MTH6115 Cryptography Notes 8: Public-key cryptography—Primes and factorisation 8.1 Primality testing Primality testing is easy, but factorisation is hard. This assertion is the basis of the security of the RSA cipher. In this section and the next, we consider it further. 8.1.1 Trial division The basic algorithm for primality testing is trial division. In a very crudep form it asserts that, if n > 1 and n is not divisible by any integer m such that 2 6 m 6 n, then n is prime. The first thing to say about this algorithm is that, with minor modification, it leads to a factorisation of n into primes. If n is not prime, then the first divisor we find will be a prime p, and we continue dividing by p while this is possible to establish the exact power of p. The quotient is divisible only by primes greater than p, so we can continue the trial divisions from the point where we left off. The second thing is that this simple algorithm does not run in polynomialp time: the input is the string of digits of n, and the number of trial divisions is about n, (very) roughly 2b=2 if n has b digits to the base 2, and roughly 10d=2 if n has d decimal digits. There are some minor improvements to the algorithm, but they do not solve the fundamental problem that the algorithm is not polynomial time. We do not need to try a potential divisor if we know it is composite;p this is because a - n implies that ab - n for all integers b. But there are about 2 n=logn primes in the required interval, which is far too many to allow the algorithm to run in polynomial time. Making sure that a potential divisor is prime (presumably by trial division) is a bad idea (it would take too long).p Also, using the Sieve of Eratosthenes (or variants) to enumerate all primes up to n is also not recommended, because of memory issues. A reasonable compromise 1 p is to divide by 2, 3 and all numbers 6k ± 1 in the required range, for about 3 n trial divisions. 1 Nevertheless, for the very smallest n, trial division is the most efficient method to prove primality. For example, if we wish to prove that an integer n 6 1680 we should pdivide it by the integers from 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37 that do not exceed n. For larger n, it is probably more efficient to trial divide by some ‘small’ primes to root out composite numbers quickly, before applying a more sophisticated test. In this context, ‘small’ can mean quite a bit larger than you are used to. Also, here it would be worth making the list of ‘small’ primes we try. (Some tests may require checking that n is not divisible by some of the very smallest primes, such as 2 and 3, but it will always be advisable to use trial division somewhat beyond this.) 8.1.2 Some potentially useful results It is a bit surprising at first that primality testing can be easier than factorisation. This holds because there are algorithms which decide whether or not a number is prime without actually finding a factor if it is composite! Three examples of such theorems are given below. Theorem 34 (Fermat’s Little Theorem) If n > 1 is prime then xn ≡ x (mod n) for any integer x. Theorem 35 If n > 1 is prime and (for some integer x) x2 ≡ 1 (mod n) then x ≡ 1 or −1 (mod n). Theorem 36 (Wilson’s Theorem) An integer n > 1 is prime if and only if we have (n − 1)! ≡ −1 (mod n). We have already seen the proof of the little Fermat theorem. For the second of these we note that if p is prime and x2 ≡ 1 (mod p) then p j (x2 − 1) = (x + 1)(x − 1), and so p j (x + 1) or p j (x − 1). Here is the proof of Wilson’s Theorem. Suppose that n = p is prime. We know that every number x in the set f1;:::; p−1g has an inverse y modulo p (so that xy ≡ 1 (mod p)). The only numbers which are equal to their inverses are 1 and p − 1: for if x is equal to its inverse, then x2 ≡ 1 (mod p), and so x ≡ ±1 (mod p) (see above). The other p − 3 numbers in the range can be paired with their inverses, so that the product of each pair is congruent to 1 mod p. Now multiplying all these numbers together gives (p − 1)! ≡ 1 · 1(p−3)=2 · (p − 1) ≡ −1 (mod p): Conversely, suppose that n is composite. If q is a prime divisor of n, then certainly q divides (n − 1)!, and so (n − 1)! is congruent to a multiple of q modulo n, and so cannot be −1. (In this case, it is quite easy to show that n is a divisor of (n − 1)!, with the single exception of n = 4.) The proof of Wilson’s Theorem is not examinable. 