Misplaced Pages

Lucas–Lehmer primality test

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Test if a Mersenne number is prime This article is about the Lucas–Lehmer test that applies only to Mersenne numbers. For the Lucas–Lehmer test that applies to a natural number n, see Lucas primality test. For the Lucas–Lehmer–Riesel test, see Lucas–Lehmer–Riesel test.

In mathematics, the Lucas–Lehmer test (LLT) is a primality test for Mersenne numbers. The test was originally developed by Édouard Lucas in 1878 and subsequently proved by Derrick Henry Lehmer in 1930.

The test

The Lucas–Lehmer test works as follows. Let Mp = 2 − 1 be the Mersenne number to test with p an odd prime. The primality of p can be efficiently checked with a simple algorithm like trial division since p is exponentially smaller than Mp. Define a sequence { s i } {\displaystyle \{s_{i}\}} for all i ≥ 0 by

s i = { 4 if  i = 0 ; s i 1 2 2 otherwise. {\displaystyle s_{i}={\begin{cases}4&{\text{if }}i=0;\\s_{i-1}^{2}-2&{\text{otherwise.}}\end{cases}}}

The first few terms of this sequence are 4, 14, 194, 37634, ... (sequence A003010 in the OEIS). Then Mp is prime if and only if

s p 2 0 ( mod M p ) . {\displaystyle s_{p-2}\equiv 0{\pmod {M_{p}}}.}

The number sp − 2 mod Mp is called the Lucas–Lehmer residue of p. (Some authors equivalently set s1 = 4 and test sp−1 mod Mp). In pseudocode, the test might be written as

// Determine if Mp = 2 − 1 is prime for p > 2
Lucas–Lehmer(p)
    var s = 4
    var M = 2 − 1
    repeat p − 2 times:
        s = ((s × s) − 2) mod M
    if s == 0 return PRIME else return COMPOSITE

Performing the mod M at each iteration ensures that all intermediate results are at most p bits (otherwise the number of bits would double each iteration). The same strategy is used in modular exponentiation.

Alternate starting values

Starting values s0 other than 4 are possible, for instance 10, 52, and others (sequence A018844 in the OEIS). The Lucas-Lehmer residue calculated with these alternative starting values will still be zero if Mp is a Mersenne prime. However, the terms of the sequence will be different and a non-zero Lucas-Lehmer residue for non-prime Mp will have a different numerical value from the non-zero value calculated when s0 = 4.

It is also possible to use the starting value (2 mod Mp)(3 mod Mp), usually denoted by 2/3 for short. This starting value equals (2 + 1) /3, the Wagstaff number with exponent p.

Starting values like 4, 10, and 2/3 are universal, that is, they are valid for all (or nearly all) p. There are infinitely many additional universal starting values. However, some other starting values are only valid for a subset of all possible p, for example s0 = 3 can be used if p = 3 (mod 4). This starting value was often used where suitable in the era of hand computation, including by Lucas in proving M127 prime. The first few terms of the sequence are 3, 7, 47, ... (sequence A001566 in the OEIS).

Sign of penultimate term

If sp−2 = 0 mod Mp then the penultimate term is sp−3 = ± 2 mod Mp. The sign of this penultimate term is called the Lehmer symbol ϵ(s0p).

In 2000 S.Y. Gebre-Egziabher proved that for the starting value 2/3 and for p ≠ 5 the sign is:

ϵ ( 2 3 ,   p ) = ( 1 ) p 1 2 {\displaystyle \epsilon ({2 \over 3},\ p)=(-1)^{p-1 \over 2}}

That is, ϵ(2/3, p) = +1 if p = 1 (mod 4) and p ≠ 5.

The same author also proved Woltman's conjecture that the Lehmer symbols for starting values 4 and 10 when p is not 2 or 5 are related by:

ϵ ( 10 ,   p ) = ϵ ( 4 ,   p )   ×   ( 1 ) ( p + 1 ) ( p + 3 ) 8 {\displaystyle \epsilon (10,\ p)=\epsilon (4,\ p)\ \times \ (-1)^{{(p+1)(p+3)} \over 8}}

That is, ϵ(4, p) × ϵ(10, p) = 1 if p = 5 or 7 (mod 8) and p ≠ 2, 5.

