DOCSLIB.ORG

Independence of the Miller-Rabin and Lucas Probable Prime Tests

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Independence of the Miller-Rabin and Lucas Probable Prime Tests Alec Leng Mentor: David Corwin March 30, 2017 1 Abstract In the modern age, public-key cryptography has become a vital component for se- cure online communication. To implement these cryptosystems, rapid primality test- ing is necessary in order to generate keys. In particular, probabilistic tests are used for their speed, despite the potential for pseudoprimes. So, we examine the commonly used Miller-Rabin and Lucas tests, showing that numbers with many nonwitnesses are usually Carmichael or Lucas-Carmichael numbers in a specific form. We then use these categorizations, through a generalization of Korselt’s criterion, to prove that there are no numbers with many nonwitnesses for both tests, affirming the two tests’ relative independence. As Carmichael and Lucas-Carmichael numbers are in general more difficult for the two tests to deal with, we next search for numbers which are both Carmichael and Lucas-Carmichael numbers, experimentally finding none less than 1016. We thus conjecture that there are no such composites and, using multi- variate calculus with symmetric polynomials, begin developing techniques to prove this. 2 1 Introduction In the current information age, cryptographic systems to protect data have become a funda- mental necessity. With the quantity of data distributed over the internet, the importance of encryption for protecting individual privacy has greatly risen. Indeed, according to [EMC16], cryptography is allows for authentication and protection in online commerce, even when working with vital financial information (e.g. in online banking and shopping). Now that more and more transactions are done through the internet, rather than in person, the importance of secure encryption schemes is only growing. Thus, as some commonly used public key cryptography algorithms rely on large semi- primes that are extremely difficult to factor, fast prime generation is vital for key gener- ation. For example, the RSA cryptosystem is one of the most widely used systems for cryptography—even when not used directly, its often used to encrypt the keys for other cryptographic algorithms ([CSE11]). To implement it, RSA requires semiprimes that are around 2048 bits (about 600 decimal digits) for its key ([EMC16]). These semiprimes are the product of two primes, so one needs to quickly generate primes that are around 1048 bits (around 300 decimal digits). If we have a way to quickly determine if a number is prime, we can quickly generate the necessary primes by choosing “candidate” numbers in the right size, until we find one that is prime. 1.1 Primality Tests Methods for determining whether or not a number n is prime are simply called primality tests. There are two distinct types of primality tests. On one hand, deterministic tests always decide for certain whether or not n is prime. On the other hand, probabilistic tests determine either that n is composite, or that it might be prime. This is done by checking whether or not n satisfies some properties which are true of all primes and few composites. While these probabilistic tests do not always correctly determine if a number is prime, they are generally far faster than deterministic tests. Indeed, when compared with the fast (in the sense that it runs in polynomial-time), deterministic, Agrawal-Kayal-Saxena (AKS) primality test, effective probabilistic primality tests are still millions of times faster [AKS04]. Thus, probabilistic primality tests remain very relevant. Indeed, even when attempting to prove that a number is prime, probabilistic tests can be rapidly applied to quickly exclude most composite numbers, reducing the overall time the primality test takes. 3 1.2 The Fermat Primality Test The Fermat test is constructed from Fermat’s Little Theorem, which says that for a prime p, and any a relatively prime to p, we have ap−1 ≡ 1 (mod p). So, to turn this into a primality test, given an odd number n, we choose some positive integer a < n that is relatively prime to n and see if an−1 ≡ 1 (mod n). If the congruence holds, then n might be prime. However, if the congruence does not hold, then we know n is a composite, and we call a a witness for n’s compositeness. Similarly, if n is actually composite, and the congruence holds for some a, then we call that a a nonwitness, and n a Fermat pseudoprime. However, the Fermat Primality test itself is not particularly useful; there are some n for which every a is a nonwitness. These numbers are called Carmichael numbers, and they will play a vital role when looking at pseudoprimes to the