Primality Testing and the Miller-Rabin Algorithm
J. David Primality Testing and the Miller-Rabin Taylor Algorithm Introduction FA 2018 Cryptography Seminar First Attempt
Second Attempt J. David Taylor
October 12, 2018 Bob needs a pair of large prime numbers!
If p, q are composite, then Bob will need to know how to factor them, and the cipher will be less secure.
Why Primality Testing?
Primality Testing and the Miller-Rabin Algorithm
J. David Taylor Suppose Bob wants to implement RSA. Introduction
First Attempt
Second Attempt If p, q are composite, then Bob will need to know how to factor them, and the cipher will be less secure.
Why Primality Testing?
Primality Testing and the Miller-Rabin Algorithm
J. David Taylor Suppose Bob wants to implement RSA. Introduction First Attempt Bob needs a pair of large prime numbers! Second Attempt and the cipher will be less secure.
Why Primality Testing?
Primality Testing and the Miller-Rabin Algorithm
J. David Taylor Suppose Bob wants to implement RSA. Introduction First Attempt Bob needs a pair of large prime numbers! Second Attempt If p, q are composite, then Bob will need to know how to factor them, Why Primality Testing?
Primality Testing and the Miller-Rabin Algorithm
J. David Taylor Suppose Bob wants to implement RSA. Introduction First Attempt Bob needs a pair of large prime numbers! Second Attempt If p, q are composite, then Bob will need to know how to factor them, and the cipher will be less secure. If Bob can efficiently distinguish prime numbers from composite numbers, then Bob can choose large numbers at random and check which are prime.
Bob wants an efficient algorithm that detects composite numbers.
Why Primality Testing?
Primality Testing and the Miller-Rabin Algorithm The prime number theorem tells us that J. David Taylor N The number of primes ≤ N ≈ Introduction log N First Attempt . Second Attempt Bob wants an efficient algorithm that detects composite numbers.
Why Primality Testing?
Primality Testing and the Miller-Rabin Algorithm The prime number theorem tells us that J. David Taylor N The number of primes ≤ N ≈ Introduction log N First Attempt . Second Attempt If Bob can efficiently distinguish prime numbers from composite numbers, then Bob can choose large numbers at random and check which are prime. Why Primality Testing?
Primality Testing and the Miller-Rabin Algorithm The prime number theorem tells us that J. David Taylor N The number of primes ≤ N ≈ Introduction log N First Attempt . Second Attempt If Bob can efficiently distinguish prime numbers from composite numbers, then Bob can choose large numbers at random and check which are prime.
Bob wants an efficient algorithm that detects composite numbers. Example: Let n = 31987937737479355332620068643713101490952335301.
The congruence ( mod n)
2n−1 ≡ 1281265953551359064133601216247151836053160074
tells Bob that n is not prime!
Fermat’s Little Theorem
Primality Testing and the Miller-Rabin Algorithm Theorem p J. David Let p be a prime number, then a ≡ a mod p for every integer Taylor a. Introduction
First Attempt
Second Attempt The congruence ( mod n)
2n−1 ≡ 1281265953551359064133601216247151836053160074
tells Bob that n is not prime!
Fermat’s Little Theorem
Primality Testing and the Miller-Rabin Algorithm Theorem p J. David Let p be a prime number, then a ≡ a mod p for every integer Taylor a. Introduction First Attempt Example: Let Second Attempt n = 31987937737479355332620068643713101490952335301. Fermat’s Little Theorem
Primality Testing and the Miller-Rabin Algorithm Theorem p J. David Let p be a prime number, then a ≡ a mod p for every integer Taylor a. Introduction First Attempt Example: Let Second Attempt n = 31987937737479355332620068643713101490952335301. The congruence ( mod n)
2n−1 ≡ 1281265953551359064133601216247151836053160074
tells Bob that n is not prime! For example, 2 is a witness for 6, but 3 isn’t.
