modern probabilistic primetests · 2011. 11. 12. · introduction well-known tests the...

Outline

Modern probabilistic primetests

Daniel Loebenberger

University of Erlangen-Nuremberg

08.12.2005

Daniel Loebenberger Modern probabilistic primetests

Outline

Outline (I)

1 IntroductionWhy still probabilistic primetestsError probability and correctness

2 Well-known testsThe Solovay-Strassen testThe Miller-Rabin test

Outline

Outline (I)

Outline

Outline (II)

3 Primality testing using the Lucas sequencesDefinitionsFibonacci and Lucas pseudoprimesThe quadratic Frobenius test

4 The extended quadratic Frobenius testIdeaRuntime and error probability

5 Comparison of the tests

Outline

Outline (II)

Outline

Outline (II)

IntroductionWell-known tests

Why still probabilistic primetestsError probability and correctness

Deterministic vs. probabilistic

Naıve approches (sieving techniques or trial division) have anexponential complexity

The AKS-algorithm still has a complexity of O(log10.5 n

Probabilistic algorithms discussed here have a complexity ofO (log n) := O (M(log n) log n)

Still wide use of probabilistic algorithms

1See http://www.cse.iitk.ac.in/news/primality v3.ps, March 2003

Deterministic vs. probabilistic

Naıve approches (sieving techniques or trial division) have anexponential complexity

The AKS-algorithm still has a complexity of O(log10.5 n

Probabilistic algorithms discussed here have a complexity ofO (log n) := O (M(log n) log n)

Still wide use of probabilistic algorithms

1See http://www.cse.iitk.ac.in/news/primality v3.ps, March 2003

Error probability

Every probabilistic primetest works with an easily checkablearithmetic statement S : N → {true, false} that holds for anyprime

There may be composite numbers n with S(n) = true. Theseare S-pseudoprimes

Example: The Fermat predicate an−1 ≡ 1 (mod n) witha ∈ Z

If an algorithm classifies a composite in not more than 1/k ofthe cases as prime (k ∈ N≥2), 1/k is called the error

probability of the algorithm

Error probability after t iterations is not more than k−t

Error probability

Correctness (I)

It is tempting to conclude, that the probability that such aninteger is prime is 1 − k−t

This conclusion, however, is incorrect

Define the following random variables:

a := ”a random odd integer n of a given size is composite”

b := ”the algorithm anwers ’n is prime’ t times in succession”

Then in general prob(a|b) 6= prob(b|a)

Correctness (I)

It is tempting to conclude, that the probability that such aninteger is prime is 1 − k−t

This conclusion, however, is incorrect

Define the following random variables:

a := ”a random odd integer n of a given size is composite”

b := ”the algorithm anwers ’n is prime’ t times in succession”

Then in general prob(a|b) 6= prob(b|a)

Correctness (II)

Certainly prob(b|a) ≤ 1 − k−t , but we wish to knowprob(a|b), the correctness of the algorithm

Using Bayes’ theorem and the prime number theorem one

shows prob(a|b) ≤ln n − 2

(ln n − 2) + 2kt2

2See Douglas R. Stinson, CRYPTOGRAPHY – Theory and Practice, ISBN1-58488-206-9

Correctness (II)

Certainly prob(b|a) ≤ 1 − k−t , but we wish to knowprob(a|b), the correctness of the algorithm

Using Bayes’ theorem and the prime number theorem one

shows prob(a|b) ≤ln n − 2

(ln n − 2) + 2kt2

2See Douglas R. Stinson, CRYPTOGRAPHY – Theory and Practice, ISBN1-58488-206-9

The Solovay-Strassen testThe Miller-Rabin test

The Solovay-Strassen test

Definitions

Definition (Legendre symbol)

Let p be a prime and a ∈ Z. Define the Legendre symbol of a andp as

1 if a is a quadratic residue modulo p

0 if p | a

−1 if a is a quadratic nonresidue modulo p

Definition (Jacobi symbol)

Let N≥3 ∋ n = pe11 · · · pem

m be an odd integer and a ∈ Z. Define theJacobi symbol of a and n as

)e1 · · ·(

The Euler criterion states, that for any prime p and a ∈ Z×p

ap−1

2 ≡(

)(mod p)

