\begin{document}
\documentclass[11pt]{article}

\usepackage{latexsym}
\usepackage{amsmath}
\usepackage{amssymb}
\usepackage{amsthm}
\usepackage{hyperref}
\usepackage{algorithmic}
\usepackage{algorithm}
\usepackage{complexity}
\usepackage{graphicx}

\usepackage{palatino} %what a beautiful font!


\newcommand{\handout}[5]{
  \noindent
  \begin{center}
    \framebox[\textwidth]{
      \vbox{
        \hbox to \textwidth { {\bf #2}\hfill {\bf Computational Number Theory }
       }
        \vspace{4mm}
        \hbox to \textwidth { {\Large \hfill #5  \hfill} }
        \vspace{2mm}
        \hbox to \textwidth { {\em #3 \hfill #4} }
      }
    }
  \end{center}
  \vspace*{4mm}
}

\newcommand{\lecture}[4]{\handout{#1}{#2}{Instructor: #3}{Scribe:
    #4}{Lecture #1}}

\newtheorem{theorem}{Theorem}
\newtheorem{theorem*}{Theorem}
\newtheorem{corollary}[theorem]{Corollary}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{observation}[theorem]{Observation}
\newtheorem{proposition}[theorem]{Proposition}
\newtheorem{definition}[]{Definition}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{fact}[]{Fact}
\newtheorem{subclaim}[theorem]{Subclaim}

% my custom commands
\newcommand{\inparen}[1]{\left(#1\right)}             %\inparen{x+y}  is (x+y)
\newcommand{\inbrace}[1]{\left\{#1\right\}}           %\inbrace{x+y}  is {x+y}
\newcommand{\insquar}[1]{\left[#1\right]}             %\insquar{x+y}  is [x+y]
\newcommand{\inangle}[1]{\left\langle#1\right\rangle} %\inangle{A}    is <A>
\newcommand{\abs}[1]{\left|#1\right|}                 %\abs{x}        is |x|
\newcommand{\norm}[1]{\left\Vert#1\right\Vert}        %\norm{x}       is ||x||
\newcommand{\union}{\cup}
\newcommand{\Union}{\bigcup}
\newcommand{\intersection}{\cap}
\newcommand{\Intersection}{\bigcap}
\newcommand{\super}[2]{#1^{\inparen{#2}}}             %\super{G}{i-1} is G^{(i-1)}
\newcommand{\setdef}[2]{\inbrace{{#1}\ : \ {#2}}}
\newcommand{\inv}[1]{#1^{-1}}
\newcommand{\inrpdt}[2]{\left\langle{#1},{#2}\right\rangle}%\inrpdt{x}{y} is <x,y>.
\newcommand{\pderiv}[2]{\frac{\partial #1}{\partial #2}}
\newcommand{\iso}{\cong}
\newcommand{\bea}[1]{\begin{eqnarray*} #1 \end{eqnarray*}}
\newcommand{\legendre}[2]{\inparen{\frac{#1}{#2}}}

% Commands specific to this file
% TODO: Find the right way to typeset group index
\DeclareMathOperator{\Sym}{Sym}
\newcommand{\gpidx}[2]{\insquar{#1 : #2}}             %\gpidx{H}{K}   is [H : K]
\newcommand{\gpigs}[2]{\gpidx{\super{G}{#1}}{\super{G}{#2}}} %Group index of g super ...
\newcommand{\llhd}{\!\!\lhd\!\!\lhd}
\newcommand{\roundoff}[1]{\left\lfloor #1 \right\rceil}


% \newcommand{\ceil}[1]{\lceil #1 \rceil}
\newcommand{\floor}[1]{\lfloor #1 \rfloor}
\newcommand{\F}{\mathbb{F}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\Q}{\mathbb{Q}}
\newcommand{\Z}{\mathbb{Z}}
\renewcommand{\R}{\mathbb{R}}
\renewcommand{\C}{\mathbb{C}}

%for algorithms
\renewcommand{\algorithmicrequire}{\textbf{Input:}}

% Problems we look at
\newcommand{\GIso}{\lang{Graph\text{-}Iso}} %Without \text, ugly minus instead of hyphen.
\newcommand{\GAut}{\lang{Graph\text{-}Aut}}
\newcommand{\SStab}{\lang{Set\text{-}Stab}}

%for Quantum computing
\newcommand{\q}[1]{\left|#1\right\rangle}


\lecture{20 and 21: Solovay Strassen Primality Testing}{CS681}{Piyush P Kurur}{Ramprasad Saptharishi}

\section*{Overview}

Last class we stated a similar reciprocity theorem for the Jacobi
symbol. In this class we shall do the proof of it, discuss the
algorithm, and also do the Solovay-Strassen primality testing. 

\section{Proof of the Reciprocity of $\legendre{m}{n}$}

The proof will just be induction on $m.$ Recall the statement of the
theorem
\bea{
\legendre{2}{n} & = & (-1)^{\frac{n^2 - 1}{8}}\\
\legendre{m}{n}\legendre{n}{m} & = & (-1)^{\frac{m-1}{2}\frac{n-1}{2}}
}
We shall just prove the second part here. The first part uses the same
technique. Let us assume that the theorem is true for all $m'<m.$ If
$m$ is a prime, we do induction on $n.$

Suppose $m = m_1m_2$, then
\bea{
\legendre{m_1m_2}{n}\legendre{n}{m_1m_2} & =
& \legendre{m_1}{n}\legendre{n}{m_1}\legendre{m_2}{n}\legendre{n}{m_2}\\
& = & (-1)^{\frac{n-1}{2}\inparen{\frac{m_1 - 1}{2} + \frac{m_2 -
1}{2}}} } 

From now on, the work shall be happening on the exponent and
let us just denote $\frac{n-1}{2}E$ for the exponent of $-1.$ We want
to evaluate $E\bmod{2}$ since we are looking at $(-1)$ power the
exponent and only the parity matters.

Let $m_1 = 4k_1+b_1$ and $m_2 = 4k_2+b_2$ where $b_1,b_2 = \pm 1$
since $m$ is odd. 
\bea{
E & = & \frac{4k_1+4k_2 + b_1 + b_2 - 2}{2}\\
  & = & \frac{b_1+b_2 - 2}{2} \bmod{2}\\
\frac{m-1}{2} & = & \frac{(4k_1+b_1)(4k_2+b_2)-1}{2}\\
  & = & 8k_1k_2 + 2k_1b_2 + 2k_2b_1 + \frac{b_1b_2 - 1}{2}\\
  & = & \frac{b_1b_2 - 1}{2}\bmod{2}
}

And now it is easy to check that for $b_1,b_2 = \pm 1$,
$$
\frac{b_1b_2 - 1}{2} = \frac{b_1+b_2 - 2}{2}\bmod{2}
$$
and therefore, $E = \frac{m-1}{2}\bmod{2}$ and hence, 
$$
\legendre{m}{n}\legendre{n}{m} = (-1)^{\frac{n-1}{2}E} = (-1)^{\frac{n-1}{2}\frac{m-1}{2}}\qed
$$

\section{Algorithm to compute $\legendre{m}{n}$}

The reciprocity laws give a polynomial time algorithm to compute the
Jacobi symbol $\frac{m}{n}.$ Note that $\legendre{m}{n}$ depends only
on $m\bmod{n}$ and therefore we can reduce $m$ modulo $n$ and
compute. When $m<n$, we use the reciprocity to get $\legendre{n}{m}$
and we reduce again. 

The bases cases (cases when either of them is $1$ or $gcd(m,n)>1$ or $m =
2^km'$ or $n = 2^km'$ etc) are omitted\footnote{the \TeX source file
of this lecture note has them commented out. Uncomment them and
recompile if needed}.

\begin{algorithm}
\caption{\sc{Jacobi Symbol}\quad$\legendre{m}{n}$}
\begin{algorithmic}[1]
\STATE //base cases omitted
%% \IF{$gcd(m,n) > 1$}
%% \STATE {\bf return } $0$
%% \ELSIF{$m=1$}
%% \STATE {\bf return } $1$
%% \ELSIF{$m=2$}
%% \STATE {\bf return} $(-1)^{\frac{n-1}{2}}$
%% \ELSIF{$m = 2^km'$}
%% \STATE {\bf return} $\legendre{2}{n}^{k}\legendre{m'}{n}$
%% \ELSIF{$n = 2^kn'$}
%% \STATE {\bf return} $\legendre{m}{2}^k\legendre{m}{n'}$
%% \ENDIF
%% \STATE //base cases complete
\IF{$m>n$}
\STATE {\bf return} $\legendre{m\bmod{n}}{n}$
\ELSE
\STATE {\bf return} $(-1)^{\frac{m-1}{2}\frac{n-1}{2}}\legendre{n}{m}$
\ENDIF
\end{algorithmic}
\end{algorithm}

The running time of this algorithm is $(\log m\log n)^{O(1)}.$

\section{Solovay Strassen Primality Testing}

The general philosophy of primality testing is the following:
\begin{itemize}
\item Find a property that is satisfied by exactly the prime numbers.
\item Find an efficient way to check if the property is satisfied by
arbitrary numbers.
\item Show that for any composite number, one can ``easily'' find a
witness that the property fails. 
\end{itemize}

