From 996c2d6db925ebda3de0518968d02fa4626b8d99 Mon Sep 17 00:00:00 2001
From: Tim Daly
Date: Fri, 29 Jun 2018 21:51:06 -0400
Subject: [PATCH] books/bookvol10.1 add chapter on Primality Testing
Goal: Axiom Literate Programming
---
books/bookvol10.1.pamphlet | 756 +++++++++++++++++++++++++++++++++++++++++
changelog | 2 +
patch | 4 +-
src/axiom-website/patches.html | 2 +
4 files changed, 762 insertions(+), 2 deletions(-)
diff --git a/books/bookvol10.1.pamphlet b/books/bookvol10.1.pamphlet
index d7848e2..c92f2c6 100644
--- a/books/bookvol10.1.pamphlet
+++ b/books/bookvol10.1.pamphlet
@@ -1,5 +1,6 @@
\documentclass{book}
\newcommand{\VolumeName}{Volume 10.1: Axiom Algebra: Theory}
+\usepackage{amsmath}
\input{bookheader.tex}
\mainmatter
\setcounter{chapter}{0} % Chapter 1
@@ -21707,6 +21708,761 @@ significant difference~ the interconnections between modules have been
marked with heavy ~nes whereas for all dependencies on the package
constructor SPDE thin lines are applied.
+\chapter{Primality Testing Revisited by James Davenport}
+
+This is from Davenport \cite{Dave92}
+
+It is customary in computer algebra to use the algorithm presented
+by Rabin \cite{Rabi80} to determine if numbers are prime (and primes
+are needed throughout algebraic algorithms). As is well known, a
+single iteration of Rabin's algorithm, applied to the number $N$, has
+probability at most of 0.25 of reporting ``$N$ is probably prime'',
+when in fact $N$ is composite. For most $N$, the probability is much
+less than 0.25. Here, ``probability'' refers to the fact hat Rabin's
+algorithm begins with the choice of a ``random'' seed $x$, not
+congruent to 0 modulo $N$. In practice, however, true randomness is
+hard to achieve, and computer algebra systems often use a fixed set of
+$x$ -- for example, Axiom release 1 uses the set
+\[\{3,4,7,11,13,17,19,23,29,31\}\eqno{(1)}\]
+As Pomerance {\sl et al.} \cite{Pome80} point out, there is some
+sense in using primes as the $x$-values: for example the value $x=4$
+gives no more information than the value $x=2$, and the value $x=6$
+can only give more information than 2 or 3 under rare circumstances
+(in particular, we need the 2-part of the orders of 2 and 3 to differ,
+but be adjacent). By Rabin's theorem, a group-theoretic proof of which
+is given in Davenport and Smith \cite{Dave87}, 10 elements in the set
+gives a probability less than 1 in $10^6$ of giving the wrong
+answer. In fact, it is possible to do rather better than this: for
+example Damgard and Landrock \cite{Damg91} show that, for 256-bit
+integers, six tests give a probability of less than $2^{-51}$ of
+giving the wrong answer.
+
+Nevertheless, given any such fixed set of $x$ values, there are
+probably some composite $N$ for which all the $x$ in the set report
+``$N$ is probably prime''. In particluar Jaeschke \cite{Jaes91}
+reports that the 29-digit number
+\[56897193526942024370326972321=\\
+137716125329053\cdot 413148375987157\]
+has this property for the set (1). For brevity, let us call this
+number $J$ -- ``the Jaeschke number'', and its factors $J_1$ and $J_2$
+respectively. Now
+\[J=1+2^5\cdot 1778037297716938261572717885\]
+so Rabin's algorithm will begin by raising each element of (1) to the
+power 1778037297716938261572717885 (modulo $J$), thus getting
+\[\begin{array}{rcccr}
+3 & \rightarrow & 1
+& \stackrel{\text{squaring}}{\rightarrow} & 1\\
+5 & \rightarrow & 4199061068131012714084074012
+& \stackrel{\text{squaring}}{\rightarrow} & J-1\\
+7 & \rightarrow & 40249683417692701270027867121
+& \stackrel{\text{squaring}}{\rightarrow} & J-1\\
+11 & \rightarrow & 40249683417692701270027867121
+& \stackrel{\text{squaring}}{\rightarrow} & J-1\\
+13 & \rightarrow & 52698132458811011656242898309
+& \stackrel{\text{squaring}}{\rightarrow} & J-1\\
+17 & \rightarrow & 4199061068131012714084074012
+& \stackrel{\text{squaring}}{\rightarrow} & J-1\\
+19 & \rightarrow & 40249683417692701270027867121
+& \stackrel{\text{squaring}}{\rightarrow} & J-1\\
+23 & \rightarrow & 16647510109249323100299105200
+& \stackrel{\text{squaring}}{\rightarrow} & J-1\\
+29 & \rightarrow & 40249683417692701270027867121
+& \stackrel{\text{squaring}}{\rightarrow} & J-1\\
+31 & \rightarrow & 1
+& \stackrel{\text{squaring}}{\rightarrow} & 1\\
+\end{array}\]
+Hence, for all these $x$-values, Rabin's algorithm will say ``$J$ is
+probably prime'', since we arrive at a value of 1 in our repeated
+squaring, either directly ($x=3$ and $x=31$) or via $J-1$. However,
+this table indicates (to the suspicious human eye) two things.
