# Primality testing
-----------------------------------------
We want to know whether a given integer is prime or not.

## Modules

In [4]:
import numpy as np
import math as m

### Definition 1: Ring
A ring is a triplet $(A, +, \cdot)$, where $A$ is a set, and $(+, \cdot)$ are  binary operatios in $A$ where:  
1. $(A, +)$ is an abelian group.
2. $A$ is close under $\cdot$. 
3. $(A, \cdot)$ is asociative.
4. $(A, \cdot)$ is disributive with respect to $(A, +)$.



### Definition 2: Prime number  
An integer $N \in \mathbb{N}_{\geq2}$ is a prime number if $N | ab$ implies $N | a$ or $N | b$, or, equivalently, if $ab = N$ implies that $a \in {\pm 1}$ or $b \in {\pm 1}$, for all $a, b \in \mathbb{Z}$.

### Definition 3: Coprime integers
Let $a, b \in \mathbb{Z}$ such that $gcd(a, b) = 1$ the they are called coprimes.


### Definition 4: Euler's totient funtion
Euler's totient funtion counts the positive integers up to a given integer $n$ that are relatively prime to $n$. It is written as
$$\varphi(n)$$


### Definition 5: Coset
Let $g \in G$ and a sobgroup $H$ of $G$. The left and right cosets are define as follows:
$$gH = \{gh : h \in H\}$$
$$Hg = \{hg : h \in H\}$$

### Definition 6: Index of a group
It's the number of the cosets of a subgroup $H$ in a group $G$. It's written as
$$|G:H|$$

### Definition 7: Order de un número
The order of $a$ mod $N$ is the smallest integer $k>1$ such that $a^k \equiv 1 \mod N$. It is written as $ord_N(a)$.

### Definition 8: Equivalence relation
An equivalence relation on $G$ is a relation that satisfy the following properties: reflexive, symmetric and transitive. That is, for all $a, b$ and $c \in G$  
1. $aRa$
2. If $aRb$ then $bRa$
3. If $aRb \wedge bRc$ then $aRc$


### Theorem 1:
For a group $G$ and a subgroup $H$ of $G$ the relation $\sim_{H}$ define as $$x \sim_{H} y \Leftrightarrow x^{-1}y \in H$$ is an equivalence relation.  

**Proof**  
For all$a, b, c \in G$ we have the following
1. $a \sim_{H} a$ since $a*a^{-1} = I_{G} \in H$
2. If $a \sim_{H} b$ then $a*b^{-1} \in H \rightarrow (b*a^{-1})^{-1} \in H \rightarrow b*a^{-1} \in H \rightarrow b \sim_{H} a$
3. If $a \sim_{H} b$ and $b \sim_{H} c$ then $a*b^{-1}, b*c^{-1} \in H \rightarrow a*b^{-1}, (b^{-1}*c)^{-1} \in H $  
$\rightarrow a*b^{-1}, b^{-1}*c \in H \rightarrow a*b^{-1}, (b^{-1}*c)^{-1} \in H$

Therefore, $\sim_{H}$ is an equivalence relation.

### Theorem 2: Lagrange Theorem
If $G$ is a finite group and $H$ a subgroup of $G$, then
$$|G| = |H||G:H|$$
where $|G|$ and $|H|$ are the order of $G$ and $H$, and $[G:H]$ is the index of $H$ in $G$.

**Proof**  
Consider the equivalence relation ~$_{H}$ proven in the **Theorem 1**. 
Let's take the left coset $gH$ as the equivalence class of $g$ under the relation $\sim_{H}$. Since $G$ is partitioned into $[G:H]$ distinct left cosets then $|G| = \sum_{k=1}^{[G:H]}|g_kH|$. Finally, because of all left cosets have a cardinality equal to $|H|$ then it follows that $|G| = [G:H]|H|$.

### Corollary 1:
Suppose that $G$ is a finite group and $g \in G$. Then the order of $g$ must divide the number of elements in $G$.

