PRIMES is in P - PowerPoint PPT Presentation

1
PRIMES is in P
  • Manindra Agrawal
  • Neeraj Kayal
  • Nitin Saxena
  • Dept of CSE, IIT Kanpur

2
The Problem
  • Given a number n, test efficiently whether it is prime.
  • Efficiently: in time polynomial in the number of
    digits of n,
  • i.e. $(\log n)^c$ for some constant c.

3
A brief history
  • 230 BC: Eratosthenes proposed the trial division
    method; it is exponential time though (takes
    time $\Omega(n^{1/2})$, exponential in the number of digits).
  • The trial division method also factors any composite
    number.
  • Factoring numbers perhaps does not admit
    efficient solutions.
  • So one needs to try a different approach!

4
History contd.
  • 17th century: Fermat's Little Theorem:
  • if n is prime then for any a with $\gcd(a, n) = 1$,
  • $a^n \equiv a \pmod n$.
  • The converse does not hold though: Carmichael numbers
    such as 561 = 3·11·17 satisfy it for every coprime a.
  • 1973: Miller generalized the theorem to obtain a
    polynomial time algorithm that is correct under the
    Extended Riemann Hypothesis.

5
History contd.
  • 1976: Rabin modified Miller's algorithm to obtain
    an unconditional but randomized polynomial time
    algorithm.
  • This algorithm is always correct when n is prime;
    however, with a small probability it might give a
    wrong answer when n is composite.
  • Solovay and Strassen gave another algorithm with
    similar properties.
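The two tests of slides 4 and 5 side by side, as an added example that is not code from the slides: the constructed sample input 561 = 3·11·17 is a Carmichael number, so it passes Fermat's test for every base coprime to it, while a single Miller-Rabin base already proves it composite. The fixed base list and the bound up to which it is deterministic are a known result not stated on the slides; `is_probable_prime` and its default round count are this example's own choices.

```python
import random


def fermat_probable_prime(n: int, a: int) -> bool:
    """Fermat's test (slide 4) with base a: a^(n-1) == 1 (mod n).
    Every prime passes for every coprime a; so do Carmichael numbers."""
    return pow(a, n - 1, n) == 1


def miller_rabin(n: int, bases) -> bool:
    """Rabin's test (slide 5) with explicit bases. Write n - 1 = 2^s * d, d odd.
    For prime n the sequence a^d, a^(2d), ..., a^(2^(s-1) d) starts at 1 or
    contains -1; a base for which this fails is a proof that n is composite."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue                  # these bases can never witness compositeness
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False              # never reached -1: a is a witness, n is composite
    return True


# Known result (not on the slides): these bases make the test deterministic for
# every n below 3.3 * 10^24, hence for all 64-bit inputs.
SMALL_PRIME_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Deterministic below 2^64; above that, `rounds` random bases, each of which
    a composite survives with probability at most 1/4 (error <= 4^-rounds)."""
    if n < 2**64:
        return miller_rabin(n, SMALL_PRIME_BASES)
    # Bases must not be predictable to whoever supplied n: composites can be
    # crafted to pass a fixed, published base list, so use unpredictable ones.
    rng = random.SystemRandom()
    return miller_rabin(n, (rng.randrange(2, n - 1) for _ in range(rounds)))


def demo() -> dict:
    """Constructed sample run on the Carmichael number 561 and a Mersenne prime."""
    return {
        "fermat_561_base2": fermat_probable_prime(561, 2),   # True: a Fermat liar
        "miller_rabin_561_base2": miller_rabin(561, [2]),    # False: 2 is a witness
        "mersenne_2^127-1": is_probable_prime(2**127 - 1),   # True
    }
```

The asymmetry described on slide 5 is visible in `miller_rabin`: a prime can never reach the `return False` line, so the only possible error is a composite that happens to pass every base tried.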

6
History contd.
  • 1976-77: Public-key cryptography was invented via the
    Diffie-Hellman and RSA algorithms.
  • These algorithms use large random prime numbers
    (these days prime numbers of 150 digits are
    routinely used).
  • This made efficient tests for primality of
    great practical importance!

7
History contd.
  • 1983: Adleman, Pomerance and Rumely gave a
    deterministic algorithm running in time
    $(\log n)^{c \log\log\log n}$.
  • 1992: Adleman and Huang gave a randomized
    polynomial time algorithm that errs only on
    primes.

8
Our Contribution
  • We provide the first deterministic
    polynomial-time algorithm for primality testing.

9
The Algorithm
  • Input: n.
  • Output COMPOSITE if $n = m^k$ for some $k > 1$.
  • Find the smallest prime r such that
  • $P(r-1) > 2\sqrt{r}\,\log n$, and
  • $P(r-1)$ divides the order of n in $F_r^*$.
  • For every $a < 4\sqrt{r}\,\log n$:
  • If $(X-a)^n \not\equiv X^n - a \pmod{n,\; X^r - 1}$ then output
    COMPOSITE.
  • Output PRIME.

$P(r-1)$ = largest prime factor of $r-1$
10
Principal Idea of Our Approach
  • n is prime
  • iff
  • $(X-a)^n \equiv X^n - a \pmod n$ for any a,
  • where X is a formal variable.
  • A generalization of Fermat's Little Theorem.

11
Examples (n a prime)
  • $(x-1)^5 = x^5 - 5x^4 + 10x^3 - 10x^2 + 5x - 1 \equiv x^5 - 1 \pmod 5$
  • $(x-2)^5 = x^5 - 10x^4 + 40x^3 - 80x^2 + 80x - 32 \equiv x^5 - 2 \pmod 5$
  • $(x-3)^5 = x^5 - 15x^4 + 90x^3 - 270x^2 + 405x - 243 \equiv x^5 - 3 \pmod 5$

12
Examples (n a composite)
  • $(x-1)^6 = x^6 - 6x^5 + 15x^4 - 20x^3 + 15x^2 - 6x + 1 \equiv x^6 + 3x^4 + 4x^3 + 3x^2 + 1 \not\equiv x^6 - 1 \pmod 6$

13
Evaluating the Identity Takes Long
  • Evaluating the identity directly takes $\Omega(n)$ steps.
  • The nth power of a polynomial can be quickly computed
    by repeated squaring.
  • However, $(X-a)^n$ has $n + 1$ terms, and so its
    expansion takes a long time.

14
Translating the Identity Over Small Cyclotomic Rings
  • For a small ($\approx (\log n)^6$) value of r, r prime,
    test
  • $(X-a)^n \equiv X^n - a \pmod{n,\; X^r - 1}$
  • for $4\sqrt{r}\,\log n$ different values of a.
  • For an appropriate small value of r, we show
    that if all the above identities hold then n is a
    prime power.

15
Finite Field Facts
  • The multiplicative group of the finite field $F_q$ is
    denoted $F_q^*$ and is cyclic.
  • The polynomial $(X^r - 1)/(X - 1)$ factors into degree-d
    irreducible factors in the polynomial ring $F_p[X]$,
    where d = order of p in $F_r^*$.

16
Change in Modulus
  • Let n be composite, with a prime $p \mid n$.
  • Let $(X-a)^n \equiv X^n - a \pmod{n,\; X^r - 1}$ for some $a > 1$
    and prime $r > 2$.
  • Clearly, $(X-a)^n \equiv X^n - a \pmod{p,\; X^r - 1}$ too.
  • And of course, $(X-a)^p \equiv X^p - a \pmod{p,\; X^r - 1}$.

17
Introspective Numbers
  • We call any number m such that $g(X)^m \equiv g(X^m) \pmod{p,\; X^r - 1}$
    an introspective number for g(X).
  • So, 1, p and n are introspective numbers for $X - a$
    for every a tried by the algorithm.
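Slide 9's algorithm as stated, implemented in Python as an added example that is neither code from the slides nor the authors' implementation. The polynomial arithmetic of slide 14 is done in $(\mathbb{Z}/n\mathbb{Z})[X]/(X^r - 1)$ by repeated squaring, and the helper `is_introspective` is exactly the relation defined on this slide, so the same function runs slide 9's inner loop (modulus n) and checks introspective numbers (modulus p). Two things are assumptions not on the slides: log means $\log_2$, and the search for r performs the $\gcd(n, r)$ check and stops at $r = n$ as the published algorithm does, because slide 9 alone says nothing about $r \ge n$. Caveat a practitioner should know: with slide 9's constants the smallest suitable r exceeds n for every n small enough to test by hand (`find_r(7) == 167`, `find_r(31) == 467`), so for such n the verdict comes from the gcd loop, and the polynomial loop only runs for inputs far too large for plain Python; that is slide 34's "impractical" in practice.

```python
from math import gcd, isqrt, log2


def is_perfect_power(n: int) -> bool:
    """Step 1 of slide 9: is n = m^k for some integers m and k > 1?"""
    for k in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // k + 1)   # hi is >= the real k-th root
        while lo <= hi:                               # binary search for an integer root
            mid = (lo + hi) // 2
            v = mid ** k
            if v == n:
                return True
            lo, hi = (mid + 1, hi) if v < n else (lo, mid - 1)
    return False


def is_small_prime(m: int) -> bool:
    """Trial division; only ever applied to the small modulus r."""
    return m >= 2 and all(m % d for d in range(2, isqrt(m) + 1))


def largest_prime_factor(m: int) -> int:
    """P(m) of slide 9; returns 0 for m = 1, which has no prime factor."""
    largest, d = 0, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return max(largest, m) if m > 1 else largest


def multiplicative_order(n: int, r: int) -> int:
    """Order of n in F_r^*; requires gcd(n, r) == 1."""
    k, x = 1, n % r
    while x != 1:
        k, x = k + 1, x * n % r
    return k


def polymul_mod(f, g, n, r):
    """Product in (Z/nZ)[X]/(X^r - 1): coefficient lists indexed by degree;
    X^r = 1 in this ring, so degrees are added modulo r."""
    h = [0] * r
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                h[(i + j) % r] = (h[(i + j) % r] + fi * gj) % n
    return h


def polypow_mod(f, e, n, r):
    """f^e in (Z/nZ)[X]/(X^r - 1) by repeated squaring (slide 13): O(log e)
    products of degree < r polynomials instead of the n + 1 terms of slide 13."""
    result, base = [1] + [0] * (r - 1), [c % n for c in f]
    while e:
        if e & 1:
            result = polymul_mod(result, base, n, r)
        base = polymul_mod(base, base, n, r)
        e >>= 1
    return result


def compose_x_power(g, m, n, r):
    """g(X^m) in (Z/nZ)[X]/(X^r - 1): the coefficient of X^i moves to X^(i*m mod r)."""
    h = [0] * r
    for i, c in enumerate(g):
        h[(i * m) % r] = (h[(i * m) % r] + c) % n
    return h


def is_introspective(m, g, p, r):
    """Slide 17: m is introspective for g(X) iff g(X)^m == g(X^m) (mod p, X^r - 1).
    With p = n and g = X - a, i.e. coefficients [-a, 1], this is slide 9's test."""
    return polypow_mod(g, m, p, r) == compose_x_power(g, m, p, r)


def r_is_suitable(n: int, r: int) -> bool:
    """Slide 9's two conditions on a prime r (log = log2; gcd(n, r) == 1 required)."""
    if not is_small_prime(r):
        return False
    q = largest_prime_factor(r - 1)
    return q > 2 * r ** 0.5 * log2(n) and multiplicative_order(n, r) % q == 0


def find_r(n: int) -> int:
    """Smallest prime r meeting slide 9's conditions, skipping r that share a factor with n."""
    r = 2
    while not (gcd(n, r) == 1 and r_is_suitable(n, r)):
        r += 1
    return r


def aks_is_prime(n: int) -> bool:
    """Slide 9 top to bottom, plus the gcd / r >= n handling of the published algorithm."""
    if n < 2:
        return False
    if is_perfect_power(n):
        return False                                   # n = m^k, k > 1: COMPOSITE
    r = 2
    while True:
        if r >= n:                                     # assumption (published algorithm): all r < n coprime to n
            return True
        if gcd(n, r) != 1:                             # assumption (published algorithm): a proper factor
            return False
        if r_is_suitable(n, r):
            break
        r += 1
    for a in range(1, int(4 * r ** 0.5 * log2(n)) + 1):
        if not is_introspective(n, [-a, 1], n, r):     # (X-a)^n != X^n - a (mod n, X^r-1)
            return False                               # COMPOSITE
    return True                                        # PRIME
```

Over $F_7[X]/(X^5 - 1)$ with $g = X - 1$, `is_introspective` confirms this slide's claim that 1, p and $p^2$ are introspective while, say, 2 is not; for a composite modulus such as 6 the same call with $g = X - 1$ reports the failure of slide 12 in the reduced ring.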

18
There Are Infinitely Many Introspective Numbers
  • Let g(X) be a unit in the ring $F_p[X]/(X^r - 1)$ and
    $O_{g(X)}$ be its order, so that $g(X)^{O_{g(X)}} = 1 \pmod{p,\; X^r - 1}$.
  • If m is introspective for g(X), then so is $m + k\,R_{g(X)}$
    for every k, where $R_{g(X)} = \mathrm{lcm}(r, O_{g(X)})$:
  • $g(X)^{m + k R_{g(X)}} = g(X)^m \equiv$
  • $g(X^m) = g(X^{m + k R_{g(X)}})$, since $X^r = 1$ in the ring
    and $r \mid R_{g(X)}$.
19
But These Are Mere Copies
[Figure: a number line marked at $0, R_{g(X)}, 2R_{g(X)}, 3R_{g(X)}$, showing the
introspective numbers $1$, $\langle n\rangle$, $\langle p\rangle$ and their copies
$1 + 2R_{g(X)}$, $1 + 3R_{g(X)}$, $\langle n\rangle + 2R_{g(X)}$, $\langle p\rangle + 2R_{g(X)}$,
where $\langle p\rangle = p \pmod{R_{g(X)}}$ and $\langle n\rangle = n \pmod{R_{g(X)}}$.]
  • Are there more introspective numbers $< R_{g(X)}$?

20
Yes
  • Lemma: If s and t are introspective for g(X), so
    is $s \cdot t$.
  • Proof:
  • $g(X)^{st} = (g(X)^s)^t \equiv g(X^s)^t \pmod{p,\; X^r - 1}$, and
  • $g(X^s)^t \equiv g(X^{st}) \pmod{p,\; X^{sr} - 1}$ (substitute $X^s$ for X
    in $g(X)^t \equiv g(X^t) \pmod{p,\; X^r - 1}$)
  • $\equiv g(X^{st}) \pmod{p,\; X^r - 1}$, since $X^r - 1$ divides $X^{sr} - 1$.

21
But Not Many!
  • Lemma: There are $< r$ introspective numbers for
    g(X) that are less than $R_{g(X)}$.
  • Proof: Suppose s and t are introspective for
    g(X), $s < t$, and $s \equiv t \pmod r$.
  • Then modulo $(p, X^r - 1)$:
  • $g(X)^s \equiv g(X^s)$ since s is introspective,
  • $\equiv g(X^t)$ since $s \equiv t \pmod r$, $\equiv g(X)^t$
    since t is introspective.
  • So $s \equiv t \pmod{O_{g(X)}}$ as well; therefore $s \equiv t \pmod{R_{g(X)}}$
    and so $t > R_{g(X)}$.
  • Hence the introspective numbers below $R_{g(X)}$ are pairwise
    distinct modulo r.

22
So n is (almost) Forced to be a Prime Power
  • We have n and p introspective for $X - a$.
  • So will be $n^i p^j$ for $0 \le i, j \le \sqrt{r}$, by the product lemma.
  • These are $> r$ introspective numbers, each at most
    $n^{2\sqrt{r}}$.
  • So if $R_{X-a} > n^{2\sqrt{r}}$, two of them must be equal.
  • This implies $n = p^k$ for some k!

23
How to Ensure $R_{X-a} > n^{2\sqrt{r}}$?
  • We need to move down to a field to argue
    this.
  • Let h(X) be an irreducible factor of $(X^r - 1)/(X - 1)$
    over the field $F_p$.
  • We have d = degree of h(X) = order of p in $F_r^*$.
  • Also, $R_{X-a} \ge$ order of $X - a$ in the field
    $F_p[X]/(h(X))$.

24
It is Easy IF
  • Let us assume the following:
  • $r > 5 \log^2 n$,
  • p generates the group $F_r^*$ (so $d = r - 1$),
  • $X - a$ generates the group $(F_p[X]/(h(X)))^*$.
  • Then $R_{X-a} \ge p^{r-1} - 1 > p^{2\sqrt{r}\log n} \ge n^{2\sqrt{r}}$.

25
However, It is a BIG IF
  • X-a may never be a generator!
  • Try to find a g(X) that WILL be a generator!
  • An open problem!!

26
Recall
  • We only need to find a g(X) with large order,
    not necessarily a generator!
  • How do we find a g(X) with order $> n^{2\sqrt{r}}$ in the group
    $(F_p[X]/(h(X)))^*$?
  • $X - a$ may have large order, but it appears hard to
    prove.

27
The Solution
  • Both n and p are introspective for each $X - a$, for the
    $4\sqrt{r}\,\log n$ different a's.
  • Let G be the multiplicative group generated by
    all such $(X - a)$'s in the field.
  • Both n and p will be introspective for any
    element of the group!

28
Why?
  • Let $g(X) = \prod_{a=1}^{4\sqrt{r}\log n} (X - a)^{e_a}$, with $e_a \ge 0$,
    be an element of G.
  • $g(X)^n = \prod_{a=1}^{4\sqrt{r}\log n} (X - a)^{n e_a}$
  • $\equiv \prod_{a=1}^{4\sqrt{r}\log n} (X^n - a)^{e_a}$
  • $= g(X^n) \pmod{p,\; X^r - 1}$

29
What is the Size of G?
  • Group G has at least $2^k - 1$ elements, for
    $k = \min\{d,\; 4\sqrt{r}\,\log n\}$.
  • Consider only the first k $(X - a)$'s.
  • Products of different subsets (except for the
    entire set) will be different.
  • Reason: all such products have degree $< d$,
    which is the degree of h(X), so they remain distinct
    modulo h(X).

30
Almost Done
  • Since G is cyclic, its generator has order
    exactly the size of the group.
  • So we need to ensure that $2^k > n^{2\sqrt{r}}$.
  • If $2^d > n^{2\sqrt{r}}$, we are done (the other branch of the
    minimum gives $2^{4\sqrt{r}\log n} = n^{4\sqrt{r}}$, which is large enough).
  • So we must ensure that d, the order of p modulo
    r, is greater than $2\sqrt{r}\,\log n$.

31
Is It Easy to Ensure?
  • Unfortunately, no.
  • Fortunately, this is already done by Fouvry,
    Baker-Harman etc.!
  • They show that primes $r < z$ such that $r - 1$ has a
    prime factor $> r^{2/3}$ have positive density.

32
And That Is All We Need!
  • Consider primes r between $c \log^6 n$ and $d \log^6 n$
    (c, d constants; this d is not the order d above)
    such that $P(r-1) > r^{2/3} > c \log^4 n$.
  • Amongst these, consider the r's such that the order of n
    modulo r is not divisible by $P(r-1)$.
  • For such r the order of n divides $(r-1)/P(r-1)$, so it is
    bounded by $r^{1/3} < d \log^2 n$.
  • So all such r's divide
  • $\prod_{k=1}^{d \log^2 n} (n^k - 1) < n^{d \log^4 n} = 2^{O(\log^5 n)}$.
  • The number of such r's is, therefore, $O(\log^5 n) = o(\log^6 n / \log\log n)$.

33
This Ensures Existence of the Required r
  • So there must exist an $r = \Theta(\log^6 n)$ such that
    $P(r-1) > r^{2/3}$, and $P(r-1)$ divides the order of n
    in $F_r^*$.
  • Then $P(r-1)$ will also divide the order d of some
    prime factor p of n (the order of n divides the lcm of the
    orders of its prime factors), making $d > r^{2/3} > 2 r^{1/2} \log n$.

34
Remarks
  • Our algorithm is impractical: its running time
    is $O(\log^{12} n)$ provably (but non-effectively), and
    $O(\log^6 n)$ heuristically.
  • To make it practical, one needs to bring the
    exponent down to 4 or less.

35
A Brief History of Polynomial Time Algorithms
36
What Next?
  • Conjecture: If $n^2 \not\equiv 1 \pmod r$ and $(X-1)^n \equiv X^n - 1
    \pmod{n,\; X^r - 1}$ then n must be a prime power.
  • Yields an $O(\log^3 n)$ time algorithm!