Download presentation: Deciding Primality is in P M Agrawal N


Number of slides: 24

Deciding Primality is in P. M. Agrawal, N. Kayal, N. Saxena. Presentation by Adi Akavia.

Background
- Sieve of Eratosthenes, 240 BC: …(n).
- Fermat's Little Theorem (17th century): if p is prime and $a \not\equiv 0 \pmod p$, then $a^{p-1} \equiv 1 \pmod p$. (The converse does not hold: Carmichael numbers.)
- Polynomial-time algorithms:
  - [Miller 76]: deterministic, assuming the Extended Riemann Hypothesis.
  - [Solovay, Strassen 77; Rabin 80]: unconditional, but randomized.
  - [Goldwasser, Kilian 86]: randomized, produces a certificate for primality (for almost all numbers).
  - [Atkin 86; Adleman, Huang 92]: primality certificate for all numbers.
  - [Adleman, Pomerance, Rumely 83]: deterministic, $(\log n)^{O(\log\log n)}$-time.

This Paper: unconditional, deterministic, polynomial.
- Def (Sophie-Germain primes): primes (p-1)/2 s.t. p is also prime.
- Def: r is "almost Sophie-Germain" (ASG) if r is prime and r-1 has a large prime factor q, of order $r^{2/3}$.
- Tools:
  - simple algebra;
  - high-density theorem for primes p that are "almost Sophie-Germain" [Fou 85, BH 96];
  - high-density conjecture for primes p s.t. (p-1)/2 is Sophie-Germain.

Basic Idea
- Fact: for any a s.t. (a, n) = 1: n is prime iff $(x-a)^n \equiv x^n - a \pmod n$; n is composite implies $(x-a)^n \not\equiv x^n - a \pmod n$.
- Proof: expand $(x-a)^n$ using the Newton binomial formula. Assume n is prime, then …. Assume n is composite; let q | n and $q^k \| n$, then … and …, hence $x^q$ has a non-zero coefficient (mod n).
- Naive algorithm: pick an arbitrary a and check if $(x-a)^n \equiv x^n - a \pmod n$. Problem: time complexity …(n).

Basic Idea
- Idea: pick an arbitrary a and some polynomial $x^r - 1$ with r = poly log n, and check if $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ n}$. Time complexity: poly(r).
- n is prime implies $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ n}$.
- n is composite implies (??) $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$.
- Not true for some (few) values of a, r!

Improved Idea: pick many (poly log n) a's, and check for all of them if $(x-a)^n \equiv x^n - a \pmod{x^r - 1,\ n}$. Accept if equality holds for all a's.

Algebraic Background – Extension Field
- Def: Consider fields F, E. E is an extension of F if F is a subfield of E.
- Def: The Galois field $GF(p^k)$ (p prime) is the unique (up to isomorphism) finite field containing $p^k$ elements. (The cardinality of any finite field is a prime power.)
- Def: A polynomial f(x) is called irreducible over GF(p) if it does not factor over GF(p).

Multiplicative Group
- Def: $GF^*(p^k)$ is the multiplicative group of the Galois field $GF(p^k)$, that is, $GF^*(p^k) = GF(p^k) \setminus \{0\}$.
- Thm: $GF^*(p^k)$ is cyclic, thus it has a generator g: …

Constructing Galois Fields
- Def: $F_p$ denotes a finite field of p elements (p is prime).
- Def: Let f(x) be a k-degree polynomial.
- Def: Let $F_p[x]/f(x)$ be the set of polynomials of degree at most k-1 over $F_p$, with addition and multiplication modulo f(x).
- Thm: If f(x) is irreducible over GF(p), then $GF(p^k)$ is isomorphic to $F_p[x]/f(x)$.

$F_p[x]/f(x)$ – Example
- Let the irreducible polynomial f(x) be: …
- Represent polynomials as vectors (a (k-1)-degree polynomial is a vector of k coefficients): …
- Addition: …

$F_p[x]/f(x)$ – Example, Multiplication:
- First, multiply "mod p": …
- Next, apply "mod f(x)": …

The Algorithm
- Def: r is special if r is Almost Sophie-Germain and $q \mid O_r(n)$ (where q is the large prime factor of r-1, and $O_r(n)$ is the multiplicative order of n modulo r).
Input: integer n.
1. Find $r = O(\log^6 n)$ s.t. r is special.
2. Let $l = 2 r^{1/2} \log n$.
3. For t = 2, …, l: if t | n, output COMPOSITE.
4. If n is a (prime) power, $n = p^k$ for k > 1, output COMPOSITE.
5. For a = 1, …, l: if $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$, output COMPOSITE.
6. Otherwise, output PRIME.

Proof's Structure
Saw: the primality test (steps 1–6 above). We next show:
- A special $r = O(\log^6 n)$ exists.
- For such r: if n is composite and passes steps (3) and (4), then there exists $a \in [1..l]$ s.t. $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$ (hence the test returns COMPOSITE at step (5)).

Finding Suitable r. Elaborating on step (1):
1. while $r < c \log^6 n$:
2.   if r is prime:
3.     let q be the largest prime factor of r-1
4.     if ($q \geq 4 r^{1/2} \log n$) and ($n^{(r-1)/q} \not\equiv 1 \pmod r$): break
5.   $r \leftarrow r + 1$
- When 'break' is reached: r is prime, q is large, and $q \mid O_r(n)$.
- Complexity: $O(\log^6 n)$ iterations, each taking $O(r^{1/2}\,\mathrm{poly}\log r)$, hence total poly log n.

