Modulo
Modulo
Cryptography – Part 2
• Modular arithmetic
Recall from elementary school how to divide a positive integer a (the dividend) by another
positive integer b (the divisor). You get a quotient and a remainder. That is, a = qb + r where
1
Cryptography 2 2
• Even numbers ≡ 0 (mod 2), i.e., when we divide any even number by 2 we always get the
same (zero) remainder, so we say that even numbers are congruent.
• Odd numbers ≡ 1 (mod 2).
• 6 ≡ 0 (mod 2) because 6 divides into 2 exactly three times and there is no remainder,
i.e., 6 = 3 × 2 with no remainder.
• 7 ≡ 1 (mod 2) because 6 divides into 2 to leave 2 remainder 1, i.e., 7 = 3 × 2 + 1.
• 15 ≡ 3 (mod 12) because 15 = 12 × 1 + 3.
For this last example we can make a connection between modular arithmetic and clocks – if
you count 15 hours round a clock (starting at 12) you get to 3 o’clock. Taking any number mod
12 is equivalent to counting round a clock that many times and looking at the result. Indeed,
modular arithmetic is sometimes called clock arithmetic for this reason. We can write the idea
of modular arithmetic in a more mathematical way and introduce the idea of equivalent, or
congruent, numbers:
It follows from the above definition that if
then
a + c ≡ b + d (mod n).
This is because if a ≡ b(mod n) then this means that we can write a = nq + b for some integer
value q. Similarly, we can write c = nr + d. So, adding these two results together means that
a + c = n(q + r) + b + d
and so indeed
a + c ≡ b + d (mod n).
Similarly,
ac ≡ bd (mod n)
(again, because if you work out the product of a and c, you recover bd by removing multiples
of n).
Cryptography 2 3
Often we are given the value of a (which can be large) and we want to find the value b which
is as small as possible, that is, between 0 and n − 1. In particular, if we need to make multiple
modular calculations, we simplify them after each step, so that we won’t need to multiply or
add numbers bigger than n − 1. This process of replacing a number with the remainder you
get when you divide it by n is called reduction modulo n.
Examples:
In this way you can find the remainder after division by 7 (or more general n) of huge numbers
without doing a lot of work.
What if you want to find 320984 (mod 7)? We know 320984 ≡ 5984 (mod 7), but 5984 is still
enormous! It turns out we can still do it easily by using the following trick. We start by writing
the exponent 984 as a sum of powers of 2. The successive powers of 2 are
We then write 984 as a sum of some of these numbers by first finding the largest power of 2 that
does not exceed 984 (that is 512 in this case), and “peeling off” successively smaller powers of
2 as follows:
984 = 512 + 472, 472 = 256 + 216, 216 = 128 + 88, 88 = 64 + 24, 24 = 16 + 8.
Comment: to represent a number as a sum of powers of two is actually equivalent to finding the
binary representation of a number. For example, the binary representation of 984 is 1111011000.
The last digit corresponds to the zero-th power of two, the next to last corresponds to the first
power etc. A “one” in the binary representation means that we should include the corresponding
power of 2, a “zero” means that we shouldn’t include the corresponding power. Let’s check: our
decomposition 984 = 29 + 28 + 27 + 26 + 0 × 25 + 24 + 23 + 0 × 22 + 0 × 21 + 0 × 20 translates
into 1111011000, the binary representation of 984.
We thus have
5984 = 5512+256+128+64+16+8
= 5512 × 5256 × 5128 × 564 × 516 × 58 .
Now
52 = 25 ≡ 4 (mod 7)
54 = 52 × 52 ≡ 4 × 4 (mod 7) = 16 (mod 7) ≡ 2 (mod 7)
58 = 54 × 54 ≡ 4 (mod 7)
516 = 58 × 58 ≡ 2 (mod 7)
532 ≡ 4 (mod 7), 564 ≡ 2 (mod 7), 5128 ≡ 4 (mod 7),
5256 ≡ 2 (mod 7), 5512 ≡ 4 (mod 7) .
