primality testing and the miller-rabin algorithmjtaylor/notes/crypto... · primality testing and...
TRANSCRIPT
![Page 1: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/1.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Primality Testing and the Miller-RabinAlgorithm
FA 2018 Cryptography Seminar
J. David Taylor
October 12, 2018
![Page 2: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/2.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Why Primality Testing?
Suppose Bob wants to implement RSA.
Bob needs a pair of large prime numbers!
If p, q are composite, then Bob will need to know how tofactor them, and the cipher will be less secure.
![Page 3: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/3.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Why Primality Testing?
Suppose Bob wants to implement RSA.
Bob needs a pair of large prime numbers!
If p, q are composite, then Bob will need to know how tofactor them, and the cipher will be less secure.
![Page 4: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/4.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Why Primality Testing?
Suppose Bob wants to implement RSA.
Bob needs a pair of large prime numbers!
If p, q are composite, then Bob will need to know how tofactor them,
and the cipher will be less secure.
![Page 5: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/5.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Why Primality Testing?
Suppose Bob wants to implement RSA.
Bob needs a pair of large prime numbers!
If p, q are composite, then Bob will need to know how tofactor them, and the cipher will be less secure.
![Page 6: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/6.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Why Primality Testing?
The prime number theorem tells us that
The number of primes ≤ N ≈ N
logN
.
If Bob can efficiently distinguish prime numbers fromcomposite numbers, then Bob can choose large numbersat random and check which are prime.
Bob wants an efficient algorithm that detects compositenumbers.
![Page 7: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/7.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Why Primality Testing?
The prime number theorem tells us that
The number of primes ≤ N ≈ N
logN
.
If Bob can efficiently distinguish prime numbers fromcomposite numbers, then Bob can choose large numbersat random and check which are prime.
Bob wants an efficient algorithm that detects compositenumbers.
![Page 8: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/8.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Why Primality Testing?
The prime number theorem tells us that
The number of primes ≤ N ≈ N
logN
.
If Bob can efficiently distinguish prime numbers fromcomposite numbers, then Bob can choose large numbersat random and check which are prime.
Bob wants an efficient algorithm that detects compositenumbers.
![Page 9: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/9.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Fermat’s Little Theorem
Theorem
Let p be a prime number, then ap ≡ a mod p for every integera.
Example: Letn = 31987937737479355332620068643713101490952335301.
The congruence ( mod n)
2n−1 ≡ 1281265953551359064133601216247151836053160074
tells Bob that n is not prime!
![Page 10: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/10.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Fermat’s Little Theorem
Theorem
Let p be a prime number, then ap ≡ a mod p for every integera.
Example: Letn = 31987937737479355332620068643713101490952335301.
The congruence ( mod n)
2n−1 ≡ 1281265953551359064133601216247151836053160074
tells Bob that n is not prime!
![Page 11: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/11.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Fermat’s Little Theorem
Theorem
Let p be a prime number, then ap ≡ a mod p for every integera.
Example: Letn = 31987937737479355332620068643713101490952335301.
The congruence ( mod n)
2n−1 ≡ 1281265953551359064133601216247151836053160074
tells Bob that n is not prime!
![Page 12: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/12.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Witnesses
Let a, n be integers. We say that a is a witness for (thecompositeness of) n if an 6≡ a mod n.
For example, 2 is a witness for 6, but 3 isn’t.
Idea: Try numbers less than n until you find a witness or try allof them
![Page 13: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/13.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Witnesses
Let a, n be integers. We say that a is a witness for (thecompositeness of) n if an 6≡ a mod n.
For example, 2 is a witness for 6, but 3 isn’t.
Idea: Try numbers less than n until you find a witness or try allof them
![Page 14: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/14.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Witnesses
Let a, n be integers. We say that a is a witness for (thecompositeness of) n if an 6≡ a mod n.
For example, 2 is a witness for 6, but 3 isn’t.
Idea: Try numbers less than n until you find a witness or try allof them
![Page 15: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/15.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Carmichael Numbers
Composite numbers with no witnesses are calledCarmichael numbers.
(Korselt) Theorem: A positive composite integer n isCarmichael iff n is square-free and p − 1|n − 1 for everyprime p|n.
First seven Carmichael numbers are 561, 1105, 1729,2465, 2821, 6601, and 8911.
(Alfred, Granville, Pomerance) Theorem: There areinfinitely many Carmichael numbers
![Page 16: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/16.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Carmichael Numbers
Composite numbers with no witnesses are calledCarmichael numbers.
(Korselt) Theorem: A positive composite integer n isCarmichael iff n is square-free and p − 1|n − 1 for everyprime p|n.
First seven Carmichael numbers are 561, 1105, 1729,2465, 2821, 6601, and 8911.
(Alfred, Granville, Pomerance) Theorem: There areinfinitely many Carmichael numbers
![Page 17: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/17.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Carmichael Numbers
Composite numbers with no witnesses are calledCarmichael numbers.
(Korselt) Theorem: A positive composite integer n isCarmichael iff n is square-free and p − 1|n − 1 for everyprime p|n.