Lemma: A special $r = O(\log^6 n)$ exists.
Proof:
- Let …, … $= O(\log^6 n)$, and consider the interval [ .. ].
- ASG numbers are dense in [ .. ]: #ASG[ .. ] ≥ #ASG[1 .. ] − #primes[1 .. ] = …$(\log^6 n / \log\log n)$ (using the density of ASG numbers, and the upper bound on the density of primes).
- There are only few primes $r \in$ [ .. ] s.t. $O_r(n) <$ …$^{1/3}$: such r divide $(n-1)(n^2-1)\cdots(n^{…^{1/3}}-1)$. However, this product has no more than …$^{2/3} \log n$ prime divisors.
- Hence, by a counting argument, there exists an ASG $r \in$ [ .. ] s.t. $O_r(n) >$ …$^{1/3}$.
- Moreover, $O_r(n) >$ …$^{1/3}$ implies $q \mid O_r(n)$: assume q does not divide $O_r(n)$; then $n^{(r-1)/q} \equiv 1$, therefore $O_r(n) \leq (r-1)/q$. However $(r-1)/q <$ …$^{1/3}$, a contradiction.
- Therefore, there exists a special $r \in$ [ .. ].

Correctness Proof
Lemma: n is composite implies step (5) returns COMPOSITE. That is, if n is composite, n has no factor $t \leq l$, and n is not a prime power, then there exists $a \in [1..l]$ s.t. $(x-a)^n \not\equiv x^n - a \pmod{x^r - 1,\ n}$.

Proof
- Let p be a prime factor of n, and let h(x) be an irreducible factor of $x^r - 1$. It suffices to show the inequality (mod h(x), p) instead of (mod $x^r - 1$, n), i.e. there exists $a \in [1..l]$ s.t. $(x-a)^n \not\equiv x^n - a \pmod{h(x),\ p}$.
- Choose p and h(x) s.t. $q \mid O_r(p)$ and $\deg(h(x)) = O_r(p)$.
- Such p exists: let $n = p_1 p_2 \cdots p_k$, then $O_r(n) = \mathrm{lcm}\{O_r(p_i)\}$. Therefore $q \mid O_r(n)$ implies $q \mid O_r(p_i)$ for some i (as q is prime).
- Such h exists: by the previous claim.

Proof
- Assume by contradiction that n is composite and passes all the tests, i.e. n has no small factor, n is not a prime power, and for all $a \in [1..l]$: $(x-a)^n \equiv x^n - a \pmod{h(x),\ p}$.

Proof
- Consider the group G generated by $\{(x-a)\}_{a \in [1..l]}$ (mod h(x), p), i.e. …
- Note: for all $f(x) \in G$, $f(x)^n \equiv f(x^n)$.
- Let $I = \{ m \mid \forall f \in G,\ f(x)^m \equiv f(x^m) \}$.
- Lemma: I is multiplicative, i.e. $u, v \in I$ implies $uv \in I$. Proof: $x^r - 1 \mid x^{vr} - 1$, therefore … hence …

Proof – $n \in I$, I is large
- Prop: $(i, j) \neq (i', j')$ implies $n^i p^j \neq n^{i'} p^{j'}$ (since $n \neq p^k$).
- Lemma: for all …, if $u, v \in I$ are s.t. $(i, j) \neq (i', j')$ implies $u^i v^j \neq u^{i'} v^{j'}$, then $|I \cap [\,uv\,…\,]| > …^2$: there are $(… + 1)^2$ different pairs (i, j), each giving a distinct value.
- Corollary: for all …, $n \in I$ implies $|I \cap [\,uv\,…\,]| > …^2$. Proof: $p \in I$. However, …
- Lemma: consider all polynomials of degree bounded by r. …

Irreducible Factors of $(x^r-1)/(x-1)$
- Def: Let h(x) denote any irreducible factor of $(x^r-1)/(x-1)$, and $d = \deg(h(x))$.
- Recall: if r is special with respect to n, then r-1 has a large prime factor q s.t. $q \mid O_r(n)$. Choose p s.t. $q \mid O_r(p)$ (exists). Then d is large.
- Claim: for all such h(x), $d = O_r(p)$.
- Proof: Denote $k = O_r(p)$. Note $F_p[x]/h(x)$ is of size $p^d$, therefore $(F_p[x]/h(x))^*$ is cyclic of order $p^d - 1$.
  - k | d: $x^r \equiv 1 \pmod{h(x)}$, hence $O_{h(x)}(x) = r$, therefore $r \mid p^d - 1$, i.e. $p^d \equiv 1 \pmod r$, and hence k | d (recall $k = O_r(p)$).
  - d | k: let g be a generator, then … hence $p^d - 1 \mid p^k - 1$, and therefore d | k.

Proof – I is small
- Lemma: Let $m_1, m_2 \in I$. If $m_1 \equiv m_2 \pmod r$, then $m_1 \equiv m_2 \pmod{|G|}$.
- Proof: Let g(x) be a generator of G. Let $m_2 = m_1 + kr$. (*) $m_1 \equiv m_2 \pmod r$, then $x^{m_1} \equiv x^{m_2} \pmod{h(x)}$ (as $x^r \equiv 1 \pmod{h(x)}$). …
- Lemma (I is small): $|I \cap [|G|]| \leq r$.
- Proof: Each two elements in $I \cap [|G|]$ are different mod |G|. Therefore they are different mod r. Hence $|I \cap [|G|]| \leq r$.
- Contradiction!

The End

Proof – G is large, Cont.
- Hence …. This is the reason for seeking a large q s.t. $q \mid O_r(n)$.
- Prop: $d \geq 2l$. Proof: Recall $d = O_r(p)$ and $q \mid O_r(p)$, hence $d \geq q \geq 2l$ (recall $q \geq 4 r^{1/2} \log n$ and $l = 2 r^{1/2} \log n$).
- Hence …