ON AN ANALOGUE TO THE LUCAS-LEHMER-RIESEL TEST USING ELLIPTIC CURVES

Following an idea of B. H. Gross, who presented an elliptic curve test for Mersenne primes M p = 2 p − 1, we propose a similar test with elliptic curves for generalized Thabit primes K(h, n) := h · 2 n − 1 for any positive odd number h and any integer n > log 2 (h) + 2.


Introduction
In 1876, Édouard Lucas invented an efficient primality test for Mersenne numbers M p = 2 p − 1 for prime numbers p.The test uses a recursion defined by He showed that a given Mersenne number M p for p ≥ 3 is prime if and only if L p−2 ≡ 0 (mod M p ) (cf. [6]).The general idea of the proof given in [9] is to interpret the recursion as squaring a point on the algebraic torus over Q associated to the quadratic field Q( √ 3).This test was optimized by Derrick Henry Lehmer in 1935 (cf.[5]) and therefore it is known as Lucas-Lehmer test.In 1969, H. Riesel proposed a test for so called generalized Thabit numbers K(h, n) = h • 2 n − 1 for h ∈ N odd and n ∈ N using the Lucasian sequence where the first value L 0 of the recursion depends on h and n (cf.[8]).Some special cases of his generalization, especially for 3 h, had already been found by Lucas and Lehmer themselves.This test is referred to as the Lucas-Lehmer-Riesel test.The idea of using elliptic curves for primality tests is due to Hendrik Lenstra.He invented a general primality test for integers.In 2005, Benedict H. Gross used the ideas of Lucas and Lenstra to create an elliptic curve test especially for Mersenne primes.It is based on doubling the point P = (−2, 4) on the rational elliptic curve with Weierstrass equation y 2 = x 3 − 12x.
In [2], R. Denomme and G. Savin developed similar primality tests for Fermat numbers F n = 2 2 n + 1 and numbers of the form 2 2 n − 2 2 n−1 + 1 and 3 2 n − 3 2 n−1 + 1.These tests are also based on doubling some suitable point on a twisted rational elliptic curve.
In this paper, we will extend the algorithm of Gross to all generalized Thabit numbers K(h, n) with n > log 2 (h) + 2. If h is disible by 3, we will usually not be able to work with a global point on some rational elliptic curve.Instead, we will be using quadratic twists of rational elliptic curves E ε as it was done in [2].The curves E ε we are using have Weierstrass equations of the form where ε ∈ Z depends on h and n.We also give an algorithm to find appropriate values for ε.
All the primality tests mentioned above are based on the following idea.Let N be some integer such that the factorization of a sufficiently large factor of N ± 1 is known.These algorithms then construct an element g in some suitable group (e.g. the reduction of some rational elliptic curve modulo N or (Z F /N Z F ) * where Z F denotes the ring of integers in some algebraic number field F ). Then N is prime if and only if the order of g is sufficiently large.The survey article [7] by Carl Pomerance contains some more primality tests based on this idea.
The paper is organized as follows.A short proof of the Lucas-Lehmer-Riesel test is given in Section 2. In Section 3, we recall division polynomials and in Section 4, we summarize some properties of elliptic curves of the form E ε .In Section 5, we prove our primality test for generalized Thabit numbers.Finally in Section 6, we compare the efficiency of the mentioned primality tests: the Lucas-Lehmer test to Gross' test using elliptic curves for Mersenne numbers (cf.[3]) and the Lucas-Lehmer-Riesel test to our test for generalized Thabit numbers.
Notation By P we denote the set of positive prime numbers.For positive integers m, n let m n denote the Jacobi-Symbol.In particular, if n is prime, then m n coincides with the Legendre-Symbol.
For an elliptic curve E over a field K we set E(L) the group of L-rational points of E for any extension field L of K and O as the point at infinity, the zero-element of E as an abelian group.
If K = Q and p ∈ Z is prime, we denote the reduction of E modulo p by E and we set E(p) := E(F p ).
If O = P = (x 0 , y 0 ) is a point of an elliptic curve E, we denote by x(P ) := x 0 the projection to the first affine coordinate of P .

