Proth's theorem

In number theory, Proth's theorem is a theorem which forms the basis of a primality test for Proth numbers known as Proth's test. Proth numbers, sometimes called Proth Numbers of the First Kind, are those integers p which take the form p = k2ⁿ + 1 with an odd k where k < 2ⁿ. For Proth Numbers of the Second Kind, see related topic Riesel numbers.

The theorem states^[1][2] that for any Proth number (of the first kind), p, then p is prime if there exists an integer a for which Euler's criterion yields –1, that is,

${\displaystyle a^{\frac {p-1}{2}}\equiv -1{\pmod {p}}}$.

In this case, p is called a Proth prime. The contrapositive is also true: if p is composite, then no such a exists.

It might be noted that the presumption of k being odd does not restrict generality. So long as the condition that k < 2ⁿ is met, any factors of 2 in an even k may be factored out of k and into 2ⁿ, growing the latter while shrinking the former even further; the inequality condition remains true. Thus, k may always be reduced to an odd value.

Only one such value of a need be found for the test to deterministically confirm primality, provided that p is a Proth number. This is a practical test because, if p is prime, then any chosen a has about a 50 percent chance of working, and if p is not prime, then no chosen a will work. Furthermore, since the calculation is modulo p, only values of a smaller than p have to be considered.

If p is composite, then no base a will work to bear witness of primality. As such, we may check all base values [2, p − 1] to verify compositeness (note that a = 0 and a = 1 will never work). If any one base a bears witness, then primality is confirmed. If none do, then compositeness is confirmed. This process, though the most straightforward and trivial, can be made slightly more efficient.

In principle, since if p is prime, there is roughly a 50% chance of a chosen a of proving primality, we may make the process slightly more efficient by checking about one-half of all possible a-values smaller than p. Once more than p/2 distinct values of a have been tested, compositeness is deterministic. This is because, if p is prime then we expect half of all bases to bears witness; by the pigeonhole principle, once more than half have been checked, we can deduce that none will bear witness, and if no base value a will work, then p is composite. If on the other hand p is prime, then at least one of the values checked would inevitably have borne witness, as would all remaining unchecked values. This variation of the test is similar to the deterministic variant of the Fermat primality test.

Both of these naïve variants are grossly inefficient and never employed in practice. Note that both of these approaches represent significantly more computational work than simple brute force trial division.

As 50% of bases a are expected to bear witness to primality, if p is indeed prime, then we may form a Monte Carlo probabilistic test thus: if the test is repeatedly performed m times, each iteration with a random a, each time failing to confirm primality, then we may infer that p is probably composite (contrary to the probably prime results typical of other Monte Carlo algorithms such as the Miller-Rabin test). An approximate upper bound error probability ε < 2^−m of a prime being falsely identified as composite can also be inferred. A composite will, however, never be falsely identified as prime.

This probabilistic implementation is not typically performed. Even though it is far more efficient than the deterministic naïve test, with computational efficiency on par with the Miller-Rabin test, it can still be improved both in performance runtime and in accuracy (or definitiveness).

The Las Vegas formulation of Proth's test is by far the most efficient of the variants, and as definitive as the deterministic variant. This is the variant typically employed, though there are some variations in implementation still.

In practice, a quadratic nonresidue of p is found and taken as the value of a. Since, if a is a quadratic nonresidue modulo p then the converse of Proth's theorem is also true (if Euler's criterion does not yield –1 then p is composite) and the test becomes conclusive. The theorem may be restated:

For all Proth numbers p, and for all quadratic nonresidues a of p, p is prime if and only if ${\displaystyle a^{\frac {p-1}{2}}\equiv -1{\pmod {p}}}$.

A quadratic nonresidue a of p may be identified when the Legendre symbol is –1, thus for such a value:

${\displaystyle \left({\frac {a}{p}}\right)=-1.}$

For such a value of a, the test is deterministic for both primality and compositeness; thus, for such an a the check against Proth's/Euler's criteria only requires one iteration: congruence or non-congruence to -1 is wholly descriptive of primeness. The difficulty is in finding such of a value a.

The value of a may be found either by systematically checking values in the interval [2, p − 1], through random selection and checking, or by a more direct computation, the latter of which is the more efficient option. A systematic check is not grossly inefficient; a candidate is likely found in a handful of attempts. Random selection is also not grossly inefficient; the probability of finding a candidate is about 50% per iteration. A more direct calculation is typically employed, however, via a modified Euclidean algorithm.^{[citation needed]}

If no quadratic nonresidue exists then compositeness can be inferred; determining this fact is more complicated in programming. Both a systematic search and random selection always carry a certain probability of failing to find a candidate, when one exists, in a reasonably small number of attempts, thus potentially resulting in an early-exit condition with misleading results. We may infer probabilistic compositeness with a threshold of confidence if through random selection no nonresidue can be found in a reasonable number of attempts. If a candidate does not exist and no early-exit condition is defined, it may cost significant computational resources.

As such, and to guarantee a deterministic (and efficient) test, a direct computation of the nonresidue is preferred. If direct computation of such a quadratic nonresidue fails, then compositeness can be inferred.

In any case, when a value of a is verified against the Legendre symbol as a valid candidate, it may be applied in Proth's / Euler's criterion to determine primality or compositeness conclusively.

Thus, in contrast to many Monte Carlo primality tests (randomized algorithms that can return a false positive or false negative), this deterministic variant of the primality testing algorithm is a Las Vegas algorithm, always returning the correct answer but with a randomly varying runtime.

The check against Proth's criterion, a simple modular exponentiation operation, once a has been determined, has a runtime on the order of the bit-length of p; the random variability in the overall test runtime, therefore, is primarily a result of the search for an appropriate a value, however that may be done.

Given a Proth number p = k2ⁿ + 1, particular forms of p, k, and n have been identified that correspond to predetermined quadratic nonresidue values that are appropriate for use. It has been shown that:

• If p>3 and 3 ∤ k, then a = 3 is always a quadratic nonresidue (candidate) and therefore a valid base to check, and so:

${\displaystyle 3^{\frac {p-1}{2}}\equiv -1{\pmod {p}}}$ if and only if p is prime.

This is the basis of Pépin's test for Fermat numbers and their corresponding primes, wherein k = 1 is indivisible by 3.

• If p>5 and p is 2 or 3 modulo 5, then a = 5 is always a quadratic nonresidue (candidate) and therefore a valid base to check, and so:

${\displaystyle 5^{\frac {p-1}{2}}\equiv -1{\pmod {p}}}$ if and only if p is prime.

Examples of the theorem include:

• for p = 3 = 1(2¹) + 1, we have that 2^(3−1)/2 + 1 = 3 is divisible by 3, so 3 is prime.
• for p = 5 = 1(2²) + 1, we have that 3^(5−1)/2 + 1 = 10 is divisible by 5, so 5 is prime.
• for p = 13 = 3(2²) + 1, we have that 5^(13−1)/2 + 1 = 15626 is divisible by 13, so 13 is prime.
• for p = 9, which is not prime, there is no a such that a^(9−1)/2 + 1 is divisible by 9.

The fact that p = 9 is not prime can be deterministically verified by checking that no such a (in mod 9) exists. This may be done by systematically checking each value of a from 2 to 8 (a = 0 and a = 1 will never work for any p). It is, however, sufficient to check values 2 to 5, or one-half of all possible values under 9. If 9 were a prime then by the pigeonhole principle, at lease one of these values of a will confirm primality, since it is expected that half of them would.

Alternatively, if we employ the deterministic variant wherein the quadratic nonresidue is directly computed, the work requires fewer iterations to confirm both compositeness and primality:

• for p = 97 = 3(2⁵) + 1, we have a quadratic nonresidue of a = 5, and 5^(97−1)/2 + 1 = 3552713678800500929355621337890626 is divisible by 97, so 97 is prime.
• for p = 1537 = 3(2⁹) + 1, we have a quadratic nonresidue of a = 5, and 5^(1537−1)/2 + 1 = 1052 (mod 1537) is not divisible by 1537, so 1537=29×53 is not prime.

In each of the previous two examples, an appropriate value of a was directly computed using a quadratic nonresidue computation such that the results of the test would be conclusive – a valid quadratic nonresidue in both the prime and composite cases. It was not necessarily to systematically search for an a to witness the prime case, or to reiterate the test a sufficient number of times for the composite. If a quadratic nonresidue cannot be found, or if one does not exist, then we may take this as confirmation of compositeness.

Euler's criterion provides additional insights to a number p, which are not necessarily components of Proth's theorem. These are secondary facts largely attributed to other theorems, which are trivially evaluated during any implementation of Proth's test. The number p need not be a Proth number for the criterion to be useful. Given an integer p, let us choose an arbitrary a value. Evaluate Euler's criterion:

${\displaystyle a^{\frac {p-1}{2}}\equiv b{\pmod {p}}.}$

There are generally five distinct outcomes. Some of these results do not rely on p being a Proth number, and are therefore valid for any form of prime candidate.

Primality of p:

• b = −1, in which case Proth's criterion is met and p is confirmed to be a Proth prime, as per Proth's theorem, if indeed p is a Proth number.

If p is not a Proth number yet b = −1, then this is indicative, but not conclusive, of primality. Refer to the probabilistic Solovay–Strassen primality test and the Miller-Rabin test.

Inconclusive result:

• b = 1, in which case the test is inconclusive and must be tried again with a new a value.

This condition is what requires reiteration and makes the test probabilistic, as if p were prime, then b = ±1 occurs with roughly equal probability, though the b = 1 condition may still be met with p either composite or non-Proth.

This is true unless a happens to also be a quadratic nonresidue of a Proth number p, in which case compositeness is indicated.

Compositeness of p, as per Euler's criterion and the Legendre symbol, which offer early exit conditions when b ≠ ±1. In each of these cases p is not prime and also need not be a Proth number:

• b² = 1, with nontrivial divisors of p being GCD(b ± 1, p).
• b² ≠ 1, where p is proven composite by Fermat's test, base a.
• b = 0, where p has a nontrivial divisor GCD(a, p).

The first Proth primes are (sequence A080076 in the OEIS):

3, 5, 13, 17, 41, 97, 113, 193, 241, 257, 353, 449, 577, 641, 673, 769, 929, 1153 ....

The largest known Proth prime as of 2016^[update] is 10223 × 2^31172165 + 1, and is 9,383,761 digits long.^[3] It was found by Peter Szabolcs in the PrimeGrid volunteer computing project, which announced it on 6 November 2016.^[4] It is the 11th-largest known prime number as of January 2024, it was the largest known non-Mersenne prime until being surpassed in 2023,^[5] and is the largest Colbert number.^{[citation needed]} The second-largest known Proth prime is 202705 × 2^21320516 + 1, found by PrimeGrid.^[6]

The proof for this theorem uses the Pocklington-Lehmer primality test. It is a relatively simple special case to prove Proth's theorem from it. It also closely resembles the proof of Pépin's test. The proof can be found on page 52 of.^[1]

When k = n, the Proth number takes the form of p = n2ⁿ + 1. If we relax the condition requiring that k (or n) is odd, these are known as Cullen numbers, with corresponding Cullen primes. Though Proth's test works when n is odd, Cullen numbers have their own primality tests for arbitrary n.

Furthermore, Cullen's primality tests may be generalized to numbers of the form p = ncⁿ + 1, for arbitrary bases c.

François Proth (1852–1879) published the theorem in 1878.^[7][8]

• Pépin's test (the special case k = 1, where one chooses a = 3)
• Sierpiński number

• Weisstein, Eric W. "Proth's Theorem". MathWorld.