Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Presentation by Adi Akavia.

Published bySophie Hortense Sherman Modified over 10 years ago

Similar presentations

Presentation on theme: "1 Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Presentation by Adi Akavia."— Presentation transcript:

1 1 Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Presentation by Adi Akavia

2 2 Background Sieve of Eratosthenes 240BC -  (n) Sieve of Eratosthenes 240BC -  (n) Fermat’s Little Theorem (17 th century): Fermat’s Little Theorem (17 th century): p is prime, a  0 (mod p)  a p-1  1 (mod p) (The converse does not hold – Carmichael numbers) Polynomial-time algorithms: Polynomial-time algorithms: [Miller 76] deterministic, assuming Extended Riemann Hypothesis. [Miller 76] deterministic, assuming Extended Riemann Hypothesis. [Solovay, Strassen 77; Rabin 80] unconditional, but randomized. [Solovay, Strassen 77; Rabin 80] unconditional, but randomized. [Goldwasser, Kilian 86] randomized produces certificate for primality! (for almost all numbers) [Goldwasser, Kilian 86] randomized produces certificate for primality! (for almost all numbers) [Atkin 86; Adelman Huang 92] primality certificate for all numbers. [Atkin 86; Adelman Huang 92] primality certificate for all numbers. [Adelman, Pomerance, Rumely 83] deterministic (log n) O(log log log n) -time. [Adelman, Pomerance, Rumely 83] deterministic (log n) O(log log log n) -time.

3 3 This Paper unconditional, deterministic, polynomial Def (Sophie-Germain primes): primes (p-1)/2 s.t. p is also prime. Def (Sophie-Germain primes): primes (p-1)/2 s.t. p is also prime. Def: r is special with respect to n if: Def: r is special with respect to n if: r is prime, r is prime, r-1 has a large prime factor q =  (r 2/3 ), and r-1 has a large prime factor q =  (r 2/3 ), and q|O r (n). q|O r (n). Tools: Tools: simple algebra simple algebra High density conjecture for primes p s.t. (p-1)/2 is Sophie-Germain High density conjecture for primes p s.t. (p-1)/2 is Sophie-Germain High density Thm for primes p s.t. p-1 has a large (  (r 2/3 )prime factor. [Fou85, BH96] High density Thm for primes p s.t. p-1 has a large (  (r 2/3 )) prime factor. [Fou85, BH96] Def: order n mod r, denoted O r (n), is the smallest power t s.t. n t  1 (mod r).

4 4 This Paper unconditional, deterministic, polynomial Def (Sophie-Germain primes): primes (p-1)/2 s.t. p is also prime. Def (Sophie-Germain primes): primes (p-1)/2 s.t. p is also prime. Def: r is “almost Sophie-Germain“ (ASG) if: Def: r is “almost Sophie-Germain“ (ASG) if: r is prime, r is prime, r-1 has a large prime factor q =  (r 2/3 ) r-1 has a large prime factor q =  (r 2/3 ) Tools: Tools: simple algebra simple algebra High density conjecture for primes p s.t. (p-1)/2 is Sophie-Germain High density conjecture for primes p s.t. (p-1)/2 is Sophie-Germain High density Thm for primes p that are ‘almost Sophie-Germain’. [Fou85, BH96] High density Thm for primes p that are ‘almost Sophie-Germain’. [Fou85, BH96]

5 5 Basic Idea Fact: For any a s.t (a,n)  =1: Fact: For any a s.t (a,n)  =1: n is prime  (x-a) n  x n -a (mod n) n is prime  (x-a) n  x n -a (mod n) n is composite  (x-a) n  x n -a (mod n) n is composite  (x-a) n  x n -a (mod n) Naive algo: Pick an arbitrary a, check if (x-a) n  x n -a (mod n) Naive algo: Pick an arbitrary a, check if (x-a) n  x n -a (mod n) Problem: time complexity -  (n). Problem: time complexity -  (n). Proof: Develop (x-a) n using Newton-binomial. Assume n is prime, then Assume n is prime, then Assume n is composite, then let q|n, let q k ||n, then and, hence x q has non zero coefficient (mod n). Assume n is composite, then let q|n, let q k ||n, then and, hence x q has non zero coefficient (mod n).

