Notes on Primality Testing and Public Key Cryptography Part 1: Randomized Algorithms Miller–Rabin and Solovay–Strassen Tests
Total Page:16
File Type:pdf, Size:1020Kb
Notes on Primality Testing And Public Key Cryptography Part 1: Randomized Algorithms Miller{Rabin and Solovay{Strassen Tests Jean Gallier and Jocelyn Quaintance Department of Computer and Information Science University of Pennsylvania Philadelphia, PA 19104, USA e-mail: [email protected] c Jean Gallier February 27, 2019 Contents Contents 2 1 Introduction 5 1.1 Prime Numbers and Composite Numbers . 5 1.2 Methods for Primality Testing . 6 1.3 Some Tests for Compositeness . 9 2 Public Key Cryptography 13 2.1 Public Key Cryptography; The RSA System . 13 2.2 Correctness of The RSA System . 18 2.3 Algorithms for Computing Powers and Inverses Modulo m . 22 2.4 Finding Large Primes; Signatures; Safety of RSA . 26 3 Primality Testing Using Randomized Algorithms 33 4 Basic Facts About Groups, and Number Theory 37 4.1 Groups, Subgroups, Cosets . 37 4.2 Cyclic Groups . 50 4.3 Rings and Fields . 60 4.4 Primitive Roots . 67 4.5 Which Groups (Z=nZ)∗ Have Primitive Roots . 75 4.6 The Lucas Theorem, PRIMES is in NP .................... 80 4.7 The Structure of Finite Fields . 90 5 The Miller{Rabin Test 93 5.1 Square Roots of Unity . 94 5.2 The Fermat Test; F -Witnesses and F -Liars . 96 5.3 Carmichael Numbers . 99 5.4 The Miller{Rabin Test; MR-Witnesses and MR-Liars . 103 5.5 The Monier{Rabin Bound on the Size of the Set of MR-Liars . 116 5.6 The Least MR-Witness for n . 121 6 The Solovay{Strassen Test 125 6.1 Quadratic Residues . 125 2 CONTENTS 3 6.2 The Legendre Symbol . 127 6.3 The Jacobi Symbol . 134 6.4 The Solovay{Strassen Test; E-Witnesses and E-Liars . 137 6.5 The Quadratic Reciprocity Law . 140 6.6 A Randomized Algorithm to Find a Square Root mod p . 144 6.7 Proof of the Quadratic Reciprocity Law . 150 6.8 Eisenstein's Proof of the Quadratic Reciprocity Law . 155 6.9 Strong Pseudoprimes are Euler Pseudoprimes . 158 Bibliography 163 4 CONTENTS Chapter 1 Introduction 1.1 Prime Numbers and Composite Numbers Prime numbers have fascinated mathematicians and more generally curious minds for thou- sands of years. What is a prime number? Well, 2; 3; 5; 7; 11; 13;:::; 9973 are prime numbers. The defining property of a prime number p is that it is a positive integer p ≥ 2 that is only divisible by 1 and p. Equivalently, p is prime if and only if p is a positive integer p ≥ 2 that is not divisible by any integer m such that 2 ≤ m < p. A positive integer n ≥ 2 which is not prime is called composite. Observe that the number 1 is considered neither a prime nor a composite. For example, 6 = 2 · 3 is composite. Is 3 215 031 751 composite? Yes, because 3 215 031 751 = 151 · 751 · 28351: The above number has the remarkable property of being the only composite integer less than 25 · 109 which a strong pseudoprime simultaneously to the bases 2; 3; 5; 7; see Definition 5.5, and Ribenboim [18] (Chapter 2, Section XI). Even though the definition of primality is very simple, the structure of the set of prime numbers is highly nontrivial. The prime numbers are the basic building blocks of the natu- ral numbers because of the following theorem bearing the impressive name of fundamental theorem of arithmetic. Theorem 1.1. Every natural number n ≥ 2 has a unique factorization i1 i2 ik n = p1 p2 ··· pk ; where the exponents i1; : : : ; ik are positive integers and p1 < p2 < ··· < pk are primes. Every book on number theory has a proof of Theorem 1.1. The proof is not difficult and uses induction. It has two parts. The first part shows the existence of a factorization. The second part shows its uniqueness. For example, see Apostol [1] (Chapter 1, Theorem 1.10). How many prime numbers are there? Many! In fact, infinitely many. 5 6 CHAPTER 1. INTRODUCTION Theorem 1.2. The set of prime numbers is infinite. Proof. We give three proofs. These proofs only use the fact that every integer greater than 1 has some prime divisor. (1) (Euclid) Suppose that p1 = 2 < p2 = 3 < ··· < pm are all the primes. Consider N = p1p2 ··· pm + 1. The number N must be divisible by some prime p (p = N is possible). Then p must be one of the pi, so p = pi divides N − p1p2 ··· pm = 1, contradicting the fact that pi ≥ 2. (2) (Kummer) Suppose that p1 = 2 < p2 = 3 < ··· < pm are all the primes, as in (1), but this time let N = p1p2 ··· pm. Observe that N > 2. The number N − 1 must be divisible by one