6.046 Lecture 8

3/2/04

Recall:

Z_N^* = {0 < a < N : gcd(a,N) = 1}.

Z_N^* is a group under multiplication mod N.

For each a in Z_N^* we can compute an inverse using the extended GCD:

a number b such that ab = 1 mod N.

Define: phi(N) = |Z_N^*|. Called the "Euler phi function".

FACT:

Let S be a subgroup of Z_N^*; then |S| divides |Z_N^*|. (This is Lagrange's theorem.)

EULER'S THEOREM: for any a in Z_N^*, a^{phi(N)} = 1 (mod N).

PROOF: Let t = order(a), the smallest t >= 1 with a^t = 1 (mod N). Notice that {1, a, a^2, ..., a^{t-1}} is a subgroup of Z_N^*: it is closed under multiplication and inverses.

Now use the fact from group theory that the size of any subgroup divides the size of the group: phi(N) = b*t for some integer b. So a^{phi(N)} = (a^t)^b = 1^b = 1 (mod N).
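The objects just recalled, worked out in code (an added example, not part of the lecture notes): the extended GCD gives the inverse b with ab = 1 mod N, Z_N^* is enumerated directly so phi(N) = |Z_N^*| can be read off, and for every a in Z_N^* the order t of a is computed and checked to divide phi(N), which is exactly what makes a^{phi(N)} = 1. The function names and the sample moduli 15, 40 and 561 are chosen here for illustration.

```python
from math import gcd


def extended_gcd(a, b):
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) and a*x + b*y = g."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = extended_gcd(b, a % b)
    # back-substitute: b*x1 + (a % b)*y1 = g and a % b = a - (a//b)*b
    return g, y1, x1 - (a // b) * y1


def mod_inverse(a, N):
    """The b in Z_N^* with a*b = 1 mod N; only exists when gcd(a, N) = 1."""
    g, x, _ = extended_gcd(a, N)
    if g != 1:
        raise ValueError(f"{a} is not a unit mod {N} (gcd = {g})")
    return x % N


def units(N):
    """Z_N^* = {0 < a < N : gcd(a, N) = 1}."""
    return [a for a in range(1, N) if gcd(a, N) == 1]


def phi(N):
    """Euler phi function: phi(N) = |Z_N^*|."""
    return len(units(N))


def order(a, N):
    """order(a): the smallest t >= 1 with a^t = 1 mod N (a must be a unit)."""
    t, x = 1, a % N
    while x != 1:
        x = x * a % N
        t += 1
    return t


def check_euler(N):
    """For every a in Z_N^*: order(a) divides phi(N), and hence a^phi(N) = 1 mod N."""
    ph = phi(N)
    return all(ph % order(a, N) == 0 and pow(a, ph, N) == 1 for a in units(N))


if __name__ == "__main__":
    print("inverse of 7 mod 40:", mod_inverse(7, 40))   # 7 * 23 = 161 = 4*40 + 1
    print("phi(15) =", phi(15), " order(2, 15) =", order(2, 15))
    print("Euler holds for 15 and 561:", check_euler(15), check_euler(561))
```

The subgroup {1, a, a^2, ..., a^{t-1}} from the proof is the cyclic group generated by a; order(a, N) is its size, and check_euler verifies the divisibility argument literally rather than just the final identity.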

Primality Testing for an n-bit number N

Ideally, we'd like a fast deterministic algorithm for primality that runs in time O(n^c) for some constant c > 0. Instead, we're going to give a randomized algorithm that, on input (N,k), has the following property:

1. If N is prime, then it always outputs "probably PRIME".

2. If N is composite, then it outputs "COMPOSITE" with probability at least 1 - 1/2^k.

So, if our algorithm says "probably prime", you don't have a 100% proof that the number is prime, but it is prime with quite high probability.

Theorem: On input N:

1. If N is prime, then for all a in Z_N^*, a^{N-1} = 1 mod N.

2. If N is composite AND there exists an a in Z_N^* such that a^{N-1} != 1 mod N, then for at least ½ of the a’s in Z_N^*, a^{N-1} != 1 mod N.

Proof:

By Euler's theorem (for prime N this is Fermat's little theorem), when N is prime phi(N) = N-1, and thus a^{N-1} = 1 mod N for all a in Z_N^*.

Let S = {a in Z_N^* : a^{N-1} = 1 mod N}. This set is a subset of Z_N^* which is closed under multiplication, closed under inverses, and contains the identity 1, so S is a subgroup of Z_N^*. We know that S != Z_N^* (since we assumed there exists an a in Z_N^* such that a^{N-1} != 1 mod N), and by the fact from group theory |S| divides |Z_N^*|, so |S| <= ½ |Z_N^*|. Hence at least ½ of Z_N^* is not in S, namely at least ½ of the a's satisfy a^{N-1} mod N != 1.

Can we make an algorithm out of this theorem?

Unfortunately, not yet, since there exist composite N such that for all a in Z_N^*, a^{N-1} mod N = 1. These are called Carmichael numbers; the smallest is 561. Fortunately, they are easy to recognize and even factor.
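The theorem and its limitation, made concrete (an added example, not from the lecture): the set S of "Fermat liars" is built for a modulus, checked to be a subgroup of Z_N^*, and its size compared with |Z_N^*|. For N = 15 exactly half the units are liars, so the ½ bound is tight; for N = 561 every unit is a liar, which is the Carmichael failure that keeps the theorem from being an algorithm on its own. Function names and the search limit 1000 are this example's own choices.

```python
from math import gcd


def units(N):
    """Z_N^* = {0 < a < N : gcd(a, N) = 1}."""
    return [a for a in range(1, N) if gcd(a, N) == 1]


def fermat_liars(N):
    """S = {a in Z_N^* : a^{N-1} = 1 mod N}, the units on which the Fermat test says 'prime'."""
    return [a for a in units(N) if pow(a, N - 1, N) == 1]


def is_subgroup(S, N):
    """Check the three subgroup properties used in the proof: identity, closure, inverses."""
    s = set(S)
    if 1 not in s:
        return False
    if any((a * b) % N not in s for a in S for b in S):
        return False
    return all(pow(a, -1, N) in s for a in S)   # pow(a, -1, N) is the inverse mod N


def fermat_witness_fraction(N):
    """Fraction of Z_N^* with a^{N-1} != 1 mod N; the theorem says >= 1/2 unless it is 0."""
    u = units(N)
    return (len(u) - len(fermat_liars(N))) / len(u)


def is_composite(N):
    """Trial division; fine for the small moduli used here."""
    return N > 1 and any(N % d == 0 for d in range(2, int(N ** 0.5) + 1))


def is_carmichael(N):
    """Composite N for which every unit is a Fermat liar."""
    return is_composite(N) and all(pow(a, N - 1, N) == 1 for a in units(N))


def smallest_carmichael(limit):
    """Smallest Carmichael number below limit, by exhaustive search."""
    return next(N for N in range(4, limit) if is_carmichael(N))


if __name__ == "__main__":
    print("liars mod 15:", fermat_liars(15), "subgroup:", is_subgroup(fermat_liars(15), 15))
    print("witness fraction for 15:", fermat_witness_fraction(15))
    print("liars mod 561:", len(fermat_liars(561)), "of", len(units(561)))
    print("smallest Carmichael number:", smallest_carmichael(1000))
```

fermat_witness_fraction(561) is 0: a random a never exposes 561 through a^{N-1} alone, which is why the Miller-Rabin test below looks at the square roots along the way to a^{N-1} instead.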

Putting it all together you get the following probabilistic primality test for N.

MILLER-RABIN PRIMALITY TEST

On input: N,k

Let N-1 = 2^t * r where r is odd.

Repeat k times:

Pick a in {1,...,N-1} at random.

If GCD(a,N) != 1, output COMPOSITE; else continue.

Compute a^r, a^{2r}, a^{4r}, ..., a^{2^t r} = a^{N-1} (mod N) by repeated squaring.

If a^{N-1} != 1 (mod N), then output COMPOSITE.

If for some e in {r, 2r, 4r, ...} we have a^e not in {1, -1} (mod N) but a^{2e} = 1 (mod N), then a^e is a nontrivial square root of 1 and GCD(a^e - 1, N) is a nontrivial factor of N; output COMPOSITE.

Otherwise, output "PROBABLY PRIME".
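The test as stated, in Python (an added implementation written for these notes, not the lecture's own code). One round computes a^r and squares it t times, so the chain a^r, a^{2r}, ..., a^{N-1} is walked in order; the first square that lands on 1 from a value other than ±1 yields the factor gcd(a^e - 1, N). Run on the Carmichael number 561 with base 2, the Fermat condition a^{560} = 1 holds, but the chain passes through 67, a nontrivial square root of 1, and gcd(66, 561) = 33 falls out. The fixed seed, the tuple return value and the function names are choices of this example.

```python
import random
from math import gcd


def decompose(N):
    """Write N - 1 = 2^t * r with r odd (the test's first step)."""
    t, r = 0, N - 1
    while r % 2 == 0:
        t += 1
        r //= 2
    return t, r


def miller_rabin_round(N, a):
    """One round of the test with base a.

    Returns (verdict, factor): verdict is "COMPOSITE" or "PROBABLY PRIME";
    factor is a nontrivial factor of N when the round found one, else None."""
    g = gcd(a, N)
    if g != 1:
        return "COMPOSITE", g                  # a shares a factor with N
    t, r = decompose(N)
    x = pow(a, r, N)                           # a^r mod N
    for _ in range(t):                         # walk a^r, a^{2r}, ..., a^{2^t r}
        y = pow(x, 2, N)                       # a^{2e} from a^e
        if y == 1 and x not in (1, N - 1):
            # a^e is a nontrivial square root of 1: (a^e - 1)(a^e + 1) = 0 mod N
            # with neither factor 0 mod N, so gcd(a^e - 1, N) is a proper factor.
            return "COMPOSITE", gcd(x - 1, N)
        x = y
    if x != 1:                                 # a^{N-1} != 1 mod N
        return "COMPOSITE", None
    return "PROBABLY PRIME", None


def miller_rabin(N, k, seed=0):
    """Miller-Rabin on input (N, k): k random bases, error <= 1/2^k when N is composite."""
    if N < 2:
        return "COMPOSITE", None
    if N in (2, 3):
        return "PROBABLY PRIME", None
    if N % 2 == 0:
        return "COMPOSITE", 2
    rng = random.Random(seed)                  # seeded only to make the example reproducible
    for _ in range(k):
        a = rng.randrange(1, N)                # a in {1, ..., N-1}
        verdict, factor = miller_rabin_round(N, a)
        if verdict == "COMPOSITE":
            return verdict, factor
    return "PROBABLY PRIME", None


if __name__ == "__main__":
    print("97:", miller_rabin(97, 10))
    print("561:", miller_rabin(561, 10))
    print("561 with base 2:", miller_rabin_round(561, 2))
```

The factor is returned alongside the verdict because for a Carmichael number it is the square-root check, not the Fermat check, that fires, and the gcd it produces is the "easy to factor" part of the remark above.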

The proof that this works uses the following key lemma:

KEY LEMMA: Suppose N is odd and Carmichael (in particular, N is not a prime power or a perfect square). Let r be odd with r < N. If there exists a in Z_N^* such that a^r != 1 (mod N), then at least half of the x in Z_N^* have x^r not in {-1, +1} (mod N); and such an a always exists.
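A numerical check of the lemma (an added example, not from the lecture): for N = 561 the test's odd exponent is r = 35 (560 = 2^4 * 35), and counting over Z_561^* shows 310 of the 320 units have x^35 outside {+1, -1}, far more than the half the lemma promises. Using the even exponent N-1 = 560 instead gives a count of 0, since 561 is Carmichael, which is why the odd r matters. The function names are this example's own.

```python
from math import gcd


def units(N):
    """Z_N^* = {0 < x < N : gcd(x, N) = 1}."""
    return [x for x in range(1, N) if gcd(x, N) == 1]


def odd_part(N):
    """The odd r with N - 1 = 2^t * r, the exponent the Miller-Rabin test starts from."""
    r = N - 1
    while r % 2 == 0:
        r //= 2
    return r


def not_pm1_count(N, r):
    """Number of x in Z_N^* with x^r not in {+1, -1} mod N."""
    return sum(1 for x in units(N) if pow(x, r, N) not in (1, N - 1))


def key_lemma_holds(N, r):
    """The lemma's conclusion: some a in Z_N^* has a^r != 1, and at least half
    of Z_N^* has x^r outside {+1, -1} mod N."""
    u = units(N)
    exists = any(pow(a, r, N) != 1 for a in u)
    return exists and 2 * not_pm1_count(N, r) >= len(u)


if __name__ == "__main__":
    N = 561
    r = odd_part(N)
    print("r =", r, " count not in {+1,-1}:", not_pm1_count(N, r), "of", len(units(N)))
    print("lemma holds for (561, 35):", key_lemma_holds(N, r))
    print("with the even exponent 560 the count is", not_pm1_count(N, N - 1))
```

The count 310 can be confirmed by hand through the Chinese remainder theorem with 561 = 3 * 11 * 17: x^35 is ±1 mod 561 only when it is ±1 mod each prime, which leaves 5 + 5 = 10 units, so 320 - 10 = 310 are neither.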