
Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Slides by Adi Akavia.


1 Deciding Primality is in P
M. Agrawal, N. Kayal, N. Saxena. Slides by Adi Akavia.

2 Background
Sieve of Eratosthenes (240 BC): time Ω(n), i.e. exponential in the input length log n.
Fermat's Little Theorem (17th century): p prime, a ≢ 0 (mod p) ⇒ a^(p-1) ≡ 1 (mod p). (The converse does not hold: Carmichael numbers.)
Polynomial-time algorithms:
–[Miller 76] deterministic, assuming the Extended Riemann Hypothesis.
–[Solovay, Strassen 77; Rabin 80] unconditional, but randomized.
–[Goldwasser, Kilian 86] randomized, produces a certificate for primality (expected polynomial time for almost all inputs).
–[Adleman, Huang 92] primality certificate for all numbers.
[Adleman, Pomerance, Rumely 83] deterministic, (log n)^O(log log log n) time.

3 This Paper
An algorithm for deciding primality which is: unconditional, deterministic, polynomial-time.

4 Special Numbers
Def: the order of n mod r, denoted O_r(n), is the smallest power t s.t. n^t ≡ 1 (mod r).
Def: r is special with respect to n if:
1. r is prime,
2. r-1 has a large prime factor q = Ω(r^(2/3)), and
3. q | O_r(n).
Tools:
–simple algebra
–a high-density theorem for numbers with properties (1) and (2) [Fou85, BH96].

5 Basic Idea
Fact: for any a s.t. (a, n) = 1:
–n is prime ⇒ (x-a)^n ≡ x^n - a (mod n)
–n is composite ⇒ (x-a)^n ≢ x^n - a (mod n)
Naive algorithm: pick an arbitrary a and check whether (x-a)^n ≡ x^n - a (mod n).
Problem: time complexity Ω(n) (the polynomial (x-a)^n has n+1 coefficients).
Proof: expand (x-a)^n by the binomial theorem.
Assume n is prime; then [binomial-coefficient computation not captured in the transcript].
Assume n is composite; let q | n with q^k || n; then [computation not captured in the transcript], and hence x^q has a non-zero coefficient (mod n).

6 Basic Idea
Idea: pick an arbitrary a and the polynomial x^r - 1 with r = poly(log n), and check whether (x-a)^n ≡ x^n - a (mod x^r - 1, n).
–time complexity: poly(r)
–n is prime ⇒ (x-a)^n ≡ x^n - a (mod x^r - 1, n)
–n is composite ⇒?? (x-a)^n ≢ x^n - a (mod x^r - 1, n)
Not true for some (few) values of a, r!

7 Improved Idea
Improved idea: pick many (poly log n) a's, and check for all of them whether (x-a)^n ≡ x^n - a (mod x^r - 1, n). Accept if the equality holds for all a's.

8 Some Algebra Reminders
Def: F_p (p prime) denotes the finite field of p elements {0, 1, …, p-1}.
Def: F_p[x] denotes the ring of polynomials over F_p.
Let f(x) be a polynomial of degree k.
Def: F_p[x]/f(x) denotes the set of polynomials of degree at most k-1 over F_p, with addition and multiplication modulo f(x).
Thm: if f(x) is irreducible over F_p, then F_p[x]/f(x) ≅ GF(p^k) (the unique field with p^k elements).

9 F_p[x]/f(x) - Addition
Let the polynomial f(x) over F_2 be: [polynomial not captured in the transcript]
Represent polynomials as vectors (a polynomial of degree k-1 ↔ a vector of k coefficients).
Addition: [worked example not captured in the transcript]

10 F_p[x]/f(x) - Multiplication
Multiplication: first multiply 'mod p', next apply 'mod f(x)'. [worked example not captured in the transcript]

11 F_p[x]/f(x) - mod f(x)
Example: [not captured in the transcript]
In general for f(x) = x^r - 1: [reduction rule not captured in the transcript]

12 F_p[x]/f(x) - mod f(x) (continued; the transcript repeats the text of slide 11)

13 Irreducible Factors of (x^r - 1)/(x-1)
Fact: consider the polynomial (x^r - 1)/(x-1) over F_p. All its irreducible factors are of degree O_r(p).

14 Irreducible Factors of (x^r - 1)/(x-1)
Def: let h(x) denote any irreducible factor of (x^r - 1)/(x-1), and d = deg(h(x)).
Claim: for every such h(x), d = O_r(p).
Proof: denote k = O_r(p). Note F_p[x]/h(x) is of size p^d, therefore (F_p[x]/h(x))* is cyclic of order p^d - 1.
–k | d: x^r ≡ 1 (mod h(x)), hence the order of x in (F_p[x]/h(x))*, O_h(x)(x), is r; therefore r | p^d - 1, i.e. p^d ≡ 1 (mod r), and hence k | d (recall k = O_r(p)).
–d | k: let g be a generator; then [computation not captured in the transcript], hence p^d - 1 | p^k - 1, and therefore d | k.
Recall, if r is special with respect to n, then r-1 has a large prime factor q s.t. q | O_r(n). Choose p s.t. q | O_r(p) (such a p exists). Then d is large.

15 The Algorithm
Input: integer n
1. Find r ∈ O(log^6 n) s.t. r is special w.r.t. n.
2. Let l = 2 r^(1/2) log n.
3. Small divisors test: for t = 2, …, l, if t | n output COMPOSITE.
4. Power test: if n is a power, n = p^k for k > 1, output COMPOSITE.
5. Polynomials test: for a = 1, …, l, if (x-a)^n ≢ x^n - a (mod x^r - 1, n), output COMPOSITE.
6. Otherwise: output PRIME.

16 Saw: the algorithm.
Yet to be seen:
–a special r ∈ O(log^6 n) exists (later);
–if n is composite then one of the tests returns COMPOSITE.

17 Algo's Correctness
Thm: n is composite ⇒ the algorithm returns 'composite'. That is, if n is composite, and
–n has no divisor t ≤ l, and
–n is not a (prime) power,
then ∃ a ∈ [1..l] s.t. (x-a)^n ≢ x^n - a (mod x^r - 1, n).

18 For Proof Purpose – Use p and h(x)
Let p be a prime factor of n, and let h(x) be an irreducible factor of x^r - 1 (a factor of (x^r - 1)/(x-1), as on slide 13).
It suffices to show the inequality (mod h(x), p) instead of (mod x^r - 1, n), i.e. ∃ a ∈ [1..l] s.t. (x-a)^n ≢ x^n - a (mod h(x), p).
Choose p and h(x) s.t.
–q | O_r(p), and
–deg(h(x)) = O_r(p).
Such p exists: q | O_r(n) and O_r(n) | lcm{O_r(p_i)}, where n = p_1 p_2 … p_k.
Such h(x) exists: by the previous fact.

19 Proof
Assume by contradiction that n is composite and passes all the tests, i.e.
–n has no small factor, and
–n is not a (prime) power, and
–∀ a ∈ [1..l]: (x-a)^n ≡ x^n - a (mod h(x), p).
For any f(x) which is a product of polynomials (x-a) (where a ∈ [1..l]), f(x)^n = f(x^n).
–Example: f(x) = (x-a_1)(x-a_2): [(x-a_1)(x-a_2)]^n = (x^n - a_1)(x^n - a_2).

20 Variation on Polynomials Test
Therefore, consider the group G generated by {(x-a)}_{a ∈ [1..l]}:
Prop: n passes the polynomials test ⟺ ∀ f(x) ∈ G, f(x)^n ≡ f(x^n).
Proof: recall, the polynomials test was: ∀ a = 1, …, l, check if (x-a)^n ≡ x^n - a (mod x^r - 1, n); and by the definition of G.
(Sidebar: 1. find a small special r; 2. small divisors test – composite; 3. power test – composite; 4. polynomials test – composite; 5. otherwise PRIME, i.e. if ∀ f(x) ∈ G, f(x)^n ≡ f(x^n).)

21 Defining I
Are there other integers m s.t. ∀ f(x) ∈ G, f(x)^m ≡ f(x^m)? Yes! For example: p, 1. Any others?
Let I = { m | ∀ f ∈ G, f(x)^m ≡ f(x^m) }.
What's ahead:
–We first prove that I ∩ [|G|] is small.
–However, we show that if n is composite and passes all the tests, then I ∩ [|G|] must be large.
–Thus obtaining a contradiction.

22 I ∩ [|G|] is small
Lemma: let m1, m2 ∈ I; then m1 ≡ m2 (mod |G|) ⇐ m1 ≡ m2 (mod r).
Proof: let g(x) be a generator of G. Let m2 = m1 + kr.
(*) m1 ≡ m2 (mod r), then x^m1 ≡ x^m2 (mod h(x)) (as x^r ≡ 1 (mod h(x))).
Therefore: [chain of equalities not captured in the transcript]

23 I ∩ [|G|] is small (continued; the transcript repeats the text of slide 22)

24 I ∩ [|G|] is large
First note that |G| is large.
Lemma: [bound not captured in the transcript]
Proof: let d = deg(h(x)). Consider all polynomials in G of degree < d. They are all distinct in F_p[x]/h(x). Therefore [bound not captured in the transcript].
d is big: q | O_r(p) = d.

25 I ∩ [|G|] is large – cont.
Recall:
–p, 1 ∈ I, and
–n passes the polynomials test ⇒ n ∈ I.
Lemma: I is multiplicative, i.e. u, v ∈ I ⇒ uv ∈ I.
Hence, in particular, {n^i p^j : 0 ≤ i, j ≤ r^(1/2)} ⊆ I.
Therefore [bound not captured in the transcript]. Hence (since [not captured in the transcript]) a contradiction!

26 Proof Summary
We saw that I ∩ [|G|] is small (unconditionally, using properties of x^r - 1).
However, if n is composite, has no small divisors, and is not a prime power, then passing the polynomials test (i.e. n ∈ I) implies that I ∩ [|G|] is large (using properties of the special r and of x^r - 1).
Therefore, the polynomials test must return 'composite'.

27 Back to Special Numbers
Recall: r is special with respect to n if:
1. r is prime,
2. r-1 has a large prime factor q = Ω(r^(2/3)),
3. q | O_r(n).

28 Finding Special r
Elaborating on step (1):
1. while r < c log^6 n:
   1. if r is prime:
      2. let q be the largest prime factor of r-1;
      3. if (q ≥ 4 r^(1/2) log n) and (n^((r-1)/q) ≢ 1 (mod r)) break;
   4. r ← r+1
Complexity: O(log^6 n) iterations, each taking O(r^(1/2) poly log r); hence total poly log n.
When 'break' is reached: r is prime, q is large, and q | O_r(n).
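The algorithm of slide 15, with step 1 expanded as on slide 28 and step 5 the congruence (x-a)^n ≡ x^n - a (mod x^r - 1, n) of slides 5-7, as a Python example added here; it is not code from the slides or from the AKS paper. Polynomials are the coefficient vectors of slide 9, reduced modulo x^r - 1 as on slides 11-12. Points the slides leave open are settled by assumption: the constant c in "r < c log^6 n" is taken as 8; l is rounded down; candidates r that divide n are skipped (n must be a unit mod r for q | O_r(n) to be meaningful); and once l ≥ n-1 the small-divisors loop has tried every proper divisor, so n is reported PRIME. With the slides' parameters the special r is in the thousands even for two-digit n, so small inputs are decided at step 3, while congruence_holds can be exercised directly on any (n, r, a).

```python
# Added example (not from the slides): slide 15 with step 1 as on slide 28 and
# step 5 as the congruence of slides 5-7.  A polynomial in Z_n[x]/(x^r - 1) is a
# coefficient list of length r, index = degree (the vector form of slide 9).
import math

def poly_mul_mod(f, g, r, n):
    """f * g in Z_n[x]/(x^r - 1): a term x^k with k >= r wraps to x^(k-r)."""
    res = [0] * r
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                k = i + j
                res[k - r if k >= r else k] += fi * gj
    return [c % n for c in res]

def poly_pow_mod(base, e, r, n):
    """Square-and-multiply in Z_n[x]/(x^r - 1): O(log e) products, poly(r) each."""
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = poly_mul_mod(result, base, r, n)
        e >>= 1
        if e:
            base = poly_mul_mod(base, base, r, n)
    return result

def congruence_holds(n, r, a):
    """True iff (x - a)^n == x^n - a (mod x^r - 1, n); needs r >= 2.
    With r > n nothing wraps around, so this is also the naive test of slide 5."""
    lhs = poly_pow_mod([(-a) % n, 1] + [0] * (r - 2), n, r, n)
    rhs = [0] * r
    rhs[0] = (-a) % n
    rhs[n % r] = (rhs[n % r] + 1) % n   # x^n reduces to x^(n mod r)
    return lhs == rhs

def is_prime_trial(m):
    """Trial division; only ever applied to the small candidates r = O(log^6 n)."""
    return m >= 2 and all(m % d for d in range(2, math.isqrt(m) + 1))

def largest_prime_factor(m):
    """Largest prime factor of m by trial division (m is small here)."""
    q, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            q, m = d, m // d
        d += 1
    return max(q, m) if m > 1 else q

def is_perfect_power(n):
    """Step 4: is n = b^k for some k > 1?  Binary search on b for each k."""
    for k in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // k + 1)
        while lo <= hi:
            mid = (lo + hi) // 2
            p = mid ** k
            if p == n:
                return True
            if p < n:
                lo = mid + 1
            else:
                hi = mid - 1
    return False

def find_special_r(n, c=8):
    """Step 1 as elaborated on slide 28; returns (r, q).  The constant c in
    'r < c log^6 n' is not on the slides: c = 8 is an assumption that covers small n.
    Candidates dividing n are skipped so that n is a unit mod r (assumption)."""
    log_n = math.log2(n)
    r = 2
    while r < c * log_n ** 6:
        if n % r and is_prime_trial(r):
            q = largest_prime_factor(r - 1)
            if q >= 4 * math.sqrt(r) * log_n and pow(n, (r - 1) // q, r) != 1:
                return r, q
        r += 1
    raise ValueError("no special r below c * log^6 n; raise c")

def aks(n):
    """The six steps of slide 15; returns 'PRIME' or 'COMPOSITE'."""
    if n < 4:
        return "PRIME" if n in (2, 3) else "COMPOSITE"
    r, _q = find_special_r(n)                          # step 1
    l = int(2 * math.sqrt(r) * math.log2(n))           # step 2 (rounded down: assumption)
    for t in range(2, min(l, n - 1) + 1):              # step 3: small divisors
        if n % t == 0:
            return "COMPOSITE"
    if l >= n - 1:        # every proper divisor was tried (case not spelled out on the slides)
        return "PRIME"
    if is_perfect_power(n):                            # step 4: power test
        return "COMPOSITE"
    for a in range(1, l + 1):                          # step 5: polynomials test
        if not congruence_holds(n, r, a):
            return "COMPOSITE"
    return "PRIME"                                     # step 6

if __name__ == "__main__":
    print(aks(31), aks(561), aks(1024))
    # 561 is a Carmichael number (slide 2): Fermat base 2 passes, the congruence fails.
    print(pow(2, 560, 561) == 1, congruence_holds(561, 562, 1))
```

Running it shows 561 passing Fermat's test for base 2 yet failing the congruence with a = 1 and r = n+1 (the naive test of slide 5): the x^3 coefficient of (x-1)^561 is 187 ≢ 0 (mod 561), exactly the non-zero x^q coefficient the proof on slide 5 predicts for q = 3 | 561. For n = 31 the search returns r = 1619 with q = 809, so l = 398 exceeds n and the run ends at step 3, which is why the polynomial step, though implemented, is only reached for inputs larger than l.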

29 Special r ∈ O(log^6 n) exists
(The interval endpoints and the product symbol were not captured in the transcript; they are written A, B and Π below.)
Consider the interval [A..B], A, B = O(log^6 n).
Numbers with properties (1) and (2) are dense in [A..B]
–immediate from density bounds for numbers with these properties and for primes.
For many primes r ∈ [A..B], property (3) holds.
–For many r's, O_r(n) > B^(1/3): O_r(n) < B^(1/3) ⇒ r | Π = (n-1)(n^2-1)…(n^(B^(1/3))-1). However, Π has no more than B^(2/3) log n prime divisors.
–Moreover, O_r(n) > B^(1/3) ⇒ q | O_r(n): if q does not divide O_r(n), then n^((r-1)/q) ≡ 1, therefore O_r(n) ≤ (r-1)/q. However (r-1)/q < B^(1/3) -- a contradiction. (Here we utilize again the fact that q is large.)
Hence, by a counting argument, there exists a special r ∈ [A..B].
Recall: r is special with respect to n if: 1. r is prime, 2. q = Ω(r^(2/3)) is a prime factor of r-1, 3. q | O_r(n).

30 The End

31 Proof - G is large, cont.
Hence [bound not captured in the transcript].
Prop: d ≥ 2l.
Proof: recall d = O_r(p) and q | O_r(p), hence d ≥ q ≥ 2l (recall q ≥ 4 r^(1/2) log n and l = 2 r^(1/2) log n).
Hence [bound not captured in the transcript].
This is the reason for seeking a large q s.t. q | O_r(n).

32 Proof
Lemma: I is multiplicative, i.e. u, v ∈ I ⇒ uv ∈ I.
Proof: x^r - 1 | x^(vr) - 1, therefore [step not captured in the transcript], hence [step not captured in the transcript].


