MASARYK UNIVERSITY FACULTY OF INFORMATICS

Baillie-PSW pseudoprimes

MASTER'S THESIS

Ondřej Krčma

Brno, Spring 2021

MASARYK UNIVERSITY FACULTY OF INFORMATICS

Baillie-PSW pseudoprimes

MASTER'S THESIS

Ondřej Krčma

Brno, Spring 2021

This is where a copy of the official signed thesis assignment and a copy of the Statement of an Author is located in the printed version of the document.

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Ondřej Krčma

Advisor: Mgr. Marek Sys, Ph.D.

i

Acknowledgements

I would like to thank Mgr. Marek Sys, Ph.D. for his invaluable advice during my work on this thesis. Computational resources were supplied by the project "e-Infrastruktura CZ" (e-INFRA LM2018140) provided within the program Projects of Large Research, Development and Innovations Infrastructures.

iii Abstract

The goal of this thesis is to examine and look for a weaker version of the Baillie-PSW pseudoprimes. First we examine the Fermat and the Lucas pseudoprimes and the divisibility properties of the order and the rank of appearance. We present the known theory and complete some missing proofs and algorithms. We also examine the notion of admissibility, which is the main necessary condition for the sought pseudoprimes. In the last chapter, we apply the theory and attempt to find the pseudoprimes in several special cases.

iv Keywords primality tests, pseudoprimes, Baillie-PSW, PSW-challenge pseudo- primes, rank of appearance, admissibility

v

Contents

Introduction 1

1 The Fermat test 3 1.1 Order of a modulo n 4 1.2 Fermat pseudoprimes to base 2 7

2 Lucas sequences 9 2.1 Computing Lucas sequences 10 2.2 Lucas pseudoprimes 13 2.3 Rank of appearance of n 15 2.4 Lucas pseudoprimes in the Fibonacci sequence 19

3 The Baillie-PSW test 21 3.1 Challenge pseudoprimes 22 3.1.1 Admissibility 23 3.1.2 Computing last prime 28

4 Search for challenge psudoprimes 31 4.1 Small prime factors 32 4.1.1 Admissibility from order and rank 33 4.1.2 Full version of the algorithm 34 4.2 Pseudoprimes of the form 2n_1 — 1 34 4.2.1 Primes with rank equal to a power of two .... 35 4.2.2 Mersenne primes 35 4.3 Two prime factors 36 4.3.1 Admissible primes p with e(p) = 1 37 4.3.2 Computing the other prime 37 4.4 Even number of prime factors 38 4.4.1 Case of p > 245 38 4.4.2 Case of p < 245 39 4.5 Lattice based solutions 40 4.5.1 Searching for the pseudoprimes 40 4.5.2 Transformation of the problem 41 4.5.3 Lattice for Fermat pseudoprimes 42 4.5.4 Example for Fermat pseudoprimes 43 4.5.5 Lattice for both Fermat and Lucas pseudoprimes 44

vii Conclusion

Bibliography

viii Introduction

Generating large random primes is a key component of cryptosystems such as RSA. However, deciding whether a random large (in the order of thousands of bits) integer is prime or composite is computationally expensive. There are two basic kinds of primality tests: deterministic and probabilistic. Deterministic tests will give us a definitive answer on whether the input integer is prime or not, but they are often too slow. In general, probabilistic tests are fast, however some composite integers also pass through. These composite integers which pass some probabilistic primality test are called pseudoprimes and the more pseudoprimes there are for a given test, the worse the test is. In this thesis we are looking for pseudoprimes for a weaker version of the Baillie-PSW test, because, so far, no pseudoprimes for this test have been found. The text of this thesis is split into four chapters. In the first chap• ter we introduce Fermat pseudoprimes and examine some of their properties, for example the order. In the second chapter we look at Lucas sequences and Lucas pseudoprimes. We briefly discuss how to compute Lucas sequences and then examine Lucas pseudoprimes and their properties, especially the rank of appearance. There are many similarities between the Fermat and the Lucas pseudoprimes, and the lemmas in the second chapter often parallel lemmas from the first chapter. In the third chapter we combine the two tests into the Baillie-PSW test and examine PSW-challenge pseudoprimes, which are composite integers passing the weaker version of the test. We mostly focus on the notion of admissibility, which is a strong neces• sary condition, which all PSW-challenge pseudoprimes must satisfy. And finally, in the fourth chapter we describe our attempts to find the PSW-challenge pseudoprimes. The reader is expected to be familiar with basic algebraic concepts such as the order of a group element, modular arithmetic or the Chi• nese Remainder Theorem. The first two chapters mostly cover the known theory, so a reader who is confident in their knowledge of Fer• mat and Lucas pseudoprimes may skip directly to the third chapter. However, we present some proofs and algorithms missing from the literature, and so we recommend starting from the beginning.

1

1 The Fermat test

One of the simplest primality tests is the Fermat test. Fermat's little theorem gives the following necessary condition which all primes must satisfy.

Theorem 1.1 (Fermat's little theorem). Let p be prime and a an integer such that a ^ 0 (mod p), then

aP'1 = 1 (mod p).

To test whether given n is prime, we choose a coprime to n (for example a = 2) and calculate an~x mod n. If the resulting value is not 1, then we are sure that n is not prime. Whereas if the result is 1, then n may or may not be prime. For example 2340 = 1 (mod 341), however 341 = 11 x 31 is a composite integer. Composite numbers which pass a primality test such as the Fermat test are called pseudoprimes. There are many different primality tests and an integer may be a pseudoprime relative to one test and not a pseudoprime relative to other tests. This gives us different types and definitions of pseu• doprimes, the first of which is the Fermat pseudoprime. Note that different authors may have slightly different definitions of the indi• vidual types of pseudoprimes. We will follow the terminology from [!]•

Definition 1. An odd composite integer n is a (Fermat) pseudoprime to base a if a""1 = 1 (mod n).

An integer n may be pseudoprime to some bases and not others, so if the test fails for one base, we may try another. Note that the set of bases to which n is pseudoprime forms a subgroup of Z*, so trying multiple bases one after another may lead to diminishing returns. The main problem however is that there exist Carmichael numbers, which are integers that are Fermat pseudoprimes to all possible bases. In 1994 Pomerance showed that there are infinitely many Carmichael numbers [2]. To get around this problem we may define stronger necessary conditions and stronger tests.

3 i. THE FERMAT TEST

Definition 2. An odd composite integer n is an Euler pseudoprime to base a if gcd(a, n) = 1 and

cf^ = ^—j (mod n), where (|) is the Jacobi symbol.

Clearly, an Euler pseudoprime is also Fermat pseudoprime. Be• cause of the multiplicative property of Jacobi symbols, the bases of an Euler pseudoprime still form a multiplicative group. However Lehmer showed that there are no integers which are Euler pseudoprimes to all possible bases [3] (i.e. there is no equivalent of Carmichael numbers for Euler pseudoprimes). Since the bases to which n is Euler pseudo- prime form a subgroup of Z* and n cannot be pseudoprime to all the bases, then n is pseudoprime to at most half of the possible bases. The test can be strengthened even further.

Definition 3. An odd composite integer n = d • 2s + 1, where d is odd, is a strong (Fermat) pseudoprime to base a if

ad = 1 (mod ft)

or ad-r = -1 (mod n)

for some 0 < r < s.

A strong (Fermat) pseudoprime is both Euler and Fermat pseu• doprime. Since it's an Euler pseudoprime, there are no equivalents of Carmichael numbers, but the bases no longer form a group. Unfortu• nately, there are still infinitely many strong pseudoprimes to any base [!]•

1.1 Order of a modulo n

In the rest of this thesis we will focus mainly on the basic Fermat test (in the second and the third chapters in combination with the Lucas test). In this chapter we present some properties of Fermat pseudoprimes and the order of base a modulo n.

4 i. THE FERMAT TEST

Definition 4. Given an odd positive integer n and a base a, the order of a modulo n is the least positive integer k such that

ak = 1 (mod n).

We will follow the notation of Pomerance, Self ridge and Wagstaff [1] and denote the order as la (n). The reason we do not follow the standard notation of ordn (a) is that in this context the order is a property of the modulus n and not of the base a.

k It is well known [4] that if a = 1 (mod n), then la{n) \ k. This means that if n is a Fermat pseudoprime, then la(n) \ (n — 1). The order la (n) also divides the group order (p{n), where cp denotes Euler's totient function. This leads to the following result.

Lemma 1.2. Let pbe a prime and n = pkbe a Fermat pseudoprime to base a, then

la(p) | p - 1 and la(p) \ k-l.

Proof. Since p is a prime, we immediately get la(p) \

(mod la{p))- • The previous lemma formulates a necessary condition for n being a Fermat pseudoprime, and if n has exactly two prime factors, then the condition is also sufficient, as demonstrated by the following lemma.

Lemma 1.3. Let n = pq where p, q are distinct primes and a be a base, then n is a Fermat pseudoprime to base a if and only if

la(p) | q-1 and la(q) \ p - 1.

