AKS primality test

The AKS primality test (also known as Agrawal–Kayal–Saxena primality test and cyclotomic AKS test) is a deterministic primality-proving algorithm created and published by Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, computer scientists at the Indian Institute of Technology Kanpur, on August 6, 2002, in a paper titled "PRIMES is in P".^[1] The algorithm determines whether a number is prime or composite within polynomial time. The authors received the 2006 Gödel Prize and the 2006 Fulkerson Prize for this work.

Importance

AKS is the first primality-proving algorithm to be simultaneously general, polynomial, deterministic, and unconditional. Previous algorithms had been developed for centuries and achieved three of these properties at most, but not all four.

The AKS algorithm can be used to verify the primality of any general number given. Many fast primality tests are known that work only for numbers with certain properties. For example, the Lucas–Lehmer test works only for Mersenne numbers, while Pépin's test can be applied to Fermat numbers only.
The maximum running time of the algorithm can be expressed as a polynomial over the number of digits in the target number. ECPP and APR conclusively prove or disprove that a given number is prime, but are not known to have polynomial time bounds for all inputs.
The algorithm is guaranteed to distinguish deterministically whether the target number is prime or composite. Randomized tests, such as Miller–Rabin and Baillie–PSW, can test any given number for primality in polynomial time, but are known to produce only a probabilistic result.
The correctness of AKS is not conditional on any subsidiary unproven hypothesis. In contrast, the Miller test is fully deterministic and runs in polynomial time over all inputs, but its correctness depends on the truth of the yet-unproven generalized Riemann hypothesis.

While the algorithm is of immense theoretical importance, it is not used in practice. For 64-bit inputs, the Baillie–PSW is deterministic and runs many orders of magnitude faster. For larger inputs, the performance of the (also unconditionally correct) ECPP and APR tests is far superior to AKS. Additionally, ECPP can output a primality certificate that allows independent and rapid verification of the results, which is not possible with the AKS algorithm.

Concepts

The AKS primality test is based upon the following theorem: An integer n (≥ 2) is prime if and only if the polynomial congruence relation

(x + a)^{n} \equiv (x^{n} + a) \pmod{n} \qquad (1)

holds for some a coprime to n.^[1] Note that x is a free variable.

This theorem is a generalization to polynomials of Fermat's little theorem, and can easily be proven using the binomial theorem together with the following property of the binomial coefficient:

{n \choose k} \equiv 0 \pmod{n}

for all

0<k<n

if and only if n is prime.

While the relation (1) constitutes a primality test in itself, verifying it takes exponential time: the brute force approach would require the expansion of the (x - a)ⁿ polynomial and a reduction (mod n) of the resulting n + 1 coefficients.

The congruence is an equality in the polynomial ring ℤ_n[x]. Evaluating in a quotient ring of ℤ_n[x] creates an upper bound for the degree of the polynomials involved. The AKS evaluates the equality in ℤ_n[x]/(x^r - 1), making the computational complexity dependent on the size of r. For clarity,^[1] this is expressed as the congruence

(x + a)^{n} \equiv (x^{n} + a) \pmod{x^{r}-1, n} \qquad (2)

which is the same as:

(x + a)^n - (x^n + a) = (x^r - 1)g + nf \qquad (3)

for some polynomials f and g.

Note that all primes satisfy this relation (choosing g = 0 in (3) gives (1), which holds for n prime). This congruence can be checked in polynomial time when r is polynomial to the digits of n. The AKS algorithm evaluates this congruence for a large set of a values, whose size is polynomial to the digits of n. The proof of validity of the AKS algorithm shows that one can find an r and a set of a values with the above properties such that if the congruences hold then n is a power of a prime.^[1]

History and running time

In the first version of the above-cited paper, the authors proved the asymptotic time complexity of the algorithm to be $\tilde{O}(\log(n)^{12})$ (using Õ from big O notation). In other words, the algorithm takes less time than the twelfth power of the number of digits in n times a polylogarithmic (in the number of digits) factor. However, the upper bound proved in the paper was rather loose; indeed, a widely held conjecture about the distribution of the Sophie Germain primes would, if true, immediately cut the worst case down to $\tilde{O}(\log(n)^6)$ .

In the months following the discovery, new variants appeared (Lenstra 2002, Pomerance 2002, Berrizbeitia 2003, Cheng 2003, Bernstein 2003a/b, Lenstra and Pomerance 2003), which improved the speed of computation by orders of magnitude. Due to the existence of the many variants, Crandall and Papadopoulos refer to the "AKS-class" of algorithms in their scientific paper "On the implementation of AKS-class primality tests", published in March 2003.

In response to some of these variants, and to other feedback, the paper "PRIMES is in P" was updated with a new formulation of the AKS algorithm and of its proof of correctness. (This version was eventually published in Annals of Mathematics.) While the basic idea remained the same, r was chosen in a new manner, and the proof of correctness was more coherently organized. While the previous proof had relied on many different methods, the new version relied almost exclusively on the behavior of cyclotomic polynomials over finite fields. The new version also allowed for an improved bound on the time complexity, which can now be shown by simple methods to be $\tilde{O}(\log(n)^{10.5})$ . Using additional results from sieve theory, this can be further reduced to $\tilde{O}(\log(n)^{7.5})$ .

