FURTHER INVESTIGATIONS WITH THE STRONG PROBABLE PRIME TEST

Transcription

1 ATHEATICS OF COPUTATION Volume 65, Number 3 January 996, Pages FURTHER INVESTIGATIONS WITH THE STRONG PROBABLE PRIE TEST RONALD JOSEPH BURTHE, JR. Abstract. Recently, Damgård, Landrock and Pomerance described a procedure in which a k-bit odd number is chosen at random and subected to t random strong probable prime tests. If the chosen number passes all t tests, then the procedure will return that number; otherwise, another k-bit odd integer is selected and then tested. The procedure ends when a number that passes all t tests is found. Let p k,t denote the probability that such a number is composite. The authors above have shown that p k,t 4 t when k 5 and t. In this paper we will show that this is in fact valid for all k and t.. Introduction Let n be an odd number with n = s u,whereuis odd. The following notation will be used in this article: S(n) ={a [,n ] : a u modnor a iu modnfor some i =0,,..., s }, S(n) = S(n). If a S(n)forsomepairaand n, wesaythatnis a strong probable prime to base a. Ifnis prime, then S(n) =n, and if n is an odd composite number, then S(n)/(n ) /4 (see onier [4], Rabin [5]). Now if for a given n we can find an integer a [,n ] such that a/ S(n), then we know that n is composite. If one picks ta s at random from [,n ] and discovers that each is in S(n), one cannot however conclude that n is prime. We can conclude that if n is an odd composite number, the probability that all the t randomly chosen a s are in S(n) islessthanorequalto4 t. These results suggest a procedure for finding random integers that are likely to be prime in the set k of odd k-bit integers. Choose a random n in k and then choose an a [,n ] and see if a S(n). If a S(n), then choose an a [,n ] and test to see if it is in S(n). This procedure is then repeated until either an a i is discovered such that a i / S(n)oruntilta i s are found that are all in S(n). In the former case, another n is picked from k, and in the latter case, the number n will be given as output. This procedure, as described in [] will be referred to here as the random bases procedure. Let p k,t denote the probability that the number which is given as output by the random bases procedure is composite. In [], it is left as an open question to find a value k 0 such that p k,t 4 t for all t andk k 0. From onier s and Rabin s Received by the editor ay 3, athematics Subect Classification. Primary Y; Secondary A c 996 American athematical Society

2 374 R. J. BURTHE, JR. result one sees that if n is an odd composite integer, then the probability that it passes t random strong pseudoprime tests is less than or equal to 4 t. However, this is not sufficient to show that p k,t 4 t as the following discussion shows. For afixedt chooseksufficiently large such that the density of the primes in k is much less than 4 t. Assume also that for most composite m in k that the probability that m passes a random bases test is about /4. Then, of course, the probability of it passing t testsisabout4 t. Suppose that we have an n from k that passes t tests. Since we are assuming that the primes in k are scarce, it will be much more likely that n is composite rather than prime. So p k,t would be close to. However, it will be shown in this dissertation, that p k,t 4 t for k and t. The flawed assumption that led us to the conclusion that p k,t was close to is the assumption that the probability of a composite n in k passing a test was about /4. In actuality the probability is usually much smaller and this is essentially the conclusion of Proposition. In the next section we will prove that p k,t ( /4 ) t l pk,l /( p k,l ) for integer l with l t. Taking l =wegetthatp k,t 4 t p k, /( p k, ), so to show that p k,t 4 t for all t, it suffices to show that p k, /5. In [3], it is shown that this is true for k 55. Taking l = in the above inequality, we can see that to show that p k,t 4 t for all t it will also suffice to show that p k, /4 and p k, /7. In [3], this is shown to be true for all k with 5 k 54. In this paper we will improve the results in [3] and show that p k,t 4 t for all k with k andt. This will be done by extending some of the ideas in [3] and sharpening the upper bounds found there as well. Some improvements are due to simple observations of the properties of certain numbers and easily lead to a lower upper bound. Other improvements are not quite as obvious and require more work while only minimally improving some of the results. The overall net effect is to reduce in general the upper bound for p k,t by a factor of a fourth. We are able to prove a theorem that enabled us to verify that p k,t 4 t for all k 5 and t. For k 4, the result is verified by actually computing p k,t using an equation due to onier. Thus we can take k 0 to be.. Preliminaries We will start by recalling Lemma from [3]. Here, ω(n) is the number of distinct prime factors of n, Ω(n) is the number of prime factors of n counted with multiplicity, φ(n) is the Euler phi function, and α(n) = S(n)/φ(n). For the remainder of the paper, p will always be used to denote a prime. Lemma. If n>is odd, then α(n) ω(n) p β n p β p (p,n ) Ω(n) p n p (p,n ). The following lemma is a generalization of Lemma in [3] and gives a slightly improved result. Lemma. If t R,t s, s Z +,then n= t + n < c s t,

