# The Primality Problem


## coNP Hardness and NP Hardness^a

Proposition 46 If a coNP-hard problem is in NP, then NP = coNP.

Let L ∈ NP be coNP-hard.

Let NTM M decide L.

For any L′ ∈ coNP, there is a reduction R from L′ to L.

L′ ∈ NP as it is decided by NTM M(R(x)).

– Alternatively, NP is closed under complement.

Hence coNP ⊆ NP.

The other direction NP ⊆ coNP is symmetric.

^a Brassard (1979); Selman (1978).

## coNP Hardness and NP Hardness (concluded)

Similarly,

Proposition 47 If an NP-hard problem is in coNP, then NP = coNP.

As a result:

NP-complete problems are unlikely to be in coNP.

coNP-complete problems are unlikely to be in NP.


## The Primality Problem

An integer p is prime if p > 1 and no positive integer other than 1 and p itself divides it.

primes asks if an integer N is a prime number.

Dividing N by 2, 3, . . . , $\sqrt{N}$ is not efficient.

The length of N is only $\log N$, but $\sqrt{N} = 2^{0.5 \log N}$.

A polynomial-time algorithm for primes was not found until 2002 by Agrawal, Kayal, and Saxena!

We will focus on efficient “probabilistic” algorithms for primes (used in Mathematica, e.g.).

```
if n = a^b for some a, b > 1 then
    return “composite”;
end if
for r = 2, 3, . . . , n − 1 do
    if gcd(n, r) > 1 then
        return “composite”;
    end if
    if r is a prime then
        Let q be the largest prime factor of r − 1;
        if q ≥ 4√r log n and n^((r−1)/q) ≠ 1 mod r then
            break; {Exit the for-loop.}
        end if
    end if
end for {r − 1 has a prime factor q ≥ 4√r log n.}
for a = 1, 2, . . . , 2√r log n do
    if (x − a)^n ≠ (x^n − a) mod (x^r − 1) in Z_n[x] then
        return “composite”;
    end if
end for
return “prime”; {The only place with “prime” output.}
```
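
As an added example (not code from the lecture notes), the pseudocode above transcribed into Python: polynomials in Z_n[x] are kept as coefficient lists of length r and reduced modulo x^r − 1, and log is taken base 2 (an assumption of this transcription). For small n the r-loop never breaks, so r ends at n − 1 and the polynomial identity is checked there.

```python
from math import gcd, log2

def is_perfect_power(n):
    return any(c > 1 and c ** b == n                    # step 1: n = a^b with a, b > 1?
               for b in range(2, n.bit_length() + 1)
               for c in range(round(n ** (1 / b)) - 1, round(n ** (1 / b)) + 2))

def largest_prime_factor(m):
    # Largest prime factor of m by trial division; 0 when m = 1.
    q, d = 0, 2
    while d * d <= m:
        while m % d == 0:
            q, m = d, m // d
        d += 1
    return m if m > 1 else q

def poly_mulmod(f, g, r, n):
    # Product in Z_n[x] reduced mod x^r - 1: x^(i+j) wraps to x^((i+j) mod r).
    h = [0] * r
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[(i + j) % r] = (h[(i + j) % r] + fi * gj) % n
    return h

def poly_powmod(f, e, r, n):
    result, base = [1] + [0] * (r - 1), f               # f^e by repeated squaring
    while e:
        if e & 1:
            result = poly_mulmod(result, base, r, n)
        base, e = poly_mulmod(base, base, r, n), e >> 1
    return result

def aks_is_prime(n):
    if n < 4:
        return n >= 2
    if is_perfect_power(n):
        return False
    for r in range(2, n):                               # the r-loop of the pseudocode
        if gcd(n, r) > 1:
            return False
        q = largest_prime_factor(r - 1)
        if (largest_prime_factor(r) == r                # r is a prime
                and q >= 4 * r ** 0.5 * log2(n) and pow(n, (r - 1) // q, r) != 1):
            break
    for a in range(1, int(2 * r ** 0.5 * log2(n)) + 1):  # the a-loop
        rhs = [(-a) % n] + [0] * (r - 1)                # x^n - a mod (x^r - 1, n)
        rhs[n % r] = (rhs[n % r] + 1) % n
        if poly_powmod([(-a) % n, 1] + [0] * (r - 2), n, r, n) != rhs:
            return False
    return True
```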

## The Primality Problem (concluded)

NP ∩ coNP is the class of problems that have succinct certificates and succinct disqualifications.

– Each “yes” instance has a succinct certificate.

– Each “no” instance has a succinct disqualification.

– No instances have both.

We will see that primes ∈ NP ∩ coNP.

In fact, primes ∈ P as mentioned earlier.


## Primitive Roots in Finite Fields

Theorem 48 (Lucas and Lehmer (1927))^a A number p > 1 is prime if and only if there is a number 1 < r < p (called the primitive root or generator) such that

1. $r^{p-1} = 1 \bmod p$, and

2. $r^{(p-1)/q} \ne 1 \bmod p$ for all prime divisors q of p − 1.

We will prove the theorem later.

^a François Édouard Anatole Lucas (1842–1891); Derrick Henry Lehmer (1905–1991).

## Pratt’s Theorem

Theorem 49 (Pratt (1975)) primes ∈ NP ∩ coNP.

primes is in coNP because a succinct disqualification is a divisor.

Suppose p is a prime.

p’s certificate includes the r in Theorem 48 (p. 380).

Use recursive doubling to check if $r^{p-1} = 1 \bmod p$ in time polynomial in the length of the input, $\log_2 p$.

We also need all prime divisors of p − 1: $q_1, q_2, \ldots, q_k$.

Checking $r^{(p-1)/q_i} \ne 1 \bmod p$ is also easy.

## The Proof (concluded)

Checking $q_1, q_2, \ldots, q_k$ are all the divisors of p − 1 is easy.

We still need certificates for the primality of the $q_i$’s.

The complete certificate is recursive and tree-like:

$C(p) = (r;\ q_1, C(q_1), q_2, C(q_2), \ldots, q_k, C(q_k)).$

C(p) can also be checked in polynomial time.

We next prove that C(p) is succinct.

## The Succinctness of the Certificate

Lemma 50 The length of C(p) is at most quadratic at $5 \log_2^2 p$.

This claim holds when p = 2 or p = 3.

In general, p − 1 has $k < \log_2 p$ prime divisors $q_1 = 2, q_2, \ldots, q_k$.

C(p) requires: 2 parentheses and $2k < 2 \log_2 p$ separators (length at most $2 \log_2 p$ long), r (length at most $\log_2 p$), $q_1 = 2$ and its certificate 1 (length at most 5 bits), the $q_i$’s (length at most $2 \log_2 p$), and the $C(q_i)$’s.

## The Proof (concluded)

C(p) is succinct because

$$
\begin{aligned}
|C(p)| &\le 5 \log_2 p + 5 + 5 \sum_{i=2}^{k} \log_2^2 q_i \\
&\le 5 \log_2 p + 5 + 5 \left( \sum_{i=2}^{k} \log_2 q_i \right)^2 \\
&\le 5 \log_2 p + 5 + 5 \log_2^2 \frac{p-1}{2} \\
&< 5 \log_2 p + 5 + 5 (\log_2 p - 1)^2 \\
&= 5 \log_2^2 p + 10 - 5 \log_2 p \le 5 \log_2^2 p \quad \text{for } p \ge 4.
\end{aligned}
$$

## A Certificate for 23^a

As 7 is a primitive root modulo 23 and 22 = 2 × 11, so C(23) = (7, 2, C(2), 11, C(11)).

As 2 is a primitive root modulo 11 and 10 = 2 × 5, so C(11) = (2, 2, C(2), 5, C(5)).

As 2 is a primitive root modulo 5 and $4 = 2^2$, so C(5) = (2, 2, C(2)).

In summary,

C(23) = (7, 2, C(2), 11, (2, 2, C(2), 5, (2, 2, C(2)))).

^a Thanks to a lively discussion on April 24, 2008.
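
As an added example (not code from the lecture notes), building and checking certificates in the format above: C(2) = 1 is the base case (the one-symbol certificate of Lemma 50), the generator picks the smallest primitive root, so its C(23) starts with 5 rather than the 7 used above, and the verifier accepts either as long as Theorem 48 holds at every level.

```python
def prime_factors(m):
    # Distinct prime divisors of m by trial division (fine for small m).
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    return factors + ([m] if m > 1 else [])

def is_primitive_root(r, p, qs):
    # Theorem 48: r^(p-1) = 1 mod p and r^((p-1)/q) != 1 mod p for every prime q | p - 1.
    return pow(r, p - 1, p) == 1 and all(pow(r, (p - 1) // q, p) != 1 for q in qs)

def pratt_certificate(p):
    # C(p) = (r, q1, C(q1), ..., qk, C(qk)) with C(2) = 1; ValueError if p is composite.
    if p == 2:
        return 1
    qs = prime_factors(p - 1)
    r = next((r for r in range(2, p) if is_primitive_root(r, p, qs)), None)
    if r is None:
        raise ValueError(f"{p} has no primitive root, so it is not prime")
    cert = [r]
    for q in qs:
        cert += [q, pratt_certificate(q)]
    return tuple(cert)

def verify_certificate(p, cert):
    # Every check is a modular exponentiation or a division: polynomial in log p.
    if p == 2:
        return cert == 1
    if p < 2 or not isinstance(cert, tuple) or len(cert) % 2 == 0:
        return False
    r, m = cert[0], p - 1
    if not 1 < r < p or pow(r, p - 1, p) != 1:          # condition 1 of Theorem 48
        return False
    for q, sub in zip(cert[1::2], cert[2::2]):
        if not verify_certificate(q, sub):                # q is itself certified prime
            return False
        if pow(r, (p - 1) // q, p) == 1:                  # condition 2 of Theorem 48
            return False
        while m % q == 0:                                 # divide q out of p - 1
            m //= q
    return m == 1                                         # the q_i are all the prime divisors of p - 1
```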

## Basic Modular Arithmetics^a

Let $m, n \in \mathbb{Z}^+$.

m | n means m divides n and m is n’s divisor.

We call the numbers 0, 1, . . . , n − 1 the residues modulo n.

The greatest common divisor of m and n is denoted gcd(m, n).

The r in Theorem 48 (p. 380) is a primitive root of p.

We now prove the existence of primitive roots and then Theorem 48.

^a Carl Friedrich Gauss.

## Totient or Phi Function^a

Let

$\Phi(n) = \{m : 1 \le m < n,\ \gcd(m, n) = 1\}$

be the set of all positive integers less than n that are prime to n ($\mathbb{Z}_n^*$ is a more popular notation).

Φ(12) = {1, 5, 7, 11}.

Define Euler’s function of n to be φ(n) = |Φ(n)|.

φ(p) = p − 1 for prime p, and φ(1) = 1 by convention.

Euler’s function is not expected to be easy to compute without knowing n’s factorization.

^a Leonhard Euler (1707–1783).


## Two Properties of Euler’s Function

The inclusion-exclusion principle^a can be used to prove the following.

Lemma 51 $\varphi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$.

If $n = p_1^{e_1} p_2^{e_2} \cdots p_t^{e_t}$ is the prime factorization of n, then

$$\varphi(n) = n \prod_{i=1}^{t} \left(1 - \frac{1}{p_i}\right).$$

Corollary 52 φ(mn) = φ(m) φ(n) if gcd(m, n) = 1.

^a See my Discrete Mathematics lecture notes.

## A Key Lemma

Lemma 53 $\sum_{m \mid n} \varphi(m) = n$.

Let $\prod_{i=1}^{\ell} p_i^{k_i}$ be the prime factorization of n and consider

$$\prod_{i=1}^{\ell} \left[\, \varphi(1) + \varphi(p_i) + \cdots + \varphi(p_i^{k_i}) \,\right]. \qquad (4)$$

Equation (4) equals n because $\varphi(p_i^{k}) = p_i^{k} - p_i^{k-1}$ by Lemma 51.

Expand Eq. (4) to yield

$$\sum_{k'_1 \le k_1, \ldots, k'_\ell \le k_\ell} \ \prod_{i=1}^{\ell} \varphi(p_i^{k'_i}).$$

## The Proof (concluded)

By Corollary 52 (p. 390),

$$\prod_{i=1}^{\ell} \varphi(p_i^{k'_i}) = \varphi\left(\prod_{i=1}^{\ell} p_i^{k'_i}\right).$$

Each $\prod_{i=1}^{\ell} p_i^{k'_i}$ is a unique divisor of $n = \prod_{i=1}^{\ell} p_i^{k_i}$.

Equation (4) becomes

$$\sum_{m \mid n} \varphi(m).$$

## All numbers < n

It works, but does it work well?


## Factorization and Euler’s Function

The ratio of numbers ≤ n relatively prime to n is φ(n)/n.

When n = pq, where p and q are distinct primes,

$$\frac{\varphi(n)}{n} = \frac{pq - p - q + 1}{pq} > 1 - \frac{1}{q} - \frac{1}{p}.$$

So the ratio of numbers ≤ n not relatively prime to n is < (1/q) + (1/p).

The “density attack” to factor n = pq hence takes $\Omega(\sqrt{n})$ steps on average when $p \sim q = O(\sqrt{n})$.

– This running time is exponential: $\Omega(2^{0.5 \log_2 n})$.

## The Chinese Remainder Theorem

Let $n = n_1 n_2 \cdots n_k$, where the $n_i$ are pairwise relatively prime.

For any integers $a_1, a_2, \ldots, a_k$, the set of simultaneous equations

$$x = a_1 \bmod n_1,\quad x = a_2 \bmod n_2,\quad \ldots,\quad x = a_k \bmod n_k,$$

has a unique solution modulo n for the unknown x.

## Fermat’s “Little” Theorem^a

Lemma 54 For all 0 < a < p, $a^{p-1} = 1 \bmod p$.

Consider $a\Phi(p) = \{am \bmod p : m \in \Phi(p)\}$.

$a\Phi(p) = \Phi(p)$.

$a\Phi(p) \subseteq \Phi(p)$ as a remainder must be between 0 and p − 1.

Suppose $am = am' \bmod p$ for $m > m'$, where $m, m' \in \Phi(p)$.

That means $a(m - m') = 0 \bmod p$, and p divides a or m − m′, which is impossible.

^a Pierre de Fermat (1601–1665).

## The Proof (concluded)

Multiply all the numbers in Φ(p) to yield (p − 1)!.

Multiply all the numbers in aΦ(p) to yield $a^{p-1}(p-1)!$.

As aΦ(p) = Φ(p), $a^{p-1}(p-1)! = (p-1)! \bmod p$.

Finally, $a^{p-1} = 1 \bmod p$ because $p \nmid (p-1)!$.

## The Fermat-Euler Theorem^a

Corollary 55 For all a ∈ Φ(n), $a^{\varphi(n)} = 1 \bmod n$.

The proof is similar to that of Lemma 54 (p. 396).

Consider $a\Phi(n) = \{am \bmod n : m \in \Phi(n)\}$.

$a\Phi(n) = \Phi(n)$.

$a\Phi(n) \subseteq \Phi(n)$ as a remainder must be between 0 and n − 1 and relatively prime to n.

Suppose $am = am' \bmod n$ for $m' < m < n$, where $m, m' \in \Phi(n)$.

That means $a(m - m') = 0 \bmod n$, and n divides a or m − m′, which is impossible.

^a Proof by Mr. Wei-Cheng Cheng (R93922108) on November 24, 2004.

## The Proof (concluded)

Multiply all the numbers in Φ(n) to yield $\prod_{m \in \Phi(n)} m$.

Multiply all the numbers in aΦ(n) to yield $a^{\varphi(n)} \prod_{m \in \Phi(n)} m$.

As aΦ(n) = Φ(n),

$$\prod_{m \in \Phi(n)} m = a^{\varphi(n)} \left(\prod_{m \in \Phi(n)} m\right) \bmod n.$$

Finally, $a^{\varphi(n)} = 1 \bmod n$ because $n \nmid \prod_{m \in \Phi(n)} m$.

## An Example

As $12 = 2^2 \times 3$,

$$\varphi(12) = 12 \times \left(1 - \frac{1}{2}\right)\left(1 - \frac{1}{3}\right) = 4.$$

In fact, Φ(12) = {1, 5, 7, 11}.

For example,

$5^4 = 625 = 1 \bmod 12$.

## Exponents

The exponent of m ∈ Φ(p) is the least $k \in \mathbb{Z}^+$ such that $m^k = 1 \bmod p$.

Every residue s ∈ Φ(p) has an exponent.

$1, s, s^2, s^3, \ldots$ eventually repeats itself modulo p, say $s^i = s^j \bmod p$, which means $s^{j-i} = 1 \bmod p$.

If the exponent of m is k and $m^\ell = 1 \bmod p$, then $k \mid \ell$.

Otherwise, $\ell = qk + a$ for 0 < a < k, and

$m^\ell = m^{qk+a} = m^a = 1 \bmod p$, a contradiction.

Lemma 56 Any nonzero polynomial of degree k has at most k distinct roots modulo p.

## Exponents and Primitive Roots

From Fermat’s “little” theorem, all exponents divide p − 1.

A primitive root of p is thus a number with exponent p − 1.

Let R(k) denote the total number of residues in Φ(p) that have exponent k.

We already knew that R(k) = 0 for $k \nmid (p-1)$.

So $\sum_{k \mid (p-1)} R(k) = p - 1$ as every number has an exponent.

## Size of R(k)

Any a ∈ Φ(p) of exponent k satisfies $x^k = 1 \bmod p$.

Hence there are at most k residues of exponent k, i.e., R(k) ≤ k, by Lemma 56 on p. 401.

Let s be a residue of exponent k.

$1, s, s^2, \ldots, s^{k-1}$ are all distinct modulo p.

Otherwise, $s^i = s^j \bmod p$ with i < j.

Then $s^{j-i} = 1 \bmod p$ with j − i < k, a contradiction.

As all these k distinct numbers satisfy $x^k = 1 \bmod p$, they are all the solutions of $x^k = 1 \bmod p$.

## Size of R(k) (continued)

But do all of them have exponent k (i.e., R(k) = k)?

And if not (i.e., R(k) < k), how many of them do?

Suppose ℓ < k and ℓ ∉ Φ(k) with gcd(ℓ, k) = d > 1.

Then

$(s^\ell)^{k/d} = (s^k)^{\ell/d} = 1 \bmod p$.

Therefore, $s^\ell$ has exponent at most k/d, which is less than k.

We conclude that

R(k) ≤ φ(k).

## Size of R(k) (concluded)

Because all p − 1 residues have an exponent,

$$p - 1 = \sum_{k \mid (p-1)} R(k) \le \sum_{k \mid (p-1)} \varphi(k) = p - 1$$

by Lemma 52 on p. 390.

Hence

$$R(k) = \begin{cases} \varphi(k) & \text{when } k \mid (p-1), \\ 0 & \text{otherwise.} \end{cases}$$

In particular, R(p − 1) = φ(p − 1) > 0, and p has at least one primitive root.

This proves one direction of Theorem 48 (p. 380).

## A Few Calculations

Let p = 13.

From p. 398, we know φ(p − 1) = 4.

Hence R(12) = 4.

And there are 4 primitive roots of p.

As Φ(p − 1) = {1, 5, 7, 11}, the primitive roots are $g^1, g^5, g^7, g^{11}$ for any primitive root g.

## The Other Direction of Theorem 48 (p. 380)

We must show p is a prime only if there is a number r (called primitive root) such that

1. $r^{p-1} = 1 \bmod p$, and

2. $r^{(p-1)/q} \ne 1 \bmod p$ for all prime divisors q of p − 1.

Suppose p is not a prime.

We proceed to show that no primitive roots exist.

Suppose $r^{p-1} = 1 \bmod p$ (note gcd(r, p) = 1).

We will show that the 2nd condition must be violated.

## The Proof (concluded)

$r^{\varphi(p)} = 1 \bmod p$ by the Fermat-Euler theorem (p. 398).

Because p is not a prime, φ(p) < p − 1.

Let k be the smallest integer such that $r^k = 1 \bmod p$.

Note that k | (p − 1) (p. 401).

As k ≤ φ(p), k < p − 1.

Let q be a prime divisor of (p − 1)/k > 1.

Then k | (p − 1)/q.

Therefore, by virtue of the definition of k, $r^{(p-1)/q} = 1 \bmod p$.

But this violates the 2nd condition.

## Function Problems

Decision problems are yes/no problems (sat, tsp (d), etc.).

Function problems require a solution (a satisfying truth assignment, a best tsp tour, etc.).

Optimization problems are clearly function problems.

What is the relation between function and decision problems?

Which one is harder?

## Function Problems Cannot Be Easier than Decision Problems

If we know how to generate a solution, we can solve the corresponding decision problem.

– If you can find a satisfying truth assignment efficiently, then sat is in P.

– If you can find the best tsp tour efficiently, then tsp (d) is in P.

But decision problems can be as hard as the corresponding function problems.


## fsat

fsat is this function problem:

Let φ(x1, x2, . . . , xn) be a boolean expression.

If φ is satisfiable, then return a satisfying truth assignment.

– Otherwise, return “no.”

We next show that if sat ∈ P, then fsat has a polynomial-time algorithm.


## An Algorithm for fsat Using sat

```
t := ε;
if φ ∈ sat then
    for i = 1, 2, . . . , n do
        if φ[x_i = true] ∈ sat then
            t := t ∪ {x_i = true};
            φ := φ[x_i = true];
        else
            t := t ∪ {x_i = false};
            φ := φ[x_i = false];
        end if
    end for
    return t;
else
    return “no”;
end if
```

## Analysis

There are ≤ n + 1 calls to the algorithm for sat.^a

Shorter boolean expressions than φ are used in each call to the algorithm for sat.

So if sat can be solved in polynomial time, so can fsat.

Hence sat and fsat are equally hard (or easy).

^a Contributed by Ms. Eva Ou (R93922132) on November 24, 2004.
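
As an added example (not code from the lecture notes), the self-reduction above run on a small constructed CNF formula, with an exhaustive decider standing in for the polynomial-time algorithm for sat (an assumption; none is known). Clauses are lists of non-zero integers, +i for x_i and −i for ¬x_i, and a counter records the ≤ n + 1 calls to sat.

```python
from itertools import product

def sat_oracle(phi, n, calls):
    # Decides sat by trying all 2^n assignments; stands in for a fast sat algorithm.
    calls[0] += 1
    for bits in product((False, True), repeat=n):
        if all(any((lit > 0) == bits[abs(lit) - 1] for lit in clause) for clause in phi):
            return True
    return False

def restrict(phi, i, value):
    # phi[x_i = value]: drop clauses made true, delete literals made false.
    satisfied = i if value else -i
    return [[lit for lit in clause if abs(lit) != i]
            for clause in phi if satisfied not in clause]

def fsat(phi, n):
    # The algorithm above; returns (assignment as {i: bool} or "no", number of sat calls).
    calls, t = [0], {}
    if not sat_oracle(phi, n, calls):
        return "no", calls[0]
    for i in range(1, n + 1):
        t[i] = sat_oracle(restrict(phi, i, True), n, calls)   # keep x_i = true if phi stays satisfiable
        phi = restrict(phi, i, t[i])
    return t, calls[0]

def satisfies(phi, t):
    return all(any((lit > 0) == t[abs(lit)] for lit in clause) for clause in phi)

# Constructed instance: (x1 or x2) and (not x1 or x3) and (not x2 or not x3).
PHI = [[1, 2], [-1, 3], [-2, -3]]
```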

## tsp and tsp (d) Revisited

We are given n cities 1, 2, . . . , n and integer distances $d_{ij} = d_{ji}$ between any two cities i and j.

The tsp asks for a tour with the shortest total distance (not just the shortest total distance, as earlier).

– The shortest total distance must be at most $2^{|x|}$, where x is the input.

tsp (d) asks if there is a tour with a total distance at most B.

We next show that if tsp (d) ∈ P, then tsp has a polynomial-time algorithm.

## An Algorithm for tsp Using tsp (d)

```
Perform a binary search over interval [0, 2^|x|] by calling tsp (d) to obtain the shortest distance, C;
for i, j = 1, 2, . . . , n do
    Call tsp (d) with B = C and d_ij = C + 1;
    if “no” then
        Restore d_ij to old value; {Edge [i, j] is critical.}
    end if
end for
return the tour with edges whose d_ij ≤ C;
```

## Analysis

An edge that is not on any optimal tour will be eliminated, with its $d_{ij}$ set to C + 1.

An edge which is not on all remaining optimal tours will also be eliminated.

So the algorithm ends with n edges which are not eliminated (why?).

There are $O(|x| + n^2)$ calls to the algorithm for tsp (d).

So if tsp (d) can be solved in polynomial time, so can tsp.

Hence tsp (d) and tsp are equally hard (or easy).
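
As an added example (not code from the lecture notes), the algorithm above on two constructed 4-city instances, with an exhaustive tsp (d) decider standing in for a polynomial-time one (an assumption). The second instance has three optimal tours of equal cost and shows why exactly n edges survive: an edge is eliminated as soon as some optimal tour avoids both it and every edge eliminated before it.

```python
from itertools import permutations

def tsp_d(dist, n, B, calls):
    # Decision problem tsp (d): is there a tour of total distance at most B?  (brute force)
    calls[0] += 1
    for perm in permutations(range(1, n)):
        tour = (0,) + perm + (0,)
        if sum(dist[min(a, b), max(a, b)] for a, b in zip(tour, tour[1:])) <= B:
            return True
    return False

def tsp(dist, n):
    # dist maps (i, j) with i < j to an integer distance (symmetric: d_ij = d_ji).
    dist, calls = dict(dist), [0]
    bits = sum(d.bit_length() for d in dist.values())      # |x|, the input length
    lo, hi = 0, 2 ** bits                                  # binary search over [0, 2^|x|]
    while lo < hi:
        mid = (lo + hi) // 2
        if tsp_d(dist, n, mid, calls):
            hi = mid
        else:
            lo = mid + 1
    C = lo                                                 # the shortest distance
    for edge in sorted(dist):                              # try to eliminate each edge
        old = dist[edge]
        dist[edge] = C + 1
        if not tsp_d(dist, n, C, calls):                   # "no": the edge is critical
            dist[edge] = old
    return C, sorted(e for e in dist if dist[e] <= C), calls[0]

# Constructed instances: a square with cheap sides and expensive diagonals (one optimal
# tour), and four cities with all distances equal (three optimal tours of cost 4).
SQUARE = {(0, 1): 1, (1, 2): 1, (2, 3): 1, (0, 3): 1, (0, 2): 5, (1, 3): 5}
UNIFORM = {(i, j): 1 for i in range(4) for j in range(i + 1, 4)}
```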

## Function Problems Are Not Harder than Decision Problems If P = NP

Theorem 57 Suppose that P = NP. Then, for every NP language L there exists a polynomial-time TM B that on input x ∈ L outputs a certificate for x.

We are looking for a certificate in the sense of Proposition 31 (p. 271).

That is, a certificate y for every x ∈ L such that (x, y) ∈ R,

where R is a polynomially decidable and polynomially balanced relation.


## The Proof (concluded)

Recall the algorithm for fsat on p. 412.

The reduction of Cook’s Theorem L to sat is a Levin reduction (p. 275).

So there is a polynomial-time computable function R such that x ∈ L iff R(x) ∈ sat.

In fact, more is true: R maps a satisfying assignment of R(x) into a certificate for x.

Therefore, we can use the algorithm for fsat to come up with an assignment for R(x) and then map it back into a certificate for x.
