1 / 47

PRIMES is in P

PRIMES is in P. Manindra Agrawal NUS Singapore / IIT Kanpur. The Problem. Given number n , test if it is prime efficiently. Efficiently = in time a polynomial in number of digits = (log n ) c for some constant c. The Trial Division Method. Try dividing by all numbers up to n 1/2 .

adrina
Download Presentation

PRIMES is in P

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PRIMES is in P Manindra Agrawal NUS Singapore / IIT Kanpur

  2. The Problem Given number n, test if it is prime efficiently. Efficiently = in time a polynomial in number of digits = (log n)cfor some constant c

  3. The Trial Division Method Try dividing by all numbers up ton1/2. • takes exponential time: (n1/2). • Also produces a factor of n when it is composite.

  4. A Possible Approach Find a characterization of prime numbers that is efficiently verifiable • Many characterizations of primes have been obtained over centuries. • But none were provably efficient until recently.

  5. Wilson’s Characterization (18th century) n is prime iff (n-1)! = -1 (mod n) • Requires O(n) operations

  6. Fermat’s Little Theorem (17th century) n is prime implies for anya: an = a (mod n). It is easy to check: Compute a2, square it to a4, square it to a8, … Needs only O(log n) multiplications.

  7. An Efficient but Wrong Characterization n is prime iff for 0 < a < 4 log2n: an = a (mod n) • Requires only O(log3n) multiplications and divisions. • Fails on Carmichael numbers, e.g., 561 = 3 * 11 * 17.

  8. Lucas’ Characterization (1891) n is prime iff for every prime divisor q of n-1: there is an 1 < a < n such that an-1 = 1 (mod n) and gcd(a(n-1)/q – 1, n) = 1 • Based on FLT • It is inefficient: requiresfactorization of n-1

  9. An NP  coNP Algorithm • A trivial algorithm shows that the set is in coNP: given a factor of n it is easy to verify thatnis composite. • [Pratt, 1974] Lucas’ characterization yields an NP algorithm: guess a prime factorization of n-1; recursively verify its correctness; and guess an a with required properties.

  10. Miller’s (unproven) Characterization (1975) n = 1 + 2t * s is odd prime iff for 0 < a < 4 log2n: either as = 1 (mod n) or a2k*s = -1 (mod n) for some 0 ≤ k < t

  11. Yields an Efficient Algorithm • Based on FLT • Yields an efficient algorithm:O(log4n)steps • It is correct assumingGeneralized Riemann Hypothesis

  12. coRP Algorithms • [1974] Solovay-Strassen gave the first unconditional but randomized polynomial time algorithm. • This algorithm might give awrong answerwith asmall probabilitywhenn is composite. • [1975] Rabin modified Miller’s characterization to obtain another algorithm with similar properties.

  13. An Almost Efficient Characterization • [1983] Adleman, Pomerance, and Rumely gave a (rather complicated) characterization that yields a deterministic algorithm running in time (log n)c log log log n.

  14. An Efficient Chracterization [2002] A., Kayal, Saxena gave the first deterministically verifiable efficient characterization.

  15. Starting Point: A Polynomial based Characterization n is prime iff (X + 1)n = Xn + 1 (mod n) Proof: If n is prime then all coefficients are divisible by n. If n is composite then at least one is not.

  16. A generalization of FLT to polynomials. • Simple and elegant. • Inefficient: although requires onlyO(log n) polynomial multiplications, intermediate polynomials are of large degree.

  17. A Way to Reduce Space • Test the equation modulo Xr - 1 for a small r. • Or, more generally, test if (X + a)n = Xn + a (mod n, Xr - 1) For a few a’s and a few small r’s.

  18. It Almost Works Or(n) = smallest k with nk = 1 (mod r). n is prime iff for any r such that Or(n) > 4 log2n: n has no divisor smaller than min(n,r) and for every a, 1 ≤ a ≤ 2 √r log n: (X + a)n = Xn + a (mod n, Xr – 1)

  19. The Algorithm Input n. • Find the smallest number r such that Or(n) > 4 (log n)2. • If any number < r divides n, output PRIME/COMPOSITE appropriately. • For every a  2r log n: • If (X+a)n Xn + a (mod n, Xr – 1) then output COMPOSITE. • Output PRIME.

