Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur


 Dayna Collins
 1 years ago
 Views:
Transcription
1 Is n a Prime Number? Manindra Agrawal IIT Kanpur March 27, 2006, Delft Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 1 / 47
2 Overview 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 2 / 47
3 Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 3 / 47
4 The Problem Given a number n, decide if it is prime. Easy: try dividing by all numbers less than n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 4 / 47
5 The Problem Given a number n, decide if it is prime. Easy: try dividing by all numbers less than n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 4 / 47
6 The Problem Given a number n, decide if it is prime efficiently. Not so easy: several nonobvious methods have been found. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 5 / 47
7 The Problem Given a number n, decide if it is prime efficiently. Not so easy: several nonobvious methods have been found. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 5 / 47
8 Efficiently Solving a Problem There should exist an algorithm for solving the problem taking a polynomial in input size number of steps. For our problem, this means an algorithm taking log O(1) n steps. Caveat: An algorithm taking log 12 n steps would be slower than an algorithm taking log log log log n n steps for all practical values of n! Notation: log is logarithm base 2. O (log c n) stands for O(log c n log log O(1) n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 6 / 47
9 Efficiently Solving a Problem There should exist an algorithm for solving the problem taking a polynomial in input size number of steps. For our problem, this means an algorithm taking log O(1) n steps. Caveat: An algorithm taking log 12 n steps would be slower than an algorithm taking log log log log n n steps for all practical values of n! Notation: log is logarithm base 2. O (log c n) stands for O(log c n log log O(1) n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 6 / 47
10 Efficiently Solving a Problem There should exist an algorithm for solving the problem taking a polynomial in input size number of steps. For our problem, this means an algorithm taking log O(1) n steps. Caveat: An algorithm taking log 12 n steps would be slower than an algorithm taking log log log log n n steps for all practical values of n! Notation: log is logarithm base 2. O (log c n) stands for O(log c n log log O(1) n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 6 / 47
11 Efficiently Solving a Problem There should exist an algorithm for solving the problem taking a polynomial in input size number of steps. For our problem, this means an algorithm taking log O(1) n steps. Caveat: An algorithm taking log 12 n steps would be slower than an algorithm taking log log log log n n steps for all practical values of n! Notation: log is logarithm base 2. O (log c n) stands for O(log c n log log O(1) n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 6 / 47
12 Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 7 / 47
13 The Sieve of Eratosthenes Proposed by Eratosthenes (ca. 300 BCE). 1 List all numbers from 2 to n in a sequence. 2 Take the smallest uncrossed number from the sequence and cross out all its multiples. 3 If n is uncrossed when the smallest uncrossed number is greater than n then n is prime otherwise composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 8 / 47
14 Time Complexity If n is prime, algorithm crosses out all the first n numbers before giving the answer. So the number of steps needed is Ω( n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 9 / 47
15 Time Complexity If n is prime, algorithm crosses out all the first n numbers before giving the answer. So the number of steps needed is Ω( n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 9 / 47
16 Wilson s Theorem Based on Wilson s theorem (1770). Theorem n is prime iff (n 1)! = 1 (mod n). Computing (n 1)! (mod n) naïvely requires Ω(n) steps. No significantly better method is known! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 10 / 47
17 Wilson s Theorem Based on Wilson s theorem (1770). Theorem n is prime iff (n 1)! = 1 (mod n). Computing (n 1)! (mod n) naïvely requires Ω(n) steps. No significantly better method is known! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 10 / 47
18 Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 11 / 47