OEIS sequence A123271 shows ϵ(4, p) for each Mersenne prime Mp.

Time complexity

In the algorithm as written above, there are two expensive operations during each iteration: the multiplication s × s, and the mod M operation. The mod M operation can be made particularly efficient on standard binary computers by observing that

k ( k mod 2 n ) + k / 2 n ( mod 2 n 1 ) . {\displaystyle k\equiv (k\,{\bmod {\,}}2^{n})+\lfloor k/2^{n}\rfloor {\pmod {2^{n}-1}}.}

This says that the least significant n bits of k plus the remaining bits of k are equivalent to k modulo 2−1. This equivalence can be used repeatedly until at most n bits remain. In this way, the remainder after dividing k by the Mersenne number 2−1 is computed without using division. For example,

916 mod 2−1 = 11100101002 mod 2−1
= ((916 mod 2) + int(916 ÷ 2)) mod 2−1
= (101002 + 111002) mod 2−1
= 1100002 mod 2−1
= (100002 + 12) mod 2−1
= 100012 mod 2−1
= 100012
= 17.

Moreover, since s × s will never exceed M < 2, this simple technique converges in at most 1 p-bit addition (and possibly a carry from the pth bit to the 1st bit), which can be done in linear time. This algorithm has a small exceptional case. It will produce 2−1 for a multiple of the modulus rather than the correct value of 0. However, this case is easy to detect and correct.

With the modulus out of the way, the asymptotic complexity of the algorithm only depends on the multiplication algorithm used to square s at each step. The simple "grade-school" algorithm for multiplication requires O(p) bit-level or word-level operations to square a p-bit number. Since this happens O(p) times, the total time complexity is O(p). A more efficient multiplication algorithm is the Schönhage–Strassen algorithm, which is based on the Fast Fourier transform. It only requires O(p log p log log p) time to square a p-bit number. This reduces the complexity to O(p log p log log p) or Õ(p). An even more efficient multiplication algorithm, Fürer's algorithm, only needs p log p   2 O ( log p ) {\displaystyle p\log p\ 2^{O(\log ^{*}p)}} time to multiply two p-bit numbers.

By comparison, the most efficient randomized primality test for general integers, the Miller–Rabin primality test, requires O(k n log n log log n) bit operations using FFT multiplication for an n-digit number, where k is the number of iterations and is related to the error rate. For constant k, this is in the same complexity class as the Lucas-Lehmer test. In practice however, the cost of doing many iterations and other differences leads to worse performance for Miller–Rabin. The most efficient deterministic primality test for any n-digit number, the AKS primality test, requires Õ(n) bit operations in its best known variant and is extremely slow even for relatively small values.

Examples

The Mersenne number M3 = 2−1 = 7 is prime. The Lucas–Lehmer test verifies this as follows. Initially s is set to 4 and then is updated 3−2 = 1 time:

  • s ← ((4 × 4) − 2) mod 7 = 0.

Since the final value of s is 0, the conclusion is that M3 is prime.

On the other hand, M11 = 2047 = 23 × 89 is not prime. Again, s is set to 4 but is now updated 11−2 = 9 times:

  • s ← ((4 × 4) − 2) mod 2047 = 14
  • s ← ((14 × 14) − 2) mod 2047 = 194
  • s ← ((194 × 194) − 2) mod 2047 = 788
  • s ← ((788 × 788) − 2) mod 2047 = 701
  • s ← ((701 × 701) − 2) mod 2047 = 119
  • s ← ((119 × 119) − 2) mod 2047 = 1877
  • s ← ((1877 × 1877) − 2) mod 2047 = 240
  • s ← ((240 × 240) − 2) mod 2047 = 282
  • s ← ((282 × 282) − 2) mod 2047 = 1736

Since the final value of s is not 0, the conclusion is that M11 = 2047 is not prime. Although M11 = 2047 has nontrivial factors, the Lucas–Lehmer test gives no indication about what they might be.

