Miller–Rabin primality test Information & Miller–Rabin primality test Links at HealthHaven.com

The Miller–Rabin primality test or Rabin–Miller primality test is a primality test: an algorithm which determines whether a given number is prime, similar to the Fermat primality test and the Solovay–Strassen primality test. Its original version, due to Gary L. Miller, is deterministic, but the determinism relies on the unproven generalized Riemann hypothesis;^[1] Michael O. Rabin modified it to obtain an unconditional probabilistic algorithm.^[2]

[edit] Concepts

Just like the Fermat and Solovay–Strassen tests, the Miller–Rabin test relies on an equality or set of equalities that hold true for prime values, then checks whether or not they hold for a number that we want to test for primality.

First, a lemma about square roots of unity in the finite field $\mathbb{Z}/p\mathbb{Z}$ , where p is prime and p > 2. Certainly 1 and −1 always yield 1 when squared mod p; call these trivial square roots of 1. There are no nontrivial square roots of 1 mod p (a special case of the result that, in a field, a polynomial has no more zeroes than its degree). To show this, suppose that x is a square root of 1 mod p. Then:

$x^{2} \equiv 1\pmod{p}$

$\left (x - 1 \right ) \left ( x + 1 \right ) \equiv 0\pmod{p}.$

In other words, p divides the product $(x - 1)(x + 1)$ . It thus divides one of the factors and it follows that x is either congruent to 1 or −1 mod p.

Now, let n be an odd prime. Then n−1 is even and we can write it as 2^s·d, where s and d are positive integers (d is odd). For each $a\in \left(\mathbb{Z}/n\mathbb{Z}\right)^*$ , either

$a^{d} \equiv 1\pmod{n}$

or

$a^{2^r\cdot d} \equiv -1\pmod{n}$ for some $0 \le r \le s-1.$

To show that one of these must be true, recall Fermat's little theorem:

$a^{n-1} \equiv 1\pmod{n}.$

By the lemma above, if we keep taking square roots of a^{n − 1}, we will get either 1 or −1. If we get −1 then the second equality holds and we are done.

In the case when we've taken out every power of 2 and the second equality never held, we are left with the first equality which also must be equal to 1 or −1, as it too is a square root. However, if the second equality never held, then it couldn't have held for r = 0, meaning that

$a^{2^0 \cdot d} = a^d \not\equiv -1\pmod{n}.$

Thus in case the second equality doesn't hold, the first equality must.

The Miller–Rabin primality test is based on the contrapositive of the above claim. That is, if we can find an a such that

$a^{d} \not\equiv 1\pmod{n}$

and

$a^{2^rd} \not\equiv -1\pmod{n}$ for all $0 \le r \le s-1$

then a is a witness for the compositeness of n (sometimes misleadingly called a strong witness, although it is a certain proof of this fact). Otherwise a is called a strong liar, and n is a strong probable prime to base a. The term "strong liar" refers to the case where n is composite but nevertheless the equations hold as they would for a prime.

For every odd composite n, there are many witnesses a. However, no simple way of generating such an a is known. The solution is to make the test probabilistic: we choose nonzero $a \in \left(\mathbb{Z}/n\mathbb{Z}\right)$ randomly, and check whether or not it is a witness for the compositeness of n. If n is composite, most of the choices for a will be witnesses, and the test will detect n as composite with high probability. There is, nevertheless, a small chance that we are unlucky and hit an a which is a strong liar for n. We may reduce the probability of such error by repeating the test for several independently chosen a.

[edit] Example

Suppose we wish to determine if n = 221 is prime. We write n − 1 = 220 as 2²·55, so that we have s = 2 and d = 55. We randomly select an a < n of 174. We proceed to compute:

a^2⁰·d mod n = 174⁵⁵ mod 221 = 47 ≠ 1, n − 1
a^2¹·d mod n = 174¹¹⁰ mod 221 = 220 = n − 1.

Since 220 ≡ −1 mod n, either 221 is prime, or 174 is a strong liar for 221. We try another random a, this time choosing a=137:

a^2⁰·d mod n = 137⁵⁵ mod 221 = 188 ≠ 1, n − 1
a^2¹·d mod n = 137¹¹⁰ mod 221 = 205 ≠ n − 1.

Hence 137 is a witness for the compositeness of 221, and 174 was in fact a strong liar. Note that this tells us nothing about the factors of 221 (which are 13 and 17).

[edit] Algorithm and running time

The algorithm can be written in pseudocode as follows:

 Input: n > 2, an odd integer to be tested for primality;  Input: k, a parameter that determines the accuracy of the test Output: composite if n is composite, otherwise probably prime write n − 1 as 2^s·d with d odd by factoring powers of 2 from n − 1 LOOP: repeat k times:    pick a randomly in the range [2, n − 1]    x ← a^d mod n    if x = 1 or x = n − 1 then do next LOOP    for r = 1 .. s − 1       x ← x² mod n       if x = 1 then return composite       if x = n − 1 then do next LOOP    return composite return probably prime

Using modular exponentiation by repeated squaring, the running time of this algorithm is O(k log³ n), where k is the number of different values of a we test; thus this is an efficient, polynomial-time algorithm. FFT-based multiplication can push the running time down to O(k log² n log log n log log log n) = Õ(k log² n).

[edit] Accuracy of the test

The more bases a we test, the better the accuracy of the test. It can be shown that for any odd composite n, at least ¾ of the bases a are witnesses for the compositeness of n.^[2]^[3] The Miller–Rabin test is strictly stronger than the Solovay–Strassen primality test in the sense that for every composite n, the set of strong liars for n is a subset of the set of Euler liars for n, and for many n, the subset is proper. If n is composite then the Miller–Rabin primality test declares n probably prime with a probability at most 4^−k. On the other hand, the Solovay–Strassen primality test declares n probably prime with a probability at most 2^−k.

On average the probability that a composite number is declared probably prime is significantly smaller than 4^−k. Damgård, Landrock and Pomerance^[4] compute some explicit bounds. Such bounds can, for example, be used to generate primes; however, they should not be used to verify primes with unknown origin, since in cryptographic applications an adversary might try to send you a pseudoprime in a place where a prime number is required. In such cases, only the error bound of 4^−k can be relied upon.

[edit] Deterministic variants of the test

The Miller–Rabin algorithm can be made deterministic by trying all possible a below a certain limit. The problem in general is to set the limit so that the test is still reliable.

If the tested number n is composite, the strong liars a coprime to n are contained in a proper subgroup of the group $\left(\mathbb{Z}/n\mathbb{Z}\right)^*$ , which means that if we test all a from a set which generates $\left(\mathbb{Z}/n\mathbb{Z}\right)^*$ , one of them must be a witness for the compositeness of n. Assuming the truth of the generalized Riemann hypothesis (GRH), it is known that the group is generated by its elements smaller than O((log n)²), which was already noted by Miller.^[1] The constant involved in the Big O notation was reduced to 2 by Eric Bach.^[5] This leads to the following conditional primality testing algorithm:

 Input: n > 1, an odd integer to test for primality. Output: composite if n is composite, otherwise prime write n−1 as 2^s·d by factoring powers of 2 from n−1 repeat for all :          then return composite return prime

The running time of the algorithm is Õ((log n)⁴). The full power of the generalized Riemann hypothesis is not needed to ensure the correctness of the test: as we deal with subgroups of even index, it suffices to assume the validity of GRH for quadratic Dirichlet characters.^[3]

This algorithm is not used in practice, as it is much slower than the randomized version of the Miller-Rabin test. For theoretical purposes, it was superseded by the AKS primality test, which does not rely on unproven assumptions.

When the number n to be tested is small, trying all a < 2(ln n)² is not necessary, as much smaller sets of potential witnesses are known to suffice. For example, Pomerance, Selfridge and Wagstaff^[6] and Jaeschke^[7] have verified that

if n < 1,373,653, it is enough to test a = 2 and 3.
if n < 9,080,191, it is enough to test a = 31 and 73.
if n < 4,759,123,141, it is enough to test a = 2, 7, and 61.
if n < 2,152,302,898,747, it is enough to test a = 2, 3, 5, 7, and 11.
if n < 3,474,749,660,383, it is enough to test a = 2, 3, 5, 7, 11, and 13.
if n < 341,550,071,728,321, it is enough to test a = 2, 3, 5, 7, 11, 13, and 17.

See The Primes Page^[8] and Zhang and Tang^[9] for other criteria of this sort. These results give very fast deterministic primality tests for numbers in the appropriate range, without any assumptions.

There is a small list of potential witnesses for every possible input size (at most n values for n-bit numbers), which can be observed by noting that BPP is contained in P/poly. However, no finite set of bases is sufficient for all composite numbers. Alford, Granville, and Pomerance have shown that there exist infinitely many composite numbers n whose smallest compositeness witness is at least (ln n)^{1/(3ln ln ln n)}.^[10] They also argue heuristically that the smallest number w such that every composite number below n has a compositeness witness less than w should be of order $Θ$ (log n log log n).