In the Solovay-Strassen algorithm, the property used is the
following. 
\begin{proposition}\label{ss-prop}
$n$ is prime if and only if for all $a\in (\Z/n\Z)^\star$, 
$$
\legendre{a}{n} = a^{\frac{n-1}{2}}
$$
\end{proposition}

And with the following claim, we have the algorithm immediately.

\begin{claim}
If $n$ was composite, then for $a$ randomly chosen from $(Z/n\Z)^\star$,
$$
\Pr_{a\in (\Z/n\Z)^\star}\insquar{\legendre{a}{n}\neq
a^{\frac{n-1}{2}}} \geq \frac{1}{2}
$$
\end{claim}

Thus, the algorithm is the following. 

\begin{algorithm}
\caption{{\sc Solovay-Strassen}: check if $n$ is prime}
\begin{algorithmic}[1]
\STATE Pick a random element $a<n.$
\IF{$gcd(a,n)>1$}
\STATE {\bf return} {\sc composite}
\ENDIF
\STATE Compute $a^{\frac{n-1}{2}}$ using repeated squaring and
$\legendre{a}{n}$ using the earlier algorithm.
\IF{$\legendre{a}{n} \neq a^{\frac{n-1}{2}}$}
\STATE {\bf return} {\sc composite}
\ELSE
\STATE {\bf return} {\sc prime}
\ENDIF
\end{algorithmic}
\end{algorithm}

All that's left to do is prove the claim. For that, let us look at a
more general theorem which would be very useful. 

\begin{theorem}
Let $\psi_1$ and $\psi_2$ be two homomorphisms from a finite group $G$ to a
group $H.$ If $\psi_1\neq \psi_2$, that is there is atleast one $g\in
G$ such that $\psi_1(g) \neq \psi_2(g)$, then $\psi_1$ and $\psi_2$
differ at atleast $|G|/2$ points. 
\end{theorem}

This intuitively means that two different homomorphisms can either be
the same or have to be very different. 

\begin{proof}
Consider the set
$$
H = \setdef{g\in G}{\psi_1(g) = \psi_2(g)}
$$
Note that clearly $1$ belongs to $H$ and if $a,b\in H$, then so is
$ab$ as $\psi_1(ab) = \psi_1(a)\psi_1(b) = \psi_2(a)\psi_2(b)
= \psi_2(ab).$ Inverses are inside as well and therefore, $H$ is a
subgroup of $G$. Also since $\psi_1\neq \psi_2$, they differ at
atleast one point say $g_0.$ Then $g_0\notin H$ and hence $H$ is a
proper subgroup of $G.$

By Lagrange's theorem, $|H|$ divides $|G|$ and since $|H|<|G|$, $|H|$
can atmost be $|G|/2.$ Since every element in $G\setminus H$ is a
point where $\psi_1$ and $\psi_2$ differ, it follows that $\psi_1$ and
$\psi_2$ differ at atleast $|G|/2$ points. 
\end{proof}

The claim directly follows from the theorem since both the Jacobi
symbol and the map $a\mapsto a^{\frac{n-1}{2}}$ are homomorphisms and
hence will differ in atleast half of the elements of
$(\Z/n\Z)^\star.$\\

Thus, the Solovay-Strassen algorithm has the following error bounds:
\begin{itemize}
\item If $n$ is a prime, the program outputs {\sc prime} with
probability $1.$
\item If $n$ is not a prime, the program outputs {\sc composite} with
probability atleast $\frac{1}{2}.$
\end{itemize}
Of course, the confidence can be boosted by making checks on more such
$a$'s.\\

All that's left to do is to prove the proposition. 

\section{Proof of the Proposition \ref{ss-prop}}

We want to show that if $n$ is not a prime, there the two
homomorphisms $a\mapsto a^{\frac{n-1}{2}}$ and
$a\mapsto \legendre{a}{n}$ are not the same. Thus, it suffices to find
a single $a\in (\Z/n\Z)^\star$ such that $\legendre{a}{n} \neq
a^{\frac{n-1}{2}}.$

\subsection*{Case $1$: $n$ is not square free}

Suppose $n$ had a prime factor $p$ such that $p^2$ divides $n.$ Recall
that for all $n = p_1^{\alpha_1}p_2^{\alpha_2}\cdots p_k^{\alpha_k}$,
the Euler $\phi$ function evaluates to:
$$
\phi(n) = \prod_{i=1}^k p_i^{\alpha_i - 1}(p_i-1)
$$

And hence, if $p^2\mid n \implies p\mid \phi(n).$ Now look at the
multiplicative group $(\Z/n\Z)^\star$, this has $\phi(n)$ elements. A
theorem of Cayley tells us that if $p\mid |G|$ then $G$ has an element
of order $p.$\footnote{actually it is more. It says that for
every prime power $p^\alpha\mid |G|$, there is a subgroup of order $p^\alpha$
in $G.$} Let $g$ be an element of order $p$ in $(\Z/n\Z)^\star.$ 

What is the value of $g^{\frac{n-1}{2}}?$ Can this be $\pm 1?$ If it
were $\pm 1$, then $g^{n-1} = 1.$ This means that the order of $g$
divides $n-1$, or $p\mid n-1$ which is impossible since $p\mid n.$ And
therefore, $g^{\frac{n-1}{2}}\neq \pm 1$ and therefore, certainly
cannot be $\legendre{g}{n}$ which takes values only $\pm 1$ for all
$g$ coprime to $n.$ 

Thus $g$ is a witness that $\legendre{g}{n} \neq g^{\frac{n-1}{2}}.$

\subsection*{Case $2$: $n$ is a product of distinct primes}

Now $n$ will be square-free if and only if it is a product of distinct
primes. Suppose $n = p_1p_2\cdots p_k$ \\

Suppose there is some some $a$ such that
$a^{\frac{n-1}{2}}\neq \legendre{a}{p_1}$, are we done? Yes we are. We
can use such a $a$ to find a $g$ such that
$g^{\frac{n-1}{2}}\neq \legendre{g}{n}.$

By the Chinese Remainder Theorem, we know that $(\Z/n\Z)^\star \iso
(\Z/p_1\Z)^\star \times \cdots \times (\Z/p_k\Z)^\star.$ Let $g$ be the element in
$(\Z/n\Z)^\star$ such that $g\mapsto (a,1,1,\cdots,1)$ by the CRT map. By the
definition of the Jacobi Symbol, 
$$
\legendre{g}{n} = \prod_{i\in 1}^k\legendre{g}{p_i}
= \prod_{i=1}^k\legendre{g\mod p_i}{p_i}
= \legendre{a}{p_1}\legendre{1}{p_2}\cdots\legendre{1}{p_k} = \legendre{a}{p_1}
$$
And $g^{\frac{n-1}{2}} = (a^{\frac{n-1}{2}},1,\cdots,1).$ What we know
is that $a^{\frac{n-1}{2}}\neq \legendre{a}{p_1}.$ Suppose
$\legendre{a}{p_1} = 1$, then $\legendre{a}{p_1} = \legendre{g}{n} =
1.$ But $g^{\frac{n-1}{2}}$ on the other hand looks like
$(a^{\frac{n-1}{2}},1,\cdots,1)$ and we know that $\legendre{a}{p_1} =
1 \neq a^{\frac{n-1}{2}}.$ Therefore, $g^{\frac{n-1}{2}}$ looks like
$(\ast,1,\cdots,1)$ where the first coordinate is {\em not} $1.$ And
therefore, this is not $1.$ Therefore $\legendre{g}{n} \neq
g^{\frac{n-1}{2}}.$

Suppose $\legendre{a}{p_1} = -1$, then things are even
simpler. $\legendre{g}{n} = -1$ but $g^{\frac{n-1}{2}}$ looks like
$(\ast,1,\cdots, 1) \neq -1.$ Therefore $\legendre{g}{n} \neq
g^{\frac{n-1}{2}}.$\\

And of course, it works for any prime factor $p$ of $n.$ Thus, the bad
case is when for all $a$ and for all prime factors $p_i$,
$\legendre{a}{p_i} = a^{\frac{n-1}{2}}.$ Since $n$ is composite, there
are at least $2$ distinct prime factors $p_1$ and $p_2.$ Pick
$a\in (\Z/p_1\Z)^\star$ which is a quadratic residue
($\legendre{a}{p_1} = 1$) and a $b\in (\Z/p_2\Z)^\star$ that is a
non-residue ($\legendre{b}{p_2} = -1$). Now look at the element $g\in
(\Z/n\Z)^\star$ that maps to $(a,b,1,1,\cdots, 1)$ by the chinese
remainder theorem. 

Now $g^{\frac{n-1}{2}} =
(a^{\frac{n-1}{2}},b^{\frac{n-1}{2}},1,\cdots, 1) = (1,-1,1,\cdots 1)$
which is not $\pm 1.$ And hence clearly, $\legendre{g}{n} \neq
g^{\frac{n-1}{2}}.$\\

That completes the proof of correctness of the Solovay-Strassen
primality test. 

\end{document}