### Theorem 3: Euler's Theorem
If $a$ and $n$ are positive integer such that $p$ and $a$ are coprime then $$a^{\varphi(n)} \equiv 1 \mod n$$

**Proof**  
Consider the group $(G, \otimes)$, where $G=\{a \mod n \in \mathbb{Z_n}: gcd(a, n) = 1\}$ and $\otimes$  is the multiplicative operation under the module $n$.   
Now, let $a$ be between $1$ and $\varphi(n)$, that is, an element of $G$, and $k$ the order of $a$. Then, we have the following $$a^k \equiv 1 \mod n$$  
Hence, by the Lagrange theorem, k divide the order of $G$, that is, $\varphi(n) = km$ for any integer $m$. Then $$a^{\varphi(n)} \equiv a^{km} \equiv (a^k)^m \equiv 1^m \equiv 1 \mod n$$

### Theorem 4: Fermat's Little Theorem
If $p$ is prime and $a$ is a positive integer such that $p$ and $a$ are coprime then $$a^{p-1} \equiv 1 \mod p$$

**Proof**  
By euler's theorem we have that $$a^{\varphi(p)} \equiv 1 \mod p$$
Since, $p$ is a prime number we have that $\varphi(p) = p-1$.  
Therefore, $$a^{p-1} \equiv 1 \mod p$$

### Definition 9: Mersenne number
It is a positive integer number $M_n$ define as follows
$$M_n = 2^n -1$$

#### Note
The largest known prime is a Mersenne number, it was discovered on 23 August 2008. It is $M_{43112609}$

### Theorem 10: Fermat's numbers
Fermat's numbers are define as 
$$F_n = 2^{2^n} + 1$$
where $n \in \mathbb{N}$

#### Note 
Pierre Fermat conjectured in August 1640 that all Fermat's numbers are prime, while he communicated his famous “little” theorem in a letter dated 18 October 1640. However, $3^{2^{32}} \equiv 1461798105 \not \equiv 1 \mod 2^{32} + 1$; therefore, by Fermat’s little theorem, Fermat’s conjecture is false :c. 

### Definition 11: Mersenne prime number
It is a mersenne number that is also prime.

## Theorem 11: FUNDAMENTAL THEOREM OF ARTIHMETIC  
Every positive integer can be writing as a product of positive prime factors.

### Theorem 12: Chinese remainder theorem
Let $n_1, ..., n_k$ be integers greater that 1. Let us define $N =\prod_{i = 1}^{k} n_i$.

The chinese remainder theorem asserts that if the $n_i$ are pairwise coprime, and if $a_1, ..., a_k$ are integers such that $0 \leq a_i \leq n_i$ for every $i$, then there is one and only one integer $x$, such that $0 \leq x \leq N$ and $x \equiv a_i \mod n_i$ for all $i$.


### Lemma 18.1
Let $N \in \mathbb{N_ {\geq2}}$.
1. If $a\in \mathbb{Z}$ is coprime to $N$ and $k \in \mathbb{N}$ with $a^k \equiv 1 \mod N$, then $ord_N(a)$ divides $k$. In particular $ord_N(a)$ divides $\varphi(N)$.
2. If $p$ is prime, $e \in \mathbb{N}_{\geq 2}$, $N = p^e$ and $a=1+p^{e-1}$, then $ord_N(a) = p$.

**Proof**  
1. Let $e = ord_N(a)$ and divide $k$ by $e$ with remainder: $k = qe+r$ with $0 \leq r \leq e$. Then $a^r = a^{k-qe} = a^k \cdot (a^e)^{-q} = 1 \cdot (1)^{-q} \equiv 1 \mod N$. Hence, since $e > r$ then the only way $a^{r} \equiv 1 \mod N$ is that $r=0$.  
By Euler's theorem, we have $a^{\varphi(N)} \equiv 1 \mod N$, since $ord_N(a)$ divides all $k$ then in particular it divides $k = \varphi(N)$.  

2. We have $a^p \equiv \sum_{0 \leq i \leq p} \binom{p}{i} p^{(e-1)i} \equiv 1 mod p^e$ by a property of congruency. By (1), $ord_N(a)$ is either 1 or $p$, and since $a \not \equiv 1 \mod N$, the claim follows. 

## Algorithms

Here we are going to star by the usual testing algorithm.

### ALGORITHM Testing whether is primer or not
--------------------------------------------------
**Input:** $N \in Z^{+}$.  
**Output:** True if it's **prime** else False.  
1. **for** $i = 2, 1, ..., \sqrt{N}+1$ **do**   
 $\ \ \ \ \ $ **if** $i | N$ **return** False
2. **else** **return** True
--------------------------------------------------
**O( $\sqrt{N}$)**

In [5]:
def usual_test(N):
    for i in range(2, int(m.sqrt(N))+1):
        if(N % i == 0):
            return False
    return True

In [101]:
for i in range(3, 100, 2):
    if usual_test(i):
        print(i, end=', ')
#     print(f"[{i}] is prime? : {usual_test(i)}")

3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 

It works pretty well, but as you could notice the running time of the algorithm grows along with the value of $N$

Here it's a more general approach to the above solution for cases that you want to know if more than one number is prime.

### ALGORITHM Get primes with the sieve of Eratosthenes
--------------------------------------------------
**Input:** $n \in Z^{+}$.
**Output:** All prime numbers less than $n$.  
1. Let be $mark_i \leftarrow False$, $primes_i \leftarrow 0$ for all $i \in \{0, n\}$ and $c = 0$.
2. **for** $i = 2, 3, 4, ..., n$ **do**  
   $\ \ \ \ \ \ $ **if** $mark[i] = True$ **then** **i** is **composite**   
   $\ \ \ \ \ \ $ **else**   
   $\ \ \ \ \ \ $ $\ \ \ \ \ \ $ **i** is **prime**  
   $\ \ \ \ \ \ $ $\ \ \ \ \ \ $ $primes_c = i$, $c +=1$, $j=2*i$  
   $\ \ \ \ \ \ $ $\ \ \ \ \ \ $ **while** $j <= n$ **do**   
   $\ \ \ \ \ \ $ $\ \ \ \ \ \ $ $\ \ \ \ \ \ $ $mark[j]$ $\leftarrow$ True, $j+=i$ 
3. **return** $primes$
--------------------------------------------------
**O( n * H(n) )**

### Harmonic number
The n-th harmonic number is the sum of the reciprocals of the first n natural numbers
$$H_n := 1 + \frac{1}{2} + \frac{1}{3} + ... + + \frac{1}{n} = \sum_{k=1}^{n} + \frac{1}{k}$$

In [8]:
def get_primes(n):
    primes = list()
    mark = [False]*n

    for i in range(2, n):
        if(mark[i]): continue
        primes.append(i)
        
        for j in range(2*i, n, i):
            mark[j] = True
    return primes

In [9]:
primes = get_primes(10**6)

However, we are looking for a faster algorithm to test primality.  

For this, first I am going to present you all two previous algorithms. Those are Eucludes' algorithm to find the greatest common divisor of two number.

### ALGORITHM Greatest Common DIvisor
--------------------------------------------------
**Input:** $a, b \in Z^{+}$ con $a>b$.
**Output:** $gcd(a, b)$.  
1. **if**(b = 0) **then** return a.
2. **else** **return** $gcd(b, a \ rem \ b)$
--------------------------------------------------
**O( loglog(b) )**  
__O(log(b))__
[Explanation](https://seriesdivergentes.wordpress.com/2010/02/03/gabriel-lame/)

In [10]:
def gcd(a, b):
    if(a < b):
        return gcd(b, a)
    elif(b == 0):
        return a
    return gcd(b, a%b)

And repeated squaring which will help us to do a more efficient exponentiation.

### ALGORITHM 4.8 Repeated squaring
--------------------------------------------------  
**Page 91**  
**Input:** $a \in R$ where $R$ is a ring with 1, and $n \in \mathbb{N}_{>0}$.  
**Output:** $a^n \in R$.  
1. { binary representation of n }  
write $n=2^k + n_{k-1} \cdot 2^{k-1} + ... + n_1 \cdot 2 + n_0$, with all $n_i \in \{0, 1\}$  
$b_k \leftarrow a$
2. **for** $i = k-1, k-2, ..., 0$ **do**  
   $\ \ \ \ \ \ $ **if** ($n_i = 1$) **then** $b_i \leftarrow b_{i+1}^2 a$   
   $\ \ \ \ \ \ $  **else** $b_i \leftarrow b_{i+1}^2$
3. **return** $b_0$
--------------------------------------------------
**O( $log_{2}(n)$))** 

In [11]:
def reapet_squared(a, n, mod):
    binary_n = bin(n)[2:][::-1]
    k = len(binary_n)
    b = [0]*(k)

    b[k-1] = a
    for i in range(k-2, -1, -1):
        if(binary_n[i] == '1'):
            b[i] = (b[i+1]**2 * a) % mod  
        else:
            b[i] = b[i+1]**2 % mod

    return b[0]


In [167]:
reapet_squared(28, 5, 17)

10

In [168]:
(28**5) % 17

10

Now start the fun part, here there is a probabilistic algorithm that test whether a number is prime or not.

### ALGORITHM 18.2 Fermat test
-------------------------------------------
**Page 535**  
**Input:** An odd integer $N \geq5$.  
**Output:** Either "composite" or "possibly prime".  
1. choose $a \in \{2, ..., N-2\}$ uniformly at random.  
2. call the reapeted squaring algorithm 4.8 to compute $b=a^{N-1}$ rem $N$.
3. **if** $b \neq 1$ **then** **return** "composite" **else return** "possibly prime".
--------------------------------------------
**O($log_2(N)$)**

In [14]:
%%html
<img src="https://drive.google.com/uc?export=download&id=1BwU4zXyj7cQVTtxgMjlvBd7F3wZdH_Mo">

In [15]:
def fermat_test(N):
    a = np.random.randint(N-2) + 2 
    b = reapet_squared(a, N-1, N)
    return "composite" if(b != 1) else "possibly prime"

This algorithm predict 100% composite numbers, but when it predict a prime number could be right or wrong.

### Definition 12: Fermat witness
If for any $1 < a < p-1$, and $n$ composite, $a$ holds the following
$$a^{n-1} \not\equiv 1 \mod n$$
then $a$ is known as a Fermat witness

### Definition 13: Fermat Liar
If for any $1 < a < p-1$, and $n$ composite, $a$ holds the following
$$a^{n-1} \equiv 1 \mod n$$
then $a$ is known as a Fermat liar

In [16]:
%%html
<img src="https://drive.google.com/uc?export=download&id=1vyefmuBN0hXNQKOS2iZLbua9pQiCfUIB">


This is because there are number that fulfill fermat test without being primes. Those are called Fermat Liars (FOOLS).  
Consider the following groups:

$$\mathbb{Z_{N}^{\times}} = \{a \mod N \in \mathbb{Z_N}: gcd(a, N) =1\}$$ 

$$L_N = \{u \in \mathbb{Z_{N}^{\times}}: u^{N-1} = 1\}$$ 

See that if $N$ is prime $L_N = Z_{N}^{\times}$, otherwise, that is $L_N \neq Z_{N}^{\times}$, $|L_N| \leq \frac{1}{2}|Z_{N}^{\times}|$, because of Lagrange theorem.

So, if we run the test $t$ times then $|L_N| \leq \frac{1}{2^t}|Z_{N}^{\times}|$, that is the more we repeat the process, the better results we will obtain.

### Theorem 18.3
If N is prime, then the Fermat test 18.2 return "possibly prime". If $N$ is composite and not a Carmichael number, then it returns "composite" with a probability at least $1/2$ The algorithm uses O($log_2 N \cdot M(log_2 N)$)

**Proof**  
If $gcd(a, N) \neq 1$, then also $gcd(b, N) \neq 1$, since $b$ is a power of $a$, and the test returns "composite", so that we only need to consider the cases where $a$ and $N$ are coprimes.  

If $N$ is "composite" and not Carmichael, then $|L_N| \leq \varphi(N)/2 = \frac{1}{2} \mathbb{Z_{N}^{\times}}$ by the Lagrange Theorem, so that at least half of the possible choices for $a$ in step 1 are Fermat witnesses.  

Repeated squaring in step 2 takes O(log_2 N) multiplications, since it is base on the binary representation of N. Let M be the complexity of make a multiplication, then the upper bound of the running time is O($log_2 N \cdot M(log_2 N)$.

In $N$ is a Carmichael number then it could happen one of the above cases, so the complexity stays as O($log_2 N \cdot M(log_2 N)$.



In [178]:
c=2
print("  Probability test \t   Prime number")
for i in range(5, 10000, 2):
    temp = fermat_test(i)
    if(temp == "possibly prime"):
        print(f'{c} \t [{i}] \t\t\t [{primes[c]}] ')
        if(i != primes[c]): break
        c+=1

  Probability test 	   Prime number
2 	 [5] 			 [5] 
3 	 [7] 			 [7] 
4 	 [11] 			 [11] 
5 	 [13] 			 [13] 
6 	 [17] 			 [17] 
7 	 [19] 			 [19] 
8 	 [23] 			 [23] 
9 	 [25] 			 [29] 


In [171]:
def fermat_test_k(n, k):
    for i in range(k):
        temp = fermat_test(n)
        if(temp != "possibly prime"):
            return False
    else: 
        return True

In [181]:
c=2

for i in range(5, 10000000, 2):
    temp = fermat_test_k(i, 10)
    if(temp == True):
#         print(f'{c} \t [{i}] \t\t\t [{primes[c]}] ')
        if(i != primes[c]): break
        c+=1
print(f'It predict {c-2} primes correctly, and fails in p = {primes[c]} : f = {i}')

It predict 408 primes correctly, and fails in p = 2833 : f = 2821


In [182]:
fermat_test_k(46657, 1000)

False

Or at least if $N$ is not a Carmichael number.

### Definition 14: Carmichael number
It is a composite number $n$ which satisfies the modular arithetic congruence relation:
$$b^{n-1} \equiv 1 \mod n$$
for all integers $b$ which are coprimes to $n$.

### Note
1729 is the smallest number expressible as the sum of two cubes in two different ways.
$$1729 = 1^3 + 12^3 = 9^3 + 10^3$$
Do you think 1729 is a Carmichael number?

So, we have to extend the idea of Fermat test to fix the problem with the Carmichael numbers. In this new algorithm we not only fix the problem of Carmichael numbers, but also returns a factor of it.

### Definition 15: Square-free integer
It is an integre which is divisible by no perfect square other than 1. That is, its prime factorization has exactly one factor for each prime that appears in it.

### Lemma 18.4.
Any Carmichael number is squarefree.

**Proof**  
We take a prime number $p$ and assume that it divides the Carmichael number $N$ exactly $e \geq 2$ times. By the Chinese Remainder Theorem, there exists an $a \in \mathbb{Z}$ that is the solution of the system of congruences
$$a \equiv 1 + p^{e-1} \mod p^e$$
$$a \equiv 1 \mod N / p^e$$.

Then $a$ has order $p$ modulo $p^e$, by Lemma 18.1, and hence also modulo $N$. Since $a^{N-1} \equiv 1 \mod N$ because $N$ is a Carmichael number, it follows that $p$ divides $N-1$, by Lemma 18.1. However, $p$ also divides $N$ $\rightarrow \leftarrow$.

### Exercise 18.9
Let $N \in \mathbb{N_{>3}}$. Prove:
1. If $N$ is a Carmichael number, then it has the property that $p − 1$ divides $N − 1$ for all prime divisors $p$ of $N$. Hint: CRT and Exercise 8.16.
2. $N$ is prime or a Carmichael number if and only if it is squarefree and the property in (1) holds.
3. A Carmichael number is odd and has at least three distinct prime divisors.
4. Which of the following integers are Carmichael numbers: 561, 663, 867, 935, 1105, 1482, 1547, 1729, 2077, 2465, 2647, 2821, 172081? You may use the integer factoring routine of your
favorite computer algebra system.

### Solution
1. *By Lemma 18.4, we may assume that $N$ is squarefree. Let $p$ be a prime divisor of $N$ and $b\in \mathbb{Z}$ coprime to $p$ with $ord_p(b) = p-1$; such $b$ exist according to Exercise 8.16. By the Chinese Reainder Theorem 5.3, there exists an $a \in \mathbb{Z}$ such that $a \equiv b \mod p$ and $a \equiv 1 \mod N/p$. Then $gcd(a, N) = 1$ and  Lemma 18.1 implies that $p-1$ divides $N-1$.

2. ($\Rightarrow$) It holds from Lemma 18.4 and (1).  
($\Leftarrow$) Let $N$ be squarefree and have the property in (1), and let $a \in Z_{N}^{\times}$. Then $a^{p-1} \equiv 1 \mod p$, and hence $a^{N-1} \equiv 1 \mod p$, for all prime divisors $p$ pf $N$.Thus $a^{N-1} \equiv 1 \mod N$. 

3. If the Carmichael number $N$ were even, then, since it is squarefree by Lemma 18.4 and composite, it would have an odd prime divisor $p$, and the even number $p-1$ would divide the odd number $N-1 = pq-1$, by (1)  , and hence it also divides $(pq-1)-p(q-1) = p-1 < q-1$. $\rightarrow \leftarrow$


In [60]:
def prime_factorization(n):
    ls = list()
    i=0
    while n != 1:
        if n % primes[i] == 0:
            n //= primes[i] 
            ls.append(primes[i])
        else:
            i+=1
    return ls

def is_carmichael(n):
    factors_n = prime_factorization(n)
    if len(set(factors_n)) < 3:
        print(factors_n)
        return False
    
    c = 0
    for fac in factors_n:
        if  (n-1) % (fac-1) != 0:
            print(fac-1, ' no divide a  ', n-1)
            print(factors_n)
            return False
    return True

4. The following number are Carmichael numbers
$$561 = 3 \cdot 11 \cdot 17$$
$$1105 = 5 \cdot 13 \cdot 17$$
$$1729 = 7 \cdot 13 \cdot 19$$
$$2465 = 5 \cdot 17 \cdot 29$$
$$2821 = 7 \cdot 13 \cdot 31$$
$$172081 = 7 \cdot 13 \cdot 31 \cdot 61$$
And the followings are not Carmichael numbers
$$663 = 3 \cdot 13 \cdot 17, 13-1 \not | 663-1$$
$$867 = 3 \cdot 17^2$$
$$935 = 5 \cdot 11 \cdot 17, 11-1 \not | 935-1$$
$$1482 \text{ is even}$$
$$1547 = 7 \cdot 13 \cdot 17, 7-1 \not | 1547-1$$
$$2077 = 31 \cdot 67$$
$$2647 \text{ is prime}$$

In [64]:
is_carmichael(867)

[3, 17, 17]


False

## Lemma 2
Let p be a prime, Then
$$x^2 \equiv 1 \mod p$$
if and only if $x \equiv \pm 1 \mod p$

**Proof**
First notice that 
$$x^2 \equiv 1 \mod p $$
$$\Leftrightarrow (x+1)(x-1) \equiv 0 \mod p$$ 
$$\Leftrightarrow p | (x+1)(x-1) $$
$$\Leftrightarrow p |(x+1) \vee p | (x-1) $$ 
$$\Leftrightarrow x+1 \equiv 0 \mod p \vee x-1 \equiv 0 \mod p $$
$$\Leftrightarrow x \equiv -1 \mod p \vee x \equiv 1 \mod p$$

## ALGORITHM 18.5 Strong pseudoprimality test
-------------------------------------------
Page 535  
**Input:** An odd integer $N \geq 3$.  
**Output:** Either "composite", or "possibly prime", or a proper factor of $N$.  
1. choose $a \in \{2, ..., N-2\}$ uniformly at random.
2. $d \leftarrow gcd(a N)$  
$\ \ \ \ \ \ $ **if** $d > 1$ **then return** $d$  
3. write $N-1 = 2^{v}m$ with $v, m \in \mathbb{N}$. $v \geq 1$, and $m$ odd.  
**call** the repeated squaring algorithm 4.8 to compute $b_0 = a^{m} \ rem \ N$  
**if** $b_0 = 1$ **then return** "probably prime"  
4. **for** $i = 1, ..., v$ **do** $b_i \leftarrow b_{i-1}^2 \ rem \ N$  
5. **If** $b_v = 1$ **then** $ j \leftarrow min\{0 \leq i < v: b_{i+1} = 1\}$ **else return** "composite"
6. $g \Leftarrow gcd(b_j+1, N)$   
**if** $g = 1$ or $g = N$ **then return** “probably prime” **else return** $g$
--------------------------------------------
**O($log_2(N)$)**

In [139]:
def get_v_m(s):
    v = 0
    while(s % 2 == 0):
        s //= 2
        v+=1
    m = s
    return m, v

def get_min_j(b, v):
    for i in range(1, v+1):
        if(b[i] == 1):
            return i-1
    

def strong_pseudoprimality_test(N):
    a = np.random.randint(N-2) + 2
    d = gcd(a, N)
    
    if(d > 1):
        return d, prime_factorization(N)
    
    m, v = get_v_m(N-1)
#     print("m: ",m, ' v:', v)
    b = [0]*(v+1)
    
    b[0] = reapet_squared(a, m, N)
    
    if(b[0] == 1):
        return "probably prime"
    
    for i in range(1, v+1):
        b[i] = reapet_squared(b[i-1], 2, N) 
    
#     print("b: ", b)
    if(b[v] != 1):
        return "composite", prime_factorization(N)
        
    j = get_min_j(b, v)

    g = gcd(b[j]+1, N)
    
    if(g == 1 or g == N):
        return "probably prime"
    else:
        return g, prime_factorization(N)

### Lemma 2
Let $N >= 3$ with $N$ odd, $a \in \{2, N-2\}$, $N-1 = 2^vm$ with $v, m \in \mathbb{N}$, and $b_0 = a^m \mod N$ **then** $b_i \equiv a^{2^î m}\mod N$ for $0 \leq i \leq v$. 

**Proof** (by induction over i)

We know by hypothesis that $i =0$ fulfill, now let's suppose that case $i=k$ is True, that is $b_k \equiv a^{2^km}$ and let see what happen for $i = k+1$.  
$$b_{k+1} \equiv b_{k}^2 \equiv (a^{2^km})^2 \equiv a^{2^{k+1}m} \mod M$$. 

### Theorem 18.6
If $N$ is prime, then Algorithm 18.5 returns “probably prime”. If N is composite and not a Carmichael number, then the algorithm returns “composite” with probability at least 1/2. If $N$ is a Carmichael number, the algorithm returns a proper divisor of $N$ with probability at least 1/2. It uses $O(logN · M(logN))$ word operation.


**Proof**  
By Lemma 2 we have that $b_i \equiv a^{2îm} \mod N$ for $0 \leq i \leq v$, and in particular $b_v \equiv a^{N-1} \mod N$. If $b_{i-1}$ = 1, then also $b_i=1$, for any $i$. 

If $N$ is composite and not Carmichael, then with probability at least 1/2, $a$ is a Fermat witness for $N$, $b_v \neq 1$, and the algorithm returns "composite" in step 5. 

We next assume that $N$ is prime. Then $b_v =1$. If $b_0 = 1$, then the algorithm correctly returns "probably prime" in step 3.  

Otherwise, we have $b_j \neq 1$ and $b_j^2 \equiv b_{j+1} = 1 \mod N$ in step 6.  By Lemma 2, the only square roots of 1 modulo $N$, that is $x^2 \equiv 1 \mod p$, are 1 and -1, so that $(b_j-1)(b_j+1) \equiv 0 \mod N \rightarrow$ if  $N | b_j-1$ then $g = N \vee g = 1$, and the correct result is return in step 6.

The last case to be considered is when $N$ is a Carmichael number. We let $P$ be the set of prime divisors of $N$. Since $N$ is squarefree, we have $N$ = $\prod_{p \in P} p$. We consider $$I = \{i: 0 \leq i \leq v \text{ and for all } u \in Z_N^{\times} u^{2im} =1 \}$$

Then $v \in I$, by the definition of Carmichael numbers, and $i+1 \in I$ for any $i \in I$ with $i<v$. Since $m$ is odd, we have $(-1)^{m} = -1 \neq 1$, and therefore $0 \notin I$. Hence there exists some $l < v$ such that $I =\{l+1, l+2, ..., v\}$. Now let $$G = \{u \in Z_{N}^{\times}: u^{2^lm} \pm 1\}$$

This is a subgroup of $Z_{N}^{\times}$, and we now show that $G \neq Z_{N}^{\times}$. There exists some $p \in P$ and $b \in Z$ coprime to $p$ with $b^{2^{l}m} \not \equiv 1 \mod p$, since otherwise we would have $l \in I$.

We take some such $p$ and $b$. The Chinese Remainder Theorem implies that there exists a $c \in Z$ such that $$c \equiv b \mod p$$ and $$c \equiv 1 \mod N/p$$

Then $c \mod N \in Z_{N}^{\times} / G$. Being a proper subgroup, $G$ has at most $|Z_{N}^{\times}|/2 = \varphi(N)/2$ elements.


If $a$ in step 1 is chosen so that $a \mod N \in Z_{N}^{\times} / G$, then we claim that the algorithm will actually discover a proper divisor of $N$. The fact that $b_{l+1} \equiv a^{2^{l+1}m} \equiv 1
\mod N$ implies that for all $p \in P$, also $b_{l+1} \equiv 1 \mod p$. Again, the only square roots of 1 modulo $p$ are 1 and −1, so that for each $p$, $a^{2^{l}m} \mod p$ is either 1 or −1. Since
$b_l \mod N = a^{2^{lm}} \mod N$ is neither 1 nor −1, both possibilities actually occur, we
have $j = l$ in step 5, and $$g=gcd(b_l +1, N) = \prod_{p\in P} p$$

is a proper divisor pf $N$. The fact that $| Z_{N}^{\times} / G| \geq 2 \varphi(N)/2$ implies the bound on the probability.

