Prime Numbers


thales.doa.fmph.uniba.sk
10.12.2012

7.6 Elliptic curve primality proving (ECPP) 369

constant $k$. Their idea is to find appropriate curves with orders that have large enough "probable prime" factors, and recurse on the notion that these factors should in turn be provably prime. In each recursive level but the last, Theorem 7.6.1 is used with $s$ the probable prime factor of the curve order. This continues for smaller and smaller probable primes, until the number is so small it may be proved prime by trial division. This, in turn, justifies all previous steps, and establishes the primality of the starting number $n$.

Algorithm 7.6.2 (Goldwasser–Kilian primality test). Given a nonsquare integer $n > 2^{32}$ strongly suspected of being prime (in particular, $\gcd(n, 6) = 1$ and presumably $n$ has already passed a probable prime test), this algorithm attempts to reduce the issue of primality of $n$ to that of a smaller number $q$. The algorithm returns either the assertion "$n$ is composite" or the assertion "If $q$ is prime then $n$ is prime," where $q$ is an integer smaller than $n$.

1. [Choose a pseudocurve over $\mathbb{Z}_n$]
   Choose random $(a, b) \in [0, n-1]^2$ such that $\gcd(4a^3 + 27b^2, n) = 1$;
2. [Assess curve order]
   Via Algorithm 7.5.6 calculate the integer $m$ that would be $\#E_{a,b}(\mathbb{Z}_n)$ if $n$ is prime (however, if the point-counting algorithm fails, return "$n$ is composite");
   // If $n$ is composite, Algorithm 7.5.6 could fail if each candidate for $t \pmod{l}$ is rejected or if the final curve order is not in the interval $(n + 1 - 2\sqrt{n},\ n + 1 + 2\sqrt{n})$.
3. [Attempt to factor]
   Attempt to factor $m = kq$ where $k > 1$ and $q$ is a probable prime exceeding $(n^{1/4} + 1)^2$, but if this cannot be done according to some time-limit criterion, goto [Choose a pseudocurve ...];
4. [Choose point on $E_{a,b}(\mathbb{Z}_n)$]
   Choose random $x \in [0, n-1]$ such that $Q = (x^3 + ax + b) \bmod n$ has Jacobi symbol $\left(\frac{Q}{n}\right) \ne -1$;
   Apply Algorithm 2.3.8 or 2.3.9 (with $a = Q$ and $p = n$) to find an integer $y$ that would satisfy $y^2 \equiv Q \pmod{n}$ if $n$ were prime;
   if($y^2 \bmod n \ne Q$) return "$n$ is composite";
   $P = (x, y)$;
5. [Operate on point]
   Compute the multiple $U = [m/q]P$ (however, if any illegal inversions occur, return "$n$ is composite");
   if($U == O$) goto [Choose point ...];
   Compute $V = [q]U$ (however, check the above rule on illegal inversions);
   if($V \ne O$) return "$n$ is composite";
   return "If $q$ is prime, then $n$ is prime";

The correctness of Algorithm 7.6.2 follows directly from Theorem 7.6.1, with $q$ playing the role of $s$ in that theorem.

370 Chapter 7 ELLIPTIC CURVE ARITHMETIC

In practice one would iterate the algorithm, getting a chain of inferences, with the last number $q$ so small it can be proved prime by trial division. If some intermediate $q$ is composite, then one can retreat one level in the chain and apply the algorithm again. Iterating the Goldwasser–Kilian scheme not only provides a rigorous primality test but also generates a certificate of primality. This certificate can be thought of as the chain
$$(n = n_0, a_0, b_0, m_0, q_0, P_0),\ (q_0 = n_1, a_1, b_1, m_1, q_1, P_1),\ \ldots$$
consisting of consecutive $n, a, b, m, q, P$ entities along the recursion. The primary feature of the certificate is that it can be published alongside, or otherwise associated with, the original $n$ that is proven prime. This concise listing can then be used by anyone who wishes to verify that $n$ is prime, using Theorem 7.6.1 at the various steps along the way. The reconstruction of the proof usually takes considerably less time than the initial run that finds the certificate. The certificate feature is nontrivial, since many primality proofs must be run again from scratch if they are to be checked.

It should be noted that the elliptic arithmetic in Algorithm 7.6.2 can be sped up using Montgomery coordinates $[X : Z]$ with "$Y$" dropped, as discussed in Section 7.2.

To aid in the reader's testing of any implementations, we now report a detailed example. Let us take the prime $p = 10^{20} + 39$. On the first pass of Algorithm 7.6.2, we use $n = p$ and obtain random parameters in Step [Choose a pseudocurve ...] as
$$a = 69771859804340235254,\qquad b = 10558409492409151218,$$
for which $4a^3 + 27b^2$ is coprime to $n$. The number that would be the order of $E_{a,b}(\mathbb{Z}_n)$ if $n$ is indeed prime is found, via Algorithm 7.5.6, to be
$$m = \#E = 99999999985875882644 = 2^2 \cdot 59 \cdot 1182449 \cdot q,$$
where 2, 59, 1182449 are known primes (falling below the threshold $2^{32}$ suggested in the algorithm description), and $q = 358348489871$ is a probable prime. Then, in Step [Choose point ...] the random point obtained is
$$P = [X : Z] = [31689859357184528586 : 1],$$
where for practical simplicity we have adopted Montgomery parameterization, with a view to using Algorithm 7.2.7 for elliptic multiples. Accordingly, it was found that
$$U = [m/q]P = [69046631243878263311 : 1] \ne O,\qquad V = [q]U = O.$$
Therefore, $p$ is prime if $q$ is. So now we assign $n = 358348489871$ and run again through Algorithm 7.6.2. In so doing the relevant values encountered are
$$a = 34328822753,\qquad b = 187921935449,\qquad m = \#E = 358349377736 = 2^3 \cdot 7 \cdot 7949 \cdot 805019,$$