多項式時間確定型質數判定演算法的研究

(1)

國立臺灣大學理學院數學系碩士論文

Department of Mathematics College of Science

National Taiwan University Master Thesis

多項式時間確定型質數判定演算法的研究 On the AKS Algorithm

曾膺任

Ying-Jen Tseng

指導教授﹕陳其誠博士 Advisor: Ki-Seng Tan, Ph.D.

中華民國 105 年 1 月 January 2016

(2)

口試委員會審定書……… .………...………i

誌謝……… ..………….ii

中文摘要……… ..………iii

英文摘要……… ..………iv

第一章簡介………..………1

第二章算法的根源……….…...2

引理 2.0.1………...………....2

第三章演算法……… .………...3

第四章演算法的正確性……….………...3

定理 1. ……… .……...………. 3

引理 4.0.2 ………...………...3

引理 4.0.3………...…………4

定理 2………...………4

第五章演算法的時間雜度分析……… .…….8

定理 3. ………...…..8

引理 5.0.4………...………9

定理 4………...……....9

參考文獻 ……….……...10

(3)

誌謝

我要感謝指導教授陳其誠老師給我這個研究方向，讓我從中體會到數學理論在質數判定這個重要的問題裡起了什麼樣的作用。在和老師討論論文裡各種的細節的時候，老師總是很有耐心地替我解說，幫我重拾起許多重要的代數觀念，使我獲益良多。老師除了教導我們數學，平日也時常與我們聊天，關心我們的日常生活。老師看似總以一種幽默態度面對周遭，跟在老師身邊，讓我不只學習數學，更多的時候，也許在潛移默化中學到老師面對人生的那股豁達精神。回顧碩班三年多來和老師相處的時光，我覺得自己很幸運能成為老師的學生，這些年來我成長了很多，不管是在數學還是其他方面，我由衷的感謝陳其誠老師！

我也要感謝這幾年在台大認識的好朋友，建鑫，啟樺，俊飛，昶凱，偉碩，

黃瑞，楷倫，還記得大家同住男一那段充滿歡笑的回憶嗎？感謝家榮在我碩一的時候提供房間讓我入住，那裡的環境和你讓我有一種家的感覺，到現在還會想起。感謝為淵那陣子的深夜電影約會，讓我學術之餘有紓壓的管道，也感謝你和芳如這幾年的陪伴。感謝金緯帶我進入數學的世界，過去每每和你討論完總是充滿鬥志，你是數學路上的好同志。感謝勇賢在碩班時找我討論修課科目，

一起準備考試。你們每一位參與著我的生活，就像拼圖一樣，拼出了我這幾年多采多姿的人生，我感謝你們！

最後我要感謝我的父母，是你們無怨無悔把我帶大，重視教育，賺錢供我

讀書，默默地支持我的選擇，當我受挫時在旁鼓勵我，安慰我。你們用一雙手

撐起這個溫暖的家庭，到我長大點才發現原來這並不容易。你們永遠是我心靈

最深處的依靠，謝謝，我愛你們！

(4)

中文摘要

本文研究由 M. Agrawal, N. Kayal and N. Saxena 提出的第一個多項式時間確定型的質數判定演算法，經過 H. Lenstra Jr.等人的建議修改後的版本”PRIMES is in P”(2004)，並補充了一些原文裡證明細節。

關鍵詞：質數; 演算法; 多項式時間; 確定型; 質數判定

(5)

英文摘要

We take a exposition at the paper “PRIMES is in P” by M. Agrawal, N. Kayal and N.

Saxena (2004), in which they used Lenstra's idea and made a revision of their earlier version. We also present some details in the proof.

Key Words: prime number ; algorithm; polynomial time; deterministic; primality test

(6)

ON THE AKS ALGORITHM

Ying-Jen Tseng

ABSTRACT. We investigate the AKS algorithm which determines whether a number is prime in polynomial time.

1. INTRODUCTION

In August 2002, M. Agrawal, N. Kayal and N. Saxena proposed an unconditional, deterministic and polynomial time primality test. It is now known as AKS test or AKS algorithm. Prior to then, several efficient primality test had been founded. Miller test (proposed in 1975, deterministic and polynomial time assuming the Extended Riemann Hypothesis); Rabin-Miller test(proposed in 1980, unconditional but in randomised polynomial time); Soloray-Strassen test(proposed in 1977, in randomised polynomial time);

Adleman-Pomerance-Rumely test(proposed in 1983, deterministic and in (logn)O(log log log n)

time); Goldwasser-Kilian test(proposed in 1986, in randomised expected polynomial time);

Atkin-Adleman-Huang test (proposed in 1992, also in randomised polynomial time).

