Lecture Prelude: Agarwal-Biswas Probabilistic Testing

Similar documents
PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Homework 8 Solutions to Selected Problems

Section IV.23. Factorizations of Polynomials over a Field

Lecture Examples of problems which have randomized algorithms

conp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.

IRREDUCIBILITY TESTS IN F p [T ]

MATH 431 PART 2: POLYNOMIAL RINGS AND FACTORIZATION

Lecture 31: Miller Rabin Test. Miller Rabin Test

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

1. Algebra 1.7. Prime numbers

Algebra Review 2. 1 Fields. A field is an extension of the concept of a group.

Lecture Notes Math 371: Algebra (Fall 2006) by Nathanael Leedom Ackerman

MATH 115, SUMMER 2012 LECTURE 12

Lecture 6: Deterministic Primality Testing

Chapter 14: Divisibility and factorization

Advanced Algorithms and Complexity Course Project Report

CHAPTER 10: POLYNOMIALS (DRAFT)

Postmodern Primality Proving

Mathematical Olympiad Training Polynomials

6.S897 Algebra and Computation February 27, Lecture 6

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

CSC 373: Algorithm Design and Analysis Lecture 30

g(x) = 1 1 x = 1 + x + x2 + x 3 + is not a polynomial, since it doesn t have finite degree. g(x) is an example of a power series.

Example: This theorem is the easiest way to test an ideal (or an element) is prime. Z[x] (x)

Lecture 11 - Basic Number Theory.

12x + 18y = 30? ax + by = m

1: Please compute the Jacobi symbol ( 99

Factorization & Primality Testing

TOTALLY RAMIFIED PRIMES AND EISENSTEIN POLYNOMIALS. 1. Introduction

The knapsack Problem

Randomized Complexity Classes; RP

Applied Cryptography and Computer Security CSE 664 Spring 2018

TOTALLY RAMIFIED PRIMES AND EISENSTEIN POLYNOMIALS. 1. Introduction

Lecture 7.4: Divisibility and factorization

Math 120 HW 9 Solutions

LECTURE 10, MONDAY MARCH 15, 2004

IRREDUCIBLES AND PRIMES IN COMPUTABLE INTEGRAL DOMAINS

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Great Theoretical Ideas in Computer Science

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

φ(xy) = (xy) n = x n y n = φ(x)φ(y)

Homework 9 Solutions to Selected Problems

Polynomial Rings. (Last Updated: December 8, 2017)

Polynomials. Chapter 4

Theoretical Cryptography, Lecture 13

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

CHAPTER I. Rings. Definition A ring R is a set with two binary operations, addition + and

Math 547, Exam 2 Information.

MASTERS EXAMINATION IN MATHEMATICS

6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch

Finite Fields. [Parts from Chapter 16. Also applications of FTGT]

Lecture 11: Cantor-Zassenhaus Algorithm

Algebra Exam Fall Alexander J. Wertheim Last Updated: October 26, Groups Problem Problem Problem 3...

Chapter 4. Remember: F will always stand for a field.

MTH310 EXAM 2 REVIEW

(January 14, 2009) q n 1 q d 1. D = q n = q + d

MATH 361: NUMBER THEORY TENTH LECTURE

THE SOLOVAY STRASSEN TEST

Groups, Rings, and Finite Fields. Andreas Klappenecker. September 12, 2002

Lecture 6: Finite Fields

CYCLICITY OF (Z/(p))

Lecture 22: Derandomization Implies Circuit Lower Bounds

Rigid Divisibility Sequences Generated by Polynomial Iteration

CHAPTER 14. Ideals and Factor Rings

PRIME NUMBERS YANKI LEKILI

Lecture Notes. Advanced Discrete Structures COT S

1 Randomized Computation

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

Polynomial Rings. i=0

Primality testing: then and now

Pr[X = s Y = t] = Pr[X = s] Pr[Y = t]

The Berlekamp algorithm

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

RINGS: SUMMARY OF MATERIAL

PRIMES is in P. Manindra Agrawal Neeraj Kayal Nitin Saxena

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

Algebraic function fields

Name: MAT 444 Test 4 Instructor: Helene Barcelo April 19, 2004

LECTURE NOTES IN CRYPTOGRAPHY

Randomness and non-uniformity

Gauss s Theorem. Theorem: Suppose R is a U.F.D.. Then R[x] is a U.F.D. To show this we need to constuct some discrete valuations of R.

SPECIAL POINTS AND LINES OF ALGEBRAIC SURFACES

IV.3. Zeros of an Analytic Function

Explicit Methods in Algebraic Number Theory

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

FACTORING AFTER DEDEKIND

On Additive Polynomials

An irreducibility criterion for integer polynomials

COURSE SUMMARY FOR MATH 504, FALL QUARTER : MODERN ALGEBRA

A connection between number theory and linear algebra

Selected Math 553 Homework Solutions

arxiv:math/ v1 [math.nt] 16 Jan 2003

Polynomials over UFD s

Lecture 7: Fingerprinting. David Woodruff Carnegie Mellon University

On Computably Enumerable Sets over Function Fields

Factorization of integer-valued polynomials with square-free denominator

8. Limit Laws. lim(f g)(x) = lim f(x) lim g(x), (x) = lim x a f(x) g lim x a g(x)

Transcription:

6.S897 Algebra and Computation March 19, 2012 Lecture 12 Lecturer: Madhu Sudan Scribe: Zeyuan Allen Zhu 1 Today s Problem: Primality Testing Given an n-bit integer N, output YES if n is prime and NO otherwise. This is one of the most basic questions about numbers, with the following history. By definition Prime conp, because the prime decomposition is a short certificate for a number that is not prime. [Pratt 75] showed that Prime NP. The Pratt certificate of a number N being prime, is by looking at all prime factor q of N 1 (which will be proved recursively), and giving some a such that a (N 1)/q 1 (mod N) for all such q s. This proof is of length polylogn. The subsequent discoveries by [Solovay-Strassen 70s] [Miller-Rabin 70s] put Prime in corp. This algorithm uses the fact that if there exists some a, k such that a 2k 1 (mod n) but a k ±1 (mod n) then N is composite. Moreover, the probabilistic algorithm picks a at random, and with > 1/2 probability there will be some k satisfying such compositeness criterion if N is composite. [Goldwassar-Killian 86] [Adleman-Huang 87] used algebraic (elliptic curve) techniques and proved that Prime RP. In 2002, Agarwal, Kayal, and Saxena finally put Prime in P, and this will be the main topic of today. 2 Prelude: Agarwal-Biswas Probabilistic Testing Lemma 1 For all a such that (a, N) 1, N is a prime = (x + a) N x N + a (mod N) = N is a prime power. careful calculation one can verify that ( N B The first = is easy. For the) second one, if N = B C and (B, C) = 1, then after some C 0 (mod N). This means, the coefficient for the x B term does not equal to zero in the expansion of (x + a) N = N i=0 xi a N i( N i ). The lemma reduces our number theoretical question to an algebraic question of checking whether (x + a) N x N + a (mod N). However, we cannot write down this big expansion explicitly, because we want an algorithm that runs in time O(poly(n)) = O(polylogN). [Agarwal-Biswas 99] then proposed the following test: pick a monic polynomial Q Z N [x] of degree polylogn at random; then verify if (x + a) N x N + a (mod Q). This is an efficient algorithm because the degree of Q is small and we can use power method to compute (x + a) N mod Q in polylogn time. The correctness can be verified using the following two properties: 12-1

1 With probability at least deg Q, Q is irreducible over mod N. This is because letting d = deg Q, x qd x = (all irred. polys. of degree dividing d), and thus counting the degree on both sides we have at least qd d irreducible polynomials of degree dividing d, and since there are a total of q d choices for monic polynomials of Q over F p, at least with probability 1 d we will get a polynomial Q that is irreducible over F p, and then of course Q is also irreducible module N. Conditioning on Q being irreducible, the probability that (x + a) N x N + a (mod Q) if N is composite is very very small due to the Chinese Reminder Theorem. This is because, if (x+a) N x N +a (mod Q) holds for many polynomials Q 1, Q 2,..., Q t s, then the congruence also holds module lcm(q 1, Q 2,..., Q t ) due to Chinese Reminder Theorem, but when deg(lcm(q 1, Q 2,..., Q t )) exceeds N we will have (x + a) N x N + a (mod N) as well because the degree on both sides are only N, contradicting the fact that N is composite. 3 Derandomization: Agarwal-Kayal-Saxena Primality Testing [Agarwal-Kayal-Saxena 02] considered the nice form Q(x) = x r 1 for some nice prime r = Θ(polylogN), and their primality testing is as follows: Pick some prime r = Θ(polylogN). Pick A = {1, 2,..., polylogn}. Verify if N = m t for integer t, and output NO if this happens. (By enumerating all possible choices of t and computing m using binary search for each t.) Verify if a A divides N, and output NO if this happens. Verify if for all a A, we have (x + a) N x N + a (mod N, x r 1). Output YES if this is true, and NO if there exists some a A that fails the test. (The proof of AKS (to be shown below) is quite a novel one. Prof. Madhu Sudan claims no such proof was seen before in either the CS or number theory literature.) Notice that R := Z[x]/(N, x r 1) is not a field, because it is module N which is not a prime, and module x r 1 which might not be irreducible. In fact, if we define p to be any prime divisor of N, we can let L := Z[x]/(p, x r 1), while identities in R imply these in L. We can go another step further, by letting h(x) to be any irreducible factor of xr 1 x 1 in F p[x], and define K := Z[x]/(p, h(x)). Now, K is finally a field, and although R is the ring we are performing the primality testing, K is where we are going to work on the proof. Notice that identities in R also hold in K. overview: The main idea of the proof is to find a large collection of polynomials F Z[x] that, when viewed as elements of L satisfy several semi -nice near -algebraic conditions (called introversion below), assuming N passes the AKS test. The key idea in AKS is to convert this semi -nice near - algebraic conditions into a pure algebraic one, i.e., in the form of a non-zero polynomial P K[z] such that every element of F, when viewed as an element of K, is a zero of P. This conversion is neat in that P has low-degree if (and potentially only if) N is not a prime power. This leads to a contradiction because P now has many distinct zeroes (namely appropriately chosen elements of F) while its degree is small! (Note that if N had been a prime, the degree of P would have been much larger and so the presence of so many zeroes would be perfectly OK.) Definition 2 (Introversion) We say that f(x) L is introverted for m if f(x m ) f(x) m in L. 12-2

Proposition 3 1. For any a A, f(x) = x + a is introverted for m = N (if N passes the test); 2. for all f(x) L, f is introverted for m = p; 3. if f(x), g(x) L are both introverted for m, then f(x) g(x) is introverted for m; and 4. if f(x) L is introverted for both a and b, then f(x) is also introverted for a b. The first three propositions are trivial, so we only prove the last one. Starting from: we have: Now, since z r 1 z br 1, we also have: f(x) a f(x a ) (mod x r 1), f(z b ) a f(z ba ) (mod z br 1). f(z b ) a f(z ba ) (mod z r 1), and this is one place (and we will see another place shortly) that we have specific reason to use polynomials of the form x r 1; in general, it may not be the case that h(z) h(z b ). We have not used any property of r yet. At last, we have: f(z) ba = f(z b ) a f(z ba ) (mod z r 1). Proposition 4 If f(x) L is introverted for m 1 and m 2 while m 1 = m 2 (mod r), then f(x) m1 = f(x) m2. f(x) m1 = f(x m1 ) = f(x m2 ) = f(x) m2 and the second equality is because m 1 m 2 (mod r) and we are in the ring module x r 1. 3.1 High Level Ideas for the Analysis Now using above propositions, we want to find a large set F of polynomials, even when viewed module h(x), and two small integers m 1 and m 2 satisfying m 1 = m 2 (mod r), such that for any f(x) F, f is introverted for both m 1 and m 2. If we found such m 1, m 2, then all f F are roots to polynomial P(z) := z m1 z m2, and although f L and L is not a field, but it is contained in K which is a field, so P(z) K[z]. Now notice that F is a large set of zeros of P(z), so if we had F > max{m 1, m 2 } we would have a contradiction. 3.2 Details A very natural set F to consider is, for some fixed t, let { F t := (x + a) da a A a A } d a t. 12-3

