Download 13.21. Wilson`s Primality Test威尔逊判别法

Study started since 2011 年 10 月 17 日
素性测试算法，素性测定(11Y11) primality testing
Bachelor semester project Randomized and Deterministic Primality Testing.pdf
1.
2.
3.
10
Quotes from Renowned Mathematicians ................................................................................. 8
Keyword .................................................................................................................................. 10
Introduction ............................................................................................................................ 12
3.1.
The Aim of Thesis .................................................................................................... 12
3.2.
The Scope of Thesis ................................................................................................. 12
3.3.
Research Hierarchical Diagram................................................................................ 12
4. Related Math Branches or Sub-Disciples................................................................................. 13
5. Presentation Styles .................................................................................................................. 13
6. Structure of Writing ................................................................................................................ 15
7. Styles ....................................................................................................................................... 18
8. Definitions. Terminology, Signs and Symbols .......................................................................... 19
8.1.
Alphabets and Signs ............................................................................................. 19
8.1.1.
Latin ................................................................................................................. 19
8.1.2.
Greek ............................................................................................................... 19
8.1.3.
Hebrew ............................................................................................................ 20
8.1.4.
Russian ............................................................................................................ 20
8.2.
Nomenclature ......................................................................................................... 20
8.3.
Notation .................................................................................................................. 20
8.4.
Definitions ............................................................................................................... 22
8.5.
List of theorems, formulars and equations ............................................................. 22
8.6.
List of abbreviations ................................................................................................ 22
8.7.
List of people mentioned in the book ..................................................................... 22
8.8.
Index ........................................................................................................................ 22
8.9.
Explanations ............................................................................................................ 23
8.10.
Fonts ........................................................................................................................ 23
8.11.
List of symbols ......................................................................................................... 23
8.12.
Sub and super scripts .............................................................................................. 23
8.13.
Marks....................................................................................................................... 24
8.14.
词冠??? ................................................................................................................... 24
8.15.
UNITS ....................................................................................................................... 24
8.16.
Units designation ..................................................................................................... 24
8.17.
Constants ................................................................................................................. 24
9. Comparisons of Algorithm ...................................................................................................... 26
10.
Intro ................................................................................................................................. 26
10.1.
TOC for Introduction to Algorithms ......................................................................... 26
11.
Recent developments in primality testing....................................................................... 31
11.1.
Recent developments in primality testing............................................................... 31
12.
Comparison / Benchmarking for Primality Testing .......................................................... 32
12.1.
Comparison study for Primality testing using Mathematica ................................... 32
13.
Deterministic Primality Testing........................................................................................ 33
13.1.
AKS primality test .................................................................................................... 33
13.2.
APR - Adleman–Pomerance–Rumely primality test ............................................ 33
13.3.
Atkin sieve ............................................................................................................... 34
13.3.1. Contents .......................................................................................................... 35
13.3.2. Algorithm......................................................................................................... 35
13.3.3. Pseudocode ..................................................................................................... 36
13.3.4. Explanation ...................................................................................................... 37
13.3.5. Computational complexity .............................................................................. 37
13.3.6. See also ........................................................................................................... 37
13.3.7. References ....................................................................................................... 38
13.4.
Bhattacharjee and Pandey ...................................................................................... 38
13.5.
Brillhart, Lehmer, Selfridge Test based on Lucas Test .............................................. 40
13.6.
Cyclotomic Deterministic Primality Test Cyclotomy ................................................ 40
13.7.
Demytko deterministic primality test method ........................................................ 40
13.8.
Elliptic curve methods ............................................................................................. 41
13.9.
Eratosthenes Sieve .................................................................................................. 41
13.9.1. Contents .......................................................................................................... 43
13.9.2. Algorithm description...................................................................................... 43
13.9.3. Example ........................................................................................................... 45
13.9.4. Algorithm complexity ...................................................................................... 45
13.9.5. Implementation ............................................................................................... 46
13.9.6. Arithmetic progressions .................................................................................. 46
13.9.7. Euler's sieve ..................................................................................................... 46
13.9.8. See also ........................................................................................................... 47
13.9.9. References ....................................................................................................... 47
13.10. Goldwasser Kilian Algorithm ................................................................................... 47
13.11. Jacobi Sums ............................................................................................................. 48
13.12. Lucas 素性测定算法 ............................................................................................... 48
13.12.1.
Contents .................................................................................................. 49
13.12.2.
Concepts .................................................................................................. 49
13.12.3.
Example ................................................................................................... 50
13.12.4.
Algorithm................................................................................................. 51
13.12.5.
See also.................................................................................................... 51
13.13. Lucas-Lehmer 测试 ................................................................................................. 51
13.13.1.
梅森素数判定算法 Lucas-Lehmer 测试................................................. 52
13.13.2.
Contents .................................................................................................. 53
13.13.3.
The test.................................................................................................... 53
13.13.4.
Time complexity ...................................................................................... 54
13.13.5.
Examples.................................................................................................. 55
13.13.6.
13.13.7.
13.13.8.
Proof of correctness ................................................................................ 56
Applications ............................................................................................. 60
See also.................................................................................................... 60
13.14. Lucas–Lehmer–Riesel .......................................................................................... 60
13.14.1.
Contents .................................................................................................. 61
13.14.2.
The algorithm .......................................................................................... 61
13.14.3.
Finding the starting value ........................................................................ 61
13.14.4.
How does the test work?......................................................................... 61
13.14.5.
LLR software ............................................................................................ 62
13.14.6.
References ............................................................................................... 62
13.14.7.
External links ........................................................................................... 62
13.14.8.
推广的 Lucas 型素性测定算法 .............................................................. 63
13.14.9.
Massey–Omura–Kryptosystem ............................................................ 63
13.15. Miller-Primzahltest .................................................................................................. 63
13.16. Pocklington Lehmer primality test .......................................................................... 63
13.16.1.
Contents .................................................................................................. 64
13.16.2.
Pocklington criterion ............................................................................... 64
13.16.3.
Generalized Pocklington method ............................................................ 66
13.16.4.
The test.................................................................................................... 67
13.16.5.
Example ................................................................................................... 67
13.17. Proth deterministic primality test method.............................................................. 68
13.18. Sundaram sieve ....................................................................................................... 69
13.18.1.
Contents .................................................................................................. 69
13.18.2.
Algorithm................................................................................................. 69
13.18.3.
Correctness.............................................................................................. 70
13.18.4.
Computational complexity ...................................................................... 70
13.18.5.
See also.................................................................................................... 70
13.18.6.
References ............................................................................................... 71
13.19. Trial division ............................................................................................................ 71
13.20. Ward’s primality test ............................................................................................ 71
13.21. Wilson's Primality Test 威尔逊判别法 ................................................................... 71
14.
Randomized /Probabilistic/ Probable / Provable / Primality Testing .............................. 73
14.1.
Adelman-Huang algorithm ...................................................................................... 73
14.2.
Agrawal-Biswas algorithm or Agarwal-Biswas Probabilistic Testing ........................ 74
14.3.
AKS parallel sorting algorithm of Ajtai, Koml´os and Szemer´edi .......................... 75
14.4.
ALI primality test ..................................................................................................... 75
14.5.
APR Test ................................................................................................................... 75
14.6.
APRT-CL (or APRCL) ................................................................................................. 75
14.7.
素性测试的 ARCL 算法........................................................................................... 75
14.8.
Baillie–PSW ........................................................................................................... 76
14.9.
BPP algorithm .......................................................................................................... 77
14.10. Baillie and Wagstaff Method ................................................................................... 78
14.11. Chen--Kao and Lewin--Vadhan tests ....................................................................... 79
14.12. Chinese Primality Test ............................................................................................. 79
14.13. Chinese Remaindering............................................................................................. 79
14.14. Cohen-Lenstra Method ........................................................................................... 80
14.15. Colin Plumb primality test (Euler Criterion) ............................................................ 80
14.16. Combination Algorithm ........................................................................................... 80
14.17. Cyclotomic Probabilistic Primality Test.................................................................... 81
14.18. ECPP Elliptic Curve Primality Proving ...................................................................... 81
14.19. Elliptic Curve Primality Testing ................................................................................ 82
14.19.1.
Proposition .............................................................................................. 83
14.19.2.
Proof ........................................................................................................ 83
14.19.3.
14.19.4.
Goldwasser–Kilian algorithm ................................................................ 84
Problems with the algorithm................................................................... 85
14.19.5.
14.19.6.
14.19.7.
14.19.8.
Atkin–Morain elliptic curve primality test (ECPP) ................................. 85
The test.................................................................................................... 86
Complex multiplication method .............................................................. 87
Discussion ................................................................................................ 87
14.19.9.
Example of Atkin–Morain ECPP ............................................................. 88
14.19.10.
Complexity and running times ................................................................ 89
14.19.11.
Conjecture ............................................................................................... 89
14.19.12.
Conjecture 2 ............................................................................................ 90
14.19.13.
Primes of special form ............................................................................. 90
14.19.14.
Group structure of E(FN) .......................................................................... 91
14.19.15.
Theorem 1 ............................................................................................... 91
14.19.16.
Theorem 2 ............................................................................................... 91
14.19.17.
Theorem 3 ............................................................................................... 91
14.19.18.
Theorem 4 ............................................................................................... 91
14.19.19.
The algorithm .......................................................................................... 92
14.19.20.
Justification of the algorithm .................................................................. 93
14.19.21.
References ............................................................................................... 93
14.20. Demytko .................................................................................................................. 93
14.21. Euler Test ................................................................................................................. 94
14.22. Fermat 素性测试 .................................................................................................... 94
14.22.1.
Contents .................................................................................................. 95
14.22.2.
Concept ................................................................................................... 95
14.22.3.
Example ................................................................................................... 96
14.22.4.
Algorithm and running time .................................................................... 96
14.22.5.
Flaw ......................................................................................................... 96
14.22.6.
Applications ............................................................................................. 97
14.23. Fermat-Euler............................................................................................................ 98
14.24. Frobenius pseudoprimality test .............................................................................. 98
14.25. Goldwasser Kilian Algorithm ................................................................................... 98
14.26. Gordon‟s algorithm ................................................................................................ 98
14.27. 雅克比和素性判别方法 ......................................................................................... 98
14.28. Konyagin – Pomerance n-1 Test .......................................................................... 99
14.29. Lehmann.................................................................................................................. 99
14.30. Maurer‟s algorithm .............................................................................................. 100
14.31. Miller-Rabin / Rabin-Miller 素性测试算法 Miller-Rabin Compositeness Test ..... 101
14.31.1.
快速判定素数-----Miller-Rabin 算法 .................................................... 101
14.31.2.
Miller-Rabin Algorithm .......................................................................... 102
14.31.3.
Miller-Rabbin 素性测试[ZJUT1517]...................................................... 103
14.31.4.
Rabin-Miller ........................................................................................... 105
14.31.5.
Contents ................................................................................................ 106
14.31.6.
Concepts ................................................................................................ 106
14.31.7.
Example ................................................................................................. 108
14.31.8.
Algorithm and running time .................................................................. 109
14.31.9.
Accuracy of the test ............................................................................... 109
14.31.10.
Deterministic variants of the test .......................................................... 110
14.31.11.
Notes ..................................................................................................... 111
14.32. MONTE CARLO PRIMALITY TESTS .......................................................................... 111
14.32.1.
A NOTE ON MONTE CARLO PRIMALITY TESTS AND ALGORITHMIC
INFORMATION THEORY ................................................................................................. 112
14.33. Pépin's ................................................................................................................... 112
14.33.1.
Contents ................................................................................................ 113
14.33.2.
Description of the test ........................................................................... 113
14.33.3.
Proof of correctness .............................................................................. 113
14.33.4.
References ............................................................................................. 114
14.34. Proth's theorem .................................................................................................... 114
14.34.1.
Contents ................................................................................................ 115
14.34.2.
Numerical examples .............................................................................. 115
14.34.3.
History ................................................................................................... 116
14.34.4.
See also.................................................................................................. 116
14.34.5.
References ............................................................................................. 116
14.35. Random Quadratic Frobenius Test (RQFT) ............................................................ 117
14.36. Solovay- Strassen 算法 .......................................................................................... 117
14.36.1.
Solovay-Strassen primality test. ............................................................ 117
14.36.2.
Solovag-Strasson ................................................................................... 118
14.36.3.
Contents ................................................................................................ 119
14.36.4.
Concepts ................................................................................................ 119
14.36.5.
Example ................................................................................................. 120
14.36.6.
Algorithm and running time .................................................................. 120
14.36.7.
Accuracy of the test ............................................................................... 121
14.36.8.
Average-case behaviour ........................................................................ 122
14.36.9.
Complexity............................................................................................. 122
14.37. Square Root Compositeness Theorem .................................................................. 122
14.38. Schwartz--Zippel test............................................................................................. 123
15.
Papers of Others ............................................................................................................ 124
15.1.
素性检测算法研究及其在现代密码学中的应用 ............................................... 124
16.
Math Tools ..................................................................................................................... 127
16.1.
Axiom .................................................................................................................... 127
17.
18.
19.
20.
16.2.
Bignum .................................................................................................................. 127
16.3.
Derive .................................................................................................................... 127
16.4.
GMP Library........................................................................................................... 127
16.5.
GNU Octave ........................................................................................................... 127
16.6.
Kant ....................................................................................................................... 127
16.7.
LiDIA ...................................................................................................................... 128
16.8.
Lisp ........................................................................................................................ 128
16.9.
Macsyma ............................................................................................................... 128
16.10. Magma .................................................................................................................. 128
16.11. Maple .................................................................................................................... 128
16.12. MathCad ................................................................................................................ 128
16.13. Mathematica ......................................................................................................... 129
16.14. Matlab ................................................................................................................... 129
16.15. Maxima.................................................................................................................. 129
16.16. MIRACL .................................................................................................................. 129
16.17. MuPAD................................................................................................................... 129
16.18. NTL library ............................................................................................................. 129
16.19. OpenMP ................................................................................................................ 130
16.20. Pari -GP.................................................................................................................. 130
16.21. Reduce ................................................................................................................... 130
16.22. Sage ....................................................................................................................... 130
16.23. Simath ................................................................................................................... 130
16.24. Ubasic .................................................................................................................... 131
COMPARISONS .............................................................................................................. 131
MY IDEAS FOR FURTHER IMPROVEMENT OF COMPLEXITY .......................................... 131
RESOURCES ................................................................................................................... 132
19.1.
MAJOR NUMBER THEORISTS................................................................................. 132
19.2.
KEY UNIVERSITIES .................................................................................................. 132
19.3.
KEY RESEARCH INSTITUTIONS ............................................................................... 132
19.4.
SEMINARS, SYMPOSIUMS, WORKSHOPS FORUMS ............................................... 132
19.5.
JOURNALS.............................................................................................................. 132
19.6.
ACADEMIC WEB RESOURCES ................................................................................ 132
LITERATURE –PRIMALITY ............................................................................................ 133
20.1.
BOOKS (BK) ............................................................................................................ 133
20.2.
LECTURE SCRIPTS .................................................................................................. 133
20.3.
THESES FOR POSTDOC, PHD, MASTER AND BACHELOR DEGREES (PDT, DT,MT,BT)
133
20.3.1. BT- Bachelor Thesis ........................................................................................ 133
20.3.2. MT – Master Thesis ................................................................................... 133
20.3.3. ST - Senior Thesis........................................................................................... 133
20.4.
GENERAL PAPER (GP) ............................................................................................ 133
20.5.
COLLECTIONS OF PAPERS ...................................................................................... 133
20.6.
PRESENTATIONS/SLIDES AT SEMINARS.................................................................. 133
20.7.
OTHER PAPERS....................................................................................................... 133
20.8.
PROPOSALS / SUGGESTIONS ................................................................................. 133
LITERATURE – OTHER RELATED ................................................................................. 134
21.1.
ALGEBRA................................................................................................................ 134
21.2.
NUMBER THEORY .................................................................................................. 134
21.3.
COMPUTER COMPLEXITY ...................................................................................... 134
21.4.
COMPLEX ANALYSIS / FUNCTIONS ........................................................................ 134
21.5.
Cryptography ......................................................................................................... 134
22.
APPENDICES .................................................................................................................. 134
22.1.
CHARTS .................................................................................................................. 135
22.2.
TABLES ................................................................................................................... 135
22.3.
DATABASES ............................................................................................................ 135
22.4.
MULTIMEDIA DATA ................................................................................................ 135
22.5.
COMPUTATION CODES .......................................................................................... 135
22.6.
WEBSITE FOR THIS THESIS ..................................................................................... 135
21.
1. Quotes from Renowned Mathematicians
Disquisitiones arithmeticae
”
Dass die Aufgabe, die Primzahlen von den zusammengesetzten zu unterscheiden [. . . ] zu den
wichtigsten und n¨utzlichsten der gesamten Arithmetik geh¨ort [. . . ] ist so bekannt, dass
es ¨uberfl¨ussig w¨are, hier ¨uber viele Worte zu verlieren. “
Carl Friedrich Gauß (1801)
Carl Friedrich Gauß (1777{1855):
"Zahlentheorie ist die Königin der Mathematik.
Mathematics is the queen of sciences and arithmetic the queen of mathematics
Carl Friedrich Gauss
The problem of distinguishing prime numbers from composite numbers and of resolving the
latter into their prime factors is known to be one of the most important and useful in arithmetic.
(. . . ) Further, the dignity of the science itself seems to require that every possible means be
explored for the solution of a problem so elegant and so celebrated problem be zealously
cultivated.
Carl Friedrich Gauss
« Le problème où l’on se propose de distinguer les nombres premiers des nombres composés,
et
de résoudre ceux-ci en leurs facteurs premiers, est connu comme l’un des plus importants et des
plus utiles de toute l’Arithmétique ; il a sollicité l’industrie et la sagacité des géomètres tant
anciens que modernes, à un point tel qu’il serait superflu de discuter en détail à cet égard.
[. . . ]
« De surcroît, la dignité de la science même semble demander que tous les secours possibles
soient explorés avec soin pour parvenir à la solution d’un problème si élégant et si célèbre. »
« Problema, numeros primos a compositis dignoscendi, hosque in factores suos primos
resoluendi,
ad grauissima ac utilissima totius Arithmeticæ pertinere, et geometrarum tum ueterum tum
recentiorum
industriam ac sagacitatem occupauisse, tam notum est, ut de hac re copiose loqui superfluum
foret. [. . . ]
« Prætereaque scientiæ dignitas requirere uidetur, ut omnia subsidia ad solutionem problematis
tam elegantis ac celebris sedulo excolantur. »
Disquisitiones Arithmeticæ
de Gauß est, dans le texte latin :
Johann Carl Friedrich Gauß, Disquisitiones Arithmeticæ, 329.
2. Keyword
素性测试算法
素性测定 page
primality prime
Prime number
testing test prove
proving
Primzahltests
test de primalité
nombres premiers
Πρώτοι αριθμοί
δοκιμές αριθμό
проверки простоты чисел
Randomized (Probalistic) Provable Primality Testing
Deterministic Primality Testing
AKS Primality testing
AKS Primality test
AKS Prime testing
AKS Prime test
AKS Primzahltests
AKS test de primalité
nombres premiers
Le test de primalité AKS
AKS δοκιμές αριθμό
AKS проверки простоты чисел
Prime number
3. Introduction
3.1. The Aim of Thesis
3.2. The Scope of Thesis
3.3. Research Hierarchical Diagram
4. Related Math Branches or Sub-Disciples
5. Presentation Styles
用各种 IT 技术
Interactive
Short texts
Electronically available only
Electronic formats
Strictly local yet
Easy to read even for laymen and like lovestory
Use as much as drawings, pictures.animations as possible to accompany or replace texts
Pictures
Drawings 图 三维图标
表
Graphs
Charts
Pies
SLIDES
PPT
Flash SWF Slides
OTHER FORMS OF SLIDES
EBOOKS IN CHM, HLP, EXE OR OTHERS
Movies and Animations
3D
VRML
FLASH MOVIES
web audio and video
streaming
QUICKTIME
REALMEDIA
WINDOWSMEDIA
WEB PORTAL
web incl web2.0
html
php
java
SOFTWARE
DATABASE
MOBILE AND HANDHELD DEVICES
DVD/VCDS
USB
网络多媒体
multimedia)
6. Structure of Writing
Newton or Euclid styles
Give every definiyion, axiom, proposition, theorem, corrolary etc a serial number and a name
conventions or notations
Common Notions
Πρώτοι Αριθμοί
Definitions
Terms
Terminology
Etymology
Encyclopedia
Glossary
Lexicon
Nomenclature
Abbreviations
List of Symbols
Index
Axiom
Principles
Assertion
Assumptions
Hypothesis
Conjecture
Suggestion
Common Notions
Fact
Proposition
If we can prove a statement true, then that statement is called a proposition.
a proposition is a less important or less fundamental assertion,
Predicates
Theory
Laws
Lemma
If a theorem is not particularly interesting, but is useful in proving an interesting statement,
then it’s often called a lemma. This one is found in Euclid’s Elements.
Sometimes instead of proving a theorem or proposition all at once, we break the proof down into
modules; that is, we prove several supporting propositions, which are called lemmas, and use the
results of these propositions to prove the main result.
a lemma is something that we will use later in this book to prove a proposition or theorem,
Statement
Rules
Porism
Theorem
A proposition of major importance is called a theorem.
a theorem is a deeper culmination of ideas,
A theorem is a valid implication of sufficient interest to warrant special attention.
If we can prove a proposition or a theorem, we will often, with very little effort, be able to derive
other related propositions called corollaries.
a corollary is an easy consequence of a proposition, theorem, or lemma.
Collonary
A corollary is a theorem that logically follows very simply from a theorem. A corollary is a
theorem that logically follows very simply from a theorem. Sometimes it follows from part of the
proof of a theorem rather than from the statement of the theorem. In any case, it should be easy
to
see why it’s true.
Collonary
A corollary is a theorem that logically follows very simply from a theorem. A corollary is a
theorem that logically follows very simply from a theorem. Sometimes it follows from part of the
proof of a theorem rather than from the statement of the theorem. In any case, it should be easy
to
see why it’s true.
Postulations
Scholium
Conclusions
Consequence
Comment
Remark
Observation
Claim
Proof
Equations
Formulas
Note
Caveat
Thesis
Conics
Literature Reference / Bibliography
 Books
 Databases
 Multimedia
 Websites

 Theses
 Proceedings
 Papers
 Presentations/Slides
7. Styles
Use as much as drawings, pictures.animations as possible to accompany or replace texts
Every definition shall be expressed in bold letters
8. Definitions. Terminology, Signs and
Symbols
燃烧界和燃烧污染控制领域存在许多混乱的说法，应该避免
任何科学都从概念开始。
术语名辞定语 Nomenclature 或 List of symbols
Definitions
Assertion
Hypothesis
Terms
Terminology
8.1. Alphabets
and Signs
详细规划和说明下列字母的意义和用途：拉丁字母，希腊字母，俄文字母和希伯来字母。
同时要符合国内外学术界的惯例和习惯，又要强调概念清晰，唯一，统一，易于理解和明确。
花体字母
空心体字母
重体字母
斜体字母
8.1.1. Latin
8.1.2. Greek
8.1.3. Hebrew
8.1.4. Russian
8.2. Nomenclature
Nomenclature is a term that applies to either a list of names or terms, or to the system of
principles, procedures and terms related to naming—which is the assigning of a word or phrase
to a particular object, event, or property. The principles of naming vary from the relatively
informal conventions of everyday speech to the internationally-agreed principles, rules and
recommendations that govern the formation and use of the specialist terms used in scientific and
other disciplines. ... nomenclature concerns itself more with the rules and conventions that are
used for the formation of names (wikipedia)
8.3. Notation
We will use
to denote the base 2 logarithm instead of
logarithms and natural logarithms will be denoted as
n and
or lgn. Base 10
respectively.
The notation ord r (a) represents the order of a modulo r, which is the smallest positive integer k,
such that
1(modr).
The notation  (r) will be used to represent Euler’s totient function, which is defined as the
number of positive integers less than or equal to r that are relatively prime to r.
The notation f(x) ≡g(x)mod(h(x),p) is used throughout to mean that f(x)=g(x) in the ring
Zp[x]/(h(x)). In some cases, p will be prime and will have degree d and be irreducible in Zp(x), so
that Zp[x]/(h(x)).will be a finite field of order
.
Notation: p(x) ≡ q(x) mod (h(x), n) means that h(x)|p(x) − q(x) all coefficients are taken
modulo n
Time complexity functions will be written in “big-O” notation. A function f(x) is considered to
be O (g(x))(pronounced “big-oh of g”) if given some function g(x) there exists a constant c such
that |f(x)|≤c|g (x)|⋅ for all values of x 0, where x is defined to be the binary input length of n.
The function M(n) will be used to represent the time complexity function for multiplication.
8.4. Definitions
Diophantine equation
Euclidean Algorithm Extended Euclid Algorithm
The greatest common divisor GCD (or greatest common factor GCF)
8.5. List of theorems, formulars and equations
8.6. List of abbreviations
8.7. List of people mentioned in the book
8.8. Index
8.9. Explanations
8.10. Fonts
italic: for scalers;
Bold italic: for vectors in D-dimensional vector space, D = 1, 2, 3;
Boldface: for vectors in Rb ;
Sans serif: for operators or second rank tensors (matrices);
Bold sans serif: for matrices with vector/tensor elements;
BLA C K B O A RD BO LD : for vector space.
8.11. List of symbols
8.12. Sub and super scripts
8.13. Marks
@↑↓
≈≠≡⌂∩∑∏ ≈∵∴⊥∥≌∽∈
8.14. 词冠???
10 12 Τ Τερα 核 10 9 Giga
京 10 -9 Nano 钎 10 -12 Pico
8.15. UNITS
8.16. Units designation
Atm BYU bar etc
8.17. Constants
9. Comparisons of Algorithm
Available software such as Maple, Mathmatica in computing primality tests
Different high level computer languages such as C/C++, Java
Low-level languages such as assembly
Machine languages
Different Oss such as Windows, Linux, BSD
Software available
Plarforms available
10. Intro
10.1. TOC for Introduction to Algorithms
Table of Contents
Preface
I Foundations
1 The Role of Algorithms in Computing
1.1 Algorithms
1.2 Algorithms as a technology
2 Getting Started
2.1 Insertion sort
2.2 Analyzing algorithms
2.3 Designing Algorithms
3 Growth of Functions
3.1 Asymptotic notation
3.2 Standard notations and common functions
4 Recurrences
4.1 The substitution method
4.2 The recursion-tree method
4.3 The master method
4.4 Proof of the master theorem
5 Probabilistic Analysis and Randomized Algorithms
5.1 The hiring problem
5.2 Indicator random variables
5.3 Randomized algorithms
5.4 Probabilistic analysis and further uses of indicator random variables
II Sorting and Order Statistics
6 Heapsort
6.1 Heaps
6.2 Maintaining the heap property
6.3 Building a heap
6.4 The heapsort algorithm
6.5 Priority queues
7 Quicksort
7.1 Description of quicksort
7.2 Performance of quicksort
7.3 Randomized versions of quicksort
7.4 Analysis of quicksort
8 Sorting in Linear Time
8.1 Lower bounds for sorting
8.2 Counting sort
8.3 Radix sort
8.4 Bucket sort
9 Medians and Order Statistics
9.1 Minimum and maximum
9.2 Selection in expected linear time
9.3 Selection in worst-case linear time
III Data Structures
10 Elementary Data Structures
10.1 Stacks and queues
10.2 Linked lists
10.3 Implementing pointers and objects
10.4 Representing rooted trees
11 Hash Tables
11.1 Direct-address tables
11.2 Hash tables
11.3 Hash functions
11.4 Open addressing
11.5 Perfect hashing
12 Binary Search Trees
12.1 What is a binary search tree?
12.2 Querying a binary search tree
12.3 Insertion and deletion
12.4 Randomly built binary search trees
13 Red-Black Trees
13.1 Properties of red-black trees
13.2 Rotations
13.3 Insertion
13.4 Deletion
14 Augmenting Data Structures
14.1 Dynamic order statistics
14.2 How to augment a data structure
14.3 Interval trees
IV Advanced Design and Analysis Technique
15 Dynamic Programming
15.1 Assembly-line scheduling
15.2 Matrix-chain multiplication
15.3 Elements of dynamic programming
15.4 Longest common subsequence
15.5 Optimal binary search trees
16 Greedy Algorithms
16.1 An activity-selection problem
16.2 Elements of the greedy strategy
16.3 Huffman codes
16.4 Theoretical foundations for greedy methods
16.5 A task-scheduling problem
17 Amortized Analysis
17.1 Aggregate analysis
17.2 The accounting method
17.3 The potential method
17.4 Dynamic tables
V Advanced Data Structures
18 B-Trees
18.1 Definition of B-trees
18.2 Basic operations on B-trees
18.3 Deleting a key from a B-tree
19 Binomial Heaps
19.1 Binomial trees and binomial heaps
19.2 Operations on binomial heaps
20 Fibonacci Heaps
20.1 Structure of Fibonacci heaps
20.2 Mergeable-heap operations
20.3 Decreasing a key and deleting a node
20.4 Bounding the maximum degree
21 Data Structures for Disjoint Sets
21.1 Disjoint-set operations
21.2 Linked-list representation of disjoint sets
21.3 Disjoint-set forests
21.4 Analysis of union by rank with path compression
VI Graph Algorithms
22 Elementary Graph Algorithms
22.1 Representations of graphs
22.2 Breadth-first search
22.3 Depth-first search
22.4 Topological sort
22.5 Strongly connected components
23 Minimum Spanning Trees
23.1 Growing a minimum spanning tree
23.2 The algorithms of Kruskal and Prim
24 Single-Source Shortest Paths
24.1 The Bellman-Ford algorithm
24.2 Single-source shortest paths in directed acyclic graphs
24.3 Dijkstra's algorithm
24.4 Difference constraints and shortest paths
24.5 Proofs of shortest-paths properties
25 All-Pairs Shortest Paths
25.1 Shortest paths and matrix multiplication
25.2 The Floyd-Warshall algorithm
25.3 Johnson's algorithm for sparse graphs
26 Maximum Flow
26.1 Flow networks
26.2 The Ford-Fulkerson method
26.3 Maximum bipartite matching
26.4 Push-relabel algorithms
26.5 The relabel-to-front algorithm
VII Selected Topics
27 Sorting Networks
27.1 Comparison networks
27.2 The zero-one principle
27.3 A bitonic sorting network
27.4 A merging network
27.5 A sorting network
28 Matrix Operations
28.1 Properties of matrices
28.2 Strassen's algorithm for matrix multiplication
28.3 Solving systems of linear equations
28.4 Inverting matrices
28.5 Symmetric positive-definite matrices and least-squares approximation
29 Linear Programming
29.1 Standard and slack forms
29.2 Formulating problems as linear programs
29.3 The simplex algorithm
29.4 Duality
29.5 The initial basic feasible solution
30 Polynomials and the FFT
30.1 Representation of polynomials
30.2 The DFT and FFT
30.3 Efficient FFT implementations
31 Number-Theoretic Algorithms
31.1 Elementary number-theoretic notions
31.2 Greatest common divisor
31.3 Modular arithmetic
31.4 Solving modular linear equations
31.5 The Chinese remainder theorem
31.6 Powers of an element
31.7 The RSA public-key cryptosystem
31.8 Primality testing
31.9 Integer factorization
32 String Matching
32.1 The naive string-matching algorithm
32.2 The Rabin-Karp algorithm
32.3 String matching with finite automata
32.4 The Knuth-Morris-Pratt algorithm
33 Computational Geometry
33.1 Line-segment properties
33.2 Determining whether any pair of segments intersects
33.3 Finding the convex hull
33.4 Finding the closest pair of points
34 NP-Completeness
34.1 Polynomial time
34.2 Polynomial-time verification
34.3 NP-completeness and reducibility
34.4 NP-completeness proofs
34.5 NP-complete problems
35 Approximation Algorithms
35.1 The vertex-cover problem
35.2 The traveling-salesman problem
35.3 The set-covering problem
35.4 Randomization and linear programming
35.4 The subset-sum problem
VIII Appendix: Mathematical Background
A Summations
A.1 Summation formulas and properties
A.2 Bounding summations
B Sets, Etc.
B.1 Sets
B.2 Relations
B.3 Functions
B.4 Graphs
B.5 Trees
C Counting and Probability
C.1 Counting
C.2 Probability
C.3 Discrete random variables
C.4 The geometric and binomial distributions
C.5 The tails of the binomial distribution
Bibliography
Index (created by the authors)
11. Recent developments in primality
testing
11.1. Recent developments in primality testing
Carl Pomerance1 <[email protected]>
(Joint work with Hendrik Lenstra.)
In August, 2002, Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, all from the Indian Institute
of Technology in Kanpur, announced a new algorithm to distinguish between prime numbers and
composite numbers. Unlike earlier methods, their test is completely rigorous, deterministic, and
runs in polynomial time. If n is prime and a is an integer, then the polynomials (x+a)n and xn+a
are congruent modulo n. Therefore they are also congruent modulo n and f(x) for any integer
polynomial f(x). The heart of the procedure for testing n involves verifying such a congruence
where a runs over a small set of integers, and f(x) is a (craftily chosen) polynomial. In the original
paper f(x) is of the form xr
−1, where r is a prime with some additional properties. We have found
a way to instead use polynomials like those that arise in the argument of Gauss for constructible
regular polygons. It is important that the degree of f(x) be large enough so that the primality test
is
valid, but not so large that the running time suffers.We are able to choose the degree fairly
precisely
using some tools from analytic number theory and a new result, due to Daniel Bleichenbacher
and
Vsevolod Lev, from combinatorial number theory. We thus achieve a rigorous and effective
running
time of about (log n)6, the heuristic complexity of the original test.
12. Comparison / Benchmarking for
Primality Testing
12.1. Comparison study for Primality testing using
Mathematica
Hailiza Kamarulhaili & Ega Gradini
[email protected]
School of Mathematical Sciences, Universiti Sains Malaysia, Minden 11800 Penang, MALAYSIA
13. Deterministic Primality Testing
13.1. AKS primality test
13.2. APR - Adleman–Pomerance–Rumely primality
test
Adleman–Pomerance–Rumely primality test
The Jacobi Sums algorithm
http://calistamusic.dreab.com/p-Adleman%E2%80%93Pomerance%E2%80%93Rumely_primality
_test
Unlike other algorithms, it avoids the use of random numbers, so it is a deterministic primality
test. It is named after its discoverers, Leonard Adleman, Carl Pomerance, and Robert Rumely. The
test involves arithmetic in cyclotomic fields.
It was later improved by Henri Cohen and Hendrik Willem Lenstra and called APRT-CL (or APRCL).
It is often used with UBASIC under the name APRT-CLE (APRT-CL extended) and can test primality
of an integer n in time:
Randomized (Probalistic) Provable Primality Testing
Deterministic Primality Testing
13.3. Atkin sieve
In mathematics, the sieve of Atkin is a fast, modern algorithm for finding
all prime numbers up to a specified integer. It is an optimized version
of the ancient sieve of Eratosthenes, but does some preliminary work and
then marks off multiples of primes squared, rather than multiples of
primes. It was created by A. O. L. Atkin and Daniel J. Bernstein.
13.3.1.







Contents
1 Algorithm
2 Pseudocode
3 Explanation
4 Computational complexity
5 See also
6 References
7 External links
13.3.2.
Algorithm
In the algorithm:



All remainders are modulo-sixty remainders (divide the number by sixty and return the
remainder).
All numbers, including x and y, are whole numbers (positive integers).
Flipping an entry in the sieve list means to change the marking (prime or nonprime) to
the opposite marking.
1. Create a results list, filled with 2, 3, and 5.
2. Create a sieve list with an entry for each positive integer; all entries of this list should
initially be marked nonprime.
3. For each entry number n in the sieve list, with modulo-sixty remainder r :
o If r is 1, 13, 17, 29, 37, 41, 49, or 53, flip the entry for each possible solution to
4x2 + y2 = n.
o If r is 7, 19, 31, or 43, flip the entry for each possible solution to 3x2 + y2 = n.
o If r is 11, 23, 47, or 59, flip the entry for each possible solution to 3x2 − y2 = n
when x > y.
o If r is something else, ignore it completely.
4. Start with the lowest number in the sieve list.
5. Take the next number in the sieve list still marked prime.
6. Include the number in the results list.
7. Square the number and mark all multiples of that square as nonprime.
8. Repeat steps five through eight.

This results in numbers with an odd number of solutions to the corresponding equation
being prime, and an even number being nonprime.
13.3.3.
Pseudocode
The following is pseudocode for a straightforward version of the
algorithm:
// arbitrary search limit
limit ← 1000000
// initialize the sieve
is_prime(i) ← false, ∀ i ∈ [5, limit]
// put in candidate primes:
// integers which have an odd number of
// representations by certain quadratic forms
for (x, y) in [1, √limit] × [1, √limit]:
n ← 4x²+y²
if (n ≤ limit) and (n mod 12 = 1 or n mod 12 = 5):
is_prime(n) ← ¬is_prime(n)
n ← 3x²+y²
if (n ≤ limit) and (n mod 12 = 7):
is_prime(n) ← ¬is_prime(n)
n ← 3x²-y²
if (x > y) and (n ≤ limit) and (n mod 12 = 11):
is_prime(n) ← ¬is_prime(n)
// eliminate composites by sieving
for n in [5, √limit]:
if is_prime(n):
// n is prime, omit multiples of its square; this is
// sufficient because composites which managed to get
// on the list cannot be square-free
is_prime(k) ← false, k ∈ {n², 2n², 3n², ..., limit}
print 2, 3
for n in [5, limit]:
if is_prime(n): print n
This pseudocode is written for clarity. Repeated and wasteful
calculations mean that it would run slower than the sieve of Eratosthenes.
To improve its efficiency, faster methods must be used to find solutions
to the three quadratics. At the least, separate loops could have tighter
limits than [1, √limit].
13.3.4.
Explanation
The algorithm completely ignores any numbers divisible by two, three, or
five. All numbers with an even modulo-sixty remainder are divisible by
two and not prime. All numbers with modulo-sixty remainder divisible by
three are also divisible by three and not prime. All numbers with
modulo-sixty remainder divisible by five are divisible by five and not
prime. All these remainders are ignored.
All numbers with modulo-sixty remainder 1, 13, 17, 29, 37, 41, 49, or 53
have a modulo-four remainder of 1. These numbers are prime if and only
2
2
if the number of solutions to 4x + y = n is odd and the number is squarefree
(proven as theorem 6.1 of ).
All numbers with modulo-sixty remainder 7, 19, 31, or 43 have a modulo-six
remainder of 1. These numbers are prime if and only if the number of
solutions to 3x2 + y2 = n is odd and the number is squarefree (proven as
theorem 6.2 of ).
All numbers with modulo-sixty remainder 11, 23, 47, or 59 have a
modulo-twelve remainder of 11. These numbers are prime if and only if the
number of solutions to 3x2 − y2 = n is odd and the number is squarefree
(proven as theorem 6.3 of ).
None of the potential primes are divisible by 2, 3, or 5, so they can't
be divisible by their squares. This is why squarefree checks don't include
22, 32, and 52.
13.3.5.
Computational complexity
This sieve computes primes up to N using O(N/log log N) operations with
only N1/2 + o(1) bits of memory. That is a little better than the sieve of
Eratosthenes which uses O(N) operations and O(N1/2(log log N)/log N)
bits of memory. These asymptotic computational complexities include
simple optimizations, such as wheel factorization, and splitting the
computation to smaller blocks.
13.3.6.


See also
Sieve of Sundaram
Sieve theory
13.3.7.
References
1. ^ a b c d e A.O.L. Atkin, D.J. Bernstein, Prime sieves using binary quadratic forms, Math.
Comp. 73 (2004), 1023-1030.[1]
13.4. Bhattacharjee and Pandey
http://www.cse.iitk.ac.in/research/btp2001/primality.html
The Ultimate PrimalityTest
Conjeture
(Bhattaharjeeand Pandey [8℄)
Ifris an odd
prime whih doesnot divide
n(n¾
1), and
(x
1)n= xn
1
in (Z=nZ)[x℄=(x
Remarks
an
r
1), then nisprime.
1.
We
whi
_nd anodd prime r = O(log n)
hdoesnotdividen¾ 1 simply by
heking r=3; 5; 7; 11; : : :.(Ifrjn then we
are
_nished.)
2.
The time
forthee
test is
e
O(rlog¾ n) =O(log¿n).
3. The onjeture has been
veri_ed for
r < 100, n < 10½¼,½6and also
numbersupto 10
(heking the
for Carmihael
smallest
appliable r).For partial results and
13.5. Brillhart, Lehmer, Selfridge Test based on Lucas
Test
13.6. Cyclotomic
Deterministic
Primality
Cyclotomy
13.7. Demytko deterministic primality test method
If “
” meets the four following
conditions, then pi+1 is sure to be a prime number.
Test
(a) Input a positive odd prime number pi . Let it be
regarded as a seed generating prime number. We also
look for them by using Look-Up Table (LUT) or
other primality test methods.
(b) For hi<4(pi+1) Hi, hi is an even number, so we must
use all of the even numbers from 2 to hi during the
test procedures.
(c) 1 2 1mod hi pi
(d) 1 2 1mod hi
13.8. Elliptic curve methods
ECPP is practical and has been used to prove
primality of a number 44052638 + 26384405 of
15071 decimal digits. The total CPU time was
5.1 Ghz-years (Franke, Kleinjung, Morain, and
Wirth, July 2004).
In practice ECPP is comparable to the Jacobi
Sums algorithm, but ECPP has the advantage
of producing an easily-checked certificate of
primality. In fact, ECPP produces a certificate
of size O( 2) that can be checked in
deterministic polynomial time eO ( 3).
13.9. Eratosthenes Sieve
In mathematics, the sieve of Eratosthenes (Greek: κόσκινον
Ἐρατοσθένους), one of a number of prime number sieves, is a
simple, ancient algorithm for finding all prime numbers up to a specified
integer. It is one of the most efficient ways to find all of the smaller
primes (below 10 million or so). The algorithm is named after Eratosthenes,
an ancient Greek mathematician; although none of Eratosthenes' works have
survived, the sieve was described and attributed to Eratosthenes in the
Introduction to Arithmetic by Nicomachus.
Sieve of Eratosthenes: algorithm steps for primes below 120 (including optimization of
terminating when square of prime exceeds upper limit)
13.9.1.









Contents
1 Algorithm description
o 1.1 Incremental sieve
o 1.2 Trial division
2 Example
3 Algorithm complexity
4 Implementation
5 Arithmetic progressions
6 Euler's sieve
7 See also
8 References
9 External links
13.9.2.
Algorithm description
Sift the Two's and Sift the Three's,
The Sieve of Eratosthenes.
When the multiples sublime,
The numbers that remain are Prime.
“
”
Anonymous
A prime number is a natural number which has exactly two distinct natural
number divisors: 1 and itself.
To find all the prime numbers less than or equal to a given integer n by
Eratosthenes' method:
1. Create a list of consecutive integers from 2 to n: (2, 3, 4, ..., n).
2. Initially, let p equal 2, the first prime number.
3. Starting from p, count up in increments of p and mark each of these numbers greater
than p itself in the list. These numbers will be 2p, 3p, 4p, etc.; note that some of them
may have already been marked.
4. Find the first number greater than p in the list that is not marked; let p now equal this
number (which is the next prime).
5. If there were no more unmarked numbers in the list, stop. Otherwise, repeat from step
3.
When the algorithm terminates, all the numbers in the list that are not
marked are prime.
As a refinement, it is sufficient to mark the numbers in step 3 starting
from p2, as all the smaller multiples of p will have already been marked
at that point. This means that the algorithm is allowed to terminate in
step 5 when p2 is greater than n. This does not appear in the original
algorithm.
Another refinement is to initially list odd numbers only (3, 5, ..., n),
and count up using an increment of 2p in step 3, thus marking only odd
multiples of p greater than p itself. This refinement actually appears
in the original description. This can be generalized with wheel
factorization, forming the initial list only from numbers coprime with
the first few primes and not just from odds, i.e. numbers coprime with
2.
13.9.2.1. Incremental sieve
An incremental formulation of the sieve generates primes indefinitely
(i.e. without an upper bound) by interleaving the generation of primes
with the generation of their multiples (so that primes can be found in
gaps between the multiples), where the multiples of each prime p are
generated directly, by counting up from the square of the prime in
increments of p (or 2p for odd primes).
13.9.2.2. Trial division
Trial division can be used to produce primes by filtering out the
composites found by testing each candidate number for divisibility by its
preceding primes. It is often confused with the sieve of Eratosthenes,
although the latter directly generates the composites instead of testing
for them. Trial division has worse theoretical complexity than that of
the sieve of Eratosthenes in generating ranges of primes.
When testing each candidate number, the optimal trial division algorithm
uses just those prime numbers not exceeding its square root. The widely
known 1975 functional code by David Turner is often presented as an example
of the sieve of Eratosthenes but is actually a sub-optimal trial division
algorithm.
13.9.3.
Example
To find all the prime numbers less than or equal to 30, proceed as follows.
First generate a list of integers from 2 to 30:
2 3 4 5 6
26 27 28 29 30
7
8
9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
First number in the list is 2; cross out every 2nd number in the list after
it (by counting up in increments of 2), i.e. all the multiples of 2:
2 3 4 5 6
26 27 28 29 30
7
8
9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Next number in the list after 2 is 3; cross out every 3-rd number in the
list after it (by counting up in increments of 3), i.e. all the multiples
of 3:
2 3 4 5 6
26 27 28 29 30
7
8
9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Next number not yet crossed out in the list after 3 is 5; cross out every
5-th number in the list after it (by counting up in increments of 5), i.e.
all the multiples of 5:
2 3 4 5 6
26 27 28 29 30
7
8
9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Next number not yet crossed out in the list after 5 is 7; the next step
would be to cross out every 7-th number in the list after it, but they
are all already crossed out at this point, as these numbers (14, 21, 28)
are also multiples of smaller primes because 7*7 is greater than 30. The
numbers left not crossed out in the list at this point are all the prime
numbers below 30:
2
29
3
13.9.4.
5
7
11
13
17
19
23
Algorithm complexity
Time complexity in random access machine model is O(nlog log n)
operations, a direct consequence of the fact that the prime harmonic
series asymptotically approaches log log n.
The bit complexity of the algorithm is O(n(log
operations with a memory requirement of O(n).
n)(log log n)) bit
The segmented version of the sieve of Eratosthenes, with basic
optimizations, uses O(n) operations and O(n1 / 2log log n / log n) bits
of memory.
13.9.5.
Implementation
In pseudocode:
Input: an integer n > 1
Let A be an array of bool values, indexed by integers 2 to n,
initially all set to true.
for i = 2, 3, 4, ..., while i ≤ n/2:
if A[i] is true:
for j = 2i, 3i, 4i, ..., while j ≤ n:
A[j] = false
Now all i such that A[i] is true are prime.
Large ranges may not fit entirely in memory. In these cases it is necessary
to use a segmented sieve where only portions of the range are sieved at
a time. For ranges so large that the sieving primes could not be held in
memory, space-efficient sieves like that of Sorenson are used instead.
13.9.6.
Arithmetic progressions
The sieve may be used to find primes in arithmetic progressions.
13.9.7.
Euler's sieve
Euler's proof of the zeta product formula contains version of the sieve
of Eratosthenes in which each composite number is eliminated exactly once.
It, too, starts with a list of numbers from 2 to n in order. On each step
the first element is identified as the next prime and the results of
multiplying this prime with each element of the list are marked in the
list for subsequent deletion. The initial element and the marked elements
are then removed from the working sequence, and the process is repeated:
[2] (3) 5 7 9 11
47 49 51 53 55 57 59
[3]
(5) 7
11
47 49
53 55
59
[4]
(7)
11
47 49
53
59
[5]
(11)
47
53
59
[...]
13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45
61 63 65 67 69 71 73 75 77 79 ...
13
17 19
23 25
29 31
35 37
41 43
61
65 67
71 73
77 79 ...
13
17 19
23
29 31
37
41 43
61
67
71 73
77 79 ...
13
17 19
23
29 31
37
41 43
61
67
71 73
79 ...
Here the example is shown starting from odds, after the 1st step of the
algorithm. Thus on k-th step all the multiples of the k-th prime are
removed from the list. If generating a bounded sequence of primes, when
the next identified prime exceeds the square root of the upper limit, all
the remaining numbers in the list are prime. In the example given above
that is achieved on identifying 11 as next prime, giving a list of all
primes less than or equal to 80.
Note that numbers that will be discarded by some step are still used while
marking the multiples, e.g. for the multiples of 3 it is 3 · 3 = 9, 3 · 5
= 15, 3 · 7 = 21, 3 · 9 = 27, ..., 3 · 15 = 45, ... .
13.9.8.



See also
Sieve theory
Sieve of Atkin
Sieve of Sundaram
13.9.9.
References
13.10.
Goldwasser Kilian Algorithm
13.11.
Jacobi Sums
The Jacobi Sums algorithm runs in time
O(log log ) .
This is almost polynomial time4.
We can be more precise: Odlyzko and
Pomerance have shown that, for all large n, the
running time is in
[ Alog log , B log log ] ,
where A,B are positive constants. The lower
bound shows that the Jacobi Sums algorithms
is definitely not polynomial-time (in theory
anyway).
The Jacobi sums algorithm is deterministic and
practical: it has been used for numbers of at
least 3395 decimal digits (Mihailescu: 6.5 days
on a 500 Mhz Dec Alpha).
13.12.
Lucas 素性测定算法
http://www.peach.dreab.com/p-Lucas_primality_test
Lucas
http://calistamusic.dreab.com/p-Lucas_primality_test
In computational number theory, the Lucas test is a primality test for
a natural number n; it requires that the prime factors of n − 1 be already
known. It is the basis of the Pratt certificate that gives a concise
verification that n is prime.
13.12.1. Contents





1 Concepts
2 Example
3 Algorithm
4 See also
5 Notes
13.12.2. Concepts
Let n be a positive integer. If there exists an integer 1
that
and for every prime factor q of n
−
<
a < n such
1
then n is prime. If no such number a exists, then n is composite.
The reason for the correctness of this claim is as follows: if the first
equality holds for a, we can deduce that a and n are coprime. If a also
survives the second step, then the order of a in the group (Z/nZ)* is equal
to n−1, which means that the order of that group is n−1 (because the order
of every element of a group divides the order of the group), implying that
n is prime. Conversely, if n is prime, then there exists a primitive root
modulo n, or generator of the group (Z/nZ)*. Such a generator has order
|(Z/nZ)*| = n−1 and both equalities will hold for any such primitive
root.
Note that if there exists an a < n such that the first equality fails,
a is called a Fermat witness for the compositeness of n.
13.12.3. Example
For example, take n = 71. Then n − 1 = 70 and the prime factors of 70
are 2, 5 and 7. We randomly select an a < n of 17. Now we compute:
For all integers a it is known that
Therefore, the multiplicative order of 17 (mod 71) is not necessarily 70
because some factor of 70 may also work above. So check 70 divided by its
prime factors:
Unfortunately, we get that 1710≡1 (mod 71). So we still don't know if 71
is prime or not.
We try another random a, this time choosing a
=
11. Now we compute:
Again, this does not show that the multiplicative order of 11 (mod 71)
is 70 because some factor of 70 may also work. So check 70 divided by its
prime factors:
So the multiplicative order of 11 (mod 71) is 70, and thus 71 is prime.
(To carry out these modular exponentiations, one could use a fast
exponentiation algorithm like binary or addition-chain exponentiation).
13.12.4. Algorithm
The algorithm can be written in pseudocode as follows:
Input: n > 2, an odd integer to be tested for primality; k, a parameter
that determines the accuracy of the test
Output: prime if n is prime, otherwise composite or possibly composite;
determine the prime factors of n−1.
LOOP1: repeat k times:
pick a randomly in the range [2, n − 1]
if an-1
1 (mod n) then return composite
otherwise
LOOP2: for all prime factors q of n−1:
if a(n-1)/q
1 (mod n)
if we did not check this equality for all prime factors
of n−1
then do next LOOP2
otherwise return prime
otherwise do next LOOP1
return possibly composite.
13.12.5. See also


Édouard Lucas
Fermat's little theorem
13.13.
Lucas-Lehmer 测试
Lucas–Lehmer
http://calistamusic.dreab.com/p-Lucas%E2%80%93Lehmer_primality_test
Der Lucas-Lehmer Test ist ein deterministischer Primzahltest, der entscheidet, ob eine
Mersenne-Zahl Mn = 2n − 1 f¨ur ein vorgelegtes n > 2 prim ist oder nicht.
13.13.1. 梅森素数判定算法 Lucas-Lehmer 测试
2010-03-14 13:14:20|
分类： 默认分类 |字号 订阅
梅森素数判定法的算法设计
法国数学家 Lucas 在研究著名的斐波那契数列时" 惊人地发现它与梅森素数的联系"他由此
提出了一个用以判别 Mp 是否为素数的重要定理!!!卢卡斯定理"为梅森素数的研究提供了有
利工具。1930 年，"美国数学家 Lehmer 改进了 Lucas，的工作" 给出一个针对 Mp 的新的素
性测试方法" 即 Lucas-Lehmer 测试：对于所有大于 1 的奇数 p，Mp 是素数当且仅当 Mp 整
除 S(p-1)，其中 S(n)由 S(n)=S(n-1)^2-2，S(1)=4 递归定义。
这个方法尤其适合于计算机运算，因为除以 Mp 的运算在二进制下可以简单地用计算机特别
擅长的移位和加法操作来实现。
以下是用 C 语言实现的可实际使用的 Lucas-Lehmer 测试：
Lucas-Lehmer_test(int p)
{
int s,i,s1;
for(i=0,s1=1;i<p;i++) s1*=2;
s1--;
for(i=3,s=4;i<=p;i++) (s=s*s-2)%s1;
return s==0?1:0;
}
This article is about the Lucas–Lehmer test that only applies to Mersenne numbers. For the
Lucas–Lehmer test that applies to a natural number n, see Lucas primality test. For the
Lucas–Lehmer–Riesel test, see Lucas–Lehmer–Riesel test.
In mathematics, the Lucas–Lehmer test (LLT) is a primality test for
Mersenne numbers. The test was originally developed by Édouard Lucas in
1856, and subsequently improved by Lucas in 1878 and Derrick Henry Lehmer
in the 1930s.
13.13.2. Contents








1 The test
2 Time complexity
3 Examples
4 Proof of correctness
o 4.1 Sufficiency
o 4.2 Necessity
5 Applications
6 See also
7 References
8 External links
13.13.3. The test
p
The Lucas–Lehmer test works as follows. Let Mp = 2 − 1 be the
Mersenne number to test with p an odd prime (because p is exponentially
smaller than Mp, we can use a simple algorithm like trial division for
establishing its primality). Define a sequence {s i } for all i ≥ 0 by
The first few terms of this sequence are 4, 14, 194, 37634, ... (sequence
A003010). Then Mp is prime iff
The number sp − 2 mod Mp is called the Lucas–Lehmer residue of p. (Some
authors equivalently set s1 = 4 and test sp−1 mod Mp). In pseudocode, the
test might be written:
// Determine if Mp = 2p − 1 is prime
Lucas–Lehmer(p)
var s = 4
var M = 2p − 1
repeat p − 2 times:
s = ((s × s) − 2) mod M
if s = 0 return PRIME else return COMPOSITE
By performing the mod M at each iteration, we ensure that all intermediate
results are at most p bits (otherwise the number of bits would double each
iteration). It is exactly the same strategy employed in modular
exponentiation.
13.13.4. Time complexity
In the algorithm as written above, there are two expensive operations
during each iteration: the multiplication s × s, and the mod M
operation. The mod M operation can be made particularly efficient on
standard binary computers by observing the following simple property:
In other words, if we take the least significant n bits of k, and add the
remaining bits of k, and then do this repeatedly until at most n bits remain,
n
we can compute the remainder after dividing k by the Mersenne number 2
−1 without using division. For example:
916 mod 25−1 = 11100101002 mod 25−1
= 111002 + 101002 mod 25−1
= 1100002 mod 25−1
= 12 + 100002 mod 25−1
= 100012 mod 25−1
= 100012
= 17.
Moreover, since s × s will never exceed M2 < 22p, this simple technique
converges in at most 2 p-bit additions, which can be done in linear time.
As a small exceptional case, the above algorithm may produce 2n−1 for a
multiple of the modulus, rather than the correct value of zero; this should
be accounted for.
With the modulus out of the way, the asymptotic complexity of the algorithm
depends only on the multiplication algorithm used to square s at each step.
The simple "grade-school" algorithm for multiplication requires O(p2)
bit-level or word-level operations to square a p-bit number, and since
we do this O(p) times, the total time complexity is O(p3). A more efficient
multiplication method, the Schönhage–Strassen algorithm based on the
Fast Fourier transform, requires O(p log p log log p) time to square a
p-bit number, reducing the complexity to O(p2 log p log log p) or Õ(p2)..
Currently the most efficient known multiplication algorithm, Fürer's
algorithm, needs
time to multiply two p-bit numbers.
By comparison, the most efficient randomized primality test for general
integers, the Miller–Rabin primality test, takes O(k p2 log p log log
p) bit operations using FFT multiplication for a p-digit number (here p
can be any natural number, not necessarily a prime), where k is the number
of iterations and is related to the error rate. So it is in the same
complexity class as the Lucas-Lehmer test for constant k. But in practice
the cost of doing many iterations and other differences leads to worse
performance for Miller–Rabin. The most efficient deterministic
primality test for general integers, the AKS primality test, requires Õ(p6)
bit operations in its best known variant and is dramatically slower in
practice.
13.13.5. Examples
Suppose we wish to verify that M3 = 7 is prime using the Lucas–Lehmer
test. We start out with s set to 4 and then update it 3−2 = 1 time, taking
the results mod 7:

s ← ((4 × 4) − 2) mod 7 = 0
Because we end with s set to zero, M3 is prime.
On the other hand, M11 = 2047 = 23 × 89 is not prime. To show this, we
start with s set to 4 and update it 11−2 = 9 times, taking the results
mod 2047:









s ← ((4 × 4) − 2) mod 2047 = 14
s ← ((14 × 14) − 2) mod 2047 = 194
s ← ((194 × 194) − 2) mod 2047 = 788
s ← ((788 × 788) − 2) mod 2047 = 701
s ← ((701 × 701) − 2) mod 2047 = 119
s ← ((119 × 119) − 2) mod 2047 = 1877
s ← ((1877 × 1877) − 2) mod 2047 = 240
s ← ((240 × 240) − 2) mod 2047 = 282
s ← ((282 × 282) − 2) mod 2047 = 1736
Because s is not zero, M11=2047 is not prime. Notice that we learn nothing
about the factors of 2047, only its Lucas–Lehmer residue, 1736.
13.13.6. Proof of correctness
Lehmer's original proof of the correctness of this test is complex, so
we'll depend upon more recent refinements. Recall the definition:
Then our theorem is that Mp is prime iff
We begin by noting that
is a recurrence relation with a closed-form
solution. Define
and
induction that
for all i:
where the last step follows from
; then we can verify by
. We will
use this in both parts.
13.13.6.1. Sufficiency
In this direction we wish to show that
implies that
Mp is prime. We relate a straightforward proof exploiting elementary group
theory given by J. W. Bruce as related by Jason Wojciechowski.
Suppose
. Then
for some
integer k, and:
Now suppose Mp is composite, and let q be the smallest prime factor of
Mp. Since Mersenne numbers are odd, we have q > 2. Define the set
with q2 elements, where
is the integers mod
q, a finite field (in the language of ring theory X is the quotient of
by the ideal generated by (T2 − 3)).
the univariate polynomial ring
The multiplication operation in X is defined by:
Since q
>
2,
and
are in X (in fact
are
in X, but by abuse of language we identify
and
X under the natural ring homomorphism from
with their images in
to X which sends the
square root of 3 to T). Any product of two numbers in X is in X, but it's
not a group under multiplication because not every element x has an inverse
y such that xy = 1 (in fact X is a ring and the set of non-zero elements
of X is a group if and only if
does not contain a square root of 3).
If we consider only the elements that have inverses, we get a group X*
of size at most q2 − 1 (since 0 has no inverse).
Now, since
, and
which by equation (1) gives
, we have
in X,
. Squaring both sides gives
, showing that ω is invertible with inverse
and so lies
in X*, and moreover has an order dividing 2p. In fact the order must equal
2p, since
and so the order does not divide 2p − 1. Since the order
of an element is at most the order (size) of the group, we conclude that
. But since q is the smallest prime factor of the
composite Mp, we must have
, yielding the
contradiction 2p < 2p − 1. So Mp is prime.
13.13.6.2. Necessity
In the other direction, we suppose Mp is prime and show
. We rely on a simplification of a proof by Öystein
J. R. Ödseth. First, notice that 3 is a quadratic non-residue mod Mp,
since 2 p − 1 for odd p > 1 only takes on the value 7 mod 12, and so
the Legendre symbol properties tell us (3 | Mp) is −1. Euler's criterion
then gives us:
On the other hand, 2 is a quadratic residue mod Mp, since
and so
Euler's criterion again gives:
Next, define
.
, and define X* similarly as before as the
multiplicative group of
following lemmas:
(from Proofs of Fermat's little
theorem#Proof_using_the_binomial_theorem)
for every integer a (Fermat's little theorem)
. We will use the
Then, in the group X* we have:
We chose σ such that ω = (6 + σ)2 / 24. Consequently, we can use this
to compute
in the group X*:
where we use the fact that
Since
this equation by
, all that remains is to multiply both sides of
and use
:
Since sp−2 is an integer and is zero in X*, it is also zero mod
Mp.
13.13.7. Applications
The Lucas–Lehmer test is the primality test used by the Great Internet
Mersenne Prime Search to locate large primes, and has been successful in
locating many of the largest primes known to date. The test is considered
valuable because it can provably test a very large number for primality
within affordable time and, in contrast to the equivalently fast Pépin's
test for any Fermat number, can be tried on a large search space of numbers
with the required form before reaching computational limits.
13.13.8. See also



Mersenne's conjecture
Lucas–Lehmer–Riesel test
GIMPS
13.14.
Lucas–Lehmer–Riesel
http://calistamusic.dreab.com/p-Lucas%E2%80%93Lehmer%E2%80%93Riesel_test
In mathematics, the Lucas–Lehmer–Riesel test is a primality test for
numbers of the form N = k2n − 1, with 2n > k. The test was developed
by Hans Riesel and it is based on the Lucas–Lehmer primality test. It
is the fastest deterministic algorithm known for numbers of that form.
The Brillhart–Lehmer–Selfridge test is the fastest deterministic
algorithm for numbers of the form N = k2n + 1
13.14.1. Contents






1 The algorithm
2 Finding the starting value
3 How does the test work?
4 LLR software
5 References
6 External links
13.14.2. The algorithm
The algorithm is very similar to the Lucas–Lehmer test, but with a
variable starting point depending on the value of k.
Define a sequence {ui} for all i
>
0 by:
Then N is prime if and only if it divides
un−2.
13.14.3. Finding the starting value



If k = 1: if n is odd, then we can take u0 = 4. If n = 3 mod 4, then we can take u0 = 3. Note
that if n is prime, these are Mersenne numbers.
If k = 3: if n = 0 or 3 mod 4 then u0 = 5778.
If k = 1 or 5 mod 6 and 3 does not divide N, then we take
.

Otherwise, we are in the case where k is a multiple of 3, and it is more difficult to select
the right value of u0
13.14.4. How does the test work?
The Lucas–Lehmer–Riesel test is a particular case of group-order
primality testing; we demonstrate that some number is prime by showing
that some group has the order that it would have were that number prime,
and we do this by finding an element of that group of precisely the right
order.
For Lucas-style tests on a number N, we work in the multiplicative group
of a quadratic extension of the integers modulo N; if N is prime, the order
of this multiplicative group is N2 − 1, it has a subgroup of order
N + 1, and we try to find a generator for that subgroup.
We start off by trying to find a non-iterative expression for the ui.
Following the model of the Lucas–Lehmer test, put
by induction we have
, and
.
So we can consider ourselves as looking at the 2ith term of the sequence
v(i) = ai + a − i. If a satisfies a quadratic equation, this is a Lucas
sequence, and has an expression of the form v(i) = αv(i − 1) + βv(i −
2). Really, we're looking at the
th term of a different sequence,
but since decimations (take every kth term starting with the zeroth) of
a Lucas sequence are themselves Lucas sequences, we can deal with the
factor k by picking a different starting point.
13.14.5. LLR software
LLR is a program that can run the LLR tests. The program was developed
by Jean Penné. Vincent Penné has modified the program so that it can obtain
tests via the Internet. The software is both used by individual prime
searchers and some distributed computing projects including Riesel Sieve
and PrimeGrid.
13.14.6. References

Riesel, Hans (1969). "Lucasian Criteria for the Primality of N = h·2n − 1". Mathematics of
Computation (American Mathematical Society) 23 (108): 869–875. doi:10.2307/2004975.
JSTOR 2004975.
13.14.7. External links

Download Jean Penné's LLR
13.14.8. 推广的 Lucas 型素性测定算法
13.14.9. Massey–Omura–Kryptosystem
Beispielsweise benötigt das Massey–Omura–Kryptosystem Primzahlen mit 2000 Bitstellen (Stand
2004), um endliche Körper zu konstruieren.
13.15.
Miller-Primzahltest
Extended Riemann Hyperthesis
erweiterte Riemannsche Vermutung
erweiterte Riemann-Hypothese
13.16.
Pocklington Lehmer primality test
http://calistamusic.dreab.com/p-Pocklington_primality_test
http://www.peach.dreab.com/p-Pocklington_primality_test
In mathematics,
test devised by
decide whether a
that the number
the Pocklington–Lehmer primality test is a primality
Henry Cabourn Pocklington and Derrick Henry Lehmer to
given number N is prime. The output of the test is a proof
is prime or that primality could not be established.
Pocklington primality test (deterministic)
Relies on (partial) factorization of p-1 to generate
recursive list of successive p
(uses Fermat's little theorem)
(isn't always able to work)
13.16.1. Contents






1 Pocklington criterion
o 1.1 Proof of this theorem
2 Generalized Pocklington method
3 The test
4 Example
5 References
6 External links
13.16.2. Pocklington criterion
The test relies on the Pocklington Theorem (Pocklington criterion) which
is formulated as follows:
Let N > 1 be an integer, and suppose there exist numbers a and q such that
(1) q is prime,
and
(2)
(3) gcd(a(N − 1) / q − 1,N) = 1
Then N is prime.
13.16.2.1. Proof of this theorem
Suppose N is not prime. This means there must be a prime p, where
that divides N.
Therefore, q > p − 1 which implies gcd(q,p − 1) = 1.
Thus there must exist an integer u with the property that
This implies
by (1) and (2), and
this contradicts (3)
The test is simple once the theorem above is established. Given N, seek
to find suitable a and q. If they can be obtained, then N is prime. Moreover,
a and q are the certificate of primality. They can be quickly verified
to satisfy the conditions of the theorem, confirming N as prime.
A problem which arises is the ability to find a suitable q, that must
satisfy (1)–(3) and be provably prime. It is even quite possible that
such a q does not exist. This is a large probability, indeed only 57.8%
of the odd primes, N,
have such a q. To find a is not nearly
so difficult. If N is prime, and a suitable q is found, each choice of
a where
will satisfy
, and so will
satisfy (2) as long as ord(a) does not divide (N − 1) / q. Thus a randomly
chosen a is likely to work. If a is a generator mod N its order is N-1
and so the method is guaranteed to work for this choice.
13.16.3. Generalized Pocklington method
A generalized version of Pocklington's theorem covers more primes N.
Corollary:
Let N
−
1 factor as N
−
AB, where A and B are relatively prime,
1=
and the factorization of A is known.
If for every prime factor p of A there exists an integer ap so that
then N is prime. The reverse implication
and
also holds: If N is prime then every prime factor of A can be written in
the above manner.
Proof of Corollary: Let p be a prime dividing A and let pe be the maximum
power of p dividing A. Let v be a prime factor of N. For the ap from the
corollary set
. This means
and because of
also
.
This means that the order of b(mod v) is pe
Thus,
. The same observation holds for each prime power factor
pe of A, which implies
.
Specifically, this means
If N were composite, it would necessarily have a prime factor which is
less than or equal to
. It has been shown that there is no such factor,
which implies that N is prime.
To see the converse choose ap a generator of the integers modulo p.
13.16.4. The test
The Pocklington–Lehmer primality test follows directly from this
corollary. We must first partially factor N − 1 into A and B. Then we
must find an ap for every prime factor p of A, which fulfills the conditions
of the corollary. If such ap's can be found, the Corollary implies that
N is prime.
According to Koblitz, ap = 2 often works.
13.16.5. Example
N = 11351
Choose
, which means B = 2
Now it is clear that gcd(A,B) = 1 and
.
Next find an ap for each prime factor p of A. E.g. choose a5 = 2.
.
So a5 = 2 satisfies the necessary conditions. Choose a227 = 7.
and
So both ap's work and thus N is prime.
We have chosen a small prime for calculation purposes but in practice when
we start factoring A we will get factors that themselves must be checked
for primality. It is not a proof of primality until we know our factors
of A are prime as well. If we get a factor of A where primality is not
certain, the test must be performed on this factor as well. This gives
rise to a so-called down-run procedure, where the primality of a number
is evaluated via the primality of a series of smaller numbers.
In our case, we can say with certainty that 2, 5, and 227 are prime, and
thus we have proved our result. The certificate in our case is the list
of ap's, which can quickly be checked in the corollary.
If our example had given rise to a down-run sequence, the certificate would
be more complicated. It would first consist of our initial round of ap's
which correspond to the 'prime' factors of A; Next, for the factor(s) of
A of which primality was uncertain, we would have more ap's, and so on
for factors of these factors until we reach factors of which primality
is certain. This can continue for many layers if the initial prime is large,
but the important thing to note, is that a simple certificate can be
produced, containing at each level the prime to be tested, and the
corresponding ap's, which can easily be verified. If at any level we cannot
find ap's then we cannot say that N is prime.
The biggest difficulty with this test is the necessity of discovering
prime factors of N - 1, in essence, factoring N − 1. In practice this
could be extremely difficult. Finding ap's is a less difficult problem.
13.17.
Proth deterministic primality test method
1
()
2 1mod
N
then N is prime.
The difference between probabilistic primality test
methods and deterministic primality test methods is that
the result of the later methods can be precisely accurate.
Namely, we are sure the number we calculate is a prime
number.
13.18.
Sundaram sieve
In mathematics, the sieve of Sundaram is a simple deterministic algorithm
for finding all prime numbers up to a specified integer. It was discovered
in 1934 by S. P. Sundaram, an Indian student from Sathyamangalam.
13.18.1. Contents





1 Algorithm
2 Correctness
3 Computational complexity
4 See also
5 References
13.18.2. Algorithm
Start with a list of the integers from 1 to n. From this list, remove all
numbers of the form i + j + 2ij where:


The remaining numbers are doubled and incremented by one, giving a list
of the odd prime numbers (i.e., all primes except 2) below 2n + 2.
The sieve of Sundaram sieves out the composite numbers just as sieve of
Eratosthenes does, but even numbers are not considered; the work of
"crossing out" the multiples of 2 is done by the final
double-and-increment step. Whenever Eratosthenes' method would cross out
k different multiples of a prime 2i+1, Sundaram's method crosses out i
+ j(2i+1) for
.
13.18.3. Correctness
The final list of doubled-and-incremented integers contains only odd
integers; we must show that the set of odd integers excluded from the list
is exactly the set of composite odd integers.
An odd integer is excluded from the final list if and only if it is of
the form 2(i + j + 2ij) + 1, and we have
2(i + j + 2ij) + 1
= 2i + 2j + 4ij + 1
= (2i + 1)(2j + 1).
So, an odd integer is excluded from the final list if and only if it has
a factorization of the form (2i + 1)(2j + 1) — which is to say, if it
has a non-trivial odd factor. Since every odd composite number has a
non-trivial odd factor, we may safely say that an odd integer is excluded
from the final list if and only if it is composite. Therefore the list
must be composed of exactly the set of odd prime numbers less than or equal
to n.
13.18.4. Computational complexity
The sieve of Sundaram finds the primes less than n in Θ(n log n) operations
using Θ(n) bits of memory.
13.18.5. See also

Sieve of Eratosthenes


Sieve of Atkin
Sieve theory
13.18.6. References
13.19.
Trial division
http://calistamusic.dreab.com/p-Trial_division
13.20.
Ward’s primality test
Lucas sequence Un
Sylvester cyclotomic number Qn
13.21.
Wilson's Primality Test 威尔逊判别法
n 是素数的充要条件是
(n  1)!1  0 (mod n )
a  b mod p
这里
是指 a-b 被 p 整除。
不过该算法的运算量为 O(nlogn^2),计算量太大。
14. Randomized /Probabilistic/ Probable /
Provable / Primality Testing
14.1. Adelman-Huang algorithm
Adelman-Huang
There is a complicated algorithm5, due to
Adleman and Huang (1992), that gives a
certificate of primality in expected polynomial
time. Thus
PRIMES ∈ RP.
It follows from Adelman-Huang and
Rabin-Miller that
PRIMES ∈ RP ∩ co-RP = ZPP.
Recall that ZPP is very close to P. The
difference is that for ZPP the expected running
time is polynomial in , but for P the
worst-case running time is polynomial in .
In practice no one uses the Adelman-Huang
algorithm because ECPP is much faster.
Adelman-Huang is of theoretical interest
because we can prove that its expected running
time is polynomial in .
14.2. Agrawal-Biswas algorithm or Agarwal-Biswas
Probabilistic Testing
14.3. AKS parallel sorting algorithm of Ajtai, Koml´os
and Szemer´edi
14.4. ALI primality test
14.5. APR Test
14.6. APRT-CL (or APRCL)
14.7. 素性测试的 ARCL 算法
１９８０年数学家 Adleman, Rumely, Cohen 和 Lenstra 研究出一种非常复杂、具有高度技巧
的素数判别方法，检验一个２０位数的素性只需１０秒，对一个５０位数，只要１５秒，而
一个１００位数只用４０秒。如果用试除法，判别一个５０位数的素性要一百亿年！
14.8. Baillie–PSW
http://calistamusic.dreab.com/p-Baillie%E2%80%93PSW_primality_test
The Baillie–PSW primality test is a probabilistic primality testing heuristic algorithm: it determines
if a number is composite or a probable prime. The authors of the test offered $30 for the
discovery of a composite number that passed this test. As of 1994, the value was raised to $620
and no pseudoprime was found up to 1017, consequently this can be considered a sound
primality test on numbers below that upper bound.
A primality testing software PRIMO uses this algorithm to check for probable primes, and no
certification of this test has yet failed. The author, Marcel Martin, estimates by those results that
the test is accurate for numbers below 10000 digits. There is a heuristic argument (Pomerance
1984) suggesting that there may be infinitely many counterexamples.
The test
Optionally, perform trial division to check if the number isn't a multiple of a small prime number.
Perform a base 2 strong pseudoprimality test. If it fails; n is composite.
Find the first a in the sequence 5, −7, 9, −11, ... for which the Jacobi symbol
Perform a Lucas pseudoprimality test with discriminant a on n. If this test does not fail, n is likely
a prime.
14.9. BPP algorithm
First, in all the algorithms we will assume that n is odd, not a prime
power, and not a perfect square. (These are fine to assume since we
can always begin by checking if the square-root, cube-root, etc. of n
is an integer, and if so saying "composite".)
Here's a BPP algorithm for primality testing. This one is probably the
easiest to analyze, and I think is due to Lehmer.
Repeat k times:
* Pick a in {1,...,n-1} at random.
* If gcd(a,n) != 1, then output COMPOSITE.
[this is actually unnecessary but conceptually helps]
* If a^{(n-1)/2} is not congruent to +1 or -1 (mod n),
then output COMPOSITE.
Now, if we ever got a "-1" above output "PROBABLY PRIME" else output
"PROBABLY COMPOSITE".
Theorem: this procedure has error probability at most 1/2^k.
Proof: if n is really prime, then in each iteration we get
a^{(n-1)/2} = -1 (mod n) with probability 1/2, so we get a -1 at least
once with probability 1 - 1/2^k. If n is composite, the proof of
success will follow from the lemma below with t = (n-1)/2.
Key Lemma: Let n be an odd composite, not a prime power, and let t <
n. If there exists a in Z_n^* such that a^t = -1 (mod n), then at
most half of the x's in Z_n^* have x^t = {-1,+1} (mod n). In fact, we
can weaken the condition to simply that there exists a in Z_n^* such
that a^t is not congruent to +1 (mod n).
Proof: Let S = {x in Z_n^* : x^t = +1 or -1 (mod n)}. S is a subgroup
of Z_n^* since it's closed under multiplication (xy)^t = (x^t)(y^t)
and inverse (x^{-1})^t = (x^t)^{-1}. So we just need to find some b
in Z_n^* not in S. (So, the "weakened condition" is equivalent to the
stronger condition because if a^t is not congruent to -1 (mod n), then
we're done.) Let n = q * r, where q and r are relatively prime
and greater than 1. Let b = (a,1), where we're using CRT notation:
b = a (mod q) and b = 1 (mod r). Note that b^t = (a^t, 1^t) = (-1,1).
Therefore, b is not in S since 1 = (1,1) and -1 = (-1, -1). QED.
========================================================================
An aside: it's clear that primality is in co-NP: if a number is
composite, there is a short witness: namely, a factor. Is primality
in NP? Yes. Here's an idea due to Pratt:
The certificate that n is prime will be a generator g of Z_n^*, a
prime factorization of n-1, and then (recursively) a proof
that each of those prime factors is really prime.
The idea is that if n is prime, then g^{n-1} = 1 (mod n) and g^t is
not congruent to 1 (mod n) for any 0 < t < n-1. On the other hand, if
n is composite, then phi(n) < n-1 so this cannot be the case. So, to
verify that n is prime, we just verify that g^{n-1} = 1 (mod n) and
then verify that g^{(n-1)/p} is not congruent to 1 for any prime
factor p of n, and then recursively verify that each of these factors
is prime (and, of course, verify that the prime factorization really
is a factorization of n). We can see that this certificate is not too
large since if you draw out the recursive "tree", the width is at most
log(n) (since the product of all primes on any given level is at most n)
and the depth is at most log(n) since the primes are dropping by at
least a factor or 2. QED.
14.10.
Baillie and Wagstaff Method
14.11.
Chen--Kao and Lewin--Vadhan tests
[Chen and Kao 1997;
Lewin and Vadhan 1998].
14.12.
Chinese Primality Test
14.13.
Chinese Remaindering
Primality and Identity Testing via Chinese Remaindering.
[DBLP_Link] [Online_Version] CitedBy 72
Authors:
http://arnetminer.org/pictures/thumb/489/1225201608105.jpeg
Manindra Agrawal social network
Professor
Department of Computer Science and Engineering Indian Institute of Technology Kanpur
http://arnetminer.org/images/no_photo.jpg
Somenath Biswas social network
Professor
Computer Science and Engineering Indian Institute of Technology, Kanpur
Abstract:
We give a simple and new randomized primality testing algorithm by reducing primality testing
for number n to testing if a specific univariate identity over Zn holds.We also give new
randomized algorithms for testing if a multivariate polynomial, over a finite field or over rationals,
is identically zero. The first of these algorithms also works over Zn for any n. The running time of
the algorithms is polynomial in the size of arithmetic circuit representing the input polynomial
and the error parameter. These algorithms use fewer random bits and work for a larger class of
polynomials than all the previously known methods, for example, the Schwartz--Zippel test
[Schwartz 1980; Zippel 1979], Chen--Kao and Lewin--Vadhan tests [Chen and Kao 1997; Lewin
and Vadhan 1998].
14.14.
Cohen-Lenstra Method
14.15.
Colin Plumb primality test (Euler Criterion)
14.16.
Combination Algorithm
Recall that ECPP produces a certificate of
primality. Thus, using a combination of
Rabin-Miller and ECPP, we can get a
randomized algorithm that produces a
certificate to prove that its result (whether
“prime” or “composite”) is correct.
All we have to do is run the Rabin-Miller and
ECPP algorithms in “parallel” until one of
them produces a certificate7. The expected
running time is believed to be eO ( 4), although
we can’t prove this.
To be guaranteed an expected polynomial
runtime, add a parallel thread for the
Adelman-Huang algorithm.
14.17.
Cyclotomic Probabilistic Primality Test
14.18.
ECPP Elliptic Curve Primality Proving
http://calistamusic.dreab.com/p-Elliptic_curve_primality_proving
http://calistamusic.dreab.com/p-Elliptic_curve_primality_proving
Elliptic Curve Primality Proving (ECPP) is a method based on elliptic curves to prove the primality
of a number (see Elliptic curve primality testing). It is a general-purpose algorithm, meaning it
does not depend on the number being of a special form. ECPP is currently in practice the fastest
known algorithm for testing the primality of general numbers, but the worst-case execution time
is not known. ECPP heuristically runs in time:
for some
. This exponent may be decreased to 4+\epsilon for some versions by heuristic
arguments. ECPP works the same way as most other primality tests do, finding a group and
showing its size is such that p is prime. For ECPP the group is an elliptic curve over a finite set of
quadratic forms such that p − 1 is trivial to factor over the group.
ECPP generates an Atkin-Goldwasser-Kilian-Morain certificate of primality by recursion and then
attempts to verify the certificate. The step that takes the most CPU time is the certificate
generation, because factoring over a class field must be performed. The certificate can be verified
quickly, allowing a check of operation to take very little time.
In 2006 the largest prime that has been proved with ECPP is the 20,562-digit Mills' prime:
(((((((((23 + 3)3 + 30)3 + 6)3 + 80)3 + 12)3 + 450)3 + 894)3 + 3636)3 + 70756)3 + 97220.
The distributed computation with software by François Morain started in September 2005 and
ended in June 2006. The cumulated time corresponds to one AMD Opteron 250 processor at 2.39
GHz for 2219 days (near 6 years).
As of 2011 the largest prime that has been proved with ECPP is the 26,643-digits LR prime. The
distributed computation with software by François Morain started in January 2011 and ended in
April 2011. The cumulated time corresponds to one processor for 2255 days (more than 6 years).
14.19.
Elliptic Curve Primality Testing
Elliptic curve
http://calistamusic.dreab.com/p-Elliptic_curve_primality_testing
http://www.peach.dreab.com/p-Elliptic_curve_primality_proving
Elliptic curve primality testing techniques are among the quickest and most widely used methods
in primality proving. It is an idea forwarded by Shafi Goldwasser and Joe Kilian in 1986 and
turned into an algorithm by A.O.L. Atkin the same year. The algorithm was altered and improved
by several collaborators subsequently, and notably by Atkin and Francois Morain, in 1993. The
concept of using elliptic curves in factorization had been developed by H.W. Lenstra in 1985, and
the implications for its use in primality testing (and proving) followed quickly.
The elliptic curve test, proves primality (or compositeness) with a quickly verifiable certificate.
Elliptic curve primality proving provides an alternative to (among others) the Pocklington
primality test, which can be difficult to implement in practice. Interestingly, the elliptic curve
primality tests are based on criteria which is analogous to the Pocklington criterion, on which that
test is based, where the group
is replaced by
, and E is a properly
chosen elliptic curve. We will now state a proposition on which to base our test, which is
analogous to the Pocklington criterion, and gives rise to the Goldwasser-Kilian-Atkin form of the
elliptic curve primality test.
Contents
14.19.1. Proposition
Let N be a positive integer, and E be the set which is defined by the equation y2 = x3 + ax + b(mod
N). Consider E over
, use the usual addition law on E, and write O for the neutral
element on E.
Let m be an integer. If there is a prime q which divides m, and is greater than (N1 / 4 + 1)2 and
there exists a point P on E such that
(1) mP = 0
(2) (m/q)P is defined and not equal to 0
Then N is prime.
14.19.2. Proof
If N is composite, then there exists a prime
that divides N. Define Ep as the elliptic
curve defined by the same equation as E but evaluated modulo p rather than modulo N. Define
mp as the order of the group Ep. By Hasse's theorem on elliptic curves we know
and thus gcd(q,mp) = 1 and there exists an integer u with the property that
Let Pp be the point P evaluated modulo p. Thus, on Ep we have
by (1), as mPp is calculated using the same method as mP, except modulo p rather than modulo N
(and
).
This contradicts (2), because if (m/q)P is defined and not equal to 0 (mod N), then the same
method calculated modulo p instead of modulo N will yield
14.19.3. Goldwasser–Kilian algorithm
From this proposition an algorithm can be constructed to prove an integer, N, is prime. This is
done as follows:
Choose three integers at random, a, x, y and set
Now P = (x,y) is a point on E, where we have that E is defined by y2 = x3 + ax + b. Next we need an
algorithm to count the number of points on E. Applied to E, this algorithm (Koblitz and others
suggest Schoof's algorithm) produces a number m which is the number of points on curve E over
FN, provided N is prime. Next we have a criterion for deciding whether our curve E is acceptable.
If we can write m in the form m = kq where
is a small integer and q a probable prime (it
has passed some previous probabilistic primality test, for example), then we do not discard E. If it
is not possible to write m in this form, we discard our curve and randomly select another triple (a,
x, y) to start over.
Assuming we find a curve which passes the criterion, proceed to calculate mP and kP. If at any
stage in the calculation we encounter an undefined expression (from calculating the multiples of
P or in our point counting algorithm), it gives us a non-trivial factor of N.
If
it is clear that N is not prime, because if N were prime then E would have order m,
and any element of E would become 0 on multiplication by m. If kP = 0 then we have hit a
dead-end and must start again with a different triple.
Now if mP = 0 and kP \neq 0 then our previous proposition tells us that N is prime. However
there is one possible problem, which is the primality of q. This must be verified, using the same
algorithm. So we have described a down-run procedure, where the primality of N can be proven
through the primality of q and indeed smaller 'probable primes' until we have reached certain
primes and are finished.
14.19.4. Problems with the algorithm
Atkin and Morain state "the problem with GK is that Schoof's algorithm seems almost impossible
to implement. It is very slow and cumbersome to count all of the points on E using Schoof's
algorithm, which is the preferred algorithm for the Goldwasser–Kilian algorithm. However, the
original algorithm by Schoof is not effcicient enough to provide the number of points in short
time. These comments have to be seen in the historical context, before the improvements by
Elkies and Atkin to Schoof's method.
A second problem Koblitz notes is the difficulty of finding the curve E whose number of points is
of the form kq, as above. There is no known theorem which guarantees we can find a suitable E in
polynomially many attempts. The distribution of primes on the Hasse interval
, which contains m, is not the same as the distribution of
primes in the group orders, counting curves with multiplity. However, this is not a significant
problem in practice.
14.19.5. Atkin–Morain elliptic curve primality test (ECPP)
In a 1993 paper, Atkin and Morain described an algorithm ECPP which avoided the trouble of
relying on a cumbersome point counting algorithm (Schoof's). The algorithm still relies on the
proposition stated above, but rather than randomly generating elliptic curves and searching for a
proper m, their idea was to construct a curve E where the number of points is easy to compute.
Complex multiplication is key in the construction of the curve.
Now, given an N for which primality needs to be proven we need to find a suitable m and q, just
as in the Goldwasser-Kilian test, that will fulfill the proposition and prove the primality of N. (Of
course, a point P and the curve itself, E, must also be found.)
ECPP uses complex multiplication to construct the curve E, doing so in a way that allows for m
(the number of points on E) to be easily computed. We will now describe this method:
Utilization of complex multiplication requires a negative discriminant, D, such that D can be
written as the product of two elements
, or completely equivalently, we can write
the equation:
For some a, b. If we can describe N in terms of either of these forms, we can create an elliptic
curve E on
with complex multiplication (described in detail below), and the number
of points is given by:
For N to split into two the two elements, we need that
(where
denotes
the Legendre symbol). This is a necessary condition, and we achieve sufficiency if the class
number h(D) of the order in
is 1. This happens for only 13 values of D, which are the
elements of {−3, −4, −7, −8, −11, −12, −16, −19, −27, −28, −43, −67, −163}
14.19.6. The test
Pick discriminants D in sequence of increasing h(D). For each D check if
and
whether 4N can be written as:
This part can be verified using Cornacchia's algorithm. Once acceptable D and a have been
discovered, calculate m = N + 1 − a. Now if m has a prime factor q of size
q > (N1 / 4 + 1)2
14.19.7. Complex multiplication method
For completeness, we will provide an overview of complex multiplication,
the way in which an elliptic curve can be created, given our D (which can
be written as a product of two elements).
Assume first that
and
(these cases are much more easily done).
It is necessary to calculate the elliptic j-invariants of the h(D) classes
of the order of discriminant D as complex numbers. There are several
formulas to calculate these.
Next create the monic polynomial HD(X), which has roots corresponding to
the h(D) values. Note, that HD(X) is the class polynomial. From complex
multiplication theory, we know that HD(X) has integer coefficients, which
allows us to estimate these coefficients accurately enough to discover
their true values.
Now, if N is prime, CM tells us that HD(X) splits modulo N into a product
of h(D) linear factors, based on the fact that D was chosen so that N splits
as the product of two elements. Now if j is one of the h(D) roots modulo
N we can define E as:
c is any quadratic nonresidue mod N, and r is either 0 or 1.
Given a root j there are only two possible nonisomorphic choices of E,
one for each choice of r. We have the cardinality of these curves as
or
14.19.8. Discussion
Just as with the Goldwasser–Killian test, this one leads to a down-run
procedure. Again, the culprit is q. Once we find a q that works, we must
check it to be prime, so in fact we are doing the whole test now for q.
Then again we may have to perform the test for factors of q. This leads
to a nested certificate where at each level we have an elliptic curve E,
an m and the prime in doubt, q.
14.19.9. Example of Atkin–Morain ECPP
We construct an example to prove that N = 167 is prime using the
Atkin–Morain ECPP test. First proceed through the set of 13 possible
discriminants, testing whether the Legendre Symbol (D / N) = 1, and if
4N can be written as 4N = a2 + | D | b2.
For our example D = −43 is chosen. This is because (D / N) = ( − 43 / 167)
= 1 and also, using Cornacchia's algorithm, we know that
and thus a = 25 and b = 1.
The next step is to calculate m. This is easily done as m = N + 1 − a which
yields m = 167 + 1 − 25 = 143. Next we need to find a probable prime divisor
of m, which was referred to as q. It must satisfy the condition that q >
(N1 / 4 + 1)2
Now in this case, m = 143 = 11*13. So unfortunately we cannot choose 11
or 13 as our q, for it does not satisfy the necessary inequality. We are
saved, however, by an analogous proposition to that which we stated before
the Goldwasser–Kilian algorithm, which comes from a paper by Morain. It
states, that given our m, we look for an s which divides m, s > (N1 / 4 +
1)2, but is not necessarily prime, and check whether, for each pi which
divides s
for some point P on our yet to be constructed curve.
If s satisfies the inequality, and its prime factors satisfy the above,
then N is prime.
So in our case, we choose s = m = 143. Thus our possible pi's are 11 and
13. First, it is clear that 143 > (1671 / 4 + 1)2, and so we need only check
the values of
(143 / 11)P = 13P and (143 / 13)P = 11P.
But before we can do this, we must construct our curve, and choose a point
P. In order to construct the curve, we make use of complex multiplication.
In our case we compute the J-invariant
Next we compute
and we
know our elliptic curve is of the form:
y2 = x3 + 3kc2x + 2kc3,
where k is as described previously and c a non-square in
. So we can
begin with
,
which yields
E: y2 = x3 + 140x + 149(mod 167)
Now, utilizing the point P = (6,6) on E it can be verified that 143P =
.
It is simple to check that 13(6, 6) = (12, 65) and 11P = (140, 147), and
so, by Morain's proposition, N is prime.
14.19.10. Complexity and running times
Goldwasser and Kilian's elliptic curve primality proving algorithm
terminates in expected polynomial time for at least
of prime inputs.
14.19.11. Conjecture
Let π(x) be the number of primes smaller than x
for sufficiently large x.
If one accepts this conjecture then the Goldwasser–Kilian algorithm
terminates in expected polynomial time for every input. Also, if our N
is of length k, then the algorithm creates a certificate of size O(k2)
that can be verified in O(k4).
Now consider another conjecture, which will give us a bound on the total
time of the algorithm.
14.19.12. Conjecture 2
Suppose there exist positive constants c1 and c2 such that the amount of
primes in the interval
is larger than
Then the Goldwasser Kilian algorithm proves the primality of N in an
expected time of
For the Atkin–Morain algorithm, the running time stated is
O((logN)6 + ε) for some ε > 0
14.19.13. Primes of special form
For some forms of numbers, it is possible to find 'short-cuts' to a
primality proof. This is the case for the Mersenne numbers. In fact, due
to their special structure, which allows for easier verification of
primality, the largest known prime number is a Mersenne number. There has
been a method in use for some time to verify primality of Mersenne numbers,
known as the Lucas–Lehmer test. This test does not rely on elliptic curves.
However we present a result where numbers of the form N = 2kn − 1 where
, n odd can be proven prime (or composite) using elliptic
curves. Of course this will also provide a method for proving primality
of Mersenne numbers, which correspond to the case where n = 1. It should
be noted that there is a method in place for testing this form of number
without elliptic curves (with a limitation on the size of k) known as the
Lucas–Lehmer–Riesel test. The following method is drawn from the paper
Primality Test for 2kn − 1 using Elliptic Curves, by Yu Tsumura.
14.19.14. Group structure of E(FN)
We take E as our elliptic curve, where E is of the form y2 = x3 − mx for
,
, where
is prime, and
odd.
14.19.15. Theorem 1
#E
14.19.16. Theorem 2
E
or
E
Depending on whether or not m is a quadratic residue modulo p.
14.19.17. Theorem 3
Let
be prime, E, k, n, m as above. Take Q = (x,y) on E,
x a quadratic nonresidue modulo p.
Then the order of Q is divisible by 2k in the cyclic group
.
First we will present the case where n is relatively small with respect
to 2k, and this will require one more theorem.
14.19.18. Theorem 4
Choose a λ > 1. E, k, n, m are specified as above with the added
restrictions that
and
p is a prime if and only if there exists a Q = (x,y) which is on E, such
that the
gcd(Si,p) = 1 for i = 1, 2, ...,k
−
1 and
where Si is a sequence with initial value S0 = x
14.19.19. The algorithm
We provide the following algorithm, which relies mainly on Theorems 3 and
4. To verify the primality of a given number N, perform the following
steps:
(1) Chose
, and find y such that
such that
Take
2
3
Then Q' = (x,y) is on E: y = x − mx where
Calculate Q = mQ'. If
then N is composite, otherwise proceed to
(2).
(2) Set Si as the sequence with initial value Q. Calculate Si for i = 1,2,...,
k − 1
If gcd(Si,N) > 1 for an i, where
then N is composite.
Otherwise, proceed to (3).
(3) If
This completes the test.
then N is prime. Otherwise, N is composite.
14.19.20. Justification of the algorithm
In (1), and elliptic curve, E is picked, along with a point Q on E, such
that the x-coordinate of Q is a quadratic nonresidue. We can say
Thus, if N is prime, Q' has order divisible by 2k, by Theorem 3,
and therefore the order of Q' is 2kd d | n.
This means Q = nQ' has order 2k. Therefore, if (1) concludes that N is
composite, it truly is composite. (2) and (3) check if Q has order 2k.
Thus, if (2) or (3) conclude N is composite, it is composite.
Now, if the algorithm concludes that N is prime, then that means S1
satisfies the condition of Theorem 4, and so N is truly prime.
There is an algorithm as well for when n is large, however for this we
refer to the aforementioned article.
14.19.21. References
14.20.
Demytko
14.21.
Euler Test
14.22.
Fermat 素性测试
http://www.doc.ic.ac.uk/~cd04/430notes/fermat.jar
http://kobep525.rsjp.net/~math/notes/note02.html
http://calistamusic.dreab.com/p-Fermat_primality_test
Fermat’s little theorem:
If n is prime and doesn’t divide a, then
a n1  1(mod n)
The Fermat primality test is a probabilistic test to determine if a number
is probable prime.
14.22.1. Contents






