Fermat's Little Theorem & Primality Tests: Fermat, Euler, & Rabin-Miller Tests, Study notes of Cryptography and System Security

Fermat's little theorem and its applications to primality testing through the fermat test, euler test, and rabin-miller test. The conditions for composite and prime numbers based on fermat's theorem, counterexamples, and the limitations and improvements of each test.

Typology: Study notes

Pre 2010

Uploaded on 07/23/2009

koofers-user-kb4
koofers-user-kb4 🇺🇸

10 documents

1 / 6

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
The Rabin-Miller Primality Test
Fermat Pseudoprimes; The Fermat Primality Test
Fermat’s Little Theorem allows us to prove that a number is composite
without actually factoring it.
Fermat’s Little Theorem (alternate statement): If an
1
/ 1 (mod n)
for some a with a
/ 0 (mod n), then n is composite.
This statement is absolute: There are no exceptions.
Unfortunately, the inverse statement is not always true.
Inverse to Fermat’s Little Theorem (not always true): If an
1 1
(mod n) for some a with a
/ 0 (mod n), then n is prime.
Some counterexamples:
2
340 1 (mod 341), but 341 = 11 31 is composite, and
5
560 1 (mod 561), but 561 = 31117 is composite.
We say that 341 is a Fermat pseudoprime (to the base 2), and
561 is a Fermat pseudoprime to the base 5.
It is even possible for an
1 1 (mod n) to hold for every a with
gcd(a,n) = 1, and still have n be composite.
This occurs if n is a Carmichael number (also called an absolute
Fermat pseudoprime). A Carmichael number is a Fermat
pseudoprime to any base a with gcd(a,n) = 1.
Carmichael numbers are fairly rare: There are only seven less than
10000:
561, 1105, 1729, 2465, 2821, 6601, 8911
In fact, there are only 585,355 Carmichael numbers less than 1017.
Given a randomly chosen odd integer n less than 1017, the
probability that n is a Carmichael number is only a little over
1011 (about one in one hundred billion).
For a randomly chosen odd integer n with 100 to 300 digits, the
probability that n is a Carmichael number appears to be exceedingly
low (for practical purpose, zero).
If n is composite and not a Carmichael number, then there are at most
ϕ(n)/2 values of a (1 a < n) for which an
1 1 (mod n).
Let n be any odd integer, other than a Carmichael number.
Say we choose 50 random integers a and compute that each
satisfies an
1 1 (mod n).
The probability that this would occur if n is composite is at most
250 1015.
So we can say with reasonable certainty that n is prime.
If n is composite and not a Carmichael number, then it is actually
possible to have ϕ(n)/2 values for which an
1 1 (mod n).
For example, take n = 91 = 713. ϕ(n) = 612 = 72.
There are 36 values of a with a72 1 (mod 91), namely a = 1, 3,
4, 9, 10, 12, 16, 17, 22, 23, 25, 27, 29, 30, 36, 38, 40, 43, 48, 51,
53, 55, 61, 62, 64, 66, 68, 69, 74, 75, 79, 81, 82, 87, 88, 90.
pf3
pf4
pf5

Partial preview of the text

Download Fermat's Little Theorem & Primality Tests: Fermat, Euler, & Rabin-Miller Tests and more Study notes Cryptography and System Security in PDF only on Docsity!

The Rabin-Miller Primality Test

Fermat’s Little Theorem (alternate statement): without actually factoring it. Fermat’s Little Theorem allows us to prove that a number is composite Fermat Pseudoprimes; The Fermat Primality Test

If

a (^) n − 1 / 1 (mod≡

n )

for some

a with

a

/ 0 (mod≡

n ), then

n is composite.

Inverse to Fermat’s Little Theorem ( Unfortunately, the inverse statement is not always true.This statement is absolute: There are no exceptions.

not always true

If

a (^) n − 1 ≡ (^1)

(mod

n ) for some

a with

a

/ 0 (mod≡

n ), then

n is prime.

Some counterexamples:

340

1 (mod 341), but 341 = 11

31 is composite, and

560

1 (mod 561), but 561 = 3

(^) 17 is composite.

