Primality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

Similar documents
Primality testing: then and now

Primality testing: then and now

Primality testing: variations on a theme of Lucas

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Postmodern Primality Proving

Advanced Algorithms and Complexity Course Project Report

SOME REMARKS ON PRIMALITY PROVING AND ELLIPTIC CURVES. Alice Silverberg. (Communicated by Neal Koblitz)

Applied Cryptography and Computer Security CSE 664 Spring 2018

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Uncertainty can be Better than Certainty:

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

A Few Primality Testing Algorithms

Fibonacci Pseudoprimes and their Place in Primality Testing

THE SOLOVAY STRASSEN TEST

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

Euler s ϕ function. Carl Pomerance Dartmouth College

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

Elliptic curves: applications and problems

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Equivalence of Pepin s and the Lucas-Lehmer Tests

D. J. Bernstein University of Illinois at Chicago

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

MASTERARBEIT / MASTER S THESIS

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Basic Algorithms in Number Theory

Basic Algorithms in Number Theory

The first dynamical system

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Euclidean prime generators

arxiv: v3 [math.nt] 26 Apr 2011

Lucas Lehmer primality test - Wikipedia, the free encyclopedia

arxiv: v1 [math.nt] 24 Jan 2008

Primes. Rational, Gaussian, Industrial Strength, etc. Robert Campbell 11/29/2010 1

RSA Cryptosystem and Factorization

#A11 INTEGERS 12 (2012) FIBONACCI VARIATIONS OF A CONJECTURE OF POLIGNAC

Zsigmondy s Theorem. Lola Thompson. August 11, Dartmouth College. Lola Thompson (Dartmouth College) Zsigmondy s Theorem August 11, / 1

FERMAT S TEST KEITH CONRAD

Factorization & Primality Testing

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

PROVING PRIMALITY AFTER AGRAWAL-KAYAL-SAXENA

Lecture 6: Cryptanalysis of public-key algorithms.,

The ranges of some familiar arithmetic functions

Quasi-reducible Polynomials

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

WXML Final Report: AKS Primality Test

Primality Tests Using Algebraic Groups

IRREDUCIBILITY TESTS IN Q[T ]

IRREDUCIBILITY TESTS IN F p [T ]

Elliptic curves: Theory and Applications. Day 3: Counting points.

Part II. Number Theory. Year

The New Largest Known Prime is 2 p 1 With p = Who Cares? Sam Wagstaff Computer Sciences and Mathematics.

Summary Slides for MATH 342 June 25, 2018

Balanced subgroups of the multiplicative group

Order and chaos. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

MATH 361: NUMBER THEORY FOURTH LECTURE

A Variation of a Congruence of Subbarao for n = 2 α 5 β, α 0, β 0

Elementary Number Theory

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

NOTES ON SOME NEW KINDS OF PSEUDOPRIMES

DETERMINISTIC ELLIPTIC CURVE PRIMALITY PROVING FOR A SPECIAL SEQUENCE OF NUMBERS

arxiv:math/ v1 [math.nt] 16 Jan 2003

Primes of the Form n! ± 1 and p ± 1

PRIMALITY TEST FOR FERMAT NUMBERS USING QUARTIC RECURRENCE EQUATION. Predrag Terzic Podgorica, Montenegro

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

ON THE PRIMALITY OF n! ± 1 AND p ± 1

Primality Test Via Quantum Factorization. Abstract

The ranges of some familiar arithmetic functions

A Guide to Arithmetic

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Order and chaos. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

The 98th Mathematics Colloquium Prague November 8, Random number theory. Carl Pomerance, Dartmouth College

Irreducible radical extensions and Euler-function chains

EULER S THEOREM KEITH CONRAD

Prime and Perfect Numbers

More Hodge-Podge Pseudoprimes

Why the ABC conjecture

The multiplicative order mod n, on average

arxiv: v3 [math.nt] 15 Dec 2016

ON CARMICHAEL NUMBERS IN ARITHMETIC PROGRESSIONS

Math Topics in Algebra Course Notes: A Proof of Fermat s Last Theorem. Spring 2013

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

SQUARE PATTERNS AND INFINITUDE OF PRIMES

1. multiplication is commutative and associative;

A Proof of the Lucas-Lehmer Test and its Variations by Using a Singular Cubic Curve

Heuristics for Prime Statistics Brown Univ. Feb. 11, K. Conrad, UConn

GENERATING RANDOM FACTORED GAUSSIAN INTEGERS, EASILY

Cryptography. Number Theory with AN INTRODUCTION TO. James S. Kraft. Lawrence C. Washington. CRC Press

CYCLOTOMIC POLYNOMIALS

Primality Testing- Is Randomization worth Practicing?

