Primality is among the oldest questions in arithmetic: given a positive integer , is it prime, or does it factor into smaller integers? Using basic number theory, there is an immediate procedure. A composite integer has a prime divisor at most
, so one may test every possible divisor up to that point. This always works, and it proves that primality is decidable. But complexity theory asks a different question. It asks not merely whether a method eventually gives the right answer, but whether the amount of work is reasonably small compared with the amount of information needed to specify the input. When the integer
is written in binary, that amount of information is its bit length
This is the natural measure of the size of the problem. An integer close to
may be astronomically large as a number, yet it is represented by only about
binary digits. Trial division examines on the order of
possible divisors; for an
-bit integer, this is roughly
Thus trial division takes exponentially many steps in the input length. It is efficient when
itself is regarded as the scale, but it is not efficient in the sense required by computational complexity.
The AKS theorem establishes the much stronger conclusion that primality can be decided in genuinely efficient time. There is a deterministic algorithm which, given the binary expansion of any integer , always determines whether
is prime, and whose number of bit operations is bounded by a fixed polynomial in
. In the standard language of complexity theory,
The significance of this statement is not that it gives the fastest known practical primality test. Rather, it gives an unconditional theoretical answer: primality does not require factorization, exhaustive search, random choices, or any unproved hypothesis. It can be recognized with certainty using an amount of computation that grows only polynomially with the number of digits of the input.
Polynomial Identity
The proof does not arise from a miraculous efficient way of trying divisors. Its starting point is Fermat’s little theorem, but used in a much more rigid polynomial form. A prime does not merely satisfy the numerical congruence . It satisfies the polynomial identity
The ordinary Fermat congruence is recovered by substituting a number for . The polynomial identity is vastly stronger: it says that all intermediate binomial coefficients disappear modulo
. AKS begins from this observation, compresses the polynomial identity by imposing
, and then proves that a composite number cannot imitate this compressed prime behavior too often. The proof has one central tension. The accepted congruences force a certain multiplicative set inside a finite field to be very large. But if the input were composite and not a prime power, the same congruences would force that set to be too small. The two estimates contradict one another.
Let be prime. The binomial theorem gives
For every index strictly between
and
, the coefficient
is divisible by
. Thus all middle terms vanish modulo
:
Fermat’s little theorem gives
, so
For a prime, this identity holds for every integer
. More importantly, the full identity characterizes primality. Suppose that
, that
, and that
holds as a genuine polynomial congruence, without reducing modulo any further polynomial in . Then
must be prime.
Indeed, assume that is composite, choose a prime divisor
of
, and write
The coefficient of
in
is
Since
, the factor
is not divisible by
. Thus we only need to examine
. Using
we see that the first factor has
-adic valuation
. The second factor is not divisible by
, because
modulo . Therefore
The coefficient
is not divisible by
, hence not divisible by
. So the full polynomial congruence fails for every composite
.
This would already give a primality test: verify
The defect is that these are degree- polynomials. Handling
coefficients means handling exponentially many coefficients in the bit length
. The entire AKS method is an answer to one question: can we retain enough of this prime identity while reducing its degree from
to something polynomial in
?
Choose a positive integer and work in the quotient ring
Inside this quotient, one has
Every power of
can therefore be reduced modulo
in its exponent, so every polynomial has a representative of degree less than
. Instead of checking the full degree-
identity, AKS checks the compressed congruence
A prime still passes this test, because the full polynomial identity remains true after any further reduction. A composite can sometimes pass such a truncated test, however, because reducing modulo identifies many different powers of
. AKS therefore does not claim that one congruence, or even one value of
, detects primality. The theorem lies in the much subtler statement that a composite cannot pass enough carefully chosen compressed congruences unless it is a prime power.
The parameter must be chosen so that the powers of
remain nontrivial modulo
. Write
for the least positive integer
such that
This is defined when
. AKS chooses the least
for which
The inequality says that, modulo
, the powers
are still all distinct. This is exactly the reservoir of distinct exponents that will later force a large collection of distinct field elements.
Given , carry out the following steps.
- First test whether
is a nontrivial perfect power:
If it is, declare
composite.
- Next find the least
such that
- Then compute
for every integer
with
. If any such greatest common divisor satisfies
declare
composite.
- If no such divisor has appeared and
declare
prime. This step is safe because, if
were composite, it would have a prime divisor at most
, which the preceding gcd checks would have found.
- Now define
where
is Euler’s totient function. For every integer
with
test whether
If any test fails, declare
composite. If every test succeeds, declare it prime.
We now explain why this last declaration is justified. The easy direction is immediate: if is prime, it is not a nontrivial perfect power, has no nontrivial gcd with any
, and satisfies the full polynomial Fermat identity. Thus every prime passes every stage. The difficult direction begins by assuming that the algorithm accepts some integer
, and proving that this accepted integer must be prime. Suppose the algorithm reaches its final declaration. Since the perfect-power test did not reject,
is not a nontrivial prime power. Since the gcd stage did not reject, every prime divisor of
is larger than
. Indeed, if a prime
divided
and satisfied
, then the gcd computation at
would reveal the proper divisor
.
Also , because otherwise the algorithm would already have stopped at the earlier prime declaration. Let
be a prime divisor of
. We need one for which
Such a divisor exists. If every prime divisor
of
were congruent to
modulo
, then their product with multiplicities would give
But
, so
is not congruent to
modulo
. Choose a prime divisor
for which
. At this point the proof has selected a particular prime factor
of
. The accepted congruences will be reduced modulo
. The aim is to show that they force
to be a power of this
. The preliminary perfect-power test will then finish the proof.
Reduce the accepted congruence modulo . Since
, for every
we obtain
There is also the trivial case
, namely
. Thus we may work uniformly with the linear polynomials
In characteristic
, the Frobenius rule says
Hence
The less obvious statement is that
has the same effect on the tested linear polynomials (because
).
Define Taking the
th power in characteristic
gives
The accepted congruence says that this is zero modulo and
. One must now justify the inference from
to
. This would fail in a ring with nilpotents, so it is not a formal triviality. Here it works because
, and hence
. The derivative of
is
which is not the zero polynomial modulo
. Thus
has no repeated roots over an algebraic closure of
. Equivalently, the quotient ring
has no nonzero nilpotent elements. Therefore
implies
, and so
It is useful to give this phenomenon a name. Call a positive integer a Frobenius-like exponent for a polynomial
when
For each tested polynomial , both
and
are Frobenius-like exponents. The reason for introducing this terminology is that these exponents can be multiplied. If
and
are Frobenius-like for
, then
In the second congruence we simply apply the Frobenius-like relation for after replacing
by
. Likewise, if
is Frobenius-like for both
and
, then it is Frobenius-like for their product:
Consequently, every exponent of the form is Frobenius-like for every polynomial of the form
This is the hidden rigidity created by acceptance. The algorithm checks only a short list of congruences. But those congruences propagate multiplicatively into a very large family of exponent identities.
Let be the subgroup of
generated by the residue classes of
and
Every element of
can be represented by one of the nonnegative products
. Write
The element
lies in
. Hence the order of
modulo
is at most
:
This lower bound is the reason AKS selected
using a large-order condition. The group
contains more than
distinct residue classes, and each of them will later produce a distinct power of a primitive
th root of unity.
Before entering a finite field, observe that Indeed,
and
, so
. Therefore
The inequality
came from the gcd stage. Consequently the residues
are distinct modulo
. This modest-looking fact is needed later, because it guarantees that the polynomials
are distinct linear factors over
. The quotient ring modulo
is useful for computation, but it is not the ideal setting for the final counting argument. We want to use the elementary fact that a nonzero polynomial of degree
over a field has at most
roots. For this reason, choose an irreducible factor
over
, where
is the
th cyclotomic polynomial. Form the finite field
Let denote the image of
in
. Because
divides the cyclotomic polynomial,
is a primitive
th root of unity:
but
for
The degree of this field extension is
To see this, put
. The field
has
elements, so every nonzero element satisfies
. In particular,
and therefore
This proves that
. Conversely, if
, then
so
is a root of
. Its minimal polynomial
divides this polynomial, giving
. Hence
. By the choice of
, this degree exceeds
. Thus
In particular none of the elements
is zero. If
for some
, then
would belong to
, contrary to the extension degree being greater than one.
Define to be the multiplicative subgroup of
generated by these elements:
The remaining proof gives one lower and one upper bound for
. Consider the family of polynomials
A polynomial in has degree
Because the linear factors
are distinct over
, unique factorization shows that distinct exponent vectors produce distinct polynomials. We claim that distinct members
of degree less than
remain distinct after evaluation at
:
Suppose instead that
Let
Then
is nonzero and has degree less than
. We will force it to have at least
distinct roots.