In 2005, Carl Pomerance and H. W. Lenstra, Jr. demonstrated a variant of AKS that runs in $\tilde{O}(\log(n)^{6})$ operations, where n is the number to be tested – a marked improvement over the initial $\tilde{O}(\log(n)^{12})$ bound in the original algorithm.^[2] An updated version of the paper is also available.^[3]

Agrawal, Kayal and Saxena suggest a variant of their algorithm which would run in $\tilde{O}(\log(n)^{3})$ if Agrawal's conjecture is true; however, a heuristic argument by Hendrik Lenstra and Carl Pomerance suggests that it is probably false.^[1]

The algorithm

The algorithm is as follows:^[1]

Input: integer n > 1.

Check if n is a power: if n = a^b for integers a > 1 and b > 1, output composite.
Find the smallest r such that O_r(n) > (log₂ n)².
For all a ≤ r, check that a is coprime to n: If 1 < gcd(a,n) < n for some a ≤ r, output composite.
If n ≤ r, output prime.
For a = 1 to $\scriptstyle\lfloor \scriptstyle{\sqrt{\varphi(r)}\log_2(n)} \scriptstyle\rfloor$ do
if (X+a)ⁿ≠ Xⁿ+a (mod X^r − 1,n), output composite;
Output prime.

Here O_r(n) is the multiplicative order of n modulo r, log₂ is the binary logarithm, and $\scriptstyle\varphi(r)$ is Euler's totient function of r.

Proof of validity outline

For the algorithm to be correct, all steps that identify n must be correct. Steps 1, 3 and 4 are trivially correct, since they are based on direct tests of the divisibility of n. Step 5 is also correct: since (2) is true for any choice of a coprime to n and r if n is prime, an inequality means that n must be composite.

The difficult case of the algorithm is step 6. Its proof of correctness is based on the upper and lower bounds of a multiplicative group in ℤ_n[x] constructed from the (X + a) binomials that are tested in step 5. Step 4 guaranties that these binomials are $\scriptstyle\lfloor \scriptstyle{\sqrt{\varphi(r)}\log_2(n)} \scriptstyle\rfloor$ distinct elements of ℤ_n[x]. For the particular choice of r, the bounds produce a contradiction unless n is prime or a power of a prime. Together with the test of step 1, this implies that n is always prime at step 6.^[1]

Example 1: n = 31 is Prime

Input: integer n = 31 > 1.

If n = a^b for integers a > 1 and b > 1, output composite.
For [ b=2, b <= log₂(n), b++,
a=n^1/b;

If [ a is integer, Return[Composite]]

];

a=n^1/2...n^1/4={5.568, 3.141, 2.360}
Find the smallest r such that O_r(n) > (log₂ n)².
maxk= $\scriptstyle\lfloor$ (log₂ n)² $\scriptstyle\rfloor$ ;

maxr=Max[3, ⌈(Log₂ n)⁵⌉]; (*maxr really isn't needed*)

nextR=True;

For [r=2, nextR && r < maxr, r++,
nextR=False;

For [k=1,(!nextR) &&k ≤ maxk, k++,
nextR=(Mod[n^k, r]==1 || Mod[n^k, r]==0)

]

];

r--; (*the loop over increments by one*)

r = 29
If 1 < gcd(a,n) < n for some a ≤ r, output composite.
For [a=r, a > 1, a--,
If [(gcd=GCD[a,n]) > 1 && gcd < n, Return[Composite]]

];

gcd={GCD(29,31)=1, GCD(28,31)=1, ..., GCD(2,31)=1} ≯ 1
If n ≤ r, output prime.
If [n ≤ r, Return[Prime]]; (* this step may be omitted if n > 5690034 *)

31 > 29
For a = 1 to $\scriptstyle{\lfloor\sqrt{\varphi(r)}\log_2(n)\rfloor}$ do
if (X+a)ⁿ≠ Xⁿ+a (mod X^r − 1,n), output composite;

φ[x_]:=EulerPhi[x];

PolyModulo[f_]:=PolynomialMod[ PolynomialRemainder[f,x^r-1,x],n];

max=Floor[Log[2,n]√(φ[r])];

For[a=1, a ≤ max, a++,
If[PolyModulo[(x+a)ⁿ]-PolynomialRemainder[xⁿ+a, x^r-1, x]≠0,
Return[Composite]

]

];