Proof. One direction of the proof is given by Lemma 1.2, so let's assume la{p) \q-l and la(q) \ p - 1. Then

n - 1 = (p - l)(q - 1) + (p - 1) + (q - 1) = 0 (mod la{p)), which means that an~x = 1 (mod p).

5 i. THE FERMAT TEST

Similarly

an~x = 1 (mod q).

and by Chinese Remainder Theorem

an-i = (mod pq = n).

•

In the proof we used the fact that if p is prime, then la(p) \ p — 1. Fermat pseudoprimes have the same property, so we can generalize the lemma in the following way

Lemma 1.4. Let n = kl where k, I are either primes or pseudoprimes to base a and gcd(fc, I) = 1. Then n is a Fermat pseudoprime to base a if and only if

la(k) | / — 1 and la(l) \ k — 1.

Proof. The proof is analogous to the proof of Lemma 1.3. •

1 1 1 1 If la(k) | / - 1, then a ' = 1 (mod k) and so a ' >k + l. This inequality is not particularly strong, however, for example, if a = 2 and n = pq where p < q are primes, we get p • 7P~X > pq + p > n, and so to find all pseudoprimes with two prime factors, one of which is p, we only have to check positive integers up to p • 2p_1. This method tells us, for example, that there are no Fermat pseudoprimes to base 2 with exactly two prime factors one of which is 3,5 or 7. For 11 there's exactly one such pseudoprime 341.

As we've seen, the order la(n) gives us some necessary or even sufficient conditions for n being a pseudoprime, so the natural question

is: how do we compute la(n)7 In Handbook of Applied Cryptography [4] the authors give the following algorithm for computing the order of an element in a finite group. Later we will derive similar algorithm for the rank of appearance in Lucas sequences.

6 i. THE FERMAT TEST

Algorithm 1: Computing order la(n) [4]

Input: An odd positive integer n with prime factorization of the order of the group

Output: Order of a modulo n.

1 t <-

2 forall z do t <- ř/pf

fli «— «ř mod n

while «i 1 do

flj «— fl^' mod n

t 4-t-pi

8 return f

1.2 Fermat pseudoprimes to base 2

In the rest of this work we will consider Fermat pseudoprimes mostly to base 2, since that's the base in the Baillie-PSW test. The follow­ ing lemma gives a way of constructing infinite sequence of Fermat pseudoprimes.

Lemma 1.5. Let nbe a positive integer such that

2""1 = 1 (mod n), then

2(2«-l)-l = 1 (mod2"-l).

Proof. Let 2n~1 = 1 (mod n), then there exists integer k such that

2„_i _ 1 = kn^

2(2«-l)-l = ^(Z-i-l) = 22fc„ = _ ! (mod 2« _ 1}

•

7 i. THE FERMAT TEST

In other words, if n is prime or pseudoprime, then 2n — 1 is Mersenne prime or pseudoprime. For Mersenne primes however, it holds that if 2n — 1 is prime, then n is also prime. This means that if n is pseudo- prime, then 2n — 1 is also pseudoprime.

Lemma 1.6. Let p be an odd prime and n = pak be a Fermat pseudoprime, then 2^-1 = l (modpa).

Proof. Since p is a prime, hip01) |

h{pa) \p-l\pa-l. •

A prime p is called Wieferich prime iih(p2) \ p — 1. The proof of the previous lemma shows that, for pseudoprime n, if pK \ n, then p has to be a Wieferich prime. The only two known Wieferich primes are 1093 and 3511 and there are no other Wieferich primes up to 1017 [5].

8 2 Lucas sequences

In this chapter we discuss Lucas sequences, their properties and pri- mality tests, which are analogous to the Fermat test. We start with the definition of Lucas sequences.

Definition 5. Let P, Q be integers such that D = P2 - 4Q ^ 0, then we define Lucas sequence of the first kind Un(P, Q) as

Uo(P,Q)=0,

U1(P,Q) = lr

Un{P,Q) = PUn-ifrQ) - QUn.2(P,Q)

and Lucas sequence of the second kind Vn(P, Q) as

V0(P,Q)=2,

V1(P,Q)=P,

Vn{P,Q) = Pyn_i(P,Q) - QVn-2(P,Q)-

If P, Q are clear from the context or they are not relevant at the moment, we will omit them and write Un or Vn instead of Un(P, Q) or Vn(P,Q). Lucas sequences are sometimes defined equivalently [6] in the following way. Given characteristic equation x2 — Px + Q = 0, where

2 E D = P - 4Q ^ 0, with roots a = and b = ^-/ we define the Lucas sequences as

in -bn Un = - u — V and

n n Vn = a + b .

We will always use Lucas sequence of the first kind, unless stated otherwise. If P = 1 and Q = — 1, we get a sequence where each element is the sum the two previous elements, i.e. Un = \ln-\ + U-n-i- This sequence is known as the Fibonacci sequence and later we will focus mainly on tests based on this sequence.

9 2. LUCAS SEQUENCES

2.1 Computing Lucas sequences

In 1995, Joye and Quisquater [7] gave an efficient algorithm for com• puting Lucas sequences. Koval [8] gave the following slightly faster version of their algorithm.

Algorithm 2: Computing Un and Vn

Input: Integers P, Q such that P2 — 4Q ^ 0 and n with binary representation n = J^bj2', bj £ {0,1}.

Output: Elements of Lucas sequences Un and Vn.

2 Qi <- 1, Qfc <- 1

3 for z «— [log2 n] — 1 to 0 do

* Q/ <- Q/ • Qh

5 if = 1 then

6 Qh <- Q/ • Q

7 y; ^ y,,. y; _ P . Q;

8 Vfc <- Vfc • Vft - 2Qh

9 else

10 Qh <- Q; 11 V^Vft-Vi-P-Q,

12 [ L Vi Vi - Vi — 2Qh

2 13 LIn^(2^-P-V,)/(P -4Q)

14 return JIn, Vj

We will derive an algorithm (for computing Lucas sequences of the first kind) from the fact that elements of Lucas sequences can be

represented as matrices [9], which allows us to compute Un as the corresponding matrix An (as proven by the following lemma).

Lemma 2.1. Given a Lucas sequence Un(P, Q) and a matrix

10 2. LUCAS SEQUENCES it holds that

j^n | ~QUn—i Un

-QUn Un+\

Proof. By induction

A1'A = (~QUn-i Un\(<> 1

-QUn Un+J \-Q P,

-QUn -QUn-l+PUn

QUn+l -QUn+PUn+h

-QUn £4+1 | _ j±n+\

-QUn+l Un+2/ •

n So, to compute Un, we can compute A and take the upper right element. Matrix multiplication is associative and so we can use double- and-add method to compute An. From

QUn-i Un A2n

— QUn Un+\/

Q2^_! - QUI -QUn-lUn + UnUn+1

2 KQ Un-lUn ~ QUnUn+1 ~QUn + we get

Uj_n — —QUn-\Un + UnUn+l

— = (Uw+1 PUn) Un + UnUn+i

= 2UnUn+l-PUl and 2 2

^2«+i = —QUn + un+1, which gives us the double step in the following algorithm.

11 2. LUCAS SEQUENCES

Algorithm 3: Computing Un

Input: Integers P, Q and n = E&j2', b{ £ {0,1}.

Output: Element of Lucas sequences Un. u<-0

2 y<-i

3 for z «— [log2 wj to 0 do

Z <— X

x <— 2x1/ — Px2 > double step

y <- -Qz2 + y2

if bj = 1 then z •(— x

9 x^y add step 10 y <- Py - Qz li return x

Algorithm 3 illustrates the double and add method, but it can be improved. Instead of using the temporary variable z, we can precom- pute the squares x2 and y2 and join both double and add steps into one as in Algorithm 4. Algorithm 4 is slightly faster than Algorithm 3 and as an added benefit, both branches of the if statement take about the same time to compute, which might make this algorithm more resistant to timing attacks. We have implemented the four algorithms for parameters P = 1, Q = —1 in C++ using the NTL [10] library for big integers and we have briefly examined their relative performance. The original algorithm by Joye and Quisquater is about 20% slower than the other three. We have also implemented modular versions of the algorithms using the modular arithmetic package of NTL. For small moduli (up to about 250), Algorithms 2,3 and 4 are similar in performance, but for larger moduli Algorithm 2 starts to be slightly faster. Algorithm 2 however, uses division on line 13, which is not defined in the modular version if the modulus is not coprime to P2 — 4Q. For this reason we mostly use Algorithm 4.

12 2. LUCAS SEQUENCES

Algorithm 4: Computing Un

Input: Integers P, Q and n = E&j2', e {0,1}.

Output: Element of Lucas sequences Un.

1 X

2 y<-i

3 for z «— [log2 wj to 0 do

4 X2 <— X 5 6 if = 1 then

y <- -2Qxy + Py2 7

x < Qx2 + yi 8 else 9 10 x 2xy — Px2

11 y i Qx2 +y2

12 return x

2.2 Lucas pseudoprimes

Lucas [11] and Lehmer [12] discovered the following property of Lucas sequences, which is analogous to Fermat's little theorem.

Theorem 2.2. Let p be an odd prime and P, Q integers such that p\Q and D = P2 - 4Q ^ 0 then

Up-e(p) = 0 (mod p), where e(p) is the Legendre symbol (j\

Proof. For a concise proof see Theorem 3 in [9]. •

Based on this theorem, Baillie and Wagstaff [6] defined Lucas pseudoprimes in the following way.

13 2. LUCAS SEQUENCES

Definition 6. Let n be an odd composite integer and P, Q integers such that gcd(n, Q) = 1 and D = P2 — 4Q ^ 0, then n is a Lucas pseudoprime with parameters P, Q if

Un-e(n) = 0 (mod ")/ where e(n) denotes the Jacobi symbol (^). Similarly to Fermat pseudoprimes, an integer can be Lucas pseudo- prime to some parameters P, Q and not pseudoprime to others, which means that we may define numbers analogous to Carmichael numbers. Williams [13] defined these numbers as positive integers n having the following property: given positive integer D, for all integers P, Q such that gcd{P, Q) = 1, P1 - 4Q = D and gcd{n, QD) = 1, it holds

that Lfn_e(n) (P, Q) = 0 (mod n). These numbers are called absolute Lucas pseudoprimes to discriminant D. For example, for D = 5 we get n = 323 = 17 • 19. And as with Fermat pseudoprimes, we may define stronger versions. Definition 7. An odd composite integer is an Euler Lucas pseudo- prime with parameters P, Q if gcd(n, QD) = 1 and

U(n-e(n))/2 = 0 (mod Yl) for (0\ = +1

or

V(n-e(n))/2 = 0 (m°d ») f°r f^l = ~1-

Since U2n = UnVn (see [14]), Euler Lucas pseudoprimes are also Lucas pseudoprimes. And as there are no stronger Carmichael num• bers for Euler pseudoprimes, Williams [13] showed that there are no absolute Euler Lucas pseudoprimes. And finally we define strong Lucas pseudoprimes. Definition 8. And odd composite integer n is a strong Lucas pseudo- prime with parameters P, Q, iigcd{n, D) = 1 and for n — e(n) = d • 2s, where d is odd, either

Ud = 0 (mod n)

or

Vd-2r = 0 (mod n) for some 0 < r < s. Strong Lucas pseudoprimes are Euler Lucas pseudoprimes.

14 2. LUCAS SEQUENCES

2.3 Rank of appearance of n

In this section we will examine the so called rank of appearance (or rank of apparition), which is a notion analogous to order in Fermat pseudoprimes.

Definition 9. Given a positive integer n and parameters P, Q defining a Lucas sequence, the rank of appearance of n is the least positive integer k such that Ujt = 0 (mod n).

We will denote it as coprQ(n) or simply as co(n).

As a corollary of Theorem 2.2, for prime p \ Q, the rank of appear• ance co(p) exists. In general, the rank co(n) exists, if gcd(n, Q) = 1, which can be shown using the correspondence between and the matrix Ak (Lemma 2.1). Matrix A is invertible modulo n if and only if det(A) = Q is a unit modulo n, i.e. gcd(n, Q) = 1. Which means that if gcd(n, Q) = 1, then there exists k such that Ak = I (mod n), where I is the identity matrix, i.e. 11^ = 0 (mod n).

k Order la (n) of a modulo n has the property that a = 1 (mod n) if and only if la (n) \ k. We will show that the rank behaves analogously.

Lemma 2.3. Let k be an integer such that U\ = 0 (mod n), then for any integer I, it holds that Ujy = 0 (mod n).

Proof Let A be the matrix corresponding to 14/• It can be computed modulo n as

v ' V 0 uk+iJ

1 = ((-QUk-i) 0 (mod n), V 0 uUi which means that 1% = 0 (mod n). •

Lemma 2.3 shows that for any integer multiple kco(n) of the rank of appearance, it holds that Ukco^ = 0 (mod n). The following lemma shows the property of the opposite direction.

15 2. LUCAS SEQUENCES

Lemma 2.4. Let fc be an integer such that 14 = 0 (mod n), then coin) \ k.

Proof. Let = 0 (mod n), then the corresponding matrix Ak is

equivalent to \ ] modulo n, and similarly for LZ^/^ = 0 (mod n), \0 b J

W C the corresponding matrix A W is equivalent to [ j modulo n, \0 dJ where gcd(abcd, n) = 1. And so, we can compute Ujc-a>(«) m°d n as

1 U 0\ fc oY ^ fac" o \ (mod ^ which means that Ujc-a>(«) = 0 (mod n). By repeatedly subtracting

o;(n) from we get LTfc mod w^ = 0 (mod n). If w(n) f fc, then 0 < k mod oj(n) < co(n). However, by definition of the rank to(n), it holds that a?(n) > fc mod a;(n), therefore a;(n) | fc. •

So overall, LI^ = 0 (mod n) if and only if cv(n) | fc.Not e that it doesn't mean that the rank is the period of the sequence. For example for the Fibonacci sequence, as can be seen from the following table,

co(3) = 4, but U3 = 2 ^ 1 = 13 = U7 (mod 3).

n 0 12 3 4 5 6 7 8 9 10 11 u„ 0 112 3 5 8 13 21 34 55 89

Un mod 3 0 112 0 2 2 1 0 112

The rank co(n) divides the period n(n), however the rank of ap• pearance is more suitable for examining the pseudoprimes because if LZ/c = 0 (mod n) it doesn't necessarily mean that n(n) | fc. For more details about the period see [9]. Another property the order has is that given some base a and

modulus n and its prime factorization n = Ylpf'/ the- order la(n) is

equal to the least common multiple of the individual orders la(p^'). The following lemma shows, that the rank has the same property.

Lemma 2.5. Let nbea positive integer with prime factorization n = T~[ p*',

0i 1 then cv(n) = lcmi{co{p i )).

16 2. LUCAS SEQUENCES

Proof. Let cfi = p^. By definition = 0 (mod qi). Since co(qi) \ lcmi(co(qi)), from Lemma 2.3 we get Uicm.^^.)) = 0 (mod ^,-). By Chinese Remainder Theorem Uicm.^^.)) = 0 (mod n), and so co(n) \ \cmi(co(qi)). Since ^ | n and LT^) = 0 (mod n), it holds that = 0 (mod qi), so a?(^) | a?(n) for each i. Therefore overall, lcnii(co(qi)) | co(n) | lcmz(o;(^)), which means that co(n) = lcm,(a;(qi)). •

Renault [9] shows that for prime power pa, it holds that co(pa) \ _ e(p)). Which means that for n = T~[pt*' we may define func• tion ip(n) = YlPi'^iPi — e(Pi)) such that co(n) | ip(n). The function xp is analogous to Euler's totient function cp(n) = T~[ p°\l~X (p — 1). From now on we will consider only pseudoprimes n such that e(n) = — 1, because in the Baillie-PSW test the parameters P, Q are such that e(n) = —1. As we will see later, this makes the test stronger.

Similarly as for la(n) we can derive the following three lemmas for co(n).

Lemma 2.6. Let p be a prime and n = pkbe a Lucas pseudoprime (such that e(n) = —1), then co(p) | p-e(p) and co(p) | k — e(k).

Proof. We already know from Theorem 2.2 that co(p) \ p — e(p).

0 = n — e(n) = (p — e(p))(k + e(k)) — pe(k) + ke(p) = pe(p) + ke(p) = e(p)(k — e(k)) (mod co(p)) •

Lemma 2.7. Let n = pq, where p,qare distinct primes (such that e(n) = —1), then n is a Lucas pseudoprime if and only if

co(p) | q-e(q) and co(q) | p-e(p).

17 2. LUCAS SEQUENCES

Proof. One direction of the proof is given by Lemma 2.6, so assume co(p) | p — e(p) and co(p) | k — e(k). Then

n - e(n) = (p - e(p))(q + e(q)) + qe(p) - pe(q) = e(q)e(p) - e(p)e(q) =0 (modw(p))

Similarly, n — e(n) = 0 (mod co(q)) and so by Chinese Remainder Theorem n — e(n) = 0 (mod lcm(cv(p),cv(q)) — cv(n)). •

Lemma 2.8. Let n = kl, where k, I are either primes or Lucas pseudoprimes {such that e(n) = —1) and gcd(k,l) = 1. Then n is a Lucas pseudoprime if and only if co(k) | l-e(l)

and co(l) \ k-e{k).

Proof. The proof is analogous to the proof in Lemma 2.7. •

To compute the rank, we may employ the following algorithm, which is built on similar principles as Algorithm 1 which computes the order.

Algorithm 5: Computing co(n)

Input: An odd positive integer n with prime factorization otxp{ri) —Ylpf' and integers P, Q such that n\Q and P2 - 4Q ^ 0

Output: Rank of appearance win)

1 t <— ip(n)

2 forall i do

t <- t/p?

a\ *r- Ut mod n

while «i 0 do

a\ *r- Utpi mod n

t 4-t-pi

8 return t

18 2. LUCAS SEQUENCES

The values UtVi mod n on line 6 can be computed either by one of the algorithms from Section 2.1 with time complexity C(log(fpz-)) or the whole algorithm can be slightly modified to store and compute

t Ut as the corresponding matrix A and then UtVi can be computed as

AtPi = (Atyi ^ O(iog(p.)) time.