Miller-Rabin test. 1.3 The Miller-Rabin Primality Test In the Miller-Rabin test, we express our odd integer n as n = 1+d ·2k, for d an odd integer. Then, as with the Fermat test, we choose a positive integer a < n, relatively prime to n, as a potential witness. However, with the Miller-Rabin test, we check that either ad ≡ 1 r (mod n); or a2 ·d ≡ −1 (mod n) for some r < k. If one of these conditions hold, then n is a probable prime. If n is actually composite, then we say that it is a strong pseudoprime, and that a is a nonwitness. Likewise, if neither of the conditions hold, then a is a witness to n and n is known to be composite. As this paper will not examine the Fermat test, “witness” and “nonwitness,” when used to describe an integer a, will be used to mean a “witness” or “nonwitness” for the Miller-Rabin test. For a given n, we will use N(n) to denote the number of Miller-Rabin nonwitnesses to n. We will focus on this test, and the Lucas Probable Prime test which we now introduce. 1.4 The Lucas Probable Prime Test To construct the weak Lucas test, we first define the Lucas Sequences U and V, when given two integers P and Q, by U0 = 0, U1 = 1, Uk+2 = PUk+1 − QUk, and V0 = 2, V1 = 2 P, Vk+2 = PVk+1 − QVk. Then, let D = P − 4Q, and let e(n) denote the Jacobi symbol D . We have the following as a well-known theorem: n Theorem. [Arn97] Let p be a prime number, relatively prime to 2QD. Set p − e(p) = 2kq for q an odd integer. Then, pjU2kq. 4 Note that this condition can be viewed as analogous to the condition for the Fermat test. So, just like with the Fermat test, there is a stronger form of the statement; if p is prime, then one of the following conditions is satisfied: pjUq or there exists some i, 0 ≤ i < k, where pjV i : 2 q p Let O be the ring of algebraic integers in Q( D). Then, [Arn97] shows that each Lucas sequence is in a one-to-one correspondence with the norm-1 elements t in O where t − 1 is a unit in O=n. Furthermore, [Arn97] also shows that for a given Lucas sequence, if n is k k relatively prime to 2QD, then njUk () t ≡ 1 (mod n) and njVk () t ≡ −1 (mod n). In light of these equivalences, we will often study the Lucas test with algebraic integers, not with Lucas sequences. Now, we can turn the Lucas condition into a primality test, starting with some n rel- atively prime to 2QD and setting n − e(n) = 2kq for q odd. If, for a composite n, either njUq or there is some i, 0 ≤ i < k, where pjV2iq; then we call n a strong Lucas pseudoprime, since it satisfies the strong form of the Lucas test, and the pair of parameters (P;Q) (or the corresponding quadratic integer t), a nonwitness. We will now introduce some notation that is useful when talking about Lucas pseudo- e1 em primes. Suppose n > 2 factors into primes as n = p1 ··· pm . Let ei denote e(pi). Then, ki for 1 ≤ i ≤ m, let pi − ei = 2 qi for qi odd. Finally, let SL(D;n) denote the number of nonwitnesses, analogous to N(n) for Miller-Rabin nonwitnesses. The Lucas test, when used correctly, can be highly independent of the Miller Rabin test, making it particularly interesting. Indeed, several algorithms exploit this independence to yield extremely powerful primality tests; of particular note is the Baillie-PSW test, for which there are no known composite n which are “probably prime.” 1.5 This Research In Section 2, we begin by examining prior results about numbers with many nonwitnesses for both the Miller-Rabin and Lucas Pseudoprime tests. We define our concept of “Lucas- Carmichael numbers” as an analog of the Carmichael numbers, but for the Lucas Probable Prime test, and give a categorization of numbers with many nonwitnesses for both the Miller-Rabin and Lucas tests in terms of Carmichael and Lucas-Carmichael numbers. In order to prove that no numbers have many nonwitnesses for both tests, we prove that if a composite has three prime factors, then it cannot be a Carmichael number and a Lucas- Carmichael number. Then, in Section 3, we begin to generalize this result to show that there are no composites that are both Carmichael and Lucas-Carmichael numbers, developing 5 lemmas and techniques before applying them to a particular form of numbers with five prime factors to show that there are no numbers in that form that are both Carmichael and Lucas-Carmichael numbers. We conclude in Section 4 by considering possible future work. 2 Finding Composites with Many Nonwitnesses 2.1 Prior Results In the case of the Miller-Rabin test, we have the below classification for the numbers with high amounts of nonwitnesses, where j(n) denotes the Euler totient function, and v2(n) is v2(n) the greatest natural number so that 2 jn.
Recommended publications
  • Fast Tabulation of Challenge Pseudoprimes Andrew Shallue and Jonathan Webster

    Fast Tabulation of Challenge Pseudoprimes Andrew Shallue and Jonathan Webster

    THE OPEN BOOK SERIES 2 ANTS XIII Proceedings of the Thirteenth Algorithmic Number Theory Symposium Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster msp THE OPEN BOOK SERIES 2 (2019) Thirteenth Algorithmic Number Theory Symposium msp dx.doi.org/10.2140/obs.2019.2.411 Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster We provide a new algorithm for tabulating composite numbers which are pseudoprimes to both a Fermat test and a Lucas test. Our algorithm is optimized for parameter choices that minimize the occurrence of pseudoprimes, and for pseudoprimes with a fixed number of prime factors. Using this, we have confirmed that there are no PSW-challenge pseudoprimes with two or three prime factors up to 280. In the case where one is tabulating challenge pseudoprimes with a fixed number of prime factors, we prove our algorithm gives an unconditional asymptotic improvement over previous methods. 1. Introduction Pomerance, Selfridge, and Wagstaff famously offered $620 for a composite n that satisfies (1) 2n 1 1 .mod n/ so n is a base-2 Fermat pseudoprime, Á (2) .5 n/ 1 so n is not a square modulo 5, and j D (3) Fn 1 0 .mod n/ so n is a Fibonacci pseudoprime, C Á or to prove that no such n exists. We call composites that satisfy these conditions PSW-challenge pseudo- primes. In[PSW80] they credit R. Baillie with the discovery that combining a Fermat test with a Lucas test (with a certain specific parameter choice) makes for an especially effective primality test[BW80].
  • Lecture 9: Arithmetics II 1 Greatest Common Divisor

    Lecture 9: Arithmetics II 1 Greatest Common Divisor

    DD2458, Problem Solving and Programming Under Pressure Lecture 9: Arithmetics II Date: 2008-11-10 Scribe(s): Marcus Forsell Stahre and David Schlyter Lecturer: Douglas Wikström This lecture is a continuation of the previous one, and covers modular arithmetic and topics from a branch of number theory known as elementary number theory. Also, some abstract algebra will be discussed. 1 Greatest Common Divisor Definition 1.1 If an integer d divides another integer n with no remainder, d is said to be a divisor of n. That is, there exists an integer a such that a · d = n. The notation for this is d | n. Definition 1.2 A common divisor of two non-zero integers m and n is a positive integer d, such that d | m and d | n. Definition 1.3 The Greatest Common Divisor (GCD) of two positive integers m and n is a common divisor d such that every other common divisor d0 | d. The notation for this is GCD(m, n) = d. That is, the GCD of two numbers is the greatest number that is a divisor of both of them. To get an intuition of what GCD is, let’s have a look at this example. Example Calculate GCD(9, 6). Say we have 9 black and 6 white blocks. We want to put the blocks in boxes, but every box has to be the same size, and can only hold blocks of the same color. Also, all the boxes must be full and as large as possible . Let’s for example say we choose a box of size 2: As we can see, the last box of black bricks is not full.
  • An Analysis of Primality Testing and Its Use in Cryptographic Applications

