Primality

Primality Testing: The AKS Algorithm
Ramprasad Saptharishi
Chennai Mathematical Institute

Third Year B.Sc Mathematics
RP (CMI) Primality Testing January 17th, 2007 1 / 35

Table of Contents
1 Introduction
2 The Idea
3 Towards Correctness
4 Conditions required for critical claim
5 Getting hold of the r
6 Putting the Pieces Together
7 Different Polynomials
8 Summary and Open Problems

The Problem
Given as input a number n in binary.

Check if n is prime.

The Problem
Given as input a number n in binary.

Check if n is prime.
Input length: log n

Polynomial time =⇒ O(logk n) time

Introduction
Was known to be in co − NP (trivial)

Was known to be in NP (Pratt Certificates)
VERY efficient probabilistic algorithms
Follows from the Extended Riemann Hypothesis
Checking primality critical in CRT and other techniques

Table of Contents
1 Introduction
2 The Idea

The Distinguisher
Theorem
If n is prime, then (X − a)n = X n − a (modn)
If gcd(a, n) = 1 and n is composite, then
(X − a)n 6= X n − a (modn)

The Distinguisher
Theorem
If n is prime, then (X − a)n = X n − a (modn)
If gcd(a, n) = 1 and n is composite, then
(X − a)n 6= X n − a (modn)
Algorithm:
Check if (X − 1)n = X n − 1 (modn) and output accordingly.

Difficulties
1 Computing (X − 1)n takes n − 1 multiplications (naively)

Difficulties
1 Computing (X − 1)n takes n − 1 multiplications (naively)
2 (X − 1)n has n + 1 terms in it, and computing such a polynomial is

not feasible in O(logk n) time.

Getting Around: Difficulty 1
Repeated Squaring:
i
Compute pi = (X − 1)2 .
Use the binary representation of n and multiply appropriate pi s to compute
(X − a)n

Repeated Squaring:
i
Compute pi = (X − 1)2 .
Use the binary representation of n and multiply appropriate pi s to compute
(X − a)n
[Pingala200BC]: Journal Publication in Chandah-Sutra

(X − 1)n has too many coefficients, n + 1 of them (exponential in log n).


Evaluate it modulo a polynomial of small degree, go mod(X r − 1) for
some small r (O(logk n)).


Evaluate it modulo a polynomial of small degree, go mod(X r − 1) for
some small r (O(logk n)).
For compensation, evaluate (X − a)n with different ’a’s as witness.

The Algorithm: Skeleton

1: {some preliminary tests and choice for r , s and a}


2: for a = 1, 2, · · · , s do


2: for a = 1, 2, · · · , s do
3: if (X − a)n 6= X n − a (modX r − 1, p) then
4: declare composite
5: end if
6: end for


2: for a = 1, 2, · · · , s do
5: end if
6: end for
7: declare prime


2: for a = 1, 2, · · · , s do
5: end if
6: end for
7: declare prime
Things to figure out:
What are the preliminary tests?
Choice of r .
Choice of s.

Table of Contents
1 Introduction
2 The Idea

The Idea
We want to check if a degree O(n) polynomial is zero

((X − a)n − (X n − a))

The Idea

((X − a)n − (X n − a))
We need to restrict resources to O(logk n)

The Idea

((X − a)n − (X n − a))
Check modulo a (O(logk n)) degree polynomial

The Idea

((X − a)n − (X n − a))
Do it for different a’s for control

The Idea

((X − a)n − (X n − a))
From roots of the small degree polynomials, induce roots for the
degree O(n) polynomial

The Idea

((X − a)n − (X n − a))
Show that it has too many roots, and hence show it’s identically zero

The Idea

((X − a)n − (X n − a))
Show that it has too many roots, and hence show it’s identically zero
Challenge: From O(logk n) polynomials of O(logk n),we need to

induce O(n), exponential blow up in roots.

Introspective Numbers
Call a number m introspective if (X − a)m = X m − a (mod X r − 1, p)

for all 1 ≤ a ≤ s.


If n is a composite number, and p is any proper prime divisor of n, and
that n fails the test for all a. We will show that such problematic n can be
for checked earlier by choosing suitable preliminary tests and values for r
and s.


If n is a composite number, and p is any proper prime divisor of n, and
that n fails the test for all a. We will show that such problematic n can be
for checked earlier by choosing suitable preliminary tests and values for r
and s.
(X − a)n = X n − a (mod X r − 1, p)
(X − a)p = X p − a (mod X r − 1, p)
the second one coming for free from Fermat’s little theorem.

More Introspective Numbers
Claim
If m1 and m2 are introspective numbers, that is for all 1 ≤ a ≤ s
(X − a)m1 = X m1 − a (mod X r − 1, p)
(X − a)m2 = X m2 − a (mod X r − 1, p)
then so is m1 m2
(X − a)m1 m2 = X m1 m2 − a (mod X r − 1, p)

Proof of Claim
Proof.
(X − a)m2 − (X m2 − a) = (X r − 1)g (X )

Proof of Claim
Proof.
(X − a)m2 − (X m2 − a) = (X r − 1)g (X )
=⇒ (X m1 − a)m2 − (X m1 m2 − a) = (X m1 r − 1)g (X m1 )

Proof of Claim
Proof.
(X − a)m2 − (X m2 − a) = (X r − 1)g (X )
=⇒ (X m1 − a)m2 − (X m1 m2 − a) = (X m1 r − 1)g (X m1 )
= 0 (mod X r − 1, p)

Proof of Claim
Proof.
(X − a)m2 − (X m2 − a) = (X r − 1)g (X )
=⇒ (X m1 − a)m2 − (X m1 m2 − a) = (X m1 r − 1)g (X m1 )
= 0 (mod X r − 1, p)
=⇒ (X − a)m1 m2 = (X m1 − a)m2

Proof of Claim
Proof.
(X − a)m2 − (X m2 − a) = (X r − 1)g (X )
=⇒ (X m1 − a)m2 − (X m1 m2 − a) = (X m1 r − 1)g (X m1 )
= 0 (mod X r − 1, p)
=⇒ (X − a)m1 m2 = (X m1 − a)m2
= X m1 m2 − a (mod X r − 1, p)

More Introspective Numbers
(X − a)n = X n − a (mod X r − 1, p)
(X − a)p = X p − a (mod X r − 1, p)
Hence, for each m of the form p i nj we have (X − a)m = X m − a for

a = 1, 2, . . . , s.

Too many introspective numbers =⇒ collision
Let G be the subgroup of Zr , generated by n and p modulo r , and let t be

the order of the group. Note that t ≥ ordr (n).


√
L = {p i nj |0 ≤ i, j ≤ t}
√
Note that any m ∈ L is atmost n2 t.


√
L = {p i nj |0 ≤ i, j ≤ t}
√ √
Note that any m ∈ L is atmost n2 t . Since |L| = ( t + 1)2 > t, there
exists m1 = p i1 nj1 and m2 = p i2 nj2 such that m1 = m2 + kr
(X − a)m1 = X m2 +kr − a = X m2 − a = (X − a)m2 (mod X r − 1, p)

Critical Claim
Claim
If m1 , m2 ∈ L are such that
(X − a)m1 = (X − a)m2 (mod X r − 1, p)
for a = 1, 2, . . . , s, then m1 = m2

Critical Claim
Claim
(X − a)m1 = (X − a)m2 (mod X r − 1, p)
for a = 1, 2, . . . , s, then m1 = m2
Once we have this, then p i1 nj1 = p i2 nj2 , and this implies that n = p s .

Critical Claim
Claim
(X − a)m1 = (X − a)m2 (mod X r − 1, p)
for a = 1, 2, . . . , s, then m1 = m2
Once we have this, then p i1 nj1 = p i2 nj2 , and this implies that n = p s . And
since we assumed n is composite, s ≥ 2, and checking if n is a power of a
prime is easy and can be added in the preliminary tests.

Critical Claim
Claim
(X − a)m1 = (X − a)m2 (mod X r − 1, p)
for a = 1, 2, . . . , s, then m1 = m2
Once we have this, then p i1 nj1 = p i2 nj2 , and this implies that n = p s . And
since we assumed n is composite, s ≥ 2, and checking if n is a power of a
prime is easy and can be added in the preliminary tests.
All that’s left now is to choose the parameters that force m1 = m2 .

Table of Contents
1 Introduction
2 The Idea

Too many roots =⇒ zero polynomial
Theorem
In field, a non-zero polynomial of degree d has at most d roots.

Too many roots =⇒ zero polynomial
Theorem
In field, a non-zero polynomial of degree d has at most d roots.
h(Z ) = Z m1 − Z m2 has several roots, namely (X − a) for a = 1, 2, . . . , s.

We want to show that it has more roots than its degree, thereby forcing
m1 = m2 .
But we need a field first.

Moving to a field
Let η be a primitive r -th root of unity.

Moving to a field
Let η be a primitive r -th root of unity. Then, for a = 1, 2, . . . , s
(η − a)m1 = (η − a)m2
in the field Fp (η), or in other words, (η − a) is a root of the polynomial

h(Z ) = Z m1 − Z m2 .

Moving to a field
(η − a)m1 = (η − a)m2

h(Z ) = Z m1 − Z m2 . And note that if α and β are roots of h, so is αβ.

Moving to a field
(η − a)m1 = (η − a)m2

Thus each element of the set
( s )
Y
δa
S= (η − a) |δa ∈ {0, 1}
a=1
is a root of h.

Moving to a field
(η − a)m1 = (η − a)m2

( s )
Y
δa
S= (η − a) |δa ∈ {0, 1}
a=1
is a root of h. Suppose we force that each element in S is distinct, then

we have 2s roots of h.

Moving to a field
(η − a)m1 = (η − a)m2

( s )
Y
δa
S= (η − a) |δa ∈ {0, 1}
a=1
is a root of h. Suppose we force that each element in S is distinct, then

we have 2s roots of h. √ √
√
Suppose further that 2s > n2 t , that is s = 2 r log n + 1 > 2 t log n,
then we force m1 = m2 .

Elements of S are distinct
Suppose we look at
s
( )
Y
SX = (X − a)δa |δa ∈ {0, 1}
a=1
what do we need to ensure that they are distinct polynomials of Fp [X ]?

Suppose we look at
s
( )
Y
SX = (X − a)δa |δa ∈ {0, 1}
a=1

The (X − a)’s will be distinct if one makes sure that a = 1, 2, . . . , s do not
divide n (and hence p) so that no wrap arounds are possible. This can be
added in the preliminary tests.

Suppose we look at
s
( )
Y
SX = (X − a)δa |δa ∈ {0, 1}
a=1

added in the preliminary tests. Since polynomials factor uniquely into
irreducible factors, it follows that SX has 2s elements.

Suppose we look at
s
( )
Y
SX = (X − a)δa |δa ∈ {0, 1}
a=1

added in the preliminary tests. Since polynomials factor uniquely into
irreducible factors, it follows that SX has 2s elements.
We now need to push this to show that if g1 and g2 are two different
elements in SX , then g1 (η) and g2 (η) are different elements.

Pushing to η
By claim 1, for every m = p i nj , g (X )m = g (X m ) (modX r − 1, p).

Pushing to η

Hence if g1 , g2 are two elements of SX such that g1 (η) = g2 (η), then for
all m of the form p i nj , η m is a root of g = g1 − g2

Pushing to η

i j
# of values of η p n = number of distinct residues of p i nj modulo r .
Hence g1 − g2 has atleast t roots in Fp (η).

Pushing to η

i j
Hence g1 − g2 has atleast t roots in Fp (η). Since these are polynomials
√ of
√
degree atmost s, if we ensure that t > s = 2 r log n + 1 > 2 t log n,
then we force g1 = g2 in Fp [X ].

Pushing to η

i j
√ of
√
then we force g1 = g2 in Fp [X ].And this is true if t > 4(log2 n) + 2 and
since t ≥ ordr (n), it’s enough to ensure that ordr (n) > 4(log2 n) + 2.

Pushing to η

i j
√ of
√
Thus the choice of r is a number such that ordr (n) > 4(log2 n) + 2 and
√
s = 2 r log n + 1, and we are done

Pushing to η

i j
√ of
√
Thus the choice of r is a number such that ordr (n) > 4(log2 n) + 2 and
√
s = 2 r log n + 1, and we are done nearly, how do we get the r ?

Table of Contents
1 Introduction
2 The Idea

A Nice Lemma
Lemma
The LCM of 1, 2, . . . 2k + 1 is atleast 22k

A Nice Lemma
Lemma
Proof.
Z 1
−2k
2 ≥ [x(1−x)]k dx
0

A Nice Lemma
Lemma
Proof.
Z 1 k Z 1 k
−2k k
X k X Mi
2 ≥ [x(1−x)] dx = (−1)i x k+i dx =
0 i 0 k +i +1
i=0 i=0

A Nice Lemma
Lemma
Proof.
Z 1 k Z 1 k
−2k k
X k X Mi M
2 ≥ [x(1−x)] dx = (−1)i x k+i dx = =
0 i 0 k +i +1 L
i=0 i=0
where M is an integer and L is the LCM of k + 1, k + 2, . . . , 2k + 1.

A Nice Lemma
Lemma
Proof.
Z 1 k Z 1 k
−2k k
X k X Mi M
2 ≥ [x(1−x)] dx = (−1)i x k+i dx = =
0 i 0 k +i +1 L
i=0 i=0
where M is an integer and L is the LCM of k + 1, k + 2, . . . , 2k + 1.Since

the integral is clearly positive it is atleast 1/L, and hence L ≥ 22k

Existance of a small r
Suppose we run through all r till some odd number say R and fail to get
one such that ordr (n) > T = 4(log2 n) + 2.

one such that ordr (n) > T = 4(log2 n) + 2. Then each r ≤ R divides
T
2
Y
(ni − 1) ≤ nT
i=0
and hence the LCM of all r ≤ R divides it.

T
2
Y
(ni − 1) ≤ nT
i=0
and hence the LCM of all r ≤ R divides it. By the earlier lemma, we must
2
have 2R−1 ≤ nT that is R ≤ T 2 log n + 1.

T
2
Y
(ni − 1) ≤ nT
i=0
and hence the LCM of all r ≤ R divides it. By the earlier lemma, we must
2
have 2R−1 ≤ nT that is R ≤ T 2 log n + 1. Hence there is a number
r = O(log5 n) with ordr (n) ≥ T .

Table of Contents
1 Introduction
2 The Idea

The Algorithm for Primality Testing
1: if n = ab for a, b ≥ 2 then
3: end if

3: end if
4: Choose r such that ordr (n) ≥ 4 log2 n + 2
√
5: Let s = 2 r log n + 1

3: end if
√
5: Let s = 2 r log n + 1
6: if any 2 ≤ a ≤ s divides n then
8: end if

3: end if
√
5: Let s = 2 r log n + 1
8: end if
9: for a = 1, 2, · · · , s do
12: end if
13: end for

3: end if
√
5: Let s = 2 r log n + 1
8: end if
9: for a = 1, 2, · · · , s do
12: end if
13: end for
14: declare prime

3: end if
√
5: Let s = 2 r log n + 1
8: end if
9: for a = 1, 2, · · · , s do
12: end if
13: end for
14: declare prime
Running time is O(log12 n), some optimizations has now got it down to
O(log6 n).
Table of Contents
1 Introduction
2 The Idea

Revisiting Difficulty 2
(X − 1)n had too many coefficients


Solution was to evaluate it modulo a polynomial of small degree


We compensated for possible error by evaluating (X − a)n for
different a’s.


We compensated for possible error by evaluating (X − a)n for
different a’s.
Why not go modulo different polynomials instead?

Primality and Chinese Remaindering: [AgrawalBiswas]
Theorem
For any fixed r and any t > 0,
(X + 1)n = X n + 1 (mod n, (X + a)r − 1) for 1 ≤ a ≤ t
if and only if
(X − a)n = X n − a (mod n, X r − 1) for 1 ≤ a ≤ t

Primality and Chinese Remaindering: [AgrawalBiswas]
Theorem
For any fixed r and any t > 0,
(X + 1)n = X n + 1 (mod n, (X + a)r − 1) for 1 ≤ a ≤ t
if and only if
(X − a)n = X n − a (mod n, X r − 1) for 1 ≤ a ≤ t
[AB99] presents a randomized algorithm for primality and identity testing

using this. After [AKS02], the revised version [AB03] looked at [AKS02] as
a derandomization of [AB99].

Table of Contents
1 Introduction
2 The Idea

Summary
Simple idea, simple proof

A later paper by Manindra converted the entire testing to a single
polynomial.
O(log6 n) still not exciting
Randomized algorithms do way better

Open Problems
More efficient algo

Do we actually need to check for various ’a’s?
Lower bounds on primality
Exploring tie-ups between [AKS] and [AB]

Thank You
Slides and TEXsources are available at

~ramprasad/studenttalks/primality/

Primality

Uploaded by

Copyright:

Available Formats

You might also like

Primality

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Primality

Uploaded by

Copyright:

Available Formats

Primality Testing: The AKS Algorithm

Chennai Mathematical Institute

RP (CMI) Primality Testing January 17th, 2007 1 / 35

4 Conditions required for critical claim

5 Getting hold of the r

6 Putting the Pieces Together

8 Summary and Open Problems

RP (CMI) Primality Testing January 17th, 2007 2 / 35

Given as input a number n in binary.

RP (CMI) Primality Testing January 17th, 2007 3 / 35

Given as input a number n in binary.

Input length: log n

RP (CMI) Primality Testing January 17th, 2007 3 / 35

Was known to be in co − NP (trivial)

RP (CMI) Primality Testing January 17th, 2007 4 / 35

4 Conditions required for critical claim

5 Getting hold of the r

6 Putting the Pieces Together

8 Summary and Open Problems

RP (CMI) Primality Testing January 17th, 2007 5 / 35

RP (CMI) Primality Testing January 17th, 2007 6 / 35

RP (CMI) Primality Testing January 17th, 2007 6 / 35

1 Computing (X − 1)n takes n − 1 multiplications (naively)

RP (CMI) Primality Testing January 17th, 2007 7 / 35

1 Computing (X − 1)n takes n − 1 multiplications (naively)

2 (X − 1)n has n + 1 terms in it, and computing such a polynomial is

RP (CMI) Primality Testing January 17th, 2007 7 / 35

RP (CMI) Primality Testing January 17th, 2007 8 / 35

RP (CMI) Primality Testing January 17th, 2007 8 / 35

(X − 1)n has too many coefficients, n + 1 of them (exponential in log n).

RP (CMI) Primality Testing January 17th, 2007 9 / 35

(X − 1)n has too many coefficients, n + 1 of them (exponential in log n).

RP (CMI) Primality Testing January 17th, 2007 9 / 35

(X − 1)n has too many coefficients, n + 1 of them (exponential in log n).

RP (CMI) Primality Testing January 17th, 2007 9 / 35

RP (CMI) Primality Testing January 17th, 2007 10 / 35

1: {some preliminary tests and choice for r , s and a}

RP (CMI) Primality Testing January 17th, 2007 10 / 35

1: {some preliminary tests and choice for r , s and a}

RP (CMI) Primality Testing January 17th, 2007 10 / 35

1: {some preliminary tests and choice for r , s and a}

RP (CMI) Primality Testing January 17th, 2007 10 / 35

1: {some preliminary tests and choice for r , s and a}

RP (CMI) Primality Testing January 17th, 2007 10 / 35

1: {some preliminary tests and choice for r , s and a}

RP (CMI) Primality Testing January 17th, 2007 10 / 35

4 Conditions required for critical claim

5 Getting hold of the r

6 Putting the Pieces Together

8 Summary and Open Problems

RP (CMI) Primality Testing January 17th, 2007 11 / 35

We want to check if a degree O(n) polynomial is zero

RP (CMI) Primality Testing January 17th, 2007 12 / 35

We want to check if a degree O(n) polynomial is zero

RP (CMI) Primality Testing January 17th, 2007 12 / 35

We want to check if a degree O(n) polynomial is zero

RP (CMI) Primality Testing January 17th, 2007 12 / 35