1 / 38

A Deterministic Polynomial-time Primality Test

A Deterministic Polynomial-time Primality Test. Manindra Agrawal Neeraj Kayal Nitin Saxena Brought to you by Amit Chakrabarti. “Turns out, Primes are in P” -- Slashdot post, Aug 7, 00:08 

elda
Download Presentation

A Deterministic Polynomial-time Primality Test

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A DeterministicPolynomial-time Primality Test Manindra Agrawal Neeraj Kayal Nitin Saxena Brought to you by Amit Chakrabarti Amit Chakrabarti

  2. “Turns out, Primes are in P” -- Slashdot post, Aug 7, 00:08  “If this is true, they could have easily taken over the infrastructure of a modernized computer-bent, encryption-shielded society such as the US or Japan. If that is indeed the case, these guys deserve a Nobel Peace Prize for giving this powerful tool to all and not using it as a weapon of war.” -- Slashdot comment, Aug 7, 00:20  “If this turns out to be true, then you can bet the NSA has had this algorithm for decades.” -- Slashdot comment, Aug 7, 00:26 Amit Chakrabarti

  3. “Turns out, Primes are in P” -- Slashdot post, Aug 7, 00:08  “If this is true, they could have easily taken over the infrastructure of a modernized computer-bent, encryption-shielded society such as the US or Japan. If that is indeed the case, these guys deserve a Nobel Peace Prize for giving this powerful tool to all and not using it as a weapon of war.” -- Slashdot comment, Aug 7, 00:20  “If this turns out to be true, then you can bet the NSA has had this algorithm for decades.” -- Slashdot comment, Aug 7, 00:26 Amit Chakrabarti

  4. The Problem Given integer n, decide whether or not n is prime in time poly(log n). Previously: • Randomized poly(log n)-time test • Deterministic poly((log n)log log log n)-time test • Deterministic poly-time test assuming ERH Amit Chakrabarti

  5. The Test • Easy: the identity (x - a)n= xn – a (mod n) holds for all a iff n is prime. • Concern: identity takes Q(n) time to verify even for a single a. And there are Q(n) a’s. • Key new result: if (x – a)n = xn – a (mod n, xr-1) for a “small” r and all “small” a, then n is prime. Amit Chakrabarti

  6. Notation • Pmin(n) = smallest prime factor of n • Pmax(n) = largest prime factor of n • or(n) = order of n mod r = min { t > 0: nt= 1 (mod r) } Amit Chakrabarti

  7. The Test in More Detail Let t = 2r1/2 log n • Suppose r is prime; r < Pmin(n) • Suppose q = Pmax(r-1) satisfies • q > 2t • q | or(n) • Suppose (x – a)n = xn – a (mod n, xr-1) for all a in {1,2,…,t} • Then n is a prime power. Amit Chakrabarti

  8. In Full Detail if(n = ab, b>1) output COMPOSITE; for(r = 2 to n) if(gcd(n,r) ≠ 1) output COMPOSITE; if(r is prime) q = Pmax(r-1); if(q  2t && n(r-1)/q ≢1 (mod r)) break; for(a = 1 to t) if((x-a)n ≢xn-a (mod n,xr-1)) output COMPOSITE; output PRIME; Amit Chakrabarti

  9. In Full Detail if(n = ab, b>1) output COMPOSITE; for(r = 2 to n) if(gcd(n,r) ≠ 1) output COMPOSITE; if(r is prime) q = Pmax(r-1); if(q  2t && n(r-1)/q ≢1 (mod r)) break; for(a = 1 to t) if((x-a)n ≢xn-a (mod n,xr-1)) output COMPOSITE; output PRIME; Loop 1 Amit Chakrabarti

  10. In Full Detail if(n = ab, b>1) output COMPOSITE; for(r = 2 to n) if(gcd(n,r) ≠ 1) output COMPOSITE; if(r is prime) q = Pmax(r- 1); if(q  2t && n(r-1)/q ≢1 (mod r)) break; for(a = 1 to t) if((x-a)n ≢ xn-a (mod n,xr-1)) output COMPOSITE; output PRIME; Loop 2 Amit Chakrabarti

  11. What We Must Prove THE HARD PARTS Lemma 1: The first loop finishes with a “small” value for r . . . r = O(log6n). Theorem 1: If n is composite, the algorithm outputs COMPOSITE. Amit Chakrabarti

  12. What We Must Prove THE EASY PARTS Theorem 2: If n is prime, the algorithm outputs PRIME. Theorem 3: The algorithm runs in poly(log n) time. Amit Chakrabarti

  13. Proof of Lemma 1 Enough to show: ∃ c1,c2 and prime r  [c1log6n, c2log6n] s.t. q = Pmax(r-1) satisfies q > 2t and q | or(n). There are W(x/log x) primes p < x s.t. Pmax(p-1) > x2/3. [Fouvry’85] Thus, W(log6n/log log n) primes r satisfy the first condition . . . use r2/3> 4r1/2log n = 2t. Amit Chakrabarti

