fermat and mersenne numbers

Upload: danrcg

Post on 03-Jun-2018


  • 8/11/2019 Fermat and Mersenne Numbers


    Fermat and Mersenne Numbers

    Tutorial

    R01942039


    Content

    1 Introduction
    2 Background of Fermat Numbers
    3 Geometric Interpretation of Fermat Numbers
    4 Factoring Status of Fermat Numbers
    5 Basic Properties of Fermat Numbers
    6 Primality of Fermat Numbers
    7 Infinitude of Fermat Primes
    8 Divisibility of Fermat Numbers
    9 Mersenne Numbers and Fermat Numbers
    10 Applications of Prime numbers
    11 Reference


    1. Introduction

    Prime numbers are widely studied in the field of number theory, and they have many beautiful properties and applications. Euclid first proved that the number of primes is infinite. There is no largest prime number, just as there is no largest number! Euclid started by looking at the known primes and adding one to their product. For example, both 2 and 3 are primes, and their product + 1 is also a prime: 2*3+1=7. The nice but not beautiful thing about this is that sometimes this algorithm will produce primes and sometimes it will not!

    Although Euclid did not find a way to use this procedure to find only primes, he did find that it can easily be used to show that there are infinitely many primes!

    Proof: Let us suppose that are prime numbers. Multiply them together and add 1, calling this number a new integer q. If q is a prime number, then we have a new prime. If q is not a prime, it must be divisible by a prime number r. But r cannot be or any other from our original list of prime numbers, because if you divide q by any of you will get a remainder 1, which means that q is not divisible by any of these prime numbers. So r is a new prime. Whichever way you choose to look at it, either you have found a new prime q, or, if q is not a prime, then you have found that it has a new prime for a prime factor.

    Fig.1 Counting function of prime numbers.

    The distribution of primes seems to be complicated and a little bit random. The sequence of primes can be presented graphically in terms of a step function or counting function which is traditionally denoted . The height of the graph at horizontal position x indicates the number of primes less than or equal to x. Hence at each prime value of x we see a vertical jump of one unit. The positions of primes constitute just about the most fundamental, inarguable, nontrivial information available to our consciousness. Zooming much further, we would expect to see the "granular" nature of the actual graph vanish into the pixelation of the screen.

    Fig.2 Approximate by x/log x.

    In 1896, de la Vallée Poussin and Hadamard simultaneously proved what had been suspected for several decades, and what is now known as the prime number theorem:

    (1)

    In words, the (discontinuous) prime counting function is asymptotic to the (smooth) logarithmic function x/log x. This means that the ratio of to x/log x can be made arbitrarily close to 1 by considering large enough x. Hence x/log x provides an approximation of the number of primes less than or equal to x, and if we take sufficiently large x this approximation can be made as accurate as we would like (proportionally speaking - very simply, as close to 100% accuracy as is desired).

    [Figure: plot of π(x) and x/ln(x) for x from 0 to 10000.]


    2. Background of Fermat Numbers

    One approach to investigating prime numbers is to study numbers of a certain form. For example, it has been proven that there are infinitely many primes of the form a + nd, where d ≥ 2 and gcd(d, a) = 1 (Dirichlet's theorem). On the other hand, it is still an open question whether there are infinitely many primes of the form + 1.

    In this paper, we will discuss in particular numbers of the form 2 + 1 where n is a nonnegative integer. They are called Fermat numbers, named after the French mathematician Pierre de Fermat (1601–1665), who first studied numbers of this form. It is still an open problem whether there are infinitely many primes of the form 2 + 1. We will not be able to answer this question in this paper, but we will prove some basic properties of Fermat numbers and discuss their primality and divisibility.

    We will also briefly mention numbers of the form $2^n - 1$ where n is a positive integer. They are called Mersenne numbers, named after the French mathematician Marin Mersenne. In section 9, we will see how Mersenne numbers relate to the primality of Fermat numbers.

    Pierre de Fermat (1601–1665)    Marin Mersenne (1588–1648)

    Fig.3 Fermat and Marin Mersenne.

    Fermat first conjectured that all the numbers of the form 2 + 1 are primes. However, in 1732, Leonhard Euler refuted this claim by showing that $F_5$ = 2 + 1 = 4,294,967,297 = 641 × 6,700,417 is composite. Euler proved that every factor of $F_n$ must have the form $k \cdot 2^{n+1} + 1$ (later improved to $k \cdot 2^{n+2} + 1$ by Lucas [1]). It is widely believed that Fermat was aware of the form of the factors later proved by Euler, so it seems curious why he failed to follow through on the straightforward calculation to find the factor. One common explanation is that Fermat made a computational mistake and was so convinced of the correctness of his claim that he failed to double-check his work.

    [1] A theorem of Édouard Lucas: Any prime divisor p of $F_n$ = 2 + 1 is of the form $k \cdot 2^{n+2} + 1$.

    It then became a question whether there are infinitely many primes of the form 2 + 1. Primes of this form are called Fermat primes. To date there are only five known Fermat primes. (See section 4 for more details on the current status of Fermat numbers.) In fact, little is known about Fermat numbers with large n. Each of the following is still an open problem:

    1. Is $F_n$ composite for all n > 4?
    2. Are there infinitely many Fermat primes?
    3. Are there infinitely many composite Fermat numbers?

    In 1796, the German mathematician Carl Friedrich Gauss (1777–1855) found an interesting relationship between the Euclidean construction (i.e. by ruler and compass) of regular polygons and Fermat primes. His theorem is known as Gauss's Theorem.

    Gauss's Theorem:

    There exists a Euclidean construction of the regular n-polygons if and only if n = 2 , where n ≥ 3, i ≥ 0, j ≥ 0, and are distinct Fermat primes.

    Gauss's theorem implies that all 2-gons for n ≥ 2 are constructible. Moreover, since so far only five Fermat numbers are known to be prime, it implies that for n odd, there are only 2 1 = 31 n-gons that are known to be Euclidean constructible. If it turns out that there is only a finite number of Fermat primes, then this theorem would imply that there is only a finite number of Euclidean constructible n-gons for n odd. The figure below shows five Euclidean constructible n-gons.

    Fig. 4 Triangle, pentagon, heptadecagon, 257-gon and 65537-gon.


    3. Geometric Interpretation of Fermat Numbers

    As Gauss's theorem suggests, Fermat numbers might be closely related to some of the problems in geometry. It is hence useful if we can understand what they mean geometrically. A Fermat number $F_n$ = 2 + 1 (for n ≥ 1) can be thought of as a square whose side length is 2 plus a unit square (see figure 5). Hence, determining whether a (Fermat) number is composite or not is equivalent to determining whether we can rearrange the unit-square blocks to form a rectangle. Moreover, determining whether an integer d divides a (Fermat) number is the same as deciding whether we can reorganize the blocks to form a rectangle with base d; or alternatively, we can also think of it as determining whether we can fill the area with a number of rd unit-square blocks for some integer r (see figure 5).

    F2 = 4 + 1 = 17

    F2 = 17 is not a composite because no matter how you rearrange the blocks, you cannot get a rectangle.

    F2 = 17 is not divisible by 3.

    Fig.5 Geometric interpretation of Fermat numbers

    Some of the properties we will prove in section 5 can be easily understood if we interpret them geometrically. We will also make remarks on several of them.


    4. Factoring Status of Fermat Numbers

    Because of the size of Fermat numbers, it is difficult to factorize them or to prove their primality. Pépin's test gives a necessary and sufficient condition for primality of Fermat numbers, and can be implemented by modern computers. The elliptic curve method is a fast method for finding small prime divisors of numbers. The distributed computing project Fermatsearch has successfully found some factors of Fermat numbers. Yves Gallot's proth.exe has been used to find factors of large Fermat numbers. Édouard Lucas, improving the above-mentioned result by Euler, proved in 1878 that every factor of the Fermat number $F_n$, with n at least 2, is of the form $k \cdot 2^{n+2} + 1$, where k is a positive integer; this is in itself almost sufficient to prove the primality of the known Fermat primes.
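Pépin's test and trial division restricted to Lucas's form, as an added example that is not part of the original tutorial. It assumes the standard definition F_n = 2^(2^n) + 1 and the usual base-3 statement of Pépin's test; the function names are illustrative.

```python
# Added example (not from the tutorial). Assumes F_n = 2^(2^n) + 1.

def fermat(n):
    """Return the Fermat number F_n = 2^(2^n) + 1."""
    return (1 << (1 << n)) + 1


def pepin(n):
    """Pepin's test, stated for n >= 1:
    F_n is prime  <=>  3^((F_n - 1)/2) == -1 (mod F_n)."""
    if n < 1:
        raise ValueError("Pepin's test is stated for n >= 1")
    f = fermat(n)
    return pow(3, (f - 1) // 2, f) == f - 1


def lucas_form_search(n, max_k):
    """Trial-divide F_n (n >= 2) by candidates d = k * 2^(n+2) + 1 only.

    Every prime factor of F_n has this form, so if F_n is composite its
    smallest prime factor shows up among the candidates below sqrt(F_n).

    Returns one of
      ("factor", k, d)         d divides F_n
      ("prime", None, None)    all candidates up to sqrt(F_n) ruled out
      ("unknown", None, None)  max_k reached before sqrt(F_n)
    """
    if n < 2:
        raise ValueError("Lucas's form is stated for n >= 2")
    f = fermat(n)
    step = 1 << (n + 2)
    for k in range(1, max_k + 1):
        d = k * step + 1
        if d * d > f:
            return ("prime", None, None)
        if f % d == 0:
            return ("factor", k, d)
    return ("unknown", None, None)


if __name__ == "__main__":
    for n in range(1, 8):
        print("F_%d passes Pepin's test: %s" % (n, pepin(n)))
    # F_4 is proved prime after three divisions; F_5 falls at k = 5 (641).
    for n, max_k in ((2, 10), (3, 10), (4, 10), (5, 10), (6, 2000), (7, 1000)):
        print("F_%d:" % n, lucas_form_search(n, max_k))
```

The k values found for F_5 and F_6 match the first column of entries in the table of completely factored Fermat numbers.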

    The table below only shows the factoring status of Fermat numbers up to n = 200. For up-to-date progress on Fermat numbers and other details, see

    http://www.prothsearch.net/fermat.html#Summary.

    Prime

    Composite with no known factors

    Composite with complete factorization

    Composite with incomplete factorization

    Unknown


    Completely factored Fermat numbers (Prime factors = $k \cdot 2^{m+2} + 1$)

    m    k                       n    Year          Discoverer
    5    5                       7    1732          L. Euler
         52347                   7    1732          L. Euler
    6    1071                    8    1855          T. Clausen; F. Landry 1880
         262814145745            8    1855          T. Clausen; F. Landry & H. Le Lasseur 1880
    7    116503103764643         9    13 Sep 1970   M. A. Morrison & J. Brillhart
         11141971095088142685    9    13 Sep 1970   M. A. Morrison & J. Brillhart
    8    604944512477            11   1980          R. P. Brent & J. M. Pollard
         [59 digits]             11   1980          R. P. Brent & J. M. Pollard
    9    37                      16   1903          A. E. Western
         [46 digits]             11   15 Jun 1990   A. K. Lenstra, M. S. Manasse & a larger team
         [96 digits]             11   15 Jun 1990   A. K. Lenstra, M. S. Manasse & a larger team
    10   11131                   12   15 Aug 1953   J. L. Selfridge
         395937                  14   1962          J. Brillhart
         [37 digits]             12   20 Oct 1995   R. P. Brent
         [248 digits]            13   1995          R. P. Brent
    11   39                      13   1899          A. Cunningham
         119                     13   1899          A. Cunningham
         10253207784531279       14   17 May 1988   R. P. Brent
         434673084282938711      13   13 May 1988   R. P. Brent
         [560 digits]            13   20 Jun 1988   R. P. Brent & F. Morain

    46-digit k = 3640431067210880961102244011816628378312190597

    37-digit k = 1137640572563481089664199400165229051

    Further, on May 14, 2013, as part of PrimeGrid's Proth Prime Search, Marshall Bishop found that $57 \cdot 2^{2747499} + 1$ divides $F_{2747497}$. This is now the largest Fermat number known to be composite.


    5. Basic Properties of Fermat Numbers

    In this section, we will prove some basic properties of Fermat numbers.

    Theorem 1. For n ≥ 1, $F_n$ = 1 + 1.

    Proof. 1 + 1 = 2 + 1 1 + 1 = 2 + 1 = $F_n$

    Remark 1. This theorem is obvious if we interpret it geometrically:

    Fig 6. Any Fermat number is exactly a square with side length 1 plus a unit square.

    Theorem 2. For n ≥ 1, = + 2.

    Proof. We will prove this by induction.

    When n = 1, we have + 2 = 3 + 2 = 5 =

    Now assume = + 2

    Then, + 2 = + 2 = (2) + 2 (induction hypothesis)

    = (2 1)(2 + 1) + 2

    = 2 + 1 =

    Remark 2. To understand the proof of Theorem 2 geometrically, we can think of 2 as a square with side length 1 minus a unit square (Theorem 1, see Fig. 7 (a)). It is divisible by = 2 + 1 because we can form a rectangle by moving the top row and making it a column on the right (Fig. 7 (b)). To see that it is also divisible by for 2 ≤ k ≤ n, we can use the induction hypothesis that divides 2 = 2 1. It means that we can fill each column of the rectangle in figure 7 (a) evenly by r number of blocks for some integer r.

    (a) A 2 x 2 square minus a unit square

    (b) A (2 1) x (2 + 1) rectangle

    (c) Each column can be filled evenly by $F_{n-k}$.

    Fig 7. Geometric interpretation of = + 2


    6. Primality of Fermat Numbers

    Recall that we have defined Fermat numbers to be numbers of the form 2 + 1 where n is a nonnegative integer. There is actually another definition for Fermat numbers, namely numbers of the form 2 + 1 where n is a nonnegative integer. We have chosen the former definition because it seems to be more commonly used and it gives the properties that we have proved earlier. However, if we are only interested in Fermat numbers that are primes, then it does not matter which definition we use, as we will see from the next theorem.

    Theorem 3. [Reference 3] If 2 + 1 is a prime, then n is a power of 2.

    Proof. Suppose n is a positive integer that is not a power of 2. Then we can write n = s for some nonnegative integer r and some positive odd integer s. Also recall the identity

    = (a − b)( + b + + a + ),

    which implies that a − b divides . Now substituting a = 2, b = 1 and n = s, we have 2 + 1 divides 21 = 2 + 1. However, r < n, which means that 2 + 1 is not a prime. Hence, n must be a power of 2 in order for 2 + 1 to be a prime.

    The next theorem concerns the properties of Fermat primes.

    Theorem 4. [Reference 1, p. 31] No Fermat prime can be expressed as the difference of two pth powers, where p is an odd prime.

    Proof. Assume for contradiction that there is such a Fermat prime. Then, $F_n$ = = (a − b)( + b + + a + ), where a > b and p is an odd prime. Since $F_n$ is a prime, it must be the case that a − b = 1. Moreover, by Fermat's Little Theorem, a (mod p) and b (mod p). Thus, $F_n$ = a b = 1 (mod p). This implies p | $F_n$ − 1 = 2, which is impossible because the only integer that divides 2 is 2.

    Note:

    Fermat's little theorem states that if p is a prime number, then for any integer a, the number $a^p - a$ is an integer multiple of p. In the notation of modular arithmetic, this is expressed as

    mod

    If a is not divisible by p, Fermat's little theorem is equivalent to the statement that $a^{p-1} - 1$ is an integer multiple of p:

    1 mod


    7. Infinitude of Fermat Primes

    As we have noted before, there are only five known Fermat primes so far. In fact, it has been shown that $F_n$ is composite for 5 ≤ n ≤ 32 and many other larger n (from section 4). Whether there is an infinite number of Fermat primes is still an open question, and below is a heuristic argument that suggests there is only a finite number of them. This argument is due to Hardy and Wright [Reference 1, p.158].

    There is only a finite number of Fermat primes.

    Recall that the Prime Number Theorem says ~/log, where π(x) is the number of primes ≤ x. Hence (x)

    1 +

    1 which diverges

    But we know from Theorem 3 that the sets {2 + 1: it is a prime} and {2 + 1: it is a prime} are the same set. This latter argument suggests Hardy and Wright's argument does not take into account the properties of Fermat numbers. That is to say, the variable x is not that random. It works largely because gaps between successive Fermat numbers are extremely large. Nevertheless, given any number (even a number of a particular form), it is more likely to be composite than prime. Therefore, bounding the probability of it being a prime by a lower bound gives a weaker argument than bounding it from above.


    8. Divisibility of Fermat Numbers

    In the last two sections, we focused on the primality of Fermat numbers and the properties of Fermat primes. However, if a Fermat number is found to be composite, we are interested in what its factorization is, or at least, what properties its divisors have to have. We will end our discussion of Fermat numbers in this section by proving several theorems about their divisors.

    Theorem 5. [Reference 1, p.37] Let q = be a power of an odd prime p, where m ≥ 1. Then the Fermat number $F_n$ is divisible by q if and only if ord_q 2 = 2 [2].

    Proof. First suppose q | $F_n$, then q | (2 + 1)(2 1) = 2 1, and hence 2 1 (mod q). It follows that 2 = k ord_q 2 for some positive integer k. Thus, k is a power of 2 and so is ord_q 2. Let e = ord_q 2 = 2. If j < n + 1, then we have q | 2 1 = 2 1. But this is impossible because q | 2 + 1 and q 2. Hence, j = n + 1 and so ord_q 2 = 2. Conversely, if we assume that ord_q 2 = 2, then q | 2 1 = (2 + 1)(2 1). Since q is an odd prime, q divides either 2 + 1 or 2 1. But q cannot divide 2 1 because 2 < ord_q 2. Hence q | 2 + 1 = $F_n$.

    Theorem 6 (Euler). [Reference 1, p. 38] If p is a prime and p | $F_n$, then p is of the form p = k2 + 1, where k is a positive integer.

    Proof. By Fermat's little theorem, 2 1 (mod p), and it follows that ord_q 2 | p − 1. Hence, k ord_q 2 = p − 1 for some positive integer k, and by Theorem 18, p = k ord_q 2 + 1 = k2 + 1.

    [2] In number theory, given an integer a and a positive integer n with gcd(a,n) = 1, the multiplicative order of a modulo n is the smallest positive integer k with $a^k \equiv 1 \pmod{n}$. The order of a modulo n is usually written ord_n(a),


    9. Mersenne Numbers and Fermat Numbers

    Recall that we have defined Mersenne numbers to be numbers of the form $M_n = 2^n - 1$ where n is a positive integer. Some definitions require n to be a prime. However, as in the case of Fermat numbers, if we are only interested in Mersenne numbers that are primes, then it does not matter which definition we choose. We can see that in the following theorem. Mersenne primes take their name from the 17th-century French scholar Marin Mersenne, who compiled what was supposed to be a list of Mersenne primes with exponents up to 257. His list was largely incorrect, as Mersenne mistakenly included $M_{67}$ and $M_{257}$ (which are composite), and omitted $M_{61}$, $M_{89}$, and $M_{107}$ (which are prime). Mersenne gave little indication how he came up with his list.

    Though it was believed by early mathematicians that $M_p$ is prime for all primes p, $M_p$ is very rarely prime. In fact, of the 1,622,441 prime numbers p up to 25,964,951, $M_p$ is prime for only 42 of them. The smallest counterexample is the Mersenne number

    $M_{11} = 2^{11} - 1 = 2047 = 23 \times 89$.

    The lack of any simple test to determine whether a given Mersenne number is prime makes the search for Mersenne primes a difficult task, since Mersenne numbers grow very rapidly. The Lucas–Lehmer primality test (LLT) is an efficient primality test that greatly aids this task. The search for the largest known prime has somewhat of a cult following. Consequently, a lot of computer power has been expended searching for new Mersenne primes, much of which is now done using distributed computing.

    Mersenne primes are used in pseudorandom number generators such as the Mersenne twister, Park–Miller random number generator, Generalized Shift Register and Fibonacci RNG.

    The best method presently known for testing the primality of Mersenne numbers is the Lucas–Lehmer primality test. Specifically, it can be shown that for prime p > 2, $M_p = 2^p - 1$ is prime if and only if $M_p$ divides $S_{p-2}$, where $S_0 = 4$ and, for k > 0, = 2. The search for Mersenne primes was revolutionized by the introduction of the electronic digital computer, as can be seen in Fig.8.
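The Lucas–Lehmer test described above, as an added example that is not part of the original tutorial. It uses the standard recurrence S_k = S_(k-1)^2 − 2 with S_0 = 4, and reduces modulo 2^p − 1 with shifts and masks instead of division; the function names are illustrative.

```python
# Added example (not from the tutorial).

def is_prime_small(n):
    """Trial division, adequate for the exponents p used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def mod_mersenne(x, p):
    """Return x mod (2^p - 1) for x >= 0 without a division.

    Because 2^p == 1 (mod 2^p - 1), the bits above position p can be
    folded back onto the low p bits and added.
    """
    m = (1 << p) - 1
    while x >> p:
        x = (x & m) + (x >> p)
    return 0 if x == m else x


def lucas_lehmer(p):
    """Return True iff M_p = 2^p - 1 is prime."""
    if not is_prime_small(p):
        return False            # composite exponent gives a composite M_p
    if p == 2:
        return True             # M_2 = 3; the test itself is stated for p > 2
    m = (1 << p) - 1
    s = 4                       # S_0
    for _ in range(p - 2):      # compute S_1 .. S_(p-2) modulo M_p
        s = mod_mersenne(s * s, p) - 2
        if s < 0:
            s += m
    return s == 0               # M_p divides S_(p-2)


def mersenne_prime_exponents(limit):
    """All exponents p <= limit for which M_p is prime."""
    return [p for p in range(2, limit + 1) if lucas_lehmer(p)]


if __name__ == "__main__":
    # The exponents named in the text: Mersenne's two wrong inclusions,
    # his three omissions, and the smallest counterexample M_11.
    for p in (11, 61, 67, 89, 107, 257):
        print("M_%d is %s" % (p, "prime" if lucas_lehmer(p) else "composite"))
    print(mersenne_prime_exponents(130))
```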


    10. Applications of Prime numbers

    1. Pseudorandom Number Generation

    Fermat primes are particularly useful in generating pseudo-random sequences of numbers in the range 1 … N, where N is a power of 2. The most common method used is to take any seed value between 1 and P − 1, where P is a Fermat prime. Now multiply this by a number A, which is greater than the square root of P and is a primitive root modulo P (i.e., it is not a quadratic residue). Then take the result modulo P. The result is the new value for the RNG.

    V = ( ) mod

    This is useful in computer science since most data structures have members with $2^X$ possible values. For example, a byte has 256 ($2^8$) possible values (0–255). Therefore to fill a byte or bytes with random values a random number generator which produces values 1–256 can be used, the byte taking the output value − 1. Very large Fermat primes are of particular interest in data encryption for this reason. This method produces only pseudorandom values as, after P − 1 repetitions, the sequence repeats. A poorly chosen multiplier can result in the sequence repeating sooner than P − 1.
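The generator described above with P = 257, as an added example that is not part of the original tutorial; the multipliers 27, 64 and 300 and all function names are chosen here for illustration. It checks the stated conditions on the seed and multiplier, measures the period for a good and a poorly chosen multiplier, and shows that each output byte determines the next one, so the stream is predictable and unsuitable for keys or nonces.

```python
# Added example (not from the tutorial). P must be a Fermat prime.

def is_primitive_root_fermat(a, p):
    """For a Fermat prime p, p - 1 is a power of 2, so a is a primitive
    root exactly when it is a quadratic non-residue (Euler's criterion):
    a^((p-1)/2) == -1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == p - 1


def check_parameters(seed, a, p):
    """Return a list of violated conditions (empty when all hold)."""
    problems = []
    if not 1 <= seed <= p - 1:
        problems.append("seed not in 1..P-1")
    if a * a <= p:
        problems.append("multiplier not greater than sqrt(P)")
    if not is_primitive_root_fermat(a % p, p):
        problems.append("multiplier is not a primitive root modulo P")
    return problems


def lehmer_bytes(seed, a, count, p=257):
    """Iterate V <- A * V mod P and emit V - 1; with P = 257 each
    value V lies in 1..256, so V - 1 is a byte."""
    out, v = [], seed
    for _ in range(count):
        v = a * v % p
        out.append(v - 1)
    return out


def period(a, p, seed=1):
    """Number of steps until the state returns to the seed."""
    v, steps = seed, 0
    while True:
        v = a * v % p
        steps += 1
        if v == seed:
            return steps


def predict_next_byte(byte, a, p=257):
    """Anyone who sees one output byte knows the state (byte + 1) and
    can compute every later output."""
    return a * (byte + 1) % p - 1


if __name__ == "__main__":
    print(check_parameters(1, 27, 257), period(27, 257))   # full period 256
    print(check_parameters(1, 64, 257), period(64, 257))   # repeats after 8
    stream = lehmer_bytes(123, 27, 6)
    print(stream, [predict_next_byte(b, 27) for b in stream[:-1]])
```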

    2. RSA Encryption

    RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977. A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime factors can feasibly decode the message. Whether breaking RSA encryption is as hard as factoring is an open question known as the RSA problem.

    The RSA algorithm involves three steps: key generation, encryption and decryption.

    Key generation:

    RSA involves a public key and a private key. The public key can be known by everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted in a reasonable amount of time using the private key. The keys for the RSA algorithm are generated the following way:

    1. Choose two distinct prime numbers p and q.
       For security purposes, the integers p and q should be chosen at random, and should be of similar bit-length. Prime integers can be efficiently found using a primality test.
    2. Compute n = pq.
       n is used as the modulus for both the public and private keys. Its length, usually expressed in bits, is the key length.
    3. Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1), where φ is Euler's totient function.
    4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1; i.e. e and φ(n) are coprime.
       e is released as the public key exponent.
       e having a short bit-length and small Hamming weight results in more efficient encryption, most commonly $2^{16} + 1$ = 65,537. However, much smaller values of e (such as 3) have been shown to be less secure in some settings.
    5. Determine d as $d^{-1} \equiv e \pmod{\varphi(n)}$, i.e., d is the multiplicative inverse of e (modulo φ(n)).
       This is more clearly stated as: solve for d given de ≡ 1 (mod φ(n)).
       This is often computed using the extended Euclidean algorithm.
       d is kept as the private key exponent.

    By construction, de ≡ 1 (mod φ(n)). The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the modulus n and the private (or decryption) exponent d, which must be kept secret. p, q, and φ(n) must also be kept secret because they can be used to calculate d.

    Encryption:

    Alice transmits her public key (n, e) to Bob and keeps the private key secret. Bob then wishes to send message M to Alice.

    He first turns M into an integer m, such that 0 ≤ m < n, by using an agreed-upon reversible protocol known as a padding scheme. He then computes the ciphertext c corresponding to

    c mod

    This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice.

    Decryption:

    Alice can recover m from c by using her private key exponent d via computing

    m mod

    Given m, she can recover the original message M by reversing the padding scheme.

    (In practice, there are more efficient methods of calculating $c^d$ using the precomputed values below.)

    Using the Chinese remainder algorithm

    For efficiency many popular crypto libraries (like OpenSSL, Java and .NET) use the following optimization for decryption and signing based on the Chinese remainder theorem. The following values are precomputed and stored as part of the private key:

    p and q: the primes from the key generation,

    $d_p = d \bmod (p-1)$,

    $d_q = d \bmod (q-1)$ and

    $q_{inv} = q^{-1} \bmod p$.

    These values allow the recipient to compute the exponentiation $m = c^d \pmod{pq}$ more efficiently as follows:

    = mod .

    = mod .

    h = mod . (if < then some libraries compute h as + mod )

    m = +

    This is more efficient than computing $m \equiv c^d \pmod{pq}$ even though two modular exponentiations have to be computed. The reason is that these two modular exponentiations both use a smaller exponent and a smaller modulus.

    A working example

    Here is an example of RSA encryption and decryption. The parameters used here are artificially small, but one can also use OpenSSL to generate and examine a real keypair.

    1. Choose two distinct prime numbers, such as p=61 and q=53.

    2. Compute $n = pq$, giving $n = 61 \times 53 = 3233$.

    3. Compute the totient of the product as $\varphi(n) = (p-1)(q-1)$, giving $\varphi(3233) = (61-1)(53-1) = 3120$.

    4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120. Let e = 17.

    5. Compute d, the modular multiplicative inverse of e (mod $\varphi(n)$), yielding d = 2753.

    The public key is (n = 3233, e = 17). For a padded plaintext message m, the encryption function is

    $c \equiv m^{17} \pmod{3233}$

    The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption function is

    $m \equiv c^{2753} \pmod{3233}$

    For instance, in order to encrypt m = 65, we calculate

    $c = 65^{17} \bmod 3233 = 2790$

    To decrypt c = 2790, we calculate

    $m = 2790^{2753} \bmod 3233 = 65$

    Practical implementations use the Chinese remainder theorem to speed up the calculation using modulus of factors (mod pq using mod p and mod q).

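    The values $d_p$, $d_q$ and $q_{inv}$, which are part of the private key, are computed as follows:

    $d_p = d \bmod (p-1) = 2753 \bmod (61-1) = 53$

    $d_q = d \bmod (q-1) = 2753 \bmod (53-1) = 49$

    $q_{inv} = q^{-1} \bmod p = 53^{-1} \bmod 61 = 38$

    (Hence: $q_{inv} \times q \bmod p = 38 \times 53 \bmod 61 = 1$)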

    Here is how $d_p$, $d_q$ and $q_{inv}$ are used for efficient decryption. (Encryption is efficient by choice of public exponent e.)

    $c^{d_p} \bmod p = 2790^{53} \bmod 61 = 4$

    $c^{d_q} \bmod q = 2790^{49} \bmod 53 = 12$

    $h = q_{inv} \times (4 - 12) \bmod p = (38 \times -8) \bmod 61 = 1$

    $m = 12 + h \times q = 12 + 1 \times 53 = 65$

    (same as above but computed more efficiently)
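    The CRT decryption steps above, as an added Python example (not code from the original tutorial) built on the page's toy key p = 61, q = 53, e = 17. The function names and the intermediate names m1 and m2 are chosen here; it also checks that CRT and direct decryption agree for every m below n, including multiples of p or q.

```python
# Added example: textbook RSA with the page's toy parameters (no padding).
from math import gcd

def modpow(base, exp, mod):
    """Exponentiation by squaring: O(log exp) modular multiplications."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result

def make_key(p, q, e):
    """Derive the private values the page lists: d, d_p, d_q, q_inv."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def decrypt_crt(key, c):
    """CRT decryption; returns (m1, m2, h, m) so each step can be inspected."""
    m1 = modpow(c, key["dp"], key["p"])  # m1, m2: names assumed here
    m2 = modpow(c, key["dq"], key["q"])
    # Python's % already yields a value in [0, p) when m1 < m2, which is
    # what the "+ p" adjustment achieves in languages with signed remainders.
    h = key["qinv"] * (m1 - m2) % key["p"]
    return m1, m2, h, m2 + h * key["q"]

def check_all_residues(key):
    """Confirm CRT and direct decryption both return m for every m in [0, n)."""
    for m in range(key["n"]):
        c = modpow(m, key["e"], key["n"])
        direct = modpow(c, key["d"], key["n"])
        if not (direct == decrypt_crt(key, c)[3] == m):
            return False
    return True

KEY = make_key(61, 53, 17)
if __name__ == "__main__":
    c = modpow(65, KEY["e"], KEY["n"])
    print(c, decrypt_crt(KEY, c), check_all_residues(KEY))
```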

    Proof using Fermat's little theorem

    The proof of the correctness of RSA is based on Fermat's little theorem. This theorem states that if p is prime and p does not divide an integer a then

    $a^{p-1} \equiv 1 \pmod{p}$

    We want to show that $(m^e)^d \equiv m \pmod{pq}$ for every integer m when p and q are distinct prime numbers and e and d are positive integers satisfying

    $ed \equiv 1 \pmod{(p-1)(q-1)}$

    We can write

    $ed - 1 = h(p-1)(q-1)$

    for some nonnegative integer h.

    To check two numbers, like $m^{ed}$ and m, are congruent mod pq it suffices (and in fact is equivalent) to check they are congruent mod p and mod q separately. (This is part of the Chinese remainder theorem, although it is not the significant part of that theorem.)

    To show $m^{ed} \equiv m \pmod{p}$, we consider two cases: $m \equiv 0 \pmod{p}$ and $m \not\equiv 0 \pmod{p}$. In the first case $m^{ed}$ is a multiple of p, so $m^{ed} \equiv 0 \equiv m \pmod{p}$. In the second case

    $m^{ed} = m^{ed-1} m = m^{h(p-1)(q-1)} m = (m^{p-1})^{h(q-1)} m \equiv 1^{h(q-1)} m \equiv m \pmod{p}$

    where we used Fermat's little theorem to replace $m^{p-1} \bmod p$ with 1.

    The verification that $m^{ed} \equiv m \pmod{q}$ proceeds in a similar way, treating separately the cases $m \equiv 0 \pmod{q}$ and $m \not\equiv 0 \pmod{q}$, using Fermat's little theorem for modulus q in the second case.

    This completes the proof that, for any integer m, $(m^e)^d \equiv m \pmod{pq}$.
