Announcements:Announcements:1.1. Pass in Homework 5 now.Pass in Homework 5 now.2.2. Term project groups and topics due by FridayTerm project groups and topics due by Friday

1.1. Can use discussion forum to find teammatesCan use discussion forum to find teammates

3.3. HW6 postedHW6 posted

Questions? Questions?

This week:This week: Primality testing, factoringPrimality testing, factoring Discrete LogsDiscrete Logs

DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 22Day 22

The Square Root Compositeness Theorem gives a The Square Root Compositeness Theorem gives a way to factor certain composite numbersway to factor certain composite numbers

Given integers n, x, and y:Given integers n, x, and y:

Then n is composite, and gcd(x-y, n) is a Then n is composite, and gcd(x-y, n) is a non-trivial factornon-trivial factor

)(mod),(mod22 nyxbutnyxIf

1

The Miller-Rabin Compositeness Test just reorders The Miller-Rabin Compositeness Test just reorders the Fermat test’s powermod to catch pseudoprimesthe Fermat test’s powermod to catch pseudoprimes

Observe: n is odd and n>1 Observe: n is odd and n>1 Trick: write n-1=2Trick: write n-1=2kkm, where k >=1m, where k >=1

b0

)(mod12...21 naa mn

?

)(mod11 nan ?

We’ll compute powers from inside out, checking if the We’ll compute powers from inside out, checking if the result is +1 or -1 at each stepresult is +1 or -1 at each step

It uses the Square Root Compositeness Theorem to It uses the Square Root Compositeness Theorem to catch most pseudoprimescatch most pseudoprimes

Given odd n>1, write n-1=2Given odd n>1, write n-1=2kkm, where k >=1. m, where k >=1.

Choose a base a randomly (or just pick a=2)Choose a base a randomly (or just pick a=2)

Let bLet b00=a=amm(mod n)(mod n)If bIf b00=+/-1, stop. n is probably prime by =+/-1, stop. n is probably prime by

FermatFermatFor i = 1..k-1For i = 1..k-1

Compute Compute bbii=b=bi-1i-122..

If bIf bii=1(mod n), stop. n is composite by =1(mod n), stop. n is composite by SRCT, and gcd(bSRCT, and gcd(bi-1i-1-1,n) is a factor.-1,n) is a factor.If bIf bii=-1(mod n), stop. n is probably =-1(mod n), stop. n is probably prime by Fermat.prime by Fermat.

If bIf bkk=1 (mod n), stop. n is composite by =1 (mod n), stop. n is composite by SRCTSRCT

Else n is composite by Fermat.Else n is composite by Fermat.

k

b0

b1

bk

2...21

mn aa

b0

2

Examples of Miller-RabinExamples of Miller-RabinGiven odd n>1, write n-1=2Given odd n>1, write n-1=2kkm, where k >=1. m, where k >=1.

Choose a base a randomly (or just pick a=2)Choose a base a randomly (or just pick a=2)

Let bLet b00=a=amm(mod n)(mod n)If bIf b00=+/-1, stop. n is probably prime by =+/-1, stop. n is probably prime by

FermatFermatFor i = 1..k-1For i = 1..k-1

Compute Compute bbii=b=bi-1i-122..

If bIf bii=1(mod n), stop. n is composite by =1(mod n), stop. n is composite by SRCT, andSRCT, and

gcd(bgcd(bi-1i-1-1,n) is a factor.-1,n) is a factor.If bIf bii=-1(mod n), stop. n is probably =-1(mod n), stop. n is probably prime by Fermat.prime by Fermat.

If bIf bkk=1 (mod n), stop. n is composite by =1 (mod n), stop. n is composite by SRCTSRCT

Else n is composite by Fermat.Else n is composite by Fermat.

1. n=189

2. n=561 (recall Fermat says prob prime)

3. Complete the table on your quiz

3-4

1)(mod2?

1 nn

Even?

div by other small primes?

Prime by Factoring/advanced techn.?

n

no

no

yes

yes

prime

)(mod12?

1 nn

Fermat’s contrapositive is OK, Fermat’s contrapositive is OK, but Miller-Rabin is better!but Miller-Rabin is better!

Finding large probable primesFinding large probable primes

#primes < x = #primes < x =

Density of primes: ~1/ln(x)Density of primes: ~1/ln(x)

For 100-digit numbers, ~1/230.For 100-digit numbers, ~1/230.

So ~1/115 of odd 100-digit numbers So ~1/115 of odd 100-digit numbers are primeare prime

Can start with a random large odd Can start with a random large odd number and iterate, applying M-R number and iterate, applying M-R to remove composites. We’ll soon to remove composites. We’ll soon find one that is a likely prime.find one that is a likely prime.Can repeat with different bases to Can repeat with different bases to improve probability that it’s prime.improve probability that it’s prime.

Maple’s Maple’s nextprime()nextprime() appears to do appears to do this, but also runs the this, but also runs the Lucas testLucas test: : http://www.mathpages.com/home/kmath473.htm

Even?

div by other small primes?

Prime by Factoring/advanced techn.?

n

no

no

yes

yes

prime

Pass M-R?

)ln()(

x

xx

Fermat’s contrapositive is OK, Fermat’s contrapositive is OK, but Miller-Rabin is better!but Miller-Rabin is better!

FactoringFactoring

If you are trying to factor n=pq and know If you are trying to factor n=pq and know that p and q are close, use that p and q are close, use Fermat Fermat factoringfactoring:: Compute n + 1Compute n + 122, n + 2, n + 222, n + 3, n + 322, until you reach , until you reach

a perfect square, say ra perfect square, say r22 = n + k = n + k22

Then n = rThen n = r22 - k - k22 = (r+k)(r-k) = (r+k)(r-k)

Example: factor 2405597Example: factor 2405597

The moral of the story? The moral of the story? Choose p and q such that _____Choose p and q such that _____

(p-1) Algorithm(p-1) Algorithm

Useful if p|n and (p-1) has only small Useful if p|n and (p-1) has only small factorsfactorsChoose any a>1 (like a=2) and bound BChoose any a>1 (like a=2) and bound BCompute b=aCompute b=aB!B!(mod n) (How?)(mod n) (How?)Then compute d=gcd(b-1, n)Then compute d=gcd(b-1, n) If 1<d<n, then d is a non-trivial factorIf 1<d<n, then d is a non-trivial factor

Matlab example: n=5183. We’ll use a=2, B=6.Matlab example: n=5183. We’ll use a=2, B=6.

Why does it work?Why does it work?

Moral of this story?Moral of this story?

To get a 100-digit number n=pq resistant To get a 100-digit number n=pq resistant to this attack:to this attack: Make sure (p-1) has at least 1 large prime Make sure (p-1) has at least 1 large prime

factor: factor: Pick Pick pp00 = nextprime(10 = nextprime(104040)) Choose k~10Choose k~106060 such that such that p=(kpp=(kp00+1)+1)is primeis prime

How to test?How to test? Repeat for q. Repeat for q.

ExampleExample

Factor Factor nn = 3837523 = 3837523

Concepts we will learn also apply to factoring Concepts we will learn also apply to factoring really big numbers. They are the basis of the really big numbers. They are the basis of the best current methodsbest current methods

All you had to do to win $30,000 was factor a All you had to do to win $30,000 was factor a 212 digit number.212 digit number.

This is the RSA Challenge: This is the RSA Challenge: http://www.rsa.com/rsalabs/node.asp?id=2093#RSA704