What is the fastest deterministic primality test for numbers in the range 2^1024 to 2^4096?

Question

I am writing an implementation of a cryptography protocol. So far I\'ve been having a difficult time finding the fastest deterministic primality test for 1024-bit to 4096-bit i

Answer 1

This article is answering your question:

PRIMALITY TESTING by Richard P. Brent: http://cs.anu.edu.au/student/comp4600/lectures/comp4600_primality.pdf

It compares in complexity and in "real world speed" the 3 algorithms.

Answer 2

I'm new, so i can't comment on the above link, but here is the internet archive link to that article:

https://web.archive.org/web/20110414142105/http://cs.anu.edu.au/student/comp4600/lectures/comp4600_primality.pdf

Answer 3

The fastest proof methods for this size would be APR-CL (e.g. mpz_aprcl) and ECPP (e.g. Primo or ecpp-dj). APR-CL is deterministic and almost polynomial time, while ECPP is randomized but the answer returned is proven, not probabilistic. Alternately, use a constructive method for proven primes such as Maurer's methods or Shawe-Taylor. These are methods for quickly generating random n-bit primes created by building up Pocklington-style proofs. From a practical point of view, if you are generating the random candidates rather than receiving them from a third party then the error rates for Miller-Rabin are extraordinarily low, and almost all people in this case are satisfied with multiple Miller-Rabin tests using random bases, possibly with a strong Lucas test in addition. See FIPS 186-4 for lots of info on constructive methods and recommendations for probable prime testing.

Times are shown in this graph for a selection of random n-digit primes run through trial division, BPSW (an efficient probable prime test), two versions of AKS, APR-CL, and ECPP. This shows how AKS compares to the other methods.

I didn't add deterministic M-R as I assume you're not talking about 64-bit inputs, and over that you have to either test n/4 bases or prove the Riemann Hypothesis so you only have to test 2*log^2(n) bases. Neither one is attractive compared to our other options even if you use the latter without a proof. In practice the Bach version is faster than AKS as expected, but noticeably slower than ECPP and APR-CL in my tests with C+GMP. I haven't looked at asymptotics, but at 300 digits it is over 100x slower. Hence I don't see any point vs. APR-CL (Det M-R is slower) or ECPP (Det M-R is slower and ECPP gives you a certificate to boot).

Brent's paper can be found in this UMS10 version from 2010 as well as a similar version from 2006. It basically agrees with what I've found from more modern implementations in C+GMP of the various algorithms. AKS is a landmark theoretical result, but is of no current practical use.