Prime Numbers

3.6.3Implementing the Lucas and quadratic Frobenius tests . 146

4.5The primality test of Agrawal, Kayal, and Saxena (AKS test) . 200

5.2.3Pollard lambda method for discrete logarithms . . . . . 233

6.4.2Discrete logarithms via smooth polynomials and smooth

8.5.2 The Shor quantum algorithm for factoring . . . . . . . . 422

8.6Curious, anecdotal, and interdisciplinary references to primes . 424

Chapter 1

PRIMES!

Prime numbers belong to an exclusive world of intellectual conceptions. We speak of those marvelous notions that enjoy simple, elegant description, yet lead to extreme—one might say unthinkable—complexity in the details. The basic notion of primality can be accessible to a child, yet no human mind harbors anything like a complete picture. In modern times, while theoreticians continue to grapple with the profundity of the prime numbers, vast toil and resources have been directed toward the computational aspect, the task of finding, characterizing, and applying the primes in other domains. It is this computational aspect on which we concentrate in the ensuing chapters. But we shall often digress into the theoretical domain in order to illuminate, justify, and underscore the practical import of the computational algorithms.

Simply put: A prime is a positive integer p having exactly two positive divisors, namely 1 and p. An integer n is composite if n > 1 and n is not prime. (The number 1 is considered neither prime nor composite.) Thus, an integer n is composite if and only if it admits a nontrivial factorization n = ab, where a, b are integers, each strictly between 1 and n. Though the definition of primality is exquisitely simple, the resulting sequence 2, 3, 5, 7, . . .

of primes will be the highly nontrivial collective object of our attention. The wonderful properties, known results, and open conjectures pertaining to the primes are manifold. We shall cover some of what we believe to be theoretically interesting, aesthetic, and practical aspects of the primes. Along the way, we also address the essential problem of factorization of composites, a field inextricably entwined with the study of the primes themselves.

In the remainder of this chapter we shall introduce our cast of characters, the primes themselves, and some of the lore that surrounds them.

1.1Problems and progress

1.1.1Fundamental theorem and fundamental problem

The primes are the multiplicative building blocks of the natural numbers, as is seen in the following theorem.

Theorem 1.1.1 (Fundamental theorem of arithmetic). For each natural number n there is a unique factorization

n = pa11 pa22 · · · pakk ,

where exponents ai are positive integers and p1 < p2 < · · · < pk are primes.

(If n is itself prime, the representation of n in the theorem collapses to the special case k = 1 and a1 = 1. If n = 1, sense is made of the statement by taking an empty product of primes, that is, k = 0.) The proof of Theorem

1.1.1naturally falls into two parts, the existence of a prime factorization of n, and its uniqueness. Existence is very easy to prove (consider the first number that does not have a prime factorization, factor it into smaller numbers, and derive a contradiction). Uniqueness is a bit more subtle. It can be deduced from a simpler result, namely Euclid’s “first theorem” (see Exercise 1.2).

The fundamental theorem of arithmetic gives rise to what might be called the “fundamental problem of arithmetic.” Namely, given an integer n > 1, find its prime factorization. We turn now to the current state of computational a airs.

1.1.2Technological and algorithmic progress

In a very real sense, there are no large numbers: Any explicit integer can be said to be “small.” Indeed, no matter how many digits or towers of exponents you write down, there are only finitely many natural numbers smaller than your candidate, and infinitely many that are larger. Though condemned always to deal with small numbers, we can at least strive to handle numbers that are larger than those that could be handled before. And there has been remarkable progress. The number of digits of the numbers we can factor is about eight times as large as just 30 years ago, and the number of digits of the numbers we can routinely prove prime is about 500 times larger.

It is important to observe that computational progress is two-pronged: There is progress in technology, but also progress in algorithm development. Surely, credit must be given to the progress in the quality and proliferation of computer hardware, but—just as surely—not all the credit. If we were forced to use the algorithms that existed prior to 1975, even with the wonderful computing power available today, we might think that, say, 40 digits was about the limit of what can routinely be factored or proved prime.

So, what can we do these days? About 170 decimal digits is the current limit for arbitrary numbers to be successfully factored, while about 15000 decimal digits is the limit for proving primality of arbitrary primes. A very famous factorization was of the 129-digit challenge number enunciated in M. Gardner’s “Mathematical Games” column in Scientific American [Gardner 1977]. The number

RSA129 =11438162575788886766923577997614661201021829672124236\

25625618429357069352457338978305971235639587050589890\

75147599290026879543541

had been laid as a test case for the then new RSA cryptosystem (see Chapter 8). Some projected that 40 quadrillion years would be required to factor RSA129. Nevertheless, in 1994 it was factored with the quadratic sieve

(QS) algorithm (see Chapter 6) by D. Atkins, M. Gra , A. Lenstra, and P. Leyland. RSA129 was factored as

3490529510847650949147849619903898133417764638493387843990820577

×

32769132993266709549961988190834461413177642967992942539798288533,

and the secret message was decrypted to reveal: “THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE.”

Over the last decade, many other factoring and related milestones have been achieved. For one thing, the number field sieve (NFS) is by now dominant: As of this 2nd book edition, NFS has factored RSA-576 (174 decimal digits), and the “special” variant SNFS has reached 248 decimal digits. The elliptic curve method (ECM) has now reached 59 decimal digits (for a prime factor that is not the largest in the number). Such records can be found in [Zimmermann 2000], a website that is continually updated. We provide a more extensive list of records below.

Another interesting achievement has been the discovery of factors of various Fermat numbers Fn = 22n + 1 discussed in Section 1.3.2. Some of the lower-lying Fermat numbers such as F9, F10, F11 have been completely factored, while impressive factors of some of the more gargantuan Fn have been uncovered. Depending on the size of a Fermat number, either the number field sieve (NFS) (for smaller Fermat numbers, such as F9) or the elliptic curve method (ECM) (for larger Fermat numbers) has been brought to bear on the problem (see Chapters 6 and 7). Factors having 30 or 40 or more decimal digits have been uncovered in this way. Using methods covered in various sections of the present book, it has been possible to perform a primality test on Fermat numbers as large as F24, a number with more than five million decimal digits. Again, such achievements are due in part to advances in machinery and software, and in part to algorithmic advances. One possible future technology—quantum computation—may lead to such a tremendous machinery advance that factoring could conceivably end up being, in a few decades, say, unthinkably faster than it is today. Quantum computation is discussed in Section 8.5.

We have indicated that prime numbers figure into modern cryptography— the science of encrypting and decrypting secret messages. Because many cryptographic systems depend on prime-number studies, factoring, and related number-theoretical problems, technological and algorithmic advancement have become paramount. Our ability to uncover large primes and prove them prime has outstripped our ability to factor, a situation that gives some comfort to cryptographers. As of this writing, the largest number ever to have been proved prime is the gargantuan Mersenne prime 225964951 − 1, which can be thought of, roughly speaking, as a “thick book” full of decimal digits. The kinds of algorithms that make it possible to do speedy arithmetic with such giant numbers is discussed in Chapter 8.8. But again, alongside such algorithmic enhancements come machine improvements. To convey an idea of scale, the current hardware and algorithm marriage that found each

of the most recent “largest known primes” performed thus: The primality proof/disproof for a single candidate 2q − 1 required in 2004 about one CPUweek, on a typical modern PC (see continually updating website [Woltman 2000]). By contrast, a number of order 220000000 would have required, just a decade earlier, perhaps a decade of a typical PC’s CPU time! Of course, both machine and algorithm advances are responsible for this performance o set. To convey again an idea of scale: At the start of the 21st century, a typical workstation equipped with the right software can multiply together two numbers, each with a million decimal digits, in a fraction of a second. As explained at the end of Section 9.5.2, appropriate cluster hardware can now multiply two numbers each of a billion digits in roughly one minute.

The special Mersenne form 2q − 1 of such numbers renders primality proofs feasible. For Mersenne numbers we have the very speedy Lucas– Lehmer test, discussed in Chapter 4. What about primes of no special form— shall we say “random” primes? Primality proofs can be e ected these days for such primes having a few thousand digits. Much of the implementation work has been pioneered by F. Morain, who applied ideas of A. Atkin and others to develop an e cient elliptic curve primality proving (ECPP) method, along with a newer “fastECPP” method, discussed in Chapter 7. A typically impressive ECPP result at the turn of the century was the proof that (27331 − 1)/458072843161, possessed of 2196 decimal digits, is prime (by Mayer and Morain; see [Morain 1998]). A sensational announcement in July 2004 by Franke, Kleinjung, Morain, and Wirth is that, thanks to fastECPP, the Leyland number

44052638 + 26384405,

having 15071 decimal digits, is now proven prime.

Alongside these modern factoring achievements and prime-number analyses there stand a great many record-breaking attempts geared to yet more specialized cases. From time to time we see new largest twin primes (pairs of primes p, p +2), an especially long arithmetic progression {p, p +d, . . . , p +kd} of primes, or spectacular cases of primes falling in other particular patterns. There are searches for primes we expect some day to find but have not yet found (such as new instances of the so-called Wieferich, Wilson, or Wall–Sun– Sun primes). In various sections of this book we refer to a few of these many endeavors, especially when the computational issues at hand lie within the scope of the book.

Details and special cases aside, the reader should be aware that there is a widespread “culture” of computational research. For a readable and entertaining account of prime number and factoring “records,” see, for example, [Ribenboim 1996] as well as the popular and thorough newsletter of S. Wagsta , Jr., on state-of-the-art factorizations of Cunningham numbers (numbers of the form bn ± 1 for b ≤ 12). A summary of this newsletter is kept at the website [Wagsta 2004]. Some new factorization records as of this (early 2005) writing are the following:

The Pollard-(p − 1) method (see our Section 5.4) was used in 2003 by P. Zimmermann to find 57-digit factors of two separate numbers, namely 6396 + 1 and 11260 + 1.

There are recent successes for the elliptic-curve method (ECM) (see our Section 7.4.1), namely, a 57-digit factor of 2997 − 1 (see [Wagsta 2004]), a 58-digit factor of 8 · 10141 − 1 found in 2003 by R. Backstrom, and a 59digit factor of 10233 − 1 found in 2005 by B. Dodson. (It is surprising, and historically rare over the last decade, that the (p − 1) method be anywhere near the ECM in the size of record factors.)

In late 2001, the quadratic sieve (QS) (see our Section 6.1), actually a three- large-prime variant, factored a 135-digit composite piece of 2803 − 2402 + 1. This seems to have been in some sense a “last gasp” for QS, being as the more modern NFS and SNFS have dominated for numbers of this size.

The general-purpose number field sieve (GNFS) has, as we mentioned earlier, factored the 174-digit number RSA-576. For numbers of special form, the special number field sieve (SNFS) (see our Section 6.2.7) has factored numbers beyond 200 digits, the record currently being the 248-digit number 2821 + 2411 + 1.

Details in regard to some such record factorizations can be found in the aforementioned Wagsta newsletter. Elsewhere in the present book, for example after Algorithm 7.4.4 and at other similar junctures, one finds older records from our 1st edition; we have left these intact because of their historical importance. After all, one wants not only to see progress, but also track it.

Here at the dawn of the 21st century, vast distributed computations are not uncommon. A good lay reference is [Peterson 2000]. Another lay treatment about large-number achievements is [Crandall 1997a]. In the latter exposition appears an estimate that answers roughly the question, “How many computing operations have been performed by all machines across all of world history?” One is speaking of fundamental operations such as logical “and” as well as “add,” “multiply,” and so on. The answer is relevant for various issues raised in the present book, and could be called the “mole rule.” To put it roughly, right around the turn of the century (2000 ad), about one mole—that is, the Avogadro number 6 · 1023 of chemistry, call it 1024—is the total operation count for all machines for all of history. In spite of the usual mystery and awe that surrounds the notion of industrial and government supercomputing, it is the huge collection of personal computers that allows this 1024, this mole. The relevance is that a task such as trial dividing an integer N ≈ 1050 directly for prime factors is hopeless in the sense that one would essentially have to replicate the machine e ort of all time. To convey an idea of scale, a typical instance of the deepest factoring or primality-proving runs of the modern era involves perhaps 1016 to 1018 machine operations. Similarly, a fulllength graphically rendered synthetic movie of today—for example, the 2003 Pixar/Disney movie Finding Nemo—involves operation counts in the 1018 range. It is amusing that for this kind of Herculean machine e ort one may either obtain a single answer (a factor, maybe even a single “prime/composite”

decision bit) or create a full-length animated feature whose character is as culturally separate from a one-bit answer as can be. It is interesting that a computational task of say 1018 operations is about one ten-millionth of the overall historical computing e ort by all Earth-bound machinery.

1.1.3The infinitude of primes

While modern technology and algorithms can uncover impressively large primes, it is an age-old observation that no single prime discovery can be the end of the story. Indeed, there exist infinitely many primes, as was proved by Euclid in 300 bc, while he was professor at the great university of Alexandria [Archibald 1949]. This achievement can be said to be the beginning of the abstract theory of prime numbers. The famous proof of the following theorem is essentially Euclid’s.

Theorem 1.1.2 (Euclid). There exist infinitely many primes.

Proof. Assume that the primes are finite in number, and denote by p the largest. Consider one more than the product of all primes, namely,

n = 2 · 3 · 5 · · · p + 1.

Now, n cannot be divisible by any of the primes 2 through p, because any such division leaves remainder 1. But we have assumed that the primes up through p comprise all of the primes. Therefore, n cannot be divisible by any prime, contradicting Theorem 1.1.1, so the assumed finitude of primes is contradicted.

It might be pointed out that Theorem 1.1.1 was never explicitly stated by Euclid. However, the part of this theorem that asserts that every integer greater than 1 is divisible by some prime number was known to Euclid, and this is what is used in Theorem 1.1.2.

There are many variants of this classical theorem, both in the matter of its statement and its proofs (see Sections 1.3.2 and 1.4.1). Let us single out one particular variant, to underscore the notion that the fundamental Theorem 1.1.1 itself conveys information about the distribution of primes. Denote by P the set of all primes. We define the prime-counting function at real values of x by

π(x) = #{p ≤ x : p P};

that is, π(x) is the number of primes not exceeding x. The fundamental Theorem 1.1.1 tells us that for positive integer x, the number of solutions to

pai i ≤ x,

where now pi denotes the i-th prime and the ai are nonnegative, is precisely x itself. Each factor pai i must not exceed x, so the number of possible choices of exponent ai, including the choice zero, is bounded above by 1+(ln x)/(ln pi) .