Chapter 2 Mathematical Foundations of Public-Key Cryptography

2.3.4 Modular exponentiation

Computing numbers of the type

, can be very

time-consuming, using the traditional step-by-step multiplication (for e 1 multiplications) and

applying the modulo after each multiplication (for e 1 modulo operations). A more powerful
and time-conserving solution to this challenge is the repeated squaring modular
exponentiation method.

Applying the repeated squaring modular exponentiation method: [wiki]

1) Convert the exponent e to binary notation, that is write the exponent as
,
2) Using 1), write
3)

and

compute

4) Using 2) and 3), determine

Example:
Let

. Compute

Steps:
1)
2)

3)

30

Chapter 2 Mathematical Foundations of Public-Key Cryptography

4)

Computational algorithm: [Sch96]

Prototype: function ModularExponentiation(b, e, n) : result
Input: b, e, n

,n

Output: result

2, b < n

, result =

mod n

Pseudocode:
if (b = 0) then
result := 0
else if (e = 0) then
result := 1
else
while e > 0
if (e mod 2 = 1) then
result := (result * b) mod n
endif
e := e / 2
b := (b * b) mod n
endwhile
endif
return result

31

Chapter 2 Mathematical Foundations of Public-Key Cryptography

Computational algorithm:
Prototype: function SolveEquationModN(m, n, x) : xFinal
Input:

a set of primes such that

vector of size (m, 2), with x[i,1], x[i,2]

, x[i,1], x[i,2]

,x

is the solution vector to the equations

Output: the solution vector xFinal of size

, xFinal[j]

, xFinal[j] < n,

Pseudocode:
solutionIndex := 1
call BackTrackSolutionsModN(m, n, x, 1, solutionIndex, xFinal)
return xFinal

2.4 Primality testing methods

A primality test is an algorithm used to determine whether or not a given number

is prime. It is important to distinguish between primality testing and integer factorization

testing. Although in the case of nave primality tests, the integer factorization is implicit,
competent primality tests do not involve the decomposition (if any) of the candidate prime into
its proper factors.

Types of primality tests: [wiki]

nave (inefficient deterministic methods) - trial division, Sieve of Eratosthenes
slow deterministic methods (requiring exponential time) - cyclotomy test, elliptic curve
primality test
fast deterministic methods (requiring polynomial time) - AKS primality test [Agr04]
probabilistic methods (requiring polynomial time) - Fermat, Solovay-Strassen, MillerRabin primality tests

For cryptography purposes, the fastest and most efficient primality tests are the probabilistic ones
(with the Miller-Rabin test being the most effective), their downside residing in the fact that,
regardless of the number of test iterations applied on the candidate prime, the candidate number
45

Chapter 2 Mathematical Foundations of Public-Key Cryptography

cannot be proven to be prime with 100% confidence, although its compositeness (if any) can be
established with absolute certainty.

2.4.1 Fermat primality test

Let

and

. The map

Eulers totient function. [Cri06]

Eulers totient function properties: [Cri06]

1) if

2) if p is prime,
3) if
4) if

, p prime,
,

Fig.2.3 Eulers totient function

46

is called

Chapter 2 Mathematical Foundations of Public-Key Cryptography

Euler totient theorem [Sta05]

Let

, then

Fermats little theorem [Men96]

Let

prime and

. Then,

. Fermats little theorem is a

particular case of Eulers totient theorem, in which

is a prime number, and, by applying the

.

property 2) of Eulers totient function, we obtain

Fermats primality test

Let

Let

. If

, then

odd and composite,

is prime.

. Then,

. [Men96] Put slightly differently,

is said to be pseudoprime to the base , if

is a number pretending to be prime, by

passing the Fermat test for a given base . The probability of a composite number
Fermats tests for

is at most

different bases

passing

. [Cri06] After passing 6 different

Fermats tests, the probability that the tested number is prime is at least

A defining weakness of Fermats test are the Carmichael numbers. A natural composite number
is called a Carmichael number, if it passes Fermats test for any base . It has been proven that,
for a large-enough , the number of Carmichael numbers less than

is greater than

, and, as a

consequence to this fact, that the set of Carmichael numbers is infinite [Men96].

Distinguishing the Carmichael numbers

,

Let

odd and composite. Let

be a set of primes, such that

.
if

, for some

if

and

, then

is not a Carmichael number

, for every

47

, then

is a Carmichael number

Chapter 2 Mathematical Foundations of Public-Key Cryptography

Carmichael number example:

. Let

Let

, such that
and

. Also,
. Therefore,

is a Carmichael number.

Fermats primality test example:

Let
1)
2)
3)
4)
5)
6)
Seeing that, for 6 bases of our choosing, the number
primality test, we can conclude that

has passed Fermats

is a prime, with a probability of at least

Let
1)
The number
conclude that

failed Fermats primality test for the base

, therefore we can

is not a prime, with complete confidence.

Computational algorithm: [Cri06]

Prototype: function FermatTest(n, k) : res
Input: n

N, n

3, k

Output: res

, corresponding to

complete certainty) or prime

Pseudocode:
for i :=1 to k do
Randomly choose a, 1 < a < n - 1
result := ModularExponentiation(a, n - 1, n)
48

being either composite (with

Chapter 2 Mathematical Foundations of Public-Key Cryptography

if (result

1) then

return COMPOSITE
endif
endfor
return PRIME

2.4.2 Miller-Rabin primality test

Let

. Uniquely write

be a prime number,
,

as

odd. Let

odd. Let

. Then, either:

or
, for some

[Men96]

Miller-Rabin primality test

Let

. Uniquely express

be an odd number,
,

as

. If either:

or
, for some
then

is prime.

A natural composite number

pseudoprime to the base

, if either

or

. Regarded from a distinct perspective,

the Miller-Rabin test for a given base
passing the Miller-Rabin test for

odd, is said to be strong

, for some

is a number acting as a prime, by passing

. The maximum probability of a composite number

different bases

is

[Cri06]. After passing 3

different Miller-Rabin tests, the probability that the tested number is prime is at least
.

49

Chapter 2 Mathematical Foundations of Public-Key Cryptography

Miller-Rabin primality test example:

Let

1)

1.
2.
3.
4.
5.

2)

1.
2.
3.
4.
5.
6.

3)

1.
2.
3.
4.
5.

Observing that our number

bases, we can infer that

has passed the Miller-Rabin test for 3 different

is a prime, with a probability of at least

Let

1)

1.

50

Chapter 2 Mathematical Foundations of Public-Key Cryptography

2.
Seeing that our number
can claim that

has failed the Miller-Rabin test for the base

, we

is not a prime, with complete confidence.

Computational algorithm: [Cri06]

Prototype: function MillerRabinTest(n, k) : res
Input: n

N, n

3, k

Output: res

, corresponding to

complete certainty) or prime

Pseudocode:
, r,s

Write

, r odd

for i :=1 to k do
Randomly choose a, 1 < a < n - 1
result := ModularExponentiation(a, r, n)
if ( (result

1) and (result

n - 1) ) then

j :=1
while ( (j

s - 1) and (result

n - 1) ) do

result := (result * result) mod n

if (result

1) then

return COMPOSITE
endif
j := j + 1
endwhile
if (result

n - 1) then

return COMPOSITE
endif
endif
endfor
return PRIME

51

being either composite (with

Chapter 2 Mathematical Foundations of Public-Key Cryptography

2.4.3 The Miller-Rabin test vs. Fermats test

Correctness. The Miller-Rabin test is a significant improvement over Fermats test in
terms of correctness, since, unlike Fermats, it does not contain a characteristic weakness
regarding a particular type of numbers (like Fermats Carmichael numbers) that would
render the test completely ineffective for that category of numbers.

Speed. The Miller-Rabin average-case amount of computations is much smaller than

Fermats, becoming approximatively equal to Fermats amount of computations only for
the worst-case.

The algorithms for both tests employ operations of the same computational
complexity.

Both tests can determine composite numbers with absolute certainty. Since the set
of strong liars (bases for which a given composite number

passes the Miller-

Rabin test) is a narrow subset of the set of Fermat liars (bases for which a given
composite number

passes Fermats test), the Miller-Rabin test generally requires

a smaller amount of bases, to be tested against a number

in order to prove its

compositeness, than Fermats.

Fermat liars for

strong liars for

Fig. 2.4 Relationship between the Fermat and the strong liars for any composite
number

52

[Men96]

Chapter 2 Mathematical Foundations of Public-Key Cryptography

The probability that a natural number

dependent on the amount

is a prime, is, for both tests, directly

of bases tested against

probability of a number being prime is at least

and at least

. However, since the

for the Miller-Rabin test

for Fermats test, it becomes clear that the Miller-Rabin test

requires only half of the bases Fermats test would need in order to achieve the
same confidence on the primality of .

53