Turns out, Primes are in P

zorba1 writes "Manindra Agrawal et. al. of the Indian Institute of Technology Kanpur CS department have released a most interesting paper today. It presents an algorithm that determines whether a number is prime or not in polynomial time. While I haven't gone through the presentation in detail, it looks like a promising, albeit non-optimized, solution for the famous PRIMES in P problem."

Re:Huh

[zapfie]

Um, if you don't like nerdy stuff.. I hate to break it to you, but this might not be the place for you. :)

Nobel Prize Time

[flonker]

If I'm reading this correctly, we've got a nearly guaranteed winner of the Nobel Prize here.

Re:Nobel Prize Time

[RackinFrackin]

If I'm reading this correctly, we've got a nearly guaranteed winner of the Nobel Prize here.

This would be more in line for a Fields Medal than a Nobel Prize.

Re:Nobel Prize Time

[EvanED]

What category? Unfortunately, there's no mathematics Nobel Prize. I realize that they consider applications, but I don't see many in physics, chemistry, medicine, economics, peace, or literature.

Re:Nobel Prize Time

[amnesty]

There is no Nobel Prize for math. The Fields Medal is given for contributions to math.

Justin

Re:Nobel Prize Time

[orz]

What category? Unfortunately, there's no mathematics Nobel Prize. I realize that they consider applications, but I don't see many in physics, chemistry, medicine, economics, peace, or literature.

The Nobel Prize for literature of course.

Re:Nobel Prize Time

[fatphil]

ECPP is already polynomial time with theoretical exponent ~6. However, the
best ECPP implementation out there, Marcel Martin's 'Primo', seems to behave
as if it has exponent ~4.5-5.
ECPP is non-deterministic though. But it looks like this one is too.

So this looks as if it may be worse than the state of the art.

I'll wait for Lenstra and Pomerance to say their piece though, before making
my mind up.

FatPhil

Re:Nobel Prize Time

[retiarius]

ah, but lenstra & pomerance are in the
acknowledgements as reviewers.

if they're not up to snuff, try the ghost
of ramanujan.

Re:Nobel Prize Time

[khuber]

Everyone knows Nobel's wife cheated on him with a mathematician so, out of spite, there is no Nobel for mathematics!

-Kevin (yes I know that isn't true - Nobel never married)

Re:Nobel Prize Time

[fatphil]

Where did you find out that they were reviewers?

However, word on teh grapevine I have access to says that it seems
that Henrik Lenstra (not to be confused with Arjen), has already
declared taht he believes the proof to be correct and elegant.

And that's about as high a recommendation as it gets.

I'll try to knock up an implementation of his algorithm some time soon, and
see what the practical big-Oh looks like.

Phil

Re:Nobel Prize Time

[distributed.karma]

Mathematical discoveries can be awarded the Nobel Prize in some cases, if the discovery has an impact on one of the noble sciences. For example, we all should know now that John Nash won the Nobel Prize for Economics, although his theory was purely mathematical.

Re:Nobel Prize Time

[shiva]

But the Nobel Prize in Economics is not a true Nobel Prize. It's given out by a bunch of Swiss bankers in "honor of Nobel."

for the sake of our eyes

[fatmav]

the ps version looks much better:
http://www.cse.iitk.ac.in/primality.ps

Re:for the sake of our eyes

[fatbitch]

he should have used dvipdfm

Re:for the sake of our eyes

[Soft]

pdflatex doesn't always work - try it with prosper slides for instance - and the times package is obsolete.

Either use package txfonts or maybe pxfonts (uses only PostScript fonts), or mathptmx (keeps Computer Modern fonts for math, but this doesn't always work), or install the vectorial T1 version of the ECM fonts and make sure those are used instead of the bitmap ones.

Re:for the sake of our eyes

[the+way,+what're+you]

apparently it's been moved:
http://www.cse.iitk.ac.in/news/primality.ps

Re:for the sake of our eyes

[Oberon]

Using teTex, the way to avoid the ugly (Type 3) fonts in the pdf version is to use the flags
-Pamz -Pcmz
when invoking dvips. Then ps2pdf will produce a pdf containing good-looking Type 1 fonts.

What's Polynomial Time?

[Stephen+VanDahm]

I don't know anything about theoretical CS. What's polynomial time?

Steve

Re:What's Polynomial Time?

[orz]

They're saying the the time T necessary to determine whether or not an N digit number is prime satisfies this equation:

T a)
for some value (can be any finite value) of k and a.

Re:What's Polynomial Time?

[Goonie]

The technical definition is kinda long and complex, but in essence it's like this. Given a problem of some size n, a polynomial time algorithm is guaranteed to give a solution in time proportional to a polynomial of n. If a polynomial-time algorithm exists that solves a problem, then the problem is said to be in polynomial time.

To give an example, say you've got a list of numbers and you want to know the sum. That can be done in linear time - ie, the time taken is proportional to the length of the list of numbers. The size of the problem (n) is defined by the length of the list and the time taken (T) is as follows: T = c1 * n + c0, where c1 and c0 are some fixed constants. The formula for T is a polynomial, and so the problem "LIST-SUM" is in polynomial time. It would still be in polynomial time if the formula for T was a polynomial with n^2, n^3, n^50 terms in it, or even terms like n^1.5 (because as n grows very large an n^1.5 term will always be smaller than an n^2 term).

Showing you an example of something outside polynomial time is a little more difficult, but some standard examples are SAT (the satisfiability problem) or the travelling-salesman problem, which you can read about in any book on the subject.

Re:What's Polynomial Time?

[jeffy124]

a simple way to think of it:

an NP-complete (NP=non-polynomial) problem is one that can be solved, but takes about 8*age_of_universe time to solve. To get around this, approximation algorithms are used, but these can never give a 100% guarantee of finding the correct solution, nor may provide the same solution if it were to execute on the same data twice.

a polynomial-time problem is one that can be solved within our lifetimes, guarantee 100% accuracy, and can always generate the same solution for the same data.

there's a LOT more to it. The book Intro to Algorithms has a good chapter on the topic of NP-completeness, which will explain the intricate and gory details.

Re:What's Polynomial Time?

[MrCreosote]

Isn't it some kind of new marketing campaign by Swatch?

Re:What's Polynomial Time?

[platipusrc]

NP stands for Nondeterministic Polynomial.

ie, it can be completed by a nondeterministic machine in polynomial time. The main problem with NP algorithms is that there aren't any nondeterminisitic machines around. (A nondeterministic machine can attempt all paths to try to reach a conclusion at once whereas a deterministic machine can only try one at a time.)

Re:What's Polynomial Time?

[Kaz+Riprock]

Back in the days of parachute pants, leg warmers, and the 80's, there was a man....a man with a rapping and dancing vision. His name...

MC Polynomial.

And he sang a song..."P can't Touch This". Before the drum break of this song, Poly sang:

It's a prime, because you know
P can't touch this
P can't touch this
Stop...Polynomial Time...

Thus giving rise to a branch of mathematical order functions denoting the complexity of a problem...

Either that or it's defined pretty well here.

Re:What's Polynomial Time?

[Goonie]

Well, there are things that are definitely outside polynomial time - the halting problem for instance, which is undecidable no matter how much time you have. There are also problems that provably take exponential time even on a nondeterministic Turing machine. However, you are quite correct that TSP or SAT just might be in P (but it's pretty damn unlikely).

I was trying to keep it simple because the original poster said that he didn't know anything about theoretical CS.

Re:What's Polynomial Time?

[DaveUIUC]

SAT and the travelling salesman have not been proven to be in P. They're both NP-Complete, which means that if they /are/ in P, then P = NP. While it's very likely that neither are in P, it's still far from being fact.

Re:What's Polynomial Time?

[Salsaman]

There is a remote island in the South Pacific called 'Polynosia' (not to be confused with 'Polynesia').

The island has a number of strange customs.

1) All the women on this island are called 'Polly' in reverence to the island's god, Polynose.

2) The men of the island are very philosphical (maybe because all the women are called Polly, so it gets very confusing). They spend most of their time poring over mathematical problems.

3) The island has strict laws on the use of technology. Telephones are not allowed, aircraft are not allowed to land there, in fact the only way to reach the island is by boat, nevertheless it is very popular with tourists.

4) It is considered offensive to Polynose for anyone who is not a Polynosian woman (a Polly) to prepare food. Since the island is popular with holiday makers though, all of the enterprising Polly's have opened small restaurants called 'Polly-meal-time'.

The men of the island, in order to discuss their mathematical musings, recently opened a cafe. To distinguish this from all the restaurants, they named it 'Polly-no-meal-time'.

The article reports that recently a boatload of mathematicians visited Polynose, and told the island's men how to check if a number is prime.

Thus the headline 'Primes can now be solved in Polly-no-meal-time'.

/me ducks :-)

Re:What's Polynomial Time?

[zakharin]

The halting problem is not necessarily outside of P either since it certainly is in NP and we do not know that P!=NP

Re:What's Polynomial Time?

[RickL]

You forgot to mention that the philosophers sit around a big table in the cafe. They spend their time either eating or thinking. Between each philosopher is a chopstick. In order to eat, the philosopher must have both of the chopsticks. If they don't have a good strategy, then they starve.

Re:What's Polynomial Time?

[DaveUIUC]

The halting problem isn't in NP (this was proved by Turing). Since P subset NP, the halting problem can't in P either.

Re:What's Polynomial Time?

[jirka]

Something with a time of (in seconds)

99999999999999999999999 * n^555555555555

Is in P, yet not solvable within our lifetimes. P just tells you the GROWTH rate, not the absolute time. NP complete problems (with current non-P algs) for small numbers are doable within seconds too. P problems are quite often too slow just as well. Any alg that does n^2 will kill your puter on even fairly small n just as well.

Re:What's Polynomial Time?

[phliar]

NP=non-polynomial

Wrong. NP is the class of "non-deterministic polynomial-time" algorithms.

Another way to think about it is: can a proposed solution to the problem be checked (deterministically, of course) in polynomial time?

an NP-complete problem is one that can be solved, but takes about 8*age_of_universe time to solve

Wrong again. If you have a class C, the class "C-complete" represents something like the kernel of class C -- roughly, if you can solve a problem in C-complete defined under some restrictions, then you can solve any problem in C under those restrictions. Example: if you can solve a problem in NP-complete -- say 3-SAT -- in P time, then you can solve any problem in NP in P time.

a polynomial-time problem is one that can be solved within our lifetimes

Not encessarily. An n^{large-number} is not realistic to use for any non-trivial n. Anything above a cubic is not really usable.

Re:What's Polynomial Time?

[Jay+L]

Not to be confused with MC Hawking.

Cryptography

[jesterzog]

Out of interest, will this finding have any impact on the effectiveness of present day cryptography?

Re:Cryptography

[God!+Awful]

Out of interest, will this finding have any impact on the effectiveness of present day cryptography?

Probably not. While it is possible that this research could lead to results in speeding up factoring, a faster algorithm for determining whether a number is prime is not going to compromise the security of RSA.

Your RSA key pair is derived from 2 large primes. The way we generate keys is to randomly test large random numbers to see if any of them are prime. Ergo, we must already have an efficient formula for determining if a number is prime or not.

FYI, the most commonly used algorithm is Euler's formula. Euler's formula doesn't actually tell you if a number is prime, but it will usually give a non-zero output if the number is not prime, so if you run it enough times with different inputs, you can be 99.99999% sure that a number is prime. However, a small percentage of numbers are "pseudoprimes" -- numbers that are not prime but which will also satisfy Euler's formula. Therefore, after you discover a candidate prime, you should use a different (slower) formula to double-check.

Since this is fairly common knowledge among geeks who use encryption, I'm somewhat surprised that so many people here jumped to the same conclusion you did.

-a

Re:Cryptography

[Valar]

obviously, any attempts to factor a composite into primes should have a good list of primes...this would help in generating that...but then again...it would make creating really big (tm) keys easier too...

Re:Cryptography

[davidcash]

what is this "euler's formula" of which you speak?

i thought miller-rabin was the most commonly used primality test.