3 FURTHER INVESTIGATIONS WITH THE STRONG PROBABLE PRIE TEST 375 where ( π s c s =(s+) 6 ) n. n= Proof. Let m = t. Som Z,m s. Then n=m+ n = < n= m n (m +) t n= n = π 6 m ( π 6 m Letting k Z + with k s +,wehavethat k c k c k = π 6 + k + n = π 6 + k n= k x dx + n= n= n= n ) n = t c m. n > π 6 + n= n =0. Thus the sequence c s,c s+,... is decreasing, and in particular c m c s. Substituting into the previous inequality gives the desired result. Lemma 3. If l, t Z + with l t, then p k,l p k,t 4 l. p k,l Proof. The event that a number chosen at random from k passes the ith test will be denoted by D i, and we define the event E i by E i = D D D i. We will also let C denote the event that a number chosen at random from k is composite, and C will denote the set of composites. Also let α(n) =S(n)/(n ), and recall that for odd composite n we will have α(n) /4. P (A) will be used here to denote the probability that event A occurs. Note that P (C E i )= (k ) n C k α(n) i. Now for l t wehave Now p k,t = P (C E t )= P(C E t) P(E t ) = P(C E t) P(C E t ) P(C E t ) P(C E t )...P(C E l+) P (C E l ) P (C E l ). P (E t ) P (C E i ) n C P (C E i ) = k α(n) i n C n C k α(n) i k 4 α(n)i n C k α(n) i = 4.

4 376 R. J. BURTHE, JR. Letting A c denote the complement of event A, weseethatc c is the event that anumberisprime. Sinceaprimein k will always pass each test we see that P (C c E t )=P(C c )=P(C c E l ). Thus we see that Also p k,t ( ) t l P (C E l ) 4 P (E l ) P (E l ) P (E t ) = ( ) t l P (E l ) p k,l 4 P (E t ). P (E l ) P (E t ) P (E l ) P (C c E t ) = P (E l) P (C c ) = P (E l) P (C c E l ) = P (C c E l ) = p k,l which completes the proof of the lemma. 3. Estimates Now as in [3], C m will denote the set of odd composite integers n with α(n) > m. However, we will allow m to assume nonintegral values. Since α(n) /4 for odd composite n 9 (see [4] or [5]) and since α(9) = /3, we will have C m = for 0 <m ln 3/ ln and C m = {9} for ln 3/ ln <m. We will now generalize Theorem from [3] for the case where m is not necessarily an integer. Theorem. Assume k Z +, k, m R +,s Z + such that s ( (k )/ ) m for =,3,...,. Then C m k k < c s m+ k where c s is defined as in Lemma. Proof. From Lemma, we have /α(n) Ω(n) for all odd n. Soifn C m,we have m > /α(n) Ω(n) and thus m+ > Ω(n). Since Ω(n) Z +, this implies that Ω(n).Now letting N(m, k, ) ={n C m k Ω(n) =},weseethat C m k = N(m, k, ). Let n N(m, k, ),,andletpbe the largest prime factor of n. Now k <n p implies that p> (k )/. Let d(p, n) =(p )/(p,n ). Lemma implies that m >α(n) Ω(n) d(p, n) = d(p, n), so we must have d(p, n) < m+. Given p, d such that p> (k )/, d p, and d< m+,wewanttoget an upper bound for the number of n N(m, k, ) with largest prime factor p and d(p, n) =d; it will suffice to consider the set S k,d,p := {n k : p n, d = d(p, n), n composite}. The set S k,d,p iscontainedinthesetr k,d,p := {n Z : n 0modp, n mod(p )/d, p<n< k }which has, via the Chinese Remainder Theorem,

