A Formalisation of Lehmer s Primality Criterion

Transcription

1 A Formalisation of Lehmer s Primality Criterion By Simon Wimmer and Lars Noschinski April 17, 2016 Abstract In 1927, Lehmer presented criterions for primality, based on the converse of Fermat s litte theorem [2]. This work formalizes the second criterion from Lehmer s paper, a necessary and sufficient condition for primality. As a side product we formalize some properties of Euler s ϕ-function, the notion of the order of an element of a group, and the cyclicity of the multiplicative group of a finite field. Contents 1 Introduction 1 2 Simplification Rules for Polynomials 2 3 Properties of the Euler ϕ-function 3 4 Order of an Element of a Group 5 5 Number of Roots of a Polynomial 7 6 The Multiplicative Group of a Field 8 7 Lehmer s Theorem 10 1 Introduction Section 2 provides some technical lemmas about polynomials. Section 3 to 5 formalize some basic number-theoretic and algebraic properties: Euler s ϕ-function, the order of an element of a group and an upper bound of the number of roots of a polynomial. Section 6 combines these results to prove that the multiplicative group of a finite field is cyclic. Based on that, Section 7 formalizes an exted version of Lehmer s Theorem, which gives us necessary and sufficient conditions to decide whether a number is prime. 1

2 theory Multiplicative-Group imports Complex-Main /src/hol/algebra/group /src/hol/number-theory/miscalgebra /src/hol/algebra/coset /src/hol/algebra/univpoly /src/hol/number-theory/number-theory begin 2 Simplification Rules for Polynomials lemma (in ring-hom-cring) hom-sub[simp]: assumes x carrier R y carrier R shows h (x y) = h x S h y context UP-ring begin lemma deg-nzero-nzero: assumes deg-p-nzero: deg R p 0 shows p 0 P lemma deg-add-eq: assumes c: p carrier P q carrier P assumes deg R q deg R p shows deg R (p P q) = max (deg R p) (deg R q) lemma deg-minus-eq: assumes p carrier P q carrier P deg R q deg R p shows deg R (p P q) = max (deg R p) (deg R q) context UP-cring begin lemma evalrr-add: assumes p carrier P q carrier P assumes x:x carrier R shows eval R R id x (p P q) = eval R R id x p eval R R id x q lemma evalrr-sub: assumes p carrier P q carrier P assumes x:x carrier R shows eval R R id x (p P q) = eval R R id x p eval R R id x q 2

3 lemma evalrr-mult: assumes p carrier P q carrier P assumes x:x carrier R shows eval R R id x (p P q) = eval R R id x p eval R R id x q lemma evalrr-monom: assumes a: a carrier R and x: x carrier R shows eval R R id x (monom P a d) = a x (ˆ) d lemma evalrr-one: assumes x: x carrier R shows eval R R id x 1 P = 1 lemma carrier-evalrr: assumes x: x carrier R and p carrier P shows eval R R id x p carrier R lemmas evalrr-simps = evalrr-add evalrr-sub evalrr-mult evalrr-monom evalrr-one carrier-evalrr 3 Properties of the Euler ϕ-function In this section we prove that for every positive natural number the equation n d n ϕ(d) = n holds. hide-const (open) Multiset.mult lemma dvd-div-ge-1 : fixes a b :: nat assumes a 1 b dvd a shows a div b 1 lemma dvd-nat-bounds : fixes n p :: nat assumes p > 0 n dvd p shows n > 0 n p definition phi :: nat => nat 3

4 where phi m = card {x. 1 x x m gcd x m = 1 } notation (latex-output) phi (ϕ -) lemma phi -nonzero : assumes m > 0 shows phi m > 0 lemma dvd-div-eq-1 : fixes a b c :: nat assumes c dvd a c dvd b a div c = b div c shows a = b lemma dvd-div-eq-2 : fixes a b c :: nat assumes c>0 a dvd c b dvd c c div a = c div b shows a = b lemma div-mult-mono: fixes a b c :: nat assumes a > 0 a d shows a b div d b We arrive at the main result of this section: For every positive natural number the equation n d n ϕ(d) = n holds. The outline of the proof for this lemma is as follows: We count the n fractions 1/n,..., (n 1)/n, n/n. We analyze the reduced form a/d = m/n for any of those fractions. We want to know how many fractions m/n have the reduced form denominator d. The condition 1 m n is equivalent to the condition 1 a d. Therefore we want to know how many a with 1 a d exist, s.t. coprime a d. This number is exactly phi d. Finally, by counting the fractions m/n according to their reduced form denominator, we get: ( d d dvd n. phi d) = n. To formalize this proof in Isabelle, we analyze for an arbitrary divisor d of n the set of reduced form numerators {a. 1 a a d coprime a d} the set of numerators m, for which m/n has the reduced form denominator d, i.e. the set {m {1..n}. n div gcd m n = d} 4

5 We show that λa. a n div d with the inverse λa. a div gcd a n is a bijection between theses sets, thus yielding the equality phi d = card {m {1..n}. n div gcd m n = d} This gives us ( d d dvd n. phi d) = card ( d {d. d dvd n} {m {1..n}. n div gcd m n = d}) and by showing {1..n} ( d {d. d dvd n} {m {1..n}. n div gcd m n = d}) (this is our counting argument) the thesis follows. lemma sum-phi -factors : fixes n :: nat assumes n > 0 shows ( d d dvd n. phi d) = n 4 Order of an Element of a Group context group begin lemma pow-eq-div2 : fixes m n :: nat assumes x-car: x carrier G assumes pow-eq: x (ˆ) m = x (ˆ) n shows x (ˆ) (m n) = 1 definition ord where ord a = Min {d {1.. order G}. a (ˆ) d = 1} lemma assumes finite:finite (carrier G) assumes a:a carrier G shows ord-ge-1 : 1 ord a and ord-le-group-order: ord a order G and pow-ord-eq-1 : a (ˆ) ord a = 1 lemma finite-group-elem-finite-ord : assumes finite (carrier G) x carrier G shows d::nat. d 1 x (ˆ) d = 1 lemma ord-min: assumes finite (carrier G) 1 d a carrier G a (ˆ) d = 1 shows ord a d lemma ord-inj : 5

6 assumes finite: finite (carrier G) assumes a: a carrier G shows inj-on (λ x. a (ˆ) x) {0.. ord a 1 } lemma ord-inj : assumes finite: finite (carrier G) assumes a: a carrier G shows inj-on (λ x. a (ˆ) x) {1.. ord a} lemma ord-elems : assumes finite (carrier G) a carrier G shows {a(ˆ)x x. x (UNIV :: nat set)} = {a(ˆ)x x. x {0.. ord a 1 }} (is?l =?R) lemma ord-dvd-pow-eq-1 : assumes finite (carrier G) a carrier G a (ˆ) k = 1 shows ord a dvd k lemma dvd-gcd : fixes a b :: nat obtains q where a (b div gcd a b) = b q lemma ord-pow-dvd-ord-elem : assumes finite[simp]: finite (carrier G) assumes a[simp]:a carrier G shows ord (a(ˆ)n) = ord a div gcd n (ord a) lemma ord-1-eq-1 : assumes finite (carrier G) shows ord 1 = 1 theorem lagrange-dvd: assumes finite(carrier G) subgroup H G shows (card H ) dvd (order G) lemma element-generates-subgroup: assumes finite[simp]: finite (carrier G) assumes a[simp]: a carrier G shows subgroup {a (ˆ) i i. i {0.. ord a 1 }} G lemma ord-dvd-group-order : 6

7 assumes finite[simp]: finite (carrier G) assumes a[simp]: a carrier G shows ord a dvd order G 5 Number of Roots of a Polynomial definition mult-of :: ( a, b) ring-scheme a monoid where mult-of R ( carrier = carrier R {0 R }, mult = mult R, one = 1 R ) lemma carrier-mult-of : carrier (mult-of R) = carrier R {0 R } lemma mult-mult-of : mult (mult-of R) = mult R lemma nat-pow-mult-of : op (ˆ) mult-of R = (op (ˆ) R :: - nat -) lemma one-mult-of : 1 mult-of R = 1 R lemmas mult-of-simps = carrier-mult-of mult-mult-of nat-pow-mult-of one-mult-of context field begin lemma field-mult-group : shows group (mult-of R) lemma finite-mult-of : finite (carrier R) = finite (carrier (mult-of R)) lemma order-mult-of : finite (carrier R) = order (mult-of R) = order R 1 lemma (in monoid) Units-pow-closed : fixes d :: nat assumes x Units G shows x (ˆ) d Units G lemma (in comm-monoid) is-monoid: 7

