12 Primality Proving
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Fast Tabulation of Challenge Pseudoprimes Andrew Shallue and Jonathan Webster
THE OPEN BOOK SERIES 2 ANTS XIII Proceedings of the Thirteenth Algorithmic Number Theory Symposium Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster msp THE OPEN BOOK SERIES 2 (2019) Thirteenth Algorithmic Number Theory Symposium msp dx.doi.org/10.2140/obs.2019.2.411 Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster We provide a new algorithm for tabulating composite numbers which are pseudoprimes to both a Fermat test and a Lucas test. Our algorithm is optimized for parameter choices that minimize the occurrence of pseudoprimes, and for pseudoprimes with a fixed number of prime factors. Using this, we have confirmed that there are no PSW-challenge pseudoprimes with two or three prime factors up to 280. In the case where one is tabulating challenge pseudoprimes with a fixed number of prime factors, we prove our algorithm gives an unconditional asymptotic improvement over previous methods. 1. Introduction Pomerance, Selfridge, and Wagstaff famously offered $620 for a composite n that satisfies (1) 2n 1 1 .mod n/ so n is a base-2 Fermat pseudoprime, Á (2) .5 n/ 1 so n is not a square modulo 5, and j D (3) Fn 1 0 .mod n/ so n is a Fibonacci pseudoprime, C Á or to prove that no such n exists. We call composites that satisfy these conditions PSW-challenge pseudo- primes. In[PSW80] they credit R. Baillie with the discovery that combining a Fermat test with a Lucas test (with a certain specific parameter choice) makes for an especially effective primality test[BW80]. -
Classics Revisited: El´ Ements´ De Geom´ Etrie´ Algebrique´
Noname manuscript No. (will be inserted by the editor) Classics Revisited: El´ ements´ de Geom´ etrie´ Algebrique´ Ulrich Gortz¨ Received: date / Accepted: date Abstract About 50 years ago, El´ ements´ de Geom´ etrie´ Algebrique´ (EGA) by A. Grothen- dieck and J. Dieudonne´ appeared, an encyclopedic work on the foundations of Grothen- dieck’s algebraic geometry. We sketch some of the most important concepts developed there, comparing it to the classical language, and mention a few results in algebraic and arithmetic geometry which have since been proved using the new framework. Keywords El´ ements´ de Geom´ etrie´ Algebrique´ · Algebraic Geometry · Schemes Contents 1 Introduction . .2 2 Classical algebraic geometry . .3 2.1 Algebraic sets in affine space . .3 2.2 Basic algebraic results . .4 2.3 Projective space . .6 2.4 Smoothness . .8 2.5 Elliptic curves . .9 2.6 The search for new foundations of algebraic geometry . 10 2.7 The Weil Conjectures . 11 3 The Language of Schemes . 12 3.1 Affine schemes . 13 3.2 Sheaves . 15 3.3 The notion of scheme . 20 3.4 The arithmetic situation . 22 4 The categorical point of view . 23 4.1 Morphisms . 23 4.2 Fiber products . 24 4.3 Properties of morphisms . 28 4.4 Parameter Spaces and Representable Functors . 30 4.5 The Yoneda Lemma . 33 4.6 Group schemes . 34 5 Moduli spaces . 36 5.1 Coming back to moduli spaces of curves . 36 U. Gortz¨ University of Duisburg-Essen, Fakultat¨ fur¨ Mathematik, 45117 Essen, Germany E-mail: [email protected] 2 Ulrich Gortz¨ 5.2 Deformation theory . -
Primality Testing and Integer Factorisation
Primality Testing and Integer Factorisation Richard P. Brent, FAA Computer Sciences Laboratory Australian National University Canberra, ACT 2601 Abstract The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several recent algorithms for primality testing and factorisation, give examples of their use and outline some applications. 1. Introduction It has been known since Euclid’s time (though first clearly stated and proved by Gauss in 1801) that any natural number N has a unique prime power decomposition α1 α2 αk N = p1 p2 ··· pk (1.1) αj (p1 < p2 < ··· < pk rational primes, αj > 0). The prime powers pj are called αj components of N, and we write pj kN. To compute the prime power decomposition we need – 1. An algorithm to test if an integer N is prime. 2. An algorithm to find a nontrivial factor f of a composite integer N. Given these there is a simple recursive algorithm to compute (1.1): if N is prime then stop, otherwise 1. find a nontrivial factor f of N; 2. -
An Analysis of Primality Testing and Its Use in Cryptographic Applications
