DOCSLIB.ORG

Baillie-PSW Pseudoprimes

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

MASARYK UNIVERSITY FACULTY OF INFORMATICS Baillie-PSW pseudoprimes MASTER'S THESIS Ondřej Krčma Brno, Spring 2021 MASARYK UNIVERSITY FACULTY OF INFORMATICS Baillie-PSW pseudoprimes MASTER'S THESIS Ondřej Krčma Brno, Spring 2021 This is where a copy of the official signed thesis assignment and a copy of the Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondřej Krčma Advisor: Mgr. Marek Sys, Ph.D. i Acknowledgements I would like to thank Mgr. Marek Sys, Ph.D. for his invaluable advice during my work on this thesis. Computational resources were supplied by the project "e-Infrastruktura CZ" (e-INFRA LM2018140) provided within the program Projects of Large Research, Development and Innovations Infrastructures. iii Abstract The goal of this thesis is to examine and look for a weaker version of the Baillie-PSW pseudoprimes. First we examine the Fermat and the Lucas pseudoprimes and the divisibility properties of the order and the rank of appearance. We present the known theory and complete some missing proofs and algorithms. We also examine the notion of admissibility, which is the main necessary condition for the sought pseudoprimes. In the last chapter, we apply the theory and attempt to find the pseudoprimes in several special cases. iv Keywords primality tests, pseudoprimes, Baillie-PSW, PSW-challenge pseudo- primes, rank of appearance, admissibility v Contents Introduction 1 1 The Fermat test 3 1.1 Order of a modulo n 4 1.2 Fermat pseudoprimes to base 2 7 2 Lucas sequences 9 2.1 Computing Lucas sequences 10 2.2 Lucas pseudoprimes 13 2.3 Rank of appearance of n 15 2.4 Lucas pseudoprimes in the Fibonacci sequence 19 3 The Baillie-PSW test 21 3.1 Challenge pseudoprimes 22 3.1.1 Admissibility 23 3.1.2 Computing last prime 28 4 Search for challenge psudoprimes 31 4.1 Small prime factors 32 4.1.1 Admissibility from order and rank 33 4.1.2 Full version of the algorithm 34 4.2 Pseudoprimes of the form 2n_1 — 1 34 4.2.1 Primes with rank equal to a power of two .... 35 4.2.2 Mersenne primes 35 4.3 Two prime factors 36 4.3.1 Admissible primes p with e(p) = 1 37 4.3.2 Computing the other prime 37 4.4 Even number of prime factors 38 4.4.1 Case of p > 245 38 4.4.2 Case of p < 245 39 4.5 Lattice based solutions 40 4.5.1 Searching for the pseudoprimes 40 4.5.2 Transformation of the problem 41 4.5.3 Lattice for Fermat pseudoprimes 42 4.5.4 Example for Fermat pseudoprimes 43 4.5.5 Lattice for both Fermat and Lucas pseudoprimes 44 vii Conclusion Bibliography viii Introduction Generating large random primes is a key component of cryptosystems such as RSA. However, deciding whether a random large (in the order of thousands of bits) integer is prime or composite is computationally expensive. There are two basic kinds of primality tests: deterministic and probabilistic. Deterministic tests will give us a definitive answer on whether the input integer is prime or not, but they are often too slow. In general, probabilistic tests are fast, however some composite integers also pass through. These composite integers which pass some probabilistic primality test are called pseudoprimes and the more pseudoprimes there are for a given test, the worse the test is. In this thesis we are looking for pseudoprimes for a weaker version of the Baillie-PSW test, because, so far, no pseudoprimes for this test have been found. The text of this thesis is split into four chapters. In the first chap• ter we introduce Fermat pseudoprimes and examine some of their properties, for example the order. In the second chapter we look at Lucas sequences and Lucas pseudoprimes. We briefly discuss how to compute Lucas sequences and then examine Lucas pseudoprimes and their properties, especially the rank of appearance. There are many similarities between the Fermat and the Lucas pseudoprimes, and the lemmas in the second chapter often parallel lemmas from the first chapter. In the third chapter we combine the two tests into the Baillie-PSW test and examine PSW-challenge pseudoprimes, which are composite integers passing the weaker version of the test. We mostly focus on the notion of admissibility, which is a strong neces• sary condition, which all PSW-challenge pseudoprimes must satisfy. And finally, in the fourth chapter we describe our attempts to find the PSW-challenge pseudoprimes. The reader is expected to be familiar with basic algebraic concepts such as the order of a group element, modular arithmetic or the Chi• nese Remainder Theorem. The first two chapters mostly cover the known theory, so a reader who is confident in their knowledge of Fer• mat and Lucas pseudoprimes may skip directly to the third chapter. However, we present some proofs and algorithms missing from the literature, and so we recommend starting from the beginning. 