primes stuttgart

8/13/2019 PRIMES Stuttgart

1/47

PRIMES is in P

Manindra Agrawal

NUS Singapore / IIT Kanpur


2/47

The Problem

Given number n, test if it is primeefficiently.

Efficiently = in time a polynomial in numberof digits

=(log n)cfor some constantc


3/47

The Trial Division Method

Try dividing by all numbers up ton1/2.

takes exponential time: (n1/2).

Also produces a factor of n when it iscomposite.


4/47

A Possible Approach

Find a characterization of prime

numbers that is efficiently verifiable

Many characterizations of primeshave been obtained over centuries.

But none were provably efficient untilrecently.


5/47

Wilsons Characterization (18th

century)

nis prime

iff(n-1)! = -1 (mod n)

Requires O(n) operations


6/47

Fermats Little Theorem (17th

century)n is prime

implies

for anya:an= a (mod n).

It is easy to check:Compute a2, square it to a4, square it to a8,

Needs only O(log n)multiplications.


7/47

An Efficient but Wrong

Characterization

nis prime

ifffor 0 < a < 4 log2n: an= a (mod n)

Requires only O(log3n) multiplications anddivisions.

Fails on Carmichael numbers, e.g., 561 = 3* 11 * 17.


8/47

Lucas Characterization (1891)

n is prime

iff

for every prime divisor qof n-1:there is an 1 < a < nsuch that

an-1= 1 (mod n) andgcd(a(n-1)/q1, n) = 1

Based on FLT It is inefficient: requiresfactorization of n-1


9/47

An NP coNP Algorithm

A trivial algorithm shows that the set is incoNP: given a factor ofn it is easy to

verify thatnis composite.

[Pratt, 1974]Lucas characterization yieldsan NPalgorithm: guess a primefactorization of n-1; recursively verify itscorrectness; and guess an awith requiredproperties.


10/47

Millers (unproven)

Characterization (1975)n = 1 + 2t* sis odd prime

iff

for0 < a < 4 log2n:

eitheras= 1 (mod n)

ora2k*s

= -1 (mod n) for some0 k < t


11/47

Yields an Efficient Algorithm

Based on FLT

Yields an efficient algorithm:O(log4n)steps

It is correct assumingGeneralized

Riemann Hypothesis


12/47

coRP Algorithms

[1974]Solovay-Strassen gave thefirst unconditionalbut randomized

polynomial time algorithm. This algorithm might give awrong answerwith asmall probabilitywhenn iscomposite.

[1975]Rabin modified Millerscharacterization to obtain anotheralgorithm with similar properties.


13/47

An Almost Efficient

Characterization

[1983]Adleman, Pomerance, and

Rumely gave a (rather complicated)characterization that yields adeterministic algorithm running in

time(log n)c log log log n.


14/47

An Efficient Chracterization

[2002] A., Kayal, Saxena gave the

first deterministically verifiableefficient characterization.


15/47

Proof:

Ifn is prime then all coefficients are divisible byn.

If n is composite then at least one is not.

Starting Point: A Polynomial

based Characterizationn is prime

iff(X + 1)n= Xn+ 1 (mod n)

jn

j

nnX

j

nXX

1

1

1)1(


16/47

A generalization of FLT topolynomials.

Simple and elegant. Inefficient:although requires only

O(log n) polynomial multiplications,

intermediate polynomials are of largedegree.


17/47

A Way to Reduce Space

Test the equation modulo Xr- 1for a

small r. Or, more generally, test if

(X + a)n= Xn+ a (mod n, Xr- 1)

For a few as and a few small rs.


18/47

It Almost Works

n is prime

iff

for any rsuch that Or(n) > 4 log2n:nhas no divisor smaller than min(n,r)and

for every a, 1 a 2 r log n:

(X + a)n= Xn+ a (mod n, Xr1)

Or(n) = smallest kwith nk= 1 (mod r).


19/47

The Algorithm

Input n.1. Find the smallest number rsuch that

Or(n) > 4 (log n)2

.2. If any number < rdivides n, outputPRIME/COMPOSITEappropriately.

3. For every a 2r log n: If (X+a)nXn+ a (mod n, Xr1)then outputCOMPOSITE.

4. Output PRIME.


20/47

Correctness: Non-trivial

PartAssume:

ris given such that Or(n) > 4(log n)2.

Smallest prime dividing nis at leastmin(n,r).

(X+a)n= Xn+ a (mod n, Xr-1)for 0 < a2r log n.


21/47

Fix a prime pdividing nwith p randOr(p) > 1.

Clearly, (X+a)n= Xn+ a (mod p, Xr-1)too for 0 < a 2r log n.

And of course, (X+a)p= Xp+ a (mod p,

Xr-1) (according to previous primecharacterization)


22/47

Introspective Numbers

We call any numbermsuch thatg(X)m= g(Xm) (mod p, Xr-1) an introspective

number forg(X).

So, pand nare introspective numbers

for X+afor 0 < a 2r log n.


23/47

Introspective Numbers Are

Closed Under *Lemma: Ifsandtare introspective for

g(X),so iss * t.

Proof:g(X)st= g(Xs)t(mod p, Xr1), and

g(Xs)t = g(Xst) (mod p, Xsr1)

= g(Xst)(mod p, Xr1).


24/47

So There Are Lots of Them

Let I = { ni* pj| i, j 0}.

EveryminIis introspective forX+afor0 < a 2r log n.


25/47

Introspective Numbers Are

Also For ProductsLemma: Ifmis introspective for both

g(X) andh(X),then it is also forg(X)

* h(X).Proof:

(g(X) * h(X))m= g(X)m* h(X)m

= g(Xm) * h(Xm) (mod p, Xr-1)


26/47

So Introspective Numbers

Are For Lots of Polynomials

Let Q = { a=1, 2r logn(X + a)ea| ea 0}.

Every minIis introspective foreveryg(X)inQ.


27/47

Finite Fields Facts

Let h(X)be an irreducible divisor ofrthcyclotomic polynomialCr(X)in the

ring Fp[X]: Cr(X) dividesXr-1.

Polynomials modulop andh(X)form a

field, say F. XiXjinFfor0 i j < r.


28/47

Moving to Field F

Sinceh(X)dividesXr-1, equations forintrospective numbers continue to

hold inF.

We now argue over F.


29/47

Two Sets in Field F

LetG = { Xm | m I }. Every element ofG is anrthroot of

unity. t = |G| Or(n) > 4 log2n.

LetH = { g(X) (mod p, h(X)) | g(X) Q }. H is a multiplicative group inF.


30/47

H is large

Let Qt be set of all polynomials in Qofdegree < t.

Lemma: There are>n2t distinct polynomials inQt: Consider all products of X+as of degee < t.

There are > >n2t of these(since r > tand t > 2 log n).

1log2

1log2

nr

nrt

ntnt

log2log4


31/47

becauseQtinjects into F

Letf(X), g(X)inQtwith f(X)g(X).

Suppose f(X) = g(X)in F. Then: For everyXminG,f(Xm) = f(X)m= g(X)m=

g(Xm)inF. So polynomialP(z) = f(z) g(z)has |G| =t

roots in F. Contradiction, since P(z)0 and degree of

P(z)is< t.


32/47

implies thatI has few

small numbers Let m1, m2, , mkbe numbers in I

n2t. Suppose k > t. Then, there exist miand mj, mi> mj,

such that

Xmi= Xmj(inF)

I: set of introspective numbers F = Fp[X]/(h(X)), h(X) | Xr-1Q: set of introspective polynomials G = XI H = Q (mod h(X))


33/47

Let g(X)be any element of H.

Then:

g(X)mi= g(Xmi)= g(Xmj)= g(X)mj(inF)

Therefore, g(X)is a root of thepolynomial P(z) =zmizmjin the field

F.



34/47

SinceHhas more thann2telementsin F, P(Y)has more than n2troots inF.

Contradiction, since P(z)0anddegree of P(z) =min2t.



35/47

t = Or(n,p) F = Fp[X]/(h(X)), h(X) | Xr-1

I: set of introspective numbers Qlow: polynomials of deg < t

so nmust be a prime power!

Consider numbers na* pbwith 0 a, b t.

Each such number is n2t (small). So there aret (few) such numbers. This givesa, b, c, dwith

(a,b) (c,d)andna* pb = nc* pd

Therefore,n = pefor some e > 0.



36/47

This forces nto be prime

Lemma [Hendrik Lenstra Jr.,1983]:Ifan= a(mod n) for1 a 4 log2n then nis square-free.

Since(X+a)n= Xn+ a (mod n, Xr-1)for 0 < a 2r log n,

we havean= a (mod n)for 0 < a 4 log2n,

(asr > 4 log2n). So nmust be square-free.


37/47

The Choice of r

We need rsuch that Or(n) > 4 (log n)2. Any rsuch that Or(n)4 (log n)2must

dividek=1, 4 log2n

(nk-1) < n16 log4n= 216log5n.

By Chebyshevs prime density estimates

the lcm of first mnumbers is at least 2m

(for m > 7). Therefore, there must exist anrthat we

desire16 (log n)5+ 1.


38/47

Time Complexity

Step 3 dominates running time. It needs to verifyO(r log n) equations. Each equation needsO~(r log2n)time to

verify.

So time complexity is O~(r1.5log3n)=

O~(log10.5n).


39/47

Using a result of Fouvry, one can showthatr = O(log3n) is enough.

The result shows that primesrsuch thatr-1 has a large primedivisor have high density.

This brings time complexity down toO~(log7.5n).


40/47

A Cleaner Characterization

The characterization is a bit messy. Three different conditions need to hold:

rneeds to be such thatOr(n) > 4(log n)2

No prime divisor ofn is smaller thanmin(n,r) For every a, 1 a r log n:

(X + a)n= Xn+ a (mod n, Xr1)

Can these be combined into a singleequation?


41/47

Yes!

Use the equation

(X + 1)n= Xn+ 1 (mod n, Q(X))

for appropriate small dgreeQ(X).


42/47

Eliminating Condition onr

Try for all r 16 log5n!


43/47

Eliminating Small Divisors

Lemma:If(X + 1)n= Xn+ 1 (mod n, Xr)thennhas no divisor less then

min(n,r).

Proof:If primep < min(n,r) dividesn,

then(X + 1)n= 1 + n/p Xp+ (mod n,Xr) 1 (mod n, Xr).


44/47

Eliminating Multiple

EquationsLemma:(X + 1)n= Xn+ 1 (mod n, Q(X-a)) for0

< a B iff

(X + a)n

= Xn

+ a (mod n, Q(X)) for1 < a B+1.

Proof:Assume forB-1. Then:

(X + 1)n= Xn+ 1 (mod n, Q(X-B)) iff

(X+B+1)n= (X+B)n+ 1 (mod n, Q(X)) iff

(X+B+1)n= Xn+ B + 1 (mod n, Q(X))


45/47

Putting These Together

nis prime

iff

(X + 1)n= Xn+ 1 (mod n, Q(X))where

Degree of Q(X)is O(log27/2n).

n

r

nr

a

rnaXXXQ

5

5log16

1

log2

1

log16)1)((*)(


46/47

Further work

[Lenstra-Pomerance,2003]:r = O(log2n)isenough with a different polynomial of

degree rthan Xr

-1. This improves time complexity toO~(log6n).

[Berrizbeitia-Bernstein,2003]:Randomized

primality provingalgorithm with timecomplexity O~(log4n).


47/47

Further Improvement?

Conjecture:

nis prime

iffnis not a prime power,

n 1 (mod r)for some prime r > log n,

and(X-1)n= Xn1(mod n, Xr1)

Yields a O~(log3n)time algorithm.

primes stuttgart

Documents