Determining Primes: From NP to P

Determining Primes: From NP to P

Jing Yu

National Tsing Hua University, and National Center for Theoretical Sciences

March 30, 2009

Gauss

Problem fromC. F. Gauss, Disquisitiones Arithmeticae, article 329.

Determine whether a given integer n is prime?

Is it easy? Your answer?

Want good method for “Primality Testing”.

Naive Sieve method. Dividing by numbers ≤√ n.

What do we mean by “good”method? What Gauss want?

Origin of Algebra and Algorithms.

In 9-th century, Al-Khwarizmi wrote book called Algebra.

The word Algorithm is from this author’s name: Al-Khwarizmi.

Algorithms

What are the algorithms you know? Which are good?

Algorithms in school arithmetic, in high school mathematics.

Complexityof algorithms.

Input data: bits, i.e. number of digits, log n.

Running time measured in bit operations, f (log n).

How large f (log n) could be as log n increases substantially?

Determine whether an integer with 200 digits is a prime.

The growth of such a function f is a problem in mathematics.

Complexity theory in Theoretical Computer Sciences.

Interdisciplinary area between mathematics and computer science.

Complexity

Algorithms requiring requiring O(log^dn) in time for some fixed d?

Polynomial time algorithms. Problems for which polynomial time algorithms known are classified as incomplexity class P.

Note O(n) is bad, exponential in input bits log n.

Examples of polynomial time algorithms:

Addition, multiplication, long division.

Euclidean algorithm for computing gcd(n, m) is a “perfect”

polynomial time algorithm. Computing gcd without factorization.

In fact none of the algorithms for factorization known is

polynomial time. No one knows whetherfactorization problem is in class P or not.

An undergraduate Math Project in India

Determining whether a given integer n is prime, i.e. Primality Testing, is easier than factorizing n.

Until August 2002, no one knows any polynomial time algorithm for determining primes.

Two hundred years after Gauss, all of us still wander whether Primality Testing is in class P or not?

2002, Kanpur, India, Agrawal, and university students Kayal and Saxena found a polynomial time algorithm for the primality testing problem, thereby provesit is a problem in class P.

This AKS work is very elementary, using only mathematics which can be easily picked up by high school students.

Prize from the Clay Mathematics Institute.

Congruences

Operating integers modulo a fixed integer m.

Congruent classes of integers.

Chinese remainder theorem. Solving the following is of class P:

x ≡ a1 (mod m1) x ≡ a2 (mod m2)

· · · · x ≡ a_r (mod m_r) here gcd(m_i, m_j) = 1 for i 6= j.

Little theorem ofFermat : if p is a prime, for all integers a, a^p ≡ a (mod p).

Consider a not-divisible by prime p, then a^p−1≡ 1 (mod p).

Fermat

This Fermat theorem is non-trivial, as prime p could be very large.

Question: If n is not a prime, can one find b s.t.

bⁿ6≡ b (mod n).

Answer is no : 561 divides a⁵⁶¹− a for all integers a, however 561 = 3 × 11 × 17.

On the other hand, answer is yes for “most”integers n.

If p 6= 2, p − 1 is even, then for a - p

a^p−12 ≡ ±1 (mod p).

Write n − 1 = 2^uv with v odd. Compute (in polynomial time) for a aⁿ⁻¹ (mod n), a^(n−1)/2 (mod n), · · · , a^(n−1)/2u (mod n).

A random polynomial time algorithm

If n is a prime, there are only two possibilities:

1, 1, · · · , 1 or 1, 1, · · · , 1, −1.

If the result is different from the above, n must be “composite”.

In this circumstances, call a awitnessto n being composite.

Can one find a witness quickly if odd n is composite?

A key observation: if n is not a prime,

at least half of the integers a, 1 ≤ a ≤ n, are witnesses for odd n.

Strategy: pick a1, a2, · · · , ak at randomfrom {1, 2, · · · n} until a witness come up.

If n is not a prime, theprobabilitythat none of a₁, · · · , a_k are witness for n is ≤ 1/2^k. Therefore,in practice, this works.

Arandom polynomial algorithmfor primality testing.

Proves determining primes is a problem in complexity class RP.

Class NP

If n is a prime, it is possible to write down a“proof”that it is a prime which can be checked in polynomial time. However one may needs exponential time to find such a proof.

We say such a problem is in complexity class NP. Both factorization and primality testing are in class NP.

Here NP is fornon-deterministic polynomial time. Because the method for discovering the proof is not necessarily determined.

A little theorem of Gauss: If p is a prime, there exists integer g, 1 < g ≤ p − 1, such that p − 1 is the least integer m satisfying

g^m ≡ 1 (mod p).

Given such g one can verify n = p is a prime in polynomial time.

These g are said to be or order p − 1 mod p.

Is P 6= NP?

The set of problems in complexity class P are those for which we can find solutions, with proofs, in polynomial time.

By definition P ⊂ NP. We believe that there are problems in NP which are not in P, e.g. the factoring problem.

But thishas not been proved.

One of the Clay Mathematics Institute’s million dollar problem.

After AKS 2002, we finally confirm that primality testing is in P, not just in NP or RP.

By the way, the previous strategy of finding witness a to composite n could be made deterministic, in polynomial time.

BecauseGeneralized Riemann Hypothesis GRH implies there must be a witness ≤ 2 log²n. GRH is another difficult open problem in Clay Mathematics Institute’s million list.

The binomial theorem

Recall for positive integer n

(x + y)ⁿ=

n

X

i=0

n i

 xⁱyⁿ⁻ⁱ

Combining with little theorem of Fermat, if n happens to be prime (x + y)ⁿ≡ xⁿ+ yⁿ (mod n).

Starting point of AKS, consider x as a variable,

Theorem. Integer n is a primeif and only if the following congruence holds as polynomials in x

(x + 1)ⁿ≡ xⁿ+ 1 (mod n).

AKS

If n is composite let p be a prime dividing n. In the expansion

n p



= n(n − 1)(n − 2) · · · (n − (p − 1)) p(p − 1) · · · 1

we see that the only terms p divides are the n in the numerator and the p in the denominator; and so if p^k is the largest power of p dividing n, then p^k−1 is the largest power of p dividing ⁿ_p
, and therefore n does not divide ⁿ_p
.

Computing (x + 1)ⁿ (mod n) is not in polynomial time of log n since it involves storing n coefficients.

Ideaof AKS: to compute (x + 1)ⁿ mod some small degree polynomial as well as mod n.

The algorithm

AKS algorithm is based on the following theorem:

For given integer n ≥ 2, let r be a positive integer < n, for which n has order > log²n mod r. Then n is a prime if and only if (i) n is not a perfect power,

(ii) n does not have any prime factor ≤ r, (iii) For each integer a, 1 ≤ a ≤√

r log n,

(x + a)ⁿ≡ xⁿ+ a mod (n, x^r− 1).

Running time: between O(log^7+1/2n) and O(log^6+n).

Note that there is polynomial time algorithm to determine whether n is perfect power. The crucial point is to find small size r.

Auxiliary parameter r

If n is not a perfect power, then

Step 1. Find r for which the order of n (mod r) is > log²n.

Step 2. Determine whether gcd(a, n) > 1 for some a ≤ r.

Step 3. For a = 1, 2, . . . , b√

r log²nc, check

(x + a)ⁿ≡ xⁿ+ a mod (n, x^r− 1).

How can we find desired r for given n?

For each integer q > blog²nc, compute n^j mod q for

j = 1, . . . , blog²nc until we reach the first value of q for which none of the residues is equal to 1 (mod q). Then can set r = q.

AKS proves existence of such r around log⁵n.

In fact one expects to find many such r which are < 2 log²n.

Fast Exponentiation

Want to compute (x + a)ⁿ≡ xⁿ+ a mod (n, x^r− 1) quickly. For j ≥ 0 define f0(x) = x + a and fj+1(x) = fj(x)² mod (n, x^r− 1).

At each step we determine f_j(x)² and then reduce mod x^r− 1 so the degree of the resulting polynomial is always < r, and then reduce mod n to obtain fj+1. Note that

fj(x) ≡ (x + a)^2j mod (n, x^r− 1).

Write n = 2^a1 + 2^a2 + · · · + 2<sup>a`</sup>, with a<sub>1</sub>> a<sub>2</sub> > · · · > a<sub>`</sub>≥ 0. Let g1(x) = fa1(x), and then gj(x) = gj−1(x)faj(x) mod (n, x^r− 1).

g`(x) ≡ (x + a)<sup>2a1+2a2+···+2a`</sup> = (x + a)ⁿ mod (n, x^r− 1).

Running time :O(r log n(log n + log r)^1+).

Primality test and Cryptography

Currently if you are interested in the task of determining whether given integer n is prime

Challenge: consider the case of n with 10000 digits.

Primality testing is in class P, but factoring is presumably in class NP − P. We pray NP 6= P.

Otherwise, there is little chance that we can have safe public key cryptography, or that one could build a highly unpredictable (pseudo-)random number generator....

In today’s world, the security of data on computers, electronic business transactions, etc, all depends on public key cryptosystems, it is genuinely safe only if NP 6= P.

Riemann Hypothesis

Riemann zeta function, for complex numbers s with real part > 1

ζ(s) =

∞

X

n=1

1

n^s = Y

p prime

(1 − 1 p^s)⁻¹.

The domain of definition of this analytic function can be extended to include all complex numbers except s = 1.

Write s = x + iy, Riemann conjectures that if ζ(s) = 0 and x > 0, then we must have x = 1/2.

Given integer n, this conjecture is closely related to whether there exists a ≤ 2 log²n which is a witness to n being composite.

AKS 2002 just discovered a way to prove primality testing is in P not relying onRiemann Hypothesis.

The End. Thank You for your attention.