primality and generation of prime numbers
DESCRIPTION
Primality and generation of prime numbers. Motivations. Most of the public key encryption algorithms require large prime numbers. Example: in the RSA scheme, the modulo is the product of two prime numbers. In El-Gamal, LUC, ECC, etc … large prime numbers are also required. - PowerPoint PPT PresentationTRANSCRIPT
Primality and generation ofprime numbers
Motivations
• Most of the public key encryption algorithms require large prime numbers.
• Example: in the RSA scheme, the modulo is the product of two prime numbers.
• In El-Gamal, LUC, ECC, etc … large prime numbers are also required.
Prime and composite numbers
• A number is said to be prime if it is divisible only by 1 and by itself (1 is not a prime number). Otherwise it is said to be composite.
• Example: 7 is prime, 9 is composite.
• Euclid’s theorem: There is infinitely many prime numbers.
Density
• LaVallée-Poussin theorem: the number of prime numbers smaller than N is almost equal to N/ln(N).
• A number smaller than N randomly chosen has approximately 1 chance out of ln(N) to be prime.
• Example: a number with 100 decimal digits has 1 chance out of 230 to be prime.
• There are « relatively » many prime numbers.
Primality: prehistory
• Erathostene’s sieve: to determine whether N is prime, try to divide it by all the integer numbers between 2 and N.
• Unpracticable if N is large.• China (200 BC): If 2N-1 1 (mod. N) then N is
prime.• Other works: ideonal numbers (Euler).• Before Lehmer, there were no efficient criterion.
Primality: history
• Lehmer (186?): two efficient criteria which require the factorization of either N-1 or N+1.
• Pocklington (1914): improved Lehmer’s criterion (an incomplete factorization of N-1 is sufficient).
• Brillhart (1973): lighter factorization and combination of N-1 and N+1criteria.
• Other works (1976-1978): Judd, Williams, Bach, … Criteria using factorizations de N2+1, N2+N+1, N2-N+1, …
• Lenstra-Cohen (1983): First generalist test (no factorization required).• Schoof (1985): Generalist test using elliptic curves. • Atkin-Morain (1988): Elliptic curves. Lighter than Schoof’s algorithm.• Agarwal-Saxena-Kayal (2001): Primality has a polynomial
complexity.
Complexity
• Factorization of numbers with more than 100 decimal digits are not practically feasible.
• Elliptic curve algorithms are unpracticable for digits with more than 300 decimal digits. Moreover, they are difficult to implement.
• There are inexact (or only incomplete) methods which give good results.
Fermat’s theorem
• Let a and N be two integers with 2aN-1. If N is prime then aN-11 (mod N).
• N=7, a=2, 26=641 (mod 7). So 7 is maybe prime.• N=9, a=5, 587 (mod 9). So 9 is not prime.• N=341, a=2, 23401 (mod 341). But 341=1131 is
composite. 341 is said to be pseudo-prime for the basis 2.
• The converse of Fermat’s theorem is false. • The chinese criterion is not true.
Fermat’s test
• 334056 (mod 341) and thus 341 is not prime.
• We can consider to combine several Fermat’s tests.
• But 561 takes any Fermat’s test in default: 25601 (mod 561), 35601 (mod 561), 55601 (mod 561), etc …
• Fermat’s test, alone, is insufficient.
Carmichael’s numbers
• A composite number which suceed for any Fermat’s test is said to be a Carmichael’s number.
• 561 is the smallest Carmichael’s number.• Let n be an integer such that 6n+1, 12n+1 et 18n+1 are
prime, then N=(6n+1)(12n+1)(18n+1) is said to be a Chernick’s number.
• A Chernick’s number is a Carmichael’s number (1729 is the least one).
• Heuristically, there are infinitely many Chernick’s numbers. • Granville’s theorem (1993): There are infinitely many
Carmichael’s numbers.
The equation X21 (mod N)
• Let X be an integer suxh that X21 (mod N).
• Then X2-1=(X+1)(X-1)0 (mod N).
• If X1 and XN-1, then we have the product of 2 numbers smaller than N whose result is a multiple of N, then N is not prime.
• Example 521 (mod 24), thus 640 (mod 24).
Miller-Rabin’s test
• Let N be an odd integer greater or equal to 3.• Let a be an integer such that 2aN-1.• Suppose that aN-11 (mod N).• N-1 is even. Let X=a(N-1)/21 (mod N).• Then X21 (mod N).• Thus if X1 et XN-1 then N is not prime. • If X1 (mod N) and (N-1)/2 is even, we continue with
Y=a(N-1)/41 (mod N).• If X=N-1 then the test is finished.• N is said to pass Miller-Rabin’s test for the basis a when all the
possible verifications have been made without to obtain any contradiction.
Iterative version
• N,a integers, N odd, N3, 2aN-1.
N succeeds
X=1 or N-1 ?
N,a
Determine h and dsuch that d oddand N-1=2h.d
ComputeXad(mod N)
i0
N succeeds
X=N-1 ?
X=1 ?
XX2 (mod N)
i=h ?
ii+1
N fails
yes
no
yes
yes
yes
no no
no
N fails
Example 1
• N=53, a=2
• N-1=52=2213
• X0=213 (mod 53)30
• X1=302 (mod 53)52=N-1
• We have obtained no contradiction thus 53 passes the test for basis 2.
Example 2
• N=561, a=2• N-1=2435• X0=235 (mod 53)263• X1=2632 (mod 53)166• X2=1662 (mod 53)67• X3=672 (mod 53)1• We have obtained a contradiction thus 561 does not
pass the test.• 561 is not prime.
Example 3
• N=2047, a=2
• N-1=21023
• X0=21023 (mod 53)1
• 2047 passes Miller-Rabin’s test for basis 2.
• But 2047=2389 is not prime.
• 2047 is said to be a strong pseudo-prime for basis 2.
Miller-Rabin’s test
• Miller’s theorem: Let N be a composite number, then it can pass successfully at most N/4 Miller-Rabin’s test.
• In fact this is a very pessimistic bound.• Let N be a number to be tested, we choose
randomly n basis for the tests.• If N passes all the tests, then there is less than 1
chance out of 4n that N is in fact composite.
Balance
• The algorithmic cost of a Miller-Rabin’s test is inferior to the one of Fermat’s test.
• It enables to efficiently distinguish composite numbers from prime numbers.
• But this test cannot establish that a number is prime above any doubt.
• Note nevertheless that no strong pseudo-prime for at least 30 different basis is known.
Prime number generation
• There exist methods which generate numbers which are effectively prime.
• In counterpart, the generated numbers are not absolutely random.
• Any prime number cannot be generated. In fact, the generated numbers N have a shape such that if N is effectively prime, the « proof » is easy to obtain.
Lehmer’s theorem
• Let N be an odd integer greater than 3.
• Suppose that there exists an integer a2 such that aN-11 (mod N).
• Suppose moreover that for any prime divisor p of N-1, there exists an integer ap such that ap
(N-1)/p1 (mod N).
• Then N is prime.
Gordon’s method (1985)
• Choose N randomly and try to factorize N-1.• If N-1 can be entirely factorized, apply Lehmer’s
theorem to N.• If the factorization is not successful, choose
another integer N and iterate.• Problem: The entire factorization of N-1 does not
have any chance to terminate if N has several hundreds of decimal digits.
Example (Knuth)
• N0=37866809061660057264219253397.
• 3N0-11 (mod N0), thus N0 is suspected to be prime.
• We factorize N0-1 and we obtain N0-1=22 . 19 . 107 . 353 . 91813 . N1 with N1=143675413657196977.
• 3N1-11 (mod N1), thus N1 is suspected to be prime.
• N1-1=24 . 32 . 547 . 1103 . N2 with N2=1653701519.
• 3N2-11 (mod N2), thus N2 is suspected to be prime.
• N2-1=2 . 7 . 19 . 23 . 137 . 1973.
• The factorization of N2-1 is exact: all the prime divisors are known with certainty.
• We can try to apply Lehmer’s criterion.
Example (Knuth)
• We have 2(N2-1)/21 (mod N2), thus a2=2 is not satistactory.
