Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Similar documents

Primality - Factorization

PRIMES is in P. Manindra Agrawal Neeraj Kayal Nitin Saxena

Faster deterministic integer factorisation

Factoring integers, Producing primes and the RSA cryptosystem Harish-Chandra Research Institute

An Overview of Integer Factoring Algorithms. The Problem

Factoring integers and Producing primes

How To Factoring

Factoring & Primality

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Recent Breakthrough in Primality Testing

Cryptography and Network Security Number Theory

Integer Factorization using the Quadratic Sieve

3. Computational Complexity.

On Generalized Fermat Numbers 3 2n +1

Cryptography and Network Security Chapter 8

Lecture 13 - Basic Number Theory.

Study of algorithms for factoring integers and computing discrete logarithms

2 Primality and Compositeness Tests

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

How To Solve The Prime Factorization Of N With A Polynomials

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Smooth numbers and the quadratic sieve

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

RSA and Primality Testing

Today s Topics. Primes & Greatest Common Divisors

Primality Testing and Factorization Methods

Computational Number Theory

On the largest prime factor of x 2 1

Factoring Algorithms

CIS 5371 Cryptography. 8. Encryption --

Elements of Applied Cryptography Public key encryption

Lecture 13: Factoring Integers

Primes in Sequences. Lee 1. By: Jae Young Lee. Project for MA 341 (Number Theory) Boston University Summer Term I 2009 Instructor: Kalin Kostadinov

HYPERELLIPTIC CURVE METHOD FOR FACTORING INTEGERS. 1. Thoery and Algorithm

FACTORING. n = fall in the arithmetic sequence

Computer and Network Security

15 Prime and Composite Numbers

2.1 Complexity Classes

Factorization Methods: Very Quick Overview

8 Primes and Modular Arithmetic

The Quadratic Sieve Factoring Algorithm

Determining the Optimal Combination of Trial Division and Fermat s Factorization Method

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

I. Introduction. MPRI Cours Lecture IV: Integer factorization. What is the factorization of a random number? II. Smoothness testing. F.

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

Runtime and Implementation of Factoring Algorithms: A Comparison

Integer factoring and modular square roots

EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH COMPLEX MULTIPLICATION

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Prime numbers and prime polynomials. Paul Pollack Dartmouth College

Notes on Factoring. MA 206 Kurt Bryan

CONTINUED FRACTIONS AND FACTORING. Niels Lauritzen

A new probabilistic public key algorithm based on elliptic logarithms

On the number-theoretic functions ν(n) and Ω(n)

On prime-order elliptic curves with embedding degrees k = 3, 4 and 6

How To Prove The Dirichlet Unit Theorem

Lecture 10: Distinct Degree Factoring

A number field is a field of finite degree over Q. By the Primitive Element Theorem, any number

The van Hoeij Algorithm for Factoring Polynomials

ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS. Carl Pomerance

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Number Theory Hungarian Style. Cameron Byerley s interpretation of Csaba Szabó s lectures

11 Ideals Revisiting Z

A Comparison Of Integer Factoring Algorithms. Keyur Anilkumar Kanabar

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

On Factoring Integers and Evaluating Discrete Logarithms

STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION. Takayuki Yato. A Senior Thesis. Submitted to

The Prime Facts: From Euclid to AKS

How To Factor In Prime Numbers

SOLUTIONS FOR PROBLEM SET 2

On prime-order elliptic curves with embedding degrees k = 3, 4 and 6

CRC Press has granted the following specific permissions for the electronic version of this book:

minimal polyonomial Example

Homework until Test #2

Elementary Number Theory

Generic attacks and index calculus. D. J. Bernstein University of Illinois at Chicago

c 2007 Society for Industrial and Applied Mathematics ÉRIC SCHOST

Factoring Algorithms

Math 453: Elementary Number Theory Definitions and Theorems

A New Generic Digital Signature Algorithm

DIVISORS IN A DEDEKIND DOMAIN. Javier Cilleruelo and Jorge Jiménez-Urroz. 1 Introduction

Efficiency of algorithms. Algorithms. Efficiency of algorithms. Binary search and linear search. Best, worst and average case.

INTEGER FACTORING USING SMALL ALGEBRAIC DEPENDENCIES

On the generation of elliptic curves with 16 rational torsion points by Pythagorean triples

Factorizations of a n ± 1, 13 a < 100

The application of prime numbers to RSA encryption

CMSC 858T: Randomized Algorithms Spring 2003 Handout 8: The Local Lemma

An Introductory Course in Elementary Number Theory. Wissam Raji

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

3 1. Note that all cubes solve it; therefore, there are no more

Factoring. Factoring 1

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

Carmichael numbers and pseudoprimes

Lectures on Number Theory. Lars-Åke Lindahl

AMBIGUOUS CLASSES IN QUADRATIC FIELDS

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Basic Algorithms In Computer Algebra

A Study on the Necessary Conditions for Odd Perfect Numbers

Transcription:

Is n a Prime Number? Manindra Agrawal IIT Kanpur March 27, 2006, Delft Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 1 / 47

Overview 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 2 / 47

Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 3 / 47

The Problem Given a number n, decide if it is prime. Easy: try dividing by all numbers less than n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 4 / 47

The Problem Given a number n, decide if it is prime. Easy: try dividing by all numbers less than n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 4 / 47

The Problem Given a number n, decide if it is prime efficiently. Not so easy: several non-obvious methods have been found. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 5 / 47

The Problem Given a number n, decide if it is prime efficiently. Not so easy: several non-obvious methods have been found. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 5 / 47

Efficiently Solving a Problem There should exist an algorithm for solving the problem taking a polynomial in input size number of steps. For our problem, this means an algorithm taking log O(1) n steps. Caveat: An algorithm taking log 12 n steps would be slower than an algorithm taking log log log log n n steps for all practical values of n! Notation: log is logarithm base 2. O (log c n) stands for O(log c n log log O(1) n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 6 / 47

Efficiently Solving a Problem There should exist an algorithm for solving the problem taking a polynomial in input size number of steps. For our problem, this means an algorithm taking log O(1) n steps. Caveat: An algorithm taking log 12 n steps would be slower than an algorithm taking log log log log n n steps for all practical values of n! Notation: log is logarithm base 2. O (log c n) stands for O(log c n log log O(1) n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 6 / 47

Efficiently Solving a Problem There should exist an algorithm for solving the problem taking a polynomial in input size number of steps. For our problem, this means an algorithm taking log O(1) n steps. Caveat: An algorithm taking log 12 n steps would be slower than an algorithm taking log log log log n n steps for all practical values of n! Notation: log is logarithm base 2. O (log c n) stands for O(log c n log log O(1) n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 6 / 47

Efficiently Solving a Problem There should exist an algorithm for solving the problem taking a polynomial in input size number of steps. For our problem, this means an algorithm taking log O(1) n steps. Caveat: An algorithm taking log 12 n steps would be slower than an algorithm taking log log log log n n steps for all practical values of n! Notation: log is logarithm base 2. O (log c n) stands for O(log c n log log O(1) n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 6 / 47

Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 7 / 47

The Sieve of Eratosthenes Proposed by Eratosthenes (ca. 300 BCE). 1 List all numbers from 2 to n in a sequence. 2 Take the smallest uncrossed number from the sequence and cross out all its multiples. 3 If n is uncrossed when the smallest uncrossed number is greater than n then n is prime otherwise composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 8 / 47

Time Complexity If n is prime, algorithm crosses out all the first n numbers before giving the answer. So the number of steps needed is Ω( n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 9 / 47

Time Complexity If n is prime, algorithm crosses out all the first n numbers before giving the answer. So the number of steps needed is Ω( n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 9 / 47

Wilson s Theorem Based on Wilson s theorem (1770). Theorem n is prime iff (n 1)! = 1 (mod n). Computing (n 1)! (mod n) naïvely requires Ω(n) steps. No significantly better method is known! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 10 / 47