Step 2 and 6 take $O(M(log_2 N) loglog(N))$ word operations, the cost of step 3 and 4 is $O(log N)$ multiplications mod $N$ or in total $O(log_2 N M(log N))$


In [184]:
print("  Probability test \t   Prime number\n")

c=1
for i in range(3, 100000, 2):

    temp = strong_pseudoprimality_test(i)
    if(temp == 'probably prime'):
        print(f'{c} \t [{i}] \t\t\t [{primes[c]}] ')
        if(i != primes[c]): break
        c+=1


  Probability test 	   Prime number

1 	 [3] 			 [3] 
2 	 [5] 			 [5] 
3 	 [7] 			 [7] 
4 	 [11] 			 [11] 
5 	 [13] 			 [13] 
6 	 [17] 			 [17] 
7 	 [19] 			 [19] 
8 	 [23] 			 [23] 
9 	 [29] 			 [29] 
10 	 [31] 			 [31] 
11 	 [37] 			 [37] 
12 	 [41] 			 [41] 
13 	 [43] 			 [43] 
14 	 [47] 			 [47] 
15 	 [53] 			 [53] 
16 	 [59] 			 [59] 
17 	 [61] 			 [61] 
18 	 [67] 			 [67] 
19 	 [71] 			 [71] 
20 	 [73] 			 [73] 
21 	 [79] 			 [79] 
22 	 [83] 			 [83] 
23 	 [89] 			 [89] 
24 	 [97] 			 [97] 
25 	 [101] 			 [101] 
26 	 [103] 			 [103] 
27 	 [107] 			 [107] 
28 	 [109] 			 [109] 
29 	 [113] 			 [113] 
30 	 [127] 			 [127] 
31 	 [131] 			 [131] 
32 	 [137] 			 [137] 
33 	 [139] 			 [139] 
34 	 [149] 			 [149] 
35 	 [151] 			 [151] 
36 	 [157] 			 [157] 
37 	 [163] 			 [163] 
38 	 [167] 			 [167] 
39 	 [169] 			 [173] 


## Example

Let's take $N = 561$, $a = 2$.

$N-1 = 2^v m \rightarrow 560 = 2^4 35 $

$$2^{35} \equiv 263 \mod 561$$
$$(2^{35})^2 \equiv 166 \mod 561$$
$$(2^{35})^4 \equiv 67 \mod 561$$
$$(2^{35})^8 \equiv 1 \mod 561$$

After we get that it's equivalent mod 1, then we use Lemma 2 to see whether it's prime or not

$$67^2 \equiv 1 \mod 561$$
$$67^2 -1 \equiv 0 \mod 561$$
$$(67 -1)(67 +1) \equiv 0 \mod 561$$
$$68 \cdot 66 \equiv 0 \mod 561$$

$66 = 3*11$
$68 = 17$

## Exercise
Apply Miller-Rabin test with $N = 8911$

-----------------------------------------------------------

In [159]:
def strong_pseudoprimality_test_k(N, k):
    for j in range(k):
        a = np.random.randint(N-2) + 2
        d = gcd(a, N)

        if(d > 1):
#             return d, prime_factorization(N)
            return d

        m, v = get_v_m(N-1)
    #     print("m: ",m, ' v:', v)
        b = [0]*(v+1)

        b[0] = reapet_squared(a, m, N)

        if(b[0] == 1):
            continue

        for i in range(1, v+1):
            b[i] = reapet_squared(b[i-1], 2, N) 

    #     print("b: ", b)
        if(b[v] != 1):
#             return "composite", prime_factorization(N)
            return "composite"

        j = get_min_j(b, v)

        g = gcd(b[j]+1, N)

        if(g == 1 or g == N):
            continue
        else:
#             return g, prime_factorization(N)
            return g, prime_factorization(N)
    return "probably prime"

In [185]:
print("  Probability test \t   Prime number\n")

c=1
for i in range(3, 100000, 2):
    temp = strong_pseudoprimality_test_k(i, 10)
    if(temp == 'probably prime'):
#         print(f'{c} \t [{i}] \t\t\t [{primes[c]}] ')
        if(i != primes[c]): break
        c+=1
        
print(f'It predict {c-1} primes correctly, and fails in p = {primes[c]} : f = {i}')

  Probability test 	   Prime number

It predict 9591 primes correctly, and fails in p = 100003 : f = 99999


## Theorem 18.7
Let $ln$ denotate the logarithm in base $e$. Then we hace approximately
$$\pi(x) \approx \frac{x}{ln x}, \ \ p_n \approx n ln n$$
and more precisely
$$\frac{x}{ln x} \left (1 + \frac{1}{2 ln x}\right) < \pi(x) < \frac{x}{ln x} \left (1 + \frac{3}{2 ln x}\right) \ \ if \ x \geq 59,$$
$$n \left (ln n + ln ln n - \frac{3}{2}\right) < p_n < n \left (ln n + ln ln n - \frac{1}{2} \right) \ \ if \ n \geq 59$$

In [166]:
x = 10**6
print(x//np.log(x))

72382.0


In [165]:
print(len(primes))

78498
