Primality - Factorization

Christophe Ritzenthaler
February 8, 2016

1 Primality

Definition 1.1. An integer $p > 1$ is called a prime number if it has only $1$ and $p$ as divisors.

Example 1. There are infinitely many prime numbers. The biggest generic one has 29,271 decimal digits and the proof was built using fastECPP on several networks of workstations (Jan. 2015). The largest known prime (January 2016) is a 22-million-digit Mersenne prime, $2^{74207281} - 1$ (see tutorial).

We write $P$ for the set of prime numbers. The simplest algorithm to test primality is based on the following result.

Proposition 1.1. $n$ is a composite number if and only if it has a divisor $d$ such that $1 < d \le \sqrt{n}$.

Proof. Since $n$ is composite, $n = ab$ and either $a$ or $b$ is at most $\sqrt{n}$.

This leads to a test that is exponential in $\log n$. In the following we will explore some polynomial tests.

Remark 1. Adleman, Pomerance, Rumely, Cohen and Lenstra have given an algorithm (APRCL) which is not polynomial but is feasible on numbers of 1000 digits (it runs in $O((\log n)^{C \log\log\log n})$).

1.1 Probabilistic compositeness tests

1.1.1 Fermat test and Carmichael numbers

By Fermat's little theorem, one knows that if $n$ is a prime number then $a^{n-1} \equiv 1 \pmod{n}$ for all $a \in \mathbb{Z}$ coprime to $n$. If the theorem were an equivalence, we would have an easy polynomial algorithm to test whether a number is prime. Unfortunately, it is not.

Example 2. Consider $n = 341 = 11 \cdot 31$. One has $2^{340} \equiv 1 \pmod{341}$. Such a number is called a pseudo-prime in base 2. We can prove that there are infinitely many pseudo-primes in base 2 by showing that if $n$ is such a number then $2^n - 1$ is one also. Indeed, because $n$ is a pseudo-prime in base 2 one has $n \mid 2^{n-1} - 1$, i.e. there is $c$ such that $nc = 2^{n-1} - 1$. Now

$$2^{2^n - 1 - 1} - 1 = 2^{2(2^{n-1} - 1)} - 1 = 2^{2nc} - 1.$$

The last expression is divisible by $2^n - 1$, so

$$2^{2^n - 1 - 1} \equiv 1 \pmod{2^n - 1}.$$

To finish the proof, one has to show that $2^n - 1$ is not a prime. Since $n = ab$, $2^n - 1$ is divisible by $2^a - 1$.

An idea is then to change the value of $a$: for instance $3^{340} \equiv 56 \pmod{341}$. Unfortunately, there are numbers that are pseudo-prime in any base. Such numbers are called Carmichael numbers (for instance $561 = 3 \cdot 11 \cdot 17$). It has been shown by Alford, Granville and Pomerance in 1994 that there are infinitely many Carmichael numbers, so the Fermat test cannot be completely sure. Let us show some properties of these numbers.

Proposition 1.2. An (odd) composite number $n \ge 3$ is a Carmichael number if and only if it is square-free and for each prime divisor $p$ of $n$, $p - 1$ divides $n - 1$.

Proof. First it is easy to see that a Carmichael number is odd: indeed $(-1)^{n-1} \equiv 1 \pmod{n}$ if and only if $n$ is odd. Let $n$ be a Carmichael number; for any $a$ prime to $n$ one has

$$a^{n-1} \equiv 1 \pmod{n}.$$

Let $p$ be a prime divisor of $n$. There exists a primitive element modulo $p$ that is prime to $n$. Indeed, let $a$ be a primitive element modulo $p$ and $n = p^r \cdot m$ with $m$ coprime to $p$. There exists an element (still denoted $a$) in $\mathbb{Z}/p^r\mathbb{Z}$ lifting the initial $a$ (because the morphism $\mathbb{Z}/p^r\mathbb{Z} \to \mathbb{Z}/p\mathbb{Z}$ is surjective). We find $s \in \mathbb{Z}/m\mathbb{Z}$ coprime to $m$ and since $\mathbb{Z}/n\mathbb{Z} \simeq \mathbb{Z}/p^r\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$ we construct the element $a \in \mathbb{Z}/n\mathbb{Z}$ image of $(a, s)$. Such an element satisfies the properties for $a$. Now, one has of course $a^{n-1} \equiv 1 \pmod{p}$ but as $a$ is primitive, $p - 1$ divides $n - 1$.

Now suppose that $n = p^2 m$ and write $a = 1 + pm$. One has

$$a^p \equiv 1 + p^2 m + \dots \equiv 1 \pmod{n}.$$

So the order of $a$ is $p$. But $p$ does not divide $n - 1$ (since $p \mid n$), so we get a contradiction.

Conversely, let $n$ be a square-free integer such that $p - 1$ divides $n - 1$ for all prime divisors $p$ of $n$. Let $a$ be prime to $n$; one has $a^{p-1} \equiv 1 \pmod{p}$ and, because $n - 1$ is a multiple of $p - 1$,

$$a^{n-1} \equiv 1 \pmod{p}.$$

Using the Chinese Remainder theorem for all the factors $p$, one gets

$$a^{n-1} \equiv 1 \pmod{n}.$$

Corollary 1.1. Any Carmichael number is the product of at least 3 distinct odd primes.

Proof. Because a Carmichael number is without square factor and is not prime, it has at least two prime factors.
Let us assume that $n = pq$ with $p < q$. Then $q - 1$ divides $pq - 1 = p(q - 1) + p - 1$, so $q - 1$ divides $p - 1$. Absurd.

Example 3. Show that if $6m + 1$, $12m + 1$ and $18m + 1$ are primes then $n = (6m + 1)(12m + 1)(18m + 1)$ is a Carmichael number. First, by the Chinese Remainder theorem, one can see that if $n = ab$ with $a, b$ coprime then for any $x$ prime to $n$ one has

$$x^{\operatorname{lcm}(\varphi(a), \varphi(b))} \equiv 1 \pmod{n}.$$

Now $\operatorname{lcm}(\varphi(6m + 1), \varphi(12m + 1), \varphi(18m + 1)) = 36m$ and also $36m \mid n - 1$. One can check that 1729 is such a number.

1.1.2 Lucas test

Let $n > 1$ be an integer. We will show that if there exists an $a$ such that $a^{n-1} \equiv 1 \pmod{n}$ and $a^q \not\equiv 1 \pmod{n}$ for all $q \mid n - 1$, $q \ne n - 1$, then $n$ is prime. This is a very good test for Fermat numbers $F_m$, i.e. numbers of the form $n = 2^{2^m} + 1$ (for $m = 0, \dots, 32$ only the first five are prime; $F_{33}$ is so big that it may be many years before we can decide its nature). But obviously this test is not good for a generic prime since we must know the factorization of $n - 1$.

Let us assume that such an $a$ exists and let $d$ be the order of $a$ in $(\mathbb{Z}/n\mathbb{Z})^*$. Since $a^{n-1} \equiv 1 \pmod{n}$, $d \mid (n - 1)$. More exactly, as no proper divisor of $n - 1$ is the order of $a$, one has $d = n - 1$. Now $n - 1 = d \mid \varphi(n)$. This is possible only if $n$ is prime.

1.1.3 Rabin-Miller test

Contrary to the Fermat test, the Miller-Rabin test can prove the compositeness of any composite number (i.e. there is no analog of Carmichael numbers for this test). But the Rabin-Miller test is a Monte-Carlo algorithm: it always stops; if it answers yes, the number is composite, and if it answers no then the answer is correct with a probability greater than $3/4$.

Let $n$ be an odd positive integer and $s = \max\{r \in \mathbb{N} : 2^r \mid n - 1\}$. Let $d = (n - 1)/2^s$.

Lemma 1.1 (Miller). If $n$ is a prime and if $a$ is an integer prime to $n$ then we have either $a^d \equiv 1 \pmod{n}$ or there exists $r \in \{0, \dots, s - 1\}$ such that $a^{2^r d} \equiv -1 \pmod{n}$.

Proof. The order of $a$ is a divisor of $n - 1$. It can be $d$ and then $a^d \equiv 1 \pmod{n}$.
If it is not, then its order divides $2^r d$ for $r \in \{1, \dots, s\}$ that we choose minimal. So $a^{2^r d} \equiv 1 \pmod{n}$ and $a^{2^{r-1} d}$ is a non-trivial square root of 1, so $a^{2^{r-1} d} \equiv -1 \pmod{n}$.

If we find an $a$ which is prime to $n$ and that satisfies neither of the conditions, then $n$ is composite. Such an integer $a$ is called a witness for the compositeness of $n$.

Example 4. Let $n = 561$. $a = 2$ is a witness for $n$. Indeed here $s = 4$, $d = 35$ and $2^{35} \equiv 263 \pmod{561}$, $2^{2 \cdot 35} \equiv 166 \pmod{561}$, $2^{4 \cdot 35} \equiv 67 \pmod{561}$, $2^{8 \cdot 35} \equiv 1 \pmod{561}$.

For the efficiency of the Rabin-Miller test, it is important that there are sufficiently many witnesses for the compositeness of a composite number.

Theorem 1.1 (Rabin). If $n \ge 3$ is an odd composite number, then the set $\{1, \dots, n - 1\}$ contains at most $(n - 1)/4$ numbers that are prime to $n$ and not witnesses for the compositeness of $n$.

Proof. Let $k$ be the largest integer $\le s - 1$ such that there exists at least one $b \in (\mathbb{Z}/n\mathbb{Z})^*$ with $b^{2^k} \equiv -1 \pmod{n}$ (such a $k$ exists since $b = -1$ and $k = 0$ works). Let $m = 2^k d$ and $n = \prod_{i=1}^{j} p_i^{e_i}$ be the prime factorization of $n$. Let

$$J = \{a \in (\mathbb{Z}/n\mathbb{Z})^* : a^{n-1} \equiv 1 \pmod{n}\}$$
$$K = \{a \in (\mathbb{Z}/n\mathbb{Z})^* : a^m \equiv \pm 1 \pmod{p_i^{e_i}} \text{ for all } i\}$$
$$L = \{a \in (\mathbb{Z}/n\mathbb{Z})^* : a^m \equiv \pm 1 \pmod{n}\}$$
$$M = \{a \in (\mathbb{Z}/n\mathbb{Z})^* : a^m \equiv 1 \pmod{n}\}.$$

We have $M \subset L \subset K \subset J \subset (\mathbb{Z}/n\mathbb{Z})^*$ as subgroups. Each $a$ which is not a witness for the compositeness of $n$ belongs to $L$. Indeed, if $a^d \equiv 1 \pmod{n}$ then $a \in L$, and if $a^{2^t d} \equiv -1 \pmod{n}$, then by the maximality of $k$, $t \le k$. We will prove that the index of $L$ in $(\mathbb{Z}/n\mathbb{Z})^*$ is at least four.

Let $G = \{a \in (\mathbb{Z}/n\mathbb{Z})^* : a \equiv \pm 1 \pmod{p_i^{e_i}} \text{ for all } i\}$. Every element of $G$ is an $m$-th power.
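
The following Python code is an added example, not part of Ritzenthaler's notes: it implements the Fermat test of 1.1.1 and the witness check of Lemma 1.1, reproduces the sequence of Example 4, and enumerates the non-witnesses bounded by Theorem 1.1. All function names are this example's own, and random bases are drawn with the standard-library `secrets` module, as one would when screening candidate primes for key generation.

```python
import secrets
from math import gcd

def fermat_passes(n, a):
    """Fermat test, base a: True when a^(n-1) = 1 (mod n), i.e. n 'looks prime'."""
    return pow(a, n - 1, n) == 1

def decompose(n):
    """Return (s, d) with n - 1 = 2^s * d and d odd (notation of 1.1.3)."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    return s, d

def miller_sequence(n, a):
    """Return [a^d, a^(2d), ..., a^(2^s d)] mod n."""
    s, d = decompose(n)
    seq = [pow(a, d, n)]
    for _ in range(s):
        seq.append(seq[-1] * seq[-1] % n)
    return seq

def is_witness(n, a):
    """True when a violates both conditions of Lemma 1.1, proving n composite."""
    seq = miller_sequence(n, a)
    # seq[:-1] holds a^(2^r d) for r = 0..s-1, the only places -1 may appear.
    return seq[0] != 1 and (n - 1) not in seq[:-1]

def non_witnesses(n):
    """Every a in {1..n-1} prime to n that is not a witness (set of Theorem 1.1)."""
    return [a for a in range(1, n) if gcd(a, n) == 1 and not is_witness(n, a)]

def is_probable_prime(n, rounds=40):
    """Rabin-Miller: False is always correct; True errs with prob. at most 4^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # uniform base in [2, n-2]
        if is_witness(n, a):
            return False
    return True

if __name__ == "__main__":
    print(fermat_passes(341, 2), fermat_passes(341, 3))  # base 2 is fooled, base 3 is not
    print(miller_sequence(561, 2), is_witness(561, 2))   # the values of Example 4
    print(len(non_witnesses(561)), (561 - 1) // 4)       # count vs. Rabin's bound
```

The Carmichael numbers 561 and 1729 pass `fermat_passes` for every base coprime to them, yet `is_witness` exposes both with base 2.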
