1. 6.3 Primality Testing

2. p2. (1) Prime numbers 1. How to generate large prime numbers? (1) Generate as candidate a random odd number n of appropriate size. (2) Test n for primality. (3) If n is composite, return to the first step.

3. p3. 2. Distribution of prime numbers (1) prime number theorem Let Π(x) denote the number of prime numbers ≦ x. Π(x) ~ x/ln(x) when n  ∞. (2)Dirichlet theorem If gcd(a, n)=1, then there are infinitely many primes congruent to a mod n.

4. p4. (3) Let Π(x, n, a) denote the number of primes in the interval [2, x] which are congruent to a modulo n, where gcd(a, n)=1. Then Π(x, n, a) ~ The prime numbers are roughly uniformly distributed among the φ(n) congruence classes in Z n * (4) Approximation for the nth prime number p n

5. p5. (2) Solovay-Strassen primality test 1. Trial method for testing n is prime or composite 2. Definition ： Euler witness Let n be an odd composite integer and. (1) If then a is an Euler witness (to compositeness) for n.

6. p6. (2) Otherwise, if then n is said to be an Euler pseudoprime to the base a. The integer a is called an Euler liar (to primality) for n.

7. p7. 3. Example (Euler pseudoprime) Consider n = 91 (= 7x13) Since 9 45 =1 mod 91, and so 91 is an Euler pseudoprime to the base 9. 4. Fact At most Φ(n)/2 of all the numbers a, are Euler liars for n.

8. p8. 5. Algorithm ： Solovay-Strassen(n, t ) INPUT: n is odd, n ≧ 3, t ≧ 1 OUTPUT: “prime” or “composite” 1. for i = 1 to t do : 1.1 choose a random integer a, 2 ≦ a ≦ n-2 if gcd(a,n) ≠1 then return ( “composite” ) 1.2 compute r=a (n-1)/2 mod n (use square-and- multiply) if r ≠ 1 and r ≠ n-1 then return ( “composite” ) 1.3 compute Jacobi symbol s= if r ≠ s then return ( “composite” ) 2. return ( “prime” )

9. p9. 6. Solovay-Strassen error-probability bound For any odd composite integer n, the probability that Solovay-Strassen (n, t) declares n to be “prime” is less than (1/2) t

10. p10.  (3) Miller-Rabin primality test 1. Fact p : odd prime p-1 = 2 s r, where r is odd For a in Z p * then a r = 1 (mod p) or a 2 j r = -1 (mod p) for some j, 0 ≦ j ≦ s-1 Why ? (1) Fermat’s little theorem, a p-1 = 1 mod p (2) 1, -1 are the only two square roots of 1 in Z p *

11. p11. 2. Definition n : odd composite integer n-1 = 2 s r, where r is odd 1 ≦ a ≦ n-1 a is a strong witness to compositeness for n if a r ≠ 1 (mod n), and a 2 j r ≠ -1 (mod n) for all j, 0 ≦ j ≦ s-1 n is a strong pseudoprime to the base a if a r = 1 (mod n) or a 2 j r = -1 (mod n) for some j, 0 ≦ j ≦ s-1 (a is called a strong liar to primality for n)

12. p12. 3. Algorithm: Miller-Rabin (n, t ) INPUT: n is odd, n ≧ 3, t ≧ 1 OUTPUT: “prime” or “composite” 1. write n-1 = 2 s r such that r is odd. 2. for i = 1 to t do : 2.1 choose a random integer a, 2 ≦ a ≦ n-2 2.2 compute y=a r mod n (use square-and-multiply) 2.3 if y ≠ 1 and y ≠ n-1 do : j  1 while j ≦ s-1 and y ≠n-1 do : y  y 2 mod n if y = 1 then return ( “composite” ) j  j+1 if y ≠ n-1 then return ( “composite” ) 3. return ( “prime” )

13. p13. 4. Example (strong pseudoprime) Consider n = 91 (= 7x13) 91-1 = 2*45, s=1, r=45 Since 9 r = 9 45 =1 mod 91, 91 is a strong pseudoprime to the base 9. The set of all strong liars for 91 is {1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90} The number of strong liars of for 91 is 18 = Φ(91)/4

14. p14. 5. Fact If n is an odd composite integer, then at most ¼ of all the numbers a, 1 ≦ a ≦ n-1 are strong liars for n. In fact if n=!9, then number of strong liars for n is at most Φ(n)/4.

15. p15. 6. Miller-Rabin error-probability bound For any odd composite integer n, the probability that Miller-Rabin (n, t) declares n to be “prime” is less than (1/4) t 7. Remark For most composite integers n, the number of strong liars for n is actually much smaller than the upper bound of Φ(n)/4. Miller-Rabin error-probability bound is much smaller than (1/4) t.