or any other from our original list of prime numbers, because if you divide q by
any of
+ 1
In this paper, we will discuss in particular numbers of the form $2^{2^n}+1$, where n
is a nonnegative integer. They are called Fermat numbers, named after the French
mathematician Pierre de Fermat (1601–1665), who first studied numbers of this form.
It is still an open problem whether there are infinitely many primes of the form
$2^{2^n}+1$. We will not be able to answer this question in this paper, but we will prove
some basic properties of Fermat numbers and discuss their primality and divisibility.
We will also briefly mention numbers of the form $2^n - 1$, where n is a positive integer.
They are called Mersenne numbers, named after the French mathematician Marin
Mersenne. In section 9, we will see how Mersenne numbers relate to the primality of
Fermat numbers.
Pierre de Fermat (1601–1665) Marin Mersenne (1588–1648)
Fig.3 Fermat and Marin Mersenne.
Fermat first conjectured that all the numbers in the form of $2^{2^n}+1$ are primes.
However, in 1732, Leonhard Euler refuted this claim by showing that
$F_5 = 2^{32}+1 = 4,294,967,297 = 641 \times 6,700,417$ is a composite. Euler proved that every factor
of $F_n$ must have the form $k \cdot 2^{n+1} + 1$ (later improved to $k \cdot 2^{n+2} + 1$ by Lucas¹). It is
widely believed that Fermat was aware of the form of the factors later proved by Euler,
so it seems curious why he failed to follow through on the straightforward calculation
to find the factor. One common explanation is that Fermat made a computational
mistake and was so convinced of the correctness of his claim that he failed to
double-check his work.
1 A theorem of Édouard Lucas: Any prime divisor p of $F_n = 2^{2^n} + 1$ is of the form $k \cdot 2^{n+2} + 1$.
It then became a question of whether there are infinitely many primes of the form
$2^{2^n}+1$. Primes of this form are called Fermat primes. To date there are only
five known Fermat primes. (See section 4 for more details on the current status of
Fermat numbers.) In fact, little is known about Fermat numbers with large n. Each of
the following is still an open problem:
1. Is $F_n$ composite for all n > 4?
2. Are there infinitely many Fermat primes?
3. Are there infinitely many composite Fermat numbers?
In 1796, the German mathematician Carl Friedrich Gauss (1977–1855) found an
interesting relationship between the Euclidean construction (i.e. by ruler and compass)
of regular polygons and Fermat primes. His theorem is known as Gauss's Theorem.
Gauss's Theorem:
There exists a Euclidean construction of the regular n-polygon if and only if
n = 2
, where n 3, i 0, j 0, and
1
plus a unit square (see figure 5). Hence, determining
whether a (Fermat) number is composite or not is equivalent to determining whether
we can rearrange the unit-square blocks to form a rectangle. Moreover, determining
whether an integer d divides a (Fermat) number is the same as deciding whether we
can reorganize the blocks to form a rectangle with base d; or alternatively, we can also
think of it as determining whether we can fill the area with a number of r d
unit-square blocks for some integer r (see figure 5).
F2 = 4
+ 1 = 17
F2 = 17 is not a composite because no matter how you
rearrange the blocks, you cannot get a rectangle.
F2 = 17 is not divisible by 3.
Fig.5 Geometric interpretation of Fermat numbers
Some of the properties we will prove in section 5 can be easily understood if we
interpret them geometrically. We will also make remarks on several of them.
4. Factoring Status of Fermat Numbers
Because of the size of Fermat numbers, it is difficult to factorize them or to prove
their primality. Pépin's test gives a necessary and sufficient condition for primality
of Fermat numbers, and can be implemented on modern computers. The elliptic curve
method is a fast method for finding small prime divisors of numbers. The distributed
computing project Fermatsearch has successfully found some factors of Fermat
numbers. Yves Gallot's proth.exe has been used to find factors of large Fermat
numbers. Édouard Lucas, improving the above-mentioned result by Euler, proved in
1878 that every factor of the Fermat number $F_n$, with n at least 2, is of the form
$k \cdot 2^{n+2} + 1$, where k is a positive integer; this is in itself almost sufficient to prove the primality
of the known Fermat primes.
The table below only shows the factoring status of Fermat numbers up to n = 200.
For the up-to-date status of Fermat numbers and other details, see
http://www.prothsearch.net/fermat.html#Summary.
[Table: factoring status of Fermat numbers up to n = 200. Legend: Prime; Composite with no known factors; Composite with complete factorization; Composite with incomplete factorization; Unknown]
Completely factored Fermat numbers (Prime factors = $k \cdot 2^{m+2} + 1$)

| m | k | n | Year | Discoverer |
|---|---|---|------|------------|
| 5 | 5 | 7 | 1732 | L. Euler |
| 5 | 52347 | 7 | 1732 | L. Euler |
| 6 | 1071 | 8 | 1855 | T. Clausen; F. Landry 1880 |
| 6 | 262814145745 | 8 | 1855 | T. Clausen; F. Landry & H. Le Lasseur 1880 |
| 7 | 116503103764643 | 9 | 13 Sep 1970 | M. A. Morrison & J. Brillhart |
| 7 | 11141971095088142685 | 9 | 13 Sep 1970 | M. A. Morrison & J. Brillhart |
| 8 | 604944512477 | 11 | 1980 | R. P. Brent & J. M. Pollard |
| 8 | [59 digits] | 11 | 1980 | R. P. Brent & J. M. Pollard |
| 9 | 37 | 16 | 1903 | A. E. Western |
| 9 | [46 digits] | 11 | 15 Jun 1990 | A. K. Lenstra, M. S. Manasse & a larger team |
| 9 | [96 digits] | 11 | 15 Jun 1990 | A. K. Lenstra, M. S. Manasse & a larger team |
| 10 | 11131 | 12 | 15 Aug 1953 | J. L. Selfridge |
| 10 | 395937 | 14 | 1962 | J. Brillhart |
| 10 | [37 digits] | 12 | 20 Oct 1995 | R. P. Brent |
| 10 | [248 digits] | 13 | 1995 | R. P. Brent |
| 11 | 39 | 13 | 1899 | A. Cunningham |
| 11 | 119 | 13 | 1899 | A. Cunningham |
| 11 | 10253207784531279 | 14 | 17 May 1988 | R. P. Brent |
| 11 | 434673084282938711 | 13 | 13 May 1988 | R. P. Brent |
| 11 | [560 digits] | 13 | 20 Jun 1988 | R. P. Brent & F. Morain |

46 digit k = 3640431067210880961102244011816628378312190597
37 digit k = 1137640572563481089664199400165229051
Further, on May 14, 2013 and as part of PrimeGrid's Proth Prime Search, Marshall
Bishop found that $57 \cdot 2^{2747499} + 1$ divides $F_{2747497}$. This is now the largest Fermat
number known to be composite.
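The two tools this section names can be tried directly. The following is an added example, not code from the paper: it assumes the standard statement of Pépin's criterion (for n ≥ 1, $F_n$ is prime exactly when $3^{(F_n-1)/2} \equiv -1 \pmod{F_n}$), which the text names but does not state, and searches Lucas's form $k \cdot 2^{n+2} + 1$ for a divisor. The function names are hypothetical.

```python
def fermat(n):
    """Return the Fermat number F_n = 2^(2^n) + 1."""
    return (1 << (1 << n)) + 1


def pepin_is_prime(n):
    """Pepin's test: for n >= 1, F_n is prime iff 3^((F_n - 1)/2) ≡ -1 (mod F_n)."""
    if n < 1:
        raise ValueError("Pepin's test with base 3 applies to n >= 1")
    f = fermat(n)
    return pow(3, (f - 1) // 2, f) == f - 1


def lucas_form_divisor(n, max_k):
    """Smallest divisor q = k * 2^(n+2) + 1 of F_n with 1 <= k <= max_k.

    Returns (k, q), or None if no divisor lies in the searched range.
    If F_n is itself prime and within range, F_n is returned as its own divisor.
    """
    if n < 2:
        raise ValueError("Lucas's form applies to n >= 2")
    step = 1 << (n + 2)
    for k in range(1, max_k + 1):
        q = k * step + 1
        # q divides F_n exactly when 2^(2^n) ≡ -1 (mod q), so the huge
        # Fermat number itself never has to be built or divided.
        if pow(2, 1 << n, q) == q - 1:
            return k, q
    return None


if __name__ == "__main__":
    for n in range(1, 11):
        print(f"F_{n}: {'prime' if pepin_is_prime(n) else 'composite'}")
    # Rows m = 5, 6 and 11 of the table above, where the exponent n equals m + 2.
    for n, bound in ((5, 100), (6, 2000), (11, 100)):
        print(n, lucas_form_divisor(n, bound))
```

The search reproduces the table's k values 5, 1071 and 39; for $F_7$ the same search with a small bound finds nothing, because its smallest factor has a 15-digit k.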
5. Basic Properties of Fermat Numbers
In this section, we will prove some basic properties of Fermat numbers.
Theorem1. For n 1, Fn =
+ 1.
Proof.
+ 1 = 2
1
+ 1 1
+ 1 = 2
+ 1 = Fn
Remark1. This theorem is obvious if we interpret it geometrically:
Fig 6. Any Fermat number
1 plus
a unit square.
Theorem2. For n 1,
+ 2.
Proof. We will prove this by induction.
When n = 1, we have
+ 2 = 3 + 2 = 5 =
Now assume
+ 2
Then,
+ 2 =
+ 2
= (
2)
+ 2 (induction hypothesis)
= (2
1) (2
+ 1) + 2
= 2
1
+ 1 =
Remark2. To understand the proof of Theorem2 geometrically, we can think of
2
as a square with side length
= 2
1
+ 1 because we can form a rectangle by moving the
top row and make it a column on the right (Fig. 7 (b)). To see that it is also divisible
by
divides
2 = 2
1
1. It means that we can fill each column of the rectangle in
figure7 (a) evenly by r
1
x 2
1
square minus (b) A (2
1
1) x (2
1
+ 1) rectangle
a unit square
(c) Each column can be filled evenly by Fn-k.
Fig 7. Geometric interpretation of
+ 2
6. Primality of Fermat Numbers
Recall that we have defined Fermat numbers to be numbers in the form of 2
+ 1
where n is a nonnegative integer. There is actually another definition for Fermat
numbers, namely numbers in the form of 2
= (a b)(
b + + a
),
which implies that a b divides
. Now substituting a = 2
, b = 1 and n = s,
we have 2
+ 1 divides 2
= 2
+ 1 to be a
prime.
The next theorem concerns the properties of Fermat primes.
Theorem4. [Reference1, p. 31] No Fermat prime can be expressed as the difference of
two pth powers, where p is an odd prime.
Proof. Assume for contradiction that there is such a Fermat prime. Then, Fn =
= (a b) (
b + + a
a (mod p) and
a b = 1
(mod p). This implies p | Fn 1 =2
is 2.
Note:
Fermat's little theorem states that if p is a prime number, then for any integer a, the
number $a^p - a$ is an integer multiple of p. In the notation of modular arithmetic, this is
expressed as
$a^p \equiv a \pmod p$.
If a is not divisible by p, Fermat's little theorem is equivalent to the statement
that $a^{p-1} - 1$ is an integer multiple of p:
$a^{p-1} \equiv 1 \pmod p$.
7. Infinitude of Fermat Primes
As we have noted before, there are only five known Fermat primes so far. In fact, it
has been shown that $F_n$ is composite for 5 ≤ n ≤ 32 and many other larger n (from
section 4). Whether there is an infinite number of Fermat primes is still an open
question, and below is a heuristic argument that suggests there is only a finite
number of them. This argument is due to Hardy and Wright [Reference1, p.158].
There is only a finite number of Fermat primes.
Recall that the Prime Number Theorem says $\pi(x) \sim x/\log x$, where $\pi(x)$ is the number
of primes ≤ x. Hence $\pi(x) < Ax/\log x$ for some constant A, and the probability that x
is a prime is at most $A/\log x$. For x = 2
+ 1) /log 2
)= /2
log 2)] /2
+ 1.
Using the exact same argument as above, the expected number of primes in this form
is >
which diverges
But we know from Theorem3 that the sets {2
+ 1: it is a prime} and {2
+ 1: it is a
prime} are the same set. This latter argument suggests Hardy and Wright's argument
does not take into account the properties of Fermat numbers. That is to say, the
variable x is not that random. It works largely because gaps between successive
Fermat numbers are extremely large. Nevertheless, given any number (even a number
of a particular form), it is more likely to be composite than prime. Therefore,
bounding the probability of it being a prime by a lower bound gives a weaker
argument than bounding it from above.
8. Divisibility of Fermat Numbers
In the last two sections, we focused on the primality of Fermat numbers and the
properties of Fermat primes. However, if a Fermat number is found to be composite,
we are interested in what its factorization is, or at least, what properties its divisors
must have. We will end our discussion of Fermat numbers in this section by
proving several theorems about their divisors.
Theorem 5. [Reference1, p.37] Let q =
2
.
Proof. First suppose q | Fn, then q | (2
+ 1) (2
1) = 2
1
1, and hence
2
1
1 (mod q). It follows that 2
1 = 2
+ 1 and q 2. Hence, j
= n + 1 and so ordq2 = 2
, then q |
2
1
1 = (2
+ 1) (2
+ 1 or
2
1 because2
+ 1 = Fn.
Theorem 6(Euler). [Reference1, p. 38] If p is a prime and p | Fn, then p is of the form
p = k2
+ 1
2 In number theory, given an integer a and a positive integer n with gcd(a,n) = 1, the multiplicative
order of a modulo n is the smallest positive integer k with $a^k \equiv 1 \pmod n$.
The order of a modulo n is usually written $\mathrm{ord}_n(a)$,
9. Mersenne Numbers and Fermat Numbers
Recall that we have defined Mersenne numbers to be numbers of the form M
n
=2
1 is prime only if n is a
prime.
Proof. Recall the identity 2
1 = (2
1) (1 + 2
+ 2
+ + 2
).
Hence if n = ab is not a prime, then Mn = 2
1 is divisible by 2
1 1.
The next theorem shows how Mersenne numbers relate to the primality of the
associated Fermat numbers.
Theorem8. [Reference1, p.44] If p is a prime, then all Mersenne numbers $M_p$ are
prime or pseudoprimes³ to the base 2.
Proof. Let Mp =2
1 0 (mod
p). So (Mp 1)/2 = kp for some positive integer k. Hence, Mp = 2
1 | 2
1 =
2
/
1. It is equivalent to say that 2
/
1 (mod Mp), which implies
that 2
1 (mod Mp).
3 Fermat's little theorem states that if p is prime and a is coprime to p, then $a^{p-1} - 1$ is divisible by p. If
a composite integer x is coprime to an integer a > 1 and x divides $a^{x-1} - 1$, then x is called a Fermat
pseudoprime to base a. Some sources use variations of this definition, for example to only allow odd
numbers to be pseudoprimes.
10. Applications of Prime numbers
1. Pseudorandom Number Generation
Fermat primes are particularly useful in generating pseudo-random sequences of
numbers in the range 1 … N, where N is a power of 2. The most common method
used is to take any seed value between 1 and P − 1, where P is a Fermat prime. Now
multiply this by a number A, which is greater than the square root of P and is
a primitive root modulo P (i.e., it is not a quadratic residue). Then take the result
modulo P. The result is the new value for the RNG.
$V_{j+1} = (A \times V_j) \bmod P$
This is useful in computer science since most data structures have members with
$2^X$ possible values. For example, a byte has 256 ($2^8$) possible values (0–255).
Therefore to fill a byte or bytes with random values a random number generator
which produces values 1–256 can be used, the byte taking the output value − 1. Very
large Fermat primes are of particular interest in data encryption for this reason. This
method produces only pseudorandom values as, after P − 1 repetitions, the sequence
repeats. A poorly chosen multiplier can result in the sequence repeating sooner
than P − 1.
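The generator described above, run with the Fermat prime P = 257 so that outputs 1–256 map onto byte values, is shown here as an added example that is not part of the original paper. The function names, the seed and the "poor" multipliers 17 and 256 are assumptions chosen for illustration.

```python
from math import isqrt


def is_primitive_root(a, p):
    """For a Fermat prime p, p - 1 is a power of two, so a generates all of
    1..p-1 exactly when a^((p-1)/2) ≡ -1 (mod p), i.e. a is a non-residue."""
    return pow(a, (p - 1) // 2, p) == p - 1


def pick_multiplier(p):
    """Smallest A > sqrt(p) that is a primitive root modulo the Fermat prime p."""
    a = isqrt(p) + 1
    while not is_primitive_root(a, p):
        a += 1
    return a


def stream(seed, a, p, count):
    """Return `count` successive values V <- (A * V) mod P, starting after seed."""
    if not 1 <= seed <= p - 1:
        raise ValueError("seed must lie between 1 and P - 1")
    out, v = [], seed
    for _ in range(count):
        v = (a * v) % p
        out.append(v)
    return out


def period(seed, a, p):
    """Number of steps until the generator returns to its seed."""
    if a % p == 0 or not 1 <= seed <= p - 1:
        raise ValueError("need A not divisible by P and 1 <= seed <= P - 1")
    v, steps = (a * seed) % p, 1
    while v != seed:
        v, steps = (a * v) % p, steps + 1
    return steps


def random_bytes(seed, a, count, p=257):
    """Bytes from the P = 257 generator: each output 1..256, minus one."""
    return bytes(v - 1 for v in stream(seed, a, p, count))


if __name__ == "__main__":
    a = pick_multiplier(257)
    print("multiplier", a, "period", period(1, a, 257))
    # Quadratic residues are poorly chosen multipliers: the cycle is shorter.
    print("A=17 period", period(1, 17, 257), "A=256 period", period(1, 256, 257))
    print(random_bytes(123, a, 8).hex())
```

Each output is the generator's entire internal state, so the stream is fully determined by any single value; that makes it suitable for simulation-style uses rather than for producing key material.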
2. RSA Encryption
RSA is an algorithm for public-key cryptography that is based on the presumed
difficulty of factoring large integers, the factoring problem. RSA stands for Ron
Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm
in 1977. A user of RSA creates and then publishes the product of two large prime
numbers, along with an auxiliary value, as their public key. The prime factors must be
kept secret. Anyone can use the public key to encrypt a message, but with currently
published methods, if the public key is large enough, only someone with knowledge
of the prime factors can feasibly decode the message. Whether breaking
RSA encryption is as hard as factoring is an open question known as the RSA
problem.
The RSA algorithm involves three steps: key generation, encryption and decryption.
Key generation:
RSA involves a public key and a private key. The public key can be known by
everyone and is used for encrypting messages. Messages encrypted with the public
key can only be decrypted in a reasonable amount of time using the private key. The
keys for the RSA algorithm are generated the following way:
1. Choose two distinct prime numbers p and q.
   For security purposes, the integers p and q should be chosen at random, and
   should be of similar bit-length. Prime integers can be efficiently found using
   a primality test.
2. Compute n = pq.
   n is used as the modulus for both the public and private keys. Its length, usually
   expressed in bits, is the key length.
3. Compute $\varphi(n) = \varphi(p)\varphi(q) = (p - 1)(q - 1)$, where $\varphi$ is Euler's totient function.
4. Choose an integer e such that $1 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$; i.e. e and $\varphi(n)$
   are coprime.
   e is released as the public key exponent.
   e having a short bit-length and small Hamming weight results in more
   efficient encryption, most commonly $2^{16} + 1 = 65{,}537$. However,
   much smaller values of e (such as 3) have been shown to be less secure
   in some settings.
5. Determine d as $d \equiv e^{-1} \pmod{\varphi(n)}$, i.e., d is the multiplicative
   inverse of e (modulo $\varphi(n)$).
   This is more clearly stated as: solve for d given $de \equiv 1 \pmod{\varphi(n)}$.
   This is often computed using the extended Euclidean algorithm.
   d is kept as the private key exponent.
By construction, $de \equiv 1 \pmod{\varphi(n)}$. The public key consists of the modulus n and
the public (or encryption) exponent e. The private key consists of the modulus n and
the private (or decryption) exponent d, which must be kept secret. p, q, and $\varphi(n)$ must
also be kept secret because they can be used to calculate d.
Encryption:
Alice transmits her public key (n, e) to Bob and keeps the private key secret. Bob
then wishes to send message M to Alice.
He first turns M into an integer m, such that 0 ≤ m < n, by using an agreed-upon
reversible protocol known as a padding scheme. He then computes the
ciphertext c corresponding to
$c \equiv m^e \pmod n$.
This can be done quickly using the method of exponentiation by squaring. Bob then
transmits c to Alice.
Decryption:
Alice can recover m from c by using her private key exponent d via computing
$m \equiv c^d \pmod n$.
Given m, she can recover the original message M by reversing the padding scheme.
(In practice, there are more efficient methods of calculating $c^d$ using the precomputed
values below.)
Using the Chinese remainder algorithm
For efficiency many popular crypto libraries (like OpenSSL, Java and .NET) use the
following optimization for decryption and signing based on the Chinese remainder
theorem. The following values are precomputed and stored as part of the private key:
p and q: the primes from the key generation,
$d_p = d \bmod (p - 1)$,
$d_q = d \bmod (q - 1)$ and
$q_{inv} = q^{-1} \bmod p$.
These values allow the recipient to compute the exponentiation $m = c^d \pmod{pq}$ more
efficiently as follows:
mod .
mod .
h =
mod . (if
<
mod )
m =
+
This is more efficient than computing $m \equiv c^d \pmod{pq}$ even though two modular
exponentiations have to be computed. The reason is that these two modular
exponentiations both use a smaller exponent and a smaller modulus.
A working example
Here is an example of RSA encryption and decryption. The parameters used here are
artificially small, but one can also use OpenSSL to generate and examine a real
keypair.
1. Choose two distinct prime numbers, such as p = 61 and q = 53.
2. Compute n = pq, giving n = 61 × 53 = 3233.
3. Compute the totient of the product as $\varphi(n) = (p - 1)(q - 1)$, giving
$\varphi(3233) = (61 - 1)(53 - 1) = 3120$.
4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime
number for e leaves us only to check that e is not a divisor of 3120.
Let e = 17.
5. Compute d, the modular multiplicative inverse of e (mod $\varphi(n)$), yielding
d = 2753.
The public key is (n = 3233, e = 17). For a padded plaintext message m, the
encryption function is
$c = m^{17} \bmod 3233$.
The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption
function is
$m = c^{2753} \pmod{3233}$.
For instance, in order to encrypt m = 65, we calculate
$c = 65^{17} \bmod 3233 = 2790$.
To decrypt c = 2790, we calculate
$m = 2790^{2753} \pmod{3233} = 65$.
Practical implementations use the Chinese remainder theorem to speed up the
calculation using modulus of factors (mod pq using mod p and mod q).
The values $d_p$, $d_q$ and $q_{inv}$, which are part of the private key, are computed as follows:
$d_p = d \bmod (p - 1) = 2753 \bmod (61 - 1) = 53$
$d_q = d \bmod (q - 1) = 2753 \bmod (53 - 1) = 49$
$q_{inv} = q^{-1} \bmod p = 53^{-1} \bmod 61 = 38$
(Hence: $q_{inv} \times q \bmod p = 38 \times 53 \bmod 61 = 1$)
Here is how $d_p$, $d_q$ and $q_{inv}$ are used for efficient decryption. (Encryption is efficient
by choice of public exponent e.)
$c^{d_p} \bmod p = 2790^{53} \bmod 61 = 4$
$c^{d_q} \bmod q = 2790^{49} \bmod 53 = 12$
$h = q_{inv} \times (4 - 12) \bmod p = 38 \times (-8) \bmod 61 = 1$
$m = 12 + h \times q = 12 + 1 \times 53 = 65$
(same as above but computed more efficiently)
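The key generation steps and the CRT decryption above, carried through in code with the section's own numbers (p = 61, q = 53, e = 17), as an added example that is not part of the original paper. The function names and the intermediate names m1 and m2 are assumptions; this is textbook RSA on integers with no padding scheme, so it illustrates the arithmetic only.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """Multiplicative inverse of a modulo m; fails if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def make_key(p, q, e):
    """Steps 2-5 of key generation plus the precomputed CRT values."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = modinv(e, phi)  # raises if e is not coprime to phi(n)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": modinv(q, p)}


def encrypt(key, m):
    if not 0 <= m < key["n"]:
        raise ValueError("m must satisfy 0 <= m < n")
    return pow(m, key["e"], key["n"])  # built-in square-and-multiply


def decrypt(key, c):
    """Direct decryption: one exponentiation with the full d modulo n."""
    return pow(c, key["d"], key["n"])


def decrypt_crt(key, c):
    """CRT decryption: two small exponentiations, then recombination."""
    p, q = key["p"], key["q"]
    m1 = pow(c, key["dp"], p)
    m2 = pow(c, key["dq"], q)
    # Python's % always returns a value in 0..p-1, so the case m1 < m2
    # needs no separate branch here.
    h = key["qinv"] * (m1 - m2) % p
    return m2 + h * q


KEY = make_key(61, 53, 17)  # the worked example's parameters

if __name__ == "__main__":
    c = encrypt(KEY, 65)
    print(KEY["d"], KEY["dp"], KEY["dq"], KEY["qinv"])
    print(c, decrypt(KEY, c), decrypt_crt(KEY, c))
```

Looping over every m from 0 to n − 1 and checking that `decrypt_crt` returns m also exercises the messages divisible by p or q, the case the correctness proof treats separately.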
Proof using Fermat's little theorem
The proof of the correctness of RSA is based on Fermat's little theorem. This theorem
states that if p is prime and p does not divide an integer a then
$a^{p-1} \equiv 1 \pmod p$.
We want to show that $(m^e)^d \equiv m \pmod{pq}$ for every integer m when p and q are
distinct prime numbers and e and d are positive integers satisfying
$ed \equiv 1 \pmod{(p - 1)(q - 1)}$.
We can write
$ed - 1 = h(p - 1)(q - 1)$
for some nonnegative integer h.
To check two numbers, like $m^{ed}$ and m, are congruent mod pq it suffices (and in fact is
equivalent) to check they are congruent mod p and mod q separately. (This is part of
the Chinese remainder theorem, although it is not the significant part of that theorem.)
To show $m^{ed} \equiv m \pmod p$, we consider two cases: $m \equiv 0 \pmod p$ and $m \not\equiv 0 \pmod p$.
In the first case $m^{ed}$ is a multiple of p, so $m^{ed} \equiv 0 \equiv m \pmod p$. In the second case
$m^{ed} = m^{ed-1} m = m^{h(p-1)(q-1)} m = (m^{p-1})^{h(q-1)} m \equiv 1^{h(q-1)} m \equiv m \pmod p$,
where we used Fermat's little theorem to replace $m^{p-1}$ mod p with 1.
The verification that $m^{ed} \equiv m \pmod q$ proceeds in a similar way, treating separately
the cases $m \equiv 0 \pmod q$ and $m \not\equiv 0 \pmod q$, using Fermat's little theorem for
modulus q in the second case.
This completes the proof that, for any integer m,
$m^{ed} \equiv m \pmod{pq}$.
11. Reference
[1] M. Krizek, F. Luca and L. Somer, 17 Lectures on Fermat Numbers: From Number Theory to Geometry, Springer-Verlag, New York, 2001.
[2] W. Keller, Prime factors k·2^n + 1 of Fermat numbers F_m and complete factoring status. http://www.prothsearch.net/fermat.html#Summary
[3] Fermat number. http://en.wikipedia.org/wiki/Fermat_numbers
[4] Mersenne number. http://en.wikipedia.org/wiki/Mersenne_numbers
[5] Distribution of primes tutorial. http://empslocal.ex.ac.uk/people/staff/mrwatkin/zeta/ss-e.htm
[6] Fermat Numbers - William Stein - University of Washington
[7] Sarah Flannery and David Flannery. In Code: A Mathematical Journey, 2001
[8] RSA. http://en.wikipedia.org/wiki/RSA_(algorithm)