Unformatted text preview: [945]. Here it tests if p is prime: (1) Choose a random number a less than p. (2) Calculate a(p 1)/2 mod p. (3) If a(p 1)/2 ` 1 or  1 (mod p), then p is definitely not prime. (4) If a(p 1)/2 a 1 or  1 (mod p), then the likelihood that p is not prime is no more than 50 percent. Again, the odds of a random a being a witness to p ’s compositeness is no less than 50 percent. Repeat this test t times. If the calculation equals 1 or 1, but does not always equal 1, then p is probably prime with an error rate of 1 in 2t . RabinMiller
The algorithm everyone uses—it’s easy—was developed by Michael Rabin, based in part on Gary Miller’s ideas [1093, 1284]. Actually, this is a simplified version of the algorithm recommended in the DSS proposal [1149, 1154]. Choose a random number, p, to test. Calculate b, where b is the number of times 2 divides p  1 (i.e., 2b is the largest power of 2 that divides p  1). Then calculate m, such that p = 1 + 2b *m. (1) Choose a random number, a, such that a is less than p. (2) Set j = 0 and set z = am mod p. (3) If z = 1, or if z = p  1, then p passes the test and may be prime. (4) If j > 0 and z = 1, then p is not prime. (5) Set j = j + 1. If j < b and z ` p  1, set z = z2 mod p and go back to step (4). If z = p  1, then p passes the test and may be prime. (6) If j = b and z ` p  1, then p is not prime. The odds of a composite passing decreases faster with this test than with previous ones. Threequarters of the possible values of a are guaranteed to be witnesses. This means that a composite number will slip through t tests no more than ¼t of the time, where t is the number of iterations. Actually, these numbers are very pessimistic. For most random numbers, something like 99.9 percent of the possible a values are witnesses [96]. There are even better estimations [417]. For n bit candidate primes (where n is more than 100), the odds of error in one test are less than 1 in 4n 2(k/2)(1/2). And for a 256bit n, the odds of error in six tests are less than 1 in 251 . More theory is in [418]. Practical Conside...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details