JSIAM Letters Vol.11 (2019) pp.53–55 c 2019 Japan Society for Industrial and Applied Mathematics J S I A M Letters

Quadratic Frobenius pseudoprimes with respect to x2 +5x +5

Saki Nagashima1, Naoyuki Shinohara2 and Shigenori Uchiyama1

1 Tokyo Metropolitan University, 1-1 Minamiosawa, Hachioji-shi, Tokyo 192-0397, Japan 2 National Institute of Information and Communications Technology, 4-2-1 Nukuikita-machi, Koganei-shi, Tokyo 184-8795, Japan E-mail nagashima-saki ed.tmu.ac.jp Received January 15, 2019, Accepted April 24, 2019 Abstract The quadratic Frobenius test is a primality test. Some composite numbers may pass the test and such numbers are called quadratic Frobenius pseudoprimes. No quadratic Frobenius pseudoprimes with respect to x2 +5x + 5, which are congruent to 2 or 3 modulo 5, have been found. Shinohara studied a specific type of such a quadratic Frobenius pseudoprime, which is a product of distinct prime numbers p and q. He showed experimentally that p must be larger than 109, if such a quadratic Frobenius pseudoprime exists. The present paper extends the lower bound of p to 1011. Keywords quadratic Frobenius pseudoprime, primality test, primality-proving algorithm Research Activity Group Algorithmic Number Theory and Its Applications

1. Introduction gruent to 2 or 3 modulo 5. He proposed an algorithm Prime numbers are currently used in many cryptosys- for searching for them and experimentally showed that p 9 tems. For example, RSA-2048 cryptosystem uses two must be larger than 10 if such a quadratic Frobenius 1024-bit prime numbers as its secret keys. To gener- pseudoprime exists. The present paper extends the lower p 11 ate those prime numbers, we can select two kinds of bound of to 10 . algorithms to determine whether a positive integer is a prime. One kind comprises primality tests and the oth- 2. Preliminaries ers are called primality-proving algorithms. A primal- Throughout this section, we assume that a, b are in- ity test is probabilistic; namely, some composite num- tegers such that Δ = a2 − 4b = 0 unless otherwise indi- bers may pass it. There are efficient primality tests such cated. as the Miller-Rabin test and the quadratic Frobenius Theorem 1 ([1]). Let f(x)=x2 − ax + b.Ifn is a O n 3 test whose time complexities are ((log ) )foragiven prime number and gcd(n, 2bΔ) = 1, then integer n. On the other hand, primality-proving algo-  rithms are deterministic algorithms, and thus no com- a − x f x ,n , Δ − , xn ≡ (mod ( ( ) )) ( n )= 1 posite numbers pass their tests. However, the known Δ (1) x (mod (f(x),n)), ( n )=1. primality-proving algorithms have high computational · costs or require certain information to be able to apply (( · ) is the Jacobi symbol.) them to a given integer n, for example, knowledge of the Definition 2 ( [1]). We say that a composite num- integer factorization of n − 1. ber n such that gcd(n, 2bΔ) = 1 is a quadratic Frobe- The AKS method is the only polynomial-time nius pseudoprime with respect to f(x)=x2 − ax + b primality-proving algorithm not requiring any additional if (1) holds for n. Next, let fpsp(a, b) denote the set information. However, the AKS method is not as practi- of all quadratic Frobenius pseudprimes with respect to cal as the Miller-Rabin test and the quadratic Frobenius f(x)=x2 − ax + b. test, because its complexity is O((log n)6). Definition 3 ([1]). We refer to an element of fpsp(a, b) It is expected to construct an efficient primality- such that ( Δ )=−1 as a quadratic Frobenius pseu- proving algorithm from some primality tests, by improv- n doprime of the second type with respect to f(x)= ing those tests. x2 − ax + b. We denote the set of such numbers by We consider the quadratic Frobenius pseudoprimes fpsp2(a, b). with respect to x2 +5x + 5. No quadratic Frobenius pseudoprimes with respect to x2 +5x + 5, which are Here, we give the equivalence condition for an element congruent to 2 or 3 modulo 5, have yet been found. Shi- being in fpsp2(a, b). nohara studied quadratic Frobenius pseudoprimes of the Definition 4 ( [1]). For a positive integer n satis- form pq with respect to x2 +5x +5,wherep and q are n, b fying gcd( 2 Δ) = 1, we suppose the factorization p q k+l ei Δ primes, is congruent to 1 or 4 modulo 5, and is con- n = p ,wherek, l are positive integers, ( )=−1 i=1 i pi

–53– JSIAM Letters Vol. 11 (2019) pp.53–55 Saki Nagashima et al. for i ∈ [1,k]and(Δ )=1fori ∈ [k +1,k + l]. More- pi 4. Algorithm over, let Φm(x)bethem-th cyclotomic polynomial and From Theorem 9, we have an algorithm which com- 2 f(x)=x − ax + b. Then, we refer to the set of the putes a solution to Grantham’s problem for n = pq. following conditions on (n, a, b)asICF2. Input: L (the list of all prime numbers composite number n is in if q ≡ t (mod mp)andq ≡±2(mod5) a, b n a, b fpsp2( ) if and only if ICF2 holds for and ( ). then QL ← QL ∪{q} 3. Grantham’s Problem for q ∈ QL do When considering the construction of a primality- mq ← (the order of x ∈ Fq[x]/f(x)) proving algorithm from the quadratic Frobenius test, the if mq | p − 1 then following very interesting problem arises, in which we fix PQL ← PQL∪{pq} f(x)=x2 +5x +5. return PQL Problem 6 (Grantham’s Problem [1–3]). Are there any composite numbers n such that 5. Experimental Results n ≡±2(mod5),xn+1 ≡ 5(mod(f(x),n))? (2) In our proposed algorithm, for one fixed p, the param- eter t is used to find prime numbers q satisfying Theo- The discriminant Δ is equal to 5 and n ≡±2(mod5), t Δ rem 9, namely, we try to compute t such that c1 ≡ c2 so ( n )=−1. Therefore, if there exists a composite num- t (mod p), c2 ≡ c1 (mod p), and q ≡ t (mod mp). Since ber n satisfying (2), then n is in fpsp2(−5, 5). 2 ct ≡ c p m t2 − m We assume that there exists an element of 1 1 (mod ), p is a factor of 1. But, p does t− f x fpsp2(−5, 5) which is a product of two distinct prime not divide 1, because ( ) does not have any multiple Z/pZ c ≡ c ≡ ct p numbers. In other words, we assume that there exist roots over ,andso 1 2 1 (mod ). Thus, the t Z/m Z × prime numbers p, q such that p ≡±1(mod5),q ≡±2 order of in ( p ) is equal to 2. Therefore, by the (mod 5), and pq is in fpsp2(−5, 5). We denote the set of approach explained in [1], which uses Chinese remainder Z/rer Z × r such numbers by fpsp2 2(−5, 5). theorem and elements of order 2 in ( ) where is a prime factor of mp and er is the largest integer such Lemma 7 . q e ([1]) Let be an odd prime number. Sup- that r r | mp, we can easily compute t if the prime fac- a, b Δ b − pose that are integers such that ( q )=(q )= 1, torization of mp is known. To compute all prime factors 2 where Δ = a − 4b.Letm be the order of x ∈ of mp for a given p in our experiments, we factorize p−1 2 s s Fq[x]/(f(x)) and q − 1=2t where t is odd. Then 2 by using the trial division algorithm. In a similar way, 2 divides m. we try to compute mq by factoring q − 1, however, we As q2 − 1=(q +1)(q − 1) is always divisible by 8, we need not to compute it in our experiments, due to the have the following. following reason. We found that there exist three odd prime numbers Corollary 8 ([1]). Let q be an odd prime number. t Δ b p ≡ 1, 9 (mod 40) such that there exists t satisfying c1 ≡ Suppose that a, b are integers such that ( q )=(q )= t c2, c2 ≡ c1 (mod p) in the algorithm. The only prime − a2 − b 11 1, where Δ = 4 . Then 8 divides the order of numbers p<10 that are potential candidates are x ∈ F x / f x q[ ] ( ( )). 521, 221401, and 1644512641. The corresponding triples From Theorem 5, Lemma 7 and Corollary 8, we have of (p, t, mp) are (521, 181, 260), (221401, 17549, 36900), the following theorem. and (1644512641, 152977919, 822256320). In all cases, t ≡± | m q ≡ t ≡± Theorem 9 ([1]). Let p, q be prime numbers such that 1(mod5)and5 p,so 1(mod5). 5 5 This contradicts q ≡±2 (mod 5). Thus, prime numbers ( )=1and( )=−1. Then there exist integers c1,c2 p q q such that pq ∈ fpsp2 2(−5, 5), with these three p’s do such that f(x) ≡ (x − c1)(x − c2)(modp). Let mq be not exist. the order of x ∈ Fq[x]/(f(x)). Then pq is in fpsp2(−5, 5) We implemented the proposed algorithm on if and only if the following conditions hold: Risa/Asir. The computer environment for our ex- p ≡ 1, 9 (mod 40),q≡±2(mod5), perimentsisasfollows: • mq | p − 1, CPU: Intel(R)Xeon(R)CPU E5-2620 v4, 2.10GHz, q q • Memory: 256GB, c1 ≡ c2 (mod p),c2 ≡ c1 (mod p). • OS: Windows10 Pro.

–54– JSIAM Letters Vol. 11 (2019) pp.53–55 Saki Nagashima et al.

The computation of the list of all prime numbers < 1011 requires about 190 hours, and it takes about 707 hours to perform the proposed algorithm. The total running time is about 897 hours (37 days).

6. Conclusion From our experiment, we found that there exist three odd prime numbers p ≡ 1, 9 (mod 40) such that there t t exists t satisfying c1 ≡ c2, c2 ≡ c1 (mod p) in the algo- 2 rithm, where x +5x +5≡ (x − c1)(x − c2)(modp). However, there is no element n = pq ∈ fpsp2 2(−5, 5), such that p, q are prime numbers, p ≡ 1, 9 (mod 40), and p<1011. The future tasks are to expand the search range and to narrow down the conditions for prime factors of elements of fpsp2 2(−5, 5). If we can prove t ≡±1(mod5)and 5 | mp for prime numbers that are candidates for p, then we can prove that no composite numbers exist in fpsp2 2(−5, 5).

Acknowledgments The authors would like to thank the anonymous re- viewer for his/her valuable comments. This work was partially supported by consigned research fund from NTT Secure Platform Laboratories.

References

[1] N. Shinohara, Inefficacious conditions of the Frobenius primal- ity test and Grantham’s problem, IEICE Trans. Fundamentals, E91-A (2008), 3325–3334. [2] R. Crandall and C. Pomerance, Prime Numbers: A Computa- tional Perspective, Springer, New York, 2001. [3] J. Grantham, Frobenius pseudoprimes, Math. Comp., 70 (2001), 873–891.

–55–