An Extended Quadratic Frobenius Primality Test with Average and Worst Case Error Estimates ∗†

Ivan Bjerre Damg˚ard Gudmund Skovbjerg Frandsen

BRICS‡ Department of Computer Science University of Aarhus IT-parken, Aabogade 34 DK-8200 Aarhus N, Denmark ivan,gudmund @daimi.au.dk { }

DRAFT - December 8, 2005

Abstract We present an Extended Quadratic Frobenius Primality Test (EQFT), which is related to the Miller-Rabin test and to several other known probabilistic tests. EQFT takes time equivalent to about 2-3 Miller-Rabin tests, but has much smaller error probability, namely 256/331776t for t iterations of the test in the worst case. We also give bounds on the average-case behaviour of the test: consider the algorithm that repeatedly chooses random odd k bit numbers, subjects them to t iterations of our test and outputs the ﬁrst one found that passes all tests. We obtain numeric upper bounds for the error probability of this algorithm as well as a general closed expression bounding the error. For instance, it is at most 2−155 for k = 500, t = 2. Compared to earlier similar results for the Miller-Rabin test, the results indicates that our test in the average case has the eﬀect of 9 Miller-Rabin tests. We also give bounds for the error in case a prime is sought by incremental search from a random starting point.

1 Introduction

Efficient methods for primality testing are important, in theory as well as in practice. In particular, this is true for many scenarios in cryptography. From a theoretical point of view, the primality testing problem is completely solved by the AKS algorithm[1, 14], which is polynomial time and always returns correct results. In practice, however, it continues to be significantly less efficient than probabilistic tests with bounded error probability, such as the Miller-Rabin test. Probabilistic tests are therefore a natural alternative for practical scenarios, and particularly for cryptographic applications, since in cryptography we must live with non-zero probabilities of unwanted events. For instance, there is always a non-zero (but hopefully small) probability that an adversary guesses

∗Partially supported by the IST Programme of the EU under contract number IST-1999-14186 (ALCOM-FT). †An extended abstract of this paper was presented at FCT’2003, see [11]. ‡Basic Research in Computer Science, Centre of the Danish National Research Foundation.

1 a key he should not know, or happens to make random choices in his attack that lead him to the answer much faster than expected. Hence the question is not how we we can remove all error probabilities, but rather how we can efficiently reduce them to the level we have to live with anyway. One concrete application of primality tests is in public-key cryptography, where efficient methods for generating large, random primes are indispensable tools. The natural algorithm is to choose random candidate numbers and test for primality until a prime is found. Here, it is important to know how the test behaves in the average case, that is, which error probability do we expect when it is known that the input has been chosen according to some particular probability distribution. But there are also scenarios, e.g., in connection with Diffie-Hellman key exchange, where one needs to test if a number n is prime, and where n may have been chosen by an adversary with the aim of fooling the primality test. Here, the worst case performance of the test is important, i.e., the maximal probability that a composite number will be accepted. In this paper, we present and analyze a new probabilistic primality test which we call the Extended Quadratic Frobenius test (EQFT). The motivation for this name will hopefully become clear in the following. For the average case analysis: consider an algorithm that repeatedly chooses random odd k-bit numbers, subject each number to t iterations of EQFT, and outputs the first number found that passes all t tests Under the ERH, each iteration takes expected time equivalent to 2-3 Miller-Rabin tests (the ERH is only used to bound the run time and does not affect the error probability). Let qk,t be the probability that a composite number is output. We derive numeric upper bounds for q , e.g., we show q 2 155, and also show a general upper bound, namely for 2 k,t 500,2 ≤ − ≤ t k 1, q is O(k3/22(σt+1)tt 1/24 √2σttk) with an easily computable big-O constant, where ≤ − k,t − − σ = log 24 1/t. We also analyze the error probability when a random k-bit prime is instead t 2 − generated using incremental search from a random starting point, still using (up to) t iterations of our test to distinguish primes from composites. Note that in practice, one could of course discard most non-primes efficiently by subjecting each candidate to test division by small primes, and a Miller-Rabin test before using EQFT. This saves time, but the error analysis we do here is valid for any such algorithm, as long as the extra testing accepts all prime candidates. Concerning worst case analysis, we show that t iterations of EQFT err with probability at most 256/331776t except for an explicit finite set of numbers1. The time needed to run EQFT involves first a one-time start-up cost equivalent to about 2 Miller-Rabin tests and then, for each iteration of the actual test, time equivalent to about 2-3 Miller-Rabin tests (we give a more detailed analysis of the running time later). We note that there exists a variant of our algorithm called EQFTac satisfying the same bounds on the error probabilities and where no start-up cost is needed. However, the analysis is more complicated and the algorithm is only as fast as the variant presented here when the input is randomly chosen (it can be up to 4 times slower on worst case inputs than in the average case). EQFTac may be preferable for generation of random primes. For details on EQFTac, see [11].

1.1 Related Work Virtually all known probabilistic tests are built on the same basic principle: from the input number n, one deﬁnes an Abelian group and then tests if the group structure we expect to see if n is prime, is actually present. The well-known Miller-Rabin test uses the group Zn∗ in exactly this way. A natural alternative is to try a quadratic extension of Zn, that is, we look at the ring Zn[x]/(f(x)) where f(x) is a degree 2 polynomial chosen such that it is guaranteed to be irreducible if n is prime.

1namely if n has no prime factors less than 118, or if n ≥ 242

2 In that case the ring is isomorphic to the finite field with n2 elements. This idea of a quadratic extension is central in our algorithm and can be traced back at least to Baillie, Pomerance, Selfridge and Wagstaff [3, 24], who suggested combining a Miller-Rabin test with a Lucas sequence test (we call such a combined test a BPSW test in the following). The specific test described in [24] is deterministic, and the authors offered a cash prize for anyone exhibiting a composite number that would pass the combined test, and this cash prize has apparently not been claimed yet, more than twenty years later. Grantham [13] seems to be the first to make a worst-case error analysis of a randomized variant of the BPSW test. His variant is called QFT. Grantham showed that his test has error probability 1/7710 in the worst case. Zhang seems to be the first to give explicit simple expressions for the number of pseudo primes for his version of BPSW, which he calls OPQBT (One-Parameter Quadratic-Base Test) [26]. This test has worst case error probability 1/119726. All of the above tests check that the order of the involved group is what we expect and in addition that all squareroots of 1 we encounter along the way are 1 (this is what we expect since if n is prime, the involved group is cyclic, and so there is exactly one element of order 2). Berrizbeitia and Berry[4] suggest looking at r’th roots of 1 in Z and note that if r divides n 1 n∗ − and an r’th root of 1 is known in advance, one can get a smaller error probability than for the MR test. Of course, one cannot assume in general that such a root is given for free, but the paper discusses the possibility of obtaining an r’th root during the executing of several iterations of the algorithm. Muller¨ uses 3rd and 4th roots of 1 in quadratic extensions of Zn∗ to develop a test that only works for numbers n = 3 mod 4 [22]. The worst case error probability is 1/331000, and is smaller in some cases, depending on the values of n mod 3 and n mod 16. She also suggested a different test for n = 1 mod 4 in [21]. This test has error probability 1/1048350 for the first iteration and 1/131040 for each of the following ones. All results mentioned so far in this overview are for worst case error probabilities. However, on most composite numbers, the tests tend to have much smaller error probabilities than indicated by the worst case behavior. The first previous result taking advantage of this fact is by Damg˚ard, Landrock and Pomerance for the MR test[9]. They consider an algorithm that repeatedly chooses random odd k-bit numbers, subjects each number to t iterations of the MR test, and outputs the first number found that passes all t tests. Let pk,t be the probability that this algorithm outputs a composite. Some numeric upper bounds are shown on pk,t , as well as some closed expressions that upper bound p . For instance, p k242 √k. One may also consider the case where k,t k,1 ≤ − candidate primes are of form n0, n0 + 2, .. for a random starting point n0, since this test division by small primes to be done more efficiently. This type of analysis was done in [5] for the MR test. Unfortunately, the error bounds in [5] were either based on unproven number theoretic conjectures or were only valid for an algorithm that might terminate with no output. To compare our results to earlier ones, we first note that we present the first average case analysis of the error probability of a BPSW-like test. A comparison to the similar analysis by Damg˚ard, Landrock and Pomerance for the MR test indicates that EQFT in the average case roughly speaking has the effect of 9 MR tests. Moreover, for the case of incremental search, we extend the techniques from [5] to analyse an algorithm that is guaranteed to generate output, without relying on conjectures. Comparing our concrete algorithms to the earlier ones, there are many similarities, most im- portantly that we work in a quadratic extension of Zn∗ like most of the known tests. A couple of essential ideas are new, however: first, given the input n, we choose initially a fixed degree 2

3 polynomial f over Zn defining the quadratic extension, and keep it fixed over all iterations of the test. Previous tests instead choose a new random polynomial for each iteration. This difference means that we can store elements with special properties, say, of small order found in one iteration of the test in order to help us in subsequent iterations, as in [4]. This would not be directly possible in other tests using quadratic extensions. Second, since our analysis of error probabilities works for any polynomial f, we can pick one for which arithmetic in Zn[x]/(f(x)) can be implemented faster than in general. It turns out that if we choose f(x) = x2 c where c is a small number with Jacobi symbol -1 mod n we can, for − instance, execute a squaring in Zn[x]/(f(x)) essentially by doing 2 modular multiplications mod n (rather than 3, which would be necessary in general). As detailed below, this means that EQFT offers in many setting the best known trade-off between worst case error probability and running time. Furthermore, our algorithms do not need trial division, provided that the input is sufficiently large (see Theorem 23). Grantham and Muller¨ needs to eliminate all small prime divisors by trial division to achieve the stated error bounds. Zhangs algorithm and error bound is formulated in a different way, but in order to get the bound 1/119726 we have cited here, trial division is also needed.

