DOCSLIB.ORG

An Analysis of Primality Testing and Its Use in Cryptographic Applications

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An Analysis of Primality Testing and Its Use in Cryptographic Applications An Analysis of Primality Testing and Its Use in Cryptographic Applications Jake Massimo Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Information Security Royal Holloway, University of London 2020 Declaration These doctoral studies were conducted under the supervision of Prof. Kenneth G. Paterson. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathe- matics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jake Massimo April, 2020 2 Abstract Due to their fundamental utility within cryptography, prime numbers must be easy to both recognise and generate. For this, we depend upon primality testing. Both used as a tool to validate prime parameters, or as part of the algorithm used to generate random prime numbers, primality tests are found near universally within a cryptographer's tool-kit. In this thesis, we study in depth primality tests and their use in cryptographic applications. We first provide a systematic analysis of the implementation landscape of primality testing within cryptographic libraries and mathematical software. We then demon- strate how these tests perform under adversarial conditions, where the numbers being tested are not generated randomly, but instead by a possibly malicious party. We show that many of the libraries studied provide primality tests that are not pre- pared for testing on adversarial input, and therefore can declare composite numbers as being prime with a high probability. We also demonstrate that for a number of libraries, including Apple's CommonCrypto, we are able to construct composites that always pass the supplied primality tests. We then explore the implications of these security failures in applications, focus- ing on the construction of malicious Diffie-Hellman parameters. These malicious parameter sets target the public key parameter validation functions found in these same cryptographic libraries { particularly within the ones that offer TLS imple- mentations. Using the analysis performed on these library's primality tests, we are able to construct malicious parameter sets for both finite-field and elliptic curve Diffie-Hellman that pass validation testing with some probability, but are designed such that the Discrete Logarithm Problem (DLP) is relatively easy to solve. We give an application of these malicious parameter sets to OpenSSL and password authenticated key exchange (PAKE) protocols. Finally, we address the shortcomings uncovered in primality testing under adver- sarial conditions by the introduction of a performant primality test that provides strong security guarantees across all use cases, while providing the simplest possible API. We examine different options for the core of our test, describing four different candidate primality tests and analysing them theoretically and experimentally. We then evaluate the performance of the chosen test in the use case of prime generation and discuss how our proposed test was fully adopted by the developers of OpenSSL through a new API and primality test scheduled for release in OpenSSL 3.0 (2020). 3 Acknowledgements I would like to first thank my supervisor Kenny Paterson for his patience, motivation, and guidance throughout the course of my Ph.D. Kenny has provided me so much insight and development into all aspects of my academic work, and I thank him for always making time for this. I would also like to thank Martin Albrecht for his support as a mentor and collaborator, as well as Liz Quaglia. I would like to thank Juraj Somorovsky and Steven Galbraith for giving me the opportunity to work with them as collaborators and to learn from their expertise. It was inspirational to see the level at which they work. I am grateful to the Engineering and Physical Sciences Research Council (EPSRC) for funding my work as part of the Centre for Doctoral Training (CDT) at Royal Holloway, University of London. I also give thanks to my fellow CDT students, and in particular Joanne Woodage, for truly being a role model and a friend to me { I learned from you how to deal with all the things that can't be learned from supervision and was constantly motivated by your outstanding level of work. I would like also to thank the CDT leadership and support staff at Royal Holloway, particularly Carlos Cid and Claire Hudson. I would also like to thank Matthew Campagna and Shay Gueron for hosting me at Amazon Web Services as an intern. Your team gave me an incredible opportunity to learn and work with so many other great researchers and engineers. Lastly, I give thanks to my Mum, Dad, Sister, and Anna for your love, support, and for watching my presentations even when you don't understand them. 4 Publications This thesis is based on the following three publications: 1. Martin R. Albrecht, Jake Massimo, Kenneth G. Paterson, and Juraj So- morovsky. Prime and Prejudice: Primality Testing Under Adversarial Condi- tions. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, Canada, October 15-19, 2018, pp. 281-298, ACM. [5] This work originated with discussions between Martin and Kenny. I then joined the project as work began to flesh out these ideas. The main theoretical parts of the work arose from discussions between Martin, Kenny and me. The practical analysis of cryptographic libraries and mathematical software was in the main performed by me (and supported by all other authors), with the exception of the Bouncy Castle and Botan libraries, which were jointly worked on with Juraj Somorovsky. 2. Steven Galbraith, Jake Massimo, and Kenneth G. Paterson. Safety in Num- bers: On the Need for Robust Diffie-Hellman Parameter Validation. In IACR International Workshop on Public Key Cryptography, PKC 2019, Beijing, China, April 14-17, 2019, pp. 379-407, Springer. [57] This work started as a continuation of the previous work between Kenny and me. All sections were therefore authored jointly between Kenny and me, with the exception of the theoretical work on the elliptic curve setting which was due to Steven. Steven then contributed to the authorship as a whole during the submission process. 3. Jake Massimo and Kenneth G. Paterson. A Performant, Misuse-Resistant API for Primality Testing. To appear in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, CCS 2020, Orlando, USA, November 9-13, 2020, ACM. [100] This work was contributed to equally by Kenny and me. 5 Contents 1 Introduction 9 1.1 Motivation . .9 1.2 Contributions . 14 1.2.1 Thesis Structure . 14 1.2.2 OpenSSL Timeline . 16 2 Background and Preliminaries 19 2.1 Mathematical Background . 19 2.1.1 The Prime Number Theorem . 19 ∗ 2.1.2 The Group Zn .......................... 20 2.1.3 Cyclic Groups and Primitive Roots . 20 2.1.4 Lagrange's Theorem . 21 2.1.5 Finding Primitive Elements and Elements of Order q ..... 22 2.2 The Diffie-Hellman and Discrete Log Problems . 23 2.2.1 The Discrete Log Problem . 23 2.2.2 Prime Parameters and Safe Primes . 24 2.2.3 Security Level and Generic Attacks . 25 2.2.4 Pollard Rho . 25 2.2.5 Pohlig-Hellman . 26 2.2.6 Finite Field Diffie-Hellman Key Exchange . 27 2.3 Elliptic Curve Cryptography . 28 2.3.1 Elliptic Curves . 29 2.3.2 The Elliptic Curve Discrete Log Problem . 30 2.3.3 Elliptic Curve Diffie-Hellman . 30 2.4 Primality Testing . 31 2.4.1 Fermat Test . 31 2.4.2 Miller-Rabin Test . 32 2.4.3 Lucas Test . 33 2.4.4 Baillie-PSW . 35 2.4.5 Supplementary and Preliminary Tests . 36 2.4.6 Standards and Technical Guidelines . 37 2.5 Prime Generation . 38 2.5.1 Bias in Prime Generation . 39 3 Prime and Prejudice: Primality Testing Under Adversarial Condi- tions 41 3.1 Introduction and Motivation . 42 3.1.1 Overview of Primality Testing . 44 3.1.2 Contributions & Outline . 45 3.2 Constructing Pseudoprimes . 47 3.2.1 Miller-Rabin Pseudoprimes . 47 3.2.2 Lucas Pseudoprimes . 54 6 CONTENTS 3.3 Cryptographic Libraries . 57 3.3.1 OpenSSL . 57 3.3.2 GNU GMP . 60 3.3.3 Mini-GMP . 65 3.3.4 NSS . 67 3.3.5 Apple corecrypto and CommonCrypto . 69 3.3.6 Cryptlib . 70 3.3.7 JavaScript Big Number (JSBN) . 71 3.3.8 LibTomMath . 73 3.3.9 LibTomCrypt . 74 3.3.10 WolfSSL . 74 3.3.11 Libgcrypt . 75 3.3.12 Java . 76 3.3.13 Bouncy Castle . 78 3.3.14 Botan . 79 3.3.15 Crypto++ . 79 3.3.16 Golang . 80 3.3.17 Example Pseudoprimes for Apple corecrypto and Common- Crypto, LibTomMath, LibTomCrypt and WolfSSL . 81 3.4 Mathematical Software . 83 3.4.1 Magma . 84 3.4.2 Maple . 84 3.4.3 MATLAB . 86 3.4.4 Maxima . 86 3.4.5 SageMath . 87 3.4.6 SymPy . 88 3.4.7 Wolfram Mathematica . 90 3.5 Application to Diffie-Hellman . 90 3.6 Disclosure and Mitigations . 94 3.7 Conclusion and Recommendations . 96 4 Great Exponentiations: On the Need for Robust Diffie-Hellman Parameter Validation 98 4.1 Introduction and Motivation . 99 4.1.1 Contributions & Outline . 101 4.1.2 Related Work . 104 4.2 Miller-Rabin Primality Testing and Pseudoprimes . 105 4.2.1 On the Relationship Between S(n) and m, the Number of Prime Factors of n ........................ 107 4.3 Generating Large Carmichael Numbers . 110 4.3.1 The Erd¨osMethod . 110 4.3.2 The Selection of L in the Erd¨osMethod .
