5. Prime Test

According to Fermat’s congruence theorem (commonly known as Fermat’s small theorem, which is a special case of Euler congruence theorem), if n is a prime number, the following congruence formula holds for all integers b, \((b,n)=1\),The above formula is an important characteristic of prime numbers. Although n satisfying the above formula is not necessarily prime, it can be used as an important basis for detecting prime numbers, because we can conclude that n not satisfying the above formula is definitely not a prime number. Using Formula (5.1) as the standard to detect prime numbers is called Fermat test.

The basic properties of pseudo prime numbers are discussed. Our working platform is a finite Abel group \(\mathbb {Z}_{n}^{*}\), define aswhere \(\bar{a}\) is a congruence class of \({{\,\mathrm{mod}\,}}n\) represented by a. The multiplication of two congruence classes is defined as \(\bar{a}\cdot \bar{b}=\bar{ab}\); obviously, \(\mathbb {Z}_{n}^{*}\) forms an Abel group of order \(\varphi (n)\) under multiplication, in a finite group G, the order of a group element \(g \in G\) is defined as\(o(g)=1\) if and only if g is the unit element of group G. By the definition of o(g), obviously,The following two lemmas are the basic conclusions about the order of group element g.

Back to the finite group \(\mathbb {Z}_{n}^{*}\), any integer \(a \in \mathbb {Z}\), \((a,n)=1\), then \(\bar{a} \in \mathbb {Z}_{n}^{*}\), we denote \(o(\bar{a})\) with o(a), a is called the order \({{\,\mathrm{mod}\,}}n\), obviously, \(o(a)=o(b)\), if \(a\equiv b({{\,\mathrm{mod}\,}}n)\). A basic problem in number theory is the existence of primitive roots of \({{\,\mathrm{mod}\,}}n\). equivalently, is \(\mathbb {Z}_{n}^{*}\) a cyclic group? If there is a positive integer a, \((a,n)=1\), \(o(\bar{a})=|\mathbb {Z}_{n}^{*}| =\varphi (n)\), then \(\mathbb {Z}_{n}^{*}\) is a cyclic group of order \(\varphi (n)\), so that the primitive root of \({{\,\mathrm{mod}\,}}n\) exists and a is the primitive root of \({{\,\mathrm{mod}\,}}n\).

By Lemma 5.3, if there is a base b so that n is not Fermat pseudo prime, detect a, \(1\le a\le n\), \((a,n)=1\) in sequence, whether \(a^{n-1}\equiv 1({{\,\mathrm{mod}\,}}n)\); that is, there is more than \(50 \% \) chance that find the exact b such that \(b^{n-1}\not \equiv 1 ({{\,\mathrm{mod}\,}}n)\), this proves that n is not a prime number. Is it possible that all a, \(1\le a\le n\), \((a,n)=1\), n is Fermat pseudo prime to base a The answer is yes, such a number n is called Carmichael number.

For Carmichael number, we have the following engraving.

Below we give some examples of Carmichael numbers, from property (ii) in Theorem 5.1, we can easily verify whether a square free number is Carmichael number.

Let \(p>2\) be an odd prime, Euler test uses the Euler criterion in the quadratic residue of \({{\,\mathrm{mod}\,}}p\) to detect whether a positive integer n is prime. Like Fermat’s test, it is obvious that the n that passes the test cannot be determined as prime, but the n that fails the test is certainly not prime. We know that when the positive integers a and n are given \((n>1)\), the solution of the quadratic congruence equation \(x^{2}\equiv a({{\,\mathrm{mod}\,}}n)\) is a famous “NP complete” problem. We can’t find a general solution in an effective time. However, in the special case where \(n=p>2\) is an odd prime number, we have rich theoretical knowledge to discuss the quadratic residue of \({{\,\mathrm{mod}\,}}p\), these knowledge include the famous Gauss quadratic reciprocal law and Euler criterion, which constitute the core knowledge system of elementary number theory. First, we introduce Legendre sign and let \(p>2\) be a given odd prime number.

\(\mathbb {Z}_{p}^{*}\) is a \((p-1)\)-order cyclic group, \(a\in \mathbb {Z}_{p}^{*} ~(\text {i.e.,}~(a,p)=1)\), we define the Legendre symbolic function asIf \((a,p)>1\), that is \(p\mid a\), we let \((\frac{a}{p})=0\), for \(\forall ~ a\in \mathbb {Z}\), Legendre symbolic function \((\frac{a}{p})\) is all defined, and it is a completely integral function of \(\mathbb {Z}\rightarrow \{1,-1,0\}\).andIf \((\frac{a}{p})=1\), then \(x^{2}\equiv a({{\,\mathrm{mod}\,}}p)\) is solvable, a is called a quadratic residue of \({{\,\mathrm{mod}\,}}p\), if \((\frac{a}{p})=-1\), then \(x^{2}\equiv a({{\,\mathrm{mod}\,}}p)\) is unsolvable, a is called a quadratic nonresidue of \({{\,\mathrm{mod}\,}}p\).

From the definition, we obviously have a corollary: if n is Euler pseudo prime under basis b, then n is Fermat pseudo prime under basis b. This conclusion can be proved by squaring both sides of Eq. (5.6) at the same time.

The following example shows that the inverse of inference is not tenable; that is, if n is Fermat pseudo prime under basis b, but not Euler pseudo prime.

From the Euler criterion of Lemma 5.6, we can easily calculate the Legendre symbols of \(-1\) and 2.

Let \((\frac{a}{n})\) be a Jacobi symbol, defined by Eq. (5.6), then Lemma 5.7 can be extended to Jacobi symbol.

Next, we discuss the computational complexity of Fermat test and Euler test.

Solovay and Strassen proposed a probabilistic method to detect prime numbers by Euler test in 1977. When \(n>1\) is an odd number, k numbers are randomly selected, \(b_{1},b_{2},\ldots ,b_{k}\), where \(1<b_{i}<n\), \((b_{i},n)=1\). Use Eq. (5.6) to calculate both sides of each b in turn, and the required bit operation is \(O(\log ^{4}n)\), if both sides of Eq. (5.6) are not equal, then n is not a prime number and the test is terminated. If k b pass the Euler test of Eq. (5.6), then n is the probability \(<\frac{1}{2^{k}}\) of compound number, that isThe above formula is directly derived from Lemma 5.3. Let’s introduce a better Miller–Rabin method than Solovay–Strassen method in a sense.

Below we give the main results of this section.

Before proving Theorem 5.2, let’s introduce Miller–Rabin’s test method, in order to test whether a large odd number n is a prime number, we write \(n-1=2^{t}\cdot m\), m is an odd number, \(t\ge 1\), select one b at random, \(1\le b<n\), \((b,n)=1\). We first calculate \(b^{m}{{\,\mathrm{mod}\,}}n\), if we get the result is \(\pm 1\), then n passes the strong pseudo prime test (5.12). If \(b^{m}{{\,\mathrm{mod}\,}}n\ne \pm 1\), then we square \(b^{m}{{\,\mathrm{mod}\,}}n\) and find the minimum nonnegative residue of the squared number under \({{\,\mathrm{mod}\,}}n\) to see if we get the result of \(- 1\) and perform r times. If we can’t get \(- 1\), then n to base b fails to test Formula (5.12). Therefore, it is asserted that n to base b is not a strong pseudo prime number. If \(- 1\) is obtained by r squared, then n passes the test under base b.

In Miller–Rabin’s test, if n to base b fails to pass the test Formula (5.12), then n must not be a prime number, if n to randomly selected k \(b=\{b_{1},b_{2},\ldots , b_{k}\}\) pass the test, by property (ii) of 5.2, each \(b_{i}\) accounts for no more than 25Compared with the Solovay–Strassen method using Euler test, the Miller–Rabin method using strong pseudo prime test is more powerful.

To prove 5.2, we first prove the following two lemmas.

With the above preparation, we now give the proof of Theorem 5.2.

Euler test and strong pseudo prime test require some complex quadratic residual techniques. We summarize the main conclusions of this section as follows:

Using all the prime number test methods introduced in the previous two sections, for a huge odd number n, even if we already know that n is not a prime number, we cannot successfully decompose n, because the prime number test does not provide prime factor decomposition information, A more direct method—like the sieve method—verifies whether the prime factor of n is for prime numbers not greater than \(\sqrt{n}\), because a compound number n must have a prime factor p, \(p\le \sqrt{n}\). Selected \(p\le \sqrt{n}\), the bit operation required to divide n by p is \(O(\log n)\), there are \(O(\frac{\sqrt{n}}{\log n})\) prime numbers \(p\le \sqrt{n}\) in total, therefore, the bit operation required for such a verification is \(O(\sqrt{n})\). A more effective method was proposed by J. M. Pollard in 1975. We call it Monte Carlo method, or “rho” method.

First, find a convenient mapping f of \(\mathbb {Z}_{n} {\mathop {\longrightarrow }\limits ^{f}} \mathbb {Z}_{n}\); for example, f(x) is an integer coefficient polynomial, such as \(f(x)=x^{2}+1\); secondly, a prime number \(x_{0}\) is randomly generated, let \(x_{1}=f(x_{0})\), \(x_{2}=f(x_{1})\), \(\ldots \), \(x_{j+1}=f(x_{j})(j=0, 1, 2, \cdots )\). In these \(x_{j}\), we want to find two integers \(x_{j}\) and \(x_{k}\), which are different elements in \(\mathbb {Z}_{n}\), but there are some factors d of n, d|n, and \(x_{j}\) and \(x_{k}\) are the same elements in \(\mathbb {Z}_{d}\), that is to sayOnce \(x_{j}\) and \(x_{k}\) are found, the algorithm is said to be completed.

Monte Carlo method uses a polynomial \(f(x) \in \mathbb {Z}[x]\), so that n is a positive integer, and the congruence equation of \({{\,\mathrm{mod}\,}}n\) is invariant to polynomial f(x), that is\(x_{0} \in \mathbb {Z}_{n}\) given, \(x_{j+1}=f(x_{j})(j=0,1,\ldots )\), if you find an \(x_{k_{0}} \in \mathbb {Z}_{n}\) that satisfies \(x_{k_{0}}\equiv x_{j_{0}}({{\,\mathrm{mod}\,}}r)\), where r|n, \(r>1\), \(k_{0}>j_{0}\). By (5.25),Thus for any \(k>j\), if \(k-j=k_{0}-j_{0}\), there is \(x_{k}\equiv x_{j}({{\,\mathrm{mod}\,}}r)\), this proves that a polynomial mapping \(\mathbb {Z}_{n} {\mathop {\longrightarrow }\limits ^{f}} \mathbb {Z}_{n}\) produces \(k_{0}\) different residue classes under \({{\,\mathrm{mod}\,}}r (r|n)\),Therefore, there is the following Lemma 5.14.

We call the polynomial f and the initial value \(x_{0}\) described in Lemma 5.14 an average mapping. When the first subscript k is very large, the amount of calculation is very large. Here we give an improved Monte Carlo algorithm.

\(f(x) \in \mathbb {Z}[x]\) given, Monte Carlo algorithm needs to continuously calculate \(x_{k}(k=1,2,\ldots )\). Let \(2^{h}\le k <2^{k+1}(h\ge 0)\), \(j=2^{h}-1\); that is, k is an \((h+1)\)-bit number, j is the maximum h-bit number, compare \(x_{k}\) with \(x_{j}\) and calculate \((x_{k}-x_{j},n)\), if \((x_{k}-x_{j},n)>1\), then the calculation is terminated, otherwise consider \(k+1\). The improved Monte Carlo algorithm only needs to calculate \((x_{k}-x_{j},n)\) once for each k, \(j=2^{h}-1\). There is no need to verify every j, \(0\le j<k\), when k is very large, it reduces a lot of computation, but there is a disadvantage. It may miss the smallest subscript k satisfying the condition, but the error is controllable. In fact, we have the following error estimation.

The above simple lemma provides us with a method of factor decomposition, called Fermat factor decomposition: if \(n=ab\), a is very close to b, then \(n=(\frac{a+b}{2})^{2}+(\frac{a-b}{2})^{2}=t^{2}-s^{2}\), where s is very small and t is only a little larger than \(\sqrt{n}\). Therefore, starting from \(t=[\sqrt{n}]+1\), we successively detect whether \(t^{2}-n\) is a complete square number. If not, we change it to \(t=[\sqrt{n}]+2\) for detection. In this way, until \(t^{2}-n=s^{2}\), we get \(n=(t+s)(t-s)\) through Fermat factorization. This method is effective when \(n=ab\), a and b are very close.

Fermat factor decomposition can be further expanded into a factor-based method to become a more effective factor decomposition method. Its basic idea is: in Fermat factorization, \(t^{2}-n^{2}\) is required to be a complete square, which is difficult to appear in practice, but \(t^{2}\equiv s^{2}({{\,\mathrm{mod}\,}}n)\), \(t\not \equiv \pm s({{\,\mathrm{mod}\,}}n)\) is easy to appear. Calculate the maximum common divisor \((t+s,n)\) and \((t-s,n)\), then we have factorization

If b is a B-number, \(b^{2} {{\,\mathrm{mod}\,}}n\) represents the minimum nonnegative residue of \(b^{2}\) under \({{\,\mathrm{mod}\,}}n\), by the definition,Let \(e=\{e_{1},e_{2},\ldots ,e_{h}\} \in \mathbb {F}_{2}^{h}\) be an h-dimensional binary vector, definee is called the binary vector corresponding to b if \(\{b_{i}\}=A\) is a set of B-numbers. The binary vector corresponding to each \(b_{i}\) is denoted as \(e_{i}=\{e_{i_{1}},e_{i_{2}}, \ldots , e_{i_{h}}\} \), denote \(b_{i}^{2} {{\,\mathrm{mod}\,}}n\) with \(a_{i}\). We haveSuppose \(\sum _{i \in A}e_{i}=(0,0, \ldots , 0)\) is the zero vector in \(\mathbb {F}^{h}_{2}\), thenThat is, \(\prod a_{i}\) is a square number. Let \(r_{j}=\frac{1}{2}\sum _{i \in A}\alpha _{ij}\), thenOn the other hand, \(b_{i} {{\,\mathrm{mod}\,}}n\) represents the minimum nonnegative residue of \(b_{i}\) under \({{\,\mathrm{mod}\,}}n\), letwhere \(\delta _{i}=b_{i}{{\,\mathrm{mod}\,}}n\), that is \(0\le \delta _{i}<n\), and \(b_{i}\equiv \delta _{i}({{\,\mathrm{mod}\,}}n)\), thusBecause of \(a_{i}=b_{i}^{2} {{\,\mathrm{mod}\,}}n \), that is \(0\le a_{i}<n\), and \(b_{i}^{2}\equiv a_{i}({{\,\mathrm{mod}\,}}n)\). There isTwo different integers b and c defined by Eqs. (5.29) and (5.30) satisfy \(b^{2}\equiv c^{2}({{\,\mathrm{mod}\,}}n)\), We write the above analysis as the following lemma.

From the above lemma, if \(b^{2}\equiv c^{2}({{\,\mathrm{mod}\,}}n)\), \(b\not \equiv \pm c({{\,\mathrm{mod}\,}}n)\). Then we will find a nontrivial factor \(d=(b+c,n)\) of n. Now the question is, if \(b^{2}\equiv c^{2}({{\,\mathrm{mod}\,}}n)\), how likely is \(b\not \equiv \pm c({{\,\mathrm{mod}\,}}n)\)? Might as well make \((b,n)=(c,n)=1\), otherwise both sides are divided by \((b,n)^{2}\): by \(b^{2}\equiv c^{2}({{\,\mathrm{mod}\,}}n), \Longrightarrow (bc^{-1})^{2}\equiv 1({{\,\mathrm{mod}\,}}n)\). The problem is transformed into how many solutions x are in \(x^{2}\equiv 1({{\,\mathrm{mod}\,}}n)\), \(1\le x<n\).

According to Lemma 5.20, b and c are selected by using factor basis, if \(b\equiv \pm c({{\,\mathrm{mod}\,}}n)\), then select failure, and the probability of failure is \(\le \frac{1}{2}\). If the selection fails, select another \(b_{1}\) and \(c_{1}\), in this way, we randomly select k b and c equally almost independently, and the probability of success of \(b\not \equiv \pm c({{\,\mathrm{mod}\,}}n)\) isIn other words, the probability of finding a nontrivial factor \(d=(b+c,n)\) of n by using the factor base can be infinitely close to 1. Below, we systematically summarize the factor base decomposition method as follows:

Factor-based method

Let n be a large odd number and y be an appropriately selected integer (e.g., \(y\le n^{\frac{1}{10}}\)), let the factor base beSelect a certain number of B-number at random, \(A_{1}=\{b_{1},b_{2},\ldots ,b_{N}\}\), usually \(N\le \pi (y)+2\) will meet the needs. Each \(b_{i}\) is expressed as the product of prime numbers in B. Calculate the corresponding binary vector \(e_{i}\), select a subset \(A\subset A_{1}\) in \(A_{1}\), such that \(\sum _{i \in A}e_{i}=0\), \(b_{i}\) corresponding to binary vector \(e_{i}\), denote as \(A=\{b_{1},b_{2},\ldots ,b_{i},\ldots \}\). LetandWe have \(b^{2}\equiv c^{2}({{\,\mathrm{mod}\,}}n)\), if \(b\equiv \pm c({{\,\mathrm{mod}\,}}n)\), then reselect the subset A, Until finally \(b \not \equiv \pm c({{\,\mathrm{mod}\,}}n)\), in this way, we find a nontrivial factor d|n of n, \(d=(b+c,n)\). Therefore, there is factorization \(n=d\cdot \frac{n}{d}\).

Factor decomposition using factor-based method cannot guarantee the success rate of \(100\%\) because \(b \not \equiv \pm c({{\,\mathrm{mod}\,}}n)\) cannot be deduced from \(b^{2}\equiv c^{2}({{\,\mathrm{mod}\,}}n)\), however, the success probability of factorization for large odd n can be infinitely close to 1. Under the condition of success probability \(\ge 1-\frac{1}{2^{k}}\) (k is a given normal number), the computational complexity of factorization n of by factor-based method can be estimated asThe proof of Formula (5.32) is relatively complex. No detailed proof is given here. Interested readers can refer to pages 136–141 of Pomerance (1982a) in reference 5. The exact value of C in (5.32) is unknown. It is generally guessed that \(C=1+\varepsilon \), where \(\varepsilon >0\) is any small positive real number.

Let k be the number of bits of n, and the estimate on the right of (5.32) can be written as \(O(\mathrm{e}^{c\sqrt{k\log k}})\). Therefore, the computational complexity of the factor-based method is sub-exponential. Compared with the Monte Carlo method introduced in the previous section (see (5.31)), its computational complexity is exponential, becauseAs we all know, the security of RSA public key cryptography is based on the prime factorization \(n=pq\) of n. Although there is no general method to factorize any large odd n, although Monte Carlo method and factor-based method are probability calculation methods, the probability of successful factorization is very large, The disadvantage is that their computational complexity is exponential and sub exponential, which is the reason for choosing huge prime numbers p and q in RSA.

In the factor-based method introduced in the previous section, \(b^{2}{{\,\mathrm{mod}\,}}n\) can be the residual of the minimum absolute value of \(b^{2}\) under \({{\,\mathrm{mod}\,}}n\), that isIn this way, \(b^{2}{{\,\mathrm{mod}\,}}n\) can be decomposed into the product of some smaller prime numbers. The continued fraction method is the best method at present. How to find the integer b, so that \(|b^{2}{{\,\mathrm{mod}\,}}n|<2\sqrt{n}\), \(b^{2}{{\,\mathrm{mod}\,}}n\) is more likely to be decomposed into the product of some small prime numbers. First, we introduce what is continued fraction and some basic properties.

Suppose \(x\in \mathbb {R}\) is a real number, [x] is the integer part of x, and \(\{x\}\) is the decimal part of x. Let \(a_{0}=[x]\), if \(\{x\}\ne 0\), and let \(a_{1}=[\frac{1}{\{x\}}]\), because of \(x=[x]+\{x\}\), there isIf \(\{\{x\}^{-1}\}\ne 0\), writeconsiderSo we gotThe above formula is called the continued fraction expansion of real number x. To save space, write \(x=[a_{0},a_{1},\ldots ,a_{n},\ldots ]\), if and only if x is a rational number, the continued fraction of x is expanded to be finite, denote asIt is called the standard expansion of rational number x.

The progressive fraction \(\frac{b_{i}}{c_{i}}\) of the real number x is a reduced fraction, that is \((b_{i},c_{i})=1\), and has the following properties.

Continued fractions have many important applications in numbers, such as rational approximation of real numbers and rational approximation of algebraic numbers. Periodic continued fractions are an important special case in rational approximation of algebraic numbers. \(x=[a_{0},a_{1},\ldots ,a_{n},\ldots ]\). If these \(a_{i}\) occur in cycles of a certain length, they are called periodic continued fractions. The famous Lagrange theorem shows that the necessary and sufficient condition for the expansion of the continued fraction of x into a periodic continued fraction is that x is a quadratic real algebraic number. Here we do not discuss some profound properties of continued fractions, but only prove some properties we need.

Combining the above Lemma 5.23 with the factorization method, we obtain the continued fraction decomposition method.

Continued fraction decomposition method:

The operations of \({{\,\mathrm{mod}\,}}n\) involved in this algorithm, except that it is specially pointed out, are the minimum nonnegative residue of \({{\,\mathrm{mod}\,}}n\). If n is a large odd number, it is also a compound number, first let \(b_{-1}=b\), \(b_{0}=a_{0}=[\sqrt{n}]\), and \(x_{0}=\sqrt{n}-a_{0}=\{\sqrt{n}\}\), calculate \(b_{0}^{2}{{\,\mathrm{mod}\,}}n\), in fact, \(b_{0}^{2}{{\,\mathrm{mod}\,}}n=b_{0}^{2}-n\). Second, consider \(i=1,2,\ldots \). To determine \(b_{i}\), we proceed in several steps:

By Lemma 5.23, \(b_{i}^{2}{{\,\mathrm{mod}\,}}n <2\sqrt{n}\), it can be decomposed into the product of some small prime numbers. If a prime number p appears in the decomposition of two or more \(b_{i}^{2}{{\,\mathrm{mod}\,}}n\), or in the decomposition of an \(b_{i}^{2}{{\,\mathrm{mod}\,}}n\), p appears to an even power, p is called a standard prime number, in other words, a standard prime p isOrWe choose factor base B asIn this way, all \(b_{i}^{2}{{\,\mathrm{mod}\,}}n\) are B-numbers, and the corresponding binary vector is \(e_{i}\). Select a subset \(A=\{b_{i}\}, \Longrightarrow \sum _{i\in A}e_{i}=0\). Letand \(c=\prod _{j\in B}p_{j}^{r_{j}}\), whereIf \(b\not \equiv \pm c({{\,\mathrm{mod}\,}}n)\), then \((b+c,n)\) is a nontrivial factor of n, and we obtain the factorization of n. If \(b \equiv \pm c({{\,\mathrm{mod}\,}}n)\), then another subset A is selected and repeated to complete the continued fraction factorization method.

Solution: We calculate \(a_{i}\), \(b_{i}\) and \(b_{i}^{2}{{\,\mathrm{mod}\,}}n\) in turn, where \(b_{i}=(a_{i}b_{i-1}+b_{i-2}){{\,\mathrm{mod}\,}}n\), the table is as follows:

From the value of \(b_{i}^{2}{{\,\mathrm{mod}\,}}n\), we can choose the factor base B as \(B=\{-1,2,3,7\}\). Then \(b_{i}^{2}{{\,\mathrm{mod}\,}}n\) is the number of B-number, when \(i=0,2,4,\ldots \). The corresponding binary vector isEasy to calculate \(e_{0}+e_{4}=(0,0,0,0)\). Therefore, we chooseBecause \(b^{2}\equiv c^{2}({{\,\mathrm{mod}\,}}9073)\), that is \(3834^{2}=36^{2}({{\,\mathrm{mod}\,}}9073)\), but \(3834\not \equiv \pm 36({{\,\mathrm{mod}\,}}9073)\), so we get a nontrivial factor of \(n=9073\), \(d=(3834+36,9073)=43\). Thus \(9073=43\cdot 211\), the factorization of 9073 is obtained.

Exercise 5