Proof of correctness

The proof of correctness for this test presented here is simpler than the original proof given by Lehmer. Recall the definition

s i = { 4 if  i = 0 ; s i 1 2 2 otherwise. {\displaystyle s_{i}={\begin{cases}4&{\text{if }}i=0;\\s_{i-1}^{2}-2&{\text{otherwise.}}\end{cases}}}

The goal is to show that Mp is prime iff s p 2 0 ( mod M p ) . {\displaystyle s_{p-2}\equiv 0{\pmod {M_{p}}}.}

The sequence s i {\displaystyle {\langle }s_{i}{\rangle }} is a recurrence relation with a closed-form solution. Let ω = 2 + 3 {\displaystyle \omega =2+{\sqrt {3}}} and ω ¯ = 2 3 {\displaystyle {\bar {\omega }}=2-{\sqrt {3}}} . It then follows by induction that s i = ω 2 i + ω ¯ 2 i {\displaystyle s_{i}=\omega ^{2^{i}}+{\bar {\omega }}^{2^{i}}} for all i:

s 0 = ω 2 0 + ω ¯ 2 0 = ( 2 + 3 ) + ( 2 3 ) = 4 {\displaystyle s_{0}=\omega ^{2^{0}}+{\bar {\omega }}^{2^{0}}=\left(2+{\sqrt {3}}\right)+\left(2-{\sqrt {3}}\right)=4}

and

s n = s n 1 2 2 = ( ω 2 n 1 + ω ¯ 2 n 1 ) 2 2 = ω 2 n + ω ¯ 2 n + 2 ( ω ω ¯ ) 2 n 1 2 = ω 2 n + ω ¯ 2 n . {\displaystyle {\begin{aligned}s_{n}&=s_{n-1}^{2}-2\\&=\left(\omega ^{2^{n-1}}+{\bar {\omega }}^{2^{n-1}}\right)^{2}-2\\&=\omega ^{2^{n}}+{\bar {\omega }}^{2^{n}}+2(\omega {\bar {\omega }})^{2^{n-1}}-2\\&=\omega ^{2^{n}}+{\bar {\omega }}^{2^{n}}.\end{aligned}}}

The last step uses ω ω ¯ = ( 2 + 3 ) ( 2 3 ) = 1. {\displaystyle \omega {\bar {\omega }}=\left(2+{\sqrt {3}}\right)\left(2-{\sqrt {3}}\right)=1.} This closed form is used in both the proof of sufficiency and the proof of necessity.

Sufficiency

The goal is to show that s p 2 0 ( mod M p ) {\displaystyle s_{p-2}\equiv 0{\pmod {M_{p}}}} implies that M p {\displaystyle M_{p}} is prime. What follows is a straightforward proof exploiting elementary group theory given by J. W. Bruce as related by Jason Wojciechowski.

Suppose s p 2 0 ( mod M p ) . {\displaystyle s_{p-2}\equiv 0{\pmod {M_{p}}}.} Then

ω 2 p 2 + ω ¯ 2 p 2 = k M p {\displaystyle \omega ^{2^{p-2}}+{\bar {\omega }}^{2^{p-2}}=kM_{p}}

for some integer k, so

ω 2 p 2 = k M p ω ¯ 2 p 2 . {\displaystyle \omega ^{2^{p-2}}=kM_{p}-{\bar {\omega }}^{2^{p-2}}.}

Multiplying by ω 2 p 2 {\displaystyle \omega ^{2^{p-2}}} gives

( ω 2 p 2 ) 2 = k M p ω 2 p 2 ( ω ω ¯ ) 2 p 2 . {\displaystyle \left(\omega ^{2^{p-2}}\right)^{2}=kM_{p}\omega ^{2^{p-2}}-(\omega {\bar {\omega }})^{2^{p-2}}.}

Thus,

ω 2 p 1 = k M p ω 2 p 2 1. ( 1 ) {\displaystyle \omega ^{2^{p-1}}=kM_{p}\omega ^{2^{p-2}}-1.\qquad \qquad (1)}

