Turns out, Primes are in P

zorba1 writes "Manindra Agrawal et. al. of the Indian Institute of Technology Kanpur CS department have released a most interesting paper today. It presents an algorithm that determines whether a number is prime or not in polynomial time. While I haven't gone through the presentation in detail, it looks like a promising, albeit non-optimized, solution for the famous PRIMES in P problem."

Huh

[KingKire64]

News for Math Geniuses, Algorithms that matter?

Re:Huh

[zapfie]

Um, if you don't like nerdy stuff.. I hate to break it to you, but this might not be the place for you. :)

Re:Huh

[KingKire64]

So much for comedy!

you guys need to relax

Re:Huh

This looks like a problem for a giant robot.

Big O, it's showtime!!!

p=np?

[freality]

If I can find primes in polynomial time, can I do 3-sat in p too?

Re:p=np?

[RabeiUsura]

No, because find primes was classified as NP, 3-SAT and others are NP-Complete which are a "superclass" of NP problems.

Re:p=np?

If by "superclass", you mean problems that are (thought to be) harder than the other set of problems, then yes.
But technically speaking, NP-complete problems actually form a "sub"class of NP problems.
And yes, primes is not _known to_ be a NP-complete problem, so this doesn't really affect complexity of 3-SAT directly.

Re:p=np?

[allsmileys4u]

mathematicians have been pondering over that prob for decades.. if that works out we'll have fresh prespective of univ..(remember the pendulum, algorithmic univ theories)

Re:p=np?

[RabeiUsura]

Your are right i meant the first thing, thanks for the correction.

Re:p=np?

[Vengie]

3-sat isnt it 3-cnf-sat? or is cnf typically dropped?

Re:p=np?

Indeed, primality has been known since the 80's to belong to the class RP (problems solvable in expected polynomial time by a randomised algorithm). It has never (in recent years) been suspected of being NP-complete. Most experts don't even think factoring is NP-complete.

(All this assuming P!=NP, or else all these distinctions collapse.)

Re:p=np?

[welthqa]

how long have you guys been waiting for a topic on prime numbers, it's like your entire lives have been building up to this point. hurray!

Re:p=np?

Is this discovery of any obvious practical use? If I remember my discrete math class correctly, when you want to test primality of a number that you are actually going to use, you can use a "probabilistic proof" to guarantee primality to whatever degree of accuracy you desire.

Re:p=np?

NP-complete problem are no superclass of NP, but they are considered to be the hardest problems in NP. "The hardest problems in NP" means that if one finds and deterministic polynomial algorithm for a NP-complete problem, you could use this algorithm as a subprocedure for any problem in NP (every instance of a problem in NP can be reformulated as an instance of this NP-complete problem in det. pol. time) and therefore P=NP.
But it is more likely that there exists no det. pol. time alg. for any NP-complete probleme and so P != NP)

Re:p=np?

[Oztun]

Yeah what the hell is this intelligent discussion. Lets go back to "Linux is uhh cool teehee". Or how about "Cowboyneal sure has a big hat, yup".

Re:p=np?

[Vengie]

Whatever idiot modded me as "off topic" doesn't know ANYTHING about complexity and p/np. 3-sat doesnt exist. its 3-cnf-sat 3- conj. normal form - satis. problem.

I always thought is was in P

[Mr.+Sketch]

I can tell if a number is prime via:

bool isprime(p)
for i = 2 to sqrt(p)
if p mod i == 0
return false
endif
endfor
return true
endfunc

If I'm not correct, that algo is O(n), thus polynomial, thus in P. But for very large p, that algo is impractical.

Re:I always thought is was in P

congrats you foud a worse algorithm

Re:I always thought is was in P

Not quite true. You are doing a considerable amount of operations when you calculate mod i, which means that you're performing it in exponential time.

Re:I always thought is was in P

For P, it has to be polynomial in the size of _the input_. The input size here is log(n) since it requires log(n) bits to represent n. log(n)^12 hence is polynomial (which i believe their algo guarantees), whereas sqrt(n) is not.

Re:I always thought is was in P

Er, I would call a simple divide "considerable".

Re:I always thought is was in P

[Walker]

What are you referring to as your input size n in O(n)? The number p? The correct size n is the number of digits of p. That algorithm is definitely non-polynomial for that (correct) n.

Re:I always thought is was in P

[crlf]

Uhh..

Pardon my french, but isn't sqrt(n) is better than log(n)^12?

Re:I always thought is was in P

[crlf]

I hate replying to my own posts, but upon further inspection, I realized that sqrt(n) > log(n)^12 for large n.

Yet, sqrt(n) is still polynomial time.

Re:I always thought is was in P

[Boronx]

Someone posted above that the actual size of input, grows as log(n), so the actuall speed of the algorithm is sqrt(2^i) or 2^(i/2), where i is the number of bits in the input.

Re:I always thought is was in P

True this is in P for n. However, a polynomial time algorithm for this would not be, to the best of my understanding, polynomial in the size of n. Your algorithm there certainly is. It would be polynomial in the number of digits in n. So, an algorithm that is only polynomial in the size of n would be exponential in the number of digits in n, because representing n in any non unary number system only requires a number of digits logorithmic in n.

Re:I always thought is was in P

[tunah]

No. Polynomial time, as was said, is polynomial in terms of the input. Input b bits and n is (worst case) on the order of 2^b so now sqrt(n) is about sqrt(2^b)=2^(b/2) which is far worse than polynomial in b.

Re:I always thought is was in P

[khuber]

Er, I would call a simple divide "considerable".

Assuming you meant "wouldn't call", division is definitely "considerable". Remember we are talking about large numbers. Try doing long division on paper for 35184535666823 divided by 4194319 (answer is 8388617) and you can see there is some work involved, even with these small numbers.

The paper method of long division is O(n^2) and it turns out it can be done more efficiently: As I understand it, you can do division in the steps required for multiplication. Therefore the number of operations required to divide two n digit numbers is bounded by the best multiplication which is O(n lg n lg lg n) (from Knuth Volume II).

This is about 57 for 10 digits and about 182 for 20 digits. You can see that doubling the number of digits here more than triples the required number of operations to compute this result! Likewise 30 digits require about 6 times more operations. You can see that the "n times" grows faster than the number of digits. Thus, division gets slower and slower the more digits you have to divide.

-Kevin

Re:I always thought is was in P

[khuber]

Hey everyone, Yoda is posting to Slashdot! Just kidding ya :).

-Kevin

Re:I always thought is was in P

One polynolmial way of determining if a number is prime has been known for a long time, and is as follows:

for all integers 'x',

((2^x)-2)/x is an integer if and only if x is prime.

Re:I always thought is was in P

Not sure, but it seems that you're including 2 in the test for a 0 remainder. Wouldn't that falsely report 2 as a non-prime number? Plus you need to have the error-catching out front for both 1 and 2.

Re:I always thought is was in P

[John+Allsup]

As others have pointed out, n is the size of the input, i.e. the number of bits representing the number. A number that requires e.g. 20 bits to write (i.e. has a 1 in the 20th place) would then be between 2^19 and 2^20 (if we start counting at 1, so the 20th place corresponds to 2^19). Thus the input for p has size approx. lg2 p and so the for loop requres sqrt(p) ~ sqrt(2^n) = 2^(0.5 n) steps. This is exponential time.

You must always be careful not to confuse the size of the input with what it represents.

Re:I always thought is was in P

If I'm not correct, that algo is O(n), thus polynomial, thus in P. But for very large p, that algo is impractical.

Correction: This old algorithm is O(n^0.5), which is actually better than O(n).

Re:I always thought is was in P

You have the wrong n. Move along.

Re:I always thought is was in P

previous poster said:

((2^x)-2)/x is an integer if and only if x is prime

now let's look ...
"((2^x)-2)/x is an integer" can be expressed as:

(2^x)-2 == 0 (mod x), which is the same as:

(2^x) == 2 (mod x), and dividing by two:

2^(x-1) == 1 (mod x).

OK, now that almost is Euler's formula: for all numbers n and a prime p: n^(p-1) == 1 (mod p) (that one is true) ...

However, simply using 2 is producing false positives ... try using 341 as an input for x ... 2^340 == 1 (mod 341), and thus ((2^341)-2)/341 is an integer, but 341 is not prime (since 341 == 31*11).

You are wrong. Sorry.

Nobel Prize Time

[flonker]

If I'm reading this correctly, we've got a nearly guaranteed winner of the Nobel Prize here.

Re:Nobel Prize Time

Incorrect. There is no Nobel Prize for mathematics. You are thinking of the Fields Medal.

Read more here:
http://mathworld.wolfram.com/FieldsMedal.ht ml

Re:Nobel Prize Time

[RackinFrackin]

If I'm reading this correctly, we've got a nearly guaranteed winner of the Nobel Prize here.

This would be more in line for a Fields Medal than a Nobel Prize.

Re:Nobel Prize Time

to the best of my knowledge, there is no nobel prize for mathematics.

Re:Nobel Prize Time

there is no nobel prize for mathematics.

Re:Nobel Prize Time

A direct link to the MathWorld site.

Re:Nobel Prize Time

[EvanED]

What category? Unfortunately, there's no mathematics Nobel Prize. I realize that they consider applications, but I don't see many in physics, chemistry, medicine, economics, peace, or literature.

Re:Nobel Prize Time

how long until the algorithm gets implemented in something similar to primenet?

http://www.mersenne.org/primenet/

mmmmmh...massively parallel distributed O(n) prime number calculator...

Re:Nobel Prize Time

[amnesty]

There is no Nobel Prize for math. The Fields Medal is given for contributions to math.

Justin

Re:Nobel Prize Time

[orz]

What category? Unfortunately, there's no mathematics Nobel Prize. I realize that they consider applications, but I don't see many in physics, chemistry, medicine, economics, peace, or literature.

The Nobel Prize for literature of course.

Re:Nobel Prize Time

[fatphil]

ECPP is already polynomial time with theoretical exponent ~6. However, the
best ECPP implementation out there, Marcel Martin's 'Primo', seems to behave
as if it has exponent ~4.5-5.
ECPP is non-deterministic though. But it looks like this one is too.

So this looks as if it may be worse than the state of the art.

I'll wait for Lenstra and Pomerance to say their piece though, before making
my mind up.

FatPhil

Re:Nobel Prize Time

[retiarius]

ah, but lenstra & pomerance are in the
acknowledgements as reviewers.

if they're not up to snuff, try the ghost
of ramanujan.

Re:Nobel Prize Time

I'll post to this one due to random luck. Don't forget that there is also an age restriction on the Fields Medal, and some other wacky restrictions, so we might not even see a Fields Medal for this.

Re:Nobel Prize Time

[khuber]

Everyone knows Nobel's wife cheated on him with a mathematician so, out of spite, there is no Nobel for mathematics!

-Kevin (yes I know that isn't true - Nobel never married)

Re:Nobel Prize Time

[fatphil]

Where did you find out that they were reviewers?

However, word on teh grapevine I have access to says that it seems
that Henrik Lenstra (not to be confused with Arjen), has already
declared taht he believes the proof to be correct and elegant.

And that's about as high a recommendation as it gets.

I'll try to knock up an implementation of his algorithm some time soon, and
see what the practical big-Oh looks like.

Phil

Re:Nobel Prize Time

[gunix]

well it's not O(n).. if you read the paper it says something like O(n^6) or O(n^12)

Re:Nobel Prize Time

[distributed.karma]

Mathematical discoveries can be awarded the Nobel Prize in some cases, if the discovery has an impact on one of the noble sciences. For example, we all should know now that John Nash won the Nobel Prize for Economics, although his theory was purely mathematical.

Re:Nobel Prize Time

I'll personally confirm that Carl Pomerance also sent word to the NMBRTHRY list that he believes the proof to be correct, "very elegant and quite a bit simpler" than other primality tests.

To address the non-determinism issue, this algorithm is assuredly deterministic, which is the point of this surprisingly elementary (in the good sense) paper.

Re:Nobel Prize Time

[shiva]

But the Nobel Prize in Economics is not a true Nobel Prize. It's given out by a bunch of Swiss bankers in "honor of Nobel."

for the sake of our eyes

[fatmav]

the ps version looks much better:
http://www.cse.iitk.ac.in/primality.ps

Re:for the sake of our eyes

[fatbitch]

he should have used dvipdfm

Re:for the sake of our eyes

[blafasel]

or pdftex or \usepackage{times}

Re:for the sake of our eyes

[Soft]

pdflatex doesn't always work - try it with prosper slides for instance - and the times package is obsolete.

Either use package txfonts or maybe pxfonts (uses only PostScript fonts), or mathptmx (keeps Computer Modern fonts for math, but this doesn't always work), or install the vectorial T1 version of the ECM fonts and make sure those are used instead of the bitmap ones.

Re:for the sake of our eyes

[the+way,+what're+you]

apparently it's been moved:
http://www.cse.iitk.ac.in/news/primality.ps

Re:for the sake of our eyes

[Oberon]

Using teTex, the way to avoid the ugly (Type 3) fonts in the pdf version is to use the flags
-Pamz -Pcmz
when invoking dvips. Then ps2pdf will produce a pdf containing good-looking Type 1 fonts.

What's Polynomial Time?

[Stephen+VanDahm]

I don't know anything about theoretical CS. What's polynomial time?

Steve

Re:What's Polynomial Time?

[orz]

They're saying the the time T necessary to determine whether or not an N digit number is prime satisfies this equation:

T a)
for some value (can be any finite value) of k and a.

Re:What's Polynomial Time?

[Goonie]

The technical definition is kinda long and complex, but in essence it's like this. Given a problem of some size n, a polynomial time algorithm is guaranteed to give a solution in time proportional to a polynomial of n. If a polynomial-time algorithm exists that solves a problem, then the problem is said to be in polynomial time.

To give an example, say you've got a list of numbers and you want to know the sum. That can be done in linear time - ie, the time taken is proportional to the length of the list of numbers. The size of the problem (n) is defined by the length of the list and the time taken (T) is as follows: T = c1 * n + c0, where c1 and c0 are some fixed constants. The formula for T is a polynomial, and so the problem "LIST-SUM" is in polynomial time. It would still be in polynomial time if the formula for T was a polynomial with n^2, n^3, n^50 terms in it, or even terms like n^1.5 (because as n grows very large an n^1.5 term will always be smaller than an n^2 term).

Showing you an example of something outside polynomial time is a little more difficult, but some standard examples are SAT (the satisfiability problem) or the travelling-salesman problem, which you can read about in any book on the subject.

Re:What's Polynomial Time?

[jeffy124]

a simple way to think of it:

an NP-complete (NP=non-polynomial) problem is one that can be solved, but takes about 8*age_of_universe time to solve. To get around this, approximation algorithms are used, but these can never give a 100% guarantee of finding the correct solution, nor may provide the same solution if it were to execute on the same data twice.

a polynomial-time problem is one that can be solved within our lifetimes, guarantee 100% accuracy, and can always generate the same solution for the same data.

there's a LOT more to it. The book Intro to Algorithms has a good chapter on the topic of NP-completeness, which will explain the intricate and gory details.

Re:What's Polynomial Time?

[MrCreosote]

Isn't it some kind of new marketing campaign by Swatch?

Re:What's Polynomial Time?

[platipusrc]

NP stands for Nondeterministic Polynomial.

ie, it can be completed by a nondeterministic machine in polynomial time. The main problem with NP algorithms is that there aren't any nondeterminisitic machines around. (A nondeterministic machine can attempt all paths to try to reach a conclusion at once whereas a deterministic machine can only try one at a time.)

Re:What's Polynomial Time?

NP stands for non-deterministic polynomial rather than non-polynomial.

Re:What's Polynomial Time?

[Kaz+Riprock]

Back in the days of parachute pants, leg warmers, and the 80's, there was a man....a man with a rapping and dancing vision. His name...

MC Polynomial.

And he sang a song..."P can't Touch This". Before the drum break of this song, Poly sang:

It's a prime, because you know
P can't touch this
P can't touch this
Stop...Polynomial Time...

Thus giving rise to a branch of mathematical order functions denoting the complexity of a problem...

Either that or it's defined pretty well here.

Re:What's Polynomial Time?

informally, and without any formatting problems, polynomial time refers to the relationship between the amount of time an algorithm runs and the size of its inputs. Specifically, the amount of time grows, at worst, as some function that is a polynomial, such as n^2, or n^10000000000.

Re:What's Polynomial Time?

"NP=non-polynomial" == LOSE!!

"NP=non-deterministic polynomial" == WIN!!

Re:What's Polynomial Time?

showing an example of something outside polynomial time is difficult, because we don't know if such a thing exists since P is included in NP and no one proved NP isn't in P... Nor the contrary.

Re:What's Polynomial Time?

[Goonie]

Well, there are things that are definitely outside polynomial time - the halting problem for instance, which is undecidable no matter how much time you have. There are also problems that provably take exponential time even on a nondeterministic Turing machine. However, you are quite correct that TSP or SAT just might be in P (but it's pretty damn unlikely).

I was trying to keep it simple because the original poster said that he didn't know anything about theoretical CS.

Re:What's Polynomial Time?

[DaveUIUC]

SAT and the travelling salesman have not been proven to be in P. They're both NP-Complete, which means that if they /are/ in P, then P = NP. While it's very likely that neither are in P, it's still far from being fact.

Re:What's Polynomial Time?

[Salsaman]

There is a remote island in the South Pacific called 'Polynosia' (not to be confused with 'Polynesia').

The island has a number of strange customs.

1) All the women on this island are called 'Polly' in reverence to the island's god, Polynose.

2) The men of the island are very philosphical (maybe because all the women are called Polly, so it gets very confusing). They spend most of their time poring over mathematical problems.

3) The island has strict laws on the use of technology. Telephones are not allowed, aircraft are not allowed to land there, in fact the only way to reach the island is by boat, nevertheless it is very popular with tourists.

4) It is considered offensive to Polynose for anyone who is not a Polynosian woman (a Polly) to prepare food. Since the island is popular with holiday makers though, all of the enterprising Polly's have opened small restaurants called 'Polly-meal-time'.

The men of the island, in order to discuss their mathematical musings, recently opened a cafe. To distinguish this from all the restaurants, they named it 'Polly-no-meal-time'.

The article reports that recently a boatload of mathematicians visited Polynose, and told the island's men how to check if a number is prime.

Thus the headline 'Primes can now be solved in Polly-no-meal-time'.

/me ducks :-)

Re:What's Polynomial Time?

[zakharin]

The halting problem is not necessarily outside of P either since it certainly is in NP and we do not know that P!=NP

Re:What's Polynomial Time?

[RickL]

You forgot to mention that the philosophers sit around a big table in the cafe. They spend their time either eating or thinking. Between each philosopher is a chopstick. In order to eat, the philosopher must have both of the chopsticks. If they don't have a good strategy, then they starve.

Re:What's Polynomial Time?

[DaveUIUC]

The halting problem isn't in NP (this was proved by Turing). Since P subset NP, the halting problem can't in P either.

Re:What's Polynomial Time?

Ummm... that's also what he said. Did you read his post?

Re:What's Polynomial Time?

[jirka]

Something with a time of (in seconds)

99999999999999999999999 * n^555555555555

Is in P, yet not solvable within our lifetimes. P just tells you the GROWTH rate, not the absolute time. NP complete problems (with current non-P algs) for small numbers are doable within seconds too. P problems are quite often too slow just as well. Any alg that does n^2 will kill your puter on even fairly small n just as well.

Re:What's Polynomial Time?

[phliar]

NP=non-polynomial

Wrong. NP is the class of "non-deterministic polynomial-time" algorithms.

Another way to think about it is: can a proposed solution to the problem be checked (deterministically, of course) in polynomial time?

an NP-complete problem is one that can be solved, but takes about 8*age_of_universe time to solve

Wrong again. If you have a class C, the class "C-complete" represents something like the kernel of class C -- roughly, if you can solve a problem in C-complete defined under some restrictions, then you can solve any problem in C under those restrictions. Example: if you can solve a problem in NP-complete -- say 3-SAT -- in P time, then you can solve any problem in NP in P time.

a polynomial-time problem is one that can be solved within our lifetimes

Not encessarily. An n^{large-number} is not realistic to use for any non-trivial n. Anything above a cubic is not really usable.

Re:What's Polynomial Time?

Actually, there is a slight mistake in this comment, and that is that we do not know if SAT or TSP are in or out P. we do know that SAT and TSP are NP (nondeterministic polynomic problems), but wheter P and NP are equal or not is an open problem

Re:What's Polynomial Time?

[Jay+L]

Not to be confused with MC Hawking.

Cryptography

[jesterzog]

Out of interest, will this finding have any impact on the effectiveness of present day cryptography?

Re:Cryptography

No. As the abstract also describes, there exists a randomized algorithm for doing primality testing in polynomial time (and is probably much faster than this algorithm as of now). This is of great theoretical interest, but unless it leads to an algorithm for factoring, probably does not have any direct impact on crypto.

Re:Cryptography

[God!+Awful]

Out of interest, will this finding have any impact on the effectiveness of present day cryptography?

Probably not. While it is possible that this research could lead to results in speeding up factoring, a faster algorithm for determining whether a number is prime is not going to compromise the security of RSA.

Your RSA key pair is derived from 2 large primes. The way we generate keys is to randomly test large random numbers to see if any of them are prime. Ergo, we must already have an efficient formula for determining if a number is prime or not.

FYI, the most commonly used algorithm is Euler's formula. Euler's formula doesn't actually tell you if a number is prime, but it will usually give a non-zero output if the number is not prime, so if you run it enough times with different inputs, you can be 99.99999% sure that a number is prime. However, a small percentage of numbers are "pseudoprimes" -- numbers that are not prime but which will also satisfy Euler's formula. Therefore, after you discover a candidate prime, you should use a different (slower) formula to double-check.

Since this is fairly common knowledge among geeks who use encryption, I'm somewhat surprised that so many people here jumped to the same conclusion you did.

-a

Re:Cryptography

[Valar]

obviously, any attempts to factor a composite into primes should have a good list of primes...this would help in generating that...but then again...it would make creating really big (tm) keys easier too...

Re:Cryptography

[davidcash]

what is this "euler's formula" of which you speak?

i thought miller-rabin was the most commonly used primality test.

Re:Cryptography

[MatanZ]

Why would proving that "factorization is in P" break modern public key cryptograph?

If you need to factorize a 128 bit number, and you have O(n^12) method, than you'll still need 2^84 steps.

Re:Cryptography

He didn't jump to a conclusion. He asked a question.

Re:Cryptography

[God!+Awful]

what is this "euler's formula" of which you speak? i thought miller-rabin was the most commonly used primality test.

I had trouble finding a good reference for this. As I mentioned before, the Euler test is very fast, but it is vulnerable to pseudoprimes. After you find a candidate, you may want to double-check it with another algorithm, such as Miller-Rabin. Here's a crypto library that uses both.

-a

Re:Cryptography

[Erpo]

I totally agree with you. Now we know a little more about primes - that's all. My post was in reply to all of the previous posts saying something to the effect of "Doesn't this have a huge impact on modern cryptography?" and "Well, looks like RSA is broken..."

If this is true...

[Jon+Howard]

They could have easily taken over the infrastructure of a modernized computer-bent, encryption-shielded society such as the US or Japan. If that is indeed the case, these guys deserve a Nobel Peace Prize for giving this powerful tool to all and not using it as a weapon of war.

This does, however, sound unlikely. Any mathematicians out there care to comment?

Re:If this is true...

[ipfwadm]

They could have easily taken over the infrastructure of a modernized computer-bent, encryption-shielded society such as the US or Japan.

Primality testing and factorization are not one and the same. It is possible to know that a number is not prime without knowing its factors. Breaking encryption requires factoring the product of two huge primes (it is already known that the number you're trying to factor is NOT prime, so Primes being in P is more or less useless by itself for this particular application), and factorization has yet to be shown to be in P.

Re:If this is true...

I am a very amateur mathematician, but I know the following:

A. There already are well known algorithms today that run in O(n^2) time that output one of the two following: 1) This number is not a prime or 2) This number is a prime with a probability of 99.9999999% (i.e., amongst those outputs that are claimed "probably prime", almost all of them actually are.) The algorithm presented just happens to change that probablity to 100%.

B. Knowing that a number is factorable, is not the same thing as actually knowing what the factors are. Basically, the way all of these algorithms work is that they use some parametric expression that is always true when you plug a prime number into it (because some mathmetician has proven it). They then test the expression with many parameters, and the number they are testing for primality. If the expression ever fails, then they know its not a prime. But the expression does not suddenly pop out a factor for the number.

For example, 2^p-2 is divisible by p, if p is a prime number. Same with 3^p-3, 5^p-5, and so on. So if you plug in a value for p which is not prime you might find that say 5^p-p is not divisible by p, and therefore would know that p is not prime. But you would have no clue as to its factorization.

Crypto repercusions?

[Toodles]

I am by no means a heavy duty math cruncher or cypherpunk, but how exactly is this going to affect number and factoring? I don't know of any advanced prime number search algorythms, but Sieve of Erothenes (did I get that right?) solved in NP time. (Each number is check is evenly divisible by an earlier prime, and if none found, add to list of primes, lather rinse repeat)If primes can be found in P time, finding the first 50 prime numbers would take the same time as finding the first 50 three hundred digit primes.

While that may not be thrilling at first, let's use the RCA contest for money as an example. We get a 1024 bit number containing 200 digits in decimal formm, which is the product of exactly two prime numbers. We know then that:
1. We only need to find one prime to easily find the other.
2. The digits in the factors can total no more than 200 digits.
3. One of the factors contains less than 100 digits.

Start at 10^100 and count down using this algorythm, and youll find it in P time instead of NP time. It'll still take forever, literally and figuratively, but wouldn't it take significantly less time than before?

Toodles

Re:Crypto repercusions?

[Eu4ria]

If the old method took 'forever' and the new method takes less time than that. Just how long is that? Isn't it almost like saying infinity-1 :)

Re:Crypto repercusions?

[DavidTC]

Pssst. 3 is
3. One of the factors contain less than or exactly 100 digits.

Now wouldn't you feel silly if they both were exactly 100 digits prime and you spent all that time look at 99 digit primes and below? ;)

Re:Crypto repercusions?

>I am by no means a heavy duty math cruncher or cypherpunk
.
.
.
>Start at 10^100 and count down using this algorythm

You do realize that there are 99999999999999999999999999999999999999999999999999 9999999999999999999999999999999999999999999999999 numbers between 10^100 and 10^99, don't you?

Re:Crypto repercusions?

Hi, guess what? You are a stupid fuck.

Re:Crypto repercusions?

Given:
1. We only need to find one prime to easily find the other.

2. ?????
3. PROFIT!!!11!1!111

Best. P=NP. Evar.

Re:Crypto repercusions?

[_LFTL_]

Start at 10^100 and count down using this algorythm, and youll find it in P time instead of NP time. It'll still take forever, literally and figuratively, but wouldn't it take significantly less time than before?

None of the other replies have really clearly answered your question. I haven't finished the paper but it sounds like their algorithm is only a primality test. It only tells you whether a number is prime or not. If it is composite it doesn't tell you what the factors are which is what you really need to be applicable to RSA. Considering that eariler primality test could give you a relatively confident guess as to the primality of a number this will likely do very little for cracking RSA

Scott

Re:Crypto repercusions?

[mlc]

Start at 10^100 and count down using this algorythm, and youll find it in P time instead of NP time. It'll still take forever, literally and figuratively, but wouldn't it take significantly less time than before?

Ah, no. First, note that a 2^1024-big number has more than 300 decimal digits, and so a 2^512-big number has more than 150. Then, even if primality testing took only 1 operation, we'd still need to perform something like 2^511 operations by your method. At 10^24 (one trillion trillion; unfathomably many) operations per second, this'd *still* stake 10^112 times longer than the estimated lifetime of the universe (1.5*10^10 yrs) to complete!

There are, however, faster ways of factorization than testing all the numbers in (1..sqrt(N)) to see if they are factors of N. They are not noted in (or relevant to) the paper mentioned by this article.

[nb: See other comments for why this is, in *practical* use, not such a big improvement on Miller-Rabin and other randomized methods which have been known for decades.]

Re:Crypto repercusions?

[khuber]

Don't you mean 9000000.....?

-Kevin

Re:Crypto repercusions?

[a_n_d_e_r_s]

Think again.

The larger number is 10 times larger than the lower number so all number in between must be nearly 10 times larger than the lowest number - so it requires a number with something like 100 digits to represent. (You do the exact math )

The result should be all nines of course.

Re:Crypto repercusions?

No, no, no ... this discovery has *NO* crypto BREAKING repercussions.

Prior to this paper there already exist algorithms which find "pseudo-primes" (primes > 99.99999 % of the time) in polynomial time. The paper just changes this status to "definite primes".

The tool chest for cryptographers essentially is unchanged, except now there is a 100% accurate primality testing algorthim as opposed to 99.99999% accurate.

This result is more important for the pure math community, than the applied math community. This has just been a bit of a thorn in the pure math community's side, that now appears to be removed. Not to minimize the importance of this results at all -- it is very significant.

But I repeat, it doesn't have any affect on the state of cracking crypto.

Re:Crypto repercusions?

[jannic]

Then please show me the 99 numbers between 10 and 100 :-)

Re:Crypto repercusions?

[a_n_d_e_r_s]

Sorry, you are right the number should be a 8 followed by a large number of nines.

The answer for 10 and 100 is of course 89.

Re:Crypto repercusions?

[n1vux]

Beautiful Troll!

This is an excellent mockery of the "I am not a mathematician so I'll share my opinions anyway" sort of comment. The misspellings of key words are excellent too.

But what dunces marked it Informative? Funny, yes, Troll, yes. On a real crypto board it would be flaimbait.

(Disclaimer: I am not currently a practicing mathematician or computer security researcher, but I once was, many years ago.)

Re:Crypto repercusions?

The replies have answered that (well, by the time I read this). I think the poster understands that it is only a primality test. I think he fails to realize that we already have algorithms to do this and maybe fails to realize just how many 100 digit primes there are :)

mod parent up

[orz]

it's the only correct reply so far

Oh yeah? Well...

[God!+Awful]

Bah.... so what? I have developed an algorithm that will determine if any number less than a google is prime in O(1). Above a google it degrades pretty fast, though.

-a

Re:Oh yeah? Well...

[braindead]

• I have developed an algorithm that will determine if any number less than a google is prime in O(1). Above a google it degrades pretty fast, though.

Aha... is that based on a precomputed sieve with 10^100 elements, by any chance? ;-)

(it's googol, by the way. Google.com is obviously not prime, based on the fact that they haven't IPO'd yet)

Re:Oh yeah? Well...

Care to share?

Re:Oh yeah? Well...

[Kwikymart]

google v. [common] To search the Web using the Google search engine,
`www.google.com'. Google is highly esteemed among hackers for its
significance ranking system, which is so uncannily effective that many
users consider it to have rendered other search engines effectively
irrelevant. The name `google' has additional flavor for hackers because
most know that it was copied from a mathematical term for ten to the
hundredth power, famously first uttered by a mathematician's infant
child.

---------

googol
n : a cardinal number represented as 1 followed by 100 zeros
(ten raised to the power of a hundred)

There is a HUGE difference between the two.

Re:Oh yeah? Well...

[God!+Awful]

No. I was just using the fact that any algorithm is O(1) if you specify an upper bound on n.

The algorithm is:

Precompute Tmax = number of seconds to determine if a number near 10^100 is prime.

1. Compute if x is prime, taking T seconds.
2. Sleep for Tmax-T seconds.
3. Output answer.

-a

Re:Oh yeah? Well...

[veltyen]

Um. Aren't they the same number
10**100 (10 * 10 * 10 ...) is a 1 followed by 100 zeros, just as 10**2 is a 1 followed by 2 zeros.

Re:Oh yeah? Well...

[khuber]

the point is that the word "google" is not the name of the large number which is "googol". it's a homonym.

-Kevin

Re:Oh yeah? Well...

I thought things that sounded the same but were spelled differently were homophones. I thought homonyms were spelled the same with different meaning.

YOUR NIT HAS BEEN PICKED!!!

Re:Oh yeah? Well...

[fatphil]

Yup - cracking 128-bit AES by brute force is O(1) too, because the key size
is fixed at 128 bits.

Phil

Re:Oh yeah? Well...

[khuber]

oops, you're right!

-Kevin

Primes Are In P??

[dbretton]

Does the eating of asparagus affect the presence of primes in P?

Inquiring minds want to know!

Re:Primes Are In P??

tsk tsk
"Offtopic" means "Moderator didn't get it"

Re:Primes Are In P??

[schon]

Just think... all this time spent by mathematicians, and it turns out that urologists are the ones who find the primes!

Re:Primes Are In P??

Maybe this accounts for the taste. Hmmm.

If this turns out to be true...

[angramainyu]

...then you can bet the NSA has had this algorithm for decades.

Re:If this turns out to be true...

[jasonditz]

They'll have had it for decades as soon as they have time to read through it and edit all the past documentation they have :)

Re:If this turns out to be true...

Why do you say this? Of course you're trying to
be funny, but many of the folks at the NSA are failed research mathematicians. The best people in this field are in the universities, not the NSA.