of the primes pi (pi = N − 1 is possible). But if pi divides N − 1, then pi divides N − (N − 1) = 1, a contradiction. (3) (Hermite) We prove that for every natural number n ≥ 2, there is some prime p > n. Consider N = n! + 1. The number N must be divisible by some prime p (p = N is possible). Any prime p dividing N is distinct from 2; 3; : : : ; n, since otherwise p would divide N − n! = 1, a contradiction. There are many more proofs; see Ribenboim [18]. The problem of determining whether a given integer is prime is one of the better known and most easily understood problems of pure mathematics. This problem has caught the interest of mathematicians again and again for centuries. However, it was not until the 20th century that questions about primality testing and factoring were recognized as problems of practical importance, and a central part of applied mathematics. The advent of cryp- tographic systems that use large primes, such as RSA, was the main driving force for the development of fast and reliable methods for primality testing. Indeed, as we see in Chapter 2, in order to create RSA keys, one needs to produce large prime numbers. How do we do that? 1.2 Methods for Primality Testing The general strategy to test whether an integer n > 2 is prime or composite is to choose some property, say A, implied by primality, and to search for a counterexample a to this property for the number n, namely some a for which property A fails. We look for properties for which checking that a candidate a is indeed a countexample can be done quickly. Typically, together with the number n being tested for primality, some candidate coun- terexample a is supplied to an algorithm which runs a test to determine whether a is really a counterexample to property A for n. If the test says that a is a counterexample, also called a witness, then we know for sure that n is composite. If the algorithm reports that a is not a witness to the fact that n is composite, does this imply that n is prime? Unfortunately, no. 1.2. METHODS FOR PRIMALITY TESTING 7 This is because, there may be some composite number n and some candidate counterexample a for which the test says that a is not a countexample. Such a number a is called a liar. The other reason is that we haven't tested all the candidate counterexamples a for n. The remedy is to make sure that we pick a property A such that if n is composite, then at least some candidate a is not a liar, and to test all potential countexamples a. The difficulty is that trying all candidate countexamples can be too expensive to be practical. The following analogy may be helpful to understand the nature of such a method. Sup- pose we have a population and we are interested in determining whether some individual is rich or not (we will say that someone who is not rich is poor). Every individual n has several bank accounts a, and there is a test to check whether a bank account a has a negative balance. The test has the property that if it is applied to an individual n and to one of its bank accounts a, and if it is positive (it says that account a has a negative balance), then the individual n is definitely poor. Note that we are assuming that a rich person is honest, namely that all bank accounts of a rich person have a nonnegative balance. This may be an unrealistic assumption. But if the test is negative (which means that account a has a nonnegative balance), this does not imply that n is rich. The problem is that the test may not be 100% reliable. It is possible that an individual n is poor, yet the test is negative for account a (account a has a nonnegative balance). We may also not have tested all the accounts of n. One way to deal with this problem is to use probabilities. If we know that the conditional probability that the test is positive for some account a given that n is poor is greater than p ≥ 1=2, then we can apply the test to ` accounts chosen independently at random. It is easy to show that the conditional probability that the test is negative ` times given that an individual n is poor is less than (1 − p)`. For p close to 1 and ` large enough, this probability is very small. Thus, if we have high confidence in the test (p is close to 1) and if an individual n is poor, it is very unlikely that the test will be negative ` times. Actually, what we would really like to know is the conditional probability that the indi- vidual n is rich given that the test is negative ` times.