  14. Proof of Lemma 1 Enough to show: ∃ c1,c2 and prime r  [c1log6n, c2log6n] s.t. q = Pmax(r-1) satisfies q > 2t and q | or(n). There areW(x/log x)primesp < xs.t. Pmax(p-1) > p2/3. [Fouvry’85] Thus, W(log6n/log log n) primes r satisfy the first condition . . . use r2/3> 4r1/2log n = 2t. Amit Chakrabarti

  15. Proof of Lemma 1 Enough to show: ∃ c1,c2 and prime r  [c1log6n, c2log6n] s.t. q = Pmax(r-1) satisfies q > 2t and q | or(n). There areW(x/log x)primesp < xs.t. Pmax(p-1) > p2/3. [Fouvry’85] Thus, W(log6n/log log n) primes r in the range satisfy q > r2/3> 4r1/2log n = 2t. Amit Chakrabarti

  16. Proof of Lemma 1, cont’d Let x = c2log6n. Take any such r which does not divide N = (n - 1) (n2 - 1) … (nx1/3 - 1) Exists, because log N < x2/3log n = O(log5n). Then, (r-1)/q < r1/3< x1/3 So, n(r-1)/q≢ 1 (mod r) So, q | or(n). Amit Chakrabarti

  17. Proof of Theorem 2 if(n = ab, b>1) output COMPOSITE; for(r = 2 to n) if(gcd(n,r) ≠ 1) output COMPOSITE; if(r is prime) q = Pmax(r-1); if(q  2t && n(r-1)/q ≢1 (mod r)) break; for(a = 1 to t) if((x-a)n ≢xn-a (mod n,xr-1)) output COMPOSITE; output PRIME; Amit Chakrabarti

  18. Proof of Theorem 3 if(n = ab, b>1) output COMPOSITE; for(r = 2 to n) if(gcd(n,r) ≠ 1) output COMPOSITE; if(r is prime) q = Pmax(r-1); if(q  2t && n(r-1)/q ≢1 (mod r)) break; for(a = 1 to t) if((x-a)n ≢xn-a (mod n,xr-1)) output COMPOSITE; output PRIME; Loop 1 Amit Chakrabarti

  19. Proof of Theorem 3 if(n = ab, b>1) output COMPOSITE; for(r = 2 to n) if(gcd(n,r) ≠ 1) output COMPOSITE; if(r is prime) q = Pmax(r- 1); if(q  2t && n(r-1)/q ≢1 (mod r)) break; for(a = 1 to t) if((x-a)n ≢ xn-a (mod n,xr-1)) output COMPOSITE; output PRIME; Loop 2 Amit Chakrabarti

  20. Finally… Proof of Theorem 1 To prove: if n is composite, the algorithm outputs COMPOSITE. Assume that it outputs PRIME. Then (x – a)n = xn – a (mod n, xr-1) for all a in {1,2,…,t}. Also, q = Pmax(r-1) is s.t. q > 2t and q | or(n) Also, r < Pmin(n) Our goal: to prove that n is a prime power. Amit Chakrabarti

  21. Two Key Inequalities Suppose n = p1k1 . p2k2 . .. psks Then or(n) = lcm{ or(piki) } | lcm{ or(pi) } . Amit Chakrabarti

  22. Two Key Inequalities Suppose n = p1k1 . p2k2 . .. psks Then q | or(n) = lcm{ or(piki) } | lcm{ or(pi) } So, n has a prime factor p s.t. q | or(p) Let d = or(p) Then, d > q > 2t. Also, p > Pmin(n) > r > q > 2t > t. Our goal: to prove that n is a power of p. Amit Chakrabarti

  23. Algebra For integer m and f(x)Z[x], say (f,m) is nice if f(xm) = f(x)m (mod p, xr-1) • If (f,m) and (g,m) are nice, then so is (fg,m). • If (f,m) and (f,m’) are nice, then so is (f,mm’). Amit Chakrabarti

  24. Algebra For integer m and f(x)Z[x], say (f,m) is nice if f(xm) = f(x)m (mod p, xr-1) • If (f,m) and (g,m) are nice, then so is (fg,m). • If (f,m) and (f,m’) are nice, then so is (f,mm’). Proof… f(xmm’) = f(xm)m’ (mod p, xmr-1)  f(xmm’) = f(xm)m’ (mod p, xr-1)  f(xmm’) = f(x)mm’ (mod p, xr-1) Amit Chakrabarti

  25. More Algebra • In Fp[x], xr-1 has an irreducible factor h(x) with deg(h) = or(p) = d. • Fix h(x); let K = Fp[x]/h(x). Amit Chakrabarti

  26. Constructions Ŝ = S = image of Ŝ in K = Ŝ mod p, h(x) Use the key inequalities: Since p > t, |S| = |Ŝ| = > (d/t)t. Since d > 2t, |S| > 2t = 22r1/2log n = n2r1/2. Amit Chakrabarti

  27. Constructions, cont’d • Let E = { nipj: 0 < i,j < r1/2 } • For all mE, m <n2r1/2 < |S| • Assume n is not a power of p Then, |E| > (1 + r1/2)2 > r, so E contains m,m’ such that m = m’ (mod r) i.e., xm= xm’ (mod xr-1) i.e., xm = xm’ in the field K. Amit Chakrabarti

  28. The Nice Property For any ĝŜ and mE, (ĝ,m) is nice, i.e., ĝ(xm) =ĝ(x)m (mod p, xr-1) Enough to consider ĝ(x) = x – a. Enough to consider m = n and m = p. Now it’s trivial… (x – a)n= xn – a (mod xr-1). (x – a)p= xp – a (mod p) . Corollary: in the field K, for gS and mE, g(xm) = g(x)m. Amit Chakrabarti

  29. The Nice Property For any ĝŜ and mE, (ĝ,m) is nice, i.e., ĝ(xm) =ĝ(x)m (mod p, xr-1) Enough to consider ĝ(x) = x – a. Enough to consider m = n and m = p. Now it’s trivial… (x – a)n= xn – a (mod xr-1). (x – a)p= xp – a (mod p) . Corollary: in the field K, for gS and mE, g(xm) = g(x)m. Amit Chakrabarti

  30. The Nice Property For any ĝŜ and mE, (ĝ,m) is nice, i.e., ĝ(xm) =ĝ(x)m (mod p, xr-1) Enough to consider ĝ(x) = x – a. Enough to consider m = n and m = p. Now it’s trivial… (x – a)n= xn – a (mod xr-1). (x – a)p= xp – a (mod p) . Corollary: in the field K, for gS and mE, g(xm) = g(x)m. Amit Chakrabarti

  31. The Nice Property For any ĝŜ and mE, (ĝ,m) is nice, i.e., ĝ(xm) =ĝ(x)m (mod p, xr-1) Enough to consider ĝ(x) = x – a. Enough to consider m = n and m = p. Now it’s trivial… (x – a)n= xn – a (mod xr-1). (x – a)p= xp – a (mod p) . Corollary: in the field K, for gS and mE, g(xm) = g(x)m. Amit Chakrabarti

  32. The Nice Property For any ĝŜ and mE, (ĝ,m) is nice, i.e., ĝ(xm) =ĝ(x)m (mod p, xr-1) Enough to consider ĝ(x) = x – a. Enough to consider m = n and m = p. Now it’s trivial… (x – a)n= xn – a (mod xr-1). (x – a)p= xp – a (mod p) . Corollary: in the field K, for gS and mE, g(xm) = g(x)m. Amit Chakrabarti

  33. The Contradiction Let G = S, multiplicative subgroup of K*. Since K* is cyclic, G is cyclic. Suppose G = g. Recall:  distinct m,m’E s.t. xm = xm’ in K. So, g(x)m = g(xm) = g(xm’) = g(x)m’. Thus, m = m’ (mod |G|). But |G| > |S| > m,m’. Contradiction. Amit Chakrabarti

  34. The Contradiction Let G = S, multiplicative subgroup of K*. Since K* is cyclic, G is cyclic. Suppose G = g. Recall:  distinct m,m’E s.t. xm = xm’ in K. So, g(x)m = g(xm) = g(xm’) = g(x)m’. Thus, m = m’ (mod |G|). But |G| > |S| > m,m’. Contradiction. Amit Chakrabarti

  35. Another Way [Kalai,Sahai,Sudan] As before,  distinct m,m’E s.t. xm = xm’ in K. For any fS, f(x)m = f(xm) = f(xm’) = f(x)m’. So, f is a root of the polynomial Q(z) = zm - zm’ K[z] But deg(Q) = max(m,m’) < |S|. Contradiction. Amit Chakrabarti

  36. Another Way [Kalai,Sahai,Sudan] As before,  distinct m,m’E s.t. xm = xm’ in K. For any fS, f(x)m = f(xm) = f(xm’) = f(x)m’. So, f is a root of the polynomial Q(z) = zm - zm’ K[z] But deg(Q) = max(m,m’) < |S|. Contradiction. Amit Chakrabarti

  37. Another Way [Kalai,Sahai,Sudan] As before,  distinct m,m’E s.t. xm = xm’ in K. For any fS, f(x)m = f(xm) = f(xm’) = f(x)m’. So, f is a root of the polynomial Q(z) = zm - zm’ K[z] But deg(Q) = max(m,m’) < |S|. Contradiction. Amit Chakrabarti

  38. That’s All, Folks “This is highly unlikely. It will only be a matter of time before somebody finds a flaw in the paper. I suppose I will give it a bash.” -- Slashdot comment, Aug 7, 05:37  What do you think? Amit Chakrabarti

More Related