+
+(A) The first is that $-1$ appears to have four square roots modulo
+$J$, viz.
+\[4199061068131012714084074012\]
+\[40249683417692701270027867121\]
+\[16647510109249323100299105200\]
+\[52698132458811011656242898309\]
+This contradicts Lagrange's theorem, so $J$ cannot be prime.
+
+(B) The second is that, if $J$ were prime, we would expect about half
+of the elements of (1) to be quadratic non-residues, and hence to need
+five squarings to reach 1 (4 to reach $J-1$), about a quarter to be
+quadratic residues, but quartic non-residues, hence needing three
+squarings to reach $J-1$, and only an eighth to be octic residues or
+better, and to reach $J-1$ in at most one squaring. Hence, if $J$ were
+prime, we have observed an event of probability $(1/8)^{10}$ -- less
+than 1 in $10^9$.
+
+Much of thie paper is taken up with a detailed exploration of these
+observations and their generalisations. We observe that, at least in
+principle, we are only concerned with the problem of testing
+relatively large numbers: numbers less than $25\cdot 10^9$ are covered
+by Pomerance {\sl et al.} \cite{Pome80}.
+
+\section{Rabin revisited}
+
+Throughout this paper, we assume that all integers to be tested for
+primality are positive and odd. We use the standard notation
+\[\phi(n)=\vert\{x:0 false
+[ 3] n < nextSmallPrime => member?(n, smallPrimes)
+[ 4] not one? gcd(n, productSmallPrimes) => false
+[ 5] n < nextSmallPrimeSquared => true
+[ 6] nm1:=n-1
+[ 7] q := (nm1) quo two
+[ 8] for k in 1.. while not odd? q repeat q := q quo two
+[ 9] -- q = (n-1) quo 2**k for largest possible k
+[10] mn := minIndex smallPrimes
+[11] for i in mn+1..mn+10 repeat
+[12] rabinProvesComposit(smallPrimes i,n,nm1,q,k) => return false
+[13] true
+[14]
+[15] rabinProvesComposite(p,n,mn1,q,k) ==
+[16] -- nm1 = n-1 = q*2**k; q odd
+[17] -- probability false for n composite is < 1/4
+[18] -- for most n this probability is much less than 1/4
+[19] t := powmod(p, q, n)
+[20] -- neither of these cases tells us anything
+[21] if not (one? t or t = nm1) then
+[22] for j in 1..k-1 repeat
+[23] t := mulmod(t, t, n)
+[24] one? t => return true
+[25] -- we have squared somethiong not -1 and got 1
+[26] t = mn1 =>
+[27] leave
+[28] not (t = nm1) => return true
+[29] false
+\end{verbatim}
+
+where we have numbered the lines for ease of refernce. {\bf I} is the
+datatype of $n$, and can be thought of as being the integers.
+{\tt smallPrimes} is a list of primes up to 313, and
+{\tt nextSmallPrime} is therefore 317.
+
+\section{Non-square-free numbers}
+
+If Rabin's algorithm is handed a number $N$ with a repeated prime
+factor $p^k$, then the factor of $p^{k-1}$ in $\hat{\phi}(N)$ will
+certainly be coprime to $N-1$. This means that we will return ``$N$ is
+definitely not prime'' unless we use an $x$-value which is actually a
+perfect $p^{k-1}$-st power -- an event with probability
+$1/p^{k-1}$. This probability is less than 0.25 except in the case
+$p=3$, $k=2$, when we can calculate explicitly that the probability of
+incorrectly saying ``$N$ is probably prime'' is exactly 0.25 in the
+case $N=9$.
+
+In the implementation given above, then test at line [ 4] ensures that
+$N$ has no factors less than 317, and, {\sl a fortiori}, no such
+repeated factors. Hence the probability that an $x$-value would be a
+perfect $p$-th power is at most 1/317. This compares favourably with
+some of the probabilities that will be analysed later, and shows the
+practical utility of this preliminary test.
+
+\section{Jaeschke analysed}
+
+Let us analyse the number $J$ more closely. To begin with, both $J_1$
+and $J_2$ are prime. These numbers can be written as
+\[J_1=1+2^2\cdot 3^2\cdot 829\cdot 4614533083\]
+\[J_2=1+2^2\cdot 3^3\cdot 829\cdot 4614533083\]
+\[J=1+2^5\cdot 3^2\cdot 5\cdot 11\cdot 59\cdot 829\cdot 34849\cdot
+456679\cdot 4614533083\]
+
+$J$ is not a Carmichael number, but it is ``fairly close'', since it
+is only the factor of $3^3$, rather than $3^2$, in $J_2-1$ which
+prevents it from being so. In addition, $J$ is a product of two
+primes, of the form $(K+1)\cdot (rK+1)$ (with $r=3$) -- a form
+observed by Pomerance {\sl et al.} \cite{Pome80} to account for
+nearly all pseudoprimes.
+
+Why does Rabin's test (using the primes (1)) think that $J$ is prime?
+To begin with, all the primes in the set (1) are actually perfect
+cubes modulo $J_2$, so their orders divide $(J_2-1)/3$, and hence
+$J-1$. Put another way, $J$ is a pseudoprime($p$) for all the $p$ in
+(1): these 10 primes all cause the Fermat test to be
+satisfied. Assuming that $3~|~p-1$, 1/3 of non-zero congruenece
+classes are perfect cubes modulo $p$.
+
+For $J$ to pass Rabin's test, we must also ensure that, for every $p$
+in (1), the 2-part of the order of $p$ modulo $J_1$ is equal to the
+2-part of the order of $p$ modulo $J_2$. 3 and 3l are both quadratic
+residues modulo both $J_1$ and $J_2$, whilst the other primes are all
+non-residues. For the non-residues, the 2-part is maximal, viz $2^2$
+modulo both these factors, so these eight primes all cause $J$ to pass
+Rabin's test, as well as Fermat's. 3 and 3l are, in fact, not only
+quadratic residues, but also quartic residues for both $J_1$ and
+$J_2$, so their orders have 2-part $2^0$, and hence also cause $J$ to
+pass Rabin's test.
+
+Since $J_2\equiv J_1\equiv 1~(\text{mod}~4)$, the quadratic character
+$(a~|~J_i)=(J_i~|~a)$, and so depends only on the value of
+$J_i~(\text{mod}~a)$ (in general, one might have to work modulo
+$4a$). $J_2=3J_1-2$, so the two are not independent, but we would
+expect 1/4 of congruence classes of $J_1~(\text{mod}~a)$ to make $a$ a
+non-residue for both $J_1$ and $J_2$. Another 1/4 would have $a$ a
+quadratic residue for both, but it would then be necessary to
+investigate quartic properties, and so on. For a given $a$,
+asymptotically, about 1/3 of the values of $J_1$ will arrange that the
+quadratic, quartic, octic etc. characters of $a$ module $J_1$ and
+$J_2$ are compatible with passing Rabin's tightening of the Fermat
+test.
+
+What are the implications of this for an $n$-step Rabin algorithm, if
+our opponent, the person who is trying to find a composite $N$ such
+that our use of Rabin's algorithm says ``$N$ is probably prime'',
+chooses $N=M_1\cdot M_2$, with $M_1$, $M_2$ prime and $M_2-1=3(M_1-1)$
+(and hence $M_1\equiv 1~(\text{mod}~3)$, otherwise $x=3$ will fail
+Rabin's test)? Each prime $p$ we use forces the condition that $p$
+should be a perfect cube module $M_2$ -- satisfied about 1/3 of the
+time. In addition, the quadratic characters of $p$ module $M_1$ and
+$M_2$ must be compatible -- at best, with
+$M_1-1\equiv 2~(\text{mod}~4)$, this happens 1/3 of the time on
+average. Hence each $p$ we use imposes constraints satisfied about 1/9
+of the time (assuming independence, which seems in practice to be the
+case). So we might expect to find a ``rogue'' number with $M_1$ about
+$9^n$, and so $N$ is about $9^{2n}$, which is $10^{19}$ if
+$n=10$. However, we also have to insist that $M_1$ and $M_2$ are prime,
+which reduces our chance of finding a rogue pair quite considerably --
+roughly by 1/22 for each of $M_1$ and $M_2$, which would give us an
+estimated ``time to find a rogue value'' of $5\cdot 10^{21}$. We can,
+in fact, be surprised that $J$ is as large as it is -- perhaps a
+smaller value exists.