Idea: Try numbers less than n until you find a witness or try all of them
Witnesses
Primality Testing and the Miller-Rabin Algorithm
J. David Taylor Let a, n be integers. We say that a is a witness for (the Introduction compositeness of) n if an 6≡ a mod n. First Attempt
Second Attempt Idea: Try numbers less than n until you find a witness or try all of them
Witnesses
Primality Testing and the Miller-Rabin Algorithm
J. David Taylor Let a, n be integers. We say that a is a witness for (the Introduction compositeness of) n if an 6≡ a mod n. First Attempt Second For example, 2 is a witness for 6, but 3 isn’t. Attempt Witnesses
Primality Testing and the Miller-Rabin Algorithm
J. David Taylor Let a, n be integers. We say that a is a witness for (the Introduction compositeness of) n if an 6≡ a mod n. First Attempt Second For example, 2 is a witness for 6, but 3 isn’t. Attempt Idea: Try numbers less than n until you find a witness or try all of them (Korselt) Theorem: A positive composite integer n is Carmichael iff n is square-free and p − 1|n − 1 for every prime p|n.
First seven Carmichael numbers are 561, 1105, 1729, 2465, 2821, 6601, and 8911.
(Alfred, Granville, Pomerance) Theorem: There are infinitely many Carmichael numbers
Carmichael Numbers
Primality Testing and the Miller-Rabin Algorithm Composite numbers with no witnesses are called J. David Carmichael numbers. Taylor
Introduction
First Attempt
Second Attempt First seven Carmichael numbers are 561, 1105, 1729, 2465, 2821, 6601, and 8911.
(Alfred, Granville, Pomerance) Theorem: There are infinitely many Carmichael numbers
Carmichael Numbers
Primality Testing and the Miller-Rabin Algorithm Composite numbers with no witnesses are called J. David Carmichael numbers. Taylor
Introduction (Korselt) Theorem: A positive composite integer n is First Attempt Carmichael iff n is square-free and p − 1|n − 1 for every Second prime p|n. Attempt (Alfred, Granville, Pomerance) Theorem: There are infinitely many Carmichael numbers
Carmichael Numbers
Primality Testing and the Miller-Rabin Algorithm Composite numbers with no witnesses are called J. David Carmichael numbers. Taylor
Introduction (Korselt) Theorem: A positive composite integer n is First Attempt Carmichael iff n is square-free and p − 1|n − 1 for every Second prime p|n. Attempt First seven Carmichael numbers are 561, 1105, 1729, 2465, 2821, 6601, and 8911. Carmichael Numbers
Primality Testing and the Miller-Rabin Algorithm Composite numbers with no witnesses are called J. David Carmichael numbers. Taylor
Introduction (Korselt) Theorem: A positive composite integer n is First Attempt Carmichael iff n is square-free and p − 1|n − 1 for every Second prime p|n. Attempt First seven Carmichael numbers are 561, 1105, 1729, 2465, 2821, 6601, and 8911.
(Alfred, Granville, Pomerance) Theorem: There are infinitely many Carmichael numbers Let a be an integer coprime to p. Then
aq ≡ 1 mod p, or
one of aq, a2q, a4q,..., a2k−1q is congruent to −1 mod p.
Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a or some number in the list is a non-trivial square root of 1.
Miller-Rabin Criterion
Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor
Introduction
First Attempt
Second Attempt Then
aq ≡ 1 mod p, or
one of aq, a2q, a4q,..., a2k−1q is congruent to −1 mod p.
Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a or some number in the list is a non-trivial square root of 1.
Miller-Rabin Criterion
Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor
Introduction Let a be an integer coprime to p.
First Attempt
Second Attempt or
one of aq, a2q, a4q,..., a2k−1q is congruent to −1 mod p.
Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a or some number in the list is a non-trivial square root of 1.
Miller-Rabin Criterion
Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor
Introduction Let a be an integer coprime to p. Then
First Attempt q Second a ≡ 1 mod p, Attempt Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a or some number in the list is a non-trivial square root of 1.
Miller-Rabin Criterion
Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor
Introduction Let a be an integer coprime to p. Then
First Attempt q Second a ≡ 1 mod p, or Attempt one of aq, a2q, a4q,..., a2k−1q is congruent to −1 mod p. so either q kills a or some number in the list is a non-trivial square root of 1.
Miller-Rabin Criterion
Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor
Introduction Let a be an integer coprime to p. Then
First Attempt q Second a ≡ 1 mod p, or Attempt one of aq, a2q, a4q,..., a2k−1q is congruent to −1 mod p.
Essentially, a2k q = ap−1 ≡ 1 mod p, or some number in the list is a non-trivial square root of 1.
Miller-Rabin Criterion
Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor
Introduction Let a be an integer coprime to p. Then
First Attempt q Second a ≡ 1 mod p, or Attempt one of aq, a2q, a4q,..., a2k−1q is congruent to −1 mod p.
Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a Miller-Rabin Criterion
Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor
Introduction Let a be an integer coprime to p. Then
First Attempt q Second a ≡ 1 mod p, or Attempt one of aq, a2q, a4q,..., a2k−1q is congruent to −1 mod p.
Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a or some number in the list is a non-trivial square root of 1. 1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2k q with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0,..., k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
Miller-Rabin Primality Test
Primality Testing and the We’ll test n with potential witness a: Miller-Rabin Algorithm
J. David Taylor
Introduction
First Attempt
Second Attempt 2 factor n − 1 = 2k q with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0,..., k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
Miller-Rabin Primality Test
Primality Testing and the We’ll test n with potential witness a: Miller-Rabin Algorithm 1 if 2|n or 1 < gcd(a, n) < n, return “composite” J. David Taylor
Introduction
First Attempt
Second Attempt 3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0,..., k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
Miller-Rabin Primality Test
Primality Testing and the We’ll test n with potential witness a: Miller-Rabin Algorithm 1 if 2|n or 1 < gcd(a, n) < n, return “composite” J. David Taylor 2 factor n − 1 = 2k q with q odd. Introduction
First Attempt
Second Attempt 4 if a ≡ 1 mod n, return “fail”
5 for i = 0,..., k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
Miller-Rabin Primality Test
Primality Testing and the We’ll test n with potential witness a: Miller-Rabin Algorithm 1 if 2|n or 1 < gcd(a, n) < n, return “composite” J. David Taylor 2 factor n − 1 = 2k q with q odd. Introduction q First Attempt 3 set a = a mod n Second Attempt 5 for i = 0,..., k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
Miller-Rabin Primality Test
Primality Testing and the We’ll test n with potential witness a: Miller-Rabin Algorithm 1 if 2|n or 1 < gcd(a, n) < n, return “composite” J. David Taylor 2 factor n − 1 = 2k q with q odd. Introduction q First Attempt 3 set a = a mod n Second Attempt 4 if a ≡ 1 mod n, return “fail” if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
Miller-Rabin Primality Test
Primality Testing and the We’ll test n with potential witness a: Miller-Rabin Algorithm 1 if 2|n or 1 < gcd(a, n) < n, return “composite” J. David Taylor 2 factor n − 1 = 2k q with q odd. Introduction q First Attempt 3 set a = a mod n Second Attempt 4 if a ≡ 1 mod n, return “fail”
5 for i = 0,..., k − 1, set a = a2 mod n
6 return “composite”
Miller-Rabin Primality Test
Primality Testing and the We’ll test n with potential witness a: Miller-Rabin Algorithm 1 if 2|n or 1 < gcd(a, n) < n, return “composite” J. David Taylor 2 factor n − 1 = 2k q with q odd. Introduction q First Attempt 3 set a = a mod n Second Attempt 4 if a ≡ 1 mod n, return “fail”
5 for i = 0,..., k − 1,
if a ≡ −1 mod n, return “fail” 6 return “composite”