1.2 Comparison of Running Times and Error Probabilities In order to compare worst-case error probabilities and running times in a meaningful way, we ﬁrst need to make the setting more precise: we will consider implementations of the algorithms in software on a standard, say 32-bit architecture based on the standard quadratic algorithm for multiplication of integers. We do not consider more advanced multiplication algorithms (based on Fourier transforms, for instance), since they are not faster than the standard ones for numbers of sizes that are interesting in practice. We consider this to be numbers in the range of 500 to 10000 bits, taking into account the future development in key sizes for public-key cryptography we may expect in a few years. The most important operations to consider are modular multiplications and squarings modulo n, since the algorithms spend almost all their time doing these operations. Taking into account that n is constant over many such operations, the fastest known general way to implement them is Montgomery multiplication[20]. A straightforward implementation of Montgomery’s technique on m-word numbers requires 2m2 + m single precision multiplications, whereas a modular squaring requires 3 (m2 + m) [19, ch.16]. Based on this, and that we expect m 10 for numbers of practical 2 ≥ interest, we will take the time for a modular squaring as our basic time unit, called MSQ, and we will assume that a modular multiplication takes time about 1.3 MSQ. We note that many variations and optimizations have been proposed, see for instance [15], but to the best of our knowledge, this does not signiﬁcantly alter the comparison between modular multiplications and squarings. The algorithms typically spend most of their time doing exponentiations in some ring. If the exponent has length u bits, this requires u squarings and o(u) multiplications using the standard sliding window algorithm, i.e., a total of (1 + o(1))u squarings, assuming a multiplication costs a constant times the time for a squaring, which is the case for all rings considered here. We can therefore obtain an asymptotic estimate of the running time in MSQ’s by counting how many squarings and multiplications mod n is required for a squaring in the ring in question. In this model, an MR test takes time (1 + o(1)) log n MSQ, and Grantham’s test takes (3.3 + o(1)) log n MSQ. Mullers¨ test for the case of n = 3 mod 4 does essentially an MR test plus exactly log n modular squarings and log n modular multiplications, corresponding to (3.3+o(1)) log n MSQ.

4 2 In addition, a one-time start-up cost corresponding to 1 MR test is required. Mullers¨ test for n = 1 mod 4 is technically different, but from inspection of the algorithm it follows quite easily that it takes at least the time needed for the n = 3 mod 4 test. Note that Muller¨ states her running times in a different way, namely assuming a random input number, and that the standard square and multiply algorithm is used for exponentiation. However, using the sliding window variant makes exponentiation faster and makes it take the same number of multiplications for all inputs. We therefore assume here that sliding window is used for all algorithms we consider. For our test, we have (2.6 + o(1)) log n MSQ and in addition a one-time start-up procedure that costs (2.3 + o(1)) log n MSQ. This shows that, at least in the model we consider here, our test is faster than previous tests for all large enough input numbers, and for a large enough number of iterations (we have a larger start-up cost than other algorithms, but the effect of this will decay as the number of iterations increase). We cannot conclude, however, that it is faster for numbers of practical interest, due to the o(1) terms. They are clearly not the same for different tests, and they are to some extent system dependent, so it is hard to estimate them from a theoretical point of view. However, there are some experimental results we can use as an indication. In [8], Lars Christensen reports on implementations in Java of the MR-test and a single iteration of EQFT, using in both cases the same optimized Montgomery based code for the underlying arithmetic modulo n. Using standard 32-bit machines, he obtained the following factors between the running time of MR and EQFT, for different bit lengths of the input:

bit length 512 768 1024 1536 2048 3072 4096 ratio EQFT to MR 3.94 3.63 3.23 3.07 2.99 2.91 2.89

This seems to agree reasonably well with the theoretical prediction that the ratio should be 2.6 in the limit. These results also allow us to give an estimate of how large numbers should be before our test becomes faster than Mullers¨ tests, since the o(1) contribution in her case is the same as for the MR test. Say we consider 4000 bit numbers and let the running time for MR be (1 + ) log n MSQ and the running time for our test be (2.6 + δ) log n MSQ. The experimental results suggest that 2.9 (1 + ) = (2.6 + δ), i.e., δ = 0.3 + 2.9. In order for our test to be faster, we would need · that 2.6 + δ 3.3 + which, combined with the previous equation, is equivalent to 0.21. ≤ ≤ Concrete calculations on the sliding windows algorithm show that the number of multiplications (non-squarings) required for exponentiating 4000 bit numbers is about 600, suggesting that the actual value of is about 1.3 600/4000 = 0.195. We therefore expect that in the considered · setting, an iteration of our test will be faster than Muller’s¨ for numbers with more than 4000 bits. It is important to note that this conclusion depends a lot on the setting. For typical hardware implementations where the same chip area is used for both squarings and multiplications mod n, there is no time diﬀerence between the two. This would favor our algorithm and cause the cross-over point to occur for smaller numbers. We believe that this analysis and experimental results indicate that there are quite a few practical settings where our test is faster than the tests by Grantham, Muller¨ and Zhang, while our worst case error probabilities are in general smaller. It should be noted that for some special classes of inputs, Muller’s¨ test has smaller error probability that what we cite here. On the other

2In fact, Muller’s¨ algorithm is slower for inputs where large powers of 3 divide n − 1 and may take up to (3.7 + o(1)) log n MSQ, whereas EQFT takes the same expected time for all inputs. We have chosen to assume (3.3 + o(1)) log n MSQ in order not to give ourselves an unfair advantage in the comparison.

5 Algorithm 1 Plain Quadratic Frobenius Test. Require: input is odd number n > 1 Ensure: output is “composite”, or “probable prime” 1: if n is a perfect square return “composite” 2: choose a small c with (c/n) = 1 − 3: select random z R(n, c) ∈ ∗ 4: if zn = z return “composite” 6 5: return “probable prime” hand, the same is true for EQFT, namely if larger powers of 2, 3 than 23 3 divide n2 1 (see · − remark following Theorem 18). These special properties are to some extent incomparable, so we concentrate on the worst case error here. In conclusion, if an application desires some (very) small ﬁxed worst case error, our test oﬀers in many cases the fastest way to guarantee this. We do not mean to suggest, however, that our test is always preferable. For instance, if size and simplicity of the code are more important that anything else, the MR test is probably the best choice.

2 Plain Quadratic Frobenius Test

In this section we describe our test stripped of all root tests. It builds on the idea that if n is prime then any element z in the finite field GF (n2) satisfies that

zn = z (1) where z denotes the Frobenius automorphism (the only nontrivial automorphism of the field) ap- n2 1 plied to z. This condition implies z − = 1 for all invertible z, so we are implicitly verifying that the multiplicative group in the ring has the order we expect when n is prime. It may therefore be seen as a generalization of the Fermat test, but is much stronger, as we shall see. We will first define the test and afterwards explain its close similarity but also crucial differences compared to earlier tests. Finally we discuss error bounds and implementation details.

2.1 Plain QFT: the test Definition 1 Let n be an odd integer and let c be a unit modulo n. Let R(n, c) denote the ring Z [x]/(x2 c). n − For z = ax + b R(n, c) let ∈ z = ax + b R(n, c) − ∈ N(z) = z z = b2 ca2 Z · − ∈ n Observe that if p is an odd prime and (c/p) = 1 then the polynomial x2 c is irreducible − − modulo p and R(p, c) is isomorphic to the field GF (p2). In that case z is identical to the Frobenius automorphism. Algorithm 1 describes a construction of R(n, c) followed by a verification of (1).

2.2 Relation to earlier tests All the earlier tests of Grantham [13], Muller¨ [22] and Zhang [26] are also based on (1) directly or indirectly. Granthams test is almost identical, in that he checks the equivalent condition z n+1 =

6 N(z), but selects the random basis restricted to have (N(z)/n) = 1. Zhang and Muller¨ break 2 the test into two independent parts. When z GF (p )∗ with (N(z)/p) = 1 then one may write ∈ 2 z = z1z2 for (non)unique z1 Zp∗ and z2 GF (p )∗ with N(z2) = 1 and Equation (1) becomes p ∈ p ∈ z1 = z1 (a Fermat test) and z2 = z2 (a Lucas Test). Both Zhang and Muller¨ essentially make independent Fermat and Lucas tests. The most crucial diﬀerence between our test and the above mentioned tests is that we seperate the construction of the supposed ﬁeld R(n, c) from choosing a random z R(n, c), whereas all the ∈ other tests combine the two tasks. By the separation we obtain two crucial advantages.

We may choose a representation R(n, c) that is particularly eﬃcient regarding implementation • of arithmetic as explained in section 2.3.

We may use the same representation over several iterations of the test and this can be used • to make an improved test for roots of 1 as explained in section 3.

Concerning the error analysis, both Zhang and Muller¨ ﬁnd closed expressions for the number of liars. Unfortunately, their expressions are not valid for our test. Our expression (unlike theirs) must be for a worst case quadratic extension R(n, c). In addition, their expressions arise as a product of expressions from the two independent tests, whereas our expression is for the combined test and does not factor in a meaningful way. This may seem surprising, but in the combined analysis we obtain a (slightly) better bound using the cyclic group Zp2 1 than one would obtain − from the noncyclic product group Zp 1 Zp+1 used by Zhang and Muller.¨ On this background we − × have found it necessary to include a complete derivation of our error expression (see section 2.4).

2.3 Plain QFT: Implementation Multiplication of elements in R(n, c) may be done very eﬃciently when c is small. Represent | | z = z x + z R(n, c) by the pair (z , z ) Z Z . 1 0 ∈ 1 0 ∈ n × n Lemma 2 For z, w R(n, c), zw and z2 may be computed using 3 respectively 2 multiplications ∈ and O(log c ) additions in Z . | | n ze may be computed from z using 2 log e + o(log e) multiplications and O(log e log c ) additions | | in Zn.

Proof. For zw use the equations

(zw)1 = m1 + m2 (zw) = (cz + z )(w + w ) (cm + m ) 0 1 0 1 0 − 1 2 where

m1 = z1w0

m2 = z0w1

2 For z we need only observe that m1 = m2 when z = w. For ze, we use the standard sliding window technique aka 2k-ary method for constructing addition chains [18]. In this way ae may be computed using log e squarings and 2k + 1/k log e · multiplications in R(n, c). By choosing k appropriately depending on e, the result of the lemma follows. We also need to argue that it is easy to ﬁnd a small c with (c/n) = 1. One may note that if − n 1 mod 24, then some c 1, 2, 3 can be used. In general, we have the following: 6≡ ∈ {− − − }

7 Lemma 3 Let n be an odd composite number that is not a perfect square. Let π (x, n) denote the − number of primes p x such that (p/n) = 1, and, as usual, let π(x) denote the total number ≤ − of primes p x. Assuming the Extended Riemann Hypothesis (ERH), there exists a constant C ≤ (independent of n) such that

π (x, n) 1 2 − > for all x C(log n log log n) π(x) 3 ≥

Proof. π (x, n) counts the number of primes outside the group G = x Zn∗ (x/n) = 1 . − { ∈ | } When n is not a perfect square, then G has index 2 in Zn∗ , and by [2, th.8.4.6], the ERH implies that 1 π (x, n) = li(x) + O(√x(log x + log n)) (2) − 2 similarly, by [2, th.8.3.3], the Riemann Hypothesis implies that

π(x) = li(x) + O(√x log x) (3)

x where li(x) = 2 dt/ ln t satisﬁes that R li(x) = Θ(x/ log x) (4)

In addition the constants implied by the O( )-notation are all universal and therefore one may · readily verify that for any > 0 there is a universal constant C such that

π (x, n) 1 2 − > for all x C (log n log log n) π(x) 2 − ≥

Theorem 4 There is an implementation of algorithm 1 that on input n takes time expected to be 2 bounded by O(log n) plus the time for 2 log n + o(log n) multiplications in Zn, when assuming the ERH.

