Advanced Algorithms and Complexity Course Project Report

Similar documents
Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

1. Algebra 1.7. Prime numbers

Factorization & Primality Testing

Applied Cryptography and Computer Security CSE 664 Spring 2018

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

The running time of Euclid s algorithm

THE SOLOVAY STRASSEN TEST

Postmodern Primality Proving

A Few Primality Testing Algorithms

Fibonacci Pseudoprimes and their Place in Primality Testing

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

Primality testing: then and now

Primality Testing- Is Randomization worth Practicing?

CPSC 467b: Cryptography and Computer Security

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

CSC 373: Algorithm Design and Analysis Lecture 30

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

CPSC 467b: Cryptography and Computer Security

Primality testing: then and now

IRREDUCIBILITY TESTS IN F p [T ]

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

NOTES ON SOME NEW KINDS OF PSEUDOPRIMES

PRIMES is in P. Manindra Agrawal Neeraj Kayal Nitin Saxena

Primality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Lecture # 12. Agenda: I. Vector Program Relaxation for Max Cut problem. Consider the vectors are in a sphere. Lecturer: Prof.

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Lecture 11 - Basic Number Theory.

Introduction to Number Theory. The study of the integers

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

Algorithms (II) Yu Yu. Shanghai Jiaotong University

The Impossibility of Certain Types of Carmichael Numbers

About complexity. We define the class informally P in the following way:

About complexity. Number theoretical algorithms

CPSC 467b: Cryptography and Computer Security

ECEN 5022 Cryptography

Ma/CS 6a Class 4: Primality Testing

Primality testing: variations on a theme of Lucas

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

D. J. Bernstein University of Illinois at Chicago

MASTERARBEIT / MASTER S THESIS

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Part II. Number Theory. Year

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Analyzing and Optimizing the Combined Primality test with GCD Operation on Smart Mobile Devices

THE MILLER RABIN TEST

Lucas Lehmer primality test - Wikipedia, the free encyclopedia

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

SOME REMARKS ON PRIMALITY PROVING AND ELLIPTIC CURVES. Alice Silverberg. (Communicated by Neal Koblitz)

CRC Press has granted the following specific permissions for the electronic version of this book:

C.T.Chong National University of Singapore

Lecture 31: Miller Rabin Test. Miller Rabin Test

Basic Algorithms in Number Theory

arxiv: v3 [math.nt] 26 Apr 2011

10 Concrete candidates for public key crypto

Lecture Prelude: Agarwal-Biswas Probabilistic Testing

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

Pseudoprimes and Carmichael Numbers

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers Solutions

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Elliptic curves: Theory and Applications. Day 3: Counting points.

ECE646 Lecture 11 Required Reading Chapter 8.3 Testing for Primality RSA Key Generation

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Introduction to Public-Key Cryptosystems:

Lecture 19: Finish NP-Completeness, conp and Friends

CSE 521: Design and Analysis of Algorithms I

6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch

Simultaneous Linear, and Non-linear Congruences

Basic counting techniques. Periklis A. Papakonstantinou Rutgers Business School

Factoring integers, Producing primes and the RSA cryptosystem. December 14, 2005

Uncertainty can be Better than Certainty:

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

Ma/CS 6a Class 4: Primality Testing

Public Key Encryption

Chapter 5 : Randomized computation

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

The Pseudosquares Prime Sieve

Lecture 6: Deterministic Primality Testing

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

God may not play dice with the universe, but something strange is going on with the prime numbers.

WXML Final Report: AKS Primality Test

arxiv:math/ v1 [math.nt] 16 Jan 2003

The group (Z/nZ) February 17, In these notes we figure out the structure of the unit group (Z/nZ) where n > 1 is an integer.

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

MATH 361: NUMBER THEORY FOURTH LECTURE

Number Theory and Algebra: A Brief Introduction

Primality Tests Using Algebraic Groups

conp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.

Math/Mthe 418/818. Review Questions

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Transcription:

Advanced Algorithms and Complexity Course Project Report Eklavya Sharma (2014A7PS0130P) 26 November 2017 Abstract This document explores the problem of primality testing. It includes an analysis of the AKS algorithm and a comparison of randomized compositeness-proving algorithms. Contents 1 Introduction 2 2 Analysis of AKS 2 2.1 Preliminary arguments...................... 3 2.2 Important lemmas from Primes is in P............ 3 2.3 Framework for correctness of my algorithm........... 4 2.4 Lower bound on size of G*.................... 4 3 Comparison of Compositeness-Proving Algorithms 6 3.1 Probable primes.......................... 6 3.2 Miller-Rabin vs Solovay-Strassen................ 7 3.3 The Baillie-PSW Algorithm................... 7 4 Conclusion 8 1

1 Introduction This report explores the problem of primality testing. Given a positive integer n, the task is to determine whether n is prime or composite. The Agarwal-Kayal-Saxena (AKS) algorithm [1] is the first general deterministic unconditional polynomial-time algorithm for primality testing. But despite being a polynomial-time algorithm, it is very slow. In this report I have attempted to to devise a faster variant of the AKS algorithm. I did this by parametrizing the AKS test, i.e. I replaced a constant in the algorithm by a parameter while preserving the correctness of the algorithm. Then I tried to find a value of the parameter which would yield the best time complexity. I proved that the constant in the original algorithm was the best value of that parameter, so I failed to improve the algorithm. This report describes my parametrized algorithm. I then studied randomized compositeness-proving algorithms. I have compared the Miller-Rabin algorithm [3], the Solovay-Strassen algorithm [4] and the Baillie-PSW primality test [2]. 2 Analysis of AKS This is a parametrized variant of the AKS algorithm, where w and n 0 are the parameters. 0. If n n 0, return output using a lookup table. 1. If n = a b for a N and b > 1, return composite. 2. Find the smallest r such that order of n in Z r > log w n. 3. If 1 < gcd(a, n) < n for some a r, return composite. 4. If n r, return prime. 5. For a from 1 to l = φ(r)) log w 2 n, if (x + a) n x n + a (mod x r 1, n), return composite. 6. Return prime. The original AKS algorithm uses w = 2 and n 0 = 1. Suppose this algorithm is correct for a value of w less than 2. Then in step 2, a smaller r can be found. The worst-case running time of the algorithm is dominated by step 5. Reducing the value of r will reduce the running time 2

of steps 2, 3 and 5 and therefore reduce the worst-case running time of the entire algorithm. I will now try to find constraints on the value of w imposed by the correctness of this algorithm. 2.1 Preliminary arguments If n is prime, steps 0, 1 and 3 can never return composite. Step 5 will never return composite due to the follow lemma (proof is in [1]). Lemma 2.1. For n 2 and gcd(a, n) = 1, n is prime (x + a) n x n + a (mod n) If steps 0, 1 and 3 return composite, it is easy to see that n is indeed composite. Therefore, to prove correctness of this algorithm, the only thing left is to prove that when step 5 does not return composite, n is indeed prime. gcd(n, r) = 1 because otherwise step 3 or 4 would decide primality of n. Let o r (n) denote the order of n in Z r. Since o r (n) > 1, there must exist a prime divisor p of n such that o r (p) > 1. p > r, since otherwise step 3 or 4 would decide about the primality of n. r > log w n, since o r (n) > log w n. Since gcd(n, r) = 1, p, n Z r. The numbers p and r will be fixed throughout the discussion of the AKS algorithm. 2.2 Important lemmas from Primes is in P Let us define the following sets: { ( ) } i n I = p p j i, j 0. P = { l } a=0 (x + a)ea e a 0, where l < p. G = I mod r. G is a subgroup of Z r generated by n and p, since gcd(p, r) = 1 and gcd(n, r) = 1. G = P mod (h(x), p) where h(x) is an irreducible factor of x r 1 modulo p. G is a subgroup of F = F p /h(x) generated by x, x + 1,..., x + l. x, x + 1,..., x + l are distinct because l < p. Let G = t. The following bounds on G are proven in [1]. 3

G ( t+l t 1). When n is not a power of p, G n t. These bounds hold under this condition: a [1, l], (x + a) n x n + a (mod x r 1, n) 2.3 Framework for correctness of my algorithm To prove the correctness of our algorithm, we must prove that when step 5 does not output composite, n is indeed prime. When step 5 does not output composite, we have a [1, l], (x + a) n x n + a (mod x r 1, n) for l = φ(r) log w 2 n. This is the prerequisite condition for bounds on G. We must first prove that this value of l is appropriate. As per the definition of P, l should be less than p. l = φ(r) log w 2 n r r = r < p, so we are good to go. In the original paper by AKS [1], the authors used the first bound on G to prove that G > n t. According to the second bound, this implies that n is a power of p. Since we have ensured in step 1 of the algorithm that n is not of the form a b where b 2, we can conclude that n is prime. This proves the correctness of the AKS algorithm. I m going to do the same thing for my variant of AKS, but my proof of G > n t will be different because of a different value of l and different bounds on t. 2.4 Lower bound on G Since G is generated by p and n and o r (n) > log w n, t log w n + 1. Since G is a subset of Z r, t φ(r). Therefore, log w n + 1 t φ(r). Let q = t log w 2 n t > log w n t > log w 2 n t > t log w 2 n t t log w 2 n + 1 = q + 1 4

Let n 2 2 1 w ( we only care about large values of n) log n 2 1 w log w n 2 log w n 2 q = t log w 2 n log w n 2 ( 2q+1 ) q > 2 q+1 when q 2. This can be proved easily using mathematical ( ) q+1 ) q ) ) induction. 1 + q+1 ( Hint: (2q+3 = (2q+1 2 q+2 2 q+1 q+2 ( ) t + l G t 1 ( ) t + l = l + 1 ( ) q + l + 1 l + 1 ( ) q + l + 1 = q ( ) 2q + 1 q > 2 q+1 = 2 t log w 2 n +1 > 2 t log w 2 n = n t 2 t(log w 2 n log n) (l = φ(r) log w 2 n t log w 2 n = q) For G > n t, we have to choose w so that 2 t(log w w n log n) 1. 5

2 t(log w 2 n log n) 1 t(log w 2 n log n) 0 log w 2 n log n log w 2 1 n 1 ( w ) 2 1 log log n 0 w 2 (log log n > 0 n > 2) Since w 2 for the algorithm to be correct, the attempt to improve the running time of the AKS algorithm failed. Perhaps using a value of l other than φ(r) log w 2 n could have given better results, but I didn t find that amenable to mathematical analysis. 3 Comparison of Compositeness-Proving Algorithms 3.1 Probable primes All such algorithms that we discuss here either declare n to be composite or probably prime. A composite probable prime is called a pseudoprime. We assume here that n is odd. Let n 1 = 2 s d. With respect to a base a coprime to n: n is a Fermat probable prime iff a n 1 1 (mod n). n is an Euler-Jacobi probable prime iff a n 1 2 ( a n) (mod n). n is a strong probable prime iff a d 1 (mod n) or a d2r 1 (mod n) for some 0 r < s. These conditions can be used as tests of compositeness by first randomly choosing a value a, checking whether it is coprime to n and then checking whether n is a probable prime with respect to base a. The Fermat primality test tests for Fermat probable primes. The Solovay-Strassen test tests for Euler-Jacobi probable primes. The Miller-Rabin test tests for strong probable primes. 6

3.2 Miller-Rabin vs Solovay-Strassen Let s define the primality-strength of n as {a gcd(a, n) = 1 and n is a probable prime for base a} n Euler-Jacobi-primality-strength and Strong-primality-strength are defined analogously. For a compositeness test which uses the concept of probable primes as defined above, the error probability of the algorithm for n equals the primality-strength of n when n is composite. Solovay and Strassen claimed [4] that a composite number has a Euler-Jacobi-primality-strength less than 1. Miller and Rabbin claimed [3] that a composite number has a 2 Strong-primality-strength less than 1. 4 The Miller-Rabin algorithm requires one more multiplication than the Solovay-Strassen algorithm for calculating powers of a. But the Solovay- Strassen algorithm additionally involves calculating the Jacobi symbol ( a n), which takes O(log min(a, n)m(log min(a, n))) time. This implies that both these algorithms have comparable running times. So given their error bounds, the Miller-Rabin algorithm seems better. However, the error bounds may not be tight for most numbers. The average-case error probability is given by the average value of the primalitystrength, and the error bounds may not be a good indication of that. Pomerance et al prove in [2] that the strong-primality-strength of n is less than or equal to the Euler-Jacobi-primality-strength of n for all composite n. This result makes the Miller-Rabin algorithm a clear winner against the Solovay-Strassen algorithm. 3.3 The Baillie-PSW Algorithm The Baillie-PSW [2] test is a compositeness-proving heuristic algorithm which works by running 2 compositeness tests. It returns composite if one of these tests returns composite and returns probably prime otherwise. The first test is the Miller-Rabin test with base 2 and the second test is the Lucas test with base 2. This makes the Baillie-PSW test a deterministic algorithm. In some variations of Baillie-PSW, a stronger variant of the Lucas test is used or different (either fixed or randomly-selected) bases are used. It is not known whether the Baillie-PSW algorithm always returns the correct result. However, there are no known counterexamples (i.e. the set of strong-pseudoprimes and lucas-pseudoprimes have no known overlap), which is what makes Baillie-PSW test a good choice in practice. 7

4 Conclusion The AKS algorithm is a deterministic polynomial-time algorithm for primality testing. It is however so slow that it is not used in practice. Therefore, almost all primality tests used in practice are randomized. The Solovay- Strassen algorithm was one of the first randomized algorithms for primalitytesting. But it has been superseded by the Miller-Rabin algorithm and the Baillie-PSW algorithm, which are now very popular algorithms for primality testing. References [1] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. Primes is in p. Annals of mathematics, pages 781 793, 2004. [2] Carl Pomerance, John L Selfridge, and Samuel S Wagstaff. The pseudoprimes to 25 10 9. Mathematics of Computation, 35(151):1003 1026, 1980. [3] Michael O Rabin. Probabilistic algorithm for testing primality. Journal of number theory, 12(1):128 138, 1980. [4] Robert Solovay and Volker Strassen. A fast monte-carlo test for primality. SIAM journal on Computing, 6(1):84 85, 1977. 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback