Frobenius pseudoprime

In number theory, a Frobenius pseudoprime is a pseudoprime that passes a specific probable prime test described by Jon Grantham in a 1998 preprint and published in 2000. [1] [2] It has been studied by other authors for the case of quadratic polynomials. [3] [4]

Frobenius pseudoprimes w.r.t. quadratic polynomials

Frobenius pseudoprimes are defined with respect to a fixed monic polynomial. The case of a degree-2 (quadratic) polynomial ${\displaystyle \scriptstyle x^{2}-Px+Q}$, where ${\displaystyle \scriptstyle D=P^{2}-4Q}$ is not a square, is common and can be expressed in terms of Lucas sequences ${\displaystyle U_{n}(P,Q)}$ and ${\displaystyle V_{n}(P,Q)}$, leading to fast implementations for testing pseudoprimality.

A composite number n is a Frobenius ${\displaystyle (P,Q)}$ pseudoprime if and only if ${\displaystyle \textstyle \gcd(n,2QD)=1}$,

${\displaystyle (1)\qquad U_{n-k}(P,Q)\equiv 0{\pmod {n}}}$

and

${\displaystyle (2)\qquad V_{n-k}(P,Q)\equiv {\begin{cases}2Q{\pmod {n}}&{\mbox{if }}k=-1\\2{\pmod {n}}&{\mbox{if }}k=1{\mbox{,}}\end{cases}}}$

where ${\displaystyle \scriptstyle k=\left({\tfrac {D}{n}}\right)}$ is the Jacobi symbol.

Both conditions hold for all primes, hence this constitutes a probable prime test.

Condition (1) is the same condition that defines a Lucas pseudoprime, hence every Frobenius ${\displaystyle (P,Q)}$ pseudoprime is also a Lucas ${\displaystyle (P,Q)}$ pseudoprime, but because of the additional condition (2), the converse is not true. On the other hand, some Frobenius pseudoprimes are not strong Lucas pseudoprimes for the same parameters, e.g. 6721 is the first such number for ${\displaystyle (P,Q)=(1,-1)}$.

Example

Frobenius pseudoprimes with respect to the Fibonacci polynomial ${\displaystyle \scriptstyle x^{2}-x-1}$ are determined in terms of the Fibonacci numbers ${\displaystyle F_{n}=U_{n}(1,-1)}$ and Lucas numbers ${\displaystyle L_{n}=V_{n}(1,-1)}$. Such Frobenius pseudoprimes form the sequence:

4181, 5777, 6721, 10877, 13201, 15251, 34561, 51841, 64079, 64681, 67861, 68251, 75077, 90061, 96049, 97921, 100127, 113573, 118441, 146611, 161027, 162133, 163081, 186961, 197209, 219781, 231703, 252601, 254321, 257761, 268801, 272611, 283361, 302101, 303101, 330929, 399001, 430127, 433621, 438751, 489601, … (sequence A212424 in the OEIS).

While 323 is the first Lucas pseudoprime with respect to the Fibonacci polynomial ${\displaystyle \scriptstyle x^{2}-x-1}$, the first Frobenius pseudoprime with respect to the same polynomial is 4181 (Grantham indicates it is 5777[2] but multiple authors have noted this is incorrect and is instead the first pseudoprime with ${\displaystyle \left({\tfrac {5}{n}}\right)=-1}$ for this polynomial[3]).

Another case, Frobenius pseudoprimes with respect to the quadratic polynomial ${\displaystyle \scriptstyle x^{2}-3x-1}$ can be determined using the Lucas (3,-1) sequence and are:

119, 649, 1189, 4187, 12871, 14041, 16109, 23479, 24769, 28421, 31631, 34997, 38503, 41441, 48577, 50545, 56279, 58081, 59081, 61447, 75077, 91187, 95761, 96139, 116821, 127937, 146329, 148943, 150281, 157693, 170039, 180517, 188501, 207761, 208349, 244649, 281017, 311579, 316409, 349441, 350173, 363091, 371399, 397927, 423721, 440833, 459191, 473801, 479119, 493697, ….

In this case, the first Frobenius pseudoprime with respect to the quadratic polynomial ${\displaystyle \scriptstyle x^{2}-3x-1}$ is 119, which is also the first Lucas pseudoprime with respect to the same polynomial. Besides, ${\displaystyle \left({\tfrac {13}{119}}\right)=-1}$.

The quadratic polynomial ${\displaystyle \scriptstyle x^{2}-3x-5}$, with ${\displaystyle \scriptstyle (P,Q)=(3,-5)}$, has sparse pseudoprimes as compared to many other simple quadratics. Using the same process as above, we get the sequence:

13333, 44801, 486157, 1615681, 3125281, 4219129, 9006401, 12589081, 13404751, 15576571, 16719781, ….

Notice there are only 3 such pseudoprimes below 500000, while there are many Frobenius (1, −1) and (3, −1) pseudoprimes below 500000.

Every entry in this sequence is a Fermat pseudoprime to base 5 as well as a Lucas (3, −5) pseudoprime, but the converse is not true: 642001 is both a psp-5 and a Lucas (3,-5) pseudoprime, but is not a Frobenius (3, −5) pseudoprime. (note that Lucas pseudoprime for a (P, Q) pair need not to be a Fermat pseudoprime for base Q or base −Q, e.g. 14209 is a Lucas (1, −3) pseudoprime, but not a Fermat pseudoprime for base 3.

Using parameter selection ideas first laid out in Baillie and Wagstaff (1980)[5] as part of the Baillie-PSW primality test and used by Grantham in his quadratic Frobenius test,[6] one can create even better quadratic tests. For instance, for the parameters (P,2), where P is the first odd integer that satisfies ${\displaystyle \scriptstyle \left({\tfrac {D}{n}}\right)=-1}$, there are no pseudoprimes below ${\displaystyle \scriptstyle 2^{64}}$.

Relations to other pseudoprimes

For quadratic polynomials ${\displaystyle \scriptstyle x^{2}-Px+Q}$, every Frobenius (P,Q) pseudoprime is also a Lucas (P,Q) pseudoprime. [2] [3] [7] This immediately follows from condition (1) which defined a Lucas (P,Q) pseudoprime. The converse is not true, making the Frobenius pseudoprimes a subset of the Lucas pseudoprimes for a given (P,Q). The condition on ${\displaystyle \scriptstyle V_{k}}$ means it is a Dickson pseudoprime of the second kind.[7]

Every Frobenius pseudoprime to ${\displaystyle x^{3}-rx^{2}+sx-1}$ is also a Perrin pseudoprime.[2]

Alternate formulations

An alternate formulation is given by Khashin.[8] Given a number n, not a perfect square, where c is the smallest odd prime with Jacobi symbol ${\displaystyle \left({\tfrac {c}{n}}\right)=-1}$, n is either a prime or Frobenius pseudoprime if:

${\displaystyle (1+{\sqrt {c}})^{n}\equiv (1-{\sqrt {c}}){\pmod {n}}}$.

Note the additional condition of choosing a parameter based on the Jacobi symbol finding a quadratic non-residue. This is similar to the method from Baillie and Wagstaff shown in the examples section.[5] This makes far stronger tests, and is one reason for the success of the Baillie-PSW primality test. Similar to the example, Khashin notes that no pseudoprime has been found for his test. He further shows that any that exist under 260 must have a factor less than 19 or have c > 128.

Strong Frobenius pseudoprimes

Strong Frobenius pseudoprimes are also defined.[2] Details on implementation for quadratic polynomials can be found in Crandall and Pomerance.[3]

Properties

The computational cost of the Frobenius pseudoprimality test with respect to quadratic polynomials is roughly three times the cost of a strong pseudoprimality test (e.g. a single round of the Miller-Rabin primality test), 1.5 times that of a Lucas pseudoprimality test, and slightly more than a Baillie-PSW primality test.

Note that the quadratic Frobenius test is stronger than the Lucas test. For example, 1763 is a Lucas pseudoprime to (P, Q) = (3, -1) since U1764(3,-1) ≡ 0 (mod 1763) (U(3,-1) is given in ), and it also passes the Jacobi step since ${\displaystyle \left({\tfrac {13}{1763}}\right)=-1}$, but it fails the Frobenius test to x2 - 3x - 1. This property can be clearly seen when the algorithm is formulated as shown in Crandall and Pomerance Algorithm 3.6.9[3] or as shown by Loebenberger,[4] as the algorithm does a Lucas test followed by an additional check for the Frobenius condition.

While the quadratic Frobenius test does not have formal error bounds beyond that of the Lucas test, it can be used as the basis for methods with much smaller error bounds. Note that these have more steps, additional requirements, and non-negligible additional computation beyond what is described on this page. It is important to note that the error bounds for these methods do not apply to the standard or strong Frobenius tests with fixed values of (P,Q) described on this page.

Based on this idea of pseudoprimes, algorithms with strong worst-case error bounds can be built. The quadratic Frobenius test,[6] using a quadratic Frobenius test plus other conditions, has a bound of ${\displaystyle {\tfrac {1}{7710}}}$. Müller in 2001 proposed the MQFT test with bounds of essentially ${\displaystyle {\tfrac {1}{131040^{t}}}}$. [9] Damgård and Frandsen in 2003 proposed the EQFT with a bound of essentially ${\displaystyle {\tfrac {256}{{331776}^{t}}}}$. [10] Seysen in 2005 proposed the SQFT test with a bound of ${\displaystyle {\tfrac {1}{{4096}^{t}}}}$ and a SQFT3 test with a bound of ${\displaystyle {\tfrac {16}{336442^{t}}}}$. [11]

Given the same computational effort, these offer better worst-case bounds than the commonly used Miller-Rabin primality test.

References

1. ^ Jon Grantham (1998). Frobenius pseudoprimes (Report). preprint.
2. Jon Grantham (2001). "Frobenius pseudoprimes". Mathematics of Computation. 70 (234): 873–891. doi:10.1090/S0025-5718-00-01197-2.
3. Richard Crandall; Carl Pomerance (2005). Prime numbers: A computational perspective (2nd ed.). Springer-Verlag. ISBN 978-0-387-25282-7.
4. ^ a b Daniel Loebenberger (2008). "A Simple Derivation for the Frobenius Pseudoprime Test" (PDF). IACR Cryptology ePrint Archive. 2008.
5. ^ a b Robert Baillie; Samuel S. Wagstaff, Jr. (October 1980). "Lucas Pseudoprimes" (PDF). Mathematics of Computation. 35 (152): 1391–1417. doi:10.1090/S0025-5718-1980-0583518-6. MR 0583518.
6. ^ a b Jon Grantham (1998). "A Probable Prime Test With High Confidence". Journal of Number Theory. 72 (1): 32–47. arXiv:1903.06823. CiteSeerX 10.1.1.56.8827. doi:10.1006/jnth.1998.2247.
7. ^ a b Andrzej Rotkiewicz (2003). "Lucas and Frobenius pseudoprimes" (PDF). Annales Mathematicae Silesianae. Wydawnictwo Uniwersytetu Śląskiego. 17: 17–39.
8. ^ Khashin, Sergey (July 2013). "Counterexamples for Frobenius primality test". arXiv:1307.7920 [math.NT].
9. ^ Siguna Müller (2001). "A Probable Prime Test with Very High Confidence for N Equiv 1 Mod 4". Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology. ASIACRYPT. pp. 87–106. doi:10.1007/3-540-45682-1_6. ISBN 3-540-42987-5.
10. ^ Ivan Bjerre Damgård; Gudmund Skovbjerg Frandsen (October 2006). "An Extended Quadratic Frobenius Primality Test with Average- and Worst-Case Error Estimate" (PDF). Journal of Cryptology. 19 (4): 489–520. doi:10.1007/s00145-006-0332-x.
11. ^ Martin Seysen. A Simplified Quadratic Frobenius Primality Test, 2005.