Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Speaker: Adi Akavia
p is prime, a0 (mod p) ap-11 (mod p) Background Sieve of Eratosthenes 240BC -(n) Fermat’s Little Theorem (17th century): p is prime, a0 (mod p) ap-11 (mod p) (The converse does not hold – Carmichael numbers) Polynomial-time algorithms: [Miller 76] deterministic, assuming Extended Riemann Hypothesis. [Solovay, Strassen 77; Rabin 80] unconditional, but randomized. [Goldwasser, Kilian 86] randomized produces certificate for primality! (for almost all numbers) [Adelman Huang 92] primality certificate for all numbers. [Adelman, Pomerance, Rumely 83] deterministic (log n)O(log log log n)-time.
unconditional, deterministic, polynomial This Paper unconditional, deterministic, polynomial Def: r is special with respect to n if: r is prime, r-1 has a large prime factor q = (r2/3) , and q|Or(n). Tools: simple algebra High density Thm for numbers with properties (1) and (2). [Fou85, BH96] Def: order n mod r, denoted Or(n), is the smallest power t s.t. nt 1 (mod r).h
Basic Idea Fact: For any a s.t (a,n)=1: n is prime (x-a)nxn-a (mod n) n is composite (x-a)nxn-a (mod n) Naive algo: Pick an arbitrary a, check if (x-a)nxn-a (mod n) Problem: time complexity - (n). Proof: Develop (x-a)n using Newton-binomial. Assume n is prime, then Assume n is composite, then let q|n, let qk||n, then and , hence xq has non zero coefficient (mod n).
Basic Idea Idea: Pick an arbitrary a, and some polynomial xr-1, with r = poly log n, check if (x-a)nxn-a (mod xr-1, n) time complexity – poly(r) n is prime (x-a)nxn-a (mod xr-1, n) n is composite ???? (x-a)nxn-a (mod xr-1, n) Not true for some (few) values of a,r !
Improved Idea Improved Idea: Pick many (poly log n) a’s, check for all of them if: (x-a)nxn-a (mod xr-1, n) Accept if equality holds for all a’s
Some Algebra Reminders Def: Fp (p is prime) denotes the finite field of p elements {0,1,…,p-1}. Def: Fp[x] denotes the ring of polynomials over Fp. Def: Let f(x) be a k-degree polynomial. Def: Fp[x]/f(x) denotes the set of k-1-degree polynomials over Fp, with addition and multiplication modulo f(x). Thm: If f(x) is irreducible over Fp, then Fp[x]/f(x) the unique field with pk elements.
Fp[x]/f(x) - Addition Let the polynomial f(x) over F2 be: Represent polynomials as vectors (k-1 degree polynomial vector of k coefficient): Addition:
Fp[x]/f(x) - Multiplication First, multiply ‘mod p’: Next, apply ’mod f(x)’:
Fp[x]/f(x) - mod f(x) Example: In general for f(x) = xr-1:
Irreducible Factors of (xr-1)/(x-1) Fact: Consider the polynomial (xr-1)/(x-1) over Fp. All its irreducible factors are of degree d = deg(h(x))
The Algorithm Input: integer n Find r O(log6n), s.t. r is special, Let l = 2r1/2log n. Small divisors test: For t=2,…,l, if t|n output COMPOSITE Power test: If n is a power -- n=pk, for k>1 output COMPOSITE . Polynomials test: For a =1,…,l, if (x-a)n xn-a (mod xr-1, n), output COMPOSITE . Otherwise: output PRIME.
Special r O(log6n) exists (later) Find r O(log6n), s.t. r is special, Let l = 2r1/2log n. If exists a small ( < l+1) divisor, output COMPOSITE If n is a power, output COMPOSITE . For a = 1,…,l, if (x-a)n xn-a (mod xr-1, n), output COMPOSITE . Otherwise output PRIME. Saw: algorithm Yet to be seen: Special r O(log6n) exists (later) If n is composite then one of the tests returns COMPOSITE.
Find r O(log6n), s.t. r is special, Let l = 2r1/2log n. If exists a small ( < l+1) divisor, output COMPOSITE If n is a power, output COMPOSITE . For a = 1,…,l, if (x-a)n xn-a (mod xr-1, n), output COMPOSITE . Otherwise output PRIME. Correctness Proof Lemma: n is composite algo returns ‘composite’. That is, If n is composite, and n has no divisor t l, and n is not a (prime) power then a[1..l] s.t. (x-a)n xn-a (mod xr-1, n)
In the Proof - Using p and h(x) Let p be a prime factor of n, and let h(x) be an irreducible factor of xr-1, Suffices to show inequality (mod h(x), p) instead of: (mod xr-1, n), i.e. a[1..l] s.t. (x-a)n xn-a (mod h(x), p) Choose p and h(x) s.t. q|Or(p), and deg(h(x)) = Or(p) Such p exists: q|Or(n) and Or(n) = lcm{Or(pi)}, where n=p1p2…pk. Such h(x) exists: by previous fact.
Proof Assume by contradiction that n is composite, and passes all the tests, i.e. n has no small factor, and n is not a prime-power, and a[1..l] (x-a)n xn-a (mod h(x), p), For any f(x), which is a multiple of polynomials (x-a) (where a[1..l]), f(x)n=f(xn). Example: [(x-a1)(x-a2)]n = (xn-a1) (xn-a2)
Proof Therefore, consider the group generated by {(x-a)}a[1..l]: Are there other integers m s.t. f(x)G, f(x)m f(xm) ? Yes! For example: p. Any others? Let I = { m | fG, f(x)m f(xm) }. Lemma: I is multiplicative, i.e. u,vI uvI. Hence, in particular {nipj : 0 ≤ i,j ≤ r1/2} I. Therefore,
Proof – I[|G|] is large Lemma: Proof: Consider all polynomials of degree < d. They are all distinct in Fp[x]/h(x). Therefore Hence, However, we next show that d is big: q|Or(p)=d.
Proof – I[|G|] is small Lemma: Let m1, m2 I, then m1 m2 (mod |G|) m1 m2 (mod r) Proof: Let g(x) be a generator of G. Let m2=m1+kr. (*) m1m2 (mod r), then xm1xm2 (mod h(x)) (as xr 1 (mod h(x))) Contradiction!
Proof Summary We saw that I[|G|] is small (unconditionally, using properties of xr-1), However, if n is composite and not a prime power, then passing the polynomials test (i.e. nI) implies that I[|G|] is large. (using properties of the special r and of xr-1) Therefore, the polynomials test must return ‘composite’.
Back to Special Numbers Recall: r is special with respect to n if: r is prime, r-1 has a large prime factor q = (r2/3) , and q|Or(n). We next show that Special r O(log6n) exists.
Finding Special r while r < c log6n Elaborating on step (1): Find r O(log6n), s.t. r is special, Let l = 2r1/2log n. If exists a small ( < l+1) divisor, output COMPOSITE If n is a power, output COMPOSITE . For a = 1,…,l, if (x-a)n xn-a (mod xr-1, n), output COMPOSITE . Otherwise output PRIME. Finding Special r Elaborating on step (1): while r < c log6n if r is prime let q be the largest prime factor of r-1 if (q4r1/2log n) and (n(r-1)/q 1 (mod r)) break; rr+1 Complexity: O(log6n) iterations, each taking: O(r1/2 poly log r), hence total poly log n. when ‘break’ is reached: r is prime, q is large, and q|Or(n)
Special r O(log6n) exists Recall: r is special with respect to n if: r is prime, q = (r2/3) prime factor of r-1, q|Or(n). Special r O(log6n) exists Consider interval [..], ,=O(log6n). Numbers with properties (1) and (2) are dense in [..] immediate from density bounds for numbers with these properties and for primes. For many primes r[..], property (3) holds. For many r’s Or(n) > 1/3: Or(n) < 1/3 r | =(n-1)(n2-1)...(n^1/3-1). However, has no more than 2/3log n prime divisors. Moreover, Or(n) > 1/3 q | Or(n): if q doesn’t divide Or(n), then n(r-1)/q 1, therefore Or(n) (r-1)/q. However (r-1)/q < 1/3 -- a contradiction. (here we utilize again the fact that q is large). Hence, by counting argument, exists a special r[..].
The End
Proof - G is large, Cont. Hence, Prop: d 2l This is the reason for seeking a large q s.t. q|Or(n) Hence, Prop: d 2l Proof: Recall d=Or(p) and q|Or(p), hence d q 2l (recall q4r1/2log n, l=2r1/2log n) Hence
Algebraic Background – Extension Field Def: Consider fields F, E. E is an extension of F, if F is a subfield of E. Def: Galois field GF(pk) (p prime) is the unique (up to isomorphism) finite field containing pk elements. (The cardinality of any finite fields is a prime-power.) Def: A polynomial f(x) is called irreducible in GF(p) if it does not factor over GF(p)
Multiplicative Group Def: GF*(pk) is the multiplicative group of the Galois Field GF(pk), that is, GF*(pk) = GF(pk)\{0}. Thm: GF*(pk) is cyclic, thus it has a generator g:
Fp[x]/f(x) - Example Let the irreducible polynomial f(x) be: Represent polynomials as vectors (k-1 degree polynomial vector of k coefficient): Addition:
Fp[x]/f(x) - Example Multiplication: First, multiply ‘mod p’: Next, apply ’mod f(x)’: