Baillie–PSW primality test

The Baillie–PSW primality test is a probabilistic primality testing algorithm that determines whether a number is composite or is a probable prime. It is named after Robert Baillie, Carl Pomerance, John Selfridge, and Samuel Wagstaff.

The Baillie-PSW test is a combination of a strong Fermat probable prime test to base 2 and a strong Lucas probable prime test. The Fermat and Lucas test each have their own list of pseudoprimes, that is, composite numbers that pass the test. For example, the first ten strong pseudoprimes to base 2 are

2047, 3277, 4033, 4681, 8321, 15841, 29341, 42799, 49141, and 52633 (sequence A001262 in the OEIS).

The first ten strong Lucas pseudoprimes (with Lucas parameters (P, Q) defined by Selfridge's Method A) are

5459, 5777, 10877, 16109, 18971, 22499, 24569, 25199, 40309, and 58519 (sequence A217255 in the OEIS).

There is no known overlap between these lists of strong Fermat pseudoprimes and strong Lucas pseudoprimes, and there is even evidence that the numbers in these lists tend to be different kinds of numbers. For example, Fermat pseudoprimes to base 2 tend to fall into the residue class 1 (mod m) for many small m, whereas Lucas pseudoprimes tend to fall into the residue class −1 (mod m).[1]:§6[2]:Table 2 & §5 As a result, a number that passes both a strong Fermat and a strong Lucas test is very likely to be prime.

No composite number below 264 (approximately 1.845·1019) passes the Baillie-PSW test.[3] Consequently, this test is a deterministic primality test on numbers below that bound. There are also no known composite numbers above that bound that pass the test, in other words, there are no known Baillie-PSW pseudoprimes. Despite this, there are conjectured to be infinitely many.

In 1980 the authors Pomerance, Selfridge, and Wagstaff offered $30 for the discovery of a counterexample, that is, a composite number that passed this test. Richard Guy incorrectly stated that the value of this prize had been raised to $620, but he was confusing the Lucas sequence with the Fibonacci sequence, and his remarks really apply only to a Conjecture of Selfridge's.[4] As of June 2014 the prize remains unclaimed. However, a heuristic argument by Pomerance suggests that there are infinitely many counterexamples.[5] Moreover, Chen and Greene [6] [7] have constructed a set S of 1248 primes such that, among the nearly 21248 products of distinct primes in S, there may be about 740 counterexamples. However, they are talking about the weaker PSW test that substitutes a Fibonacci test for the Lucas one.

The test

Let n be the odd positive integer that we wish to test for primality.

  1. Optionally, perform trial division to check if n is divisible by a small prime number less than some convenient limit.
  2. Perform a base 2 strong probable prime test. If n is not a strong probable prime base 2, then n is composite; quit.
  3. Find the first D in the sequence 5, −7, 9, −11, 13, −15, ... for which the Jacobi symbol (D/n) is −1. Set P = 1 and Q = (1 − D) / 4.
  4. Perform a strong Lucas probable prime test on n using parameters D, P, and Q. If n is not a strong Lucas probable prime, then n is composite. Otherwise, n is almost certainly prime.

Remarks.

  1. The first step is for efficiency only. The Baillie-PSW test works without this step, but if n has small prime factors, then the quickest way to show that n is composite is to find a factor by trial division.
  2. Step 2 is, in effect, a single application of the Miller-Rabin primality test, but using the fixed base 2. There is nothing special about using base 2; other bases might work just as well. However, much work has been done (see above) to verify that the combination of the base 2 strong probable prime test and a strong Lucas test does a good job of distinguishing primes from composites.
  3. Baillie and Wagstaff proved in Theorem 9 on page 1413 of [2] that the average number of Ds that must be tried is about 3.147755149.
  4. If n is a perfect square, then step 3 will never yield a D with (D/n) = −1; this is not a problem because perfect squares are easy to detect using Newton's method for square roots. If step 3 fails to produce a D quickly, one should check whether n is a perfect square.
  5. Given n, there are other methods for choosing D, P, and Q.[2]:1401, 1409 What is important is that the Jacobi symbol (D/n) be −1. Bressoud and Wagon explain why we want the Jacobi symbol to be −1, as well as why one gets more powerful primality tests if Q ≠ ±1.[8]:266–269
  6. Section 6 of [2] recommends that if Q ≠ ±1, a good primality test should also check two additional congruence conditions. These two congruences involve almost no extra computational cost, and are only rarely true if n is composite: and .
  7. There are weaker versions of the Baillie-PSW test, and this one is sometimes referred to as the Strong Baillie-PSW test.
  8. If the Lucas test is replaced by a Fibonacci test, then it shouldn't be called a Baillie-PSW test, but rather a Selfridge test or a PSW test. See Selfridge's Conjecture on Primality Testing.
  9. Pomerance, Selfridge and Wagstaff offered $30 in 1980 for a composite number passing a weaker version of the Baillie-PSW test. Such a number passing the (strong) Baillie-PSW test would qualify.[1]

The danger of relying only on Fermat tests

There is significant overlap among the lists of pseudoprimes to different bases.

