\documentclass{article}
\usepackage{../../src/scripts/tex/axiom}
\begin{document}
\title{\$SPAD/src/algebra primesp.spad}
\author{Manindra Agrawal, Neeraj Kayal and Nitin Saxena}
\maketitle
\begin{abstract}
We present a deterministic polynomial-time algorithm that determines whether an input number $n$ is prime or composite.
\end{abstract}
\begin{quote}
{\sl ``The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it should be superfluous to discuss the problem at length\ldots Further, the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated.''}
\begin{flushright}
Karl Friedrich Gauss, {\sl Disquisitiones Arithmeticae}, 1801 (translated from [Knu98])
\end{flushright}
\end{quote}
\eject
\tableofcontents
\eject
\section{Introduction}
Since ancient times, mathematicians have been fascinated by problems concerning prime numbers. One of the fundamental problems concerning prime numbers is to determine if a given number is prime. In modern times, primality testing has also become important from a practical perspective because of its applications in cryptography. Starting from the ancient Chinese and Greeks, many have worked on the problem of finding an efficient algorithm for testing primality. The Sieve of Eratosthenes (ca. 240 BC) is the most ancient algorithm that works correctly for all primes; however, its time complexity ($=\Omega(n)$, where $n$ is the input number) is exponential in the size of the input. In the 17th century, Fermat proved what is referred to as {\sl Fermat's Little Theorem}, stating that for any prime number $p$ and any number $a$ not divisible by $p$, $a^{p-1} \equiv 1 \pmod{p}$.
Although the converse of this theorem does not hold (and in fact fails spectacularly for {\sl Carmichael numbers}), this result has been the starting point for several efficient primality testing algorithms. In 1976, Miller [Mil76] used this property to obtain a deterministic polynomial-time algorithm for primality testing assuming the {\sl Extended Riemann Hypothesis (ERH)}. His test was modified by Rabin [Rab80] to yield an unconditional but randomized polynomial-time algorithm. Solovay and Strassen [SS77] obtained another randomized polynomial-time algorithm using quadratic residues. (Their algorithm can also be derandomized under ERH.) Since then, a number of randomized polynomial-time algorithms have been proposed for primality testing. In 1983, Adleman, Pomerance, and Rumely achieved a major breakthrough by giving a deterministic algorithm for primality that runs in $(\log n)^{O(\log \log \log n)}$ time (all the previous deterministic algorithms require exponential time). In 1986, Goldwasser and Kilian [GK86] proposed a randomized algorithm based on elliptic curves running in expected polynomial time on almost all inputs ({\sl all} inputs under a widely believed hypothesis) that produces a certificate of primality (until then, all randomized algorithms produced certificates for compositeness only). A similar algorithm was developed by Atkin [Atk86]. Adleman and Huang [AH92] modified the Goldwasser-Kilian algorithm to obtain a randomized polynomial-time algorithm that always produces a certificate for primality. The ultimate goal of this line of research is, of course, to obtain an unconditional deterministic polynomial-time algorithm for primality testing. Despite the impressive progress made in primality testing so far, this goal has remained elusive. In this paper, we achieve this. We give a deterministic, $\tilde{O}((\log n)^{12})$ time algorithm for testing if a number is prime.
Heuristically, our algorithm does much better: under a widely believed conjecture on the density of Sophie Germain primes (primes $p$ such that $2p+1$ is also prime), the algorithm takes only $\tilde{O}((\log n)^{6})$ steps. The correctness proof of our algorithm requires only simple tools of algebra (except for appealing to a sieve theory result on the density of primes $p$ with $p-1$ having a large prime factor). In contrast, the correctness proofs of the deterministic algorithms of [APR83, GK86, Atk86] are much more complex. In section 2, we summarize the basic idea behind our algorithm. In section 3, we state some preliminary theorems and fix the notation used here. Thereafter, we state the algorithm in full detail and present the proof of correctness.

\section{Basic Idea and Approach}
Our test is based on the following identity for prime numbers. This same identity was the basis for a randomized polynomial-time algorithm in [AB99]:
\vskip .1cm
\noindent {\bf Identity} {\sl Suppose that $a$ is coprime to $p$. Then $p$ is prime if and only if}
$$(x-a)^p \equiv (x^p - a) \pmod{p}\eqno{(1)}$$
\noindent {\sl Proof}. For $0 < i < p$, the coefficient of $x^i$ in $((x-a)^p - (x^p - a))$ is $(-1)^i {p \choose i} a^{p-i}$. Now if $p$ is prime, ${p \choose i} \equiv 0 \pmod{p}$ and hence all the coefficients are zero.
\noindent If $p$ is composite: consider a prime $q$ that is a factor of $p$ and let $q^k \,\Vert\, p$. Then $q^k$ does not divide ${p \choose q}$ and is coprime to $a^{p-q}$, and hence the coefficient of $x^q$ is not zero $\pmod{p}$. Thus $((x-a)^p - (x^p - a))$ is not identically zero over $F_p$.

Thus, given a $p$ as input, one could pick a polynomial $P(x) = x - a$ and check whether the congruence (1) is satisfied or not. However, this takes time $\Omega(p)$ because we need to evaluate $p$ coefficients in the LHS in the worst case. Therefore, to make it feasible we will evaluate both sides of (1) modulo a polynomial of the form $x^r - 1$.
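To see identity (1) and its proof at work on concrete numbers, here is an added Python example; it is not part of the paper and not part of the Axiom package at the end of this file. It expands $(x-a)^p - (x^p - a)$ coefficient by coefficient with \verb|math.comb|, reduces each coefficient modulo $p$, and reports the indices $i$ whose coefficients survive: for a prime $p$ nothing survives, while for a composite $p$ with prime factor $q$ the coefficient of $x^q$ is among the survivors, exactly as the proof predicts. The function names and the sample values of $p$ and $a$ are the example's own.

```python
from math import comb, gcd


def surviving_coefficients(p, a):
    """Return {i: c} for every power x^i whose coefficient c in
    (x-a)^p - (x^p - a), reduced modulo p, is nonzero.

    (x-a)^p = sum_i C(p,i) * x^i * (-a)^(p-i); subtracting x^p - a removes
    the leading term and adds a to the constant term.  An empty result
    means congruence (1) holds for this pair (p, a).
    """
    if p < 2 or gcd(a, p) != 1:
        raise ValueError("need p >= 2 and a coprime to p")
    survivors = {}
    for i in range(p + 1):
        c = comb(p, i) * pow(-a, p - i)   # coefficient of x^i in (x-a)^p
        if i == p:
            c -= 1                        # subtract the x^p term
        if i == 0:
            c += a                        # subtract the constant term -a
        c %= p
        if c != 0:
            survivors[i] = c
    return survivors


def identity_holds(p, a):
    """True iff (x-a)^p == x^p - a (mod p), i.e. congruence (1) is satisfied."""
    return not surviving_coefficients(p, a)


def smallest_prime_factor(n):
    """Trial division; used only to point at the x^q the proof singles out."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d
        d += 1
    return n


if __name__ == "__main__":
    # Constructed sample inputs: two primes, then composites 9, 15 and 4.
    for p, a in [(7, 2), (2, 1), (9, 2), (15, 2), (4, 3)]:
        s = surviving_coefficients(p, a)
        q = smallest_prime_factor(p)
        print(f"p={p:2d} a={a}: identity holds={not s}; "
              f"nonzero coefficients at {sorted(s)}; x^{q} witness={q in s}")
```

The loop over all $p+1$ coefficients is exactly the $\Omega(p)$ cost the text complains about; the point of the next section is to avoid it by reducing modulo $x^r - 1$.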
One iteration of our algorithm will consist of evaluating whether the following holds:
$$(x - a)^p \equiv (x^p - a) \pmod{x^r - 1,\ p}\eqno{(2)}$$
\noindent From the identity it is immediate that all primes $p$ satisfy the above congruence for all values of $a$ and $r$; however some composites $p$ may also satisfy (2) for a few values of $(a,r)$. The above congruence takes $O(r^2 \log^3 p)$ time for verification (the LHS is evaluated by repeated squaring), or even better $O(r \log^2 p)$ if Fast Fourier Multiplication [Knu98] is used. Our algorithm first chooses a ``suitable'' $r$. (An $r$ is ``suitable'' for us if it is a prime $= O(\log^6 p)$ and $r-1$ contains a prime factor of size at least $r^{{1 \over 2} +\delta}$, for some constant $\delta > 0$. [Fou85, BH96] assures us that such a ``suitable'' $r$ exists.) Thereafter, the algorithm verifies the congruence (2) for a ``small'' ($O(\sqrt{r} \log p)$) number of $a$'s. We prove that this idea works: i.e., the algorithm correctly determines whether $p$ is prime or not.

\section{Notation and Preliminaries}
This section states some algebraic and number theoretic results which we will be using in the later proofs. In the rest of the paper $F_{p^d}$ denotes the finite field of order $p^d$, where $p$ is a prime. Recall that if $p$ is a prime and $h(x)$ is a polynomial of degree $d$ and irreducible in $F_p$, then $F_p[x]/(h(x))$ is a finite field of order $p^d$. In the rest of the paper $h(x)$ will be a factor of ${{x^r-1}\over{x-1}}$ unless stated otherwise. We will use $\tilde{O}(t(n))$ for $O(t(n)\,poly(\log t(n)))$, where $t(n)$ is some function of $n$. Unless stated otherwise, $\log$ will be to base 2 in this paper. We now collect some simple facts from algebra that can be found in any standard text, e.g. [LN86, Fra90]. We also prove some of these for the sake of completeness.
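The procedure sketched in section 2 (choose a suitable $r$, then check congruence (2) for a small range of $a$) is stated in full in section 4. The following added Python example, which is not from the paper and not from the Axiom package at the end of this file, implements that section 4 algorithm step by step: the perfect-power test, the {\bf while} loop with its $\gcd$ check and the condition $q \ge 4\sqrt{r}\log n$ together with $n^{(r-1)/q} \not\equiv 1 \pmod{r}$, and the {\bf for} loop evaluating $(x-a)^n$ modulo $(x^r - 1, n)$ by repeated squaring on coefficient lists. Trial division for the primality of $r$ and for the largest prime factor of $r-1$, rounding the loop limit $2\sqrt{r}\log n$ down to an integer, and all function names are the example's own choices (the paper does not specify these subroutines); the sample inputs are constructed.

```python
from math import gcd, log2, sqrt


def is_perfect_power(n):
    """Step 1: is n = a^b for some b > 1?  Binary search for the integer b-th root."""
    for b in range(2, n.bit_length() + 1):
        lo, hi = 1, 1 << (n.bit_length() // b + 1)
        while lo < hi:                     # smallest lo with lo**b >= n
            mid = (lo + hi) // 2
            if mid ** b < n:
                lo = mid + 1
            else:
                hi = mid
        if lo ** b == n:
            return True
    return False


def largest_prime_factor(m):
    """Largest prime factor of m (1 for m = 1) by trial division; adequate here
    because r stays polylogarithmic in n.  m is prime iff the result equals m."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return max(largest, m) if m > 1 else largest


def poly_mul_mod(f, g, r, n):
    """Multiply two polynomials (coefficient lists of length r) modulo (x^r - 1, n)."""
    h = [0] * r
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if fi and gj:
                k = i + j
                if k >= r:
                    k -= r                 # reduce with x^r == 1
                h[k] = (h[k] + fi * gj) % n
    return h


def poly_pow_mod(base, e, r, n):
    """base^e modulo (x^r - 1, n) by repeated squaring (the LHS of congruence (2))."""
    result = [0] * r
    result[0] = 1 % n
    while e:
        if e & 1:
            result = poly_mul_mod(result, base, r, n)
        base = poly_mul_mod(base, base, r, n)
        e >>= 1
    return result


def congruence_holds(n, a, r):
    """Does (x - a)^n == x^n - a hold modulo (x^r - 1, n)?  This is congruence (2)."""
    lhs = [0] * r
    lhs[0] = (-a) % n
    lhs[1] = (lhs[1] + 1) % n
    lhs = poly_pow_mod(lhs, n, r, n)
    rhs = [0] * r
    rhs[n % r] = 1 % n                     # x^n reduced by x^r == 1
    rhs[0] = (rhs[0] - a) % n
    return lhs == rhs


def find_r(n):
    """Steps 2-10: the while loop.  Returns the chosen r, or None when a
    gcd check has already proved n composite."""
    r = 2
    while r < n:
        if gcd(n, r) != 1:
            return None
        if largest_prime_factor(r) == r:   # r is prime
            q = largest_prime_factor(r - 1)
            if q >= 4 * sqrt(r) * log2(n) and pow(n, (r - 1) // q, r) != 1:
                break
        r += 1
    return r


def aks(n):
    """The algorithm of section 4, returning 'PRIME' or 'COMPOSITE'."""
    if n < 2:
        raise ValueError("input must be an integer n > 1")
    if is_perfect_power(n):
        return "COMPOSITE"
    r = find_r(n)
    if r is None:
        return "COMPOSITE"
    for a in range(1, int(2 * sqrt(r) * log2(n)) + 1):   # a = 1 .. 2*sqrt(r)*log n
        if not congruence_holds(n, a, r):
            return "COMPOSITE"
    return "PRIME"


if __name__ == "__main__":
    for n in [2, 3, 31, 37, 4, 9, 15, 561]:     # constructed sample inputs
        print(n, aks(n))
```

For inputs small enough to run by hand, $4\sqrt{r}\log n$ exceeds every prime factor of $r-1$ for all $r < n$, so the {\bf while} loop runs until $r = n$: composites are caught by the $\gcd$ check and only primes reach the polynomial congruences, which is consistent with Lemma 4.3. The coefficient-list multiplication is the $O(r^2 \log^3 p)$ method mentioned in section 2 rather than FFT multiplication, so the example is meant to exhibit the algorithm, not its asymptotic running time.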
\noindent {\bf Lemma 3.1} {\sl Let $p$ and $r$ be prime numbers, $p \ne r$.}
\vskip .1cm
\begin{enumerate}
\item {\sl The multiplicative group of any field $F_{p^t}$ for $t > 0$, denoted by $F_{p^t}^*$, is cyclic.}
\item {\sl Let $f(x)$ be a polynomial with integral coefficients. Then $$f(x)^p \equiv f(x^p) \pmod{p}$$}
\item {\sl Let $h(x)$ be any factor of $x^r - 1$. Let $m \equiv m_r \pmod{r}$. Then $$x^m \equiv x^{m_r} \pmod{h(x)}$$}
\item {\sl Let $o_r(p)$ be the order of $p$ modulo $r$. Then in $F_p$, ${{x^r - 1}\over{x-1}}$ factorises into irreducible polynomials each of degree $o_r(p)$.}
\end{enumerate}
\vskip .2cm
\noindent {\sl Proof}
\begin{enumerate}
\item See, e.g., [LN86].
\item Let $f(x) = a_0+a_1x+\ldots+a_dx^d$. The coefficient of $x^i$ in $f(x)^p$ is $$\sum_{{i_0+\ldots+i_d=p} \atop {i_1+2i_2+\ldots+di_d=i}} a_0^{i_0} \cdots a_d^{i_d} {{p!}\over{i_0! \cdots i_d!}}$$ Note that this sum is divisible by $p$ unless one of the $i_j$'s is $p$. In the latter case $i=pj$ and the coefficient of $x^i$ is $a_j^p \equiv a_j \pmod{p}$. This gives us the required congruence.
\item Let $m=kr+m_r$. Now
\vskip .1cm
\begin{tabular}{llllll}
\ \ \ \ \ \ \ \ & & $x^r$ & $\equiv$ & $1$ & $\pmod{x^r - 1}$\\
\ \ \ \ \ \ \ \ &$\Rightarrow$ & $x^{kr}$ & $\equiv$ & $1$ & $\pmod{x^r - 1}$\\
\ \ \ \ \ \ \ \ &$\Rightarrow$ & $x^{kr+m_r}$ & $\equiv$ & $x^{m_r}$ & $\pmod{x^r - 1}$\\
\ \ \ \ \ \ \ \ &$\Rightarrow$ & $x^m$ & $\equiv$ & $x^{m_r}$ & $\pmod{h(x)}$
\end{tabular}
\item Let $d = o_r(p)$ and $Q_r(x) = {{x^r-1}\over{x-1}}$. Suppose that $Q_r(x)$ has an irreducible factor $h(x)$ in $F_p$ of degree $k$. Now $F_p[x]/(h(x))$ forms a field of size $p^k$ and the multiplicative subgroup of $F_p[x]/(h(x))$ is cyclic with a generator, say $g(x)$.
Also, in this Galois field, by fact (2) above, we have
\vskip .1cm
\begin{tabular}{llllll}
\ \ \ \ \ \ \ \ & & $g(x)^p$ & $\equiv$ & $g(x^p)$\\
\ \ \ \ \ \ \ \ &$\Rightarrow$ & $g(x)^{p^d}$ & $\equiv$ & $g(x^{p^d})$\\
\ \ \ \ \ \ \ \ &$\Rightarrow$ & $g(x)^{p^d}$ & $\equiv$ & $g(x)$ [by fact (3) above]\\
\ \ \ \ \ \ \ \ &$\Rightarrow$ & $g(x)^{{p^d}-1}$ & $\equiv$ & $1$
\end{tabular}
\vskip .1cm
Since $(p^k - 1)$ is the order of $g(x)$, we get $(p^k - 1) \mid (p^d - 1)$, which implies that $k \mid d$. We also have that $h(x) \mid (x^r - 1)$ in $F_p$ and therefore in the field $F_p[x]/(h(x))$ we have $$x^r \equiv 1$$ Thus the order of $x$ in this field must be $r$ (since $r$ is prime and $x \not\equiv 1$). Therefore $r \mid (p^k - 1)$, i.e. $p^k \equiv 1 \pmod{r}$. Hence, $d \mid k$. Therefore, $k = d$, and the lemma follows.
\end{enumerate}

In addition to the above algebraic facts, we will need the following two number theoretic facts.

\noindent {\bf Lemma 3.2} {\sl [Fou85, BH96] Let $P(n)$ denote the greatest prime divisor of $n$. There exist constants $c > 0$ and $n_0$ such that, for all $x \ge n_0$}
$$\left\vert \left\{ p \;\vert\; p \mbox{ is prime},\ p \le x \mbox{ and } P(p-1) > x^{{2}\over{3}} \right\} \right\vert \ \ge\ c{{x}\over{\log x}}$$
The above lemma is, in fact, known to hold for exponents up to $0.6683$ (see [BH96] for a summary of results of this kind).

\noindent {\bf Lemma 3.3} {\sl [Apo97] Let $\pi(n)$ be the number of primes $\le n$.
Then for $n \ge 1$:}
$${{n}\over{6 \log n}} \le \pi(n) \le {{8n}\over{\log n}}$$
\eject
\section{The Algorithm}
\hrule
\vskip .1cm
Input: integer $n > 1$
\begin{enumerate}
\item if ($n$ is of the form $a^b$, $b>1$) output COMPOSITE;
\item $r = 2$;
\item while $(r < n)$ \{
\item \ \ \ \ if ($\gcd(n,r) \ne 1$) output COMPOSITE;
\item \ \ \ \ if ($r$ is prime)
\item \ \ \ \ \ \ \ \ let $q$ be the largest prime factor of $r - 1$;
\item \ \ \ \ \ \ \ \ if ($q \ge 4\sqrt{r} \log n$) and ($n^{{r-1}\over{q}} \not\equiv 1 \pmod{r}$)
\item \ \ \ \ \ \ \ \ \ \ \ \ break;
\item \ \ \ \ $r \leftarrow r + 1$;
\item \}
\item for $a = 1$ to $2\sqrt{r} \log n$
\item \ \ \ \ if ($(x-a)^n \not\equiv (x^n - a) \pmod{x^r-1,\ n}$) output COMPOSITE;
\item output PRIME;
\end{enumerate}
\hrule
\vskip .3cm
\noindent {\bf Theorem 4.1} {\sl The algorithm above returns PRIME if and only if $n$ is prime.}

In the remainder of the section, we establish this theorem through a sequence of lemmas. First note that the algorithm has two loops. The first loop tries to find a prime $r$ such that $r-1$ has a large prime factor $q \ge 4\sqrt{r} \log n$, and such that $q \mid o_r(n)$, where $o_r(n)$ is the order of $n$ modulo $r$. Let us first bound the number of iterations of the {\bf while} loop after which such an $r$ is found.
\vskip .2cm
\noindent {\bf Lemma 4.2} {\sl There exist positive constants $c_1$ and $c_2$ for which there is a prime $r$ in the interval $[c_1 (\log n)^6, c_2 (\log n)^6]$ such that $r - 1$ has a prime factor $q \ge 4 \sqrt{r} \log n$ and $q \mid o_r(n)$.}
\vskip .2cm
\noindent {\sl Proof} Let $c$ and $P(n)$ be as given in Lemma 3.2.
Thus, the number of prime $r$'s (let us call them {\sl special} primes) between $c_1(\log n)^6$ and $c_2(\log n)^6$ such that $P(r-1) > (c_2(\log n)^6)^{{2}\over{3}} > r^{{2}\over{3}}$ is (for large enough $n$)
\vskip .1cm
\begin{tabular}{lll}
\ \ \ \ \ \ \ \ & $\ge$ & No. of special primes in $[1\dots c_2(\log n)^6]$ $-$\\
& & No. of primes in $[1\dots c_1(\log n)^6]$\\
\ \ \ \ \ \ \ \ & $\ge$ & ${{cc_2(\log n)^6}\over{7 \log \log n}} - {{8c_1(\log n)^6}\over{6 \log \log n}}$ (using Lemma 3.3)\\
\ \ \ \ \ \ \ \ & $=$ & ${{(\log n)^6}\over{\log \log n}} \left({{cc_2}\over{7}} - {{8c_1}\over{6}}\right)$
\end{tabular}
\vskip .3cm
\noindent Choose constants $c_1 \ge 4^6$ and $c_2$ so that the quantity in parentheses is a positive constant, say $c_3$. Let $x=c_2(\log n)^6$. Consider the product $$\Pi = (n-1)(n^2-1)\cdots(n^{x^{{1}\over{3}}} - 1)$$ \noindent This product has at most $x^{{2}\over{3}} \log n$ prime factors. Note that: $$x^{{2}\over{3}} \log n < {{c_3(\log n)^6}\over{\log \log n}}$$ \noindent Therefore, there is at least one special prime, say $r$, that does not divide the product $\Pi$. This is the required prime: $r-1$ has a large prime factor $q \ge r^{{2}\over{3}} \ge 4\sqrt{r} \log n$ (since $c_1 \ge 4^6$), and $q \mid o_r(n)$.

Once we know that the {\bf while} loop halts, we are ready to show:
\vskip .3cm
\noindent {\bf Lemma 4.3} {\sl If $n$ is prime, the algorithm returns PRIME.}
\vskip .3cm
\noindent {\sl Proof}. The {\bf while} loop cannot return COMPOSITE since $\gcd(n,r) = 1$ for all $r \le c_2(\log n)^6$, where $c_2$ is as in Lemma 4.2. By Lemma 3.1 (fact 2), the {\bf for} loop also cannot return COMPOSITE. Thus, the algorithm will identify $n$ as PRIME.

Now let us turn our attention to the case where a composite $n$ is input to our algorithm. The significance of the $r$ found by the {\bf while} loop arises when $n$ is composite with, say, $p_i$, $1 \le i \le k$, as its prime factors.
In this case, $o_r(n) \mid \mathrm{lcm}_i\{o_r(p_i)\}$ and hence there exists a prime factor $p$ of $n$ such that $q \mid o_r(p)$, where $q$ is the largest prime factor of $r-1$. For the remainder of the argument, let $p$ be such a prime factor of $n$. The second loop of the algorithm uses the value of $r$ obtained to do polynomial computations on $l = 2\sqrt{r} \log n$ binomials: $(x-a)$ for $1 \le a \le l$. By Lemma 3.1 (fact 4), we have a polynomial $h(x)$ (a factor of $x^r - 1$) of degree $d = o_r(p)$ irreducible in $F_p$. Note that $$(x-a)^n \equiv (x^n - a) \pmod{x^r - 1,\ n}$$ implies that $$(x-a)^n \equiv (x^n - a) \pmod{h(x),\ p}$$
\vskip .2cm
\noindent So the identities on each binomial hold in the field $F_p[x]/(h(x))$. The set of $l$ binomials forms a large cyclic group in this field:

\noindent {\bf Lemma 4.4} {\sl In the field $F_p[x]/(h(x))$, the group generated by the $l$ binomials $(x-a)$, $1 \le a \le l$, i.e., $$G = \left\{\prod_{1 \le a \le l} (x-a)^{\alpha_a} \;\Big\vert\; \alpha_a \ge 0,\ \forall\, 1 \le a \le l\right\}$$ is cyclic and of size $> \left({d \over l}\right)^l$.}

\noindent {\sl Proof} It is clear that $G$ is a group and since it is a subgroup of the cyclic group $(F_p[x]/(h(x)))^*$, it is also cyclic. Now consider the set $$S=\left\{\prod_{1 \le a \le l} (x-a)^{\alpha_a} \;\Big\vert\; \sum_{1 \le a \le l} \alpha_a \le d - 1,\ \alpha_a \ge 0,\ \forall\, 1 \le a \le l\right\}$$ \noindent The following argument shows that all the elements of $S$ are distinct in $F_p[x]/(h(x))$. The {\tt while} loop ensures that once it halts the final $r$ is such that $r > q > 4\sqrt{r} \log n > l$. Also step 4 of the algorithm checks the {\tt gcd} of $r$ and $n$. If any two of the $a$'s are congruent modulo $p$, then $p < l < r$ and thus step 4 of the algorithm identifies $n$ as composite. Thus, none of the $a$'s are congruent modulo $p$. So any two elements of $S$ are distinct modulo $p$.
This implies that all of the elements of $S$ are distinct in the field $F_p[x]/(h(x))$, since the degree of any element of $S$ is less than $d$, the degree of $h(x)$. The cardinality of the set $S$ is:
$${l + d - 1 \choose l}\ =\ {{(l + d - 1)(l + d - 2)\cdots(d)}\over{l!}}\ >\ \left({d \over l}\right)^l$$
\noindent Since $S$ is just a subset of $G$ we get the result.

Since $d \ge 2l$, the size of $G$ is $> 2^l = n^{2\sqrt{r}}$. Let $g(x)$ be a generator of $G$. Clearly, the order of $g(x)$ in $F_p[x]/(h(x))$ is $> n^{2\sqrt{r}}$. We now define a set related to $g(x)$ which will play an important role in the remaining arguments. Let $$I_{g(x)} = \{m \;\vert\; g(x)^m \equiv g(x^m) \pmod{x^r - 1,\ p}\}$$ Here is a nice property of $I_{g(x)}$:

\section{package PRIMESP PrimesIsInP}
<<package PRIMESP PrimesIsInP>>=
)abbrev package PRIMESP PrimesIsInP
++ Author: Tim Daly
++ Date Created: Nov 29, 2003
++ Date Last Updated:
++ Basic Functions:
++ Related Constructors:
++ Also See:
++ AMS Classifications:
++ Keywords:
++ References:
++ Description:
++ A deterministic polynomial-time algorithm that determines whether an
++ input number is prime or composite
++
AbelianGroup(): Category == CancellationAbelianMonoid with
    --operations
      "-": % -> %
        ++ -x is the additive inverse of x.
      "-": (%,%) -> %
        ++ x-y is the difference of x and y
        ++ i.e. \spad{x + (-y)}.
        -- subsumes the partial subtraction from previous
      "*": (Integer,%) -> %
        ++ n*x is the product of x by the integer n.
  add
    (x:% - y:%):% == x+(-y)
    subtractIfCan(x:%, y:%):Union(%, "failed") == (x-y) :: Union(%,"failed")
    n:NonNegativeInteger * x:% == (n::Integer) * x
    import RepeatedDoubling(%)
    if not (% has Ring) then
      n:Integer * x:% ==
        zero? n => 0
        n>0 => double(n pretend PositiveInteger,x)
        double((-n) pretend PositiveInteger,-x)
@
\eject
\begin{thebibliography}{99}
\bibitem{1} nothing
\end{thebibliography}
\end{document}