Deciding Primality is in P

Transcript
Page 1: Deciding Primality is in P

Deciding Primality is in P

M. Agrawal, N. Kayal, N. Saxena

Presentation by Adi Akavia

Page 2: Deciding Primality is in P

Background

Sieve of Eratosthenes (240 BC): $\Omega(n)$ time, i.e. exponential in the input length $\log n$.

Fermat's Little Theorem (17th century): $p$ prime, $a \not\equiv 0 \pmod p$ $\Rightarrow$ $a^{p-1} \equiv 1 \pmod p$. (The converse does not hold: Carmichael numbers are composites that satisfy it for every base coprime to them.)

Polynomial-time algorithms:
• [Miller 76] deterministic, assuming the Extended Riemann Hypothesis.
• [Solovay, Strassen 77; Rabin 80] unconditional, but randomized.
• [Goldwasser, Kilian 86] randomized, produces a certificate for primality! (for almost all numbers)
• [Atkin 86; Adleman, Huang 92] primality certificate for all numbers.
• [Adleman, Pomerance, Rumely 83] deterministic, $(\log n)^{O(\log\log\log n)}$ time.
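The Fermat/Carmichael point above, as an added example (not part of the slides): a primality check that stops at Fermat's test accepts the Carmichael number 561 for every base coprime to it, while the strong (Miller-Rabin) test, which also checks the square roots of 1 met along the way, rejects it. The inputs 561 = 3·11·17 and 2047 = 23·89 are constructed for the demo; the claim that the first 12 primes make Miller-Rabin deterministic below about 3.3·10^24 is the published Sorenson-Webster bound, not something the slides state.

```python
"""Fermat's test versus the strong (Miller-Rabin) test on a Carmichael number."""
from math import gcd


def fermat_passes(n, a):
    """Fermat's little theorem used as a test: a^(n-1) ≡ 1 (mod n)."""
    return pow(a, n - 1, n) == 1


def fermat_liars(n):
    """Bases a in [2, n-2], coprime to n, for which n passes the Fermat test.
    For a Carmichael number this is every coprime base: the test cannot see it."""
    return [a for a in range(2, n - 1) if gcd(a, n) == 1 and fermat_passes(n, a)]


def miller_rabin_witness(n, a):
    """True if base a proves odd n > 2 composite. Write n-1 = 2^s * d with d odd; a is a
    witness unless a^d ≡ 1 or a^(2^i d) ≡ -1 for some 0 <= i < s. Modulo a prime the only
    square roots of 1 are ±1, so a composite leaks a non-trivial root along the squaring chain."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, bases=SMALL_PRIMES):
    """Miller-Rabin with the first 12 primes as bases: deterministic for n < 3.3e24
    (Sorenson and Webster). For larger or adversary-chosen n use random bases instead."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    return not any(miller_rabin_witness(n, a) for a in bases)


# Constructed inputs: 561 = 3*11*17 is the smallest Carmichael number; 2047 = 23*89 passes Fermat base 2.
if __name__ == "__main__":
    print(len(fermat_liars(561)), "coprime bases in [2, 559] fool the Fermat test on 561")
    print(is_probable_prime(561), is_probable_prime(2047), is_probable_prime(1000003))
```

All 318 coprime bases below 560 pass the Fermat test on 561, and base 2 passes it on 2047; the strong test rejects both. An adversary who gets to choose the candidate can craft composites that pass any fixed list of bases, so outside the proven size bound the bases must be random, which is the operational reason key-generation code never relies on Fermat alone.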

Page 3: Deciding Primality is in P

This Paper: unconditional, deterministic, polynomial time.

Def (Sophie-Germain primes): primes $(p-1)/2$ such that $p$ is also prime.

Def: $r$ is "almost Sophie-Germain" (ASG) if $r$ is prime and $r-1$ has a large prime factor $q = \Omega(r^{2/3})$.

Tools: simple algebra, plus
• the high-density conjecture for primes $p$ such that $(p-1)/2$ is Sophie-Germain;
• the high-density theorem for primes $p$ that are 'almost Sophie-Germain' [Fou85, BH96].

Page 4: Deciding Primality is in P

Basic Idea

Fact: for any $a$ with $(a,n)=1$:
• $n$ prime $\Rightarrow (x-a)^n \equiv x^n - a \pmod n$;
• $n$ composite $\Rightarrow (x-a)^n \not\equiv x^n - a \pmod n$.

Naive algorithm: pick an arbitrary $a$ and check whether $(x-a)^n \equiv x^n - a \pmod n$.

Problem: time complexity $\Omega(n)$ (the polynomial $(x-a)^n$ has $n+1$ coefficients).

Proof: expand $(x-a)^n$ with the binomial theorem. If $n$ is prime, then
$$\binom{n}{i} \equiv 0 \pmod n \quad \text{for all } 0 < i < n,$$
so only $x^n$ and $(-a)^n \equiv -a$ survive. If $n$ is composite, let $q$ be a prime with $q \mid n$ and $q^k \,\|\, n$; then
$$q^k \nmid \binom{n}{q} \quad \text{and} \quad (a^{n-q}, q) = 1,$$
hence the coefficient $\binom{n}{q}(-a)^{n-q}$ of $x^q$ is non-zero $\pmod n$.

Page 5: Deciding Primality is in P

Basic Idea

Idea: pick an arbitrary $a$ and some polynomial $x^r - 1$ with $r = \mathrm{poly}\log n$, and check whether $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ n}$. Time complexity: $\mathrm{poly}(r)$, since only polynomials of degree $< r$ are ever handled.
• $n$ prime $\Rightarrow (x-a)^n \equiv x^n - a \pmod{x^r - 1,\ n}$.
• $n$ composite $\Rightarrow$ ??? $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$. Not true for some (few) values of $a, r$!

Page 6: Deciding Primality is in P

Improved Idea

Improved Idea: pick many ($\mathrm{poly}\log n$) $a$'s and check for all of them whether $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ n}$. Accept if the equality holds for all $a$'s.

Page 7: Deciding Primality is in P

Algebraic Background – Extension Field

Def: consider fields $F$, $E$. $E$ is an extension of $F$ if $F$ is a subfield of $E$.

Def: the Galois field $GF(p^k)$ ($p$ prime) is the unique (up to isomorphism) finite field containing $p^k$ elements. (The cardinality of any finite field is a prime power.)

Def: a polynomial $f(x)$ is called irreducible over $GF(p)$ if it does not factor over $GF(p)$.

Page 8: Deciding Primality is in P

Multiplicative Group

Def: $GF^*(p^k)$ is the multiplicative group of the Galois field $GF(p^k)$, that is, $GF^*(p^k) = GF(p^k) \setminus \{0\}$.

Thm: $GF^*(p^k)$ is cyclic, thus it has a generator $g$:
$$GF^*(p^k) = \{\, g^i \mid 0 \le i < p^k - 1 \,\}.$$

Page 9: Deciding Primality is in P

Constructing Galois Fields

Def: $F_p$ denotes a finite field of $p$ elements ($p$ prime).

Def: let $f(x)$ be a $k$-degree polynomial over $F_p$.

Def: let $F_p[x]/f(x)$ be the set of polynomials of degree $\le k-1$ over $F_p$, with addition and multiplication modulo $f(x)$.

Thm: if $f(x)$ is irreducible over $GF(p)$, then $GF(p^k) \cong F_p[x]/f(x)$.

Page 10: Deciding Primality is in P

$F_p[x]/f(x)$ - Example

Work over $F_2$ (the coefficient vectors below are binary) and let the irreducible polynomial $f(x)$ be
$$f(x) = x^4 + x^3 + x^2 + x + 1 \;\leftrightarrow\; (1,1,1,1,1).$$

Represent polynomials as coefficient vectors, highest degree first (a polynomial of degree $k-1$ is a vector of $k$ coefficients).

Addition (coefficient-wise, mod 2):
$$(x^4 + x^3 + x + 1) + (x^3 + x^2 + x + 1) = x^4 + x^2, \qquad (1,1,0,1,1) + (0,1,1,1,1) = (1,0,1,0,0).$$
(Reducing modulo $f$, where $x^4 \equiv x^3 + x^2 + x + 1$, the sum is $x^3 + x + 1$.)

Page 11: Deciding Primality is in P

$F_p[x]/f(x)$ - Example

Multiplication: first, multiply 'mod $p$' (here $p = 2$):
$$(x^4 + x^3 + x + 1)(x^3 + x + 1) = x^7 + x^6 + x^5 + x^4 + x^2 + 1,$$
i.e. $(1,1,0,1,1) \cdot (0,1,0,1,1)$ by binary long multiplication (XOR instead of carries):

         11011
     x   01011
     ---------
         11011
        11011
       00000
      11011
     ---------
      11110101

Next, apply 'mod $f(x)$':
$$(x^7 + x^6 + x^5 + x^4 + x^2 + 1) \bmod (x^4 + x^3 + x^2 + x + 1) = x^3 + x^2 + 1.$$
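The $F_2[x]/f(x)$ arithmetic of the last two slides, as an added example in Python (not from the slides): polynomials over $F_2$ are packed into ints with bit $i$ holding the coefficient of $x^i$, so 'multiply mod $p$' is a carry-less product and 'mod $f(x)$' is long division with XOR. The code reproduces the slide's product $x^3 + x^2 + 1$, checks that $f$ is irreducible (so the quotient really is $GF(16)$), and finds a generator of the multiplicative group, i.e. the cyclic-group theorem two slides up made concrete. The polynomials $F$, $A$, $B$ are the slide's constructed example.

```python
"""Arithmetic in F_2[x]/f(x), the slide's example field, with polynomials packed as Python ints
(bit i is the coefficient of x^i, so 0b11011 is x^4 + x^3 + x + 1)."""


def poly_mul_gf2(a, b):
    """Multiply 'mod p' for p = 2: carry-less product, XOR-accumulating shifted copies of a."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_mod_gf2(a, f):
    """Remainder of a modulo f in F_2[x]: long division in which subtraction is XOR."""
    df = f.bit_length() - 1                 # deg f
    while a.bit_length() > df:              # while deg a >= deg f
        a ^= f << (a.bit_length() - 1 - df)
    return a


def gf_mul(a, b, f):
    """Product in F_2[x]/f(x): multiply, then reduce (the two steps of the slide)."""
    return poly_mod_gf2(poly_mul_gf2(a, b), f)


def is_irreducible_gf2(f):
    """Brute force: f is irreducible iff no polynomial of degree 1..deg(f)/2 divides it."""
    d = f.bit_length() - 1
    return all(poly_mod_gf2(f, g) != 0 for g in range(2, 1 << (d // 2 + 1)))


def multiplicative_order_gf(a, f):
    """Order of a nonzero a in (F_2[x]/f(x))*; f must be irreducible so every a is invertible."""
    k, x = 1, a
    while x != 1:
        x, k = gf_mul(x, a, f), k + 1
    return k


def find_generator(f):
    """Smallest generator of the cyclic group (F_2[x]/f(x))*, which has order 2^deg(f) - 1."""
    d = f.bit_length() - 1
    return next(g for g in range(2, 1 << d) if multiplicative_order_gf(g, f) == (1 << d) - 1)


# The slide's constructed example: f = x^4 + x^3 + x^2 + x + 1 over F_2.
F = 0b11111
A, B = 0b11011, 0b01011                     # x^4 + x^3 + x + 1  and  x^3 + x + 1

if __name__ == "__main__":
    print(bin(poly_mul_gf2(A, B)))          # x^7 + x^6 + x^5 + x^4 + x^2 + 1
    print(bin(gf_mul(A, B, F)))             # x^3 + x^2 + 1, as on the slide
    print(is_irreducible_gf2(F), find_generator(F))
```

Note that $x$ itself is not a generator here: $f$ divides $x^5 - 1$, so $x$ has order 5 in a group of order 15, while $x + 1$ generates everything. This is the same structure the proof later relies on when it takes $h(x)$ to be an irreducible factor of $x^r - 1$ and uses that $x$ has order $r$ modulo $h(x)$.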

Page 12: Deciding Primality is in P

The Algorithm

Input: integer $n$.
1. Find $r \in O(\log^6 n)$ such that $r$ is special.
2. Let $l = 2 r^{1/2} \log n$.
3. For $t = 2, \dots, l$: if $t \mid n$, output COMPOSITE.
4. If $n$ is a (prime) power, $n = p^k$ for some $k > 1$, output COMPOSITE.
5. For $a = 1, \dots, l$: if $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$, output COMPOSITE.
6. Otherwise, output PRIME.

Def: $r$ is special if $r$ is almost Sophie-Germain and $q \mid O_r(n)$ (where $q$ is the large prime factor of $r-1$, and $O_r(n)$ denotes the multiplicative order of $n$ modulo $r$).

Page 13: Deciding Primality is in P

Proof's Structure

Saw: the primality test.

We next show:
• A special $r \in O(\log^6 n)$ exists.
• For such $r$: if $n$ is composite and passes steps (3) and (4), then there is $a \in [1..l]$ such that $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$ (hence the algorithm returns COMPOSITE at step (5)).


Page 14: Deciding Primality is in P

Finding Suitable r

Elaborating on step (1):
1. while $r < c \log^6 n$:
   1. if $r$ is prime:
   2. let $q$ be the largest prime factor of $r-1$;
   3. if ($q \ge 4 r^{1/2} \log n$) and ($n^{(r-1)/q} \not\equiv 1 \pmod r$): break;
   4. $r \leftarrow r+1$.

Complexity: $O(\log^6 n)$ iterations, each taking $O(r^{1/2}\,\mathrm{poly}\log r)$ (trial division of $r$ and of $r-1$), hence $\mathrm{poly}\log n$ in total.

• When 'break' is reached: $r$ is prime, $q$ is large, and $q \mid O_r(n)$ (since $O_r(n) \mid r-1$, and $n^{(r-1)/q} \not\equiv 1$ means $O_r(n) \nmid (r-1)/q$; this presupposes $(n,r)=1$, and a prime $r \mid n$ would itself witness that $n$ is composite).

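The polynomial test of the Basic Idea slides, the step-1 search for a special $r$, and the algorithm itself, as one added Python example (not the authors' code). `congruence_holds` with `r=None` is the naive $\Omega(n)$ check and with `r` the reduced $\mathrm{poly}(r)$ one; the case $n = 4$, $a = 1$, $r = 2$ is a constructed instance of the "not true for some (few) values of $a, r$" caveat, where the reduced congruence holds for a composite. `find_special_r` implements the slide's step 1 literally (reading $\log$ as $\log_2$, an assumption); for $n = 31$ it has to go up to $r = 1619$ (with $q = 809$), and a step-5 loop over $l = 2\sqrt r \log n \approx 400$ values of $a$ with degree-1619 polynomials is too slow for a pure-Python demo. `aks` therefore uses the choice of $r$ and the bound on $a$ from the final published version of the paper (Agrawal, Kayal, Saxena, "PRIMES is in P", Annals of Math. 160, 2004), namely the least $r$ with $O_r(n) > \log^2 n$ and $a \le \lfloor \sqrt{\varphi(r)} \log n \rfloor$, whose main bound needs no density theorem about primes; steps 3-6 are the slide's. All inputs in the tests are constructed small cases.

```python
"""The slides' polynomial test (x-a)^n ≡ x^n - a: naive in Z_n[x], reduced mod (x^r - 1, n), and AKS."""
from math import gcd, isqrt, log2


def poly_mul_mod(f, g, n, r=None):
    """Product of coefficient lists (index = degree) over Z/nZ; with r, also fold x^k onto
    x^(k mod r), i.e. reduce modulo x^r - 1, so every intermediate polynomial has degree < r."""
    out = [0] * (r if r is not None else len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                k = i + j if r is None else (i + j) % r
                out[k] = (out[k] + fi * gj) % n
    return out

def poly_pow_mod(base, e, n, r=None):
    """Square-and-multiply in Z_n[x] (optionally modulo x^r - 1): O(log e) polynomial products."""
    result = [1]
    while e:
        if e & 1:
            result = poly_mul_mod(result, base, n, r)
        e >>= 1
        if e:
            base = poly_mul_mod(base, base, n, r)
    return result

def congruence_holds(n, a, r=None):
    """Does (x-a)^n ≡ x^n - a hold in Z_n[x] (r=None: the naive check with n+1 coefficients)
    or in Z_n[x]/(x^r - 1) (r given: only r coefficients, the poly(r) check of the slides)?"""
    lhs = poly_pow_mod([(-a) % n, 1], n, n, r)          # (x - a)^n
    rhs = [0] * (r if r is not None else n + 1)         # x^n - a
    rhs[0] = (-a) % n
    k = n if r is None else n % r                        # x^n folds onto x^(n mod r)
    rhs[k] = (rhs[k] + 1) % n
    return lhs == rhs

def is_perfect_power(n):
    """True iff n = b^k for some b >= 2, k >= 2 (step 4); exact integer k-th roots by bisection."""
    for k in range(2, n.bit_length() + 1):
        lo, hi = 1, 1 << (n.bit_length() // k + 1)
        while lo < hi:
            mid = (lo + hi + 1) // 2
            lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
        if lo >= 2 and lo ** k == n:
            return True
    return False

def multiplicative_order(n, r):
    """O_r(n), the least k >= 1 with n^k ≡ 1 (mod r); needs gcd(n, r) = 1 and r >= 2."""
    k, x = 1, n % r
    while x != 1:
        x, k = x * n % r, k + 1
    return k

def is_small_prime(m):
    return m >= 2 and all(m % p for p in range(2, isqrt(m) + 1))

def largest_prime_factor(m):
    best, p = 1, 2
    while p * p <= m:
        while m % p == 0:
            best, m = p, m // p
        p += 1
    return max(best, m) if m > 1 else best

def find_special_r(n, cap=10**6):
    """Step 1 as on the slides (log read as log2): least prime r, coprime to n, whose largest
    prime factor q of r-1 has q >= 4*sqrt(r)*log2(n) (tested as q^2 >= 16 r log2(n)^2) and
    n^((r-1)/q) != 1 (mod r), i.e. q | O_r(n). Returns (r, q), or None if none below cap."""
    for r in range(3, cap):
        if n % r and is_small_prime(r):
            q = largest_prime_factor(r - 1)
            if q * q >= 16 * r * log2(n) ** 2 and pow(n, (r - 1) // q, r) != 1:
                return r, q
    return None

def aks(n):
    """AKS as finally published (Annals of Math. 2004): r is the least r with O_r(n) > log2(n)^2
    and a runs to floor(sqrt(phi(r)) log2 n); steps 3-6 are the slide's. True iff n is prime."""
    if n < 2 or is_perfect_power(n):                      # step 4 first: it is cheap
        return False
    r = 2
    while gcd(n, r) > 1 or multiplicative_order(n, r) <= log2(n) ** 2:
        r += 1
    if any(1 < gcd(t, n) < n for t in range(2, r + 1)):   # step 3: a factor t <= r
        return False
    if n <= r:
        return True
    phi_r = sum(1 for t in range(1, r + 1) if gcd(t, r) == 1)
    limit = int(phi_r ** 0.5 * log2(n))
    return all(congruence_holds(n, a, r) for a in range(1, limit + 1))   # steps 5 and 6
```

For $n = 31$ the published choice gives $r = 29$ and 26 values of $a$, against $r = 1619$ and about 400 values for the slide's step 1, which is why the demo uses it. Either way this is not a key-generation primitive: every deterministic AKS variant is orders of magnitude slower than Miller-Rabin, and its value is the unconditional proof, not the running time.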

Page 15: Deciding Primality is in P

Lemma: a special $r \in O(\log^6 n)$ exists.

Proof: let $N = O(\log^6 n)$ and consider an interval $[..]$ of integers up to $N$.
• ASG numbers are dense in $[..]$;
• there are only few primes $r \in [..]$ such that $O_r(n) < N^{1/3}$.
Hence, by a counting argument, there exists an ASG $r \in [..]$ with $O_r(n) > N^{1/3}$. Moreover, for an ASG $r$, $O_r(n) > N^{1/3} \Rightarrow q \mid O_r(n)$. Therefore a special $r \in [..]$ exists.

Details:
• The number of ASG primes in $[..]$ is at least the number of ASG primes up to $N$ minus the number of primes below the interval, which is $\Omega(\log^6 n / \log\log n)$ (using the density of ASG numbers and the upper bound on the density of primes).
• $O_r(n) < N^{1/3} \Rightarrow r \mid \Pi := (n-1)(n^2-1)\cdots(n^{N^{1/3}}-1)$. However, $\Pi < n^{N^{2/3}}$ has no more than $N^{2/3} \log n$ prime divisors, so only that many primes $r$ can have $O_r(n) < N^{1/3}$.
• Assume $q \nmid O_r(n)$. Since $O_r(n) \mid r-1$ and $q$ is prime, $O_r(n) \mid (r-1)/q$, so $n^{(r-1)/q} \equiv 1 \pmod r$ and $O_r(n) \le (r-1)/q$. However, $(r-1)/q < N^{1/3}$ (as $q = \Omega(r^{2/3})$), a contradiction.

Page 16: Deciding Primality is in P

Correctness Proof

Lemma: $n$ composite $\Rightarrow$ step (5) returns COMPOSITE. That is: if $n$ is composite, $n$ has no factor $t \le l$, and $n$ is not a prime power, then there exists $a \in [1..l]$ such that
$$(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}.$$


Page 17: Deciding Primality is in P

Proof

Let $p$ be a prime factor of $n$, and let $h(x)$ be an irreducible factor of $x^r - 1$. It suffices to show the inequality modulo $(h(x), p)$ instead of modulo $(x^r - 1, n)$, i.e. that there exists $a \in [1..l]$ with $(x-a)^n \not\equiv x^n - a \pmod{h(x),\ p}$: a congruence modulo $(x^r - 1, n)$ would imply one modulo $(h(x), p)$, as $h(x) \mid x^r - 1$ and $p \mid n$.

Choose $p$ and $h(x)$ such that $q \mid O_r(p)$ and $\deg h(x) = O_r(p)$.

Such $p$ exists: let $n = p_1 p_2 \cdots p_k$; then $O_r(n) \mid \mathrm{lcm}\{O_r(p_i)\}$. Therefore $q \mid O_r(n) \Rightarrow \exists i:\ q \mid O_r(p_i)$ (as $q$ is prime).

Such $h$ exists: by the claim on the irreducible factors of $(x^r-1)/(x-1)$ below, every one of them has degree $O_r(p)$.

Page 18: Deciding Primality is in P

Proof

Assume by contradiction that $n$ is composite and passes all the tests, i.e. $n$ has no small factor ($\le l$), $n$ is not a prime power, and for all $a \in [1..l]$: $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ p}$ (this follows from the step-5 congruence modulo $(x^r-1, n)$ since $p \mid n$), and hence also $(x-a)^n \equiv x^n - a \pmod{h(x),\ p}$.

Page 19: Deciding Primality is in P

Proof

Consider the group generated by $\{(x-a)\}_{a \in [1..l]}$ modulo $(h(x), p)$, i.e.
$$G = \Big\{ \prod_{1 \le a \le l} (x-a)^{i_a} \ \Big|\ i_a \ge 0 \Big\} \subseteq F_p[x]/h(x).$$

Note: for every $f(x) \in G$, $f(x)^n \equiv f(x^n)$ (apply the assumption to each factor $x-a$ and multiply).

Let $I = \{\, m \mid \forall f \in G:\ f(x)^m \equiv f(x^m) \pmod{x^r - 1,\ p} \,\}$. (Congruences modulo $(x^r-1, p)$ imply the same modulo $(h(x), p)$, where the counting below takes place.)

Lemma: $I$ is multiplicative, i.e. $u, v \in I \Rightarrow uv \in I$.

Proof: $x^r - 1 \mid x^{vr} - 1$; therefore $g(y)^u \equiv g(y^u) \pmod{y^r - 1,\ p}$ with $y = x^v$ gives
$$g(x^v)^u \equiv g(x^{uv}) \pmod{x^{vr} - 1,\ p}, \quad \text{hence also} \pmod{x^r - 1,\ p},$$
and so
$$g(x)^{uv} = \big(g(x)^v\big)^u \equiv g(x^v)^u \equiv g(x^{uv}) \pmod{x^r - 1,\ p}.$$

Page 20: Deciding Primality is in P

Proof – $n \in I \Rightarrow I$ is large

Prop: $(i,j) \ne (i',j') \Rightarrow n^i p^j \ne n^{i'} p^{j'}$ (since $n \ne p^k$).

Lemma: for every $t$, if $u, v \in I$ satisfy $(i,j) \ne (i',j') \Rightarrow u^i v^j \ne u^{i'} v^{j'}$, then $|I \cap [1..(uv)^t]| > t^2$.
Proof: the $(\lfloor t \rfloor + 1)^2 > t^2$ pairs $(i,j)$ with $0 \le i, j \le \lfloor t \rfloor$ each give a distinct value $u^i v^j \le (uv)^t$, and all of them lie in $I$ since $I$ is multiplicative.

Corollary: for every $t$, $n \in I \Rightarrow |I \cap [1..(np)^t]| > t^2$. Proof: $p \in I$ (as $f(x)^p = f(x^p)$ over $F_p$ for every polynomial $f$).

However, Lemma: $|G| \ge n^{2\sqrt r}$ (the proof of "$G$ is large" starts here and continues below).

Corollary: $n \in I \Rightarrow |I \cap [1..|G|]| > r$ (take $t = \sqrt r$: $(np)^{\sqrt r} \le n^{2\sqrt r} \le |G|$).

Proof that $G$ is large: consider all products $\prod_{a \le l}(x-a)^{i_a}$ of degree $< d = \deg h(x)$. They are all distinct in $F_p[x]/h(x)$ (distinct polynomials of degree $< d$ stay distinct modulo $h$, and the factors $x-a$ are distinct modulo $p$ because $l < p$). Therefore
$$|G| \ge \binom{l+d-1}{l}.$$

Page 21: Deciding Primality is in P

Irreducible Factors of $(x^r - 1)/(x - 1)$

Def: let $h(x)$ denote any irreducible factor of $(x^r - 1)/(x - 1)$, and $d = \deg h(x)$.

Claim: for every such $h(x)$, $d = O_r(p)$.

Proof: denote $k = O_r(p)$. Note that $F_p[x]/h(x)$ is a field of size $p^d$, therefore $(F_p[x]/h(x))^*$ is cyclic of order $p^d - 1$.
• $k \mid d$: $x^r \equiv 1 \pmod{h(x)}$ and $x \not\equiv 1$ (as $h(x) \ne x-1$), so, $r$ being prime, the order of $x$ in $(F_p[x]/h(x))^*$ is exactly $r$; therefore $r \mid p^d - 1$, i.e. $p^d \equiv 1 \pmod r$, and hence $k \mid d$ (recall $k = O_r(p)$).
• $d \mid k$: let $g$ be a generator of $(F_p[x]/h(x))^*$. For any $g(x) \in F_p[x]$, $g(x)^{p^k} = g(x^{p^k}) \equiv g(x) \pmod{h(x)}$, because $x^{p^k} \equiv x \pmod{h(x)}$ as $r \mid p^k - 1$. Hence
$$g^{p^k - 1} = 1,$$
so $p^d - 1 \mid p^k - 1$, and therefore $d \mid k$.

Recall: if $r$ is special with respect to $n$, then $r-1$ has a large prime factor $q$ such that $q \mid O_r(n)$. Choose $p$ such that $q \mid O_r(p)$ (it exists). Then $d = O_r(p) \ge q$ is large.

Page 22: Deciding Primality is in P

Proof – $I$ is small

Lemma: let $m_1, m_2 \in I$. Then $m_1 \equiv m_2 \pmod r \Rightarrow m_1 \equiv m_2 \pmod{|G|}$.

Lemma ($I$ is small): $|I \cap [1..|G|]| \le r$.
Proof: any two distinct elements of $I \cap [1..|G|]$ are different modulo $|G|$, therefore (by the lemma above) different modulo $r$. Hence $|I \cap [1..|G|]| \le r$.

Contradiction (with $|I \cap [1..|G|]| > r$)!

Proof (of the lemma): let $g(x)$ be a generator of $G$ ($G$ is cyclic as a subgroup of the cyclic group $(F_p[x]/h(x))^*$), and let $m_2 = m_1 + kr$. Then
$$g(x)^{m_1} \equiv g(x^{m_1}) \overset{(*)}{\equiv} g(x^{m_2}) \equiv g(x)^{m_2} = g(x)^{m_1}\, g(x)^{kr} \pmod{h(x),\ p},$$
hence $g(x)^{kr} \equiv 1 \pmod{h(x),\ p}$, hence $kr \equiv 0 \pmod{|G|}$, i.e. $m_1 \equiv m_2 \pmod{|G|}$.

(*) $m_1 \equiv m_2 \pmod r$, so $x^{m_1} \equiv x^{m_2} \pmod{h(x)}$ (as $x^r \equiv 1 \pmod{h(x)}$).

Page 23: Deciding Primality is in P

The End

Page 24: Deciding Primality is in P

Proof – $G$ is large, cont.

Hence, with $S$ the set of products of the $(x-a)$, $a \in [1..l]$, of degree $< d$ counted above,
$$|G| \ge |S| \ge \binom{l+d-1}{l}.$$

Prop: $d \ge 2l$.
Proof: recall $d = O_r(p)$ and $q \mid O_r(p)$, hence $d \ge q \ge 2l$ (recall $q \ge 4 r^{1/2} \log n$ and $l = 2 r^{1/2} \log n$).

Hence
$$|G| \ge \binom{l+d-1}{l} \ge \binom{3l-1}{l} \ge 2^{l} = 2^{2\sqrt r \log n} = n^{2\sqrt r}.$$

This is the reason for seeking a large $q$ such that $q \mid O_r(n)$.