Remark. We emphasize that the “expected” qualiﬁcation of the runtime is due to random choices in the algorithm and has nothing to do with averaging over the input. The expected time is for a worst case input. Also the ERH is only used to bound the running time (size of c) and does not aﬀect the error probability, as is the case with the original Miller test. Proof. line 1: By Newton iteration one may compute the square root of n in time corresponding to O(log log n) multiplications in Zn. line 2: The Jacobi symbol may be computed in time O(log2 n) using the binary algorithm [25]. Lemma 3 does not give us an explicit bound on the interval which we must select c from to have probability at least 1/3 of getting (c/n) = 1. However, Lemma 3 does ensure that we only expect − to use O(1) trials and thereby O(1) Jacobi symbol computations when using the following strategy. i 2 Let Bi = 2 (log n log log n) . Try up to 4 random prime c’s from the interval [1..B0]. If no good c is found try up to 4 from [1..B1]. If still no good c is found continue in this way doubling the size of the interval for every 4 attempts until success. line 4: Using Lemma 2 and Lemma 3, we may compute zn using 2 log n+o(log n) multiplications.

8 2.4 Plain QFT: Error bound Deﬁnition 5 Let n be an odd number, let c be a unit modulo n. Deﬁne the number of liars

n H(n, c) = z R(n, c)∗ z = z { ∈ | }

Clearly, H(n, c) is a multiplicative subgroup of R(n, c)∗. We need the following structural charac- terization of R(n, c)∗

Lemma 6 Let n be an odd integer and let c be a unit modulo n. Let p denote a prime.

Zp2 1, for n = p and (c/p) = 1 − −  Zp 1 Zp 1, for n = p and (c/p) = 1 R(n, c)∗ − × − m '  Z m−1 Z m−1 R(p, c)∗, for n = p  p × p ×  R(pm1 , c) R(pmω , c) , for n = ω pmi 1 ∗ × · · · × ω ∗ i=1 i   Q p If (c/p) = 1 and z = (z1, z2) R(p, c) Zp 1 Zp 1 then (z1, z2) = (z2, z1) and z = z. ∈ ' − × − If (c/p) = 1 and z R(p, c) then zp = z. − ∈ Proof. The condition (c/p) = 1 implies that x2 c is irreducible over Z , and hence R(p, c) − − p is isomorphic to GF (p2), the finite field with p2 elements. In this field the map z zp = z is the 7→ Frobenius automorphism. The condition (c/p) = 1 implies that c has a square root d Z , i.e. x2 c = (x d)(x + d). ∈ p − − Hence, by Chinese remaindering

R(p, c) Z[x]/(p, x d) Z[x]/(p, x + d) GF (p) GF (p) ' − × ' × The map z zp is the identity map on GF (p). Let (z , z ) = ax + b R(p, c). Using that 7→ 1 2 ∈ ax + b = (ad + b, ad + b), we find that (z1, z2) = (z2, z1). −m i m 1 i Consider n = p . Define the sets A = (1 + p) i = 1, . . . , p − and B = (1 + px) i = m 1 { | } { | 1, . . . , p − . It is easy to verify that A B = 1 , and each of A and B are cyclic subgroups of m } m 1 ∩ { } m R(p , c)∗ of order p − . Define the homomorphism h : R(p , c)∗ R(p, c)∗ by h(z) = z mod p. 7→ m Clearly h is surjective, and hence R(p, c)∗ is isomorphic to a subgroup of R(p , c)∗. It suffices to 1 2(m 1) prove that the kernel of h is A B. Clearly, A B h− (1), and since also A B = p − = 1 × × ⊆ | × | h− (1) , the proof is complete. | | ω mi For n = i=1 pi we use Chinese remaindering. Q Lemma 7 Let n be an odd number, let c be a unit modulo n. ω mi If n has prime power factorisation n = i=1 pi then

H(n, c) = H(n,Qp , c) H(n, p , c). (5) 1 × · · · × ω

where H(n, p, c) is a cyclic subgroup of R(p, c)∗ of size

gcd(n/p 1, p2 1), if (c/p) = 1 H(n, p, c) = − − − | | gcd(n2/p2 1, p 1), if (c/p) = 1 ( − −

2 Proof. For z H(n, c) we know that zn 1 = z/z = 1. Therefore the order of z cannot be ∈ ∗ − divisible by a prime factor pi of n. Since H(n, c) is a subgroup of R(n, c)∗, it follows by Lemma 6

9 that H(n, c) is a subgroup of R(p , c) R(p , c) . Let H(n, p , c) be the subgroup of R(p , c) 1 ∗ × · · · × ω ∗ i i ∗ deﬁned by (5). n n2 1 Let z H(n, c), and deﬁne zi H(n, pi, c) by z zi mod pi. Clearly, zi = zi and zi − = 1. ∈ ∈ ≡ pi Consider the case (c/pi) = 1. By lemma 6, zi = zi implying that the order of zi divides 2 −2 2 gcd(n pi, n 1) = gcd(n pi, pi 1) = gcd(n/pi 1, pi 1). Since the multiplicative subgroup − − 2 − − − − of R(pi, c) GF (pi ) is cyclic, the stated bound on the size of H(n, pi, c) follows. ' |pi | Consider next the case (c/pi) = 1. By lemma 6, zi = zi , i.e. the order of zi in R(pi, c) divides gcd(n2 1, p 1) = gcd(n2/p2 1, p 1). Since R(p , c) GF (p ) GF (p ), one may − i − i − i − i ' i × i represent zi by (w1, w2) GF (pi) GF (pi), implying that w1 is in the cyclic subgroup of GF (pi)∗ 2 2 ∈ × of order gcd(n /pi 1, pi 1). In addition w2 is uniquely determined by w1, since by lemma 6, − − n n n (w2, w1) = (w1, w2) = (w1, w2) = (w1 , w2 ).

ω mi Theorem 8 Let n be an odd composite number with prime power factorisation n = i=1 pi . The probability that n passes the plain Quadratic Frobenius Test of Algorithm 1 is bounded by Q H(n, c) max | | (c/n)= 1 R(n, c) − | ∗| and ω 2 2 2 H(n, c) 2(1 mi) (n/pi 1, pi 1) (n /pi 1, pi 1) − | | pi sel[(c/pi), −2 − , − 2 − ] R(n, c)∗ ≤ pi 1 (pi 1) | | iY=1 − − where we have used the notation sel[ 1, E , E ] for a conditional expression with the semantics 1 2 sel[ 1, E , E ] = E and sel[1, E , E ] = E . − 1 2 1 1 2 2 3 Extended Quadratic Frobenius Test

The extension we now add to the test is based on the fact that the multiplicative group in R(n, c) is cyclic of order n2 1 if n is prime. In general, let H be the subgroup of elements of order − 24 dividing 24. Since we test that n is not divisible by 2 or 3, 24 divides n2 1, so if n is prime, − H = 24. However, if n is not prime, H is the direct product of a number of subgroups, one for | 24| 24 each distinct prime factor in n, and we may have H >> 24. | 24| Suppose for the moment that we were magically given an element r24 of order 24, and that we could somehow produce a uniformly chosen element in H24. We could then test that this element is ω a power of r24. In the best case, H24 = 24 , so we would then discover that n is composite except 1 ω | | with probability 24 − . The problem is, of course, how to find a suitable element r24, and how can we be sure that H = 24ω, and how do we produce correctly distributed elements in H ? | 24| 24 To understand how we solve this, it may be helpful to see how a similar problem can be handled for the group Zn∗ : we choose a random z Zn∗ that “looks like a non-square”, i.e., subject to the ∈ (n 1)/2 restriction (z/n) = 1 and we verify that z − = 1 mod n. This must be the case, or n is u − − (n 1)/2 composite. Let 2 be the maximal 2-power dividing n 1. Then z − = 1 mod n implies that (n 1)/2u u u − − z − mod n has order 2 , and also that 2 divides the order of Zp∗ for any prime factor p in n. This allows to do further testing in a very simple way, namely by selecting z Z and verifying ∈ n∗ that z(n 1)/2 = 1. Each such test will have error probability 21 ω(n). − ≤ − Similarly, we make our extended Quadratic Frobenius Test (EQFT) with a special first iteration that allows very simple subsequent iterations each of which consists in taking a random z R(n, c) 2 ∈ and checking whether z = zn and z(n 1)/24 ri i = 0, . . . , 23 , where r R(n, c) is − ∈ { 24 | } 24 ∈ a primitive 24th root of 1 that is constructed in the first iteration. The first iteration must in

10 Algorithm 2 Extended Quadratic Frobenius Test (EQFT). First iteration: Require: input is an odd number n 5 ≥ Ensure: output is “composite” or “probable prime”, c Z , r R(n, c) , where (c/n) = 1 ∈ n 24 ∈ ∗ − and Φ24(r24) = 0. 1: if n is divisible by 2 or 3 return “composite” 2: if n is a perfect square or a perfect cube return “composite” 3: choose a small c with (c/n) = 1 (if n 2 mod 3 use c = 3) − ≡ − 4: compute r R(n, c) satisfying Φ (r) = r2 + r + 1 = 0 ∈ 3 5: select a random z R(n, c) with (N(z)/n) = 1 and res (z) = 1 ∈ ∗ − 3 6 6: if z = zn return “composite”. 6 2 7: Let r = z(n 1)/24. If r8 = r 1 or r12 = 1 return “composite”. 24 − 24 6 24 6 − 8: return “probable prime”, c, r24 Subsequent iterations:

Require: n, c, r24 Ensure: output is “composite” or “probable prime” 10: select random z R(n, c) ∈ ∗ 11: if z = zn return “composite” 6 2 12: if z(n 1)/24 ri i = 0, . . . , 23 return “composite” − 6∈ { 24 | } 13: return “probable prime”

addition ensure that all maximal cyclic subgroups of R(n, c)∗ have order divisible by suﬃciently high powers of 2 and 3 to ensure an error probability 241 ω in all iterations. This is done ≤ − by selecting a random z R(n, c)∗ that looks like both a nonsquare and a noncube, computing 2 ∈ 2 2 r = z(n 1)/24, and checking that z(n 1)/2 = 1 and that z(n 1)/3 = r 1, where r is a primitive 24 − − − − third root of 1. Our test is described in Algorithm 2. Before giving details of the implementation and the analysis, we discuss the relation to earlier tests.