An Analysis of Primality Testing and Its Use in Cryptographic Applications Jake Massimo Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Information Security Royal Holloway, University of London 2020 Declaration These doctoral studies were conducted under the supervision of Prof. Kenneth G. Paterson. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathe- matics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jake Massimo April, 2020 2 Abstract Due to their fundamental utility within cryptography, prime numbers must be easy to both recognise and generate. For this, we depend upon primality testing. Both used as a tool to validate prime parameters, or as part of the algorithm used to generate random prime numbers, primality tests are found near universally within a cryptographer's tool-kit. In this thesis, we study in depth primality tests and their use in cryptographic applications. We first provide a systematic analysis of the implementation landscape of primality testing within cryptographic libraries and mathematical software. We then demon- strate how these tests perform under adversarial conditions, where the numbers being tested are not generated randomly, but instead by a possibly malicious party. We show that many of the libraries studied provide primality tests that are not pre- pared for testing on adversarial input, and therefore can declare composite numbers as being prime with a high probability. -
Fast Generation of RSA Keys Using Smooth Integers
1 Fast Generation of RSA Keys using Smooth Integers Vassil Dimitrov, Luigi Vigneri and Vidal Attias Abstract—Primality generation is the cornerstone of several essential cryptographic systems. The problem has been a subject of deep investigations, but there is still a substantial room for improvements. Typically, the algorithms used have two parts – trial divisions aimed at eliminating numbers with small prime factors and primality tests based on an easy-to-compute statement that is valid for primes and invalid for composites. In this paper, we will showcase a technique that will eliminate the first phase of the primality testing algorithms. The computational simulations show a reduction of the primality generation time by about 30% in the case of 1024-bit RSA key pairs. This can be particularly beneficial in the case of decentralized environments for shared RSA keys as the initial trial division part of the key generation algorithms can be avoided at no cost. This also significantly reduces the communication complexity. Another essential contribution of the paper is the introduction of a new one-way function that is computationally simpler than the existing ones used in public-key cryptography. This function can be used to create new random number generators, and it also could be potentially used for designing entirely new public-key encryption systems. Index Terms—Multiple-base Representations, Public-Key Cryptography, Primality Testing, Computational Number Theory, RSA ✦ 1 INTRODUCTION 1.1 Fast generation of prime numbers DDITIVE number theory is a fascinating area of The generation of prime numbers is a cornerstone of A mathematics. In it one can find problems with cryptographic systems such as the RSA cryptosystem. -
The Pseudoprimes to 25 • 109
MATHEMATICS OF COMPUTATION, VOLUME 35, NUMBER 151 JULY 1980, PAGES 1003-1026 The Pseudoprimes to 25 • 109 By Carl Pomerance, J. L. Selfridge and Samuel S. Wagstaff, Jr. Abstract. The odd composite n < 25 • 10 such that 2n_1 = 1 (mod n) have been determined and their distribution tabulated. We investigate the properties of three special types of pseudoprimes: Euler pseudoprimes, strong pseudoprimes, and Car- michael numbers. The theoretical upper bound and the heuristic lower bound due to Erdös for the counting function of the Carmichael numbers are both sharpened. Several new quick tests for primality are proposed, including some which combine pseudoprimes with Lucas sequences. 1. Introduction. According to Fermat's "Little Theorem", if p is prime and (a, p) = 1, then ap~1 = 1 (mod p). This theorem provides a "test" for primality which is very often correct: Given a large odd integer p, choose some a satisfying 1 <a <p - 1 and compute ap~1 (mod p). If ap~1 pi (mod p), then p is certainly composite. If ap~l = 1 (mod p), then p is probably prime. Odd composite numbers n for which (1) a"_1 = l (mod«) are called pseudoprimes to base a (psp(a)). (For simplicity, a can be any positive in- teger in this definition. We could let a be negative with little additional work. In the last 15 years, some authors have used pseudoprime (base a) to mean any number n > 1 satisfying (1), whether composite or prime.) It is well known that for each base a, there are infinitely many pseudoprimes to base a. -
Primes and Primality Testing
