
Prime Numbers
4.1 The n − 1 test (p. 179)
4.1.3 Succinct certificates
The goal in primality testing is to quickly find a short proof of primality for prime inputs p. But how do we know that a short proof exists? Any search will necessarily be in vain if p does not have a short primality proof. We now show that every prime p has a short proof of primality, or what V. Pratt has called a “succinct certificate.”
In fact, there is always a short proof that is based on the Lucas Theorem 4.1.1. This might appear obvious, for once you have somehow found the complete prime factorization of p − 1 and the primitive root a, the conditions (4.1) may be quickly verified.
However, for the proof to be complete, one needs a demonstration that we indeed have the complete factorization of p − 1; that is, that the numbers q appearing in (4.1) really are prime. This suggests an iteration of the method, but then arises the possibility that there may be a proliferation of cases. The heart of the proof is to show that, in the worst case, not too much proliferation can occur.
It is convenient to make a small, and quite practical, modification in the Lucas Theorem 4.1.1. The idea is to treat the prime q = 2 differently from the other primes q dividing p − 1. In fact, we know what a^{(p−1)/2} should be congruent to (mod p) if it is not 1, namely −1. And if a^{(p−1)/2} ≡ −1 (mod p), we do not need to check that a^{p−1} ≡ 1 (mod p). Further, if q is an odd prime factor of p − 1, let m = a^{(p−1)/2q}. If m^q ≡ −1 (mod p) and m² ≡ 1 (mod p), then m ≡ −1 (mod p) (regardless of whether p is prime or composite). Thus, to show that a^{(p−1)/q} ≢ 1 (mod p) it suffices to show a^{(p−1)/2q} ≢ −1 (mod p). Thus we have the following result.
Theorem 4.1.8. Suppose p > 1 is an odd integer and
$$a^{(p-1)/2} \equiv -1 \pmod p,\qquad a^{(p-1)/2q} \not\equiv -1 \pmod p \text{ for every odd prime } q \mid p-1. \qquad (4.11)$$
Then p is prime. Conversely, if p is an odd prime, then every primitive root a of p satisfies conditions (4.11).
We now describe what might be called a “Lucas tree.” It is a rooted tree with odd primes at the vertices, p at the root (level 0), and for each positive level k, a prime r at level k is connected to a prime q at level k − 1 if and only if r|q − 1. For example, here is the Lucas tree for p = 1279:
level 0:  1279
level 1:  3, 71        (1278 = 2 · 3² · 71)
level 2:  5, 7         (both below 71, since 70 = 2 · 5 · 7; 3 − 1 = 2 has no odd prime factor)
level 3:  3            (below 7, since 6 = 2 · 3; 5 − 1 = 4 has no odd prime factor)
Let M(p) be the number of modular multiplications (with integers not exceeding p) needed to prove p prime using Theorem 4.1.8 to traverse the Lucas tree for p, and using binary addition chains for the exponentiations (see Algorithm 2.1.5).
For example, consider p = 1279:
$$\begin{aligned}
3^{1278/2} &\equiv -1 \pmod{1279}, & 3^{1278/6} &\equiv 775 \pmod{1279}, & 3^{1278/142} &\equiv 498 \pmod{1279},\\
2^{2/2} &\equiv -1 \pmod 3,\\
7^{70/2} &\equiv -1 \pmod{71}, & 7^{70/10} &\equiv 14 \pmod{71}, & 7^{70/14} &\equiv 51 \pmod{71},\\
2^{4/2} &\equiv -1 \pmod 5,\\
3^{6/2} &\equiv -1 \pmod 7, & 3^{6/6} &\equiv 3 \pmod 7,\\
2^{2/2} &\equiv -1 \pmod 3.
\end{aligned}$$
If we use the binary addition chain for each exponentiation, we have the following number of modular multiplications:
1278/2 : 16
1278/6 : 11
1278/142 : 4
2/2 : 0
70/2 : 7
70/10 : 4
70/14 : 3
4/2 : 1
6/2 : 2
6/6 : 0
2/2 : 0.
Thus, using binary addition chains we have 48 modular multiplications, so M (1279) = 48.
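The computation above, written out as code: an added example (not from the book) that builds the Lucas tree of p by applying Theorem 4.1.8 at every vertex, adds up the binary-addition-chain costs to obtain M(p), and checks a finished certificate with nothing but the congruences of (4.11). The helper names odd_prime_factors, binary_chain_cost, find_witness, lucas_tree_certificate and verify_certificate are chosen here; the certificate format {p: (a, {q: ...})} is likewise this example's own.

```python
def odd_prime_factors(m):
    """Distinct odd prime factors of m by trial division (helper for this example)."""
    while m % 2 == 0:
        m //= 2
    factors, d = [], 3
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 2
    if m > 1:
        factors.append(m)
    return factors

def binary_chain_cost(e):
    """Modular multiplications of the binary addition chain for exponent e (Algorithm
    2.1.5): one squaring per bit after the leading one plus one multiplication per
    further set bit.  639 = 1001111111b costs 9 + 7 = 16, as in the table above."""
    return 0 if e <= 1 else (e.bit_length() - 1) + (bin(e).count("1") - 1)

def find_witness(p, odd_qs):
    """Smallest a satisfying (4.11) for odd p, given the odd prime factors of p - 1;
    None when no a works, which by Theorem 4.1.8 happens exactly for composite p."""
    for a in range(2, p):
        if pow(a, (p - 1) // 2, p) != p - 1:
            continue
        if all(pow(a, (p - 1) // (2 * q), p) != p - 1 for q in odd_qs):
            return a
    return None

def lucas_tree_certificate(p):
    """Walk the Lucas tree of p.  Returns (N(p), M(p), cert) with
    cert = {p: (a, {q: (a_q, ...), ...})} the succinct certificate."""
    odd_qs = odd_prime_factors(p - 1)
    a = find_witness(p, odd_qs)
    if a is None:
        raise ValueError(f"{p} is composite: no a satisfies (4.11)")
    n_count = 1
    cost = binary_chain_cost((p - 1) // 2)
    cost += sum(binary_chain_cost((p - 1) // (2 * q)) for q in odd_qs)
    sub = {}
    for q in odd_qs:                      # recurse into the next level of the tree
        n_q, m_q, cert_q = lucas_tree_certificate(q)
        n_count, cost = n_count + n_q, cost + m_q
        sub.update(cert_q)
    return n_count, cost, {p: (a, sub)}

def verify_certificate(p, cert):
    """Check a certificate without factoring or searching: the claimed primes must
    account for all of p - 1 except its power of 2, the witness must satisfy (4.11),
    and each claimed prime must itself be certified."""
    if p < 3 or p % 2 == 0 or p not in cert:
        return False
    a, sub = cert[p]
    m = p - 1
    while m % 2 == 0:
        m //= 2
    for q in sub:
        while m % q == 0:
            m //= q
    if m != 1 or not 1 < a < p or pow(a, (p - 1) // 2, p) != p - 1:
        return False
    if any(pow(a, (p - 1) // (2 * q), p) == p - 1 for q in sub):
        return False
    return all(verify_certificate(q, sub) for q in sub)
```

For p = 1279 the certificate found is the one worked above (witness 3 at the root, 7 at 71, 3 at 7, 2 at 5 and 3), with N(1279) = 6 and M(1279) = 48.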
The following result is essentially due to [Pratt 1975]:
Theorem 4.1.9. For every odd prime p, M(p) < 2 lg² p.
Proof. Let N(p) be the number of (not necessarily distinct) odd primes in the Lucas tree for p. We first show that N(p) < lg p. This is true for p = 3. Suppose it is true for every odd prime less than p. If p − 1 is a power of 2, then N(p) = 1 < lg p. If p − 1 has the odd prime factors q_1, . . . , q_k, then, by the induction hypothesis,
$$N(p) = 1 + \sum_{i=1}^{k} N(q_i) < 1 + \sum_{i=1}^{k} \lg q_i = 1 + \lg(q_1 \cdots q_k) \le 1 + \lg\frac{p-1}{2} < \lg p.$$

So N (p) < lg p always holds.
If r is one of the odd primes appearing in the Lucas tree for p, and r < p, then there is some other prime q also appearing in the Lucas tree with r | q − 1 and q ≤ p. We have to show at one point that for some a, a^{(q−1)/2r} ≢ −1 (mod q), and, at another point, that for some b, b^{(r−1)/2} ≡ −1 (mod r). Note that the number of modular multiplications in the binary addition chain for m does not exceed 2 lg m. Thus, the number of modular multiplications in the above two calculations does not exceed
$$2\lg\frac{q-1}{2r} + 2\lg\frac{r-1}{2} < 2\lg q - 4 < 2\lg p.$$
We conclude that
$$M(p) < 2\lg\frac{p-1}{2} + (N(p)-1)\,2\lg p < 2\lg p + (\lg p - 1)\,2\lg p = 2\lg^2 p.$$
This completes the proof.
By using more efficient addition chains we may reduce the coefficient 2. We do not know whether there is some c > 0 such that for infinitely many primes p, the Lucas tree proof of primality for p actually requires at least c lg² p modular multiplications. We also do not know whether there are infinitely many primes p with M(p) = o(lg² p). It is known, however, that via Theorem 7.6.1 (see [Pomerance 1987a]), there exists in principle some primality proof for every prime p using only O(lg p) modular multiplications. As with the Lucas tree proof, existence is comforting to know, but the rub is in finding such a short proof.
4.2 The n + 1 test
The principal difficulty in applying the n − 1 test of the previous section to prove n prime is in finding a sufficiently large completely factored divisor of n − 1. For some values of n, this is no problem, such as with Fermat numbers, for which we have the Pepin test. For other classes of numbers, such as the Mersenne numbers M_p = 2^p − 1, the prime factorization of 1 more than the number is readily apparent. Can we use this information in a primality test? Indeed, we can.
4.2.1 The Lucas–Lehmer test
With a, b ∈ Z, let
$$f(x) = x^2 - ax + b,\qquad \Delta = a^2 - 4b. \qquad (4.12)$$
We reintroduce the Lucas sequences (U_k), (V_k), already discussed in Section 3.6.1:
$$U_k = \frac{x^k - (a-x)^k}{x - (a-x)} \pmod{f(x)},\qquad V_k = x^k + (a-x)^k \pmod{f(x)}. \qquad (4.13)$$

Recall that the polynomials U_k, V_k do not have positive degree; that is, they are integers.
Definition 4.2.1. With the above notation, if n is a positive integer with gcd(n, 2b∆) = 1, the rank of appearance of n, denoted by r_f(n), is the least positive integer r with U_r ≡ 0 (mod n).
This concept sometimes goes by the name “rank of apparition,” but according to Ribenboim, this is due to a mistranslation of the French apparition. There is nothing ghostly about the rank of appearance!
It is apparent from the definition (4.13) that (U_k) is a “divisibility sequence,” that is, if k | j then U_k | U_j. (We allow the possibility that U_k = U_j = 0.) It follows that if gcd(n, 2b∆) = 1, then U_j ≡ 0 (mod n) if and only if j ≡ 0 (mod r_f(n)). On the basis of Theorem 3.6.3 we thus have the following result:
Theorem 4.2.2. With f, ∆ as in (4.12) and p a prime not dividing 2b∆, we have r_f(p) | p − (∆/p). (Recall the Legendre symbol (·/p) from Definition 2.3.2.)
In analogy to Theorem 4.1.3, we have the following result:
Theorem 4.2.3 (Morrison). Let f, ∆ be as in (4.12) and let n be a positive integer with gcd(n, 2b) = 1, (∆/n) = −1. If F is a divisor of n + 1 and
$$U_{n+1} \equiv 0 \pmod n,\qquad \gcd(U_{(n+1)/q}, n) = 1 \text{ for every prime } q \mid F, \qquad (4.14)$$
then every prime p dividing n satisfies p ≡ (∆/p) (mod F). In particular, if F > √n + 1 and (4.14) holds, then n is prime. (Recall the Jacobi symbol (·/n) from Definition 2.3.3.)
Proof. Let p be a prime factor of n. Then (4.14) implies that F divides r_f(p). So, by Theorem 4.2.2, p ≡ (∆/p) (mod F). If, in addition, we have F > √n + 1, then every prime factor p of n has p ≥ F − 1 > √n, so n is prime.
If Theorem 4.2.3 is to be used in a primality test, we will need to find an appropriate f in (4.12). As with Algorithm 4.1.7 where a is chosen at random, we may choose a, b in (4.12) at random. When we start with a prime n, the expected number of choices until a successful pair is found is not large, as the following result indicates.
Theorem 4.2.4. Let p be an odd prime and let N be the number of pairs a, b ∈ {0, 1, . . . , p − 1} such that if f, ∆ are given as in (4.12), then (∆/p) = −1 and r_f(p) = p + 1. Then N = ½(p − 1)ϕ(p + 1).
We leave the proof as Exercise 4.12. A consequence of Theorem 4.2.4 is that if n is an odd prime and if a, b are chosen randomly in {0, 1, . . . , n − 1} with not both 0, then the expected number of choices until one is found where the

f in (4.12) satisfies rf (n) = n + 1 is 2(n + 1)/ϕ(n + 1). If n > 892271479, then this expected number of choices is less than 4 ln ln n; see Exercise 4.16.
It is also possible to describe a primality test using the V sequence in (4.13).
Theorem 4.2.5. Let f, ∆ be as in (4.12) and let n be a positive integer with gcd(n, 2b) = 1 and (∆/n) = −1. If F is an even divisor of n + 1 and
$$V_{F/2} \equiv 0 \pmod n,\qquad \gcd(V_{F/2q}, n) = 1 \text{ for every odd prime } q \mid F, \qquad (4.15)$$
then every prime p dividing n satisfies p ≡ (∆/p) (mod F). In particular, if F > √n + 1, then n is prime.
Proof. Suppose p is an odd prime that divides both U_m, V_m. Then (4.13) implies x^m ≡ (a − x)^m (mod (f(x), p)) and x^m ≡ −(a − x)^m (mod (f(x), p)), so that x^m ≡ 0 (mod (f(x), p)). Then b^m ≡ (x(a − x))^m ≡ 0 (mod (f(x), p)); that is, p divides b. Since n is coprime to 2b, and since U_{2m} = U_mV_m, we have
$$\gcd(U_{2m}, n) = \gcd(U_m, n) \cdot \gcd(V_m, n).$$
Thus, the first condition in (4.15) implies U_F ≡ 0 (mod n) and gcd(U_{F/2}, n) = 1. Now suppose q is an odd prime factor of F. We have U_{F/q} = U_{F/2q}V_{F/2q} coprime to n. Indeed, U_{F/2q} divides U_{F/2}, so that gcd(U_{F/2q}, n) = 1, and so with the second condition in (4.15) we have that gcd(U_{F/q}, n) = 1. Thus, r_f(p) = F, and as in the proof of Theorem 4.2.3, this is sufficient for the conclusion.
Just as the n − 1 test is particularly well suited for Fermat numbers, the n + 1 test is especially speedy for Mersenne numbers.
Theorem 4.2.6 (Lucas–Lehmer test for Mersenne primes). Consider the sequence (v_k) for k = 0, 1, . . . , recursively defined by v_0 = 4 and v_{k+1} = v_k² − 2. Let p be an odd prime. Then M_p = 2^p − 1 is prime if and only if v_{p−2} ≡ 0 (mod M_p).
Proof. Let f(x) = x² − 4x + 1, so that ∆ = 12. Since M_p ≡ 3 (mod 4) and M_p ≡ 1 (mod 3), we see that (∆/M_p) = −1. We apply Theorem 4.2.5 with F = 2^{p−1} = (M_p + 1)/2. The conditions (4.15) reduce to the single condition V_{2^{p−2}} ≡ 0 (mod M_p). But
$$V_{2m} \equiv x^{2m} + (4-x)^{2m} = \bigl(x^m + (4-x)^m\bigr)^2 - 2x^m(4-x)^m \equiv V_m^2 - 2 \pmod{f(x)},$$
since x(4 − x) ≡ 1 (mod f(x)); see (3.15). Also, V_1 = 4. Thus, V_{2^k} = v_k, and it follows from Theorem 4.2.5 that if v_{p−2} ≡ 0 (mod M_p), then M_p is prime.
Suppose, conversely, that M = M_p is prime. Since (∆/M) = −1, Z[x]/(f(x), M) is isomorphic to the finite field F_{M²}. Thus, raising to the M power is an automorphism and x^M ≡ 4 − x (mod (f(x), M)); see the proof of Theorem 3.6.3. We compute (x − 1)^{M+1} two ways. First, since (x − 1)² ≡ 2x
(mod (f(x), M)) and by the Euler criterion we have 2^{(M−1)/2} ≡ (2/M) = 1 (mod M), so
$$(x-1)^{M+1} \equiv (2x)^{(M+1)/2} = 2\cdot 2^{(M-1)/2}x^{(M+1)/2} \equiv 2x^{(M+1)/2} \pmod{(f(x), M)}.$$
Next,
$$(x-1)^{M+1} = (x-1)(x-1)^M \equiv (x-1)(x^M - 1) \equiv (x-1)(3-x) \equiv -2 \pmod{(f(x), M)}.$$
Thus, x^{(M+1)/2} ≡ −1 (mod (f(x), M)); that is, x^{2^{p−1}} ≡ −1 (mod (f(x), M)). Using our automorphism, we also have (4 − x)^{2^{p−1}} ≡ −1 (mod (f(x), M)), so that U_{2^{p−1}} ≡ 0 (mod M). If U_{2^{p−2}} ≡ 0 (mod M), then x^{2^{p−2}} ≡ (4 − x)^{2^{p−2}} (mod (f(x), M)), so that
$$-1 \equiv x^{2^{p-1}} \equiv x^{2^{p-2}}(4-x)^{2^{p-2}} \equiv \bigl(x(4-x)\bigr)^{2^{p-2}} \equiv 1^{2^{p-2}} \equiv 1 \pmod{(f(x), M)},$$
a contradiction. Since U_{2^{p−1}} = U_{2^{p−2}}V_{2^{p−2}}, we have V_{2^{p−2}} ≡ 0 (mod M). But we have seen that V_{2^{p−2}} = v_{p−2}, so the proof is complete.
Algorithm 4.2.7 (Lucas–Lehmer test for Mersenne primes). We are given an odd prime p. This algorithm decides whether 2^p − 1 is prime (YES) or composite (NO).
1. [Initialize]
v = 4;
2. [Compute Lucas–Lehmer sequence]
for(k ∈ [1, p − 2]) v = (v² − 2) mod (2^p − 1); // k is a dummy counter.
3. [Check residue]
if(v == 0) return YES;
return NO;
The celebrated Lucas–Lehmer test for Mersenne primes has achieved some notable successes, as mentioned in Chapter 1 and in the discussion surrounding Algorithm 9.5.19. Not only is the test breathtakingly simple, there are ways to perform with high efficiency the p − 2 repeated squarings in Step [Compute Lucas–Lehmer sequence].
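An added example, not code from the book, that ties Algorithm 4.2.7 back to Theorem 4.2.5 and its proof: the Lucas sequences of (4.13) are computed modulo n by exponentiating x in Z[x]/(f(x), n), the conditions (4.15) are checked for an even divisor F of n + 1, and for M_p with f(x) = x² − 4x + 1 and F = 2^{p−1} the outcome and the identity V_{2^k} = v_k are compared against the plain squaring loop. The names jacobi, lucas_uv, n_plus_1_test, lucas_lehmer, lucas_lehmer_via_theorem and v_matches_V are chosen here.

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (Definition 2.3.3 on the page)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def lucas_uv(a, b, k, n):
    """(U_k mod n, V_k mod n) for f(x) = x^2 - a x + b, as in (4.13): raise x to the
    k-th power in Z[x]/(f(x), n).  Elements are pairs (c0, c1) meaning c0 + c1*x,
    reduced with x^2 = a*x - b.  Since x^k = U_k*x - b*U_{k-1} (mod f(x)) and
    V_k = 2*U_{k+1} - a*U_k with U_{k+1} = a*U_k - b*U_{k-1}, the pair (e0, e1)
    for x^k gives U_k = e1 and V_k = a*e1 + 2*e0."""
    def mul(p, q):
        (c0, c1), (d0, d1) = p, q
        return ((c0 * d0 - b * c1 * d1) % n, (c0 * d1 + c1 * d0 + a * c1 * d1) % n)
    result, base = (1, 0), (0, 1)         # the ring elements 1 and x
    while k:
        if k & 1:
            result = mul(result, base)
        base = mul(base, base)
        k >>= 1
    e0, e1 = result
    return e1 % n, (a * e1 + 2 * e0) % n

def n_plus_1_test(n, a, b, F, odd_primes_of_F):
    """Conditions (4.15) of Theorem 4.2.5 for an even divisor F of n + 1, under the
    hypotheses gcd(n, 2b) = 1 and (Delta/n) = -1.  True means every prime factor
    of n is congruent to +-1 (mod F); that proves n prime only if F > sqrt(n) + 1."""
    assert F % 2 == 0 and (n + 1) % F == 0
    if gcd(n, 2 * b) != 1 or jacobi(a * a - 4 * b, n) != -1:
        return False
    if lucas_uv(a, b, F // 2, n)[1] != 0:                  # V_{F/2} = 0 (mod n)
        return False
    return all(gcd(lucas_uv(a, b, F // (2 * q), n)[1], n) == 1 for q in odd_primes_of_F)

def lucas_lehmer(p):
    """Algorithm 4.2.7: v_0 = 4, then p - 2 squarings modulo M_p, then test for zero."""
    m = (1 << p) - 1
    v = 4
    for _ in range(p - 2):
        v = (v * v - 2) % m
    return v == 0

def lucas_lehmer_via_theorem(p):
    """Same decision through Theorem 4.2.5 with f(x) = x^2 - 4x + 1 (Delta = 12) and
    F = 2^(p-1) = (M_p + 1)/2, where (4.15) collapses to V_{2^(p-2)} = 0 (mod M_p)."""
    return n_plus_1_test((1 << p) - 1, 4, 1, 1 << (p - 1), [])

def v_matches_V(p):
    """The identity V_{2^k} = v_k from the proof, checked for k = p - 2 modulo M_p."""
    m = (1 << p) - 1
    v = 4
    for _ in range(p - 2):
        v = (v * v - 2) % m
    return v == lucas_uv(4, 1, 1 << (p - 2), m)[1]
```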
4.2.2 An improved n + 1 test, and a combined n² − 1 test
As with the n − 1 test, which is useful only in the case that we have a large, fully factored divisor of n − 1, the principal hurdle in implementing the n + 1 test for most numbers is coming up with a large, fully factored divisor of n + 1. In this section we shall improve Theorem 4.2.3 to get a result similar to Theorem 4.1.5. That is, we shall only require the fully factored divisor of n + 1 to exceed the cube root. (Using the ideas in Theorem 4.1.6, this can be improved to the 3/10 root.) Then we shall show how fully factored divisors

of both n − 1 and n + 1, that is, a fully factored divisor of n2 − 1, may be combined into one test.
Theorem 4.2.8. Suppose f, ∆ are as in (4.12) and n is a positive integer with gcd(n, 2b) = 1 and (∆/n) = −1. Suppose n + 1 = FR with F > n^{1/3} + 1 and (4.14) holds. Write R in base F, so that R = r_1F + r_0, 0 ≤ r_i ≤ F − 1. Then n is prime if and only if neither x² + r_0x − r_1 nor x² + (r_0 − F)x − r_1 − 1 has a positive integral root.
Note that in the case R < F we have r_1 = 0, and so neither quadratic can have positive integral roots. Thus, Theorem 4.2.8 contains the final assertion of Theorem 4.2.3.
Proof. Theorem 4.2.3 implies that all prime factors p of n satisfy p ≡ (∆/p) (mod F). So, if n is composite, it must be the product pq of just two prime factors. Indeed, if n has 3 or more prime factors, n exceeds (F − 1)³, a contradiction. Since −1 = (∆/n) = (∆/p)(∆/q), we have, say, (∆/p) = 1, (∆/q) = −1. Thus, there are positive integers c, d with p = cF + 1, q = dF − 1. Since both (F² + 1)(F − 1) > n and (F + 1)(F² − 1) > n, we have 1 ≤ c, d ≤ F − 1. Note that
$$r_1F + r_0 = R = \frac{n+1}{F} = cdF + d - c,$$
so that d − c ≡ r_0 (mod F). It follows that d = c + r_0 or d = c + r_0 − F, that is, d = c + r_0 − iF for i = 0 or 1. Thus,
$$r_1F + r_0 = c(c + r_0 - iF)F + r_0 - iF,$$
so that r_1 = c(c + r_0 − iF) − i, which implies that
$$c^2 + (r_0 - iF)c - r_1 - i = 0.$$
But then x² + (r_0 − iF)x − r_1 − i has a positive integral root for one of i = 0, 1. This proves one direction.
Suppose now that x² + (r_0 − iF)x − r_1 − i has a positive integral root c for one of i = 0, 1. Undoing the above algebra we see that cF + 1 is a divisor of n. But n ≡ −1 (mod F), so n is composite, since the hypotheses imply F > 2.
We can improve the n + 1 test further, requiring only F ≥ n^{3/10}. The proof is completely analogous to Theorem 4.1.6, and we leave said proof as Exercise 4.15.
Theorem 4.2.9. Suppose n ≥ 214 and the hypotheses of Theorem 4.2.8 hold, except that n^{3/10} ≤ F ≤ n^{1/3} + 1. Say the base-F expansion of n + 1 is c_3F³ + c_2F² + c_1F, and let c_4 = c_3F + c_2. Then n is prime if and only if the following conditions hold:
(1) (c_1 + tF)² − 4t + 4c_4 is not a square for t integral, |t| ≤ 5,
(2) with u/v the continued fraction convergent to c_1/F such that v is maximal subject to v < F²/√n and with d = ⌊c_4v/F + 1/2⌋, the

polynomial vx³ − (uF − c_1v)x² − (c_4v − dF + u)x + d has no integral root a such that aF + 1 is a nontrivial factor of n, and the polynomial vx³ + (uF − c_1v)x² − (c_4v + dF + u)x + d has no integral root b such that bF − 1 is a nontrivial factor of n.
The next result allows one to combine partial factorizations of both n − 1 and n + 1 in attempting to prove n prime.
Theorem 4.2.10 (Brillhart, Lehmer, and Selfridge). Suppose that n is a positive integer, F_1 | n − 1, and that (4.3) holds for some integer a_1 and F = F_1. Suppose, too, that f, ∆ are as in (4.12), gcd(n, 2b) = 1, (∆/n) = −1, F_2 | n + 1, and that (4.14) holds for F = F_2. Let F be the least common multiple of F_1, F_2. Then each prime factor of n is congruent to either 1 or n (mod F). In particular, if F > √n and n mod F is not a nontrivial factor of n, then n is prime.
Note that if F_1, F_2 are both even, then F = ½F_1F_2, otherwise F = F_1F_2.
Proof. Let p be a prime factor of n. Theorem 4.1.3 implies p ≡ 1 (mod F_1), while Theorem 4.2.3 implies that p ≡ (∆/p) (mod F_2). If (∆/p) = 1, then p ≡ 1 (mod F), and if (∆/p) = −1, then p ≡ n (mod F). The last assertion of the theorem is then immediate.
4.2.3 Divisors in residue classes
What if in Theorem 4.2.10 we have F < n^{1/2}? The theorem would be useful if we had a quick way to search for prime factors of n that are either 1 or n (mod F). The following algorithm in [Lenstra 1984] provides such a quick method when F/n^{1/3} is not too small.
Algorithm 4.2.11 (Divisors in residue classes). We are given positive integers n, r, s with r < s < n and gcd(r, s) = 1. This algorithm creates a list of all divisors of n that are congruent to r (mod s).
1. [Initialize]
r' = r^{−1} mod s; r'' = n r' mod s;
(a_0, a_1) = (s, r' r'' mod s);
(b_0, b_1) = (0, 1);
(c_0, c_1) = (0, (n r' − r a_1)/s mod s);
2. [Euclidean chains]
Develop the Euclidean sequences (a_i), (q_i), where a_i = a_{i−2} − q_i a_{i−1} and 0 ≤ a_i < a_{i−1} for i even, 0 < a_i ≤ a_{i−1} for i odd, terminating at a_t = 0 with t even;
Develop the sequences (b_i), (c_i) for i = 0, 1, . . . , t with the rules b_i = b_{i−2} − q_i b_{i−1}, c_i = c_{i−2} − q_i c_{i−1};
3. [Loop]
for(0 ≤ i ≤ t) {
For each integer c ≡ c_i (mod s) with |c| < s if i is even, 2a_ib_i < c < a_ib_i + n/s² if i is odd, attempt to solve the following system for x, y:
$$xa_i + yb_i = c,\qquad (xs + r)(ys + r'') = n; \qquad (4.16)$$
If a nonnegative integral solution (x, y) is found, report xs + r as a divisor of n that is also ≡ r (mod s);
}
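Algorithm 4.2.11 as runnable code, added here as an example that is not from the book: it follows the three steps literally, solves each instance of (4.16) through the quadratic in T from the proof of Theorem 4.2.12 below, and derives c_1 directly from n = (xs + r)(ys + r'') (which equals the page's (n r' − r a_1)/s when a_1 = r' r'' is used before reduction mod s). Beyond the stated hypotheses it assumes gcd(n, s) = 1; the names divisors_in_residue_class and _solve_4_16 are chosen here.

```python
from math import gcd, isqrt

def _solve_4_16(n, r, r2, s, ai, bi, c):
    """Solve (4.16): x*a_i + y*b_i = c, (xs + r)(ys + r'') = n with x, y >= 0.
    As in the proof of Theorem 4.2.12, u = a_i(xs + r) and v = b_i(ys + r'') are the
    roots of T^2 - (cs + a_i r + b_i r'')T + a_i b_i n.  The rows i = 0 (b_0 = 0)
    and i = t (a_t = 0) are linear instead.  Returns the divisors found."""
    cands = []
    if bi == 0:                                        # x * a_0 = c
        if ai and c % ai == 0:
            cands.append((c // ai) * s + r)
    elif ai == 0:                                      # y * b_t = c, then d = n / (ys + r'')
        if c % bi == 0:
            e = (c // bi) * s + r2
            if e > 0 and n % e == 0:
                cands.append(n // e)
    else:
        S = c * s + ai * r + bi * r2
        D = S * S - 4 * ai * bi * n
        if D >= 0 and isqrt(D) ** 2 == D:
            for T in (S - isqrt(D), S + isqrt(D)):     # T = 2u for a root u
                if T % 2 == 0 and (T // 2) % ai == 0:
                    cands.append(T // 2 // ai)
    return [d for d in cands if d > 0 and d % s == r and n % d == 0]

def divisors_in_residue_class(n, r, s):
    """Algorithm 4.2.11 (Lenstra): every divisor d of n with d = r (mod s).
    Assumes 0 < r < s < n and gcd(r, s) = 1 as on the page, plus gcd(n, s) = 1
    (an assumption of this example: it keeps a_1 != 0, so the Euclidean chain
    ends at an even index t as the correctness proof requires)."""
    assert 0 < r < s < n and gcd(r, s) == 1 and gcd(n, s) == 1
    r1 = pow(r, -1, s)                         # r'  = r^{-1} mod s
    r2 = n * r1 % s                            # r'' = n r' mod s, the residue of n/d
    # Step 1 [Initialize].  Expanding n = (xs + r)(ys + r'') gives
    # x r'' + y r = (n - r r'')/s (mod s); multiplying by r' gives x a_1 + y = c_1.
    a = [s, r1 * r2 % s]
    b = [0, 1]
    c = [0, r1 * ((n - r * r2) // s) % s]
    # Step 2 [Euclidean chains]: remainder in [0, a_{i-1}) for even i, (0, a_{i-1}] for odd i
    i = 2
    while a[-1] != 0:
        q = a[i - 2] // a[i - 1] if i % 2 == 0 else (a[i - 2] - 1) // a[i - 1]
        a.append(a[i - 2] - q * a[i - 1])
        b.append(b[i - 2] - q * b[i - 1])
        c.append((c[i - 2] - q * c[i - 1]) % s)
        i += 1
    t = len(a) - 1
    # Step 3 [Loop]: every c = c_i (mod s) inside the window for row i
    found = set()
    for i in range(t + 1):
        ai, bi = a[i], b[i]
        if i % 2 == 0:
            lo, hi = 1 - s, s - 1                                  # |c| < s
        else:
            lo, hi = 2 * ai * bi + 1, ai * bi + (n - 1) // (s * s)  # 2a_ib_i < c < a_ib_i + n/s^2
        first = lo + (c[i] - lo) % s
        for cc in range(first, hi + 1, s):
            found.update(_solve_4_16(n, r, r2, s, ai, bi, cc))
    return sorted(found)
```

With n = 1001 = 7 · 11 · 13, r = 3, s = 10, the chain is (a_i) = (10, 9, 1, 1, 0), (b_i) = (0, 1, −1, 9, −10), (c_i) = (0, 6, 4, 4, 0); the divisor 13 is found from row i = 2 with c = −6 and the divisor 143 from the last row.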
The theoretical justification for this algorithm is as follows:
Theorem 4.2.12 (Lenstra). Algorithm 4.2.11 creates the list of all divisors of n that are congruent to r (mod s). Moreover, if s ≥ n^{1/3}, then the running time is O(ln n) arithmetic operations on integers of size O(n) and O(ln n) evaluations of the integer part of square root for arguments of size O(n⁷).
Proof. We first note some simple properties of the sequences (a_i), (b_i). We have
$$a_i > 0 \text{ for } 0 \le i < t,\qquad a_t = 0. \qquad (4.17)$$
In addition, we have
$$b_{i+1}a_i - a_{i+1}b_i = (-1)^i s \text{ for } 0 \le i < t. \qquad (4.18)$$
Indeed, the relation (4.18) holds for i = 0. If 0 < i < t and the relation holds for i − 1, then
$$b_{i+1}a_i - a_{i+1}b_i = (b_{i-1} - q_{i+1}b_i)a_i - (a_{i-1} - q_{i+1}a_i)b_i = b_{i-1}a_i - a_{i-1}b_i = (-1)^i s.$$
Thus (4.18) follows from induction.
Finally, note that we have
$$b_0 = 0,\qquad b_i < 0 \text{ for } i \text{ even and } i \ne 0,\qquad b_i > 0 \text{ for } i \text{ odd}. \qquad (4.19)$$
Indeed, (4.19) holds for i = 0, 1, and from b_i = b_{i−2} − q_ib_{i−1} and q_i > 0, we see that it holds for the general i if it holds for i − 1, i − 2. Thus (4.19) holds via induction.
Suppose now that xs + r is a divisor of n with x ≥ 0. We must show that the algorithm discovers it. There is an integer y ≥ 0 with n = (xs + r)(ys + r''). We have
$$xa_i + yb_i \equiv c_i \pmod s \text{ for } 0 \le i \le t. \qquad (4.20)$$
Indeed, (4.20) holds trivially for i = 0, it holds for i = 1 because of n = (xs + r)(ys + r'') and the definition of c_1, and it holds for larger values of i from the inductive definitions of the sequences (a_i), (b_i), (c_i).
It thus suffices to show that there is some even value of i with |xa_i + yb_i| < s or there is some odd value of i with 2a_ib_i < xa_i + yb_i < a_ib_i + n/s². For

if so, xa_i + yb_i will be one of the numbers c computed in Step [Loop] of Algorithm 4.2.11, because of (4.20). Thus, Step [Loop] will successfully retrieve the numbers x, y.
We have xa_0 + yb_0 = xa_0 ≥ 0 and xa_t + yb_t = yb_t ≤ 0, so there is some even index i with
$$xa_i + yb_i \ge 0,\qquad xa_{i+2} + yb_{i+2} \le 0.$$
If one of these quantities is less than s in absolute value, we are done, so assume that the first quantity is ≥ s and the second is ≤ −s. Then from (4.17), (4.18), (4.19),
$$xa_i \ge xa_i + yb_i \ge s = b_{i+1}a_i - a_{i+1}b_i \ge b_{i+1}a_i,$$
from which we conclude that x ≥ b_{i+1}. We also have
$$yb_{i+2} \le xa_{i+2} + yb_{i+2} \le -s = b_{i+2}a_{i+1} - a_{i+2}b_{i+1} < b_{i+2}a_{i+1},$$
so that y > a_{i+1}. Therefore,
$$xa_{i+1} + yb_{i+1} > 2a_{i+1}b_{i+1},$$
and from (x − b_{i+1})(y − a_{i+1}) > 0, we have
$$xa_{i+1} + yb_{i+1} \le xy + a_{i+1}b_{i+1} < a_{i+1}b_{i+1} + \frac{n}{s^2}.$$
This completes the proof of correctness.
The running-time assertion follows from Theorem 2.1.3 and Algorithm 2.1.4. These results imply that the calculation of r' is within our time bound and that t = O(ln n). Moreover, if s ≥ n^{1/3}, then for each i there are at most 2 values of c for which the system (4.16) must be solved. Solving such a system involves O(1) arithmetic operations and a square root extraction, as we shall see. Thus, there are a total of O(ln n) arithmetic operations and square root extractions.
It remains to estimate the size of the integers for which we need to compute the integer part of the square root. Note that x, y are solutions to the system (4.16) if and only if u = a_i(xs + r), v = b_i(ys + r'') are roots of the quadratic polynomial
$$T^2 - (cs + a_ir + b_ir'')T + a_ib_in.$$
For this polynomial to have integral roots it is necessary and sufficient that
$$\Delta = (cs + a_ir + b_ir'')^2 - 4a_ib_in$$
be a square. We now show that ∆ = O(s⁷) = O(n⁷). Let B = max{|b_i|}. We shall show that B < s^{5/2}. Then, since c, a_i, r, r'' are all bounded in absolute value by 2s, it follows that ∆ = O(s⁷). (To see that |c| < 2s, note that |c| < s if i is even; and if i is odd, for the interval (2a_ib_i, a_ib_i + n/s²) to have any integers in it, then 0 < a_ib_i < n/s² ≤ s.)