Prime Numbers

The reader should consult Chapter 4 for strategies on proving prime those numbers we strongly suspect to be prime. However, for practical applications, one may be perfectly happy to use a number that is almost certainly prime, but has not actually been proved to be prime. It is with this mindset that people refer to Algorithm 3.5.6 as a “primality test.” It is perhaps more accurate to refer to a number produced by such a test as an “industrial-grade prime,” to use a phrase of H. Cohen.

The following algorithm may be used for the generation of random numbers that are likely to be prime.

Algorithm 3.5.7 (“Industrial-grade prime” generation). We are given an integer k ≥ 3 and an integer T ≥ 1. This probabilistic algorithm produces a random k-bit number (that is, a number in the interval +2k−1, 2k ) that has not been recognized as composite by T iterations of Algorithm 3.5.6.

1. [Choose candidate]

Choose a random odd integer n in the interval 2k−1, 2k ;

2. [Perform strong probable prime tests]

for(1 ≤ i ≤ T ) { // i is a dummy counter. Via Algorithm 3.5.6 attempt to find a witness for n;

if(a witness is found for n) goto [Choose candidate];

An interesting question is this: What is the probability that a number produced by Algorithm 3.5.7 is composite? Let this probability be denoted by P (k, T ). One might think that Theorem 3.5.4 immediately speaks to this question, and that we have P (k, T ) ≤ 4−T . However, the reasoning is fallacious. Suppose k = 500, T = 1. We know from the prime number theorem (Theorem 1.1.4) that the probability that a random odd 500-bit number is prime is about 1 chance in 173. Since it is evidently more likely that one will witness an event with probability 1/4 occurring before an event with probability 1/173, it may seem that there are much better than even odds that Algorithm 3.5.7 will produce composites. In fact, though, Theorem 3.5.4 is a worst-case estimate, and for most odd composite numbers the fraction of witnesses is much larger than 3/4. It is shown in [Burthe 1996] that indeed we do have P (k, T ) ≤ 4−T .

If k is large, one gets good results even with T = 1 in Algorithm 3.5.7. It

√

is shown in [Damg˚ard et al. 1993] that P (k, 1) < k242− k. For specific large values of k the paper has even better results, for example, P (500, 1) < 4−28. Thus, if a randomly chosen odd 500-bit number passes just one iteration of a random strong probable prime test, the number is composite with vanishingly small probability, and may be safely accepted as a “prime” in all but the most sensitive practical applications.

Before proving Theorem 3.5.4 we first establish some lemmas.

Lemma 3.5.8. Say n is an odd composite with n − 1 = 2st, t odd. Let ν(n) denote the largest integer such that 2ν(n) divides p−1 for each prime p dividing n. If n is a strong pseudoprime base a, then a2ν(n)−1t ≡ ±1 (mod n).

Lemma 3.5.9. Recall the notation in Lemma 3.5.8 and (3.6). Let ω(n) be the number of di erent prime factors of n. We have

S(n) = 2 · 2(ν(n)−1)ω(n) gcd(t, p − 1).

p|n

Proof. Let m = 2ν(n)−1t. Suppose that the prime factorization of n is pj11 pj22 · · · pjkk , where k = ω(n). We have that am ≡ 1 (mod n) if and only if am ≡ 1 (mod pjii ) for i = 1, 2, . . . , k. For an odd prime p and positive integer

j, the group Zpj of reduced residues modulo pj is cyclic of order pj−1(p − 1); that is, there is a primitive root modulo pj . (This theorem is mentioned in Section 1.4.3 and can be found in most books on elementary number theory. Compare, too, to Theorem 2.2.5.) Thus, the number of solutions a (mod pjii ) to am ≡ 1 (mod pjii ) is

gcd(m, pjii −1(pi − 1)) = gcd(m, pi − 1) = 2ν(n)−1 · gcd(t, pi − 1).

(Note that the first equality follows from the fact that m divides n − 1, so is not divisible by pi.) We conclude, via the Chinese remainder theorem, that the number of solutions a (mod n) to am ≡ 1 (mod n) is

To complete the proof we must show that there are exactly as many solutions to the congruence am ≡ −1 (mod n). Note that am ≡ −1 (mod pjii ) if and only if a2m ≡ 1 (mod pjii ) and am ≡1 (mod pjii ). Since 2ν(n) divides pi − 1 it follows as above that the number of solutions to am ≡ −1 (mod pjii ) is

2ν(n) · gcd(t, pi − 1) − 2ν(n)−1 · gcd(t, pi − 1) = 2ν(n)−1 · gcd(t, pi − 1).

