A Simple Derivation for the Frobenius Pseudoprime Test

Transcription

1 A Simple Derivatio for the Frobeius Pseudoprime Test Daiel Loebeberger Bo-Aache Iteratioal Ceter for Iformatio Techology March 17, 2008 Abstract Probabilistic compositeess tests are of great practical importace i cryptography. Besides promiet tests (like the well-kow Miller-Rabi test there are tests that use Lucas-sequeces for testig compositeess. Oe example is the so-called Frobeius test that has a very low error probability. Usig a slight modificatio of the above metioed Lucas sequeces we preset a simple derivatio for the Frobeius pseudoprime test i the versio proposed by Cradall ad Pommerace i [CrPo05]. 1 Lucas ad Frobeius Pseudoprimes For f(x = x 2 ax + b Z[x] the Lucas sequeces are give by U j := U j (a,b := xj (a x j x (a x V j := V j (a,b := x j + (a x j (mod f(x (mod f(x (1 These sequeces both satisfy the same recurrece relatio U j = au j 1 bu j 2 ; V j = av j 1 bv j 2 for j 2 with iitial values U 0 = 0, U 1 = 1 V 0 = 2, V 1 = a The followig theorem is the basis for a probabilistic prime test, called the Lucas test: Theorem 1. Let a,b Z\{0}, := a 2 4b ad the sequeces (U j,(v j defied as above. If p is prime, with gcd(p,2ab = 1, we have: U ( 0 (mod p (2 p p Proof. If is a quadratic oresidue modulo p, the the polyomial f(x Z p [x] is irreducible 1

2 over Z p, which meas that Z p [x]/(f(x is a field ad isomorphic to F p 2. The elemets of the subfield Z p are exactly those elemets i + jx Z p [x]/(f(x with j = 0. The zeroes of the polyomial f(x are x ad a x, both i F p 2 \Z p, ad therefore permuted by the Frobeius automorphism. Thus we have i the case ( p = 1 : x p a x (mod f(x,p (a x p x (mod f(x,p which implies x p+1 (a x p+1 = x(a x (a xx 0 (mod f(x,p, as claimed. If, o the other had, is a quadratic residue modulo p, the f(x mod p has two roots i Z p ad R := Z p [x]/(f(x is isomorphic to the direct product Z p Z p. I this case the Frobeius automorphism acts trivially o R ad we have: i the case ( p = 1 : x p x (mod f(x,p (a x p a x (mod f(x,p Sice gcd(p,b = 1 ad sice x(a x b (mod f(x,p, the elemets x ad a x are uits i R. Therefore we have x p 1 = (a x p 1 = 1 as desired. Defiitio 2. Let a,b Z \ {0}, with = a 2 4b ot a square. A composite iteger, with gcd(2ab, = 1 is called a Lucas pseudoprime with respect to f(x := x 2 ax + b, if U ( 0 (mod The first Lucas pseudoprime with respect to the Fiboacci-polyomial x 2 x 1 is 323 = Gratham proposed a stroger test, the Frobeius test (see [Gra98] ad [Gra01]. The defiitio of the Frobeius pseudoprime is give by Defiitio 3. Let a,b Z \ {0}, with = a 2 4b ot a square. A composite iteger, with gcd(2ab, = 1 is called a Frobeius pseudoprime with respect to f(x := x 2 ax+b, if x a x (mod f(x,, if ( = 1 x (mod f(x,, if ( = 1 Next we show that the Frobeius pseudoprime test is at least as strog as the Lucas pseudoprime test: Theorem 4. Let f(x := x 2 ax + b ad N. If is Frobeius pseudoprime with respect to f(x, the is also Lucas pseudoprime with respect to f(x. Before we ca prove this theorem we eed the followig lemma: 2