3.1 Relation to earlier tests Grantham [13], Muller¨ [22] and Zhang [26] have used the simple square root of one test as it occurs in the Miller-Rabin test, viz. if n 1 = 2ms for s odd, then for random base z verify that either i − zs = 1 or z2 s = 1 for some i = 0, . . . , m 1. Muller¨ used the same idea for third roots of one. − − Berrizbeitia and Berry [4] gave a general formulation and analysis for using p’th roots of one in combination with the Fermat test. There are some practical issues with using these test for a prime p = 2. When p = 2, the test 6 just need to produce some x in an appropriate way and test x = 1 since this is always the unique − primitive square root of one. In case p = 2, the simple comparison to 1 must be replaced with 6 − either the stronger x r , r2, . . . , rp 1 test or the weaker Φ (x) = 0 test, where r is a primitive ∈ { p p p− } p p pth root of 1 and Φp is the pth cyclotomic polynomial, i.e. Φp(rp) = 0. The strong version of the test requires that rp is precomputed. The start-up cost of the Muller¨ test is essentially due to such precomputation related to third roots. However, when the root test is used in combination with the Quadratic Frobenius test (rather than the Fermat test) then roots may lie in the quadratic extension (rather than in Zn∗ ), which makes precomputation of such roots meaningless unless the representation of the quadratic extension is kept ﬁxed between iterations. None of the earlier tests (including Grantham, Muller,¨ Zhang) use a ﬁxed representation and hence they can not use the

11 strong version of the root tests for p n 1. 6 | − There are additional ineﬃciency problems with the above test. When p = 2 and a large power 6 of p divides n 1 (respectively n2 1), then it is slower to make the root test than to do the Fermat − − test (respectively QFT) alone. Muller¨ notes this as the reason why her algorithm slow downs when high powers of 3 divides n 1. It is even worse, if we want to test for pq’th roots of 1, where p, q − are primes, as one must do computations for both p and q, slowing down the test correspondingly. Muller¨ discusses this problem for p = 2, q = 3. Her solution is to replace the full = 1-test in − the p = 2 case with a scaled down version where she only checks that the quadratic residiosity computed by Jacobi symbol and powering, respectively, agree. Our algorithm has two crucial properties compared to the previous algorithms. We avoid the problem that an rth root of one test takes extra time when large prime powers • and/or several prime factors of r divide the supposed order of the group (in our case n2 1) by − computing only a single power of the randomly chosen base. Yet, we still get error probability r1 ω. The penalty is that the ﬁrst iteration takes longer time because we must select a ≤ − base that is a pth power nonresidue for all p dividing r. This technique can also be applied to the ordinary MR test.

We are able to make a strong rth-root of one test also when the involved roots lie in the • quadratic extension. We do this by having a fixed representation of the quadratic extension that is preserved between iterations. The penalty is that in the first iteration, we can only make a (partly) weak rth-root of one test. These properties allow us to extend the QFT efficiently with a 24th root of one test for all n. Because of the new character of our root test, we feel it is necessary to give a complete proof of its error bound, though the proof of course uses ideas similar to those used earlier. We start by some preliminaries about nonresidues before describing details of the implementation and the error analysis.

3.2 Quadratic and cubic (non)residuosity in R(n, c) Let us ﬁrst deal with quadratic nonresiduosity since that is very simple. All we need to know is included in the following lemma:

Lemma 9 Let n, c satisfy (c/n) = 1. − 1 z R(n, c)∗ (N(z)/n) = 1 = R(n, c)∗ |{ ∈ | − }| 2| | Proof. Since the map z (N(z)/n) is a multiplicative group homomorphism R(n, c) 1, 1 7→ ∗ 7→ {− } it suﬃces to argue that there is at least one z R(n, c) such that (N(z)/n) = 1. Let n = ∈ ∗ − ω pmi , i.e. (N(z)/n) = ω (N(z)/p )mi . Since (c/n) = 1, there must be some i for which i=1 i i=1 i − (c/p ) = 1 and m is odd. Modulo p , N(z) maps GF (p2) onto GF (p ), and therefore there is z Q i − i Q i i i with (N(z)/p ) = 1, and by the Chinese remainder theorem it is possible to get i − (N(z)/n) = ω (N(z)/p )mi = 1 for some z. i=1 i − To speak abQout and compute cubic residuosity We will be using the following deﬁnitions and facts, see f.x. [16]. Let Z[ζ] be the ring of integers extended with a primitive third root of unity ζ (complex root of z2 + z + 1). For α Z[ζ] let α¯ and N(α) = αα¯ denote complex conjugation and complex norm, ∈ respectively.

12 A unit in Z[ζ] is an element of norm 1. There are 6 units in Z[ζ]: 1, ζ, ζ 2. Two elements α, β Z[ζ] are said to be associates if there exists a unit such that α = β. ∈ A prime π in Z[ζ] is a non-unit such that for any α, β Z[ζ], if π αβ, then π α or π β. Z[ζ] ∈ | | | is a unique factorisation domain and the gcd of two elements in Z[ζ] is uniquely deﬁned up to multiplication with a unit. 1 ζ is a prime in Z[ζ] with N(1 ζ) = 3. Let p = 3 be a prime in Z. If p 2 mod 3 then p is − − 6 ≡ also a prime in Z[ζ]. If p 1 mod 3 then p = ππ¯, where π is a prime in Z[ζ] and π = gcd(p, r ζ) ≡ − for r 0, . . . , p 1 being a primitive third root of 1 modulo p, i.e. r2 + r + 1 0 mod p. ∈ { − } ≡ If α Z[ζ] is not divisible by 1 ζ then N(α) 1( mod 3). ∈ − ≡ The cubic residuosity symbol [ / ] : Z[ζ] (Z[ζ] (1 ζ)Z[ζ]) 0, 1, ζ, ζ 1 is a multiplicative · · × − − 7→ { − } homomorphism in both arguments. For prime π Z[ζ] where π is not associated to 1 ζ: ∈ − N(π)−1 [α/π] = (α 3 ) mod π,

(N(π) 1)/3 where the notation “. . . mod π” refers to the unique congruence value for α − among the elements 0, 1, ζ, ζ 1 . { − } We are now ready to make the connection between R(n, c) and Z[ζ].

Deﬁnition 10 For arbitrary n 5 with (n, 6) = 1, for arbitrary c with (c/n) = 1, assume there ≥ − exists an r = gx + h R(n, c) with r2 + r + 1 = 0, and if n 1 mod 3 assume in addition that ∈ ≡ r Z , i.e. g = 0. ∈ n Deﬁne res : R(n, c) 1, ζ, ζ2 Z[ζ] by 3 ∗ 7→ { } ⊆ [b2 ca2 / gcd(n, r ζ)], if n 1 mod 3 res3(ax + b) = − − ≡ [(b + a(ζ h)/g) / n], if n 2 mod 3 ( − ≡

The function res3 is a nice multiplicative homomorphism but for same composite numbers (f.x. n = 537, c = 3 and r = x/2 1/2) it is trivial. Fortunately, we only need it to be nontrivial − − − for prime n. In addition, we can speed up some later computations, when we know that it is also nontrivial for composite n 1 mod 3: ≡

Lemma 11 For arbitrary n, c, r satisfying the asssumptions of definition 10, the mapping res3 is a multiplicative homomorphism res : R(n, c) 1, ζ, ζ2 Z[ζ]. 3 ∗ 7→ { } ⊆ If n is a prime, or if n 1 mod 3 and n is not a perfect cube then res3 is surjective, i.e. 1 ≡ res− (1) = R(n, c) /3. | 3 | | ∗| Proof. For proof of the homomorphism property, observe that the second argument of the cubic residuosity symbol is either n or a divisor of n, and in any case is constant and independent of ax + b. Hence, it suffices to prove that the mapping of ax + b to the first argument of the cubic residuosity symbol is a multiplicative homomorphism when taken modulo n. For the case of n 1 mod 3, it suffices to note that b2 ca2 is the norm of ax + b in R(n, c), ≡ − and taking the norm is a multiplicative homomorphism. Next consider the case of n 2 mod 3. Note that ax + b = b + a(r h)/g. In addition, for ≡ − A, B Z the mapping of Ar + B to Aζ + B is a multiplicative homomorphism modulo n, since r ∈ and ζ are roots of z2 + z + 1 in the rings R(n, c) and Z[ζ], respectively. For proof of surjectivity, it suffices to find an element that is not mapped into 1. Consider first the case of n 1 mod 3 and n is not a perfect cube. Assume that n = ω pmi . ≡ i=1 i Since r2 + r + 1 = 0 mod n it must be the case that r2 + r + 1 = 0 mod p for r = r mod p , i i i i Q i

13 i.e. r is a primitive third root of 1 in Z . This is only possible if p 1 mod 3 for all i. i pi i ≡ Let π = gcd(p , r ζ). Then π is a prime of norm p in Z[ζ], and n = ω (π π¯ )mi . Let i i i − i i i=1 i i ν = gcd(n, r ζ). Since n N(r ζ) and p (r ζ) it follows that ν = ω πmi and N(ν) = n. − | − i 6 | − i=1 Qi Since n is a not a perfect cube there is m with 3 m , and we may assume 3 m without loss i 6 | i Q 6 | 1 of generality. Finally, we are ready to present an element that is not mapped into 1 by res3. Let z = 0 x + b R(n, c) be chosen such that b 1 mod p for all i 2 and b k mod p , where · ∈ ≡ i ≥ ≡ 1 Z (p1 1)/3 1 k is a generator of the multiplicative group p∗1 . In particular, this implies that k − = r1 modulo p (and therefore also modulo π ). Note also that r ζ modulo π . Using that the cubic 1 1 1 ≡ 1 residuosity symbol is a multiplicative homomorphism, one gets: ω 2 2 mi 2 m1 2 1 res3(z) = [b / ν] = [b / πi] = [k / π1] = [k / π1] iY=1 Using the deﬁnition of the cubic residuosity symbol, we continue the computation modulo π1:

2 2(N(π1) 1)/3 2(p1 1)/3 1 1 [k / π ] = k − = k − = r∓ = ζ∓ = 1 1 1 6 Consider next the case of n prime and n 2 mod 3. In that case n is a prime in Z[ζ] of norm n2. ≡ 2 Let k = ax + b be a generator of the multiplicative group R(n, c)∗ ∼= GF (n )∗. In particular, this (n2 1)/3 1 (n2 1)/3 implies that k − = r modulo n in R(n, c), or phrased diﬀerently, (b + a(r h)/g) − = 1 − r . As noted under the proof of the homomorphism property, such an equality is valid modulo n 2 in Z[ζ] when substituting ζ for r, i.e. (b + a(ζ h)/g)(n 1)/3 = ζ 1. Using the deﬁnition of the − − cubic residuosity symbol, one gets the following computation modulo n: res (k) = [b + a(ζ h)/g / n] 3 − (N(n) 1)/3 (n2 1)/3 1 = (b + a(ζ h)/g) − = (b + a(ζ h)/g) − = ζ = 1 − − 6

3.3 EQFT: Implementation The most nontrivial part of Algorithm 2 is lines 4 and 5. We divide in two cases depending on n’s residue class modulo 3.

