Lucas–Lehmer primality test

From Wikipedia, the free encyclopedia
  (Redirected from Lucas-Lehmer primality test)
Jump to: navigation, search
This article is about the Lucas–Lehmer test that only applies to Mersenne numbers. For the Lucas–Lehmer test that applies to a natural number n, see Lucas primality test. For the Lucas–Lehmer–Riesel test, see Lucas–Lehmer–Riesel test.

In mathematics, the Lucas–Lehmer test (LLT) is a primality test for Mersenne numbers. The test was originally developed by Édouard Lucas in 1856,[1] and subsequently improved by Lucas in 1878 and Derrick Henry Lehmer in the 1930s.

The test[edit]

The Lucas–Lehmer test works as follows. Let Mp = 2p − 1 be the Mersenne number to test with p an odd prime (because p is exponentially smaller than Mp, we can use a simple algorithm like trial division for establishing its primality). Define a sequence {s i } for all i ≥ 0 by


  s_i=
   \begin{cases}
    4 & \text{if }i=0;
   \\
    s_{i-1}^2-2 & \text{otherwise.}
   \end{cases}

The first few terms of this sequence are 4, 14, 194, 37634, ... (sequence A003010 in OEIS). Then Mp is prime if and only if

s_{p-2}\equiv0\pmod{M_p}.

The number sp − 2 mod Mp is called the Lucas–Lehmer residue of p. (Some authors equivalently set s1 = 4 and test sp−1 mod Mp). In pseudocode, the test might be written:

// Determine if Mp = 2p − 1 is prime
Lucas–Lehmer(p)
    var s = 4
    var M = 2p − 1
    repeat p − 2 times:
        s = ((s × s) − 2) mod M
    if s = 0 return PRIME else return COMPOSITE

By performing the mod M at each iteration, we ensure that all intermediate results are at most p bits (otherwise the number of bits would double each iteration). It is exactly the same strategy employed in modular exponentiation.

Time complexity[edit]

In the algorithm as written above, there are two expensive operations during each iteration: the multiplication s × s, and the mod M operation. The mod M operation can be made particularly efficient on standard binary computers by observing the following simple property:

k \equiv (k \hbox{ mod } 2^n) + \lfloor k/2^n \rfloor \pmod{2^n - 1}.

In other words, if we take the least significant n bits of k, and add the remaining bits of k, and then do this repeatedly until at most n bits remain, we can compute the remainder after dividing k by the Mersenne number 2n−1 without using division. For example:

916 mod 25−1 = 11100101002 mod 25−1
= 111002 + 101002 mod 25−1
= 1100002 mod 25−1
= 12 + 100002 mod 25−1
= 100012 mod 25−1
= 100012
= 17.

Moreover, since s × s will never exceed M2 < 22p, this simple technique converges in at most 1 p-bit addition (and possibly a carry from the pth bit to the 1st bit), which can be done in linear time. As a small exceptional case, the above algorithm will produce 2n−1 for a multiple of the modulus, rather than the correct value of zero; this should be accounted for.

With the modulus out of the way, the asymptotic complexity of the algorithm depends only on the multiplication algorithm used to square s at each step. The simple "grade-school" algorithm for multiplication requires O(p2) bit-level or word-level operations to square a p-bit number, and since we do this O(p) times, the total time complexity is O(p3). A more efficient multiplication method, the Schönhage–Strassen algorithm based on the Fast Fourier transform, requires O(p log p log log p) time to square a p-bit number, reducing the complexity to O(p2 log p log log p) or Õ(p2).[2] Currently the most efficient known multiplication algorithm, Fürer's algorithm, needs p \log p\ 2^{O(\log^* p)} time to multiply two p-bit numbers.

By comparison, the most efficient randomized primality test for general integers, the Miller–Rabin primality test, takes O(k p2 log p log log p) bit operations using FFT multiplication for a p-digit number (here p can be any natural number, not necessarily a prime), where k is the number of iterations and is related to the error rate. So it is in the same complexity class as the Lucas-Lehmer test for constant k. But in practice the cost of doing many iterations and other differences leads to worse performance for Miller–Rabin. The most efficient deterministic primality test for general integers, the AKS primality test, requires Õ(p6) bit operations in its best known variant and is dramatically slower in practice.

Examples[edit]

Suppose we wish to verify that M3 = 7 is prime using the Lucas–Lehmer test. We start out with s set to 4 and then update it 3−2 = 1 time, taking the results mod 7:

  • s ← ((4 × 4) − 2) mod 7 = 0

Because we end with s set to zero, M3 is prime.

On the other hand, M11 = 2047 = 23 × 89 is not prime. To show this, we start with s set to 4 and update it 11−2 = 9 times, taking the results mod 2047:

  • s ← ((4 × 4) − 2) mod 2047 = 14
  • s ← ((14 × 14) − 2) mod 2047 = 194
  • s ← ((194 × 194) − 2) mod 2047 = 788
  • s ← ((788 × 788) − 2) mod 2047 = 701
  • s ← ((701 × 701) − 2) mod 2047 = 119
  • s ← ((119 × 119) − 2) mod 2047 = 1877
  • s ← ((1877 × 1877) − 2) mod 2047 = 240
  • s ← ((240 × 240) − 2) mod 2047 = 282
  • s ← ((282 × 282) − 2) mod 2047 = 1736

Because s is not zero, M11=2047 is not prime. Notice that we learn nothing about the factors of 2047, only its Lucas–Lehmer residue, 1736.