3 Lemma 5. Let m, N, f(x,g(x,r(x Z[x]. If f(r(x 0 (mod f(x, ad x m g(x (mod f(x,, the r(x m g(r(x (mod f(x,. Proof. Clearly x m f(xh(x + g(x (mod for h(x Z[x]. Sice x is a variable we also have r(x m f(r(xh(r(x + g(r(x (mod. Because we have f(r(x 0 (mod f(x,, it follows r(x m g(r(x (mod f(x, Now the the proof for Theorem 4 is easy: Proof. Let be Frobeius pseudoprime with respect to f(x, accordig to Defiitio 3. Assume ( = 1. The x x (mod f(x,. Sice gcd(b, = 1, x modulo (f(x, is ivertible ad we have x 1 1 (mod f(x,. Sice f(a x 0 (mod f(x, Lemma 5 implies the cogruece (a x 1 1 (mod f(x,, i.e. (a x (a x (mod f(x,. O the other had, if ( = 1, we get from x a x (mod f(x, ad f(a x 0 (mod f(x, directy by Lemma 5 the cogruece (a x x (mod f(x, as desired. Thus i both cases is Lucas pseudoprime with respect to f(x. The Frobeius property for quadratic polyomials ca be expressed usig the Lucas sequeces (U j ad (V j : Theorem 6. Let a,b N, with = a 2 4b ot a square. A iteger, with gcd(2ab, = 1 is Frobeius pseudoprime with respect to f(x := x 2 ax + b, if ad oly if 2b (mod, if ( U ( 0 (mod ad V ( = 1 2 (mod, if ( (3 = 1 Proof. From the defiitios of the Lucas sequeces (1 oe easily sees, that 2x j V j + (2x au j (mod f(x (4 Assume (3. I the case ( = 1 Eq. (4 implies x +1 b (mod f(x, ad i the case = 1 Eq. (4 gives x 1 1 (mod f(x,. The latter implies x x (mod f(x,, ( ad sice x(a x b (mod f(x, the first leads to x a x (mod f(x,. So is Frobeius pseudoprime. O the other had, if is Frobeius pseudoprime with respect to f(x, we have U ( 0 (mod by Theorem 4. For j = ( Eq. (4 gives ( 2x V ( (mod f(x, Assume ( = 1. The Defiitio 3 gives x +1 (a xx b (mod f(x,, i.e. V +1 2b (mod. Fially assume ( = 1. Sice x is ivertible i Z [x]/(f(x, it follows x 1 1 (mod f(x,, i.e. V 1 2 (mod. 3

4 The first Frobeius pseudoprime with respect to the Fiboacci polyomial x 2 x 1 is 4181, the ieteeth Fiboacci umber, the first with ( 5 = 1 is Thus ot every Lucas pseudoprime is a Frobeius pseudoprime. We coclude that the Frobeius test is more striget tha the Lucas test. 2 Efficiet implemetatio Suppose we wat to apply the Frobeius test o a give umber. Choose a,b N, with = a 2 4b ot a square such that gcd(2ab, = 1. Sice gcd(2, = 1 the umber ( is always eve, say ( = 2m, m N. Followig Williams [Wil98] we defie the followig modified Lucas sequece W j := b j V 2j (mod (5 Sice gcd(b, = 1 the sequece (W j := (W j j 0 is well defied ad starts with W 0 2 (mod ad W 1 a 2 b 1 2 (mod The sequece (W j ca be computed efficietly. I fact, the followig two formulas allow the computatio of the values W 2j ad W 2j+1 from W j ad W j+1 (j 0: W 2j Wj 2 2 (mod W 2j+1 W j W j+1 W 1 (mod Proof. Let δ := x (a x, i.e Also, (1 has the cosequece δ 2 x 2 2b + (a x 2 a 2 4b (mod f(x, (6 V j + δu j = 2x j ad V j δu j = 2(a x j So we have for arbitrary j,k N (V j + δu j (V k + δu k = 4x j+k = 2(V j+k + δu j+k (V j δu j (V k δu k = 4(a x j+k = 2(V j+k δu j+k Addig these equatios yields 2V j+k = V j V k + U j U k (7 Backwards readig of the recurrece relatio leads to b k U k = U k ud b k V k = V k 4