First seven Carmichael numbers are 561, 1105, 1729,2465, 2821, 6601, and 8911.
(Alfred, Granville, Pomerance) Theorem: There areinfinitely many Carmichael numbers
![Page 18: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/18.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Carmichael Numbers
Composite numbers with no witnesses are calledCarmichael numbers.
(Korselt) Theorem: A positive composite integer n isCarmichael iff n is square-free and p − 1|n − 1 for everyprime p|n.
First seven Carmichael numbers are 561, 1105, 1729,2465, 2821, 6601, and 8911.
(Alfred, Granville, Pomerance) Theorem: There areinfinitely many Carmichael numbers
![Page 19: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/19.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Criterion
Let p = 2kq + 1 be an odd prime number with q odd.
Let a be an integer coprime to p. Then
aq ≡ 1 mod p, or
one of aq, a2q, a4q, . . . , a2k−1q is congruent to −1 mod p.
Essentially, a2kq = ap−1 ≡ 1 mod p, so either q kills a or some
number in the list is a non-trivial square root of 1.
![Page 20: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/20.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Criterion
Let p = 2kq + 1 be an odd prime number with q odd.
Let a be an integer coprime to p.
Then
aq ≡ 1 mod p, or
one of aq, a2q, a4q, . . . , a2k−1q is congruent to −1 mod p.
Essentially, a2kq = ap−1 ≡ 1 mod p, so either q kills a or some
number in the list is a non-trivial square root of 1.
![Page 21: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/21.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Criterion
Let p = 2kq + 1 be an odd prime number with q odd.
Let a be an integer coprime to p. Then
aq ≡ 1 mod p,
or
one of aq, a2q, a4q, . . . , a2k−1q is congruent to −1 mod p.
Essentially, a2kq = ap−1 ≡ 1 mod p, so either q kills a or some
number in the list is a non-trivial square root of 1.
![Page 22: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/22.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Criterion
Let p = 2kq + 1 be an odd prime number with q odd.
Let a be an integer coprime to p. Then
aq ≡ 1 mod p, or
one of aq, a2q, a4q, . . . , a2k−1q is congruent to −1 mod p.
Essentially, a2kq = ap−1 ≡ 1 mod p, so either q kills a or some
number in the list is a non-trivial square root of 1.
![Page 23: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/23.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Criterion
Let p = 2kq + 1 be an odd prime number with q odd.
Let a be an integer coprime to p. Then
aq ≡ 1 mod p, or
one of aq, a2q, a4q, . . . , a2k−1q is congruent to −1 mod p.
Essentially, a2kq = ap−1 ≡ 1 mod p,
so either q kills a or somenumber in the list is a non-trivial square root of 1.
![Page 24: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/24.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Criterion
Let p = 2kq + 1 be an odd prime number with q odd.
Let a be an integer coprime to p. Then
aq ≡ 1 mod p, or
one of aq, a2q, a4q, . . . , a2k−1q is congruent to −1 mod p.
Essentially, a2kq = ap−1 ≡ 1 mod p, so either q kills a
or somenumber in the list is a non-trivial square root of 1.
![Page 25: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/25.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Criterion
Let p = 2kq + 1 be an odd prime number with q odd.
Let a be an integer coprime to p. Then
aq ≡ 1 mod p, or
one of aq, a2q, a4q, . . . , a2k−1q is congruent to −1 mod p.
Essentially, a2kq = ap−1 ≡ 1 mod p, so either q kills a or some
number in the list is a non-trivial square root of 1.
![Page 26: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/26.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Primality Test
We’ll test n with potential witness a:
1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2kq with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0, . . . , k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
![Page 27: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/27.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Primality Test
We’ll test n with potential witness a:
1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2kq with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0, . . . , k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
![Page 28: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/28.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Primality Test
We’ll test n with potential witness a:
1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2kq with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0, . . . , k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
![Page 29: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/29.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Primality Test
We’ll test n with potential witness a:
1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2kq with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0, . . . , k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
![Page 30: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/30.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Primality Test
We’ll test n with potential witness a:
1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2kq with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0, . . . , k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
![Page 31: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/31.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Primality Test
We’ll test n with potential witness a:
1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2kq with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0, . . . , k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
![Page 32: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/32.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Primality Test
We’ll test n with potential witness a:
1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2kq with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0, . . . , k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
![Page 33: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/33.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Primality Test
We’ll test n with potential witness a:
1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2kq with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0, . . . , k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
![Page 34: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/34.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Primality Test
We’ll test n with potential witness a:
1 if 2|n or 1 < gcd(a, n) < n, return “composite”
2 factor n − 1 = 2kq with q odd.
3 set a = aq mod n
4 if a ≡ 1 mod n, return “fail”
5 for i = 0, . . . , k − 1,
if a ≡ −1 mod n, return “fail”
set a = a2 mod n
6 return “composite”
![Page 35: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/35.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Example
Let’s test n = 561 with a = 2.
Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
![Page 36: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/36.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Example
Let’s test n = 561 with a = 2.
Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
![Page 37: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/37.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Example
Let’s test n = 561 with a = 2.
Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
![Page 38: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/38.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Example
Let’s test n = 561 with a = 2.
Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
![Page 39: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/39.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Example
Let’s test n = 561 with a = 2.
Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
![Page 40: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/40.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Example
Let’s test n = 561 with a = 2.
Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
![Page 41: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/41.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Example
Let’s test n = 561 with a = 2.
Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
![Page 42: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/42.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Example
Let’s test n = 561 with a = 2.
Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
![Page 43: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/43.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
Miller-Rabin Example
Let’s test n = 561 with a = 2.
Step 2 560 = 24 · 35
Step 3 a = 235 ≡ 263 mod 561
Step 5 The loop 0,1,2,3
263 6≡ −1
2632 ≡ 166
1662 ≡ 67
672 ≡ 1
Step 6 return “composite”
![Page 44: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/44.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
MRT Analysis
If n is an odd composite number, then at least 75% of theintegers in [1, n − 1] will show that n is composite via theMiller-Rabin Test.
If the Generalized Riemann Hypothesis is true, then somea ≤ 2(log n)2 suffices.
In practice, (1) choose a large number n, then (2) try randoma’s in the MRT until you get a sufficently high probability thatn is prime.
The runtime for each n is between quadratic and quarticdepending on implementation.
![Page 45: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/45.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
MRT Analysis
If n is an odd composite number, then at least 75% of theintegers in [1, n − 1] will show that n is composite via theMiller-Rabin Test.
If the Generalized Riemann Hypothesis is true, then somea ≤ 2(log n)2 suffices.
In practice, (1) choose a large number n, then (2) try randoma’s in the MRT until you get a sufficently high probability thatn is prime.
The runtime for each n is between quadratic and quarticdepending on implementation.
![Page 46: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/46.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
MRT Analysis
If n is an odd composite number, then at least 75% of theintegers in [1, n − 1] will show that n is composite via theMiller-Rabin Test.
If the Generalized Riemann Hypothesis is true, then somea ≤ 2(log n)2 suffices.
In practice, (1) choose a large number n, then (2) try randoma’s in the MRT until you get a sufficently high probability thatn is prime.
The runtime for each n is between quadratic and quarticdepending on implementation.
![Page 47: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/47.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
MRT Analysis
If n is an odd composite number, then at least 75% of theintegers in [1, n − 1] will show that n is composite via theMiller-Rabin Test.
If the Generalized Riemann Hypothesis is true, then somea ≤ 2(log n)2 suffices.
In practice, (1) choose a large number n, then (2) try randoma’s in the MRT until you get a sufficently high probability thatn is prime.
The runtime for each n is between quadratic and quarticdepending on implementation.
![Page 48: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/48.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
AKS Primality Test
The paper “PRIMES is in P” by Agrawal, Kayal, and Saxenapresents an algorithm that can be modified to have runtime ofO(log6 n).
The AKS algorithm is deterministic and proves that n is or isnot prime.
In practice, MRT’s speed makes it preferable to AKS.
AKS uses: Let a, n be coprime with n ≥ 2. Then n is prime iff
(x + a)n ≡ (xn + a) mod n
(as polynomials).
![Page 49: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/49.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
AKS Primality Test
The paper “PRIMES is in P” by Agrawal, Kayal, and Saxenapresents an algorithm that can be modified to have runtime ofO(log6 n).
The AKS algorithm is deterministic and proves that n is or isnot prime.
In practice, MRT’s speed makes it preferable to AKS.
AKS uses: Let a, n be coprime with n ≥ 2. Then n is prime iff
(x + a)n ≡ (xn + a) mod n
(as polynomials).
![Page 50: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/50.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
AKS Primality Test
The paper “PRIMES is in P” by Agrawal, Kayal, and Saxenapresents an algorithm that can be modified to have runtime ofO(log6 n).
The AKS algorithm is deterministic and proves that n is or isnot prime.
In practice, MRT’s speed makes it preferable to AKS.
AKS uses: Let a, n be coprime with n ≥ 2. Then n is prime iff
(x + a)n ≡ (xn + a) mod n
(as polynomials).
![Page 51: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/51.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
AKS Primality Test
The paper “PRIMES is in P” by Agrawal, Kayal, and Saxenapresents an algorithm that can be modified to have runtime ofO(log6 n).
The AKS algorithm is deterministic and proves that n is or isnot prime.
In practice, MRT’s speed makes it preferable to AKS.
AKS uses: Let a, n be coprime with n ≥ 2. Then n is prime iff
(x + a)n ≡ (xn + a) mod n
(as polynomials).
![Page 52: Primality Testing and the Miller-Rabin Algorithmjtaylor/notes/crypto... · Primality Testing and the Miller-Rabin Algorithm J. David Taylor Introduction First Attempt Second Attempt](https://reader036.vdocument.in/reader036/viewer/2022070223/6146b397f4263007b1355913/html5/thumbnails/52.jpg)
PrimalityTesting and
theMiller-RabinAlgorithm
J. DavidTaylor
Introduction
First Attempt
SecondAttempt
I’ve been informed that having no pictures isunacceptable ;-)
...Meow