Then, F t = ( ) t+ A A. If we choose t = A we always have Ft 2 t being a large set. Notice that we still need to make sure that all polynomials in F t are distinct module h(x), but we will worry about this later. Now, how to make m 1 and m 2 small? Recall from Proposition 3 that all polynomials in F t are introverted for all numbers in {N i P j 0 i r, 0 j r}. In fact, since this set has more than r elements we can find two distinct m 1, m 2 N 2 r such that all polynomials in F t are introverted for m 1 and m 2 and m 1 m 2 (mod r). 1 At last, we use the following powerful lemma Lemma 5 (Fourry 80s) prime r = O(polylogN) s.t. for sufficiently large p, deg h(x) > r 2/3. Using the above lemma, if we pick t = deg h 1 for F t, then F t 2 r2/3 and it contains only distinct polynomials module h(x). Recall that m 1, m 2 2 r log N, so this is sufficient to give the contradiction and is indeed the original proof. We emphasize here that one needs to check all small r s because the Fourry lemma does not give an explicit construction for such prime r. 3.3 Improved Analysis We will now potentially choose t > deg h, but still try to argue that elements in F t are distinct module h(x). Let us define T = { N i p j (mod r) i, j Z 0 }, and define l = T r. We know that all polynomials in F are introverted for any m T. Now, let us consider a specific one F l 1, and will show that elements of F l 1 are all distinct module h(x) (which will be proved in Lemma 6). m 1, m 2 N 2 l (using similar proof as before), such that m 1 m 2 (mod r) and all polynomials in F l 1 are introverted for m 1 and m 2. Now if we let A = l 1, we can lower bound F l 1 = ( ) l 1+ A A 2 l 1, and we will have a similar contradiction as before if 2 l 1 > N 2 l. This latter inequality will always be true when l = T = Ω(log 2 N), to be shown in Lemma 7. 3.4 Two Technical Lemmas Lemma 6 Suppose f g and f, g F l 1 are introverted with respect to m 1,..., m l (all distinct mod r). Then f g (mod h(x)). We can view f(z), g(z) F p [z] as f(z), g(z) K[z] because F p K. If f(x) g(x) (mod h(x)), then x K is a root of f(z) g(z) which is a non-zero polynomial with degree no more than l 1. Now using introversion, we also have f(x m ) = f(x) m = g(x) m = g(x m ) for each m T so there are at least l roots to f(z) g(z), so there must be true that x mi x mj (mod h(x)) for some distinct m i, m j T. In such a case, we have both x mi mj 1 0 (mod h(x)) x r 1 0 (mod h(x)) (This is another reason for our choice of polynomials like x r 1). We therefore have that x gcd(mi mj,r) 1 0 (mod h(x)), giving x 1 0 (mod h(x)) but this is against our choice of h(x). 1 Notice that if we just look at all N i we can get N r naively, but using p we can benefit. 12-4

Lemma 7 There exists prime r O(k 2 log N) such that {N i (mod r) i} k. Notice that by choosing choosing k = log 2 N we have l = T {N i (mod r) i} log 2 N. [not provided in class but can be found in prenotes] Suppose this is not true for some prime r, that is {N i (mod r) i} < k, then r must divide the difference between N i and N j for some 0 i, j k 2, and therefore: r k 2 M := (N i 1), and M N k2. However, if this is true for all prime r that is below m, then we have p i M N k2. i=1 p i m, p i is prime But this contradicts with Corollary 9 below, when m = Ω(k 2 log N). Theorem 8 (Weak Prime Number Theorem) { prime number 2m + 1 } m log 4 (2m + 1). Ommited, but it uses the fact that lcm(1, 2,..., 2m + 1) 4 m. See the prenotes. Corollary 9 There exists some constant c > 1 such that p i > c m. p i m, p i is prime 12-5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback