Primality Testing - PowerPoint PPT Presentation

Slides: 24
Provided by: cseCu
1
Primality Testing
  • Patrick Lee
  • 12 July 2003
  • (updated on 13 July 2003)

2
Finding a Prime Number
  • Finding a prime number is critical for public-key
    cryptosystems, such as RSA and Diffie-Hellman.
  • Naïve approach
    • Randomly pick a number n. Try whether n is divisible
      by 2, 3, 5, 7, ..., p, where p is the largest prime
      number less than or equal to the square root of n.
    • Computationally expensive.
    • You need to pre-obtain all small prime numbers.

3
Introduction to Number Theory
  • Number theory: modular arithmetic on a finite set
    of integers.
  • Most randomized algorithms start by choosing a
    random number from some domain and then work
    deterministically from there on. We hope that with
    high probability the chosen number has some
    desirable properties.
  • Goal: Given a number n, the desired complexity is
    O(log n), i.e., polynomial in the length of n.

4
Computing GCD
  • gcd(a, b) = greatest common divisor of (a, b)
  • a and b are co-prime iff gcd(a, b) = 1
  • Euclid's algorithm: finding gcd(a, b)
    • for a > b, gcd(a, b) = gcd(b, a mod b)
  • Extended Euclid's: finding the gcd d and numbers x
    and y such that d = ax + by

5
Groups
  • Additive group
    • Z_n = {0, 1, ..., n-1} forms a group under addition
      modulo n.
  • Multiplicative group
    • Z_n^* = {x | 1 ≤ x < n and gcd(x, n) = 1} forms a
      group under multiplication modulo n.
    • For prime p, Z_p^* includes all elements 1, ..., p-1.
    • E.g., Z_6^* = {1, 5}
    • E.g., Z_7^* = {1, 2, 3, 4, 5, 6}

6
Chinese Remainder Theorem (CRT)
  • Given n1, n2, ..., nk pairwise co-prime.
  • There exists a unique r, r in [0, n = n1·n2·...·nk),
    satisfying
    • r ≡ ri (mod ni)
    for any sequence r1, ..., rk, where ri in [0, ni).
  • E.g.,
    • r ≡ 2 (mod 3)
    • r ≡ 3 (mod 5)
    • r ≡ 2 (mod 7)
  • We have r = 23, unique in [0, 105).
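
The two tools of slides 4 and 6, Euclid's algorithm with its extended form and the CRT reconstruction, as an added example that is not part of the original slides. Function names (`ext_gcd`, `mod_inverse`, `crt`) are my own; `crt` builds r from the residues exactly as the theorem states and refuses moduli that are not pairwise co-prime, which is the precondition the slide assumes.

```python
# Added example (not from the slides): Euclid, extended Euclid and the
# Chinese Remainder Theorem in plain Python. Names are my own.
from math import prod


def gcd(a: int, b: int) -> int:
    """Euclid's algorithm: for a > b, gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, a % b
    return a


def ext_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: return (d, x, y) with d = gcd(a, b) = a*x + b*y."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a: int, n: int) -> int:
    """x with a*x = 1 (mod n); exists only when a and n are co-prime."""
    d, x, _ = ext_gcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {d})")
    return x % n


def crt(residues: list[int], moduli: list[int]) -> int:
    """Unique r in [0, n1*...*nk) with r = r_i (mod n_i) for every i."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise co-prime")
    n = prod(moduli)
    r = 0
    for r_i, n_i in zip(residues, moduli):
        n_other = n // n_i                     # co-prime to n_i, 0 mod the rest
        r += r_i * n_other * mod_inverse(n_other, n_i)
    return r % n


if __name__ == "__main__":
    print(ext_gcd(240, 46))                    # (2, -9, 47): 240*-9 + 46*47 = 2
    print(crt([2, 3, 2], [3, 5, 7]))           # 23, the slide's example
```

Each term `r_i * n_other * inv(n_other)` is r_i modulo n_i and 0 modulo every other modulus, so the sum satisfies all congruences at once; reducing mod n picks the unique representative the theorem promises.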

7
Euler phi Function phi(.)
  • phi(n) = |Z_n^*|
  • e.g., phi(p) = p - 1 for prime p
  • Theorem: if n = p1^e1 · p2^e2 · ... · pk^ek,
    • phi(n) = (p1 - 1) p1^(e1 - 1) · ... · (pk - 1) pk^(ek - 1)
  • e.g., if n = pq, phi(n) = (p - 1)(q - 1)
  • If we know phi(n), we can factorize n.
  • Euler's Theorem: for all n and x in Z_n^*,
    • x^phi(n) ≡ 1 (mod n)
  • For any prime p, x^(p-1) ≡ 1 (mod p) for all x in
    [1, p-1]. (Fermat's Little Theorem)
  • If x^(n-1) ≠ 1, n is not prime (e.g., 4^5 mod 6 = 4).

8
Order and Generator
  • ord(x) = smallest t such that x^t ≡ 1 (mod n)
  • E.g., in Z_11^*, ord(3) = 5, ord(2) = 10
  • Generator: an element whose order = group size.
  • E.g., 3 is a generator of Z_7^*
  • Subgroup generated from an element of order t <
    phi(n)
    • {1, 3, 3^2 = 9, 3^3 = 5, 3^4 = 4} = {1, 3, 4, 5, 9} is a
      subgroup of Z_11^*
  • A group is cyclic if it has a generator.
  • For any prime p, the group Z_p^* is cyclic, i.e.,
    every Z_p^* has a generator, say g.
    • Z_p^* = {1, g, g^2, g^3, ..., g^(p-2)}

9
Group Size
  • Subgroup size divides group size (for all n)
  • Group size = phi(n)
  • We use an element of order t < phi(n) as the
    generator of the subgroup (say 2 in Z_7^*).
  • The subgroup spans t elements.
  • For x in the subgroup, we observe that t has to divide
    phi(n) so that x^(tk) = x^phi(n) = 1 for some
    integer k. You can prove it by contradiction by
    assuming t does not divide phi(n).
  • E.g., H = {1, 3, 4, 5, 9} is a subgroup of Z_11^*;
    |H| divides |Z_11^*|.
  • This proposition applies to all n (prime /
    composite).
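
The objects of slides 5, 7, 8 and 9 computed by brute force, as an added example that is not part of the original slides: Z_n^*, phi(n) both by counting and by the product formula, the order of an element, the subgroup it generates, generators, and the two checks the slides state (Euler's theorem, and subgroup size dividing group size). Function names are my own.

```python
# Added example (not from the slides): Z_n^*, phi(n), element orders,
# generators and cyclic subgroups, all by exhaustive computation.
from math import gcd


def units(n: int) -> list[int]:
    """Z_n^* = {x : 1 <= x < n and gcd(x, n) = 1}."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n: int) -> int:
    """Euler's phi(n) = |Z_n^*|, by direct counting."""
    return len(units(n))


def phi_from_factors(factors: dict[int, int]) -> int:
    """phi(n) for n = prod p^e via the slide-7 formula prod (p-1) p^(e-1)."""
    result = 1
    for p, e in factors.items():
        result *= (p - 1) * p ** (e - 1)
    return result


def order(x: int, n: int) -> int:
    """ord(x) in Z_n^*: the smallest t >= 1 with x^t = 1 (mod n)."""
    if gcd(x, n) != 1:
        raise ValueError(f"{x} is not in Z_{n}^*")
    t, y = 1, x % n
    while y != 1:
        y = (y * x) % n
        t += 1
    return t


def subgroup(x: int, n: int) -> set[int]:
    """The cyclic subgroup {1, x, x^2, ...} generated by x in Z_n^*."""
    return {pow(x, k, n) for k in range(order(x, n))}


def generators(n: int) -> list[int]:
    """Elements whose order equals the group size phi(n)."""
    size = phi(n)
    return [g for g in units(n) if order(g, n) == size]


def is_cyclic(n: int) -> bool:
    """A group is cyclic iff it has a generator (always true for prime n)."""
    return len(generators(n)) > 0


def euler_theorem_holds(n: int) -> bool:
    """x^phi(n) = 1 (mod n) for every x in Z_n^*."""
    k = phi(n)
    return all(pow(x, k, n) == 1 for x in units(n))


def subgroup_sizes_divide(n: int) -> bool:
    """|<x>| = ord(x) divides |Z_n^*| for every x (slide 9, any n)."""
    k = phi(n)
    return all(k % len(subgroup(x, n)) == 0 for x in units(n))


if __name__ == "__main__":
    print(units(6), units(7))                 # [1, 5] [1, 2, 3, 4, 5, 6]
    print(order(3, 11), order(2, 11))         # 5 10
    print(sorted(subgroup(3, 11)))            # [1, 3, 4, 5, 9]
    print(generators(7), is_cyclic(8))        # [3, 5] False
```

Z_8^* is a composite case worth noticing: every element has order at most 2, so the group has no generator and is not cyclic, while Euler's theorem and the divisibility of subgroup sizes still hold there, which is the "for all n" part of slide 9.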

10
Quadratic Residue
  • y is a quadratic residue (mod n) if there exists
    x in Z_n^* such that x^2 ≡ y (mod n)
    • i.e., y has a square root in Z_n^*
  • Claim: For any prime p, every quadratic residue
    has exactly two square roots x, -x mod p.
  • Proof: if x^2 ≡ u^2 (mod p), then (x - u)(x + u) ≡ 0
    (mod p), so either p divides x - u (i.e., x = u), or
    p divides x + u (i.e., x = -u).
  • It implies that if x^2 ≡ 1 (mod p), x = 1 or -1.

11
Quadratic Residue (contd)
  • Theorem: For any prime p and generator g, g^k
    is a quadratic residue iff k is even.
  • Given Z_p^* = {1, g, g^2, g^3, ..., g^(p-2)}
    • Even powers of g are quadratic residues
    • Odd powers of g are not quadratic residues
  • Legendre symbol
    • (a/p) = 1 if a is a quadratic residue mod p, and
      -1 if a is not a quadratic residue mod p.

12
Quadratic Residue (contd)
  • Theorem: For prime p and a in Z_p^*,
    (a/p) ≡ a^((p-1)/2) (mod p).
  • Z_p^* is cyclic, so a = g^k for some k.
  • If k is even, let k = 2m; a^((p-1)/2) = g^((p-1)m) = 1.
  • If k is odd, let k = 2m+1; a^((p-1)/2) = g^((p-1)/2)
    = -1. Reasons:
    • This is a square root of 1.
    • g^((p-1)/2) ≠ 1 since ord(g) ≠ (p-1)/2.
    • But 1 has only two square roots. Thus, the only
      solution is -1.
  • If n is prime, a^((n-1)/2) = 1 or -1. If we find that
    a^((n-1)/2) is neither 1 nor -1, n is composite.
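
Slides 10 to 12 worked out numerically, as an added example that is not part of the original slides: residues and their two square roots mod a prime, the Legendre symbol found by search and by Euler's criterion, the even/odd-power rule for a generator, and the last bullet's use of the criterion on a composite. Function names are my own; `euler_criterion` takes any odd n so that the composite case can be shown.

```python
# Added example (not from the slides): quadratic residues mod a prime,
# the Legendre symbol by search and by Euler's criterion. Names are my own.

def quadratic_residues(p: int) -> list[int]:
    """All y in Z_p^* that have a square root, found by squaring everything."""
    return sorted({(x * x) % p for x in range(1, p)})


def square_roots(y: int, p: int) -> list[int]:
    """All x in Z_p^* with x^2 = y (mod p); exactly two for prime p."""
    return [x for x in range(1, p) if (x * x) % p == y % p]


def legendre_by_search(a: int, p: int) -> int:
    """(a/p) = 1 if a is a quadratic residue mod p, -1 if not."""
    if a % p == 0:
        raise ValueError("a must be a unit mod p")
    return 1 if a % p in set(quadratic_residues(p)) else -1


def euler_criterion(a: int, n: int):
    """a^((n-1)/2) mod n reported as 1, -1, or None when it is neither.
    For prime n this is the Legendre symbol; None proves n composite."""
    v = pow(a, (n - 1) // 2, n)
    if v == 1:
        return 1
    if v == n - 1:
        return -1
    return None


def residues_are_even_powers(g: int, p: int) -> bool:
    """Slide 11: with g a generator, g^k is a residue iff k is even."""
    even = {pow(g, k, p) for k in range(0, p - 1, 2)}
    odd = {pow(g, k, p) for k in range(1, p - 1, 2)}
    qr = set(quadratic_residues(p))
    return even == qr and odd.isdisjoint(qr)


if __name__ == "__main__":
    print(quadratic_residues(7), square_roots(2, 7))     # [1, 2, 4] [3, 4]
    print(legendre_by_search(3, 7), euler_criterion(3, 7))  # -1 -1
    print(euler_criterion(2, 15))                        # None: 2^7 = 8 mod 15
```

For p = 7 and the generator g = 3 the even powers 3^0, 3^2, 3^4 are 1, 2, 4, which is exactly the residue set, and the odd powers 3, 6, 5 are the non-residues. With n = 15 the criterion gives 2^7 mod 15 = 8, neither 1 nor -1, which is the slide's compositeness witness.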

13
Ideas of Primality Testing
  • Idea 1
    • If x^(n-1) mod n ≠ 1, n is definitely composite.
    • If x^(n-1) mod n = 1, n is probably prime.
  • Idea 2
    • If x^((n-1)/2) mod n ∉ {1, -1}, n is definitely
      composite.
    • If x^((n-1)/2) mod n ∈ {1, -1}, n is probably prime.

14
Simple Primality Testing Alg.
  • Repeat k times:
    • Pick a in {2, ..., n-1} at random.
    • If gcd(a, n) ≠ 1, then output COMPOSITE.
      (This is actually unnecessary but conceptually
      helps.)
    • If a^((n-1)/2) is not congruent to 1 or -1 (mod n),
      then output COMPOSITE.
  • Now, if we ever got a "-1" above, output
    "PROBABLY PRIME"; else output "PROBABLY COMPOSITE".

15
Error of the Simple Alg.
  • The algorithm is BPP with error probability 1/2^k.
  • If n is prime, half of the a's make a^((n-1)/2) = 1.
    The probability of error in each iteration is ½.
  • If n is composite, an error occurs if n is claimed
    to be PROBABLY PRIME. We use the key lemma.
  • Key Lemma: Let n be an odd composite, not a prime
    power, and let t = (n-1)/2. If there exists a in
    Z_n^* such that a^t ≡ -1 (mod n), then at most half
    of the x's in Z_n^* have x^t ∈ {-1, 1} (mod n).

16
Error of the Simple Alg. (contd)
  • Let S = {x in Z_n^* | x^t = 1 or -1} (let t =
    (n-1)/2).
  • We'd like to show S is a proper subgroup of Z_n^*.
  • S is a subgroup of Z_n^* since it's closed under
    multiplication: (x^t)(y^t) = (xy)^t.
  • Find b in Z_n^* but not in S.
    • Let n = qr, where q and r are co-prime.
    • Using the CRT notation, let b = (a, 1), denoting
      b ≡ a (mod q), b ≡ 1 (mod r). CRT assures the
      existence of b.
    • Thus, b^t = (a^t, 1^t) = (-1, 1), implying b^t ≠ 1
      and -1, since 1 = (1, 1) and -1 = (-1, -1).
  • S is a proper subgroup. Since the subgroup size
    divides the group size, |S| ≤ ½ |Z_n^*|.

17
Case of Prime-Power Composites
  • The Key Lemma doesn't apply if n is a prime power.
    However, it doesn't matter, since such n cannot pass
    the test of step (3), i.e., we are sure that
    a^((n-1)/2) is not 1 or -1 (mod n) for all a.
  • Proof (assume all operations are mod n):
    • Write n = p^e, where p is prime.
    • Consider a^(n-1), which is equal to a^(p^e - 1).
    • Note that phi(n) = p^(e-1)(p-1) = p^e - p^(e-1),
      according to the theorem in slide 7.
    • a^(p^e - 1) = a^(phi(n) + p^(e-1) - 1) = a^(p^(e-1) - 1)
      (by Euler's Theorem).
    • Recursively, we get a^(p^e - 1) = a^(-1).
    • Since a ≠ 1, a^(-1) ≠ 1. We have a^(n-1) ≠ 1, and its
      square root is not 1 or -1.
  • Thus, if n is a prime power, it does not pass the
    test in step (3). We can safely ignore the case of
    prime powers in the Key Lemma.
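
The simple algorithm of slide 14 and the set S from the error analysis of slides 15 and 16, as an added example that is not part of the original slides. The random choice of bases is replaced by an explicit base list (plus a seeded wrapper) so that both error modes the slides describe can be reproduced on demand: a prime that is reported PROBABLY COMPOSITE because no -1 was seen, and a composite that is reported PROBABLY PRIME because the only base tried happened to lie in S. Function names are my own.

```python
# Added example (not from the slides): slide 14's test with explicit bases,
# and the set S = {x in Z_n^* : x^((n-1)/2) = +-1} whose size bounds the error.
import random
from math import gcd


def half_power_test(n: int, bases: list[int]) -> str:
    """Slide 14 with the k random picks replaced by the given bases (n odd > 2)."""
    t = (n - 1) // 2
    saw_minus_one = False
    for a in bases:
        if gcd(a, n) != 1:                 # step (2): a shares a factor with n
            return "COMPOSITE"
        v = pow(a, t, n)
        if v == n - 1:                     # a -1 was seen
            saw_minus_one = True
        elif v != 1:                       # step (3): neither 1 nor -1
            return "COMPOSITE"
    return "PROBABLY PRIME" if saw_minus_one else "PROBABLY COMPOSITE"


def random_half_power_test(n: int, k: int, seed: int = 0) -> str:
    """The algorithm as written: k bases drawn at random from {2, ..., n-1}."""
    rng = random.Random(seed)
    return half_power_test(n, [rng.randrange(2, n) for _ in range(k)])


def half_power_liars(n: int) -> list[int]:
    """S from slide 16: the bases that do not expose n in step (3)."""
    t = (n - 1) // 2
    return [x for x in range(1, n)
            if gcd(x, n) == 1 and pow(x, t, n) in (1, n - 1)]


def fraction_of_liars(n: int) -> float:
    """|S| / |Z_n^*|; the Key Lemma says this is at most 1/2 when it applies."""
    group_size = sum(1 for x in range(1, n) if gcd(x, n) == 1)
    return len(half_power_liars(n)) / group_size


if __name__ == "__main__":
    print(half_power_test(13, [2]))        # PROBABLY PRIME   (2^6 = -1 mod 13)
    print(half_power_test(13, [3]))        # PROBABLY COMPOSITE (3^6 = 1 mod 13)
    print(half_power_test(15, [2]))        # COMPOSITE        (2^7 = 8 mod 15)
    print(half_power_test(15, [14]))       # PROBABLY PRIME   (the composite-side error)
    print(half_power_liars(15), half_power_liars(91))
```

For n = 15 the set S is {1, 14}, 2 of the 8 units, and for n = 91 = 7·13 it has 18 of 72 units: the base 38 satisfies 38^45 ≡ -1 (mod 91), so the Key Lemma applies and S is a proper subgroup. For the prime n = 13 every unit is in S, and exactly half of them give -1, which is the prime-side error rate of ½ from slide 15.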

18
Miller-Rabin Algorithm
  • Pick a in {2, ..., n-1} at random.
  • If a^(n-1) ≠ 1 (mod n), then output COMPOSITE.
  • Let n - 1 = 2^r · B, where B is odd.
  • Compute a^B, a^(2B), ..., a^(n-1) (mod n).
  • If we find a root of 1 other than -1 or 1 in the
    above list, then
    • output COMPOSITE;
    • else output POSSIBLY PRIME.

19
Error of MR Algorithm
  • It is RP.
  • For prime n, the algorithm always returns prime.
  • For non-Carmichael composite n, the algorithm
    returns prime with probability at most ½ in each
    iteration (i.e., step 2 detects compositeness
    with probability at least ½).
  • Carmichael number: a composite n such that for
    all a in Z_n^*, a^(n-1) ≡ 1 (mod n). (E.g., 561, 1729)

20
Error of MR Algorithm (Proof)
  • Let F_n = {x in Z_n^* | x^(n-1) ≡ 1 (mod n)}, the set of
    elements that do not violate Fermat's theorem.
  • Lemma: Let n be a composite non-Carmichael
    number. Then |F_n| ≤ ½ |Z_n^*|.
  • Clearly, F_n ≠ Z_n^*.
    • There exists a such that a^(n-1) ≠ 1 (mod n).
  • F_n forms a group.
    • It is closed under multiplication (trivial
      proof!).
  • F_n is a proper subgroup of Z_n^*. |F_n| divides
    |Z_n^*|, and |F_n| is strictly less than |Z_n^*|.

21
Detecting Carmichael Numbers
  • Computing a^B, a^(2B), ..., a^(2^r B) (mod n), where
    B = (n-1)/2^r, detects Carmichael numbers.
  • Idea: a^((n-1)/2) ∈ {1, -1}; how about a^((n-1)/4)? If
    a^((n-1)/4) ∈ {1, -1}, how about a^((n-1)/8)?
  • Prove by contradiction.
    • Assume n is Carmichael and, for all a, a^B ≡ 1 (mod n).
    • Property: a Carmichael number is the product of
      distinct primes. Thus, let n = p1 p2 ... pk.
    • Let g be a generator of Z_p1^*.
    • Let a = (g, 1), i.e., a ≡ g (mod p1), a ≡ 1
      (mod p2 ... pk), by CRT.
    • By assumption, a^B ≡ 1 (mod n). It implies g^B ≡ 1
      (mod p1) (why?).
    • Since g is the generator, (p1 - 1) | B, which
      contradicts B being odd.
  • Thus, for some a, a^B ≠ 1. The probability is ≥ ½.
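
The Miller-Rabin round of slide 18 run on the Carmichael numbers named in slide 19, as an added example that is not part of the original slides. It returns the square root of 1 other than ±1 that the sequence a^B, a^(2B), ... exposes, which is exactly what slide 21 says the repeated halving buys over the plain Fermat check; a brute-force `is_carmichael` and a `strong_liars` count are included so the reader can see how small the set of bases that fool one round is. Function names are my own; n is assumed odd.

```python
# Added example (not from the slides): one Miller-Rabin round as on slide 18,
# the witness it finds, and a brute-force Carmichael check. Names are my own.
import random
from math import gcd, isqrt


def split_power_of_two(m: int) -> tuple[int, int]:
    """Write m = 2^r * B with B odd; return (r, B)."""
    r = 0
    while m % 2 == 0:
        m //= 2
        r += 1
    return r, m


def miller_rabin_round(n: int, a: int):
    """One round with base a (n odd). Returns (verdict, witness): witness is
    the square root of 1 other than +-1 that was found, or None."""
    if pow(a, n - 1, n) != 1:                        # step 2: Fermat check
        return "COMPOSITE", None
    r, B = split_power_of_two(n - 1)
    seq = [pow(a, B << i, n) for i in range(r + 1)]  # a^B, a^2B, ..., a^(n-1)
    for i in range(r):
        # seq[i]^2 = seq[i+1]; a root of 1 that is neither 1 nor -1 is a witness
        if seq[i + 1] == 1 and seq[i] not in (1, n - 1):
            return "COMPOSITE", seq[i]
    return "POSSIBLY PRIME", None


def miller_rabin(n: int, bases: list[int]) -> str:
    """Repeat the round over the given bases; one COMPOSITE verdict is final."""
    for a in bases:
        if miller_rabin_round(n, a)[0] == "COMPOSITE":
            return "COMPOSITE"
    return "POSSIBLY PRIME"


def random_miller_rabin(n: int, k: int, seed: int = 0) -> str:
    """k rounds with random bases from {2, ..., n-1}, as the slide states it."""
    rng = random.Random(seed)
    return miller_rabin(n, [rng.randrange(2, n) for _ in range(k)])


def is_carmichael(n: int) -> bool:
    """Composite n with a^(n-1) = 1 (mod n) for every a in Z_n^* (brute force)."""
    if not any(n % d == 0 for d in range(2, isqrt(n) + 1)):
        return False                                  # prime, so not Carmichael
    return all(pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1)


def strong_liars(n: int) -> list[int]:
    """Bases in Z_n^* for which one round wrongly says POSSIBLY PRIME."""
    return [a for a in range(1, n) if gcd(a, n) == 1
            and miller_rabin_round(n, a)[0] == "POSSIBLY PRIME"]


if __name__ == "__main__":
    print(miller_rabin_round(561, 2))   # ('COMPOSITE', 67): 67^2 = 1 mod 561
    print(miller_rabin_round(13, 2))    # ('POSSIBLY PRIME', None)
    print(is_carmichael(561), is_carmichael(1729), len(strong_liars(561)))
```

With n = 561 and a = 2 the Fermat check passes (561 is Carmichael), but 560 = 2^4 · 35 and the sequence 2^35, 2^70, 2^140, 2^280, 2^560 reaches 1 at 2^280 while 2^140 ≡ 67, so 67 is a square root of 1 that is neither 1 nor -1 and 561 is declared composite.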

22
How to Find a Prime Number?
  • Algorithm
    • Randomly pick a number from [1, n-1].
    • Plug it into the primality testing algorithm.
    • If it fails, repeat the test with another number.
  • Are prime numbers rare? No.
  • Prime number theorem
    • No. of prime numbers less than n ≈ n / ln(n).
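
The pick-and-test loop of slide 22 together with a numerical check of the n / ln(n) estimate, as an added example that is not part of the original slides. To avoid repeating the Miller-Rabin code, the primality test plugged in here is slide 2's naïve trial division against a pre-computed list of small primes; the loop itself is the same whichever test is used. Function names are my own.

```python
# Added example (not from the slides): counting primes against n/ln(n) and the
# random pick-and-test loop of slide 22, using trial division as the test.
import math
import random


def primes_below(n: int) -> list[int]:
    """Sieve of Eratosthenes: all primes p < n (the 'pre-obtained' small primes)."""
    if n < 3:
        return []
    sieve = bytearray([1]) * n
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(n - 1) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, n, i)))
    return [i for i in range(n) if sieve[i]]


def count_primes_below(n: int) -> int:
    return len(primes_below(n))


def pnt_estimate(n: int) -> float:
    """Prime number theorem: about n / ln(n) primes below n."""
    return n / math.log(n)


def is_prime_trial(n: int, small_primes: list[int]) -> bool:
    """Slide 2's naive test: divide by primes up to sqrt(n)."""
    if n < 2:
        return False
    for p in small_primes:
        if p * p > n:
            return True
        if n % p == 0:
            return False
    raise ValueError("small_primes must reach sqrt(n)")


def random_prime(lo: int, hi: int, seed: int = 0) -> tuple[int, int]:
    """Pick candidates in [lo, hi) until one passes; return (prime, tries).
    By the PNT a random candidate is prime with probability about 1/ln(hi)."""
    rng = random.Random(seed)
    small = primes_below(math.isqrt(hi) + 2)
    tries = 0
    while True:
        tries += 1
        candidate = rng.randrange(lo, hi)
        if is_prime_trial(candidate, small):
            return candidate, tries


if __name__ == "__main__":
    for n in (100, 1000, 10 ** 5):
        print(n, count_primes_below(n), round(pnt_estimate(n), 1))
    print(random_prime(2 ** 15, 2 ** 16))
```

Below 1000 there are 168 primes against an estimate of about 144.8, and below 10^5 there are 9592 against about 8685.9, so the estimate is within a factor of 1.2 at these sizes and the expected number of tries in the loop is only about ln(n).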

23
References
  • R. Motwani and P. Raghavan, Randomized Algorithms,
    Ch. 14.
  • CMU, Randomized Algorithms,
    http://www-2.cs.cmu.edu/afs/cs/usr/avrim/www/Randalgs98/home.html
  • CLRS, Introduction to Algorithms, 2nd edition,
    Ch. 31.