Better bounds on the rate of non-witnesses of Lucas
pseudoprimes
David Amirault
Mentor David Corwin
PRIMES conference
May 16, 2015
David Amirault
Lucas pseudoprimes
May 16, 2015
1 / 14
Starting Small
Theorem (Fermat’s Little Theorem)
Let a be an integer and n prime with n - a. Then
an−1 ≡ 1 (mod n).
David Amirault
Lucas pseudoprimes
May 16, 2015
2 / 14
Starting Small
Theorem (Fermat’s Little Theorem)
Let a be an integer and n prime with n - a. Then
an−1 ≡ 1 (mod n).
Theorem (Miller-Rabin)
Write n − 1 = 2k q with q odd. One of the following is true:
aq ≡ 1 (mod n),
or for some m with 0 ≤ m < k,
mq
a2
David Amirault
≡ −1 (mod n).
Lucas pseudoprimes
May 16, 2015
2 / 14
Starting Small
Running a Test
Put 1517 − 1 = 22 · 379. Try a = 2:
David Amirault
Lucas pseudoprimes
May 16, 2015
3 / 14
Starting Small
Running a Test
Put 1517 − 1 = 22 · 379. Try a = 2:
0 ·379
≡ 2379 ≡ 923 6≡ ±1 (mod 1517).
21 ·379
≡ 2758 ≡ 892 6≡ −1 (mod 1517).
a2
a
David Amirault
Lucas pseudoprimes
May 16, 2015
3 / 14
Starting Small
Running a Test
Put 1517 − 1 = 22 · 379. Try a = 2:
0 ·379
≡ 2379 ≡ 923 6≡ ±1 (mod 1517).
21 ·379
≡ 2758 ≡ 892 6≡ −1 (mod 1517).
a2
a
Thus, 1517 is not prime (1517 = 37 · 41).
David Amirault
Lucas pseudoprimes
May 16, 2015
3 / 14
Generalizing Integers
Definition
A quadratic integer is a solution to an equation of the form
x 2 − Px + Q = 0
with P, Q integers.
David Amirault
Lucas pseudoprimes
May 16, 2015
4 / 14
Generalizing Integers
Definition
A quadratic integer is a solution to an equation of the form
x 2 − Px + Q = 0
with P, Q integers.
Theorem
Let D = P 2 − 4Q. The set of all quadratic integers in the field Q
form a ring, denoted by OQ[√D ] .
David Amirault
Lucas pseudoprimes
h√ i
D
May 16, 2015
4 / 14
Generalizing Integers
Quadratic Integer Rings
D = −4. The ring of quadratic integers OQ[√−4] is the Gaussian
√ integers, Z −1 . Notice ±i satisfy x 2 + 1 = 0, for which
P 2 − 4Q = −4.
David Amirault
Lucas pseudoprimes
May 16, 2015
5 / 14
Generalizing Integers
Quadratic Integer Rings
D = −4. The ring of quadratic integers OQ[√−4] is the Gaussian
√ integers, Z −1 . Notice ±i satisfy x 2 + 1 = 0, for which
P 2 − 4Q = −4.
√ D = −5. Here, OQ[√−5] ∼
= Z −5 .
David Amirault
Lucas pseudoprimes
May 16, 2015
5 / 14
Generalizing Integers
Quadratic Integer Rings
D = −4. The ring of quadratic integers OQ[√−4] is the Gaussian
√ integers, Z −1 . Notice ±i satisfy x 2 + 1 = 0, for which
P 2 − 4Q = −4.
√ D = −5. Here, OQ[√−5] ∼
= Z −5 .
h √ i
D = 5. In this real case, OQ[√5] ∼
= Z 1+2 5 .
David Amirault
Lucas pseudoprimes
May 16, 2015
5 / 14
Lucas Primality Test
Theorem
Let P, Q be integers such that D = P 2 − 4Q 6= 0. Let τ be the quotient of
the two roots of x 2 − Px + Q. For n an odd prime not dividing QD, put
n − (D/n) = 2k q with q odd. One of the following is true:
τ q ≡ 1 (mod n),
or for some m with 0 ≤ m < k,
τ2
David Amirault
mq
≡ −1 (mod n).
Lucas pseudoprimes
May 16, 2015
6 / 14
Lucas Primality Test
Definition
m
If n is a composite integer for which τ q ≡ 1 (mod n) or τ 2 q ≡ −1 (mod n)
with 0 ≤ m < k, then we call n a strong Lucas pseudoprime, or slpsp, with
respect to P and Q.
David Amirault
Lucas pseudoprimes
May 16, 2015
7 / 14
Lucas Primality Test
Definition
m
If n is a composite integer for which τ q ≡ 1 (mod n) or τ 2 q ≡ −1 (mod n)
with 0 ≤ m < k, then we call n a strong Lucas pseudoprime, or slpsp, with
respect to P and Q.
Theorem (Arnault)
Define
0 ≤ P, Q < n, P 2 − 4Q ≡ D (mod n),
SL(D, n) = # (P, Q)
gcd(QD, n) = 1,
n is slpsp(P, Q)
4
SL(D, n) ≤ 15
n unless n = 9 or n is of the form (2k1 q1 − 1)(2k1 q1 + 1), a
product of twin primes with q1 odd.
David Amirault
Lucas pseudoprimes
May 16, 2015
7 / 14
Better Bounds
Theorem
SL(D, n) ≤ 16 n unless one of the following is true:
David Amirault
Lucas pseudoprimes
May 16, 2015
8 / 14
Better Bounds
Theorem
SL(D, n) ≤ 16 n unless one of the following is true:
n = 9 or n = 25,
n = (2k1 q1 − 1)(2k1 q1 + 1),
n = (2k1 q1 + ε1 )(2k1 +1 q1 + ε2 ),
n = (2k1 q1 + ε1 )(2k1 q2 + ε2 )(2k1 q3 + ε3 ),
David Amirault
Lucas pseudoprimes
q1 , q2 , q3 |q,
May 16, 2015
8 / 14
Better Bounds
Theorem
SL(D, n) ≤ 16 n unless one of the following is true:
n = 9 or n = 25,
n = (2k1 q1 − 1)(2k1 q1 + 1),
n = (2k1 q1 + ε1 )(2k1 +1 q1 + ε2 ),
n = (2k1 q1 + ε1 )(2k1 q2 + ε2 )(2k1 q3 + ε3 ),
q1 , q2 , q3 |q,
where εi is determined by the Jacobi symbol (D/pi ) such that pi is a
prime factor of n.
David Amirault
Lucas pseudoprimes
May 16, 2015
8 / 14
Better Bounds
Suppose we wish to determine that n is prime to a probability of
1 − 2−128 .
David Amirault
Lucas pseudoprimes
May 16, 2015
9 / 14
Better Bounds
Suppose we wish to determine that n is prime to a probability of
1 − 2−128 .
log4/15 (2−128 ) ≈ 67.
log1/6 (2−128 ) ≈ 50.
David Amirault
Lucas pseudoprimes
May 16, 2015
9 / 14
Better Bounds
Suppose we wish to determine that n is prime to a probability of
1 − 2−128 .
log4/15 (2−128 ) ≈ 67.
log1/6 (2−128 ) ≈ 50.
17 fewer trials are required using the improved bound.
David Amirault
Lucas pseudoprimes
May 16, 2015
9 / 14
Solving Exceptions
Quiz!
√
961 =
David Amirault
Lucas pseudoprimes
May 16, 2015
10 / 14
Solving Exceptions
Quiz!
√
961 = 31.
David Amirault
Lucas pseudoprimes
May 16, 2015
10 / 14
Solving Exceptions
Quiz!
√
961 = 31.
Let x0 be a guess of a root of the function f . A sequence of better
approximations xn is defined by
xn+1 = xn −
f (xn )
f 0 (xn ) .
Skip Example
David Amirault
Lucas pseudoprimes
May 16, 2015
10 / 14
Solving Exceptions
Newton’s Method
Consider the case n = (2k1 q1 − 1)(2k1 q1 + 1). Does 2627 factor in this
form?
David Amirault
Lucas pseudoprimes
May 16, 2015
11 / 14
Solving Exceptions
Newton’s Method
Consider the case n = (2k1 q1 − 1)(2k1 q1 + 1). Does 2627 factor in this
form?
Write x = 2k1 q1 , so 2627 = (x − 1)(x + 1) = x 2 − 1 and x 2 − 2628 = 0.
David Amirault
Lucas pseudoprimes
May 16, 2015
11 / 14
Solving Exceptions
Newton’s Method
Consider the case n = (2k1 q1 − 1)(2k1 q1 + 1). Does 2627 factor in this
form?
Write x = 2k1 q1 , so 2627 = (x − 1)(x + 1) = x 2 − 1 and x 2 − 2628 = 0.
x0 = 40.
x1 = 40 −
x2 = x1 −
x3 = x2 −
David Amirault
402 −2628
= 52.85.
2·40
x12 −2628
= 51.28782.
2x1
2
x2 −2628
= 51.26403.
2x2
Lucas pseudoprimes
May 16, 2015
11 / 14
Solving Exceptions
Newton’s Method
Consider the case n = (2k1 q1 − 1)(2k1 q1 + 1). Does 2627 factor in this
form?
Write x = 2k1 q1 , so 2627 = (x − 1)(x + 1) = x 2 − 1 and x 2 − 2628 = 0.
x0 = 40.
x1 = 40 −
x2 = x1 −
√
x3 = x2 −
402 −2628
= 52.85.
2·40
x12 −2628
= 51.28782.
2x1
2
x2 −2628
= 51.26403.
2x2
2628 = 51.26402.
David Amirault
Lucas pseudoprimes
May 16, 2015
11 / 14
Importance
Primality testing is highly applicable to cryptography.
David Amirault
Lucas pseudoprimes
May 16, 2015
12 / 14
Importance
Primality testing is highly applicable to cryptography.
Many popular cryptosystems, including RSA, require numerous pairs
of large prime numbers for key generation.
David Amirault
Lucas pseudoprimes
May 16, 2015
12 / 14
Importance
Primality testing is highly applicable to cryptography.
Many popular cryptosystems, including RSA, require numerous pairs
of large prime numbers for key generation.
Factoring a large semiprime takes more time than multiplying its two
prime factors.
David Amirault
Lucas pseudoprimes
May 16, 2015
12 / 14
Future Research
The Baillie-PSW primality test combines a Miller-Rabin test using
a = 2 with a strong Lucas primality test.
David Amirault
Lucas pseudoprimes
May 16, 2015
13 / 14
Future Research
The Baillie-PSW primality test combines a Miller-Rabin test using
a = 2 with a strong Lucas primality test.
No known composite passes this test.
David Amirault
Lucas pseudoprimes
May 16, 2015
13 / 14
Future Research
The Baillie-PSW primality test combines a Miller-Rabin test using
a = 2 with a strong Lucas primality test.
No known composite passes this test.
What must be true of such n?
David Amirault
Lucas pseudoprimes
May 16, 2015
13 / 14
Acknowledgments
Huge Thanks To:
David Corwin, my mentor
Stefan Wehmeier, for suggesting the project
Dr. Tanya Khovanova, head mentor
MIT PRIMES
And of course, my parents for providing transportation and support
throughout the project!
David Amirault
Lucas pseudoprimes
May 16, 2015
14 / 14