Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
AKS primality test
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
{{Short description|Algorithm checking for prime numbers}} The '''AKS primality test''' (also known as '''Agrawal–Kayal–Saxena primality test''' and '''cyclotomic AKS test''') is a [[deterministic algorithm|deterministic]] [[primality test|primality-proving]] [[algorithm]] created and published by [[Manindra Agrawal]], [[Neeraj Kayal]], and [[Nitin Saxena]], computer scientists at the [[Indian Institute of Technology Kanpur]], on August 6, 2002, in an article titled "PRIMES is in P".<ref name="AKS">{{cite journal |first1=Manindra |last1=Agrawal |first2=Neeraj |last2=Kayal |first3=Nitin |last3=Saxena |url=http://www.cse.iitk.ac.in/users/manindra/algebra/primality_v6.pdf |title=PRIMES is in P |journal=[[Annals of Mathematics]] |volume=160 |year=2004 |issue=2 |pages=781–793 |doi=10.4007/annals.2004.160.781 |jstor=3597229 |doi-access=free }}</ref> The algorithm was the first one which is able to determine in [[polynomial time]], whether a given number is [[Prime number|prime]] or [[Composite number|composite]] without relying on [[mathematical conjecture]]s such as the [[generalized Riemann hypothesis]]. The proof is also notable for not relying on the field of [[analysis (mathematics)|analysis]].<ref>{{cite journal|first=Andrew|last=Granville|url=https://www.ams.org/bull/2005-42-01/S0273-0979-04-01037-7/home.html|title=It is easy to determine whether a given integer is prime|journal=Bull. Amer. Math. Soc.|volume=42|year=2005|pages=3–38|doi=10.1090/S0273-0979-04-01037-7|doi-access=free}}</ref> In 2006 the authors received both the [[Gödel Prize]] and [[Fulkerson Prize]] for their work. ==Importance== AKS is the first primality-proving algorithm to be simultaneously ''general'', ''polynomial-time'', ''deterministic'', and ''unconditionally correct''. Previous algorithms had been developed for centuries and achieved three of these properties at most, but not all four. * The AKS algorithm can be used to verify the primality of any '''general''' number given. Many fast primality tests are known that work only for numbers with certain properties. For example, the [[Lucas–Lehmer primality test|Lucas–Lehmer test]] works only for [[Mersenne number]]s, while [[Pépin's test]] can be applied to [[Fermat number]]s only. * The maximum running time of the algorithm can be bounded by a '''[[Polynomial time#Polynomial time|polynomial]]''' over the number of digits in the target number. [[Elliptic curve primality proving|ECPP]] and [[Adleman–Pomerance–Rumely primality test|APR]] conclusively prove or disprove that a given number is prime, but are not known to have polynomial time bounds for all inputs. * The algorithm is guaranteed to distinguish '''[[Deterministic algorithm|deterministically]]''' whether the target number is prime or composite. Randomized tests, such as [[Miller–Rabin primality test|Miller–Rabin]] and [[Baillie–PSW primality test|Baillie–PSW]], can test any given number for primality in polynomial time, but are known to produce only a probabilistic result. * The correctness of AKS is '''not conditional''' on any subsidiary unproven [[hypothesis]]. In contrast, Miller's version of the [[Miller–Rabin primality test#Deterministic variants|Miller–Rabin test]] is fully deterministic and runs in polynomial time over all inputs, but its correctness depends