Easy numb ers for the
Ellipti c Curve Primality Proving Algorithm
�y z
F� Morain
morain�inria�inria�fr
May �� ����
There exist easy numb ers for the N � � test�
Abstract
namely those N for which the factorization of
We present some new classes of numb ers that
N � � is trivial� such as Fermat numb ers �N �
k
2
are easier to test for primality with the Elliptic
� � �� or sp ecial numb ers� N � � � k �� N �
n
Curve Primality Proving algorithm than aver�
� � k � a � etc� �see ���� for all this��
age numb ers� It is shown that this is the case
The purp ose of this pap er is to exhibit some
for ab out half the numb ers of the Cunningham
numb ers that are easy to test with ECPP� It ap�
n
pro ject� Computational examples are given�
p ears that many numb ers of the form b � � are
of this kind� Section � recalls a part of the the�
ory of ECPP� In Section �� we describ e very easy
� Intro duction
numb ers � numb ers analogous to Fermat num�
b ers � and easy numb ers � numb ers that can b e
The so�called Elliptic Curve Primality Proving
dealt with more quickly than average numb ers
algorithm �ECPP� is one of the most p ower�
of the same size� Numerical computations are
ful algorithms for proving the primality of large
describ ed that exemplify our results�
numb ers with up to ���� decimal digits �see
��� �� � �� ��� This algorithm generalizes the old
Fermat�like primality proving tests based on the
� A brief presentation of
factorization of N � � when N is the numb er to
ECPP
b e proven prime�
�
LIX� Lab oratoire d�Informatique de l�Ecole Poly�
��� Fermat�s test
technique Ecole Polytechnique� ����� Palaiseau Cedex�
France
Let us b egin with the converse of Fermat�s little
y
Institut National de Recherche en Informatique et
Theorem�
en Automatique �INRIA�� Domaine de Voluceau� B� P�
��� ����� LE CHESNAY CEDEX �France��
Theorem ��� If there exists an a prime to N
z
On leave from the French Department of Defense�
such that
D�el�egation G�en�erale p our l�Armement�
N �1
a � � mo d N
but
(N �1)�q
a �� � mo d N
for every prime divisor q of N � �� then N is prime�
Theorem ��� Let N be an integer prime to �� If we cannot factor N � � completely� it can
E an el liptic curve over Z �N Z � together with a happ en that the cofactor of N � �� call it N � is a
1
point P on E and m and s two integers with probable prime� Then� we can try to factor N �
1
s j m� For each prime divisor q of s� we put � and so on� This idea forms the DOWNRUN
�m�q �P � �x � y � z �� We assume that mP � pro cess of ����� Build a decreasing sequence of
q q q
O and gcd �z � N � � � for al l q � Then� if p is probable primes N � N � N � � � � � N
E q 0 1 k
a prime divisor of N � one has �E �Z�pZ � � such that the primality of N implies that of
i+1
� mo d s� N �see ��� � pp� ���������� As an example�
i
5
consider a pro of that N � �� � � is prime� We
We have also�
�nd
Corollary ��� With the same conditions� if
N � ������� N � � � � � � � � � N �
0 0 1
p
4
2
2
N � �� � then N is prime� s � �
N � ����� N � � � � � � � � � ��
1 1
It should b e noted that in order for the preced�
if we assume that we can decide the primality
ing condition on s to b e ful�lled� m must not
of numb ers less than �� very quickly� Then� we
b e a p erfect square� It was shown in ��� that
can take a � � for proving that N is prime
1
this can only happ en if D � � �resp� D � ��
and a � � for N � now that we know that N is
0 1
2 2
for N � x � x � � �resp� N � x � ���
prime�
We can now give a brief description of the
More sensitive tests are describ ed in ���� A
algorithm�
di�erent typ e of primality proving algorithm is
describ ed in ��� � � ���
function ECPP�N �
p
�D � in �� �nd a quadratic �eld K � Q�
��� Elliptic curves
which N is the norm of an algebraic in�
The material of this section is taken from ���� In
teger � and for which m � N �� � ��
K
order to overcome the di�culty of having just
is completely factored or has a probable
one numb er to factor� we use elliptic curves�
prime cofactor M �
Informally� an elliptic curve over a �nite �eld
�� put s � m and use Theorem ��� to prove
Z�pZ is the set �of classes� of p oints in the pro�
the primality of N �
jective plane of Z�pZ
2
�� recursively prove the primality of M �
E �Z�pZ � � f�x � y � z � � P �Z�pZ ��
2 3 2 3
This algorithm combines a Fermat�like theorem y z � x � axz � bz mo d pg�
and the DOWNRUN approach� For the actual
We can de�ne a group law on this set� known as
implementation of this test� we refer to the ar�
the tangent�and�chord metho d� ordinarily de�
ticle ��� as well as ����� We insist on the follow�
noted by �� If m is the cardinality of E �Z�pZ ��
ing p oints� That N is a norm in an imaginary
then Hasse�s theorem tells us that jm � �p � ��j �
p
quadratic �eld is equivalent to the fact that
� p� More precisely� there exists an algebraic
p
p p
2 2 integer � in a quadratic �eld K � Q� �D ��
�N � A � DB � �A � B �D ��A � B �D �
D a p ositive integer� such that p � N �� � and
K
m � N �� � ��� where N �� � is the norm of
K K
with A and B two rational integers� In turn�
the algebraic numb er � in K �
this implies that
From ����� we have a primality theorem
2 2
�m � �A � �� � DB � analogous to Theorem ����
ECPP� Supp ose we are given a probable prime A numb er N will b e easy to test if the largest
N that can b e written as prime factor of m is easy to �nd� for instance if
it is small� For average numb ers� the cofactor
2 2 2 2
N � �c � D a ���c � D b �
p p
we get is smaller than N � say the ratio m�M is
� N ��c � a �D ���c � b �D ��
K
10
ab out �� at b est� The following section will
� N �� �
K
deal with extraordinary numb ers with resp ect
to this problem�
where D is a suitable squarefree p ositive integer
Throughout the pap er� we keep the preced�
and �a� �b and �c are integer� Then a p otential
ing notations�
numb er of p oints on an elliptic curve mo dulo N
is
2
D �a � b�
m � N �� � �� � �
K
� Easy numb ers
2 2
c � D b
We must select the signs of a and b such that
��� Building easy numb ers
this is an integer in Z� If we have luck� then
a � b is easy to factor and we can get a probable
It follows from the preceding section that there
prime cofactor N of m with size ab out half that
1
exist numb ers for which ECPP is very easy�
of N �
This is indeed the case when N � N �� � and
K
where N �� � �� is easy to factor� An example
K
k
����� Examples
� � where � is of such numb ers is � � � �
i 0
1
an algebraic integer of small norm of K and k
Many numb ers taken from the Cunningham
a p ositive integer� These numb ers� called El lip�
pro ject ��� are indeed easy numb ers� The �rst
tic Mersenne primes were intro duced in ��� and
and third examples are taken from a list of prob�
some large ones were given in ���� �see also �����
able primes that S� S� Wagsta� sent to the au�
Let us assume for simplicity that D �
thor recently�
� mo d �� Then� starting from
First� let us consider the ����digit probable
prime
� � D �� � U
193
N � ��� � �����
2
we can multiply b oth sides by k and have
and write it as
2 2 2
k � k D �� � U k � m�
2 2 2 2
N � �� � ���X � ���� � � � � �
2
To m� we can now asso ciate N �k � � �k � �� �
� N ����N �� � � N ���� � � N �� �
K K K K
2
k D �� and sometimes we get a prime� If k is
p
96
easy to factor� we have built a prime N for
with X � �� � � � � � �X �� and � � � �
p
which the ratio N �N is quite large� For ex�
� �� � A p otential numb er of p oints is
1
100
ample� taking D � � and k � �� � ����� �
�
2
� � ���� � ������� � k yields a corresp onding
��X � �� � m � N �� � �� �
1
K
��
numb er N �k � which is a ����digit prime and
we can prove that N is prime by proving that With this� X � � � ��X and
0
N � k is prime� The ratio N �N is ab out
1 1 1
2
112 m � � � �� � ��X � �
0
�� �
96
Therefore� we are done if X � � � �� � � is
��� Finding easy numb ers
easy to factor� which it is�
Y
96
Another kind of relatively easy numb er was dis�
z � � � � �z ��
d
covered during the actual implementation of
dj96
d � �z � factors of � ����
d d
� z � � ��
� z � � ��
2
� z � z � � ���
2
� z � � � � ��
2
� z � z � � � � ��
4
� z � � �� � ���
4 2
�� z � z � � �����
8
�� z � � �� � �� � ������
8 4
�� z � z � � ��� � �������
16
�� z � � ���������� �� � � ������
16 8
�� z � z � � ��������� � ����� � ����
32 16
�� z � z � � ���� � ������� � ���������� �� ��� �� ��� �� ���
yielding where � �z � stands for the d�th cyclo�
d
Q
tomic p olynomial �� �z � � �z �
d
(a�d)=1
1769
� � � � � � �� � ������� � p � C
18 506
exp��i� a�d���� We list in the following table
96
the algebraic factors of �� � �� �It should b e
�with C � � ���� a strong pseudoprime
506 1769
noted that one can �nd the factors of such a
to base �� so that the primality of N can b e
numb er quite rapidly without resorting to cy�
deduced from the factorization of a ����digit
clotomic factorization by using Pollard�s p � �
numb er instead of a ���� numb er as in �����
metho d ��� ��� In the DOWNRUN pro cess� we
A less trivial example is given by the cofac�
327
may take N � ��������� �� ��� ��� �� ��� �� ��
1
tor of �� � �� We �rst write
96
the largest probable prime factor of �� � ��
327
183
X �� � �� ��X �� ��X �� ��X �� ��X ��
1 3 109 327
The ratio m�N is approximatively �� �
1
Another very interesting example is the fol�
The numb er we are interested in is N �
lowing� Take
� ������ We rewrite this as
327
3539
� � �
327
� � ��
N �
2
� �����N � ��N � � � � Y � Y
3
�
109
� � ��
which was �rst proved prime by Morain �����
109
where Y � �� � Now comes the trick� Multi�
We have
2 2
ply this relation by � in order to get
� � �X
N �
2 2
2 2
� � ����
� � �� � N � � � �Y � �Y � � � ��Y � �� �
1769
with X � � � Write this as
We multiply each side by � and �nally get
p p
N � N ���� � � N ��� � X ������ � �����
K K
2 2 2 2
� � ���Y � �� � � ���Y � ��
N � � �
2 2
With � � ��� � one gets
�� � �� � � � � ��
p p
�
Cho osing � � �� � ��Y � �� ������ � �� ����
2
�X � �� � m � N �� � �� �
K
this implies that a p otential numb er of p oints
�
is
And hop efully� we have that
Y
m � N �� � ��
K
1769 1769
X � � � ����X � � �� � � � ��X �
d
2 2
� ��Y � ��� ���� � �Y � ��� ����
dj1769
����� Comments
References
We can hop e that this situation o ccurs when�
��� L� M� Adleman� C� Pomerance� and
ever we try to prove the primality of �a fac�
R� S� Rumely� On distinguishing prime
n
tor of � a numb er of the form b � � with b �
numb ers from comp osite numb ers� Annals
f�� �� �� �� �� ��� ��� ��g and particularly num�
of Math� ��� ������� ��������
2k +1
b ers of the form �b � ����b � ��� If b �
p
�b� has unique f�� �� �� ��� ��g� the �eld Q�
��� A� O� L� Atkin and F� Morain� Ellip�
factorization and the preceding tricks might
tic curves and primality proving� Research
work� For other values� we can have some luck
Rep ort ����� INRIA� Juin ����� Submit�
as demonstrated by our last numerical example�
ted to Math� Comp�
2k +1
Note also that if N � �b � ����b � ���
��� A� O� L� Atkin and F� Morain� Find�
one has
