Algorithms for primes. D. J. Bernstein, University of Illinois at Chicago.



SLIDE 1

Algorithms for primes

D. J. Bernstein
University of Illinois at Chicago

Some literature:

Recognizing primes: 1982 Atkin–Larson “On a primality test of Solovay and Strassen”; 1995 Atkin “Intelligent primality test offer”

SLIDE 2

Proving primes to be prime: 1993 Atkin–Morain “Elliptic curves and primality proving”

Factoring integers into primes: 1993 Atkin–Morain “Finding suitable curves for the elliptic curve method of factorization”

Enumerating small primes: 2004 Atkin–Bernstein “Prime sieves using binary quadratic forms”

SLIDE 4

Recognizing primes

Fermat: \(w \in \mathbf{Z}\), prime \(n \in \mathbf{Z}\) \(\Rightarrow\) \(w^n - w = 0\) in \(\mathbf{Z}/n\).

e.g. Fast proof of compositeness of \(n = 314159265358979323\): in \(\mathbf{Z}/n\) compute \(2^n - 2 = 198079119221837430 \ne 0\).

“Carmichael numbers” are composites that cannot be proven composite this way. 1994 Alford–Granville–Pomerance: \(\#\{\text{Carmichael numbers}\} = \infty\).

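SLIDE 5

Refined Fermat: \(w \in \mathbf{Z}\), prime \(n \in 1 + 2\mathbf{Z}\) \(\Rightarrow\)
\(w = 0\) in \(\mathbf{Z}/n\)
or \(w^{(n-1)/2} + 1 = 0\) in \(\mathbf{Z}/n\)
or \(w^{(n-1)/2} - 1 = 0\) in \(\mathbf{Z}/n\).

Proof: \(w^n - w = w(w^{n-1} - 1) = w(w^{(n-1)/2} + 1)(w^{(n-1)/2} - 1)\).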

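SLIDE 6

Doubly refined Fermat: \(w \in \mathbf{Z}\), prime \(n \in 1 + 4\mathbf{Z}\) \(\Rightarrow\)
\(w = 0\) in \(\mathbf{Z}/n\)
or \(w^{(n-1)/2} + 1 = 0\) in \(\mathbf{Z}/n\)
or \(w^{(n-1)/4} + 1 = 0\) in \(\mathbf{Z}/n\)
or \(w^{(n-1)/4} - 1 = 0\) in \(\mathbf{Z}/n\).

Proof: \(w^n - w = w(w^{n-1} - 1) = w(w^{(n-1)/2} + 1)(w^{(n-1)/2} - 1) = w(w^{(n-1)/2} + 1)(w^{(n-1)/4} + 1)(w^{(n-1)/4} - 1)\).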

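SLIDE 7

1966 Artjuhov: \(w \in \mathbf{Z}\), prime \(n \in 1 + 2^u + 2^{u+1}\mathbf{Z}\) \(\Rightarrow\)
\(w = 0\) in \(\mathbf{Z}/n\)
or \(w^{(n-1)/2} + 1 = 0\) in \(\mathbf{Z}/n\)
or \(w^{(n-1)/4} + 1 = 0\) in \(\mathbf{Z}/n\)
. . .
or \(w^{(n-1)/2^u} + 1 = 0\) in \(\mathbf{Z}/n\)
or \(w^{(n-1)/2^u} - 1 = 0\) in \(\mathbf{Z}/n\).

e.g. Proof that 2821 is not prime: in \(\mathbf{Z}/2821\) have \(2^{1410} + 1 = 1521\); \(2^{705} + 1 = 2606\); \(2^{705} - 1 = 2604\).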

SLIDE 8

Non-prime \(n \in 1 + 2\mathbf{Z}\) \(\Rightarrow\) uniform random \(w \in \{1, 2, \ldots, n - 1\}\) has \(\ge 75\%\) chance to prove \(n\) non-prime by this test.

Try \(\lceil \lg n \rceil\) choices of \(w\).

Conjecture: If this doesn’t prove \(n\) non-prime then \(n\) is prime.

Messy history: Dubois, Selfridge, Miller, Rabin, Lehmer, Solovay–Strassen, Monier, Atkin–Larson.

SLIDE 10

Time \((\lg n)^{3+o(1)}\) for \((\lg n)^{1+o(1)}\) exponentiations.

Can we do better? e.g. Only \(\lceil \sqrt{\lg n} \rceil\) choices of \(w\)?

No! There are too many \(n\)’s that have too many failing \(w\)’s.

e.g. 1982 Atkin–Larson: If \(4k + 3\), \(8k + 5\) are prime then \(n = (4k + 3)(8k + 5)\) has \((2k + 1)(4k + 2)\) failing \(w\)’s.
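
Added example (not part of the talk): the Fermat and Artjuhov tests from the slides above, in Python, run on the slide's n = 2821 and on the Atkin–Larson family n = (4k+3)(8k+5). All function names are this example's own.

```python
# Added example: Fermat vs. Artjuhov compositeness tests, as stated on the slides.

def fermat_proves_composite(n, w):
    """Fermat: n is proven composite if w^n - w != 0 in Z/n."""
    return (pow(w, n, n) - w) % n != 0

def artjuhov_proves_composite(n, w):
    """For odd n with n - 1 = 2^u * m (m odd), a prime n forces w = 0,
    or w^((n-1)/2^i) + 1 = 0 for some 1 <= i <= u, or w^m - 1 = 0 in Z/n.
    Return True when none of these holds, i.e. w proves n composite."""
    assert n > 2 and n % 2 == 1
    u, m = 0, n - 1
    while m % 2 == 0:
        u, m = u + 1, m // 2
    x = pow(w, m, n)                  # w^((n-1)/2^u)
    if w % n == 0 or x == 1 or x == n - 1:
        return False
    for _ in range(u - 1):            # exponents (n-1)/2^(u-1), ..., (n-1)/2
        x = x * x % n
        if x == n - 1:
            return False
    return True

def failing_w(n):
    """All w in {1, ..., n-1} that do not prove the odd number n composite."""
    return [w for w in range(1, n) if not artjuhov_proves_composite(n, w)]

def atkin_larson_prediction(k):
    """The slide's count of failing w for n = (4k+3)(8k+5), both factors prime."""
    return (2 * k + 1) * (4 * k + 2)

if __name__ == "__main__":
    # 2821 = 7 * 13 * 31 is a Carmichael number: Fermat with w = 2 says nothing,
    # while the Artjuhov chain 2^705, 2^1410 never hits -1 and proves compositeness.
    print(fermat_proves_composite(2821, 2), artjuhov_proves_composite(2821, 2))
    for k in (0, 1, 4):               # 3*5, 7*13, 19*37
        n = (4 * k + 3) * (8 * k + 5)
        print(n, len(failing_w(n)), atkin_larson_prediction(k))
```
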

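SLIDE 11

Do better by extending \(\mathbf{Z}/n\)? Main credits: Lucas, Selfridge.

e.g. Prime \(n \in 1 + 2\mathbf{Z}\), \(w \in \mathbf{Z}\), \(w^2 - 4\) has Jacobi symbol \(-1\) in \(\mathbf{Z}/n\) \(\Rightarrow\) \(t^{(n+1)/2} \in \{1, -1\}\) in \((\mathbf{Z}/n)[t]/(t^2 - wt + 1)\).

Proof: \(k = (\mathbf{Z}/n)[t]/(t^2 - wt + 1)\) is a field. In \(k[u]\) have \(u^2 - wu + 1 = (u - t)(u - t^n)\) so in \(k\) have \(t^{n+1} = 1\).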

SLIDE 13

Geometric view: group scheme \(G = \{(x, y) : x^2 - wxy + y^2 = 1\}\); addition of \((x, y)\) induced by mult of \(y + xt\) modulo \(t^2 - wt + 1\).

\(w^2 - 4\) has Jacobi symbol \(-1\) so \(\#G(\mathbf{Z}/n) = n + 1\) so \((n + 1)(1, 0) = (0, 1)\) in \(G(\mathbf{Z}/n)\).

Faster than \((\mathbf{Z}/n)^*\)? No.

More reliable than \((\mathbf{Z}/n)^*\)? No. Easily construct many \(n\) that have many bad \(w\).

SLIDE 15

Try another group scheme? e.g. \(E : x^2 + y^2 = 1 - 30x^2y^2\).

Main obstacle: Find \(\#E(\mathbf{Z}/n)\), assuming that \(n\) is prime.

1986 Chudnovsky–Chudnovsky, 1987 Gordon: Build \(E\) here using CM with class number 1.

Faster than \((\mathbf{Z}/n)^*\)? No.

More reliable than \((\mathbf{Z}/n)^*\)? No. Easily construct many “elliptic pseudoprimes.”

SLIDE 16

1980 Baillie–Wagstaff, 1980 Pomerance–Selfridge–Wagstaff: One \(x^2 - wxy + y^2 = 1\) test plus one \((\mathbf{Z}/n)^*\) exponentiation. Time \((\lg n)^{2+o(1)}\).

Much more reliable than two \((\mathbf{Z}/n)^*\) exponentiations!

$620 for a counterexample, i.e., a non-proved non-prime.

SLIDE 17

1995 Atkin: One \((\mathbf{Z}/n)^*\) exponentiation plus one \(x^2 - wxy + y^2 = 1\) test plus one cubic test. $2500 for a counterexample.

Bad news: There should be infinitely many counterexamples to the 1980 tests (1984 Pomerance, adapting heuristic from 1956 Erdős) and to Atkin’s test.

SLIDE 19

Conjecture (new?): Continuing this series becomes perfectly reliable after only \((\lg n)^{o(1)}\) tests.

Resulting algorithm determines primality of \(n\) in time \((\lg n)^{2+o(1)}\).

To optimize \(o(1)\): replace high-degree extensions with many elliptic curves.

SLIDE 22

1956 Erdős heuristic:

For each prime divisor \(p\) of \(n\): Force frequent \(w^{n-1} = 1\) in \(\mathbf{Z}/p\) by forcing \(n - 1 \in (p - 1)\mathbf{Z}\) or maybe \(n - 1 \in ((p - 1)/2)\mathbf{Z}\) ...

“Chance” \(\approx 1/\operatorname{lcm}\{p - 1\}\).

Force small lcm by restricting to primes \(p\) with \(p - 1 = \prod\) subset of \(Q_1\), where \(Q_1\) is set of small primes.

SLIDE 23

1984 Pomerance heuristic: Choose disjoint \(Q_1, Q_2\). Restrict to primes \(p\) with \(p - 1 = \prod\) subset of \(Q_1\) and \(p + 1 = \prod\) subset of \(Q_2\).

Build \(n\) from these primes \(p\). Large chance that \(n - 1 \in (p - 1)\mathbf{Z}\) for all \(p\) and \(n + 1 \in (p + 1)\mathbf{Z}\) for all \(p\).

SLIDE 24

Obvious extension: Can similarly fool \(t\) tests starting with \(Q_1, Q_2, \ldots, Q_t\).

... but quantitative analysis, generalizing Pomerance analysis, suggests that smallest \(n\) is doubly exponential in \(t\), i.e., \(t \in O(\lg \lg n)\).

My conjecture: \(t \in (\lg n)^{o(1)}\).

SLIDE 25

Interlude: Building \(E\) by CM

How quickly can we build \(t\) elliptic curves \(E\) with known \(\#E(\mathbf{Z}/n)\), assuming \(n\) is prime? (Maybe best: 4 extensions and \(t - 4\) elliptic curves.)

Assume \(t \le (\lg n)^{0.3}\). Compare to ECPP situation: \(t \in (\lg n)^{1+o(1)}\) to find near-prime order.

SLIDE 26

Adapting idea of FastECPP (1990 Shallit):

Compute square roots of \(\{1, 2, \ldots, \lfloor t^{1/2} \rfloor\}\) in \(\mathbf{Z}/n\). Time \(t^{1/2}(\lg n)^{2+o(1)}\). (Surely \(t^{1/2}\) isn’t optimal.)

Multiply to obtain square roots of all \(t^{1/2}\)-smooth discriminants \(\le t^2\). Time \(t^2(\lg n)^{1+o(1)}\).

SLIDE 27

Apply Cornacchia. Time \(t^2(\lg n)^{1+o(1)}\).

Now have \(\approx t\) CM discriminants for \(n\), assuming standard heuristics. If \(< t\): tweak “\(\le t^2\).”

Find the curves by fast CM: \(t^2(\lg n)^{1+o(1)} + t(\lg n)^{2+o(1)}\)? Latest news: 2010.09 Sutherland.

SLIDE 28

Proving primes to be prime

ECPP finds proof of primality in conjectured time \((\lg n)^{5+o(1)}\). FastECPP: \((\lg n)^{4+o(1)}\). (1990 Shallit)

Verifying proof: time \((\lg n)^{3+o(1)}\).

Current project, Bernstein–Lange–Peters–Swart: Accelerate (and simplify!) verification. \((\lg n)^{3+o(1)}\), but better \(o(1)\).

SLIDE 29

Standard proof structure: elliptic curve \(E\) over \(\mathbf{Z}/n\); point \(W \in E(\mathbf{Z}/n)\) of prime order \(q > (n^{1/4} + 1)^2\); recursive proof that \(q\) is prime.

Verifier checks that \(qW = 0\) in \(E(\mathbf{Z}/n)\) (so \(qW = 0\) in each \(E(\mathbf{Z}/p)\)); that \(W\) is “stably nonzero” (so \(W \ne 0\) in each \(E(\mathbf{Z}/p)\)); that \(q > (n^{1/4} + 1)^2\); and that \(q\) is prime.

SLIDE 31

Bad news, part 1: Findable \(q\)’s are close to \(n\), so recursion has many levels.

Bad news, part 2: Arithmetic in \(E(\mathbf{Z}/n)\) is slow!

Engineer’s defn of \(E(\mathbf{Z}/n)\) (e.g., 1986 Goldwasser–Kilian) computes gcd at each step.

Mathematician’s defn of \(E(\mathbf{Z}/n)\) (e.g., 1987 Lenstra) computes gcd at each step.

SLIDE 34

Division-polynomial ECPP (e.g., 2005 Morain) uses many mults per bit.

Jacobian coordinates are somewhat faster but still \((9 + o(1)) \lg n\) mults, including \((1 + o(1)) \lg n\) for multi-gcd.

“Montgomery ladder, \(\infty \mapsto 0\)” (2006 Bernstein) reduces 9 to 8 but proof is an unholy mess.

SLIDE 35

Edwards to the rescue!

Edwards addition law for \(x^2 + y^2 = 1 + dx^2y^2\) is complete for non-square \(d\). (2007 Bernstein–Lange)

Can skip the multi-gcd. \((7 + o(1)) \lg n\) mults, with very small \(o(1)\). State of the art: 2010 Hisil.

SLIDE 37

Need correct computations in \(E(\mathbf{Z}/p)\) for every prime \(p\) in \(n\). Is \(d\) non-square in \(\mathbf{Z}/p\)?

Solution: Take \(d\) with Jacobi symbol \(-1\) in \(\mathbf{Z}/n\). Must be non-square in some \(\mathbf{Z}/p\). Deduce \(p \ge (q^{1/2} - 1)^2\). Verify: no small primes in \(n\). Conclude that \(n\) is prime.

Can check larger order to reduce “small.” Many optimizations.

SLIDE 38

Interlude: addition laws

1985 H. Lange–Ruppert: \(A(k)\) has a complete system of addition laws, degree \(\le (3, 3)\). Symmetry \(\Rightarrow\) degree \(\le (2, 2)\).

“The proof is nonconstructive... To determine explicitly a complete system of addition laws requires tedious computations already in the easiest case of an elliptic curve in Weierstrass normal form.”

SLIDE 39

1985 Lange–Ruppert: Explicit complete system of 3 addition laws for short Weierstrass curves. Reduce formulas to 53 monomials by introducing extra variables \(x_i y_j + x_j y_i\), \(x_i y_j - x_j y_i\).

1987 Lange–Ruppert: Explicit complete system of 3 addition laws for long Weierstrass curves.

SLIDE 40

SLIDE 43

1995 Bosma–Lenstra: Explicit complete system of 2 addition laws for long Weierstrass curves: \(X_3, Y_3, Z_3, X_3', Y_3', Z_3' \in \mathbf{Z}[a_1, a_2, a_3, a_4, a_6, X_1, Y_1, Z_1, X_2, Y_2, Z_2]\).

My previous slide in this talk: Bosma–Lenstra \(Y_3', Z_3'\).

Actually, slide shows \(\mathrm{Publish}(Y_3'), \mathrm{Publish}(Z_3')\), where Publish introduces typos.

SLIDE 44

What this means: For all fields \(k\), all \(\mathbf{P}^2\) Weierstrass curves \(E/k : Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3\), all \(P_1 = (X_1 : Y_1 : Z_1) \in E(k)\), all \(P_2 = (X_2 : Y_2 : Z_2) \in E(k)\):

\((X_3 : Y_3 : Z_3)\) is \(P_1 + P_2\) or \((0 : 0 : 0)\);
\((X_3' : Y_3' : Z_3')\) is \(P_1 + P_2\) or \((0 : 0 : 0)\);
at most one of these is \((0 : 0 : 0)\).

SLIDE 45

2009 Bernstein–T. Lange: For all fields \(k\) with \(2 \ne 0\), all \(\mathbf{P}^1 \times \mathbf{P}^1\) Edwards curves \(E/k : X^2T^2 + Y^2Z^2 = Z^2T^2 + dX^2Y^2\), all \(P_1, P_2 \in E(k)\), \(P_1 = ((X_1 : Z_1), (Y_1 : T_1))\), \(P_2 = ((X_2 : Z_2), (Y_2 : T_2))\):

\((X_3 : Z_3)\) is \(x(P_1 + P_2)\) or \((0 : 0)\);
\((X_3' : Z_3')\) is \(x(P_1 + P_2)\) or \((0 : 0)\);
\((Y_3 : T_3)\) is \(y(P_1 + P_2)\) or \((0 : 0)\);
\((Y_3' : T_3')\) is \(y(P_1 + P_2)\) or \((0 : 0)\);
at most one of these is \((0 : 0)\).

SLIDE 46

\(X_3 = X_1Y_2Z_2T_1 + X_2Y_1Z_1T_2\),
\(Z_3 = Z_1Z_2T_1T_2 + dX_1X_2Y_1Y_2\),
\(Y_3 = Y_1Y_2Z_1Z_2 - X_1X_2T_1T_2\),
\(T_3 = Z_1Z_2T_1T_2 - dX_1X_2Y_1Y_2\),
\(X_3' = X_1Y_1Z_2T_2 + X_2Y_2Z_1T_1\),
\(Z_3' = X_1X_2T_1T_2 + Y_1Y_2Z_1Z_2\),
\(Y_3' = X_1Y_1Z_2T_2 - X_2Y_2Z_1T_1\),
\(T_3' = X_1Y_2Z_2T_1 - X_2Y_1Z_1T_2\).

Much, much, much simpler than Lange–Ruppert, Bosma–Lenstra. Also much easier to prove.
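
Added example (not part of the talk): an exhaustive check of the eight formulas above over the small field F_13, once with non-square d = 2 and once with square d = 3. The field, the two values of d and all function names are choices made for this example; it counts how often the unprimed law returns (0 : 0) and confirms that the two laws never both return (0 : 0) for the same coordinate.

```python
# Added example: the two P^1 x P^1 Edwards addition laws, checked over F_p.
from itertools import product

def p1(p):
    """Normalized representatives of the projective line over F_p."""
    return [(x, 1) for x in range(p)] + [(1, 0)]

def points(p, d):
    """All ((X:Z),(Y:T)) with X^2 T^2 + Y^2 Z^2 = Z^2 T^2 + d X^2 Y^2."""
    return [((X, Z), (Y, T)) for (X, Z), (Y, T) in product(p1(p), repeat=2)
            if (X*X*T*T + Y*Y*Z*Z - Z*Z*T*T - d*X*X*Y*Y) % p == 0]

def add_laws(P, Q, p, d):
    """Return (X3:Z3), (Y3:T3), (X3':Z3'), (Y3':T3') as unnormalized pairs."""
    (X1, Z1), (Y1, T1) = P
    (X2, Z2), (Y2, T2) = Q
    xz = ((X1*Y2*Z2*T1 + X2*Y1*Z1*T2) % p, (Z1*Z2*T1*T2 + d*X1*X2*Y1*Y2) % p)
    yt = ((Y1*Y2*Z1*Z2 - X1*X2*T1*T2) % p, (Z1*Z2*T1*T2 - d*X1*X2*Y1*Y2) % p)
    xz2 = ((X1*Y1*Z2*T2 + X2*Y2*Z1*T1) % p, (X1*X2*T1*T2 + Y1*Y2*Z1*Z2) % p)
    yt2 = ((X1*Y1*Z2*T2 - X2*Y2*Z1*T1) % p, (X1*Y2*Z2*T1 - X2*Y1*Z1*T2) % p)
    return xz, yt, xz2, yt2

def survey(p, d):
    """Return (#points, #pairs where the unprimed law gives (0:0) somewhere,
    #pairs where both laws give (0:0) for the same coordinate)."""
    pts = points(p, d)
    zero = (0, 0)
    first_fails = both_fail = 0
    for P, Q in product(pts, repeat=2):
        xz, yt, xz2, yt2 = add_laws(P, Q, p, d)
        first_fails += (xz == zero or yt == zero)
        both_fail += (xz == zero and xz2 == zero) or (yt == zero and yt2 == zero)
    return len(pts), first_fails, both_fail

if __name__ == "__main__":
    print("d = 2 (non-square mod 13):", survey(13, 2))   # unprimed law alone is complete
    print("d = 3 (square mod 13):    ", survey(13, 3))   # needs the primed law as well
```
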

SLIDE 47
SLIDE 48
SLIDE 49

SLIDE 50

1987 Lenstra: Use Lange–Ruppert complete system of addition laws to computationally define \(E(R)\) for more general rings \(R\).

Define \(\mathbf{P}^2(R) = \{(X : Y : Z) : X, Y, Z \in R;\ XR + YR + ZR = R\}\) where \((X : Y : Z)\) is the module \(\{(\lambda X, \lambda Y, \lambda Z) : \lambda \in R\}\).

Define \(E(R) = \{(X : Y : Z) \in \mathbf{P}^2(R) : Y^2Z = X^3 + a_4XZ^2 + a_6Z^3\}\).

SLIDE 51

To define (and compute) sum \((X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_2)\):

Consider (and compute) Lange–Ruppert \((X_3 : Y_3 : Z_3)\), \((X_3' : Y_3' : Z_3')\), \((X_3'' : Y_3'' : Z_3'')\).

Add these \(R\)-modules: \(\{(\lambda X_3, \lambda Y_3, \lambda Z_3) + (\lambda' X_3', \lambda' Y_3', \lambda' Z_3') + (\lambda'' X_3'', \lambda'' Y_3'', \lambda'' Z_3'') : \lambda, \lambda', \lambda'' \in R\}\).

Express as \((X : Y : Z)\); assume trivial class group of \(R\).

SLIDE 52

Factoring integers into primes

1993 Atkin–Morain “Finding suitable curves for the elliptic curve method of factorization”: “For practical application, one may as well use the largest group available, namely the group \((\mathbf{Z}/8\mathbf{Z}) \times (\mathbf{Z}/2\mathbf{Z})\) of §3.1, giving a prescribed factor of 16 in \(k\).”

SLIDE 54

2010 Bernstein–Birkner–Lange: Better to switch to a family of twisted Edwards curves \(-x^2 + y^2 = 1 + dx^2y^2\) with \(\mathbf{Z}/6\) torsion.

Expected benefit: These curves are very fast.

Unexpected benefit: These curves find more primes despite smaller torsion.

SLIDES 55–66

[Twelve plots, one per slide, titled “Mulmods/15-bit prime found” through “Mulmods/26-bit prime found”.]

SLIDE 67

Enumerating small primes

Sieve of Eratosthenes enumerates products \(ij\); i.e., enumerates values \(-x^2 + y^2\); i.e., enumerates norms of elements \(y + xt\) of \(\mathbf{Z}[t]/(t^2 - 1)\).

Determines primality of \(n\) by counting representations of \(n\) as such norms.

Fast computation if batched across all \(n \in \{1, 2, \ldots, H\}\).

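SLIDE 68

Sieve of Atkin enumerates \(4x^2 + y^2\) for \(n \in 1 + 4\mathbf{Z}\), \(3x^2 + y^2\) for \(n \in 7 + 12\mathbf{Z}\), \(3x^2 - y^2\) for \(n \in 11 + 12\mathbf{Z}\).

Fundamentally more efficient than sieve of Eratosthenes: \(\mathbf{Q}(\sqrt{-1})\), \(\mathbf{Q}(\sqrt{-3})\), \(\mathbf{Q}(\sqrt{3})\) are smaller than “\(\mathbf{Q}(\sqrt{1})\)” \(= \mathbf{Q} \times \mathbf{Q}\).

(Can we determine primality by enumerating points on elliptic curves?)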
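
Added example (not part of the talk): a plain, unoptimized Python version of the representation-counting idea on this slide, checked against a sieve of Eratosthenes. It uses the common residue-mod-12 formulation of the three forms and makes no attempt at the operation counts the talk discusses; function names are this example's own.

```python
# Added example: sieve of Atkin by parity of quadratic-form representations.
from math import isqrt

def sieve_of_atkin(H):
    """Primes in {1, ..., H}. For squarefree n coprime to 6, n is prime exactly
    when it has an odd number of representations by the form for its class."""
    odd = bytearray(H + 1)                       # parity of representation count
    r = isqrt(H)
    for x in range(1, r + 1):
        for y in range(1, r + 1):
            n = 4*x*x + y*y
            if n <= H and n % 12 in (1, 5):      # n in 1 + 4Z, not divisible by 3
                odd[n] ^= 1
            n = 3*x*x + y*y
            if n <= H and n % 12 == 7:           # n in 7 + 12Z
                odd[n] ^= 1
            n = 3*x*x - y*y
            if x > y and n <= H and n % 12 == 11:  # n in 11 + 12Z
                odd[n] ^= 1
    # The parity criterion assumes squarefree n: clear multiples of prime squares.
    for q in range(5, r + 1):
        if odd[q]:
            for m in range(q*q, H + 1, q*q):
                odd[m] = 0
    return [p for p in (2, 3) if p <= H] + [n for n in range(5, H + 1) if odd[n]]

def sieve_of_eratosthenes(H):
    """Reference sieve: cross out products i*j with i, j >= 2."""
    is_prime = bytearray([1]) * (H + 1)
    is_prime[0:2] = b"\x00\x00"[:H + 1]
    for i in range(2, isqrt(H) + 1):
        if is_prime[i]:
            for m in range(i*i, H + 1, i):
                is_prime[m] = 0
    return [n for n in range(2, H + 1) if is_prime[n]]

if __name__ == "__main__":
    H = 10000                                    # constructed test bound
    print(sieve_of_atkin(H) == sieve_of_eratosthenes(H), len(sieve_of_atkin(H)))
```
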

SLIDE 69

Consequence: Can print the primes in \(\{1, 2, \ldots, H\}\), in order, using \(\Theta(H/\lg \lg H)\) ops on \(\Theta(\lg H)\)-bit integers and \(H^{1/2+o(1)}\) bits of memory.

Galway: \(H^{1/3+o(1)}\). \(H^{1/4+o(1)}\) should be doable with LLL, Coppersmith, etc.

But is this a meaningful game?

SLIDE 70

Radeon 5970 graphics card: 2 320 000 000 000 mults/second. $600; consumes 300 watts. Can run at even higher speed using more power, more fans:

SLIDE 71

Need better algorithms with massive parallelism, very little communication.

Good example, 2006 Sorenson “The pseudosquares prime sieve”: \(\Theta(H \lg H)\) operations, \(\Theta((\lg H)^2)\) bits of memory, assuming standard conjectures. Output is always correct: primes in \(\{1, 2, \ldots, H\}\).