Choose a base a. If n is a pseudoprime to base a, then n is likely to be one of those few numbers that is a pseudoprime to many bases.[9]

For example, n = 341 is a pseudoprime to base 2. It follows from Theorem 1 on page 1392 of [2] that there are 100 values of a (mod 341) for which 341 is a pseudoprime base a. (The first ten such a are 1, 2, 4, 8, 15, 16, 23, 27, 29, and 30). The proportion of such a compared to n is usually much smaller.

Therefore, if n is a pseudoprime to base a, then n is more likely than average to be a pseudoprime to some other base.[1]:1020 For example, there are 21853 pseudoprimes to base 2 up to 25·109. This is only about two out of every million odd integers in this range. However:[1]:1021

  • 4709 of these 21853 numbers (over 21 percent) are also pseudoprimes to base 3;
  • 2522 of these 4709 numbers (over 53 percent) are pseudoprimes to bases 2, 3, and 5;
  • 1770 of these 2522 numbers (over 70 percent) are pseudoprimes to bases 2, 3, 5, and 7.

29341 is the smallest pseudoprime to bases 2 through 12. All of this suggests that probable prime tests to different bases are not independent of each other, so that performing Fermat probable prime tests to more and more bases will give diminishing returns. On the other hand, the calculations in [2]:1400 and the calculations up to 264 mentioned above suggest that Fermat and Lucas probable prime tests are independent, so that a combination of these types of tests would make a powerful primality test, especially if the strong forms of the tests are used.

Note that a number that is pseudoprime to all prime bases 2, ..., p is also pseudoprime to all bases that are p-smooth.

There is also overlap among strong pseudoprimes to different bases. For example, 1373653 is the smallest strong pseudoprime to bases 2 through 4, and 3215031751 is the smallest strong pseudoprime to bases 2 through 10. Arnault [10] gives a 397-digit Carmichael number N that is a strong pseudoprime to all prime bases less than 307. Because this N is a Carmichael number, N is also a (not necessarily strong) pseudoprime to all bases less than p, where p is the 131-digit smallest prime factor of N. A quick calculation shows that N is not a Lucas probable prime when D, P, and Q are chosen by the method described above, so this number would be correctly determined by the Baillie-PSW test to be composite.

Applications of combined Fermat and Lucas primality tests

The following computer algebra systems and software packages use some version of the Baillie–PSW primality test.

Maple's isprime function ,[11] Mathematica's PrimeQ function ,[12] PARI/GP's isprime and ispseudoprime functions ,[13] and SageMath's is_pseudoprime function [14] all use a combination of a Fermat strong probable prime test and a Lucas test. Maxima's primep function uses such a test for numbers greater than 341550071728321 .[15]

The FLINT library has functions n_is_probabprime and n_is_probabprime_BPSW that use a combined test, as well as other functions that perform Fermat and Lucas tests separately .[16]

The BigInteger class in standard versions of Java and in open-source implementations like OpenJDK, has a method called isProbablePrime. This method does one or more Miller-Rabin tests with random bases. If n, the number being tested, has 100 bits or more, this method also does a non-strong Lucas test that checks whether Un+1 is 0 (mod n). [17] [18] The use of random bases in the Miller-Rabin tests has an advantage and a drawback compared to doing a single base 2 test as specified in the Baillie–PSW test. The advantage is that, with random bases, one can get a bound on the probability that n is composite. The drawback is that, unlike the Baillie–PSW test, one cannot say with certainty that if n is less than some fixed bound such as 264, then n is prime.

In Perl, the Math::Primality[19] and Math::Prime::Util[20][21] modules have functions to perform the strong Baillie-PSW test as well as separate functions for strong pseudoprime and strong Lucas tests. In Python, the NZMATH[22] library has the strong pseudoprime and Lucas tests, but does not have a combined function. The SymPy[23] library does implement this.

As of 6.2.0, GNU Multiple Precision Arithmetic Library's mpz_probab_prime_p function uses a strong Lucas test and a Miller-Rabin test; previous versions did not make use of Baillie-PSW.[24] Magma's IsProbablePrime and IsProbablyPrime functions use 20 Miller-Rabin tests for numbers > 34·1013, but do not combine them with a Lucas probable prime test.[25]

Cryptographic libraries often have prime-testing functions. Albrecht et al. discuss the tests used in these libraries. Some use a combined Fermat and Lucas test; many do not.[26]:Table 1 For some of the latter, Albrecht, et al. were able to construct composite numbers that the libraries declared to be prime.

References

  1. Pomerance, Carl; Selfridge, John L.; Wagstaff, Samuel S. Jr. (July 1980). "The pseudoprimes to 25·109" (PDF). Mathematics of Computation. 35 (151): 1003–1026. doi:10.1090/S0025-5718-1980-0572872-7. JSTOR 2006210.
  2. Baillie, Robert; Wagstaff, Samuel S. Jr. (October 1980). "Lucas Pseudoprimes" (PDF). Mathematics of Computation. 35 (152): 1391–1417. doi:10.1090/S0025-5718-1980-0583518-6. JSTOR 2006406. MR 0583518.
  3. Nicely, Thomas R. (2012-01-13) [First published 2005-06-10]. "The Baillie-PSW Primality Test". trnicely.net. Archived from the original on 2019-11-21. Retrieved 2013-03-17.
  4. Guy, R. (1994). "Pseudoprimes. Euler Pseudoprimes. Strong Pseudoprimes." §A12 in Unsolved Problems in Number Theory. 2nd ed., p. 28, New York: Springer-Verlag. ISBN 0-387-20860-7.
  5. Pomerance, C. (1984). "Are There Counterexamples to the Baillie-PSW Primality Test?" (PDF).
  6. Greene, John R. (n.d.). "Baillie-PSW". University of Minnesota Duluth. Retrieved May 29, 2020.
  7. Chen, Zhuo; Greene, John (August 2003). "Some Comments on Baillie-PSW Pseudoprimes" (PDF). The Fibonacci Quarterly. 41 (4): 334–344.
  8. Bressoud, David; Wagon, Stan (2000). A Course in Computational Number Theory. New York: Key College Publishing in cooperation with Springer. ISBN 978-1-930190-10-8.
  9. Wagstaff, Samuel S. Jr. (1982). "Pseudoprimes and a generalization of Artin's conjecture". Acta Arithmetica. 41 (2): 141–150. doi:10.4064/aa-41-2-141-150.
  10. Arnault, F. (August 1995). "Constructing Carmichael Numbers Which Are Strong Pseudoprimes to Several Bases". Journal of Symbolic Computation. 20 (2): 151–161. doi:10.1006/jsco.1995.1042.
  11. isprime - Maple Help documentation at maplesoft.com.
  12. Wolfram Language & System Documentation Center - Some Notes on Internal Implementation documentation at wolfram.com.
  13. User's Guide to PARI/GP (version 2.11.1) documentation for PARI/GP.
  14. SageMath Documentation documentation for SageMath.
  15. Maxima Manual documentation for Maxima.
  16. FLINT: Fast Library for Number Theory documentation for FLINT 2.5.
  17. BigInteger.java DocJar: Search Open Source Java API.
  18. BigInteger.java documentation for OpenJDK.
  19. Math::Primality Perl module with BPSW test
  20. Math::Prime::Util Perl module with primality tests including BPSW
  21. Math::Prime::Util::GMP Perl module with primality tests including BPSW, using C+GMP
  22. NZMATH Archived 2013-01-17 at the Wayback Machine number theory calculation system in Python
  23. "SymPy". SymPy - A Python library for symbolic mathematics.
  24. GNU MP 6.2.0 Prime Testing Algorithm documentation for GMPLIB.
  25. Magma Computational Algebra System - Primes and Primality Testing documentation for Magma.
  26. Albrecht, Martin R.; Massimo, Jake; Paterson, Kenneth G.; Somorovsky, Juraj (15 October 2018). Prime and Prejudice: Primality Testing Under Adversarial Conditions (PDF). ACM SIGSAC Conference on Computer and Communications Security 2018. Toronto: Association for Computing Machinery. pp. 281–298. doi:10.1145/3243734.3243787.

Further reading

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.