5 FURTHER INVESTIGATIONS WITH THE STRONG PROBABLE PRIE TEST 377 less than k d/(p(p )) elements. If S k,d,p, then there exists an n S k,d,p with (n,p ) = (p )/d, and thus (p )/d must be even since n and p are odd. Thus we need only consider those d and p such that (p )/d is even. Letting o denote a sum over p with k <p< k,d p and(p )/d even, we get that N(m, k, ) o Sk,d,p o Rk,d,p k d< m+ d< m+ o d p(p ). d< m+ Now o d p(p ) ud> (k )/ d (ud +)ud 4d < c s d 4d ( (k )/ ) = c s ( (k )/ ) u> (k )/ d u with the last inequality coming from Lemma. Note: to use Lemma, we must have that ( (k )/ )/(d) s, but this follows from the hypothesis that s ( (k )/ ) m,sinced< m+.thus, Therefore, N(m, k, ) kc s C m k = (k )/ =kc s d< m+ N(m, k, ) < k c s m+ (k )/. m+ (k )/. Now since k, we have k = k. So by dividing each side of the inequality by k we get the desired result and our proof of Theorem is complete. Now let denote a sum over composite integers. As in [3], recalling that p denotes a prime, we have p k,t = ( α(n) t) α(n) t ( = α(n) t ) + α(n) t n k n k n k p k n k = ( α(n) t + π( k ) π( k ) ) α(n) t. n k n k Now if we have an upper bound N for n k α(n) t and a lower bound P for π( k ) π( k ), then () p k,t N N + P. Let (q) denote a sum with increments of length /q where q Z +.

6 378 R. J. BURTHE, JR. Proposition. Let k,, t, s, q Z + with k 5, 3 and s ( (k )/ ) for =,3,...,. Then n k α(n) t t+k + k c s ( t/q ) (q) m=+ q mt m+. k Proof. Since k 5, we have 9 / k. C m k =. Thus So for all m with 0 <m, we have n k α(n) t = (q) m=+ q n k (C m\c m q ) α(n) t (q) m=+ q n k (C m\c m q ) α(n) t (q) m=+ q t (m q )t k (C m \ C m q ) (q) m=+ q = t k \ C + k (C m \ C m q ) + (q) m=+ q (q) m=+ q (m q )t k (C m \ C m q ). (m q )t k (C m \ C m q ) Let T m = C m k,andletu m be an upper bound for T m. Rewriting the above inequality, we get n k α(n) t t ( k T )+ (q) m=+ q (m q )t (T m T m q ) = t ( k T )+ t+k + t+k + (q) m=+ q (q) m=+ q q (q) m=+ q ( (m q )t mt) T m + ( q )t T t T ( (m q )t mt) T m ( (m q )t mt) U m. Now (m q )t mt =( t q ) mt, and since we can take from Theorem, this gives U m = k c s m+ k

7 FURTHER INVESTIGATIONS WITH THE STRONG PROBABLE PRIE TEST 379 (q) α(n) t t+k + k c s ( t q ) mt m+. n k m=+ k q This concludes our proof of Proposition. From Proposition in [3], we know that for k we have π( k ) π( k ) > (.7867) k k. Thus, we may take N and P in () as (q) N = t+k + k c s ( t q ) m=+ q mt ( m+ )/( k ) and P =(.7867) k k for k, where 3ands ( (k )/ ) for. Now in our computations we need s to be a positive integer at most ( (k )/ ) for each with. So we choose such that the greatest integer less than or equal to ( (k )/ ) is positive. So essentially we want to have g() :=(k )/ +. Taking and k as fixed, we see that g has a minimum of + k at= k. So for our purposes, it is sufficient to choose such that 3 k 3. This guarantees that we can find a largest positive integer say s withs ( (k )/ ) for each with. Choosings=s gives us the best possible constant for c s (but computing c s for large s uses more running time while yielding only negligible improvements). So for each with 3 k 3, we choose s to be the minimum of s and 30 and compute our upper bound using that s and taking q = 4. Taking the minimum of all the upper bounds we were able to show that p k, /4 andp k, /7 for 5 k 50. Thus we were able to show that p k,t 4 t for all k with 5 k 50. In our approximations for the upper bound of p k,t,thes-value we chose was only dependent upon but if we brought the c s inside the summation over m in the above expression for N, we could have in fact chosen our s so that it would be dependent upon m instead, and it would only have to satisfy the inequality s ( (k )/ ) m. This was attempted for some values of k but it did not produce any significant improvements. Subsequently, we continued to use the value for s determined by. The main results of our computations are shown in Table I and Table II. Table I. u k : upper bound for p k, for 5 k 50 k u k k u k k u k k u k

