Outline

• Tests for Primes
• In-Class Exercise

Testing for Primes

• One key component of RSA is to use large primes chosen at random.
• It turns out that primes are not too rare since it is known that `pi(n)` = the number of primes less than `n` grows as `n/(log n)`.
• However, we still need a way to check if an odd number is prime.
• One brute force approach is to try to divide each number up to `sqrt(n)`. This is exponential in the number of bits of `n`.
• Recall if `n` is prime then `a^(n-1) equiv 1 mod n`.
• A number `n` is pseudo-prime for `a`, if it is composite but `a^(n-1) equiv 1 mod n`.
• It turns out pseudo-primes are rare, so we could almost check for primality by checking this equation for different values for `a`.
• Unfortunately, there are even rarer numbers called Carmichael numbers.
• These are defined as composite numbers such that the equation `a^(n-1) equiv 1 mod n` holds for all nonzero `a`.
• Carmichael numbers are rare since one can show they needs to be a product of at least three distinct prime number.
• For example, `561 = 3 cdot 11 cdot 17` is a Carmichael Number. One can check for each nonzero `a` that `a^(560) equiv 1 mod 561` (probably want to do using a program).

Miller Rabin Primality Testing

• Idea:
  1. Try several randomly chosen values for `a`.
  2. While computing each modular exponentiation we check, if we ever see a nontrivial square root of `1 mod n`. If so, we know for sure the number is composite.
• The Non-Trivial Square root testing is done by the following routine:

  Witness(a,n)
  1 let n - 1 = 2^t*u, where t >= 1 and u is odd
  2 x_0 = Modular-Exponentiation(a, u, n)
  3 for i = 1 to t:
  4     x_i = (x_(i-1))^2 mod n
  5     if x_i = 1 and x_(i-1) != 1 and x_(i-1) != n-1:
  6         return true
  7 if x_t != 1: 
  8     return true
  9 return false
  

Miller Rabin continued

Miller-Rabin(n, s)
1 for j = 1 to s
2    a = Random(1, n - 1)
3    if Witness(a, n):
4        return "Composite"
5 return "Prime"

Error Rate

• If Miller-Rabin says composite, we know the number is composite.
• If it says prime, there is some error rate given by the next theorem:

Theorem. If `n` is composite, then the number of witnesses to compositeness is at least `(n-1)/2`.

Proof. We show the number of non-witnesses is at most `(n-1)/2`. First, any non-witness must be in `ZZ_n^(star)` as it must satisfy `a^(n-1) equiv 1 mod n`, i.e., `a cdot a^(n-2) equiv 1 mod n`; thus, it has an inverse. So we know `gcd(a,n) | 1` and hence `gcd(a, n) = 1`. Next we show that all non-witnesses are contained in a proper subgroup of `ZZ_n^(star)`. This implies the Theorem. There two cases to consider:

1. There is an `x in ZZ_n^(star)` such that `x^(n-1) ne 1 mod n`. In this case, we note all the `b` such that `b^(n-1) equiv 1 mod n` form a group. To see this note, `1` is in this group. As `b \cdot b^{n-2} equiv 1 mod n` and
   `(b^{n-2})^{n-1} equiv b^{(n-2)cdot(n-1)} equiv (b^{n-1})^{n-2} equiv 1^{n-2} equiv 1 mod n`.
   the inverse of `b`, `b^{-1} = b^{n-2}`, satisfies `(b^{-1})^{n-1} equiv 1 mod n`. Finally, given `b`, `c` satisfying the property,
   `(b \cdot c)^{n-1} equiv (b^{n-1}) (c^{n-1}) equiv 1 cdot 1 equiv 1 mod n`,
   So this set is a group. Since it does not contain `x`, it is a proper subgroup of `ZZ_n^(star)`.
2. The number `n` is Carmichael number. In this case, `x^(n-1) equiv 1 mod n` for all `x in ZZ_n^(star)`. i.e, such that `gcd(x, n) = 1`. We show this case after the In-class Exercise.

In-Class Exercise

• Give an algorithm to compute `a^x mod n` which runs in time some polynomial in `|a|`, |x|, `|n|`.
• Use your algorithm to step by step show `3^560 mod 561`.
• Post your solutions to the Apr 11 In-Class Exercise Thread.

Solution.

Assumptions: `a cdot b` and `a mod b` are computable in time proportional to `|a| \cdot |b|` (can do grade school algorithms).

Exp-Mod(a, x, n)
   c := (Exp-Mod(a, floor(x/2), n))^2 mod n
   if x is even return c;
   else
     return a * c mod n;

Using the algorithm we have:

Exp-Mod(3, 560, 561) 
= (Exp-Mod(3, 280, 561))^2 mod 561
= ((Exp-Mod(3, 140, 561))^2 mod 561)^2 mod 561
= (((Exp-Mod(3, 70, 561))^2 mod 561)^2 mod 561)^2 mod 561
= ((((Exp-Mod(3, 35, 561))^2 mod 561)^2 mod 561)^2 mod 561)^2 mod 561
Let c = Exp-Mod(3, 35, 561) then
c=
= 3 * (Exp-Mod(3, 17, 561))^2 mod 561
= 3 * (3 * (Exp-Mod(3, 8, 561))^2 mod 561)^2 mod 561
... to save writing we note Exp-Mod(3, 8, 561) = 3^4 * 3^4 = 81*81 = 390 mod 561
= 3 * (3 * (390)^2 mod 561)^2 mod 561
= 3 * (207 mod 561) ^2 mod 561
= 78 mod 561
Plugging in for c in the above
= ((((c)^2 mod 561)^2 mod 561)^2 mod 561)^2 mod 561
= (((474)^2 mod 561)^2 mod 561)^2 mod 561
= ((276)^2 mod 561)^2 mod 561
= 441^2 mod 561
= 375 mod 561.

Notice this isn't 1, but that's okay as `gcd(3, 561) = 3 ne 1`.

Miller-Rabin Correctness -- The Carmichael Number Case

• Suppose `n` is a Carmichael number.
• First, notice `n` can't be a prime power. To see this suppose `n = p^e`. Since `n` is odd, `p` must also be odd, so `ZZ_n^star` will be cyclic, so has a generator `g` and by assumption we have `g^(n-1) equiv 1 mod n`. On the other hand, `o\r\d(g) = phi(n) = (p-1)p^(e-1)` and the discrete logarithm theorem implies `n-1 equiv 0 mod phi(n)`. I. e., `(p-1)p^(e-1) | p^e - 1`, which is impossible as the left hand-side is divisible by `p`, but the right hand side is not.
• So suppose `n` is odd, not a prime power and composite. We can then decompose it as `n =n_1 cdot n_2` where `n_1` and `n_2` have different prime factors.
• Define `t` and `u` so that `n - 1 = 2^t u` and `u` is odd.
• The Witness procedure we gave computes the sequence:
  `X = langle a^u, a^(2u), a^((2^2)u), ..., a^((2^t)u) rangle` (all mod n)
• Call a pair `(v, j)` acceptable if `v in ZZ_n^star` and `v^((2^j)u) equiv -1 mod n`.
• For example, `v = n-1` and `j=0` is acceptable.
• Pick an acceptable pair `(v, j)` (from above we know there is one) with the largest possible value `j le t`.
• Then one can show
  `B = {x in ZZ_n^star |x^((2^j)u) equiv +-1 mod n}`
  is a subgroup of `ZZ_n^star`.

Miller-Rabin Correctness -- Finish The Carmichael Number Case

• Every non-witness must be a member of `B`, since the sequence `X` produced by a non-witness must be all `1`'s or else have a `-1` no later than the `j`th position, by the maximality of `j`.
• We now use the existence of `v` such that `v^((2^j)u) equiv -1 mod n` to show there exists a `w` in `ZZ_n^star setminus B`.
• Since `v^((2^j)u) equiv -1 mod n` we have `v^((2^j)u) equiv -1 mod n_1`.
• So we can find by the Chinese Remainder Theorem a `w` such that `w equiv v mod n_1` and `w equiv 1 mod n_2`.
• In which case, `w^((2^j)u) equiv -1 mod n_1` and `w^((2^j)u) equiv 1 mod n_2`.
• So using Chinese Remainder theorem (which says `x equiv a mod n iff x equiv a mod n_i` for each `n_i` ), we get `w^((2^j)u)` is not congruent to `+-1 mod n`.
• So `w` is not in `B`. Nevertheless, one can show its `gcd(w, n) = 1` using the Chinese Remainder Theorem together with the fact that `v` is in `ZZ_n^star` . So `w` is in `ZZ_n^star` completing the proof.