1 1 The Fermat test One of the simplest primality tests is the Fermat test. Fermat's little theorem gives the following necessary condition which all primes must satisfy. Theorem 1.1 (Fermat's little theorem). Let p be prime and a an integer such that a ^ 0 (mod p), then aP'1 = 1 (mod p). To test whether given n is prime, we choose a coprime to n (for example a = 2) and calculate an~x mod n. If the resulting value is not 1, then we are sure that n is not prime. Whereas if the result is 1, then n may or may not be prime. For example 2340 = 1 (mod 341), however 341 = 11 x 31 is a composite integer. Composite numbers which pass a primality test such as the Fermat test are called pseudoprimes. There are many different primality tests and an integer may be a pseudoprime relative to one test and not a pseudoprime relative to other tests. This gives us different types and definitions of pseu• doprimes, the first of which is the Fermat pseudoprime. Note that different authors may have slightly different definitions of the indi• vidual types of pseudoprimes. We will follow the terminology from [!]• Definition 1. An odd composite integer n is a (Fermat) pseudoprime to base a if a""1 = 1 (mod n). An integer n may be pseudoprime to some bases and not others, so if the test fails for one base, we may try another. Note that the set of bases to which n is pseudoprime forms a subgroup of Z*, so trying multiple bases one after another may lead to diminishing returns. The main problem however is that there exist Carmichael numbers, which are integers that are Fermat pseudoprimes to all possible bases. In 1994 Pomerance showed that there are infinitely many Carmichael numbers [2]. To get around this problem we may define stronger necessary conditions and stronger tests. 3 i. THE FERMAT TEST Definition 2. An odd composite integer n is an Euler pseudoprime to base a if gcd(a, n) = 1 and cf^ = ^—j (mod n), where (|) is the Jacobi symbol. Clearly, an Euler pseudoprime is also Fermat pseudoprime. Be• cause of the multiplicative property of Jacobi symbols, the bases of an Euler pseudoprime still form a multiplicative group. However Lehmer showed that there are no integers which are Euler pseudoprimes to all possible bases [3] (i.e. there is no equivalent of Carmichael numbers for Euler pseudoprimes). Since the bases to which n is Euler pseudo- prime form a subgroup of Z* and n cannot be pseudoprime to all the bases, then n is pseudoprime to at most half of the possible bases. The test can be strengthened even further. Definition 3. An odd composite integer n = d • 2s + 1, where d is odd, is a strong (Fermat) pseudoprime to base a if ad = 1 (mod ft) or ad-r = -1 (mod n) for some 0 < r < s. A strong (Fermat) pseudoprime is both Euler and Fermat pseu• doprime. Since it's an Euler pseudoprime, there are no equivalents of Carmichael numbers, but the bases no longer form a group. Unfortu• nately, there are still infinitely many strong pseudoprimes to any base [!]• 1.1 Order of a modulo n In the rest of this thesis we will focus mainly on the basic Fermat test (in the second and the third chapters in combination with the Lucas test). In this chapter we present some properties of Fermat pseudoprimes and the order of base a modulo n. 4 i. THE FERMAT TEST Definition 4. Given an odd positive integer n and a base a, the order of a modulo n is the least positive integer k such that ak = 1 (mod n). We will follow the notation of Pomerance, Self ridge and Wagstaff [1] and denote the order as la (n). The reason we do not follow the standard notation of ordn (a) is that in this context the order is a property of the modulus n and not of the base a. k It is well known [4] that if a = 1 (mod n), then la{n) \ k. This means that if n is a Fermat pseudoprime, then la(n) \ (n — 1). The order la (n) also divides the group order (p{n), where cp denotes Euler's totient function.
Recommended publications
  • Fast Tabulation of Challenge Pseudoprimes Andrew Shallue and Jonathan Webster

    Fast Tabulation of Challenge Pseudoprimes Andrew Shallue and Jonathan Webster

    THE OPEN BOOK SERIES 2 ANTS XIII Proceedings of the Thirteenth Algorithmic Number Theory Symposium Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster msp THE OPEN BOOK SERIES 2 (2019) Thirteenth Algorithmic Number Theory Symposium msp dx.doi.org/10.2140/obs.2019.2.411 Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster We provide a new algorithm for tabulating composite numbers which are pseudoprimes to both a Fermat test and a Lucas test. Our algorithm is optimized for parameter choices that minimize the occurrence of pseudoprimes, and for pseudoprimes with a fixed number of prime factors. Using this, we have confirmed that there are no PSW-challenge pseudoprimes with two or three prime factors up to 280. In the case where one is tabulating challenge pseudoprimes with a fixed number of prime factors, we prove our algorithm gives an unconditional asymptotic improvement over previous methods. 1. Introduction Pomerance, Selfridge, and Wagstaff famously offered $620 for a composite n that satisfies (1) 2n 1 1 .mod n/ so n is a base-2 Fermat pseudoprime, Á (2) .5 n/ 1 so n is not a square modulo 5, and j D (3) Fn 1 0 .mod n/ so n is a Fibonacci pseudoprime, C Á or to prove that no such n exists. We call composites that satisfy these conditions PSW-challenge pseudo- primes. In[PSW80] they credit R. Baillie with the discovery that combining a Fermat test with a Lucas test (with a certain specific parameter choice) makes for an especially effective primality test[BW80].
  • Primality Testing and Integer Factorisation

    Primality Testing and Integer Factorisation

    Primality Testing and Integer Factorisation Richard P. Brent, FAA Computer Sciences Laboratory Australian National University Canberra, ACT 2601 Abstract The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several recent algorithms for primality testing and factorisation, give examples of their use and outline some applications. 1. Introduction It has been known since Euclid’s time (though first clearly stated and proved by Gauss in 1801) that any natural number N has a unique prime power decomposition α1 α2 αk N = p1 p2 ··· pk (1.1) αj (p1 < p2 < ··· < pk rational primes, αj > 0). The prime powers pj are called αj components of N, and we write pj kN. To compute the prime power decomposition we need – 1. An algorithm to test if an integer N is prime. 2. An algorithm to find a nontrivial factor f of a composite integer N. Given these there is a simple recursive algorithm to compute (1.1): if N is prime then stop, otherwise 1. find a nontrivial factor f of N; 2.
  • Computing Prime Divisors in an Interval

    Computing Prime Divisors in an Interval

    MATHEMATICS OF COMPUTATION Volume 84, Number 291, January 2015, Pages 339–354 S 0025-5718(2014)02840-8 Article electronically published on May 28, 2014 COMPUTING PRIME DIVISORS IN AN INTERVAL MINKYU KIM AND JUNG HEE CHEON Abstract. We address the problem of finding a nontrivial divisor of a com- posite integer when it has a prime divisor in an interval. We show that this problem can be solved in time of the square root of the interval length with a similar amount of storage, by presenting two algorithms; one is probabilistic and the other is its derandomized version. 1. Introduction Integer factorization is one of the most challenging problems in computational number theory. It has been studied for centuries, and it has been intensively in- vestigated after introducing the RSA cryptosystem [18]. The difficulty of integer factorization has been examined not only in pure factoring situations but also in various modified situations. One such approach is to find a nontrivial divisor of a composite integer when it has prime divisors of special form. These include Pol- lard’s p − 1 algorithm [15], Williams’ p + 1 algorithm [20], and others. On the other hand, owing to the importance and the usage of integer factorization in cryptog- raphy, one needs to examine this problem when some partial information about divisors is revealed. This side information might be exposed through the proce- dures of generating prime numbers or through some attacks against crypto devices or protocols. This paper deals with integer factorization given the approximation of divisors, and it is motivated by the above mentioned research.
  • An Analysis of Primality Testing and Its Use in Cryptographic Applications

    An Analysis of Primality Testing and Its Use in Cryptographic Applications

    An Analysis of Primality Testing and Its Use in Cryptographic Applications Jake Massimo Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Information Security Royal Holloway, University of London 2020 Declaration These doctoral studies were conducted under the supervision of Prof. Kenneth G. Paterson. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathe- matics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jake Massimo April, 2020 2 Abstract Due to their fundamental utility within cryptography, prime numbers must be easy to both recognise and generate. For this, we depend upon primality testing. Both used as a tool to validate prime parameters, or as part of the algorithm used to generate random prime numbers, primality tests are found near universally within a cryptographer's tool-kit. In this thesis, we study in depth primality tests and their use in cryptographic applications. We first provide a systematic analysis of the implementation landscape of primality testing within cryptographic libraries and mathematical software. We then demon- strate how these tests perform under adversarial conditions, where the numbers being tested are not generated randomly, but instead by a possibly malicious party. We show that many of the libraries studied provide primality tests that are not pre- pared for testing on adversarial input, and therefore can declare composite numbers as being prime with a high probability.
  • Triangular Numbers /, 3,6, 10, 15, ", Tn,'" »*"

    Triangular Numbers /, 3,6, 10, 15, ", Tn,'" »*"

    TRIANGULAR NUMBERS V.E. HOGGATT, JR., and IVIARJORIE BICKWELL San Jose State University, San Jose, California 9111112 1. INTRODUCTION To Fibonacci is attributed the arithmetic triangle of odd numbers, in which the nth row has n entries, the cen- ter element is n* for even /?, and the row sum is n3. (See Stanley Bezuszka [11].) FIBONACCI'S TRIANGLE SUMS / 1 =:1 3 3 5 8 = 2s 7 9 11 27 = 33 13 15 17 19 64 = 4$ 21 23 25 27 29 125 = 5s We wish to derive some results here concerning the triangular numbers /, 3,6, 10, 15, ", Tn,'" »*". If one o b - serves how they are defined geometrically, 1 3 6 10 • - one easily sees that (1.1) Tn - 1+2+3 + .- +n = n(n±M and (1.2) • Tn+1 = Tn+(n+1) . By noticing that two adjacent arrays form a square, such as 3 + 6 = 9 '.'.?. we are led to 2 (1.3) n = Tn + Tn„7 , which can be verified using (1.1). This also provides an identity for triangular numbers in terms of subscripts which are also triangular numbers, T =T + T (1-4) n Tn Tn-1 • Since every odd number is the difference of two consecutive squares, it is informative to rewrite Fibonacci's tri- angle of odd numbers: 221 222 TRIANGULAR NUMBERS [OCT. FIBONACCI'S TRIANGLE SUMS f^-O2) Tf-T* (2* -I2) (32-22) Ti-Tf (42-32) (52-42) (62-52) Ti-Tl•2 (72-62) (82-72) (9*-82) (Kp-92) Tl-Tl Upon comparing with the first array, it would appear that the difference of the squares of two consecutive tri- angular numbers is a perfect cube.
  • FACTORING COMPOSITES TESTING PRIMES Amin Witno

    FACTORING COMPOSITES TESTING PRIMES Amin Witno

    WON Series in Discrete Mathematics and Modern Algebra Volume 3 FACTORING COMPOSITES TESTING PRIMES Amin Witno Preface These notes were used for the lectures in Math 472 (Computational Number Theory) at Philadelphia University, Jordan.1 The module was aborted in 2012, and since then this last edition has been preserved and updated only for minor corrections. Outline notes are more like a revision. No student is expected to fully benefit from these notes unless they have regularly attended the lectures. 1 The RSA Cryptosystem Sensitive messages, when transferred over the internet, need to be encrypted, i.e., changed into a secret code in such a way that only the intended receiver who has the secret key is able to read it. It is common that alphabetical characters are converted to their numerical ASCII equivalents before they are encrypted, hence the coded message will look like integer strings. The RSA algorithm is an encryption-decryption process which is widely employed today. In practice, the encryption key can be made public, and doing so will not risk the security of the system. This feature is a characteristic of the so-called public-key cryptosystem. Ali selects two distinct primes p and q which are very large, over a hundred digits each. He computes n = pq, ϕ = (p − 1)(q − 1), and determines a rather small number e which will serve as the encryption key, making sure that e has no common factor with ϕ. He then chooses another integer d < n satisfying de % ϕ = 1; This d is his decryption key. When all is ready, Ali gives to Beth the pair (n; e) and keeps the rest secret.
  • The Pseudoprimes to 25 • 109

    The Pseudoprimes to 25 • 109

    MATHEMATICS OF COMPUTATION, VOLUME 35, NUMBER 151 JULY 1980, PAGES 1003-1026 The Pseudoprimes to 25 • 109 By Carl Pomerance, J. L. Selfridge and Samuel S. Wagstaff, Jr. Abstract. The odd composite n < 25 • 10 such that 2n_1 = 1 (mod n) have been determined and their distribution tabulated. We investigate the properties of three special types of pseudoprimes: Euler pseudoprimes, strong pseudoprimes, and Car- michael numbers. The theoretical upper bound and the heuristic lower bound due to Erdös for the counting function of the Carmichael numbers are both sharpened. Several new quick tests for primality are proposed, including some which combine pseudoprimes with Lucas sequences. 1. Introduction. According to Fermat's "Little Theorem", if p is prime and (a, p) = 1, then ap~1 = 1 (mod p). This theorem provides a "test" for primality which is very often correct: Given a large odd integer p, choose some a satisfying 1 <a <p - 1 and compute ap~1 (mod p). If ap~1 pi (mod p), then p is certainly composite. If ap~l = 1 (mod p), then p is probably prime. Odd composite numbers n for which (1) a"_1 = l (mod«) are called pseudoprimes to base a (psp(a)). (For simplicity, a can be any positive in- teger in this definition. We could let a be negative with little additional work. In the last 15 years, some authors have used pseudoprime (base a) to mean any number n > 1 satisfying (1), whether composite or prime.) It is well known that for each base a, there are infinitely many pseudoprimes to base a.
  • Primes and Primality Testing

    Primes and Primality Testing

    Primes and Primality Testing A Technological/Historical Perspective Jennifer Ellis Department of Mathematics and Computer Science What is a prime number? A number p greater than one is prime if and only if the only divisors of p are 1 and p. Examples: 2, 3, 5, and 7 A few larger examples: 71887 524287 65537 2127 1 Primality Testing: Origins Eratosthenes: Developed “sieve” method 276-194 B.C. Nicknamed Beta – “second place” in many different academic disciplines Also made contributions to www-history.mcs.st- geometry, approximation of andrews.ac.uk/PictDisplay/Eratosthenes.html the Earth’s circumference Sieve of Eratosthenes 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 Sieve of Eratosthenes We only need to “sieve” the multiples of numbers less than 10. Why? (10)(10)=100 (p)(q)<=100 Consider pq where p>10. Then for pq <=100, q must be less than 10. By sieving all the multiples of numbers less than 10 (here, multiples of q), we have removed all composite numbers less than 100.
  • On the Discriminator of Lucas Sequences

    On the Discriminator of Lucas Sequences

    Ann. Math. Québec (2019) 43:51–71 https://doi.org/10.1007/s40316-017-0097-7 On the discriminator of Lucas sequences Bernadette Faye1,2 · Florian Luca3,4,5 · Pieter Moree4 Received: 18 August 2017 / Accepted: 28 December 2017 / Published online: 12 February 2018 © The Author(s) 2018. This article is an open access publication Abstract We consider the family of Lucas sequences uniquely determined by Un+2(k) = (4k+2)Un+1(k)−Un(k), with initial values U0(k) = 0andU1(k) = 1andk ≥ 1anarbitrary integer. For any integer n ≥ 1 the discriminator function Dk(n) of Un(k) is defined as the smallest integer m such that U0(k), U1(k),...,Un−1(k) are pairwise incongruent modulo m. Numerical work of Shallit on Dk(n) suggests that it has a relatively simple characterization. In this paper we will prove that this is indeed the case by showing that for every k ≥ 1there is a constant nk such that Dk(n) has a simple characterization for every n ≥ nk. The case k = 1 turns out to be fundamentally different from the case k > 1. FRENCH ABSTRACT Pour un entier arbitraire k ≥ 1, on considère la famille de suites de Lucas déterminée de manière unique par la relation de récurrence Un+2(k) = (4k + 2)Un+1(k) − Un(k), et les valeurs initiales U0(k) = 0etU1(k) = 1. Pour tout entier n ≥ 1, la fonction discriminante Dk(n) de Un(k) est définie comme le plus petit m tel que U0(k), U1(k),...,Un−1(k) soient deux à deux non congruents modulo m.
  • A Clasification of Known Root Prime-Generating

    A Clasification of Known Root Prime-Generating

    Special properties of the first absolute Fermat pseudoprime, the number 561 Marius Coman Bucuresti, Romania email: [email protected] Abstract. Though is the first Carmichael number, the number 561 doesn’t have the same fame as the third absolute Fermat pseudoprime, the Hardy-Ramanujan number, 1729. I try here to repair this injustice showing few special properties of the number 561. I will just list (not in the order that I value them, because there is not such an order, I value them all equally as a result of my more or less inspired work, though they may or not “open a path”) the interesting properties that I found regarding the number 561, in relation with other Carmichael numbers, other Fermat pseudoprimes to base 2, with primes or other integers. 1. The number 2*(3 + 1)*(11 + 1)*(17 + 1) + 1, where 3, 11 and 17 are the prime factors of the number 561, is equal to 1729. On the other side, the number 2*lcm((7 + 1),(13 + 1),(19 + 1)) + 1, where 7, 13 and 19 are the prime factors of the number 1729, is equal to 561. We have so a function on the prime factors of 561 from which we obtain 1729 and a function on the prime factors of 1729 from which we obtain 561. Note: The formula N = 2*(d1 + 1)*...*(dn + 1) + 1, where d1, d2, ...,dn are the prime divisors of a Carmichael number, leads to interesting results (see the sequence A216646 in OEIS); the formula M = 2*lcm((d1 + 1),...,(dn + 1)) + 1 also leads to interesting results (see the sequence A216404 in OEIS).
  • Elementary Number Theory