8 shows monoid G declare comm-monoid.is-monoid[intro?] lemma (in ring) r-right-minus-eq[simp]: assumes a carrier R b carrier R shows a b = 0 a = b context UP-cring begin lemma is-up-cring:up-cring R lemma is-up-ring : shows UP-ring R context UP-domain begin lemma roots-bound: assumes f [simp]: f carrier P assumes f-not-zero: f 0 P assumes finite: finite (carrier R) shows finite {a carrier R. eval R R id a f = 0} card {a carrier R. eval R R id a f = 0} deg R f lemma (in domain) num-roots-le-deg : fixes p d :: nat assumes finite:finite (carrier R) assumes d-neq-zero : d 0 shows card {x carrier R. x (ˆ) d = 1} d 6 The Multiplicative Group of a Field In this section we show that the multiplicative group of a finite field is generated by a single element, i.e. it is cyclic. The proof is inspired by the first proof given in the survey [1]. lemma (in group) pow-order-eq-1 : assumes finite (carrier G) x carrier G shows x (ˆ) order G = 1 lemma nat-div-eq: a 0 = (a :: nat) div b = a b = 1 8

9 lemma (in group) assumes finite : finite (carrier G) assumes a carrier G shows pow-ord-eq-ord-iff : group.ord G (a (ˆ) k) = ord a coprime k (ord a) (is?l?r) context field begin lemma num-elems-of-ord-eq-phi : assumes finite: finite (carrier R) and dvd: d dvd order (mult-of R) and exists: a carrier (mult-of R). group.ord (mult-of R) a = d shows card {a carrier (mult-of R). group.ord (mult-of R) a = d} = phi d theorem (in field) finite-field-mult-group-has-gen : assumes finite:finite (carrier R) shows a carrier (mult-of R). carrier (mult-of R) = {a(ˆ)i i::nat. i UNIV } This result can be transferred to the multiplicative group of Z/pZ for p prime. lemma mod-nat-int-pow-eq: fixes n :: nat and p a :: int assumes a 0 p 0 shows (nat a ˆ n) mod (nat p) = nat ((a ˆ n) mod p) theorem residue-prime-mult-group-has-gen : fixes p :: nat assumes prime-p : prime p shows a {1.. p 1 }. {1.. p 1 } = {aˆi mod p i. i UNIV } theory Lehmer imports Main Multiplicative-Group begin 9

10 7 Lehmer s Theorem In this section we prove Lehmer s Theorem [2] and its converse. These two theorems characterize a necessary and complete criterion for primality. This criterion is the basis of the Lucas-Lehmer primality test and the primality certificates of Pratt [3]. lemma mod-1-coprime-nat: fixes a b :: nat assumes 0 < n [a ˆ n = 1 ] (mod b) shows coprime a b lemma phi-leq: phi x nat x 1 lemma phi-nonzero: assumes 2 x shows phi x 0 This is a weak variant of Lehmer s theorem: All numbers less then p 1 must be considered. lemma lehmers-weak-theorem: assumes 2 p assumes min-cong1 : x. 0 < x = x < p 1 = [a ˆ x 1 ] (mod p) assumes cong1 : [a ˆ (p 1 ) = 1 ] (mod p) shows prime p lemma prime-factors-elem: fixes n :: nat assumes 1 < n shows p. p prime-factors n lemma prime-factors-dvd-nat: fixes p :: nat assumes x prime-factors p shows x dvd p lemma cong-pow-1-nat: fixes a b :: nat assumes [a = 1 ] (mod b) shows [a ˆ x = 1 ] (mod b) lemma cong-gcd-eq-1-nat: fixes a b :: nat assumes 0 < m and cong-props: [a ˆ m = 1 ] (mod b) [a ˆ n = 1 ] (mod b) shows [a ˆ gcd m n = 1 ] (mod b) lemma One-leq-div: fixes a b :: nat assumes a dvd b a < b shows 1 < b div a 10

11 theorem lehmers-theorem: assumes 2 p assumes pf-notcong1 : x. x prime-factors (p 1 ) = [a ˆ ((p 1 ) div x) 1 ] (mod p) assumes cong1 : [a ˆ (p 1 ) = 1 ] (mod p) shows prime p The converse of Lehmer s theorem is also true. lemma converse-lehmer-weak: assumes prime-p:prime p shows a. [aˆ(p 1 ) = 1 ] (mod p) ( x. 0 < x x p 2 [aˆx 1 ] (mod p)) a > 0 a < p theorem converse-lehmer: assumes prime-p:prime(p) shows a. [aˆ(p 1 ) = 1 ] (mod p) ( q. q prime-factors (p 1 ) [aˆ((p 1 ) div q) 1 ] (mod p)) a > 0 a < p References [1] K. Conrad. Cyclicity of (Z/(p)). kconrad/blurbs/grouptheory/cyclicfp.pdf. [2] D. H. Lehmer. Tests for primality by the converse of fermat s theorem. Bull. Amer. Math. Soc., 33: , [3] V. R. Pratt. Every prime has a succinct certificate. SIAM Journal on Computing, 4(3): ,