The AKS test finally achieved the desired polynomial runtime requirement using only fully proved facts. It not only settled the theoretical issue of primality test but also stunned the world with its simplicity. Many of the previous algorithms used deeper result while the AKS algorithm utilised simpler tools and acquire more efficient runtime condition.

Soon after the AKS algorithm proposed, some variant algorithms had also been founded, two of them are in [LEN05] and [BER03], both proving primality in better asymptotic running time.

In this thesis, we take a exposition at the paper “PRIMES is in P” [AKS04] by M.

Agrawal, N. Kayal and N. Saxena (2004), in which they used Lenstra’s idea and made a

(7)

revision of their earlier version [AKS02]. Some of the structure and arrangement of the content are from [RC05] and [AG05].

We begin with an observation which is the idea that the AKS algorithm is based on.

2. BASIC IDEA

We shall let Z_ndenote the ring Z/nZ.

Lemma 2.0.1. Let a be an integer, n be a positive integer, n ≥ 2, and (a, n) = 1. Then n is a prime if and only if

(1) (x + a)ⁿ≡ xⁿ+ a (mod n).

Proof. The coefficient of xⁱ in (x + a)ⁿ− (xⁿ+ a) is ⁿ_i. If n is a prime, then ⁿ_i = 0 (mod n). If n is composite and q is a prime factor of n such that q^k||n, then since

n q

= n(n − 1) · · · (n − q + 1) q!

and q^k||n(n − 1) · · · (n − q + 1), q^k can not divide ⁿ_q, whence n can not divide ⁿ_q. The coefficient of x^qis a^{n−q n}_q, which can not be divided by n since (a, n) = 1. So (x + a)ⁿ−

(xⁿ+ a) is not identically zero over Z_n.

The above criterion is not efficient enough to be polynomial-time: to verify (1) directly, one needs to compute all terms of the left-hand side and the computation takes O(n) time.

A probable way of solving the problem is to modulo a polynomial f (x) on both side of (1). In particular, if (1) is satisfied, then the congruence

(2) (x + a)ⁿ≡ xⁿ+ a (mod x^r− 1, n)

will also be satisfied. If the degree r is not so large (bounded by an polynomial function of log n), then we can check (2) quickly (in polynomial time). However, while (2) is necessary for n to be prime, it is not sufficient. And it seems that this is the main difficulty

(8)

to overcome if one wants a fast algorithm that derived from criterion (1). It turns out M. Agrawal, N. Kayal and N. Saxena managed to resolve this kind of difficulty: they can restore the characterization by verifying (2) for every a up to a certain point, if (2) is satisfied for all of these a, then n must be a prime power, which can be detected efficiently from the very beginning. The degree r is also appropriately chosen to assure each (2) can be verified in polynomial time, hence the total run time of their algorithm is polynomial time. Now we state the algorithm as pseudo code in the next section, after which is its correctness proof followed by analysis of time complexity.

3. THE ALGORITHM

Input: integer n > 1.

1. If n is a perfect power, return COMPOSITE.

2. Find the least integer r such that the order of n in Z_r^∗exceeding log²n.

3. If a|n for some 2 ≤ a ≤p

φ (r) log n, return COMPOSITE.

4. For 2 ≤ a ≤p

φ (r) log n, if (x + a)ⁿ6= xⁿ+ a (mod x^r− 1, n), return COMPOSITE.

5. Return PRIME.

4. CORRECTNESS OF THE ALGORITHM

Theorem 1. The algorithm returns PRIME if and only if n is prime.

The proof of Theorem 1 is split into two parts: Lemma 4.0.2 and Theorem 2, dealing with the case which returns COMPOSITE and PRIME, respectively.

Lemma 4.0.2. If the algorithm returns COMPOSITE, then n is composite.

Proof. If the algorithm returns COMPOSITE from step 1 or 3, then clearly n is composite.

Otherwise, COMPOSITE is returned from step 4, then by Theorem 1, n cannot be prime,

thus n is also composite.

(9)

The case that returns PRIME requires more efforts, and it serves as the main criterion in the algorithm. Some authors call this criterion “AKS Theorem”. Before proceeding on, we need some lemmas.

In the rest of the context, let R denote the ring Z_p[x]/(x^r− 1).

Lemma 4.0.3. Let p be a prime number and r be a positive integer co-prime to p. Let T : R −→ R be defined by T ( f ) = f^p. Then T is injective.

Proof. Suppose there are u, v belonging to R such that T (u) = T (v). Then

0 = T (u) − T (v) = u^p− v^p= (u − v)^p= T (u − v).

Let w = u − v. It suffices to prove w = 0. Write w = a₀+ a₁x+ · · · + a_r−1x^r−1, so that in R,

0 = T (w)

= w^p

= (a₀+ a₁x+ · · · + a_r−1x^r−1)^p

= a₀+ a₁x^p+ · · · + a_r−1x^(r−1)p.

If x^ip= x^{j p}in R for some nonnegative integer i, j, then r|p(i − j), which means r|i − j due to (r, p) = 1. Since 0, 1, 2, ..., r − 1 are all distinct modulo r, the terms 1, x^p, x^2p, ..., x^(r−1)p are actually the rearrangement of 1, x, x², ..., x^r−1, and hence a₀+a₁x^p+· · ·+a_r−1x^(r−1)p= 0 implies a₀= a₁= · · · = a_r−1= 0. That is, w = 0. Therefore, T is injective.

Let f (x) ∈ R denote the residue class of f (x) ∈ Z_p[x] and let m be a non-negative integer.

If g(x) = f (x), then g(x) = f (x) + h(x)(x^r− 1), hence

g(x^m) = f (x^m) + h(x^m)(x^rm− 1).

Since x^mr− 1 is divisible by x^r− 1, we see that g(x^m) = f (x^m). In other words, the residue class f (x^m) depends only on f (x) and is independent of the choice of f (x). Hence, we

(10)

have a well-defined operator

E_m: R −→ R, f (x) 7→ f (x^m).

In particular, if p is a prime number, then since f (x^p) = f (x)^pfor every f (x) ∈ Z_p[x], we can conclude that for every f (x) ∈ R,

f(x^p) = f (x)^p.

Theorem 2. (AKS Theorem) Suppose n is an integer with n ≥ 2, r is a positive integer with(r, n) = 1 and the order of n in Z_r^∗is larger thanlog²n. Moreover, assume that

(3) (x + a)ⁿ= xⁿ+ a (mod x^r− 1, p)

holds for integer a with0 ≤ a ≤p

φ (r) log n. If n has a prime factor p >p

φ (r) log n, then n= p^mfor some positive integer m. If n has no prime factor in the interval[1,p

φ (r) log n]

and n is not a perfect power, then n is prime.

Proof. Suppose n has a prime factor p >p

φ (r) log n. Denote

G= {g(x) ∈ Z_p[x] : g(x)ⁿ= g(xⁿ) (mod x^r− 1)}.

By (3), we know that x + a ∈ G, for all 0 ≤ a ≤p

φ (r) log n. Since G is closed under multiplication, if each eais a nonnegative integer, then the product

∏

0≤a≤√

φ (r) log n(x + a)^e^a ∈ G.

Let ¯G⊂ R denote the set of all residue classes of f ∈ G modulo x^r− 1. Then

G¯= { f (x) ∈ R | f (xⁿ) = f (x)ⁿ}.

For each f (x) ∈ ¯G, denote v := f (x^n/p) and w := f (x)^n/p. Then

v^p= f (xⁿ) = f (x)ⁿ= w^p.

(11)

Thus, by Lemma 4.0.3, we have v = w. Let m₁and m₂be positive integers such that

f(x^m¹) = f (x)^m¹ and f (x^m²) = f (x)^m²

in R. Then there is q(x) ∈ Z_p[x] satisfying

f(x)^m² = f (x^m²) + q(x)(x^r− 1)

in Z_p[x]. Substitute x with x^m¹ and get

f(x^m¹)^m²= f (x^m¹^m²) + q(x^m¹)(x^m¹^r− 1)

in Z_p[x]. Note that x^r− 1|x^m¹^r− 1, and hence in R

f(x^m¹^m²) = f (x^m¹)^m² = f (x)^m¹^m².

Define

I= {pⁱ(n/p)^j | i, j ≥ 0}.

From the above it has been shown for every m ∈ I and every g(x) ∈ G, g(x)^m= g(x^m) in R.

Let Q_r(x) be the r^th cyclotomic polynomial over the finite field Z_p. Then Q_r(x)|x^r− 1 and Q_r(x) factors into irreducible factors of degree O_r(p) [LN86]. Let h(x) be one such irreducible factor and let F denote Zp[x]/(h(x)), which is a finite extension of Z_p. Every element of F is the residue class of some f (x) ∈ Zp[x] and will be denoted as df(x). Let Gˆ ⊂ F denote the set of all residues classes of polynomials in G modulo h(x).

Let ˆIbe the set of all residues of numbers in I modulo r and denote t = | ˆI|. Obviously φ (r) ≥ t. An element f (x) ∈ R is the residue class of a unique f (x) ∈ Z_p[x] with deg f (x) <

rand we define the degree of f (x) to be that of f (x). Suppose f (x), g(x) ∈ G are of degree less than t such that df(x) = dg(x) in F. Then

[f(xⁱ) = [f(x)ⁱ= df(x)ⁱ= dg(x)ⁱ= dg(x)ⁱ= dg(xⁱ)

(12)

in F, for all i ∈ ˆI. Now since ˆx (the residue class of x in F) is a primitive rth root of 1, all ˆxⁱ, i∈ ˆI, are distinct elements in F. Hence f (x) = g(x) in Zp[x] (otherwise h(x) = f (x) − g(x) will have more than t roots in F). Thus, we have proved that for any two distinct elements of degree less than t in G will map to different elements in ˆG.

Since p >p

φ (r) log n ≥

√tlog n, the linear polynomials x, x+1, ..., x+λ , λ := [√ tlog n], are all distinct in G. Since Z_p[x] is a unique factorisation domain, for distinct sequences e:= e₀, ..., e_λ, the corresponding product

f_e:=

∏

0≤a≤λ(x + a)^e^a

are distinct. Because nⁱ∈ I, for every i = 0, ..., the number t is no less than the order of n in Z_r^∗, and hence t ≥ log²n. Therefore,

t≥√

tlog n > λ .

To have deg f_e< t, we can choose e such that either e_i< t for some fixed i and e_j= 0 for all j 6= i, or each term e_j= 0 or 1 and not all e_j= 1. Then we can conclude that there are at least 2^{λ +1}distinct f_e∈ G with deg f_e< t. This implies

(4) | ˆG| ≥ 2^{λ +1}> 2

√tlog n= n

√t.

Suppose n is not a perfect power of p. Consider the subset

J:= {(n/p)ⁱp^j| 0 ≤ i, j ≤ [√

t]} ⊂ I.

Since n is not a power of p, J contains ([√

t] + 1)²> t distinct elements. So there are at least two numbers m₁, m₂in J with m₁> m₂such that m₁= m₂ (mod r). Then x^m¹ = x^m² (mod x^r− 1), and hencebx^m¹ =bx^m². Let df(x) ∈ ˆG. Then

(5) fd(x)^m¹= \f(x^m¹) = f (xc^m¹) = f (xc^m²) = \f(x^m²) = df(x)^m².

(13)

It follows that ˆf(x)^m¹ = ˆf(x)^m² in F. Hence every ˆf(x) ∈ ˆG is a root of the equation Y^m¹−Y^m²= 0 in F. Again, because the number of roots of a polynomial in any extension of the field which its coefficients lie can not exceed its degree, we have | ˆG| ≤ m₁. Clearly

m₁≤ (n/p · p)^[

√t]≤ n

√t,

hence | ˆG| ≤ m₁≤ n^√^t, a contradiction to (4). Therefore n is a power of p. It is clear now that if n has no prime factor p ≤p

φ (r) log n and n is not a perfect power, then n is

prime.

5. TIME COMPLEXITYANALYSIS

We use the notation Õ(t(n)) for O(t(n) ∗ poly(logt(n))), where t(n) is some function of n. Note that we can perform addition, multiplication and division operations between two m bits number in time Õ(m) [vzGG99]. Operations on two degree d polynomials with coefficients at most m bits can be done in time Õ(dm) in a similar way [vzGG99]. In the following, we compute the runtime bound in terms of n and r in the algorithm.

Theorem 3. The asymptotic time complexity of the algorithm is ˜O(r^3/2log³n).

Proof. The first step of the algorithm can be done with checking every possible exponent in ˜O(log³n) time.

Step 2 can be done by trying successive numbers r that is coprime to n, and test if n^k6= 1 (mod r) for every k ≤ log²n. For a particular r, this can be done in ˜O(log r log²n), so it will take ˜O(r log²n) time.

The time taken for step 3 is ˜O(r^1/2log²n). In step 4, we have to verify aboutp

φ (r) log n equations. To verify each equation, one needs log n multiplications of degree r polynomials with coefficient of size O(log n), hence each equation can be verified in ˜O(r log²n).

The total time taken for step 4 is therefore ˜O(r^3/2log³n).

(14)

Summing the above, we get the total time complexity of the algorithm: ˜O(r^3/2log³n).

Up to this point, we have seen that the time needed for the algorithm is ˜O(r^3/2log³n).

Only if r is bounded by a polynomial of log n can the algorithm be in polynomial runtime overall. Indeed, this is the case, and we prove this in Theorem 4 using Lemma 5.0.4.

Lemma 5.0.4. Let LCM(m) denote the lcm of first m numbers. For m ≥ 7: LCM(m) ≥ 2^m.

I heard the following proof from Dr. Yi-Chih Chiu, who was a post doctor research fellow at National Taiwan University when I worked on this thesis, and he mainly used the approach as in [Nai82], with more direct arguments.

Proof. We first prove that n(n + 1) ²ⁿ⁺¹_n |LCM(2n + 1). This is true because

LCM(2n + 1) =

∏

p^r≤2n+1<p^r+1

p^r,

while the exponent of p in the prime factorisation of ²ⁿ⁺¹_n equals

i≥1

∑

([(2n + 1)/pⁱ] − [n/pⁱ] − [(n + 1)/pⁱ]) ≤ r

if p^r≤ 2n+1 < p^r+1as each term is 0 or 1. When p^a||n or p^a||(n+1), we can improve the upper bound of the above summation by r − a. Hence, the divisibility property follows.

As a consequence, LCM(2n + 1) ≥ n(n + 1) ²ⁿ⁺¹_n = n(2n + 1) ²ⁿ_n ≥ n · 2²ⁿ. This shows LCM(m) ≥ 2^mfor odd m ≥ 3. The case of even m follows from the crude estimation

LCM(m) ≥ LCM(m − 1).

Theorem 4. Let n ≥ 3. In step 2, the integer r can be found with r ≤log⁵n + 1 or n will be verified composite in this step.

Proof. Since n ≥ 3, so m ≥log⁵n > 10 and by Lemma 5.0.4,

(6) LCM(m) ≥ 2^m.

(15)

Let r₀be the least number that does not divide the product

Q:=

b^log²ⁿc

∏

i=1

(nⁱ− 1) < n^log⁴ⁿ= 2^log⁵ⁿ.

If l is a prime number and l^bkLCM(r₀− 1), then l^b≤ r₀− 1, and hence l^b| Q. This implies

LCM(r₀− 1) ≤ Q < 2^log⁵ⁿ.

then we must have

r₀≤l log⁵nm

+ 1, for otherwise, r₀− 1 ≥log⁵n + 1, hence by (6),

LCM(r₀− 1) ≥ 2d^log⁵ⁿe⁺¹> 2^log⁵ⁿ

a contradiction to the above inequality.

Now, if (r₀, n) > 1 then n is composite; otherwise, (r₀, n) = 1 and O_r₀(n) > log²n.

From theorems above, the time complexity of the algorithm is ˜O(r^3/2log³n) = ˜O(log^21/2n).

Using a deep result from analytic number theory in [Fo85], one can show that r may actually be chosen with r = O(log³n), and thus getting a more tight but ineffective bound of the runtime: ˜O(log^7.5n).

REFERENCES

[AKS04] Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin, PRIMES is in P, Annals of Mathematics 160, 2(2004), 781-793.

[AKS02] Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin, PRIMES is in P, Preprint, (2002).

[RC05] Crandall, R. and Pomerance, C. Prime Numbers: A Computational Perspective, 2nd ed. New York:

Springer-Verlag, 2005.

[AG05] Granville, A. It Is Easy to Determine Whether a Given Integer Is Prime. Bull. Amer. Math. Soc.

42, 3-38, 2005.

(16)

[Nai82] M.Nair. On Cheybyshev-type inequalities for primes. Amer. Math. Monthly, 89:126-129, 1982.

[Fo85] E. Fouvry. Theorem de Brun-Titchmarsh; application au theoreme de Fermat. Invent. Math., 79:383-407, 1985.

[LN86] R. Lidl and H. Niederreiter. Introduction to finite fields and their applications. Cambridge Univer- sity Press, 1986.

[vzGG99] Joachim von zur Gathen and Jurgen Gerhard. Modern Computer Algebra. Cambridge University Press, 1999.

[MJ04] Problems in Algebraic Number Theory, 2nd ed. Springer-Verlag, 2004.

[LEN05] H. W. Lenstra Jr. and Carl Pomerance, Primality testing with Gaussian periods, preliminary version July 20, 2005.

[BER03] D. Bernstein, Proving primality in essentially quartic time. http://cr.yp.to/ntheory.html#quartic

DEPARTMENT OFMATHEMATICS, NATIONALTAIWANUNIVERSITY, TAIPEI10764, TAIWAN

E-mail address: r01221030@ntu.edu.tw