Re:If this turns out to be true...

[danro]

...or not working in the US at all.

Re:Big consequences related to encryption

[God!+Awful]

Well, encryption based on the multiplication of large primes, anyway.

Yeah... that step in key generation where you check whether a candidate key is prime or not will now be performed with 100% confidence instead of that annoying 99.999999999999999% confidence we used to have.

-a

Oops. HTML

[orz]

They're saying the the time T necessary to determine whether or not an N digit number is prime satisfies this equation:

T N ^ k + a

for some values (can be any finite value) of k and a.

Basically, it's a statement about how well an algorithm scales to REALLY large numbers.

say again

which equation?

primes

ok so you can tell if soething is a prime pretty quick. Does this help you factor large numbers pretty quick? It's been a while... or else what is the point...

arg. I did it again

[orz]

hm... I'm not sure why it removes comparison symbols when set to plain text... oh well, I wrote out "is less than" this time

They're saying the the time T necessary to determine whether or not an N digit number is prime satisfies this equation:

T is less than N ^ k + a

for some values (can be any finite value) of k and a.

Basically, it's a statement about how well an algorithm scales to REALLY large numbers.

No major implications for crypto as far as I see..

[bbuda]

I haven't seen the paper yet (slashdotted, go fig), but I'm guessing this doesn't have a big bearing on crypto systems or factoring. As the poster wrote, the algorithm is not optimized, and I imagine that it's _very_ inefficient. While P is faster than NP (for the most part), P!=Fast .... this algorithm could be polynomial on the length of input and still be exceedingly slow. Don't buy that quantum cryptography PCI card yet :-)

Cryptography

[Erpo]

They've figured out how to determine if a given number is prime in P time. That, by itself, doesn't break modern public key cryptographic systems. In order to do that, you would need to be able to factor a given number into its two prime factors in P time (a different problem).

no

It doesn't let you factor large numbers. This paper is almost purely of academic interest.

Re:arg. I did it again

preview is your friend

Factoring might still be NP

[IntelliTubbie]

For those of you wondering about the implications for cryptography, this does not imply that composite numbers can be factored in polynomial time. This algorithm is simply a primality test -- that is, it tells you whether or not a number has any proper divisors (in polynomial time), but it doesn't tell you what these divisors actually are. Determining whether a number is prime has always been considerably easier than finding the prime factorization.

In fact, for schemes like RSA -- where the key is the product of two large primes -- we already know that the number is composite, by definition, so a more efficient primality test doesn't give us any new information.

Cheers,
IT

Re:Factoring might still be NP

You mean Factoring might still be *NP-Hard*. It is quite obviously in NP (a class that encompasses all polynomial time problems, and as such, not quite as interesting as the class of NP-hard or NP-complete problems).

Re:Factoring might still be NP

[Paolomania]

Won't this actually make RSA cryptography implementations stronger by enabling better selection of key pairs? I'm not exactly up to speed on crypto, but in the past weren't keys sometimes being selected that were only relatively prime, but guaranteeing that they are truly prime effectively strengthens the practical implementation - and faster primality testing perhaps makes it easier to up the practical key length?

Re:Factoring might still be NP

Factoring is in NP, no question. I think you just mean "factoring isn't necessarily in P".

Re:Factoring might still be NP

[EJB]

Key generation for algorithms like RSA already use numbers that are prime with a high probability. There are quick algorithms for that. But key generation algorithms currently don't run for several months to ensure for 100% that the factors are prime.

So perhaps this algorithm makes RSA, DSA, etc. even stronger because it will be easier to guarantee that the factors are prime instead of assuming it with 99,999999999999% probability.

Re:Factoring might still be NP

[Dan+D.]

however this could help with choosing those two large primes for RSA (although I think the algorithms used these days are already highly efficient at finding relatively prime numbers which is all that actually matters)

Re:Factoring might still be NP

99,999999999999%

Freaking foreigners.

Re:Factoring might still be NP

Yes, but in factoring large composite numbers with large prime number factors, don't you need to be able to test whether a possible factor is prime or not? If so, then this *will* help speed up an algorithm for cracking RSA keys, no?

Re:Factoring might still be NP

[Jouster]

True.

What I'd like to see is a tool that would use this algorithm to verify the pool of five hundred or so private keys I control (since I currently only have a ((1/4)^16) confidence that each half is, in fact, prime.

Jouster

Re:Factoring might still be NP

[epsalon]

This is a common mistake about probabilistic algorithms. Primes was up to now known to be in ZPP. That means there is a polynomial time algorithm that has > 2/3 chance of answering correctly, and 1/3 chance of not answering, independent between trials.

Thus, to check primality, we simply employ this algorith until it answers, and then we could be sure of the answer. This could theoretically take a long time if you are extremely unlucky, but realistically, there's a bigger chance of you suddenly reappearing in China.

Re:Factoring might still be NP

Yeah, but theres a 99.9999999% probability that he`s not as fat as you. Seen any obese old people recently? Exactly.

Re:Big consequences related to encryption

[DavidTC]

Of course, there's still a larger chance of a cosmic ray flipping a bit in the processor or memory then the math being wrong, anyway. ;)

This may seem like a strange question, but isn't a non-prime that passes the 99.99999999999% check just as good as a prime in encryption? I mean, seriously, is anyone really going to notice it's not prime? Sure, they could accidently stumble on the 'wrong' factors while trying decode it, but, seriously, halving the time to decode your message isn't a huge mistake, considering we're talking on the order of centuries at least. ;)

What is 'x' and how is 'q' calculated?

[Mr.+Sketch]

From looking at the algo, I can't figure out what 'x' (or maybe it's a chi) is? Can someone help? I've looked it over, but couldn't find a definition of it. I'm also assuming that the 'if (r is prime)' line is a recursive call to itself? Also, how do we determine 'q' the 'largest prime factor of r-1' ? Another recursive call to get the factors? I must admit, I'm kind of lost by the algo, but it's still interesting.

Re:What is 'x' and how is 'q' calculated?

Yeah, I want to know how does one find the biggest prime factor of a number that is one minus a prime number. Finding the smallest prime factor is simple.. it's always two (assuming your prime number is greater than two). Another part of the algorithm that wasn't explained much was line one:

if (n is of the form a^b, b>1) output COMPOSITE;

How is this implemented in O(n) time? The simplest algorithm that comes to mind is to use two nested for loops. Needless to say that algorithm is definitely not O(n).

Re:What is 'x' and how is 'q' calculated?

Finding the smallest prime factor is not very easy if you're dealing with a number that is the product of two huge primes. Remember RSA.

Re:What is 'x' and how is 'q' calculated?

[Smthng]

Easy enough,
try b=1...log(a) (log using base 2)

trying each b takes constant time. The number of b's is of order log(n) which is linear in the size of n as required.

Re:What is 'x' and how is 'q' calculated?

[matrix0040]

no you dont need recursive call. as r is O(log(n)) so size of r is O(log log(n))) so if an exponential time algorithm is used for checking the primality of r, it'll be exp in log(log(n)) i.e. linear in log(n)

Same goes with q. as it's "small" you can afford an exponential algoritm.

also x is a variable, those eqns (12) really are polynomial eqns.

Re:What is 'x' and how is 'q' calculated?

[deblau]

From looking at the algo, I can't figure out what 'x' (or maybe it's a chi) is? Can someone help? I've looked it over, but couldn't find a definition of it. I'm also assuming that the 'if (r is prime)' line is a recursive call to itself? Also, how do we determine 'q' the 'largest prime factor of r-1' ? Another recursive call to get the factors? I must admit, I'm kind of lost by the algo, but it's still interesting.

OK, I'll address these points in order:

First off, 'x' doesn't matter. The loop at the bottom checks a congruence of two polynomials over two finite rings (if I'm reading it right, the first is generated by x^r-1 and the second by the input n). Simplistically, this amounts to grinding out the coefficients of the two polynomials and verifying that the difference of the polys equals zero, modulo the ring generator. The actual 'value of x' is never used.

Second, if you check the order statistic calculation, they're assuming worst-case on factoring 'r' (they apply order r^1/2 for that factorization). They then make an assumption that O(r^1/2) = O((log n)^3), or that O(r) = O((log n)^6), which seems rather suspect (as if they knew the answer ahead of time and plugged in a recursive value for it). Nevertheless, they do go to some length to show that such an r exists, and that it requires at most O((log n)^6) iterations of the first loop to find it.

As for 'q', I think again it is determined by brute-force factoring r-1. On the one hand, r is small; on the other hand, that doesn't mean a damn thing when it comes to dealing with order statistics, which I think is also a little suspect.

Re:What is 'x' and how is 'q' calculated?

[fatphil]

x is just a symbol. The proof is performed using polynomial ring.

Doing shit modulo (x^r-1) means that as soon as you multiply your
polynomials together and get any terms over x^(r-1) you can replace
x^(r+d) with x^d, because (x^(r+d)-x^d) == 0 (mod (x^r-1))

e.g. modulo x^2-1

(ax+b)^2 == a^2x^2 + 2abx + b^2 == (2ab)x + (a^2+b^2)

FatPhil

Re:What is 'x' and how is 'q' calculated?

[matrix0040]

well you simply try them all ! since r is "small" its O(log(n)^6), your can just keep going from r-2 to 2 until you find a factor and still be in poly time.

about the second thing, it's also pretty simple just do a loop over the exponent try exp(log(n)/b) if it's an integer then you're good else try another !

Re:What is 'x' and how is 'q' calculated?

Surely r can be up to n-1, you can't write it off as "small"

Funny

[Alizarin+Erythrosin]

It's funny when I read the comments, and I see all kinds of stuff that reminds me of my Discrete Structures class (we did the P and NP stuff at the end)...

Makes me wonder what this means for computer theory, but if you think about it, polynomial time can still be slow for very large n with very big powers... although not as bad as an exponential with large n's (assuming you go out far enough that the exponential will grow faster then the polynomial)

Kudos to the team that discovered this

you have it backwards

NP-complete problems form a subclass of NP problems.

Re:Big consequences related to encryption

You don't get it - the whole RSA algorithm is based on the difficulty of factorizing large numbers. If you can determine if a number is prime in polynomial time, you can break RSA in polynomial time. The factor might of course still be impractically large, but such a result would be sensational if true.
Now, on the other hand, I would rate the probability that this article holds to 0.1%....

I don't think so.

[orz]

Cracking any specific key-length is P, but cracking RSA in general remains NP, since that method requires checking a number of potential primes proportional to 2^(N/2) or so where N is the key size.

I'm dead tired

[Henry+V+.009]

I'm dead tired and will look at the paper in the morning. But right now I have a problem with step 6:
"Let q be the largest prime factor of r-1"
Won't getting q boost the thing back into power n complexity?

Re:I'm dead tired

[Henry+V+.009]

I took a second look, and I'm pretty sure about it. To complete this algorithm for n, for every prime rn, you will need to find the largest prime factor of r-1.

Re:I'm dead tired

[epictetus]

r isn't the input to the algorithm. r is an intermediate number used in the algorithm. It's of size O(log^6 n).

Re:I'm dead tired

[Henry+V+.009]

"for every prime r less than n"

Thank you, lameness filter. I think. I am tired and could have missed it.

Re:I'm dead tired

[epictetus]

the while condition, r < n, is a red herring. The loop will exit when it hits the inner break. It's guaranteed to finish in O(log^6 n) iterations (or so they say--I haven't verified the proof personally!).

Re:I'm dead tired

[Henry+V+.009]

You are right. I was just reading the algorithm down in order. I shouldn't have gotten ahead of myself.

Re:I'm dead tired

[matrix0040]

no it wont as q is "small", as proved in lemma 4.2 r is O(log(n)^6) and so is an upper bound on q. so the size of q is O(log(log(n)) and an exponential time in that will be linear in log(n) !!

Re:I'm dead tired

I swear to god you made that up.

If you're confused by "P" and "NP"....

[Erpo]

look here.

Implications

[davemarmaros]

There are 2 different problems:
1) Determining if a number is prime [is 909 prime?]
2) Determining the factors of a number [what are the factors of 909?]

This article claims to be able to solve problem 1 in Polynomial time.

However, problem 2 is MUCH harder, and that is the one which will break cryptography as we know it. This article does not claim to solve problem 2, so we're safe for now.

Re:Implications

This is in fact incorrect. Back in the 80s a poly-time algorithm for factoring was given, assuming a poly-time primality test.

Re:Implications

and that is the one which will break cryptography as we know it

But remember that (2) is not an NP-complete problem, meaning that there are other Discrete Log based schemes that will be safe.

Re:Implications

[Zaak]

Back in the 80s a poly-time algorithm for factoring was given, assuming a poly-time primality test.

Put your money where your mouth is. If you know such an algorithm, you could be very famous very quickly.

Primality testing is very fast. This is what makes RSA usable.

Factoring is very slow. This is what makes RSA secure.

TTFN

Re:Implications

[Zaak]

...that is the one which will break cryptography as we know it.

Only public-key cryptography based on algorithms like RSA will be broken. Symmetric-key cryptosystems will be unaffected.

However, public-key crypto is what makes secure communication possible without prearrangement, so perhaps you are correct after all.

We just have to hope that a discovery that breaks RSA wouldn't break other public-key systems at the same time.

TTFN

Re:Implications

[Indras]

1) Determining if a number is prime [is 909 prime?]

Here, quick math trick that will save people a bit of time. It's always easy to tell if a number is divisible by three, just add all the digits together, and if the result is divisible by three, then so is the original number. 909 = 9 + 0 + 9 = 18 (divisible by three). Oh, and you can take it a step further (18 = 1 + 8 = 9) if the result is still too long.

Therefore, this number showed up right away to me as being divisible by three, and quick division will show that 303 * 3 = 909.

Re:Implications

[ryanvm]

However, [determining the factors of a number] is MUCH harder, and that is the one which will break cryptography as we know it.

Not all public-key cryptography is based on the difficulty of factoring numbers. There are a number of other one-way functions (such as elliptic curves) that are being used in cryptography. So I wouldn't say it'll break crypto "as we know it", but it would certainly freak some people out.

Re:Implications

[p3d0]

Not to mention that if all the digits in a number are divisible by n, then the whole number is also divisible by n.

Re:Implications

[HaeMaker]

Got a proof for this?

Re:Implications

realy?

37 (sum = 10) / 5 ? ;-)

think this works only for a 3 *g*

Re:Implications

[p3d0]

Er, what does this have to do with what I said? The digits of 37 are not divisible by 5.

Re:Implications

[some+guy+I+know]

Similarly, if the digits add up to 9, or a number that is divisible by 9, then the original number is divisible by 9.
So, we also know that 909 is divisible by 9.

This "digits adding up" thing works for all b-1, where b is even and is the number base.
For example, in hexidecimal (base 16), we know that the number 1E is divisible by F, since 1+E = F.

Re:Implications

[diablovision]

There are a number of other one-way functions (such as elliptic curves)

No, no, no and no. Elliptic curves form a group, and the definition of a group guarantees that the group's operation is invertible.

Secondly, how do you plan to accomplish decryption of a one-way function? By the definition of "one-way" you can't.

Re:Implications

[timster]

This proof is by spontateous invention, so don't sue me if it's screwed up someplace. There's probably a much simpler proof, but proof by induction is fun. Note that I'm assuming base 10, and this obviously doesn't work in other bases.

Start with the first multiple of 3: 3. As this is one digit, obviously the sum of all its digits is divisible by three. Consider this a basis case for induction.

When we add 3 to a number that is divisible by three, either we have to perform a carry, or we don't. If we don't, then the addition operation will add exactly three to the sum of the digits. Since we know (from our induction assumption) that the sum of the digits is already divisible by three, obviously adding three to that sum creates another multiple of three.

If we have to perform a single carry into the tens place (say 9+3=12), then the sum of the digits excluding the ones place increases by 1, and the value of the number (ignoring the ones place) increases by 10. Since we're adding three, obviously the value of the ones place always has to decrease by seven. 1-7=-6, so this operation always subtracts 6 from our total digit sum. Obviously subtracting 6 from any number that is already a multiple of 3 yields another multiple of 3.

What if the carry is compound (99+3=102, or 999+3=1002)? Since we're only adding 3, any place that is affected by the compound carry will have to be a 9. The 9 will always change to a 0. Subtracting nines doesn't hurt our multiple of 3, so we can ignore it. Then, the value of the first place that isn't a 9 will increase by 1, which makes this ultimately the same as the case in the above paragraph.

Thus, the first multiple of 3, 3, has digits that add up to 3, and adding 3 to a multiple of 3 whose digits add up to a multiple of 3 will create a number whose digits sum to a multiple of 3. So by induction, all multiples of 3 have digits that add up to a multiple of 3.

Re:Implications

[kallisti]

Got a proof for this?

