Lucas–Lehmer primality test

In mathematics, the Lucas–Lehmer test (LLT) is a primality test for Mersenne numbers. The test was originally developed by Édouard Lucas in 1876 and subsequently improved by Derrick Henry Lehmer in the 1930s.

The test

The Lucas–Lehmer test works as follows. Let ''M''_''p'' = 2^''p'' − 1 be the Mersenne number to test with ''p'' an odd prime. The primality of ''p'' can be efficiently checked with a simple algorithm like trial division since ''p'' is exponentially smaller than ''M''_''p''. Define a sequence $\$ for all ''i'' ≥ 0 by

:$s_i= \begin 4 & \texti=0; \\ s_^2-2 & \text \end$

The first few terms of this sequence are 4, 14, 194, 37634, ... .
Then ''M''_''p'' is prime if and only if
:$s_ \equiv 0 \pmod.$
The number ''s''_{''p'' − 2} mod ''M''_''p'' is called the Lucas–Lehmer residue of ''p''. (Some authors equivalently set ''s''₁ = 4 and test ''s''_''p''−1 mod ''M''_''p''). In pseudocode, the test might be written as

// Determine if ''M''_''p'' = 2^''p'' − 1 is prime for ''p'' > 2
Lucas–Lehmer(p)
var s = 4
var M = 2^''p'' − 1
repeat p − 2 times:
s = ((s × s) − 2) mod M
if s

0 return PRIME else return COMPOSITE

Performing the mod M at each iteration ensures that all intermediate results are at most ''p'' bits (otherwise the number of bits would double each iteration). The same strategy is used in modular exponentiation.

Alternate starting values

Starting values ''s''₀ other than 4 are possible, for instance 10, 52, and others . The Lucas-Lehmer residue calculated with these alternative starting values will still be zero if ''M''_''p'' is a Mersenne prime. However, the terms of the sequence will be different and a non-zero Lucas-Lehmer residue for non-prime ''M''_''p'' will have a different numerical value from the non-zero value calculated when ''s''₀ = 4.

It is also possible to use the starting value (2 mod ''M''_''p'')(3 mod ''M''_''p'')⁻¹, usually denoted by 2/3 for short. This starting value equals (2^p + 1) /3, the Wagstaff number with exponent ''p''.

Starting values like 4, 10, and 2/3 are universal, that is, they are valid for all (or nearly all) ''p''. There are infinitely many additional universal starting values. However, some other starting values are only valid for a subset of all possible ''p'', for example ''s''₀ = 3 can be used if ''p'' = 3 (mod 4). This starting value was often used where suitable in the era of hand computation, including by Lucas in proving ''M''_''127'' prime.
The first few terms of the sequence are 3, 7, 47, ... .

Sign of penultimate term

If ''s''_''p''−2 = 0 mod ''M''_''p'' then the penultimate term is ''s''_''p''−3 = ± 2^(''p''+1)/2 mod ''M''_''p''. The sign of this penultimate term is called the Lehmer symbol ϵ(''s''₀, ''p'').

In 2000 S.Y. Gebre-Egziabher proved that for the starting value 2/3 and for ''p'' ≠ 5 the sign is:
:$\epsilon (,\ p) = (-1) ^$
That is, ϵ(2/3, ''p'') = +1 iff ''p'' = 1 (mod 4) and p ≠ 5.

The same author also proved that the Lehmer symbols for starting values 4 and 10 when ''p'' is not 2 or 5 are related by:
:$\epsilon (10,\ p) = \epsilon (4,\ p) \ \times \ (-1) ^$
That is, ϵ(4, ''p'') × ϵ(10, ''p'') = 1 iff ''p'' = 5 or 7 (mod 8) and p ≠ 2, 5.

OEIS sequence shows ϵ(4, ''p'') for each Mersenne prime ''M''_''p''.

Time complexity

In the algorithm as written above, there are two expensive operations during each iteration: the multiplication s × s, and the mod M operation. The mod M operation can be made particularly efficient on standard binary computers by observing that

:$k \equiv (k\,\bmod\,2^n) + \lfloor k/2^n \rfloor \pmod.$

This says that the least significant ''n'' bits of ''k'' plus the remaining bits of ''k'' are equivalent to ''k'' modulo 2^''n''−1. This equivalence can be used repeatedly until at most ''n'' bits remain. In this way, the remainder after dividing ''k'' by the Mersenne number 2^''n''−1 is computed without using division. For example,

Moreover, since s × s will never exceed M² < 2^2p, this simple technique converges in at most 1 ''p''-bit addition (and possibly a carry from the ''p''th bit to the 1st bit), which can be done in linear time. This algorithm has a small exceptional case. It will produce 2^''n''−1 for a multiple of the modulus rather than the correct value of 0. However, this case is easy to detect and correct.

With the modulus out of the way, the asymptotic complexity of the algorithm only depends on the multiplication algorithm used to square ''s'' at each step. The simple "grade-school" algorithm for multiplication requires O(''p''²) bit-level or word-level operations to square a ''p''-bit number. Since this happens O(''p'') times, the total time complexity is O(''p''³). A more efficient multiplication algorithm is the Schönhage–Strassen algorithm, which is based on the Fast Fourier transform. It only requires O(''p'' log ''p'' log log ''p'') time to square a ''p''-bit number. This reduces the complexity to O(''p''² log ''p'' log log ''p'') or Õ(''p''²). An even more efficient multiplication algorithm, Fürer's algorithm, only needs $p \log p\ 2^$ time to multiply two ''p''-bit numbers.

By comparison, the most efficient randomized primality test for general integers, the Miller–Rabin primality test, requires O(''k'' ''n''² log ''n'' log log ''n'') bit operations using FFT multiplication for an ''n''-digit number, where ''k'' is the number of iterations and is related to the error rate. For constant ''k'', this is in the same complexity class as the Lucas-Lehmer test. In practice however, the cost of doing many iterations and other differences leads to worse performance for Miller–Rabin. The most efficient deterministic primality test for any ''n''-digit number, the AKS primality test, requires Õ(n⁶) bit operations in its best known variant and is extremely slow even for relatively small values.

Examples

The Mersenne number M₃ = 2³−1 = 7 is prime. The Lucas–Lehmer test verifies this as follows. Initially ''s'' is set to 4 and then is updated 3−2 = 1 time:

* s ← ((4 × 4) − 2) mod 7 = 0.

Since the final value of ''s'' is 0, the conclusion is that M₃ is prime.

On the other hand, M₁₁ = 2047 = 23 × 89 is not prime. Again, ''s'' is set to 4 but is now updated 11−2 = 9 times:

* s ← ((4 × 4) − 2) mod 2047 = 14
* s ← ((14 × 14) − 2) mod 2047 = 194
* s ← ((194 × 194) − 2) mod 2047 = 788
* s ← ((788 × 788) − 2) mod 2047 = 701
* s ← ((701 × 701) − 2) mod 2047 = 119
* s ← ((119 × 119) − 2) mod 2047 = 1877
* s ← ((1877 × 1877) − 2) mod 2047 = 240
* s ← ((240 × 240) − 2) mod 2047 = 282
* s ← ((282 × 282) − 2) mod 2047 = 1736

Since the final value of ''s'' is not 0, the conclusion is that M₁₁ = 2047 is not prime. Although M₁₁ = 2047 has nontrivial factors, the Lucas–Lehmer test gives no indication about what they might be.

Proof of correctness

The proof of correctness for this test presented here is simpler than the original proof given by Lehmer. Recall the definition
:$s_i= \begin 4 & \texti=0;\\ s_^2-2 & \text \end$
The goal is to show that ''M''_''p'' is prime iff $s_ \equiv 0 \pmod.$

The sequence $s_i$ is a recurrence relation with a closed-form solution. Let $\omega = 2 + \sqrt$ and $\bar = 2 - \sqrt$. It then follows by induction that $s_i = \omega^ + \bar^$ for all ''i'':

:$s_0 = \omega^ + \bar^ = \left(2 + \sqrt\right) + \left(2 - \sqrt\right) = 4$
and
:$\begin s_n &= s_^2 - 2 \\ &= \left(\omega^ + \bar^\right)^2 - 2 \\ &= \omega^ + \bar^ + 2(\omega\bar)^ - 2 \\ &= \omega^ + \bar^. \end$
The last step uses $\omega\bar = \left(2 + \sqrt\right) \left(2 - \sqrt\right) = 1.$ This closed form is used in both the proof of sufficiency and the proof of necessity.

Sufficiency

The goal is to show that $s_ \equiv 0 \pmod$ implies that $M_p$ is prime. What follows is a straightforward proof exploiting elementary group theory given by J. W. Bruce as related by Jason Wojciechowski.

Suppose $s_ \equiv 0 \pmod.$ Then
:$\omega^ + \bar^ = k M_p$
for some integer ''k'', so
:$\omega^ = k M_p - \bar^.$
Multiplying by $\omega^$ gives
:$\left(\omega^\right)^2 = k M_p\omega^ - (\omega \bar)^.$
Thus,
:$\omega^ = k M_p\omega^ - 1.\qquad\qquad(1)$

For a contradiction, suppose ''M''_''p'' is composite, and let ''q'' be the smallest prime factor of ''M''_''p''. Mersenne numbers are odd, so ''q'' > 2. Informally,Formally, let $\mathbb_q = \mathbb / q \mathbb$ and X = \mathbb_q / \langle T^2 - 3 \rangle. let $\mathbb_q$ be the integers modulo ''q'', and let $X = \left\.$ Multiplication in $X$ is defined as

:\left(a + \sqrt b\right) \left(c + \sqrt d\right) = a c + 3 b d) \,\bmod\,q+ \sqrt a d + b c) \,\bmod\,q

Clearly, this multiplication is closed, i.e. the product of numbers from ''X'' is itself in ''X''. The size of ''X'' is denoted by $, X, .$

Since ''q'' > 2, it follows that $\omega$ and $\bar$ are in ''X''.Formally, $\omega + \langle T^2 - 3 \rangle$ and $\bar + \langle T^2 - 3 \rangle$ are in ''X''. By abuse of language $\omega$ and $\bar$ are identified with their images in ''X'' under the natural ring homomorphism from $\mathbb$sqrt to ''X'' which sends $\sqrt$ to ''T''. The subset of elements in ''X'' with inverses forms a group, which is denoted by ''X''* and has size $, X^*, .$ One element in ''X'' that does not have an inverse is 0, so $, X^*, \leq , X, - 1 = q^2 - 1.$

Now $M_p \equiv 0 \pmod$ and $\omega \in X$, so
:$kM_p\omega^ = 0$
in ''X''.
Then by equation (1),
:$\omega^ = -1$
in ''X'', and squaring both sides gives
:$\omega^ = 1.$
Thus $\omega$ lies in ''X''* and has inverse $\omega^.$ Furthermore, the order of $\omega$ divides $2^p.$ However $\omega^ \neq 1$, so the order does not divide $2^.$ Thus, the order is exactly $2^p.$

The order of an element is at most the order (size) of the group, so
:$2^p \leq , X^*, \leq q^2 - 1 < q^2.$
But ''q'' is the smallest prime factor of the composite $M_p$, so
:$q^2 \leq M_p = 2^p-1.$
This yields the contradiction $2^p < 2^p-1$. Therefore, $M_p$ is prime.

Necessity

In the other direction, the goal is to show that the primality of $M_p$ implies $s_ \equiv 0 \pmod$. The following simplified proof is by Öystein J. Rödseth.

Since $2^p - 1 \equiv 7 \pmod$ for odd $p > 1$, it follows from properties of the Legendre symbol that $(3, M_p) = -1.$ This means that 3 is a quadratic nonresidue modulo $M_p.$ By Euler's criterion, this is equivalent to

:$3^ \equiv -1 \pmod.$

In contrast, 2 is a quadratic residue modulo $M_p$ since $2^p \equiv 1 \pmod$ and so $2 \equiv 2^ = \left(2^\right)^2 \pmod.$ This time, Euler's criterion gives

:$2^ \equiv 1 \pmod.$

Combining these two equivalence relations yields

:$24^ \equiv \left(2^\right)^3 \left(3^\right) \equiv (1)^3(-1) \equiv -1 \pmod.$

Let $\sigma = 2\sqrt$, and define ''X'' as before as the ring $X = \.$ Then in the ring ''X'', it follows that

:$\begin (6+\sigma)^ &= 6^ + \left(2^\right) \left(\sqrt^\right) \\ &= 6 + 2 \left(3^\right) \sqrt \\ &= 6 + 2 (-1) \sqrt \\ &= 6 - \sigma, \end$

where the first equality uses the Binomial Theorem in a finite field, which is

: $(x+y)^ \equiv x^ + y^ \pmod$,

and the second equality uses Fermat's little theorem, which is

: $a^ \equiv a \pmod$

for any integer ''a''. The value of $\sigma$ was chosen so that $\omega = \frac.$ Consequently, this can be used to compute $\omega^$ in the ring ''X'' as

:$\begin \omega^ &= \frac \\ &= \frac \\ &= \frac \\ &= -1. \end$

All that remains is to multiply both sides of this equation by $\bar^$ and use $\omega \bar = 1$, which gives

:$\begin \omega^ \bar^ &= -\bar^ \\ \omega^ + \bar^ &= 0 \\ \omega^ + \bar^ &= 0 \\ \omega^ + \bar^ &= 0 \\ s_ &= 0. \end$

Since $s_$ is 0 in ''X'', it is also 0 modulo $M_p.$

Applications

The Lucas–Lehmer test is one of the main primality tests used by the Great Internet Mersenne Prime Search (GIMPS) to locate large primes. This search has been successful in locating many of the largest primes known to date.The "Top Ten" Record Primes
The Prime Pages The test is considered valuable because it can probably test a large set of very large numbers for primality within an affordable amount of time. In contrast, the equivalently fast Pépin's test for any Fermat number can only be used on a much smaller set of very large numbers before reaching computational limits.

See also

* Mersenne's conjecture
* Lucas–Lehmer–Riesel test

Notes

References

*

External links

*

GIMPS (The Great Internet Mersenne Prime Search)

A proof of Lucas–Lehmer–Reix test (for Fermat numbers)

Lucas–Lehmer test
at MersenneWiki

{{DEFAULTSORT:Lucas-Lehmer Primality Test
Primality tests
Mersenne primes