PRIMES is in P. Manindra Agrawal. NUS Singapore / IIT Kanpur

Similar documents
Lecture Prelude: Agarwal-Biswas Probabilistic Testing

PRIMES is in P. Manindra Agrawal Neeraj Kayal Nitin Saxena

Applied Cryptography and Computer Security CSE 664 Spring 2018

Advanced Algorithms and Complexity Course Project Report

Factorization & Primality Testing

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Postmodern Primality Proving

Great Theoretical Ideas in Computer Science

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

1. Algebra 1.7. Prime numbers

Primality testing: variations on a theme of Lucas. Carl Pomerance, Dartmouth College Hanover, New Hampshire, USA

Primality testing: then and now

PROVING PRIMALITY AFTER AGRAWAL-KAYAL-SAXENA

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Primality Testing- Is Randomization worth Practicing?

CSC 373: Algorithm Design and Analysis Lecture 30

Chapter 7 Randomization Algorithm Theory WS 2017/18 Fabian Kuhn

Primality testing: then and now

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

THE SOLOVAY STRASSEN TEST

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

arxiv:math/ v1 [math.nt] 16 Jan 2003

conp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

CPSC 467b: Cryptography and Computer Security

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Uncertainty can be Better than Certainty:

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Lucas Lehmer primality test - Wikipedia, the free encyclopedia

Automorphisms of Finite Rings and Applications to Complexity of Problems

Improving the Accuracy of Primality Tests by Enhancing the Miller-Rabin Theorem

Industrial Strength Factorization. Lawren Smithline Cornell University

LARGE PRIME NUMBERS (32, 42; 4) (32, 24; 2) (32, 20; 1) ( 105, 20; 0).

Lecture 6: Deterministic Primality Testing

Lecture 31: Miller Rabin Test. Miller Rabin Test

CSE 521: Design and Analysis of Algorithms I

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Section IV.23. Factorizations of Polynomials over a Field

Lecture # 12. Agenda: I. Vector Program Relaxation for Max Cut problem. Consider the vectors are in a sphere. Lecturer: Prof.

CPSC 467b: Cryptography and Computer Security

About complexity. We define the class informally P in the following way:

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

NOTES ON SOME NEW KINDS OF PSEUDOPRIMES

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Primes and Factorization

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Algebra Review 2. 1 Fields. A field is an extension of the concept of a group.

Homework 8 Solutions to Selected Problems

The running time of Euclid s algorithm

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

MASTERARBEIT / MASTER S THESIS

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch

arxiv: v1 [math.nt] 24 Jan 2008

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Chapter 4. Remember: F will always stand for a field.

Primality Proofs. Geoffrey Exoo Department of Mathematics and Computer Science Indiana State University Terre Haute, IN

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture 19: Finish NP-Completeness, conp and Friends

-bit integers are all in ThC. Th The following problems are complete for PSPACE NPSPACE ATIME QSAT, GEOGRAPHY, SUCCINCT REACH.

arxiv: v3 [math.nt] 26 Apr 2011

10 Concrete candidates for public key crypto

Classification of Finite Fields

Basic elements of number theory

Basic elements of number theory

C.T.Chong National University of Singapore

Groups, Rings, and Finite Fields. Andreas Klappenecker. September 12, 2002

On Solving Univariate Polynomial Equations over Finite Fields and Some Related Problems

Chapter 5 : Randomized computation

The Impossibility of Certain Types of Carmichael Numbers

LARGE PRIME NUMBERS. In sum, Fermat pseudoprimes are reasonable candidates to be prime.

PROBLEMS ON CONGRUENCES AND DIVISIBILITY

EFFICIENTLY CERTIFYING NON-INTEGER POWERS

WXML Final Report: AKS Primality Test

Explicit Methods in Algebraic Number Theory

Theoretical Cryptography, Lecture 13

Primality Testing and Sub-Exponential Factorization. David Emerson Advisor: Howard Straubing Boston College Computer Science Senior Thesis

Correctness, Security and Efficiency of RSA

Analyzing and Optimizing the Combined Primality test with GCD Operation on Smart Mobile Devices

Euler s ϕ function. Carl Pomerance Dartmouth College

Primality Test Via Quantum Factorization. Abstract

Homework 7 solutions M328K by Mark Lindberg/Marie-Amelie Lawn

D. J. Bernstein University of Illinois at Chicago

God may not play dice with the universe, but something strange is going on with the prime numbers.

