Testing for Prime Numbers: The Solovay-Strassen Algorithm
To impliment the RSA cryptosystem, we need to produce a pair of large prime numbers. We shall describe one method for doing this called the Solovay-Strassen Algorithm. To be absolutely certain that a given number is prime may take a considerable amount of time due to all the checking that is involved. Our practical need is for a fast method, so in order to gain speed we trade off with certainty. That is, we use a method which quickly determines that a number is prime, with a high probability, rather than absolute certainty. In order to describe the method, we need to examine some concepts from Number Theory.
Quadratic Residues Modulo an Odd Prime
Let p be an odd prime number. An integer x, with 1xp-1 is defined to be a quadratic residue modulo p if the congruence y2x mod p has a solution. The other non-zero x's are called quadratic non-residues.
For example, with p = 13, the quadratic residues are 1 = (±1)2, 4 = (±2)2, 9 =(±3)2, 3 = (±4)2, 12 = (±5)2 and 10 = (±6)2, while the quadratic non-residues are: 2, 5, 6, 7, 8, and 11.
It is true that for any odd prime p, as in the above example, half of the non-zero elements are quadratic residues and the other half are quadratic non-residues.
For any odd prime p and any integer a0, we define the Legendre symbol as follows:
It follows from a result of Euler that
This means that determining whether or not a number is a quadratic residue can be done computationally. Thus, 2 is a quadratic residue modulo 17, since 2(17-1)/2 = 28 = 256 1 mod 17. And indeed, 262 mod 17. While 5 is a quadratic non-residue mod 7, since 5(7-1)/2= 53 = 125 6 -1 mod 7.
The Legendre symbol can be generalized to the Jacobi symbol. Let n be any positive odd integer and a0 any integer. The Jacobi symbol is defined as:
Note that the Jacobi symbol, since it is the product of Legendre symbols, can only have the values of 0, +1 or -1.
There are several properties of the Jacobi symbol that make its computation fairly easy and, most importantly, do not require that n be factored. We list these here:
- If m1m2 mod n then,
- The Jacobi symbol is multiplicative, i.e.,
In particular, if m = 2kt, where t is odd, then
- We have,
- Suppose m and n are odd integers. Then
Here is an example of using these properties to calculate a Jacobi symbol.
The Solovay-Strassen Algorithm
Note that if n is a prime number then it follows that
then n is definitely not a prime (i.e., n is a composite number). However, there are composite numbers n so that (1) is satisfied for some a. These numbers are called Euler psuedo-primes with base a. It can be shown however, that for any given composite number n, there are at most n/2 values of a less than n for which n is an Euler psuedo-prime with base a. This is the basis of the Solovay-Strassen algorithm. The algorithm is as follows:
If the algorithm does not report that n is composite, then the probability that n is an Euler psuedo-prime with respect to the k choices of a is 1/2k. If k is large enough, this is a very small probability. Put another way, for large enough k, there is a very high probability that n is a prime.
- Let n be the number that is being tested for primality.
- Randomly choose an integer a, with 1an.
then stop and report that n is composite.
- Otherwise, repeat steps 2 and 3 k times (where k is a preselected integer).
So, to use this algorithm to find primes, you randomly select odd numbers in the size range you are interested in. Run them through the algorithm with k set at say 100. If the algorithm reports that the number is composite, then choose another random selection, until the algorithm reports that your choice is prime. The prime number theorem from number theory, tells you that the probability of selecting a prime at random is about 2/ln n (selecting only odd numbers), so, for an n in the 512-bit range this is about 2/177. Thus, on average you would expect to select a prime of this size randomly about once every 90 tries.