Solovay–Strassen primality test


The Solovay–Strassen primality test, developed by Robert M. Solovay and Volker Strassen in 1977, is a probabilistic test to determine if a number is composite or probably prime. The idea behind the test was discovered by M. M. Artjuhov in 1967
. This test has been largely superseded by the Baillie-PSW primality test and the Miller–Rabin primality test, but has great historical importance in showing the practical feasibility of the RSA cryptosystem. The Solovay–Strassen test is essentially an Euler–Jacobi pseudoprime test.

Concepts

proved that for any prime number p and any integer a,
where is the Legendre symbol. The Jacobi symbol is a generalisation of the Legendre symbol to, where n can be any odd integer. The Jacobi symbol can be computed in time O using Jacobi's generalization of
law of quadratic reciprocity.
Given an odd number n we can contemplate whether or not the congruence
holds for various values of the "base" a, given that a is relatively prime to n. If n is prime then this congruence is true for all a. So if we pick values of a at random and test the congruence, then
as soon as we find an a which doesn't fit the congruence we know that n is not prime. This base a is called an Euler witness for n; it is a witness for the compositeness of n. The base a is called an Euler liar for n if the congruence is true while n is composite.
For every composite odd n, at least half of all bases
are witnesses as the set of Euler liars is a proper subgroup of. For example, for, the set of Euler liars has order 8 and, and has order 48.
This contrasts with the Fermat primality test, for which the proportion of witnesses may be much smaller. Therefore, there are no composite n without many witnesses, unlike the case of Carmichael numbers for Fermat's test.

Example

Suppose we wish to determine if n = 221 is prime. We write /2=110.
We randomly select an a : 47.
Using an efficient method for raising a number to a power such as binary exponentiation, we compute:
This gives that, either 221 is prime, or 47 is an Euler liar for 221. We try another random a, this time choosing a = 2:
Hence 2 is an Euler witness for the compositeness of 221, and 47 was in fact an Euler liar. Note that this tells us nothing about the prime factors of 221, which are actually 13 and 17.

Algorithm and running time

The algorithm can be written in pseudocode as follows:
inputs: n, a value to test for primality
k, a parameter that determines the accuracy of the test
output: composite if n is composite, otherwise probably prime
repeat k times:
choose a randomly in the range

if or then
return composite
return probably prime
Using fast algorithms for modular exponentiation, the running time of this algorithm is O, where k is the number of different values of a we test.

Accuracy of the test

It is possible for the algorithm to return an incorrect answer. If the input n is indeed prime, then the output will always correctly be probably prime. However, if the input n is composite then it is possible for the output to be incorrectly probably prime. The number n is then called an Euler–Jacobi pseudoprime.
When n is odd and composite, at least half of all a with gcd = 1 are Euler witnesses. We can prove this as follows: let be the Euler liars and a an Euler witness. Then, for i = 1,2,...,m:
Because the following holds:
now we know that
This gives that each ai gives a number a·ai, which is also an Euler witness.
So each Euler liar gives an Euler witness and so the number of Euler witnesses is larger or equal to the number of Euler liars. Therefore, when n is composite, at least half of all a with gcd = 1 is an Euler witness.
Hence, the probability of failure is at most 2k.
For purposes of cryptography the more bases a we test, i.e. if we pick a sufficiently large value of k, the better the accuracy of test. Hence the chance of the algorithm failing in this way is so small that the prime is used in practice in cryptographic applications, but for applications for which it is important to have a prime, a test like ECPP or the Pocklington primality test should be used which proves primality.

Average-case behaviour

The bound 1/2 on the error probability of a single round of the Solovay–Strassen test holds for any input n, but those numbers n for which the bound is attained are extremely rare. On the average, the error probability of the algorithm is significantly smaller: it is less than
for k rounds of the test, applied to uniformly random. The same bound also applies to the related problem of what is the conditional probability of n being composite for a random number which has been declared prime in k rounds of the test.

Complexity

The Solovay-Strassen algorithm shows that the decision problem COMPOSITE is in the complexity class RP.