2 Can any of these results give us a quick test for primality? Fermat’s Little Theorem gives a necessary, but not sufficient condition that n be prime. We shall say more about this in the next subsection. For Theorem 35, we note a a + that if n = 2, 4, p or 2p , where p is an odd prime and a 2 Z then x2 ≡ 1 (mod n) implies that x ≡ ±1 (mod n); if n > 1 is any other integer then this implication does not hold. We can detect whether n is even or a proper power relatively easily, and a a thus we can easily know if n has any hope of being in f2;4; p (a > 2);2p g. So we reduce to the case where n is an odd prime or has two distinct odd prime divisors. In the former case, we do not know how to show (directly and fast enough) that if x2 ≡ 1 (mod n) then x ≡ ±1 (mod n). And in the latter case, we do not know how to find (in an efficient way, even probabilistically, except if n is somewhat special) x such that x2 ≡ 1 (mod n) and x 6≡ ±1 (mod n). (The Miller–Rabin primality test makes the latter potential problem into a non-issue.) In contrast, Wilson’s Theorem gives a necessary and sufficient condition for n to be prime. That is, if (n − 1)! ≡ −1 (mod n), then n is prime; if not, then not. But nobody knows how to calculate (n − 1)! (mod n) sufficiently quickly (or even how to determine whether gcd(n;(n − 1)!) = 1 efficiently); the natural method would require n − 2 multiplications. 8.1.3 The Fermat primality test Strictly speaking this is a compositeness test: if n > 1 and you have found an x such that xn 6≡ x (mod n) then you know that n is composite, without having found any of the factors of n. If there is an x with this property, then we can reduce it modulo n to get an x with this property that satisfies xn 6≡ x (mod n). As we explained in Notes n 7, there is an efficient way to calculate x mod n, involving at most 2log2 n multipli- cations of numbers not exceeding n and calculation of the remainder modulo n after each multiplication, so each individual Fermat test is polynomial time. The possible outcomes of each Fermat test are (n is definitely) COMPOSITE if xn 6≡ x (mod n) and (n is) MAYBE PRIME if xn ≡ x (mod n). Thus, for example, 2589 ≡ 326 6≡ 2 (mod 589), and so we know that 589 is com- posite. For two larger examples, we take m = 7 · 1011 + 1 and n = 4 · 1012 + 1 and find that 2m ≡ 295817535273 6≡ 2 (mod m) and 2n ≡ 3374782511254 6≡ 2 (mod n). In none of these three cases did the test reveal a (prime) factor of the number proven to be composite. (The factorisations are 589 = 19 · 31 (very easy), 7 · 1011 + 1 = 41149 · 17011349 and 4 · 1012 + 1 = 277 · 7213 · 2002001; part of the latter factorisation stems from the algebraic identity 4X4 + 1 = (2X2 + 2X + 1)(2X2 − 2X + 1).) Unfortunately, this test doesn’t work in the other direction. For example, we have 3 2341 ≡ 2 (mod 341), even though 341 = 11 · 31 is not prime. We say that 341 is a pseudoprime to (the) base 2. Definition An integer n > 1 is a (weak or Fermat) pseudoprime to the base a if n is not prime but an ≡ a (mod n). (We really ought to specify that the integer a is at least 2, since every composite number would be a pseudoprime to the bases 0 and 1.) Any a such that an 6≡ a (mod n) is a Fermat witness (to the compositeness of n), while the other a are Fermat liars. Pseudoprimes are not very common, though it is known that there are still infinitely many of them, and if we are prepared to take the small risk that the number we chose is a pseudoprime rather than a prime, then we could simply accept such numbers. The smallest pseudoprimes to base 2 are 341, 561, 645, 1105, 1387, 1729, 1905, 2047. We could feel safer if we checked different values.