In this example, we have shown that 5984 ≡ 1 (mod 7). In fact, one could show that a984 ≡ 1
(mod 7) for any integer a. (Since you can reduce the number before taking all the powers, you
only need to really check for a = 0, 1, 2, 3, 4, 5, and 6. This would be a good exercise to see that
you have mastered modular arithmetic.) The next theorem will show us why this curious fact
is true.
Before we talk about the theorem, recall from elementary school that every positive integer n has
a unique factorization into prime numbers, for example, 77 = 7 × 11 and 120 = 2 × 2 × 2 × 3 × 5.
We say that an integer n is divisible by another integer m to mean that n = km for some integer
k. This is the same as saying that n divided by m leaves no remainder, or equivalently, that
n ≡ 0 (mod m). Note that n is divisible by a prime number p precisely when p is one of the
prime factors of n. Furthermore, it is a special property of primes that if m and n are integers
and if mn is divisible by p, then either m is divisible by p or n is divisible by p, because p must
Cryptography 2 5
Check: if a is itself a multiple of 3, then both ap and a are equal to 0 (mod 3), and the identity
is true. So we need check only the cases where a is not a multiple of 3. We can start by casting
out all 3-s from a, so that we need to check only the cases a = 1 and a = 2. For a = 1, it is
obvious that a3 = 1 ≡ a (mod 3). For a = 2, we have a3 = 8 ≡ 2 (mod 3) and so this works.
Our next example is p = 5. Is it true that
?
p = 5 ⇒ a5 ≡ a (mod 5)
for all a ≡ 1, 2, 3, or 4 (mod 5)? (For a ≡0 (mod 5), we again don’t need to check anything,
because then the identity is obviously true.)
Check:
• a = 1 → Okay
• a = 2 ⇒ a5 = 32 ≡ 2 (mod 5)
• a = 3 ⇒ a2 = 9 ≡ 4 (mod 5)
⇒ a5 = a × a2 × a2 ≡ 48 (mod 5) ≡ 3 (mod 5)
• a = 4 ⇒ a2 = 16 ≡ 1 (mod 5)
⇒ a4 ≡ 1 (mod 5)
⇒ a5 ≡ a × a4 ≡ a ≡ 4 (mod 5)
⇒ Okay again.
We could keep checking for one prime number after the other, but this would never be quite
enough—there could always be a nagging doubt that somewhere, beyond the largest number
that we checked, there was one p for which the statement would not be true. We need a different
argument, that establishes the truth of Fermat’s little theorem without any doubt. To see how
we can do that, let’s look at a different way of checking whether a7 is ≡ a (mod 7), for all a
between 1 and 6. We’ll try to do it in such a way that we can hope that a similar argument
would work for other p.
Here is the idea: we will let p be our prime number and a be any integer. We want to prove that
ap ≡ a (mod p). If a ≡ 0 (mod p), then clearly ap ≡ 0 (mod p) also, and so ap ≡ a (mod p).
So it only remains to prove that ap ≡ a (mod p) in the case where a 6≡ 0 (mod p), i.e., where
a is not divisible by p. This will require a devious excursion of a few paragraphs rather than a
frontal assault. So please be patient.
Cryptography 2 6
or equivalently, by subtracting
which is the same as saying that (ap−1 −1)×1×2×. . .×(p−2)×(p−1) is divisible by the prime
p. Well, none of the factors 1, 2, . . . , p − 1 are divisible by p since these are numbers smaller
than p. So we must have ap−1 − 1 divisible by the prime p, i.e., ap−1 − 1 ≡ 0 (mod p), i.e.,
ap−1 ≡ 1 (mod p). This is the alternative form of Fermat’s little theorem, which only applies
when a is not divisible by p (as we have been assuming). To get the usual form, multiply both
sides by a to get ap ≡ a (mod p) and we have proved Fermat’s little theorem!
So now we know that ap ≡ a (mod p) when p is a prime and a is any integer. When
a ≡ 0 (mod p), this is obvious, and when a is not divisible by p, we showed this by show-
ing that ap−1 ≡ 1 (mod p), and then multiplying both sides by a. One consequence of the
latter case is that if a is not divisible by p, then a × ap−2 ≡ 1 (mod p). We say that ap−2 is
a multiplicative inverse of a modulo p. More generally, if m is any number (prime or not) and
ab ≡ 1 (mod m), we say that b is a multiplicative inverse of a modulo m.
It turns out that whenever a and m have no common factors (i.e., any prime appearing in the
prime factorization of a does not appear in the prime factorization of m), then we can always
find a multiplicative inverse of a modulo m. Furthermore, there is an algorithm (procedure
guaranteed to work) that finds the inverse very quickly! The algorithm is named after Euclid,
an ancient Greek mathematician, in whose book Elements it appears (although he was likely
documenting something known before his time).
We shall illustrate with an example rather than a proof. Suppose that we want to find a
multiplicative inverse of a modulo m with a = 20 and m = 63. That is, we want a number b
so that 20 × b ≡ 1 (mod 63). Note that a = 20 = 22 × 5 and m = 63 = 7 × 9, so they have no
common factor. The Euclidean algorithm works like this:
We consider our two elements 63 and 20. We put them on a list, with the larger element first.
63
20
Our list will also contain bookkeeping information in the form of congruences modulo the first
number. (In this case, modulo 63.) Record the reductions of the first two numbers modulo 63,
i.e., 63 ≡ 0 (mod 63) and 20 ≡ 20 (mod 63). So our list is actually
63 ≡ 0 (mod 63)
20 ≡ 20 (mod 63)
1. Divide the second-to-last element in the list by the last element in the list.
Cryptography 2 8
2. Write the remainder as the dividend (63) minus the quotient (3) times the divisor (20).
That is, write 3 = 63 − 3 × 20.
3. Now we change this equation to an equivalence modulo the first element on the list (i.e.,
modulo 63).
If two numbers are equal, they are equivalent modulo 63, so 3 ≡ 63 − 3 × 20 (mod 63).
4. Now we modify this equivalence: we use previous equivalences in our list to replace the
dividend (63) and divisor (20).
From our list, we know that 63 ≡ 0 (mod 63) and 20 ≡ 20 (mod 63), so our equivalence
3 ≡ 63 − 3 × 20 (mod 63) becomes 3 ≡ 0 − 3 × 20 ≡ −3 × 20 (mod 63).
Notice that this new equivalence gives our remainder 3 as a multiple of 20 modulo 63.
We should always get our remainder as a multiple of the second element on the list (20)
modulo the first element on the list (63).
5. Now append the new remainder plus this congruence to the end of the list to get
63 ≡ 0 (mod 63)
20 ≡ 20 (mod 63)
3 ≡ −3 × 20 (mod 63)
2. Write it as 2 = 20 − 6 × 3.
4. Replace dividend (20) and divisor (3) using congruences that are already on the list:
2 ≡ 20 − 6 × (−3 × 20) (mod 63). This should work out to some multiple of 20 modulo
63: in fact, 2 ≡ 20 + 18 × 20 ≡ 19 × 20 (mod 63).
63 ≡ 0 (mod 63)
20 ≡ 20 (mod 63)
3 ≡ −3 × 20 (mod 63)
2 ≡ 19 × 20 (mod 63)
Third step:
Cryptography 2 9
2. Write it as 1 = 3 − 1 × 2.
4. Replace dividend (3) and divisor (2) using congruences that are already on the list: 1 ≡
−3 × 20 − 1 × (19 × 20) (mod 63). This should work out to some multiple of 20 modulo
63: in fact, 1 ≡ −22 × 20 (mod 63).
63 ≡ 0 (mod 63)
20 ≡ 20 (mod 63)
3 ≡ −3 × 20 (mod 63)
2 ≡ 19 × 20 (mod 63)
1 ≡ −22 × 20 (mod 63)
Fourth step:
2. Write it as 0 = 2 − 2 × 1.
4. Replace dividend (2) and divisor (1) using congruences that are already on the list: 0 ≡
19 × 20 − 2 × (−22 × 20) (mod 63). This should work out to some multiple of 20 modulo
63: in fact, 0 ≡ 63 × 20 (mod 63).
63 ≡ 0 (mod 63)
20 ≡ 20 (mod 63)
3 ≡ −3 × 20 (mod 63)
2 ≡ 19 × 20 (mod 63)
1 ≡ −22 × 20 (mod 63)
0 ≡ 63 × 20 (mod 63)
So the Euclidean algorithm gave us the multiplicative inverse of 20 modulo 63. How can we
be sure that it will work for to find the multiplicative of any number a modulo any number m
when a and m have no common factor? (We always insist on the no-common-factor condition
for reasons beyond the scope of this lesson.) Is it just a freak accident that the information
we wanted appeared on our list? Is it even necessary that the Euclidean algorithm come to a
stop? Might we not just go on dividing forever?
Let’s analyze the last question. Note that each number is smaller than its predecessor since
it is the remainder of some calculation where we divide by the predecessor. For example the
remainder of 63 divided by 20 must be from 0 to 19 (in fact, it is 3). So we know the third
entry of our list must be less than 20, that is, less than the second entry of our list. Since
each number is less than the previous one, it is inevitable that the list end in zero. In fact the
numbers get small quite quickly, so the algorithm is quite fast in coming to a halt.
Okay, so the process stops, but how can we be sure that one line in the list will show us the
multiplicative inverse of a modulo m? Were we just “lucky” to find the equivalence 1 ≡ −22×20
(mod 63) as the second-to-last line of our list in the example above? A typical line of the list
(after the initial two lines) is of the form
r ≡ k × a (mod m),
i.e., some remainder is equal to a multiple of a modulo m. If r happens to be 1, then we have
1 ≡ k × a (mod m), so that k is the multiplicative inverse of a modulo m. So all we need to
do is show that 1 is one of the numbers appearing in our list. If this is so, then we shall always
obtain the multiplicative inverse by reading off this entry on our list.
In fact, we claim that the number right before 0 in our list will always be 1. This is a little
harder to prove, but here is the key idea:
Claim: Any two consecutive numbers in the list have no common factor, i.e., there is no
prime p such that both numbers are divisible by p.
You can check that it is true on our list 63, 20, 3, 2, 1, 0. Note that 63 is divisible by
the primes 3 and 7, but 20 is not. And 20 is divisible by the primes 2 and 5, but 3 is not. And
3 and 2 have no common prime factor, nor do 2 and 1, nor 1 and 0. Suppose for the moment
that the above claim is true in all applications of our algorithm (we will prove this shortly).
Then it is not hard to prove that the second-to-last (penultimate) entry on the list must be
1. This is because the last element, 0, is divisible by every prime p, in a very stupid but very
genuine way, namely, 0 = p × 0. So if the penultimate entry were divisible by any prime p
whatsoever, then the last two consecutive entries would be divisible by p, violating our claim.
So the penultimate entry must not be divisible by any prime. So it must be 1.
So we just need to prove the claim above that each consecutive pair in our list has no common
factor; this shows that the penultimate entry must be 1; if the penultimate entry in the list is
1, the congruence for that entry gives the multiplicative inverse of a modulo m. So let’s prove
the claim. The first two elements in our list are m and a, and they have no common factor
because we never run the Euclidean algorithm here unless m and a have no common factor. (It
is done in other circumstances, but not in this class.)
Cryptography 2 11
Now let’s show that the second and third element have no common factor. The third element
on our list (which we shall call r) is obtained as the remainder when we divide the first element
m by the second element a. Say m = qa + r, where q is the quotient. If both a (the second
element) and r (the third element) had a common prime factor p, then m = qa + r would also
be divisible by p. But then m and a would both be divisible by p—preposterously violating our
initial assumption that m and a have no common factor. So a and r cannot have any common
factors—that would lead straight to a contradiction.
So the second and third elements of the list, a and r, have no common factor. The fourth
element (which we shall call s) is obtained as the remainder when we divide the second element
by the third. So a = kr + s, where k is the quotient. Again, if the third and fourth elements
(r and s) had a common factor p, then a = kr + s would also have p as a factor. Then a and
r would have a common factor, contrary to what we just showed. So r and s have no common
factor.
We can keep on going like this: if two consecutive entries u and v have no common factor, and
if w is the remainder that you get when you divide u by v, then v has no factor in common
with w. We can continue this argument until we reach the end of the list, and thus prove that
each consecutive pair in the list has no common factor.
We conclude this section with one more example of the Euclidean algorithm, just to help you
get the hang of it. Suppose we want to find the multiplicative inverse of 69 modulo 25, i.e., a
number b such that 69 × b ≡ 1 (mod 25). Note that 69 ≡ 19 (mod 25), so it is just as well to
say that we are looking for a multiplicative inverse of 19 modulo 25. Note that 19 is prime and
25 = 52 , so the numbers have no common factors, so we can apply our algorithm. We begin
the list
25 ≡ 0 (mod 25)
19 ≡ 19 (mod 25)
First step:
2. Write it as 6 = 25 − 1 × 19.
4. Replace dividend (25) and divisor (19) using congruences that are already on the list:
6 ≡ 0 − 1 × 19 ≡ −1 × 19 (mod 25).
25 ≡ 0 (mod 25)
19 ≡ 19 (mod 25)
6 ≡ −1 × 19 (mod 25)
Second step:
Cryptography 2 12
2. Write it as 1 = 19 − 3 × 6.
4. Replace dividend (19) and divisor (6) using congruences that are already on the list:
1 ≡ 19 − 3 × (−1 × 19) ≡ 4 × 19 (mod 25).
25 ≡ 0 (mod 25)
19 ≡ 19 (mod 25)
6 ≡ −1 × 19 (mod 25)
1 ≡ 4 × 19 (mod 25)
We can actually abandon the Euclidean algorithm before we get the zero remainder, because
our list now has the entry 1 ≡ 4 × 19 (mod 25), which tells us that 4 is a multiplicative inverse
of 19 modulo 25. (Hence 4 is a multiplicative inverse of 69 modulo 25, since 19 ≡ 69 (mod 25).)
We only continued the Euclidean algorithm beyond this point in our first example to prove that
the algorithm halts and that it always works properly. Now that we know this, there is no need
to go to the end!
ap ≡ a (mod p)
We can repeat this multiplication with ap−1 as many times as we want, leading to
aK(p−1) × ap ≡ a (mod p) .
a(K+1)(p−1)+1 ≡ a (mod p) .
The RSA algorithm uses Fermat’s little theorem in a very ingenious way. Suppose that p and
q are two primes. We compute their product: n = p × q. Now we pick a positive integer r that
has no common factor with (p − 1)(q − 1). Then we find the multiplicative inverse of r modulo
(p − 1)(q − 1), that is we find a number s such that
y ≡ xr (mod n) .
The number y will be the encrypted version of the number x. To decrypt, we compute
z ≡ y s (mod n) ≡ xrs (mod n). We then claim that z is our original x again. To show that this
is the case, we first show that z ≡ x (mod n). By the equivalence labeled (1) above, and using
that rs = L(p − 1)(q − 1) + 1, we see that
or
xrs − x = multiple of q .
Since p and q are two different primes, xrs − x can be a multiple of both p and q only if it is a
multiple of their product n = p × q, which implies, as claimed above,
xrs ≡ x (mod n) .
This equivalence establishes only that xrs and x have the same remainders when divided by n.
But remember that we took care to pick x positive and less than n itself, so the remainder of
dividing xrs by n is always x; so we can recover x by computing the smallest positive number
that is equivalent to y s (mod n).
The idea to use this for encryption is now the following: Let x be a block of “plain text” (but
in the form of numbers). Then compute
y ≡ xr (mod n) .
Cryptography 2 14
The pair of values n, r is the public encryption key. This information is publicly available,
so anyone can compute y if they are given x. To decrypt, you also need to know s, the private
decryption key; to decrypt, you simply compute
y s (mod n) ≡ x .
That is, you need to know s to decrypt. Now s is the multiplicative inverse of r modulo
(p − 1)(q − 1). The outsiders know r, and if they knew (p − 1)(q − 1), then it would be easy
(with the Euclidean Algorithm) to compute s. But they don’t know (p − 1)(q − 1). They know
n, which is equal to pq, but they don’t have n factored into p and q. To find (p − 1)(q − 1), they
would need to know the prime factors p and q of n, and factoring large numbers is not easy.
In 1994, a team of many mathematicians made the headlines (in the science section) because
they factored a number of 129 digits. The effort took 8 months of computation by about 600
volunteers from more than 20 countries, on all continents except Antarctica. The number was
known as an RSA-129 challenge; this challenge had been published in Scientific American in
August 1977. One of the inventors of RSA, Ronald Rivest, had then made an estimation of the
time that would be needed to break RSA-129, based on 1977 knowledge and technology. It was
equal to 4 million lifetimes of the universe. (A lot of progress had been made between 1977 and
1994, mostly in the speed of the technology, but the 1994 factorization was still a heroic effort,
for a number with only 129 digits.)
Here is that factorization:
RSA-129 and Its Factors
1143816257578888676692357799761466120102182967212 (number continues on next line)
04236256256184293576935245733897830597123563958705058989075147599290026879543541
=
3490529510847650949147849619903898133417764638493387843990820577
×
32769132993266709549961988190834461413177642967992942539798288533
Once the factorization was obtained, it could be used to decrypt a message that Rivest, Shamir,
and Adelman had given as part of the challenge. The decrypted message was
This sentence was hidden in a 128-digit ciphertext. In this case, n had “only” 129 digits. With
every digit that you add, the problem becomes harder. (You’ll see this in the on-line Lab!) In
practical RSA schemes, n has 400 or more digits . . . .
How then do we construct n? We have to find p and q first.
How do you factor a number? Here is a straightforward and somewhat naive approach:
69 = 3 × 23
72 = 2 × 36 = 22 × 18 = 23 × 9 = 23 × 32
143 = ? not divisible by 2, 3, 5, 7
but divisible by 11 !
⇒ 143 = 11 × 13.
You run through the primes, starting from 2 and up from there, and
√ check every time whether
this is a divisor. If you haven’t found any divisors smaller than n, then you can stop: the
number n is prime.
667 = ? not divisible by 2, 3, 5, 7, 11, 13, 17, 19
√ but divisible by 23
667 ≈ 25.8
667 = 23 × 29
661
√ = ? not divisible by 2, 3, 5, 7, 11, 13, 17, 19, 23
661 ≈ 25.6 no other primes below 26
⇒ 661 is prime.
Factoring a number with three digits is not so hard, although not as immediate as factoring a
number of 2 digits. How hard is it to factor a number of 100 digits?
To factor a number of 100 digits by the method just proposed, we would have to run through
the different primes, checking each time whether we have a divisor or not, and this until we
either find a divisor or until we reach the square root of our number n. This square root
will have about 50 digits. How many primes are there that have 50 digits or less? After all,
primes become less and less common as you move up: between 1 and 100 there are 28 primes
(more than 1 out of 4, on average!), but between 1000 and 1100 there are only 16, a much
smaller number. So maybe they become so rare in those regions of very large numbers, that
the factoring task is sped up there! And maybe there is only a finite number of primes to worry
about anyway?
This last hopeful statement turns out to be mere wishful thinking. The Greeks already knew
that there are infinitely many primes.
Not only are there infinitely many primes, but their distribution is rather unpredictable (in
the sense that nobody has ever found a simple formula that produces all of the primes). On
the other hand, they are not totally unpredictable: for instance, each prime is less than 2
times its predecessor. (You can check on the first few: 2, 3, 5, 7, 11, 13, 19, 23, 29, 31, 37, . . . see
http://primes.utm.edu for a larger list of primes and lots of other information on primes).
Prime numbers become less frequent as we keep enumerating all the integers. We have pretty
accurate estimates of how many primes there are, say, between Y and 10Y . The “prime number
theorem” gives a formula for the number of primes with N or fewer digits, that is pretty accurate
when N is larger than, say, ten:
10N −1 10N −2
PN − PN −1 ' 4.3 × − 4.3 ×
N N −1
For N = 100, say, this gives
P100 − P99 ' 3.9 × 1097 .
So there are indeed much fewer prime numbers here: on average, only one out of every 238
numbers is prime in this region, but the region is so vast, that it still makes for a highly
respectable number of primes (much larger than the number of atoms that physicists estimate
to be in the visible universe . . . ). So, even though primes do become less frequent, there are
still plenty of them.
In practice, there are much smarter approaches than our method of successive trials. Mathe-
maticians have developed algorithms, with the intriguing names of the quadratic sieve, or the
number field sieve, which are much more efficient.
The factoring of the 193-digit number RSA-640 (so called because its binary representation has
640 binary digits) in 2005 took about five months of computing by a whole team of mathemati-
cians using 80 computers. The total run time would have been about 30 years if run on a single
desktop computer. Here is the exact quote describing this end of the series of RSA-challenges
(quoted from http://www.rsa.com/rsalabs/node.asp?id=2092):
Cryptography 2 17
If, for some a between 1 and n − 1, we find that an−1 6≡ a (mod n), then n is
necessarily composite (i.e., not prime).
This test is called the Fermat test for primality. By itself, this criterion is not strong enough
for our purposes, because it does not tell us when a number is prime.
So the idea is that we choose a lot of different values of a. If ever we get an−1 − 1 not divisible
by n, we can stop: our number n is certainly not prime. It fails. But if the number does not
fail after a large number of such tests, then we can be almost certain that it is prime (without
perfect certainty). However, for practical purposes this is usually enough; picking a composite
number which somehow doesn’t fail a battery of tests of this kind is more unlikely than a lot
of other possibilities that are not worth worrying about. Given that about one in every 260 of
the 100-digit numbers is prime, it is therefore easy to find 100-digit primes. You just pick a
random string of 100 digits, and you test it. If it is not prime, you just pick another one, and
you continue until you have found one.
Comment: in fact there are composite numbers n for which an−1 − 1 is a multiple of n for
almost any a between 1 and n − 1; such numbers n are rather rare themselves; a number n for
which an−1 ≡ 1 (mod n) whenever a shares no common factors with n is called a Carmichael
number.
Remark: Note that the existence of these criteria means that it is possible to say conclusively
that a number can be factored without being able to produce the factors! (In fact, this is a feat
that we can already achieve just by applying Fermat’s little theorem.)
Cryptography 2 18
243,112,609 − 1
discovered by the GIMPS PrimeNet network on August 23rd, 2008. This is a 12,978,189 digit
number (!) and the 45th known Mersenne prime.
More information can be found at http://www.mersenne.org/ . The GIMPS PrimeNet is a
network of “prime-searchers,” volunteers who download small pieces of one gigantic computation
that run quietly in the background on their PCs, and of which they report the results back to
the GIMPS central hub.
For more information about large prime numbers, see http://primes.utm.edu/ , and links
you find there.