    An Analysis of Primality Testing and Its Use in Cryptographic Applications

    An Analysis of Primality Testing and Its Use in Cryptographic Applications Jake Massimo Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Information Security Royal Holloway, University of London 2020 Declaration These doctoral studies were conducted under the supervision of Prof. Kenneth G. Paterson. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathe- matics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jake Massimo April, 2020 2 Abstract Due to their fundamental utility within cryptography, prime numbers must be easy to both recognise and generate. For this, we depend upon primality testing. Both used as a tool to validate prime parameters, or as part of the algorithm used to generate random prime numbers, primality tests are found near universally within a cryptographer's tool-kit. In this thesis, we study in depth primality tests and their use in cryptographic applications. We first provide a systematic analysis of the implementation landscape of primality testing within cryptographic libraries and mathematical software. We then demon- strate how these tests perform under adversarial conditions, where the numbers being tested are not generated randomly, but instead by a possibly malicious party. We show that many of the libraries studied provide primality tests that are not pre- pared for testing on adversarial input, and therefore can declare composite numbers as being prime with a high probability.
  • Triangular Numbers /, 3,6, 10, 15, ", Tn,'" »*"

    Triangular Numbers /, 3,6, 10, 15, ", Tn,'" »*"

    TRIANGULAR NUMBERS V.E. HOGGATT, JR., and IVIARJORIE BICKWELL San Jose State University, San Jose, California 9111112 1. INTRODUCTION To Fibonacci is attributed the arithmetic triangle of odd numbers, in which the nth row has n entries, the cen- ter element is n* for even /?, and the row sum is n3. (See Stanley Bezuszka [11].) FIBONACCI'S TRIANGLE SUMS / 1 =:1 3 3 5 8 = 2s 7 9 11 27 = 33 13 15 17 19 64 = 4$ 21 23 25 27 29 125 = 5s We wish to derive some results here concerning the triangular numbers /, 3,6, 10, 15, ", Tn,'" »*". If one o b - serves how they are defined geometrically, 1 3 6 10 • - one easily sees that (1.1) Tn - 1+2+3 + .- +n = n(n±M and (1.2) • Tn+1 = Tn+(n+1) . By noticing that two adjacent arrays form a square, such as 3 + 6 = 9 '.'.?. we are led to 2 (1.3) n = Tn + Tn„7 , which can be verified using (1.1). This also provides an identity for triangular numbers in terms of subscripts which are also triangular numbers, T =T + T (1-4) n Tn Tn-1 • Since every odd number is the difference of two consecutive squares, it is informative to rewrite Fibonacci's tri- angle of odd numbers: 221 222 TRIANGULAR NUMBERS [OCT. FIBONACCI'S TRIANGLE SUMS f^-O2) Tf-T* (2* -I2) (32-22) Ti-Tf (42-32) (52-42) (62-52) Ti-Tl•2 (72-62) (82-72) (9*-82) (Kp-92) Tl-Tl Upon comparing with the first array, it would appear that the difference of the squares of two consecutive tri- angular numbers is a perfect cube.
  • FACTORING COMPOSITES TESTING PRIMES Amin Witno

    FACTORING COMPOSITES TESTING PRIMES Amin Witno

    WON Series in Discrete Mathematics and Modern Algebra Volume 3 FACTORING COMPOSITES TESTING PRIMES Amin Witno Preface These notes were used for the lectures in Math 472 (Computational Number Theory) at Philadelphia University, Jordan.1 The module was aborted in 2012, and since then this last edition has been preserved and updated only for minor corrections. Outline notes are more like a revision. No student is expected to fully benefit from these notes unless they have regularly attended the lectures. 1 The RSA Cryptosystem Sensitive messages, when transferred over the internet, need to be encrypted, i.e., changed into a secret code in such a way that only the intended receiver who has the secret key is able to read it. It is common that alphabetical characters are converted to their numerical ASCII equivalents before they are encrypted, hence the coded message will look like integer strings. The RSA algorithm is an encryption-decryption process which is widely employed today. In practice, the encryption key can be made public, and doing so will not risk the security of the system. This feature is a characteristic of the so-called public-key cryptosystem. Ali selects two distinct primes p and q which are very large, over a hundred digits each. He computes n = pq, ϕ = (p − 1)(q − 1), and determines a rather small number e which will serve as the encryption key, making sure that e has no common factor with ϕ. He then chooses another integer d < n satisfying de % ϕ = 1; This d is his decryption key. When all is ready, Ali gives to Beth the pair (n; e) and keeps the rest secret.
  • The Pseudoprimes to 25 • 109

    The Pseudoprimes to 25 • 109

    MATHEMATICS OF COMPUTATION, VOLUME 35, NUMBER 151 JULY 1980, PAGES 1003-1026 The Pseudoprimes to 25 • 109 By Carl Pomerance, J. L. Selfridge and Samuel S. Wagstaff, Jr. Abstract. The odd composite n < 25 • 10 such that 2n_1 = 1 (mod n) have been determined and their distribution tabulated. We investigate the properties of three special types of pseudoprimes: Euler pseudoprimes, strong pseudoprimes, and Car- michael numbers. The theoretical upper bound and the heuristic lower bound due to Erdös for the counting function of the Carmichael numbers are both sharpened. Several new quick tests for primality are proposed, including some which combine pseudoprimes with Lucas sequences. 1. Introduction. According to Fermat's "Little Theorem", if p is prime and (a, p) = 1, then ap~1 = 1 (mod p). This theorem provides a "test" for primality which is very often correct: Given a large odd integer p, choose some a satisfying 1 <a <p - 1 and compute ap~1 (mod p). If ap~1 pi (mod p), then p is certainly composite. If ap~l = 1 (mod p), then p is probably prime. Odd composite numbers n for which (1) a"_1 = l (mod«) are called pseudoprimes to base a (psp(a)). (For simplicity, a can be any positive in- teger in this definition. We could let a be negative with little additional work. In the last 15 years, some authors have used pseudoprime (base a) to mean any number n > 1 satisfying (1), whether composite or prime.) It is well known that for each base a, there are infinitely many pseudoprimes to base a.
  • Primes and Primality Testing

    Primes and Primality Testing

    Primes and Primality Testing A Technological/Historical Perspective Jennifer Ellis Department of Mathematics and Computer Science What is a prime number? A number p greater than one is prime if and only if the only divisors of p are 1 and p. Examples: 2, 3, 5, and 7 A few larger examples: 71887 524287 65537 2127 1 Primality Testing: Origins Eratosthenes: Developed “sieve” method 276-194 B.C. Nicknamed Beta – “second place” in many different academic disciplines Also made contributions to www-history.mcs.st- geometry, approximation of andrews.ac.uk/PictDisplay/Eratosthenes.html the Earth’s circumference Sieve of Eratosthenes 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 Sieve of Eratosthenes We only need to “sieve” the multiples of numbers less than 10. Why? (10)(10)=100 (p)(q)<=100 Consider pq where p>10. Then for pq <=100, q must be less than 10. By sieving all the multiples of numbers less than 10 (here, multiples of q), we have removed all composite numbers less than 100.
  • A Clasification of Known Root Prime-Generating

