Postmodern Primality Proving

Similar documents
Primality testing: then and now

Primality testing: then and now

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

DUAL ELLIPTIC PRIMES AND APPLICATIONS TO CYCLOTOMY PRIMALITY PROVING PREDA MIHĂILESCU

Advanced Algorithms and Complexity Course Project Report

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Primality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

Uncertainty can be Better than Certainty:

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

arxiv: v1 [math.nt] 26 Sep 2007

Primality Test Via Quantum Factorization. Abstract

arxiv: v1 [math.nt] 24 Jan 2008

Applied Cryptography and Computer Security CSE 664 Spring 2018

arxiv:math/ v1 [math.nt] 16 Jan 2003

SOME REMARKS ON PRIMALITY PROVING AND ELLIPTIC CURVES. Alice Silverberg. (Communicated by Neal Koblitz)

D. J. Bernstein University of Illinois at Chicago

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

A Few Primality Testing Algorithms

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

1. Algebra 1.7. Prime numbers

Primality testing: variations on a theme of Lucas

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Primality Tests Using Algebraic Groups

A Course in Computational Algebraic Number Theory

PRIMES is in P. Manindra Agrawal Neeraj Kayal Nitin Saxena

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

PROVING PRIMALITY AFTER AGRAWAL-KAYAL-SAXENA

Lecture Prelude: Agarwal-Biswas Probabilistic Testing

MASTERARBEIT / MASTER S THESIS

GENERATING RANDOM FACTORED GAUSSIAN INTEGERS, EASILY

ECEN 5022 Cryptography

Elliptic curves: Theory and Applications. Day 3: Counting points.

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

CSC 373: Algorithm Design and Analysis Lecture 30

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Factorization & Primality Testing

Primes of the Form n! ± 1 and p ± 1

Primality Testing- Is Randomization worth Practicing?

Counting points on elliptic curves over F q

arxiv: v3 [math.nt] 26 Apr 2011

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Primality Testing Using Elliptic Curves

Counting points on hyperelliptic curves

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

ON THE EQUATION X n 1 = BZ n. 1. Introduction

CRC Press has granted the following specific permissions for the electronic version of this book:

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

THE SOLOVAY STRASSEN TEST

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

CPSC 467b: Cryptography and Computer Security

NOTES ON SOME NEW KINDS OF PSEUDOPRIMES

CPSC 467b: Cryptography and Computer Security

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Cryptography. Number Theory with AN INTRODUCTION TO. James S. Kraft. Lawrence C. Washington. CRC Press

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

Elliptic curves: applications and problems

Constructing genus 2 curves over finite fields

DETERMINISTIC ELLIPTIC CURVE PRIMALITY PROVING FOR A SPECIAL SEQUENCE OF NUMBERS

Constructing Abelian Varieties for Pairing-Based Cryptography

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

The knapsack Problem

ECPP in PARI/GP. Jared Asuncion. 29 January Asuncion, J. ECPP in PARI/GP 29 January / 27

Finite Fields and Elliptic Curves in Cryptography

The running time of Euclid s algorithm

Part II. Number Theory. Year

C.T.Chong National University of Singapore

ON THE SEMIPRIMITIVITY OF CYCLIC CODES

Quasi-reducible Polynomials

DISTINGUISHING PRIME NUMBERS FROM COMPOSITE NUMBERS: THE STATE OF THE ART IN 2004

On Solving Univariate Polynomial Equations over Finite Fields and Some Related Problems

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

conp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.

WXML Final Report: AKS Primality Test

Public-key Cryptography: Theory and Practice

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Lecture 6: Cryptanalysis of public-key algorithms.,

EFFICIENTLY CERTIFYING NON-INTEGER POWERS

Genus 2 Curves of p-rank 1 via CM method

Galois theory (Part II)( ) Example Sheet 1

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups

Characters (definition)

Some mysteries of multiplication, and how to generate random factored integers

Attempt QUESTIONS 1 and 2, and THREE other questions. penalised if you attempt additional questions.

Lemma 1.1. The field K embeds as a subfield of Q(ζ D ).

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

A Guide to Arithmetic

Factoring integers, Producing primes and the RSA cryptosystem. December 14, 2005

A Proof of the Lucas-Lehmer Test and its Variations by Using a Singular Cubic Curve

IRREDUCIBILITY TESTS IN F p [T ]

c Copyright 2012 Wenhan Wang

COMPUTING MODULAR POLYNOMIALS

1: Please compute the Jacobi symbol ( 99

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Analyzing and Optimizing the Combined Primality test with GCD Operation on Smart Mobile Devices

Transcription:

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 1 / 29 Postmodern Primality Proving Preda Mihăilescu Mathematical Institute, University of Göttingen, Germany June 28, 2013

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 2 / 29 Present talk focuses on the problem of distinguishing rational primes from composites. Thus n N is always a test - number. The algorithms for doing this may fulfill one ore more of the following purposes: A. Ad hoc (trial division is sufficient). B. Practical applications high reliability required, proofs not necessary (e.g. cryptography). C. (Reproducible) proofs for very large numbers. D. Achieve complexity theoretical goals (polynomial, deterministic, etc.)

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 3 / 29 Pocklington - Morrison: Theorem Suppose that I know some large factored part: F = i q i = i l m i i (n 1). Furthermore, a i Z with (a i, n) = 1 and a n 1 i 1 mod n, ( ) a (n 1)/l i i 1, n = 1 i. Then p 1 mod F for all primes p n. Similar in a quadratic extension, for q (n + 1). In particular, if F > n, then n is prime.

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 4 / 29 Consequences: Together with some not too surprizing tricks for extensions of degree 2 and 4: origin of the Lucas Lehmer family of tests. These are deterministic tests, requiring some massive additional information (factor F ).

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 5 / 29 Certificates Idea: Let the first run of a primality test find some information on n which allows it, in later runs, to quick(er) prove its primality (if it does hold). Pratt Certificates: Recursive tree rooted at n and based on the previous Theorem: Et each level, a prime m to be certified comes with a list of triples (a i, l i, e i ) such that q i = l e i i and F = ( i q e i i ) (m 1), and the Pocklington - Morrison test is verified. The values q i are pseudo - primes and nodes for a primality certificate at the next level. Sufficiently small (e.g. < 1000) primes are certified by trial and error division. This are the terminal primes of the certificate tree.

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 6 / 29 Compositeness tests revisited Solovay Strassen C : a (n 1)/2 = ( a n ), δ C = 1/2. Strong pseudoprime test (Selfridge, Miller, Rabin et. al.). Let n 1 = 2 h m with odd m. { a m 1 mod n or C : a 2k 1 m 1 mod n and a 2k m 1 mod n for some 0 < k h. For this δ C = 1/4. Quadratic (Frobenius!) test of Grantham. C :... more complicated, essentially Lucas in quadratic extensions. δ C < 1/7710.

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 7 / 29 Alternative estimate of Damgård, Landrock, Pomerance Rather than worst case, average case error probability - tables for the strong pseudoprime test. k / t 1 2 3 4 5 6 7 8 9 10 100 5 14 20 25 29 33 36 39 41 44 150 8 20 28 34 39 43 47 51 54 57 200 11 25 34 41 47 52 57 61 65 69 250 14 29 39 47 54 60 65 70 75 79 300 19 33 44 53 60 67 73 78 83 88 350 28 38 48 58 66 73 80 86 91 97 400 37 46 55 63 72 80 87 93 99 105 450 46 54 62 70 78 85 93 100 106 112 500 56 63 70 78 85 92 99 106 113 119 550 65 72 79 86 93 100 107 113 119 126 600 75 82 88 95 102 108 115 121 127 133 Table: Lower bounds for p k,t : from [DLP]

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 8 / 29 The problem of general primality proving. Problem statement. Input a number n, decide and prove in (wishfully) polynomial time, whether n is prime or not. No false outputs, no (or few ) undecisions allowed. Known approaches: Cyclotomy (Adleman, Pomerance, Lenstra, Bosma, M., et. al.) Elliptic curve Pocklington (Goldwasser, Kilian, Atkin, Morain) Hyperelliptic curve Pocklington (Adleman, Huang). Introspection group cyclotomy (Agrawal, Kayal, Saxena). CIDE - Cyclotomy Improved by Dual Ellptic Primes.

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 9 / 29 In the Lucas Lehmer test, the values b i = a (n 1)/l i i are primitive q i th roots of unity modulo n (in some sense...). Their product b = i b i is an F th p.r.u. Generalize this idea to extension algebras over Z/(n Z)!

Theorem (Lenstra,1981) Let s Z >0. Let A be a ring containing Z/(n Z) as a subring. Suppose that there exists α A satisfying the following conditions: Ψ α (X ) = t 1 i=0 α s = 1, α s/q 1 A, for every prime q s, (1) ( X α n i ) Z/(n Z)[X ], for some t Z >0 Then, for every divisor r of n there exists i(r) such that 1 i(r) < t : r = n i(r) mod s, (2) and in particular if r is a prime < n, it is equal to the minimal positive representant of n i(r) mod s. Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 10 / 29

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 11 / 29 Consequence: Cyclotomy test CPP Analytic number theory shows that there is a ( t = O (log n) c log log log n), with c < 1 + ɛ, such that s = q : q 1 t q > log n, for prime powers q. For such t, s, the cyclotomy test implicitely proves the existence of the algebra A and α verifying Lenstra s theorem. It uses Jacobi sums and exponentiation in small extensions of Z/(n Z). Asymptotic runtime overpolynomial, O(t). De facto runtime for log 10 (n) < 10 6 is O ( log(n) 4). For input the size of the Universe (log(n) 10 100, the run time still is T = O ( log(n) 7).

Elliptic curves - ECPP Uses Pocklington for elliptic curves E n (a, b) : y 2 x 3 + ax + b mod n. (defined as varieties only if n is prime... ) Recursive: search a, b such that E n (a, b) = q.r, with q some large pseudoprime. Use Pocklington, then recurse to prove primality of q. Initial Goldwasser - Kilian variant: O(log n) 11, random polynomial for all but an exponentially thin subset of the inputs. Counts points using Schoof s algorithm. Impractical. Improvement due to Atkin and implemented by Morain: O ( (log n) 6), but not provable random polynomial any more - it works in practice with very few exceptions. Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 12 / 29

Comparing General Primality Proving Methods Complexity theoretic, de facto performance marked 1 5 and use of random decisions (yes/no). Alg. / Quality Complexity Perf. de facto Random (0/1) Cyclotomy 1 5 0 ECPP 2 4 1 Hyper Elliptic 4 1 1 AKS 5 3 0 Table: Quality Marks for General Primality Proving Algorithms Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 13 / 29

The Agrawal, Kayal, Saxena (AKS) test. Theorem (AKS) Let n be an odd integer and r N such that: ord r (n) > 4 log 2 (n), and (r, n) = 1. The number n has no prime factor < r. The number n is not a prime power. Let l = 2 ϕ(r) log(n) and ζ = ζ r C a primitive r th root of unity. If (ζ a) n ζ n a mod (n, Z[ζ]), 1 a l, then n is prime. Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 14 / 29

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 15 / 29 Run time count. Lemma There is an r N satisfying the conditions and such that r < (2 log n) 5. Let M(l) be the time for a multiplication in an extension of degree l of Z/(n Z); then run-time is T = O (l log n M(l)) O(l log n) ρ, for some 2 < ρ < 3 Thus, for some 3 k 6 T = O(log n) k ρ, for some 2 < ρ < 3.

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 16 / 29 Run time count. Lemma There is an r N satisfying the conditions and such that r < (2 log n) 5. Let M(l) be the time for a multiplication in an extension of degree l of Z/(n Z); then run-time is T = O (l log n M(l)) O(l log n) ρ, for some 2 < ρ < 3. Thus, for some 3 k 6 T = O(log n) k ρ, for some 2 < ρ < 3.

We gather the lower bound The proof of theorem (AKS) Definition For fixed n, r and α = f (ζ r ) Z[ζ r ] we say that m is introspective with respect to α, if σ m (α) α m mod nz[ζ r ]. Introspection is multiplicative with respect both to m and α. Clue of the proof: Find two groups G Z[ζ r ]/ (nz[ζ r ]) and I Z/(r Z) such that G is introspective for I and then derive contradictory bounds for the size of G mod p, for any possible prime p n, provided that n is not a prime power. Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 17 / 29

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 18 / 29 Some details Assume that p n is a prime divisor and let p Z[ζ] be a maximal ideal. Let G Z[ζ] be the group generated by {a + ζ r : 1 a l} and G = G mod, so G is a multiplicative group in a field of characteristic p: let o(g) be its order. Consider the set I 0 = {m : α m σ m (α)) mod n, α G} N and I = I 0 mod r Z/(r Z). With these definitions, one proves: If m, m I 0 are such that m m mod r then m m mod o(g). Define t = I. 1, n i, p j I. Let E = {n i p j : 0 i, j r } I. We have E > r: pigeon hole implies n i 1 p j 1 n i 2 p j 2 mod r.

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 19 / 29 Above congruence holds aslo mod o(g) > n 2 r. Since both terms are < n 2 r, it must be an equality: n i 1 i 2 = p j 2 j 1,

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 20 / 29 If n is not a power of p, we gather the upper bound G n t. For the upper bound, let F q = Z[ζ]/ and prove that ζ + a mod G are pairwise distinct in F q, for 1 a l. Together with the group structure and the definition of ζ, this leads to the lower bound: G ( ) t + l. l 1 The two bounds are contradictory, so n must be a prime power. The group with generators G replaces the cycle of a root of unity which was used in all previous, essentially Pocklingotn based tests.

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 21 / 29 Berrizbeitia: Uses Kummer extensions and their Galois theory and drops the condition of a deterministic test. Obtains a variant which is faster then AKS by a factor of (log n) 2. Theorem (Berrizbeitia, M.) Let m > log 2 (n) and A Z/(n Z) an algebra with some ζ A, Φ m (ζ) = 0, where Φ m (x) Z[x] is the m th cyclotomic polynomial. Let R = A[X ]/ (X m ζ) and ξ R be the image of X in R. If 1 + ξ n = (1 + ξ) n, then n is a prime power.

Certificates for CPP In (1) we have identities α (nd 1)/p r = ζp m r in some algebra A. Let E = (n d 1)/p r and m E u mod p r (assumption on r required!). Then ( αζ u ) E = 1, If n is prime, then there exists a β A with β pr = αζ u. This leads to the certificate idea: attempt to compute β; if computation fails, then n is composite. Otherwise β A certifies the test of (1) for α. One proves explicitly that if β A verifies its defining identity, then the tests (1) are correct, so the central part of the cyclotomy test is verified. Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 22 / 29

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 23 / 29 The resulting certificate is verified in time O(log(n)) faster than it was obtained. It is conceptually an extension of the Pratt certificates to the setting of CPP. The certification method has been implemented, works requires rather large certificates. Not a problem with modern computer in the realm of up to one million decimal digits, say.

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 24 / 29 CIDE - A combination of CPP and ECPP CIDE: Cyclotomy improved with dual elliptic primes. A variant using elliptic curves. Two primes p, q are dual elliptic, if there is an ordinary elliptic curve over F p which has q points. Then there also exists an elliptic curve over F q with p points! CIDE uses integers which have some related property, without being certified primes. The test is random polynomial with run time (heuristically) O ( log(n) 3+ε).

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 25 / 29 CIDE - Main Lemmata Lemma Two integers m, n are dual elliptic, if there is an imaginary quadratic field K = Q[ d] in which both split in principal ideals, and m = µ µ, n = ν ν with ν = µ ± 1. Then m, n are simultaneoulsy prime or composite. In the second case, there are prime factors p m, q n, which are dual elliptic primes. Moreover p q 2 4 max(m, n).

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 26 / 29 CIDE - A definition Definition Suppose that l is a prime, E : Y 2 = X 3 + ax + b an elliptic curve and f (X ) is a divisor of the l th division polynomial of E which has a zero modulo n. Let P = (X + (f (X ), n), Y + (Y 2 (X 3 + ax + b))) and τ(χ) = l 1 k=1 χ(k)[kp] x. We say n allows an l-th elliptic extension for E, iff τ(χ) n = χ n (λ) τ(χ n ) mod (n, f (X )).

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 27 / 29 CIDE - Main Theorem Theorem Let m, n be dual elliptic pseudoprimes and suppose that s th cyclotomic extensions M, N exist for both m, n and s 2 max(m 1/4, n 1/4 ) (CPP - tests!). Let µ µ = m; ν ν = n be the decomposition in K = Q[ d]. Let L be a square free integer all the prime factors of which split in K and suppose that there is an elliptic curve E together with an L-th elliptic extension for E with respect to both m and n. Then there are two integers k, k such that (µ + 1) k µ k ±1 mod LO(K). (3)

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 28 / 29 CIDE - Algorithm For given n find a dual m, with some preprocessing step of ECPP. Let K be the imaginary quadratic extension in which the two split, so that µ = ν ± 1, as above. Let E, E be corresponding CM curves. Choose the paramters s, t for the cyclotomic extensions M, N and prove their existence. Find an integer L for which the identity (3) has no solution (combinatorial problem, L = O(log log(n))). Perform the elliptic Gauss sum verifications for all primes l L. If all these steps are performed successfully, declare n, m primes. Otherwise either no decision or composite (simultaneously). Extend the certificates for N, M by some for the elliptic Gauss sums.

Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 29 / 29 The computations of Jens Franke et. al. We have confirmed the primality of the Leyland numbers 3110 63 + 63 3110 (5596 digits) and 8656 2929 + 2929 8656 (30008 digits) by an implementation of a version of Mihăilescu s CIDE. The certificates may be found at http://www.math.uni-bonn.de:people/franke/ptest/x3110y63.cert.tar.bz2 and http://www.math.unibonn.de:people/franke/ptest/x8656y2929.cert.tar.bz2.

Damgard I; Landrock, P; Pomerance, C.: Average Case Bounds for the Strong Probable Prime Test, Math. Comp. 61, no.203, pp.177-194. Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 29 / 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback