# Annals of Mathematics

PRIMES Is in P
Author(s): Manindra Agrawal, Neeraj Kayal and Nitin Saxena
Source: Annals of Mathematics, Second Series, Vol. 160, No. 2 (Sep., 2004), pp. 781-793
Stable URL: http://www.jstor.org/stable/3597229
Accessed: 05-10-2015 14:36 UTC
REFERENCES
http://www.jstor.org/stable/3597229?seq=1&cid=pdf-reference#references_tab_contents

Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at http://www.jstor.org/page/
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of content
in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms of scholarship.

Annals of Mathematics is collaborating with JSTOR to digitize, preserve and extend access to Annals of Mathematics.

http://www.jstor.org

This content downloaded from 202.78.175.199 on Mon, 05 Oct 2015 14:36:28 UTC
All use subject to JSTOR Terms and Conditions

otherwise it is prime. This content downloaded from 202. Of special interest are those properties that allow one to determine efficiently if a number is prime.NEERAJKAYAL.175. 1. An efficient test should need only a polynomial (in the size of the input = [log ni) number of steps. however. The test. This test was known since the time of the ancient Greeks-it is a specialization of the Sieve of Eratosthenes (ca.78. 160 (2004). and number theory in particular. 240 BC) that generates all primes less than n. However. Given an a and n it can be efficiently checked if an-1 = 1 (mod n) by using repeated squaring to compute the (n . and any number a not divisible by p. Introduction Prime numbers are of fundamental importance in mathematics in general.and NITIN SAXENA* Abstract We present an unconditional deterministic polynomial-time algorithm that determines whether an input number is prime or composite. is inefficient: it takes Q(x/n) steps to determine if n is prime. 781-793 PRIMES is in P By MANINDRAAGRAWAL.Annals of Mathematics. Let PRIMES denote the set of all prime numbers. it is not a correct test since many composites n also satisfy it for some a's (all a's in case of Carmichael numbers [Car]). So it is of great interest to study different properties of prime numbers.199 on Mon. Since the beginning of complexity theory in the 1960s-when the notions of complexity were formalized and various complexity classes were defined*The last two authors were partially supported by MHRD grant MHRD-CSE-20010018. aP-1 = 1 (mod p). The definition of prime numbers already gives a way of determining if a number n is in PRIMES: try dividing n by every number m < v/n-if any m divides n then it is composite.1)th power of a. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions . Fermat's Little Theorem became the basis for many efficient primality tests. Such efficient tests are also useful in practice: a number of cryptographic protocols need large prime numbers. Nevertheless. A property that almost gives an efficient test is Fermat's Little Theorem: for any prime number p.

78.This content downloaded from 202. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions .175.199 on Mon.

From Lemma 2. The idea Our test is based on the following identity for prime numbers which is a generalization of Fermat's Little Theorem. This identity was the basis for a randomized polynomial-time algorithm in [AB]: LEMMA2. n E AK. Let a E Z. Then (n) = 0 (mod n) and hence all the coefficients are zero.78. we fix the notation used. we get a deterministic polynomial time algorithm for testing primality. we state the algorithm and present its proof of correctness. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions . A simple way to reduce the number of coefficients is to evaluate both sides of (1) modulo a polynomial of the form Xr . Section 6 discusses some ways of improving the time complexity of the algorithm.n > 2.(Xn + a)) is (n)an-i Suppose n is prime. The above identity suggests a simple test for primality: given an input n.199 on Mon. n). this takes time Q(n) because we need to evaluate n coefficients in the LHS in the worst case. and (a. we can almost restore the characterization: we show that for appropriately chosen r if the equation (2) is satisfied for several a's then n must be a prime power. The number of a's and the appropriate r are both bounded by a polynomial in log n and therefore.n) = 1.1 for an appropriately chosen small r.1. In Section 5.175.PRIMES IS IN P 783 In Section 2. For 0 < i < n.(Xn + a)) is not El identically zero over Zn. Proof. 2.1 it is immediate that all primes n satisfy the equation (2) for all values of a and r. Then n is prime and only if if (1) (X + a)n = Xn + a (mod n). However. This content downloaded from 202. test if the following equation is satisfied: (2) (X + a)n = Xn + a (mod Xr . choose an a and test whether the congruence (1) is satisfied. we summarize the basic idea behind our algorithm. the coefficient of xi in ((X + a)n . The problem now is that some composites n may also satisfy the equation for a few values of a and r (and indeed they do). In Section 4. However. In other words.1. we obtain bounds on the running time of the algorithm. Thus ((X + a)n . In Section 3. Suppose n is composite. Consider a prime q that is a factor of n and let qkln. Then qk does not divide (n) and is coprime to an-q and hence the coefficient of Xq is not zero (mod n).

199 on Mon. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions .This content downloaded from 202.78.175.

175.This content downloaded from 202.78. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions .199 on Mon.

175. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions .This content downloaded from 202.78.199 on Mon.

t > log2 n.7 (Hendrik Lenstra Jr. Let m e I. 787 and g(X) then it is also Proof.g(X). If m is introspective for f(X) introspective for f(X) . . X+2.).6.r) = (p. X+l. G is generated by n and p modulo r and since or(n) > log2 n. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions . This content downloaded from 202.199 on Mon. This is a subgroup of Zr since. Let Qr(X) be the rth cyclotomic polynomial over Fp. First note that since h(X) is a factor of the cyclotomic polynomial Qr(X). Let h(X) be one such irreducible factor.78. Proof.r) = 1.175.. r) = 1 (G is a subgroup of Zr).p). Let f(X) and g(X) be two such polynomials in P. Since m is introspective for both f and g. Let g be this group which is generated by elements X.g(Y) for every m E G. improved a bound shown in an earlier version of our paper [AKS]. Polynomial Qr(X) divides Xr ..PRIMES IS IN P LEMMA4.2 LEMMA4. To define the second group. as already observed. we get: f(Xm) = g(Xm) in F. The second group is the set of all residues of polynomials in P modulo h(X) and p. Oi The above two lemmas together imply that every number in the set I = {(ni pi j i.j > 0} is introspective for every polynomial in the set P = {it=0(X + a)ea I ea > 0}. [g(X)]m g(Xm) (mod Xr -1. We also have [f(X)]m = [g(X)]m in F. [Len]. in turn. X+i in the field F = Fp[X]/(h(X)) and is a subgroup of the multiplicative group of F. Since (m. and h(X) divides Xr . which. the degree of h(X) is greater than one. 11 > (+t). X is a primitive rth root of unity in F. each such xm is a 2Macaj [Mac] also proved this lemma independently. The following lemma proves a lower bound on the size of the group g. Since or(p) > 1. We now define two groups based on these sets that will play a crucial role in the proof. Let G be this group and IGI = t.1 and factors into irreducible factors of degree Or(P) [LN]. The first group is the set of all residues of numbers in I modulo r.1.. This implies that Xm is a root of the polynomial Q(Y) = f(Y) . We now show that any two distinct polynomials of degree less than t in P will map to different elements in 9. (n. we need some basic facts about cyclotomic polynomials over finite fields. It is a slight improvement on a bound shown by Hendrik Lenstra Jr. Suppose f(X) = g(X) in the field F. We have: [f(X) g m If(X)]m =f(Xm) .

175.78.This content downloaded from 202. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions .199 on Mon.

199 on Mon. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions .This content downloaded from 202.175.78.

Given any number n e Af that is not a perfect square. Artin's conjecture-if it becomes effective for m = O(log2 n)-immediately shows that there is an r = O(log2 n) with the required properties. For any such prime q.199 on Mon.12 occur with positive density.35. [GMM]. The time complexity of the algorithm can be improved by improving the estimate for r (done in Lemma 4. In fact. the number of primes q < m for which oq(n) = q . Fouvry has shown: LEMMA 5. Such an r will yield an algorithm with time complexity Or (log6 n). There has been some progress towards proving Artin's conjecture [GM].790 MANINDRA AGRAWAL.3). for all x > no: 2 \{q Iq is prime. If the second conjecture holds.1) > q3 }II X c-. Primes q with this property are called Sophie-Germain primes. NEERAJ KAYAL. there are two conjectures that support the possibility of such an r (below In is the natural logarithm): Artin's Conjecture.c .78.m where A(n) is Artin's constant with A(n) > 0. So each equation can be verified in time O (r log2 n) steps. This implies that there must exist a prime r = O(log2 n) such that Or(n) > log2 n. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions . Let P(m) denote the greatest prime divisor of number m. This time dominates all the others and is therefore the time C complexity of the algorithm. q < x and P(q . Any q for which Oq(n) < 2 must divide n2 . Goldfeld [Gol] showed that primes q with P(q. [HB]. There exist constants c > 0 and no such that. In x' This content downloaded from 202. Thus the time complexity of step 5 is O(rv/b(r) log3 n) = O0(r2 log3 n) = O (log21/2n).1 and so the number of such q is bounded by O(log n). Of course the best possible scenario would be when r = O(log2 n) and in that case the time complexity of the algorithm would be O(log6 n).1) > q2+C. The number of primes Sophie-Germain Prime Density Conjecture.175. we can conclude that r = O (log2 n): By the density of Sophie-Germain primes. either oq(n) < 2 or oq(n) > q-1.2 ([Fou]). and it is also known that this conjecture holds under the Generalized Riemann Hypothesis. AND NITIN SAXENA size O(logn). There has been progress towards proving this conjecture as well.1 is asymptotically A(n) .66). < m such that is 1 a also q 2q + prime is asymptotically 2C2mwhere C2 is the twin prime constant (estimated to be approximately 0. Improving upon this. there must exist at least log2n such primes between 81og2n and clog2 n(loglogn)2 for a suitable constant c.

78.3. for allowing us to use his observation on improving the lower bound on the size of the group g. Such an r can assuredly be found in the range [2. As argued above. This is because the product of prime numbers less than x is at least ex (see [Apo]). [1 Recently. This seems very likely.IN P 791 The above lemma is now known to hold for exponents up to 0. Hendrik Lenstra and Carl Pomerance [LP1] have come up with a modified version of our algorithm whose time complexity is provably O (log6 n). This has made the proof completely elementary (an earlier version required the density bound of Lemma 5. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions . This gives a time complexity of Or (log3 n). The number of iterations of the loop could be reduced if we could show that a still smaller set of (X + a)'s generates a group of the required size. 4 log n]. Verifying the congruence takes time O(r log2 n). Proof.1 (mod Xr.6683 [BH]. 6. the loop in step 5 needs to run for [ /b(r) log nj times to ensure that the size of the group g is large enough. a high density of primes q with P(q . One can further improve the complexity to O (log3 n) if the following conjecture-given in [BP] and verified for r < 100 and n < 1010 in [KS]-is proved: 6. Thereafter we can test whether the congruence (6) holds or not. if we force r > log n).1. n).175. then either n is prime or n2 = 1 (mod r). some variant of the conjecture may still be true (for example. Using the above lemma.PRIMES IS. we can improve the analysis of our algorithm: THEOREM5.1. However. Recently. Hendrik Lenstra and Carl Pomerance [LP2] have given a heuristic argument which suggests that the above conjecture is false.199 on Mon. This brings the complexity of the algorithm down to O0 (log15/2n). Acknowledgments.2).1)n = Xn . If this conjecture is true. The asymptotic time complexity of the algorithm is O (log15/2 n). Future work In our algorithm. we can modify the algorithm slightly to search first for an r which does not divide n2 .1) > 2 q3 implies that step 2 of the algorithm will find an r = O(log3 n) with Or(n) > log2 n. simplified the proof and improved the time complexity! This content downloaded from 202. If r is a prime number that does not divide n and if CONJECTURE (6) (X .We wish to express our gratitude to Hendrik Lenstra Jr.1.

Lecture Notes in Math. Primality Testing and Abelian Varieties over Finite Fields. CARMICHAEL.ps). Ann. Soc.ac. 0. 1512. a number of researchers took the trouble of pointing out various omissions in our paper. of Math.in/news/primality.ac. Primality and identity testing via Chinese remaindering.iitk. INDIANINSTITUTEOF DEPARTMENT OF COMPUTERSCIENCE& ENGINEERING.in/research/btp2001/primality. Theoreme de Brun-Titchmarsh. S. Introduction to Analytic Number Theory. Radhakrishnan.NEERAJ KAYAL. Math. 429-443.ac. C. Math. G. and Madhu Sudan for allowing us to use their proof of Lemma 4. POMERANCE.iitk. D. PRIMES is in P. application au theoreme de Fermat. ADLEMANand M.in kayaln@cse. Note on a number theory function. 1997. IIT Kanpur. This has made the proofs of both upper and lower bounds on the size of g similar (both are now based on the number of roots of a polynomial in a field). M. SAXENA. BHATTACHARJEEand P. Progr. We have tried to incorporate their suggestions in the paper and our apologies if we missed out on some. [Atk] A. Invent. L. [APR] L.8. M.78. MA.On distinguishing [AB] from composite numbers. We thank Erich Bach. This content downloaded from 202. We are thankful to all of them. M. Rajat Bhattacharjee. ADLEMAN. 117 (1983).MANINDRA AGRAWAL. [Car] R. Math. 1995). and Carl Pomerance for providing us with useful references. FOUVRY. ATKIN. Since our preprint appeared.INDIA E-mail addresses: manindra@cse. and August 2002. E. TECHNOLOGY KANPUR. AND NITIN SAXENA 792 We are also thankful to Adam Kalai. Pieter Moree.cse. HUANG. we thank the anonymous referee of the paper whose suggestions and observations have been very useful. Roger Heath-Brown. [AKS] [Apo] prime numbers N. BISWAS. 1992. and V. Springer-Verlag. T. RUMELY. [BP] R. available at http://www.KANPUR.iitk. Boulder (Colorado). Primality testing.ac.html. Volume I (Allerton Park.199 on Mon.-D. Journal of the ACM 50 (2003). 1996.in REFERENCES [AH] L. 79 (1985). 16 [Fou] (1910).iitk. APOSTOL. 138. M. [BH] R. Manuscript. PANDEY. 383-407. 232-238. AGRAWAL and S. Harman. Lecture notes of a conference. Boston. Jaikumar Somenath We thank Biswas. (http://www. Finally. in Analytic Number Theory.in nitinsa@cse. 173-206. preprint AGRAWAL. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions . Birkhiiuser Boston. The Brun-Titchmarsh Theorem on average. BAKER and G. Abhijit Das. Richard Pinch. HARMAN. KAYAL.iitk. and R. Vinay for many useful discussions.ac. New York. 2001. N. Amer. IL. August 1986. Springer-Verlag. Amit Sahai. Bull.cse. C. M. Technical report.175. New York. 39-103.

