Function: primecert
Section: number_theoretical
C-Name: primecert0
Prototype: GD0,L,D0,L,
Help: primecert(N,{flag=0},{partial=0}): If N is a prime, return a Primality
 Certificate.  Return 0 otherwise. If flag = 0 return an ECPP certificate
 (Atkin-Morain); if flag = 1 return an N-1 certificate (Pocklington-Lehmer)
Doc:
 If N is a prime, return a PARI Primality Certificate for the prime $N$,
 as described below. Otherwise, return 0. A Primality Certificate
 $c$ can be checked using \tet{primecertisvalid}$(c)$.

 If $\fl = 0$ (default), return an ECPP certificate (Atkin-Morain)

 If $\fl = 0$ and $\var{partial}>0$, return a (potentially) partial
 ECPP certificate.

 A PARI ECPP Primality Certificate for the prime $N$ is either a prime
 integer $N < 2^{64}$ or a vector \kbd{C} of length $\ell$ whose $i$th
 component \kbd{C[i]} is a vector $[N_{i}, t_{i}, s_{i}, a_{i}, P_{i}]$
 of length $5$
 where $N_{1} = N$. It is said to be \emph{valid} if for each
 $i = 1, \ldots, \ell$, all of the following conditions are satisfied

 \item $N_{i}$ is a positive integer

 \item $t_{i}$ is an integer such that $t_{i}^{2} < 4N_{i}$

 \item $s_{i}$ is a positive integer which divides $m_{i}$ where
  $m_{i} = N_{i} + 1 - t_{i}$

 \item If we set $q_{i} = \dfrac{m_{i}}{s_{i}}$, then

 \quad\item $q_{i} > (N_{i}^{1/4}+1)^{2}$

 \quad\item $q_{i} = N_{i+1}$ if $1 \leq i < l$

 \quad\item $q_{\ell} \leq 2^{64}$ is prime

 \item $a_{i}$ is an integer

 \quad\item \kbd{P[i]} is a vector of length $2$ representing the affine
 point $P_{i} = (x_{i}, y_{i})$ on the elliptic curve
 $E: y^{2} = x^{3} + a_{i}x + b_{i}$ modulo $N_{i}$ where
 $b_{i} = y_{i}^{2} - x_{i}^{3} - a_{i}x_{i}$ satisfying the following:

 \quad\item $m_{i} P_{i} = \infty$

 \quad\item $s_{i} P_{i} \neq \infty$

 Using the following theorem, the data in the vector \kbd{C} allows to
 recursively certify the primality of $N$ (and all the $q_{i}$) under the single
 assumption that $q_{\ell}$ be prime.

 \misctitle{Theorem} If $N$ is an integer and there exist positive integers
 $m, q$ and a point $P$ on the elliptic curve $E: y^{2} = x^{3} + ax + b$
 defined modulo $N$ such that $q > (N^{1/4} + 1)^{2}$, $q$ is a prime divisor
 of $m$, $mP = \infty$ and $\dfrac{m}{q}P \neq \infty$, then $N$ is prime.

 A partial certificate is identical except that the condition $q_{\ell} \leq
 2^{64}$ is replaced by $q_{\ell} \leq 2^{partial}$.
 Such partial certificate $C$ can be extended to a full certificate by calling
 $C=primecert(C)$, or to a longer partial certificate by calling
 $C=primecert(C,,b)$ with $b<partial$.

 \bprog
 ? primecert(10^35 + 69)
 %1 = [[100000000000000000000000000000000069, 5468679110354
 52074, 2963504668391148, 0, [60737979324046450274283740674
 208692, 24368673584839493121227731392450025]], [3374383076
 4501150277, -11610830419, 734208843, 0, [26740412374402652
 72 4, 6367191119818901665]], [45959444779, 299597, 2331, 0
 , [18022351516, 9326882 51]]]
 ? primecert(nextprime(2^64))
 %2 = [[18446744073709551629, -8423788454, 160388, 1, [1059
 8342506117936052, 2225259013356795550]]]
 ? primecert(6)
 %3 = 0
 ? primecert(41)
 %4 = 41

 ? N = 2^2000+841;
 ? Cp1 = primecert(N,,1500); \\ partial certificate
 time = 16,018 ms.
 ? Cp2 = primecert(Cp1,,1000); \\ (longer) partial certificate
 time = 5,890 ms.
 ? C = primecert(Cp2); \\ full certificate for N
 time = 1,777 ms.
 ? primecertisvalid(C)
 %9 = 1
 ? primecert(N);
 time = 23,625 ms.
 @eprog\noindent As the last command shows, attempting a succession of
 partial certificates should be about as fast as a direct computation.

 \smallskip

 If $\fl = 1$ (very slow), return an $N-1$ certificate (Pocklington Lehmer)

 A PARI $N-1$ Primality Certificate for the prime $N$ is either a prime
 integer $N < 2^{64}$ or a pair $[N, C]$, where $C$ is a vector with $\ell$
 elements which are either a single integer $p_{i} < 2^{64}$ or a
 triple $[p_{i},a_{i},C_{i}]$ with $p_{i} > 2^{64}$ satisfying the following
 properties:

 \item $p_{i}$ is a prime divisor of $N - 1$;

 \item $a_{i}$ is an integer such that $a_{i}^{N-1} \equiv 1 \pmod{N}$ and
 $a_{i}^{(N-1)/p_{i}} - 1$ is coprime with $N$;

 \item $C_{i}$ is an $N-1$ Primality Certificate for $p_{i}$

 \item The product $F$ of the $p_{i}^{v_{p_{i}}(N-1)}$ is strictly larger than
 $N^{1/3}$. Provided that all $p_{i}$ are indeed primes, this implies that any
 divisor of $N$ is congruent to $1$ modulo $F$.

 \item The Brillhart--Lehmer--Selfridge criterion is satisfied: when we write
 $N = 1 + c_{1} F + c_{2} F^{2}$ in base $F$ the polynomial
 $1 + c_{1} X + c_{2} X^{2}$
 is irreducible over $\Z$, i.e. $c_{1}^{2} - 4c_{2}$ is not a square. This
 implies that $N$ is prime.

 This algorithm requires factoring partially $p-1$ for various prime integers
 $p$ with an unfactored parted $\leq p^{2/3}$ and this may be exceedingly
 slow compared to the default.

 The algorithm fails if one of the pseudo-prime factors is not prime, which is
 exceedingly unlikely and well worth a bug report. Note that if you monitor
 the algorithm at a high enough debug level, you may see warnings about
 untested integers being declared primes. This is normal: we ask for partial
 factorizations (sufficient to prove primality if the unfactored part is not
 too large), and \kbd{factor} warns us that the cofactor hasn't been tested.
 It may or may not be tested later, and may or may not be prime. This does
 not affect the validity of the whole Primality Certificate.

Variant: Also available is
 \fun{GEN}{ecpp0}{GEN N, long partial} ($\fl = 0$).