Lemma 12 For n 5 with n 1 mod 3 and (c/n) = 1, we may ≥ ≡ − find some r Z with r2 + r + 1 = 0, or discover that n is composite • ∈ n find some z R(n, c) that is neither a square nor a cube or discover that n is composite • ∈ ∗ in time that is expected to be bounded by O(log2 n) plus the time taken by log n squarings and log n multiplications in Zn. Proof. Note that r = 1 1 √ 3, so we need to compute √ 3. If n 3 mod 4 this may be − 2 2 − − ≡ done as a = ( 3)(n+1)/4 mod n, and if a2 = 3 mod n then n is composite. If n 1 mod 4 we may − 6 − ≡ use the square root algorithm described by Muller¨ [23]. In all cases, we expect to find r within the time bound of the lemma. Lemmas 9 and 11 guarantees that 1/3 = 1/2 2/3 of all z R(n, c) satisfies both (N(z)/n) = 1 · ∈ ∗ − and res (z) = 1. Hence, we expect to make 3 attempts to find z. Each attempt costs O(log2 n) 3 6 time since it consists of a constant number of arithmetic operations in Zn combined with one Jacobi symbol computation, one gcd computation in Z[ζ] and one cubic residuosity symbol computation. An algorithm for doing the latter two in time O(log2 n) is described in [12].

14 Lemma 13 For n 5 with n 2 mod 3, let c = 3. ≥ ≡ − Then (c/n) = 1, and r = ( x 1)/2 R(n, c) satisﬁes r2 + r + 1 = 0. We may − − − ∈ ∗ ﬁnd some z R(n, c) that is neither a square nor a cube or discover that n is composite • ∈ ∗ 2 4 in time that is expected to be bounded by O(log n) plus the time taken by 3 log n squarings and o(log n) multiplications in Zn.

Proof. If n is prime then we may ﬁnd a z that is a non-square and a non-cube in expected time O(log2 n) by an argument similar to the one used in the proof of Lemma 12. If n is composite, then res3( ) may be trivial and we risk never succeeding in ﬁnding z. However, · 4 if n is composite, then a standard Miller-Rabin test is expected to need at most 3 attempts to discover that. This corresponds to the time bound of lemma. Since we don’t know whether n is prime or composite, we make a parallel approach. First try up to 4 random z, if neither of these have (N(z)/n) = 1 and res (z) = 1 we run a Miller-Rabin − 3 6 test. If the Miller-Rabin test results in “possible prime” we start all over again with 4 new z-values etc. We have already argued for the time bound in the case of n being composite. If n is prime the probability of at least one of the 4 z’s being acceptable is 1 16/81 > 3/4. Hence, the time bound − is also valid in that case.

Theorem 14 There is an implementation of algorithm 2 that on input n takes expected time equivalent to at most 2 log n + o(log n) multiplications in Zn per iteration, when assuming the ERH. The ﬁrst iteration is more complicated and takes additional time expected to be bounded by 2 O(log n) plus the time for log n squarings and log n multiplications in Zn.

Remark. The remarks about the use of “expected” and dependence on ERH following Theorem 4 are also relevant for this theorem. Proof. Lines 1-5 of the first iteration can be implemented using the techniques described in (the proofs of) Lemmas 12 and 13 and Theorem 4. This accounts for the stated difference in runtime between the first and subsequent iterations. The remaining part of the first iteration is not essentially different from the subsequent iterations. Let us concentrate on lines 10-12. For the selection of z R(n, c) in line 10, note that we need only select z R(n, c) 0 . If z is not ∈ ∗ ∈ \ { } invertible, we will discover that n is composite in line 12. We may assume that n = 24A + B for 0 < B < 24 and gcd(B, 6) = 1. Compute z A using the strategy from the proof of Theorem 4. This uses the allowed 2 log n + o(log n) multiplications n 24A+B n in Zn. Compute z = z (using O(1) multiplications) and verify z = z. Finally compute (n2 1)/24 A AB+(B2 1)/24 z − = z z − . This takes only O(1) multiplications and the used identity follows from zi = zni (that is implied by zn = z). Note that (B2 1)/24 is integral. −

3.4 EQFT: Error bound In this section, assume n2 1 = 2u3vs, where s is prime to 2,3, Using the notation of Lemma 7, − recall the structure of the group of liars of the plain QFT

H(n, c) H(n, p , c) H(n, p , c), (6) ' 1 × · · · × ω where the groups H(n, pi, c) are cyclic.

15 Lemma 15 If n passes the ﬁrst iteration of the EQFT then 2u3v divides H(n, p , c) for i = | i | 1, . . . , ω.

Proof. Let z be the base selected in the first iteration. Since n passed the test we must have (n2 1)/2 (n2 1)/3 2 z H(n, c), z − = 1 and z − is a root of Φ3(x) = x + x + 1. ∈ (n2 1)/2u − (n2 1)/2 Let w = z − = (w1, . . . , wω) with wi H(n, pi, c). Since z − = 1, we must have 2u−1 u ∈ (n2 1)/3v − wi = 1, i.e. wi has order 2 in H(n, pi, c). Similarly, let y = z − = (y1, . . . , yω). Since (n2 1)/3 − 2 3v−1 2 z − is a root of x + x + 1, we must also have yi is a root of x + x + 1, i.e. a primitive v third root of one in H(n, pi, c). Hence, yi has order 3 in H(n, pi, c). u v 0 1 k 1 Let k 2 3 . Assume r , a primitive kth root of 1 in R(n, c) exists, and let S r , r , . . . , r − . | k ∗ ⊆ { k k k } Define (n2 1)/k P r (S, n, c) = Pr( z − S z H(n, c) ) k ⊆ | ∈ Lemma 16 Assume 2u3v divides H(n, p , c) for i = 1, . . . , ω, then | i | ω P r (S, n, c) = S k− k | | · 2 Proof. The mapping f : z z(n 1)/k is a group homomorphism from H(n, c) into G G , 7→ − 1 ×· · ·× ω where Gi is the unique subgroup of order k in H(n, pi, c). For a surjective group homomorphism h : K L and a L it is always the case that h 1(a) = 7→ ∈ | − | K / L . Hence, if f is surjective then P r (S, n, c) = S H(n, c) / G G / H(n, c) = | | | | k | | · | | | 1 × · · · × ω| | | S k ω. | | · − So we need only argue that f is surjective. Let Hi be the unique (cyclic) subgroup of H(n, pi, c) of order 2u3v. It is enough to prove that f is surjective from H H into G G . 1 × · · · × ω 1 × · · · × ω By Chinese remaindering, it suffices to argue that the projection of f is surjective from Hi into Gi. u v But f = f f is a composition of f (z) = zs that is a permutation on H and f (z) = z2 3 /k. 2 ◦ 1 1 i 2 Hence, it suffices to prove that f2 is surjective from Hi into Gi, but that is immediate, considering that H is cyclic and H / G = 2u3v/k. i | i| | i|

Lemma 17 The probability that a composite n passes the ﬁrst iteration of the EQFT is at most

1 ω 6 − H(n, c) / R(n, c)∗ · | | | | The probability that a composite n passes a subsequent iteration of the EQFT is

1 ω 24 − H(n, c) / R(n, c)∗ · | | | | Proof. The statement for a subsequent iteration is an immediate consequence of Lemmas 15 and 16. For the first iteration there is the complication that we do not select z randomly in R(n, c)∗ but outside the kernels of the two homomorphisms (N( )/n) that maps into 1, 1 and res ( ) · {− } 3 · that maps into ζ, ζ 1, 1 , respectively. I.e. we choose z from a set of size R(n, c) /3. If 2u3v { − } | ∗| does not divide H(n, p , c) for some i then by Lemma 15, n will not pass the first iteration. If | i | 2u3v divides H(n, p , c) for all i then by Lemma 16, n has probability at most | i | 1 ω r, r− 6− H(n, c) /( R(n, c)∗ /3) |{− − }| · · | | | | of not passing the first iteration. This bound is easily rewritten to the expression in the statement of the lemma.

16 ω mi Theorem 18 Let n be an odd composite number with prime power factorisation n = i=1 pi , let Ω = ω m . i=0 i Q Let γ (n) denote the probability that n passes t iterations of EQFT (algorithm 2). γ (n) satisﬁes P t t the following inequalities:

γt(n)

ω 1 t(1 ω) H(n, c) t max 4 − 24 − ( | | ) ≤ (c/n)= 1 R(n, c) − | ∗| ω 2 2 2 ω 1 1 ω 2(1 mi) (n/pi 1, pi 1) (n /pi 1, pi 1) t − max 4 − (24 − pi sel[(c/pi), −2 − , − 2 − ]) ≤ (c/n)= 1 pi 1 (pi 1) − iY=1 − − ω 1 t(1 Ω) 4 − 24 − ≤ Remark. Note that if 2i3j divides n2 1 for i > 3 or j > 1 then our test and error analysis can − be improved, essentially replacing 24 by 2i3j. This has a nice consequence when comparing error probability with the time spent on the test. If n 1 mod 24 then we may use c 1, 2, 3 6≡ ∈ {− − − } and obtain a very eﬃcient implementation of arithmetic in R(n, c). Otherwise, if n 1 mod 24, ≡ we know that 48 n2 1 and we may modify the test and obtain a better error bound. | − 4 Worst case error

The classic Fermat test is known to have a very bad worst case performance because of the existence of Carmichael numbers. Such numbers have at least Ω = 3 factors. Combined with the Miller-Rabin 1 Ω 2 error bound, 2 − , this gives the well known worst case error bound 2− . For our test, a number n for which H(n, c) = R(n, c) for some c with (c/n) = 1 would ∗ − correspond to a Carmichael number for the MR test. It appears unknown whether any such numbers exist, but Grantham [13] essentially proved that any such numbers must have Ω 5 4 ≥ prime factors. To obtain a corresponding error bound 24− for our test, it is not enough to know that H(n, c) < R(n, c) for Ω 4. A stronger result is needed. ∗ ≤ Two techniques have been used in the literature. It is possible to parametrize the error probability with the size of the smallest prime divisor when Ω 4 [13, 22, 26]. To apply such a result, the ≤ primality test must eliminate small prime divisors using trial division. In addition Zhang showed that it is possible to get a bound of the form n c for Ω = ω 3 [26]. − ≤ We use both techniques to obtain bounds for our test. However, compared to the earlier tests,

We obtain bounds of the form n c for all n with Ω 4. Thus we can completely eliminate • − ≤ the need for trial divisions. 2/5 2/7 Our bound 2n− for the case of ω = 3 is stronger than Zhangs corresponding bound n− . Our proof uses functional analysis to derive inequalities for the error expression of Theorem 8 • for Ω = ω = 3, 4. Based on these inequalities, we get a simple derivation of both types of bounds for Ω = ω = 3, 4, compared to the computer calculations needed by Zhangs proof.

