introduction to the aks primality test
TRANSCRIPT
The AKS Primality Test
Pranshu BhatnagarChennai Mathematical Institute
Indraprastha Institute of Information Technology
11th
June 2015
Introduction to Primality Testing• Goal: given an integer n > 1, determine whether n is
prime
• Most people know the smallest primes • 2, 3, 5, 7, 11, 13, 17, 19, 23, …
• What about:• 38,476? No, because it is even• 4,359? No, because the sum of the digits is 21, a multiple of 3• 127? Yes, because it does not have any factors < √127 ≈ 11.27• 257,885,161 − 1?
• This has over 17 million digits. We need better tests…
2
3 CategoriesFor some arithmetic statement S which is easy to check:1.n is prime S(n)⇒
• pseudoprimes • strong pseudoprimes
2.S(n) n is prime⇒• n-1 test (Lucas Theorem)• n+1 test (Lucas-Lehmer)
3.S(n) ⇔ n is prime• AKS test
3
n is prime S(n)⇒• S(n): n = 2 or n is odd
• S(n): n = 3 or sum of digits of n is not divisible by 3
• ¬ S(n) n is composite⇒
• S(n) ?⇒
5
Pseudoprimes• n prime S(n)⇒
• S-pseudoprime: n is composite but S(n) holds
• S(n): n = 2 or n is odd• n = 15 is a pseudoprime
7
Intro to Modular Arithmetic• a ≡ b (mod n)
• Formally n|(a-b)• a/n leaves remainder b
• Clocks keep time (mod 12)• 16:30 (military time) ≡ 4:30 pm• 8:00 am + 7 hours = 15:00 ≡ 3 pm
• Subtract the modulus until the result is small enough• 11 ≡ 4 (mod 7)• 35 ≡ 0 (mod 5)• 23 = 8 ≡ 2 (mod 3)
11
Fermat Pseudoprimes• n prime S(n)⇒
• S is based on Fermat’s Little Theorem: If n is prime then an ≡ a (mod n), a∀ ∈ℤ
• S(n): an ≡ a (mod n)
• Fermat pseudoprime: n is composite but an ≡ a (mod n) for some a
13
Examplesn prime a⇒ n ≡ a (mod n)• Let n = 91
• Composite: 91 = 7 * 13
• 391 ≡ 3 (mod 91)• 91 is a Fermat pseudoprime base 3
• 291 ≠ 2 (mod 91)• 91 is not a Fermat pseudoprime base 2 (91 is composite)
• Note: Most probably, infinite Carmichael numbers, ∃composites with
an ≡ a (mod n) for every a
17
S(n) n is prime⇒• n is composite ¬ S(n) ⇒
• ¬ S(n) ?⇒
19
The n-1 Test• S is based on the Lucas Theorem:
If an-1 ≡ 1 (mod n) but a(n-1)/q ≠ 1 (mod n) prime q|n-1,∀ then n is prime (for some a )∈ℤ
• S(n): an-1 ≡ 1 (mod n) but a(n-1)/q ≠ 1 (mod n)
23
Example [an-1 ≡ 1 (mod n) but a(n-1)/q ≠ 1 (mod n)] n ⇒prime• Let n = 19
• n-1 = 18 = 2 * 32
• Let a = 2218 ≡ 1 (mod 19)29 ≡ 18 (mod 19)26 ≡ 7 (mod 19)
• So 19 is prime
29
Another Example[an-1 ≡ 1 (mod n) but a(n-1)/q ≠ 1 (mod n)] n ⇒prime• S(n) n is prime⇒
• ¬ S(n) ?⇒
• Let n = 13, a = 5• n-1 = 12 = 22 * 3
512 ≡ 1 (mod 13) 56 ≡ 12 (mod 13)
But 54 ≡ 1 (mod 13)
• S(n) is false, but n = 13 is prime
31
S(n) ⇔ n is prime• S(n) n is prime⇒
• ¬ S(n) n is composite⇒
• Theorem: Given some a with gcd(a,n) = 1:
n is prime iff (x + a)n ≡ xn + a (mod n)
• S(n): (x + a)n ≡ xn + a (mod n)
37
ExampleS(n): (x + a)n ≡ xn + a (mod n)• (x+4)7
= x7 + 28x6 + 336x5 + 2240x4 + 8960x3 + 21504x2 + 28672x + 16384 ≡ x7 + 4 (mod 7)
• 7 is prime
• (x+3)4
= x4 + 12x3 + 54x2 + 108x + 81 ≡ x4 + 2x2 + 1 (mod 4) ≠ x4 + 3
• 4 is composite
41
Improvement: The AKS Theorem• Agrawal-Kayal-Saxena (AKS) Theorem: n is prime iff
• n is not a power,• n has no small factors,• (x + a)n ≡ xn + a (mod n, xr - 1)
for certain r and small values of a
43
The AKS Algorithm
47
Input: n ≥ 1STEP 1. If a, b > 1 N such that n = a∃ ∈ b , then Output COMPOSITE;STEP 2. Find the minimal r N such that o∈ r(n) > log2(n);STEP 3. For a = 1 to r do if 1 < (a, n) < n, then Output COMPOSITE;STEP 4. if r ≥ n, then Output PRIME ;STEP 5. For a = 1 to do if (x + a)n ≡ xn + a (mod xr − 1, n), then Output COMPOSITE;STEP 6. Output PRIME;
Proof Of Correctness
n is prime S(n)⇒l n is certainly not of the form ab for any a, b > 1, sol STEP 1 will not output COMPOSITE. l Since n is prime, we also know that x N, (n, x) = 1 or n. ∀ ∈
Hence STEP 3 will not output composite either. l We have seen that for any prime n, (x+a)n ≡ xn+a (mod n),
so STEP 5 will not output COMPOSITE. l Therefore the algorithm will output PRIME
S(n) n is prime⇒l If the algorithm returns PRIME during STEP 4, then we
know that m < n, (m, n) = 1 (this was checked in STEP 3), ∀meaning n is prime.
l The remaining case, in which the algorithm returns PRIME during STEP 6, will take considerably more effort and require some extra machinery.
Runtime Analysis
Notation
Basic Operationsl Let n, m N. Then∈l Computing m + n takes O(||n|| + ||m||) = O(log(n) + log(m))
bit operations.l Computing m · n takes O(||n|| · ||m||) = O(log(n) · log(m))
bit operations.l Computing the quotient n div m and the remainder n mod
m takes O((||n|| −||m|| + 1) · ||m||) bit operations.
Basic Operationsl Let m, n N with at most k bits each. Then:∈l m and n can be multiplied with O(k(log(k))(loglogk)) =
O~(k) bit operations.l n div m and n mod m can be computed using O(k(log(k))
(log logk)) = O~(k) bit operations.l Multiplication of two polynomials of degree d with
coefficients at most m bits in size can be done in O~(d · m) bit operations.
Euclidean Algorithml Input: m, n Z∈l 0: a, b integer;l 1: if |n| ≥ |m|l 2: then a ← |n|; b ← |m|;l 3: else b ← |m|; a ← |n|;l 4: while b > 0 repeatl 5: (a, b) ← (b, a mod b); //i.e., ai = bi−1 , bi = ai−1 mod bi−1l 6: return a;l This algorithm runs in O(log(n) · log(m)).
Fast Modular Exponentiationl Let n = 2a
1 + 2a2 + · · · + 2a
l where a1 > a2 > · · · > al. l Define f0 := (x + a),l fi+1(x) = fi(x)2 (mod xr − 1, n). l Then faj(x) = (x + a)aj . l If we further define g1(x) := fa1(x) and gk(x)≡gk−1(x) fk (x)
(mod xr − 1, n), then we see thatl gl(x) ≡ (x + a)2a
1 +···+2a
l = (x + a) n (mod x r − 1, n).l We have therefore computed (x + a)n (mod xr − 1, n) in a1 +
l ≤ 2log(n) steps, where a step consists of multiplying two polynomials of degree less than r with coefficients in Z/nZ.