Primes and Primality Testing A Technological/Historical Perspective Jennifer Ellis Department of Mathematics and Computer Science What is a prime number? A number p greater than one is prime if and only if the only divisors of p are 1 and p. Examples: 2, 3, 5, and 7 A few larger examples: 71887 524287 65537 2127 1 Primality Testing: Origins Eratosthenes: Developed “sieve” method 276-194 B.C. Nicknamed Beta – “second place” in many different academic disciplines Also made contributions to www-history.mcs.st- geometry, approximation of andrews.ac.uk/PictDisplay/Eratosthenes.html the Earth’s circumference Sieve of Eratosthenes 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 Sieve of Eratosthenes We only need to “sieve” the multiples of numbers less than 10. Why? (10)(10)=100 (p)(q)<=100 Consider pq where p>10. Then for pq <=100, q must be less than 10. By sieving all the multiples of numbers less than 10 (here, multiples of q), we have removed all composite numbers less than 100. -
The Quadratic Sieve Factoring Algorithm
The Quadratic Sieve Factoring Algorithm Eric Landquist MATH 488: Cryptographic Algorithms December 14, 2001 1 1 Introduction Mathematicians have been attempting to find better and faster ways to fac- tor composite numbers since the beginning of time. Initially this involved dividing a number by larger and larger primes until you had the factoriza- tion. This trial division was not improved upon until Fermat applied the factorization of the difference of two squares: a2 b2 = (a b)(a + b). In his method, we begin with the number to be factored:− n. We− find the smallest square larger than n, and test to see if the difference is square. If so, then we can apply the trick of factoring the difference of two squares to find the factors of n. If the difference is not a perfect square, then we find the next largest square, and repeat the process. While Fermat's method is much faster than trial division, when it comes to the real world of factoring, for example factoring an RSA modulus several hundred digits long, the purely iterative method of Fermat is too slow. Sev- eral other methods have been presented, such as the Elliptic Curve Method discovered by H. Lenstra in 1987 and a pair of probabilistic methods by Pollard in the mid 70's, the p 1 method and the ρ method. The fastest algorithms, however, utilize the− same trick as Fermat, examples of which are the Continued Fraction Method, the Quadratic Sieve (and it variants), and the Number Field Sieve (and its variants). The exception to this is the El- liptic Curve Method, which runs almost as fast as the Quadratic Sieve. -
Composite Numbers That Give Valid RSA Key Pairs for Any Coprime P
information Article Composite Numbers That Give Valid RSA Key Pairs for Any Coprime p Barry Fagin ID Department of Computer Science, US Air Force Academy, Colorado Springs, CO 80840, USA; [email protected]; Tel.: +1-719-339-4514 Received: 13 August 2018; Accepted: 25 August 2018; Published: 28 August 2018 Abstract: RSA key pairs are normally generated from two large primes p and q. We consider what happens if they are generated from two integers s and r, where r is prime, but unbeknownst to the user, s is not. Under most circumstances, the correctness of encryption and decryption depends on the choice of the public and private exponents e and d. In some cases, specific (s, r) pairs can be found for which encryption and decryption will be correct for any (e, d) exponent pair. Certain s exist, however, for which encryption and decryption are correct for any odd prime r - s. We give necessary and sufficient conditions for s with this property. Keywords: cryptography; abstract algebra; RSA; computer science education; cryptography education MSC: [2010] 11Axx 11T71 1. Notation and Background Consider the RSA public-key cryptosystem and its operations of encryption and decryption [1]. Let (p, q) be primes, n = p ∗ q, f(n) = (p − 1)(q − 1) denote Euler’s totient function and (e, d) the ∗ Z encryption/decryption exponent pair chosen such that ed ≡ 1. Let n = Un be the group of units f(n) Z mod n, and let a 2 Un. Encryption and decryption operations are given by: (ae)d ≡ (aed) ≡ (a1) ≡ a mod n We consider the case of RSA encryption and decryption where at least one of (p, q) is a composite number s. -
Primality Testing for Beginners