    Elementary Number Theory

    Elementary Number Theory Peter Hackman HHH Productions November 5, 2007 ii c P Hackman, 2007. Contents Preface ix A Divisibility, Unique Factorization 1 A.I The gcd and B´ezout . 1 A.II Two Divisibility Theorems . 6 A.III Unique Factorization . 8 A.IV Residue Classes, Congruences . 11 A.V Order, Little Fermat, Euler . 20 A.VI A Brief Account of RSA . 32 B Congruences. The CRT. 35 B.I The Chinese Remainder Theorem . 35 B.II Euler’s Phi Function Revisited . 42 * B.III General CRT . 46 B.IV Application to Algebraic Congruences . 51 B.V Linear Congruences . 52 B.VI Congruences Modulo a Prime . 54 B.VII Modulo a Prime Power . 58 C Primitive Roots 67 iii iv CONTENTS C.I False Cases Excluded . 67 C.II Primitive Roots Modulo a Prime . 70 C.III Binomial Congruences . 73 C.IV Prime Powers . 78 C.V The Carmichael Exponent . 85 * C.VI Pseudorandom Sequences . 89 C.VII Discrete Logarithms . 91 * C.VIII Computing Discrete Logarithms . 92 D Quadratic Reciprocity 103 D.I The Legendre Symbol . 103 D.II The Jacobi Symbol . 114 D.III A Cryptographic Application . 119 D.IV Gauß’ Lemma . 119 D.V The “Rectangle Proof” . 123 D.VI Gerstenhaber’s Proof . 125 * D.VII Zolotareff’s Proof . 127 E Some Diophantine Problems 139 E.I Primes as Sums of Squares . 139 E.II Composite Numbers . 146 E.III Another Diophantine Problem . 152 E.IV Modular Square Roots . 156 E.V Applications . 161 F Multiplicative Functions 163 F.I Definitions and Examples . 163 CONTENTS v F.II The Dirichlet Product .
  • Anomalous Primes and Extension of the Korselt Criterion

    Anomalous Primes and Extension of the Korselt Criterion

    Anomalous Primes and Extension of the Korselt Criterion Liljana Babinkostova1, Brad Bentz2, Morad Hassan3, André Hernández-Espiet4, Hyun Jong Kim5 1Boise State University, 2Brown University, 3Emory University, 4University of Puerto Rico, 5Massachusetts Institute of Technology Motivation Elliptic Korselt Criteria Lucas Pseudoprimes Cryptosystems in ubiquitous commercial use base their security on the dif- ficulty of factoring. Deployment of these schemes necessitate reliable, ef- Korselt Criteria for Euler and Strong Elliptic Carmichael Numbers Lucas Groups ficient methods of recognizing the primality of a number. A number that ordp(N) D; N L passes a probabilistic test, but is in fact composite is known as a pseu- Let N;p(E) be the exponent of E Z=p Z . Then, N is an Euler Let be coprime integers. The Lucas group Z=NZ is defined on elliptic Carmichael number if and only if, for every prime p dividing N, 2 2 2 doprime. A pseudoprime that passes such test for any base is known as a LZ=NZ = f(x; y) 2 (Z=NZ) j x − Dy ≡ 1 (mod N)g: Carmichael number. The focus of this research is analysis of types of pseu- 2N;p j (N + 1 − aN) : doprimes that arise from elliptic curves and from group structures derived t (N + 1 − a ) N If is the largest odd divisor of N , then is a strong elliptic Algebraic Structure of Lucas Groups from Lucas sequences [2]. We extend the Korselt criterion presented in [3] Carmichael number if and only if, for every prime p dividing N, for two important classes of elliptic pseudoprimes and deduce some of their If p is a prime and D is an integer coprime to p, then L e is a cyclic properties.