6 6 Basic Idea Idea: Pick an arbitrary a, and some polynomial x r -1, with r = poly log n, check if (x-a) n  x n -a (mod x r -1, n) Idea: Pick an arbitrary a, and some polynomial x r -1, with r = poly log n, check if (x-a) n  x n -a (mod x r -1, n) time complexity – poly(r) time complexity – poly(r) n is prime  (x-a) n  x n -a (mod x r -1, n) n is prime  (x-a) n  x n -a (mod x r -1, n) n is composite ??  ?? (x-a) n  x n -a (mod x r -1, n) n is composite ??  ?? (x-a) n  x n -a (mod x r -1, n) Not true for some (few) values of a,r !

7 7 Improved Idea Improved Idea: Pick many (poly log n) a’s, check for all of them if: (x-a) n  x n -a (mod x r -1, n) Accept if equality holds for all a’s Improved Idea: Pick many (poly log n) a’s, check for all of them if: (x-a) n  x n -a (mod x r -1, n) Accept if equality holds for all a’s

8 8 Algebraic Background – Extension Field Def: Consider fields F, E. E is an extension of F, if F is a subfield of E. Def: Galois field GF(p k ) (p prime) is the unique (up to isomorphism) finite field containing p k elements. (The cardinality of any finite fields is a prime-power.) Def: A polynomial f(x) is called irreducible in GF(p) if it does not factor over GF(p)

9 9 Multiplicative Group Def: GF * (p k ) is the multiplicative group of the Galois Field GF(p k ), that is, GF * (p k ) = GF(p k )\{0}. Thm: GF * (p k ) is cyclic, thus it has a generator g:

10 10 Constructing Galois Fields Def: F p denotes a finite field of p elements (p is prime). Def: Let f(x) be a k-degree polynomial. Def: Let F p [x]/f(x) be the set of k-1-degree polynomials over F p, with addition and multiplication modulo f(x). Thm: If f(x) is irreducible over GF(p), then GF(p k )  F p [x]/f(x).

11 11 F p [x]/f(x) - Example Let the irreducible polynomial f(x) be: Represent polynomials as vectors (k-1 degree polynomial  vector of k coefficient) : Addition:

12 12 F p [x]/f(x) - Example Multiplication: First, multiply ‘mod p’: First, multiply ‘mod p’: Next, apply ’mod f(x)’: Next, apply ’mod f(x)’:

13 13 The Algorithm Input: integer n 1. Find r  O(log 6 n), s.t. r is special, 2. Let l = 2r 1/2 log n. 3. For t=2,…,l, if t|n output COMPOSITE 4. If n is (prime) power -- n=p k, for k>1 output COMPOSITE. 5. For a =1,…,l, if (x-a) n  x n -a (mod x r -1, n), output COMPOSITE. 6. Otherwise: output PRIME.  Def: r is special if:  r is Almost Sophie-Germain, and  q|O r (n) (where qthe large prime factor of r-1).  q|O r (n) (where q is the large prime factor of r-1).

14 14 Proof’s Structure Saw: primality test. We next show: Special r  O(log 6 n) exists. Special r  O(log 6 n) exists. For such r: if n is composite s.t. n passes steps (3) and (4), then  a  [1..l] s.t. (x-a) n  x n -a (mod x r -1, n) (hence, returns COMPOSITE at step (5)) For such r: if n is composite s.t. n passes steps (3) and (4), then  a  [1..l] s.t. (x-a) n  x n -a (mod x r -1, n) (hence, returns COMPOSITE at step (5)) 1. Find r  O(log 6 n), s.t. r is special, 2. Let l = 2r 1/2 log n. 3. For t=2,…,l, if t|n output COMPOSITE 4. If n is a prime power, i.e. n=p k, for some prime p, output COMPOSITE. 5. For a =1,…,l, if (x-a) n  x n -a (mod x r -1, n), output COMPOSITE. 6. Otherwise output PRIME.