19 Fundamental Idea Nearly all the efficient algorithms for the problem use the following idea. Identify a finite group G related to number n. Design an efficienty testable property P( ) of the elements G such that P(e) has different values depending on whether n is prime. The element e is either from a small set (in deterministic algorithms) or a random element of G (in randomized algorithms). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 12 / 47
20 Fundamental Idea Nearly all the efficient algorithms for the problem use the following idea. Identify a finite group G related to number n. Design an efficienty testable property P( ) of the elements G such that P(e) has different values depending on whether n is prime. The element e is either from a small set (in deterministic algorithms) or a random element of G (in randomized algorithms). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 12 / 47
21 Fundamental Idea Nearly all the efficient algorithms for the problem use the following idea. Identify a finite group G related to number n. Design an efficienty testable property P( ) of the elements G such that P(e) has different values depending on whether n is prime. The element e is either from a small set (in deterministic algorithms) or a random element of G (in randomized algorithms). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 12 / 47
22 Fundamental Idea Nearly all the efficient algorithms for the problem use the following idea. Identify a finite group G related to number n. Design an efficienty testable property P( ) of the elements G such that P(e) has different values depending on whether n is prime. The element e is either from a small set (in deterministic algorithms) or a random element of G (in randomized algorithms). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 12 / 47
23 Groups and Properties The group G is often: A subgroup of Z n or Z n [ζ] for an extension ring Z n [ζ]. A subgroup of E(Z n ), the set of points on an elliptic curve modulo n. The properties vary, but are from two broad themes. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 13 / 47
24 Groups and Properties The group G is often: A subgroup of Z n or Z n [ζ] for an extension ring Z n [ζ]. A subgroup of E(Z n ), the set of points on an elliptic curve modulo n. The properties vary, but are from two broad themes. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 13 / 47
25 Groups and Properties The group G is often: A subgroup of Z n or Z n [ζ] for an extension ring Z n [ζ]. A subgroup of E(Z n ), the set of points on an elliptic curve modulo n. The properties vary, but are from two broad themes. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 13 / 47
26 Theme I: Factorization of Group Size Compute a complete, or partial, factorization of the size of G assuming that n is prime. Use the knowledge of this factorization to design a suitable property. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 14 / 47
27 Theme I: Factorization of Group Size Compute a complete, or partial, factorization of the size of G assuming that n is prime. Use the knowledge of this factorization to design a suitable property. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 14 / 47
28 Theme II: Fermat s Little Theorem Theorem (Fermat, 1660s) If n is prime then for every e, e n = e (mod n). Group G = Z n and property P is P(e) e n = e in G. This property of Z n is not a sufficient test for primality of n. So try to extend this property to a neccessary and sufficient condition. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 15 / 47
29 Theme II: Fermat s Little Theorem Theorem (Fermat, 1660s) If n is prime then for every e, e n = e (mod n). Group G = Z n and property P is P(e) e n = e in G. This property of Z n is not a sufficient test for primality of n. So try to extend this property to a neccessary and sufficient condition. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 15 / 47
30 Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 16 / 47
31 Lucas Theorem Theorem (E. Lucas, 1891) Let n 1 = t i=1 pd i i where p i s are distinct primes. n is prime iff there is an e Z n such that e n 1 = 1 and gcd(e n 1 p i 1, n) = 1 for every 1 i t. The theorem also holds for a random choice of e. We can choose G = Z n and P to be the property above. The test will be efficient only for numbers n such that n 1 is smooth. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 17 / 47
32 Lucas Theorem Theorem (E. Lucas, 1891) Let n 1 = t i=1 pd i i where p i s are distinct primes. n is prime iff there is an e Z n such that e n 1 = 1 and gcd(e n 1 p i 1, n) = 1 for every 1 i t. The theorem also holds for a random choice of e. We can choose G = Z n and P to be the property above. The test will be efficient only for numbers n such that n 1 is smooth. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 17 / 47
33 Lucas Theorem Theorem (E. Lucas, 1891) Let n 1 = t i=1 pd i i where p i s are distinct primes. n is prime iff there is an e Z n such that e n 1 = 1 and gcd(e n 1 p i 1, n) = 1 for every 1 i t. The theorem also holds for a random choice of e. We can choose G = Z n and P to be the property above. The test will be efficient only for numbers n such that n 1 is smooth. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 17 / 47
34 LucasLehmer Test G is a subgroup of Z n [ 3] containing elements of order n + 1. The property P is: P(e) e n+1 2 = 1 in Z n [ 3]. Works only for special Mersenne primes of the form n = 2 p 1, p prime. For such n s, n + 1 = 2 p. The property needs to be tested only for e = Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 18 / 47
35 LucasLehmer Test G is a subgroup of Z n [ 3] containing elements of order n + 1. The property P is: P(e) e n+1 2 = 1 in Z n [ 3]. Works only for special Mersenne primes of the form n = 2 p 1, p prime. For such n s, n + 1 = 2 p. The property needs to be tested only for e = Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 18 / 47
36 LucasLehmer Test G is a subgroup of Z n [ 3] containing elements of order n + 1. The property P is: P(e) e n+1 2 = 1 in Z n [ 3]. Works only for special Mersenne primes of the form n = 2 p 1, p prime. For such n s, n + 1 = 2 p. The property needs to be tested only for e = Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 18 / 47
37 Time Complexity Raising to n+1 2 th power requires O(log n) multiplication operations in Z n. Overall time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 19 / 47
38 Time Complexity Raising to n+1 2 th power requires O(log n) multiplication operations in Z n. Overall time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 19 / 47
39 PocklingtonLehmer Test Theorem (Pocklington, 1914) If there exists a e such that e n 1 = 1 (mod n) and gcd(e n 1 p j 1, n) = 1 for distinct primes p 1, p 2,..., p t dividing n 1 then every prime factor of n has the form k t j=1 p j + 1. Similar to Lucas s theorem. Let G = Z n and property P precisely as in the theorem. The property is tested for a random e. For the test to work, we need t j=1 n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 20 / 47
40 PocklingtonLehmer Test Theorem (Pocklington, 1914) If there exists a e such that e n 1 = 1 (mod n) and gcd(e n 1 p j 1, n) = 1 for distinct primes p 1, p 2,..., p t dividing n 1 then every prime factor of n has the form k t j=1 p j + 1. Similar to Lucas s theorem. Let G = Z n and property P precisely as in the theorem. The property is tested for a random e. For the test to work, we need t j=1 n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 20 / 47
41 PocklingtonLehmer Test Theorem (Pocklington, 1914) If there exists a e such that e n 1 = 1 (mod n) and gcd(e n 1 p j 1, n) = 1 for distinct primes p 1, p 2,..., p t dividing n 1 then every prime factor of n has the form k t j=1 p j + 1. Similar to Lucas s theorem. Let G = Z n and property P precisely as in the theorem. The property is tested for a random e. For the test to work, we need t j=1 n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 20 / 47
42 Time Complexity Depends on the difficulty of finding prime factorizations of n 1 whose product is at least n. Other operations can be carried out efficiently. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 21 / 47
43 Time Complexity Depends on the difficulty of finding prime factorizations of n 1 whose product is at least n. Other operations can be carried out efficiently. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 21 / 47
44 Elliptic Curves Based Tests Elliptic curves give rise to groups of different sizes associated with the given number. With good probability, some of these groups have sizes that can be easily factored. This motivated primality testing based on elliptic curves. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 22 / 47
45 Elliptic Curves Based Tests Elliptic curves give rise to groups of different sizes associated with the given number. With good probability, some of these groups have sizes that can be easily factored. This motivated primality testing based on elliptic curves. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 22 / 47
46 Elliptic Curves Based Tests Elliptic curves give rise to groups of different sizes associated with the given number. With good probability, some of these groups have sizes that can be easily factored. This motivated primality testing based on elliptic curves. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 22 / 47
47 GoldwasserKilian Test This is a randomized primality proving algorithm. Under a reasonable hypothesis, it is polynomial time on all inputs. Unconditionally, it is polynomial time on all but negligible fraction of numbers. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 23 / 47
48 GoldwasserKilian Test This is a randomized primality proving algorithm. Under a reasonable hypothesis, it is polynomial time on all inputs. Unconditionally, it is polynomial time on all but negligible fraction of numbers. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 23 / 47
49 GoldwasserKilian Test This is a randomized primality proving algorithm. Under a reasonable hypothesis, it is polynomial time on all inputs. Unconditionally, it is polynomial time on all but negligible fraction of numbers. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 23 / 47
50 GoldwasserKilian Test Consider a random elliptic curve over Z n. By a theorem of Lenstra (1987), the number of points of the curve is nearly uniformly distributed in the interval [n n, n n] for prime n. Assuming a conjecture about the density of primes in small intervals, it follows that there are curves with 2q points, for q prime, with reasonable probability. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 24 / 47
51 GoldwasserKilian Test Consider a random elliptic curve over Z n. By a theorem of Lenstra (1987), the number of points of the curve is nearly uniformly distributed in the interval [n n, n n] for prime n. Assuming a conjecture about the density of primes in small intervals, it follows that there are curves with 2q points, for q prime, with reasonable probability. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 24 / 47
52 GoldwasserKilian Test Consider a random elliptic curve over Z n. By a theorem of Lenstra (1987), the number of points of the curve is nearly uniformly distributed in the interval [n n, n n] for prime n. Assuming a conjecture about the density of primes in small intervals, it follows that there are curves with 2q points, for q prime, with reasonable probability. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 24 / 47
53 GoldwasserKilian Test Theorem (GoldwasserKilian) Suppose E(Z n ) is an elliptic curve with 2q points. If q is prime and there exists A E(Z n ) O such that q A = O then either n is provably prime or provably composite. Proof. Let p be a prime factor of n with p n. We have q A = O in E(Z p ) as well. If A = O in E(Z p ) then n can be factored. Otherwise, since q is prime, E(Z p ) q. If 2q < n n then n must be composite. Otherwise, p p > n 2 n which is not possible. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 25 / 47
54 GoldwasserKilian Test Theorem (GoldwasserKilian) Suppose E(Z n ) is an elliptic curve with 2q points. If q is prime and there exists A E(Z n ) O such that q A = O then either n is provably prime or provably composite. Proof. Let p be a prime factor of n with p n. We have q A = O in E(Z p ) as well. If A = O in E(Z p ) then n can be factored. Otherwise, since q is prime, E(Z p ) q. If 2q < n n then n must be composite. Otherwise, p p > n 2 n which is not possible. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 25 / 47
55 GoldwasserKilian Test Theorem (GoldwasserKilian) Suppose E(Z n ) is an elliptic curve with 2q points. If q is prime and there exists A E(Z n ) O such that q A = O then either n is provably prime or provably composite. Proof. Let p be a prime factor of n with p n. We have q A = O in E(Z p ) as well. If A = O in E(Z p ) then n can be factored. Otherwise, since q is prime, E(Z p ) q. If 2q < n n then n must be composite. Otherwise, p p > n 2 n which is not possible. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 25 / 47
56 GoldwasserKilian Test Theorem (GoldwasserKilian) Suppose E(Z n ) is an elliptic curve with 2q points. If q is prime and there exists A E(Z n ) O such that q A = O then either n is provably prime or provably composite. Proof. Let p be a prime factor of n with p n. We have q A = O in E(Z p ) as well. If A = O in E(Z p ) then n can be factored. Otherwise, since q is prime, E(Z p ) q. If 2q < n n then n must be composite. Otherwise, p p > n 2 n which is not possible. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 25 / 47
57 GoldwasserKilian Test 1 Find a random elliptic curve over Z n with 2q points. 2 Prove primality of q recursively. 3 Randomly select an A such that q A = O. 4 Infer n to be prime or composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 26 / 47
58 GoldwasserKilian Test 1 Find a random elliptic curve over Z n with 2q points. 2 Prove primality of q recursively. 3 Randomly select an A such that q A = O. 4 Infer n to be prime or composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 26 / 47
