Upload
danrcg
View
237
Download
0
Embed Size (px)
Citation preview
8/11/2019 Fermat and Mersenne Numbers
1/22
1
Fermat and Mersenne Numbers
Tutorial
R01942039
8/11/2019 Fermat and Mersenne Numbers
2/22
2
Content
1 Introduction .......................................................................................................... 2
2 Background of Fermat Numbers ........................................................................5
3 Geometric Interpretation of Fermat Numbers ................................................. 7
4 Factoring Status of Fermat Numbers ..................Error! Bookmark not defined.
5 Basic Properties of Fermat Numbers ............................................................... 10
6 Primality of Fermat Numbers .......................................................................... 12
7 Infinitude of Fermat Primes .................................Error! Bookmark not defined.
8 Divisibility of Fermat Numbers ............................ Error! Bookmark not defined.
9 Mersenne Numbers and Fermat Numbers ..........Error! Bookmark not defined.
10 Applications of Prime numbers ........................................................................ 17
11 Reference ............................................................................................................ 22
8/11/2019 Fermat and Mersenne Numbers
3/22
3
1. Introduction
Prime numbers are widely studied in the field of number theory and it has many
beautiful properties and applications. Euclid first proved that the number of primes is
infinite. There is no largest prime number as much as there is no largest number!Euclid started by looking at the known primes and adding one to their product. For
example both 2 and 3 are primes: their product + 1 is also a prime: 2*3+1=7. The nice
but not beautiful thing about this is that sometimes this algorithm will produce primes
and sometimes it will not!
Although Euclid did not find the way to using this procedure to find only primes,
he did find that this can easily be used to show that there are infinitely many primes!!
Proof:Let us suppose that are prime numbers. Multiply them together andadd 1, calling this number a new integer q . If q is a prime number, then we have a
new prime. If q is not a prime, it must be divisible by a prime number r . But r cannot
be or any other from our original list of prime numbers, because if you divide qbyany of you will get a remainder 1, which means that q is not divisible byany of these prime numbers. So r is a new prime. Whichever way you choose to look
at it, either you have found a new prime q, or if q is not a prime, than you have found
that it has a new prime for a prime factor.
Fig.1 Counting function of prime numbers.
The distribution of primes seems to be complicated and a little bit random. The
sequence of primes can be presented graphically in terms of a step
function or counting function which is traditionally denoted . The height of the graph at horizontal positionxindicates the number of primes less than or equal
tox. Hence at each prime value ofxwe see a vertical jump of one unit. The positions
8/11/2019 Fermat and Mersenne Numbers
4/22
4
of primes constitute just about the most fundamental, inarguable, nontrivial
information available to our consciousness. Zooming much further, we would expect
to see the "granular" nature of the actual graph vanish into the pixelation of thescreen.
Fig.2 Approximate byx/log x.
In 1896, de la Valee Poussin and Hadamard simultaneously proved what had been
suspected for several decades, and what is now known as theprime number theorem:
(1)
In words, the (discontinuous) prime counting function is asymptoticto the(smooth) logarithmic functionx/logx. This means that the ratio of tox/logxcan
be made arbitrarily close to 1 by considering large enoughx. Hencex/logxprovides
an approximation of the number of primes less than or equal to x, and if we take
sufficiently largex this approximation can be made as accurate as we would like(proportionally speaking - very simply, as close to 100% accuracy as is desired).
0 1000 2000 3000 4000 5000 6000 7000 8000 9000 100000
200
400
600
800
1000
1200
1400
(x)
x/ln(x)
http://empslocal.ex.ac.uk/people/staff/mrwatkin/zeta/pnt.htmhttp://empslocal.ex.ac.uk/people/staff/mrwatkin/zeta/pnt.htmhttp://empslocal.ex.ac.uk/people/staff/mrwatkin/zeta/pnt.htmhttp://empslocal.ex.ac.uk/people/staff/mrwatkin/zeta/pnt.htm8/11/2019 Fermat and Mersenne Numbers
5/22
5
2. Background of Fermat Numbers
One approach to investigate prime numbers is to study numbers of a certain form.
For example, it has been proven that there are infinitely many primes in the form a +
nd, where d 2 and gcd(d, a) = 1 (Dirichlets theorem). On the other hand, it isstill an
open question to whether there are infinitely many primes of the form + 1
In this paper, we will discuss in particular numbers of the form 2
+ 1 where nis a nonnegative integer. They are called Fermat numbers, named after the French
mathematician Pierre de Fermat (16011665) who first studied numbers in this form.
It is still an open problem to whether there are infinitely many primes in the form of
2
+ 1. We will not be able to answer this question in this paper, but we will provesome basic properties of Fermat numbers and discuss their primality and divisibility.
We will also briefly mention numbers of the form 2 1n
where n is a positive integer.
They are called Mersenne numbers, named after the French mathematician Marin
Mersenne. In section 9, we will see how Mersenne numbers relate to the primality of
Fermat numbers.
Pierre de Fermat (16011665) Marin Mersenne (15881648)
Fig.3 Fermat and Marin Mersenne.