Miller-Rabin Primality Test
Primality Testing and the We’ll test n with potential witness a: Miller-Rabin Algorithm 1 if 2|n or 1 < gcd(a, n) < n, return “composite” J. David Taylor 2 factor n − 1 = 2k q with q odd. Introduction q First Attempt 3 set a = a mod n Second Attempt 4 if a ≡ 1 mod n, return “fail”
5 for i = 0,..., k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n Miller-Rabin Primality Test
Primality Testing and the We’ll test n with potential witness a: Miller-Rabin Algorithm 1 if 2|n or 1 < gcd(a, n) < n, return “composite” J. David Taylor 2 factor n − 1 = 2k q with q odd. Introduction q First Attempt 3 set a = a mod n Second Attempt 4 if a ≡ 1 mod n, return “fail”
5 for i = 0,..., k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite” Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
Miller-Rabin Example
Primality Testing and the Let’s test n = 561 with a = 2. Miller-Rabin Algorithm
J. David Taylor
Introduction
First Attempt
Second Attempt Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
Miller-Rabin Example
Primality Testing and the Let’s test n = 561 with a = 2. Miller-Rabin Algorithm Step 2 560 = 24 · 35 J. David Taylor
Introduction
First Attempt
Second Attempt Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
Miller-Rabin Example
Primality Testing and the Let’s test n = 561 with a = 2. Miller-Rabin Algorithm Step 2 560 = 24 · 35 J. David Taylor Step 3 a = 235 ≡ 263 mod 561 Introduction
First Attempt
Second Attempt 263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
Miller-Rabin Example
Primality Testing and the Let’s test n = 561 with a = 2. Miller-Rabin Algorithm Step 2 560 = 24 · 35 J. David Taylor Step 3 a = 235 ≡ 263 mod 561 Introduction First Attempt Step 5 The loop 0,1,2,3 Second Attempt 2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
Miller-Rabin Example
Primality Testing and the Let’s test n = 561 with a = 2. Miller-Rabin Algorithm Step 2 560 = 24 · 35 J. David Taylor Step 3 a = 235 ≡ 263 mod 561 Introduction First Attempt Step 5 The loop 0,1,2,3 Second Attempt 263 6≡ −1 1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
Miller-Rabin Example
Primality Testing and the Let’s test n = 561 with a = 2. Miller-Rabin Algorithm Step 2 560 = 24 · 35 J. David Taylor Step 3 a = 235 ≡ 263 mod 561 Introduction First Attempt Step 5 The loop 0,1,2,3 Second Attempt 263 6≡ −1
2632 ≡ 166 672 ≡ 1
Step 6 return “composite”
Miller-Rabin Example
Primality Testing and the Let’s test n = 561 with a = 2. Miller-Rabin Algorithm Step 2 560 = 24 · 35 J. David Taylor Step 3 a = 235 ≡ 263 mod 561 Introduction First Attempt Step 5 The loop 0,1,2,3 Second Attempt 263 6≡ −1
2632 ≡ 166
1662 ≡ 67 Step 6 return “composite”
Miller-Rabin Example
Primality Testing and the Let’s test n = 561 with a = 2. Miller-Rabin Algorithm Step 2 560 = 24 · 35 J. David Taylor Step 3 a = 235 ≡ 263 mod 561 Introduction First Attempt Step 5 The loop 0,1,2,3 Second Attempt 263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1 Miller-Rabin Example
Primality Testing and the Let’s test n = 561 with a = 2. Miller-Rabin Algorithm Step 2 560 = 24 · 35 J. David Taylor Step 3 a = 235 ≡ 263 mod 561 Introduction First Attempt Step 5 The loop 0,1,2,3 Second Attempt 263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite” If the Generalized Riemann Hypothesis is true, then some a ≤ 2(log n)2 suffices.
In practice, (1) choose a large number n, then (2) try random a’s in the MRT until you get a sufficently high probability that n is prime.
The runtime for each n is between quadratic and quartic depending on implementation.
MRT Analysis
Primality Testing and the Miller-Rabin Algorithm If n is an odd composite number, then at least 75% of the
J. David integers in [1, n − 1] will show that n is composite via the Taylor Miller-Rabin Test.
Introduction
First Attempt
Second Attempt In practice, (1) choose a large number n, then (2) try random a’s in the MRT until you get a sufficently high probability that n is prime.
The runtime for each n is between quadratic and quartic depending on implementation.
MRT Analysis
Primality Testing and the Miller-Rabin Algorithm If n is an odd composite number, then at least 75% of the
J. David integers in [1, n − 1] will show that n is composite via the Taylor Miller-Rabin Test.
Introduction If the Generalized Riemann Hypothesis is true, then some First Attempt 2 Second a ≤ 2(log n) suffices. Attempt The runtime for each n is between quadratic and quartic depending on implementation.
MRT Analysis
Primality Testing and the Miller-Rabin Algorithm If n is an odd composite number, then at least 75% of the
J. David integers in [1, n − 1] will show that n is composite via the Taylor Miller-Rabin Test.
Introduction If the Generalized Riemann Hypothesis is true, then some First Attempt 2 Second a ≤ 2(log n) suffices. Attempt In practice, (1) choose a large number n, then (2) try random a’s in the MRT until you get a sufficently high probability that n is prime. MRT Analysis
Primality Testing and the Miller-Rabin Algorithm If n is an odd composite number, then at least 75% of the
J. David integers in [1, n − 1] will show that n is composite via the Taylor Miller-Rabin Test.
Introduction If the Generalized Riemann Hypothesis is true, then some First Attempt 2 Second a ≤ 2(log n) suffices. Attempt In practice, (1) choose a large number n, then (2) try random a’s in the MRT until you get a sufficently high probability that n is prime.
The runtime for each n is between quadratic and quartic depending on implementation. The AKS algorithm is deterministic and proves that n is or is not prime.
In practice, MRT’s speed makes it preferable to AKS.
AKS uses: Let a, n be coprime with n ≥ 2. Then n is prime iff
(x + a)n ≡ (xn + a) mod n
(as polynomials).
AKS Primality Test
Primality Testing and the Miller-Rabin The paper “PRIMES is in P” by Agrawal, Kayal, and Saxena Algorithm presents an algorithm that can be modified to have runtime of J. David 6 Taylor O(log n).
Introduction
First Attempt
Second Attempt In practice, MRT’s speed makes it preferable to AKS.
AKS uses: Let a, n be coprime with n ≥ 2. Then n is prime iff
(x + a)n ≡ (xn + a) mod n
(as polynomials).
AKS Primality Test
Primality Testing and the Miller-Rabin The paper “PRIMES is in P” by Agrawal, Kayal, and Saxena Algorithm presents an algorithm that can be modified to have runtime of J. David 6 Taylor O(log n).
Introduction The AKS algorithm is deterministic and proves that n is or is First Attempt not prime. Second Attempt AKS uses: Let a, n be coprime with n ≥ 2. Then n is prime iff
(x + a)n ≡ (xn + a) mod n
(as polynomials).
AKS Primality Test
Primality Testing and the Miller-Rabin The paper “PRIMES is in P” by Agrawal, Kayal, and Saxena Algorithm presents an algorithm that can be modified to have runtime of J. David 6 Taylor O(log n).
Introduction The AKS algorithm is deterministic and proves that n is or is First Attempt not prime. Second Attempt In practice, MRT’s speed makes it preferable to AKS. AKS Primality Test
Primality Testing and the Miller-Rabin The paper “PRIMES is in P” by Agrawal, Kayal, and Saxena Algorithm presents an algorithm that can be modified to have runtime of J. David 6 Taylor O(log n).
Introduction The AKS algorithm is deterministic and proves that n is or is First Attempt not prime. Second Attempt In practice, MRT’s speed makes it preferable to AKS.
AKS uses: Let a, n be coprime with n ≥ 2. Then n is prime iff
(x + a)n ≡ (xn + a) mod n
(as polynomials). I’ve been informed that having no pictures is unacceptable ;-)
Primality Testing and the Miller-Rabin Algorithm
J. David Taylor
Introduction
First Attempt
Second Attempt
...Meow