PRIMES is in P - PowerPoint PPT Presentation

1
PRIMES is in P
  • Manindra Agrawal
  • NUS Singapore / IIT Kanpur

2
The Problem
  • Given number n, test if it is prime efficiently.
  • Efficiently = in time a polynomial in number of
    digits
  • = $(\log n)^c$ for some constant $c$

3
The Trial Division Method
  • Try dividing by all numbers up to $n^{1/2}$.
  • Takes exponential time: $\Omega(n^{1/2})$.
  • Also produces a factor of n when it is composite.

4
A Possible Approach
  • Find a characterization of prime numbers that is
    efficiently verifiable
  • Many characterizations of primes have been
    obtained over centuries.
  • But none were provably efficient until recently.

5
Wilson's Characterization (18th century)
  • n is prime
  • iff
  • $(n-1)! \equiv -1 \pmod{n}$
  • Requires $O(n)$ operations

6
Fermat's Little Theorem (17th century)
  • n is prime
  • implies
  • for any a
  • $a^n \equiv a \pmod{n}$.
  • It is easy to check
  • Compute $a^2$, square it to $a^4$, square it to $a^8$, ...
  • Needs only $O(\log n)$ multiplications.

7
An Efficient but Wrong Characterization
  • n is prime
  • iff
  • for $0 < a < 4\log^2 n$: $a^n \equiv a \pmod{n}$
  • Requires only $O(\log^3 n)$ multiplications and
    divisions.
  • Fails on Carmichael numbers, e.g., $561 = 3 \cdot 11 \cdot 17$.

8
Lucas' Characterization (1891)
  • n is prime
  • iff
  • for every prime divisor q of $n-1$
  • there is an $a$, $1 < a < n$, such that
  • $a^{n-1} \equiv 1 \pmod{n}$ and $\gcd(a^{(n-1)/q} - 1,\ n) = 1$
  • Based on FLT
  • It is inefficient: requires factorization of $n-1$

9
An NP ∩ coNP Algorithm
  • A trivial algorithm shows that the set is in
    coNP: given a factor of n it is easy to verify
    that n is composite.
  • Pratt, 1974: Lucas' characterization yields an
    NP algorithm: guess a prime factorization of $n-1$,
    recursively verify its correctness, and guess an
    a with required properties.

10
Miller's (unproven) Characterization (1975)
  • $n = 1 + 2^t \cdot s$ is an odd prime
  • iff
  • for $0 < a < 4\log^2 n$
  • either $a^s \equiv 1 \pmod{n}$
  • or $a^{2^k s} \equiv -1 \pmod{n}$ for some $0 \le k < t$

11
Yields an Efficient Algorithm
  • Based on FLT
  • Yields an efficient algorithm: $O(\log^4 n)$ steps
  • It is correct assuming Generalized Riemann
    Hypothesis

12
coRP Algorithms
  • 1974: Solovay-Strassen gave the first
    unconditional but randomized polynomial time
    algorithm.
  • This algorithm might give a wrong answer with a
    small probability when n is composite.
  • 1975: Rabin modified Miller's characterization
    to obtain another algorithm with similar
    properties.

13
An Almost Efficient Characterization
  • 1983: Adleman, Pomerance, and Rumely gave a
    (rather complicated) characterization that yields
    a deterministic algorithm running in time
    $(\log n)^{c \log\log\log n}$.

14
An Efficient Characterization
  • 2002: A., Kayal, Saxena gave the first
    deterministically verifiable efficient
    characterization.

15
Starting Point: A Polynomial-Based Characterization
  • n is prime
  • iff
  • $(X+1)^n \equiv X^n + 1 \pmod{n}$

Proof: If n is prime then all coefficients are
divisible by n. If n is composite then at least
one is not.

16
  • A generalization of FLT to polynomials.
  • Simple and elegant.
  • Inefficient: although it requires only $O(\log n)$
    polynomial multiplications, intermediate
    polynomials are of large degree.

17
A Way to Reduce Space
  • Test the equation modulo $X^r - 1$ for a small r.
  • Or, more generally, test if
  • $(X+a)^n \equiv X^n + a \pmod{n,\ X^r - 1}$
  • For a few $a$'s and a few small $r$'s.

18
It Almost Works
$O_r(n)$ = smallest $k$ with $n^k \equiv 1 \pmod{r}$.
  • n is prime
  • iff
  • for any r such that $O_r(n) > 4\log^2 n$
  • n has no divisor smaller than $\min(n,r)$ and
  • for every a, $1 \le a \le 2\sqrt{r}\log n$
  • $(X+a)^n \equiv X^n + a \pmod{n,\ X^r - 1}$

19
The Algorithm
  • Input n.
  • Find the smallest number r such that $O_r(n) > 4(\log n)^2$.
  • If any number $< r$ divides n, output
    PRIME/COMPOSITE appropriately.
  • For every $a \le 2\sqrt{r}\log n$
  • If $(X+a)^n \not\equiv X^n + a \pmod{n,\ X^r - 1}$ then output
    COMPOSITE.
  • Output PRIME.
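
An added worked example, not part of the original slides: a direct Python rendering of the algorithm on this slide. Base-2 logarithms, the function names, the big-integer packing used to multiply polynomials, and skipping values of r that share a factor with n (where $O_r(n)$ is undefined) are assumptions of this example.

```python
import math

def find_r(n):
    """Smallest r coprime to n with multiplicative order O_r(n) > 4*(log2 n)^2."""
    bound = 4 * math.log2(n) ** 2             # log base 2 is an assumption here
    r = 2
    while True:
        if math.gcd(r, n) == 1:
            k, power = 1, n % r
            while power != 1 and k <= bound:  # walk n^k mod r until 1 or past bound
                k, power = k + 1, power * n % r
            if k > bound:
                return r
        r += 1

def mulmod(f, g, n, r, width):
    """Multiply coefficient lists modulo (n, X^r - 1) with one big-integer product."""
    pack = lambda p: int.from_bytes(
        b"".join(c.to_bytes(width, "little") for c in p), "little")
    raw = (pack(f) * pack(g)).to_bytes(2 * r * width, "little")
    out = [0] * r
    for i in range(2 * r - 1):                # slot i holds the coefficient of X^i
        c = int.from_bytes(raw[i * width:(i + 1) * width], "little")
        out[i % r] = (out[i % r] + c) % n     # fold X^r to 1, reduce mod n
    return out

def congruence_holds(n, r, a):
    """True iff (X + a)^n == X^n + a (mod n, X^r - 1)."""
    width = ((r * n * n).bit_length() + 7) // 8   # bytes per slot, so no carries
    base = [a % n, 1] + [0] * (r - 2)
    acc = base
    for bit in bin(n)[3:]:                        # square-and-multiply on n's bits
        acc = mulmod(acc, acc, n, r, width)
        if bit == "1":
            acc = mulmod(acc, base, n, r, width)
    rhs = [a % n] + [0] * (r - 1)
    rhs[n % r] = (rhs[n % r] + 1) % n             # X^n reduces to X^(n mod r)
    return acc == rhs

def aks_is_prime(n):
    if n < 2:
        return False
    r = find_r(n)
    if any(n % d == 0 for d in range(2, min(r, n))):
        return False                              # a number below r divides n
    if n <= r:
        return True                               # every d < n was tried
    limit = math.floor(2 * math.sqrt(r) * math.log2(n))
    return all(congruence_holds(n, r, a) for a in range(1, limit + 1))
```

The trial-division step already rejects Carmichael numbers such as 561; the congruence loop is what decides inputs with no divisor below r, and in pure Python it is slow for primes much larger than r.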

20
Correctness: Non-trivial Part
  • Assume
  • r is given such that $O_r(n) > 4(\log n)^2$.
  • Smallest prime dividing n is at least $\min(n,r)$.
  • $(X+a)^n \equiv X^n + a \pmod{n,\ X^r - 1}$ for $0 < a \le 2\sqrt{r}\log n$.

21
  • Fix a prime p dividing n with $p \ge r$ and $O_r(p) > 1$.
  • Clearly, $(X+a)^n \equiv X^n + a \pmod{p,\ X^r - 1}$ too for
    $0 < a \le 2\sqrt{r}\log n$.
  • And of course, $(X+a)^p \equiv X^p + a \pmod{p,\ X^r - 1}$
    (according to previous prime characterization)

22
Introspective Numbers
  • We call any number m such that
    $g(X)^m \equiv g(X^m) \pmod{p,\ X^r - 1}$ an introspective number for $g(X)$.
  • So, p and n are introspective numbers for $X+a$ for
    $0 < a \le 2\sqrt{r}\log n$.

23
Introspective Numbers Are Closed Under $\cdot$
  • Lemma: If s and t are introspective for $g(X)$, so
    is $s \cdot t$.
  • Proof:
  • $g(X)^{st} \equiv g(X^s)^t \pmod{p,\ X^r - 1}$, and
  • $g(X^s)^t \equiv g(X^{st}) \pmod{p,\ X^{sr} - 1}$
  • $\equiv g(X^{st}) \pmod{p,\ X^r - 1}$.

24
So There Are Lots of Them
  • Let $I = \{ n^i \cdot p^j \mid i, j \ge 0 \}$.
  • Every m in I is introspective for $X+a$ for
    $0 < a \le 2\sqrt{r}\log n$.

25
Introspective Numbers Are Also For Products
  • Lemma: If m is introspective for both $g(X)$ and
    $h(X)$, then it is also for $g(X) \cdot h(X)$.
  • Proof:
  • $(g(X) \cdot h(X))^m = g(X)^m \cdot h(X)^m$
  • $\equiv g(X^m) \cdot h(X^m) \pmod{p,\ X^r - 1}$

26
So Introspective Numbers Are For Lots of
Polynomials
  • Let $Q = \{ \prod_{a=1}^{2\sqrt{r}\log n} (X+a)^{e_a} \mid e_a \ge 0 \}$.
  • Every m in I is introspective for every g(X) in Q.

27
Finite Fields Facts
  • Let $h(X)$ be an irreducible divisor of the rth
    cyclotomic polynomial $C_r(X)$ in the ring $F_p[X]$
  • $C_r(X)$ divides $X^r - 1$.
  • Polynomials modulo p and $h(X)$ form a field, say
    F.
  • $X^i \ne X^j$ in F for $0 \le i \ne j < r$.

28
Moving to Field F
  • Since $h(X)$ divides $X^r - 1$, equations for
    introspective numbers continue to hold in F.
  • We now argue over F.

29
Two Sets in Field F
  • Let $G = \{ X^m \mid m \in I \}$.
  • Every element of G is an rth root of unity.
  • $t = |G| \ge O_r(n) > 4\log^2 n$.
  • Let $H = \{ g(X) \pmod{p,\ h(X)} \mid g(X) \in Q \}$.
  • H is a multiplicative group in F.

30
H is large
  • Let $Q_t$ be the set of all polynomials in Q of degree $< t$.
  • Lemma: There are $> n^{2\sqrt{t}}$ distinct polynomials in
    $Q_t$
  • Consider all products of $(X+a)$'s of degree $< t$.
  • There are $> \dots > n^{2\sqrt{t}}$ of
    these (since $r > t$ and $\sqrt{t} > 2\log n$).

31
because $Q_t$ injects into F
  • Let $f(X)$, $g(X)$ in $Q_t$ with $f(X) \ne g(X)$.
  • Suppose $f(X) = g(X)$ in F. Then
  • For every $X^m$ in G, $f(X^m) = f(X)^m = g(X)^m = g(X^m)$
    in F.
  • So polynomial $P(z) = f(z) - g(z)$ has $|G| = t$
    roots in F.
  • Contradiction, since $P(z) \ne 0$ and degree of $P(z)$
    is $< t$.

32
implies that I has few small numbers
  • Let $m_1, m_2, \ldots, m_k$ be the numbers in I that are $\le n^{2\sqrt{t}}$.
  • Suppose $k > t$.
  • Then, there exist $m_i$ and $m_j$, $m_i > m_j$, such that
  • $X^{m_i} = X^{m_j}$ (in F)

$I$ = set of introspective numbers; $F = F_p[X]/(h(X))$, $h(X) \mid X^r - 1$;
$Q$ = set of introspective polynomials; $G = X^I$; $H = Q \pmod{h(X)}$

33
  • Let g(X) be any element of H.
  • Then
  • $g(X)^{m_i} = g(X^{m_i}) = g(X^{m_j}) = g(X)^{m_j}$ (in F)
  • Therefore, $g(X)$ is a root of the polynomial
    $P(z) = z^{m_i} - z^{m_j}$ in the field F.

34
  • Since H has more than $n^{2\sqrt{t}}$ elements in F, $P(z)$
    has more than $n^{2\sqrt{t}}$ roots in F.
  • Contradiction, since $P(z) \ne 0$ and degree of $P(z)$
    $= m_i \le n^{2\sqrt{t}}$.

35
so n must be a prime power!
  • Consider numbers $n^a \cdot p^b$ with $0 \le a, b \le \sqrt{t}$.
  • Each such number is $\le n^{2\sqrt{t}}$ (small).
  • So there are $\le t$ (few) such numbers.
  • This gives a, b, c, d with
  • $(a,b) \ne (c,d)$ and $n^a \cdot p^b = n^c \cdot p^d$
  • Therefore, $n = p^e$ for some $e > 0$.

$t = O_r(n,p)$; $F = F_p[X]/(h(X))$, $h(X) \mid X^r - 1$; $I$ = set of
introspective numbers; $Q_{low}$ = polynomials of degree $< t$

36
This forces n to be prime
  • Lemma (Hendrik Lenstra Jr., 1983): If $a^n \equiv a \pmod{n}$
    for $1 \le a \le 4\log^2 n$ then n is square-free.
  • Since
  • $(X+a)^n \equiv X^n + a \pmod{n,\ X^r - 1}$ for $0 < a \le 2\sqrt{r}\log n$,
  • we have
  • $a^n \equiv a \pmod{n}$ for $0 < a \le 4\log^2 n$,
  • (as $r > 4\log^2 n$). So n must be square-free.

37
The Choice of r
  • We need r such that $O_r(n) > 4(\log n)^2$.
  • Any r such that $O_r(n) \le 4(\log n)^2$ must divide
  • $\prod_{k=1}^{4\log^2 n} (n^k - 1) < n^{16\log^4 n} = 2^{16\log^5 n}$.
  • By Chebyshev's prime density estimates the lcm of the
    first m numbers is at least $2^m$ (for $m > 7$).
  • Therefore, there must exist an r that we desire
    $\le 16(\log n)^5 + 1$.

38
Time Complexity
  • Step 3 dominates running time.
  • It needs to verify $O(\sqrt{r}\log n)$ equations.
  • Each equation needs $O(r\log^2 n)$ time to verify.
  • So time complexity is $O(r^{1.5}\log^3 n) = O(\log^{10.5} n)$.

39
  • Using a result of Fouvry, one can show that
    $r = O(\log^3 n)$ is enough.
  • The result shows that primes r such that $r-1$ has
    a large prime divisor have high density.
  • This brings time complexity down to $O(\log^{7.5} n)$.

40
A Cleaner Characterization
  • The characterization is a bit messy.
  • Three different conditions need to hold:
  • r needs to be such that $O_r(n) > 4(\log n)^2$
  • No prime divisor of n is smaller than $\min(n,r)$
  • For every a, $1 \le a \le \sqrt{r}\log n$
  • $(X+a)^n \equiv X^n + a \pmod{n,\ X^r - 1}$
  • Can these be combined into a single equation?

41
Yes!
  • Use the equation
  • $(X+1)^n \equiv X^n + 1 \pmod{n,\ Q(X)}$
  • for an appropriate small-degree $Q(X)$.

42
Eliminating Condition on r
  • Try for all $r \le 16\log^5 n$!

43
Eliminating Small Divisors
  • Lemma: If $(X+1)^n \equiv X^n + 1 \pmod{n,\ X^r}$ then n
    has no divisor less than $\min(n,r)$.
  • Proof: If prime $p < \min(n,r)$ divides n, then
    $(X+1)^n \equiv 1 + \frac{n}{p} X^p + \cdots \pmod{n,\ X^r} \not\equiv 1 \pmod{n,\ X^r}$.

44
Eliminating Multiple Equations
  • Lemma: $(X+1)^n \equiv X^n + 1 \pmod{n,\ Q(X-a)}$ for
    $0 < a \le B$ iff
  • $(X+a)^n \equiv X^n + a \pmod{n,\ Q(X)}$ for $1 < a \le B+1$.
  • Proof: Assume for $B-1$. Then
  • $(X+1)^n \equiv X^n + 1 \pmod{n,\ Q(X-B)}$ iff
  • $(X+B+1)^n \equiv (X+B)^n + 1 \pmod{n,\ Q(X)}$ iff
  • $(X+B+1)^n \equiv X^n + B + 1 \pmod{n,\ Q(X)}$

45
Putting These Together
  • n is prime
  • iff
  • $(X+1)^n \equiv X^n + 1 \pmod{n,\ Q(X)}$
  • where
  • Degree of $Q(X)$ is $O(\log^{27/2} n)$.

46
Further work
  • Lenstra-Pomerance, 2003: $r = O(\log^2 n)$ is enough
    with a different polynomial of degree r than
    $X^r - 1$.
  • This improves time complexity to $O(\log^6 n)$.
  • Berrizbeitia-Bernstein, 2003: Randomized
    primality proving algorithm with time complexity
    $O(\log^4 n)$.

47
Further Improvement?
  • Conjecture
  • n is prime
  • iff
  • n is not a prime power,
  • $n \not\equiv 1 \pmod{r}$ for some prime $r > \log n$,
  • and $(X-1)^n \equiv X^n - 1 \pmod{n,\ X^r - 1}$
  • Yields an $O(\log^3 n)$ time algorithm.