Wilson s Theorem Based on Wilson s theorem (1770). Theorem n is prime iff (n 1)! = 1 (mod n). Computing (n 1)! (mod n) naïvely requires Ω(n) steps. No significantly better method is known! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 10 / 47

Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 11 / 47

Fundamental Idea Nearly all the efficient algorithms for the problem use the following idea. Identify a finite group G related to number n. Design an efficienty testable property P( ) of the elements G such that P(e) has different values depending on whether n is prime. The element e is either from a small set (in deterministic algorithms) or a random element of G (in randomized algorithms). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 12 / 47

Fundamental Idea Nearly all the efficient algorithms for the problem use the following idea. Identify a finite group G related to number n. Design an efficienty testable property P( ) of the elements G such that P(e) has different values depending on whether n is prime. The element e is either from a small set (in deterministic algorithms) or a random element of G (in randomized algorithms). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 12 / 47

Fundamental Idea Nearly all the efficient algorithms for the problem use the following idea. Identify a finite group G related to number n. Design an efficienty testable property P( ) of the elements G such that P(e) has different values depending on whether n is prime. The element e is either from a small set (in deterministic algorithms) or a random element of G (in randomized algorithms). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 12 / 47

Fundamental Idea Nearly all the efficient algorithms for the problem use the following idea. Identify a finite group G related to number n. Design an efficienty testable property P( ) of the elements G such that P(e) has different values depending on whether n is prime. The element e is either from a small set (in deterministic algorithms) or a random element of G (in randomized algorithms). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 12 / 47

Groups and Properties The group G is often: A subgroup of Z n or Z n [ζ] for an extension ring Z n [ζ]. A subgroup of E(Z n ), the set of points on an elliptic curve modulo n. The properties vary, but are from two broad themes. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 13 / 47

Groups and Properties The group G is often: A subgroup of Z n or Z n [ζ] for an extension ring Z n [ζ]. A subgroup of E(Z n ), the set of points on an elliptic curve modulo n. The properties vary, but are from two broad themes. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 13 / 47

Groups and Properties The group G is often: A subgroup of Z n or Z n [ζ] for an extension ring Z n [ζ]. A subgroup of E(Z n ), the set of points on an elliptic curve modulo n. The properties vary, but are from two broad themes. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 13 / 47

Theme I: Factorization of Group Size Compute a complete, or partial, factorization of the size of G assuming that n is prime. Use the knowledge of this factorization to design a suitable property. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 14 / 47

Theme I: Factorization of Group Size Compute a complete, or partial, factorization of the size of G assuming that n is prime. Use the knowledge of this factorization to design a suitable property. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 14 / 47

Theme II: Fermat s Little Theorem Theorem (Fermat, 1660s) If n is prime then for every e, e n = e (mod n). Group G = Z n and property P is P(e) e n = e in G. This property of Z n is not a sufficient test for primality of n. So try to extend this property to a neccessary and sufficient condition. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 15 / 47

Theme II: Fermat s Little Theorem Theorem (Fermat, 1660s) If n is prime then for every e, e n = e (mod n). Group G = Z n and property P is P(e) e n = e in G. This property of Z n is not a sufficient test for primality of n. So try to extend this property to a neccessary and sufficient condition. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 15 / 47

Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 16 / 47

Lucas Theorem Theorem (E. Lucas, 1891) Let n 1 = t i=1 pd i i where p i s are distinct primes. n is prime iff there is an e Z n such that e n 1 = 1 and gcd(e n 1 p i 1, n) = 1 for every 1 i t. The theorem also holds for a random choice of e. We can choose G = Z n and P to be the property above. The test will be efficient only for numbers n such that n 1 is smooth. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 17 / 47

Lucas Theorem Theorem (E. Lucas, 1891) Let n 1 = t i=1 pd i i where p i s are distinct primes. n is prime iff there is an e Z n such that e n 1 = 1 and gcd(e n 1 p i 1, n) = 1 for every 1 i t. The theorem also holds for a random choice of e. We can choose G = Z n and P to be the property above. The test will be efficient only for numbers n such that n 1 is smooth. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 17 / 47

Lucas Theorem Theorem (E. Lucas, 1891) Let n 1 = t i=1 pd i i where p i s are distinct primes. n is prime iff there is an e Z n such that e n 1 = 1 and gcd(e n 1 p i 1, n) = 1 for every 1 i t. The theorem also holds for a random choice of e. We can choose G = Z n and P to be the property above. The test will be efficient only for numbers n such that n 1 is smooth. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 17 / 47

Lucas-Lehmer Test G is a subgroup of Z n [ 3] containing elements of order n + 1. The property P is: P(e) e n+1 2 = 1 in Z n [ 3]. Works only for special Mersenne primes of the form n = 2 p 1, p prime. For such n s, n + 1 = 2 p. The property needs to be tested only for e = 2 + 3. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 18 / 47

Lucas-Lehmer Test G is a subgroup of Z n [ 3] containing elements of order n + 1. The property P is: P(e) e n+1 2 = 1 in Z n [ 3]. Works only for special Mersenne primes of the form n = 2 p 1, p prime. For such n s, n + 1 = 2 p. The property needs to be tested only for e = 2 + 3. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 18 / 47

Lucas-Lehmer Test G is a subgroup of Z n [ 3] containing elements of order n + 1. The property P is: P(e) e n+1 2 = 1 in Z n [ 3]. Works only for special Mersenne primes of the form n = 2 p 1, p prime. For such n s, n + 1 = 2 p. The property needs to be tested only for e = 2 + 3. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 18 / 47

Time Complexity Raising 2 + 3 to n+1 2 th power requires O(log n) multiplication operations in Z n. Overall time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 19 / 47

Time Complexity Raising 2 + 3 to n+1 2 th power requires O(log n) multiplication operations in Z n. Overall time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 19 / 47

Pocklington-Lehmer Test Theorem (Pocklington, 1914) If there exists a e such that e n 1 = 1 (mod n) and gcd(e n 1 p j 1, n) = 1 for distinct primes p 1, p 2,..., p t dividing n 1 then every prime factor of n has the form k t j=1 p j + 1. Similar to Lucas s theorem. Let G = Z n and property P precisely as in the theorem. The property is tested for a random e. For the test to work, we need t j=1 n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 20 / 47

Pocklington-Lehmer Test Theorem (Pocklington, 1914) If there exists a e such that e n 1 = 1 (mod n) and gcd(e n 1 p j 1, n) = 1 for distinct primes p 1, p 2,..., p t dividing n 1 then every prime factor of n has the form k t j=1 p j + 1. Similar to Lucas s theorem. Let G = Z n and property P precisely as in the theorem. The property is tested for a random e. For the test to work, we need t j=1 n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 20 / 47

Pocklington-Lehmer Test Theorem (Pocklington, 1914) If there exists a e such that e n 1 = 1 (mod n) and gcd(e n 1 p j 1, n) = 1 for distinct primes p 1, p 2,..., p t dividing n 1 then every prime factor of n has the form k t j=1 p j + 1. Similar to Lucas s theorem. Let G = Z n and property P precisely as in the theorem. The property is tested for a random e. For the test to work, we need t j=1 n. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 20 / 47

Time Complexity Depends on the difficulty of finding prime factorizations of n 1 whose product is at least n. Other operations can be carried out efficiently. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 21 / 47

Time Complexity Depends on the difficulty of finding prime factorizations of n 1 whose product is at least n. Other operations can be carried out efficiently. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 21 / 47

Elliptic Curves Based Tests Elliptic curves give rise to groups of different sizes associated with the given number. With good probability, some of these groups have sizes that can be easily factored. This motivated primality testing based on elliptic curves. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 22 / 47

Elliptic Curves Based Tests Elliptic curves give rise to groups of different sizes associated with the given number. With good probability, some of these groups have sizes that can be easily factored. This motivated primality testing based on elliptic curves. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 22 / 47

Elliptic Curves Based Tests Elliptic curves give rise to groups of different sizes associated with the given number. With good probability, some of these groups have sizes that can be easily factored. This motivated primality testing based on elliptic curves. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 22 / 47

Goldwasser-Kilian Test This is a randomized primality proving algorithm. Under a reasonable hypothesis, it is polynomial time on all inputs. Unconditionally, it is polynomial time on all but negligible fraction of numbers. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 23 / 47

Goldwasser-Kilian Test This is a randomized primality proving algorithm. Under a reasonable hypothesis, it is polynomial time on all inputs. Unconditionally, it is polynomial time on all but negligible fraction of numbers. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 23 / 47

Goldwasser-Kilian Test This is a randomized primality proving algorithm. Under a reasonable hypothesis, it is polynomial time on all inputs. Unconditionally, it is polynomial time on all but negligible fraction of numbers. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 23 / 47

Goldwasser-Kilian Test Consider a random elliptic curve over Z n. By a theorem of Lenstra (1987), the number of points of the curve is nearly uniformly distributed in the interval [n + 1 2 n, n + 1 + 2 n] for prime n. Assuming a conjecture about the density of primes in small intervals, it follows that there are curves with 2q points, for q prime, with reasonable probability. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 24 / 47

Goldwasser-Kilian Test Consider a random elliptic curve over Z n. By a theorem of Lenstra (1987), the number of points of the curve is nearly uniformly distributed in the interval [n + 1 2 n, n + 1 + 2 n] for prime n. Assuming a conjecture about the density of primes in small intervals, it follows that there are curves with 2q points, for q prime, with reasonable probability. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 24 / 47

Goldwasser-Kilian Test Consider a random elliptic curve over Z n. By a theorem of Lenstra (1987), the number of points of the curve is nearly uniformly distributed in the interval [n + 1 2 n, n + 1 + 2 n] for prime n. Assuming a conjecture about the density of primes in small intervals, it follows that there are curves with 2q points, for q prime, with reasonable probability. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 24 / 47

Goldwasser-Kilian Test Theorem (Goldwasser-Kilian) Suppose E(Z n ) is an elliptic curve with 2q points. If q is prime and there exists A E(Z n ) O such that q A = O then either n is provably prime or provably composite. Proof. Let p be a prime factor of n with p n. We have q A = O in E(Z p ) as well. If A = O in E(Z p ) then n can be factored. Otherwise, since q is prime, E(Z p ) q. If 2q < n + 1 2 n then n must be composite. Otherwise, p + 1 + 2 p > n 2 n which is not possible. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 25 / 47

Goldwasser-Kilian Test Theorem (Goldwasser-Kilian) Suppose E(Z n ) is an elliptic curve with 2q points. If q is prime and there exists A E(Z n ) O such that q A = O then either n is provably prime or provably composite. Proof. Let p be a prime factor of n with p n. We have q A = O in E(Z p ) as well. If A = O in E(Z p ) then n can be factored. Otherwise, since q is prime, E(Z p ) q. If 2q < n + 1 2 n then n must be composite. Otherwise, p + 1 + 2 p > n 2 n which is not possible. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 25 / 47

Goldwasser-Kilian Test Theorem (Goldwasser-Kilian) Suppose E(Z n ) is an elliptic curve with 2q points. If q is prime and there exists A E(Z n ) O such that q A = O then either n is provably prime or provably composite. Proof. Let p be a prime factor of n with p n. We have q A = O in E(Z p ) as well. If A = O in E(Z p ) then n can be factored. Otherwise, since q is prime, E(Z p ) q. If 2q < n + 1 2 n then n must be composite. Otherwise, p + 1 + 2 p > n 2 n which is not possible. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 25 / 47

Goldwasser-Kilian Test Theorem (Goldwasser-Kilian) Suppose E(Z n ) is an elliptic curve with 2q points. If q is prime and there exists A E(Z n ) O such that q A = O then either n is provably prime or provably composite. Proof. Let p be a prime factor of n with p n. We have q A = O in E(Z p ) as well. If A = O in E(Z p ) then n can be factored. Otherwise, since q is prime, E(Z p ) q. If 2q < n + 1 2 n then n must be composite. Otherwise, p + 1 + 2 p > n 2 n which is not possible. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 25 / 47

Goldwasser-Kilian Test 1 Find a random elliptic curve over Z n with 2q points. 2 Prove primality of q recursively. 3 Randomly select an A such that q A = O. 4 Infer n to be prime or composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 26 / 47

Goldwasser-Kilian Test 1 Find a random elliptic curve over Z n with 2q points. 2 Prove primality of q recursively. 3 Randomly select an A such that q A = O. 4 Infer n to be prime or composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 26 / 47

Goldwasser-Kilian Test 1 Find a random elliptic curve over Z n with 2q points. 2 Prove primality of q recursively. 3 Randomly select an A such that q A = O. 4 Infer n to be prime or composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 26 / 47

Goldwasser-Kilian Test 1 Find a random elliptic curve over Z n with 2q points. 2 Prove primality of q recursively. 3 Randomly select an A such that q A = O. 4 Infer n to be prime or composite. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 26 / 47

Analysis The algorithm never incorrectly classifies a composite number. With high probability it correctly classifies prime numbers. The running time is O(log 11 n). Improvements by Atkin and others result in a conjectured running time of O (log 4 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 27 / 47

Analysis The algorithm never incorrectly classifies a composite number. With high probability it correctly classifies prime numbers. The running time is O(log 11 n). Improvements by Atkin and others result in a conjectured running time of O (log 4 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 27 / 47

Analysis The algorithm never incorrectly classifies a composite number. With high probability it correctly classifies prime numbers. The running time is O(log 11 n). Improvements by Atkin and others result in a conjectured running time of O (log 4 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 27 / 47

Analysis The algorithm never incorrectly classifies a composite number. With high probability it correctly classifies prime numbers. The running time is O(log 11 n). Improvements by Atkin and others result in a conjectured running time of O (log 4 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 27 / 47

Adleman-Huang Test The previous test is not unconditionally polynomial time on a small fraction of numbers. Adleman-Huang (1992) removed this drawback. They first used hyperelliptic curves to reduce the problem of testing for n to that of a nearly random integer of similar size. Then the previous test works with high probability. The time complexity becomes O(log c n) for c > 30! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 28 / 47

Adleman-Huang Test The previous test is not unconditionally polynomial time on a small fraction of numbers. Adleman-Huang (1992) removed this drawback. They first used hyperelliptic curves to reduce the problem of testing for n to that of a nearly random integer of similar size. Then the previous test works with high probability. The time complexity becomes O(log c n) for c > 30! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 28 / 47

Adleman-Huang Test The previous test is not unconditionally polynomial time on a small fraction of numbers. Adleman-Huang (1992) removed this drawback. They first used hyperelliptic curves to reduce the problem of testing for n to that of a nearly random integer of similar size. Then the previous test works with high probability. The time complexity becomes O(log c n) for c > 30! Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 28 / 47

Outline 1 The Problem 2 Two Simple, and Slow, Methods 3 Modern Methods 4 Algorithms Based on Factorization of Group Size 5 Algorithms Based on Fermat s Little Theorem 6 An Algorithm Outside the Two Themes Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 29 / 47

Solovay-Strassen Test A Restatement of FLT If n is odd prime then for every e, 1 e < n, e n 1 2 = ±1 (mod n). When n is prime, e is a quadratic residue in Z n iff e n 1 2 = 1 (mod n). Therefore, if n is prime then ( e n ) = e n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 30 / 47

Solovay-Strassen Test A Restatement of FLT If n is odd prime then for every e, 1 e < n, e n 1 2 = ±1 (mod n). When n is prime, e is a quadratic residue in Z n iff e n 1 2 = 1 (mod n). Therefore, if n is prime then ( e n ) = e n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 30 / 47

Solovay-Strassen Test A Restatement of FLT If n is odd prime then for every e, 1 e < n, e n 1 2 = ±1 (mod n). When n is prime, e is a quadratic residue in Z n iff e n 1 2 = 1 (mod n). Therefore, if n is prime then ( e n ) = e n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 30 / 47

Solovay-Strassen Test Proposed by Solovay and Strassen (1973). A randomized algorithm based on above property. Never incorrectly classifies primes and correctly classifies composites with probability at least 1 2. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 31 / 47

Solovay-Strassen Test Proposed by Solovay and Strassen (1973). A randomized algorithm based on above property. Never incorrectly classifies primes and correctly classifies composites with probability at least 1 2. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 31 / 47

Solovay-Strassen Test Proposed by Solovay and Strassen (1973). A randomized algorithm based on above property. Never incorrectly classifies primes and correctly classifies composites with probability at least 1 2. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 31 / 47

Solovay-Strassen Test 1 If n is an exact power, it is composite. 2 For a random e in Z n, test if ( e n ) = e n 1 2 (mod n). 3 If yes, classify n as prime otherwise it is proven composite. The time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 32 / 47

Solovay-Strassen Test 1 If n is an exact power, it is composite. 2 For a random e in Z n, test if ( e n ) = e n 1 2 (mod n). 3 If yes, classify n as prime otherwise it is proven composite. The time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 32 / 47

Solovay-Strassen Test 1 If n is an exact power, it is composite. 2 For a random e in Z n, test if ( e n ) = e n 1 2 (mod n). 3 If yes, classify n as prime otherwise it is proven composite. The time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 32 / 47

Solovay-Strassen Test 1 If n is an exact power, it is composite. 2 For a random e in Z n, test if ( e n ) = e n 1 2 (mod n). 3 If yes, classify n as prime otherwise it is proven composite. The time complexity is O (log 2 n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 32 / 47

Analysis Consider the case when n is a product of two primes p and q. Let a, b Z p, c Z q with a residue and b non-residue in Z p. Clearly, < a, c > n 1 2 =< b, c > n 1 2 (mod q). If < a, c > n 1 2 < b, c > n 1 2 (mod n) then one of them is not in {1, 1} and so compositeness of n is proven. Otherwise, either ( < a, c > ) < a, c > n 1 2 (mod n), n or ( ) < b, c > n < b, c > n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 33 / 47

Analysis Consider the case when n is a product of two primes p and q. Let a, b Z p, c Z q with a residue and b non-residue in Z p. Clearly, < a, c > n 1 2 =< b, c > n 1 2 (mod q). If < a, c > n 1 2 < b, c > n 1 2 (mod n) then one of them is not in {1, 1} and so compositeness of n is proven. Otherwise, either ( < a, c > ) < a, c > n 1 2 (mod n), n or ( ) < b, c > n < b, c > n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 33 / 47

Analysis Consider the case when n is a product of two primes p and q. Let a, b Z p, c Z q with a residue and b non-residue in Z p. Clearly, < a, c > n 1 2 =< b, c > n 1 2 (mod q). If < a, c > n 1 2 < b, c > n 1 2 (mod n) then one of them is not in {1, 1} and so compositeness of n is proven. Otherwise, either ( < a, c > ) < a, c > n 1 2 (mod n), n or ( ) < b, c > n < b, c > n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 33 / 47

Analysis Consider the case when n is a product of two primes p and q. Let a, b Z p, c Z q with a residue and b non-residue in Z p. Clearly, < a, c > n 1 2 =< b, c > n 1 2 (mod q). If < a, c > n 1 2 < b, c > n 1 2 (mod n) then one of them is not in {1, 1} and so compositeness of n is proven. Otherwise, either ( < a, c > ) < a, c > n 1 2 (mod n), n or ( ) < b, c > n < b, c > n 1 2 (mod n). Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 33 / 47

Miller s Test Theorem (Another Restatement of FLT) If n is odd prime and n = 1 + 2 s t, t odd, then for every e, 1 e < n, the sequence e 2s 1 t (mod n), e 2s 2 t (mod n),..., e t (mod n) has either all 1 s or a 1 somewhere. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 34 / 47

Miller s Test This theorem is the basis for Miller s test (1973). It is a deterministic polynomial time test. It is correct under Extended Riemann Hypothesis. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 35 / 47

Miller s Test This theorem is the basis for Miller s test (1973). It is a deterministic polynomial time test. It is correct under Extended Riemann Hypothesis. Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 35 / 47