Solovay-Strassen test

Given an odd n ∈ N≥2, select a ∈ Zn uniformly at random and test

an−1

)≡ 1 (mod n)

An odd composite number n with an−1

)≡ 1 (mod n) is

called a base-a Euler pseudoprime

Every base-a Euler pseudoprime is also a base-a Fermatpseudoprime

The Euler criterion states, that for any prime p and a ∈ Z×p

ap−1

2 ≡(

)(mod p)

Solovay-Strassen test

Given an odd n ∈ N≥2, select a ∈ Zn uniformly at random and test

an−1

)≡ 1 (mod n)

An odd composite number n with an−1

)≡ 1 (mod n) is

called a base-a Euler pseudoprime

Every base-a Euler pseudoprime is also a base-a Fermatpseudoprime

Runtime and error probability

Error probability ≤ 1/2

First base-2 Euler pseudoprime is 561, first base-3 is 121

Jacobi symbol and the gcd can be computed with O(log2 n

word operations

Fast exponentiation takes O (log n) word operations

Runtime of O (log n) word operations

word operations

The Miller-Rabin test

A 2nd root of unity is in a field either 1 or −1

Fermat property: an−1 ≡ 1 (mod n)

Miller-Rabin test

Given an odd number n ∈ N≥2, write n − 1 = 2s · t, t odd, selecta ∈ Zn uniformly at random and test

at ≡ 1 (mod n) or

there is a 0 ≤ s0 < s with at·2s0≡ −1 (mod n)

Call composites with this property base-a strong pseudoprimes

Any base-a strong pseudoprime is also a base-a Eulerpseudoprime

A 2nd root of unity is in a field either 1 or −1

Fermat property: an−1 ≡ 1 (mod n)

Miller-Rabin test

Given an odd number n ∈ N≥2, write n − 1 = 2s · t, t odd, selecta ∈ Zn uniformly at random and test

at ≡ 1 (mod n) or

there is a 0 ≤ s0 < s with at·2s0≡ −1 (mod n)

Call composites with this property base-a strong pseudoprimes

Any base-a strong pseudoprime is also a base-a Eulerpseudoprime

First base-2 strong pseudoprime is 2047

Runtime of the Miller-Rabin test: O (log n) word operations

Primality testing using the Lucas sequencesThe extended quadratic Frobenius test

Comparison of the tests

DefinitionsFibonacci and Lucas pseudoprimesThe quadratic Frobenius test

The Lucas test

The Lucas sequences

Definition (Lucas sequences)

Let f (x) := x2 − ax + b, with a, b ∈ Z be a polynomial, such that∆ := a2 − 4b not a square. Define the Lucas sequences

Uj := Uj(a, b) :=x j − (a − x)j

x − (a − x)(mod f (x))

Vj := Vj(a, b) := x j + (a − x)j (mod f (x))

Initial values: U0 = 0, U1 = 1 and V0 = 2, V1 = a

Recurrences (j ≥ 2): Uj = aUj−1 − bUj−2, Vj = aVj−1 − bVj−2

Lucas pseudoprimes

If p is prime and a, b ∈ Z \ {0}, ∆ := a2 − 4b not a squarewith gcd(p, 2ab∆) = 1 one has

) ≡ 0 (mod p)

Lucas test

Given a number n ∈ N≥3, select a, b ∈ Zn uniformly at randomsuch that gcd(n, 2ab∆) = 1 where ∆ := a2 − 4b and testU

) ≡ 0 (mod n)

Composites with this property are called Lucas pseudoprimes

For a = 1 and b = −1 we call such numbers Fibonacci

pseudoprimes

Lucas pseudoprimes

If p is prime and a, b ∈ Z \ {0}, ∆ := a2 − 4b not a squarewith gcd(p, 2ab∆) = 1 one has

) ≡ 0 (mod p)

Lucas test

Given a number n ∈ N≥3, select a, b ∈ Zn uniformly at randomsuch that gcd(n, 2ab∆) = 1 where ∆ := a2 − 4b and testU

) ≡ 0 (mod n)

Composites with this property are called Lucas pseudoprimes

For a = 1 and b = −1 we call such numbers Fibonacci

pseudoprimes

Error probability

The smallest Fibonacci pseudoprime coprime to 10 is 323

No number n ≡ ±2 (mod 5) is known that is simultaneouslyFibonacci pseudoprime and base-2 strong pseudoprime

Implementing the Lucas test:

Let a, b and ∆ be as above and n ∈ N≥3 withgcd(n, 2ab∆) = 1

Define Wj := b−jV2j (mod n)

Since gcd(b, n) = 1 this sequence is well defined and W0 ≡ 2(mod n), W1 ≡ a2b−1 − 2 (mod n)

Error probability

The smallest Fibonacci pseudoprime coprime to 10 is 323

No number n ≡ ±2 (mod 5) is known that is simultaneouslyFibonacci pseudoprime and base-2 strong pseudoprime

Implementing the Lucas test:

Let a, b and ∆ be as above and n ∈ N≥3 withgcd(n, 2ab∆) = 1

Define Wj := b−jV2j (mod n)

Since gcd(b, n) = 1 this sequence is well defined and W0 ≡ 2(mod n), W1 ≡ a2b−1 − 2 (mod n)

Obtaining a good runtime (I)

The sequence (Wj ) can be computed very efficiently. It canbe shown that

W2j ≡ W 2j − 2 (mod n)

W2j+1 ≡ WjWj+1 − W1 (mod n)

Use the sequence (Wj ) for the Lucas test

Let m := (n −(

))/2 and n be Lucas pseudoprime. It follows

U2m ≡ 0 (mod n)

Let δ := x − (a − x), i.e.δ2 ≡ x2 − 2b + (a − x)2 ≡ a2 − 4b ≡ ∆ (mod f (x), n)

Obtaining a good runtime (I)

The sequence (Wj ) can be computed very efficiently. It canbe shown that

W2j ≡ W 2j − 2 (mod n)

W2j+1 ≡ WjWj+1 − W1 (mod n)

Use the sequence (Wj ) for the Lucas test

Let m := (n −(

))/2 and n be Lucas pseudoprime. It follows

U2m ≡ 0 (mod n)

Let δ := x − (a − x), i.e.δ2 ≡ x2 − 2b + (a − x)2 ≡ a2 − 4b ≡ ∆ (mod f (x), n)

Obtaining a good runtime (II)

With the definition of the Lucas sequences we getVj + δUj = 2x j and Vj − δUj = 2(a − x)j

Thus we have for all i , j ∈ N the equations

(Vj + δUj) · (Vk + δUk) = 4x j+k = 2(Vj+k + δUj+k)

(Vj − δUj) · (Vk − δUk) = 4(a − x)j+k = 2(Vj+k − δUj+k)

Adding these yields 2Vj+k = VjVk + ∆UjUk

With j := 2m and k := 2 we get 2V2m+2 = V2mV2 + ∆U2mU2

Since gcd(b, n) = 1 it follows with the definition of thesequence (Wj): 2Wm+1 ≡ WmW1 + b−(m+1)∆U2mU2

(mod n)

Because n is Lucas pseudoprime one gets 2Wm+1 ≡ WmW1

(mod n). Since gcd(ab∆, n) = 1 the converse also holds

Runtime of the resulting algorithm

To summarize:

Theorem

Let n, a, b,∆,m and the sequence (Wj) defined as above. Then n

is Lucas pseudoprime if and only if 2Wm+1 ≡ W1Wm (mod n)

Runtime:

The pair Wm,Wm+1 can be computed modulo n using fewerthan 2 log2(n) multiplications mod n and log2(n) additionsmod n

Half of the multiplications mod n are squarings mod n

A Fermat test involves log2(n) squarings mod n and up tolog2(n) additional multiplications mod n if fast exponentiationis used

So the Lucas test takes at most twice of the time of a Fermattest, i.e. O (log n) word operations

To summarize:

Theorem

Runtime:

To summarize:

Theorem

Runtime:

To summarize:

Theorem

Runtime:

The Frobenius test

Frobenius pseudoprimes

Let a, b ∈ Z \ {0}, ∆ := a2 − 4b not a square. Call acomposite number n with gcd(n, 2ab∆) = 1 a Frobenius

pseudoprime with respect to x2 − ax + b if

xn ≡

{a − x (mod f (x), n) , if

)= −1

x (mod f (x), n) , if(

Restriction of Grantham’s general Frobenius test to quadraticpolynomials

No restriction on the determinant of f (x)

Using the Lucas sequences for the Frobenius test

Express the Frobenius property in terms of the Lucas sequences:

Frobenius test

Let be a, b,∆ and n as above. Then n is Frobenius pseudoprimewith respect to x2 − ax + b iff n is Lucas pseudoprime and

{2b (mod n) , if

)= −1

2 (mod n) , if(

Proof.