+
+\section{Roots of $-1$}
+
+Here we look at observation (A) above -- that a suspicious human being
+would observe more than two square roots of $-1$, and hence deduce
+that $J$ was not prime, irrespective of the details of Rabin's
+algorithm. This is certainly true -- how programmable, and how widely
+applicable, is it? A global (to {\tt prime?} and
+{\tt rabinProvesComposite}) variable {\tt rootsMinus1} is added, whose
+type is a {\tt Set} of {\tt I}. The code now reads:
+\begin{verbatim}
+ "Roots of -1" Modifications
+
+[ 1] prime? n ==
+[ 2] n < two => false
+[ 3] n < nextSmallPrime => member?(n, smallPrimes)
+[ 4] not one? gcd(n, productSmallPrimes) => false
+[ 5] n < nextSmallPrimeSquared => true
+[ 6] nm1:=n-1
+[ 7] q := (nm1) quo two
+[ 8] for k in 1.. while not odd? q repeat q := q quo two
+[ 9] -- q = (n-1) quo 2**k for largest possible k
+[10] mn := minIndex smallPrimes
+[10g] rootsMinus1 := [] -- the empty set
+[11] for i in mn+1..mn+10 repeat
+[12] rabinProvesComposit(smallPrimes i,n,nm1,q,k) => return false
+[13] true
+[14]
+[15] rabinProvesComposite(p,n,mn1,q,k) ==
+[16] -- nm1 = n-1 = q*2**k; q odd
+[17] -- probability false for n composite is < 1/4
+[18] -- for most n this probability is much less than 1/4
+[19] t := powmod(p, q, n)
+[20] -- neither of these cases tells us anything
+[21] if not (one? t or t = nm1) then
+[22] for j in 1..k-1 repeat
+[22a] oldt := t
+[23] t := mulmod(t, t, n)
+[24] one? t => return true
+[25] -- we have squared somethiong not -1 and got 1
+[26] t = mn1 =>
+[26a] rootsMinus1:=union(rootsMinus1,oldt)
+[26b] # rootsMinus1 > 2 => return true
+[27] leave
+[28] not (t = nm1) => return true
+[29] false
+\end{verbatim}
+
+These changes certainly stop the algorithm from returning ``N is
+probably prime'' on the Jaeschke number, and do not otherwise alter
+the correctness of the algorithm, so might as well be
+incorporated. They only take effect when $k>1$, since only then is the
+loop at [22] onwards executed.
+
+If $k>1$ then these changes certainly may be executed. But if all the
+prime factors $p_i$ of $N$ have small 2-part in $\phi(p_i)$, in
+particular if the 2-part of $\hat{\phi}(N)=2^1$, then these changes
+will not take effect (but those proposed in the next section will). In
+general it is hard to analyse the precise contribution of these
+changes, other than to be certain that it is never negative.
+
+\section{The ``maximial 2-part'' test}
+
+Here we attempt to generalise observation (B) above. Let us suppose
+that $N$ is still the composite number that we wish to prove is
+composite, and that $N=\prod_{i=1}^n p_i$ with the $p_i$
+distinct. Write $N=1+2^kl$ with $l$ odd, and $p_i=1+2^{k_i}l_i$, with
+$l_i$ odd. Clearly $k \ge \text{min}_i~k_i$, if $N$ were prime, we
+would know that half the residue classes modulo $N$ were quadratic
+non-residue, and hence we would expect half the $x$-values chosen to
+have 2-order $k$. Conversely, if all the $k_i$ were equal to each
+other and to $k$, we would expect $X$ to be a quadratic non-residue
+about half the time {\sl with respect to each $p_i$}, and so about 1
+in $2^n$ of the $x$-values will have maximal 2-rank.
+
+One very simple variant on this test that can be imposed is to insist
+that, before deciding that ``$N$ is probably prime'', we actually
+observe an element of 2-order $k$. If $N$ actually were prime, we
+would have a chance of 1023/1024 of observing this before finishing
+the loop starting on line [11], so this test is extremely unlikely to
+slow down the performance of the system on primes. On non-primes, it
+may slow us down, but increases the change of our giving the
+``correct'' answer.
+
+We need a global (to {\tt prime?} and {\tt rabinProvesComposite})
+variable {\tt count2Order} whose type is a {\tt Vector} of
+{\tt NonNegativeInteger}s. This variable is used to count the number
+of elements of each 2-order.
+\begin{verbatim}
+ "Maximal 2-part" Modifications
+
+[ 1] prime? n ==
+[ 2] n < two => false
+[ 3] n < nextSmallPrime => member?(n, smallPrimes)
+[ 4] not one? gcd(n, productSmallPrimes) => false
+[ 5] n < nextSmallPrimeSquared => true
+[ 6] nm1:=n-1
+[ 7] q := (nm1) quo two
+[ 8] for k in 1.. while not odd? q repeat q := q quo two
+[ 9] -- q = (n-1) quo 2**k for largest possible k
+[10] mn := minIndex smallPrimes
+[10g] rootsMinus1 := [] -- the empty set
+[10h] count2Order := new(k,0) -- vector of k zeros
+[11] for i in mn+1..mn+10 repeat
+[12] rabinProvesComposit(smallPrimes i,n,nm1,q,k) => return false
+[12e] currPrime:=smallPrimes(mn+10)
+[12f] while count2Order(k) = 0 repeat
+[12g] currPrime := nextPrime currPrime
+[12h] rabinProvesComposite(currPrime,n,nm1,q,k) => false
+[13] true
+[14]
+[15] rabinProvesComposite(p,n,mn1,q,k) ==
+[16] -- nm1 = n-1 = q*2**k; q odd
+[17] -- probability false for n composite is < 1/4
+[18] -- for most n this probability is much less than 1/4
+[19] t := powmod(p, q, n)
+[19a] if t=mn1 then count2Order(1):=count2Order(1)+1
+[20] -- neither of these cases tells us anything
+[21] if not (one? t or t = nm1) then
+[22] for j in 1..k-1 repeat
+[22a] oldt := t
+[23] t := mulmod(t, t, n)
+[24] one? t => return true
+[25] -- we have squared somethiong not -1 and got 1
+[26] t = mn1 =>
+[26a] rootsMinus1:=union(rootsMinus1,oldt)
+[26b] # rootsMinus1 > 2 => return true
+[26c] count2Order(j+1):=count2Order(j+1)+1
+[27] leave
+[28] not (t = nm1) => return true
+[29] false
+\end{verbatim}
+We currently collect more information than we use. Again, this
+modification to the Rabin algorithm proves that the Jaeschke number
+is not prime.
+
+\section{How would one defeat these modifications?}
+
+It is all very well to propose new algorithms, an demonstrate that
+they are ``better'' than the old ones, but might they really have
+loop-holes just as large? The ``maximal 2-part'' requirement defeats a
+whole family of pseudoprimes -- all those of the form
+$(K+1)\cdot (rK+1)$ with $r$ odd, since then $N-1$ has a higher 2-part
+than $\hat{\phi}(N)$. This test is therefore useful in general, and
+defeats any straight-forward generalisation of the Jaeschke number to
+larger sets of $x$.
+
+There are various possible constructions which these modifications do
+not defeat. We could make our pseudoprime $N$ take the form
+$(K+1)\cdot(6K+1)$ with $K\equiv 2~(\text{mod}~4)$. Then the 2-part of
+$\hat{\phi}(N)$ would be $2^2$, whereas that of $N-1$ would be $2^1$
+(and so the ``roots of -1'' enhancement would never operate). A value
+$x$ would pass Rabin's test, with the ``maximal 2-part'' enhancement,
+if it were
+\begin{itemize}
+\item[(1)] a cubic residue modulo $6K+1$
+\item[(2)] a quadratic residue modulo $6K+1$
+\item[(3)] a quartic non-residue modulo $6K+1$
+\item[(4)] a quadratic non-residue modulo $K+1$
+\end{itemize}
+
+On average, one $K$-value in 24 will have these properties for a fixed
+$x$.
+
+A value $x$ would also pass Rabin's test, but would not contribute to
+the ``maximal 2-part'', if it were
+\begin{itemize}
+\item[(1)] a cubic residue modulo $6K+1$
+\item[(2)] a quadratic residue modulo $6K+1$
+\item[(3)] a quartic residue modulo $6K+1$
+\item[(4)] a quadratic residue modulo $K+1$
+\end{itemize}
+
+Again, on average, one $K$-value in 24 will have these properties for
+a fixed $x$.
+
+We note, therefore, that we might expect 50\% of $x$-values causing
+$N$ to pass Rabin's test to have 2-part $2^1$ and 50\% to have 2-part
+$2^0$; the same distribution as for a prime value of $N$ (with
+$k=1$). If we use $n$ different $x$-values, we might expect $K$ to
+have to be of the order of $12^n$, and $N$ to be of the order of
+$144^n$. In addition, both $K+1$ and $6K+1$ have to be prime. For
+$n=10$, the probability of this is about 1/25, so we might expect to
+find such an $N$ at around $2\cdot 10^{24}$.
+
+\section{Leech's attack}
+
+Leech \cite{Leec92} has suggested an attack of the form
+$N=(K+1)\cdot (2K+1)\cdot (3K+1)$. If the three factors are prime
+(which incidentally forces $K=2$, a case we can discard, or
+$K\equiv 0~(\text{mod}~6$)), then these numbers are certainly Carmichael,
+and hence a good attack on the original version of Rabin's
+algorithm. Indeed, almost 25\% of seed values will yield the result
+``$N$ is probably prime''.
+
+Fortunately, we are saved by the ``maximal 2-part'' variant. Suppose
+$K=3\cdot n\cdot 2^m$ with $n$ odd (and $m$ at least 1). Then the
+maximal 2-part we can actually observe is $2^m$, whereas
+\[N-1=162 n^3 (2^m)^3 + 90 n^2 (2^m)^2 + 18 n 2^m\]
+which is divisible by $2^{m+1}$. Hence we will never observe an element
+of the maximal 2-part, and the loop at line [12f] will run until a
+counter-example to primality is found.
+
+In fact, if $m=1$, $N-1$ is divisible by 8, and if $m>1$, $N-1$ is
+divisible by $2^{m+1}$, which is at least 8. Hence the ``roots of -1''
+test also acts, and reduces the probability of passing the modified
+Rabin well below 25\%.
+
+Other forms of attack are certainly possible, e.g. taking
+$N=(K+1)\cdot (3K+1)\cdot (5K+1)$. Here the ``maximal 2-part'' does
+not help us, since the 2-part of $N-1$ is equal to that of
+$\hat{\phi}(N)$. However these numbers are not generally Carmichael,
+only ``nearly Carmichael'', since 5 does not divide $N-1$. Hence we
+would need to insist that all our seed values were quintic residues
+modulo $5K+1$ as well as having the same 2-part modulo all the
+factors, and so on. These more complex families seem to create more
+problems for the inventor of counter-examples, so we can probably say
+that taking one prime for every factor of 100 in $N$ probably makes the
+systematic construction of counter-examples by this technique
+impossible.
+
+However, if we also force $K\equiv 12~(\text{mod}~30)$, Leech
+\cite{Leec92} has pointed out that $N$ is Charmichael. By
+construction, the factors are congruent to each other, and to their
+product, modulo 12, so the quadratic characters of 3 modulo the
+different factors are compatible. In fact we also need
+$K\equiv 0~(\text{mod}~7)$, since $K\equiv 1,3,5$ gives incompatible
+quadratic characters for 7 modulo the different factors, and
+$K\equiv 2,4,6$ gives non-prime factors. However, the three factors
+are congruent respectively to 3, 2 and 1 modulo 5, and so 5 will be a
+quadratic non-residue modulo the first two factors, but a residue
+modulo the last, hence ensuring that Rabin's algorithm with $x=5$
+always says ``$N$ is certainly composite''.
+
+\section{The $(K+1)\cdot (2K+1)$ attack}
+
+This attack has been used recently by Arnault \cite{Arna91} to defeat
+the set of $x$-values
+\[\{2,3,5,7,11,13,17,19,23,29\}\]
+The number
+\[1195068768795265792518361315725116351898245581=\]
+\[48889032896862784894921\cdot 24444516448431392447461\]
+passes all these tests. In effect, the requirement is that $x$ be a
+quadratic residue modulo $2K+1$, and that the quadratic character of
+$x$ modulo $K+1$ should equate to the quartic character of $x$ modulo
+$2K+1$. These conditions are satisfied for approximately 25\% of
+$K$-values. In addition, of course, $K+1$ and $2K+1$ must be prime. It
+would almost certainly be possible to construct a much smaller number
+than Arnault's, with the same properties -- he fixed the congruences
+classes he was considering; for example he chose one class modulo 116,
+rather than examining all 29 satisfactory classes.
+
+This form of attack is particularly worrying, since it is much easier
+to use than the other attacks in the previous sections. Indeed, one
+should probably consider $\text{log}_4~N$ values $x$ to test a number
+$N$ if one is to defend against this attack. Fortunately, we have a
+simpler defence; we can check explicitly if the number we are given is
+of the form.
+
+It is worth noting that Damgard and Landrock \cite{Damg91} prove the
+following.
+
+{\bf Theorem} {\sl If N is an odd composite number, such that N is not
+divisible by 3, and more than 1/8 of the x-values yield ``N is
+probably prime'' then one of the following holds}
+\begin{itemize}
+\item {\sl N is a Carmichael number with precisely three prime factors}
+\item $3N+1$ {\sl is a perfect square}
+\item $8N+1$ {\sl is a perfect square}
+\end{itemize}
+
+$8(K+1)\cdot (2K+1)+1=(4K+3)^2$, so this attack is a special case of
+the above theorem. There seems no reason not to test both the
+exceptional conditions in the Damgard-Landrock Theorem -- such numbers
+are always composite, except for trivial cases ruled out by lines
+before [ 5].
+\begin{verbatim}
+ "Damgard-Landrock" Modifications
+
+[ 1] prime? n ==
+[ 2] n < two => false
+[ 3] n < nextSmallPrime => member?(n, smallPrimes)
+[ 4] not one? gcd(n, productSmallPrimes) => false
+[ 5] n < nextSmallPrimeSquared => true
+[ 6] nm1:=n-1
+[ 7] q := (nm1) quo two
+[ 8] for k in 1.. while not odd? q repeat q := q quo two
+[ 9] -- q = (n-1) quo 2**k for largest possible k
+[10] mn := minIndex smallPrimes
+[10g] rootsMinus1 := [] -- the empty set
+[10h] count2Order := new(k,0) -- vector of k zeros
+[11] for i in mn+1..mn+10 repeat
+[12] rabinProvesComposit(smallPrimes i,n,nm1,q,k) => return false
+[12a] import IntegerRoots(I)
+[12b] q > 1 and perfectSquare?(3*n+1) => false
+[12c] ((n9:=n rem (9::I))=1 or n9 = -1) and perfectSquare(8*n+1) => false
+[12d] -- Both previous tests fro Damgard & Landrock
+[12e] currPrime:=smallPrimes(mn+10)
+[12f] while count2Order(k) = 0 repeat
+[12g] currPrime := nextPrime currPrime
+[12h] rabinProvesComposite(currPrime,n,nm1,q,k) => false
+[13] true
+[14]
+[15] rabinProvesComposite(p,n,mn1,q,k) ==
+[16] -- nm1 = n-1 = q*2**k; q odd
+[17] -- probability false for n composite is < 1/4
+[18] -- for most n this probability is much less than 1/4
+[19] t := powmod(p, q, n)
+[19a] if t=mn1 then count2Order(1):=count2Order(1)+1
+[20] -- neither of these cases tells us anything
+[21] if not (one? t or t = nm1) then
+[22] for j in 1..k-1 repeat
+[22a] oldt := t
+[23] t := mulmod(t, t, n)
+[24] one? t => return true
+[25] -- we have squared somethiong not -1 and got 1
+[26] t = mn1 =>
+[26a] rootsMinus1:=union(rootsMinus1,oldt)
+[26b] # rootsMinus1 > 2 => return true
+[26c] count2Order(j+1):=count2Order(j+1)+1
+[27] leave
+[28] not (t = nm1) => return true
+[29] false
+\end{verbatim}
+
+\section{Conclusions}
+
+It is certainly possible to draw more information from a fixed set of
+$x$-values than Rabin's original algorithm does, and we have explained
+two ways of doing this. While we have not yet constructed a number
+that defeats our enhanced version of Rabin's algorithm, it should
+certainly be possible to do so, if the set of $x$-values is fixed. In
+general, the number of primes used should be proportional to log $N$,
+and we have made some suggestions as to what the constant of
+proportionality should be. A better constant of proportionality can be
+used if we test explicitly for numbers of the form
+$(K+1)\cdot (2K+1)$, probably via the Damgard-Landrock Theorem. This
+approach converts Rabin's algorithm form a $O(\text{log}^3~N)$ test to
+a $O(\text{log}^4~N)$, but we believe that a general-purpose system
+needs the additional security.