2.4 Lucas pseudoprimes in the Fibonacci sequence

In the rest of this work we will consider Lucas pseudoprimes mostly with parameters P — 1, Q — — 1, i.e. to the Fibonacci sequence. Let n be a Fermat pseudoprime to base 2 and p some prime, then if p2 | n, we know that p has to be a Wieferich prime, i.e. it has to satisfy h(p2) \ P — 1- There are only two known Wieferich primes, and so when searching for pseudoprimes we can mostly limit our search to square free integers. For Lucas pseudoprimes (to the Fibonacci sequence) there's an analogous type of primes: Wall-Sun-Sun primes. Let p be a prime and n = pak a Lucas pseudoprime such that e(n) 7^ 0. Then co(pa) | co(n) \ pak — e(n), which means that p \ co(pa). Since co(pa) | ip(pa) = pa~1(p — e(p)) and p \ co(pa), we get

cv(p2) | cv(p«) | p-e(p).

Primes p such that co\-\(p2) \ p — e\-\{p) are call Wall-Sun-Sun primes. There are no known Wall-Sun-Sun primes and all primes have been checked up to 28 • 1015 [5].

19

3 The Baillie-PSW test

In 1980 Baillie, Pomerance, Self ridge and Wagstaff examined Fermat pseudoprimes [1] and Lucas pseudoprimes [6] and noticed that if the parameters are chosen properly, then the two tests seem to be independent. Based on this observation they devised the following primality test [6]. Given an odd integer n which we want to test for primality, perform the following steps:

1. Optionally perform trial division test to some convenient limit. In other words, try dividing n by all primes up to the limit. If some such prime divides n, then n is composite, otherwise continue.

2. Perform strong Fermat test to base 2. If n fails, then it is composite, otherwise continue.

3. Chose parameters P, Q for strong Lucas test by one of these two methods:

• method A: Let D be the first element of the sequence 5, — 7,9, —11,13, ... such that (f) = -1. Set P = 1 and Q = • method B: Let D be the first element of the sequence 5,9,13,17,21,... such that (^) = —1. Let P be the least odd number exceed• ing VD and let Q = ^f^.

4. Perform strong Lucas test with parameters P, Q. If n fails, then it is composite, otherwise it is almost certainly a prime.

Note that in the search for parameters P, Q in step 3, if we en• counter D such that (^) =0, then n is composite and we can stop the algorithm. If n is a perfect square, then (^) > 0 for all D and so we never get —1. To solve this problem, if we do not find suitable D after trying several values, we may employ Newton's method to test for n being a perfect square. The authors show [6] that the average numbers of values that have to be tried before finding D such that (£) = -1 is 1.790479091 for method A and 1.922741874 for method

21 3. THE BAILLIE-PSW TEST

B. Method A is used most often, because it is simpler and seems to result in less Lucas pseudoprimes than method B. The reason why we need parameters P, Q such that (^) = —1 is that if (^) =0, then gcd(n, D) ^ 1, and so we know n is composite, and if (-^) = 1/ then Lucas and Fermat test are somehow related. As we have seen throughout the first two chapters, Fermat and Lu• cas pseudoprimes have many of the same properties. Grantham [15] noticed these similarities and formulated a definition of Frobenius pseudoprimes, which generalizes Fermat, Lucas and other kinds of pseudoprimes. He presented theorems, which describe the relations between the different kinds of pseudoprimes. As a corollary of the theorems, if n is a Lucas pseudoprime and (^) =1, then n is also a Fermat pseudoprime (for certain parameters P, Q and base a). At the end of paper [1] the authors offer $30 for a Baillie-PSW pseudoprime, but so far, no one has found it. They found no Baillie- PSW pseudoprimes up to 108. Gilchrist [16] further showed that there are no Baillie-PSW pseudoprimes up to 264, which means that for n < 264 the test is deterministic. However according to Pomerance's heuristic argument [17] there should be infinitely many Baillie-PSW pseudoprimes.

3.1 Challenge pseudoprimes

In this thesis we are mainly interested in a somewhat weaker version of the test, whose pseudoprimes are defined as follows.

Definition 10. A composite n is a PSW-challenge pseudoprime if it satisfies the following three conditions

(1) n = ±2 (mod 5),

(2) 2""1 = 1 (mod n),

(3) Un+1(l,-l) =0 (mod n).

The term PSW-challenge pseudoprime is not well established (that is also why the title of this thesis is Baillie-PSW pseudoprimes), how• ever we follow the terminology of Shallue and Webster [18] who named the pseudoprimes as such, because allegedly [18,19,15] there's

22 3. THE BAILLIE-PSW TEST an outstanding offer of $620 by Pomerance, Selfridge and Wagstaff for these pseudoprimes. The first condition is equivalent to (|) = —1, and so the three conditions together are basically the Baillie-PSW test with weak (as op• posed to strong) versions of the Fermat and Lucas test and only for the Fibonacci sequence. For D = 5 the Baillie-PSW test is strictly stronger and so any Baillie-PSW pseudoprime will also be PSW-challenge pseu- doprime. However for D 7^ 5 a Baillie-PSW pseudoprime n will most likely not be PSW-challenge pseudoprime, and in fact, if D is chosen by method A, then (|) 7^ —1, and so n cannot be a PSW-challenge pseudoprime. Gilchrist also checked the weaker version of the Baillie-PSW test and showed that there are no PSW-challenge pseudoprimes up to 2M [16]. Shallue and Webster moved the bound to 280 for pseudo- primes with two or three prime divisors [18]. No one has found a PSW-challenge pseudoprime yet, even though, heuristically, there should be infinitely many [19].

3.1.1 Admissibility

If n is a PSW-challenge pseudoprime, then Ijin) \ n — 1 and co(n) \ n + 1, therefore gcdfain),co(n)) < gcd(n — 1,n + 1) < 2. We will call odd integers n such that

gcd(l2(n),co(n)) < 2 admissible. If k divides n, then h{k) divides h(n) andco{k) divides co(n), there• fore gcd(l2(k),co(k)) < gcd(!2(ft)/co(n)), and so

if n is admissible, then k is also admissible.

In other words, a necessary condition for n being a PSW-challenge pseudoprime is that all divisors of n have to be admissible. With this condition we can for example rule out some prime divisors of n. For instance 11,19,29,31,41,59,61,71,79,89 are all the inadmissible primes less than 100. We will use this necessary condition prominently later on, and so we might wonder; how strong is it? Figure 1 shows comparison

23 3. THE BAILLIE-PSW TEST

of the prime counting function n(x) and a function na{x) counting all admissible primes up to x. The ratio seems to tend to \ as x increases, so we raise a conjecture that iirm;_>O0 = \-

all primes n(x)

admissible primes rca(x)

0 200000 400000 600000 800000 1000000

0 200000 400000 600000 800000 1000000

Figure 1: Comparison of distribution of all primes and distribution of admissible primes. The top graph shows the prime counting function n and a function na counting admissible primes in the interval [0, x]. The bottom graph shows their ratio.

Prime numbers can be found with an algorithm called sieve of Eratosthenes, which works as follows.

1. Given a bound B2, allocate B2 — 1 bits of memory and set them all to 1. The first bit will be indexed as \>i-

2. For n from 2 to B do the following. If bn is set to 0 then continue the loop, otherwise n is a prime. Set bits indexed with a multiple of n to 0.

24 3. THE BAILLIE-PSW TEST

2 3. For n from B + 1 to B , if bn is set to 1, then n is a prime.

The algorithm is built on the fact that n is a prime if and only if n is not divisible by any primes up to \fn. Admissible integers have similar property, that if n is divisible by an inadmissible integer, then n is also inadmissible. And so we can sieve for admissible integers with the following algorithm.

1. Given a bound B2, allocate B2 — 1 bits of memory. The first bit will be indexed as bi- Set bits with even indices to 0 and bits with odd indices to 1.

2. For n from 3 to B do the following. If bn is set to 0, then n is inadmissible, so continue the loop. Otherwise test admissibility of n. If it is inadmissible, then set bits indexed with multiple of n to 0.

2 3. For n from B + 1 to B , if bn is set to 0, then n is inadmissible. Otherwise test admissibility of n.

With this algorithm, for every inadmissible integer we find, we rule out all it's multiples. Unfortunately, since an integer, which has only admissible divisors, can still be inadmissible, we have to test all the integers which we didn't rule out. Another way to find admissible integers is to construct them as products of admissible primes as follows.

1. Given a bound B2, get a set S of admissible primes (possibly by testing primes obtained by the sieve of Eratosthenes) up to B. Initialize the set of admissible integers M to a copy of S.

