
An Extended Quadratic Frobenius Primality Test with Average and Worst Case Error Estimates*†

Ivan Bjerre Damgård, Gudmund Skovbjerg Frandsen
BRICS‡, Department of Computer Science, University of Aarhus
IT-parken, Aabogade 34, DK-8200 Aarhus N, Denmark
{ivan,gudmund}@daimi.au.dk

DRAFT - December 8, 2005

* Partially supported by the IST Programme of the EU under contract number IST-1999-14186 (ALCOM-FT).
† An extended abstract of this paper was presented at FCT'2003, see [11].
‡ Basic Research in Computer Science, Centre of the Danish National Research Foundation.

Abstract

We present an Extended Quadratic Frobenius Primality Test (EQFT), which is related to the Miller-Rabin test and to several other known probabilistic tests. EQFT takes time equivalent to about 2-3 Miller-Rabin tests, but has much smaller error probability, namely $256/331776^t$ for $t$ iterations of the test in the worst case. We also give bounds on the average-case behaviour of the test: consider the algorithm that repeatedly chooses random odd $k$-bit numbers, subjects them to $t$ iterations of our test and outputs the first one found that passes all tests. We obtain numeric upper bounds for the error probability of this algorithm as well as a general closed expression bounding the error. For instance, it is at most $2^{-155}$ for $k = 500$, $t = 2$. Compared to earlier similar results for the Miller-Rabin test, the results indicate that our test in the average case has the effect of 9 Miller-Rabin tests. We also give bounds for the error in case a prime is sought by incremental search from a random starting point.

1 Introduction

Efficient methods for primality testing are important, in theory as well as in practice. In particular, this is true for many scenarios in cryptography. From a theoretical point of view, the primality testing problem is completely solved by the AKS algorithm [1, 14], which is polynomial time and always returns correct results. In practice, however, it continues to be significantly less efficient than probabilistic tests with bounded error probability, such as the Miller-Rabin test.

Probabilistic tests are therefore a natural alternative for practical scenarios, and particularly for cryptographic applications, since in cryptography we must live with non-zero probabilities of unwanted events. For instance, there is always a non-zero (but hopefully small) probability that an adversary guesses a key he should not know, or happens to make random choices in his attack that lead him to the answer much faster than expected. Hence the question is not how we can remove all error probabilities, but rather how we can efficiently reduce them to the level we have to live with anyway. One concrete application of primality tests is in public-key cryptography, where efficient methods for generating large, random primes are indispensable tools. The natural algorithm is to choose random candidate numbers and test for primality until a prime is found. Here, it is important to know how the test behaves in the average case, that is, which error probability we expect when it is known that the input has been chosen according to some particular probability distribution. But there are also scenarios, e.g., in connection with Diffie-Hellman key exchange, where one needs to test if a number $n$ is prime, and where $n$ may have been chosen by an adversary with the aim of fooling the primality test. Here, the worst case performance of the test is important, i.e., the maximal probability that a composite number will be accepted. In this paper, we present and analyze a new probabilistic primality test which we call the Extended Quadratic Frobenius test (EQFT). The motivation for this name will hopefully become clear in the following.
For the average case analysis: consider an algorithm that repeatedly chooses random odd $k$-bit numbers, subjects each number to $t$ iterations of EQFT, and outputs the first number found that passes all $t$ tests. Under the ERH, each iteration takes expected time equivalent to 2-3 Miller-Rabin tests (the ERH is only used to bound the run time and does not affect the error probability). Let $q_{k,t}$ be the probability that a composite number is output. We derive numeric upper bounds for $q_{k,t}$, e.g., we show $q_{500,2} \le 2^{-155}$, and also show a general upper bound, namely for $2 \le t \le k-1$, $q_{k,t}$ is $O(k^{3/2}\, 2^{(\sigma_t+1)t}\, t^{-1/2}\, 4^{-\sqrt{2\sigma_t t k}})$ with an easily computable big-O constant, where $\sigma_t = \log_2 24 - 1/t$. We also analyze the error probability when a random $k$-bit prime is instead generated using incremental search from a random starting point, still using (up to) $t$ iterations of our test to distinguish primes from composites. Note that in practice, one could of course discard most non-primes efficiently by subjecting each candidate to trial division by small primes, and a Miller-Rabin test before using EQFT. This saves time, but the error analysis we do here is valid for any such algorithm, as long as the extra testing accepts all prime candidates. Concerning worst case analysis, we show that $t$ iterations of EQFT err with probability at most $256/331776^t$ except for an explicit finite set of numbers¹. The time needed to run EQFT involves first a one-time start-up cost equivalent to about 2 Miller-Rabin tests and then, for each iteration of the actual test, time equivalent to about 2-3 Miller-Rabin tests (we give a more detailed analysis of the running time later). We note that there exists a variant of our algorithm called EQFTac satisfying the same bounds on the error probabilities and where no start-up cost is needed.
However, the analysis is more complicated and the algorithm is only as fast as the variant presented here when the input is randomly chosen (it can be up to 4 times slower on worst case inputs than in the average case). EQFTac may be preferable for generation of random primes. For details on EQFTac, see [11].

¹ Namely, if $n$ has no prime factors less than 118, or if $n \ge 2^{42}$.

1.1 Related Work

Virtually all known probabilistic tests are built on the same basic principle: from the input number $n$, one defines an Abelian group and then tests if the group structure we expect to see if $n$ is prime is actually present. The well-known Miller-Rabin test uses the group $\mathbb{Z}_n^*$ in exactly this way. A natural alternative is to try a quadratic extension of $\mathbb{Z}_n$, that is, we look at the ring $\mathbb{Z}_n[x]/(f(x))$ where $f(x)$ is a degree 2 polynomial chosen such that it is guaranteed to be irreducible if $n$ is prime. In that case the ring is isomorphic to the finite field with $n^2$ elements. This idea of a quadratic extension is central in our algorithm and can be traced back at least to Baillie, Pomerance, Selfridge and Wagstaff [3, 24], who suggested combining a Miller-Rabin test with a Lucas sequence test (we call such a combined test a BPSW test in the following). The specific test described in [24] is deterministic, and the authors offered a cash prize for anyone exhibiting a composite number that would pass the combined test; this cash prize has apparently not been claimed yet, more than twenty years later. Grantham [13] seems to be the first to make a worst-case error analysis of a randomized variant of the BPSW test. His variant is called QFT. Grantham showed that his test has error probability $1/7710$ in the worst case. Zhang seems to be the first to give explicit simple expressions for the number of pseudoprimes for his version of BPSW, which he calls OPQBT (One-Parameter Quadratic-Base Test) [26]. This test has worst case error probability $1/119726$.
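The quadratic-extension principle described above, as an added Python example that is not code from the paper: it implements arithmetic in $\mathbb{Z}_n[x]/(x^2 - c)$ with $c$ chosen so that the Jacobi symbol $(c/n) = -1$, and the basic Frobenius check $x^n \equiv -x$ that the tests surveyed here build on (EQFT's additional checks are not reproduced). Function names and the small constructed inputs are my own.

```python
# Added example, not from the paper: arithmetic in Z_n[x]/(x^2 - c) and the
# basic quadratic Frobenius check. If n is prime and (c/n) = -1, the ring is
# the field F_{n^2} and x^n == -x must hold; a composite may or may not pass.
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard binary algorithm)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def mul(p, q, n, c):
    """Multiply p0 + p1*x and q0 + q1*x in Z_n[x]/(x^2 - c), using x^2 = c."""
    p0, p1 = p
    q0, q1 = q
    return ((p0 * q0 + p1 * q1 * c) % n, (p0 * q1 + p1 * q0) % n)

def power(base, e, n, c):
    """Square-and-multiply exponentiation in Z_n[x]/(x^2 - c)."""
    result = (1, 0)
    while e:
        if e & 1:
            result = mul(result, base, n, c)
        base = mul(base, base, n, c)
        e >>= 1
    return result

def frobenius_probable_prime(n, c):
    """True iff x^n == -x in Z_n[x]/(x^2 - c).
    For prime n this always holds: x^n = x*(x^2)^((n-1)/2) = x*c^((n-1)/2) = -x
    by Euler's criterion, because (c/n) = -1."""
    if n < 3 or n % 2 == 0 or gcd(c, n) != 1 or jacobi(c, n) != -1:
        raise ValueError("need odd n > 2 and c coprime to n with (c/n) = -1")
    return power((0, 1), n, n, c) == (0, n - 1)

def passing_params(n):
    """Admissible c in [1, n) for which n passes the check; for composite n
    these are the parameters that fool it (constructed small case: n = 15)."""
    return [c for c in range(1, n)
            if gcd(c, n) == 1 and jacobi(c, n) == -1
            and frobenius_probable_prime(n, c)]
```

For the constructed input n = 15 only c = 14 (where x^2 = -1) fools the check, while every admissible c for the prime 97 passes, which is the per-parameter error rate that a worst-case bound of the kind quoted above controls.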
All of the above tests check that the order of the involved group is what we expect and in addition that all square roots of 1 we encounter along the way are $\pm 1$ (this is what we expect since if $n$ is prime, the involved group is cyclic, and so there is exactly one element of order 2). Berrizbeitia and Berry [4] suggest looking at $r$'th roots of 1 in $\mathbb{Z}_n^*$ and note that if $r$ divides $n - 1$ and an $r$'th root of 1 is known in advance, one can get a smaller error probability than for the MR test. Of course, one cannot assume in general that such a root is given for free, but the paper discusses the possibility of obtaining an $r$'th root during the execution of several iterations of the algorithm. Müller uses 3rd and 4th roots of 1 in quadratic extensions of $\mathbb{Z}_n^*$ to develop a test that only works for numbers $n \equiv 3 \pmod 4$ [22]. The worst case error probability is $1/331000$, and is smaller in some cases, depending on the values of $n \bmod 3$ and $n \bmod 16$. She also suggested a different test for $n \equiv 1 \pmod 4$ in [21]. This test has error probability $1/1048350$ for the first iteration and $1/131040$ for each of the following ones. All results mentioned so far in this overview are for worst case error probabilities. However, on most composite numbers, the tests tend to have much smaller error probabilities than indicated by the worst case behavior. The first previous result taking advantage of this fact is by Damgård, Landrock and Pomerance for the MR test [9].