5 Subsitutig this i equatio (7 gives Puttig k = j yields From (7 we get for k = j the idetity Addig the last two equatios leads to Puttig j := 2j the defiitio (5 gives 2b k V j k = V j V k U j U k (8 V 2 j U 2 j = 4b j 2V 2j = V 2 j + U 2 j V 2j = V 2 j 2b j W 2j W 2 j 2 (mod (9 To derive a formula for W 2j+1, subtract equatio (8 from (7 ad get V j+k = V j V k b k V j k Here we take two adjacet eve umbers, i.e. we put j := 2j + 2 ad k := 2j ad get I terms of the W-sequece (5 this is: V 4j+2 = V 2j V 2j+2 b 2j V 2 W 2j+1 W j W j+1 W 1 (mod (10 To compute for a give idex j N the value W j write j i biary, say j = (b 0 b 1... b k 2. Now go through all bits ad compute the sequece of pairs S i = {A,B} (i 0 {A 2 2,AB W 1 } (mod, if b i+1 = 0 S i = {A,B} S i+1 := {AB W 1,B 2 2} (mod, if b i+1 = 1 Iitialisig S 0 := {W 0,W 1 } oe gets with the pair S k exactly the values W j ud W j+1. So the sequece (W j ca be computed i a time Õ (log. The sequece (W j shall ow be used for the Lucas test. Let be Lucas pseudoprime. Let m := ( ( /2. The we get U2m 0 (mod. Puttig j := 2m, k := 2 i formula (7, it follows 2V 2m+2 = V 2m V 2 + U 2m U 2 (11 5

6 Sice gcd(b, = 1 it follows by (5: 2W m+1 W m W 1 + b (m+1 U 2m U 2 (mod Because is Lucas pseudoprime, we get 2W m+1 W m W 1 (mod Sice gcd(ab, = 1 the coverse also holds. To summarize: Theorem 7. Let,a,b,,m ad the sequece (W j defied as above. The is Lucas pseudoprime if ad oly if 2W m+1 W 1 W m (mod Let ow N 3 be a umber, that fullfills the assumptios of Defiitio 3. The the Frobeius test ca be easily implemeted usig the sequece (W j. This sequece ca be used for the Frobeius test, sice from gcd(2, = 1 follows, that ( = 2m is eve. Clearly Theorem 7 ca be used, to test if is Lucas pseudoprime. We eed a cogruece i terms of the sequece (W j, that is equivalet to the fact V ( 2b (mod, if ( = 1 2 (mod, if ( = 1 Let ow be Frobeius pseudoprime ad m = ( ( /2. The from the defiitio of the sequece (W j we get Puttig B := b ( 1/2, it follows To summarize we get the followig theorem: W m 2b ( 1/2 (mod BW m 2 (mod Theorem 8. Let,a,b,,m ad the sequece (W j defied as above. The is Frobeius pseudoprime if ad oly if 2W m+1 B = b ( 1/2. W 1 W m (mod ad BW m 2 (mod, where 6

7 3 The Algorithm We get the followig algorithm: 1 2 Iput : A odd iteger N 3 Output: A boolea value which idicates that is Frobeius-pseudoprime with respect to the polyomial x 2 ax + b choose a,b {1,..., 1} uiformly at radom, such that = a 2 4b ot a square ad gcd(2ab, = 1; W 1 a 2 b 1 2 (mod ; m 1 2 ( ( 3 4 compute Wm,Wm+1 usig equatios (9 ad ( if (W 1 W m 2W m+1 (mod the retur false; ed B b ( 1/2 (mod ; if (BW m 2 (mod the retur true; else retur false; ed Algorithm 1: Frobeius-Test Accordig to [CrPo05] the rutime of the Lucas test is that of two Miller-Rabi tests, i.e. O (log multiplicatios modulo. For the Frobeius test additioally b ( 1/2 must be computed, so the test takes approximately the time of three Miller-Rabi tests, which are agai O (log multiplicatios modulo. Refereces [CrPo05] Richard Cradall, Carl Pomerace, Prime Numbers A Computatioal Perspective, Spriger, [Gra98] Joh Gratham, A probable primetest with high cofidece, Joural of Number Theory 72, 32-47, 1998 [Gra01] Joh Gratham, Frobeius Pseudoprimes, Math.comp. 70, , 2001 [Wil98] Hugh C. Williams, Édouard Lucas ad Primality Testig, Wiley-Itersciece,