YALE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE

CPSC 467a: Cryptography and Computer Security Notes 16 (rev. 1)
Professor M. J. Fischer November 3, 2008

Lecture Notes 16

68 Legendre Symbol

Let p be an odd prime, a an integer. The Legendre symbol ( ) a p is a number in {-1,0,+1}, defined as follows:

( ( a) |{ +1 if a is a non-trivial quadratic residue m odulo p -- = 0 if a ≡ 0 (mod p) p |( - 1 if a is not a q uad ratic residue m odulo p

By the Euler Criterion (see Claim 3), we have

Theorem 1 Let p be an odd prime. Then

( a) p-1 -- ≡ a( 2 ) (mod p) p

Note that this theorem holds even when pa.

The Legendre symbol satisfies the following multiplicative property: Fact Let p be an odd prime. Then

( a1a2) (a1-) (a2-) p = p p

Not surprisingly, if a1 and a2 are both non-trivial quadratic residues, then so is a1a2. This shows that the fact is true for the case that

( a1) ( a2) --- = --- = 1. p p

More surprising is the case when neither a1 nor a2 are quadratic residues, so

( ) ( ) a1- = a2- = - 1. p p

In this case, the above fact says that the product a1a2 is a quadratic residue since

( ) a1a2- p = (- 1)(- 1) = 1.

Here’s a way to see this. Let g be a primitive root of p. Write a1 gk1 (mod p) and a2 gk2 (mod p). Since a1 and a2 are not quadratic residues, it must be the case that k1 and k2 are both odd; otherwise gk12 would be a square root of a1, or gk22 would be a square root of a2. But then k1 + k2 is even since the sum of any two odd numbers is always even. Hence, g(k1+k2)2 is a square root of a1a2 gk1+k2 (mod p), so a1a2 is a quadratic residue.

69 Jacobi Symbol

The Jacobi symbol extends the Legendre symbol to the case where the “denominator” is an arbitrary odd positive number n.

Let n be an odd positive integer with prime factorization i=1kpiei. We define the Jacobi symbol by

( ) k ( ) e a- = ∏ a- i , n i=1 pi
(1)

where the symbol on the left is the Jacobi symbol, and the symbol on the right is the Legendre symbol. (By convention, this product is 1 when k = 0, so (a) 1 = 1.) Clearly, when n = p is an odd prime, the Jacobi symbol and Legendre symbols agree, so the Jacobi symbol is a true extension of our earlier notion.

What does the Jacobi symbol mean when n is not prime? If (a) n = -1 then a is definitely not a quadratic residue modulo n, but if (a) n = 1, a might or might not be a quadratic residue.

Consider the important case of n = pq for p, q distinct odd primes. Then

(a ) ( a) (a) -- = -- -- n p q
(2)

so there are two cases that result in ( ) an = 1: either ( ) ap = ( ) aq = +1 or ( ) ap = ( ) aq = -1.

In the first case, a is a quadratic residue modulo both p and q, so a is a quadratic residue modulo n. Let b and c be square roots of a modulo p and q, respectively, so

a ≡ b2 (mod p) (3) 2 a ≡ c (mod q) (4)
By the Chinese Remainder Theorem, there exists unique d ∈ Zn satisfying
d ≡ b (mod p) (5) d ≡ c (mod q) (6)
Squaring both sides of (5) and (6) and combining with (3) and (4), we have
2 d ≡ a (mod p) (7) d2 ≡ a (mod q) (8)
Hence, d2 a (mod n), so a is a quadratic residue modulo n.

In the second case, a is not a quadratic residue modulo either p or q, so it is not a quadratic residue modulo n, either. Such numbers a are sometimes called “pseudo-squares” since they have Jacobi symbol 1 but are not quadratic residues.

70 Identities Involving the Jacobi Symbol

The Jacobi symbol ( ) an is easily computed using Equation 1 of section 69 and Theorem 1 of section 68 if the factorization of n is known. Similarly, gcd(u,v) is easily computed without resort to the Euclidean algorithm given the factorizations of u and v. The remarkable fact about the Euclidean algorithm is that it lets us compute gcd(u,v) efficiently even without knowing the factors of u and v. A similar algorithm allows the Jacobi symbol (a ) n to be computed efficiently without knowing the factorization of a or n.

The algorithm is based on identities satisfied by the Jacobi symbol:

  1. ( ) 01 = 1; ( ) 0n = 0 for n1;
  2. ( ) 2n = 1 if n ≡±1 (mod 8); ( ) 2n = -1 if n ≡±3 (mod 8);
  3. ( ) an1 = ( ) a2n- if a1 a2 (mod n);
  4. ( ) 2a n = ( ) 2 n(a) n;
  5. (a) n = -(n-) a if a n 3 (mod 4).
  6. ( ) an = ( ) na if a 1 (mod 4) or (a 3 (mod 4) and n 1 (mod 4));

There are many ways to turn these identities into an algorithm. Below is a straightforward recursive approach. Slightly more efficient iterative implementations are also possible.

int jacobi(int a, int n)  
/⋆ Precondition: a, n >= 0; n is odd ⋆/  
{  
  if (a == 0)                   /⋆ identity 1 ⋆/  
    return (n==1) ? 1 : 0;  
  if (a == 2) {                 /⋆ identity 2 ⋆/  
    switch (n%8) {  
    case 1:  
    case 7:  
      return 1;  
    case 3:  
    case 5:  
      return -1;  
    }  
  }  
  if ( a >= n )                 /⋆ identity 3 ⋆/  
    return jacobi(a%n, n);  
  if (a%2 == 0)                 /⋆ identity 4 ⋆/  
    return jacobi(2,n)⋆jacobi(a/2, n);  
  /⋆ a is odd ⋆/                /⋆ identities 5 and 6 ⋆/  
  return (a%4 == 3 && n%4 == 3) ? -jacobi(n,a) : jacobi(n,a);  
}

71 Solovay-Strassen Test of Compositeness

Recall that a test of compositeness for n is a set of predicates {τa(n)}a∈Z*n such that if τ(n) succeeds (is true), then n is composite. The Solovay-Strassen Test is the set of predicates {νa(n)}a∈Z*n, where

( ) νa(n) = true iff a- ⁄≡ a(n-1)∕2 (mod n). n

If n is prime, the test always fails by Theorem 1 of section 68. Equivalently, if some νa(n) succeeds, then n must be composite. Hence, the test is a valid- test of compositeness.

Let b = a(n-1)2, so b2 an-1. There are two possible reasons why the test might succeed. One possibility is that an-1 ⁄≡ 1 (mod n) in which case b ⁄≡±1 (mod n). This is just the Fermat test ζa(n) from section 52 of lecture notes 12. A second possibility is that an-1 1 (mod n) but nevertheless, b ⁄≡( ) an (mod n). In this case, b is a square root of 1 (mod n), but it might have the opposite sign from ( ) an, or it might not even be ±1 since 1 has additional square roots when n is composite. Strassen and Solovay show the probability that νa(n) succeeds for a randomly-chosen a ∈ Z*n is at least 12 when n is composite.1

72 Miller-Rabin Test of Compositeness

The Miller-Rabin Test is more complicated to describe than the Solovay-Strassen Test, but the probability of error (that is, the probability that it fails when n is composite) seems to be lower than for Solovay-Strassen, so that the same degree of confidence can be achieved using fewer iterations of the test. This makes it faster when incorporated into a primality-testing algorithm. It is also closely related to the algorithm presented in section 56.3 (lecture notes 13) for factoring an RSA modulus given the encryption and decryption keys and to Shanks Algorithm 66.1 (lecture notes 15) for computing square roots modulo an odd prime.

72.1 The test

The test μa(n) is based on computing a sequence b0,b1,,bs of integers in Z*n. If n is prime, this sequence ends in 1, and the last non-1 element, if any, is n- 1 (≡-1 (mod n)). If the observed sequence is not of this form, then n is composite, and the Miller-Rabin Test succeeds. Otherwise, the test fails.

The sequence is computed as follows:

  1. Write n - 1 = 2st, where t is an odd positive integer. Computationally, s is the number of 0’s at the right (low-order) end of the binary expansion of n, and t is the number that results from n when the s low-order 0’s are removed.
  2. Let b0 = at mod n.
  3. For i = 1,2,,s, let bi = (bi-1)2 mod n.

An easy inductive proof shows that bi = a2it mod n for all i, 0 i s. In particular, bs a2st = an-1 (mod n).

72.2 Validity

To see that the test is valid, we must show that μa(p) fails for all a ∈ Z*p when n is a prime p. By Euler’s theorem2 , ap-1 1 (mod p), so we see that bs = 1. Since 1 has only two square roots modulo p, 1 and -1, and bi-1 is a square root of bi modulo p, the last non-1 element in the sequence (if any) must be -1 mod p. This is exactly the condition for which the Miller-Rabin test fails. Hence, it fails whenever n is prime, so if it succeeds, n is indeed composite.

72.3 Accuracy

How likely is it to succeed when n is composite? It succeeds whenever an-1 ⁄≡ 1 (mod n), so it succeeds whenever the Fermat test ζa(n) would succeed. (See section 52 of lecture notes 12.) But even when an-1 1 (mod n) and the Fermat test fails, the Miller-Rabin test will succeed if the last non-1 element in the sequence of b’s is one of the two square roots of 1 that differ from ±1. It can be proved that μa(n) succeeds for at least 34 of the possible values of a. Empirically, the test almost always succeeds when n is composite, and one has to work to find a such that μa(n) fails.

72.4 Example

For example, take n = 561 = 3 11 17. This number is interesting because it is the first Carmichael number. A Carmichael number is an odd composite number n that satisfies an-1 1 (mod n) for all a ∈ Z*n. (See http://mathworld.wolfram.com/CarmichaelNumber.html.) These are the numbers that I have been calling “pseudoprimes”. Let’s go through the steps of computing μ37(561).

We begin by finding t and s. 561 in binary is 1000110001 (a palindrome!). Then n-1 = 560 = (1000110000)2, so s = 4 and t = (100011)2 = 35. We compute b0 = at = 3735 mod 561 = 265 with the help of the computer. We now compute the sequence of b’s, also with the help of the computer. The results are shown in the table below:

| -i-|--bi-- 0 |265 1 |100 2 |463 3 | 67 4 | 1 |

This sequence ends in 1, but the last non-1 element b3 ⁄≡-1 (mod 561), so the test μ37(561) succeeds. In fact, the test succeeds for every a ∈ Z*561 except for a = 1,103,256,460,511. For each of those values, b0 = at 1 (mod 561).

72.5 Optimization

In practice, one only wants to compute as many of the b’s as necessary to determine whether or not the test succeeds. In particular, one can stop after computing bi if bi ≡±1 (mod n). If bi ≡-1 (mod n) and i < s, the test fails. If bi 1 (mod n) and i 1, the test succeeds. This is because we know in this case that bi-1 ⁄≡-1 (mod n), for if it were, the algorithm would have stopped after computing bi-1.