2xm ≡ (2x − a)Um + Vm (mod f (x), n) and x(a − x) ≡ b

(mod f (x), n)

Every Frobenius pseudoprime is Lucas pseudoprime

Rest straightforward

Error probability

Every Frobenius pseudoprime with respect to x2 − ax + b isalso an Lucas pseudoprime with respect to x2 − ax + b

Smallest Frobenius pseudoprime with respect to the Fibonaccipolynomial x2 − x − 1 is 4181

First with(

)= −1 is 5777

No number n with(

)= −1 is known that is Frobenius

pseudoprime with respect to the polynomial x2 + 5x + 5

Error probability of the algorithm ≤ 17710

Error probability

First with(

)= −1 is 5777

No number n with(

Error probability

First with(

)= −1 is 5777

No number n with(

Error probability

First with(

)= −1 is 5777

No number n with(

Using the sequence (Wj) for the Frobenius test

n is Lucas pseudoprime iff 2Wm+1 ≡ W1Wm (mod n)

Express the formula

{2b (mod n) , if

)= −1

2 (mod n) , if(

in terms of the sequence Wj

Let m := (n −(

))/2 and n be Frobenius pseudoprime

With the definition of (Wj) get Wm ≡ 2b−(n−1)/2 (mod n)

Putting B := b(n−1)/2 it follows BWm ≡ 2 (mod n)

Using the sequence (Wj) for the Frobenius test

n is Lucas pseudoprime iff 2Wm+1 ≡ W1Wm (mod n)

Express the formula

{2b (mod n) , if

)= −1

2 (mod n) , if(

in terms of the sequence Wj

Let m := (n −(

))/2 and n be Frobenius pseudoprime

With the definition of (Wj) get Wm ≡ 2b−(n−1)/2 (mod n)

Putting B := b(n−1)/2 it follows BWm ≡ 2 (mod n)

To summarize:

Theorem

is Frobenius pseudoprime if and only if 2Wm+1 ≡ W1Wm

(mod n) and BWm ≡ 2 (mod n) where B := b(n−1)/2

Runtime:

A Lucas test takes about twice the time a Fermat test needs

Additionally b(n−1)/2 (mod n) must be computed

So the test takes about three times of a Fermat test

Therefore the runtime is O (log n)

To summarize:

Theorem

is Frobenius pseudoprime if and only if 2Wm+1 ≡ W1Wm

(mod n) and BWm ≡ 2 (mod n) where B := b(n−1)/2

Runtime:

A Lucas test takes about twice the time a Fermat test needs

Additionally b(n−1)/2 (mod n) must be computed

So the test takes about three times of a Fermat test

Therefore the runtime is O (log n)

IdeaRuntime and error probability

Constructing an adequate quadratic extension

Given an integer n that is not divisible by 2 and 3, select asmall c ∈ Z

×n with

)= −1, set f (x) := x2 − c and define

R := Zn[x ]/(f (x))

Let H be the multiplicative group of R .

If n is prime, R ≃ Fn2 is a field and H is cyclic of order n2 − 1.

Let H24 be the subgroup of elements of order dividing 24 (thisis well defined since 24 divides n2 − 1)

If H is cyclic, i.e. n is prime, we certainly have |H24| = 24

Otherwise H is a direct product and we may have |H24| ≫ 24

×n with

R := Zn[x ]/(f (x))

×n with

R := Zn[x ]/(f (x))

Properties to check (I)

With an element r ∈ H of order 24 select a random elementz = sx + t ∈ H and test:

1. Frobenius property: Check zp ≡ z (mod f (x), p) wherez = sx + t := −sx + t means the conjugation.This property implies the (generalized) Fermatproperty zp2−1 ≡ 1 (mod f (x), p)

2. Quadratic residue property:Define the norm N : R → Zp as

N(z) := z · z = t2 − cs2 (mod f (x), p)

z 7→ N(z) is a surjective multiplicativehomomorphism. Since N maps squares to squaresand nonsquares to nonsquares, check

N(z)(p−1)/2 ≡ z (p2−1)/2 ≡(N(z)

)(mod f (x), p)

Properties to check (I)

With an element r ∈ H of order 24 select a random elementz = sx + t ∈ H and test:

1. Frobenius property: Check zp ≡ z (mod f (x), p) wherez = sx + t := −sx + t means the conjugation.This property implies the (generalized) Fermatproperty zp2−1 ≡ 1 (mod f (x), p)

2. Quadratic residue property:Define the norm N : R → Zp as

N(z) := z · z = t2 − cs2 (mod f (x), p)

z 7→ N(z) is a surjective multiplicativehomomorphism. Since N maps squares to squaresand nonsquares to nonsquares, check

N(z)(p−1)/2 ≡ z (p2−1)/2 ≡(N(z)

)(mod f (x), p)

Properties to check (II)

3. Φ4 property (generalized Miller-Rabin property):In R ≃ Fp2 the only possible 4th roots of unity are 1,−1 and ξ4, −ξ4, the two roots of Φ4(x) = x2 + 1.This implies for p2 − 1 = 2u3vq with gcd(q, 6) = 1that if z ∈ F

p2 is a square in Fp2 then

z3vq ≡ ±1 or z2i3vq ≡ ±ξ4, for some 0 ≤ i < u − 2

4. Φ3 property:In R ≃ Fp2 the only possible 3rd roots of unity are 1

and ξ3, ξ−13 , the two roots of Φ3(x) = x2 + x + 1.

This implies for p2 − 1 = 2u3vq with gcd(q, 6) = 1for z ∈ F

z2uq ≡ 1 or z2u3iq ≡ ξ±13 , for some 0 ≤ i < v

Properties to check (II)

3. Φ4 property (generalized Miller-Rabin property):In R ≃ Fp2 the only possible 4th roots of unity are 1,−1 and ξ4, −ξ4, the two roots of Φ4(x) = x2 + 1.This implies for p2 − 1 = 2u3vq with gcd(q, 6) = 1that if z ∈ F

p2 is a square in Fp2 then

z3vq ≡ ±1 or z2i3vq ≡ ±ξ4, for some 0 ≤ i < u − 2

4. Φ3 property:In R ≃ Fp2 the only possible 3rd roots of unity are 1

and ξ3, ξ−13 , the two roots of Φ3(x) = x2 + x + 1.

This implies for p2 − 1 = 2u3vq with gcd(q, 6) = 1for z ∈ F

z2uq ≡ 1 or z2u3iq ≡ ξ±13 , for some 0 ≤ i < v

How to get a element of order 24

Start with a random element z ∈ H, look for one element oforder 3 and one of order 8

One finds such elements while testing the Φ3 property and theΦ4 property for z

Once we know an element ξ3 of order 3, check if the newlygenerated element is in the subgroup 〈ξ3〉 ≤ H24

Of course no element of order 3 is known from start, but thecomputations on z may produce such an element

This element can be used in the next iteration

A similar idea can be applied for the element of order 8

Combining several iterations of the test

Illustration of four iterations of the test:

EQFT 1

EQFT 2

composite

pr. pr.xi3 1

pr. pr.xi3 xi4

probable prime

xi3 xi4

Runtime

Runtime: O (log n) word operations

It can be shown that the algorithms needs about twice of thetime of an ordinary pseudoprime test3

3See [DaFr03]: Damgard and Frandsen, An Extended Quadratic FrobeniusTest with Average and Worst Case Error Estimates, BRICS Report SeriesRS-03-9, February 2003

Error probability

Damgard and Frandsen showed a worst case error probabilityof at most 256/331776t after t iterations4

The proposed combination of four iterations has therefore aworst case error probability of

3317764=

47330370277129322496

Average case analysis: See [DaFr03], chapter 5

4For a detailed derivation of this bound see [DaFr03], chapter 3 and 4

Overview

Error probability Runtime in Fermat tests

Fermat ≤ 1/2 1

Solovay-Strassen ≤ 1/2 ≈ 1

Miller-Rabin ≤ 1/4 ≈ 1

Lucas ??? ≈ 2

Frobenius ≤ 1/7710 ≈ 3

EQF ≤ 256/331776 ≈ 2

modern probabilistic primetests · 2011. 11. 12. · introduction well-known tests the...

Documents