Primality tests and Fermat factorization
The Solovay-Strassen and Miller-Rabin tests
Euler's theorem gives us a condition on a number n in order that it be prime: if n is prime then

$$b^{(n-1)/2} \equiv (b|n) \pmod n, \qquad (1)$$

for all b, where $(b|n)$ is the Jacobi symbol. Conversely, for each composite n formula (1) holds for at most 1/4 of all possible bases b.
In particular there are no analogs of Carmichael numbers for this test. Moreover, since the expressions
on both sides of (1) can be computed in polynomial time, we have the ingredients for an efficient,
probabilistic primality test, called the Solovay-Strassen test. Choose a random value of b and check
whether (1) is true for that particular b. If not, then n is definitely composite. If so, then we say that
n is an Euler pseudoprime to base b. Being an Euler pseudoprime for many values of b can be regarded
as some evidence that the number being tested is prime. If n is an Euler pseudoprime for k randomly
chosen bases b then the odds that n is really composite are less than 1 in $4^k$.
The Solovay-Strassen test is a refinement of the Fermat test, since when n is prime and b is not
divisible by n both sides of (1) square to 1 mod n. Since there are exactly two square roots of 1 modulo
a prime, the Solovay-Strassen test in essence checks that the two sides of Fermat's theorem have the
"correct" square root. The Miller-Rabin test is a variant of this idea. To apply this test, factor $n - 1$ as
$2^s t$, where t is odd, then compute $c = b^t \bmod n$, $c^2 \bmod n$, $(c^2)^2 \bmod n$, $\ldots$, $c^{2^s} \bmod n$. If this last value
is not 1, then n is composite. If it is, then the one before it must be $\pm 1 \bmod n$, unless n is composite. If
that value is $1 \bmod n$, then the one before it must again be $\pm 1 \bmod n$, unless n is composite. And so forth.
Actually, the algorithm proceeds in the other direction.
1. Factor $n - 1$ as $2^s t$, where t is odd.
2. Compute $c = b^t \bmod n$ and $c^2 \bmod n$.
3. If $c \not\equiv \pm 1 \pmod n$ but $c^2 \equiv 1 \pmod n$, n is composite. Otherwise replace c by $c^2 \bmod n$.
4. If you have repeated step 3 s times, skip to step 5. Otherwise, repeat step 3.
5. If $c \not\equiv 1 \pmod n$, n is composite. Otherwise n is a strong pseudoprime to base b.
Although this is apparently a probabilistic test, it would be deterministic if certain number-theoretic
conjectures prove to be true. Specifically, if the so-called Generalized Riemann Hypothesis is true, then
for each composite n there is at least one value of b less than $2(\log n)^2$ for which the Miller-Rabin
test will return the response "composite".
Even without such a result it turns out that in practice the Miller-Rabin test almost always detects
compositeness very quickly. In fact, even if we only apply the Miller-Rabin test with the four bases 2, 3,
5, and 7, then there is only one composite number less than $2.5 \times 10^{10}$ which will not be detected. (The
number is 3215031751.)
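As an added illustration (this code is not part of the notes), here is the single-base Solovay-Strassen check of condition (1) and the single-base Miller-Rabin test of steps 1-5, run against the composite 3215031751 mentioned above; the Jacobi symbol is computed by the standard quadratic-reciprocity loop, and Python's built-in `pow(b, e, n)` does the modular exponentiation.

```python
def jacobi(b, n):
    """Jacobi symbol (b|n) for odd n > 0, via quadratic reciprocity."""
    b %= n
    result = 1
    while b:
        while b % 2 == 0:          # (2|n) = -1 exactly when n = 3 or 5 mod 8
            b //= 2
            if n % 8 in (3, 5):
                result = -result
        b, n = n, b                # reciprocity: sign flips when both are 3 mod 4
        if b % 4 == 3 and n % 4 == 3:
            result = -result
        b %= n
    return result if n == 1 else 0

def solovay_strassen(n, b):
    """True iff odd n is an Euler pseudoprime to base b, i.e. (1) holds."""
    j = jacobi(b, n)
    return j != 0 and pow(b, (n - 1) // 2, n) == j % n

def miller_rabin(n, b):
    """True iff odd n is a strong pseudoprime to base b (steps 1-5 of the notes)."""
    s, t = 0, n - 1
    while t % 2 == 0:              # step 1: n - 1 = 2^s * t with t odd
        s += 1
        t //= 2
    c = pow(b, t, n)               # step 2: c = b^t mod n
    if c == 1 or c == n - 1:       # already +-1: every later square is 1
        return True
    for _ in range(s - 1):         # steps 3-4: keep squaring, watching for a
        c = c * c % n              # square root of 1 that is not +-1
        if c == n - 1:
            return True
        if c == 1:                 # the previous c was a nontrivial root of 1
            return False
    return False                   # step 5: c^(2^s) != 1, or a bad root was hit

def passing_bases(n, bases=(2, 3, 5, 7, 11)):
    """Bases to which n is a strong pseudoprime; a prime passes all of them."""
    return [b for b in bases if miller_rabin(n, b)]

if __name__ == "__main__":
    print(passing_bases(3215031751))   # [2, 3, 5, 7]: base 11 exposes it
```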
Fermat factorization
If it is relatively easy to assert primality with a high degree of confidence, how difficult is it to find a
factor of a number, with a low rate of failure? This appears to be rather difficult. So far the only known
general method for determining a factor of a composite number employs an idea of Fermat, and the best
implementation of this idea runs in superpolynomial time — that is, not $O((\log n)^k)$ for any k. We will
present a very brief description of this approach to factoring.
If n can be expressed as a difference of squares, then n can be factored: $s^2 - t^2 = ab$, where $a = s + t$
and $b = s - t$. Fermat observed that, if n is odd, the converse is true: $ab = s^2 - t^2$, where $s = (a + b)/2$
and $t = (a - b)/2$. So, for odd n the problem of factoring n and the problem of expressing n as a difference
of squares are equivalent. How does this help?
Trial division of n works quickly if n has a small prime factor. If n has only large factors then
perhaps two of these, say a and b, are close. In this case $t = (a - b)/2$ is small, and $s = \sqrt{n + t^2}$ is only
slightly bigger than $\sqrt{n}$. Perhaps we can find it quickly. To do this, compute $r = \lceil \sqrt{n} \rceil$, and examine
the following candidates for s: $r, r + 1, r + 2, r + 3, \ldots$. If, for any of these values, $s^2 - n$ is a perfect
square, then call its square root t, and you have accomplished a Fermat factorization: $n = (s + t)(s - t)$.
For example, suppose we try to factor n = 200819. We compute r = 449. Consider $449^2 - 200819 = 782$:
not a square. What about $450^2 - 200819 = 1681$? This is $41^2$, and so $200819 = (450 + 41)(450 - 41)$.
Now we try to factor n = 141467. The first several values of $\lceil \sqrt{n} \rceil + k$ all give
nonsquares, and so for grins we try $\lceil \sqrt{3n} \rceil + k$. (After all, if we can factor 3n completely then we can
factor n.) For the fourth value, 655, we find that $655^2 - 3 \cdot 141467 = 68^2$. In other words, $655^2 - 68^2 = (655 + 68)(655 - 68) \equiv 0 \pmod n$, and so $655 \pm 68$ has factors in common with n. Indeed, $\gcd(655 + 68, n) = 241$.
We have succeeded in finding a nontrivial factor of n.
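The search just described, as an added example that is not part of the notes: `fermat_factor` walks the candidates $s = \lceil \sqrt{kn} \rceil + i$, with the multiplier k (k = 3 in the second example above) handled by taking $\gcd(s + t, n)$ rather than reading off $s \pm t$ directly, and also reports how many candidates were examined so the effect of the multiplier on the two numbers from the notes is visible.

```python
from math import gcd, isqrt

def fermat_factor(n, k=1, max_steps=100_000):
    """Try s = ceil(sqrt(k*n)) + i for i = 0, 1, 2, ... until s^2 - k*n is a
    perfect square t^2, so that (s + t)(s - t) == 0 mod n.  Returns
    (gcd(s + t, n), number of candidates examined), or None on budget exhaustion."""
    m = k * n
    s = isqrt(m)
    if s * s < m:                    # r = ceil(sqrt(k n))
        s += 1
    for tried in range(1, max_steps + 1):
        d = s * s - m
        t = isqrt(d)
        if t * t == d:               # s^2 - kn = t^2
            g = gcd(s + t, n)
            if 1 < g < n:            # for k > 1 a hit can still be trivial mod n
                return g, tried
        s += 1
    return None

if __name__ == "__main__":
    print(fermat_factor(200819))         # (491, 2)
    print(fermat_factor(141467))         # (587, 38): 38 candidates without the multiplier
    print(fermat_factor(141467, k=3))    # (241, 4): the fourth candidate, 655, as in the notes
```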
This last example illustrates the general strategy of the Fermat method: try to find s and t such
that $s^2 - t^2 \equiv 0 \pmod n$. One way to organize the search for such s and t is to use factor bases. In this
approach, we fix a finite list of primes $B = \{p_1, \ldots, p_k\}$ and search for a sequence of values $b_i$ whose
squares mod n can be factored completely using only primes in B:

$$b_i^2 \bmod n = \prod_{j=1}^{k} p_j^{e_{ij}}.$$

If B is small, then for each $b_i$ it is fast to determine whether such a factorization exists. When we have
enough of these $b_i$ we will choose some of them and multiply these together so that the product of the
corresponding $b_i^2 \bmod n$ has a factorization with only even powers of primes. We will thus have found
two squares which are equivalent mod n.
In slightly more detail, suppose we have factored many quadratic residues $b_i^2 \bmod n$, as above. If we
choose some of the $b_i$ and multiply these together we obtain the congruence

$$b_{i_1}^2 \cdots b_{i_\ell}^2 \equiv p_1^{f_1} \cdots p_k^{f_k} \pmod n, \qquad \text{where } f_j = e_{i_1 j} + \cdots + e_{i_\ell j}.$$

The right-hand side of this congruence is a square precisely when the vector $\vec{f}$ consists entirely of even
numbers — in other words, in the matrix $[e_{ij} \bmod 2]$ the rows $i_1, \ldots, i_\ell$ are linearly dependent (over
$\mathbb{Z}/2$). Hence we have enough quadratic residues when this matrix has more rows than columns.
We will do an example after we have learned how to generate lots of $b_i$ with "small" quadratic residues.
One final remark. Since we are trying to find as many easily factorable quadratic residues $b_i^2 \bmod n$
as possible, it makes sense to take the smallest possible residue — the "least absolute residue". For this
algorithm "$x \bmod y$" will mean the unique residue of x in the interval $(-y/2, y/2]$. This implies that we
will have to expand our factor base, setting $p_0 = -1$.
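The factor-base strategy of the last three paragraphs, as an added example that is not part of the notes: residues are taken as least absolute residues with $p_0 = -1$, each relation's row of $[e_{ij} \bmod 2]$ is reduced over $\mathbb{Z}/2$ as it arrives, and the first dependency whose two squares give a nontrivial gcd is reported. The choice $b_i = \lceil \sqrt{n} \rceil + i$ and the sample modulus 1649 (a constructed value, equal to 17 times 97) are assumptions of this example, since the notes defer how the $b_i$ are generated.

```python
from math import gcd, isqrt

def least_abs_residue(x, n):
    """x mod n in the notes' sense: the representative in (-n/2, n/2]."""
    r = x % n
    return r - n if r > n // 2 else r

def smooth_exponents(r, base):
    """Exponent vector of r over p0 = -1 and the primes in base,
    or None when r does not factor completely over them."""
    exps = [1 if r < 0 else 0]
    r = abs(r)
    for p in base:
        e = 0
        while r % p == 0:
            r //= p
            e += 1
        exps.append(e)
    return exps if r == 1 else None

def factor_base_factor(n, base, max_b=100_000):
    """Collect smooth relations, eliminate over Z/2 as they arrive, take gcds."""
    rows, pivots = [], {}             # (b, exps) relations; pivot col -> (vec, mask)
    for b in range(isqrt(n) + 1, max_b):
        exps = smooth_exponents(least_abs_residue(b * b, n), base)
        if exps is None:
            continue
        rows.append((b, exps))
        vec = sum((e % 2) << j for j, e in enumerate(exps))   # row of [e_ij mod 2]
        mask = 1 << (len(rows) - 1)   # which relations this row is a sum of
        while vec:                    # reduce against the pivots found so far
            col = vec.bit_length() - 1
            if col not in pivots:
                pivots[col] = (vec, mask)
                break
            vec, mask = vec ^ pivots[col][0], mask ^ pivots[col][1]
        if vec:
            continue                  # independent row: no dependency yet
        idx = [i for i in range(len(rows)) if mask >> i & 1]
        x = 1                         # x = b_{i_1} ... b_{i_l} mod n
        for i in idx:
            x = x * rows[i][0] % n
        y = 1                         # y = prod p_j^(f_j / 2) mod n (f_0 is even)
        for j, p in enumerate(base, 1):
            y = y * pow(p, sum(rows[i][1][j] for i in idx) // 2, n) % n
        for g in (gcd(x - y, n), gcd(x + y, n)):
            if 1 < g < n:
                return g
    return None
```

For n = 1649 and B = {2, 3, 5} the relations from $b = 41$ and $b = 43$ already form a dependency, and `factor_base_factor(1649, [2, 3, 5])` returns 17.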