Discrete Mathematics
Theorem 3.4 (Prime density theorem)
$$\lim_{n \to \infty} \frac{\pi(n)\ln(n)}{n} = 1$$
In essence, the prime density theorem says that for sufficiently large $n$ the value $\pi(n)$ is about $n/\ln(n)$ and that roughly every $\ln(n)$th number of the size of $n$ is prime. For example, $\ln(10^{100}) \approx 230$. This means that about 1 in 230 (115) integers (odd integers) with 100 decimal digits is a prime. More specifically, it is known that
$$\pi(n) \geq \frac{n}{\ln(n)}$$
for $2 < n \in \mathbb{N}$ and that
$$\pi(n) \leq 1.10555 \, \frac{n}{\ln(n)}$$
for $17 \leq n \in \mathbb{N}$. Consequently, $\pi(n) \approx n/\ln(n)$ is indeed a very good approximation for almost all $n \in \mathbb{N}$.
There are several open conjectures on prime numbers. For example, it is conjectured that there exist infinitely many twin primes (i.e., primes $p$ for which $p + 2$ is also prime), and that every even number is the sum of two primes. We don’t elaborate on these issues in this book.
3.2.4.3 Generating Large Primes
In cryptographic applications, one often needs large primes, and there are two methods for generating them:
• One can construct provable primes;
• One can randomly choose large odd numbers and apply primality (or compositeness) tests.
There are only a few algorithms to construct provable primes (e.g., [7]), and in practice one randomly chooses large odd numbers and applies primality (or compositeness) tests. If a number turns out to be composite, then it is discarded and the next odd number is taken into consideration. The primality decision problem as captured in Definition 3.27 has attracted many mathematicians in the past.
Definition 3.27 (Primality decision problem) Given a positive integer $n \in \mathbb{N}$, decide whether $n \in \mathbb{P}$ (i.e., $n$ is prime) or not (i.e., $n$ is composite).
There are a couple of algorithms to address the primality decision problem. Most of them are probabilistic.17 Only a few deterministic primality testing algorithms are efficient (i.e., run in polynomial time). They are, however, much less efficient than their probabilistic counterparts. From a theoretical viewpoint, however, knowing efficient deterministic primality testing algorithms means that the primality decision problem is in the complexity class P (as introduced in Definition 6.6). This fact was proven in 2002.18
Numbers that are not truly known to be prime, but which have passed some probabilistic primality tests, are called probable primes or pseudoprimes. Sometimes, the term “pseudoprime” is also used to refer to a nonprime (i.e., a composite number) that has nevertheless passed a probabilistic primality test. For the purpose of this book, however, a pseudoprime is a (prime or composite) number $n$ that has passed some specified probabilistic primality tests. Each of these tests makes use of one or several randomly chosen auxiliary numbers $1 < a < n$. If such an $a$ tells us that $n$ is likely prime (composite), then $a$ is a witness to the primality (compositeness) of $n$. A problem is that a significant fraction of numbers between 2 and $n-1$ may be false witnesses (sometimes called liars) to the primality of $n$, meaning that they tell us $n$ is prime when it’s not. Thus, part of the issue is to be sure that a large fraction of the numbers $a$ in the range $1 < a < n$ are true witnesses to either the primality or the compositeness of $n$. As discussed later, the fatal flaw in the Fermat test is that there are composite numbers for which there are no witnesses. The other two probabilistic primality tests have no such flaw.
17 The probabilistic primality testing algorithms can be converted into deterministic algorithms if the Extended Riemann Hypothesis is true. Many mathematicians believe that this hypothesis is true, and there is no simple evidence to the contrary.
Trial Division
The simplest (deterministic) primality testing algorithm for a positive integer $n \in \mathbb{N}$ is to test whether there exists a prime between 2 and $\sqrt{n}$ that divides $n$. If such a number exists, then $n$ is not prime (i.e., it is composite) and the algorithm can abort. If, however, such a number does not exist, then $n$ is prime. In the literature, this algorithm is commonly referred to as trial division. It requires a list of known prime numbers between 2 and $\sqrt{n}$. As a consequence of the prime density theorem (i.e., Theorem 3.4), one must perform
$$\frac{\sqrt{n}}{\ln\sqrt{n}}$$
trial divisions to show that $n$ is a prime. For example, in a typical cryptographic setting, $n$ is larger than $10^{75}$. In this case, one must perform
$$\frac{\sqrt{10^{75}}}{\ln\sqrt{10^{75}}} > 3.5 \cdot 10^{35}$$
trial divisions. This is computationally infeasible, and hence the trial division algorithm cannot be used for numbers of a certain size. All major primality testing algorithms that work for large numbers are probabilistic.
Fermat Test
In the 17th century, Pierre de Fermat19 proved Theorem 3.7 (also known as Fermat’s Little Theorem), which can be turned into a simple primality testing algorithm. Fermat’s Little Theorem states that for any prime number $p$ and any number $a$ not divisible by $p$, the equivalence $a^{p-1} \equiv 1 \pmod{p}$ must hold. Consequently, one can test the primality (or rather the compositeness) of $n$ by randomly choosing a value for $a$ (not divisible by $n$) and computing $a^{n-1} \pmod{n}$. If this value is not equal to 1, then $n$ is definitively not a prime (and we have found a witness for the compositeness of $n$, respectively). Unfortunately, the converse is not true and finding an $a$ for which $a^{n-1} \equiv 1 \pmod{n}$ does not imply that $n$ is prime.20 In fact, there is an entire class of composite numbers for which $a^{n-1} \equiv 1 \pmod{n}$ holds for all $a$. These numbers are called Carmichael numbers.21 Because it is not able to correctly handle Carmichael numbers, the Fermat test is not widely deployed in practice. Instead, either the Solovay-Strassen test or the Miller-Rabin test is used.
19 Pierre de Fermat was a French mathematician who lived from 1607 to 1665.
20 For this reason, the Fermat test (and the two other tests mentioned later) is referred to as a compositeness test.
Solovay-Strassen Test
The Solovay-Strassen test is a probabilistic compositeness testing algorithm that was developed by Robert Solovay and Volker Strassen in 1976. It can prove the compositeness of a large number $n$ with certainty, but it can prove the primality of $n$ only with a certain probability.
The Solovay-Strassen test makes use of some facts related to quadratic residuosity that we introduce in Section 3.3.7. More specifically, the test employs and takes advantage of the fact that if $n$ is prime, then the Legendre symbol
$$\left(\frac{a}{n}\right)$$
and
$$a^{\frac{n-1}{2}} \pmod{n}$$
must be equal for every $1 \leq a \leq n-1$ (according to Euler’s criterion stated in Theorem 3.9 on page 93). Consequently, if one finds an $a$ for which the two values are different, then $n$ must be composite (and $a$ is a witness for the compositeness of $n$, respectively). Let $n$ be a large odd number for which we want to decide whether it is prime or composite. We execute the Solovay-Strassen test multiple times. In each execution, we randomly choose an integer $a$ between 1 and $n-1$ and compute both the Legendre symbol $(a|n)$ and $a^{(n-1)/2} \pmod{n}$. If the two values are not the same, then $n$ is composite and $a$ is a witness for the compositeness of $n$. In this case, the algorithm can abort. Otherwise (i.e., if the two computed values are the same), the algorithm must continue with the next value of $a$. If we execute the test $k$ times and two computed values are the same for all $k$ values of $a$, then we can say that $n$ is prime with probability at least $1 - 2^{-k}$.
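The contrast between the Fermat test and the Solovay-Strassen test on the Carmichael number 561, as an added example that is not code from the book. It computes the Jacobi symbol, which coincides with the Legendre symbol when n is prime; all function names are chosen here for illustration.

```python
import math
import random

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a|n) for odd n > 0; equals the Legendre symbol if n is prime."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # (2|n) = -1 exactly when n ≡ 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0     # 0 means gcd(a, n) > 1

def fermat_witness(a: int, n: int) -> bool:
    """True if a proves n composite because a^(n-1) != 1 (mod n)."""
    return pow(a, n - 1, n) != 1

def euler_witness(a: int, n: int) -> bool:
    """True if a proves n composite because (a|n) and a^((n-1)/2) mod n differ."""
    j = jacobi(a, n)
    return j == 0 or pow(a, (n - 1) // 2, n) != j % n

def solovay_strassen(n: int, k: int = 20, rng=random) -> bool:
    """False: n is certainly composite. True: n is prime with probability >= 1 - 2^-k."""
    if n < 3 or n % 2 == 0:
        return n == 2
    return not any(euler_witness(rng.randrange(1, n), n) for _ in range(k))

def count_witnesses(n: int, is_witness) -> int:
    """Number of bases a coprime to n (1 <= a < n) that expose n as composite."""
    return sum(is_witness(a, n) for a in range(1, n) if math.gcd(a, n) == 1)

if __name__ == "__main__":
    # 561 = 3 * 11 * 17 is the smallest Carmichael number
    print("Fermat witnesses coprime to 561:", count_witnesses(561, fermat_witness))
    print("Euler witnesses coprime to 561: ", count_witnesses(561, euler_witness))
```

Of the 320 bases coprime to 561, none is a Fermat witness, while three quarters of them are witnesses under Euler's criterion.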
Miller-Rabin Test
The Miller-Rabin test is another probabilistic compositeness testing algorithm that was developed by Gary Miller and Michael O. Rabin in the late 1970s. Similar to the Fermat and Solovay-Strassen tests, the Miller-Rabin test can prove the compositeness of a large number $n$ with certainty, but it can prove the primality of $n$ only with a certain probability.
21 It can be shown that a Carmichael number must be odd, square free, and divisible by at least 3 prime numbers. For example, the smallest Carmichael number is $561 = 3 \cdot 11 \cdot 17$.
The underlying idea of the Miller-Rabin test is that if $n$ is a prime, then 1 should have only 2 square roots in $\mathbb{Z}_n$, namely $\pm 1$. Alternatively speaking, if $n$ is nonprime, then there are at least 2 elements $x$ of $\mathbb{Z}_n$ with $x^2 \equiv 1 \pmod{n}$ but $x \neq \pm 1$. That is, there will be more square roots of 1 than there should be. The Miller-Rabin test itself is based on the properties of strong pseudoprimes. If we want to test the primality of a large odd number $n = 2^r s + 1$, then we randomly choose an integer $a$ between 1 and $n-1$. If
$$a^s \equiv 1 \pmod{n}$$
or
$$a^{2^j s} \equiv -1 \pmod{n}$$
for some $0 \leq j \leq r-1$, then $n$ passes the test for this value of $a$ (i.e., $a$ is not a witness for the compositeness of $n$). Unfortunately, a number that passes the test is not necessarily prime. In fact, it can be shown that a composite number passes the test for at most 1/4 of the possible values for $a$. Consequently, if $k$ tests are performed on a composite number $n$, then the probability that it passes each test is at most $1/4^k$. This means that the error probability can be made arbitrarily small.
Note that the operation of the Miller-Rabin test is quite simple, though; it is even simpler than that of the Solovay-Strassen test. Consequently, the Miller-Rabin test is the primality (or compositeness) testing algorithm of choice for all practical purposes.
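The Miller-Rabin test and the candidate search from Section 3.2.4.3 (draw a random odd number, test it, move to the next odd number if it is composite), as an added example that is not code from the book. The function names, the default of k = 40 rounds, and the use of Python's secrets module as the random source are assumptions made here.

```python
import secrets

def mr_passes(a: int, n: int) -> bool:
    """True if odd n = 2^r * s + 1 passes the Miller-Rabin test for base a."""
    r, s = 0, n - 1
    while s % 2 == 0:
        r, s = r + 1, s // 2
    x = pow(a, s, n)
    if x == 1 or x == n - 1:           # a^s ≡ 1, or a^(2^j s) ≡ -1 with j = 0
        return True
    for _ in range(r - 1):             # j = 1 .. r-1
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False                       # a is a witness: n is certainly composite

def is_probable_prime(n: int, k: int = 40) -> bool:
    """A composite n survives all k rounds with probability at most 1/4^k."""
    if n < 5:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    # Bases come from a CSPRNG in 2 .. n-2 (the bases 1 and n-1 always pass).
    return all(mr_passes(2 + secrets.randbelow(n - 3), n) for _ in range(k))

def generate_prime(bits: int, k: int = 40) -> int:
    """Random odd candidate with the top bit set; step to the next odd number on failure."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        while n.bit_length() == bits:  # redraw if stepping overflows the size
            if is_probable_prime(n, k):
                return n
            n += 2

def strong_liars(n: int) -> int:
    """Count the bases 1 <= a <= n-1 for which a composite n passes the test."""
    return sum(mr_passes(a, n) for a in range(1, n))

if __name__ == "__main__":
    # 561 fools the Fermat test for every coprime base, but few bases here
    print("strong liars for 561:", strong_liars(561), "of 560 bases")
    print("256-bit probable prime:", generate_prime(256))
```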
3.2.5 Factorization
First of all, it can be shown that a prime $p$ that divides the product $ab$ of two natural numbers $a$ and $b$ divides at least one of the two factors (i.e., $a$ or $b$). To prove this fact, we assume that $p$ divides $ab$ but not $a$ and show that $p$ must then divide $b$. Because $p$ is a prime, we have $\gcd(a, p) = 1$ and hence there exist $x, y \in \mathbb{N}$ with $\gcd(a, p) = 1 = ax + py$ [refer to (3.1)]. This equation can be multiplied with $b$ to get $b = abx + pby$. Obviously, $p$ divides $abx$ and $pby$ (the right side of the equation), so $p$ must also divide $b$ (the left side of the equation).
This result can be generalized to more than two factors. In fact, if $p$ divides a product
$$\prod_{i=1}^{k} q_i$$
of prime factors, then $p$ must be equal to one of the prime factors $q_1, \ldots, q_k$. This result can be proven by induction over $k$ (using the result given earlier).
One of the fundamental theorems of integer arithmetic says that every natural number $n \in \mathbb{N}$ has a unique prime factorization. This is Theorem 3.5, and it was first proved by Gauss in 1801. We provide the theorem without a proof.
Theorem 3.5 (Unique factorization) Every natural number $n \in \mathbb{N}$ can be factored