1. ALGEBRA 30

1. Algebra

1.7. Prime numbers
Definition
Let $n \in \mathbb{Z}$, with $n \ge 2$. If $n$ is not a prime number, then $n$ is called a composite number.
We look for a way to test if a given positive integer is prime or composite. The first test is based
on Fermat’s little theorem.
1.7.1. Fermat Test
This test is based on Fermat's little theorem. If $n$ is a prime number and $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$,
then Fermat's little theorem implies that $a^{n-1} \equiv 1 \pmod{n}$. Thus if $a^{n-1} \not\equiv 1 \pmod{n}$, then $n$ is
composite.
Fermat Test
Let $n \in \mathbb{Z}$, with $n \ge 2$. Let $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$. If $a^{n-1} \equiv 1 \pmod{n}$, then we say that $n$
passes the Fermat test for $a$.
Example
$2^{340} \equiv 1 \pmod{341}$, so 341 passes the Fermat test for 2.
$3^{340} \equiv 56 \pmod{341}$, so 341 does not pass the Fermat test for 3. Hence 341 is a composite number
(in fact, $341 = 11 \cdot 31$).
Remark
Since the test is based on modular arithmetic it suffices to take $1 \le a \le n$, but in fact we will
assume $1 < a < n$, for 1 and $n$ are not the numbers you want to test on. If for such an $a$ we have
$\gcd(a, n) \ne 1$, then $1 < \gcd(a, n) < n$, so $n$ is composite. Thus always first calculate the greatest
common divisor.
Definition
Let $n$ be a composite number, $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$. If $n$ passes the Fermat test for $a$, we say
that $n$ is an $a$-pseudo prime. If $n$ is an $a$-pseudo prime for all $a \in \mathbb{Z}$ with $\gcd(a, n) = 1$, then $n$ is
called a Carmichael number.
If $n$ is an even number with $n \ne 2$, then it is clearly not prime. We are mainly interested in odd
numbers. The following theorem tells us that Carmichael numbers exist, that is, there exist numbers
$n$ that pass the Fermat test for any $a \in \mathbb{Z}$ with $\gcd(a, n) = 1$.
Theorem 1.7.1 Let $n \in \mathbb{Z}$, with $n \ge 3$ and $n$ odd. Then $n$ is a Carmichael number if and only
if $n = p_1 \cdot p_2 \cdots p_s$, where $p_1, \ldots, p_s$ are distinct odd prime numbers, and $(p_i - 1) \mid (n - 1)$ for all
$i \in \{1, 2, \ldots, s\}$.
Proof. Suppose $n = p_1 \cdot p_2 \cdots p_s$, where $p_1, \ldots, p_s$ are distinct odd prime numbers, and $(p_i - 1) \mid (n - 1)$
for all $i \in \{1, 2, \ldots, s\}$. Consider the isomorphism
$$
(\mathbb{Z}/n\mathbb{Z})^* \cong (\mathbb{Z}/p_1\mathbb{Z})^* \times (\mathbb{Z}/p_2\mathbb{Z})^* \times \cdots \times (\mathbb{Z}/p_s\mathbb{Z})^*, \qquad
[b]_n \mapsto ([b]_{p_1}, [b]_{p_2}, \ldots, [b]_{p_s}).
$$
For each $i \in \{1, 2, \ldots, s\}$ the group $(\mathbb{Z}/p_i\mathbb{Z})^*$ is a cyclic group of order $p_i - 1$ and $(p_i - 1) \mid (n - 1)$.
Hence for each $i \in \{1, 2, \ldots, s\}$ we have $([b]_{p_i})^{n-1} = [1]_{p_i}$, that is
$$
([b]_{p_1}, [b]_{p_2}, \ldots, [b]_{p_s})^{n-1} = ([1]_{p_1}, [1]_{p_2}, \ldots, [1]_{p_s}).
$$
It follows that for any element $g \in (\mathbb{Z}/n\mathbb{Z})^*$ we have $o(g) \mid (n - 1)$. Now let $a \in \mathbb{Z}$, with
$\gcd(a, n) = 1$. Then $[a]_n \in (\mathbb{Z}/n\mathbb{Z})^*$, so $([a]_n)^{n-1} = [1]_n$. Hence $a^{n-1} \equiv 1 \pmod{n}$, and thus $n$
is an $a$-pseudo prime. Since this is true for any $a \in \mathbb{Z}$ with $\gcd(a, n) = 1$, it follows that $n$ is a
Carmichael number.
Suppose $n$ is a Carmichael number. If $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$, then $a^{n-1} \equiv 1 \pmod{n}$, that
is $([a]_n)^{n-1} = [1]_n$. In particular $o([a]_n)$ divides $n - 1$, for any $[a]_n \in (\mathbb{Z}/n\mathbb{Z})^*$.
Write $n = p_1^{r_1} \cdot p_2^{r_2} \cdots p_s^{r_s}$, where $p_1, \ldots, p_s$ are distinct odd prime numbers and $r_i \ge 1$, for all
$i \in \{1, 2, \ldots, s\}$. Consider the isomorphism
$$
(\mathbb{Z}/n\mathbb{Z})^* \cong (\mathbb{Z}/p_1^{r_1}\mathbb{Z})^* \times (\mathbb{Z}/p_2^{r_2}\mathbb{Z})^* \times \cdots \times (\mathbb{Z}/p_s^{r_s}\mathbb{Z})^*, \qquad
[b]_n \mapsto ([b]_{p_1^{r_1}}, [b]_{p_2^{r_2}}, \ldots, [b]_{p_s^{r_s}}).
$$
For each $i \in \{1, 2, \ldots, s\}$ let $\beta_i$ be a generator of the cyclic group $(\mathbb{Z}/p_i^{r_i}\mathbb{Z})^*$ and let $a_i \in \mathbb{Z}$, with
$1 \le a_i < n$, be such that under this isomorphism
$$
[a_i]_n \mapsto (1, 1, \ldots, 1, \beta_i, 1, \ldots, 1),
$$
with $\beta_i$ in the $i$-th coordinate (the one belonging to $(\mathbb{Z}/p_i^{r_i}\mathbb{Z})^*$) and 1 in all other coordinates.
Thus $o([a_i]_n) = p_i^{r_i - 1}(p_i - 1)$.
So for each $i \in \{1, 2, \ldots, s\}$, $p_i^{r_i - 1}(p_i - 1)$ divides $n - 1$, whence $r_i = 1$, since $p_i$ and $n - 1$
are relatively prime. Thus $n = p_1 \cdot p_2 \cdots p_s$, where $p_1, \ldots, p_s$ are distinct odd prime numbers, and
$(p_i - 1) \mid (n - 1)$ for all $i \in \{1, 2, \ldots, s\}$. $\square$
Example
Some Carmichael numbers are
$561 = 3 \cdot 11 \cdot 17$, for $560 = 2^4 \cdot 5 \cdot 7$;
$1105 = 5 \cdot 13 \cdot 17$, for $1104 = 2^4 \cdot 3 \cdot 23$;
$1729 = 7 \cdot 13 \cdot 19$, for $1728 = 2^6 \cdot 3^3$.
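The Fermat test of 1.7.1 and the criterion of Theorem 1.7.1 as runnable code, added here as an example (it is not code from the notes); the function names are chosen for this example, and it checks 341 and the three Carmichael numbers above both by the theorem and by brute force over all coprime bases.

```python
# Added example (not from the lecture notes): the Fermat test of 1.7.1 and the
# criterion of Theorem 1.7.1, checked against the numbers in the examples above.
from math import gcd


def trial_factor(n):
    """Prime factorization of n as {p: r}, by trial division (small n only)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def passes_fermat(n, a):
    """n passes the Fermat test for a: gcd(a, n) = 1 and a^(n-1) = 1 mod n.
    Following the Remark, the gcd is checked first: gcd > 1 is itself a factor."""
    if not 1 < a < n:
        raise ValueError("choose 1 < a < n")
    return gcd(a, n) == 1 and pow(a, n - 1, n) == 1


def is_prime(n):
    return n >= 2 and trial_factor(n) == {n: 1}


def is_carmichael(n):
    """Theorem 1.7.1: odd composite n is Carmichael iff n is a product of
    distinct odd primes p and (p - 1) | (n - 1) for each of them."""
    if n < 3 or n % 2 == 0 or is_prime(n):
        return False
    return all(r == 1 and (n - 1) % (p - 1) == 0
               for p, r in trial_factor(n).items())


def fermat_liars(n):
    """All a with 1 < a < n and gcd(a, n) = 1 for which n passes the test."""
    return [a for a in range(2, n) if passes_fermat(n, a)]


def is_carmichael_by_definition(n):
    """The definition itself: composite, and every coprime base is a liar."""
    coprime = [a for a in range(2, n) if gcd(a, n) == 1]
    return not is_prime(n) and fermat_liars(n) == coprime


if __name__ == "__main__":
    print(341, passes_fermat(341, 2), passes_fermat(341, 3), is_carmichael(341))
    for n in (561, 1105, 1729):
        print(n, trial_factor(n), is_carmichael(n), is_carmichael_by_definition(n))
```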
Remark
It was shown in 1994 that there are an infinite number of Carmichael numbers.
1.7.2. Miller-Rabin Test
Let $n$ be an odd number, $s = \max\{r \in \mathbb{Z} \mid 2^r \text{ divides } n - 1\}$ and $d = \frac{n-1}{2^s}$. So $n - 1 = 2^s \cdot d$, with
$d \in \mathbb{Z}$ an odd number, and $s$ and $d$ are easily calculated.
Lemma 1.7.2 Let $n$ be an odd prime number and $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$. One of the following
holds:
(i) $a^d \equiv 1 \pmod{n}$.
(ii) there exists an $r \in \{0, \ldots, s - 1\}$, such that $a^{d \cdot 2^r} \equiv -1 \pmod{n}$.
Proof. Let $n$ be an odd prime and $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$, so $[a]_n \in (\mathbb{Z}/n\mathbb{Z})^*$. Since $n$ is an
odd prime the group $(\mathbb{Z}/n\mathbb{Z})^*$ is cyclic of order $n - 1$. In particular, it has only one element of
order 2, namely $[-1]_n$. Let $k = o([a^d]_n)$. Since $([a^d]_n)^{2^s} = ([a]_n)^{n-1} = [1]_n$, we have $k \mid 2^s$.
If $k = 1$, then $[a^d]_n = [1]_n$, so (i) holds.
If $k \ne 1$, then $k = 2^l$, for certain $1 \le l \le s$. Now $[1]_n = ([a^d]_n)^{2^l} = (([a^d]_n)^{2^{l-1}})^2$ and
$([a^d]_n)^{2^{l-1}} \ne [1]_n$. Thus $([a^d]_n)^{2^{l-1}}$ is an element of order 2. Whence $([a^d]_n)^{2^{l-1}} = [-1]_n$, that is
$a^{d \cdot 2^{l-1}} \equiv -1 \pmod{n}$. Let $r = l - 1$, then $0 \le r < s$ and $a^{d \cdot 2^r} \equiv -1 \pmod{n}$, so (ii) holds. $\square$
Miller-Rabin Test
Let $n \in \mathbb{Z}$ be an odd number with $n \ge 2$. Let $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$. Consider the sequence
$$
[a^d]_n,\ ([a^d]_n)^2,\ \ldots,\ ([a^d]_n)^{2^{s-1}}.
$$
If either this sequence is all 1, or $-1$ appears in it, then we say that $n$ passes the Miller-Rabin test
for $a$.
Since $([a^d]_n)^{2^{i+1}} = (([a^d]_n)^{2^i})^2$, the lemma states that if $n$ is a prime then either this sequence is all
1, or $-1$ appears in it. So all primes pass the Miller-Rabin test for any $a \in \mathbb{Z}$ with $\gcd(a, n) = 1$.
The answer depends only on $a \pmod{n}$, so one can assume that $1 \le a < n$.
Remark
Observe that for a = 1 and a = n − 1, n passes the Miller-Rabin test for a.
Definition
Let $n$ be a composite number, $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$. If $n$ passes the Miller-Rabin test for $a$,
we say that $n$ is a strong $a$-pseudo prime, and $a$ will be called a false witness. If $n$ does not pass the
Miller-Rabin test for $a$, we say that $a$ is a witness for $n$ being a composite number.
Example
Let $n = 561$, which is a Carmichael number, then $n - 1 = 2^4 \cdot 35$. Consider the sequence
$$
[a^{35}]_n,\ ([a^{35}]_n)^2,\ ([a^{35}]_n)^4,\ ([a^{35}]_n)^8.
$$
If $a = 2$, then the sequence is $263, 166, 67, 1$; 2 is a witness that 561 is composite.
If $a = 101$, then the sequence is $-1, 1, 1, 1$; 101 is a false witness.
If $a = 103$, then the sequence is $1, 1, 1, 1$; 103 is a false witness.
Thus 561 is a strong 101-pseudo prime and a strong 103-pseudo prime.
Lemma 1.7.3 Any strong $a$-pseudo prime is also an $a$-pseudo prime.
Proof. If either $[a^d]_n = [1]_n$ or $([a^d]_n)^{2^r} = [-1]_n$, for some $0 \le r < s$, then $([a^d]_n)^{2^s} = [1]_n$. Hence
$([a]_n)^{n-1} = [1]_n$, so $n$ passes the Fermat test for $a$. $\square$
Let $n$ be an odd number and $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$, and $d, s \in \mathbb{Z}$ such that $n - 1 = 2^s \cdot d$,
with $d$ an odd number. Suppose $n$ is a strong $a$-pseudo prime. Since it is also an $a$-pseudo prime, we
have $([a^d]_n)^{2^s} = [1]_n$. Thus the order of $[a^d]_n$ divides $2^s$. If $([a^d]_n)^{2^r} = [-1]_n$, for some $0 \le r < s$,
then $o([a^d]_n) = 2^{r+1}$. Though it is not true that if $o([a^d]_n) = 2^{r+1}$, then $([a^d]_n)^{2^r} = [-1]_n$. The
element $([a^d]_n)^{2^r}$ will be of order 2, but need not be $[-1]_n$. Moreover, we have $[a^d]_n = [1]_n$ if and
only if $o([a^d]_n) = 1$. Thus the order of $[a^d]_n$ determines whether the sequence is all 1 or the place
where a $[-1]_n$ could appear.
Before we can determine false witnesses we need a lemma about $d$-th powers of elements in
Abelian groups.
Lemma 1.7.4 Let $G$ be a finite Abelian group, $d \in \mathbb{Z}$ with $d \ge 1$ an odd number and $r \in \mathbb{Z}$, with
$r \ge 0$. Let $A_r = \{a \in G \mid o(a) = 2^r\}$, the set of elements of order $2^r$, and $K = \{g \in G \mid o(g) \mid d\}$,
the set of elements whose order divides $d$. Then $\{g \mid g^d \in A_r\} = \{ak \mid a \in A_r,\ k \in K\}$. Moreover,
$|\{g \mid g^d \in A_r\}| = |A_r|\,|K|$.
Proof. Consider $\psi : G \to G$ defined by $\psi : g \mapsto g^d$. Since $G$ is Abelian this is a homomorphism
of groups. If $a \in A_r$, then $o(a^d) = o(a)$ so $\psi(A_r) \subseteq A_r$. On the other hand, if $a, b \in A_r$ with
$\psi(a) = \psi(b)$, then $a^d = b^d$ and so $(ab^{-1})^d = 1$. But $(ab^{-1})^{2^r} = 1$ and $\gcd(d, 2^r) = 1$, so $ab^{-1} = 1$.
Hence $a = b$. Since $A_r$ is a finite set we have $A_r = \psi(A_r)$.
Let $X = \{g \mid g^d \in A_r\}$ and $Y = \{ak \mid a \in A_r,\ k \in K\}$. We claim that $X = Y$. Let $g \in X$, then
$g^d = a$ for some $a \in A_r$. By the above $a = b^d$, for some $b \in A_r$. So $g^d = b^d$. Hence $(gb^{-1})^d = 1$.
Hence $gb^{-1} \in K$ and $g = b(gb^{-1}) \in Y$. On the other hand, if $g \in Y$ then $g = ak$ for some $a \in A_r$
and $k \in K$, then $g^d = (ak)^d = a^d k^d = a^d \in A_r$, so $g \in X$.
If $a_1, a_2 \in A_r$ and $k_1, k_2 \in K$, with $a_1 k_1 = a_2 k_2$, then $a_2^{-1} a_1 = k_2 k_1^{-1}$. But $o(a_2^{-1} a_1) \mid 2^r$
and $o(k_2 k_1^{-1}) \mid d$, hence $o(a_2^{-1} a_1) = o(k_2 k_1^{-1}) = 1$. It follows that $a_1 = a_2$ and $k_1 = k_2$ and thus
$|\{ak \mid a \in A_r,\ k \in K\}| = |A_r|\,|K|$. $\square$
Example
We find the numbers $a$, $1 < a < 561$, for which $n = 561$ is a strong $a$-pseudo prime. Since
$561 = 3 \cdot 11 \cdot 17$ we consider the isomorphism
$$
(\mathbb{Z}/561\mathbb{Z})^* \cong (\mathbb{Z}/3\mathbb{Z})^* \times (\mathbb{Z}/11\mathbb{Z})^* \times (\mathbb{Z}/17\mathbb{Z})^*, \qquad
[b]_{561} \mapsto ([b]_3, [b]_{11}, [b]_{17}).
$$
Since all three latter groups are cyclic, they contain exactly one element of order 2. Since $560 = 2^4 \cdot 35$
the sequence becomes
$$
[a^{35}]_{561},\ ([a^{35}]_{561})^2,\ ([a^{35}]_{561})^{2^2},\ ([a^{35}]_{561})^{2^3}.
$$
Case 1. $[a^{35}]_{561} = [1]_{561}$. This holds if and only if $o([a]_{561})$ divides 35. Hence if and only if $o([a]_3)$,
$o([a]_{11})$ and $o([a]_{17})$ divide 35. It follows that $o([a]_3) = 1$, $o([a]_{11})$ divides 5 and $o([a]_{17}) = 1$. So
there are 5 possibilities, one of which is $[1]_{561}$. The elements of order 5 in $(\mathbb{Z}/11\mathbb{Z})^*$ are $[3]_{11}$, $[4]_{11}$,
$[5]_{11}$ and $[9]_{11}$. Thus the elements are $([1]_3, [b]_{11}, [1]_{17})$, with $[b]_{11} \in \{[3]_{11}, [4]_{11}, [5]_{11}, [9]_{11}, [1]_{11}\}$,
that is $[256]_{561}$, $[103]_{561}$, $[511]_{561}$, $[460]_{561}$ and $[1]_{561}$.
Case 2. $[a^{35}]_{561} = [-1]_{561}$. This holds if and only if $([a]_3, [a]_{11}, [a]_{17})^{35} = ([-1]_3, [-1]_{11}, [-1]_{17})$. This
holds if and only if $o([a^{35}]_3) = o([a^{35}]_{11}) = o([a^{35}]_{17}) = 2$. The elements are $([-1]_3, [b]_{11}, [-1]_{17})$,
with $[b]_{11} \in \{[-3]_{11}, [-4]_{11}, [-5]_{11}, [-9]_{11}, [-1]_{11}\}$, that is $[305]_{561}$, $[458]_{561}$, $[50]_{561}$, $[101]_{561}$ and
$[560]_{561}$.
Case 3. $([a^{35}]_{561})^{2^i} = [-1]_{561}$, with $i \ge 1$. This holds if and only if
$([a^{35}]_3, [a^{35}]_{11}, [a^{35}]_{17})^{2^i} = ([-1]_3, [-1]_{11}, [-1]_{17})$. Hence, if and only if
$o([a^{35}]_3) = o([a^{35}]_{11}) = o([a^{35}]_{17}) = 2^{i+1}$. Observe that there are no possibilities for the algorithm
to give such a sequence as an answer, as $(\mathbb{Z}/3\mathbb{Z})^*$ does not contain elements of order 4.
Example
Let $n = 481$ and $a \in \mathbb{Z}$, with $1 \le a < 481$ and $\gcd(a, n) = 1$. We count the number of values of $a$
such that 481 is a strong $a$-pseudo prime. We have $(\mathbb{Z}/481\mathbb{Z})^* \cong (\mathbb{Z}/13\mathbb{Z})^* \times (\mathbb{Z}/37\mathbb{Z})^*$. Since
$n - 1 = 480 = 2^5 \cdot 15$, the sequence becomes
$$
[a^{15}]_{481},\ ([a^{15}]_{481})^2,\ ([a^{15}]_{481})^{2^2},\ ([a^{15}]_{481})^{2^3},\ ([a^{15}]_{481})^{2^4}.
$$
Case 1. $[a^{15}]_{481} = [1]_{481}$. This holds if and only if $([a^{15}]_{13}, [a^{15}]_{37}) = ([1]_{13}, [1]_{37})$. Hence, if and
only if $o([a]_{13}) \mid 15$ and $o([a]_{37}) \mid 15$. We look at the 2 groups separately. In $(\mathbb{Z}/13\mathbb{Z})^*$ we have that,
since $\gcd(15, 12) = 3$, $[a^{15}]_{13} = [1]_{13}$ if and only if $[a^3]_{13} = [1]_{13}$. Moreover, this group is cyclic so
has 3 elements with this property. In $(\mathbb{Z}/37\mathbb{Z})^*$ we have that, since $\gcd(15, 36) = 3$, $[a^{15}]_{37} = [1]_{37}$
if and only if $[a^3]_{37} = [1]_{37}$. Moreover, this group is cyclic so has 3 elements with this property.
Hence there are $3 \cdot 3 = 9$ values for $a$ in this case.
Case 2. $[a^{15}]_{481} = [-1]_{481}$. This holds if and only if $([a^{15}]_{13}, [a^{15}]_{37}) = ([-1]_{13}, [-1]_{37})$. Hence, if
and only if $o([a^{15}]_{13}) = o([a^{15}]_{37}) = 2$. Hence there are $3 \cdot 3 = 9$ values for $a$ in this case.
Case 3. $([a^{15}]_{481})^2 = [-1]_{481}$. This holds if and only if $(([a^{15}]_{13})^2, ([a^{15}]_{37})^2) = ([-1]_{13}, [-1]_{37})$.
Hence, if and only if $o([a^{15}]_{13}) = o([a^{15}]_{37}) = 4$. Hence there are $6 \cdot 6 = 36$ values for $a$ in this case.
Case 4. $([a^{15}]_{481})^{2^i} = [-1]_{481}$, with $i \ge 2$. This holds if and only if
$(([a^{15}]_{13})^{2^i}, ([a^{15}]_{37})^{2^i}) = ([-1]_{13}, [-1]_{37})$. Hence, if and only if $o([a^{15}]_{13}) = o([a^{15}]_{37}) = 2^{i+1}$.
This is not possible, for $(\mathbb{Z}/13\mathbb{Z})^*$ has no elements of order 8.
Hence there are 54 values $a \in \mathbb{Z}$, with $1 \le a < 481$ and $\gcd(a, n) = 1$, that are false witnesses.
We will now redo this calculation in a different, more down-to-earth way.
Example
Let $n = 481$ and $a \in \mathbb{Z}$, with $1 \le a < 481$ and $\gcd(a, n) = 1$. We count the number of values of $a$
such that 481 is a strong $a$-pseudo prime. We have $(\mathbb{Z}/481\mathbb{Z})^* \cong (\mathbb{Z}/13\mathbb{Z})^* \times (\mathbb{Z}/37\mathbb{Z})^*$. Since
$n - 1 = 480 = 2^5 \cdot 15$, the sequence becomes
$$
[a^{15}]_{481},\ ([a^{15}]_{481})^2,\ ([a^{15}]_{481})^{2^2},\ ([a^{15}]_{481})^{2^3},\ ([a^{15}]_{481})^{2^4}.
$$
Case 1. The calculation remains the same as in the previous way.
Case 2. $[a^{15}]_{481} = [-1]_{481}$. This holds if and only if $([a^{15}]_{13}, [a^{15}]_{37}) = ([-1]_{13}, [-1]_{37})$. We look at
the 2 groups separately.
In $(\mathbb{Z}/13\mathbb{Z})^*$ we have $[a^{15}]_{13} = [-1]_{13}$ if and only if $[a^{30}]_{13} = 1$ and $[a^{15}]_{13} \ne 1$, for the group
has only one element of order 2, namely $[-1]_{13}$. Thus $[a^{15}]_{13} = [-1]_{13}$ if and only if $o([a]_{13}) \mid 30$ and
$o([a]_{13}) \nmid 15$. Since $\gcd(12, 30) = 6$, $\gcd(12, 15) = 3$ and the group is cyclic, there are $6 - 3 = 3$
choices for $[a]_{13}$.
In $(\mathbb{Z}/37\mathbb{Z})^*$ we have $[a^{15}]_{37} = [-1]_{37}$ if and only if $[a^{30}]_{37} = 1$ and $[a^{15}]_{37} \ne 1$, for the group
has only one element of order 2, namely $[-1]_{37}$. Thus $[a^{15}]_{37} = [-1]_{37}$ if and only if $o([a]_{37}) \mid 30$ and
$o([a]_{37}) \nmid 15$. Since $\gcd(36, 30) = 6$, $\gcd(36, 15) = 3$ and the group is cyclic, there are $6 - 3 = 3$
choices for $[a]_{37}$. Hence $3 \cdot 3 = 9$ numbers in total.
Case 3. $[a^{30}]_{481} = [-1]_{481}$. This holds if and only if $([a^{30}]_{13}, [a^{30}]_{37}) = ([-1]_{13}, [-1]_{37})$. We look at
the 2 groups separately.
In $(\mathbb{Z}/13\mathbb{Z})^*$ we have $[a^{30}]_{13} = [-1]_{13}$ if and only if $[a^{60}]_{13} = 1$ and $[a^{30}]_{13} \ne 1$, for the group
has only one element of order 2, namely $[-1]_{13}$. Thus $[a^{30}]_{13} = [-1]_{13}$ if and only if $o([a]_{13}) \mid 60$ and
$o([a]_{13}) \nmid 30$. Since $\gcd(12, 60) = 12$, $\gcd(12, 30) = 6$ and the group is cyclic, there are $12 - 6 = 6$
choices for $[a]_{13}$.
In $(\mathbb{Z}/37\mathbb{Z})^*$ we have $[a^{30}]_{37} = [-1]_{37}$ if and only if $[a^{60}]_{37} = 1$ and $[a^{30}]_{37} \ne 1$, for the group
has only one element of order 2, namely $[-1]_{37}$. Thus $[a^{30}]_{37} = [-1]_{37}$ if and only if $o([a]_{37}) \mid 60$ and
$o([a]_{37}) \nmid 30$. Since $\gcd(36, 60) = 12$, $\gcd(36, 30) = 6$ and the group is cyclic, there are $12 - 6 = 6$
choices for $[a]_{37}$. Hence $6 \cdot 6 = 36$ numbers in total.
Case 4. $([a^{15}]_{481})^{2^i} = [-1]_{481}$, with $i \ge 2$. This holds if and only if
$(([a^{15}]_{13})^{2^i}, ([a^{15}]_{37})^{2^i}) = ([-1]_{13}, [-1]_{37})$. We look at the first group. In $(\mathbb{Z}/13\mathbb{Z})^*$ we have
$([a^{15}]_{13})^{2^i} = [-1]_{13}$ if and only if $([a^{15}]_{13})^{2^{i+1}} = [1]_{13}$ and $([a^{15}]_{13})^{2^i} \ne [1]_{13}$, for the group
has only one element of order 2, namely $[-1]_{13}$. Thus $([a^{15}]_{13})^{2^i} = [-1]_{13}$ if and only if
$o([a]_{13}) \mid 15 \cdot 2^{i+1}$ and $o([a]_{13}) \nmid 15 \cdot 2^i$. Since $\gcd(12, 15 \cdot 2^{i+1}) = 12$ and $\gcd(12, 15 \cdot 2^i) = 12$,
there are no possible choices for $[a]_{13}$.
Hence there are 54 values $a \in \mathbb{Z}$, with $1 \le a < 481$ and $\gcd(a, n) = 1$, that are false witnesses.
Lemma 1.7.5 For any odd composite number $n$ there exists an $a \in \mathbb{Z}$, with $1 < a < n$ and
$\gcd(a, n) = 1$, such that $a$ is a witness for $n$ being composite.
Proof. Let $n = p_1^{r_1} \cdot p_2^{r_2} \cdots p_t^{r_t}$, where $p_1, \ldots, p_t$ are distinct odd prime numbers and $r_i \ge 1$, for all
$i \in \{1, 2, \ldots, t\}$, be the factorization of $n$ in primes. Let $n - 1 = 2^s \cdot d$, with $d$ odd. Consider the
isomorphism
$$
(\mathbb{Z}/n\mathbb{Z})^* \cong (\mathbb{Z}/p_1^{r_1}\mathbb{Z})^* \times (\mathbb{Z}/p_2^{r_2}\mathbb{Z})^* \times \cdots \times (\mathbb{Z}/p_t^{r_t}\mathbb{Z})^*, \qquad
[b]_n \mapsto ([b]_{p_1^{r_1}}, [b]_{p_2^{r_2}}, \ldots, [b]_{p_t^{r_t}}).
$$
Suppose $t \ge 2$. Let $a \in \mathbb{Z}$, with $1 < a < n$, be such that $[a]_n \mapsto ([-1]_{p_1^{r_1}}, [1]_{p_2^{r_2}}, \ldots, [1]_{p_t^{r_t}})$. Then
$[a^d]_n = [a]_n \ne [\pm 1]_n$, since $d$ is odd and $t \ge 2$, and $([a^d]_n)^2 = [1]_n$. If $s = 1$, then the sequence
consists only of $[a^d]_n$, and $a$ is a witness. If $s \ge 2$, then the sequence starts with $[a^d]_n, [1]_n, \ldots$, hence
$a$ is a witness.
If $t = 1$ and $r_1 > 1$, then $\gcd(d, p_1) = 1$. In this case we have $(\mathbb{Z}/n\mathbb{Z})^* = (\mathbb{Z}/p_1^{r_1}\mathbb{Z})^*$, which
is a cyclic group of order $p_1^{r_1 - 1}(p_1 - 1)$. Let $a \in \mathbb{Z}$, with $1 < a < n$, be such that $[a]_n$
has order $p_1$ (there are $p_1 - 1$ of them). Since $o([a^d]_n) = p_1$ we have $o(([a^d]_n)^{2^i}) = p_1$ too. Hence
$([a^d]_n)^{2^i} \ne [-1]_n$, since $o([-1]_n) = 2$, thus $a$ is a witness. $\square$
In fact there are many witnesses.
Theorem 1.7.6 (Rabin, 1980) Let $n \ge 3$ be an odd composite number. At most $\frac{1}{4}$ of the numbers
$a \in \mathbb{Z}$, with $1 < a < n$ and $\gcd(a, n) = 1$, are false witnesses.
Let $n \ge 3$ be an odd composite number and $a \in \mathbb{Z}$, with $1 < a < n$. If $\gcd(a, n) \ne 1$, then $n$ is
composite. If $\gcd(a, n) = 1$, then the probability that $n$ passes the Miller-Rabin test for a randomly
chosen such $a$ is at most $\frac{1}{4}$. In fact, there are better estimates one can make.
Remarks
Between 1 and $10^{10}$ there are 455052511 prime numbers, 14884 2-pseudo primes and 3291 strong
2-pseudo primes.
In practice one can use the Miller-Rabin test to create large prime numbers. We look for a prime
$p$ with $2^{127} \le p < 2^{128}$. Then, in base 2, $p$ can be represented as a bit string of length 128, which
starts and ends with 1. Now choose a random bit string of length 128, which starts and ends with
1, and let $n$ be the corresponding number in base 2. Then apply the following probabilistic test to
see if the number is prime: check if $n$ is divisible by a prime less than $10^6$ (there is a known list of
these primes). If not, then apply the Miller-Rabin test for 3 different values of $a$. If the number has
survived this test then the probability that $n$ is not a prime is less than $(\frac{1}{2})^{80}$.
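The Miller-Rabin sequence of 1.7.2, the witness/false-witness classification, the false-witness counts of the two worked examples (10 for 561 and 54 for 481, counted over $1 \le a < n$), and the screening procedure of the Remark above, as one added example (not the notes' own code); the function names, the use of random bases from `secrets`, and the trial-division bound of 2000 (the notes use the primes below $10^6$) are assumptions made here.

```python
# Added example (not from the lecture notes): Miller-Rabin sequence, witness
# classification, false-witness counts, and the screening procedure above.
from math import gcd
import secrets


def split_power_of_two(n):
    """Write n - 1 = 2^s * d with d odd and return (s, d)."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    return s, d


def miller_rabin_sequence(n, a):
    """The residues [a^d]_n, ([a^d]_n)^2, ..., ([a^d]_n)^(2^(s-1))."""
    s, d = split_power_of_two(n)
    seq = [pow(a, d, n)]
    for _ in range(s - 1):
        seq.append(seq[-1] * seq[-1] % n)
    return seq


def passes_miller_rabin(n, a):
    """n passes for a: gcd(a, n) = 1 and the sequence is all 1 or contains -1."""
    if gcd(a, n) != 1:
        return False
    seq = miller_rabin_sequence(n, a)
    return all(x == 1 for x in seq) or (n - 1) in seq


def classify(n, a):
    """For composite n: is a a witness of compositeness or a false witness?"""
    return "false witness" if passes_miller_rabin(n, a) else "witness"


def count_false_witnesses(n):
    """Number of a with 1 <= a < n and gcd(a, n) = 1 for which n passes."""
    return sum(1 for a in range(1, n) if passes_miller_rabin(n, a))


# Assumed bound 2000 for the trial-division step (the notes use 10^6).
SMALL_PRIMES = [p for p in range(2, 2000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n, rounds=3):
    """Trial division, then Miller-Rabin with `rounds` random bases 1 < a < n-1."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        if not passes_miller_rabin(n, a):
            return False
    return True


def random_prime_128():
    """Draw 128-bit candidates with first and last bit set until one survives."""
    while True:
        n = secrets.randbits(128) | (1 << 127) | 1
        if is_probable_prime(n):
            return n
```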
In 2002 Manindra Agrawal, Neeraj Kayal, and Nitin Saxena created a deterministic primality-proving
algorithm. The algorithm, known as the AKS primality test, determines whether a number
is prime or composite within polynomial time (in the number of digits). Current implementations
are not fast enough yet.
Lemma 1.7.7 Let $n$ be an odd number and $a \in \mathbb{Z}$, with $\gcd(a, n) = 1$. If $n$ is an $a$-pseudo prime,
but not a strong $a$-pseudo prime, then there exists a fast algorithm to find some factors of $n$.
Proof. Let $n - 1 = 2^s \cdot d$, with $d$ odd. Consider the sequence
$$
[a^d]_n,\ ([a^d]_n)^2,\ \ldots,\ ([a^d]_n)^{2^{s-1}},\ ([a^d]_n)^{2^s}.
$$
Since $n$ is an $a$-pseudo prime we have $([a^d]_n)^{2^s} = [1]_n$. Since $n$ is not a strong $a$-pseudo prime, the
sequence
$$
[a^d]_n,\ ([a^d]_n)^2,\ \ldots,\ ([a^d]_n)^{2^{s-1}}
$$
is not all 1 nor does it contain $[-1]_n$. Whence there exists an $l$ with $0 \le l < s$, such that $([a^d]_n)^{2^l} \ne [\pm 1]_n$
and $([a^d]_n)^{2^{l+1}} = [1]_n$. Let $b \in \mathbb{Z}$, with $0 \le b < n$, such that $b \equiv a^{2^l \cdot d} \pmod{n}$. Then $b^2 \equiv 1 \pmod{n}$
and $b \not\equiv \pm 1 \pmod{n}$. In particular, $n$ divides $b^2 - 1 = (b + 1)(b - 1)$. If $\gcd(n, b - 1) = 1$, then
$n \mid (b + 1)$, contradicting the fact that $b \not\equiv -1 \pmod{n}$. If $\gcd(n, b - 1) = n$, then $n \mid (b - 1)$, contradicting
the fact that $b \not\equiv 1 \pmod{n}$. Hence $1 < \gcd(n, b - 1) < n$. Similarly $1 < \gcd(n, b + 1) < n$. $\square$
Example
Let $n = 561$, which is a Carmichael number, and $a = 2$. Then $n - 1 = 560 = 2^4 \cdot 35$. The sequence
$[2^{35}]_n, ([2^{35}]_n)^2, ([2^{35}]_n)^4, ([2^{35}]_n)^8, ([2^{35}]_n)^{16}$ equals $263, 166, 67, 1, 1$.
Let $b = 67$, then $\gcd(561, 66) = 11$ and $\gcd(561, 68) = 17$. Thus 11 and 17 are divisors of 561.
Indeed $561 = 3 \cdot 11 \cdot 17$.
In particular, if $n$ is the product of two odd primes, then the above algorithm gives a way of
factorizing $n$ into primes. RSA moduli should therefore not be of this type.
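The factor-finding argument of Lemma 1.7.7 as runnable code, added here as an example (not code from the notes); the function names are chosen for this example. On the example above it finds $b = 67$ and returns the divisors $\gcd(561, 66) = 33$ (a multiple of the 11 named above) and $\gcd(561, 68) = 17$; on $341 = 11 \cdot 31$ with $a = 2$ it splits a product of two primes, the situation the last paragraph warns about for RSA moduli.

```python
# Added example (not from the lecture notes): Lemma 1.7.7 turned into code.
# A Fermat liar a that is not a strong liar yields b with b^2 = 1, b != +-1
# (mod n), and gcd(n, b - 1), gcd(n, b + 1) are then proper divisors of n.
from math import gcd


def nontrivial_sqrt_of_one(n, a):
    """Walk a^d, a^(2d), ..., a^(2^s d) mod n, where n - 1 = 2^s d with d odd.
    Return the first term b with b^2 = 1 but b != +-1 (mod n), or None if the
    sequence is all 1, hits -1 (a is a false witness), or never reaches 1
    (a^(n-1) != 1, so a is already a Fermat witness)."""
    if gcd(a, n) != 1:
        return None
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    x = pow(a, d, n)
    for _ in range(s):
        if x == 1 or x == n - 1:
            return None              # all-1 or -1 appears: strong liar
        y = x * x % n
        if y == 1:
            return x                 # x^2 = 1 and x is not +-1
        x = y
    return None                      # a^(n-1) != 1: not a Fermat liar


def split_from_fermat_liar(n, a):
    """Return (b, gcd(n, b-1), gcd(n, b+1)) as in the lemma, or None."""
    b = nontrivial_sqrt_of_one(n, a)
    if b is None:
        return None
    g1, g2 = gcd(n, b - 1), gcd(n, b + 1)
    assert 1 < g1 < n and 1 < g2 < n   # guaranteed by the lemma
    return b, g1, g2


if __name__ == "__main__":
    print(split_from_fermat_liar(561, 2))     # (67, 33, 17)
    print(split_from_fermat_liar(561, 101))   # None: 101 is a false witness
    print(split_from_fermat_liar(341, 2))     # (32, 31, 11): 341 = 11 * 31
```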