This post is the first in a series of posts to discuss the Miller-Rabin primality test. In this post, we discuss how to perform the calculation (by tweaking Fermat’s little theorem). The Miller-Rabin test is fast and efficient and is in many ways superior to the Fermat test.
Fermat primality test is based on the notions of probable primes and pseudoprimes. One problem with the Fermat test is that it fails to detect the compositeness of a class of composite numbers called Carmichael numbers. It is possible to tweak the Fermat test to by pass this problem. The resulting primality test is called the Miller-Rabin test. Central to the working of the Miller-Rabin test are the notions of strong probable primes and strong pseudoprimes.
Fermat’s little theorem, the basis of the Fermat primality test, states that if is a prime number, then
for all numbers that are relatively prime to the modulus . When testing a prime number, the Fermat test always gives the correct answer. What is the success rate of the Fermat test when it is applied on a composite number? The Fermat test is correct on most composite numbers. Unfortunately the Fermat test fails to detect the compositeness of Carmichael numbers. A Carmichael number is any composite integer such that (*) is true for any that is relatively prime to . Fortunately we can tweak the calculation in (*) to get a better primality test.
Recall that a positive odd integer is a probable prime to base if the condition (*) holds. A probable prime could be prime or could be composite. If the latter, then is said to be a pseudoprime to base .
Setting up the calculation
Let be an odd positive integer. Instead of calculating , we set where is an odd number and . Then compute the following sequence of numbers:
Each term in (1) is reduced modulo . The first term can be computed using the fast powering (also called fast exponentiation) algorithm. Each subsequent term is the square of the preceding term. Of course, the last term is . It follows from Fermat’s little theorem that the last term in the sequence (1) is always a 1 as long as is prime and the number is relatively prime to . The numbers used in the calculation of (1) are called bases.
Suppose we have a large positive odd integer whose “prime or composite” status is not known. Choose a base . Then compute the numbers in the sequence (1). If is prime, we will see one of the following two patterns:
In (1a), the entire sequence consists of 1. In (1b), an asterisk means that the number is congruent to neither 1 nor -1 modulo . In (1b), the sequence ends in a 1, and the term preceding the first 1 is a -1. These two patterns capture a property of prime numbers. We have the following theorem.
The theorem behind the Miller-Rabin test
- The first term in the sequence (1) is congruent to 1 modulo .
- The term preceding the first 1 is congruent to -1 modulo .
Let be an odd prime number such that where is an odd number and . Let be a positive integer not divisible by . Then the sequence (1) resembles (1a) or (1b), i.e., either one of the following two conditions holds:
The proof of Theorem 1 is not complicated. It uses Fermat’s little theorem and the fact that if is an odd prime, the only solutions to the congruence equation are . The proof goes like this. By Fermat’s little theorem, the last term in sequence (1) is a 1, assuming that is an odd prime and is relatively prime to . If the first term in (1) is a 1, then we are done. Otherwise, look at the first term in (1) that is a 1. The term preceding the first 1 must be a -1 based on the fact that the equation can have only the trivial solutions .
It is an amazing fact that Theorem 1 is easily proved and yet is the basis of a powerful and efficient and practical primality test. Next we define the notions of strong probable primes and strong pseudoprimes.
Strong probable primes and strong pseudoprimes
Suppose we have a large positive odd integer whose “prime or composite” status is not known. We calculate sequence (1) for one base . If the last term of the sequence (1) is not a 1, then is composite by Fermat’s little theorem. If the last term is a 1 but the sequence (1) does not match the patterns (1a) or (1b), then is composite by Theorem 1. So to test for compositeness for , we look for a base such that the sequence (1) does not fit the patterns (1a) or (1b). Such a base is said to be a Miller-Rabin witness for the compositeness of . Many authors refer to a Miller-Rabin witness as a witness.
When we calculate the sequence (1) on the odd number for base , if we get either (1a) or (1b), then is said to be a strong probable prime to the base . A strong probable prime could be prime or could be composite. When a strong probable prime to the base is composite, it is said to be a strong pseudoprime to the base . To test for primality of , the Miller-Rabin test consists of checking for strong probable primality for several bases where that are randomly chosen.
For an example of a primality testing exercise using the Miller-Rabin test, see the post The first prime number after the 8th Fermat number.
Small examples of strong pseudoprimes
Some small examples to illustrate the definitions. Because , the number 341 is a probable prime to the base 2. Because 341 is composite with factors 11 and 31, the number 341 is a pseudoprime to the base 2. In fact, 341 is the least pseudoprime to base 2. Now the strong probable prime calculation. Note that . The calculated numbers in sequence (1) are 32, 1, 1, calculated as follows:
Because the sequence 32, 1, 1 does not fit pattern (1a) or (1b) (the term before the first 1 is not a -1), the number 341 is not a strong pseudoprime prime to base 2.