8 380 R. J. BURTHE, JR. Table II. u k, : upper bound for p k, for 5 k 50 k u k, k u k, k u k, k u k, Exact values The above upper bound method fails to give us the desired result for k 4 and in this section the method used to handle these cases will be discussed. Let ν(n) denote the largest integer such that ν(n) p for each prime p n, andletu denote the largest odd factor of n. If one recalls that α(n) =S(n)/(n ), it is computationally possible to compute p k, exactly for k 4, using (as described in [4]) onier s result ( S(n) = + ω(n)ν(n) ) (p,u) ω(n) and our previous formula (recalling that is a sum over composite integers) p k, = ( α(n) ) α(n). n k n k To compute S(n), all of the prime factors of n must be determined so computationally we can only use this formula for fairly small values of k. The C program we used for our computations first found all the primes less than 4096 (the square root of 4 ) and put these primes into a file. Then for each odd n with k <n< k, we were able to determine ω(n) and ν(n), using this file and trial division. These computations were done on a SPARC I computer and took only several hours to run. Table III shows the values of p k, (approximated to six place accuracy) obtained by using the above equations in our program for k 4. Since all these values are less than /5 we can conclude that p k,t 4 t for all k with k 4 and t. Combining these results with the results obtained using the upper bounds, we have shown that p k,t 4 t for all k andt. p n Table III. Computed values of p k, for k 4 k p k, k p k, k p k, k p k,

9 FURTHER INVESTIGATIONS WITH THE STRONG PROBABLE PRIE TEST Further numerical results Using the upper bound p k,t N /(N + P )wheren and P are defined as in 3, we can improve most of the values found in Table of [3]. For each possible k and t in the table, we computed a lower bound for lg p k,t in the following way. For each within a well chosen range, we chose our s as before to be the minimum of the largest allowable value for s and 30 to obtain a lower bound for lg p k,t and we then took the maximum of all these lower bounds. The entries in Table IV reflect the maximum of the computed values and the entries from Table of [3] where the italicized entries are those entries from [3] which were not improved upon by our computations. We believe that it is possible to improve this table even more by using the combined method discussed in [3] and the results obtained in this paper, but we did not attempt to do so. Table IV. Lower bounds for lg p k,t k\t Acknowledgment Special thanks go to Carl Pomerance who was instrumental in all aspects of writing this paper and without whom this paper could not have been written. The comments of Andrew Granville were also very much appreciated. References. P. Beauchemin, G. Brassard, C. Crépeau, and C. Goutier, Two observations on probabilistic primality testing, Advances in Cryptology Crypto 86 Proceedings (A.. Odlyzko, ed.), Lecture Notes in Comput. Sci., vol. 63, Springer-Verlag, Berlin, 987, pp R 89c:80. P. Beauchemin, G. Brassard, C. Crépeau, C. Goutier, and C. Pomerance, The generation of random numbers that are probably prime, J. Cryptology (988), R 89g:6 3. I. Damgård, P. Landrock, and C. Pomerance, Average case error estimates for the strong probable prime test, ath. Comp. 6 (993), R 94b:4 4. L. onier, Evaluation and comparison of two efficient probabilistic primality testing algorithms, Theoret. Comput. Sci. (980), R 8a: O.Rabin, Probabilistic algorithm for testing primality, J. Number Theory (980), R 8f:0003 Department of athematics, University of Georgia, Athens, Georgia address: ronnie@alpha.math.uga.edu