
Prime Numbers
Chapter 8 THE UBIQUITY OF PRIME NUMBERS
Argue now that the private key $D$ can be obtained (since you know the public pair $N, E$) in polynomial effort (operation count bounded by a power of $\ln N$).
(4) So-called timing attacks have also been developed. If a machine calculates numbers such as $x^D$ using a power ladder whose square and multiply operations take different but fixed times, one can glean information about the exponent $D$. Say that you demand of a cryptosystem the generation of many signatures $x_i^D \bmod N$ for $i$ running through some set, and that you store the respective times $T_i$ required for the signing system to give the $i$-th signature. Then do the same timing experiment but for each $x_i^3$, say. Describe how correlations between the sets $\{t_i\}$ and $\{T_i\}$ can be used to determine bits of the private exponent $D$.
We have given above just a smattering of RSA attack notions. There are also attacks based on lattice reduction [Coppersmith 1997] and interesting issues involving the (incomplete) relation between factoring and breaking RSA [Boneh and Venkatesan 1998]. There also exist surveys on this general topic [Boneh 1999]. We are grateful to D. Cao for providing some ideas for this exercise.
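As an added illustration of part (4), not taken from the book, here is a Python simulation of the timing leak and of its exploitation. The ladder's square and multiply costs are fixed and different, as the exercise stipulates; on top of that the model assumes (an assumption of this example, patterned on the conditional final subtraction of Montgomery multiplication) that each modular product occasionally costs one extra time unit, decided by the operands. The attacker times the signatures $x_i^D$ (the $T_i$) and the cubes $x_i^3$ (the $t_i$); since cubing is one square followed by one multiply, the cube timings calibrate the size of the leak, and the signing timings are then correlated, bit by bit, with the leak the attacker predicts under the hypothesis that the next bit of $D$ is 1. Modulus, exponent and all names are constructed toy values.

```python
import random
from statistics import mean

# Constructed toy key: a small odd modulus and a 24-bit exponent (assumptions
# for the simulation; nothing below depends on factoring TOY_N).
TOY_N = 1000003 * 1000033
TOY_D = 0xB5A2F3

COST_SQ, COST_MUL, COST_EXTRA = 3, 5, 1     # fixed costs plus the leak cost


def leaky_mulmod(a, b, n):
    """Modular product plus a leak bit.  The bit is this example's stand-in for
    a data-dependent extra reduction step (assumption); it costs COST_EXTRA."""
    prod = a * b
    return prod % n, (prod // n) & 1


def leaky_powmod(x, d, n):
    """Left-to-right square-and-multiply.  Returns (x^d mod n, simulated time):
    every square costs COST_SQ, every multiply COST_MUL, and each of them an
    extra COST_EXTRA whenever leaky_mulmod reports the extra step."""
    acc, t = x % n, 0
    for bit in bin(d)[3:]:                   # skip the leading 1 bit of d
        acc, extra = leaky_mulmod(acc, acc, n)
        t += COST_SQ + COST_EXTRA * extra
        if bit == "1":
            acc, extra = leaky_mulmod(acc, x, n)
            t += COST_MUL + COST_EXTRA * extra
    return acc, t


def mean_gap(indicator, times):
    """Mean time of the samples predicted to take the extra step minus the rest."""
    g1 = [t for i, t in zip(indicator, times) if i]
    g0 = [t for i, t in zip(indicator, times) if not i]
    return mean(g1) - mean(g0) if g1 and g0 else 0.0


def calibrate_leak(xs, cube_times, n):
    """The exercise's second experiment: x_i^3 is one square and one multiply.
    The attacker can compute which cubes incur the extra step in that multiply,
    so the gap between the two groups' mean times estimates COST_EXTRA."""
    indicator = []
    for x in xs:
        sq, _ = leaky_mulmod(x, x, n)
        indicator.append(leaky_mulmod(sq, x, n)[1])
    return mean_gap(indicator, cube_times)


def recover_exponent(xs, sign_times, n, nbits, delta):
    """Recover D from the top bit down.  At each position the attacker runs the
    ladder on every x_i up to the known prefix, predicts the leak bit of the
    multiply that a 1 bit would cause, and checks whether the measured signing
    times really split by that prediction (gap about delta) or not (gap about 0)."""
    d, accs = 1, [x % n for x in xs]                # top bit of D is 1
    for _ in range(nbits - 1):
        squared = [leaky_mulmod(a, a, n)[0] for a in accs]
        mults = [leaky_mulmod(s, x, n) for s, x in zip(squared, xs)]
        bit = 1 if mean_gap([m[1] for m in mults], sign_times) > delta / 2 else 0
        d = 2 * d + bit
        accs = [m[0] for m in mults] if bit else squared
    return d


def run_attack(samples=4000, seed=7):
    """Collect T_i and t_i on random messages, calibrate, recover D."""
    rng = random.Random(seed)
    xs = [rng.randrange(2, TOY_N - 1) for _ in range(samples)]
    sign_times = [leaky_powmod(x, TOY_D, TOY_N)[1] for x in xs]    # the T_i
    cube_times = [leaky_powmod(x, 3, TOY_N)[1] for x in xs]        # the t_i
    delta = calibrate_leak(xs, cube_times, TOY_N)
    return recover_exponent(xs, sign_times, TOY_N, TOY_D.bit_length(), delta), delta


if __name__ == "__main__":
    d, delta = run_attack()
    print(f"estimated leak cost {delta:.2f}, recovered D = {d:#x}, correct: {d == TOY_D}")
```

Blinding the base before exponentiation, or making every reduction take the same time regardless of operands, removes the correlation this recovery depends on; knowing only the fixed square and multiply costs, the attacker would learn no more than the Hamming weight of $D$.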
8.3. We have noted that both y-coordinates and the “clue” point are not fundamentally necessary in the transmission of embedded encryption from Algorithm 8.1.10. With a view to Algorithm 7.2.8 and the Miller generator, equation (8.1), work out an explicit, detailed algorithm for direct embedding but with neither y-coordinates nor data expansion (except that one will still need to transmit the sign bit $d$, an asymptotically negligible expansion). You might elect to use a few more “parity bits,” for example in Algorithm 7.2.8 you may wish to specify one of two quadratic roots, and so on.
8.4. Describe how one may embed any plaintext integer $X \in \{0, \dots, p-1\}$ on a single given curve, by somehow counting up from $X$ as necessary, until $X^3 + aX + b$ is a quadratic residue (mod $p$). One such scheme is described in [Koblitz 1987].
8.5. In Algorithm 8.1.10 when is it the case that $X$ is the x-coordinate of a point on both curves $E, E'$?
8.6. Whenever we use Montgomery parameterization (Algorithm 7.2.7) in any cryptographic mode, we do not have access to the precise $Y$-coordinate. Actually, for the Montgomery $(X, Z)$ pair we know that $Y^2 = (X/Z)^3 + c(X/Z)^2 + a(X/Z) + b$, thus there can be two possible roots for $Y$. Explain how, if Alice is to communicate to Bob a point $(X, Y)$ on the curve, then she can effect so-called “point compression,” meaning that she can send Bob the $X$ coordinate and just a very little bit more.
But before she can send accurate information, Alice still needs to know herself which is the correct Y root. Design a cryptographic scheme (e.g., key exchange) where Montgomery (X, Z) algebra is used but Y is somehow recovered. (One reason to have Y present is simply that some current industry
standards insist on such presence.) The interesting research of [Okeya and Sakurai 2001] is relevant to this design problem. In fact such issues, usually relating to casting efficient ECC onto chips or smart cards, abound in the current literature. A simple Internet search on ECC optimizations now brings up a great many very recent references. Just one place (of many) to get started on this topic is [Berta and Mann 2002] and references therein.
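The following Python, added here and not taken from Algorithms 7.2.8 or 8.1.10, works out the ingredients that Exercises 8.3, 8.4 and 8.6 ask for, on an affine short-Weierstrass curve rather than in Montgomery $(X, Z)$ form: a modular square root (Tonelli–Shanks, with the $p \equiv 3 \pmod 4$ shortcut), Koblitz's count-up embedding of a message integer, and point compression to the $X$-coordinate plus one parity bit. The curve parameters are constructed toy values (the prime $p = 1000003$ and the coefficients are assumptions of this example, not a standard curve), and all names are the example's own.

```python
# Constructed toy curve y^2 = x^3 + a x + b over F_p (p = 1000003 is prime).
P_MOD, A_COEF, B_COEF = 1000003, -3, 1234
assert (4 * A_COEF ** 3 + 27 * B_COEF ** 2) % P_MOD != 0, "singular curve"
KOBLITZ_K = 32        # x-values tried per message; failure probability about 2^-K


def sqrt_mod(a, p):
    """Tonelli-Shanks: a square root of a modulo the odd prime p, or None if a
    is a quadratic non-residue.  p ≡ 3 (mod 4) gives the one-exponentiation
    shortcut; the general branch handles p ≡ 1 (mod 4)."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:          # Euler's criterion
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:   # any non-residue will do
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def curve_rhs(x):
    return (x * x * x + A_COEF * x + B_COEF) % P_MOD


def on_curve(pt):
    x, y = pt
    return y * y % P_MOD == curve_rhs(x)


def embed(m):
    """Exercise 8.4: count up from x = m*K until x^3 + ax + b is a residue.
    Each trial succeeds with probability about 1/2, so K trials fail with
    probability about 2^-K; the message is recovered as x // K."""
    if not 0 <= m < P_MOD // KOBLITZ_K:
        raise ValueError("message too large for this curve and K")
    for j in range(KOBLITZ_K):
        x = m * KOBLITZ_K + j
        y = sqrt_mod(curve_rhs(x), P_MOD)
        if y is not None:
            return (x, y)
    raise ValueError("no embedding found")


def unembed(pt):
    return pt[0] // KOBLITZ_K


def compress(pt):
    """Exercise 8.6: send x plus one parity bit.  p is odd, so the two roots
    y and p - y have opposite parity and the bit picks one of them."""
    return pt[0], pt[1] & 1


def decompress(x, ybit):
    y = sqrt_mod(curve_rhs(x), P_MOD)
    if y is None:
        raise ValueError("x is not the abscissa of a point on this curve")
    if y != 0 and (y & 1) != ybit:
        y = P_MOD - y
    return (x, y)
```

The receiver must treat an $x$ whose $x^3 + ax + b$ is a non-residue as an error rather than silently picking a root: such an $x$ is not the abscissa of any point on $E$ (it lies on the twist instead, which is the situation Exercise 8.5 asks about).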
8.7. Devise a coin-flip protocol based on the idea that if $n$ is the product of two different odd primes, then quadratic residues modulo $n$ have 4 square roots of the form $\pm a, \pm b$. Further, computing these square roots, given the quadratic residue, is easy when one knows the prime factorization of $n$ and, conversely, when one has the 4 square roots, the factorization of $n$ is immediate. Note in this connection the Blum integers of Exercise 2.26, which integers are often used in coin-flip protocols. References are [Schneier 1996] and [Bressoud and Wagon 2000, p. 146].
8.8. Explore the possibility of cryptographic defects in Algorithm 8.1.11. For example, Bob could cheat if he could quickly factor $n$, so the fairness of the protocol, as with many others, should be predicated on the presumed difficulty of factoring the number $n$ that Alice sends. Is there any way for Alice to cheat by somehow misleading Bob into preferring one of the primes over the other? If Bob knows or guesses that Alice is choosing the primes $p, q, r$ at random in a certain range, is there some way for him to improve his chances? Is there any way for either party to lose on purpose?
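An added Python rendering of the protocol sketched in Exercise 8.7 (not the text's Algorithm 8.1.11, which is a different scheme): Alice publishes $n = pq$ with Blum primes, Bob commits to $a^2 \bmod n$, Alice returns one of the four roots, and Bob wins exactly when that root is $\pm b$, because then $\gcd(s - a, n)$ factors $n$ and the factorization doubles as his proof of the win, the kind of verification step whose absence Exercise 8.8 asks you to look for. Primes and names are constructed for this example and far too small for real use.

```python
import random
from math import gcd

# Constructed Blum primes (both ≡ 3 mod 4), toy-sized so the example runs
# instantly; a real deployment needs n that Bob cannot factor on his own.
BLUM_P, BLUM_Q = 999983, 1000003
assert BLUM_P % 4 == 3 and BLUM_Q % 4 == 3


def four_roots(y, p, q):
    """The four square roots ±a, ±b of a residue y modulo n = pq, p ≡ q ≡ 3 (mod 4).
    Modulo a Blum prime a root of y is y^((p+1)/4); the two sign choices modulo
    each prime are glued together by the Chinese remainder theorem."""
    n = p * q
    rp, rq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)
    assert rp * rp % p == y % p and rq * rq % q == y % q, "y is not a residue"
    inv_p, inv_q = pow(p, -1, q), pow(q, -1, p)

    def crt(xp, xq):
        return (xp * q * inv_q + xq * p * inv_p) % n

    return sorted({crt(rp, rq), crt(rp, q - rq), crt(p - rp, rq), crt(p - rp, q - rq)})


def coin_flip(p, q, rng):
    """One flip.  Alice holds the factorization of n = pq; Bob only sees n.
    Returns ('alice', None) or ('bob', (p, q)) carrying Bob's proof of winning."""
    n = p * q
    while True:                               # Bob: secret a, coprime to n
        a = rng.randrange(2, n)
        if gcd(a, n) == 1:
            break
    y = a * a % n                             # Bob -> Alice: the residue a^2
    roots = four_roots(y, p, q)               # Alice: ±a, ±b, indistinguishable to her
    s = rng.choice(roots)                     # Alice -> Bob: her "call"
    if s in (a, n - a):                       # Bob learned nothing: Alice wins
        return "alice", None
    f = gcd(s - a, n)                         # s ≡ ±b: (s - a)(s + a) ≡ 0 splits n
    assert 1 < f < n
    return "bob", (min(f, n // f), max(f, n // f))


def play(rounds=400, seed=3):
    """Run many flips and return Bob's win rate.  Every claimed Bob win is checked
    against the true factorization, which a Bob who did not really learn ±b cannot fake."""
    rng = random.Random(seed)
    bob = 0
    for _ in range(rounds):
        winner, proof = coin_flip(BLUM_P, BLUM_Q, rng)
        if winner == "bob":
            assert proof == (BLUM_P, BLUM_Q)
            bob += 1
    return bob / rounds
```

Since Alice cannot distinguish Bob's pair $\pm a$ from $\pm b$, her choice among the four roots hits $\pm b$ with probability exactly $1/2$; the code's `play` measures that rate empirically.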
8.9. It is stated after Algorithm 8.1.11 that a coin-flip protocol can be extended to group games such as poker. Choose a specific protocol (from the text algorithm or such references as in Exercise 8.7), and write out explicitly a design for “telephone poker,” in which there is, over a party-line phone connection, a deal of say 5 cards per person, hands eventually claimed, and so on. It may be intuitively clear that if flipping a coin can be done, so can this poker game, but the exercise here is to be explicit in the design of a full-fledged poker game.
8.10. Prove that the verification step of Algorithm 8.1.8 works, and discuss both the probability of a false signature getting through and the difficulty of forging.
8.11. Design a random-number generator based on a one-way function. It turns out that any suitable one-way function can be used to this effect. One reference is [Håstad et al. 1999]; another is [Lagarias 1990].
8.12. Implement the Halton-sequence fast qMC Algorithm 8.3.6 for dimension $D = 2$, and plot graphically a cloud of some thousands of points in the unit square. Comment on the qualitative (visual) difference between your plot and a plot of simple random coordinates.
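As an added example (written for this page; it is the standard radical-inverse form of the Halton sequence, not a transcription of the text's Algorithm 8.3.6), here is a plain Python generator for $D = 2$ together with a numerical stand-in for the plot: the largest deviation of any grid-cell count from its expectation, computed for the Halton cloud and for an equal number of pseudo-random points.

```python
import random


def radical_inverse(n, base):
    """van der Corput radical inverse: write n in the given base and reflect the
    digits about the radix point, so 1, 2, 3, 4 -> 0.5, 0.25, 0.75, 0.125 in base 2."""
    x, scale = 0.0, 1.0 / base
    while n:
        n, digit = divmod(n, base)
        x += digit * scale
        scale /= base
    return x


def halton_2d(count, bases=(2, 3)):
    """First `count` points of the 2-D Halton sequence (index 1 onward, so the
    origin is skipped); coprime bases keep the two coordinates from lining up."""
    return [(radical_inverse(i, bases[0]), radical_inverse(i, bases[1]))
            for i in range(1, count + 1)]


def max_cell_deviation(points, cells=8):
    """Bin points into a cells x cells grid and return the largest |count - expected|,
    a crude numerical substitute for eyeballing the plot: a quasi-random cloud
    fills every cell almost exactly evenly, a pseudo-random one clumps."""
    grid = [[0] * cells for _ in range(cells)]
    for x, y in points:
        grid[min(int(x * cells), cells - 1)][min(int(y * cells), cells - 1)] += 1
    expected = len(points) / cells ** 2
    return max(abs(c - expected) for row in grid for c in row)


def compare(count=4096, seed=1):
    """Return (Halton deviation, pseudo-random deviation) for the same point count."""
    rng = random.Random(seed)
    pseudo = [(rng.random(), rng.random()) for _ in range(count)]
    return max_cell_deviation(halton_2d(count)), max_cell_deviation(pseudo)
```

With 4096 points on an 8 by 8 grid each cell expects 64 points; the pseudo-random cloud typically misses that by well over ten in some cell, the Halton cloud only by a few, which is the "evenness" the plot makes visible. That evenness is exactly why such a sequence is useful for integration and useless as a cryptographic generator: its next point is predictable from its index.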
8.13. Prove the claim concerning equation (8.3) under the stated conditions on $k$. Start by analyzing the Diophantine equation (mod 4), concluding that $x \equiv 1 \pmod 4$, continuing on with further analysis (mod 4) until a Legendre symbol $\left(\frac{-4m^2}{p}\right)$ is encountered for $p \equiv 3 \pmod 4$. (See, for example, [Apostol 1976, Section 9.8].)
8.14. Note that if $c = a^n + b^n$, then $x = ac$, $y = bc$, $z = c$ is a solution to $x^n + y^n = z^{n+1}$. Show more generally that if $\gcd(pq, r) = 1$, then the Fermat–Catalan equation $x^p + y^q = z^r$ has infinitely many positive solutions. Why is this not a disproof of the Fermat–Catalan conjecture? Show that there are no positive solutions when $\gcd(p, q, r) \ge 3$. What about the cases $\gcd(p, q, r) = 1$ or $2$? (The authors do not know the answer to this last question.)
8.15. Fashion an at least somewhat convincing heuristic argument for the Fermat–Catalan conjecture. For example, here is one for the case that $p, q, r$ are all at least 4: Let $S$ be the set of fourth and higher powers of positive integers. Unless there is a cheap reason, as in Exercise 8.14, there should be no particular tendency for the sum of two members of $S$ to be equal to a third member of $S$. Consider the expression $a + b - c$, where $a \in S \cap [t/2, t]$, $b \in S \cap [1, t]$, $c \in S \cap [1, 2t]$ and $\gcd(a, b) = 1$. This number $a + b - c$ is in the interval $(-2t, 2t)$ and the probability that it is 0 ought to be of magnitude $1/t$. Thus, the expected number of solutions to $a + b = c$ for such $a, b, c$ should be at most $S(t)^2 S(2t)/t$, where $S(t)$ is the number of members of $S \cap [1, t]$. Now $S(t) = O(t^{1/4})$, so this expected number is $O(t^{-1/4})$. Now let $t$ run over powers of 2, getting that the total number of solutions is expected to be just $O(1)$.
8.16. As in Exercise 8.15, fashion an at least somewhat convincing heuristic argument for the ABC conjecture.
8.17. Show that the ABC conjecture is false with $\varepsilon = 0$. In fact, show that there are infinitely many coprime triples $a, b, c$ of positive integers with $a + b = c$ and $\gamma(abc) = o(c)$. (As before, $\gamma(n)$ is the largest squarefree divisor of $n$.)
8.18. [Tijdeman] Show that the ABC conjecture implies the Fermat–Catalan conjecture.
8.19. [Silverman] Show that the ABC conjecture implies that there are infinitely many primes $p$ that are not Wieferich primes.
8.20. Say $q_1 < q_2 < \cdots$ is the sequence of powers. That is, $q_1 = 1$, $q_2 = 4$, $q_3 = 8$, $q_4 = 9$, and so on. It is not known if the gaps $q_{n+1} - q_n$ tend to infinity with $n$, but show that this is indeed the case if the ABC conjecture is assumed. In fact, show on the ABC conjecture that for each $\varepsilon > 0$, we have $q_{n+1} - q_n > n^{1/12 - \varepsilon}$ for all sufficiently large values of $n$.
8.21. Show that there is a polynomial in two variables with integer coefficients whose values at positive integral arguments coincide with the set of positive composite numbers. Next, starting from the Lagrange theorem that every positive integer is a sum of 4 squares (see Exercise 9.41), exhibit a polynomial in 8 variables with integer coefficients such that its values at all integral arguments constitute the set of positive composites.
8.22. Suppose the integer $n$ of Proposition 8.5.1 has the distinct prime factors $p_1, \dots, p_k$, where $2^{s_i} \,\|\, p_i - 1$ and $s_1 \le \cdots \le s_k$. Show that the relevant probability is then
$$1 - 2^{-(s_1 + \cdots + s_k)}\left(1 + \frac{2^{s_1 k} - 1}{2^k - 1}\right)$$
and that this expression is not less than $1 - 2^{1-k}$. (Compare with Exercise 3.15.)
8.23. Complete one of the details for Shor factoring, as follows. We gave as relation (8.4) the probability $P_{c,k}$ of finding our QTM in the composite state $|c\rangle\,|x^k\rangle$. Explain quantitatively how the probability (for a fixed $k$, with $c$ the running variable) should show spikes corresponding to solutions $d$ to the Diophantine approximation
$$\left|\frac{c}{q} - \frac{d}{r}\right| \le \frac{1}{2q}.$$
Explain, then, how one can find $d/r$ in lowest terms from (measured) knowledge of appropriate $c$. Note that if $\gcd(d, r)$ happens to be 1, this procedure gives the exact period $r$ for the algorithm, and we know that two random integers are coprime with probability $6/\pi^2$.
On the computational side, model (on a classical TM, of course) the spectral behavior of the QTM occurring at the end of Algorithm 8.5.2, using the following exemplary input. Take $n = 77$, so that the [Initialization] step sets $q = 8192$. Now choose (we are using hindsight here) $x = 3$, for which the period turns out to be $r = 30$ after the [Detect periodicity . . .] step. Of course, the whole point of the QTM is to measure this period physically, and quickly! To continue along and model the QTM behavior, use a (classical) FFT to make a graphical plot of $c$ versus the probability $P_{c,1}$ from formula (8.4). You should see very strong spikes at certain $c$ values. One of these values is $c = 273$, for example. Now from the relation
$$\left|\frac{273}{8192} - \frac{d}{r}\right| \le \frac{1}{2q}$$
one can derive the result $r = 30$ (the literature explains continued-fraction methods for finding the relevant approximants $d/r$). Finally, extract a factor of $n$ via $\gcd(x^{r/2} - 1, n)$. These machinations are intended to show the flavor of the missing details in the presentation of Algorithm 8.5.2; but beyond that, these examples pave the way to a more complete QTM emulation (see Exercise 8.24). Note the instructive phenomenon that even this small-$n$ factoring emulation-via-TM requires FFT lengths into the thousands; yet a true QTM might require only a dozen or so qbits.
8.24. It is a highly instructive exercise to cast Algorithm 8.5.2 into a detailed form that incorporates our brief overview and the various details from the literature (including the considerations of Exercise 8.23).
A second task that lives high on the pedagogical ladder is to emulate a QTM with a standard TM program implementation, in a standard language. Of course, this will not result in a polynomial-time factorer, but only because the TM does what a QTM could do, yet the former involves an exponential slowdown. For testing, you might start with input numbers along the lines of Exercise 8.23. Note that one still has unmentioned options. For example, one could emulate very deeply and actually model quantum interference, or one could just use classical arithmetic and FFTs to perform the algebraic steps of Algorithm 8.5.2.
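An added classical emulation of the spectral step of Exercises 8.23 and 8.24, written for this page rather than taken from Algorithm 8.5.2 (it takes the second of the two options just mentioned: classical arithmetic and an FFT, no modelling of interference). It builds the comb of indices $j < q$ with $x^j \equiv x^k \pmod n$, takes its classical FFT in place of the quantum Fourier transform, reads off the spikes of $P_{c,k}$, solves the Diophantine approximation by continued fractions, and extracts a factor. The normalization of $P_{c,k}$ used here is the one obtained from a uniform superposition over that comb; it is this example's model of formula (8.4), whose exact statement is not reproduced on this page. Run on the text's input $n = 77$, $x = 3$, it reproduces $q = 8192$, a spike at $c = 273$, $r = 30$ and the factor 11.

```python
import cmath
from math import gcd


def fft(a):
    """Recursive radix-2 Cooley-Tukey FFT (len(a) must be a power of two): the
    classical stand-in for the quantum Fourier transform of Algorithm 8.5.2."""
    n = len(a)
    if n == 1:
        return list(a)
    even, odd = fft(a[0::2]), fft(a[1::2])
    out = [0j] * n
    for k in range(n // 2):
        w = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + w, even[k] - w
    return out


def choose_q(n):
    """Smallest power of two with q >= n^2 (q = 8192 for n = 77)."""
    q = 1
    while q < n * n:
        q *= 2
    return q


def spectrum(n, x, q, k=1):
    """P_{c,k} for c = 0..q-1, emulated classically (this example's model of
    formula (8.4)).  Once the second register is found to hold x^k mod n, the
    first register is a uniform superposition over the j < q with j ≡ k (mod r);
    the squared Fourier transform of that comb is the measurement distribution."""
    target, comb, v = pow(x, k, n), [], 1
    for _ in range(q):
        comb.append(1 + 0j if v == target else 0j)
        v = v * x % n
    hits = sum(1 for z in comb if z)          # number of j ≡ k (mod r) below q
    return [abs(f) ** 2 / (q * hits) for f in fft(comb)]


def denominator_from_c(c, q, n):
    """Solve |c/q - d/r| <= 1/(2q) with r <= n.  Because q >= n^2, any such d/r
    is a convergent of the continued fraction of c/q, so walk the convergents
    h/k and return the first denominator satisfying 2|ck - hq| <= k."""
    num, den, h1, h0, k1, k0 = c, q, 1, 0, 0, 1
    while den:
        a, (num, den) = num // den, (den, num % den)
        h1, h0, k1, k0 = a * h1 + h0, h1, a * k1 + k0, k1
        if k1 > n:
            break
        if 2 * abs(c * k1 - h1 * q) <= k1:
            return k1
    return None


def recover_period(n, x, top=12):
    """Try the most probable c values (c = 0 carries no information) and keep
    the first candidate r with x^r ≡ 1 (mod n).  Spikes with gcd(d, r) > 1 give
    only a proper divisor of r and are rejected by that check."""
    q = choose_q(n)
    spec = spectrum(n, x, q)
    for c in sorted(range(1, q), key=spec.__getitem__, reverse=True)[:top]:
        r = denominator_from_c(c, q, n)
        if r and pow(x, r, n) == 1:
            return r
    return None


def factor_from_period(n, x, r):
    """If r is even and x^{r/2} is not -1 mod n, gcd(x^{r/2} - 1, n) is a proper factor."""
    if r % 2:
        return None
    f = gcd(pow(x, r // 2, n) - 1, n)
    return f if 1 < f < n else None


if __name__ == "__main__":
    n, x = 77, 3
    r = recover_period(n, x)
    print(f"n={n} x={x}: period r={r}, factor {factor_from_period(n, x, r)}")
```

The thirty spikes sit at $c \approx d\,q/r$; the one at $c = 4096$ ($d = 15$) is the tallest but collapses to $1/2$ in lowest terms, which is why the candidate loop verifies $x^r \equiv 1$ before accepting an $r$.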
8.8 Research problems
8.25. Prove or disprove the claim of physicist D. Broadhurst that the number
$$P = \frac{29035682}{514269}\int_0^{\infty} F(x)\,dx,$$
where the integrand $F$ is assembled from $906\sin(x\ln 2)$, $8\sinh^2(\pi x/5)$, a factor $1/x$, $\sinh(\pi x/2)$ and $\cosh(\pi x/5)$ (the precise grouping of these factors did not survive extraction), is not only an integer, but in fact a prime number. This kind of integral shows up in the theory of multiple zeta functions, which theory in turn has application in theoretical physics, in fact in quantum field theory (and we mean here physical fields, not the fields of algebra!).
Since the 1st printing of the present book, Broadhurst has used a publicly available primality-proof package to establish that $P$ is indeed prime. One research extension, then, is to find, with proof, an even larger prime having this kind of trigonometric-integral representation.
8.26. Here we explore a connection between prime numbers and fractals. Consider the infinite-dimensional Pascal matrix $P$ with entries
$$P_{i,j} = \binom{i+j}{i},$$
for both $i$ and $j$ running through $0, 1, 2, 3, \dots$; thus the classical Pascal triangle of binomial coefficients has its apex packed into the upper-left corner of $P$, like so:
$$P = \begin{pmatrix} 1 & 1 & 1 & 1 & \cdots \\ 1 & 2 & 3 & 4 & \cdots \\ 1 & 3 & 6 & 10 & \cdots \\ 1 & 4 & 10 & 20 & \cdots \\ \vdots & \vdots & \vdots & \vdots & \ddots \end{pmatrix}.$$
There are many interesting features of this $P$ matrix (see [Higham 1996, p. 520]), but for this exercise we concentrate on its fractal structure modulo primes.
Define the matrix $Q_n = P \bmod n$, where the mod operation is taken elementwise. Now imagine a geometrical object created by coloring each zero element of $Q_n$ black, and all nonzero elements white. Imagine further that this object is the full infinite-dimensional $Q_n$ matrix, but compressed into a finite planar square, so that we get, if you will, a kind of “snowflake” with many holes of black within a fabric of white. Now, argue that for prime modulus $p$, so that the mod matrix is $Q_p$, the fractal dimension of the “snowflake” object is given by
$$\delta = \frac{\ln\bigl(p(p+1)/2\bigr)}{\ln p}.$$
Technically, this is a “box dimension,” and for this and other dimension definitions one source is [Crandall 1994b] and references therein. (Hint: The basic method for getting $\delta$ is to count how many nonzero elements there are in an upper-left $p^k \times p^k$ submatrix of $Q_p$, and see how this scales with the submatrix size $p^{2k}$.) Thus for example, the Pascal triangle modulo 2 has dimension $\delta = (\ln 3)/(\ln 2)$ and the triangle modulo 3 has dimension $\delta = (\ln 6)/(\ln 3)$. The case $p = 2$ here gives the famous Sierpiński gasket, a well-studied object in the theory of fractals. It is sometimes said that such a “gasket” amounts to “more than a line but less than the plane.” Clarify this vague statement in quantitative terms, by looking at the numerical magnitude of the dimension $\delta$.
Extensions to this fractal-dimension exercise abound. For example, one finds that for prime p, in the upper-left p × p submatrix of Qp, the number of nonzero elements is always a triangular number. (A triangular number is a number of the form 1 + 2 + . . . + n = n(n + 1)/2.) Question is, for what composite n does the upper-left n × n submatrix have a triangular number of nonzero elements? And here is an evidently tough question: What is the fractal dimension if we consider the object in “gray-scale,” that is, instead of white/black pixels that make up the gasket object, we calculate δ using proper weight of an element of Qp not as binary but as its actual residue in [0, p − 1]?
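An added Python check of the hint, not part of the exercise text: it counts the nonzero entries of the upper-left block of $Q_n$ directly from Pascal's rule, compares the count for prime $p$ with the closed form $(p(p+1)/2)^k$ that Lucas's theorem yields (an entry $\binom{i+j}{i}$ is nonzero mod $p$ exactly when adding $i$ and $j$ in base $p$ produces no carry), estimates $\delta$ from the scaling, and includes the triangular-number test the extension asks about. All names are this example's own.

```python
from math import log


def nonzero_count(size, n):
    """Number of nonzero entries in the upper-left size x size block of Q_n,
    built row by row with Pascal's rule P[i][j] = P[i-1][j] + P[i][j-1] (mod n);
    the in-place left-to-right update keeps the previous row in the same list."""
    row = [1] * size                     # row i = 0 is all ones, column 0 too
    count = size
    for _ in range(1, size):
        for j in range(1, size):
            row[j] = (row[j] + row[j - 1]) % n
        count += sum(1 for v in row if v)
    return count


def lucas_count(p, k):
    """Closed form for prime p: per base-p digit there are p(p+1)/2 carry-free
    digit pairs, so the p^k x p^k block has (p(p+1)/2)^k nonzero entries."""
    return (p * (p + 1) // 2) ** k


def box_dimension(p, k):
    """ln(#nonzero in the p^k x p^k block) / ln(p^k), which the hint says tends
    to ln(p(p+1)/2) / ln p; for prime p it is exactly that for every k."""
    return log(nonzero_count(p ** k, p)) / log(p ** k)


def is_triangular(m):
    """Is m of the form t(t+1)/2?"""
    t = int((2 * m) ** 0.5)
    return any(s * (s + 1) // 2 == m for s in (t - 1, t, t + 1))


def triangular_composites(limit):
    """Composite n <= limit whose upper-left n x n block of Q_n has a triangular
    number of nonzero entries (the extension's question)."""
    return [n for n in range(4, limit + 1)
            if any(n % d == 0 for d in range(2, n)) and is_triangular(nonzero_count(n, n))]
```

For $p = 2$ the dimension comes out as $\ln 3/\ln 2 \approx 1.585$, strictly between the 1 of a line and the 2 of the plane, which is the quantitative content of the vague statement in the exercise.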
8.27. In the field of elliptic curve cryptography (ECC) it is important to be able to construct elliptic curves of prime order. Describe how to adapt the Schoof method, Algorithm 7.5.6, so that it “sieves” curve orders, looking for such a prime order. In other words, curve parameters $a, b$ would be chosen randomly, say, and small primes $L$ would be used to “knock out” a candidate curve as soon as $p + 1 - t$ is ascertained as composite. Assuming that the Schoof algorithm has running time $O(\ln^k p)$, estimate the complexity of this sieving scheme as applied to finding just one elliptic curve of prime order. Incidentally, it may not be efficient overall to use maximal prime powers $L = 2^a, 3^b$, etc. (even though as we explained these do work in the Schoof algorithm) for such a sieve. Explain why that is. Note that some of the complexity issues herein are foreshadowed in Exercise 7.29 and related exercises of that chapter.
If one did implement a “Schoof sieve” to find a curve of prime order, the following example would be useful in testing the software:
$$p = 2^{113} - 133,\qquad a = -3,\qquad b = 10018.$$

Now, for the following moduli (we give here some prime-power $L$ values even though, as we said, that is not necessarily an efficient approach)
7, 11, 13, 17, 19, 23, 25, 27, 29, 31, 32, 37, 41, 43,
the curve order #E = p + 1 − t has values t mod L as
2, 10, 3, 4, 6, 11, 14, 9, 26, 1, 1, 10, 8, 8,
leading to the prime curve order
#E = 10384593717069655112027224311117371.
Note that the task of finding curves for which both the order $p + 1 - t$ and the twist order $p + 1 + t$ are prime is more difficult, not unlike the task of finding twin primes as opposed to primes. A research problem: Prove via the methods of analytic number theory that there is a positive constant $c$ such that for most primes $p$ there are at least $c\sqrt{p}/\ln^2 p$ integers $t$ with $0 < t < 2\sqrt{p}$, such that $p + 1 \pm t$ are both prime.
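An added consistency check of the test vector above, written for this page; no Schoof computation is performed, the residues $t \bmod L$ are instead recomputed from the printed curve order. It recovers $t = p + 1 - \#E$, checks the Hasse bound $|t| \le 2\sqrt p$, compares $t \bmod L$ with the printed residues, applies the sieve's knock-out rule to them, and runs a Miller–Rabin probable-prime test on $\#E$ and on the twist order $p + 1 + t$. The check also makes the remark about prime powers concrete: a modulus $L = \ell^a$ can only repeat the verdict that $\ell$ itself already delivered. Function names are this example's own.

```python
import random

# The test vector printed in Exercise 8.27: p = 2^113 - 133, a = -3, b = 10018
# (the curve coefficients are not needed for these consistency checks).
P_FIELD = 2 ** 113 - 133
ORDER = 10384593717069655112027224311117371
MODULI = [7, 11, 13, 17, 19, 23, 25, 27, 29, 31, 32, 37, 41, 43]
TRACE_RESIDUES = [2, 10, 3, 4, 6, 11, 14, 9, 26, 1, 1, 10, 8, 8]


def trace(p, order):
    """t = p + 1 - #E."""
    return p + 1 - order


def within_hasse(p, t):
    """|t| <= 2 sqrt(p), squared to stay in integers."""
    return t * t <= 4 * p


def trace_residues(p, order, moduli):
    """What a Schoof-style computation would deliver: t mod L for each small L."""
    t = trace(p, order)
    return [t % L for L in moduli]


def prime_factors(n):
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def knocked_out_by(p, residues, moduli):
    """The sieve step: t mod L fixes #E mod ell for every prime ell dividing L, and
    a candidate dies as soon as some ell divides #E = p + 1 - t.  Returns that ell,
    or None if the candidate survives every listed modulus."""
    for L, t_mod_L in zip(moduli, residues):
        for ell in prime_factors(L):
            if (p + 1 - t_mod_L) % ell == 0:
                return ell
    return None


def is_probable_prime(n, rounds=24, seed=2024):
    """Miller-Rabin with fixed-seed random bases: a probable-prime test, not a proof."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(seed)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_test_vector():
    """Recompute everything the exercise states about the vector and return the verdicts."""
    t = trace(P_FIELD, ORDER)
    return {
        "hasse": within_hasse(P_FIELD, t),
        "residues_match": trace_residues(P_FIELD, ORDER, MODULI) == TRACE_RESIDUES,
        "survives_sieve": knocked_out_by(P_FIELD, TRACE_RESIDUES, MODULI) is None,
        "order_prime": is_probable_prime(ORDER),
        "twist_prime": is_probable_prime(P_FIELD + 1 + t),
    }
```

In a real sieve the residues arrive one prime at a time and the loop in `knocked_out_by` is what lets you abandon a random $(a, b)$ before the expensive later primes are ever processed; the final Miller–Rabin call is only reached by the survivors.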
8.28. Work out software that very stringently tests random-number generators. The basic idea is simple: Assume an input stream of integers, say. But the implementation is hard: There are spectral tests, collision tests, general statistical tests, normality tests, and so on. The idea is that the software would give a “score” to the generated stream, and thereby select “good” random number generators. Of course, goodness itself could even be context-dependent. For example, a good random generator for numerical integration in computational physics might be a cryptographically bad generator, and so on. One thing to note during such a research program is the folklore that chaos-based generators are cryptographically risky. To this end, one might consider the measurement of fractal dimension and Lyapunov exponents of generated pseudorandom sequences as something to add to one’s test arsenal.
8.29. Investigate elliptic-curve-based random generation. Possible research directions are indicated in the text after iteration (8.1), including the possibility of casting the Gong–Berson–Stinson generator scheme ([Gong et al. 1999]) into a form suitable for curves over odd-characteristic fields.
8.30. Investigate possibilities for random generators that have even longer periods than the Marsaglia example of the text. For example, [Brent 1994] notes that, for any Mersenne prime $M_q = 2^q - 1$ with $q \equiv \pm 1 \pmod 8$, there may be a primitive trinomial of degree $M_q$, giving rise to a Fibonacci generator with period at least $M_q$. A known working example is $q = 132049$, giving a long period indeed!
8.31. Though Definition 8.3.1 is rather technical, and though the study of discrepancies $D_N$, $D_N^*$ remains difficult and incomplete to this day, there do exist some interesting discrepancy bounds of a general character. One such is

of the RH, but because of a strong interdisciplinary flavor in what follows, the description belongs here just as well.
Consider these RH equivalences as research directions, primarily computational but always potentially theoretical:
(1) There is an older, Riesz condition [Titchmarsh 1986, Section 14.32] that is equivalent to the RH, namely,
$$\sum_{n=1}^{\infty} \frac{(-x)^n}{(n-1)!\,\zeta(2n)} = O\left(x^{1/4+\varepsilon}\right).$$
Note the interesting feature that only integer arguments of $\zeta$ appear. One question is this: Can there be any value whatsoever in numerical evaluations of the sum? If there be any value at all, methods for so-called “recycled” evaluations of $\zeta$ come into play. These are techniques for evaluating huge sets of $\zeta$ values having the respective arguments in arithmetic progression [Borwein et al. 2000].
(2) The work of [Balazard et al. 1999] proves that
$$I = \int_{\Re(s)=1/2} \frac{\ln|\zeta(s)|}{|s|^2}\,|ds| = 2\pi \sum_{\Re(\rho) > 1/2} \ln\left|\frac{\rho}{1-\rho}\right|,$$
where the line integral is carried out over the critical line, and $\rho$ denotes any zero in the critical strip, but to the right of the critical line as indicated, counting multiplicity. Thus the simple statement “$I = 0$” is equivalent to the RH. One task is to plot the behavior of $I(T)$, which is the integral $I$ restricted to $\Im(s) \in [-T, T]$, and look for evident convergence $I(T) \to 0$, possibly giving a decay estimate. Another question mixes theory and computation: If there is a single errant zero $\rho = \sigma + it$ with $\sigma > 1/2$ (and its natural reflections), and if the integral is numerically computed to some height $T$ and with some appropriate precision, what, if anything, can be said about the placement of that single zero? A challenging question is: Even if the RH is true, what is a valid positive $\alpha$ such that
$$I(T) = O(T^{-\alpha})\,?$$
It has been conjectured [Borwein et al. 2000] that α = 2 is admissible.
(3) Some new equivalences of the RH involve the standard function
$$\xi(s) = \tfrac12\, s(s-1)\,\pi^{-s/2}\,\Gamma(s/2)\,\zeta(s).$$
The tantalizing result in [Pustyl’nikov 1999] says that a condition applicable at a single point $s = 1/2$, namely
$$\frac{d^n \xi}{ds^n}\left(\tfrac12\right) > 0$$
for every $n = 2, 4, 6, \dots$, is equivalent to the RH. The interesting computational exercise would be to calculate some vast number of such derivatives. A single negative derivative would destroy the RH. Yet another criterion equivalent to the RH is that of [Lagarias 1999]:
$$\Re\left(\frac{\xi'(s)}{\xi(s)}\right) > 0$$
whenever $\Re(s) > 1/2$. Again some graphical or other computational means of analysis is at least interesting. Then there is the work in [Li 1997], [Bombieri and Lagarias 1999] to the effect that the RH is equivalent to the positivity property
$$\lambda_n = \sum_{\rho}\left[1 - \left(1 - \frac{1}{\rho}\right)^n\right] > 0$$
holding for each $n = 1, 2, 3, \dots$. The $\lambda_n$ constants can be cast in terms of derivatives of $\ln \xi(s)$, but this time, all such evaluated at $s = 1$. Again various computational avenues are of interest.
Further details, some computational explorations of these, and yet other new RH equivalences appear in [Borwein et al. 2000].
8.35. It is not clear what the search limit is for coprime positive solutions to the Fermat–Catalan equation $x^p + y^q = z^r$ when $1/p + 1/q + 1/r \le 1$. This search limit certainly encompasses the known 10 solutions mentioned in the chapter, but maybe it is not much higher. Extend the search for solutions, where the highest of the powers, namely $z^r$, is allowed to run up to $10^{25}$ or perhaps even higher. To aid in this computation, one should not consider triples $p, q, r$ where we know there are no solutions. For example, if 2 and 3 are in $\{p, q, r\}$, then we may assume the third member is at least 10. See [Beukers 2004] and [Bruin 2003] for an up-to-date report on those exponent triples for which no search is necessary. Also, see [Bernstein 2004c] for a neat way to search for solutions in the most populous cases.
8.36. Investigate alternative factoring and discrete-logarithm algorithms for quantum Turing machines (QTMs). Here are some (unguaranteed) ideas.
The Pollard–Strassen method of Section 5.5 uses fast algorithms to deterministically uncover factors of $N$ in $O(N^{1/4})$ operations. However, the usual approach to the required polynomial evaluations is FFT-like, and in practice often does involve FFTs. Is there a way to go deeper into the Pollard–Strassen method, using the inherent massive parallelism of QTMs in order to effect an interesting deterministic algorithm?
Likewise, we have seen exercises involving parallelization of Pollard-rho, ECM, QS, NFS factoring, and it is a good rule that whenever parallelism reveals itself, there is some hope of a QTM implementation.
As for DL problems, the rho and lambda methods admit of parallelism; indeed, the DL approach in [Shor 1999] is very much like the collision methods