An Unconditional Improvement to the Running Time of the Quadratic Frobenius Test
Jon Grantham

TL;DR
This paper presents a new version of the Quadratic Frobenius Test that operates unconditionally, removing the reliance on the Extended Riemann Hypothesis, and achieves faster running times.
Contribution
It introduces an unconditional variant of the Quadratic Frobenius Test that maintains efficiency without assuming unproven hypotheses.
Findings
The new test is faster than previous versions under the same conditions.
It eliminates the need for the Extended Riemann Hypothesis in the test's construction.
The approach uses small nonresidues to improve arithmetic speed.
Abstract
In a 2006 paper, Damgård and Frandsen designed a faster version of the Quadratic Frobenius Test. This test assumes the Extended Riemann Hypothesis in order to find small nonresidues, which allow construction of quadratic extensions with faster arithmetic. In this paper, I describe a version of the test using small nonresidues, without assuming any unproven hypothesis.
1 Introduction
From Fermat’s little theorem, we know that for any odd prime and with , . By its contrapositive, we know that any with is composite; this is known as the Fermat pseudoprime test.
Let Because there are only two square roots of modulo , we know that or for some . The contrapositive of this fact is the basis of the strong pseudoprime test.
This test has long been used as a fast way to prove the compositeness of integers. The test itself takes multiplications modulo . Monier [9] and Rabin [13] quantified the worst-case error bound in 1980 by showing that a composite will pass the test to at most of the bases . (This bound is sharp.)
Pseudoprime tests in terms of recurrence sequences exist. Let be a Lucas sequence, where and are integers, , and . Let . For a prime , we have . The contrapositive of this fact gives the Lucas pseudoprimality test.
Also in 1980, Baillie and Wagstaff [2], along with Pomerance, Selfridge and Wagstaff [12], recognized the utility of combining Lucas pseudoprime tests with Fermat or strong pseudoprime tests. In particular, the combination of a Fermat pseudoprime test with a Lucas pseudoprime test is often called a Baillie-PSW test.
In order to get a worst-case error bound in the style of Monier and Rabin [13], in 1998 I [6] introduced a randomized version of the Baillie-PSW test, known as the Quadratic Frobenius Test (QFT). The QFT takes time comparable to three iterations of the strong pseudoprime test, but produces a better worst-case error bound. The QFT is expressed in terms of quadratic extensions of rather than second-order recurrence sequences. Theorem 5.6 of [7] shows that composites that pass the QFT also pass a Lucas pseudoprime test. Although unfortunately not explicit in that paper, it is possible to show that composites passing the QFT also pass a Fermat test.
Subsequent improvements to the QFT were made by Zhang [14] and Müller [10], [11].
In their 2006 paper [5], Damgård and Frandsen made two improvements to the Quadratic Frobenius Test (QFT). They improved the worst-case and average-case error bounds by looking at th roots of unity. They also improved the running time of the algorithm, under the assumption of the Extended Riemann Hypothesis (ERH), by constructing a quadratic extension with small coefficients.
In this paper, I examine the second improvement, but drop the ERH assumption, at the cost of a somewhat larger quadratic extension.
Additionally, the original QFT analysis assumed that a modular multiplication and a modular squaring took equivalent time. Other authors have not followed this convention; I explore this distinction.
2 The Quadratic Frobenius Test and Its Reformulation
The original QFT is as follows.
Definition 2.1.
Suppose is odd, , and . Let . The Quadratic Frobenius Test (QFT) with parameters consists of the following.
1. Test for divisibility by primes less than or equal to . If it is divisible by one of these primes, declare to be composite and stop.
2. Test whether . If it is, declare to be composite and stop.
3. Compute mod . If , declare to be composite and stop.
4. Compute mod . If , declare to be composite and stop.
5. Let , where is odd. If mod , and for all , declare to be composite and stop.
6. If is not declared composite in Steps 1–5, declare to be a probable prime.
This test is based on finding a quadratic extension whose discriminant has Jacobi symbol , and then testing whether the th power map on behaves like the Frobenius map. Theorem 3.4 of [6] shows that the running time is at most three times that of an ordinary (Fermat) probable prime test.
Instead, one could choose an extension , and then choose an element of that extension. This is the approach introduced by Damgård and Frandsen.
Definition 2.2.
Suppose is odd, , and . Let . Let . The reformulated Quadratic Frobenius Test (rQFT) with parameters consists of the following.
1. Test for divisibility by primes less than or equal to . If it is divisible by one of these primes, declare to be composite and stop.
2. Test whether . If it is, declare to be composite and stop.
3. Compute mod . If , declare to be composite and stop.
4. Compute mod . If , declare to be composite and stop.
5. Let , where is odd. If mod , and mod for all , declare to be composite and stop.
6. If is not declared composite in Steps 1–5, declare to be a probable prime.
It is easy to pass between the two formulations with a change of variables.
An advantage of the second formulation is that if one can find small with , then the arithmetic is faster. (Alternatively, if one finds a nontrivial with , then is proven composite via factorization.)
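The idea behind the second formulation can be sketched in code: search upward for a small c with Jacobi symbol -1, then check that raising an element a + b·x of Z_n[x]/(x² − c) to the n-th power gives its conjugate a − b·x, as it must when n is prime. This is an added illustration, not code from the paper, and it covers only that Frobenius condition rather than the full sequence of steps in Definition 2.2; the function names, the search limit and the sample inputs are assumptions chosen here.

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    sign = 1
    while a:
        while a % 2 == 0:            # pull out factors of 2
            a //= 2
            if n % 8 in (3, 5):
                sign = -sign
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            sign = -sign
        a %= n
    return sign if n == 1 else 0

def find_small_c(n, limit=1000):
    """Search c = 2, 3, ... for (c/n) = -1; a shared factor proves n composite."""
    for c in range(2, limit):
        g = gcd(c, n)
        if 1 < g < n:
            return ("factor", g)
        if jacobi(c, n) == -1:
            return ("nonresidue", c)
    return ("none", None)            # e.g. a perfect square with no small factor

def mul(u, v, c, n):
    """(a + b*x)(d + e*x) in Z_n[x]/(x^2 - c); the product by c is by a small number."""
    (a, b), (d, e) = u, v
    return ((a * d + c * (b * e % n)) % n, (a * e + b * d) % n)

def power(z, k, c, n):
    """Square-and-multiply exponentiation in the quadratic extension."""
    acc = (1, 0)
    while k:
        if k & 1:
            acc = mul(acc, z, c, n)
        z = mul(z, z, c, n)
        k >>= 1
    return acc

def acts_like_frobenius(n, z, c):
    """True when z^n equals the conjugate a - b*x of z = a + b*x."""
    a, b = z
    return power(z, n, c, n) == (a % n, -b % n)
```

With the constructed inputs used here, the Mersenne prime 2^61 − 1 yields c = 3 and passes the check for z = 5 + 7x, while the composite 341 yields c = 2 and fails it.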
3 Unconditionally Finding Small Quadratic Extensions
Damgård and Frandsen [5] assume the Extended Riemann Hypothesis to find small with .
We can, however, unconditionally find such a small enough to give us a computational advantage.
Theorem 3.1.
If is a sufficiently large composite number that is not a square, and , a positive proportion of the numbers have .
Proof.
First, a “Burgess bound” shows that the sum of Jacobi symbols modulo is small when the sum is taken to a power of near . Theorem A of [4] shows that for any , . We can then take to get .
Then a result of Granville and Soundararajan allows the power of to be reduced to that in the statement of the theorem. The result was listed as Theorem 4.1 of [3] as an “unpublished result,” but the arguments are given in [8], particularly Corollary 1.8. The formulation in [3], however, is the one needed here. That states that if and , then , for some . For any we can choose and such that and get the bound in the theorem.
∎
4 The Cost of QFTs
Atkin [1] defined a “Selfridge unit” (SU) as the time required to perform modular squarings on a number of size . I [6] adapted that to the “selfridge”, the time required to perform modular multiplications (whether they were squarings or not). Atkin was displeased by this simplification; in fact, he made the assumption that one modular multiplication was equal to the cost of two modular squarings (MSQs).
Damgård and Frandsen [5], however, assume that each modular multiplication costs MSQs. The discrepancy between the ratio they use and the one Atkin used could be used in support of my assumption that the different costs of a squaring and a multiplication are implementation-dependent, and should be ignored. On the other hand, neither ratio is , which argues in favor of tracking the difference between squarings and multiplications. I do so below.
The original QFT takes two modular squarings and one modular multiply for each of operations in the quadratic extension. If we assume that each multiply is MSQs, that is a cost of MSQs per operation. The reformulation of Damgård and Frandsen takes 3 modular multiplies ( MSQs), or 2 modular multiplies () assuming the ERH. Using Theorem 3.1 allows one of the modular multiplies to be with a number of size , which cuts the time required to MSQs, for a total of MSQs.
Under Atkin’s original weighting (), the QFT costs SUs, SUs under the reformulation and under the ERH. Neither that cost nor SUs from Theorem 3.1 is an improvement.
Under the Damgård-Frandsen approach, where , the original QFT is SUs, the reformulation is SUs. The ERH brings that down to SUs, while Theorem 3.1 allows SUs.
Using the definition of selfridges from [6], both the original QFT and the reformulation cost selfridges, while the ERH brings that down to selfridges, and the result from the previous section allows selfridges.
Acknowledgments
Thanks to Paul Pollack for valuable e-mail exchanges about Burgess bounds. Thanks to Xander Faber for helpful comments on an earlier draft of this paper.
References
- [1] A. O. L. Atkin, Intelligent primality test offer, in Computational perspectives on number theory (Chicago, IL, 1995), AMS/IP Stud. Adv. Math., vol. 7, Amer. Math. Soc., Providence, RI, 1998, 1–11.
- [2] R. Baillie and S. S. Wagstaff, Jr., Lucas pseudoprimes, Math. Comp. 35 (1980) 1391–1417.
- [3] W. D. Banks, M. Z. Garaev, D. R. Heath-Brown, and I. E. Shparlinski, Density of non-residues in Burgess-type intervals and applications, Bull. Lond. Math. Soc. 40 (2008) 88–96.
- [4] D. A. Burgess, The character sum estimate with $r=3$, J. London Math. Soc. (2) 33 (1986) 219–226.
- [5] I. B. Damgård and G. S. Frandsen, An extended quadratic Frobenius primality test with average- and worst-case error estimates, J. Cryptology 19 (2006) 489–520.
- [6] J. Grantham, A probable prime test with high confidence, J. Number Theory 72 (1998) 32–47.
- [7] J. Grantham, Frobenius pseudoprimes, Math. Comp. 70 (2001) 873–891.
- [8] A. Granville and K. Soundararajan, Large character sums: Burgess’s theorem and zeros of $L$-functions, J. Eur. Math. Soc. (JEMS) 20 (2018) 1–14.