(x+a)³¹ =
a³¹ +31a³⁰x +465a²⁹x² +4495a²⁸x³ +31465a²⁷x⁴ +169911a²⁶x⁵ +736281a²⁵x⁶ +2629575a²⁴x⁷ +7888725a²³x⁸ +20160075a²²x⁹ +44352165a²¹x¹⁰ +84672315a²⁰x¹¹ +141120525a¹⁹x¹² +206253075a¹⁸x¹³ +265182525a¹⁷x¹⁴ +300540195a¹⁶x¹⁵ +300540195a¹⁵x¹⁶ +265182525a¹⁴x¹⁷ +206253075a¹³x¹⁸ +141120525a¹²x¹⁹ +84672315a¹¹x²⁰ +44352165a¹⁰x²¹ +20160075a⁹x²² +7888725a⁸x²³ +2629575a⁷x²⁴ +736281a⁶x²⁵ +169911a⁵x²⁶ +31465a⁴x²⁷ +4495a³x²⁸ +465a²x²⁹ +31ax³⁰ +x³¹

PolynomialRemainder [(x+a)³¹, x²⁹-1] =
465a² +a³¹ +(31a+31a³⁰)x +(1+465a²⁹)x² +4495a²⁸x³ +31465a²⁷x⁴ +169911a²⁶x⁵ +736281a²⁵x⁶ +2629575a²⁴x⁷ +7888725a²³x⁸ +20160075a²²x⁹ +44352165a²¹x¹⁰ +84672315a²⁰x¹¹ +141120525a¹⁹x¹² +206253075a¹⁸x¹³ +265182525a¹⁷x¹⁴ +300540195a¹⁶x¹⁵ +300540195a¹⁵x¹⁶ +265182525a¹⁴x¹⁷ +206253075a¹³x¹⁸ +141120525a¹²x¹⁹ +84672315a¹¹x²⁰ +44352165a¹⁰x²¹ +20160075a⁹x²² +7888725a⁸x²³ +2629575a⁷x²⁴ +736281a⁶x²⁵ +169911a⁵x²⁶ +31465a⁴x²⁷ +4495a³x²⁸

A) PolynomialMod [PolynomialRemainder [(x+a)³¹, x²⁹-1], 31] = a³¹+x²

B) PolynomialRemainder [x³¹+a, x²⁹-1] = a+x²

A) - B) = a³¹+x² - (a+x²) = a³¹-a

max = $\scriptstyle\lfloor$ log₂ (31) $\scriptstyle\sqrt{\varphi(29)}\rfloor$ = 26

{1³¹-1=0 (mod 31), 2³¹-2=0 (mod 31), 3³¹-3=0 (mod 31), ..., 26³¹-26=0 (mod 31)}
Output prime.
31 Must be Prime

Where PolynomialMod is a term-wise modulo reduction of the polynomial. e.g. PolynomialMod[x+2x²+3x³, 3] = x+2x²+0x³

References

1 2 3 4 5 6 7 Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin (2004). "PRIMES is in P" (PDF). Annals of Mathematics 160 (2): 781–793. doi:10.4007/annals.2004.160.781. JSTOR 3597229.
↑ H. W. Lenstra Jr. and Carl Pomerance, "Primality testing with Gaussian periods", preliminary version July 20, 2005.
↑ H. W. Lenstra jr. and Carl Pomerance, "Primality testing with Gaussian periods", version of April 12, 2011.

External links

Weisstein, Eric W., "AKS Primality Test", MathWorld.
R. Crandall, Apple ACG, and J. Papadopoulos (March 18, 2003): On the implementation of AKS-class primality tests (PDF)
Article by Borneman, containing photos and information about the three Indian scientists (PDF)
Andrew Granville: It is easy to determine whether a given integer is prime
The Prime Facts: From Euclid to AKS, by Scott Aaronson (PDF)
The PRIMES is in P little FAQ by Anton Stiglic
2006 Gödel Prize Citation
2006 Fulkerson Prize Citation
The AKS "PRIMES in P" Algorithm Resource
Grime, Dr. James. "Fool-Proof Test for Primes - Numberphile" (video). Brady Haran. [the video describes the exponential time relation (1), which it calls AKS]

Number-theoretic algorithms

Primality tests	AKS test APR test Baillie–PSW Elliptic curve Pocklington Fermat Lucas Lucas–Lehmer Lucas–Lehmer–Riesel Proth's theorem Pépin's Quadratic Frobenius test Solovay–Strassen Miller–Rabin

Prime-generating	Sieve of Atkin Sieve of Eratosthenes Sieve of Sundaram Wheel factorization

Integer factorization	Continued fraction (CFRAC) Dixon's Lenstra elliptic curve (ECM) Euler's Pollard's rho p − 1 p + 1 Quadratic sieve (QS) General number field sieve (GNFS) Special number field sieve (SNFS) Rational sieve Fermat's Shanks' square forms Trial division Shor's

Multiplication	Ancient Egyptian Long Karatsuba Toom–Cook Schönhage–Strassen Fürer's

Discrete logarithm	Baby-step giant-step Pollard rho Pollard kangaroo Pohlig–Hellman Index calculus Function field sieve

Greatest common divisor	Binary Euclidean Extended Euclidean Lehmer's

Modular square root	Cipolla Pocklington's Tonelli–Shanks

Other algorithms	Chakravala Cornacchia LLL Integer square root Modular exponentiation Schoof's

Italics indicate that algorithm is for numbers of special forms

This article is issued from Wikipedia - version of the Saturday, April 30, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.