Modern Primality Tests and the Agrawal-Kayal-Saxena Algorithm1 Jason Wojciechowski Hampshire College, Amherst, Massachusetts
[email protected] Committee: Ken Hoffman (Chair), David Kelly 25th April 2003
1
This paper is a Natural Science Division Three project submitted to complete the requirements for graduation in May, 2003.
Contents Abstract 1 Introduction 1.1 Motivation . . . . . . 1.2 Purpose of this paper 1.3 Outline . . . . . . . . 1.4 Acknowledgments . . .
1 . . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
2 2 4 4 5
2 Computational complexity 2.1 A motivational question . . 2.2 Huge numbers . . . . . . . . 2.3 Polynomial time . . . . . . 2.4 Integers as algorithm inputs 2.5 Huge number arithmetic . . 2.6 Randomized computation .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
6 6 6 7 7 8 10
3 Miller’s test 3.1 Overview . . . . . . . . . 3.2 The algorithm . . . . . . . 3.3 Definitions . . . . . . . . . 3.4 Main theorem . . . . . . . 3.5 Lemmas . . . . . . . . . . 3.6 Analysis of the algorithm
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
11 11 12 13 15 16 21
. . . . .
22 22 22 24 24 27
. . . .
. . . .
. . . . . .
4 Rabin’s modifications to Miller’s test 4.1 Overview . . . . . . . . . . . . . . . . 4.2 Definitions . . . . . . . . . . . . . . . . 4.3 Main theorem . . . . . . . . . . . . . . 4.4 Lemmas . . . . . . . . . . . . . . . . . 4.5 Proof of the main theorem . . . . . . . i
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
CONTENTS 4.6
ii
Analysis of the algorithm . . . . . . . . . . . . . . . . . . . .
5 Solovay-Strassen test 5.1 Overview . . . . . . . . . . . 5.2 Preliminaries . . . . . . . . . 5.3 Main theorem . . . . . . . . . 5.4 Lemmas . . . . . . . . . . . . 5.5 Analysis of the algorithm . . 5.6 Derandomizing the algorithm 6 Advanced primality tests 6.1 Adleman, Pomerance, and 6.2 Atkin’s ECPP . . . . . . . 6.3 Goldwasser and Kilian . . 6.4 Adleman and Huang . . . 7 The 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
Rumely’s algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AKS algorithm Foundation of the algorithm . . Truth for prime n . . . . . . . . Exiting the while loop . . . . . Lemmas for n composite . . . . Truth for composite n . . . . . Time analysis . . . . . . . . . . A little algebra . . . . . . . . . Some bounds involving primes
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
29
. . . . . .
31 31 32 33 33 35 35
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
37 37 38 38 39
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
41 41 42 43 46 49 50 51 53
8 AKS code
65
9 Conclusion
72
A The Riemann Hypothesis
74
B Ankeny’s Theorem
78
C Chinese Remainder Theorem
81
D Algorithms D.1 Computing the Jacobi symbol D.2 Power testing code . . . . . . D.3 Modular exponentiation . . . D.4 Euclidean Algorithm . . . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
83 83 89 90 90
CONTENTS D.5 Na¨ıve primality testing . . . . . . . . . . . . . . . . . . . . . . D.6 The largest prime factor of an integer . . . . . . . . . . . . . D.7 Multiplication of polynomials . . . . . . . . . . . . . . . . . .
iii 95 95 96
Abstract This paper is an introduction to modern primality testing techniques. We are concerned only with general algorithms, so we will not consider tests such as the Lucas-Lehmer test for Mersenne Primes. We strive for a balance of depth and breadth: detailed proofs of some of the algorithms will be presented, but complicated theorems that deserve their own lengthy treatments will be stated without proof. We will consider the tests of Miller; Rabin; Solovay and Strassen; Adleman, Pomerance, and Rumely; Atkin; Goldwasser and Kilian; and Adleman and Huang. The capstone of the paper is an exposition and proof of the new algorithm (a preprint of their paper appeared in August, 2002) of Agrawal, Kayal, and Saxena that shows primality testing to be in P.
1
Chapter 1
Introduction 1.1
Motivation
The problem of determining whether a general integer is prime or composite is an old one. With the relatively recent advent of public-key cryptography, which relies on huge prime numbers, the problem gained new importance for researchers. Accordingly, progress in creating ever better algorithms for determining primality has been made at explosive rates in the last 30 years. A head of sorts was reached in August, 2002, as Agrawal, Kayal, and Saxena [3] announced a surprisingly simple algorithm that determined whether an integer n was prime in time proportional to a polynomial in the logarithm of n (i.e. they made the discovery that primality testing is in the complexity class P). Algorithm 1 is pseudo-code of their groundbreaking discovery. Note how short the algorithm is, and how it makes use of nothing more complicated than polynomial multiplication in an ideal (in line 18). We will see later that, before this test was made available, primality testing was moving rapidly away from the elementary operations used in tests like this one or Miller’s algorithm and toward ideas in less accessible fields like algebraic geometry. Perhaps the most striking feature of the algorithm, however, is that it is essentially founded upon no new ideas: the theorems we will later prove to show that the algorithm works were all known to be true before Agrawal et al. made their test available. In other words, the authors put the puzzle together from its disparate pieces without having to cut any new pieces of their own. Finally, unlike the solutions to many long-standing problems, we will see that most of those theorems are accessible to a motivated undergraduate
2
CHAPTER 1. INTRODUCTION
Algorithm 1 Determine primality of n; Agrawal-Kayal-Saxena Require: n ≥ 2 1: if n = ab for some a, b ∈ Z, b > 1 then 2: return COMPOSITE 3: end if 4: r ← 2 5: while r < n do 6: if (n, r) 6= 1 then 7: return COMPOSITE 8: end if 9: if r is prime then 10: q ← the largest prime factor of (r − 1) √ 11: if q ≥ 4 r log n and n(r−1)/q 6≡ 1 (mod r) then 12: break 13: end if 14: end if 15: r ←r+1 16: end while √ 17: for a = 1 to 2 r log n do 18: if (x − a)n 6≡ xn − a (mod xr − 1, n) then 19: return COMPOSITE 20: end if 21: end for 22: return PRIME
3
CHAPTER 1. INTRODUCTION
4
with some number theory and algebra background, so that even students early in their mathematics careers can gain a very good grasp of how this algorithm works. We will not jump right in with too many gory details here, but we do wish to point out the main ideas we will have to prove later on. First note that the while loop essentially exists only to find an r with which we can seed the for loop. The main result that drives the algorithm, then, is that line 18’s condition being true really does imply that n is composite, and furthermore that if line 18’s condition is false for only as many a as are tested in the for loop, then n is prime. Hopefully, neither of those statements is immediately obvious; if they are, most of Chapter 7 can be skipped.
1.2
Purpose of this paper
This paper is designed to serve as a guide to the state of modern primality testing. We will try to give a sense of the progression of solutions to the problem since Miller [17] published his algorithm, usually regarded as the first modern primality test, in 1976. While we will follow the example set above and point out the key ideas in each algorithm, we will also prove as much as space and time allow. This means that proofs of the earlier tests will be more detailed than the treatments we give later tests such as Adleman and Huang’s [1], which is one of those tests that veers into the realm of such topics as algebraic geometry (as noted in [25]) and is the sole subject of a book which runs well over 100 pages. We can only hope to scratch the surface of such tests without being specialists, so, since this paper is not written for specialists, we will only briefly touch on these more complicated algorithms.
1.3
Outline
We will start with a with a discussion of basic computational complexity in Chapter 2, focusing on the method of determining the running time of an algorithm (in particular, a number theoretic algorithm) since it can be a slippery topic. Chapter 3 contains Miller’s test, Chapter 4 contains Rabin’s modification to Miller’s test, and Chapter 5 contains the Solovay-Strassen test. Those three tests are fairly elementary, so they are discussed and proved in detail. The next four tests are each discussed briefly in Chapter 6. Contained in that chapter are Adleman, Pomerance, and Rumely’s test,
CHAPTER 1. INTRODUCTION
5
Atkin’s ECPP (elliptic curve primality proving) method, Goldwasser and Kilian’s algorithm, and the just-mentioned Adleman-Huang method. Note that we move in chronological order, with the exception of discussing Rabin’s test before moving on to Solovay-Strassen. Hopefully, the reader will be able to gain some sense of the progression of work in this area since 1976. Finally, we will come back to the AKS algorithm in Chapter 7, where we will give the gory details withheld above. Morain [18], Bernstein [9], Radhakrishnan [23], Smid [27], and others have made papers available on the Internet providing explanation or clarification of the algorithm, and, in Bernstein’s case, improvement to the algorithm. Only Smid seems to have a similar goal as I do, namely that of explaining the algorithm in detail and proving the lemmas and theorems that lead to its proof. However, this paper acts as more of a companion piece to Agrawal et al. than Smid’s paper does.
1.4
Acknowledgments
I thank my advisors, Ken Hoffman and David Kelly, not only for hours of mathematical advice, but also for making sure math stayed relevant and, most importantly, fun; Austen Rachlis, for proofreading and encouragement; and most importantly, Leon and Mom, because, even if I don’t call as often as I should, I know they’ll be there when I do.
Chapter 2
Computational complexity 2.1
A motivational question
Being an old problem, the question of whether an integer is prime has many old solutions. For example, the Sieve of Eratosthenes, named for the Greek mathematician who died over 2000 years ago, is often cited as the first primality test. One might ask, though, why the problem of testing for primality is still so interesting. After all, with the fast computers available on many homes’ desktops, not to mention computing laboratories throughout the world, even rudimentary methods should provide answers quickly. We can answer that question two ways.
2.2
Huge numbers
First, such tests as trial division (as presented in Appendix D.5) will settle primality of relatively small numbers fairly quickly on modern machines, but they perform much too slowly on such “industry grade” numbers as RSA Security’s so-called challenge numbers. RSA Security provides large cash rewards for prime factorizations of these numbers, so testing primality of numbers approximately their size is a related problem. The smallest currently unfactored challenge number is 176 decimal digits long. Trying trial division on a number of this size is not feasible, since we would test numbers up to the square root of the input, a number of about 88 decimal digits. That is a lot of divisions, and thus would take a long time, even before considering that division of a 176-digit number by a 65-digit number is significantly harder computationally than division of, say, a 3-digit number by a 1-digit number. This statement may seem obvious, but we will nail 6
CHAPTER 2. COMPUTATIONAL COMPLEXITY
7
down more precisely how hard arithmetical operations are in Section 2.5.
2.3
Polynomial time
The second answer to our original question is a theoretically-fueled one. For an algorithm to be considered theoretically fast, we require that it run in a number of steps polynomial in the size of the input to the algorithm. In other words, if the input is of size n, we want the algorithm to always run in ak nk + ak−1 nk−1 + . . . + a1 n + a0 or fewer steps, where k and each of the ai are not dependent on the input n. Writing polynomials of this form can get cumbersome, so now is a good time to introduce O notation. We will formally define the expression O(f (n)) for a function f as in [20]. Definition 2.3.1. Let f and g be functions from N to N. Then f = O(g) means that there are positive integers c and n0 such that for all n ≥ n0 , we have f (n) ≤ cg(n). In other words, f = O(g) means that f grows at most as fast as g. Thus, our above polynomial ak nk + ak−1 nk−1 + . . . + a1 n + a0 = O(nk ). Note how the most basic information about the growth of the function is captured succinctly using this notation, but also note how much information is “lost.” Algorithms that are theoretically fast can sometimes be surprisingly slow when implemented because the O notation hides constants and lower-power terms that may be quite large. Thus we can revise our wording of what it means to be theoretically fast to say that, for an input of size n, the algorithm must run in a number of steps that is O(nk ) for some k independent of n.
2.4
Integers as algorithm inputs
Why doesn’t trial division satisfy us, then? For an input n, we perform up √ to n divisions which is O(n1/2 ) and certainly looks polynomial (we ignore the question of how hard each division step is for now). Recall, however, that we wish for our algorithm to compute an answer in time proportional
CHAPTER 2. COMPUTATIONAL COMPLEXITY
8
to a polynomial in the size of the input. Unfortunately n is not the size of n. As is standard, we will use the number of binary digits in the integer n to represent n. The reason we care about the binary digits is related both to how computers, even modern ones, function at a basic level and also to the idea of Turing machines underlying modern analysis of computation. Rather than give a full treatment of Turing machines and the foundations of the theory of computational complexity, we recommend that readers interested in the details turn to, for example, Papadimitriou’s book [20]. Papers dealing with algorithms, especially number theoretic algorithms, often represent the number of binary digits in n by log n. Unfortunately, confusion can be bred by multiple uses of the symbol “log” since the author may wish to also make use of the natural logarithm, or a logarithm to any other base. To avoid such confusion, we will adopt the sensible and suggestive notation of [8]: lg n will mean the length of the binary representation of n, ignoring the sign. In other words, lg n is essentially log2 |n|. Thus, an algorithm that runs in at most k 4 + 3k 2 + 17 steps, where k is the length of the input, will be said to run in O((lg n)4 ) steps.
2.5
Huge number arithmetic
It was briefly hinted at above that division of two large numbers is computationally harder than division of two small numbers. This is of course true of any arithmetic operation. Here we will discuss how long it takes to add (thus subtract), multiply, divide, and take powers of integers. We will not prove that algorithms to perform these operations in the given times exist. Readers interested in those details might turn to such a book as Crandall and Pomerance’s [13]. Note that above, our example algorithm ran in O((lg n)4 ) ‘steps,” but we never defined precisely what would be considered a step. If we do not set some sensible step size, we could reach absurd situations rather quickly. A simple example is letting any addition, subtraction, multiplication, or division of any size numbers be one step. Anybody who learned long division in elementary school knows, though, that dividing 4 by 2 is much easier than dividing 13517 by 253. There is no universally agreed-upon base for all algorithms, and for good reason. Different kinds of algorithms require different kinds of computation. The type of computation needed by, say, a shortest-path algorithm on a graph is different from that needed by a number theoretic algorithm.
CHAPTER 2. COMPUTATIONAL COMPLEXITY
9
Bach and Shallit [8, Section 3.2] give a reasonable solution to this problem. For essentially the same reasons that we use lg n as the length of an input n to an algorithm, we will consider one step in any algorithm in this paper to be a “bit operation.” At their most basic level, all our algorithms have variables that take only 0 or 1 (i.e., “false” or “true”) as values. These variables are acted upon by three logical operations: • Conjunction: a ∧ b (logical AND); • Disjunction: a ∨ b (logical OR); • Negation: ∼ a (logical NOT). Any time one of these operations is performed, we count it as a step. As we are already getting somewhat far afield, we will not prove the contents of Figure 2.1, which gives the number of bit operations required to perform the three basic arithmetic operations (addition is the same as subtraction), instead quoting it from [8, p. 43]. In all three operations, a and b are considered to be integers of size at most lg n. Figure 2.1: Cost of arithmetic operations Operation a+b a·b a = qb + r
Complexity O(lg n) O(lg n lg lg n lg lg lg n) O(lg n lg lg n lg lg lg n)
This last operation can be used to divide two integers, take the remainder modulo q of some integer a, or decide whether b divides a. It is difficult, however, to see true differences in how fast big numbers are added or multiplied compared to operations on small numbers when we use a modern computer. Using Pari-GP on a 450 MHz K6-II processor, multiplication of two numbers whose product has a base-10 logarithm of about 332 took less than a millisecond. Adding approximately another 100 decimal digits to the product had literally no discernible effect on the time, as the function that reports running time in Pari-GP, which measures time in milliseconds, still reported 0. This quickness at integer multiplication will only make the difficulties we run into when we attempt an implementation of the AKS algorithm more intriguing.
CHAPTER 2. COMPUTATIONAL COMPLEXITY
2.6
10
Randomized computation
Now that we know what it means for an algorithm to run quickly, we must tighten up our expectations of what a truly satisfying algorithm is. A few of the algorithms we discuss in this paper (Rabin’s, for example) make use of randomization. Algorithms that run in polynomial time on all inputs but that are not completely deterministic meet our requirement for speed, but are not completely acceptable because of the element of uncertainty. In the case of the algorithms in this paper, we are searching for a procedure that results in either “prime” or “composite.” Introducing randomization either adds the case “unknown” to the list of possible outputs or prepends the word “probably” to at least one of “prime” and “composite.” In the former case, “unknown” is returned with some probability 0 < ² < 1. If the algorithm is run n times, then the probability that we get “unknown” decreases to ²n < ² and this probability vanishes as n → ∞. In the latter case, suppose that the possible outputs are “composite” and “probably prime.” Then if “probably prime” is returned for some input k, there is some probability δ that k is actually composite. Again, if the algorithm is run n times and “probably prime” is returned each time, then the probability that k is composite is reduced to δ n and this, as before, vanishes as n → ∞. Both cases are unsatisfactory, however. We can not expect to run an algorithm infinitely many times to be sure that we will get a satisfactory output, so we will have to be satisfied with either the possibility that, in the former case (called a Las Vegas algorithm), we may never get an answer, or, in the latter case (called a Monte Carlo algorithm), we will never know for certain that the input is prime. In practice, since it is often far easier to create a randomized algorithm that runs quickly than a deterministic one, certain randomized algorithms can be implemented to great effect. Rabin’s modification of Miller’s test for primality, discussed in Section 4, is one example of this. Since being “pretty sure” of an answer is not satisfying theoretically, however, the search for a fast primality test continued even after Rabin’s paper was published.
Chapter 3
Miller’s test 3.1
Overview
In 1976, Miller published what is often regarded as the first modern primality test [17]. He shows that, contingent on the Extended Riemann Hypothesis (ERH, discussed in Appendix A), primality testing can be done in polynomial time. Miller bases his algorithm on Fermat’s Little Theorem, noting that, for some positive integer n, if we can find an integer a with 1 < a < n such that an−1 6≡ 1 (mod n), then we will know that n is composite. There are two major drawbacks to this approach: (a) Testing all possible a takes us out of the realm of polynomial-time computation. We would not have to literally test all a less than n, since half of them are just the negatives of the other half modulo n, but testing up to n/2 congruences is not satisfactory. (b) There are Carmichael numbers to worry about. Carmichael numbers are composite n such that for all a with (a, n) = 1, we have an−1 ≡ 1 (mod n). In other words, even if we could test all a for some n and they all point to n being prime, we are still not assured that n is prime. An example (the first example, as a matter of fact) of the latter is n = 561 = 3 · 11 · 17. An application like Mathematica or Pari-GP can check this very quickly, using a loop like in Algorithm 2. In the rest of this chapter, we will show how Miller overcomes these obstacles.
11
CHAPTER 3. MILLER’S TEST
12
Algorithm 2 Determine whether n is Carmichael (na¨ıve algorithm) 1: for i = 2 to n − 1 do 2: if (i, n) = 1 then 3: if in−1 6≡ 1 (mod n) then 4: return NOT CARMICHAEL 5: end if 6: end if 7: end for 8: return CARMICHAEL
3.2
The algorithm
Miller’s test is Algorithm 3. Algorithm 3 Determine primality of n; Miller Require: n odd, f (n) a computable function on N 1: if n = ab for a, b ∈ Z and b > 1 then 2: return COMPOSITE 3: end if 4: for a = 2 to f (n) do 5: if a | n then 6: return COMPOSITE 7: end if 8: if an−1 6≡ 1 (mod n) then 9: return COMPOSITE 10: end if k 11: if ((a(n−1)/2 − 1 (mod n)), n) 6= 1 or n for some k between 1 and the greatest power of 2 that divides n − 1 then 12: return COMPOSITE 13: end if 14: end for 15: return PRIME This is more properly described as a sketch of an algorithm. We will work out what the function f (n) (line 4) and the variable k (line 11) will be, as well as prove that, when n is composite, we will find a ≤ f (n) that is a witness to n’s primality.
CHAPTER 3. MILLER’S TEST
3.3
13
Definitions
We begin with two definitions of the Carmichael lambda function. The first is a more clear definition of what the lambda function does, while the second states the function in a form that is both more useful to us for the proof of the algorithm and also more easily computed. Miller gives only the second definition in his paper. Definition 3.3.1. The Carmichael lambda function λ(n) denotes the least positive exponent c such that ac ≡ 1 (mod n) for all a in Z∗n . Definition 3.3.2. For an integer n with prime factorization pv11 . . . pvmm , we have λ(n) = lcm(pv11 −1 (p1 − 1), . . . , pvmm −1 (pm − 1)). While we will not prove that these two are equivalent, a few examples may assuage fears that these two λ functions give different results. Consider a prime n, say 17. Then by the second definition, λ(17) = lcm(16) = 16. Since we know that the order of any integer modulo a prime n is n − 1, we have that λ(17) is also 16 by the first definition. Now, consider n = 32 · 52 · 13 = 2925. Then λ(n) = lcm(3 · 2, 5 · 4, 12) = lcm(6, 20, 12) = 60. Algorithm 4 will check that 60 is λ(2925) by the first definition. This algorithm ran in less than a second in Pari-GP on my machine. Algorithm 4 Decide whether λ(2925) = 180 1: flag ← NO 2: for i = 1 to 60 do 3: if flag = YES then 4: return λ(2925) = 1 5: end if 6: for j = 1 to 2925 do 7: if (j, 2925) = 1 then 8: if j i 6≡ 1 (mod n) then 9: next i 10: end if 11: end if 12: end for 13: flag ← YES 14: end for Miller also defines a similar function λ0 (n).
CHAPTER 3. MILLER’S TEST
14
Definition 3.3.3. With n as above, we have λ0 (n) = lcm(p1 − 1, . . . , pm − 1). We will use this function to split the composite numbers into two sets: those for which λ0 (n) divides n − 1 and those for which it does not. For the above two numbers, we see that λ0 (17) = 16 which clearly divides 17−1 = 16, while λ0 (2925) = lcm(2, 4, 12) = 12 but 2924 = 22 · 17 · 43, so 12 - 2924. Of the first 20000 integers (starting with 2), 2370 of them satisfy λ0 (n) | n − 1 and the remaining 17629 do not. That latter number represents about 88% of the n up to that point. Integers that satisfy the property, while less common than those which do not, seem to not be what we might call rare. Let us first define, as Miller does, the symbol #2 (m) to mean the number of 2’s in m. In other words, #2 (m) is the greatest k such that 2k | m. Consider an integer n with prime factors q1 , . . . , qm . Since λ0 (n) is the least common multiple of all the (qi − 1), the number of two’s in λ0 (n) must be equal to the number of two’s in one of the (qi − 1). In other words, #2 (λ0 (n) = #2 (qi − 1) for some i. Miller uses this to further split the set of n into two more classes. Definition 3.3.4. We call n Type A if #2 (λ0 (n)) > #2 (qi − 1) for some i, and we call n Type B if #2 (λ0 (n)) = #2 (q1 − 1) = · · · = #2 (qm − 1). Note that these categories really do split the n under discussion: all n are either Type A or Type B. Of the 2370 integers between 2 and 20000 for which λ0 (n) | n − 1, 576 of them are of Type A, approximately 24%. Adding 10000 integers to the sample results in the same approximate percentage, so there is evidence that Type B and A numbers exist in about a three-to-one relationship. Next, we define the index of an integer a modulo p. Definition 3.3.5. For a prime p, pick a generator b of the cyclic group Z∗p . The index of a modulo p, which we write indp a, is the least m such that bm ≡ a (mod p). Note that the index of an integer is dependent on the choice of generator. Our final definition is just convenient notation.
CHAPTER 3. MILLER’S TEST
15
Definition 3.3.6. Let q and p be primes such that q | p − 1. Then N (p, q) is the least qth non-residue modulo p. ³ ´ a When p 6= q, define N (pq) to be the least a such that pq 6= 1.
3.4
Main theorem
Though we will not prove it here, Miller claims that Ankeny’s Theorem (see Appendix B) implies that N (pq) = O((log pq)2 ). The proof of the main theorem below is essentially an outline, referring to lemmas we prove later in the chapter. Theorem 3.4.1. Algorithm 3 with f (n) = c log2 n for some positive constant c tests primality correctly. Proof. By Ankeny’s Theorem, we can find a c such that N (p, q) ≤ c log2 p and N (pq) ≤ c log2 pq. This motivates our choice of f (n) in the statement of the theorem. If n is prime, then clearly all three if tests will fail, so the algorithm will return prime. For the harder case, where n is composite, it will fall into one of three categories: (1) n is a power of a prime; (2) λ0 (n) - n − 1; (3) λ0 (n) | n − 1 and n is not a power of a prime. Case (1) will clearly be caught by the first if test of the algorithm. In case (2), Lemma 3.5.1 will show that some a will pass the second if test of the for loop. By our choice of f , that a must be less than f (n). Now in case (3), we break these numbers into their Type A and Type B categories, as before. Let n be of Type A and m = n − 1. Let k be ¶ µ m #2 +1 λ0 (n) so that k ≤ #2 (n − 1). Finally, let p be a prime dividing n, and let a be the least quadratic non-residue modulo p. Then by Lemma 3.5.5, we have a
λ0 (n) 2
≡a
(n−1) 2k
(mod p)
CHAPTER 3. MILLER’S TEST
16
so that by Lemma 3.5.3, we have that either a or a
(n−1) 2k
− 1 (mod n)
has a non-trivial GCD with n. In the former case, a must divide n, since if it did not, some b that divides both a and n would have been found earlier in the algorithm. Thus a will pass the first if test of the for loop, and the algorithm will return composite. In the latter case, a will pass the third if test of the for loop and the algorithm will return composite. Now, if n is Type B, since n is the not a power of a single prime, we have distinct prime divisors of n, say p and q, such that µ ¶ a = −1. pq If we have a = N (pq) and k as before (which now implies that k ≥ #2 (n−1)), then we have by Lemma 3.5.4 that either a divides n or a
(n−1) 2k
− 1 (mod n)
has a non-trivial GCD with n, so the same tests as before will result in a return value of composite. An appropriate a will be found in both Type A and B since Ankeny’s Theorem guarantees the existence of such an a less than or equal to our f (n).
3.5
Lemmas
Lemma 3.5.1. If λ0 (n) - (n − 1) then there exist primes p and q such that (1) p | n; (2) (p − 1) - (n − 1); (3) q m | (p − 1) for some positive integer m; (4) q m - (n − 1) for the same m; (5) if a is a qth non-residue modulo p, then an−1 6≡ 1 (mod n).
CHAPTER 3. MILLER’S TEST
17
We really only need to prove the first four items so that we can prove the fifth, which we used in the proof of Theorem 3.4.1. Proof. Let the distinct prime factors of n be q1 , . . . , qk . Then, since λ0 (n) (n − 1), we have that the least common multiple of (q1 − 1, . . . , qk − 1) does not divide (n − 1). Thus, there is some qi for which qi − 1 does not divide (n − 1). Letting p = qi gives us the p that satisfies (1) and (2). Since p − 1 - n − 1, there is some prime q raised to some power m which divides p − 1 but does not divide n − 1. This q and m satisfy (3) and (4). Now we show (5) by contradiction. Suppose that an−1 ≡ 1 (mod n). Since p | n, we also have that an−1 ≡ 1
(mod p).
(3.5.1)
Now let b be a generator of the group Zp . Then since bindp a ≡ a (mod p), by (3.5.1), we have that b(indp a)(n−1) ≡ 1
(mod p).
Since b generates Zp , its order is p − 1, so p − 1 | (indp a)(n − 1). Now we claim that since a is a qth non-residue modulo p, we have q indp a. Suppose q | indp a. Then indp a = ql for some l, so bql ≡ a (mod p). Thus (bl )q ≡ a (mod p) so a is a qth residue modulo p, a contradiction. Now since q m | p − 1, clearly q m | (indp a)(n − 1) and since q - indp a, we must have that q m divides (n − 1). Thus our assumption that (5) leads to a contradiction of (4), so the lemma is proved. This lemma and Ankeny’s Theorem (see Appendix B) allow us to prove the next lemma. Lemma 3.5.2. (ERH) If λ0 (n) - n − 1 then there exists a = O((log n)2 ) such that an−1 6≡ 1 (mod n).
CHAPTER 3. MILLER’S TEST
18
Proof. The generalized version of Ankeny’s Theorem gives the size of a, a qth non-residue modulo p. Condition (5) of Lemma 3.5.1 tells us that, since a is a qth non-residue modulo p, we know an−1 is not 1 modulo n. Our next two lemmas concern themselves with Type A and Type B numbers n, respectively. Lemma 3.5.3. Let n be composite of Type A, and let p and q prime both divide n, where #2 (λ0 (n)) = #2 (p − 1) > #2 (q − 1). ³ ´ Now, if we have an integer a strictly between 0 and n with either a or λ0 (n) a 2 − 1 (mod n)
a p
= −1, then
has non-trivial GCD with n. ³ ´ Note that ap is the Legendre symbol, defined in Definition A.4. Proof. Suppose that (a, n) = 1. This is the only trivial GCD we must consider because a < n. Since we have q − 1 | λ0 (n) and the number of two’s in q − 1 is less than that in λ0 (n), we must also have q−1|
λ0 (n) . 2
Since q is prime, this implies that 0
aλ (n)/2 ≡ 1
(mod q).
(3.5.2)
Since p − 1 | λ0 (n) and p is prime, we have, like above, that 0
aλ (n) ≡ 1 (mod p) so that (a Thus a
λ0 (n) 2
λ0 (n) 2
)2 ≡ 1 (mod p). ≡ ±1 (mod p).
Suppose the positive case is true. Then since, for a generator b, we have bindp a ≡ 1 (mod p),
CHAPTER 3. MILLER’S TEST we know that (bindp a )
19
λ0 (n) 2
≡1
(mod p).
Thus, since the order of b is p − 1, we have that p − 1 | (indp a)(λ0 (n)/2). Now, since the number of two’s in p − 1 is equal to that in indp a, we must have 2 | indp a. ³ ´ However, since
a p
= −1, we know that there is no b such that b2 ≡ a (mod p),
so the index of a must be odd. Thus our assumption that a
λ0 (n) 2
≡1
(mod p)
leads to a contradiction, so it must be −1. Thus p does not divide the 0 residue modulo n of aλ (n)/2 − 1, so 0
(n, aλ (n)/2 − 1 mod n) 6= n.
(3.5.3) 0
Now, (3.5.2) implies that q divides the residue modulo n of aλ (n)/2 − 1, so 0
(n, aλ (n)/2 − 1 mod n) 6= 1.
(3.5.4)
Thus the lemma is proved. Now we move to a similar lemma, but for Type B numbers this time. Lemma 3.5.4. Let n be composite of Type B, and let p and q³ be´distinct a prime divisors of n. Let a be an integer with 1 < a < n and pq = −1. Then either a or λ0 (n) a 2 − 1 (mod n) has a nontrivial GCD with n. Now, with the bottom half composite, in Definition A.5.
³ ´ a pq
is the Jacobi symbol, defined
³ ´ ³ ´ Proof. Without loss of generality, we assume that ap = 1 and aq = −1. Proceeding as in the proof of the previous lemma, we assume a has a trivial GCD with n, so (a, n) = 1. By precisely the same argument as above, we know that λ0 (n) a 2 ≡ −1 (mod p).
CHAPTER 3. MILLER’S TEST
20 0
Now we wish to show, as before, that aλ (n)/2 ≡ 1 (mod q). Also as before, (a so a
λ0 (n) 2
)2 ≡ 1 (mod q),
λ0 (n) 2
≡ ±1
(mod q).
This time we assume the negative case. Since a is a quadratic residue modulo q, we have some b such that b2 ≡ a (mod q). Thus we have (b2 )
λ0 (n) 2
0
≡ bλ (n) ≡ −1 (mod q).
But since q − 1 divides λ0 (n), we must have 0
bλ (n) ≡ 1 (mod q) for all b, so we have reached a contradiction and conclude that a
λ0 (n) 2
≡1
(mod q).
The conclusions of the previous two paragraphs are the same as in the last lemma, so we can come to the same final conclusion as before. Now we have reached our final lemma. Lemma 3.5.5. Let p be a prime factor of n and let λ0 (n) divide an integer m. Let ¶ µ m + 1. k = #2 λ0 (n) Then a
λ0 (n) 2
m
≡ a 2k
(mod p).
Proof. As usual, we know that since 0
aλ (n) ≡ 1 (mod p), we have a
λ0 (n) 2
≡ ±1 (mod p).
We first consider the positive case. Since λ0 (n) | m, the k in the conditions of the lemma is designed so that λ0 (n) m | k 2 2
CHAPTER 3. MILLER’S TEST so
21
m
a 2k ≡ 1 (mod p) so we are done with this case. Now we consider the negative case. We have λ0 (n)m
m
a 2k = a λ0 (n)2k =a
λ0 (n) · 0 m k−1 2 λ (n)2
= (a
λ0 (n) 2
m
) λ0 (n)2k−1 m
= (−1) λ0 (n)2k−1 . Now since 2k−1 is the number of twos in
m λ0 (n) ,
we have that
m λ0 (n)2k−1
is
k am/2
odd, so is −1 raised to an odd power, so it is −1 (mod p), and the lemma is proved.
3.6
Analysis of the algorithm
Theorem 3.6.1. Algorithm 3 with f (n) = c log2 n runs in polynomial time on all inputs. Proof. Since the for loop runs O((lg n)2 ) times, we only need to check that each of the if tests can be computed in polynomial time. The first test is implemented in polynomial time and discussed in Algorithm 9 in Appendix D.2. To decide whether a | n, dividing n by a suffices, and, referring back to Figure 2.1, we see that this can be done in O(lg n lg lg n lg lg lg n) steps. Computing an−1 (mod n) is done in time O(2 lg(n − 1)M (n)) where M (n) is the cost of multiplying two numbers of length lg n together. An algorithm and short discussion can be found in Appendix D.3. The final step requires a division in the exponent and an exponentiation, which we have already discussed. Then we must compute a greatest common divisor. Euclid’s classic algorithm suits our purposes here. Discussion of its polynomial running time can be found in Appendix D.4. Thus each step of the loop can be computed in polynomial time and the theorem is proved.
Chapter 4
Rabin’s modifications to Miller’s test 4.1
Overview
About four years after the appearance of Miller’s test, Rabin [22] published his probabilistic test based on the same foundations as Miller’s. Rabin’s test is guaranteed to work, since it does not depend on the ERH, as Miller’s does, but it does output the wrong answer sometimes. It identifies all prime numbers correctly, but incorrectly labels a composite as prime with probability less than 1/22k , where k is the number of randomly chosen integers employed by the algorithm. Rabin takes care to note that this should not be interpreted to mean that an integer identified as prime by the algorithm is prime with probability 1 − 1/22k , since an integer either is prime or it is not. The proper interpretation is that if the test is applied to 22k integers, there will be approximately 1 mistake made by the algorithm. Rabin’s algorithm is set out in Algorithm 5. The idea behind the algorithm is that if n is composite, at least one of the bi is likely to be a “witness to the compositeness of n.” In other words, it is very likely that there exists some bi in the set chosen at the beginning that satisfies either the if test on line 9 or that on line 13.
4.2
Definitions
Formally, Rabin defines an integer b as a witness to the compositeness of n when it, as the name implies, tells us that n is composite in the following 22
CHAPTER 4. RABIN’S MODIFICATIONS TO MILLER’S TEST
Algorithm 5 Determine primality of n; Rabin 1: Choose k integers 1 ≤ b1 , . . . , bk < n 2: t ← #2 (n − 1) 3: m ← n−1 t 4: for i = 1 to k do 5: b ← bm i (mod n) 6: for j = 1 to t do j 7: cj ← bm2 (mod n) 8: end for 9: if bn−1 6= 1 then 10: return COMPOSITE 11: else 12: for g = 1 to t do 13: if 1 < (cg − 1, n) < n then 14: return COMPOSITE 15: end if 16: end for 17: end if 18: end for 19: return PRIME
23
CHAPTER 4. RABIN’S MODIFICATIONS TO MILLER’S TEST
24
way. Definition 4.2.1. A positive integer b is said to be a witness to the compositeness of an integer n, written Wn (b), if b < n and it satisfies either 1. bn−1 6≡ 1 (mod n) or i
2. there exists i such that 2i | (n − 1) and b(n−1)/2 − 1 has a non-trivial GCD with n. We abuse the “mod” notation and define b (mod m) when m is a sequence to be the sequence hb (mod m1 ), . . . , b (mod mk )i.
4.3
Main theorem
The key theorem we need to prove for this test is that, if n is composite, witnesses are distributed in such a way that we would reasonably expect to find at least one in some set of randomly chosen integers. Theorem 4.3.1. If n > 4 is composite, then the number of witnesses b of . n’s compositeness is greater than or equal to 3(n−1) 4 We need to prove two lemmas to get to the proof of this theorem. The first lemma serves only to give us the second, which gives a bound on the number of integers b that do not satisfy Wn (b), which we will then translate into the bound given in the theorem above.
4.4
Lemmas
Lemma 4.4.1. Let mi | n for 1 ≤ i ≤ k and (mi , mj ) = 1 for all i 6= j. Finally let m be the sequence hm1 , . . . , mk i. Then for any sequence s = hs1 , . . . , sk i, where si ∈ Z∗mi , the number of elements in the set Z∗n ∩ {b | b ≡ s (mod m)} is the same. Proof. Let t be the product of all primes that divide n, except for the mi . The Chinese Remainder Theorem (see Appendix C) guarantees that we have an integer b such that b ≡ hs1 , . . . , sk , 1i (mod hm, ti). Since mi | n for all i
CHAPTER 4. RABIN’S MODIFICATIONS TO MILLER’S TEST
25
and t | n, we must have the product of the mi with t less than or equal to n, so b can be assumed to be between 1 and n. We claim that b ∈ Z∗n . Suppose this is false. Then we have some p that divides both n and b. This p must, since it divides n, also divide either t or one of the mi . In the latter case, since si = b − qi mi , we must have p|si , but (m1 , s1 ) = 1. Suppose, then, that p divides t. Since 1 = b − qt, we must have p | 1, but p is prime, so the claim is proved. Consider the map f that takes every b in Z∗n to its residue modulo m. Then f maps Z∗n into the direct product Z∗m1 × · · · × Z∗mk . For convenience, call this direct product G. Since any sequence in G has a corresponding b ∈ Z∗n , we know that f actually maps Z∗n onto G. Thus, for all s, the size of the set Zn ∩ {b | b ≡ s (mod m)} is not zero. Suppose for some s, then, the size of that set is v, and suppose one of those members is b1 . Since b1 is congruent modulo m to all of the other members of the set, we have that b1 + h is congruent to the other members plus h as well, so all of those elements plus h map to the same s under f . Thus for any s, there are v elements that map to it under f , so the lemma is proved. Our next lemma gives a bound on the number of integers that do not satisfy Wn (b). Lemma 4.4.2. Let p1 and p2 be different primes, and let qi = pki i (any time we use i in this lemma or its proof, we mean i = 1, 2, but we will not write it each time, for the sake of brevity and clarity). Assume q1 q2 | n. Also let φ(n) i) ∗ ti = (φ(qi ), n − 1) and mi = φ(q ti . Then at most m1 m2 of the integers b ∈ Zn do not satisfy Wn (b). φ(n) Also, if ti is even, then at most 2m of the b ∈ Z∗n do not satisfy 1 m2 Wn (b). Proof. Let ai be a primitive root modulo qi , and let b ∈ Z∗n . Then b and qi are relatively prime and b ≡ ari i (mod qi ) for some ri . If bn−1 ≡ 1
(mod n),
(4.4.1)
CHAPTER 4. RABIN’S MODIFICATIONS TO MILLER’S TEST then
r (n−1)
ai i
26
≡ 1 (mod n).
Since qi | n, this implies that r (n−1)
ai i
≡ 1 (mod qi )
so φ(qi ) | ri (n − 1). We can get rid of the n − 1 on the right side by dividing φ(qi ) by ti , leaving that mi | ri . Thus, there are ti of these ri between 1 and φ(qi ) that satisfy (4.4.1), so ti 1 = φ(qi ) mi of the ti satisfy the condition. [24] Thus, out of all pairs s1 , s2 that are residues of b modulo q1 and q2 , respectively, m11m2 of them satisfy (4.4.1). Now by Lemma 4.4.1, for each pair s1 , s2 , the number of b which give that pair as residues modulo q1 , q2 is the same, so, since there are φ(n) elements b such that (4.4.1) holds. The first elements in Z∗n , there are mφ(n) 1 m2 conclusion of the lemma is proved, then, since if (4.4.1) holds, then Wn (b) does not. For the second conclusion, we claim that when t1 is even, at least half of the instances of (4.4.1) holding also have the second condition of Definition 4.2.1 true. Since mi | ri , we have mi hi = ri . . Assume that t1 is even and that #2 (t1 ) = #2 (t2 ). We write d(j) = n−1 2j Let j be such that d(j) is an integer, ti - d(j), and t2i | d(j). If one of the hi is even, we have φ(qi ) |
hi φ(qi )d(j) ti
since two in ti and hi can be divided out, and ti /2 divides d(j), so we are left with an untouched φ(qi ) on the right side, so φ(qi ) certainly divides the right side. This implies that h mi d(j)
ai i
≡ 1 (mod q2 )
but since hi mi is just ri and ari i is b, we are left with bd(j) ≡ 1 (mod q2 ). This implies that q2 divides bd(j) − 1, so that, since q2 also divides n, we have that bd(j) − 1 has a non-trivial GCD with n, so Wn (b) is satisfied.
CHAPTER 4. RABIN’S MODIFICATIONS TO MILLER’S TEST
27
We have one of the hi even at least half the time, so at least half of the φ(n) b ∈ Z∗n satisfy Wn (b), so we have that at most 2m of the b do not satisfy 1 m2 the conditions. The other case we need to prove is when #2 (t1 ) > #2 (t2 ). We first choose j so that t2 | d(j) and t1 - d(j). Then we choose the least k such that t1 | d(j). The case of t2 , then, is the same here as the case of ti even above, 2k so we have that bd(j) ≡ 1 (mod q2 ). Now for bd(j) to also be 1 modulo q1 , we must again have φ(q1 ) | h1 m1 d(j), which requires that 2k | h1 . Thus at most 2kφ(n) of the b do m1 m2 k not satisfy Wn (b), but since t1 is even and 2 must divide t1 , we have k ≥ 1, φ(n) so it is certainly true that at most 2m do not satisfy Wn (b). 1 m2
4.5
Proof of the main theorem
Proof of Theorem 4.3.1. If b is between 1 and n and b and n are not relatively prime, then bn−1 6≡ 1 (mod n), so b is a witness. Thus if at least 3/4 of the integers relatively prime to n are witnesses, then we will certainly have that 3/4 of the integers from 1 to n − 1 are witnesses, which will suffice to prove the theorem. Suppose n is a prime power, say pk . Then φ(n) = pk−1 (p − 1). Also p - (n − 1), so (φ(pk ), n − 1) ≤ p − 1, thus φ(n) ≥ pk−1 . (φ(n), n − 1)
(4.5.1)
Call the left hand side of (4.5.1) m. Lemma 4.4.2 allows us to conclude from this that at most φ(n)/m of the b are not witnesses. A bound on m will give us the theorem for this case. Consider n > 9. If we wish to let k be anything greater than 1, we must have p ≥ 5. If we want to let p be anything greater than 1, we must have k ≥ 4. Note that (φ(pk ), n−1) must be either 1 or p−1. Thus m is at least φ(pk )/p−1 = pk−1 . Plugging in the bounds from above, we see that m must be at least 5 in the first case or 8 in the second. Thus, m is certainly at least 4, so at most φ(n)/4 of the b are not witnesses. Now consider n with at least two prime factors, say p1 and p2 . Let ki be the greatest integers such that qi = pki i | n. Also assume that φ(q1 ) - (n − 1). Then (φ(q1 ), n − 1) < φ(q1 ), so m1 =
φ(q1 ) ≥ 2. (φ(q1 ), n − 1)
CHAPTER 4. RABIN’S MODIFICATIONS TO MILLER’S TEST
28
If φ(q2 ) also does not divide n − 1, then m2 is also at least 2. Then by Lemma 4.4.2, at most φ(n)/4 of our b are not witnesses, as needed. Assume, then, that φ(q2 ) | n − 1. Also suppose that p2 is not 2. Then φ(q2 ) is even, so (φ(q2 ), n − 1) = φ(q2 ) is even, so, again by Lemma 4.4.2, at most φ(n)/2m1 m2 of the b are not witnesses. Now, since (φ(q2 ), n − 1) = φ(q2 ), we have m2 = 1. We already have m1 ≥ 2, so the bound becomes at least φ(n)/4, as required. Now suppose p2 = 2. Then at least all the even numbers less than n are not relatively prime to n, so φ(n) ≤ (n − 1)/2. Thus, once more by the lemma, and since m2 = 1, we have that at most φ(n) (n − 1) ≤ m1 4 of the b are not witnesses. Now let for r at least 2, and let
n = pk11 . . . pkr r φ(pki i ) | n − 1.
Then ki = 1. If we had some ki > 1, we would have pki i −1 (p − 1) | n − 1 so, since (piki −1 , p − 1) = 1, we must have both terms dividing n − 1, but pi - n − 1. We now show that r must actually be at least 3. Suppose n = p1 p2 . Then n − 1 = p1 p2 − 1 = p2 (p1 − 1) + (p2 − 1) ≡ p2 − 1 6≡ 0 (mod p1 − 1). Thus p − 1 - n − 1, but this contradicts φ(p) | n − 1, so we can not have just two prime factors. A number of this type satisfies bn−1 ≡ 1 (mod n) for all b in Z∗n , since φ(pi ) | n−1 implies that bn−1 ≡ 1 (mod pi ) and, since the pi are all relatively prime, bn−1 is equivalent to 1 modulo their product, which is n. We call a number of this type Carmichael. Let n be as before, and consider three prime factors of n, say p1 , p2 , and p3 . Suppose #2 (p1 − 1) = #2 (p2 − 1) = #2 (p3 − 1).
CHAPTER 4. RABIN’S MODIFICATIONS TO MILLER’S TEST
29
Let j be an integer such that for d(j) as before, we have (pi − 1) - d(j) and (pi − 1) | d(j). 2 Now we have a situation almost exactly like that in the proof of Lemma 4.4.2, though with three divisors of n now instead of two. This does not change the analysis, however, so we are left with the fact that, unless all the ri have the same parity, Wn (b) holds. Since there are eight possibilities for combinations of parities and the all-odds and all-evens represent two of them, we have that Wn (b) does not hold for at most 41 φ(n) of the b. The other cases are covered by #2 (p1 − 1) > #2 (p2 − 1) = #2 (p3 − 1) and #2 (p1 − 1) ≥ #2 (p2 − 1) > #2 (g3 − 1). These two cases are taken care of in the same way as the last case in the proof of Lemma 4.4.2. The idea remains the same: we find that either bd(j) ≡ 1 (mod pi ) for all i, so that Wn (b) does not hold, or that bd(j) 6≡ 1 (mod pi ) for all i, so that Wn (b) does not hold, or, finally, that at least one of the pi results in equivalence and at least one results in non-equivalence, so that Wn (b) does hold. We again find that at most 14 φ(n) of the b do not satisfy Wn (b). We first proved that the theorem holds for all prime powers. Then, for other composite n, we first proved that if pk || n and φ(pk ) - n − 1, then the theorem holds. Finally, we proved that if φ(pki i ) | n − 1 for all pki i || n, then the theorem holds. This covers all composite n, so we are done. Thus if we take a set of b1 , . . . , bk all less than n and none of them satisfy Wn (b), then we can say n is probably prime, with chance of error less than 1 . 4k
4.6
Analysis of the algorithm
Theorem 4.6.1. The algorithm runs in time polynomial in lg n, where n is the input. Proof. Since we might run the algorithm for all k of the bi chosen at the beginning, we must obviously have k of size polynomial in lg n, so we assume that is true.
CHAPTER 4. RABIN’S MODIFICATIONS TO MILLER’S TEST
30
The calculation of m in line 3 will take the longest when n − 1 is a power of 2. In that case, log2 (n − 1) = O(lg n) divisions will be necessary. Recall from Figure 2.1 that division of integers no bigger than lg n can be performed in time polynomial in lg n. For lines 5 and 7, a polynomial algorithm for modular exponentiation is discussed in Appendix D.3. For line 13, the Euclidean algorithm, which runs in polynomial time, is discussed in Appendix D.4. Since t is O(lg n), the for loops in lines 6 and 12 run a polynomial number of times. Thus each step runs in polynomial time and the loops run a polynomial number of times, so the theorem is proved.
Chapter 5
Solovay-Strassen test 5.1
Overview
In 1977, Solovay and Strassen [28] published a Monte Carlo algorithm (the first randomized algorithm, actually, since, though we discussed it in Chapter 4, Rabin’s test was not published until 1980) for testing primality which can be derandomized under the ERH. We will require a number of definitions and lemmas but most are very accessible. The most difficult lemma is Lemma 5.4.2, which we do not prove. All the later lemmas and theorems in the proof depend on this one, which itself depends on the ERH. Solovay and Strassen’s algorithm is Algorithm 6. Algorithm 6 Determine primality of n; Solovay-Strassen Require: n ≥ 3 and n odd 1: pick a randomly from (1, 2, 3, . . . , n − 1) 2: if (a, n) = 1 then ¡ ¢ 3: if na ≡ a(n−1)/2 (mod n) then 4: return PRIME 5: end if 6: else 7: return COMPOSITE 8: end if We shall see that the Solovay-Strassen algorithm is correct when it returns “composite,” and sometimes wrong when it returns “prime,” just as Rabin’s algorithm is. The fact that there is only one if test in this algorithm makes it easy to see what we must prove to show that it works: we will have to show that 31
CHAPTER 5. SOLOVAY-STRASSEN TEST
32
such an a chosen randomly has some small probability of returning “prime” when n is composite, so that we can choose different a until we either see that n is composite or make the probability of the algorithm being wrong so small that n is almost certainly prime.
5.2
Preliminaries
We give Euler’s Criterion, then define the set of “Euler liars” before we state and prove the main theorem for the randomized test. Lemma 5.2.1 (Euler’s Criterion). Let p be an odd prime and let a be an integer such that gcd(a, p) = 1. Then a is a quadratic residue mod p if a
(p−1) 2
≡ 1 (mod p)
and a is a nonresidue if a
(p−1) 2
≡ −1 (mod p).
Proof. Let x = a(p−1)/2 . Then x2 = ap−1 ≡ 1
(mod p)
by Fermat’s Little Theorem, so x = ±1. Suppose there exists b such that b2 ≡ a (mod p). Then we have x = a(p−1)/2 ≡ (b2 )(p−1)/2 = bp−1 ≡ 1
(mod p)
where we again apply Fermat’s Little Theorem at the end. Now suppose that a is a nonresidue mod p. Since there are at most roots of the congruence z
(p−1) 2
p−1 2
≡ 1 (mod p)
p−1 2
and there are quadratic residues modulo p (since p is an odd prime), the only roots of the equivalence are the quadratic residues mod p. Since a is not one of those, but a(p−1)/2 ≡ ±1 (mod p), a must be −1 (mod p). Definition 5.2.2. The group of Euler liars E(n) is defined ³a´ ≡ a(n−1)/2 (mod n)}, E(n) = {a ∈ Z∗n : n where Z∗n is the group of integers relatively prime to n, also known as the group of units of the field Zn . ¡ ¢ Recall that na is the Jacobi symbol, defined in Definition A.5. This group can be illustrated with the analogy “Euler liars are to Euler’s Criterion as Carmichael numbers are to Fermat’s Little Theorem.”
CHAPTER 5. SOLOVAY-STRASSEN TEST
5.3
33
Main theorem
Theorem 5.3.1. If n is prime, the Solovay Strassen test returns prime. If n is composite, it returns composite for at least 1/2 of the a in {1, 2, 3, . . . , n − 1}. Proof. If n is prime, the first if test will be passed regardless of the choice of a and the second if test will be passed by Euler’s Criterion, so “prime” will be returned. Otherwise, we have either n ∈ Z∗n or not. If n is not in the group, then it will fail the first if statement and “composite” will be returned. So suppose that n is in the group. We will see from Lemma 5.4.4 that E(n) 6= Z∗n , but E(n) is clearly a subgroup of Z∗n , so it is a proper subgroup, giving us |Z∗ | φ(n) (n − 1) n |E(n)| ≤ n = ≤ ≤ , 2 2 2 2 where the first inequality is true because the order of a subgroup must divide the order of the group. Thus the size of the group of Euler liars, which is the size of the set of false positives given by the algorithm, is less than half the size of the set of integers we choose our a from, as required.
5.4
Lemmas
Note that we only call upon one lemma in the proof of Theorem 5.3.1. Unfortunately, we must have three other preliminary lemmas before we can get to Lemma 5.4.4. For the first lemma, recall Definition 3.3.1 of the Carmichael lambda function. Lemma 5.4.1. A composite number n is Carmichael if and only if λ(n) | (n − 1). Proof. If n is Carmichael, then a(n−1) ≡ 1 (mod n) for any appropriate a. Any c such that ac ≡ 1 (mod n), then, must be a factor of (n − 1). Now suppose λ(n) | (n − 1). Since aλ(n) ≡ 1 (mod n) for all appropriate a, we have akλ(n) ≡ 1 (mod n) for all k. Since multiplication with one of those k results in (n − 1), we have an−1 ≡ 1 (mod n) for all a ∈ Z∗n , so a is Carmichael. We state without proof the following facts about λ(n). Proof can be found in [8].
CHAPTER 5. SOLOVAY-STRASSEN TEST
34
Lemma 5.4.2. The following are properties of λ(n): 1. λ(1) = 1, 2. λ(pe ) = pc−1 (p − 1) if p is an odd prime, 3. λ(2) = 1, λ(4) = 2, λ(2c ) = 2c−2 for c > 2, Q 4. if n is a product of prime powers pci i , then λ(n) = lcm(λ(pci i )). This allows us to prove the following fact. Lemma 5.4.3. If n is a Carmichael number, then it is square free. Proof. First we show that n must be odd. Suppose that n has an odd factor. Then λ(n) will have an even factor, due to the second and fourth parts of Lemma 5.4.2. If n has no odd factor, then part three of Lemma 5.4.2 shows that λ(n) has an even factor. Thus 2 | λ(n), so by Lemma 5.4.1, (n − 1) is even, so n is odd. To prove that n is square free, suppose for a contradiction that p2 | n, where p is a prime. Since n is odd, p is odd, so one of λ(n)’s factors is p(p − 1). Thus p | λ(n) and so by Lemma 5.4.1, p | (n − 1). Since p | n and p | (n − 1), we know that p | 1, so p = 1, but p is prime, so we have reached a contradiction. Lemma 5.4.4. Let n be an odd integer ≥ 3. Then n is prime if and only if E(n) = Z∗n . Proof. Assume E(n) = Z∗n , but n is composite. Then an−1 = (a(n−1)/2 )2 ≡
³ a ´2 n
≡ (±1)2 ≡ 1 (mod n),
where the second to last congruence is true because (a, n) = 1. Then n is Carmichael, so by Lemma 5.4.3, it is square free. We write n = pr, where p is prime and (r, p) = 1. Let g be a quadratic residue mod p and let a ≡ g (mod p) and a ≡ 1 (mod r). Then we have ³ a ´ µ a ¶ µa¶ ³a´ µg ¶ µ1¶ = = = n pr p r p r where the last equality is true because a quadratic residue can only be congruent to another quadratic residue, and similarly for nonresidues.
CHAPTER 5. SOLOVAY-STRASSEN TEST
35
We defined g to be a nonresidue modulo p and 1 is clearly a residue for any modulus, so we are left with µ ¶µ ¶ 1 g = (−1)(1) = −1. p r Since we assumed that
³a´ n
= a(n−1)/2 ,
we have a(n−1)/2 ≡ −1
(mod n)
so r | n implies that a(n−1)/2 ≡ −1 (mod r), but that contradicts a ≡ 1 (mod r) unless r = 2, but r cannot be 2, because n is odd.
5.5
Analysis of the algorithm
Theorem 5.5.1. The Solovay-Strassen algorithm runs in time polynomial in the input n. Proof. The polynomial-time Euclidean algorithm for computing the greatest common divisor is discussed in Appendix D.4. Proof that the Jacobi symbol and a(n−1)/2 (mod n) can be computed in polynomial time can be found in Appendix D.1. Finally, an explanation of a polynomial-time for taking powers modulo n is in Appendix D.3. Thus it is possible to perform each of the three computations in the algorithm in polynomial time, so the theorem is proved.
5.6
Derandomizing the algorithm
The Solovay Strassen test can be derandomized under the ERH to obtain a conditional deterministic algorithm like Miller’s. The derandomized test is Algorithm 7. First note that the only real difference between the deterministic and random versions is the use of a for loop to touch all a up to 2(log n)2 instead of randomly choosing an a. The proof must clearly rely, then, on the fact that testing only this many a is sufficient. Ankeny’s Theorem (see Appendix B) lets us prove the next theorem, after which we will be able to prove that this deterministic algorithm works and runs quickly.
CHAPTER 5. SOLOVAY-STRASSEN TEST
36
Algorithm 7 Determine primality of n; derandomized Solovay-Strassen Require: n ≥ 3 and n odd 1: for a = 2 to 2(log n)2 do 2: if gcd(a, n) 6= 1 then 3: return ¡ a ¢COMPOSITE 4: else if n 6≡ a(n−1)/2 (mod n) then 5: return COMPOSITE 6: end if 7: end for 8: return PRIME Theorem 5.6.1. Assume the ERH. If n is an odd composite integer, then there¡is ¢a positive integer a < n with a ≤ 2(log n)2 for which either gcd(a, n) 6= 1 or na 6= a(n−1)/2 (mod n). Proof. By Lemma 5.4.4, E(n) is a proper nontrivial subgroup of (Z(n))∗ when n is an odd composite integer. By Ankeny’s Theorem, there is an a = O((log n)2 ) in Zn − E(n), since the complement of Zn − E(n) is a nontrivial subgroup of Z∗n . If a 6∈ Z∗n , then gcd(a, n) 6= 1; if a ∈ Z∗n , then ¡a¢ (n−1)/2 (mod n), since a is not in E(n). n 6≡ a This very clearly shows that the deterministic Solovay-Strassen test returns prime if and only if n is prime. Since we only test at most 2(log n)2 values of a, the polynomial running time follows from the fact that the original algorithm ran in polynomial time, since this algorithm uses only the computations the original one did.
Chapter 6
Advanced primality tests 6.1
Adleman, Pomerance, and Rumely’s algorithm
Adleman, Pomerance, and Rumely published their deterministic, almost polynomial primality test (which we will refer to as APR) in 1983. [2] While the earlier tests in this paper sacrifice certainty in some form or another (for Miller, certainty that the test worked, since its proof depends on the ERH; for Rabin, certainty that the algorithm’s output is correct; and Solovay and Strassen, both, since they published both a probabilistic and deterministic version of their rest) to gain speed, APR has no dependency on an unproven theorem and, while the authors also include a “computerfriendly” probabilistic version of their algorithm, their main breakthrough is a faster-than-ever-before deterministic test. They did sacrifice speed to get that certainty, however, as the algorithm is, as mentioned, only “almost polynomial.” Specifically, it runs in O(lg nc lg lg lg n ), where the lack of polynomial-ness comes from the fact that the exponent depends on n. That exponent can be fairly small: for the 50-digit number 92124593025627458391094824937109472987431748298467 we have lg lg lg n a little less than 3. As always, though, we must beware that constant c, though it is guaranteed to be computable. The test is, as the other tests before it are, based at least partly on Fermat’s Little Theorem. We have seen this theorem’s weaknesses as a primality test, however, especially with regard to Carmichael numbers. Like Solovay and Strassen, then, APR employs the Jacobi symbol, which can be
37
CHAPTER 6. ADVANCED PRIMALITY TESTS
38
defined for n prime as µ ¶ b ≡ b(n−1)/2 n
(mod n).
Solovay and Strassen make use of the fact that, when n is composite, this equivalence fails at least half the time (see the proof of Theorem 5.3.1). APR makes use of this identity differently, instead using the test to obtain restrictions on possible divisors of the input n. ¡ Then, just as the ¢ above congruence defines the quadratic residue symbol nb , APR also uses congruences defining pth power residues in the cyclotomic fields Q(ζp ), where ζp is a pth root of unity. These congruences also provide restrictions on possible divisors of n. Essentially, then, the algorithm finds a reasonably small set of possible divisors and then tests them systematically. The authors note that other primality tests made use of number fields as they do. However, they also state that their use of pth power residues is new, as other tests had only employed quadratic residues.
6.2
Atkin’s ECPP
In [6], Atkin and Morain discuss Atkin’s Elliptic Curve Primality Proving test, which Atkin introduced at a conference in 1986, as well as Morain’s implementation of the algorithm. Atkin, as the acronym ECPP implies, employs elliptic curves to develop a test that, while it is not polynomial on the size of the input in the worst case, has a polynomial expected running time. Perhaps more importantly, the algorithm gives a certificate of the primality of an integer n which can be checked in far less time than the original algorithm takes. This allows us to check a number asserted prime by ECPP without having to run the algorithm over again, so that the effect of a possible hardware error during the running of the original algorithm is reduced.
6.3
Goldwasser and Kilian
Goldwasser and Kilian [16] in 1986 presented a probabilistic algorithm for testing primality also based on elliptic curves. This algorithm is different from the other probabilistic algorithms we have seen, in that, if the output is “prime” or “composite,” it is correct, but there is some fraction of the possible inputs for which the algorithm does not terminate in expected polynomial time.
CHAPTER 6. ADVANCED PRIMALITY TESTS
39
This algorithm, when it determines that a number is prime or composite, also gives a certificate for that assertion which can be verified in (deterministic) polynomial time. Specifically, the certificate for an input n is of size O((lg n)2 ) and can be verified in time O((lg n)4 ). Cram´er’s conjecture states, where pk is the kth prime, that lim sup n→∞
pn+! − pn = 1. (log pn )2
If this conjecture is true, then Goldwasser and Kilian’s algorithm always halts in expected polynomial time and returns either “prime” or “composite.”
6.4
Adleman and Huang
As we noted in the introduction, Adleman and Huang published their primality test (hereafter referred to as AHA (Adleman Huang Algorithm)) in a Lecture Notes in Mathematics volume that runs over 100 pages. Length aside, the proof relies on topics far outside the realm of this paper. We hope to not give this algorithm too short shrift, but we will err on the side of brevity and refer interested readers to the original document [1]. AHA is unique because it is a Las Vegas algorithm, as contrasted with the Rabin and Solovay-Strassen algorithms, which are of the Monte Carlo variety. Adleman and Huang provide a succinct, informal overview of their algorithm which we will try to pare down to a few points here while strongly urging readers to turn to the original work. The basis of the algorithm is reducing the proof of primality of some integer n to the proof of primality of some smaller integer m. Proving the primality of some n can always be reduced to proving the primality of n−1 2 and this reduction can be performed quickly. Unfortunately, reducing the proof that 13 is prime to a proof that 6 is prime gets us nowhere. The authors use the reduction techniques that Goldwasser and Kilian used in their algorithm (Section 6.3) as a springboard. Since that algorithm has the same problem as in the above paragraph (the reduction is only useful if m is itself prime), Adleman and Huang needed to adjust the method. Rather than basing their reductions on elliptic curves, they use “the Jacobians of curves of genus 2.” [1] Where m and n are as above, this method of reduction brings a “high probability” that m is prime. Specifically, that probability is 1/ logc p for some positive integer constant c.
CHAPTER 6. ADVANCED PRIMALITY TESTS
40
The downside of this method is that the “reduction” turns out to not be much of a reduction at all: m will always be larger than n. In fact, m will be about n2 . This problem is overcome by reusing the GoldwasserKilian method (or a more “generalized” Goldwasser-Kilian method given by Adleman and Huang). It turns out that after a sequence of reductions (of the new type) of an input n is performed, the resulting integer (which we assume to be prime without loss of generality) can be, with “high probability,” be proved prime by Goldwasser-Kilian (generalized or not) reductions.
Chapter 7
The AKS algorithm 7.1
Foundation of the algorithm
We noted in the introduction that the driving force behind the AKS algorithm is that passing the if test in the for loop really does imply that n is composite. The following lemma is the beginning of a proof that the end of the algorithm truly is correct. Lemma 7.1.1. Suppose (a, p) = 1. Then p is prime if and only if (x − a)p ≡ (xp − a) (mod p). All we must do, then, is compute the polynomials above for some a relatively prime to the input p. Unfortunately, we can not do this in polynomial time. What Agrawal et al. devised, then, is that the polynomial comparison would not only be considered modulo p, but also modulo a polynomial of the form xr −1. It is clear that this will not affect the truth of the lemma for p prime, but it could result in a composite pseudoprime, so the algorithm will actually compute the above polynomials for a number of different a. We must, of course, prove that the number of a used in the algorithm is sufficient to eliminate the possibility that n is a pseudoprime with respect to this test. Of course, our first task is really to prove this lemma, since the whole discussion is moot unless we can use polynomial comparisons to determine the primality of n. Proof of Lemma 7.1.1. For i strictly between 0 and p, the coefficient of the xi term in (x − a)p − (xp − a) 41
CHAPTER 7. THE AKS ALGORITHM is
42
µ ¶ p p−i (−1) a . i i
If p is prime, we have
¡p¢ i
≡ 0 (mod p), since p! p(p − 1)! = i!(p − i)! i!(p − i)!
and the p in the numerator will never be divided out, since the denominator contains no p’s and no terms that multiply together to be p, since it is prime. Thus we have all the coefficients of those xi terms equivalent to zero, so we’re left with xp − ap − xp + a = a − ap ≡ a − a ≡ 0 (mod p), where the last congruence is by Fermat’s Little Theorem. Now suppose p is composite and consider¡ a¢ prime factor of p, say q. Let k q exactly divide p. Then q k does not divide pq , since that would imply that q k+1 | p. Also, we have (q k , ap−q ) = 1: since (a, p) = 1, we have (a, q) = 1, so powers of a and q are relatively prime. Since the coefficient of xq in the polynomial above is µ ¶ q p (−1) ap−q q and a 6≡ 0 (mod p), the coefficient of xq is not 0 (mod p), so the polynomials are not equivalent.
7.2
Truth for prime n
It is quite easy to see that the algorithm is correct for prime n. If n is prime, then it is clearly not of the form ab for b > 1, so the first if test will fail. Then, we know that (r, n) = 1 for all r < n, so we can not get “composite” out of the while loop. Now we just need one algebraic fact to show that the for loop can not return “composite.” Lemma 7.2.1. Let f (x) be a polynomial with integer coefficients and let p be prime. Then f (x)p ≡ f (xp ) (mod p). Proof. We will prove this by induction on the number of terms in the polynomial f (x). In the expression (a1 + a2 )p , all but the ap1 and ap2 terms are divisible by p, so we have (a1 + a2 )p ≡ ap1 + ap2
(mod p).
(7.2.1)
CHAPTER 7. THE AKS ALGORITHM
43
Suppose (a1 + a2 + . . . + an )p ≡ ap1 + ap2 + . . . apn (mod p). Then (a1 + a2 + . . . + an + an+1 ) = ((a1 + a2 + . . . + an ) + an+1 ) so by equation (7.2.1), we have (a1 + a2 + . . . + an + an+1 )p ≡ (a1 + a2 + . . . + an )p + apn+1 ≡ ap1 + ap2 + . . . + apn + apn+1
(mod p).
This lemma implies that when n is prime, (x−a)n ≡ (xn −a) (mod n), so the two polynomials are certainly equivalent modulo some other polynomial, so we are done with the case where n is prime. The case where n is composite is not nearly so easy, unfortunately. We must state a acquire a number of lemmas before we can prove that the algorithm works for all n.
7.3
Exiting the while loop
We must show that the while loop exits with a suitable r for use in the for loop. This result will depend on a few bounds involving primes that will be stated (and in one case, proved) at the end of this chapter. Lemma 7.3.1. There exist positive constants c1 and c2 for which there is a prime r in the interval £ ¤ c1 (log n)6 , c2 (log n)6 (7.3.1) √ such that r − 1 has a prime factor q ≥ 4 r log n and q divides the order of r mod n. Proof. Let c be a positive constant and P (n) be the greatest prime divisor of n. We will calls primes r such that P (r − 1) > (c2 (log n)6 )2/3 > r2/3 “special primes.” The number of special primes in the above interval is greater than or equal to the number of special primes between 1 and the upper limit of (7.3.1) minus the number of primes between 1 and the lower limit of (7.3.1). In other words, if π(n) is the number of primes less than or equal to n and π 0 (n) is the number of special primes less than or equal to n, the number of special primes in the interval is π 0 (c2 (log n)6 ) − π(c1 (log n)6 ).
CHAPTER 7. THE AKS ALGORITHM
44
Now by Lemma 7.8.1, c2 (log n)6 log(c2 (log n)6 ) cc2 (log n)6 = , log c2 + 6 log log n
π 0 (c2 (log n)6 ) ≥ c
(7.3.2)
and by Lemma 7.8.2, 8c1 (log n)6 log(c1 (log n)6 ) 8c1 (log n)6 . = log c1 + 6 log log n
π(c1 (log n)6 ) ≥
(7.3.3)
For big enough n, we have log log n ≥ log c2 , so 7 log log n ≥ log c2 + 6 log log n, so the fraction (7.3.2) is ≥
cc2 (log n)6 . 7 log log n
≤
8c1 (log n)6 6 log log n
Now, (7.3.3) is
so the difference of (7.3.2) and (7.3.3) is cc2 (log n)6 8c1 (log n)6 − 7 log log n 6 log log n µ ¶ (log n)6 cc2 8c1 = − . log log n 7 6
≥
Now choose c1 ≥ 46 and c2 so that the quantity in parentheses above is positive, and call that quantity c3 . Let y = c2 (log n)6 . Consider the product N=
1/3 yY
(ni − 1).
i=1
Since an integer m can have at most log m prime factors, the j th term of N has at most log(nj ) = j log n prime factors. Since the largest j is y 1/3 , we
CHAPTER 7. THE AKS ALGORITHM
45
have j log n ≤ y 1/3 log n for all j in the product. Thus the number of prime factors of N is at most (y 1/3 log n)(y 1/3 ) = y 2/3 log n. Note, however that y 2/3 log n = (c2 (log n)6 )2/3 log n 2/3
= c2 (log n)5 <
c3 (log n)6 . log log n
Thus, since there are more special primes in the interval than there are prime factors in N , there is some special prime (say r) that does not divide N . This is the r that we are searching for. First, it has the required large prime factor. Because c1 > 46 , we have r ≥ 46 (log n)6 ⇒r1/6 ≥ 4 log n ⇒r2/3 r−1/2 ≥ 4 log n ⇒r2/3 ≥ 4r1/2 log n √ ⇒r2/3 ≥ 4 r log n, so that, since P (r − 1) > (c2 (log n)6 )2/3 > r2/3 because r is a special prime, √ P (r − 1) > 4 r log n as required. Now let P (r − 1) = q and suppose that q divides the order of n mod r. Then n(r−1)/q ≡ 1 mod r so r | n(r−1)/q − 1. Now examine
r−1 q .
Since r − 1 < c2 (log n)6
and q > (c2 (log n)6 )2/3 ,
CHAPTER 7. THE AKS ALGORITHM
46
we have r−1 c2 (log n)6 < q (c2 (log n)6 )2/3 = (c2 (log n)6 )1/3 = y 1/3 . Thus we have r | nj − 1 for some j < x1/3 , but nj − 1 is a term of the product N , so since r - N , we have reached a contradiction, and the lemma is proved.
7.4
Lemmas for n composite
Now that we know the while loop does its job, we will really Q need to use the fact that n is composite. Let n have prime factorization pji i . For r as in the algorithm, we first prove that the order of n modulo r, written ordr (n), divides the least common multiple of the orders modulo r of the prime factors pi . Since any piji raised to the order of pi is 1 (mod r), we also have pji i raised to the product of the orders of the set of pi ’s equivalent to 1 (mod r), and thus pji i raised to the least common multiple of that product is 1 (mod r). Thus the product of the pji i ’s raised to the least common multiple of the product of the orders is also 1 (mod r), so n raised to the least common multiple of the product of the orders is 1 (mod r), so the order of n divides that least common multiple. Now since, by Lemma 7.3.1, we have q | ordr (n), we know that q divides the least common multiple of the orders of the prime factors of n, so that, since q is prime, we have that q divides one of the prime factors, say p. This will be the p we refer to for the remainder of this proof. √ To keep the notation from getting unwieldy, we will also let l = 2 r log n. Note that l is the maximum number of times the second loop of the algorithm will run. Since a ≡ b (mod cd) implies a ≡ b (mod c), if h(x) is a factor of xr − 1, we have that (x − a)n ≡ (xn − a) (mod xr − 1, n) ⇒ (x − a)n ≡ (xn − a) (mod h(x), p). In other words, the congruence holds in Fp [x]/(h(x)).
CHAPTER 7. THE AKS ALGORITHM
47
Lemma 7.4.1. In Fp [x]/h(x), the group G generated by the binomials {(x − a) | 1 ≤ a ≤ l} is cyclic and of size greater than (d/l)l . Proof. First, note that ( G=
l Y
) αa
(x − a)
| αa ≥ 0 .
a=1
G is a group: it is clearly closed, the identity is the element with αa = 0 for all a, and, since each element g has an order, the inverse of g is just g raised to one less than the order. To show the size part of the lemma, we consider the set S: ( l ) l Y X S= (x − a)αa | αa ≤ d − 1 . a=1
a=1
First, we will show that all the elements of S are distinct in Fp [x]/h(x). √ The while loop in the algorithm gives r > q > 4 r log n > l. If any a in the binomials was congruent to any other a modulo p, we would have p < l < r < n, so n must be composite, so there are no two such a. Since the degree of every term in the products is less than (d − 1), we cannot reduce those terms modulo h(x). ¡ ¢ We now claim that the cardinality of S is l+d−1 . We should be able, l then, to find a way of expressing each element of S as a unique subset of size l of a set of size (l + d − 1). Consider the set M = {a1 , a2 , . . . al+d−1 }. Given the sequence of exponents of some element of S, say {α1 , α2 , . . . αl }, we will construct a subset of M . The first element of the subset is aα1 +1 . The next element is aα1 +α2 +2 . The third element is aα1 +α2 +α3 +3 , and so on. We will never attempt to choose an element of M from beyond the end of the list since the αk sum to at most (d − 1) and the integer term will be at most l, so the last element of M chosen will be, ”at most,” ad−1+l . It is clear that each of these subsets is unique given unique exponent sequences. Now µ ¶l µ ¶ d l+d−1 (l + d − 1)(l + d − 2) · · · (d) > . = l! l l The inequality is true because ll is clearly greater than l! while the product in the numerator of the left side contains a dl term multiplied by other positive terms, so it is greater than the numerator of the right side.
CHAPTER 7. THE AKS ALGORITHM
48
Since S is a subset of G, the size of G is greater than or equal to the size of S, so we are done. Since d is the order of p modulo r and q divides the order of p, we have √ d ≥ q ≥ 4 r log n = 2l. The size of G, then, is greater than µ ¶l 2l = 2l . l Now let g(x) be√ a generator of G. Then the order of g(x) in Fp [x]/h(x) is greater than n2 r . Next we define the set Ig(x) : Ig(x) = {m | g(x)m ≡ g(xm ) (mod xr − 1, p)} . Our next lemma gives us closure in Ig(x) . Lemma 7.4.2. Ig(x) is closed under multiplication. Proof. Let m1 , m2 be in Ig(x) . Then g(x)m1 ≡ g(xm1 )
(mod xr − 1, p)
g(x)m2 ≡ g(xm2 ) (mod xr − 1, p).
(7.4.1)
Now substitute xm1 for x in (7.4.1) to get g(xm1 )m2 ≡ g(xm1 m2 )
(mod xm1 r − 1, p).
Note that k | l if and only if l/k X (x − 1) = (x − 1) (xl−ik ), l
k
i=1
so we have
xr
−1|
xm1 r
− 1. Then (7.4.2) implies
g(xm1 )m2 ≡ g(xm1 m2 )
(mod xr − 1, p).
Thus g(x)m1 m2 ≡ (g(x)m1 )m2 ≡ g(xm1 )m2
(mod xr − 1, p) (mod xr − 1, p)
≡ g(xm1 m2 ) (mod xr − 1, p) which implies that m1 m2 is in the set Ig(x) .
(7.4.2)
CHAPTER 7. THE AKS ALGORITHM
49
Now we get one more property of Ig(x) . Lemma 7.4.3. Let the order of g(x) in Fp [x]/h(x) be bg and let m1 , m2 be in Ig(x) . Then if m1 ≡ m2 (mod r), we have m1 ≡ m2 (mod bg ). Proof. We start by noting that m1 = m2 +kr for some non-negative k. Now, g(x)m2 ≡ g(xm2 )
(mod xr−1 , p)
⇒ g(x)m2 ≡ g(xm2 ) in Fp [x]/h(x) ⇒ g(x)m1 +kr ≡ g(xm1 +kr ) in Fp [x]/h(x) ⇒ g(x)m1 g(x)kr ≡ g(xm1 +kr ) in Fp [x]/h(x) ⇒ g(x)m1 g(x)kr ≡ g(xm1 ) in Fp [x]/h(x) m1
⇒ g(x)
kr
g(x)
m1
≡ g(x)
(7.4.3)
in Fp [x]/h(x)
where (7.4.3) is true by Lemma 7.7.2. Since g(x) 6≡ 0, we know that g(x)m1 6≡ 0, so we can divide by it to get g(x)kr ≡ 1 in Fp [x]/h(x) ⇒ bg | kr ⇒ kr ≡ 0 (mod bg ) ⇒ m1 ≡ m2 + 0 ≡ m2
7.5
(mod bg ).
Truth for composite n
Theorem 7.5.1. If n is composite, the algorithm will return composite. Proof. Suppose the algorithm returns prime instead. Then we know that √ for all a between 1 and 2 r log n, we have (x − a)n ≡ (xn − a) (mod xr − 1, p).
(7.5.1)
Since g(x) generates the group G, it is of the form l Y
(x − a)αa
a=1
where each of the a satisfy (7.5.1), so that g(x)n ≡ g(xn ) (mod xr − 1, p). Thus n is in Ig(x) . Now by Lemma 7.2.1, p is also in Ig(x) .
CHAPTER 7. THE AKS ALGORITHM
50
Now consider the set E: © √ ª E = ni pj | 0 ≤ i, j ≤ b rc . Since Ig(x) is closed and n, p ∈ Ig(x) , we have E ⊆ Ig(x) . √ √ √ √ √ The size of E is (b rc+1)2 . Since r−b rc < 1, we have r < b rc+1, √ so (b rc + 1)2 > r. Thus by the pigeonhole principle, we must have two elements in E, say ni1 pj1 and ni2 pj2 where the exponents are not equal and ni1 pj1 ≡ ni2 pj2
(mod r).
Then by Lemma 7.4.3, we know that ni1 pj1 ≡ ni2 pj2 i1 −i2
⇒n
≡p
j2 −j1
(mod bg ) (mod bg ).
(7.5.2)
√ √ √ Since bg ≥ n2 r and n|i1 −i2 | , p|j1 −j2 | < n r (since i1 , i2 , j1 , j2 < b rc, the √ distance between them is less than r, and p < n). Thus (7.5.2) implies ni1 −i2 = pj2 −j1 . Since n is composite and p is prime, this implies that n = pk for some positive k, but this possibility was eliminated in the first step of the algorithm, so we have reached a contradiction, and the algorithm must return composite.
7.6
Time analysis
Now we prove that the AKS algorithm actually shows that the problem of primality testing is in P. Theorem 7.6.1. The AKS algorithm runs in time polynomial in lg n. Proof. As before, if we show that each of the if tests runs in polynomial time and that the loops execute a number of times proportional to a polynomial in lg n, we will have the theorem. The first line of the algorithm is discussed in Appendix D.2. Next we move to the while loop. Lemma 7.3.1 guarantees that an appropriate r < c2 (log n)6 = O((lg n)6 ) will be found, so the while loop runs a polynomial number of times. Euclid’s algorithm for computing the greatest common divisor, as in line 6, is discussed in Appendix D.4. The next step requires us to figure out whether the integer r is prime or not. We could conceivably make the AKS algorithm recursive, but that is
CHAPTER 7. THE AKS ALGORITHM
51
probably more trouble than it is worth, since r is small enough that a nonpolynomial time algorithm will not throw off the running time of AKS. Thus, √ we have an algorithm that runs in O( r lg r lg lg r lg lg lg r) in Appendix D.5. When r is prime, we must find the least prime factor of r − 1, so we use essentially the same algorithm as we used to find r prime to find this prime factor. This algorithm is discussed in Appendix D.6. For the first half of the next if test, we will have pre-computed 4 log n, so we will be multiplying two numbers each of size O((lg n)3 ) (since r = O((lg n)6 ), we have r1/2 = O((lg n)3 )), so we can multiply them in O((lg n)3 lg(lg n)3 lg lg(lg n)3 ). Modular exponentiation is discussed in Appendix D.3. Thus, after the power test and the while loop have run, we are still within our polynomial time bound. √ Now we examine the final loop. Clearly, it runs 2 r log n times, which is O((lg n)4 ). Multiplication of polynomials is discussed in Appendix D.7. Fast Fourier Transforms can be used to speed up polynomial multiplication, but they can also be difficult to implement, so, since our implementation uses the programming language’s built-in polynomial multiplication, we will assume it uses the standard “pencil-and-paper” method discussed in that appendix. Since repeated squaring works just as well for polynomials as it does for integers, Appendix D.3 tells us that we need 2 lg n squarings or multiplications to compute (x − a)n . Since the polynomials we multiply are of degree less than r, we have by Appendix D.7 that 2 lg n polynomial multiplications will take O(r2 lg n lg r lg lg r lg lg lg r). Since r = O((lg n)6 ), we have the multiplications take O((lg n)12 lg n lg(lg n)6 lg lg(lg n)6 lg lg lg(lg n)6 ). Thus, every step of the algorithm can be computed in polynomial time, so the theorem is proved. Thus we see the settling of a problem open for literally millennia, and all in the space of about 11 pages. This is truly a remarkable piece of work, and clearly the culmination of years of effort by mathematicians around the world. The reader may elect to applaud now or hold it until after the last few details are worked out in the remaining pages of this chapter.
7.7
A little algebra
In the preceding pages, we have (sometimes implicitly) used a few algebraic facts that we will now prove. All of the following lemmas can be found in
CHAPTER 7. THE AKS ALGORITHM
52
texts such as [15]. In each lemma, let p and r be prime integers, p 6= r. Lemma 7.7.1. The multiplicative group of any field Fpt for t > 0, denoted Fp∗t , is cyclic. Proof. Fp∗t is isomorphic to Zd1 × Zd2 × . . . × Zdr where the di are prime powers. Let m be the least common multiple of the di . Then m ≤ d1 d2 · · · dr . Now, if ai ∈ Zdi , then adi i = 1, so am i = 1 in that group. Thus every element of Fp∗t is a zero of xm − 1. However, xm − 1 can have at most m unique zeros, so, since there are d1 d2 · · · dr elements in Fp∗t , we have m ≥ d1 d2 · · · dr . Thus, m = d1 d2 · · · dr , so the di are all distinct, so Fp∗t is isomorphic to Zm , which is cyclic. Lemma 7.7.2. Let h(x) be any factor of xr − 1 and let m = mr (mod r). Then xm ≡ xmr (mod h(x)). Proof. Let m = kr + mr . Then xr ≡ 1
(mod xr − 1)
⇒ xkr ≡ 1 (mod xr − 1) ⇒ xkr+mr ≡ xmr ⇒ xm ≡ xmr
(mod xr − 1) (mod h(x))
since a ≡ b (mod d) implies a ≡ b (mod c), where c | d. Lemma 7.7.3. Let ordr (p) be the order of p modulo r. Then in Fp , xr − 1 x−1 factorizes into irreducible polynomials, each of degree ordr (p). r
−1 . Suppose Qr (x) has an irreducible Proof. Let d = ordr (p) and Qr (x) = xx−1 factor h(x) in Fp of degree k. Note that Fp [x]/(h(x)) is a field of size pk . The multiplicative group of this field is cyclic: call the generator of the group d g(x). In the field, then, g(x)p ≡ g(xp ) by Lemma 7.2.1. Thus g(x)p ≡ d d d d g(xp ). Now xp ≡ x, so g(x)p ≡ g(x), which implies that g(x)p −1 ≡ 1. Since g(x) is a generator of a group of size pk , its order is pk − 1. Thus pk − 1 | pd − 1.
CHAPTER 7. THE AKS ALGORITHM
53
Now we want to show that k | d. Since pk ≡ pd ≡ 1 (mod pd − 1), the order of p modulo pd − 1 divides both d and k. Since k ≤ d, this implies that k | d. Now since h(x) divides (xr − 1), we know that xr ≡ 1 in Fp [x]/(h(x)). Since r is prime, the order of x in this field must be r. Thus r divides pk − 1, so pk ≡ 1 (mod r). Since the order of p modulo r is d, we have that d divides k. Thus, d = k, so the degree of the irreducible factor h(x) is indeed the order of p modulo r.
7.8
Some bounds involving primes
We will not prove the following lemma, due to Fouvry [14], as it is beyond the scope of this paper. Lemma 7.8.1. There exist constants c > 0 and n0 such that for all x ≥ n0 , the size of the set of primes p less than x with largest prime factor greater x than p2/3 is greater than or equal to c logx . The next few pages will be devoted to the proof of the following lemma, which gives bounds on π(n). Lemma 7.8.2. [5] For n ≥ 2, we have 6n n < π(n) < 6 log n log n This lemma will require a number of definitions and lemmas, so we will first define all the terms we need, then move on to proving facts. Definition 7.8.3. An arithmetical function is a real- or complex-valued function defined on the positive integers. Those familiar with arithmetical functions will realize that this definition does not include the usually-useful multiplicative property of these functions, but this is intentional: we will not need other properties than those needed by the convolutions defined below. Definition 7.8.4. Given f and g, two arithmetical functions, their Dirichlet convolution or Dirichlet product, denoted f ∗ g, is defined ³n´ X (f ∗ g)(n) = f (d)g . d d|n
CHAPTER 7. THE AKS ALGORITHM
54
Next, we define the generalized convolution. Definition 7.8.5. For an arithmetical function α and a real- or complexvalued function F defined on the positive real axis and equal to 0 when 0 < x < 1, the generalized convolution of α and F , denoted α ◦ F , is defined ³x´ X (α ◦ F )(x) = α(n)F . n n≤x
Convolutions are of much greater use than we put them to in this proof. Here, we consider them only as manipulations of arithmetical functions. Definition 7.8.6. For all n ≥ 1, we define ½ log p if n = pm for some m ≥ 1 Λ(n) = 0 otherwise Definition 7.8.7. Define the Chebyshev ϑ function as X ϑ(n) = log p. p≤n
Our first lemma gives a sort of associativity to the generalized convolution. Lemma 7.8.8. For two arithmetical functions α and β and F defined as in Definition 7.8.5, we have α ◦ (β ◦ F ) = (α ∗ β) ◦ F. Proof. For x > 0, we have (α ◦ (β ◦ F ))(x) =
X
α(n)(β ∗ F )
n≤x
³x´ n
³ x ´ mn n≤x m≤(x/n) ³ x ´ X = α(n)β(m)F mn mn≤x µ ¶ X ³x´ X k = F α(n)β k n k≤x n|k X ³x´ (α ∗ β)(k) = F k =
X
α(n)
X
k≤x
= ((α ∗ β) ◦ F )(x).
β(m)F
CHAPTER 7. THE AKS ALGORITHM
55
Our next lemma is essentially technical in nature. Lemma 7.8.9. Let h = f ∗ g and let H(x) =
X
h(n).
n≤x
Also, let F (x) and G(x) be defined analogously to H. Then ³x´ X ³x´ X H(x) = f (n)G = g(n)F . n n n≤x
n≤x
Proof. Let U (x) be defined as follows: ½ 0 0
n≤x
since x/n > 1. Now, f ◦ G = f ◦ (g ◦ U ) = (f ∗ g) ◦ U = h ◦ U = H g ◦ F = g ◦ (f ◦ U ) = (g ∗ f ) ◦ U = h ◦ U = H so, since f ◦G=
X
f (n)G
³x´
n≤x
n
,
the lemma is proved. If g(n) = 1 for all n, we have G(x) = [x], since X X G(x) = g(n) = 1 = [x]. n≤x
n≤x
The next lemma, then, is a corollary of Lemma 7.8.9. Lemma 7.8.10. If we have F (x) defined as before, then hxi X ³x´ XX X f (d) = f (n) = F . n n n≤x d|n
n≤x
n≤x
CHAPTER 7. THE AKS ALGORITHM
56
Proof. H(x) =
X
h(n)
n≤x
=
X
(f ∗ g)(n)
n≤x
=
XX n≤x d|n
=
XX
µ ¶ d f (d)g n f (d).
(7.8.1)
n≤x d|n
Also, however, we have X
H(x) =
f (n)G
³x´
n hxi X = f (n) . n n≤x
(7.8.2)
n≤x
Finally, we have H(x) =
X
g(n)F
n≤x
=
X
F
n≤x
³x´
³x´ n
n .
(7.8.3)
Thus we have (7.8.1), (7.8.2), and (7.8.3) all equal, and the lemma is proved. Lemma 7.8.11.
X
Λ(n)
hxi
n≤x
Proof.
X
Λ(n)
n≤x
n
hxi n
=
= log([x]!) XX
Λ(d),
n≤x d|n
£ ¤ as, for every n ≤ x, there are nx numbers that are multiples of n. Then we have XX X Λ(d) = log(n) n≤x d|n
n≤x
CHAPTER 7. THE AKS ALGORITHM
57
because for each pk that exactly divides n, we will get k log(p)’s, since pk | n, pk−1 | n, . . . , p | n. Because X log([x]!) = log(n), n≤x
the lemma is proved. Now we prove our final lemma before the proof of Lemma 7.8.2. Lemma 7.8.12. Let
¸ ∞ · X x . pm m=1 Q Then for all x ≥ 1, we have [x]! = n≤x pα(p) . α(p) =
Proof. From Lemma 7.8.11, we know that hxi X log([x]!) = Λ(n) . n n≤x
The right side, however, can be written ∞ XX
· log p
p≤x m=1
¸ x . pm
The equality of the individual terms of the sums is easy to see: simply replace n in the first with pm in the second, since Λ(pm ) = log p. That the limits of the sums are the same is similarly straightforward: because Λ(n) is 0 when n is not a prime power, we can, instead of summing over all n, take the sum over all prime powers. This is represented by the two summation signs, with the m’s being all possible exponents. Because · ¸ x =0 pm when pm > x, the limit of only summing over n ≤ x is maintained. Now, ∞ XX p≤x m=1
·
¸ X ¸ X ∞ · X x x log p m = log p = (log p)(α(p)). p pm p≤x
m=1
p≤x
CHAPTER 7. THE AKS ALGORITHM But we also have log
Y
pα(p) =
p≤x
X
58
³ ´ X log pα(p) = α(p) log p.
p≤x
Thus we have
p≤x
log([x]!) = log
Y
pα(p) ,
p≤x
so [x]! =
Y
pα(p) .
p≤x
Now we have the tools to prove Lemma 7.8.2. Proof of Lemma 7.8.2. First we will show that µ ¶ 2n n 2 ≤ < 4n . n The left-hand ¡4¢ 12 inequality can be shown by induction. Let n = 2 for the base case: 2 = 2 = 6 ≥ 4. ¡ ¢ n+1 = 2(2n ) and Now suppose that 2n ≤ 2n n . Then, since 2 µ ¶ 2(n + 1) (2n + 2)(2n + 1)2n! = , n+1 ((n + 1)n!)2 we see that if 2≤
(2n + 2)(2n + 1) , (n + 1)2
the induction will be complete. Because n ≥ 2, we have (2n + 2)(2n + 1) 10 2(n + 1)(2n + 1) 2(2n + 1) ≥ , = = (n + 1)2 (n + 1)2 n+1 3 so we are done. To prove the right-hand inequality, first note that n
4n = 22 = 22n = (1 + 1)2n so we can expand that as a polynomial into µ ¶ µ ¶ µ ¶ µ ¶ 2n 2n 2n 2n 1+ 1 + ... + 1+ 1 0 1 2n − 1 2n
CHAPTER 7. THE AKS ALGORITHM
59
which can be written more concisely as ¶ 2n µ X 2n . k k=0
Since
¶ 2n µ X 2n k
k=0
>
µ ¶ 2n , n
the right-hand inequality is proved. Now, we take logarithms in the inequality to obtain ¶ µ 2n! n log 2 ≤ log < n log 4 n!n! ¶ µ 2n! n log 2 ≤ log < n log 4 (n!)2 n log 2 ≤ log(2n!) − 2log(n!) < n log 4. By Lemma 7.8.12,
X
log(2n!) − 2 log(n!) =
= h Since
X p≤2n
n pm
i
à log p
¸ ∞ · X 2n m=1
pm
α(p) log p − 2
p≤2n
!
−2
X
à log p
p≤n
X
(7.8.4)
α(p) log p
p≤n
¸! ∞ · X n . pm
(7.8.5)
m=1
= 0 when pm > n and we have pm > n ⇒ log pm > log n log n ⇒m > log p · ¸ log n ⇒m > , log p
(7.8.6)
we only need to consider m in the right hand side of (7.8.5) up to the right hand side of (7.8.6) and, replacing n with 2n, the same is true for the left side of (7.8.5). Thus (7.8.5) becomes h log 2n i h log n i · ¸ ¸ log p log p · X X n X 2n X log p − 2 log p (7.8.7) . m p pm p≤2n
m=1
p≤n
m=1
CHAPTER 7. THE AKS ALGORITHM
60
h i 2n We can let p and m have upper limits of 2n and log respectively on log p the right side of (7.8.7) because it adds only zeros. Thus (7.8.7) becomes h log 2n i h log 2n i · ¸ · ¸ log p log p X X X X 2n 2n 2 m log p log p − m p p m=1
p≤2n
=
X p≤2n
m=1
p≤2n
h
· ¸ · ¸ X 2n n log p − 2 m . m p p log 2n log p
i
(7.8.8)
m=1
Because [2x] − 2[x] is either 1 or 0, (7.8.8) is less than or equal to h log 2n i log p X X log p 1 m=1
p≤2n
·
X
log 2n = log p log p p≤2n X ≤ log 2n
¸
p≤2n
= π(2n) log 2n. Thus, n log 2 ≤ π(2n) log 2n, so n log 2 log 2n 2n log 2 = 2 log 2n 2n log 2 = · log 2n 2 2n 1 > · log 2n 4
π(2n) ≥
because log 2 > 1/2. Thus we have a bound on the number of primes less than or equal to
CHAPTER 7. THE AKS ALGORITHM
61
some even integer. For an odd integer 2n + 1, we have π(2n + 1) ≥ π(2n) 1 2n > · 4 log 2n 1 2n 2n + 1 = · · 4 log 2n 2n + 1 1 2n 2n + 1 > · · 4 log(2n + 1) 2n + 1 1 2n 2n + 1 = · · 4 2n + 1 log(2n + 1) 1 2 2n + 1 ≥ · · 4 3 log(2n + 1) 1 2n + 1 = · 6 log(2n + 1)
(7.8.9) (7.8.10)
where we can move from (7.8.9) to (7.8.10) because, since n ≥ 2, we have 2n 2 2n+1 ≥ 3 . Thus we have 1 2n π(2n) > 4 log 2n 1 2n + 1 π(2n + 1) ≥ 6 log(2n + 1) so we can conclude that
1 n . 6 log n so we have proved the left hand side of the lemma. For the right side, we start by going back to (7.8.8) and examining the m = 1 term: µ· ¸ · ¸¶ X 2n n log p −2 . p p π(n) >
p≤2n
Since all the other terms of the sum are greater than or equal to 0, we know that µ· ¸ · ¸¶ X 2n n log(2n!) − 2 log(n!) ≥ log p −2 . (7.8.11) p p p≤2n
Let’s examine (7.8.11) for n < p ≤ 2n. For each of those p, we have · ¸ 2n =1 p
CHAPTER 7. THE AKS ALGORITHM and
62
· ¸ n = 0. p
Thus,
X
log(2n!) − 2 log(n!) ≥
log p.
n
Since
X
log p = ϑ(2n) − ϑ(n),
n
we have ϑ(2n) − ϑ(n) ≤ log(2n!) − 2 log(n!) < n log 4, where the last inequality is from (7.8.4). Suppose n is a power of 2, say n = 2r . Then the above becomes ϑ(2r+1 ) − ϑ(2r ) < 2r log 4 = 2r+1 log 2. Let us sum both sides over r = 0 through k. The left side, then, is k X
ϑ(2r+1 ) − ϑ(2r ).
r=0
Since ϑ(2r+1 ) cancels with −ϑ(2r ) for the next r, we are left with only ϑ(2k+1 ) − ϑ(1) = ϑ(2k+1 ). For the right side, k X
2r+1 log 2 < 2k+2 log 2
r=0
because m
2
=1+
m−1 X
2j .
j=0
Thus we have ϑ(2k+1 ) < 2k+2 log 2. We now “reset” n. It may seem that the above manipulations depend on the n from our lemma, but they actually do not. In particular, this last fact in the last paragraph is a true statement no matter our choice of n.
CHAPTER 7. THE AKS ALGORITHM
63
Thus we choose a k such that 2k ≤ n < 2k+1 . Then we have ϑ(n) ≤ ϑ(2k+1 ) < 2k+2 log 2 ≤ 4n log 2, because 4n log 2 ≥ 4 · 2k log 2 = 2k+2 log 2. Now let 0 < β < 1. Then we have ³ ´ π(n) − π(nβ ) log(nβ ) <
X
log p
nβ
because there are (π(n) − π(nβ ) primes between nβ and n, and the least term in the sum is log(nβ ), so the left side is indeed smaller. Now, X log p ≤ ϑ(n), nβ
so ϑ(n) < 4n log 2. Thus,
³
´ π(n) − π(nβ ) log(nβ ) < 4n log 2 ⇒ π(n) − π(nβ ) < ⇒ π(n) <
4n log 2 β log n
4n log 2 + π(nβ ). β log n
Then since nβ > π(nβ ), we have 4n log 2 + π(nβ ) β log n 4n log 2 < + nβ β log n µ ¶ n 4 log 2 = + nβ log n β µ ¶ µ ¶ n 4 log 2 n log n = + log n β log n n1−β µ ¶ n 4 log 2 log n = + 1−β . log n β n
(7.8.12)
CHAPTER 7. THE AKS ALGORITHM
64
Now, for c > 0 and x ≥ 1, the function f (x) = x−c log x has its max at x = e1/c , since 1 c log x − c+1 = 0 xc+1 x ⇒ 1 − c log x = 0
f 0 (x) =
⇒ c log x = 1 1 ⇒ log x = c 1/c ⇒x=e . Thus f (x) is never larger than ³ ´ 1 1 (e1/c )−c log e1/c = e−1 · = . c ce This gives that the portion of (7.8.12) log n = n−(1−β) log n n1−β is less than or equal to
1 . e(1 − β)
Then, taking β = 2/3, we get n−1/3 log n ≤
3 e
so µ ¶ n 4 log 2 3 π(n) < + log n 2/3 e µ ¶ n 3 = 6 log 2 + log n e 6n log 2 < log n 6n < log n and our proof is complete.
Chapter 8
AKS code I implemented the AKS algorithm in Pari-GP. The code for the implementation is below, with discussion of various pieces interlaced. Whenever the time used by the algorithm or a piece is mentioned, we mean the time in milliseconds as obtained by Pari-GP’s gettime function. 1 2 3 4 5 6 7 8 9 10 11 12 13 14
i s p o w e r ( n) = { local ( greatexp , k , f l a g ) ; flag = 0; k = 2; greatexp = log (n)/ log ( 2 ) ; while ( ( k <= g r e a t e x p && f l a g ! = 1 ) , i f ( n == ( f l o o r ( 0 . 5 + 2 ˆ ( g r e a t e x p /k ) ) ) ˆ k , flag = 1; ); k = k + 1; ); return ( f l a g ) } This is the subroutine I experienced the most difficulty with. The concept is fairly straightforward, and it is presented in Appendix D.2, but there is some subtlety to get used to in figuring out what we want to take the floor of, why that should work, and so forth. Figure 8.1 contains some timings for this subroutine. Note that the first, second, fifth, and sixth inputs are not perfect powers. The second input is actually (an accidentally discovered!) prime. The base 2 logarithm of the last input is approximately 183. 65
CHAPTER 8. AKS CODE Input 2349212 164651843 264 = 18446744073709551616 12312 = 11991163848716906297072721 16911981616316974913123164 16911981616316974913123164494981981816516549851651654761
66 Time 0 10 0 0 20 50
Figure 8.1: Timings for power test subroutine 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
i s p r i m e ( n) = { local (d , flag , s ) ; d = 3; flag = 0; s = sqrt (n ) ; i f ( Mod( n , 2 ) = = 0 , flag = 1 ); while ( d < s && f l a g == 0 , i f ( Mod( n , d ) == 0 , flag = 1 ); d = d + 2; ); return ( ! f l a g ) ; } This is an implementation of the na¨ıve trial division primality testing algorithm described in Appendix D.5. The only aspect to remark on is that the only even number tested is 2. Ideally, we would only test primes up to the square root, but that makes things grow large and complicated (by way of recursion) quickly. Since about the only reason we use this subroutine in the AKS is to avoid recursion, it would not make sense to then implement recursion inside this routine. Since we will not test only primes, though, we can at least save some time and only test odd numbers. Figure 8.2 contains some timings for this subroutine. The first two inputs are prime, and the last four are products of two primes. The base-2 logarithm of the fourth input is about 37, while the logarithm of the last input is approximately double that, at about 75. Thus
CHAPTER 8. AKS CODE Input 17 21851 21851 · 288683 = 6308012233 416443 · 288683 = 120220014569 656483 · 495372434747 = 325203582080014801 3361901 · 9673205191943927 = 32520358208001480125227
67 Time 0 0 420 5270 12120 62650
Figure 8.2: Naive primality testing timings for a doubling in the size of the integer, we get a twelve-fold increase in running time. Perhaps the size of their smallest prime factor of these integers is more important, however, because the algorithm will exit when it finds that factor. For the fourth input, that logarithm is about 19, while for the last, it is about 21, so they are approximately the same size. It appears, then, that a key factor is how long it takes to perform the divisions necessary on the larger integers. This factor is rendered void no matter how large the number if it has a very small prime factor, though. As we discussed in the introduction, this subroutine, run on a modern home computer, runs fairly quickly. That last integer, though, only has 23 decimal digits; compare that to the smallest current RSA Challenge number that we mentioned earlier, which has almost 8 times as many decimal digits. Even if we ignore the huge memory requirements that a system like Pari-GP on a home computer will not be able to meet, it is pretty clear that trial division really will not be suitable. Suppose, for example, that for a doubling in the decimal digits (such as that which approximately occurs between the third and last inputs of our table), we get a twelve-fold increase in time. Then to get from the last input above to that RSA Challenge number, we require three doublings, so we would get approximately a 123 = 1728-fold time increase. This results in the test running in about 30 hours. There are a number of reasons why this is a conservative estimate, including that the 176-digit number could be prime or that it could have a prime factor very close to its square root. Thirty hours may not sound like a lot, when prime proving time is often measured in weeks today rather than hours, but the reason is that 176 digits is pretty puny in the modern reckoning. Consider that the 279th and 280th largest known primes each have 100000 decimal digits. The largest known prime in the world at this writing has just over four million digits. [11]
CHAPTER 8. AKS CODE 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
68
l p f ( n) = { local (d , s ) ; d = 2; s = sqrt (n ) ; i f ( Mod( n , d ) == 0 , return ( d ) ); d = 3; while ( d < s , i f ( Mod( n , d ) == 0 , return ( d ) ); d = d + 2; ); return ( n ) ; } This subroutine computes the least prime factor of the input n, using the algorithm given in Appendix D.6. The similarities between the last subroutine and this one are apparent; the details of the similarities are discussed in the Appendix. The true difference between the functions is in the type of value returned: is prime returns a boolean variable (either “yes” or “no”), while lpf returns an integer. We will not run another figure with timings, since they will only be the same numbers we saw for the trial division subroutine.
52 53 54 55 56 57 58 59 60 61
polypower ( fx , n) = { i f ( n == 2 , return ( f x ˆ 2 ) , i f ( n%2 == 0, return ( polypower ( f x ˆ 2 , n / 2 ) ) , return ( f x ∗ polypower ( fx , n − 1 ) ) ; ); ); } The subroutine polypower implements repeated squaring in a recursive way. Note that this subroutine performs a squaring operation any time the exponent is even. Programmers must be careful not to fall into the trap, as I did, of simply performing squarings until the original exponent
CHAPTER 8. AKS CODE
69
is odd, then doing multiplications for all the rest. Clearly, this would be very inefficient for any odd input, since the algorithm would believe that no squarings were possible when, in reality, it could be squaring for at least half of its operations. 63 64 65 66 67 68 69 70
aks ( n) = { f l a g = ”TBD” ; i f ( ispower (n ) , f l a g = ”COMPOSITE” ; s u b f l a g = ”POWER” ; ); This is the first if test, line 1 of Algorithm 1.
72
twolgn = 2 ∗ ( l o g ( n ) / l o g ( 2 ) ) ; This constant is used a few times throughout the algorithm, so some computation is saved by setting it equal to a variable here.
74 75 76 77 78 79 80
r = 1; while ( r < n−1 && f l a g==”TBD” , r++; i f ( gcd ( n , r ) ! = 1 , f l a g = ”COMPOSITE” ; s u b f l a g = ”GCD” ; ); This is the beginning of the while loop and the GCD test from lines 6 and 7 of the algorithm. Note that Pari-GP’s built-in GCD command is used here. Whatever algorithm the language is using, it almost certainly will be at least as fast as the Euclidean algorithm described in Appendix D.4, and may be faster. i f ( f l a g == ”TBD” && i s p r i m e ( r ) , q = lpf ( r − 1 );
81 82
These two lines are lines 9 and 10 of the algorithm. 83 84 85 86 87 88
i f ( q >= 2∗ s q r t ( r ) ∗ twolgn && ( Mod( n ˆ ( ( r −1)/q ) , r ) ! = 1 ) , f l a g = ”BREAK” ; ); ); );
CHAPTER 8. AKS CODE
70
This last if test of the while loop is line 11 of the algorithm. end = s q r t ( r ) ∗ twolgn ;
90
Again, rather than have to compute this constant each time the for loop below completes one iteration, it is computed once here and stored in a variable that can be used for comparison on line 93. a = 1; while ( a <= end && f l a g ! = ”COMPOSITE” , comp poly = Mod( xˆn − Mod( a , n ) , xˆ r − 1 ) ;
92 93 94
The variable comp poly holds the polynomial from the right side of line 18 in the algorithm. Storing this in a variable now is more useful for making the if test below more readable, though it comes at some small memory cost. If memory were something to be worried about, this variable could just as easily be eliminated. f x = Mod( x − Mod( a , n ) , xˆ r − 1 ) ;
95
The variable fx is used in a similar way as comp poly above, and could be similarly eliminated if we so desired. Since eliminating it would make the statement of the if test a huge mess (especially since we would have to put the polypower subroutine call inside the if test), I am content to spend a little memory on another variable. f x = polypower ( fx , n ) ;
96
This computes (x − a)n (mod n) for the left side of line 18 in the algorithm. i f ( f x ! = comp poly , f l a g = ”COMPOSITE” ; s u b f l a g = ”POLY” ; ); a = a + 1;
97 98 99 100 101 102
); Now that the polynomials are prepared, they are finally compared and a decision of some kind can be made on whether n is composite or still might be prime.
104 105 106 107 108
i f ( f l a g == ”COMPOSITE” , print ( flag , ” ” , subflag ) , p r i n t ( ”PRIME” ) ); }
CHAPTER 8. AKS CODE
71
The only thing that might want explanation here is the usage of the “subflag.” This variable first arose for debugging purposes. When many prime n were being declared composite by an early version of this program, by having the program tell me which if test labeled n incorrectly, I was able to see where the bugs were. I have left it in the final program because it is still fun to see what test is tripped by composite inputs. There will be no table of times for the program as a whole, since the times get large enough quickly enough to be very discouraging. For example, to determine 677 prime took over a minute, as compared with an essentially instant response from the trial division algorithm. There appear to be two places that really slow things down. First, the polynomial multiplication is apparently very slow. Fast Fourier Transforms might help, but the fact that we are dealing with approximately r = O((log n)6 )-degree polynomials is a huge hindrance to getting this algorithm to result in a fast practical test. The other problem is also related to the size of r. We proved that the while loop in the algorithm exits with some r less than c(log n)6 for a constant c. However, (log n)6 can be very large. For example, for n = 677, we get (log n)6 ≈ 76657. Thus, r could be anything up to 676 and indeed, in this case, that is what r ends up being. This is our first real example in this paper of theoretical polynomial time failing in a big way when it comes to implementing an algorithm in real life. A quick estimate of where (log n)6 will first be less than n is somewhere around n equals 24 million. Dealing with numbers of this size is not really a problem, but dealing with polynomials of this size can be. An often ignored part of algorithm analysis is how much “space” an algorithm uses. The base unit of “space” can be as ambiguous as that of time, but it is clear that whatever measure one chooses, it should reflect that storing a polynomial of degree 24 million with coefficients also at most 24 million must take more space than just storing the integer 24000000 itself.
Chapter 9
Conclusion Primality testing has taken something of an odd path through history. Mathematicians such as Eratosthenes were interested in the problem in ancient times and Gauss famously called the problem of recognizing primes one of the most important in all of mathematics, yet most the major progress in creating fast primality tests has happened only since 1976. Part of this recent onslaught of work might be attributed to the widespread appearance of computers creating a new emphasis on algorithms in mathematics, which emphasis could be said to have been heralded by the appearance of Knuth’s famous The Art of Computer Programming series of books in the 1960’s and 1970’s. The importance of the advent of public-key cryptography (which, of course, depended on widespread computer usage) can also not be ignored, as it created renewed interest in factoring and primality testing. Thus, even when researchers were not working on creating tests that actually work in practice for these problems, the idea that a breakthrough needed to be made was on their minds in a way that it was not 300 years ago. Perhaps more interesting is the way algorithms being published moved from the fairly elementary (and also easy to program) algorithms of Miller, Rabin, and Solovay and Strassen in the 1970’s to tests whose details are beyond the reach of the average undergraduate mathematics student. These latter tests are also certainly more difficult to implement, largely because many of them were essentially created with the disclaimer: “For theoretical use only.” Then came AKS. The test has a fairly straightforward implementation and is quickly comprehensible, making it similar to the earliest modern algorithms, but in practice, it might be essentially useless, perhaps more so than even some of the later, more complicated tests. Adleman, Pomerance, and
72
CHAPTER 9. CONCLUSION
73
Rumely’s algorithm, for example, can be turned into a “computer-friendly” probabilistic algorithm, while no such probabilistic approach to the AKS test seems to be known. One could envision, though, the for loop at the end of that algorithm running over random a, if we could estimate the probability that the output “prime” was wrong for a single a. Of course, this probabilistic version may not be needed if we find that a highly optimized version of the algorithm, including employing Fast Fourier Transforms for the polynomial multiplication, runs quickly. It seems doubtful, though, that even the best optimization of this algorithm will surpass such a test as Rabin’s, which generally works well for practical use. Mathematica, for example, makes use of Rabin’s test for its internal primality test. Pari-GP also makes use of Rabin’s algorithm (in combination with other tests) internally. AKS, though, whether practical or not, is what it is: a theoretical breakthrough that mathematicians have been seeking for years.
Appendix A
The Riemann Hypothesis The primality tests of Miller [17] and Solovay and Strassen [28] depend on the Extended Riemann Hypothesis (ERH), so we devote some time for it here. The Riemann Hypothesis can be stated in a number of equivalent forms. Because it also has a number of consequences, the consequences can sometimes be confused with the forms of the hypothesis itself. We will try to avoid such confusion here. The official Millennium Prize Problem1 description [10] gives the hypothesis in the terms of Riemann’s zeta-function. Definition A.1. The Riemann zeta-function is ζ(s) =
∞ X 1 ns
n=1
where s is a complex variable and the real part of s is greater than 1. Note that if s ≤ 1, then ζ(s) is not convergent. Sondow [29] obtained an analytic continuation (a power series representation of a function whose radius of convergence extends beyond the domain of the original function) of the zeta-function to the whole complex plane (except for a pole at s = 1) using Euler’s transformation of series. That continuation takes the form µ ¶ ∞ n X 1 X 1 k n (−1) (k + 1)−s . ζ(s) = 1 − 21−s 2n+1 k n=0
k=0
1
The Clay Mathematics Institute is offering a one million dollar prize to the first person to prove the Riemann Hypothesis. There are eight Millennium Prize Problems in all.
74
APPENDIX A. THE RIEMANN HYPOTHESIS
75
This form of the zeta function has zeros, known as trivial zeros, at the negative even integers. However, it also has a number of other zeros. One statement of the Riemann Hypothesis, then, is Riemann Hypothesis 1. The non-trivial zeros of ζ(s) have real part equal to 21 . Riemann’s original conjecture was actually about the zeros of a related zeta-function, but it is equivalent to Riemann Hypothesis 1. Euler showed that the zeta-function can also be expressed as the product over the set of primes Y 1 ζ(s) = . (1 − p−s ) p Patterson says that this formulation “is the reason for the significance of the zeta-function.” A proof that the two expressions of the zeta functions are equivalent can be found in Patterson’s book [21]. The above representation of the zeta-function is our first suggestion that the Riemann Hypothesis might have consequences in number theory, and, indeed, there is a more purely number theoretic form of the hypothesis. Before we give that form, though, we need a definition. Definition A.2. The logarithmic integral li(x) is defined as Z x dt . li(x) = log t 2 Recalling that π(x) is the number of primes less than x, we have Riemann Hypothesis 2. π(x) = li(x) + O(x1/2+² ). Finally, we can state two more equivalent hypotheses, also about prime numbers. First, we need a new function: Definition A.3. ψ(x) =
X
log p = log(lcm(1, 2, 3, . . . , bxc)),
pk ≤x
summing over all primes p and all non-negative integers k. Now, we have the third formulation.
APPENDIX A. THE RIEMANN HYPOTHESIS
76
Riemann Hypothesis 3. ∀² > 0, ψ(x) = x + O(x1/2+² ). Recall Definition 7.8.7. It is the basis for our final statement of the Riemann Hypothesis. Riemann Hypothesis 4. ∀² > 0, ϑ(x) = x + O(x1/2+² ). All of the above is as given in [8]. The evidence from the last three statements of the Riemann Hypothesis that it is going to be of use in number theoretic problems leads us to the ERH.2 As with the original Riemann Hypothesis, we find a number of formulations of the ERH. Chowla [12] first defines a function Lp of a complex variable s: ∞ µ ¶ X n 1 Lp (s) = , p ns n=1
³ ´ where
n p
is the Legendre Symbol: ³ ´
Definition A.4. The Legendre Symbol µ ¶ 0 n 1 = p −1
n p
is defined for p prime as
if p | n if n is a quadratic residue mod p and p - n if n is a quadratic non-residue mod p and p - n.
Jacobi generalized the Legendre symbol to all odd integers, regardless of primality. Definition A.5 (Jacobi Symbol). Let n be odd with prime factorization Q pei i . Then ³ a ´ Y µ a ¶ei = n pi where the symbol in the product is the Legendre symbol. The ERH, then, can be stated as follows: 2
In fact, algorithms have been discovered for factoring polynomials and finding primitive roots over finite fields, among others, whose correctness or speed require the ERH.
APPENDIX A. THE RIEMANN HYPOTHESIS
77
Extended Riemann Hypothesis 1. All the zeros of Lp (s) which lie in the “critical strip” (zeros with real part strictly between 0 and 1) have real part equal to 21 . Let π(x, n, a) be the number of primes less than or equal to x and equivalent to a modulo n. Then the ERH can also be set out this way, as in [8]: Extended Riemann Hypothesis 2. For n and a relatively prime integers and ² > 0, li(x) π(x, n, a) = + O(x1/2+² ). φ(n) This version recalls Riemann Hypothesis 2, especially in the absence of functions of complex variables, zeta functions, L-functions, or anything of that sort. To give one final definition of the ERH, we first define a character. Definition A.6. A character on a finite Abelian group G is a homomorphism (a map that preserves the group operation) from G to the unit circle. Let µ be a character on Z∗n . We define the Dirichlet character χ as ½ µ(m mod n) if gcd(m, n) = 1 χ(m) = 0 otherwise If χ is always 0 or 1, it is called principal. This leads, then, to Extended Riemann Hypothesis 3. [8] Define the Dirichlet L-function to be X χ(n) L(s, χ) = ns n≥1
when the real part of s > 1 and, as before, analytic continuation otherwise. L(s, χ) has infinitely many zeroes in 0 < <(s) < 1. The ERH, then, is that all zeros in that interval have real part 21 . This is very similar to Extended Riemann Hypothesis 1 above; the only difference lies in how the L function is stated. Bach and Shallit [8] note that the “‘extended’ or ‘generalized’ Riemann hypothesis is interpreted differently by different authors” and quote Narkiewicz [19] to give a general overview of how the ERH should be seen: “We use ERH . . . to denote the statement that every conceivable zeta-function which should not have zeroes in the critical strip indeed does not have them.”
Appendix B
Ankeny’s Theorem We will state and prove Ankeny’s Theorem in a slightly different (though equivalent) form than the one Ankeny himself used [4]. It might be clearer from Ankeny’s version, however, how the theorem is useful to Miller and to Solovay and Strassen. To declare an input integer n composite, both Miller’s test and the derandomized Solovay-Strassen test require that a witness a to n’s compositeness arise from a systematic search. That a is, in both cases, a quadratic nonresidue modulo n. Ankeny’s Theorem guarantees that the least such a is O((lg n)2 ). Thus, if we test all a up to c(lg n)2 for some c, we will either find a quadratic non-residue or know that none exists. That constant c could cause problems in a practical implementation, but luckily, c has been proved to be 2 for the cases we are interested in (searching for a witness to the compositeness of n) by Bach [7]. Miller’s paper [17] makes use of a generalization which Ankeny notes in his paper: the theorem “can be generalized to finding the least dth power non residue mod k where d | k − 1.” [4] Ankeny’s Theorem is the link to the ERH for both Miller and SolovayStrassen, as neither test calls upon that hypothesis directly. In fact, Ankeny’s Theorem actually depends on a lemma that itself depends on the ERH, so even its relationship to the hypothesis is at least a second degree one. We first state the just-mentioned lemma. Proof of the lemma can be found in [8]. Lemma B.1. Assume the ERH. Let χ be a Dirichlet character, and let
78
APPENDIX B. ANKENY’S THEOREM
79
1χ = 1 when χ is principal and 0 otherwise. Then X
Λ(p)χ(p)(x − p) = 1χ
p≤x
x2 + O(x3/2 log n). 2
For convenience, we will state the theorem in terms of a set G(n). Let G(n) = min{x : Z∗n is generated by primes ≤ x}. Theorem B.2 (Ankeny’s Theorem). Assume the ERH. Then G(n) = O((log n)2 ) and every nontrivial subgroup of Z∗n omits a positive number a = O((log n)2 ). Proof. First note that if x > 0 and the p’s are those primes less than or equal to x mentioned in the definition of G(n), X X Λ(p)(x − p) = log p(x − p) p≤x p|n
X log p − p log p Y X = x log( p) − p log p X ≤ x log n − p log p
=x
X
≤ x log n.
(B-1)
Now assume that the primes less than or equal to x do not generate Then they generate a proper subgroup of Z∗n , so we can choose a nonprincipal Dirichlet character χ such that χ(n) is 0 or 1 for all n < x. Then, since χ is non-principal, by Lemma B.1, we have X Λ(p)χ(p)(x − p) = O(x3/2 log n).
Z∗n .
p≤x
Now, X p≤x
Λ(p)χ(p)(x − p) =
X X Λ(p)(x − p) (x − p) log p − p≤x
(B-2)
p≤x p|n
since χ(p) = 0 when p | n. The first term of the right-hand side can be rewritten as before as X X x log p − p log p. (B-3) p≤x
p≤x
APPENDIX B. ANKENY’S THEOREM
80
The first term of (B-3) then becomes xϑ(x), where ϑ(x) is the Chebyshev function defined in Definition 7.8.7. But ϑ(x) ∼ x [8]. Since a consequence of the prime number theorem is that the pth prime is about p log p, the second term of (B-3) gives X p≤x
p log p ∼
X
n∼
n≤x
x2 . 2
All together, then, the first term of the right hand side of (B-2) is Ω(x2 ). Combining with the estimate obtained in (B-1) for the second term of (B-2), we see that the whole expression is Ω(x2 − x log n). Thus, Ω(x2 − x log n) = O(x3/2 log n) x2 − x log n = O(O(x3/2 log n)) x2 − x log n = O(x3/2 log n) log n x1/2 − 1/2 = O(log n) x √ 1 x = O(log n) + √ log n x √ 1 x ≤ c log n + √ log n x √ 1 x ≤ (c + √ ) log n x √ x = O(log n) x = O((log n)2 ) and the proof is complete, since G(n) must be less than this x by our assumption on x, so G(n) is also O((log n)2 ).
Appendix C
Chinese Remainder Theorem The Chinese Remainder Theorem is a part of basic number theory, but it might be useful to prove it here. Theorem C.1. Let m1 , m2 , . . . , mk be integers such that (mi , mj ) = 1 for all i 6= j. Then for any sequences of integers ha1 , a2 , . . . , ak i, the congruences x ≡ a1
(mod m1 )
x ≡ a2
(mod m2 ) .. .
x ≡ ak
(mod mk )
have a unique solution modulo the product of the mi . Proof. It is sufficient to prove this for the case k = 2. For any larger case, we take, for example, the first two congruences and turn them into one congruence modulo m1 m2 , then take that congruence and combine it with the third, and so forth. Note that this is not a very constructive proof, since doing this in practice would require “unwinding” the knot we created by combining most of the moduli. Consider the first two lines of the set of congruences above. Set x = a1 +m1 y to satisfy the first one. Then the second congruence is a1 +m1 y ≡ a2 (mod m2 ), which implies that m1 y ≡ a2 − a1 (mod m2 ). We now claim that a solution y ∈ Z exists if and only if (m1 , m2 ) | a2 −a1 . More generally, we can say that dz ≡ b (mod r) has a solution z if and only if (d, r) | b. The that congruence implies that dz + ru = b, so there is a solution if and only if b is in the ideal hd, ri, which is the same as the ideal h(d, r)i. This true statement is equivalent to the statement of the claim. 81
APPENDIX C. CHINESE REMAINDER THEOREM
82
Thus we must have (m1 , m2 ) | a2 −a1 , but (m1 , m2 ) = 1, so the existence part of the theorem is proved. The first step toward proving uniqueness is to claim that a solution of r the congruence dz ≡ b (mod r) is unique modulo (d,r) . Suppose there are 0 0 two solutions z and z . Then dz ≡ dz (mod r). Now we claim that z ≡ z 0 (mod r/(r, d)). Let g = (d, r) so that r = gr1 and d = gd1 , where (r1 , d1 ) = 1. Then we have dz ≡ dz 0
(mod r)
⇒ r | d(z − z 0 ) ⇒ r1 | d1 (z − z 0 ) ⇒ r1 | (z − z 0 ) ⇒ z ≡ z0
(mod r1 )
and the claim is proved since r1 = r/g = r/(d, r). Thus we have that our solution y of m1 y ≡ a2 − a1 (mod m2 ) is unique modulo (m2 /(m1 , m2 )), but m1 and m2 are relatively prime, so y is in fact unique modulo m2 . Thus, since x = a1 + m1 y, we have x unique modulo m1 m2 , so we are done.
Appendix D
Algorithms Here we present some of the algorithms we use in the paper with discussion and, where necessary, proof of running times or correctness.
D.1
Computing the Jacobi symbol
¡ ¢ Because the Jacobi symbol na is defined in terms of the prime factorization of n, it is not immediately obvious that we can compute the symbol in polynomial time. Our discussion of why we can, in fact, do so follows that of [8, Section 5.9]. In order to give some properties of the Jacobi symbol, we will first state without proof Gauss’s Lemma and the quadratic reciprocity law. Proof of the former can be found in [8, Solution to Exercise 5.30]. Lemma D.1 (Gauss’s Lemma). Let p be an odd prime and let m be an integer such that p - m. Let the set Sp be {m (mod p), 2m (mod p), . . . , m p−1 2 (mod p)}. Finally, ³ ´ let r be the number of members of Sp that are greater than p2 . Then
m p
= (−1)r .
Lemma D.2 (Quadratic Reciprocity). Let p and q be odd primes where p 6= q. Then µ ¶µ ¶ p−1 q−1 p q = (−1) 2 2 . q p Now we prove some properties of the Jacobi symbol. Lemma D.3. Let m and n be odd, and let a and b be any integers. Then the following are true:
83
APPENDIX D. ALGORITHMS
84
¡ ¢¡ ¢ = na nb ¡ a ¢ ¡ a ¢¡a¢ (2) mn = m n (1)
¡ ab ¢ n
(3) if a ≡ b (mod n), then ¡ ¢ (4) −1 = (−1)(n−1)/2 n ¡ ¢ 2 (5) n2 = (−1)(n −1)/8
¡a¢ n
=
¡b¢ n
(6) if (a, n) = 1 and a is a positive odd integer, then
¡a¢ ¡n¢ n
a
= (−1)
a−1 n−1 2 2
Proof.
(1) By Euler’s Criterion, we know that µ ¶ a = a(p−1)/2 p ³ ´ when p is prime (i.e. when ap is the Legendre symbol). Thus µ
ab p
¶ (p−1)/2
= (ab)
=a
(p−1)/2 (p−1)/2
b
µ ¶µ ¶ a b = . p p
Thus it is clearly also true when p is actually some composite n. (2) This follows immediately from the definition of the Jacobi symbol, since mn factorizes into the factorization of m times that of n. (3) Since quadratic residues can only be congruent to other ³ quadratic ´ ³ ´ residues (and the same for non-residues), we know that ap = pb when a and b are congruent modulo p, so the case where p is a composite n follows. (4) We first claim that for ni odd, we have n1 + n2 + · · · + nk − k ≡ n1 n2 . . . nk − 1 (mod 2). The right side is 0, since the product of the ni is 1. Thus we are done, since k X 1 = k (mod 2) i=1
so the sum of the ni are equivalent to k modulo 2.
APPENDIX D. ALGORITHMS
85
Now if n=
t Y
pi
i=1
where the pi are not necessarily distinct, then µ
−1 n
¶
t Pt Y ≡ (−1)(pi −1)/2 ≡ (−1) i=1 ((pi −1)/2)
(mod n),
i=1
where the second congruence is by what we noted in the proof of (1). Then by the previous paragraph, the exponent has the same parity as p1 ...pt −1 , so (−1) raised to either power gives the same result. 2 ³ ´ 2 (5) We will first prove that p2 = (−1)(p −1)/8 . Then, we will show that k X p2 − 1 i
i=1
8
≡
p21 . . . p2k − 1 8
(mod 2).
These two facts will give us the result in the same way that we got the proof of (4). We can restate the first claim the following way: µ ¶ ½ 2 1 if p ≡ 1 or 7 (mod 8) = −1 if p ≡ 3 or 5 (mod 8) p
(D-1)
For example, when p = 8k + 1, we have p2 = 64k 2 + 16k + 1 so that p2 −1 is 8k 2 + 2k, which is even. 8 Consider the set Sp as in Gauss’s Lemma where m = 2, so Sp = {2, 4, . . . , p − 1}. We claim that when p ≡ 3 (mod 4) we have the r in Gauss’s Lemma equal to p+1 4 and when p ≡ 1 (mod 4), we get p−1 r = 4 . Let p = 4k1 + 3 in the first case and 4k2 + 1 in the second. Then we ask how many elements of Sp are between p2 and p − 1: in the first case, this is the number of elements between 4k1 + 3 and 4k1 + 2 2 and in the second, it is the number of elements between 4k2 + 1 and 4k2 . 2
APPENDIX D. ALGORITHMS
86
In the first case, the first element of the subset is 2k1 + 2, so we have r = k1 +1. In the second case, the first element of the subset is 2k2 +2, so we have r = k2 . Now, in the first case, p+1 4 = k1 + 1 and in the second, p−1 = k , so the claim is proved. 2 4 Thus, when p ≡ 1 (mod 8), we have p ≡ 1 (mod 4), so r = p−1 4 . We can write p = 8k + 1, so that r = 2k, which is even. Similarly, when p ≡ 7 (mod 8), we have p =≡ 3 (mod 4), so, since p = 8k − 1, we get r = 8k 4 = 2k, also even. Thus, the first half of (D-1) is proved. For the second half, note that p ≡ 3 (mod 8) implies that p ≡ 3 (mod 4), so r = 2k + 1 and p ≡ 5 (mod 8) implies p ≡ 1 (mod 4) so r is again 2k + 1. ³ ´ 2 Thus we have proved that p2 = (−1)(p −1)/8 . For the second part, the beginning of the proof of (4) implies what we want here since x2 ≡ x (mod 2) for any x. (6) Let a = p1 . . . pk and n = q1 . . . qm where the pi are prime, though not necessarily distinct, and the same for the qi . Then we have, by (1) and (2), m k µ ¶µ ¶ ³ a ´ ³n´ Y qj pi . = n a qj pi i=1 j=1
Then by the Quadratic Reciprocity Theorem (our Lemma D.2), we have this equal to (−1)αβ where α=
k X pi i=1
and β=
2
m X qj j=1
2
.
Then, again by the same argument from the beginning of (4), this leaves us with a−1 n−1 (−1) 2 2 so we are done.