on the truth of the yet-unproven [[generalized Riemann hypothesis]]. While the algorithm is of immense theoretical importance, it is not used in practice, rendering it a [[galactic algorithm]]. For 64-bit inputs, the [[Baillie–PSW primality test|Baillie–PSW test]] is deterministic and runs many orders of magnitude faster. For larger inputs, the performance of the (also unconditionally correct) ECPP and APR tests is ''far'' superior to AKS. Additionally, ECPP can output a [[primality certificate]] that allows independent and rapid verification of the results, which is not possible with the AKS algorithm. ==Concepts== The AKS primality test is based upon the following theorem: Given an integer <math>n\ge 2</math> and integer <math>a</math> [[coprime]] to <math>n</math>, <math>n</math> is prime if and only if the [[polynomial ring|polynomial]] [[Congruence relation#Modular arithmetic|congruence relation]] {{NumBlk|:|<math>(X + a)^{n} \equiv X^{n} + a \pmod{n}</math>|{{EquationRef|1}}}} holds within the polynomial ring <math>(\mathbb Z/n\mathbb Z)[X]</math>.<ref name="AKS"/> Note that <math>X</math> denotes the [[polynomial ring#Definition (univariate case)|indeterminate]] which generates this polynomial ring. This theorem is a generalization to polynomials of [[Fermat's little theorem]]. In one direction it can easily be proven using the [[binomial theorem]] together with the following property of the [[binomial coefficient]]: :<math>{n \choose k} \equiv 0 \pmod{n}</math> for all <math>0<k<n</math> if <math>n</math> is prime. While the relation ({{EquationNote|1}}) constitutes a primality test in itself, verifying it takes [[exponential time]]: the [[brute force method|brute force]] approach would require the expansion of the <math> (X + a)^n</math> polynomial and a reduction <math>\pmod{n}</math> of the resulting <math>n + 1</math> coefficients. The congruence is an equality in the [[polynomial ring]] <math>(\mathbb Z/n\mathbb Z)[X]</math>. Evaluating in a quotient ring of <math>(\mathbb Z/n\mathbb Z)[X]</math> creates an upper bound for the degree of the polynomials involved. The AKS evaluates the equality in <math>(\mathbb Z/n\mathbb Z)[X]/(X^r -1)</math>, making the [[Computational complexity theory|computational complexity]] dependent on the size of <math>r</math>. For clarity,<ref name="AKS"/> this is expressed as the congruence {{NumBlk|:|<math>(X + a)^{n} \equiv (X^{n} + a) \pmod{X^{r}-1, n}</math>|{{EquationRef|2}}}} which is the same as: {{NumBlk|:|<math>(X + a)^n - (X^n + a) = (X^r - 1)g + nf</math>|{{EquationRef|3}}}} for some polynomials <math>f</math> and <math>g</math>. Note that all primes satisfy this relation (choosing <math>g=0</math> in ({{EquationNote|3}}) gives ({{EquationNote|1}}), which holds for <math>n</math> prime). This congruence can be checked in polynomial time when <math>r</math> is polynomial to the digits of <math>n</math>. The AKS algorithm evaluates this congruence for a large set of <math>a</math> values, whose size is polynomial to the digits of <math>n</math>. The proof of validity of the AKS algorithm shows that one can find an <math>r</math> and a set of <math>a</math> values with the above properties such that if the congruences hold then <math>n</math> is a power of a prime.<ref name="AKS"/> ==History and running time== In the first version of the above-cited paper, the authors proved the asymptotic time complexity of the algorithm to be <math>\tilde{O}(\log(n)^{12})</math> (using [[Big O notation#Extensions to the Bachmann–Landau notations|Õ]] from [[big O notation]])—the twelfth power of the number of digits in ''n'' times a factor that is polylogarithmic in the number of digits. However, this upper bound was rather loose; a widely-held conjecture about the distribution of the [[Sophie Germain prime]]s would, if true, immediately cut the worst case down to <math>\tilde{O}(\log(n)^6)</math>. In the months following the discovery, new variants appeared (Lenstra 2002, Pomerance 2002, Berrizbeitia 2002, Cheng 2003, Bernstein 2003a/b, Lenstra and Pomerance 2003), which improved the speed of computation greatly. Owing to the existence of the many variants, Crandall and Papadopoulos refer to the "AKS-class" of algorithms in their scientific paper "On the implementation of AKS-class primality tests", published in March 2003. In response to some of these variants, and to other feedback, the paper "PRIMES is in P" was updated with a new formulation of the AKS algorithm and of its proof of correctness. (This version was eventually published in ''[[Annals of Mathematics]]''.) While the basic idea remained the same, ''r'' was chosen in a new manner, and the proof of correctness was more coherently organized. The new proof relied almost exclusively on the behavior of [[cyclotomic polynomial]]s over [[finite fields]]. The new upper bound on time complexity was <math>\tilde{O}(\log(n)^{10.5})</math>, later reduced using additional results from [[sieve theory]] to <math>\tilde{O}(\log(n)^{7.5})</math>. In 2005, [[Carl Pomerance|Pomerance]] and [[Hendrik Lenstra|Lenstra]] demonstrated a variant of AKS that runs in <math>\tilde{O}(\log(n)^{6})</math> operations,<ref name="lenstra_pomerance_2005">H. W. Lenstra Jr. and Carl Pomerance, "[http://www.math.dartmouth.edu/~carlp/PDF/complexity12.pdf Primality testing with Gaussian periods]", preliminary version July 20, 2005.</ref> leading to another updated version of the paper.<ref name="lenstra_pomerance_2011">H. W. Lenstra Jr. and Carl Pomerance, "[http://www.math.dartmouth.edu/~carlp/aks041411.pdf Primality testing with Gaussian periods] {{Webarchive|url=https://web.archive.org/web/20120225052810/http://www.math.dartmouth.edu/~carlp/aks041411.pdf |date=2012-02-25 }}", version of April 12, 2011.</ref> Agrawal, Kayal and Saxena proposed a variant which would run in <math>\tilde{O}(\log(n)^{3})</math> if [[Agrawal's conjecture]] were true; however, a heuristic argument by Pomerance and Lenstra suggested that it is probably false. ==The algorithm== The algorithm is as follows:<ref name="AKS" /> : Input: integer {{math|''n'' > 1}}. # Check if ''n'' is a [[perfect power]]: if {{math|1=''n'' = ''a''<sup>''b''</sup>}} for integers {{math|''a'' > 1}} and {{math|''b'' > 1}}, then output ''composite''. # Find the smallest ''r'' such that {{math|[[multiplicative order|ord]]<sub>''r''</sub>(''n'') > (log<sub>2</sub> ''n'')<sup>2</sup>}}. If ''r'' and ''n'' are not coprime, then output ''composite''. # For all 2 ≤ ''a'' ≤ min (''r'', ''n''−1), check that ''a'' does not divide ''n'': If ''a''|''n'' for some 2 ≤ ''a'' ≤ min (''r'', ''n''−1), then output ''composite''. # If ''n'' ≤ ''r'', then output ''prime''. # For {{math|1=''a'' = 1}} to <math>\left\lfloor \sqrt{\varphi(r)}\log_2(n) \right\rfloor</math> do #: if (''X''+''a'')<sup>''n''</sup> ≠ ''X''<sup>''n''</sup>+''a'' (mod ''X''<sup>''r''</sup> − 1,''n''), then output ''composite''; # Output ''prime''. Here [[multiplicative order|ord]]<sub>''r''</sub>(''n'') is the [[multiplicative order]] of ''n'' [[modular arithmetic|modulo]] ''r'', log<sub>2</sub> is the [[binary logarithm]], and <math>\varphi(r)</math> is [[Euler's totient function]] of ''r''. Step 3 is shown in the paper as checking 1 < gcd(''a'',''n'') < ''n'' for all ''a'' ≤ ''r''. It can be seen this is equivalent to trial division up to ''r'', which can be done very efficiently without using [[greatest common divisor|gcd]]. Similarly the comparison in step 4 can be replaced by having the trial division return ''prime'' once it has checked all values up to and including <math>\left\lfloor \sqrt{n} \right\rfloor.</math> Once beyond very small inputs, step 5 dominates the time taken. The essential reduction in complexity (from exponential to polynomial) is achieved by performing all calculations in the finite ring : <math>R = (\mathbb Z/n\mathbb Z)[X]/(X^r -1)</math> consisting of <math>n^r</math> elements. This ring contains only the <math>r</math> [[monomial]]s <math>\{X^0,X^1,\ldots,X^{r-1}\} </math>, and the [[coefficient]]s are in <math>\mathbb Z/n\mathbb Z</math> which has <math>n</math> elements, all of them codable within <math>\log_2(n)</math> bits. Most later improvements made to the algorithm have concentrated on reducing the size of ''r,'' which makes the core operation in step 5 faster, and in reducing the size of ''s'', the number of loops performed in step 5.<ref name="bernstein03">Daniel J. Bernstein, "[https://cr.yp.to/papers/aks.pdf Proving Primality After Agrawal-Kayal-Saxena]", version of January 25, 2003.</ref> Typically these changes do not change the computational complexity, but can lead to many orders of magnitude less time taken; for example, Bernstein's final version has a theoretical speedup by a factor of over 2 million. ===Proof of validity outline=== For the algorithm to be correct, all steps that identify ''n'' must be correct. Steps 1, 3, and 4 are trivially correct, since they are based on direct tests of the divisibility of ''n''. Step 5 is also correct: since (2) is true for any choice of ''a'' coprime to ''n'' and ''r'' if ''n'' is prime, an inequality means that ''n'' must be composite. The difficult part of the proof is showing that step 6 is true. Its proof of correctness is based on the upper and lower bounds of a [[multiplicative group]] in <math>\mathbb{Z}_{n}[x]</math> constructed from the (''X'' + ''a'') binomials that are tested in step 5. Step 4 guarantees that these binomials are <math>\left\lfloor \sqrt{\varphi(r)}\log_2(n) \right\rfloor</math> distinct elements of <math>\mathbb{Z}_n[x]</math>. For the particular choice of ''r'', the bounds produce a [[proof by contradiction|contradiction]] unless ''n'' is prime or a power of a prime. Together with the test of step 1, this implies that ''n'' is always prime at step 6.<ref name="AKS"/> ===Example 1: ''n'' = 31 is prime=== {{pre|style=white-space:pre;overflow:auto; |1=<nowiki/> '''Input''': integer ''n'' = 31 > 1. <u>(* Step 1 *)</u> '''If''' (''n'' = ''a''<sup>''b''</sup> for integers ''a'' > 1 and ''b'' > 1), '''output''' ''composite''. '''For''' ( b = 2; b <= log<sub>2</sub>(n); b++) { a = n<sup>1/b</sup>; '''If''' (a is integer), '''Return'''[Composite] } a = n<sup>1/2</sup>...n<sup>1/4</sup> = {5.568, 3.141, 2.360} <u>(* Step 2 *)</u> Find the smallest ''r'' such that ''O''<sub>''r''</sub>(''n'') > (log<sub>''2''</sub> ''n'')<sup>2</sup>. maxk = ⌊(log<sub>''2''</sub> n)<sup>2</sup>⌋; maxr = Max[3, ⌈(Log<sub>''2''</sub> n)<sup>5</sup>⌉]; <u>(* maxr really isn't needed *)</u> nextR = True; '''For''' (r = 2; nextR && r < maxr; r++) { nextR = False; '''For''' (k = 1; (!nextR) && k ≤ maxk; k++) { nextR = (Mod[n<sup>k</sup>, r] == 1 {{!!