For a contradiction, suppose Mp is composite, and let q be the smallest prime factor of Mp. Mersenne numbers are odd, so q > 2. Let Z q {\displaystyle \mathbb {Z} _{q}} be the integers modulo q, and let X = { a + b 3 a , b Z q } . {\displaystyle X=\left\{a+b{\sqrt {3}}\mid a,b\in \mathbb {Z} _{q}\right\}.} Multiplication in X {\displaystyle X} is defined as

( a + 3 b ) ( c + 3 d ) = [ ( a c + 3 b d ) mod q ] + 3 [ ( a d + b c ) mod q ] . {\displaystyle \left(a+{\sqrt {3}}b\right)\left(c+{\sqrt {3}}d\right)=+{\sqrt {3}}.}

Clearly, this multiplication is closed, i.e. the product of numbers from X is itself in X. The size of X is denoted by | X | . {\displaystyle |X|.}

Since q > 2, it follows that ω {\displaystyle \omega } and ω ¯ {\displaystyle {\bar {\omega }}} are in X. The subset of elements in X with inverses forms a group, which is denoted by X* and has size | X | . {\displaystyle |X^{*}|.} One element in X that does not have an inverse is 0, so | X | | X | 1 = q 2 1. {\displaystyle |X^{*}|\leq |X|-1=q^{2}-1.}

Now M p 0 ( mod q ) {\displaystyle M_{p}\equiv 0{\pmod {q}}} and ω X {\displaystyle \omega \in X} , so

k M p ω 2 p 2 = 0 {\displaystyle kM_{p}\omega ^{2^{p-2}}=0}

in X. Then by equation (1),

ω 2 p 1 = 1 {\displaystyle \omega ^{2^{p-1}}=-1}

in X, and squaring both sides gives

ω 2 p = 1. {\displaystyle \omega ^{2^{p}}=1.}

Thus ω {\displaystyle \omega } lies in X* and has inverse ω 2 p 1 . {\displaystyle \omega ^{2^{p}-1}.} Furthermore, the order of ω {\displaystyle \omega } divides 2 p . {\displaystyle 2^{p}.} However ω 2 p 1 1 {\displaystyle \omega ^{2^{p-1}}\neq 1} , so the order does not divide 2 p 1 . {\displaystyle 2^{p-1}.} Thus, the order is exactly 2 p . {\displaystyle 2^{p}.}

The order of an element is at most the order (size) of the group, so

2 p | X | q 2 1 < q 2 . {\displaystyle 2^{p}\leq |X^{*}|\leq q^{2}-1<q^{2}.}

But q is the smallest prime factor of the composite M p {\displaystyle M_{p}} , so

q 2 M p = 2 p 1. {\displaystyle q^{2}\leq M_{p}=2^{p}-1.}

This yields the contradiction 2 p < 2 p 1 {\displaystyle 2^{p}<2^{p}-1} . Therefore, M p {\displaystyle M_{p}} is prime.

Necessity

In the other direction, the goal is to show that the primality of M p {\displaystyle M_{p}} implies s p 2 0 ( mod M p ) {\displaystyle s_{p-2}\equiv 0{\pmod {M_{p}}}} . The following simplified proof is by Öystein J. Rödseth.

Since 2 p 1 7 ( mod 12 ) {\displaystyle 2^{p}-1\equiv 7{\pmod {12}}} for odd p > 1 {\displaystyle p>1} , it follows from properties of the Legendre symbol that ( 3 | M p ) = 1. {\displaystyle (3|M_{p})=-1.} This means that 3 is a quadratic nonresidue modulo M p . {\displaystyle M_{p}.} By Euler's criterion, this is equivalent to

3 M p 1 2 1 ( mod M p ) . {\displaystyle 3^{\frac {M_{p}-1}{2}}\equiv -1{\pmod {M_{p}}}.}

In contrast, 2 is a quadratic residue modulo M p {\displaystyle M_{p}} since 2 p 1 ( mod M p ) {\displaystyle 2^{p}\equiv 1{\pmod {M_{p}}}} and so 2 2 p + 1 = ( 2 p + 1 2 ) 2 ( mod M p ) . {\displaystyle 2\equiv 2^{p+1}=\left(2^{\frac {p+1}{2}}\right)^{2}{\pmod {M_{p}}}.} This time, Euler's criterion gives

