1 / 39

PRIMES is in P

PRIMES is in P. Manindra Agrawal Neeraj Kayal Nitin Saxena Dept of CSE, IIT Kanpur. The Problem. Given number n , test if it is prime efficiently. Efficiently = in time a polynomial in number of digits = (log n ) c for some constant c. In Complexity Theory Terminology.

gretchen-torres
Download Presentation

PRIMES is in P

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PRIMES is in P Manindra Agrawal Neeraj Kayal Nitin Saxena Dept of CSE, IIT Kanpur

  2. The Problem Given number n, test if it is prime efficiently. Efficiently = in time a polynomial in number of digits = (log n)cfor some constant c

  3. In Complexity Theory Terminology is PRIMES in P? • PRIMES: set of all prime numbers • P : class of efficiently solvable problems All problems that can be solved in time which grows as polynomial in the input size of the problem instance.

  4. The Trial Division Method Try dividing by all numbers up ton1/2. • Already known since ~230 BC (Sieve of Eratosthenes) • takes exponential time: (n1/2). • Also produces a factor of n when it is composite.

  5. Trial Division is Too Slow • Trial division method is too inefficient for large numbers: • For a 100 digit number, it will require about 1050 divisions. • A supercomputer working at 100 teraflops will require more than the life of the universe to do this!

  6. Is There a Faster Method? • Many attempts were made to find an efficient characterization of primes. • None succeeded. • For example, Wilson (18th century) showed: Nis prime iff(n-1)! = -1 (mod n) • This requires n-3 multiplications

  7. Fermat’s Little Theorem ifn is prime then for anya: an = a (mod n). It is easy to check: Compute a2, square it to a4, square it to a8, … Needs only O(log n) multiplications.

  8. A Potential Test • For a “few”a’s test ifan = a (mod n); • if yes, outputPRIMEelse outputCOMPOSITE. This fails! • For n = 561 = 3 * 11 * 17, alla’s satisfy the equation!!

  9. The Class NP • NP: A set is in NP if every member of the set has an efficiently verifiable proof of membership. • It may not be possible to find such a proof efficiently. • Example: set of graphs that contain a cycle covering all vertices • coNP: the complements of sets in NP.

  10. PRIMES in NP  coNP • A trivial algorithm shows that the set is in coNP: given a factor of n it is easy to verify that n is composite. • [1974] Vaughan Pratt designed an NP algorithm for testing primality.

  11. PRIMES in P (conditionally) • [1973] Miller designed a test based on Fermat’s Little Theorem: • It was efficient: O(log4 n) steps • It was correct assuming Generalized Riemann Hypothesis.

  12. PRIMES in coRP • Soon after, Rabin modified Miller’s algorithm to obtain an unconditional but randomized polynomial time algorithm. • This algorithm might give awrong answerwith asmall probabilitywhenn is composite. • [1973] Solovay-Strassen gave another algorithm with similar properties.

  13. PRIMES in P (almost) • [1983] Adleman, Pomerance, and Rumely gave a deterministic algorithm running in time (log n)c log log log n.

  14. PRIMES in RP • [1986] Goldwasser and Kilian gave a randomized algorithm that • works almost alwaysin polynomial time • errs only on primes. • [1992] Adleman and Huang improved this to an algorithm that is always polynomial time.

  15. PRIMES is in P [2002] We gave a deterministic and unconditionalpolynomial-time algorithm for primality testing.

  16. Main Idea • Start from Fermat’s Little Theorem. • However: • Numbers modulo n (ring Z/nZ) does not seem to have nice structure to exploit. • So extend the ring to a larger ring in the hope for more structure. Consider polynomials modulonand Xr–1, or the ring Z/nZ[X]/(Xr-1).

  17. Generalized FLT If n is prime then for anya: (X + a)n = Xn + a (mod n, Xr-1). Proof: If n is prime, n divides for every i, 0 < i < n. If n is composite, then n does not divide for any prime p dividing n.

  18. A Potential Test For a “small” r and a “few” a’s, test the Generalized FLT equation.

  19. It Works (Almost)! • We prove: If (X + a)n = Xn + a (mod n, Xr-1) for every0 < a <2 r log n and for suitably chosen “small” r then either nis a prime power or has a prime divisor less than r

  20. The Algorithm • Input n. • Output COMPOSITE if n = mk, k > 1. • Find the smallest number r such that Or(n) > 4 (log n)2. • If any number < r divides n, output PRIME/COMPOSITE appropriately. • For every a  2 r log n: • If (X+a)n Xn + a (mod n, Xr – 1) then output COMPOSITE. • Output PRIME. Or(n) = smallest k with nk = 1 (mod r).

  21. Correctness • If the algorithm outputs COMPOSITE, n must be composite: • COMPOSITE in step 1  n = mk, k > 1. • COMPOSITE in step 3  a number < r divides n. • COMPOSITE in step 4  (X+a)n Xn + a (mod n, Xr-1)for some a. • If the algorithm outputs PRIME in step 3, n is a prime number < r.

  22. When Algorithm Outputs PRIME in Step 5 • Then (X+a)n = Xn + a (mod n, Xr-1) for 0 < a  2 r log n. • Let prime p | n withOr(p) > 1. • Clearly, (X+a)n = Xn + a (mod p, Xr-1) too for 0 < a  2 r log n. • And of course, (X+a)p = Xp + a (mod p, Xr-1) (according to Generalized FLT)

  23. Introspective Numbers • We call any numbermsuch thatg(X)m = g(Xm) (mod p, Xr-1) an introspective number forg(X). • So, 1, p and n are introspective numbers for X+afor 0 < a  2 r log n.

  24. Introspective Numbers Are Closed Under * Lemma: Ifsandtare introspective forg(X),so iss * t. Proof: g(X)st = g(Xs)t (mod p, Xr – 1), and g(Xs)t = g(Xst)(mod p, Xsr – 1) = g(Xst)(mod p, Xr – 1).

  25. So There Are Lots of Them! • Let I = { ni * pj | i, j  0}. • EveryminIis introspective forX+afor0 < a  2 r log n.

  26. Introspective Numbers Are Also For Products Lemma: Ifmis introspective for bothg(X) andh(X),then it is also forg(X) * h(X). Proof: (g(X) * h(X))m = g(X)m * h(X)m = g(Xm) * h(Xm) (mod p, Xr-1)

  27. So Introspective Numbers Are For Lots of Products! • Let Q = { a=1, 2r logn(X + a)ea | ea 0}. • Every minIis introspective for everyg(X)inQ. • So there are lots of introspective numbers for lots of polynomials.

  28. Finite Fields Facts • Let h(X) be an irreducible divisor of rth cyclotomic polynomialCr(X) in the ring Fp[X]: • Cr(X) divides Xr-1. • Polynomials modulop andh(X)form a field, say F. • Xi Xjin Ffor0  i  j < r.

  29. Moving to Field F • Sinceh(X)dividesXr-1, equations for introspective numbers continue to hold inF. • We now argue over F.

  30. Two Sets in Field F • Let G = { Xm | m  I }. • Every element of G is an rthroot of unity. • |G| Or(n) > 4 log2n. • Let H = { g(X) (mod p, h(X)) | g(X)  Q }. • H is a multiplicative group in F.

  31. H is large … • Let Qlow be set of all polynomials in Q of degree < |G|. Lemma: There are>n2|G|distinct polynomials inQlow: • Consider all products of X+a’s of degee < |G|. • There are > >n2|G| of these (since r > |G| and|G| > 2 log n).

  32. … because Qlow injects into F • Letf(X), g(X)inQlowwith f(X) g(X). • Suppose f(X) = g(X)in F.Then: • For everyXminG,f(Xm) = f(X)m = g(X)m = g(Xm)inF. • So polynomialP(Y) = f(Y) – g(Y)has |G|roots in F. • Contradiction, since P(Y) 0 and degree ofP(Y)is< |G|.

  33. … implies that I has few small numbers • Let m1, m2, …, mk be numbers in I n2|G|. • Suppose k > |G|. • Then, there exist miand mj, mi > mj, such that Xmi = Xmj (in F) I: set of introspective numbers F = Fp[X]/(h(X)), h(X) | Xr-1 Q: set of introspective polynomials G = XI H = Q (mod h(X))

  34. Let g(X) be any element of H. Then: g(X)mi = g(Xmi)= g(Xmj)= g(X)mj(in F) • Therefore, g(X) is a root of the polynomial P(Y) =Ymi – Ymj in the field F. • SinceHhas more thann2|G|polynomials in F, P(Y) has more than n2|G|roots inF. • Contradiction, since P(Y) 0 and degree of P(Y) =mi n2|G|. I: set of introspective numbers F = Fp[X]/(h(X)), h(X) | Xr-1 Q: set of introspective polynomials G = XI H = Q (mod h(X))

  35. … so n must be a prime! • Consider numbers na * pb with 0  a, b  |G|. • Each such number is  n2|G| (“small”). • So there are |G| (“few”) such numbers. • This givesa, b, c, dwith (a,b)  (c,d)andna * pb = nc * pd • Therefore, n = pewhich implies n = p. t = Or(n,p) F = Fp[X]/(h(X)), h(X) | Xr-1 I: set of introspective numbers Qlow: polynomials of deg < t I: set of introspective numbers F = Fp[X]/(h(X)), h(X) | Xr-1 Q: set of introspective polynomials G = XI H = Q (mod h(X))

  36. The Choice of r • We need r such that Or(n) > 4 (log n)2. • Any r such that Or(n) 4 (log n)2must divide k=1, 4 log2n(nk-1) < n16 log4n = 216log5n. • By Chebyshev’s prime deensity estimates: lcm of first m numbers is at least 2m (for m > 7). • Therefore, there must exist anrthat we desire 16 (log n)5 + 1.

  37. Time Complexity • Step 4 dominates running time. • It needs to verifyO(r log n) equations. • Each equation needsO~(r log2n)time to verify. • So time complexity is O~(r1.5 log3n)= O~(log10.5n). • Using a result of Fouvry, one can show that r = O(log3n) is enough. • The result shows that primes r such that r-1 has a large prime divisor have high density. • This brings time complexity down to O~(log7.5n).

  38. Further work • [Lenstra-Pomerance]r = O(log2n) is enough with a different polynomial. • This improves time complexity toO~(log6n). • [Berrizbeitia-Bernstein] Randomized primality proving algorithm with time complexity O~(log4n).

  39. Further Improvement? • Conjecture:Ifn  1 (mod r)for some prime r > log n and(X-1)n = Xn –1(mod n, Xr – 1)thennmust be a prime power. • Yields a O~(log3n) time algorithm.

More Related