Load more

Recommended publications
  • Fast Tabulation of Challenge Pseudoprimes Andrew Shallue and Jonathan Webster
    THE OPEN BOOK SERIES 2 ANTS XIII Proceedings of the Thirteenth Algorithmic Number Theory Symposium Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster msp THE OPEN BOOK SERIES 2 (2019) Thirteenth Algorithmic Number Theory Symposium msp dx.doi.org/10.2140/obs.2019.2.411 Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster We provide a new algorithm for tabulating composite numbers which are pseudoprimes to both a Fermat test and a Lucas test. Our algorithm is optimized for parameter choices that minimize the occurrence of pseudoprimes, and for pseudoprimes with a fixed number of prime factors. Using this, we have confirmed that there are no PSW-challenge pseudoprimes with two or three prime factors up to 280. In the case where one is tabulating challenge pseudoprimes with a fixed number of prime factors, we prove our algorithm gives an unconditional asymptotic improvement over previous methods. 1. Introduction Pomerance, Selfridge, and Wagstaff famously offered $620 for a composite n that satisfies (1) 2n 1 1 .mod n/ so n is a base-2 Fermat pseudoprime, Á (2) .5 n/ 1 so n is not a square modulo 5, and j D (3) Fn 1 0 .mod n/ so n is a Fibonacci pseudoprime, C Á or to prove that no such n exists. We call composites that satisfy these conditions PSW-challenge pseudo- primes. In[PSW80] they credit R. Baillie with the discovery that combining a Fermat test with a Lucas test (with a certain specific parameter choice) makes for an especially effective primality test[BW80].
    [Show full text]
  • Define Composite Numbers and Give Examples
    Define Composite Numbers And Give Examples Hydrotropic and amphictyonic Noam upheaves so injunctively that Hudson charcoal his nymphomania. immanently,Chase eroding she her shells chorine it transiently. bluntly, tameless and scenographic. Ethan bargees her stalagmometers Transponder much money frank had put up by our counselor will tell the numbers and composite number is called the whole or a number of improved methods capable of To give examples. Similarly, when subtraction is performed, the similar pattern is observed. Explicit Teach section and bill discuss the difference between composite and prime numbers. What bout the difference between a prime number does a composite number. That captures the hour well school is said a job enough definition because it. Cite Nimisha Kaushik Difference Between road and Composite Numbers. Write down the multiplication facts as you do this. When we talk getting the divisors of another prime number we had always talking a natural numbers whole numbers greater than 0 Examples of Prime Numbers 2. But opting out of some of these cookies may have an effect on your browsing experience. All of that the positive integer a paragraph in this is already registered with multiple. Are there for prime numbers? The side number is incorrect. Find our prime factorization of whole numbers. Example 11 is a prime number field the only numbers it quiz be divided by evenly is 1 and 11 What is Composite Number Composite numbers has. Lorem ipsum dolor in a composite and gives you know if you. See more ideas about surface and composite numbers prime and composite 4th grade.
    [Show full text]
  • Lecture 9: Arithmetics II 1 Greatest Common Divisor
    DD2458, Problem Solving and Programming Under Pressure Lecture 9: Arithmetics II Date: 2008-11-10 Scribe(s): Marcus Forsell Stahre and David Schlyter Lecturer: Douglas Wikström This lecture is a continuation of the previous one, and covers modular arithmetic and topics from a branch of number theory known as elementary number theory. Also, some abstract algebra will be discussed. 1 Greatest Common Divisor Definition 1.1 If an integer d divides another integer n with no remainder, d is said to be a divisor of n. That is, there exists an integer a such that a · d = n. The notation for this is d | n. Definition 1.2 A common divisor of two non-zero integers m and n is a positive integer d, such that d | m and d | n. Definition 1.3 The Greatest Common Divisor (GCD) of two positive integers m and n is a common divisor d such that every other common divisor d0 | d. The notation for this is GCD(m, n) = d. That is, the GCD of two numbers is the greatest number that is a divisor of both of them. To get an intuition of what GCD is, let’s have a look at this example. Example Calculate GCD(9, 6). Say we have 9 black and 6 white blocks. We want to put the blocks in boxes, but every box has to be the same size, and can only hold blocks of the same color. Also, all the boxes must be full and as large as possible . Let’s for example say we choose a box of size 2: As we can see, the last box of black bricks is not full.