APPENDIX D. ALGORITHMS
¡ ¢ Algorithm 8 Compute the Jacobi symbol na Require: n odd, 0 < a < n 1: t ← 1 2: while a 6= 0 do 3: while a ≡ 0 (mod 2) do 4: a ← a/2 5: if n ≡ 3 (mod 8) or n ≡ 5 (mod 8) then 6: t ← −t 7: end if 8: end while 9: interchange a and n 10: if a ≡ 3 (mod 4) and n ≡ 3 (mod 4) then 11: t ← −t 12: end if 13: a ← a (mod n) 14: end while 15: if n = 1 then 16: return t 17: else 18: return 0 19: end if
87
APPENDIX D. ALGORITHMS
88
Algorithm 8 makes use of these facts to compute the Jacobi symbol in polynomial time. That Algorithm 8 actually computes the Jacobi symbol is the first thing we must prove, since it is not at all obvious. First, for n0 odd and 0 ≤ a0 < n0 , let a = 2e n0 and n = qn0 + a0 for some q. Then we have ³ a ´ µ 2e n0 ¶ µ 2e ¶ µ n0 ¶ = = n n n n by part (1) of Lemma D.3. Then, for the first term, we have µ e ¶ µ ¶e n2 −1 2 2 = = (−1)e· 8 n n by parts (1) and (5). Now by (6), we can multiply both sides by ³n´ n0 to get
³ n ´³a´ n0
= (−1)e·
n2 −1 n−1 n0 −1 + 2 · 2 8
n 0 Then, by (3), since a ≡ n (mod n0 ), we know that µ 0¶ ³ ´ a n = 0 n n0
.
so we can multiply them together to get 1. Thus, we can multiply both sides by µ 0¶ a n0 to obtain
³a´ n 2
0
µ =
a0 n0
¶ (−1)s
n −1 where s = e · n 8−1 + n−1 2 · 2 . Thus, we have obtained a reduction of the problem of computing the Jacobi symbol for two integers to that of computing the symbol for two smaller integers (times a constant, but we do not have to actually compute s, since we only care whether it is even or odd). We can carry out this process until we have a0 = 0. This ¡ is ¢ precisely what Algorithm 8 does.¡ ¢ Note that if n = 1, we have n0 = 1, but it is 0 otherwise, since a1 is defined to be 1 for all integers, but 0 is a quadratic non-residue modulo any non-trivial input.
APPENDIX D. ALGORITHMS
89
The while loop that starts on line 3 pulls out the highest power of 2 2 possible from a, and, in the case that n 8−1 is odd, multiplies t by −1, as called for by (5). After removing the powers of two from a, we are left with n0 on the top. Multiplying by ³n´ n0 is represented by line 9’s command to “interchange” a and n. After this n0 −1 step, we again multiply t by −1 only when we have n−1 2 and 2 both odd. Now, we have the required n0 on the bottom, but we need to get a0 on top, instead of n, to complete the reduction. Since a0 ≡ n (mod n0 ), taking the residue of n gives us the required a0 on top. This is carried out in line 12. Finally, we must show that this algorithm runs in polynomial time for all inputs a and n. Let a0 = a and n0 = n. Then we can follow the computations of the algorithm as follows: a0 = 2e1 n1 e2
n0 = q1 n1 + a1
a1 = 2 n2
n1 = q2 n2 + a2 .. .
ak−1 = 2ek nk
nk−1 = qk nk + ak
We wish to first show that k = O(lg n). Suppose qi is odd. Then since ni is odd for all i, we must have ai even. Thus ei+1 ≥ 1 so that ni+1 ≤ ai /2. If, on the other hand, qi is even, then it is at least two, so ni ≤ ni−1 /2. Thus we have for all i that ni+1 < ni−1 /2. This means we at least half n for every two iterations, so that n2j < n2−j , so k is certainly O(lg n). This shows that the while loop runs a polynomial number of times. Since the steps inside the while loop are all divisions (which can be done in polynomial time), the problem of computing the Jacobi symbol can be done in polynomial time. Specifically, Bach and Shallit [8, Theorem 5.9.3] say that the algorithm runs in O((lg a)(lg n)).
D.2
Power testing code
Algorithm 9 decides whether n is a perfect power in polynomial time.
APPENDIX D. ALGORITHMS
90
Algorithm 9 Determine whether n is of the form ab for b > 1. 1: for k = 1 to log n do 2: if [2log n/k ]k = n then 3: return POWER 4: end if 5: end for 6: return NOT POWER
D.3
Modular exponentiation
Algorithm 10 computes xy (mod n) in time O((2 log y)(M (n)) where M (n) is the time it takes to multiply two numbers of size n. Algorithm 10 Compute xy (mod n). 1: Write y = y0 + 2y1 + 22 y2 + · · · + 2t yt . 2: w ← 1 3: v ← x 4: for a = 0 to t do 5: if ya = 1 then 6: w ← w · v (mod n) 7: end if 8: v ← v 2 (mod n) 9: end for 10: return w The first line essentially writes y in binary form. The algorithm is based on the fact that ty t
xy = xy0 +2y1 +···+2
t
= xy0 · (x2 )y1 . . . (x2 )yt . There are at most t multiplies and t squarings to compute. Since y is written in binary, t is approximately log y, so there are at most 2 log y computations.
D.4
Euclidean Algorithm
Algorithm 11 is Euclid’s algorithm for computing the greatest common divisor of two integers.
APPENDIX D. ALGORITHMS
91
Algorithm 11 Computes (a, b); Euclid Require: a ≥ b 1: r0 ← a 2: r1 ← b 3: k ← 1 4: while rk 6= 0 do 5: k ←k+1 6: rk ← rk−2 − rk−1 qk−1 7: end while 8: return rk−1 A recursive algorithm that is perhaps more aesthetically pleasing, but also perhaps less obvious, is Algorithm 12. Algorithm 12 Computes (a, b); [8, p. 67] 1: if b = 0 then 2: return a 3: else 4: return gcd(b, a (mod b)) 5: end if Note that qk−1 and rk are found each iteration using the division algorithm. We will not prove the correctness of this algorithm, instead referring the interested reader to [26, Section 3.3], or probably any other book like it. We are, however, interested in seeing how fast this algorithm runs, so we will follow the proof of the algorithm’s polynomial running time given in [8, Section 4.2]. Let fk denote the kth Fibonacci number. Lemma D.1. Let a > b > 0 and suppose that (a, b) takes n divisions to compute. Then a ≥ fn+2 and b ≥ fn+1 . Proof. Let a = r0 and b = r1 . Then we get the following sequences of
APPENDIX D. ALGORITHMS
92
equations: r0 = r1 q1 + r2 r1 = r2 q2 + r3 .. . rn−2 = rn−1 qn−1 + rn rn−1 = rn qn where 0 ≤ rk < rk−1 for k = 2 through n. Now, each of q1 , . . . , qn−1 is at least 1 and qn is at least 2, since rn < rn−1 . Thus, we have rn ≥ 1 = f2 rn−1 ≥ 2rn ≥ 2fn = f3 rn−2 ≥ rn−1 + rn ≥ f3 + f2 = f4 .. . r2 ≥ r3 + r4 ≥ fn−1 + fn−2 = fn r1 = b ≥ r2 + r3 ≥ fn + fn−1 = fn+1 r0 = a ≥ r2 + r1 ≥ fn+1 + fn = fn+2 , and we are done. We will use this fact to show that the “least” pair of inputs that could result in the algorithm taking n steps is (fn+2 , fn+1 ), which, after we prove an identity about the Fibonacci numbers, will allow us to show the polynomial running time of the algorithm. Now, the word “least” does not have a natural meaning since we are dealing with a pair of integers. We will define it this way: with, as usual, a > b and c > d, we have (a, b) < (c, d) if a < c or if a = c and b < d. Lemma D.2. Let a > b > 0 and let (a, b) be computed with n divisions. Also, let (a, b) < (c, d) for all c, d such that (c, d) is computed with n divisions. Then we must have a = fn+2 and b = fn+1 . Proof. Because of the previous lemma, we only need to prove that, if a = fn+2 and b = fn+1 , the computation of (a, b) takes n divisions. To prove this, we can show that the sequence of quotients j q0k, q1 , . . . , qn−2 are all 1. This, f in turn, can be proved by showing that fk+2 = 1 and that fk−1 ≡ fk+1 k+1
APPENDIX D. ALGORITHMS
93
(mod fk ), both for k ≥ 2. These two facts would imply that the sequence the algorithm takes is the Fibonacci sequence in reverse, so we must count down from fn+2 to f2 to get the greatest common j k divisor. fk+2 To prove the first claim, suppose that fk+1 = c > 1. Then fk+2 ≥ 2fk+1 . However, since fk+2 = fk+1 + fk , we have that fk+1 + fk ≥ 2fk+1 so fk ≥ fk+1 , which is false. For the second claim, since fk+1 = fk + fk−1 , the claim is reduced to fk−1 ≡ fk−1 (mod fk ). We now establish the promised identity for the Fibonacci numbers. Lemma D.3. For α =
√ 1+ 5 2
and β = fn =
√ 1− 5 2 ,
we have
αn − β n √ . 5
Proof. We prove this by induction on n. Let n = 1, so that fn = 1. We have αn − β n α−β √ = √ 5 5 √ 2 5/2 = √ 5 = 1. Now suppose the lemma is true for n = 2 through k − 1. Then we have fk = fk−1 + fk−2 = = = = =
αk−1 − β k−1 αk−2 − β k−2 √ √ + 5 5 k−1 k−2 k−1 α +α −β − β k−2 √ 5 k−2 α (α + 1) − β k−2 (β + 1) √ 5 k−2 2 k−2 α (α ) − β (β 2 ) √ 5 αk − β k √ . 5
(D-1) (D-2)
We get (D-1) because both α and β are roots of the polynomial x2 −x−1, so we have x2 = x + 1.
APPENDIX D. ALGORITHMS
94
Theorem D.4. Let a > b > 0. Then the number of divisions required√to 5 compute (a, b) is less than c1 log a+c2 −2+c3 a−1 where c1 = log1 α , c2 = log log α , 1 and c3 = √5 log . We have α as before. α Proof. Suppose a ≥ fn+2 . Then we have a≥
αn+2 − 1 αn+2 − β n+2 √ √ > . 5 5
√ n+2 , so, taking logarithms on both sides, Then we know that √ a 5+1 ≥ α we have log(1 + a 5) ≥ (n + 2) log α. Since x + 1 = x(1 + 1/x), we have √ that log(x +√1) = log x + log(1 + 1/x) ≥ (n + 2) log α. Since so the above can be rewritten log a 5 + log(1 + a 5) √ 1 we have 1/x > log(1 + 1/x), we know that a√5 + log a 5 > (n + 2) log α, so √ 1 log a 5 n< √ + −2 log α a 5 log α √ 1 log a 5 + −2 ⇒n< √ + a 5 log α log α log α ⇒ n < c1 log a + c2 + c3 a−1 − 2. Now we take the contrapositive of what we have just proved, so we have that n ≥ c1 log a + c2 + c3 a−1 − 2 implies a < fn+2 . Choose, then, § ¨ n = c1 log a + c2 + c3 a−1 − 2 . We know, by Lemma D.1, that if a < fn+2 , then the number of divisions to calculate (a, b) is less than n, so, since that number of divisions must be an integer, we must have that it is less than c1 log a + c2 + c3 a−1 − 2 so the theorem is proved for all cases. This theorem implies that the Euclidean algorithm on (a, b) for a > b requires O(lg a) divisions. Thus, since all divisions are performed on integers of at most lg a bits, the Euclidean algorithm runs in O((lg a)3 ) (we have simplified this to keep things from getting too unwieldy).
APPENDIX D. ALGORITHMS
D.5
95
Na¨ıve primality testing
We present here a na¨ıve primality testing algorithm that runs only quickly enough for the AKS algorithm to use internally, but not nearly quickly enough for general use. That algorithm is Algorithm 13. Algorithm 13 Na¨ıve primality test for integer r √ 1: for d = 2 to r do 2: if r = 0 (mod d) then 3: return COMPOSITE 4: end if 5: end forreturn PRIME When actually programming this, there are easy time saving tricks like only checking d = 2 and d odd, but for a rough analysis of the worst case √ behavior, Algorithm 13 will do. The algorithm divides r by d up to r times, where each division takes, recalling Figure 2.1, O(lg r lg lg r lg lg lg r) √ steps. Thus the algorithm runs in time O( r lg r lg lg r lg lg lg r).
D.6
The largest prime factor of an integer
There is no known way to compute the largest prime factor of an integer n in time polynomial in the length of n. We can easily modify the na¨ıve primality testing algorithm (Appendix D.5), however, to get an algorithm that runs in the same time as trial division. The only difference between Algorithm 14 and Algorithm 13 is that the former returns an integer (the least prime factor), while the latter simply returns whether it found such a prime integer. Algorithm 14 Computes the largest prime factor of n Require: n ≥ 2 1: for i = 2 to n do 2: if i | n then 3: return i 4: end if 5: end for 6: return n The last return value is there to catch prime inputs. If no prime factor is found less than the square root of n, then the for loop will exit and this
APPENDIX D. ALGORITHMS
96
last return call will be executed, since the least prime factor of a prime n is n itself. This algorithm clearly runs in the same time as the trial division algorithm. The algorithm returns the smallest integer, say k, that divides n. If k is not prime, then the algorithm would have found a prime that divides k earlier in the loop. Clearly, this new prime must also divide n, so that value would have been returned. Thus, the algorithm really does return the least prime factor of n.
D.7
Multiplication of polynomials
We discuss here the “pencil-and-paper” method of multiplying polynomials, following the discussion in [30, Section 2.6]. First multiply each coefficient in the first polynomial by each in the second and add coefficients for like terms. To simplify the discussion, we will assume that both polynomials are of the same degree, say n. Let our polynomials be n n X X ai xi and bj xj . i=0
j=0
Then the coefficient of xk in the product is k X
ai bk−i ,
i=1
so it takes k multiplications and k additions to compute the kth coefficient. Since we must compute coefficients for k = 1 through 2n, we have to compute 2n X
i
i=1
multiplications and the same number of additions. This sum is of course 1 2 (2n)(2n + 1) = n(2n + 1). Referring to Figure 2.1, the cost of the multiplications is (n(2n+1) lg n lg lg n lg lg lg n) and the cost of the additions is (n(2n + 1) lg n). Thus, the cost of multiplication is O(n2 lg n lg lg n lg lg lg n) and the cost of addition is O(n2 lg n), so the total cost is O(n2 lg n lg lg n lg lg lg n).
Bibliography [1] Leonard M. Adleman and Ming-Deh A. Huang, Primality Testing and Abelian Varieties Over Finite Fields, Lecture Notes in Mathematics, vol. 1512, Springer-Verlag, 1992. [2] Leonard M. Adleman, Carl Pomerance, and Robert S. Rumely, On distinguishing prime numbers from composite numbers, The Annals of Mathematics 117 (1983), no. 1, 173–206. [3] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, PRIMES is in P, Preprint available at http://www.cse.iitk.ac.in/news/primality.ps. [4] N.C. Ankeny, The least quadratic non residue, The Annals of Mathematics 55 (1952), no. 1, 65–72. [5] Tom M. Apostol, Introduction to Analytic Number Theory, First ed., Springer-Verlag, 1976. [6] A.O.L. Atkin and F. Morain, Elliptic curves and primality proving, Mathematics of Computation 61 (1993), no. 203, 29–68. [7] Eric Bach, Explicit bounds for primality testing and related problems, Mathematics of Computation 55 (1990), no. 191, 355–380. [8] Eric Bach and Jeffrey Shallit, Algorithmic Number Theory, Foundations of Computing, vol. 1: Efficient Algorithms, The MIT Press, 1996. [9] Daniel J. Bernstein, Proving primality after agrawal-kayal-saxena, Draft available at http://cr.yp.to/papers/aks.pdf, January 2003. [10] E. Bombieri, Problems of the Millenium: the Riemann Hypothesis, http://www.claymath.org/prizeproblems/riemann.pdf. [11] Chris K. Caldwell, Prime Pages, http://www.utm.edu/research/primes/. 97
Internet
site,
BIBLIOGRAPHY
98
[12] S. Chowla, The Riemann Hypothesis and Hilbert’s Tenth Problem, Gordon and Breach, 150 Fifth Ave., New York, NY, 10011, 1965. [13] Richard Crandall and Carl Pomerance, Prime Numbers: A Computational Perspective, Springer, 2001. ´ [14] Etienne Fouvry, Th´eor`eme de Brun-Titchmarsh; application au th´eor`eme de Fermat, Inventiones mathematicae 79 (1985), 383–407. [15] John B. Fraleigh, A First Course in Abstract Algebra, Sixth ed., Addison Wesley Longman, 2000. [16] Shafi Goldwasser and Joe Kilian, Almost all primes can be quickly certified, Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing (11 West 42nd St., New York), Association for Computing Machinery, May 1986, pp. 316–329. [17] Gary L. Miller, Riemann’s Hypothesis and tests for primality, Journal of Computer and System Sciences 13 (1976), 300–317. [18] F. Morain, Primalit´e th´eorique et primalit´e pratique ou aks vs. ecpp, Available at http://www.lix.polytechnique.fr/Labo/Francois.Morain/aks-f.pdf, October 2002. [19] W. Narkiewicz, Elementary and Analytic Theory of Algebraic Numbers, Springer-Verlag, 1990. [20] Christos H. Papadimitriou, Computational complexity, Addison-Wesley, 1994. [21] S. J. Patterson, An Introduction to the Theory of the Riemann ZetaFunction, Cambridge Studies in Advanced Mathematics, Cambridge University Press, 1988. [22] Michael O. Rabin, Probabilistic algorithm for testing primality, Journal of Number Theory 12 (1980), 128–138. [23] Jaikumar Radhakrishnan, News from India; Primes is in P, Bulletin of the EATCS (2002), no. 78, 61–65, Available at http://www.tcs.tifr.res.in/˜jaikumar/Papers/eatcs.ps. [24] Fr´ed´eric Raynal, Test de primalt´e de Miller-Rabin, Available at http://www.security-labs.org/Download/miller-rabin.ps.gz, November 2001.
BIBLIOGRAPHY
99
[25] Paulo Ribenboim, The New Book of Prime Number Records, Third ed., Springer, 1996. [26] Kenneth H. Rosen, Elementary Number Theory and its Applications, 4 ed., Addison Wesley Longman, 2000. [27] Michiel Smid, Primality testing in polynomial time, Available at http://www.scs.carleton.ca/˜michiel/primes.ps.gz, December 2002. [28] R. Solovay and V. Strassen, A fast monte-carlo test for primality, SIAM Journal of Computing 6 (1977), no. 1, 84–85. [29] Jonathon Sondow, Analytic continuation of Riemann’s zeta function and values at negative integers via Euler’s transformation of series, Proceedings of the American Mathematical Society 120 (1994), no. 2, 421–424. [30] Herbert S. Wilf, Algorithms and Complexity, Prentice-Hall, 1986.