Re:Cryptography

[MatanZ]

Why would proving that "factorization is in P" break modern public key cryptograph?

If you need to factorize a 128 bit number, and you have O(n^12) method, than you'll still need 2^84 steps.

Re:Cryptography

He didn't jump to a conclusion. He asked a question.

Re:Cryptography

[God!+Awful]

what is this "euler's formula" of which you speak? i thought miller-rabin was the most commonly used primality test.

I had trouble finding a good reference for this. As I mentioned before, the Euler test is very fast, but it is vulnerable to pseudoprimes. After you find a candidate, you may want to double-check it with another algorithm, such as Miller-Rabin. Here's a crypto library that uses both.

-a

Re:Cryptography

[Erpo]

I totally agree with you. Now we know a little more about primes - that's all. My post was in reply to all of the previous posts saying something to the effect of "Doesn't this have a huge impact on modern cryptography?" and "Well, looks like RSA is broken..."

Re:I always thought is was in P

For P, it has to be polynomial in the size of _the input_. The input size here is log(n) since it requires log(n) bits to represent n. log(n)^12 hence is polynomial (which i believe their algo guarantees), whereas sqrt(n) is not.

If this is true...

[Jon+Howard]

They could have easily taken over the infrastructure of a modernized computer-bent, encryption-shielded society such as the US or Japan. If that is indeed the case, these guys deserve a Nobel Peace Prize for giving this powerful tool to all and not using it as a weapon of war.

This does, however, sound unlikely. Any mathematicians out there care to comment?

Re:If this is true...

[ipfwadm]

They could have easily taken over the infrastructure of a modernized computer-bent, encryption-shielded society such as the US or Japan.

Primality testing and factorization are not one and the same. It is possible to know that a number is not prime without knowing its factors. Breaking encryption requires factoring the product of two huge primes (it is already known that the number you're trying to factor is NOT prime, so Primes being in P is more or less useless by itself for this particular application), and factorization has yet to be shown to be in P.

Re:I always thought is was in P

[Walker]

What are you referring to as your input size n in O(n)? The number p? The correct size n is the number of digits of p. That algorithm is definitely non-polynomial for that (correct) n.

Crypto repercusions?

[Toodles]

I am by no means a heavy duty math cruncher or cypherpunk, but how exactly is this going to affect number and factoring? I don't know of any advanced prime number search algorythms, but Sieve of Erothenes (did I get that right?) solved in NP time. (Each number is check is evenly divisible by an earlier prime, and if none found, add to list of primes, lather rinse repeat)If primes can be found in P time, finding the first 50 prime numbers would take the same time as finding the first 50 three hundred digit primes.

While that may not be thrilling at first, let's use the RCA contest for money as an example. We get a 1024 bit number containing 200 digits in decimal formm, which is the product of exactly two prime numbers. We know then that:
1. We only need to find one prime to easily find the other.
2. The digits in the factors can total no more than 200 digits.
3. One of the factors contains less than 100 digits.

Start at 10^100 and count down using this algorythm, and youll find it in P time instead of NP time. It'll still take forever, literally and figuratively, but wouldn't it take significantly less time than before?

Toodles

Re:Crypto repercusions?

[Eu4ria]

If the old method took 'forever' and the new method takes less time than that. Just how long is that? Isn't it almost like saying infinity-1 :)

Re:Crypto repercusions?

[DavidTC]

Pssst. 3 is
3. One of the factors contain less than or exactly 100 digits.

Now wouldn't you feel silly if they both were exactly 100 digits prime and you spent all that time look at 99 digit primes and below? ;)

Re:Crypto repercusions?

>I am by no means a heavy duty math cruncher or cypherpunk
.
.
.
>Start at 10^100 and count down using this algorythm

You do realize that there are 99999999999999999999999999999999999999999999999999 9999999999999999999999999999999999999999999999999 numbers between 10^100 and 10^99, don't you?

Re:Crypto repercusions?

[_LFTL_]

Start at 10^100 and count down using this algorythm, and youll find it in P time instead of NP time. It'll still take forever, literally and figuratively, but wouldn't it take significantly less time than before?

None of the other replies have really clearly answered your question. I haven't finished the paper but it sounds like their algorithm is only a primality test. It only tells you whether a number is prime or not. If it is composite it doesn't tell you what the factors are which is what you really need to be applicable to RSA. Considering that eariler primality test could give you a relatively confident guess as to the primality of a number this will likely do very little for cracking RSA

Scott

Re:Crypto repercusions?

[mlc]

Start at 10^100 and count down using this algorythm, and youll find it in P time instead of NP time. It'll still take forever, literally and figuratively, but wouldn't it take significantly less time than before?

Ah, no. First, note that a 2^1024-big number has more than 300 decimal digits, and so a 2^512-big number has more than 150. Then, even if primality testing took only 1 operation, we'd still need to perform something like 2^511 operations by your method. At 10^24 (one trillion trillion; unfathomably many) operations per second, this'd *still* stake 10^112 times longer than the estimated lifetime of the universe (1.5*10^10 yrs) to complete!

There are, however, faster ways of factorization than testing all the numbers in (1..sqrt(N)) to see if they are factors of N. They are not noted in (or relevant to) the paper mentioned by this article.

[nb: See other comments for why this is, in *practical* use, not such a big improvement on Miller-Rabin and other randomized methods which have been known for decades.]

Re:Crypto repercusions?

[khuber]

Don't you mean 9000000.....?

-Kevin

Re:Crypto repercusions?

[a_n_d_e_r_s]

Think again.

The larger number is 10 times larger than the lower number so all number in between must be nearly 10 times larger than the lowest number - so it requires a number with something like 100 digits to represent. (You do the exact math )

The result should be all nines of course.

Re:Crypto repercusions?

[jannic]

Then please show me the 99 numbers between 10 and 100 :-)

Re:Crypto repercusions?

[a_n_d_e_r_s]

Sorry, you are right the number should be a 8 followed by a large number of nines.

The answer for 10 and 100 is of course 89.

Re:Crypto repercusions?

[n1vux]

Beautiful Troll!

This is an excellent mockery of the "I am not a mathematician so I'll share my opinions anyway" sort of comment. The misspellings of key words are excellent too.

But what dunces marked it Informative? Funny, yes, Troll, yes. On a real crypto board it would be flaimbait.

(Disclaimer: I am not currently a practicing mathematician or computer security researcher, but I once was, many years ago.)

mod parent up

[orz]

it's the only correct reply so far

If this turns out to be true...

[angramainyu]

...then you can bet the NSA has had this algorithm for decades.

Re:If this turns out to be true...

[jasonditz]

They'll have had it for decades as soon as they have time to read through it and edit all the past documentation they have :)

Re:If this turns out to be true...

[danro]

...or not working in the US at all.

Re:Big consequences related to encryption

[God!+Awful]

Well, encryption based on the multiplication of large primes, anyway.

Yeah... that step in key generation where you check whether a candidate key is prime or not will now be performed with 100% confidence instead of that annoying 99.999999999999999% confidence we used to have.

-a

Oops. HTML

[orz]

They're saying the the time T necessary to determine whether or not an N digit number is prime satisfies this equation:

T N ^ k + a

for some values (can be any finite value) of k and a.

Basically, it's a statement about how well an algorithm scales to REALLY large numbers.

arg. I did it again

[orz]

hm... I'm not sure why it removes comparison symbols when set to plain text... oh well, I wrote out "is less than" this time

They're saying the the time T necessary to determine whether or not an N digit number is prime satisfies this equation:

T is less than N ^ k + a

for some values (can be any finite value) of k and a.

Basically, it's a statement about how well an algorithm scales to REALLY large numbers.

Re:p=np?

[RabeiUsura]

No, because find primes was classified as NP, 3-SAT and others are NP-Complete which are a "superclass" of NP problems.

Cryptography

[Erpo]

They've figured out how to determine if a given number is prime in P time. That, by itself, doesn't break modern public key cryptographic systems. In order to do that, you would need to be able to factor a given number into its two prime factors in P time (a different problem).

Re:arg. I did it again

preview is your friend

Factoring might still be NP

[IntelliTubbie]

For those of you wondering about the implications for cryptography, this does not imply that composite numbers can be factored in polynomial time. This algorithm is simply a primality test -- that is, it tells you whether or not a number has any proper divisors (in polynomial time), but it doesn't tell you what these divisors actually are. Determining whether a number is prime has always been considerably easier than finding the prime factorization.

In fact, for schemes like RSA -- where the key is the product of two large primes -- we already know that the number is composite, by definition, so a more efficient primality test doesn't give us any new information.

Cheers,
IT

Re:Factoring might still be NP

[Paolomania]

Won't this actually make RSA cryptography implementations stronger by enabling better selection of key pairs? I'm not exactly up to speed on crypto, but in the past weren't keys sometimes being selected that were only relatively prime, but guaranteeing that they are truly prime effectively strengthens the practical implementation - and faster primality testing perhaps makes it easier to up the practical key length?

Re:Factoring might still be NP

[EJB]

Key generation for algorithms like RSA already use numbers that are prime with a high probability. There are quick algorithms for that. But key generation algorithms currently don't run for several months to ensure for 100% that the factors are prime.

So perhaps this algorithm makes RSA, DSA, etc. even stronger because it will be easier to guarantee that the factors are prime instead of assuming it with 99,999999999999% probability.

Re:Factoring might still be NP

[Dan+D.]

however this could help with choosing those two large primes for RSA (although I think the algorithms used these days are already highly efficient at finding relatively prime numbers which is all that actually matters)

Re:Factoring might still be NP

[Jouster]

True.

What I'd like to see is a tool that would use this algorithm to verify the pool of five hundred or so private keys I control (since I currently only have a ((1/4)^16) confidence that each half is, in fact, prime.

Jouster

Re:Factoring might still be NP

[epsalon]

This is a common mistake about probabilistic algorithms. Primes was up to now known to be in ZPP. That means there is a polynomial time algorithm that has > 2/3 chance of answering correctly, and 1/3 chance of not answering, independent between trials.

Thus, to check primality, we simply employ this algorith until it answers, and then we could be sure of the answer. This could theoretically take a long time if you are extremely unlucky, but realistically, there's a bigger chance of you suddenly reappearing in China.

Re:Big consequences related to encryption

[DavidTC]

Of course, there's still a larger chance of a cosmic ray flipping a bit in the processor or memory then the math being wrong, anyway. ;)

This may seem like a strange question, but isn't a non-prime that passes the 99.99999999999% check just as good as a prime in encryption? I mean, seriously, is anyone really going to notice it's not prime? Sure, they could accidently stumble on the 'wrong' factors while trying decode it, but, seriously, halving the time to decode your message isn't a huge mistake, considering we're talking on the order of centuries at least. ;)

What is 'x' and how is 'q' calculated?

[Mr.+Sketch]

From looking at the algo, I can't figure out what 'x' (or maybe it's a chi) is? Can someone help? I've looked it over, but couldn't find a definition of it. I'm also assuming that the 'if (r is prime)' line is a recursive call to itself? Also, how do we determine 'q' the 'largest prime factor of r-1' ? Another recursive call to get the factors? I must admit, I'm kind of lost by the algo, but it's still interesting.

Re:What is 'x' and how is 'q' calculated?

[Smthng]

Easy enough,
try b=1...log(a) (log using base 2)

trying each b takes constant time. The number of b's is of order log(n) which is linear in the size of n as required.

Re:What is 'x' and how is 'q' calculated?

[matrix0040]

no you dont need recursive call. as r is O(log(n)) so size of r is O(log log(n))) so if an exponential time algorithm is used for checking the primality of r, it'll be exp in log(log(n)) i.e. linear in log(n)

Same goes with q. as it's "small" you can afford an exponential algoritm.

also x is a variable, those eqns (12) really are polynomial eqns.

Re:What is 'x' and how is 'q' calculated?

[deblau]

From looking at the algo, I can't figure out what 'x' (or maybe it's a chi) is? Can someone help? I've looked it over, but couldn't find a definition of it. I'm also assuming that the 'if (r is prime)' line is a recursive call to itself? Also, how do we determine 'q' the 'largest prime factor of r-1' ? Another recursive call to get the factors? I must admit, I'm kind of lost by the algo, but it's still interesting.