}} Mod[n<sup>k</sup>, r]==0) } } r--; <u>(*the loop over increments by one*)</u> r = 29 <u>(* Step 3 *)</u> '''If''' (1 < [[greatest common divisor|gcd]](''a'',''n'') < ''n'' for some ''a'' ≤ ''r''), '''output''' ''composite''. '''For''' (a = r; a > 1; a--) { '''If''' ((gcd = GCD[a,n]) > 1 && gcd < n), '''Return'''[Composite] } gcd = {GCD(29,31)=1, GCD(28,31)=1, ..., GCD(2,31)=1} ≯ 1 <u>(* Step 4 *)</u> '''If''' (''n'' ≤ ''r''), '''output''' ''prime''. '''If''' (n ≤ r), '''Return'''[Prime] <u>(* this step may be omitted if n > 5690034 *)</u> 31 > 29 <u>(* Step 5 *)</u> '''For''' ''a'' = 1 '''to''' <math>\left\lfloor\sqrt{\varphi(r)}\log_2(n)\right\rfloor</math> '''do''' '''If''' ((''X''+''a'')<sup>''n''</sup> ≠ ''X''<sup>''n''</sup> + ''a'' (mod ''X''<sup>''r''</sup> − 1,''n'')), '''output''' ''composite''; φ[x_] := EulerPhi[x]; PolyModulo[f_] := PolynomialMod<nowiki>[</nowiki>[[polynomial remainder|PolynomialRemainder]][f, x<sup>r</sup>-1, x], n]; max = Floor[Log[2, n]{{sqrt|φ[r]}}]; '''For''' (a = 1; a ≤ max; a++) { '''If''' (PolyModulo[(x+a)<sup>n</sup> - PolynomialRemainder[x<sup>n</sup>+a, x<sup>r</sup>-1], x] ≠ 0) { '''Return'''[Composite] { } (x+a)<sup>31</sup> = a<sup>31</sup> +31a<sup>30</sup>x +465a<sup>29</sup>x<sup>2</sup> +4495a<sup>28</sup>x<sup>3</sup> +31465a<sup>27</sup>x<sup>4</sup> +169911a<sup>26</sup>x<sup>5</sup> +736281a<sup>25</sup>x<sup>6</sup> +2629575a<sup>24</sup>x<sup>7</sup> +7888725a<sup>23</sup>x<sup>8</sup> +20160075a<sup>22</sup>x<sup>9</sup> +44352165a<sup>21</sup>x<sup>10</sup> +84672315a<sup>20</sup>x<sup>11</sup> +141120525a<sup>19</sup>x<sup>12</sup> +206253075a<sup>18</sup>x<sup>13</sup> +265182525a<sup>17</sup>x<sup>14</sup> +300540195a<sup>16</sup>x<sup>15</sup> +300540195a<sup>15</sup>x<sup>16</sup> +265182525a<sup>14</sup>x<sup>17</sup> +206253075a<sup>13</sup>x<sup>18</sup> +141120525a<sup>12</sup>x<sup>19</sup> +84672315a<sup>11</sup>x<sup>20</sup> +44352165a<sup>10</sup>x<sup>21</sup> +20160075a<sup>9</sup>x<sup>22</sup> +7888725a<sup>8</sup>x<sup>23</sup> +2629575a<sup>7</sup>x<sup>24</sup> +736281a<sup>6</sup>x<sup>25</sup> +169911a<sup>5</sup>x<sup>26</sup> +31465a<sup>4</sup>x<sup>27</sup> +4495a<sup>3</sup>x<sup>28</sup> +465a<sup>2</sup>x<sup>29</sup> +31ax<sup>30</sup> +x<sup>31</sup> PolynomialRemainder [(x+a)<sup>31</sup>, x<sup>29</sup>-1] = 465a<sup>2</sup> +a<sup>31</sup> +(31a+31a<sup>30</sup>)x +(1+465a<sup>29</sup>)x<sup>2</sup> +4495a<sup>28</sup>x<sup>3</sup> +31465a<sup>27</sup>x<sup>4</sup> +169911a<sup>26</sup>x<sup>5</sup> +736281a<sup>25</sup>x<sup>6</sup> +2629575a<sup>24</sup>x<sup>7</sup> +7888725a<sup>23</sup>x<sup>8</sup> +20160075a<sup>22</sup>x<sup>9</sup> +44352165a<sup>21</sup>x<sup>10</sup> +84672315a<sup>20</sup>x<sup>11</sup> +141120525a<sup>19</sup>x<sup>12</sup> +206253075a<sup>18</sup>x<sup>13</sup> +265182525a<sup>17</sup>x<sup>14</sup> +300540195a<sup>16</sup>x<sup>15</sup> +300540195a<sup>15</sup>x<sup>16</sup> +265182525a<sup>14</sup>x<sup>17</sup> +206253075a<sup>13</sup>x<sup>18</sup> +141120525a<sup>12</sup>x<sup>19</sup> +84672315a<sup>11</sup>x<sup>20</sup> +44352165a<sup>10</sup>x<sup>21</sup> +20160075a<sup>9</sup>x<sup>22</sup> +7888725a<sup>8</sup>x<sup>23</sup> +2629575a<sup>7</sup>x<sup>24</sup> +736281a<sup>6</sup>x<sup>25</sup> +169911a<sup>5</sup>x<sup>26</sup> +31465a<sup>4</sup>x<sup>27</sup> +4495a<sup>3</sup>x<sup>28</sup> ({{EquationRef|A}}) PolynomialMod [PolynomialRemainder [(x+a)<sup>31</sup>, x<sup>29</sup>-1], 31] = a<sup>31</sup>+x<sup>2</sup> ({{EquationRef|B}}) PolynomialRemainder [x<sup>31</sup>+a, x<sup>29</sup>-1] = a+x<sup>2</sup> ({{EquationNote|A}}) - ({{EquationNote|B}}) = a<sup>31</sup>+x<sup>2</sup> - (a+x<sup>2</sup>) = a<sup>31</sup>-a <math>\max = \left\lfloor\log_2 (31) \sqrt{\varphi(29)} \right\rfloor = 26</math> {1<sup>31</sup>-1 = 0 (mod 31), 2<sup>31</sup>-2 = 0 (mod 31), 3<sup>31</sup>-3 = 0 (mod 31), ..., 26<sup>31</sup>-26 = 0 (mod 31)} <u>(* Step 6 *)</u> '''Output''' ''prime''. {{samp|31 Must be Prime}} }} Where PolynomialMod is a term-wise modulo reduction of the polynomial. e.g. PolynomialMod[x+2x<sup>2</sup>+3x<sup>3</sup>, 3] = x+2x<sup>2</sup>+0x<sup>3</sup> <ref>See [[Talk:AKS primality test#Worked Example|AKS Talk]] page for a discussion on why 'Example 2: n is not Prime past Step 4' is missing.</ref> ==References== {{Reflist}} ==Further reading== * {{cite book | last=Dietzfelbinger | first=Martin | title=Primality testing in polynomial time. From randomized algorithms to ''PRIMES is in P'' | series=Lecture Notes in Computer Science | volume=3000 | location=Berlin | publisher=[[Springer-Verlag]] | year=2004 | isbn=3-540-40344-2 | zbl=1058.11070 }} ==External links== * {{MathWorld|urlname=AKSPrimalityTest|title=AKS Primality Test}} * [https://web.archive.org/web/20140219064936/http://www.dm.unito.it/~cerruti/ac/aks-crandall.pdf R. Crandall, Apple ACG, and J. Papadopoulos (March 18, 2003): On the implementation of AKS-class primality tests] (PDF) * [https://www.ams.org/notices/200305/fea-bornemann.pdf Article by Bornemann, containing photos and information about the three Indian scientists] (PDF) * [https://www.ams.org/bull/2005-42-01/S0273-0979-04-01037-7/home.html Andrew Granville: It is easy to determine whether a given integer is prime] * [http://www.scottaaronson.com/writings/prime.pdf The Prime Facts: From Euclid to AKS], by [[Scott Aaronson]] (PDF) * [http://www.instantlogic.net/publications/PRIMES%20is%20in%20P%20little%20FAQ.htm The PRIMES is in P little FAQ] by Anton Stiglic * [https://web.archive.org/web/20150327071905/http://www.sigact.org/Prizes/Godel/2006.html 2006 Gödel Prize Citation] * [https://www.ams.org/notices/200611/comm-fulkerson.pdf 2006 Fulkerson Prize Citation] * [http://fatphil.org/maths/AKS The AKS "PRIMES in P" Algorithm Resource] {{Number theoretic algorithms}} {{Authority control}} [[Category:Primality tests]] [[Category:Finite fields]] [[Category:Articles with example pseudocode]]
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)
Pages transcluded onto the current version of this page
(
help
)
:
Template:Authority control
(
edit
)
Template:Cite book
(
edit
)
Template:Cite journal
(
edit
)
Template:EquationNote
(
edit
)
Template:Math
(
edit
)
Template:MathWorld
(
edit
)
Template:NumBlk
(
edit
)
Template:Number theoretic algorithms
(
edit
)
Template:Pre
(
edit
)
Template:Reflist
(
edit
)
Template:SfnRef
(
edit
)
Template:Short description
(
edit
)
Template:Webarchive
(
edit
)