Galois Theory TCU Graduate Student Seminar George Gilbert October 2015

Roots of Unity, Cyclotomic Polynomials and Applications

PRIMES is in P. Manindra Agrawal Neeraj Kayal Nitin Saxena

E.J. Barbeau. Polynomials. With 36 Illustrations. Springer

Transcription:

Primality testing: variations on a theme of Lucas Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

In 1801, Carl Friedrich Gauss wrote: The problem of distinguishing prime numbers from composite numbers, and of resolving the latter into their prime factors, is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length. Nevertheless we must confess that all methods that have been proposed thus far are either restricted to very special cases or are so laborious and difficult that even for numbers that do not exceed the limits of tables constructed by estimable men, they try the patience of even the practiced calculator. And these methods do not apply at all to larger numbers... Further, the dignity of science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated. 1

Two elementary theorems: Wilson: If p is prime, then (p 1)! 1 (mod p). Fermat: If p is prime and p a, then a p 1 1 (mod p). How efficient are these as primality criteria? It would seem neither, since they both involve gigantic numbers when p is large. 2

For Fermat, the repeated squaring algorithm is quite efficient: Use a k mod n = ( a k/2 mod n ) 2 mod n, if k is even, a ( a (k 1)/2 mod n ) 2 mod n, if k is odd. Let s check out Fermat for a = 2, p = 91. We have 2 5 32 (mod p), 2 10 23 (mod p), 2 11 45 (mod p) 2 22 23 (mod p), 2 44 17 (mod p), 2 45 34 (mod p) 2 90 64 (mod p). Huh? 3

So, we conclude that it is efficient to check Fermat, but the theorem is wrong!? Actually, the theorem is correct, and the calculation proves that 91 is composite! Not boring you with the calculation, but if we try it we find that What should be concluded? 2 340 1 (mod 341). Answer: 341 is prime 4

So, we conclude that it is efficient to check Fermat, but the theorem is wrong!? Actually, the theorem is correct, and the calculation proves that 91 is composite! Not boring you with the calculation, but if we try it we find that What should be concluded? 2 340 1 (mod 341). Answer: 341 is prime or composite. 5

In fact: 341 = 11 31. So the converse of Fermat is false in general. But note that the converse of Wilson is correct: If (n 1)! 1 (mod n), then n is 1 or prime. Unfortunately, we know no fast way to check the Wilson congruence. Returning to Fermat, it seems the converse is almost true. Can we find some way to turn Fermat around and make it a primality-proving engine? 6

Lucas: Suppose that n > 1 and a are integers with a n 1 1 (mod n) and a (n 1)/q 1 (mod n) for all primes q n 1. Then n is prime. Proof. Let h be the multiplicative order of a in the group (Z/nZ). The first congruence implies that h n 1. The second batch of congruences imply that h is not a proper divisor of n 1. Thus, h = n 1 and so ϕ(n) = (Z/nZ) n 1. We conclude that n is prime. 7

This delightfully simple and elegant idea of Lucas has been the basis of essentially all of primality testing. But first, why do we need to go further, isn t this the converse of Fermat that we were looking for? Questions: 1. If n is prime, is there a number a satisfying the hypothesis? 2. If so, how do we find such a number a? 3. If we have a number a, how do we find the primes q n 1 needed for the second batch of congruences? 8

1. If n is prime, is there a number a satisfying the hypothesis? That is, must (Z/nZ) be a cyclic group? Yes, by a theorem of Gauss. 2. If so, how do we find such a number a? A sequential search starting with a = 2 is conjectured to succeed quickly, and this is provable assuming the GRH. The probabilistic algorithm of choosing random numbers a is very fast in practice and in theory. (The randomness involved is in finding the proof that n is prime; there should be no doubt in the conclusion.) 9

3. If we have a number a, how do we find the primes q n 1 needed for the second batch of congruences? 10

3. If we have a number a, how do we find the primes q n 1 needed for the second batch of congruences? Aye, there s the rub. 11

3. If we have a number a, how do we find the primes q n 1 needed for the second batch of congruences? Aye, there s the rub. Well, for some numbers n it is not so hard, say if n = 2 2k + 1. Pepin: If k 1, then n = 2 2k + 1 is prime if and only if 3 (n 1)/2 1 (mod n). Proof. If the congruence holds, then Lucas implies n is prime. Say n is prime. Then n 5 (mod 12) so that Euler and Gauss imply that the congruence holds. 12

The Lucas idea applied to elliptic curve groups: For p > 3 prime and a, b integers with 4a 3 + 27b 2 0 (mod p), consider the set of nonzero triples (x : y : z) mod p with y 2 z x 3 + axz 2 + bz 3 (mod p), where the notation (x : y : z) means that for c 0 (mod p), we identify (x : y : z) with (cx : cy : cz). We can create a group structure on these triples, with the identity being (0 : 1 : 0). (The group law involves some simple polynomial operations and comes from the geometric chord-tangent method for elliptic curves.) Hasse, Schoof: The order of the group is in the interval (p+1 2 p, p+1+2 p); it can be quickly computed. 13

Say we have a number n that we think is prime, we choose a, b with (4a 3 + 27b 2, n) = 1, we compute the order h of the elliptic curve group (as if n were prime), we have the complete prime factorization of h, and we have a point P on the curve of order h, found as with Lucas. Then if h (n+1 2 n, n+1+2 n), then n is prime. This is the basic idea behind ECPP (Elliptic Curve Primality Proving), due to Goldwasser & Kilian, Atkin, and Elkies, though you can see it is really just Lucas in another setting. Note: The elliptic curve group need not be cyclic, but it often is, and almost always is nearly so. Many tweaks make this idea into a better algorithm. 14

Back to the original Fermat/Lucas setting: Proth, Pocklington, Brillhart, Lehmer, & Selfridge: Suppose n > 1 and a are integers, F n 1, F > n, Then n is prime. a F 1 (mod n) and (a F/q 1, n) = 1 for all primes q F. Proof. Let p denote the least prime factor of n. The hypotheses imply that a has order F in (Z/pZ), so that p > F. But F > n, so n has no prime factors below n, which implies that n is prime. 15

Note that if n is prime and g is a cyclic generator of (Z/nZ), then g (n 1)/F has order F. So, finding an element a of order F as in the theorem is at least as easy as finding a cyclic generator of the group. But now, we only have to factor part of n 1. Lucas and later Lehmer also explored using the Fibonacci sequence, and more general Lucas sequences to test n for primality. For example, if p ±2 (mod 5), then u k 0 (mod p) whenever p + 1 k (and u k denotes the kth Fibonaccci number). This can be turned into a primality criterion for those numbers n ±2 (mod 5) provided you have the prime factorization of n + 1, or a large factored portion. For n ±2 (mod 5) we can use other Lucas sequences. 16

The $620 problem If n is an odd composite number and D is 1 mod 4, D minimal with (D/n) = 1, must 2 n 1 1 (mod n) or must the rank of appearance of n in the Lucas sequence with discriminant D not be a divisor of n + 1? Prove this and earn $620 ($500 from me, $100 from Wagstaff, $20 from Selfridge). The first counterexample found (with the prime factorization of n) also earns $620 ($500 from Selfridge, $100 from Wagstaff, and $20 from me). 17

Working with a Lucas sequence mod p, where the characteristic polynomial f(x) is irreducible mod p, is akin to working in the finite field F p [x]/(f(x)) of order p 2. And taking this view there is no reason to restrict f to degree 2. Say we have a monic polynomial f (Z/nZ)[x] of degree k with x nk x (mod f(x)), gcd(x nj x, f(x)) = 1 for 1 j k/2. If n is prime, these conditions hold if and only if f is irreducible over F n = Z/nZ. 18

The finite fields test: Lenstra: Suppose n, k, f are as on the previous slide. Suppose too that F n k 1 and F > n. Say g (Z/nZ)[x] satisfies 1. g(x) F 1 (mod f(x)), 2. (g(x) F/q 1, f(x)) = 1 for each prime q F, 3. each elementary symmetric polynomial in g(x) nj for 0 j k 1 is in Z/nZ. If none of the residues n j mod F for 0 j k 1 are proper factors of n, then n is prime. 19

Proof. Let p be a prime factor of n. We ll write bars over objects to indicate they re taken mod p. Let f 1 be an irreducible factor of f in F p [x]. The first two items in the theorem imply that α := ḡ has order F in the finite field K = F p [x]/( f 1 (x)). Consider the polynomial h(t) = (t α)(t α n )... (t α nk 1 ) in K[t]. The third item implies that h(t) F p [t]. Then h(α p ) = 0, so that α p = α nj for some j, and so p n j (mod F ). 20

Note that it is easier to find a large factored divisor of n k 1 then it is of n 1. For example, if k = 2, then we automatically have 24 n 2 1 (assuming n is coprime to 6). If k = 12, we automatically have 2 4 3 2 5 7 13 n 12 1, and so on. Adleman, P, & Rumely: There is a value of k < (log n) c log log log n such that the least common multiple of the prime powers q with ϕ(q) k exceeds n. In particular, the finite fields test of Lenstra can be made into a probabilistic algorithm with expected time of (log n) O(log log log n) to decide if n is prime. 21

The finite fields test contains essentially the Lucas Lehmer test for Mersenne primes: Suppose p is an odd prime and n = 2 p 1. Then n is prime if and only if in (Z/nZ)[x]. x (n+1)/2 1 (mod x 2 4x + 1) Proof. We apply the finite fields test with f(x) = x 2 4x + 1, g(x) = x and F = n+1. Suppose the congruence above holds. Then g(x) F 1 (mod f(x)) and g(x) F/2 1 (mod f(x)), so that g(x) F/2 1 is a unit mod f(x). From x n+1 1 (mod f(x)) we have g(x)g(x) n 1 (mod f(x)), and from x 1 4 x (mod f(x)), we have g(x) + g(x) n 4 (mod f(x)). Thus, the hypotheses hold and every prime factor of n is 1 or n mod n. Hence n is prime. 22

Now assume that n = 2 p 1 is prime. Since n 7 (mod 24), we have ( 2 n ) = 1, (3 n ) = 1. In particular f(x) = x2 4x + 1 is irreducible mod n. We compute (x 1) n+1 in the finite field K = F n [x]/(f(x)) two ways. Using (x 1) 2 = 2x and x n = 4 x, (x 1) n+1 = ( (x 1) 2) (n+1)/2 = (2x) (n+1)/2 = 2x (n+1)/2, (x 1) n+1 = (x 1) n (x 1) = (x n 1)(x 1) = (3 x)(x 1) = 2. Equating these two expressions we have the congruence in the theorem. 23

There are drawbacks with each of the tests considered so far: The basic Lucas test needs a large factored divisor of n 1, and randomness is used to produce a proof. The elliptic curve test uses randomness and it has not been rigorously proved to run in polynomial time. The finite fields test uses randomness and it is not a polynomial time algorithm. From a theoretical perspective what would be ideal is a determininistic, polynomial-time algorithm... Which brings us to the test of Agrawal, Kayal, & Saxena. 24

Agrawal, Kayal, & Saxena: Suppose n, r are positive integers with (n, r) = 1 and the multiplicative order of r Z/nZ exceeds (log 2 n) 2. If, in (Z/nZ)[x], (x + a) n x n + a (mod x r 1) for each integer a in [0, ϕ(r) log 2 n], then either n has a prime factor in this interval or n is a prime power. Note: It is easy to show that a number r that has the requisite multiplicative order exists below (log 2 n) 5. Using some fancy stuff, one can get r smaller. 25

Using Fast Fourier Transform techniques for integer arithmetic and polynomial arithmetic, it is possible to show that the running time of the AKS test is O(r 1.5 (log n) 3 ) times some power of log log n. Thus, since r can be bounded by a power of log n, it follows that the test runs in polynomial time. And no randomness is needed. Heuristically, there should be a value for r near (log n) 2 leading to the complexity (log n) 6, but the best that has been proved for r is a little lower than (log n) 3, leading to (log n) 7.5 for the complexity of the test. Note that the AKS test uses the polynomial x r 1. Might we use other polynomials? 26

Lenstra & P: Suppose f(x) (Z/nZ)[x] is a monic polynomial of degree d > (log 2 n) 2 with If f(x n ) 0 (mod f(x)), x nd x (mod f(x)), (x nd/q x, f(x)) = 1 for all primes q d. (x + a) n x n + a (mod f(x)) for all a [0, d log 2 n], then either n is divisible by a prime in this interval or n is a prime power. The proofs of this theorem and the AKS theorem both involve building up large groups using the given information. Sound familiar? Again it is the idea of Lucas. 27

One can show, with considerable effort, that there is a fast algorithm to produce a valid f(x) for the theorem with degree 4(log 2 n) 2 (or prove n composite along the way). In fact, to be valid, it is sufficient that f(x) is irreducible, but it is not an easy task to quickly, rigorously, and deterministically produce an irreducible polynomial over a finite field. The proof uses the cyclotomic periods that Gauss used in his proof on the constructibility of regular n-gons. We have found it pleasing to use this signature result of Gauss to make progress on his call-to-arms of distinguishing prime numbers from composite numbers. 28

Further reading: M. Agrawal, N. Kayal, and N. Saxena, PRIMES is in P, Ann. of Math. 160 (2004), 781 793. R. Crandall and C. Pomerance, Prime numbers: a computational perspective, 2nd ed., Springer, New York, 2005. A. Granville, It is easy to determine if a given number is prime, Bull. Amer. Math. Soc. 42 (2004), 3 38. H. Williams, Édouard Lucas and primality testing, Canadian Math. Soc. Monographs 22, Wiley, New York, 1998. 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback