PrimalityTesting

8/9/2019 PrimalityTesting

1/56

65112387446958366881923942145969953800626924435950339964198

47516597821043404346149754821313651248295011809897305234882

17604849891459778057054967254017402283951019004568043245699

36096174193551956320888960038090755727900082200406265017680

28435884619468950564170454846432453862380457244609969247306

15751567338172666663369837508486303768286429550147397297054

88036775436305673079052042214800531950686336777349203237323

97975517993945715855278968432919794177285181018284268174033

10002925573168128933182362794967600911511003449936961572554

45954327182865207502557837105358731941913590891094966871662

48136568590990063814532199022187070097396819344937738986467

20823643230814335965521642419645491307858853143371641075265

98039397758678313175538427826638313659492230010456240508987

53205919993128319427447106880586613048563395477720466875083

28899178891595194886840450860396435999878503843349138525495

29213495193686293776318094505436216559372408912695254043597

83586956772842552514468661008379743834183031357408064476079

56904130329294719892292120513720814383825499389789169157015

CA622Advanced Algorithms


2/56

Course Overview

4 Parts: 6 Lectures on each part

Part I

Primality Testing

Factorisation Implications to Cryptography

Part II,III and IV will be taught by another lecturer

Continuous Assessment

25% Groups of 5

Will be related to part I of the course


3/56

Course Overview

Exam:

8 exam questions, answer 4, one from eachpart of the course

Therefore there will be two questions on theexam relating to the next 6 hours of lectures


4/56

Course Website

Notes for part I can be found at

www.computing.dcu.ie/~cwhelan/teaching.htmlwww.computing.dcu.ie/~cwhelan/teaching.html

although the site is not live just yet


5/56

65112387446958366881923942145969953800626924435950339964198

47516597821043404346149754821313651248295011809897305234882

17604849891459778057054967254017402283951019004568043245699

36096174193551956320888960038090755727900082200406265017680

28435884619468950564170454846432453862380457244609969247306

15751567338172666663369837508486303768286429550147397297054

88036775436305673079052042214800531950686336777349203237323

97975517993945715855278968432919794177285181018284268174033

10002925573168128933182362794967600911511003449936961572554

45954327182865207502557837105358731941913590891094966871662

48136568590990063814532199022187070097396819344937738986467

20823643230814335965521642419645491307858853143371641075265

98039397758678313175538427826638313659492230010456240508987

53205919993128319427447106880586613048563395477720466875083

28899178891595194886840450860396435999878503843349138525495

29213495193686293776318094505436216559372408912695254043597

83586956772842552514468661008379743834183031357408064476079

56904130329294719892292120513720814383825499389789169157015

Advanced Algorithms:Part I

Lecturer:

Claire Whelan


6/56

Section 1:

Primality Testing


7/56

13 = 3x mod 19


8/56

Overview

Since ancient times mathematicians have been facinated by problemsconcerning prime numbers. Since the days of Euclid (ca. 270 BC) andEratosthenes (ca. 240BC) prime numbers have been the subject of intensemathematical scrutiny.

Why are they so interesting? Well prime numbers are more elusive than

they seem. They do not follow a set pattern or particular sequence, there isno formula that can tell you whether a number is definitively prime in areasonable amount of time.

The Prime pages demonstrates the current facination for primes

The search for primes continues http://www.mersenne.org/prime.html

On September 4th 2006 the most recent Mersenne prime was found. The 44th

known Mersenne prime, 2^32,582,657 1, a 9,808,358 digit number. Thediscoverers used 700 PCs as part of a grid (PrimeNet) in CMSU, which is networked

with 70,000 computersto work in parrallel to compute 22 trillion calculations per

second. This would have taken 4000 years on a single PC


9/56

Definition

A primeprime number is a positive integer phaving exactly two positive divisors, 1and p.

A compositecomposite number is a positiveinteger n > 1 which is not prime.

i.e. iff it admits a nontrivial factorisationn = ab, where a and b are integers and

between 1 and n. Hence, primality testing and factorisation

go hand in hand (a field inextricablyentwined with primes!)


10/56

Fundamental Theorem ofArithmetic

For each natural number n there is aunique factorisation

Where ai are positive integers and

p1 < p2 < pk

are primes.

1 2

1 2

kaa a

kn p p p! K


11/56

What is Primality Testing?

Primality testing

Determining whether a number is prime ornot

Prime factorisation

Decomposing a number into its constituentprime factors


12/56


13/56

Testing Primality?

Obvious approach:

Given an integer n, check if any integer m from 2 ton-1 divides n. If n is divisible by any m, then n is

composite, otherwise it is prime.An improvement:

Check whether n is divisible by any of the primenumbers

Also can skip all even m except 2, since if any evennumber divides n then 2 does

Can repeat this for all prime numbers (Sieve ofSieve ofEratosthenesEratosthenes)

ne


14/56

Sieve of Erratosthenes

pic


15/56

Primality Testing

Two varieties of prime tests1. Probablistic

Probable prime: a false positive, a composite number isidentified as prime. This will happen with very low probablity.

But much faster than deterministic tests Pseudoprime: A number which passes a probablistic primality

test but which is actually composite

Types:

Fermats Little Theorem

Miller-Rabin

2. Deterministic Identifes real prime numbers

Types:

Lucas-Lehmer

Elliptic Curve Primality Proving

AKS


16/56

Probabilistic Algorithms


17/56

Fermats Little Theorem

If p is prime and 1 < a < p, then

a p-1 = 1 mod p

To test if n is prime, a number of random as are

chosen in the interval, and see if the equalityholds for each value of a.

a n-1 = 1 mod n

However, some composites pass Fermats test,

and so are falsely identified asprime.Carmichael Numbers

Carmichael numbers are numbers that for allvalues of a for which gcd(a,n) = 1 are Fermat

liars.


18/56

Modular Exponentiation

How to calculate ak mod n?

As will be seen throughout the lecture,modular exponentiation is required for usein all primality tests


19/56

Modular Exponentiation:Square and Multiply

Input: a, k

Set b = 1

If k = 0, return b

Set A = a

If k0 = 1 then set b = a

For i = 1 to t

Set A = A2 mod n

if ki is 1

Set b = A*b mod n

Output ak mod n


20/56

Modular Exponentiation:Square and Multiply

Example: Calculate 5596 mod 1234= 1013

i 0 1 2 3 4 5 6 7 8 9ki 0 0 1 0 1 0 1 0 0 1

A 5 25 625 681 1011 369 421 779 947 925

b 1 1 625 625 67 67 1059 1059 1059 1013


21/56

Miller-Rabin

Similar to Fermat in that it tests a series ofequalities that old true for prime values. Thensee whether they hold for a number we want to

test.First a note about x 2 = 1 mod p where x in Fp x 2 = 1 mod p and so x = sqrt(1) mod p and so x =

+-1

However, (x+1)(x-1) = 0 mod p and so x can neitherbe + or 1.

Therefore, if a prime cannot divide either of these twointegers, it cannot divide their product.


22/56

Miller-Rabin

Let n be an odd prime. We can write n -1as 2sr, where s is an interget and r is odd.

So for all a in Fp* either

ar = 1 mod n

Or

= -1 mod n2s r

a


23/56


24/56

Miller-Rabin

If

ar = 1 mod n

Or

= -1 mod n

For some 0


25/56

Miller-Rabin Example

n = 91

90 = 2*45, s = 1, r = 45

{1,9,10,12,16,17,22,29,38,53,62,69,74,

75,79,81,82,90} are all strong liars. 945 = 1 mod 91

1045 = 1 mod 91

.

All other bases are strong witnesses.

97 = 9 mod 91

98 = 81 mod 91


26/56

Miller Rabin

If n is an odd composite, the number ofstrong liars for n is at mostJ(n)/4.

For example, J(91)/4 = 18

Note J(n) is the Euler Phi Function


27/56

Miller-Rabin: The AlgorithmInput: An odd integer n and security parameter t

Write n-1 = 2sr such that r is odd

For i to t do

Choose a random integer a, 2 < a < n 2Compute y = ar mod n

If y !=1 and y != n 1 then

j = 1

While j s 1 and y != n 1Compute y = y2 mod n

if y = 1 then return COMPOSITE

j = j+1

if y != n-1 then return COMPOSITE

Output PRIME


28/56

What is required to compute this?

Algorithm for modular exponentiation


29/56

Deterministic Algorithms


30/56

Special Primes

Generally deterministic algorithms areused to test prime numbers with a specialform, such as

Mersenne Primes

A prime of the form 2s - 1

Solinas Primes

A prime number with low hamming weight Particularly of interest for pairing-based

cryptography


31/56

Lucas-Lehmer test for MersennePrimes

Input: a Mersenne number n = 2s1 for s >3

Use trial division to check whether s has any factors between 2 and

Return COMPOSITE

Set u = 4

For k=1 to s-2

Compute u = (u2 2) mod n

If u = 0 Return PRIME

Else Return COMPOSITE

s -


32/56

Mersenne PrimesIndex Mj Digits

1 2 1

2 3 1

3 5 2

4 7 35 13 4

6 17 6

7 19 6

8 31 10

9 61 19

10 89 27

11 107 33

12 127 39

Index Mj Digits

13 521 157

14 607 183

15 1279 386

16 2203 66417 2281 687

18 3217 969

19 4253 1281

20 4423 1332

21 9689 2917

22 9941 2993

23 11213 3376

24 19937 6002


33/56

Elliptic Curve Primality Proving

2004

4769 digit number was certified as primein approx. 2000 hours of computation ~ 3months of uninterupted computing timeon a 1GHz processor


34/56


35/56

AKS: The AlgorithmInput: An odd integer n > 1

If(n is of the form ab, b>1) Output COMPOSITE;

r =2;

While(r < n){

if(gcd(n,r) != 1) Output COMPOSITE;if(r is prime)

let q be the largest prime factpr of r-1;

if((q>=4*sqrt(r)*log n)&&(n(r-1)/q!=1 mod r))

break;

r = r+1;

}

For(a=1 to 2*sqrt(r)*log n){

if((x - a)n !=(xn - a) mod(n,xr-1)) Output COMPOSITE;

}

Output PRIME;


36/56

Organisation of the AKS algorithm

Module 1:

Detecting Perfect Powers

Module 2:

Finding a suitable r value

Module 3:

Evaluating a prime identity function


37/56

What is a Perfect Power?

n is a perfect power if n

can be written as: n = ab

For example,

65536 = 216

Therefore, need an algorithm to determinewhether n can be written as an integer to thepower of another integer.

A brute force approach is obviously not feasible.A method by Dan Bernstein gives an optimisedapproach

Ref: Detecting Perfect Powers in Essentially

Linear Time, Mathematics of Computation,1998.


38/56

Bernsteins Detecting Perfect Powers

Only prime exponents are checked.

If n = ab, then n = (am)p = xp

Therefore the following main checks areperformed

n = x2

n = 2p n = xn = xpp due to Bernstein


39/56

Bernsteins Detecting Perfect Powers

1. Compute an intermediate value y to helpchoose an appropriate approximation to the p-th root

2. An approximate p-th root of n is calculatedusing Newtons method3. This approximate root x is tested to see if n =

xp. If so then x is a perfect power, if not thenanother p value is chosen up to log2n

The proof for these steps is given in Bernsteins

paper.


40/56

Algorithms required to computeModule 1?

Method to generate square roots

Method to generate prime numbers

a bit of a chicken and egg scenario!Method to generate the tentative root pand finding whether xp = n

Newtons Method

Obviously, a fast exponentiationalgorithm


41/56

r is the value that will be used as the exponentof the modulus polynomial xr 1in the primeidentity function

The value rmust satisfy a numberof conditions: r< n

rmust be prime

r is O(log6n)

r-1 contains a prime factorwhich is close to the size

of the square root ofr

Requiring both primality and factorisationmethods!

How do we find the correctr?


42/56

The Algorithm to find r

Intermediate primality test

Factorization method Trial Division

Pollard Rho

Pollard p-1

GCD method

Euclidean AlgorithmSquare Root method

Log2 method


43/56

Euclidean Algorithm

Input: Two non negative numbers a and b with a>=b

While b!=0

set r = a mod b, a = b, b = r

Output a


44/56


45/56

Square Root

Firstly, use the Legendre Symbol to determinewhether a square root exists or not

x = y^2

Is x a quadratic residue or a quadratic non-residue?

If it is found that a square root exists, then a squareroot algorithm must be used to find the square root.

( 1) /1

mod1

nx is a QRx

x n x is a QNRn

! !


46/56

What is the Prime Identity Function?

The prime identity function is the heart of theprimality test

n is prime iff

for a = 1.bound

(x a)n = xn a mod (n, x r-1)

If LHS = RHS, for every value of a=> n is prime

This identity is based on Fermats little theorem


47/56

Example on board to demonstrate


48/56

What do we need for this part?

Knowledge of how operations onpolynomials are performed a polynomial

API?

Polynomial addition, multiplication,reduction


49/56

So how good is it?

Say n = 833310469,

a = 1, r = 53699

=>(x-1) 833310469 = x 8333104691

(mod 833310469, x53699-1)This primality test will take a very long time tocomplete

The number of polynomial operations to be

performed = 833310469 * aThis is without module 1 OR module 2 beingevaluated

ANDAND 833310469 is not a big prime number


50/56

6511238744695836688192394214596995380062692443595033996412

9501180989730523488241760484989145977805705496725401740228

3951019004568043245699236096174193551956320888960038090755

72790008220040626501768062843588461946895056417045484643245386238045724460996924730661575156733817266666336983750848

6303768286429550147397297054688036775436305673079052042214

8005319506863367773492032373234979755179939457158552789684

3291979417728518101828426817403361000292557316812893318236

27949676009115110034499369615725541459543271828652075025578371053587319419135908910949668716622481365685909900638145

3219902218707009739681934493773898646752082364323081433596

5521642419645491307858853143371641075265198039397758678313

1755384278266383136594922300104562405089876532059199931283

1942744710688058661304856339547772046687508342889917889159

5194886840450860396435999878503843349138525495629213495193

6862937763180945054362165593724089126952540435970835869567

7284255251446866100837974383418303135740806447607915690413

0329294719892292120513720814383825499389789169157015902231


51/56

Implementation

Have mentioned some of the algorithmswhich are required to implement AKS andother primality tests.

Some libraries will have some of thesealgorithms in built. For example, JavasBigInteger API.


52/56


53/56


54/56

References

Pomerence

Prime Numbers, A Computational Perspective

Bressoud

Factorisation and Primality Testing

Koblitz

A Course in Number Theory and Cryptography

Wolfram Mathworld, WikipediaThe Prime Pages

http://primes.utm.edu/


55/56

Task

Recap on finite field and modulararithmetic

Implement modular exponentiation

Implement any of the probabilistic or ifyou are patient deterministic primality test


56/56

Techniques

Trial Division

p-1 Method

p+1 MethodPollard Rho Method

Continued Fraction Method

Quadratic

Sieve

Elliptic Curve Method

Number Field Sieve

PrimalityTesting

Documents

Transcript of PrimalityTesting