The Proof (continued)

Gauss’s Lemma

Lemma 63 (Gauss) Let p and q be two distinct odd primes. Then (q|p) = (−1)^m, where m is the number of residues in R = { iq mod p : 1 ≤ i ≤ (p − 1)/2 } that are greater than (p − 1)/2.

• All residues in R are distinct.

– If iq = jq mod p, then p| (j − i) or p|q.

– But neither is possible.

• No two elements of R add up to p.

– If iq + jq = 0 mod p, then p|(i + j) or p|q.

– But neither is possible.

The Proof (continued)

• Replace each of the m elements a ∈ R such that a > (p − 1)/2 by p − a.

– This is equivalent to performing −a mod p.

• Call the resulting set of residues R^′.

• All numbers in R^′ are at most (p − 1)/2.

• In fact, R^′ = {1, 2, . . . , (p − 1)/2} (see illustration next page).

– Otherwise, two elements of R would add up to p, which has been shown to be impossible.

5 1 2 3 4

6 5

1 2 3 4

6

p = 7 and q = 5.

The Proof (concluded)

• Alternatively, R^′ = {±iq mod p : 1 ≤ i ≤ (p − 1)/2}, where exactly m of the elements have the minus sign.

• Take the product of all elements in the two representations of R^′.

• So

[(p − 1)/2]! = (−1)^mq^(p−1)/2[(p − 1)/2]! mod p.

• Because gcd([(p − 1)/2]!, p) = 1, the above implies 1 = (−1)^mq^(p−1)/2 mod p.

Legendre’s Law of Quadratic Reciprocity

• Let p and q be two distinct odd primes.

• The next result says their Legendre symbols are distinct if and only if both numbers are 3 mod 4.

Lemma 64 (Legendre (1785), Gauss)

(p|q)(q|p) = (−1)^{p−12 q−12} .

aFirst stated by Euler in 1751. Legendre (1785) did not give a correct proof. Gauss proved the theorem when he was 19. He gave at least 8 different proofs during his life. The 152nd proof appeared in 1963.

A computer-generated formal proof was given in Russinoff (1990). As of 2008, there have been 4 such proofs. According to Wiedijk (2008),

“the Law of Quadratic Reciprocity is the first nontrivial theorem that a student encounters in the mathematics curriculum.”

The Proof (continued)

• Sum the elements of R^′ in the previous proof in mod2.

• On one hand, this is just ∑(p−1)/2

i=1 i mod 2.

• On the other hand, the sum equals

mp +

(p∑−1)/2 i=1

(

iq − p

⌊iq p

⌋)

mod 2

= mp +



q

(p−1)/2∑

i=1

i − p

(p−1)/2∑

i=1

⌊iq p

⌋ mod 2.

– m of the iq mod p are replaced by p − iq mod p.

– But signs are irrelevant under mod2.

The Proof (continued)

• Ignore odd multipliers to make the sum equal

m +





(p∑−1)/2 i=1

i −

(p−1)/2∑

i=1

⌊iq p

⌋ mod 2.

• Equate the above with ∑(p−1)/2

i=1 i mod 2 to obtain m =

(p∑−1)/2 i=1

⌊iq p

⌋

mod 2.

The Proof (concluded)

• ∑(p−1)/2

i=1 ⌊^iq_p ⌋ is the number of integral points below the line

y = (q/p) x for 1 ≤ x ≤ (p − 1)/2.

• Gauss’s lemma (p. 531) says (q|p) = (−1)^m.

• Repeat the proof with p and q reversed.

• Then (p|q) = (−1)^m′, where m^′ is the number of integral points above the line y = (q/p) x for 1 ≤ y ≤ (q − 1)/2.

• As a result, (p|q)(q|p) = (−1)^m+m′.

• But m + m^′ is the total number of integral points in the

Eisenstein’s Rectangle

(p,q)

(p - 1)/2 (q - 1)/2

Above, p = 11 and q = 7.

The Jacobi Symbol

• The Legendre symbol only works for odd prime moduli.

• The Jacobi symbol (a | m) extends it to cases where m is not prime.

• Let m = p¹p₂ · · · p^k be the prime factorization of m.

• When m > 1 is odd and gcd(a, m) = 1, then (a| m) =

∏k i=1

(a | pⁱ).

– Note that the Jacobi symbol equals ±1.

– It reduces to the Legendre symbol when m is a prime.

• Define (a | 1) = 1.

Properties of the Jacobi Symbol

The Jacobi symbol has the following properties, for arguments for which it is defined.

1. (ab | m) = (a | m)(b | m).

2. (a| m¹m₂) = (a| m¹)(a | m²).

3. If a = b mod m, then (a | m) = (b | m).

4. (−1 | m) = (−1)^(m−1)/2 (by Lemma 63 on p. 531).

5. (2| m) = (−1)^(m2−1)/8.^a

6. If a and m are both odd, then (a| m)(m | a) = (−1)^{(a−1)(m−1)/4}.

aBy Lemma 63 (p. 531) and some parity arguments.

Properties of the Jacobi Symbol (concluded)

• These properties allow us to calculate the Jacobi symbol without factorization.

• This situation is similar to the Euclidean algorithm.

• Note also that (a | m) = 1/(a | m) because (a | m) = ±1.^a

aContributed by Mr. Huang, Kuan-Lin (B96902079, R00922018) on December 6, 2011.

Calculation of (2200 |999)

(202|999) = (2|999)(101|999)

= (−1)^(9992−1)/8(101|999)

= (−1)¹²⁴⁷⁵⁰(101|999) = (101|999)

= (−1)(100)(998)/4

(999|101) = (−1)²⁴⁹⁵⁰(999|101)

= (999|101) = (90|101) = (−1)^(1012−1)/8(45|101)

= (−1)¹²⁷⁵(45|101) = −(45|101)

= −(−1)(44)(100)/4

(101|45) = −(101|45) = −(11|45)

= −(−1)^(10)(44)/4(45|11) = −(45|11)

= −(1|11) = −1.

A Result Generalizing Proposition 10.3 in the Textbook

Theorem 65 The group of set Φ(n) under multiplication mod n has a primitive root if and only if n is either 1, 2, 4, p^k, or 2p^k for some nonnegative integer k and and odd

prime p.

This result is essential in the proof of the next lemma.

The Jacobi Symbol and Primality Test

Lemma 66 If (M|N) = M^(N−1)/2 mod N for all M ∈ Φ(N), then N is a prime. (Assume N is odd.)

• Assume N = mp, where p is an odd prime, gcd(m, p) = 1, and m > 1 (not necessarily prime).

• Let r ∈ Φ(p) such that (r | p) = −1.

• The Chinese remainder theorem says that there is an M ∈ Φ(N) such that

M = r mod p, M = 1 mod m.

aMr. Clement Hsiao (B4506061, R88526067) pointed out that the text- book’s proof for Lemma 11.8 is incorrect in January 1999 while he was a senior.

The Proof (continued)

• By the hypothesis,

M^(N−1)/2 = (M | N) = (M | p)(M | m) = −1 mod N.

• Hence

M^(N−1)/2 = −1 mod m.

• But because M = 1 mod m,

M^(N−1)/2 = 1 mod m, a contradiction.

The Proof (continued)

• Second, assume that N = p^a, where p is an odd prime and a ≥ 2.

• By Theorem 65 (p. 544), there exists a primitive root r modulo p^a.

• From the assumption, M^N−1 =

[

M^(N−1)/2 ]2

= (M|N)² = 1 mod N for all M ∈ Φ(N).

The Proof (continued)

• As r ∈ Φ(N) (prove it), we have

r^N−1 = 1 mod N.

• As r’s exponent modulo N = p^a is ϕ(N ) = p^a−1(p − 1), p^a−1(p − 1) | (N − 1),

which implies that p| (N − 1).

• But this is impossible given that p | N.

The Proof (continued)

• Third, assume that N = mp^a, where p is an odd prime, gcd(m, p) = 1, m > 1 (not necessarily prime), and a is even.

• The proof mimics that of the second case.

• By Theorem 65 (p. 544), there exists a primitive root r modulo p^a.

• From the assumption, M^N−1 =

[

M^(N−1)/2 ]2

= (M|N)² = 1 mod N for all M ∈ Φ(N).

The Proof (continued)

• In particular,

M^N−1 = 1 mod p^a (13)

for all M ∈ Φ(N).

• The Chinese remainder theorem says that there is an M ∈ Φ(N) such that

M = r mod p^a, M = 1 mod m.

• Because M = r mod p^a and Eq. (13),

N−1 a

The Proof (concluded)

• As r’s exponent modulo N = p^a is ϕ(N ) = p^a−1(p − 1), p^a−1(p − 1) | (N − 1),

which implies that p| (N − 1).

• But this is impossible given that p | N.

The Number of Witnesses to Compositeness

Theorem 67 (Solovay and Strassen (1977)) If N is an odd composite, then (M|N) = M^(N−1)/2 mod N for at most half of M ∈ Φ(N).

• By Lemma 66 (p. 545) there is at least one a ∈ Φ(N) such that (a|N) ̸= a^(N−1)/2 mod N .

• Let B = {b1, b₂, . . . , b_k} ⊆ Φ(N) be the set of all distinct residues such that (b_i|N) = b^(N_i ^−1)/2 mod N .

• Let aB = {abⁱ mod N : i = 1, 2, . . . , k}.

• Clearly, aB ⊆ Φ(N), too.

The Proof (concluded)

• |aB| = k.

– ab_i = ab_j mod N implies N | a(bⁱ − b^j), which is

impossible because gcd(a, N ) = 1 and N > |bⁱ − b^j|.

• aB ∩ B = ∅ because

(abi)^(N−1)/2 = a^(N−1)/2b^(N_i ^−1)/2 ̸= (a|N)(bⁱ|N) = (abⁱ|N).

• Combining the above two results, we know

| B |

ϕ(N ) ≤ | B |

| B ∪ aB | = 0.5.

1: if N is even but N ̸= 2 then

2: return “N is composite”;

3: else if N = 2 then

4: return “N is a prime”;

5: end if

6: Pick M ∈ {2, 3, . . . , N − 1} randomly;

7: if gcd(M, N ) > 1 then

8: return “N is composite”;

9: else

10: if (M|N) = M^(N−1)/2 mod N then

11: return “N is (probably) a prime”;

12: else

13: return “N is composite”;

14: end if

Analysis

• The algorithm certainly runs in polynomial time.

• There are no false positives (for compositeness).

– When the algorithm says the number is composite, it is always correct.

• The probability of a false negative is at most one half.

– Suppose the input is composite.

– The probability that the algorithm says the number is a prime is ≤ 0.5 by Theorem 67 (p. 552).

• So it is a Monte Carlo algorithm for compositeness.

The Improved Density Attack for compositeness

All numbers < N

Witnesses to compositeness of

N via Jacobi Witnesses to

compositeness of N via common

factor

Randomized Complexity Classes; RP

• Let N be a polynomial-time precise NTM that runs in time p(n) and has 2 nondeterministic choices at each step.

• N is a polynomial Monte Carlo Turing machine for a language L if the following conditions hold:

– If x ∈ L, then at least half of the 2^p(n) computation paths of N on x halt with “yes” where n = | x |.

– If x ̸∈ L, then all computation paths halt with “no.”

• The class of all languages with polynomial Monte Carlo TMs is denoted RP (randomized polynomial time).^a

aAdleman and Manders (1977).

Comments on RP

• In analogy to Proposition 35 (p. 306), a “yes” instance of an RP problem has many certificates (witnesses).

• There are no false positives.

• If we associate nondeterministic steps with flipping fair coins, then we can cast RP in the language of

probability.

– If x ∈ L, then N(x) halts with “yes” with probability at least 0.5 .

– If x ̸∈ L, then N(x) halts with “no.”

Comments on RP (concluded)

• The probability of false negatives is ϵ ≤ 0.5.

• But any constant between 0 and 1 can replace 0.5.

– Repeat the algorithm k = ⌈−_log¹

2ϵ⌉ times and answer

“yes” only if all runs answer “yes.”

– The probability of false negatives becomes ϵ^k ≤ 0.5.

• In fact, ϵ can be arbitrarily close to 1 as long as it is at most 1 − 1/q(n) for some polynomial q(n).

– −_log¹

2ϵ = O(_1−ϵ¹ ) = O(q(n)).

Where RP Fits

• P ⊆ RP ⊆ NP.

– A deterministic TM is like a Monte Carlo TM except that all the coin flips are ignored.

– A Monte Carlo TM is an NTM with extra demands on the number of accepting paths.

• compositeness ∈ RP;^a primes ∈ coRP;

primes ∈ RP.^b

– In fact, primes ∈ P.^c

• RP ∪ coRP is an alternative “plausible” notion of efficient computation.

aRabin (1976) and Solovay and Strassen (1977).

ZPP

(Zero Probabilistic Polynomial)

• The class ZPP is defined as RP ∩ coRP.

• A language in ZPP has two Monte Carlo algorithms, one with no false positives and the other with no false

negatives.

• If we repeatedly run both Monte Carlo algorithms, eventually one definite answer will come (unlike RP).

– A positive answer from the one without false positives.

– A negative answer from the one without false negatives.

aGill (1977).

The ZPP Algorithm (Las Vegas)

1: {Suppose L ∈ ZPP.}

2: {N¹ has no false positives, and N₂ has no false negatives.}

3: while true do

4: if N₁(x) = “yes” then

5: return “yes”;

6: end if

7: if N₂(x) = “no” then

8: return “no”;

9: end if

10: end while

ZPP (concluded)

• The expected running time for the correct answer to emerge is polynomial.

– The probability that a run of the 2 algorithms does not generate a definite answer is 0.5 (why?).

– Let p(n) be the running time of each run of the while-loop.

– The expected running time for a definite answer is

∑∞ i=1

0.5ⁱip(n) = 2p(n).

• Essentially, ZPP is the class of problems that can be solved, without errors, in expected polynomial time.

Large Deviations

• Suppose you have a biased coin.

• One side has probability 0.5 + ϵ to appear and the other 0.5 − ϵ, for some 0 < ϵ < 0.5.

• But you do not know which is which.

• How to decide which side is the more likely side—with high confidence?

• Answer: Flip the coin many times and pick the side that appeared the most times.

• Question: Can you quantify the confidence?

The Chernoff Bound

Theorem 68 (Chernoff (1952)) Suppose x₁, x₂, . . . , x_n are independent random variables taking the values 1 and 0 with probabilities p and 1 − p, respectively. Let X = ∑n

i=1 x_i. Then for all 0 ≤ θ ≤ 1,

prob[ X ≥ (1 + θ) pn ] ≤ e^−θ2pn/3.

• The probability that the deviate of a binomial random variable from its expected value

E[ X ] = E

[ _n

∑

i=1

x_i ]

= pn decreases exponentially with the deviation.

aHerman Chernoff (1923–). The bound is asymptotically optimal.

The Proof

• Let t be any positive real number.

• Then

prob[ X ≥ (1 + θ) pn ] = prob[ e^tX ≥ e^{t(1+θ) pn} ].

• Markov’s inequality (p. 503) generalized to real-valued random variables says that

prob [

e^tX ≥ kE[ e^tX ]]

≤ 1/k.

• With k = e^{t(1+θ) pn}/E[ e^tX ], we have

prob[ X ≥ (1 + θ) pn ] ≤ e^{−t(1+θ) pn}E[ e^tX ].

The Proof (continued)

• Because X = ∑n

i=1 x_i and x_i’s are independent, E[ e^tX ] = (E[ e^tx1 ])ⁿ = [ 1 + p(e^t − 1) ]ⁿ.

• Substituting, we obtain

prob[ X ≥ (1 + θ) pn ] ≤ e^{−t(1+θ) pn}[ 1 + p(e^t − 1) ]ⁿ

≤ e^{−t(1+θ) pn}e^pn(et−1) as (1 + a)ⁿ ≤ e^an for all a > 0.

The Proof (concluded)

• With the choice of t = ln(1 + θ), the above becomes prob[ X ≥ (1 + θ) pn ] ≤ e^{pn[ θ}−(1+θ) ln(1+θ) ].

• The exponent expands to

−θ²

2 + θ³

6 − θ⁴

12 + · · · for 0 ≤ θ ≤ 1.

• But it is less than

−θ²

2 + θ³

6 ≤ θ² (

−1

2 + θ 6

)

≤ θ² (

−1

2 + 1 6

)

= −θ² 3 .

Power of the Majority Rule

From prob[ X ≤ (1 − θ) pn ] ≤ e^−θ2pn/2 (prove it):

Corollary 69 If p = (1/2) + ϵ for some 0 ≤ ϵ ≤ 1/2, then prob

[ _n

∑

i=1

x_i ≤ n/2 ]

≤ e^−ϵ2n/2.

• The textbook’s corollary to Lemma 11.9 seems incorrect.^a

• Our original problem (p. 564) hence demands, e.g.,

n ≈ 1.4k/ϵ² independent coin flips to guarantee making an error with probability ≤ 2^−k with the majority rule.

aSee Dubhashi and Panconesi (2012) for many Chernoff-type bounds.

BPP

(Bounded Probabilistic Polynomial)

• The class BPP contains all languages L for which there is a precise polynomial-time NTM N such that:

– If x ∈ L, then at least 3/4 of the computation paths of N on x lead to “yes.”

– If x ̸∈ L, then at least 3/4 of the computation paths of N on x lead to “no.”

• So N accepts or rejects by a clear majority.

aGill (1977).

Magic 3/4?

• The number 3/4 bounds the probability (ratio) of a right answer away from 1/2.

• Any constant strictly between 1/2 and 1 can be used without affecting the class BPP.

• In fact, as with RP,

1

2 + 1 q(n)

for any polynomial q(n) can replace 3/4 (p. 559).

• The next algorithm shows why.

The Majority Vote Algorithm

Suppose L is decided by N by majority (1/2) + ϵ.

1: for i = 1, 2, . . . , 2k + 1 do

2: Run N on input x;

3: end for

4: if “yes” is the majority answer then

5: “yes”;

6: else

7: “no”;

8: end if

Analysis

• The running time remains polynomial: 2k + 1 times N’s running time.

• By Corollary 69 (p. 569), the probability of a false answer is at most e^−ϵ2k.

• By taking k = ⌈ 2/ϵ² ⌉, the error probability is at most 1/4.

• Recall that ϵ can be any inverse polynomial.

• So k remains a polynomial in n.

Aspects of BPP

• BPP is the most comprehensive yet plausible notion of efficient computation.

– If a problem is in BPP, we take it to mean that the problem can be solved efficiently.

– In this aspect, BPP has effectively replaced P.

• (RP ∪ coRP) ⊆ (NP ∪ coNP).

• (RP ∪ coRP) ⊆ BPP.

• Whether BPP ⊆ (NP ∪ coNP) is unknown.

• But it is unlikely that NP ⊆ BPP (see p. 591 and

coBPP

• The definition of BPP is symmetric: acceptance by clear majority and rejection by clear majority.

• An algorithm for L ∈ BPP becomes one for ¯L by reversing the answer.

• So ¯L ∈ BPP and BPP ⊆ coBPP.

• Similarly coBPP ⊆ BPP.

• Hence BPP = coBPP.

• This approach does not work for RP.^a

aIt did not work for NP either.

BPP and coBPP

Ø\HVÙ ØQRÙ ØQRÙ Ø\HVÙ

BPP and P

Theorem 70 (Nisan and Wigderson (1994)) If every language in BPP only needs a pseudorandom generator which stretches a random seed of logarithmic length, then BPP = P.

• We only need to show BPP ⊆ P.

• Run the BPP algorithm for each of the seeds.

– There are only 2^{O(log n)} = O(n^c) seeds, a polynomial

• Accept if and only if at least 3/4 of the outcomes is a

“yes.”

• The running time is clearly deterministically polynomial.

“The Good, the Bad, and the Ugly”

P BPP ZPP

RP coRP

NP coNP