AKS primality test

From Wikipedia, the free encyclopedia
Jump to: navigation, search

The AKS primality test (also known as Agrawal–Kayal–Saxena primality test and cyclotomic AKS test) is a deterministic primality-proving algorithm created and published by Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, computer scientists at the Indian Institute of Technology Kanpur, on August 6, 2002, in a paper titled "PRIMES is in P".[1] The algorithm determines whether a number is prime or composite within polynomial time. The authors received the 2006 Gödel Prize and the 2006 Fulkerson Prize for this work.

Importance[edit]

AKS is the first primality-proving algorithm to be simultaneously general, polynomial, deterministic, and unconditional. Previous algorithms had been developed for centuries and achieved three of these properties at most, but not all four.

  • The AKS algorithm can be used to verify the primality of any general number given. Many fast primality tests are known that work only for numbers with certain properties. For example, the Lucas–Lehmer test for Mersenne numbers works only for Mersenne numbers, while Pépin's test can be applied to Fermat numbers only.
  • The maximum running time of the algorithm can be expressed as a polynomial over the number of digits in the target number. ECPP and APR conclusively prove or disprove that a given number is prime, but are not known to have polynomial time bounds for all inputs.
  • The algorithm is guaranteed to distinguish deterministically whether the target number is prime or composite. Randomized tests, such as Miller–Rabin and Baillie–PSW, can test any given number for primality in polynomial time, but are known to produce only a probabilistic result.
  • The correctness of AKS is not conditional on any subsidiary unproven hypothesis. In contrast, the Miller test is fully deterministic and runs in polynomial time over all inputs, but its correctness depends on the truth of the yet-unproven generalized Riemann hypothesis.

Concepts[edit]

The AKS primality test is based upon the following theorem: An integer n (≥ 2) is prime if and only if the polynomial congruence relation

(x - a)^{n} \equiv (x^{n} - a) \pmod{n} \qquad (1)

holds for all integers a coprime to n (or even just for some such integer a, in particular for a = 1).[1] Note that x is a free variable. It is never substituted by a number; instead you have to expand (x-a)^n and compare the coefficients of the x powers.

This theorem is a generalization to polynomials of Fermat's little theorem, and can easily be proven using the binomial theorem together with the following property of the binomial coefficient:

{n \choose k} \equiv 0 \pmod{n} for all 0<k<n if and only if n is prime.

While the relation (1) constitutes a primality test in itself, verifying it takes exponential time. Therefore, to reduce the computational complexity, AKS makes use of the related congruence

(x - a)^{n} \equiv (x^{n} - a) \pmod{(n,x^{r}-1)} \qquad (2)

which is the same as:

(x - a)^n - (x^n - a) = nf + (x^r - 1)g \qquad (3)

for some polynomials f and g. This congruence can be checked in polynomial time with respect to the number of digits in n, because it is provable that r need only be logarithmic with respect to n. Note that all primes satisfy this relation (choosing g = 0 in (3) gives (1), which holds for n prime). However, some composite numbers also satisfy the relation. The proof of correctness for AKS consists of showing that there exists a suitably small r and suitably small set of integers A such that, if the congruence holds for all such a in A, then n must be prime.

History and running time[edit]

In the first version of the above-cited paper, the authors proved the asymptotic time complexity of the algorithm to be \tilde{O}(\log^{12}(n)) (using Õ from big O notation). In other words, the algorithm takes less time than the twelfth power of the number of digits in n times a polylogarithmic (in the number of digits) factor. However, the upper bound proved in the paper was rather loose; indeed, a widely held conjecture about the distribution of the Sophie Germain primes would, if true, immediately cut the worst case down to \tilde{O}(\log^6(n)).

In the months following the discovery, new variants appeared (Lenstra 2002, Pomerance 2002, Berrizbeitia 2003, Cheng 2003, Bernstein 2003a/b, Lenstra and Pomerance 2003), which improved the speed of computation by orders of magnitude. Due to the existence of the many variants, Crandall and Papadopoulos refer to the "AKS-class" of algorithms in their scientific paper "On the implementation of AKS-class primality tests", published in March 2003.

In response to some of these variants, and to other feedback, the paper "PRIMES is in P" was updated with a new formulation of the AKS algorithm and of its proof of correctness. (This version was eventually published in Annals of Mathematics.) While the basic idea remained the same, r was chosen in a new manner, and the proof of correctness was more coherently organized. While the previous proof had relied on many different methods, the new version relied almost exclusively on the behavior of cyclotomic polynomials over finite fields. The new version also allowed for an improved bound on the time complexity, which can now be shown by simple methods to be \tilde{O}(\log^{10.5}(n)). Using additional results from sieve theory, this can be further reduced to \tilde{O}(\log^{7.5}(n)).

In 2005, Carl Pomerance and H. W. Lenstra, Jr. demonstrated a variant of AKS that runs in \tilde{O}(\log^{6}(n)) operations, where n is the number to be tested – a marked improvement over the initial \tilde{O}(\log^{12}(n)) bound in the original algorithm.[2] An updated version of the paper is also available.[3]

Agrawal, Kayal and Saxena suggest a variant of their algorithm which would run in \tilde{O}(\log^{3}(n)) if a certain conjecture made by Bhattacharjee and Pandey in 2001 is true (Agrawal's conjecture); however, a heuristic argument by Hendrik Lenstra and Carl Pomerance suggests that it is probably false.[1]

Algorithm[edit]

The algorithm is as follows:[1]

Input: integer n > 1.
  1. If n = ab for integers a > 1 and b > 1, output composite.
  2. Find the smallest r such that Or(n) > (log n)2.
  3. If 1 < gcd(a,n) < n for some ar, output composite.
  4. If nr, output prime.
  5. For a = 1 to \scriptstyle\lfloor \scriptstyle{\sqrt{\varphi(r)}\log(n)} \scriptstyle\rfloor do
    if (X+a)nXn+a (mod Xr − 1,n), output composite;
  6. Output prime.

Here Or(n) is the multiplicative order of n modulo r, log is the binary logarithm, and \scriptstyle\varphi(r) is Euler's totient function of r.

If n is a prime number, the algorithm will always return prime: since n is prime, steps 1 and 3 will never return composite. Step 5 will also never return composite, because (2) is true for all prime numbers n. Therefore, the algorithm will return prime either in step 4 or in step 6.

Conversely, if n is composite, the algorithm will always return composite: if the algorithm returns prime, then this will occur in either step 4 or step 6. In the first case, since nr, n has a factor ar such that 1 < gcd(a,n) < n, which will return composite. The remaining possibility is that the algorithm returns prime in step 6. The authors' article[1] proves that this will not happen because the multiple congruences tested in step 5 are sufficient to guarantee that the output is composite.

Example 1: n = 31 is Prime[edit]

Input: integer n = 31 > 1.
  1. If n = ab for integers a > 1 and b > 1, output composite.
    For [ b=2, b<log2(n), b++,
    a=n1/b;
    If [ a is integer, Return[Composite]];
    ];
    log2(31)<4.96.
    a=n1/2...n1/4={5.568, 3.141, 2.360}
  2. Find the smallest r such that Or(n) > (log n)2.
    maxk=\scriptstyle\lfloor(log2 n)2\scriptstyle\rfloor;
    maxr=Max[3, ⌈(Log2 n)5⌉]; (*maxr really isn't needed*)
    r=2;
    nextR=True;
    For [r=2, nextR && r < maxr, r++,
    nextR=False;
    For [k=1,(!nextR) &&k ≤ maxk, k++,
    nextR=(Mod[nk, r]==1 || Mod[nk, r]==0)
    ]
    ];
    r--; (*the loop over increments by one*)
     
    r = 29
  3. If 1 < gcd(a,n) < n for some ar, output composite.
    For [a=r, a > 1, a--,
    If [(gcd=GCD[a,n]) > 1 && gcd < n, Return[Composite]]
    ];
     
    gcd={GCD(29,31)=1, GCD(28,31)=1, ..., GCD(2,31)=1} ≯ 1
  4. If nr, output prime.
    If [n ≤ r, Return[Prime]]; (* this step may be omitted if n > 5690034 *)
     
    31 > 29
  5. For a = 1 to \scriptstyle\lfloor \scriptstyle{\sqrt{\varphi(r)}\log(n)} \scriptstyle\rfloor do
    if (X+a)nXn+a (mod Xr − 1,n), output composite;
     
    φ[x_]:=EulerPhi[x];
    PolyModulo[f_]:=PolynomialMod[ PolynomialRemainder[f,xr-1,x],n];
    max=Floor[Log[2,n]√φ[r]];
    For[a=1, a ≤ max, a++,
    If[PolyModulo[(x+a)n]-PolynomialRemainder[xn+a, xr-1, x]≠0,
    Return[Composite]
    ]
    ];
     
    (x+a)31 =
    a31 +31a30x +465a29x2 +4495a28x3 +31465a27x4 +169911a26x5 +736281a25x6 +2629575a24x7 +7888725a23x8 +20160075a22x9 +44352165a21x10 +84672315a20x11 +141120525a19x12 +206253075a18x13 +265182525a17x14 +300540195a16x15 +300540195a15x16 +265182525a14x17 +206253075a13x18 +141120525a12x19 +84672315a11x20 +44352165a10x21 +20160075a9x22 +7888725a8x23 +2629575a7x24 +736281a6x25 +169911a5x26 +31465a4x27 +4495a3x28 +465a2x29 +31ax30 +x31
     
    PolynomialRemainder [(x+a)31, x29-1] =
    465a2 +a31 +(31a+31a30)x +(1+465a29)x2 +4495a28x3 +31465a27x4 +169911a26x5 +736281a25x6 +2629575a24x7 +7888725a23x8 +20160075a22x9 +44352165a21x10 +84672315a20x11 +141120525a19x12 +206253075a18x13 +265182525a17x14 +300540195a16x15 +300540195a15x16 +265182525a14x17 +206253075a13x18 +141120525a12x19 +84672315a11x20 +44352165a10x21 +20160075a9x22 +7888725a8x23 +2629575a7x24 +736281a6x25 +169911a5x26 +31465a4x27 +4495a3x28
     
    A) PolynomialMod [PolynomialRemainder [(x+a)31, x29-1], 31] = a31+x2
     
    B) PolynomialRemainder [x31+a, x29-1] = a+x2
     
    A) - B) = a31+x2 - (a+x2) = a31-a
     
    max = \scriptstyle\lfloorlog2 (31)\scriptstyle\sqrt{\varphi(29)}\rfloor = 26
     
    {131-1=0 (mod 31), 231-2=0 (mod 31), 331-3=0 (mod 31), ..., 2631-26=0 (mod 31)}
  6. Output prime.
    31 Must be Prime

Where PolynomialMod is a term-wise modulo reduction of the polynomial. e.g. PolynomialMod[x+2x2+3x3, 3] = x+2x2+0x3

References[edit]

  1. ^ a b c d e Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin (2004). "PRIMES is in P". Annals of Mathematics 160 (2): 781–793. doi:10.4007/annals.2004.160.781. JSTOR 3597229. 
  2. ^ H. W. Lenstra Jr. and Carl Pomerance, "Primality testing with Gaussian periods", preliminary version July 20, 2005.
  3. ^ H. W. Lenstra jr. and Carl Pomerance, "Primality testing with Gaussian periods", version of April 12, 2011.

Further reading[edit]

External links[edit]