Safer Security: A Novel Probabilistic
Algorithm for Detecting Carmichael Numbers
Sathwik Karnik
Massachusetts Academy of Math and Science
Contents
1 Introduction
2 Background
2.1 RSA Cryptosystem
2.2 Primality Testing
2.3 Fermat Test
2.4 Fermat Witnesses
2.5 Fermat Witnesses and Group Theory
2.6 Carmichael Numbers
2.7 Fermat Witnesses for Carmichael Numbers
2.8 Known Algorithms
2.9 Research Plan
3 Methodology
3.1 Classification of Carmichael Numbers
3.2 Algorithms and Implementation
3.3 Proving Algorithms
3.4 Calculating Efficiency
4 Limitations and Assumptions
References
Abstract
In an era of rapid growth in information technology, an unprecedented danger threatens digital
security: the cyberattack. Public-key cryptosystems have been developed as one way to overcome
virtual vulnerabilities. RSA, one of the first practical and most widely used cryptosystems, requires
two large prime numbers to generate public and private keys to secure data. These prime numbers,
which are essential in creating cryptosystems, are found using primality tests. Occasionally, large
composite numbers are inadvertently selected in the place of prime numbers. Such mistakes occur
when primality testing yields false positives. One large class of false positives to many primality tests,
Carmichael numbers, weakens cryptosystems when implemented. This research classifies the proportion of Fermat witnesses, numbers a ∈ (Z/nZ)\{0} for which $a^{n-1} \not\equiv 1 \pmod{n}$, for Carmichael
numbers with a smallest prime factor greater than a determined lower bound. In addition, a Monte
Carlo simulation is conducted to create a probabilistic algorithm to detect if a given composite number is Carmichael. This highly accurate algorithm is modified with a deterministic primality test
to create a novel algorithm that differentiates between Carmichael numbers and prime numbers in
order to enhance cybersecurity.
1 Introduction
The overwhelming size and rapid growth of data necessitate safer information
security. Cryptosystems have great importance in the search for safer security. In order
to implement a cryptosystem, one must generate the keys used in both encryption and
decryption. With the advent of cryptosystems in the late 20th century, the need for primality testing increased significantly; efficient, accurate primality tests offered ways to
find large prime factors used for generating keys.
In recent years, cybersecurity has been an issue because insecure cryptosystems
can be easily hacked. The implementation of composite numbers for key generation has
sacrificed security for efficiency in run-times, rendering systems fatally vulnerable (Pinch,
1997). Substantial progress has been made in this field; more primality tests have been
created to implement safer cryptosystems. Though the Fermat Test offers an efficient
probabilistic primality test, it allows many composite numbers to pass. The Miller-Rabin
Test provides a more efficient test with fewer false-positives. However, current primality
tests with fewer false positives are much less efficient for large numbers.
To accurately determine if a number is prime or composite, an algorithm to detect
false positives to probabilistic primality tests is needed. This research provides a novel
highly accurate algorithm that detects Carmichael numbers, false positives to several
primality tests.
2 Background
2.1 RSA Cryptosystem
A cryptosystem is a method of encrypting and decrypting messages using the keys
generated. Cryptosystems have been extensively studied to enhance cybersecurity. In
the late 20th century, Ronald Rivest, Adi Shamir, and Leonard Adleman proposed a
cryptosystem that became the most widely used method for encrypting and decrypting messages. Named after its discoverers, the RSA algorithm includes key generation,
encryption, and decryption (Paar & Pelzl, 2010).
Suppose that Albert and Bob want to send messages to one another using the RSA
cryptosystem. Below is the method for generating the public and private keys for the
RSA cryptosystem.
RSA Key Generation
1. Albert first chooses two large primes p and q with an approximate length of 300
digits (Lenstra & Verheul, 2000).
2. Albert then computes n = p · q.
3. Albert computes the number of positive integers less than n that are relatively prime
to n, which is φ(n) = (p − 1)(q − 1).
4. Albert then selects the public exponent e ∈ {1, 2, . . . , φ(n) − 1} such that e is relatively prime to φ(n).
5. Albert finally computes the private key d such that
$$d \cdot e \equiv 1 \pmod{\varphi(n)}$$
In other words, d is the multiplicative inverse of e (mod φ(n)).
Output: public key: $k_{pub} = (n, e)$ and private key: $k_{pr} = (n, d)$
Using the keys described above, Bob must send messages by creating an encryption
function.
RSA Encryption
Given the public key $k_{pub}$ and the “message” x, Bob creates the following encryption
function:
$$y = e_{(n,e)}(x) \equiv x^e \pmod{n},$$
where x, y ∈ Z/nZ.
In order for Albert to open, or decrypt, the message that Bob sends to him, Albert
must create the following decryption function:
RSA Decryption
Given the private key $d = k_{pr}$ and the cipher text, or encrypted message y, Albert
creates the following decryption function:
$$x = d_{(n,d)}(y) \equiv y^d \pmod{n},$$
where x, y ∈ Z/nZ.
Because a possible attacker has access to the public key, it must be computationally
difficult to determine the value of the private key d given the values of the public key
e and n. In this context, computationally difficult refers to the difficulty in determining
the prime factors of a number with few prime factors. In other words, finding the inverse
of e in (Z/nZ)× must be infeasible in a computationally reasonable length of time. To
make the system difficult to break, one must use highly accurate primality tests.
2.2 Primality Testing
The RSA Algorithm requires two large prime numbers, p and q, that multiply together
to form a new number n. In order to determine if a randomly generated large
number is prime, brute force may seem to be the primary option. Although brute force
algorithms are 100% accurate, or deterministic, these algorithms are not efficient in terms
of run time. For deterministic tests, the scheme for determining if a given number n is
prime is to factor the number into primes, which is currently difficult for computers when n is
large. Thus, more efficient primality testing algorithms that maintain a high accuracy
are needed. Many practical primality tests for larger numbers are probabilistic. For probabilistic primality tests, a given natural number n serves as the input for the algorithm.
From this algorithm, either (1) n is determined to be composite (with 100% accuracy)
or (2) n is determined to be prime with a certain probability. To maximize the accuracy
of the primality test, one must test the algorithm with multiple random values from 1 to
n − 1 so that the chance that n is incorrectly shown to be prime is strictly less than a
predetermined value. Examples of probabilistic primality tests include the Fermat Test
and the Miller-Rabin Test (Paar & Pelzl, 2010).
2.3 Fermat Test
The Fermat Test is a probabilistic primality test that utilizes notions from Fermat’s
Little Theorem, which states that $a^{p-1} \equiv 1 \pmod{p}$ for all $a \in U_p$, where p is a prime
number (Lynn, n.d.). Note that $U_p$ is the set of all positive integers less than p that are
relatively prime to p. In the Fermat Test, a random number a is chosen from (Z/nZ)\{0}.
The test then checks if $a^{n-1} \equiv 1 \pmod{n}$. If $a^{n-1} \not\equiv 1 \pmod{n}$, then n is not a prime
number. Otherwise, if $a^{n-1} \equiv 1 \pmod{n}$, then n is said to be “probably prime.” For
instance, if n = 10 and a = 2, then $a^{n-1} \equiv 2^{10-1} \equiv 2^9 \equiv 512 \equiv 2 \pmod{10}$. In this case,
n is not a prime number because $2^9$ is not congruent to 1 (mod 10). If n = 13 and a = 2,
then $a^{n-1} \equiv 2^{12} \equiv 4096 \equiv 1 \pmod{13}$. In this case, n = 13 is a prime number. However,
if n = 561 and a = 2, then $a^{n-1} \equiv 2^{560} \equiv 1 \pmod{561}$. So, in this case, n is said to be
“probably prime.” But, 561 = 3 · 11 · 17, so 561 is not a prime number. In other words,
for the given a and n, n turns out to be a “false positive” for the Fermat Test. However,
there exist certain numbers a for composite numbers n such that a does not meet the
criterion that $a^{n-1} \equiv 1 \pmod{n}$.
The Fermat Test is flawed in that it has infinitely many false positives, which means
that there are infinitely many composite numbers n that are incorrectly determined to
be prime numbers. Suppose that t is equal to the number of times that the test is run. If
t = 10, then the probability that the given number n is “probably prime” is greater than
approximately 0.99902. For a primality test to work with high accuracy, almost no false
positives should be found when the value of n is bounded above.
To calculate the probability of success more accurately, one must use Bayes’ Rule
(Conrad, n.d.-b), which states that if A and B are random variables for events, then the
probability of A given that B occurs is:
$$\Pr(A \mid B) = \frac{\Pr(B \mid A) \cdot \Pr(A)}{\Pr(B \mid A) \cdot \Pr(A) + \Pr(B \mid A') \cdot \Pr(A')}$$
Note that in this case, $A'$ is the complement of A. In this context, Bayes’ Rule is necessary
to calculate the probability that a given number is prime given that after running the
Fermat Test t times, no Fermat Witnesses have been found. Similarly, Bayes’ Rule is
used to calculate the probability of success of the algorithms detailed in this paper.
2.4 Fermat Witnesses
Consider the set of all a in {1, 2, 3, . . . , n − 1} for which $a^{n-1} \pmod{n}$ is not congruent
to 1. Such values for a are called Fermat witnesses for the Fermat Primality Test
because these values of a show that n is not a prime number. For example, Table 1 shows
$a^{n-1} \pmod{n}$ in the case when n = 21.
Table 1: Fermat Test for n = 21
a                     1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18  19  20
$a^{n-1} \pmod{n}$    1   4   9  16   4  15   7   1  18  16  16  18   1   7  15   4  16   9   4   1
In the table above, the values of a that are Fermat Witnesses are those
for which $a^{n-1} \equiv a^{20} \pmod{21}$ is not congruent to 1. In the 20-element set
{1, 2, 3, . . . , 20}, 16 elements are Fermat Witnesses. In other words, for n = 21, the
proportion of Fermat Witnesses is 80%. Suppose that a number a is defined as a nontrivial Fermat Witness if gcd(a, n) = 1 and $a^{n-1}$ is not congruent to 1 (mod n). Note
that a would be considered a trivial Fermat Witness if gcd(a, n) > 1 because a would
not be an element of $U_n$, which is the set of all positive integers less than n that are
relatively prime to n. It has been shown that for n ∈ N, if there exists a non-trivial
Fermat Witness, then the proportion of Fermat Witnesses is greater than 50% (Conrad,
n.d.-b). The proof of this claim, which makes use of the notion of cosets in group theory
(Section 2.5), also uses the idea of three disjoint subsets that categorize all integers in
the set {1, 2, 3, . . . , n − 1}. The use of the three sets is essential to the progress made in
this paper.
Theorem 1 Let n be a natural number. If there exists an a such that gcd(a, n) = 1 and
$a^{n-1} \not\equiv 1 \pmod{n}$, then the proportion of Fermat Witnesses for n is greater than 50%.
In other words, if there exists a non-trivial Fermat Witness for n, then the proportion of
Fermat Witnesses for n is greater than 50% (Conrad, n.d.-b).
Proof: Let A, B, and C be sets such that:
• A = {1 ≤ a ≤ n − 1 : $a^{n-1} \equiv 1 \pmod{n}$}
• B = {1 ≤ a ≤ n − 1 : gcd(a, n) = 1 and $a^{n-1} \not\equiv 1 \pmod{n}$}
• C = {1 ≤ a ≤ n − 1 : gcd(a, n) > 1}
Note that the three sets are disjoint and form the set of all integers from 1 to
n − 1. Set B is the set of all non-trivial Fermat Witnesses, and set C is the set of all
trivial Fermat Witnesses. In other words, the union of sets B and C is the set of all
Fermat Witnesses and A consists of all other integers from 1 to n − 1. Note that A is
nonempty because 1 ∈ A. By the original claim, B contains at least one b ∈ N such that
$b^{n-1} \not\equiv 1 \pmod{n}$ and gcd(b, n) = 1. Note that the statement of Theorem 1 is equivalent
to the claim that if B is nonempty, $|B| + |C| > \frac{n-1}{2}$. In order to prove this theorem,
similar ideas as those used to prove Fermat’s Little Theorem (which states that for all
primes p ∈ N, $a^{p-1} \equiv 1 \pmod{p}$ for all $a \in U_p$) must be used.
Choose an arbitrary element b from the set B. Consider the set formed by multiplying A by b. This set, {ab (mod n) : a ∈ A}, is a subset of B. For all a ∈ A,
gcd(ab, n) = 1 and $(ab)^{n-1} \equiv a^{n-1} \cdot b^{n-1} \equiv b^{n-1} \not\equiv 1 \pmod{n}$, so ab (mod n) ∈ B. Note
that this property holds for all a ∈ A and b ∈ B, so Ab is a subset of B.
For a and a′ in A, if ab ≡ a′b (mod n), then a ≡ a′ (mod n) because b is a unit in
Z/nZ (note that b is relatively prime to n, which implies that b is a unit). This congruence
implies that a = a′ because the elements of A lie strictly between 0 and n − 1. Thus,
|Ab| = |A|, so the fact that the set Ab is a subset of B implies that |A| = |Ab| ≤ |B|.
Note that:
n − 1 = |A| + |B| + |C| ≥ |A| + |A| + 1 > 2|A|,
which means that |A| < (n − 1)/2. In other words, the size of the set A is less than half
of the size of {1, 2, . . . , n − 1}, so its complement B ∪ C has size of more than half of
{1, 2, . . . , n − 1}. Note that the final result is algebraically equivalent to
$$|B| + |C| = (n - 1) - |A| > (n - 1) - \frac{n-1}{2} = \frac{n-1}{2}.$$
Because $|B| + |C| > \frac{n-1}{2}$, $\frac{|B| + |C|}{n-1} > \frac{1}{2}$, as desired.
This proof provides key insight into the classification of the numbers in the set
{1, 2, 3, . . . , n − 1} when the number n is tested for primality. Furthermore, such insight
can be better understood with several notions in group theory, including groups, cosets,
and Lagrange’s Theorem, which are all discussed in the next section.
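The partition used in the proof of Theorem 1 can be computed exhaustively for small n. The Python sketch below is an added example, not code from the paper, and its function names are chosen here; it reproduces the n = 21 counts from Table 1, checks the step that a → ab (mod n) maps A one-to-one into B, and shows that B is empty for 561, the false positive from Section 2.3.

```python
from math import gcd


def partition(n):
    """Split {1, ..., n-1} into the sets A, B, C from the proof of Theorem 1."""
    A, B, C = set(), set(), set()
    for a in range(1, n):
        if gcd(a, n) > 1:
            C.add(a)                 # trivial Fermat witness
        elif pow(a, n - 1, n) != 1:
            B.add(a)                 # non-trivial Fermat witness
        else:
            A.add(a)                 # a^(n-1) = 1 (mod n): the test learns nothing
    return A, B, C


def witness_proportion(n):
    """(|B| + |C|) / (n - 1), the fraction of bases that expose n as composite."""
    _, B, C = partition(n)
    return (len(B) + len(C)) / (n - 1)


def coset_step_holds(n):
    """For every b in B, check that a -> a*b mod n sends A one-to-one into B.

    This is the step that gives |A| = |Ab| <= |B|. It holds vacuously when B
    is empty, which is exactly the Carmichael case.
    """
    A, B, _ = partition(n)
    for b in B:
        Ab = {(a * b) % n for a in A}
        if len(Ab) != len(A) or not Ab <= B:
            return False
    return True


if __name__ == "__main__":
    for n in (15, 21, 91, 561, 1105):
        A, B, C = partition(n)
        print(f"n={n:5d}  |A|={len(A):4d}  |B|={len(B):4d}  |C|={len(C):4d}  "
              f"witnesses={witness_proportion(n):.4f}  "
              f"coset step holds={coset_step_holds(n)}")
```

When B is empty the bound of Theorem 1 no longer applies, and only the bases sharing a factor with n reveal that n is composite.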
2.5 Fermat Witnesses and Group Theory
A group is defined to be an algebraic structure with a set, G, and an operation, ⋆,
which combines any two elements of the group a and b to form a ⋆ b, another element of
G. Every group also satisfies the following four properties:
(1) Closure: ∀ a, b ∈ G, a ⋆ b ∈ G.
(2) Associativity: ∀ a, b, c ∈ G, a ⋆ (b ⋆ c) = (a ⋆ b) ⋆ c.
(3) Identity Element: ∃ e ∈ G such that ∀ a ∈ G, e ⋆ a = a ⋆ e = a, where e is the
identity element.
(4) Inverse Element: ∀ a ∈ G, ∃ b ∈ G such that a ⋆ b = b ⋆ a = e.
Note that $U_n$ is an example of a group closed under multiplication. A subgroup H is
a group closed under the same operation as G and is also a subset of G. Note that in the
proof of Theorem 1, A ∪ B forms the group of all relatively prime numbers to n less than
n. This group is more commonly referred to as $U_n$. Now, because the set A is a subset of
$U_n$ closed under multiplication, A is a subgroup of $U_n$. Lagrange’s Theorem states that if
H is a subgroup of a group G, then |H| divides |G| (Conrad, n.d.-a). Because the number
of nontrivial Fermat Witnesses is greater than 0, $|A| \le 0.5 \cdot |U_n|$, which implies the result
of Theorem 1. Thus, by considering the group $U_n$ and its disjoint subsets, one may
recognize the relation of Fermat witnesses and group theory. Furthermore, the relation
between Fermat Witnesses and the statement of Lagrange’s Theorem is essential to the
research in this paper.
2.6 Carmichael Numbers
Carmichael numbers are composite numbers n with the property that for all a ∈ N
such that gcd(a, n) = 1, $a^{n-1} \equiv 1 \pmod{n}$. Carmichael numbers are “absolute pseudoprimes” for the Fermat Primality Test. In other words, Carmichael numbers have no
nontrivial Fermat Witnesses, which are numbers a such that $a^{n-1} \not\equiv 1 \pmod{n}$. In addition, there are infinitely many Carmichael numbers (Alford, Granville, & Pomerance,
1994). This property of Carmichael numbers makes the Fermat Primality Test vulnerable
because there are infinitely many false positives. In other words, if a number a relatively
prime to a Carmichael number n is chosen to check if $a^{n-1} \equiv 1 \pmod{n}$, then the number
will be incorrectly classified as a prime number.
Carmichael numbers obey Korselt’s Criterion, which states that a composite number
n is Carmichael if the following two criteria are met (Löh & Niebuhr, 1996).
(i) for all positive integer factors k of n, k cannot be expressed as
$k = m^2$ for m ∈ N, m > 1
(ii) for all prime factors p of n, (p − 1)|(n − 1).
Korselt’s Criterion provides a way to construct Carmichael numbers of the form
n = (6m + 1)(12m + 1)(18m + 1) for m ∈ N, where 6m + 1, 12m + 1, and 18m + 1 are
prime numbers. It is not difficult to show that 6m|(n − 1), 12m|(n − 1), and 18m|(n − 1)
because $n - 1 = (6m + 1)(12m + 1)(18m + 1) - 1 = 1296m^3 + 396m^2 + 36m + 1 - 1 = 1296m^3 + 396m^2 + 36m$ (Pomerance, n.d.).
The smallest Carmichael number is 561, which has 3 prime factors: 3, 11, and 17.
Note that n − 1 = 561 − 1 = 560, and 3 − 1 = 2 ⇒ 2|560, 11 − 1 = 10 ⇒ 10|560, and
17 − 1 = 16 ⇒ 16|560.
Carmichael numbers are important to study and classify because of their significant
role in primality tests. By understanding the importance of Carmichael numbers, cryptographers and number theorists can modify primality tests in a way that Carmichael
numbers can be easily identified.
2.7 Fermat Witnesses for Carmichael Numbers
Now, consider the Fermat Witnesses for Carmichael numbers. Let a be an element
of (Z/nZ)\{0}. Then, a is a Fermat Witness for the Carmichael number n if gcd(a, n) >
1 because all Fermat Witnesses for Carmichael numbers are trivial. The proportion
of Fermat Witnesses for Carmichael numbers is an important subject for investigation
because it determines the probability that the number will be correctly determined to
be composite. Because the number of a in (Z/nZ)\{0} such that gcd(a, n) = 1 is equal
to φ(n) (as defined by the Euler phi function), the proportion of Fermat Witnesses for
a Carmichael number is given by $1 - \frac{\varphi(n)}{n-1}$.
It is important to consider a few small examples of the proportion of Fermat Witnesses for Carmichael numbers. Note that 561 = 3·11·17 is a Carmichael number because
(3 − 1)|(561 − 1) ⇒ 2|560, (11 − 1)|(561 − 1) ⇒ 10|560, and (17 − 1)|(561 − 1) ⇒ 16|560.
For the Carmichael number n = 561, the proportion of Fermat Witnesses is equal to
$1 - \frac{\varphi(n)}{n-1} = 1 - \frac{320}{560} = 0.4286$. For the Carmichael number n = 1105, the proportion of Fermat
Witnesses is equal to $1 - \frac{\varphi(n)}{n-1} = 1 - \frac{768}{1104} = 0.3043$. For the Carmichael number
n = 1729, the proportion of Fermat Witnesses is equal to $1 - \frac{\varphi(n)}{n-1} = 1 - \frac{1296}{1728} = 0.2504$.
The examples above seem to suggest that the rate of Fermat Witnesses is less than
50% for all Carmichael numbers. However, this hypothesis is not correct; below is a table
of all Carmichael numbers less than $10^{17}$ with the property that $1 - \frac{\varphi(n)}{n-1}$ is greater than
50% (Pinch, 2008).
Table 2: Proportion of Fermat Witnesses is > 50% for some Carmichael numbers
1 − φ(n)/(n − 1) (%)   Carmichael Number n         Prime factors of n
50.04                  3,852,971,941,960,065       3 · 5 · 23 · 89 · 113 · 1409 · 788,129
50.10                  655,510,549,443,465         3 · 5 · 23 · 53 · 389 · 2,663 · 34,607
50.21                  13,462,627,333,098,945      3 · 5 · 23 · 53 · 197 · 8,009 · 466,649
50.25                  26,708,253,318,968,145      3 · 5 · 17 · 113 · 57,839 · 16,025,297
50.76                  269,040,992,399,565         3 · 5 · 23 · 29 · 4,637 · 5,799,149
50.79                  158,353,658,932,305         3 · 5 · 17 · 89 · 149 · 563 · 83,177
50.89                  1,817,671,359,979,245       3 · 5 · 23 · 29 · 359 · 11027 · 45,893
51.72                  16,057,190,782,234,785      3 · 5 · 17 · 29 · 269 · 6089 · 1,325,663
51.76                  75,131,642,415,974,145      3 · 5 · 23 · 29 · 53 · 617 · 9,857 · 23,297
51.95                  881,715,504,450,705         3 · 5 · 17 · 47 · 89 · 113 · 503 · 14,543
52.01                  31,454,143,858,820,145      3 · 5 · 17 · 23 · 2,129 · 39,293 · 64,109
52.13                  6,128,613,921,672,705       3 · 5 · 17 · 23 · 353 · 7,673 · 385,793
52.34                  12,301,576,752,408,945      3 · 5 · 23 · 29 · 53 · 113 · 197 · 1,042,133
52.70                  1,886,616,373,665           3 · 5 · 17 · 23 · 83 · 353 · 10,979
52.72                  3,193,231,538,989,185       3 · 5 · 17 · 23 · 113 · 167 · 2,927 · 9,857
53.26                  11,947,816,523,586,945      3 · 5 · 17 · 23 · 89 · 113 · 233 · 617 · 1,409
Although the proportion of Fermat Witnesses for Carmichael numbers is not bounded
above by 50%, the observations pertaining to the rate of Fermat Witnesses for Carmichael
numbers are essential to the creation of the algorithm detailed in this paper.
2.8 Known Algorithms
In 1992, Erdős created an algorithm for constructing Carmichael numbers starting
with the prime factors (Löh & Niebuhr, 1996). The algorithm is detailed below:
1. First, choose $A = \prod_{i=1}^{r} q_i^{h_i}$ where $q_1, q_2, \ldots, q_r$ are the first r prime numbers in
increasing order and the values of $h_i$ for $h_i \in \mathbb{N}$ are all at least 1 and non-increasing.
2. Construct the set $P = \{p \text{ prime} : (p - 1) \mid A,\ p \nmid A\}$
3. Construct a Carmichael number n as a product of prime numbers in P in one of the
following two ways:
(a) Find a subset S of P such that
$$\prod_{p \in S} p \equiv 1 \pmod{A}.$$
Then, by Korselt’s Criterion, $n = \prod_{p \in S} p$ is Carmichael.
(b) Let $b \equiv \prod_{p \in P} p \pmod{A}$ and find a subset T of P such that
$$\prod_{p \in T} p \equiv b \pmod{A}.$$
Then $n = \prod_{p \in P \setminus T} p$ is a Carmichael number.
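Steps 1 to 3(a) above, together with Korselt’s Criterion from Section 2.6, as an added Python example (not code from the paper or from Löh & Niebuhr). The function names, the trial-division helpers and the choice A = 36 = 2^2 · 3^2 are assumptions made here; the subset search is exhaustive, so it only suits small A.

```python
from itertools import combinations
from math import isqrt, prod


def is_prime(n):
    """Deterministic trial division; adequate for the small primes used here."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


def prime_factors(n):
    """Prime factorisation by trial division, with multiplicity."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def korselt(n):
    """Korselt's Criterion: n composite, squarefree, (p - 1) | (n - 1) for all primes p | n."""
    ps = prime_factors(n)
    return (len(ps) > 1
            and len(set(ps)) == len(ps)
            and all((n - 1) % (p - 1) == 0 for p in ps))


def erdos_prime_pool(A):
    """Step 2: P = {p prime : (p - 1) | A and p does not divide A}."""
    return [d + 1 for d in range(1, A + 1)
            if A % d == 0 and is_prime(d + 1) and A % (d + 1) != 0]


def erdos_carmichael(A):
    """Step 3(a): products of subsets S of P with prod(S) = 1 (mod A).

    Single-element subsets are skipped: a prime p = 1 (mod A), such as 37 for
    A = 36, satisfies the congruence but is not composite.
    """
    P = erdos_prime_pool(A)
    found = []
    for size in range(2, len(P) + 1):
        for S in combinations(P, size):
            n = prod(S)
            if n % A == 1:
                found.append(n)
    return sorted(found)


if __name__ == "__main__":
    A = 36
    print("P =", erdos_prime_pool(A))
    for n in erdos_carmichael(A):
        print(n, "=", " * ".join(map(str, prime_factors(n))),
              "| Korselt holds:", korselt(n))
```

With A = 36 the pool is P = {5, 7, 13, 19, 37}, and the search returns 1729 = 7 · 13 · 19 (also the m = 1 case of the (6m + 1)(12m + 1)(18m + 1) form) and 63973 = 7 · 13 · 19 · 37.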
In addition, an algorithm was recently created to construct a Carmichael number
with 10,333,229,505 prime factors. More computations have led to the exploitation of
the non-uniform distribution of prime numbers p with the property that p − 1 divides
A (Alford, Grantham, Hayman, & Shallue, 2014). However, these constructions do not
directly utilize primality tests to generate a list of Carmichael numbers.
2.9 Research Plan
Mathematical Question
How can the properties of Fermat Witnesses for Carmichael numbers be used to
create an algorithm for detecting Carmichael numbers?
Mathematical Objective
The objective of this project is to prove a probabilistic algorithm for distinguishing
between Carmichael numbers and other numbers.
Motivation
Carmichael numbers, absolute pseudoprimes for the Fermat Primality Test, exhibit
the property that the rate of Fermat Witnesses is less than 50% for many Carmichael
numbers; in particular, most Carmichael numbers less than $10^{21}$ exhibit this property
(Pinch, 2008). This observation will serve as the crux of the algorithm that is developed
in this paper. Note that if a Carmichael number does not exhibit this property, then
the number is tested for any nontrivial Fermat Witnesses a ∈ Z/nZ\{0}. By creating
such an algorithm, one may better understand the properties of Carmichael numbers, so
that primality tests will be more accurate and more efficient. By creating more accurate
primality tests, cryptosystems will use two large numbers that are more likely to be prime
numbers.
Procedure
Basic properties of Carmichael numbers will be exploited to understand the importance of these absolute pseudoprimes. Next, properties of prime numbers and prime
factors of Carmichael numbers will be used to form several generalizations. Furthermore,
properties of Carmichael numbers, including the number of Fermat Witnesses, will be
used to generate data using SAGE. These data will be used to form a general probabilistic algorithm that distinguishes between Carmichael numbers and other composite
numbers. This algorithm will be implemented through a Python program. To evaluate
the efficiency of this algorithm, the probability of accuracy will be calculated using Bayes’
Rule. The run time of the algorithm will also be calculated, and extensions to primality
tests will be made.
3 Methodology
The procedure followed in this project relied on the initial observation that many
Carmichael numbers have a proportion of Fermat witnesses of less than 50%. Below is a
flowchart of the procedure followed after finding the initial observation.
Figure 1: Flowchart of Procedure Followed After the Initial Observation
3.1 Classification of Carmichael Numbers
A classification of Carmichael numbers based on the proportion of Fermat witnesses
was first formed using Newton’s Method. This classification was based on inequalities
from the proportion of Fermat witnesses, which is $1 - \frac{\varphi(n)}{n-1}$. Furthermore, in order to
examine the inequalities, a program in SAGE was written for test values that increase
exponentially.
3.2 Algorithms and Implementation
Furthermore, based on the initial observation, the first algorithm was developed to
distinguish between Carmichael numbers and other composite numbers. This algorithm
first conducts a Monte Carlo Simulation to randomly select $t = \lfloor (\ln n)^2 \rfloor$ numbers from
1 to n − 1. For each element a in this random sample, the algorithm checks if $a^{n-1}$
is congruent to 1 in Z/nZ. If the proportion of Fermat witnesses is less than 45%, then
the algorithm determines that the number is Carmichael with a certain probability. If
the proportion of Fermat witnesses is greater than or equal to 45%, then the sample
is checked for any non-trivial Fermat witnesses. Note that if there are any non-trivial
Fermat witnesses, then the number n is determined to be an “other composite” number. If
there are no non-trivial Fermat witnesses, then the algorithm determines that the number
is Carmichael with a certain probability.
A second algorithm was developed to detect Carmichael numbers. This algorithm
used the same original scheme used in the first algorithm. However, instead of only
accepting composite numbers, this algorithm accepted any number, but it used a deterministic primality test to distinguish between Carmichael numbers and prime numbers
to improve the efficiency in detecting common false positives to primality tests.
Both algorithms were implemented in Python 3.5.2 to test for various values of n.
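A sketch of both algorithms described above, added here as an example; it is not the paper's Python implementation. Assumptions: bases are drawn independently with replacement, trial division stands in for the unnamed deterministic primality test, and the function names are hypothetical.

```python
import math
import random

THRESHOLD = 0.45   # witness-proportion cut-off stated in Section 3.2


def is_prime(n):
    """Deterministic trial division (assumed stand-in for the paper's deterministic test)."""
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))


def sample_size(n):
    """t = floor((ln n)^2) bases, never fewer than one."""
    return max(1, math.floor(math.log(n) ** 2))


def classify_sample(n, bases):
    """First algorithm, applied to an explicit list of bases taken from 1..n-1."""
    trivial = [a for a in bases if math.gcd(a, n) > 1]
    nontrivial = [a for a in bases
                  if math.gcd(a, n) == 1 and pow(a, n - 1, n) != 1]
    proportion = (len(trivial) + len(nontrivial)) / len(bases)
    if proportion < THRESHOLD:
        return "probably Carmichael"
    if nontrivial:
        return "other composite"
    return "probably Carmichael"


def detect(n, rng=None):
    """Second algorithm: rule out primes deterministically, then sample bases."""
    if n < 2:
        raise ValueError("n must be at least 2")
    if is_prime(n):
        return "prime"
    rng = rng or random.Random()
    bases = [rng.randrange(1, n) for _ in range(sample_size(n))]
    return classify_sample(n, bases)


if __name__ == "__main__":
    rng = random.Random(2024)          # fixed seed so the demo is repeatable
    for n in (13, 21, 561, 1105, 1729, 63973, 65535):
        print(n, "->", detect(n, rng))
    # A prime has no Fermat witnesses, so the first algorithm alone mislabels it.
    print("13 without the primality check ->", classify_sample(13, [2, 3, 5, 7]))
    # An unrepresentative sample (mostly non-witnesses) mislabels n = 21.
    print("21 with bases 1, 8, 13, 20, 2 ->", classify_sample(21, [1, 8, 13, 20, 2]))
```

The last two calls show the two failure modes the text points to: primes must be removed before the witness count is interpreted, and the verdict is only as good as the sample is representative.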
3.3 Proving Algorithms
To show that the algorithms work, the probability that a number is Carmichael
given that it is composite and has no non-trivial Fermat witnesses in the random sample was calculated.
This calculation was determined using Bayes’ Rule and both the probability density
function, which describes a normal distribution, as well as the cumulative distribution
function, which describes the area under the probability density function. Furthermore,
Mathematica 10 was used to estimate the probability for numbers n of the same size as
the size of prime numbers (1024 bits) used in the RSA cryptosystem.
3.4 Calculating Efficiency
The efficiency of the algorithm was calculated using notions from computational
complexity theory. These calculations, which used the big O notation in algorithm analysis and classifications, were used to compare the efficiencies of the existing algorithms
and the algorithms detailed in this paper.
4 Limitations and Assumptions
There are several limitations and assumptions in this project. One limitation is
that the algorithms described in this paper are based on implementation of the RSA
cryptosystem, which is one of the most widely used and practical cryptosystems. In
addition, the algorithms were made with the assumption that there are no quantum
cryptography algorithms that can break the current cryptosystems, despite the strength of
primality tests. The algorithms also used the information from a Monte Carlo simulation
under the assumption that the samples of the numbers from 1 to n − 1 are representative
of all numbers from 1 to n − 1.
References
Alford, W. R., Grantham, J., Hayman, S., & Shallue, A. (2014). Constructing Carmichael Numbers through improved subset-product algorithms. Math. Comput., 83.
Alford, W. R., Granville, A., & Pomerance, C. (1994). There are Infinitely Many Carmichael Numbers. The Annals of Mathematics, 139(3), 703. doi: 10.2307/2118576
Conrad, K. (n.d.-a). Cosets and Lagrange’s Theorem. Retrieved from http://www.math.uconn.edu/~kconrad/blurbs/grouptheory/coset.pdf
Conrad, K. (n.d.-b). Fermat Primality Test. Retrieved from http://www.math.uconn.edu/~kconrad/blurbs/ugradnumthy/fermattest.pdf
Lenstra, A. K., & Verheul, E. R. (2000). Selecting cryptographic key sizes. J. Cryptology, 14, 255-293.
Löh, G., & Niebuhr, W. (1996, Jan). A new algorithm for constructing large Carmichael numbers. Mathematics of Computation, 65(214), 823–837. doi: 10.1090/s0025-5718-96-00692-8
Lynn, B. (n.d.). Number theory. Retrieved from https://crypto.stanford.edu/pbc/notes/numbertheory/millerrabin.html
Paar, C., & Pelzl, J. (2010). Understanding cryptography: a textbook for students and practitioners. Springer.
Pinch, R. G. E. (1997). On using Carmichael numbers for public key encryption systems. Cryptography and Coding Lecture Notes in Computer Science, 265–269. doi: 10.1007/bfb0024472
Pinch, R. G. E. (2008). The Carmichael Numbers up to $10^{21}$.
Pomerance, C. (n.d.). Retrieved from https://math.dartmouth.edu/~carlp/carmsurvey.pdf