    [Show full text]
  • Primality Testing and Integer Factorisation
    Primality Testing and Integer Factorisation Richard P. Brent, FAA Computer Sciences Laboratory Australian National University Canberra, ACT 2601 Abstract The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several recent algorithms for primality testing and factorisation, give examples of their use and outline some applications. 1. Introduction It has been known since Euclid’s time (though first clearly stated and proved by Gauss in 1801) that any natural number N has a unique prime power decomposition α1 α2 αk N = p1 p2 ··· pk (1.1) αj (p1 < p2 < ··· < pk rational primes, αj > 0). The prime powers pj are called αj components of N, and we write pj kN. To compute the prime power decomposition we need – 1. An algorithm to test if an integer N is prime. 2. An algorithm to find a nontrivial factor f of a composite integer N. Given these there is a simple recursive algorithm to compute (1.1): if N is prime then stop, otherwise 1. find a nontrivial factor f of N; 2.
    [Show full text]
  • X9.80–2005 Prime Number Generation, Primality Testing, and Primality Certificates
    This is a preview of "ANSI X9.80:2005". Click here to purchase the full version from the ANSI store. American National Standard for Financial Services X9.80–2005 Prime Number Generation, Primality Testing, and Primality Certificates Accredited Standards Committee X9, Incorporated Financial Industry Standards Date Approved: August 15, 2005 American National Standards Institute American National Standards, Technical Reports and Guides developed through the Accredited Standards Committee X9, Inc., are copyrighted. Copying these documents for personal or commercial use outside X9 membership agreements is prohibited without express written permission of the Accredited Standards Committee X9, Inc. For additional information please contact ASC X9, Inc., P.O. Box 4035, Annapolis, Maryland 21403. This is a preview of "ANSI X9.80:2005". Click here to purchase the full version from the ANSI store. ANS X9.80–2005 Foreword Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made toward their resolution. The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.
    [Show full text]
  • Triangular Numbers /, 3,6, 10, 15, ", Tn,'" »*"
    TRIANGULAR NUMBERS V.E. HOGGATT, JR., and IVIARJORIE BICKWELL San Jose State University, San Jose, California 9111112 1. INTRODUCTION To Fibonacci is attributed the arithmetic triangle of odd numbers, in which the nth row has n entries, the cen- ter element is n* for even /?, and the row sum is n3. (See Stanley Bezuszka [11].) FIBONACCI'S TRIANGLE SUMS / 1 =:1 3 3 5 8 = 2s 7 9 11 27 = 33 13 15 17 19 64 = 4$ 21 23 25 27 29 125 = 5s We wish to derive some results here concerning the triangular numbers /, 3,6, 10, 15, ", Tn,'" »*". If one o b - serves how they are defined geometrically, 1 3 6 10 • - one easily sees that (1.1) Tn - 1+2+3 + .- +n = n(n±M and (1.2) • Tn+1 = Tn+(n+1) . By noticing that two adjacent arrays form a square, such as 3 + 6 = 9 '.'.?. we are led to 2 (1.3) n = Tn + Tn„7 , which can be verified using (1.1). This also provides an identity for triangular numbers in terms of subscripts which are also triangular numbers, T =T + T (1-4) n Tn Tn-1 • Since every odd number is the difference of two consecutive squares, it is informative to rewrite Fibonacci's tri- angle of odd numbers: 221 222 TRIANGULAR NUMBERS [OCT. FIBONACCI'S TRIANGLE SUMS f^-O2) Tf-T* (2* -I2) (32-22) Ti-Tf (42-32) (52-42) (62-52) Ti-Tl•2 (72-62) (82-72) (9*-82) (Kp-92) Tl-Tl Upon comparing with the first array, it would appear that the difference of the squares of two consecutive tri- angular numbers is a perfect cube.
