Primality Testing

x^pn − x is the product of all irreducible polynomials over Z^p whose degrees are a factor of n.

5.6 Primality Testing

In our cryptography section we will often need to know if a number is prime or composite.

How can we check a given number is prime? How can we generate a large prime number?

5.6.1 Trial division

It is obvious if a number is divisible by

2 — it is even, that is, it ends in 0, 2, 4, 6, 8 5 — it ends in 0 or 5

3 — its decimal digits sum to a number which is divisible by 3 Then trial divide n by each prime number up to √

n and if none divide it, then n is prime, see question 1.

This is a legitimate strategy for small n, but hopelessly slow for large n, as the running time is O(√

n).

5.6.2 Pseudo-prime test

Euler’s theorem says that when n is prime, if gcd(a, n) = 1, then aⁿ⁻¹ ≡ 1 (mod n).

Hence, using the contrapositive:

If there exists a with gcd(a, n) = 1 and aⁿ⁻¹ 6≡ 1 (mod n) then n is composite.

This can be used as a test for primality:

Given a∈ Z⁺:

if gcd(a, n)6= 1 then n is composite (and you have a factor)

if gcd(a, n) = 1 and aⁿ⁻¹ 6≡ 1 (mod n) then n is composite and fails the test otherwise gcd(a, n) = 1 and aⁿ⁻¹ ≡ 1 (mod n) and n passes the test and is called a pseudo-prime to base a.

Unfortunately, as the name indicates, not all pseudo-primes are in fact primes. For example, n = 91 has gcd(3, 91) = 1 and 3⁹⁰ ≡ 1 (mod 91), so 91 is pseudo-prime base 3.

However, 91 = 7× 13, so 91 is in fact composite.

If we had tested 91 base 2 we would have deduced that it is composite since 2⁹⁰≡ 64 6≡ 1 (mod 91).

How do we find such high powers using a hand-held calculator?

In the above example, write the exponent 90 as a sum of powers of 2 viz. 90 = 64 + 16 + 8 + 2.

Find 3 to the power of a power of 2 by squaring and reducing mod 91 in Z91 3² = 9 3⁸ ≡ 81²≡ 6561 ≡ 9 3³²≡ 9

3⁴ = 81 3¹⁶≡ 81 3⁶⁴≡ 81

Finally combine as 3⁹⁰= 3⁶⁴3¹⁶3⁸3² ≡ 81 × 81 × 9 × 9 ≡ 1.

None of this arithmetic overflows a calculator’s 8-10 digit accuracy. Remember that all calculations are integers, so if you get a float or Engineering notation number you will have rounding errors.

We noticed that the composite number 91 is a pseudo-prime base 3 but not base 2.

Now we have seen this we might think that all we have to do is to test for pseudo-primality to lots of different bases.

Unfortunately, there are numbers which are pseudo-prime to very many different bases, but are in fact composite.

A Carmichael number is a number which is pseudo-prime to all bases which are prime to the number. That is, if gcd(a, n) = 1, then aⁿ⁻¹ ≡ 1(mod n). (If you picked a base with gcd(a, n) 6= 1 of course you know n is composite).

The smallest Carmichael number is n = 561 = 3× 11 × 17 and no-one would ever think it prime as it has such small factors. However, large Carmichael numbers are far more difficult to recognise. Alford, Granville & Pomerance proved in 1994 that there are infinitely many Carmichael numbers.

5.6. PRIMALITY TESTING 109

5.6.3 Lucas test

This depends on:

Theorem 5.9 : Lucas’ Theorem

Given n ∈ Z⁺, suppose that there exists a∈ Z⁺ such that gcd(a, n) = 1 and aⁿ⁻¹ ≡ 1 (mod n) and a^n−1p 6≡ 1 (mod n) for all primes p | n − 1.

Then n is prime.

This can be restated as:

If there exists an a with gcd(a, n) = 1 and ordn(a) = n− 1, then n is prime.

This test always works, but it assumes you know the prime factors of n− 1, and (as we see later) this is harder than knowing a number is prime (in general).

The Lucas test is only useful for an n where n− 1 easily factors.

5.6.4 Miller-Rabin test

Lemma 5.10 Let p be prime. Then if a² = 1 (mod p), a ≡ ±1 (mod p)

Proof: We have a²− 1 = (a + 1)(a − 1) ≡ 0 (mod p), so p divides one of a − 1 or a + 1.  Now let n = 2^st + 1 where t is odd and suppose gcd(a, n) = 1. If n is prime, then a^2st≡ 1 (mod n), so by our lemma either a^t≡ 1 (mod n) or there is an r with 0 ≤ r < s for which a^2rt ≡ −1 (mod n).

Conversely, if there is an integer a with 1≤ a ≤ n − 1 and either

• a^t≡ 1 (mod n), or

• there exists r with 0 ≤ r < s and a^2rt ≡ −1 (mod n)

then n is called a strong pseudo-prime base a, otherwise a is a witness to n being composite.

Fact: If n is odd and composite, then it is a strong pseudo-prime to base a for at most 25% of the bases a with 1 ≤ a ≤ n − 1, in other words, at least 75% of bases a are witnesses.

This gives rise to the Miller-Rabin probabilistic primality test, given in pseu-docode below. The output is either the message probably prime or the message composite.

INPUT: an odd number n to be tested for primality.

Write n = 2^st + 1 where t is odd;

Choose a∈ {1, . . . , n − 1} randomly;

if a^t ≡ 1 (mod n), then return probably prime;

else

for r from 0 to s− 1 do

if a^2rt ≡ −1 (mod n), then return probably prime;

end if;

end do;

return composite; (witness found) end if;

END.

The probability that a composite number passes k independent tests is thus less than (¹₄)^k. Using Bayes’ rule (see question 74) we can show that for a fixed n, the probability that a number is composite given that it passes k tests (for large k) is a constant multiple of (¹₄)^k, which can be made arbitrarily small by making k large enough.

So repeated Miller-Rabin tests either prove that n is composite by finding a witness, or suggest that n is probably prime with an error probability a constant multiple of (¹₄)^k. This is usually good enough in practice.

Notes:

1. In practice it has been found that the theoretically derived 1/4 is more like 1/1000 for most cases, so n is even more likely to be prime than the above estimate.

2. Miller-Rabin is a O(k(log n)³) test and so it takes time which is polynomial in the number of digits of n. This is called a polynomial time algorithm.

3. It is known for all n < 3.4× 10¹⁴ that if n passes the Miller-Rabin test for a = 2, 3, 5, 7, 11, 13, 17 then n is definitely prime.

This can be put on a programmable calculator without much difficulty.

4. Provided an unproved result known as the Extended Riemann Hypothesis is true, then, if n passes the Miller-Rabin test for all values of a = 2, 3, 4, . . . ,⌊2(log2n)²⌋ then n is definitely prime.

This test is O((log n)⁵), so is also a polynomial time algorithm.

5. There are also primality tests based on elliptic curve arithmetic which do not rely on any unproved assumptions and give a definite proof that a number is or is not prime. However, these tests are much slower than the Miller-Rabin test and are not polynomial time algorithms.

6. In August 2002 a new primality test was discovered by Agrawal, Kayal and Saxena, a group of Indian Computer Science researchers. This AKS algorithm proves a number definitely is or is not prime in polynomial time. The original paper is in Annals of Mathematics 160 (2004), pp. 781–793, available in the library, and the algorithm itself is quite simple — you should be able to follow it. (The notation q^kk n in the paper means q^k is the largest power of q dividing n.)

Unfortunately, for any reasonably sized numbers, the AKS test is far slower than the elliptic curve method and so is not of any practical use. The original algorithm was theoretically O((log n)^12+ǫ) for some small ǫ, and so much slower than the Miller-Rabin test. Improvements by Lenstra and Pomeranz (2005) have brought this down to O((log n)⁶).

7. The largest prime known as of 10 July 2014 is 2^57885161−1. This number has 17425170 decimal digits. (See http://www.utm.edu/research/primes/ for the latest infor-mation.)