A Prime Example CS Lecture 20

A positive integer p  2 is prime if the only positive integers that divide p are 1 and p itself. Positive integers n  2 which are not prime are called composite.

The prime factorization of a positive integer n is an expression of n as a product of primes n = p 1 p 2 p 3 …p k Theorem: (Fundamental Theorem of Arithmetic) Every positive integer n  2 has a unique prime factorization (up to order of the prime factors). Proof. Existence: Suppose m is the smallest positive integer  2 with no prime factorization. m is prime  m itself is a prime factorization m is composite  m = m 1 m 2 for 1  m 1  m and 1  m 2  m m 1 and m 2 have prime factorizations so m 1 m 2 yields a prime factorization for m 

Uniqueness: Suppose m is the smallest positive integer  2 with two different prime factorizations. m = p 1 p 2 …p i m = p 1 ’p 2 ’…p k ’ p 1 | p 1 ’p 2 ’…p k ’ p 1 | p j ’ for some 1  j  k p 1 = p j ’ (since both are prime) Remove p 1 from p 1 p 2 …p i and p j ’ from p 1 ’p 2 ’…p k ’ to get m’ with two different prime factorizations: m’ = p 2 …p i = p 1 ’p 2 ’…p j-1 ’p j+1 ’…p k ’ But m’  m, so m’ must have a unique prime factorization. 

Three Classic Problems 1. Density How many primes are in {1…n}? 3. Testing Given a positive integer n, is n prime? 2. Generation List all the primes in {1…n}. These problems go back to the ancient Greeks!

4. Random choice Pick a random prime number in {1...n}. …And a Modern Problem This problem arises in cryptographic algorithms (such as RSA) that need large prime numbers to make cryptographic keys. We’ll learn more about these algorithms in a future lecture.

Let  (n)  the number of primes in {1…n}  (10) = 4(2,3,5,7)  (20) = 8(2,3,5,7,11,13,17,19) 1. Density of Primes

Theorem (Euclid): The set of prime numbers is infinite. Proof: Suppose the primes are the finite set {p 1, p 2, …, p k } Let m = p 1 p 2 … p k + 1 m is not divisible by any prime p i, so m must be a multiple of a prime that is not in the “set of all primes”.  Thanks to Euclid, we know  (n)  as n . But how thickly distributed are the primes? That is, if we pick a random number in {1…n}, what’s the probability of getting a prime? We’ll see a better characterization of  (n) shortly.

2. Generating Primes Give an algorithm that lists all the primes in {1...n}. For each prime p, the Sieve eliminates all multiples of p. No prime will ever be eliminated, and every composite (which must have a prime factor smaller than itself) is guaranteed to be eliminated before the outer loop reaches it. Running time: O(  (n)n (logn) 2 + n) if multiplication is O((logn) 2 ) set prime [2..n] = 1 for p = 2 to n do if prime [p] = 1 then print “p is prime” for m = 2 to n/p do prime [mp] = 0 Sieve of Eratosthenes

3. Testing Primality Give an algorithm for deciding whether a number n is prime. A) Trial division for k = 2 to n do if k | n then return “n is not prime” otherwise return “n is prime” O(n (logn) 2 ) time if division is O((logn) 2 ) B) Sieve method Run the Sieve of Eratosthenes on {1...n} O(  (n)n (logn) 2 + n) time

C) Trial division up to  n for k = 2 to  n do if k |n then return “n is not prime” otherwise return “n is prime” O(  n (logn) 2 ) time if division is O((logn) 2 ) Claim: if n is composite, then n has a prime factor p   n. Proof: By contradiction. Suppose some composite n has a prime factorization n = p 1 p 2 … p k where all p i   n. But then n = p 1 p 2 … p k  (  n ) k which is a contradiction unless k  2, that is, unless n is prime. 

The trial division algorithm can be easily adapted to find at least one factor of n: for k = 2 to  n do if k |n then return “k is a factor of n” otherwise return “n is prime” This algorithm runs in O(  n (logn) 2 ) time, which is O(n) (in fact, sublinear). So why do we think factoring is so hard? Why are banks and governments willing to trust their secrets to a number that can be factored in O(n) time?

Trial division is exponential as a function of the length of its input! The input number n can be represented by k=O(logn) bits. As a function of k, the trial division algorithm runs in O(n) = 2 O(k) time

4. Random Primes Give an algorithm to pick a random prime number in {1..n}. Brute force algorithm Generate all the primes in {1…n} Pick one at random

Randomized algorithm Pick a random number m  {1…n} Test if m is prime If m is prime, return it Otherwise try again What is the expected number of tries before finding a prime? Let p = probability of picking a prime on one try p =  (n)/n Expected number of tries to get a prime is 1/p = n/  (n)

The randomized algorithm motivates us to look for better solutions to the classic problems in prime numbers. Density of primes We need some assurance that primes are numerous enough that the expected number of tries n/  (n) is about O(logn). Testing primality The O(n) trial division algorithm is intractably slow. We need something more like O(logn). Solving these two problems will consume the rest of the lecture.