This leads to a total runtime of O∼(r·log2 (n)).
Perfect power Testl Input : n N∈l 0: a, b, c, m integerl 1: b ← 2l 2: while (b ≤ log(n)) dol 3: a=1;c=m;l 4: while c − a ≥ 2 do l 5: m ← (a + c) div 2;l 6: p ← min {mb , 1};l 7: if p = n then return "n is
a perfect power";l 8: if p < n then a ← m else
c ← m;l 9: b ← b + 1;l 10: return "n is not a perfect
power."
l Loop 1 will run at most log(n) times. Also, it will take at most log(n) iterations of loop 2 before |c − a| ≤ 1. During each iteration of loop 2, we calculate (a + c) div 2 and mb , which can be done in
O~(log(n)) bit operations. l The complexity of the entire
algorithm is therefore
O∼(log3(n)).
Overall
STEP 1 At most O∼(log3(n)) bit operations.
STEP 2 We know that there exists an r< log5(n) such that or(n) > log2(n) .The easiest way to find such an r is simply to calculate nk(mod r) for k = 1, 2, ..., log2(n). This involves O(log2(n)) multiplications modulo r for each r, so STEP 2 takes O∼(log7(n)) bit operations.
STEP 3 While determining whether (a,n)> 1 for some a ≤ r, computing each gcd takes O∼(log2(n)) bit operations using the Euclidean Algorithm, resulting in a total of O∼(log7(n)) bit operations
OverallSTEP 5 Given a ≤ , calculating (x + a)n in the ring Z/nZ as reducing modulo xr − 1 is trivial (simply replace xs by x(s−r)). In order to calculate (x+a)n, we must perform O(log(n)) multiplications of polynomials of degree<r with coefficients of size O(log(n)) (as the coefficients are written modulo n; recall that all polynomials are reduced modulo xr −1
during Fast Modular Exponentiation).Each congruence therefore takes O∼(log7(n)) bit operations to verify. This step therefore takes O∼( log(n) log7(n)) = O∼( log8(n)) = O∼(log21/2(n)) bit operations. The complexity of STEP 5 clearly dominates the complexity of the other steps, so the overall complexity of the algorithm is O∼(log10.5(n)), which is indeed polynomial.
Example• Is n = 1993 prime?
1.1993 is not a power ✓
53
Example Continued(Is n = 1993 prime?)
1.(i) Find “certain r:” Really finding the least integer r > log2n with order of n in ℤr
*
We find r = 5. (ii) Check that n has no “small factors” Really checking no factors in [2, log n * √φ(r)] = [2, log(1993)*√4] = [2, 21.92]) 2, 3, 4, 5, …, 21 are not factors ✓
Note: √1993 ≈ 44.643 – AKS checks less than half as many numbers as possible factors
59
Example Continued(Is n = 1993 prime?)1.Check (x + a)n ≡ xn + a (mod n, xr - 1) for a up to the same value (log n* √φ(r))
So for 1 ≤ a ≤ 21 check (x + a)1993 ≡ x1993 + a (mod 1993, x5 - 1) ✓
Result: n = 1993 passed all 3 tests. So 1993 is prime.
61
Significance• Determines whether n is prime or composite in
polynomial time
• AKS Test is an iff statement• If pass the test then n is definitely prime• If fail the test then n is definitely composite
67
Work Cited• Linowitz, Benjamin. An Exposition of the AKS Polynomial
Time Primality Testing• Stay, Michael, Primes is in P, slowly.• Crandall, Richard, and Carl Pomerance. Prime Numbers:
A Computational Perspective. New York: Springer, 2005.
• Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin (2004). "PRIMES is in P"
71