    [Show full text]
  • FACTORING COMPOSITES TESTING PRIMES Amin Witno
    WON Series in Discrete Mathematics and Modern Algebra Volume 3 FACTORING COMPOSITES TESTING PRIMES Amin Witno Preface These notes were used for the lectures in Math 472 (Computational Number Theory) at Philadelphia University, Jordan.1 The module was aborted in 2012, and since then this last edition has been preserved and updated only for minor corrections. Outline notes are more like a revision. No student is expected to fully benefit from these notes unless they have regularly attended the lectures. 1 The RSA Cryptosystem Sensitive messages, when transferred over the internet, need to be encrypted, i.e., changed into a secret code in such a way that only the intended receiver who has the secret key is able to read it. It is common that alphabetical characters are converted to their numerical ASCII equivalents before they are encrypted, hence the coded message will look like integer strings. The RSA algorithm is an encryption-decryption process which is widely employed today. In practice, the encryption key can be made public, and doing so will not risk the security of the system. This feature is a characteristic of the so-called public-key cryptosystem. Ali selects two distinct primes p and q which are very large, over a hundred digits each. He computes n = pq, ϕ = (p − 1)(q − 1), and determines a rather small number e which will serve as the encryption key, making sure that e has no common factor with ϕ. He then chooses another integer d < n satisfying de % ϕ = 1; This d is his decryption key. When all is ready, Ali gives to Beth the pair (n; e) and keeps the rest secret.
    [Show full text]
  • Primality Test
    Primality test A primality test is an algorithm for determining whether (6k + i) for some integer k and for i = −1, 0, 1, 2, 3, or 4; an input number is prime. Amongst other fields of 2 divides (6k + 0), (6k + 2), (6k + 4); and 3 divides (6k mathematics, it is used for cryptography. Unlike integer + 3). So a more efficient method is to test if n is divisible factorization, primality tests do not generally give prime by 2 or 3, then to check through all the numbers of form p factors, only stating whether the input number is prime 6k ± 1 ≤ n . This is 3 times as fast as testing all m. or not. Factorization is thought to be a computationally Generalising further, it can be seen that all primes are of difficult problem, whereas primality testing is compara- the form c#k + i for i < c# where i represents the numbers tively easy (its running time is polynomial in the size of that are coprime to c# and where c and k are integers. the input). Some primality tests prove that a number is For example, let c = 6. Then c# = 2 · 3 · 5 = 30. All prime, while others like Miller–Rabin prove that a num- integers are of the form 30k + i for i = 0, 1, 2,...,29 and k ber is composite. Therefore the latter might be called an integer. However, 2 divides 0, 2, 4,...,28 and 3 divides compositeness tests instead of primality tests. 0, 3, 6,...,27 and 5 divides 0, 5, 10,...,25.
    [Show full text]
  • Primes and Primality Testing
    Primes and Primality Testing A Technological/Historical Perspective Jennifer Ellis Department of Mathematics and Computer Science What is a prime number? A number p greater than one is prime if and only if the only divisors of p are 1 and p. Examples: 2, 3, 5, and 7 A few larger examples: 71887 524287 65537 2127 1 Primality Testing: Origins Eratosthenes: Developed “sieve” method 276-194 B.C. Nicknamed Beta – “second place” in many different academic disciplines Also made contributions to www-history.mcs.st- geometry, approximation of andrews.ac.uk/PictDisplay/Eratosthenes.html the Earth’s circumference Sieve of Eratosthenes 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 Sieve of Eratosthenes We only need to “sieve” the multiples of numbers less than 10. Why? (10)(10)=100 (p)(q)<=100 Consider pq where p>10. Then for pq <=100, q must be less than 10. By sieving all the multiples of numbers less than 10 (here, multiples of q), we have removed all composite numbers less than 100.
    [Show full text]
  • Elementary Number Theory
    Elementary Number Theory Peter Hackman HHH Productions November 5, 2007 ii c P Hackman, 2007. Contents Preface ix A Divisibility, Unique Factorization 1 A.I The gcd and B´ezout . 1 A.II Two Divisibility Theorems . 6 A.III Unique Factorization . 8 A.IV Residue Classes, Congruences . 11 A.V Order, Little Fermat, Euler . 20 A.VI A Brief Account of RSA . 32 B Congruences. The CRT. 35 B.I The Chinese Remainder Theorem . 35 B.II Euler’s Phi Function Revisited . 42 * B.III General CRT . 46 B.IV Application to Algebraic Congruences . 51 B.V Linear Congruences . 52 B.VI Congruences Modulo a Prime . 54 B.VII Modulo a Prime Power . 58 C Primitive Roots 67 iii iv CONTENTS C.I False Cases Excluded . 67 C.II Primitive Roots Modulo a Prime . 70 C.III Binomial Congruences . 73 C.IV Prime Powers . 78 C.V The Carmichael Exponent . 85 * C.VI Pseudorandom Sequences . 89 C.VII Discrete Logarithms . 91 * C.VIII Computing Discrete Logarithms . 92 D Quadratic Reciprocity 103 D.I The Legendre Symbol . 103 D.II The Jacobi Symbol . 114 D.III A Cryptographic Application . 119 D.IV Gauß’ Lemma . 119 D.V The “Rectangle Proof” . 123 D.VI Gerstenhaber’s Proof . 125 * D.VII Zolotareff’s Proof . 127 E Some Diophantine Problems 139 E.I Primes as Sums of Squares . 139 E.II Composite Numbers . 146 E.III Another Diophantine Problem . 152 E.IV Modular Square Roots . 156 E.V Applications . 161 F Multiplicative Functions 163 F.I Definitions and Examples . 163 CONTENTS v F.II The Dirichlet Product .
    [Show full text]
  • MATH 404: ARITHMETIC 1. Divisibility and Factorization After Learning To
    MATH 404: ARITHMETIC S. PAUL SMITH 1. Divisibility and Factorization After learning to count, add, and subtract, children learn to multiply and divide. The notion of division makes sense in any ring and much of the initial impetus for the development of abstract algebra arose from problems of division√ and factoriza- tion, especially in rings closely related to the integers such as Z[ d]. In the next several chapters we will follow this historical development by studying arithmetic in these and similar rings. √ To see that there are some serious issues to be addressed notice that in Z[ −5] the number 6 factorizes as a product of irreducibles in two different ways, namely √ √ 6 = 2.3 = (1 + −5)(1 − −5). 1 It isn’t hard to show these factors are irreducible but we postpone√ that for now . The key point for the moment is to note that this implies that Z[ −5] is not a unique factorization domain. This is in stark contrast to the integers. Since our teenage years we have taken for granted the fact that every integer can be written as a product of primes, which in Z are the same things as irreducibles, in a unique way. To emphasize the fact that there are questions to be understood, let us mention that Z[i] is a UFD. Even so, there is the question which primes in Z remain prime in Z[i]? This is a question with a long history: Fermat proved in ??? that a prime p in Z remains prime in Z[i] if and only if it is ≡ 3(mod 4).√ It is then natural to ask for each integer d, which primes in Z remain prime in Z[ d]? These and closely related questions lie behind much of the material we cover in the next 30 or so pages.
    [Show full text]
  • Primality Testing for Beginners
    STUDENT MATHEMATICAL LIBRARY Volume 70 Primality Testing for Beginners Lasse Rempe-Gillen Rebecca Waldecker http://dx.doi.org/10.1090/stml/070 Primality Testing for Beginners STUDENT MATHEMATICAL LIBRARY Volume 70 Primality Testing for Beginners Lasse Rempe-Gillen Rebecca Waldecker American Mathematical Society Providence, Rhode Island Editorial Board Satyan L. Devadoss John Stillwell Gerald B. Folland (Chair) Serge Tabachnikov The cover illustration is a variant of the Sieve of Eratosthenes (Sec- tion 1.5), showing the integers from 1 to 2704 colored by the number of their prime factors, including repeats. The illustration was created us- ing MATLAB. The back cover shows a phase plot of the Riemann zeta function (see Appendix A), which appears courtesy of Elias Wegert (www.visual.wegert.com). 2010 Mathematics Subject Classification. Primary 11-01, 11-02, 11Axx, 11Y11, 11Y16. For additional information and updates on this book, visit www.ams.org/bookpages/stml-70 Library of Congress Cataloging-in-Publication Data Rempe-Gillen, Lasse, 1978– author. [Primzahltests f¨ur Einsteiger. English] Primality testing for beginners / Lasse Rempe-Gillen, Rebecca Waldecker. pages cm. — (Student mathematical library ; volume 70) Translation of: Primzahltests f¨ur Einsteiger : Zahlentheorie - Algorithmik - Kryptographie. Includes bibliographical references and index. ISBN 978-0-8218-9883-3 (alk. paper) 1. Number theory. I. Waldecker, Rebecca, 1979– author. II. Title. QA241.R45813 2014 512.72—dc23 2013032423 Copying and reprinting. Individual readers of this publication, and nonprofit libraries acting for them, are permitted to make fair use of the material, such as to copy a chapter for use in teaching or research. Permission is granted to quote brief passages from this publication in reviews, provided the customary acknowledgment of the source is given.
    [Show full text]