Computational Number Theory and Modern Cryptography
Ebook, 642 pages, 10 hours

About this ebook

The only book to provide a unified view of the interplay between computational number theory and cryptography

Computational number theory and modern cryptography are two of the most important and fundamental research fields in information security. In this book, Song Y. Yan combines knowledge of these two critical fields, providing a unified view of the relationships between computational number theory and cryptography. The author takes an innovative approach, presenting mathematical ideas first, then treating cryptography as an immediate application of the mathematical concepts. The book also presents topics from number theory that are relevant for applications in public-key cryptography, as well as modern topics, such as coding and lattice-based cryptography for post-quantum cryptography. The author further covers the current research and applications for common cryptographic algorithms, describing the mathematical problems behind these applications in a manner accessible to computer scientists and engineers.

  • Makes mathematical problems accessible to computer scientists and engineers by showing their immediate application
  • Presents topics from number theory relevant for public-key cryptography applications
  • Covers modern topics such as coding and lattice-based cryptography for post-quantum cryptography
  • Starts with the basics, then goes into applications and areas of active research
  • Geared at a global audience; classroom tested in North America, Europe, and Asia
  • Includes exercises in every chapter
  • Instructor resources available on the book’s Companion Website

Computational Number Theory and Modern Cryptography is ideal for graduate and advanced undergraduate students in computer science, communications engineering, cryptography and mathematics. Computer scientists, practicing cryptographers, and other professionals involved in various security schemes will also find this book to be a helpful reference.

Language: English
Publisher: Wiley
Release date: Nov 28, 2012
ISBN: 9781118188613

    Book preview

    Computational Number Theory and Modern Cryptography - Song Y. Yan

    Contents

    Cover

    Series

    Title Page

    Copyright

    About the Author

    Preface

    Acknowledgments

    Part 1: Preliminaries

    Chapter 1: Introduction

    1.1 What is Number Theory?

    1.2 What is Computation Theory?

    1.3 What is Computational Number Theory?

    1.4 What is Modern Cryptography?

    1.5 Bibliographic Notes and Further Reading

    References

    Chapter 2: Fundamentals

    2.1 Basic Algebraic Structures

    2.2 Divisibility Theory

    2.3 Arithmetic Functions

    2.4 Congruence Theory

    2.5 Primitive Roots

    2.6 Elliptic Curves

    2.7 Bibliographic Notes and Further Reading

    References

    Part II: Computational Number Theory

    Chapter 3: Primality Testing

    3.1 Basic Tests

    3.2 Miller–Rabin Test

    3.3 Elliptic Curve Tests

    3.4 AKS Test

    3.5 Bibliographic Notes and Further Reading

    References

    Chapter 4: Integer Factorization

    4.1 Basic Concepts

    4.2 Trial Divisions Factoring

    4.3 ρ and p−1 Methods

    4.4 Elliptic Curve Method

    4.5 Continued Fraction Method

    4.6 Quadratic Sieve

    4.7 Number Field Sieve

    4.8 Bibliographic Notes and Further Reading

    References

    Chapter 5: Discrete Logarithms

    5.1 Basic Concepts

    5.2 Baby-Step Giant-Step Method

    5.3 Pohlig–Hellman Method

    5.4 Index Calculus

    5.5 Elliptic Curve Discrete Logarithms

    5.6 Bibliographic Notes and Further Reading

    References

    Part III: Modern Cryptography

    Chapter 6: Secret-Key Cryptography

    6.1 Cryptography and Cryptanalysis

    6.2 Classic Secret-Key Cryptography

    6.3 Modern Secret-Key Cryptography

    6.4 Bibliographic Notes and Further Reading

    References

    Chapter 7: Integer Factorization Based Cryptography

    7.1 RSA Cryptography

    7.2 Cryptanalysis of RSA

    7.3 Rabin Cryptography

    7.4 Residuosity Based Cryptography

    7.5 Zero-Knowledge Proof

    7.6 Bibliographic Notes and Further Reading

    References

    Chapter 8: Discrete Logarithm Based Cryptography

    8.1 Diffie–Hellman–Merkle Key-Exchange Protocol

    8.2 ElGamal Cryptography

    8.3 Massey–Omura Cryptography

    8.4 DLP-Based Digital Signatures

    8.5 Bibliographic Notes and Further Reading

    References

    Chapter 9: Elliptic Curve Discrete Logarithm Based Cryptography

    9.1 Basic Ideas

    9.2 Elliptic Curve Diffie–Hellman–Merkle Key Exchange Scheme

    9.3 Elliptic Curve Massey–Omura Cryptography

    9.4 Elliptic Curve ElGamal Cryptography

    9.5 Elliptic Curve RSA Cryptosystem

    9.6 Menezes–Vanstone Elliptic Curve Cryptography

    9.7 Elliptic Curve DSA

    9.8 Bibliographic Notes and Further Reading

    References

    Part IV: Quantum Resistant Cryptography

    Chapter 10: Quantum Computational Number Theory

    10.1 Quantum Algorithms for Order Finding

    10.2 Quantum Algorithms for Integer Factorization

    10.3 Quantum Algorithms for Discrete Logarithms

    10.4 Quantum Algorithms for Elliptic Curve Discrete Logarithms

    10.5 Bibliographic Notes and Further Reading

    References

    Chapter 11: Quantum Resistant Cryptography

    11.1 Coding-Based Cryptography

    11.2 Lattice-Based Cryptography

    11.3 Quantum Cryptography

    11.4 DNA Biological Cryptography

    11.5 Bibliographic Notes and Further Reading

    References

    Index

    INFORMATION SECURITY SERIES

    The Wiley-HEP Information Security Series systematically introduces the fundamentals of information security design and application. The goals of the Series are:

    to provide fundamental and emerging theories and techniques to stimulate more research in cryptology, algorithms, protocols, and architectures

    to inspire professionals to understand the issues behind important security problems and the ideas behind the solutions

    to give references and suggestions for additional reading and further study

    The Series is a joint project between Wiley and Higher Education Press (HEP) of China. Publications consist of advanced textbooks for graduate students as well as researcher and practitioner references covering the key areas, including but not limited to:

    – Modern Cryptography

    – Cryptographic Protocols and Network Security Protocols

    – Computer Architecture and Security

    – Database Security

    – Multimedia Security

    – Computer Forensics

    – Intrusion Detection

    Title Page

    This edition first published 2013

    © 2013 Higher Education Press. All rights reserved.

    Published by John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01 Solaris South Tower, Singapore 138628, under exclusive license by Higher Education Press in all media and all languages throughout the world excluding Mainland China and excluding Simplified and Traditional Chinese languages.

    For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

    All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01 Solaris South Tower, Singapore 138628, tel: 65-66438000, fax: 65-66438008, email: [email protected].

    Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

    Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The Publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

    Library of Congress Cataloging-in-Publication Data

    Yan, Song Y.

    Computational number theory and modern cryptography / Song Y. Yan.

    pages cm

    Includes bibliographical references and index.

    ISBN 978-1-118-18858-3 (hardback)

    1. Data encryption (Computer science) 2. Number theory–Data processing. I. Title.

    QA76.9.A25Y358 2012

    005.8′2–dc23

    2012032708

    ISBN: 9781118188583

    ABOUT THE AUTHOR

    Professor Song Y. Yan majored in both Computer Science and Mathematics, and obtained a PhD in Number Theory in the Department of Mathematics at the University of York, England. His current research interests include Computational Number Theory, Computational Complexity Theory, Algebraic Coding Theory, Public-Key Cryptography and Information/Network Security. He published, among others, the following five well-received and popular books in computational number theory and public-key cryptography:

    1. Perfect, Amicable and Sociable Numbers: A Computational Approach, World Scientific, 1996.

    2. Number Theory for Computing, Springer, First Edition, 2000, Second Edition, 2002. (Polish Translation, Polish Scientific Publishers PWN, Warsaw, 2006; Chinese Translation, Tsinghua University Press, Beijing, 2007.)

    3. Cryptanalytic Attacks on RSA, Springer, 2007. (Russian Translation, Moscow, 2010.)

    4. Primality Testing and Integer Factorization in Public-Key Cryptography, Springer, First Edition, 2004; Second Edition, 2009.

    5. Quantum Attacks on Public-Key Cryptosystems, Springer, 2012.

    Song can be reached by email address [email protected] anytime.

    PREFACE

    The book is about number theory and modern cryptography. More specifically, it is about computational number theory and modern public-key cryptography based on number theory. It consists of four parts. The first part, consisting of two chapters, provides some preliminaries. Chapter 1 provides some basic concepts of number theory, computation theory, computational number theory, and modern public-key cryptography based on number theory. In Chapter 2, a complete introduction to some basic concepts and results in abstract algebra and elementary number theory is given.

    The second part is on computational number theory. There are three chapters in this part. Chapter 3 deals with algorithms for primality testing, with an emphasis on the Miller-Rabin test, the elliptic curve test, and the AKS test. Chapter 4 deals with algorithms for integer factorization, including the currently fastest factoring algorithm NFS (Number Field Sieve), and the elliptic curve factoring algorithm ECM (Elliptic Curve Method). Chapter 5 discusses various modern algorithms for discrete logarithms and for elliptic curve discrete logarithms. It is well known now that primality testing can be done in polynomial-time on a digital computer; however, integer factorization and discrete logarithms still cannot be performed in polynomial-time. From a computational complexity point of view, primality testing is feasible (tractable, easy) on a digital computer, whereas integer factorization and discrete logarithms are infeasible (intractable, hard, difficult). Of course, no one has yet been able to prove that the integer factorization and the discrete logarithm problems must be infeasible on a digital computer.

    Building on the results in the first two parts, the third part of the book studies the modern cryptographic schemes and protocols whose security relies exactly on the infeasibility of the integer factorization and discrete logarithm problems. There are four chapters in this part. Chapter 6 presents some basic concepts and ideas of secret-key cryptography. Chapter 7 studies the integer factoring based public-key cryptography, including, among others, the most famous and widely used RSA cryptography, the Rabin cryptosystem, the probabilistic encryption and the zero-knowledge proof protocols. Chapter 8 studies the discrete logarithm based cryptography, including the DHM key-exchange protocol (the world’s first public-key system), the ElGamal cryptosystem, and the US Government’s Digital Signature Standard (DSS). Chapter 9 discusses various cryptographic systems and digital signature schemes based on the infeasibility of the elliptic curve discrete logarithm problem, some of which are just the elliptic curve analogues of the ordinary public-key cryptography such as elliptic curve DHM, elliptic curve ElGamal, elliptic curve RSA, and elliptic curve DSA/DSS.

    It is interesting to note that although integer factorization and discrete logarithms cannot be solved in polynomial-time on a classical digital computer, they all can be solved in polynomial-time on a quantum computer, provided that a practical quantum computer with several thousand quantum bits can be built. So, the last part of the book is on quantum computational number theory and quantum-computing resistant cryptography. More specifically, in Chapter 10, we shall study efficient quantum algorithms for solving the Integer Factorization Problem (IFP), the Discrete Logarithm Problem (DLP) and the Elliptic Curve Discrete Logarithm Problem (ECDLP). Since IFP, DLP and ECDLP can be solved efficiently on a quantum computer, the IFP, DLP and ECDLP based cryptographic systems and protocols can be broken efficiently on a quantum computer. However, there are many infeasible problems such as the coding-based problems and the lattice-based problems that cannot be solved in polynomial-time even on a quantum computer. That is, a quantum computer is basically a special type of computing device using a different computing paradigm; it is only suitable or good for some special problems such as the IFP, DLP and ECDLP problems. Thus, in Chapter 11, the last chapter of the book, we shall discuss some quantum-computing resistant cryptographic systems, including the coding-based and lattice-based cryptographic systems, that resist all known quantum attacks. Note that quantum-computing resistant cryptography is still classic cryptography, but quantum resistant. We shall, however, also introduce a truly quantum cryptographic scheme, based on ideas of quantum mechanics, and some DNA cryptographic schemes based on the idea of DNA molecular computation.

    The materials presented in the book are based on the author’s many years of teaching and research experience in the field, and also based on the author’s other books published in the past ten years or so, particularly the following three books, all by Springer:

    1. Number Theory for Computing, 2nd Edition, 2002.

    2. Cryptanalytic Attacks on RSA, 2007.

    3. Primality Testing and Integer Factorization in Public-Key Cryptography, 2nd Edition, 2009.

    The book is suited as a text for final year undergraduate or first year postgraduate courses in computational number theory and modern cryptography, or as a basic research reference in the field.

    Corrections, comments and suggestions from readers are very welcome and can be sent via email to [email protected].

    Song Y. Yan

    London, England

    June 2012

    ACKNOWLEDGMENTS

    The author would like to thank the editors at Wiley and HEP, particularly Hongying Chen, Shelley Chow, James Murphy, Clarissa Lim, and Shalini Sharma, for their encouragement, assistance, and proof-reading. Special thanks must also be given to the three anonymous referees for their very helpful and constructive comments and suggestions.

    The work was supported in part by the Royal Society London, the Royal Academy of Engineering London, the Recruitment Program of Global Experts of Hubei Province, the Funding Project for Academic Human Resources Development in Institutions of Higher Learning under the Jurisdiction of the Beijing Municipality (PHR/IHLB), the Massachusetts Institute of Technology and Harvard University.

    Part 1

    Preliminaries

    In this part, we shall first explain what number theory, computation theory, computational number theory, and modern (number-theoretic) cryptography are. The relationship between them may be shown in the following figure:

    Then we shall present an introduction to the elementary theory of numbers from an algebraic perspective (see the following figure), which shall be used throughout the book.

    1

    Introduction

    In this chapter, we present some basic concepts and ideas of number theory, computation theory, computational number theory, and modern (number-theoretic) cryptography. More specifically, we shall try to answer the following typical questions in the field:

    What is number theory?

    What is computation theory?

    What is computational number theory?

    What is modern (number-theoretic) cryptography?

    1.1 What is Number Theory?

    Number theory is concerned mainly with the study of the properties (e.g., the divisibility) of the integers

    numbered Display Equation

    particularly the positive integers

    numbered Display Equation

    For example, in divisibility theory, all positive integers can be classified into three classes:

    1. Unit: 1.

    2. Prime numbers: 2, 3, 5, 7, 11, 13, 17, 19,....

    3. Composite numbers: 4, 6, 8, 9, 10, 12, 14, 15,....

    Recall that a positive integer n>1 is called a prime number if its only divisors are 1 and n; otherwise, it is a composite number. The number 1 is neither a prime number nor a composite number. Prime numbers play a central role in number theory, as any positive integer n>1 can be written uniquely in the following standard prime factorization form:

    (1.1) numbered Display Equation

    where p1<p2<...<pk are primes and positive integers. Although prime numbers have been studied for more than 2000 years, there are still many open problems about their distribution. Let us investigate some of the most interesting problems about prime numbers.

    1. The distribution of prime numbers.

    Euclid proved 2000 years ago in his Elements that there were infinitely many prime numbers. That is, the sequence of prime numbers

    numbered Display Equation

    is endless. For example, 2, 3, 5 are the first three prime numbers, whereas 2⁴³¹¹²⁶⁰⁹−1 is the largest prime number to date; it has 12978189 digits and was found on 23 August 2008. Let denote the prime numbers up to x (Table 1.1 gives some values of for some large x), then Euclid’s theorem of infinitude of primes actually says that

    numbered Display Equation

    A much better result about the distribution of prime numbers is the Prime Number theorem, stating that

    (1.2) numbered Display Equation

    In other words,

    (1.3) numbered Display Equation

    Note that the log is the natural logarithm logₑ (normally denoted by ln), where e = 2.7182818.... However, if the Riemann Hypothesis [3] is true, then there is a refinement of the Prime Number theorem

    (1.4) numbered Display Equation

    to the effect that

    (1.5) numbered Display Equation

    Of course we do not know if the Riemann Hypothesis is true. Whether or not the Riemann Hypothesis is true is one of the most important open problems in mathematics, and in fact it is one of the seven Millennium Prize Problems proposed by the Clay Mathematics Institute in Boston in 2000, each with a one million US dollars prize [4]. The Riemann hypothesis states that all the nontrivial (complex) zeros of the function

    (1.6)

    numbered Display Equation

    lying in the critical strip 0 < Re(s) < 1 must lie on the critical line , that is, , where denotes a nontrivial zero of . Riemann calculated the first five nontrivial zeros of and found that they all lie on the critical line (see Figure 1.1); he then conjectured that all the nontrivial zeros of are on the critical line.

    2. The distribution of twin prime numbers.

    Twin prime numbers are of the form , where both numbers are prime. For example, (3, 5), (5, 7), (11, 13) are the first three smallest twin prime pairs, whereas the largest twin primes so far are , discovered in August 2009, both numbers having 100355 digits. Table 1.2 gives 10 large twin prime pairs. Let be the number of twin primes up to x (Table 1.3 gives some values of for different x), then the twin prime conjecture states that

    numbered Display Equation

    If the probability of a random integer x and the integer x+2 being prime were statistically independent, then it would follow from the prime number theorem that

    (1.7) numbered Display Equation

    or more precisely,

    (1.8) numbered Display Equation

    with

    (1.9) numbered Display Equation

    As these probabilities are not independent, Hardy and Littlewood conjectured that

    (1.10) numbered Display Equation

    The infinite product in the above formula is the twin prime constant; this constant was estimated to be approximately 0.6601618158.... Using very complicated arguments based on sieve methods, in his work on the Goldbach conjecture, the Chinese mathematician Chen showed that there are infinitely many pairs of integers (n, n+2), with n prime and n+2 a product of at most two primes. The famous Goldbach conjecture states that every even number greater than 4 is the sum of two odd prime numbers. It was conjectured by Goldbach in a letter to Euler in 1742. It remains unsolved to this day. The best result for this conjecture is due to Chen, who announced it in 1966, although the full proof was not given until 1973 due to the chaotic Cultural Revolution: every sufficiently large even number is the sum of one prime number and the product of at most two prime numbers, that is, E=p1+p2p3, where E is a sufficiently large even number and p1, p2, p3 are prime numbers. As a consequence, there are infinitely many such twin numbers (p1, p1+2=p2p3). Extensions relating to the twin prime numbers have also been considered. For example, are there infinitely many triplet primes (p, q, r) with q=p+2 and r=p+6? The first five triplets of this form are as follows: (5, 7, 11), (11, 13, 17), (17, 19, 23), (41, 43, 47), (101, 103, 107). The triplet prime problem is much harder than the twin prime problem. It is amusing to note that there is only one triplet prime (p, q, r) with q=p+2 and r=p+4, namely (3, 5, 7). The Riemann Hypothesis, the Twin Prime Problem, and the Goldbach conjecture form the famous Hilbert’s 8th Problem.

    3. The distribution of arithmetic progressions of prime numbers.

    An arithmetic progression of prime numbers is defined to be the sequence of primes satisfying:

    (1.11) numbered Display Equation

    where p is the first term, d the common difference, and p+(k−1)d the last term of the sequence. For example, the following are some sequences of the arithmetic progression of primes:

    numbered Display Equation

    The longest arithmetic progression of primes is the following sequence with 23 terms: 56211383760397 + k · 44546738095860 with k=0, 1, ... , 22. Green and Tao proved in 2007 that there are arbitrarily long arithmetic progressions of primes (i.e., k can be any arbitrarily large natural number), which enabled, among others, Tao to receive a Field Prize in 2006, the equivalent of a Nobel Prize for Mathematics. However, their result is not about consecutive primes; we still do not know if there are arbitrarily long arithmetic progressions of consecutive primes, although Chowla proved in 1944 that there exists an infinity of three consecutive primes of arithmetic progressions. Note that an arithmetic progression of consecutive primes is a sequence of consecutive primes in the progression. In 1967, Jones, Lal, and Blundon found an arithmetic progression of five consecutive primes 10¹⁰+24493+30k with k=0, 1, 2, 3, 4. In the same year, Lander and Parkin discovered six in an arithmetic progression 121174811+30k with k=0, 1, 2, 3, 4, 5. The longest arithmetic progression of consecutive primes, discovered by Manfred Toplic in 1998, is 507618446770482 · 193# + x77 + 210k, where 193# is the product of all primes up to 193, that is, 193# = 2 · 3 · 5 · 7 ··· 193, x77 is a 77-digit number 54538241683887582668189703590110659057865934764604873840781923513421103495579 and k=0, 1, 2, ..., 9.

    Figure 1.1 Riemann hypothesis

    Table 1.1 for some large x

    Table 1.2 Ten large twin prime pairs

    Table 1.3 for some large values

    Table 1.4 The 47 known Mersenne primes Mₚ = 2ᵖ − 1

    It should be noted that problems in number theory are easy to state, because they are mainly concerned with integers with which we are very familiar, but often very hard to solve!
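
    The claims of this section can be checked numerically. The following is an added example, not code from the book: it sieves the primes up to a limit, counts primes and twin primes, lists the triplets (p, p+2, p+6) and (p, p+2, p+4), and approximates the twin prime constant. The product form of the constant and the integral form of the Hardy–Littlewood estimate are the standard ones and are assumptions here, since the displayed equations are not reproduced on this page; all function names are illustrative.

```python
"""Added example: numerical checks of the prime-distribution claims in Section 1.1."""
from math import isqrt, log


def sieve(limit):
    """Sieve of Eratosthenes; flags[n] == 1 exactly when n is prime."""
    flags = bytearray([1]) * (limit + 1)
    flags[0:2] = b"\x00\x00"
    for p in range(2, isqrt(limit) + 1):
        if flags[p]:
            # Strike out p*p, p*p + p, ... in a single slice assignment.
            flags[p * p::p] = bytearray(len(range(p * p, limit + 1, p)))
    return flags


def prime_count(flags, x):
    """pi(x): the number of primes up to x."""
    return sum(flags[: x + 1])


def constellations(flags, offsets):
    """Every p with p + d prime for all d in offsets, e.g. (0, 2) for twin primes."""
    top = len(flags) - 1 - max(offsets)
    return [p for p in range(2, top + 1) if all(flags[p + d] for d in offsets)]


def twin_prime_constant(flags):
    """Partial product of (1 - 1/(p-1)^2) over the odd primes in the sieve.

    Assumed standard form of the infinite product the text refers to.
    """
    c2 = 1.0
    for p in range(3, len(flags)):
        if flags[p]:
            c2 *= 1.0 - 1.0 / (p - 1) ** 2
    return c2


def hardy_littlewood_estimate(x, c2):
    """2 * C2 * integral from 2 to x of dt / (ln t)^2 (assumed standard form).

    The integral is approximated by the midpoint rule with unit steps.
    """
    return 2.0 * c2 * sum(1.0 / log(t + 0.5) ** 2 for t in range(2, x))


def summarize(limit):
    """Collect the quantities discussed in the section for one limit x."""
    flags = sieve(limit)
    c2 = twin_prime_constant(flags)
    pi_x = prime_count(flags, limit)
    return {
        "pi(x)": pi_x,
        "pi(x) / (x / ln x)": pi_x / (limit / log(limit)),
        "twin prime pairs": len(constellations(flags, (0, 2))),
        "Hardy-Littlewood estimate": hardy_littlewood_estimate(limit, c2),
        "twin prime constant (partial)": c2,
        "first triplets (p, p+2, p+6)": constellations(flags, (0, 2, 6))[:5],
        "triplets (p, p+2, p+4)": constellations(flags, (0, 2, 4)),
    }


if __name__ == "__main__":
    for name, value in summarize(10**6).items():
        print(f"{name}: {value}")
```

    The ratio of the prime count to x / ln x approaches 1 only slowly, and the search for triplets (p, p+2, p+4) never finds anything beyond p = 3, because one of three such numbers is always divisible by 3.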

    Problems for Section 1.1

    1. Show that there are infinitely many prime numbers.

    2. Prove or disprove there are infinitely many twin prime numbers.

    3. Are there infinitely many triple prime numbers of the form p, p+2, p+4, where p, p+2, p+4 are all prime numbers? For example, 3, 5, 7 are such triple prime numbers.

    4. Are there infinitely many triple prime numbers of the form p, p+2, p+6, where p, p+2, p+6 are all prime numbers? For example, 5, 7, 11 are such triple prime numbers.

    5. (Prime Number Theorem) Show that

    numbered Display Equation

    6. The Riemann -function is defined as follows:

    numbered Display Equation

    where is a complex number. Riemann conjectured that all zeroes of in the critical strip must lie on the critical line . That is,

    numbered Display Equation

    Prove or disprove the Riemann Hypothesis.

    7. Andrew Beal in 1993 conjectured that the equation xᵃ + yᵇ = zᶜ has no positive integer solutions in x, y, z, a, b, c, where a, b, c ≥ 3 and gcd(x,y)=(y,z)=(x,z)=1. Beal has offered $100 000 for a proof or a disproof of this conjecture.

    8. Prove or disprove the Goldbach conjecture that any even number greater than 6 is the sum of two odd prime numbers.

    9. A positive integer n is perfect if σ(n) = 2n, where σ(n) is the sum of all divisors of n. For example, 6 is perfect since σ(6) = 1+2+3+6 = 2 · 6 = 12. Show n is perfect if and only if n = 2ᵖ⁻¹(2ᵖ − 1), where 2ᵖ − 1 is a Mersenne prime.

    10. All known perfect numbers are even perfect. Recent research shows that if there exists an odd perfect number, it must be greater than 10³⁰⁰ and must have at least 29 prime factors (not necessarily distinct). Prove or disprove that there exists at least one odd perfect number.

    11. Show that there are arbitrarily long arithmetic progressions of prime numbers

    numbered Display Equation

    where p is the first term, d the common difference, and p+(k−1)d the last term of the sequence, and furthermore, all the terms in the sequence are prime numbers and k can be any arbitrarily large positive integer.

    12. Prove or disprove that there are arbitrarily long arithmetic progressions of consecutive prime numbers.

    1.2 What is Computation Theory?

    Computation theory, or the theory of computation, is a branch that deals with whether and how efficiently problems can be solved on a model of computation, using an algorithm. It may be divided into two main branches: computability theory and computational complexity theory. Generally speaking, computability theory deals with what a computer can or cannot do theoretically (i.e., without any restrictions), whereas complexity theory deals with what a computer can or cannot do practically (with e.g., time or space limitations). Feasibility or infeasibility theory is a subfield of complexity theory, which concerns itself with what a computer can or cannot do efficiently in polynomial-time. A reasonable model of computation is the Turing machine, first studied by the great British logician and mathematician Alan Turing in 1936. We shall first introduce the basic concepts of Turing machines, then discuss complexity, feasibility, and infeasibility theories based on Turing machines.

    Definition 1.1 A standard multitape Turing machine, M (see Figure 1.2), is an algebraic system defined by

    Figure 1.2 k-tape (k ≥ 1) Turing machine

    (1.12) numbered Display Equation

    where

    1. Q is a finite set of internal states;

    2. Σ is a finite set of symbols called the input alphabet. We assume that Σ ;

    3. Γ is a finite set of symbols called the tape alphabet;

    4. δ is the transition function, which is defined by

    i if M is a deterministic Turing machine (DTM), then

    (1.13) numbered Display Equation

    ii if M is a nondeterministic Turing machine (NDTM), then

    (1.14) numbered Display Equation

    where L and R specify the movement of the read-write head left or right. When k=1, it is just a standard one-tape Turing machine;

    5. is a special symbol called the blank;

    6. is the initial state;

    7. is the set of final states.

    Thus, Turing machines provide us with the simplest possible abstract model of computation for modern digital (even quantum) computers.

    Any effectively computable function can be computed by a Turing machine, and there is no effective procedure that a Turing machine cannot perform. This leads naturally to the following famous Church–Turing thesis, named after Alonzo Church (1903–1995) and Alan Turing (1912–1954):

    The Church–Turing thesis: Any effectively computable function can be computed by a Turing machine.

    The Church–Turing thesis thus provides us with a powerful tool to distinguish what is computation and what is not computation, what function is computable and what function is not computable, and more generally, what computers can do and what computers cannot do. From a computer science and particularly a cryptographic point of view, we are not just interested in what computers can do, but in what computers can do efficiently. That is, in cryptography we are more interested in what is practically computable rather than just theoretically computable; this leads to the Cook–Karp thesis.

    Definition 1.2 A probabilistic Turing machine is a type of nondeterministic Turing machine with distinct states called coin-tossing states. For each coin-tossing state, the finite control unit specifies two possible legal next states. The computation of a probabilistic Turing machine is deterministic except that in coin-tossing states the machine tosses an unbiased coin to decide between the two possible legal next states.

    A probabilistic Turing machine can be viewed as a randomized Turing machine, as described in Figure 1.3. The first tape, holding the input, is just the same as in a conventional multitape Turing machine. The second tape is referred to as the random tape, containing randomly and independently chosen bits, with probability 1/2 of a 0 and the same probability 1/2 of a 1. The third and subsequent tapes are used, if needed, as scratch tapes by the Turing machine.

    Figure 1.3 Probabilistic k-tape (k ≥ 1) Turing machine

    Definition 1.3 is the class of problems solvable in polynomial-time by a deterministic Turing machine (DTM). Problems in this class are classified to be tractable (feasible) and easy to solve on a computer. For example, additions of any two integers, no matter how big they are, can be performed in polynomial-time, and hence are in .

    Definition 1.4 is the class of problems solvable in polynomial-time on a nondeterministic Turing machine (NDTM). Problems in this class are classified to be intractable (infeasible) and hard to solve on a computer. For example, the Traveling Salesman Problem (TSP) is in , and hence it is hard to solve.

    In terms of formal languages, we may also say that is the class of languages where the membership in the class can be decided in polynomial-time, whereas is the class of languages where the membership in the class can be verified in polynomial-time. It seems that the power of polynomial-time verifiable is greater than that of polynomial-time decidable, but no proof has been given to support this statement (see Figure 1.4). The question of whether or not is one of the greatest unsolved problems in computer science and mathematics, and in fact it is one of the seven Millennium Prize Problems proposed by the Clay Mathematics Institute in Boston in 2000, each with one-million US dollars.
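
    The difference between deciding membership and verifying it can be made concrete with the Traveling Salesman Problem of Definition 1.4, in its decision form "is there a tour of length at most a given bound?". The following is an added example, not code from the book: the verifier checks a proposed tour in time polynomial in the number of cities, while the deterministic search shown here, a plain exhaustive search chosen for illustration, examines up to (n−1)! tours. The distance matrix is constructed for the example and all names are illustrative.

```python
"""Added example: verifying a certificate versus deciding by search, for TSP."""
from itertools import permutations
from math import factorial

# Constructed symmetric distance matrix for five cities (illustrative data).
DIST = [
    [0, 2, 9, 10, 7],
    [2, 0, 6, 4, 3],
    [9, 6, 0, 8, 5],
    [10, 4, 8, 0, 6],
    [7, 3, 5, 6, 0],
]


def tour_length(dist, tour):
    """Length of the closed tour that visits the cities in the given order."""
    n = len(tour)
    return sum(dist[tour[i]][tour[(i + 1) % n]] for i in range(n))


def verify_tour(dist, tour, bound):
    """Polynomial-time verifier for a claimed certificate.

    Accepts only if the tour visits every city exactly once and its
    length does not exceed the bound; the cost is O(n log n).
    """
    if sorted(tour) != list(range(len(dist))):
        return False
    return tour_length(dist, tour) <= bound


def decide_by_search(dist, bound):
    """Decide the same question with no certificate, by exhaustive search.

    Fixes city 0 as the start and tries the (n-1)! orderings of the rest.
    Returns (witness tour or None, number of tours examined).
    """
    examined = 0
    for rest in permutations(range(1, len(dist))):
        examined += 1
        tour = (0,) + rest
        if tour_length(dist, tour) <= bound:
            return tour, examined
    return None, examined


def search_space(n):
    """Number of tours the exhaustive search may have to examine for n cities."""
    return factorial(n - 1)


if __name__ == "__main__":
    witness, examined = decide_by_search(DIST, 26)
    print("bound 26:", witness, "after", examined, "tours")
    print("certificate accepted:", verify_tour(DIST, witness, 26))
    print("bound 25:", decide_by_search(DIST, 25))
    for n in (5, 10, 20):
        print(f"{n} cities: verifier reads {n} edges, search space {search_space(n)}")
```

    A "no" answer is the expensive case: for bound 25 every one of the 24 tours must be examined before the search can reject, whereas checking any single proposed tour stays cheap.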

    Figure 1.4 The Versus problem

    Definition 1.5 is the class of problems solvable by a deterministic Turing machine (DTM) in time bounded by .

    Definition 1.6 A function f is polynomial-time computable if for any input w, f(w) will halt on a Turing machine in polynomial-time. A language A is polynomial-time reducible to a language B, denoted by A B, if there exists a polynomial-time computable function such that for every input w,

    numbered Display Equation

    The function f is called the polynomial-time reduction of A to B.

    Definition 1.7 A language/problem L is -complete, denoted by , if it satisfies the following two conditions:

    1. ,

    2. .

    Definition 1.8 A problem D is -hard, denoted by , if it satisfies the following condition:

    numbered Display Equation

    where d may be in , or may not be in . Thus, -hard means at least as hard as any -problem, although it might, in fact, be harder.

    Definition 1.9 is the class of problems solvable in expected polynomial-time with one-sided error by a probabilistic (randomized) Turing machine (PTM). By one-sided error we mean that the machine will answer yes when the answer is yes with a probability of error <1/2, and will answer no when the answer is no with zero probability of error.

    Definition 1.10 is the class of problems solvable in expected polynomial-time with zero error on a probabilistic Turing machine (PTM). It is defined by