Prime Density Theorem In other words, as n ,  (n)  n / lnn. This deep and famous result was conjectured by Euler around 1750, but not proved until 150 years later, by Hadamard. The proof is hard. Density of Primes (revisited)

Corollary: The density of primes  (n)/n  1/lnn as n . Example: How many primes are in {1 … }?  (10 10 )  / ln  434,000,000 Example: What is the probability that a random 100-digit number is prime?  ( )/  1 / ln  1 in 230

If this statement is true, we can put a lower bound on the probability that a randomly chosen number in {1..n} is prime:  (n)/n =  (1/logn) So picking randomly from {1…n}, we need only expected O(logn) tries to find a prime number. For our purposes, we don’t need to prove the Prime Density Theorem. All we need is the weaker statement:  (n) =  (n /logn)

Theorem:  (n) =  (n /logn) Proof: For a prime p and a positive integer n, define the multiplicity of p in n as the number of times p occurs in the prime factorization of n. 500 = 5  5  5  2  2 multiplicity of 5 in 500 = 3 multiplicity of 2 in 500 = 2 multiplicity of 11 in 500 = 0

Claim: for any prime p and positive integer n, the multiplicity of p in n ! is Look at n ! = 1  2  3  n This product contains  n/p  multiples of p  n/p 2  multiples of p 2  n/p i  multiples of p i So the formula above counts the multiples of p, p 2,… such that a multiple of p i (but not p i+1 ) is counted exactly i times. Since only multiples of p can contribute p factors, the formula counts the number of times p appears in the prime factorization of n !

Let r (p) be the natural number such that p r (p)  2n  p r (p)+1 Claim: for any prime p and positive integer n, the multiplicity of p in is at most r (p). since p r (p)+1  2n Lemma: a -  a   1 2a - 2  a   2  2a  - 2  a   2  2a  - 2  a   1 by lemma at left Each factor p in the denominator cancels out a factor p in the numerator. So the multiplicity of p in is

The prime factorization of is the product of its prime factors raised to the power of their multiplicities. Since the multiplicity of any prime factor p in is at most r (p), we get: since p r (p)  2n by definition since the prime factors of are at most 2n

Taking logs of both sides and rearranging terms gives Since, So we have the desired result:

The prime density theorem states that n/lnn is a good estimate for  (n). But how large is the error? The Riemann Hypothesis Riemann proposed this conjecture in It is one of the most famous open problems in mathematics. A quick detour...

For all primes p and integers a such that 1  a  p -1, a p -1 = 1 (mod p) Fermat’s Little Theorem For example: a = 5, p = = 15,625 = 2,232  = 1 (mod 7) What is 2 38 (mod 7)? 2 38 = (2 6 ) 6  2 2 = 1 6  2 2 = 4 (mod 7)

A group (G,  ) is a set G and a binary operation  that has closure, associativity, inverses, and identity. The set Z n * = { x | 1  x  n and gcd(x,n) = 1} is a group with respect to multiplication mod n. In particular, for prime p, Z p * = {1,…, p -1} is a group with multiplication mod p. Lagrange: If G is a finite group and S is a subgroup of G, then the size of S divides the size of G. Recall From Group Theory

Theorem. (Fermat) For all primes p and integers a such that 1  a  p -1, a p -1 = 1 (mod p) Proof: Given a  Z p * Let aZ p * = { ax | x  Z p *} So aZ p * = { a, 2a, 3a, …, (p-1)a } aZ p * = Z p * because ax  aZ p *  ax  Z p * and x  Z p *  x = a (a -1 x)  aZ p * Multiply all the elements in each set (mod p): a  2a  3a    (p -1)a = 1  2  3    (p -1) (mod p) a p -1 (1  2  3    (p -1)) = 1  2  3    (p -1) (mod p) a p -1 = 1 (mod p)

Testing Primality (revisited) A simple randomized primality test is based on Fermat’s Little Theorem. To test if n is prime: pick a  {1…n -1} at random if a n -1  1 (mod n), return “n is not prime” else return “n may be prime” Hmm... O(log n) multiplies by using repeated squaring

What if n = 341, a = 2? = (2 10 ) 34 = = (3  ) 34 = 1 (mod 341) But 341 is not prime. 341 = 11  31 Fermat’s Little Theorem doesn’t work in both directions. Just because some numbers n and a satisfy the Fermat property, that doesn’t necessarily mean that n is prime!

The situation is even worse than that. Some composite numbers (called Carmichael numbers) actually satisfy Fermat’s Little Theorem for all 1  a  n-1. Our simple primality test cannot tell Carmichael numbers from prime numbers. Fortunately Carmichael numbers are extremely rare -- only 255 of them occur in the first 100,000,000 integers. We will ignore them for now First three Carmichael numbers:

If n is not a Carmichael number, we can bound the probability that the primality test goes wrong. Define K n * = { a  Z n * | a n-1 = 1 (mod n)} So K p * = Z p * for primes p (by Fermat’s Theorem) K 341 * contains 2 K k * = Z k * for Carmichael numbers k (by definition) If our choice of a for the test happens to fall in K n *, then the test would give the wrong answer. We want K n * to be small relative to {1…n-1}, so that a random a  {1…n-1} has a good chance of missing K n *.

Theorem. If n is composite but not a Carmichael number, then Pr (a  K n *)  1/2. Proof: Recall K n * = { a  Z n * | a n-1 = 1 (mod n)} Claim: K n * is a subgroup of Z n * Closure: a n-1 = 1 (mod n), b n-1 = 1 (mod n)  (ab) n-1 = 1 (mod n) Identity: 1 n-1 = 1 (mod n) Associativity: multiplication is associative Inverses: a n-1 = 1  (a n-1 ) -1 = 1  (a -1 ) n-1 = 1 (mod n) Since n is neither prime nor Carmichael, K n *  Z n * |K n *|  |Z n *| But |K n *| divides |Z n *| (Lagrange’s Theorem) So |K n *|  1/2 |Z n *|  1/2 (n-1).

We can boost the probability of the randomized primality test as high as we like by repeating it. Randomized primality test: repeat k times pick a  {1…n -1} at random if a n -1  1 (mod n) then return “n is not prime” return “n is probably prime or Carmichael” (Chance of mistake < 1/2 k as we vary over the possible coin tosses of the algorithm) A slightly more complicated version of this algorithm (the “Miller-Rabin” algorithm) detects and eliminates Carmichael numbers with probability  1 - 1/2 k.