652 FASTER PRIMALITY TESTING extended abstract Wieb Bosma and Marc-Paul van der Hulst Mathematisch lnstituut Universtiteit van Amsterdam Roetersstraat I5 1018 WB Amsterdam The Netherlands Acknowledgement. Research wr.3 done while the surhor. were supported by the Nederlandse organ;satic yo)or rctcnrchappclijk onderzock X‘i\VO. Abstract Several major improvements to the Jacobi sum primdity testing algorithm will speed it up in such a way that proving primality of primes of up to 500 digits will be a matter of routine. Primes of about 800 digits will take at most one night on a Cray. Primality Testing and Factoring Primality testing is one of two closely related classical problems in computational number theory, the other being that of factoring integers. Usually, if a positive integer n is composite, it is easy to find a proof for that. Since such a proof generally does not provide factors of n, for composite numbers the problem of factoring n remains. But if a number does not seem to be composite, one would like to find a proof for its primality; this is the object of primaIity testing and the subject of this paper. A primality test is an algorithm that gives a rigorous proof for the primality of prime numbers; one inputs an integer and the algorithm either yieids a proof that n is prime, or it MS, indicating that n must be composite. In this paper we describe several major improvements to the Jacobi sum primality test. As a consequence we will soon be able to prove the primality of prime numbers of up to many hundreds of digits routinely. Our estimates show that in the worst ca5e proofs for 900 digit primes will take at most one night on a Cray. Furthermore, our implementation allows distribution on almost any number of processors; in this way we can achieve an m fold speedup by running the test on m identical machines. There exist very fast compositeness tests, also calfed pseudo-prime tests, that on input n either give a proof for the fact that n is composite, or tell you that r~ is probably prime. A proof of compositeness usually consists of exhibiting an integer, called a witness to the compositeness of n, which has a special property (for instance concerning its order in the multiplicative group module n) that no integer can satisfy if n were prime. In particular, these proofs for compositeness do not give any clue as to the divisors of n; finding these is very hard in general, which is the raison d’ktre of the ‘factoring industry’. In the case of Rabin’s compositeness test [R] the probability that a random integer is a witness to the compositeness of some composite number, is at least t. Since such a test can be repeated independently as many times as one would like, the probability that a composite integer is declared J.J. Quisquater and J. Vandewalle (Eds.): Advances in Cryptology - EUROCRYPT ‘89, LNCS 434, pp. 652-656, 1990. 0 Springer-Verlag Berlin Heidelberg 1990