Notes on Primality Testing Dan Klain last updated April 23, 2013 Comments and corrections are welcome These supplementary notes summarize some of results on primality testing pre- sented at the end of class on April 11, as well as some material to be presented on April 18. § Given n 2 Z, how can we determine if n is prime without actually factoring n? p If n is composite, then n must have a prime factor p ≤ n. So onep way to test for primality is to use test division of n by p for all primes p ≤ n. But this is impractical for large n, even on a fast computer. There are better approaches. § Fermat’s theorem says that, if p is prime and gcd(a, p) = 1, then ap ≡ a mod p. Suppose that n is a large odd number. It follows from Fermat’s theorem that, if 2p 6≡ 2 mod n, then n cannot be prime. On the other hand, if 2n ≡ 2 mod n, we still don’t know whether or not n is prime. If such a number n is composite, n is said to be a pseudoprime to base 2. For example, 341 = 31 · 11 is a pseudoprime to base 2. Moreover, if n is a pseudoprime to base 2, so is 2n − 1. It follows that there are infinitely many pseudoprimes to base 2. Pseudoprimes to other bases are defined analogously. A composite number n is a pseudoprime to base a if gcd(a, n) = 1 and an ≡ a mod n. Unfortunately there are pseudoprimes for every base. In fact, some numbers are pseudoprimes for every base at once! An composite integer is a Carmichael number if an ≡ a mod n for all integers a. In particular, a Carmichael number is a pseudoprime to every base. The smallest Carmichael number is 561. Here is a condition for finding more of them. Theorem 1. A composite positive integer n is a Carmichael number if and only if n is square-free, and if, for each prime pjn, we have (p − 1)j(n − 1). Proof. To begin, suppose that n is a Carmichael number. If a prime p divides n, k write n = p Q, where gcd(p, Q) = 1. Let r be a primitive root for Upk . By the 1 2 Chinese remainder theorem, there exists s 2 Un such that s ≡ 1 mod Q and s ≡ r mod pk. Since n is a Carmichael number and s is a unit mod n, we have sn−1 ≡ 1 mod n, so that sn−1 = 1 + tn = 1 + tpkQ, for some integer t. Modulo pk this becomes rn−1 ≡ 1 mod pk. Since r is primitive mod pk, the divisibility theorem for order implies that f(pk)j(n − 1), so that 1) pk−1(p − 1)j(n − 1).( In particular, (p − 1)j(n − 1) for each prime p dividing n. Moreover, if k > 1, then (1) implies that pj(n − 1). Since pjn, this contradicts the assumption that p is prime. It follows that k = 1, so that n is square-free. Conversely, suppose that n is a square-free composite number, and that each prime p dividing n satisfies (p − 1)j(n − 1). In this case we can write n = p1 ··· pk pi for primes p1 < ··· < pk. Let a 2 Z. By Fermat, we have a ≡ a mod pi for each i. Suppose that gcd(a, n) = 1. For each i we have n − 1 = (pi − 1)bi for some bi. It follows that n−1 (pi−1)bi pi−1 bi a = a = (a ) ≡ 1 mod pi. The Chinese remainder theorem then implies an−1 ≡ 1 mod n, so that an ≡ a mod n. n n By a similar argument, pj ≡ pj mod pi for each i 6= j, while obviously pj ≡ 0 ≡ n pj mod pj as well. Again the Chinese remainder theorem implies that pj ≡ pj mod n for each j. If gcd(a, n) = d, then d is a square-free product of some of the distinct primes pj, and a = dk with gcd(k, n) = 1, so that an = dnkn ≡ dk ≡ a mod n. In other words, n is a Carmichael number. q The existence of Carmichael numbers suggests a better approach is needed for efficient primality testing. § 3 Jacobi symbols. We now introduce a generalization of the Legendre symbol to a larger class of numbers. If p is an odd prime and a 2 Z, the Legendre symbol for the pair (a, p) is defined by 8 0 if pja, a < = 1 if a is a quadratic residue mod p, p : −1 otherwise. When p6 j a, the Euler criterion asserts that a p−1 = (−1) 2 . p Gauss’s Lemma and the Law of Quadratic Reciprocity gave us more efficient means for computing Legendre symbols. Suppose instead that a 2 Z and n > 1 is an odd integer, including the case where n is composite. By the unique factorization theorem, n has a unique expression as a product of powers of distinct odd primes: e1 e2 ek n = p1 p2 ··· pk . Define the Jacobi symbol for the pair (a, n) by a a e1 a e2 a ek (2) = ··· n p1 p2 pk where each factor in the product above is a Legendre symbol. Evidently the Jacobi symbols can take values 0, 1 or −1. Note that if n is itself an odd prime, then the Jacobi symbol is simply the usual Legendre symbol. Euler’s criterion does not typically tell us the value of the Jacobi symbol directly, although if gcd(a, n) = 1 then Euler’s criterion can be applied to each prime pi in the factorization of n to compute each factor in the expression (2). The downside of this approach is that one needs to know the factorization of the number n. Fortunately, there are easier ways to compute Jacobi symbols. The following elementary properties follow easily from similar properties of Legendre symbols. Proposition 1. Let a, b 2 Z, and let m, n > 1 be odd integers. a b (i) If a ≡ b mod n then n = n . ab a b (ii) n = n n . a a a (iii) mn = m n . a (iv) If gcd(a, n) 6= 1 then n = 0. ( ) = a = (v) If gcd a, n 1 then n2 1. a2 (vi) If gcd(a, n) = 1 then n = 1. 4 The proof is left as an exercise. a The converse of the last item is false in general: It is possible that n = 1 even though a is not a quadratic residue mod n. For example, 2 is not a quadratic residue mod 15, even though 2 2 2 = = (−1)(−1) = 1. 15 3 5 a On the other hand, if n = −1 then a cannot be a quadratic residue mod n. (Exercise: Why not?) The next proposition shows that two important formulas for Legendre symbols generalize without any change to Jacobi symbols. Proposition 2. Let n > 1 be an odd positive integer. Then −1 1 if n ≡ 1 mod 4 2 n2−1 = and = (−1) 8 n −1 if n ≡ 3 mod 4 n n2−1 Recall that (−1) 8 = 1 iff n ≡ ±1 mod 8. It follows that 2 n ≡ ± = 1 if 1 mod 8 n −1 if n ≡ ±3 mod 8 Proof. Another way of stating the first part is to assert that, if n is odd, then −1 n ≡ n mod 4. This follows from the Euler criterion when n is prime. It then follows for more general n by the denominator product rule (iii) of Proposition 1. To prove the second statement, observe that 3) (nm)2 − 1 = n2m2 − n2 + n2 − 1 = n2(m2 − 1) + (n2 − 1).( 2 If n is odd, then (−1)n = −1, so that (nm)2−1 n2(m2−1)+(n2−1) (−1) 8 = (−1) 8 2− m 1 2 n2 8 n −1 = (−1) (−1) 8 m2−1 n2−1 = (−1) 8 (−1) 8 . Suppose that 2 s2−1 (4) 6= (−1) 8 s for some odd integer s > 1, and let s be the smallest positive odd number for which this occurs. We know that the proposition holds for primes, so s must be 5 composite; that is, s = nm where n, m > 1 are odd and strictly smaller than s. By the minimality of s, the proposition holds for n and m, so that 2 2 2 2 2 n2−1 m2−1 (nm) −1 s2−1 = = = (−1) 8 (−1) 8 = (−1) 8 = (−1) 8 , s nm n m contradicting (4). The proposition now follows. q The Law of Quadratic Reciprocity also generalizes to Jacobi symbols. Theorem 2. If m, n > 1 are odd integers, then ( n m n m−1 n−1 if n ≡ 1 mod 4 or if m ≡ 1 mod 4 2 2 m = (−1) = n n m − m if n ≡ m ≡ 3 mod 4 Note that this statement of Quadratic Reciprocity is presented a little differently from the original version for primes, in order to account for the case in which either Jacobi symbol is zero. Proof. If gcd(m, n) 6= 1 then both sides of the identity are zero. The more inter- esting case, in which gcd(m, n) = 1, is left as an exercise. Here are some hints: Use the fact that quadratic reciprocity holds for odd primes. First, suppose that m is an odd prime and let n be the smallest odd composite number for which the theorem fails. Use an identity similar to (3) from the previous proof to derive a contradiction.