[edit] Notes

^ ^a ^b Miller, Gary L. (1976), "Riemann's Hypothesis and Tests for Primality", Journal of Computer and System Sciences 13 (3): 300–317, doi:10.1145/800116.803773
^ ^a ^b Rabin, Michael O. (1980), "Probabilistic algorithm for testing primality", Journal of Number Theory 12 (1): 128–138, doi:10.1016/0022-314X(80)90084-0
^ ^a ^b Schoof, René, "Four primality testing algorithms", Algorithmic Number Theory: Lattices, Number Fields, Curves and Cryptography, Cambridge University Press, ISBN 0521808545, http://www.mat.uniroma2.it/~schoof/millerrabinpom.pdf
^ Damgård, I.; Landrock, P. & Pomerance, C. (1993), "Average case error estimates for the strong probable prime test", Mathematics of Computation 61 (203): 177–194, http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf
^ Bach, Eric (1990), "Explicit bounds for primality testing and related problems", Mathematics of Computation 55 (191): 355–380, http://www.jstor.org/stable/2008811
^ Pomerance, C.; Selfridge, J. L. & Wagstaff, S. S., Jr. (1980), "The pseudoprimes to 25·10⁹", Mathematics of Computation 35 (151): 1003–1026, http://www.jstor.org/stable/2006210
^ Jaeschke, Gerhard (1993), "On strong pseudoprimes to several bases", Mathematics of Computation 61 (204): 915–926, http://www.jstor.org/stable/2153262
^ The Primes Page, http://primes.utm.edu/prove/prove2_3.html
^ Zhang, Zhenxiang & Tang, Min (2003), "Finding strong pseudoprimes to several bases. II", Mathematics of Computation 72 (44): 2085–2097, doi:10.1090/S0025-5718-03-01545-X
^ Alford, W. R.; Granville, A.; Pomerance, C. (1994), "On the difficulty of finding reliable witnesses", in Adleman, L. M.; Huang, M.-D., Algorithmic Number Theory, First International Symposium, Proceedings, LNCS 877, Springer-Verlag, pp. 1–16

[edit] External links

MathWorld – Rabin-Miller Strong Pseudoprime Test
Miller-Rabin demo with source code
Interactive Online Implementation of the Deterministic Variant (stepping through the algorithm step-by-step)
Applet (German)

[miller-0] Miller, Gary L. (1976), "Riemann's Hypothesis and Tests for Primality", Journal of Computer and System Sciences 13 (3): 300–317, doi:10.1145/800116.803773

[rabin-1] Rabin, Michael O. (1980), "Probabilistic algorithm for testing primality", Journal of Number Theory 12 (1): 128–138, doi:10.1016/0022-314X(80)90084-0

[schoof-2] Schoof, René, "Four primality testing algorithms", Algorithmic Number Theory: Lattices, Number Fields, Curves and Cryptography, Cambridge University Press, ISBN 0521808545, http://www.mat.uniroma2.it/~schoof/millerrabinpom.pdf

[3] Damgård, I.; Landrock, P. & Pomerance, C. (1993), "Average case error estimates for the strong probable prime test", Mathematics of Computation 61 (203): 177–194, http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf

[4] Bach, Eric (1990), "Explicit bounds for primality testing and related problems", Mathematics of Computation 55 (191): 355–380, http://www.jstor.org/stable/2008811

[5] Pomerance, C.; Selfridge, J. L. & Wagstaff, S. S., Jr. (1980), "The pseudoprimes to 25·10⁹", Mathematics of Computation 35 (151): 1003–1026, http://www.jstor.org/stable/2006210

[6] Jaeschke, Gerhard (1993), "On strong pseudoprimes to several bases", Mathematics of Computation 61 (204): 915–926, http://www.jstor.org/stable/2153262

[7] The Primes Page, http://primes.utm.edu/prove/prove2_3.html

[8] Zhang, Zhenxiang & Tang, Min (2003), "Finding strong pseudoprimes to several bases. II", Mathematics of Computation 72 (44): 2085–2097, doi:10.1090/S0025-5718-03-01545-X

[9] Alford, W. R.; Granville, A.; Pomerance, C. (1994), "On the difficulty of finding reliable witnesses", in Adleman, L. M.; Huang, M.-D., Algorithmic Number Theory, First International Symposium, Proceedings, LNCS 877, Springer-Verlag, pp. 1–16

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

Contents