Primality Testing and the Miller-Rabin Algorithm J. David Primality Testing and the Miller-Rabin Taylor Algorithm Introduction FA 2018 Cryptography Seminar First Attempt Second Attempt J. David Taylor October 12, 2018 Bob needs a pair of large prime numbers! If p; q are composite, then Bob will need to know how to factor them, and the cipher will be less secure. Why Primality Testing? Primality Testing and the Miller-Rabin Algorithm J. David Taylor Suppose Bob wants to implement RSA. Introduction First Attempt Second Attempt If p; q are composite, then Bob will need to know how to factor them, and the cipher will be less secure. Why Primality Testing? Primality Testing and the Miller-Rabin Algorithm J. David Taylor Suppose Bob wants to implement RSA. Introduction First Attempt Bob needs a pair of large prime numbers! Second Attempt and the cipher will be less secure. Why Primality Testing? Primality Testing and the Miller-Rabin Algorithm J. David Taylor Suppose Bob wants to implement RSA. Introduction First Attempt Bob needs a pair of large prime numbers! Second Attempt If p; q are composite, then Bob will need to know how to factor them, Why Primality Testing? Primality Testing and the Miller-Rabin Algorithm J. David Taylor Suppose Bob wants to implement RSA. Introduction First Attempt Bob needs a pair of large prime numbers! Second Attempt If p; q are composite, then Bob will need to know how to factor them, and the cipher will be less secure. If Bob can efficiently distinguish prime numbers from composite numbers, then Bob can choose large numbers at random and check which are prime. Bob wants an efficient algorithm that detects composite numbers. Why Primality Testing? Primality Testing and the Miller-Rabin Algorithm The prime number theorem tells us that J. David Taylor N The number of primes ≤ N ≈ Introduction log N First Attempt . Second Attempt Bob wants an efficient algorithm that detects composite numbers. Why Primality Testing? Primality Testing and the Miller-Rabin Algorithm The prime number theorem tells us that J. David Taylor N The number of primes ≤ N ≈ Introduction log N First Attempt . Second Attempt If Bob can efficiently distinguish prime numbers from composite numbers, then Bob can choose large numbers at random and check which are prime. Why Primality Testing? Primality Testing and the Miller-Rabin Algorithm The prime number theorem tells us that J. David Taylor N The number of primes ≤ N ≈ Introduction log N First Attempt . Second Attempt If Bob can efficiently distinguish prime numbers from composite numbers, then Bob can choose large numbers at random and check which are prime. Bob wants an efficient algorithm that detects composite numbers. Example: Let n = 31987937737479355332620068643713101490952335301. The congruence ( mod n) 2n−1 ≡ 1281265953551359064133601216247151836053160074 tells Bob that n is not prime! Fermat's Little Theorem Primality Testing and the Miller-Rabin Algorithm Theorem p J. David Let p be a prime number, then a ≡ a mod p for every integer Taylor a. Introduction First Attempt Second Attempt The congruence ( mod n) 2n−1 ≡ 1281265953551359064133601216247151836053160074 tells Bob that n is not prime! Fermat's Little Theorem Primality Testing and the Miller-Rabin Algorithm Theorem p J. David Let p be a prime number, then a ≡ a mod p for every integer Taylor a. Introduction First Attempt Example: Let Second Attempt n = 31987937737479355332620068643713101490952335301. Fermat's Little Theorem Primality Testing and the Miller-Rabin Algorithm Theorem p J. David Let p be a prime number, then a ≡ a mod p for every integer Taylor a. Introduction First Attempt Example: Let Second Attempt n = 31987937737479355332620068643713101490952335301. The congruence ( mod n) 2n−1 ≡ 1281265953551359064133601216247151836053160074 tells Bob that n is not prime! For example, 2 is a witness for 6, but 3 isn't. Idea: Try numbers less than n until you find a witness or try all of them Witnesses Primality Testing and the Miller-Rabin Algorithm J. David Taylor Let a; n be integers. We say that a is a witness for (the Introduction compositeness of) n if an 6≡ a mod n. First Attempt Second Attempt Idea: Try numbers less than n until you find a witness or try all of them Witnesses Primality Testing and the Miller-Rabin Algorithm J. David Taylor Let a; n be integers. We say that a is a witness for (the Introduction compositeness of) n if an 6≡ a mod n. First Attempt Second For example, 2 is a witness for 6, but 3 isn't. Attempt Witnesses Primality Testing and the Miller-Rabin Algorithm J. David Taylor Let a; n be integers. We say that a is a witness for (the Introduction compositeness of) n if an 6≡ a mod n. First Attempt Second For example, 2 is a witness for 6, but 3 isn't. Attempt Idea: Try numbers less than n until you find a witness or try all of them (Korselt) Theorem: A positive composite integer n is Carmichael iff n is square-free and p − 1jn − 1 for every prime pjn. First seven Carmichael numbers are 561, 1105, 1729, 2465, 2821, 6601, and 8911. (Alfred, Granville, Pomerance) Theorem: There are infinitely many Carmichael numbers Carmichael Numbers Primality Testing and the Miller-Rabin Algorithm Composite numbers with no witnesses are called J. David Carmichael numbers. Taylor Introduction First Attempt Second Attempt First seven Carmichael numbers are 561, 1105, 1729, 2465, 2821, 6601, and 8911. (Alfred, Granville, Pomerance) Theorem: There are infinitely many Carmichael numbers Carmichael Numbers Primality Testing and the Miller-Rabin Algorithm Composite numbers with no witnesses are called J. David Carmichael numbers. Taylor Introduction (Korselt) Theorem: A positive composite integer n is First Attempt Carmichael iff n is square-free and p − 1jn − 1 for every Second prime pjn. Attempt (Alfred, Granville, Pomerance) Theorem: There are infinitely many Carmichael numbers Carmichael Numbers Primality Testing and the Miller-Rabin Algorithm Composite numbers with no witnesses are called J. David Carmichael numbers. Taylor Introduction (Korselt) Theorem: A positive composite integer n is First Attempt Carmichael iff n is square-free and p − 1jn − 1 for every Second prime pjn. Attempt First seven Carmichael numbers are 561, 1105, 1729, 2465, 2821, 6601, and 8911. Carmichael Numbers Primality Testing and the Miller-Rabin Algorithm Composite numbers with no witnesses are called J. David Carmichael numbers. Taylor Introduction (Korselt) Theorem: A positive composite integer n is First Attempt Carmichael iff n is square-free and p − 1jn − 1 for every Second prime pjn. Attempt First seven Carmichael numbers are 561, 1105, 1729, 2465, 2821, 6601, and 8911. (Alfred, Granville, Pomerance) Theorem: There are infinitely many Carmichael numbers Let a be an integer coprime to p. Then aq ≡ 1 mod p, or one of aq; a2q; a4q;:::; a2k−1q is congruent to −1 mod p. Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a or some number in the list is a non-trivial square root of 1. Miller-Rabin Criterion Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor Introduction First Attempt Second Attempt Then aq ≡ 1 mod p, or one of aq; a2q; a4q;:::; a2k−1q is congruent to −1 mod p. Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a or some number in the list is a non-trivial square root of 1. Miller-Rabin Criterion Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor Introduction Let a be an integer coprime to p. First Attempt Second Attempt or one of aq; a2q; a4q;:::; a2k−1q is congruent to −1 mod p. Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a or some number in the list is a non-trivial square root of 1. Miller-Rabin Criterion Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor Introduction Let a be an integer coprime to p. Then First Attempt q Second a ≡ 1 mod p, Attempt Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a or some number in the list is a non-trivial square root of 1. Miller-Rabin Criterion Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor Introduction Let a be an integer coprime to p. Then First Attempt q Second a ≡ 1 mod p, or Attempt one of aq; a2q; a4q;:::; a2k−1q is congruent to −1 mod p. so either q kills a or some number in the list is a non-trivial square root of 1. Miller-Rabin Criterion Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor Introduction Let a be an integer coprime to p. Then First Attempt q Second a ≡ 1 mod p, or Attempt one of aq; a2q; a4q;:::; a2k−1q is congruent to −1 mod p. Essentially, a2k q = ap−1 ≡ 1 mod p, or some number in the list is a non-trivial square root of 1. Miller-Rabin Criterion Primality Testing and the Miller-Rabin Algorithm J. David Let p = 2k q + 1 be an odd prime number with q odd. Taylor Introduction Let a be an integer coprime to p. Then First Attempt q Second a ≡ 1 mod p, or Attempt one of aq; a2q; a4q;:::; a2k−1q is congruent to −1 mod p. Essentially, a2k q = ap−1 ≡ 1 mod p, so either q kills a Miller-Rabin Criterion Primality Testing and the Miller-Rabin Algorithm J.