CA622
Advanced Algorithms
Course Overview
4 Parts: 6 Lectures on each part
 Part I
 Primality Testing
 Factorisation
 Implications to Cryptography
 Part II,III and IV will be taught by another lecturer
Continuous Assessment
 25%
 Groups of 5
 Will be related to part I of the course
Course Overview
Exam:
 8 exam questions, answer 4, one from each
part of the course
 Therefore there will be two questions on the
exam relating to the next 6 hours of lectures
Course Website
Notes for part I can be found at

www.computing.dcu.ie/~cwhelan/teaching.html

although the site is not live just yet…


Advanced Algorithms:
Part I
Lecturer:
Claire Whelan
Section 1:
Primality Testing
13 = 3^x mod 19
Overview
Since ancient times mathematicians have been fascinated by problems
concerning prime numbers. Since the days of Euclid (ca. 270 BC) and
Eratosthenes (ca. 240 BC) prime numbers have been the subject of intense
mathematical scrutiny.
Why are they so interesting? Prime numbers are more elusive than
they seem. They do not follow a set pattern or particular sequence, and there is
no formula that can tell you whether a number is definitively prime in a
reasonable amount of time.
The Prime Pages demonstrate the current fascination with primes.
The search for primes continues
 http://www.mersenne.org/prime.html
“On September 4th 2006 the most recent Mersenne prime was found. The 44th
known Mersenne prime, 2^32,582,657 – 1, a 9,808,358 digit number. The
discoverers used 700 PCs as part of a grid (PrimeNet) in CMSU, which is networked
with 70,000 computers to work in parallel to compute 22 trillion calculations per
second. This would have taken 4000 years on a single PC…”
Definition
A prime number is a positive integer p
having exactly two positive divisors, 1
and p.
A composite number is a positive
integer n > 1 which is not prime,
 i.e. iff it admits a nontrivial factorisation
n = ab, where a and b are integers
strictly between 1 and n.
 Hence, primality testing and factorisation
go hand in hand (a field inextricably
entwined with primes!)
Fundamental Theorem of
Arithmetic
For each natural number n there is a
unique factorisation
n p p p
a1
1
a2
2
ak
k
Where ai are positive integers and
p1 < p 2 < … p k
are primes.
What is Primality Testing?
Primality testing
 Determining whether a number is prime or
not
Prime factorisation
 Decomposing a number into its constituent
prime factors
Q:
Factorise

11364600
Testing Primality?
Obvious approach:
 Given an integer n, check if any integer m from 2 to
n-1 divides n. If n is divisible by any m, then n is
composite, otherwise it is prime.
An improvement:
 Check whether n is divisible by any of the prime
numbers ≤ √n
 Can also skip all even m except 2, since if any even
number divides n then 2 does
 Can repeat this for all prime numbers (Sieve of
Eratosthenes)
Eratosthenes
[Figure: Sieve of Eratosthenes]
Primality Testing
Two varieties of prime tests
1. Probabilistic
 “Probable prime”: a false positive, where a composite number is identified
as prime, will happen with very low probability.
 But much faster than deterministic tests
 Pseudoprime: A number which passes a probabilistic primality test
but which is actually composite
 Types:
 Fermat’s Little Theorem
 Miller-Rabin
2. Deterministic
 Identifies real prime numbers
 Types:
 Lucas-Lehmer
 Elliptic Curve Primality Proving
 AKS
Probabilistic Algorithms
Fermat’s Little Theorem
If p is prime and 1 < a < p, then
a^(p-1) = 1 mod p
To test whether n is prime, a number of random values of a are chosen in
the interval 1 < a < n, and the equality is checked for each value of
a:
a^(n-1) = 1 mod n
However, some composites pass Fermat’s test, and so are
falsely identified as prime… Carmichael Numbers
Carmichael numbers are composite numbers n for which every value of a
with gcd(a,n) = 1 is a Fermat liar.
Modular Exponentiation
How to calculate a^k mod n?
As will be seen throughout the lecture,
modular exponentiation is required for use
in all primality tests
Modular Exponentiation:
Square and Multiply
Input: a, k, n, where k has binary digits k_t … k_1 k_0

Set b = 1
If k = 0, return b
Set A = a
If k_0 = 1 then set b = a
For i = 1 to t
    Set A = A^2 mod n
    If k_i = 1
        Set b = A*b mod n

Output b = a^k mod n
Modular Exponentiation:
Square and Multiply
Example: Calculate 5^596 mod 1234 = 1013

i     0    1    2     3     4     5     6     7     8     9
k_i   0    0    1     0     1     0     1     0     0     1
A     5    25   625   681   1011  369   421   779   947   925
b     1    1    625   625   67    67    1059  1059  1059  1013
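The table above can be regenerated by coding the slide's right-to-left square and multiply directly. This is an added example, not part of the original slides; the function names are illustrative, and 561 and 91 are test values chosen here to show a Carmichael number fooling the Fermat test for every coprime base.

```python
from math import gcd

def square_and_multiply(a, k, n, trace=None):
    """Right-to-left square and multiply: returns a^k mod n.

    If trace is a list, one (i, k_i, A, b) row is appended per bit of k,
    matching the rows of the worked table.
    """
    b = 1
    if k == 0:
        return b % n
    A = a % n
    i = 0
    while True:
        bit = (k >> i) & 1          # k_i, least significant bit first
        if bit:
            b = (A * b) % n
        if trace is not None:
            trace.append((i, bit, A, b))
        i += 1
        if k >> i == 0:             # no bits of k left
            return b
        A = (A * A) % n

def fermat_liars(n):
    """Bases 1 < a < n with a^(n-1) = 1 mod n."""
    return [a for a in range(2, n) if square_and_multiply(a, n - 1, n) == 1]

def every_coprime_base_is_fermat_liar(n):
    """True when composite n passes the Fermat test for all a with gcd(a, n) = 1."""
    return fermat_liars(n) == [a for a in range(2, n) if gcd(a, n) == 1]

if __name__ == "__main__":
    rows = []
    print("5^596 mod 1234 =", square_and_multiply(5, 596, 1234, rows))
    for row in rows:
        print("i=%d k_i=%d A=%d b=%d" % row)
    # Constructed test values: 561 = 3*11*17 is a Carmichael number, 91 = 7*13 is not.
    print("561 fools Fermat for every coprime base:", every_coprime_base_is_fermat_liar(561))
    print("91 fools Fermat for every coprime base:", every_coprime_base_is_fermat_liar(91))
```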
Miller-Rabin
Similar to Fermat in that it tests a series of
equalities that hold true for prime values. Then
see whether they hold for a number we want to
test.
First a note about x^2 = 1 mod p where x in F_p
 x^2 = 1 mod p and so x = sqrt(1) mod p and so x =
+-1 mod p
 To see why: (x+1)(x-1) = 0 mod p. Suppose x were neither
+1 nor –1 mod p. Then p divides neither (x+1) nor (x-1).
 But if a prime cannot divide either of these two
integers, it cannot divide their product.
Miller-Rabin
Let n be an odd prime. We can write n - 1
as 2^s r, where s is an integer and r is odd.
So for all a in F_n* either
 a^r = 1 mod n
or
 a^(2^j r) = -1 mod n for some 0 <= j <= s – 1
Miller-Rabin
If
 a^r != 1 mod n
and
 a^(2^j r) != -1 mod n
for all 0 <= j <= s – 1
then a is a strong witness to compositeness
for n.
Miller-Rabin
If
 a^r = 1 mod n
or
 a^(2^j r) = -1 mod n
for some 0 <= j <= s – 1
then n is said to be a strong pseudoprime
to the base a.
Then a is a strong liar to primality for n.
Miller-Rabin Example
n = 91
90 = 2*45, s = 1, r = 45
{1,9,10,12,16,17,22,29,38,53,62,69,74,
75,79,81,82,90} are all strong liars.
 9^45 = 1 mod 91
 10^45 = -1 mod 91
 ….
All other bases are strong witnesses.
 9^7 = 9 mod 91
 9^8 = 81 mod 91
Miller Rabin
If n is an odd composite, the number of
strong liars for n is at most φ(n)/4.
For example, φ(91)/4 = 18
Note φ(n) is the Euler Phi Function
Miller-Rabin: The Algorithm
Input: An odd integer n and security parameter t

Write n - 1 = 2^s r such that r is odd

For i = 1 to t do
    Choose a random integer a, 2 < a < n – 2
    Compute y = a^r mod n
    If y != 1 and y != n – 1 then
        j = 1
        While j ≤ s – 1 and y != n – 1
            Compute y = y^2 mod n
            If y = 1 then return COMPOSITE
            j = j + 1
        If y != n – 1 then return COMPOSITE

Output PRIME
What is required to compute this?
Algorithm for modular exponentiation
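The n = 91 example and the φ(n)/4 bound can be checked by enumerating every base. This is an added example, not part of the original slides; the function names, the default t = 40 and the base range 2 <= a <= n - 2 are assumptions made here, and Python's built-in pow(a, r, n) stands in for the modular exponentiation routine.

```python
import random
from math import gcd

def decompose(n):
    """Write n - 1 = 2^s * r with r odd and return (s, r)."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    return s, r

def is_strong_liar(a, n):
    """True if a^r = 1 mod n, or a^(2^j r) = -1 mod n for some 0 <= j <= s-1."""
    s, r = decompose(n)
    y = pow(a, r, n)                 # built-in modular exponentiation
    if y == 1 or y == n - 1:
        return True
    for _ in range(s - 1):
        y = (y * y) % n
        if y == n - 1:
            return True
        if y == 1:                   # reached 1 without passing through -1
            return False
    return False

def strong_liars(n):
    """Every base 1 <= a <= n-1 that does not expose the odd composite n."""
    return [a for a in range(1, n) if is_strong_liar(a, n)]

def euler_phi(n):
    """Naive Euler phi function; adequate for the small n used here."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)

def miller_rabin(n, t=40, rng=None):
    """False if n is proven composite, True if n passed t random bases.

    t = 40 is an assumed default; each round lets an odd composite
    through with probability at most 1/4.
    """
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    if rng is None:
        # OS CSPRNG: a number supplied by someone else cannot be crafted
        # to match a predictable sequence of bases.
        rng = random.SystemRandom()
    return all(is_strong_liar(rng.randrange(2, n - 1), n) for _ in range(t))

if __name__ == "__main__":
    print("strong liars for 91:", strong_liars(91))
    print("phi(91)/4 =", euler_phi(91) // 4)
    print("2^127 - 1 passes:", miller_rabin(2**127 - 1))
    print("561 passes:", miller_rabin(561))
```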
Deterministic Algorithms
Special Primes
Generally deterministic algorithms are
used to test prime numbers with a special
form, such as
 Mersenne Primes
 A prime of the form 2^s - 1
 Solinas Primes
 A prime number with low hamming weight
 Particularly of interest for pairing-based
cryptography
Lucas-Lehmer test for Mersenne
Primes
Input: a Mersenne number n = 2^s – 1 for s > 3

Use trial division to check whether s has any factors between 2 and ⌊√s⌋
If it does, return COMPOSITE

Set u = 4
For k = 1 to s – 2
    Compute u = (u^2 – 2) mod n
If u = 0 return PRIME
Else return COMPOSITE
Mersenne Primes
Index  Mj    Digits   Index  Mj     Digits
1      2     1        13     521    157
2      3     1        14     607    183
3      5     2        15     1279   386
4      7     3        16     2203   664
5      13    4        17     2281   687
6      17    6        18     3217   969
7      19    6        19     4253   1281
8      31    10       20     4423   1332
9      61    19       21     9689   2917
10     89    27       22     9941   2993
11     107   33       23     11213  3376
12     127   39       24     19937  6002
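The Lucas-Lehmer steps above are short enough to run against the table. This is an added example, not part of the original slides; the function names are illustrative, and the code also accepts s = 3, for which the same recurrence gives the right answer.

```python
from math import isqrt

def exponent_has_factor(s):
    """Trial division: does s have a factor between 2 and floor(sqrt(s))?"""
    return any(s % d == 0 for d in range(2, isqrt(s) + 1))

def lucas_lehmer(s):
    """Deterministic primality test for the Mersenne number n = 2^s - 1."""
    if s < 3:
        raise ValueError("this form of the test needs s >= 3")
    if exponent_has_factor(s):
        return False                 # composite s implies composite 2^s - 1
    n = (1 << s) - 1
    u = 4
    for _ in range(s - 2):           # k = 1 .. s-2
        u = (u * u - 2) % n
    return u == 0

def mersenne_rows(max_s):
    """(exponent, decimal digits of 2^s - 1) for each prime 2^s - 1, 3 <= s <= max_s."""
    return [(s, len(str((1 << s) - 1)))
            for s in range(3, max_s + 1) if lucas_lehmer(s)]

if __name__ == "__main__":
    # Reproduces table rows 2 to 15 (exponents 3 through 1279).
    for s, digits in mersenne_rows(1300):
        print(s, digits)
```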
Elliptic Curve Primality Proving
In 2004, a 4769-digit number was certified as prime
in approx. 2000 hours of computation (~3
months of uninterrupted computing time)
on a 1 GHz processor
AKS
The first polynomial time primality test
 In August 2002 a deterministic polynomial
time primality test was written by Agrawal,
Kayal & Saxena, namely the AKS algorithm
Ref: “PRIMES is in P”, Agrawal, Kayal and
Saxena.
AKS: The Algorithm
Input: An odd integer n > 1

if (n is of the form a^b, b > 1) Output COMPOSITE;
r = 2;
while (r < n) {
    if (gcd(n,r) != 1) Output COMPOSITE;
    if (r is prime) {
        let q be the largest prime factor of r-1;
        if ((q >= 4*sqrt(r)*log n) && (n^((r-1)/q) != 1 mod r))
            break;
    }
    r = r+1;
}
for (a = 1 to 2*sqrt(r)*log n) {
    if ((x - a)^n != (x^n - a) mod (n, x^r - 1)) Output COMPOSITE;
}
Output PRIME;
Organisation of the AKS algorithm

Module 1:
Detecting Perfect Powers

Module 2:
Finding a suitable r value

Module 3:
Evaluating a prime identity function
What is a Perfect Power?
n is a perfect power if n
can be written as: n = a^b
For example,
 65536 = 2^16
Therefore, need an algorithm to determine whether n
can be written as an integer to the power of another
integer.
A brute force approach is obviously not feasible.
A method by Dan Bernstein gives an optimised
approach
Ref: “Detecting Perfect Powers in Essentially Linear
Time”, Mathematics of Computation, 1998.
Bernstein’s Detecting Perfect Powers
Only prime exponents are checked.
 If n = a^b, then n = (a^m)^p = x^p
Therefore the following main checks are
performed
 n = x^2
 n = 2^p
 n = x^p …due to Bernstein
Bernstein’s Detecting Perfect Powers
1. Compute an intermediate value y to help
choose an appropriate approximation to the p-th
root
2. An approximate p-th root of n is calculated
using Newton’s method
3. This approximate root x is tested to see if n =
x^p. If so then n is a perfect power; if not then
another p value is chosen, up to log_2 n
The proof for these steps is given in Bernstein’s
paper.
Algorithms required to compute
Module 1?
Method to generate square roots
Method to generate prime numbers
…a bit of a chicken and egg scenario!
Method to generate the tentative root x
and find whether x^p = n
Newton’s Method
Obviously, a fast exponentiation
algorithm
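Module 1 can be sketched with exactly the pieces listed above: a prime generator, a Newton root finder, and the x^p = n check for prime p up to log_2 n. This is an added example, not part of the original slides and not Bernstein's algorithm; it swaps his floating-point approximations for an exact integer Newton iteration, and all function names are illustrative.

```python
from math import isqrt

def primes_up_to(m):
    """Sieve of Eratosthenes: all primes <= m (m >= 1)."""
    sieve = bytearray([1]) * (m + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(m) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, m + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]

def integer_root(n, p):
    """floor(n ** (1/p)) for n >= 1, p >= 2, by Newton's method on integers."""
    x = 1 << -(-n.bit_length() // p)     # power of two that is >= the true root
    while True:
        y = ((p - 1) * x + n // x ** (p - 1)) // p
        if y >= x:                       # iteration stopped decreasing
            return x
        x = y

def perfect_power(n):
    """Return (x, p) with x^p == n and p prime, or None if n is not a perfect power."""
    if n < 4:
        return None
    for p in primes_up_to(n.bit_length()):   # prime exponents up to about log_2 n
        x = integer_root(n, p)
        if x < 2:
            break                            # larger p only gives smaller roots
        if x ** p == n:
            return x, p
    return None

if __name__ == "__main__":
    # 65536 = 2^16 is reported with a prime exponent: (2^8)^2.
    print(perfect_power(65536))
    print(perfect_power(3 ** 7))
    print(perfect_power(91))
```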
How do we find the correct r?
r is the value that will be used as the exponent of
the modulus polynomial x^r – 1 in the prime identity
function
The value r must satisfy a number of conditions:
 r < n
 r must be prime
 r is O(log^6 n)
 r-1 contains a prime factor which is close to the size of
the square root of r
Requiring both primality and factorisation methods!
The Algorithm to find r
Intermediate primality test
Factorization method
 Trial Division
 Pollard Rho
 Pollard p-1
GCD method
 Euclidean Algorithm
Square Root method
Log2 method
Euclidean Algorithm
Input: Two non-negative numbers a and b with a >= b

While b != 0
    set r = a mod b, a = b, b = r

Output a
Example
Find gcd(4864,3458)

4864 = 1*3458 + 1406


3458 = 2*1406 + 646
1406 = 2*646 + 114
646 = 5*114 + 76
114 = 1*76 + 38
76 = 2*38 + 0

Therefore gcd(4864,3458) = 38
Square Root
Firstly, use the Legendre Symbol to determine
whether a square root exists or not
 x = y^2
 Is x a quadratic residue or a quadratic non-residue?
 x^((n-1)/2) mod n = 1      => x is a QR
 x^((n-1)/2) mod n = n - 1  => x is a QNR
 If it is found that a square root exists, then a square
root algorithm must be used to find the square root.
What is the Prime Identity Function?
The prime identity function is the heart of the
primality test
n is prime iff
for a = 1….bound
(x – a)^n = x^n – a mod (n, x^r - 1)
If LHS = RHS, for every value of a
=> n is prime
This identity is based on Fermat’s little theorem
Example on board to demonstrate…
What do we need for this part?
Knowledge of how operations on
polynomials are performed – a polynomial
API?
 Polynomial addition, multiplication,
reduction…
So how good is it?
Say n = 833310469,
a = 1, r = 53699
=> (x-1)^833310469 = x^833310469 – 1
(mod 833310469, x^53699 - 1)
This primality test will take a very long time to
complete
The number of polynomial operations to be
performed = 833310469 * a
This is without module 1 OR module 2 being
evaluated
AND 833310469 is not a big prime number
Implementation
Have mentioned some of the algorithms
which are required to implement AKS and
other primality tests.
Some libraries will have some of these
algorithms in built. For example, Java’s
BigInteger API.
BigInteger
BigInteger in Java provides a probabilistic primality test,
isProbablePrime().
To use probable prime a certainty must be passed as a
parameter.
The certainty is the amount of error that the user is willing to
tolerate.
The higher the certainty, the more probable the number is
prime.
public boolean isProbablePrime(int certainty)
The certainty is calculated from (1 - 1/2^certainty), which will
dictate the number of rounds of tests performed on the input.
isProbablePrime() uses Miller-Rabin and Lucas-Lehmer
Summary
Considering that the last prime found was
estimated to take 1 PC approximately
4000 years to test… I think the crypto
community will use probabilistic primality
tests.
References
Pomerance, “Prime Numbers, A Computational Perspective”
Bressoud, “Factorisation and Primality Testing”
Koblitz, “A Course in Number Theory and Cryptography”
Wolfram Mathworld, Wikipedia…
The Prime Pages, http://primes.utm.edu/
Task
Recap on finite field and modular
arithmetic
Implement modular exponentiation
Implement any of the probabilistic or, if
you are patient, deterministic primality tests
Techniques
Trial Division
p-1 Method
p+1 Method
Pollard Rho Method
Continued Fraction Method
Quadratic Sieve
Elliptic Curve Method
Number Field Sieve
