Deciding Primality is in P

Jan 02, 2016


Deciding Primality is in P. M. Agrawal, N. Kayal, N. Saxena. Speaker: Adi Akavia. Background: Sieve of Eratosthenes (240 BC), running time of order n; Fermat's Little Theorem (17th century): p is prime, a ≢ 0 (mod p) ⟹ a^{p-1} ≡ 1 (mod p) (the converse does not hold: Carmichael numbers). PowerPoint PPT presentation.
Transcript
Page 1: Deciding Primality is in P

Deciding Primality is in P

M. Agrawal, N. Kayal, N. Saxena

Speaker: Adi Akavia

Page 2: Deciding Primality is in P

Background

• Sieve of Eratosthenes (240 BC): running time of order n.

• Fermat's Little Theorem (17th century): p is prime, a ≢ 0 (mod p) ⟹ a^{p-1} ≡ 1 (mod p). (The converse does not hold: Carmichael numbers.)

Polynomial-time algorithms:

• [Miller 76] deterministic, assuming the Extended Riemann Hypothesis.

• [Solovay, Strassen 77; Rabin 80] unconditional, but randomized.

• [Goldwasser, Kilian 86] randomized, produces a certificate for primality! (for almost all numbers)

• [Adleman, Huang 92] primality certificate for all numbers.

• [Adleman, Pomerance, Rumely 83] deterministic, (log n)^{O(log log log n)}-time.

Page 3: Deciding Primality is in P

This Paper

unconditional, deterministic, polynomial

Def: r is special with respect to n if:

1. r is prime,

2. r-1 has a large prime factor q, of order r^{2/3}, and

3. q | O_r(n).

Def: the order of n mod r, denoted O_r(n), is the smallest power t s.t. n^t ≡ 1 (mod r).

Tools: simple algebra, and a high-density theorem for numbers with properties (1) and (2) [Fou85, BH96].

Page 4: Deciding Primality is in P

Basic Idea

Fact: For any a s.t. (a, n) = 1:

n is prime ⟹ (x-a)^n ≡ x^n - a (mod n)

n is composite ⟹ (x-a)^n ≢ x^n - a (mod n)

Naive algo: Pick an arbitrary a, check if (x-a)^n ≡ x^n - a (mod n).

Problem: time complexity of order n (the expanded polynomial has n+1 coefficients).

Proof: Expand (x-a)^n with the binomial theorem. Assume n is prime; then C(n, i) ≡ 0 (mod n) for every 0 < i < n, so only x^n and (-a)^n ≡ -a survive. Assume n is composite; let q be a prime with q | n and q^k || n. Then q^k ∤ C(n, q) and (q, a^{n-q}) = 1, hence x^q has a non-zero coefficient (mod n).

Page 5: Deciding Primality is in P

Basic Idea

Idea: Pick an arbitrary a and some polynomial x^r - 1 with r = poly log n; check if (x-a)^n ≡ x^n - a (mod x^r - 1, n). Time complexity: poly(r).

n is prime ⟹ (x-a)^n ≡ x^n - a (mod x^r - 1, n)

n is composite ⟹?? (x-a)^n ≢ x^n - a (mod x^r - 1, n)

Not true for some (few) values of a, r!

Page 6: Deciding Primality is in P

Improved Idea

Improved Idea: Pick many (poly log n) a's, and check for all of them if:

(x-a)^n ≡ x^n - a (mod x^r - 1, n)

Accept if equality holds for all a's.

Page 7: Deciding Primality is in P

Some Algebra Reminders

Def: F_p (p is prime) denotes the finite field of p elements {0, 1, …, p-1}.

Def: F_p[x] denotes the ring of polynomials over F_p.

Def: Let f(x) be a k-degree polynomial.

Def: F_p[x]/f(x) denotes the set of (k-1)-degree polynomials over F_p, with addition and multiplication modulo f(x).

Thm: If f(x) is irreducible over F_p, then F_p[x]/f(x) is the unique field with p^k elements.

Page 8: Deciding Primality is in P

F_p[x]/f(x) - Addition

Let the polynomial f(x) over F_2 be: f(x) = x^3 + 1

Represent polynomials as vectors (a (k-1)-degree polynomial ↔ a vector of k coefficients): x^3 + 1 ↔ (1,0,0,1)

Addition (coefficients are added mod 2):

  (0,1,1)   x + 1
+ (1,0,1)   x^2 + 1
  ______
  (1,1,0)   x^2 + x

Page 9: Deciding Primality is in P

F_p[x]/f(x) - Multiplication

Multiplication: First, multiply 'mod p' (long multiplication of the coefficient vectors, here over F_2):

  (0,1,1)   x + 1
× (1,0,1)   x^2 + 1
  _____
  011..
  000.
  011
  _____
  1111      x^3 + x^2 + x + 1

Next, apply 'mod f(x)':

(x^3 + x^2 + x + 1) mod (x^3 + 1) = x^2 + x

Page 10: Deciding Primality is in P

F_p[x]/f(x) - mod f(x)

Example: x^7 mod (x^4 - 1) = x^3 (since x^4 ≡ 1, x^7 = x^4 · x^3 ≡ x^3).

In general for f(x) = x^r - 1: reducing c_m x^m + … + c_1 x + c_0 mod (x^r - 1) gives c'_{r-1} x^{r-1} + … + c'_1 x + c'_0 with

c'_i = Σ_{j ≡ i (mod r)} c_j,

i.e. every exponent j is folded onto j mod r.
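The vector arithmetic of pages 8-10 and the check of pages 4-6, worked in Python as an added example (not code from the slides or the paper; the coefficient order, the function names and the sample values are this example's own):

```python
# Added example, not from the slides: arithmetic in Z_n[x] modulo a monic f(x)
# and modulo n (for prime n this is F_p[x]/f(x)), used for the F_2 examples
# above and for the AKS check (x-a)^n == x^n - a (mod x^r - 1, n).
# Coefficient lists are low-degree first: the slide's (1,0,0,1) = x^3 + 1
# is written [1, 0, 0, 1] here.

def poly_addmod(u, v, n):
    """Coefficient-wise addition mod n (the slide's vector addition)."""
    m = max(len(u), len(v))
    u, v = u + [0] * (m - len(u)), v + [0] * (m - len(v))
    return [(a + b) % n for a, b in zip(u, v)]

def poly_mulmod(u, v, f, n):
    """(u * v) mod f mod n for monic f; result has exactly deg(f) entries."""
    prod = [0] * max(1, len(u) + len(v) - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % n
    d = len(f) - 1                       # degree of the modulus
    for k in range(len(prod) - 1, d - 1, -1):
        c = prod[k]                      # leading coefficient still to clear
        if c:                            # subtract c * x^(k-d) * f(x)
            for t in range(d + 1):
                prod[k - d + t] = (prod[k - d + t] - c * f[t]) % n
    res = prod[:d]
    return res + [0] * (d - len(res))

def poly_powmod(base, e, f, n):
    """base^e mod (f, n) by square-and-multiply, e >= 0."""
    d = len(f) - 1
    result = [1] + [0] * (d - 1)
    base = poly_mulmod(base, [1], f, n)  # reduce the input first
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, n)
        base = poly_mulmod(base, base, f, n)
        e >>= 1
    return result

def x_r_minus_1(r, n):
    """Coefficients of x^r - 1 over Z_n (for n = 2 this is x^r + 1)."""
    return [(-1) % n] + [0] * (r - 1) + [1]

def polynomial_test(n, a, r):
    """One round of the polynomials test: (x-a)^n == x^n - a (mod x^r - 1, n)?"""
    f = x_r_minus_1(r, n)
    lhs = poly_powmod([(-a) % n, 1], n, f, n)       # (x - a)^n
    rhs = poly_powmod([0, 1], n, f, n)              # x^n
    rhs[0] = (rhs[0] - a) % n                       # ... - a
    return lhs == rhs

if __name__ == "__main__":
    # Slide examples over F_2: (x+1) + (x^2+1), (x+1)(x^2+1) mod x^3+1, and the
    # appendix product (x^4+x^3+x+1)(x^3+x+1) mod x^4+x^3+x^2+x+1.
    print(poly_addmod([1, 1, 0], [1, 0, 1], 2))                    # [0, 1, 1]
    print(poly_mulmod([1, 1], [1, 0, 1], [1, 0, 0, 1], 2))         # [0, 1, 1]
    print(poly_mulmod([1, 1, 0, 1, 1], [1, 1, 0, 1], [1, 1, 1, 1, 1], 2))  # [1, 0, 1, 1]
    # A prime always passes; composite 9 fails for r = 5 but, as page 5 warns,
    # (a, r) = (1, 3) is one of the few pairs for which it still passes.
    print(polynomial_test(7, 1, 3), polynomial_test(9, 1, 5), polynomial_test(9, 1, 3))
```

The constructed pair (n, a, r) = (9, 1, 3) is exactly the kind of exception that motivates testing many a's on the next slide.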

Page 11: Deciding Primality is in P

Irreducible Factors of (x^r - 1)/(x - 1)

Fact: Consider the polynomial (x^r - 1)/(x - 1) over F_p. All its irreducible factors have the same degree, O_r(p); let h(x) be one of them and d = deg(h(x)).

Page 12: Deciding Primality is in P

The Algorithm

Input: integer n

1. Find r ∈ O(log^6 n) s.t. r is special,

2. Let l = 2 r^{1/2} log n.

3. Small divisors test: for t = 2, …, l, if t | n output COMPOSITE.

4. Power test: if n is a power, n = p^k for some k > 1, output COMPOSITE.

5. Polynomials test: for a = 1, …, l, if (x-a)^n ≢ x^n - a (mod x^r - 1, n), output COMPOSITE.

6. Otherwise: output PRIME.

Page 13: Deciding Primality is in P

Saw: the algorithm.

Yet to be seen: a special r ∈ O(log^6 n) exists (later); if n is composite then one of the tests returns COMPOSITE.

(Steps 1-6 of the algorithm, as on page 12, are shown alongside.)

Page 14: Deciding Primality is in P

Correctness Proof

Lemma: n is composite ⟹ the algorithm returns 'composite'. That is,

if n is composite, n has no divisor t ≤ l, and n is not a (prime) power,

then ∃ a ∈ [1..l] s.t. (x-a)^n ≢ x^n - a (mod x^r - 1, n).

(Steps 1-6 of the algorithm, as on page 12, are shown alongside.)

Page 15: Deciding Primality is in P

In the Proof - Using p and h(x)

Let p be a prime factor of n, and let h(x) be an irreducible factor of x^r - 1.

It suffices to show the inequality (mod h(x), p) instead of (mod x^r - 1, n), i.e. ∃ a ∈ [1..l] s.t. (x-a)^n ≢ x^n - a (mod h(x), p). (A congruence mod (x^r - 1, n) implies the same congruence mod (h(x), p), since h(x) | x^r - 1 and p | n.)

Choose p and h(x) s.t. q | O_r(p) and deg(h(x)) = O_r(p).

Such p exists: q | O_r(n) and O_r(n) = lcm{O_r(p_i)}, where n = p_1 p_2 … p_k.

Such h(x) exists: by the previous fact.

Page 16: Deciding Primality is in P

Proof

Assume by contradiction that n is composite and passes all the tests, i.e. n has no small factor, n is not a prime power, and ∀ a ∈ [1..l]: (x-a)^n ≡ x^n - a (mod h(x), p).

For any f(x) which is a product of polynomials (x-a) (where a ∈ [1..l]), f(x)^n = f(x^n) (mod h(x), p). Example: [(x-a_1)(x-a_2)]^n = (x^n - a_1)(x^n - a_2).

Page 17: Deciding Primality is in P

Proof

Therefore, consider the group generated by {(x-a)}_{a ∈ [1..l]}:

G = { Π_{1 ≤ a ≤ l} (x-a)^{i_a} | i_a ≥ 0 } ⊆ F_p[x]/h(x)

Are there other integers m s.t. ∀ f(x) ∈ G, f(x)^m ≡ f(x^m)? Yes! For example: p. Any others?

Let I = { m | ∀ f ∈ G, f(x)^m ≡ f(x^m) }.

Lemma: I is multiplicative, i.e. u, v ∈ I ⟹ uv ∈ I. Hence, in particular, {n^i p^j : 0 ≤ i, j ≤ r^{1/2}} ⊆ I. Therefore

|I ∩ [n^{2√r}]| > r.

Speaker notes: prove the lemma on the board; emphasise that the n^i p^j are distinct since n isn't a prime power.
Page 18: Deciding Primality is in P

Proof – I ∩ [|G|] is large

Lemma: |G| > n^{2√r}.

Proof: Consider all polynomials of degree < d that are products of the (x-a), a ∈ [1..l]. They are all distinct in F_p[x]/h(x). Therefore |G| ≥ C(l+d-1, l) (the bound n^{2√r} follows on page 25, using that d is big). Hence

|I ∩ [|G|]| > r.

However, we next show that

|I ∩ [|G|]| ≤ r.

d is big: q | O_r(p) = d.

Page 19: Deciding Primality is in P

Proof – I ∩ [|G|] is small

Lemma: Let m_1, m_2 ∈ I. Then m_1 ≡ m_2 (mod r) ⟹ m_1 ≡ m_2 (mod |G|).

Proof: Let g(x) be a generator of G. Let m_2 = m_1 + kr.

(*) m_1 ≡ m_2 (mod r), then x^{m_1} ≡ x^{m_2} (mod h(x)) (as x^r ≡ 1 (mod h(x))).

g(x)^{m_2} = g(x)^{m_1 + kr} = g(x)^{m_1} · g(x)^{kr}, while m_2 ∈ I gives g(x)^{m_2} = g(x^{m_2}) = g(x^{m_1}) (by (*)) = g(x)^{m_1} (as m_1 ∈ I). Hence

g(x)^{kr} ≡ 1 (mod h(x), p), so kr ≡ 0 (mod |G|).

So the elements of I ∩ [|G|] are pairwise distinct mod r, i.e. |I ∩ [|G|]| ≤ r. Contradiction!

Page 20: Deciding Primality is in P

Proof Summary

We saw that I ∩ [|G|] is small (unconditionally, using properties of x^r - 1).

However, if n is composite and not a prime power, then passing the polynomials test (i.e. n ∈ I) implies that I ∩ [|G|] is large (using properties of the special r and of x^r - 1).

Therefore, the polynomials test must return 'composite'.

Page 21: Deciding Primality is in P

Back to Special Numbers

Recall: r is special with respect to n if:

1. r is prime,

2. r-1 has a large prime factor q, of order r^{2/3}, and

3. q | O_r(n).

We next show that a special r ∈ O(log^6 n) exists.

Page 22: Deciding Primality is in P

Finding Special r

(Steps 1-6 of the algorithm, as on page 12, are shown alongside.)

Elaborating on step (1):

1. while r < c log^6 n:
   1. if r is prime:
      2. let q be the largest prime factor of r-1
      3. if (q ≥ 4 r^{1/2} log n) and (n^{(r-1)/q} ≢ 1 (mod r)) break;
   4. r ← r+1

Complexity: O(log^6 n) iterations, each taking O(r^{1/2} poly log r), hence total poly log n.

• When 'break' is reached: r is prime, q is large, and q | O_r(n).
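Step (1) as elaborated above, together with the power test of step (4), as an added Python example (not the paper's code; the function names, the choice c = 1, log base 2 and the extra gcd check are this example's assumptions):

```python
# Added example, not the paper's code: the special-r search that elaborates
# step (1) on this slide, and the power test of step (4).  Assumptions: the
# slide's constant c = 1 and "log n" = log2(n).
from math import log2

def is_prime_trial(m):
    """Trial division; r is only poly log n, so this is cheap enough."""
    if m < 2:
        return False
    t = 2
    while t * t <= m:
        if m % t == 0:
            return False
        t += 1
    return True

def largest_prime_factor(m):
    """Largest prime factor of m >= 2 (returns 1 for m = 1)."""
    q, t = 1, 2
    while t * t <= m:
        while m % t == 0:
            q, m = t, m // t
        t += 1
    return max(q, m)                     # a leftover m > 1 is prime

def find_special_r(n, c=1):
    """Smallest prime r < c log^6 n whose r-1 has a prime factor q with
    q >= 4 sqrt(r) log n and n^((r-1)/q) != 1 (mod r), so that q | O_r(n).
    Returns (r, q), or None if the loop bound is reached."""
    bound = c * log2(n) ** 6
    r = 2
    while r < bound:
        # n % r: added here as an assumption; O_r(n) needs gcd(n, r) = 1
        if is_prime_trial(r) and n % r != 0:
            q = largest_prime_factor(r - 1)
            if q >= 4 * r ** 0.5 * log2(n) and pow(n, (r - 1) // q, r) != 1:
                return r, q
        r += 1
    return None

def is_perfect_power(n):
    """Step (4): is n = p^k for some k > 1?  Integer k-th root by bisection."""
    for k in range(2, n.bit_length() + 1):
        lo, hi = 1, 1 << (n.bit_length() // k + 1)
        while lo < hi:                   # smallest m with m**k >= n
            mid = (lo + hi) // 2
            if mid ** k < n:
                lo = mid + 1
            else:
                hi = mid
        if lo ** k == n:
            return True
    return False

if __name__ == "__main__":
    n = 1009
    r, q = find_special_r(n)
    print(r, q, is_prime_trial(q), pow(n, (r - 1) // q, r))
    print(is_perfect_power(3 ** 5), is_perfect_power(1000), is_perfect_power(561))
```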

Page 23: Deciding Primality is in P

Special r ∈ O(log^6 n) exists

Consider an interval [..] whose endpoints are O(log^6 n); below, B denotes its upper endpoint (the slide's own symbol for it is not legible in the transcript).

Numbers with properties (1) and (2) are dense in [..]: immediate from density bounds for numbers with these properties and for primes.

For many primes r ∈ [..], property (3) holds:

• For many r's, O_r(n) > B^{1/3}: O_r(n) < B^{1/3} ⟹ r divides the product (n-1)(n^2-1)…(n^{B^{1/3}}-1). However, this product has no more than B^{2/3} log n prime divisors.

• Moreover, O_r(n) > B^{1/3} ⟹ q | O_r(n): if q doesn't divide O_r(n), then n^{(r-1)/q} ≡ 1 (mod r), therefore O_r(n) ≤ (r-1)/q. However (r-1)/q < B^{1/3}, a contradiction (here we utilize again the fact that q is large).

Hence, by a counting argument, there exists a special r ∈ [..].

Recall: r is special with respect to n if: 1. r is prime, 2. a prime q of order r^{2/3} divides r-1, 3. q | O_r(n).

Page 24: Deciding Primality is in P

The End

Page 25: Deciding Primality is in P

Proof - G is large, Cont.

Prop: d ≥ 2l.

Proof: Recall d = O_r(p) and q | O_r(p), hence d ≥ q ≥ 2l (recall q ≥ 4 r^{1/2} log n, l = 2 r^{1/2} log n).

Hence |G| ≥ C(l+d-1, l) ≥ 2^l ≥ n^{2√r}.

This is the reason for seeking a large q s.t. q | O_r(n).

Page 26: Deciding Primality is in P

Algebraic Background – Extension Field

Def: Consider fields F, E. E is an extension of F if F is a subfield of E.

Def: The Galois field GF(p^k) (p prime) is the unique (up to isomorphism) finite field containing p^k elements. (The cardinality of any finite field is a prime power.)

Def: A polynomial f(x) is called irreducible in GF(p) if it does not factor over GF(p).

Page 27: Deciding Primality is in P

Multiplicative Group

Def: GF*(p^k) is the multiplicative group of the Galois field GF(p^k), that is, GF*(p^k) = GF(p^k) \ {0}.

Thm: GF*(p^k) is cyclic, thus it has a generator g:

GF*(p^k) = { g^i | 0 ≤ i < p^k - 1 }

Page 28: Deciding Primality is in P

F_p[x]/f(x) - Example

Let the irreducible polynomial f(x) over F_2 be: f(x) = x^4 + x^3 + x^2 + x + 1 ↔ (1,1,1,1,1)

Represent polynomials as vectors (a (k-1)-degree polynomial ↔ a vector of k coefficients).

Addition (coefficients are added mod 2):

  (1,0,1,0,0)   x^4 + x^2
+ (0,1,1,1,1)   x^3 + x^2 + x + 1
  ________
  (1,1,0,1,1)   x^4 + x^3 + x + 1

Page 29: Deciding Primality is in P

F_p[x]/f(x) - Example

Multiplication: First, multiply 'mod p' (long multiplication of the coefficient vectors over F_2):

  (1,1,0,1,1)   x^4 + x^3 + x + 1
× (0,1,0,1,1)   x^3 + x + 1
  _________
  11011...
  00000..
  11011.
  11011
  _________
  11110101      x^7 + x^6 + x^5 + x^4 + x^2 + 1

Next, apply 'mod f(x)' with f(x) = x^4 + x^3 + x^2 + x + 1:

(x^7 + x^6 + x^5 + x^4 + x^2 + 1) mod f(x) = x^3 + x^2 + 1 ↔ (1,1,0,1)