Proth's theorem

Only one such value of a need be found for the test to deterministically confirm primality, provided that p is a Proth number. This is a practical test because, if p is prime, then any chosen a has about a 50 percent chance of working, and if p is not prime, then no chosen a will work. Furthermore, since the calculation is modulo p, only values of a smaller than p have to be considered. Systematic naïve variant If p is Proth composite, then no base a will work to bear witness of primality. If any one base a bears witness, then primality is confirmed. If none do, then compositeness is confirmed. This is because the inverse of Proth's theorem is also true: : If no a exists such that a^{\frac{p-1}{2}}\equiv -1 \pmod{p}, and p is a Proth number, then p is composite. The contrapositive of this statement is that if p is a Proth prime, such an a value is guaranteed to exist. Indeed, if p is a Proth prime then we expect roughly half of all a-values to satisfy the formula, in the general case. On the other hand, if the second condition is not met - if p is not a Proth number - then compositeness cannot be guaranteed (the inverse is not generally true for non-Proth), even if the first condition of congruence is met. As such, we may systematically check all base values [2, p − 1] to verify compositeness (note that a = 0 and a = 1 will never work), unless and until one is found to confirm primality. This process, as it is stated, though the most straightforward and trivial, can be made more efficient. In principle, since if p is prime, there is roughly a 50% chance of a chosen a of proving primality, we may make the process slightly more efficient by checking about one-half of all possible a-values smaller than p - we expect half of said values to satisfy the congruence. Once more than p/2 distinct values of a have been tested, compositeness is deterministic. This is because, if p is prime then we expect half of all bases to bears witness; by the pigeonhole principle, once more than half have been checked, we can deduce that none will bear witness, and if no base value a will work, then p is composite. If on the other hand p is prime, then at least one of the values checked would inevitably have borne witness, as would all remaining unchecked values. This variation of the test is similar to the deterministic variant of the Fermat primality test. Both of these naïve variants are grossly inefficient and never employed in practice. Note that both of these approaches represent significantly more computational work than simple brute force trial division in the worst case scenario. Probabilistic Monte Carlo Variant As 50% of bases a are expected to bear witness to primality, if p is indeed prime, then we may form a Monte Carlo probabilistic test thus: if the test is repeatedly performed m times, each iteration with a random a, each time failing to confirm primality, then we may infer that p is probably composite - this is in contrast to the probably prime results typical of other Monte Carlo algorithms such as the Miller-Rabin test. An approximate upper bound error probability of a prime being falsely identified as composite can also be inferred. A composite will, however, never be falsely identified as prime. This probabilistic implementation is not typically performed. Even though it is far more efficient than the deterministic naïve test, with computational efficiency on par with the Miller-Rabin test, it can still be improved both in performance runtime and in accuracy (or definitiveness). Las Vegas Variant The Las Vegas formulation of Proth's test is by far the most efficient of the variants, and as definitive as the deterministic variant. This is the variant typically employed, though there are some nuances in implementation approach still. In practice, a quadratic nonresidue of p is found and taken as the value of a. Since, if a is a quadratic nonresidue modulo p then the converse of Proth's theorem is also true (if Euler's criterion does not yield –1 then p is composite) and the test becomes conclusive (bidirectional). The theorem may be restated: : For all Proth numbers p, and for any quadratic nonresidue a of p, p is prime if and only if a^{\frac{p-1}{2}}\equiv -1 \pmod{p}. A quadratic nonresidue a of p may be identified when the Legendre symbol is –1, thus for such an a-value: :: \left(\frac{a}{p}\right)=-1 . For such a value of a, the test is deterministic for both primality and compositeness; thus, for such an a the check against Proth's/Euler's criteria only requires one iteration: congruence or non-congruence to -1 is wholly descriptive of primeness. The difficulty is in finding such of an a-value. The value of a may be found either by systematically checking values in the interval [2, p − 1], through random selection and checking, or by a more direct computation (the more efficient option), against the Legendre symbol. In any case, when a value of a is verified against the Legendre symbol as a valid candidate, it may be applied in Proth's / Euler's criterion to determine primality or compositeness conclusively. A systematic check is not grossly inefficient; candidates are fairly common in the general case and one will likely found in a handful of attempts, regardless of whether p is prime or composite. Random selection is also not grossly inefficient; the probability of finding a candidate is about 50% per iteration. For a variety of reasons, however, a more direct calculation is typically employed via a modified Euclidean algorithm. Though only when p is composite, it is possible for no quadratic nonresidue a to exist at all. In such a case, compositeness can be deduced with certainty, though establishing this case is more complicated in programming without exhaustive verification. Both a systematic search and random selection always carry a certain probability of failing to find a candidate, when one exists, in a reasonably small number of attempts, thus potentially resulting in an early-exit condition with a misleading result of presumed compositeness. We may infer probabilistic compositeness (Monte Carlo) with a threshold of confidence if through random selection no nonresidue satisfying the Legendre symbol can be found in a reasonable number of attempts. If a candidate does not exist and no early-exit condition is defined, it may cost significant computational resources. As such, and to guarantee a deterministic (and efficient) test, a direct computation of the nonresidue is preferred. If direct computation of a quadratic nonresidue fails, then compositeness can be deduced with absolute certainty. Thus, in contrast to many Monte Carlo primality tests (randomized algorithms that can return a false positive or false negative), this deterministic variant of the primality testing algorithm is a Las Vegas algorithm, always returning the correct answer but with a randomly varying runtime. The check against Proth's criterion, a simple modular exponentiation operation, once a has been determined, has a runtime on the order of the bit-length of p; the random variability in the overall test runtime, therefore, is primarily a result of the search for an appropriate a value, however that may be done. Simplified forms Given a Proth number p = k2n + 1, particular forms of p, k, and n have been identified that correspond to predetermined quadratic nonresidue values that are appropriate for use. It has been shown that: • If p>3 and 3 ∤ k, then a = 3 is always a quadratic nonresidue (candidate) and therefore a valid base to check, and so: :: 3^{\frac{p-1}{2}} \equiv -1 \pmod{p} if and only if p is prime. : This is the basis of Pépin's test for Fermat numbers and their corresponding primes, wherein k = 1 is indivisible by 3. • If p>5 and p is 2 or 3 modulo 5, then a = 5 is always a quadratic nonresidue (candidate) and therefore a valid base to check, and so: :: 5^{\frac{p-1}{2}} \equiv -1 \pmod{p} if and only if p is prime. :- Though no such simple rule exists for the case where p is 1 or 4 modulo 5, in the latter 4 mod 5 case, one can increase the chances of finding a quadratic nonresidue candidate systematically by checking values in the narrow vicinities of the two distinct square roots of 5 modulo p. If there are not precisely two distinct square roots (see the Tonelli-Shanks algorithm) then p is not prime. Direct computation of the nonresidue is still likely more efficient. ==Numerical examples==