2. For each m G M and p G S compute n = mp. If n < B2 and is admissible, then add it to M'.

3. Store integers of M in Mau and set M = M'. Repeat steps 2 and 3 as long as there are new products in M'.

In both algorithms only the integers, which have all divisors admis• sible, are tested for admissibility. So, the main difference between the algorithms is in how they store the integers. The first algorithm stores

25 3. THE BAILLIE-PSW TEST admissibility of the integers as a bit array of size n. This includes the zero bits for inadmissible integers. The second algorithm stores the admissible integers directly, and so the memory requirement depends on how common the admissible integers are. As we can see in Figure 2, admissible integers are about as common as primes, and so the mem• ory requirements of the two algorithms are very close. The second algorithm needs about 20% more memory (possible more depending on the variable type used in the underlying programming language). Overall, both algorithms are close in performance, however the second algorithm allows us to work directly with the integers and make some adjustments, such as storing the orders and rank along• side the integers for faster computation of admissibility, or ignoring integers which are divisible by perfect squares.

all primes n(x all admissible integers a(x)

200000 400000 600000 800000 1000000

200000 400000 600000 800000 1000000

Figure 2: Comparison of distribution of all primes and distribution of admissible integers. The top graph shows the prime counting function n and a function a counting all admissible integers in the interval [0, x]. The bottom graph shows their ratio. The comparison shows that there are about as many admissible integers as there are primes, although the two distributions may not be related.

26 3. THE BAILLIE-PSW TEST

And finally, we present an algorithm (Algorithm 6) to test admis• sibility of integers. We could simply compute gcd(l2(n),to(n)) and then test whether the result is less or equal to 2, however computing the order and especially the rank is somewhat time demanding. We do not actually need to compute the order nor the rank, we just need to find primes which divide the order and then test whether any of them (the prime 2 needs to be treated separately) divides the rank.

Algorithm 6: Deciding admissibility of integers

Input: An odd positive integer n > 2. Output: True if n is admissible, False otherwise. 1 forbidden_primes «— new empty list 2 foreach (p,e) e factor {(pin)) do

/ «— e if p 2 else e — 1 find primes which cannot divide the rank f if2

|_ add p to forbidden_primes

6 t

|_ t

11 |_ t

12 return Lff = 0 (mod n)

The function factor factors the given integer and returns a list of tu• ples (prime, power). The function (p is called multiple times, however this is just for simplicity of the pseudocode. It should be called only once and the result stored in a variable. As a final note, the admissibility depends on the bases a in the Fermat test and the parameters P, Q in the Lucas test. We can examine admissibility for any (meaningful) combination of the parameters. However, in the full Baillie-PSW test, the parameters P, Q are chosen

27 3. THE BAILLIE-PSW TEST

individually for each tested integer n, and so for different integers we are interested in different admissibilities, which makes the examina• tion considerably more complicated.

3.1.2 Computing last prime

Given an admissible integer k we may attempt to compute prime p such that n = pk is a challenge pseudoprime. Shallue and Webster [18] used the following two methods. In the first method we use the necessary condition that if n is a Fermat pseudoprime, then h(p) \ k — 1, and similarly if n is a Lucas pseudoprime, then co(p) \ k — e(k). Which means that p | 2fc_1 — 1 and p | Ufc-e(A:)/ so we can compute p as

fc 1 p|gcd(2 - -l,LTfc_eW).

This condition is only necessary, so n = pk may still not be challenge pseudoprime. On the other hand, this method gives us all possible p for which n = pk can be a challenge pseudoprime. It works best for small k, because both 2fc_1 — 1 and Ufc-e(X) §row exponentially, and computing with such large numbers quickly becomes too slow (for k > 270 it starts to be infeasible). Note that the Fibonacci sequence grows slightly slower than exponential with base 2, i.e. Ufc-e(X) — ~~ ^' and so we may compute the greatest common divisor as gcd(2fc_1 —

1 mod lZfc_e(jt), LTfc-e(fc))/ nevertheless for large k the following second method may be more suitable. The second method is based on the fact that if n = pk is a challenge pseudoprime, then n = pk = 1 (mod h(n)) and n = pk = — 1 (mod cv(n)), so

1 p = k' (mod l2{k)),

p = —k~x (mod co(k)).

The inverse k~x modulo h(k) always exists, because li{n) \ n — 1, therefore gcd(l2(^)/^) < gcd(?2(w),n) = 1. Similarly, the inverse k~x modulo co(k) always exists, since co(n) \ n + 1, so gcd(to(k),k) < gcd(o;(n), n) = 1. By Chinese Remainder Theorem we can compute a = p mod lcm(l2(k),co(k)). And then we get possible values for p as

a + b • \cm(l2{k),co(k))

28 3. THE BAILLIE-PSW TEST for integer b from 0 up to some bound. For example, if we want to check all p, such that n = pk = (a + b • lcm(l2(k),co(k))) - k < B, for some

nce s bound B, then we need to try all b from 0 to fc.lcm^2^ a>(k))' ^^ ^ ^ admissible, lcm(l2(k),cv(k)) is equal to h{k) -co{k) or {h(k) -co(k))/2. This method is suitable for large k, however its disadvantage is that it doesn't give us all the possible values of p.

29

4 Search for challenge psudoprimes

In this chapter we present our attempts to find the PSW-challenge pseudoprimes. We already know there are no pseudoprimes up to 2^ [16] and no pseudoprimes with two or three prime divisors up to 280 [18]. These bounds were checked using considerable amount of computational power, and so increasing the bounds using the same algorithms is not likely to yield new results. For this reason we focused on examination of the pseudoprimes in several special cases.

1. Firstly we examined pseudoprimes which have all prime divi• sors lower than some given bound B. The reason we may be interested in pseudoprimes with small prime divisors is that large primes are likely to have large order or rank, and so the conditions that h(p) \ k — 1 and co(p) \ k — e(k) are more restric• tive. To search for these pseudoprimes, we constructed a set of all admissible square-free products of the small primes using the second algorithm from Section 3.1.1 and applied the Fermat and the Lucas tests.

2. Another case we examined was pseudoprimes in the form 2n~1 — 1. By Lemma 1.5, if n is a Fermat pseudoprime (to base 2) or prime, then 2W_1 — 1 is also Fermat pseudoprime or prime, and so many of the integers in the form 2n~1 — 1 will be Fermat pseudoprimes. We search for PSW-challenge pseudoprimes in the form 2n~1 — 1 as products of primes which have rank equal to a power of two.

3. If n = pq is a PSW-challenge pseudoprime, where p, q are dis• tinct primes, then e(n) = e(p)e(q) = —1, so either e(p) = 1 or e(q) = 1. We searched for pseudoprimes with two prime factors by first finding admissible primes p with e(p) = 1 and then using divisibility properties of the order and the rank to find the other prime q.

4. Similarly to the previous case, if n is a PSW-challenge pseudo- prime with even number of prime divisors, then at least one of the primes has e(p) = 1. We used the primes p with e(p) = 1, which we found in the previous case, to search for pseudoprimes

31 4. SEARCH FOR CHALLENGE PSUDOPRIMES

with even number of prime divisors. Previously it was known that there are no such pseudoprimes up to 264. We have moved this bound to 270.

5. Lastly, we examined the set of primes given by Chen and Greene [20]. The set contains 1248 admissible primes, such that each square-free product of these primes is also admissible. It is es• timated that there should be about 748 pseudoprimes among the 21248 square-free products. We transformed the problem of finding the pseudoprimes to a Knapsack problem, which we at• tempted to solve by finding approximate solutions to the shortest vector problem using LLL and BKZ algorithms.

4.1 Small prime factors

In general, we may search for PSW-challenge pseudoprimes by find• ing admissible integers and then applying the Fermat and the Lucas tests. Using the second algorithm from Section 3.1.1 we may construct admissible integers as products of admissible primes, however, as we have seen, there are a lot of admissible integers, and so we need to somehow limit the construction. In [18], Shallue and Webster limit it to two or three prime divisors and the bound 280. Here we will not limit the number of prime divisors nor the maximum size of the pseu• doprimes, but instead we will limit the maximum size of the prime divisors. The general idea of the algorithm is as follows:

1. Create a set S of admissible primes up to the given bound B. Copy set S to set M of integers to be tested.

2. Compute the set M' of new admissible products p • m for each peS and m G M such that p\m.

3. Set M = M' and test each m G M with the Fermat and Lucas tests.

4. Repeat step 2 and 3 until there are no new admissible integers in M'.

32 4. SEARCH FOR CHALLENGE PSUDOPRIMES

In step 2 we require that p \ m (i.e. that the new products are square free), because we assume that p is neither Wieferich nor Wall- Sun-Sun prime. The algorithms eventually stops, since there's a finite number of square-free admissible products of primes from S. To test the admissibility of the primes and the products we can use Algorithm 6, however it is more effective to use the order and the rank instead, as we show next.

4.1.1 Admissibility from order and rank

If we compute the order and the rank of each prime p and product m, then we can test admissibility of p • m using the following lemma.

Lemma 4.1. Let p, m be admissible integers such that gcd(p, m) — 1. Then n = pm is admissible if and only if

gcd(l2(p),co(m)) < 2 and gcd(l2(m),to(p)) < 2.

Proof First assume n is admissible, i.e. gcd(l2(n),to(n)) < 2. Then, because h(p) | h(n) and to(m) | to(n), we get gcd(k(p)/co{m)) < gcd(l2(n),co(n)) < 2 and similarly because him) | h(n) and to(p) | to(n) we get gcdfaim),to(p)) < gcd(l2(n), to (n)) < 2. In the other direction, assume that gcd(!2(p),a;(ra)) < 2 and gcd(l2(m),co(p)) < 2. Also p, mare admissible, so gcd(l2(p)/^(p)) < 2 and gcd(l2(w),o;(m)) < 2. Letd = gcd(l2(n),co(n)) and assume by contradiction that d > 2. If d > 2, then d is divisible by some q which is either and odd prime or q = 4. Since p, m are coprime, it holds that h(n) = lcm(l2(p),hi^n)) and co(n) = lcm(co(p),co(m)). So, q | h(p) or q | l2(m),andq \ co(p) or q \ to(m), and since q > 2, this contradicts either one of the two assumption conditions or the admissibility of p or m. •

So, in step 2 of the algorithm, given p, I2 (p), to (p) and m, I2 (m), to (m), we test admissibility of p • m by checking that gcd(!2(p),a;(ra)) < 2 and gcd(l2(m)to(p)) < 2. The rank and order of n can be computed as h(n) = lcm(l2(p), h(in)) andto(n) = 1cm (a; (p), to (m)). This method is much faster than repeatedly using Algorithm 6 which relies on fac• torization of (p(n) and ip(n) and computation of modular power of two and modular Lucas sequence.

33 4. SEARCH FOR CHALLENGE PSUDOPRIMES

In step 3, to see if n is a challenge pseudoprime, we check whether h(n) | n — 1 and co(n) \ n + 1, which is faster than checking 2n~1 = 1

(mod n) and Un+\ = 0 (mod n).

4.1.2 Full version of the algorithm

1. Create a set S of triples (p, l2(p),co(p)) for each odd prime p up to the given bound B. Test admissibility of the primes by checking gcd(l2(p), co(p)) < 2 and remove all triples belonging to inadmissible primes. Copy S to set M of integers to be tested.

2. Compute the set M' of triples (m'',l2(m'),co(m')) for new ad• missible products m' = p • m in the following way. For each p £ S and m G M such that p \ m, gcdfaip), co (tn)) < 2 and gcd(l2(^)/^(p)) < 2, compute the new product m' = p • m, its order ^(^O = lcm(l2(p),h(m)) and its rank co(m') = lcm(co(p),co(tn)).

3. Set M = M' and test each m G M with the Fermat and Lucas tests by checking wheather ^2(m) | n — 1 and co(m) \ n + 1.

4. Repeat step 2 and 3 until there are no new admissible integers in M'.

We implemented the above algorithm in Python and ran it for B = 1400. The computation required 56GB of RAM and ran for about 30 hours. For higher values of B the computation exceeded our limit of 64GB of RAM. The set S contained 114 admissible primes and the algorithm ended after 25 iterations. Overall, the algorithm constructed and checked 770854835 admissible products, none of which are a challenge pseudoprime. The highest product had 218 bits.

4.2 Pseudoprimes of the form 2M_1 — 1

We started the search for pseudoprimes in the form 2n~1 — 1 simply by applying the PSW-challenge test to all integers 21 — 1 for i up to 215. We implemented the test in C+ + using the Big Integer class of NTL library [10]. To compute the Fibonacci sequence we implemented slightly modified version of the double-and-add algorithm. Since n + 1 =

34 4. SEARCH FOR CHALLENGE PSUDOPRIMES

2l — 1 + 1 = 2l, the binary representation has one leading 1 and the rest are Os, so we do one add step add the beginning and then do only double steps. The only integers n which passed the test were those with i = 2,3,7,19,31,107,127,607,1279,2203,4423. All these n are Mersenne primes [21]. Testing the integers one by one quickly became too slow, so instead we tried constructing them as products of suitable primes.

4.2.1 Primes with rank equal to a power of two

If n = 21 — 1 is a challenge pseudoprime and p is a prime such that p | n, then co(p) \ co(n) \ 2l. We searched, in several ways, for primes whose rank is a power of two, and overall we obtained 28 of such primes. Some of the primes were too large, therefore we used only primes p < 24423, which left us with 19 primes. We tested all 219 square-free products of the these primes and none of them were a challenge pseudoprime nor were they in the form 21 — 1. To search for these primes, we firstly checked all primes up to 230, which resulted in 13 primes where 9 were admissible. Our next approach was to factor U2i- Lucas [11] shows that U2n = UnVn, so

i-l

U2i = Y\ V2m.

Also, Vin — V% — 2QW, which gives us a way to compute Vjm as V^-i —

2. To factor U2i, we have to factor each Vjm, which unfortunately still grows too fast. We computed and factored V2m for m < 10. The last value V2w has 356 bits and to factor it we used an online tool [22]. This method gave us another 3 admissible primes.

4.2.2 Mersenne primes

Our third approach was to examine Mersenne primes, since these primes p = 21 — 1 with e(p) = —1 naturally have rank co(p) | 2K Mersenne primes are generally too large for Algorithm 6 or the com• putation of gcd(l2(p),Ci>(p))/ but the following lemma shows that e(p) = — 1 is a sufficient condition for the admissibility of Mersenne primes.

35 4. SEARCH FOR CHALLENGE PSUDOPRIMES

Lemma 4.2. Let p = 7' — 1 be a Mersenne prime, then p is admissible if e(p) = -1.

Proof. Let p = 7 — 1 be a Mersenne prime, then / is the least positive integer k such that 2k = 1 (mod p), and so by definition h(p) — j.lt is known that if 2^ — 1 is a prime, then j is also a prime. If e(p) = —1, then co(p) is a power of two, and so gcd(l2(p),to(p)) < 2, i.e. p is admissible. •

We require that co(p) | a?(n) | 7, i.e. the rank of p has to be a power of two, which is not possible if e(p) = 1. So, overall, we are interested precisely in Mersenne primes with e(p) = —1. Out of the 51 known Mersenne primes [21], 20 have e(p) = —1 (4 of which we have obtained by previous methods). As a side note, if n = pq is a challenge pseudoprime, then p, q are not Mersenne primes. We can show this by contradiction. Assume p = 7 — 1 is a Mersenne prime. Then / = hip) | q — l,so 2l2^ = 7)' = 1 (mod q), i.e. q \ 7' — 1 = p, and therefore q = p. Then e{n) = e(p2) = 1 7^ — 1, which contradicts n being challenge pseudoprime.

4.3 Two prime factors

Let n = pq, where p, q are distinct primes, be a challenge pseudoprime, then e(n) = e(p)e(q) = —1, so either e(p) = 1 or e(q) = 1 (without loss of generality we assume that e (p) = 1). Admissible primes p with e(p) = 1 are quite rare. The reason is that on the one hand both the order h(p) and the rank co(p) divide p — 1, but on the other hand, since p is admissible, the greatest common divisor of the order and the rank is at most two (i.e. gcd(l2(p),co(p)) < 2). At the end of their paper [18] Shallue and Webster noted that they found 7 such primes when generating primes up to 240, however they do not say whether they used these primes in any way to speed up their algorithm or not. In this and the next section we present several ways these primes can be used. To find a pseudoprime with two prime factors, we first searched for the admissible primes p with e(p) = 1 and then tried to find suitable primes q.

36 4. SEARCH FOR CHALLENGE PSUDOPRIMES

4.3.1 Admissible primes p with e(p) = 1

We implemented an algorithm which tested the admissibility of primes with e(p) = 1 up to 245 and we found 3 other primes on top of the 7 already known [18]. We implemented slightly adjusted version of Algorithm 6 in C++. To factor

V HP) to(p) 2847994170041 41.37 806587 1765460 10052678938039 43.19 69 145690999102 20474359556069 44.21 145084 141120727

4.3.2 Computing the other prime

To find q such that n = pq is a PSW-challenge pseudoprime we could use one of the two methods described in Section 3.1.2. However, as we already discussed, the second method doesn't give us all the possi• bilities and the first method calculates with LL_i, which in this case is too large. We present another way of computing the second prime. Instead of computing q as a factor of gcd(2p_1 — 1, Up_i), we will compute q as a factor of gcd(2/2^) — 1, ). The problem of course is that since we are looking for q, we do not know h(q) and to (q), however we know that h(q) \ p — 1, to(q) \ p — 1 and gc&faiq),oo(q)) < 2. So, we factor p — 1 and distribute the factors among the order and the rank of q, such that q is admissible, which gives us several candidates for h{q) and to(q). Let a be the number of unique prime factors of p — 1, then there are 2a ways to distribute the factors of p — 1 such that the order and the rank of q are coprime. The order and rank can also have gcd = 2, and so overall there are at most 2a+2 possibilities. Among the ten primes, 4562284561 and 10052678938039 have the most number of unique prime factors of p — 1: seven. So, in the worst case we have to try only 512 different combinations of the order and the rank.

37 4. SEARCH FOR CHALLENGE PSUDOPRIMES

Of course, among these possibilities there's a combination where the order or the rank are almost as large as p — 1, which means 2l2^ — 1 or U-cU) can still be too large. However, since both the order and rank divide p — 1, one of them is at most 2^/p — 1. So, if the order is lower than the rank, then we compute gcd(2?2W — 1, mod (2l2^ — 1)), and if the rank is lower than the order, the we compute gcd(2*2W — 1 mod IZfc^o), Uco(q))- m either case, both arguments of the gcd are at

most 22v/f_1 which is considerably lower than LL_i. We have implemented this method in Python and ran it for all the 10 primes. We found no q for which n = pq is a challenge pseudoprime. Since we tested all primes p with e(p) = 1 up to 245, if there is a challenge pseudoprime n = pq, then the prime p with e(p) = 1 must be larger than 245.

4.4 Even number of prime factors

Let n have even number of prime factors (counting multiple times for prime powers), then if n is a PSW-challenge pseudoprime, at least one of the prime divisors p has e(p) = 1. As in the case of two prime factors, we can use the primes with e(p) = 1 to search for the challenge pseudoprimes. In this section we describe the method we used to check that there are no challenge pseudoprimes up to 270 with even number of prime factors. Since there are no Wall-Sun-Sun primes up to 254 [5], any challenge pseudoprime lower than 270 has to be square free, and so we can write it as n = pk, where p is a prime with e(p) = 1 and p \k. We will treat two different cases: either p < 245 and it is one of the ten known primes, or p > 245 and it is unknown to us. We will discuss the latter case first.

4.4.1 Case of p > 245

Assume p > 245, then k < 225. We have generated a list of all 1142315 admissible integers k < 225 with e(k) = —1. We removed primes from this list, because the case of two prime factors has been checked by Shallue and Webster [18] up to 280, which reduced the list considerably

38 4. SEARCH FOR CHALLENGE PSUDOPRIMES to only 110191 composite integers. And finally, we applied the first method from Section 3.1.2 to each integer k on this list, i.e. we searched for p as p | gcd(2fc_1 — 1, Ujt+i)- We have found no primes p such that n = pk would be a challenge pseudoprime.

4.4.2 Case of p < 245

For the second case, assume that p is one of the ten known primes with e(p) = 1. We try to find k in a similar way to the second method of computing the last prime in Section 3.1.2. If n = pk is a challenge pseudoprime, then pk = 1 (mod h{n)) and pk = —1 (mod co(n)), so

k = p~x = 1 (mod h{p)) and

k = —p~x = —1 (mod co(p)).

Which means that by Chinese Remainder Theorem we can compute a = kmodlcm(l2(p),co(p)) andsearchforfcasa + bTcm(l2(p),a;(p)) for integer b from 0 up to some bound. To check pseudoprimes n = pkwp to bound 270, we need to try

270-iog2(Picm(/2(p),a;(p))) potential values of k. The larger p is, the less values of k we need to try. The following table show the approximate values of log2(p • 1cm (^(p), co(p))) for the ten known primes p.

V HP) cv{p) log2(p-lcm(Z2(p),a;(p))) 61681 40 1542 30.82 363101449 171436 1059 55.87 4278255361 80 6684774 59.98 4562284561 120 147934 55.16 4582537681 160453 1428 59.86 26509131221 748 14176006 66.92 422013019339 290442546 2906 77.23 2847994170041 806587 1765460 81.74 10052678938039 69 145690999102 86.38 20474359556069 145084 141120727 88.43

39 4. SEARCH FOR CHALLENGE PSUDOPRIMES

As is evident from the table, the bottleneck of this method is the prime p = 61681, for which we had to test about 239 values of k. We have implemented this method and ran it for all the ten primes, searching for n = pk up to 270, and we have found no k such that n = pk would be challenge pseudoprime. So overall, we have confirmed that there are no PSW-challenge pseudoprimes with even number of prime divisors up to 270.

4.5 Lattice based solutions

Chen and Greene [19] attempted to find a PSW-challenge pseudo- prime by constructing the following system of primes. Let M, N be integers such that gcd(M, N) < 2 and let P be a set of primes p such that

p \ MN, l2(p) | M and w{p) \ N. Then for any subset A C P, the product n = YlpeA P is a challenge pseudoprime if

n = 1 (mod M) and n = -1 (mod N). (4.1)

Assuming congruence classes of n modulo M, N are approximately uniformly distributed, the expected number of challenge pseudo- primes n constructed as a product of a subset of primes in P will be about 2\p\ cp(MN)' Chen and Greene were constructing systems, which contained as few primes as possible and at the same time had at least one expected pseudoprime. The smallest system they published [20] contains 1248 primes and -j^pf^ ~ 740, meaning that out of the 21248 possible prod• ucts we can expect about 740 to be challenge pseudoprimes. They do not say whether they attempted to find the pseudoprimes in the system.

4.5.1 Searching for the pseudoprimes

Since Chen and Greene did not say whether they tested any of the products, we started by trying all products made of exactly three

40 4. SEARCH FOR CHALLENGE PSUDOPRIMES primes. None of these products were a PSW-challenge pseudoprime. All the primes in the system have e — —1, and so any challenge pseudoprime in the system has to be a product of an odd number of primes. So overall, none of the products of two, three or four primes from the system are challenge pseudoprimes. Clearly, testing all the possible products one by one is computationally infeasible and so we attempted to find a solution to the congruences 4.1. We transformed the problem of finding the pseudoprimes among the 21248 possibilities to a multidimensional modular Knapsack prob• lem, which we then attempted to solve by finding short vectors in a lattice using the LLL and BKZ algorithms.

4.5.2 Transformation of the problem

Let nti, Yi[ be prime powers such that M = TJ m,- and N = Yl n-i, then by Chinese Remainder Theorem equations 4.1 are equivalent to the set of equations

n = 1 (mod nti) and n = z,- (mod n,-) (4.2) for some z,-. If m,-, n,- are odd or equal to 2, the modular multiplicative groups Z^.,Z*. are cyclic, meaning they contain some generators a,-, hi, and so we may apply discrete logarithms to the equations 4.2 and obtain

logain = 0 (modord(fl,-)) and log^.n = log^.Zi (mod ord(&,-)), (4.3) where ord(flj), ord(fof) are orders of the generators in their respective

13 groups. Note that N is divisible by 2 and Z*13 is not cyclic, however it can be generated by two generators (e.g. 8191 and 5), which gives us two logarithmic equations in 4.3 instead of one. To find the pseu• doprimes, we compute logaip and logt,.p for each p E P and try to compute A C P such that it has at least two primes and

E logaiP = 0 (modord(fli)) and log^. p = logb.Zi (modord(&i)). peA peA

This problem is similar to the Knapsack problem, which has many variants. This variant is multidimensional and in addition each di• mension is computed in different modular group (corresponding to

41 4. SEARCH FOR CHALLENGE PSUDOPRIMES

the different generators). In general, these kinds of problems are NP- complete, so we suspect this variant is also NP-complete, although we do not have a proof. Assuming the problem is NP-complete (and NP^P), there is no polynomial algorithm which would give us a definitive answer, how• ever there are still some methods which may produce some solutions. We used lattice reduction algorithms, which have been previously shown to solve similar problems (for example in [25]). We converted our set of equations to a lattice and then used the LLL and BKZ al• gorithms to find the shortest vectors, which in some situations could correspond to the pseudoprimes.

4.5.3 Lattice for Fermat pseudoprimes

To describe the method, we will start with only the equations necessary for n being a Fermat pseudoprime. For each generator a,- and prime pj we have the values of logaipj. We may write these values in a matrix

X = {logaiPj)jri, where the rows correspond to the primes and the columns correspond to the generators. The rows are vectors over Z and their linear combinations over Z form a lattice. We are looking for a linear combination of the rows such that each row is included at most once and the result is a multiple of the vector (ord(fl,-)),-. To find the combination, we extend the matrix to

1 0 \ X

0 1 ord(fli) 0 0

0 ord(fljt) /

This matrix forms the basis of the new lattice. The bottom left part was added because we want to compute each column modulo the order of the group. The upper right part was added so that we know how many times each row was added in the combination. A vector in the lattice with k leading zeros followed by sequence of zeroes or ones corresponds to a pseudoprime (or prime if it contains only one one).

42 4. SEARCH FOR CHALLENGE PSUDOPRIMES

Such vectors are relatively small, and so to try to find them we may apply the LLL or BKZ algorithm, which returns a reduced basis with small vectors. To make sure the left part is reduced to zeros, we may multiply it by some large constant c (for example c = 1000). As a proof of concept of this method, we have constructed a system of 77 primes, which contains a Fermat pseudoprime. We have started with a small system of 9 primes, such that their product is a Fermat pseudoprime, and then we added another 68 primes such that the congruences 4.1 still hold. In this system, the method with the BKZ algorithm finds the pseudoprime within a few seconds, which is much faster than trying all the 277 possible integers. However, in general, the method is highly unreliable and unlikely to discover the pseudoprime. The main problem is that the LLL and BKZ algorithms find only an approximately smallest basis, as the problem to find the actual smallest basis is again NP-complete. So, the larger the input matrix, the more likely it is the reduced basis vectors will not contain only zeros and ones but also other integers, which makes it less likely the method will produce a pseudoprime.

4.5.4 Example for Fermat pseudoprimes

We present a small example of the method for Fermat pseudoprimes. Let P = {7,13,23,31,41} be the system of primes. It contains Fermat pseudoprime n = 7-23-41. We set M = 660 and c = 10. Then the matrix of the lattice basis as described above looks as follows.

/ 10 0 10 70 1 0 0 0 o\ 0 0 30 10 0 1 0 0 0 10 10 30 0 0 0 1 0 0 10 0 0 60 0 0 0 1 0 0 10 0 30 0 0 0 0 1 20 0 0 0 0 0 0 0 0 0 20 0 0 0 0 0 0 0 0 0 40 0 0 0 0 0 0 0 0 0 100 0 0 0 0 0/

43 4. SEARCH FOR CHALLENGE PSUDOPRIMES

To find the pseudoprime, we apply the BKZ algorithm (implemented in SageMath) and get the following result.

/ 0 0 0 0 -1 0 -1 0 -1 \ 0 0 0 0 0 1 -1 1 1 0 0 0 0 1 -1 -2 -1 0 0 0 0 0 1 2 -1 -2 1 0 0 0 0 -1 0 -1 -2 3 10 0 0 0 -1 0 -1 -1 1 0 0 -10 -10 -1 0 0 1 0 0 10 -10 0 -1 0 0 -1 1 \ 0 10 10 0 1 0 0 1 -1 / As we can see, the top left part is completely zeroed out. This means that the top right part tells us the possible combinations of the primes. We are looking for a square-free product of the primes, i.e. row with only zeroes and ones in the right part. The first row contains only zeroes and negative ones, and so we can multiply it by —1 and get the solution.

4.5.5 Lattice for both Fermat and Lucas pseudoprimes

To use this method to look also for Lucas pseudoprimes, we need to extend the matrix to.

1 0 cX cY 0

0 1 c • ord(fli) 0 0 0 0

0 c • ord(%) c • ord(bi) 0 0 0 0

0 c • ord(bj)

2 0 loghlzx... logblzi 0 c 4. SEARCH FOR CHALLENGE PSUDOPRIMES where Y = (log^.p^j^. First we added the columns for the matrix Y (multiplied by c), which corresponds to the equations necessary for n being a Lucas pseudoprime. The columns also contain the order c • ord(bi) of the generators as in the case of only Fermat pseudoprimes. We also had to add the last row containing the vector of k zeros fol• lowed by log^.Zi. To make sure this last row is not used by the LLL or BKZ algorithms more than once, we also added a large constant c2 at the bottom right. After the reduction, a row corresponds to a challenge pseudoprime if it contains k + I leading zeroes followed by a sequence of zeros or ones and ends with c2. We have implemented this method using the SageMath Python LLL and BKZ functions and applied it to the system of the 1248 primes. Unfortunately, even though the algorithms are polynomial, the matrix is still too large and the computation never finished. For this method to be effective the system needs to contain only about 100 primes, and at the same time the expected number of pseudoprimes needs to be sufficiently large. The search for such a system may be a possible direction for further research into PSW-pseudoprimes.

45

Conclusion

In this thesis we examined the PSW-challenge pseudoprimes. We summarized the known relevant theory of the Fermat and the Lucas pseudoprimes and completed some missing lemmas and proofs. We described some algorithms which are often omitted in the literature, namely the algorithm to compute the rank of appearance. We also examined admissibility, which is the main necessary condition which all PSW-pseudoprimes must satisfy. We gave a new algorithm to test admissibility of integers, which is for individual integers faster than computation of the order, the rank and their greatest common divisor. In the last chapter we searched for the pseudoprimes in several special cases. Firstly, we examined pseudoprimes with small prime divisors. We tested integers with prime divisors lower than 1400 and found that none of them are PSW-challenge pseudoprimes. Next, we looked for pseudoprimes in the form 2W_1 — 1. Primes dividing such pseudoprimes must have rank equal to a power of two. We found 28 such admissible primes, we constructed square-free products of the first 19 primes and verified that none of these products are a PSW- challenge pseudoprime. We also examined pseudoprimes with even number of prime divi• sors. These pseudoprimes have to be divisible by an admissible prime p with e(p) = 1. Previously, seven such primes were known [18]. We tested all primes up to 245 and found three other suitable primes. Then, we implemented algorithms to search for integers k such that n = pk are pseudoprimes. We found no such integers k, and so we have shown that up to 270 there are no PSW-pseudoprimes with even number of prime divisors. Finally, we examined the system of primes given by Chen and Greene [19]. We transformed the problem of finding the pseudoprimes in the system to a multidimensional modular Knapsack problem. We attempted to solve this problem by implementing known heuristic method of further transforming the problem into finding short vectors in a lattice. Unfortunately, the system of primes was too large for this method. However, Chen and Greene conducted their research in 2000, so with greater computational resources a smaller system might be

47 4. SEARCH FOR CHALLENGE PSUDOPRIMES

found. Other methods for finding pseudoprimes as solutions to this Knapsack problem may be a possible avenue for further reaserch. Another potential direction for further reaserch is examining pseud- primes for different base a and parameters P, Q. We examined the weaker version of the Baillie-PSW test with parameters P = 1, Q = — 1, which allowed us to use the condition of admissibility However, ad• missibility can be defined for any parameters a, P, Q, and so the meth• ods described in this text can be applied to pseudoprimes with other parameters.

48 Bibliography

1. POMERANCE, Carl; SELFRIDGE, John L; WAGSTAFF, Samuel S. The pseudoprimes to 25 • 109. Mathematics of Computation. 1980, vol. 35, no. 151, pp. 1003-1026. 2. ALFORD, William R; GRANVILLE, Andrew; POMERANCE, Carl. There are infinitely many Carmichael numbers. Annals of Mathematics. 1994, pp. 703-722. 3. LEHMER, Derrick H. Strong Carmichael numbers. Journal of the Australian Mathematical Society. 1976, vol. 21, no. 4, pp. 508-510. 4. MENEZES, Alfred J; VAN OORSCHOT, Paul C; VANSTONE, Scott A. Handbook of applied cryptography. CRC press, 2018. 5. PrimeGrid. Available also from: https : //www. primegrid. com/ forum_thread.php?id=9436. 6. BAILLIE, Robert; WAGSTAFF, Samuel S. Lucas pseudoprimes. Mathematics of Computation. 1980, vol. 35, no. 152, pp. 1391-1417. 7. JOYE, Marc; QUISQUATER, J-J. Efficient computation of full Lucas sequences. Electronics Letters. 1996, vol. 32, no. 6, pp. 537- 538. 8. KOVAL, Aleksey et al. On Lucas Sequences Computation. IJCNS. 2010, vol. 3, no. 12, pp. 943-944. 9. RENAULT, Marc. The period, rank, and order of the (a, b)- Fibonacci sequence mod m. Mathematics Magazine. 2013, vol. 86, no. 5, pp. 372-380. 10. Number Theory Library (NTL). Available also from: https : // libntl.org/. 11. LUCAS, Edouard. Theorie des fonctions numeriques simplement periodiques. American Journal of Mathematics. 1878, pp. 289-321. 12. LEHMER, Derrick Henry. An extended theory of Lucas' func• tions. Annals of Mathematics. 1930, pp. 419-448. 13. WILLIAMS, Hugh C. On numbers analogous to the Carmichael numbers. Canadian Mathematical Bulletin. 1977, vol. 20, no. 1, pp. 133-143.

49 BIBLIOGRAPHY

14. CARMICHAEL, Robert D. On the numerical factors of the arith• metic forms a n±B n. The Annals of Mathematics. 1913, vol. 15, no. 1/4, pp. 49-70. 15. GRANTHAM, Jon. Frobenius pseudoprimes. Mathematics of com• putation. 2001, vol. 70, no. 234, pp. 873-891. 16. GILCHRIST, Jeff. Pseudoprime Enumeration with Probabilistic Pri- mality Tests. Available also from: http: //gilchrist. ca/jef f / factoring/pseudoprimes.html.

17. POMERANCE, Carl. Are there counter-examples to the Baillie- PSW primality test. Dopo he Parole aangeboden aan Dr. AK Lenstra. Privately published Amsterdam. 1984. 18. SHALLUE, Andrew; WEBSTER, Jonathan. Fast tabulation of chal• lenge pseudoprimes. The Open Book Series. 2019, vol. 2, no. 1, pp. 411-423. 19. CHEN, Zhuo; GREENE, John. Some comments on Baillie-PSW pseudoprimes. Fibonacci Quarterly. 2003, vol. 41, no. 4, pp. 334- 344. 20. CHEN, Zhuo; GREENE, John. Available also from: https : //www. d.umn.edu/~jgreene/baillie/Baillie-PSW.html. 21. List of known Mersenne primes. Available also from: https: //www. merserme. org/primes/.

22. Integer factorization calculator. Available also from: https: //www. alpertron.com.ar/ECM.HTM. 23. WALISCH, Kim. primesieve. Available also from: https: //github. com/kimwalisch/primesieve. 24. Metacentrum. Available also from: https : //metavo. metacentrum. cz/.

25. PLANTARD, Thomas; SUSILO, Willy; ZHANG, Zhenfei. Lattice reduction for modular knapsack. In: International Conference on Selected Areas in Cryptography. 2012, pp. 275-286.

50