59 GoldwasserKilian Test 1 Find a random elliptic curve over Z n with 2q points. 2 Prove primality of q recursively. 3 Randomly select an A such that q A = O. 4 Infer n to be prime or composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 26 / 47
60 GoldwasserKilian Test 1 Find a random elliptic curve over Z n with 2q points. 2 Prove primality of q recursively. 3 Randomly select an A such that q A = O. 4 Infer n to be prime or composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 26 / 47
61 Analysis The algorithm never incorrectly classifies a composite number. With high probability it correctly classifies prime numbers. The running time is O(log 11 n). Improvements by Atkin and others result in a conjectured running time of O (log 4 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 27 / 47
62 Analysis The algorithm never incorrectly classifies a composite number. With high probability it correctly classifies prime numbers. The running time is O(log 11 n). Improvements by Atkin and others result in a conjectured running time of O (log 4 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 27 / 47
63 Analysis The algorithm never incorrectly classifies a composite number. With high probability it correctly classifies prime numbers. The running time is O(log 11 n). Improvements by Atkin and others result in a conjectured running time of O (log 4 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 27 / 47
64 Analysis The algorithm never incorrectly classifies a composite number. With high probability it correctly classifies prime numbers. The running time is O(log 11 n). Improvements by Atkin and others result in a conjectured running time of O (log 4 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 27 / 47
65 AdlemanHuang Test The previous test is not unconditionally polynomial time on a small fraction of numbers. AdlemanHuang (1992) removed this drawback. They first used hyperelliptic curves to reduce the problem of testing for n to that of a nearly random integer of similar size. Then the previous test works with high probability. The time complexity becomes O(log c n) for c > 30! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 28 / 47
66 AdlemanHuang Test The previous test is not unconditionally polynomial time on a small fraction of numbers. AdlemanHuang (1992) removed this drawback. They first used hyperelliptic curves to reduce the problem of testing for n to that of a nearly random integer of similar size. Then the previous test works with high probability. The time complexity becomes O(log c n) for c > 30! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 28 / 47
67 AdlemanHuang Test The previous test is not unconditionally polynomial time on a small fraction of numbers. AdlemanHuang (1992) removed this drawback. They first used hyperelliptic curves to reduce the problem of testing for n to that of a nearly random integer of similar size. Then the previous test works with high probability. The time complexity becomes O(log c n) for c > 30! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 28 / 47
68 Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 29 / 47
69 SolovayStrassen Test A Restatement of FLT If n is odd prime then for every e, 1 e < n, e n 1 2 = ±1 (mod n). When n is prime, e is a quadratic residue in Z n iff e n 1 2 = 1 (mod n). Therefore, if n is prime then ( e n ) = e n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 30 / 47
70 SolovayStrassen Test A Restatement of FLT If n is odd prime then for every e, 1 e < n, e n 1 2 = ±1 (mod n). When n is prime, e is a quadratic residue in Z n iff e n 1 2 = 1 (mod n). Therefore, if n is prime then ( e n ) = e n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 30 / 47
71 SolovayStrassen Test A Restatement of FLT If n is odd prime then for every e, 1 e < n, e n 1 2 = ±1 (mod n). When n is prime, e is a quadratic residue in Z n iff e n 1 2 = 1 (mod n). Therefore, if n is prime then ( e n ) = e n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 30 / 47
72 SolovayStrassen Test Proposed by Solovay and Strassen (1973). A randomized algorithm based on above property. Never incorrectly classifies primes and correctly classifies composites with probability at least 1 2. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 31 / 47
73 SolovayStrassen Test Proposed by Solovay and Strassen (1973). A randomized algorithm based on above property. Never incorrectly classifies primes and correctly classifies composites with probability at least 1 2. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 31 / 47