561 is a Fermat pseudoprime to the base 5.We say that 341 is a Fermat pseudoprime (to the base 2), and

It is even possible for

a (^) n − 1 ≡ (^) 1 (mod

n ) to hold for

every

a with

gcd(

a , (^) n ) = 1, and still have

n be composite.

This occurs if

n is a Carmichael number (also called an absolute

pseudoprime to any baseFermat pseudoprime). A Carmichael number is a Fermat

a

with gcd(

a , (^) n ) = 1.

10000:Carmichael numbers are fairly rare: There are only seven less than

In fact, there are only 585,355 Carmichael numbers less than 10

17 .

Given a randomly chosen odd integer

n less than 10

17 , the

probability that

n is a Carmichael number is only a little over

− 11

(about one in one hundred billion).

For a randomly chosen odd integer

(^) n

with 100 to 300 digits, the

probability that

n is a Carmichael number appears to be exceedingly

low (for practical purpose, zero).

If

n is composite and not a Carmichael number, then there are at most

ϕ ( n )

/^

(^) 2 values of

a (

a <

n ) for which

a (^) n − 1 ≡ (^) 1 (mod

n ).

Let

n be any odd integer, other than a Carmichael number.

Say we choose 50 random integers

a and compute that each

satisfies

a (^) n − 1 ≡

1 (mod

n ).

The probability that this would occur if

n is composite is at most

− 50

≈ 10

− 15 .

So we can say with reasonable certainty that

n is prime.

If

n is composite and not a Carmichael number, then it is actually

possible to have

ϕ ( n )

/^

(^) 2 values for which

a (^) n − 1 ≡ (^) 1 (mod

n ).

For example, take

n = 91 = 7

ϕ ( n ) = 6

There are 36 values of

a with

a 72

≡ (^) 1 (mod 91), namely

a = 1, 3,

But this is unusual.

For nearly all odd composite integers

n (other than Carmichael

numbers),

a (^) n − 1 ≡ 1 (mod

n ) for far fewer than

(^) ϕ

( n )

/^

(^) 2 values of

a.

  1. For example, let us look at odd composite integers starting with

n

ϕ (n)

No of

a with

a n1 ≡^ 1 (mod

n )

This means that far fewer than the 50 random values of

a ,

integer (not a Carmichael number) is prime, with near certainty.mentioned earlier, are typically sufficient to show that an odd

For a randomly chosen odd integer

n with 100 to 300 digits, it appears

that if

a (^) n − 1 ≡ 1 (mod n) for even a single randomly chosen

a , then

(^) n

is

Fermat Test for Primality: prime with probability very close to 1.

To test whether n is prime or composite,

choose

a at random and compute

(^) a (^) n − 1 (mod

n ).

i)

If

a (^) n − 1 ≡

1 (mod

n ), declare

n a probable prime, and

optionally repeat the test a few more times.

ii)

If

a (^) n − 1 ≡^ / 1 (mod

n ), declare

n composite, and stop.

numbers.We have seen that the Fermat test is really quite good for large

One limitation:

If someone is supposed to provide us with a prime

In any case, we can improve upon the Fermat test at almost no cost.the deception with the Fermat test.number, and sends a Carmichael number instead, we cannot detect

If Euler Pseudoprimes; The Euler Test

n is an odd prime, we know that an integer can have at most two

square roots, mod

n

. In particular, the only square roots of 1 (mod

n )

are

numbers).(by analogy with the absolute Fermat pseudoprimes, i.e., CarmichaelThe integers 1729 and 2465 are called absolute Euler pseudoprimes

These are composite odd integers such that

a ( (^) n − 1)/

1 (mod

n )

for every

a with

gcd

a , (^) n ) = 1.

(unless we happen to choose anThese number cannot be proven composite with the Euler test

a with

gcd

a , (^) n ) > 1, which is

exceedingly unlikely if

n is a large integer lacking small prime

factors.

the fact, if 1 has a square root other than The Euler test improves upon the Fermat test by taking advantage of The Rabin-Miller Primality Test do exist.Carmichael numbers, but unfortunately absolute Euler pseudoprimesThere are fewer absolute Euler pseudoprimes than there are

1 (mod

n)

, then

n must be

composite.

If

a ( n − 1)/

1 (mod

n ), where

gcd

a (^) , n ) = 1, then

n must be

composite for one of two reasons:

i) If

a (^) n − 1 ≡^ / 1 (mod

n ), then

n must be composite by Fermat’s

Little Theorem

ii) If

a (^) n − 1 ≡ 1 (mod

n ), then

n must be composite because

a ( (^) n − 1)/

is a square root of 1 (mod

n ) different from

effort to find square roots of 1, different fromThe limitation of the Euler test is that is does not go to any special

  1. The Rabin-Miller

test does do this.

because 2For example, recall the Euler Test declares 341 a probable prime

170

1 (mod 341).

But if we compute 2

85

(mod 341), we find 2

85

32 (mod 341).

Thus 32 is a square root of 2

2 ⋅ 85

≡ 2 170

1 (mod 341), different

from

1, so we would find that 341 is composite.

In the Rabin-Miller test, we write

n − 1 = 2

sm , with

m

odd and

s

We then start by compute

a (^) m (mod^

n ) using fast exponentiation.

If

a m

± 1 (mod

(^) n ), we declare n a probable prime, and stop.

Why? We know that a

(^) n − 1 ≡ ( a m ) 2 s1 (mod n), and we will not

find a square root of 1, other than

1, in repeated squaring of a

m

to get a

(^) n − 1 .

Otherwise, unless

s = 1, we square

a m (mod

n ) to obtain

a 2 m .

If

a 2 m

1 (mod

n ), we declare

n composite, and stop.

Why? a

m is a square root of a

2m

1 (mod n), different from

If

a 2 m

− 1 (mod

n ), we declare

n a probable prime, and stop.

Why? Just as above, we know that a

(^) n − 1 ≡ 1 (mod n), and we

will not find a square root of 1, other than

1.

Otherwise, unless

s

= 2, we square

a 2 m

(mod

n ) to obtain

a 2 2 m .

If

a 2 2 m

1 (mod

n ), we declare

n composite, and stop.

from Why? We have found a square root of 1 (mod n), different

1, just as above

If

a 2 m ≡ − 1 (mod

n ), we declare

n a probable prime, and stop.

Why? Just above, we know that a

(^) n − 1 ≡ 1 (mod n), and we will

not find a square root of 1, other than

1.

test, or (b) we have computed Otherwise we continue in this manner until either (a) we stop the

a 2 s − 1 m , and stopped if

a 2 s − 1 m

a ( (^) n − 1)/

1 (mod

n ).

If we haven’t stopped by this point, we declare

n composite and

stop.

Why? Exactly as with the Euler test.

pseudoprime 1729, using Let us carry out the Rabin-Miller test on the absolute Euler

a = 671.

6 ⋅

So

s = 6,

m

= 27.

27

1084

(mod 1729)

27 ⋅ 2 ≡ 1084

2 ≡

1065

(mod 1729)

27 ⋅ 2 2 ≡

1065

2 ≡

1

(mod 1729)

The test declares

n composite, and terminates.

Next we test a much larger integer,

n = 972133929835994161 (also a

Carmichael number), using

a = 2.

n − 1 = 2

4 ⋅^ (^) 60758370614749635.

60758370614749635

(mod

n )

2 (^) ⋅ (^60758370614749635)

2

(mod

n )

(mod

n )

2 2 ⋅^ (^60758370614749635)

2

(mod

n )

(mod

n )

2 3 ⋅^ (^60758370614749635)

2

(mod

n )

(mod

n )

The test declares

n composite, and terminates.

number,Next we test an integer that is composite, but not a Carmichael

n = 2857191047211793, using

a = 1003.

n

1 = 2

4 ⋅^ (^) 178574440450737.

178574440450737

(mod

n )

2 ⋅ 178574440450737

2

(mod

n )

(mod

n )

2 2 ⋅ 178574440450737

≡^

2

(mod

n )

(mod

n )

2 3 ⋅ 178574440450737

≡^

2

(mod

n )

(mod

n )

The test declares

n

composite, and terminates.