Primes of the Form n! ± 1 and p ± 1

CRC Press has granted the following specific permissions for the electronic version of this book:

Introduction to Number Theory. The study of the integers

A Few Primality Testing Algorithms

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

ALG 4.0 Number Theory Algorithms:

IRREDUCIBILITY TESTS IN F p [T ]

Basic Algorithms in Number Theory

About complexity. Number theoretical algorithms

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

The knapsack Problem

Irreducible radical extensions and Euler-function chains

Primality testing: variations on a theme of Lucas

Transcription:

PRIMES is in P Manindra Agrawal NUS Singapore / IIT Kanpur

The Problem Given number n, test if it is prime efficiently. Efficiently = in time a polynomial in number of digits = (log n) c for some constant c

The Trial Division Method Try dividing by all numbers up to n 1/2. takes exponential time: (n 1/2 ). Also produces a factor of n when it is composite.

A Possible Approach Find a characterization of prime numbers that is efficiently verifiable Many characterizations of primes have been obtained over centuries. But none were provably efficient until recently.

Wilson s Characterization (18 th century) n is prime iff (n-1)! = -1 (mod n) Requires O(n) operations

Fermat s Little Theorem (17 th century) n is prime implies for any a: a n = a (mod n). It is easy to check: Compute a 2, square it to a 4, square it to a 8, Needs only O(log n) multiplications.

An Efficient but Wrong Characterization n is prime iff for 0 < a < 4 log 2 n: a n = a (mod n) Requires only O(log 3 n) multiplications and divisions. Fails on Carmichael numbers, e.g., 561 = 3 * 11 * 17.

Lucas Characterization (1891) n is prime iff for every prime divisor q of n-1: there is an 1 < a < n such that a n-1 = 1 (mod n) and gcd(a (n-1)/q 1, n) = 1 Based on FLT It is inefficient: requires factorization of n-1

An NP conp Algorithm A trivial algorithm shows that the set is in conp: given a factor of n it is easy to verify that n is composite. [Pratt, 1974] Lucas characterization yields an NP algorithm: guess a prime factorization of n-1; recursively verify its correctness; and guess an a with required properties.

Miller s (unproven) Characterization (1975) n = 1 + 2 t * s is odd prime iff for 0 < a < 4 log 2 n: either a s = 1 (mod n) or a 2k *s = -1 (mod n) for some 0 k < t

Yields an Efficient Algorithm Based on FLT Yields an efficient algorithm: O(log 4 n) steps It is correct assuming Generalized Riemann Hypothesis

corp Algorithms [1974] Solovay-Strassen gave the first unconditional but randomized polynomial time algorithm. This algorithm might give a wrong answer with a small probability when n is composite. [1975] Rabin modified Miller s characterization to obtain another algorithm with similar properties.

An Almost Efficient Characterization [1983] Adleman, Pomerance, and Rumely gave a (rather complicated) characterization that yields a deterministic algorithm running in time (log n) c log log log n.

An Efficient Chracterization [2002] A., Kayal, Saxena gave the first deterministically verifiable efficient characterization.

Starting Point: A Polynomial based Characterization n is prime iff (X + 1) n = X n + 1 (mod n) Proof: ( X 1) n X n 1 n 1 j 1 n X j j If n is prime then all coefficients are divisible by n. If n is composite then at least one is not.

A generalization of FLT to polynomials. Simple and elegant. Inefficient: although requires only O(log n) polynomial multiplications, intermediate polynomials are of large degree.

A Way to Reduce Space Test the equation modulo X r - 1 for a small r. Or, more generally, test if (X + a) n = X n + a (mod n, X r - 1) For a few a s and a few small r s.