74 SolovayStrassen Test Proposed by Solovay and Strassen (1973). A randomized algorithm based on above property. Never incorrectly classifies primes and correctly classifies composites with probability at least 1 2. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 31 / 47
75 SolovayStrassen Test 1 If n is an exact power, it is composite. 2 For a random e in Z n, test if ( e n ) = e n 1 2 (mod n). 3 If yes, classify n as prime otherwise it is proven composite. The time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 32 / 47
76 SolovayStrassen Test 1 If n is an exact power, it is composite. 2 For a random e in Z n, test if ( e n ) = e n 1 2 (mod n). 3 If yes, classify n as prime otherwise it is proven composite. The time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 32 / 47
77 SolovayStrassen Test 1 If n is an exact power, it is composite. 2 For a random e in Z n, test if ( e n ) = e n 1 2 (mod n). 3 If yes, classify n as prime otherwise it is proven composite. The time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 32 / 47
78 SolovayStrassen Test 1 If n is an exact power, it is composite. 2 For a random e in Z n, test if ( e n ) = e n 1 2 (mod n). 3 If yes, classify n as prime otherwise it is proven composite. The time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 32 / 47
79 Analysis Consider the case when n is a product of two primes p and q. Let a, b Z p, c Z q with a residue and b nonresidue in Z p. Clearly, < a, c > n 1 2 =< b, c > n 1 2 (mod q). If < a, c > n 1 2 < b, c > n 1 2 (mod n) then one of them is not in {1, 1} and so compositeness of n is proven. Otherwise, either ( < a, c > ) < a, c > n 1 2 (mod n), n or ( ) < b, c > n < b, c > n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 33 / 47
80 Analysis Consider the case when n is a product of two primes p and q. Let a, b Z p, c Z q with a residue and b nonresidue in Z p. Clearly, < a, c > n 1 2 =< b, c > n 1 2 (mod q). If < a, c > n 1 2 < b, c > n 1 2 (mod n) then one of them is not in {1, 1} and so compositeness of n is proven. Otherwise, either ( < a, c > ) < a, c > n 1 2 (mod n), n or ( ) < b, c > n < b, c > n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 33 / 47
81 Analysis Consider the case when n is a product of two primes p and q. Let a, b Z p, c Z q with a residue and b nonresidue in Z p. Clearly, < a, c > n 1 2 =< b, c > n 1 2 (mod q). If < a, c > n 1 2 < b, c > n 1 2 (mod n) then one of them is not in {1, 1} and so compositeness of n is proven. Otherwise, either ( < a, c > ) < a, c > n 1 2 (mod n), n or ( ) < b, c > n < b, c > n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 33 / 47
82 Analysis Consider the case when n is a product of two primes p and q. Let a, b Z p, c Z q with a residue and b nonresidue in Z p. Clearly, < a, c > n 1 2 =< b, c > n 1 2 (mod q). If < a, c > n 1 2 < b, c > n 1 2 (mod n) then one of them is not in {1, 1} and so compositeness of n is proven. Otherwise, either ( < a, c > ) < a, c > n 1 2 (mod n), n or ( ) < b, c > n < b, c > n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 33 / 47
83 Miller s Test Theorem (Another Restatement of FLT) If n is odd prime and n = s t, t odd, then for every e, 1 e < n, the sequence e 2s 1 t (mod n), e 2s 2 t (mod n),..., e t (mod n) has either all 1 s or a 1 somewhere. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 34 / 47
84 Miller s Test This theorem is the basis for Miller s test (1973). It is a deterministic polynomial time test. It is correct under Extended Riemann Hypothesis. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 35 / 47
85 Miller s Test This theorem is the basis for Miller s test (1973). It is a deterministic polynomial time test. It is correct under Extended Riemann Hypothesis. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 35 / 47
PRIMES is in P. Manindra Agrawal Neeraj Kayal Nitin Saxena
PRIMES is in P Manindra Agrawal Neeraj Kayal Nitin Saxena Department of Computer Science & Engineering Indian Institute of Technology Kanpur Kanpur208016, INDIA Email: {manindra,kayaln,nitinsa}@iitk.ac.in
More informationA new probabilistic public key algorithm based on elliptic logarithms
A new probabilistic public key algorithm based on elliptic logarithms Afonso Comba de Araujo Neto, Raul Fernando Weber 1 Instituto de Informática Universidade Federal do Rio Grande do Sul (UFRGS) Caixa
More informationRevised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)
Chapter 23 Squares Modulo p Revised Version of Chapter 23 We learned long ago how to solve linear congruences ax c (mod m) (see Chapter 8). It s now time to take the plunge and move on to quadratic equations.
More informationAn Introductory Course in Elementary Number Theory. Wissam Raji
An Introductory Course in Elementary Number Theory Wissam Raji 2 Preface These notes serve as course notes for an undergraduate course in number theory. Most if not all universities worldwide offer introductory
More informationHow many numbers there are?
How many numbers there are? RADEK HONZIK Radek Honzik: Charles University, Department of Logic, Celetná 20, Praha 1, 116 42, Czech Republic radek.honzik@ff.cuni.cz Contents 1 What are numbers 2 1.1 Natural
More informationNUMBER RINGS. P. Stevenhagen
NUMBER RINGS P. Stevenhagen Universiteit Leiden 2012 Date of this online version: September 24, 2012 Please send any comments on this text to psh@math.leidenuniv.nl. Mail address of the author: P. Stevenhagen
More informationThe Gödel Phenomena in Mathematics: A Modern View
Chapter 1 The Gödel Phenomena in Mathematics: A Modern View Avi Wigderson Herbert Maass Professor School of Mathematics Institute for Advanced Study Princeton, New Jersey, USA 1.1 Introduction What are
More informationRegular Languages are Testable with a Constant Number of Queries
Regular Languages are Testable with a Constant Number of Queries Noga Alon Michael Krivelevich Ilan Newman Mario Szegedy Abstract We continue the study of combinatorial property testing, initiated by Goldreich,
More informationGeneralized compact knapsacks, cyclic lattices, and efficient oneway functions
Generalized compact knapsacks, cyclic lattices, and efficient oneway functions Daniele Micciancio University of California, San Diego 9500 Gilman Drive La Jolla, CA 920930404, USA daniele@cs.ucsd.edu
More informationON THE DISTRIBUTION OF SPACINGS BETWEEN ZEROS OF THE ZETA FUNCTION. A. M. Odlyzko AT&T Bell Laboratories Murray Hill, New Jersey ABSTRACT
ON THE DISTRIBUTION OF SPACINGS BETWEEN ZEROS OF THE ZETA FUNCTION A. M. Odlyzko AT&T Bell Laboratories Murray Hill, New Jersey ABSTRACT A numerical study of the distribution of spacings between zeros
More informationA Method for Obtaining Digital Signatures and PublicKey Cryptosystems
A Method for Obtaining Digital Signatures and PublicKey Cryptosystems R.L. Rivest, A. Shamir, and L. Adleman Abstract An encryption method is presented with the novel property that publicly revealing
More information8430 HANDOUT 3: ELEMENTARY THEORY OF QUADRATIC FORMS
8430 HANDOUT 3: ELEMENTARY THEORY OF QUADRATIC FORMS PETE L. CLARK 1. Basic definitions An integral binary quadratic form is just a polynomial f = ax 2 + bxy + cy 2 with a, b, c Z. We define the discriminant
More informationA mini course on additive combinatorics
A mini course on additive combinatorics 1 First draft. Dated Oct 24th, 2007 These are notes from a mini course on additive combinatorics given in Princeton University on August 2324, 2007. The lectures
More informationCOSAMP: ITERATIVE SIGNAL RECOVERY FROM INCOMPLETE AND INACCURATE SAMPLES
COSAMP: ITERATIVE SIGNAL RECOVERY FROM INCOMPLETE AND INACCURATE SAMPLES D NEEDELL AND J A TROPP Abstract Compressive sampling offers a new paradigm for acquiring signals that are compressible with respect
More informationTHE CONGRUENT NUMBER PROBLEM
THE CONGRUENT NUMBER PROBLEM KEITH CONRAD 1. Introduction A right triangle is called rational when its legs and hypotenuse are all rational numbers. Examples of rational right triangles include Pythagorean
More informationMaximizing the Spread of Influence through a Social Network
Maximizing the Spread of Influence through a Social Network David Kempe Dept. of Computer Science Cornell University, Ithaca NY kempe@cs.cornell.edu Jon Kleinberg Dept. of Computer Science Cornell University,
More informationExtending Nymblelike Systems
Extending Nymblelike Systems Ryan Henry and Ian Goldberg Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada N2L 3G1 {rhenry,iang}@cs.uwaterloo.ca Abstract We present several
More informationGeneralized Compact Knapsacks are Collision Resistant
Generalized Compact Knapsacks are Collision Resistant Vadim Lyubashevsky Daniele Micciancio University of California, San Diego 9500 Gilman Drive, La Jolla, CA 920930404, USA {vlyubash,daniele}@cs.ucsd.edu
More informationIf A is divided by B the result is 2/3. If B is divided by C the result is 4/7. What is the result if A is divided by C?
Problem 3 If A is divided by B the result is 2/3. If B is divided by C the result is 4/7. What is the result if A is divided by C? Suggested Questions to ask students about Problem 3 The key to this question
More informationSubspace Pursuit for Compressive Sensing: Closing the Gap Between Performance and Complexity
Subspace Pursuit for Compressive Sensing: Closing the Gap Between Performance and Complexity Wei Dai and Olgica Milenkovic Department of Electrical and Computer Engineering University of Illinois at UrbanaChampaign
More informationTHE PROBLEM OF finding localized energy solutions
600 IEEE TRANSACTIONS ON SIGNAL PROCESSING, VOL. 45, NO. 3, MARCH 1997 Sparse Signal Reconstruction from Limited Data Using FOCUSS: A Reweighted Minimum Norm Algorithm Irina F. Gorodnitsky, Member, IEEE,
More informationA number field is a field of finite degree over Q. By the Primitive Element Theorem, any number
Number Fields Introduction A number field is a field of finite degree over Q. By the Primitive Element Theorem, any number field K = Q(α) for some α K. The minimal polynomial Let K be a number field and
More information= 2 + 1 2 2 = 3 4, Now assume that P (k) is true for some fixed k 2. This means that
Instructions. Answer each of the questions on your own paper, and be sure to show your work so that partial credit can be adequately assessed. Credit will not be given for answers (even correct ones) without
More informationYou know from calculus that functions play a fundamental role in mathematics.
CHPTER 12 Functions You know from calculus that functions play a fundamental role in mathematics. You likely view a function as a kind of formula that describes a relationship between two (or more) quantities.
More informationLinear systems over composite moduli
Linear systems over composite moduli Arkadev Chattopadhyay IAS, Princeton achatt3@ias.edu Avi Wigderson IAS, Princeton avi@ias.edu Abstract We study solution sets to systems of generalized linear equations
More informationWHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?
WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT? introduction Many students seem to have trouble with the notion of a mathematical proof. People that come to a course like Math 216, who certainly
More informationProvable Data Possession at Untrusted Stores
Provable Data Possession at Untrusted Stores Giuseppe Ateniese Randal Burns Reza Curtmola Joseph Herring Lea Kissner Zachary Peterson Dawn Song ABSTRACT We introduce a model for provable data possession
More informationShort Cycles make Whard problems hard: FPT algorithms for Whard Problems in Graphs with no short Cycles
Short Cycles make Whard problems hard: FPT algorithms for Whard Problems in Graphs with no short Cycles Venkatesh Raman and Saket Saurabh The Institute of Mathematical Sciences, Chennai 600 113. {vraman
More informationA Googlelike Model of Road Network Dynamics and its Application to Regulation and Control
A Googlelike Model of Road Network Dynamics and its Application to Regulation and Control Emanuele Crisostomi, Steve Kirkland, Robert Shorten August, 2010 Abstract Inspired by the ability of Markov chains
More informationTruthful Mechanisms for OneParameter Agents
Truthful Mechanisms for OneParameter Agents Aaron Archer Éva Tardos y Abstract In this paper, we show how to design truthful (dominant strategy) mechanisms for several combinatorial problems where each
More information