Fermat first conjectured that all the numbers in the form of 2
+ 1 are primes.However, in 1732, Leonhard Euler refuted this claim by showing that F5 =2 + 1=4,294,967,297 = 641 x 6,700,417 is a composite. Euler proved that every factor
ofFn must have the form k2n+1 + 1 (later improved to k2n+2 + 1 byLucas1). It is
1 A theorem ofdouard Lucas:Any prime divisor p of Fn=2
+ 1 is of the formk2n+2+ 1.
http://en.wikipedia.org/wiki/%C3%89douard_Lucashttp://en.wikipedia.org/wiki/%C3%89douard_Lucashttp://en.wikipedia.org/wiki/%C3%89douard_Lucashttp://en.wikipedia.org/wiki/%C3%89douard_Lucashttp://en.wikipedia.org/wiki/%C3%89douard_Lucas8/11/2019 Fermat and Mersenne Numbers
6/22
6
widely believed that Fermat was aware of the form of the factors later proved by Euler,
so it seems curious why he failed to follow through on the straightforward calculation
to find the factor. One common explanation is that Fermat made a computational
mistake and was so convinced of the correctness of his claim that he failed to
double-check his work.It then became a question to whether there are infinitely many primes in the form
of 2
+ 1. Primes in this form are called Fermat primes. Up-to-date there are onlyfive known Fermat primes. (See section4 for more details on the current status of
Fermat numbers.) In fact, little is known about Fermat numbers with large n. Each of
the following is still an open problem:
1. IsFncomposite for all n> 4?
2. Are there infinitely many Fermat primes?
3. Are there infinitely many composite Fermat numbers?In 1796, the German mathematician Carl Friedrich Gauss (1977 1855) found an
interesting relationship between the Euclidean construction (i.e. by ruler and compass)
of regular polygons and Fermat primes. His theorem is known as Gausss Theorem.
Gausss Theorem:
There exists an Euclidean construction of the regular n- polygons if and only if
n = 2 , where n 3,i 0, j 0, and are distinct Fermat primes.
Gausss theorem implies that all 2-gons for n 2 are constructible. Moreover, sinceso far only five Fermat numbers are known to be prime, it implies that for n odd, there
are only 2 1 = 31 n-gons that are known to be Euclidean constructible. If it turnsout that there is only a finite number of Fermat primes, then this theorem would imply
that there is only a finite number of Euclidean constructible n-gons for n odd. The
figure below shows five Euclidean constructible n-gons.
Fig. 4 Triangle, pentagon, heptadecagon, 257-gon and 65537-gon.
http://en.wikipedia.org/wiki/Composite_numberhttp://en.wikipedia.org/wiki/Composite_number8/11/2019 Fermat and Mersenne Numbers
7/22
7
3. Geometric Interpretation of Fermat Numbers
As Gausss theorem suggests, Fermat numbers might be closely related to some
of the problems in Geometry. It is hence useful if we can understand what they mean
geometrically. A Fermat number Fn = 2 + 1 (for n 1) can be thought of as a
square whose side length is 2
plus a unit square (see figure5). Hence, determining
whether a (Fermat) number is a composite or not is equivalent to determining whether
we can rearrange the unit-square blocks to form a rectangle. Moreover, determining
whether an integer d divides a (Fermat) number is the same as deciding whether we
can reorganize the blocks to form a rectangle with base d; or alternatively, we can also
think of it as determining whether we can fill the area with a number of rd
unit-square blocks for some integer r (see figure5).
F2 = 4 + 1 = 17
F2 = 17 is not a composite because no matter how you
rearrange the blocks, you cannot get a rectangle.
F2 = 17 is not divisible by 3.
Fig.5 Geometric interpretation of Fermat numbers
Some of the properties we will prove in section5 can be easily understood if we
interpret them geometrically. We will also make remarks on several of them.
8/11/2019 Fermat and Mersenne Numbers
8/22
8
4. Factoring Status of Fermat Numbers
Because of the size of Fermat numbers, it is difficult to factorize or to prove
primality of those.Ppin's test gives a necessary and sufficient condition for primality
of Fermat numbers, and can be implemented by modern computers. Theelliptic curvemethod is a fast method for finding small prime divisors of numbers. Distributed
computing projectFermatsearchhas successfully found some factors of Fermat
numbers. Yves Gallot's proth.exe has been used to find factors of large Fermat
numbers.douard Lucas,improving the above mentioned result by Euler, proved in
1878 that every factor of Fermat numberFn, with nat least 2, is of the form k 2n+2+
1 , where kis a positive integer; this is in itself almost sufficient to prove the primality
of the known Fermat primes.
The below table only shows the factoring status of Fermat numbers up to n = 200.For an up-to-date process of Fermat numbers and other details, see
http://www.prothsearch.net/fermat.html#Summary.
Prime
Composite with no known factors
Composite with complete factorization
Composite with incomplete factorization
Unknown
http://en.wikipedia.org/wiki/P%C3%A9pin%27s_testhttp://en.wikipedia.org/wiki/Elliptic_curve_methodhttp://en.wikipedia.org/wiki/Elliptic_curve_methodhttp://en.wikipedia.org/wiki/%C3%89douard_Lucashttp://en.wikipedia.org/wiki/%C3%89douard_Lucashttp://en.wikipedia.org/wiki/Elliptic_curve_methodhttp://en.wikipedia.org/wiki/Elliptic_curve_methodhttp://en.wikipedia.org/wiki/P%C3%A9pin%27s_test8/11/2019 Fermat and Mersenne Numbers
9/22
9
Completely factored Fermat numbers (Prime factors =k 2m+2+ 1)
m k n Year Discoverer
5 5 7 1732 L. Euler
52347 7 1732 L. Euler6 1071 8 1855 T. Clausen; F. Landry 1880
262814145745 8 1855T. Clausen; F. Landry & H. Le
Lasseur 1880
7 116503103764643 9 13 Sep 1970 M. A. Morrison & J. Brillhart
11141971095088142685 9 13 Sep 1970 M. A. Morrison & J. Brillhart
8 604944512477 11 1980 R. P. Brent & J. M. Pollard
[59 digits] 11 1980 R. P. Brent & J. M. Pollard
9 37 16 1903 A. E. Western
[46 digits] 11 15 Jun 1990A. K. Lenstra, M. S. Manasse & a
larger team
[96 digits] 11 15 Jun 1990A. K. Lenstra, M. S. Manasse & a
larger team
10 11131 12 15 Aug 1953 J. L. Selfridge
395937 14 1962 J. Brillhart
[37 digits] 12 20 Oct 1995 R. P. Brent
[248 digits] 13 1995 R. P. Brent
11 39 13 1899 A. Cunningham
119 13 1899 A. Cunningham
10253207784531279 14 17 May 1988 R. P. Brent
434673084282938711 13 13 May 1988 R. P. Brent
[560 digits] 13 20 Jun 1988 R. P. Brent & F. Morain
46 digit k= 3640431067210880961102244011816628378312190597
37 digit k= 1137640572563481089664199400165229051
Further, on May 14, 2013 and as part of PrimeGrid's Proth Prime Search,Marshall
Bishop found that 57 22747499 + 1 divides F2747497. This is now the largest Fermat
number known to be composite.
http://www.primegrid.com/http://www.primegrid.com/8/11/2019 Fermat and Mersenne Numbers
10/22
10
5. Basic Properties of Fermat Numbers
In this section, we will prove some basic properties of Fermat numbers.
Theorem1. For n 1,Fn = 1 + 1.
Proof. 1 + 1 = 2 + 1 1 + 1 = 2+ 1 =FnRemark1. This theorem is obvious if we interpret it geometrically:
Fig 6. Any Fermat number is exactly a square with side length 1 plusa unit square.
Theorem2. For n 1, = + 2.Proof. We will prove this by induction.
When n = 1, we have + 2 = 3 + 2 = 5 = Now assume = + 2Then, + 2= + 2= (2) + 2 (induction hypothesis)
= (21)(2
+ 1) + 2
= 2
+ 1 =
Remark2. To understand the proof of Theorem2 geometrically, we can think of 2as a square with side length 1 minus a unit square (Theorem1, see Fig. 7 (a)).
It is divisible by = 2
+ 1 because we can form a rectangle by moving the
top row and make it a column on the right (Fig. 7 (b)). To see that it is also divisible
by for 2 k n, we can use the induction hypothesis that divides
2 = 2 1. It means that we can fill each column of the rectangle in
8/11/2019 Fermat and Mersenne Numbers
11/22
11
figure7 (a) evenly by r number of blocks for some integer r.
(a) A 2
x 2
square minus (b) A (2
1) x (2
+ 1) rectanglea unit square
(c) Each column can be filled evenly byFn-k.
Fig 7. Geometric interpretation of = + 2
8/11/2019 Fermat and Mersenne Numbers
12/22
12
6. Primality of Fermat Numbers
Recall that we have defined Fermat numbers to be numbers in the form of 2+ 1
where n is a nonnegative integer. There is actually another definition for Fermat
numbers, namely numbers in the form of 2 + 1 where n is a nonnegative integer.We have chosen the former definition because it seems to be more commonly used
and it gives the properties that we have proved earlier. However, if we are only
interested in Fermat numbers that are primes, then it does not matter which definition
we use, as we will see from the next theorem.
Theorem3. [Reference3] If 2 + 1 is a prime, then n is a power of 2.Proof. Suppose n is a positive integer that is not a power of 2. Then we can write n =
s for some nonnegative integer r and some positive odd integer s. Also recall theidentity
= (ab)( + b + + a + ),which implies that ab divides . Now substituting a = 2, b =1 and n =s,we have 2 + 1 divides 21 = 2 + 1. However, r < n, which means that2 + 1 is not a prime. Hence, nmust be a power of 2 in order for 2 + 1 to be a
prime.
The next theorem concerns the properties of Fermat primes.
Theorem4. [Reference1, p. 31] No Fermat prime can be expressed as the difference of
twopth powers, wherep is an odd prime.
Proof. Assume for contradiction that there is such a Fermat prime. Then,Fn = = (ab)( + b + + a + ), where a > b andp is an odd prime.Since Fn is a prime, it must be the case that a b = 1. Moreover, by Fermats Little
Theorem, a (mod p) and b (mod p). Thus, Fn = a b = 1
(modp). This implies p | Fn1 =2, which is impossible because the only integer
that divides 2 is 2.
Note:
Fermat's little theoremstates that ifpis aprime number,then for anyinteger a, the
number apais an integer multiple ofp. In the notation ofmodular arithmetic,this is
expressed as
mod If ais not divisible byp, Fermat's little theorem is equivalent to the statement
that ap11 is an integer multiple ofp:
1 mod
http://en.wikipedia.org/wiki/Prime_numberhttp://en.wikipedia.org/wiki/Integerhttp://en.wikipedia.org/wiki/Modular_arithmetichttp://en.wikipedia.org/wiki/Modular_arithmetichttp://en.wikipedia.org/wiki/Integerhttp://en.wikipedia.org/wiki/Prime_number8/11/2019 Fermat and Mersenne Numbers
13/22
13
7. Infinitude of Fermat Primes
As we have noted before, there are only five known Fermat primes so far. In fact, it
has been shown that Fn is composite for 5 n 32 and many other larger n (from
section4). Whether there is an infinite number of Fermat primes is still an openquestion, and below shows a heuristic argument that suggests there is only a finite
number of them. This argument is to due to Hardy and Wright [Reference1, p.158].
There is only a finite number of Fermat primes.
Recall that the Prime Number Theorem says ~/log, where (x) is the numberof primes x. Hence (x)
1 +
1 which diverges
But we know from Theorem3 that the sets {2 + 1: it is a prime} and {2
+ 1: it is a
prime} are the same set. This latter argument suggests Hardy and Wrights argument
does not take into account of the properties of Fermat numbers. It is to say that the
variable x is not that random. It works largely because gaps between successive
Fermat numbers are extremely large. Nevertheless, given any number (even a number
of a particular form), it is more likely to be a composite than prime. Therefore,
bounding the probability of it being a prime by a lower bound gives a weaker
argument that bounding it from above.
8/11/2019 Fermat and Mersenne Numbers
14/22
14
8. Divisibility of Fermat Numbers
In the last two sections, we focused on the primality of Fermat numbers and the
properties of Fermat primes. However, if a Fermat number is found to be composite,
we are interested in what its factorization is, or at least, what properties do its divisorshave to have. We will end our discussion of Fermat numbers in this section by
proving several theorems about their divisors
Theorem 5. [Reference1, p.37] Let q = be a power of an odd primep, where m
1. Then the Fermat numberFn is divisible by q if and only if ordq2 = 22.
Proof. First suppose q | Fn, then q | (2 + 1)(2
1) = 2
1, and hence
2
1 (mod q). It follows that 2 = kordq2 for some positive integer k. Thus, k
is a power of 2 and so is ordq2. Let e = ordq2 = 2. Ifj < n + 1, then we have q |2
1 = 2
1. But this is impossible because q | 2
+ 1 and q 2. Hence,j
= n + 1 and so ordq2 = 2. Conversely, if we assume that ordq2 = 2, then q |
2
1 = (2+ 1)(2
1). Since q is an odd prime, q divides either 2
+ 1 or
21. But q cannot divide 2
1 because2 < ordq2. Hence q | 2
+ 1 =Fn.
Theorem 6(Eul er). [Reference1, p. 38] Ifp is a prime andp |Fn, thenp is of the form
p = k2 + 1, where k is a positive integer.
Proof. By Fermats little theorem, 2
1 (modp), and it follows that ordq2 |p1.Hence, k ordq2 =p1 for some positive integer k, and by Theorem18,p = kordq2 + 1
= k2 + 1
2 Innumber theory,given aninteger aand a positive integer nwithgcd(a,n) = 1, the multiplicative
order of amodulo nis the smallest positive integer kwithak 1 (mod n).The order of amodulo nis usually written ordn(a),
http://en.wikipedia.org/wiki/Number_theoryhttp://en.wikipedia.org/wiki/Integerhttp://en.wikipedia.org/wiki/Greatest_common_divisorhttp://en.wikipedia.org/wiki/Modular_arithmetichttp://en.wikipedia.org/wiki/Modular_arithmetichttp://en.wikipedia.org/wiki/Modular_arithmetichttp://en.wikipedia.org/wiki/Greatest_common_divisorhttp://en.wikipedia.org/wiki/Integerhttp://en.wikipedia.org/wiki/Number_theory8/11/2019 Fermat and Mersenne Numbers
15/22
15
9. Mersenne Numbers and Fermat Numbers
Recall that we have defined Mersenne numbers to be numbers of the form Mn
=2 1 where n is a positive integer. Some definitions require n to be a prime.
However, like the case of Fermat numbers, if we are only interested in Mersennenumbers that are primes, then it does not matter which definition we choose. We can
see that in the following theorem. Mersenne primes take their name from the
17th-centuryFrench scholarMarin Mersenne,who compiled what was supposed to be
a list of Mersenne primes with exponents up to 257. His list was largely incorrect, as
Mersenne mistakenly includedM67andM257(which are composite), and
omittedM61,M89, andM107(which are prime). Mersenne gave little indication how he
came up with his list.
Though it was believed by early mathematicians thatMpis prime for allprimesp,Mp is very rarely prime. In fact, of the 1,622,441 prime numbers pup to
25,964,951,Mp is prime for only 42 of them. The smallest counterexample is the
Mersenne number
M11= 211 1 = 2047 = 23 89.
The lack of any simple test to determine whether a given Mersenne number is prime
makes the search for Mersenne primes a difficult task, since Mersenne numbers grow
very rapidly. TheLucasLehmer primality test (LLT) is an efficientprimality test that
greatly aids this task. The search for the largest known prime has somewhat of acult
following. Consequently, a lot of computer power has been expended searching for
new Mersenne primes, much of which is now done usingdistributed computing.
Mersenne primes are used inpseudorandom number generators such as
theMersenne twister,ParkMiller random number generator, Generalized Shift
Register and Fibonacci RNG.
The best method presently known for testing the primality of Mersenne numbers
is theLucasLehmer primality test. Specifically, it can be shown that for
primep> 2,Mp= 2p 1 is prime if and only ifMpdivides Sp2, where S0= 4 and,for k> 0, =
2. The search for Mersenne primes was revolutionized by theintroduction of the electronic digital computer as can be seen in Fig.8.
http://en.wikipedia.org/wiki/Francehttp://en.wikipedia.org/wiki/Marin_Mersennehttp://en.wikipedia.org/wiki/Lucas%E2%80%93Lehmer_primality_testhttp://en.wikipedia.org/wiki/Lucas%E2%80%93Lehmer_primality_testhttp://en.wikipedia.org/wiki/Lucas%E2%80%93Lehmer_primality_testhttp://en.wikipedia.org/wiki/Primality_testhttp://en.wikipedia.org/wiki/Cult_followinghttp://en.wikipedia.org/wiki/Cult_followinghttp://en.wikipedia.org/wiki/Distributed_computinghttp://en.wikipedia.org/wiki/Pseudorandom_number_generatorhttp://en.wikipedia.org/wiki/Mersenne_twisterhttp://en.wikipedia.org/wiki/Park%E2%80%93Miller_random_number_generatorhttp://en.wikipedia.org/wiki/Park%E2%80%93Miller_random_number_generatorhttp://en.wikipedia.org/wiki/Park%E2%80%93Miller_random_number_generatorhttp://en.wikipedia.org/wiki/Lucas%E2%80%93Lehmer_primality_testhttp://en.wikipedia.org/wiki/Lucas%E2%80%93Lehmer_primality_testhttp://en.wikipedia.org/wiki/Lucas%E2%80%93Lehmer_primality_testhttp://en.wikipedia.org/wiki/Lucas%E2%80%93Lehmer_primality_testhttp://en.wikipedia.org/wiki/Park%E2%80%93Miller_random_number_generatorhttp://en.wikipedia.org/wiki/Mersenne_twisterhttp://en.wikipedia.org/wiki/Pseudorandom_number_generatorhttp://en.wikipedia.org/wiki/Distributed_computinghttp://en.wikipedia.org/wiki/Cult_followinghttp://en.wikipedia.org/wiki/Cult_followinghttp://en.wikipedia.org/wiki/Primality_testhttp://en.wikipedia.org/wiki/Lucas%E2%80%93Lehmer_primality_testhttp://en.wikipedia.org/wiki/Marin_Mersennehttp://en.wikipedia.org/wiki/France8/11/2019 Fermat and Mersenne Numbers
16/22
8/11/2019 Fermat and Mersenne Numbers
17/22
17
10.Applications of Prime numbers
1. Pseudorandom Number Generation
Fermat primes are particularly useful in generating pseudo-random sequences of
numbers in the range 1 N, whereN is a power of 2. The most common methodused is to take any seed value between 1 and P1, wherePis a Fermat prime. Now
multiply this by a numberA, which is greater than the square root ofPand is
aprimitive root moduloP (i.e., it is not aquadratic residue). Then take the result
moduloP. The result is the new value for the RNG.
V = ( )mod This is useful in computer science since most data structures have members with
2Xpossible values. For example, a byte has 256 (28) possible values (0255).
Therefore to fill a byte or bytes with random values a random number generatorwhich produces values 1256 can be used, the byte taking the output value 1. Very
large Fermat primes are of particular interest in data encryption for this reason. This
method produces onlypseudorandom values as, afterP1 repetitions, the sequence
repeats. A poorly chosen multiplier can result in the sequence repeating sooner
thanP1.
2.RSA Encryption
RSA is analgorithm forpublic-key cryptography that is based on the presumeddifficulty offactoringlarge integers, thefactoring problem. RSA stands forRon
Rivest,Adi Shamir andLeonard Adleman,who first publicly described the algorithm
in 1977. A user of RSA creates and then publishes the product of two largeprime
numbers,along with an auxiliary value, as their public key. The prime factors must be
kept secret. Anyone can use the public key to encrypt a message, but with currently
published methods, if the public key is large enough, only someone with knowledge
of the prime factors can feasibly decode the message. Whether breaking
RSAencryption is as hard as factoring is an open question known as the RSA
problem.
The RSA algorithm involves three steps:key generation, encryption and decryption.
Key generation:
RSA involves a public keyand aprivate key. The public key can be known by
everyone and is used for encrypting messages. Messages encrypted with the public
key can only be decrypted in a reasonable amount of time using the private key. The
keys for the RSA algorithm are generated the following way:
1.
Choose two distinctprime numberspand q.
http://en.wikipedia.org/wiki/Primitive_root_modulo_nhttp://en.wikipedia.org/wiki/Quadratic_residuehttp://en.wikipedia.org/wiki/Pseudorandomhttp://en.wikipedia.org/wiki/Algorithmhttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Factorizationhttp://en.wikipedia.org/wiki/Integerhttp://en.wikipedia.org/wiki/Factoring_problemhttp://en.wikipedia.org/wiki/Ron_Rivesthttp://en.wikipedia.org/wiki/Ron_Rivesthttp://en.wikipedia.org/wiki/Adi_Shamirhttp://en.wikipedia.org/wiki/Leonard_Adlemanhttp://en.wikipedia.org/wiki/Prime_numberhttp://en.wikipedia.org/wiki/Prime_numberhttp://en.wikipedia.org/wiki/Encryptionhttp://en.wikipedia.org/wiki/RSA_problemhttp://en.wikipedia.org/wiki/RSA_problemhttp://en.wikipedia.org/wiki/Key_(cryptography)http://en.wikipedia.org/wiki/Private_keyhttp://en.wikipedia.org/wiki/Private_keyhttp://en.wikipedia.org/wiki/Prime_numberhttp://en.wikipedia.org/wiki/Prime_numberhttp://en.wikipedia.org/wiki/Private_keyhttp://en.wikipedia.org/wiki/Key_(cryptography)http://en.wikipedia.org/wiki/RSA_problemhttp://en.wikipedia.org/wiki/RSA_problemhttp://en.wikipedia.org/wiki/Encryptionhttp://en.wikipedia.org/wiki/Prime_numberhttp://en.wikipedia.org/wiki/Prime_numberhttp://en.wikipedia.org/wiki/Leonard_Adlemanhttp://en.wikipedia.org/wiki/Adi_Shamirhttp://en.wikipedia.org/wiki/Ron_Rivesthttp://en.wikipedia.org/wiki/Ron_Rivesthttp://en.wikipedia.org/wiki/Factoring_problemhttp://en.wikipedia.org/wiki/Integerhttp://en.wikipedia.org/wiki/Factorizationhttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Algorithmhttp://en.wikipedia.org/wiki/Pseudorandomhttp://en.wikipedia.org/wiki/Quadratic_residuehttp://en.wikipedia.org/wiki/Primitive_root_modulo_n8/11/2019 Fermat and Mersenne Numbers
18/22
18
For security purposes, the integerspand q should be chosen at random, and
should be of similar bit-length. Prime integers can be efficiently found using
aprimality test.
2. Compute n=pq.
nis used as themodulus for both the public and private keys. Its length, usuallyexpressed in bits, is thekey length.
3. Compute (n) = (p)(q) = (p 1)(q 1), where isEuler's totient function.
4. Choose an integer esuch that 1 < e< (n) andgcd(e, (n)) = 1; i.e. eand (n)
arecoprime.
eis released as the public key exponent.
ehaving a shortbit-length and smallHamming weight results in more
efficient encryption most commonly 216 + 1 = 65,537. However,
much smaller values of e(such as 3) have been shown to be less securein some settings.
5. Determine das d1e(mod(n)), i.e., dis themultiplicative
inverse of e(modulo (n)).
This is more clearly stated as solve for dgiven de 1 (mod (n))
This is often computed using theextended Euclidean algorithm.
dis kept as the private key exponent.
By construction, de 1 (mod (n)). The public keyconsists of the modulus nand
the public (or encryption) exponent e. The private keyconsists of the modulus nandthe private (or decryption) exponent d, which must be kept secret.p, q, and (n) must
also be kept secret because they can be used to calculate d.
Encryption:
Alice transmits her public key (n, e) toBob and keeps the private key secret. Bob
then wishes to send messageMto Alice.
He first turnsM into an integer m, such that 0 m< n by using an agreed-upon
reversible protocol known as apadding scheme. He then computes the
ciphertext ccorresponding to
c mod This can be done quickly using the method ofexponentiation by squaring.Bob then
transmits cto Alice.
Decryption:
Alice can recover mfrom cby using her private key exponent dvia computing
m mod Given m, she can recover the original messageMby reversing the padding scheme.
(In practice, there are more efficient methods of calculating cdusing the precomputed
http://en.wikipedia.org/wiki/Primality_testhttp://en.wikipedia.org/wiki/Modular_arithmetichttp://en.wikipedia.org/wiki/Key_lengthhttp://en.wikipedia.org/wiki/Euler%27s_totient_functionhttp://en.wikipedia.org/wiki/Greatest_common_divisorhttp://en.wikipedia.org/wiki/Coprimehttp://en.wikipedia.org/wiki/Bit-lengthhttp://en.wikipedia.org/wiki/Hamming_weighthttp://en.wikipedia.org/wiki/Modular_multiplicative_inversehttp://en.wikipedia.org/wiki/Modular_multiplicative_inversehttp://en.wikipedia.org/wiki/Extended_Euclidean_algorithmhttp://en.wikipedia.org/wiki/Alice_and_Bobhttp://en.wikipedia.org/wiki/Alice_and_Bobhttp://en.wikipedia.org/wiki/RSA_(algorithm)#Padding_schemeshttp://en.wikipedia.org/wiki/Exponentiation_by_squaringhttp://en.wikipedia.org/wiki/Exponentiation_by_squaringhttp://en.wikipedia.org/wiki/RSA_(algorithm)#Padding_schemeshttp://en.wikipedia.org/wiki/Alice_and_Bobhttp://en.wikipedia.org/wiki/Alice_and_Bobhttp://en.wikipedia.org/wiki/Extended_Euclidean_algorithmhttp://en.wikipedia.org/wiki/Modular_multiplicative_inversehttp://en.wikipedia.org/wiki/Modular_multiplicative_inversehttp://en.wikipedia.org/wiki/Hamming_weighthttp://en.wikipedia.org/wiki/Bit-lengthhttp://en.wikipedia.org/wiki/Coprimehttp://en.wikipedia.org/wiki/Greatest_common_divisorhttp://en.wikipedia.org/wiki/Euler%27s_totient_functionhttp://en.wikipedia.org/wiki/Key_lengthhttp://en.wikipedia.org/wiki/Modular_arithmetichttp://en.wikipedia.org/wiki/Primality_test8/11/2019 Fermat and Mersenne Numbers
19/22
19
values below.)
Using the Chinese remainder algorithm
For efficiency many popular crypto libraries (like OpenSSL, Java and .NET) use the
following optimization for decryption and signing based on theChinese remainder
theorem.The following values are precomputed and stored as part of the private key: p and q: the primes from the key generation,
= mod 1,
= mod 1and
= mod .These values allow the recipient to compute the exponentiation m= cd(modpq) more
efficiently as follows:
= mod .
= mod .
h = mod . (if < then some librariescompute has + mod )
m = + This is more efficient than computing mcd(modpq) even though two modular
exponentiations have to be computed. The reason is that these two modular
exponentiations both use a smaller exponent and a smaller modulus.
A working exampleHere is an example of RSA encryption and decryption. The parameters used here are
artificially small, but one can also use OpenSSL to generate and examine a real
keypair.
1. Choose two distinct prime numbers, such as p=61 and q=53.
2. Compute n=pqgiving n=6153=32333. Compute thetotient of the product as (n) = (p1)(q1) giving
(3233) = (611)(531)=3120.
4. Choose any number 1 < e< 3120 that iscoprime to 3120. Choosing a prime
number for eleaves us only to check that eis not a divisor of 3120.
Let e=17
5. Compute d, themodular multiplicative inverse of e(mod (n)) yielding
d=2753.
The public keyis (n= 3233, e= 17). For a paddedplaintext message m, the
encryption function is
c mod 3233.The private keyis (n= 3233, d= 2753). For an encryptedciphertext c, the decryption
function is c2753(mod 3233).
http://en.wikipedia.org/wiki/Chinese_remainder_theoremhttp://en.wikipedia.org/wiki/Chinese_remainder_theoremhttp://en.wikibooks.org/wiki/Transwiki:Generate_a_keypair_using_OpenSSLhttp://en.wikibooks.org/wiki/Transwiki:Generate_a_keypair_using_OpenSSLhttp://en.wikipedia.org/wiki/Totienthttp://en.wikipedia.org/wiki/Coprimehttp://en.wikipedia.org/wiki/Modular_multiplicative_inversehttp://en.wikipedia.org/wiki/Plaintexthttp://en.wikipedia.org/wiki/Ciphertexthttp://en.wikipedia.org/wiki/Ciphertexthttp://en.wikipedia.org/wiki/Plaintexthttp://en.wikipedia.org/wiki/Modular_multiplicative_inversehttp://en.wikipedia.org/wiki/Coprimehttp://en.wikipedia.org/wiki/Totienthttp://en.wikibooks.org/wiki/Transwiki:Generate_a_keypair_using_OpenSSLhttp://en.wikibooks.org/wiki/Transwiki:Generate_a_keypair_using_OpenSSLhttp://en.wikipedia.org/wiki/Chinese_remainder_theoremhttp://en.wikipedia.org/wiki/Chinese_remainder_theorem8/11/2019 Fermat and Mersenne Numbers
20/22
20
m=c2753(mod 3233).
For instance, in order to encrypt m= 65, we calculate
c 6 5mod 3233=2790To decrypt c= 2790, we calculate
.m=27902753(mod 3233)=65.
Practical implementations use theChinese remainder theorem to speed up the
calculation using modulus of factors (modpqusing modpand mod q).
The values dp, dqand qinv, which are part of the private key are computed as follows:
= mod 1 = 2753(mod 6 1 1) = 5 3 = mod 1 = 2753(mod5 3 1) = 4 9
= mod = 53mod 61 = 38
(Hence: mod = 38 53 mod 61 = 1)
Here is how dp, dqand qinvare used for efficient decryption. (Encryption is efficient
by choice of public exponent e)
= mod = 2790mod 61 = 4 = mod = 2790mod 53 = 12 h = mod = 38 8mod 61 = 1 m = + = 1 2 + 1 5 3 = 6 5
(same as above but computed more efficiently)
Proof using Fermat's little theorem
The proof of the correctness of RSA is based onFermat's little theorem.This theorem
states that ifpis prime andpdoes not divide an integer athen
1 mod We want to show that (me)dm(modpq) for every integer mwhenpand qare
distinct prime numbers and eand dare positive integers satisfying
1 mod 1 1We can write
1 = h 1 1for some nonnegative integer h.
To check two numbers, like medand m, are congruent modpqit suffices (and in fact is
equivalent) to check they are congruent modpand mod qseparately. (This is part of
the Chinese remainder theorem, although it is not the significant part of that theorem.)
To show medm(modp), we consider two cases: m 0 (modp) and m0 (modp).In the first case medis a multiple ofp, so med 0 m(modp). In the second case
= = = 1 mod
http://en.wikipedia.org/wiki/Chinese_remainder_theoremhttp://en.wikipedia.org/wiki/Fermat%27s_little_theoremhttp://en.wikipedia.org/wiki/Fermat%27s_little_theoremhttp://en.wikipedia.org/wiki/Chinese_remainder_theorem8/11/2019 Fermat and Mersenne Numbers
21/22
21
where we used Fermat's little theorem to replace mp1modpwith 1.
The verification that medm(mod q) proceeds in a similar way, treating separately
the cases m 0 (modq) and m 0 (mod q), using Fermat's little theorem formodulus qin the second case.
This completes the proof that, for any integer m,medm(modpq).
8/11/2019 Fermat and Mersenne Numbers
22/22
22
11.Reference
[1]. M. Krizek, F. Luca and L. Somer, 17 Lectures on Fermat Numbers From
Number Theory to Geometry, Springer-Verlag, New York, 2001.
[2]. W. Keller,Prime factors k2n + 1 of Fermat numbers Fm and complete factoring
status.
http://www.prothsearch.net/fermat.html#Summary
[3]. Fermat number
http://en.wikipedia.org/wiki/Fermat_numbers
[4]. Mersenne number
http://en.wikipedia.org/wiki/Mersenne_numbers
[5].Distribution of primes tutorial
http://empslocal.ex.ac.uk/people/staff/mrwatkin/zeta/ss-e.htm[6]Fermat Numbers - William Stein - University of Washington
[7] Sarah Flannery and David Flannery.In Code: A Mathematical Journey, 2001
[8] RSA
http://en.wikipedia.org/wiki/RSA_(algorithm)
http://en.wikipedia.org/wiki/Mersenne_numbershttps://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fempslocal.ex.ac.uk%2F~mwatkins%2Fzeta%2Fss-a.htm&ei=IFLGUcvTE4bCkgWAj4GYBQ&usg=AFQjCNHrqmTMAt4Jaz5rXPE99ZAwXDNHLQ&sig2=giBqi45eIc2DSNSJAmD3swhttp://empslocal.ex.ac.uk/people/staff/mrwatkin/zeta/ss-e.htmhttps://www.google.com.tw/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&ved=0CDgQFjAB&url=http%3A%2F%2Fmodular.math.washington.edu%2Fedu%2F2010%2F414%2Fprojects%2Ftsang.pdf&ei=cVLGUcD-FcPIkAWB7oCQBw&usg=AFQjCNF6Ghv9Ue5VSL2F8HpFXQKy8HOiNg&sig2=bWgaN0qJCwg2AiD_r0xNPg&bvm=bv.48293060,d.dGIhttps://www.google.com.tw/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&ved=0CDgQFjAB&url=http%3A%2F%2Fmodular.math.washington.edu%2Fedu%2F2010%2F414%2Fprojects%2Ftsang.pdf&ei=cVLGUcD-FcPIkAWB7oCQBw&usg=AFQjCNF6Ghv9Ue5VSL2F8HpFXQKy8HOiNg&sig2=bWgaN0qJCwg2AiD_r0xNPg&bvm=bv.48293060,d.dGIhttp://empslocal.ex.ac.uk/people/staff/mrwatkin/zeta/ss-e.htmhttps://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fempslocal.ex.ac.uk%2F~mwatkins%2Fzeta%2Fss-a.htm&ei=IFLGUcvTE4bCkgWAj4GYBQ&usg=AFQjCNHrqmTMAt4Jaz5rXPE99ZAwXDNHLQ&sig2=giBqi45eIc2DSNSJAmD3swhttp://en.wikipedia.org/wiki/Mersenne_numbers