It Almost Works n is prime iff for any r such that O r (n) > 4 log 2 n: n has no divisor smaller than min(n,r) and for every a, 1 a 2 r log n: (X + a) n = X n + a (mod n, X r 1) O r (n) = smallest k with n k = 1 (mod r).

The Algorithm Input n. 1. Find the smallest number r such that O r (n) > 4 (log n) 2. 2. If any number < r divides n, output PRIME/COMPOSITE appropriately. 3. For every a 2 r log n: If (X+a) n X n + a (mod n, X r 1) then output COMPOSITE. 4. Output PRIME.

Correctness: Non-trivial Assume: Part r is given such that O r (n) > 4(log n) 2. Smallest prime dividing n is at least min(n,r). (X+a) n = X n + a (mod n, X r -1) for 0 < a 2 r log n.

Fix a prime p dividing n with p r and O r (p) > 1. Clearly, (X+a) n = X n + a (mod p, X r -1) too for 0 < a 2 r log n. And of course, (X+a) p = X p + a (mod p, X r -1) (according to previous prime characterization)

Introspective Numbers We call any number m such that g(x) m = g(x m ) (mod p, X r -1) an introspective number for g(x). So, p and n are introspective numbers for X+a for 0 < a 2 r log n.

Introspective Numbers Are Closed Under * Lemma: If s and t are introspective for g(x), so is s * t. Proof: g(x) st = g(x s ) t (mod p, X r 1), and g(x s ) t = g(x st ) (mod p, X sr 1) = g(x st ) (mod p, X r 1).

So There Are Lots of Them Let I = { n i * p j i, j 0}. Every m in I is introspective for X+a for 0 < a 2 r log n.

Introspective Numbers Are Also For Products Lemma: If m is introspective for both g(x) and h(x), then it is also for g(x) * h(x). Proof: (g(x) * h(x)) m = g(x) m * h(x) m = g(x m ) * h(x m ) (mod p, X r -1)

So Introspective Numbers Are For Lots of Polynomials Let Q = { a=1, 2 r logn (X + a) e a e a 0}. Every m in I is introspective for every g(x) in Q.

Finite Fields Facts Let h(x) be an irreducible divisor of r th cyclotomic polynomial C r (X) in the ring F p [X]: C r (X) divides X r -1. Polynomials modulo p and h(x) form a field, say F. X i X j in F for 0 i j < r.

Moving to Field F Since h(x) divides X r -1, equations for introspective numbers continue to hold in F. We now argue over F.

Two Sets in Field F Let G = { X m m I }. Every element of G is an rth root of unity. t = G O r (n) > 4 log 2 n. Let H = { g(x) (mod p, h(x)) g(x) Q }. H is a multiplicative group in F.

H is large Let Q t be set of all polynomials in Q of degree < t. Lemma: There are > n 2 t distinct polynomials in Q t : Consider all products of X+a s of degee < t. t 2 r log n 1 t log n There are > > n 2 t 2 r log n 1 of these 2 t log n (since r > t and t > 2 log n). 4

because Q t injects into F Let f(x), g(x) in Q t with f(x) g(x). Suppose f(x) = g(x) in F. Then: For every X m in G, f(x m ) = f(x) m = g(x) m = g(x m ) in F. So polynomial P(z) = f(z) g(z) has G = t roots in F. Contradiction, since P(z) 0 and degree of P(z) is < t.

implies that I has few small numbers Let m 1, m 2,, m k be numbers in I n 2 t. Suppose k > t. Then, there exist m i and m j, m i > m j, such that X m i = X m j (in F) I: set of introspective numbers F = F p [X]/(h(X)), h(x) X r -1 Q: set of introspective polynomials G = X I H = Q (mod h(x))

Let g(x) be any element of H. Then: g(x) m i = g(x m i ) = g(x m j ) = g(x) m j (in F) Therefore, g(x) is a root of the polynomial P(z) = z m i z m j in the field F. I: set of introspective numbers F = F p [X]/(h(X)), h(x) X r -1 Q: set of introspective polynomials G = X I H = Q (mod h(x))

Since H has more than n 2 t elements in F, P(Y) has more than n 2 t roots in F. Contradiction, since P(z) 0 and degree of P(z) = m i n 2 t. I: set of introspective numbers F = F p [X]/(h(X)), h(x) X r -1 Q: set of introspective polynomials G = X I H = Q (mod h(x))

so n must be a prime power! Consider numbers n a * p b with 0 a, b t. Each such number is n 2 t ( small ). So there are t ( few ) such numbers. This gives a, b, c, d with (a,b) (c,d) and n a * p b = n c * p d Therefore, n = p e for some e > 0. t = O r (n,p) I: set of introspective numbers p [X]/(h(X)), h(x) r -1 F = F p [X]/(h(X)), h(x) X r -1 I: set of introspective numbers Q: set of introspective polynomials Q low : polynomials of deg < t G = X I H = Q (mod h(x))

This forces n to be prime Lemma [Hendrik Lenstra Jr.,1983]: If a n = a (mod n) for 1 a 4 log 2 n then n is squarefree. Since (X+a) n = X n + a (mod n, X r -1) for 0 < a 2 r log n, we have a n = a (mod n) for 0 < a 4 log 2 n, (as r > 4 log 2 n). So n must be square-free.

The Choice of r We need r such that O r (n) > 4 (log n) 2. Any r such that O r (n) 4 (log n) 2 must divide k=1, 4 log 2 n (nk -1) < n 16 log 4n = 2 16 log 5n. By Chebyshev s prime density estimates the lcm of first m numbers is at least 2 m (for m > 7). Therefore, there must exist an r that we desire 16 (log n) 5 + 1.

Time Complexity Step 3 dominates running time. It needs to verify O( r log n) equations. Each equation needs O ~ (r log 2 n) time to verify. So time complexity is O ~ (r 1.5 log 3 n) = O ~ (log 10.5 n).

Using a result of Fouvry, one can show that r = O(log 3 n) is enough. The result shows that primes r such that r-1 has a large prime divisor have high density. This brings time complexity down to O ~ (log 7.5 n).

A Cleaner Characterization The characterization is a bit messy. Three different conditions need to hold: r needs to be such that O r (n) > 4 (log n) 2 No prime divisor of n is smaller than min(n,r) For every a, 1 a r log n: (X + a) n = X n + a (mod n, X r 1) Can these be combined into a single equation?

Yes! Use the equation (X + 1) n = X n + 1 (mod n, Q(X)) for appropriate small dgree Q(X).

Eliminating Condition on r Try for all r 16 log 5 n!

Eliminating Small Divisors Lemma: If (X + 1) n = X n + 1 (mod n, X r ) then n has no divisor less then min(n,r). Proof: If prime p < min(n,r) divides n, then (X + 1) n = 1 + n/p X p + (mod n, X r ) 1 (mod n, X r ).

Eliminating Multiple Equations Lemma: (X + 1) n = X n + 1 (mod n, Q(X-a)) for 0 < a B iff (X + a) n = X n + a (mod n, Q(X)) for 1 < a B+1. Proof: Assume for B-1. Then: (X + 1) n = X n + 1 (mod n, Q(X-B)) iff (X+B+1) n = (X+B) n + 1 (mod n, Q(X)) iff (X+B+1) n = X n + B + 1 (mod n, Q(X))

Putting These Together n is prime iff (X + 1) n = X n + 1 (mod n, Q(X)) where Q( X) X 16log r 1 n 2 r logn a 1 Degree of Q(X) is O(log 27/2 n). 5 n * 16log 5 (( X a) r 1)

Further work [Lenstra-Pomerance,2003]: r = O(log 2 n) is enough with a different polynomial of degree r than X r -1. This improves time complexity to O ~ (log 6 n). [Berrizbeitia-Bernstein,2003]: Randomized primality proving algorithm with time complexity O ~ (log 4 n).

Further Improvement? Conjecture: n is prime iff n is not a prime power, n 1 (mod r) for some prime r > log n, and (X-1) n = X n 1 (mod n, X r 1) Yields a O ~ (log 3 n) time algorithm.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback