Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Slides by Adi Akavia

Background Sieve of Eratosthenes 240BC -  (n) Fermat’s Little Theorem (17 th century): p is prime, a  0 (mod p)  a p-1  1 (mod p) (The converse does not hold – Carmichael numbers) Polynomial-time algorithms: –[Miller 76] deterministic, assuming Extended Riemann Hypothesis. –[Solovay, Strassen 77; Rabin 80] unconditional, but randomized. –[Goldwasser, Kilian 86] randomized produces certificate for primality! (expected poly time for almost all inputs) –[Adelman Huang 92] primality certificate for all numbers. [Adelman, Pomerance, Rumely 83] deterministic (log n) O(log log log n) -time. Sieve of Eratosthenes 240BC -  (n) Fermat’s Little Theorem (17 th century): p is prime, a  0 (mod p)  a p-1  1 (mod p) (The converse does not hold – Carmichael numbers) Polynomial-time algorithms: –[Miller 76] deterministic, assuming Extended Riemann Hypothesis. –[Solovay, Strassen 77; Rabin 80] unconditional, but randomized. –[Goldwasser, Kilian 86] randomized produces certificate for primality! (expected poly time for almost all inputs) –[Adelman Huang 92] primality certificate for all numbers. [Adelman, Pomerance, Rumely 83] deterministic (log n) O(log log log n) -time.

This Paper Algo for deciding primality which is: unconditional, deterministic, polynomial-time Algo for deciding primality which is: unconditional, deterministic, polynomial-time

Special Numbers Def: r is special with respect to n if: 1.r is prime, 2.r-1 has a large prime factor q =  (r 2/3 ), and 3.q|O r (n). Tools: –simple algebra –High density Thm for numbers with properties (1) and (2). [Fou85, BH96] Def: r is special with respect to n if: 1.r is prime, 2.r-1 has a large prime factor q =  (r 2/3 ), and 3.q|O r (n). Tools: –simple algebra –High density Thm for numbers with properties (1) and (2). [Fou85, BH96] Def: order n mod r, denoted O r (n), is the smallest power t s.t. n t  1 (mod r).

Basic Idea Fact: For any a s.t (a,n)  =1: –n is prime  (x-a) n  x n -a (mod n) –n is composite  (x-a) n  x n -a (mod n) Naive algo: Pick an arbitrary a, check if (x-a) n  x n -a (mod n) Problem: time complexity -  (n). Fact: For any a s.t (a,n)  =1: –n is prime  (x-a) n  x n -a (mod n) –n is composite  (x-a) n  x n -a (mod n) Naive algo: Pick an arbitrary a, check if (x-a) n  x n -a (mod n) Problem: time complexity -  (n). Proof: Develop (x-a) n according to Newton-binomial. Assume n is prime, then Assume n is prime, then Assume n is composite, then let q|n, let q k ||n, then and, hence x q has non zero coefficient (mod n). Assume n is composite, then let q|n, let q k ||n, then and, hence x q has non zero coefficient (mod n).

Basic Idea Idea: Pick an arbitrary a, and some polynomial x r -1, with r = poly (log n), check if (x-a) n  x n -a (mod x r -1, n) –time complexity – poly(r) –n is prime  (x-a) n  x n -a (mod x r -1, n) –n is composite ??  ?? (x-a) n  x n -a (mod x r -1, n) Idea: Pick an arbitrary a, and some polynomial x r -1, with r = poly (log n), check if (x-a) n  x n -a (mod x r -1, n) –time complexity – poly(r) –n is prime  (x-a) n  x n -a (mod x r -1, n) –n is composite ??  ?? (x-a) n  x n -a (mod x r -1, n) Not true for some (few) values of a,r !

Improved Idea Improved Idea: Pick many (poly log n) a’s, check for all of them if: (x-a) n  x n -a (mod x r -1, n) Accept if equality holds for all a’s

Some Algebra Reminders Def: F p (p is prime) denotes the finite field of p elements {0,1,…,p-1}. Def: F p [x] denotes the ring of polynomials over F p. Let f(x) be a k-degree polynomial. Def: F p [x]/f(x) denotes the set of k-1-degree polynomials over F p, with addition and multiplication modulo f(x). Thm: If f(x) is irreducible over F p, then F p [x]/f(x)  GF(p k ) (the unique field with p k elements.) Def: F p (p is prime) denotes the finite field of p elements {0,1,…,p-1}. Def: F p [x] denotes the ring of polynomials over F p. Let f(x) be a k-degree polynomial. Def: F p [x]/f(x) denotes the set of k-1-degree polynomials over F p, with addition and multiplication modulo f(x). Thm: If f(x) is irreducible over F p, then F p [x]/f(x)  GF(p k ) (the unique field with p k elements.)

F p [x]/f(x) - Addition Let the polynomial f(x) over F 2 be: Represent polynomials as vectors (k-1 degree polynomial  vector of k coefficient) : Addition: Let the polynomial f(x) over F 2 be: Represent polynomials as vectors (k-1 degree polynomial  vector of k coefficient) : Addition:

F p [x]/f(x) - Multiplication Multiplication: First, multiply ‘mod p’: Next, apply ’mod f(x)’: Multiplication: First, multiply ‘mod p’: Next, apply ’mod f(x)’:

F p [x]/f(x) - mod f(x) Example: In general for f(x) = x r -1: Example: In general for f(x) = x r -1:

F p [x]/f(x) - mod f(x) Example: In general for f(x) = x r -1: Example: In general for f(x) = x r -1:

Irreducible Factors of (x r -1)/(x-1) Fact: Consider the polynomial (x r -1)/(x- 1) over F p. All its irreducible factors are of degree O r (p)

Irreducible Factors of (x r -1)/(x-1) Def: Let h(x) denote any irreducible factor of (x r -1)/(x-1), and d = deg(h(x)) Claim: h(x), d=O r (p) Proof: Denote k=O r (p). Note F p [x]/h(x) is of size p d, therefore F p [x]/h(x)* is cyclic of order p d -1. –k|d: x r  1 (mod h(x)), hence O h(x) (x) is r, therefore r|p d -1, i.e., p d  1 (mod r), and hence k|d (recall d=O r (p)). –d|k: let g be a generator, then hence p d -1 | p k -1. and therefore d|k. Def: Let h(x) denote any irreducible factor of (x r -1)/(x-1), and d = deg(h(x)) Claim: h(x), d=O r (p) Proof: Denote k=O r (p). Note F p [x]/h(x) is of size p d, therefore F p [x]/h(x)* is cyclic of order p d -1. –k|d: x r  1 (mod h(x)), hence O h(x) (x) is r, therefore r|p d -1, i.e., p d  1 (mod r), and hence k|d (recall d=O r (p)). –d|k: let g be a generator, then hence p d -1 | p k -1. and therefore d|k. Recall, if r is special with respect to n, then r-1 has a large prime factor q, s.t. q|O r (n). Choose p s.t. q|O r (p) (exists). Then d is large. exists

The Algorithm Input: integer n 1.Find r  O(log 6 n), s.t. r is special w.r. to n, 2.Let l = 2r 1/2 log n. 3.Small divisors test: For t=2,…,l, if t|n output COMPOSITE 4.Power test: If n is a power -- n=p k, for k>1 output COMPOSITE. 5.Polynomials test: For a =1,…,l, if (x-a) n  x n -a (mod x r -1, n), output COMPOSITE. 6.Otherwise: output PRIME. Input: integer n 1.Find r  O(log 6 n), s.t. r is special w.r. to n, 2.Let l = 2r 1/2 log n. 3.Small divisors test: For t=2,…,l, if t|n output COMPOSITE 4.Power test: If n is a power -- n=p k, for k>1 output COMPOSITE. 5.Polynomials test: For a =1,…,l, if (x-a) n  x n -a (mod x r -1, n), output COMPOSITE. 6.Otherwise: output PRIME.

Saw: algorithm Yet to be seen: Special r  O(log 6 n) exists (later) If n is composite then one of the tests returns COMPOSITE. Saw: algorithm Yet to be seen: Special r  O(log 6 n) exists (later) If n is composite then one of the tests returns COMPOSITE. 1.Find r  O(log 6 n), s.t. r is special, 2.Let l = 2r 1/2 log n. 3.If exists a small ( < l+1) divisor, output COMPOSITE 4.If n is a power, output COMPOSITE. 5.For a = 1,…,l, if (x-a) n  x n -a (mod x r -1, n), output COMPOSITE. 6.Otherwise output PRIME.

Algo’s Correctness Thm: n is composite  algo returns ‘composite’. That is, If n is composite, and –n has no divisor t  l, and –n is not a (prime) power then  a  [1..l] s.t. (x-a) n  x n -a (mod x r -1, n) Thm: n is composite  algo returns ‘composite’. That is, If n is composite, and –n has no divisor t  l, and –n is not a (prime) power then  a  [1..l] s.t. (x-a) n  x n -a (mod x r -1, n) 1.Find r  O(log 6 n), s.t. r is special, 2.Let l = 2r 1/2 log n. 3.If exists a small ( < l+1) divisor, output COMPOSITE 4.If n is a power, output COMPOSITE. 5.For a = 1,…,l, if (x-a) n  x n -a (mod x r -1, n), output COMPOSITE. 6.Otherwise output PRIME.

For Proof Purpose – Use p and h(x) Let p be a prime factor of n, and let h(x) be an irreducible factor of x r -1, Suffices to show inequality (mod h(x), p) instead of:(mod x r -1, n), i.e.  a  [1..l] s.t. (x-a) n  x n -a (mod h(x), p) Choose p and h(x) s.t. –q|O r (p), and –deg(h(x)) = O r (p) Let p be a prime factor of n, and let h(x) be an irreducible factor of x r -1, Suffices to show inequality (mod h(x), p) instead of:(mod x r -1, n), i.e.  a  [1..l] s.t. (x-a) n  x n -a (mod h(x), p) Choose p and h(x) s.t. –q|O r (p), and –deg(h(x)) = O r (p) Such p exists: q|O r (n)and O r (n) | lcm{O r (p i )}, where n=p 1 p 2 …p k. Such p exists: q|O r (n) and O r (n) | lcm{O r (p i )}, where n=p 1 p 2 …p k. Such h(x) exists: by previous fact.

Proof Assume by contradiction that n is composite, and passes all the tests, i.e. –n has no small factor, and –n is not a (prime) power, and –  a  [1..l] (x-a) n  x n -a (mod h(x), p), For any f(x), which is a multiple of polynomials (x-a) (where a  [1..l]), f(x) n =f(x n ). –Example: f(x)=(x-a 1 )(x-a 2 ) [(x-a 1 )(x-a 2 )] n = (x n -a 1 ) (x n -a 2 ) Assume by contradiction that n is composite, and passes all the tests, i.e. –n has no small factor, and –n is not a (prime) power, and –  a  [1..l] (x-a) n  x n -a (mod h(x), p), For any f(x), which is a multiple of polynomials (x-a) (where a  [1..l]), f(x) n =f(x n ). –Example: f(x)=(x-a 1 )(x-a 2 ) [(x-a 1 )(x-a 2 )] n = (x n -a 1 ) (x n -a 2 )

Variation on Polynomials test Therefore, consider the group generated by {(x-a)} a  [1..l] : Prop: n passes the polynomials test   f(x)  G, f(x) n  f(x n ) Proof: Recall, the polynomials test was:  a=1,…,l, check if (x-a) n  x n -a (mod x r -1, n), and by def of G. Therefore, consider the group generated by {(x-a)} a  [1..l] : Prop: n passes the polynomials test   f(x)  G, f(x) n  f(x n ) Proof: Recall, the polynomials test was:  a=1,…,l, check if (x-a) n  x n -a (mod x r -1, n), and by def of G. 1.Find small special r 2.Small divisors test – composite 3.Power test – composite 4.Polynomials test – composite 5.Otherwise - PRIME. if  f(x)  G, f(x) n  f(x n )

Defining I Are there other integers m s.t.  f(x)  G, f(x) m  f(x m ) ? Yes! For example: p, 1. Any others? Let I = { m |  f  G, f(x) m  f(x m ) }. What’s Ahead: –We first prove that I  [|G|] is small. –However, we show that if n is composite which passes all the tests then I  [|G|] must be large. –Thus obtaining a contradiction. Are there other integers m s.t.  f(x)  G, f(x) m  f(x m ) ? Yes! For example: p, 1. Any others? Let I = { m |  f  G, f(x) m  f(x m ) }. What’s Ahead: –We first prove that I  [|G|] is small. –However, we show that if n is composite which passes all the tests then I  [|G|] must be large. –Thus obtaining a contradiction.

I  [|G|] is small Lemma: Let m1, m2  I, then m1  m2 (mod |G|)  m1  m2 (mod r) Proof: Let g(x) be a generator of G. Let m2=m1+kr. (*) m1  m2 (mod r), then x m1  x m2 (mod h(x)) (as x r  1 (mod h(x))) Therefore: Lemma: Let m1, m2  I, then m1  m2 (mod |G|)  m1  m2 (mod r) Proof: Let g(x) be a generator of G. Let m2=m1+kr. (*) m1  m2 (mod r), then x m1  x m2 (mod h(x)) (as x r  1 (mod h(x))) Therefore:

I  [|G|] is small Lemma: Let m1, m2  I, then m1  m2 (mod |G|)  m1  m2 (mod r) Proof: Let g(x) be a generator of G. Let m2=m1+kr. (*) m1  m2 (mod r), then x m1  x m2 (mod h(x)) (as x r  1 (mod h(x))) Therefore: Lemma: Let m1, m2  I, then m1  m2 (mod |G|)  m1  m2 (mod r) Proof: Let g(x) be a generator of G. Let m2=m1+kr. (*) m1  m2 (mod r), then x m1  x m2 (mod h(x)) (as x r  1 (mod h(x))) Therefore:

I  [|G|] is large First note that |G| is large. Lemma: Proof: Let d=deg(h(x)). Consider all polynomials in G of degree<d. They are all distinct in F p [x]/h(x). Therefore First note that |G| is large. Lemma: Proof: Let d=deg(h(x)). Consider all polynomials in G of degree<d. They are all distinct in F p [x]/h(x). Therefore dis big: q|O r (p)=d d is big: q|O r (p)=d.

I  [|G|] is large – cont. Recall: –p, 1  I and –n passes the polynomials test  n  I Lemma: I is multiplicative, i.e. u,v  I  uv  I. Hence, in particular {n i p j : 0 ≤ i,j ≤ r 1/2 }  I. Therefore, Hence (since) A contradiction! Recall: –p, 1  I and –n passes the polynomials test  n  I Lemma: I is multiplicative, i.e. u,v  I  uv  I. Hence, in particular {n i p j : 0 ≤ i,j ≤ r 1/2 }  I. Therefore, Hence (since) A contradiction!

Proof Summary We saw that I  [|G|] is small (unconditionally, using properties of x r -1), However, if n is composite, has no small divisors, and it is not a prime power, then passing the polynomials test (i.e. n  I) implies that I  [|G|] is large. (using properties of the special r and of x r - 1) Therefore, the polynomials test must return ‘composite’. We saw that I  [|G|] is small (unconditionally, using properties of x r -1), However, if n is composite, has no small divisors, and it is not a prime power, then passing the polynomials test (i.e. n  I) implies that I  [|G|] is large. (using properties of the special r and of x r - 1) Therefore, the polynomials test must return ‘composite’.

Back to Special Numbers Recall: r is special with respect to n if: 1.r is prime, 2.r-1 has a large prime factor q =  (r 2/3 ) 3.q|O r (n). Recall: r is special with respect to n if: 1.r is prime, 2.r-1 has a large prime factor q =  (r 2/3 ) 3.q|O r (n).

1.Find r  O(log 6 n), s.t. r is special, 2.Let l = 2r 1/2 log n. 3.If exists a small ( < l+1) divisor, output COMPOSITE 4.If n is a power, output COMPOSITE. 5.For a = 1,…,l, if (x-a) n  x n -a (mod x r -1, n), output COMPOSITE. 6.Otherwise output PRIME. Finding Special r Elaborating on step (1): 1.while r < c log 6 n 1.if r is prime 2.let q be the largest prime factor of r-1 3.if (q  4r 1/2 log n) and (n (r-1)/q  1 (mod r)) break; 4.r  r+1 Complexity: O(log 6 n) iterations, each taking: O(r 1/2 poly log r), hence total poly log n. Elaborating on step (1): 1.while r < c log 6 n 1.if r is prime 2.let q be the largest prime factor of r-1 3.if (q  4r 1/2 log n) and (n (r-1)/q  1 (mod r)) break; 4.r  r+1 Complexity: O(log 6 n) iterations, each taking: O(r 1/2 poly log r), hence total poly log n. when ‘break’ is reached: r is prime, q is large, and q|O r (n)when ‘break’ is reached: r is prime, q is large, and q|O r (n)

Special r  O(log 6 n) exists Consider interval [ ..  ], ,  =O(log 6 n). Numbers with properties (1) and (2) are dense in [ ..  ] –immediate from density bounds for numbers with these properties and for primes. For many primes r  [ ..  ], property (3) holds. –For many r’s O r (n) >  1/3 : O r (n) <  1/3  r |  =(n-1)(n 2 -1)...(n^  1/3 -1). However,  has no more than  2/3 log n prime divisors. –Moreover, O r (n) >  1/3  q | O r (n): if q doesn’t divide O r (n), then n (r-1)/q  1, therefore O r (n)  (r-1)/q. However (r-1)/q <  1/3 -- a contradiction. (here we utilize again the fact that q is large). Hence, by counting argument, exists a special r  [ ..  ]. Consider interval [ ..  ], ,  =O(log 6 n). Numbers with properties (1) and (2) are dense in [ ..  ] –immediate from density bounds for numbers with these properties and for primes. For many primes r  [ ..  ], property (3) holds. –For many r’s O r (n) >  1/3 : O r (n) <  1/3  r |  =(n-1)(n 2 -1)...(n^  1/3 -1). However,  has no more than  2/3 log n prime divisors. –Moreover, O r (n) >  1/3  q | O r (n): if q doesn’t divide O r (n), then n (r-1)/q  1, therefore O r (n)  (r-1)/q. However (r-1)/q <  1/3 -- a contradiction. (here we utilize again the fact that q is large). Hence, by counting argument, exists a special r  [ ..  ]. Recall: r is special with respect to n if: 1. r is prime, 2. q =  (r 2/3 ) prime factorr-1, 2. q =  (r 2/3 ) prime factor of r-1, 3. q|O r (n).

The End

Proof - G is large, Cont. Hence, Prop: d  2l Proof: Recall d=O r (p) and q|O r (p), hence d  q  2l (recall q  4r 1/2 log n, l=2r 1/2 log n) Hence Hence, Prop: d  2l Proof: Recall d=O r (p) and q|O r (p), hence d  q  2l (recall q  4r 1/2 log n, l=2r 1/2 log n) Hence This is the reason for seeking a large q s.t. q|O r (n)

Proof Lemma: I is multiplicative, i.e. u,v  I  uv  I. Proof: x r -1|x vr -1, therefore hence Lemma: I is multiplicative, i.e. u,v  I  uv  I. Proof: x r -1|x vr -1, therefore hence

Title

Slide Title