\documentclass[11pt]{article} \usepackage{amsmath} %\usepackage{fullpage} %\usepackage{epic} %\usepackage{eepic} %\usepackage{psfig} %\newcommand{\proof}[1]{ %{\noindent {\it Proof.} {#1} \rule{2mm}{2mm} \vskip \belowdisplayskip} %} %\newtheorem{lemma}{Lemma}[section] %\newtheorem{theorem}[lemma]{Theorem} %\newtheorem{claim}[lemma]{Claim} %\newtheorem{definition}[lemma]{Definition} %\newtheorem{corollary}[lemma]{Corollary} %Theorems and likes \newtheorem{assumption}{Assumption}[section] \newtheorem{theorem}{Theorem}[section] \newtheorem{fact}{Fact}[section] \newtheorem{claim}{Claim}[section] \newtheorem{lemma}{Lemma}[section] \newtheorem{example}{Example}[section] \newtheorem{definition}{Definition}[section] \newtheorem{corollary}{Corollary}[section] \newtheorem{exercise}{Exercise}[section] \newtheorem{observation}{Observation}[section] \newcommand{\bproof}{\noindent{\it Proof}} %\newcommand{\eproof}{\hspace*{\fill}$\Box$~~~~~\bigskip} \newcommand{\eproof}{\hspace*{\fill}\rule{2mm}{2mm}~~~~~\bigskip} \newenvironment{proof}{\bproof: }{\eproof} % symbols and notation \newcommand{\defeq}{\stackrel{\rm def}{=}} \setlength{\oddsidemargin}{0in} \setlength{\topmargin}{0in} \setlength{\textwidth}{6in} \setlength{\textheight}{8in} \begin{document} \setlength{\fboxrule}{.5mm}\setlength{\fboxsep}{1.2mm} \newlength{\boxlength}\setlength{\boxlength}{\textwidth} \addtolength{\boxlength}{-4mm} \begin{center}\framebox{\parbox{\boxlength}{\bf CS 681: Computational Number Theory and Algebra \hfill Lecture 15 \\\\ Two Randomized Algorithms for Primality Testing \\\\ Lecturer: Manindra Agrawal \hfill Scribe: Sudeepa Roy %\\ \begin{flushright} %date August 19, 2005 \end{flushright} }}\end{center} \vspace{5mm} \section{Introduction } In the last lecture we studied the deterministic algorithm for primality testing. In this lecture we will study two randomized polynomial time algorithms that work more efficiently for many practical purposes. \section{Miller-Rabin Algorithm} This algorithm was proposed in 70's. Miller and Rabin gave two versions of the same algorithm to test whether a number $n$ is prime or not. Whereas Rabin's algorithm works with a randomly chosen $a \in Z_n$, and is therefore a randomized one, Miller's version tests deterministically for all $a$'s, where $1 \leq a \leq 4\log^2 n$. But correctness of Miller's algorithm depends on correctness of \textit{Extended Riemann Hypothesis}. We will discuss Rabin's version of the algorithm here. \\\\{\large\textbf{Algorithm} \\\\ Let $\psi$ be an automorphism in $Z_n$. \\Let $n-1~ =~ s\times 2^t$ for odd $s$. \begin{enumerate} \item Test if $n~=~m^j$ for $j>1$. If yes, output COMPOSITE. \item Randomly choose $a \in Z_n$. \item Test if $a^{n-1}~=~1 (\mod n~)$. If no, output COMPOSITE. \item Compute $u_i~ =~ a^{s\times2^i} (\mod n~)$ for $0 \leq i < t$. \item If there is an $i$ such that $u_i~ =~ 1$ and $u_{i-1}~ \neq \pm 1$, output COMPOSITE. \item output PRIME. \end{enumerate} \large\textbf{Correctness} \begin{observation} $\Pr\limits_{a \in Z_n} [$test is correct $|~n$ is prime $]~ =~ 1$. \end{observation} Now let us consider the case when $n$ is composite. \\Let primes $p$ and $q$ divides $n$. \begin{tabbing} Either \=$(1)$ $u_0~ =~ 1~ =~ u_1~ =~ \cdots~ =~ u_{i-1}$\\ or \> $(2)~ \exists i>0, u_i~=~1$ and $u_{i-1}~=~-1$ \end{tabbing} \large\textbf{\underline{case $(1)$:}} \\\\$u_0~=a^s~ =~ 1(\mod n~) \Rightarrow a^s~ =~ 1(\mod p~)$ and $a^s~ =~ 1(\mod q~)$ \\Hence, \begin{tabbing} \= \= $\Pr\limits_{a \in Z_n} [a^s~ =~ 1(\mod n~)]$ \\\> \> $\leq \Pr\limits_{a \in Z_n}[a^s~ =~ 1(\mod p~) \wedge a^s~ =~ 1(\mod q~)]$ \\\> \> $=\Pr\limits_{a \in Z_n}[a^s~ =~ 1(\mod p~)] \times \Pr\limits_{a \in Z_n}[a^s~ =~ 1(\mod p~) | a^s~ =~ 1(\mod q~)]$ \\\> \> $=\Pr\limits_{a \in Z_p}[a^s~ =~ 1(\mod p~)] \times \Pr\limits_{a \in Z_q}[a^s~ =~ 1(\mod q~)]$ \end{tabbing} Where the last step can be argued as follows. \\\\Let $|\left\{a_0 \in Z_p : a_0^s = 1 (\mod p~)\right\}| = k$. Then $\Pr\limits_{a \in Z_p}[a^s~ =~ 1(\mod p~)]=\frac{k}{p}$. Copies of $a_0$ in $Z_n$ are $a_0, a_0+p, \cdots, a_0 + (\frac{n}{p}-1)p$, i.e., $\frac{n}{p}$ copies. \\Hence, $\Pr\limits_{a \in Z_n}[a^s~ =~ 1(\mod p~)]=\frac{n}{p} \times k \times \frac{1}{n} = \frac{k}{p}=\Pr\limits_{a \in Z_p}[a^s~ =~ 1(\mod p~)]=\frac{k}{p}$. \\Now among these copies, $a_0, a_0+qp, \cdots $ fall in class $[a_0]$, $a_0+p, a_0+(q+1)p, \cdots $ fall in class $[a_0+p]$, and so on. Hence arguing as before it can be shown that \\$\Pr\limits_{a \in Z_n}[a^s = 1(\mod p~) | a^s = 1(\mod q~)]=\Pr\limits_{a \in Z_q}[a^s = 1(\mod q~)]$ \\\\\\Now $a^s = 1(\mod p~)$ and $a^{p-1} = 1(\mod p~)$ \\$\Rightarrow a^{\gcd(s, p-1)} = 1(\mod p~)$ \\$\Rightarrow a^{\frac{p-1}{2}} = 1(\mod p~)$ $[$as $s$ odd and $p-1$ even, hence the gcd is odd and divides $\frac{p-1}{2}]$ \\So, $\Pr\limits_{a \in Z_p}[a^s~ =~ 1(\mod p~)]=\Pr\limits_{a \in Z_p}[a^s~ =~ 1(\mod p~)]\leq \frac{1}{2}$. \\\\Therefore, $\Pr\limits_{a \in Z_n} [a^s~ =~ 1(\mod n~)] \leq \frac{1}{4}$ \\\\\large\textbf{\underline{case $(2)$:}} \\\\$\exists i:~a^{s.2^i}~ =~ 1(\mod n~)$ and $a^{s.2^{i-1}}~ =~ -1(\mod n~)$ \\Let $\hat{s}~=~s.2^{i-1}$ \\So, $a^{\hat{s}}~=~-1(\mod n~)$ and $a^{2\hat{s}}~=~1(\mod n~)$ \\Hence as in case $(1)$, \begin{tabbing} \= \= $\Pr\limits_{a \in Z_n} [a^{\hat s}~ =~ -1(\mod n~)]$ \\\> \> $\leq \Pr\limits_{a \in Z_n}[a^{\hat s}~ =~ -1(\mod p~) \wedge a^{\hat s}~ =~ -1(\mod q~)]$ \\\> \> $=\Pr\limits_{a \in Z_n}[a^{\hat s}~ =~ -1(\mod p~)] \times \Pr\limits_{a \in Z_n}[a^{\hat s}~ =~ -1(\mod p~) | a^{\hat s}~ =~ -1(\mod q~)]$ \\\> \> $=\Pr\limits_{a \in Z_p}[a^{\hat s}~ =~ -1(\mod p~)] \times \Pr\limits_{a \in Z_q}[a^{\hat s}~ =~ -1(\mod q~)]$ \end{tabbing} Now $a^{2\hat s}~ =~ 1(\mod p~)$ and $a^{p-1}~ =~ 1(\mod p~)$ \\$\Rightarrow a^{\gcd(2\hat s,~ p-1)}~ =~ 1(\mod p~)$ \\$\Rightarrow a^{\frac{1}{2} \gcd(2\hat s,~ p-1)}~ =~ \pm 1(\mod p~)$ \\\\As $a^{\hat s}~ =~ -1(\mod p~)$, so $a^{\frac{1}{2} \gcd(2\hat s,~ p-1)}~ =~ - 1(\mod p~)$ \\\\Now, $\gcd(2\hat s,~ p-1)\leq \frac{1}{2}(p-1)$ \\Hence, $\Pr\limits_{a \in Z_p}[a^{\hat s}~ =~ 1(\mod p~)] \leq \frac{1}{2}$. \\Similarly, $\Pr\limits_{a \in Z_q}[a^{\hat s}~ =~ 1(\mod q~)] \leq \frac{1}{2}$. \\\\Therefore, $\Pr\limits_{a \in Z_n} [a^{\hat s}~ =~ -1(\mod n~)] \leq \frac{1}{4}$ \\\\\\\underline{Combining case $(1)$ and case $(2)$}, \\\\$\Pr\limits_{a \in Z_n} [$test outputs PRIME $|~ n$ is composite $]$ \\$= \Pr[$ case $(1)$ happens or case $(2)$ happens $]$ \\$\leq \Pr[$ case $(1)$ happens $]~ +~ \Pr[$ case $(2)$ happens $]$ \\$\leq \frac{1}{4} + \frac{1}{4}$ \\$= \frac{1}{2}$ \\\\Hence the test is correct with probability $\geq \frac{1}{2}$. \\The probability of success can be boosted further by repeating the test a few times, where output will be COMPOSITE if any of the single test output is COMPOSITE, else PRIME. \\\\\large\textbf{Time Complexity} \begin{itemize} \item Computing $u_0$ : $\tilde{O}(\log n) \times O(\log s) = \tilde{O}(\log^2 n)$ $[$ by repeated squaring $O(\log s)$ times, $s \leq n$, then multiplying and taking modulo $n$ each time all with $\log n$ bits numbers using FFT takes $\tilde {O}(\log n)$ time $]$ \item Computing $u_1, u_2, \cdots, u_t$ : $\tilde{O}(\log^2 n)$ $[~ t \leq \log n$, squaring and taking modulo $n$ takes $\tilde{O} (\log n)$ time $]$. \item Testing if $n = m^j$ holds for some $j > 1$ can be done in $\tilde{O} (\log^2 n)$ time. \end{itemize} Hence the time complexity of the algorithm is $\tilde{O}(\log n)$. \subsection{Another Randomized Algorithm for Primality Testing} \large\textbf{Algorithm} \\\\ The outline of the algorithm is as follows. \begin{enumerate} \item Choose a random monic polynomial $Q(x)$ of degree $\log n$ over $Z_n$. \item Test if $(x+1)^n = x^n + 1 (\mod n,~ Q(x))$. \item If yes, output PRIME, else output COMPOSITE. \end{enumerate} \large\textbf{Correctness} \begin{lemma} $(x+1)^n = x^n + 1$ if and only if $n$ is prime. \end{lemma} Proof. 'If' part is trivial. \\For the 'only if' part, consider $n$ is composite. \\$(1+x)^n = \sum\limits_{j=0}^{n} {n \choose j}x^j$ \\If $p|n$ and $n$ is prime, then ${n \choose p} \neq 0 (\mod n~)$ \\Hence $(x+1)^n - x^n - 1 \neq 0 (\mod n)$ \\\\So we need to consider the case when $n$ is composite, and $(x+1)^n = x^n + 1 (\mod q(x)~)$ \\It can be shown that with high probability, $q(x)$ does not divide $(x+1)^n - x^n - 1~ (\mod n~)$. For details of the proof, refer to \cite{MS90}. \begin{thebibliography}{99} \bibitem{MS90} Manindra Agrawal and Somenath Biswas, \emph{Primality and Identity Testing via Chinese Remaindering.},FOCS 1999: 202-209 \end{thebibliography} \end{document}