The Lucas-Lehmer-Riesel Test
At first we want to give a short proof of Riesel's original primality test for numbers of the form K(h, n) (see [8]).
For this section, let d ≥ 2 be a square-free integer, F := Q( √ d) the corresponding real quadratic number field and Z F its ring of integers.Further, let ¯: F → F denote the nontrivial Galois automorphism of F .The following theorem is well known from the theory of quadratic number fields, but essential for the further discussion of the Lucas-Lehmer-Riesel test.Thus we give a short proof here.
Proof.Let ϕ : From this fact, we can now derive the Lucas-Lehmer-Riesel test: Proposition 2.2.Suppose p ∈ P is an odd prime with Proof.According to Theorem 2.1 we obtain modulo pZ Proposition 2.3.Let n ≥ 2 and let h < 2 n be an odd number.Further let then K is prime.
Proof.Let p be some prime factor of K(h, n).Then Let ϕ : Z F → Z F /pZ F be the canonical epimorphism and let The order of ϕ(α) in (Z/pZ F ) * is 2k since p is odd.Further, ϕ(α (K+1)/2−k ) = 1 implies that h • 2 n−1 = (K + 1)/2 = k + 2kr = k(1 + 2r) for some r ∈ Z.In particular, k is divisible by 2 n−1 .Let ε := d p .Then ε = 0 since gcd(K, d) = 1.Further, αα = 1, so α is a unit in Z F .Thus, if ε = 1 then Theorem 2.1 shows that In particular, α p−ε ≡ 1 (mod pZ F ). Thus we have Furthermore, K is not a square since K ≡ 3 (mod 4).So if K is not a prime, then K has two distinct prime factors p and q.We may assume that p < q.Then gives the desired contradiction.Hence K must be prime.
Corollary 2.4 (Lucas-Lehmer-Riesel test).Let n ≥ 2 and let h < 2 n be an odd integer.Suppose there exist a, b ∈ Z and some square-free integer d ≥ 2 such that α = (a+b where Since L n−2 ∈ Z this shows that L n−2 ≡ 0 (mod K(h, n)) as claimed.Conversely, by Proposition 2.3 and the above calculation we see that the given conditions are also sufficient for the primality of K(h, n).
Given a generalized Thabit number K(h, n), a triple (a, b, d) as in the Corollary above can be found by inspecting the fundamental units of various real quadratic number fields, see [8] for details.
Remark 2.5.Suppose the notation of Corollary 2.4.Then the Lucas-Lehmer-Riesel test can be summed up as follows.Let ϕ :

Division Polynomials
In this section, let E be an elliptic curve over a field K with char(K) = 2, 3 given by a Weierstrass equation of the form These polynomials have the following property.
Lemma 3.2.Let m be a positive integer.
2. Let L/K be a field extension and P = (x, y) be a point on E(L). .
In particular, m

Some properties of the curves E ε
In the following, let E t ε be the (twisted) elliptic curve over Q given by When t = 1, we will usually omit the superscript t.Then is an isogeny.Further, E t ε defined over Q(i) has complex multiplication by the ring of Gaussian integers Z[i]: and the discriminant of This leads to the following lemma.
1.The reduction of E t ε modulo q is supersingular and the group E t ε (q) has order q + 1.
2. If ε is not a square modulo q, then the group E t ε (q) is cyclic and the only point of order 2 in E t ε (q) is (0, 0).
Proof.Because of the isogeny τ ε,t from equation (1), we may assume that t = 1.Let i be a primitive fourth root of unity in F q .Then the reduction E ε of E ε modulo q has complex multiplication by [i] as well.Let Φ be the q-th power Frobenius endomorphism and P = (x, y) a point of E ε .We have Therefore the endomorphism ring End( E ε ) is not commutative, hence E ε is supersingular by [10, Theorem V.3.1].Thus the abelian group E ε (q) has order q + 1 (cf. [10, exercise 5.10]).This proves the first claim.Let [q + 1] denote the isogeny of E ε which multiplies each point on ) since the Weil-pairing is surjective and Galois-invariant (cf.[10, Proposition III.8.1]).Thus d 1 | gcd(q − 1, q + 1) = 2, so either E ε (q) is cyclic or all 2-torsion points of E ε are F q -rational, which means all roots of x 3 − εx = x • (x 2 − ε) lie in F q .But this is impossible because ε is not a square in F q .Hence the group E ε (q) must be cyclic.
Lemma 4.2.Let q ∈ P be a prime not dividing 2εt and let P = (x 0 , y 0 ) ∈ E t ε (q).If x 0 t is not a square in F q , then P is not divisible by 2 in E t ε (q).
Proof.It suffices to show that P := τ ε,t (P ) = (x 0 t, y 0 t 2 ) is not divisible by 2 in which is a square in F q .Since x 0 t = x(P ) is not, there cannot be any point 5. Generalized Thabit numbers

Choosing the curve
For our primality test for generalized Thabit numbers K(h, n) = h • 2 n − 1 in Theorem 5.5 we need a (twisted) rational elliptic curve E such that and a point that generates the Sylow-2-subgroup of E(K(h, n)) provided that K(h, n) is prime.
Proposition 5.1.Let n ≥ 2 and h ∈ N be odd.Suppose there exists a pair

The reduction of P modulo
Proof.If K(h, n) would divide x 0 , then which is impossible.In particular, K(h, n) does not divide x 0 (x 2 0 − ε) = ty 2 0 .Hence the second statement immediately follows from Lemma 4.1.Further, ( Note that different factorizations of x 0 (x 2 0 − ε) into t • y 2 0 yield isomorphic curves.If h is not divisible by 3 then one can easily find pairs (ε, x 0 ) satisfying the conditions in Proposition 5.1 for all generalized Thabit primes of the form K(h, n) by quadratic reciprocity.
If h is divisible by 3 then it is not possible to find such a pair (ε, x 0 ) which is independent from h and n.However, we have the following lemma.
1.There exists a minimal prime p ∈ P such that p K(h,n) = 1.
Proof.The integer K(h, n) is not a square in Z since K(h, n) ≡ −1 (mod 4).Thus the existence of a minimal number p ∈ N satisfying p K(h,n) = 1 follows from the Chinese Remainder Theorem.Since the Jacobi symbol is multiplicative in the first component, any nontrivial factorization of p would yield a smaller number d with = 1, which is a contradiction to the minimality of p. Hence p must be prime.Moreover, since 1 < p < K(h, n) we know that either p is a proper divisor of K(h, n) = −1.In the latter case, the choice of p implies If n ≥ 3 and h ∈ N is odd but not divisible by 3 then Hence, if we plug (ε, x 0 ) = (3, 1) into Proposition 5.1, we end up with the point P = (1, 1) on the curve E −2 3 .Under the isogeny τ 3,−2 from equation (1) this point corresponds to the point (−2, 4) on the curve E 12 .So Example 5.2 is just a special case of Lemma 5.3.
The curve E 12 has rank 1.Similarly, the rational curves E 30 1 and the one given by 7y 2 = x 3 + 1 also have rank 1.These latter curves were used in [2] for primality tests of Fermat numbers and numbers of the form 2 2 − 2 2 −1 + 1 respectively.So one might wonder what are the ranks of the rational curves E 1−p p .Proposition 5.4.Let p be a prime.Then the rank of the rational elliptic curve E 1−p p is at least 1.
Proof.For p = 2 one can check the rank explicitly.So suppose p ≥ 3 and let m be the product of all primes ≤ p. Then by the Chinese Remainder Theorem, there exists a positive odd number h such that p = min{q The choice of p implies gcd(8m, 8h − 1) = 1.Thus the sequence (a k ) contains infinitely many primes by Dirichlet's theorem on arithmetic progressions.But then Lemma 5.3 and Proposition 5.1 imply that the rank of the twisted rational curve E 1−p p cannot be 0.
It turns out that the smallest prime p such that E 1−p p has rank 2 is p = 7.

An elliptic curve primality test for generalized Thabit numbers
Now we are able to prove the main theorem of this paper, which gives a primality test for numbers of the form K(h, n).
Let (ε, x 0 ) a pair of integers that satisfies the conditions of Proposition 5.1.See Example 5.2 or Lemma 5.3 on how to find such a pair.Write x 3 0 − εx 0 = ty 2 0 for some y 0 , t ∈ Z and set P = (x 0 , y 0 ) ∈ E t ε (Q).Now we recursively define a sequence of rational numbers as follows: Then T k = x(h2 k • P ) for all k ≥ 0. Also note that the initial value T 0 only depends on x 0 and ε.Moreover, it can be computed without knowing y 0 and t as explained in Remark 5.7 below.
Theorem 5.5.Let h ∈ N be odd and n > log 2 (h) + 2 be some integer.Suppose (ε, x 0 ) ∈ Z 2 satisfies the conditions of Proposition 5.1 and let (T k ) be the sequence defined in equation (2).Then the number K(h, n) = h • 2 n − 1 is prime if and only if the following three conditions are met: Proof.Write x 3 0 − εx 0 = ty 2 0 for some y 0 , t ∈ Z.Further let Q = h • P where P denotes the point (x 0 , y 0 ) ∈ E t ε (Q).First, suppose that K(h, n) is prime.Then gcd(x 0 , K(h, n)) = 1 by Proposition 5.1.This proposition also shows that the point Q generates the Sylow-2-subgroup of the cyclic group The same holds for T 2 k − ε since ε is not a square modulo K(h, n).Conversely, suppose that K(h, n) is composite and satisfies the three conditions above.Let q ≤ K(h, n) be the smallest positive prime divisor of K(h, n).Note that by assumption q = 2 is coprime to x 0 , x 2 0 − ε and ε.So q does also not divide x 0 (x 2 0 − ε) = ty 2 0 .In particular, gcd(q, 2εt) = 1.Thus E t ε has good reduction modulo q.By assumption, 2 n−1 • Q has order 2 in E t ε (q), so Q has order 2 n in E t ε (q).Since (0, 0) ∈ E t ε (q) is the only point with x-coordinate 0, we get the trivial bound #E t ε (q) ≤ 2q.But then which is impossible by the choice of n.Hence q does not exist.
Remark 5.6.The primality test given in Theorem 5.5 is based on the following idea.The candidate K(h, n) is prime if and only if the reduction of h • P modulo K(h, n) generates a cyclic subgroup of order 2 n .So it is completely analogous to the Lucas-Lehmer-Riesel test (see Remark 2.5).
We close this section with a remark concerning the implementation of the above primality criterion.
Remark 5.7.If K(h, n) is prime then the order of P = (x 0 , y 0 ) ∈ E t ε (Q) is at least 2 n > h (see Lemma 4.1).So in particular, m • P = O for any 1 ≤ m ≤ h.Let 1 ≤ m ≤ h and α ∈ C such that α 2 = t.Then Lemma 3.2 and the change of coordinates E t ε (C) → E ε (C), (x, y) → (x, αy) show that m • P = (f m , g m y 0 ) for some f m , g m ∈ Q that only depend on ε, x 0 and ty 2 0 = x 3 0 − εx 0 .Thus without actually knowing t or y 0 , one can compute T 0 = x(h • P ) = f h using "square and multiply" by adding at most 2 log 2 (h) points.
Moreover, these calculations can be done directly in Z/K(h, n)Z.This has the advantage that if a necessary computation cannot be performed in Z/K(h, n)Z (i.e.some nonzero element cannot be inverted) then K(h, n) is immediately proven not to be prime.The same holds for the computation of T 1 , T 2 , . . . .

Efficiency
We have implemented our primality test for generalized Thabit numbers as well as the Lucas-Lehmer-Riesel test in Magma (see [1]) to compare the efficiency of both tests.All tests were performed on a Core i7, 940 running at 2.93 GHz.
In our primality test it is necessary to divide in the residue class ring Z/K(h, n)Z.Thus on the one hand the calculations in each step of the iteration are more complex than the calculations in the Lucas-Lehmer-Riesel test (four multiplications and one division versus one multiplication in the ring Z/K(h, n)Z) but on the other hand we know that, if the necessary division is not possible, K(h, n) cannot be prime.So if K(h, n) is composite, it might happen that the algorithm aborts without computing all values T 0 , T 1 , . . ., T n−1 modulo K(h, n).
For example, K(3, 100 008) is composite and the Lucas-Lehmer-Riesel test as well as Magma's build-in primality test both take about 4 minutes to verify that.Our elliptic curve test (using (ε, x 0 ) = (5, 1)) recognizes this in virtually no time since already T 4 (mod K(h, n)) does not exist.
To see how often such premature aborts occur, we have run the Lucas-Lehmertest and our primality test using 27 different pairs (ε, x 0 ) for Mersenne primes in Magma to compute a list of all prime exponents 3 ≤ p ≤ 10 000, such that the Mersenne number M p = K(1, p) = 2 p − 1 is prime.For some pairs (ε, x 0 ), there was no premature abort at all, for others there were up to five.Table 1 gives the chosen values ε (where ε = 0 represents the Lucas-Lehmer-test), the chosen initial values T 0 = x 0 , the exponents p that yield an premature abort, and the time in seconds required for the test.
We see that it takes the elliptic curve tests about 50 times as long as the Lucas-Lehmer-test to do the task.This is easily explained by the fact that there were never more than four exponents out of 1 228 (i.e. the number of odd primes ≤ 10 000), which yielded an premature abort.So the possible advantage of the elliptic curve tests towards the Lucas-Lehmer-test does not play any significant role for the efficiency on average.Similarly, we considered generalized Thabit numbers.We compared the Lucas-Lehmer-Riesel test (LLR) to Theorem 5.5 (where the pair (ε, x 0 ) was chosen as in Lemma 5.3) and measured the time needed to compute all exponents log 2 (h) + 2 < n ≤ 3 000 such that K(h, n) is prime for all odd numbers h ∈ {1, . . .99} using both tests.Additionally we calculated the ratio ρ of premature aborts that occurred using the algorithm from Theorem 5.5 to the number of composite generalized Thabit numbers in the tested range.The results are given in Table 2.
2 K(h,n = 1.So if K(h, n) is divisible by 3, then Lemma 5.3 will immediately detect this.Hence we excluded all pairs (h, n) from the test for which Lemma 5.3 does find a nontrivial divisor since this would definitely favor our algorithm.Moreover, any serious implementation of a primality test would test for small prime factors anyway.
By our experiments we conclude that our test is obviously less efficient than the Lucas-Lehmer-Riesel test.Although in some cases, where there are very many premature aborts (for example for h = 11 or h = 71) we are very close to its efficiency.We also see, that the value of ρ does indeed play a significant role for the velocity of our test.But still there are not enough premature aborts to compensate the fact that the calculations in each iteration step are much more expensive for our test compared to the
1 denote the corresponding generalized Thabit number.If gcd(K, d) = 1 and if there are a, b ∈ Z such that

Table 1 :
Lucas-Lehmer-Riesel test.Efficiency of the tests for Mersenne numbers

Table 2 :
Efficiency of the tests for Thabit numbers