Distinguishing prime numbers from composite numbers: the state of the art
D. J. Bernstein
University of Illinois at Chicago
Is it easy to determine whether a given integer is prime?
If “easy” means “computable”: Yes, of course.
If “easy” means “computable in polynomial time”: Yes. (2002 Agrawal/Kayal/Saxena)
If “easy” means “computable in essentially cubic time”: Conjecturally yes! See Williams talk tomorrow.
What about quadratic time? What about linear time?
What if we want to determine with proof whether a given integer is prime?
Can results be verified faster than they’re computed?
What if we want proven bounds on time?
Does randomness help?
Cost measure for this talk: time on a serial computer.
Beyond scope of this talk: use “AT” cost measure to see communication, parallelism.
Helpful subroutines: Can compute $B$-bit product, quotient, gcd in time $B^{1+o(1)}$. (1963 Toom; 1966 Cook; 1971 Knuth)
Beyond scope of this talk: time analyses more precise than “$B^{\text{constant}+o(1)}$.”
Compositeness proofs
If $n$ is prime and $w \in \mathbb{Z}$ then $n$ is “$w$-sprp”: $w^n - w \in n\mathbb{Z}$, so the easy difference-of-squares factorization of $w^n - w$ (depending on $\mathrm{ord}_2(n-1)$) has at least one factor in $n\mathbb{Z}$.
e.g.: If $n \in 5 + 8\mathbb{Z}$ is prime and $w \in \mathbb{Z}$ then $w \in n\mathbb{Z}$ or $w^{(n-1)/2} + 1 \in n\mathbb{Z}$ or $w^{(n-1)/4} + 1 \in n\mathbb{Z}$ or $w^{(n-1)/4} - 1 \in n\mathbb{Z}$.
Given $n \ge 2$: Try random $w$. If $n$ is not $w$-sprp, have proven $n$ composite. Otherwise keep trying.
Given composite $n$, this algorithm eventually finds $w$. Each $w$ has $\ge 75\%$ chance.
Random time $B^{2+o(1)}$ to find compositeness certificate if $n < 2^B$.
Deterministic time $B^{2+o(1)}$ to verify certificate.
Open: Is there a compositeness certificate findable in time $B^{O(1)}$, verifiable in time $B^{1+o(1)}$?
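The sprp test and the certificate search of the last two slides, as added example code (not from the slides): the factors of $w^n - w$ are checked one by one, a random search produces a witness $w$ for composite $n$, and the deterministic verifier re-checks it. Function names, the trial limit and the fixed random seed are this example’s choices.

```python
# Added example: w-sprp test from the difference-of-squares factorization of
# w^n - w, plus the randomized search for a compositeness certificate and
# the deterministic check of such a certificate.
import random


def is_sprp(n, w):
    """True if n is w-sprp.  Writing n - 1 = 2^s * m with m odd,
    w^n - w = w (w^m - 1)(w^m + 1)(w^{2m} + 1) ... (w^{2^(s-1) m} + 1),
    so n is w-sprp iff n divides one of these factors."""
    if n < 2 or n % 2 == 0:
        return n == 2                    # w^2 - w is always even
    w %= n
    if w == 0:                           # the factor w
        return True
    m, s = n - 1, 0
    while m % 2 == 0:
        m //= 2
        s += 1
    t = pow(w, m, n)
    if t == 1:                           # the factor w^m - 1
        return True
    for _ in range(s):
        if t == n - 1:                   # a factor w^{2^j m} + 1
            return True
        t = t * t % n
    return False


def verify_compositeness_certificate(n, w):
    """Deterministic: n >= 2 is composite if it is not w-sprp."""
    return n >= 2 and not is_sprp(n, w)


def find_compositeness_certificate(n, trials=64, rng=None):
    """Randomized search for a witness w.  For composite n each random w
    works with probability >= 3/4.  For prime n no w can work, so this
    toy gives up after `trials` attempts (the slide's loop would never end)."""
    rng = rng or random.Random(0)        # fixed seed: example's choice
    if n < 4:
        return None
    for _ in range(trials):
        w = rng.randrange(2, n - 1)
        if verify_compositeness_certificate(n, w):
            return w
    return None


if __name__ == "__main__":
    # 561 = 3*11*17 is a Carmichael number; 2047 = 23*89 is 2-sprp.
    print(is_sprp(561, 2), is_sprp(2047, 2), find_compositeness_certificate(561))
```

The verifier costs one modular exponentiation plus at most $s$ squarings, which is the $B^{2+o(1)}$ verification time of the slide with schoolbook-speed arithmetic.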
Given prime $n$, this algorithm loops forever. After many $w$’s we are confident that $n$ is prime … but we don’t have a proof.
Challenge to number theorists: Prove $n$ prime!
Side issue: Do users care?
Paranoid bankers: “Yes, we demand primality proofs.”
Competent cryptographers: “No, but we have other uses for the underlying tools.”
Combinatorial primality proofs
If there are many elements of a particular subgroup of a prime cyclotomic extension of $\mathbb{Z}/n$ then $n$ is a power of a prime. (2002 Agrawal/Kayal/Saxena)
Many primes $r$ have prime divisors of $r - 1$ above $r^{2/3}$ (1985 Fouvry).
Deduce that AKS algorithm takes time $B^{12+o(1)}$ to prove primality of $n$.
Algorithm is conjectured to take time $B^{6+o(1)}$.
Variant using arbitrary cyclotomic extensions takes time $B^{8+o(1)}$. (2002 Lenstra)
Variant with better bound on group structure takes time $B^{7.5+o(1)}$. (2002 Macaj; same idea without credit in 2003 revision of AKS paper)
These variants are conjectured to take time $B^{6+o(1)}$.
Variant using Gaussian periods is proven to take time $B^{6+o(1)}$. (2004 Lenstra/Pomerance)
What if $n$ is composite? Output of these algorithms is a compositeness proof.
Time $B^{4+o(1)}$ to verify proof. Time $B^{6+o(1)}$ to find proof.
For comparison, traditional sprp compositeness proofs: $B^{2+o(1)}$ to verify proof; random $B^{2+o(1)}$ to find proof.
For comparison, factorization: $B^{1+o(1)}$ to verify proof; find proof, conjectured $B^{(1.901\ldots + o(1))(B/\lg B)^{1/3}}$.
Benefit from randomness?
Use random Kummer extensions; twist. (2003.01 Bernstein, and independently 2003.03 Mihăilescu/Avanzi; 2-power-degree case: 2002.12 Berrizbeitia; prime-degree case: 2003.01 Cheng)
Many divisors of $n^{\,\cdot} - 1$ [superscript illegible in this copy] (overkill: 1983 Odlyzko/Pomerance).
Deduce: time $B^{4+o(1)}$ to verify primality certificate. Random time $B^{2+o(1)}$ to find certificate.
Open: Primality proof with proven deterministic time $B^{5+o(1)}$ to find, verify?
Open: Primality proof with proven random time $B^{3+o(1)}$ to find, verify?
Open: Primality proof with reasonably conjectured time $B^{3+o(1)}$ to find, verify?
Prime-order primality proofs
If $n - 1$ has a prime divisor $q \ge \sqrt{n}$, with $w^{n-1} = 1$ in $\mathbb{Z}/n$ and $w^{(n-1)/q} - 1$ in $(\mathbb{Z}/n)^*$, then $n$ is prime. (1876 Lucas, then 1914 Pocklington, 1927 Lehmer)
Many generalizations. Can extend $\mathbb{Z}/n$. (1876 Lucas, 1930 Lehmer, 1975 Morrison, 1975 Selfridge/Wunderlich, 1975 Brillhart/Lehmer/Selfridge, 1976 Williams/Judd, 1983 Adleman/Pomerance/Rumely)
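The Lucas/Pocklington criterion as a recursive certificate, added here as example code (not from the slides): the prover factors $n - 1$ by trial division (the slow “find” side, acceptable only for toy sizes), picks a prime divisor $q \ge \sqrt{n}$, proves $q$ recursively, and the verifier re-checks every level with one exponentiation and one gcd. The certificate layout, the `SMALL` cut-off below which trial division settles primality, and the sample input 4079 (which sits on the chain 4079, 2039, 1019, 509 of safe primes) are this example’s choices.

```python
# Added example: recursive Lucas/Pocklington prime-order certificates.
# A certificate is ("small", n) or ("pocklington", n, q, w, sub), where sub
# is a certificate for the prime divisor q >= sqrt(n) of n - 1.
from math import gcd, isqrt

SMALL = 1000   # below this, primality is settled by trial division (example's cut-off)


def is_prime_by_trial_division(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def prime_factors(n):
    """Distinct prime factors of n by trial division (toy sizes only)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def verify(cert):
    """Deterministic check: per level, q | n-1, q >= sqrt(n), w^(n-1) = 1,
    gcd(w^((n-1)/q) - 1, n) = 1, and the sub-certificate proves q."""
    if cert[0] == "small":
        return cert[1] < SMALL and is_prime_by_trial_division(cert[1])
    _, n, q, w, sub = cert
    if n < 2 or (n - 1) % q or q * q < n or sub[1] != q or not verify(sub):
        return False
    if pow(w, n - 1, n) != 1:
        return False
    return gcd(pow(w, (n - 1) // q, n) - 1, n) == 1


def prove(n):
    """Find a certificate for prime n, or None when the largest prime
    divisor of n - 1 is below sqrt(n) (the basic criterion then fails)."""
    if n < SMALL:
        return ("small", n) if is_prime_by_trial_division(n) else None
    for q in sorted(prime_factors(n - 1), reverse=True):
        if q * q < n:
            break                          # need q >= sqrt(n)
        sub = prove(q)
        if sub is None:
            continue
        for w in range(2, n - 1):          # small w is found quickly for prime n
            if pow(w, n - 1, n) == 1 and gcd(pow(w, (n - 1) // q, n) - 1, n) == 1:
                return ("pocklington", n, q, w, sub)
    return None


def chain(cert):
    """The integers proven along the certificate, outermost first."""
    out = []
    while cert[0] == "pocklington":
        out.append(cert[1])
        cert = cert[4]
    out.append(cert[1])
    return out


if __name__ == "__main__":
    cert = prove(4079)
    print(chain(cert), verify(cert))
```

Verification never factors anything: each level costs two modular exponentiations and a gcd, which is why such proofs are fast to verify even when finding them means factoring $n - 1$.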
Can prove arbitrary primes. Proofs are fast to verify but often very slow to find.
Replace unit group by random elliptic-curve group. (1986 Goldwasser/Kilian; point counting: 1985 Schoof)
Use complex-multiplication curves; faster point counting. (1988 Atkin; special cases: 1985 Bosma, 1986 Chudnovsky/Chudnovsky)
Merge square-root computations. (1990 Shallit)
Culmination of these ideas is “fast elliptic-curve primality proving” (FastECPP):
Conjectured time $B^{4+o(1)}$ to find certificate proving primality of $n$.
Proven deterministic time $B^{3+o(1)}$ to verify certificate.
For comparison, combinatorics: proven random $B^{2+o(1)}$ to find, $B^{4+o(1)}$ to verify.
Variant using genus-2 hyperelliptic curves: Proven random time $B^{O(1)}$ to find certificate proving primality of $n$. (1992 Adleman/Huang)
Tools in proof: bounds on size of Jacobian (1948 Weil); many primes in interval of width $x^{3/4}$ around $x$ (1979 Iwaniec/Jutila).
Proven deterministic time $B^{3+o(1)}$ to verify certificate.
Variant using elliptic curves with large power-of-2 factors (1987 Pomerance): Proven existence of certificate proving primality of $n$. Proven deterministic time $B^{2+o(1)}$ to verify certificate.
Open: Is there a primality certificate findable in time $B^{O(1)}$, verifiable in time $B^{2+o(1)}$?
Open: Is there a primality certificate verifiable in time $B^{1+o(1)}$?
Verifying elliptic-curve proofs
Main theorem in a nutshell: If an elliptic curve $E(\mathbb{Z}/n)$ has a point of prime order $q > (\lceil n^{1/4} \rceil + 1)^2$ then $n$ is prime.
Proof in a nutshell: If $p$ is a prime divisor of $n$ then the same point mod $p$ in $E(\mathbb{F}_p)$ has order $q$, but $\#E(\mathbb{F}_p) \le (\sqrt{p} + 1)^2$ (Hasse 1936), so $n^{1/2} < p$; every prime divisor of $n$ exceeds $\sqrt{n}$, so $n$ is prime.
More concretely: Given odd integer $n \ge 2$, integer $a \in \{6, 10, 14, 18, \ldots\}$, integer $c$, $\gcd\{n, c^3 + ac^2 + c\} = 1$, $\gcd\{n, a^2 - 4\} = 1$, prime $q > (\lceil n^{1/4} \rceil + 1)^2$:
Define $x_1 = c$, $z_1 = 1$,
$x_{2i} = (x_i^2 - z_i^2)^2$, $z_{2i} = 4 x_i z_i (x_i^2 + a x_i z_i + z_i^2)$,
$x_{2i+1} = 4(x_i x_{i+1} - z_i z_{i+1})^2$, $z_{2i+1} = 4c(x_i z_{i+1} - z_i x_{i+1})^2$.
If $z_q \in n\mathbb{Z}$ then $n$ is prime.
For each prime $p$ dividing $n$: $(a^2 - 4)(c^3 + ac^2 + c) \ne 0$ in $\mathbb{F}_p$, so $(c^3 + ac^2 + c)\,y^2 = x^3 + ax^2 + x$ is an elliptic curve over $\mathbb{F}_p$; $(c, 1)$ is a point on curve.
On curve: $i(c, 1) = (x_i/z_i, \ldots)$ generically. (1987 Montgomery)
Analyze exceptional cases, show $q(c, 1) = \infty$. (2006 Bernstein)
Many previous ECPP variants. Trickier recursions, typically testing coprimality.
Finding elliptic-curve proofs
To prove primality of $n$: Choose random $E$. Compute $\#E(\mathbb{Z}/n)$ by Schoof’s algorithm. Compute $q = \#E(\mathbb{Z}/n)/2$. If $q$ doesn’t seem prime, try new $E$.
If $q \ge n$ or $q \le (\lceil n^{1/4} \rceil + 1)^2$: $n$ is small; easy base case.
Otherwise: Recursively prove primality of $q$. Choose random point $P$ on $E$. If $2P = \infty$, try another $P$. Now $2P$ has prime order $q$.
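The verifier of the last three slides, as added example code (not from the slides): the $x$-only recurrences are run as a Montgomery ladder to get $z_q \bmod n$, every hypothesis of the theorem is checked, and a toy finder replaces Schoof’s algorithm by direct point counting (feasible for $n$ around $10^3$, where the count depends on $c$ only through the quadratic character of $c^3 + ac^2 + c$). Function names, the search ranges for $a$ and $c$, trial division as the primality check for $q$ (real ECPP proves $q$ recursively), and the sample prime 1009 are this example’s choices.

```python
# Added example: Montgomery-ladder ECPP verifier for the curve
# (c^3 + a c^2 + c) y^2 = x^3 + a x^2 + x with base point (c, 1),
# plus a brute-force certificate finder for small primes.
from math import gcd, isqrt


def ceil_fourth_root(n):
    r = isqrt(isqrt(n))
    return r if r ** 4 == n else r + 1


def bound(n):
    return (ceil_fourth_root(n) + 1) ** 2


def ladder(n, a, c, q):
    """(x_q, z_q) mod n from the slide's recurrences via the Montgomery ladder."""
    def dbl(x, z):                         # (x_i, z_i) -> (x_{2i}, z_{2i})
        return ((x * x - z * z) ** 2 % n,
                4 * x * z * (x * x + a * x * z + z * z) % n)

    def add(x, z, x2, z2):                 # (x_i,z_i),(x_{i+1},z_{i+1}) -> (x_{2i+1},z_{2i+1})
        return (4 * (x * x2 - z * z2) ** 2 % n,
                4 * c * (x * z2 - z * x2) ** 2 % n)

    P, Q = (c % n, 1), dbl(c % n, 1)       # P = i*(c,1), Q = (i+1)*(c,1), i = 1
    for bit in bin(q)[3:]:                 # bits of q below the leading 1
        if bit == "0":
            P, Q = dbl(*P), add(*P, *Q)    # i -> 2i
        else:
            P, Q = add(*P, *Q), dbl(*Q)    # i -> 2i + 1
    return P


def is_prime_trial(q):
    return q >= 2 and all(q % d for d in range(2, isqrt(q) + 1))


def verify(n, a, c, q):
    """The slide's theorem: check every hypothesis, then z_q == 0 mod n."""
    if n < 3 or n % 2 == 0 or a < 6 or a % 4 != 2:
        return False
    if gcd(n, c ** 3 + a * c * c + c) != 1 or gcd(n, a * a - 4) != 1:
        return False
    if not is_prime_trial(q) or q <= bound(n):   # toy: q's primality by trial division
        return False
    return ladder(n, a, c, q)[1] == 0


def legendre(r, n):                        # Euler's criterion; n must be prime
    t = pow(r % n, (n - 1) // 2, n)
    return -1 if t == n - 1 else t


def prime_factors(m):
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def find_certificate(n, a_max=120, c_max=40):
    """Brute-force (a, c, q) for a small prime n.  With B = c^3 + a c^2 + c,
    #E = n + 1 + chi(B) * S(a), S(a) = sum_x chi(x^3 + a x^2 + x)."""
    for a in range(6, a_max + 1, 4):
        if gcd(n, a * a - 4) != 1:
            continue
        s = sum(legendre(x ** 3 + a * x * x + x, n) for x in range(n))
        for c in range(1, c_max + 1):
            B = c ** 3 + a * c * c + c
            if gcd(n, B) != 1:
                continue
            count = n + 1 + legendre(B, n) * s
            for q in prime_factors(count):
                if q > bound(n) and ladder(n, a, c, q)[1] == 0:
                    return a, c, q
    return None


if __name__ == "__main__":
    cert = find_certificate(1009)          # 1009 is prime; constructed sample input
    print(cert, verify(1009, *cert))
```

The verifier’s work is one ladder of about $\lg q$ steps with a handful of multiplications mod $n$ each, matching the slide’s “fast to verify” side; all the expense sits in the finder.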
Schoof’s algorithm: time $B^{5+o(1)}$.
Conjecturally find prime $q$ after $B^{1+o(1)}$ curves on average. Reduce number of curves by allowing smaller ratios $q/\#E(\mathbb{Z}/n)$.
Recursion involves $B^{1+o(1)}$ levels. Reduce number of levels by allowing and demanding smaller ratios $q/\#E(\mathbb{Z}/n)$.
Overall time $B^{7+o(1)}$.
Faster way to generate curves with known number of points: generate curves with small-discriminant complex multiplication (CM).
Reduces conjectured time to $B^{5+o(1)}$. With more work: $B^{4+o(1)}$.
CM has applications beyond primality proofs: e.g., can generate CM curves with low embedding degree for pairing-based cryptography.
Complex multiplication
Consider positive squarefree integers $D \in 3 + 4\mathbb{Z}$. (Can allow some other $D$’s too.)
If prime $n$ equals $(u^2 + Dv^2)/4$ then “CM with discriminant $-D$” produces curves over $\mathbb{Z}/n$ with $n + 1 - u$ points.
Assuming $D \le B^{2+o(1)}$: Time $B^{2.5+o(1)}$. Fancier algorithms: $B^{2+o(1)}$.
First step: Find all vectors $(a, b, c) \in \mathbb{Z}^3$ with $\gcd\{a, b, c\} = 1$, $-D = b^2 - 4ac$, $|b| \le a \le c$, and ($b \ge 0$ or $|b| < a < c$).
How? Try each integer $b$ between $-\sqrt{D/3}$ and $\sqrt{D/3}$. Find all small factors of $b^2 + D$. Find all factors $a$ of $b^2 + D$ with $a \le \sqrt{D/3}$. For each $(a, b)$, find $c$ and check conditions.
Second step: For each $(a, b, c)$ compute to high precision $j(-b/2a + \sqrt{-D}/2a) \in \mathbb{C}$.
Some wacky standard notations: $q(z) = \exp(2\pi i z)$.
$\eta^{24} = q\Bigl(1 + \sum_{k \ge 1} (-1)^k q^{k(3k-1)/2} + \sum_{k \ge 1} (-1)^k q^{k(3k+1)/2}\Bigr)^{24}$.
$f_1^{24}(z) = \eta^{24}(z/2)/\eta^{24}(z)$.
$j = (f_1^{24} + 16)^3/f_1^{24}$.
Recommend
More recommend