    A Clasification of Known Root Prime-Generating

    Special properties of the first absolute Fermat pseudoprime, the number 561 Marius Coman Bucuresti, Romania email: [email protected] Abstract. Though is the first Carmichael number, the number 561 doesn’t have the same fame as the third absolute Fermat pseudoprime, the Hardy-Ramanujan number, 1729. I try here to repair this injustice showing few special properties of the number 561. I will just list (not in the order that I value them, because there is not such an order, I value them all equally as a result of my more or less inspired work, though they may or not “open a path”) the interesting properties that I found regarding the number 561, in relation with other Carmichael numbers, other Fermat pseudoprimes to base 2, with primes or other integers. 1. The number 2*(3 + 1)*(11 + 1)*(17 + 1) + 1, where 3, 11 and 17 are the prime factors of the number 561, is equal to 1729. On the other side, the number 2*lcm((7 + 1),(13 + 1),(19 + 1)) + 1, where 7, 13 and 19 are the prime factors of the number 1729, is equal to 561. We have so a function on the prime factors of 561 from which we obtain 1729 and a function on the prime factors of 1729 from which we obtain 561. Note: The formula N = 2*(d1 + 1)*...*(dn + 1) + 1, where d1, d2, ...,dn are the prime divisors of a Carmichael number, leads to interesting results (see the sequence A216646 in OEIS); the formula M = 2*lcm((d1 + 1),...,(dn + 1)) + 1 also leads to interesting results (see the sequence A216404 in OEIS).
  • Arxiv:1412.5226V1 [Math.NT] 16 Dec 2014 Hoe 11

    Arxiv:1412.5226V1 [Math.NT] 16 Dec 2014 Hoe 11

    q-PSEUDOPRIMALITY: A NATURAL GENERALIZATION OF STRONG PSEUDOPRIMALITY JOHN H. CASTILLO, GILBERTO GARC´IA-PULGAR´IN, AND JUAN MIGUEL VELASQUEZ-SOTO´ Abstract. In this work we present a natural generalization of strong pseudoprime to base b, which we have called q-pseudoprime to base b. It allows us to present another way to define a Midy’s number to base b (overpseudoprime to base b). Besides, we count the bases b such that N is a q-probable prime base b and those ones such that N is a Midy’s number to base b. Furthemore, we prove that there is not a concept analogous to Carmichael numbers to q-probable prime to base b as with the concept of strong pseudoprimes to base b. 1. Introduction Recently, Grau et al. [7] gave a generalization of Pocklignton’s Theorem (also known as Proth’s Theorem) and Miller-Rabin primality test, it takes as reference some works of Berrizbeitia, [1, 2], where it is presented an extension to the concept of strong pseudoprime, called ω-primes. As Grau et al. said it is right, but its application is not too good because it is needed m-th primitive roots of unity, see [7, 12]. In [7], it is defined when an integer N is a p-strong probable prime base a, for p a prime divisor of N −1 and gcd(a, N) = 1. In a reading of that paper, we discovered that if a number N is a p-strong probable prime to base 2 for each p prime divisor of N − 1, it is actually a Midy’s number or a overpseu- doprime number to base 2.
  • Elementary Number Theory

    Elementary Number Theory

    Elementary Number Theory Peter Hackman HHH Productions November 5, 2007 ii c P Hackman, 2007. Contents Preface ix A Divisibility, Unique Factorization 1 A.I The gcd and B´ezout . 1 A.II Two Divisibility Theorems . 6 A.III Unique Factorization . 8 A.IV Residue Classes, Congruences . 11 A.V Order, Little Fermat, Euler . 20 A.VI A Brief Account of RSA . 32 B Congruences. The CRT. 35 B.I The Chinese Remainder Theorem . 35 B.II Euler’s Phi Function Revisited . 42 * B.III General CRT . 46 B.IV Application to Algebraic Congruences . 51 B.V Linear Congruences . 52 B.VI Congruences Modulo a Prime . 54 B.VII Modulo a Prime Power . 58 C Primitive Roots 67 iii iv CONTENTS C.I False Cases Excluded . 67 C.II Primitive Roots Modulo a Prime . 70 C.III Binomial Congruences . 73 C.IV Prime Powers . 78 C.V The Carmichael Exponent . 85 * C.VI Pseudorandom Sequences . 89 C.VII Discrete Logarithms . 91 * C.VIII Computing Discrete Logarithms . 92 D Quadratic Reciprocity 103 D.I The Legendre Symbol . 103 D.II The Jacobi Symbol . 114 D.III A Cryptographic Application . 119 D.IV Gauß’ Lemma . 119 D.V The “Rectangle Proof” . 123 D.VI Gerstenhaber’s Proof . 125 * D.VII Zolotareff’s Proof . 127 E Some Diophantine Problems 139 E.I Primes as Sums of Squares . 139 E.II Composite Numbers . 146 E.III Another Diophantine Problem . 152 E.IV Modular Square Roots . 156 E.V Applications . 161 F Multiplicative Functions 163 F.I Definitions and Examples . 163 CONTENTS v F.II The Dirichlet Product .
  • Anomalous Primes and Extension of the Korselt Criterion

