Transcript Primes-in-P

Deciding Primality is in P
M. Agrawal, N. Kayal, N. Saxena
Presentation by Adi Akavia
Background


Sieve of Eratosthenes (240 BC): $\Omega(n)$ time, i.e. exponential in the input length $\log n$.
Fermat's Little Theorem (17th century):
  p is prime, $a \not\equiv 0 \pmod p$ $\Rightarrow$ $a^{p-1} \equiv 1 \pmod p$
(The converse does not hold: Carmichael numbers are composite n with $a^{n-1} \equiv 1 \pmod n$ for every a coprime to n.)

Polynomial-time algorithms:
- [Miller 76] deterministic, assuming the Extended Riemann Hypothesis.
- [Solovay, Strassen 77; Rabin 80] unconditional, but randomized.
- [Goldwasser, Kilian 86] randomized, produces a certificate for primality! (for almost all numbers)
- [Atkin 86; Adleman, Huang 92] primality certificate for all numbers.
- [Adleman, Pomerance, Rumely 83] deterministic, $(\log n)^{O(\log\log\log n)}$-time.
This Paper
unconditional, deterministic, polynomial time.

Def (Sophie-Germain primes):
a prime q is Sophie-Germain if 2q+1 is also prime, i.e. the primes of the form (p-1)/2 with p prime.
Def: r is "almost Sophie-Germain" (ASG) if:
- r is prime,
- r-1 has a large prime factor $q = \Omega(r^{2/3})$.
Tools:
- simple algebra,
- a high-density theorem for "almost Sophie-Germain" primes [Fou85, BH96]
  (used in place of the high-density conjecture for primes p such that (p-1)/2 is Sophie-Germain, which is unproven).
Basic Idea

Fact: For any a s.t. (a,n) = 1:
  n is prime     $\Rightarrow$ $(x-a)^n \equiv x^n - a \pmod n$
  n is composite $\Rightarrow$ $(x-a)^n \not\equiv x^n - a \pmod n$
Proof: Expand $(x-a)^n$ with the binomial theorem:
  $(x-a)^n = \sum_{i=0}^{n} \binom{n}{i} x^i (-a)^{n-i}$.
Assume n is prime. Then $\binom{n}{i} \equiv 0 \pmod n$ for $0 < i < n$, and $(-a)^n \equiv -a \pmod n$ by Fermat, so only $x^n - a$ survives.
Assume n is composite. Let q be a prime with $q \mid n$ and $q^k \,\|\, n$ (i.e. $q^k \mid n$, $q^{k+1} \nmid n$). Then $q^k \nmid \binom{n}{q}$ (the numerator $n(n-1)\cdots(n-q+1)$ contains the factor q exactly k times, all of them in n, while the denominator $q!$ contains it once) and $\gcd(q, a^{n-q}) = 1$; hence the coefficient of $x^q$, namely $\binom{n}{q}(-a)^{n-q}$, is non-zero (mod n).

Naive algo: Pick an arbitrary a, check if $(x-a)^n \equiv x^n - a \pmod n$.
Problem: time complexity $\Omega(n)$ (the left-hand side has n+1 coefficients to compute and compare).
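The Fact above, checked literally for small n, as an added example (my own code, not the slides'): the full binomial expansion of $(x-a)^n$ mod n is compared with $x^n - a$, the surviving $x^q$ coefficient from the proof is exhibited for composite n, and the result is contrasted with the Fermat test from the Background slide, which the Carmichael number 561 fools while the polynomial identity is not fooled. All helper names are mine.

```python
# Added example (not from the slides): the 'Fact' on this slide checked literally,
# plus the x^q witness coefficient from its proof, next to the Fermat test.
from math import comb, gcd


def binomial_expansion_mod(n: int, a: int) -> list:
    """Coefficients c_0..c_n of (x - a)^n mod n; by the binomial theorem
    c_i = C(n, i) * (-a)^(n - i)  (list index = power of x)."""
    return [comb(n, i) * pow(-a, n - i, n) % n for i in range(n + 1)]


def naive_check(n: int, a: int) -> bool:
    """The slide's naive algorithm: does (x - a)^n == x^n - a (mod n) hold?
    Needs all n + 1 coefficients, hence Omega(n) work."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError("need n >= 2 and gcd(a, n) = 1")
    target = [(-a) % n] + [0] * (n - 1) + [1]     # x^n - a
    return binomial_expansion_mod(n, a) == target


def fermat_check(n: int, a: int) -> bool:
    """Fermat's test from the Background slide: a^(n-1) == 1 (mod n)?"""
    return pow(a, n - 1, n) == 1


def smallest_prime_factor(n: int) -> int:
    """Trial division; n is tiny in this example."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d
        d += 1
    return n


def witness_coefficient(n: int, a: int) -> tuple:
    """For composite n the proof picks a prime q | n with q^k || n and shows that
    q^k does not divide C(n, q), so the x^q coefficient of (x - a)^n survives mod n.
    Returns (q, k, C(n, q) mod q^k, coefficient of x^q mod n)."""
    q = smallest_prime_factor(n)
    k, m = 0, n
    while m % q == 0:
        k, m = k + 1, m // q
    return q, k, comb(n, q) % q ** k, comb(n, q) * pow(-a, n - q, n) % n


if __name__ == "__main__":
    print(binomial_expansion_mod(6, 1))            # [1, 0, 3, 4, 3, 0, 1]
    print(naive_check(7, 3), naive_check(6, 1))    # True False
    print(fermat_check(561, 2), naive_check(561, 2))   # True False
    print(witness_coefficient(561, 2))
```

The 561 case is the point of the Fact: Fermat's criterion is only a necessary condition, whereas the polynomial identity is an equivalence, so a Carmichael number is caught by the full (but exponentially long) expansion.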
Basic Idea

Idea: Pick an arbitrary a and some polynomial $x^r - 1$ with $r = \mathrm{poly}\log n$,
check if $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ n}$.
Time complexity: poly(r, log n) = poly log n (all intermediate polynomials have degree < r, and the power is computed by repeated squaring).
  n is prime     $\Rightarrow$ $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ n}$   (a congruence mod n stays true when further reduced mod $x^r - 1$)
  n is composite $\Rightarrow$???? $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$
Not true for some (few) values of a, r!
Improved Idea

Improved Idea: Pick many (poly log n) a's and check for all of them if
  $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ n}$.
Accept if the equality holds for all a's.
Algebraic Background - Extension Field
Def: Consider fields F, E. E is an extension of F if F is a subfield of E.
Def: The Galois field $\mathrm{GF}(p^k)$ (p prime) is the unique (up to isomorphism) finite field containing $p^k$ elements.
(The cardinality of any finite field is a prime power.)
Def: A polynomial f(x) is called irreducible over $\mathrm{GF}(p)$ if it does not factor over $\mathrm{GF}(p)$ into polynomials of lower degree.
Multiplicative Group
Def: $\mathrm{GF}^*(p^k)$ is the multiplicative group of the Galois field $\mathrm{GF}(p^k)$, that is, $\mathrm{GF}^*(p^k) = \mathrm{GF}(p^k) \setminus \{0\}$.
Thm: $\mathrm{GF}^*(p^k)$ is cyclic, thus it has a generator g:
  $\langle g \rangle = \{\, g^i \mid 0 \le i < p^k - 1 \,\} = \mathrm{GF}^*(p^k)$.
Constructing Galois Fields
Def: $F_p$ denotes the finite field of p elements (p prime).
Def: Let f(x) be a degree-k polynomial over $F_p$.
Def: Let $F_p[x]/f(x)$ be the set of polynomials of degree at most k-1 over $F_p$, with addition and multiplication modulo f(x).
Thm: If f(x) is irreducible over $\mathrm{GF}(p)$, then $\mathrm{GF}(p^k) \cong F_p[x]/f(x)$.
$F_p[x]/f(x)$ - Example
Here p = 2 (coefficients are bits, addition of coefficients is XOR). Let the irreducible polynomial f(x) be:
  $f(x) = x^4 + x^3 + x^2 + x + 1$
Represent polynomials as vectors (a polynomial of degree k-1 $\leftrightarrow$ a vector of k coefficients, highest power first):
  $f(x) = x^4 + x^3 + x^2 + x + 1 \leftrightarrow (1,1,1,1,1)$
Addition:
  $(x^4 + x^3 + x + 1) + (x^3 + x^2 + x + 1)$:
      (1,1,0,1,1)
    + (0,1,1,1,1)
    -------------
      (1,0,1,0,0)   i.e. $x^4 + x^2$
(Strictly, elements of $F_2[x]/f(x)$ are represented by polynomials of degree < 4; reducing with $x^4 \equiv x^3 + x^2 + x + 1$ gives $x^4 + x^2 \equiv x^3 + x + 1$.)

$F_p[x]/f(x)$ - Example
Multiplication:
First, multiply 'mod p' (carry-less multiplication of the bit vectors, one shifted row per set bit of the second operand):
  $(x^4 + x^3 + x + 1)\cdot(x^3 + x + 1) = x^7 + x^6 + x^5 + x^4 + x^2 + 1$
        11011
    x   01011
    ---------
        11011
       11011
      00000
     11011
    ---------
     11110101
Next, apply 'mod f(x)':
  $x^7 + x^6 + x^5 + x^4 + x^2 + 1 \bmod (x^4 + x^3 + x^2 + x + 1) = x^3 + x^2 + 1$
(Since $(x-1)f(x) = x^5 - 1$, $x^5 \equiv 1 \pmod{f(x)}$; so $x^7 + x^6 + x^5 \equiv x^2 + x + 1$, the sum collapses to $x^4 + x$, and $x^4 \equiv x^3 + x^2 + x + 1$ gives $x^3 + x^2 + 1$.)
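The two computations above, as an added example (my own code, not from the slides): polynomials over $F_2$ are packed into Python integers (bit i = coefficient of $x^i$), with carry-less multiplication, reduction mod f by long division, a brute-force irreducibility check, and the multiplicative order of an element. It also illustrates the cyclic-group slide: x itself is not a generator of this $\mathrm{GF}(2^4)$, its order is 5 because $x^5 \equiv 1 \pmod{f(x)}$ (the same fact the proof later uses as "the order of x mod h(x) is r"), whereas x+1 has the full order 15. All names are mine.

```python
# Added example (not from the slides): arithmetic in F_2[x]/(f(x)) with polynomials
# packed into ints, bit i = coefficient of x^i.  Reproduces the slide's numbers
# for f(x) = x^4 + x^3 + x^2 + x + 1, i.e. the field GF(2^4).

F = 0b11111   # x^4 + x^3 + x^2 + x + 1  (the slide's irreducible polynomial)


def gf2_add(a: int, b: int) -> int:
    """Addition in F_2[x]: coefficients add mod 2, i.e. XOR of the bit vectors."""
    return a ^ b


def gf2_mul_nored(a: int, b: int) -> int:
    """Schoolbook product in F_2[x] without reduction (the slide's 'first, multiply
    mod p'): the carry-less multiplication whose shifted rows the slide writes out."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        a <<= 1
        b >>= 1
    return res


def gf2_mod(a: int, f: int) -> int:
    """Remainder of a modulo f in F_2[x] by long division (the slide's 'next, apply mod f(x)')."""
    df = f.bit_length() - 1                       # deg f
    while a and a.bit_length() - 1 >= df:
        a ^= f << (a.bit_length() - 1 - df)       # cancel the leading term of a
    return a


def gf2_mulmod(a: int, b: int, f: int = F) -> int:
    """Multiplication in F_2[x]/(f)."""
    return gf2_mod(gf2_mul_nored(a, b), f)


def gf2_is_irreducible(f: int) -> bool:
    """Brute force (fine for these tiny degrees): no divisor of degree 1..deg(f)/2."""
    df = f.bit_length() - 1
    for g in range(2, 1 << (df // 2 + 1)):        # every polynomial of degree 1..df//2
        if gf2_mod(f, g) == 0:
            return False
    return df >= 1


def element_order(a: int, f: int = F) -> int:
    """Multiplicative order of a non-zero reduced a in F_2[x]/(f): least e > 0 with a^e = 1.
    For irreducible f the group is cyclic of order 2^deg(f) - 1, so e divides that."""
    assert 0 < a < (1 << (f.bit_length() - 1))
    acc, e = a, 1
    while acc != 1:
        acc = gf2_mulmod(acc, a, f)
        e += 1
    return e


if __name__ == "__main__":
    print(bin(gf2_add(0b11011, 0b01111)))              # 0b10100 = x^4 + x^2
    print(bin(gf2_mul_nored(0b11011, 0b01011)))        # 0b11110101
    print(bin(gf2_mulmod(0b11011, 0b01011)))           # 0b1101 = x^3 + x^2 + 1
    print(gf2_is_irreducible(F))                       # True
    print(element_order(0b10), element_order(0b11))    # 5 15
```

The same packed-integer representation is what AES and GCM implementations use for $\mathrm{GF}(2^8)$ and $\mathrm{GF}(2^{128})$; only the reduction polynomial changes.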
The Algorithm
Def: r is special (with respect to n) if:
- r is Almost Sophie-Germain, and
- $q \mid O_r(n)$
(where q is the large prime factor of r-1, and $O_r(n)$ denotes the order of n modulo r; this presumes $\gcd(n, r) = 1$, which the paper checks while searching for r).

Input: integer n
1. Find $r \le O(\log^6 n)$ s.t. r is special.
2. Let $l = 2 r^{1/2} \log n$.
3. For t = 2,...,l: if t | n, output COMPOSITE.
4. If n is a (prime) power, $n = p^k$ for k > 1, output COMPOSITE.
5. For a = 1,...,l: if $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$, output COMPOSITE.
6. Otherwise: output PRIME.
Proof's Structure
Saw: the primality test (steps 1-6 of the algorithm above).
We next show:
- A special $r \le O(\log^6 n)$ exists.
- For such r: if n is composite and passes steps (3) and (4), then $\exists a \in [1..l]$ s.t. $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$
  (hence the algorithm returns COMPOSITE at step (5)).
Finding Suitable r
Elaborating on step (1):
  r <- 2
  while r < c log^6 n:
      if r is prime:
          let q be the largest prime factor of r-1
          if $(q \ge 4 r^{1/2} \log n)$ and $(n^{(r-1)/q} \not\equiv 1 \pmod r)$:
              break
      r <- r+1
When 'break' is reached: r is prime, q is large, and $q \mid O_r(n)$
(the last because $O_r(n) \mid r-1$, so $q \nmid O_r(n)$ would give $O_r(n) \mid (r-1)/q$ and hence $n^{(r-1)/q} \equiv 1 \pmod r$).
Complexity: $O(\log^6 n)$ iterations, each taking $O(r^{1/2}\,\mathrm{poly}\log r)$ (primality of r and the factorization of r-1 by trial division, plus one modular exponentiation), hence total poly log n.
Lemma: Special $r \le O(\log^6 n)$ exists.
Proof:
- Let $\alpha, \beta = O(\log^6 n)$ with $\alpha < \beta$, and consider the interval $[\alpha..\beta]$.
- ASG numbers are dense in $[\alpha..\beta]$:
  $\#\mathrm{ASG}[\alpha..\beta] \ge \#\mathrm{ASG}[1..\beta] - \#\mathrm{primes}[1..\alpha] = \Omega(\log^6 n / \log\log n)$
  (using the density of ASG numbers [Fou85, BH96], and the upper bound on the density of primes).
- There are only few primes $r \in [\alpha..\beta]$ s.t. $O_r(n) < \beta^{1/3}$:
  $O_r(n) < \beta^{1/3} \Rightarrow r \mid \Pi = (n-1)(n^2-1)\cdots(n^{\beta^{1/3}}-1)$.
  However, $\Pi \le n^{\beta^{2/3}}$ has no more than $\beta^{2/3}\log n = O(\log^5 n)$ prime divisors.
- Hence, by a counting argument, there exists an ASG $r \in [\alpha..\beta]$ s.t. $O_r(n) > \beta^{1/3}$.
- Moreover, $O_r(n) > \beta^{1/3} \Rightarrow q \mid O_r(n)$:
  assume q does not divide $O_r(n)$; then, since $O_r(n) \mid r-1$, $O_r(n) \mid (r-1)/q$, so $n^{(r-1)/q} \equiv 1 \pmod r$ and $O_r(n) \le (r-1)/q$.
  However $(r-1)/q < \beta^{1/3}$ (as $q = \Omega(r^{2/3})$), a contradiction.
- Therefore, a special $r \in [\alpha..\beta]$ exists.
Correctness Proof
Lemma: n is composite $\Rightarrow$ step (5) returns 'composite'.
That is, if
- n is composite, and
- n has no factor $t \le l$, and
- n is not a prime-power,
then $\exists a \in [1..l]$ s.t. $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$.
Proof
Let p be a prime factor of n, and let h(x) be an irreducible factor of $x^r - 1$.
It suffices to show the inequality (mod h(x), p) instead of (mod $x^r - 1$, n), i.e.
  $\exists a \in [1..l]$ s.t. $(x-a)^n \not\equiv x^n - a \pmod{h(x),\ p}$
(a congruence mod $(x^r - 1, n)$ implies the same congruence mod $(h(x), p)$, since $p \mid n$ and $h(x) \mid x^r - 1$).
Choose p and h(x) s.t.
- $q \mid O_r(p)$, and
- $\deg(h(x)) = O_r(p)$.
Such p exists: let $n = p_1 p_2 \cdots p_k$; then $n^{\mathrm{lcm}\{O_r(p_i)\}} \equiv 1 \pmod r$, so $O_r(n) \mid \mathrm{lcm}\{O_r(p_i)\}$. Therefore $q \mid O_r(n) \Rightarrow \exists i\ q \mid O_r(p_i)$ (as q is prime).
Such h exists: by the claim on the irreducible factors of $(x^r - 1)/(x - 1)$ (slide 'Irreducible Factors of $(x^r-1)/(x-1)$' below).
Proof
Assume by contradiction that n is composite and passes all the tests, i.e.
- n has no small factor, and
- n is not a prime-power, and
- $\forall a \in [1..l]$: $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ p}$
  (this follows from passing step (5), since $p \mid n$; it implies the same congruences mod $(h(x), p)$).
Proof
Consider the group generated by $\{(x-a)\}_{a \in [1..l]}$ (mod h(x), p), i.e.
  $G = \{\, \prod_{1 \le a \le l} (x-a)^{i_a} \mid i_a \ge 0 \,\} \subseteq F_p[x]/h(x)$.
Note: $\forall f(x) \in G$, $f(x)^n \equiv f(x^n)$ (the assumed congruences for the generators $x - a$ multiply, as $(fg)(x^n) = f(x^n)\,g(x^n)$).
Let $I = \{\, m \mid \forall f \in G,\ f(x)^m \equiv f(x^m) \pmod{x^r - 1,\ p} \,\}$
(a congruence mod $(x^r - 1, p)$ also holds mod $(h(x), p)$, as $h(x) \mid x^r - 1$).
Lemma: I is multiplicative, i.e. $u, v \in I \Rightarrow uv \in I$.
Proof: $x^r - 1 \mid x^{vr} - 1$, therefore substituting $x \mapsto x^v$ in $g(x)^u \equiv g(x^u) \pmod{x^r - 1,\ p}$ gives
  $g(x^v)^u \equiv g(x^{vu}) \pmod{x^r - 1,\ p}$,
hence
  $g(x)^{vu} = (g(x)^v)^u \equiv g(x^v)^u \equiv g(x^{vu}) \pmod{x^r - 1,\ p}$.
Proof: $n \in I \Rightarrow$ I is large
Prop: $(i,j) \ne (i',j') \Rightarrow n^i p^j \ne n^{i'} p^{j'}$ (since n is not a prime power: equal values would force $n^{i-i'} = p^{j'-j}$, i.e. a power of n would be a power of p).
Lemma: $\forall \nu$, if $u, v \in I$ are s.t. $(i,j) \ne (i',j') \Rightarrow u^i v^j \ne u^{i'} v^{j'}$, then $|I \cap [1..(uv)^\nu]| > \nu^2$.
Proof: the $(\nu+1)^2$ pairs $(i,j)$ with $0 \le i, j \le \nu$ give distinct values $u^i v^j \le (uv)^\nu$, all in I since I is multiplicative.
Corollary: $\forall \nu$, $n \in I \Rightarrow |I \cap [1..(np)^\nu]| > \nu^2$.
Proof: $p \in I$ (Frobenius: $f(x)^p \equiv f(x^p) \pmod p$ for every $f \in F_p[x]$), so apply the Lemma with $u = n$, $v = p$.
However, Lemma: $|G| \ge n^{2\sqrt r}$.
Consider all products $\prod_{1 \le a \le l}(x-a)^{i_a}$ of degree < d, where d = deg(h(x)). There are $\binom{l+d-1}{l}$ of them, they are all distinct in $F_p[x]/h(x)$ (distinct polynomials of degree < d = deg h), and all lie in G. Therefore
  $|G| \ge \binom{l+d-1}{l}$
(continued on the slide 'Proof: G is large, Cont.' at the end, which derives $\binom{l+d-1}{l} \ge n^{2\sqrt r}$ from $d \ge 2l$).
Corollary: $n \in I \Rightarrow |I \cap [1..|G|]| > r$.
Proof: take $\nu = \lfloor \sqrt r \rfloor$; then $(np)^\nu < n^{2\sqrt r} \le |G|$, so $|I \cap [1..|G|]| \ge (\nu+1)^2 > r$.
Irreducible Factors of $(x^r-1)/(x-1)$
Def: Let h(x) denote any irreducible factor of $(x^r - 1)/(x - 1)$ over $F_p$, and d = deg(h(x)).
Recall: if r is special with respect to n, then r-1 has a large prime factor q s.t. $q \mid O_r(n)$.
Choose p s.t. $q \mid O_r(p)$ (exists, see above). Then d is large.
Claim: for every such h(x), $d = O_r(p)$.
Proof: Denote $k = O_r(p)$. Note $F_p[x]/h(x)$ is of size $p^d$, therefore $(F_p[x]/h(x))^*$ is cyclic of order $p^d - 1$.
- $k \mid d$: $x^r \equiv 1 \pmod{h(x)}$ and $x \not\equiv 1 \pmod{h(x)}$ (h(x) divides $(x^r-1)/(x-1)$, whose value at 1 is $r \not\equiv 0 \pmod p$ since $p \ne r$), so, r being prime, the order of x in $(F_p[x]/h(x))^*$ is exactly r. Therefore $r \mid p^d - 1$, i.e. $p^d \equiv 1 \pmod r$, and hence $k \mid d$ (recall $k = O_r(p)$).
- $d \mid k$: let g be a generator of $(F_p[x]/h(x))^*$. Since $p^k \equiv 1 \pmod r$, $x^{p^k} \equiv x \pmod{h(x)}$, and by Frobenius $g(x)^{p^k} = g(x^{p^k}) \equiv g(x)$, i.e. $g^{p^k - 1} = 1$; hence $p^d - 1 \mid p^k - 1$ and therefore $d \mid k$.
Proof: I is small
Lemma: Let $m_1, m_2 \in I$. Then $m_1 \equiv m_2 \pmod r \Rightarrow m_1 \equiv m_2 \pmod{|G|}$.
Proof:
Let g(x) be a generator of G (G is a subgroup of the cyclic group $(F_p[x]/h(x))^*$, hence cyclic of order |G|), and let $m_2 = m_1 + kr$. Working mod (h(x), p):
  $g(x)^{m_2} \equiv g(x^{m_2})$                 ($m_2 \in I$)
            $= g(x^{m_1 + kr}) \equiv g(x^{m_1})$   (*)
            $\equiv g(x)^{m_1}$                    ($m_1 \in I$)
  (*) $m_1 \equiv m_2 \pmod r$, so $x^{m_1} \equiv x^{m_2} \pmod{h(x)}$ (as $x^r \equiv 1 \pmod{h(x)}$).
Hence $g(x)^{kr} = g(x)^{m_2 - m_1} \equiv 1 \pmod{h(x),\ p}$, i.e. $kr \equiv 0 \pmod{|G|}$, so $m_1 \equiv m_2 \pmod{|G|}$.

Lemma (I is small): $|I \cap [1..|G|]| \le r$.
Proof: any two distinct elements of $I \cap [1..|G|]$ are different mod |G|; by the Lemma above (contrapositive) they are therefore different mod r. Hence $|I \cap [1..|G|]| \le r$.

Contradiction! (with $|I \cap [1..|G|]| > r$, which followed from $n \in I$.)
The End
Proof: G is large, Cont.
Hence,
  $|G| \ge |S| \ge \binom{l+d-1}{l}$
(S = the set of products of the $(x-a)$ of degree < d from the slide '$n \in I \Rightarrow$ I is large').
Prop: $d \ge 2l$.
Proof: Recall $d = O_r(p)$ and $q \mid O_r(p)$, hence $d \ge q \ge 4 r^{1/2} \log n = 2l$
(recall $q \ge 4 r^{1/2} \log n$ and $l = 2 r^{1/2} \log n$).
This is the reason for seeking a large q s.t. $q \mid O_r(n)$.
Hence $|G| \ge \binom{3l-1}{l} \ge \binom{2l}{l} \ge 2^{l} = n^{2\sqrt r}$ (with log to base 2, $2^l = 2^{2\sqrt r \log n} = n^{2\sqrt r}$).