• We try successively 2, 3, 5, 7 …• We have 7(N2-1)/21653701518 (mod N2) thus a2=7
satisfy Lehmer’s condition.• We also find a7=a19=a23=a137=a1973=2.• N2 is then established to be prime.• The factorization of N1-1 is then exact and we try to
apply Lehmer’s criterion to N1.
Example (Knuth)
• We continue and we show that N1, then N0 are prime.
• This is a descending proof. • N0 is prime if N1<N0 is prime, N1 is prime if
N2<N1 is prime and N2 is small enough to be easily shown to be prime.
• Other certificates like Atkin-Morain’s one use also a descending principle.
Pocklington’s theorem
• Let N be an odd integer greater than 3.• Hypotheses: N=R.F+1 with F even.• The factorization of F is entirely known.• GCD(R,F)=1.• There exists an integer a such that aN-11 (mod N) for
any prime divisor p of F, GCD(a(N-1)/p-1,N)=1.• Then: Any prime divisor of N is of the form k.F+1
with k1.• In particular, if N<(F+1)2, then N is prime.• In fact, if N<(F+1).(2F+1) then N is prime.
Maurer’s method (1987)
• We wish to generate a prime number with 20 decimal digits.
• We choose F even whose factorization is known. For instance, F=23257376907=5010183422.
• We choose randomly an odd integer R such that R2F, for instance R=7419669081.
• We compute N=R.F+1=37173903026352175183.• We choose a randomly and compute aN-1 (mod N).• Example 2N-1 31953700866015605260 (mod N).• The result is not equal to 1 so N is not prime.• We choose a new value for R and we iterate.
Maurer’s method (1987)
• R=7785640265.• N=39007485785358686831.• We have 7N-11 (mod N) thus N is maybe prime.• We have 7(N-1)/2 39007485785358686830 (mod N).• GCD(39007485785358686829,N)=1 thus N
satisfies the first condition.• Likewise, GCD(7(N-1)/32573-1,N)=1 and
GCD(7(N-1)/76907-1,N)=1.• Thus N is prime.
Remarks
• In the preceding example, if we take a=2, we effectively have 2N-11 (mod N) and thus N is suspected to be prime.
• But 2(N-1)/21 (mod N) and thus GCD(2(N-1)/2-1,N)=N.• The value a=2 does not permit to establish the
primality of N.• Two strategies are possible: either we insist and
choose a new value for a (because we expect that N is effectively prime), or we give away and generate a new candidate.
Remarks
• Most of the problems appear when the divisor 2 of F is tested: half of the times, a « does not work ».
• We can avoid this problem by computing the Jacobi symbol of a for N: if J(a,N)=-1, a will not cause a problem.
• This computation is quick with respect of the exponentiations.
• Another remark: in order to choose the prime divisors of F, we can recursively use the same method.
• Then we can choose values for F with large prime factors.
Refinement of Brillhart et al.
• Let N verifying the conditions of Pocklington’s theorem except that N<2F3 only.
• We pose R=2Fs+r with 0r2F.• Then if s=0 or if r2-8s is not a perfect
square, then N is prime.• Determining exactly whether a number is a
perfect square is algorithmically costly.
Perfect square
• When generating prime numbers, only sufficient conditions are considered.
• If N2 (mod 3), N is not a perfect square.• If N2 ou 3 (mod 5) or N3, 5 ou 6 (mod 7) idem.• If N verifies at least one of these congruences, then N
is not a perfect square.• Generally, if Na (mod M) with J(a,M)=-1 where J
is Jacobi’s symbol (resp. Legendre) if M is composite (resp. prime), then N is not a perfect square.
Other methods
• There also exist primality tests based on Lucas series.• Those criteria permit to establish if a number not too large
is prime, to generate large prime numbers or to test with a great fiability (Strong pseudo-primalité for Lucas’s criterion)
• The primality criteria of logiciels like Mupad, Maple or Mathematica are in fact most of the time composed of a series of Miller-Rabin’s tests followed by a strong pseudo-primality test for Lucas’s criterion.
• It is also possible to combine with other tests: Perrin’s series, Fibonacci, Judd, Williams, elliptic curve tests.