Here's a less formal, but possibly easier to understand proof. When you shift a digit, what you are doing is making 10^n * a into 10^(n-1)*a, the difference is therefore:
a * 10^n - a * 10^(n-1)
a * (10^n - 10^(n-1))
a * (10^(n-1) * 10 - 10^(n-1))
a * 10^(n-1) * (10 - 1)
a * 10^(n-1) * 9
Since this number is divisible by 3 (not to mention 9) shifting a digit right is equivalent to subtracting out a bunch of 3s, which won't affect the result of the division. This is why adding the digits is also known as casting out nines.

Re:Implications

[schon]

This is why adding the digits is also known as casting out nines.

I thought that "casting out nines" was a reference to the fact that you can (quickly) find the recursive sum of any series of digits by eliminating every multiple occurrence of the number 9?

Re:Implications

[kallisti]

In school I read a book called Magic House of Numbers by Irving Adler. In that book, adding digits was referred to as casting out nines. Sadly, the book is out of print as it is an excellent collection of math factoids and classic puzzles. I reread over every few years in school and always got more out of it.

Re:Big consequences related to encryption

[jpmorgan]

Maybe, maybe not. If that non-prime happens to be 2^2031, I bet it'll make your encryption really weak. ;)

Re:Big consequences related to encryption

[Goonie]

Uh, no. Just because you can tell whether a number is prime in polynomial time, doesn't mean you can find the factors of a number in polynomial time, as I understand it.

Re:Big consequences related to encryption

[tbo]

Thank you. I'm glad someone finally pointed out that we already have a classical (as opposed to quantum) probabilistic algorithm for determining primality. Every other fool on this board is running around wearing his/her tin hat and shouting about RSA being defunct. All this does is push primality testing from the BPP complexity class into the P complexity class. It is significant in the sense that it weakens the argument for BPP being larger than P.

Of course, we also have a polynomial-time algorithm for prime factorization (Shor's Algorithm). It's just that it requires a quantum computer, which is difficult to build. So far, the biggest number factored is 15... 1024 bit keys will be safe for a while yet. I believe it's 15 - 20 years until they're broken, if Moore's Law holds for quantum computers in terms of maximum number of qubits possible (so far, it roughly has, but then, we're only at about 7 qubits).

Ignore parent

[God!+Awful]

Ignore the parent post, since it is wrong. The previous poster did a much better job of explaining the concept of polynomial time.

An NP-complete problem does not take 8 times the age of the universe to solve. This completely missed the point. Every P or NP problem can be expressed in terms of a variable "n", which represents the input size. There are many practical problems where the best-known P algorithm is slower than the best NP algorithm for typical values of n. However, computational theory tells us that as n increases, the P algorithm will eventually beat the NP one.

-a

Re:Big consequences related to encryption

plzdiekthx

We already knew that...

[FalafelXXX]

The famous result by Miller 1976 (and indepdently rediscovered(?) by Rabin 1980) already did that. The only difference is that their algorithm was in RP (randomized polynomial). Namely, if the algorithm says it is prime it might be wrong (with probablity half, say), and if it says that the number is not prime, then it is not prime for sure.

Now, if you have a number n, you run this algorithm, say 20*log(n) times. If the algorithm says it is prime on all executions that it is prime, you know damn sure it is. If it says it isn't, you are sure it isn't. There is a rediclously tiny probablity that if the algorithm claims that it is prime in all executions, that it is still not prime. This probablity is so small, that it can be essentially ignored. Now, random bits are cheap nowadays, so this is quite satisfactory. This is in fact the algorithm that turned the RSA crypto system into a practical and useful algorithm, because suddently finding primes became easy.

To break RSA, and become really famous, one has to come up with a polynomial time algorithm for factoring. It might even be that RSA can be broken without factoring, but this is still an open question (I think).

Ahh, and BTW. Polynomial time means polynomial time in the size of the input. So if the number is n, the size of the input is O(log(n)), and the running time needs to be O( (log(n))^(O(1)) ).

Ok. End of boredom.

Re:We already knew that...

[spitzak]

Does anybody know what happens to RSA if in fact one of the "prime" numbers is not prime? My guess is that this does not make it suddenly easy to break, or make it fail to encode (because either of those would imply a fast way to determine if a number is prime by seeing if it works in RSA). I would guess that a tiny fraction of messages would decode to garbage rather than to the desired text, but does anybody know for sure?

Re:We already knew that...

>Polynomial time means polynomial time in the
>size of the input. So if the number is n, the
>size of the input is O(log(n)), and the running
>time needs to be O( (log(n))^(O(1)) ).

Only if using binary to represent the number.

If I use base 10 then size of input = log10(N).

If I use one tick mark per number (so 5 would
be 5 ticks and 10 would be 10), then size of
input = N.

And here's the kicker: Nothing prevents me from
using a base equal to the number itself. In
that case, size of input will always be 1.

That's why P is really meaningless, unless the implementation of the hardware is considered.

Re:We already knew that...

[fatphil]

I think you're missing the point of Rabin's test.

Rabin's test says that if there is no witness below 2ln^2(n), then the
number is certainly prime.
The repeated-by-a-fixed-small-number PRP-test MR test is still a
compositeness test, or a Probable Primality test, and does not give a
certain answer.

A PRP is not _proven_ prime.

See professor Caldwell's Prime Pages at:
http://primepages.org/

FatPhil

Re:We already knew that...

[stud9920]

There is a rediclously tiny probablity that if the algorithm claims that it is prime in all executions, that it is still not prime

It's your spelling that's rediclous. This is ludacris.

Re:We already knew that...

[zenyu]

Yeah, in fact someone told me about a determinastic polynomial algorithm almost a year ago. Maybe he was a reviewer for this paper, I dunno. But I assume someone more knowledgable will pipe up on this eventually. What I know is that there are some known composites that look like primes to the Miller and Rabin algorithms, and they can wreak havock to encryption. I think there is a test for these, but there may be more of em out there. Carmichel is the name that pops in my head, but I'm probably wrong.

In anycase, for cryptography you would probably run the randomized algorithm on a bunch a numbers until you found a number to be a prime with high probability, then you would run this to verify that it is a prime with higher certainty. The certainty sorta depends on the length of the proof for this algorithm. Since for a sufficiently complex proof there is a non-zero probability that the proof is not correct, and the probabilistic algorithms often have simple proofs that we may be more certain of.

Re:We already knew that...

[Mornelithe]

I probably really shouldn't be replying, because it's been a while since I read how it works, but I can copy the algorithm and tell you where I think it would break (if at all). Please correct me where I'm wrong.

1. Generate two random primes p and q
2. Calculate n = pq and phi(n) = (p - 1)(q - 1) = n - (p + q) + 1 (Note: phi(n) is the number of primes less than n (Euler's totient function, I believe). phi(p) = p - 1 for prime p, and phi(pq) = phi(p)phi(q) for p relatively prime to q (note, this step breaks if p or q aren't prime))
3. Generate e
4. Calculate d, the inverse of e (mod phi(n)) (i.e. d*e = 1 (mod phi(n)))
5. is the enciphering key, is the deciphering key
6. For plaintext P, you get ciphertext C by doing: C = P^e mod n, and get P back by doing P = C^d mod n

So, now there's the matter of why it works. Here we go:

• Because of Fermat's Little Theorem, we know that a^(phi(n)) = 1 (mod n)
• Since ed = 1 (mod phi(n)) we have: ed = 1 + k*phi(n) for some integer k
• So, if we encipher and decypher, we have: (P^e)^d = P^(ed) (mod n)
• Which also means we have: P^(1 + k*phi(n)) = P*(P^(k*phi(n))) = P*((P^phi(n))^k) = P*(1^k) = P (mod n)

So when p or q are not prime, phi(n) != (p - 1)(q - 1), so when you calculate d, you'll get something that doesn't negate the encrypting process (because its not a multiplicative inverse mod the real phi(n)), so you'll probably get junk when you decipher.

I don't really feel like doing a detailed analysis of the algorithm, but I imagine that this isn't used as a primality test because it's running time probably isn't polynomial time.

Re:We already knew that...

[Alsee]

Only if using binary to represent the number.

Nope. You need to learn what O() means.

He never said log2(n). He said log(n) without a base. O() measures what happens when n gets arbitrarily large and the statements are true for ANY fixed base. That's why no base it given, it is irrelevant. The difference between log2(n) and log10(n) is a fixed factor of 3.3. The O() of a problem tells you weather it takes you microseconds or gigayears to solve it. There really isn't any meaningful difference between 1 microsecond and 3.3 microseconds, or between 1 gigayear and 3.3 gigayears.

And here's the kicker: Nothing prevents me from using a base equal to the number itself.

As I said, O() measures what happens when n gets arbitrarily large. If you are using an arbitrarily large base then what you've got is a quantum computer. This problem and the harder problem of actually finding the factors have already been proven solvable in polynomial time for quantum computers.

-

Re:We already knew that...

[Mornelithe]

By the way: Many thanks to Sarah Flannery, the author of In Code, whose book I paraphrased the algorithm/proof above from (luckily it was sitting on the table in front of me).

Re:We already knew that...

[plaa]

(Note: phi(n) is the number of primes less than n (Euler's totient function, I believe). phi(p) = p - 1 for prime p, and phi(pq) = phi(p)phi(q) for p relatively prime to q (note, this step breaks if p or q aren't prime))

A slight error: phi(n) is the number of positive integers less than n, which are relatively prime to n (ie. gcd(n,x)=1). Therefore, if p is a prime, it is also relatively prime to all smaller integers, so phi(p)=p-1.

The function that tells the number of primes smaller than n is pi(n), the prime counting function.

Refs: Totient Function Prime Counting Function (MathWorld's luckily back online!)

Re:We already knew that...

[thogard]

When you build a key with from two primes you have two keys that work, one is private and one is public.

When you build a key with three primes you have one public key, one private key and two that will work for the hackers.

When you build a key out of four primes you end up with the two keys you expect and 6 or 9 others.

You can do this by building your own RSA like system with 32 bit keys and plug in some small random even "prime" and see how many other keys work.

Not all keys work but some of the combos will.

Re:We already knew that...

[CProgrammer98]

Sheeeesh.

The words are spelt "Ridiculous" and "Ludicrous"

Why do geeks have so much trouble spelling these two words?

Other pet hates include confusing "your" and "you're", and "loose" and "lose"...

Re:We already knew that...

plug in some small random even "prime"