    Anomalous Primes and Extension of the Korselt Criterion

    Anomalous Primes and Extension of the Korselt Criterion Liljana Babinkostova1, Brad Bentz2, Morad Hassan3, André Hernández-Espiet4, Hyun Jong Kim5 1Boise State University, 2Brown University, 3Emory University, 4University of Puerto Rico, 5Massachusetts Institute of Technology Motivation Elliptic Korselt Criteria Lucas Pseudoprimes Cryptosystems in ubiquitous commercial use base their security on the dif- ficulty of factoring. Deployment of these schemes necessitate reliable, ef- Korselt Criteria for Euler and Strong Elliptic Carmichael Numbers Lucas Groups ficient methods of recognizing the primality of a number. A number that ordp(N) D; N L passes a probabilistic test, but is in fact composite is known as a pseu- Let N;p(E) be the exponent of E Z=p Z . Then, N is an Euler Let be coprime integers. The Lucas group Z=NZ is defined on elliptic Carmichael number if and only if, for every prime p dividing N, 2 2 2 doprime. A pseudoprime that passes such test for any base is known as a LZ=NZ = f(x; y) 2 (Z=NZ) j x − Dy ≡ 1 (mod N)g: Carmichael number. The focus of this research is analysis of types of pseu- 2N;p j (N + 1 − aN) : doprimes that arise from elliptic curves and from group structures derived t (N + 1 − a ) N If is the largest odd divisor of N , then is a strong elliptic Algebraic Structure of Lucas Groups from Lucas sequences [2]. We extend the Korselt criterion presented in [3] Carmichael number if and only if, for every prime p dividing N, for two important classes of elliptic pseudoprimes and deduce some of their If p is a prime and D is an integer coprime to p, then L e is a cyclic properties.
  • Composite Numbers That Give Valid RSA Key Pairs for Any Coprime P

    Composite Numbers That Give Valid RSA Key Pairs for Any Coprime P

    information Article Composite Numbers That Give Valid RSA Key Pairs for Any Coprime p Barry Fagin ID Department of Computer Science, US Air Force Academy, Colorado Springs, CO 80840, USA; [email protected]; Tel.: +1-719-339-4514 Received: 13 August 2018; Accepted: 25 August 2018; Published: 28 August 2018 Abstract: RSA key pairs are normally generated from two large primes p and q. We consider what happens if they are generated from two integers s and r, where r is prime, but unbeknownst to the user, s is not. Under most circumstances, the correctness of encryption and decryption depends on the choice of the public and private exponents e and d. In some cases, specific (s, r) pairs can be found for which encryption and decryption will be correct for any (e, d) exponent pair. Certain s exist, however, for which encryption and decryption are correct for any odd prime r - s. We give necessary and sufficient conditions for s with this property. Keywords: cryptography; abstract algebra; RSA; computer science education; cryptography education MSC: [2010] 11Axx 11T71 1. Notation and Background Consider the RSA public-key cryptosystem and its operations of encryption and decryption [1]. Let (p, q) be primes, n = p ∗ q, f(n) = (p − 1)(q − 1) denote Euler’s totient function and (e, d) the ∗ Z encryption/decryption exponent pair chosen such that ed ≡ 1. Let n = Un be the group of units f(n) Z mod n, and let a 2 Un. Encryption and decryption operations are given by: (ae)d ≡ (aed) ≡ (a1) ≡ a mod n We consider the case of RSA encryption and decryption where at least one of (p, q) is a composite number s.