Take any residue class . Choose an exponent
whose reduction modulo
equals
. The earlier propagation argument says that
is Frobenius-like for both
and
. Therefore
Since
, we deduce
But
and
, so
Thus
for every
. The elements
are distinct as
runs through the
residue classes in
, because
has exact order
. Hence
has at least
distinct roots, while its degree is less than
. This is impossible.
Thus every product in of degree at most
gives a different element of
. The number of choices of nonnegative integers
satisfying
is
Therefore
This is the large side of the contradiction. Acceptance makes the exponents in
propagate a putative equality
to too many roots. As a result, no collision among low-degree products is possible, and
must contain many elements.
Now suppose, toward a contradiction, that is not a power of the chosen prime
. Consider the finite set
All these integers are distinct. For if then comparing the prime factors other than
forces
, because
has a prime factor different from
. Once
, one gets
. There are
such integers, but only
residue classes in the group
. Hence two distinct elements
have the same residue modulo
. Arrange them so that
Then
Each generator
of
satisfies
Indeed, both exponents are Frobenius-like for , so
and the right sides agree because
. Since every generator has the same
th and
th power, every element
does as well:
Thus every element of
is a root of the nonzero polynomial
Over a field, a nonzero polynomial of degree
has at most
roots. Hence
The size of
is controlled by the way it was chosen. Since both exponents in its definition are at most
,
Therefore, under the assumption that is not a power of
,
This is the small side of the contradiction. The large group
forces many distinct products in
. But the pigeonhole collision among the exponents forces every element of
to satisfy one polynomial equation of relatively low degree.
Put Because
we have
and hence
Therefore
Also
is a subgroup of
, so
It follows that
The lower bound for
therefore gives
For ,
One quick way to see this is to write
The first factor is larger than
, and each remaining factor is larger than
, so the whole product exceeds
. Since
we obtain
Combining the estimates yields
But the upper-bound argument, under the assumption that is not a power of
, gave
This contradiction proves that an accepted
must be a power of the selected prime:
The first step of the algorithm had already rejected all nontrivial perfect powers. Hence
, so
Thus every integer accepted by the algorithm is prime. Together with the earlier observation that every prime passes, this proves correctness: The AKS algorithm outputs PRIME if and only if is prime.
Correctness is not enough. The theorem says that the algorithm runs in time polynomial in , so the parameters
and
must themselves be polynomially bounded in
.
The key fact is that a suitable exists with
Here is the elementary reason. Put
and choose a large polynomial bound
Suppose, for contradiction, that every integer
coprime to
satisfies
Then for each such
, there is some
with
Thus every such
divides the product
The logarithm of this product is small:
On the other hand, the least common multiple of all integers
coprime to
is much too large to divide
. A standard binomial-coefficient estimate gives
Removing the prime powers whose underlying primes divide
loses at most a factor
, where
is the number of distinct prime factors of
. Since
the least common multiple of the integers at most
that are coprime to
is at least
For
, this is larger than
once
is outside a finite range of small values, and those small inputs can be checked directly. Thus it cannot divide
, whose binary logarithm is below
. The contradiction proves that some
has
Since the algorithm chooses the least such
, it follows that
Consequently,
The algorithm therefore performs only polynomially many gcd calculations and polynomial congruence tests. Each polynomial calculation is performed in the quotient modulo , so its representatives have degree below
. Repeated squaring computes
using
polynomial multiplications. Even with naive cyclic polynomial multiplication, the degree and coefficient sizes are bounded by fixed powers of
. Hence every stage, and therefore the full algorithm, has bit complexity bounded by a polynomial in
.
The AKS theorem does not say that the short congruence by itself recognizes primes. Composites can imitate it in isolated cases. The proof works because successful tests for a whole interval of
values create a large system of compatible Frobenius-like identities. Those identities spread from the two exponents
to the large semigroup
Modulo
, this semigroup contains a large group of exponents. In a finite field containing a primitive
th root of unity, the large group forces many products of
to be distinct. Yet, unless
is a power of a single prime, two exponents must collide modulo
, forcing every one of those products to satisfy the same low-degree polynomial equation. A set cannot simultaneously be that large and that small. That contradiction is the heart of AKS. The perfect-power check removes the one surviving possibility. What remains is exactly primality: PRIMES is in