  20. Correctness: Non-trivial Part Assume: • r is given such that Or(n) > 4(log n)2. • Smallest prime dividing n is at least min(n,r). • (X+a)n = Xn + a (mod n, Xr-1) for 0 < a  2r log n.

  21. Fix a prime p dividing n with p  r and Or(p) > 1. • Clearly, (X+a)n = Xn + a (mod p, Xr-1) too for 0 < a  2r log n. • And of course, (X+a)p = Xp + a (mod p, Xr-1) (according to previous prime characterization)

  22. Introspective Numbers • We call any numbermsuch thatg(X)m = g(Xm) (mod p, Xr-1) an introspective number forg(X). • So, p and n are introspective numbers for X+afor 0 < a  2r log n.

  23. Introspective Numbers Are Closed Under * Lemma: Ifsandtare introspective forg(X),so iss * t. Proof: g(X)st = g(Xs)t (mod p, Xr – 1), and g(Xs)t = g(Xst)(mod p, Xsr – 1) = g(Xst)(mod p, Xr – 1).

  24. So There Are Lots of Them • Let I = { ni * pj | i, j  0}. • EveryminIis introspective forX+afor0 < a  2r log n.

  25. Introspective Numbers Are Also For Products Lemma: Ifmis introspective for bothg(X) andh(X),then it is also forg(X) * h(X). Proof: (g(X) * h(X))m = g(X)m * h(X)m = g(Xm) * h(Xm) (mod p, Xr-1)

  26. So Introspective Numbers Are For Lots of Polynomials • Let Q = { a=1, 2r logn(X + a)ea | ea 0}. • Every minIis introspective for everyg(X)inQ.

  27. Finite Fields Facts • Let h(X) be an irreducible divisor of rth cyclotomic polynomialCr(X) in the ring Fp[X]: • Cr(X) divides Xr-1. • Polynomials modulop andh(X)form a field, say F. • Xi Xjin Ffor0  i  j < r.

  28. Moving to Field F • Sinceh(X)dividesXr-1, equations for introspective numbers continue to hold inF. • We now argue over F.

  29. Two Sets in Field F • Let G = { Xm | m  I }. • Every element of G is an rthroot of unity. • t = |G| Or(n) > 4 log2n. • Let H = { g(X) (mod p, h(X)) | g(X)  Q }. • H is a multiplicative group in F.

  30. H is large … • Let Qt be set of all polynomials in Q of degree < t. Lemma: There are>n2tdistinct polynomials inQt: • Consider all products of X+a’s of degee < t. • There are > >n2tof these (since r > t andt > 2 log n).

  31. … because Qt injects into F • Letf(X), g(X)inQtwith f(X) g(X). • Suppose f(X) = g(X)in F.Then: • For everyXminG,f(Xm) = f(X)m = g(X)m = g(Xm)inF. • So polynomialP(z) = f(z) – g(z)has |G| =troots in F. • Contradiction, since P(z) 0 and degree ofP(z)is< t.

  32. … implies that I has few small numbers • Let m1, m2, …, mk be numbers in I n2t. • Suppose k > t. • Then, there exist miand mj, mi > mj, such that Xmi = Xmj (in F) I: set of introspective numbers F = Fp[X]/(h(X)), h(X) | Xr-1 Q: set of introspective polynomials G = XI H = Q (mod h(X))

  33. Let g(X) be any element of H. • Then: g(X)mi = g(Xmi)= g(Xmj)= g(X)mj(in F) • Therefore, g(X) is a root of the polynomial P(z) =zmi – zmj in the field F. I: set of introspective numbers F = Fp[X]/(h(X)), h(X) | Xr-1 Q: set of introspective polynomials G = XI H = Q (mod h(X))

  34. SinceHhas more thann2telements in F, P(Y) has more than n2troots inF. • Contradiction, since P(z) 0 and degree of P(z) =mi n2t. I: set of introspective numbers F = Fp[X]/(h(X)), h(X) | Xr-1 Q: set of introspective polynomials G = XI H = Q (mod h(X))

  35. … so n must be a prime power! • Consider numbers na * pb with 0  a, b  t. • Each such number is  n2t (“small”). • So there are t (“few”) such numbers. • This givesa, b, c, dwith (a,b)  (c,d)andna * pb = nc * pd • Therefore, n = pefor some e > 0. t = Or(n,p) F = Fp[X]/(h(X)), h(X) | Xr-1 I: set of introspective numbers Qlow: polynomials of deg < t I: set of introspective numbers F = Fp[X]/(h(X)), h(X) | Xr-1 Q: set of introspective polynomials G = XI H = Q (mod h(X))

  36. This forces n to be prime Lemma [Hendrik Lenstra Jr.,1983]:Ifan = a (mod n) for 1 ≤ a ≤ 4 log2n then nis square-free. Since (X+a)n = Xn + a (mod n, Xr-1) for 0 < a  2r log n, we have an = a (mod n) for 0 < a  4 log2n, (as r > 4 log2n). So n must be square-free.

  37. The Choice of r • We need r such that Or(n) > 4 (log n)2. • Any r such that Or(n) 4 (log n)2must divide k=1, 4 log2n(nk-1) < n16 log4n = 216log5n. • By Chebyshev’s prime density estimates the lcm of first m numbers is at least 2m (for m > 7). • Therefore, there must exist anrthat we desire 16 (log n)5 + 1.

  38. Time Complexity • Step 3 dominates running time. • It needs to verifyO(r log n) equations. • Each equation needsO~(r log2n)time to verify. • So time complexity is O~(r1.5 log3n)= O~(log10.5n).

  39. Using a result of Fouvry, one can show that r = O(log3n) is enough. • The result shows that primes r such that r-1 has a large prime divisor have high density. • This brings time complexity down to O~(log7.5n).

  40. A Cleaner Characterization • The characterization is a bit messy. • Three different conditions need to hold: • rneeds to be such thatOr(n) > 4(log n)2 • No prime divisor of n is smaller than min(n,r) • For every a, 1 ≤ a ≤ √r log n: (X + a)n = Xn + a (mod n, Xr – 1) • Can these be combined into a single equation?

  41. Yes! Use the equation (X + 1)n = Xn + 1 (mod n, Q(X)) for appropriate small dgree Q(X).

  42. Eliminating Condition onr Try for all r ≤ 16 log5n!

  43. Eliminating Small Divisors Lemma:If(X + 1)n = Xn + 1 (mod n, Xr) thennhas no divisor less thenmin(n,r). Proof:If prime p < min(n,r) divides n, then (X + 1)n = 1 + n/p Xp + … (mod n, Xr)  1 (mod n, Xr).

  44. Eliminating Multiple Equations Lemma:(X + 1)n = Xn + 1 (mod n, Q(X-a)) for 0 < a ≤ B iff (X + a)n = Xn + a (mod n, Q(X)) for 1 < a ≤ B+1. Proof:Assume for B-1. Then: (X + 1)n = Xn + 1 (mod n, Q(X-B)) iff (X+B+1)n = (X+B)n + 1 (mod n, Q(X)) iff (X+B+1)n = Xn + B + 1 (mod n, Q(X))

  45. Putting These Together … n is prime iff (X + 1)n = Xn + 1 (mod n, Q(X)) where • Degree of Q(X) is O(log27/2n).

  46. Further work • [Lenstra-Pomerance,2003]:r = O(log2n) is enough with a different polynomial of degree r than Xr-1. • This improves time complexity toO~(log6n). • [Berrizbeitia-Bernstein,2003]: Randomized primality proving algorithm with time complexity O~(log4n).

  47. Further Improvement? • Conjecture: nis prime iff nis not a prime power, n  1 (mod r)for some prime r > log n, and(X-1)n = Xn –1(mod n, Xr – 1) • Yields a O~(log3n) time algorithm.

More Related