3 Lemma 19 Let n be an odd composite number that is the product of 3 distinct primes n = i=1 pi. Assume that p < p < p , then the following inequalities hold 1 2 3 Q 3 (n/p 1) 1 1 < i=1 i − < 1 + (7) 3 (p2 1) p2 1 Q i=1 i − 1 − Q 17 and 3 2 gcd(n/pi 1, pi 1) 1 2− − < 2 (8) pi 1 p1 1 iY=1 − − Proof. We start by proving (7). Deﬁne

(p p 1)(p p 1)(p p 1) f(p , p , p ) = 1 2 − 1 3 − 2 3 − 1 2 3 (p2 1)(p2 1)(p2 1) 1 − 2 − 3 − When diﬀerentiating f with respect to p3, one easily ﬁnds that under the assumption 1 < p1 < p2 < p3 then

(p1p2 1)p1p2 f(p1, p2, p3) < lim f(p1, p2, p3) = 2 − 2 p3 (p 1)(p 1) →∞ 1 − 2 − and (p p 1)2 f(p , p , p ) > f(p , p , p ) = 1 2 − 1 2 3 1 2 2 (p2 1)(p2 1) 1 − 2 −

When differentiating the simplified expressions with respect to p2 one finds that (assuming 1 < p1 < p2)

(p1p2 1)p1p2 1 f(p1, p2, p3) < lim 2 − 2 = 1 + 2 p2 (p 1)(p 1) p 1 →∞ 1 − 2 − 1 − and

f(p1, p2, p3) > f(p1, p1, p1) = 1

Finally, we consider the last inequality. Since

3 (n/p 1) 3 (n/p 1)/ gcd(n/p 1, p2 1) 1 < i=1 i − = i=1 i − i − i − 3 (p2 1) 3 (p2 1)/ gcd(n/p 1, p2 1) Q i=1 i − Q i=1 i − i − i − it follows that Q Q 1 3 (n/p 1) 1 1 + i=1 i − < 1 + 3 (p2 1)/ gcd(n/p 1, p2 1) ≤ 3 (p2 1) p2 1 i=1 i − i − i − Q i=1 i − 1 − which proves the Qlemma. Q

4 Lemma 20 Let n be an odd composite number that is the product of 4 distinct primes n = i=1 pi. Assume that 1 < p < p < p < p , then the following inequalities hold 1 2 3 4 Q 4 (n/p 1) 3 p3 < i=2 i − < p3(1 + ) (9) 1 4 (p2 1) 1 p2 1 Q i=2 i − 2 − and Q 4 2 3 gcd(n/pi 1, pi 1) 3p1 2− − < 2 (10) pi 1 p2 1 iY=2 − −

18 Proof. We start by proving the upper bound of (9).

4 (n/p 1) 4 n/p i=2 i − < i=2 i 4 (p2 1) 4 (p2 1) Q i=2 i − Qi=2 i − p3 Q = Q 1 4 (p2 1)/p2 i=2 i − i 4 Q3 1 = p1 (1 + 2 ) pi 1 iY=2 − 3 < p3(1 + ) 1 p2 1 2 − The lower bound is implied by (7):

4 (n/p 1) 4 ((n/p )/p 1) i=2 i − > p3 i=2 1 i − > p3 4 (p2 1) 1 4 (p2 1) 1 Q i=2 i − Q i=2 i − Finally, we consider theQ last inequality. Since Q

4 (n/p 1) 4 (n/p 1)/ gcd(n/p 1, p2 1) p3 < i=2 i − = i=2 i − i − i − 1 4 (p2 1) 4 (p2 1)/ gcd(n/p 1, p2 1) Q i=2 i − Q i=2 i − i − i − it follows that Q Q 1 4 (n/p 1) 3p3 p3 + i=2 i − < p3 + 1 1 4 (p2 1)/ gcd(n/p 1, p2 1) ≤ 4 (p2 1) 1 p2 1 i=2 i − i − i − Q i=2 i − 2 − which proves the Qlemma. Q Results similar to the following lemma are given by both Grantham, Muller¨ and Zhang. How- ever, since our proof is quite short, we include it for completeness.

ω mi Lemma 21 Let n be an odd composite number having complete prime factorisation n = i=1 pi , let Ω = ω m 4, and let c satisfy that (c/n) = 1. i=1 i ≤ − Q If p is the smallest prime factor of n, then H(n, c) / R(n, c) is bounded by the entries of the P | | | ∗| following table Ω = 2 Ω = 3 Ω = 4 4 ω = 1 p− ω = 2 (p2 1) 1 p 2 p 4 − − − − ω = 3 (p2 1) 1 p 2 − − − ω = 4 (p 1) 1 − − Proof. All the entries with Ω > ω are consequences of Theorem 8. For the entry with Ω = ω = 4, we argue that since (c/n) = 1 and 4 is an even number, we must have (c/p ) = 1 for − i some prime factor p of n. Hence, the bound (p 1) 1 is also implied by Theorem 8. For the i i − − entry with Ω = ω = 2, we have n = p1p2, and without loss of generality, we may assume that (c/p ) = (c/p ) = 1. By Theorem 8, we have 1 − 2 − H(n, c) gcd(p 1, p2 1) gcd(p2 1, p 1) 1 | | 2 − 1 − 1 − 2 − R(n, c) ≤ p2 1 · (p 1)2 ≤ p2 1 | ∗| 1 − 2 − 1 −

19 Finally, consider the case of Ω = ω = 3, i.e. n = p p p . The assumption (c/n) = 1 implies 1 2 3 − that (c/p ) = 1 either for all i or for precisely one i. Consider ﬁrst the latter case, and assume i − (c/p ) = 1 and (c/p ) = (c/p ) = 1. By Theorem 8, 1 − 2 3 H(n, c) 1 1 1 | | R(n, c) ≤ p 1 · p 1 ≤ p2 1 | ∗| 2 − 3 − − In the former case, (c/p ) = 1 for all i, and by the inequality of lemma 19, we have i − H(n, c) 1 | | R(n, c) ≤ p2 1 | ∗| −

ω mi Lemma 22 Let n be an odd composite number having complete prime factorisation n = i=1 pi , let Ω = ω m 4, and let c satisfy that (c/n) = 1. H(n, c) / R(n, c) is bounded by the i=1 i ≤ − | | | ∗| Q entries of the following table P Ω = 2 Ω = 3 Ω = 4 4/3 ω = 1 n− 2/3 2/3 10/9 ω = 2 2n− n− 2n− 2/5 2/3 ω = 3 2n− 2n− 2/15 ω = 4 2n−

Remark. It is an open question whether all bounds of the table are optimal. However, if n = p (p + (p2 1)/2) (p + p2 1) is a product of 3 distinct primes satisfying that p 1 mod 4 · − · − 2/5 ≡ then max(c/n)= 1 H(n, c) / R(n, c)∗ = 1/(p(p + 3)) > 0.5 n− . The smallest number on this − | | | | · form is n = 5 17 29, and heuristics suggest there are inﬁnitely many. Zhang [26] mentions another · · number from this sequence n = 41 881 1721. · · Proof. Case n = p1p2p3p4: The assumption (c/n) = 1 implies that (c/p ) = 1 either for precisely three i or for precisely − i − one i, and in the latter case we may assume that (c/p ) = 1 without loss of generality, 1 − 4 H(n, c) p2p3p4 1 1 2/3 | | min 1, 2 − 2n− R(n, c)∗ ≤ { p1 1 } · pi 1 ≤ | | − iY=2 − In the former case, where (c/p ) = 1 for precisely three i, we assume that (c/p ) = 1, i − 1 H(n, c) 1 p p p 1 p p p 1 | | min 1, 1 2 4 − 1 2 3 − R(n, c) ≤ p 1 · { p2 1 · p2 1 } | ∗| 1 − 3 − 4 − 1/6 2n− for p > p ≤ 1 2

We need the assumption p1 > p2 to make the above estimate. This is always possible after permutation of indices except when p1 is the smallest prime factor. In that case, we may assume that p1 < p2 < p3 < p4, and by Lemma 20 and the part of the previous argument that holds also when p1 < p2, we ﬁnd H(n, c) 1 p p p 1 p p p 1 3p3 | | min 1, 1 2 4 − 1 2 3 − , 1 R(n, c) ≤ p 1 · { p2 1 · p2 1 p2 1} | ∗| 1 − 3 − 4 − 2 − 2/15 2n− ≤

20 Case n = p1p2p3: The assumption (c/n) = 1 implies that (c/p ) = 1 either for all i or for precisely one i, and − i − in the latter case, we may assume without loss of generality that (c/p ) = 1: 1 −

H(n, c) p2p3 1 1 1 2/3 | | min 1, − 2n− R(n, c) ≤ { p2 1 } · p 1 · p 1 ≤ | ∗| 1 − 2 − 3 − In the former case, (c/p ) = 1 for all i. Without loss of generality, we may assume that p < p < i − 1 2 p3, and by lemma 19,

3 2 H(n, c) gcd(n/pi 1, pi 1) | | 2− − R(n, c)∗ ≤ pi 1 | | iY=1 − 1 p p 1 p p 1 min , 1 3 − 1 2 − ≤ {p2 1 p2 1 · p2 1 } 1 − 2 − 3 − 2/5 2n− ≤ The remaining cases are left to the reader (details may be found in [10]).

Theorem 23 Let n be an odd composite number. The probability that t iterations of the test of algorithm 2 result in the output “probable prime” when input n is bounded by

4 4t 8 18.36t γ (n) 4 24− 2 − t ≤ ≈ if either n has no prime factor 118 or n 242. ≤ ≥ Proof. Combine Theorem 18 and Lemmas 21 and 22.

5 Average Case Error

In this section we analyse what happens when we generate random probably primes by selecting candidates according to some distribution and subjecting each candidate to 1 MR test followed by up to t iterations of EQFT. We output the ﬁrst number that passes all tests. We might just as well have carried the analysis assuming that only EQFT was used, but by including an MR test in the algorithm and analysis, we obtain two advantages:

Consider the scenario, where candidates are selected as random k-bit numbers. We expect • to discard approximately k ln 2 composite numbers before finding a probable prime. It would be very inefficient to invoke EQFT on every composite number. By using an initial MR test, we expect to discard almost all composite candidates more efficiently, and we will only have to invoke EQFT on the final probable prime. In practice, one would screen for small prime divisors or use other tricks to eliminate some of the non prime candidates even more efficiently than by using the MR test. Any such method can be used without affecting the error estimates we give, as long as the extra testing reject no primes.

The error bound for the EQFT is worse for the initial iteration than for subsequent iterations. • However, when including an MR-test with the ﬁrst EQFT iteration, we partly eliminate this handicap.

21 We consider two cases. In the ﬁrst case k-bit numbers are selected uniformly at random and tested for primality until a number is found that passes MR and t iterations of EQFT. In the second case the tested numbers are not selected independently, but are of the form n0, n0 + 2, . . . with a random starting point n0. In both cases we give bounds on the probability that the found probable prime is a composite number. Our results in the two scenarios correspond to the results obtained for the MR-test by Damg˚ard, Landrock and Pomerance [9] and by Brandt and Damg˚ard [5], respectively. We note that the error bounds in [5] were either based on unproven number theoretic conjectures or were only valid for an algorithm that might terminate with no output. Here, we extend the techniques from [5] to analyse an algorithm that is guaranteed to generate output, without relying on conjectures.

5.1 Uniform Choice of Candidates k 1 k Let Mk be the set of odd k-bit integers (2 − < n < 2 ). Consider the algorithm that repeatedly chooses random numbers in Mk, until one is found that passes a single MR-test and t iterations of EQFT, and outputs this number. Let qk,t be the probability that this algorithm outputs a composite number. The rest of this section is aimed at ﬁnding estimates for qk,t. When running 1 iteration of the Miller-Rabin test and t iterations of our test on input n, the probability βt(n) of accepting n satisﬁes

2 1 Ω ω 1 t(1 Ω) (n/p 1, p 1) 1 t β (n) 2 − 4 − 24 − max − − , t ≤ · { p2 1 p 1} − − where p is the largest prime factor in n and Ω is the number of prime factors in n, counted with 1 Ω multiplicity. This bound follows from Theorem 18 combined with a factor 2 − arising from the independent Miller-Rabin test [9, Lemma 1]. Let σ = log 24 1/t. Using this and ω Ω, we can rewrite the estimate to t 2 − ≤ 2 σtt(1 Ω) (n/p 1, p 1) 1 t β (n) 2 − max − − , t ≤ { p2 1 p 1} − − Deﬁne βσ(n), for any positive σ, by:

2 σ(1 Ω) (n/p 1, p 1) 1 β (n) = 2 − max − − , (11) σ { p2 1 p 1} − − For any t and any composite n, the above estimate of βt(n) shows that 1 MR-test and t iterations t of EQFT accept n with probability no larger than βσt (n) . Now assume we have a (hypothetical) primality test that always accepts a prime and accepts a composite n with probability βσ(n). Suppose we used this test in place of EQFT when generating a probable prime, and let q be the resulting error probability. It is then clear that q q . So σ,k,t k,t ≤ σt,k,t to estimate q , it is enough to estimate q for all t 1 and all σ with log 24 1 σ log 24. k,t σ,k,t ≥ 2 − ≤ ≤ 2 We deﬁne C to be the class of odd composite integers with β (n) > 2 m. Since β (n) σ,m σ − σ ≤ 2σ(1 Ω) we have for n C that Ω < m/σ + 1. Let N(m, k, j) be the set of integers in C M − ∈ σ,m σ,m ∩ k with Ω = j. Then trivially,

C M = N(m, k, j) (12) | σ,m ∩ k| | | 2 j

22 For an n N(m, k, j) we have n > 2k 1 and Ω = j. This implies for the largest prime factor p ∈ − in n that p > 2(k 1)/j , and we have 1/(p 1) 2 (k 1)/j 2. − − ≤ − − · Now, let us assume that m + σ + 1 4σ(k 1). In general, it holds for any positive j ≤ − that 4σ(k 1) σj + (k 1)/j. This, together with the above estimate on 1/(p 1), gives us − ≤ − p − 1/(p 1) 2 m σ(1 j). −p ≤ − − − Now, (11) gives us that any n N(m, k, j) must satisfy ∈ 2 (n/p 1, p 1) 1 m σ(1 j) max − − , > 2− − − { p2 1 p 1} − − Inserting the estimate on 1/(p 1), we get − 2 (n/p 1, p 1) m σ(1 j) − − > 2− − − p2 1 − If we deﬁne p2 1 d(p, n) = − , (n/p 1, p2 1) − − m+σ(1 j) we have d(p, n) < 2 − . This means that for any prime p > 2(k 1)/j and integer d (p2 1) with d < 2m+σ(1 j), we can − | − − count the number of n M with the property that p n, d = d(p, n) and n is composite. This is at ∈ k | most the number of solutions to the system

p2 1 n = 0 mod p, n = p mod − , p < n < 2k d By the Chinese remainder theorem, the number of solutions is at most

2kd p(p2 1) − We therefore have 2kd N(m, k, j) | | ≤ p(p2 1) p>2(k−1)/j d<2m+σ(1−j), d (p2 1) X X | − − d = 2k p(p2 1) d<2m+σ(1−j) p>2(k−1)/j , d (p2 1) X X | − − Taking only the inner sum in this, and deﬁne T (d) to be the number of solutions x 1, 2, . . . , d ∈ { } to the congruence x2 = 1 mod d, we get d d 2 p(p2 1) ≤ p3 p>2(k−1)/j , d p2 1 − p>2(k−1)/j , p2 1 mod d X | − X≡ ∞ d 2 T (d) (k 1)/j 3 ≤ (du + 2 − ) uX=0 (k 1)/j T (d) ∞ 2 − 3 2 (u + )− ≤ d2 d uX=0

23 To bound the latter, we use the assumptions d < 2m+σ(1 j) and σj + (k 1)/j 4σ(k 1) − − ≥ − ≥ m + σ + 1: (k 1)/j p 2 − m+σ(j 1)+(k 1)/j > 2− − − 2 d ≥ 3 3 3 2 2 For c 2, it holds that ∞ (u + c) < c + ∞ x dx = c (1/c + 1/2) c . Using this, ≥ u=0 − − c − − ≤ − our inner sum above can be estimated as P R

d 1 2(k 1)/j T (d) 2 − − p(p2 1) ≤ p>2(k−1)/j ,d p2 1 X | − − Inserting into the expression for N(m, k, j) , we get | | k 1 2(k 1)/j N(m, k, j) 2 2 − − T (d) | | ≤ m+σ(1−j) d<2 X k 3σ/2+2+3m/2 3σj/2 2(k 1)/j 2 2 − − − ≤ Here, we have used that T (d) 2√d. Inserting the estimate for N(m, k, j) in (12), we get: ≤ | | Theorem 24 Let m, k be positive integers with m + σ + 1 4σ(k 1). Then we have ≤ − k+3σ/2+2 3m/2 p 3σj/2 2(k 1)/j C M 2 2 2− − − | σ,m ∩ k| ≤ 2 j m/σ+1 ≤ ≤X

Let us now choose some M with 3 M 4σ(k 1) σ 1 (this is possible if k 6). Using ≤ ≤ − − − ≥ exactly the same arguments as in Prop. 1 of [9p], we get that 2 Mt M C + M 2 (m 1)t M C ) q − | k \ σ,M | m=3 − − | k ∩ σ,m| σ,k,t ≤ π(2k) π(2k 1) P− − Prop. 2 of [9] says that π(2k) π(2k 1) 0.71867 2k /k. Let f(k) = 0.71867 2k /k. Then inserting − − ≥ · · the result of the theorem and changing summation order, we have

Mt+k 2 f(k)q 2− − + σ,k,t ≤ M/σ+1 M k+3σ/2+2 (m 1)t+3m/2 3σj/2 2(k 1)/j 2 2− − − − − j=2 m=σ(j 1) X X− Mt+k 2 = 2− − + M/σ+1 M t+k+3σ/2+2 3σj/2 2(k 1)/j m(3/2 t) 2 2− − − 2 − j=2 m=σ(j 1) X X− Numerical estimates for q q can obtained from this by choosing an optimal value of M k,t ≤ σt,k,t within the range given. Some sample results are shown in Table 1, which contains log of the − 2 estimates, so we assert that, e.g., q 2 155. 500,2 ≤ − To get an explicit expression, we can use the general inequality that for t 2, M 2m(3/2 t) ≥ m=x − ≤ 2x(3/2 t)/(1 23/2 t). We use this with x = σ(j 1). Moreover, we want to use the estimate for − − − − P q we derived above with M = 8σ(k 1)/t. Up to an additive constant, we can do this for all σ,k,t − 2 t k 1. Inserting this and substituting σ for σ, one easily obtains ≤ ≤ − p t

24 k t 1 2 3 4 \ 300 53 116 147 172 400 63 137 174 203 500 72 155 198 231 600 80 173 219 255 1000 106 229 290 339 2000 154 334 421 491 5000 252 542 682 796 10000 362 778 976 1140

Table 1: Lower bounds on log q − 2 k,t

Theorem 25 For 2 t k 1, we have that ≤ ≤ −

3/2 (σt+1)t 1/2 √2σttk qk,t is O(k 2 t− 4− )

In comparison, results in [9] for the corresponding probability pk,t for the Miller-Rabin test say, for instance, that p is O(k3/22tt 1/24 √tk) for 2 t k/9. In our case, σ is at least k,t − − ≤ ≤ t log 24 1 and approaches log 24 as t increases. Since 2 log 24 9.2, this analysis indicates that 2 − 2 2 ' if several iterations of EQFT are performed, then roughly speaking each iteration has the eﬀect of 9 Miller-Rabin tests Note that [9] contains sharper numeric estimates for the MR test than what the above type of analysis implies, and also more work has been done in this direction after [9], for instance [7]. These estimates are based on a result from [17] where a single iteration of the basic Fermat test is analyzed. It is possible that similar improvements could be obtained for EQFT. However, this could only work for a ﬁnite set of bit-lengths because the bounds from [17] vanish polynomially with increasing k, while our type of analysis (like the one from [9]) gives bounds that vanish faster. Hence, from a asymptotic point of view, the relative strengths of the MR and EQFT tests remain as indicated above.

5.2 Incremental Search The algorithm we have just analysed is in fact seldom used in practice. Most real implementations will not want to choose candidates for primes uniformly at random. Instead one will choose a random starting point n0 in Mk and then test n0, n0 + 2, n0 + 4, . . . for primality until one is found that passes t iterations of the test. Many variations on this theme are possible, such as other step sizes, various types of sieving, but the basic principle remains the same. The reason for applying such an algorithm is that test division by small primes can be implemented much more eﬃciently because one can exploit the fact that diﬀerent candidates are related (see for instance [6]). On the other hand, the analysis we did above depends on the assumption that candidates are independent. In [5], a way to get around this problem for the Miller-Rabin test was suggested. We apply an extension of that technique here. We will analyse the following example algorithm which depends on parameters t and s:

1. Choose n0 uniformly in Mk, set n = n0, and execute the following loop until it stops: (a) Run 1 MR-test and up to t iterations of EQFT on n, if n passes all iterations, output n and exit loop.

25 (b) Otherwise, set n = n + 2. If n n + 2s, exit loop, else go to step 1a. ≥ 0 2. If the loop in the previous step produced a number n, output n and stop. Otherwise, go to step 1.

So this algorithm tries incremental search from a random starting point until s candidates have been examined. If no probable prime was found, it tries again with a new starting point. Let qk,t,s be the probability that one execution of the loop (steps 1a-1b) outputs a composite number. To do this, we consider again the hypothetical test from the previous subsection, that accepts composites with probability βσ(n), and analyse what happens if we use this test in place of EQFT in the algorithm. We let qσ,k,t,s be the probability that one execution of the loop outputs a composite in this case. Then, in the same way as before, it follows that qk,t,s qσt,k,t,s. ≤ m Recall that we defined Cσ,m to be the set of odd composites with βσ(n) > 2− . From this, we define: D = n M [n..n + 2s[ C = , for m 3. Of course D = by the σ,m,k,s { ∈ k| ∩ σ,m 6 ∅} ≥ σ,2,k,s ∅ worst-case error bound. Since a number in Cσ,m can be in at most s different intervals of form [n..n + 2s[, we clearly have

Lemma 26 Dσ,m 1,k,s Dσ,m,k,s and Dσ,m,k,s s Mk Cσ,m − ⊂ | | ≤ · | ∩ | The idea with deﬁning the sets Dσ,m,k,s is that if we are lucky enough to choose a starting point n0 for the inner loop which is not in Dσ,m,k,s, then we know that all composites we will test before m the loop exits will pass with probability at most 2− . This translates into a bound on qσ,k,t,s as follows:

Lemma 27 Let s = c ln(2k) for some constant c. Then for any M 3, we have · ≥ M 2 Cσ,m Mk t(m 1) tM qσ,k,t,s 0.5(ck) | ∩ |2− − + 0.7ck2− ≤ Mk mX=3 | |

Proof. Let E be the event that we output a composite, and identify Dσ,m,k,s with the event that the starting point n0 is in Dσ,m,k,s. Then we have

M qσ,k,t,s = P (E (Dσ,m,k,s Dσ,m 1,k,s)) + P (E Dσ,M,k,s) ∩ \ − ∩ ¬ mX=3 M P (Dσ,m,k,s)P (E (Dσ,m,k,s Dσ,m 1,k,s)) + P (E Dσ,M,k,s) ≤ | \ − ∩ ¬ mX=3

Consider the case where some ﬁxed n D was chosen as starting point. Then no candidate 0 6∈ σ,m,k,s n we test will be in M C , and so will pass all tests with probability at most 2 mt. The k ∩ σ,m − probability of outputting a composite in such a case is clearly maximal when all numbers in the interval we consider are composite. In this case, we accept one of the candidates with probability at most s 2 mt. From this and Lemma 26, we get · − M 2 Cσ,m Mk t(m 1) tM qσ,k,t,s s | ∩ |2− − + s 2− ≤ Mk · mX=3 | | M 2 Cσ,m Mk t(m 1) tM 0.5(ck) | ∩ |2− − + 0.7ck2− ≤ Mk mX=3 | | 26 k t 1 2 3 4 \ 300 30 84 115 140 400 40 104 141 170 500 49 121 163 197 600 57 138 184 220 1000 82 192 253 302 2000 128 294 381 451 5000 223 498 638 752 10000 331 731 929 1093

Table 2: Estimates of the overall error probability with incremental search, lower bounds on log Q using s = c ln(2k) and c = 10. − 2 k,t,s ·

From this lemma and Theorem 24, we can directly get numeric estimates of q q for any k,t,s ≤ σt,k,t,s value of s, by choosing an optimal value of M. To analyse the overall error probability of the algorithm, observe that the inner loop always ter- minates when the starting point is a prime. This happens with probability (π(2k) π(2k 1))/ M − − | k| ≥ 2.8/k, by the estimates we gave earlier. Moreover, the error probability of our algorithm cannot be worse than that of a procedure that runs the inner loop up to k2 times and outputs a composite if all executions of the loop output “fail”. Clearly, the error probability of this modiﬁed algorithm is at most 2 Q = k2q + (1 2.8/k)k , k,t,s k,t,s − and so we have an estimate of the overall error, for any value of s. What remains is to consider the choice of s. Based on Hardy and Littlewoods prime r-tuple conjecture, it is shown in [5] that when s = c ln(2k), the probability of failure is less than 2 exp( 2c) · − for all large enough k (and is in fact essentially exp( 2c)). Overwhelming heuristic evidence shows − that this is an accurate estimate for realistic values of k 3. So for instance, for c = 10, we fail with 28 probability about 2− , or once in 256 million times. In other words, with such a choice of c, the algorithm will almost always terminate after one execution of the inner loop, so this gives us all the eﬃciency advantages of the incremental search method. Table 2 shows sample numerical results of the analysis, with c = 10.

References

[1] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. PRIMES is in P. Preprint 2002. Depart- ment of Computer Science & Engineering, Indian Institute of Technology, Kanpur Kanpur- 208016, INDIA. To appear in Annals of Mathematics.

[2] Eric Bach and Jeﬀrey Shallit. Algorithmic number theory. Vol. 1. Foundations of Computing Series. MIT Press, Cambridge, MA, 1996. Eﬃcient algorithms.

[3] Robert Baillie and Samuel S. Wagstaﬀ, Jr. Lucas pseudoprimes. Math. Comp., 35(152):1391– 1417, 1980.

3even though this was shown in [5] in connection with the MR test, the result applies to any algorithm of the form we consider here, as long as the test used always accepts a prime number

27 [4] Pedro Berrizbeitia and T. G. Berry. Generalized strong pseudoprime tests and applications. J. Symbolic Comput., 30(2):151–160, 2000.

[5] Jørgen Brandt and Ivan Damg˚ard. On generation of probable primes by incremental search. In Advances in cryptology—CRYPTO ’92 (Santa Barbara, CA, 1992), volume 740 of Lecture Notes in Comput. Sci., pages 358–370. Springer, Berlin, 1993.

[6] Jørgen Brandt, Ivan Damg˚ard, and Peter Landrock. Speeding up prime number generation. In Advances in cryptology—ASIACRYPT ’91 (Fujiyoshida, 1991), volume 739 of Lecture Notes in Comput. Sci., pages 440–449. Springer, Berlin, 1993.

[7] Ronald Joseph Burthe, Jr. Further investigations with the strong probable prime test. Math. Comp., 65(213):373–381, 1996.

[8] Lars Hesel Christensen. An experimental comparison of the Miller-Rabin and the extended quadratic Frobenius primality tests. Master’s thesis, Department of Computer Science, Uni- versity of Aarhus, June 2005.

[9] Ivan Damg˚ard, Peter Landrock, and Carl Pomerance. Average case error estimates for the strong probable prime test. Math. Comp., 61(203):177–194, 1993.

[10] Ivan B. Damg˚ard and Gudmund Skovbjerg Frandsen. An extended quadratic Frobe- nius primality test with average and worst case error estimates. Research Series RS- 03-9, BRICS, Department of Computer Science, University of Aarhus, February 2003. http://www.brics.dk/RS/03/9/index.html.

[11] Ivan Bjerre Damg˚ard and Gudmund Skovbjerg Frandsen. An extended quadratic Frobenius primality test with average and worst case error estimates. In Fundamentals of computation theory, volume 2751 of Lecture Notes in Comput. Sci., pages 118–131. Springer, Berlin, 2003.

[12] Ivan Bjerre Damg˚ard and Gudmund Skovbjerg Frandsen. Eﬃcient algorithms for gcd and cubic residuosity in the ring of Eisenstein integers. J. Symbolic Comput., 39(6):643–652, 2005.

[13] Jon Grantham. A probable prime test with high conﬁdence. J. Number Theory, 72(1):32–47, 1998.

[14] Andrew Granville. It is easy to determine whether a given integer is prime. Bull. Amer. Math. Soc. (N.S.), 42(1):3–38 (electronic), 2005.

[15] Seong-Min Hong, Sang-Yeop Oh, and Hyunsoo Yoon. New modular multiplication algorithms for fast modular exponentiation. In Advances in Cryptology - EUROCRYPT ’96, volume 1070 of Lecture Notes in Comput. Sci., pages 166–177, 1996.

[16] Kenneth Ireland and Michael Rosen. A classical introduction to modern number theory, volume 84 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1990.

[17] Su Hee Kim and Carl Pomerance. The probability that a random probable prime is composite. Math. Comp., 53(188):721–741, 1989.

[18] Donald E. Knuth. The art of computer programming. Vol. 2. Addison-Wesley Publishing Co., Reading, Mass., second edition, 1981. Seminumerical algorithms, Addison-Wesley Series in Computer Science and Information Processing.

28 [19] Alfred J. Menezes, Scott A. Vanstone, and Paul C. Van Oorschot. Handbook of Applied Cryp- tography. CRC Press, Inc., Boca Raton, FL, USA, 1996.

[20] Peter L. Montgomery. Modular multiplication without trial division. Math. Comp., 44(170):519–521, 1985.

[21] Siguna Muller.¨ A probable prime test with very high conﬁdence for n 1 mod 4. In Advances ≡ in cryptology—ASIACRYPT 2001 (Gold Coast), volume 2248 of Lecture Notes in Comput. Sci., pages 87–106. Springer, Berlin, 2001.

[22] Siguna Muller.¨ A probable prime test with very high conﬁdence for n 3 mod 4. J. Cryptology, ≡ 16(2):117–139, 2003.

[23] Siguna Muller.¨ On the computation of square roots in ﬁnite ﬁelds. Des. Codes Cryptogr., 31(3):301–312, 2004.

[24] Carl Pomerance, J. L. Selfridge, and Samuel S. Wagstaﬀ, Jr. The pseudoprimes to 25 109. · Math. Comp., 35(151):1003–1026, 1980.

[25] Jeﬀrey Shallit and Jonathan Sorenson. A binary algorithm for the Jacobi symbol. SIGSAM Bull., 27(1):4–11, 1993.

[26] Zhenxiang Zhang. A one-parameter quadratic-base version of the Baillie-PSW probable prime test. Math. Comp., 71(240):1699–1734 (electronic), 2002.