Introduction to the AKS Primality Test

Post on 12-Apr-2017


The AKS Primality Test

Pranshu Bhatnagar
Chennai Mathematical Institute

Indraprastha Institute of Information Technology

11th June 2015

Introduction to Primality Testing
• Goal: given an integer n > 1, determine whether n is prime
• Most people know the smallest primes
  • 2, 3, 5, 7, 11, 13, 17, 19, 23, …
• What about:
  • 38,476? No, because it is even
  • 4,359? No, because the sum of the digits is 21, a multiple of 3
  • 127? Yes, because it does not have any factors < √127 ≈ 11.27
  • $2^{57,885,161} - 1$?
    • This has over 17 million digits. We need better tests…


3 Categories
For some arithmetic statement S which is easy to check:
1. n is prime ⇒ S(n)
  • pseudoprimes
  • strong pseudoprimes
2. S(n) ⇒ n is prime
  • n-1 test (Lucas Theorem)
  • n+1 test (Lucas-Lehmer)
3. S(n) ⇔ n is prime
  • AKS test


n is prime ⇒ S(n)
• S(n): n = 2 or n is odd
• S(n): n = 3 or sum of digits of n is not divisible by 3
• ¬S(n) ⇒ n is composite
• S(n) ⇒ ?


Pseudoprimes
• n prime ⇒ S(n)
• S-pseudoprime: n is composite but S(n) holds
• S(n): n = 2 or n is odd
  • n = 15 is a pseudoprime


Intro to Modular Arithmetic
• a ≡ b (mod n)
  • Formally n | (a - b)
  • a/n leaves remainder b
• Clocks keep time (mod 12)
  • 16:30 (military time) ≡ 4:30 pm
  • 8:00 am + 7 hours = 15:00 ≡ 3 pm
• Subtract the modulus until the result is small enough
  • 11 ≡ 4 (mod 7)
  • 35 ≡ 0 (mod 5)
  • $2^3 = 8 \equiv 2 \pmod{3}$


Fermat Pseudoprimes
• n prime ⇒ S(n)
• S is based on Fermat’s Little Theorem: If n is prime then $a^n \equiv a \pmod{n}$, $\forall a \in \mathbb{Z}$
• S(n): $a^n \equiv a \pmod{n}$
• Fermat pseudoprime: n is composite but $a^n \equiv a \pmod{n}$ for some a


Examples
n prime ⇒ $a^n \equiv a \pmod{n}$
• Let n = 91
  • Composite: 91 = 7 * 13
• $3^{91} \equiv 3 \pmod{91}$
  • 91 is a Fermat pseudoprime base 3
• $2^{91} \not\equiv 2 \pmod{91}$
  • 91 is not a Fermat pseudoprime base 2 (91 is composite)
• Note: Most probably, ∃ infinitely many Carmichael numbers, composites with $a^n \equiv a \pmod{n}$ for every a
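
The 91 example and the Carmichael note above can be checked directly. This is an added Python example, not part of the original slides; the function names are hypothetical, and trial division serves as ground truth for the small inputs used.

```python
def fermat_check(n: int, a: int) -> bool:
    """S(n) from the slides for one base: a^n ≡ a (mod n)."""
    return pow(a, n, n) == a % n


def is_prime_trial(n: int) -> bool:
    """Ground truth by trial division; adequate for the small n used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def fooled_bases(n: int) -> list[int]:
    """Bases 2..n-2 for which a composite n still passes the Fermat check."""
    if is_prime_trial(n):
        raise ValueError("n is prime, so passing bases are not 'fooled'")
    return [a for a in range(2, n - 1) if fermat_check(n, a)]


def carmichael_below(limit: int) -> list[int]:
    """Composites n < limit that pass the check for every base a."""
    return [n for n in range(4, limit)
            if not is_prime_trial(n)
            and all(fermat_check(n, a) for a in range(n))]


if __name__ == "__main__":
    print("91 base 3:", fermat_check(91, 3), " base 2:", fermat_check(91, 2))
    print("bases fooled by 91:", len(fooled_bases(91)), "of", 91 - 3)
    print("Carmichael numbers below 2000:", carmichael_below(2000))
```

A prime generator that relies on this check alone accepts every number `carmichael_below` returns, whatever base it picks.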


S(n) ⇒ n is prime
• n is composite ⇒ ¬S(n)
• ¬S(n) ⇒ ?


The n-1 Test
• S is based on the Lucas Theorem:
  If $a^{n-1} \equiv 1 \pmod{n}$ but $a^{(n-1)/q} \not\equiv 1 \pmod{n}$ ∀ prime q | n-1, then n is prime (for some a ∈ ℤ)
• S(n): $a^{n-1} \equiv 1 \pmod{n}$ but $a^{(n-1)/q} \not\equiv 1 \pmod{n}$


Example
[$a^{n-1} \equiv 1 \pmod{n}$ but $a^{(n-1)/q} \not\equiv 1 \pmod{n}$] ⇒ n prime
• Let n = 19
• $n - 1 = 18 = 2 \cdot 3^2$
• Let a = 2
  $2^{18} \equiv 1 \pmod{19}$
  $2^{9} \equiv 18 \pmod{19}$
  $2^{6} \equiv 7 \pmod{19}$
• So 19 is prime


Another Example
[$a^{n-1} \equiv 1 \pmod{n}$ but $a^{(n-1)/q} \not\equiv 1 \pmod{n}$] ⇒ n prime
• S(n) ⇒ n is prime
• ¬S(n) ⇒ ?
• Let n = 13, a = 5
  • $n - 1 = 12 = 2^2 \cdot 3$
  $5^{12} \equiv 1 \pmod{13}$
  $5^{6} \equiv 12 \pmod{13}$
  But $5^{4} \equiv 1 \pmod{13}$
• S(n) is false, but n = 13 is prime
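
An added sketch of the n-1 test in Python (not from the original slides; function names are hypothetical). It reproduces both slide examples and shows that a failing base proves nothing, so a prover has to search for a base; it assumes n ≥ 3 and that n-1 is small enough to factor by trial division.

```python
def prime_factors(m: int) -> list[int]:
    """Distinct prime factors of m by trial division."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def lucas_witness(n: int, a: int) -> bool:
    """True if base a satisfies S(n) of the n-1 test, which proves n prime."""
    if pow(a, n - 1, n) != 1:
        return False
    # a^((n-1)/q) must differ from 1 for every prime q dividing n-1.
    return all(pow(a, (n - 1) // q, n) != 1 for q in prime_factors(n - 1))


def find_lucas_base(n: int):
    """Smallest base in 2..n-1 that proves n prime, or None if no base does."""
    for a in range(2, n):
        if lucas_witness(n, a):
            return a
    return None


if __name__ == "__main__":
    print("n=19, a=2:", lucas_witness(19, 2))    # slide example, passes
    print("n=13, a=5:", lucas_witness(13, 5))    # slide example, fails
    print("n=13, first proving base:", find_lucas_base(13))
    print("n=91:", find_lucas_base(91), " n=561:", find_lucas_base(561))
```

No base exists for a composite n, so `None` after an exhaustive search is conclusive, while a single failing base such as a = 5 for n = 13 is not.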


S(n) ⇔ n is prime
• S(n) ⇒ n is prime
• ¬S(n) ⇒ n is composite
• Theorem: Given some a with gcd(a,n) = 1:
  n is prime iff $(x + a)^n \equiv x^n + a \pmod{n}$
• S(n): $(x + a)^n \equiv x^n + a \pmod{n}$


Example
S(n): $(x + a)^n \equiv x^n + a \pmod{n}$
• $(x+4)^7 = x^7 + 28x^6 + 336x^5 + 2240x^4 + 8960x^3 + 21504x^2 + 28672x + 16384 \equiv x^7 + 4 \pmod{7}$
  • 7 is prime
• $(x+3)^4 = x^4 + 12x^3 + 54x^2 + 108x + 81 \equiv x^4 + 2x^2 + 1 \pmod{4} \ne x^4 + 3$
  • 4 is composite


Improvement: The AKS Theorem
• Agrawal-Kayal-Saxena (AKS) Theorem: n is prime iff
  • n is not a power,
  • n has no small factors,
  • $(x + a)^n \equiv x^n + a \pmod{n,\ x^r - 1}$ for certain r and small values of a


The AKS Algorithm


Input: n ≥ 1
STEP 1. If ∃ a, b > 1 ∈ N such that $n = a^b$, then Output COMPOSITE;
STEP 2. Find the minimal r ∈ N such that $o_r(n) > \log^2(n)$;
STEP 3. For a = 1 to r do if 1 < (a, n) < n, then Output COMPOSITE;
STEP 4. if r ≥ n, then Output PRIME;
STEP 5. For a = 1 to  do if $(x + a)^n \not\equiv x^n + a \pmod{x^r - 1,\ n}$, then Output COMPOSITE;
STEP 6. Output PRIME;

Proof Of Correctness

n is prime ⇒ S(n)
• n is certainly not of the form $a^b$ for any a, b > 1, so STEP 1 will not output COMPOSITE.
• Since n is prime, we also know that ∀x ∈ N, (n, x) = 1 or n. Hence STEP 3 will not output COMPOSITE either.
• We have seen that for any prime n, $(x+a)^n \equiv x^n + a \pmod{n}$, so STEP 5 will not output COMPOSITE.
• Therefore the algorithm will output PRIME.

S(n) ⇒ n is prime
• If the algorithm returns PRIME during STEP 4, then we know that ∀m < n, (m, n) = 1 (this was checked in STEP 3), meaning n is prime.
• The remaining case, in which the algorithm returns PRIME during STEP 6, will take considerably more effort and require some extra machinery.

Runtime Analysis

Notation

Basic Operations
Let n, m ∈ N. Then
• Computing m + n takes O(||n|| + ||m||) = O(log(n) + log(m)) bit operations.
• Computing m · n takes O(||n|| · ||m||) = O(log(n) · log(m)) bit operations.
• Computing the quotient n div m and the remainder n mod m takes O((||n|| − ||m|| + 1) · ||m||) bit operations.

Basic Operations
Let m, n ∈ N with at most k bits each. Then:
• m and n can be multiplied with O(k(log(k))(log log k)) = $\tilde{O}(k)$ bit operations.
• n div m and n mod m can be computed using O(k(log(k))(log log k)) = $\tilde{O}(k)$ bit operations.
• Multiplication of two polynomials of degree d with coefficients at most m bits in size can be done in $\tilde{O}(d \cdot m)$ bit operations.

Euclidean Algorithm
Input: m, n ∈ Z
    a, b: integer;
    if |n| ≥ |m|
        then a ← |n|; b ← |m|;
        else a ← |m|; b ← |n|;
    while b > 0 repeat
        (a, b) ← (b, a mod b);   // i.e., a_i = b_{i−1}, b_i = a_{i−1} mod b_{i−1}
    return a;
• This algorithm runs in O(log(n) · log(m)).

Fast Modular Exponentiation
• Let $n = 2^{a_1} + 2^{a_2} + \cdots + 2^{a_l}$, where $a_1 > a_2 > \cdots > a_l$.
• Define $f_0 := (x + a)$, $f_{i+1}(x) = f_i(x)^2 \pmod{x^r - 1,\ n}$.
• Then $f_{a_j}(x) = (x + a)^{2^{a_j}}$.
• If we further define $g_1(x) := f_{a_1}(x)$ and $g_k(x) \equiv g_{k-1}(x)\, f_{a_k}(x) \pmod{x^r - 1,\ n}$, then we see that $g_l(x) \equiv (x + a)^{2^{a_1} + \cdots + 2^{a_l}} = (x + a)^n \pmod{x^r - 1,\ n}$.
• We have therefore computed $(x + a)^n \pmod{x^r - 1,\ n}$ in $a_1 + l \le 2\log(n)$ steps, where a step consists of multiplying two polynomials of degree less than r with coefficients in Z/nZ.

This leads to a total runtime of $\tilde{O}(r \cdot \log^2(n))$.

Perfect power Test
Input: n ∈ N
    a, b, c, m: integer
    b ← 2
    while (b ≤ log(n)) do
        a ← 1; c ← n;
        while c − a ≥ 2 do
            m ← (a + c) div 2;
            p ← min {m^b, n + 1};   // cap p so intermediate powers stay small
            if p = n then return "n is a perfect power";
            if p < n then a ← m else c ← m;
        b ← b + 1;
    return "n is not a perfect power."

• Loop 1 will run at most log(n) times. Also, it will take at most log(n) iterations of loop 2 before |c − a| ≤ 1. During each iteration of loop 2, we calculate (a + c) div 2 and $m^b$, which can be done in $\tilde{O}(\log(n))$ bit operations.
• The complexity of the entire algorithm is therefore $\tilde{O}(\log^3(n))$.

Overall

STEP 1 At most $\tilde{O}(\log^3(n))$ bit operations.

STEP 2 We know that there exists an $r < \log^5(n)$ such that $o_r(n) > \log^2(n)$. The easiest way to find such an r is simply to calculate $n^k \pmod{r}$ for $k = 1, 2, \ldots, \log^2(n)$. This involves $O(\log^2(n))$ multiplications modulo r for each r, so STEP 2 takes $\tilde{O}(\log^7(n))$ bit operations.

STEP 3 While determining whether (a, n) > 1 for some a ≤ r, computing each gcd takes $\tilde{O}(\log^2(n))$ bit operations using the Euclidean Algorithm, resulting in a total of $\tilde{O}(\log^7(n))$ bit operations.

Overall
STEP 5 Given a ≤ , calculating $(x + a)^n$ in the ring Z/nZ as reducing modulo $x^r - 1$ is trivial (simply replace $x^s$ by $x^{s-r}$). In order to calculate $(x+a)^n$, we must perform O(log(n)) multiplications of polynomials of degree < r with coefficients of size O(log(n)) (as the coefficients are written modulo n; recall that all polynomials are reduced modulo $x^r - 1$ during Fast Modular Exponentiation). Each congruence therefore takes $\tilde{O}(\log^7(n))$ bit operations to verify. This step therefore takes $\tilde{O}(\quad \log(n)\,\log^7(n)) = \tilde{O}(\quad \log^8(n)) = \tilde{O}(\log^{21/2}(n))$ bit operations. The complexity of STEP 5 clearly dominates the complexity of the other steps, so the overall complexity of the algorithm is $\tilde{O}(\log^{10.5}(n))$, which is indeed polynomial.
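
An added Python rendering of STEP 1 to STEP 6, including the perfect power test and the fast modular exponentiation described above (not code from the slides or from the AKS authors; function names are hypothetical). The STEP 5 bound is missing from the algorithm listing, so the code assumes ⌊√φ(r) · log n⌋ with log base 2, the bound given in the page's worked example; it uses schoolbook polynomial multiplication, so it is far slower than the bounds quoted above.

```python
from math import gcd, log2

def is_perfect_power(n):
    """STEP 1: for each b with 2^b <= n, binary-search m with m^b == n."""
    for b in range(2, n.bit_length()):
        lo, hi = 1, n
        while hi - lo >= 2:
            m = (lo + hi) // 2
            if m ** b == n:
                return True
            lo, hi = (m, hi) if m ** b < n else (lo, m)
    return False

def mult_order(n, r):
    """o_r(n): least k >= 1 with n^k = 1 (mod r); needs gcd(n, r) == 1."""
    return next(k for k in range(1, r) if pow(n, k, r) == 1)

def polymul(f, g, r, n):
    """Product in (Z/nZ)[x]/(x^r - 1): exponents wrap around modulo r."""
    h = [0] * r
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[(i + j) % r] = (h[(i + j) % r] + fi * gj) % n
    return h

def pow_x_plus_a(a, n, r):
    """(x + a)^n mod (x^r - 1, n) by repeated squaring; needs r >= 2."""
    result, base = [1] + [0] * (r - 1), [a % n, 1] + [0] * (r - 2)
    for bit in bin(n)[:1:-1]:            # bits of n, least significant first
        result = polymul(result, base, r, n) if bit == "1" else result
        base = polymul(base, base, r, n)
    return result

def aks(n):
    if n < 2 or is_perfect_power(n):                        # STEP 1
        return False
    lg, r = log2(n), 2
    while gcd(n, r) != 1 or mult_order(n, r) <= lg * lg:    # STEP 2
        r += 1
    if any(1 < gcd(a, n) < n for a in range(2, r + 1)):     # STEP 3
        return False
    if n <= r:                                              # STEP 4
        return True
    phi = sum(gcd(k, r) == 1 for k in range(1, r + 1))
    for a in range(1, int(phi ** 0.5 * lg) + 1):            # STEP 5, assumed bound
        rhs = [a % n] + [0] * (r - 1)
        rhs[n % r] += 1                                     # x^n = x^(n mod r)
        if pow_x_plus_a(a, n, r) != rhs:
            return False
    return True                                             # STEP 6
```

Polynomials are coefficient lists of length r, lowest degree first, so `pow_x_plus_a(4, 7, 5)` returns `[4, 0, 1, 0, 0]`, i.e. x² + 4, which is x⁷ + 4 reduced modulo x⁵ − 1.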

Example
• Is n = 1993 prime?
1. 1993 is not a power ✓


Example Continued
(Is n = 1993 prime?)
2. (i) Find “certain r:” Really finding the least integer r > log2n with order of n in $\mathbb{Z}_r^*$
   We find r = 5.
   (ii) Check that n has no “small factors”. Really checking no factors in [2, log n * √φ(r)] = [2, log(1993)*√4] = [2, 21.92]
   2, 3, 4, 5, …, 21 are not factors ✓

Note: √1993 ≈ 44.643 – AKS checks less than half as many numbers as possible factors


Example Continued
(Is n = 1993 prime?)
3. Check $(x + a)^n \equiv x^n + a \pmod{n,\ x^r - 1}$ for a up to the same value (log n * √φ(r))
   So for 1 ≤ a ≤ 21 check $(x + a)^{1993} \equiv x^{1993} + a \pmod{1993,\ x^5 - 1}$ ✓

Result: n = 1993 passed all 3 tests. So 1993 is prime.


Significance
• Determines whether n is prime or composite in polynomial time
• AKS Test is an iff statement
  • If n passes the test then n is definitely prime
  • If n fails the test then n is definitely composite
