Finding Primitive Roots Pseudo-Deterministically

Electronic Colloquium on Computational Complexity, Report No. 207 (2015), ISSN 1433-8092

Finding Primitive Roots Pseudo-Deterministically

Ofer Grossman (ogrossma@mit.edu, Department of Mathematics, MIT)

December 22, 2015

Abstract

Pseudo-deterministic algorithms are randomized search algorithms which output unique solutions (i.e., with high probability they output the same solution on each execution). We present a pseudo-deterministic algorithm that, given a prime $p$, finds a primitive root modulo $p$ in time $\exp(O(\sqrt{\log p \log\log p}))$. This improves upon the previous best known provable deterministic (and pseudo-deterministic) algorithm, which runs in exponential time $p^{1/4+o(1)}$. Our algorithm matches the problem's best known running time for Las Vegas algorithms, which may output different primitive roots in different executions.

When the factorization of $p-1$ is known, as may be the case when generating primes with $p-1$ in factored form for use in certain applications, we present a pseudo-deterministic polynomial time algorithm for the case that each prime factor of $p-1$ is either of size at most $\log^c(p)$ or at least $p^{1/c}$ for some constant $c>0$. This is a significant improvement over a result of Gat and Goldwasser [5], which described a polynomial time pseudo-deterministic algorithm when the factorization of $p-1$ was of the form $kq$ for prime $q$ and $k = \mathrm{poly}(\log p)$.

We remark that the Generalized Riemann Hypothesis (GRH) implies that the smallest primitive root $g$ satisfies $g \le O(\log^6(p))$. Therefore, assuming GRH, given the factorization of $p-1$, the smallest primitive root can be found and verified deterministically by brute force in polynomial time.

1 Introduction

Pseudo-deterministic algorithms are randomized search algorithms which, with high probability, output the same solution on each execution. Formally, $A$ is a pseudo-deterministic algorithm for a binary relation $R$ if there exists some function $s$ such that when executed on input $x$, the algorithm $A$ outputs $s(x)$ with high probability, and $(x, s(x)) \in R$. In other words, when we execute $A$ on input $x$, we get the same output $s(x)$ for almost all random seeds. Standard randomized search algorithms, on the other hand, may output a different $y$ satisfying $(x, y) \in R$ on each execution with input $x$.

In [5], Gat and Goldwasser ask whether there exists a pseudo-deterministic algorithm that finds a primitive root mod $p$ faster than the best known deterministic algorithm, which runs in time $p^{1/4+o(1)}$. We answer this question in the affirmative:

Theorem 1.1. There exists a pseudo-deterministic algorithm for Primitive-Root that runs in expected time $L_p(1/2) = \exp(O(\sqrt{\log p \log\log p}))$.

We note that this matches the time bound for the best known Las Vegas algorithms for Primitive-Root. This problem may have cryptographic applications, as protocols based on the Diffie-Hellman problem [4] rely on primitive roots to establish keys. It may be desirable for two parties to independently generate the same key, or primitive root, for $\mathbb{F}_p$. In this situation, pseudo-deterministic algorithms are helpful, while standard randomized algorithms will not suffice.

A closely related problem to Primitive-Root is Primitive-Root-Given-Factorization. This problem asks for a primitive root mod $p$, given both $p$ and the factorization of $p-1$. Primitive-Root-Given-Factorization may be relevant to applications since the factorization of $p-1$ is often known. For example, protocols may require efficient ways to verify that an element is a primitive root, in which case the factorization of $p-1$ will be known. For such applications, it is possible to efficiently generate primes $p$ with $p-1$ in factored form [1].

Assuming the Generalized Riemann Hypothesis (GRH), Shoup proved in [7] that the smallest non-residue mod $p$ is of size $O(\log^6(p))$, which implies a brute force polynomial time algorithm for Primitive-Root-Given-Factorization. Without the GRH assumption, the best deterministic algorithm remains the $p^{1/4+o(1)}$ algorithm from [2].

In [5], polynomial time pseudo-deterministic algorithms are presented for Primitive-Root-Given-Factorization when the input prime satisfies $p-1 = kq$, with $q$ prime and $k = \mathrm{poly}(\log p)$. We improve upon this result by finding polynomial time pseudo-deterministic algorithms for primes satisfying $p-1 = \prod_{i=1}^{k} q_i^{e_i}$, where for some constant $c$ each of the $q_i$ is either at most of size $\log^c(p)$ or at least of size $p^{1/c}$ (our dependence on $c$ is exponential). It remains open to find a polynomial time pseudo-deterministic algorithm for Primitive-Root-Given-Factorization for general primes.

2 Preliminaries

In this section we establish some lemmas we will later use. All lemmas in this section assume $p$ is a prime, $a, b \not\equiv 0 \pmod p$, and $\mathrm{ord}$ refers to the order in $\mathbb{F}_p^*$ (the multiplicative group of $\mathbb{F}_p$).

Lemma 2.1. Suppose $a, b \in \mathbb{F}_p^*$. If $\mathrm{ord}(a)$ and $\mathrm{ord}(b)$ are relatively prime, then $\mathrm{ord}(ab) = \mathrm{ord}(a)\,\mathrm{ord}(b)$.

Proof. First, we note that $(ab)^{\mathrm{ord}(a)\mathrm{ord}(b)} = 1$. Therefore, $\mathrm{ord}(ab) \mid \mathrm{ord}(a)\mathrm{ord}(b)$. Suppose $\mathrm{ord}(ab) < \mathrm{ord}(a)\mathrm{ord}(b)$. Let $q$ be a prime dividing $\mathrm{ord}(a)\mathrm{ord}(b)/\mathrm{ord}(ab)$. We know that $(ab)^{\mathrm{ord}(a)\mathrm{ord}(b)/q} = 1$. However, $q$ divides either $\mathrm{ord}(a)$ or $\mathrm{ord}(b)$. Suppose without loss of generality that $q \mid \mathrm{ord}(a)$. Then
$$1 = a^{\mathrm{ord}(a)\mathrm{ord}(b)/q}\, b^{\mathrm{ord}(b)(\mathrm{ord}(a)/q)} = a^{\mathrm{ord}(a)\mathrm{ord}(b)/q}.$$
Therefore, $\mathrm{ord}(a) \mid (\mathrm{ord}(a)/q)\,\mathrm{ord}(b)$. However, because $\mathrm{ord}(a)$ and $\mathrm{ord}(b)$ are relatively prime, this implies $\mathrm{ord}(a) \mid (\mathrm{ord}(a)/q)$, which is impossible.

Definition 2.2 ($q$th residue). Let $q \mid p-1$ be a prime. We call an element $a$ which is a $q$th power (i.e., there exists some $b$ such that $a = b^q$) a $q$th residue. Otherwise, we call $a$ a $q$th non-residue.

Lemma 2.3. Suppose $q^e$ is the largest power of $q$ dividing $p-1$. Then a $q$th non-residue has order divisible by $q^e$.

Proof. Suppose $g$ is a primitive root mod $p$. An element $a = g^k$ satisfies $\mathrm{ord}(a) = (p-1)/\gcd(p-1, k)$. If $a$ is a $q$th non-residue, then we know $k$ is not divisible by $q$. Therefore, $q \nmid \gcd(p-1, k)$. It follows that $\mathrm{ord}(a)$ is divisible by $q^e$, where $q^e$ is the largest power of $q$ dividing $p-1$.

The following lemma will show that to find a primitive root modulo $p$, it is enough if for each prime $q_i$ dividing $p-1$ we find a $q_i$th non-residue.

Lemma 2.4. Let $p-1 = \prod_{i=1}^{m} q_i^{e_i}$. Suppose that for each $i$, the element $a_i$ is a $q_i$th non-residue. Then the product
$$\prod_{i=1}^{m} a_i^{(p-1)/q_i^{e_i}}$$
is a primitive root.

Proof. We can write $a_i = g^{k_i}$ for some primitive root $g$, and $k_i$ not divisible by $q_i$. Then $a_i^{(p-1)/q_i^{e_i}} = g^{k_i (p-1)/q_i^{e_i}}$ must have order exactly $q_i^{e_i}$, since $q_i^{e_i}$ is the smallest number $N$ such that $N k_i (p-1)/q_i^{e_i}$ is divisible by $p-1$, which is the order of $g$. Therefore, the element $a_i^{(p-1)/q_i^{e_i}}$ has order exactly $q_i^{e_i}$. It follows that the orders of each of the $a_i^{(p-1)/q_i^{e_i}}$ are relatively prime, and so by Lemma 2.1,
$$\mathrm{ord}\Big(\prod_{i=1}^{m} a_i^{(p-1)/q_i^{e_i}}\Big) = \prod_{i=1}^{m} \mathrm{ord}\big(a_i^{(p-1)/q_i^{e_i}}\big).$$
The order of $a_i^{(p-1)/q_i^{e_i}}$ is $q_i^{e_i}$, so the product of the orders is $\prod_{i=1}^{m} q_i^{e_i} = p-1$. Hence $\prod_{i=1}^{m} a_i^{(p-1)/q_i^{e_i}}$ is a primitive root.

Lemma 2.5. Given $p$ and $q \mid p-1$, there exists a pseudo-deterministic algorithm that finds a $q$th non-residue in time $q \cdot \mathrm{poly}(\log p)$.

Proof. See Theorem 3 in [5].

Lemma 2.6. Given the factorization $p-1 = \prod_{i=1}^{m} q_i^{e_i}$ and an element $a \in \mathbb{F}_p^*$, we can compute $\mathrm{ord}(a)$ in $\mathrm{poly}(\log p)$ time.

Proof. See page 329 in [8].

The following theorem from [3] gives a bound on smooth numbers (we say that $n$ is $m$-smooth if all prime factors of $n$ are at most $m$).

Theorem 2.7 (Canfield-Erdös-Pomerance). Let $\psi(x, y)$ denote the number of $y$-smooth positive integers bounded by $x$. Let $u = \log x / \log y$. Suppose that $u < (1-\epsilon)\,\log x / \log\log x$ for some $\epsilon > 0$. Then
$$\psi(x, y) = x\, u^{-u + o(u)}$$
holds uniformly as $u$ and $x$ approach $\infty$.

3 Algorithm and Analysis

In this section, we present and analyze our algorithm. The idea for the algorithm is as follows. First we factor $p-1$. Now, for each prime factor $q$ of $p-1$, we find a $q$th non-residue. We then use Lemma 2.4 to construct a primitive root. To find a $q$th non-residue, we first check if $q$ is large or small (compared to $\exp(\sqrt{\log p \log\log p})$). If $q$ is small, we run the algorithm from Lemma 2.5. If $q$ is large, we check the elements $\{1, 2, \ldots, p-1\}$ (in order) until we find one which is a $q$th non-residue. Lemma 3.1 guarantees that for large $q$, we will encounter a $q$th non-residue within the first $\exp(\sqrt{\log p \log\log p})$ elements:

Lemma 3.1. For all sufficiently large $p$, for all $q \ge \exp(\sqrt{\log p \log\log p})$ dividing $p-1$, there exists a positive $s \le \exp(\sqrt{\log p \log\log p})$ which is a $q$th non-residue.

Proof. Our strategy will be to assume Lemma 3.1 is false and then to write an inequality comparing the number of $\exp(\sqrt{\log p \log\log p})$-smooth numbers with the number of $q$th residues. We will then reduce this inequality to a contradiction.

We first calculate $\psi(p, \exp(\sqrt{\log p \log\log p}))$. We use the Canfield-Erdös-Pomerance theorem (Theorem 2.7), and see that
$$u = \frac{\log p}{\sqrt{\log p \log\log p}} = \sqrt{\frac{\log p}{\log\log p}}.$$
Since $\log u = \tfrac{1}{2}(\log\log p - \log\log\log p) = (\tfrac{1}{2} + o(1))\log\log p$, this gives
$$\psi\big(p, \exp(\sqrt{\log p \log\log p})\big) = p \cdot u^{-u+o(u)} = p \cdot \exp\Big(-\Big(\tfrac{1}{2} + o(1)\Big)\sqrt{\log p \log\log p}\Big). \qquad (1)$$

For the sake of contradiction, assume that every element $s \le \exp(\sqrt{\log p \log\log p})$ is a $q$th residue. Since the product of two elements which are $q$th residues is also a $q$th residue, every $\exp(\sqrt{\log p \log\log p})$-smooth number is a $q$th residue. We therefore know that $\psi(p, \exp(\sqrt{\log p \log\log p}))$ is bounded above by the number of $q$th residues, which is $p/q \le p/\exp(\sqrt{\log p \log\log p})$. Combining this with (1) yields
$$\frac{p}{\exp(\sqrt{\log p \log\log p})} \ge p \cdot \exp\Big(-\Big(\tfrac{1}{2} + o(1)\Big)\sqrt{\log p \log\log p}\Big).$$
Taking the log of both sides gives
$$\log p - \sqrt{\log p \log\log p} \ge \log p - \Big(\tfrac{1}{2} + o(1)\Big)\sqrt{\log p \log\log p}.$$
Multiplying both sides by $-1/\sqrt{\log p \log\log p}$ results in
$$1 \le \tfrac{1}{2} + o(1).$$
The above inequality is clearly false, completing the proof.

Now that we have proven Lemma 3.1, we are ready to analyze the algorithm (Figure 1).

Primitive-Root($p$)
  1  Factor $p-1 = \prod_{i=1}^{m} q_i^{e_i}$
  2  for each $q_i$:
  3      if $q_i > \exp(\sqrt{\log p \log\log p})$
  4          Compute the order of $1, 2, \ldots$ until an element $a_i$ with $q_i^{e_i} \mid \mathrm{ord}(a_i)$ is found
  5      if $q_i \le \exp(\sqrt{\log p \log\log p})$
  6          Find a $q_i$th non-residue $a_i$ using Lemma 2.5
  7  return $\prod_{i=1}^{m} a_i^{(p-1)/q_i^{e_i}}$

Figure 1: A pseudo-deterministic algorithm finding a primitive root modulo a given prime $p$.

Correctness of the algorithm follows immediately from Lemma 2.4. We will now analyze the time complexity of the algorithm:

Lemma 3.2. The algorithm in Figure 1 runs in time $L_p(1/2) = \exp(O(\sqrt{\log p \log\log p}))$.

Proof. By Lenstra and Pomerance's factoring algorithm [6], line 1 takes time $L_p(1/2)$. For each $q_i > \exp(\sqrt{\log p \log\log p})$, by Lemma 3.1, in line 4 we have to find the order of at most $L_p(1/2)$ elements. By Lemma 2.6, finding each order requires $\mathrm{poly}(\log p)$ time, so line 4 takes a total of $L_p(1/2) \cdot \mathrm{poly}(\log p) = L_p(1/2)$ time. For $q_i \le \exp(\sqrt{\log p \log\log p})$, line 6 takes at most $\exp(\sqrt{\log p \log\log p}) \cdot \mathrm{poly}(\log p) = L_p(1/2)$ time by Lemma 2.5. Since there are at most $\log p$ primes dividing $p-1$, the loop in line 2 takes a total of $L_p(1/2) \cdot \log p = L_p(1/2)$ time. Calculating the product in line 7 takes $\mathrm{poly}(\log p)$ time. Therefore, the algorithm as a whole terminates in expected time $L_p(1/2)$.

We now show that the algorithm is pseudo-deterministic. Note that the only randomized steps of the algorithm are line 1 and line 6. In line 1, we use an algorithm that with high probability outputs the factorization of $p-1$, which is always the same. In line 6, we use an algorithm which is pseudo-deterministic by Lemma 2.5.

This implies our main theorem:

Theorem 3.3. There exists a pseudo-deterministic algorithm for Primitive-Root that runs in expected time $L_p(1/2)$.

4 Finding a Primitive Root Given Factorization

A related problem to Primitive-Root is Primitive-Root-Given-Factorization:

Definition 4.1. The Primitive-Root-Given-Factorization problem is the problem of finding a primitive root mod $p$ when both $p$ and the factorization of $p-1$ are given as input.
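As an added example (not part of the paper), the following Python code carries out Primitive-Root-Given-Factorization along the lines of Figure 1: for every $q_i$ it uses the scan of line 4 (the Lemma 2.5 subroutine from [5] is not reproduced), combines the non-residues with the product of Lemma 2.4, and certifies the result with the order computation of Lemma 2.6; the factorization of $p-1$ is obtained by trial division rather than by [6], and the sample primes 7, 41 and 1009 are constructed for the demonstration.

```python
# Added example (not from the paper): the Lemma 2.4 construction of a
# primitive root from q_i-th non-residues, given the factorization of p-1,
# certified with the order computation of Lemma 2.6. The scan of line 4 of
# Figure 1 is used for every q_i; the Lemma 2.5 subroutine from [5] is not
# reproduced. The sample primes below are constructed for the demonstration.


def factor_small(n):
    """Trial division, adequate for the tiny moduli used here (line 1 of
    Figure 1 uses the Lenstra-Pomerance algorithm [6] instead)."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_qth_nonresidue(a, p, q):
    """Writing a = g^k for a primitive root g, a is a q-th power iff q | k
    iff a^((p-1)/q) == 1, so one modular exponentiation decides it."""
    return pow(a, (p - 1) // q, p) != 1


def order_given_factorization(a, p, factors):
    """Lemma 2.6: start from p-1 and divide out each prime q of p-1 for as
    long as a^(n/q) stays 1; what remains is ord(a) in F_p^*."""
    n = p - 1
    for q in factors:
        while n % q == 0 and pow(a, n // q, p) == 1:
            n //= q
    return n


def primitive_root_given_factorization(p, factors):
    """Lines 2-7 of Figure 1 with the scan 1, 2, 3, ... of line 4 for every
    q_i. Nothing here is randomized, so every run returns the same root."""
    root = 1
    for q, e in factors.items():
        a = 1
        while not is_qth_nonresidue(a, p, q):
            a += 1
        # a^((p-1)/q^e) has order exactly q^e (proof of Lemma 2.4); these
        # orders are pairwise coprime, so Lemma 2.1 multiplies them to p-1.
        root = root * pow(a, (p - 1) // q**e, p) % p
    return root


def check_primitive_root(p):
    """Return (root, ord(root)); ord(root) == p-1 certifies the output."""
    factors = factor_small(p - 1)
    g = primitive_root_given_factorization(p, factors)
    return g, order_given_factorization(g, p, factors)


if __name__ == "__main__":
    for p in (7, 41, 1009):  # constructed sample primes
        print(p, check_primitive_root(p))
```

For $p = 41$, $p-1 = 2^3 \cdot 5$: the scan finds $3$ as the first square non-residue and $2$ as the first fifth-power non-residue, giving $3^5 \cdot 2^8 \equiv 11 \pmod{41}$, whose order is $40$.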

For Primitive-Root-Given-Factorization, the best known Las Vegas algorithm runs in polynomial time. The best previously known pseudo-deterministic algorithm runs in time $p^{1/4+o(1)}$. The algorithm from Section 3 improves this to $L_p(1/2)$. In [5], Gat and Goldwasser pose as a problem to find a polynomial time pseudo-deterministic algorithm for Primitive-Root-Given-Factorization. The authors present a polynomial time algorithm for the case $p-1 = kq$, where $q$ is prime and $k$ is of size $\mathrm{poly}(\log p)$. We improve upon this result with a polynomial time algorithm for all $p$ where each prime factor of $p-1$ is of size either at most $\log^c(p)$ or at least $p^{1/c}$, for some constant $c > 1$. Our algorithm runs in time $\log^c(p) \cdot \mathrm{poly}(\log p)$. We describe our algorithm in Figure 2.

Primitive-Root-Given-Factorization($p$, $p-1 = \prod_{i=1}^{m} q_i^{e_i}$)
  1  for each $q_i$:
  2      if $q_i > \exp(\sqrt{\log p \log\log p})$
  3          Compute the order of $1, 2, \ldots$ until an element $a_i$ with $q_i^{e_i} \mid \mathrm{ord}(a_i)$ is found
  4      if $q_i \le \exp(\sqrt{\log p \log\log p})$
  5          Find a $q_i$th non-residue $a_i$ using Lemma 2.5
  6  return $\prod_{i=1}^{m} a_i^{(p-1)/q_i^{e_i}}$

Figure 2: A pseudo-deterministic algorithm finding a primitive root modulo a prime $p$, given both $p$ and the factorization of $p-1$.

Correctness of the algorithm follows immediately from Lemma 2.4. We now prove that if there is some constant $c$ such that all $q_i$ satisfy either $q_i < \log^c p$ or $q_i > p^{1/c}$, then the algorithm terminates in time at most $\log^c(p) \cdot \mathrm{poly}(\log p)$.

First, note that for large enough $p$, if $q_i < \log^c p$ then $q_i < \exp(\sqrt{\log p \log\log p})$. Also, if $q_i > p^{1/c}$ then $q_i > \exp(\sqrt{\log p \log\log p})$.

To prove that line 3 takes polynomial time, we argue that for all fixed $\varepsilon > 0$, for large enough $p$, if $q_i > p^{1/c}$ then there exists an $a < \log^{c+\varepsilon}(p)$ that is a $q_i$th non-residue. We do this with a similar strategy to our proof of Lemma 3.1. We know that there are at most $p/q_i$ elements which are $q_i$th residues. Suppose for the sake of contradiction that all $a < \log^{c+\varepsilon}(p)$ are $q_i$th residues. This implies that there are at least $\psi(p, \log^{c+\varepsilon}(p))$ elements which are $q_i$th residues. Therefore, we have the inequality
$$\frac{p}{q_i} \ge \psi\big(p, \log^{c+\varepsilon}(p)\big).$$
By the Canfield-Erdös-Pomerance theorem (Theorem 2.7), $\psi(p, \log^{c+\varepsilon}(p)) = p\, u^{-u+o(u)}$, where
$$u = \frac{\log p}{\log \log^{c+\varepsilon}(p)} = \frac{\log p}{(c+\varepsilon)\log\log p}.$$
Plugging this in and taking the log of both sides yields
$$\log p - \log q_i \ge \log p - (1+o(1))\, u \log u = \log p - (1+o(1))\,\frac{\log p}{(c+\varepsilon)\log\log p}\big(\log\log p - \log\log\log p - \log(c+\varepsilon)\big).$$
Simplifying gives
$$\log q_i \le (1+o(1))\,\frac{\log p}{c+\varepsilon}\Big(1 - \frac{\log\log\log p + \log(c+\varepsilon)}{\log\log p}\Big) = (1+o(1))\,\frac{\log p}{c+\varepsilon}.$$
But we know that $q_i \ge p^{1/c}$, so $\log q_i \ge \log p / c$. Therefore,
$$\frac{\log p}{c} \le (1+o(1))\,\frac{\log p}{c+\varepsilon}.$$
Dividing both sides by $\log p$ and rearranging now gives
$$c \ge \frac{c+\varepsilon}{1+o(1)} = (c+\varepsilon)(1-o(1)).$$
However, the right side approaches $c+\varepsilon$, whereas the left side is $c$. Therefore, we have reached a contradiction, and so within the first $\log^{c+\varepsilon}(p)$ elements that we test in line 3, we will encounter a $q_i$th non-residue.

Therefore, line 3 of the algorithm requires calculating the order of up to $\log^{c+\varepsilon}(p)$ elements, each of which takes $\mathrm{poly}(\log p)$ time by Lemma 2.6. Line 5 takes up to $\log^c(p) \cdot \mathrm{poly}(\log p)$ time by Lemma 2.5. Since there are at most $\log p$ primes dividing $p-1$, the loop in line 1 is of length up to $\log p$. It follows that our algorithm terminates and outputs a primitive root in expected time $\log^c(p) \cdot \mathrm{poly}(\log p)$.

Note that on every execution of the algorithm, we output the same primitive root, since the only randomized step of the algorithm is line 5, which is pseudo-deterministic by Lemma 2.5. This completes the proof of the following theorem:

Theorem 4.2. For any constant $c > 1$, there exists a pseudo-deterministic algorithm for Primitive-Root-Given-Factorization that runs in polynomial time for all $p$ where each prime factor $q_i$ of $p-1$ satisfies either $q_i < \log^c(p)$ or $q_i > p^{1/c}$.

5 Discussion

It would be interesting to find a polynomial time pseudo-deterministic algorithm for Primitive-Root-Given-Factorization for general primes. The slowest step in Las Vegas algorithms for Primitive-Root is factoring $p-1$. It would be interesting to find an algorithm which can verify an element is a primitive root without using the factorization of $p-1$.

Acknowledgments

I would like to thank Shafi Goldwasser for introducing me to the primitive root problem, for helpful discussions, and for advice and encouragement on the paper. I would also like to thank Andrew Sutherland for helpful discussions.

References

[1] Eric Bach. How to generate factored random numbers. SIAM Journal on Computing, 17(2):179–193, 1988.

[2] D. A. Burgess. On character sums and primitive roots. Proceedings of the London Mathematical Society, 3(1):179–192, 1962.

[3] E. Rodney Canfield, Paul Erdös, and Carl Pomerance. On a problem of Oppenheim concerning "factorisatio numerorum". Journal of Number Theory, 17(1):1–28, 1983.

[4] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.

[5] Eran Gat and Shafi Goldwasser. Probabilistic search algorithms with unique answers and their cryptographic applications. In Electronic Colloquium on Computational Complexity (ECCC), volume 18, page 136, 2011.

[6] Hendrik W. Lenstra and Carl Pomerance. A rigorous time bound for factoring integers. Journal of the American Mathematical Society, 5(3):483–516, 1992.

[7] Victor Shoup. Searching for primitive roots in finite fields. Mathematics of Computation, 58(197):369–380, 1992.

[8] Victor Shoup. A computational introduction to number theory and algebra. Cambridge University Press, 2009.