Presentation is loading. Please wait.

Presentation is loading. Please wait.

PRIMES is in P Manindra Agrawal Neeraj Kayal Nitin Saxena Dept of CSE, IIT Kanpur.

Published byAndrea Aleesha Summers Modified over 7 years ago

Similar presentations

Presentation on theme: "PRIMES is in P Manindra Agrawal Neeraj Kayal Nitin Saxena Dept of CSE, IIT Kanpur."— Presentation transcript:

1 PRIMES is in P Manindra Agrawal Neeraj Kayal Nitin Saxena Dept of CSE, IIT Kanpur

2 The Problem Given number n, test if it is prime efficiently. Efficiently = in time a polynomial in number of digits = (log n) c for some constant c

3 In Complexity Theory Terminology is PRIMES in P? PRIMES : set of all prime numbers P : class of efficiently solvable problems All problems that can be solved in time which grows as polynomial in the input size of the problem instance.

4 The Trial Division Method Try dividing by all numbers up to n 1/2. –Already known since ~230 BC (Sieve of Eratosthenes) –takes exponential time:  (n 1/2 ). –Also produces a factor of n when it is composite.

5 Trial Division is Too Slow Trial division method is too inefficient for large numbers: –For a 100 digit number, it will require about 10 50 divisions. A supercomputer working at 100 teraflops will require more than the life of the universe to do this!

6 Is There a Faster Method? Many attempts were made to find an efficient characterization of primes. None succeeded. –For example, Wilson (18 th century) showed: N is prime iff (n-1)! = -1 (mod n) –This requires n-3 multiplications

7 Fermat’s Little Theorem if n is prime then for any a: a n = a (mod n). It is easy to check: Compute a 2, square it to a 4, square it to a 8, … Needs only O(log n) multiplications.

8 A Potential Test For a “few” a’s test if a n = a (mod n); if yes, output PRIME else output COMPOSITE. This fails! –For n = 561 = 3 * 11 * 17, all a’s satisfy the equation!!

9 The Class NP NP: A set is in NP if every member of the set has an efficiently verifiable proof of membership. –It may not be possible to find such a proof efficiently. –Example: set of graphs that contain a cycle covering all vertices coNP: the complements of sets in NP.

10 PRIMES in NP  coNP A trivial algorithm shows that the set is in coNP: given a factor of n it is easy to verify that n is composite. [1974] Vaughan Pratt designed an NP algorithm for testing primality.

11 PRIMES in P (conditionally) [1973] Miller designed a test based on Fermat’s Little Theorem: –It was efficient: O(log 4 n) steps –It was correct assuming Generalized Riemann Hypothesis.

12 PRIMES in coRP Soon after, Rabin modified Miller’s algorithm to obtain an unconditional but randomized polynomial time algorithm. –This algorithm might give a wrong answer with a small probability when n is composite. [1973] Solovay-Strassen gave another algorithm with similar properties.

13 PRIMES in P (almost) [1983] Adleman, Pomerance, and Rumely gave a deterministic algorithm running in time (log n) c log log log n.

14 PRIMES in RP [1986] Goldwasser and Kilian gave a randomized algorithm that –works almost always in polynomial time –errs only on primes. [1992] Adleman and Huang improved this to an algorithm that is always polynomial time.

15 PRIMES is in P [2002] We gave a deterministic and unconditional polynomial-time algorithm for primality testing.

16 Main Idea Start from Fermat’s Little Theorem. However: –Numbers modulo n (ring Z/nZ) does not seem to have nice structure to exploit. –So extend the ring to a larger ring in the hope for more structure. Consider polynomials modulo n and X r –1, or the ring Z/nZ[X]/(X r -1).

17 Generalized FLT If n is prime then for any a: (X + a) n = X n + a (mod n, X r -1). Proof: If n is prime, n divides for every i, 0 < i < n. If n is composite, then n does not divide for any prime p dividing n.

18 A Potential Test For a “small” r and a “few” a’s, test the Generalized FLT equation.

19 It Works (Almost)! We prove: If (X + a) n = X n + a (mod n, X r -1) for every 0 < a < 2  r log n and for suitably chosen “small” r then either n is a prime power or has a prime divisor less than r

20 The Algorithm Input n. 1.Output COMPOSITE if n = m k, k > 1. 2.Find the smallest number r such that O r (n) > 4 (log n) 2. 3.If any number < r divides n, output PRIME/COMPOSITE appropriately. 4.For every a  2  r log n: –If (X+a) n  X n + a (mod n, X r – 1) then output COMPOSITE. 5.Output PRIME. O r (n) = smallest k with n k = 1 (mod r).

21 Correctness If the algorithm outputs COMPOSITE, n must be composite: –COMPOSITE in step 1  n = m k, k > 1. –COMPOSITE in step 3  a number < r divides n. –COMPOSITE in step 4  (X+a) n  X n + a (mod n, X r -1) for some a. If the algorithm outputs PRIME in step 3, n is a prime number < r.

22 When Algorithm Outputs PRIME in Step 5 Then (X+a) n = X n + a (mod n, X r -1) for 0 < a  2  r log n. Let prime p | n with O r (p) > 1. Clearly, (X+a) n = X n + a (mod p, X r -1) too for 0 < a  2  r log n. And of course, (X+a) p = X p + a (mod p, X r -1) (according to Generalized FLT)

23 Introspective Numbers We call any number m such that g(X) m = g(X m ) (mod p, X r -1) an introspective number for g(X). So, 1, p and n are introspective numbers for X+a for 0 < a  2  r log n.

24 Introspective Numbers Are Closed Under * Lemma: If s and t are introspective for g(X), so is s * t. Proof: g(X) st = g(X s ) t (mod p, X r – 1), and g (X s ) t = g (X st ) (mod p, X sr – 1) = g(X st ) (mod p, X r – 1).

25 So There Are Lots of Them! Let I = { n i * p j | i, j  0}. Every m in I is introspective for X+a for 0 < a  2  r log n.

26 Introspective Numbers Are Also For Products Lemma: If m is introspective for both g(X) and h(X), then it is also for g(X) * h(X). Proof: (g(X) * h(X)) m = g(X) m * h(X) m = g(X m ) * h(X m ) (mod p, X r -1)

27 So Introspective Numbers Are For Lots of Products! Let Q = {  a=1, 2  r logn (X + a) e a | e a  0}. Every m in I is introspective for every g(X) in Q. So there are lots of introspective numbers for lots of polynomials.

28 Finite Fields Facts Let h(X) be an irreducible divisor of r th cyclotomic polynomial C r (X) in the ring F p [X]: –C r (X) divides X r -1. –Polynomials modulo p and h(X) form a field, say F. –X i  X j in F for 0  i  j < r.

29 Moving to Field F Since h(X) divides X r -1, equations for introspective numbers continue to hold in F. We now argue over F.

30 Two Sets in Field F Let G = { X m | m  I }. –Every element of G is an rth root of unity. –|G|  O r (n) > 4 log 2 n. Let H = { g(X) (mod p, h(X)) | g(X)  Q }. –H is a multiplicative group in F.

31 H is large … Let Q low be set of all polynomials in Q of degree < |G|. Lemma: There are > n 2  |G| distinct polynomials in Q low : –Consider all products of X+a’s of degee < |G|. –There are > > n 2  |G| of these (since r > |G| and  |G| > 2 log n).

32 … because Q low injects into F Let f(X), g(X) in Q low with f(X)  g(X). Suppose f(X) = g(X) in F. Then: For every X m in G, f(X m ) = f(X) m = g(X) m = g(X m ) in F. So polynomial P(Y) = f(Y) – g(Y) has |G| roots in F. Contradiction, since P(Y)  0 and degree of P(Y) is < |G|.

33 … implies that I has few small numbers Let m 1, m 2, …, m k be numbers in I  n 2  |G|. Suppose k > |G|. Then, there exist m i and m j, m i > m j, such that X m i = X m j (in F) I: set of introspective numbers F = F p [X]/(h(X)), h(X) | X r -1 Q: set of introspective polynomialsG = X I H = Q (mod h(X))

34 Let g(X) be any element of H. Then: g(X) m i = g(X m i ) = g(X m j ) = g(X) m j (in F) Therefore, g(X) is a root of the polynomial P(Y) = Y m i – Y m j in the field F. Since H has more than n 2  |G| polynomials in F, P(Y) has more than n 2  |G| roots in F. Contradiction, since P(Y)  0 and degree of P(Y) = m i  n 2  |G|. I: set of introspective numbers F = F p [X]/(h(X)), h(X) | X r -1 Q: set of introspective polynomialsG = X I H = Q (mod h(X))

35 t = O r (n,p)F = F p [X]/(h(X)), h(X) | X r -1 I: set of introspective numbersQ low : polynomials of deg < t … so n must be a prime! Consider numbers n a * p b with 0  a, b   |G|. Each such number is  n 2  |G| (“small”). So there are  |G| (“few”) such numbers. This gives a, b, c, d with (a,b)  (c,d) and n a * p b = n c * p d Therefore, n = p e which implies n = p. I: set of introspective numbers F = F p [X]/(h(X)), h(X) | X r -1 Q: set of introspective polynomialsG = X I H = Q (mod h(X))

36 The Choice of r We need r such that O r (n) > 4 (log n) 2. Any r such that O r (n)  4 (log n) 2 must divide  k=1, 4 log 2 n (n k -1) < n 16 log 4 n = 2 16 log 5 n. By Chebyshev’s prime deensity estimates: lcm of first m numbers is at least 2 m (for m > 7). Therefore, there must exist an r that we desire  16 (log n) 5 + 1.

37 Time Complexity Step 4 dominates running time. –It needs to verify O(  r log n) equations. –Each equation needs O ~ (r log 2 n) time to verify. So time complexity is O ~ (r 1.5 log 3 n) = O ~ (log 10.5 n). Using a result of Fouvry, one can show that r = O(log 3 n) is enough. The result shows that primes r such that r-1 has a large prime divisor have high density. This brings time complexity down to O ~ (log 7.5 n).

38 Further work [Lenstra-Pomerance] r = O(log 2 n) is enough with a different polynomial. –This improves time complexity to O ~ (log 6 n). [Berrizbeitia-Bernstein] Randomized primality proving algorithm with time complexity O ~ (log 4 n).

39 Further Improvement? Conjecture: If n  1 (mod r) for some prime r > log n and (X-1) n = X n –1 (mod n, X r – 1) then n must be a prime power. Yields a O ~ (log 3 n) time algorithm.

Download ppt "PRIMES is in P Manindra Agrawal Neeraj Kayal Nitin Saxena Dept of CSE, IIT Kanpur."

Similar presentations

Presented by Alex Atkins.  An integer p >= 2 is a prime if its only positive integer divisors are 1 and p.  Euclid proved that there are infinitely.

Presented by Alex Atkins.  An integer p >= 2 is a prime if its only positive integer divisors are 1 and p.  Euclid proved that there are infinitely.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Primality Testing) Prof. Dr. Th. Ottmann.
Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.

Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.
Prime Numbers: A Recent Discovery, Secure Communications, and Million Dollar Prizes George T. Gilbert TCU January 29, 2003.

Prime Numbers: A Recent Discovery, Secure Communications, and Million Dollar Prizes George T. Gilbert TCU January 29, 2003.
1 Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Presentation by Adi Akavia.

1 Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Presentation by Adi Akavia.
Computability and Complexity

Computability and Complexity
Having Proofs for Incorrectness

Having Proofs for Incorrectness
Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou

Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Lecture 8: Primality Testing and Factoring Piotr Faliszewski

Lecture 8: Primality Testing and Factoring Piotr Faliszewski
Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.

Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.
COM 5336 Cryptography Lecture 7a Primality Testing

COM 5336 Cryptography Lecture 7a Primality Testing
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel:03- 5742968, Fax : 886-3-572-3694.

1 Chapter 7– Introduction to Number Theory Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
1 Fingerprint 2 Verifying set equality Verifying set equality v String Matching – Rabin-Karp Algorithm.

1 Fingerprint 2 Verifying set equality Verifying set equality v String Matching – Rabin-Karp Algorithm.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Slides by Adi Akavia.

Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Slides by Adi Akavia.
Complexity1 Pratt’s Theorem Proved. Complexity2 Introduction So far, we’ve reduced proving PRIMES  NP to proving a number theory claim. This is our next.

Complexity1 Pratt’s Theorem Proved. Complexity2 Introduction So far, we’ve reduced proving PRIMES  NP to proving a number theory claim. This is our next.
K. -C. Yang and J. -L. Lin National Tsing Hua University

K. -C. Yang and J. -L. Lin National Tsing Hua University

Similar presentations

Ads by Google