it too.)

 Let b be some number (if any exist) that passes the Fermat test, i.e. b^(N-1) ≡ 1 (mod N). (Here b passes the test and a is assumed to fail it.)

 Then the number a∙b fails the test: (ab)^(N-1) ≡ a^(N-1) b^(N-1) ≡ a^(N-1), which is not congruent to 1 mod N.

 For a fixed a, f: b → ab is a one-to-one function on the set of b's that pass the Fermat test

 (f maps values that pass the Fermat test to values that fail it)

 so there are at least as many numbers that fail the Fermat test as pass it

 (there are at least as many failing values as passing values)

Carmichael Number vs. Fermat Thm

 A Carmichael number is a composite number N such that ∀ a ∈ {1, …, N-1} (if gcd(a, N) = 1 then a^(N-1) ≡ 1 (mod N)), i.e. every possible a passes the Fermat test.

 That is, Fermat's theorem says that if N is prime and gcd(a, N) = 1, then a^(N-1) ≡ 1 (mod N).

 A Carmichael number shows that a^(N-1) ≡ 1 (mod N) can hold for many a even when N is composite.

 The smallest Carmichael number is 561

 We'll see later how to deal with those

 How rare are they? Let C(X) = number of Carmichael numbers that are less than X.
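As an added example (not from the slides), the following Python checks the claims of these slides on the deck's own numbers: 2 is a Fermat liar for 341 = 11∙31, fewer than half of the bases coprime to 341 are liars, a liar times a witness is a witness, and 561 fools every coprime base (so it is Carmichael, and the smallest one).

```python
# Added example (not part of the slides): the Fermat test, Fermat liars and
# Carmichael numbers, checked on the deck's own cases N = 341 = 11*31 and N = 561.
from math import gcd
from typing import List, Optional


def fermat_passes(n: int, a: int) -> bool:
    """a 'passes the Fermat test for n' if a^(n-1) ≡ 1 (mod n)."""
    return pow(a, n - 1, n) == 1


def is_composite(n: int) -> bool:
    """Trial division up to sqrt(n); 0, 1 and primes are not composite."""
    return n > 3 and any(n % d == 0 for d in range(2, int(n ** 0.5) + 1))


def fermat_liars(n: int) -> List[int]:
    """Bases a with 1 < a < n, gcd(a, n) = 1, that pass although n is composite."""
    if not is_composite(n):
        return []
    return [a for a in range(2, n) if gcd(a, n) == 1 and fermat_passes(n, a)]


def coprime_candidates(n: int) -> int:
    """How many a with 1 < a < n are coprime to n (the bases the test draws from)."""
    return sum(1 for a in range(2, n) if gcd(a, n) == 1)


def liar_times_witness(n: int, liar: int, witness: int) -> bool:
    """The slides' argument: if b passes and a fails, then a*b fails as well."""
    return not fermat_passes(n, liar * witness % n)


def is_carmichael(n: int) -> bool:
    """Composite n for which every base coprime to n passes the Fermat test."""
    return is_composite(n) and len(fermat_liars(n)) == coprime_candidates(n)


def smallest_carmichael(limit: int) -> Optional[int]:
    """First Carmichael number below limit, or None if there is none."""
    return next((n for n in range(3, limit) if is_carmichael(n)), None)


if __name__ == "__main__":
    for n in (341, 561):
        liars, total = len(fermat_liars(n)), coprime_candidates(n)
        print(f"N={n}: {liars} of {total} coprime bases are Fermat liars; "
              f"Carmichael: {is_carmichael(n)}")
```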

27 Where are we now?

 Now we know that Carmichael numbers exist.

 If N is prime, a^(N-1) ≡ 1 (mod N) for all 0 < a < N. // Fermat Thm

 If N is not prime, then a^(N-1) ≡ 1 (mod N) for at most half of the values of a

 How to reduce the likelihood of error?

 Do the test for k randomly-generated values of a < N. Probability of error is < (1/2)^k

 If k=100, dasGupta says the probability of error is less than the probability of a cosmic ray flipping some bits and messing up your computer's computation

28 Where are we now?

 To test N for primality

 Pick positive integers a1, a2, …, ak < N at random

 For each ai, check whether ai^(N-1) ≡ 1 (mod N)

 Use the Miller-Rabin approach (next slides) so that Carmichael numbers are unlikely to thwart us.

 If ai^(N-1) is not congruent to 1 (mod N), or the Miller-Rabin test produces a non-trivial square root of 1 (mod N)

 return false

 return true

Does this work?

Note that this may produce a “false prime”, but the probability is very low if k is large enough.

29 Miller-Rabin test

 A Carmichael number N is a composite number that passes the Fermat test for all a with 1 ≤ a < N and gcd(a, N) = 1

 A way around the problem (Rabin and Miller): Note that for some t and u (u odd), N-1 = 2^t u. ex) 16 = 2^4 · 1, 24 = 2^3 · 3, 66 = 2^1 · 33, …

 As before, compute a^(N-1) (mod N), but do it this way:

 Calculate a^u (mod N), then repeatedly square, to get the sequence a^u (mod N), a^(2u) (mod N), …, a^(2^t u) (mod N) ≡ a^(N-1) (mod N)

 Suppose that at some point, a^(2^i u) ≡ 1 (mod N), but a^(2^(i-1) u) is not congruent to 1 or to N-1 (mod N)

 then we have found a nontrivial square root of 1 (mod N).

 We know that if 1 has a nontrivial square root (mod N), then N cannot be prime.

(If this value is 1 but the previous value is not ±1, then 1 has a nontrivial square root; by the square root test, n is not prime.)

Example (first Carmichael number)

 N = 561.

 We might randomly select at first a = 101. Then 560 = 2^4 ∙ 35, so u = 35, t = 4.

a^u = 101^35 ≡ 560 (mod 561), which is -1 (mod 561) (we can stop here)

a^(2u) = 101^70 ≡ 1 (mod 561)

…

a^(16u) = 101^560 ≡ 1 (mod 561) // with a = 101 the Fermat test is passed

 So 101 is not a witness that 561 is composite (we say that 101 is a Miller-Rabin liar for 561, if indeed 561 is composite)

 Try another a = 83

a^u = 83^35 ≡ 230 (mod 561)

a^(2u) = 83^70 ≡ 166 (mod 561)

a^(4u) = 83^140 ≡ 67 (mod 561)

a^(8u) = 83^280 ≡ 1 (mod 561) // with a = 83, partway through the Fermat computation the square root test finds that the value before the 1 (67) is neither 1 nor -1

 Composite. So 83 is a witness that 561 is composite, because 67 is a non-trivial square root of 1 (mod 561).

32 Generating Primes

Mersenne Primes

Note

A number of the form Mp = 2^p − 1 is called a Mersenne number and may or may not be a prime.

33 Generating Primes

Fermat Primes

F0 = 3

F1 = 5

F2 = 17

F3 = 257

F4 = 65537

F5 = 4294967297 = 641 × 6700417 (not a prime)

34 Primality Testing

 For many cryptographic algorithms, it is necessary to select one or more very large prime numbers at random

 Thus, we are faced with the task of determining whether a given large number is prime !

 traditionally sieve using trial division, i.e. divide by all numbers (primes) in turn less than the square root of the number; this only works for small numbers

 alternatively can use statistical primality tests based on properties of primes

 for which all prime numbers satisfy the property

 but some composite numbers, called pseudo-primes, also satisfy the property

 can use a slower deterministic primality test

35 Primality Testing

 Naïve methods

 The simplest primality test is as follows: Given an input number n, we see if any integer m from 2 to n − 1 divides n. If n is divisible by any m then n is composite, otherwise it is prime.

 Rather than testing all m up to n − 1, we need only test m up to √n: if n is composite then it can be factored into two values, at least one of which must be less than or equal to √n.

 Ex) If n is 104, then it can be factored into 4 × 26. Here, 4 is less than √104

36 Probabilistic Algorithms

 Fermat Test

If n is a prime, a^(n−1) ≡ 1 mod n

If n is composite, it is possible that a^(n−1) ≡ 1 mod n

 Example

 Does the number 561 pass the Fermat test? Solution: Use base 2: 2^560 mod 561 = 1.

The number passes the Fermat test, but it is not a prime, because 561 = 33 × 17.

40 Probabilistic Algorithms

 Square Root Test

 Example 1: What are the square roots of 1 mod n if n is 7 (a prime)?

 The only square roots are 1 and −1. We can see that 1^2 ≡ 1 and (−1)^2 ≡ 6^2 = 36 ≡ 1 (mod 7)

 Example 2: : What are the square roots of 1 mod n if n is 8 (a composite)?

 There are four solutions: 1, 3, 5, and 7 (which is −1). We can see that 3^2 = 9 ≡ 1, 5^2 = 25 ≡ 1 and 7^2 = 49 ≡ 1 (mod 8). (A square root of 1 other than 1 or −1 appears, so by the square root test n is not prime.)

** If in the square root test a number other than 1 or −1 appears (here 3, 5) and 1 appears afterwards, we know that n is not prime.

41 Probabilistic Algorithms

 What are the square roots of 1 mod n if n is 17 (a prime)?

 There are only two solutions: 1 and −1

 What are the square roots of 1 mod n if n is 22 (a composite)?

 Surprisingly, there are only two solutions, +1 and −1, although 22 is a composite

42 Note) Finding the four square roots of y in mod N (N composite)

 Let N = 143 = p × q, with p = 11, q = 13 prime. Let y = 3 ≡ x^2 (mod 143).

 Now, find the square roots of y = 3 in mod 143:

• √3 mod 11 = ±5, since 5^2 mod 11 = 3 and (−5)^2 mod 11 = 3

• √3 mod 13 = ±4, since 4^2 mod 13 = 3 and (−4)^2 mod 13 = 3

• Now we get four square roots of 3 in mod 143,

 x = +5, −5, +4, −4

 That is, every such y has four square roots

 Here ±5 is with respect to mod 11 and ±4 is computed in mod 13

 That is, the square root values can give information about mod N (p × q)

43 Probabilistic Algorithms

 Miller-Rabin Test

[Figure] Idea behind Fermat primality test

The Miller-Rabin test needs from step 0 to step k − 1.

44 Probabilistic Algorithms (a is chosen at random)

 Does the number 561 pass the Miller-Rabin test? Using base 2, let 561 − 1 = 35 × 2^4, which means m = 35, k = 4, and a = 2.

[Prime] In the square root test on slide 41, a number was prime when the value 1 or −1 appeared and squaring it gave 1.

That is, if a value other than ±1 appears and squaring it gives 1, the number is regarded as composite. [Composite]

Prime number: either the first term (a^m) is 1, or −1 appears after the nontrivial values.

45 Probabilistic Algorithms

 We already know that 27 is not a prime. Let us apply the Miller-Rabin test. With base 2, let 27 − 1 = 13 × 2^1, which means that m = 13, k = 1, and a = 2. In this case, because k − 1 = 0, we should do only the initialization step: T = 2^13 mod 27 = 11 mod 27. However, because the algorithm never enters the loop, it returns a composite.

 We know that 61 is a prime; let us see if it passes the Miller-Rabin test.

 We use base 2, with 61 − 1 = 60.

46 Recommended Primality Test

 Today, one of the most popular primality tests is a combination of the divisibility test and the Miller-Rabin test.

47 Recommended Primality Test

 The number 4033 is a composite (37 × 109). Does it pass the recommended primality test?

 Solution

 1. Perform the divisibility tests first. The numbers 2, 3, 5, 7, 11, 17, and 23 are not divisors of 4033.

 2. Perform the Miller-Rabin test with a base of 2: 4033 − 1 = 63 × 2^6, which means m is 63 and k is 6.

 3. But we are not satisfied. We continue with another base, 3.
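The Miller-Rabin procedure of slides 29 to 47 (n − 1 = 2^k m, compute a^m and square repeatedly, look for a nontrivial square root of 1) and Forouzan's recommended combination with small-prime divisibility checks, as an added Python example that is not part of the slides. The small-prime list and the default bases (2, 3) are my choices; the function names are not Forouzan's.

```python
# Added example (not part of the slides): Miller-Rabin as the deck describes it,
# plus the "recommended" test (divisibility by small primes, then Miller-Rabin).
# Checked against the deck's cases: 561 with a = 101 and 83, 27 and 61 with a = 2,
# 121 and 97 with a = 10, and 4033 = 37 * 109 with bases 2 and 3.
import random
from typing import List, Tuple


def decompose(n: int) -> Tuple[int, int]:
    """Write n - 1 = 2^k * m with m odd; returns (k, m)."""
    k, m = 0, n - 1
    while m % 2 == 0:
        k += 1
        m //= 2
    return k, m


def mr_sequence(n: int, a: int) -> List[int]:
    """The k values a^m, a^(2m), ..., a^(2^(k-1) m) mod n that the test inspects."""
    k, m = decompose(n)
    seq = [pow(a, m, n)]
    for _ in range(k - 1):
        seq.append(seq[-1] * seq[-1] % n)
    return seq


def is_witness(n: int, a: int) -> bool:
    """True if base a proves the odd number n composite (n > 3, 1 < a < n - 1)."""
    k, m = decompose(n)
    x = pow(a, m, n)
    if x in (1, n - 1):
        return False          # sequence starts at 1, or reaches 1 through -1
    for _ in range(k - 1):
        x = x * x % n
        if x == n - 1:
            return False      # the square root before the 1 is -1: consistent with prime
        if x == 1:
            return True       # previous value was a nontrivial square root of 1
    # Never reached -1: a^(n-1) != 1 (Fermat fails) or a nontrivial root of 1 exists.
    return True


SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23)   # assumed pre-check list


def recommended_test(n: int, bases=(2, 3)) -> bool:
    """Divisibility by small primes first, then Miller-Rabin for each given base.
    Returns False for 'composite' and True for 'probably prime'."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    return not any(is_witness(n, a) for a in bases if 1 < a < n - 1)


def miller_rabin(n: int, rounds: int = 10) -> bool:
    """Randomised version: for composite n the error probability is at most (1/4)^rounds."""
    if n < 4:
        return n >= 2
    if n % 2 == 0:
        return False
    return not any(is_witness(n, random.randrange(2, n - 1)) for _ in range(rounds))


if __name__ == "__main__":
    print(mr_sequence(561, 83), is_witness(561, 83))            # [230, 166, 67, 1] True
    print(recommended_test(4033, bases=(2,)), recommended_test(4033))  # True False
```

With base 2 alone, 4033 is reported "probably prime" (its sequence reaches −1), which is why the slide is "not satisfied" and adds base 3, which exposes it as composite.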

49 Chinese Remainder Theorem

 It is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli

 Ex) The 10 integers in Z10, that is the integers 0 through 9, can be reconstructed from their two residues modulo 2 and 5 (the relatively prime factors of 10).

 Say the known residues of a decimal digit x are r2 = 0 and r5 = 3; (x mod2=0 and x mod5=3).

 Therefore, The unique solution is x = 8.

 used to speed up modulo computations

 if working modulo a product of numbers (the mi pairwise coprime), eg. mod M = m1m2…mk

 the Chinese Remainder Theorem lets us work in each modulus mi separately

 since computational cost is proportional to size, this is faster than working in the full modulus M

50 Chinese Remainder Theorem

 CRT

 Solving a system of linear congruences

 If m1, m2, m3, … mn are pairwise relatively prime, the system of linear congruences

x ≡ b1 (mod m1)

x ≡ b2 (mod m2)

…

x ≡ bn (mod mn)

has exactly one solution modulo m = m1m2m3…mn

 To solve the system above, put Mi = m/mi (i = 1, 2, …, n); then

since m = Mi mi and gcd(mi, Mi) = 1,

there exists Ni with Mi Ni ≡ 1 (mod mi)

 x ≡ Σ (i = 1..n) bi Mi Ni (mod m)

51 Chinese Remainder Theorem

 Why the CRT works

 Since m1, m2, m3 are pairwise coprime and m = m1m2m3,

 let x ≡ b1·M1·N1 + b2·M2·N2 + b3·M3·N3 (mod m); then

 x ≡ b1 (mod m₁)

 x ≡ b2 (mod m₂) (where b1, b2, b3 are arbitrary integers)

 x ≡ b3 (mod m₃)

 Mi and Ni are chosen so that x satisfies all three congruences above

 Since Mi = m/mi, mj divides Mi for every j ≠ i

 x ≡ b1·M1·N1 + b2·M2·N2 + b3·M3·N3 (mod m1)

≡ b1·M1·N1 (mod m1) [since M2 ≡ 0, M3 ≡ 0 (mod m1)]

≡ b1 (mod m1) (since M1N1 ≡ 1 (mod m1))

 By the same reasoning for m2 and m3, x satisfies all three given congruences

52 Chinese Remainder Theorem

 In summary, CRT can be implemented in the following way:

 to compute A(mod M)

 first compute all ai = A mod mi separately

 determine constants ci below, where Mi = M/mi

 then combine results to get the answer using:

53 Chinese Remainder Theorem

 The CRT follows the rules of modular arithmetic

 Then

 The useful features of the CRT is that it provides a way to manipulate (potentially very large) numbers mod M in terms of tuples of smaller numbers
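The construction of slides 50 and 51 (Mi = m/mi, Ni = Mi^(-1) mod mi, x = Σ bi Mi Ni mod m), as an added Python example that is not part of the slides, run on the deck's own cases: the digit with residues (0 mod 2, 3 mod 5) and the four square roots of y = 3 modulo N = 143 = 11 × 13. It also shows the "work in each modulus separately" speed-up for a multiplication; the function names are mine.

```python
# Added example (not part of the slides): CRT reconstruction as in the deck,
# residue-tuple arithmetic, and the four square roots of 3 mod 143 = 11 * 13.
from math import gcd, prod
from typing import List, Sequence


def crt(b: Sequence[int], moduli: Sequence[int]) -> int:
    """Unique x in [0, m) with x ≡ b_i (mod m_i), for pairwise coprime moduli."""
    if len(b) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    m = prod(moduli)
    x = 0
    for b_i, m_i in zip(b, moduli):
        M_i = m // m_i
        N_i = pow(M_i, -1, m_i)   # M_i * N_i ≡ 1 (mod m_i); exists because gcd(M_i, m_i) = 1
        x += b_i * M_i * N_i      # this term is ≡ b_i (mod m_i) and ≡ 0 (mod every other m_j)
    return x % m


def residues(x: int, moduli: Sequence[int]) -> List[int]:
    """The tuple (x mod m_1, ..., x mod m_k) in which the deck says to compute."""
    return [x % m_i for m_i in moduli]


def mul_mod_via_crt(a: int, b: int, moduli: Sequence[int]) -> int:
    """a*b mod M done component-wise on the small moduli, then recombined with the CRT."""
    ra, rb = residues(a, moduli), residues(b, moduli)
    return crt([(x * y) % m_i for x, y, m_i in zip(ra, rb, moduli)], moduli)


def square_roots_mod_pq(y: int, p: int, q: int) -> List[int]:
    """All square roots of y mod p*q (p, q distinct primes): roots mod each prime
    found by brute force, then each (root mod p, root mod q) pair combined by CRT."""
    roots_p = [r for r in range(p) if r * r % p == y % p]
    roots_q = [r for r in range(q) if r * r % q == y % q]
    return sorted(crt([rp, rq], [p, q]) for rp in roots_p for rq in roots_q)


if __name__ == "__main__":
    print(crt([0, 3], [2, 5]))                # 8
    print(square_roots_mod_pq(3, 11, 13))     # [17, 61, 82, 126]
```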

54 Primitive Roots

 from Euler's theorem, a^ø(n) mod n = 1

 More general expression: a^m ≡ 1 (mod n), GCD(a,n)=1

 If a & n are relatively prime, then there is at least one integer m that satisfies this equation( m = ø(n))

 The least positive exponent m is referred to in several ways:

 The order of a (mod n)

 The length of the period generated by a

55 Primitive Roots: a^ø(n) ≡ 1 (mod n)

 If m = ø(n), then a is called a primitive root

 Because m is the order of a, we can also say: if order(a) = ø(n) (mod n), then a is called a primitive root

 If a is a primitive root of n, then its powers a, a^2, …, a^ø(n) are distinct and are all relatively prime to n

 If p is prime, then successive powers of a "generate" the group mod p: a, a^2, …, a^(p-1)

 Example:

 Since order(3) = 30, 3 is a primitive root modulo 31.

 As order(2) = 5, 2 is not a primitive root modulo 31.

 These are useful but relatively hard to find

57 Discrete Logarithms

 In ordinary real numbers, the logarithm function is the inverse of exponentiation

 In modular arithmetic, there is an analogous function

 The inverse problem to exponentiation is to find the discrete logarithm of a number modulo p, that is, to find x such that y = g^x (mod p)

 this is written as x = log_g y (mod p)

 If g is a primitive root then it always exists, otherwise it may not, eg.

 x = log_3 4 mod 13 has no answer

 x = log_2 3 mod 13 = 4 by trying successive powers (2^4 = 16 ≡ 3 mod 13)

 whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem
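The ideas of slides 16 to 18 and 54 to 57 (reduced residues and ø(n), the order of a mod n, primitive roots, and the discrete logarithm by trying successive powers), as an added Python example that is not part of the slides, run on the deck's cases: ø(10), ø(21), ø(37), the orders of 3 and 2 modulo 31, and log_2 3 and log_3 4 modulo 13. The function names are mine.

```python
# Added example (not part of the slides): totient, multiplicative order, primitive
# roots and brute-force discrete logarithm on the deck's own numbers.
from math import gcd
from typing import List, Optional


def reduced_residues(n: int) -> List[int]:
    """The reduced set of residues: a in 1..n-1 with gcd(a, n) = 1."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def phi(n: int) -> int:
    """Euler's totient ø(n) = size of the reduced set of residues."""
    return len(reduced_residues(n))


def order(a: int, n: int) -> int:
    """Least m > 0 with a^m ≡ 1 (mod n). Euler's theorem guarantees m <= ø(n)
    when gcd(a, n) = 1; without that, no such m exists."""
    if gcd(a, n) != 1:
        raise ValueError("a must be relatively prime to n")
    x, m = a % n, 1
    while x != 1:
        x = x * a % n
        m += 1
    return m


def is_primitive_root(a: int, n: int) -> bool:
    """a is a primitive root of n when its order equals ø(n)."""
    return gcd(a, n) == 1 and order(a, n) == phi(n)


def powers(a: int, p: int) -> List[int]:
    """a, a^2, ..., a^(p-1) mod p; for a primitive root this is all of 1..p-1."""
    return [pow(a, i, p) for i in range(1, p)]


def discrete_log(g: int, y: int, p: int) -> Optional[int]:
    """Smallest x >= 0 with g^x ≡ y (mod p), found by trying successive powers;
    None when y is not in the subgroup generated by g (no answer exists)."""
    x, cur, seen = 0, 1 % p, set()
    while cur not in seen:          # stop once the powers of g start repeating
        if cur == y % p:
            return x
        seen.add(cur)
        cur = cur * g % p
        x += 1
    return None


if __name__ == "__main__":
    print(phi(10), reduced_residues(10))             # 4 [1, 3, 7, 9]
    print(order(3, 31), order(2, 31))                # 30 5
    print(discrete_log(2, 3, 13), discrete_log(3, 4, 13))  # 4 None
```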

58 Next…

 We will study on public key cryptography and RSA…

59 Q&A

60 Appendix

 Primality Testing & More on Miller Rabin Primality Test

 More on Primality Test

61 Primality Testing

 The probabilistic tests:

 Most popular primality tests are probabilistic tests

 These tests use, apart from the tested number n, some other numbers a which are chosen at random from some sample space

 The usual randomized primality tests never report a prime number as composite, but it is possible for a composite number to be reported as prime

 The probability of error can be reduced by repeating the test with several independently chosen a's; for two commonly used tests

 For any composite n at least half the a's detect n's compositeness, so k repetitions reduce the error probability to at most 2^(−k), which can be made arbitrarily small by increasing k.

62 Primality Testing

 The basic structure of randomized primality tests is as follows:

 Randomly pick a number a.

 Check some equality involving a and the given number n. If the equality fails to hold true, then n is a composite number, a is known as a witness for the compositeness, and the test stops.

 Repeat from step 1 until the required certainty is achieved.

 After several iterations, if n is not found to be a composite number, then it can be declared probably prime

 The simplest probabilistic primality test is the Fermat primality test

 It is only a heuristic test; some composite numbers will be declared "probably prime" no matter what witness is chosen.

 Nevertheless, it is sometimes used if a rapid screening of numbers is needed, for instance in the key generation phase of the RSA public key cryptography.

63 Primality Testing

 Fermat primality test

 Fermat's theorem states that if p is prime and a is a positive integer not divisible by p then a^(p-1) ≡ 1 (mod p), where 1 <= a < p.

 If we want to test if p is prime, then we can pick random a’s in the interval and see if the equality holds.

 If the equality does not hold for a value of a, then p is composite.

 If the equality does hold for many values of a, then we can say that p is probably prime, or a pseudoprime

 In our tests, suppose we never pick a value of a for which the equality fails: a^(n-1) ≡ 1 (mod n), even though n is composite!

 Then a is a Fermat liar

 If we do pick an a such that a^(n-1) ≢ 1 (mod n), then a is a Fermat witness

 If n has a Fermat witness, it is composite. It is important to note that a Fermat witness a for n is a certificate for the compositeness of n.

64 Primality Testing

Ref) Primality Testing in Polynomial Time by Martin D.

65 Miller Rabin Algorithm

 Based on Fermat's & square-root test to determine if the given number is a prime number: a^(n–1) ≡ 1 (mod n) (n prime)

 It is not a deterministic test, but gives the result with high probability

 It is based on the following considerations:

The number n to be tested is always odd because even numbers can't be a prime

Therefore, n-1 is always even and can be written as the product of an odd number m and a power of 2: n – 1 = 2^k m

If we choose a positive number a such that 1 < a < n-1

66 Miller Rabin Algorithm

 Note that we have excluded a = 1 or n-1. (For a = 1 or a = n-1, a^2 mod n = 1 whether n is prime or composite.) [Figure: squaring relation]

Each number is the square root of the following number. Since n – 1 = 2^k m, the last number is the square root of a^(n-1) mod n

67 Miller Rabin Algorithm

Cryptography and Network Security by Prakash C. Gupta, CH8

68 Miller Rabin Algorithm

 Ex1) Test 121 for primality using the Miller-Rabin algorithm and base a = 10. We have n = 121, n-1 = 120, 120 = 15 x 2^3, m = 15, k = 3. Now, 10^15 mod 121 = 43, 10^(15x2) mod 121 = 34, 10^(15x4) mod 121 = 67. Thus, 121 is composite.

 Ex2) Test 97 for primality using the Miller-Rabin algorithm and base a = 10. We have n = 97, n-1 = 96, 96 = 3 x 2^5, m = 3, k = 5. Now, 10^3 mod 97 = 30; 10^(3x2) mod 97 = 27; 10^(3x4) mod 97 = 50; 10^(3x8) mod 97 = 75; 10^(3x16) mod 97 = 96 = n-1. Thus, 97 is a prime number with high probability. (See also http://blog.jpolak.org/?p=1968)

Ref: Cryptography and Network Security by Gupta

69 Probabilistic Considerations

 if Miller-Rabin returns “composite” the number is definitely not prime

 otherwise is a prime or a pseudo-prime

 chance it detects a pseudo-prime is <1/4

 hence if we repeat the test with different random a, then the chance that n is prime after t tests is: Pr(n prime after t tests) = 1 - (1/4)^t

 eg. for t=10 this probability is > 0.99999

70 Distribution of Primes

 prime number theorem states that the primes near n are spaced on the average one every (ln n) integers

 Thus, on average, one would have to test on the order of ln(n) integers before a prime is found.

 but can immediately ignore evens

 so in practice need only test 0.5 ln(n) numbers of size n to locate a prime

 note this is only the “average”

 sometimes primes are close together

 other times are quite far apart

71 Appendix

 Primality Testing & More on Miller Rabin Primality Test

 More on Primality Test (reference: Algorithms by Dasgupta, Section 1.3 onward)

72 Primality Testing