15 15 Finding Suitable r Elaborating on step (1): 1. while r < c log 6 n 1. if r is prime 2. let q be the largest prime factor of r-1 3. if (q  4r 1/2 log n) and (n (r-1)/q  1 (mod r)) break; 4. r  r+1 Complexity: O(log 6 n) iterations, each taking: O(r 1/2 poly log r), hence total poly log n. when ‘break’ is reached: r is prime, q is large, and q|O r (n)when ‘break’ is reached: r is prime, q is large, and q|O r (n) 1. Find r  O(log 6 n), s.t. r is special, 2. Let l = 2r 1/2 log n. 3. For t=2,…,l, if t|n output COMPOSITE 4. If n is a prime power, i.e. n=p k, for some prime p, output COMPOSITE. 5. For a =1,…,l, if (x-a) n  x n -a (mod x r -1, n), output COMPOSITE. 6. Otherwise output PRIME.

16 16 Lemma: Special r  O(log 6 n) s.t. q|O r (n) exists. Proof: let ,  =O(log 6 n), consider the interval [ ..  ]. let ,  =O(log 6 n), consider the interval [ ..  ]. special numbers are dense in [ ..  ] special numbers are dense in [ ..  ] there are only few primes r  [ ..  ] s.t O r (n) <  1/3. there are only few primes r  [ ..  ] s.t O r (n) <  1/3. Hence, by counting argument, exists a special r  [ ..  ] s.t. O r (n) >  1/3. Hence, by counting argument, exists a special r  [ ..  ] s.t. O r (n) >  1/3. Moreover, O r (n) >  1/3  q | O r (n). Moreover, O r (n) >  1/3  q | O r (n). Therefore, exists a special r  [ ..  ] s.t. q|O r (n). Therefore, exists a special r  [ ..  ] s.t. q|O r (n). #special  [ ..  ]  #special  [1..  ] - #primes  [1..  ] =  (log 6 n / loglog n) (using density of special numbers, and lower bound on density of primes) O r (n) <  1/3  r |  =(n-1)(n 2 -1)...(n^  1/3 -1). However,  has no more than  2/3 log n prime divisors assumeq O r (n), then n (r-1)/q  1, therefore O r (n)  (r-1)/q. However(r-1)/q  1/3 -- a contradiction. assume q doesn’t divide O r (n), then n (r-1)/q  1, therefore O r (n)  (r-1)/q. However (r-1)/q <  1/3 -- a contradiction.

17 17 Lemma: Special r  O(log 6 n) exists. Proof: let ,  =O(log 6 n), consider the interval [ ..  ]. let ,  =O(log 6 n), consider the interval [ ..  ]. ASG numbers are dense in [ ..  ] ASG numbers are dense in [ ..  ] there are only few primes r  [ ..  ] s.t O r (n) <  1/3. there are only few primes r  [ ..  ] s.t O r (n) <  1/3. Hence, by counting argument, exists a ASG r  [ ..  ] s.t. O r (n) >  1/3. Hence, by counting argument, exists a ASG r  [ ..  ] s.t. O r (n) >  1/3. Moreover, O r (n) >  1/3  q | O r (n). Moreover, O r (n) >  1/3  q | O r (n). Therefore, exists a special r  [ ..  ]. Therefore, exists a special r  [ ..  ]. #ASG  [ ..  ]  #ASG  [1..  ] - #primes  [1..  ] =  (log 6 n / loglog n) (using density of ASG numbers, and upper bound on density of primes) O r (n) <  1/3  r |  =(n-1)(n 2 -1)...(n^  1/3 -1). However,  has no more than  2/3 log n prime divisors assumeq O r (n), then n (r-1)/q  1, therefore O r (n)  (r-1)/q. However(r-1)/q  1/3 -- a contradiction. assume q doesn’t divide O r (n), then n (r-1)/q  1, therefore O r (n)  (r-1)/q. However (r-1)/q <  1/3 -- a contradiction.

18 18 Correctness Proof Lemma: n is composite  step (5) returns ‘composite’. That is, If n is composite, and If n is composite, and n has no factor t  l, and n has no factor t  l, and n is not a prime-power n is not a prime-power then  a  [1..l] s.t. (x-a) n  x n -a (mod x r -1, n) then  a  [1..l] s.t. (x-a) n  x n -a (mod x r -1, n) 1. Find r  O(log 6 n), s.t. r is special, 2. Let l = 2r 1/2 log n. 3. For t=2,…,l, if t|n output COMPOSITE 4. If n is a prime power, i.e. n=p k, for some prime p, output COMPOSITE. 5. For a =1,…,l, if (x-a) n  x n -a (mod x r -1, n), output COMPOSITE. 6. Otherwise output PRIME.

19 19 Proof Let p be a prime factor of n, and let h(x) be an irreducible factor of x r -1, Let p be a prime factor of n, and let h(x) be an irreducible factor of x r -1, It suffices to show inequality (mod h(x), p) instead of (mod x r -1, n), i.e.  a  [1..l] s.t. (x-a) n  x n -a (mod h(x), p) It suffices to show inequality (mod h(x), p) instead of (mod x r -1, n), i.e.  a  [1..l] s.t. (x-a) n  x n -a (mod h(x), p) Choose p and h(x) s.t. Choose p and h(x) s.t. q|O r (p), and q|O r (p), and deg(h(x)) = O r (p) deg(h(x)) = O r (p) Such p exists: Let n=p 1 p 2 …p k, then O r (n) = lcm{Or(p i )}. Therefore: q|O r (n)   i q|O r (p i ) (as q is prime) Such h exists: by previous claim.

20 20 Proof Assume by contradiction that n is composite, and passes all the tests, i.e. Assume by contradiction that n is composite, and passes all the tests, i.e. n has no small factor, and n has no small factor, and n is not a prime-power, and n is not a prime-power, and  a  [1..l] (x-a) n  x n -a (mod h(x), p),  a  [1..l] (x-a) n  x n -a (mod h(x), p),

21 21 Proof Consider the group generated by {(x-a)} a  [1..l] (mod h(x), p), i.e. Consider the group generated by {(x-a)} a  [1..l] (mod h(x), p), i.e. Note:  f(x)  G, f(x) n  f(x n ) Note:  f(x)  G, f(x) n  f(x n ) Let I = { m |  f  G, f(x) m  f(x m ) }. Let I = { m |  f  G, f(x) m  f(x m ) }. Lemma: I is multiplicative, i.e. u,v  I  uv  I. Lemma: I is multiplicative, i.e. u,v  I  uv  I. Proof: x r -1|x vr -1, therefore Proof: x r -1|x vr -1, thereforehence

22 22 Proof - n  I  I is large Prop:  (i,j)  (i’,j’) n i p j  n i’ p j (since n  p k ) Prop:  (i,j)  (i’,j’) n i p j  n i’ p j (since n  p k ) Lemma: , if  u,v  I s.t.  (i,j)  (i’,j’) u i v j  u i’ v j’, then |I|  [u  v  ] >  2. Lemma: , if  u,v  I s.t.  (i,j)  (i’,j’) u i v j  u i’ v j’, then |I|  [u  v  ] >  2. Corollary: , n  I  |I|  [u  v  ] >  2. Proof: p  I. Corollary: , n  I  |I|  [u  v  ] >  2. Proof: p  I. However, Lemma: However, Lemma: Corollary: n  I  |I|  [|G|] > r. Corollary: n  I  |I|  [|G|] > r. (  +1) 2 different pairs (i,j), each give a distinct value Consider all polynomials of degree bound <d. There are all distinct in F p [x]/h(x). Therefore

23 23 Irreducible Factors of (x r -1)/(x-1) Def: Let h(x) denote any irreducible factor of (x r -1)/(x-1), and d = deg(h(x)) Def: Let h(x) denote any irreducible factor of (x r -1)/(x-1), and d = deg(h(x)) Claim: h(x), d=O r (p) Claim: h(x), d=O r (p) Proof: Denote k=O r (p). Note F p [x]/h(x) is of size p d, therefore F p [x]/h(x)* is cyclic of order p d -1. Proof: Denote k=O r (p). Note F p [x]/h(x) is of size p d, therefore F p [x]/h(x)* is cyclic of order p d -1. k|dx r  1 (mod h(x)), hence O h(x) (x) is r, therefore r|p d -1, i.e., p d  1 (mod r), and hence k|d (recall d=O r (p)). k|d: x r  1 (mod h(x)), hence O h(x) (x) is r, therefore r|p d -1, i.e., p d  1 (mod r), and hence k|d (recall d=O r (p)). d|kg be a generator, then hencep d -1 |p k -1therefore d|k. d|k: let g be a generator, then hence p d -1 | p k -1. and therefore d|k. Recall, if r is special with respect to n, then r-1 has a large prime factor q, s.t. q|O r (n). Choose p s.t. q|O r (p) (exists). Then d is large. exists

24 24 Proof – I is small Lemma: Letm1, m2  I, then m1  m2 (mod |G|)  m1  m2 (mod r) Lemma: Let m1, m2  I, then m1  m2 (mod |G|)  m1  m2 (mod r) Lemma(I is small): |I|  [|G|]  r Lemma(I is small): |I|  [|G|]  r Proof: Proof: Each two elements in |I|  [|G|] are different mod |G|. Each two elements in |I|  [|G|] are different mod |G|. Therefore they are different mod r. Therefore they are different mod r. Hence |I|  [|G|]  r. Hence |I|  [|G|]  r. Contradiction! Contradiction! Proof: Let g(x) be a generator of G. Let m2=m1+kr. (*) m1  m2 (mod r), then x m1  x m2 (mod h(x)) (as x r  1 (mod h(x)))

25 25 The End

26 26 Proof - G is large, Cont. Hence, Prop: d  2l Proof: Recall d=O r (p) and q|O r (p), hence d  q  2l (recall q  4r 1/2 log n, l=2r 1/2 log n) Hence This is the reason for seeking a large q s.t. q|O r (n)

Download ppt "1 Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Presentation by Adi Akavia."

Similar presentations

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.
Finite Fields Rong-Jaye Chen. p2. Finite fields 1. Irreducible polynomial f(x)  K[x], f(x) has no proper divisors in K[x] Eg. f(x)=1+x+x 2 is irreducible.

Finite Fields Rong-Jaye Chen. p2. Finite fields 1. Irreducible polynomial f(x)  K[x], f(x) has no proper divisors in K[x] Eg. f(x)=1+x+x 2 is irreducible.
BCH Codes Hsin-Lung Wu NTPU.

BCH Codes Hsin-Lung Wu NTPU.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.
Computability and Complexity

Computability and Complexity
Having Proofs for Incorrectness

Having Proofs for Incorrectness
Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou

Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.

Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.
COM 5336 Cryptography Lecture 7a Primality Testing

COM 5336 Cryptography Lecture 7a Primality Testing
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Information and Coding Theory Finite fields. Juris Viksna, 2015.

Information and Coding Theory Finite fields. Juris Viksna, 2015.
Basic properties of the integers

Basic properties of the integers
1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel:03- 5742968, Fax : 886-3-572-3694.

1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 12 June 18, 2006

1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 12 June 18, 2006
1 Fingerprint 2 Verifying set equality Verifying set equality v String Matching – Rabin-Karp Algorithm.

1 Fingerprint 2 Verifying set equality Verifying set equality v String Matching – Rabin-Karp Algorithm.
Elliptic Curve. p2. Outline EC over Z p EC over GF(2 n )

Elliptic Curve. p2. Outline EC over Z p EC over GF(2 n )
ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,

ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Probabilistic Complexity. Probabilistic Algorithms Def: A probabilistic Turing Machine M is a type of non- deterministic TM, where each non-deterministic.

Probabilistic Complexity. Probabilistic Algorithms Def: A probabilistic Turing Machine M is a type of non- deterministic TM, where each non-deterministic.

Similar presentations

Ads by Google