1 Concept
2 Example
3 Algorithm and running time
4 Flaw
5 Applications
6 References
14.22.2. Concept
Fermat's little theorem states that if p is prime and
, then
If we want to test if p is prime, then we can pick random a's in the interval
and see if the equality holds. If the equality does not hold for a value
of a, then p is composite. If the equality does hold for many values of
a, then we can say that p is probable prime.
It might be in our tests that we do not pick any value for a such that
the equality fails. Any a such that
when n is composite is known as a Fermat liar. Vice versa, in this case
n is called Fermat pseudoprime to base a.
If we do pick an a such that
then a is known as a Fermat witness for the compositeness of n.
14.22.3. Example
Suppose we wish to determine if n = 221 is prime. Randomly pick 1 ≤
a < 221, say a = 38. Check the above equality:
Either 221 is prime, or 38 is a Fermat liar, so we take another a, say
26:
So 221 is composite and 38 was indeed a Fermat liar.
14.22.4. Algorithm and running time
The algorithm can be written as follows:
Inputs: n: a value to test for primality; k: a parameter that determines
the number of times to test for primality
Output: composite if n is composite, otherwise probably prime
repeat k times:
pick a randomly in the range [1, n − 1]
if
, then return composite
return probably prime
Using fast algorithms for modular exponentiation, the running time of this
algorithm is O(k × log2n × log log n × log log log n), where k is the
number of times we test a random a, and n is the value we want to test
for primality.
14.22.5. Flaw
There are infinitely many values of n (known as Carmichael numbers) for
which all values of a for which gcd(a,n) = 1 are Fermat liars. While
Carmichael numbers are substantially rarer than prime numbers, there are
enough of them that Fermat's primality test is often not used in favor
of other primality tests such as Miller-Rabin and Solovay-Strassen.
In general, if n is not a Carmichael number then at least half of all
are Fermat witnesses. For proof of this, let a be a Fermat witness and
a1, a2, ..., as be Fermat liars. Then
and so all
for i = 1,2,...,s are Fermat witnesses.
14.22.6. Applications
The encryption program PGP uses this primality test in its algorithms.
The chance of PGP generating a Carmichael number is less than 1 in 1050,
which is more than adequate for practical purposes.
14.23.
Fermat-Euler
14.24.
Frobenius pseudoprimality test
http://www.peach.dreab.com/p-Frobenius_pseudoprime
14.25.
Goldwasser Kilian Algorithm
14.26.
Gordon‟s algorithm
14.27.
雅克比和素性判别方法
14.28.
Konyagin – Pomerance n-1 Test
14.29.
Lehmann
另一种更简单的测试是由 Lehmann 独自研究的。下面是它的测试算法：
（1）
（2）
（3）
（4）
选择一个小于 p 的随机数 a。
计算 a^(p-1)/2 mod p
如果 a^(p-1)/2<>1 或-1（mod p）
，那么 p 肯定不是素数。
如果 a^(p-1)/2=1 或-1（mod p），那麽 p 不是素数的可能性值多是 50%
同样，重复 t 次，那麽 p 可能是素数所冒的错误风险不超过 1/2^t。
14.30.
Maurer‟s algorithm
14.31.
Miller-Rabin / Rabin-Miller 素 性 测 试 算 法
Miller-Rabin Compositeness Test
http://en.literateprograms.org/Category:Miller-Rabin_primality_test
http://www.cryptomathic.com/Default.aspx?ID=479
http://calistamusic.dreab.com/p-Miller%E2%80%93Rabin_primality_test
Verification of the Miller–Rabin probabilistic primality test
This primality test is also called the Selfridge-Miller-Rabin test or the strong prime test. It is a
refinement of the Fermat test which works very well in practice.
14.31.1. 快速判定素数-----Miller-Rabin 算法
说 Miller-Rabin.这是个很容易且广泛使用的简单算法，它基于 Gary Miller 的部分象法，有
Michael Rabin 发展。事实上，这是在 NIST 的 DSS 建议中推荐的算法的一个简化版。 更多的
人叫它“测试”
，因为通过 Miller-Rabin 测试的并不一定就是素数，非素数通过测试的概率是
1/4。它的原理无论如何都会让人想起“费马小定理“
费马小定理 如果 P 是一个素数，且 0<a<p,则 a^(p-1)≡1(mod p)
例如，67 是一个素数，则 2^66mod 67=1。
利用费马小定理，对于给定的整数 n，可以设计一个素数判定算法。通过计算 d=2^(n-1)mod
n 来判定整数 n 的素性。当 d 不等于 1 时，n 肯定不是素数；当 d 等于 1 时，n 则很可能是
素数。但也存在合数 n 使得 2^(n-1)≡1(mod n)。例如，满足此条件的最小合数是 n=341。为
了提高测试的准确性，我们可以随机地选取整数 1
费马小定理毕竟只是素数判定的一个必要条件。满足费马小定理条件的整数 n 未必全是素
数。有些合数也满足费马小定理的条件。这些合数被称做 Carmichael 数，前 3 个 Carmichael
数是 561,1105,1729。Carmichael 数是非常少的。在 1~100,000,000 范围内的整数中，只有 255
个 Carmichael 数。利用下面的二次探测定理可以对上面的素数判定算法作进一步改进，以避
免将 Carmichael 数当作素数。
二次探测定理
如果 p 是一个素数，0<x<p,则方程 x^2≡1(mod p)的解为 x=1,p-1
上面是在王晓东的《计算机算法分析与设计》上抄录的，看不懂网上的文章，就这个解释费
马小定理的我看懂了-___-。下面具体说一下算法的步骤吧,n 是我们要测试的数据:
0、先计算出 m、j，使得 n-1=m*2^j，其中 m 是正奇数，j 是非负整数
1、随机取一个 b，2<=b
2、计算 v=b^m mod n
3、如果 v==1，通过测试，返回
4、令 i=1
5、如果 v=n-1，通过测试，返回
6、如果 i==j，非素数，结束
7、v=v^2 mod n，i=i+1
8、循环到 5
最后说明，运行一次测试的判断结果当然不能满意，多运行几次随机测试，这样我们判断错
的概率就变为(1/4)^loop 了:)，往往还要先通过一个小的素数表现进行一些筛选来提高效率:)
14.31.2. Miller-Rabin Algorithm
We now describe one final RP alg for compositeness. This is along the
lines of using a^{n-1} =? 1 (mod n) as a test.
* Let n = 2^r * B, where B is odd.
* pick a in {1,...,n-1} at random.
* Compute a^B, a^{2B}, ..., a^{n-1} (mod n).
* If a^{n-1} != 1 (mod n), then output COMPOSITE
* If we found a non {-1,+1} root of 1 in the above list, then
output COMPOSITE.
* else output POSSIBLY PRIME.
Note that we only have to worry about Carmichael numbers (composite n
such that all a in Z_n^* satisfy a^{n-1} = 1 (mod n)). For all other
composite numbers, at least half of the a's don't have this property
(since {a : a^{n-1} = 1 (mod n)} is a group).
Here's how we can argue for Carmichael numbers:
Suppose there exists a in Z_n^* satisfying a^{(n-1)/2} != 1 (mod n).
Then our "Key Lemma" implies that with probability at least 1/2, we
will find a non {-1,+1} root of 1 in computing a^{(n-1)/2} and output
COMPOSITE. If no such a exists, but there exists b in Z_n^* such that
b^{(n-1)/4} != 1 (mod n) then similarly we're OK (assuming n-1 is
divisible by 4). Going down the line from right-to-left, we can now
assume w.l.o.g. that all a in z_n^* satisfy a^B = 1 (mod n).
We now show a contradiction: let n=p1^e1 * r, where e1 is odd and p1
and r are relatively prime. Let g be a generator mod p1^e1 (we didn't
prove it, but the prime power groups are cyclic too; actually,
Carmichael numbers must be products of distinct primes, but we didn't
prove that either). Let a = (g,1) using CRT notation. If a^B = 1 (mod n)
then g^B = 1 (mod p1^e1), which means that B must be a multiple of
phi(p1^e1) since g is a generator. But B is odd and phi(p1^e1) is
even, a contradiction. QED
14.31.3. Miller-Rabbin 素性测试[ZJUT1517]
2010-03-20 21:04
今天校赛的一道题：[ZJUT1517]，一看就知道是大素数验证，所以自然而然想到了出错率为
(1/4)^s 的 RP 算法-Miller-Rabbin 素性测试，但是网上找到的模板都是 wa，只有过 PKU1811
的少数几个不 wa，后来才发现是在算快速幂取模的时候用到的 long long 乘法超出 long long
范围了，于是加上 long long 乘法后就可以了。
Miller-Rabbin 算法：如果 a^(n-1)≡1 (mod n)（a 为任意<n 的正整数）则可近似认为 n 为素数。
取多个底进行试验，次数越多概率越大。如取 2 3 5 7 11 是在 2^31 内只有一组解不能通过。
2.5*10^13 以内也只有 3215031751 这一个合数。
算法基于费马小定理：设 p 是素数，a 与 p 互素，则 a^(p-1) ≡1(mod p)
当 n>1 时, 1<=a<=n-1, 如果 a^(n-1)!≡1(mod n), 则 n 必然是合数
但是当 n 是合数时，不一定满足上式， 也就是当 a^(n-1)≡1(mod n)时, n 不一定是素数
例如当 a 取 2, n 取 341 时, 满足式子 a^(n-1)≡1(mod n),但是 341 是合数,此时称 341 为基 2
的伪素数.
即费马小定理只是必要条件,满足条件的也可能是合数
模板：
#include <iostream>
#include <cstdlib>
#include <ctime>
using namespace std;
inline long long mul(long long a,long long b,long long m)//a * b % m
{
long long ret = 0;
while (b > 0)
{
if (b & 1)
ret = (ret + a) % m;
b >>= 1;
a = (a << 1) % m;
}
return ret;
}
inline long long mod(long long a,long long b,long long m)//a^b % m
{
long long res,t;
res = 1;
t = a;
while (b > 0)
{
if (b & 1)
res = mul(res,t,m);//res = res * t % m;
t = mul(t,t,m);//t = t * t % m;
b >>= 1;
}
return res;
}
inline bool Miller_Rabbin(long long n)
{
long long a;
for (int i = 0;i < 5;i++)
{
a = (long long)rand()*rand()*rand() % (n-2) +2;
if (mod(a,n-1,n) != 1)
return false;
}
return true;
}
int main()
{
long long n;
srand((unsigned)time(NULL));
while (scanf("%I64d",&n) != EOF)
{
if (n == 2 || Miller_Rabbin(n))
printf("Yes\n");
else
printf("No\n");
}
return 0;
}
14.31.4. Rabin-Miller
这是个很容易且广泛使用的简单算法，它基于 Gary Miller 的部分象法，有 Michael Rabin 发
展。事实上，这是在 NIST 的 DSS 建议中推荐的算法的一个简化版。
首先选择一个代测的随机数 p，
计算 b，
b 是 2 整除 p-1 的次数。
然后计算 m，
使得 n=1+(2^b)m。
（1） 选择一个小于 p 的随机数 a。
（2） 设 j=0 且 z=a^m mod p
（3） 如果 z=1 或 z=p-1，那麽 p 通过测试，可能使素数
（4） 如果 j>0 且 z=1, 那麽 p 不是素数
（5） 设 j=j+1。如果 j<b 且 z<>p-1,设 z=z^2 mod p，然后回到(4)。如果 z=p-1，那麽 p 通过
测试，可能为素数。
（6） 如果 j=b 且 z<>p-1，不是素数
这个测试较前一个速度快。数 a 被当成证据的概率为 75%。这意味着当迭代次数为 t 时，它
产生一个假的素数所花费的时间不超过 1/4^t。实际上，对大多数随机数，几乎 99.99%肯定
a 是证据。
实际考虑：
在实际算法，产生素数是很快的。
（1） 产生一个 n-位的随机数 p
（2） 设高位和低位为 1（设高位是为了保证位数，设低位是为了保证位奇数）
（3） 检查以确保 p 不能被任何小素数整除：如 3，5，7，11 等等。有效的方法是测试小
于 2000 的素数。使用字轮方法更快
（4） 对某随机数 a 运行 Rabin-Miller 检测，如果 p 通过，则另外产生一个随机数 a,在测试。
选取较小的 a 值，以保证速度。做 5 次 Rabin-Miller 测试如果 p 在其中失败，从新产生 p，
再测试。
在 Sparc II 上实现： 2 .8 秒产生一个 256 位的素数
24.0 秒产生一个 512 位的素数
2 分钟产生一个 768 位的素数
5.1 分钟产生一个 1024 位的素数
The Miller–Rabin primality test or Rabin–Miller primality test is a
primality test: an algorithm which determines whether a given number is
prime, similar to the Fermat primality test and the Solovay–Strassen
primality test. Its original version, due to Gary L. Miller, is
deterministic, but the determinism relies on the unproven generalized
Riemann hypothesis; Michael O. Rabin modified it to obtain an
unconditional probabilistic algorithm.
14.31.5. Contents







1 Concepts
2 Example
3 Algorithm and running time
4 Accuracy of the test
5 Deterministic variants of the test
6 Notes
7 External links
14.31.6. Concepts
Just like the Fermat and Solovay–Strassen tests, the Miller–Rabin test
relies on an equality or set of equalities that hold true for prime values,
then checks whether or not they hold for a number that we want to test
for primality.
First, a lemma about square roots of unity in the finite field
,
where p is prime and p > 2. Certainly 1 and −1 always yield 1 when squared
mod p; call these trivial square roots of 1. There are no nontrivial square
roots of 1 mod p (a special case of the result that, in a field, a polynomial
has no more zeroes than its degree). To show this, suppose that x is a
square root of 1 mod p. Then:
In other words, p divides the product (x − 1)(x + 1). It thus divides one
of the factors and it follows that x is either congruent to 1 or −1 mod
p.
Now, let n be an odd prime. Then n−1 is even and we can write it as 2s·d,
where s and d are positive integers (d is odd). For each
,
either
or
for some
To show that one of these must be true, recall Fermat's little theorem:
By the lemma above, if we keep taking square roots of an − 1, we will get
either 1 or −1. If we get −1 then the second equality holds and we are
done. If we never get −1, then when we have taken out every power of 2,
we are left with the first equality.
The Miller–Rabin primality test is based on the contrapositive of the
above claim. That is, if we can find an a such that
and
for all
then n is not prime. We call a a witness for the compositeness of n
(sometimes misleadingly called a strong witness, although it is a certain
proof of this fact). Otherwise a is called a strong liar, and n is a strong
probable prime to base a. The term "strong liar" refers to the case where
n is composite but nevertheless the equations hold as they would for a
prime.
For every odd composite n, there are many witnesses a. However, no simple
way of generating such an a is known. The solution is to make the test
probabilistic: we choose nonzero
randomly, and check whether
or not it is a witness for the compositeness of n. If n is composite, most
of the choices for a will be witnesses, and the test will detect n as
composite with high probability. There is, nevertheless, a small chance
that we are unlucky and hit an a which is a strong liar for n. We may reduce
the probability of such error by repeating the test for several
independently chosen a.
14.31.7. Example
Suppose we wish to determine if n = 221 is prime. We write n − 1 =
220 as 22·55, so that we have s = 2 and d = 55. We randomly select
a number a such that a < n, say a = 174. We proceed to compute:


a20·d mod n = 17455 mod 221 = 47 ≠ 1, n − 1
a21·d mod n = 174110 mod 221 = 220 = n − 1.
Since 220 ≡ −1 mod n, either 221 is prime, or 174 is a strong liar for
221. We try another random a, this time choosing a=137:


a20·d mod n = 13755 mod 221 = 188 ≠ 1, n − 1
a21·d mod n = 137110 mod 221 = 205 ≠ n − 1.
Hence 137 is a witness for the compositeness of 221, and 174 was in fact
a strong liar. Note that this tells us nothing about the factors of 221
(which are 13 and 17).
14.31.8. Algorithm and running time
The algorithm can be written in pseudocode as follows:
Input: n > 3, an odd integer to be tested for primality;
Input: k, a parameter that determines the accuracy of the test
Output: composite if n is composite, otherwise probably prime
write n − 1 as 2s·d with d odd by factoring powers of 2 from n − 1
LOOP: repeat k times:
pick a random integer a in the range [2, n − 2]
x ← ad mod n
if x = 1 or x = n − 1 then do next LOOP
for r = 1 .. s − 1
x ← x2 mod n
if x = 1 then return composite
if x = n − 1 then do next LOOP
return composite
return probably prime
Using modular exponentiation by repeated squaring, the running time of
this algorithm is O(k log3 n), where k is the number of different values
of a we test; thus this is an efficient, polynomial-time algorithm.
FFT-based multiplication can push the running time down to O(k log2 n log
log n log log log n) = Õ(k log2 n).
In the case that the algorithm returns "composite" because x = 1, it has
also discovered that d2r is (an odd multiple of) the order of a — a fact
which can (as in Shor's algorithm) be used to factorize n, since n then
divides
but not either factor by
itself. The reason Miller–Rabin does not yield a probabilistic
factorization algorithm is that if
(i.e., n is not
a pseudoprime to base a) then no such information is obtained about the
period of a, and the second "return composite" is taken.
14.31.9. Accuracy of the test
The more bases a we test, the better the accuracy of the test. It can be
shown that for any odd composite n, at least ¾ of the bases a are witnesses
for the compositeness of n. The Miller–Rabin test is strictly stronger
than the Solovay–Strassen primality test in the sense that for every
composite n, the set of strong liars for n is a subset of the set of Euler
liars for n, and for many n, the subset is proper. If n is composite then
the Miller–Rabin primality test declares n probably prime with a
probability at most 4−k. On the other hand, the Solovay–Strassen primality
test declares n probably prime with a probability at most 2−k.
On average the probability that a composite number is declared probably
prime is significantly smaller than 4−k. Damgård, Landrock and Pomerance
compute some explicit bounds. Such bounds can, for example, be used to
generate primes; however, they should not be used to verify primes with
unknown origin, since in cryptographic applications an adversary might
try to send you a pseudoprime in a place where a prime number is required.
In such cases, only the error bound of 4−k can be relied upon.
14.31.10. Deterministic variants of the test
The Miller–Rabin algorithm can be made deterministic by trying all
possible a below a certain limit. The problem in general is to set the
limit so that the test is still reliable.
If the tested number n is composite, the strong liars a coprime to n are
contained in a proper subgroup of the group
, which means that
if we test all a from a set which generates
, one of them must
be a witness for the compositeness of n. Assuming the truth of the
generalized Riemann hypothesis (GRH), it is known that the group is
generated by its elements smaller than O((log n)2), which was already
noted by Miller. The constant involved in the Big O notation was reduced
to 2 by Eric Bach. This leads to the following conditional primality
testing algorithm:
Input: n > 1, an odd integer to test for primality.
Output: composite if n is composite, otherwise prime
write n−1 as 2s·d by factoring powers of 2 from n−1
repeat for all
:
then return composite
return prime
The running time of the algorithm is Õ((log n)4). The full power of the
generalized Riemann hypothesis is not needed to ensure the correctness
of the test: as we deal with subgroups of even index, it suffices to assume
the validity of GRH for quadratic Dirichlet characters.
This algorithm is not used in practice, as it is much slower than the
randomized version of the Miller-Rabin test. For theoretical purposes,
it was superseded by the AKS primality test, which does not rely on
unproven assumptions.
When the number n to be tested is small, trying all a < 2(ln n)2 is not
necessary, as much smaller sets of potential witnesses are known to
suffice. For example, Pomerance, Selfridge and Wagstaff and Jaeschke have
verified that






if n < 1,373,653, it is enough to test a = 2 and 3;
if n < 9,080,191, it is enough to test a = 31 and 73;
if n < 4,759,123,141, it is enough to test a = 2, 7, and 61;
if n < 2,152,302,898,747, it is enough to test a = 2, 3, 5, 7, and 11;
if n < 3,474,749,660,383, it is enough to test a = 2, 3, 5, 7, 11, and 13;
if n < 341,550,071,728,321, it is enough to test a = 2, 3, 5, 7, 11, 13, and 17.
See The Primes Page, Zhang and Tang, SPRP records and sequence A014233
in OEIS for other criteria of this sort. These results give very fast
deterministic primality tests for numbers in the appropriate range,
without any assumptions.
There is a small list of potential witnesses for every possible input size
(at most n values for n-bit numbers). However, no finite set of bases is
sufficient for all composite numbers. Alford, Granville, and Pomerance
have shown that there exist infinitely many composite numbers n whose
smallest compositeness witness is at least (ln n)1/(3ln ln ln n). They also argue
heuristically that the smallest number w such that every composite number
below n has a compositeness witness less than w should be of order Θ(log
n log log n).
14.31.11. Notes
14.32.
MONTE CARLO PRIMALITY TESTS
MONTE CARLO PRIMALITY
14.32.1. A NOTE ON MONTE CARLO PRIMALITY
TESTS
AND
ALGORITHMIC
INFORMATION
THEORY
Gregory J. Chaitin
IBM Thomas J. Watson Research Center
Jacob T. Schwartz1
Courant Institute of Mathematical Sciences
Algorithmic Information Theory
14.33.
Pépin's
http://calistamusic.dreab.com/p-P%C3%A9pin%27s_test
In mathematics, http://calistamusic.dreab.com/p-Mathematics Pépin's
test is a primality test,
http://calistamusic.dreab.com/p-Primality_test which can be used to
determine whether a Fermat number
http://calistamusic.dreab.com/p-Fermat_number is prime
http://calistamusic.dreab.com/p-Prime_number . It is a variant of
Proth's test http://calistamusic.dreab.com/p-Proth%27s_theorem . The
test is named for a French mathematician, Théophile Pépin
http://calistamusic.dreab.com/p-Th%C3%A9ophile_P%C3%A9pin .
14.33.1. Contents


1 Description of the test
2 Proof of correctness
3 References
4 External links


14.33.2. Description of the test
be the nth Fermat number. Pépin's test states that for
Let
n > 0,
Fn is prime if and only if
The expression
can be evaluated modulo Fn by repeated squaring.
This makes the test a fast polynomial-time algorithm. However, Fermat
numbers grow so rapidly that only a handful of Fermat numbers can be tested
in a reasonable amount of time and space.
Other bases may be used in place of 3, for example 5, 6, 7, or 10 (sequence
A129802).
14.33.3. Proof of correctness
For one direction, assume that the congruence
holds. Then
modulo Fn divides
, thus the multiplicative order of 3
, which is a power of two. On the other
hand, the order does not divide (Fn − 1) / 2, and therefore it must be
equal to Fn − 1. In particular, there are at least Fn − 1 numbers below
Fn coprime to Fn, and this can happen only if Fn is prime.
For the other direction, assume that Fn is prime. By Euler's criterion,
,
where
is the Legendre symbol. By repeated squaring, we find that
, thus
, and
. As
, we conclude
from the law of quadratic
reciprocity.
14.33.4. References

P. Pépin, Sur la formule
, Comptes Rendus Acad. Sci. Paris 85 (1877),
pp. 329–333.
14.34.
Proth's theorem
http://calistamusic.dreab.com/p-Proth%27s_theorem
http://www.peach.dreab.com/p-Proth%27s_theorem
Proth's test http://calistamusic.dreab.com/p-Proth%27s_theorem .
In number theory, Proth's theorem is a primality test for Proth numbers.
It states that if p is a Proth number, of the form k2n + 1 with k odd and
k < 2n, then if for some integer a,
then p is prime (called a Proth prime). This is a practical test because
if p is prime, any chosen a has about a 50 percent chance of working.
If p is a quadratic nonresidue modulo a then the converse is also true,
and the test is conclusive. Such an a may be found by iterating a over
small primes and computing the Jacobi symbol until:
14.34.1. Contents





1 Numerical examples
2 History
3 See also
4 References
5 External links
14.34.2. Numerical examples
Examples of the theorem include:




for p = 3, 21 + 1 = 3 is divisible by 3, so 3 is prime.
for p = 5, 32 + 1 = 10 is divisible by 5, so 5 is prime.
for p = 13, 56 + 1 = 15626 is divisible by 13, so 13 is prime.
for p = 9, which is not prime, there is no a such that a4 + 1 is divisible by 9.
The first Proth primes are (sequence
A080076):
3, 5, 13, 17, 41, 97, 113, 193, 241, 257, 353, 449, 577, 641, 673, 769, 929, 1153 ….
As of 2009, the largest known Proth prime is 19249 · 213018586 + 1, found
by Seventeen or Bust. It has 3918990 digits and is the largest known prime
which is not a Mersenne prime.
14.34.3. History
François Proth (1852 – 1879) published the theorem around 1878.
14.34.4. See also

Sierpinski number
14.34.5. References
14.35.
Random Quadratic Frobenius Test (RQFT)
14.36.
Solovay- Strassen 算法
Solovay–Strassen
http://calistamusic.dreab.com/p-Solovay%E2%80%93Strassen_primality_test
14.36.1. Solovay-Strassen primality test.
We now turn to an RP algorithm for compositeness, the Solovay-Strassen
algorithm. First, we need to define a generalization of the Legendre
symbol called the Jacobi symbol:
If n = p1 * p2 * ... * pt, where the pi are primes not nec. distinct,
[a/n] = [a/p1]*[a/p2]*...*[a/pt].
It turns out that the Jacobi symbol can be calculated efficiently
(essentially using a Euclidean GCD-like algorithm) via a number of
identities that are not trivial to prove. A couple easy-to-prove
identities are: [ab/n] = [a/n]*[b/n], and if a=b (mod n) then [a/n]=[b/n].
Here is the Solovay-Strassen algorithm:
* Pick random a in {1,...,n-1}
* if gcd(a,n) != 1, then COMPOSITE.
* if [a/n] != a^{(n-1)/2} then COMPOSITE.
* else say POSSIBLY PRIME.
Thm: if n is composite, then this algorithm says "composite" with
probability at least 1/2.
Proof: the proof is much like that of our "key lemma".
Let J = {a in Z_n^* : [a/n] = a^{(n-1)/2} (mod n)}.
J is a group (e.g., use fact that [ab/n] = [a/n]*[b/n]) so it suffices
to show there exists b not in J. By the assumption that n is not a
prime power and is not a perfect square, we can write n = p1^e1 * r,
where p1 and r are realatively prime, and e1 is odd. Let g be an
arbitrary non-residue mod p1, and let b = (g,1), in CRT notation. We
can see that b^{(n-1)/2} = (g^{(n-1)/2}, 1) is *not* congruent to -1
(mod n), since -1 = (-1, -1). So, it suffices to show that [b/n] = -1.
This in turn follows from the basic Jacobi symbol identities:
[b/n] = ([b/p1])^e1 * [b/r] = ([g/p1])^e1 * [1/r] = (-1)^e1 * 1 = -1.
QED
14.36.2. Solovag-Strasson
Robert Solovag 和 Volker Strasson 开发了一种概率的基本测试算法。这个算法使用了雅可比
函数来测试 p 是否为素数：
（1）
（2）
（3）
（4）
（5）
（6）
选择一个小于 p 的随机数 a。
如果 gcd(a,p) <> 1，那么 p 通不过测试，它是合数。
计算 j=a^(p-1)/2 mod p。
计算雅可比符号 J（a,p）
。
如果 j<>J（a,p）
，那么 p 肯定不是素数。
如果 j=J(a,p),那麽 p 不是素数的可能性值多是 50%
数 a 被称为一个证据，如果 a 不能确定 p，p 肯定不是素数。如果 p 是合数。随机数 a 是证
据的概率不小于 50%。对 a 选择 t 个不同的随机值，重复 t 次这种测试。p 通过所有 t 次测
试后，它是合数的可能性不超过 1/2^t。
The Solovay–Strassen primality test, developed by Robert M. Solovay and
Volker Strassen, is a probabilistic test to determine if a number is
composite or probably prime. It has been largely superseded by the
Miller–Rabin primality test, but has great historical importance in
showing the practical feasibility of the RSA cryptosystem.
14.36.3. Contents








1 Concepts
2 Example
3 Algorithm and running time
4 Accuracy of the test
5 Average-case behaviour
6 Complexity
7 References
8 Further reading
14.36.4. Concepts
Euler proved that for an odd prime number p and any integer a,
where
is the Legendre symbol. The Jacobi symbol is a generalisation
of the Legendre symbol to
, where n can be any odd integer. The Jacobi
symbol can be computed in time O((log
of law of quadratic reciprocity.
n)²) using Jacobi's generalization
Given an odd number n we can contemplate whether or not the congruence
holds for various values of the "base" a. If n is prime then this congruence
is true for all a. So if we pick values of a at random and test the
congruence, then as soon as we find an a which doesn't fit the congruence
we know that n is not prime (but this does not tell us a nontrivial
factorization of n). This base a is called an Euler witness for n; it is
a witness for the compositeness of n. The base a is called an Euler liar
for n if the congruence is true while n is composite.
For every composite odd n at least half of all bases
are (Euler) witnesses: this contrasts with the Fermat primality test, for
which the proportion of witnesses may be much smaller. Therefore, there
are no (odd) composite n without lots of witnesses, unlike the case of
Carmichael numbers for Fermat's test.
14.36.5. Example
Suppose we wish to determine if n
=
We randomly select an a = 47
n. We compute:


<
221 is prime. We write (n−1)/2=110.
a(n−1)/2 mod n = 47110 mod 221 = −1 mod 221
mod n =
mod 221 = −1 mod 221.
This gives that, either 221 is prime, or 47 is an Euler liar for 221. We
try another random a, this time choosing a = 2:


a(n−1)/2 mod n = 2110 mod 221 = 30 mod 221
mod n =
mod 221 = −1 mod 221.
Hence 2 is an Euler witness for the compositeness of 221, and 47 was in
fact an Euler liar. Note that this tells us nothing about the factors of
221 (which are 13 and 17).
14.36.6. Algorithm and running time
The algorithm can be written in pseudocode as follows:
Inputs: n, a value to test for primality; k, a parameter that determines
the accuracy of the test
Output: composite if n is composite, otherwise probably prime
repeat k times:
choose a randomly in the range [2,n − 1]
x ←
if x = 0 or
then return composite
return probably prime
Using fast algorithms for modular exponentiation, the running time of this
algorithm is O(k·log3 n), where k is the number of different values of
a we test.
14.36.7. Accuracy of the test
It is possible for the algorithm to return an incorrect answer. If the
input n is indeed prime, then the output will always correctly be probably
prime. However, if the input n is composite then it is possible for the
output to be incorrectly probably prime. The number n is then called a
pseudoprime.
When n is odd and composite, at least half of all a with gcd(a,n) = 1
are Euler witnesses. We can prove this as follows: let {a1, a2, ..., am}
be the Euler liars and a an Euler witness. Then, for i = 1,2,...,m:
Because the following holds:
now we know that
This gives that each ai gives a number a·ai, which is also an Euler witness.
So each Euler liar gives an Euler witness and so the number of Euler
witnesses is larger or equal to the number of Euler liars. Therefore, when
n is composite, at least half of all a with gcd(a,n) = 1 is an Euler
witness.
Hence, the probability of failure is at most 2−k (compare this with the
probability of failure for the Miller-Rabin primality test, which is at
most 4−k).
For purposes of cryptography the more bases a we test, i.e. if we pick
a sufficiently large value of k, the better the accuracy of test. Hence
the chance of the algorithm failing in this way is so small that the (pseudo)
prime is used in practice in cryptographic applications, but for
applications for which it is important to have a prime, a test like ECPP
or Pocklington should be used which proves primality.
14.36.8. Average-case behaviour
The bound 1/2 on the error probability of a single round of the
Solovay–Strassen test holds for any input n, but those numbers n for which
the bound is (approximately) attained are extremely rare. On the average,
the error probability of the algorithm is significantly smaller: it is
less than
for k rounds of the test, applied to uniformly random n ≤ x. The same
bound also applies to the related problem of what is the conditional
probability of n being composite for a random number n ≤ x which has been
declared prime in k rounds of the test.
14.36.9. Complexity
The Solovay–Strassen algorithm shows that the decision problem COMPOSITE
is in the complexity class RP.
14.37.
Square Root Compositeness Theorem
Given integers n, x, and y:
If x 2  y 2 (mod n), but x   y(mod n)
Then n is composite, and gcd(x-y, n) is a non-trivial factor
14.38.
Schwartz--Zippel test
[Schwartz 1980; Zippel 1979],
15. Papers of Others
15.1. 素性检测算法研究及其在现代密码学中的应用
专 业: 系统分析与集成
关键词: 素性检测 公钥密码学 公钥密码体制 椭圆曲线 离散对数
分类号: TN918.1
形 态: 共 63 页 约 41,265 个字 约 1.974 M 内容
阅 读: 获取全文
优秀研究生学位论文题录展示
内容摘要
素数问题是一个使很多数学家着迷的问题。
素数就是一个除了 1 和它自身以外不能被其它数整除的数。
素数的一个基本问题是如何有效地确定一个数是否是一个素数，即素性测试问题。
素性测试问题不仅在数学上是一个有挑战性的问题，而且在实际应用中也是非常重要的。
在现代密码系统中，大素数的判别和寻找对一些加密系统的建立起着关键作用。
很多公钥密码算法都用到素数，特别是 160 位（二进制）以上的大素数。
RSA 的公共模数就是两个 512 位以上的大素数的乘积；基于有限域 PF 上离散对数的公钥密
码体制，其中素数 p 要求在 512 位以上；基于椭圆曲线离散对数的公钥密码体制（ECC）中，
一般要求基点的阶是一个 160 位以上的大整数，且是一个素数。
由此可见对大数进行的素性判断的重要性。
判定一个整数是否是素数，最为简单的想法是直接利用素数的定义，用比要判断的整数小的
素数去一一试除，如果能整除被检测的数的话，那就能确定无疑为合数了．但是对于大素数
来说，由于计算量太大，根本无法实现以用于具体应用。
所以科学家们根据素数判断的理论发明了许多新的算法，提高了判断一个大数是否是一个大
素数的效率。
Eratosthenes 筛法是对于所有素数都有效的最古老的算法，然而它的时间复杂性是输入规模
的幂指数，因此在实际中使用它是不合适的。
17 世纪的 Fermat 小定理是一些有效素性测试算法的起点，但其逆定理是不满足的。
许多科学家在费马小定理的基础上进行研究发明了很多新的素数检测方法，但是这些算法大
部分都是概率性的，比如说 Miller-Rabin 算法和 Solovay-Strassen 概率素数测试法。
直 2002 年，印度的三位科学家发明了确定性的素数检测算法 AKS 算法。
但是研究表明 AKS 算法的时间复杂度和空间复杂度并不能满足时间中的需要。
随着椭圆曲线算法的研究的开展，许多科学家又发明了利用椭圆曲线算法进行素性检测的方
法，并且成为今年来素性检测领域里的一个重要方向。
本文也对 2 中基本的椭圆曲线素性检测算法做了简单的分析。
本文从素性检测算法的基本理论入手，对素性将测算法做一个全面的介绍，对大部分的素性
检测算法进行了分析，其中着重对实践中常用的 Miller-Rabin 算法进行了分析，并且对
Miller-Rabin 算法做了一定的优化，使 Miller-Rabin 算法的效率提高了一倍，生成 1024 位素
数的效率提升至，在 1．5G 的计算机上每 1．5 秒生成一个，并且给出了 Miller-Rabin 算法
的算法流程图和部分关键代码的实现..……
全文目录
中文摘要
符号说明
第一章 引言
第二章 素性判定的概述
第三章 素性判定的理论依据
3.1 定义
3.2 素性判定方法理论依据
3.3 本章总结
第四章 几种素性检测算法研究
4.1 概率算法的基础
4.1.1 PP 类
4.1.2 Monte Carlo 算法
4.1.3 Las Vegas 算法
4.2 几种素性检测所需要的算法的复杂度
4.2.1 欧几里德算法
4.2.2 模指数算法
4.2.3 随机素数的生成算法
4.2.4 计算 Jacobi 符号的算法
4.3 素性检测算法及其分析
4.3.1 Fermat 小定理作为合性检测
4.3.2 Euler 判则作为合性检测
4.3.3 Lucas 检测算法
4.3.4 Pocklington 检测算法
4.3.5 Demytko 定理
4.3.6 Monte-Carlo 算法进行素性检测
4.3.7 Las Vegas 算法进行素性检测
4.3.8 Solovay-Strassen 概率素数测试法
4.3.9 AKS 素性检测算法
4.3.10 几种椭圆曲线素性检测算法
4.4 本章总结
第五章 Miller_Rabin 素性检测算法
5.1 算法描述
5.2 算法分析
5.3 Miller-Rabin 算法的流程图及关键部分的代码
5.3.1 Miller-Rabin 算法的工作流程
5.3.2 Miller-Rabin 算法中的测试函数
5.4 Miller-Rabin 算法的一些优化
5.5 有关 Miller-Rabin 算法的最近一些进展
第六章 素性检测算法在密码学中的重要应用
6.1 RSA 公钥密码算法
6.1.1 RSA 加密解密运算
6.1.2 RSA 签名体制
6.1.3 Rabin 签名体制
6.3 ElGamal 密码体制
6.3.2 ElGamal 签名体制
6.4 本章总结
第七章 结束语及展望
参考文献
16. Math Tools
16.1. Axiom
16.2. Bignum
16.3. Derive
16.4. GMP Library
16.5. GNU Octave
16.6. Kant
A library for computational number theory
16.7. LiDIA
A library for computational number theory
Ingrid Biehl Johannes Buchmann Thomas Papanikolaou
Universit at des Saarlandes
Fachbereich
Saarbr ucken
16.8. Lisp
16.9. Macsyma
16.10.
Magma
Modular Exponentiation in Magma
16.11.
Maple
Modular Exponentiation in Maple
16.12.
MathCad
16.13.
Mathematica
16.14.
Matlab
the command rand(1) returns a random number between 0 and 1
16.15.
Maxima
16.16.
MIRACL
16.17.
MuPAD
16.18.
NTL library
16.19.
OpenMP
16.20.
Pari -GP
A library for computational number theory
16.21.
Reduce
16.22.
Sage
Prime Numbers and Integer Factorization in Sage
16.23.
Simath
A library for computational number theory
16.24.
Ubasic
17. COMPARISONS
18. MY IDEAS FOR FURTHER
IMPROVEMENT OF COMPLEXITY
19. RESOURCES
19.1. MAJOR NUMBER THEORISTS
19.2. KEY UNIVERSITIES
19.3. KEY RESEARCH INSTITUTIONS
19.4. SEMINARS,
SYMPOSIUMS,
FORUMS
19.5. JOURNALS
19.6. ACADEMIC WEB RESOURCES
WORKSHOPS
20. LITERATURE –PRIMALITY
20.1. BOOKS (BK)
20.2. LECTURE SCRIPTS
20.3. THESES FOR POSTDOC, PHD, MASTER AND
BACHELOR DEGREES (PDT, DT,MT,BT)
20.3.1.
BT- Bachelor Thesis
20.3.2.
MT – Master Thesis
20.3.3.
ST - Senior Thesis
20.4. GENERAL PAPER (GP)
20.5. COLLECTIONS OF PAPERS
20.6. PRESENTATIONS/SLIDES AT SEMINARS
20.7. OTHER PAPERS
20.8. PROPOSALS / SUGGESTIONS
21. LITERATURE – OTHER
RELATED
21.1. ALGEBRA
21.2. NUMBER THEORY
21.3. COMPUTER COMPLEXITY
21.4. COMPLEX ANALYSIS / FUNCTIONS
21.5. Cryptography
22. APPENDICES
22.1. CHARTS
22.2. TABLES
22.3. DATABASES
22.4. MULTIMEDIA DATA
22.5. COMPUTATION CODES
22.6. WEBSITE FOR THIS THESIS