2 M p 1 2 1 ( mod M p ) . {\displaystyle 2^{\frac {M_{p}-1}{2}}\equiv 1{\pmod {M_{p}}}.}

Combining these two equivalence relations yields

24 M p 1 2 ( 2 M p 1 2 ) 3 ( 3 M p 1 2 ) ( 1 ) 3 ( 1 ) 1 ( mod M p ) . {\displaystyle 24^{\frac {M_{p}-1}{2}}\equiv \left(2^{\frac {M_{p}-1}{2}}\right)^{3}\left(3^{\frac {M_{p}-1}{2}}\right)\equiv (1)^{3}(-1)\equiv -1{\pmod {M_{p}}}.}

Let σ = 2 3 {\displaystyle \sigma =2{\sqrt {3}}} , and define X as before as the ring X = { a + b 3 a , b Z M p } . {\displaystyle X=\{a+b{\sqrt {3}}\mid a,b\in \mathbb {Z} _{M_{p}}\}.} Then in the ring X, it follows that

( 6 + σ ) M p = 6 M p + ( 2 M p ) ( 3 M p ) = 6 + 2 ( 3 M p 1 2 ) 3 = 6 + 2 ( 1 ) 3 = 6 σ , {\displaystyle {\begin{aligned}(6+\sigma )^{M_{p}}&=6^{M_{p}}+\left(2^{M_{p}}\right)\left({\sqrt {3}}^{M_{p}}\right)\\&=6+2\left(3^{\frac {M_{p}-1}{2}}\right){\sqrt {3}}\\&=6+2(-1){\sqrt {3}}\\&=6-\sigma ,\end{aligned}}}

where the first equality uses the Binomial Theorem in a finite field, which is

( x + y ) M p x M p + y M p ( mod M p ) {\displaystyle (x+y)^{M_{p}}\equiv x^{M_{p}}+y^{M_{p}}{\pmod {M_{p}}}} ,

and the second equality uses Fermat's little theorem, which is

a M p a ( mod M p ) {\displaystyle a^{M_{p}}\equiv a{\pmod {M_{p}}}}

for any integer a. The value of σ {\displaystyle \sigma } was chosen so that ω = ( 6 + σ ) 2 24 . {\displaystyle \omega ={\frac {(6+\sigma )^{2}}{24}}.} Consequently, this can be used to compute ω M p + 1 2 {\displaystyle \omega ^{\frac {M_{p}+1}{2}}} in the ring X as

ω M p + 1 2 = ( 6 + σ ) M p + 1 24 M p + 1 2 = ( 6 + σ ) ( 6 + σ ) M p 24 24 M p 1 2 = ( 6 + σ ) ( 6 σ ) 24 = 1. {\displaystyle {\begin{aligned}\omega ^{\frac {M_{p}+1}{2}}&={\frac {(6+\sigma )^{M_{p}+1}}{24^{\frac {M_{p}+1}{2}}}}\\&={\frac {(6+\sigma )(6+\sigma )^{M_{p}}}{24\cdot 24^{\frac {M_{p}-1}{2}}}}\\&={\frac {(6+\sigma )(6-\sigma )}{-24}}\\&=-1.\end{aligned}}}

All that remains is to multiply both sides of this equation by ω ¯ M p + 1 4 {\displaystyle {\bar {\omega }}^{\frac {M_{p}+1}{4}}} and use ω ω ¯ = 1 {\displaystyle \omega {\bar {\omega }}=1} , which gives

ω M p + 1 2 ω ¯ M p + 1 4 = ω ¯ M p + 1 4 ω M p + 1 4 + ω ¯ M p + 1 4 = 0 ω 2 p 1 + 1 4 + ω ¯ 2 p 1 + 1 4 = 0 ω 2 p 2 + ω ¯ 2 p 2 = 0 s p 2 = 0. {\displaystyle {\begin{aligned}\omega ^{\frac {M_{p}+1}{2}}{\bar {\omega }}^{\frac {M_{p}+1}{4}}&=-{\bar {\omega }}^{\frac {M_{p}+1}{4}}\\\omega ^{\frac {M_{p}+1}{4}}+{\bar {\omega }}^{\frac {M_{p}+1}{4}}&=0\\\omega ^{\frac {2^{p}-1+1}{4}}+{\bar {\omega }}^{\frac {2^{p}-1+1}{4}}&=0\\\omega ^{2^{p-2}}+{\bar {\omega }}^{2^{p-2}}&=0\\s_{p-2}&=0.\end{aligned}}}

Since s p 2 {\displaystyle s_{p-2}} is 0 in X, it is also 0 modulo M p . {\displaystyle M_{p}.}

Applications

The Lucas–Lehmer test is one of the main primality tests used by the Great Internet Mersenne Prime Search (GIMPS) to locate large primes. This search has been successful in locating many of the largest primes known to date. The test is considered valuable because it can provably test a large set of very large numbers for primality within an affordable amount of time. In contrast, the equivalently fast Pépin's test for any Fermat number can only be used on a much smaller set of very large numbers before reaching computational limits.

See also

Notes

  1. Formally, let Z q = Z / q Z {\displaystyle \mathbb {Z} _{q}=\mathbb {Z} /q\mathbb {Z} } and X = Z q [ T ] / T 2 3 {\displaystyle X=\mathbb {Z} _{q}/\langle T^{2}-3\rangle } .
  2. Formally, ω + T 2 3 {\displaystyle \omega +\langle T^{2}-3\rangle } and ω ¯ + T 2 3 {\displaystyle {\bar {\omega }}+\langle T^{2}-3\rangle } are in X. By abuse of language ω {\displaystyle \omega } and ω ¯ {\displaystyle {\bar {\omega }}} are identified with their images in X under the natural ring homomorphism from Z [ 3 ] {\displaystyle \mathbb {Z} } to X which sends 3 {\displaystyle {\sqrt {3}}} to T.

References

  1. Jaroma, John H. (2004). "Note on the Lucas–Lehmer Test" (PDF). Bulletin of the Irish Mathematical Society. 54 (2). Irish Mathematical Society: 63. doi:10.33232/BIMS.0054.63.72. S2CID 16831811.
  2. ^ Jansen, B.J.H. (2012). Mersenne primes and class field theory (Doctoral thesis). Leiden University. pp. iii–iv. Retrieved 2018-12-17.
  3. Robinson, Raphael M. (1954). "Mersenne and Fermat numbers". Proc. Amer. Math. Soc. 5 (5): 842–846. doi:10.1090/S0002-9939-1954-0064787-4.
  4. Haworth, Guy (1990). Mersenne numbers (PDF) (Technical report). p. 20. Retrieved 2018-12-17.
  5. Lenstra, Jr., H. W. (2001-05-13). Buhler, J.; Niederreiter, H.; Pohst, M.E. (eds.). Woltman's conjecture on the Lucas-Lehmer test (PDF). Algorithms and Number Theory. p. 20. Retrieved 2024-10-16.
  6. Colquitt, W. N.; Welsh, L. Jr. (1991), "A New Mersenne Prime", Mathematics of Computation, 56 (194): 867–870, doi:10.2307/2008415, JSTOR 2008415, The use of the FFT speeds up the asymptotic time for the Lucas–Lehmer test for Mp from O(p) to O(p log p log log p) bit operations.
  7. Bruce, J. W. (1993). "A Really Trivial Proof of the Lucas–Lehmer Test". The American Mathematical Monthly. 100 (4): 370–371. doi:10.2307/2324959. JSTOR 2324959.
  8. Jason Wojciechowski. Mersenne Primes, An Introduction and Overview. 2003.
  9. Rödseth, Öystein J. (1994). "A note on primality tests for N=h·2^n−1" (PDF). BIT Numerical Mathematics. 34 (3): 451–454. doi:10.1007/BF01935653. S2CID 120438959. Archived from the original (PDF) on March 6, 2016.
  10. The "Top Ten" Record Primes, The Prime Pages

External links

Number-theoretic algorithms
Primality tests
Prime-generating
Integer factorization
Multiplication
Euclidean division
Discrete logarithm
Greatest common divisor
Modular square root
Other algorithms
  • Italics indicate that algorithm is for numbers of special forms
Categories: