Prime Numbers
Difficulties in Factoring a Number: from the Perspective of Computation
Computer Security
Department of Computer Science and Engineering, Ocean University
丁培毅
Prime number: an integer p > 1 that is divisible only by 1 and itself, e.g. 2, 3, 5, 7, 11, 13, 17, ...
Composite number: an integer n > 1 that is not prime; it can be expressed as a product a·b of integers with 1 < a, b < n; the prime factorization of n is unique
Fact: there are infinitely many prime numbers (Euclid).
Prime Number Theorem: the number of primes less than x, π(x) ≈ x/ln x
How difficult is it to certify a prime number?
How difficult is it to factor a composite number?
Computation Theory
[figure: nested areas labelled Complexity Theory, Computability Theory and Automata Theory]

Complexity Theory:
  central problem: "What makes some problems computationally hard and others easy?"
  major achievements:
    1. Schemes for classifying problems of different computational difficulties
    2. Options in confronting a difficult problem
       - What is the most difficult part of a problem? Can we alter this part to avoid that problem?
       - Are there sub-optimal or heuristic solutions to a problem?
       - What kind of instance of a problem is hard?
       - Is there a randomized computable algorithm for a problem?

Computability Theory:
  central problem: "What is computable? What is not computable? In what model?"
  major achievements:
    1. Theoretical models of computers (e.g. LBA, DTM, NTM, ...)
    2. Classify problems as solvable or non-solvable

Automata Theory: definitions and properties of mathematical models of computation
  - Finite automata: text processing, compilers, H/W design
  - Push down automata: programming languages, artificial intelligence
Turing Machine
Complexity / Computability is defined w.r.t. a certain model of computation
[figure: a tape holding d a c b a Y with a read/write head and a finite state control]
Alan Turing, 1936
Similar to a finite automaton but with an unlimited and unrestricted memory
Formally, a 7-tuple (Q, Σ, Γ, δ, q0, qaccept, qreject)
1. Q is the set of states
2. Σ is the input alphabet, not containing the special blank symbol Y
3. Γ is the tape alphabet, where Y ∈ Γ and Σ ⊆ Γ
4. δ: Q × Γ → Q × Γ × {L, R} is the transition function
5. q0 ∈ Q is the initial state
6. qaccept ∈ Q is the accept state
7. qreject ∈ Q is the reject state, where qreject ≠ qaccept
Turing Machine (cont'd)
A TM computes as follows:
- M's input w = w1w2...wn ∈ Σ* is placed on the leftmost n squares of the tape; the rest of the tape is blanks Y (the first Y marks the end)
- The initial state is q0
- The read/write head starts on the leftmost square
- Computation proceeds according to the transition function δ
- If M tries to move its head to the left off the left-hand end of the tape, the read/write head stays in the same place for that move
- The computation continues until it enters either the accept or the reject state. If neither occurs, M goes on forever.
[figure: a tape holding d a c b a Y with a read/write head and a state]

DTM vs. NTM
- Deterministic Turing Machine: at any time, a DTM knows its next configuration (the state, the tape head, the tape content) for sure; a single configuration is specified by its transition function δ: Q × Γ → Q × Γ × {L, R}
- Non-deterministic Turing Machine: at each moment, an NTM has several choices for its next configuration, i.e. the range of the transition function is modified to be a set: δ: Q × Γ → P(Q × Γ × {L, R})
- An NTM has two equivalent evaluation ways if you only consider the capability:
  - process in a parallel fashion
  - process in a probabilistic fashion
  The probabilistic one seems slower. If you consider the time complexity, in polynomial time the parallel one defines the class NP, and the probabilistic one defines the class BPP. Security professionals surely believe that BPP ⊂ NP.
- An NTM can be proved to be equivalent to a DTM
Deterministic vs. Nondeterministic
[figure: computation trees; a deterministic computation is a single chain of configurations ending in accept or reject, a nondeterministic computation branches on each input x, with every branch ending in accept or reject]
Note that an NTM decider halts on all branches.

Many-One (Mapping) Reducibility
Def: Given two problems P and Q, P is reducible to Q iff there exists a TM Mτ (computable function, algorithm, program, etc.) which can transform every instance in P to an instance of Q
[figure: Mτ maps each instance x of P to an instance τ(x) of Q]
Properties: capture the difficulties between problems
- If Q is solvable, then P is also solvable
- If P is a well-known unsolvable problem and can be reduced to Q, then Q is also unsolvable
Extension: efficient mapping reducibility, where Mτ is poly-time
Turing Reducibility
There are some intuitive reducibility cases that cannot be captured by "mapping reduction", e.g.
- ATM and its complement seem to be reducible to one another (a solution to either one could be used to solve the other by simply reversing the answer). However,
- the complement of ATM is not mapping reducible to ATM because it is not Turing-recognizable (finding a solution that maps each unacceptable <M, w> to an acceptable <M, w> is clearly not possible)
We need a general notion that captures more problem reductions.
Def: Given two problems P and Q, P is Turing reducible to Q iff there exists an oracle TM M^A which, given an oracle A for solving problem Q, can solve every instance in P, i.e. M^A uses A as a subroutine (a black box) and can invoke A (polynomially) many times
Language Examples
(c) regular: closed under union, intersection, and complement
  Σ = {0, 1}: 0*10*, Σ*1Σ*, Σ*001Σ*, (ΣΣ)*, 01 ∪ 10, (0 ∪ ε)1*,
  D = {w | w has an equal number of occurrences of 01 and 10 as substrings},
  Bn = {a^k | k is a multiple of n, n ≥ 1},
  Cn = {x | x is a binary number that is a multiple of n}
(d) CFL: closed under union
  B = {0^n 1^n | n ≥ 0}, C = {w | w has an equal number of 0's and 1's},
  D = {1^(n^2) | n ≥ 0}, E = {0^i 1^j | i ≥ j}, {0^n 1^m 0^n | m, n ≥ 0},
  {0^m 1^n | m ≠ n}, {a^i b^j c^k | i, j, k ≥ 0 and i = j or i = k}, {w w^R | w ∈ {0,1}*},
  {w | w ∈ {0,1}* and w is not a palindrome}
(e) CSL:
  {w w | w ∈ {0,1}*}, {w # w | w ∈ {0,1}*}, {w w w | w ∈ {0,1}*},
  {a^n b^n c^n | n ≥ 0}, {a^i b^j c^k | 0 ≤ i ≤ j ≤ k}, {a^(2^n) | n ≥ 0},
  {a^i b^j c^k | i×j = k, i, j, k ≥ 1}, {#x1#x2#...#xl | xi ∈ {0,1}*, xi ≠ xj ∀ i ≠ j},
  {<G> | G is a connected undirected graph}, {w | w is a palindrome}
Language Classes
[figure: nested language classes, labelled (c) to (i) as in the examples]
- regular (regular expression; finite automata) ⊂ context free (context free grammar; push down automata (PDA)) ⊂ context sensitive (context sensitive grammar; linear bounded automata (LBA)) ⊂ recursive ⊂ recursive enumerable
- (f) recursive (language) = Turing decidable = decidable = solvable (problem) = computable (function) (TM can decide); ? µ-recursive function, ? primitive recursive function
- (g) recursive enumerable = Turing recognizable = Turing enumerable = semi-solvable (TM can semi-decide); ? unrestricted grammar
- (h) co-Turing recognizable
- (i) not Turing recognizable nor co-recognizable
- decidable examples: AREX, EREX, EQREX, ANFA, ENFA, EQNFA, ADFA, EDFA, ACFG, ECFG, ALBA
* Unsolvable means undecidable (includes semi-solvable and totally unsolvable)
Language Examples (cont'd)
(f) Recursive (Turing computable, infinite tape required)
(g) or (h) or (i):
  {p | p is a polynomial with two or more variables with an integral root} (Hilbert's 10th),
  ELBA, ETM, REGULARTM, CFLTM (Rice's Thm: testing any property (e.g. CS, CF, regular, finite, decidable) of L(M), where M is a TM, is non-decidable), ALLCFG, PCP,
  {incompressible strings}
(g) Recursive Enumerable (Turing recognizable): ATM, HALTTM
(h) co-Turing recognizable: the complements of ATM and HALTTM, EQCFG, MINTM, Th(N, +, ×)
(i) Not Turing recognizable nor co-Turing recognizable: EQTM and its complement
Complexity Classes
- P: O(n^k), the class of problems that can be polynomially decided by a DTM
- NP: polynomially decided by an NTM (has a polynomial time verifier)
  - P ⊆ NP
  - the worst case is difficult to solve; general instances might be easy
  - a witness can be verified in polynomial time
- BPP: polynomially decided by a probabilistic TM (a sort of NTM)
  - BPP ⊆ NP (BPP =? NP)
- RP: BPP with one-sided error probability (accept with error prob. < 1/2, reject with prob. 1)
  - RP ⊂ BPP ⊆ NP
- EXPTIME: O(2^(n^k)), decided by a DTM in exponential time steps
  - P ⊆ NP ⊆ EXPTIME
  - n! is larger than e^n; however TSP ∈ EXPTIME
- NP-hard (non-deterministic polynomial time hard): the problem H is NP-hard if for every decision problem L in NP there is an oracle machine that has an oracle for solving H and this oracle machine can solve L in polynomial time (poly-time Turing reduction)
  - for all decision problems in NP, there is a polynomial-time many-one reduction to H, which is in NP-hard
- NP-complete: NP-hard ∩ NP

Refining Complexity Classes
- PSPACE: can be solved by a deterministic TM with the memory requirement a polynomial in n
- NPSPACE: nondeterministic TM, polynomial space
  - P ⊆ NP ⊆ PSPACE = NPSPACE ⊆ EXPTIME
  - PSPACE-complete
- IP: IP = PSPACE
- EXPSPACE: exponential space is required
- L: sublinear space, deterministic TM
- NL: sublinear space, nondeterministic TM
  - NL-complete

Complexity Classes (cont'd)
[figure: nested classes P ⊂ NP (containing NPC, bordering NP-hard) and co-NP, BPP, PSPACE/IP, EXPTIME, EXPSPACE, drawn inside TM decidable, TM recognizable and co-TM recognizable]
Refining Complexity Classes: NP vs. co-NP
Four possibilities:
1. P = NP = co-NP
2. P ⊂ NP = co-NP (NP might be closed under complement)
3. P = NP ∩ co-NP, with NP ≠ co-NP
4. P ⊂ NP ∩ co-NP, with NP ≠ co-NP
[figure: Venn diagrams of the four cases, annotated "most unlikely" and "most likely", with the analogues REX ⊂ CFL and NL = coNL]
NP-Complete problems
[figure: reduction chain from all NP problems to CIRCUIT-SAT, then SAT, 3SAT, Bounded-Tiling, CLIQUE, SUBSET-SUM, TSP, VERTEX-COVER, HAM-CYCLE]

Problem Definitions
- PRIMES: the problem to decide if an integer is a prime number; in terms of language decidability, the language L is {the set of all prime numbers}
- COMPOSITES: the problem to decide if an integer is composite (i.e. not prime)
- PAPP (Prime ∨ Absolute Pseudo Prime): the problem to decide if an integer passes Fermat tests to all bases (i.e. it is an absolute pseudoprime (Carmichael number) or a prime)
- FACTORING (this is a search problem): the problem to find the factors of a composite integer
Pseudoprimes
Def: a pseudoprime to the base b is a composite positive integer n such that the integer b satisfies b^(n-1) ≡ 1 (mod n)
- Ex. 341 = 11·31, 561 = 3·11·17, and 645 = 3·5·43 are pseudoprimes to the base 2
- Note: 341 is not a pseudoprime to the base 7
- There are 455,052,512 primes less than 10^10 but only 14884 pseudoprimes to the base 2.
- There are infinitely many pseudoprimes to any given base.
Def: a Carmichael number (an absolute pseudoprime) is a composite integer that satisfies b^(n-1) ≡ 1 (mod n) for all positive integers b where gcd(b, n) = 1
- If n = q1 q2 ... qk, where the qj are distinct primes that satisfy (qj - 1) | (n - 1) for all j, then n is a Carmichael number
- There are infinitely many Carmichael numbers (conjectured 1912 by Carmichael, proved 1992 by Alford, Granville and Pomerance)
- There are 43 Carmichael numbers not exceeding 10^6, and 105,212 of them not exceeding 10^15
- Carmichael numbers cannot be distinguished from a prime number by the "Fermat Test" with respect to any integer base

Pseudoprimes (cont'd)
Ex. 561 = 3·11·17 and 6601 = 7·23·41 are Carmichael numbers
  If gcd(b, 561) = 1 then gcd(b, 3) = gcd(b, 11) = gcd(b, 17) = 1.
  From Fermat's Little Theorem, b^2 ≡ 1 (mod 3), b^10 ≡ 1 (mod 11), and b^16 ≡ 1 (mod 17).
  Consequently, b^560 ≡ (b^2)^280 ≡ 1 (mod 3), b^560 ≡ (b^10)^56 ≡ 1 (mod 11), and b^560 ≡ (b^16)^35 ≡ 1 (mod 17).
  By CRT, b^560 ≡ 1 (mod 561)
PAPP
Def: PAPP = {p | p is a prime number or an absolute pseudoprime}
Claim: PAPP is a decidable problem
Fermat Test ... a probabilistic poly-time algorithm to decide PAPP: given an integer p,
  step 1. randomly pick a < p and compute b ≡ a^(p-1) (mod p)
  step 2. if b ≢ 1 (mod p), reject (i.e. declare p ∉ PAPP), else repeat k times
  step 3. otherwise accept (declare p ∈ PAPP)
This PPT algorithm decides PAPP with a one-sided error rate:
  Pr{Fermat Test declares x ∈ PAPP | x ∉ PAPP} = 2^-k
  Pr{Fermat Test declares x ∉ PAPP | x ∈ PAPP} = 0

Error Probability of the Fermat Test
Lemma: for any integer n > 1, if n fails the Fermat test to some base a in Zn (i.e. n ∉ PAPP), then n fails the Fermat test to at least half of all numbers in Zn
Proof:
  given a ∈ Zn such that a^(n-1) ≢ 1 (mod n) (i.e. a is a witness for the composite number n),
  we want to prove that for any non-witness h, i.e. h^(n-1) ≡ 1 (mod n), there exists a unique witness t such that t^(n-1) ≢ 1 (mod n), i.e. #witnesses ≥ n/2
  let n = q · r with gcd(q, r) = 1 (for applying CRT)
  1. construct t ≡ h (mod q), t ≡ a (mod r); in that case t^(n-1) ≡ 1 (mod q) and t^(n-1) ≢ 1 (mod r), i.e. t is a witness (note that we assume a^(n-1) ≢ kr + 1 (mod n), i.e. a^(n-1) ≢ 1 (mod r); otherwise construct t ≡ h (mod r), t ≡ a (mod q))
  2. if h' ≠ h then t' ≠ t from CRT, i.e. t is a distinct witness
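As an added example (not from the slides), the Fermat test of the PAPP slide together with the pseudoprime and Carmichael definitions above; function names such as fermat_test and witness_count are my own. witness_count also checks the lemma's bound and shows the caveat that the construction in the proof needs a witness coprime to n, which a Carmichael number such as 561 does not have.

```python
import random
from math import gcd

def is_prime_trial(n: int) -> bool:
    """Reference primality by trial division (small n only; used to tell composites apart)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def prime_factors(n: int) -> dict:
    """Prime factorization {q: exponent} by trial division (small n only)."""
    fs, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            fs[d] = fs.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        fs[n] = fs.get(n, 0) + 1
    return fs

def passes_fermat(n: int, b: int) -> bool:
    """n passes the Fermat test to base b: b^(n-1) ≡ 1 (mod n)."""
    return pow(b, n - 1, n) == 1

def is_pseudoprime(n: int, b: int) -> bool:
    """Pseudoprime to base b (slide definition): a composite n that passes the Fermat test."""
    return n > 1 and not is_prime_trial(n) and passes_fermat(n, b)

def is_carmichael(n: int) -> bool:
    """Carmichael number by the criterion on the slide: n composite, n = q1...qk with
    distinct primes qj, and (qj - 1) | (n - 1) for every j."""
    if n < 3 or is_prime_trial(n):
        return False
    return all(e == 1 and (n - 1) % (q - 1) == 0 for q, e in prime_factors(n).items())

def fools_every_coprime_base(n: int) -> bool:
    """True iff every base b with gcd(b, n) = 1 passes the Fermat test (absolute pseudoprime)."""
    return all(passes_fermat(n, b) for b in range(1, n) if gcd(b, n) == 1)

def fermat_test(p: int, k: int, seed=None) -> bool:
    """k-round Fermat test for PAPP (steps 1-3 on the slide). Returns True (accept,
    p ∈ PAPP) or False (reject). The error is one-sided: p ∈ PAPP is never rejected."""
    if p < 4:
        return p > 1
    rng = random.Random(seed)
    for _ in range(k):
        a = rng.randrange(2, p)            # step 1: random base a < p
        if pow(a, p - 1, p) != 1:          # step 2: a is a witness, reject
            return False
    return True                            # step 3: accept after k clean rounds

def witness_count(n: int) -> int:
    """Number of a in Zn with a^(n-1) ≢ 1 (mod n). The lemma on the slide gives
    ≥ n/2 when a witness exists in Zn*; a Carmichael number has witnesses only
    among the non-units (n - φ(n) of them), which can be fewer than n/2."""
    return sum(1 for a in range(n) if pow(a, n - 1, n) != 1)
```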
Error Probability (cont'd)
The previous lemma implies that for an n ∉ PAPP, if you randomly pick a number a ∈ Zn and perform the Fermat test to this base on n, you have a probability greater than 0.5 of getting a witness in Zn, i.e.
  Pr{a single repetition of FT declares n ∉ PAPP | n ∉ PAPP} ≥ 1/2
With k repetitions (each picks a base independently),
  Pr{Fermat Test declares n ∈ PAPP | n ∉ PAPP} ≤ 2^-k

Miller-Rabin Test
The Fermat test cannot distinguish Carmichael numbers from true prime numbers, while the "Miller-Rabin Test" can.
The Miller-Rabin test for primality utilizes another number theory property:
- The number 1 has exactly two square roots, 1 and -1, modulo any prime number p
- For a composite number c (which could be a Carmichael number), 1 has four or more square roots modulo c
- One pass in the Miller-Rabin test: "if a number p passes the Fermat test to the base a, the algorithm finds one of the square roots of 1 modulo p at random and determines whether that square root is 1 or -1. If it is not, we know that the number p is not a prime", i.e. starting from 1 ≡ a^(p-1) (mod p), a^((p-1)/2) is a square root of 1, then a^((p-1)/4), ...

Basic Factoring Principle
Is n a composite number?
Let n be an integer and suppose there exist integers x and y with x^2 ≡ y^2 (mod n), but x ≢ ±y (mod n). Then n is composite, and both gcd(x-y, n) and gcd(x+y, n) are nontrivial factors of n.
Proof:
  let d = gcd(x-y, n).
  Case 1: assume d = n ⇒ x ≡ y (mod n), a contradiction
  Case 2: assume d = 1 (the trivial factor)
    x^2 ≡ y^2 (mod n) ⇒ x^2 - y^2 = (x-y)(x+y) = k · n
    d = 1 means gcd(x-y, n) = 1 ⇒ n | x+y ⇒ x ≡ -y (mod n), a contradiction
  Cases 1 and 2 imply that 1 < d < n, i.e. d must be a nontrivial factor of n
One Pass of Miller-Rabin Primality Test
Let n > 1 be odd, and write n-1 = 2^k · m with m odd
Choose a random integer a with 1 < a < n-1
Compute b0 ≡ a^m (mod n)
  if b0 ≡ ±1 (mod n), stop, n is probably prime
Compute b1 ≡ b0^2 (mod n)
  if b1 ≡ 1 (mod n), stop, gcd(b0 - 1, n) is a factor of n
  if b1 ≡ -1 (mod n), stop, n is probably prime
Compute b2 ≡ b1^2 (mod n)
  ...
Compute b(k-1) ≡ b(k-2)^2 (mod n)
  if b(k-1) ≡ 1 (mod n), stop, gcd(b(k-2) - 1, n) is a factor of n
  if b(k-1) ≡ -1 (mod n), stop, n is probably prime
Compute bk ≡ b(k-1)^2 (mod n)
  if bk ≡ 1 (mod n), stop, gcd(b(k-1) - 1, n) is a factor of n
  otherwise n is composite (Fermat's Little Thm, bk ≡ a^(n-1) (mod n))
(margin notes on the slide next to the "probably prime" branches: "n will pass the Fermat test", "n is a pseudoprime")
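One pass of the Miller-Rabin test as laid out above, as an added example that is not taken from the slides (names such as mr_one_pass are mine). It returns the verdict, the factor that the basic factoring principle yields when a square root of 1 other than ±1 turns up, and the b0, b1, ... sequence, so the different kinds of sequence can be seen on 561, 2047, 341 and 7919.

```python
import random
from math import gcd

def split_power_of_two(n_minus_1: int):
    """Write n-1 = 2^k * m with m odd; returns (k, m)."""
    k, m = 0, n_minus_1
    while m % 2 == 0:
        k += 1
        m //= 2
    return k, m

def mr_one_pass(n: int, a: int):
    """One pass of Miller-Rabin on odd n > 2 with base a, following the slide.
    Returns (verdict, factor, sequence): verdict is 'probably prime',
    'composite, factored' or 'composite'; factor is a nontrivial divisor of n
    when one falls out of the basic factoring principle; sequence is b0, b1, ..."""
    if n <= 2 or n % 2 == 0 or not 1 < a < n - 1:
        raise ValueError("need odd n > 2 and 1 < a < n-1")
    k, m = split_power_of_two(n - 1)
    b = pow(a, m, n)                                  # b0 = a^m mod n
    seq = [b]
    if b == 1 or b == n - 1:
        return 'probably prime', None, seq
    for i in range(1, k + 1):                         # b1 .. bk by repeated squaring
        prev, b = b, b * b % n
        seq.append(b)
        if b == 1:
            # prev^2 ≡ 1 but prev ≢ ±1: take x = prev, y = 1 in the basic
            # factoring principle, so gcd(prev - 1, n) is a nontrivial factor
            return 'composite, factored', gcd(prev - 1, n), seq
        if i < k and b == n - 1:
            return 'probably prime', None, seq
    # bk ≡ a^(n-1) ≢ 1 (mod n): n fails the Fermat test, hence composite
    return 'composite', None, seq

def miller_rabin(n: int, rounds: int, seed=None):
    """Repeat the one-pass test with independently chosen random bases.
    Returns ('probably prime', None) or ('composite', factor_or_None)."""
    if n < 4:
        return ('probably prime' if n in (2, 3) else 'composite'), None
    if n % 2 == 0:
        return 'composite', 2
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        verdict, factor, _ = mr_one_pass(n, a)
        if verdict != 'probably prime':
            return 'composite', factor
    return 'probably prime', None
```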
One Pass of MRP Test (cont'd)
In summary, there are 4 possible sorts of sequences for b0, b1, b2, ..., b(i-1), bi, ..., bk:
  342, 22, 5, 1, 1, 1, 1, ..., 1          composite, factored
  45, 5634, 325, 213, -1, 1, ..., 1       possibly prime
  ±1, 1, 1, ..., 1                        possibly prime
  214, 987, ..., 8931, 321, 134           composite

Strong Pseudoprime
- If n passes the Miller-Rabin test with base a (without being identified as a composite), we say that n is a strong pseudoprime number to the base a.
- Ex. 2047 is a strong pseudoprime to the base 2
- Up to 10^10, there are only 3291 strong pseudoprime numbers to the base 2
- There are infinitely many strong pseudoprimes to the base 2
- Among strong pseudoprimes there is no parallel to what the Carmichael numbers are among the pseudoprimes.

Error Probability of MRP-Test
Def: PRIMES = {p | p is a prime number}
The Miller-Rabin primality test selects a1, ..., ak randomly in Zp and repeats the previous square-root test k times; it is a probabilistic polynomial time algorithm
The maximum error probability is Pr{MR declares x ∈ PRIMES | x ∉ PRIMES} = 2^-k, or even stronger, = 4^-k
On the other hand, Pr{MR declares x ∈ PRIMES | x ∈ PRIMES} = 1

Error Probability (cont'd)
Lemma 1: Pr{MR declares x ∈ PRIMES | x ∈ PRIMES} = 1
  the MR algorithm rejects x only when 1) a^(x-1) ≢ 1 (mod x), or 2) one of the successive square roots of a^(x-1) is ≢ ±1 (mod x) although its square is ≡ 1 (mod x); however, both cases imply that x must be composite, a contradiction with the assumption x ∈ PRIMES
Lemma 2: Pr{MR declares x ∈ PRIMES | x ∉ PRIMES} = 2^-k
  We want to show that if p is an odd composite number and a is selected randomly in Zp, then Pr{a is a composite witness} > 1/2,
  i.e. we would like to demonstrate that at least as many witnesses as non-witnesses exist in Zp; we could prove that for any non-witness h, i.e. , there exists a unique witness b, i.e. #witnesses > p/2
Error Probability (cont'd)
Thm 6.10 (Kenneth Rosen, Elementary Number Theory, 4th Ed., Addison-Wesley): If n is an odd composite positive integer, then n passes Miller-Rabin's test for at most (n-1)/4 bases b with 1 ≤ b ≤ n-1
- Stronger convergence property: Pr{MR declares x ∈ PRIMES | x ∉ PRIMES} = 4^-k

Error Probability (cont'd)
Conjecture 6.1: Generalized Riemann hypothesis
Thm 6.11: For every composite positive integer n, there is a base b with b < 2(log2 n)^2, such that n fails Miller-Rabin's test for the base b
Thm 6.12: If the generalized Riemann hypothesis is valid, then there is an algorithm to determine whether a positive integer n is prime using O((log2 n)^2) bit operations
Miller-Rabin Primality Test
Both of these two tests can identify subsets of composite numbers
[figure: I = P ∪ C; C = SPPa ∪ (C \ SPPa) = PPa ∪ (C \ PPa); SPPa ⊂ PPa, so C \ PPa ⊂ C \ SPPa ⊂ C]
- I: integers; P: prime numbers; C: composite numbers
- PPa: pseudoprime numbers for base a, the set of composite n where a^(n-1) ≡ 1 (mod n)
- SPPa: strong pseudoprime numbers for base a, the set of composite n where the M-R test says 'probably prime'
- SPPa is the mysterious part: not prime, but cannot be identified as composite

One Pass of Miller-Rabin Primality Test
Both of these two tests can identify subsets of composite numbers
[figure: I = P ∪ C; C = SPP ∪ (C \ SPP) = CM ∪ (C \ CM); ? SPP ⊂ CM; SPP = φ?; CM ⊂ C \ SPP ⊆ C]
- SPP: strong pseudoprime numbers for all bases a, the set of composite n where the M-R test says 'probably prime'
- CM: Carmichael numbers, the set of composite n where a^(n-1) ≡ 1 (mod n) for all bases a
- ? marks the mysterious part: not prime, but cannot be identified as composite
Practical Question
Consider a composite number n = p · q, where p and q are two large prime numbers, each with k/2 bits
- Applying the Miller-Rabin test on n k times, the probability that n is not detected as a composite is less than 2^-k, which is extremely small if k is, say, 1024
- Note that n must at least satisfy n ∉ PAPP, otherwise the Miller-Rabin test will factor n in the process of identifying its compositeness
- But there is still some chance that for some base a, n passes the Fermat test but is detected by the Miller-Rabin test
Is n still hard to factor?
Actually, factoring n is a hard non-poly-time problem:
  GNFS: exp{(1.923 + O(1)) (ln n)^(1/3) (ln ln n)^(2/3)}

COMPOSITES
- COMPOSITES ∈ NP
  - There are several kinds of witnesses for a composite number (an instance of COMPOSITES), e.g.:
    - a factor of it (one of them is enough), or
    - a positive integer a such that a^(n-1) ≢ 1 (mod n), or
    - a positive integer a such that a^(n-1) ≡ 1 (mod n) and a^(s·2^j) ≢ ±1 (mod n) and a^(s·2^(j+1)) ≡ 1 (mod n), where n-1 = s · 2^k, s is an odd integer and 0 ≤ j < k
- actually, COMPOSITES ∈ RP ⊂ BPP ⊂ NP
  - use the probabilistic Miller-Rabin algorithm to decide if a number is a composite number
  - the error probability: if x ∈ COMPOSITES, Pr{accept x} > 1/2; if x ∉ COMPOSITES, Pr{reject x} = 1

PRIMES
- The complement of COMPOSITES
  - PRIMES ∈ CoNP by definition
- PRIMES ∈ NP
  - There are several kinds of witnesses for a prime number (an instance of PRIMES), e.g. the Pratt certificate and the Atkin-Goldwasser-Kilian-Morain certificate
- PRIMES ∈ RP ⊂ BPP ⊂ NP
  - use the probabilistic Miller-Rabin algorithm to decide if a number is a prime number
  - the error probability: if x ∈ PRIMES, Pr{accept x} = 1; if x ∉ PRIMES, Pr{reject x} > 1/2

Prime Witness: Pratt Certificate
By applying the converse of Fermat's little theorem to n and recursively to each purported factor of n-1, a certificate for a given prime number n can be generated (for primes < 10^10)
ex. n = 7919, n-1 = 7918 = 2 · 37 · 107, let a = 7:
  7^7918 ≡ 1 (mod 7919), 7^(7918/2) ≢ 1, 7^(7918/37) ≢ 1, 7^(7918/107) ≢ 1 (mod 7919)
  n = 37, n-1 = 36 = 2^2 · 3^2, let a = 2: 2^36 ≡ 1 (mod 37), 2^(36/2) ≢ 1, 2^(36/3) ≢ 1 (mod 37)
  n = 107, n-1 = 106 = 2 · 53, let a = 2: 2^106 ≡ 1 (mod 107), 2^(106/2) ≢ 1, 2^(106/53) ≢ 1 (mod 107)
  n = 53, n-1 = 52 = 2^2 · 13, let a = 2: 2^52 ≡ 1 (mod 53), 2^(52/2) ≢ 1, 2^(52/13) ≢ 1 (mod 53)
  n = 13, n-1 = 12 = 2^2 · 3, let a = 2: 2^12 ≡ 1 (mod 13), 2^(12/2) ≢ 1, 2^(12/3) ≢ 1 (mod 13)
  n = 3, n-1 = 2 = 2, let a = 2: 2^2 ≡ 1 (mod 3), 2^(2/2) ≢ 1 (mod 3)
  n = 2 is called a "self-witness"
Pratt Certificate: an example
7919, witness 7, 7918 = 2·37·107
  2 is a self-witness
  37, witness 2, 36 = 2^2·3^2
    2 is a self-witness
    3, witness 2, 2 = 2
      2 is a self-witness
  107, witness 2, 106 = 2·53
    2 is a self-witness
    53, witness 2, 52 = 2^2·13
      2 is a self-witness
      13, witness 2, 12 = 2^2·3
        2 is a self-witness
        3, witness 2, 2 = 2
          2 is a self-witness
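Verifying the Pratt certificate for 7919 drawn above, as an added example that is not part of the slides; the tuple layout (n, a, [(q, e, certificate of q), ...]), the function names and the three constructed bad certificates are my own. The verifier needs only modular exponentiation, never factoring, which is what makes the certificate a polynomial-time witness.

```python
# A certificate is (n, a, factors) with factors = [(q, e, cert_of_q), ...] describing
# n - 1 = Π q^e and a the witness; 2 is its own witness and ends the recursion.
# The certificate below is the one drawn on the slide for 7919.
SELF = (2, None, [])
CERT_3 = (3, 2, [(2, 1, SELF)])
CERT_13 = (13, 2, [(2, 2, SELF), (3, 1, CERT_3)])
CERT_53 = (53, 2, [(2, 2, SELF), (13, 1, CERT_13)])
CERT_107 = (107, 2, [(2, 1, SELF), (53, 1, CERT_53)])
CERT_37 = (37, 2, [(2, 2, SELF), (3, 2, CERT_3)])
CERT_7919 = (7919, 7, [(2, 1, SELF), (37, 1, CERT_37), (107, 1, CERT_107)])

def verify_pratt(cert) -> bool:
    """Check a Pratt certificate with the converse of Fermat's little theorem:
    a^(n-1) ≡ 1 (mod n) and a^((n-1)/q) ≢ 1 (mod n) for every prime q | n-1,
    with each q certified recursively. Only modular exponentiation is needed."""
    n, a, factors = cert
    if n == 2:
        return True                       # self-witness
    if n < 3 or n % 2 == 0 or a is None or not 1 < a < n:
        return False
    # the claimed prime-power factorization must multiply to n - 1
    product = 1
    for q, e, _ in factors:
        if q < 2 or e < 1:
            return False
        product *= q ** e
    if product != n - 1:
        return False
    if pow(a, n - 1, n) != 1:             # a^(n-1) ≡ 1 (mod n)
        return False
    for q, _, sub in factors:
        if pow(a, (n - 1) // q, n) == 1:  # a^((n-1)/q) ≢ 1 (mod n)
            return False
        if sub is None or sub[0] != q or not verify_pratt(sub):
            return False                  # q itself must be certified prime
    return True

def modexp_count(cert) -> int:
    """Modular exponentiations a verifier spends on this certificate."""
    n, _, factors = cert
    if n == 2:
        return 0
    return 1 + len(factors) + sum(modexp_count(sub) for _, _, sub in factors if sub)

# Constructed bad certificates: a wrong witness (6 is a quadratic residue mod 7919,
# so 6^(7918/2) ≡ 1), a factorization that does not multiply to n - 1, and an
# attempt to certify the composite 7917 = 3·7·13·29, which fails the Fermat step.
BAD_WITNESS = (7919, 6, CERT_7919[2])
BAD_FACTORS = (7919, 7, [(2, 1, SELF), (37, 1, CERT_37), (53, 1, CERT_53)])
BAD_COMPOSITE = (7917, 2, [(2, 2, SELF), (1979, 1, None)])
```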
Atkin-Goldwasser-Kilian-Morain Certificate
A recursive primality certificate (for primes > 10^10):
- A point on an elliptic curve C: y^2 = x^3 + g2 x + g3 (mod p) for some numbers g2 and g3
- A prime q with q > (p^(1/4) + 1)^2, such that for some other number k and m = kq with k ≠ 1, mC(x, y, g2, g3, p) is the identity on the curve, but kC(x, y, g2, g3, p) is not the identity. This guarantees the primality of p by a theorem of Goldwasser and Kilian (1986).
- Each q has its recursive certificate following it. So if the smallest q is known to be prime, all the numbers are certified prime up the chain.
Related Theorems
- Fermat's Little Theorem
- Fermat's Little Theorem Converse
- Euler's Theorem
- Carmichael's Theorem

Fermat's Little Theorem ("Fair-MAH")
If p is a prime and p ∤ a, then a^(p-1) ≡ 1 (mod p)
Proof:
- let S = {1, 2, 3, ..., p-1} (Zp*) and define ψ(x) ≡ a · x (mod p) to be a mapping ψ: S → Z
- ∀x ∈ S, ψ(x) ≢ 0 (mod p) ⇒ ∀x ∈ S, ψ(x) ∈ S, i.e. ψ: S → S
  (if ψ(x) ≡ a · x ≡ 0 (mod p) ⇒ x ≡ 0 (mod p) since gcd(a, p) = 1)
- ∀x, y ∈ S, if x ≠ y then ψ(x) ≠ ψ(y), since if ψ(x) ≡ ψ(y) ⇒ a · x ≡ a · y ⇒ x ≡ y since gcd(a, p) = 1
- from the above two observations, ψ(1), ψ(2), ..., ψ(p-1) are distinct elements of S
- 1·2·...·(p-1) ≡ ψ(1)·ψ(2)·...·ψ(p-1) ≡ (a·1)·(a·2)·...·(a·(p-1)) ≡ a^(p-1) (1·2·...·(p-1)) (mod p)
- since gcd(j, p) = 1 for j ∈ S, we can divide both sides by 1, 2, 3, ..., p-1, and obtain a^(p-1) ≡ 1 (mod p)
Fermat's Little Theorem Converse
For an odd integer n, if ∃ a, a^(n-1) ≡ 1 (mod n) and ∀ pi, where n-1 = Πi pi^ri, a^((n-1)/pi) ≢ 1 (mod n), then
  1. ordn(a) = n-1
  2. n is a prime number
  3. a is a primitive root in Zn*
Proof: let ordn(a) be the smallest integer d such that a^d ≡ 1 (mod n), i.e. a^(ordn(a)) ≡ 1 (mod n), ordn(a) ≤ n-1; let n-1 = k · ordn(a) + r
  a^(n-1) ≡ 1 (mod n) ⇒ a^(n-1) ≡ a^(k·ordn(a)+r) ≡ 1 (mod n) ⇒ 1 ≡ 1^k · a^r (mod n) ⇒ r = 0, i.e. ordn(a) | (n-1)
  ⇒ ordn(a) = n-1, or ∃ pi, n-1 = Πi pi^ri, s.t. ordn(a) | (n-1)/pi, i.e. a^((n-1)/pi) ≡ (a^(ordn(a)))^k ≡ 1 (mod n)
  ⇒ a^(n-1) ≡ 1 (mod n) and ∀pi, where n-1 = Πi pi^ri, a^((n-1)/pi) ≢ 1 (mod n) ⇒ ordn(a) = n-1
  ⇒ n is a prime number (for a composite number, the order of any a is at most φ(n), which is strictly less than n-1) and a is a primitive root

Euler's Theorem
If gcd(a, n) = 1 then a^φ(n) ≡ 1 (mod n)
This is true even when n = p^2
Proof:
- let S be the set of integers 1 ≤ x ≤ n with gcd(x, n) = 1, and define ψ(x) ≡ a · x (mod n) to be a mapping ψ: S → Z
- ∀x ∈ S, since gcd(a, n) = 1, ψ(x) ≢ 0 (mod n) (if ψ(x) ≡ a · x ≡ 0 (mod n) ⇒ x ≡ 0 (mod n)); gcd(a, n) = 1 and gcd(x, n) = 1 give gcd(ψ(x), n) = 1 ⇒ ∀x ∈ S, ψ(x) ∈ S, i.e. ψ: S → S
- ∀x, y ∈ S, if x ≠ y then ψ(x) ≢ ψ(y) (mod n): if ψ(x) ≡ ψ(y) ⇒ a · x ≡ a · y ⇒ x ≡ y since gcd(a, n) = 1
- from the above two observations, the ψ(x), x ∈ S, are distinct elements of S (i.e. {ψ(x) | x ∈ S} is S)
- ∏_{x∈S} x ≡ ∏_{x∈S} ψ(x) ≡ a^φ(n) ∏_{x∈S} x (mod n)
- since gcd(x, n) = 1 for x ∈ S, we can divide both sides by each x ∈ S one after another, and obtain a^φ(n) ≡ 1 (mod n)
Carmichael's Theorem
∀a ∈ Zn*, a^λ(n) ≡ 1 (mod n) and a^(n·λ(n)) ≡ 1 (mod n^2), where n = p·q, p ≠ q, λ(n) = lcm(p-1, q-1), λ(n) | φ(n)
Like Euler's Theorem, we can prove it through Fermat's Little Theorem; consider n = p · q, where p ≠ q:
- ∀a ∈ Zp*, a^(p-1) ≡ 1 (mod p) ⇒ (a^(p-1))^((q-1)/gcd(p-1, q-1)) ≡ a^λ(n) ≡ 1 (mod p)
- ∀a ∈ Zq*, a^(q-1) ≡ 1 (mod q) ⇒ (a^(q-1))^((p-1)/gcd(p-1, q-1)) ≡ a^λ(n) ≡ 1 (mod q)
- from CRT, ∀a ∈ Zp* ∩ Zq* = Zn*, a^λ(n) ≡ 1 (mod n)
- therefore, ∀a ∈ Zn*, a^λ(n) = 1 + k · n
- raise both sides to the n-th power: a^(n·λ(n)) = (1 + k · n)^n ⇒ a^(n·λ(n)) = 1 + n·k·n + ... ⇒ ∀a ∈ Zn* (or Zn2*), a^(n·λ(n)) ≡ 1 (mod n^2)
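An added check of Carmichael's theorem for n = p·q, not from the slides (function names are mine): λ(n) = lcm(p-1, q-1) is compared with the smallest exponent that works for all of Zn*, found by brute force, and both congruences of the theorem are verified over every unit; the brute-force search also shows why λ(n), not φ(n), is the exponent one should reason with.

```python
from math import gcd

def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)

def carmichael_lambda_pq(p: int, q: int) -> int:
    """λ(n) for n = p·q with distinct primes p, q, as on the slide: lcm(p-1, q-1)."""
    return lcm(p - 1, q - 1)

def units(n: int) -> list:
    """Zn*: the residues 1 ≤ a < n with gcd(a, n) = 1."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def smallest_universal_exponent(n: int) -> int:
    """Brute force: the smallest e ≥ 1 with a^e ≡ 1 (mod n) for every a in Zn*.
    For n = p·q this must come out equal to λ(n)."""
    us = units(n)
    e = 1
    while not all(pow(a, e, n) == 1 for a in us):
        e += 1
    return e

def check_carmichael_theorem(p: int, q: int) -> bool:
    """Verify, over all of Zn* with n = p·q: λ(n) | φ(n), a^λ(n) ≡ 1 (mod n)
    and a^(n·λ(n)) ≡ 1 (mod n^2)."""
    n, lam = p * q, carmichael_lambda_pq(p, q)
    phi = (p - 1) * (q - 1)
    return (phi % lam == 0
            and all(pow(a, lam, n) == 1 for a in units(n))
            and all(pow(a, n * lam, n * n) == 1 for a in units(n)))
```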
Primitive Roots modulo p
When p is a prime number, a primitive root modulo p is a number whose powers yield every nonzero element mod p (equivalently, the order of a primitive root is p-1)
ex: 3^1 ≡ 3, 3^2 ≡ 2, 3^3 ≡ 6, 3^4 ≡ 4, 3^5 ≡ 5, 3^6 ≡ 1 (mod 7); 3 is a primitive root mod 7
sometimes called a multiplicative generator
there are plenty of primitive roots, actually φ(p-1)
  ex. p = 101, φ(p-1) = 100·(1-1/2)·(1-1/5) = 40
      p = 143537, φ(p-1) = 143536·(1-1/2)·(1-1/8971) = 71760
Primitive Testing Procedure
How do we test whether h is a primitive root modulo p?
- naive method: go through all the powers h^2, h^3, ..., h^(p-2), and make sure none is ≡ 1 modulo p
- faster method: assume p-1 has prime factors q1, q2, ..., qn; for all qi, make sure h^((p-1)/qi) modulo p is not 1; then h is a primitive root

Primitive Testing Procedure (cont'd)
Procedure to test a primitive root g: assuming p-1 has prime factors q1, q2, ..., qn (i.e. p-1 = q1^r1 ... qn^rn), for all qi, make sure g^((p-1)/qi) (mod p) is not 1
Proof:
(a) by definition, g^(ordp(g)) ≡ 1 (mod p) and g^φ(p) ≡ 1 (mod p), therefore ordp(g) ≤ φ(p)
    if φ(p) = ordp(g) · k + s with s < ordp(g), then g^φ(p) ≡ g^(ordp(g)·k) · g^s ≡ g^s ≡ 1 (mod p), but s < ordp(g) ⇒ s = 0
    ⇒ ordp(g) | φ(p) and ordp(g) ≤ φ(p)
(b) assume g is not a primitive root, i.e. ordp(g) < φ(p) = p-1; then ∃ i such that ordp(g) | (p-1)/qi, i.e. g^((p-1)/qi) ≡ 1 (mod p) for some qi
(c) if for all qi, g^((p-1)/qi) ≢ 1 (mod p), then ordp(g) = φ(p) and g is a primitive root modulo p
Intuition: let h ≡ g^a (mod p); if gcd(a, p-1) = d > 1 (i.e. g^a is not a primitive root), then (g^a)^((p-1)/qi) ≡ (g^(a/qi))^(p-1) ≡ 1 (mod p) for some qi | d
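The naive and the faster primitive-root tests above, plus the intuition that g^a is primitive iff gcd(a, p-1) = 1, as an added example not from the slides; function names are mine and, as on the slide, the distinct prime factors of p-1 are supplied rather than computed. The test compares both methods on every base mod 101 and recovers the count φ(100) = 40.

```python
from math import gcd

def powers_mod(h: int, p: int) -> list:
    """h^1, h^2, ..., h^(p-1) mod p (the slide's table for h = 3, p = 7)."""
    out, x = [], 1
    for _ in range(p - 1):
        x = x * h % p
        out.append(x)
    return out

def is_primitive_root_naive(h: int, p: int) -> bool:
    """Naive method: h, h^2, ..., h^(p-2) must all be ≢ 1 (mod p)."""
    x = h % p
    if x == 0:
        return False
    if x == 1:                      # h ≡ 1 already has order 1
        return p == 2
    for _ in range(2, p - 1):       # powers h^2 .. h^(p-2)
        x = x * h % p
        if x == 1:
            return False
    return True

def is_primitive_root(g: int, p: int, qs) -> bool:
    """Faster method: qs are the distinct prime factors of p-1 (assumed known);
    g is primitive iff g^((p-1)/q) ≢ 1 (mod p) for every q in qs."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in qs)

def primitive_roots(p: int, qs) -> list:
    """All primitive roots mod p found with the faster test; there are φ(p-1) of them."""
    return [g for g in range(1, p) if is_primitive_root(g, p, qs)]

def primitive_roots_from_generator(g: int, p: int) -> list:
    """Intuition on the slide: g^a is a primitive root iff gcd(a, p-1) = 1, so a
    single generator g yields all φ(p-1) primitive roots."""
    return sorted(pow(g, a, p) for a in range(1, p) if gcd(a, p - 1) == 1)
```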