How far do we have to go up from 341 to reach the first strong pseudoprime to base 2. The least strong pseudoprime to base 2 is 2047. Note that . Note that the congruences and . The sequence (1) is 1, 1, which is the pattern (1a). Thus 2047 is a strong pseudoprime to base 2. Note that 2047 is composite with factors 23 and 89. It can be shown (at least by calculation) that all odd integers less than 2047 are not strong pseudoprime to base 2. In other words, if a positive odd integer is less than 2047 and if it is a strong probable prime to base 2, then must be a prime number.
Consider a slightly larger example. Let 65281. Set . The following is the calculation for the sequence (1) using base 2.
The pattern is *, *, *, -1, 1, 1, 1, 1, 1, which is (1b) (the term preceding the first 1 is a -1). So 65281 is strong probable prime to base 2. The following computation using base 3 will show that 65281 is a composite number, thus is a strong pseudoprime to base 2.
Looking at the last term in the base 3 calculation, we see that the number 65281 is composite by Fermat’s little theorem. Because the pattern is *, *, *, *, *, *, *, *, *, 65281 is not a strong pseudoprime to base 3.
How does pseudoprimality and strong pseudoprimality relate?
There are two notions of “pseudoprime” discussed here and in previous posts. One is based on Fermat’s little theorem (pseudoprime) and one is based on Theorem 1 above (strong pseudoprime). It is clear from the definition that any strong pseudoprime to base is a pseudoprime to base . The converse is not true.
Let’s start with the number 341. It is a pseudoprime to base 2. This means that the Fermat test cannot detect its compositeness using base 2. Yet the strong pseudoprimality calculation as described above can detect the compositeness of 341 using base 2. The 341 is not a strong pseudoprime to base 2 since the least strong pseudoprime to base 2 is 2047.
Let’s look at a slightly larger example. Take the number 25761. It is a pseudoprime to base 2 since and its factors are 3, 31 and 277. Let refine the calculation according to sequence (1) as indicated above. Note that . The pattern of sequence (1) is *, *, 1, 1, 1, 1. The term preceding the first 1 is not a -1. Thus the strong pseudomality method does detect the compositeness of 25761 using base 2.
In general, strong pseudoprimality implies pseudoprimality (to the same base). The above two small examples show that the converse is not true since they are pseudoprimes to base 2 but not strong pseudoprimes to base 2.
Why look at pseudoprimes and strong pseudoprimes?
The most important reason for studying these notions is that pseudoprimality and strong pseudoprimality are the basis of two primality tests. In general, pseudoprimality informs primality.
In a previous post on probable primes and pseudoprimes, we point out that most probable primes are primes. The same thing can be said for the strong version. According to , there are only 4842 strong pseudoprimes to base 2 below . Using the prime number theorem, it can be shown that there are approximately many prime numbers below . Thus most strong probable primes are primes. For a randomly chosen , showing that is a strong probable prime to one base can be quite strong evidence that is prime.
Because strong pseudoprimality is so rare, knowing what they are actually help in detecting primality. For example, according to , there are only 13 numbers below that are strong pseudoprimes to all of the bases 2, 3 and 5. These 13 strong pseudoprimes are:
Strong pseudoprimes to all of the bases 2, 3 and 5 below 25 billion
25326001, 161304001, 960946321, 1157839381, 3215031751, 3697278427, 5764643587, 6770862367, 14386156093, 15579919981, 18459366157, 19887974881, 21276028621
These 13 strong pseudoprimes represent a deterministic primality test on integers less than . Any odd positive integer less than that is a strong probable prime to all 3 bases 2, 3 and 5 must be a prime number if it is not one of the 13 numbers on the list. See Example 1 below for an illustration. This primality is fast since it only requires 3 exponentiations. Best of all, it gives a proof of primality. However, this is a fairly limited primality test since it only works on numbers less than . Even though this is a limited example, it is an excellent illustration that strong pseudoprimality can inform primality.
Consider the odd integer 1777288949, which is less than . Set . The proof of primality of requires only the calculation for 3 bases 2, 3 and 5.
The patterns for the 3 calculations fit either (1a) or (1b). So 1777288949 is a strong probable prime to all 3 bases 2, 3 and 5. Clearly 1777288949 is not on the list of 13 strong pseudoprimes listed above. Thus 1777288949 cannot be a composite number.
- Use the strong pseudoprime test to show that the following numbers are composite.
- Use the 13 strong pseudoprimes to the bases 2, 3 and 5 (used in Example 1) to show that the following numbers are prime numbers.
- Pomerance C., Selfridge J. L., Wagstaff, S. S., The pseudoprimes to , Math. Comp., Volume 35, 1003-1026, 1980.