Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Slides by Adi Akavia.

Date posted: 20-Dec-2015

Page 1:

Deciding Primality is in P

M. Agrawal, N. Kayal, N. Saxena

Slides by Adi Akavia

Page 2:

Background

• Sieve of Eratosthenes (240 BC): $\Omega(n)$
• Fermat's Little Theorem (17th century): p is prime, $a \not\equiv 0 \pmod p$ $\Rightarrow$ $a^{p-1} \equiv 1 \pmod p$ (The converse does not hold – Carmichael numbers)
• Polynomial-time algorithms:
  – [Miller 76] deterministic, assuming Extended Riemann Hypothesis.
  – [Solovay, Strassen 77; Rabin 80] unconditional, but randomized.
  – [Goldwasser, Kilian 86] randomized, produces certificate for primality! (expected poly time for almost all inputs)
  – [Adleman, Huang 92] primality certificate for all numbers.
• [Adleman, Pomerance, Rumely 83] deterministic $(\log n)^{O(\log\log\log n)}$-time.

Page 3:

This Paper

Algo for deciding primality which is:

• unconditional,
• deterministic,
• polynomial-time

Page 4:

Special Numbers

• Def: r is special with respect to n if:
  1. r is prime,
  2. r-1 has a large prime factor $q = \Omega(r^{2/3})$, and
  3. $q \mid O_r(n)$.
• Tools:
  – simple algebra
  – High density Thm for numbers with properties (1) and (2). [Fou85, BH96]

Def: order n mod r, denoted $O_r(n)$, is the smallest power t s.t. $n^t \equiv 1 \pmod r$.

$\left|\{\, p \mid p \text{ is prime},\ p \le x \text{ and } P(p-1) > x^{2/3} \,\}\right| \ge c\,\dfrac{x}{\log x}$

Page 5:

Basic Idea

• Fact: For any a s.t. (a,n)=1:
  – n is prime $\Rightarrow$ $(x-a)^n \equiv x^n - a \pmod n$
  – n is composite $\Rightarrow$ $(x-a)^n \not\equiv x^n - a \pmod n$
• Naive algo: Pick an arbitrary a, check if $(x-a)^n \equiv x^n - a \pmod n$
• Problem: time complexity $\Omega(n)$.

Proof: Develop $(x-a)^n$ according to Newton-binomial.

Assume n is prime, then $\forall\, 0 < i < n,\ \binom{n}{i} \equiv 0 \pmod n$.

Assume n is composite, then let q|n, let $q^k \| n$, then $q^k \nmid \binom{n}{q}$ and $(q, a^{n-q}) = 1$, hence $x^q$ has non zero coefficient (mod n).

Page 6:

Basic Idea

• Idea: Pick an arbitrary a, and some polynomial $x^r-1$, with r = poly(log n), check if $(x-a)^n \equiv x^n - a \pmod{x^r-1,\ n}$
  – time complexity – poly(r)
  – n is prime $\Rightarrow$ $(x-a)^n \equiv x^n - a \pmod{x^r-1,\ n}$
  – n is composite $\Rightarrow$ ???? $(x-a)^n \not\equiv x^n - a \pmod{x^r-1,\ n}$

Not true for some (few) values of a, r!!

Page 7:

Improved Idea

• Improved Idea: Pick many (poly log n) a's, check for all of them if:

  $(x-a)^n \equiv x^n - a \pmod{x^r-1,\ n}$

  Accept if equality holds for all a's

Page 8:

Some Algebra Reminders

Def: $F_p$ (p is prime) denotes the finite field of p elements {0,1,…,p-1}.

Def: $F_p[x]$ denotes the ring of polynomials over $F_p$.

Let f(x) be a k-degree polynomial.

Def: $F_p[x]/f(x)$ denotes the set of (k-1)-degree polynomials over $F_p$, with addition and multiplication modulo f(x).

Thm: If f(x) is irreducible over $F_p$, then $F_p[x]/f(x) \cong GF(p^k)$ (the unique field with $p^k$ elements).

Page 9:

$F_p[x]/f(x)$ - Addition

• Let the polynomial f(x) over $F_2$ be: $f(x) = x^3 + 1$
• Represent polynomials as vectors (a k-1 degree polynomial is a vector of k coefficients): $x^3 + 1 \leftrightarrow (1,0,0,1)$
• Addition of $(x+1)$ and $(x^2+1)$:

      (0,1,1)
    + (1,0,1)
      ______
      (1,1,0)

Page 10:

$F_p[x]/f(x)$ - Multiplication

Multiplication:

• First, multiply 'mod p': $(x+1)(x^2+1) = x^3 + x^2 + x + 1$

        (0,1,1)
      × (1,0,1)
        _____
          011
         000.
        011..
        _____
         1111

• Next, apply 'mod f(x)':

  $(x^3 + x^2 + x + 1) \bmod (x^3 + 1) = x^2 + x$

Page 11:

$F_p[x]/f(x)$ - mod f(x)

• Example:

  7 4 3 3x x x x 1 x x mod x 1

• In general for $f(x) = x^r - 1$:

  $c_7x^7 + c_6x^6 + c_5x^5 + c_4x^4 + c_3x^3 + c_2x^2 + c_1x + c_0 \;\mapsto\; c'_2x^2 + c'_1x + c'_0$

  $c'_i = \sum_{j \equiv i \pmod r} c_j$
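
The congruence check from the Basic Idea and Improved Idea slides, computed with the wrap-around reduction mod $x^r-1$ shown on this slide, as an added Python example (not part of the original slides or the paper). The function names and the sample inputs 31, 561 and 9 are constructed for illustration: 561 is a Carmichael number, so it passes the Fermat test, r = 1 and r = 2 are choices for which the polynomial test exposes nothing, and r = 5 does expose it.

```python
# Added example: arithmetic in Z_n[x]/(x^r - 1) and the polynomial test.
# A polynomial is a list of r coefficients, index = degree (low degree first).

def mul_mod(f, g, r, n):
    """Multiply f*g modulo (x^r - 1, n).

    Reducing mod x^r - 1 is the wrap-around rule c'_i = sum of c_j over
    j = i (mod r), so the term of degree i + j lands at index (i + j) % r.
    """
    out = [0] * r
    for i, fi in enumerate(f):
        if fi == 0:
            continue
        for j, gj in enumerate(g):
            k = (i + j) % r
            out[k] = (out[k] + fi * gj) % n
    return out

def pow_mod(f, e, r, n):
    """Square-and-multiply: f^e modulo (x^r - 1, n)."""
    result = [0] * r
    result[0] = 1 % n
    while e:
        if e & 1:
            result = mul_mod(result, f, r, n)
        f = mul_mod(f, f, r, n)
        e >>= 1
    return result

def passes_poly_test(n, r, a):
    """True iff (x - a)^n == x^n - a  (mod x^r - 1, n)."""
    base = [0] * r
    base[0] = (-a) % n
    base[1 % r] = (base[1 % r] + 1) % n   # the x term (x wraps to 1 when r = 1)
    rhs = [0] * r
    rhs[n % r] = 1 % n                    # x^n wraps to x^(n mod r)
    rhs[0] = (rhs[0] - a) % n
    return pow_mod(base, n, r, n) == rhs

def witnesses(n, r, a_max):
    """All a in 1..a_max for which the congruence fails, proving n composite."""
    return [a for a in range(1, a_max + 1) if not passes_poly_test(n, r, a)]

if __name__ == "__main__":
    # (x+1)(x^2+1) over F_2 with f = x^3 - 1: the product from the earlier slide
    print(mul_mod([1, 1, 0], [1, 0, 1], 3, 2))   # coefficients of x^2 + x
    print(witnesses(31, 5, 10))                  # prime n: no witness
    print(pow(2, 560, 561))                      # Fermat test is fooled by 561
    print(witnesses(561, 1, 10), witnesses(561, 2, 10))  # uninformative r
    print(witnesses(561, 5, 10))                 # r = 5 exposes 561
```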

Page 12:

Irreducible Factors of $(x^r-1)/(x-1)$

• Fact: Consider the polynomial $(x^r-1)/(x-1)$ over $F_p$. All its irreducible factors are of degree $O_r(p)$.

Page 13:

The Algorithm

Input: integer n

1. Find r of size $O(\log^6 n)$, s.t. r is special w.r. to n,
2. Let $l = 2r^{1/2}\log n$.
3. Small divisors test: For t=2,…,l, if t|n output COMPOSITE.
4. Power test: If n is a power, $n = p^k$ for k>1, output COMPOSITE.
5. Polynomials test: For a=1,…,l, if $(x-a)^n \not\equiv x^n - a \pmod{x^r-1,\ n}$, output COMPOSITE.
6. Otherwise: output PRIME.

Page 14:

Saw: algorithm

Yet to be seen:

• Special r of size $O(\log^6 n)$ exists (later)
• If n is composite then one of the tests returns COMPOSITE.

1. Find r of size $O(\log^6 n)$, s.t. r is special,
2. Let $l = 2r^{1/2}\log n$.
3. If exists a small ( < l+1) divisor, output COMPOSITE.
4. If n is a power, output COMPOSITE.
5. For a = 1,…,l, if $(x-a)^n \not\equiv x^n - a \pmod{x^r-1,\ n}$, output COMPOSITE.
6. Otherwise output PRIME.

Page 15:

Algo's Correctness

Thm: n is composite $\Rightarrow$ algo returns 'composite'. That is,

• If n is composite, and
  – n has no divisor $t \le l$, and
  – n is not a (prime) power
• then $\exists a \in [1..l]$ s.t. $(x-a)^n \not\equiv x^n - a \pmod{x^r-1,\ n}$

1. Find r of size $O(\log^6 n)$, s.t. r is special,
2. Let $l = 2r^{1/2}\log n$.
3. If exists a small ( < l+1) divisor, output COMPOSITE.
4. If n is a power, output COMPOSITE.
5. For a = 1,…,l, if $(x-a)^n \not\equiv x^n - a \pmod{x^r-1,\ n}$, output COMPOSITE.
6. Otherwise output PRIME.

Page 16:

For Proof Purpose – Use p and h(x)

• Let p be a prime factor of n, and let h(x) be an irreducible factor of $x^r-1$,
• Suffices to show inequality (mod h(x), p) instead of (mod $x^r-1$, n), i.e. $\exists a \in [1..l]$ s.t. $(x-a)^n \not\equiv x^n - a \pmod{h(x),\ p}$
• Choose p and h(x) s.t.
  – $q \mid O_r(p)$, and
  – $\deg(h(x)) = O_r(p)$

Such p exists: $q \mid O_r(n)$ and $O_r(n) \mid \mathrm{lcm}\{O_r(p_i)\}$, where $n = p_1p_2\cdots p_k$.

Such h(x) exists: by previous fact.

Page 17:

Proof

• Assume by contradiction that n is composite, and passes all the tests, i.e.
  – n has no small factor, and
  – n is not a (prime) power, and
  – $\forall a \in [1..l]$: $(x-a)^n \equiv x^n - a \pmod{h(x),\ p}$,
• For any f(x), which is a multiple of polynomials (x-a) (where $a \in [1..l]$), $f(x)^n = f(x^n)$.
  – Example: $f(x) = (x-a_1)(x-a_2)$: $[(x-a_1)(x-a_2)]^n = (x^n-a_1)(x^n-a_2)$

Page 18:

Variation on Polynomials test

• Therefore, consider the group generated by $\{(x-a)\}_{a \in [1..l]}$:

  $G = \left\{ \prod_{1 \le a \le l} (x-a)^{i_a} \;\middle|\; i_a \ge 0 \right\} \subseteq F_p[x]/h(x)$

• Prop: n passes the polynomials test $\Rightarrow$ $\forall f(x) \in G$, $f(x)^n \equiv f(x^n)$
• Proof: Recall, the polynomials test was: $\forall a = 1,…,l$, check if $(x-a)^n \equiv x^n - a \pmod{x^r-1,\ n}$, and by def of G.

1. Find small special r
2. Small divisors test – composite
3. Power test – composite
4. Polynomials test – composite if $\exists f(x) \in G$, $f(x)^n \not\equiv f(x^n)$
5. Otherwise - PRIME.

Page 19:

Defining I

• Are there other integers m s.t. $\forall f(x) \in G$, $f(x)^m \equiv f(x^m)$?
• Yes! For example: p, 1.
• Any others?
• Let $I = \{\, m \mid \forall f \in G,\ f(x)^m \equiv f(x^m) \,\}$.
• What's Ahead:
  – We first prove that $I \cap [|G|]$ is small.
  – However, we show that if n is composite which passes all the tests then $I \cap [|G|]$ must be large.
  – Thus obtaining a contradiction.

Page 20:

$I \cap [|G|]$ is small

• Lemma: Let $m_1, m_2 \in I$, then $m_1 \equiv m_2 \pmod{|G|} \Leftarrow m_1 \equiv m_2 \pmod r$
• Proof: Let g(x) be a generator of G. Let $m_2 = m_1 + kr$.
• (*) $m_1 \equiv m_2 \pmod r$, then $x^{m_1} \equiv x^{m_2} \pmod{h(x)}$ (as $x^r \equiv 1 \pmod{h(x)}$)
• Therefore:

  $g(x)^{m_1+kr} = g(x^{m_2}) \overset{(*)}{=} g(x^{m_1}) = g(x)^{m_1}$

  $\Rightarrow\ g(x)^{kr} \equiv 1 \pmod{h(x),\ p}$

  $\Rightarrow\ kr \equiv 0 \pmod{|G|}$

  $\Rightarrow\ |I \cap [|G|]| \le r$

Page 21:

$I \cap [|G|]$ is large

• First note that |G| is large.
• Lemma: $|G| \ge n^{2\sqrt r}$
• Proof: Let d=deg(h(x)). Consider all polynomials in G of degree<d. They are all distinct in $F_p[x]/h(x)$. Therefore

  $|G| \ge \binom{l+d-1}{l}$

d is big: $q \mid O_r(p) = d$.

Page 22:

$I \cap [|G|]$ is large – cont.

• Recall:
  – $p, 1 \in I$ and
  – n passes the polynomials test $\Rightarrow$ $n \in I$
• Lemma: I is multiplicative, i.e. $u, v \in I \Rightarrow uv \in I$.
• Hence, in particular $\{n^ip^j : 0 \le i,j \le r^{1/2}\} \subseteq I$.
• Therefore, $|I \cap [n^{2\sqrt r}]| > r$
• Hence (since $|G| \ge n^{2\sqrt r}$) $|I \cap [|G|]| > r$
• A contradiction!

Administrator: prove lemma on board. Emphasise that $n^ip^j$ are distinct since n isn't a prime power.

Page 23:

Proof Summary

• We saw that $I \cap [|G|]$ is small (unconditionally, using properties of $x^r-1$),
• However, if n is composite, has no small divisors, and it is not a prime power, then passing the polynomials test (i.e. $n \in I$) implies that $I \cap [|G|]$ is large (using properties of the special r and of $x^r-1$).
• Therefore, the polynomials test must return 'composite'.

Page 24:

Back to Special Numbers

• Recall: r is special with respect to n if:
  1. r is prime,
  2. r-1 has a large prime factor $q = \Omega(r^{2/3})$,
  3. $q \mid O_r(n)$.

Page 25:

Finding Special r

1. Find r of size $O(\log^6 n)$, s.t. r is special,
2. Let $l = 2r^{1/2}\log n$.
3. If exists a small ( < l+1) divisor, output COMPOSITE.
4. If n is a power, output COMPOSITE.
5. For a = 1,…,l, if $(x-a)^n \not\equiv x^n - a \pmod{x^r-1,\ n}$, output COMPOSITE.
6. Otherwise output PRIME.

Elaborating on step (1):

1. while $r < c\log^6 n$
   1. if r is prime
   2. let q be the largest prime factor of r-1
   3. if ($q \ge 4r^{1/2}\log n$) and ($n^{(r-1)/q} \not\equiv 1 \pmod r$) break;
   4. $r \leftarrow r+1$

Complexity: $O(\log^6 n)$ iterations, each taking $O(r^{1/2}\,\mathrm{poly}\log r)$, hence total poly log n.

• when 'break' is reached: r is prime, q is large, and $q \mid O_r(n)$
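
The search loop above in runnable form, as an added Python example (not code from the slides or the paper). It assumes log is base 2, starts the search at r = 2 and defaults to c = 1, none of which the slide fixes; `is_special` is a hypothetical helper that re-checks the result directly from the definition of $O_r(n)$, and n = 31 is a constructed sample input.

```python
import math

def is_prime(m):
    """Trial division; enough for the small r the search visits."""
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True

def largest_prime_factor(m):
    """Largest prime dividing m (returns 1 for m = 1)."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return m if m > 1 else largest

def mult_order(n, r):
    """O_r(n): smallest t >= 1 with n^t = 1 (mod r). Needs gcd(n, r) = 1."""
    if math.gcd(n, r) != 1:
        raise ValueError("order undefined: n and r share a factor")
    t, x = 1, n % r
    while x != 1:
        x, t = x * n % r, t + 1
    return t

def find_special_r(n, c=1):
    """The slide's loop: first r < c*log^6 n that is special w.r.t. n.

    Assumptions not fixed by the slide: log is base 2, r starts at 2, c = 1.
    Returns (r, q), or None if the bound is reached first.
    """
    log_n = math.log2(n)
    r = 2
    while r < c * log_n ** 6:
        if is_prime(r) and n % r != 0:       # the n % r guard is an addition
            q = largest_prime_factor(r - 1)
            # n^((r-1)/q) != 1 (mod r) forces q | O_r(n) without computing O_r(n)
            if q >= 4 * math.sqrt(r) * log_n and pow(n, (r - 1) // q, r) != 1:
                return r, q
        r += 1
    return None

def is_special(n, r, q):
    """Re-check the three properties straight from the definitions."""
    return (is_prime(r) and is_prime(q) and (r - 1) % q == 0
            and q >= 4 * math.sqrt(r) * math.log2(n)
            and mult_order(n, r) % q == 0)

if __name__ == "__main__":
    n = 31                                    # constructed sample input
    r, q = find_special_r(n)
    print(r, q, mult_order(n, r), is_special(n, r, q))
```

Even for n = 31 the first special r is above 1500, which is why the small divisors test with bound l already settles every small input before the polynomials test is reached.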

Page 26:

Special r of size $O(\log^6 n)$ exists

• Consider interval [..], ,=$O(\log^6 n)$.
• Numbers with properties (1) and (2) are dense in [..]
  – immediate from density bounds for numbers with these properties and for primes.
• For many primes r∈[..], property (3) holds.
  – For many r's $O_r(n)$ > 1/3: $O_r(n)$ < 1/3 r | =(n-1)($n^2$-1)...(n^1/3-1). However, has no more than 2/3log n prime divisors.
  – Moreover, $O_r(n)$ > 1/3 $\Rightarrow$ q | $O_r(n)$: if q doesn't divide $O_r(n)$, then $n^{(r-1)/q} \equiv 1$, therefore $O_r(n) \le (r-1)/q$. However (r-1)/q < 1/3 -- a contradiction. (here we utilize again the fact that q is large).
• Hence, by counting argument, exists a special r∈[..].

Recall: r is special with respect to n if:

1. r is prime,
2. $q = \Omega(r^{2/3})$ prime factor of r-1,
3. $q \mid O_r(n)$.

Page 27:

The End