+
+It must be emphasised that we have not produced a guaranteed
+$O(\text{log}^4~N)$ primality test: merely one that we do not believe
+we can break by the technology we know. It would be tempting to
+conjecture that, with an appropriate constant of proportionality, this
+test is guaranteed never to return ``$N$ is probalby prime'' when in
+fact it is composite. The closest result to this we know of is a
+statement by Lenstra \cite{Lens80} (see also Koblitz \cite{Kobl87})
+that, if suitable assumptions similar to the generalised Riemann
+hypothesis are made, the 70 $\text{log}^2~N$ values suffice, which
+would be a $O(\text{log}^5~N)$ primality test.
+\begin{verbatim}
+ The Pomerance et al. Modifications
+
+[ 0a] PomeranceList:=[25326001::I,161304001::I,960946321::I,1157839381::I,
+[ 0b] -- 3215031751::I, -- has a factor of 151
+[ 0c] 3697278427::I, 5764643587::I, 6770862367::I,
+[ 0d] 14386156093::I, 15579919981::I, 18459366157::I,
+[ 0e] 18459366157::I, 21276028621::I]::(List I)
+[ 0f] PomeranceLimit:=(25*10**9)::I
+[ 1] prime? n ==
+[ 2] n < two => false
+[ 3] n < nextSmallPrime => member?(n, smallPrimes)
+[ 4] not one? gcd(n, productSmallPrimes) => false
+[ 5] n < nextSmallPrimeSquared => true
+[ 6] nm1:=n-1
+[ 7] q := (nm1) quo two
+[ 8] for k in 1.. while not odd? q repeat q := q quo two
+[ 9] -- q = (n-1) quo 2**k for largest possible k
+[10] mn := minIndex smallPrimes
+[10a] n < PomeranceLimit =>
+[10b] rabinProvesCompositeSmall(2::I,n,nm1,q,k) => return false
+[10c] rabinProvesCompositeSmall(3::I,n,nm1,q,k) => return false
+[10d] rabinProvesCompositeSmall(5::I,n,nm1,q,k) => return false
+[10e] member?(n,PomeranceList) => return false
+[10f] true
+[10g] rootsMinus1 := [] -- the empty set
+[10h] count2Order := new(k,0) -- vector of k zeros
+[11] for i in mn+1..mn+10 repeat
+[12] rabinProvesComposit(smallPrimes i,n,nm1,q,k) => return false
+[12a] import IntegerRoots(I)
+[12b] q > 1 and perfectSquare?(3*n+1) => false
+[12c] ((n9:=n rem (9::I))=1 or n9 = -1) and perfectSquare(8*n+1) => false
+[12d] -- Both previous tests fro Damgard & Landrock
+[12e] currPrime:=smallPrimes(mn+10)
+[12f] while count2Order(k) = 0 repeat
+[12g] currPrime := nextPrime currPrime
+[12h] rabinProvesComposite(currPrime,n,nm1,q,k) => false
+[13] true
+[14]
+[15] rabinProvesComposite(p,n,mn1,q,k) ==
+[16] -- nm1 = n-1 = q*2**k; q odd
+[17] -- probability false for n composite is < 1/4
+[18] -- for most n this probability is much less than 1/4
+[19] t := powmod(p, q, n)
+[19a] if t=mn1 then count2Order(1):=count2Order(1)+1
+[20] -- neither of these cases tells us anything
+[21] if not (one? t or t = nm1) then
+[22] for j in 1..k-1 repeat
+[22a] oldt := t
+[23] t := mulmod(t, t, n)
+[24] one? t => return true
+[25] -- we have squared somethiong not -1 and got 1
+[26] t = mn1 =>
+[26a] rootsMinus1:=union(rootsMinus1,oldt)
+[26b] # rootsMinus1 > 2 => return true
+[26c] count2Order(j+1):=count2Order(j+1)+1
+[27] leave
+[28] not (t = nm1) => return true
+[29] false
+\end{verbatim}
+
+\begin{verbatim}
+ O(Log^4 N) Modifications
+
+[ 0a] PomeranceList:=[25326001::I,161304001::I,960946321::I,1157839381::I,
+[ 0b] -- 3215031751::I, -- has a factor of 151
+[ 0c] 3697278427::I, 5764643587::I, 6770862367::I,
+[ 0d] 14386156093::I, 15579919981::I, 18459366157::I,
+[ 0e] 18459366157::I, 21276028621::I]::(List I)
+[ 0f] PomeranceLimit:=(25*10**9)::I
+[ 1] prime? n ==
+[ 2] n < two => false
+[ 3] n < nextSmallPrime => member?(n, smallPrimes)
+[ 4] not one? gcd(n, productSmallPrimes) => false
+[ 5] n < nextSmallPrimeSquared => true
+[ 6] nm1:=n-1
+[ 7] q := (nm1) quo two
+[ 8] for k in 1.. while not odd? q repeat q := q quo two
+[ 9] -- q = (n-1) quo 2**k for largest possible k
+[10] mn := minIndex smallPrimes
+[10a] n < PomeranceLimit =>
+[10b] rabinProvesCompositeSmall(2::I,n,nm1,q,k) => return false
+[10c] rabinProvesCompositeSmall(3::I,n,nm1,q,k) => return false
+[10d] rabinProvesCompositeSmall(5::I,n,nm1,q,k) => return false
+[10e] member?(n,PomeranceList) => return false
+[10f] true
+[10g] rootsMinus1 := [] -- the empty set
+[10h] count2Order := new(k,0) -- vector of k zeros
+[11] for i in mn+1..mn+10 repeat
+[12] rabinProvesComposit(smallPrimes i,n,nm1,q,k) => return false
+[12a] import IntegerRoots(I)
+[12b] q > 1 and perfectSquare?(3*n+1) => false
+[12c] ((n9:=n rem (9::I))=1 or n9 = -1) and perfectSquare(8*n+1) => false
+[12d] -- Both previous tests fro Damgard & Landrock
+[12e] currPrime:=smallPrimes(mn+10)
+[12f] probablySav=fe:=tenPowerTwenty
+[12g] while count2Order(k) = 0 or n > probablySaferepeat
+[12h] currPrime := nextPrime currPrime
+[12i] probablySafe:=probablySafe*(100::I)
+[12j] rabinProvesComposite(currPrime,n,nm1,q,k) => false
+[13] true
+[14]
+[15] rabinProvesComposite(p,n,mn1,q,k) ==
+[16] -- nm1 = n-1 = q*2**k; q odd
+[17] -- probability false for n composite is < 1/4
+[18] -- for most n this probability is much less than 1/4
+[19] t := powmod(p, q, n)
+[19a] if t=mn1 then count2Order(1):=count2Order(1)+1
+[20] -- neither of these cases tells us anything
+[21] if not (one? t or t = nm1) then
+[22] for j in 1..k-1 repeat
+[22a] oldt := t
+[23] t := mulmod(t, t, n)
+[24] one? t => return true
+[25] -- we have squared somethiong not -1 and got 1
+[26] t = mn1 =>
+[26a] rootsMinus1:=union(rootsMinus1,oldt)
+[26b] # rootsMinus1 > 2 => return true
+[26c] count2Order(j+1):=count2Order(j+1)+1
+[27] leave
+[28] not (t = nm1) => return true
+[29] false
+\end{verbatim}
+
\chapter{Finite Fields in Axiom (Grabmeier/Scheerhorn)}
This was written by Johannes Grabmeier and Alfred Scheerhorn.
diff --git a/changelog b/changelog
index ffc1490..5bfb1c6 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,5 @@
+20180629 tpd src/axiom-website/patches.html 20180629.03.tpd.patch
+20180629 tpd books/bookvol10.1 add chapter on Primality Testing
20180629 tpd src/axiom-website/patches.html 20180629.02.tpd.patch
20180629 tpd books/bookvol13 add additional ideas to explore
20180629 tpd src/axiom-website/patches.html 20180629.01.tpd.patch
diff --git a/patch b/patch
index abf7b07..95d23aa 100644
--- a/patch
+++ b/patch
@@ -1,3 +1,3 @@
-books/bookvol13 add additional ideas to explore
+books/bookvol10.1 add chapter on Primality Testing
-Goal: Proving Axiom Sane
+Goal: Axiom Literate Programming
diff --git a/src/axiom-website/patches.html b/src/axiom-website/patches.html
index 6f9b795..5840e46 100644
--- a/src/axiom-website/patches.html
+++ b/src/axiom-website/patches.html
@@ -5942,6 +5942,8 @@ books/bookvolbib add references

books/*.sty add latex style files

20180629.02.tpd.patch
books/bookvol13 add additional ideas to explore

+20180629.03.tpd.patch
+books/bookvol10.1 add chapter on Primality Testing

--
1.9.1