ECEN 5022 Cryptography - University of Colorado Boulder
ecee.colorado.edu/~mathys/ecen5022/slides/eaant90.pdf

Transcript

Page 1

Outline: Primes; Groups, Rings, Fields; Ring of Integers Modulo n

ECEN 5022 Cryptography: Elementary Algebra and Number Theory

Peter Mathys

University of Colorado

Spring 2008

Peter Mathys ECEN 5022 Cryptography

Page 2

Divisibility, Primes

- Definition. N denotes the set {1, 2, 3, . . .} of natural numbers and Z denotes the set of integers {. . . , −2, −1, 0, 1, 2, . . .}. R denotes the real numbers and C denotes the complex numbers.

- Definition. The integer n is divisible by the integer d, denoted by d | n, if a · d = n for some integer a.

- Definition. A positive integer p, p > 1, is called a prime if it is divisible only by ±p and ±1. Any integer greater than 1 which is not prime is called composite.

- Theorem. (Euclid, 300 B.C.) There are infinitely many primes.

- Proof. Assume that the set of primes is finite, e.g., {p1, p2, . . . , pn}. Then the integer N = 1 + p1 p2 · · · pn is not divisible by any of the primes p1, . . . , pn, so every prime factor of N lies outside the list, a contradiction.

Page 3

Prime Numbers

- Between any two primes there can be arbitrarily large gaps. For instance, the sequence n! + 2, n! + 3, . . . , n! + n contains n − 1 consecutive composite numbers.

- Definition. The prime counting function π(x) is defined by

  π(x) = |{p prime | p ≤ x}| ,

  i.e., π(x) is equal to the number of primes less than or equal to x.

- Example: π(50) = 15 since

  2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47

  are all primes p ≤ 50.

- Prime Number Theorem. (Hadamard, de la Vallée Poussin, 1896) π(x) satisfies

  $$\lim_{x\to\infty} \frac{\pi(x)\,\ln x}{x} = 1 \;\Longrightarrow\; \pi(x) \approx \frac{x}{\ln x}.$$

Page 4

Example

- Using π(x) ≈ x/ln x, the number of primes with n decimal digits is

  $$\pi(10^n) - \pi(10^{n-1}) \approx \frac{9n-1}{n(n-1)}\, 10^{n-1} \log_{10} e \approx \frac{10^n}{3n}.$$

- Approximate numerical values are

    n (digits)   bits   π(10^n) − π(10^(n−1))
    38           128    ≈ 3.5 × 10^36
    77           256    ≈ 5.9 × 10^74
    100          332    ≈ 3.9 × 10^97
    154          512    ≈ 3.4 × 10^151
    308          1024   ≈ 1.9 × 10^305
    617          2048   ≈ 1.7 × 10^613

- As can be seen, there is no shortage of primes with n digits.

Page 5

Greatest Common Divisor

- Definition: The greatest common divisor of two integers n1 and n2, denoted gcd(n1, n2), is the largest positive integer that divides both n1 and n2.

- Definition: If gcd(n1, n2) = 1, then n1 and n2 are said to be relatively prime.

- Example: Fermat’s (little) theorem states that for p prime

  p | (a^(p−1) − 1) , if gcd(a, p) = 1 ,

  e.g., 5 divides 3^4 − 1 = 80, or 7 divides 2^6 − 1 = 63.

- Definition: The least common multiple of two integers n1 and n2, denoted lcm(n1, n2), is the smallest positive integer divisible by both n1 and n2.

Page 6

Division Algorithm

- Theorem: Division Algorithm. Given a pair of integers, c and d ≠ 0, there is a unique pair of integers q and r, called quotient and remainder, such that

  c = q · d + r , 0 ≤ r < |d| .

- Proof: Assume that there are two solutions, i.e., c = q1 · d + r1 = q2 · d + r2, with 0 ≤ r1 < |d| and 0 ≤ r2 < |d|. Thus, (q1 − q2) · d = r2 − r1 and −|d| < r2 − r1 < |d|. But since r2 − r1 must be a multiple of d, this implies that r2 − r1 = 0. Since d ≠ 0, this also implies that q1 − q2 = 0 and thus q and r are unique. QED

Page 7

Remainders

- Definition: The notation

  r = R_d(c) ,

  means that r is the remainder of c when divided by d.

- Note: Another notation that is often used in connection with remainders is

  r ≡ c (mod d) .

  This means that “r is congruent to c modulo d”. In this case 0 ≤ r < |d| is not guaranteed and thus r is not unique. For example, 9 ≡ 16 (mod 7) as well as 2 ≡ 16 (mod 7).

- Theorem: Computations with remainders satisfy

  (i) R_d(a + b) = R_d(R_d(a) + R_d(b)).

  (ii) R_d(a · b) = R_d(R_d(a) · R_d(b)).

- Proof: Left as an exercise.

Page 8

Euclid’s Algorithm

- Euclid’s Algorithm. The greatest common divisor, gcd(n1, n2), of two integers n1, n2, n2 ≠ 0, is computed by repeated application of the division algorithm as follows:

    n1 = q2 n2 + n3
    n2 = q3 n3 + n4
    ...                                  0 ≤ n_(i+1) < |n_i|
    n_(m−2) = q_(m−1) n_(m−1) + n_m
    n_(m−1) = q_m n_m + 0 .

  The process stops when a zero remainder is obtained. The last nonzero remainder is the desired result, i.e., gcd(n1, n2) = n_m.

- Proof: Sketch. Use the fact that gcd(n1, n2) = gcd(n1 + k n2, n2), for any integer k.

Page 9

Euclid’s Extended Algorithm

- Corollary: For any integers n1 and n2 ≠ 0 there exist integers a and b such that

  gcd(n1, n2) = a n1 + b n2 .

  That is, gcd(n1, n2) can be expressed as a linear combination of n1 and n2.

- Proof: Use Euclid’s algorithm, starting with the last equation and working backwards to the first equation, to compute

    gcd(n1, n2) = n_m = n_(m−2) − q_(m−1) n_(m−1)
    n_(m−1) = n_(m−3) − q_(m−2) n_(m−2)
    ...
    n3 = n1 − q2 n2 .

  Then successively eliminate all the intermediate remainders n_(m−1), n_(m−2), . . . , n3, to obtain gcd(n1, n2) as a linear combination of n1 and n2 with integer coefficients. QED

Page 10

Euclid's Algorithm for gcd (flowchart)

START. Input n1, n2.

Initialize: i ← 2; a1 ← 1, b1 ← 0; a2 ← 0, b2 ← 1.

Loop:
  q ← ⌊n_(i−1) / n_i⌋
  n_(i+1) ← n_(i−1) − q n_i
  n_(i+1) = 0 ?
    yes: Output n_i, a_i, b_i, where n_i = gcd(n1, n2) = a_i n1 + b_i n2. STOP.
    no:  i ← i + 1
         a_i ← a_(i−2) − q a_(i−1)
         b_i ← b_(i−2) − q b_(i−1)
         and return to the top of the loop.
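The flowchart above, carried out in code as an added Python example (my code, not the slides'): euclid_rows keeps every row (i, n_i, a_i, b_i) so the invariant n_i = a_i n1 + b_i n2 can be checked, euclid_extended returns the flowchart's output, and mod_inverse applies the corollary to obtain x^(−1) mod n. The names are mine, and the inputs are assumed to satisfy n1 ≥ 0, n2 > 0 so that Python's floor division matches the remainder condition 0 ≤ n_(i+1) < |n_i|.

```python
# Added example, not from the slides: Euclid's extended algorithm following the
# flowchart. Every row i carries the invariant n_i = a_i*n1 + b_i*n2, so the last
# nonzero remainder comes out together with its linear-combination coefficients.
# Assumes n1 >= 0 and n2 > 0 (Python's // is floor division, which gives
# 0 <= n_{i+1} < |n_i| only for non-negative operands).


def euclid_rows(n1, n2):
    """Return the rows (i, n_i, a_i, b_i) produced by the flowchart, up to and
    including the first zero remainder."""
    if n1 < 0 or n2 <= 0:
        raise ValueError("expects n1 >= 0 and n2 > 0")
    # Initialization: a1 = 1, b1 = 0 (n1 = 1*n1 + 0*n2); a2 = 0, b2 = 1.
    rows = [(1, n1, 1, 0), (2, n2, 0, 1)]
    while rows[-1][1] != 0:
        (_, n_prev, a_prev, b_prev), (i, n_cur, a_cur, b_cur) = rows[-2], rows[-1]
        q = n_prev // n_cur                      # q = floor(n_{i-1} / n_i)
        rows.append((i + 1,
                     n_prev - q * n_cur,         # n_{i+1} = n_{i-1} - q n_i
                     a_prev - q * a_cur,         # a_{i+1} = a_{i-1} - q a_i
                     b_prev - q * b_cur))        # b_{i+1} = b_{i-1} - q b_i
    return rows


def euclid_extended(n1, n2):
    """Return (g, a, b) with g = gcd(n1, n2) = a*n1 + b*n2, i.e. the flowchart's
    output n_i, a_i, b_i for the last nonzero remainder n_i."""
    _, g, a, b = euclid_rows(n1, n2)[-2]
    return g, a, b


def mod_inverse(x, n):
    """x^-1 mod n via the corollary gcd(x, n) = a*x + b*n: when the gcd is 1,
    a*x = 1 (mod n), so a mod n is the inverse. Raises if x is not a unit."""
    g, a, _ = euclid_extended(x % n, n)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {n}: gcd = {g}")
    return a % n


if __name__ == "__main__":
    for i, n, a, b in euclid_rows(20, 3):
        print(f"i={i}: n_i={n:3d} = {a:3d}*20 + {b:3d}*3")
    print("gcd(20, 3), a, b =", euclid_extended(20, 3))   # (1, -1, 7)
    print("20^-1 mod 3 =", mod_inverse(20, 3))            # 2
```

The three (N_i, n_i) pairs of the Chinese Remainder Theorem example later in these slides make convenient test inputs: gcd(20, 3) = −1 · 20 + 7 · 3, gcd(15, 4) = −1 · 15 + 4 · 4, gcd(12, 5) = −2 · 12 + 5 · 5.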

Page 11

Groups, Rings, Fields

- Over the reals R (or rationals Q or complex numbers C) one can add, subtract, multiply, and divide.

- Over the integers Z one can add, subtract, and multiply.

- Group: Set of mathematical objects for which “addition” and “subtraction” are defined.

- Ring: Set of mathematical objects for which “addition”, “subtraction” and “multiplication” are defined.

- Field: Set of mathematical objects for which “addition”, “subtraction”, “multiplication” and “division” are defined.

- Note: “addition”, “subtraction”, “multiplication” and “division” are not necessarily the usual ‘+’, ‘−’, ‘×’ and ‘÷’.

Page 12

Some Definitions

- Definition: A set S is an arbitrary collection of elements, without any predefined operations between the set elements.

- Definition: The cardinality |S| of a set S is the number of objects in the set. |S| can be finite, countably infinite, or uncountably infinite.

- Examples: The set of tea cups in a kitchen cabinet is a finite set. The set Q of rational numbers is countably infinite. The set R of real numbers is uncountably infinite.

Page 13

Axioms

Let S denote a set of mathematical objects. For any a, b, c ∈ S define the following axioms:

    (A.1) a + b ∈ S                                        Closure wrt +
    (A.2) a + (b + c) = (a + b) + c = a + b + c             Associativity wrt +
    (A.3) a + 0 = 0 + a = a, 0 ∈ S                         Identity element wrt +
    (A.4) a + (−a) = (−a) + a = 0, (−a) ∈ S                Inverse element wrt +
    (A.5) a + b = b + a                                    Commutativity wrt +

    (B.1) a · b ∈ S                                        Closure wrt ·
    (B.2) a · (b · c) = (a · b) · c = a · b · c             Associativity wrt ·
    (B.3) a · 1 = 1 · a = a, 1 ∈ S − {0}                   Identity element wrt ·
    (B.4) a · (a^−1) = (a^−1) · a = 1, a, (a^−1) ∈ S − {0}   Inverse element wrt ·
    (B.5) a · b = b · a                                    Commutativity wrt ·

    (C.1) (a + b) · c = a · c + b · c                      Distributivity

Page 14

Groups, Rings, Fields

- Depending on the subset of axioms that are satisfied the following arithmetic systems are defined:

    Axioms satisfied                                      Name
    (A.1) . . . (A.4)                                     Group
    (A.1) . . . (A.4), (A.5)                              Commutative Group
    (A.1) . . . (A.5), (B.1) . . . (B.3), (C.1)           Ring with Identity
    (A.1) . . . (A.5), (B.1) . . . (B.3), (B.5), (C.1)    Commutative Ring with Identity
    (A.1) . . . (A.5), (B.1) . . . (B.5), (C.1)           Field

- Note: Commutative groups (rings, fields) are also called Abelian groups (rings, fields) in honor of Niels Henrik Abel (1802-1829).

Page 15

Notation, Definitions

- Notation:
  - A group with set of elements G and operation ‘∗’ is denoted by <G, ∗>.
  - A ring with set of elements R and operations ‘+’ and ‘·’ is denoted by <R, +, ·>.
  - A field with set of elements F and operations ‘+’ and ‘·’ is denoted by <F, +, ·>.

- Example: The set of all permutations of n objects forms a (generally non-commutative) group under the operation of concatenation of permutations.

- Example: The set of all binary 2 × 2 matrices forms a non-commutative ring with identity under the operations of binary (i.e., modulo 2) matrix addition and binary matrix multiplication. This ring has 16 elements.

- Example: The set of all polynomials in the indeterminate x with real coefficients forms a commutative ring with identity. This ring has an infinite number of elements.

Page 16

Finite Groups, Rings, Fields

- Definition: If |G| (or |R| or |F|) is finite then <G, ∗> is called a finite group (or <R, +, ·> is called a finite ring, <F, +, ·> is called a finite field).

- Definition: A finite field with q elements is denoted by GF(q), where GF stands for Galois field in honor of Evariste Galois (1811-1832).

- Theorem: Finite Fields.

  (i) If F is a finite field then F contains p^m elements for some prime p and integer m ≥ 1.

  (ii) For every prime power p^m there is a unique (up to isomorphism) finite field of order p^m, called GF(p^m) or F_(p^m).

Page 17

Finite Groups, Rings, Fields

- Example: The integers 0, 1, . . . , 6 form the finite field GF(7) under the operations of addition and multiplication modulo 7. Here are the group operation tables for GF(7):

    +  | 0 1 2 3 4 5 6
    ---+--------------
    0  | 0 1 2 3 4 5 6
    1  | 1 2 3 4 5 6 0
    2  | 2 3 4 5 6 0 1
    3  | 3 4 5 6 0 1 2
    4  | 4 5 6 0 1 2 3
    5  | 5 6 0 1 2 3 4
    6  | 6 0 1 2 3 4 5

    ×  | 0 1 2 3 4 5 6
    ---+--------------
    0  | 0 0 0 0 0 0 0
    1  | 0 1 2 3 4 5 6
    2  | 0 2 4 6 1 3 5
    3  | 0 3 6 2 5 1 4
    4  | 0 4 1 5 2 6 3
    5  | 0 5 3 1 6 4 2
    6  | 0 6 5 4 3 2 1

Page 18

More Definitions

- Definition: The elements in a ring with identity which have an inverse with respect to the second operation are called units.

- Example: The ring which is obtained by adding and multiplying integers modulo 10 has units 1, 3, 7, and 9.

- Definition: Let <G, ∗> be a group and let H be a nonempty subset of G. Then H is called a subgroup of G if <H, ∗> is a group.

- Example: In the group of non-zero integers under the operation of multiplication modulo 7, the set of elements {1, 2, 4} forms a subgroup. Another subgroup is formed by the set of elements {1, 6}.

Page 19

More Definitions

- Definition: Let <R, +, ·> be a ring and let H be a nonempty subset of R. Then H is called a subring of R if <H, +, ·> is a ring.

- Note: In particular, the identity with respect to the first operation must be in H and closure must hold (under all specified operations) for elements in H.

- Definition: Let <E, +, ·> be a field. Then F ⊂ E is called a subfield of E if <F, +, ·> is a field. The field E is called an extension field of F.

- Example: Consider the field of rational numbers Q, the field of real numbers R, and the field of complex numbers C. Then Q ⊂ R ⊂ C, and Q is called a subfield of R and C is called an extension field of R.

Page 20

Isomorphism

- Definition: Isomorphism. Two groups <G, +> and <G′, ∗> are isomorphic if a one-to-one mapping f(·) exists such that

  (i) a′ = f(a) (and thus a = f^−1(a′)) for all a ∈ G and a′ ∈ G′,
  (ii) if a′ = f(a), b′ = f(b), then

  a′ ∗ b′ = f(a + b) (and thus a + b = f^−1(a′ ∗ b′)) ,

  for any a, b ∈ G (or any a′, b′ ∈ G′).

  That is, there has to be a one-to-one correspondence between the elements of the two groups which is preserved under the group operations ‘+’ and ‘∗’.

- Note: Isomorphism for rings and fields is defined analogously. In this case the one-to-one correspondence must be preserved for both operations of the rings/fields.

Page 21

Subgroups

- To obtain a subgroup H of a finite group G, one can proceed as follows. Take any h ∈ G and let H be the set {h, h ∗ h, h ∗ h ∗ h, . . .}, or, using a more concise notation,

  H = {h, h^2, h^3, . . . , h^c = 1} ,

  where c, called the order of H, is the smallest positive integer such that h^c = 1.

- Example: Consider the group G = {1, 2, . . . , 12} of integers under the operation of multiplication modulo 13. Starting from h = 5, the set

  H = {5^1 = 5, 5^2 = 12, 5^3 = 8, 5^4 = 1} ,

  is obtained, which forms a subgroup of G of order 4.

Page 22

Subgroups

- Theorem: If G is a finite group and h ∈ G, then a smallest positive integer c, called the order of the element h, exists such that h^c = 1. Moreover, the first element in the sequence h, h^2, h^3, . . . which is repeated is h itself.

- Proof: The element h is a member of a finite group and thus a repetition must eventually occur in h, h^2, h^3, . . ., that is, there must be two positive integers k, m, m > k, such that h^k = h^m. Since h^−k must be an element of G, one can write

  1 = h^k · h^−k = h^m · h^−k = h^(m−k) ,

  which proves that there is at least one positive integer c such that h^c = 1. But then h^(c+1) = h and, since h, h^2, . . . , h^c must all be distinct (otherwise c is not the smallest positive integer such that h^c = 1), h is the first element which is repeated. QED

Page 23

(Sub)Groups

- Definition: h, h^2, h^3, . . . , h^c = 1 is called a cycle.

- Note: A cycle is a subgroup.

- Definition: A group that consists of all the powers of one of its elements, say, α, is called a cyclic group (i.e., G = {α, α^2, . . . , α^c = 1}). The element α is called a primitive element or a generator of the group.

- Example: Let <G, ·> be the set of integers under multiplication modulo 13. Then, choosing α = 2,

    α^0 = 1    α^4 = 3     α^8 = 9      α^12 = 1
    α^1 = 2    α^5 = 6     α^9 = 5
    α^2 = 4    α^6 = 12    α^10 = 10
    α^3 = 8    α^7 = 11    α^11 = 7

  Thus, <G, ·> is a cyclic group and α = 2 is a primitive element in this group.

Page 24

Generator of a Group

- Definition: Generator of a group. A subset X of a group <G, ∗> is called a generator if every element of G can be expressed in the form x_i ∗ x_j ∗ . . . . If X is a finite set, then G is said to be finitely generated.

- Example: X = {2} is a generator of the group of integers under modulo 13 multiplication.

- Example: X = {2, 11} is a generator of the group of integers {1, 2, 4, 7, 8, 11, 13, 14} under multiplication modulo 15. Note that this group is not cyclic.
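The cycle, element order, primitive element and generator definitions of the last few slides, made concrete as an added Python example (my code, not the slides'): it works in Z*_n under multiplication mod n, regenerates the cycle of 5 and the powers of 2 modulo 13, and shows that Z*_15 is generated by {2, 11} but has no element of order 8, so it is not cyclic. Function names are my own.

```python
# Added example, not from the slides: cycles, element orders, cyclic groups and
# generating sets in Z*_n (integers 1..n-1 relatively prime to n, multiplication mod n).
from math import gcd


def units(n):
    """Elements of Z*_n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def cycle(h, n):
    """The cycle h, h^2, h^3, ..., h^c = 1 (mod n); len(cycle) is the order c of h."""
    if gcd(h, n) != 1:
        raise ValueError(f"{h} is not a unit modulo {n}, so its powers never return to 1")
    out, x = [], h % n
    while True:
        out.append(x)
        if x == 1:
            return out
        x = x * h % n


def order(h, n):
    return len(cycle(h, n))


def primitive_elements(n):
    """Elements whose cycle is all of Z*_n; empty exactly when Z*_n is not cyclic."""
    g = units(n)
    return [h for h in g if order(h, n) == len(g)]


def is_cyclic(n):
    return len(primitive_elements(n)) > 0


def generated(xs, n):
    """Subgroup generated by the set xs: every product x_i * x_j * ... (mod n).
    Closure is reached by repeatedly multiplying new elements by the generators;
    in a finite group this already contains all inverses (they are powers)."""
    if any(gcd(x, n) != 1 for x in xs):
        raise ValueError("generators must be units modulo n")
    sub, frontier = {1}, {1}
    while frontier:
        frontier = {s * x % n for s in frontier for x in xs} - sub
        sub |= frontier
    return sorted(sub)


def lagrange_holds(n):
    """The order of every element divides |Z*_n| (Lagrange's theorem)."""
    g = units(n)
    return all(len(g) % order(h, n) == 0 for h in g)


if __name__ == "__main__":
    print("cycle of 5 mod 13:", cycle(5, 13))            # [5, 12, 8, 1]
    print("powers of 2 mod 13:", cycle(2, 13))
    print("primitive elements mod 13:", primitive_elements(13))
    print("Z*_15 cyclic?", is_cyclic(15), " generated by {2, 11}:", generated([2, 11], 15))
```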

Page 25

Coset Decomposition of a Group

- Definition: Coset Decomposition of a finite group with respect to a subgroup. A finite group <G, ∗> can be decomposed with respect to a subgroup <H, ∗> as follows:

    h1 = 1          h2          h3          . . .   hn
    g2 ∗ h1 = g2    g2 ∗ h2     g2 ∗ h3     . . .   g2 ∗ hn
    g3 ∗ h1 = g3    g3 ∗ h2     g3 ∗ h3     . . .   g3 ∗ hn
      ⋮               ⋮           ⋮          ⋱        ⋮
    gm ∗ h1 = gm    gm ∗ h2     gm ∗ h3     . . .   gm ∗ hn

  The rows of the coset decomposition are called cosets. The first row is the subgroup H. The elements h1, g2, g3, . . . , gm in the first column are called coset leaders.

Page 26

Coset Decomposition of a Group

- In general the construction of the coset decomposition proceeds as follows:

  - Start with the elements of H in the first row (each element occurs exactly once).

  - Then choose an (arbitrary) element of G which has not yet appeared in the table as coset leader and complete the corresponding coset. Repeat this step until all elements of G are used.

  - Note that the array constructed in this way is always rectangular and the construction always stops since G is finite. For non-Abelian groups left coset decompositions with elements g_i ∗ h_j are distinguished from right coset decompositions with elements h_j ∗ g_i.

Page 27

Coset Decomposition of a Group

- Theorem: Every element of G appears exactly once in a coset decomposition of G.

- Proof: omitted.

- Corollary: If H is a subgroup of G, then |H| divides |G|.

- Proof: Follows from the rectangular structure of the coset decomposition. QED

- Theorem: Lagrange. The order of a finite group is divisible by the order of any of its elements.

- Proof: The group contains the cyclic subgroup generated by any element of the group. The above corollary thus proves the theorem. QED
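An added Python example (mine, not the slides') that builds the coset decomposition by the construction described on the previous slide: first row H, then each not-yet-used element as a coset leader, with the rectangular/exactly-once check behind the corollary. It runs on Z*_13 with the subgroup generated by 5 and, to show the left/right distinction the note mentions, on the non-Abelian group of permutations of 3 objects (the permutation group cited on the notation slide); the tuple representation of permutations and all function names are my own.

```python
# Added example, not from the slides: coset decomposition of a finite group G with
# respect to a subgroup H, built exactly as the slides describe, plus the checks
# behind the corollary |H| divides |G|. Permutations are represented as tuples p
# with p[i] = image of i and composed right-to-left (my own representation).
from itertools import permutations
from math import gcd


def coset_decomposition(group, op, H):
    """Rows of the decomposition: the first row is H itself (leader = identity),
    each later row is op(g, h) for all h in H, with g the first element of
    `group` not yet in the table. op(g, h) = g*h gives left cosets, h*g right ones."""
    H = list(H)
    rows, used = [], set()
    for g in group:
        if g in used:
            continue                        # g already appears in an earlier coset
        row = [op(g, h) for h in H]
        rows.append(row)
        used.update(row)
    return rows


def is_valid_decomposition(rows, group):
    """Rectangular, and every element of G appears exactly once."""
    flat = [x for row in rows for x in row]
    rectangular = len({len(row) for row in rows}) == 1
    return rectangular and sorted(flat) == sorted(group) and len(flat) == len(set(flat))


# --- Abelian case: Z*_n with the cyclic subgroup generated by a unit h ----------
def cyclic_subgroup(h, n):
    if gcd(h, n) != 1:
        raise ValueError("h must be a unit modulo n")
    sub, x = [], h % n
    while x not in sub:                     # h, h^2, ..., h^c = 1, then it repeats
        sub.append(x)
        x = x * h % n
    return sub


def cosets_mod(n, h):
    group = [a for a in range(1, n) if gcd(a, n) == 1]
    return coset_decomposition(group, lambda g, x: g * x % n, cyclic_subgroup(h, n))


# --- non-Abelian case: permutations of 3 objects --------------------------------
def compose(p, q):
    """(p o q)(i) = p(q(i)): apply q first, then p."""
    return tuple(p[q[i]] for i in range(len(q)))


S3 = sorted(permutations(range(3)))
H_SWAP = [(0, 1, 2), (1, 0, 2)]             # identity and the transposition of 0 and 1


def left_cosets_s3():
    return coset_decomposition(S3, lambda g, h: compose(g, h), H_SWAP)   # g * h


def right_cosets_s3():
    return coset_decomposition(S3, lambda g, h: compose(h, g), H_SWAP)   # h * g


def same_partition(rows_a, rows_b):
    return {frozenset(r) for r in rows_a} == {frozenset(r) for r in rows_b}


if __name__ == "__main__":
    for row in cosets_mod(13, 5):
        print(row)                           # [5, 12, 8, 1], [10, 11, 3, 2], [7, 9, 6, 4]
    print("left == right in S3?", same_partition(left_cosets_s3(), right_cosets_s3()))
```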

Page 28

Ring of Integers Modulo n

- Definition: Z_n denotes the ring of integers modulo n with operations + (addition mod n) and · (multiplication mod n). The elements of Z_n are 0, 1, . . . , n − 1.

- Definition: The set of residues modulo n that are relatively prime to n is denoted Z*_n. Since any a ∈ Z*_n satisfies gcd(a, n) = 1, a^−1 exists and thus Z*_n forms an Abelian group under multiplication modulo n. The elements a ∈ Z*_n are the units of Z_n.

Page 29

Euler’s Totient Function

- Definition: Euler’s Totient Function φ. Euler’s totient function, φ(n), evaluated at a positive integer n, is given by

  φ(n) = |{0 ≤ r < n | gcd(r, n) = 1}| ,

  i.e., it is the number of integers in the set {0, 1, 2, . . . , n − 1} that are relatively prime to n. By definition, φ(1) = 1.

- Euler’s totient function can be computed as follows. Assume that $n = p_1^{e_1} p_2^{e_2} \cdots p_m^{e_m}$ is the factorization of n into distinct prime powers. Then

  $$\varphi(n) = \prod_{i=1}^{m} p_i^{e_i - 1} (p_i - 1) = n \prod_{i=1}^{m} \left(1 - \frac{1}{p_i}\right).$$

Page 30

Euler’s Totient Function

- Note that if gcd(n1, n2) = 1, then φ(n1 n2) = φ(n1) φ(n2), and thus

  $$\varphi(n) = \varphi(p_1^{e_1})\, \varphi(p_2^{e_2}) \cdots \varphi(p_m^{e_m}),$$

  where $\varphi(p_i^{e_i}) = p_i^{e_i - 1}(p_i - 1)$. Note that this also implies that φ(n) ≥ 1.

- Theorem: The order of the group Z*_n is φ(n).

- Proof: Follows directly from the definition of Euler’s totient function φ(n). QED

Page 31

Euler’s Theorem

- Theorem: Euler’s Theorem. If a ∈ Z*_n, then

  a^φ(n) = 1 (mod n) .

- Proof: The elements {r1, r2, . . . , r_m} of Z*_n are all integers 0 < r < n such that gcd(r, n) = 1 and thus |Z*_n| = φ(n) = m. For each i, 1 ≤ i ≤ m, there is a unique j, 1 ≤ j ≤ m such that a r_i = r_j (mod n). Since both a and r_i are relatively prime to n, a r_i is also relatively prime to n and thus

  $$\underbrace{a r_1 \cdot a r_2 \cdots a r_m}_{=\, a^m (r_1 \cdot r_2 \cdots r_m)} = r_1 \cdot r_2 \cdots r_m \pmod n.$$

  This implies that (a^m − 1) r1 · r2 · · · r_m = 0 (mod n) and because of gcd(r_i, n) = 1 for all i it follows that a^m = a^φ(n) = 1 (mod n). QED
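The totient formula and Euler's theorem from the last three slides, as an added Python example (my code, not the slides'): φ(n) is computed from the prime-power factorization and cross-checked against the counting definition, against the order of Z*_n, and against a^φ(n) = 1 (mod n) for every unit. prime_factorization is plain trial division, which is only adequate for the small moduli used here; function names are mine.

```python
# Added example, not from the slides: Euler's totient from the factorization
# n = p_1^e_1 ... p_m^e_m, compared with the counting definition, and a check of
# Euler's theorem a^phi(n) = 1 (mod n) over all units. Trial-division factoring
# is only meant for the small moduli used here.
from math import gcd


def prime_factorization(n):
    """[(p_1, e_1), ..., (p_m, e_m)] with distinct primes p_i, for n >= 1."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            factors.append((p, e))
        p += 1
    if n > 1:                       # whatever is left is itself a prime factor
        factors.append((n, 1))
    return factors


def phi(n):
    """phi(n) = prod p_i^(e_i - 1) (p_i - 1); the empty product gives phi(1) = 1."""
    result = 1
    for p, e in prime_factorization(n):
        result *= p ** (e - 1) * (p - 1)
    return result


def phi_by_counting(n):
    """Definition: |{0 <= r < n : gcd(r, n) = 1}| (gcd(0, 1) = 1 makes phi(1) = 1)."""
    return sum(1 for r in range(n) if gcd(r, n) == 1)


def units(n):
    """Z*_n for n >= 2; its size is the order of the group, i.e. phi(n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def euler_theorem_holds(n):
    """a^phi(n) = 1 (mod n) for every a in Z*_n."""
    k = phi(n)
    return all(pow(a, k, n) == 1 for a in units(n))


def is_multiplicative(n1, n2):
    """phi(n1 n2) = phi(n1) phi(n2) whenever gcd(n1, n2) = 1."""
    return gcd(n1, n2) == 1 and phi(n1 * n2) == phi(n1) * phi(n2)


if __name__ == "__main__":
    for n in (10, 13, 15, 21, 60):
        print(n, prime_factorization(n), phi(n), len(units(n)), euler_theorem_holds(n))
```

The last assertion in the accompanying check is the caveat worth remembering: the theorem is stated for units only, and 2^φ(10) = 16 ≠ 1 (mod 10) because gcd(2, 10) ≠ 1.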

Page 32

Fermat’s Little Theorem

- Corollary: Fermat’s Little Theorem. Suppose p is a prime and a ∈ Z*_p. Then

  a^(p−1) = 1 (mod p) .

- Proof: Z*_p is a multiplicative group of order φ(p) = p − 1. QED

Page 33

Chinese Remainder Theorem

- Theorem: (The Chinese Remainder Theorem.) Given n1, n2, . . . , n_k such that gcd(n_i, n_j) = 1 for i ≠ j, the set of simultaneous congruences

  x = a_i (mod n_i) , i = 1, 2, . . . , k ,

  has a unique solution x modulo N = n1 n2 · · · n_k.

- Proof: Define N_i = N/n_i. Note that gcd(N_i, n_i) = 1. Thus, using Euclid’s extended algorithm,

  gcd(N_i, n_i) = 1 = M_i N_i + m_i n_i ⟹ M_i N_i = 1 (mod n_i).

  Therefore, the desired solution is

  x = a1 M1 N1 + a2 M2 N2 + . . . + a_k M_k N_k (mod N) .

  Check: x = a_i M_i N_i = a_i (mod n_i), since every other term a_j M_j N_j with j ≠ i is a multiple of n_i.

Page 34

Chinese Remainder Theorem

- Proof: (contd.) To prove uniqueness of the solution, suppose that x and x′ are two different solutions satisfying

  x = a_i (mod n_i) , i = 1, 2, . . . , k ,
  x′ = a_i (mod n_i) , i = 1, 2, . . . , k .

  Then

  ∆ = x − x′ = 0 (mod n_i) , i = 1, 2, . . . , k .

  Thus, ∆ is divisible by n1, n2, . . . , n_k. Since gcd(n_i, n_j) = 1 for i ≠ j, ∆ must satisfy

  ∆ = m N , m integer , N = n1 n2 · · · n_k ,

  which implies ∆ = 0 (mod N). QED

Page 35

Chinese Remainder Theorem

Example: n1 = 3, n2 = 4, n3 = 5, and thus N = 60, N1 = 60/3 = 20, N2 = 60/4 = 15, and N3 = 60/5 = 12. Suppose that

  x = 2 (mod 3) , x = 1 (mod 4) , x = 4 (mod 5) .

Compute the quantities

  gcd(N1, n1) = gcd(20, 3) = 1 = −1 · 20 + 7 · 3 ⟹ M1 = −1 = 2 (mod 3) ,
  gcd(N2, n2) = gcd(15, 4) = 1 = −1 · 15 + 4 · 4 ⟹ M2 = −1 = 3 (mod 4) ,
  gcd(N3, n3) = gcd(12, 5) = 1 = −2 · 12 + 5 · 5 ⟹ M3 = −2 = 3 (mod 5) .

The solution x is then obtained as

  x = 2 · 2 · 20 + 1 · 3 · 15 + 4 · 3 · 12 = 80 + 45 + 144 = 269 = 29 (mod 60).

Check:

  29 = 2 (mod 3) , 29 = 1 (mod 4) , 29 = 4 (mod 5) .
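The construction from the proof, run on the worked example above, as an added Python example (mine, not the slides'): N_i = N/n_i, M_i = N_i^(−1) mod n_i, x = Σ a_i M_i N_i mod N. Python's built-in pow(N_i, -1, n_i) (Python 3.8 and later) supplies the inverse that the proof obtains from Euclid's extended algorithm, and the pairwise-coprimality hypothesis is checked explicitly, because without it the formula returns a value that satisfies none of the congruences.

```python
# Added example, not from the slides: the Chinese Remainder Theorem construction
# from the proof, with the coprimality hypothesis enforced. pow(N_i, -1, n_i)
# (Python >= 3.8) computes the inverse M_i that the proof takes from Euclid's
# extended algorithm.
from math import gcd, prod


def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i.
    Returns (x, N) with 0 <= x < N = n_1 n_2 ... n_k."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    N = prod(moduli)
    terms = []
    for a, n in zip(residues, moduli):
        Ni = N // n
        Mi = pow(Ni, -1, n)              # M_i N_i = 1 (mod n_i)
        terms.append(a * Mi * Ni)        # = a_i (mod n_i) and = 0 (mod n_j) for j != i
    return sum(terms) % N, N


def satisfies(x, residues, moduli):
    return all((x - a) % n == 0 for a, n in zip(residues, moduli))


def solutions_by_search(residues, moduli):
    """Brute-force view of uniqueness: every x in [0, N) that satisfies the system."""
    N = prod(moduli)
    return [x for x in range(N) if satisfies(x, residues, moduli)]


if __name__ == "__main__":
    x, N = crt([2, 1, 4], [3, 4, 5])
    print(f"x = {x} (mod {N})")           # x = 29 (mod 60)
```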

Page 36

Quadratic Residues

- Definition: An element x ∈ Z*_n is called a quadratic residue modulo n (QR_n) if x = y^2 (mod n) for some y ∈ Z*_n. Otherwise, if no such y ∈ Z*_n exists, x is called a quadratic non-residue modulo n (QNR_n).

- Note: If x ∈ QR_n then an element y exists such that √x = y (mod n).

- Example: If n = 13 (prime)

    y  :  1  2  3  4   5   6   7   8  9  10  11  12
    y^2:  1  4  9  3  12  10  10  12  3   9   4   1

  Thus, QR_13 = {1, 3, 4, 9, 10, 12}, and QNR_13 = {2, 5, 6, 7, 8, 11} and

    √1 = ±1 (mod 13),   √3 = ±4 (mod 13),    √4 = ±2 (mod 13),
    √9 = ±3 (mod 13),   √10 = ±6 (mod 13),   √12 = ±5 (mod 13).

Page 37

Quadratic Residues

- Example: If n = 21 (composite)

    y  :  1  2   4  5  8  10  11  13  16  17  19  20
    y^2:  1  4  16  4  1  16  16   1   4  16   4   1

  Thus, QR_21 = {1, 4, 16}, and QNR_21 = {2, 5, 8, 10, 11, 13, 17, 19, 20}. Note that 3^2 = 9 (mod 21), or 7^2 = 7 (mod 21), but 3, 9, and 7 are not in Z*_21. Each square root now has 4 solutions:

    √1 = ±1 (mod 21), and √1 = ±8 (mod 21),
    √4 = ±2 (mod 21), and √4 = ±5 (mod 21),
    √16 = ±4 (mod 21), and √16 = ±10 (mod 21).

Page 38

Legendre Symbol, Euler’s Criterion

- Definition: Legendre symbol. Suppose p is an odd prime. Then, for any x, the Legendre symbol L(x, p) is defined as

  $$L(x, p) = \begin{cases} 0, & \text{if } x = 0 \pmod p, \\ 1, & \text{if } x \in QR_p, \\ -1, & \text{if } x \in QNR_p. \end{cases}$$

  L(x, p) can be computed easily using the following theorem.

- Theorem: Euler’s criterion. For all primes p > 2, and all x ∈ Z_p

  x^((p−1)/2) = L(x, p) (mod p) .

Page 39

Euler’s Criterion

- Proof: If x = 0 the result is trivially true. Thus, assume that x ∈ Z*_p. Then, according to Fermat’s Little Theorem, x^(p−1) = 1 (mod p) and either

  x^((p−1)/2) = 1 (mod p) , or x^((p−1)/2) = −1 (mod p) .

  If x ∈ QR_p, i.e., x = y^2 (mod p) for some y ∈ Z*_p, then

  x^((p−1)/2) = (y^2)^((p−1)/2) = y^(p−1) = 1 (mod p) .

  Conversely, if x ∈ QNR_p, then x ≠ y^2 (mod p) for y ∈ Z*_p and thus x^((p−1)/2) must be congruent to −1 modulo p. QED


Jacobi Symbol

• Definition: Jacobi symbol. Let n be any positive odd integer with prime factorization

$n = p_1^{e_1} \cdot p_2^{e_2} \cdots p_k^{e_k}$.

Then, for any integer x, the Jacobi symbol J(x, n) is defined as

$J(x, n) = L(x, p_1)^{e_1} \cdot L(x, p_2)^{e_2} \cdots L(x, p_k)^{e_k}$.

• An important special case in cryptography is n = pq, where p and q are distinct odd primes. In this case

$J(x, n) = \begin{cases} 0 & \Rightarrow \gcd(x, n) \neq 1, \\ -1 & \Rightarrow x \in QNR_n, \\ 1 & \Rightarrow x \in QR_n \text{ or } x \in QNR_n. \end{cases}$

If $J(x, n) = L(x, p)\,L(x, q) = 1$, it is impossible to tell from the Jacobi symbol alone whether $x \in QR_n$ or not, since both $1 \times 1$ and $(-1) \times (-1)$ are equal to one. In the first case $x \in QR_n$, in the second case $x \in QNR_n$. Whoever knows the factors p and q can settle the question by computing $L(x, p)$ with Euler's criterion; without the factorization, deciding quadratic residuosity modulo n is believed to be hard, and this asymmetry is what makes the case n = pq cryptographically useful.


Jacobi Symbol

• Theorem: Properties of the Jacobi symbol. For odd n, the Jacobi symbol satisfies the following properties, which make it easy to compute J(x, n) without factoring n:

(1) $J(x \pm n, n) = J(x, n)$,
(2) $J(x \cdot y, n) = J(x, n) \cdot J(y, n)$,
(3) $J(x, m \cdot n) = J(x, m) \cdot J(x, n)$ for odd m,
(4) $J(1, n) = 1$,
(5) $J(-1, n) = (-1)^{(n-1)/2} = \begin{cases} 1, & \text{if } n \equiv 1 \pmod 4, \\ -1, & \text{if } n \equiv 3 \pmod 4, \end{cases}$
(6) $J(2, n) = (-1)^{(n^2-1)/8} = \begin{cases} 1, & \text{if } n \equiv \pm 1 \pmod 8, \\ -1, & \text{if } n \equiv \pm 3 \pmod 8, \end{cases}$
(7) If x, n are odd and gcd(x, n) = 1, then

$J(x, n) \cdot J(n, x) = (-1)^{(x-1)(n-1)/4}$, or equivalently,

$J(x, n) = \begin{cases} -J(n, x), & \text{if } x \equiv n \equiv 3 \pmod 4, \\ J(n, x), & \text{otherwise.} \end{cases}$

Properties (1), (2), (6) and (7) together give a Euclid-like algorithm: reduce x modulo n, pull out the factors of 2 from x with (6), swap the arguments with (7), and repeat until the first argument becomes 0; the running time is that of the Euclidean algorithm.


Primality Tests

• A decision problem is a problem where a question is posed that can be answered by "yes" or "no".

• A probabilistic algorithm is an algorithm that uses some form of randomness, e.g., random numbers, during its execution.

• Definition: A yes-biased Monte Carlo algorithm is a probabilistic algorithm for a decision problem in which a "yes" answer is always correct, but a "no" answer may be incorrect, e.g., with probability ≤ ε.

• Example: The Solovay-Strassen algorithm is a yes-biased Monte Carlo algorithm for the decision problem "is n composite?" with ε = 1/2. Thus, if the algorithm answers "yes" then n is composite for sure, but if it answers "no" then n may still be composite, with probability ≤ 1/2.


Pseudo-Primes

• Example: According to Fermat's Little Theorem, every prime n must satisfy $x^{n-1} \equiv 1 \pmod n$ for all $x \in \mathbb{Z}_n^*$. Thus, if for a given n an x with gcd(x, n) = 1 is found such that this congruence fails, then n is known to be composite. But some composites pass this test for many bases, which motivates the following definition.

• Definition: If n is an odd composite number and $x \in \mathbb{Z}_n^*$ is an integer such that

$x^{n-1} \equiv 1 \pmod n$

holds, then n is called a pseudo-prime to the base x. The graph on the next slide shows the fraction of x for which n ≤ 2500 is a pseudo-prime.


Distribution of Pseudo-Primes

[Figure: Composite odd n, gcd(a,n)=1: Fraction of a s.t. n is Pseudo-Prime to Base a. x-axis: n from 0 to 2500; y-axis: fraction from 0 to 1.]

• Definition: A Carmichael number is a composite integer n such that

$x^{n-1} \equiv 1 \pmod n$

holds for every $x \in \mathbb{Z}_n^*$. The first few Carmichael numbers are 561, 1105, 1729, 2465.


Euler Pseudo-Primes

• Definition: Let n be an odd integer and let J(x, n) denote the Jacobi symbol. If n is composite and $x \in \mathbb{Z}_n^*$ satisfies (cf. Euler's criterion)

$x^{(n-1)/2} \equiv J(x, n) \pmod n$,

then n is called an Euler pseudo-prime to the base x. The graph on the next slide shows the fraction of x for which n ≤ 2500 is an Euler pseudo-prime.

• Example: The number n = 91 (= 7 × 13) is an Euler pseudo-prime to the base x = 9. Since $9 = 3^2$ with gcd(3, 91) = 1, quite obviously $9 \in QR_{91}$ and $J(9, 91) = 1$; and since $9^2 = 81 \equiv -10$ and $9^3 \equiv 9 \times (-10) = -90 \equiv 1 \pmod{91}$,

$9^{(91-1)/2} = (9^3)^{15} \equiv 1 = J(9, 91) \pmod{91}$.

But 91 is not an Euler pseudo-prime to the base 4, since $4^6 = 4096 = 45 \times 91 + 1 \equiv 1 \pmod{91}$ gives

$4^{(91-1)/2} = (4^6)^7 \times 4^3 \equiv 64 \not\equiv J(4, 91) = 1 \pmod{91}$.

Question: Are there any composite numbers n which are Euler pseudo-primes to every $x \in \mathbb{Z}_n^*$?


Distribution of Euler Pseudo-Primes

[Figure: Composite odd n, gcd(a,n)=1: Fraction of a s.t. n is Euler Pseudo-Prime to Base a. x-axis: n from 0 to 2500; y-axis: fraction from 0 to 1.]

• Theorem: If n is an odd composite integer, then n is an Euler pseudo-prime to the base x for at most 50% of all x such that gcd(x, n) = 1. The bound holds with equality for n = 1729, 2465, ....


Solovay-Strassen Primality Test

• Theorem: Solovay-Strassen 1977. For any odd integer n > 1 the following statements are equivalent:

(1) n is prime.
(2) $x^{(n-1)/2} \equiv J(x, n) \pmod n$ holds for all $x \in \mathbb{Z}_n^*$.

In particular, the theorem answers the question on the Euler pseudo-prime slide: no composite n is an Euler pseudo-prime to every base.

• Solovay-Strassen Primality Test. This is a probabilistic test which is based on the above theorem. Assume n > 1 is an odd integer. The steps for each test are:

(1) Choose a random integer x, 1 < x < n − 1.
(2) If $J(x, n) \equiv x^{(n-1)/2} \pmod n$ then answer "n is prime," else answer "n is composite."

• Note: It will never happen that the answer is "n is composite" if n is indeed a prime. But with probability at most 1/2 it can happen that the answer is "n is prime" if n is indeed composite. By repeating the test a sufficient number of times, the probability of error can be made arbitrarily small (≈ $2^{-t}$ where t is the number of tests performed). Two details matter when step (2) is implemented: the value J(x, n) = −1 has to be compared with the residue n − 1, and J(x, n) = 0 (i.e., gcd(x, n) > 1) must be answered "n is composite" directly, because a base sharing a factor with n can have $x^{(n-1)/2} \equiv 0 \pmod n$ (e.g., n = 9, x = 3: $3^4 = 81 \equiv 0 \pmod 9$) and would otherwise pass the comparison against J(x, n) = 0.
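The following Python is an added worked example and not code from the slides. It implements J(x, n) directly from properties (1)-(7) of the Jacobi symbol (the Euclid-like reduction: reduce mod n, strip factors of 2 with rule (6), swap by reciprocity (7)), checks it against Euler's criterion for a prime modulus, reproduces the n = 21 quadratic-residue table and its four square roots, the n = 91 Euler pseudo-prime example, the Fermat and Euler liar fractions plotted on the two graph slides (the Carmichael number 561 is a Fermat liar for every base), and the Solovay-Strassen test as written in steps (1)-(2), including the J(x, n) = 0 caveat from the note above. All function names are my own; Python's three-argument pow does the modular exponentiation, and random.SystemRandom is used for the bases so that an adversary cannot predict them.

```python
import random
from math import gcd


def jacobi(x, n):
    """Jacobi symbol J(x, n) for a positive odd n, computed from the slides'
    properties: (1) reduce x mod n; (2)+(6) strip factors of 2 from x using
    J(2, n) = -1 iff n = +/-3 (mod 8); (7) swap x and n by reciprocity, the
    sign flipping only when both are 3 (mod 4). Returns 0 iff gcd(x, n) > 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    x %= n
    result = 1
    while x != 0:
        while x % 2 == 0:
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x                      # quadratic reciprocity, property (7)
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n
    return result if n == 1 else 0       # the loop ends with n = gcd(original x, n)


def legendre_euler(x, p):
    """Legendre symbol via Euler's criterion: x^((p-1)/2) mod p lies in
    {0, 1, p-1}, mapped to {0, 1, -1}. Only valid for an odd prime p."""
    r = pow(x, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def quadratic_residues(n):
    """QR_n by brute force: the distinct squares of the units of Z_n."""
    return sorted({y * y % n for y in range(1, n) if gcd(y, n) == 1})


def square_roots(a, n):
    """All units y of Z_n with y^2 = a (mod n): two for a prime modulus,
    four for n = p*q (an independent sign choice modulo each prime)."""
    return [y for y in range(1, n) if gcd(y, n) == 1 and y * y % n == a % n]


def fermat_liar_fraction(n):
    """Fraction of units x of Z_n with x^(n-1) = 1 (mod n); exactly 1.0 for
    a Carmichael number. Brute force, so only for small n."""
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    return sum(pow(x, n - 1, n) == 1 for x in units) / len(units)


def euler_liar_fraction(n):
    """Fraction of units x of Z_n with x^((n-1)/2) = J(x, n) (mod n), i.e. the
    bases to which an odd composite n is an Euler pseudo-prime (at most 1/2)."""
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    liars = [x for x in units if pow(x, (n - 1) // 2, n) == jacobi(x, n) % n]
    return len(liars) / len(units)


def solovay_strassen_witness(n, x):
    """Step (2) for one base x of an odd n: True if x proves n composite,
    False if x^((n-1)/2) = J(x, n) (mod n) holds (n prime, or x an Euler liar)."""
    j = jacobi(x, n)
    if j == 0:                           # gcd(x, n) > 1: composite, no exponentiation needed
        return True
    return pow(x, (n - 1) // 2, n) != j % n   # j % n maps -1 to the residue n - 1


def solovay_strassen(n, rounds=32, rng=None):
    """Probabilistic primality test: False ('composite') is always correct,
    True ('prime') is wrong with probability at most 2^-rounds."""
    if n < 2 or n % 2 == 0:
        return n == 2
    if n == 3:
        return True
    rng = rng or random.SystemRandom()
    for _ in range(rounds):
        x = rng.randrange(2, n - 1)      # step (1): 1 < x < n - 1
        if solovay_strassen_witness(n, x):
            return False
    return True
```

The brute-force helpers enumerate all of Z_n^* and are only meant for moduli in the range of the graph slides; the Jacobi computation and the test itself cost one Euclid-style reduction and one modular exponentiation per base, so they scale to the sizes used in practice.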


Strong Pseudo-Primes

• Theorem: Miller 1976. For any odd integer n > 1 write $n - 1 = 2^s m$, where m is odd. Then the following statements are equivalent:

(1) n is prime.
(2) For all $x \in \mathbb{Z}_n^*$: if $x^m \not\equiv 1 \pmod n$, then there exists an i, 0 ≤ i < s, such that $x^{2^i m} \equiv -1 \pmod n$.

• Definition: Let $n = 2^s m + 1$, m odd, be an odd integer. If n is composite and $x \in \mathbb{Z}_n^*$ satisfies

either $x^m \equiv 1 \pmod n$,

or there exists i, 0 ≤ i < s, such that $(x^m)^{2^i} \equiv -1 \pmod n$,

then n is called a strong pseudo-prime to the base x. The graph on the next slide shows the fraction of x for which n ≤ 2500 is a strong pseudo-prime.


Distribution of Strong Pseudo-Primes

[Figure: Composite odd n, gcd(a,n)=1: Fraction of a s.t. n is Strong Pseudo-Prime to Base a. x-axis: n from 0 to 2500; y-axis: fraction from 0 to 1.]

• Example: Let n = 133 (= 7 × 19), so $n - 1 = 132 = 2^2 \times 33$, i.e. s = 2 and m = 33. Testing with $x \in \mathbb{Z}_{133}^*$ yields (all congruences modulo 133)

x = 11: $11^{33} \equiv 1$ ⟹ "n is prime"
x = 12: $12^{33} \equiv 132 \equiv -1$ ⟹ "n is prime"
x = 13: $13^{33} \equiv 27$, $(13^{33})^2 \equiv 64$ ⟹ "n is composite"

n = 133 is a strong pseudo-prime to the bases 11 and 12, but not to the base 13.


Miller-Rabin Primality Test

• Miller-Rabin Primality Test. This is a probabilistic test which is based on Miller's theorem. Assume n > 1 is an odd integer and write $n - 1 = 2^s m$, where m is odd. The steps for each test are:

(1) Choose a random integer x, 1 < x < n − 1.
(2) Compute $b = x^m \pmod n$.
(3) If $b \equiv 1 \pmod n$ then answer "n is prime" and stop.
(4) For i = 0 to s − 1 do
(5)   If $b \equiv -1 \pmod n$ then answer "n is prime" and stop, else $b \leftarrow b^2 \pmod n$.
(6) If you did not quit in step (3) or (5), answer "n is composite."

• Note: Like in the Solovay-Strassen test, it will never happen in the Miller-Rabin test that the answer is "n is composite" if n is indeed a prime. But with probability at most 1/4 (for odd composite n > 9) it can happen that the answer is "n is prime" if n is indeed composite. By repeating the test a sufficient number of times, the probability of error can be made arbitrarily small (≈ $4^{-t}$ where t is the number of tests performed). Unlike Solovay-Strassen, no separate gcd check is needed: a base sharing a prime factor with n can never reach ±1 modulo n, so it is always caught in step (6).
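The following Python is an added example and not code from the slides. It implements Miller's criterion as the Miller-Rabin steps (1)-(6) above and returns the sequence $x^m, x^{2m}, x^{4m}, \ldots \pmod n$ that each base produces, so the n = 133 trace from the strong pseudo-prime slide (bases 11, 12 and 13) can be reproduced exactly; it also counts the strong liars of a small composite to check the 1/4 bound. Function names are my own; Python's three-argument pow does the modular exponentiation.

```python
import random
from math import gcd


def decompose(n):
    """Write n - 1 = 2^s * m with m odd, for odd n > 1."""
    s, m = 0, n - 1
    while m % 2 == 0:
        s += 1
        m //= 2
    return s, m


def miller_rabin_trace(n, x):
    """Steps (2)-(6) for a single base x of an odd n > 1. Returns
    (verdict, sequence) where sequence = [x^m, x^(2m), x^(4m), ...] mod n as
    actually computed, so the reader can see where 1 or -1 appeared."""
    s, m = decompose(n)
    b = pow(x, m, n)                     # step (2)
    seq = [b]
    if b == 1:                           # step (3)
        return "prime", seq
    for _ in range(s):                   # steps (4)-(5)
        if b == n - 1:                   # b = -1 (mod n)
            return "prime", seq
        b = b * b % n
        seq.append(b)
    # step (6): either x^(n-1) != 1 (Fermat witness) or the squarings reached 1
    # through a square root of 1 other than +/-1, which cannot happen for a prime.
    return "composite", seq


def is_strong_pseudoprime(n, x):
    """The slides' definition for an odd composite n: x is a strong liar."""
    return miller_rabin_trace(n, x)[0] == "prime"


def strong_liar_fraction(n):
    """Fraction of units x of Z_n to which an odd composite n is a strong
    pseudo-prime (the quantity plotted above); at most 1/4 for n > 9."""
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    return sum(is_strong_pseudoprime(n, x) for x in units) / len(units)


def miller_rabin(n, rounds=32, rng=None):
    """Probabilistic test: False ('composite') is always correct, True ('prime')
    is wrong with probability at most 4^-rounds."""
    if n < 2 or n % 2 == 0:
        return n == 2
    if n == 3:
        return True
    rng = rng or random.SystemRandom()   # unpredictable bases
    for _ in range(rounds):
        x = rng.randrange(2, n - 1)      # step (1): 1 < x < n - 1
        if miller_rabin_trace(n, x)[0] == "composite":
            return False
    return True
```

For n = 133 the traces are [1] for base 11, [132] for base 12 and [27, 64, 106] for base 13; the last entry of a "composite" trace is $x^{n-1} \bmod n$, so 106 ≠ 1 also shows that 13 is a plain Fermat witness for 133.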