OK, I'll address these points in order:

First off, 'x' doesn't matter. The loop at the bottom checks a congruence of two polynomials over two finite rings (if I'm reading it right, the first is generated by x^r-1 and the second by the input n). Simplistically, this amounts to grinding out the coefficients of the two polynomials and verifying that the difference of the polys equals zero, modulo the ring generator. The actual 'value of x' is never used.

Second, if you check the order statistic calculation, they're assuming worst-case on factoring 'r' (they apply order r^1/2 for that factorization). They then make an assumption that O(r^1/2) = O((log n)^3), or that O(r) = O((log n)^6), which seems rather suspect (as if they knew the answer ahead of time and plugged in a recursive value for it). Nevertheless, they do go to some length to show that such an r exists, and that it requires at most O((log n)^6) iterations of the first loop to find it.

As for 'q', I think again it is determined by brute-force factoring r-1. On the one hand, r is small; on the other hand, that doesn't mean a damn thing when it comes to dealing with order statistics, which I think is also a little suspect.

Re:What is 'x' and how is 'q' calculated?

[fatphil]

x is just a symbol. The proof is performed using polynomial ring.

Doing shit modulo (x^r-1) means that as soon as you multiply your
polynomials together and get any terms over x^(r-1) you can replace
x^(r+d) with x^d, because (x^(r+d)-x^d) == 0 (mod (x^r-1))

e.g. modulo x^2-1

(ax+b)^2 == a^2x^2 + 2abx + b^2 == (2ab)x + (a^2+b^2)

FatPhil

Re:What is 'x' and how is 'q' calculated?

[matrix0040]

well you simply try them all ! since r is "small" its O(log(n)^6), your can just keep going from r-2 to 2 until you find a factor and still be in poly time.

about the second thing, it's also pretty simple just do a loop over the exponent try exp(log(n)/b) if it's an integer then you're good else try another !

Funny

[Alizarin+Erythrosin]

It's funny when I read the comments, and I see all kinds of stuff that reminds me of my Discrete Structures class (we did the P and NP stuff at the end)...

Makes me wonder what this means for computer theory, but if you think about it, polynomial time can still be slow for very large n with very big powers... although not as bad as an exponential with large n's (assuming you go out far enough that the exponential will grow faster then the polynomial)

Kudos to the team that discovered this

I don't think so.

[orz]

Cracking any specific key-length is P, but cracking RSA in general remains NP, since that method requires checking a number of potential primes proportional to 2^(N/2) or so where N is the key size.

I'm dead tired

[Henry+V+.009]

I'm dead tired and will look at the paper in the morning. But right now I have a problem with step 6:
"Let q be the largest prime factor of r-1"
Won't getting q boost the thing back into power n complexity?

Re:I'm dead tired

[Henry+V+.009]

I took a second look, and I'm pretty sure about it. To complete this algorithm for n, for every prime rn, you will need to find the largest prime factor of r-1.

Re:I'm dead tired

[epictetus]

r isn't the input to the algorithm. r is an intermediate number used in the algorithm. It's of size O(log^6 n).

Re:I'm dead tired

[Henry+V+.009]

"for every prime r less than n"

Thank you, lameness filter. I think. I am tired and could have missed it.

Re:I'm dead tired

[epictetus]

the while condition, r < n, is a red herring. The loop will exit when it hits the inner break. It's guaranteed to finish in O(log^6 n) iterations (or so they say--I haven't verified the proof personally!).

Re:I'm dead tired

[Henry+V+.009]

You are right. I was just reading the algorithm down in order. I shouldn't have gotten ahead of myself.

Re:I'm dead tired

[matrix0040]

no it wont as q is "small", as proved in lemma 4.2 r is O(log(n)^6) and so is an upper bound on q. so the size of q is O(log(log(n)) and an exponential time in that will be linear in log(n) !!

If you're confused by "P" and "NP"....

[Erpo]

look here.

Re:p=np?

If by "superclass", you mean problems that are (thought to be) harder than the other set of problems, then yes.
But technically speaking, NP-complete problems actually form a "sub"class of NP problems.
And yes, primes is not _known to_ be a NP-complete problem, so this doesn't really affect complexity of 3-SAT directly.

Implications

[davemarmaros]

There are 2 different problems:
1) Determining if a number is prime [is 909 prime?]
2) Determining the factors of a number [what are the factors of 909?]

This article claims to be able to solve problem 1 in Polynomial time.

However, problem 2 is MUCH harder, and that is the one which will break cryptography as we know it. This article does not claim to solve problem 2, so we're safe for now.

Re:Implications

[Zaak]

Back in the 80s a poly-time algorithm for factoring was given, assuming a poly-time primality test.

Put your money where your mouth is. If you know such an algorithm, you could be very famous very quickly.

Primality testing is very fast. This is what makes RSA usable.

Factoring is very slow. This is what makes RSA secure.

TTFN

Re:Implications

[Zaak]

...that is the one which will break cryptography as we know it.

Only public-key cryptography based on algorithms like RSA will be broken. Symmetric-key cryptosystems will be unaffected.

However, public-key crypto is what makes secure communication possible without prearrangement, so perhaps you are correct after all.

We just have to hope that a discovery that breaks RSA wouldn't break other public-key systems at the same time.

TTFN

Re:Implications

[Indras]

1) Determining if a number is prime [is 909 prime?]

Here, quick math trick that will save people a bit of time. It's always easy to tell if a number is divisible by three, just add all the digits together, and if the result is divisible by three, then so is the original number. 909 = 9 + 0 + 9 = 18 (divisible by three). Oh, and you can take it a step further (18 = 1 + 8 = 9) if the result is still too long.

Therefore, this number showed up right away to me as being divisible by three, and quick division will show that 303 * 3 = 909.

Re:Implications

[ryanvm]

However, [determining the factors of a number] is MUCH harder, and that is the one which will break cryptography as we know it.

Not all public-key cryptography is based on the difficulty of factoring numbers. There are a number of other one-way functions (such as elliptic curves) that are being used in cryptography. So I wouldn't say it'll break crypto "as we know it", but it would certainly freak some people out.

Re:Implications

[p3d0]

Not to mention that if all the digits in a number are divisible by n, then the whole number is also divisible by n.

Re:Implications

[HaeMaker]

Got a proof for this?

Re:Implications

[p3d0]

Er, what does this have to do with what I said? The digits of 37 are not divisible by 5.

Re:Implications

[some+guy+I+know]

Similarly, if the digits add up to 9, or a number that is divisible by 9, then the original number is divisible by 9.
So, we also know that 909 is divisible by 9.

This "digits adding up" thing works for all b-1, where b is even and is the number base.
For example, in hexidecimal (base 16), we know that the number 1E is divisible by F, since 1+E = F.

Re:Implications

[diablovision]

There are a number of other one-way functions (such as elliptic curves)

No, no, no and no. Elliptic curves form a group, and the definition of a group guarantees that the group's operation is invertible.

Secondly, how do you plan to accomplish decryption of a one-way function? By the definition of "one-way" you can't.

Re:Implications

[timster]

This proof is by spontateous invention, so don't sue me if it's screwed up someplace. There's probably a much simpler proof, but proof by induction is fun. Note that I'm assuming base 10, and this obviously doesn't work in other bases.

Start with the first multiple of 3: 3. As this is one digit, obviously the sum of all its digits is divisible by three. Consider this a basis case for induction.

When we add 3 to a number that is divisible by three, either we have to perform a carry, or we don't. If we don't, then the addition operation will add exactly three to the sum of the digits. Since we know (from our induction assumption) that the sum of the digits is already divisible by three, obviously adding three to that sum creates another multiple of three.

If we have to perform a single carry into the tens place (say 9+3=12), then the sum of the digits excluding the ones place increases by 1, and the value of the number (ignoring the ones place) increases by 10. Since we're adding three, obviously the value of the ones place always has to decrease by seven. 1-7=-6, so this operation always subtracts 6 from our total digit sum. Obviously subtracting 6 from any number that is already a multiple of 3 yields another multiple of 3.

What if the carry is compound (99+3=102, or 999+3=1002)? Since we're only adding 3, any place that is affected by the compound carry will have to be a 9. The 9 will always change to a 0. Subtracting nines doesn't hurt our multiple of 3, so we can ignore it. Then, the value of the first place that isn't a 9 will increase by 1, which makes this ultimately the same as the case in the above paragraph.

Thus, the first multiple of 3, 3, has digits that add up to 3, and adding 3 to a multiple of 3 whose digits add up to a multiple of 3 will create a number whose digits sum to a multiple of 3. So by induction, all multiples of 3 have digits that add up to a multiple of 3.

Re:Implications

[kallisti]

Got a proof for this?

Here's a less formal, but possibly easier to understand proof. When you shift a digit, what you are doing is making 10^n * a into 10^(n-1)*a, the difference is therefore:
a * 10^n - a * 10^(n-1)
a * (10^n - 10^(n-1))
a * (10^(n-1) * 10 - 10^(n-1))
a * 10^(n-1) * (10 - 1)
a * 10^(n-1) * 9
Since this number is divisible by 3 (not to mention 9) shifting a digit right is equivalent to subtracting out a bunch of 3s, which won't affect the result of the division. This is why adding the digits is also known as casting out nines.

Re:Implications

[schon]

This is why adding the digits is also known as casting out nines.

I thought that "casting out nines" was a reference to the fact that you can (quickly) find the recursive sum of any series of digits by eliminating every multiple occurrence of the number 9?

Re:Implications

[kallisti]

In school I read a book called Magic House of Numbers by Irving Adler. In that book, adding digits was referred to as casting out nines. Sadly, the book is out of print as it is an excellent collection of math factoids and classic puzzles. I reread over every few years in school and always got more out of it.

Re:Big consequences related to encryption

[jpmorgan]

Maybe, maybe not. If that non-prime happens to be 2^2031, I bet it'll make your encryption really weak. ;)

Re:Big consequences related to encryption

[Goonie]

Uh, no. Just because you can tell whether a number is prime in polynomial time, doesn't mean you can find the factors of a number in polynomial time, as I understand it.

Re:Oh yeah? Well...

[braindead]

• I have developed an algorithm that will determine if any number less than a google is prime in O(1). Above a google it degrades pretty fast, though.

Aha... is that based on a precomputed sieve with 10^100 elements, by any chance? ;-)

(it's googol, by the way. Google.com is obviously not prime, based on the fact that they haven't IPO'd yet)

Re:Big consequences related to encryption

[tbo]

Thank you. I'm glad someone finally pointed out that we already have a classical (as opposed to quantum) probabilistic algorithm for determining primality. Every other fool on this board is running around wearing his/her tin hat and shouting about RSA being defunct. All this does is push primality testing from the BPP complexity class into the P complexity class. It is significant in the sense that it weakens the argument for BPP being larger than P.

Of course, we also have a polynomial-time algorithm for prime factorization (Shor's Algorithm). It's just that it requires a quantum computer, which is difficult to build. So far, the biggest number factored is 15... 1024 bit keys will be safe for a while yet. I believe it's 15 - 20 years until they're broken, if Moore's Law holds for quantum computers in terms of maximum number of qubits possible (so far, it roughly has, but then, we're only at about 7 qubits).

Ignore parent

[God!+Awful]

Ignore the parent post, since it is wrong. The previous poster did a much better job of explaining the concept of polynomial time.

An NP-complete problem does not take 8 times the age of the universe to solve. This completely missed the point. Every P or NP problem can be expressed in terms of a variable "n", which represents the input size. There are many practical problems where the best-known P algorithm is slower than the best NP algorithm for typical values of n. However, computational theory tells us that as n increases, the P algorithm will eventually beat the NP one.

-a

Re:Oh yeah? Well...

[Kwikymart]

google v. [common] To search the Web using the Google search engine,
`www.google.com'. Google is highly esteemed among hackers for its
significance ranking system, which is so uncannily effective that many
users consider it to have rendered other search engines effectively
irrelevant. The name `google' has additional flavor for hackers because
most know that it was copied from a mathematical term for ten to the
hundredth power, famously first uttered by a mathematician's infant
child.

---------

googol
n : a cardinal number represented as 1 followed by 100 zeros
(ten raised to the power of a hundred)

There is a HUGE difference between the two.

Re:p=np?

[allsmileys4u]

mathematicians have been pondering over that prob for decades.. if that works out we'll have fresh prespective of univ..(remember the pendulum, algorithmic univ theories)

We already knew that...

[FalafelXXX]

The famous result by Miller 1976 (and indepdently rediscovered(?) by Rabin 1980) already did that. The only difference is that their algorithm was in RP (randomized polynomial). Namely, if the algorithm says it is prime it might be wrong (with probablity half, say), and if it says that the number is not prime, then it is not prime for sure.

Now, if you have a number n, you run this algorithm, say 20*log(n) times. If the algorithm says it is prime on all executions that it is prime, you know damn sure it is. If it says it isn't, you are sure it isn't. There is a rediclously tiny probablity that if the algorithm claims that it is prime in all executions, that it is still not prime. This probablity is so small, that it can be essentially ignored. Now, random bits are cheap nowadays, so this is quite satisfactory. This is in fact the algorithm that turned the RSA crypto system into a practical and useful algorithm, because suddently finding primes became easy.

To break RSA, and become really famous, one has to come up with a polynomial time algorithm for factoring. It might even be that RSA can be broken without factoring, but this is still an open question (I think).

Ahh, and BTW. Polynomial time means polynomial time in the size of the input. So if the number is n, the size of the input is O(log(n)), and the running time needs to be O( (log(n))^(O(1)) ).

Ok. End of boredom.

Re:We already knew that...

[spitzak]

Does anybody know what happens to RSA if in fact one of the "prime" numbers is not prime? My guess is that this does not make it suddenly easy to break, or make it fail to encode (because either of those would imply a fast way to determine if a number is prime by seeing if it works in RSA). I would guess that a tiny fraction of messages would decode to garbage rather than to the desired text, but does anybody know for sure?

Re:We already knew that...

[fatphil]

I think you're missing the point of Rabin's test.

Rabin's test says that if there is no witness below 2ln^2(n), then the
number is certainly prime.
The repeated-by-a-fixed-small-number PRP-test MR test is still a
compositeness test, or a Probable Primality test, and does not give a
certain answer.

A PRP is not _proven_ prime.

See professor Caldwell's Prime Pages at:
http://primepages.org/

FatPhil

Re:We already knew that...

[stud9920]

There is a rediclously tiny probablity that if the algorithm claims that it is prime in all executions, that it is still not prime

It's your spelling that's rediclous. This is ludacris.

Re:We already knew that...

[zenyu]

Yeah, in fact someone told me about a determinastic polynomial algorithm almost a year ago. Maybe he was a reviewer for this paper, I dunno. But I assume someone more knowledgable will pipe up on this eventually. What I know is that there are some known composites that look like primes to the Miller and Rabin algorithms, and they can wreak havock to encryption. I think there is a test for these, but there may be more of em out there. Carmichel is the name that pops in my head, but I'm probably wrong.

In anycase, for cryptography you would probably run the randomized algorithm on a bunch a numbers until you found a number to be a prime with high probability, then you would run this to verify that it is a prime with higher certainty. The certainty sorta depends on the length of the proof for this algorithm. Since for a sufficiently complex proof there is a non-zero probability that the proof is not correct, and the probabilistic algorithms often have simple proofs that we may be more certain of.

Re:We already knew that...

[Mornelithe]

I probably really shouldn't be replying, because it's been a while since I read how it works, but I can copy the algorithm and tell you where I think it would break (if at all). Please correct me where I'm wrong.

1. Generate two random primes p and q
2. Calculate n = pq and phi(n) = (p - 1)(q - 1) = n - (p + q) + 1 (Note: phi(n) is the number of primes less than n (Euler's totient function, I believe). phi(p) = p - 1 for prime p, and phi(pq) = phi(p)phi(q) for p relatively prime to q (note, this step breaks if p or q aren't prime))
3. Generate e
4. Calculate d, the inverse of e (mod phi(n)) (i.e. d*e = 1 (mod phi(n)))
5. is the enciphering key, is the deciphering key
6. For plaintext P, you get ciphertext C by doing: C = P^e mod n, and get P back by doing P = C^d mod n

So, now there's the matter of why it works. Here we go:

• Because of Fermat's Little Theorem, we know that a^(phi(n)) = 1 (mod n)
• Since ed = 1 (mod phi(n)) we have: ed = 1 + k*phi(n) for some integer k
• So, if we encipher and decypher, we have: (P^e)^d = P^(ed) (mod n)
• Which also means we have: P^(1 + k*phi(n)) = P*(P^(k*phi(n))) = P*((P^phi(n))^k) = P*(1^k) = P (mod n)

So when p or q are not prime, phi(n) != (p - 1)(q - 1), so when you calculate d, you'll get something that doesn't negate the encrypting process (because its not a multiplicative inverse mod the real phi(n)), so you'll probably get junk when you decipher.

I don't really feel like doing a detailed analysis of the algorithm, but I imagine that this isn't used as a primality test because it's running time probably isn't polynomial time.

Re:We already knew that...

[Alsee]

Only if using binary to represent the number.

Nope. You need to learn what O() means.

He never said log2(n). He said log(n) without a base. O() measures what happens when n gets arbitrarily large and the statements are true for ANY fixed base. That's why no base it given, it is irrelevant. The difference between log2(n) and log10(n) is a fixed factor of 3.3. The O() of a problem tells you weather it takes you microseconds or gigayears to solve it. There really isn't any meaningful difference between 1 microsecond and 3.3 microseconds, or between 1 gigayear and 3.3 gigayears.

And here's the kicker: Nothing prevents me from using a base equal to the number itself.

As I said, O() measures what happens when n gets arbitrarily large. If you are using an arbitrarily large base then what you've got is a quantum computer. This problem and the harder problem of actually finding the factors have already been proven solvable in polynomial time for quantum computers.

-

Re:We already knew that...

[Mornelithe]

By the way: Many thanks to Sarah Flannery, the author of In Code, whose book I paraphrased the algorithm/proof above from (luckily it was sitting on the table in front of me).

Re:We already knew that...

[plaa]

(Note: phi(n) is the number of primes less than n (Euler's totient function, I believe). phi(p) = p - 1 for prime p, and phi(pq) = phi(p)phi(q) for p relatively prime to q (note, this step breaks if p or q aren't prime))

A slight error: phi(n) is the number of positive integers less than n, which are relatively prime to n (ie. gcd(n,x)=1). Therefore, if p is a prime, it is also relatively prime to all smaller integers, so phi(p)=p-1.

The function that tells the number of primes smaller than n is pi(n), the prime counting function.

Refs: Totient Function Prime Counting Function (MathWorld's luckily back online!)

Re:We already knew that...

[thogard]

When you build a key with from two primes you have two keys that work, one is private and one is public.

When you build a key with three primes you have one public key, one private key and two that will work for the hackers.

When you build a key out of four primes you end up with the two keys you expect and 6 or 9 others.

You can do this by building your own RSA like system with 32 bit keys and plug in some small random even "prime" and see how many other keys work.

Not all keys work but some of the combos will.

Re:We already knew that...

[CProgrammer98]

Sheeeesh.

The words are spelt "Ridiculous" and "Ludicrous"

Why do geeks have so much trouble spelling these two words?

Other pet hates include confusing "your" and "you're", and "loose" and "lose"...

Re:We already knew that...

[thogard]

All primes above some low number of digits are pseudo-primes. Pseudo-primes aren't proven prime by attempting to factor all numbers smaller than it, but are proven by a number of tests that seem to indicate that the number is prime.

For testing why things break because you can factor a supposedly prime number, an even number will work as well as any other and its sure speeds up the factoring if you have to do it by hand.

Knuth has some interesting bits on this in his books.

Re:We already knew that...

[Mornelithe]

Oh, yeah, thanks.

I probably should have caught that there aren't p - 1 primes less than a prime p. :)

Re:We already knew that...

[ihgreenman]

Bzzt... Wrong! Thanks for playing

(BTW, generalization of this is left as an exercise to the reader.)

Your public / private keys depend upon the factorization of the composite number and something called the phi function. The rules for this function are somewhat complex, but in the case of a series of factors consisting of unique primes it's pretty simple.

Taking the case of a number with three unique prime factors: N = p * q * r. [p != q, q != r, r != p. p, q and r are all prime.]

Then, phi(N) = (p - 1) * (q - 1) * (r - 1).

Fine, you say, but what does this mean? The reason RSA works is due to a generalization of theorem of Fermat's (from Euler):

When a is not a multiple of p, q, or r (the prime factors of N), you can choose a number g such that 1 + g * N = a ^ phi(N). Or, to use modular arithmetic terms, a ^ phi(N) = 1 mod N.

That in turn means that a ^ ((k * phi(N)) + 1)= a mod N, for *any* integer k. Note that for a given a, other powers may work as well -- but you are garunteed that any power equal to ((k * phi(N)) + 1) will work for any a that is coprime to N. (a coprime to N means that a is not divisable by any of the factors of N.)

Let's say you have a private key (e) that you want to use. Then there may exist a decryption key (d). If d exists, d * e = k * phi(N) + 1. That is: d * e = 1 mod phi(N). Note that given d and e that work, then *any* number of the form d + k * phi(N) will work! The trick with RSA is that phi(N) for a very large number tends to be very large, hence these extra keys are very far apart.

Therefore, for a given RSA encryption key, there are an infinity of decryption keys! Having extra factors has absolutely nothing to do with it.

Re:We already knew that...

[CustomDesigned]

The July 2002 Dr. Dobbs Journal has a provable prime algorithm. The article did not do a complexity analysis, but it requires work equivalent to two passes of Miller-Rabin. The algorithm is called CUL and does two Lucas function tests. However, the proof doesn't deal with whether composites are provable - so perhaps it is what you are looking for. The proof for probable primes was reasonably simple.

Re:Big consequences related to encryption

[mpsmps]

No, most messages will decode incorrectly.

Consider a simple public key encryption algorithm based on the fact proved in any beginning number theory book that for primes p, q

a^x = a (mod pq) if x = 1 (mod m)

where m = (p - 1)(q - 1)

Now choose your favorite number f and use Euclidean algorithm to efficiently find a number g such that

fg = 1 (mod m)

You may have to try another value of f if the Euclidean algorithm terminated before reaching 1, but it won't take many guesses. Now publish the number f and mod m as your public key and keep g private.

Someone sends text t to you by sending t^f (mod m).
Now you just raise that message to the power g and reduce mod m to recover the original text. (This follows immediately by combining the above statements).

Finally, I'll get to the point. This algorithm is simply busted if p and q are not prime because t^fg will not equal t mod m unless you are very lucky. In fact, if you want to add a bunch of nines to your percentage certainty, just encrypt and decrypt a sample message text and verify that it works.

Half empty?

[legomad]

You guys always say things like "so what?" or "that's old". C'mon guys, go outside and smile.

Re:Half empty?

[falzer]

It's all about whose beard is the longest. Besides, I could smile on a PDP-11 before you were born. ;)

Primality testing has never been hard

[sasami]

This result, if true, is very interesting from a theory standpoint.

As far as practice, it's fairly irrelevant. Probabilistic primality testing can be done in constant time with bounded error.

The Miller-Rabin test will tell you if a number is prime with at most 1/4 probability of error. That sounds ridiculous, but the catch is that you can iterate it using a random parameter. Do the test twice and your probability drops to 1/16. Do it fifteen times and your chances of being wrong are about one billionth.

If you're truly paranoid, do it 50 times. That'll bring the error rate of the algorithm magnitudes below the error rate of your hardware.

---
Dum de dum.

Re:Primality testing has never been hard

As has been noted, the Solovay-Strassen and Miller-Rabin tests were for all practical purposes near-deterministic polynomial-time algorithms.

However, there is a certain stunning elegance about this new test for primality (the main loop hit me hard) that almost takes it to the level of Euclid's algorithm for GCD. A loop of the form 'while(r less than n) {...;r++;}' has an in-your-face audacity, especially when we learn that it will deterministically terminate before log(n)^3 (if I'm reading it right)!

Re:Primality testing has never been hard

[Alsee]

If you're truly paranoid, do it 50 times. That'll bring the error rate of the algorithm magnitudes below the error rate of your hardware.

Depending upon what version Pentium CPU you're using you can accomplish that with 2 or 3 steps.

Old joke, but couldn't resist :)

-

Re:Primality testing has never been hard

[Kynde]

The Miller-Rabin test [mit.edu] will tell you if a number is prime with at most 1/4 probability of error. That sounds ridiculous, but the catch is that you can iterate it using a random parameter. Do the test twice and your probability drops to 1/16. Do it fifteen times and your chances of being wrong are about one billionth. If you're truly paranoid, do it 50 times. That'll bring the error rate of the algorithm magnitudes below the error rate of your hardware.

Just consider how fast it's on some of the better known commercial operating systems, because even that 1/4 error probability is magnitudes below the error rate of your platform

Re:Primality testing has never been hard

[bluGill]

What nobody knows though is if error is good or bad. If Miller-Rabin says a number is prime, and you use it for an application that requires a prime number, the application will still work. At least that is true for all the applications I know of that require a prime number (Public Key Encryption), there are probably others.

I've speculated that the existance of non-primes that work is one of the things that makes public key encryption hard enough to be useful. I can't prove it though, and offer it only as an interesting (but likely wrong) point to consider.

Re:Primality testing has never been hard

[bearnol]

Just for the record, as I've stated elsewhere, the Miller-Rabin Test is unjustifiable (for which read _wrong_) There is nothing wrong with its _math_, however the preliminary logic is completely up-the-spout, as it computes Pr(A|B) at a critical point, rather than the required Pr(B|A) - if you don't believe me, read the paper...!

Re:Primality testing has never been hard

[Kynde]

What a load of crap...

What nobody knows though is if error is good or bad. If Miller-Rabin says a number is prime, and you use it for an application that requires a prime number, the application will still work.


Not necessarily, and even when it does, incase it indeed is not a prime it may very well be attackable, even significantly. Although, when Miller-Rabin says one in 10^50, it means that the odds really are that low, and as it's way beyond your hardware reliability, who cares if it's actually false or not.


I've speculated that the existance of non-primes that work is one of the things that makes public key encryption hard enough to be useful. I can't prove it though, and offer it only as an interesting (but likely wrong) point to consider.


There are numbers that fool the gaussian test for primes, so called Carmichael numbers. There are also composite numbers (i.e. nonprimes) that pass Miller-Rabin test, therefore for example in Mathematica the Miller-Rabin test is combined with Lucas pseudoprime test. Though, it may still fail, it's sufficiently unlikely.

BUT how the fsck can you say that "the existance of non-primes that work is one of the things that makes public key encryption hard enough to be useful" ???
Public key cryptography IS being used, and a lot! And on top of which, the smallest problem with it is the generation of primes.

There are "problems" with it, the unawareness wether there actually is a P complex factorisation algorithm yet to be discovered. Also from a steganographical point of view, RSA has somewhat detectable bias, although it's usually being used just transmit the key for some symmetric proven-to-be-strong cipher, which inturn is used to encipher the actual message.

Re:Primality testing has never been hard

[mal0rd]

> If you're truly paranoid, do it 50 times.
> That'll bring the error rate of the algorithm
> magnitudes below the error rate of your hardware.

This doesn't make any sense. If, for any given time you run the algorithim, the hardware has a one in a million chance of messing up, then after running it 50 times the chance of it giving the wrong answer all the time is closer to zlich then the algorithim giving the wrong answer the majority of the time.

Re:Big consequences related to encryption

That "proof" would have killed my CS professor.

Don't forget...!

[Libor+Vanek]

...that in praxis it doesn't really matter if problem is P or NP when P is 100000000000000000*n while NP solution could be 0.00000000000001*(2^n) - the complexity class is nice thing but not all.

Re:Don't forget...!

[meteu]

That's not a very good example, considering that 0.00000000000001*(2^n) > 100000000000000000*n when n >= 110. On 128 bit input, the exponential runtime is more than 265,000 times as slow as the linear.

Complexity classes are more than just "nice."

Re:I always thought is was in P

[crlf]

Uhh..

Pardon my french, but isn't sqrt(n) is better than log(n)^12?

Re:I always thought is was in P

[crlf]

I hate replying to my own posts, but upon further inspection, I realized that sqrt(n) > log(n)^12 for large n.

Yet, sqrt(n) is still polynomial time.

Re:p=np?

[RabeiUsura]

Your are right i meant the first thing, thanks for the correction.

Re:arg. I did it again

[shepd]

>I'm not sure why it removes comparison symbols when set to plain text...

Slashdot removes left angle brackets in an attempt to stop abuse. Since it still lets raw right angle brackets through for old style quoting (which I prefer), the left ones have to go on unverified tags.

To display a left angle bracket despite that you'll need to type its ISO code, which renders the bracket unusable for tags (which is a good thing).

ie: < is entered with this: &lt;

Just something to note down FFR. Oh, and &nbsp; can be handy if you want to try to slip through some important, on-topic simple tables or ascii art. Sometimes. But not lately.

- o
<
\__/

Re:Oh yeah? Well...

[God!+Awful]

No. I was just using the fact that any algorithm is O(1) if you specify an upper bound on n.

The algorithm is:

Precompute Tmax = number of seconds to determine if a number near 10^100 is prime.

1. Compute if x is prime, taking T seconds.
2. Sleep for Tmax-T seconds.
3. Output answer.

-a

MrByte's 1 Page P, NP, NP-Complete Primer

[MrByte420]

So I'm already sensing the level of confusion rising as this is a very confusing topic. Here's a quick review. Note: I'm going to do this on a higher level and not start talking about Formal Languages as this is not the place to teach it. So in loose terms, Problems that in P are easily solveable. For example, sorting is a problem in p. Proof: I can sort a set of n numbers in no worse than n^2 time using a bubble sort. (Yes - I know there's faster but this is an example). The bubble sort just compares every number to every other number. Assuming you didn't optimize the algorithm you'd compare each number to every other number and they'd be sorted in no worse than n*n = n^2 comparisons. So what is NP? NP are problems that given a proposed solution we can verify that the solution is correct or not in polynomial time. An example of this is factoring. (note: it is not known whether factoring is in P). Given current methods we know factoring a big number into its prime factors. But if I was to tell you that p=q*r you could very quickly multiply q*r and see if it is equal to p and "verify" my answer. Another way to think about it is you can try out one branch of computation in polynomial time. So what is NP-complete? NP complete problems are is follows. A problem is NP-Complete iff 1) The problem is in NP 2) A solution in polynomial time to this problem would yield a polynomial time solution to all other problems in NP. That is, no other problem in NP is harder than NP-Complete and if one NP-Complete problem is solveable in Polynomial time than all of NP is solveable in polynomail time, P=NP and you will win doctorates and a nobel prize, turing award and a million bucks from the clay institute for proving this. Sigh - you are probally still confused.. :)

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[ctrimble]

Maybe you should have mentioned that step 2 in the NP-Complete definition means that there's a polynomial time transformation that will turn one NP-Complete problem into another. That's why showing that one NP-Complete problem is in P means that they're all in P.

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[MrByte420]

Hehe - That defintely is part of it but I was just trying to be clear rather than precise.
You obviously can't take k^n time to use the solution generated to decide the other part.

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[uhoreg]

Problems that in P are easily solveable.

Nope. You can have huge constants, or huge exponents, or both. P only describes (somewhat loosely) how much harder the problem becomes as the size of the input grows. But if the problem already takes an impossibly long time with an input size of two, you aint goin very far.

In addition, it is possible to know that a problem is in P, but not have an algorithm for it. (e.g. Robertson and Seymour's huge graph minor theorem, a series of about 20 papers which you probably don't want to read (I don't).)

(And please always capitalize Turing. Nobel too.)

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[MrByte420]

Yes. The Time construction theorems do show that their exists a language that takes n^1000, n ^(10^123323), etc. However they are all easier to solve that Exponential time funtions!

Re:MrByte's 1 Page P, NP, NP-Complete Primer

[uhoreg]

Yeah, I guess "easy" is a relative term. I usually associate "easy" with "practical", which I suppose disqualifies me from doing work in theoretical computer science. ;-) (I am doing theoretical CS, but not complexity theory.)

Re:Knuth

[MrByte420]

a Proof is not rigorus if it depends on unproven theorems. There are many examples if theories that were thought to be true and were later proved to be false. This proof relies on nothing more than a little abastract algebra, some number theory and good ole plain algebra..

Re:p=np?

[Vengie]

3-sat isnt it 3-cnf-sat? or is cnf typically dropped?

Re:This is brute force but....

[MrByte420]

Firstly, you only need to check up to the square root of n as anything larger will not be a prime factor. Secondly the algo you suggest is MUCH larger than n^k where n is the LENGTH OF THE INPUT NOT THE SIZE OF THE NUMBER!

Re:Big consequences related to encryption

[(outer-limits)]

I believe it's 15 - 20 years until they're broken

15 to 20 years is not a long time, I remember when it was 15 years to Y2K. It wasn't the disaster that it was beaten up to be, but it did cost a lot of money to remedy.

Encryption is pretty low level stuff, so the ramifications could be large for many systems.

The question is

[einhverfr]

Whether polynomial time is longer or shorter than prime time.

Re:Big consequences related to encryption

[jbolden]

You can break RSA in polynomial time.

Let pq be a public key. For integers n sqrt(pq) check if n | pq. Each division takes O((pq)^1.58) time (see any algorythem book for proof).

So you have O(sqrt(pq)) * O((pq)^1.58) which is just slightly larger than O((pq)^2) and less than O(pq^3). Improving only slightly over brute force gets you down below squared time.

Re:I always thought is was in P

[Boronx]

Someone posted above that the actual size of input, grows as log(n), so the actuall speed of the algorithm is sqrt(2^i) or 2^(i/2), where i is the number of bits in the input.

Re:Big consequences related to encryption

[jbolden]

I forgot to put in the punch line.

The problem is not that you can't crack RSA in polynomial time as the numbers grow, but rather that means that you are cracking RSA in exponential time as the number of digits grow. Incidentally the best you can do so far is O(e^1.58) (which comes from the division problem).

O(num_bits**12) time estimates

[Adam+J.+Richter]

We give a deterministic O((log n)**12) time algorithm for testing whether a number is prime.

[Sorry, the Slashdot filter does not allow me to superscript the 12.]

The algorithm takes O(log2(n)**12) time, where n is number being factored. If we optimistically assume that this algorithm can test the primality of a 16-bit number in one microsecond, then here is how long it would take to test time primality of some larger numbers.

• 2**12 times as long for a 32-bit number = 4096 microseconds = 4 milliseconds,
• 4**12 times as long for a 64-bit number = 16,777,216 microseconds = 16 seconds,
• 8**12 times as long for a 128-bit number = 68,719,476,736 microseconds = 68,719 seconds = 19 hours,
• 16**12 times as long for a 256-bit number = 281,474,976,710,656 microseconds = 9 years.

I don't know what a realistic base time for this algorithm really would be, and I don't know where the cross over point against existing exponential time deterministic primality testing algorithms would be, but at least this provide a sense of how log2(n)**12 grows.

Re:This is brute force but....

[chairmanKAGA]

The time it takes to calculate with a variation of this algo is ~ [(n + 1) / 2]! , no?

I thought that would be in P time but I see it cannot.

Re:This is brute force but....

[subtleluck]

umm...wouldn't it be easier to just loop from 2 to n-1 (n = the number you are checking for prime) and to see if they divide it?

and no prime * prime is not prime

Re:This is brute force but....

[MrByte420]

Well, I'm not sure if you mean factorial or excitement with that exclaimation mark but either way thats much larger than the input size of the number. NOT THE CARDINALITY OF THE NUMBER. i.e. if a number has n digits it won't be poly to that!

Re:This is brute force but....

[chairmanKAGA]

I was refering to factorial.

Re:This is brute force but....

[chairmanKAGA]

I was just suggesting a raw, non optimized algo for something like this. by z = n+1 ,z = z / 2 and then checking all products, which is z! but that ins't P time I see now so I'm sure many algo's like this already exist and are much slower than the P algo.

Oh no!

[SEAPEA]

I'm not sure what Primes look like or even what they are but having them in my P can't be good for the ole' prostate.

Re:This is brute force but....

[MrByte420]

Factorial grows faster than exponential! watch: polynomial time: 2^2=2 3^2=9 4^2=16 10^2=100 Exponential: 2^2=4 2^4=16 2^10=1024 Factorial; 2!=2 4!=24 10!=3,628,800 See what I mean?

Re:Big consequences related to encryption

[Bill+Currie]

I think there's an error in your algo. Shouldn't it be t^f (mod pq) and message^g (mod pq)?

Re:Big consequences related to encryption

[kyletinsley]

"If you can determine if a number is prime in polynomial time, you can break RSA in polynomial time."

Awww fuck polynomial time.... I'm still waiting for somebody to determine it in STOP! hammer time...

Doooooooo doo doo doo, doooooooooooooooooooo do - Can't crack this!

---
God that was stoopid... sleeeep goooood!

Re:This is brute force but....

[chairmanKAGA]

Yes, and I realize this. To be honest, I have very little business discussing higer math as I am not *bad* at math but do not have the dedication to it. A couple years of Calculas is all I really want to ever have. I can derive and use integrals among other things.

I like discrete math/logic more anyways,

Thank you for clarifing a couple things for me though. :)

Re:Oh yeah? Well...

[veltyen]

Um. Aren't they the same number
10**100 (10 * 10 * 10 ...) is a 1 followed by 100 zeros, just as 10**2 is a 1 followed by 2 zeros.

Re:p=np?

Indeed, primality has been known since the 80's to belong to the class RP (problems solvable in expected polynomial time by a randomised algorithm). It has never (in recent years) been suspected of being NP-complete. Most experts don't even think factoring is NP-complete.

(All this assuming P!=NP, or else all these distinctions collapse.)

Re:Oh yeah? Well...

[khuber]

the point is that the word "google" is not the name of the large number which is "googol". it's a homonym.

-Kevin

Re:arg. I did it again

[jnana]

You have to escape < with <, because otherwise the parser wouldn't be able to tell when an element tag was beginning or you meant less than. > isn't required to be escaped for this reason, because it is clear whether it is closing a tag or not. You also have to escape the ampersand, because otherwise the parser would have to scan ahead to know if you were specifying an entity like   or you just meant & and whatever.

Re:I always thought is was in P

[tunah]

No. Polynomial time, as was said, is polynomial in terms of the input. Input b bits and n is (worst case) on the order of 2^b so now sqrt(n) is about sqrt(2^b)=2^(b/2) which is far worse than polynomial in b.

Re:arg. I did it again

[orz]

But I set it to plain text! Shouldn't slashdot automatically replace my (less-than) symbol with &lt or whatever?

Since slashdot doesn't seem to be doing that I feel like the mode shouldn't be called "Plain Old Text".

Ah well. I'm just bitter because I screwed up twice in a row.

Why does polynomial time matter?

[Flat5]

There seems to be endless fascination with P vs NP problems, and I just can't understand how it could possibly matter. Aren't there infinitely many "polynomial times" that are complete disasters?

Isn't n^1000000000000000000 polynomial time?

Flat5

Re:Why does polynomial time matter?

[archnerd]

If you've studied your calculus, you'll know that anything that can be done in polynomial time can be done faster than in exponential time after a certain length. Since we're talking order of magnitude, it doesn't really _matter_ what the polynomial exponent is as long as it's a constant. Formally, for any constants {a,b}, there exists an n such that a^n > n^b. Therefore, for any NP-complete cryptosystem, it is possible to create a key length such that it will take any desired number of times longer to crack the system than to use it normally.

Re:Why does polynomial time matter?

[maxwell+demon]

But if we have a P algorithm and an NP algorithm, and the NP algorithm gets more efficient at about 10^100 bits, then for all practical purposes, the NP algorithm is faster.

Re:Why does polynomial time matter?

[fatphil]

These principles ignore the fact that there's a finite amount of time,
matter and energy in the universe.

A P algorithm that can never be performed due to its order or constant
factor has no practical use, only theoretical interest.

Theoretical interest is still very interesting.
Practical presses my bottons more though.

Phil

Re:Why does polynomial time matter?

[Flat5]

I don't see what calculus has to do with it, and your statement still doesn't convince me that it matters.

"After sufficient length." Sure. But there's *never* any discussion about what that length is. And if it's sufficiently large (as in, larger than you could ever use), it doesn't matter. The exponent *does* matter in that case.

Flat5

Re:Why does polynomial time matter?

[Flat5]

Sure. But n "large enough" may be completely - orders upon orders of magnitude - out of the range of applicability, in which case this usual professorial argument about "the exponent doesn't matter" is hogwash.

Flat5

Re:Why does polynomial time matter?

[Flat5]

I was asking a more general question than about the results of this particular paper.

I always have and still do reject this ridiculous notion that the exponent never matters because "for sufficiently large" n it's always a win.

We do not work with infinite n. We work with finite n of a quite limited range. The exponent matters, and to say anything to the contrary is a misleading oversimplification.

Flat5

Re:Why does polynomial time matter?

[magicianeer]

We do not work with infinite n. We work with finite n of a quite limited range. The exponent matters, and to say anything to the contrary is a misleading oversimplification.

But n is rapidly increasing.

There is a Moores Law-like effect on dataset sizes that grows faster than processing power. Today terabyte databases are not unusual. It is not unreasonable to have a terabyte on the desktop. Five years ago people could not access drives bigger than 8GB.

An algorithm that takes exponential time to process such a dataset may perform better FOR NOW than one that takes polynomial time. But 5 years from now the exponential algorithm will be useless-- the dataset size (n) will have increased by orders of magnitude, which does horrible things to the exponential runtime.

We routinely keep software around for 30+ years. We cannot expect an exponential time algorithm to be useful over even 10 years. But with the increasing processing power, we can expect a bad polynomial time algorithm to eventually become useful, as recently happened with 3D graphics algorithms.

Re:Why does polynomial time matter?

[uhoreg]

Yes. Nobody is going to come up with an n^1000000000000000000 algorithm, though. Chances are, an algorithm with that kind of running time would be so complicated, nobody would understand it.

To me, having PRIMES in P means that there is more hope of being able to do it efficiently. If it was shown to be NP complete, I would have much less hope. In this case, for example, although the running time is O((log n)^12), which isn't too impressive, the researchers say that they did not fully optimize the algorithm, as they were only interested is showing it was possible.

P is a pretty nice group to deal with, because it happens to be fairly robust between different models of computation. (i.e. P doesn't change if you go from Turing machines, to random access machines, etc.) But there are always researchers interested in getting things down to linear, quadratic, cubic, etc. time. I don't think anybody's going to let this paper be the final word on the complexity of PRIMES. But this is a significant step in finding an efficient algorithm for it.

Re:p=np?

[welthqa]

how long have you guys been waiting for a topic on prime numbers, it's like your entire lives have been building up to this point. hurray!

the most amazing part is...

[keshto]

this work was done by undergrads for their senior honors thesis under Dr. Agarwal's supervision. Isn't that amazing!!! Dr Agarwal was also my undergrad advisor- he is one amazing fellow and damn smart too!! I just wish my honors thesis had been even a fraction of this...

Re:the most amazing part is...

[Kredal]

Fraction, or factor? Sorry...

bad in math?

[RelliK]

log2(16) = 4
log2(32) = 5
log2(64) = 6
log2(128) = 7
log2(256) = 8

by your assumption a*log2(16)^12 + b = 1 ms
for simplicity, let's ignore the constant b.
then:

a*log2(16)^12 = a * 4^12 = 1 ms (by assumption)
a*log2(32)^12 = a * 5^12 = 14.5 ms
a*log2(64)^12 = a * 6^12 = 129.75 ms
...
a*log2(256)^12 = a * 8^12 = 4096 ms

Re:bad in math?

[kavau]

Hold your breath... the algorithm is log2(n)^12 where n represents the number to be tested, not the number of digits. If you denote the number of digits by m, that is, m = log2(n), you get a complexity of O(m^12). The algorithm is therefore polynomial in the number of digits, with a very large exponent of 12. This large exponent could easily hamper the practical use of the algorithm, as Adam correctly demonstrated. The upshot is: Adam is right, RelliK is wrong!

Re:Knuth

[matrix0040]

well ERH is a million dollar problem (literally) !! Claymath.org, so i wouldn't bet my money on a proof which relies on ERH.

Size matters

[deblau]

Note that this algorithm takes O((log n)^12). For this to actually be faster than, say, factoring n directly, and assuming a multiplicative factor of 1 in the order statistic, n has to be at least 3*10^22, or roughly 75 bits long. This algorithm is probably very ineffective at factoring small integers.

Re:Size matters

[fatphil]

Firstly note that the 12 is a proven upper bound, and for the majority of
real world numbers it will be much lower.

Secondly, it's not a factoring algorithm, so your final comment is a bit odd.

Phil

Re:We already knew even more...

[archeopterix]

Namely, if the algorithm says it is prime it might be wrong (with probablity half, say), and if it says that the number is not prime, then it is not prime for sure.

As far as i know, there is a complementary probabilistic algorithm: if it says the number is prime, it is prime for sure, if if says it's composite, it can be wrong (with a fixed probability). So you can check whether a number is prime or not - with an absolute certainty, by running the two algorithms repeatedly, until one of them gives the 'sure' answer. The only thing that is unsure is the execution time - perhaps you will have to run both algorithms many times before obtaining a certain answer. The expected running time is of course polynomial. This means than prime testing is in ZPP. A google search on 'ZPP prime' or something should reveal more, if anyone is interested.

Re:Big consequences related to encryption

[mpsmps]

Oops! But with your correction, it works.

Re:Big consequences related to encryption

[kreyg]

15 - 20 years until they're broken...

Hmm... you know, I've been thinking... if anyone actually saves some of those packets floating around on the 'net, it my be possible to decrypt ALL of them in that time frame. In other words, even if it's encrypted, be aware that it may not be secure for the remainder of your life, perhaps much, much less. I wonder if I'll have the same credit card numbers in 15 years. Alternatively, I wonder if anybody will think about this more than a year before it's possible.

Another interesting case where it's faster to wait for the hardware than to start chugging away with what we've got right now.

Re:I always thought is was in P

[khuber]

Er, I would call a simple divide "considerable".

Assuming you meant "wouldn't call", division is definitely "considerable". Remember we are talking about large numbers. Try doing long division on paper for 35184535666823 divided by 4194319 (answer is 8388617) and you can see there is some work involved, even with these small numbers.

The paper method of long division is O(n^2) and it turns out it can be done more efficiently: As I understand it, you can do division in the steps required for multiplication. Therefore the number of operations required to divide two n digit numbers is bounded by the best multiplication which is O(n lg n lg lg n) (from Knuth Volume II).

This is about 57 for 10 digits and about 182 for 20 digits. You can see that doubling the number of digits here more than triples the required number of operations to compute this result! Likewise 30 digits require about 6 times more operations. You can see that the "n times" grows faster than the number of digits. Thus, division gets slower and slower the more digits you have to divide.

-Kevin

Re:That isn't constant time

[sasami]

A single iteration of the Miller-Rabin test does not take constant time. The time taken involves a number of multiplications mod p (mostly repeated squaring). Both the number of math operations and the difficulty of each one increase with p.

It is therefore polynomial in the size of p, and not constant.

Oops! Yes, this is completely true. Anything that involves multiplications is obviously not going to be constant in the size of the input.

I should offer my head on a platter to Prof. Rabin! I took his class on randomized algorithms...

(If I wanted to be petulant, I could blame the Motwani & Raghavan book for modeling multiplies as unit cost, but that ain't gonna fool anyone. =)

---
Dum de dum.

Re:I always thought is was in P

[khuber]

Hey everyone, Yoda is posting to Slashdot! Just kidding ya :).

-Kevin

Re:a pedantic ass writes

[archnerd]

I'm not sure what you meant by that last line, but you're wrong. Your argument is the converse of the argument made, which doesn't follow.

Re:a pedantic ass writes

[maxwell+demon]

Your first sentence is wrong. Your second sentence is correct, but unrelated.

The fact that you know the factors of a prime doesn't tell you anything about what you know about the factors of a non-prime (unless you know the prime to be a factor of the non-prime, of course).

When being pedantic, you'd better double-check that you are right :-)

Re:for the sake of our eyes [OT]

[spongman]

yeah, you would have thought that Adobe, the people tht brought us Postscript could write half-decent font rendering code, but no...

On the MaxOSX it looks great (I'm guessing they use the Mac's native font rendering), but on my XP box it looks like something from the mid 80's compared to the cleartype that everything else is done with.

don't get me started on the ActiveX control...

Re:Oh yeah? Well...

I thought things that sounded the same but were spelled differently were homophones. I thought homonyms were spelled the same with different meaning.

YOUR NIT HAS BEEN PICKED!!!

Re:arg. I did it again

[pediddle]

All plain text mode does is automatically break your paragraphs when you type "enter" (so you don't have to use

or
). But since you can still type, say, , or in plain text mode, it can't automatically translate your '<' into '<', or else those tags wouldn't work.

What you want is to either type out the '&lt;' and '&amp;', or, probably what you really want is to:

use Extrans or Code modes (Code is just like Extrans except formatted in a fixed-width font). I'm using Extrans to type this message right now, since it has so many '<'s.

Re:Big consequences related to encryption

[fatphil]

The PRP tests used to check numbers for compositeness or probable primality
actually test to see if this exponentiation procedure works.

RSA does work with carmichael numbers instead of primes, for example, because

a^c == a (mod c) for all a s.t. (a,c)==1, c a carmichael number

Try it - it works!

Phil

It would be interesting...

[GnomeKing]

...if he HAD found a way to do factoring in P time... gotta wonder what would happen if he took a holiday to the states - I'm sure SOMEONE would try to have a go at him for breaking encryption

Re:Oh yeah? Well...

[fatphil]

Yup - cracking 128-bit AES by brute force is O(1) too, because the key size
is fixed at 128 bits.

Phil

This is highly unlikely...

[commie_pig]

It will only be a matter of time before somebody finds a flaw in the paper. I suppose I will give it a bash.

First of all, to the best of my knowledge, none of the prime algorithms are NP-complete, so even showing that one of them runs in polynomial time will still not answer the question of whether P = NP.

Second, as some other readers have pointed out, this will probably not make a dent in the integrity of crypto systems, since the factoring problem becomes no easier. Take RSA for example. We know that the messages are composite numbers, but I bet you'll keep your computer more than busy for the next few eons trying to factor a 1024 bit composite.

There is a brilliant probabilistic algorithm (due to Rabin and I think Miller) for checking primeness which allows one to arbitrarily choose the likelihood of an error.

So anyways, don't get to excited at the prospect of the fall of the Western world's security, because if anyone posed such a threat, it would be in the interest of many countries to have such a person eliminated.

Re:p=np?

NP-complete problem are no superclass of NP, but they are considered to be the hardest problems in NP. "The hardest problems in NP" means that if one finds and deterministic polynomial algorithm for a NP-complete problem, you could use this algorithm as a subprocedure for any problem in NP (every instance of a problem in NP can be reformulated as an instance of this NP-complete problem in det. pol. time) and therefore P=NP.
But it is more likely that there exists no det. pol. time alg. for any NP-complete probleme and so P != NP)

Re:Big consequences related to encryption

[ranulf]

but isn't a non-prime that passes the 99.99999999999% check just as good as a prime in encryption? I mean, seriously, is anyone really going to notice it's not prime?
No, most messages will decode incorrectly.

So, if the key obviously doesn't work, then you can assume that the modulus isn't prime and try another.

In fact, following that argument through, you could have a test suite of various messages to encode. If they work, you can be reasonably sure the number is prime. Obviously, with this approach you'd need to be reasonably sure you had a prime, otherwise you'd waste a lot of time.

Disclaimer: I dropped out of Uni level Maths before I got to anything particularly hard, so most of this is over my head.

Re:Oh yeah? Well...

[khuber]

oops, you're right!

-Kevin

Great, now not even the posters *READ* the article

[sup4hleet]

While I haven't gone through the presentation in detail,

This fact is not new...

[mgessner]

I wrote a paper back in 1990 about a prime number sieve that was basically an O(n^2) algorithm.
It basically worked by finding out if numbers were composite, but the algorithm used could be "inverted" to tell you if a number was prime or not by telling you if it was composite or not.
It was very well suited to parallel implementations, too.

Re:This fact is not new...

[gelderen]

Citation and online reference, please?

Re:This fact is not new...

[mgessner]

The research was done as part of my Senior Honors Thesis, and is available from the university.

My advisor, Dr. Antonio Quesada, later published a paper (proceedings of the ACM, maybe?) wherein he discussed the sieve that we built, in very generic terms.

Basically, it involves going through and computing the distances between the composites in a special set and doing that over and over and over. But by simply determining if a number is going to be cancelled out or not is pretty simple: just run through the sets.

Re:This fact is not new...

[uhoreg]

Is it quadratic in the magnitude of the number, or quadratic in the bit size of the number? i.e. if I wanted to test if 907 is prime, would it be c*907^2 time, or c*log(907)^2?

Re: Use Double Keys DUH!

[linuxislandsucks]

Ah you know most people who use the pair key system of encryption never have to worry about whether primes are factorable or not..

Single key encryption is only for windows slobs!

PGP forerver!

Re:for the sake of our eyes [OT]

[MrFredBloggs]

Is there a reason why the underlining in PDF is out a fair bit?

Re:Big consequences related to encryption

[xbrownx]

It would be a truly horrible test for prime numbers if any even number greater than 2 passed.

Fantastic

[twem2]

From a theoretical point of view.
As someone who's incredibly interested in theoretic computer science, this is a fascinating and very important result.
Practically it may not have much of an effect. It is in P, but that doesn't tell you how long it actually takes to run. It could be that the algorithm takes an inpractical time to run, although refinements to the algorithm might be made to speed it up.
This will also have little impact on the problem of factoring, unless the maths used provides a new approach to that problem.
Great news though.
I'll have to read the paper now.

Well I hope your ready for more

[CaffeineAddict2001]

cause you're going back to P. Didn't you hear professor? You do the trying, we do the dividing.

Discrete log also unaffected

[yerricde]

Only ... algorithms like RSA will be broken. Symmetric-key cryptosystems will be unaffected.

As far as I know, public key crypto based on a discrete logarithm will be unaffected as well.

Re:p=np?

[Oztun]

Yeah what the hell is this intelligent discussion. Lets go back to "Linux is uhh cool teehee". Or how about "Cowboyneal sure has a big hat, yup".

Mod parent down

[volpe]

The input size here is log(n) since it requires log(n) bits to represent n. log(n)^12 hence is polynomial (which i believe their algo guarantees), whereas sqrt(n) is not.


Nonsense. Sqrt(n) is less than n for all n, therefore O(sqrt(n)) is even better than O(n).

Re:Mod parent down

[volpe]

I'm aware that calculating the integer square root function is part of the cost of the algorithm, but even so, it's still a polynomial time algorithm. And even if it weren't, you could make it polynomial by replacing "sqrt(n)" with "n". This would, of course, make the algorithm take *longer* on any practical implementation, but it would be just as correct and trivially polynomial.

Why is this interesting?

[(void*)]

I present to you a very stupid algorithm to check that Primality is in P:

for i = 1 to sqrt(n):
if i divides n: n is NOT PRIME, stop.
if loop runs to exhaustion, n IS PRIME.

Now, this simple minded deterministic algorithm has runtime O(n^0.5). Thus primality is in P. Why is this simple, elementary result unknown to slashdotters?

The true achievement of this paper is that a speed up from polynomial time to fast polynomial times. That primality testing is in P, is KNOWN FACT. All those people expounding on the ramifications of Primality being in P and its implica5tions for factoring are talking out of their ass.

Re:Why is this interesting?

[SamBeckett]

Your algorithm sux0rs. It should be:

for i = 2 to sqrt(n):
if i divides n: n is NOT PRIME, stop.
if loop runs to exhaustion, n is PRIME.

Re:Why is this interesting?

[TheShadow]

Wait... One better:

if 2 divides n: n is NOT PRIME, stop
for (i = 3; i sqrt(n); i+=2)
if i divides n: n is NOT PRIME, stop;
if loop runs to exhaustion, n is PRIME.

This is much better because you only test odd numbers.

Maybe we can keep this thread going and eventually come up with an O(1) algorithm.

Re:Why is this interesting?

[muck1969]

Your solution is a brute-force calculation that even novice coders could realize. I've used a similar piece to create a factoring program on my TI-82 (but increm +2 and pair this with a 10 digit rand. nbr gen proggy ... it's entertaining for 30 seconds). I believe the solution these math nerds are looking for is an elegant solution for those who don't code.

Re:I always thought is was in P

[John+Allsup]

As others have pointed out, n is the size of the input, i.e. the number of bits representing the number. A number that requires e.g. 20 bits to write (i.e. has a 1 in the 20th place) would then be between 2^19 and 2^20 (if we start counting at 1, so the 20th place corresponds to 2^19). Thus the input for p has size approx. lg2 p and so the for loop requres sqrt(p) ~ sqrt(2^n) = 2^(0.5 n) steps. This is exponential time.

You must always be careful not to confuse the size of the input with what it represents.

Re:p=np?

[Vengie]

Whatever idiot modded me as "off topic" doesn't know ANYTHING about complexity and p/np. 3-sat doesnt exist. its 3-cnf-sat 3- conj. normal form - satis. problem.

Re:Undergraduate Student Project

[mkudzin]

When was the last time that a Senior at a US university produced a result of this calibre? Answer: Never been done.

I don't know why I let myself be suckered by such obvious bait.

There is a lot of extraordinary undergraduate research being done in the United States. For two obvious examples, look at the work done by the students of Feank Morgan and at Harvery Mudd College

Matthew Kudzin

Re:Big consequences related to encryption

[heliocentric]

I wonder if I'll have the same credit card numbers in 15 years.

My CC company tends to send me a new one every few years (right before the old one expires) with a new number. When does your card expire? What does your CC company do around that time if it doesn't send you a new number?

Proofs of X mod 9 and X mod 3

[UnknownSoldier]

Indras> It's always easy to tell if a number is divisible by three, just add all the digits together, and if the result is divisible by three, then so is the original number.

HaeMaker> Got a proof for this?

You need to use these few Number Theory modulas rules:
Eq 1. m mod m = 0 [defn. of modulas]
and
Eq 2. (a mod m) + (b mod m) = (a + b) mod m
and
Eq 3. (a*m) mod m = 0

If you want a better handle on where Eq. 2 comes from, look at an analog clock.
i.e.
What is 11am + 9 hours expressed in am/pm format?
= (11+9) mod 12
= (12 + 8) mod 12
= (12 mod 12) + (8 mod 12)
= 8 pm

Similiarly for Eq 3.

The reason why (X mod 9) and (x mod 3) are interesting is because anytime you have 10 mod X = 1, you can use some mod tricks.
0 mod 3 = 0
1 mod 3 = 1
2 mod 3 = 2
3 mod 3 = 0
4 mod 3 = 1
5 mod 3 = 2
6 mod 3 = 0
7 mod 3 = 1
8 mod 3 = 2
9 mod 3 = 0
10 mod 3 = 1

INANT (I'm not a Number Theorist so please correct me if any of this is wrong! :) but here are a few exampes that should satisfy your curiousity.

Now 909 mod 9 is:
= (900 mod 9) + (9 mod 9)
= (100*9 mod 9) + 0
= 0

Lets try 911 mod 9:
= (100*9 mod 9) + (11 mod 9)
= 0 + (9 mod 9) + (2 mod 9)
= 0 + 0 + 2
= 2

and 974 mod 3
= (300*3) + (74 mod 3)
= 0 + (24*3 mod 3) + (2 mod 3)
= 0 + 0 + 2
= 2

Cheers

Please STOP!

[phliar]

Everyone: just because you start out by writing "I'm no mathematician, but..." doesn't means you can pull crap right out of your ass. Words mean things, and when you talk about math, words mean things exactly. Please don't misuse them.

It's the Sieve of Eratosthenes. A number n is of size log(n). This is a deterministic algorithm; why bring up NP? What is the time complexity of division? And here's a hint: you start with n-digit (n=100) numbers and present an algorithm that runs in time 10^n. This is in P?

Has anyone actually read the paper? The algorithm is outlined, with a complexity analysis. Don't forget, P-time doesn't mean usable.

Not constant...

[Tom7]

> Probabilistic primality testing can be done in constant time with bounded error.

You don't really mean constant time. Just looking at the number is already linear time!

Miller-Rabin is also polynomial time (admittedly, a much better polynomial than this).

Re:Not constant...

[sasami]

Just looking at the number is already linear time!

Almost. The length of p is log(p). (But yeah, that's more than enough to make Miller-Rabin polynomial, not constant.)

---
Dum de dum.

Re:Not constant...

[Tom7]

When we talk about the speed of an algorithm operating on a number, we talk about the *size of the input*, not the magnitude of the number itself. So, when they say polynomial here they mean polynomial in the size of the input (log of the number), just as when I say linear I mean linear in the size of the input (log of the number).

smart guy

[charmer]

I went to school with this guy at IIT, Kanpur. He is smart, and had a great advisor, Somnath Biswas for his PhD. Looks like IIT,K did away with their policy not to hire people educated at IIT,K, since he is a professor there now. Maybe they made an exception.

charmer

Re:smart guy

[ketanm]

Very true.....I am a recent pass out. The policy has again implemented of not taking in IITK grads as profs.

*Simpler* proof of X mod 9 and X mod 3

[UnknownSoldier]

I know its bad netiquitte to reply to one's own post, but I can clarify the proof in a much simpler way:

When given a decimal digit d (equal to 0 thru 9), what is: d * 10 mod 3 equal to ?

Using our mod rules:
= (d*9 + d) mod 3
= (d*9) mod 3 + (d mod 3)
= (d*3*3 mod 3) + (d mod 3)
= 0 + (d mod 3)
That is, any digit times 10 mod 3 is equal to that digit.

Similiarly we can extend this to any power of 10.
e.g. d * 100 mod 3
= (d * 100) mod 3
= (d*99 mod 3) + (d mod 3)
= (d*33*3 mod 3) + (d mod 3)
= 0 + (d mod 3)

We can use the same proof for when finding d*10 mod 9.

So, using our previous example:
What is 974 mod 3 = ?
= (900 + 70 + 4) mod 3
= (900 mod 3) + (70 mod 3) + (4 mod 3)
= (9 mod 3) + (7 mod 3) + (4 mod 3)
= (9 + 7 + 4) mod 3
= 20 mod 3
= (2 mod 3) + (0 mod 3)
= 2

Re:*Simpler* proof of X mod 9 and X mod 3

[Genyin]

I know its bad netiquitte to reply to one's own post
Slashdotiquitte is bad netiquitte... ;)

Re:*Simpler* proof of X mod 9 and X mod 3

[UnknownSoldier]

Hehe.

Or "Trashdot. The tabloid of the tech news." as one of my friends calls it.

Apparently correct

[Alomex]

The local expert says that the buzzword in the crypto community is that the algorithm is apparently correct. The fact that is so elementary makes it less likely to be wrong.

We will have to wait a few days to be certain...

Practical crypto sizes... Faster Algorithm

[billstewart]

Thanks for a discussion discussing actual speeds! O(logn**12) is pretty slow, but the paper also says that if a widely held conjecture is true, the algorithm should usually run in time O(logn**6), which is much less bad. That says that doubling the key length increases the run time by only a factor of 64, not 4096. I don't know if your run time examples are realistic, but this could make it occasionally usable.
The authors also conjecture that if certain things are true, the algorithm could be changed to an O(logn**3) algorithm, which would be quite practical, perhaps competitive with the probablistic tests.

In practice, most public-key crypto algorithms formerly used 512-bit or 1024-bit keys, and are tending to do 2048 bits today. A few paranoids use longer keys just because they can, but 2048 is generally believed to be good enough. Existing factoring technology has cracked 512-bit keys, and I think the longest successful crack is about 640 bits. Dan Bernstein's factoring machine proposal has led some people to abandon trust in 1024-bit keys, though other people think that's premature.

Prime in O(1)

[seangw]

We can easily do this:

x is Prime in question
P is set of all primes

if ( x elemOf P ) Then
output X
end if

Duh.

Re:Prime in O(1)

[muck1969]

Wouldn't P be an infinitely large set?

Re:Huh?

[maxwell+demon]

You probably got confused by the quoting of the posting from streetlawyer I answered to. The italic stuff is actually what he quoted from ipfwadm.

His (streetlawyer's) first sentence is "No it isn't.", which is wrong, because the statement of the quoted sentence is correct (as you yourself re-state).

And that his second sentence it correct, we agree anyway ;-)

better practical algorithm

[charmer]

From the paper:


<i> In 1983, Adelman et al achieved a major breakthrough by giving a eterministic algorithm for primality that runs in (log n) ** O(log log log n) </i> <br>

in contrast, this paper suggests an algorithm that runs in (log n) ** 12, which means that the 1983 algorithm would run better for numbers less than:
<strong>
n = (2 ** (2** (2 ** 12)))
</strong>

-- charmer

Re:Primes Are In P??

[schon]

Just think... all this time spent by mathematicians, and it turns out that urologists are the ones who find the primes!

Re:Big consequences related to encryption

[gomiam]

I thought the division problem was already an O(nlgn) problem, as product is.

In practise, this algorithm does nothing new...

[Shade,+The]

There is already an algorithm which can find out if a number is prime or not, and has been around for some time. Or, at least, it can say that a number is "probably" prime. And, if that probability is, say 2^400 - 593, (i.e. 0.9999999...), then in practical terms this is good enough. When you get to probabilities that are so high that computer component failiure is more likely, it ceases to matter that the solution isn't quite perfect.

Discovered by Micheal O. Rabin, it depends on the notion of integers being a "witness". If one witness number can be found, the number is not prime. According to theory, if the number is not prime, then more than half of the integers in the set {2, 3, ... , n - 1} are witnesses. So obviously, the more numbers tested for "witness capability", the lower the chance of the number being prime.

A witness number is defined to be any integer w satisfying either of the two conditions below:

1. w^(n-1) = 1 mod n
2. For some integer k, m = (n - 1) / 2^k is an integer and 1 < gcd(wn - 1, n) < n

So this discovery, is not, in fact, anything that will lead (at least directly) to anything new at all.

Re:In practise, this algorithm does nothing new...

[ketanm]

If you talk about practical implementation, then can you explain of what advantages this new test has over Miller-rabin test?

Prime Number DB!

[JonathanTWilson]

Why doesn't some Math's dude just make a massive, and I do mean massive prime nubmer database??? There are lots of people who love putting terabytes of data into databases why not do it with something useful like Prime numbers???? Then have it avialble on-line. Lets really test the limits of MySQL.

Re:Prime Number DB!

[dbretton]

Take all of the prime numbers that have been computed to date, and you could fit it all on a floppy, with probably room to spare for a Word document.

Re:Prime Number DB!

[too_bad]

Not exactly what you want. But interesting: Here is the list of all the largest known primes (at their time): http://www.utm.edu/research/primes/ftp/all.txt

Re:Undergraduate Student Project

[bsharma]

Well, Prof. Manindra Agarwal is an established theoretician and is the "first" author of the paper.. When several authors contribute nearly the same research in a paper, the tradition is to list the names in alphabetical order (last names). These authors - Agarwal, Kayal and Saxena seem to be that.

Re:Undergraduate Student Project

[bsharma]

>>>Well, Prof. Manindra Agarwal is an established theoretician and is the "first" author of the paper.. When several authors contribute equally in a research, they are listed alphabetically. Agarwal, Kayal and Saxena seems like that.

First quote from Knuth

[marko123]

Everyone in slashdot drops his name, but you, sir, have quoted from his books.

Therefore, you have the largest hoodaddy in the thread.

(My time between girlfriends is polynomial)

Re: Use Double Keys DUH!

[tbo]

Ah you know most people who use the pair key system of encryption never have to worry about whether primes are factorable or not..

I'm working more on the physics side of quantum computing, not the computer side, so I don't know quite as much about crypto as I'd like. I can see how it might be possible to have perfect forward security (which is what you're talking about) in a real-time two-way communcation scenario, but not in a one-way asynchronous situation like PGPed emails.

Can you elaborate? I couldn't find anything with a Google search.

Primes and Factoring Primes in P

[sambo_shacklock]

In fact, both of these problems are at most O(n), and can be solved the same way.

For each in test n%i=0. if there exists a i such that n%i=0 then the number is not prime. If you're trying to factor a product of two primes, then you've found one factor (and the other is easy to find:).

In fact, the fastest algorythm that we've discovered for factoring a product of two primes is O(sqrt(n)). The problem is that 'n' is so big---1024 bits (oh for a constant time algorythm:)

Anti-disclaimer: I did indeed take a cryptography course a few years back.

Tim

Re:Devil's Advocate

[Goonie]

You might make it theoretically possible, but you're not helping much. Consider, say, a machine with 64 kilobytes of RAM and no other state (no registers, no disk etc) - in other words, a very minimal system by today's standards. That gives us 524,288 bits of state, and thus 2^524,288 states.

Your worst case performance is going to be rather crappy :)

Re:Big consequences related to encryption

[kreyg]

A few years ago, they only updated the date. They changed the number on my most recent card because they added some digits, no idea if they're going to change it next time.

The point was less about my CC specifically, and more about "which numbers have I sent across the 'net that I'd rather nobody know?" I'm sure there are a few, from vital things to personal information that is supposed to be confidential.

Re:You and your code sucks

[WeedMonkey]

no single letter variables... it's a stupid practice and anyone who condones it is an asshole.

FFS, anyone who has a rule that you're not allowed to use i as a loop counter deserves to be dragged out into the street, beaten around the head with printouts of the Win95 codebase, then exiled to Redmond for the rest of their life, as they obviously aren't familiar with even the most basic of accepted practices.

I can just see you sitting there, late at night, typing

for (myLoopCounter=1; myLoopCounter<=maximumIterationsAllowedForThisLoop ; myLoopCounter++)

while the rest of us are in the pub. Ah well, your loss.

101*3*3

[wiredog]

nuff said

Re: Use Double Keys DUH!

[God!+Awful]

You can have perfect forward secrecy for dynamic communications, but the standard perfect forward secrecy algorithm (Diffie-Hellman) can also be cracked by a quantum computer.

-a

Re:Bzzt! Nondeterministic polynomial

[ssun]

YM NTM/DTM, not NFA/DFA.

re: "Factoring might still be NP" - question

[markgriffith]

Just wondering though if there are regions of the number line where as yet unused primes of useful size [large enough to make hard ciphers, small enough to be manageable] are few enough in number to make a primality test like this useful to surveillance agencies.....

.....not of course as a way of factoring large composites, but just for the sake of collecting a big list of suitable cipher-making primes in that region of size for later testing of large composites in other people's ciphers?

I mean that, aside from the mathematics, for full-time crackers and coders chunks of the number line might have a kind of political geography, with sections of the naturals known or believed by insiders to contain primes used by this intelligence agency or that surveillance group for this or that kind of encryption. The task might be ridiculously huge overall, but in local regions of the naturals, sections of suitable keys for some applications or machines might seem worth mapping, in someone's view.

In that context, surely a new classical primality test [especially if used to develop an improved probabilistic primality test] might make quite a difference, indirectly, to helping someone much more quickly factor large composites, no?