The Computational Complexity of Primality Testing for Cryptographic Purposes

Thomas Steinke*

Supervisors: Douglas Bridges, Ben Martin, Tad Takaoka

University of Canterbury, Christchurch, New Zealand

Abstract

Primality testing, the problem of algorithmically identifying prime numbers, is of critical importance to cryptographic systems such as RSA. We give an expository survey of some of the algorithms currently at the forefront of the field. We focus on the AKS and Miller-Rabin primality tests; we have implemented, tested and timed both of these algorithms.

1 Introduction

Prime numbers are fundamental to much of mathematics. Primes have been seriously studied since at least around 300BC, when a proof that there are infinitely many appeared in the ninth book of Euclid's Elements. Today we have more practical reasons to study primes. Since the invention of digital computer networks, cryptographic algorithms based on number theoretic problems have become crucial to secure communication. We will present two efficient algorithms for determining whether a given number is prime or composite. First we present the AKS test. We have made modifications to both the algorithm and its proof of correctness. These modifications are intended to simplify and improve the performance of the algorithm. Second we present the Miller-Rabin test. The Miller-Rabin test is used by libraries such as OpenSSL (see http://www.openssl.org/docs/apps/genrsa.html). We begin with some motivation for the study of primality testing. We briefly explain encryption and decryption using RSA as presented in [17]. This is the means by which most secure internet transactions begin.

* [email protected]

To create a key, one begins by choosing two different prime numbers $p$ and $q$ and a suitable exponent $e$ (usually $e = 65537$); we require $\gcd(e, (p-1)(q-1)) = 1$. The public key is the pair $n = pq$ and $e$; the number $n$ is called the modulus. The public key is distributed to other parties to allow them to encrypt messages. The private key, which is needed for efficient decryption, is the pair $n$ and another exponent $d$. The decryption exponent $d$ is calculated to have the property $de = 1 + k(p-1)(q-1)$ for some integer $k$; the extended Euclidean algorithm allows $d$ to be calculated efficiently. To encrypt a message, it must first be converted to a number $m \in \mathbb{Z}_n^*$. The ciphertext $c$ is calculated as $c = m^e \pmod n$ and is transmitted. To decrypt a message $c$, one calculates $m' = c^d \pmod n$. As a result of Euler's theorem,
$$m' = c^d = (m^e)^d = m^{1 + k(p-1)(q-1)} = m \cdot \left(m^{\phi(n)}\right)^k = m \pmod n,$$
where $\phi(n)$ represents the Euler totient function. Hence this method successfully transmits $m$.

‘Breaking’ RSA, that is, decrypting a message without being given the private key, is usually done by factoring $n$ to find $p$ and $q$ and thus obtaining the private key. (It has not been shown that factoring $n$ is necessary for decrypting messages. It may be possible that an efficient method for breaking RSA exists which does not require factoring $n$.) Hence we see that the security of RSA depends on $n$ being difficult to factor. This requires us to choose $p$ and $q$ to be large (typically hundreds of digits in length) and difficult for others to guess, which means we must choose them randomly. In order to assume that RSA is secure, we must assume that there are no efficient algorithms for factoring large integers. (An efficient algorithm for integer factorisation which runs on a hypothetical quantum computer was devised by P. Shor in 1994 [20]. Quantum computers are still mostly hypothetical devices, so this algorithm does not present an immediate threat to RSA.) However, we must also have efficient algorithms for randomly generating large primes; otherwise generating good RSA keys would be computationally impossible. This problem can be solved and we shall explain some practical methods for doing so.

We will begin in Section 2 by showing that efficiently finding random primes can be done once one has an efficient primality testing algorithm. In Section 3 we will demonstrate the failings of elementary primality testing methods. Then, after having clarified the need for them, we will begin introducing some polynomial time tests. Deterministic tests are discussed in Section 4 and probabilistic tests are discussed in Section 5. After discussing a more theoretical viewpoint in Section 6, we conclude with Section 7. Our references and the appendix can be found at the end of this document.

We aim to give an overview of these algorithms that is intelligible to most senior undergraduate computer science or mathematics students. Some of the more interesting and simpler results are included in the main body of this document. However, we also wish to provide sufficient detail and rigor to convince the reader of the correctness of our main claims in a self-contained manner; for this reason we include several proofs in the appendix. The reader is warned that the proofs in the appendix are much longer and more difficult. Familiarity with mathematical rigor, modular arithmetic and abstract algebra (groups, rings and fields) is required to be comfortable with our arguments.
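The key generation, encryption and decryption steps described above, as an added Python example; this is not code from the paper or from [17]. The primes $p = 61$, $q = 53$ and the message $m = 65$ are constructed toy values and the function names are ours. The last function illustrates the point made above about breaking RSA: whoever can factor $n$ recomputes $d$, which is why real moduli use primes of hundreds of digits rather than the two-digit ones here.

```python
# Added example (not from the paper): textbook RSA with the extended Euclidean
# algorithm used to find d with d*e = 1 + k(p-1)(q-1).  The primes p = 61, q = 53
# and the message m = 65 are constructed toy values; real keys use large primes.
from math import gcd


def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g (iterative form)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modular_inverse(e, phi):
    """Return d with d*e = 1 (mod phi); requires gcd(e, phi) = 1."""
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return x % phi


def rsa_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for distinct primes p, q and public exponent e."""
    if p == q:
        raise ValueError("p and q must be different primes")
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler totient of n = pq
    d = modular_inverse(e, phi)        # d*e = 1 + k*phi for some integer k
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    """c = m^e (mod n); m must be a unit modulo n, as the text requires."""
    n, e = public_key
    if not (0 < m < n and gcd(m, n) == 1):
        raise ValueError("message must lie in Z_n^*")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """m' = c^d = m^(1 + k*phi(n)) = m (mod n) by Euler's theorem."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_exponent(public_key):
    """Break a toy key by trial-division factoring of n: anyone who can factor n
    can recompute d.  Hopeless at real key sizes, which is the whole point."""
    n, e = public_key
    p = 2
    while n % p:
        p += 1
    q = n // p
    return modular_inverse(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = rsa_keypair(61, 53)
    c = rsa_encrypt(public, 65)
    print("n =", public[0], "d =", private[1], "c =", c, "m' =", rsa_decrypt(private, c))
    print("d recovered from the public key alone:", recover_private_exponent(public))
```

With $e = 65537$ and $\phi(n) = 3120$ the exponent reduces to $65537 \equiv 17 \pmod{3120}$, so the key matches the familiar small worked example with $e = 17$, $d = 2753$.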

2 The Guess-and-Check Algorithm

The method generally used for randomly finding large primes proceeds as follows. It is the method recommended by [17].

Step 1. Randomly choose a suitable integer $n$.
Step 2. If $n$ is prime, we are done; return $n$.
Step 3. If $n$ is composite, we try again; go to Step 1.

While it is immediately obvious that this algorithm is correct, it is not so obvious that it is efficient. For this to be efficient, we require that there be many suitable primes so that the probability of finding one randomly is large. We also require an efficient means of identifying when we have found a prime number. What is meant by a ‘suitable’ integer varies depending on the application: it is recommended by [17] that $p$ and $q$ have certain properties, so the definition of suitable may be slightly more complicated than is mentioned here. We shall assume that suitable means $2 \le n \le m$ for some provided upper bound $m$.

Now we wish to prove that there are sufficiently many prime numbers in such intervals. Let $\pi(x)$ denote the number of prime numbers less than or equal to $x$. The famous prime number theorem states that
$$\frac{\pi(x)}{x/\ln(x)} \to 1 \quad \text{as } x \to \infty.$$
This allows us to determine that the expected number of iterations required for the Guess-and-Check algorithm is $\Theta(\log(m))$. We shall not prove this; however, we shall prove a weaker but sufficiently powerful lower bound on $\pi(x)$, which allows us to give an upper bound on the complexity of this algorithm.

For each positive integer $m$ denote the lowest common multiple of the numbers $1, 2, \dots, m$ by $L(m) = \min\{a > 0 : i \mid a \ (1 \le i \le m)\}$. We give a lower bound on $L(m)$ which leads to a lower bound on $\pi(m)$.

Lemma 1. For $m \ge 1$, $L(m) \ge 2^{m-2}$.

Proof. This proof comes from [14]. Let
$$I_m = \int_0^1 x^m (1-x)^m \, dx.$$
Since $0 \le x(1-x) \le \frac14$ for $0 \le x \le 1$, and $0 < x(1-x) < \frac14$ everywhere except three isolated points, we have
$$0 < I_m < \left(\tfrac14\right)^m.$$

Also,
$$\begin{aligned}
I_m \cdot L(2m+1) &= \int_0^1 x^m (1-x)^m \, dx \cdot L(2m+1) \\
&= \int_0^1 x^m \sum_{i=0}^{m} \binom{m}{i} (-x)^i \cdot L(2m+1) \, dx \\
&= \sum_{i=0}^{m} (-1)^i \binom{m}{i} L(2m+1) \int_0^1 x^{m+i} \, dx \\
&= \sum_{i=0}^{m} (-1)^i \binom{m}{i} \frac{L(2m+1)}{m+i+1},
\end{aligned}$$
which is a strictly positive integer, since $1 \le m+i+1 \le 2m+1$ implies that $L(2m+1)$ is always divisible by $m+i+1$. It follows that $I_m \cdot L(2m+1) \ge 1$, so
$$L(2m+1) \ge \frac{1}{I_m} \ge \frac{1}{(1/4)^m} = 4^m.$$
For odd $m$ we obtain $L(m) \ge 4^{(m-1)/2} = 2^{m-1} > 2^{m-2}$, and for even $m$, $L(m) \ge L(m-1) \ge 2^{m-2}$. □

Theorem 2. For $m \ge 2$, $\pi(m) \ge \dfrac{m-2}{\log_2(m)}$.

Proof. This proof also comes from [14]. We first give an upper bound on $L(m)$ based on prime numbers; then, using the lower bound from Lemma 1, we are able to derive the required result. Let $p_1, p_2, \dots, p_{\pi(m)}$ be all the primes less than or equal to $m$ and let
$$P_m = \prod_{i=1}^{\pi(m)} p_i^{\lfloor \log_{p_i}(m) \rfloor}.$$
We wish to show that $P_m \ge L(m)$ (in fact they are equal). We do this by showing that any integer $n$ with $1 \le n \le m$ divides $P_m$; so $P_m$ is a common multiple of $1, 2, \dots, m$; since $L(m)$ is the least common multiple, the result will follow. Take $1 \le n \le m$ and let the prime decomposition of $n$ be
$$n = p_1^{e_1} p_2^{e_2} \cdots p_{\pi(m)}^{e_{\pi(m)}}.$$
For $1 \le i \le \pi(m)$ we have
$$p_i^{e_i} \le n \le m \implies e_i \le \log_{p_i}(m),$$
so $p_i^{e_i}$ divides $p_i^{\lfloor \log_{p_i}(m) \rfloor}$ and hence $n$ divides $P_m$.

By Lemma 1, we have $P_m \ge L(m) \ge 2^{m-2}$. Since
$$\prod_{i=1}^{\pi(m)} p_i^{\log_{p_i}(m)} \ge P_m \ge 2^{m-2},$$
we have
$$\prod_{i=1}^{\pi(m)} p_i^{\log_{p_i}(m)} = \prod_{i=1}^{\pi(m)} m = m^{\pi(m)} \ge 2^{m-2}.$$
Hence $\pi(m) \ge \log_m\left(2^{m-2}\right) = \dfrac{m-2}{\log_2(m)}$. □

For $m \ge 3$, the probability of randomly choosing a prime number from the interval $2 \le n \le m$ is at least
$$\frac{(m-2)/\log_2(m)}{m-1} \ge \frac{1}{2 \log_2(m)}.$$

The number of iterations required by the Guess-and-Check algorithm to randomly find a prime in the range $2 \le n \le m$ is geometrically distributed. Hence the expected number of iterations is $O(\log(m))$. This shows us that once we have an efficient method for identifying primes, we already have an efficient method for finding primes and generating RSA keys. This motivates our search for efficient primality testing algorithms. Note that we require a general primality test, that is, a test which works efficiently for any $n > 1$. There are several primality tests which are only efficient for numbers with particular properties: for example, the Lucas-Lehmer-Riesel test [16] works efficiently for Mersenne numbers (numbers of the form $2^k - 1$) but not for arbitrary numbers.
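A numerical check of Theorem 2 and of the expected iteration count of Guess-and-Check, added here as an example; it is not part of the paper. A sieve stands in for the primality oracle only because $m$ is tiny; the function names and the fixed random seed are our own choices.

```python
# Added example (not part of the paper): a numerical check of Theorem 2 and of the
# expected cost of Guess-and-Check.  A sieve stands in for the primality oracle
# only because m is tiny here; the point is the density bound, not the test.
from math import isqrt, log2
import random


def primes_up_to(m):
    """Sieve of Eratosthenes: flags[n] == 1 iff n is prime, for 0 <= n <= m."""
    flags = bytearray([1]) * (m + 1)
    flags[0] = flags[1] = 0
    for i in range(2, isqrt(m) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(range(i * i, m + 1, i)))
    return flags


def prime_count(m):
    """pi(m): the number of primes <= m."""
    return sum(primes_up_to(m))


def density_bound(m):
    """The lower bound (m - 2) / log2(m) on pi(m) from Theorem 2, for m >= 2."""
    return (m - 2) / log2(m)


def guess_and_check(is_prime, m, rng):
    """Steps 1-3 above: draw n uniformly from [2, m] until is_prime(n) holds.
    Returns (n, number of draws)."""
    draws = 0
    while True:
        draws += 1
        n = rng.randint(2, m)
        if is_prime(n):
            return n, draws


def average_iterations(m, trials=2000, seed=0):
    """Mean number of draws over `trials` runs with a fixed seed (reproducible).
    Theorem 2 gives the bound 2 * log2(m) for m >= 3; the prime number theorem
    says the true value is roughly ln(m)."""
    flags = primes_up_to(m)
    rng = random.Random(seed)
    total = sum(guess_and_check(lambda n: flags[n], m, rng)[1] for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    for m in (1_000, 100_000):
        print(m, prime_count(m), round(density_bound(m), 1),
              average_iterations(m), round(2 * log2(m), 1))
```

For $m = 1000$ the sieve gives $\pi(m) = 168$ against a bound of about $100$, and the mean number of draws is close to $(m-1)/\pi(m) \approx 6$, well under the $2\log_2(m) \approx 20$ that the theorem guarantees.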

3 Trial Division

Trial division, also known as exhaustive division, is a simple primality test. It attempts to find a divisor of $n$, the number being tested. If it finds one, it determines that $n$ is composite; if not, it determines that $n$ is prime. Without any further analysis, it is obvious that this cannot be of much use in the RSA system; this is in fact a factoring algorithm. If this algorithm were used for RSA key generation, then an eavesdropper could use the same algorithm to factor the key. If we wish to use primality testing to our advantage in RSA, we will need an algorithm which is significantly faster than any factoring algorithm. This tells us that we cannot possibly use a ‘constructive’ compositeness test. Whatever primality test we use must give us no useful information about the factors of a composite number. Nevertheless, we shall continue to analyse this algorithm.

A first attempt at this method would divide $n$ by $2, 3, 4, \dots, n-1$. It is clear that $n$ is prime if and only if none of these numbers divides it. This takes $\tilde\Theta(n)$ time. (Here $f(n) = \tilde\Omega(g(n))$, $f(n) = \tilde\Theta(g(n))$ and $f(n) = \tilde O(g(n))$ denote that, for some $k \ge 0$, $f(n) = \Omega(g(n)(\log g(n))^k)$, $f(n) = \Theta(g(n)(\log g(n))^k)$ and $f(n) = O(g(n)(\log g(n))^k)$ respectively. For more detail on asymptotic notation see the appendix.) We can improve on this by noting that, if $n$ is composite, then at least one of its factors must be less than or equal to $\sqrt{n}$. This means we need only divide $n$ by $2, 3, 4, \dots, \lfloor \sqrt{n} \rfloor$, which requires $\tilde\Theta(\sqrt{n})$ time. We can further improve on this by only trying prime divisors. Theorem 2 tells us that, for $n \ge 3$, there are still at least $(n-2)/\log_2(n)$ primes up to $n$; applied to $\sqrt{n}$, this leaves $\Omega(\sqrt{n}/\log(n))$ prime divisors to consider. Thus we cannot hope to benefit significantly from eliminating composites. Trial division is clearly far too slow to be of practical use. Unfortunately, there are no obvious algorithms for solving this problem; we must appeal to more complicated methods to achieve the desired complexity. We want a polynomial time primality test; the running time of the algorithm must be bounded by a polynomial in the length (number of bits) of $n$. A polynomial time algorithm will have a complexity of the form $O((\log(n))^k)$, where $k$ is some positive integer. Remarkably, this can be achieved, as we shall soon see.

4 The AKS Primality Test

In this section we discuss polynomial time deterministic primality tests. The first such test was discovered by G. Miller in 1976 [13]; it runs in $\tilde O((\log(n))^4)$ time. However, it is not known that the test is correct, as the proof depends on the correctness of the extended Riemann hypothesis, which remains unproven.

The first unconditional algorithm is due to Manindra Agrawal, Neeraj Kayal and Nitin Saxena (AKS) [1]; it was only discovered in 2002. We follow their presentation with some changes. The idea behind the test is the following result.

Lemma 3. If $p$ is prime, then $(u+v)^p = u^p + v^p \pmod p$ and $(x+a)^p = x^p + a$ in the polynomial ring over $\mathbb{Z}_p$.

Proof. We have
$$(u+v)^p = u^p + \sum_{i=1}^{p-1} \binom{p}{i} u^i v^{p-i} + v^p,$$
where
$$\binom{p}{i} = p \cdot \frac{(p-1)(p-2)\cdots(p-i+1)}{i(i-1)(i-2)\cdots 1}.$$
In the above $1 \le i, i-1, i-2, \dots, 1 \le p-1$ and $p$ is prime, so $p$ cannot be a factor of the denominator. Hence $p$ can be factored out of the numerator of $\binom{p}{i}$ and we are left with an integer, which gives
$$\binom{p}{i} = 0 \pmod p, \qquad\text{so}\qquad (u+v)^p = u^p + v^p \pmod p.$$
In particular, applying this to the polynomial $x + a$ for some $a \in \mathbb{Z}_p$, we get $(x+a)^p = x^p + a^p = x^p + a \pmod p$, as $a^p = a \pmod p$ for $a \ne 0 \pmod p$ by Fermat's little theorem and trivially for $a = 0 \pmod p$. □

The converse of the second part of Lemma 3 is in fact also true. This alone forms the basis of a primality test: the number $n$ is prime if and only if, after choosing some $a \in \mathbb{Z}_n^*$, we have $(x+a)^n = x^n + a \pmod n$. Using this to test for primality requires far too much computation, since the left-hand side is a polynomial with $n+1$ coefficients. The test we present performs this computation modulo a polynomial of the form $x^r - 1$; if $r$ is sufficiently small, then this can be done efficiently.

For each positive integer $r$ and each $n \in \mathbb{Z}_r^*$, we denote by $|n|_{\mathbb{Z}_r^*}$ the order of $n$ in the group $\mathbb{Z}_r^*$, that is, the smallest $k > 0$ such that $n^k = 1 \pmod r$. We denote congruences, modulo an integer $a$ and a polynomial $f(x)$, by $A(x) = B(x) \pmod{f(x), a}$. This means that there exist polynomials $S(x)$ and $T(x)$ such that $A(x) - B(x) = S(x) \cdot f(x) + T(x) \cdot a$. We now present the algorithm and, based on some results from the appendix, we prove that it correctly determines whether its input is prime in polynomial time.

The AKS Primality Testing Algorithm
Input: $n > 1$
1. If $n = a^b$ for some $a, b > 1$, return COMPOSITE.
2. Find the smallest $r$ such that $n \in \mathbb{Z}_r^*$, $|n|_{\mathbb{Z}_r^*} > \lfloor \log_2(n) \rfloor^2$ and $r$ is a prime power.
3. If $1 < \gcd(a, n) < n$ for some $1 \le a \le r$, return COMPOSITE.
4. If $n \le r$, return PRIME.
5. For $1 \le a \le l = \lfloor \sqrt{\phi(r)} \rfloor \lfloor \log_2(n) \rfloor$: if $(x+a)^n \ne x^n + a \pmod{x^r - 1, n}$, return COMPOSITE.
6. Return PRIME.
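The algorithm as listed above, as an added Python example; the paper's own implementation is the C++/GMP code in its appendix, not this. Trial division from Section 3 is used only to certify the prime root of $r$ in step 2, and polynomials are plain coefficient lists multiplied by the schoolbook $O(r^2)$ method. The helper names are ours. The same `poly_powmod` also lets one see Lemma 3 directly: $(x+1)^7$ reduces to $x^7 + 1$ modulo 7, whereas $(x+1)^6$ modulo 6 does not collapse.

```python
# Added example (not the paper's C++/GMP implementation): the AKS test exactly as
# listed above, written in Python with plain integers and coefficient lists.
# Trial division (Section 3) only certifies the prime root of r in step 2.
from math import gcd, isqrt


def integer_root(n, b):
    """Largest a >= 1 with a**b <= n, by binary search."""
    lo, hi = 1, 1 << (n.bit_length() // b + 1)    # hi**b > n
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** b <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_perfect_power(n):
    """Step 1: is n = a**b for some a, b > 1?"""
    return any(integer_root(n, b) ** b == n for b in range(2, n.bit_length() + 1))


def is_prime_trial(n):
    """Trial division by 2..floor(sqrt(n)) (Section 3); used only on small r."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


def prime_power_root(r):
    """(p, k) with r = p**k and p prime, or None if r is not a prime power."""
    for k in range(r.bit_length(), 0, -1):     # largest exponent first: smallest root
        p = integer_root(r, k)
        if p ** k == r:
            return (p, k) if is_prime_trial(p) else None
    return None


def order_exceeds(n, r, bound):
    """True iff n**k != 1 (mod r) for all 1 <= k <= bound, i.e. |n| in Z_r^* > bound."""
    x = 1
    for _ in range(bound):
        x = x * n % r
        if x == 1:
            return False
    return True


def poly_mulmod(p, q, r, n):
    """Product of two polynomials (coefficient lists of length r) modulo (x^r - 1, n)."""
    out = [0] * r
    for i, pi in enumerate(p):
        if pi:
            for j, qj in enumerate(q):
                k = i + j if i + j < r else i + j - r     # reduce x^r to 1
                out[k] = (out[k] + pi * qj) % n
    return out


def poly_powmod(base, e, r, n):
    """base**e modulo (x^r - 1, n) by square-and-multiply."""
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, r, n)
        base = poly_mulmod(base, base, r, n)
        e >>= 1
    return result


def aks_is_prime(n):
    """Deterministic AKS test, in the variant above where r must be a prime power."""
    if n < 2:
        return False
    if is_perfect_power(n):                                      # step 1
        return False
    log_n = n.bit_length() - 1                                   # floor(log2 n)
    r = 2                                                        # step 2
    while not (gcd(n, r) == 1 and order_exceeds(n, r, log_n ** 2)
               and prime_power_root(r) is not None):
        r += 1
    for a in range(1, r + 1):                                    # step 3
        if 1 < gcd(a, n) < n:
            return False
    if n <= r:                                                   # step 4
        return True
    p, k = prime_power_root(r)
    phi_r = p ** (k - 1) * (p - 1)                               # Euler totient of p**k
    for a in range(1, isqrt(phi_r) * log_n + 1):                 # step 5
        lhs = poly_powmod([a % n, 1] + [0] * (r - 2), n, r, n)   # (x + a)^n
        rhs = [0] * r                                            # x^n + a mod (x^r - 1)
        rhs[n % r] = 1
        rhs[0] = (rhs[0] + a) % n
        if lhs != rhs:
            return False
    return True                                                  # step 6


if __name__ == "__main__":
    print([n for n in range(2, 40) if aks_is_prime(n)])
```

Even at this size the cost of step 5 is visible: for $n = 31$ the search settles on $r = 29$, and each of the $l = 20$ congruence checks raises a degree-28 polynomial to the 31st power, which is why composites (usually rejected in step 1 or 3) finish almost instantly while primes do not.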

Our algorithm differs from the original AKS one in two respects. First, it requires that $r$ be a prime power, which the original does not; this simplifies a later proof (Lemma 17). Our version of the proof of Lemma 17 is elementary and does not rely on cyclotomic polynomials, as [1] does. This will make the proof more understandable to those who are not familiar with polynomials over fields. Since this step does not dominate the computational complexity of the algorithm, our requirement has no effect on its asymptotic complexity. (We conjecture that the minimality of $r$ guarantees that it is a prime power anyway.) Secondly, the original algorithm has $\lfloor (\log_2(n))^2 \rfloor$ rather than $\lfloor \log_2(n) \rfloor^2$ in step 2. The reason for this change is that the former is quite difficult to calculate exactly, whereas the computation of the latter is simple. This is an important difference as one must calculate this value exactly in order for the proof to be valid. If a larger number is used, the proof of existence and an upper bound on $r$ may no longer be valid; if a smaller number is used, the algorithm may no longer be correct. To accommodate this change, the appropriate results have also been altered. Additionally, the $\lfloor \sqrt{\phi(r)} \log_2(n) \rfloor$ in step 5 of the original algorithm has been changed to $\lfloor \sqrt{\phi(r)} \rfloor \lfloor \log_2(n) \rfloor$ in ours. This is not very significant, as verifying that the congruence holds for more values of $a$ will not affect the correctness of the algorithm.

We next show that the algorithm terminates in $\tilde O(r^{3/2} (\log(n))^3)$ steps, and that it is correct based on some results from the appendix. Our complexity bound depends on using several fast algorithms, found in [22], to perform basic operations. The algorithm still runs in polynomial time if somewhat slower methods are used for some underlying operations, but it may have a higher complexity than $\tilde O(r^{3/2} (\log(n))^3)$.

Theorem 4. The AKS Primality Testing Algorithm correctly determines whether or not its input is prime in $\tilde O(r^{3/2} (\log(n))^3)$ steps.

Proof. Let $n$ and $r$ be as in the algorithm. We show that each individual part of the algorithm will only return a correct result and that it runs in $\tilde O(r^{3/2} (\log(n))^3)$ steps.

Step 1. If this step finds $a, b > 1$ such that $n = a^b$, then clearly $n$ is composite as we have a nontrivial factor $a$. Since $a \ge 2$, we must check for $b$th roots of $n$ for $2 \le b \le \lfloor \log_2(n) \rfloor$. Finding a root can be done using a binary search in $\tilde O((\log(n))^2)$ steps. This leads to an overall complexity of $\tilde O((\log(n))^3)$.

Step 2. Lemma 10 tells us that such an $r$ exists. If we start at $r = 2$ and test successively larger values of $r$, then we must check only $O(r)$ values. Each candidate requires checking that
– $\gcd(n, r) = 1$, which can be done in $\tilde O(\log(n) + (\log(r))^2)$ steps;
– $n^k \ne 1 \pmod r$ for $1 \le k \le \lfloor \log_2(n) \rfloor^2$, which can be done in $\tilde O((\log(n))^2 \log(r))$ steps; and
– $r$ is a prime power. Testing if $r$ is a prime power can be done by finding the smallest root of $r$. This requires testing for $O(\log(r))$ roots in $\tilde O((\log(r))^2)$ steps each. We then test if this root is prime, either by trial division or by recursively calling the algorithm; trial division takes $\tilde O(\sqrt{r})$ steps.
Overall, the complexity of this step is $\tilde O(r(\sqrt{r} + (\log(n))^2 \log(r)))$.

Step 3. If this step finds $a$ such that $1 < \gcd(a, n) < n$, then we have a nontrivial factor of $n$, so $n$ is composite. This involves computing the greatest common divisor of $r$ pairs of numbers; this takes $\tilde O(\log(n) + (\log(r))^2)$ steps for each pair. Thus the complexity is $\tilde O(r \log(n))$.

Step 4. If $n \le r$ then the preceding step amounts to trial division, so $n$ must be prime. Doing this comparison takes $O(\log(n) + \log(r))$ time.

Step 5. By Lemma 3, if $n$ is prime, then $(x+a)^n = x^n + a \pmod n$ for every $a$; if this test fails, then $n$ cannot be prime. This step dominates the complexity of the algorithm. The loop runs
$$l = \lfloor \sqrt{\phi(r)} \rfloor \lfloor \log_2(n) \rfloor = O(\sqrt{r} \log(n))$$
times. Each iteration involves computing $(x+a)^n$ modulo $x^r - 1$ and $n$. Fast exponentiation leads to $O(\log(n))$ multiplications of polynomials. If simple polynomial multiplication is used, we require $O(r^2)$ arithmetic operations in $\mathbb{Z}_n$. However, faster polynomial multiplication methods exist which require $\tilde O(r)$ operations. Each operation can be done in $\tilde O(\log(n))$ steps. Thus the overall complexity of this step and of the algorithm is
$$\tilde O(\sqrt{r} \log(n) \cdot \log(n) \cdot r \cdot \log(n)) = \tilde O(r^{3/2} (\log(n))^3).$$

Step 6. By Lemma 20, if we reach the end of the algorithm, then $n$ is prime. This takes $O(1)$ steps. □

Lemma 10 shows that $r \le \max\{3, \lceil (\log_2(n))^5 \rceil\}$. So we can prove that the algorithm terminates in $\tilde O((\log(n))^{21/2})$ steps. However, this bound on $r$ is far from tight. It can in fact be shown that $r = O((\log(n))^3)$ and the algorithm runs in $\tilde O((\log(n))^{15/2})$ steps. Empirical evidence as well as several conjectures, including the Extended Riemann Hypothesis, lead to the conclusion that $r = O((\log(n))^2)$; this would put the running time of the algorithm at $\tilde O((\log(n))^6)$. A different version of this algorithm has been discovered [8] which provably runs in $\tilde O((\log(n))^6)$ steps.

While $\tilde O((\log(n))^6)$ is a massive achievement, and it proves that primality testing can be done deterministically and unconditionally in polynomial time, it still leaves much to be desired practically. This algorithm is too slow to compete with the algorithms we will meet in the next section. The AKS test is primarily of theoretical interest.

For testing, this algorithm was implemented in C++ using the GMP library (http://gmplib.org/) for arithmetic; the code can be found in the appendix. Figure 1 details the runtime of the algorithm on randomly generated input. Note that computations taking longer than 1000 seconds were terminated and are not shown on Figure 1. It is obvious from the graph that this is impractically slow. The algorithm takes more than 10 minutes to prove that 452537 is prime. The large jump in time occurring around $\log_2(n) = 16$ can be explained as the point where integer resolution must be increased to avoid overflow. The graph shows that composite numbers are identified as being so very quickly. This suggests that the value of $l$ is perhaps excessive. We have discovered a method of improving the performance of the algorithm by decreasing $l$. Our experiments show that an improvement of a factor of about 3 can be achieved. We describe this method in the appendix after the proof of Lemma 20 on page 30.

Figure 1: Running time of the AKS primality test.

5 The Miller-Rabin Test

To improve on the $\tilde O((\log(n))^6)$ bound offered by deterministic primality tests, we must make use of randomness. Random algorithms have access to a source of random data.

It is clear that one must make sacrifices to gain performance improvements from random algorithms: suppose that we have a random primality testing algorithm that has worst-case polynomial time complexity and always gives correct answers. Since the algorithm is guaranteed to give correct results in polynomial time regardless of the random input, it can be made into an equally fast deterministic algorithm by feeding deterministic data in. In order to gain from randomness, one must either accept non-polynomial time in the worst case or accept a non-zero probability of error.

We shall consider some algorithms which admit a small probability of incorrectly identifying a composite number as being prime. These algorithms work by randomly attempting to prove that their input $n$ is composite, using some variant of Fermat's little theorem. If they are unable to prove that $n$ is composite, then it is considered to be ‘probably prime’. These algorithms are more correctly called compositeness testing algorithms. We require that, for composite $n$, the probability of successfully proving $n$ to be composite is large. Let us begin by stating and proving Fermat's little theorem.

Theorem 5. If $p$ is prime and $0 < a < p$, then $a^{p-1} = 1 \pmod p$.

Proof. This proof comes from [6]. We prove this by proving that $p$ divides $a^p - a$; since $p$ does not divide $a$, we can conclude that $p$ divides $a^{p-1} - 1$, as required. We take an alphabet containing $a$ characters. We consider the set $S$ of all strings of length $p$ except those which are one character repeated $p$ times. Clearly, there are $a^p$ strings of length $p$ and $a$ strings of one character repeated; so $S$ contains $a^p - a$ elements. We attempt to partition $S$ into groups of $p$ elements. If this succeeds, then we know that the size of $S$ is divisible by $p$, which gives the desired result. We form groups by taking strings related by cyclic shifts. A cyclic shift consists of taking one character from one end of the string and appending it to the other end of the string. This process can be repeated arbitrarily many times. Suppose that one of these groups has size $k < p$. This means that removing the last $k$ characters from the end of the string and appending them to the front will give the same string. Hence the string is a repetition of a smaller string of length $k$. This means that $k$ must divide $p$, as we can create a string of $p$ characters from a repetition of a string of $k$ characters. Since $p$ is prime and $k < p$, we have $k = 1$; the string is one character repeated $p$ times. This is impossible as $S$ does not contain such strings; so all groups must have size $p$, as required. □

It is possible to create a test using only Fermat's little theorem. This is called the Fermat test. It can be shown that this test performs well on most inputs. Unfortunately, the Fermat test will almost always give an incorrect answer on Carmichael numbers; it is rarely used as a primality test. A Carmichael number $n$ is a composite number that satisfies $a^{n-1} = 1 \pmod n$ for every $a \in \mathbb{Z}_n^*$; the smallest example is $561 = 3 \cdot 11 \cdot 17$. We must use stronger versions of Fermat's little theorem. The first practical primality test of this form was discovered by R. Solovay and V. Strassen in 1974 [21]. It is based on a result about the value of $a^{(p-1)/2} \pmod p$. In 1980 M. Rabin produced another primality test [15] based on the conditional deterministic test by G. Miller [13]. The Miller-Rabin test has superseded the Solovay-Strassen test as it is faster. The Miller-Rabin test is based on the following result.

Lemma 6. If $p$ is an odd prime and $p - 1 = 2^s d$ where $d$ is odd, then for any $0 < a < p$, we have either $a^d = 1 \pmod p$ or $a^{2^r d} = -1 \pmod p$ for some $r$ with $0 \le r \le s-1$.

Proof. Suppose that $a^{2^r d} \ne -1 \pmod p$ for $0 \le r \le s-1$. We now show, by induction downward from $r = s$, that $a^{2^r d} = 1 \pmod p$ for $0 \le r \le s$. Therefore $a^{2^0 d} = a^d = 1 \pmod p$, as required.

Firstly, by Fermat's little theorem, since $a \in \mathbb{Z}_p^*$, we have $a^{p-1} = a^{2^s d} = 1 \pmod p$. Since $\mathbb{Z}_p$ is a field, $x^2 - 1$ has no more than two distinct roots over $\mathbb{Z}_p$ (Lemma 16). Thus there are no more than two distinct solutions to the congruence $b^2 = 1 \pmod p$; as $p > 2$ we have $+1$ and $-1$ being these solutions. Now the induction step: suppose that $a^{2^r d} = 1 \pmod p$ for some $r > 0$. Then $(a^{2^{r-1} d})^2 = a^{2^r d} = 1 \pmod p$; so $a^{2^{r-1} d} = \pm 1 \pmod p$. The $-1$ case is impossible due to our original supposition; so $a^{2^{r-1} d} = 1 \pmod p$, as required. □

Furthermore, it can be shown that, if $n > 1$ is an odd composite integer, then at least three quarters of all possible values of $a$ will prove that $n$ is composite by Lemma 6. The proof can be found in the appendix as Lemma 25.

The Miller-Rabin Primality Testing Algorithm
Input: $n > 1$, $k \ge 1$
1. If $n$ is even, then: if $n = 2$, return PRIME; otherwise return COMPOSITE.
2. Set $s$ and $d$ such that $n - 1 = 2^s d$ and $d$ is odd.
3. Repeat the following loop $k$ times.
4.    Randomly choose $1 < a < n$.
5.    If $\gcd(a, n) \ne 1$ return COMPOSITE.
6.    Set $x \leftarrow a^d \pmod n$.
7.    If $x = \pm 1$, continue to the next loop iteration.
8.    Repeat $s - 1$ times:
9.       Set $x \leftarrow x^2 \pmod n$.
10.      If $x = -1$, continue to the next loop iteration.
11.   Return COMPOSITE.
12. Return PROBABLY PRIME.
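The Miller-Rabin algorithm as listed above, as an added Python example (the paper's GMP implementation is in its appendix, not here), together with a one-base Fermat test for comparison on the Carmichael number 561 from the preceding discussion, and the Guess-and-Check loop of Section 2 driven by Miller-Rabin to produce a random prime of a requested bit length. The `rng` parameter, the helper names and the default of $k = 20$ are ours; a production key generator would draw bases and candidates from the operating system's CSPRNG (Python's `secrets` module) rather than from `random`.

```python
# Added example (not the paper's GMP implementation): Miller-Rabin as listed above,
# a single-base Fermat test for comparison on the Carmichael number 561, and the
# Guess-and-Check loop of Section 2 driven by Miller-Rabin.  The rng parameter
# is ours; a real key generator would use the OS CSPRNG (Python's secrets module).
from math import gcd
import random


def fermat_probable_prime(n, a):
    """Fermat test with base a: a^(n-1) = 1 (mod n)?  Fooled by Carmichael numbers."""
    return pow(a, n - 1, n) == 1


def strong_probable_prime(n, a):
    """Steps 5-11 for one base a on odd n > 2: False iff a proves n composite
    (Lemma 6); always True when n is prime."""
    if gcd(a, n) != 1:                        # step 5: a shares a factor with n
        return False
    s, d = 0, n - 1                           # step 2: n - 1 = 2^s * d, d odd
    while d % 2 == 0:
        s, d = s + 1, d // 2
    x = pow(a, d, n)                          # step 6
    if x == 1 or x == n - 1:                  # step 7: x = +1 or -1
        return True
    for _ in range(s - 1):                    # steps 8-10
        x = x * x % n
        if x == n - 1:
            return True
    return False                              # step 11


def miller_rabin(n, k=20, rng=random):
    """PRIME, COMPOSITE or PROBABLY PRIME, as in the algorithm; error at most 4^-k."""
    if n < 2:
        return "COMPOSITE"
    if n % 2 == 0:                            # step 1
        return "PRIME" if n == 2 else "COMPOSITE"
    for _ in range(k):                        # step 3
        a = rng.randrange(2, n)               # step 4: 1 < a < n
        if not strong_probable_prime(n, a):
            return "COMPOSITE"
    return "PROBABLY PRIME"                   # step 12


def is_probable_prime(n, k=20, rng=random):
    return miller_rabin(n, k, rng) != "COMPOSITE"


def random_prime(bits, k=20, rng=random):
    """Guess-and-Check: odd candidates with the top bit set, until one passes."""
    if bits < 2:
        raise ValueError("need at least 2 bits")
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, k, rng):
            return n


def witnesses(n):
    """Bases 1 < a < n that prove odd n composite; Lemma 25 says these are at
    least three quarters of Z_n^* when n is an odd composite."""
    return [a for a in range(2, n) if not strong_probable_prime(n, a)]


if __name__ == "__main__":
    print("561: Fermat base 2 ->", fermat_probable_prime(561, 2),
          "| Miller-Rabin base 2 ->", strong_probable_prime(561, 2))
    print("witness fraction for 561:", len(witnesses(561)) / (561 - 2))
    p = random_prime(512, rng=random.Random(42))
    print(p.bit_length(), "bit probable prime:", p)
```

For $n = 561$ the base $a = 2$ satisfies $2^{560} = 1 \pmod{561}$, so the Fermat test is fooled, but $560 = 2^4 \cdot 35$ and the sequence $2^{35}, 2^{70}, 2^{140}, 2^{280} \pmod{561}$ is $263, 166, 67, 1$: it reaches $1$ without passing through $-1$, which by Lemma 6 cannot happen for a prime, so one round of Miller-Rabin already rejects it.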

We now show that this algorithm will give correct results with a probability of at least $1 - \left(\frac14\right)^k$.

Theorem 7. The Miller-Rabin Primality Testing Algorithm always terminates in $\tilde O(k \cdot (\log(n))^2)$ steps. If $n$ is composite, then the probability of returning PROBABLY PRIME is at most $4^{-k}$; otherwise it will always give the correct answer.

Proof. Let $n$, $s$ and $d$ be as in the algorithm. We show that each part of the algorithm only returns the required results and terminates in $\tilde O(k \cdot (\log(n))^2)$ steps.

• Initialisation: Identifying $s$ and $d$ can be done by repeatedly dividing $n - 1$ by 2. Each division, in the form of a shift, takes $O(\log(n))$ time, as does the single subtraction. Since $s \le \log_2(n-1)$, there are only $O(\log(n))$ such divisions. Hence calculating $s$ and $d$ takes $O((\log(n))^2)$ steps. Checking whether $n$ is even involves checking the last bit of $n$ in binary form; clearly this part returns correct results and takes $O(\log(n))$ steps.

• Choosing $a$: Choosing $a$ at random can be done in $O(\log(n))$ steps (provided that the source of randomness can produce $a$ this fast). Checking that $\gcd(a, n) = 1$ can be done in $\tilde O((\log(n))^2)$ steps. Clearly, if this step returns COMPOSITE, then $n$ is composite as we have found a nontrivial factor. This check is, however, not strictly necessary; if $\gcd(a, n) \ne 1$, then $a^k \ne \pm 1 \pmod n$ for all integers $k \ge 1$ and the test will determine that $n$ is composite anyway.

• Performing the Test: By Lemma 6, if this step finds that $a^d \ne 1 \pmod n$ and $a^{2^r d} \ne -1 \pmod n$ for $0 \le r < s$ and returns COMPOSITE, then $n$ must be composite. Performing this test involves calculating $a^d \pmod n$, which can be done in $\tilde O((\log(n))^2)$ steps using fast exponentiation. Then we must square $s - 1$ times; each squaring takes $\tilde O(\log(n))$ steps. Overall, $\tilde O((\log(n))^2)$ steps are required for performing the test.

• Positive Result: If the algorithm returns PROBABLY PRIME, then we have checked that $k$ random elements from $\mathbb{Z}_n^*$ are all in the set
$$B_n = \{a \in \mathbb{Z}_n^* : a^d = 1 \pmod n \text{ or } a^{2^r d} = -1 \pmod n \text{ for some } r \text{ with } 0 \le r \le s-1\}.$$
By Lemma 25, if $n$ is odd and composite, then
$$\frac{|B_n|}{|\mathbb{Z}_n^*|} \le \frac14.$$
Thus, the probability of each $a$ value being in $B_n$ is at most one in four. Since the $k$ values of $a$ are chosen independently, the probability that all $k$ are in $B_n$ and we incorrectly return PROBABLY PRIME is at most $4^{-k}$.

This shows that, if the algorithm returns PRIME or COMPOSITE, then $n$ is in fact prime or composite respectively. Also the probability of PROBABLY PRIME being returned for a composite $n$ is at most $4^{-k}$. All of the parts run in $\tilde O((\log(n))^2)$ steps with the loop repeating $k$ times. □

This algorithm is very practical: with as few as 20 iterations we can ensure that the probability of failure is less than one in a trillion, since $4^{-20} < 10^{-12}$. It can be proved that, for most values of $n$, the one in four probability bound is not tight. Values for which this is close to tight are rare. We can, under certain conditions, safely use as few as 3 iterations to obtain very low failure probabilities for the Guess-and-Check algorithm. See [11] for these results. Note that these reduced iteration counts rely on $n$ itself having been chosen at random, as in Guess-and-Check; for an $n$ supplied by another party, who may have selected it to have unusually many liars, only the $4^{-k}$ bound with independently chosen random bases applies.

This algorithm has been implemented in C++ using the GMP library for arithmetic; the source code can be found in the appendix. Figure 2 shows the runtime of the algorithm on randomly generated primes. Note that the regression line in Figure 2 is a cubic rather than quadratic. This is because, for small numbers, the GMP library will use a $\Theta((\log(n))^2)$ time multiplication algorithm, rather than a $\tilde\Theta(\log(n))$ time algorithm. (The latter only becomes more efficient for extremely large numbers.) Clearly this is a very fast and practical test. Using the Guess-and-Check algorithm with the Miller-Rabin primality test, we are able to produce a 5000-bit random prime in under two minutes. We are also able to find 550-bit prime numbers, which is nearer the size used in RSA, in about one second.

Figure 2: Running time of the Miller-Rabin primality test on prime input with $k = 20$.

6

Theoretical Viewpoint

So far we have presented primality testing algorithms as a quest for faster algorithms. This is perhaps not representative of the field. The Miller-Rabin test was discovered more than 20 years before the AKS test; yet, despite being far slower than the Miller-Rabin test, the AKS test is still considered to be very important. It is perhaps more representative to present these algorithms as a quest to remove randomness from the polynomial time algorithms. To show the nature of this quest, we shall define some complexity classes. A complexity class is a set of decision problems for which a certain type of algorithm exists. A decision problem is one for which there is a yes or no answer; for the problem of primality testing, the answer is either prime (yes) or composite (no). The exact definition of what constitutes an algorithm is based on the idea of a Turing machine which either accepts (yes) or rejects (no) its input; see [4] for more details about Turing machines. We shall consider random algorithms – that is, algorithms which have access to a source of true randomness. Now we shall define some probabilistic complexity classes. BPP Bounded error Probabilistic Polynomial time: problems for which there exists a random algorithm which always has a probability of giving the correct answer of at least two thirds9 , and always halts in polynomial time. 9

The choice of two thirds as the success probability is arbitrary. Any fixed value in the interval ( 21 , 1) will give an equivalent definition of BPP.

14

RP (Randomized Polynomial time): problems for which there exists a random algorithm which never gives a false positive and always has a probability of giving the right answer of at least one half (footnote 10), and always halts in polynomial time.

co-RP (Complement of RP): problems for which there exists a random algorithm which never gives a false negative and always has a probability of giving the right answer of at least one half, and always halts in polynomial time.

ZPP (Zero error Probabilistic Polynomial time): problems for which there exists a random algorithm which always gives the correct answer and, on average, halts in polynomial time. (However the algorithm may have a worst case which is not polynomial time but extremely improbable.)

P (Polynomial time): problems for which there exists a deterministic algorithm which always gives the correct answer and halts in polynomial time.

Footnote 10: Again, the choice of one half is arbitrary. Any fixed value in (0, 1) can be used.

If we denote that A is a subset of B with an arrow from A to B, then the above complexity classes are related as follows.

[Figure: inclusion diagram of the classes P, ZPP, RP, co-RP and BPP, with P ⊆ ZPP ⊆ RP ⊆ BPP and P ⊆ ZPP ⊆ co-RP ⊆ BPP.]

All problems in these complexity classes are considered to be ‘easy’ as there are polynomial time algorithms to solve them with high certainty. Ever since the first random polynomial time primality testing algorithms emerged in 1974, the goal has been to bring the problem down towards P. The probabilistic tests we have described here show that primality testing is in co-RP: If we run the Miller-Rabin test for only one iteration, then we have a polynomial time algorithm which can prove that its input is composite (a proof means that we never get a false negative) and will do so with a probability of at least three quarters if that is the case. In 1992 it was also shown by L. Adleman and M-D. Huang [10] that primality testing is in RP. Algorithms from RP are more practical for proving the primality of a number than the AKS test. However, in practice co-RP algorithms are still used, as proving that a number is ‘probably prime’ is usually sufficient.

We can then show that primality testing lies in ZPP: If we take an RP algorithm and a co-RP algorithm and continually alternate between iterations of the RP and co-RP algorithms, then we have an algorithm which will eventually prove that the input is either prime (through the RP algorithm) or composite (through the co-RP algorithm). This algorithm will on average run in polynomial time, as the probability that we successfully determine the answer at every stage is at least one half.

The AKS test [1] completed the quest in 2002: The authors showed that deterministic polynomial time primality testing is possible. Since the discovery of G. Miller’s conditional algorithm [15], it has been conjectured that primality testing is in P. In fact it is conjectured (for example [3] page 343) that BPP = P – that is, all problems solvable in polynomial time by a random algorithm can also be solved in polynomial time by a deterministic algorithm. However, while a deterministic algorithm may be desirable theoretically, in practice a random algorithm may be superior, as the comparison between AKS and Miller-Rabin shows.

7 Conclusion

Here we summarise what we have learnt and achieved and, hopefully, have conveyed through this report. We have seen that primality testing can be done in polynomial time. This fact is far from obvious upon initial inspection of the problem. The algorithms for achieving this are deceptively simple: They can be described in merely a few lines, but to demonstrate that they are correct and efficient requires several pages of careful reasoning.

We have also seen that randomness is a very important tool. No practical method for primality testing that is deterministic is known; all practical methods rely on randomness. The AKS test, while a major theoretical breakthrough, has not yet enjoyed any practical success. It is still more efficient to use co-RP algorithms to eliminate composites and RP algorithms to prove that numbers are prime than it is to use the AKS test. The reason why randomness is so crucial is that the patterns being studied are so complex that they are not efficiently predictable enough for deterministic methods to succeed. Alternatively, we may simply lack the understanding of these patterns required to devise such methods. The most we can thus far achieve is to show that we seek objects which are plentiful. This allows us to be confident that random methods will quickly succeed.

It is interesting to note that the efficient methods for primality testing we have discussed are in fact compositeness tests; they cannot prove that a number is prime, only that it is composite. It would perhaps be more appropriate to call these methods compositeness testing algorithms. However, in practice these algorithms are used to identify primes and are therefore usually called primality tests. This is because in practice we are not as concerned about proving that a number is prime as we are for theoretical applications.

From the practical viewpoint, the most important realisation is the existence of practical methods for finding large random prime numbers, such as the Guess-and-Check method along with the Miller-Rabin primality test. This is an extremely important realisation for RSA: As we saw in Section 1, without efficient algorithms for finding primes, RSA keys cannot be created effectively. Examining the details of these tests has also shown us the secret to RSA’s security. By studying these tests, we see the difference between primality testing and prime factorisation. These are two very different problems. None of the efficient primality tests will give us any useful information about the factors of a composite number; we are merely assured that nontrivial factors exist. This is the difference between testing and factoring: A testing algorithm will prove that a given number has nontrivial factors, but may not identify them. A factoring algorithm will find any factors. It is the asymmetry between primality testing and factorisation which RSA depends on. Legitimate users of the system are able to use polynomial time algorithms, including those for primality testing, for communication. However, illegitimate users are faced with a problem for which no practical method of solution is currently known to exist.

As this is a very large and well developed field, the focus has been primarily on understanding existing algorithms for primality testing. The Miller-Rabin and AKS tests have been implemented for testing purposes; the source code can be found in the appendix. However, some improvements to the AKS test have also been made. One of the computations involved in the AKS test has been simplified, and a method for tripling the speed has been devised. The proof of Lemma 17 has also been altered to avoid cyclotomic polynomials. This makes the test easier to understand for those who are not experts in the required areas. Unfortunately, the latter two of these improvements require one to explore the AKS test more than has been done here. For the sake of brevity, most of the details of the AKS test have only been included in the appendix. Hence our improvements are only found there (footnote 11).

Footnote 11: The improvements to the AKS test can be found on pages 8, 26 and 30 respectively.

References

[1] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. PRIMES is in P. Annals of Mathematics, 160(2):781–793, 2004.
[2] Alfred V. Aho, John E. Hopcroft, and Jeffrey D. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley, 1974.
[3] Sanjeev Arora and Boaz Barak. Computational Complexity: A Modern Approach. Cambridge University Press. Draft, to appear March 2009.
[4] Frank S. Beckman. Mathematical Foundations of Programming. Addison-Wesley, 1981.
[5] Douglas S. Bridges. Lecture notes on the analysis of algorithms. Notes from supervisor.

[6] Edsger W. Dijkstra. A short proof of one of Fermat’s theorems. Circulated privately, May 1980.
[7] Martin Fürer. Faster integer multiplication. In 39th ACM STOC, pages 57–66, San Diego, California, USA, June 2007. http://www.cse.psu.edu/~furer/Papers/mult.pdf.
[8] H. W. Lenstra, Jr. and Carl Pomerance. Primality testing with Gaussian periods. (Preliminary version 2005) http://www.math.dartmouth.edu/~carlp/PDF/complexity12.pdf, 2005.
[9] Hans-Jörg Reiffen, Günter Scheja, and Udo Vetter. Algebra. Bibliographisches Institut, Mannheim/Wien/Zürich, 1969. (German).
[10] Leonard M. Adleman and Ming-Deh A. Huang. Primality Testing and Abelian Varieties Over Finite Fields. Springer-Verlag, 1992.
[11] Ivan Damgård, Peter Landrock, and Carl Pomerance. Average case error estimates for the strong probable prime test. Mathematics of Computation, 61(203):177–194, July 1993.
[12] Donald E. Knuth. The Art of Computer Programming, volume 2. Addison-Wesley, 1969.
[13] Gary L. Miller. Riemann’s hypothesis and tests for primality. Journal of Computer and System Sciences, 13(3):300–317, 1976.
[14] M. Nair. On Chebyshev-type inequalities for primes. American Math. Monthly, 89(2):126–129, February 1982.
[15] Michael O. Rabin. Probabilistic algorithm for testing primality. Journal of Number Theory, 12(1):128–138, 1980.
[16] Hans Riesel. Lucasian criteria for the primality of $N = h \cdot 2^n - 1$. Mathematics of Computation, 23(108):869–875, October 1969.
[17] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, September 1977.
[18] A. Schönhage and V. Strassen. Schnelle Multiplikation großer Zahlen (fast multiplication of large numbers). Computing: Archiv für elektronisches Rechnen (Archives for electronic computing), 7:281–292, 1971. (German).
[19] René Schoof. Four primality testing algorithms. http://www.mat.uniroma2.it/~schoof/millerrabinpom.pdf.
[20] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26:1484, 1997.
[21] R. Solovay and V. Strassen. A fast Monte-Carlo test for primality. SIAM Journal on Computing, 6(1):84–85, March 1977.
[22] Joachim von zur Gathen and Jürgen Gerhard. Modern Computer Algebra. Cambridge University Press, 1999.

8 Appendix

8.1 Notation and Arithmetic

This section is intended as a reference for the notation used in this document and also for some results about the complexity of arithmetic operations.

Notation and meaning:
$f(n) = O(g(n))$: There exist constants $A, B > 0$ such that, if $|n| > A$, then $|f(n)/g(n)| < B$.
$f(n) = \Omega(g(n))$: $g(n) = O(f(n))$.
$f(n) = \theta(g(n))$: $f(n) = O(g(n))$ and $f(n) = \Omega(g(n))$.
$f(n) = \tilde{O}(g(n))$: There exists a constant $k \geq 0$ such that $f(n) = O(g(n) \cdot (\log(g(n)))^k)$.
$f(n) = \tilde{\Omega}(g(n))$: $g(n) = \tilde{O}(f(n))$.
$f(n) = \tilde{\theta}(g(n))$: $f(n) = \tilde{O}(g(n))$ and $f(n) = \tilde{\Omega}(g(n))$.
$|n|_{\mathbb{Z}_r^*}$: The smallest $k > 0$ such that $n^k = 1 \pmod r$.
$A = B \pmod n$: There exists an $s$ such that $A = B + s \cdot n$.
$A(x) = B(x) \pmod{f(x), n}$: There exist polynomials $S(x)$ and $T(x)$ such that $A(x) = B(x) + S(x) \cdot f(x) + T(x) \cdot n$.
$a \mid b$: $a$ divides $b$ – that is, there exists an integer $k$ such that $b = ka$.
$\gcd(a, b)$: The greatest common divisor of $a$ and $b$ – the largest integer that divides both $a$ and $b$.
$\mathbb{Z}_n^*$: The multiplicative group of the integers modulo $n$.
$\phi(n)$: The Euler totient function, $\phi(n) = |\mathbb{Z}_n^*|$ – the number of integers $0 < a < n$ with $\gcd(a, n) = 1$.

Operation and complexity:
$a + b$: $O(\log(|a|) + \log(|b|))$. See [12] pages 229 to 248.
$a - b$: Same as addition.
$a \cdot b$: $\tilde{O}(\log(|a \cdot b|))$ or $O(\log(|a \cdot b|) \cdot \log(\log(|a \cdot b|)) \cdot \log(\log(\log(|a \cdot b|))))$. See [18] or, for a tighter bound, see [7].
$\lfloor a/b \rfloor$: Same as multiplication; see [2] page 286.
$a \pmod b$: Same as multiplication.
$\gcd(a, b)$: $\tilde{O}(\log(\max\{|a|, |b|\}) + (\log(\min\{|a|, |b|\}))^2)$ using the Euclidean algorithm; see [5] page 13.
$a^{-1} \pmod b$: $\tilde{O}(\log(|a|) + (\log(|b|))^2)$, using the extended Euclidean algorithm.

8.2 The AKS Test

We begin by proving the existence of a suitable r and giving a loose upper bound on it. We break the proof into three lemmas.

Lemma 8. Let
$$f(x) = x^4 - 2, \qquad g(x) = \log_2(x^5 + 1) + \tfrac{1}{2} x^2 (x^2 + 1).$$
If $x \geq \log_2(5)$, then $f(x) > g(x)$.

Proof. When $x = \log_2(5)$, we have $f(x) - g(x) \geq 3 > 0$. If $x \geq \log_2(5)$, then, noting that
$$\frac{1}{x} \leq \frac{1}{\log_2(5)} = \frac{\ln(2)}{\ln(5)} \implies \frac{1}{x \ln(2)} \leq \frac{1}{\ln(5)},$$
and $\log_2(5) > 2$, we have
$$\begin{aligned}
\frac{d}{dx}(f(x) - g(x)) &= 4x^3 - 2x^3 - x - \frac{1}{\ln(2)} \cdot \frac{5x^4}{x^5 + 1} \\
&\geq 2x^3 - x - \frac{1}{\ln(2)} \cdot \frac{5}{x} \\
&\geq x(2x^2 - 1) - \frac{5}{\ln(5)} \\
&\geq 2(2 \cdot 2^2 - 1) - 5 > 0.
\end{aligned}$$
Hence $f(x) - g(x)$ is strictly increasing for $x \geq \log_2(5)$, and the result follows. □

Let
$$B_n = \lceil (\log_2(n))^5 \rceil, \qquad P_n = n^{\lfloor \log_2(B_n) \rfloor} \prod_{i=1}^{\lfloor \log_2(n) \rfloor^2} (n^i - 1).$$

Lemma 9. If $n \geq 3$, then $P_n < 2^{B_n - 2}$.

Proof. We first compute
$$P_3 = 54 < 512 = 2^{B_3 - 2}, \qquad P_4 = 740{,}275{,}200 < 1{,}073{,}741{,}824 = 2^{B_4 - 2}.$$
If $n \geq 5$, then
$$\begin{aligned}
P_n &= n^{\lfloor \log_2(B_n) \rfloor} \prod_{i=1}^{\lfloor \log_2(n) \rfloor^2} (n^i - 1) \\
&\leq n^{\log_2(B_n)} \prod_{i=1}^{\lfloor \log_2(n) \rfloor^2} n^i \\
&= n^{\log_2(B_n) + \sum_{i=1}^{\lfloor \log_2(n) \rfloor^2} i} \\
&= n^{\log_2(B_n) + \frac{1}{2} \lfloor \log_2(n) \rfloor^2 (\lfloor \log_2(n) \rfloor^2 + 1)} \\
&\leq n^{\log_2((\log_2(n))^5 + 1) + \frac{1}{2} (\log_2(n))^2 ((\log_2(n))^2 + 1)} \\
&< n^{(\log_2(n))^4 - 2} \qquad \text{(by Lemma 8)} \\
&\leq 2^{(\log_2(n))^5 - 2 \log_2(n)} \\
&\leq 2^{B_n - 2}. \qquad □
\end{aligned}$$

Lemma 10. For each integer $n > 1$, there exists $\hat{r}$ such that:
(i) $\hat{r} \leq \max\{3, \lceil (\log_2(n))^5 \rceil\}$,
(ii) $\hat{r}$ is a prime power,
(iii) $n \in \mathbb{Z}_{\hat{r}}^*$, and
(iv) $|n|_{\mathbb{Z}_{\hat{r}}^*} > \lfloor \log_2(n) \rfloor^2$.

Proof. If $n = 2$, then we take $\hat{r} = 3$. Consider $n \geq 3$. Let $\hat{r}$ be the smallest number such that $\hat{r} > 1$ and $\hat{r}$ does not divide $P_n$. Suppose that $\hat{r} > B_n = \lceil (\log_2(n))^5 \rceil$. Then $P_n$ must be a common multiple of $i$ for every $1 \leq i \leq B_n$, as $\hat{r}$ is its smallest non-divisor. Hence $P_n \geq L(B_n)$, by definition. By Lemmas 1 and 9,
$$2^{B_n - 2} > P_n \geq L(B_n) \geq 2^{B_n - 2}.$$
This contradiction shows that (i) holds.

Now suppose that $\hat{r}$ is not a prime power. Then there exist integers $a$ and $b$ such that $1 < a, b < \hat{r}$, $\gcd(a, b) = 1$, and $\hat{r} = ab$. Both of $a$ and $b$ cannot divide $P_n$, as otherwise $\hat{r}$ would also do so. Thus one of $a, b$ does not divide $P_n$. This contradicts the minimality of $\hat{r}$, so $\hat{r}$ must be a prime power.

Writing $\hat{r} = q^k$, where $q$ is prime, next suppose that $\gcd(\hat{r}, n) \neq 1$. Then $q$ divides $n$. Since $q \geq 2$ and $\hat{r} \leq B_n$, we have $k = \log_q(\hat{r}) \leq \log_2(B_n)$. Hence $n^k$ divides $n^{\lfloor \log_2(B_n) \rfloor}$, which in turn divides $P_n$, but $\hat{r} = q^k$ divides $n^k$; so $\hat{r}$ divides $P_n$, which is impossible. Hence $\hat{r}$ is coprime to $n$ and $n \in \mathbb{Z}_{\hat{r}}^*$.

Finally, since $n \in \mathbb{Z}_{\hat{r}}^*$, we know that $|n|_{\mathbb{Z}_{\hat{r}}^*}$ is a well-defined number. Also, for $1 \leq i \leq \lfloor \log_2(n) \rfloor^2$, since $n^i - 1$ divides $P_n$, we see that $\hat{r}$ does not divide $n^i - 1$. Hence $n^i \neq 1 \pmod{\hat{r}}$ for $1 \leq i \leq \lfloor \log_2(n) \rfloor^2$, from which (iv) follows. □

Hence we know that $r$ can be found and that $r = O((\log(n))^5)$. This is crucial to proving that the AKS primality test halts and does so in a timely manner. Now we wish to prove that the final step of the algorithm is correct. For the rest of this section the values of $n$ and $r$ are fixed as in the algorithm. We show that, if the AKS Primality Testing Algorithm returns PRIME at the last step, then the input is in fact prime. All of the following lemmas assume, as an unstated hypothesis, that the algorithm returned PRIME at the last step.

First we give a rough proof sketch: We wish to work in fields so we work modulo a prime divisor of $n$ and an irreducible factor of $x^r - 1$. We generalise the property $(x + a)^p = x^p + a \pmod p$ from Lemma 3. Based on what Step 5 of the algorithm verifies and Lemma 3, we determine some objects with this property. Then we show that this property is preserved under multiplication. By looking at the set generated under multiplication, we are able to give a lower bound on the number of objects with this property. We are also able to give an upper bound if $n$ is composite – specifically not a prime power. The bounds are too tight for $n$ to be anything but a prime power, so we conclude that it is prime since Step 1 deals with prime powers.

Lemma 11. There exists a prime divisor $p$ of $n$ such that $|p|_{\mathbb{Z}_r^*} > 1$.

Proof. Note that, since $\gcd(n, r) = 1$, we have $\gcd(d, r) = 1$ for each divisor $d$ of $n$. Suppose that every prime divisor of $n$ has order 1 in $\mathbb{Z}_r^*$. Then every prime divisor of $n$ is congruent to 1 modulo $r$. Therefore $n = 1 \pmod r$, which is impossible as $|n|_{\mathbb{Z}_r^*} > \lfloor \log_2(n) \rfloor^2 \geq 1$. So at least one prime divisor must have nontrivial order. □
For the remainder of the section, we fix one such prime divisor $p$ of $n$ with $|p|_{\mathbb{Z}_r^*} > 1$.

Lemma 12. The following are true:
• $r < p$,
• $x^r - 1$ has no repeated factors in $\mathbb{Z}_p[x]$, and
• if $a$ divides $b$ then $x^a - 1$ divides $x^b - 1$.

Proof. Suppose that $r \geq p$. Then either $p = n \leq r$ and step 4 returns PRIME, or $p < n$ and step 3 returns COMPOSITE as $1 < \gcd(p, n) = p < n$ and $1 \leq p \leq r$. Either way the algorithm never reaches step 6, so $r < p$.

Suppose that $x^r - 1$ has a repeated factor in $\mathbb{Z}_p[x]$, that is
$$x^r - 1 = (f(x))^2 g(x) \pmod p,$$
for some $f(x), g(x) \in \mathbb{Z}_p[x]$ with the degree of $f(x)$ being at least one. Then, over $\mathbb{Z}$, we have
$$x^r - 1 = (f(x))^2 g(x) + p h(x),$$
for some $h(x) \in \mathbb{Z}[x]$. Since $\mathbb{Z}$ is in $\mathbb{R}$, we can apply calculus to get
$$r x^{r-1} = 2 f(x) f'(x) g(x) + (f(x))^2 g'(x) + p h'(x).$$
These are still polynomials with integer coefficients so we can take them modulo $p$ to get
$$r x^{r-1} = 2 f(x) f'(x) g(x) + (f(x))^2 g'(x) \pmod p.$$
This implies that $f(x)$ divides $r x^{r-1}$; since $0 < r < p$, $r$ is invertible modulo $p$, so $f(x)$ also divides $x^{r-1}$. Combining this together we conclude that $f(x)$ divides $(x^r - 1) - x (x^{r-1}) = -1 \pmod p$. This is impossible as the degree of $f(x)$ is greater than that of $-1$. So $x^r - 1$ cannot have a repeated factor.

Suppose that $a$ divides $b$. Then $x^a - 1$ divides $x^b - 1$ as follows;
$$(x^a - 1) \sum_{i=0}^{b/a - 1} x^{ia} = \sum_{i=0}^{b/a - 1} x^{(i+1)a} - \sum_{i=0}^{b/a - 1} x^{ia} = \sum_{i=1}^{b/a} x^{ia} - \sum_{i=0}^{b/a - 1} x^{ia} = x^b - 1. \qquad □$$

Definition 13. Let $m \geq 1$ and $f(x) \in \mathbb{Z}_p[x]$. We say $m$ is introspective for $f(x)$ if
$$(f(x))^m = f(x^m) \pmod{x^r - 1, p}.$$

Lemma 14. Both $p$ and $n/p$ are introspective for $x + a$ for every $a$ with $1 \leq a \leq l = \lfloor \sqrt{\phi(r)} \rfloor \lfloor \log_2(n) \rfloor$.

Proof. We fix some $0 \leq a \leq l$. Since $p$ is prime, by Lemma 3, we have $(x + a)^p = x^p + a \pmod p$. Hence $(x + a)^p = x^p + a \pmod{x^r - 1, p}$, and $p$ is introspective for $x + a$. Also, the algorithm verifies that $(x + a)^n = x^n + a \pmod{x^r - 1, n}$ (the case $a = 0$ is trivially true). Since $p$ divides $n$, this also holds modulo $p$ and we conclude that $n$ is introspective for $x + a$.

Let $m = n/p$ and $f(x) = (x + a)^m - x^m - a$. We have
$$\begin{aligned}
(f(x))^p &= ((x + a)^m - x^m - a)^p \pmod{x^r - 1, p} \\
&= ((x + a)^m)^p + (-x^m)^p + (-a)^p \pmod{x^r - 1, p} \qquad \text{(by Lemma 3)} \\
&= (x + a)^n - x^n - a \pmod{x^r - 1, p} \\
&\qquad \text{(since either $p > 2$, then $p$ is odd and $(-1)^p = -1 \pmod p$, or $p = 2$ and $-1 = +1 \pmod p$; also $a^p = a \pmod p$ by Fermat's little theorem)} \\
&= x^n + a - x^n - a \pmod{x^r - 1, p} \qquad \text{(since $n$ is introspective for $x + a$)} \\
&= 0 \pmod{x^r - 1, p}.
\end{aligned}$$
So $x^r - 1$ divides $(f(x))^p$ (modulo $p$). Now we factorise both into monic irreducible polynomials
$$x^r - 1 = g_1(x) g_2(x) \cdots g_\tau(x), \qquad f(x) = h_1(x) h_2(x) \cdots h_\sigma(x).$$
Each $g_i(x)$ must divide some $h_{j_i}(x)$ and, since both are irreducible, $g_i(x) = h_{j_i}(x)$. Hence $x^r - 1 = h_{j_1}(x) h_{j_2}(x) \cdots h_{j_\tau}(x)$. However, none of these factors can be repeated (Lemma 12), so $x^r - 1$ divides $f(x)$ too. Therefore
$$f(x) = (x + a)^m - x^m - a = 0 \pmod{x^r - 1, p}, \qquad (x + a)^m = x^m + a \pmod{x^r - 1, p}.$$
Since this holds for any $0 \leq a \leq l$, we conclude that $m = n/p$ and $p$ are introspective for $x + a$ for every $0 \leq a \leq l$. □

Lemma 15. If $m$ and $m'$ are introspective for $f(x)$, then so is $m \cdot m'$. If $m$ is introspective for $f(x)$ and for $g(x)$, then it is also introspective for $f(x) \cdot g(x)$.

Proof. Since $m$ is introspective for $f(x)$, we have
$$(f(x))^{mm'} = (f(x^m))^{m'} \pmod{x^r - 1, p}.$$
Since $m'$ is also introspective for $f(x)$, replacing $x$ with $x^m$ also gives us
$$(f(x^m))^{m'} = f(x^{mm'}) \pmod{x^{mr} - 1, p}.$$
However, $x^r - 1$ divides $x^{mr} - 1$ by Lemma 12. Hence
$$(f(x))^{mm'} = (f(x^m))^{m'} = f(x^{mm'}) \pmod{x^r - 1, p}.$$

Also
$$(f(x) g(x))^m = (f(x))^m (g(x))^m = f(x^m) g(x^m) \pmod{x^r - 1, p}. \qquad □$$

Lemma 16. Let $f(x)$ be a polynomial in $x$ of degree $k$ over a field. Then
• $x - c$ divides $f(x)$ if and only if $f(c) = 0$, and
• $f(x)$ has no more than $k$ distinct roots.

Proof. Suppose that $f(c) = 0$, and
$$f(x) = \sum_{i=0}^{k} \alpha_i x^i.$$
Let
$$\beta_i = \sum_{j=0}^{k-i-1} \alpha_{i+j+1} c^j.$$
Then we have
$$\begin{aligned}
\beta_{k-1} &= \sum_{j=0}^{k-(k-1)-1} \alpha_{k-1+j+1} c^j = \alpha_k, \\
\beta_{i-1} - c \beta_i &= \sum_{j=0}^{k-(i-1)-1} \alpha_{i-1+j+1} c^j - \sum_{j=0}^{k-i-1} \alpha_{i+j+1} c^{j+1} \\
&= \sum_{j=0}^{k-i} \alpha_{i+j} c^j - \sum_{j=1}^{k-i} \alpha_{i+j} c^j \\
&= \alpha_i, \quad \text{for } 1 \leq i \leq k - 1, \\
-c \beta_0 &= -\sum_{j=0}^{k-1} \alpha_{j+1} c^{j+1} = -\sum_{j=1}^{k} \alpha_j c^j = -(f(c) - \alpha_0) = \alpha_0.
\end{aligned}$$
Now $x - c$ divides $f(x)$ as follows
$$\begin{aligned}
(x - c) \sum_{i=0}^{k-1} \beta_i x^i &= \sum_{i=0}^{k-1} \beta_i x^{i+1} - \sum_{i=0}^{k-1} c \beta_i x^i \\
&= \sum_{i=1}^{k} \beta_{i-1} x^i - \sum_{i=0}^{k-1} c \beta_i x^i \\
&= \beta_{k-1} x^k + \sum_{i=1}^{k-1} (\beta_{i-1} - c \beta_i) x^i - c \beta_0 \\
&= \alpha_k x^k + \sum_{i=1}^{k-1} \alpha_i x^i + \alpha_0 \\
&= f(x).
\end{aligned}$$
Suppose, conversely, that $x - c$ divides $f(x)$. Then $f(x) = (x - c) g(x)$ for some polynomial $g(x)$, and $f(c) = (c - c) g(c) = 0$.

Suppose that $f(x)$ has $\kappa$ distinct roots. Let these roots be $c_1, c_2, \cdots, c_\kappa$. Then the distinct linear polynomials $x - c_1, x - c_2, \cdots, x - c_\kappa$ divide $f(x)$. Thus
$$f(x) = (x - c_1)(x - c_2) \cdots (x - c_\kappa) g(x),$$
for some polynomial $g(x)$. This means that the degree of $f(x)$ is at least $\kappa$ so $\kappa \leq k$. □

Lemma 17. There exists a polynomial, $h(x)$, over $\mathbb{Z}_p$, such that
• $h(x)$ is monic and irreducible,
• $h(x)$ has degree at least two,
• $h(x)$ divides $x^r - 1$, and
• $h(x)$ does not divide $x^k - 1$ for any $1 \leq k \leq r - 1$.

Proof (footnote 12). We factorise $x^r - 1$ into monic irreducible polynomials. Suppose that all factors have degree one. Then we have
$$x^r - 1 = (x - c_1)(x - c_2) \cdots (x - c_r) \pmod p.$$
Let $H = \{c_1, c_2, \cdots, c_r\}$. By Lemma 16, $H = \{c \in \mathbb{Z}_p^* : c^r - 1 = 0 \pmod p\}$, so $H$ is precisely the set of $r$th roots of unity. By Lemma 12, these factors are distinct and $|H| = r$. In fact $H$ is a subgroup of $\mathbb{Z}_p^*$ as:
• If $a, b \in H$, then $a^r = b^r = 1 \pmod p$ so $(ab)^r = a^r b^r = 1 \pmod p$ and $ab \in H$.
• If $a \in H$, then $a^r = a^{-1} a = 1$ so $1^r = (a^{-1} a)^r = (a^{-1})^r a^r = (a^{-1})^r = 1$ and $a^{-1} \in H$.
So $H$ is a subgroup of $\mathbb{Z}_p^*$. By Lagrange's theorem, the order of a subgroup must divide that of the group. Thus $|H| = r$ divides $|\mathbb{Z}_p^*| = p - 1$. This implies that $p = 1 \pmod r$, but, by definition (Lemma 11), $p \neq 1 \pmod r$. So this situation is impossible and $x^r - 1$ must have at least one irreducible factor of degree at least two.

Now we must simply show that at least one of the irreducible factors of $x^r - 1$ does not divide $x^k - 1$ for any $1 \leq k \leq r - 1$. We know that $r$ is a prime power, so let $r = q^s$ where $q$ is prime. Note that all linear factors of $x^r - 1$ divide $x^{q^{s-1}} - 1$: If $x - c$ divides $x^r - 1$, then $c^r = 1 \pmod p$ (Lemma 16). However, the order of $c$ must be strictly less than $r$ as we already know we cannot have $r$ distinct $r$th roots of unity; the order of $c$ must also be a divisor of $r$, so it is a divisor of $q^{s-1}$. Thus $c^{q^{s-1}} = 1 \pmod p$ and $x - c$ divides $x^{q^{s-1}} - 1$.

Suppose that every nonlinear irreducible factor of $x^r - 1$ also divides some $x^k - 1$ with $1 \leq k \leq r - 1$. Clearly $k$ must be a divisor of $r$ so it is a divisor of $q^{s-1}$. Thus every irreducible factor of $x^r - 1$ divides $x^{q^{s-1}} - 1$ (Lemma 12). Since the factors of $x^r - 1$ are not repeated (Lemma 12), we have $x^r - 1$ divides $x^{q^{s-1}} - 1$; this is impossible as the former has higher degree than the latter. So, at least one of the nonlinear irreducible factors of $x^r - 1$ satisfies the requirements. □

Footnote 12: The original proof of this result was based on cyclotomic polynomials. This argument avoids these.

Let $h(x)$ be one such irreducible nonlinear divisor of $x^r - 1$. We fix $h(x)$ for the rest of this section. Now we can define the required sets. Let
$$I = \{ p^i (n/p)^j : i, j \geq 0 \}, \qquad P = \Big\{ \prod_{a=0}^{l} (x + a)^{e_a} : e_a \geq 0 \ (0 \leq a \leq l) \Big\},$$
$$G = I \bmod r, \qquad \mathcal{G} = P \bmod (h(x), p).$$
That is to say $G$ and $\mathcal{G}$ are the residues of $I$ and $P$ modulo $r$ and $(h(x), p)$ respectively. Clearly every $m \in I$ is introspective for every $f(x) \in P$; this follows from Lemmas 14 and 15. Let $t = |G|$.



Lemma 18. If $n \geq 7$, then $|\mathcal{G}| > n^{\lfloor \sqrt{t} \rfloor}$.

Proof. Let $\hat{P}$ be the subset of $P$ defined by
$$\hat{P} = \Big\{ \prod_{a=0}^{l} (x + a)^{e_a} : e_1, e_2, \cdots, e_l \geq 0 \text{ and } e_0 + e_1 + \cdots + e_l < t \Big\},$$
namely, all the elements of $P$ with degree less than $t$. We first show that distinct elements in $\hat{P}$ map to distinct elements in $\mathcal{G}$. Let $f(x), g(x)$ be distinct elements of $\hat{P}$. Now suppose that $f(x) = g(x) \pmod{h(x), p}$. Take some $m \in I$. Since $m$ is introspective for $f(x)$ and $g(x)$ and $x^r - 1$ is divisible by $h(x)$, we have
$$f(x^m) = (f(x))^m = (g(x))^m = g(x^m) \pmod{h(x), p}.$$
So $x^m$ is a root of the polynomial $f(y) - g(y) \in (\mathbb{Z}_p[x]/h(x))[y]$ for every $m \in I$. We now show that these roots are distinct. So, suppose that $m, m' \in G$, $m \leq m'$, and $x^m = x^{m'} \pmod{h(x), p}$. Then $x^{m' - m} = 1 \pmod{h(x), p}$. Now $m \leq m'$ implies $m' - m \geq 0$; $m, m' \in G \subseteq \mathbb{Z}_r^*$ implies $m' - m < r$; $x^k \neq 1 \pmod{h(x), p}$ for $0 < k < r$ implies $m' = m$. So there are at least as many distinct roots as there are elements in $G$. However, this leads to a contradiction as the degree of the polynomial is strictly less than $t$ (by our choice of $f(x), g(x)$) and it has at least $t$ roots; this contradicts Lemma 16. Thus, every member of $\hat{P}$ maps to a distinct member of $\mathcal{G}$, so $|\mathcal{G}| \geq |\hat{P}|$.

Every member of $\hat{P}$ corresponds to a partitioning of $t - 1$ into $l + 2$ non-negative integers (footnote 13) with order being important. Each such partition corresponds to a partition of $t - 1$ dots (•) into $l + 2$ groups by $l + 1$ separators (|): For example, $1, 3, 0, 2, 0 \equiv$ • | • • • | | • • |. Here we are choosing $t - 1$ positions to put dots out of an available $t - 1 + l + 1$ positions, so there are $\binom{t+l}{t-1}$ such combinations. Therefore
$$|\mathcal{G}| \geq |\hat{P}| = \binom{t + l}{t - 1} = \binom{t + l}{l + 1}.$$
Now, it only remains to show that $\binom{t+l}{t-1} > n^{\lfloor \sqrt{t} \rfloor}$. Let $k = \lfloor \sqrt{t} \rfloor \lfloor \log_2(n) \rfloor$ (footnote 14). Then, since $n^i \in G$ for all $i \geq 0$, we have $t = |G| \geq |n|_{\mathbb{Z}_r^*} > \lfloor \log_2(n) \rfloor^2$; thus $\sqrt{t} > \lfloor \log_2(n) \rfloor$, so $t > \sqrt{t} \lfloor \log_2(n) \rfloor \geq k$; hence $t - 1 \geq k$. Also, $G \subseteq \mathbb{Z}_r^*$, so $t = |G| \leq |\mathbb{Z}_r^*| = \phi(r)$; hence $l = \lfloor \sqrt{\phi(r)} \rfloor \lfloor \log_2(n) \rfloor \geq \lfloor \sqrt{t} \rfloor \lfloor \log_2(n) \rfloor = k$. Hence
$$\binom{t - 1 + l + 1}{l + 1} \geq \binom{k + l + 1}{l + 1} = \binom{k + l + 1}{k} \geq \binom{k + k + 1}{k}.$$
These two inequalities hold because we are choosing the same number of items from a possibly smaller set. Using induction, we show that $\binom{2k+1}{k} \geq 3^k$:
$$\begin{aligned}
\binom{2(1) + 1}{1} &= 3, \\
\binom{2(k+1) + 1}{k + 1} &= \frac{(2k+3)(2k+2)(2k+1) \cdots (k+2)}{(k+2)(k+1) k \cdots 1} \\
&= \frac{(2k+3)(2k+2)}{(k+2)(k+1)} \cdot \frac{(2k+1) \cdots (k+2)}{k \cdots 1} \\
&= 2 \Big( 2 - \frac{1}{k+2} \Big) \cdot \binom{2k+1}{k} \\
&\geq 3 \cdot \binom{2k+1}{k}.
\end{aligned}$$
Now we obtain our desired result,
$$\begin{aligned}
|\mathcal{G}| &\geq |\hat{P}| = \binom{t + l}{l + 1} \geq \binom{2k + 1}{k} \geq 3^k = 3^{\lfloor \sqrt{t} \rfloor \lfloor \log_2(n) \rfloor} \\
&> \big( 3^{\log_2(n) - 1} \big)^{\lfloor \sqrt{t} \rfloor} = \Big( \frac{n^{\log_2(3)}}{3} \Big)^{\lfloor \sqrt{t} \rfloor} = n^{\lfloor \sqrt{t} \rfloor} \Big( \frac{n^{\log_2(3) - 1}}{3} \Big)^{\lfloor \sqrt{t} \rfloor} \\
&\geq n^{\lfloor \sqrt{t} \rfloor} \Big( \frac{7^{\log_2(3) - 1}}{3} \Big)^{\lfloor \sqrt{t} \rfloor} \qquad \text{[Since $n \geq 7$.]} \\
&\geq n^{\lfloor \sqrt{t} \rfloor}.
\end{aligned}$$

Footnote 13: The $l + 2$ comes from $l + 1$ exponents plus one ‘slack variable’ which allows the exponents to sum to less than $t - 1$.

Footnote 14: Note that $n \geq 2$ so $t > \lfloor \log_2(n) \rfloor^2 \geq 1$, therefore $k = \lfloor \sqrt{t} \rfloor \lfloor \log_2(n) \rfloor \geq 1$.

□

Lemma 19. If $n$ is not a power of $p$, then $|\mathcal{G}| \leq n^{\lfloor \sqrt{t} \rfloor}$.

Proof. Consider the following subset of $I$
$$\hat{I} = \{ p^i (n/p)^j : 0 \leq i, j \leq \lfloor \sqrt{t} \rfloor \}.$$
Since $n$ is not a power of $p$, there is a unique factorisation for each element of $\hat{I}$; so there is a one-to-one correspondence between $i, j$ values and elements of $\hat{I}$. Hence
$$|\hat{I}| = (\lfloor \sqrt{t} \rfloor + 1)^2 > t.$$
Since $|G| = t$, all these numbers cannot be distinct modulo $r$ in $G$. Let $m_1, m_2 \in \hat{I}$ be two such numbers with $m_1 > m_2$. Then $x^{m_1} = x^{m_2} \pmod{h(x), p}$, as $x^r = 1 \pmod{h(x), p}$. Let $f(x) \in \mathcal{G}$. Then
$$(f(x))^{m_1} = f(x^{m_1}) = f(x^{m_2}) = (f(x))^{m_2} \pmod{h(x), p},$$
as $m_1$ and $m_2$ are introspective for $f(x)$. So every $f(x) \in \mathcal{G}$ is a root of the polynomial $y^{m_1} - y^{m_2} \in (\mathbb{Z}_p[x]/h(x))[y]$. These are all distinct roots so the size of $\mathcal{G}$ must be less than or equal to the degree of the polynomial (Lemma 16). Hence
$$|\mathcal{G}| \leq m_1 \leq \Big( p \cdot \frac{n}{p} \Big)^{\lfloor \sqrt{t} \rfloor} = n^{\lfloor \sqrt{t} \rfloor}. \qquad □$$

Lemma 20. The number $n$ is prime.

Proof. We show this is true by considering two cases: first $n < 7$, then $n \geq 7$. Suppose that $n < 7$ and $n$ is not prime. Then either $n = 4$ or $n = 6$. If $n = 4$, then step 1 will have determined that $n = 4 = 2^2$ and $n$ is composite. If $n = 6$, then $r = 11$ and step 3 will have determined that $0 < \gcd(n, 2) = 2 < n$ and $n$ is composite. Either way, this is impossible as we have reached step 6; so if $n < 7$, then $n$ is prime. Now, suppose that $n \geq 7$. If $n$ is not a power of $p$ then, by Lemmas 18 and 19, we have
$$n^{\lfloor \sqrt{t} \rfloor} < |\mathcal{G}| \leq n^{\lfloor \sqrt{t} \rfloor}.$$
This is not possible, so $n$ must be a power of $p$. Let $n = p^k$. Then $k > 0$ as $n > 1$; if $k > 1$, then step 1 would determine that $n = p^k$ with $p, k > 1$ and that $n$ is composite. So the only possibility is that $k = 1$ and $n = p$ is prime. □

This completes the proof of the correctness of the AKS test.

By examining the proof of Lemma 18, we see a method of improving the algorithm. This is the only place where we require that $l$ be sufficiently large. In fact all that we require of $l$ is that
$$\binom{t + l}{l + 1} > n^{\lfloor \sqrt{t} \rfloor}.$$
We also have bounds on $t$, namely
$$\lfloor \log_2(n) \rfloor^2 + 1 \leq t \leq \phi(r).$$
From these bounds alone we show in Lemma 18 that choosing $l = \lfloor \sqrt{\phi(r)} \rfloor \lfloor \log_2(n) \rfloor$ is sufficient. However, we can do better. We first note that
$$\binom{t + l}{l + 1} \geq \binom{\lfloor \log_2(n) \rfloor^2 + 1 + l}{l + 1}, \qquad \text{and} \qquad n^{\lfloor \sqrt{t} \rfloor} \leq n^{\lfloor \sqrt{\phi(r)} \rfloor}.$$
So, if we directly calculate the smallest $l$ such that
$$n^{\lfloor \sqrt{\phi(r)} \rfloor} < \binom{\lfloor \log_2(n) \rfloor^2 + 1 + l}{l + 1},$$
then we will have an appropriate $l$ which can be no larger than our original bound and is possibly smaller. Making $l$ smaller will have a significant impact on the speed of the algorithm as the loop which runs $l$ times dominates the complexity of the algorithm. We have performed experiments using this method. Our data indicates that the $l$ values calculated using this method are approximately one third of the value of $\lfloor \sqrt{\phi(r)} \rfloor \lfloor \log_2(n) \rfloor$. The computation of $l$ using this method can be performed efficiently using the recurrence
$$\binom{(l + 1) + \lfloor \log_2(n) \rfloor^2 + 1}{\lfloor \log_2(n) \rfloor^2} = \frac{l + \lfloor \log_2(n) \rfloor^2 + 2}{l + 2} \binom{l + \lfloor \log_2(n) \rfloor^2 + 1}{\lfloor \log_2(n) \rfloor^2}.$$
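The search for r from Lemma 10, the gcd and polynomial steps the lemmas above refer to, and the smaller l obtained from the binomial inequality with its recurrence, as an added Python example; this is not the report's own implementation. It assumes that step 2 searches r over prime powers (Lemma 17 requires r to be a prime power), and the function names are ours.

```python
# Added example, not the report's code: AKS with the r of Lemma 10 and the
# smaller l from the binomial inequality above.  Assumption: step 2 searches
# r over prime powers only, since Lemma 17 needs r to be a prime power.
from math import gcd, isqrt


def iroot(n, b):
    """Largest a with a**b <= n, by integer binary search (no floating point)."""
    lo, hi = 1, 1 << (n.bit_length() // b + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** b <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_perfect_power(n):
    """Step 1: is n = a^b for some a, b > 1?"""
    return any(iroot(n, b) ** b == n for b in range(2, n.bit_length() + 1))


def is_prime_power(r):
    """r = q^s for a prime q and s >= 1 (trial division; r is small)."""
    q = 2
    while q * q <= r and r % q:
        q += 1
    if r % q:
        q = r
    while r % q == 0:
        r //= q
    return r == 1


def phi(r):
    """Euler totient by brute force; fine for r = O((log n)^5) at these sizes."""
    return sum(1 for a in range(1, r + 1) if gcd(a, r) == 1)


def order_mod(n, r):
    """|n|_{Z*_r}: smallest k > 0 with n^k = 1 (mod r); needs gcd(n, r) = 1."""
    k, x = 1, n % r
    while x != 1:
        x, k = x * n % r, k + 1
    return k


def find_r(n):
    """Step 2: smallest prime power r with n in Z*_r and |n|_{Z*_r} > floor(log2 n)^2."""
    bound = (n.bit_length() - 1) ** 2          # floor(log2 n)^2 exactly
    r = 2
    while not (is_prime_power(r) and gcd(n, r) == 1 and order_mod(n, r) > bound):
        r += 1
    return r


def naive_l(n, r):
    """l = floor(sqrt(phi(r))) * floor(log2 n), the value Lemma 18 proves sufficient."""
    return isqrt(phi(r)) * (n.bit_length() - 1)


def improved_l(n, r):
    """Smallest l with n^floor(sqrt(phi(r))) < C(floor(log2 n)^2 + 1 + l, l + 1),
    found with the recurrence C(l+s+2, s) = C(l+s+1, s) * (l+s+2) / (l+2)."""
    s = (n.bit_length() - 1) ** 2
    target = n ** isqrt(phi(r))
    l, binom = 0, s + 1                         # C(s + 1, s): the l = 0 case
    while binom <= target:
        binom = binom * (l + s + 2) // (l + 2)  # exact, the quotient is an integer
        l += 1
    return l


def poly_mulmod(f, g, r, n):
    """Product in Z_n[x]/(x^r - 1); polynomials are lists of r coefficients."""
    h = [0] * r
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                if gj:
                    k = i + j if i + j < r else i + j - r
                    h[k] = (h[k] + fi * gj) % n
    return h


def poly_powmod(f, e, r, n):
    """f^e in Z_n[x]/(x^r - 1) by square-and-multiply."""
    result, base = [1] + [0] * (r - 1), list(f)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, r, n)
        base = poly_mulmod(base, base, r, n)
        e >>= 1
    return result


def aks(n, use_improved_l=True):
    """True iff n is prime, following steps 1-6 as the correctness proof uses them."""
    if n < 2:
        return False
    if is_perfect_power(n):                     # step 1
        return False
    r = find_r(n)                               # step 2
    for a in range(2, r + 1):                   # step 3
        if 1 < gcd(a, n) < n:
            return False
    if n <= r:                                  # step 4
        return True
    l = improved_l(n, r) if use_improved_l else naive_l(n, r)
    for a in range(1, l + 1):                   # step 5: (x+a)^n = x^n + a ?
        lhs = poly_powmod([a, 1] + [0] * (r - 2), n, r, n)
        rhs = [0] * r
        rhs[n % r] = 1                          # x^n reduced modulo x^r - 1
        rhs[0] = (rhs[0] + a) % n
        if lhs != rhs:
            return False
    return True                                 # step 6


if __name__ == "__main__":
    for n in (31, 91, 561, 1009):
        r = find_r(n)
        print(n, "r =", r, "l =", naive_l(n, r), "->", improved_l(n, r),
              "prime" if aks(n) else "composite")
```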

8.3 The Miller-Rabin Test

Definition 21. For an odd integer $n > 1$, let $n - 1 = 2^s d$ where $d$ is odd, and
$$B_n = \{ a \in \mathbb{Z}_n^* : a^d = 1 \pmod n \text{ or } a^{2^r d} = -1 \pmod n \text{ for some } 0 \leq r \leq s - 1 \}.$$
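The set $B_n$ of Definition 21 computed directly, and its complement used as the Miller-Rabin witness test, as an added Python example that is not part of the report (the report's own source code is in its appendix); the function names and the sample moduli 101, 561 and 2047 are our choices.

```python
# Added example, not the report's code: B_n from Definition 21 and the
# Miller-Rabin test built on it.  The moduli in the demo are constructed
# samples: 101 is prime, 561 = 3 * 11 * 17 is a Carmichael number.
from math import gcd
import random


def split_power_of_two(n):
    """Write n - 1 = 2^s * d with d odd (n odd, n > 1)."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s += 1
        d //= 2
    return s, d


def in_B(a, n):
    """True iff a is in B_n: a^d = 1 or a^(2^r d) = -1 (mod n) for some 0 <= r < s."""
    s, d = split_power_of_two(n)
    x = pow(a, d, n)
    if x == 1 or x == n - 1:        # r = 0 covers both conditions
        return True
    for _ in range(s - 1):          # r = 1, ..., s - 1
        x = x * x % n
        if x == n - 1:
            return True
    return False


def size_of_B(n):
    """|B_n| by exhausting Z*_n (small n only); equals phi(n) when n is prime."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1 and in_B(a, n))


def phi(n):
    """Euler totient by brute force, to compare |B_n| with |Z*_n|."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)


def miller_rabin(n, rounds=20, seed=None):
    """co-RP style test: a random a outside B_n proves n composite; if no such
    witness appears in `rounds` draws, n is reported as probably prime."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not in_B(a, n):
            return False                # a is a witness: n is composite
    return True


if __name__ == "__main__":
    for n in (101, 561, 2047):
        print(n, "|B_n| =", size_of_B(n), "phi(n) =", phi(n),
              "Miller-Rabin:", "probably prime" if miller_rabin(n, seed=1) else "composite")
```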

Note that Lemma 6 is equivalent to saying that, if $p$ is prime, then $B_p = \mathbb{Z}_p^*$. We now turn our attention to the case where $n$ is composite and prove another result about the size of $B_n$. First we must prove some lemmas about $\mathbb{Z}_n^*$ for various values of $n$.

Lemma 22. If $p$ is prime, then $\mathbb{Z}_p^*$ is cyclic.

Proof. This proof comes from [9] page 122. We compare $\mathbb{Z}_p^*$ to a cyclic group of the same order, say $G$; let $n$ be the order of these groups. Let $m_d$ be the number of elements in $\mathbb{Z}_p^*$ of order $d$ and, similarly, let $m'_d$ be the number of elements of order $d$ in $G$. Clearly, since every element's order must divide that of the group, we have
$$\sum_{d \mid n} m_d = n = \sum_{d \mid n} m'_d.$$
We show that $m_d \leq m'_d$ and thus, by the above equality, $m_d = m'_d$ for all $d$. From this the desired result will follow: Since $G$ is cyclic, $m'_n \geq 1$ so $m_n \geq 1$; which tells us there is an element in $\mathbb{Z}_p^*$ which generates the entire group.

Let $H_d = \{a \in \mathbb{Z}_p^* : a^d = 1 \pmod p\}$. Since $\mathbb{Z}_p$ is a field, $x^d - 1$ cannot have more than $d$ distinct roots (Lemma 16). Therefore $|H_d| \leq d$. Now take a subgroup $H$ of $\mathbb{Z}_p^*$. Let $d = |H|$. By Lagrange's theorem, for any $a \in H$ we have $a^d = 1 \pmod p$, so $H \subseteq H_d$. However, $d = |H| \leq |H_d| \leq d$ so $|H| = |H_d|$. Thus $H = H_d$. So all subgroups of the same order are identical; in particular, if $a$ is an element of order $k$, then all elements of order $k$ are in the same subgroup so are powers of $a$. Note that $a^i$ has the same order as $a$ if and only if $a = (a^i)^j$ for some integer $j$; which is possible if and only if $i$ is invertible modulo the order of $a$. Thus, if there are any elements of order $k$, then there are $\phi(k)$ such elements (footnote 15).

Suppose $k$ divides $n$. Then, if $g$ is a generator for $G$, then $g^{n/k}$ is an element of order $k$. By a similar argument to the above we can show that $m'_k \geq \phi(k)$. So we have $m'_k \geq \phi(k) \geq m_k$, as required. □

Footnote 15: Note that $\phi(k)$ denotes the Euler totient function, which gives the number of invertible elements modulo $k$. Also, we must have $\phi(1) = 1$ here.

Lemma 23. If $n = p^k$ is an odd prime power, then $\mathbb{Z}_n^*$ is cyclic.

Proof. This proof also comes from [9] page 122. We show that there exists $a \in \mathbb{Z}$ such that $a \pmod p$ generates $\mathbb{Z}_p^*$, and $g = (p + 1) a \pmod n$ generates $\mathbb{Z}_n^*$.

Firstly, by Lemma 22, there exists $\hat{a} \in \mathbb{Z}$ such that $\hat{a} \pmod p$ generates $\mathbb{Z}_p^*$. The order of $\hat{a}$ modulo $n$ must be a multiple of $p - 1$ because that is the order of $\hat{a}$ modulo $p$. Let the order of $\hat{a}$ modulo $n$ be $l(p - 1)$ and let $a = \hat{a}^l$. Then the order of $a$ modulo $n$ is exactly $p - 1$. The element $a \pmod p$ must also generate $\mathbb{Z}_p^*$: Since the order of $\hat{a}$ modulo $n$, namely $l(p - 1)$, must divide $|\mathbb{Z}_n^*| = p^{k-1}(p - 1)$, we have $l$ divides $p^{k-1}$ and $\gcd(l, p - 1) = 1$. Hence, if $l' = l^{-1} \pmod{p - 1}$, then $a^{l'} = \hat{a} \pmod p$; so $a \pmod p$ generates everything that $\hat{a} \pmod p$ does.

We require the following result. Let $i \geq 0$. Then there exists an $\alpha_i$ coprime to $p$ such that
$$(p + 1)^{p^i} = \alpha_i p^{i+1} + 1.$$
We show this inductively. It is clear that $\alpha_0 = 1$. Let
$$\beta_i = \sum_{j=2}^{p-1} \frac{1}{p} \binom{p}{j} \alpha_i^j p^{(i+1)j - (i+2)} + \alpha_i^p p^{(i+1)p - (i+3)}, \qquad \alpha_{i+1} = \alpha_i + p \beta_i.$$
Note that $\beta_i$ is an integer because $i \geq 0$, $j \geq 2$ and $p \geq 3$, and because $p$ divides $\binom{p}{j}$ for $0 < j < p$. Now, the induction step: Suppose that, for some $i \geq 0$, $\alpha_i$ satisfies the requirements. Then
$$\begin{aligned}
(p + 1)^{p^{i+1}} &= \big( (p + 1)^{p^i} \big)^p = (1 + \alpha_i p^{i+1})^p = \sum_{j=0}^{p} \binom{p}{j} (\alpha_i p^{i+1})^j \\
&= 1 + p \alpha_i p^{i+1} + \sum_{j=2}^{p-1} \binom{p}{j} (\alpha_i p^{i+1})^j + (\alpha_i p^{i+1})^p \\
&= 1 + p^{i+2} \Big( \alpha_i + p \Big( \sum_{j=2}^{p-1} \frac{1}{p} \binom{p}{j} \alpha_i^j p^{(i+1)j - (i+2)} + \alpha_i^p p^{(i+1)p - (i+3)} \Big) \Big) \\
&= 1 + p^{i+2} (\alpha_i + p \beta_i) \\
&= 1 + \alpha_{i+1} p^{i+2}.
\end{aligned}$$

This completes the inductive proof. It immediately follows that the order of $p+1$ modulo $n$ is $p^{k-1}$. Let $H$ be the subgroup of $\mathbb{Z}_n^*$ generated by $p+1 \pmod n$. Clearly $|H| = p^{k-1}$. Also, let $\hat{H}_s = \{x \in \mathbb{Z}_n^* : x = s \pmod p\}$. Then we see that for any $s \in \mathbb{Z}$ we have $sH \subseteq \hat{H}_s$ (since for any $l \in \mathbb{Z}$, $s(p+1)^l = s \cdot 1^l = s \pmod p$). Since $|\hat{H}_s| = |H| = p^{k-1}$, we have $sH = \hat{H}_s$.

Now we consider some cosets of $H$, namely $H, aH, a^2H, a^3H, \dots, a^{p-2}H \pmod n$. If we take any $x \in \mathbb{Z}_n^*$, then we can find $\hat{x} \in \mathbb{Z}$ such that $\hat{x} = x \pmod p$. Also $\hat{x} = a^i \pmod p$ for some $i$, and $x \in \hat{H}_{\hat{x}} = a^iH$. So these cosets cover all of $\mathbb{Z}_n^*$.

All that remains to be shown is that $g$ generates all of these cosets. Suppose that we want to generate $b \in \mathbb{Z}_n^*$. We can write $b = a^i(p+1)^j \pmod n$ for some $i, j \in \mathbb{Z}$. We use the extended Euclidean algorithm to find integers $x$ and $y$ such that $p^{k-1}x + (p-1)y = 1$. Let $z = ip^{k-1}x + j(p-1)y$. Then
$$\begin{aligned}
g^z &= a^{ip^{k-1}x + j(p-1)y}\,(p+1)^{ip^{k-1}x + j(p-1)y} \pmod n \\
&= a^{i(1 - y(p-1)) + jy(p-1)}\,(p+1)^{j(1 - p^{k-1}x) + ip^{k-1}x} \pmod n \\
&= a^{i + (p-1)(jy - iy)}\,(p+1)^{j + p^{k-1}(ix - jx)} \pmod n \\
&= a^i\left(a^{p-1}\right)^{jy-iy}\,(p+1)^j\left((p+1)^{p^{k-1}}\right)^{ix-jx} \pmod n \\
&= a^i(p+1)^j \pmod n.
\end{aligned}$$

This completes the proof. We have shown that the required $a$ exists and that $g$ generates all the cosets which cover $\mathbb{Z}_n^*$. $\square$

Lemma 24. If $p^k$ is a power of an odd prime and $m$ is an integer, then the congruence $a^m = 1 \pmod{p^k}$ has precisely $\gcd(p^{k-1}(p-1), m)$ solutions.

Proof. Firstly, we note that $\mathbb{Z}_{p^k}^*$ is cyclic, by Lemma 23. Let $g$ be a generator of $\mathbb{Z}_{p^k}^*$ and let $H$ be the set of solutions to the congruence. Suppose that $g^i \in H$ with $0 \le i < p^{k-1}(p-1)$. Then $(g^i)^m = g^{im} = 1 \pmod{p^k}$. Since the order of $g$ is $p^{k-1}(p-1)$, $im$ is a multiple thereof. Conversely, if $im$ is a multiple of $p^{k-1}(p-1)$, then $g^i \in H$. Thus, the number of elements in $H$ is exactly the number of values of $i$ satisfying$^{16}$ $0 \le i < p^{k-1}(p-1)$ and $im$ is a multiple of $p^{k-1}(p-1)$. This means that the $i$ values must be of the form
$$i_l = \frac{l\,p^{k-1}(p-1)}{m}$$
for some integer $l$ with $0 \le l < m$. For $i_l$ to be an integer, $l$ must be a multiple of $m/\gcd(m, p^{k-1}(p-1))$. From this it is clear that there are exactly $\gcd(m, p^{k-1}(p-1))$ such $l$ values. $\square$

$^{16}$ This restriction on the value of $i$ ensures that each $g^i$ value is distinct.
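As an added example, not part of the thesis or its attached source, the following Python carries out the construction from the proof of Lemma 23 (choose $\hat{a}$ generating $\mathbb{Z}_p^*$, raise it to $l$ so that $a$ has order exactly $p-1$ modulo $p^k$, then take $g = (p+1)a$) and checks the solution count of Lemma 24 by brute force; the function names are my own and only small prime powers are used so that exhaustive checks stay cheap.

```python
from math import gcd


def multiplicative_order(a, n):
    """Smallest e >= 1 with a^e = 1 (mod n); requires gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit modulo n")
    e, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        e += 1
    return e


def generator_mod_prime(p):
    """Smallest a_hat such that a_hat (mod p) generates Z_p^* (exists by Lemma 22)."""
    for a in range(2, p):
        if multiplicative_order(a, p) == p - 1:
            return a
    raise ValueError("no generator found; p must be an odd prime")


def generator_mod_prime_power(p, k):
    """Build g = (p + 1) * a (mod p^k) exactly as in the proof of Lemma 23.

    Returns (g, a, a_hat): a_hat generates Z_p^*, a = a_hat^l has order
    exactly p - 1 modulo n = p^k, and g generates Z_n^*.
    """
    n = p ** k
    a_hat = generator_mod_prime(p)
    # ord_n(a_hat) = l * (p - 1) for some l dividing p^(k-1)
    order = multiplicative_order(a_hat, n)
    assert order % (p - 1) == 0
    l = order // (p - 1)
    a = pow(a_hat, l, n)        # now ord_n(a) == p - 1 exactly
    g = ((p + 1) * a) % n       # ord_n(p + 1) = p^(k-1), coprime to p - 1
    return g, a, a_hat


def check_lemma23(p, k):
    """True iff a has order p - 1 and g has order phi(p^k), i.e. generates Z_{p^k}^*."""
    n = p ** k
    g, a, _ = generator_mod_prime_power(p, k)
    return (multiplicative_order(a, n) == p - 1
            and multiplicative_order(g, n) == p ** (k - 1) * (p - 1))


def count_solutions(m, p, k):
    """Brute-force |{a in Z_{p^k}^* : a^m = 1 (mod p^k)}|."""
    n = p ** k
    return sum(1 for a in range(1, n) if a % p != 0 and pow(a, m, n) == 1)


def lemma24_count(m, p, k):
    """The count Lemma 24 predicts: gcd(p^(k-1)(p-1), m)."""
    return gcd(p ** (k - 1) * (p - 1), m)


if __name__ == "__main__":
    for p, k in [(3, 2), (3, 4), (5, 3), (7, 2), (11, 2)]:
        g, a, a_hat = generator_mod_prime_power(p, k)
        print(f"p={p} k={k}: a_hat={a_hat} a={a} g={g} "
              f"generates Z_n^*: {check_lemma23(p, k)}")
    for m, p, k in [(6, 3, 2), (4, 5, 2), (10, 7, 2), (100, 3, 3)]:
        print(f"a^{m} = 1 (mod {p}^{k}): brute force {count_solutions(m, p, k)}, "
              f"Lemma 24 predicts {lemma24_count(m, p, k)}")
```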



Lemma 25. If $n > 1$ is an odd composite integer, then
$$\frac{|B_n|}{|\mathbb{Z}_n^*|} \le \frac{1}{4}.$$

Proof. This proof comes from [19]. If $n \le 9$, then the only possibility is $n = 9$; in this case $B_9 = \{1\}$ and the proof is trivial. From now on we assume $n > 9$. Let $n - 1 = 2^s d$ with $d$ odd. Let the prime decomposition of $n$ be $p_1^{a_1} p_2^{a_2} \cdots p_t^{a_t}$. Let $2^l$ be the largest power of $2$ that divides $p_1 - 1, p_2 - 1, \dots, p_t - 1$. Now we define
$$B' = \{a \in \mathbb{Z}_n^* : a^{2^{l-1}d} = \pm 1 \pmod n\}.$$
We prove the result by showing that $B_n \subseteq B'$ and that $B'$ satisfies the size constraint.

Suppose that $a \in B_n$. There are two cases to consider. If $a^d = 1 \pmod n$, then $a^{2^{l-1}d} = 1 \pmod n$, so $a \in B'$. If $a^{2^r d} = -1 \pmod n$ with $0 \le r < s$, then $a^{2^r d} = -1 \pmod{p_i}$ for every $1 \le i \le t$. It follows that the order of $a$ modulo $p_i$ is $2^{r+1}d$, so $2^{r+1}$ must divide $p_i - 1$ for every $1 \le i \le t$. By the maximality of $l$ we have $l \ge r + 1$. Thus
$$a^{2^{l-1}d} = \left(a^{2^r d}\right)^{2^{l-1-r}} = (-1)^{2^{l-(r+1)}} = \pm 1 \pmod n.$$
Either way, $a \in B'$, so $B_n \subseteq B'$.

We are able to give an explicit formula for the size of $B'$ based on the prime decomposition of $n$. By the Chinese remainder theorem, $a \in \mathbb{Z}$ is a solution to $a^{2^{l-1}d} = \pm 1 \pmod n$ if and only if it is a solution to $a^{2^{l-1}d} = \pm 1 \pmod{p_i^{a_i}}$ for every $1 \le i \le t$. Hence the number of solutions to the congruence modulo $n$ is the product of the numbers of solutions to the congruence modulo the prime powers dividing $n$; that is,
$$|B'| = \prod_{i=1}^{t}\left|\{a \in \mathbb{Z}_{p_i^{a_i}}^* : a^{2^{l-1}d} = 1 \pmod{p_i^{a_i}}\}\right| + \prod_{i=1}^{t}\left|\{a \in \mathbb{Z}_{p_i^{a_i}}^* : a^{2^{l-1}d} = -1 \pmod{p_i^{a_i}}\}\right|.$$
By Lemma 24,
$$\left|\{a \in \mathbb{Z}_{p_i^{a_i}}^* : a^{2^{l-1}d} = 1 \pmod{p_i^{a_i}}\}\right| = \gcd\!\left(2^{l-1}d,\; p_i^{a_i-1}(p_i-1)\right).$$
For the negative case, we observe that there are $\gcd(2^l d, p_i^{a_i-1}(p_i-1))$ solutions to the congruence $a^{2^l d} = 1 \pmod{p_i^{a_i}}$. Hence there are
$$\gcd\!\left(2^l d,\; p_i^{a_i-1}(p_i-1)\right) - \gcd\!\left(2^{l-1}d,\; p_i^{a_i-1}(p_i-1)\right)$$
solutions to the congruence $a^{2^{l-1}d} = -1 \pmod{p_i^{a_i}}$. This is because there are only two square roots of $1$ modulo $p_i^{a_i}$ (again by Lemma 24); so the solutions to $a^{2^l d} = 1 \pmod{p_i^{a_i}}$ must be solutions to exactly one of $a^{2^{l-1}d} = 1 \pmod{p_i^{a_i}}$ or $a^{2^{l-1}d} = -1 \pmod{p_i^{a_i}}$. Note that $2^l$ divides $p_i - 1$ for all $i$ with $1 \le i \le t$ by definition; also $p_i$ does not divide $d$, since otherwise $p_i$ would be a common divisor of $n$ and $n - 1 = 2^s d$, which is impossible. So
$$\gcd\!\left(2^l d,\; p_i^{a_i-1}(p_i-1)\right) = 2^l\gcd(d, p_i-1), \qquad \gcd\!\left(2^{l-1}d,\; p_i^{a_i-1}(p_i-1)\right) = 2^{l-1}\gcd(d, p_i-1).$$

Now we have the required formula,
$$\begin{aligned}
|B'| &= \prod_{i=1}^{t}\left|\{a \in \mathbb{Z}_{p_i^{a_i}}^* : a^{2^{l-1}d} = 1 \pmod{p_i^{a_i}}\}\right| + \prod_{i=1}^{t}\left|\{a \in \mathbb{Z}_{p_i^{a_i}}^* : a^{2^{l-1}d} = -1 \pmod{p_i^{a_i}}\}\right| \\
&= \prod_{i=1}^{t} 2^{l-1}\gcd(d, p_i-1) + \prod_{i=1}^{t}\left(2^l\gcd(d, p_i-1) - 2^{l-1}\gcd(d, p_i-1)\right) \\
&= 2\prod_{i=1}^{t} 2^{l-1}\gcd(d, p_i-1).
\end{aligned}$$

We conclude by assuming that $B'$ is larger than our desired bound and deriving a contradiction. Suppose that
$$\frac{|B'|}{|\mathbb{Z}_n^*|} = 2\prod_{i=1}^{t}\frac{2^{l-1}\gcd(d, p_i-1)}{(p_i-1)p_i^{a_i-1}} > \frac{1}{4}.$$
Note that $|\mathbb{Z}_n^*| = \prod_{i=1}^{t}(p_i-1)p_i^{a_i-1}$. Since both $2^l$ and $\gcd(d, p_i-1)$ divide $p_i - 1$ and, as $d$ is odd, these are coprime, their product also divides $p_i - 1$. Hence $2^l\gcd(d, p_i-1) \le p_i - 1$. So
$$\frac{2^{l-1}\gcd(d, p_i-1)}{(p_i-1)p_i^{a_i-1}} = \frac{2^l\gcd(d, p_i-1)}{2p_i^{a_i-1}(p_i-1)} \le \frac{1}{2p_i^{a_i-1}}.$$
Therefore
$$\frac{1}{4} < \frac{|B'|}{|\mathbb{Z}_n^*|} \le 2\prod_{i=1}^{t}\frac{1}{2p_i^{a_i-1}} = \frac{2^{1-t}}{\prod_{i=1}^{t} p_i^{a_i-1}}, \qquad 8 > 2^t\prod_{i=1}^{t} p_i^{a_i-1}.$$
This implies that $t < 3$. Also $t \ne 1$: otherwise $n = p_1^{a_1}$. Since $n$ is composite, $a_1 > 1$; hence $8 > 2p_1^{a_1-1}$ and $4 > p_1$. Then $p_1 = 3$ and $a_1 = 2$ is the only option. Hence $n = 3^2 = 9$, which contradicts the assumption that $n > 9$. So we are left with $t = 2$. This means that $2 > p_1^{a_1-1}p_2^{a_2-1}$; thus $a_1 = a_2 = 1$. Hence we can write $n = pq$ for two distinct primes $p$ and $q$. This gives
$$\frac{|B'|}{|\mathbb{Z}_n^*|} = 2\cdot\frac{2^{l-1}\gcd(d, p-1)}{p-1}\cdot\frac{2^{l-1}\gcd(d, q-1)}{q-1} > \frac{1}{4}, \qquad \frac{p-1}{2^l\gcd(d, p-1)}\cdot\frac{q-1}{2^l\gcd(d, q-1)} < 2.$$
Both of the above fractions are integers and are, therefore, both equal to $1$. Now we have $p - 1 = 2^l\gcd(d, p-1) = 2^l\hat{d}$, where $\hat{d} = \gcd(d, p-1)$. We consider $n - 1 = pq - 1 = 2^s d$. We take this modulo $\hat{d}$, noting that $\hat{d}$ divides both $d$ and $p - 1$:
$$1\cdot q - 1 = 2^s\cdot 0 \pmod{\hat{d}}.$$
Thus $\hat{d}$ divides $q - 1$; since $2^l$ also divides $q - 1$, we have that $p - 1$ divides $q - 1$. By symmetry, $q - 1$ divides $p - 1$ too. We conclude that $p - 1 = q - 1$, which is impossible as $p \ne q$. This gives us our contradiction and concludes the proof. $\square$
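As an added example, not from the thesis or its attached sources, the following Python makes the objects in the proof of Lemma 25 concrete for small odd composites: it enumerates $B_n$ (the Miller-Rabin strong liars, taken here as the units $a$ with $a^d = 1$ or $a^{2^r d} = -1 \pmod n$ for some $0 \le r < s$), enumerates the superset $B'$, evaluates the closed form $|B'| = 2\prod_i 2^{l-1}\gcd(d, p_i-1)$ obtained from Lemma 24, and checks the $1/4$ bound; all function names are mine.

```python
from math import gcd


def factorize(n):
    """Trial-division factorization of n > 1: list of (prime, exponent)."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def split_power_of_two(x):
    """Write x = 2^s * d with d odd; returns (s, d)."""
    s = 0
    while x % 2 == 0:
        x //= 2
        s += 1
    return s, x


def strong_liars(n):
    """B_n for odd n: units a with a^d = 1 or a^(2^r d) = -1 (mod n), 0 <= r < s.

    These are exactly the bases for which one Miller-Rabin round fails to
    reject a composite n, so |B_n| / phi(n) is the per-round error rate.
    """
    s, d = split_power_of_two(n - 1)
    liars = []
    for a in range(1, n):
        if gcd(a, n) != 1:
            continue
        x = pow(a, d, n)
        if x == 1 or x == n - 1:        # a^d = 1 or a^(2^0 d) = -1
            liars.append(a)
            continue
        for _ in range(s - 1):          # a^(2^r d) = -1 for some 1 <= r < s
            x = x * x % n
            if x == n - 1:
                liars.append(a)
                break
    return liars


def two_adic_l(n):
    """l such that 2^l is the largest power of 2 dividing every p_i - 1."""
    return min(split_power_of_two(p - 1)[0] for p, _ in factorize(n))


def b_prime(n):
    """B' = {a in Z_n^* : a^(2^(l-1) d) = +-1 (mod n)}, the superset used in the proof."""
    _, d = split_power_of_two(n - 1)
    e = 2 ** (two_adic_l(n) - 1) * d
    return [a for a in range(1, n) if gcd(a, n) == 1 and pow(a, e, n) in (1, n - 1)]


def b_prime_size_formula(n):
    """|B'| = 2 * prod_i 2^(l-1) gcd(d, p_i - 1), the closed form from the proof."""
    _, d = split_power_of_two(n - 1)
    l = two_adic_l(n)
    size = 2
    for p, _ in factorize(n):
        size *= 2 ** (l - 1) * gcd(d, p - 1)
    return size


def euler_phi(n):
    """|Z_n^*| = prod_i (p_i - 1) p_i^(a_i - 1)."""
    result = 1
    for p, a in factorize(n):
        result *= (p - 1) * p ** (a - 1)
    return result


def lemma25_holds(n):
    """For odd composite n > 9: B_n is a subset of B', the |B'| formula matches the
    enumeration, and |B_n| / |Z_n^*| <= 1/4."""
    liars, bp = strong_liars(n), b_prime(n)
    return (set(liars) <= set(bp)
            and len(bp) == b_prime_size_formula(n)
            and 4 * len(liars) <= euler_phi(n))


if __name__ == "__main__":
    # 91 = 7 * 13 and 15 = 3 * 5 attain the bound exactly; 561 is a Carmichael number.
    for n in (15, 25, 91, 561, 1105):
        liars = strong_liars(n)
        print(f"n={n}: |B_n|={len(liars)}, |B'|={len(b_prime(n))} "
              f"(formula {b_prime_size_formula(n)}), phi(n)={euler_phi(n)}, "
              f"ratio={len(liars) / euler_phi(n):.4f}, lemma holds: {lemma25_holds(n)}")
```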

8.4 Source Code and Log

Attached is the source code used for testing the primality testing algorithms and a log of work done. Note that the code used for testing the tests is itself not included. The attached source code files are as follows.

• stdh.h: a header containing definitions meant to be visible throughout the program.
• utils.h, utils.cpp: utility functions not specific to any primality test.
• polynomial.h, polynomial.cpp: a class used to represent polynomials for use in the AKS test.
• aks.h, aks.cpp: the code for the AKS primality test.
• millerrabin.h, millerrabin.cpp: the code for the Miller-Rabin primality test.