Proof of correctness[edit]

Lehmer's original proof of the correctness of this test is complex, so we'll depend upon more recent refinements. Recall the definition:


  s_i=
   \begin{cases}
    4 & \text{if }i=0;
   \\
    s_{i-1}^2-2 & \text{otherwise.}
   \end{cases}

Then our theorem is that Mp is prime iff s_{p-2}\equiv0\pmod{M_p}.

We begin by noting that {\langle}s_i{\rangle} is a recurrence relation with a closed-form solution. Define \omega = 2 + \sqrt{3} and \bar{\omega} = 2 - \sqrt{3}; then we can verify by induction that s_i = \omega^{2^i} + \bar{\omega}^{2^i} for all i:

s_0 = \omega^{2^0} + \bar{\omega}^{2^0} = (2 + \sqrt{3}) + (2 - \sqrt{3}) = 4.
\begin{array}{lcl}s_n & = & s_{n-1}^2 - 2 \\
                        & = & \left(\omega^{2^{n-1}} + \bar{\omega}^{2^{n-1}}\right)^2 - 2 \\
                        & = & \omega^{2^n} + \bar{\omega}^{2^n} + 2(\omega\bar{\omega})^{2^{n-1}} - 2 \\
                        & = & \omega^{2^n} + \bar{\omega}^{2^n}, \\
       \end{array}

where the last step follows from \omega\bar{\omega} = (2 + \sqrt{3})(2 - \sqrt{3}) = 1. We will use this in both parts.

Sufficiency[edit]

In this direction we wish to show that s_{p-2}\equiv0\pmod{M_p} implies that M_p is prime. We relate a straightforward proof exploiting elementary group theory given by J. W. Bruce[3] as related by Jason Wojciechowski.[4]

Suppose s_{p-2} \equiv 0 \pmod{M_p}. Then

\omega^{2^{p-2}} + \bar{\omega}^{2^{p-2}} = kM_p

for some integer k, and:

\omega^{2^{p-2}} = kM_p - \bar{\omega}^{2^{p-2}}

Multiplying by \omega^{2^{p - 2}},

\left(\omega^{2^{p-2}}\right)^2 = kM_p\omega^{2^{p-2}} - (\omega\bar{\omega})^{2^{p-2}}

Thus,

\omega^{2^{p-1}} = kM_p\omega^{2^{p-2}} - 1.\quad\quad\quad\quad\quad(1)

Now suppose Mp is composite, and let q be the smallest prime factor of Mp. Since Mersenne numbers are odd, we have q > 2. Informally,[note 1] let \mathbb{Z}_q be the integers mod q, let X = \{a + b\sqrt{3} | a, b \in \mathbb{Z}_q\}, and define multiplication in X using:

(a + \sqrt{3}b)(c + \sqrt{3}d) = [ac + 3bd \pmod{q}] + \sqrt{3}[bc + ad \pmod{q}].

Clearly, this multiplication is closed, i.e. the product of numbers from X is itself in X. We shall denote the size of X as | X |.

Since q > 2,  ~ \omega and \bar{\omega} are in X.[note 2] X under multiplication is not a group under multiplication because not every element x has an inverse y such that xy = 1.[note 3] If we consider only the elements that have inverses, we get a group X* of size | X^* |. Since 0 has no inverse, | X^* | \leq | X | - 1 = q^2 - 1.

Now, since M_p \equiv 0 \pmod{q}, and \omega \in X, we have, in X,

kM_p\omega^{2^{p-2}} = 0.

By equation (1),

\omega^{2^{p-1}} = -1

and squaring both sides gives

\omega^{2^p} = 1.

Thus \omega lies in X* and has inverse \omega^{2^{p}-1}. Moreover, \omega has an order dividing 2^p. However, \omega^{2^{p-1}} \neq 1, and so the order does not divide 2^{p-1}. Thus, the order must equal 2^p.

Since the order of an element is at most the order (size) of the group, we conclude that

2^p \leq |X^*| = q^2 - 1 < q^2.

But since q is the smallest prime factor of the composite M_p, we must have

q^2 \leq M_p = 2^p-1,

yielding the contradiction 2^p < 2^p-1. So M_p is prime.

Necessity[edit]

In the other direction, we suppose M_p is prime and show s_{p-2} \equiv 0 \pmod{M_p}. We rely on a simplification of a proof by Öystein J. R. Ödseth.[5]

First, notice that 3 is a quadratic non-residue mod M_p, since 2^p - 1 \equiv 7 \pmod{12} for odd p > 1, and so the Legendre symbol properties tell us (3|M_p) is −1. Euler's criterion then gives us:

3^{\frac{M_p-1}{2}} \equiv -1 \pmod{M_p}.\,

On the other hand, 2 is a quadratic residue mod M_p, since 2^p \equiv 1 \pmod{M_p} and so 2 \equiv 2^{p+1} = \left(2^{\frac{p+1}{2}}\right)^2 \pmod{M_p}. Euler's criterion again gives:

2^{\frac{M_p-1}{2}} \equiv 1 \pmod{M_p}.\,

Next, define \sigma = 2\sqrt{3}, and define X* as before as the field of units of \{a + b\sqrt{3} | a, b \in \mathbb{Z}_{M_p}\}. We will use the following lemmas:

(x+y)^{M_p} \equiv x^{M_p} + y^{M_p} \pmod{M_p}

(the Binomial Theorem in a finite field) and

a^{M_p} \equiv a \pmod{M_p}

for every integer a (Fermat's little theorem).

Then, in the field X* we have:


\begin{align}
(6+\sigma)^{M_p} & = 6^{M_p} + (2^{M_p})(\sqrt{3}^{M_p}) \\
                 & = 6 + 2(3^{\frac{M_p-1}{2}})\sqrt{3} \\
                 & = 6 + 2(-1)\sqrt{3} \\
                 & = 6 - \sigma.
\end{align}

We chose \sigma such that \omega = \frac{(6+\sigma)^2}{24}. Consequently, we can use this to compute \omega^{\frac{M_p+1}{2}} in the field X*:

\begin{align}
\omega^{\frac{M_p+1}{2}} & = \frac{(6 + \sigma)^{M_p+1}}{24^{\frac{M_p+1}{2}}} \\
                   & = \frac{(6 + \sigma)^{M_p}(6 + \sigma)}{(24 \cdot 24^{\frac{M_p-1}{2}})} \\
                   & = \frac{(6 - \sigma)(6 + \sigma)}{-24} \\
                   & = -1.
\end{align}

where we use the fact that

24^{\frac{M_p-1}{2}} = (2^{\frac{M_p-1}{2}})^3(3^{\frac{M_p-1}{2}}) = (1)^3(-1) = -1.

Since M_p \equiv 3 \pmod 4, all that remains is to multiply both sides of this equation by \bar{\omega}^{\frac{M_p+1}{4}} and use \omega\bar{\omega}=1:

\begin{align}
\omega^{\frac{M_p+1}{2}}\bar{\omega}^{\frac{M_p+1}{4}} & = -\bar{\omega}^{\frac{M_p+1}{4}} \\
\omega^{\frac{M_p+1}{4}} + \bar{\omega}^{\frac{M_p+1}{4}} & = 0 \\
\omega^{\frac{2^p-1+1}{4}} + \bar{\omega}^{\frac{2^p-1+1}{4}} & = 0 \\
\omega^{2^{p-2}} + \bar{\omega}^{2^{p-2}} & = 0 \\
s_{p-2} & = 0.
\end{align}

Since s_{p - 2} is an integer and is zero in X*, it is also zero mod M_p.

Applications[edit]

The Lucas–Lehmer test is the primality test used by the Great Internet Mersenne Prime Search to locate large primes, and has been successful in locating many of the largest primes known to date.[6] The test is considered valuable because it can provably test a very large number for primality within affordable time and, in contrast to the equivalently fast Pépin's test for any Fermat number, can be tried on a large search space of numbers with the required form before reaching computational limits.

See also[edit]

Notes[edit]

  1. ^ Formally, let \mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z} and X = \mathbb{Z}_q[T]/\langle T^2 - 3 \rangle.
  2. ^ Formally,  ~ \omega + \langle T^2 - 3 \rangle and  \bar{\omega}+ \langle T^2 - 3 \rangle are in X. By abuse of language we identify  ~ \omega and \bar{\omega} with their images in X under the natural ring homomorphism from \mathbb{Z}[\sqrt{3}] to X which sends \sqrt{3} to T.
  3. ^ In fact, the set of non-zero elements of X is a group if and only if \mathbb{Z}_q does not contain a square root of 3.

References[edit]

  1. ^ The Largest Known Prime by Year: A Brief History
  2. ^ Colquitt, W. N.; Welsh, L., Jr. (1991), "A New Mersenne Prime", Mathematics of Computation 56 (194): 867–870, "The use of the FFT speeds up the asymptotic time for the Lucas–Lehmer test for Mp from O(p3) to O(p2 log p log log p) bit operations." 
  3. ^ J. W. Bruce (1993). "A Really Trivial Proof of the Lucas–Lehmer Test". The American Mathematical Monthly 100 (4): 370–371. doi:10.2307/2324959. 
  4. ^ Jason Wojciechowski. Mersenne Primes, An Introduction and Overview. 2003.
  5. ^ Öystein J. R. Ödseth. A note on primality tests for N = h · 2n − 1. Department of Mathematics, University of Bergen.
  6. ^ The "Top Ten" Record Primes, The Prime Pages

External links[edit]