The AKS Primality Test
Pranshu Bhatnagar
Chennai Mathematical Institute
Indraprastha Institute of Information Technology
11th June 2015

Introduction to Primality Testing
• Goal: given an integer n > 1, determine whether n is prime
• Most people know the smallest primes
  • 2, 3, 5, 7, 11, 13, 17, 19, 23, …
• What about:
  • 38,476? No, because it is even
  • 4,359? No, because the sum of the digits is 21, a multiple of 3
  • 127? Yes, because it does not have any factors < √127 ≈ 11.27
  • $2^{57{,}885{,}161} - 1$?
    • This has over 17 million digits. We need better tests…

3 Categories
For some arithmetic statement S which is easy to check:
1. n is prime ⇒ S(n)
  • pseudoprimes
  • strong pseudoprimes
2. S(n) ⇒ n is prime
  • n−1 test (Lucas Theorem)
  • n+1 test (Lucas-Lehmer)
3. S(n) ⇔ n is prime
  • AKS test

n is prime ⇒ S(n)
• S(n): n = 2 or n is odd
• S(n): n = 3 or sum of digits of n is not divisible by 3
• ¬S(n) ⇒ n is composite
• S(n) ⇒ ?

Pseudoprimes
• n prime ⇒ S(n)
• S-pseudoprime: n is composite but S(n) holds
• S(n): n = 2 or n is odd
  • n = 15 is a pseudoprime

Intro to Modular Arithmetic
• a ≡ b (mod n)
  • Formally n | (a − b)
  • a/n leaves remainder b
• Clocks keep time (mod 12)
  • 16:30 (military time) ≡ 4:30 pm
  • 8:00 am + 7 hours = 15:00 ≡ 3 pm
• Subtract the modulus until the result is small enough
  • 11 ≡ 4 (mod 7)
  • 35 ≡ 0 (mod 5)
  • $2^3 = 8 \equiv 2 \pmod{3}$

Fermat Pseudoprimes
• n prime ⇒ S(n)
• S is based on Fermat’s Little Theorem: If n is prime then $a^n \equiv a \pmod{n}$, ∀a ∈ ℤ
• S(n): $a^n \equiv a \pmod{n}$
• Fermat pseudoprime: n is composite but $a^n \equiv a \pmod{n}$ for some a

Examples
n prime ⇒ $a^n \equiv a \pmod{n}$
• Let n = 91
  • Composite: 91 = 7 * 13
• $3^{91} \equiv 3 \pmod{91}$
  • 91 is a Fermat pseudoprime base 3
• $2^{91} \not\equiv 2 \pmod{91}$
  • 91 is not a Fermat pseudoprime base 2 (91 is composite)
• Note: ∃ Carmichael numbers (most probably infinitely many), composites with $a^n \equiv a \pmod{n}$ for every a

S(n) ⇒ n is prime
• n is composite ⇒ ¬S(n)
• ¬S(n) ⇒ ?

The n−1 Test
• S is based on the Lucas Theorem:
  If $a^{n-1} \equiv 1 \pmod{n}$ but $a^{(n-1)/q} \not\equiv 1 \pmod{n}$ ∀ prime q | n−1, then n is prime (for some a ∈ ℤ)
• S(n): $a^{n-1} \equiv 1 \pmod{n}$ but $a^{(n-1)/q} \not\equiv 1 \pmod{n}$

Example
[$a^{n-1} \equiv 1 \pmod{n}$ but $a^{(n-1)/q} \not\equiv 1 \pmod{n}$] ⇒ n prime
• Let n = 19
• $n - 1 = 18 = 2 \cdot 3^2$
• Let a = 2
  $2^{18} \equiv 1 \pmod{19}$
  $2^{9} \equiv 18 \pmod{19}$
  $2^{6} \equiv 7 \pmod{19}$
• So 19 is prime

Another Example
[$a^{n-1} \equiv 1 \pmod{n}$ but $a^{(n-1)/q} \not\equiv 1 \pmod{n}$] ⇒ n prime
• S(n) ⇒ n is prime
• ¬S(n) ⇒ ?
• Let n = 13, a = 5
  • $n - 1 = 12 = 2^2 \cdot 3$
  $5^{12} \equiv 1 \pmod{13}$
  $5^{6} \equiv 12 \pmod{13}$
  But $5^{4} \equiv 1 \pmod{13}$
• S(n) is false, but n = 13 is prime
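
The two one-sided tests above, run on the slides' own numbers, as an added Python example (not part of the original slides). Function names are this example's own, and n − 1 is factored by trial division, which only suits small n.

```python
def prime_factors(m):
    """Distinct prime factors of m by trial division (small m only)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out

def fermat_holds(n, a):
    """S(n) from Fermat's Little Theorem: a^n == a (mod n)."""
    return pow(a, n, n) == a % n

def fools_fermat_every_base(n):
    """True for primes and for Carmichael numbers such as 561 = 3 * 11 * 17."""
    return all(fermat_holds(n, a) for a in range(n))

def lucas_certifies(n, a):
    """S(n) from the Lucas Theorem: a^(n-1) == 1 (mod n), yet
    a^((n-1)/q) != 1 (mod n) for every prime q dividing n - 1."""
    if pow(a, n - 1, n) != 1:
        return False
    return all(pow(a, (n - 1) // q, n) != 1 for q in prime_factors(n - 1))

def lucas_witness(n, bases=range(2, 50)):
    """First tried base that proves n prime, or None (which proves nothing)."""
    return next((a for a in bases if a < n and lucas_certifies(n, a)), None)

if __name__ == "__main__":
    print("91 passes Fermat base 3:", fermat_holds(91, 3))      # composite, yet S holds
    print("91 passes Fermat base 2:", fermat_holds(91, 2))
    print("19 certified by a = 2:", lucas_certifies(19, 2))
    print("13 certified by a = 5:", lucas_certifies(13, 5))     # prime, yet S fails
    print("base that certifies 13:", lucas_witness(13))
```

A passing Fermat check never proves primality and a failing Lucas check never proves compositeness; only the other direction of each test carries information.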

S(n) ⇔ n is prime
• S(n) ⇒ n is prime
• ¬S(n) ⇒ n is composite
• Theorem: Given some a with gcd(a, n) = 1:
  n is prime iff $(x + a)^n \equiv x^n + a \pmod{n}$
• S(n): $(x + a)^n \equiv x^n + a \pmod{n}$

Example
S(n): $(x + a)^n \equiv x^n + a \pmod{n}$
• $(x+4)^7 = x^7 + 28x^6 + 336x^5 + 2240x^4 + 8960x^3 + 21504x^2 + 28672x + 16384 \equiv x^7 + 4 \pmod{7}$
  • 7 is prime
• $(x+3)^4 = x^4 + 12x^3 + 54x^2 + 108x + 81 \equiv x^4 + 2x^2 + 1 \pmod{4} \neq x^4 + 3$
  • 4 is composite

Improvement: The AKS Theorem
• Agrawal-Kayal-Saxena (AKS) Theorem: n is prime iff
  • n is not a power,
  • n has no small factors,
  • $(x + a)^n \equiv x^n + a \pmod{n,\ x^r - 1}$ for certain r and small values of a

The AKS Algorithm
Input: n ≥ 1
STEP 1. If ∃ a, b ∈ ℕ with a, b > 1 such that $n = a^b$, then Output COMPOSITE;
STEP 2. Find the minimal r ∈ ℕ such that $o_r(n) > \log^2(n)$;
STEP 3. For a = 1 to r do if 1 < (a, n) < n, then Output COMPOSITE;
STEP 4. If r ≥ n, then Output PRIME;
STEP 5. For a = 1 to  do if $(x + a)^n \not\equiv x^n + a \pmod{x^r - 1,\ n}$, then Output COMPOSITE;
STEP 6. Output PRIME;

Proof Of Correctness
n is prime ⇒ S(n)
• n is certainly not of the form $a^b$ for any a, b > 1, so STEP 1 will not output COMPOSITE.
• Since n is prime, we also know that ∀x ∈ ℕ, (n, x) = 1 or n. Hence STEP 3 will not output COMPOSITE either.
• We have seen that for any prime n, $(x + a)^n \equiv x^n + a \pmod{n}$, so STEP 5 will not output COMPOSITE.
• Therefore the algorithm will output PRIME.
S(n) ⇒ n is prime
• If the algorithm returns PRIME during STEP 4, then we know that ∀m < n, (m, n) = 1 (this was checked in STEP 3), meaning n is prime.
• The remaining case, in which the algorithm returns PRIME during STEP 6, will take considerably more effort and require some extra machinery.

Runtime Analysis

Notation

Basic Operations
• Let n, m ∈ ℕ. Then:
  • Computing m + n takes O(||n|| + ||m||) = O(log(n) + log(m)) bit operations.
  • Computing m · n takes O(||n|| · ||m||) = O(log(n) · log(m)) bit operations.
  • Computing the quotient n div m and the remainder n mod m takes O((||n|| − ||m|| + 1) · ||m||) bit operations.

Basic Operations
• Let m, n ∈ ℕ with at most k bits each. Then:
  • m and n can be multiplied with $O(k (\log k)(\log\log k)) = \tilde{O}(k)$ bit operations.
  • n div m and n mod m can be computed using $O(k (\log k)(\log\log k)) = \tilde{O}(k)$ bit operations.
  • Multiplication of two polynomials of degree d with coefficients at most m bits in size can be done in $\tilde{O}(d \cdot m)$ bit operations.

Euclidean Algorithm
Input: m, n ∈ ℤ
  a, b integer;
  if |n| ≥ |m|
    then a ← |n|; b ← |m|;
    else a ← |m|; b ← |n|;
  while b > 0 repeat
    (a, b) ← (b, a mod b);   // i.e., a_i = b_{i−1}, b_i = a_{i−1} mod b_{i−1}
  return a;
• This algorithm runs in O(log(n) · log(m)).

Fast Modular Exponentiation
• Let $n = 2^{a_1} + 2^{a_2} + \cdots + 2^{a_l}$, where $a_1 > a_2 > \cdots > a_l$.
• Define $f_0 := (x + a)$, $f_{i+1}(x) = f_i(x)^2 \pmod{x^r - 1,\ n}$.
• Then $f_{a_j}(x) = (x + a)^{2^{a_j}}$.
• If we further define $g_1(x) := f_{a_1}(x)$ and $g_k(x) \equiv g_{k-1}(x)\, f_{a_k}(x) \pmod{x^r - 1,\ n}$, then we see that $g_l(x) \equiv (x + a)^{2^{a_1} + \cdots + 2^{a_l}} = (x + a)^n \pmod{x^r - 1,\ n}$.
• We have therefore computed $(x + a)^n \pmod{x^r - 1,\ n}$ in $a_1 + l \le 2\log(n)$ steps, where a step consists of multiplying two polynomials of degree less than r with coefficients in ℤ/nℤ.
• This leads to a total runtime of $\tilde{O}(r \cdot \log^2(n))$.

Perfect power Test
Input: n ∈ ℕ
  a, b, c, m integer
  b ← 2
  while (b ≤ log(n)) do
    a ← 1; c ← n;
    while c − a ≥ 2 do
      m ← (a + c) div 2;
      p ← min{m^b, n + 1};
      if p = n then return "n is a perfect power";
      if p < n then a ← m else c ← m;
    b ← b + 1;
  return "n is not a perfect power."
• Loop 1 will run at most log(n) times. Also, it will take at most log(n) iterations of loop 2 before |c − a| ≤ 1. During each iteration of loop 2, we calculate (a + c) div 2 and $m^b$, which can be done in $\tilde{O}(\log(n))$ bit operations.
• The complexity of the entire algorithm is therefore $\tilde{O}(\log^3(n))$.

Overall
STEP 1: At most $\tilde{O}(\log^3(n))$ bit operations.
STEP 2: We know that there exists an $r < \log^5(n)$ such that $o_r(n) > \log^2(n)$. The easiest way to find such an r is simply to calculate $n^k \pmod{r}$ for $k = 1, 2, \ldots, \log^2(n)$. This involves $O(\log^2(n))$ multiplications modulo r for each r, so STEP 2 takes $\tilde{O}(\log^7(n))$ bit operations.
STEP 3: While determining whether (a, n) > 1 for some a ≤ r, computing each gcd takes $\tilde{O}(\log^2(n))$ bit operations using the Euclidean Algorithm, resulting in a total of $\tilde{O}(\log^7(n))$ bit operations.
STEP 5: Given a ≤ , we calculate $(x + a)^n$ in the ring ℤ/nℤ, as reducing modulo $x^r - 1$ is trivial (simply replace $x^s$ by $x^{s-r}$). In order to calculate $(x + a)^n$, we must perform O(log(n)) multiplications of polynomials of degree < r with coefficients of size O(log(n)) (as the coefficients are written modulo n; recall that all polynomials are reduced modulo $x^r - 1$ during Fast Modular Exponentiation). Each congruence therefore takes $\tilde{O}(\log^7(n))$ bit operations to verify. This step therefore takes $\tilde{O}(\ \log(n) \cdot \log^7(n)) = \tilde{O}(\ \log^8(n)) = \tilde{O}(\log^{21/2}(n))$ bit operations. The complexity of STEP 5 clearly dominates the complexity of the other steps, so the overall complexity of the algorithm is $\tilde{O}(\log^{10.5}(n))$, which is indeed polynomial.
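
The six steps of the algorithm, together with the perfect power test and the fast modular exponentiation described above, as one added Python example (not code from the original slides). Function names are this example's own; log is taken base 2, the STEP 5 loop bound is assumed to be ⌊√φ(r) · log n⌋, following the "log n * √φ(r)" of the worked example, and polynomials are multiplied by the schoolbook method rather than the fast multiplication assumed in the runtime analysis.

```python
from math import gcd, log2, sqrt

def is_perfect_power(n):
    # STEP 1: for each exponent b, binary-search m in (1, n) with m**b == n.
    for b in range(2, n.bit_length() + 1):
        lo, hi = 1, n
        while hi - lo >= 2:
            mid = (lo + hi) // 2
            p = min(mid ** b, n + 1)
            if p == n:
                return True
            lo, hi = (mid, hi) if p < n else (lo, mid)
    return False

def polymul(f, g, r, n):
    # Product in (Z/nZ)[x] / (x^r - 1): the exponent i + j wraps around modulo r.
    h = [0] * r
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                h[(i + j) % r] = (h[(i + j) % r] + fi * gj) % n
    return h

def congruent(n, a, r):
    # Is (x + a)^n == x^n + a (mod x^r - 1, n)? Square-and-multiply over the bits of n.
    base, acc, e = [a % n, 1] + [0] * (r - 2), [1] + [0] * (r - 1), n
    while e:
        if e & 1:
            acc = polymul(acc, base, r, n)
        base = polymul(base, base, r, n)
        e >>= 1
    rhs = [((i == n % r) + a * (i == 0)) % n for i in range(r)]   # x^(n mod r) + a
    return acc == rhs

def aks_is_prime(n):
    if n < 2 or is_perfect_power(n):                         # STEP 1
        return False
    max_k, r = int(log2(n) ** 2), 2
    # STEP 2: least r coprime to n with n^k != 1 (mod r) for every k <= log^2(n)
    while gcd(n, r) != 1 or any(pow(n, k, r) == 1 for k in range(1, max_k + 1)):
        r += 1
    if any(1 < gcd(a, n) < n for a in range(1, r + 1)):      # STEP 3
        return False
    if r >= n:                                               # STEP 4
        return True
    phi_r = sum(1 for k in range(1, r + 1) if gcd(k, r) == 1)
    limit = int(sqrt(phi_r) * log2(n))   # assumed bound: floor(sqrt(phi(r)) * log n)
    return all(congruent(n, a, r) for a in range(1, limit + 1))   # STEPS 5 and 6
```

With r chosen larger than n nothing wraps around, so `congruent(7, 4, 8)` and `congruent(4, 3, 5)` reproduce the two expanded binomials from the earlier example slide.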

Example
• Is n = 1993 prime?
1. 1993 is not a power ✓

Example Continued
(Is n = 1993 prime?)
2. (i) Find “certain r:”
   Really finding the least integer r > log2n with order of n in $\mathbb{Z}_r^*$
   We find r = 5.
   (ii) Check that n has no “small factors”
   Really checking no factors in [2, log n * √φ(r)] = [2, log(1993)*√4] = [2, 21.92]
   2, 3, 4, 5, …, 21 are not factors ✓
Note: √1993 ≈ 44.643 – AKS checks less than half as many numbers as possible factors

Example Continued
(Is n = 1993 prime?)
3. Check $(x + a)^n \equiv x^n + a \pmod{n,\ x^r - 1}$ for a up to the same value (log n * √φ(r))
   So for 1 ≤ a ≤ 21 check $(x + a)^{1993} \equiv x^{1993} + a \pmod{1993,\ x^5 - 1}$ ✓
Result: n = 1993 passed all 3 tests. So 1993 is prime.

Significance
• Determines whether n is prime or composite in polynomial time
• AKS Test is an iff statement
  • If n passes the test then n is definitely prime
  • If n fails the test then n is definitely composite