Proof of Theorem 3.5.4. From Lemma 3.5.8 and (3.6), it will su ce to show that S(n)/ϕ(n) ≤ 1/4 whenever n is an odd composite that is greater than 9. From Lemma 3.5.9, we have

where the notation pa n means that pa is the exact power of the prime p in the prime factorization of n. Each factor (p − 1)/(2ν(n)−1 gcd(t, p − 1)) is an even integer, so that ϕ(n)/S(n) is an integer. In addition, if ω(n) ≥ 3, it follows that ϕ(n)/S(n) ≥ 4. If ω(n) = 2 and n is not squarefree, the product

divide n − 1. This implies there is an odd prime dividing q − 1 to a higher power than it divides n − 1; that is, 2ν(n)−1 gcd(t, q − 1) ≤ (q − 1)/6. We

3.5.1The least witness for n

We have seen in Theorem 3.5.4 that an odd composite number n has at least 3n/4 witnesses in the interval [1, n − 1]. Let W (n) denote the least of the witnesses for n. Then W (n) ≥ 2. In fact, for almost all odd composites, we have W (n) = 2. This is an immediate consequence of Theorem 3.4.2. The following theorem shows that W (n) ≥ 3 for infinitely many odd composite numbers n.

Theorem 3.5.10. If p is a prime larger than 5, then n = (4p + 1)/5 is a strong pseudoprime base 2, so that W (n) ≥ 3.

Proof. We first show that n is a composite integer. Since 4p ≡ (−1)p ≡ −1 (mod 5), we see that n is an integer. That n is composite follows from the identity

4p + 1 = (2p − 2(p+1)/2 + 1)(2p + 2(p+1)/2 + 1).

It is natural to ask whether W (n) can be arbitrarily large. In fact, this question is crucial. If there is a number B that is not too large such that every

odd composite number n has W (n) ≤ B, then the whole subject of testing primality becomes trivial. One would just try each number a ≤ B and if (3.4) holds for each such a, then n is prime. Unfortunately, there is no such number B. The following result is shown in [Alford et al. 1994b].

Theorem 3.5.11. There are infinitely many odd composite numbers n with

W (n) > (ln n)1/(3 ln ln ln n).

In fact, the number of such composite numbers n up to x is at least

x1/(35 ln ln ln x)

when x is su ciently large.

Failing a universal bound B, perhaps there is a slowly growing function of n which is always greater than W (n). Based on [Miller 1976], the following result is proved in [Bach 1985].

Theorem 3.5.12. On the ERH, W (n) < 2 ln2 n for all odd composite numbers n.

Proof. Let n be an odd composite. Exercise 3.19 says that W (n) < ln2 n if n is divisible by the square of a prime, and this result is not conditional on any unproved hypotheses. We thus may assume that n is squarefree. Suppose p is a prime divisor of n with p − 1 = 2s t , t odd. Then the same considerations that were used in the proof of Lemma 3.5.8 imply that if (3.4)

holds, then (a/p) = −1 if and only if a2s −1t ≡ −1 (mod n). Since n is odd, composite, and squarefree, it must be that n is divisible by two di erent odd primes, say p1, p2. Let pi − 1 = 2si ti, ti odd, for i = 1, 2, with s1 ≤ s2. Let χ1(m) = (m/p1p2), χ2(m) = (m/p2), so that χ1 is a character to the modulus p1p2 and χ2 is a character to the modulus p2. First, consider the case s1 = s2. Under the assumption of the extended Riemann hypothesis, Theorem 1.4.5 says that there is a positive number m < 2 ln2(p1p2) ≤ 2 ln2 n with χ1(m) = 1. Thenχ1(m) = 0 or −1. If χ1(m) = 0, then m is divisible by p1 or p2, which implies that m is a witness. Suppose χ1(m) = −1, so that either (m/p1) = 1, (m/p2) = −1 or vice versa. Without loss of generality, assume the first holds. Then, as noted above, if (3.4) holds then m2s2−1t ≡ −1 (mod n), which in turn implies that (m/p1) = −1, since s1 = s2. This contradiction shows that m is a witness for n. Now assume that s1 < s2. Again, Theorem 1.4.5 implies that there is a natural number m < 2 ln2 p2 < 2 ln2 n with

We might ask what can be proved unconditionally. It is obvious that W (n) ≤ n1/2, since the least prime factor of an odd composite number n

is a witness for n. In [Burthe 1997] it is shown that W (n) ≤ nc+o(1) as

√

n → ∞ through the odd composites, where c = 1/(6 e). Heath-Brown (see [Balasubramanian and Nagaraj 1997]) has recently shown this with c = 1/10.82.

We close this section with the Miller primality test. It is based on Theorem 3.5.12 and shows that if the extended Riemann hypothesis holds, then primality can be decided in deterministic polynomial time.

Algorithm 3.5.13 (Miller primality test). We are given an odd number n >

1. This algorithm attempts to decide whether n is prime (YES) or composite (NO). If NO is returned, then n is definitely composite. If YES is returned, n is either prime or the extended Riemann hypothesis is false.

1. [Witness bound]

W = min{ 2 ln2 n! , n − 1};

2.[Strong probable prime tests] for(2 ≤ a ≤ W ) {

Decide via Algorithm 3.5.2 whether n is a strong probable prime base a; if(n is not a strong probable prime base a) return NO;

}

return YES;

3.6Lucas pseudoprimes

We may generalize many of the ideas of the past two sections to incorporate finite fields. Traditionally the concept of Lucas pseudoprimes has been cast in the language of binary recurrent sequences. It is profitable to view this pseudoprime construct using the language of finite fields, not just to be fashionable, but because the ideas then seem less ad hoc, and one can generalize easily to higher order fields.

3.6.1Fibonacci and Lucas pseudoprimes

The sequence 0, 1, 1, 2, 3, 5, . . . of Fibonacci numbers, say uj is the j-th one starting with j = 0, has an interesting rule for the appearance of prime factors.

Theorem 3.6.1. If n is prime, then

where εn = 1 when n ≡ ±1 (mod 5), εn = −1 when n ≡ ±2 (mod 5), and

εn = 0 when n ≡ 0 (mod 5).

Remark. The reader should recognize the function εn. It is the Legendre symbol n5 ; see Definition 2.3.2.

Definition 3.6.2. We say that a composite number n is a Fibonacci pseudoprime if (3.7) holds.

For example, the smallest Fibonacci pseudoprime coprime to 10 is 323.

The Fibonacci pseudoprime test is not just a curiosity. As we shall see below, it can be implemented on very large numbers. In fact, it takes only about twice as long to run a Fibonacci pseudoprime test as a conventional pseudoprime test. And for those composites that are ±2 (mod 5) it is, when combined with the ordinary base-2 pseudoprime test, very e ective. In fact, we know no number n ≡ ±2 (mod 5) that is simultaneously a base-2 pseudoprime and a Fibonacci pseudoprime; see Exercise 3.41.

In proving Theorem 3.6.1 it turns out that with no extra work we can establish a more general result. The Fibonacci sequence satisfies the recurrence uj = uj−1 + uj−2, with recurrence polynomial x2 − x − 1. We shall consider the more general case of binary recurrent sequences with polynomial f (x) = x2 − ax + b, where a, b are integers with ∆ = a2 − 4b not a square. Let

where the notation means that we take the remainder in Z[x] upon division by f (x). The sequences (Uj ), (Vj ) both satisfy the recurrence for the polynomial x2 − ax + b, namely,

Uj = aUj−1 − bUj−2, Vj = aVj−1 − bVj−2,

and from (3.8) we may read o the initial values

U0 = 0, U1 = 1, V0 = 2, V1 = a.

If it was not already evident from (3.8), it is now clear that (Uj ), (Vj ) are integer sequences.

In analogy to Theorem 3.6.1 we have the following result. In fact, we can read o Theorem 3.6.1 as the special case corresponding to a = 1, b = −1.

Theorem 3.6.3. Let a, b, ∆ be as above and define the sequences (Uj ), (Vj ) via (3.8). If p is a prime with gcd(p, 2b∆) = 1, then

Note that for ∆ = 5 and p odd, p5 = p5 , so the remark following Theorem

3.6.1 is justified. Since the Jacobi symbol ∆n (see Definition 2.3.3) is equal to the Legendre symbol when n is an odd prime, we may turn Theorem 3.6.3 into a pseudoprime test.

Definition 3.6.4. We say that a composite number n with gcd(n, 2b∆) = 1 is a Lucas pseudoprime with respect to x2 − ax + b if Un−(∆n ) ≡ 0 (mod n).

Since the sequence (Uj ) is constructed by reducing polynomials modulo x2 − ax + b, and since Theorem 3.6.3 and Definition 3.6.4 refer to this sequence reduced modulo n, we are really dealing with objects in the ring

R = Zn[x]/(x2 − ax + b). To somewhat demystify this concept, we explicitly list a complete set of coset representatives:

{i + jx : i, j are integers with 0 ≤ i, j ≤ n − 1}.

We add coset representatives as vectors (mod n), and we multiply them via x2 = ax − b. Thus, we have

(i1 + j1x) + (i2 + j2x) = i3 + j3x

(i1 + j1x)(i2 + j2x) = i4 + j4x,

We now prove Theorem 3.6.3. Suppose p is an odd prime with ∆p = −1. Then ∆ is not a square in Zp, so that the polynomial x2 − ax + b, which has discriminant ∆, is irreducible over Zp. Thus, R = Zp[x]/(x2 − ax + b) is isomorphic to the finite field Fp2 with p2 elements. The subfield Zp (= Fp) is recognized as those coset representatives i + jx with j = 0.

In Fp2 the function σ that takes an element to its p-th power (known as the Frobenius automorphism) has the following pleasant properties, which are easily derived from the binomial theorem and Fermat’s little theorem (see (3.2)): σ(u + v) = σ(u) + σ(v), σ(uv) = σ(u)σ(v), and σ(u) = u if and only if u is in the subfield Zp.

We have created the field Fp2 so as to provide roots for x2 − ax + b, which were lacking in Zp. Which coset representatives i + jx are the roots? They

Then xp+1 − (a − x)p+1 ≡ x(a − x) − (a − x)x ≡ 0 (mod (f (x), p)), so that

R = Zp[x]/(x −ax+b) is not a finite field. Rather, it is isomorphic to Zp ×Zp, and every element to the p-th power is itself. Thus,

Note, too, that our assumption that gcd(p, b) = 1 implies that x and a − x are invertible in R, since x(a − x) ≡ b (mod f (x)). Hence xp−1 = (a − x)p−1 = 1 in R. Thus, (3.8) implies Up−1 ≡ 0 (mod p). This concludes the proof of Theorem 3.6.3.

Because of Exercise 3.26, it is convenient to rule out the polynomial x2 − x + 1 when dealing with Lucas pseudoprimes. A similar problem occurs with x2 + x + 1, and we rule out this polynomial, too. No other polynomials with nonsquare discriminants are ruled out, though. (Only x2 ± x + 1 are monic, irreducible over the rationals, and have their roots also being roots of 1.)

3.6.2Grantham’s Frobenius test

The key role of the Frobenius automorphism (raising to the p-th power) in the Lucas test has been put in center stage in a new test of J. Grantham. It allows for an arbitrary polynomial in the place of x2 − ax + b, but even in the case of quadratic polynomials, it is stronger than the Lucas test. One of the advantages of Grantham’s approach is that it cuts the tie to recurrent sequences. We describe below his test for quadratic polynomials. A little is said about the general test in Section 3.6.5. For more on Frobenius pseudoprimes see [Grantham 2001].

The argument that establishes Theorem 3.6.3 also establishes on the way (3.10) and (3.11). But Theorem 3.6.3 only extracts part of the information from these congruences. The Frobenius test maintains their full strength.

Definition 3.6.5. Let a, b be integers with ∆ = a2 −4b not a square. We say that a composite number n with gcd(n, 2b∆) = 1 is a Frobenius pseudoprime with respect to f (x) = x2 − ax + b if

At first glance it may seem that we are still throwing away half of (3.10) and (3.11), but we are not; see Exercise 3.27.

It is easy to give a criterion for a Frobenius pseudoprime with respect to a quadratic polynomial, in terms of the Lucas sequences (Um), (Vm).

Theorem 3.6.6. Let a, b be integers with ∆ = a2 − 4b not a square and let n be a composite number with gcd(n, 2b∆) = 1. Then n is a Frobenius pseudoprime with respect to x2 − ax + b if and only if

Proof. Let f (x) = x2 − ax + b. We use the identity

2xm ≡ (2x − a)Um + Vm (mod (f (x), n)),

which is self-evident from (3.8). Then the congruences in the theorem lead to xn+1 ≡ b (mod (f (x), n)) in the case ∆n = −1 and xn−1 ≡ 1 (mod (f (x), n)) in the case ∆n = 1. The latter case immediately gives xn ≡ x (mod (f (x), n)),

(mod (f (x), n)). Thus, n is a Frobenius pseudoprime with respect to f (x). Now suppose n is a Frobenius pseudoprime with respect to f (x). Exercise

3.27 shows that n is a Lucas pseudoprime with respect to f (x), namely

The first Frobenius pseudoprime n with respect to x2 − x − 1 is 4181 (the nineteenth Fibonacci number), and the first with n5 = −1 is 5777. We thus see that not every Lucas pseudoprime is a Frobenius pseudoprime, that is, the Frobenius test is more stringent. In fact, the Frobenius pseudoprime test can be very e ective. For example, for x2 + 5x + 5 we don’t know any examples at all of a Frobenius pseudoprime n with n5 = −1, though such numbers are conjectured to exist; see Exercise 3.42.

3.6.3Implementing the Lucas and quadratic Frobenius tests

It turns out that we can implement the Lucas test in about twice the time of an ordinary pseudoprime test, and we can implement the Frobenius test in about three times the time of an ordinary pseudoprime test. However, if we approach these tests naively, the running time is somewhat more than just claimed. To achieve the factors two and three mentioned, a little cleverness is required.

As before, we let a, b be integers with ∆ = a2 − 4b not a square, and we define the sequences (Uj ), (Vj ) as in (3.8). We first remark that it is easy to deal solely with the sequence (Vj ). If we have Vm and Vm+1, we may immediately recover Um via the identity

We next remark that it is easy to compute Vm for large m from earlier values using the following simple rule: If 0 ≤ j ≤ k, then

Suppose now that b = 1. We record the formula (3.14) in the special cases k = j and k = j + 1:

Thus, if we have the residues Vj (mod n), Vj+1 (mod n), then we may compute, via (3.15), either the pair V2j (mod n), V2j+1 (mod n) or the pair V2j+1 (mod n), V2j+2 (mod n), with each choice taking 2 multiplications modulo n and an addition modulo n. Starting from V0, V1 we can recursively

use (3.15) to arrive at any pair Vm, Vm+1. For example, say m is 97. We travel from 0, 1 to 97, 98 as follows:

0, 1 → 1, 2 → 3, 4 → 6, 7 → 12, 13 → 24, 25 → 48, 49 → 97, 98.

There are two types of moves, one that sends the pair a, a + 1 to 2a, 2a + 1 and one that sends it to 2a + 1, 2a + 2. An easy way to find which sequence of moves to make is to start from the target pair m, m + 1 and work backwards. Another easy way is to write m in binary and read the binary digits from most significant bit to least significant bit. A zero signifies the first type of move and a one signifies the second. So in binary, 97 is 1100001, and we see above after the initial 0,1 that we have two moves of the second type, followed by four moves of the first type, followed by a move of the second type.

Such a chain is called a binary Lucas chain. For more on this subject, see [Montgomery 1992b] and [Bleichenbacher 1996]. Here is our pseudocode summarizing the above ideas:

Algorithm 3.6.7 (Lucas chain). For a sequence x0, x1, . . . with a rule for computing x2j from xj and a rule for computing x2j+1 from xj , xj+1, this algorithm computes the pair (xn, xn+1) for a given positive integer n. We have n in binary as (n0, n1, . . . , nB−1) with nB−1 being the high-order bit. We write the rules as follows: x2j = xj xj and x2j+1 = xj ◦ xj+1. At each step in the for() loop in the algorithm we have u = xj , v = xj+1 for some nonnegative integer j.

Let us see how we might relax the condition b = 1; that is, we are back in the general case of x2 − ax + b. If a = cd, b = d2 we can use the identity

Vm(cd, d2) = dmV (c, 1)

to quickly return to the case b = 1. More generally, if b is a square, say b = d2 and gcd(n, b) = 1, we have

Vm(a, d2) ≡ dmVm(ad−1, 1) (mod n),

where d−1 is a multiplicative inverse of d modulo n. So again we have returned to the case b = 1. In the completely general case that b is not necessarily a square, we note that if we run through the Vm sequence at double time, it is as if we were running through a new Vj sequence. In fact,

V2m(a, b) = Vm(a2 − 2b, b2),