Some remarks and questions about the AKS algorithm and related conjecture. Private communication. [Len] H. 23-27.cse. V. Monthly 89 (1982).PRIMES IS IN P 793 [GK] S. Cambridge. [KS] N.yp. [LN] R. and M. 1986. 78 (1984). Oxford 37 (1986). STRASSEN. V.fmph. Introduction to Finite Fields and their Applications. Invent. RAM MURTY. Quart.ac. M. unpublished (http://www. [Gol] M. Proc. SIAM Journal on Computing 4 (1975). LIDL and H.org/ March 2003. GOLDFELD.aimath.175. 2002. 300-317. Almost all primes can be quickly certified. unpublished (http://thales. HEATH-BROWN. [Lee] J. KAYAL and N.78. 126-129. Artin's conjecture for primitive roots. MIT Press. POMERANCE. KILIAN. [LP2] .. Every prime has a succinct certificate.to/papers. Cambridge. J.html. Primality testing with gaussian periods. and M. LENSTRA. Math. RAM MURTY. 1985). KUMAR MURTY. 1990. The Euclidian algorithm for S-integers. GUPTA and M.199 on Mon. August http://cr. 0. NIEDERREITER. GOLDWASSER and J. On the number of primes p for which p + a has a large prime factor. Math. (Received January 24.doa. R. A fast Monte-Carlo test for primality. M.). R.. Remarks on Agrawal's conjecture. Cambridge. JR. Sys. [LP1] H. LENSTRA. Private communication. IIT Kanpur. Sci. Modern Computer Algebra. SOLOVAY and V. Press. Handbook of Theoretical Computer Science. Volume A. WWN/ primesinp/articles/html/50a/). 127-130. [HB] D. 27-38. SIAM Journal on Computing 6 (1977). Cambridge Univ. 1986. 7 (1987).in/ research/btp2002/primality. 189-202. PRATT.uniba. Que. [GM] Annual ACM Symposium on the Theory of Computing. V. Math. A.pdf). CMS Conf. Number Theory (Montreal.html#aks 2002. R. [GMM] R. 214-220. M. Technical report. 316-329. On Chebyshev-type inequalities for primes. Cambridge Univ. 13 (1976). and C. J. SUDAN. unpublished (see for an exposition of Lenstra's argument). in Proc. MILLER. March 2003. 128-138. August 2002. NAIR. Number Theory 12 (1980). Probabilistic algorithm for testing primality. J. L. 1999. SAHAI. available at http://www. GUPTA. 84-86. A remark on Artin's conjecture. JR. [Mac] [Mil] [Nai] [Pra] [Rab] [SS] [vzGG] G. W. Press. MA. Notes on primality test and analysis of AKS. Riemann's hypothesis and tests for primality. Comput. 2003) This content downloaded from 202. December 2002. Mathematika 16 (1969).iitk. LEEUWEN (ed. KALAI. 05 Oct 2015 14:36:28 UTC All use subject to JSTOR Terms and Conditions . SAXENA. GERHARD. Towards a deterministic polynomial-time test.sk/macaj/aksremarks. Amer. MACAJ. Primality testing with cyclotomic rings. [KSS] A. J. VON ZUR GATHEN and J. RABIN. W.