Handbook of Applied Cryptography - CH 4, from 4.1~4.3
Doo-Hee Hwang 2017.10.16

Agenda
4.1 Introduction
4.1.1 Approaches to generating large prime numbers
4.1.2 Distribution of prime numbers
4.2 Probabilistic primality tests
4.2.1 Fermat’s test
4.2.2 Solovay-Strassen test
4.2.3 Miller-Rabin test
4.2.4 Comparison: Fermat, Solovay-Strassen, and Miller-Rabin
4.3 (True) Primality tests
4.3.1 Testing Mersenne numbers
4.3.2 Primality testing using the factorization of n-1
4.3.3 Jacobi sum test
4.3.4 Tests using elliptic curves

4.1.1 Approaches to generating large prime numbers
To introduce many of the relevant concepts, the problem of generating large prime numbers is considered first. The most natural method is to generate a random number n of appropriate size and check whether it is prime. This can be done by checking whether n is divisible by any of the prime numbers. More efficient methods are needed in practice; to motivate them, consider the following approach:
1. Generate as a candidate a random odd number n of appropriate size.
2. Test n for primality.
3. If n is composite, return to the first step.
In step 2, the test for primality might be either a test which proves that the candidate is prime (in which case the outcome of the generator is called a provable prime), or a test which establishes a weaker result, such as that n is “probably prime” (in which case the outcome of the generator is called a probable prime).

4.1.1 Approaches to generating large prime numbers
Most so-called probabilistic primality tests are absolutely correct when they declare a candidate n to be composite, but do not provide a mathematical proof that n is prime in the case when such a number is declared to be “probably” so. For this reason, such tests are more properly called compositeness tests (tests of whether n is composite or not) than probabilistic primality tests. True primality tests, which allow one to conclude with mathematical certainty that a number is prime, generally require considerably greater computational resources.
A final distinction between different techniques for prime number generation is the use of randomness. Candidates are typically generated as a function of a random input. The technique used to judge the primality of the candidate, however, may or may not itself use random numbers. If it does not, the technique is deterministic, and the result is reproducible; if it does, the technique is said to be randomized. Both deterministic and randomized probabilistic primality tests exist.

4.1.2 Distribution of prime numbers
Let π(x) denote the number of primes in the interval [2, x]. The prime number theorem (Fact 2.95) states that. The prime numbers are quite uniformly distributed, as the following three results illustrate.
4.1 Fact (Dirichlet theorem) If gcd(a, n) = 1, then there are infinitely many primes congruent to a modulo n.
4.2 Fact Let π(x, n, a) denote the number of primes in the interval [2, x] which are congruent to a modulo n, where gcd(a, n) = 1.
4.3 Fact (approximation for the nth prime number) Let p_n denote the nth prime number. Then.

4.1.2 Distribution of prime numbers
The list of prime numbers less than 2000 is:

4.2 Probabilistic primality tests
Probabilistic primality tests have the following framework. For each odd positive integer n, a set is defined such that the following properties hold:
4.4 Definition. If n is composite, the elements of W(n) are called witnesses to the compositeness of n, and the elements of the complementary set are called liars.
* No conclusion about the primality of n can be drawn with absolute certainty; that is, a declaration of “prime” may be incorrect.
4.5 Definition. An integer n which is believed to be prime on the basis of a probabilistic primality test is called a probable prime.

4.2.1 Fermat’s test
Fermat’s Theorem (also known as Fermat’s Little Theorem):
If n is prime and a is a positive integer not divisible by n (gcd(a, n) = 1), then a^(n-1) ≡ 1 (mod n).
Proof of a^(n-1) ≡ 1 (mod n), gcd(a, n) = 1:
Consider the set of positive integers less than n, that is {1, 2, …, n-1}, multiply each element by a, and reduce modulo n. We get X = {a mod n, 2a mod n, …, (n-1)a mod n}. None of the elements of X is equal to zero because n does not divide a. Furthermore, no two of the integers in X are equal. To see this, assume that ja ≡ ka (mod n) where 1 ≤ j < k ≤ n-1. Because a is relatively prime to n, we can cancel a from both sides, giving j ≡ k (mod n). This is impossible because j and k are distinct positive integers less than n. Therefore the (n-1) elements of X are all positive integers less than n, with no two equal, so X consists of the integers {1, 2, …, n-1} in some order. Multiplying the numbers in both sets and taking the result mod n yields:
a × 2a × … × (n-1)a ≡ 1 × 2 × … × (n-1) (mod n)
a^(n-1) (n-1)! ≡ (n-1)! (mod n)
Since n is prime, (n-1)! is relatively prime to n and can be cancelled from both sides. That is, a^(n-1) ≡ 1 (mod n).

4.2.1 Fermat’s test
Example of Fermat’s Theorem: a = 7, n = 19
7^2 = 49 ≡ 11 (mod 19)
7^4 ≡ 121 ≡ 7 (mod 19)
7^8 ≡ 49 ≡ 11 (mod 19)
7^16 ≡ 121 ≡ 7 (mod 19)
a^(n-1) = 7^18 = 7^16 × 7^2 ≡ 7 × 11 ≡ 1 (mod 19)

4.2.1 Fermat’s test
4.6
If n is prime, gcd(a, n) = 1 for every a, so finding an a with a^(n-1) ≠ 1 proves that n is not prime.
4.7
4.8 Example. (pseudoprime) The composite integer n = 341 (= 11 × 31) is a pseudoprime to the base 2 since 2^340 ≡ 1 (mod 341).

4.2.1 Fermat’s test
4.9
Choose an arbitrary integer a. Compute the (n-1)-th power of the chosen a. If it is not 1, return “composite”.
If this algorithm declares “composite”, then n is certainly composite. On the other hand, if the algorithm declares “prime” then no proof is provided that n is indeed prime; n is only probably prime. Nonetheless, since pseudoprimes for a given base a are known to be rare, Fermat’s test provides a correct answer on most inputs.

4.2.1 Fermat’s test
4.10 Definition. A Carmichael number n is a composite integer such that for all integers a which satisfy gcd(a, n) = 1.
For a Carmichael number n, only one Fermat witness exists. This flaw of the Fermat test (judging a Carmichael number, which is not prime, to be prime) is remedied in the Solovay-Strassen and Miller-Rabin probabilistic primality tests.

4.2.1 Fermat’s test
4.11 Fact. (necessary and sufficient conditions for Carmichael numbers) A composite integer n is a Carmichael number if and only if the following two conditions are satisfied:
(i) n is square-free, i.e., n is not divisible by the square of any prime; and
(ii) p – 1 divides n – 1 for every prime divisor p of n.
4.12 Fact. Every Carmichael number is the product of at least three distinct primes.
4.13 Fact. (bounds for the number of Carmichael numbers)
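
Facts 4.11 and 4.12 can be checked by computation. The following Python is an added example, not part of the original slides: it tests the two conditions of Fact 4.11 on a factorization and compares the result with a brute-force check of Definition 4.10. All function names are assumptions made for this illustration, and the trial-division factoring is only suitable for small n.

```python
from math import gcd

def prime_factors(n):
    """Trial-division factorization as {prime: exponent}; adequate for small n."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def is_composite(n):
    return n > 3 and prime_factors(n) != {n: 1}

def is_carmichael_korselt(n):
    """Fact 4.11: composite, square-free, and (p - 1) | (n - 1) for every prime p | n."""
    if not is_composite(n):
        return False
    f = prime_factors(n)
    square_free = all(e == 1 for e in f.values())
    return square_free and all((n - 1) % (p - 1) == 0 for p in f)

def is_carmichael_by_definition(n):
    """Definition 4.10: composite n with a^(n-1) = 1 (mod n) whenever gcd(a, n) = 1."""
    return is_composite(n) and all(
        pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1)

def carmichael_below(limit, test=is_carmichael_korselt):
    """All n in [2, limit) accepted by the given Carmichael test."""
    return [n for n in range(2, limit) if test(n)]

if __name__ == "__main__":
    # Each number found has at least three distinct prime factors (Fact 4.12).
    for n in carmichael_below(2000):
        print(n, sorted(prime_factors(n)))
```

The pseudoprime 341 from Example 4.8 fails condition (ii) because 31 - 1 does not divide 340, so it is a pseudoprime to base 2 without being a Carmichael number.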

4.2.2 Solovay-Strassen test
The first test popularized by the advent of public-key cryptography. There is no longer any reason to use this test, because an alternative is available (the Miller-Rabin test) which is both more efficient and always at least as correct.
The Solovay-Strassen test is based on the following fact.
(a^{(n-1)/2} is a square root of a^(n-1); that is, since a^(n-1) = 1, it is ±1.)
4.14 Fact. (Euler’s criterion) Let n be an odd prime. Then for all integers a which satisfy gcd(a, n) = 1.
4.15
4.16 Example (Euler pseudoprime) The composite integer 91 (= 7 × 13) is an Euler pseudoprime to the base 9 since
(Here p is also prime.)

4.2.2 Solovay-Strassen test
4.17 Fact. Let n be an odd composite integer. Then at most of all the numbers a, 1 ≤ a ≤ n-1, are Euler liars for n. Here, is the Euler phi function.
4.18
Compute r. If r is neither 1 nor n-1, return “composite”. Compute s.

4.2.2 Solovay-Strassen test
4.19 Fact. (Solovay-Strassen error-probability bound) Let n be an odd composite integer. The probability that SOLOVAY-STRASSEN(n, t) declares n to be “prime” is less than
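
The Solovay-Strassen steps sketched above can be written out in Python. This is an added example, not part of the original slides: it uses the standard form of Euler's criterion, a^((n-1)/2) ≡ (a/n) (mod n), with the Jacobi symbol (a/n), and enumerates the Euler and Fermat liars of the slide's example n = 91. The function names and the default t = 40 are assumptions.

```python
import secrets

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def passes_euler(n, a):
    """True when a^((n-1)/2) = (a/n) (mod n) and gcd(a, n) = 1."""
    j = jacobi(a, n)
    return j != 0 and pow(a, (n - 1) // 2, n) == j % n

def solovay_strassen(n, t=40):
    """t rounds with random bases in [2, n-2]; False means n is certainly composite."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    return all(passes_euler(n, 2 + secrets.randbelow(n - 3)) for _ in range(t))

def euler_liars(n):
    """Bases in [1, n-1] that pass the Euler test for n."""
    return {a for a in range(1, n) if passes_euler(n, a)}

def fermat_liars(n):
    """Bases in [1, n-1] that pass Fermat's test for n."""
    return {a for a in range(1, n) if pow(a, n - 1, n) == 1}
```

For n = 91 the Euler liars are a proper subset of the Fermat liars, and base 9 from Example 4.16 is in both sets.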

4.2.3 Miller-Rabin test
The probabilistic primality test used most in practice, based on the following fact:
* Since n is odd, n-1 is always even.
4.20 Fact. An even number can be written as 2^s r (r is an odd number).
* Because the square root of 2 to the power s is 2 to the power s-1.
4.21.

4.2.3 Miller-Rabin test
4.24
Range: see p. 20. Compute a^r. Check whether a^r is 1 or -1. =>> compute

4.2.3 Miller-Rabin test
The probabilistic primality test used most in practice, based on the following fact:

4.2.3 Miller-Rabin test (Computer Security lecture notes)
Note that we have excluded a = 1 and a = n-1 (when a = 1 or n-1, a^2 mod n = 1 regardless of whether n is prime or composite).
Squaring relation: each number is the square root of the following number.
Since n – 1 = 2^k m, the last number is the square root of a^(n-1) mod n.

4.2.3 Miller-Rabin test (Computer Security lecture notes)

4.2.3 Miller-Rabin test (Computer Security lecture notes)
Ex 1) Test 121 for primality using the Miller-Rabin algorithm and base a = 10.
We have n = 121, n-1 = 120, 120 = 15 × 2^3, m = 15, k = 3.
Now, 10^15 mod 121 = 43, 10^(15×2) mod 121 = 34, 10^(15×4) mod 121 = 67.
Thus, 121 is composite.
Ex 2) Test 97 for primality using the Miller-Rabin algorithm and base a = 10.
We have n = 97, n-1 = 96, 96 = 3 × 2^5, m = 3, k = 5.
Now, 10^3 mod 97 = 30; 10^(3×2) mod 97 = 27; 10^(3×4) mod 97 = 50; 10^(3×8) mod 97 = 75; 10^(3×16) mod 97 = 96 = n-1.
Thus, 97 is a prime number with high probability.
Reference: Cryptography and Network Security by Gupta

4.2.4 Comparison: Fermat, Solovay-Strassen, and Miller-Rabin
4.30 Fact. Let n be an odd composite integer.
(i) If a is an Euler liar for n, then it is also a Fermat liar for n.
(ii) If a is a strong liar for n, then it is also an Euler liar for n.
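
The Miller-Rabin worked examples (n = 121 and n = 97 with base 10) and the generate-and-test loop of section 4.1.1 can be reproduced in Python. This is an added example, not part of the original slides: it writes n - 1 = 2^s r as in Fact 4.20 (the lecture-note slides call the same values k and m), and the function names, the default t = 40 and the use of the `secrets` module are assumptions.

```python
import secrets

def split(n):
    """Write n - 1 = 2^s * r with r odd; return (s, r)."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    return s, r

def mr_sequence(n, a):
    """a^r, a^(2r), ..., a^(2^(s-1) r) mod n; each term is the square of the previous."""
    s, r = split(n)
    seq = [pow(a, r, n)]
    for _ in range(s - 1):
        seq.append(seq[-1] * seq[-1] % n)
    return seq

def is_strong_probable_prime(n, a):
    """True unless base a is a strong witness to the compositeness of odd n."""
    seq = mr_sequence(n, a)
    return seq[0] == 1 or (n - 1) in seq

def is_fermat_probable_prime(n, a):
    """Fermat's test for one base: a^(n-1) = 1 (mod n)."""
    return pow(a, n - 1, n) == 1

def miller_rabin(n, t=40):
    """t rounds with random bases in [2, n-2]; False means n is certainly composite."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    return all(is_strong_probable_prime(n, 2 + secrets.randbelow(n - 3))
               for _ in range(t))

def random_probable_prime(bits):
    """Steps 1-3 of section 4.1.1: random odd candidate, test, repeat."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if miller_rabin(n):
            return n

if __name__ == "__main__":
    print(mr_sequence(121, 10), is_strong_probable_prime(121, 10))
    print(mr_sequence(97, 10), is_strong_probable_prime(97, 10))
    print(is_fermat_probable_prime(341, 2), is_strong_probable_prime(341, 2))
    print(random_probable_prime(256))
```

Base 2 is a Fermat liar for the pseudoprime 341 of Example 4.8 but a strong witness for it, which shows that the inclusion in Fact 4.30 is strict for this n.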

4.3 (True) Primality tests
Methods by which positive integers can be proven to be prime, often referred to as primality proving algorithms. They are generally more computationally intensive than the probabilistic primality tests. Consequently, before applying one of these tests to a candidate prime n, the candidate should be subjected to a probabilistic primality test such as Miller-Rabin.
4.34 Definition. An integer n which is determined to be prime on the basis of a primality proving algorithm is called a provable prime.

4.3.1 Testing Mersenne numbers
Mersenne number
Necessary and sufficient condition: condition (i), condition (ii)

4.3.2 Primality testing using the factorization of n-1

4.3.2 Primality testing using the factorization of n-1
4.40
4.41

4.3.3 Jacobi sum test
Another true primality test. The basic idea is to test a set of congruences which are analogues of Fermat’s theorem (Fact 2.127(i)) in certain cyclotomic rings. The running time of the Jacobi sum test for determining the primality of an integer n is bit operations for some constant c.
Drawback: it does not produce a “certificate” which would enable the answer to be verified in much shorter time than running the algorithm itself.

4.3.4 Tests using elliptic curves