Primality Testing: A survey of techniques

Harish G., Rohan Ramanath

Department of Computer Science & Engineering, R.V. College of Engineering, Bangalore, India.

Abstract — This expository paper briefly surveys the history of testing whether a number is prime. The recently discovered deterministic polynomial time primality test due to Agrawal, Kayal and Saxena is presented and some improvements are briefly discussed.

Keywords — primality tests, polynomial time, P, NP

I. INTRODUCTION

Prime numbers are studied in number theory, but they occur in many other subfields of mathematics. In the last few decades, prime numbers entered the real world in many applications, e.g. as generators of keys in modern cryptographic algorithms. An integer n > 1 is called prime if it has no positive divisors other than 1 and itself (within the set of integers); otherwise n is said to be composite. Every integer has a unique factorization into powers of distinct prime numbers.

Euclid was the first to prove that there are infinitely many primes. His proof is that if $p_1, p_2, \ldots, p_m$ are prime, then the number $q = p_1 \times \cdots \times p_m + 1$ is not divisible by any of the $p_j$. Thus q has a prime divisor different from $p_1, \ldots, p_m$ (which can be q itself). This construction of a new prime number out of an arbitrary finite collection of given primes implies the infinitude of prime numbers. Other proofs of this basic fact are in Ribenboim [7].

The celebrated prime number theorem gives information on how the primes are distributed. At first sight the prime numbers seem to appear in the sequence of positive integers without any visible rule. However, as conjectured by Gauss and first proved by Hadamard and de la Vallée-Poussin (independently) on the basis of outstanding contributions due to Riemann, they satisfy a distribution law. Roughly speaking, the number π(x) of primes less than or equal to x is:

$$\pi(x) = \int_2^x \frac{du}{\log u} + \text{error term} \qquad (1)$$

The appearing logarithmic integral is asymptotically equal to x/log x, where log x is the natural logarithm. The error term in the prime number theorem is small in comparison with x/log x and is closely related to the zero distribution of the Riemann zeta-function

$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s} = \prod_{p} \left(1 - \frac{1}{p^s}\right)^{-1} \qquad (2)$$

where s has to be regarded as a complex variable and the product is taken over all primes. The series, and so the product, converges absolutely for Re(s) > 1. The identity between the series and the product is the analytic version of the unique factorization of integers, and provides another proof for the existence of infinitely many prime numbers which is due to Euler: assuming that there are only finitely many primes, the product converges throughout the complex plane, contradicting the fact that the series reduces for s = 1 to the divergent harmonic series.

The Riemann hypothesis claims that the complex zeros of ζ(s) all lie on the so-called critical line Re s = 1/2 in the complex plane. This famous conjecture was stated by Riemann in 1859 and is still unproved. If the Riemann hypothesis is true, the error term in the prime number theorem is as small as possible, namely ~ $x^{1/2} \log x$, and so the prime numbers are distributed as uniformly as possible [7].

II. BACKGROUND

It is easy to check that 97 is prime and 99 is not, but it seems much harder to answer the same question for the numbers 10 000 000 000 097 and 10 000 000 000 099, at least in the same time. Indeed, a fundamental problem in number theory is the decision problem Primes: given a positive integer n, decide whether n is prime or not! This problem became very important through developments in cryptography in the late 1970s. It is easy to multiply two large prime numbers but it is much harder to factor a given large integer; at least there are no factoring algorithms of satisfactory speed known so far. This simple observation led to so-called public key cryptosystems where the key, a large integer N of about two hundred digits, is public knowledge (like a telephone number) but its prime factorization is the secret of its owner.
This idea is attackable if N splits into small primes, but if N is the product of two (carefully chosen) primes with about a hundred digits each, the factorization of N is a nearly unsolvable task with present day computers [4]. For generating such keys one needs to find large prime numbers or, in other words, one needs to have a fast primality test, where fast means that the running time depending on the size of the number to be tested is small. Notice that a factoring algorithm and a primality test are different things: a number n can fail a primality test and the test does not tell us any of its divisors, whereas a factoring algorithm gives the complete factorization of n.

One of the first ideas for testing whether a given number n is prime might be trial division, i.e., to try all positive integers ≤ √n and see whether they divide n or not. Obviously, if there is no divisor of n among them, then n is prime. This strategy is not very useful if n is large. For example, it would take about $10^{50}$ arithmetic operations to test an integer with 100 digits. If $10^{10}$ operations can be performed by a computer within one second, then this test would take about $10^{40}$ seconds, which is still much more than 12 billion years, the estimated age of the Universe. However, hypothetical quantum computers, that is, computers which compute with quantum states, would, once realized, solve this factorization problem within a fraction of a second.

The simple idea of trial division leads to the sieve of Eratosthenes (due to the ancient Greek Eratosthenes, who was the first to measure approximately the circumference of the Earth, 250 B.C.). If one deletes out of a list of integers 1 < n ≤ x all multiples n of the primes p ≤ √x, then only the prime numbers in between √x and x remain. This gives a list of all primes under a given magnitude. Moreover, we obtain the factorizations of all integers in the list. For a primality test, this is a lot of superfluous information and we might ask for faster algorithms for detecting primes.

For some special numbers, primality tests of satisfactory speed have been known for quite a long time. For instance, the Mersenne numbers, invented by the monk Mersenne in 1644, are defined by $M_p = 2^p - 1$, where p ≥ 3 is prime. It is easily seen that composite exponents cannot produce primes of this form. In 1750, Euler corrected Mersenne’s erroneous list of Mersenne prime numbers by use of the following criterion: if p is a prime number of the form p = 4k + 3, then q = 2p + 1 is a divisor of $M_p$ if and only if q is prime; primes of the form 2p+1 for prime p are called Sophie Germain-primes. For example, $M_{11} = 2047 = 23 \times 89$ is not prime as it was stated by Mersenne.

In 1878, Lucas found a simple and fast primality test for Mersenne numbers (but only in 1935 Lehmer gave the first proof of the underlying mathematical theorem). His algorithm makes use of the congruence calculus and the test (called Lucas-Lehmer test) can be described as follows:

Input: a prime p ≥ 3.
Output: $M_p$ is prime or composite.
1. Put s = 4.
2. For j from 3 to p do $s := s^2 - 2 \bmod M_p$.
3. If s = 0, return prime; otherwise return composite.

Crandall et al. give a proof [4]. The first iterations (without reducing modulo $M_p$) are s = 4 → 14 = 2 × 7 → 194 → 37 634 = 2 × 31 × 607, which yields the first two Mersenne primes $M_3 = 7$ and $M_5 = 31$. The world record among prime numbers, i.e., the largest known prime number, is a Mersenne prime, namely $M_{20996011} = 2^{20996011} - 1$. This number has more than six million digits and was found in November 2003.

It is an open question whether there are infinitely many Mersenne primes. With a bit of heuristics we can be optimistic. We may interpret the prime number theorem, shown in Equation (1), as follows: a positive integer n is prime with probability 1/log n. Then, the expectation value for the number of Mersenne primes $M_p$ with p ≤ x is

$$\sum_{p \le x} \frac{1}{\log(2^p - 1)} \sim \frac{1}{\log 2} \sum_{p \le x} \frac{1}{p} \sim \frac{\log\log x}{\log 2},$$

which tends with x to infinity; the last asymptotic identity relies on taking the logarithm in Equation (2). Note that this fits pretty well to the number of detected Mersenne primes.

III. DESIRED CHARACTERISTICS OF PRIMALITY TESTS

A. Generality

There are many fast primality tests but they work for numbers with only certain properties. For example, the Lucas-Lehmer test for Mersenne numbers can only be applied to Mersenne numbers. Pépin's test works only for Fermat numbers. We would like an algorithm that can be used to test any general number for primality.

B. Polynomial time in input size

The maximum running time of the algorithm can be expressed as a polynomial over the number of digits in the target number. Certain algorithms can deterministically determine whether a given number is prime or not, but their running time is not polynomial for all inputs. Algorithms like ECPP (Elliptic Curve Primality Proving) and APR (Adleman-Pomerance-Rumely) deterministically prove primality, but they do not have polynomial running time for all inputs. We would like an algorithm that runs in polynomial time for all possible inputs.

C. Deterministic

The algorithm guarantees to deterministically distinguish whether the target number is prime or composite. There are certain randomized algorithms, like Solovay-Strassen and Miller-Rabin, that can test any given number for primality in polynomial time, but they may also produce some false positives. We would like an algorithm that can “prove” or “disprove” primality with certainty.

D. Unconditional

The Miller test for primality is fully deterministic and runs in polynomial time over all inputs, but its correctness depends on the truth of the yet-unproven generalized Riemann hypothesis. We would like an algorithm that is not based on any unproven hypothesis.

IV. KINDS OF ALGORITHMS AND COMPLEXITY CLASSES

A. Monte Carlo

For any x which does not belong to the language L, the algorithms that belong to this class will conclusively say that x ∉ L. For any x which belongs to the language L (class of prime numbers with certain properties), these algorithms say that x ∊ L with probability at least 0.5. This type of behavior is termed “x is accepted with one-sided error”. The class of languages with polynomial time Monte Carlo recognition algorithms is termed RP.

B. Atlantic City

For any x, algorithms that belong to this class will say either x ∊ L or x ∉ L with a probability of 0.75. This is termed “x is accepted with two-sided error”. The class of languages with polynomial time Atlantic City recognition algorithms is termed BPP.

C. Las Vegas

It can be defined as a combination of two algorithms: a Monte Carlo algorithm for L and a Monte Carlo algorithm for the complement of L. These classes of algorithms conclusively say whether x ∊ L or x ∉ L, but the running time is probabilistic. The class of languages with polynomial time Las Vegas algorithms is termed ZPP. Both the Solovay-Strassen and Miller-Rabin tests belong to the Monte Carlo class of algorithms.

V. DETERMINISTIC PRIMALITY TEST

These tests are mostly based on factorization techniques. The two best current methods are the Cyclotomic Ring Test and the Elliptic Curve Test [1]. The Lucas Test discussed before is a deterministic primality test designed to find only the Mersenne primes sequence [2]. Deterministic tests are so complicated to implement that the probability of making an error in the implementation far exceeds the probability that a probabilistic test will return composite [1].

A. Pocklington Primality Test

Let $n - 1 = FR$ where $F$ is the factored part of a number, $F = p_1^{a_1} \cdots p_r^{a_r}$, where $\mathrm{GCD}(R, F) = 1$ and $R < \sqrt{n}$. Pocklington's theorem, also known as the Pocklington-Lehmer test, then says that if there exists a $b_i$ for i = 1, …, r such that

$$b_i^{\,n-1} \equiv 1 \pmod{n} \quad \text{and} \quad \mathrm{GCD}\left(b_i^{(n-1)/p_i} - 1,\; n\right) = 1,$$

then n is prime.

B. Elliptic Curve Primality Proving (ECPP)

Elliptic Curve Primality Proving (ECPP) is a method based on elliptic curves to prove the primality of a number. It is a general-purpose algorithm, meaning it does not depend on the number being of a special form. ECPP is currently, in practice, the fastest known algorithm for testing the primality of general numbers, but the worst-case execution time is not known. ECPP heuristically runs in time $O((\log n)^{5+\varepsilon})$ for some ε > 0. This exponent may be decreased to 4 + ε for some versions by heuristic arguments. ECPP works the same way as most other primality tests do, i.e., finding a group and showing its size is such that p is prime. For ECPP, the group is an elliptic curve over a finite set of quadratic forms such that p − 1 is trivial to factor over the group.

C. AKS Test

In August 2002, Agrawal, Kayal and Saxena [3] gave a first deterministic primality test in polynomial time without assuming any unproven hypothesis. The main idea of the AKS-algorithm is the following extension of Fermat’s little theorem to polynomials: a positive integer n > 1 is prime if and only if

$$(x + 1)^n = x^n + 1 \qquad (3)$$

in the ring of polynomials with coefficients from Z/nZ. For example, the Carmichael number n = 561 leads to the polynomial $(x + 1)^{561} = (x^{561} + \ldots + 51x^{11} + \ldots + 1) \bmod 561$. The proof makes use only of Fermat’s little theorem $a^{p-1} \equiv 1 \pmod{p}$ and divisibility properties of binomial coefficients. However, this characterization would not give a polynomial time primality test since for testing n, one has to compute about n coefficients for the polynomial on the left hand side of (3). Agrawal et al. replaced the polynomial identity (3) by a set of weaker congruences

$$(x - a)^n \equiv x^n - a \mod (n,\; x^r - 1) \qquad (4)$$

where the a’s have to be small residue classes modulo n and the r is a small positive integer. However, to assure that switching from the polynomial identity Equation (3) to the set of congruences Equation (4) still yields a characterization of prime numbers, one has to consider quite many a’s and r’s. On the other hand, these congruences can be checked much faster than Equation (3) since it suffices to compute with polynomials of degree ≤ 2r. The right balance leads to a deterministic primality test with polynomial running time.

Theorem 1 (Agrawal, Kayal, Saxena). Let s, n be positive integers. Suppose that q and r are primes such that q divides r − 1, $n^{(r-1)/q} \not\equiv 0, 1 \bmod r$, and

$$\binom{q + s - 1}{s} \ge n^{2[\sqrt{r}]}.$$

If for all 1 ≤ a < s, a coprime with n, the congruence (3) holds to be true, then n is a prime power.

VI. PROBABILISTIC PRIMALITY TEST

These tests can determine whether a number is prime or not with a given degree of confidence. Assuming this degree of confidence is large enough, these tests are good enough [5]. As probabilistic tests are fast, it is suggested that they be used with error ratios smaller than $2^{-100}$ (~$7.8 \times 10^{-31}$) [9]. Fermat, Solovay-Strassen, Lehmann, Miller-Rabin (M&R) and Frobenius tests can be given as examples of probabilistic primality tests. More theory about these tests can be found in [5], [10-15]. Numbers passing these tests are called probable primes or pseudoprimes. A number between 1 and n that can be used to demonstrate the compositeness (non-primeness) of n is called a witness. The density of witnesses (1-d) is very small. The probability of a number n being prime after i iterations is given by:

Prb(prime) = 1 − Prb(composite) = 1 − $(1-d)^i$

A larger d means faster convergence to the desired confidence threshold. M&R is the most popular in practice since its density is large (d=0.75) [16]. To have an error ratio of about $2^{-100}$, 50 different base (a) values must be taken with the M&R test. About 99.9% of the possible base (a) values are witnesses [5].

Fermat’s Theorem & Pseudoprime: This theorem is the basis for probable primality tests. n is called a Fermat pseudoprime to the base a if n satisfies Equation 3 for base a (a being any integer 1 ≤ a ≤ n-1). In other words, a pseudoprime is a number that “pretends” to be prime by passing Fermat’s theorem for given base values.

A. Solovay Strassen Test

The test was proposed by Solovay and Strassen [6] and was the first efficient algorithm for primality testing. Its starting point is a restatement of Fermat’s Little Theorem:

Theorem (Fermat’s Little Theorem, Restatement 1). For any odd prime number n, and for any number a, 0 < a < n, $a^{(n-1)/2} = \pm 1 \pmod{n}$.

It is an easy observation that for prime n, a is a quadratic residue (in other words, $a = b^2 \pmod{n}$ for some b) if and only if $a^{(n-1)/2} = 1 \pmod{n}$. The Legendre symbol $\left(\frac{a}{n}\right)$ equals 1 if a is a quadratic residue modulo n, else equals −1, for prime n. Therefore, for prime n,

$$\left(\frac{a}{n}\right) = a^{(n-1)/2} \pmod{n}.$$

The Legendre symbol can be generalized to composite numbers by defining:

$$\left(\frac{a}{n}\right) = \prod_{i=1}^{k} \left(\frac{a}{p_i}\right)^{e_i}$$

where $n = \prod_{i=1}^{k} p_i^{e_i}$, $p_i$ is prime for each i. This generalization is called the Jacobi symbol. The Jacobi symbol satisfies the quadratic reciprocity law:

$$\left(\frac{a}{n}\right) \cdot \left(\frac{n}{a}\right) = (-1)^{\frac{(a-1)(n-1)}{4}}$$

This, along with the property that $\left(\frac{a}{n}\right) = \left(\frac{a+n}{n}\right)$, gives an algorithm to compute $\left(\frac{a}{n}\right)$ that takes only O(log n) arithmetic operations. For composite n, it is no longer necessary that $\left(\frac{a}{n}\right) = 1$ if and only if a is a quadratic residue modulo n, or that $\left(\frac{a}{n}\right) = a^{(n-1)/2} \pmod{n}$. This suggests that checking if $\left(\frac{a}{n}\right) = a^{(n-1)/2} \pmod{n}$ may be a test for primality of n. Solovay and Strassen showed that this works with high probability when a is chosen randomly.

B. Miller Rabin Test

This test was proposed by Michael Rabin [9] by slightly modifying a test by Miller [8]. The starting point is another restatement of Fermat’s Little Theorem:

Theorem (Fermat’s Little Theorem, Restatement 2). For any odd prime $n = 1 + 2^s \cdot t$ with t odd, and for any number a, 0 < a < n, the sequence $a^t \pmod{n}$, $a^{2t} \pmod{n}$, $a^{2^2 t} \pmod{n}$, …, $a^{2^s t} \pmod{n}$ either has all 1’s or the pair −1, 1 occurs somewhere in the sequence.

If n is composite, then the sequence may not satisfy the above property. Miller proved that, assuming the Extended Riemann Hypothesis, for at least one a between 1 and $\log^2 n$, the above sequence fails to satisfy the property when n is composite but not a prime power. Miller proved that the same holds with high probability for a random a without any hypothesis. The test requires O(log n) arithmetic operations and hence is polynomial time.

C. Carmichael Numbers

Carmichael numbers are numbers which mislead probabilistic primality tests. Andrew Granville and Pomerance proved that for any given finite set of bases there are infinitely many Carmichael numbers that are ‘strong pseudoprimes’ to all the bases in that set [17]. Pinch shows that there are 246.683 prime numbers up to $10^{16}$, all with at most 10 prime factors [18].

D. Frobenius Numbers

In number theory, a Frobenius pseudoprime is a composite number which passes a three-step probable prime test set out by Jon Grantham in section 3 of his paper "Frobenius pseudoprimes". Although a single round of Frobenius is slower than a single round of most standard tests, it has the advantage of a much smaller worst-case per-round error bound of 1/7710, which would require 7 rounds to achieve with the Miller-Rabin primality test according to best known bounds.

VII. CONCLUSION

In view of the primality test of Agrawal and his students it follows that the decision problem Primes ∊ P. On the other side, the integer factoring problem, which reads as given an integer N, find the prime factorization of N, is not expected to lie in class P but in class NP. The class NP is, roughly speaking, the class of decision problems having solutions that, once given, can be verified in polynomial time. By definition the classes P and NP seem to be quite different: solving a problem seems to be harder than verifying a given solution. In the language of prime numbers, it is rather difficult to factor a given large integer, e.g., N = 10 000 000 000 097, into its prime divisors, but it is easy to check whether or not 811 × 12330456227 is the prime factorization of N. Once the factorization of an integer is produced by some factoring algorithm, we can use the AKS-algorithm to test its factors for primality in polynomial time. This shows that Factoring ∊ NP. It is widely expected that Factoring does not lie in P; public-key cryptography relies in the main part on this belief (however, this is not true for hypothetical quantum computers). Surprisingly, it seems to be rather difficult to find an example which is a member of NP but not of P. Moreover, it is an open problem to prove (or disprove) P ≠ NP.

We conclude our report on primes, primality testing and open problems with a nice quotation due to Paul Leyland, who expressed his surprise about the unexpected discovery of a simple deterministic polynomial time primality test by saying: “Everyone is now wondering what else has been similarly overlooked.”
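The Fermat, Solovay-Strassen and Miller-Rabin checks of Section VI, written out as an added Python example (it is not code from the paper; all function names are chosen here for illustration). `liar_counts` tallies how many bases coprime to a composite n each check accepts, and `is_probable_prime` runs Miller-Rabin with the 50 random bases the text mentions.

```python
import math
import random

def fermat_passes(n, a):
    """Fermat check: n 'looks prime' to base a if a^(n-1) ≡ 1 (mod n)."""
    return pow(a, n - 1, n) == 1

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed with quadratic reciprocity."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n                                  # uses (a/n) = ((a + n)/n)
    sign = 1
    while a:
        while a % 2 == 0:                   # (2/n) = -1 iff n ≡ 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                sign = -sign
        a, n = n, a                         # reciprocity: flip iff both ≡ 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            sign = -sign
        a %= n
    return sign if n == 1 else 0            # 0 when gcd(a, n) > 1

def solovay_strassen_passes(n, a):
    """Solovay-Strassen check: (a/n) ≡ a^((n-1)/2) (mod n) with (a/n) != 0."""
    j = jacobi(a, n)
    return j != 0 and pow(a, (n - 1) // 2, n) == j % n

def miller_rabin_passes(n, a):
    """Miller-Rabin check on a^t, a^(2t), ..., a^(2^s t) mod n, where n - 1 = 2^s * t."""
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    x = pow(a, t, n)
    if x in (1, n - 1):                     # all ones, or -1 in the first position
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:                      # the pair -1, 1 occurs in the sequence
            return True
    return False

def liar_counts(n):
    """For an odd composite n, count the bases coprime to n that each check accepts."""
    units = [a for a in range(1, n) if math.gcd(a, n) == 1]
    return {
        "coprime_bases": len(units),
        "fermat": sum(fermat_passes(n, a) for a in units),
        "solovay_strassen": sum(solovay_strassen_passes(n, a) for a in units),
        "miller_rabin": sum(miller_rabin_passes(n, a) for a in units),
    }

def is_probable_prime(n, rounds=50, rng=None):
    """Miller-Rabin with `rounds` random bases; False means n is certainly composite."""
    if n < 2:
        return False
    if n < 4:
        return True
    if n % 2 == 0:
        return False
    rng = rng or random.SystemRandom()      # unpredictable bases, as key generation needs
    return all(miller_rabin_passes(n, rng.randrange(2, n - 1)) for _ in range(rounds))

if __name__ == "__main__":
    print(liar_counts(561))                           # Carmichael number 3 * 11 * 17
    print(is_probable_prime(10_000_000_000_097))      # the N factored in the conclusion
```

For the Carmichael number 561, all 320 coprime bases pass the Fermat check, 80 pass Solovay-Strassen and 10 pass Miller-Rabin.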
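The polynomial identity (3) and the congruences (4) from the AKS discussion, as an added Python example that is not part of the original paper. Function names are illustrative, and the code implements only the congruence check in (Z/nZ)[x]/(x^r − 1), not the full AKS algorithm with its choice of r and s.

```python
import math

def polymul(f, g, n, r):
    """Multiply f * g in (Z/nZ)[x]/(x^r - 1); polynomials are length-r coefficient lists."""
    out = [0] * r
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                if gj:
                    k = (i + j) % r          # x^r ≡ 1, so exponents wrap modulo r
                    out[k] = (out[k] + fi * gj) % n
    return out

def polypow(f, e, n, r):
    """f^e in the same quotient ring, by square-and-multiply (about log e products)."""
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = polymul(result, f, n, r)
        f = polymul(f, f, n, r)
        e >>= 1
    return result

def congruence_holds(n, a, r):
    """Check congruence (4): (x - a)^n ≡ x^n - a mod (n, x^r - 1), for r >= 2."""
    lhs = polypow([(-a) % n, 1] + [0] * (r - 2), n, n, r)
    rhs = [0] * r
    rhs[n % r] = 1                           # x^n reduces to x^(n mod r)
    rhs[0] = (rhs[0] - a) % n
    return lhs == rhs

def first_failing_base(n, r, s):
    """Smallest a with 1 <= a < s for which (4) fails, or None if all hold."""
    for a in range(1, s):
        if not congruence_holds(n, a, r):
            return a
    return None

def identity3_defects(n):
    """Identity (3) checked coefficient by coefficient: {k: C(n, k) mod n} for the
    non-zero middle coefficients. Empty exactly when n is prime, but costs about n steps."""
    return {k: c for k in range(1, n) if (c := math.comb(n, k) % n)}

if __name__ == "__main__":
    print(identity3_defects(561)[11])        # coefficient of x^11 in (x + 1)^561 mod 561
    print(first_failing_base(561, 2, 30))    # r = 2 is too weak for a Carmichael number
    print(first_failing_base(561, 7, 30))
```

With r = 2 the Carmichael number 561 satisfies (4) for every a, while r = 7 already exposes it at a = 1, which is why r and the range of a have to be chosen with care.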

REFERENCES

[1] Silverman, R.D., Fast Generation of Random, Strong RSA Primes, RSA Laboratories’ Crypto Bytes Magazine - Volume 3, Number 1, 1997.
[2] Emerson P., Prime Number Generation and Primality Testing, MSc Thesis, Computer Science at Middlebury College, 1997.
[3] Agrawal M., Kayal N., Saxena N. Primes is in P, available at http://www.cse.iitk.ac.in/news/primality.html
[4] Crandall R., Pomerance C. Prime numbers – a computational perspective, Springer 2001.
[5] Schneier B., Applied Cryptography (Second Edition), John Wiley & Sons Inc., pages: 258-261, 1996.
[6] R. Solovay and V. Strassen. A fast Monte-Carlo test for primality. SIAM Journal on Computing, 6:84–86, 1977.
[7] Ribenboim P. The new book of prime number records, Springer, 3rd ed., 1996.
[8] Menezes, A. and Oorschot P., Handbook of Applied Cryptography, CRC Press, 1997.
[9] M. O. Rabin. Probabilistic algorithm for testing primality. J. Number Theory, 12:128–138, 1980.
[10] G. L. Miller. Riemann’s hypothesis and tests for primality. J. Comput. Sys. Sci., 13:300–317, 1976.
[11] Caldwell C.K., Finding Primes & Proving Primality, http://www.utm.edu/research/primes/prove1.html, 1997.
[12] Zachary S, McGregor Dorsey, Methods of Primality Testing, http://www-math.mit.edu/phase2/UJM/vol1/DORSEY-F.PDF, 1999.
[13] Grantham, J., Frobenius Pseudoprimes, Institute for Defense Analyses, Center for Computing Sciences, 1998.
[14] Grantham, J., A Probable Prime Test with High Confidence, Journal of Number Theory 72, 32-47, 1998.
[15] Maurer, U.M., Fast Generation of Prime Numbers & Secure Public-Key Cryptographic Parameters, to appear in Journal of Cryptography, 1994.
[16] Segre, A., Computer and Network Security, Iowa University “Data Security” Lecture Notes (last modified 97), 2000.
[17] Granville A., Primality Testing & Carmichael Numbers, Notices Amer. Math. Soc. 39 (pages: 696-700), 1992.
[18] Pinch, R.G.E., The Carmichael Numbers Up to $10^{16}$, www.chalcedon.demon.co.uk/rcam.html, 1998.