ing suitable curves for the elliptic curve
k k
b�b � ���b � ��
N � � �
metho d of factorization� To app ear in
b � �
Mathematics of Computation� Also avail�
and a p otential m is�
able as INRIA Research Rep ort no �����
k 2
�b � �� b
March �����
� m �
b � �
��� W� Bosma� Primality testing using ellip�
ECPP do es not give a faster primality pro of
tic curves� Tech� Rep� ������ Math� Insti�
than the use of one of the re�ned version of
tuut� Universiteit van Amsterdam� �����
the N � � test� which needs the factorisation of
p
N �see ����� Similar remarks can N � � up to
��� J� Brillhart� D� H� Lehmer� and
b e made concerning the N � � test�
J� L� Selfridge� New primality criteria
m These numb ers illustrate the need for a ro�
and factorizations of � � �� Math� Comp�
bust factorization routine for ECPP� As a mat�
��� ��� ������� ��������
ter of fact� the program must take into account
��� J� Brillhart� D� H� Lehmer� J� L�
the miraculous phenomena describ ed ab ove�
Selfridge� B� Tuckerman� and S� S�
Wagstaff� Jr� Factorizations of
n
� Conclusion
b � �� b � �� �� �� �� �� ��� ��� �� up to high
powers� � ed� No� �� in Contemp orary
We have seen that there are p otentially many
Mathematics� AMS� �����
easy numb ers for ECPP� In particular� many
Cunningham numb ers are easy� This strength�
��� D� V� Chudnovsky and G� V� Chud�
ens the idea that these numb ers are not ran�
novsky� Sequences of numb ers generated
dom numb ers with resp ect to primality proving�
by addition in formal groups and new pri�
Primality proving algorithms should b e run on
mality and factorization tests� Advances in
more random numb ers� such as partition num�
Applied Mathematics � ������� ��������
b ers ��� � or numb ers built up from the decimal
��� H� Cohen and A� K� Lenstra� Imple�
representation of � �see �����
mentation of a new primality test� Math�
Acknowledgments� We wish to thank S� S�
Comp� ��� ��� ������� ��������
Wagsta� for providing us with the list of proba�
��� H� Cohen and H� W� Lenstra� Jr� ble primes cited ab ove� V� M�enissier� P� Dumas
Primality testing and Jacobi sums� Math� and M� Golin for reading earlier versions of the
Comp� ��� ��� ������� �������� manuscript�
���� M� C� Wunderlich� A p erformance ���� S� Goldwasser and J� Kilian� Almost
analysis of a simple prime�testing algo� all primes can b e quickly certi�ed� In Proc�
rithm� Math� Comp� ��� ��� ������� ���� ��th STOC �Berkeley� May ����� ������
���� pp� ��������
���� D� E� Knuth� The Art of Computer
Programming� Seminumerical Algorithms�
Addison�Wesley� �����
���� A� K� Lenstra� H� W� Lenstra� Jr��
M� S� Manasse� and J� M� Pollard�
The factorization of the ninth Fermat num�
b er� To app ear� �����
���� F� Morain� Courbes el liptiques et tests de
primalit�e� PhD thesis� Universit�e Claude
Bernard�Lyon I� Septembre �����
���� F� Morain� Distributed primality prov�
3539
ing and the primality of �� � �����
In Advances in Cryptology � EURO�
CRYPT ��� ������� I� B� Damg�ard� Ed��
vol� ��� of Lect� Notes in Computer Sci�
ence� Springer�Verlag� pp� �������� Pro�
ceedings of the Workshop on the Theory
and Application of Cryptographic Tech�
niques� Aarhus� Denmark� May ������
�����
���� F� Morain� Elliptic curves� primal�
ity proving and some Titanic primes�
In Journ�ees Arithm�etiques ���� �������
vol� ���������� � of Ast�erisque� SMF�
pp� ��������
���� F� Morain� Prime values of partition
numb ers and some new large primes� In
preparation� Apr� �����
���� J� M� Pollard� Theorems on factoriza�
tion and primality testing� Proc� Cambr�
Philos� Soc� �� ������� ��������
���� P� Ribenboim� The book of prime number
records� �nd ed� Springer� �����