Announcements:
1. Pass in Homework 5 now.
2. Term project groups and topics due by Friday
   1. Can use discussion forum to find teammates
3. HW6 posted
Questions?
This week: Primality testing, factoring
           Discrete Logs
DTTF/NB479: Dszquphsbqiz    Day 22
The Square Root Compositeness Theorem gives a way to factor certain composite numbers
Given integers n, x, and y:
If $x^2 \equiv y^2 \pmod{n}$ but $x \not\equiv \pm y \pmod{n}$,
then n is composite, and gcd(x-y, n) is a non-trivial factor
The Miller-Rabin Compositeness Test just reorders the Fermat test’s powermod to catch pseudoprimes
Observe: n is odd and n>1
Trick: write $n-1 = 2^k m$, where k >= 1
$a^{n-1} \stackrel{?}{\equiv} 1 \pmod{n}$
$a^{n-1} = (\cdots((a^m)^2)^2\cdots)^2 \stackrel{?}{\equiv} 1 \pmod{n}$, with $b_0 = a^m$
We’ll compute powers from inside out, checking if the result is +1 or -1 at each step
It uses the Square Root Compositeness Theorem to catch most pseudoprimes
Given odd n>1, write $n-1 = 2^k m$, where k >= 1.
Choose a base a randomly (or just pick a=2)
Let $b_0 = a^m \pmod{n}$
If $b_0 = \pm 1$, stop. n is probably prime by Fermat
For i = 1..k-1
    Compute $b_i = b_{i-1}^2$.
    If $b_i = 1 \pmod{n}$, stop. n is composite by SRCT, and $\gcd(b_{i-1}-1, n)$ is a factor.
    If $b_i = -1 \pmod{n}$, stop. n is probably prime by Fermat.
If $b_k = 1 \pmod{n}$, stop. n is composite by SRCT
Else n is composite by Fermat.
[Figure: $a^{n-1} = (\cdots((a^m)^2)^2\cdots)^2$ with k squarings, labelled $b_0 = a^m$, $b_1$, ..., $b_k$]
Examples of Miller-Rabin
1. n=189
2. n=561 (recall Fermat says prob prime)
3. Complete the table on your quiz
[Flowchart: n -> Even? (no) -> div by other small primes? (no) -> $2^{n-1} \stackrel{?}{\equiv} 1 \pmod{n}$ (yes) -> Prime by Factoring/advanced techn.? (yes) -> prime]
Fermat’s contrapositive is OK, but Miller-Rabin is better!
Finding large probable primes
#primes < x = $\pi(x) \approx \frac{x}{\ln(x)}$
Density of primes: ~1/ln(x)
For 100-digit numbers, ~1/230.
So ~1/115 of odd 100-digit numbers are prime
Can start with a random large odd number and iterate, applying M-R to remove composites. We’ll soon find one that is a likely prime.
Can repeat with different bases to improve probability that it’s prime.
Maple’s nextprime() appears to do this, but also runs the Lucas test: http://www.mathpages.com/home/kmath473.htm
[Flowchart: n -> Even? (no) -> div by other small primes? (no) -> Pass M-R? (yes) -> Prime by Factoring/advanced techn.? (yes) -> prime]
Fermat’s contrapositive is OK, but Miller-Rabin is better!
Factoring
If you are trying to factor n=pq and know that p and q are close, use Fermat factoring:
    Compute $n + 1^2$, $n + 2^2$, $n + 3^2$, until you reach a perfect square, say $r^2 = n + k^2$
    Then $n = r^2 - k^2 = (r+k)(r-k)$
Example: factor 2405597
The moral of the story? Choose p and q such that _____
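Fermat factoring run on the slide's example, as an added sketch that is not from the original slides. The function name, the max_k cutoff and the second modulus (101 * 100003, constructed here) are assumptions used to show how the step count depends on the distance between the factors.

```python
from math import isqrt

def fermat_factor(n, max_k=10**6):
    """Try n + k^2 for k = 1, 2, 3, ... until it is a perfect square r^2,
    then n = (r - k)(r + k). Returns (r - k, r + k, k), or None if no
    non-trivial split is found within max_k steps.
    Like the slide, the search starts at k = 1, so a perfect-square n
    (the k = 0 case) is not handled."""
    if n <= 1 or n % 2 == 0:
        raise ValueError("expects an odd n > 1")
    for k in range(1, max_k + 1):
        r = isqrt(n + k * k)
        if r * r == n + k * k:
            if r - k == 1:         # only the trivial split 1 * n remains
                return None
            return (r - k, r + k, k)
    return None

if __name__ == "__main__":
    # Slide example: the factors are close, so the square appears at k = 2.
    print(fermat_factor(2405597))
    # Constructed modulus with factors far apart: k must reach (q - p) / 2.
    print(fermat_factor(101 * 100003, max_k=1000))
    print(fermat_factor(101 * 100003))
```

The k returned is (q-p)/2, so the cost of this method grows with the gap between the two factors.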
(p-1) Algorithm
Useful if p|n and (p-1) has only small factors
Choose any a>1 (like a=2) and bound B
Compute $b = a^{B!} \pmod{n}$ (How?)
Then compute d=gcd(b-1, n)
    If 1<d<n, then d is a non-trivial factor
Matlab example: n=5183. We’ll use a=2, B=6.
Why does it work?
Moral of this story?
To get a 100-digit number n=pq resistant to this attack:
    Make sure (p-1) has at least 1 large prime factor:
        Pick $p_0$ = nextprime($10^{40}$)
        Choose k~$10^{60}$ such that $p = (kp_0+1)$ is prime
            How to test?
        Repeat for q.
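The (p-1) algorithm on the slide's n=5183, a=2, B=6, written in Python rather than Matlab as an added example that is not the course's own code. The function names and the second modulus 8881 = 83 * 107 (constructed here so that p-1 = 2*41 and q-1 = 2*53 each have a large prime factor) are assumptions for illustration.

```python
from math import gcd

def p_minus_1(n, a=2, B=6):
    """(p-1) method: b = a^(B!) mod n, d = gcd(b - 1, n).
    Returns d when 1 < d < n, otherwise None (d = 1: bound too small;
    d = n: bound caught every prime factor at once)."""
    b = a % n
    for j in range(2, B + 1):      # ((a^2)^3)^...^B = a^(B!) without forming B!
        b = pow(b, j, n)
    d = gcd(b - 1, n)
    return d if 1 < d < n else None

def smallest_bound(n, a=2, limit=1000):
    """Smallest bound B <= limit for which the method yields a factor."""
    for B in range(2, limit + 1):
        d = p_minus_1(n, a, B)
        if d is not None:
            return (B, d)
    return None

if __name__ == "__main__":
    print(p_minus_1(5183, 2, 6))   # slide example
    print(p_minus_1(5183, 2, 5))   # bound too small, d = 1
    print(p_minus_1(5183, 2, 7))   # bound too large, d = n
    # Constructed modulus: no factor appears until B reaches 41.
    print(smallest_bound(8881))
```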
Example
Factor n = 3837523
Concepts we will learn also apply to factoring really big numbers. They are the basis of the best current methods
All you had to do to win $30,000 was factor a 212 digit number.
This is the RSA Challenge: http://www.rsa.com/rsalabs/node.asp?id=2093#RSA704