STUDENT MATHEMATICAL LIBRARY Volume 70 Primality Testing for Beginners Lasse Rempe-Gillen Rebecca Waldecker http://dx.doi.org/10.1090/stml/070 Primality Testing for Beginners STUDENT MATHEMATICAL LIBRARY Volume 70 Primality Testing for Beginners Lasse Rempe-Gillen Rebecca Waldecker American Mathematical Society Providence, Rhode Island Editorial Board Satyan L. Devadoss John Stillwell Gerald B. Folland (Chair) Serge Tabachnikov The cover illustration is a variant of the Sieve of Eratosthenes (Sec- tion 1.5), showing the integers from 1 to 2704 colored by the number of their prime factors, including repeats. The illustration was created us- ing MATLAB. The back cover shows a phase plot of the Riemann zeta function (see Appendix A), which appears courtesy of Elias Wegert (www.visual.wegert.com). 2010 Mathematics Subject Classification. Primary 11-01, 11-02, 11Axx, 11Y11, 11Y16. For additional information and updates on this book, visit www.ams.org/bookpages/stml-70 Library of Congress Cataloging-in-Publication Data Rempe-Gillen, Lasse, 1978– author. [Primzahltests f¨ur Einsteiger. English] Primality testing for beginners / Lasse Rempe-Gillen, Rebecca Waldecker. pages cm. — (Student mathematical library ; volume 70) Translation of: Primzahltests f¨ur Einsteiger : Zahlentheorie - Algorithmik - Kryptographie. Includes bibliographical references and index. ISBN 978-0-8218-9883-3 (alk. paper) 1. Number theory. I. Waldecker, Rebecca, 1979– author. II. Title. QA241.R45813 2014 512.72—dc23 2013032423 Copying and reprinting. Individual readers of this publication, and nonprofit libraries acting for them, are permitted to make fair use of the material, such as to copy a chapter for use in teaching or research. Permission is granted to quote brief passages from this publication in reviews, provided the customary acknowledgment of the source is given. -
The Distribution of Pseudoprimes
The Distribution of Pseudoprimes Matt Green September, 2002 The RSA crypto-system relies on the availability of very large prime num- bers. Tests for finding these large primes can be categorized as deterministic and probabilistic. Deterministic tests, such as the Sieve of Erastothenes, of- fer a 100 percent assurance that the number tested and passed as prime is actually prime. Despite their refusal to err, deterministic tests are generally not used to find large primes because they are very slow (with the exception of a recently discovered polynomial time algorithm). Probabilistic tests offer a much quicker way to find large primes with only a negligibal amount of error. I have studied a simple, and comparatively to other probabilistic tests, error prone test based on Fermat’s little theorem. Fermat’s little theorem states that if b is a natural number and n a prime then bn−1 ≡ 1 (mod n). To test a number n for primality we pick any natural number less than n and greater than 1 and first see if it is relatively prime to n. If it is, then we use this number as a base b and see if Fermat’s little theorem holds for n and b. If the theorem doesn’t hold, then we know that n is not prime. If the theorem does hold then we can accept n as prime right now, leaving a large chance that we have made an error, or we can test again with a different base. Chances improve that n is prime with every base that passes but for really big numbers it is cumbersome to test all possible bases. -
P-Adic Class Invariants
LMS J. Comput. Math. 14 (2011) 108{126 C 2011 Author doi:10.1112/S1461157009000175e p-adic class invariants Reinier Br¨oker Abstract We develop a new p-adic algorithm to compute the minimal polynomial of a class invariant. Our approach works for virtually any modular function yielding class invariants. The main algorithmic tool is modular polynomials, a concept which we generalize to functions of higher level. 1. Introduction Let K be an imaginary quadratic number field and let O be an order in K. The ring class field HO of the order O is an abelian extension of K, and the Artin map gives an isomorphism s Pic(O) −−! Gal(HO=K) of the Picard group of O with the Galois group of HO=K. In this paper we are interested in explicitly computing ring class fields. Complex multiplication theory provides us with a means of doing so. Letting ∆ denote the discriminant of O, it states that we have j HO = K[X]=(P∆); j where P∆ is the minimal polynomial over Q of the j-invariant of the complex elliptic curve j C=O. This polynomial is called the Hilbert class polynomial. It is a non-trivial fact that P∆ has integer coefficients. The fact that ring class fields are closely linked to j-invariants of elliptic curves has its ramifications outside the context of explicit class field theory. Indeed, if we let p denote a j prime that is not inert in O, then the observation that the roots in Fp of P∆ 2 Fp[X] are j j-invariants of elliptic curves over Fp with endomorphism ring O made computing P∆ a key ingredient in the elliptic curve primality proving algorithm [12].