Examples of the theorem include: • for p = 3 = 1(21) + 1, we have that 2(3−1)/2 + 1 = 3 is divisible by 3, so 3 is prime. • for p = 5 = 1(22) + 1, we have that 3(5−1)/2 + 1 = 10 is divisible by 5, so 5 is prime. • for p = 13 = 3(22) + 1, we have that 5(13−1)/2 + 1 = 15626 is divisible by 13, so 13 is prime. • for p = 9, which is not prime, there is no a such that a(9−1)/2 + 1 is divisible by 9. The fact that p = 9 is not prime can be deterministically verified by checking that no such a (in mod 9) exists. This may be done by systematically checking each value of a from 2 to 8 (a = 0 and a = 1 will never work for any p). It is, however, sufficient to check values 2 to 5, or one-half of all possible values under 9. If 9 were a prime then by the pigeonhole principle, at lease one of these values of a will confirm primality, since it is expected that half of them would. Alternatively, if we employ the deterministic variant wherein the quadratic nonresidue is directly computed, the work requires fewer iterations to confirm both compositeness and primality: • for p = 97 = 3(25) + 1, we have a quadratic nonresidue of a = 5, and 5(97−1)/2 + 1 = 3552713678800500929355621337890626 is divisible by 97, so 97 is prime. • for p = 1537 = 3(29) + 1, we have a quadratic nonresidue of a = 5, and 5(1537−1)/2 + 1 = 1052 (mod 1537) is not divisible by 1537, so 1537=29×53 is not prime. In each of the previous two examples, an appropriate value of a was directly computed using a quadratic nonresidue computation such that the results of the test would be conclusive – a valid quadratic nonresidue in both the prime and composite cases. It was not necessarily to systematically search for an a to witness the prime case, or to reiterate the test a sufficient number of times for the composite. If a quadratic nonresidue cannot be found, or if one does not exist, then we may take this as confirmation of compositeness. == Alternative Testing Results ==

Euler's criterion provides additional insights to a number p, which are not necessarily components of Proth's theorem. These are secondary facts largely attributed to other theorems, which are trivially evaluated during any implementation of Proth's test. The number p need not be a Proth number for the criterion to be useful. Given an integer p, let us choose an arbitrary a value. Evaluate Euler's criterion: :a^{\frac{p-1}{2}}\equiv b \pmod{p}. There are generally five distinct outcomes. Some of these results do not rely on p being a Proth number, and are therefore valid for any form of prime candidate. Primality of p: • b = −1, in which case Proth's criterion is met and p is confirmed to be a Proth prime, as per Proth's theorem, if indeed p is a Proth number. : If p is not a Proth number yet b = −1, then this is indicative, but not conclusive, of primality. Refer to the probabilistic Solovay–Strassen primality test and the Miller-Rabin test. Inconclusive result: • b = 1, in which case the test is inconclusive and must be tried again with a new a value. : This condition is what requires reiteration and makes the test probabilistic, as if p were prime, then b = ±1 occurs with roughly equal probability, though the b = 1 condition may still be met with p either composite or non-Proth. : This is true unless a happens to also be a quadratic nonresidue of a Proth number p, in which case compositeness is indicated. Compositeness of p, as per Euler's criterion and the Legendre symbol, which offer early exit conditions when b ≠ ±1. In each of these cases p is not prime and also need not be a Proth number: • b2 = 1, with nontrivial divisors of p being GCD(b ± 1, p). • b2 ≠ 1, where p is proven composite by Fermat's test, base a. • b = 0, where p has a nontrivial divisor GCD(a, p). == Proth Certificate ==

A Proth Certificate is a primality certificate associated with Proth numbers and Proth's test, specifically. It is a document or digital proof of verification of any conditions proving primality (or compositeness). It typically contains the values k and n that comprises the Proth number, p, thus proving that it is a Proth number, as well as the a-value that proves primality. It may also prove compositeness, if appropriate. The certificate often shows the work of proof, including evidence that a is a quadratic nonresidue, etc., if necessary. == Prime Search ==

The first Proth primes are : :3, 5, 13, 17, 41, 97, 113, 193, 241, 257, 353, 449, 577, 641, 673, 769, 929, 1153 .... The largest known Proth prime is 10223 × 231172165 + 1, and is 9,383,761 digits long. It was found by Peter Szabolcs in the PrimeGrid volunteer computing project, which announced it on 6 November 2016. It is the 11th-largest known prime number as of January 2024, it was the largest known non-Mersenne prime until being surpassed in 2023, and is the largest Colbert number. The second-largest known Proth prime is 202705 × 221320516 + 1, found by PrimeGrid. ==Proof==

The proof for this theorem uses the Pocklington-Lehmer primality test. It is a relatively simple special case to prove Proth's theorem from it. It also closely resembles the proof of Pépin's test. The proof can be found on page 52 of. == Generalization ==

When k = n, the Proth number takes the form of p = n2n + 1. If we relax the condition requiring that k (or n) is odd, these are known as Cullen numbers, with corresponding Cullen primes. Though Proth's test works when n is odd, Cullen numbers have their own primality tests for arbitrary n. Furthermore, Cullen's primality tests may be generalized to numbers of the form p = ncn + 1, for arbitrary bases c. ==History==

François Proth (1852–1879) published the theorem in 1878. ==See also==