unit 4
Session: 2024-25
3
Probabilistic Algorithms
• A probabilistic algorithm in this category returns either "prime" or "composite" based on the following rules:
• If the integer to be tested is actually a prime, the algorithm definitely returns "prime".
• If the integer to be tested is actually a composite, it returns "composite" with probability 1 − ε, but it may return "prime" with probability ε.
• The probability of a mistake can be reduced if we run the algorithm more than once with different parameters or using different methods. If we run the algorithm m times, the probability of error may reduce to ε^m.
4
1. Fermat primality test
• If n is a prime, then a^(n−1) ≡ 1 (mod n).
• Note that this means that if n is a prime, the congruence holds. It does not mean that if the congruence holds, n is a prime. The integer can be a prime or composite. So the Fermat test is
• If n is a prime, a^(n−1) ≡ 1 (mod n)
• If n is a composite, it is possible that a^(n−1) ≡ 1 (mod n)
• The probability can be improved by testing with several bases (a1, a2, a3, and so on). Each test increases the probability that the number is a prime.
• Example: Since 5 is prime,
• 2^4 ≡ 1 (mod 5) [or 2^4 % 5 = 1], 3^4 ≡ 1 (mod 5) and 4^4 ≡ 1 (mod 5)
• Since 7 is prime, 2^6 ≡ 1 (mod 7), 3^6 ≡ 1 (mod 7), 4^6 ≡ 1 (mod 7), 5^6 ≡ 1 (mod 7) and 6^6 ≡ 1 (mod 7)
5
Fermat Liars
• Fermat liars are composite numbers that falsely pass Fermat's primality test for certain bases a, meaning they satisfy the congruence a^(n−1) ≡ 1 (mod n) even though they are not prime.
• Example:
• 9 with base 2
• 28 mod 9 = 1 which is true
• 341 with bases 2, 3, and 5:
• 341 satisfies a^340 ≡ 1 (mod 341) for several bases, such as a = 2, a = 3, and a = 5.
• 341 is composite (341 = 11 × 31)
• Does the number 561 pass the Fermat test?
• Use base 2
• 2^(561−1) ≡ 1 (mod 561)
• The number passes the Fermat test, but it is not a prime, because 561 = 33 × 17.
6
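The Fermat test and the liar behaviour described on the last two slides, as an added example (this code is not part of the slides; the function names fermat_passes, fermat_test, fermat_liar_bases and all_coprime_bases_lie are my own). It uses only the Python standard library. Besides the single-base check, it shows the practical points behind the slides: one failing base proves compositeness, passing every base still only gives "probably prime", and 561 passes for every base coprime to it, so adding bases does not help for that number.

```python
# Added example, not from the slides: the Fermat test on a list of bases,
# plus helpers that expose the "liar" bases of a composite n.
from math import gcd


def fermat_passes(n: int, a: int) -> bool:
    """True when a^(n-1) ≡ 1 (mod n), i.e. n passes the Fermat test for base a."""
    if n < 2:
        return False
    # Three-argument pow does modular exponentiation without huge intermediates.
    return pow(a, n - 1, n) == 1


def fermat_test(n: int, bases) -> str:
    """Apply the test with every base in `bases`.

    One failing base proves n composite; passing every base only says
    "probably prime" (every base may have been a liar, as for 561).
    """
    if n < 2:
        return "composite"
    if n in (2, 3):
        return "prime"
    for a in bases:
        if not fermat_passes(n, a):
            return "composite"
    return "probably prime"


def fermat_liar_bases(n: int) -> list:
    """Bases a in [2, n-2] for which composite n still passes the test."""
    return [a for a in range(2, n - 1) if fermat_passes(n, a)]


def all_coprime_bases_lie(n: int) -> bool:
    """True when every base coprime to n passes (the behaviour of 561)."""
    return all(fermat_passes(n, a) for a in range(2, n - 1) if gcd(a, n) == 1)


if __name__ == "__main__":
    for n in (271, 341, 561):
        print(n, fermat_test(n, [2]), fermat_test(n, [2, 3, 5, 7]))
    print("liar bases of 341:", len(fermat_liar_bases(341)))
    print("561 fools every coprime base:", all_coprime_bases_lie(561))
```

Note that a base sharing a factor with n can never satisfy a^(n−1) ≡ 1 (mod n), which is why all_coprime_bases_lie restricts itself to coprime bases when testing 561.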
2. Miller-Rabin Test
Algorithm:
Miller_Rabin_Test (n, a)   // n is the number; a is the base.
{
    Find m and k such that n − 1 = 2^k × m   // m is odd
    b = a^m mod n                             // choose a, 1 <= a <= n − 1
    if (b ≡ ±1 mod n)
        return "n is a prime"
    for (i = 0 to k − 1)                      // k − 1 is the maximum number of steps.
    {
        if (b ≡ −1 mod n)
            return "n is a prime"
        else
            b = b^2 mod n
    }
    return "n is a composite"
}
7
Examples
• 561
Using base 2: 561 − 1 = 560 = 35 × 2^4, which means m = 35, k = 4, and a = 2.
Initialization: b0 = 2^35 mod 561 = 263
For i = 0 to 3 (k − 1 = 4 − 1):
i = 0: b0 = 2^35 mod 561 = 263 (not ≡ −1)
i = 1: b1 = 263^2 mod 561 = 166
i = 2: b2 = 166^2 mod 561 = 67
i = 3: b3 = 67^2 mod 561 = 1
Since the last value is not equal to −1,
561 is a composite number
8
• 61
We know that 61 is a prime.
n − 1 = 2^k × m
61 − 1 = 60 = 15 × 2^2 → m = 15, k = 2, a = 2
Initialization: b0 = 2^15 mod 61 = 11
i = 0: b0 = 2^15 mod 61 = 11 (not ≡ ±1)
i = 1: b1 = 11^2 mod 61 = 121 mod 61 = 60 ≡ −1 mod 61 → a prime
9
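The Miller-Rabin test with the same structure as the pseudocode above, as an added example (not part of the slides; split_n_minus_1, miller_rabin_trace, miller_rabin_test and is_probable_prime are names I chose). It returns the sequence b0, b1, ... so the two worked examples (561 and 61) can be followed step by step, and the multi-base wrapper shows why a composite that fools one base is still caught.

```python
# Added example, not from the slides: Miller-Rabin following the pseudocode
# above, returning the sequence b0, b1, ... for each base.


def split_n_minus_1(n: int):
    """Write n - 1 = 2^k * m with m odd; returns (k, m)."""
    k, m = 0, n - 1
    while m % 2 == 0:
        k += 1
        m //= 2
    return k, m


def miller_rabin_trace(n: int, a: int):
    """Run the test for odd n > 2 and base 1 <= a <= n-1.

    Returns ("prime" | "composite", [b0, b1, ...]).
    """
    k, m = split_n_minus_1(n)
    b = pow(a, m, n)                  # b0 = a^m mod n
    trace = [b]
    if b in (1, n - 1):               # b0 ≡ ±1 (mod n)
        return "prime", trace
    for _ in range(k - 1):            # at most k - 1 further squarings
        b = pow(b, 2, n)              # b_{i+1} = b_i^2 mod n
        trace.append(b)
        if b == n - 1:                # reached -1: this base is not a witness
            return "prime", trace
    return "composite", trace         # never reached -1: n is definitely composite


def miller_rabin_test(n: int, a: int) -> str:
    """Verdict only, matching the pseudocode's return strings."""
    return miller_rabin_trace(n, a)[0]


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13)) -> bool:
    """Declare n prime only if every base in `bases` says so."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for a in bases:
        a %= n                        # keep the base inside [0, n-1]
        if a == 0:
            continue                  # base is a multiple of n: skip it
        if miller_rabin_test(n, a) == "composite":
            return False
    return True


if __name__ == "__main__":
    print(561, miller_rabin_trace(561, 2))   # composite, [263, 166, 67, 1]
    print(61, miller_rabin_trace(61, 2))     # prime, [11, 60]
```

A prime is never reported composite by any base, so the only way the wrapper errs is if every base happens to be a liar for a composite n; that is why several bases are used in practice.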
Chinese Remainder Theorem
• The Chinese remainder theorem (CRT) is used to solve a set of congruence equations in one variable but with different moduli that are relatively prime, as shown below:
x ≡ a1 mod m1, x ≡ a2 mod m2, …, x ≡ ak mod mk
• The Chinese remainder theorem states that the above equations have a unique solution (modulo the product of the moduli) if the moduli are relatively prime.
10
The solution to the set of equations follows these steps:
1. Find M = m1 × m2 × … × mk. This is the common modulus.
2. Find M1 = M/m1, M2 = M/m2, …, Mk = M/mk.
3. Find the multiplicative inverse of M1, M2, …, Mk using the corresponding moduli (m1, m2, …, mk). Call the inverses M1^−1, M2^−1, …, Mk^−1.
4. The solution to the simultaneous equations is
x = (a1 × M1 × M1^−1 + a2 × M2 × M2^−1 + … + ak × Mk × Mk^−1) mod M
11
Example:
Solve x ≡ 2 mod 3
x ≡ 3 mod 5
x ≡ 2 mod 7
• Solution: Following the steps:
Step 1. M = 3 × 5 × 7 = 105
Step 2. M1 = 105 / 3 = 35, M2 = 105 / 5 = 21, M3 = 105 / 7 = 15
Step 3. The inverses are M1^−1 = 2 (35 × 2 mod 3 = 1),
M2^−1 = 1 (21 × 1 mod 5 = 1),
M3^−1 = 1 (15 × 1 mod 7 = 1)
Step 4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105
= 233 mod 105 = 23
12
Find an integer that has a remainder of 3 when divided by 7 and 13, but is divisible by 12.
Solution: This is a CRT problem. We can form three equations and solve them to find the value of x.
x ≡ 3 mod 7
x ≡ 3 mod 13
x ≡ 0 mod 12
• Following the steps:
Step 1. M = 7 × 13 × 12 = 1092
Step 2. M1 = 1092 / 7 = 156, M2 = 1092 / 13 = 84, M3 = 1092 / 12 = 91
Step 3. The inverses are M1^−1 = 4 (156 × 4 mod 7 = 1),
M2^−1 = 11 (84 × 11 mod 13 = 1),
M3^−1 = 7 (91 × 7 mod 12 = 1)
Step 4. x = (3 × 156 × 4 + 3 × 84 × 11 + 0 × 91 × 7) mod 1092
= 4644 mod 1092 = 276
13
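The four-step CRT procedure from the slides as an added example (not part of the slides; mod_inverse, moduli_are_coprime and crt are my own names). It returns the intermediate values M, the M_i and their inverses together with x, so each step of the two worked examples above can be checked, and it refuses moduli that are not pairwise relatively prime, the condition the theorem requires.

```python
# Added example, not from the slides: the CRT steps with intermediate values.
from math import gcd


def mod_inverse(b: int, m: int) -> int:
    """Multiplicative inverse of b modulo m (extended Euclidean algorithm)."""
    r0, r1 = m, b % m
    t0, t1 = 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError(f"{b} has no inverse modulo {m}")
    return t0 % m                       # normalise into [0, m)


def moduli_are_coprime(moduli) -> bool:
    """CRT needs pairwise relatively prime moduli."""
    return all(gcd(moduli[i], moduli[j]) == 1
               for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def crt(residues, moduli):
    """Solve x ≡ a_i (mod m_i). Returns (x, M, [M_i], [M_i^-1])."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus expected")
    if not moduli_are_coprime(moduli):
        raise ValueError("moduli must be pairwise relatively prime")
    M = 1                                               # step 1: common modulus
    for m in moduli:
        M *= m
    M_i = [M // m for m in moduli]                      # step 2: M_i = M / m_i
    inv = [mod_inverse(Mi, m) for Mi, m in zip(M_i, moduli)]  # step 3: inverses
    x = sum(a * Mi * i for a, Mi, i in zip(residues, M_i, inv)) % M  # step 4
    assert all(x % m == a % m for a, m in zip(residues, moduli))
    return x, M, M_i, inv


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))     # (23, 105, [35, 21, 15], [2, 1, 1])
    print(crt([3, 3, 0], [7, 13, 12]))   # (276, 1092, [156, 84, 91], [4, 11, 7])
```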
Quadratic Congruence
• A quadratic congruence is an equation of the form a2 x^2 + a1 x + a0 ≡ 0 (mod n). We limit our discussion to quadratic equations in which a2 = 1 and a1 = 0, that is, equations of the form
x^2 ≡ a (mod n)
• We first consider a prime modulus, x^2 ≡ a (mod p), in which p is a prime and a is an integer such that p does not divide a.
14
Quadratic Residues and Nonresidues
• In the equation x^2 ≡ a (mod p), a is called a quadratic residue (QR) if the equation has two solutions; a is called a quadratic nonresidue (QNR) if the equation has no solutions.
• It can be proved that in Zp*, with p − 1 elements, exactly (p − 1)/2 elements are quadratic residues and (p − 1)/2 are quadratic nonresidues.
• Euler's Criterion: How can we check whether an integer a is a QR modulo p? Euler's criterion gives a very specific condition:
a. If a^((p−1)/2) ≡ 1 (mod p), a is a quadratic residue modulo p.
b. If a^((p−1)/2) ≡ −1 (mod p), a is a quadratic nonresidue modulo p.
15
Example: Find out if 14 or 16 is a QR in Z23*
• 14^((23−1)/2) mod 23 = 14^11 mod 23 = 14^8 · 14^2 · 14^1 mod 23
14^2 mod 23 = 196 mod 23 = 12
14^4 mod 23 = (14^2)^2 mod 23 = 12^2 mod 23 = 144 mod 23 = 6
14^8 mod 23 = (14^4)^2 mod 23 = 6^2 mod 23 = 36 mod 23 = 13
= [13 · 12 · 14] mod 23 = 2184 mod 23 = 22 ≡ −1 (mod 23). Hence 14 is a quadratic nonresidue (QNR).
• 16^((23−1)/2) mod 23 = 16^11 mod 23 = 16^8 · 16^2 · 16^1 mod 23
16^2 mod 23 = 256 mod 23 = 3
16^4 mod 23 = (16^2)^2 mod 23 = 3^2 mod 23 = 9
16^8 mod 23 = (16^4)^2 mod 23 = 9^2 mod 23 = 81 mod 23 = 12
= [12 · 3 · 16] mod 23 = 576 mod 23 = 1. Hence 16 is a quadratic residue (QR).
16
Solving Quadratic Equation Modulo a Prime
• Although Euler's criterion tells us whether an integer a is a QR or QNR in Zp*, it cannot find the solution to x^2 ≡ a (mod p). To find the solution to this quadratic equation, we notice that a prime can be either p = 4k + 1 or p = 4k + 3, in which k is a positive integer. The solution to a quadratic equation is very involved in the first case; it is easier in the second.
• Special case p = 4k + 3: If p is of the form 4k + 3 (that is, p ≡ 3 mod 4) and a is a QR in Zp*, then
x ≡ a^((p+1)/4) (mod p) and x ≡ −a^((p+1)/4) (mod p)
17
Solve the following quadratic equations:
a. x^2 ≡ 3 (mod 23)
Solution: Check whether 3 is a QR in Z23* (explained in Slide 15):
3^((23−1)/2) mod 23 = 3^11 mod 23 = 3^8 · 3^2 · 3^1 mod 23
3^2 mod 23 = 9
3^4 mod 23 = (3^2)^2 mod 23 = 9^2 mod 23 = 81 mod 23 = 12
3^8 mod 23 = (3^4)^2 mod 23 = 12^2 mod 23 = 144 mod 23 = 6
= 6 · 9 · 3 mod 23 = 162 mod 23 = 1
Hence 3 is a QR, therefore the solutions are
x ≡ a^((p+1)/4) (mod p) and x ≡ −a^((p+1)/4) (mod p)
x ≡ 3^((23+1)/4) (mod 23) and x ≡ −3^((23+1)/4) (mod 23)
x ≡ 3^6 (mod 23) and x ≡ −3^6 (mod 23)
x ≡ ±3^6 (mod 23)
x ≡ ±16 (mod 23)
Hence x = ±16
18
b. x^2 ≡ 2 (mod 11)
Solution: Check whether 2 is a QR in Z11* (explained in Slide 15):
2^((11−1)/2) mod 11 = 2^5 mod 11
= 32 mod 11 = 10 ≡ −1 (mod 11)
Hence 2 is a QNR, therefore the equation has no solution.
c. x^2 ≡ 7 (mod 19)
Solution: Check whether 7 is a QR in Z19* (explained in Slide 15):
7^((19−1)/2) mod 19 = 7^9 mod 19 = 1
Hence 7 is a QR, therefore the solutions are
x ≡ a^((p+1)/4) (mod p) and x ≡ −a^((p+1)/4) (mod p)
x ≡ ±7^((19+1)/4) (mod 19) = ±7^5 mod 19 = ±11
19
Practice Questions:
1. Determine how many of the following integers pass the Fermat primality test:
100, 110, 130, 150, 200, 250, 271, 341, 561. Use base 2.
2. Determine how many of the following integers pass the Miller-Rabin primality
test: 100, 109, 201, 271, 341, 349. Use base 2.
3. Find the value of x for the following sets of congruence using the Chinese
remainder theorem.
1. x ≡ 2 mod 7, and x ≡ 3 mod 9
2. x ≡ 4 mod 5, and x ≡ 10 mod 11
3. x ≡ 7 mod 13, and x ≡ 11 mod 12
4. Using quadratic residues, solve the following congruences:
1. x^2 ≡ 4 mod 14
2. x^2 ≡ 5 mod 10
3. x^2 ≡ 7 mod 33
4. x^2 ≡ 12 mod 34
20
Contd.
5. Write an algorithm in pseudocode for the Fermat primality test.
6. Write an algorithm in pseudocode for the Miller Rabin primality
test.
7. Write an algorithm in pseudocode for the Chinese remainder
theorem.
8. Write an algorithm in pseudocode to find QRs and QNRs for any Zp*.
9. Distinguish between deterministic and probabilistic algorithms for
primality testing.
10. Define the Chinese remainder theorem and its application.
11. Define quadratic congruence and the importance of QRs and QNRs
in solving quadratic equations.
21