You mean small random even number of primes, right? Because otherwise, your only choice is 2.

~~~

Re:We already knew that...

[thogard]

All primes above some low number of digits are pseudo-primes. Pseudo-primes aren't proven prime by attempting to factor all numbers smaller than it, but are proven by a number of tests that seem to indicate that the number is prime.

For testing why things break because you can factor a supposedly prime number, an even number will work as well as any other and its sure speeds up the factoring if you have to do it by hand.

Knuth has some interesting bits on this in his books.

Re:We already knew that...

I'm not sure what you mean, but "pseudo-prime" refers to a /composite/ number that cannot be /proven composite/ by checking fermat's little theorem with a certain base.

Re:We already knew that...

You are half-right about the Carmichael numbers. Using Fermat's little theorem by itself, with any base, will not catch a carmichael number. However, Rabin-Miller can catch them, because of a step in the algorithm where it checks to see if it has found a non-trivial root of unity. It has been proven that, for any composite number, at least 3 in 4 numbers under it are witnesses to its compositeness. Therefore, if the base is selected randomly, and you use enough trials, no composite stands much of a chance of beating it.

Re:We already knew that...

[Mornelithe]

Oh, yeah, thanks.

I probably should have caught that there aren't p - 1 primes less than a prime p. :)

Re:We already knew that...

[ihgreenman]

Bzzt... Wrong! Thanks for playing

(BTW, generalization of this is left as an exercise to the reader.)

Your public / private keys depend upon the factorization of the composite number and something called the phi function. The rules for this function are somewhat complex, but in the case of a series of factors consisting of unique primes it's pretty simple.

Taking the case of a number with three unique prime factors: N = p * q * r. [p != q, q != r, r != p. p, q and r are all prime.]

Then, phi(N) = (p - 1) * (q - 1) * (r - 1).

Fine, you say, but what does this mean? The reason RSA works is due to a generalization of theorem of Fermat's (from Euler):

When a is not a multiple of p, q, or r (the prime factors of N), you can choose a number g such that 1 + g * N = a ^ phi(N). Or, to use modular arithmetic terms, a ^ phi(N) = 1 mod N.

That in turn means that a ^ ((k * phi(N)) + 1)= a mod N, for *any* integer k. Note that for a given a, other powers may work as well -- but you are garunteed that any power equal to ((k * phi(N)) + 1) will work for any a that is coprime to N. (a coprime to N means that a is not divisable by any of the factors of N.)

Let's say you have a private key (e) that you want to use. Then there may exist a decryption key (d). If d exists, d * e = k * phi(N) + 1. That is: d * e = 1 mod phi(N). Note that given d and e that work, then *any* number of the form d + k * phi(N) will work! The trick with RSA is that phi(N) for a very large number tends to be very large, hence these extra keys are very far apart.

Therefore, for a given RSA encryption key, there are an infinity of decryption keys! Having extra factors has absolutely nothing to do with it.

Re:We already knew that...

[CustomDesigned]

The July 2002 Dr. Dobbs Journal has a provable prime algorithm. The article did not do a complexity analysis, but it requires work equivalent to two passes of Miller-Rabin. The algorithm is called CUL and does two Lucas function tests. However, the proof doesn't deal with whether composites are provable - so perhaps it is what you are looking for. The proof for probable primes was reasonably simple.

Re:Big consequences related to encryption

[mpsmps]

No, most messages will decode incorrectly.

Consider a simple public key encryption algorithm based on the fact proved in any beginning number theory book that for primes p, q

a^x = a (mod pq) if x = 1 (mod m)

where m = (p - 1)(q - 1)

Now choose your favorite number f and use Euclidean algorithm to efficiently find a number g such that

fg = 1 (mod m)

You may have to try another value of f if the Euclidean algorithm terminated before reaching 1, but it won't take many guesses. Now publish the number f and mod m as your public key and keep g private.

Someone sends text t to you by sending t^f (mod m).
Now you just raise that message to the power g and reduce mod m to recover the original text. (This follows immediately by combining the above statements).

Finally, I'll get to the point. This algorithm is simply busted if p and q are not prime because t^fg will not equal t mod m unless you are very lucky. In fact, if you want to add a bunch of nines to your percentage certainty, just encrypt and decrypt a sample message text and verify that it works.

huh?

my contact lenses are sticking to my corneas.

Re:Huh?

[maxwell+demon]

You probably got confused by the quoting of the posting from streetlawyer I answered to. The italic stuff is actually what he quoted from ipfwadm.

His (streetlawyer's) first sentence is "No it isn't.", which is wrong, because the statement of the quoted sentence is correct (as you yourself re-state).

And that his second sentence it correct, we agree anyway ;-)

sigs

I was about to mod you up ... but then I read your sig. Anyone with a sig about moderation needs to be bitchslapped.

Re:sigs

Sorry, man. You may think the sig is me begging to be mod'ed up, but it's more of a commentary on asshole moderators who mod down anything they don't agree with. I especially hate the ones who wait until the next day when the conversation has started to die down and who use overrated so they can escape metamoderation.

Half empty?

[legomad]

You guys always say things like "so what?" or "that's old". C'mon guys, go outside and smile.

Re:Half empty?

Yeah, you're right!

But I think that this is a syndrome of CS guys, they always think that they know everything and they love to make some bad coments.

I would like to know if they would say the same if we've got a solution for factoring in polynomial time.

I guess they would say something like:
"RSA wasn't secure anyway, what's the fun?"

Greetings from Brazil.

Re:Half empty?

[falzer]

It's all about whose beard is the longest. Besides, I could smile on a PDP-11 before you were born. ;)

Re:Half empty?

ou-, outside, OUTSIDE? No, no, NO NOT OUTSIDE - the, the light! THE LIGHT, NOT THE LIGHT!! AARRGHH IT BURNS, IT BURNS!!!

Re:Half empty?

Yeah, I once saw that light too, it sure as hell was painful. What is it, anyhow?

Primality testing has never been hard

[sasami]

This result, if true, is very interesting from a theory standpoint.

As far as practice, it's fairly irrelevant. Probabilistic primality testing can be done in constant time with bounded error.

The Miller-Rabin test will tell you if a number is prime with at most 1/4 probability of error. That sounds ridiculous, but the catch is that you can iterate it using a random parameter. Do the test twice and your probability drops to 1/16. Do it fifteen times and your chances of being wrong are about one billionth.

If you're truly paranoid, do it 50 times. That'll bring the error rate of the algorithm magnitudes below the error rate of your hardware.

---
Dum de dum.

Re:Primality testing has never been hard

As has been noted, the Solovay-Strassen and Miller-Rabin tests were for all practical purposes near-deterministic polynomial-time algorithms.

However, there is a certain stunning elegance about this new test for primality (the main loop hit me hard) that almost takes it to the level of Euclid's algorithm for GCD. A loop of the form 'while(r less than n) {...;r++;}' has an in-your-face audacity, especially when we learn that it will deterministically terminate before log(n)^3 (if I'm reading it right)!

Re:Primality testing has never been hard

[Alsee]

If you're truly paranoid, do it 50 times. That'll bring the error rate of the algorithm magnitudes below the error rate of your hardware.

Depending upon what version Pentium CPU you're using you can accomplish that with 2 or 3 steps.

Old joke, but couldn't resist :)

-

Re:Primality testing has never been hard

[Kynde]

The Miller-Rabin test [mit.edu] will tell you if a number is prime with at most 1/4 probability of error. That sounds ridiculous, but the catch is that you can iterate it using a random parameter. Do the test twice and your probability drops to 1/16. Do it fifteen times and your chances of being wrong are about one billionth. If you're truly paranoid, do it 50 times. That'll bring the error rate of the algorithm magnitudes below the error rate of your hardware.

Just consider how fast it's on some of the better known commercial operating systems, because even that 1/4 error probability is magnitudes below the error rate of your platform

Re:Primality testing has never been hard

[bluGill]

What nobody knows though is if error is good or bad. If Miller-Rabin says a number is prime, and you use it for an application that requires a prime number, the application will still work. At least that is true for all the applications I know of that require a prime number (Public Key Encryption), there are probably others.

I've speculated that the existance of non-primes that work is one of the things that makes public key encryption hard enough to be useful. I can't prove it though, and offer it only as an interesting (but likely wrong) point to consider.

Re:Primality testing has never been hard

[bearnol]

Just for the record, as I've stated elsewhere, the Miller-Rabin Test is unjustifiable (for which read _wrong_) There is nothing wrong with its _math_, however the preliminary logic is completely up-the-spout, as it computes Pr(A|B) at a critical point, rather than the required Pr(B|A) - if you don't believe me, read the paper...!

Re:Primality testing has never been hard

you stopped reading to early. later on it stated that

gcd(n,r) = 1 for all r = ...

Re:Primality testing has never been hard

[Kynde]

What a load of crap...

What nobody knows though is if error is good or bad. If Miller-Rabin says a number is prime, and you use it for an application that requires a prime number, the application will still work.


Not necessarily, and even when it does, incase it indeed is not a prime it may very well be attackable, even significantly. Although, when Miller-Rabin says one in 10^50, it means that the odds really are that low, and as it's way beyond your hardware reliability, who cares if it's actually false or not.


I've speculated that the existance of non-primes that work is one of the things that makes public key encryption hard enough to be useful. I can't prove it though, and offer it only as an interesting (but likely wrong) point to consider.


There are numbers that fool the gaussian test for primes, so called Carmichael numbers. There are also composite numbers (i.e. nonprimes) that pass Miller-Rabin test, therefore for example in Mathematica the Miller-Rabin test is combined with Lucas pseudoprime test. Though, it may still fail, it's sufficiently unlikely.

BUT how the fsck can you say that "the existance of non-primes that work is one of the things that makes public key encryption hard enough to be useful" ???
Public key cryptography IS being used, and a lot! And on top of which, the smallest problem with it is the generation of primes.

There are "problems" with it, the unawareness wether there actually is a P complex factorisation algorithm yet to be discovered. Also from a steganographical point of view, RSA has somewhat detectable bias, although it's usually being used just transmit the key for some symmetric proven-to-be-strong cipher, which inturn is used to encipher the actual message.

Re:Primality testing has never been hard

[mal0rd]

> If you're truly paranoid, do it 50 times.
> That'll bring the error rate of the algorithm
> magnitudes below the error rate of your hardware.

This doesn't make any sense. If, for any given time you run the algorithim, the hardware has a one in a million chance of messing up, then after running it 50 times the chance of it giving the wrong answer all the time is closer to zlich then the algorithim giving the wrong answer the majority of the time.

Re:Big consequences related to encryption

That "proof" would have killed my CS professor.

Don't forget...!

[Libor+Vanek]

...that in praxis it doesn't really matter if problem is P or NP when P is 100000000000000000*n while NP solution could be 0.00000000000001*(2^n) - the complexity class is nice thing but not all.

Re:Don't forget...!

[meteu]

That's not a very good example, considering that 0.00000000000001*(2^n) > 100000000000000000*n when n >= 110. On 128 bit input, the exponential runtime is more than 265,000 times as slow as the linear.

Complexity classes are more than just "nice."

This is brute force but....

[chairmanKAGA]

...couldn;t you figure out if a number is prime by taking the number you want to see if is prime, start at 2 and muliply that by every number until it is greater than the number you want to see if is prime, if not then go to 3 and repeat until a number * 2 > than your number?

This isn't elegant but I'm assuming it would work. I'm not a math wiz, only some calculas but could someone tell me why I'm wrong?

Also, that is in polynomial time I beleive.

Also, is the product of 2 primes always prime?

Thanx.

Re:This is brute force but....

[MrByte420]

Firstly, you only need to check up to the square root of n as anything larger will not be a prime factor. Secondly the algo you suggest is MUCH larger than n^k where n is the LENGTH OF THE INPUT NOT THE SIZE OF THE NUMBER!

Re:This is brute force but....

[chairmanKAGA]

The time it takes to calculate with a variation of this algo is ~ [(n + 1) / 2]! , no?

I thought that would be in P time but I see it cannot.

Re:This is brute force but....

[subtleluck]

umm...wouldn't it be easier to just loop from 2 to n-1 (n = the number you are checking for prime) and to see if they divide it?

and no prime * prime is not prime

Re:This is brute force but....

[MrByte420]

Well, I'm not sure if you mean factorial or excitement with that exclaimation mark but either way thats much larger than the input size of the number. NOT THE CARDINALITY OF THE NUMBER. i.e. if a number has n digits it won't be poly to that!

Re:This is brute force but....

[chairmanKAGA]

I was refering to factorial.

Re:This is brute force but....

[chairmanKAGA]

I was just suggesting a raw, non optimized algo for something like this. by z = n+1 ,z = z / 2 and then checking all products, which is z! but that ins't P time I see now so I'm sure many algo's like this already exist and are much slower than the P algo.

Re:This is brute force but....

[MrByte420]

Factorial grows faster than exponential! watch: polynomial time: 2^2=2 3^2=9 4^2=16 10^2=100 Exponential: 2^2=4 2^4=16 2^10=1024 Factorial; 2!=2 4!=24 10!=3,628,800 See what I mean?

Re:This is brute force but....

[chairmanKAGA]

Yes, and I realize this. To be honest, I have very little business discussing higer math as I am not *bad* at math but do not have the dedication to it. A couple years of Calculas is all I really want to ever have. I can derive and use integrals among other things.

I like discrete math/logic more anyways,

Thank you for clarifing a couple things for me though. :)

Re:This is brute force but....

Actually, it's kind of stupid to continue after testing m=sqrt(n)...

Re:This is brute force but....

Actually, it's kind of stupid to continue after testing m=sqrt(n).

Not necessarily... I mean you might find the one number that breaks the rules! Just like Bender's nightmare... "it was an endless string of ones and zeros.. and I think I saw a two!" :o)

Re:arg. I did it again

[shepd]

>I'm not sure why it removes comparison symbols when set to plain text...

Slashdot removes left angle brackets in an attempt to stop abuse. Since it still lets raw right angle brackets through for old style quoting (which I prefer), the left ones have to go on unverified tags.

To display a left angle bracket despite that you'll need to type its ISO code, which renders the bracket unusable for tags (which is a good thing).

ie: < is entered with this: &lt;

Just something to note down FFR. Oh, and &nbsp; can be handy if you want to try to slip through some important, on-topic simple tables or ascii art. Sometimes. But not lately.

- o
<
\__/

Even worse ...

Even worse is a polynomial time algorithm that runs in O(n^1000000000000000). Even O(n^1000) is quite bad.

MrByte's 1 Page P, NP, NP-Complete Primer

[MrByte420]

So I'm already sensing the level of confusion rising as this is a very confusing topic. Here's a quick review. Note: I'm going to do this on a higher level and not start talking about Formal Languages as this is not the place to teach it. So in loose terms, Problems that in P are easily solveable. For example, sorting is a problem in p. Proof: I can sort a set of n numbers in no worse than n^2 time using a bubble sort. (Yes - I know there's faster but this is an example). The bubble sort just compares every number to every other number. Assuming you didn't optimize the algorithm you'd compare each number to every other number and they'd be sorted in no worse than n*n = n^2 comparisons. So what is NP? NP are problems that given a proposed solution we can verify that the solution is correct or not in polynomial time. An example of this is factoring. (note: it is not known whether factoring is in P). Given current methods we know factoring a big number into its prime factors. But if I was to tell you that p=q*r you could very quickly multiply q*r and see if it is equal to p and "verify" my answer. Another way to think about it is you can try out one branch of computation in polynomial time. So what is NP-complete? NP complete problems are is follows. A problem is NP-Complete iff 1) The problem is in NP 2) A solution in polynomial time to this problem would yield a polynomial time solution to all other problems in NP. That is, no other problem in NP is harder than NP-Complete and if one NP-Complete problem is solveable in Polynomial time than all of NP is solveable in polynomail time, P=NP and you will win doctorates and a nobel prize, turing award and a million bucks from the clay institute for proving this. Sigh - you are probally still confused.. :)

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[ctrimble]

Maybe you should have mentioned that step 2 in the NP-Complete definition means that there's a polynomial time transformation that will turn one NP-Complete problem into another. That's why showing that one NP-Complete problem is in P means that they're all in P.

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[MrByte420]

Hehe - That defintely is part of it but I was just trying to be clear rather than precise.
You obviously can't take k^n time to use the solution generated to decide the other part.

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[uhoreg]

Problems that in P are easily solveable.

Nope. You can have huge constants, or huge exponents, or both. P only describes (somewhat loosely) how much harder the problem becomes as the size of the input grows. But if the problem already takes an impossibly long time with an input size of two, you aint goin very far.

In addition, it is possible to know that a problem is in P, but not have an algorithm for it. (e.g. Robertson and Seymour's huge graph minor theorem, a series of about 20 papers which you probably don't want to read (I don't).)

(And please always capitalize Turing. Nobel too.)

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[MrByte420]

Yes. The Time construction theorems do show that their exists a language that takes n^1000, n ^(10^123323), etc. However they are all easier to solve that Exponential time funtions!

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[uhoreg]

Yeah, I guess "easy" is a relative term. I usually associate "easy" with "practical", which I suppose disqualifies me from doing work in theoretical computer science. ;-) (I am doing theoretical CS, but not complexity theory.)

One day...

Factoring primes is going to be found to be in P, and all over the world, dead slashdot readers will also be found in pee.

Knuth

This is old news (1997). If one looks at TAOCP Volume 2, third edition, page 396, there are three mentioned algorithms. One algorithm operates at O(log n)^5, proves with rigor, and depends on the proof of the extended Riemann Hypothesis(tm). There is also aother that is in (log n)^O(log log log n) that does not depend on unproven hypothesises, yet is not exactly P.

Re:Knuth

[MrByte420]

a Proof is not rigorus if it depends on unproven theorems. There are many examples if theories that were thought to be true and were later proved to be false. This proof relies on nothing more than a little abastract algebra, some number theory and good ole plain algebra..

Re:Knuth

[matrix0040]

well ERH is a million dollar problem (literally) !! Claymath.org, so i wouldn't bet my money on a proof which relies on ERH.

Re:Big consequences related to encryption

[(outer-limits)]

I believe it's 15 - 20 years until they're broken

15 to 20 years is not a long time, I remember when it was 15 years to Y2K. It wasn't the disaster that it was beaten up to be, but it did cost a lot of money to remedy.

Encryption is pretty low level stuff, so the ramifications could be large for many systems.

It's not algorythm,

it's algorithm, fuckface.

The question is

[einhverfr]

Whether polynomial time is longer or shorter than prime time.

Re:The question is

Just GREAT. Now Nielson is gonna want to monitor what my Tivo is recording during polynomial time, too?

Re:Big consequences related to encryption

[jbolden]

You can break RSA in polynomial time.

Let pq be a public key. For integers n sqrt(pq) check if n | pq. Each division takes O((pq)^1.58) time (see any algorythem book for proof).

So you have O(sqrt(pq)) * O((pq)^1.58) which is just slightly larger than O((pq)^2) and less than O(pq^3). Improving only slightly over brute force gets you down below squared time.

Re:Big consequences related to encryption

[jbolden]

I forgot to put in the punch line.

The problem is not that you can't crack RSA in polynomial time as the numbers grow, but rather that means that you are cracking RSA in exponential time as the number of digits grow. Incidentally the best you can do so far is O(e^1.58) (which comes from the division problem).

O(num_bits**12) time estimates

[Adam+J.+Richter]

We give a deterministic O((log n)**12) time algorithm for testing whether a number is prime.

[Sorry, the Slashdot filter does not allow me to superscript the 12.]

The algorithm takes O(log2(n)**12) time, where n is number being factored. If we optimistically assume that this algorithm can test the primality of a 16-bit number in one microsecond, then here is how long it would take to test time primality of some larger numbers.

• 2**12 times as long for a 32-bit number = 4096 microseconds = 4 milliseconds,
• 4**12 times as long for a 64-bit number = 16,777,216 microseconds = 16 seconds,
• 8**12 times as long for a 128-bit number = 68,719,476,736 microseconds = 68,719 seconds = 19 hours,
• 16**12 times as long for a 256-bit number = 281,474,976,710,656 microseconds = 9 years.

I don't know what a realistic base time for this algorithm really would be, and I don't know where the cross over point against existing exponential time deterministic primality testing algorithms would be, but at least this provide a sense of how log2(n)**12 grows.

Re:O(num_bits**12) time estimates

Read the paper more carefully. The algorithm in *KNOWN* to run in O(log(n)**12), however it is conjectured to run in O(log(n)**6), and there is suggested future work that might improve this dramatically to O(log(n)**3)!

There is reason to be optimistic with this approach.

Good for RSA?

I haven't read the PDF (Acrobat for Linux doesn't render it for whatever reason), but this sounds like it would be a good thing. RSA already does a quick check to see if generated key is prime. If this is more efficient, maybe this would make keys faster/more secure?

Re:arg. I did it again

Preview is *MY* friend.

FAPFAPFAPFAP

Oh no!

[SEAPEA]

I'm not sure what Primes look like or even what they are but having them in my P can't be good for the ole' prostate.

Re:Big consequences related to encryption

[Bill+Currie]

I think there's an error in your algo. Shouldn't it be t^f (mod pq) and message^g (mod pq)?

Re:Big consequences related to encryption

[kyletinsley]

"If you can determine if a number is prime in polynomial time, you can break RSA in polynomial time."

Awww fuck polynomial time.... I'm still waiting for somebody to determine it in STOP! hammer time...

Doooooooo doo doo doo, doooooooooooooooooooo do - Can't crack this!

---
God that was stoopid... sleeeep goooood!

We did NOT know this.

Randomized polynomial time is NOT the same as polynomial time. In the CS theory literature, it is not known if RP=P (randomized polynomial time = polynomial time).

I love reading ./ when stories that require any amount of CS sophistication is required. All the people who've never taken a theory course come out of the woodwork, and spout their own beliefs as if they were liquid gold.

Re:We did NOT know this.

I would wager that all these people spouting bullshit did take the CS theory course and they probably think they understood it too.

Re:arg. I did it again

[jnana]

You have to escape < with <, because otherwise the parser wouldn't be able to tell when an element tag was beginning or you meant less than. > isn't required to be escaped for this reason, because it is clear whether it is closing a tag or not. You also have to escape the ampersand, because otherwise the parser would have to scan ahead to know if you were specifying an entity like   or you just meant & and whatever.

step 6 is fine

but the rest of it is a mess.....

Step 6: Let q be the largest prime factor of r-1
Step 7: ???
Step 8: Profit!

smile?

big deal. corners of my mouth move. so what? I did that with linux years ago.

how is this a troll?

the guy admits he has no idea what he's talking about; it may by an ignorant question but it's hardly a troll!

Re:arg. I did it again

[orz]

But I set it to plain text! Shouldn't slashdot automatically replace my (less-than) symbol with &lt or whatever?

Since slashdot doesn't seem to be doing that I feel like the mode shouldn't be called "Plain Old Text".

Ah well. I'm just bitter because I screwed up twice in a row.

Why does polynomial time matter?

[Flat5]

There seems to be endless fascination with P vs NP problems, and I just can't understand how it could possibly matter. Aren't there infinitely many "polynomial times" that are complete disasters?

Isn't n^1000000000000000000 polynomial time?

Flat5

Re:Why does polynomial time matter?

[archnerd]

If you've studied your calculus, you'll know that anything that can be done in polynomial time can be done faster than in exponential time after a certain length. Since we're talking order of magnitude, it doesn't really _matter_ what the polynomial exponent is as long as it's a constant. Formally, for any constants {a,b}, there exists an n such that a^n > n^b. Therefore, for any NP-complete cryptosystem, it is possible to create a key length such that it will take any desired number of times longer to crack the system than to use it normally.

Re:Why does polynomial time matter?

[sirius_bbr]

Aren't there infinitely many "polynomial times" that are complete disasters?

Isn't n^1000000000000000000 polynomial time?

There are, but if you take n large enough, eventualy, for example 2^n will be larger then your n^'very_large_number'.
So there is a significant difference between P and NP complexity. BTW no-one has yet proved that NP problems like SAT or the traveling salesman problem, or any problem derivable from those cannot be solved in polynomial time. It's just a very fascinating subject ;))

Re:Why does polynomial time matter?

[maxwell+demon]

But if we have a P algorithm and an NP algorithm, and the NP algorithm gets more efficient at about 10^100 bits, then for all practical purposes, the NP algorithm is faster.

Re:Why does polynomial time matter?

[fatphil]

These principles ignore the fact that there's a finite amount of time,
matter and energy in the universe.

A P algorithm that can never be performed due to its order or constant
factor has no practical use, only theoretical interest.

Theoretical interest is still very interesting.
Practical presses my bottons more though.

Phil

Re:Why does polynomial time matter?

Because, if you read the damn paper, you'd know that the polynomial is shown to be n^12 for sure, and is probably n^6 (conjectured.)

You need to learn to walk before you can run ... likely, if this paper stands up to scrutiny, it will be followed by improvements which bring the desgree of this polynomial down quite a bit in short order.

Re:Why does polynomial time matter?

There exists a^n < n! for all a > 0.

Therefore all polynomial times are useful, but only for sufficiently large values.

Re:Why does polynomial time matter?

[Flat5]

I don't see what calculus has to do with it, and your statement still doesn't convince me that it matters.

"After sufficient length." Sure. But there's *never* any discussion about what that length is. And if it's sufficiently large (as in, larger than you could ever use), it doesn't matter. The exponent *does* matter in that case.

Flat5

Re:Why does polynomial time matter?

[Flat5]

Sure. But n "large enough" may be completely - orders upon orders of magnitude - out of the range of applicability, in which case this usual professorial argument about "the exponent doesn't matter" is hogwash.

Flat5

Re:Why does polynomial time matter?

[Flat5]

I was asking a more general question than about the results of this particular paper.

I always have and still do reject this ridiculous notion that the exponent never matters because "for sufficiently large" n it's always a win.

We do not work with infinite n. We work with finite n of a quite limited range. The exponent matters, and to say anything to the contrary is a misleading oversimplification.

Flat5

Re:Why does polynomial time matter?

[Agilus]

This question was brought up in my theory course a few semesters ago. And it's a completely valid question. The answer my professor gave was that you don't run into polynomial time algorithms with this large of an exponent. If something can be shown to run in polynomial time at all, then it can almost certainly be optimized to have a fairly low exponent (10 or less). If you're really curious to test this, you should look around for optimized polynomial time algorithms and see if you can find one with a huge exponent. I think it will be very difficult to do, if not impossible.

Re:Why does polynomial time matter?

[magicianeer]

We do not work with infinite n. We work with finite n of a quite limited range. The exponent matters, and to say anything to the contrary is a misleading oversimplification.

But n is rapidly increasing.

There is a Moores Law-like effect on dataset sizes that grows faster than processing power. Today terabyte databases are not unusual. It is not unreasonable to have a terabyte on the desktop. Five years ago people could not access drives bigger than 8GB.

An algorithm that takes exponential time to process such a dataset may perform better FOR NOW than one that takes polynomial time. But 5 years from now the exponential algorithm will be useless-- the dataset size (n) will have increased by orders of magnitude, which does horrible things to the exponential runtime.

We routinely keep software around for 30+ years. We cannot expect an exponential time algorithm to be useful over even 10 years. But with the increasing processing power, we can expect a bad polynomial time algorithm to eventually become useful, as recently happened with 3D graphics algorithms.

Re:Why does polynomial time matter?

[uhoreg]

Yes. Nobody is going to come up with an n^1000000000000000000 algorithm, though. Chances are, an algorithm with that kind of running time would be so complicated, nobody would understand it.

To me, having PRIMES in P means that there is more hope of being able to do it efficiently. If it was shown to be NP complete, I would have much less hope. In this case, for example, although the running time is O((log n)^12), which isn't too impressive, the researchers say that they did not fully optimize the algorithm, as they were only interested is showing it was possible.

P is a pretty nice group to deal with, because it happens to be fairly robust between different models of computation. (i.e. P doesn't change if you go from Turing machines, to random access machines, etc.) But there are always researchers interested in getting things down to linear, quadratic, cubic, etc. time. I don't think anybody's going to let this paper be the final word on the complexity of PRIMES. But this is a significant step in finding an efficient algorithm for it.

That isn't constant time

A single iteration of the Miller-Rabin test does not take constant time. The time taken involves a number of multiplications mod p (mostly repeated squaring). Both the number of math operations and the difficulty of each one increase with p.

It is therefore polynomial in the size of p, and not constant.

Re:That isn't constant time

[sasami]

A single iteration of the Miller-Rabin test does not take constant time. The time taken involves a number of multiplications mod p (mostly repeated squaring). Both the number of math operations and the difficulty of each one increase with p.

It is therefore polynomial in the size of p, and not constant.

Oops! Yes, this is completely true. Anything that involves multiplications is obviously not going to be constant in the size of the input.

I should offer my head on a platter to Prof. Rabin! I took his class on randomized algorithms...

(If I wanted to be petulant, I could blame the Motwani & Raghavan book for modeling multiplies as unit cost, but that ain't gonna fool anyone. =)

---
Dum de dum.

the most amazing part is...

[keshto]

this work was done by undergrads for their senior honors thesis under Dr. Agarwal's supervision. Isn't that amazing!!! Dr Agarwal was also my undergrad advisor- he is one amazing fellow and damn smart too!! I just wish my honors thesis had been even a fraction of this...

Re:the most amazing part is...

[Kredal]

Fraction, or factor? Sorry...

Re:the most amazing part is...

I believe he meant something like he wishes his undergraduate thesis was a fraction as good or as groundbreaking as this one.

So it was fraction, not factor.

Re:the most amazing part is...

I've met plenty of seniors undergrads who were brilliant and were writing assembly at 8 years old. I knew a guy in college who wrote a C compiler in the 80's when he was 16. The difference isn't that they are smarter. They just want attention and care more about glory than some person who just loves programming and coding and could give a rats ass about fame. Just cuz others are jumping for attention doesn't mean these two guys are wonder kids.

Re:the most amazing part is...

Well, this is 'localized' amazement. Obviously, it amazes you that he also advised these fellows on an excellent paper.

This makes sense: you may have had a dozen advisors or so in your academic career, and the likelihood that any one of them is up for a Nobel prize is quite low no matter how brilliant they are.

But unless there fellows are his very first students, there are one or more people (including yourself) whom he has already advised. So the likelihood that he has other students is very high.

So... from your perspective this is amazing. But from mine, it isn't. :-)

That being said... even if you aren't up for a Nobel prize, from your remarks you obviously enjoyed working with him. And that's what really counts.

--
Reginald Braithwaite-Lee

bad in math?

[RelliK]

log2(16) = 4
log2(32) = 5
log2(64) = 6
log2(128) = 7
log2(256) = 8

by your assumption a*log2(16)^12 + b = 1 ms
for simplicity, let's ignore the constant b.
then:

a*log2(16)^12 = a * 4^12 = 1 ms (by assumption)
a*log2(32)^12 = a * 5^12 = 14.5 ms
a*log2(64)^12 = a * 6^12 = 129.75 ms
...
a*log2(256)^12 = a * 8^12 = 4096 ms

Re:bad in math?

[kavau]

Hold your breath... the algorithm is log2(n)^12 where n represents the number to be tested, not the number of digits. If you denote the number of digits by m, that is, m = log2(n), you get a complexity of O(m^12). The algorithm is therefore polynomial in the number of digits, with a very large exponent of 12. This large exponent could easily hamper the practical use of the algorithm, as Adam correctly demonstrated. The upshot is: Adam is right, RelliK is wrong!

Tip

If you're going to try to be funny, please be successful at it.

Size matters

[deblau]

Note that this algorithm takes O((log n)^12). For this to actually be faster than, say, factoring n directly, and assuming a multiplicative factor of 1 in the order statistic, n has to be at least 3*10^22, or roughly 75 bits long. This algorithm is probably very ineffective at factoring small integers.

Re:Size matters

[fatphil]

Firstly note that the 12 is a proven upper bound, and for the majority of
real world numbers it will be much lower.

Secondly, it's not a factoring algorithm, so your final comment is a bit odd.

Phil

Re:We already knew even more...

[archeopterix]

Namely, if the algorithm says it is prime it might be wrong (with probablity half, say), and if it says that the number is not prime, then it is not prime for sure.

As far as i know, there is a complementary probabilistic algorithm: if it says the number is prime, it is prime for sure, if if says it's composite, it can be wrong (with a fixed probability). So you can check whether a number is prime or not - with an absolute certainty, by running the two algorithms repeatedly, until one of them gives the 'sure' answer. The only thing that is unsure is the execution time - perhaps you will have to run both algorithms many times before obtaining a certain answer. The expected running time is of course polynomial. This means than prime testing is in ZPP. A google search on 'ZPP prime' or something should reveal more, if anyone is interested.

Re:Big consequences related to encryption

[mpsmps]

Oops! But with your correction, it works.

Re:Big consequences related to encryption

[Bush+Pig]

You'd instantly know that 2^n, n>1, is not prime anyway.

Re:Big consequences related to encryption

[kreyg]

15 - 20 years until they're broken...

Hmm... you know, I've been thinking... if anyone actually saves some of those packets floating around on the 'net, it my be possible to decrypt ALL of them in that time frame. In other words, even if it's encrypted, be aware that it may not be secure for the remainder of your life, perhaps much, much less. I wonder if I'll have the same credit card numbers in 15 years. Alternatively, I wonder if anybody will think about this more than a year before it's possible.

Another interesting case where it's faster to wait for the hardware than to start chugging away with what we've got right now.

a pedantic ass writes

[streetlawyer]

It is possible to know that a number is not prime without knowing its factors.

No it isn't. If you know that X is prime, you know that its factors are 1 and X.

Yes, I know, I know.

Re:a pedantic ass writes

[archnerd]

I'm not sure what you meant by that last line, but you're wrong. Your argument is the converse of the argument made, which doesn't follow.

Re:a pedantic ass writes

[maxwell+demon]

Your first sentence is wrong. Your second sentence is correct, but unrelated.

The fact that you know the factors of a prime doesn't tell you anything about what you know about the factors of a non-prime (unless you know the prime to be a factor of the non-prime, of course).

When being pedantic, you'd better double-check that you are right :-)

Re:a pedantic ass writes

Were you drunk when you wrote this by any chance?

Re:a pedantic ass writes

No it isn't. If you know that X is prime, you know that its factors are 1 and X.

No, its factors are 1, 1, 1, and X.

Re:a pedantic ass writes

Original argument:
It is possible to know that a number is not prime without knowing its factors.

Reply argument:
If you know that X is prime, you know that its factors are 1 and X.

Your reply to the Reply argument:
Your argument is the converse of the argument made, which doesn't follow.

How is the Reply argument the converse of the original argument?

The converse of the reply argument is: If you know that its factors are 1 and X, then you know it's prime. This is certainly true, but it is neither the original argument, nor does it follow from the reply argument.

And since the converse of the converse should be the Original argument, the Reply argument cannot be the converse of the Original argument.

Re:for the sake of our eyes [OT]

[spongman]

yeah, you would have thought that Adobe, the people tht brought us Postscript could write half-decent font rendering code, but no...

On the MaxOSX it looks great (I'm guessing they use the Mac's native font rendering), but on my XP box it looks like something from the mid 80's compared to the cleartype that everything else is done with.

don't get me started on the ActiveX control...

Undergraduate Student Project

It turns out that both Kayal and Saxena are undergraduate students, and the result is developed out of their final-year project thesis. When was the last time that a Senior at a US university produced a result of this calibre? Answer: Never been done.

Computer Science at IIT, Kanpur, incidentally, has traditionally been the most difficult course to gain admission into in the IIT system. About 250,000 applicants write a grueling entrance test (the JEE) to get admission to about 30~40 seats in CS/IITK.

Finally, a result to make all that selectivity worthwhile.

Re:Undergraduate Student Project

[mkudzin]

When was the last time that a Senior at a US university produced a result of this calibre? Answer: Never been done.

I don't know why I let myself be suckered by such obvious bait.

There is a lot of extraordinary undergraduate research being done in the United States. For two obvious examples, look at the work done by the students of Feank Morgan and at Harvery Mudd College

Matthew Kudzin

Re:Undergraduate Student Project

>When was the last time that a Senior at a US
>university produced a result of this calibre?
>Answer: Never been done.

Sigh... This is incredibly wrong. You might have heard of a mathematician by the name of John Milnor (author of Topology from the Differentiable Viewpoint, Morse Theory, Characteristic Classes...). When he was a freshman at Princeton, he once came to class and saw an open problem in knot theory on the chalkboard. Thinking it was a homework problem, he wrote it down and turned it in a week later. Now *that* is impressive work.

Re:Undergraduate Student Project

Well, Prof. Manindra Agarwal is an established theoretician and is the "first" author of the paper..

Re:Undergraduate Student Project

I guess my elation got the better of me and prompted me to make the flame bait about the quality of UG education in the US. I'll qualify it and say that the quality of Higher Education in the US is unbeatable, if only for the reason that only students who are really motivated and capable enroll for a graduate degree and higher, the rest enter the workforce.

I've still not got over the whole thing, though. Manindra is a friend-of-a-friend (though I've never met him), and one of the reviewers of the preprint, Abhijit Das, was my graduate school classmate and co-student of Prof.C.E.Veni Madhavan, doyen of Computational Number Theory, Primality Theory and Combinatorics at the Indian Institute of Science (IISc.), Bangalore for about 2 decades (BTW, this result should rightfully have gone to IISc., but unfortunately ground-breaking research discoveries have a habit of being serendipitious. Oh, well).

Re:Undergraduate Student Project

I took a quick look at the Williams UG work, and while it certainly required considerable competency, most of it seemed to be esoteric computational geometry related to the topology of soap-film bubbles and so on. Certainly hard, but not necessarily at the pinnacle of the field.

The Harvey Mudd work is just routine student publications of a good mathematics college. The program is nowhere near as selective or competitive as a typical IIT, nor is the reasearch work in any way near as rigorous or as significant as the IITK work.

Re:Undergraduate Student Project

[bsharma]

Well, Prof. Manindra Agarwal is an established theoretician and is the "first" author of the paper.. When several authors contribute nearly the same research in a paper, the tradition is to list the names in alphabetical order (last names). These authors - Agarwal, Kayal and Saxena seem to be that.

Re:Undergraduate Student Project

[bsharma]

>>>Well, Prof. Manindra Agarwal is an established theoretician and is the "first" author of the paper.. When several authors contribute equally in a research, they are listed alphabetically. Agarwal, Kayal and Saxena seems like that.

Re:arg. I did it again

[pediddle]

All plain text mode does is automatically break your paragraphs when you type "enter" (so you don't have to use

or
). But since you can still type, say, , or in plain text mode, it can't automatically translate your '<' into '<', or else those tags wouldn't work.

What you want is to either type out the '&lt;' and '&amp;', or, probably what you really want is to:

use Extrans or Code modes (Code is just like Extrans except formatted in a fixed-width font). I'm using Extrans to type this message right now, since it has so many '<'s.

What is 'n'?

'Primality test is a P class' is wrong.

What is 'n'?

Hehehehe

Is it the total of bits of the number?

Or is it the number?

Stupid demonstration.

JCPM

Re:Big consequences related to encryption

[fatphil]

The PRP tests used to check numbers for compositeness or probable primality
actually test to see if this exponentiation procedure works.

RSA does work with carmichael numbers instead of primes, for example, because

a^c == a (mod c) for all a s.t. (a,c)==1, c a carmichael number

Try it - it works!

Phil

It would be interesting...

[GnomeKing]

...if he HAD found a way to do factoring in P time... gotta wonder what would happen if he took a holiday to the states - I'm sure SOMEONE would try to have a go at him for breaking encryption

This is highly unlikely...

[commie_pig]

It will only be a matter of time before somebody finds a flaw in the paper. I suppose I will give it a bash.

First of all, to the best of my knowledge, none of the prime algorithms are NP-complete, so even showing that one of them runs in polynomial time will still not answer the question of whether P = NP.

Second, as some other readers have pointed out, this will probably not make a dent in the integrity of crypto systems, since the factoring problem becomes no easier. Take RSA for example. We know that the messages are composite numbers, but I bet you'll keep your computer more than busy for the next few eons trying to factor a 1024 bit composite.

There is a brilliant probabilistic algorithm (due to Rabin and I think Miller) for checking primeness which allows one to arbitrarily choose the likelihood of an error.

So anyways, don't get to excited at the prospect of the fall of the Western world's security, because if anyone posed such a threat, it would be in the interest of many countries to have such a person eliminated.

Re:This is highly unlikely...

It will only be a matter of time before somebody finds a flaw in the paper.

Look at the acknowledgements.. it has been looked at by reputed researchers in the field.

Re:Big consequences related to encryption

[ranulf]

but isn't a non-prime that passes the 99.99999999999% check just as good as a prime in encryption? I mean, seriously, is anyone really going to notice it's not prime?
No, most messages will decode incorrectly.

So, if the key obviously doesn't work, then you can assume that the modulus isn't prime and try another.

In fact, following that argument through, you could have a test suite of various messages to encode. If they work, you can be reasonably sure the number is prime. Obviously, with this approach you'd need to be reasonably sure you had a prime, otherwise you'd waste a lot of time.

Disclaimer: I dropped out of Uni level Maths before I got to anything particularly hard, so most of this is over my head.

Re:for the sake of our eyes [OT]

Did it occur to you that Microsoft might not want Adobe to have a decently-rendered universal document format on their platform? This is, after all, Microsoft -- the company which changes the .doc format every chance they get in order to enforce an artificial monopoly.

Great, now not even the posters *READ* the article

[sup4hleet]

While I haven't gone through the presentation in detail,

This fact is not new...

[mgessner]

I wrote a paper back in 1990 about a prime number sieve that was basically an O(n^2) algorithm.
It basically worked by finding out if numbers were composite, but the algorithm used could be "inverted" to tell you if a number was prime or not by telling you if it was composite or not.
It was very well suited to parallel implementations, too.

Re:This fact is not new...

[gelderen]

Citation and online reference, please?

Re:This fact is not new...

[mgessner]

The research was done as part of my Senior Honors Thesis, and is available from the university.

My advisor, Dr. Antonio Quesada, later published a paper (proceedings of the ACM, maybe?) wherein he discussed the sieve that we built, in very generic terms.

Basically, it involves going through and computing the distances between the composites in a special set and doing that over and over and over. But by simply determining if a number is going to be cancelled out or not is pretty simple: just run through the sets.

Re:This fact is not new...

[uhoreg]

Is it quadratic in the magnitude of the number, or quadratic in the bit size of the number? i.e. if I wanted to test if 907 is prime, would it be c*907^2 time, or c*log(907)^2?

You and your code sucks

I don't care what they say - i, p and other one letter variable names suck even for loops. Get another job because you're a loser.

Re:You and your code sucks

One letter variables lead to more efficient code.

With one letter variables, you are limited to 26, resulting in considerable memory savings.

Re:You and your code sucks

There is absolutely no reason not to use i for an index variable, and I've never heard of anyone even trying to justify a different practice. The P is a bit more subjective, but can still be justified in extremely simple functions such as this.

Re:You and your code sucks

There is absolutely no reason not to use i for an index variable, and I've never heard of anyone even trying to justify a different practice. The P is a bit more subjective, but can still be justified in extremely simple functions such as this.

There is absolutely no reason to use i. Any single letter variable is not descriptive (the only two possible exceptions I can think of would be for sqrt(-1) and base of natural logs (e)). I run a software development company and one of the few rules I have is no single letter variables - EVER. It's a stupid practice and anyone who condones it is an asshole.

Guess that makes you an asshole.

Re:You and your code sucks

[WeedMonkey]

no single letter variables... it's a stupid practice and anyone who condones it is an asshole.

FFS, anyone who has a rule that you're not allowed to use i as a loop counter deserves to be dragged out into the street, beaten around the head with printouts of the Win95 codebase, then exiled to Redmond for the rest of their life, as they obviously aren't familiar with even the most basic of accepted practices.

I can just see you sitting there, late at night, typing

for (myLoopCounter=1; myLoopCounter<=maximumIterationsAllowedForThisLoop ; myLoopCounter++)

while the rest of us are in the pub. Ah well, your loss.

Re:You and your code sucks

Here are reasons why i and many other single letter variables are perfectly fine, and I am not an asshole:

1) Every single software development textbook will use i for counters.
2) x, y, and z can be used for coordinates.
3) a, b, and c can be used to figure out the quadratic equation.
4) Using shorter variable names simplifies the code when dealing with extremely simple situations such as the above.
5) Any of the above variables are completely obvious WITHOUT context. If I saw an i, I would automatically assume it was a loop counter, as would anyone who had taken programming courses at a university level.

Using long variables names indiscriminantly is an idiot's way of making their program legible. The important issues are intelligent layout, and proper internal documentation through comments. I can find myself 100 doctorates who would agree with me, but I doubt you could find 2 who stand by your statement.

Have fun running your company in your mom's basement; the boys will be done with her shortly, and then you can come upstairs.

Re: Use Double Keys DUH!

[linuxislandsucks]

Ah you know most people who use the pair key system of encryption never have to worry about whether primes are factorable or not..

Single key encryption is only for windows slobs!

PGP forerver!

Er

[cca93014]

Is polynomial-time like Hammer-time?

Re:for the sake of our eyes [OT]

[MrFredBloggs]

Is there a reason why the underlining in PDF is out a fair bit?

Re:Big consequences related to encryption

[xbrownx]

It would be a truly horrible test for prime numbers if any even number greater than 2 passed.

Fantastic

[twem2]

From a theoretical point of view.
As someone who's incredibly interested in theoretic computer science, this is a fascinating and very important result.
Practically it may not have much of an effect. It is in P, but that doesn't tell you how long it actually takes to run. It could be that the algorithm takes an inpractical time to run, although refinements to the algorithm might be made to speed it up.
This will also have little impact on the problem of factoring, unless the maths used provides a new approach to that problem.
Great news though.
I'll have to read the paper now.

Well I hope your ready for more

[CaffeineAddict2001]

cause you're going back to P. Didn't you hear professor? You do the trying, we do the dividing.

Discrete log also unaffected

[yerricde]

Only ... algorithms like RSA will be broken. Symmetric-key cryptosystems will be unaffected.

As far as I know, public key crypto based on a discrete logarithm will be unaffected as well.

Re:Discrete log also unaffected

Hi, cock.. actually we call it a Federal Republic. Please to be going and fucking yourself.

Re:arg. I did it again

I'm gonna have to agree with the other guy. "Plain Old Text" is a bit misleading. It's actually "Html-formatted Text Replacing Enters With
And

"

As for hyperlinks, it would be nice to have them in a "Plain Old Text" mode, but I've never seen anything I'd refer to as "Plain Old Text" include clickable hyperlinks. I think ideally there'd be a third mode, but maybe I'm just a dreamer.

Mod parent down

[volpe]

The input size here is log(n) since it requires log(n) bits to represent n. log(n)^12 hence is polynomial (which i believe their algo guarantees), whereas sqrt(n) is not.


Nonsense. Sqrt(n) is less than n for all n, therefore O(sqrt(n)) is even better than O(n).

Re:Mod parent down

Not nonsense at all, you just don't understand the problem.

Calculating the square root function is part of the cost of the algorithm [the slow one somebody gave above], because it obviously appears in the algorithm, and is effected by the size of the input.
p.
But calculating the time that the algorithm will take to run is not part of the algorithm itself. So a square root showing up there does not EFFECT the time it takes to run, it PREDICTS the time it takes to run. You have confused cause and effect.

Re:Mod parent down

[volpe]

I'm aware that calculating the integer square root function is part of the cost of the algorithm, but even so, it's still a polynomial time algorithm. And even if it weren't, you could make it polynomial by replacing "sqrt(n)" with "n". This would, of course, make the algorithm take *longer* on any practical implementation, but it would be just as correct and trivially polynomial.

Re:Well, well, well...

That's very rude and racist too. Someone mod this down

Why is this interesting?

[(void*)]

I present to you a very stupid algorithm to check that Primality is in P:

for i = 1 to sqrt(n):
if i divides n: n is NOT PRIME, stop.
if loop runs to exhaustion, n IS PRIME.

Now, this simple minded deterministic algorithm has runtime O(n^0.5). Thus primality is in P. Why is this simple, elementary result unknown to slashdotters?

The true achievement of this paper is that a speed up from polynomial time to fast polynomial times. That primality testing is in P, is KNOWN FACT. All those people expounding on the ramifications of Primality being in P and its implica5tions for factoring are talking out of their ass.

Re:Why is this interesting?

By example, is
n = 1,000,000,000,000,000,000,000,000,000,001 a prime number?
(this number occupies log2(n) = little 100 bits!!)
You do say that it's O(n^0.5)=O(sqrt(n)), ahh, ok.
O(sqrt(n))=O(1,000,000,000,000,000._)=1,000 TeraOps :( very very slow for a supercomputer.

JCPM

Re:Why is this interesting?

Um, no and no... "in P" means in relation to the "size" of the input measured in bits--not how big the number is. So, if n is the input number, you need an algorithim that runs is O(log(n)^O(1)) time to be "polynomial", not O(n^O(1)) time like yours... If you look, the paper gives a runtime of O(log(n)^12).

Re:Why is this interesting?

Please check one of the first threads of the posting: "I always thought is was in P"

Re:Why is this interesting?

[SamBeckett]

Your algorithm sux0rs. It should be:

for i = 2 to sqrt(n):
if i divides n: n is NOT PRIME, stop.
if loop runs to exhaustion, n is PRIME.

Re:Why is this interesting?

[TheShadow]

Wait... One better:

if 2 divides n: n is NOT PRIME, stop
for (i = 3; i sqrt(n); i+=2)
if i divides n: n is NOT PRIME, stop;
if loop runs to exhaustion, n is PRIME.

This is much better because you only test odd numbers.

Maybe we can keep this thread going and eventually come up with an O(1) algorithm.

Re:Why is this interesting?

Polynomial time means a run-time proportional to a polynomial in the amount of needed input to the problem. To specify a number n, the input required is only log2(n) bits, proportional to ln(n), so polynomial time means bounded by a finite power of ln(n), not a finite power of n itself.

Re:Why is this interesting?

[muck1969]

Your solution is a brute-force calculation that even novice coders could realize. I've used a similar piece to create a factoring program on my TI-82 (but increm +2 and pair this with a 10 digit rand. nbr gen proggy ... it's entertaining for 30 seconds). I believe the solution these math nerds are looking for is an elegant solution for those who don't code.

Re:Why is this interesting?

its not a prime

Cool but not yet useful

As has been pointed out, Rabin-Miller is how one finds primes in practice.
Even Adleman, Pomerance, and Rumely's deterministic algorithm runs in time (log n)^{O(log log log n)}. That's not polynomial, but it's pretty nice. Contrast to this, which is (log n)^{12}. Now, 12 e^{e^{e^{12}}}, which is an absolutely huge number (perl thinks it's close enough to infinity for it).
Conclusion: This is really cool, but not yet practical. However, as the authors say, it may be possible to improve the bounds.

Re:Cool but not yet useful

Actually, it is probably very practical, because of its simplicity. The average case time complexity is probably much better than the worst case O(log^12(n)). The fact that certain widely believed conjectures permit the worst-case complexity to drop dramatically implies that the average case is *much better*.

Re:Big consequences related to encryption

Anything can be cracked in hammer time... provided a big enough hammer.

Re:Big consequences related to encryption

[heliocentric]

I wonder if I'll have the same credit card numbers in 15 years.

My CC company tends to send me a new one every few years (right before the old one expires) with a new number. When does your card expire? What does your CC company do around that time if it doesn't send you a new number?

Proofs of X mod 9 and X mod 3

[UnknownSoldier]

Indras> It's always easy to tell if a number is divisible by three, just add all the digits together, and if the result is divisible by three, then so is the original number.

HaeMaker> Got a proof for this?

You need to use these few Number Theory modulas rules:
Eq 1. m mod m = 0 [defn. of modulas]
and
Eq 2. (a mod m) + (b mod m) = (a + b) mod m
and
Eq 3. (a*m) mod m = 0

If you want a better handle on where Eq. 2 comes from, look at an analog clock.
i.e.
What is 11am + 9 hours expressed in am/pm format?
= (11+9) mod 12
= (12 + 8) mod 12
= (12 mod 12) + (8 mod 12)
= 8 pm

Similiarly for Eq 3.

The reason why (X mod 9) and (x mod 3) are interesting is because anytime you have 10 mod X = 1, you can use some mod tricks.
0 mod 3 = 0
1 mod 3 = 1
2 mod 3 = 2
3 mod 3 = 0
4 mod 3 = 1
5 mod 3 = 2
6 mod 3 = 0
7 mod 3 = 1
8 mod 3 = 2
9 mod 3 = 0
10 mod 3 = 1

INANT (I'm not a Number Theorist so please correct me if any of this is wrong! :) but here are a few exampes that should satisfy your curiousity.

Now 909 mod 9 is:
= (900 mod 9) + (9 mod 9)
= (100*9 mod 9) + 0
= 0

Lets try 911 mod 9:
= (100*9 mod 9) + (11 mod 9)
= 0 + (9 mod 9) + (2 mod 9)
= 0 + 0 + 2
= 2

and 974 mod 3
= (300*3) + (74 mod 3)
= 0 + (24*3 mod 3) + (2 mod 3)
= 0 + 0 + 2
= 2

Cheers

Please STOP!

[phliar]

Everyone: just because you start out by writing "I'm no mathematician, but..." doesn't means you can pull crap right out of your ass. Words mean things, and when you talk about math, words mean things exactly. Please don't misuse them.

It's the Sieve of Eratosthenes. A number n is of size log(n). This is a deterministic algorithm; why bring up NP? What is the time complexity of division? And here's a hint: you start with n-digit (n=100) numbers and present an algorithm that runs in time 10^n. This is in P?

Has anyone actually read the paper? The algorithm is outlined, with a complexity analysis. Don't forget, P-time doesn't mean usable.

if N is large

[DinZy]

You have to go out "far enough" in the exponential because N^x+1/(x+1)! > N^x/x! you have to keep going until N/X is negligable. Exp(a*N) always grows faster than N^n regardless of how small a is (a>0)

Not constant...

[Tom7]

> Probabilistic primality testing can be done in constant time with bounded error.

You don't really mean constant time. Just looking at the number is already linear time!

Miller-Rabin is also polynomial time (admittedly, a much better polynomial than this).

Re:Not constant...

[sasami]

Just looking at the number is already linear time!

Almost. The length of p is log(p). (But yeah, that's more than enough to make Miller-Rabin polynomial, not constant.)

---
Dum de dum.

Re:Not constant...

[Tom7]

When we talk about the speed of an algorithm operating on a number, we talk about the *size of the input*, not the magnitude of the number itself. So, when they say polynomial here they mean polynomial in the size of the input (log of the number), just as when I say linear I mean linear in the size of the input (log of the number).

mod parent up

It's the first sensible post in this subthread.

It's illustrative of a common phenomenon in mathematics. We've known since Goedel that mathematics isn't completely decidable, and we've known since Chaitin that mathematics is even "almost all" undecidable. Yet the fact remains that most problems we are actually interested in seem to be tractable.

So while it's easy to prove that there are problems that can't be done in less than O(n^1000000) time, empirically such a problem never seems to be a worthwhile or interesting problem. The division between polytime and exptime has proven to be a good one in practice even if it's theoretically possible to get a really bad polytime algorithm.

smart guy

[charmer]

I went to school with this guy at IIT, Kanpur. He is smart, and had a great advisor, Somnath Biswas for his PhD. Looks like IIT,K did away with their policy not to hire people educated at IIT,K, since he is a professor there now. Maybe they made an exception.

charmer

Re:smart guy

policy was repealed some time back i think. quite a few are there. only prob is that iitk grads cringe from the idea of returning there( most of the telus do:-)

Re:smart guy

[ketanm]

Very true.....I am a recent pass out. The policy has again implemented of not taking in IITK grads as profs.

All said and done..

Let's take a count:
How many could go beyond Lemma 3.1 ??

My guess is that, it would take atleast a week for even a math /theoretical CS major to assimilate exactly how it works.

I've never heard of that...

That seems to work. Is there a proof for it? If there is a proof, does anyone have an argument why this isn't polynomial.

Bzzt! Nondeterministic polynomial

While it's convenient to think of it as meaning "non polynomial" it really means nondeterministic polynomial. That means it can be solved in polynomial time but only on an NFA (as opposed to a DFA).

Re:Bzzt! Nondeterministic polynomial

[ssun]

YM NTM/DTM, not NFA/DFA.

He is correct

I'm not sure you you are complaining about. He raised a valid agument and supported it with facts. I see no problems in the post by the post by the "pedantic ass".

Huh?

The first sentence is correct. If there is an error please state what it is. The second sentence is also correct. He is absolutely right about factorization not being the same as knowing primality. Actually there have been fast algorithms for determining primality for years. How do you think all these crypto programs generate primes to use in the keys? The difference is that the older algorithms are statistical in nature and this new one is not.

Re:Crypto repercusions? Probably not.

Interesting idea but there are two problems.

1) There are a _ton_ of 100 digit prime numbers.
2) There are already very fast algorithms for determining primality. How does that jive with the publication of this paper? The algorithms are current statistical. i.e. we are 99.999% certain this is a prime. The new algorithm is not. For your application 99.999% might be good enough.

Parent: +5 Funny

damn fine joke.

*Simpler* proof of X mod 9 and X mod 3

[UnknownSoldier]

I know its bad netiquitte to reply to one's own post, but I can clarify the proof in a much simpler way:

When given a decimal digit d (equal to 0 thru 9), what is: d * 10 mod 3 equal to ?

Using our mod rules:
= (d*9 + d) mod 3
= (d*9) mod 3 + (d mod 3)
= (d*3*3 mod 3) + (d mod 3)
= 0 + (d mod 3)
That is, any digit times 10 mod 3 is equal to that digit.

Similiarly we can extend this to any power of 10.
e.g. d * 100 mod 3
= (d * 100) mod 3
= (d*99 mod 3) + (d mod 3)
= (d*33*3 mod 3) + (d mod 3)
= 0 + (d mod 3)

We can use the same proof for when finding d*10 mod 9.

So, using our previous example:
What is 974 mod 3 = ?
= (900 + 70 + 4) mod 3
= (900 mod 3) + (70 mod 3) + (4 mod 3)
= (9 mod 3) + (7 mod 3) + (4 mod 3)
= (9 + 7 + 4) mod 3
= 20 mod 3
= (2 mod 3) + (0 mod 3)
= 2

Re:*Simpler* proof of X mod 9 and X mod 3

[Genyin]

I know its bad netiquitte to reply to one's own post
Slashdotiquitte is bad netiquitte... ;)

Re:*Simpler* proof of X mod 9 and X mod 3

[UnknownSoldier]

Hehe.

Or "Trashdot. The tabloid of the tech news." as one of my friends calls it.

Apparently correct

[Alomex]

The local expert says that the buzzword in the crypto community is that the algorithm is apparently correct. The fact that is so elementary makes it less likely to be wrong.

We will have to wait a few days to be certain...

Practical crypto sizes... Faster Algorithm

[billstewart]

Thanks for a discussion discussing actual speeds! O(logn**12) is pretty slow, but the paper also says that if a widely held conjecture is true, the algorithm should usually run in time O(logn**6), which is much less bad. That says that doubling the key length increases the run time by only a factor of 64, not 4096. I don't know if your run time examples are realistic, but this could make it occasionally usable.
The authors also conjecture that if certain things are true, the algorithm could be changed to an O(logn**3) algorithm, which would be quite practical, perhaps competitive with the probablistic tests.

In practice, most public-key crypto algorithms formerly used 512-bit or 1024-bit keys, and are tending to do 2048 bits today. A few paranoids use longer keys just because they can, but 2048 is generally believed to be good enough. Existing factoring technology has cracked 512-bit keys, and I think the longest successful crack is about 640 bits. Dan Bernstein's factoring machine proposal has led some people to abandon trust in 1024-bit keys, though other people think that's premature.

Re:Practical crypto sizes... Faster Algorithm

The average-case complexity is constrained by how big r gets. If a suitable r can be quickly found in the first loop, then the second identity will be much easier to evaluate. So it boils down to the average-case size of r. My guess is that a typical r is very small, probably O(log(n)): for a 100-digit number, r is probably not over 3-digits in most cases. I'd like to see a practical implementation and get an idea of the typical range of values for r.

Factoring is still NP

It *is* still NP. It has still not been determined whether P and NP are separate sets (P is a subset of NP, but they may be equal), so factorization will always be in NP, unless someone discovers a P-time algorithm for an NP-complete problem (and thus proves that NP and P are one and the same).

Definitions:
P: Problems that can be solved in polynomial time. ("P" stands for polynomial.)
NP: Stands for "nondeterministic polynomial time" (NOT non-polynomial) where nondeterministic is just a fancy way of talking about guessing a solution (A quantum computer could solve an NP problem in P time, because quantum computers are nondeterministic in nature. I beleive a paper was written recently stating that P=NP in the realm of quantum computing). On a more readily accessible level, an NP problem is one that can be verified given a certificate (solution) in polynomial time.

For a bit more info, see:
http://www.ics.uci.edu/~eppstein/161/960312. html

Prime in O(1)

[seangw]

We can easily do this:

x is Prime in question
P is set of all primes

if ( x elemOf P ) Then
output X
end if

Duh.

Re:Prime in O(1)

[muck1969]

Wouldn't P be an infinitely large set?

better practical algorithm

[charmer]

From the paper:


<i> In 1983, Adelman et al achieved a major breakthrough by giving a eterministic algorithm for primality that runs in (log n) ** O(log log log n) </i> <br>

in contrast, this paper suggests an algorithm that runs in (log n) ** 12, which means that the 1983 algorithm would run better for numbers less than:
<strong>
n = (2 ** (2** (2 ** 12)))
</strong>

-- charmer

Re:better practical algorithm

This algorithm probably has a much better average case run time than the worst case O(log^12(n)). It probably finds a suitable 'small' r in most cases very quickly and trivially. The worst case only applies if certain well-known conjectures don't hold.

What I'd really like to see is a graph of the typical value of r versus the size of n from 64 bits to about 4000 bits. This would give us an idea of average case run times.

Re:Big consequences related to encryption

[gomiam]

I thought the division problem was already an O(nlgn) problem, as product is.

Devil's Advocate

[mkldev]

Of course, one should note that not all computer or math theories map equally well onto real-world problems. Some of them fit nicely. The halting problem is a good example of one that doesn't.

In the case of the halting problem, the key to its solution is recognizing that a program's semantics are only known when you examine it in the context of its environment, something which theoretical computer science often ignores.

Computers are finite state machines, with deterministic state transitions (hardware bugs notwithstanding). If you really wanted to do so, you could definitively determine whether a program would halt by exhaustive testing. Run it once. If the system has twenty trillion states, it can take at most twenty trillion minus one instructions to either A. repeat a state (in which case the program will not halt) or B. halt.

That's an extreme example because the number of states is mind-boggling in most systems, but a good approximation can be achieved by looking at only the different states in certain components (e.g. certain registers, RAM, etc.), and by limiting the problem domain, you end up making the solution easier.

In certain cases, public key encryption can be cracked trivially. PK encryption has pattern weaknesses and short data weaknesses that can be exploited. The fact that you can't recover the private key doesn't always mean you can't recover the encrypted data.

Again, if you limit the domain of the problem, it often ceases to be a hard problem. The real question then becomes how one could limit the complexity of breaking RSA. There's a lot of work going on in that area, as I recall. It will certainly be interesting to watch.

Re:Devil's Advocate

[Goonie]

You might make it theoretically possible, but you're not helping much. Consider, say, a machine with 64 kilobytes of RAM and no other state (no registers, no disk etc) - in other words, a very minimal system by today's standards. That gives us 524,288 bits of state, and thus 2^524,288 states.

Your worst case performance is going to be rather crappy :)

math idiots

This is so pathetic. Every time any cs-theoretic problem is mentioned on /., everyone comes out of hiding clamoring for people to explain the issue, asking for an explanation P and NP, or making grand statements based on nothing but an undergraduate math background, if that.

Get a clue. Using google is much more useful than being a leech and expecting other people to explain everything to you. These threads can be condensed down to a handful of useful and funny comments. The rest of you should STFU and read a book.

In practise, this algorithm does nothing new...

[Shade,+The]

There is already an algorithm which can find out if a number is prime or not, and has been around for some time. Or, at least, it can say that a number is "probably" prime. And, if that probability is, say 2^400 - 593, (i.e. 0.9999999...), then in practical terms this is good enough. When you get to probabilities that are so high that computer component failiure is more likely, it ceases to matter that the solution isn't quite perfect.

Discovered by Micheal O. Rabin, it depends on the notion of integers being a "witness". If one witness number can be found, the number is not prime. According to theory, if the number is not prime, then more than half of the integers in the set {2, 3, ... , n - 1} are witnesses. So obviously, the more numbers tested for "witness capability", the lower the chance of the number being prime.

A witness number is defined to be any integer w satisfying either of the two conditions below:

1. w^(n-1) = 1 mod n
2. For some integer k, m = (n - 1) / 2^k is an integer and 1 < gcd(wn - 1, n) < n

So this discovery, is not, in fact, anything that will lead (at least directly) to anything new at all.

Re:In practise, this algorithm does nothing new...

Miller-Rabin is a probabilistic test for primality. What it finds are 'pseudoprimes', i.e. numbers which are either primes or composites that satisfy most properties of prime numbers.

This test is deterministic. It finds a succint certificate, r. It then evaluates an identity to determine whether the number is prime or composite, thus adding 1 bit of information to the certificate.

The numbers that it certifies as prime, are prime, and the numbers that it certifies as composite, are composite. It terminates in polynomial time. It is simple, elegant and does lots of things that are new. The end.

Re:In practise, this algorithm does nothing new...

[ketanm]

If you talk about practical implementation, then can you explain of what advantages this new test has over Miller-rabin test?

Prime Number DB!

[JonathanTWilson]

Why doesn't some Math's dude just make a massive, and I do mean massive prime nubmer database??? There are lots of people who love putting terabytes of data into databases why not do it with something useful like Prime numbers???? Then have it avialble on-line. Lets really test the limits of MySQL.

Re:Prime Number DB!

[dbretton]

Take all of the prime numbers that have been computed to date, and you could fit it all on a floppy, with probably room to spare for a Word document.

Re:Prime Number DB!

[too_bad]

Not exactly what you want. But interesting: Here is the list of all the largest known primes (at their time): http://www.utm.edu/research/primes/ftp/all.txt

First quote from Knuth

[marko123]

Everyone in slashdot drops his name, but you, sir, have quoted from his books.

Therefore, you have the largest hoodaddy in the thread.

(My time between girlfriends is polynomial)

Re: Use Double Keys DUH!

[tbo]

Ah you know most people who use the pair key system of encryption never have to worry about whether primes are factorable or not..

I'm working more on the physics side of quantum computing, not the computer side, so I don't know quite as much about crypto as I'd like. I can see how it might be possible to have perfect forward security (which is what you're talking about) in a real-time two-way communcation scenario, but not in a one-way asynchronous situation like PGPed emails.

Can you elaborate? I couldn't find anything with a Google search.

Primes and Factoring Primes in P

[sambo_shacklock]

In fact, both of these problems are at most O(n), and can be solved the same way.

For each in test n%i=0. if there exists a i such that n%i=0 then the number is not prime. If you're trying to factor a product of two primes, then you've found one factor (and the other is easy to find:).

In fact, the fastest algorythm that we've discovered for factoring a product of two primes is O(sqrt(n)). The problem is that 'n' is so big---1024 bits (oh for a constant time algorythm:)

Anti-disclaimer: I did indeed take a cryptography course a few years back.

Tim

Re:frist ps0t

So primes are in p, huh? Maybe that's why it tastes the way it does.

Re:for the sake of our eyes [OT]

Seeing as how Adobe is the one that attacked Dmitry Skylarov, maybe we shouldn't be encouraging use of their products anyway.

Re:Big consequences related to encryption

[kreyg]

A few years ago, they only updated the date. They changed the number on my most recent card because they added some digits, no idea if they're going to change it next time.

The point was less about my CC specifically, and more about "which numbers have I sent across the 'net that I'd rather nobody know?" I'm sure there are a few, from vital things to personal information that is supposed to be confidential.

Oh yeah?

Then what's he doing with that "Jump to Conclusions" mat? ;-)

101*3*3

[wiredog]

nuff said

Re: Use Double Keys DUH!

[God!+Awful]

You can have perfect forward secrecy for dynamic communications, but the standard perfect forward secrecy algorithm (Diffie-Hellman) can also be cracked by a quantum computer.

-a

Don't be a fucking moron

Our code base has a very, very, very low bug rate and no one is ridiculous enough to create such an assinine variable name.

i doesn't mean shit to anyone, and therefore is a crappy name for a variable. The fact that you buy into the age-old adage that you can use crappy names for loop variables indicates you don't have the ability to think for yourself.

Find a new profession.

Re:Don't be a fucking moron

OK look, find me ONE SINGLE BOOK (okay, two, because obviously you got your fuckhead ideas from somewhere) where it suggests using anything other than a single letter variable for an index. You haven't done anything except blow shit out your ass.

Re:Don't be a fucking moron

OK look, find me ONE SINGLE BOOK (okay, two, because obviously you got your fuckhead ideas from somewhere) where it suggests using anything other than a single letter variable for an index. You haven't done anything except blow shit out your ass.

Wrong, fuck-nut. Not every idea comes from a book. I look at shit-for-brain code where people use shit-for-brain variables (like you do, obviously), and I see that it produces shit-for-brain code. I don't like shit-for-brain code so I realize - hey, one letter vars are a shit-for-brain idea. Let's not use them. In fact, the minimum length variable name I ever use is 3 characters.

Maybe you're incapable of an original idea, but not everyone is as lame as you.

If you can give one real good reason why i and its ilk is obvious or a good idea, I'll be impressed. The fact that people use it in demo code and crappy excuses like that is not a good reason.

Re:Don't be a fucking moron

see this

But he is a fucking moron

I read this and could tell right away this guy was a moron. I've seen his type before. He has a minimum extreme and a maximum extreme and doesn't believe in anything else in the middle. The fact that he thinks that "i" and "maximumIterationsAllowedForThisLoop" are the only two options brings home that he is a junior programmer (or never progressed up to that level).

Also, not everyone programs in C/C++. He assumes you do - another indication of "black and white thinking". While he's at the pub, I'm sure you and yours are producing quality code.

Re:But he is a fucking moron

OK, black and white thinking would be assuming that variable names have to be long bloated affairs regardless of context. i in itself is completely obvious, and requires no further elaboration. As stated earlier, p is probably not adequate to indicate a prime number, unless it is a small function that is being used in a program that has to be viewed by a small number of people. Black and white thinking is applying the same idea regardless of little things like this that get in the way. People who can think for themselves use i and get on with the fucking program.

Re:But he is a fucking moron

. People who can think for themselves use i and get on with the fucking program.

People who can think for themselves use useful, creative names. Anyone moron can use 'i'. It takes no thought whatsoever.

You don't even see the contradiction in your own thought processes.

What a luser!

Re:But he is a fucking moron

Yeah yeah, I have been trolled. har har.

re: "Factoring might still be NP" - question

[markgriffith]

Just wondering though if there are regions of the number line where as yet unused primes of useful size [large enough to make hard ciphers, small enough to be manageable] are few enough in number to make a primality test like this useful to surveillance agencies.....

.....not of course as a way of factoring large composites, but just for the sake of collecting a big list of suitable cipher-making primes in that region of size for later testing of large composites in other people's ciphers?

I mean that, aside from the mathematics, for full-time crackers and coders chunks of the number line might have a kind of political geography, with sections of the naturals known or believed by insiders to contain primes used by this intelligence agency or that surveillance group for this or that kind of encryption. The task might be ridiculously huge overall, but in local regions of the naturals, sections of suitable keys for some applications or machines might seem worth mapping, in someone's view.

In that context, surely a new classical primality test [especially if used to develop an improved probabilistic primality test] might make quite a difference, indirectly, to helping someone much more quickly factor large composites, no?

FAQ: PRIMES is in P little FAQ

I wrote a little FAQ that answers allot of the questions that were asked here, and resolves allot of the misconceptions. You can read it at http://crypto.cs.mcgill.ca/~stiglic/PRIMES_P_FAQ.h tml Enjoy! --Anton